
    Thursday, September 27, 2018

    DHCP Snooping Networking

    DHCP Snooping

    Posted: 27 Sep 2018 04:50 AM PDT

    While testing this in my home lab, my understanding thus far is:

    • All ports should be untrusted except
    • Trunk ports leading up to the router (where DHCP is hosted)

    Would this be accurate?

    submitted by /u/amperages
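    A worked configuration for the trust model described in the post, as an added example that is not part of the original post: a Cisco IOS access switch where VLAN 10 carries clients, GigabitEthernet1/0/48 is the trunk toward the router hosting DHCP, and Gi1/0/1-47 are edge ports (all of these names are assumptions).

```cisco
! Added example, not from the post. Assumed: client VLAN 10, uplink trunk
! Gi1/0/48 toward the router that hosts DHCP, edge ports Gi1/0/1-47.
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion is off unless the relay/server expects it; some servers
! discard requests that carry it when inserted by a non-relay switch.
no ip dhcp snooping information option
!
! Only the uplink toward the DHCP server is trusted. Server-side messages
! (OFFER/ACK/NAK) arriving on any other port are dropped and logged.
interface GigabitEthernet1/0/48
 description UPLINK to router (DHCP server behind it)
 switchport mode trunk
 ip dhcp snooping trust
!
! Every edge port stays untrusted (the default once snooping is enabled) and
! is rate-limited so a misbehaving client cannot flood DISCOVER messages.
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
!
! Verification:
! show ip dhcp snooping          -> per-VLAN state and the trusted port list
! show ip dhcp snooping binding  -> learned MAC/IP/lease/port table
```

    If another snooping switch sits between this one and the router, the trunk between the two switches must be trusted on both sides as well; a port that exceeds its rate limit is placed in err-disabled and needs recovery configured or a manual shut/no shut.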

    Librenms Capacity Planning

    Posted: 27 Sep 2018 01:23 PM PDT

    Are there any capacity planning plugins or integrations that work well with Librenms? It would be great to find something that can just grab, say, the two-month graph and draw a long-term trend line. Considering writing something myself, but figured why reinvent the wheel.

    submitted by /u/Nuttycomputer

    Fed vs. Contractor

    Posted: 27 Sep 2018 08:52 AM PDT

    I'm currently an IT contractor and have recently been thinking about whether I should look into going over to the Fed side. Been contracting since I separated from the military about 10 years ago. I've read about all the pros and cons of each, such as better pay as a contractor but less job stability, pension and TSP on the Fed side, benefits, etc.

    I'm in a location where there are consistently lots of contractor job openings in my field, and in the past it's only taken me a few weeks to get an interview and be hired. Also, even if the contract I'm on is won by another company, as a contractor you get first right of refusal, so it's not like it's a done deal that you just lost your job. I've always had good benefits, vacation time and matching 401(k)s with my companies. I don't have a family to support or a mortgage (like pretty much ALL the civilians I work with do), so it's not like it would be a big deal if I found myself unemployed for a while.

    What concerns me about working on the Fed side is what happens if you get hired but end up not liking the position, place you work, co-workers, supervisor, etc. What then? It seems like I would be trapped after I've worked hard to get this "lucrative" government job. I've heard it can sometimes not be easy to transfer to another Fed position, and even if you can, comparing usajobs with contractor sites, there are WAY fewer openings in my field and location (we're talking single digits compared with hundreds). Compare that with the contracting side: if after I get hired I end up not liking the position, I can be out of there and in a new job within a month or so.

    Reading all the posts like this, the vast majority say working on the Fed side is better, so I'm wondering if there's anybody else who works in this sector who decided the contractor side was a better fit?

    submitted by /u/0h800

    ELK for network monitoring - where to go?

    Posted: 27 Sep 2018 11:16 AM PDT

    Hi all,

    We've been setting up an ELK cluster which is supposed to be the centralised data lake for our monitoring services and apps. Currently, we have the following data sent to the cluster:

    1. Netflow information from routers, firewalls, datacentre, load balancer etc.
    2. Syslog from all devices
    3. Custom metrics from network equipment (using custom python/REST APIs and agents I can send pretty much all of the data I want, basically anything that can be displayed with a show command). We use this to send many metrics, from interface utilisation, STP events and MPLS routes to BGP-EVPN stats

    My question is, what would be the best way to analyse this data and gather some informational insights on the network from it? I'd love to get some ideas or hear what you guys have seen/developed for your environments (or some general thoughts on ELK and network monitoring with it). Currently we're struggling to even analyse network failures retrospectively, since some of the metrics and data (Syslog?) are not informational or don't seem to help that much...

    My current ideas:

    • Build custom ML apps using open-source tools (TensorFlow, SciKit etc.) in order to predict failures (based on all gathered metrics)
    • Create some trap generating system on top of ELK (Sentinl, elastalert etc.)
    • Gather some advanced metrics, such as health measurements of an app or the path of a flow in the network (and possibly feed it to the ML app mentioned above)

    The way I see it now, we have two main issues: how well the solution will fit ELK (just the methods, without even talking about ELK's limitations) and how hard it would be to develop and get to the production scale level...

    Cheers.

    submitted by /u/AnonITEngineer

    VoIP security query (SBC or Firewall)

    Posted: 27 Sep 2018 03:29 PM PDT

    Hi all,

    I have a query about VoIP security etc... I'm OK with normal route and switch stuff, but when it comes to unified comms and security it's a bit of a weak point, so I'm hoping you guys could help.

    A diagram of the setup is here:

    https://imgur.com/mpaLPy5

    This is only one side; there is another, and it works as an Active/Active setup with VRRP... calls are load balanced.

    "X" doesn't currently exist, but with more users coming online, we feel "X" should... But with what?

    Initially, with some research, everything pointed towards SBCs; some of the contractor guys suggested this would be a good approach too, but looking more into it, our current IP-to-E1 gateway is doing a lot of the functions of an SBC, so when you factor in costs and licences, and the fact that we would be using very little of the features, they seem pointless.

    Other users (SIP Endpoints) will always be known, so a firewall seemed like the next logical choice, but what type?

    Effectively we want to reduce/manage the risk of DoS attacks, replay attacks and just the general security of the IP-to-E1 gateways. A routed stateful firewall seemed ideal, with some traffic policing, but how is this set up with VoIP in mind (Cisco ASA)? Also, we need something that is not too complex to make edits to for testing, fault-finding and onboarding of new users (endpoints)... I'm assuming this will be a lot of ACL manipulation? Is VRRP much of a hassle through firewalls?

    Would a transparent FW be a better option?

    Does it need to be an ASA at all, or could we just get a router with a security licence to do this?

    Probably some stupid questions in here, but like I said UC and SEC aren't really something I've much experience in.

    submitted by /u/kaosskp3

    How do you test a connection with telnet? Isn't having telnet open a security risk?

    Posted: 26 Sep 2018 09:30 PM PDT

    I'm a data center tech at the moment and I frequently hear engineers on calls saying how they are testing a new connection with telnet. How does that work exactly? Does the telnet port have to be open on the destination host? I would assume that is a security issue.

    I tried telnetting to a server in my lab and I was only able to pick up a SYN + destination host closed connection in Wireshark.

    I would appreciate if someone could clear this up for me.

    EDIT: Thank you for all the resources. Lots of cool stuff.

    submitted by /u/juniorneedjob

    Ruckus/Brocade MCT vs Stacking

    Posted: 27 Sep 2018 09:16 AM PDT

    I'm trying to figure out the pros/cons of Ruckus/Brocade MCT (multi-chassis trunking) vs regular stacking. We have a pair of ICX 7750s that will be LACP connected hub-and-spoke style to a few stacks of ICX 7250s. There's a holy war brewing here where one faction wants to connect the 7250s together through MCT and another faction says stacking them would be better. The physical connections and redundancy will be exactly the same under both methods. The stacking group say their method is better because there's only one management interface, configs/tables are fully synced between all members and there's no spanning tree convergence in the event of a failure. The MCT group says their method is better because there are two independent switches with separate configs/tables, and if someone screws up a live config it won't affect the other member and traffic will continue to flow. I should mention that the 7750s will be in the same rack.

    Does anyone here have a preference for one over the other and if so, why?

    submitted by /u/jimboni

    DC SW <-> FW eBGP?

    Posted: 27 Sep 2018 09:39 AM PDT

    (TL;DR: /27-/31 subnets in DC with eBGP to FW, stupid idea or not?)

    We run our own MPLS network in the campus, and it has been working great so far. Lots of different VRFs for different use cases like "office pc", "lab analyzer", "surveillance cameras", "temperature sensors" etc. Every VRF gets the default route from FWs in the DC, where we have MPLS-capable switches. "Office PCs" for example has lots of different subnets in different buildings, but they're all in the same VRF and get the default route from the DC.

    Currently our servers are in a single "servers" VRF with multiple subnets and we're thinking of segmenting them to multiple VRFs like the LAN is. At least all the new subnets, where we would create a small subnet holding the servers and then have BGP peering between the DC switches and the FW.

    So the actual question is: is it a stupid idea to have /27-/31 DC subnets that are terminated on the firewall with eBGP peerings?

    We have lots of servers where the management is outsourced, and a few where there are regulatory issues that mean we can't just run the Windows/RHEL updates there every month. I'd like to keep those as separate from everything as possible. And also, if the server doesn't need to talk to other servers, why should it?

    NSX or something would probably be great, but getting NSX for just this purpose would cost a lot more than configuring all those eBGP sessions :) We have Fortigate firewalls that can support 5000 BGP peerings IIRC. The number of servers we have is in the hundreds, not thousands.

    If this would work fine I could also extend this to our "DMZ". Everything that's being accessed from the internet comes through our load balancers, so the servers would only need to talk to the load balancer. Using private VLANs would probably work, but I'm expecting there might be a few DMZ servers that need to talk to each other but not to other DMZ servers.

    Thanks for any ideas!

    submitted by /u/PublicSectorJohnDoe

    Private AS numbering

    Posted: 27 Sep 2018 03:27 AM PDT

    I am in the process of building an IPSec transit network connecting my various AWS cloud based data centers to various private (on premise) data centers. This is a completely private network.

    The design is hub and spoke and routing is handled by BGP. All data center locations connect to the various hub routers and the hub routers advertise routes between data centers. Some BGP route manipulation is performed on the hub routers to prefer specific paths etc. The reason for the hub and spoke design is to simplify the configuration when an additional data center is added to the existing network (it just needs to connect to the hub).

    I have some BGP experience but I am not an expert. The AS numbers provided by AWS for IPSec connectivity (between my hub network and the AWS regions) are obviously controlled by them thus making the connection eBGP (because the AS number will be different from the private AS number I use on my routers). My question is specifically around the suggested numbering of private AS numbers on my own routers. Although I know that within an organization usually the same private AS number is used, I was wondering if it would be an acceptable design to use different private AS numbers for different routers. I use multiple ISPs within my network to run IPSec across multiple paths to the hub routers. When looking at the BGP routes, I find it easier to associate an AS number with a specific router rather than the BGP peer IP so for me it is easier to understand the preferred path. Is there an issue with this design? I would appreciate your input.

    https://imgur.com/YxzDhhA

    submitted by /u/avdvyver

    Looking for recommendations on a WAP for video signals at a football field.

    Posted: 27 Sep 2018 02:12 PM PDT

    So I am running a Tricaster TC1 and NewTek NDI Sparks that operate on Wifi as part of their feature set.

    I'm looking at running two of these boxes wirelessly. I realize that I need a robust network. At the field in question, there's very little room for electricity. There are no places to expand it, but we DO have a fiber backbone for our networking. Right now, we have a PoE switch in the booth at the field and 10gb between the field and the switcher (in the main building).

    I need a WAP (or two) that is going to cover the football field and blanket the area so I can have mobile cameras roaming the sidelines.

    It sounds like Ubiquiti might be the way to go, but I'm confused on options. This setup would not broadcast a public SSID and would not be connected to anything but the video signals. In fact, it's literally connected to a VLAN with no other traffic on that particular network.

    What would you guys recommend?

    submitted by /u/amccune

    Should I go for a Level 2 switch or Level 3?

    Posted: 27 Sep 2018 06:04 AM PDT

    Hey,

    We have about 60 retail properties.

    Each location has an ASA 5506 and about 6-8 devices (computers, a debit machine for payments, 1-2 printers and other misc).

    We'll be deploying VoIP, so the ASA 5506 won't fit the bill as it won't have enough ports.

    I don't want to throw in just a dummy unmanaged switch which all the vendors keep recommending lol.

    In the future, we might roll out IP cameras as well, which is why I'd like to get a 24-port managed switch and VLAN off the VoIP phones/IP cameras.

    For my case - would a level 2 switch be enough or should I just go with a level 3?

    Also - do you have any recommendations that won't break the bank? Kind of on a tight budget. I was thinking of the Cisco SG series but I've been told to stay away from those.

    submitted by /u/Hayabusa-Senpai

    Network monitoring tool with configuration management module

    Posted: 27 Sep 2018 01:31 PM PDT

    Hi all,

    We are going to set up a new monitoring tool in my company.

    The main requirement is to monitor 500 network devices (Dell, Juniper, Checkpoint) via SNMP + (not required but nice to have) VMware and bare-metal servers monitoring (iDRAC and iLO).

    Also, we want to have the possibility to collect, store and manage configuration from network devices. I have experience with the BMC Entuity (Eye of the Storm) tool and I know that it can do it, but the report module is really bad and also BMC support is not helpful at all.

    I expect that PRTG will be a good option (I like that the web panel uses HTML5 instead of Flash or other heavy technology). It is really easy to use, but unfortunately it does not provide any possibility to store and manage configs.

    Any ideas from your side? Of course, we are looking for some commercial solution. Please do not propose open-source solutions.

    submitted by /u/Ppetr0

    Is SecureCRT license lifetime permanent right to use [with 1-3y update support] or it will deactivate after expiry date?

    Posted: 27 Sep 2018 12:51 PM PDT

    Basically the title. I'm in deep love with SCRT in my workplace and I wanted to install it at home for personal usage as well.

    I intend to buy the license but their site is absolutely cryptic and I have no idea if the license is perpetual or annual.

    My other option that has a BIG CONFIRMATION TEXT THAT IT IS FOR LIFETIME on the store page is mobaXterm so in case SCRT is not permanent I will jump on moba.

    EDIT: Thanks to ppl that replied. Just purchased my side hoe :)

    submitted by /u/jaddf

    Network Printer NICs becoming unresponsive

    Posted: 27 Sep 2018 12:09 PM PDT

    I work at a corp help desk for a fairly large company with thousands of locations. We typically have the back office printers at all of our units plugged into a Cisco switch, set with a static IP, so they can print via network from the back office computer.

    The last few months I've seen a strange issue. This issue occurs on multiple models of Brother printers, and HP printers.

    A printer will go completely offline, the switch ports will show down. Printer was previously working, set up by us with proper config, end users are completely locked out from changing settings. First thing I always do is check for port violations because we see those all the time. After a ton of swearing the end user doesn't have the cable plugged in to the switch etc, we've discovered that resetting the printers network settings and reprogramming the IP address, subnet, etc will completely resolve the issue.

    As a one-off, it's not a big issue. But the fact that it keeps occurring, with completely different makes and models, makes me wonder. After seeing this several dozen times I asked my level two if they knew what could be causing this. They didn't really have any ideas or seem too concerned, since most of these calls don't make it to them.

    Are NICs in printers just complete shit that go out all the time? Or is there potentially another cause?

    submitted by /u/jmikepr

    Lab Engineer

    Posted: 27 Sep 2018 11:06 AM PDT

    If you work as a Network Engineer for a strictly lab environment, what's it like?

    Is it boring, fun, challenging? Are you learning a lot? What do you like/dislike about it?

    submitted by /u/passw0rd_

    Switching issue

    Posted: 27 Sep 2018 10:30 AM PDT

    Issue: A non-domain PC (PC-A) can no longer print to a networked printer.

    When I print from a domain PC (PC-B) it works because the job comes from the Print Server. However, I couldn't ping the printer.

    So I checked the firewall and it is dropping ICMP Replies because there is no matching Request. So for some reason the ICMP Request is going through the switches directly to the printer but the Reply goes through the firewall and gets dropped.

    Network Map: https://imgur.com/a/TovlpLn (Red is the ICMP Request and Green is the Reply.)

    We're in the middle of a switch refresh so the infrastructure is rather funky.

    submitted by /u/Chuck_II

    Three Tier Network Design and where to place servers!

    Posted: 27 Sep 2018 02:51 AM PDT

    Hi all,

    We are currently having a redesign of our network and heading to a three tier design. My question to you guys is:

    Where would you place your servers? And why?

    Core

    Distribution

    Access

    Don't worry about budget or any other scenarios. Just if you could do it a particular way, what would it be?

    Thank you

    submitted by /u/RealiNveiN

    Wired packet capture hardware / best practices?

    Posted: 27 Sep 2018 10:11 AM PDT

    tl;dr: what laptop hardware/software config do you recommend for performing raw, wired packet captures?

    I wanted to inspect traffic traversing a trunk, so I SPAN'ned the port like so:

    monitor session 1 source interface g1/4 both
    monitor session 1 destination interface g0/45 encapsulation replicate

    ...where g1/4 is the trunk in question, and g0/45 connects to my laptop.

    Starting Wireshark on that interface shows a ton more traffic, compared to when I turn off the monitor session. But it looks like I'm not getting all traffic passing the trunk, and Wireshark doesn't report any 802.1Q tags. Mostly bcast/mcast traffic, and I guess some ucast traffic not destined for my IP, but... definitely not all raw traffic.

    What I tried

    1. Ensured Wireshark is set to capture in promiscuous mode (it is on by default)
    2. Found no "promiscuous mode" options in my wired NIC's driver options in Windows
    3. Found an Intel article describing a registry hack to enable monitor mode, but multiple reboots/permutations gave same results

    Best I can tell, my Latitude's built-in NIC (Intel I219-LM) doesn't support full promiscuous mode, at least in Win10, but I couldn't confirm one way or the other.

    Edit: stupid new reddit formatting

    submitted by /u/austindcc

    Switch uptime

    Posted: 27 Sep 2018 08:30 AM PDT

    What's the highest uptime you've seen? I'm looking over our whole switch estate now to check on various things and noticed this one: 3 years, 7 weeks, 1 day, 20 hours, 14 minutes

    Among the things I'm checking is if these things have the latest software version and guessing by the uptime, that's probably a no.

    submitted by /u/BeerJunky

    What are you using for log aggregation?

    Posted: 27 Sep 2018 04:39 AM PDT

    Wondering what people are using for log aggregation? Splunk seems to be the leader but it's very expensive. Can Graylog do much of what you need? We are looking to dump everything into it. AD / Syslog / Firewall

    Thanks

    submitted by /u/tjoinnov

    Interface descriptions

    Posted: 27 Sep 2018 12:30 AM PDT

    Hi all,

    I'm faced with creating a new port description template for our DC equipment (all routers, switches, FWs and load balancers). Right now it's not consistent and for many ports just a mess.

    To make things worse, because we have certain sections of our network air-gapped, we also have end users directly connected with a thin client on some DC switches. For these ports, we require the MAC address of the thin client in the port description (for now). Yet again, we are also using port security sticky on these ports. This means that the MAC address also appears in the Cisco interface configuration (switchport portfast mac-address sticky).

    For now I have the following possible variables which I might (or might not) want to integrate in the description:

    • Neighbor hostname
    • Neighbor MGMT IP
    • Neighbor interface name
    • Neighbor MAC address (perhaps only for end user ports?)
    • Port role (something like EDGE, CORE, USER, HA, MGMT etc?)
    • Patchrack (Case and U#) and patchnumber
    • Line numbers (DC interconnects)

    These are values which I found in the current interface descriptions across the network.

    Especially the MAC address seems a bit overkill to me. And the port role could work, but at the same time I can see it confusing my colleagues (shared DATA port with MGMT port, for example). Port roles might also be something which isn't easy to automate unless I set up a database with a port inventory with all the roles. Which is a pain in the ass and only moves the management problem to a different system.

    Also I'm wondering if the line numbers for the DC interconnects shouldn't be placed somewhere else. Especially if I want a consistent template and the value is only required on ~6 interfaces per DC.

    I mainly want the following requirements for the new template:

    • Structured, easy to recognize template
    • Consistent across all ports
    • Easy to automate. I might want to implement some form of scripting to keep things organized
    • Helpful: bare minimal but enough information in troubleshooting scenarios where documentation isn't available

    I want to do it right this time and not redo the whole template in another 4 years ;) So I was wondering if you guys could help me out here. What templates and variables are you using for your (DC) interface descriptions? What works for you and what's something that you clearly wanted to avoid?

    Thanks in advance!

    submitted by /u/Yariva

    Ikev2 Site to Site VPN on a Palo Alto firewall towards a Cisco ASA

    Posted: 27 Sep 2018 07:27 AM PDT

    Hi everyone,

    Has anyone here ever set up an IKEv2 site-to-site VPN between a Palo Alto firewall and a Cisco ASA?

    I was just working with a company on setting this up. I manage the Cisco ASA and they manage the Palo Alto. I was unable to establish a successful site-to-site VPN using IKEv2. Once we moved it to IKEv1 it came up instantly.

    I already have many IKEv2 VPNs running on my ASA to other sites successfully, but none of them are to Palo Alto firewalls.

    The network guys from the company I was working with told me that with Palo Alto, you need to put in an IKEv1 pre-shared key along with the remote and local authentication keys for IKEv2...

    I found it strange that the Palo Alto would need any IKEv1 configuration if you are trying to use IKEv2, as that would defeat the purpose really. Can anyone clarify what is required to set up an IKEv2 site-to-site VPN on a Palo Alto firewall? I have done some research but everything I find is just setting up IKEv1 from what I can see.

    Thanks in advance..

    submitted by /u/Seanwilko1991

    How to test my Site to Site VPN on a new Firewall before deploying it on site.

    Posted: 27 Sep 2018 06:06 AM PDT

    Hello networking Community!

    You are kind of my last hope, since nobody at my workplace or my web searches can comprehend the problem I've got here.

    Since I started in IT everybody always tells me: ALWAYS test everything before you deploy/configure/change anything! So that's what I'm trying to live by. Here is my layout. We have a Sophos SG 210 firewall in-house and a pfSense firewall on a remote site. There is a VPN IPsec tunnel configured between these firewalls, with each having the remote gateway and pre-shared key set. Now we want to replace the pfSense firewall with a small Sophos SG 105. The IP/gateway etc. stay the same; only the hardware and config are going to change. That's all good, but how am I able to test the new VPN IPsec tunnel between the two Sophos firewalls when I only have one physical WAN/Internet interface/connection for the in-house firewall and none for my new remote site firewall? Is there a way that I can create a "pseudo" WAN for the new firewall to be behind so that I can test the VPN tunnel?

    I hope I made my problem understandable.

    submitted by /u/Huli_CH

    HPE Comware - IRF - Forwarding Traffic in an IRF ring topology -> is the shortest path chosen automatically?

    Posted: 27 Sep 2018 04:54 AM PDT

    Hey,

    I have an IRF of 9 members. The topology is a ring. The members are located in different buildings of the campus.

    My question is: Does an IRF always choose the shortest route internally? Is the shortest route the path with the fewest hops?

    submitted by /u/DillAndBocuse