Cisco FMC FW loggs - alternatives Networking |
- Cisco FMC FW loggs - alternatives
- SPAN on ISR4431 with NIMs
- Palo Alto Policy Question
- How important it is to have WAF / DDoS protection?
- Push multiple commands to Cisco IOS?
- Sys admin trying to fix slow upload speeds
- Source or destination (Route-Policy) ASR9K
- Singlemode or Multimode - Top of rack to server
- Config Consistency Check for Group of Devices
- Private IP adressing
- What tool / SW do you use to test VOIP traffic out
- "Cleanest" wireless packet capture?
- [Juniper] Anyone use floating static routes for WAN failover?
- Looking for input on network redesign and best practices.
- Asset tracking
- Possible to have a ring topology with a circuit switch connecting from one node in the ring to another...
- Sanity Check - DAI / IPSG
- Assigning VLAN IPs without changing ports?
- Office is a security disaster
- da Hell ACL?
- Question about L2 vs L3 on a large scale
- FortiGate VMX
| Cisco FMC FW loggs - alternatives Posted: 24 Sep 2018 06:02 AM PDT Hi, Does anyone have a suggestion a third party logging software for FMC? We just went from CP R77.30 to FTC 6.2.3 and Im hating my life everytime I have to check the Firewall logs... thanks! [link] [comments]  |
| Posted: 24 Sep 2018 12:34 PM PDT I've got a 4431 with some NIMs that I'd let to set up a SPAN on. I'd like to SPAN the traffic going across the vlan for the internal facing connection to one of the NIM ports. The commands are available but when I set the source for the session monitor to the vlan it says "vlan settings on SPAN not supported" and when I set the source as the internal facing interface it says "only NGIO switch is supported for local SPAN". I am not able to find any documentation online regarding either of these error messages. What gives? [link] [comments]  |
| Posted: 24 Sep 2018 12:30 PM PDT I'm new to the Palo Alto ecosystem and have been asked to re-write some firewall rules as part of a migration. In this example, I want to allow the public access to a mail server. I am using a Service Group to open up explicit ports for this task, but was dong some reading about using Applications too. The applications didn't really suit my needs, but it left me with a question. If I configure the Applications & Service, does it act like an "and" where ports from both would be allowed? [link] [comments]  |
| How important it is to have WAF / DDoS protection? Posted: 24 Sep 2018 12:55 PM PDT For a hospital network, how important do you see WAF / DDoS protection services? Most of our services are 'internal', not published to internets but to our users connected via private MPLS or fiber connections. However we have some portals and services that people use over the internet. We're trying to figure out if we should go with F5 BIG-IP and have the WAF / DDoS features, or if we could live with haproxy or similar OSS products. We have lots of services where the app is bought from an external consulting company. They install it, and it runs. However we're not sure (in the networking team) if the app is ever updated. Do you think we should get the protection services, or any ideas or experiences regarding this? It is of course always about the money :) And as we've never had problems, customers are not really interested in paying more for the service... We have our own IP address blocks we could advertise via DDoS scrubbing service and just get the clean traffic in. Thanks for any ideas! [link] [comments]  |
| Push multiple commands to Cisco IOS? Posted: 24 Sep 2018 11:24 AM PDT Let's say I am working on a remote device. I need to apply 2 commands, the first command will cause me to lose connectivity to the device, and the 2nd command will restore connectivity (I need to convert a port from a switchport to a routed ported, so I need to issue "no switchport" and then "ip address dhcp") Is this possible in IOS? When I issue the first command I'll lose SSH access, making me unable to issue the 2nd command [link] [comments]  |
