
    Wednesday, July 31, 2019

    Palo Alto Networks - Global Protect Cloud Service (GPCS) - rebranded to Prisma Access Networking



    Palo Alto Networks - Global Protect Cloud Service (GPCS) - rebranded to Prisma Access

    Posted: 31 Jul 2019 11:12 AM PDT

    Did anyone try it? All I see is some Firewall As A Service (in the cloud) solution which does not give too much advantage for the big bucks that Palo Alto Networks is trying to charge. What is it for? (if I am missing the bigger picture)

    Any opinions? Greatly appreciated.

    submitted by /u/elnetworkdude

    Ubiquiti AirFiber 24 as a redundant ring

    Posted: 31 Jul 2019 11:45 AM PDT

    I am still fairly new to the networking world, so be gentle :)

    I manage the network (WAN/LAN/WLAN) for a large school district (75+ sites, 68k students, 7500k staff). My director wants to implement a redundant network using Ubiquiti Airfiber 24 wireless bridges in the case of fiber cuts. We are a growing city and this is happening more and more often.

    We are a Cisco shop, hub and spoke network (Core switch --> Campus 4500X --> 2960X stack in each IDF). I'm looking at route policies that leverage the production fiber connection, then flip to the AirFiber connection if the pair is cut and becomes unreachable, but I'm not 100% confident in my thought process. Something like this:

    interface Vlan100
     ip address X.X.X.X 255.255.255.254
     no ip redirects
     no ip unreachables
    !
    interface Vlan101
     ip address Y.Y.Y.Y 255.255.255.254
     no ip redirects
     no ip unreachables
    !
    interface GigabitEthernet1/1
     description Fiber
     switchport access vlan 100
     switchport mode access
     spanning-tree portfast
    !
    interface GigabitEthernet1/2
     description AirFiber
     switchport access vlan 101
     switchport mode access
     spanning-tree portfast
    !
    ip local policy route-map AirFiber
    ip route 0.0.0.0 0.0.0.0 X.X.X.X track 123
    ip route 0.0.0.0 0.0.0.0 Y.Y.Y.Y 254
    !
    route-map AirFiber permit 10
     match ip address 101
     set ip next-hop X.X.X.X

    Anyone have any experience with Airfiber deployment and configuration? What is best practice for configuring this with minimal downtime? Do you use L3 with alternate VLANs and IPs for Airfiber? Any help and suggestions are greatly appreciated.

    submitted by /u/BigTex1986

    Issues with VXLAN + live migration in Linux

    Posted: 31 Jul 2019 07:08 AM PDT

    Long post. Thanks in advance for reading!

    I have an all layer 3, ECMP underlay network with routing on the hosts. The hosts are Linux machines running Proxmox (qemu/kvm) and have vxlan interfaces defined, without any control plane - the bridge fdb table is statically populated with the other VTEP addresses. Each VXLAN interface is attached to a bridge (regular Linux bridges, not OVS), and VMs get attached to the bridges.

    When I live migrate a VM, it (mostly) loses its network connection. Here's what I've observed so far:

    • Pinging VMs attached to the same VXLAN, but living on different hosts, works intermittently. I get a reply for maybe 1/3-1/4 of the requests sent.

    • tcpdump on both hosts shows replies exiting the ping target just fine, but the migrated VM's host never seems to receive some of them.

    • The VM cannot ping the gateway at all. It never receives the ARP reply sent by the gateway. The gateway is also a member of the VXLAN, but what's different about it is that it's got 4x ECMP routes into the underlay rather than 2 like everything else, and it's a Fortigate.

    • On all hosts and the gateway, I've checked the bridge fdb table after the migration, and can confirm that the new host sent the gratuitous ARP, and all hosts know that MAC now lives on a new host.

    • For good measure, I've run captures on the old host as well, to make sure no traffic for the VM is still arriving there. There is none.

    • To keep a long story short, I discovered that forcing an OSPF change/route reconvergence on the network fixes it. Then, to dig into that a bit further, I did another migration, started a ping from the migrated VM to a VM on another host (B), and on host B, flushed the route cache (ip route flush cache). This cleared up the problem for all VMs on host B, but no other hosts - including the gateway.

    • We use keepalived to float VIPs between servers on different hosts with VRRP, and that works perfectly, never had an issue with it.

    Now, after digging a little, it seems like route caching was removed from the Linux kernel, I think in 3.6, so I'm not sure why flushing the route cache solves the problem. In any case, I'm extremely confused. Anyone here have ideas as to what's going on?

    Edit: One detail I left out: one of the two hosts I was using to migrate the VM back and forth has a bad NIC, and therefore none of the other hosts have ECMP routes to that one. I was thinking at one point, maybe it was related to ECMP hash tables being cached, but this wouldn't make sense as I get the same results on the host with no ECMP routes.

    submitted by /u/wingerd33

    802.1X handle Wi-Fi connection / EAP-TLS - Problem

    Posted: 31 Jul 2019 02:51 AM PDT

    I'm running EAP-TLS (RADIUS and certificate authentication) to handle Wi-Fi connections.
    Got it working in some offices over IPsec, but some do not.

    From a tcpdump I found that the NPS server is responding with a challenge.
    Once the client is sending a new request, it sends a duplicate request, which I believe may be the cause of my problem.

    Access-Request id=253
    Access-Challenge id=253
    Access-Request id=254
    Access-Request id=254, Duplicate Request

    Packet info
    Framed MTU: 1400

    I believe the packet with the certificate is getting chopped, but I have not been able to verify that it has been. I mean, the packet size on both ends of the VPN is the same.
    I'm not getting any ICMPs telling the firewall to lower the MTU.

    Firewall config on both ends:
    Fiber connection with static IP
    PMTU and DF are set to Clear.

    On the NPS server, I can't find any event in the Event Viewer about this.
    But if I check the NPS log text file, I find the entry and its correlating packets.

    Anyone got a good idea as to why this happens?

    submitted by /u/Zleeper95
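As an added example, not from the post above: this Python builds the RADIUS Access-Challenge that carries one EAP-TLS fragment sized to the Framed-MTU of 1400 seen in the capture, then checks whether the resulting IP datagram still fits a 1500-byte link once IPsec encapsulation is added. If it does not, the challenge is fragmented, a dropped fragment means the NAS never sees a reply, and the NAS retransmits (the "Duplicate Request" pattern). ESP_OVERHEAD, the 4096-byte TLS record length and the zeroed Message-Authenticator are assumptions for illustration.

```python
"""Size a RADIUS Access-Challenge carrying an EAP-TLS fragment (RFC 2865/3579/5216).
Added example; ESP_OVERHEAD is an assumed, illustrative figure."""
import struct
from typing import Optional

ACCESS_CHALLENGE = 11
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
EAP_MESSAGE_MAX_DATA = 253          # one-byte attribute length, minus the 2-byte header
IPV4_HEADER, UDP_HEADER = 20, 8
ESP_OVERHEAD = 58                   # assumed: outer IP header + ESP header/IV/trailer/ICV


def eap_tls_fragment(eap_id: int, tls_data: bytes, more: bool,
                     total_len: Optional[int] = None) -> bytes:
    """EAP-Request/EAP-TLS (type 13) with the L (length) and M (more) flag bits."""
    flags = 0x40 if more else 0x00
    body = b""
    if total_len is not None:       # first fragment announces the full TLS record length
        flags |= 0x80
        body = struct.pack("!I", total_len)
    payload = bytes([13, flags]) + body + tls_data
    return struct.pack("!BBH", 1, eap_id, 4 + len(payload)) + payload  # code 1 = Request


def access_challenge(pkt_id: int, eap_packet: bytes,
                     authenticator: bytes = bytes(16)) -> bytes:
    """Split the EAP packet into EAP-Message attributes of at most 253 data bytes.
    Message-Authenticator is zeroed here; a real server fills it with HMAC-MD5
    over the packet using the shared secret."""
    attrs = b""
    for off in range(0, len(eap_packet), EAP_MESSAGE_MAX_DATA):
        chunk = eap_packet[off:off + EAP_MESSAGE_MAX_DATA]
        attrs += struct.pack("!BB", EAP_MESSAGE, len(chunk) + 2) + chunk
    attrs += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", ACCESS_CHALLENGE, pkt_id, 20 + len(attrs))
    return header + authenticator + attrs


def ip_datagram_size(radius_pkt: bytes) -> int:
    """Bytes on the wire before any tunnel encapsulation (IPv4 + UDP + RADIUS)."""
    return IPV4_HEADER + UDP_HEADER + len(radius_pkt)


def fits(radius_pkt: bytes, link_mtu: int, tunnel_overhead: int = 0) -> bool:
    """True when the datagram plus tunnel overhead needs no IP fragmentation."""
    return ip_datagram_size(radius_pkt) + tunnel_overhead <= link_mtu


def challenge_for_framed_mtu(framed_mtu: int, eap_id: int = 1, pkt_id: int = 253) -> bytes:
    """Assume the server fills each EAP-TLS fragment up to the NAS's Framed-MTU."""
    tls_chunk = bytes(framed_mtu - 10)   # 4 EAP header + type + flags + 4-byte TLS length
    return access_challenge(pkt_id, eap_tls_fragment(eap_id, tls_chunk, True, 4096))


if __name__ == "__main__":
    pkt = challenge_for_framed_mtu(1400)  # Framed-MTU advertised in the capture above
    print("RADIUS bytes:", len(pkt), "IP datagram:", ip_datagram_size(pkt))
    print("fits plain 1500 link:", fits(pkt, 1500))
    print("fits 1500 link inside IPsec:", fits(pkt, 1500, ESP_OVERHEAD))
```

A 1400-byte EAP fragment yields a 1450-byte RADIUS packet and a 1478-byte datagram, which clears a plain 1500-byte link but not the same link with ESP overhead; lowering the Framed-MTU the NAS advertises shrinks every fragment accordingly.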

    VoIP/sip providers in the UK?

    Posted: 31 Jul 2019 12:39 PM PDT

    Our business is based on telephony, we dial out using various VoIP providers, making money off the difference in rates charged and the rate we charge.

    We currently use Verizon, Daisy, Tata, and Colt.

    Verizon give us the best rates but their setup is convoluted and a pain in the arse as we need IPsec tunnels for signalling, can't fail over between sites as SBC up has to be from a designated subnet assigned by Verizon etc.

    Any hidden gems out there we could take a look at? I'm not aware of the rates or commercials, but really want to move away from Verizon due to setup issues.

    submitted by /u/LittleWanger

    Software or services for captive portal

    Posted: 31 Jul 2019 03:14 PM PDT

    I have a lot of customers who are looking to collect social media, email, or some other info in exchange for their 'free wifi' in restaurants mostly (some deli or small shops too). I am fine with setting up captive portals on the technical / hardware / controller side of the house but these are small business owners who also are asking me about doing the captive portal side for them.

    I found Facebook stopped accepting vendors / partners on their wifi services and it seemed limited to only Facebook and, let's face it, not everyone has FB. So I've gotten some pricing from companies such as socialwifi.com for example and I'm shocked at the pricing... for basically collecting info into a database and giving it to each site's owner for marketing, they are charging at least $49/mo/site. If I have to spin up an AWS cloud server for this purpose, that's fine with me... I too would charge but build it into my hardware support costs and be more reasonable, but really I don't know if I want to manage yet another cloud service.

    Does anyone know any open source options for this or companies who could allow me to resell the services (i.e. sign up for a 10 site account and split it with 10 of my single site customers)?

    I know this is outside the super technical stuff I come here to keep an eye on regularly but it's related to networking so I'm hoping this is allowed. Thanks in advance!

    PS: Hardware is currently OpenMesh but I'm moving these customers to beta.altiwi.com which runs OpenWrt with a cloud controller, or I may go to another open source controller... I am sure I can make the hardware work for captive portal needs with whatever vendors or open source software can collect the data and keep it organized to run reports.

    submitted by /u/dblagbro

    Patch your SonicWalls NOW!

    Posted: 31 Jul 2019 03:59 PM PDT

    Setting up router with info from Isp help

    Posted: 31 Jul 2019 03:44 PM PDT

    Stuck setting up a router like this for the first time.

    ISP gave me the following:

    IP address

    Gateway

    Network mask

    DNS

    DNS secondary

    Am I missing something?

    If I'm understanding correctly, my WAN/outside interface would be the gateway address. I can get the usable range from the IP and mask. Now I get mixed up: the inside interface is the first IP in that range... and a default route of 0.0.0.0 0.0.0.0 to the gateway address?

    Apologies for the newbie question, thanks in advance for any help..

    submitted by /u/Deviathan

    Juniper Route Preference Best Practices

    Posted: 31 Jul 2019 03:40 PM PDT

    I come from the land of Cisco. I'm venturing into the land of Juniper. I've got two Juniper MX20 routers doing OSPF with the other devices in my network. These two routers are in an active/backup type setup. I've then got links to customers hanging off these two routers (eBGP). Basically, connecting my network to customers (extranet type setup). I've noticed that one router will redistribute all its BGP routes into OSPF and the other device will then favor these because in Juniper land OSPF is treated better than eBGP on the route preference/Admin Distance scale. As opposed to Cisco, which treats eBGP better than OSPF.

    There are 1000 ways to skin this cat. I don't know which way is the least headaches and best results. Also, what most people are doing in other places (so if someone new comes in, they understand).

    Is it, change the route preference on the routers so that eBGP is favored over OSPF? Or is it to create a policy so that any routes in my from-customers IP list, don't get accepted back into the routing table?

    submitted by /u/InternalCode

    Anyone delivering TV and data on same WAN port with Calix?

    Posted: 31 Jul 2019 03:30 PM PDT

    Our ISP is getting ready to offer TV service, switch GPON vendors, and the way we deliver service, all at the same time.

    We currently have 1000+ customers using Zhone 2726 routers and we are switching to a Calix solution. We will be running fiber into a 803G and delivering service to a customer's own router, or a 844E. This has been working great during initial testing with data.

    We have a data VLAN that goes to a local distribution router, and a TV VLAN that goes back to the central mini headend. The issue that we are running into is that we cannot deliver the TV VLAN and data VLAN to the same WAN port on the 844E. When setting this up on the 844G, you can just provision the TV VLAN on a different physical interface. Most of the Calix documentation is for using an MVR setup with a unicast and multicast VLAN for TV service, but this will not work for us as unicast and multicast are being delivered from a single interface on the MHE.

    My next step will be to work with double tagging actions to see if I can put my 2 service VLANs into a single VLAN, send it to the 844E, and untag it on separate physical interfaces. Does anyone have any experience setting up multiple service types to the same WAN port? I am not super committed to the way we are wanting to deliver the VLANs, but we will definitely be using the 803G to 844E setup.

    submitted by /u/sasquatchftw

    Option82 Tellabs 1000 Shelf

    Posted: 31 Jul 2019 02:34 PM PDT

    Does anyone know if Tellabs supports Option82 on the 1000 chassis? Thanks

    submitted by /u/newtelcodude

    Hypervisor bridged networking weird behavior for guests

    Posted: 31 Jul 2019 01:30 PM PDT

    I have a weird one that has reached the scope of my knowledge.

    tldr: The VMs can see the host and vice versa, but they cannot access anything outside of the bridge.

    OS: Centos 7 with KVM

    Role: Development machine. We've been using Xen for 10 years and are trying to transition to KVM.

    I have a hypervisor/host that is running a LAG configured for LACP. There are 2 active 1GbE connections pulled into the aggregate (p1p1 doesn't have a cable yet). This aggregate (team0) is a port on the bridge (kvmbr0). team0's JSON config dump:

    {
      "device": "team0",
      "link_watch": { "name": "ethtool" },
      "ports": { "em1": {}, "em2": {}, "p1p1": {} },
      "runner": {
        "fast_rate": true,
        "name": "lacp",
        "sys_prio": 255,
        "tx_balancer": { "name": "basic" },
        "tx_hash": [ "eth", "ipv4", "tcp" ]
      }
    }

    The bridge has hairpin disabled on all ports by default and STP enabled.

    kvmbr0    8000.842b2b4f2525    yes    team0
                                          vnet0
                                          vnet1

    There are two active guests with the above interfaces vnetX. The weird part here is that my host is completely operational and networking is not an issue. However, the guests can't seem to resolve with DNS. The servers are in a data center where I have little insight into switch configs other than I requested the appropriate switch ports being pulled into the aggregate, and teamdctl reports back active links. I have another hypervisor running Xen but with 10Gb links which works flawlessly with the same bridge and team configuration. I did a tcpdump on my bridge interface filtering for traffic from one of the guests and I can see ARP traffic from the guests but there is no response.

    Below is a dump from the guest pinging some other server outside my subnet (same behavior within the subnet as well).

    20:24:12.314988 ARP, Request who-has rci-colo-gw.<domain>.edu tell sandbox-2.<domain>.edu, length 28
    20:24:13.316998 ARP, Request who-has rci-colo-gw.<domain>.edu tell sandbox-2.<domain>.edu, length 28
    20:24:16.319140 ARP, Request who-has rci-colo-gw.<domain>.edu tell sandbox-2.<domain>.edu, length 28

    I am at a loss here. Suggestions for debugging would be greatly appreciated.

    The weird part is this same configuration worked for a little bit until I rebooted the host!

    I've verified IPs and all that.

    Both guests are using the rtl8139 for their virtual network interfaces.

    submitted by /u/DirtMiles

    Out of Order packets GTT East coast?

    Posted: 31 Jul 2019 01:10 PM PDT

    Anyone having issues with intermittent out of order packets with GTT East coast to West coast traffic? This has been an ongoing issue for us for a couple years. We've narrowed it down to when LSP changes to a different path and then the problem starts. Move to a different path and it goes away. GTT can't narrow down the cause though. This traffic comes from the New England region to the western U.S. Was wondering if anyone else experiences this. This is UDP MPEG TSoIP video traffic.

    Edit: Layer 2 service

    Current primary suspect = BCP128.

    submitted by /u/LarrBearLV

    N93180YC-EX BIOS update

    Posted: 31 Jul 2019 06:34 AM PDT

    I've got a pair of Nexus 93180YC-EX switches which I was trying to update to nxos.7.0.3.I7.6 but I've held off because one of them is saying it isn't going to install the bios update as a part of the patch like the other is, even though they're currently on the same version.

    Can anyone explain this?

    Switch 1:

    Module  Image  Running-Version(pri:alt)               New-Version         Upg-Required
    1       nxos   7.0(3)I5(1)                            7.0(3)I7(6)         yes
    1       bios   v07.59(08/26/2016):v07.56(06/08/2016)  v07.65(09/04/2018)  yes
    101     fexth  7.0(3)I5(1)                            7.0(3)I7(6)         yes

    Switch 2:

    Module  Image  Running-Version(pri:alt)               New-Version         Upg-Required
    1       nxos   7.0(3)I5(2)                            7.0(3)I7(6)         yes
    1       bios   v07.59(08/26/2016):v07.56(06/08/2016)  v07.59(08/26/2016)  no
    101     fexth  7.0(3)I5(2)                            7.0(3)I7(6)         yes

    EDIT: It's a bug. Thanks to /u/isolated_isotope, not TAC, for the pointer.

    submitted by /u/jasonlitka

    Get ip from ip helper on cisco interface?

    Posted: 31 Jul 2019 06:28 AM PDT

    Is it possible to somehow get an IP address on an interface from a DHCP server that is the ip-helper on the same router?

    Eg:
    interface Lo100
    ip address dhcp

    interface fa0
    ip address 10.10.10.1
    ip helper-address 20.20.20.1

    Could I some way get interface lo100 to send its DHCP-requests to 20.20.20.1 ?

    submitted by /u/igigogog

    NSX over EVPN VXLAN

    Posted: 31 Jul 2019 04:02 AM PDT

    Has anyone seen or have any experience running an NSX deployment over the top of an existing BGP EVPN VXLAN fabric? I am working on a project where the network team already runs VXLAN on Nexus 9k and the compute team wants to deploy NSX. I don't think they are necessarily wanting the overlays but they want micro-segmentation.

    I'd love to hear any comments!

    submitted by /u/bbqluke

    Firewall as gateway

    Posted: 31 Jul 2019 11:26 AM PDT

    Hello everyone,

    When is it ideal to use a firewall as a default gateway for a VLAN (users)? I'm starting a project where the current setup is that there is an ACL on a switch that is controlling access into/out of a VLAN. I will be replacing this access control with an ASA.

    Should I have the users use the firewall as the gateway, or should I keep it as the SVI/VRRP address on the switch?

    Thanks

    submitted by /u/mpmoore69

    Azure Express Route considerations

    Posted: 31 Jul 2019 12:12 AM PDT

    Hi peers,

    We currently have an office in Amsterdam that has a fiber connection to a datacenter (ELAN 1GB link). The datacenter runs ESX clusters VMs.

    We also have a couple of regional offices (ASIA, US, Europe).

    The regional offices all have a DMVPN router; there is also a DMVPN router in our Dutch office and one in the DC running the VMs. So we have an Internet & I-WAN site-to-site type of network with regional link speeds of 100Mbps for the most part. It works well for us.

    All client VLANs are replicated with EIGRP so all client VLANs can access each other and can also access the servers running in the Dutch DC.

    Since the Dutch ESX cluster is shrinking in size and getting old, we want to migrate the VMs (around 40 VMs) to Azure and terminate our DC agreement and close the ELAN connection.

    I have contacted a network provider that can offer us a fiber 1Gb port and quoted us for Express Route at different bandwidths (100Mb, 200, 500, 1GB, ...). They don't offer BGP or NAT as a managed service so we'll need help from network advisors with that. I am not a network engineer so I am just busy now trying to compare the price involved with keeping stuff on-premises or running in Azure. This is really preliminary work and I understand that I need to work with network professionals, but for this reason I want to do some homework beforehand so I ask the correct questions.

    • Since Express Route offers site-to-site topologies I was wondering if there would be any gotchas setting up an Express Route link directly from our Amsterdam office to Azure and having regional offices reach Azure via the DMVPN network via our Dutch office, then via Express Route...? It's very low traffic anyway; we have an accounting application that 1 or 2 colleagues access with a VPN client, connect to a VM in Amsterdam via RDP, then run the accounting client on that VM. We are a small shop (15 people in Amsterdam, regional offices from 5 to 30 people in our biggest office in Asia). Occasionally some people in Asia or the US require access to a file server VM but that's about it.

    • I saw an option for Express Route Premium but I cannot wrap my head around the design implementation for improving regional access (in Asia for instance). Moving forward, if we want to build VMs in Asia for our Asian colleagues we may want to get Express Route links in Asia too; how does it play out with Premium, do we get Premium on our Europe link so we can extend our regional presence, or do we need ER links for each region we want to work with in Azure?

    EDIT: they don't offer BGP as a managed service.

    submitted by /u/ydamihd

    Software for branch management

    Posted: 31 Jul 2019 08:50 AM PDT

    Hello,

    I'm looking for some software to manage all information about branches and HQ for my company. Currently all info is stored in xls files but it's super ineffective.

    I've started thinking about CRM solutions (SuiteCRM or similar) but maybe someone has a better solution.

    Information I want to manage:

    • location (address),
    • IP addressing,
    • installed devices (router and #, switches and #, AP and #...),
    • internet circuits ID and bandwidth,
    • some specific info like number of branch or local director,
    • maybe integration with monitoring solution (SolarWinds) like link to device

    submitted by /u/pietrucha92

    nxlogs - netflow to syslogs

    Posted: 30 Jul 2019 06:04 PM PDT

    Hi All,

    Just looking for some help to convert NetFlow logs from an edge (SD-WAN device) to syslog and send them to the SIEM.

    I am currently using nxlog enterprise trial but happy to explore other options.

    Any help to achieve this:

    <Extension netflow>
        Module      xm_netflow
    </Extension>

    <Extension json>
        Module      xm_json
    </Extension>

    <Input udpin>
        Module      im_udp
        Host        hostip
        Port        2055
        InputType   netflow
    </Input>

    <Output out>
        Module      om_file
        File        "c:\\temp\\netflow.log"
        Exec        to_json();
    </Output>

    <Route nf>
        Path        udpin => out
    </Route>

    submitted by /u/supportfreak
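As an added example, not from the post above and not nxlog code: this standard-library Python decodes a NetFlow v5 export the way the im_udp/xm_netflow input would receive it on port 2055 and turns each flow record into one RFC 5424 syslog line ready for a SIEM. The two-record datagram, the exporter name edge-sdwan-1 and the SIEM host in forward() are constructed placeholders.

```python
"""NetFlow v5 datagram -> RFC 5424 syslog lines. Added example; sample data is constructed."""
import ipaddress
import socket
import struct
from datetime import datetime, timezone

# NetFlow v5 wire format: 24-byte header followed by `count` 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
FIELDS = ("src", "dst", "nexthop", "in_if", "out_if", "packets", "bytes",
          "first", "last", "sport", "dport", "_pad1", "tcp_flags", "proto",
          "tos", "src_as", "dst_as", "src_mask", "dst_mask", "_pad2")


def parse_netflow_v5(datagram: bytes) -> list:
    """Return one dict per flow record; raise ValueError on malformed input."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, _uptime, unix_secs, _nsecs, seq, _etype, _eid, _samp = \
        V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) < expected:
        raise ValueError(f"truncated datagram: {len(datagram)} < {expected} bytes")
    flows = []
    for i in range(count):
        raw = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(FIELDS, raw))
        for key in ("src", "dst", "nexthop"):
            rec[key] = str(ipaddress.IPv4Address(rec[key]))
        rec["export_time"] = unix_secs
        rec["flow_seq"] = seq + i        # header flow_sequence numbers the first record
        flows.append(rec)
    return flows


def to_syslog(flow: dict, exporter: str, app: str = "netflow") -> str:
    """RFC 5424 line; PRI 134 = local0.info; flow fields as key=value in MSG."""
    ts = datetime.fromtimestamp(flow["export_time"], tz=timezone.utc)
    msg = (f"src={flow['src']} sport={flow['sport']} dst={flow['dst']} dport={flow['dport']} "
           f"proto={flow['proto']} packets={flow['packets']} bytes={flow['bytes']} "
           f"in_if={flow['in_if']} out_if={flow['out_if']} tcp_flags=0x{flow['tcp_flags']:02x}")
    return f"<134>1 {ts.strftime('%Y-%m-%dT%H:%M:%SZ')} {exporter} {app} - {flow['flow_seq']} - {msg}"


def build_sample_datagram() -> bytes:
    """Constructed two-record export standing in for what the edge device would send."""
    def rec(src, dst, sport, dport, proto, pkts, octets, flags):
        return V5_RECORD.pack(int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)),
                              int(ipaddress.IPv4Address("10.0.0.1")), 1, 2, pkts, octets,
                              1000, 2000, sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)
    header = V5_HEADER.pack(5, 2, 123456, 1564606335, 0, 77, 0, 0, 0)
    return (header
            + rec("10.0.0.5", "203.0.113.10", 51514, 443, 6, 12, 4096, 0x1b)
            + rec("10.0.0.9", "198.51.100.53", 40021, 53, 17, 1, 76, 0))


def forward(lines, siem_host: str, siem_port: int = 514) -> None:
    """Send each line as a UDP syslog message to the SIEM (siem_host is a placeholder)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            sock.sendto(line.encode(), (siem_host, siem_port))


if __name__ == "__main__":
    for flow in parse_netflow_v5(build_sample_datagram()):
        print(to_syslog(flow, "edge-sdwan-1"))
```

Replacing build_sample_datagram() with a socket bound to UDP 2055 gives a minimal collector; the length checks matter because a truncated or non-v5 datagram would otherwise be decoded into garbage flow fields.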

    Best policy for traffic across leased fiber?

    Posted: 31 Jul 2019 08:08 AM PDT

    We are setting up our first branch office. There is going to be some consulting help on this, but I do not want to leave everything in the hands of them.

    - We are using a local Meraki switch to a remote Meraki switch over leased fiber. There will not be a firewall in the process. What is the best way to keep only the traffic that matters from crossing?

    - Should I block all workstations on the local VLAN from the remote VLAN?

    - Should I only block broadcast traffic?

    - I need some Active Directory traffic between servers, but I want the branch to use its local resources, not the main office.

    submitted by /u/donttrackme12345

    Cisco Switch PoE Problem

    Posted: 31 Jul 2019 07:39 AM PDT

    Recently, a user started complaining about his phone/PC intermittently dropping connections. The phone refused to power up with PoE, so it was attached to a power supply. A TDR test showed the last two pairs listed short/crosstalk. The cables in the switch room and user end were replaced, and the user's jack was repunched. The outcome didn't change.

    I decided to test the phone and PC separately. A TDR test showed that when connected to the computer, all pairs listed as normal. When connected to the phone without the power supply, all pairs were open. When connected to the phone with the power supply, the last two pairs were short/crosstalk. It didn't matter which type of Cisco phone or PC was tested, the results were the same.

    Has anybody come across this before, and can give a tip on where to go from here?

    submitted by /u/marsmat239
