    Thursday, January 31, 2019

    Blogpost Friday! Networking

    Blogpost Friday!

    Posted: 31 Jan 2019 04:04 PM PST

    It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

    Feel free to submit your blog post, as well as a nice description, to this thread.

    submitted by /u/AutoModerator
    [link] [comments]

    Request: Follow up to the year old thread "We've eliminated routing protocols from our network!"

    Posted: 31 Jan 2019 09:54 AM PST

    Thread is here:

    https://www.reddit.com/r/networking/comments/7r9n6y/weve_eliminated_routing_protocols_from_our_network/

    OP, you deleted your account! Why? Did you get fired? We need an update to see how things are going. Curious who needs to eat crow, you or the rest of us.

    submitted by /u/MustardEngineer
    [link] [comments]

    OpenVPN Routing issue.

    Posted: 31 Jan 2019 04:05 AM PST

    A co-worker and I are trying to set up a connection using OpenVPN. I have done this a few times on my own but this particular co-worker... anyway.

    His network is 192.168.10.0. He has the OpenVPN server at 192.168.10.1 with a VPN side address of 10.0.8.1.

    My side has the client connected at 10.0.8.6 with a LAN side IP of 172.21.10.10.

    When the connection is established, I can see and ping everything on the 10 and 192 networks. He can only see/ping his and the 10 network, nothing on the 172 network.

    In my novice/amateur knowledge of networking, I am under the impression that he needs a static route in his router to send all traffic bound for the 172 to 10.0.8.6. He says he has tried this and it hasn't worked.

    Am I missing something?

    Thanks everyone.

    submitted by /u/UnexampledSalt
    [link] [comments]
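The question above turns on the fact that a site-to-site OpenVPN setup has three route tables in the forward path, not one: the server-side router, the server host's kernel, and the OpenVPN daemon's own client table. The kernel learns the remote LAN from a `route` line in server.conf, and the daemon learns which client owns that LAN from an `iroute` line in that client's client-config-dir file; a static route on the router alone reaches only as far as the server host. The following is an added example, not code from the post or from the OpenVPN project: it models each hop as a longest-prefix-match table built from the addresses in the post and traces where a packet from the 192.168.10.0/24 LAN to a host on 172.21.10.0/24 is dropped under each combination of missing entries. Assumed, because the post does not say: the VPN subnet is 10.0.8.0/24 on a tun interface, the router's static route for 172.21.10.0/24 points at 192.168.10.1 (the server's on-link LAN address; 10.0.8.6 is not on-link for that router), a server-LAN host at 192.168.10.50, and IP forwarding enabled on the client host.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

LOCAL = "LOCAL"  # sentinel next hop: the destination network is directly attached here


class Node:
    """A forwarding element with a longest-prefix-match route table.

    Each entry maps a prefix to the name of the next node, or to LOCAL when
    the destination network is directly attached to this node.
    """

    def __init__(self, name: str, routes: List[Tuple[str, str]]) -> None:
        self.name = name
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst: ipaddress.IPv4Address) -> Optional[str]:
        best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return None if best is None else best[1]


def trace(topology: Dict[str, Node], start: str, dst_ip: str,
          max_hops: int = 10) -> Tuple[List[str], str]:
    """Follow dst_ip from `start` table by table; returns (hops, verdict)."""
    dst = ipaddress.ip_address(dst_ip)
    cur, hops = start, [start]
    for _ in range(max_hops):
        nh = topology[cur].lookup(dst)
        if nh is None:
            return hops, f"dropped at {cur}: no route to {dst}"
        if nh == LOCAL:
            return hops, "delivered"
        cur = nh
        hops.append(cur)
    return hops, "loop: hop limit exceeded"


def build(router_route: bool, server_route: bool, server_iroute: bool) -> Dict[str, Node]:
    """Constructed topology from the post's addresses, forward direction only
    (server LAN towards the client LAN).

    Assumptions: VPN subnet 10.0.8.0/24 on a tun interface; the router's
    static route for 172.21.10.0/24 points at the server's LAN address
    192.168.10.1 (on-link for the router, unlike 10.0.8.6); the client host
    forwards IP packets.
    """
    router = [("192.168.10.0/24", LOCAL)]
    if router_route:          # static route on the server-side router
        router.append(("172.21.10.0/24", "server-kernel"))
    server_kernel = [("192.168.10.0/24", LOCAL), ("10.0.8.0/24", "openvpn-daemon")]
    if server_route:          # server.conf: route 172.21.10.0 255.255.255.0
        server_kernel.append(("172.21.10.0/24", "openvpn-daemon"))
    daemon = [("10.0.8.6/32", "client-kernel")]   # the client's own VPN address
    if server_iroute:         # ccd/<client-cn>: iroute 172.21.10.0 255.255.255.0
        daemon.append(("172.21.10.0/24", "client-kernel"))
    nodes = [
        Node("lan-host-B", [("192.168.10.0/24", LOCAL), ("0.0.0.0/0", "router-B")]),
        Node("router-B", router),
        Node("server-kernel", server_kernel),
        Node("openvpn-daemon", daemon),
        Node("client-kernel", [("172.21.10.0/24", LOCAL)]),
    ]
    return {n.name: n for n in nodes}


if __name__ == "__main__":
    cases = [(False, False, False), (True, False, False), (True, True, False), (True, True, True)]
    for flags in cases:
        hops, verdict = trace(build(*flags), "lan-host-B", "172.21.10.20")
        print(f"router_route={flags[0]} server_route={flags[1]} iroute={flags[2]}: "
              f"{' -> '.join(hops)} => {verdict}")
```

Running it shows the packet stopping one hop further each time an entry is added, and reaching the client LAN only when the router route, the `route` line and the `iroute` line are all present. The return path needs the mirror image: hosts on 172.21.10.0/24 must route 192.168.10.0/24 and the VPN subnet via the client host, or the client host must NAT them.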

    Cradlepoint CBA850 for OOBM

    Posted: 31 Jan 2019 01:17 PM PST

    Hello,

    Curious if anyone would care to share a typical setup/design of how best to achieve OOBM to a small stack of network devices which would sit behind a Cradlepoint CBA850 we are thinking of purchasing? More specifically, since I am assuming we would have/need a static public IP address, we are curious if, to gain access to device(s) situated behind the Cradlepoint, it is possible and secure enough to simply use the Cradlepoint only and lock down access to only specific inbound IPs? OR, is it recommended to throw a firewall in as well for more features + security? We would ideally be connecting to a console server with all networking gear connected to that. Thanks.

    submitted by /u/macolino
    [link] [comments]

    Looking for comprehensive books on IPv6, any suggestions?

    Posted: 31 Jan 2019 03:22 PM PST

    Replacing Distribution Switch with Virtual Chassis

    Posted: 31 Jan 2019 03:13 PM PST

    I talked to a vendor today about my network requirements and they recommended not having a distribution layer and instead using a virtual chassis to connect all of the switches. Taking that design into consideration here is a diagram I came up with. All of the network switches are EX3400s and the EX2300 will just be for out of band management. As far as a firewall goes we are planning on going with a FortiGate 80E.

    I can see the good things about it such as it being easier to manage and cutting costs, however I am concerned about there being potential security issues. All devices including servers, workstations, laptops, employee BYOD devices, cameras, building automation systems, guest devices, etc. would be on one stack. I know Juniper has firewall filters, but would that and the edge firewall be enough to properly secure the network?

    I would really appreciate feedback on my network design and suggestions on how to improve it. This isn't a huge network so I can see how it would make sense to go down this route, but I really want to make sure I am making the right decision.

    submitted by /u/kf5ydu
    [link] [comments]

    Trying to configure BIND and DHCPD to use IPv6 and prefix requests

    Posted: 31 Jan 2019 02:52 PM PST

    As the title states.

    My provider is Telstra and I have confirmed they use IPv6 through IPv4. I have managed to configure my pfSense gateway to use Telstra's IPv6 tunnel to get an external IPv6 address and obtain a subnet prefix. I have the DHCP server built into pfSense using that prefix to issue IP addresses to my LAN BUT...

    I wish to move all these settings across to my CentOS box that uses BIND and DHCPD to run my IPv4 local LAN and authoritative local domain addresses. Not worried about this right now but, once I get this working locally I want to then configure my external authoritative DNS to allow customers to use my IPv6 to access services.

    All the research I have done has come from posts only as recent as 2014; many were older.

    I think I am close to getting BIND to work as a recursive IPv6 DNS server but I haven't been able to test it as I haven't worked out using prefix requests to get a local IPv6 address and then have the DHCP server issue that address as a local IPv6 DNS server.

    My BIND main config: https://justpaste.it/6juru

    My Bind zone config doesn't have IPv6 addresses in it yet.

    My DHCPD config doesn't have any DHCP6 info in it yet either: https://justpaste.it/72lbs

    I have also tried to add the DUID of my CentOS box to the DHCP6 server of pfSense to assign a static address but it isn't working. This was my plan to initially test the BIND server.

    From what I searched, my DUID should be located in the file: /var/lib/NetworkManager/dhclient6-*.lease

    Mine is: dhclient6-8de8796d-a9f6-4178-8461-3e65658b076b-enp1s0.lease

    and the content of that file is: https://justpaste.it/2fz0p

    So I assume my DUID is: \000\004\204\273\203h\011\243\325\225Y\321e\366\247\217\303\014

    But that hasn't worked when I put it in the DHCP6 server to be assigned a specific IP address.

    submitted by /u/thatrandomaussie
    [link] [comments]
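The string quoted in the post is how ISC dhclient serialises a DUID in its lease file: printable ASCII characters are written literally (the `h`, `Y` and `e` in the middle are data bytes, not separators) and every other byte is a three-digit octal escape. A DHCPv6 server's static-mapping field expects the same bytes as colon-separated hex, so the value has to be decoded before it can be compared or pasted. The following is an added example, not code from the post or from ISC: it decodes the lease-file escaping into raw bytes, prints the colon-hex form, and reads the DUID type header (RFC 3315 types 1 to 3, RFC 6355 type 4) so that the structure can be sanity-checked. The only input it uses is the string from the post; `POSTED_DUID` and the helper names are this example's own.

```python
import uuid
from typing import Dict

# DUID type codes: RFC 3315 defines 1-3, RFC 6355 adds 4 (UUID-based).
DUID_TYPES: Dict[int, str] = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL", 4: "DUID-UUID"}
OCTAL_DIGITS = set("01234567")

# The value quoted in the post, as a raw string so the backslashes survive.
POSTED_DUID = r"\000\004\204\273\203h\011\243\325\225Y\321e\366\247\217\303\014"


def decode_dhclient_string(s: str) -> bytes:
    """Turn a dhclient lease-file string into raw bytes.

    dhclient writes printable ASCII literally, non-printable bytes as a
    three-digit octal escape, and a backslash or double quote as an escaped
    single character.
    """
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] != "\\":
            out.append(ord(s[i]))
            i += 1
            continue
        esc = s[i + 1:i + 4]
        if len(esc) == 3 and set(esc) <= OCTAL_DIGITS:
            out.append(int(esc, 8))
            i += 4
        elif i + 1 < len(s):
            out.append(ord(s[i + 1]))   # escaped backslash or quote
            i += 2
        else:
            raise ValueError("dangling backslash at end of string")
    return bytes(out)


def colon_hex(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_duid(raw: bytes) -> Dict[str, str]:
    """Describe a DUID: its colon-hex form, its type, and the type-specific fields."""
    if len(raw) < 3:
        raise ValueError("DUID must be at least 3 bytes (2-byte type plus data)")
    dtype = int.from_bytes(raw[:2], "big")
    info = {"hex": colon_hex(raw), "type": DUID_TYPES.get(dtype, f"unknown({dtype})")}
    if dtype == 1 and len(raw) >= 9:     # LLT: hw type(2) time(4) link-layer address
        info["hardware_type"] = str(int.from_bytes(raw[2:4], "big"))
        info["time"] = str(int.from_bytes(raw[4:8], "big"))
        info["link_layer"] = colon_hex(raw[8:])
    elif dtype == 3 and len(raw) >= 5:   # LL: hw type(2) link-layer address
        info["hardware_type"] = str(int.from_bytes(raw[2:4], "big"))
        info["link_layer"] = colon_hex(raw[4:])
    elif dtype == 4 and len(raw) == 18:  # UUID: exactly 16 bytes follow the type
        info["uuid"] = str(uuid.UUID(bytes=raw[2:]))
    return info


if __name__ == "__main__":
    for key, value in parse_duid(decode_dhclient_string(POSTED_DUID)).items():
        print(f"{key}: {value}")
```

For the posted value this yields an 18-byte DUID-UUID, `00:04:84:bb:...:0c`, which is the form a static DHCPv6 mapping expects. If the mapping still does not match, the server's lease log or a capture of the client's Solicit message shows which DUID the client actually sends; the server only ever matches on that.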

    SonicWall: increasing my DHCP/IP scope/range?

    Posted: 31 Jan 2019 01:16 PM PST

    Basically I'm using 10.10.40.1-10.10.40.254 as my static range, and I have 10.10.41.*, 10.10.42.*, and 10.10.43.* as the rest of my DHCP scope. I'm falling short on IPs during high use. Main issue I believe is that they set up wifi on the same scope so even though there are only 350 devices hard wired, that's at least another 300 devices on wifi. What are my options?

    submitted by /u/wolfrollingstoned
    [link] [comments]

    Does opening a pre-emptive TAC case actually do anything?

    Posted: 31 Jan 2019 10:47 AM PST

    We ran into some issues on our last cutover that were so technically specific that management was unable to comprehend the details of them. After laying out a plan of action I keep getting requests to open a "proactive" case. How is this any different from just opening a Sev2 on the day of the cutover? Because I can't open a Sev2 today and keep it in that status. And if it is a Sev3, I might be assigned an engineer who doesn't work on shift come the day of a cutover. Just wondering if anyone else has found "proactive TAC cases" effective.

    submitted by /u/jimothyjones
    [link] [comments]

    BGPmon EoL

    Posted: 31 Jan 2019 07:15 AM PST

    I have seen some messages on the blue bird social media suggesting BGPmon EoL will be announced but I can't find anything official for now. Do you guys have more info about it?

    EDIT: found this: https://bgpmon.net/wp-content/uploads/2019/01/BGPMon.net-EOL-EOS-faq.pdf

    submitted by /u/micwolljung
    [link] [comments]

    Passive Monitoring Tool with Graphical Data Output

    Posted: 31 Jan 2019 11:09 AM PST

    Has anyone found software that ingests packet captures like Wireshark, but makes customizable graphs?
    SolarWinds came out and tried to sell me on their software, but I don't want SNMP or anything reaching out into my operational network. I just want a Windows workstation to take in packets from a monitor port on one of my backbone switches that shows all traffic and display the results in graphical form.
    Wireshark works great for troubleshooting and identifying issues, but I wanted to stand up a constantly running graphical display of typical traffic and connectivity to a multitude of sites and systems. Does this exist?
    I read the post about Scapy, but that doesn't seem to fit the bill, as I'm looking for a packaged windows application, even one that would work in conjunction with Wireshark.

    submitted by /u/matchurian
    [link] [comments]

    Anyone with checkpoint experience have knowledge of automation?

    Posted: 31 Jan 2019 02:30 PM PST

    Mainly trying to figure out how (if I even can) to automate policy installations for our change windows. Looks like in the GUI there's options for Application and URL Filtering and IPS automated updates, but none for just a pure policy installation.

    Running on R80.10

    submitted by /u/jasonrcain
    [link] [comments]

    Perspectives on SD-WAN

    Posted: 30 Jan 2019 04:36 PM PST

    A streamlined, centrally-managed approach to branch connectivity appeals to me.

    Shoving the whole paradigm into a proprietary vendor-specific black box does not.

    Part of me thinks it's the necessary and good next step forward. As ecosystems become more complex, it makes sense to outsource problem spaces to specialists that inevitably emerge to fill evolutionary niches.

    Part of me thinks it's a dangerous trap, ripe with short-term gains but setting us up for long-term pains, as we slowly cede our standards-based, "knowable" infrastructure to tightly integrated, proprietary black boxes.

    Thoughts?

    submitted by /u/austindcc
    [link] [comments]

    VLan and Default Gateway Switch

    Posted: 31 Jan 2019 09:59 AM PST

    I forgot something very basic. Looking to set up some IP spoofing measures. Have been buried pretty deep in a Windows Server environment and looking at IP spoofing protection with our Meraki MX FW, and I forgot a concept of general routing/switching.

    PC/Guest APs --> L3SWITCH ----(Tagged port)-> FW -> ISP RTR

    Right now we have our core switch operating at L3 and it is the default gateway. This will then push the traffic from 3x different VLANs to the FW. In order to set up IP spoofing protection when the device is using NAT, the requirements are as follows:

    • The source IP address is reachable through a configured static route or local VLAN
    • If the source IP address is contained within a configured VLAN, the source VLAN must match the configured VLAN ID for the source IP's subnet
    • If the source IP address is contained within a configured static route, the source VLAN must match the VLAN ID for the subnet that the next hop IP of the static route is accessible through

    I completely forgot what happens to a packet at the GW switch in this type of structure and how it's tagged when it gets to the FW. I feel like it could complicate things. Left the switch as the gateway so we could have better lower level control; was this a bad idea?

    TL;DR - Core switch is the default gateway, passes traffic to the FW from local VLANs. Forgot how that traffic looks when it arrives at the FW and how it's tagged. Looking to set up some IP spoofing preventative measure.

    submitted by /u/Hollow3ddd
    [link] [comments]
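The three bullets in the post describe a source-VLAN consistency check: a source address must be either on a VLAN configured on the firewall (and then arrive on that VLAN) or covered by a static route (and then arrive on the VLAN that contains the route's next hop). With an L3 core switch as the default gateway, every packet the firewall sees carries the tag of the transit link between switch and firewall, whatever LAN VLAN the source sits on, so the check passes only if the firewall knows the LAN subnets through static routes whose next hop is the core switch's transit address; configuring those same subnets as local VLANs on the firewall makes every forwarded packet look spoofed. The following is an added example, not code from the post or from Meraki, that implements the three rules as written and runs them against both designs. Everything in it is constructed: VLAN 100 as the transit link 10.255.0.0/30, the core at 10.255.0.2, and 10.10.10.0/24, 10.10.20.0/24 and 10.10.30.0/24 as the three user VLANs. Where an address falls inside both a local VLAN and a static route, the example lets the directly connected VLAN win; that tie-break is an assumption of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Vlan:
    vid: int
    subnet: Net


@dataclass(frozen=True)
class StaticRoute:
    prefix: Net
    next_hop: IPv4


def vlan_containing(ip: IPv4, vlans: List[Vlan]) -> Optional[Vlan]:
    """Longest-prefix match of ip against the locally configured VLAN subnets."""
    hits = [v for v in vlans if ip in v.subnet]
    return max(hits, key=lambda v: v.subnet.prefixlen) if hits else None


def source_vlan_check(src_ip: str, ingress_vid: int,
                      vlans: List[Vlan], routes: List[StaticRoute]) -> Tuple[bool, str]:
    """Apply the three source-VLAN rules; returns (allowed, reason)."""
    ip = ipaddress.ip_address(src_ip)
    local = vlan_containing(ip, vlans)
    if local is not None:                       # rule 2: local VLAN must match ingress VLAN
        if local.vid == ingress_vid:
            return True, f"{ip} is in local VLAN {local.vid} and arrived on it"
        return False, f"{ip} belongs to local VLAN {local.vid} but arrived on VLAN {ingress_vid}"
    hits = [r for r in routes if ip in r.prefix]
    if not hits:                                # rule 1: must be reachable somehow
        return False, f"{ip} is reachable through neither a local VLAN nor a static route"
    route = max(hits, key=lambda r: r.prefix.prefixlen)
    nh_vlan = vlan_containing(route.next_hop, vlans)
    if nh_vlan is None:
        return False, f"next hop {route.next_hop} of {route.prefix} is not in any local VLAN"
    if nh_vlan.vid == ingress_vid:              # rule 3: ingress VLAN must be the next hop's VLAN
        return True, f"{ip} matched {route.prefix} via {route.next_hop} on VLAN {nh_vlan.vid}"
    return False, (f"{ip} matched {route.prefix} whose next hop is on VLAN {nh_vlan.vid}, "
                   f"but it arrived on VLAN {ingress_vid}")


# Constructed designs. The transit VLAN between core switch and firewall is VLAN 100.
TRANSIT = Vlan(100, ipaddress.ip_network("10.255.0.0/30"))
CORE_SWITCH = ipaddress.ip_address("10.255.0.2")
USER_SUBNETS = {n: ipaddress.ip_network(f"10.10.{n}.0/24") for n in (10, 20, 30)}

# Design A: core switch is the gateway; the firewall reaches the LANs by static route.
ROUTED_DESIGN = ([TRANSIT], [StaticRoute(net, CORE_SWITCH) for net in USER_SUBNETS.values()])
# Design B: the same subnets configured as local VLANs on the firewall.
LOCAL_DESIGN = ([TRANSIT] + [Vlan(n, net) for n, net in USER_SUBNETS.items()], [])


if __name__ == "__main__":
    for label, design in (("routed", ROUTED_DESIGN), ("local", LOCAL_DESIGN)):
        ok, why = source_vlan_check("10.10.20.7", 100, *design)
        print(f"{label}: {'ALLOW' if ok else 'DROP'} - {why}")
```

With the routed design a packet from 10.10.20.7 arriving on the transit VLAN is allowed; with the local-VLAN design the same packet is dropped as a VLAN mismatch, which is the symptom to expect when the firewall's VLAN configuration duplicates subnets that actually live behind the core switch.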

    VXLAN EVPN - Control Planes

    Posted: 31 Jan 2019 06:46 AM PST

    Hi Guys,

    I'm trying to lab a Cisco Nexus (NX-OSv) VXLAN EVPN topology to get my head around this architecture.

    I know that we are using VXLAN as the data-plane transport but I am having confusion with the control plane. Is multicast required if we are using the MP-BGP control plane? I am looking at various blogs and some are configuring with multicast and MP-BGP and some are just using MP-BGP.

    Some have peerings in the IPv4 unicast address family, some do not - I'm confused on the correct way to do this.

    Can anyone shed any light on this and provide any links to labs / blogs that are doing this the "correct" way from a Cisco perspective...

    Cheers

    submitted by /u/the_craigus
    [link] [comments]

    What optimizations exist on Access ports that don't exist on Trunk ports (by default)? [Cisco]

    Posted: 31 Jan 2019 12:26 PM PST

    In STP, the command spanning-tree portfast only applies portfast if an interface is configured as or negotiated as an Access port.

    This is an example of an optimization that only applies to Access ports.

    (I know you can apply it to a trunk using switchport port-fast trunk)

    My question is, what other optimizations exist that only apply to access ports (even if there are workarounds to also apply them to trunk ports)?

    submitted by /u/recovering-skeptic
    [link] [comments]

    What do you do to stay productive during slow times?

    Posted: 30 Jan 2019 09:37 PM PST

    This Cisco Switch is keeping ARPs from different subnets

    Posted: 31 Jan 2019 10:55 AM PST

    I am a bit puzzled by the operation of this one particular cisco switch in my infrastructure.

    The switch (with the weird behavior), let's say, has an IP of 192.168.1.254/24 on int vlan 1. I am using another box to access it via that IP. Let's say the IP of that box is: 192.168.2.254/24. My infrastructure routes the traffic between a couple subnets (going through a L3 switch and a firewall), to arrive at the 192.168.1.0/24 subnet.

    Now the weird part is that the switch itself has ARP entries (shown with the sh arp command) of devices on the 192.168.2.0/24 subnet. The device only has an IP address of 192.168.1.254. Since the 192.168.2.254 is on a different subnet it should not ARP it... at all. It should ARP its gateway. Makes sense right? Well I look at the MACs associated with the remote subnet and they all have the MAC address of the default gateway (which is an ASA firewall). I know the ASA does proxy ARP, but the ASA is NOT directly attached to the 192.168.2.0/24 subnet. There is another network in between until it gets to the 192.168.2.0/24 subnet.

    Now, the connection to the switch is fine. It is routing as intended. I am just perplexed why the hell this switch 1: does an ARP for an IP on a different subnet and 2: why the hell does ASA respond to the arp, for an IP address it doesn't even have an arp entry for?

    submitted by /u/NoozeHurley
    [link] [comments]
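Off-subnet ARP entries that all resolve to one MAC are the fingerprint of proxy ARP: the switch asked for an address it should have routed via its gateway, and the gateway answered with its own MAC. One common reason an IOS switch asks at all is that its management stack has no usable default gateway (for an L2 switch, no `ip default-gateway`), so it falls back to ARPing for any destination and works only because something on the segment proxies. From a defender's side this is worth auditing, because whichever device answers those ARPs is silently on-path for that traffic. The following is an added example, not code from the post or from Cisco: it parses the data rows of `show ip arp`, flags entries whose address lies outside the subnet configured on the interface they were learned on, and names the on-subnet address that owns the same MAC. The sample output is constructed to mirror the post (192.168.1.254 as the switch, 192.168.1.1 as the gateway, two 192.168.2.0/24 entries); the MACs are made up.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Data rows of IOS "show ip arp": protocol, address, age, MAC, encapsulation type, interface.
ARP_ROW = re.compile(
    r"^Internet\s+(\S+)\s+(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(\S+)",
    re.IGNORECASE,
)

# Constructed sample output; 192.168.1.1 plays the gateway, 192.168.1.254 the switch itself.
SAMPLE_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             3   0050.56aa.bb01  ARPA   Vlan1
Internet  192.168.1.254           -   001e.4aaa.0001  ARPA   Vlan1
Internet  192.168.1.37           11   0050.56aa.cc22  ARPA   Vlan1
Internet  192.168.2.254           7   0050.56aa.bb01  ARPA   Vlan1
Internet  192.168.2.10            2   0050.56aa.bb01  ARPA   Vlan1
"""


def parse_show_ip_arp(text: str) -> List[Tuple[ipaddress.IPv4Address, str, str]]:
    """Return (ip, mac, interface) for every ARPA row; header and other lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            rows.append((ipaddress.ip_address(m.group(1)), m.group(3).lower(), m.group(4)))
    return rows


def audit_arp(text: str, svi_subnets: Dict[str, str]) -> List[Dict[str, Optional[str]]]:
    """Flag ARP entries whose address is outside the subnet of the interface
    they were learned on.

    svi_subnets maps interface name to its configured subnet, e.g.
    {"Vlan1": "192.168.1.0/24"}. Each finding names the on-subnet address
    that shares the entry's MAC, i.e. the host that answered on its behalf.
    Interfaces not listed cannot be judged and are skipped.
    """
    nets = {iface: ipaddress.ip_network(subnet) for iface, subnet in svi_subnets.items()}
    rows = parse_show_ip_arp(text)
    owners: Dict[str, str] = {}          # mac -> first on-subnet address seen with it
    for ip, mac, iface in rows:
        if iface in nets and ip in nets[iface]:
            owners.setdefault(mac, str(ip))
    findings = []
    for ip, mac, iface in rows:
        net = nets.get(iface)
        if net is not None and ip not in net:
            findings.append({"ip": str(ip), "interface": iface, "mac": mac,
                             "answered_by": owners.get(mac)})
    return findings


if __name__ == "__main__":
    for f in audit_arp(SAMPLE_SHOW_IP_ARP, {"Vlan1": "192.168.1.0/24"}):
        who = f["answered_by"] or "an address not seen on this subnet"
        print(f"{f['ip']} learned on {f['interface']} is off-subnet; MAC {f['mac']} belongs to {who}")
```

On the sample both 192.168.2.x entries come back tagged with the gateway's address. A finding whose `answered_by` is `None`, i.e. a MAC that no on-subnet host owns, is the more interesting case, since then something other than the known gateway is answering.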

    silver peak sd-wan issue: ISP underlay tunnels fail and return in under 1 minute regularly.

    Posted: 31 Jan 2019 10:18 AM PST

    Been working with support for a while, and since they don't provide a community I thought I'd ask here.

    Starting with code 8.1.7.14 my ISP tunnels seem to fail regularly. They go down for less than a minute. I've monitored latency/ping and all are within acceptable values. Support is telling me it's a poor network, but this is occurring between 8 sites at different times, and there are no issues with internet access at the times the tunnels fail.

    Has anyone experienced this? Support had me change "Quiescent tunnel keep alive time" from 60 to 1 but that hasn't had any effect. I've been asked to change "Enable IPsec Anti-replay Window" to disable and as soon as I find that setting I'll change it.

    I've since upgraded to 8.1.7.15 but this issue has not improved.

    submitted by /u/brkdncr
    [link] [comments]

    Compatibility of Cisco DACs for Procurve / Aruba

    Posted: 31 Jan 2019 09:55 AM PST

    We are looking to deploy Procurve/Aruba Switches on our edge to replace misc ethernet switches, while leveraging our Cisco Nexus 3524's as a core.

    I know Cisco switches complain relentlessly about using non-Cisco SFP cables and GBICs so we'll probably get Cisco cables.

    I know they work between Nexus > our Servers and Storage

    But does anyone have experience using DACs between Cisco and Procurve/Aruba? We just want proof that they will work. (1 Gb/s and 10 Gb/s)

    submitted by /u/DarkAlman
    [link] [comments]

    Is this Network Structure feasible?

    Posted: 31 Jan 2019 08:00 AM PST

    I have inherited 6 sites that I manage under 1 organization. All sites have a SonicWall router. Site 1 is the datacenter where all services are hosted. All other sites make a PTP VPN connection back to the main office. Each site has its own LAN subnet, a few 192.168/24 and a few 172.16/12. Is it possible to reconfigure the sites so that each VPN connection is made over a 172.16/32 address and have 10.x.0.0/16 VLANs that span every site? If I had direct connections it would be cake, but I've never had to work with a scenario like this before. Here is a Packet Tracer diagram of what I'm trying to accomplish: https://imgur.com/s9JAr8q The top middle router is "The Internet".

    submitted by /u/AndyDrew23
    [link] [comments]

    Need advice for firewall for small business.

    Posted: 31 Jan 2019 07:55 AM PST

    Hello,

    I manage a psychological clinic, and we have two locations. I need to upgrade my firewalls in both locations. Our main location has 20 offices, and the satellite location has 6. We have VoIP phones, and use a shared network drive. I'm not incredibly knowledgeable in the whole networking department, so here are my main questions.

    1. What hardware should I be thinking about? I know that I need VPN, VoIP and it needs to be PCI compliant.
    2. Will I need more than just a firewall (e.g. switch/router) for each location? (The main location has a wifi router and a switch in addition to our old firewall.)
    3. Does it make sense to buy the same firewall for both locations? (We do plan to expand our second location in the next 2-3 years.)
    4. I see that many of the options recommend/require a yearly license. Do I need this or can I have adequate protection with hardware only?

    Thank you for taking the time to help with this. I have been reading other threads that are along these lines, but most of the conversations are over my head. I am currently trying to learn all I can, while still actually doing my job of managing the clinic.

    submitted by /u/s0b3k111
    [link] [comments]

    Best practice for a DMZ for SME? Is a VLAN with tight ACL good enough?

    Posted: 31 Jan 2019 06:08 AM PST

    Just curious what the best practices are for a DMZ for an SME who might be short on cash? In the past I've gone full segregated network with a separate physical server/host and air gapped networking infrastructure for externally facing devices.

    Looking at an SME who doesn't really have the money nor resources to do this, so I'm thinking about how to go about making it cost effective but still secure.

    One option is thinking about configuring a separate on the firewall and assigning it to a dedicated "DMZ" port, then having this port patched into the host on a separate NIC which only the VMs in the DMZ can use. Then just using firewall rules to set what can and can't talk between the networks. This is one option although I'm not sure this is scalable if they have more hosts. I wouldn't want to use 2 or 3 ports on the firewall!

    Other option is just to create a DMZ VLAN on the firewall and have that going through the existing network infrastructure with ACL / no routing to stop that VLAN talking to anything else, then just tagging it on the trunk to the host and creating a new DMZ virtual switch just for that VLAN to allow only the externally facing machines. Anything wrong with this if option one isn't a goer? Ideally I'd like to keep it completely separate, but is running it over the main network on its own VLAN secure enough for an SME?

    submitted by /u/Izual_Rebirth
    [link] [comments]

    Cisco SSL VPN steps for connection

    Posted: 31 Jan 2019 05:57 AM PST

    I'm working on a non-working Cisco SSL VPN connection. This is an item that was not working before I started into the role I'm in.

    The setup is Cisco ASA 5510 with Cisco AnyConnect being used on the outside.

    I can connect to the VPN and then am prompted with a certificate error window. I accept the self-signed certificate error. Then I receive two error messages in the message history of the AnyConnect client:

    "No Valid Certificates available for authentication"

    "Connection attempt has failed"

    I was curious if I can generate a new SSL key then change the SSL VPN trust-point to point to the newer cert. As I have no idea when or what actually broke/failed. I'm only told the VPN used to work fine.

    Ideally, I would like to know the steps for how the ASA processes the SSL VPN connection. Knowing that would allow me to really understand how it all works and where the failure could be happening.

    Any ideas?

    Thanks,

    Matt

    submitted by /u/WhiteKnight976
    [link] [comments]
