    Tuesday, April 24, 2018

    Hijack of Amazon’s internet domain service used to reroute web traffic for two hours unnoticed Networking

    Hijack of Amazon’s internet domain service used to reroute web traffic for two hours unnoticed

    Posted: 24 Apr 2018 11:35 AM PDT

    This originally looked like a DNS issue, then a route leak, and now it's thought to have been a man in the middle attack mounted from within an Equinix data center in Chicago. We had a lot of customers with issues this morning.

    Here's an article on it with more information.

    submitted by /u/Cpt_Frank_Lapidus
    [link] [comments]

    MPLS and IPSEC backup

    Posted: 24 Apr 2018 06:25 AM PDT

    We're in the process of adding an MPLS VPN between two locations where we currently run IPSEC. I was wondering if we could keep the IPSEC as backup and run the MPLS as our main connection to the other location.

    Both locations are running Cisco ASA's.

    Would having a static route on each ASA pushing the traffic to the MPLS IP ignore the IPSEC config? And if we wish to use the IPSEC does removing the static route automatically bring up the IPSEC tunnel?

    submitted by /u/Ridlas
    [link] [comments]

    Are there any copper SFPs that can handle 10G over a distance of 200 feet?

    Posted: 24 Apr 2018 11:16 AM PDT

    IPSec throughput speed

    Posted: 24 Apr 2018 11:05 AM PDT

    Hi Everyone,

    Just a question on how to maximize throughput in IPSec tunneling. I have two Fortigate 200D devices utilizing IPSec site to site. Now I used iperf to see their speed and it's a mix between 25-30 mbps to 10mbps at certain times. I checked the phase 1 and 2 protocols and even minimized the amount of encryption algorithms it would use to talk to one another. For these devices it says the maximum throughput should be 1.3 Gbps and the two locations these devices are in have 1GB pipes up and down. Now obviously it won't use the max 1GB pipe but I imagine that floating 25mbps is really slow in comparison to what the data sheet indicates.

    Anyone have an idea what may be the issue? Also if anyone has had this similar situation before with similar devices? With the Cisco ASA's it was pretty straight forward so I'm a bit confused myself.

    submitted by /u/AcidWulf
    [link] [comments]

    HP 2530 - LACP convergence failover time

    Posted: 24 Apr 2018 01:59 AM PDT

    Hi,

    I'm troubleshooting LACP failover at the moment for a customer who requires low failover times on the uplink from their access switches.

    We are looking for less than 100ms failover time; the access switch is connected over a 2-port LACP aggregate, L2 to the distribution.

    I'm testing between 2 factory default Aruba 2530's and have been told the best way to test the failover time is to use sudo ping on an Ubuntu image with an interval of 0.01 seconds and count the failed pings. We are seeing about 60-80 failed pings on a link failure, so if my math is correct that's 600-800ms. The switch log is not showing anything, and trying to find real world values for failover is hard; I don't think HP likes to give out specifics like that.

    HP recommended upgrading to the latest version which I've done but still getting similar results.

    Any ideas? Is this number not achievable? Is there anything I can do to speed up failover?

    Thanks!

    submitted by /u/Sharks_No_Swimming
    [link] [comments]
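A way to turn the ping-based test above into an outage figure, as an added example that is not from the post or from HP: it parses Linux `ping -D` output (timestamps plus icmp_seq), finds runs of missing sequence numbers, and reports both the count-times-interval estimate the post uses and the wall-clock gap between the replies on either side of the hole. The ping lines and the 10.0.0.2 peer address are constructed.

```python
import re
from dataclasses import dataclass

# Linux iputils "ping -D" lines look like:
# [1524560000.040000] 64 bytes from 10.0.0.2: icmp_seq=5 ttl=64 time=0.210 ms
PING_LINE = re.compile(r"^\[(?P<ts>\d+\.\d+)\] \d+ bytes from \S+ icmp_seq=(?P<seq>\d+)")


@dataclass
class Outage:
    first_lost_seq: int
    last_lost_seq: int
    lost: int        # replies that never arrived
    est_ms: float    # lost x probe interval, the post's way of estimating
    wall_ms: float   # timestamp gap between the replies on either side of the hole


def constructed_ping_output():
    """Constructed sample of `sudo ping -D -i 0.01 10.0.0.2`: one isolated loss (seq 3)
    and a 70-probe hole (seq 6-75), the shape a LAG member failover leaves behind."""
    base = 1524560000.0
    lines = []
    for seq in [1, 2, 4, 5] + list(range(76, 81)):
        ts = base + (seq - 1) * 0.01
        lines.append(f"[{ts:.6f}] 64 bytes from 10.0.0.2: icmp_seq={seq} ttl=64 time=0.210 ms")
    return "\n".join(lines)


def parse_ping(text):
    """Return [(seq, timestamp), ...] for every reply line, in arrival order."""
    replies = []
    for line in text.splitlines():
        m = PING_LINE.match(line.strip())
        if m:
            replies.append((int(m["seq"]), float(m["ts"])))
    return replies


def find_outages(replies, interval_s=0.01, min_lost=3):
    """Find holes in the icmp_seq series. min_lost filters single drops that are not a
    failover. Out-of-order or wrapped sequence numbers (negative hole) are skipped.
    wall_ms spans one extra interval compared with est_ms because it is measured
    between the last reply before the hole and the first one after it."""
    outages = []
    for (prev_seq, prev_ts), (seq, ts) in zip(replies, replies[1:]):
        lost = seq - prev_seq - 1
        if lost < min_lost:
            continue
        outages.append(Outage(
            first_lost_seq=prev_seq + 1,
            last_lost_seq=seq - 1,
            lost=lost,
            est_ms=round(lost * interval_s * 1000, 1),
            wall_ms=round((ts - prev_ts) * 1000, 1),
        ))
    return outages


if __name__ == "__main__":
    for o in find_outages(parse_ping(constructed_ping_output())):
        print(f"seq {o.first_lost_seq}-{o.last_lost_seq}: {o.lost} lost, "
              f"~{o.est_ms} ms by count, {o.wall_ms} ms by timestamps")
```

Feed it a real capture with `python3 this.py < ping.log` adapted to read stdin; the timestamp-based figure is the one to trust when the kernel cannot keep a strict 10 ms send cadence.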

    Cisco IOS MAB - How exactly does it learn the MAC addresses?

    Posted: 24 Apr 2018 11:22 AM PDT

    I know, the question sounds dumb - of course it learns the MAC addresses from the source MAC of the frames it receives. That's not quite what I'm asking.

    I know that when the switch receives a frame, it records the source MAC address into the CAM table, for that port/VLAN. Got it.

    When the MAB process is executing, it uses the known MAC address to authenticate. What source does MAB use to determine the MAC address? Does it look in the CAM table for the MAC addresses on that port? Or does it require an actual frame to enter the switch before it can begin the MAB process?


    Consider this scenario:

    • 802.1x/MAB reauthentication timer is 1 hour.
    • MAC address inactivity timer is the default of 5 minutes.
    • MAB passed successfully at 4:00:00.
    • The device sends its last frame at 4:56:00, then goes to sleep for ten minutes.
    • At 5:00:00, the switch begins reauthentication.

    If the switch uses the CAM table, it still has an entry for the device, and can authenticate the device, and it will reauthenticate at 5:00:00 (+/- some seconds).

    If the switch requires an actual frame, the port will unauthenticate at 5:00:00, and remain unauthenticated until 5:06:00 when the device sends its next frame. This means the device was 'down' for six minutes.


    Thoughts?

    submitted by /u/binarycow
    [link] [comments]

    Request - Recommendations for VPN for radiologists (high throughput)

    Posted: 24 Apr 2018 08:09 AM PDT

    We currently run a very old Cisco ASA 5510 and it is just not keeping up with the demands of our high throughput users. It very well may not be a device issue; however, I have been told to assess a new VPN. The question is, do I just go with a new ASA or is there something like Juniper with known faster throughput for client-based or clientless VPN?

    submitted by /u/perfik09
    [link] [comments]

    Performance Review/Merit Raises

    Posted: 24 Apr 2018 05:47 AM PDT

    If you don't mind me asking, how much of a raise did you guys get last year and this year?

    submitted by /u/0h800
    [link] [comments]

    What does this WCCP do and is it fully configured on my router? I can only see it being part of DMVPN.

    Posted: 24 Apr 2018 01:16 PM PDT

    The below is my full config on WCCP.

    interface Tunnel0
    description DMVPN
    ip address 10.255.14.1 255.255.254.0
    no ip redirects
    ip mtu 1400
    ip wccp 62 redirect in

    sh access-l WAAS-REDIRECT-LIST
    Extended IP access list WAAS-REDIRECT-LIST
    10 deny tcp any eq telnet any
    20 deny tcp any any eq telnet
    30 deny tcp any eq tacacs any
    40 deny tcp any any eq tacacs
    50 deny tcp any eq bgp any
    60 deny tcp any any eq bgp
    70 deny tcp any any eq 123
    80 deny tcp any eq 123 any

    #sh run | i wccp
    ip wccp 61 redirect-list WAAS-REDIRECT-LIST
    ip wccp 62 redirect-list WAAS-REDIRECT-LIST
    ip wccp 62 redirect in

    submitted by /u/hulk9119
    [link] [comments]

    Fortigate IPSec Site-to-Site to StrongSwan

    Posted: 24 Apr 2018 02:27 AM PDT

    Hello /r/networking,

    Could you please guide me in the right direction?

    I need to establish a kind of site-to-site VPN to route traffic from some internal networks to a Linux host and then on to the internet.

    I was able to establish an IPSec tunnel between the Fortigate and an Ubuntu host with strongSwan.

    Here is the config of strongSwan (ipsec.conf):


    config setup
        charondebug="ike 1, knl 1, cfg 0"

    conn FortiGate
        authby=secret
        type=tunnel
        auto=route
        compress=no
        # linux host public ip
        left=138.X.X.X
        leftsubnet=0.0.0.0/0
        # FG public ip
        right=185.X.X.X
        rightsubnet=0.0.0.0/0
        leftfirewall=no
        keyexchange=ikev1
        ike=aes256-sha256-ecp521
        esp=aes256-sha256-ecp521
        mark=42


    ipsec.secret

    #RSA private key for this host, authenticating it to any other host
    #which knows the public part.
    185.X.X.X 138.X.X.X : PSK "testtest"


    sysctl.conf

    net.ipv4.ip_forward=1
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.all.send_redirects = 0
    net.ipv4.ip_no_pmtu_disc = 1


    Output of ifconfig

    eth0 Link encap:Ethernet HWaddr e6:70:3b:39:07:12
    inet addr:138.X.X.X Bcast:138.X.X.X Mask:255.255.240.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:6939 errors:0 dropped:0 overruns:0 frame:0
    TX packets:4920 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:847539 (847.5 KB) TX bytes:943017 (943.0 KB)

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:65536 Metric:1
    RX packets:170 errors:0 dropped:0 overruns:0 frame:0
    TX packets:170 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1
    RX bytes:12680 (12.6 KB) TX bytes:12680 (12.6 KB)

    vti0 Link encap:IPIP Tunnel HWaddr
    inet addr:10.1.1.2 P-t-P:10.1.1.2 Mask:255.255.255.0
    UP POINTOPOINT RUNNING NOARP MTU:1332 Metric:1
    RX packets:152 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1
    RX bytes:12768 (12.7 KB) TX bytes:0 (0.0 B)


    As you can see from RX packets:152, the ICMP packets are going out from the FG to vti0.


    Route table of the Linux host

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         138.X.X.X       0.0.0.0         UG    0      0        0 eth0
    10.1.1.1        *               255.255.255.255 UH    0      0        0 vti0
    10.16.0.0       *               255.255.0.0     U     0      0        0 eth0
    138.X.X.X       *               255.255.240.0   U     0      0        0 eth0


    output of ipsec status FortiGate

    Routed Connections:
    FortiGate{1}: ROUTED, TUNNEL, reqid 1
    FortiGate{1}: 0.0.0.0/0 === 0.0.0.0/0
    Security Associations (1 up, 0 connecting):
    FortiGate[4]: ESTABLISHED 31 minutes ago, 138.X.X.X[138.X.X.X]...185.X.X.X[185.X.X.X]
    FortiGate{5}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c81632fb_i a2f2414e_o
    FortiGate{5}: 0.0.0.0/0 === 0.0.0.0/0


    Tunnel status from fortigate

    get vpn ipsec tunnel name VPN-DO

    gateway
    name: 'VPN-DO'
    type: route-based
    local-gateway: 185.X.X.X:0 (static)
    remote-gateway: 138.X.X.X:0 (static)
    mode: ike-v1
    interface: 'wan1' (17)
    rx packets: 0 bytes: 0 errors: 0
    tx packets: 15 bytes: 1260 errors: 0
    dpd: on-demand/negotiated idle: 20000ms retry: 3 count: 0
    selectors
    name: 'VPN-DO'
    auto-negotiate: enable
    mode: tunnel
    src: 0:0.0.0.0/0.0.0.0:0
    dst: 0:0.0.0.0/0.0.0.0:0
    SA
    lifetime/rekey: 43200/40884
    mtu: 1438
    tx-esp-seq: 10
    replay: enabled
    inbound
    spi: a2f2414e
    enc: aes-cb 1b949d5c0761XXXXXXXXXXXXXXX
    auth: sha256 df777659685fXXXXXXXXXXXXXXX
    outbound
    spi: c81632fb
    enc: aes-cb 1413ebedcc3f2XXXXXXXXXXXXXXXX
    auth: sha256 30e9176XXXXXXXXXXXXXXXXX
    NPU acceleration: encryption(outbound)


    get router info routing-table all

    S* 0.0.0.0/0 [1/0] via 185.X.X.X, wan1, [0/56]
    [1/0] via 194.X.X.X, port15
    C 10.1.1.1/32 is directly connected, VPN-DO
    C 10.1.1.2/32 is directly connected, VPN-DO
    S 10.X.X.X/X [10/0] via 10.X.X.X, LAN
    C 10.X.X.X/X is directly connected, LAN
    S 10.X.X.X/X [10/0] is directly connected, Site to Site
    S 10.211.134.0/24 [10/0] is directly connected, Site to Site
    C 185.X.X.X/29 is directly connected, wan1
    S 188.X.X.X/32 [1/0] via 10.1.1.2, VPN-DO
    C 194.X.X.X/X is directly connected, port15


    But I can't get any traffic (even icmp response) back.

    Do you have any ideas?

    submitted by /u/supermac-t
    [link] [comments]
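An added example, not the poster's code and nothing from strongSwan or Fortinet: a small linter for the ipsec.conf and ipsec.secrets shown above that checks the things worth verifying before chasing the routing, namely that both peers are set (a `right=` sharing a line with a `#` comment is silently a comment), that a PSK line selects those peers, the PSK length, the kernel-side requirements that `mark=` implies in a strongSwan route-based setup (a vti whose key equals the mark, `charon.install_routes=no`, and routes into that vti), and that 0.0.0.0/0 selectors leave all traffic selection to the routing table. The sample text mirrors the post with its placeholder addresses; the finding codes and the 20-character PSK threshold are this example's own choices.

```python
import re

# Constructed sample mirroring the ipsec.conf quoted in the post (placeholder IPs kept as
# posted). "right=" sits on its own line here; in the post it shares a line with the
# "#FG public ip" comment, which makes it part of the comment if the file really reads so.
IPSEC_CONF = """\
config setup
    charondebug="ike 1, knl 1, cfg 0"

conn FortiGate
    authby=secret
    type=tunnel
    auto=route
    compress=no
    # linux host public ip
    left=138.X.X.X
    leftsubnet=0.0.0.0/0
    # FG public ip
    right=185.X.X.X
    rightsubnet=0.0.0.0/0
    leftfirewall=no
    keyexchange=ikev1
    ike=aes256-sha256-ecp521
    esp=aes256-sha256-ecp521
    mark=42
"""
IPSEC_SECRETS = '185.X.X.X 138.X.X.X : PSK "testtest"\n'
SECRET_LINE = re.compile(r'^(?P<ids>[^:#]*):\s*PSK\s+"(?P<psk>[^"]*)"')  # IPv4/FQDN IDs only

def parse_ipsec_conf(text):
    """Return {section header: {key: value}}; headers sit in column 0, body lines are indented."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments but keep the indentation
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip().strip('"')
    return sections

def parse_secrets(text):
    """Return [(set of selector IDs, psk), ...] for the PSK lines of ipsec.secrets."""
    out = []
    for raw in text.splitlines():
        m = SECRET_LINE.match(raw)
        if m:
            out.append((set(m["ids"].split()), m["psk"]))
    return out

def lint_conn(conn, secrets, min_psk_len=20):
    """Return [(code, message), ...] for one conn section; the codes are this example's own."""
    findings = []
    for side in ("left", "right"):
        if side not in conn:
            findings.append(("MISSING_PEER", f"{side}= is not set (a peer on a comment line is ignored)"))
    if conn.get("authby") == "secret" and "left" in conn and "right" in conn:
        peers = {conn["left"], conn["right"]}
        matched = [psk for ids, psk in secrets if peers <= ids or "%any" in ids or not ids]
        if not matched:
            findings.append(("PSK_NO_MATCH", f"no PSK line in ipsec.secrets selects {sorted(peers)}"))
        elif len(matched[0]) < min_psk_len:
            findings.append(("PSK_WEAK", f"PSK is {len(matched[0])} chars; use a long random secret"))
    if "mark" in conn:  # route-based strongSwan: the vti key must equal the mark, charon must not install routes
        findings.append(("MARK_NEEDS_VTI", f"mark={conn['mark']}: needs a vti with key {conn['mark']}, "
                         "charon.install_routes=no, and routes that send the return traffic into that vti"))
    if conn.get("leftsubnet") == "0.0.0.0/0" and conn.get("rightsubnet") == "0.0.0.0/0":
        findings.append(("ANY_SELECTORS", "0.0.0.0/0 === 0.0.0.0/0: only the routing table decides what enters the tunnel"))
    return findings
```

Run `lint_conn(parse_ipsec_conf(open("/etc/ipsec.conf").read())["conn FortiGate"], parse_secrets(open("/etc/ipsec.secrets").read()))` on the live files; the MARK_NEEDS_VTI note is where to look when, as above, vti0 shows RX but no TX.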

    Looking for opinion on Aruba configuration

    Posted: 24 Apr 2018 09:14 AM PDT

    I'm planning for a replacement of the switching in our main office. If it helps, the current setup (which was in place when I arrived) is a single Nexus 5548UP with six 2248TP fabric extenders providing all of the access. I'm aware this isn't a recommended config as the FEXes are meant for TOR and there should be a second 5548UP for redundancy. Here's what I'm planning so far.

    Core: 2 x Aruba 3810M (JL075)

    Access: 5 x Aruba 2930M (JL321A) - basic 48-port 1G; 1 x Aruba 2930M (JL324A) - 24-port smart-rate

    The plan for the core is to bring in our three to-be-installed replacement virtual hosts and new SAN, as well as two of our main file servers, all operating at 10G with redundant connections. The virtual hosts and SAN would be segregated to a separate iSCSI VLAN and redundant connections would go into each 3810M from all devices.
    The plan would be to stack the 2930Ms and run 40G uplinks from either end of the stack to the 3810Ms. The JL324A is mixed into the JL321As because we wish to have the ability to run a portion of the client devices at speeds greater than 1G to improve Autodesk Revit shared model performance.

    I've installed my share of Cisco gear, but this is my first foray into Aruba and I have a few questions about this design.

    1. I believe it's the case (but I can't seem to find anything to definitively state it) that the JL324A can be added to a stack of JL321As. Can anyone confirm?
    2. For Aruba stacked devices, when new firmware is released, does the stack as a whole get updated at once or is each device updated separately?
    3. For the 3810M core, since my desire is for each switch to be fully redundant, would it make more sense to not stack them together? My thought is that during switch maintenance when updates to the switches are applied, the individual switches could be restarted without having to bring down anything such as the SAN or the virtual hosts.

    I'm open to comments on the above or any other observations.

    submitted by /u/thomassowellistheman
    [link] [comments]

    Cisco 2921 Input Errors - Overruns with DMZ server running

    Posted: 24 Apr 2018 08:31 AM PDT

    Off one of our Cisco ASA firewall interfaces I have created a DMZ network. Connected to our ASA on the inside interface (behind a 3com switch) is a Cisco 2921 router that connects us with our corporate office. Whenever I have a server running on the DMZ network, we get a lot of input errors / overruns on the LAN facing interface on the 2921 router. No other interface is getting these errors, just on the 2921. Performance does not seem to be impacted at all but it just seems really strange. Jumbo frames are disabled throughout; I have also tried to enable flow control but it doesn't seem to make any difference. Anyone have any clue as to why we are seeing massive input errors?

    submitted by /u/rockysworld
    [link] [comments]

    IP /24 Block monthly rental charge

    Posted: 24 Apr 2018 11:41 AM PDT

    Hi All,

    I have a customer that we are going to rent 2 /24 blocks to in APAC until they can move to their own IP block. What would a reasonable charge for this be?

    Thanks

    submitted by /u/jsmith1299
    [link] [comments]

    Packet analysis

    Posted: 24 Apr 2018 02:23 PM PDT

    Greetings everyone!! I am looking for suggestions on which vendor to look at when it comes to packet capturing and analysis. I am working with a financial organization that moves traffic at 10Gbps at a minimum and 100Gbps as a max. I need the ability to gather historical data at least for a few days to analyze packet drops and do capacity planning. NetScout has some offerings but I'm looking to compare.

    submitted by /u/mpmoore69
    [link] [comments]

    Cisco SG350X-48P stacking question

    Posted: 24 Apr 2018 02:07 PM PDT

    I am having a hard time finding how the stack works on the SG350X series of switches

    The SG350X-48P has 4 x 10G SFP+ ports. The last 2 can be used for stacking

    Does that mean I can stack 2 x SG350X-48P's together, and then have 6 x SFP+ Ports left over for devices? That would make the stack link 10GB

    I would assume so, however I could also see them being reserved for stacking once it's in a stack

    So, does that then mean that I would connect both of them, giving me a 20G stack link and have 4 x SFP+ ports left over total?

    The Cisco documentation for the SG series seems a bit lacking...

    submitted by /u/IndependentRecipe6
    [link] [comments]

    Layer 2 Filter Outbound

    Posted: 24 Apr 2018 01:50 PM PDT

    Running into a problem where an AP needs to broadcast a message on a segment to communicate with its controller. However, I want this broadcast message filtered out on that segment to the devices it's not supposed to go to. It's a bit dirty doing some sort of outbound layer 2 filtering, but since it's a broadcast frame, I can't filter based on some sort of inbound mac-acl where the AP is connected. However there doesn't appear to be an option to do outbound mac-acl filtering. What other options do I have?

    submitted by /u/sg4rb0sss
    [link] [comments]

    DCI and MPLS Question

    Posted: 24 Apr 2018 01:46 PM PDT

    This might be a really stupid question but for whatever reason, I cannot find a straightforward answer. Do DCI solutions like EVPN require MPLS or can they be done over regular IP connections? I always see the layer 2 over layer 3 solutions referenced alongside MPLS. The DCI side is a bit new to me so I'm just looking for some clarification.

    submitted by /u/suddenjelly
    [link] [comments]

    Shadow Vlans for service providers

    Posted: 24 Apr 2018 10:00 AM PDT

    Please see the article below that states that TTB has rolled out shadow vlans which in effect will re-route down interconnects keeping Ethernet services live.

    https://commsbusiness.co.uk/news/talktalk-business-launches-shadow-vlan/

    However, after a bit of googling I cannot find any technical detail on how this is being done. Is anyone able to shed any light on this for me, for example config of any kind?

    submitted by /u/potternet
    [link] [comments]

    Using Palo Alto Virtual Wire to secure a DMZ?

    Posted: 24 Apr 2018 09:58 AM PDT

    Our Sysadmins are rolling out a server that requires an interface with a publicly routable address on it, accessible from the outside. We've got a /29 from our ISP so I've got the addresses to spare, but I've never designed a DMZ before and I'm interested in people's Best Practices for this kind of thing. I'm told by our sysadmins that they've heard a lot of anecdotal reports that even 1:1 NAT causes a lot of problems with this specific service and they need to be able to put the actual public address on the physical interface of the server.

    After bouncing ideas around inside our department, my thought is to take an interface from our ISP distro VLAN on an external switch, and run it through a Virtual Wire on our Palo Alto 3020 firewalls to a null-routed VLAN on our server switch. As diagrammed here.

    To my mind, this would give us full visibility into the traffic and ability to block based on all the factors, while still being totally transparent to the service and allowing a public address on the server's physical interface.

    Am I crazy here? Is this a terrible idea, will I ruin the internet and accidentally kill kittens with it?

    submitted by /u/Princess_Fluffypants
    [link] [comments]

    UPDATE: Do iBGP speakers advertise their update source to neighbors?

    Posted: 24 Apr 2018 01:34 PM PDT

    Link to previous post.

    Quick refresher: iBGP neighbors peered loopback-to-loopback in the usual fashion aren't advertising their own loopback address (their update-source) to their neighbors. Is this normal?

    The consensus in that thread was:

    • Wanting the update-source advertised to peers is a reasonable thing to want.
    • Other platforms don't surprise in this regard.
    • Maybe it's a bug.
    • Call Palo Alto TAC.

    The answer (drumroll please)...

    It's a feature.

    Transparently dropping your own peering address[1] from BGP advertisements was added to PAN OS around version 6.1. This was added to the code to prevent tunnel recursion problems[2].

    So that's... Weird. Without revised software I'll need to provision extra loopback IPs on each box, just for BGP to use. Then do all of my normal management stuff using other addresses.

    This should be fun for the next guy to figure out.

    [1] This may only apply to loopback interfaces and iBGP peers. The wording in the internal writeup wasn't clear about exactly how to trigger the feature.

    [2] Fixing a recursion problem this way is a super weird choice IMO. I'd much rather have all the rope required to hang myself, plus the tooling to protect myself.

    submitted by /u/kWV0XhdO
    [link] [comments]

    LDAP and SMTP from DMZ to LAN

    Posted: 24 Apr 2018 01:34 PM PDT

    Is this safe? My boss wants to enable AD user authentication and email generation from a public-facing FTP server in the DMZ to the LAN. I could just open up those specific ports to a specific IP address but I'm not sure from a security standpoint if that is best practice.

    submitted by /u/rockysworld
    [link] [comments]

    Cisco VIRL - 20 nodes. By nodes, do they mean 20 layer 3 interfaces, or 20 devices?

    Posted: 24 Apr 2018 09:02 AM PDT

    HPE 2920-24G switches to Watchguard multi wan - Dedicate Voice vlan to secondary External

    Posted: 24 Apr 2018 12:08 PM PDT

    Setup:

    3 HP 2920-24G switches

    2 Vlans - Voice and Data

    Windows DHCP Server - hands out addresses to 10.x (Data) and 150.X (Voice)

    I have the IP phones working as expected and hopping on the voice vlan, getting a new IP from the voice scope and working as expected. The only problem is that our main connection has a high latency route to the PBX location. Our copper connection (Secondary external) has a low latency route and I want to specifically force the voice vlan to use the secondary external to help with the delay problems being reported by users.

    I've tried using policy based routing (override checkbox) and created both vlans within the watchguard. When I do this, the phones drop their IPs and no longer get an IP address at all. I've tried setting Send and receive tagged traffic for selected vlans on both vlans and vice versa in case I had everything backwards. I also tried setting send and receive untagged traffic for the data vlan. Data flows as it should, but the voice vlan just drops out. I know this has to be something simple I'm missing as I'm not much of a network admin, more sys admin than anything.

    Watchguard info: Int type - VLAN

    Vlan1 - data ipv4 address is the address of the watchguard

    vlan10 - voice ipv4 address is the address of the switch with the route to the 10.x network

    I've setup policies specifically for all mitel ip phone ports

    From Any-external To Vlan10

    From Vlan10 to Any-External

    Both policies have PBR enabled for the T1 interfaces.

    Thanks in advance!

    submitted by /u/Howrnetwork
    [link] [comments]

    Zenoss 4.2.5 - no longer sending emails (x-post from /r/Zenoss)

    Posted: 24 Apr 2018 08:18 AM PDT

    We use smtp-relay.gmail.com to send our Zenoss emails and it stopped working about a month ago. From the server, I can NOT ping smtp-relay.gmail.com or the IP address which implies, to me, that the networking is no longer working but Zenoss is fully functional otherwise.

    This install was from the ovf file built on CentOS 5.

    Any suggestions?

    submitted by /u/hawknoob
    [link] [comments]

    HP Switch Remembering Fail-over Route?

    Posted: 24 Apr 2018 08:11 AM PDT

    I have a weird problem I can't figure out, hoping one of you folks can assist.

    I have around 100 HP switches (mostly 8350's - as is the case in this story) across the country and an IMC server in the datacenter.

    At a handful of our locations we have failover routes, if the MPLS goes down the router directs traffic to a VPN appliance at .2 and the important traffic is let through until the MPLS is restored.

    When a location fails over, the switch learns that its new route to our IMC server is through the VPN appliance at .2 and it won't forget that, so when the MPLS comes back online the IMC server can't communicate with any of the switches at the location that recently failed over because it's using the MPLS path to communicate and they're trying to reply over the VPN tunnel.
    When trying to communicate to anything else on the same subnet as the IMC server the switch uses its default gateway as configured.

    Is there anything I can do aside from rebooting the switch to make it use the default route and stop thinking it knows better than its configuration?

    submitted by /u/Smaz1087
    [link] [comments]
