Hijack of Amazon’s internet domain service used to reroute web traffic for two hours unnoticed - Networking
- Hijack of Amazon’s internet domain service used to reroute web traffic for two hours unnoticed
- MPLS and IPSEC backup
- Are there any copper sfps that can handle 10g over a distance of 200 feet?
- IPSec throughput speed
- HP 2530 - LACP convergence failover time
- Cisco IOS MAB - How exactly does it learn the MAC addresses?
- Request - Recommendations for VPN for radiologists (high throughput)
- Performance Review/Merit Raises
- What does this WCCP do and is it fully configured on my router? I can only see being part of DMVPN.
- Fortigate IPSec Site-to-Site to StrongSwan
- Looking for opinion on Aruba configuration
- Cisco 2921 Input Errors - Overruns with DMZ server running
- IP /24 Block monthly rental charge
- Packet analysis
- Cisco SG350X-48P stacking question
- Layer 2 Filter Outbound
- DCI and MPLS Question
- Shadow Vlans for service providers
- Using Palo Alto Virtual Wire to secure a DMZ?
- UPDATE: Do iBGP speakers advertise their update source to neighbors?
- LDAP and SMTP from DMZ to LAN
- Cisco Virl - 20 nodes. BY nodes, do they means 20 layer 3 interfaces? or 20 devices?
- HPE 2920-24G switches to Watchguard multi wan - Dedicate Voice vlan to secondary External
- Zenoss 4.2.5 - no longer sending emails (x-post from /r/Zenoss)
- HP Switch Remembering Fail-over Route?
Hijack of Amazon’s internet domain service used to reroute web traffic for two hours unnoticed
Posted: 24 Apr 2018 11:35 AM PDT
This originally looked like a DNS issue, then a route leak, and now it's thought to have been a man-in-the-middle attack mounted from within an Equinix data center in Chicago. We had a lot of customers with issues this morning.
MPLS and IPSEC backup
Posted: 24 Apr 2018 06:25 AM PDT
We're in the process of adding an MPLS VPN between two locations where we currently run IPSEC. I was wondering if we could keep the IPSEC as backup and run the MPLS as our main connection to the other location. Both locations are running Cisco ASAs. Would having a static route on each ASA pushing the traffic to the MPLS IP ignore the IPSEC config? And if we wish to use the IPSEC, does removing the static route automatically bring up the IPSEC tunnel?
Are there any copper sfps that can handle 10g over a distance of 200 feet?
Posted: 24 Apr 2018 11:16 AM PDT
IPSec throughput speed
Posted: 24 Apr 2018 11:05 AM PDT
Hi Everyone, just a question on how to maximize throughput in IPSec tunneling. I have two Fortigate 200D devices utilizing IPSec site-to-site. I used iperf to see their speed and it's a mix between 25-30 Mbps and 10 Mbps at certain times. I checked the phase 1 and 2 protocols and even minimized the amount of encryption algorithms they would use to talk to one another. For these devices it says the maximum throughput should be 1.3 Gbps, and the two locations these devices are in have 1GB pipes up and down. Now obviously it won't use the max 1GB pipe, but I imagine that floating 25 Mbps is really slow in comparison to what the data sheet indicates. Anyone have an idea what may be the issue? Also, has anyone had this similar situation before with similar devices? With the Cisco ASAs it was pretty straightforward, so I'm a bit confused myself.
HP 2530 - LACP convergence failover time
Posted: 24 Apr 2018 01:59 AM PDT
Hi, I'm troubleshooting LACP failover at the moment for a customer who requires low failover times on the uplink from their access switches. We are looking for less than 100ms failover time; the access switch is connected over a 2-port LACP aggregate, L2 to the distribution. I'm testing between 2 factory-default Aruba 2530s and have been told the best way to test the failover time is to use sudo ping on an Ubuntu image with an interval of 0.01 seconds and count the failed pings. We are seeing about 60-80 failed pings on a link failure, so if my math is correct that's 600-800ms. The switch log is not showing anything, and trying to find real-world values for failover is hard; I don't think HP like to give out specifics like that. HP recommended upgrading to the latest version, which I've done, but I'm still getting similar results. Any ideas? Is this number not achievable? Is there anything I can do to speed up failover? Thanks!
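One way to turn the counted-pings method described in the post into a repeatable measurement, as an added example that is not part of the original post: this Python script parses Linux ping output (the sample capture below is constructed, at a 0.01 s interval), finds the longest run of missing icmp_seq numbers, and reports the outage as lost pings times the interval, plus the finer wall-clock gap when ping was run with -D timestamps.

```python
"""Estimate LACP failover time from ping output (added example, not from the post).

The post counts failed pings sent at a 0.01 s interval (ping -i 0.01) and
multiplies by the interval; this does the same from captured output, taking
the longest run of missing icmp_seq numbers as the outage.  If ping ran with
-D (Unix timestamps in brackets) the wall-clock gap around that run is also
reported.  SAMPLE below is constructed, not a real capture.
"""
import re

# Linux ping reply line with optional "-D" timestamp prefix; older ping
# versions print icmp_req instead of icmp_seq.
PING_LINE = re.compile(
    r"^(?:\[(?P<ts>\d+\.\d+)\]\s*)?\d+ bytes from \S+: icmp_(?:seq|req)=(?P<seq>\d+)")

# Constructed sample: 0.01 s interval, replies stop after seq 120, resume at 192.
SAMPLE = """\
[1524579600.000] 64 bytes from 10.0.0.2: icmp_seq=118 ttl=64 time=0.21 ms
[1524579600.010] 64 bytes from 10.0.0.2: icmp_seq=119 ttl=64 time=0.20 ms
[1524579600.020] 64 bytes from 10.0.0.2: icmp_seq=120 ttl=64 time=0.22 ms
[1524579600.735] 64 bytes from 10.0.0.2: icmp_seq=192 ttl=64 time=0.25 ms
[1524579600.745] 64 bytes from 10.0.0.2: icmp_seq=193 ttl=64 time=0.21 ms
"""

def parse_replies(text):
    """Return [(seq, timestamp or None)] for each reply line, in order."""
    replies = []
    for line in text.splitlines():
        m = PING_LINE.match(line)
        if m:
            ts = float(m.group("ts")) if m.group("ts") else None
            replies.append((int(m.group("seq")), ts))
    return replies

def longest_outage(replies, interval):
    """Return (lost_pings, outage_ms_by_count, outage_ms_by_clock or None)."""
    best = (0, None, None)  # (lost pings, reply before gap, reply after gap)
    for before, after in zip(replies, replies[1:]):
        lost = after[0] - before[0] - 1
        if lost > best[0]:
            best = (lost, before, after)
    lost, before, after = best
    if lost == 0:
        return 0, 0.0, None
    by_clock = None
    if before[1] is not None and after[1] is not None:
        # Gap between the last good reply and the first reply after the
        # outage, minus one interval for the probe that was still answered.
        by_clock = round((after[1] - before[1] - interval) * 1000, 1)
    return lost, round(lost * interval * 1000, 1), by_clock
```

Feed it the saved output of `ping -D -i 0.01 <target>` captured across the link failure; the count-based figure has 10 ms resolution, the clock-based one is limited only by the host's timer.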
Cisco IOS MAB - How exactly does it learn the MAC addresses?
Posted: 24 Apr 2018 11:22 AM PDT
I know, the question sounds dumb - of course it learns the MAC addresses from the source MAC of the frames it receives. That's not quite what I'm asking. I know that when the switch receives a frame, it records the source MAC address into the CAM table, for that port/VLAN. Got it. When the MAB process is executing, it uses the known MAC address to authenticate. What source does MAB use to determine the MAC address? Does it look in the CAM table for the MAC addresses on that port? Or does it require an actual frame to enter the switch before it can begin the MAB process? Consider this scenario:
If the switch uses the CAM table, it still has an entry for the device, and can authenticate the device, and it will reauthenticate at 5:00:00 (+/- some seconds). If the switch requires an actual frame, the port will unauthenticate at 5:00:00, and remain unauthenticated until 5:06:00 when the device sends its next frame. This means the device was 'down' for six minutes. Thoughts?
Request - Recommendations for VPN for radiologists (high throughput)
Posted: 24 Apr 2018 08:09 AM PDT
We currently run a very old Cisco ASA 5510 and it is just not keeping up with the demands of our high-throughput users. It very well may not be a device issue; however, I have been told to assess a new VPN. The question is, do I just go with a new ASA, or is there something like Juniper with known faster throughput for client-based or clientless VPN?
Performance Review/Merit Raises
Posted: 24 Apr 2018 05:47 AM PDT
If you don't mind me asking, how much of a raise did you guys get last year and this year?
What does this WCCP do and is it fully configured on my router? I can only see being part of DMVPN.
Posted: 24 Apr 2018 01:16 PM PDT
The below is my full config on WCCP.
interface Tunnel0
sh access-l WAAS-REDIRECT-LIST
#sh run | i wccp
Fortigate IPSec Site-to-Site to StrongSwan
Posted: 24 Apr 2018 02:27 AM PDT
Hello /r/networking, please could you guide me in the right direction. I need to establish a kind of site-to-site VPN to route traffic from some internal networks to a Linux host and then on to the internet. I was able to establish an IPSec tunnel between the Fortigate and an Ubuntu host with strongSwan.
Here is the config of strongswan (ipsec.conf):
config setup
ipsec.secret:
#RSA private key for this host, authenticating it to any other host
sysctl.conf:
net.ipv4.ip_forward=1
Output of ifconfig:
eth0 Link encap:Ethernet HWaddr e6:70:3b:39:07:12
lo Link encap:Local Loopback
vti0 Link encap:IPIP Tunnel HWaddr
As you can see, RX packets:152 - icmp packets going out from the FG to vti0.
Route table of the Linux host:
Kernel IP routing table
Output of ipsec status:
FortiGate Routed Connections:
Tunnel status from the Fortigate:
get vpn ipsec tunnel name VPN-DO
gateway
get router info routing-table all
S* 0.0.0.0/0 [1/0] via 185.X.X.X, wan1, [0/56]
But I can't get any traffic (even an icmp response) back. Do you have any ideas?
Looking for opinion on Aruba configuration
Posted: 24 Apr 2018 09:14 AM PDT
I'm planning for a replacement of the switching in our main office. If it helps, the current setup (which was in place when I arrived) is a single Nexus 5548UP with six 2248TP fabric extenders providing all of the access. I'm aware this isn't a recommended config as the FEXes are meant for TOR and there should be a second 5548UP for redundancy. Here's what I'm planning so far.
Core: 2 x Aruba 3810M (JL075)
Access: 5 x Aruba 2930M (JL321A) - basic 48-port 1G; 1 x Aruba 2930M (JL324A) - 24-port smart-rate
The plan for the core is to bring in our three to-be-installed replacement virtual hosts and new SAN, as well as two of our main file servers, all operating at 10G with redundant connections. The virtual hosts and SAN would be segregated to a separate iSCSI VLAN and redundant connections would go into each 3810M from all devices. I've installed my share of Cisco gear, but this is my first foray into Aruba and I have a few questions about this design.
1. I believe it's the case (but I can't seem to find anything to definitively state it) that the JL324A can be added to a stack of JL321As. Can anyone confirm?
2. For Aruba stacked devices, when new firmware is released, does the stack as a whole get updated at once or is each device updated separately?
3. For the 3810M core, since my desire is for each switch to be fully redundant, would it make more sense to not stack them together? My thought is that during switch maintenance when updates to the switches are applied, the individual switches could be restarted without having to bring down anything such as the SAN or the virtual hosts.
Cisco 2921 Input Errors - Overruns with DMZ server running
Posted: 24 Apr 2018 08:31 AM PDT
Off one of our Cisco ASA firewall interfaces I have created a DMZ network. Connected to our ASA on the inside interface (behind a 3Com switch) is a Cisco 2921 router that connects us with our corporate office. Whenever I have a server running on the DMZ network, we get a lot of input errors / overruns on the LAN-facing interface on the 2921 router. No other interface is getting these errors, just the one on the 2921. Performance does not seem to be impacted at all, but it just seems really strange. Jumbo frames are disabled throughout; I have also tried to enable flow control but it doesn't seem to make any difference. Anyone have any clue as to why we are seeing massive input errors?
IP /24 Block monthly rental charge
Posted: 24 Apr 2018 11:41 AM PDT
Hi All, I have a customer that we are going to rent 2 /24 blocks to in APAC until they can move to their own IP block. What would a reasonable charge for this be? Thanks
Packet analysis
Posted: 24 Apr 2018 02:23 PM PDT
Greetings everyone! I am looking for suggestions on which vendor to look at when it comes to packet capturing and analysis. I am working with a financial organization that moves traffic at 10Gbps at a minimum and 100Gbps as a max. I need the ability to gather historical data for at least a few days to analyze packet drops and do capacity planning. NetScout has some offerings but I'm looking to compare.
Cisco SG350X-48P stacking question
Posted: 24 Apr 2018 02:07 PM PDT
I am having a hard time finding out how the stack works on the SG350X series of switches. The SG350X-48P has 4 x 10G SFP+ ports. The last 2 can be used for stacking. Does that mean I can stack 2 x SG350X-48Ps together, and then have 6 x SFP+ ports left over for devices? That would make the stack link 10GB. I would assume so; however, I could also see them being reserved for stacking once it's in a stack. So, does that then mean that I would connect both of them, giving me a 20G stack link, and have 4 x SFP+ ports left over total? The Cisco documentation for the SG series seems a bit lacking...
Layer 2 Filter Outbound
Posted: 24 Apr 2018 01:50 PM PDT
Running into a problem where an AP needs to broadcast a message on a segment to communicate with its controller. However, I want this broadcast message filtered out on that segment to the devices it's not supposed to go to. It's a bit dirty doing some sort of outbound layer 2 filtering, but since it's a broadcast frame, I can't filter based on some sort of inbound mac-acl where the AP is connected. However, there doesn't appear to be an option to do outbound mac-acl filtering. What other options do I have?
DCI and MPLS Question
Posted: 24 Apr 2018 01:46 PM PDT
This might be a really stupid question but for whatever reason, I cannot find a straightforward answer. Do DCI solutions like EVPN require MPLS or can it be done over regular IP connections? I always see the layer 2 over layer 3 solutions referenced alongside MPLS. The DCI side is a bit new to me so I'm just looking for some clarification.
Shadow Vlans for service providers
Posted: 24 Apr 2018 10:00 AM PDT
Please see the article below, which states that TTB has rolled out shadow VLANs which in effect will re-route down interconnects, keeping Ethernet services live. https://commsbusiness.co.uk/news/talktalk-business-launches-shadow-vlan/ However, after a bit of googling I cannot find any technical detail on how this is being done. Is anyone able to shed any light on this for me, for example config of any kind?
Using Palo Alto Virtual Wire to secure a DMZ?
Posted: 24 Apr 2018 09:58 AM PDT
Our sysadmins are rolling out a server that requires an interface with a publicly routable address on it, accessible from the outside. We've got a /29 from our ISP so I've got the addresses to spare, but I've never designed a DMZ before and I'm interested in people's best practices for this kind of thing. I'm told by our sysadmins that they've heard a lot of anecdotal reports that even 1:1 NAT causes a lot of problems with this specific service and they need to be able to put the actual public address on the physical interface of the server. After bouncing ideas around inside our department, my thought is to take an interface from our ISP distro VLAN on an external switch, and run it through a Virtual Wire on our Palo Alto 3020 firewalls to a null-routed VLAN on our server switch. As diagrammed here. To my mind, this would give us full visibility into the traffic and the ability to block based on all the factors, while still being totally transparent to the service and allowing a public address on the server's physical interface. Am I crazy here? Is this a terrible idea, will I ruin the internet and accidentally kill kittens with it?
UPDATE: Do iBGP speakers advertise their update source to neighbors?
Posted: 24 Apr 2018 01:34 PM PDT
Quick refresher: iBGP neighbors peered loopback-to-loopback in the usual fashion aren't advertising their own loopback address (their update-source) to their neighbors. Is this normal? The consensus in that thread was:
The answer (drumroll please)... It's a feature. Transparently dropping your own peering address [1] from BGP advertisements was added to PAN OS around version 6.1. This was added to the code to prevent tunnel recursion problems [2]. So that's... weird. Without revised software I'll need to provision extra loopback IPs on each box, just for BGP to use. Then do all of my normal management stuff using other addresses. This should be fun for the next guy to figure out.
[1] This may only apply to loopback interfaces and iBGP peers. The wording in the internal writeup wasn't clear about exactly how to trigger the feature.
[2] Fixing a recursion problem this way is a super weird choice IMO. I'd much rather have all the rope required to hang myself, plus the tooling to protect myself.
LDAP and SMTP from DMZ to LAN
Posted: 24 Apr 2018 01:34 PM PDT
Is this safe? My boss wants to enable AD user authentication and email generation from a public-facing FTP server in the DMZ to the LAN. I could just open up those specific ports to a specific IP address, but I'm not sure from a security standpoint if that is best practice.
Cisco Virl - 20 nodes. By nodes, do they mean 20 layer 3 interfaces? Or 20 devices?
Posted: 24 Apr 2018 09:02 AM PDT
HPE 2920-24G switches to Watchguard multi wan - Dedicate Voice vlan to secondary External
Posted: 24 Apr 2018 12:08 PM PDT
Setup:
3 HP 2920-24G switches
2 VLANs - Voice and Data
Windows DHCP Server - hands out addresses to 10.x (Data) and 150.X (Voice)
I have the IP phones working as expected and hopping on the voice VLAN, getting a new IP from the voice scope and working as expected. The only problem is, our main connection has a high-latency route to the PBX location. Our copper connection (secondary external) has a low-latency route and I want to specifically force the voice VLAN to use the secondary external to help with the delay problems being reported by users. I've tried using policy-based routing (override checkbox) and created both VLANs within the Watchguard. When I do this, the phones drop their IPs and no longer get an IP address at all. I've tried setting "Send and receive tagged traffic for selected vlans" on both VLANs and vice versa in case I had everything backwards. I also tried setting "send and receive untagged traffic" for the data VLAN. Data flows as it should, but the voice VLAN just drops out. I know this has to be something simple I'm missing, as I'm not much of a network admin, more sysadmin than anything.
Watchguard info:
Int type - VLAN
Vlan1 - data; ipv4 address is the address of the Watchguard
Vlan10 - voice; ipv4 address is the address of the switch with the route to the 10.x network
I've set up policies specifically for all Mitel IP phone ports:
From Any-external To Vlan10
From Vlan10 to Any-External
Both policies have PBR enabled for the T1 interfaces. Thanks in advance!
Zenoss 4.2.5 - no longer sending emails (x-post from /r/Zenoss)
Posted: 24 Apr 2018 08:18 AM PDT
We use smtp-relay.gmail.com to send our Zenoss emails and it stopped working about a month ago. From the server, I can NOT ping smtp-relay.gmail.com or the IP address, which implies, to me, that the networking is no longer working, but Zenoss is fully functional otherwise. This install was from the ovf file built on CentOS 5. Any suggestions?
HP Switch Remembering Fail-over Route?
Posted: 24 Apr 2018 08:11 AM PDT
I have a weird problem I can't figure out; hoping one of you folks can assist. I have around 100 HP switches (mostly 8350s, as is the case in this story) across the country and an IMC server in the datacenter. At a handful of our locations we have failover routes: if the MPLS goes down, the router directs traffic to a VPN appliance at .2 and the important traffic is let through until the MPLS is restored. When a location fails over, the switch learns that its new route to our IMC server is through the VPN appliance at .2 and it won't forget that, so when the MPLS comes back online the IMC server can't communicate with any of the switches at the location that recently failed over, because it's using the MPLS path to communicate and they're trying to reply over the VPN tunnel. Is there anything I can do aside from rebooting the switch to make it use the default route and stop thinking it knows better than its configuration?
You are subscribed to email updates from Enterprise Networking news, blogs and discussion.