Rant Wednesday! Networking |
- Rant Wednesday!
- Anyone interested in a BGP-based ad/tracking blacklist?
- How to mount a switch by yourself
- A different motivation for using IPv6
- OSPF questions
- Troubleshooting SSL VPN remote access over a SonicWall, connecting to a network behind a Sophos firewall
- JunOS Bandwidth Rate Limiting
- Is it weird? I can see light coming from MM optics
- Alternative to policy based routing on a Dell Powerconnect 6248?
- Visualization map of data transfer between networks
- Issue with my DMZ configuration
- Juniper QoS and SCCM
- C9300 and Fast Software Upgrades - Anyone try this yet?
- IP/ASN Portability?
- All setup ... and no communication
- Can someone explain how trunking in HP CLI works?
- Cisco Nexus recommendations for iSCSI (SFP+)
- Fortigate firewall appears to not be following standard Aggregate hashing
- FN410s headdesking
- For those that have done/are doing this: How do you manage a full time job and studying for a new cert?
- Unable to access managed switch
- Networking gear without expensive licenses and updates?
- Has anyone on here successfully set up flows from a Cisco switch to use for bandwidth monitoring in QRadar?
- Guest WiFi isolation and multicast?
- DMZ Design Discussion
- Creating my own routing protocol
| Posted: 29 Jan 2019 04:04 PM PST It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related. There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves! [link] [comments]  |
| Anyone interested in a BGP-based ad/tracking blacklist? Posted: 29 Jan 2019 05:47 AM PST I've been looking into doing a Pi Hole, but I also like handling my own recursive resolution when I had the idea to just resolve those blacklisted domains on a daily basis, build a list of /32s and /128s, then peer my firewall with a server to get the list of IPs and null route them. Does anything like this already exist or is there anyone who sees a use-case outside of home use that could be marketed or even just done as a public service? The really nice thing about this would be that it allows the end user to ignore whole blocks of these "announcements" as needed. It could also use communities to tag certain IPs based on what they are being listed for, EG, Facebook tracking, Google adsesne, known malicious endpoints, Microsoft telemetry (which some might want to leave on), etc. I know that this basically already exists with subscription based content filtering; $_dayjob runs Palo Alto firewalls with all the goodies enabled, but that requires a firewall and can't do all of that at line rate. Route based dynamic blacklists could be run as fast as the router can normally forward the traffic and on any platform that supports BGP. Edit: The answer appears to be "no". Thanks for the feedback! [link] [comments]  |
| How to mount a switch by yourself Posted: 29 Jan 2019 06:31 AM PST Hello, I've in the past had someone hold a Cisco switch, while I screwed it into the rack. I've also been in situations where I've had to mount the switch by myself, and its alway been a circus. Any tips on how to easily mount a switch by yourself? [link] [comments]  |
| A different motivation for using IPv6 Posted: 29 Jan 2019 06:17 AM PST There are a variety of reasons why someone might want to go with or without IPv6. One thing that we recently saw in IPv6 related projects is the "piece of mind" argument (more details on https://ungleich.ch/en-us/cms/blog/2019/01/24/free-your-mind-use-ipv6/) and surprisingly also stability. What do you think? Is piece of mind something that can "be sold" in an organisation to take the step towards IPv6? [link] [comments]  |
| Posted: 29 Jan 2019 01:14 PM PST Let's say we have area 0, 1 and 2. From my understanding, all areas must be connected to area 0, right ? In a case it's not possible to directly connect area 2 to area 0 and area 2 is connected to area 1, you could create a virtual link through area 1 to connect area 2 to 0, is that it ? Last question, if you have several areas (beside 0), you can't/should not connect them between each other ? Traffic should always pass area 0 to talk to another area, am I right ? Thanks [link] [comments]  |
