    Monday, April 23, 2018

    New Mikrotik security vulnerability (>= 6.29) - system user database and passwords at risk Networking


    New Mikrotik security vulnerability (>= 6.29) - system user database and passwords at risk

    Posted: 23 Apr 2018 04:34 AM PDT

    Source: https://forum.mikrotik.com/viewtopic.php?f=21&t=133533

    We have discovered a new RouterOS vulnerability affecting all RouterOS versions since v6.29.

    How it works: The vulnerability allowed a special tool to connect to the Winbox port, and request the system user database file.

    Versions affected: 6.29 to 6.43rc3 (included). Updated versions in all release chains coming ASAP.

    Am I affected? Currently there is no sure way to see if you were affected. If your Winbox port is open to untrusted networks, assume that you are affected and upgrade + change password + add firewall. The log may show an unsuccessful login attempt, followed by a successful login attempt from unknown IP addresses.

    What to do: 1) Firewall the Winbox port from the public interface, and from untrusted networks. It is best if you only allow known IP addresses to connect to your router to any services, not just Winbox. We suggest this to become common practice. As an alternative, possibly easier, use the "IP -> Services" menu to specify "Allowed From" addresses. Include your LAN, and the public IP that you will be accessing the device from. 2) Change your passwords.

    What to expect in the coming hours/days: Updated RouterOS versions coming ASAP. RouterOS user database security will be hardened, and deciphering will no longer be possible in the same manner.

    submitted by /u/getfuture
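
The log pattern the advisory describes (a failed login followed by a successful one from an unknown address), as an added Python example that is not part of the original post or of MikroTik's tooling. The log lines are constructed, and the message wording, the trusted range 192.168.88.0/24 and the function names are assumptions to adapt to your own router's log.

```python
import ipaddress
import re

# Assumption: the networks you legitimately administer the router from.
TRUSTED = [ipaddress.ip_network("192.168.88.0/24")]

# Assumed wording of RouterOS login events; check it against your own log export.
FAIL_RE = re.compile(r"login failure for user (?P<user>\S+) from (?P<ip>\S+) via (?P<svc>\S+)")
OK_RE = re.compile(r"user (?P<user>\S+) logged in from (?P<ip>\S+) via (?P<svc>\S+)")

# Constructed sample log (documentation addresses), not taken from a real router.
SAMPLE_LOG = """
apr/23 03:11:52 system,error,critical login failure for user admin from 203.0.113.45 via winbox
apr/23 03:11:54 system,info,account user admin logged in from 203.0.113.45 via winbox
apr/23 08:00:10 system,error,critical login failure for user admin from 192.168.88.20 via winbox
apr/23 08:00:31 system,info,account user admin logged in from 192.168.88.20 via winbox
apr/23 09:40:02 system,info,account user admin logged in from 198.51.100.7 via ssh
apr/23 09:41:00 system,error,critical login failure for user admin from 198.51.100.9 via winbox
"""


def is_trusted(ip, trusted=TRUSTED):
    """True if ip parses as an address inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # e.g. a MAC address from a layer-2 Winbox session
        return False
    return any(addr in net for net in trusted)


def find_suspicious_logins(lines, trusted=TRUSTED, service="winbox"):
    """Report logins from untrusted addresses that follow a failure from the same address."""
    last_failure = {}  # source address -> line number of its most recent failure
    findings = []
    for n, line in enumerate(lines, 1):
        m = FAIL_RE.search(line)
        if m:
            if m["svc"] == service:
                last_failure[m["ip"]] = n
            continue
        m = OK_RE.search(line)
        if m and m["svc"] == service and not is_trusted(m["ip"], trusted):
            failed_at = last_failure.pop(m["ip"], None)
            if failed_at is not None:
                findings.append({"ip": m["ip"], "user": m["user"],
                                 "failed_line": failed_at, "login_line": n})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_logins(SAMPLE_LOG.strip().splitlines()):
        print(hit)
```

An empty result does not clear a router: the post states there is currently no sure way to tell whether a device was affected, so the upgrade, password change and firewall steps apply regardless.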

    Necessity of a border leaf in a spine leaf topology

    Posted: 23 Apr 2018 08:32 AM PDT

    We're in the process of designing a L3 BGP-EVPN network for our two datacenters. The plan is separate spine switches in each datacenter and then have an interconnect between datacenters, as well as peering between the datacenter and our campus core as well as a L2 LAG from the old L2 legacy networks into the new, using VXLAN to deliver them until the servers can be re-ip'd.

    My question lies in the necessity of a border leaf. It seems a lot of designs use a dedicated pair of leafs for the interconnect between datacenters, as well as the peering to the internet/core/etc.

    We are on a limited budget so what I'm looking for is a compelling reason or argument for doing this as opposed to just attaching those connections directly to the spine. Why should I use a border leaf?

    submitted by /u/LanaCallKennyLoggins

    adding IP cameras and NVR to a Cisco shop

    Posted: 23 Apr 2018 03:00 PM PDT

    I have been working on a project for my employer on setting up a new IP camera system for the building. Currently, they're using coax for the cameras and DVR that is about 9 years old. The picture quality is garbage and the software they have with it isn't what I would call user friendly for the technically illiterate.

    I am currently in the initiation phase of this project and trying to see if it will be feasible for me to setup and get management approval on. The one thing I was concerned about was whether a QoS configuration would be an issue or even necessary? This is a building of about 100 connected devices and the plan is to use about 20 IP cameras total with (2) 16 channel NVRs. We are not running a flat network and use multiple VLANs, redundant uplinks, etc. I am not super knowledgeable about QoS configs on Cisco Catalyst switches so maybe someone can get me started with what I should know.

    Thanks

    submitted by /u/rezadential

    Anybody else's VPN to China come back up?

    Posted: 23 Apr 2018 06:06 AM PDT

    The ipsec VPN from one of our data centers to our facility in China has been down for about a year. A few days ago, it came back up and has been up ever since.

    Anybody else see previously blocked China VPNs start working?

    submitted by /u/kcornet

    Help setting up Phone VoIP System on Arris router

    Posted: 23 Apr 2018 03:00 PM PDT

    So I have a company router that's old and was setup prior by another technician and the company I work for is switching ISP.

    So we are no longer using ISP & Router A and we are now using ISP & Router B.

    Everything in A is setup to allow full Wifi and connection to the internet and the VoIP called MegaPath works.

    With B, everything works with Wifi and full connection to the internet but I can't seem to get the right settings for the VoIP to work. Such as the In/Outbound's & UDP's & Protocols.

    If anyone has done this before, especially on an Arris, please comment and help me.

    Also I was thinking in the future to upgrade the router to a better one that's both provided by the ISP or pay monthly for a service from MegaPath that runs our phone system with 24/7 support plus you pay for a nice router monthly that gets replaced if broken or fails.

    submitted by /u/CEOTRAMMELL

    Moronic Monday!

    Posted: 23 Apr 2018 05:12 AM PDT

    It's Monday, you've not yet had coffee and the week ahead is gonna suck. Let's open the floor for a weekly Stupid Questions Thread, so we can all ask those questions we're too embarrassed to ask!

    Post your question - stupid or otherwise - here to get an answer. Anyone can post a question and the community as a whole is invited and encouraged to provide an answer. Serious answers are not expected.

    submitted by /u/AutoModerator

    Quick question about recovery of the password from Cisco MDS

    Posted: 23 Apr 2018 02:07 PM PDT

    I got in my hands a Cisco MDS 9148 in production and no admin password. I have no idea of the configuration this thing has inside and I wanted to know if this guide won't break all the config while trying to recover the pass.

    https://www.cisco.com/c/en/us/support/docs/storage-networking/mds-9000-series-multilayer-switches/29441-8.html

    If anyone can give me a hand I would appreciate it.

    submitted by /u/too_afraid_to_regex

    Tracking bandwidth bills

    Posted: 23 Apr 2018 01:52 PM PDT

    What do you all use for tracking your bandwidth utilization against your monthly invoices?

    I'm looking for something that can monitor and track our bandwidth usage (95 percentile) and report back the usage per month. This is so I can confirm our invoices from ISPs match what we're actually doing. I've been using our SNMP graphs to best guess it but looking for something more granular

    submitted by /u/gerrrrrrrrr

    Quick VLAN help with HP procurve (2920s)

    Posted: 23 Apr 2018 01:28 PM PDT

    Scenario:

    You have a building wired with several 2920's back to a main switch. None of them are configured and sh run lists everything being on DEFAULT_VLAN communicating effectively. I have created a VLAN 2 from the far remote switch heading back towards the main switch. It seems I now have to tag my vlan 2 across an uplink fiber port that carries all the untagged traffic for Default_VLAN. Will this carry the traffic for both or only what's on vlan 2?

    submitted by /u/lightswitch123

    Issues with BFD between AWS and Juniper SRX?

    Posted: 23 Apr 2018 12:46 PM PDT

    Does anyone have BFD running between AWS and a juniper SRX on their direct connect links? I've got an SRX1500 running 15.1X49 that simply will not negotiate BFD with amazon. BFD on the device itself seems to work fine, I can enable it for any number of other peers- just not with AWS. The sessions are stuck in 'Init' state, not 'Down', which leads me to wonder if there's some negotiation problem happening. Yes, BFD is defined as an allowed inbound system protocol on the security zone.

    I've got a ticket open with AWS, but in the meantime, I was hoping someone may have seen this before.

    cheers

    submitted by /u/switchninja

    Conditional statements FreeRadius

    Posted: 23 Apr 2018 12:04 PM PDT

    Hi there,

    I set up my FreeRadius server at my company and so far we figured out how to send VSA to our Aruba controller and so forth. Now we would like to implement some "conditional statements" like: if EAP/PEAP ok and @mac ok go to secure network, if EAP/PEAP ok and @mac is unknown then GO to BYOD network.

    So we understand that we would need to do those statements with "Unlang" from FreeRadius. Do you guys have some references or examples that we might use?

    Cheers!

    submitted by /u/xzi_vzs

    How is a VPN you use whilst surfing the net different to connecting to your office through a VPN?

    Posted: 23 Apr 2018 03:19 PM PDT

    So I have a VPN service which masks my public IP address when online. I also connect to the internal network at my office through a VPN.. now these two scenarios seem very different to me yet both fall under VPN usage.

    submitted by /u/Reacher45

    Niagara exporting/scripting

    Posted: 23 Apr 2018 11:05 AM PDT

    We are doing a Niagara trane integration to our compass system for BAS controls. The work is very repetitive and my experience is limited with this toolset, I'm trying to find anything I can to help automate parts of the process. Sorry I'm not giving much detail, I'll answer any questions to help clarify but these tools don't talk to each other well and I see that what needs to be done could be migrated easily if I could get something to pull the data from one place and populate it to another but I don't even know where to start with what kind of tools I would need.

    submitted by /u/singlevice

    Impact of compression and encryption

    Posted: 23 Apr 2018 03:21 AM PDT

    Hi,

    I am trying to find the effect of my compression and encryption algorithms. I chose to simulate using Tetcos Netsim. What I found was that there was no effect on throughput and delay. I ran their simulation with and without default encryption and I still could not see the effect on throughput or delay. What am I doing wrong or that's how it usually is? Thanks for reading.

    submitted by /u/vigneshvelu

    Good old Cisco 800 with IOS 12.4 , Twice NAT?

    Posted: 23 Apr 2018 09:19 AM PDT

    Hi Gents,

    I'm struggling from about 2 days on this configuration, searching for a solution.

    The scenario is simple (all Ips are fake):

    I need to access to a service on port 8080 from Internet .

    Between my client and the remote network I have an ADSL Router and a Cisco 800 with IOS 12.4

    The remote device is natted behind a firewall that accepts request on his WAN interface (10.31.0.1-2-3) only from the network defined (in this case 10.31.0.0/24) .

    So, I just need to reach one of these firewall pretending to be a device on that subnet.

    I'm gonna post a network layout and my actual sanitized config, that is the result of a HARD digging through cisco official and unofficial forums.

    Network layout: https://ibb.co/jvq3Gx

    I also wanna point out some more ts steps already done:

    -proxy arp is enabled on Vlan23

    -I can't rely on nvi nat, because the device is on a remote site so I can't reconfigure it completely.

    -I can get this to work with an IKEV1 IPSEC vpn client or S2S (already in place but not included in the config) , but for this scenario is not suitable.

    (all commands made on RTR-A)

    sh ip nat trans

    Pro  Inside global      Inside local     Outside local      Outside global
    tcp  30.30.30.30:8080   10.31.0.1:8080   10.31.0.224:63938  80.80.80.80:63938

    ip nat debug (when the client ask for the service behind 8080)

    Oct 17 20:02:31.000: NAT: s=80.80.80.80->10.31.0.224, d=30.30.30.30 [31879]
    Oct 17 20:02:31.000: NAT: s=10.31.0.224, d=30.30.30.30->10.31.0.1 [31879]
    *Oct 17 20:02:35.184: NAT: expiring 30.30.30.30 (10.31.0.1) tcp 8080 (8080)

    sh run

    https://pastebin.com/Pf4v4RXn

    Many thanks to anyone will spend time on this,

    This is not a critical config for our environment, but I really want to figure out what I'm doing wrong.

    Regards

    submitted by /u/melchi0rre

    Adding IPv6 to existing BGP peering

    Posted: 23 Apr 2018 09:03 AM PDT

    We've recently been issued our first Public IPv6 range by ARIN and I'm looking to add it to our existing ISP peering.

    I'm still very green when it comes to IPv6 and suddenly I have to get up to speed very fast...

    Our peering is pretty straight forward, single ISP and we are only accepting the default route for now.

    Looking for best practice suggestions for the setup.

    • Should I include anything in my prefixes aside from the IPv6 range itself and the routes I accept?

    • Any issues with my transit route to my ISP being IPv4?

    • Is it just a matter of me creating my new internal interface and adding my IPv6 neighbor + network statements?

    Current Cisco router config:

    router bgp XXXXX

    bgp router-id IP address

    bgp log-neighbor-changes

    neighbor ISPRouter remote-as XXXX

    neighbor ISPRouter password 7 12345

    neighbor ISPRouter timers 30 90

    address-family ipv4

     network **Range**
     neighbor **ISPRouter** activate
     neighbor **ISPRouter** send-community both
     neighbor **ISPRouter** next-hop-self
     neighbor **ISPRouter** soft-reconfiguration inbound
     neighbor **ISPRouter** route-map ISP-in in
     neighbor **ISPRouter** route-map ISP-out out

    exit-address-family

    submitted by /u/DarkAlman

    EIGRP wide scale metrics for links 1Gbps or less

    Posted: 23 Apr 2018 02:30 AM PDT

    On the Cisco docs I noticed this:

    Total Latency for bandwidths below 1 gigabit = (Delay*65536)/10, where 65536 is the wide-scale constant.

    Total Latency for bandwidths above 1 gigabit = (10^7 * 65536/10) / Bw, where 65536 is the wide-scale constant.

    Does that not result in 1Gbps and 100Mbps having the same interface speed?

    Does this have something to do with the minimum delay configured is "delay 1" which results in 10us?

    I don't have a router to test on right now.

    source:

    https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/15-sy/ire-15-sy-book/ire-wid-met.html

    submitted by /u/SuddenWeatherReport

    Patchpanel with unshielded cables

    Posted: 23 Apr 2018 08:22 AM PDT

    Hello, I'm wondering if there is a problem to put up a new patchpanel that has unshielded cables connected to it which are connected to unshielded sockets, in an old office where there is already a shielded patch panel with shielded outlets?

    I understand that the shielded cable must be shielded all the way but is it okay to mix unshielded and shielded "networks" in the switch?

    I hope I have expressed this somewhat understandably.

    submitted by /u/Davidberth

    MLNX-OS and unsupported transceivers - unlock command?

    Posted: 23 Apr 2018 07:48 AM PDT

    Hi All,

    We got some transceivers that our reps told us would be compatible, but MLNX-OS is saying it's unsupported - yet it will show the full info about it - but not bring up the interface.

    I know with some switches you need to supply a command to enable unsupported ones. Anyone know this for MLNX-OS? We've been looking for over an hour now, and not getting any closer to finding it out.

    Cheers

    submitted by /u/imsundee

    L3 issues this morning?

    Posted: 23 Apr 2018 06:48 AM PDT

    I checked https://islevel3down.com/

    I am dropping packets regularly to 8.8.8.8 anybody else having issues?

    submitted by /u/Bad_at_IT

    Aruba vs old-procurve

    Posted: 23 Apr 2018 06:40 AM PDT

    Anyone here have experience with the new HP-Aruba switch product line?

    I have a customer that's mostly an A-series Procurve shop and they are looking to add some more of the same if possible.

    Did they abandon the A-series command line in favour of Aruba or the other way round?

    submitted by /u/DarkAlman

    Experienced network engineers, which advice would you give less experienced engineers?

    Posted: 22 Apr 2018 04:11 PM PDT

    Hi,

    I'm 22. I've been interested in the networking for a long time (since a high school). I learn, repeat and try to avoid mistakes but still... I sometimes feel I could have done it better if...

    I'd like to know which techniques should we avoid. Which techniques should we apply. Which sites / forums / channels should we regularly check but especially...

    What could you've done in a different manner if you had had know-how.

    I'd like to know general tips / tricks etc.

    Thank you.

    submitted by /u/a_broken_loner

    Private WAN

    Posted: 22 Apr 2018 08:10 PM PDT

    Just want to make sure I understand this correctly.

    If I want to run a private WAN between offices I could do the following:

    1) Procure a private link through the providers network. I could use BGP between sites for connectivity and routing.

    2) Procure a private MPLS provider managed link, still use BGP but my QoS tagged traffic would be considered?

    3) Procure a private link and run my own MPLS and BGP?

    In all cases it would most likely be an ethernet connection into the router and depending on cost bandwidth would vary depending on the provider offerings?

    If I have an HQ with most of the resources, e.g. AD, Finance application, Sharepoint, Mail, etc and the remote sites need to access this, is there much use in not going with a hub and spoke routing setup?

    https://www.cisco.com/c/dam/en/us/solutions/collateral/borderless-networks/teleworker/guide_c07-682749.doc/_jcr_content/renditions/guide_c07-682749-1.jpg

    Thanks in advance.

    submitted by /u/popotatoe