| Sys admin trying to fix slow upload speeds Posted: 24 Sep 2018 02:41 PM PDT We have 3 sites which is connecting through VPLS. The site in New Orleans and Lafayette are getting their internet from Las Vegas and N.O circuit is rated 100MB symmetrical and I can get between 60 to 80MB but the upload speed is at 10mb. Lafayette has a 50mb circuit I get close to 50 down but 10MB up. Need to know what could cause such a significant drop in upload speed [link] [comments]  |
| Source or destination (Route-Policy) ASR9K Posted: 24 Sep 2018 05:01 AM PDT Hello guys, I'm trying to understand and get better at route-policies. Mostly because of a new connection to another company. But some things just keeps me in the dark. Even tested in a GNS3 lab, which just made it even more confusing. Lets says i have 2 routers directly connected, I'm gonna setup an EBGP peering. On R1 i have an import policy looking like this: Why would it be source and not destination? Today this is running on an ASR9K with source instead of destination, whenever i test in GNS3 with 2x ASR9K i have to do destination for it to work... Another thing, about the ASR policies is this: How da F*** can i ever get routes below /26 into my route from above policy?? [link] [comments]  |
| Singlemode or Multimode - Top of rack to server Posted: 24 Sep 2018 08:45 AM PDT I've read multiple times to always use SMF over MMF. Seems like a blanket rule which does make sense. However, I also see references to the cable being in the ground a lot of the time in these posts. If I have a single rack in a colo facility with 2x 48 port 10gb switches that need to connect to say 20 servers should I be going SMF or MMF? SMF optics are £28 compared to £13 for MMF. The overall price increase isn't that much because I only have one rack, it would be significant though if I had 100 racks. The cables would probably never be over 3m. What's standard protocol for top of rack to server at 10gb? SMF/MMF/DAC? Thanks! [link] [comments]  |
| Config Consistency Check for Group of Devices Posted: 24 Sep 2018 12:01 PM PDT Hi Team, are there any current solutions that compare the configs of group of devices if it is consistent? We encounter issues where the configs are not match creating a single point of failure scenario. [link] [comments]  |
| Posted: 24 Sep 2018 01:17 PM PDT Customer has an old production plant where a PLC resist with an IP address 100.100.100.6/16 They asked me to NAT this internal IP address via a FW to an address in a 10.28.198.0/24 network. First question: is this possible? Should I advice the customer to first change the IP adress to a usable private range? [link] [comments]  |
| What tool / SW do you use to test VOIP traffic out Posted: 24 Sep 2018 12:26 PM PDT I know I could create similiar levels of UDP traffic with many different packet generators, but I'm wondering if there is any specific SW or mode that allows you to configure different # of VOIP calls with different codecs and ideally even give MOSS scores as an output...? What do you use? Thanks! [link] [comments]  |
| "Cleanest" wireless packet capture? Posted: 24 Sep 2018 11:54 AM PDT Hello all, I'm a relative novice when it comes to networking (CCNA Routing and Switching) so I figured I'd reach out and see if anyone has some advice for me. I apologize if the formatting is bad, I'm usually a lurker not a poster!
I'm working on building a lab environment to perform packet capture on wireless IoT devices. I have a Netgear Nighthawk X10 R9000 which is capable of both logging to a .pcap file as well as mirroring the WLAN port for monitoring through its debug functionality. I am slightly concerned though that we do not have any kind of granular control over the captures and no way of knowing if the router might lower the priority of the monitoring processes during periods of heavy congestion or high CPU usage.
I have also set up a second system using an Alfa AWUS036NH broadcasting as an AP connected to an Ubuntu 18.04 machine running Wireshark to perform packet capture. I figured this would give me much better control over the capture process and environment, especially since Linux allows a lot of control over its networking stack.