| Posted: 29 Jan 2019 10:38 AM PST To preface, here's a diagram of what I have in place and what I'm trying to do: https://i.imgur.com/MeD93VX.png This is where I'm at currently: I can't ping anything else, access UNC shares, RDP, or contact other applications on different subnets from the central servers. I've been battling with this for a while, not sure what to do, until it occurred to me that there was probably an issue routing back from the Sophos to the 165.X.X.40 gateway, as the P-LAN interface IP on the SonicWall. So, I was finally able to get central to throw a static route in for me on the Sophos: https://i.imgur.com/cThhHWK.png My networking skills are not as sharp as they should be, so this is the point where I've been lost at for the last couple days. I thought that the route would see the 10.1.1.0/24 destination and route it over the 165.X.X.40 address, so the traffic could get back out to the SonicWall, and then over the WAN to the client. What am I missing or doing wrong that it's not working as is? Does this communication require a new firewall rule? And also, why can I ping the production LAN IP (165.X.X.1) when connected remotely, but nothing else? And why can SSL VPN communicate and authenticate against my DC on the P-LAN? [link] [comments]  |
| Posted: 29 Jan 2019 06:28 AM PST I work for a medium sized ISP and we are currently in the process of switching over to Juniper from Brocade. We currently use Ciena for most of our layer 2 devices at the customer premise, and rate limiting is fairly straight forward. For some locations, such as multi tenant buildings, we plan on using Juniper QFX switches. I have been asked to come up with a configuration to set/limit the bandwidth to the speed in which the customer pays. I came up with creating a policer, then using that policer in the firewall filter, applied to the virtual interface in which the customer will connect to. This seems to do the job when applied in inbound & outbound directions on the virtual interface, but I was told that using a policer is not the correct way of doing it. Any Help or suggestions on the correct way to limit bandwidth would be greatly appreciated. Everything I find online says to do it using a policer. firewall { } policer RateLimit_100Mb { if-exceeding { bandwidth-limit 105m; burst-size-limit 2m; } then discard; filter PrivateBlock100Mb { interface-specific; } term Policer { ---OUTPUT OMITTED---- then { policer RateLimit_100Mb; accept; } } term default { then accept; } unit 0 { family inet { filter { input PrivateBlock250Mb; output PrivateBlock250Mb; } address xxx.xxx.xxx.xxx/30; } } [link] [comments]  |
| Is it weird? I can see light coming from MM optics Posted: 29 Jan 2019 10:11 AM PST On 850nm MM optics I can see red light. Typical vision is up to 700nm, so I am wondering if there is some other light the SFPs are pushing out, or is it strictly 850nm? Was I bitten by a radioactive spider or is this normal see light out of MM optics? I tried both 1G and 10G optics from Cisco and FS and I can see red on both. [link] [comments]  |
| Alternative to policy based routing on a Dell Powerconnect 6248? Posted: 29 Jan 2019 04:10 PM PST Hi guys, I have been rebuilding my network recently when I came across an irritating issue with my slightly older core switch. I have set up multiple vlans on my core switch which then are routed into an edge transit vlan to get to the firewall. I am attempting to perform my inter-vlan routing on the firewall so that I can utilise stateful traffic filtering, as well as IPS and AV on some of the inter-vlan traffic. I have already set up OSPF between the firewall and the core in order to accomplish the dynamic routing. In order to achieve what I want here, without just applying all the vlans to the firewall and making my core a layer 2 switch, I will need to route all the traffic through the firewall using the edge transit vlan. This would be done using policy based routing and ACL based route maps to set the next hop, but this is where the issue arises. The major issue with this is that the Powerconnect 6248 switch does not support PBR. I have read that is *may* be possible to redirect traffic to a certain port of the 6248, however I have been unable to find any further information upon researching. If anyone has any ideas how this can be achieved short of buying a better core switch which supports PBR, any help would be greatly appreciated. [link] [comments]  |
