[Cisco] I wrote a script to easily convert DHCP leases to reservations (Networking)
- [Cisco] I wrote a script to easily convert DHCP leases to reservations
- IPSEC Tunnels, AWS VPCs, address overlap, and you
- PSA: Viasat is aggressively blacklisting Digitalocean IP addresses
- Does anyone have a semi technical contact at century link former Level3 network
- SecureCRT Beta now has support for Windows Local Shell (CMD and PowerShell)
- PuTTY Excel List Suggestions
- Little help requested about iptables
- general load balancer protocol resources?
- Malicious behaviour from our IP addresses used by a customer
- Confusion about F5 internal networking
- How to control broadcast/unicast/multicast in datacenter?
- Connection Limiting - Automated IP Prioritization
- Opinion on contract jobs
- Free: Unlicensed Meraki MX64 and MR18
- SUP-720 mpls is disabled but using 2048 cef routes
- I'm working to secure network devices to prevent ongoing intrusion attempts and need help understanding a couple syslog items.
- Trouble with Netgear GS752TP 48-port Smart-Managed Switch
- ISE default authorization policy with DACL.
- Should the client use the same signature method for 301 redirects
- What does a Layer 3 only network look like?
- Trying to setup 10G SFP From PC to Switch
- Troubleshooting layer 1 Cat5/Cat6 connectivity
- Netgear switch w/ VLAN static route issues
- Microsoft Teams QOS Feedback
[Cisco] I wrote a script to easily convert DHCP leases to reservations
Posted: 30 May 2019 09:48 AM PDT

Hey, everyone! As the title indicates, I wrote a Python script that allows you to easily convert a DHCP lease to a reservation on a Cisco IOS device. I created this script because the manual process of having to create an entirely new DHCP pool for a single host is a little inconvenient. The script is available on my GitHub page.

Here's how it works (formatting may look bad on mobile):

1. Open a command prompt/terminal and run cisco-dhcp-res.py
2. Enter the IP of the device hosting the DHCP pool and credentials to SSH to it.
3. Select the existing DHCP pool of the target lease to be converted.
   Note: This step of selecting the existing DHCP pool is to obtain settings (default-router, domain-name, DHCP options) that will be applied to the reservation pool.
4. Select a lease to convert from a list of current leases.

The script will then confirm the creation of your DHCP reservation. Please let me know what you think. I hope this is useful to at least one person :) Thanks!
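As an added illustration of what steps 3 and 4 amount to on the device (example code written here, not the poster's script), the functions below parse constructed "show ip dhcp binding" output and an existing pool's configuration, then emit the reservation pool that carries over the default-router, dns-server, domain-name and option lines. The sample data, the pool name RES-<ip> and the choice between client-identifier and hardware-address by identifier length are assumptions.

```python
import re

# Constructed "show ip dhcp binding" output from an IOS device (sample data, not from the post).
SHOW_BINDING = """\
IP address       Client-ID/              Lease expiration        Type
                 Hardware address/
                 User name
10.1.1.20        0100.1122.3344.55       May 31 2019 09:48 AM    Automatic
10.1.1.21        001a.2b3c.4d5e          May 31 2019 10:02 AM    Automatic
"""

# Constructed configuration of the existing pool the lease came from (step 3 of the post).
POOL_CONFIG = """\
ip dhcp pool LAN
 network 10.1.1.0 255.255.255.0
 default-router 10.1.1.1
 dns-server 10.1.1.2
 domain-name example.test
 option 150 ip 10.1.1.3
 lease 7
"""

# One binding line: IP, identifier, expiration text, binding type. Header lines do not match.
BINDING_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f.]+)\s+(.+?)\s+(Automatic|Manual|Static)$")

# Pool lines worth carrying into the reservation pool; network/lease are deliberately not copied.
CARRY_OVER = ("default-router", "dns-server", "domain-name", "option ")

def parse_bindings(text):
    """Map each leased IP to its Client-ID/hardware address as IOS prints it."""
    leases = {}
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            leases[m.group(1)] = m.group(2)
    return leases

def parse_pool(text):
    """Return (subnet mask from the network line, list of settings to carry over)."""
    mask, settings = None, []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("network "):
            mask = s.split()[2]
        elif s.startswith(CARRY_OVER):
            settings.append(s)
    return mask, settings

def reservation_config(ip, ident, mask, settings, pool_name=None):
    """Emit the IOS commands for a one-host reservation pool. IOS displays a DHCP
    client-identifier as 7 bytes (01 + MAC, 14 hex digits); 12 hex digits is a bare MAC."""
    digits = ident.replace(".", "")
    if len(digits) == 14:
        ident_line = f" client-identifier {ident}"
    elif len(digits) == 12:
        ident_line = f" hardware-address {ident}"
    else:
        raise ValueError(f"unexpected identifier {ident!r}")
    name = pool_name or f"RES-{ip}"  # pool naming convention is an assumption
    lines = [f"ip dhcp pool {name}", f" host {ip} {mask}", ident_line]
    lines += [f" {s}" for s in settings]
    return "\n".join(lines)

def convert(ip, binding_text=SHOW_BINDING, pool_text=POOL_CONFIG):
    """Steps 3 and 4 of the post in one call: look up the lease, reuse the pool's settings."""
    leases = parse_bindings(binding_text)
    if ip not in leases:
        raise KeyError(f"no current lease for {ip}")
    mask, settings = parse_pool(pool_text)
    return reservation_config(ip, leases[ip], mask, settings)
```

Calling convert("10.1.1.20") returns the reservation pool as text ready to paste into configuration mode; the lease line is intentionally left out because a host pool has no lease to renew.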
IPSEC Tunnels, AWS VPCs, address overlap, and you
Posted: 30 May 2019 01:51 PM PDT

Disclaimer: I've primarily worked on the systems side of the house and NOT networking. I don't claim to be a network admin. Just hoping to wrap my head around something, as my network admin hasn't really dealt with this situation either.

I'm at my wits' end trying to set up a tunnel configuration with a vendor's AWS customer gateway that we are using to perform SQL lookups against a host in our network. The vendor spit out a VPC IPSEC tunnel config to terminate at our edge firewall that we followed to the letter. Here is a link to our current setup -- IP addresses have been changed to protect the ignorant.

So the tunnel configuration looks something like:

Remote Tunnel Endpoint: 18.188.x.1
Local Tunnel Endpoint: 40.x.x.2
Endpoint 1: 10.18.12.0/25
Endpoint 2: 10.80.0.12/32 (SQL host only)

What complicates things is that this host is behind not one but TWO firewalls, because it is in an administrative network that is higher sec than the general user VLANs. The other big issue is that on our network we have an advertisement for 10.0.0.0/8, which overlaps with the private address space of the VPC, 10.18.12.0/25.

My question is: how do I go about this so that I can connect to the VPC from on-prem and vice versa? What needs to happen as far as static routes, NATs, and ACLs are concerned?
PSA: Viasat is aggressively blacklisting Digitalocean IP addresses
Posted: 29 May 2019 10:47 PM PDT

I just talked with the NOC at Viasat and confirmed that they block a huge amount of Digitalocean IP addresses due to malware. I don't think their normal support agents are even aware they have IP blacklists, so requests for unblocks have to be escalated to their security team. They seem to be blacklisting entire /24 subnets even if only some of the IPs are sending malicious traffic. I've found this to be the cause of many websites not working, including some of my own.

The best way I've come up with to test if Viasat is blacklisting an IP from a non-Viasat connection is to try and ping one of the core routers such as 64.125.54.230. Their blocking is also implemented in a very strange way: if you try and connect to a blocked IP address from a Viasat connection, every TCP port will accept your connection but do nothing other than accept whatever you write to it and eventually time out after no activity (I assume some box on Viasat's network is intercepting and responding to all TCP connections going to blacklisted IPs).
Does anyone have a semi-technical contact at CenturyLink (former Level3) network
Posted: 30 May 2019 01:51 PM PDT

I am in need of some help. I'm moving IP addresses between circuits. We have our own AS and we have our own (reallocated) prefixes. We just terminated an old circuit which had Level3 reallocated IP addresses tied to it. We are trying to get Level3 to tie them to the new circuit. Prefix-lists have been updated and the new circuit has been active for some time. For the life of me I cannot get anyone to tell me why tying addresses to the circuit is an outage event. We have been unable to schedule a change as a result. Now they are threatening to pull the reallocated addresses.

What is the change that ties the routes to the interface if we are BGP neighbors? Do they use high-preference static routes, or is it a backend database and they are misunderstanding the change? Or does anyone know someone internal I can have a 5 minute conversation with? Thanks in advance!
SecureCRT Beta now has support for Windows Local Shell (CMD and PowerShell)
Posted: 30 May 2019 07:23 AM PDT
PuTTY Excel List Suggestions
Posted: 30 May 2019 01:02 PM PDT

I'm just looking for suggestions, or to see what other people use to manage/organize their PuTTY connection list.

What I have: an Excel file that contains all the switches and routers, with their IP, hostname, IOS version, model number, building location number, what distro pair it belongs to, and whether it's an access, distro, or core switch. It's easy to sort and filter based on my needs. I can double-click the IP and it opens a PuTTY session to that switch's IP. The only problem is that sometimes Excel is slow, or it locks up/is hard to open other Excel files while that file is open.

Just seeing if people do something similar but with something else. I really like being able to see what model the switch is, where it's located and what it's running.
Little help requested about iptables
Posted: 30 May 2019 10:04 AM PDT

Had to repost here, the Linux forum apparently doesn't like you to ask for help ;)

So I'm changing a few things here, but here's my setup... I have a small embedded Linux SBC with two network interfaces. Neither is assigned an IP address; in fact they are bridged together. Here's where it gets funky... one side has a server on a subnet (these are changed from the real thing, btw) 192.168.1.x/24. The other side has a router on a subnet 172.16.1.x/24. The iptables rules are set up to allow only SNMP (161 and 162) and echo request/reply through, and it is working fine.

What I can't understand is how in the world the two subnets are talking to each other. I'm probably overlooking something easy, but I'm not that strong with iptables, and I'm wondering if the FORWARDING in that table from chain to chain is performing the "routing" function for me. I can't post the configuration; I know that would help. But other than creating a few user-defined chains, it seems pretty straightforward; I just don't know how these two subnets are talking to each other on a bridged connection. TIA
general load balancer protocol resources?
Posted: 30 May 2019 08:37 AM PDT

I have an interview coming up that may cover various load balancing approaches, so I'm looking for resources on general load balancing approaches... I don't need resources on proprietary protocols written by Cisco, et al.; I doubt any of that will come up. But in the 5 years or so that I've been working fairly regularly with (at least application) load balancers I've only ever seen two protocols: round-robin and uh... one other one that I cannot remember right now (but I think AWS classic LBs offer it, iirc). Anyway, if anyone has a link to a good primer on load balancing protocol _basics_ or load balancing best practices I'd appreciate it!

- imp
Malicious behaviour from our IP addresses used by a customer
Posted: 30 May 2019 01:32 PM PDT

We own a /21 and a /22. Depending on the services a customer takes, we will provide them with a slice to do with as they see fit. Recently one of our addresses, assigned to a customer, has been the source of repeated login attempts to a couple of routers used by our other customers. We've locked things down more by using ACLs, but I'm wondering who is ultimately responsible for this behaviour? Is it us as the legal owner of the address space, or the customer, as we have given them those addresses? We haven't assigned directly to the customer via RIPE, as, to be honest, the RIPE site kills me every time I log into it. Would we have recourse to pull these addresses from the customer if the activity continued?
Confusion about F5 internal networking
Posted: 30 May 2019 04:28 AM PDT

Hi All, I have some confusion around how the F5 BIG-IP software is making routing decisions internally. I hope r/networking can help alleviate this frustration.

I have a BIG-IP set up in HA - everything appeared to be working. I had created nodes, with health checks that passed, and pools with those nodes, with health checks that passed. I then created a virtual server referencing that pool and again the F5 health checks passed. However, if I tried to navigate to the IP of the virtual server I wouldn't get a web page response. I believe this is because I had no routes in "Network > Routes" and so it was taking the mgmt interface by default for the health checks. After adding routes, suddenly all the health checks fail (and I still cannot resolve the web page by virtual server IP).

Trying curl over management I get the correct HTML:

But again, I don't get the HTML if I try the internal interface:

I have both floating IPs and non-floating self-IPs on the "internal" and "external" VLANs. I have put a VM on the same subnet where the internal VLAN exists (and tagged its traffic in VMware) and from there I can ping/curl the web servers, so I don't think it is a "real" networking problem - it seems to be me not understanding how to get the F5 working. Of note, all the self-IPs I created on external/internal are pingable from my desktop, so again I think it's not a reconfiguration of the "real" networking in VMware/switches. I have followed documentation pretty closely but I think I must not be understanding how the F5 handles itself internally...

Any help or pointers or links to enlightening documentation is very much welcome! Cheers!
How to control broadcast/unicast/multicast in datacenter?
Posted: 30 May 2019 08:28 AM PDT

Folks, I need some guidance about how and what people use in the datacenter to control storms. Let me give my example: we have almost 180 Cisco Nexus 9K/3K/5K switches and all of the switches are configured in vPC. At present I have ~2500 physical servers/virtual servers in multiple VLANs (not a single L2 broadcast domain). At present we don't have any specific configuration on the switches to control any kind of storm (I am not sure if they are default ON). The following is the common configuration I have on all switch ports connected to hosts; you can see I don't have any kind of storm-control command at the interface level. (I am not sure what level I should use and what the best practice is.)

storm-control

- What are other folks using in the datacenter to monitor any kind of storm, or what methods to prevent or protect the network?
- How big can my L2 domain be in best practice? (For example, is 1000 hosts in a single L2 domain safe, or can it handle more than that?)
Connection Limiting - Automated IP Prioritization
Posted: 30 May 2019 12:00 PM PDT

We have 20 separate devices that have a concurrent user limit of 5 each. These devices do not have any type of administrative features that allow the management of incoming connections. Therefore the first 5 users to connect get in and could stay logged in indefinitely. We have over 40 users that need access to each device at different times, some with higher priority than others.

Our current solution: we implemented an ASA-5506 with separate rules/groups of IPs. One small group, say "Priority 1", contains a handful of high priority IPs. The rest of the users/IPs are in a second group, "Priority 2". If at a given time a device is full with 5 connections and someone from Priority 1 needs access, the second rule is disabled and one unlucky IP from the lower priority group is manually disconnected via console command to make room.

Is it possible to automate this in any way? Such as automatically disconnecting and temporarily blocking IP(s) from Priority 2 to allow users from Priority 1 to connect, and then automatically unblocking them once Priority 1 disconnects?
Opinion on contract jobs
Posted: 30 May 2019 11:55 AM PDT

Maybe my search skills aren't the best, but I was looking for the group's opinion on contract jobs. How do you view short term contracts, or those with a finite end, and their impact on your career? I tend to be a slow and steady person who prefers being a regular full time employee, but the ability to earn much more as a contractor is appealing. I know IT/networking is in demand in my area, but I am still concerned about how things would go in 11 months, how it would look on my resume, and how it would affect my professional contacts. Does anyone have insight they would like to share?
Free: Unlicensed Meraki MX64 and MR18
Posted: 30 May 2019 03:30 PM PDT

Hello: I got an MX64 security appliance and MR18 access point nearly 3 years ago for attending the webinar for each. Their license will expire in 90 days, so I decided to replace the equipment with stuff that has perpetual licenses. Rather than throw these things in the trash, I'd like to see if anyone wants them, whether for home or work. All you'd have to pay is the cost of shipping, plus $10 for my troubles. PM me if interested.
SUP-720 mpls is disabled but using 2048 cef routes
Posted: 30 May 2019 07:28 AM PDT

We're using a couple of 7600s with SUP-720 as border routers. I've noticed that MPLS is using 2048 route entries from the CEF table; MPLS is unconfigured, and there is no BGP VPN either. All labels are marked as drop:

I've been looking at how those entries were generated, and how to free them, without luck. How can I free those MPLS routes? How were they added to the CEF table?
I'm working to secure network devices to prevent ongoing intrusion attempts and need help understanding a couple syslog items.
Posted: 30 May 2019 02:32 PM PDT

Hi, I could use some help with figuring out a security issue I'm working on for a client. Please bear with me, as I'm no expert at networking. I'm still learning, especially the security side of things.

To keep a long story short, I discovered that there have been attempts to brute-force certain client modems. To counteract this, I created a whitelist of authorized IP addresses. I disabled ping, SSH/telnet, and web interface access if a source IP isn't on the whitelist. I tested this configuration and it appears to work. Non-authorized IP addresses cannot ping nor get to the login page.

However, I've got a concern about two items I am seeing in the syslog. I have posted two lines for you to look at. Items in brackets [ ] have been removed and replaced with a generic name for security purposes. The source IP addresses I'm seeing are from places like China. I'm concerned because I thought the ACL took care of unwanted intrusion attempts, so I'm trying to understand what I'm seeing here. Why are there packet drops and ICMP drops showing up in the log if none of the source IP addresses I'm seeing should have access because of the ACL? Are the devices I've pulled these example log items from still at risk?
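The two syslog lines the poster refers to are not reproduced on the page, so the example below (added here, not from the post) runs over constructed lines in the Cisco IOS %SEC-6-IPACCESSLOGP / IPACCESSLOGDP format, which is the format a "log" keyword on an IOS ACL entry produces; whether the poster's modems log in this format is an assumption. It sorts the entries the way a reviewer would: "denied" lines from non-whitelisted sources are the ACL discarding those attempts, which is the intended outcome, while a "permitted" line from a source outside the whitelist is the one thing that would mean the filter is not doing its job. The ACL name MGMT-ALLOW, the whitelist and the addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed IOS syslog lines (documentation address ranges, assumed ACL name MGMT-ALLOW).
SAMPLE_LOG = """\
May 30 14:02:11.101: %SEC-6-IPACCESSLOGP: list MGMT-ALLOW denied tcp 203.0.113.45(51234) -> 198.51.100.10(22), 1 packet
May 30 14:02:12.230: %SEC-6-IPACCESSLOGP: list MGMT-ALLOW denied tcp 203.0.113.45(51235) -> 198.51.100.10(23), 1 packet
May 30 14:02:40.004: %SEC-6-IPACCESSLOGDP: list MGMT-ALLOW denied icmp 203.0.113.45 -> 198.51.100.10 (8/0), 3 packets
May 30 14:03:05.512: %SEC-6-IPACCESSLOGP: list MGMT-ALLOW permitted tcp 192.0.2.8(40000) -> 198.51.100.10(22), 1 packet
May 30 14:05:00.777: %SEC-6-IPACCESSLOGP: list MGMT-ALLOW permitted tcp 203.0.113.99(4444) -> 198.51.100.10(80), 1 packet
"""

# Constructed whitelist: the only source that is supposed to reach the management services.
ALLOWLIST = {"192.0.2.8"}

# TCP/UDP entries carry (port) after each address; ICMP entries carry (type/code) after the pair.
LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<icmp>\d+/\d+)\))?, (?P<count>\d+) packets?"
)

def parse_acl_log(text):
    """Return one dict per ACL log entry; lines that are not ACL log messages are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            d["count"] = int(d["count"])
            events.append(d)
    return events

def summarize(events, allowlist=ALLOWLIST):
    """Denied entries are the ACL working: tally them per source so the attempt volume is visible.
    A permitted entry from a source outside the whitelist is the only finding that needs action."""
    denied = defaultdict(lambda: {"packets": 0, "services": set()})
    unexpected = []
    for e in events:
        svc = f"{e['proto']}/{e['dport']}" if e["dport"] else f"{e['proto']}/{e['icmp']}"
        if e["action"] == "denied":
            denied[e["src"]]["packets"] += e["count"]
            denied[e["src"]]["services"].add(svc)
        elif e["src"] not in allowlist:
            unexpected.append((e["src"], svc))
    report = {src: {"packets": v["packets"], "services": sorted(v["services"])}
              for src, v in denied.items()}
    return report, unexpected

if __name__ == "__main__":
    report, unexpected = summarize(parse_acl_log(SAMPLE_LOG))
    for src, info in report.items():
        print(f"denied {src}: {info['packets']} packets to {', '.join(info['services'])}")
    print("permitted from outside the whitelist:", unexpected or "none")
```

On the constructed input the denied tallies show 203.0.113.45 being refused on SSH, telnet and ICMP echo, and the final line is the kind of entry that would contradict the whitelist and deserve investigation.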
Trouble with Netgear GS752TP 48-port Smart-Managed Switch
Posted: 30 May 2019 02:15 PM PDT

Hi! I'm pretty new to networking and this is my first post here. I'm trying to help a friend out with a lab build for their business. He has a Netgear GS752TP 48-port Smart-Managed Switch I'm trying to configure, and the GUI is failing me utterly. Whenever I try to assign IP addresses to VLANs, the GUI freezes on me. If I try to restart the application, the switch is no longer recognized, and the only way to get it to recognize the device again is by factory resetting the switch. Google tells me that Netgear has locked the CLI on this model, so I can't try doing it manually, apparently. I'm hoping that I'm just making a dumb mistake somewhere and you folks will be able to set me straight. Thanks!
ISE default authorization policy with DACL.
Posted: 30 May 2019 05:25 AM PDT

Hello, networking. Hope I can get some insight from any ISE experts out there.

Currently we're running DOT1X with EAP-TLS and AD integration, and it is working just fine. One problem that we're having is with the last "default" rule under policy sets for authorization. For the default rule, with no condition, we configured a profile that has a DACL attached to it. The idea is that whenever there's a failure for any reason whatsoever, it'll hit the default rule and download the ACL. However, this isn't working. When a computer fails, it just says unauth with no access to the network; however, we'd like for it to have access to certain resources. Kind of like if a machine fails, it'll get a DACL with access to certain services only; those services offer remediation so they can successfully pass authentication.

We're already running C3PL with an event to put an ACL on the machine if it fails authentication; however, the problem is that we don't want to maintain ACLs scattered across hundreds of switches. If the systems team decides to add a new server or change an IP on an existing server (which they have before), then we'd have to go to every switch and update each ACL. This is why it's preferable to run it from ISE, where it can be updated and deployed to every switch at once.

Any insight or help would be greatly appreciated.
Should the client use the same signature method for 301 redirects
Posted: 30 May 2019 07:54 AM PDT

We have a customer who is using one of our REST services. The resource they are requesting has moved to a new location. We are responding with a 301 redirect, but when the client attempts to access the new location provided in the redirect response, they get an invalid authorization error. It was root-caused to be that the required signature method for the authorization is not being used when accessing the new location. The customer is arguing that we need to change our service since the request for their original resource is failing.

Is there any clear specification about how the HTTP client is expected to respond to the 301 redirect? Should they be using the same signature method for accessing the newly provided URL in the 301 redirect? I've been reading the specification, but it doesn't seem to be clear. Am I missing anything in the specification, or is there a defined industry standard best practice on how this is handled?
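A worked illustration of the failure described above, added here and not taken from the poster's service: the signing scheme (HMAC-SHA256 over the method and the request target, with a constructed shared key, host and paths) is an assumption standing in for whatever the real service requires. It shows why a signature bound to the original URL cannot verify on the redirected one, so a client that follows the 301 has to sign the new request rather than replay the Authorization value it computed for the old one.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

SECRET = b"constructed-shared-secret"  # assumption: key shared by client and service

def sign(method, url, key=SECRET):
    """Constructed signing scheme: HMAC-SHA256 over the method and the path+query, so the
    signature is bound to the exact URL being requested (not the poster's real scheme)."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return hmac.new(key, f"{method}\n{target}".encode(), hashlib.sha256).hexdigest()

# Constructed: resource paths that have moved and now answer with a 301.
MOVED = {"/v1/reports": "/v2/reports"}

def service(method, url, signature):
    """Stand-in for the REST service. Every request, including the one that follows the
    redirect, is verified against its own URL before anything else happens."""
    parts = urlsplit(url)
    if not hmac.compare_digest(signature, sign(method, url)):
        return 401, None
    if parts.path in MOVED:
        query = "?" + parts.query if parts.query else ""
        return 301, f"{parts.scheme}://{parts.netloc}{MOVED[parts.path]}{query}"
    return 200, None

def naive_client(method, url):
    """Follows the 301 but reuses the Authorization value computed for the original URL,
    which is the customer's behaviour in the post."""
    sig = sign(method, url)
    status, location = service(method, url, sig)
    if status == 301:
        status, _ = service(method, location, sig)
    return status

def resigning_client(method, url):
    """Treats the Location target as a new request and computes a fresh signature for it."""
    sig = sign(method, url)
    status, location = service(method, url, sig)
    if status == 301:
        status, _ = service(method, location, sign(method, location))
    return status
```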
What does a Layer 3 only network look like?
Posted: 30 May 2019 05:41 AM PDT

Is it just Layer 3 switches like Nexus and 65xxs that have IPs on every SVI, all running an IGP, for instance? What differs a "Layer 3 only" network from a Layer 2/3 network when it comes to deployment, exactly? To be clear, if I logged onto a random switch in a DC, what would be the giveaway that it's a Layer 3 only network?

I was having a meeting today and someone mentioned getting rid of STP and replacing it with MPLS to create a Layer 3 only network, and it got me thinking what exactly that would look like, since MAC addresses are clearly still in use for local node access.
Trying to set up 10G SFP From PC to Switch
Posted: 30 May 2019 11:41 AM PDT

Hi everyone. I have an HP Z800 with an Intel X520-DA2 trying to connect to my Cisco 2960-S 10G with a 17-05405-01 direct attach copper cable. I am having some issues; firstly, this SFP cable is only rated to 4G, which obviously is a limitation, but I want to see if I can get this to work before I buy a 10G cable.

The cable is detected on Windows in the Intel drivers: https://i.gyazo.com/e2a71ea9b62ef9d321bccdf26132e531.png

But the issue seems to be the switch. I already did

If anyone has any idea how to make the switch work with this setup please let me know! Thanks
Troubleshooting layer 1 Cat5/Cat6 connectivity
Posted: 30 May 2019 08:30 AM PDT

Hello folks, what are people using nowadays for equipment when testing layer 1 connectivity or certifying lines? Our team previously used this big honkin' Fluke DTX, but it has seen better days. Looking to invest in something new, just not sure what people are doing, since it has been 10 years since I've had to worry about this. I'd prefer to not have to walk around with this massive suitcase that the DTX came in!
Netgear switch w/ VLAN static route issues
Posted: 30 May 2019 05:43 AM PDT

Devices are:

Windows Laptop #1 has 192.168.1.254 as its gateway, while all other devices have 192.168.2.254. Laptop #2, the MacBook and the iPad are all connected to a MikroTik OmniTik AP on VLAN 2. Laptop #1 is connected to VLAN 1. The switch is a Netgear GS724T with the two following static VLAN routes:

My issue is that Windows Laptop #2 can ping both 192.168.1.254 and 192.168.1.1; however, the MacBook cannot ping either of these IPs. The iPad can't access 192.168.1.254 or Laptop #1 either. Laptop #1 can reach Laptop #2. Any ideas?
Microsoft Teams QOS Feedback
Posted: 30 May 2019 05:16 AM PDT

I created this QOS for Teams and need some feedback.

ip access-list extended TEAMS-PORTS
 20 permit udp any any range 50000 50059
 30 permit tcp any any range 50000 50059
 exit
class-map match-all TEAMS
 match access-group name TEAMS-PORTS
class-map match-all AUDIO
 match ip dscp ef
class-map match-all INTERACTIVE-VIDEO
 match ip dscp af41
class-map match-all APP-SHARE
 match ip dscp af21
class-map match-all BEST-EFFORT
 match ip dscp default
 exit
policy-map PER-DEVICE-TEAMS
 class TEAMS
  trust dscp
  exit
 class AUDIO
  set dscp ef
  exit
 class INTERACTIVE-VIDEO
  set dscp af41
  exit
 class APP-SHARE
  set dscp af21
  exit
 class BEST-EFFORT
  set dscp default

Interface configuration:

 service-policy input PER-DEVICE-TEAMS
You are subscribed to email updates from Enterprise Networking news, blogs and discussion.