Is there a better way for me to sniff these packets as they move from the wireless interface into the network? We have some budget to purchase product with so paid solutions are an option, but I just want to make sure I've done my due diligence before we move forward with experimental data capture. Any help or advice would be greatly appreciated! [link] [comments]  |
| [Juniper] Anyone use floating static routes for WAN failover? Posted: 24 Sep 2018 11:27 AM PDT Trying to get this to work but when I initiate a "hard down" situation and pull the ethernet plug on WAN1, I can't ping out WAN2 even though the next-hop is properly in the routing table. I'm thinking it might be an issue with our upstream QFX and the ARP timing. [link] [comments]  |
| Looking for input on network redesign and best practices. Posted: 24 Sep 2018 11:23 AM PDT Hello all. I am looking for some advice and direction on redesigning our network topology. We currently ask the colo to provision a new circuit per customer with the colo providing VRRP, and each leg of the VRRP hand off goes to pair of ASAs in active / standby with static routing. We try to keep things simple but this is getting expensive as the number of customers grow. Current topology per customer Is it feasible to do something like this topology? What are the best practices for a design like this ? This is a little outside my wheelhouse but since there isn't really a "network guy" here , but I am the one with enough know how to get it done. So, I feel like I can get this done with just some L2 switches and keep it simple. Am I mistaken ? Should I look into going L3 and possibly VRRP on our end too ? Lastly, can you all give me some hardware recommendations to accomplish this? We're a primarily a Cisco / Dell shop. Collectively our current customers are using 500Mbps but we'll need 1Gbps within a year. I appreciate any and all help [link] [comments]  |
| Posted: 24 Sep 2018 09:30 AM PDT Top of the morning to you. Looking for help picking an asset tracker for a hospital that has 6 floors. Need to track crash carts. Looking for the cheapest most reliable system. I was thinking maybe over WiFi. Any input is appreciated [link] [comments]  |
| Posted: 24 Sep 2018 09:09 AM PDT Fair example if the sender sends data around the ring and eventually reaches the correct node that copies the data and then sends it on, anc that node, if the design is set up in such a way, send a circuit switch type data back directly to sender... Like a circle with many nodes and then a line from recipient to sender...? [link] [comments]  |
| Posted: 24 Sep 2018 08:58 AM PDT Hello! I have Dynamic ARP Inspection and IP Source Guard implemented on my campus. We are using Cisco 3750X, running IOS 15.2(4)E5. Edit: Yes, I know that DHCP hosts use DHCP snooping binding table. I am not concerned about that. For static IP devices, I was always under the impression that I needed to do all of the following, to make it work with both DAI and IPSG. However, I came across a switch that was missing the "ip arp inspection filter" command - yet everything was still working. (Even after clearing ARP cache). Further testing led me to the below (much simpler) configuration, which also seems to work. This has now made me beleive that DAI uses the following sources for its information:
Can anyone verify that this is true? Obviously, my testing shows that it is - but I was looking to see if it was a fluke, some oddity that I don't know about, or intended behavior. Thanks for your input! [link] [comments]  |
| Assigning VLAN IPs without changing ports? Posted: 24 Sep 2018 08:43 AM PDT Apologies if this seems like a dumb question. I've got two VLANs (4.x and 5.x) added to my network. How do I go about assigning static IPs to devices I want on those networks without manually tracking down the port the devices are plugged into on the switch? For example, if I have a camera on my current 3.x network and I want to move it to the 5.x network, is there a way to just change the static IP to something in that 5.x range without having to track down which port it's plugged into on the switch and changing he VLAN for that switch? The reason I ask is that we have switches all throughout this network (slowly working on changing that, but it is what it is for the time being) and I won't be able to easily figure out which camera is plugged into which switch so that I can login to the switches to change those port VLANs. Thanks! [link] [comments]  |