| Visualization map of data transfer between networks Posted: 29 Jan 2019 03:45 PM PST Does anyone here know of a website that will show me the network path that internet traffic travels to get from one destination to another? For instance, if I send an email from San Francisco and I use AT&T as my ISP to someone in New York who uses Verizon as their ISP, I'd like to see what networks it travels over between the two cities. Is that possible? To be honest, I do not know what this is even called. I stumbled on "trace routing" but I'm not sure that's what I'm looking for. Specifically I'd like to know which specific network service providers are pushing my data. Thanks! [link] [comments]  |
| Issue with my DMZ configuration Posted: 29 Jan 2019 03:29 PM PST I am trying to configure a DMZ network for my WAP server. Currently I am running into an issue where my DMZ network (172.16.0.0/16) is not able to communicate with my internal lan network (10.10.0.0/24). However, I am able to ping from my internal network to my WAP server. In fact, I also allowed RDP protocol onto the IPV4 policies and it allows me to do a remote session onto the WAP server. The strange thing is that from the WAP server, I am able to ping the network interface (10.10.0.1) of my internal lan. Please see this screenshot of my IPV4 configuration. I understand that I don't need to have ping or rdp enabled, but currently I am just trying make sure the WAP server is able to communicate with my internal servers. My goal with the WAP server is to expose my current internal ADFS server to the public. As for the static route, it is configured with a destination to ALL using a SD-WAN config. I have setup a policy route where the DMZ goes directly out to my spectrum internet on WAN2. This allowed the WAP to be able to communicate with the Internet. [link] [comments]  |
| Posted: 29 Jan 2019 03:06 PM PST I'm not a network administrator. I touch about everything but networking. We use Juniper (Infoblox/ClearPass) network hardware. We have one large campus and a couple hundred branch offices connected by 10 Mbs WAN links which have SCCM Distribution Points on site. I'm trying to find some documentation or examples that I can pass to our network admins to explain how QoS needs to be configured to allow SCCM communication (Primary Server <> Distribution Point and Primary Server/Distribution Point <> Client PC) without impacting other business processes over the the WAN. Supposedly it is already configured to ensure core applications and Voice get the data they need, yet we are still taking both down when we ramp up distributions to Distribution Points and clients without BITS throttling enabled (which we really don't want to do because of the scheduling and various point to point limitations). [link] [comments]  |
| C9300 and Fast Software Upgrades - Anyone try this yet? Posted: 29 Jan 2019 11:10 AM PST Starting in 16.8.1a, FSU is supported to reduce the amount of data plane downtime during an IOS upgrade. Has anyone tried this out yet? The word is it'll cut downtime in half, but I haven't seen it in writing anywhere. Also looks like it doesn't work if there is a microcode update. I'm going to be testing soon but just curious to how the community feels about it. When Cisco patches their latest bug on the C9300 stacks - I'm sure many of us will be looking for faster upgrades if it works well. [link] [comments]  |
| Posted: 28 Jan 2019 11:40 PM PST We own a /21 and a /22 subnet issued by RIPE, we also have a public ASN that we use in the UK. The company is looking to join up its UK and USA networks at some point this year The question is can we announce a subset of our assigned range from a USA DC using the same ASN we use in the UK? Technically speaking I can't see it being an issue. We would peer with a tier 1 in USA with our public ASN and advertise a /24, and amend our advertisements in the UK to no longer advertise the /24 which is now in USA (wouldn't want to announce all from both locations as it could end up transiting our cross-atlantic connections). Are there any restrictions or regulations against doing this? [link] [comments]  |
| All setup ... and no communication Posted: 29 Jan 2019 02:40 PM PST I've been off and on working on this for probably a week or two and I just need to get it put to bed. So, here's what's going on. The Setup I've got a CISCO 2901 as the router The 2901 connects directly to port 24 on my core 2960 (this is a small satellite office) Port 12 on core is connected to port 12 on New for testing purposes. I am remote and have hands in the office during the day. I am connected to a laptop that has a console cable connected directly to new and I can access the core switch from anywhere via SSH. What's Not Working I am unable to even ping the New switch. I can't ping the gateway from the New switch and I cannot ping the New switch. Other than the console cable and the network cable from port 12 on Core to port 12 on New, there's nothing connected to New switch and it's not accessible without the console cable. The Configs Core New [link] [comments]  |
