Cisco Firepower Rant - Networking
- Cisco Firepower Rant
- Has anyone here got fed up and started hitting the IDK button when expected to know the answer everyone else's problems? How did that work out?
- Resources to learn about L2/L3 networking in the datacenter
- Reason for Global Protect syslog "remove previous login"
- How does advanced enterprise/carrier networking stack up to other IT areas in terms of difficulty?
- Network Channel Bonding with a Twist
- wireless vlan sizing question
- seeing alot of traffic port TCP 445 and UDP 137
- Implementing basic VoIP QoS policy on Catalyst/IOS
- Allowing Broadcasting from printer over different Sonicwall Interfaces
- Network/Telecom Techs, how is fiber in a downtown condo pulled (located in Toronto)?
- High Availability Firewalls in Azure issue with public IPs
- Cisco N5K Top Talker interfaces
- What's the best unmanaged gigabit switch out there right now?
- Fiber Optic Monitoring System
- Cellular Failover
- Basic server depolyment question
- Duplicate packets from laptop?
- QUIC and NAT timers
- GUEST SHELL on IOS XE to run IPERF?
- Noob question about supervision of lan routeur interfaces
- NAT on my VPC CIDR for traffic traversing a VPN connection
- Failover Routing Question
- Will there be any interruption when changing the hsrp timer on a router pair ?
Cisco Firepower Rant
Posted: 30 Jul 2018 10:29 AM PDT

I started doing Cisco Firepower back in 2015 and after all those years I need to blow off some steam. IMO it was a clunky solution when there was only the ASA + Firepower Services option, an attempt to go to market as quick as possible that felt weird since there was still ASA configuration via CLI/ASDM and Firepower configuration via FMC (or for the very brave ones out there Firepower via ASDM). I wasn't a big fan of the solution and was quite excited when Cisco announced Firepower Threat Defense, which should have brought the ASA and Firepower technology into a single OS. I thought Cisco finally got a grip and my times with hour-long incremental upgrade procedures and slow FMC UI were finally coming to an end with ASA and Firepower code merging into a single solution. Looking back at that time I was really naive to believe they would re-engineer it to finally have a viable competitive solution against the Checkpoints and Palo Altos of the world. And holy shit was I disappointed when I got my hands on the platform during a migration from classic ASA to the new Firepower 4100 platform running FTD. I will try to detail my criticism as accurately as possible, but please forgive me any technical errors. Everything I learned about the platform was basically reverse engineered, since every time something was broken I had to dig deeper and deeper into this moloch of technologies.

FX-OS

Only four words are needed to describe the overall architecture... It is a mess. First of all you need to understand that when buying a FPR2100/4100/9300 firewall you end up with a variety of stitched-together technologies. On the bottom you have FX-OS, the OS running beneath Firepower Threat Defense. FX-OS is basically Frankenstein's Monster of the Cisco UCS platform. If you are familiar with Cisco's server platform, they are using Fabric Interconnects and FEX modules to integrate their servers more tightly into the network fabric and provide a centralized management platform using UCS Manager. FX-OS is exactly that. It is probably a fork of the software running on a UCS Mini (which integrates the Fabric Interconnect functionality into the FEXes of the blade chassis itself). So apart from the firewall software you end up with another piece of software to maintain and update, that can have additional bugs and issues. It isn't even a single technology, since it is running Cisco NX-OS and a forked UCS Manager (Firepower Chassis Manager) - but at least there is only one upgrade package and updates mostly work.

Firepower Threat Defense

Firepower Threat Defense is the name of the "unified" image, the platform that should have made everything better, but imo it is a real disaster. Nothing really changed in comparison to ASA + Firepower Services. Back then you had ASA code running on the ASA 5500-X series with a little VM running the Firepower services on the same hardware. A service policy was used to flag traffic that should be forwarded to the Firepower software module, where the traffic was analyzed, flagged and sent back to ASA to enforce an action. FTD is pretty much the same, but they got rid of the additional software/hardware module and just let the ASA code run directly within the Firepower Linux. Network traffic is being pumped through a shared memory segment with the good old ASA and Firepower code looking at the shared memory segment one after the other. The only real change was that they could get rid of the base operating system on which the ASA binary was running and dump ASA into the Firepower Linux. When I first read about the "new" architecture I thought they were kidding, I couldn't believe that this was the result of years of engineering. It looked like a dirty hack to build a NGFW out of the technical debt of both Cisco and Sourcefire with no useful integration between the two platforms. I was disappointed but tbh I didn't really care as long as performance, reliability and security were good, so I moved on and hoped at least they got the management part right now.

Management

The management of the platform is the worst I ever encountered with any firewall on the market. Back when FTD was released with 6.0 the only possibility to manage it was Firepower Management Center. Up until today (2018/06) they still don't have feature parity with their local device management solution Firepower Device Manager, which looks fancy but is not even capable of configuring High Availability for firewalls... so apart from very small deployments it is completely useless. Getting FDM out of the way, let's focus on FMC. It is available both as virtual appliance and physical appliance and is the heart of every Firepower installation. Since FTD does not support any CLI configuration (apart from enabling/disabling features like HA and protocol inspection) everything must be done from FMC. And this is one of the major pain points I have with the solution. If you lose connectivity between your firewall and FMC you can't do any changes. What is even worse is that you need to connect FTD to FMC using its management interface, so in case you want to use it to manage branch offices that only have the FTD firewall and no other edge device that is capable of routing you are screwed. Until today there is no (viable) supported way for remote firewall deployments in case you don't have another router. Your only choice is to directly connect your firewall management port to the internet or stage your devices at HQ and send them to the remote location. If you ever screw up the configuration pushed from FMC to FTD you are basically fucked if connectivity is lost between the two devices, since you cannot revert the configuration.

Another big pain point is performance with FMC. Believe me, it doesn't matter which appliance you use. I have seen it from FMCv up to the largest hardware appliance, FMC4500, which should be able to support hundreds of devices. It is just horrible. If you try to search your connection events, be ready for minute-long waiting times. The same goes for adding new devices, deploying firewall configuration and generating reports. Deploying firewall configuration deserves its own paragraph since it is the most terrific experience you will ever have with any firewall out there. After encountering > 15 different bugs, you will want to run away screaming. But why is it so bad? First of all... It's ridiculously slow. Depending on your configuration size it will take between 2 and 15 minutes (still applies even with 6.2.3.x, after Cisco proudly announced that performance is so much better now). It doesn't matter what change you make, FMC will generate the full firewall configuration and push it to the managed device. It is a real pain if you just add another interface and have to sit there for up to 15 minutes and wait for your changes to take effect. Just think about what that is like if anybody fucks up and adds incorrect configuration that causes an outage. You know how to fix it, but you must wait for the deployment procedure. Up until a few updates ago there wasn't even any diff/history feature to compare policy changes. You can only look into the audit log and check log entries one after the other to determine what has really changed. So in case somebody makes a change and you are not sure if that configuration should be applied you are basically fucked and cannot find out what exactly changed. Another massive issue is how the whole deployment procedure works. It generates both ASA + Firepower configuration and pushes it to the device. But what exactly does "generating ASA configuration" mean? I was up for another surprise when one day I checked the logs and found that it basically generates CLI configuration and pushes it into the ASA part of the firewall... And now guess what is different between the FMC UI and ASA CLI? Exactly, input validation... You enter configuration into FMC, think it is correct, since hey, the fucking UI accepted my input, and deploy it to the firewall... And now you are up for a big surprise. The rollback procedure from hell. If any of the configuration commands fail, the firewall will roll back the configuration by erasing (!) the running configuration and reloading the startup configuration... Now guess what happens to all your active sessions during that time. :) They are gone, and you just caused an outage by applying your configuration. Back in older releases (< 6.2.3) there were also various issues with ACL compilation which resulted in ~10 minute downtime if the device had to "rollback" a large access control policy / ACL.

Programmability

If you ever did a large migration of firewalls, had to audit rule sets or work with a fancy company that wants to automate their infrastructure you will want your enterprise gear to have feature parity between UI (CLI/GUI) and API. When it comes to Firepower I was disappointed once again. First of all there is no API-first approach to the product since both Sourcefire and ASA technology were pretty old, so there was no feature parity between UI and API. Even worse, there wasn't even an FMC API until version 6.1. I was excited when I heard that it will have a REST API and started writing scripts to audit rule sets and automate changes for some of my customers and holy fuck was I up for some surprises. I think I ran into 10 different bugs with adding / editing firewall rules which mostly ended with me not being able to open the access control policy from the UI anymore due to a bug. Then there were a shitload of undocumented issues where I had to decompile the REST API Java code to find out why perfectly valid API requests wouldn't work and found that the API required me to delete various fields I got via a GET request before using a PUT operation to update a rule. I got into a very weird situation where I had to map out every possible bug that I could encounter that would destroy my policy and work around it (like not having identity objects, applications, URL objects in my rules) etc. etc.

Troubleshooting

Ever wanted to become a Full Stack engineer? Firepower is exactly what you are looking for. Whenever something breaks you will have two choices. Open a TAC case and play ping pong with the support engineer, who will escalate to engineering after he finds that it is yet another bug, or get into the dirty details of this "solution". Troubleshooting Firepower is like troubleshooting a Linux server running three different web servers, five different back ends and a shitload of databases. Since most issues are related to the management plane of the product you will end up tailing tons of ultra-verbose application log files, that throw random errors all the time, look into Perl code from 2002 to determine what is going on and ask yourself why the fuck some information is within the MySQL database and other information is to be found in the Sybase database or for some reason in that weird MongoDB that was just added because of the TID feature. It doesn't feel like troubleshooting a firewall, because the tooling is so random and sometimes even breaks the product itself. On various occasions I had TAC engineers using some on-board scripts that broke things like HA between FMCs or destroyed the management interface configuration of the firewall. Features like user identity are probably the most fun ones to troubleshoot. Before 6.2.x there wasn't even an official way to check if a firewall knew the correct user-to-IP mappings, so you had to write a SQL query to get that information out of the database running on the firewall. Long story short - troubleshooting Firepower is weird and without knowing the exact system architecture you will feel lost pretty quickly.

Software Reliability / Quality

It might not come as a surprise that the quality of Firepower Threat Defense (or rather the whole Firepower line) is beyond saving. The architecture is so fucked up that inevitably it will fail imo. Combining two legacy solutions into one package and not re-engineering any major part of the different products had to end like this. During my last three years of working with it I had to open about 85 (!) cases, and mind you I tried my very best to solve every possible issue by myself. At some point I didn't even bother anymore to report bugs or open cases, because the issues just kept coming. I did my fair share of working with engineering to reproduce bugs and really wanted this product to succeed, but even after all the promises by Cisco to invest in software quality (for which they basically stopped the roadmap, because there were too many escalations) it is still a mess. It is not as bad as Firepower 5.4 - 6.1.0, but there are still a ton of issues with features like FMC High Availability, FTD High Availability, FMC performance, FMC REST API, etc. etc. and I feel like they would have to start from zero to produce anything good.

---

I am normally not that bashful, but this product has stolen so much time from me and I don't want anybody else to go through this shit. I know this post is very long, but believe me I could go on for many more pages about all the issues with Firepower and why I think it will never get to a point where it is competitive.

TL;DR - Don't buy Cisco Firepower, it's not worth it
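The two scripting tasks the post mentions, auditing rule sets and stripping a GET response down to what a PUT will accept, are shown here as an added example; it is not the author's code and nothing in it comes from FMC documentation. The rule objects are constructed sample data modelled on the JSON shape the post describes, and the field names (`sourceNetworks`, `logBegin`, `metadata`, `links`, ...) are assumptions to be checked against the FMC release in use.

```python
"""Audit FMC-style access control rules and prepare a rule for PUT.

Added example (not the post author's scripts). The rule objects below are
constructed sample data modelled on the JSON shape the FMC REST API returns
for access rules; the field names and the read-only fields that a GET returns
but a PUT rejects ("metadata", "links") are assumptions based on the post.
"""
import json

# Fields present in a GET response that must not be echoed back in a PUT
# (assumption following the post's description; adjust per FMC release).
READ_ONLY_FIELDS = {"metadata", "links"}

# Constructed sample: three rules as a GET on an access policy might return them.
SAMPLE_RULES = [
    {
        "id": "rule-0001",  # constructed placeholder, not a real FMC object id
        "name": "Allow-Web",
        "action": "ALLOW",
        "enabled": True,
        "sourceNetworks": {"objects": [{"name": "Internal", "type": "Network"}]},
        "destinationPorts": {"objects": [{"name": "HTTPS", "type": "ProtocolPortObject"}]},
        "logBegin": False,
        "logEnd": True,
        "metadata": {"timestamp": 1532970000000, "domain": {"name": "Global"}},
        "links": {"self": "https://fmc.example.invalid/api/fmc_config/v1/.../rule-0001"},
    },
    {
        "id": "rule-0002",
        "name": "Temp-Any-Any",
        "action": "ALLOW",
        "enabled": True,
        "logBegin": False,
        "logEnd": False,
        "metadata": {"timestamp": 1532970100000, "domain": {"name": "Global"}},
        "links": {"self": "https://fmc.example.invalid/api/fmc_config/v1/.../rule-0002"},
    },
    {
        "id": "rule-0003",
        "name": "Block-SMB-Out",
        "action": "BLOCK",
        "enabled": False,
        "sourceNetworks": {"objects": [{"name": "Internal", "type": "Network"}]},
        "destinationPorts": {"objects": [{"name": "SMB", "type": "ProtocolPortObject"}]},
        "logBegin": True,
        "logEnd": False,
        "metadata": {"timestamp": 1532970200000, "domain": {"name": "Global"}},
        "links": {"self": "https://fmc.example.invalid/api/fmc_config/v1/.../rule-0003"},
    },
]


def strip_read_only(obj):
    """Deep-copy obj, dropping READ_ONLY_FIELDS at every nesting level."""
    if isinstance(obj, dict):
        return {k: strip_read_only(v) for k, v in obj.items() if k not in READ_ONLY_FIELDS}
    if isinstance(obj, list):
        return [strip_read_only(v) for v in obj]
    return obj


def build_put_payload(rule):
    """Turn a rule as returned by GET into a body acceptable to PUT."""
    payload = strip_read_only(rule)
    for required in ("id", "name", "action"):
        if required not in payload:
            raise ValueError(f"rule is missing required field {required!r}")
    return payload


def _unconstrained(rule, field):
    """True when the rule puts no objects or literals in the given match field."""
    value = rule.get(field) or {}
    return not value.get("objects") and not value.get("literals")


def audit_rules(rules):
    """Return (rule name, finding) pairs for rules an auditor should look at."""
    findings = []
    for rule in rules:
        name = rule.get("name", "<unnamed>")
        if not rule.get("enabled", True):
            findings.append((name, "disabled rule: remove it or document why it stays"))
            continue
        if rule.get("action") != "ALLOW":
            continue
        if all(_unconstrained(rule, f) for f in ("sourceNetworks", "destinationNetworks", "destinationPorts")):
            findings.append((name, "ALLOW with any source, any destination, any port"))
        if not (rule.get("logBegin") or rule.get("logEnd")):
            findings.append((name, "ALLOW rule without connection logging"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
    print(json.dumps(build_put_payload(SAMPLE_RULES[0]), indent=2))
```

`strip_read_only` never mutates the GET response, so the original can still be diffed against what was sent if the PUT is rejected; the audit deliberately skips BLOCK rules except when they are disabled, since a disabled block rule is the case that silently widens exposure.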
Has anyone here got fed up and started hitting the IDK button when expected to know the answer to everyone else's problems? How did that work out?
Posted: 30 Jul 2018 07:33 AM PDT
As we all know it is common for apps and server people to just pawn their issues off on the network and we have to figure out the problem. Sometimes it feels like we have to know more about how everyone's stuff works more than they do. I just had to explain to an Exchange administrator that the mystery IP with 5k connections to his server was another one in the cluster. They didn't even know what cluster IPs they were using between their servers. What happens if we just start acting as dumb as they are and say IDK to everything? Do they get forced to learn or do we just look like butt heads?
Resources to learn about L2/L3 networking in the datacenter
Posted: 30 Jul 2018 12:22 AM PDT
Hello, I am interested in learning about L2/L3 networking in the datacenter. I find it hard to understand how to use VXLAN in the datacenter, differences between BGP-EVPN and OVSDB. If you know about a good book that explains such concepts, or a tutorial, please let me know. Thanks in advance!
Reason for Global Protect syslog "remove previous login"
Posted: 30 Jul 2018 04:02 PM PDT
Trying to figure out what is the reason for the GlobalProtect syslog where Event ID is "globalprotectgateway-logout-succ" and the reason in the description is "remove previous login".
How does advanced enterprise/carrier networking stack up to other IT areas in terms of difficulty?
Posted: 30 Jul 2018 03:58 PM PDT
Network Channel Bonding with a Twist
Posted: 30 Jul 2018 03:58 PM PDT
Hi all, I've got a question for the community. Currently I have internet service from COX communications here in San Diego (300 Mbps down, 30 up) and I have ATT ADSL that was bundled with my home digital phone (10 Mbps down, 1.5 up). Since COX added their data cap of 1 TB I've come close to hitting the cap, I'm looking at taking the plunge into DirecTV Now as my only TV provider and I know my internet usage will increase. Here is my question: I would like a failover/load balancing router that will fall back to the ATT ADSL once I have hit my data cap. Does anyone have a solution or recommendation? Most of the routers I've found do have failover/load balancing but not with the connection switching event occurring after a data threshold is reached.

Currently my network is as follows:
COX -> Google Onhub x3 -> device
ATT (different wifi network) -> device

What I'd like:
COX (1st TB of data) _________
ATT (once cap exceeded) ______ > Google Onhub x3 -> device

Thanks for the support, Erik
wireless vlan sizing question
Posted: 30 Jul 2018 09:57 AM PDT
I have 3 floors on a building with about 475 or so people total across them. Both our guest and internal wireless VLANs are currently /23 networks and I was planning on moving them to /22 networks. I was wondering what is considered too large a subnet for a wireless network. At what point do I have to become overly concerned about too much broadcast traffic, etc.?
seeing a lot of traffic port TCP 445 and UDP 137
Posted: 30 Jul 2018 02:02 PM PDT
Hello, I'm on a Windows network and my UTM appliance is blocking a lot of traffic from the inside network going out to the internet. The traffic is SMB TCP 445 and UDP 137. Can anyone tell me what the heck is going on? Everything seems to be working.
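Working out which inside hosts are responsible is the first step in answering a question like this, so here is an added example (not part of the post or any reply) that parses firewall log lines and reports, per source host, the SMB/NetBIOS services it tried to reach outside the internal address space. The log format is constructed for the illustration and is not any vendor's; the port list extends the post's TCP 445 / UDP 137 to the other NetBIOS ports (UDP 138, TCP 139) because they normally appear together.

```python
"""Find internal hosts sending SMB/NetBIOS toward non-internal addresses.

Added example, not from the post. The log lines are constructed in a generic
key=value format for this illustration and do not follow any vendor's syntax.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# (protocol, destination port) -> service label; 138/139 added to the post's two ports.
SMB_NETBIOS_PORTS = {
    ("tcp", 445): "SMB",
    ("tcp", 139): "NetBIOS-SSN",
    ("udp", 137): "NetBIOS-NS",
    ("udp", 138): "NetBIOS-DGM",
}

# Address space SMB/NetBIOS is never expected to leave: RFC 1918, link-local,
# loopback, multicast and limited broadcast. Anything else is "external" here.
# ipaddress.is_global is deliberately not used: it also classifies the
# documentation ranges used in the sample below as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8", "224.0.0.0/4", "255.255.255.255/32",
)]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) sport=(?P<sport>\d+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for internet addresses.
SAMPLE_LOG = """\
2018-07-30T13:55:01Z action=drop proto=tcp src=10.1.20.44 sport=51234 dst=203.0.113.10 dport=445
2018-07-30T13:55:01Z action=drop proto=udp src=10.1.20.44 sport=137 dst=203.0.113.10 dport=137
2018-07-30T13:55:02Z action=allow proto=tcp src=10.1.20.44 sport=51240 dst=10.1.5.10 dport=445
2018-07-30T13:55:03Z action=drop proto=tcp src=10.1.20.87 sport=49800 dst=198.51.100.7 dport=445
2018-07-30T13:55:04Z action=allow proto=tcp src=10.1.20.87 sport=49812 dst=198.51.100.20 dport=443
2018-07-30T13:55:05Z action=drop proto=udp src=10.1.20.44 sport=137 dst=10.1.20.255 dport=137
"""


def is_internal(ip_text):
    """True for addresses inside INTERNAL_NETS; unparseable text is surfaced as external."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["proto"] = rec["proto"].lower()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def outbound_smb_events(lines):
    """Keep records whose destination is external and whose port is SMB/NetBIOS."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or is_internal(rec["dst"]):
            continue
        service = SMB_NETBIOS_PORTS.get((rec["proto"], rec["dport"]))
        if service:
            rec["service"] = service
            events.append(rec)
    return events


def summarize(events):
    """Per source host, count the SMB/NetBIOS services it tried to reach externally."""
    per_host = defaultdict(Counter)
    for rec in events:
        per_host[rec["src"]][rec["service"]] += 1
    return {src: dict(counts) for src, counts in per_host.items()}


if __name__ == "__main__":
    for src, counts in summarize(outbound_smb_events(SAMPLE_LOG.splitlines())).items():
        print(src, counts)
```

The subnet-directed broadcast to 10.1.20.255 and the SMB session to 10.1.5.10 in the sample are intentionally left out of the report: both stay inside the internal ranges, and the point of the check is to isolate the hosts that are addressing SMB/NetBIOS at the internet so they can be examined.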
Implementing basic VoIP QoS policy on Catalyst/IOS
Posted: 30 Jul 2018 08:27 AM PDT
I'm super interested in QoS, but I'm not in a place to deep-dive into it just yet. I'm looking for a basic VoIP QoS policy I can roll out, then expand on later if needed. We are rolling out VoIP across a 100% Cisco LAN with minimum 1Gbps connectivity to all switches. Congestion is very rare, but a few interfaces show nonzero output drops, and in keeping with best practices and vendor recommendations, I'm looking at rolling out QoS along with our deployment. The network is mostly 3560/3750-era Catalyst switches, but some 3650/3850/Nexus gear too. We are rolling out mostly Mitel IP420g phones, but a few IP480s as well.

So far I've read:

I'm looking for the most basic QoS configuration that achieves this result (from page 42 of the Mitel guide):

All sites use PRIs exclusively for incoming/outgoing calls, so no VoIP traffic will leave our AS. QoS only applies within the managed LAN/WAN. All WAN sites use Comcast EPL or dark fiber for connectivity.

So far, here's what I've deduced, mostly from the Cisco Live slide deck:

Questions:

Thanks in advance!
Allowing Broadcasting from printer over different Sonicwall Interfaces
Posted: 30 Jul 2018 12:38 PM PDT
I've been asked to consult and help out a company with their network infrastructure and hardening their network a bit. All of their routing is done on a SonicWall TZ500. They have a wireless access point connected on X4, in bridge mode, with DHCP on X4. X4 is set in a custom "Wireless" zone. The Wireless zone is only allowed to access the WAN internet gateway IP and the LAN printer IP, which gives all wireless clients access to the internet and printer (direct IP). There is an address group object which holds "authorized" wireless clients who should be allowed to access the entire LAN as well. These rules are working without an issue. The problem is, there are users complaining that the "Discovery" of the printer is failing. I understand that this is an issue because broadcasting by default won't traverse from the LAN interface X0 to the Wireless zone/X4 interface. Both interfaces have DHCP running on the SonicWall with different IP pools. Both interfaces have the same subnet mask. Is there a setting I'm missing on the SonicWall, or a rule I can configure, that would advertise the printer on the "Wireless" zone? Or is it impossible to forward broadcast packets from one interface subnet to another?

Edit: I enabled IP Helper and created reflexive rules across the interfaces for Bonjour (mDNS) and NetBIOS hoping that will allow wireless clients to see the printers.
Network/Telecom Techs, how is fiber in a downtown condo pulled (located in Toronto)?
Posted: 30 Jul 2018 12:24 PM PDT
Hello, I'm located in Toronto, Canada and I was wondering how the fiber in a downtown condo is wired/pulled. I know there's a main communication room in the building, but does each ISP have their own fiber lines that run to each unit? I'm assuming each ISP would have their own Optical Line Terminal and switch in the communication room to manage the ONUs, which then goes to a fiber line to their data center, but the physical lines themselves that go throughout the internal wiring of the building, who owns that? Is it part of the building's commons and anyone has access to it, or does each ISP pull their own lines? So say if 3 different ISPs (in my case, Bell, Fiberstream, and Beanfield) all offer fiber service in your building, did they all have to run their own lines? Or does the telecom tech that shows up have to pull a new line from the comm room to the unit for that particular ISP and that ISP now owns the new line, or do they have an agreement with say Bell, who might have done the initial wiring during construction or a retrofit, and they lease the line? I'm just trying to understand: when a customer orders fiber to be installed into their unit, is all the fiber in the building pulled ahead of time and the tech just terminates the OLT/ONU connections because those lines are owned by their ISP (or is it owned by the building, please clarify), or is the tech pulling a new line from the communication room to the unit? For example in my building, there is no fiber jack in the wall (only phone and coaxial) but I know there is fiber service in the building (from those three companies), so where is the line coming from? Thanks!
High Availability Firewalls in Azure issue with public IPs
Posted: 30 Jul 2018 04:06 PM PDT
Hey guys, so I have the following scenario and issues:

Issues:

Not that knowledgeable on Azure, but is there a way I can make some of this work? Thanks!
Cisco N5K Top Talker interfaces
Posted: 30 Jul 2018 08:04 AM PDT
Hello all, I was wondering if anybody had any out-of-the-box Cisco N5K commands to find the top talkers on any FEX that might be happening? Thanks!
What's the best unmanaged gigabit switch out there right now?
Posted: 30 Jul 2018 03:13 PM PDT
Simple small deployment, need a few unmanaged gigabit switches. 8 or 16 or 24 ports. Is there something that is currently the best product to do full line-rate gigabit speeds or should I just get some cheap-o Netgear switches?
Fiber Optic Monitoring System
Posted: 30 Jul 2018 01:43 AM PDT
We are trying to implement a fibre optic monitoring system for a 25km cable we have in our infrastructure. The main objective is to monitor vibration, as there is a lot of construction and road work in the area, so as soon as we receive a vibration alarm security is dispatched to the zone to check. Have you used this kind of technology and what would you recommend, if any?
Cellular Failover
Posted: 30 Jul 2018 07:03 AM PDT
Needing some recommendations here. I'm a POS dealer for a bar/restaurant POS system and I'm looking for a viable affordable solution, if any, for doing cellular failover in the event the ISP goes down. I've checked into Cradlepoint and it looks good, but the problem is I'm looking for something more cost effective. I've spent hours looking at firewall specs that support USB cellular failover but out of all the models I can't seem to find any that support too many AT&T or Verizon cards, or they're just outdated cards. I've looked into Skyus that supports all major US SIMs but from what I'm reading it mostly works for Meraki's and that may just be too expensive for the merchant. The only reason I need a cost effective reliable solution is because my POS system does not support offline processing. Does anyone know any info about Skyus working on other firewalls? I don't want to have to pay a cloud based subscription if possible. Thanks
Basic server deployment question
Posted: 30 Jul 2018 02:11 PM PDT
Today I worked on my first ever network deployment/upgrade. All the networking gear was set up and tested in our office before deployment, so once we got there, we decided to keep their old and only production server (physical server, containing Divalto, Active Directory and DNS) and just throw it immediately into our new network design by simply changing its IP address, and it worked just fine. However, when the sysadmin came, he chewed us out for it saying stuff like "you never do that on a server, especially not the AD, you don't just change its IP address"... My question is, how true is that statement? Can changing a server's IP address really damage the network? Or is the sysadmin just lazy and doesn't want to do any extra work?
Duplicate packets from laptop?
Posted: 29 Jul 2018 10:27 PM PDT
So having issues connecting to my company's VPN, spin up Wireshark, sure enough I'm seeing 3 duplicates of every packet leaving my laptop. Never seen this, I even disabled all other network interfaces, no dice.
QUIC and NAT timers
Posted: 30 Jul 2018 01:32 PM PDT
Any ideas/suggestions on best practice NAT timeout values for TCP and UDP with fancy protocols nowadays?
GUEST SHELL on IOS XE to run IPERF?
Posted: 30 Jul 2018 05:43 AM PDT
Noob question about supervision of LAN router interfaces
Posted: 30 Jul 2018 09:06 AM PDT
Hi all, first sorry for my bad English (French people are not famous for their English). I'm wondering about the possibility to ping a LAN interface of a router when this one (the interface) is UP/DOWN. I specify that we ping from outside, not from the router itself, like an "enterprise supervision" configuration. For you, is it possible? And if not, why? Because the network to which the interface belongs is no longer announced? Thanks :)
NAT on my VPC CIDR for traffic traversing a VPN connection
Posted: 30 Jul 2018 08:39 AM PDT
Openswan in AWS. I am following this video (https://www.youtube.com/watch?v=Ov7cHlcIkHc) because AWS doesn't support NAT on my VPC CIDR for traffic traversing a VPN connection, according to this article: https://aws.amazon.com/premiumsupport/knowledge-center/configure-nat-for-vpn-traffic/ The third party vendor does not accept private IPs so I am thinking of using open. I'm just a bit confused as the network guy said we need two public IPs. I believe one will get attached to the opens server to establish the VP, but what is the second one for? We have a server in an AWS private subnet that I don't want to attach a public elastic IP to. Does the SWAN server need two elastic IPs? They are expecting a public IP from us so I'm assuming the private IP will be translated from the private to the public they are expecting. And coming in, how will the VPC or swan know to translate their public IP to the private IP of the server? Just trying to understand how many public IPs the swan server needs. How will the swan server get the data coming from their public IP?
Failover Routing Question
Posted: 30 Jul 2018 07:30 AM PDT
I usually use SLA monitoring to do failover routing if a link is down. I have a site where the equipment there does not have the ability to do this and the budget does not allow for adding additional licensing for the SLA monitoring at this time. I want to use weighted static routes to achieve this. My question is: how does the routing device (Cisco 3850 L3 switch) determine the route is no longer working and use the route with a higher administrative distance? Does the interface have to be marked as down? Also how does it know to fail back to the original route? I tried googling this but without a satisfying result.
Will there be any interruption when changing the HSRP timer on a router pair?
Posted: 30 Jul 2018 01:57 AM PDT
Currently it's default (hello 3, holdtime 10), planning to change to hello 1 sec or 500 msec and holdtime 2 or 3 seconds. Currently all groups are active on the primary router. The idea is to go into each sub-interface, change the timer, then go to the secondary router and change. Will this cause any conflict or interruption to the traffic? Any other caveats I should know of?
You are subscribed to email updates from Enterprise Networking news, blogs and discussion.