| Posted: 24 Sep 2018 08:31 AM PDT I'm about to start managing 'computers' for a small office. Very small- one desktop and at most 2 or 3 other laptops, maybe 8 cellphones. Boss doesn't use a computer, the secretary (who will never get fired) sits at the desktop all day shopping on Amazon and scrolling through Facebook. Constantly complains about how slow the brand new iMac is. Running top and netcat was enough to tell me that something was seriously wrong. They're lucky that nothing important was on that computer, because it was a mess. Apparently they've had a lot of issues with phishing emails in the past, I found out later. So. Looks like there's a task on my hands here. Network security isn't my strong suit, but I know a thing or two, I guess. I run some home servers, PFSense and a Pi-Hole. Data is where I'm more comfortable, though. Anyway, some very sensitive data is getting cleaned up, migrated and normalized- but there's no way it can go near that network / computer in its current state, without taking some serious measures. My thinking was to get a firewall appliance, like a SG-3100, then create a VLAN for all the mobile devices. But unfortunately there's no way I can teach this woman not to open every single email attachment, and who knows what else. Any suggestions? TL;DR: Hired to migrate extremely sensitive data at a small company where nobody knows anything about computers. The boss's secretary sits at the desktop all day and opens tons of phishing emails. Am considering a SG-3100, w/ PFSense, but know I need more than that. Please help. [link] [comments]  |
| Posted: 24 Sep 2018 08:22 AM PDT So, I'm trying to restrict SVIs from communicating to each other by using ACL Ie, if I have vlan 10 SVI at 10.10.10.1/24 On that interface, I have permit the 10.10.10.0/24 i.e. sequence 10 permit ip 10.10.10.0/24 sequence 20 deny 10.0.0.0/8 sequence 30 deny 172.16.0.0 0.15.255.255 sequence 40 deny 192.168.0.0/16 sequence 50 permit any So, essentially this should allow any host on the 10.10.10 network to communicate to the 10.10.10/24 network and out the WAN However, any other private address should not be able to communicate to that network. The problem I'm having is, that only works when I use the access-group OUT command, if I use Ip access-group ACLNAME IN, it fails. So, my question is, the ICMP is getting into the interface, but said interface isn't allowed to respond, because of the ACCESS-GROUP OUT command. How do I make said interface do less work, so it doesn't have to apply to the ICMP requests, etc from other interfaces? Ie, make it work with ACCESS-GROUP IN. Or is this just a function of ACLs and SVIs? It makes sense to me that it it's only going to read the ACL AFTER the packet is interpreted, but I"m trying to make sure that the SVI can do less work for latency issues, etc. [link] [comments]  |
| Question about L2 vs L3 on a large scale Posted: 24 Sep 2018 08:17 AM PDT I'm working on a redesign of the following network (link to diagram below). Currently this diagram has a lot of L2 going on in it, this is just an idea and is not currently in production. In a previous job on a campus, we used L2 basically everywhere outside the core and used large trunks to get everything back to there. Obviously we had a robust spanning-tree setup using rapid-pvst etc. However, as many of you know, even the proper spanning-tree setups are prone to issues at some point. At my new work place we are looking at two options: L2 everywhere outside the core like the diagram OR L3 all the way to the edge (or as close as possible). Now take the diagram and pretend the L2 switches in the "Access Layer" are all L3 (little routers) now. My question is this: how would I be able to accomplish segmentation of departments/firewalling them off from the server networks etc if we've got those L3 routers all connected together like that? Sorry if I didn't give enough info, please feel free to ask questions :) Diagram! https://imgur.com/SAf7H7t [link] [comments]  |
| Posted: 24 Sep 2018 07:57 AM PDT Hi! I'm working in redesigning our DC network and I need a little guidance. We have our DMZ and Internal servers VLANs directly attached to our edge firewall (FortiGate), so we can do IPS, AV and those security features for the DMZ --> Internal traffic. When we talk about IPS, we have edge firewalls and nothing more. But now we are moving the DC's VLANs far away from the edge, so I'm loosing my NGFW features between VLANs, and that's a problem. Sec Team is proposing a fisical appliance for the new DC facilities, but I've discovered VMWare NSX network introspection. Soooo, I'm considering FortiGate VMX, which by my understanding can do NGFW between virtual machines. And it can do it inside VMWare! Can any of you spot something problematic that I'm not seeing? I don't trust my VAR's technitian and they are the only ones in my area. You guys are my best chance. [link] [comments]  |
| You are subscribed to email updates from Enterprise Networking news, blogs and discussion.. To stop receiving these emails, you may unsubscribe now. | Email delivery powered by Google |
| Google, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States | |
No comments:
Post a Comment