| Can someone explain how trunking in HP CLI works? Posted: 29 Jan 2019 08:23 AM PST First off I am a total noob at CLI in general so please don't kill me. I have an HP ProCurve 2810 and am trying to learn CLI. At the moment I'm playing around with VLANs/Trunking and am confused as to why I can't properly create/assign a trunk port. I created 4 VLANs and I want to assign port 1 as the "trunk" port.... How would I go about doing this on the HP switch? I'm having a hard time understanding what "tagged" and "untagged" means. I also want to restrict VLAN 30 from being able to communicate with other VLANs. Any help would be much appreciated VLAN 1: default - no assigned ports VLAN 10: Main - ports 1 through 6 VLAN 20: Wireless - Ports 7 through 12 VLAN 30: CCTV - ports 13 through 18 VLAN 40: Misc. - ports 19 through 24 [link] [comments]  |
| Cisco Nexus recommendations for iSCSI (SFP+) Posted: 29 Jan 2019 10:17 AM PST Looking for recommendations on the least expensive Cisco Nexus switches that have 48 SFP+ ports and enough buffer memory for iSCSI. L3 capability is not necessary. I'm familiar with the 92160's and was most likely going to go with those but I wasn't sure if any of the 3k series were a better option. [link] [comments]  |
| Fortigate firewall appears to not be following standard Aggregate hashing Posted: 28 Jan 2019 04:20 PM PST I am running into a peculiar issue. My setup: 9Ks are configured in VPC, there's a VPC port-channel going towards FW cluster. Static route towards FW IP. Firewalls are in Active-Passive pair, each one has LACP LAG towards the 9Ks (connected to both of them). They have static route towards VRRP VIP that lives on a VLAN off 9Ks. 9Ks also have BGP sessions with ISPs, receiving default routes and advertising my blocks. So far everything is fairly standard and works just fine. Here's when it gets interesting. Cloudflare's API (api.cloudflare.com) is being advertised via anycast and it just happens that ISP1 prefers to reach it in one of the colo locations, while ISP2 prefers to reach it in another colo location. This by itself should not be an issue, as I would expect that one TCP flow will follow one specific path and one API request would always talk to the same data center. Except that it doesn't happen. What I am seeing that in significant amount of cases (10%-50%) TCP handshake goes to Cisco9K-1, while following HTTP GET request gets sent to Cisco9K-2. It is ALWAYS the HTTP call that gets routed the wrong way, the SYN and ACK of TCP handshake are ALWAYS going to the same switch. This makes me believe that it's something on the Fortigate firewall that is trying to be smart and do some additional load-balancing based on the L7 (as from TCP standpoint the source/destination IPs and ports are identical). It happens despite of the different agg hashing settings on the port. Has anybody run into this? Any suggestions on how to fix it? I can definitely do some routing workarounds on the switches, but ideally I'd want to fix it on the offending device - the firewall. This is a very unique corner case that really shouldn't be affecting many people in the wild and until CloudFlare came into picture, I also didn't notice any issues. But still, would be nice for network devices to follow standard network practices... UPDATE: I have discovered that setting auto-asic-offload to disable for the rule that matches traffic in question completely resolves the issue. So my current suspicion is that ASIC has some other hashing algorithms compared to traffic going through CPU. Initial session setup is getting inspected in CPU and then communication is being forwarded to ASIC - and that's where I am seeing the issue. [link] [comments]  |
| Posted: 29 Jan 2019 09:26 AM PST I have 12 FN410s in PMUX mode that I'm trying to get to a consistent config. I've gotten most of it identical, but am having trouble with one last bit. PO127 is VLTi between two of them (they're in pairs of two). PO128 is uplink to the ToR (VDX 6470's). Some switches show: While others look like: In addition, some of them have an [link] [comments]  |
