
    Friday, November 30, 2018


    Huge Databreach at Marriott/Starwood

    Posted: 30 Nov 2018 09:58 AM PST

    Apparently not only were their servers exposed via RDP to the internet, but they also had open telnet to their switches. I mean, wow.

    Link1

    Link to NYTimes Story

    Discussion over at /r/sysadmin

    submitted by /u/neteng13

    Anyone running BGP on servers?

    Posted: 30 Nov 2018 09:49 AM PST

    We're thinking about options to migrate VMs to other DCs, for DR purposes and because we might need the local capacity for services requiring lower latency and then move the non-critical stuff to other DCs.

    Today options seem to be either VXLAN EVPN or running BGP on the servers and advertising /32 "service addresses". If we'd "stretch the L2" with VXLAN EVPN we'd probably have some issues with firewalling, as we'd like to firewall everything. If we migrate VMs to another DC and they're still in the same IP subnet how can we get the return traffic to the new FW, or should we just route the traffic via the original FW and then over the EVPN to new DC?

    Running BGP on servers seems like an option to fix this. We would have to clone the FW rules to every DC FW but we'd get the traffic flowing through the local FW. Of course this might sound scary for the server guys :)

    Basically I'm wondering if anyone is doing BGP on the servers and how has it worked out?

    submitted by /u/PublicSectorJohnDoe

    Dec. 2018 - Does anyone use Cisco VIRL? Is it worth it now?

    Posted: 30 Nov 2018 02:18 PM PST

    I know there is an archived thread in this subreddit, but it is over a year old. Can anyone give an updated review regarding VIRL?

    submitted by /u/nicolaidesnikos

    VXLAN Design Question - Firewalling and VXLAN

    Posted: 30 Nov 2018 06:22 AM PST

    Question for those of you VXLAN experts. If a person wants to do an HA pair of firewalls (let's say through PAN), and they want to run one firewall in DC A and another in DC B. Because it is in HA they need to be in the same network.

    So the admin creates 10.0.0.0/24. Each firewall is going to a pair of leafs.

    Is it possible to run ospf on the 10.0.0.0/24 network on the leafs if they are running in anycast gateway mode? If not, then how can you stretch the layer 2, when you also want to use layer 3 to advertise things like your default route from your firewalls.

    submitted by /u/LynK-

    Why border/service leafs?

    Posted: 30 Nov 2018 09:19 AM PST

    In VXLAN fabrics, why would you have separate border/service leafs? Instead of just connecting your firewalls/routers/whatever to any two leafs you decide?

    submitted by /u/simosilakka

    Wrong Subreddit? I am looking for some good cheap / free beginner Avaya training

    Posted: 30 Nov 2018 12:41 PM PST

    As the title says, I'm not entirely sure this is where I should post this, but my company uses Avaya for communications and it seems that there is no one here who is a dedicated expert with it. (We use vendors a lot for assistance with it.) I was going to try and leverage my value and get more comfortable with it.

    Any useful resources like books, videos, guides or cheap courses you would recommend?

    Thanks a ton everyone!

    EDIT: I should note too, I currently have access to a spare G430 and phones to play with as well.

    submitted by /u/King_Tryndamere

    Breaking RFC 1519

    Posted: 30 Nov 2018 05:22 AM PST

    I have a problem and I'm hoping someone has some advice for how to best deal with a vendor. Their situation bothers me.

    So a vendor installed a network for a new initiative in what is a more or less shared space. This system required networking, as you would expect, they needed a couple of things, provided a couple of things, etc. So, long story short: their gear: gateway/router/firewall ... The gear we provided: switches.

    We chose stacked multilayer switches because of the requirements they set forward. We gave them admin access, to all the things, so they could round out the config for final implementation.

    So yesterday, I went in to see how they're doing with it, and get some minor training on supporting their equipment (I'll help with onsite work since the vendor's location is pretty far away).

    I found out that they're setting up Windows on a /24 network, x.x.101.y (where x is always the same across all network subnets) and they're setting the default gateway to x.x.100.1

    I don't even understand how that works, at all, or why Windows would allow any communication to happen. They're not using vlans, so their x.x.100.y gear is on the same L2 domain as their x.x.101.y, but as far as I can tell, everything is set to /24.

    This hurts me a little bit, but for some reason, it works. Communication happens.

    I have not ever been witness to a network breaking CIDR boundaries like this. What is happening? Why does this work? What are the pitfalls here?

    Obviously I just want to claw my eyes out and re-arrange the network into vlans and set up the L3 switch to route everything correctly, however, I have no access to set up routes in their gateways, so I'm pretty stuck.

    Is this worth pursuing? I mean, for the purposes of shielding my client from a bad network design? Or will the problems be minimal and I shouldn't worry about it.

    Thanks.

    submitted by /u/MystikIncarnate

    Loopback Adaption for Mac (Mojave) with GNS3

    Posted: 30 Nov 2018 10:21 AM PST

    I have a python script I am trying to test that utilizes some libraries and is running locally on my Mac (using Mojave). The script connects to network devices via SSH and I want to test it on multiple devices (easiest in GNS3).

    So I want to be able to SSH from my terminal/python script into the devices in GNS3. The only tutorial I can seem to find that accomplishes this uses a tool called TunTap, but this tool cannot run in Mojave.

    Does anyone have experience doing this who can assist me or point me in the right direction?

    submitted by /u/dacv393

    Question about failover routing

    Posted: 30 Nov 2018 09:38 AM PST

    I need some help with designing a solution. I've got an old Dell 6224 that is my core. It connects to 2 routers, 1 directly and 1 through a VPN. Both those routers are the next hop to my target address. I'm trying to find a reliable way to route to router 2 if router 1 goes down or vice versa. Our network is pretty static so we've been using just static routes. However, using weighted preference on the Dell switch doesn't seem to work well. Any ideas?

    Thanks

    submitted by /u/phoneHaru

    OpenVPN

    Posted: 30 Nov 2018 09:29 AM PST

    I have a Mikrotik routerboard rb951g-2hnd

    This is my network configuration. I have two bridges: bridge one for all my Ethernet and WLAN,

    and bridge 2 for my guest WiFi.

    Each bridge has a DHCP server and IP address range.

    My router is behind a private IP subnet and as such, I can't access my router and devices from the internet.

    I hosted an OPENVPN service on cloud.

    I am able to connect my other devices (mobile phone and laptop) to the openvpn server in cloud.

    These are my challenges.

    I was able to configure my router as an OpenVPN client on the interface, and you could see that it's connected.

    So 1) how can I route some specific traffic through the VPN, i.e. maybe allow my guest WiFi on bridge 2 to connect through the VPN while everything on bridge 1 remains the same?

    2) how can I access my router configurations (winbox, webui ssh) and network devices on my router (NAS, server) through the VPN from the internet? Since all my mobile phone and laptop are connected to the same OpenVPN server as the router.

    submitted by /u/teephart

    How far are we from MDS emulators for FC SAN on GNS3/EVE-NG?

    Posted: 30 Nov 2018 01:14 PM PST

    We now live in a time with NXOSv 9000 and IOSv. Is SANOSv coming?

    submitted by /u/rooditour

    Testing Loop Prevention

    Posted: 30 Nov 2018 05:38 AM PST

    I've been tasked with testing our VXLAN fabric for loop prevention to see how it affects the environment. Obviously I can create a loop by attaching a rogue switch to multiple ports, but I'm looking for other scenarios to test.

    What do you guys have?

    Thanks!

    submitted by /u/lynch11561

    Interesting lil problem

    Posted: 30 Nov 2018 09:10 AM PST

    Hey /r/networking.

    I am writing here to see if anyone has some insight or a path to investigate further into a strange little issue.

    We have some compliance in our environment and because of this leverage Solarwinds UDT. This lil issue essentially makes the UDT unreliable because if it is not functioning as intended... and providing false alerts, it does not serve its purpose.

    The issue I am running into... about once per day, sometimes twice, I will get an alert that a Rogue MAC address has been detected. The MAC address is vendorless and appears to be generated randomly. There doesn't appear to be a timestamp correlation to when this occurs, it just happens when it damn well pleases.

    Fortunately, using SW UDT, I can see what switch this has a direct connection to. It is not always the same path through the network, but often passes or direct connects to a specific port. I mirrored out the port (well, the port that is most commonly flagged, it's not consistent) to an unused one & ran a dumpcap/shark on the wire for the past 24 hours and it came back with three separate hits across the span of 24 hours.

    Filtering out the results is interesting (well, to me anyways, I'm not a super network guru-type).

    The packet that this exists in appears only once in the span of roughly 3 hours. It is always a single source:dest mac set and both of them are vendorless. A strange occurrence that has happened once (that I've noticed since capturing) is the mac address exists as "concurre_00:00:34"

    The protocols I've seen listed associated with the packet are: "0x0c78" and "0x748c" (so far anyway).

    Somewhere in here, the managed switch must be registering this in its ARP table, or I'm guessing it wouldn't be detected? When I've http'd into the switch to view the ARP table, it does not exist there either. It blips and disappears, almost as if it's relying on this for some internal function that I am unaware of.

    I have no doubt it is something in the environment that is doing this and I'd like to remove it so that the UDT solution can function as intended. As it stands now, it's unreliable because of this.

    I'm stumped. Anyone seen something similar to this or have a better path? Glad to answer anything, but can't always respond immediately.

    Hope everyone had a nice holiday & I greatly appreciate your time.

    submitted by /u/rubbishfoo
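
A small triage helper for the symptoms described in this post, added here as example code (it is not part of the post and not a UDT feature): it decodes the I/G and U/L bits of a MAC address, flags "vendorless" OUIs against a lookup table, and checks whether the type field is a registered EtherType. The OUI table is a constructed stub; the EtherTypes 0x0c78 and 0x748c are the ones quoted in the post.

```python
import re

# EtherTypes one expects on an access VLAN; anything else is worth a second look.
KNOWN_ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6",
                    0x8100: "802.1Q", 0x88CC: "LLDP"}

# Constructed stub; a real deployment loads the IEEE OUI registry here.
OUI_TABLE = {"005056": "VMware", "000C29": "VMware"}


def parse_mac(text):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455; return 6 bytes."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)


def classify_mac(text, oui_table=OUI_TABLE):
    """Decode the two flag bits of the first octet and look up the OUI."""
    mac = parse_mac(text)
    oui = mac[:3].hex().upper()
    return {
        "multicast": bool(mac[0] & 0x01),             # I/G bit: group address
        "locally_administered": bool(mac[0] & 0x02),  # U/L bit: not vendor-assigned
        "vendor": oui_table.get(oui),                 # None is what UDT calls "vendorless"
    }


def triage_frame(src, dst, ethertype, oui_table=OUI_TABLE):
    """Return the reasons a captured frame looks like noise rather than a real host."""
    s, d = classify_mac(src, oui_table), classify_mac(dst, oui_table)
    reasons = []
    if s["multicast"]:
        reasons.append("source MAC has the group bit set; a NIC never sends from one")
    if s["locally_administered"]:
        reasons.append("source MAC is locally administered (randomized or software-generated)")
    elif s["vendor"] is None:
        reasons.append("source OUI not in the vendor table")
    if not d["multicast"] and d["vendor"] is None:
        reasons.append("destination MAC is unicast but has no known vendor OUI")
    if ethertype <= 0x05DC:
        reasons.append("type field is an 802.3 length, not an EtherType")
    elif ethertype not in KNOWN_ETHERTYPES:
        reasons.append(f"unknown EtherType 0x{ethertype:04x}")
    return reasons


if __name__ == "__main__":
    # Constructed source/destination pair carrying one of the posted EtherTypes.
    for reason in triage_frame("02:11:22:33:44:55", "06:aa:bb:cc:dd:ee", 0x0c78):
        print(reason)
```

Run over the src/dst/type triples of the three captured hits, this tells you in one line whether the frame is a randomized address, an unregistered type, or both.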

    Summarization and Redistribution Question

    Posted: 30 Nov 2018 09:01 AM PST

    Currently each of our sites has two connections to our WAN, one via layer 2 MetroE and one via MPLS; MetroE is our primary. We are using EIGRP over the MetroE and we are redistributing EIGRP over BGP for MPLS. We are looking to summarize the routes being advertised at each site. The config for EIGRP seems simple enough. The problem that I am running into is that when I add the ip summary-address command to the interfaces (I tried adding it to both ints going to both WAN providers), it summarizes the EIGRP route but then we bounce over to the MPLS network because the EIGRP routes redistributed through EIGRP are not summarized and those are now the most specific routes. Am I missing something huge here? Or is my design just stupid? Any help would be much appreciated. This is our current config for routing.

    router eigrp 100
     network 10.20.0.0 0.0.255.255
     network 192.168.50.0
     network 192.168.201.0
     redistribute static
     passive-interface GigabitEthernet0/0.99
     passive-interface GigabitEthernet0/0.100
     passive-interface GigabitEthernet0/0.200
     passive-interface GigabitEthernet0/0.300
    !
    router bgp 65005
     bgp log-neighbor-changes
     redistribute eigrp 100
     neighbor 192.168.202.17 remote-as 13979
     distance bgp 190 190 190

    submitted by /u/blacklabelmmm
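
A toy RIB that reproduces the path selection this post describes, added as example code (not from the post and not a router's actual implementation): administrative distance only decides between routes for the same prefix, while the forwarding lookup picks the longest prefix regardless of protocol. The ADs follow the posted config (EIGRP internal 90, distance bgp 190); the remote-site route sets, including the "summary on both paths" variant, are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    protocol: str
    ad: int           # administrative distance
    next_hop: str     # label for the WAN this route points at


def route(prefix, protocol, ad, next_hop):
    return Route(ipaddress.ip_network(prefix), protocol, ad, next_hop)


def build_rib(candidates):
    """One route per exact prefix: lowest AD wins among protocols offering that prefix.
    AD never compares routes of different prefix lengths."""
    rib = {}
    for r in candidates:
        current = rib.get(r.prefix)
        if current is None or r.ad < current.ad:
            rib[r.prefix] = r
    return rib


def lookup(rib, destination):
    """Forwarding decision: longest prefix match over the installed routes."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, r in rib.items():
        if dst in prefix and (best is None or prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def chosen_wan(candidates, destination):
    r = lookup(build_rib(candidates), destination)
    return r.next_hop if r else None


# Constructed view from a remote site with the posted behaviour: the EIGRP summary
# arrives over MetroE, but the unsummarized specifics still reach it via BGP/MPLS.
AS_POSTED = [
    route("10.20.0.0/16", "eigrp", 90, "metro-e"),
    route("10.20.1.0/24", "bgp", 190, "mpls"),
    route("10.20.2.0/24", "bgp", 190, "mpls"),
]
# Assumed variant in which the MPLS side also carries only the /16.
SUMMARY_ON_BOTH = [
    route("10.20.0.0/16", "eigrp", 90, "metro-e"),
    route("10.20.0.0/16", "bgp", 190, "mpls"),
]

if __name__ == "__main__":
    print(chosen_wan(AS_POSTED, "10.20.1.5"))        # mpls: the /24 wins on length
    print(chosen_wan(SUMMARY_ON_BOTH, "10.20.1.5"))  # metro-e: same prefix, AD 90 < 190
```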

    Trouble with DNSSEC, Windows Server 2016

    Posted: 30 Nov 2018 04:03 AM PST

    I'm trying to teach myself to properly implement DNSSEC across a local AD domain, and I keep getting broken trust chain errors. I'd like to fix the trust chain if possible.

    I have activated DNSSEC at my registrar and it checks out as secure.

    https://dnssec-analyzer.verisignlabs.com/sglrit.com

    I then followed this tutorial to activate DNSSEC on my local AD domain.

    https://newhelptech.wordpress.com/2017/07/02/step-by-step-implementing-dns-security-in-windows-server-2016/

    I then used PowerShell to export DS records from my local nameserver and entered the records at my public nameserver.

    Export-DnsServerDnsSecPublicKey -DigestType Sha256 -ZoneName hq.sglrit.com -Path C:\Tech -force 

    Then I ran the following commands in CMD to test that everything was working. Output below.

    C:\Windows\system32>dnscmd /clearcache && ipconfig /flushdns
    . completed successfully.
    Command completed successfully.

    Windows IP Configuration

    Successfully flushed the DNS Resolver Cache.

    C:\Windows\system32>dig @10.42.60.7 blackbox.hq.sglrit.com. A +dnssec

    ; <<>> DiG 9.12.3 <<>> @10.42.60.7 blackbox.hq.sglrit.com. A +dnssec
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43034
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4000
    ; COOKIE: 0c8d703a5ad0a80e (echoed)
    ;; QUESTION SECTION:
    ;blackbox.hq.sglrit.com. IN A

    ;; ANSWER SECTION:
    blackbox.hq.sglrit.com. 3600 IN A 10.42.60.10
    blackbox.hq.sglrit.com. 3600 IN RRSIG A 8 4 3600 20181210105226 20181130095226 7390 hq.sglrit.com. rRmORxdnVNhuSosWZ+k9RI7Kc2PqvSAIq9YH27N3Fv3+t5MJZpSQO8zC DTVlVKOtHcU96WdVFJY0V0/zDE00Yv8VjqLJa7i82HxvwofpUCEilet0 xc5xPIle385lC72LXYTFyR7wT7vN+zGERr8Rtl73WbEIQ9CfaQE7HetM KlSY5MKZld+5C/qmoq+uCvS9szusuQ9zmCXIgvDZIOE6GRXDPhitcARG T/ZKHzwPuFAsegjdz5EsjWkMsx2TZzpSHWKKt9mYPvWoGMCUSgr1eV4m GYH5AZohk28yoJGG1vhWTLF2+SA1OhcbAcLGO3X++4U3JWdow0thz/7k RscZdw==

    ;; Query time: 0 msec
    ;; SERVER: 10.42.60.7#53(10.42.60.7)
    ;; WHEN: Fri Nov 30 06:46:35 Eastern Standard Time 2018
    ;; MSG SIZE rcvd: 380

    C:\Windows\system32>delv @10.42.60.7 blackbox.hq.sglrit.com. A +rtrace
    ;; fetch: blackbox.hq.sglrit.com/A
    ;; fetch: hq.sglrit.com/DNSKEY
    ;; fetch: hq.sglrit.com/DS
    ;; chase DS servers resolving 'hq.sglrit.com/DS/IN': 10.42.60.7#53
    ;; fetch: sglrit.com/NS
    ;; fetch: sglrit.com/DNSKEY
    ;; fetch: sglrit.com/DS
    ;; fetch: com/DNSKEY
    ;; fetch: com/DS
    ;; no valid RRSIG resolving 'com/DS/IN': 10.42.60.7#53
    ;; validating com/DNSKEY: bad cache hit (com/DS)
    ;; broken trust chain resolving 'com/DNSKEY/IN': 10.42.60.7#53
    ;; broken trust chain resolving 'sglrit.com/DS/IN': 10.42.60.7#53
    ;; broken trust chain resolving 'sglrit.com/DNSKEY/IN': 10.42.60.7#53
    ;; broken trust chain resolving 'sglrit.com/NS/IN': 10.42.60.7#53
    ;; fetch: com/NS
    ;; validating com/DNSKEY: bad cache hit (com/DS)
    ;; broken trust chain resolving 'com/NS/IN': 10.42.60.7#53
    ;; fetch: ./NS
    ;; fetch: ./DNSKEY
    ;; validating hq.sglrit.com/DNSKEY: bad cache hit (com/DS)
    ;; broken trust chain resolving 'hq.sglrit.com/DNSKEY/IN': 10.42.60.7#53
    ;; broken trust chain resolving 'blackbox.hq.sglrit.com/A/IN': 10.42.60.7#53
    ;; resolution failed: broken trust chain

    C:\Windows\system32>

    The DIG command shows an RRSIG, so I see that the server is signing something, but the DELV command shows a break in the trust chain that I have no idea how to resolve.

    Is this as good as it gets? Or is there something I can do to get proper validation from local AD up to the root domain?

    submitted by /u/DoctroSix
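
Two offline checks for the chain that delv walks above, added here as example code (not from the post, and not what Windows DNS or Export-DnsServerDnsSecPublicKey runs internally): computing the DS record a parent zone must publish for a child DNSKEY per RFC 4034 and comparing it with what the parent actually serves, and scanning a delv +rtrace log for the first link that failed, since the later "broken trust chain" lines are consequences of that first failure. The DNSKEY (flags 257, protocol 3, algorithm 8, 4-byte dummy key) is constructed; the trace excerpt is taken from the posted delv output.

```python
import base64
import hashlib
import re
import struct

DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}   # DS digest types


def name_to_wire(name):
    """Canonical wire-form owner name: lowercase, length-prefixed labels, root label last."""
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (form used for every algorithm except RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """(key_tag, algorithm, digest_type, digest) the parent must publish for this key:
    digest = H(owner name in wire form || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    h = hashlib.new(DIGEST_ALGS[digest_type], name_to_wire(owner) + rdata)
    return (key_tag(rdata), algorithm, digest_type, h.hexdigest().upper())


def ds_matches(published, owner, flags, protocol, algorithm, pubkey_b64):
    """True when a DS tuple served by the parent authenticates this child DNSKEY."""
    tag, alg, dtype, digest = published
    if dtype not in DIGEST_ALGS:
        return False
    expected = make_ds(owner, flags, protocol, algorithm, pubkey_b64, dtype)
    return expected == (tag, alg, dtype, digest.upper())


# delv names the first real validation failure, then reports "broken trust chain"
# for everything that depended on it; the earliest match is the link to investigate.
FAIL_RE = re.compile(r";; (no valid RRSIG|broken trust chain) resolving '([^/]+)/([A-Z]+)/IN'")


def first_break(trace_text):
    """(reason, name, rrtype) of the earliest failed validation in a +rtrace log."""
    for line in trace_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            return m.group(1), m.group(2), m.group(3)
    return None


# Excerpt of the delv output quoted in the post.
SAMPLE_TRACE = """\
;; fetch: com/DS
;; no valid RRSIG resolving 'com/DS/IN': 10.42.60.7#53
;; validating com/DNSKEY: bad cache hit (com/DS)
;; broken trust chain resolving 'com/DNSKEY/IN': 10.42.60.7#53
"""
```

A mismatch from ds_matches means the parent's DS and the child's DNSKEY disagree; a first_break result above the child zone, as in the excerpt, points at the resolver's own validation of the parent zones rather than at the child's keys.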

    2 SFF machines, 1 Lenovo with Win10, 1 HP with Debian, both kick users off the local switch when asleep/frozen.

    Posted: 30 Nov 2018 07:41 AM PST

    I have an endpoint with a handful of users connected to an unmanaged Netgear-ish switch, of the GS108 variety. These 2 machines I mentioned are business units with i5 CPUs and about 8GB of RAM and, for whatever reason, will kick everyone else off the network ONLY when (A) the Windows machine goes into a deep sleep (generally reproducible) or (B) the Debian machine freezes/becomes completely unresponsive (used for signage, was using incognito Firefox with Grafana; happened once so far).

    1. Has anyone had this happen? I cannot find similar examples online, numerous issues with Windows Sleep itself clogs the results.
    2. Is this more likely a BIOS issue, a Power Supply Unit issue or an unmanaged switch issue?

    My instinct feels like the managed switch up the chain is just ignoring all requests made when the offending machine sleeps and, if I may, shits out a bunch of requests or broadcasts or multicasts. I don't have time to trouble-shoot when it has occurred, and it is rare to happen, because getting those users back up is more valuable.

    I do not think spending a lot of time on this is valuable but the obscure nature of the situation strikes my curiosity. If it can be solved, great.

    submitted by /u/JohnWaterson

    Setting up a branch IPsec tunnel on a 1918 address behind 1:1 NAT on Cisco gear

    Posted: 30 Nov 2018 08:38 AM PST

    Standing up a quick-n-dirty temporary solution for a site affected by a natural disaster. Local WISP gave us a "static" IP, which is really 1:1 NAT. They gave my ISR an RFC 1918 address that DMZs to a public IP. All traffic to that public IP is 1:1 translated to the 1918 address. All my experience with s2s IPsec is with real public addresses on all endpoints. I know IPsec can do NAT traversal, but I've never configured it in Cisco land and my google-fu turns up nothing relevant to this use case.

    submitted by /u/austindcc

    Remote Infrastructure Management Server

    Posted: 30 Nov 2018 03:52 AM PST

    Hello,

    Is the RIM Server only for monitoring purposes?

    For example, can I set DNS/DHCP service on this server or is it just for monitoring what is on other servers?

    submitted by /u/ozicek

    Multicast issue with Informacast

    Posted: 29 Nov 2018 08:03 PM PST

    We use Informacast at our offices to send pages and such to a group of phones. I recently finished setting up the network for a new location of ours. The paging and other multicast related things (AV devices) were functioning as intended.

    About a week ago we got a report that the folks in the new location were suddenly receiving only a beep without any audio when a page was sent.

    They have a combination of Cisco 7800 and 7900 series phones (none are receiving audio at the site). Knowing that Informacast uses multicast, I checked to make sure that any L3 interfaces along the path to the new site had PIM enabled, which they did. I then began googling about the issue and tried the steps that were outlined, including disabling IGMP snooping on the voice VLAN and enabling IGMPv3 on the L3 interfaces. Still no audio. Has anyone experienced these sorts of issues with it? It works fine at our other locations with the same configuration. It's worth noting that the switches at the new location are a combination of Cisco 9300 and 9400 with IOS-XE 3.6.x, whereas most other sites have 3750Xs.

    submitted by /u/AdmiralAlberta

    Cisco SG350 privilege levels

    Posted: 30 Nov 2018 02:01 AM PST

    Hi Guys,

    I'm quite used to Cisco IOS but haven't done a huge amount with the SG series.

    On our IOS switches we generally create a privilege level and limit what commands it can execute.

    However, while reading about the SG350's I have come across the following:

    Manual:

    Read/Limited Write CLI Access (7)—User cannot access the GUI, and can only access some CLI commands that change the device configuration. See the CLI Reference Guide for more information.

    CLI Reference Guide:

    Level 7

    Users with this level can run commands in the User EXEC mode and a subset of commands in the Privileged EXEC mode. Users at this level cannot access the web GUI.

    What isn't overly clear is whether I can customise a privilege level as I can with IOS and choose a specific set of commands.

    Has anyone done this on the SG350 series?

    I'd also be interested as to what "subset" of commands level 7 can use as this doesn't appear to be expanded on in the manual.

    submitted by /u/Joe_Pineapples