| Posted: 28 Jan 2019 07:30 PM PST As the title implies, I find myself really struggling with studying and working at the same time. I just recently took my first IT related job, and as I'm sure many/most of you can attest I'm really having to teach myself mostly everything. The "training" I get is very vague, if I receive any training at all. So between learning my new job and studying for my CCNA I seem to be having a hard time making any of the material I study stick. I have the pie in the sky dreams of building my own homelab and practicing and learning on my own...but I just can't see when I'll have the time to do it. Any advice and tips are welcome, even if it's "grit your teeth and bear it, we've all been there before." Thanks in advance to anyone that responds constructively, you are appreciated immensely. Edit: phrasing. [link] [comments]  |
| Unable to access managed switch Posted: 29 Jan 2019 11:31 AM PST This is probably something super simple but I'm unable to figure out and my googlefu is failing me. I have an Edgerouter-X and a SG300 Cisco managed switch. Edge Router: 192.168.1.1 Switch: 192.168.1.2 Everything is working except I'm unable to access the web interface of the switch unless the device is on the 192.168.1.x subnet. Any device regardless of vlan is able to hit the router web interface (192.168.1.1) as well as anything else on the 192.168.1.x subnet besides the switch. The edgerouter is doing the VLANs. I'm kind of stumped here and would appreciate any advice or hints in the right direction. This is a learning experience so I'm not asking to be bottle fed the answer. [link] [comments]  |
| Networking gear without expensive licenses and updates? Posted: 29 Jan 2019 05:15 AM PST We are looking for new networking gear without expensive licenses and supportcontracts for firmware updates. Specs: SFP+ (with minimal 4xQSFP+) or only QSFP+ ports VXLAN/BGP/VRRP With Juniper and Cisco you need to buy a license for VXLAN, BGP like $ 6000,- And also a valid support contract for downloading updates. Arista - No licenses, Paid updates Dell - No licenses, Free updates Mikrotik - No licenses, Free updates Juniper - Licenses and PAID updates Cisco - Licenses and PAID updates Brocade/ExtremeNetworks - - Licenses and PAID updates Which switching brands let you not pay for updates and expensive licenses? [link] [comments]  |
| Posted: 29 Jan 2019 08:52 AM PST Just getting started and trying to compile all the info I need for it. I gather I need to set up flows on my switch or router that I want to monitor but I need to find those instructions and then how to point QRadar at it. [link] [comments]  |
| Guest WiFi isolation and multicast? Posted: 29 Jan 2019 02:49 AM PST Hi all! How do you isolate your guest clients from one another and do you do anything special with multicast traffic on your guest wifi? Thanks. [link] [comments]  |
| Posted: 29 Jan 2019 07:25 AM PST Just looking to get some opinions here on DMZ's and default gateways etc. We normally do our DMZ segmentation on the firewall and push traffic all the way up. I have been reconsidering this after purchasing 10Gb gear and realizing what a bottle neck it is. Is it common to put an SVI on the switch with a VACL to control traffic? To be honest thats all we are really doing with the firewall anyway. We do not do any inspection on that traffic. As I think about it though I would still like the DMZ traffic to end up in the correct zone on the firewall which would probably require PBR on the switch to identify and route traffic accordingly. Anyways just wondering if anyone had some advice on how they like to do things. Thanks in advance. [link] [comments]  |
| Creating my own routing protocol Posted: 29 Jan 2019 08:08 AM PST Hi, I'd like to create my own routing protocol for my dissertation project. I think python is the easiest option for me. Now, the question to you guys, what software would be best to simulate my protocol in? GNS3? Also, I couldn't find any guides how to create my own routing protocol with python and/or on GNS3. Could anyone point me in the right direction? Cheers guys! [link] [comments]  |
| You are subscribed to email updates from Enterprise Networking news, blogs and discussion.. To stop receiving these emails, you may unsubscribe now. | Email delivery powered by Google |
| Google, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States | |
No comments:
Post a Comment