Apple Thunderbolt Monitor kills network. Networking
- Apple Thunderbolt Monitor kills network.
- Is China's Great Firewall blocking more VPN-type traffic than usual? Possibly spreading to Hong Kong?
- Cisco's 6500/7600 is now not only EOL, but we're seeing lots of failures now and need to make a move...
- AWS Routing from EC2
- Cisco ISE FTE Support Estimates
- Captive Portal Detection Failures
- Firewall replacement, 3 locations, 30 users and few vlans - thoughts?
- Cisco 9410R - Stable release for IDF closet
- Anyone have experience with Extreme/enterasys management centre and wireless lan controllers
- NAT between VRFs on nxos
- stupid physical layer question before setting up dual router carp
- Cisco C3750G-48TS Temps
- Cisco ASA 5508-X Configuration. Issues With Launching ASDM
- Cisco ACL syntax checker
- What is difference between Misuse intrusion and Signature Based IDS?
- How to process packet that is destined for another host
- Dell s4148s / OS10 not saving VLAN config
- QUIC protocol
- Brocade two port trunk, one side has one port blocked
- Limiting Bandwidth being helpful?
- Unable to transfer boot image using SolarWinds TFTP
- How to connect remote office to data center through main office?
- Racking my brain (VPN Queries Juniper)
- How to confirm that voice VLAN is working - Juniper EX3400
Apple Thunderbolt Monitor kills network.
Posted: 01 Aug 2019 07:44 AM PDT
Been chasing these random network crashes for a bit now and finally got a good packet capture which led me to this article: https://discussions.apple.com/thread/6443650 This is exactly what was happening and matches the source MAC address too. We only have 4 of these expensive monitors and we've had them for years, so I'm not really sure why suddenly one or more was flooding. Just a random find in case anyone else has run into something similar.
Is China's Great Firewall blocking more VPN-type traffic than usual? Possibly spreading to Hong Kong?
Posted: 01 Aug 2019 01:37 PM PDT
Company is based in the US but we have an office in Hong Kong. Some of the Hong Kong staff travel back and forth to mainland China regularly. While working within mainland China, they were previously able to connect back to the HK office using L2TP client VPN and access our corporate resources in the US (SMB/file sharing, RDP/RemoteApp, etc.). This week it seems to have changed. They can still establish a client VPN connection to the HK office but are then unable to even ping any resources in the US office. A tracert to Google DNS from the VPN-connected client shows:

  1    <1 ms    <1 ms    <1 ms  (my equipment)
  2     *        2 ms     2 ms  10.12.5.9
  3     4 ms     3 ms     3 ms  tswc9250.netvigator.com [203.198.***.***]
  4     4 ms     4 ms     2 ms  63-217-17-53.static.pccwglobal.net [63.217.17.53]
  5     4 ms     3 ms     2 ms  72.14.209.186
  6     4 ms     4 ms     5 ms  108.170.241.33
  7     4 ms     2 ms     3 ms  108.170.238.133
  8     4 ms     4 ms     2 ms  dns.google [8.8.8.8]

What the hell is 10.12.5.9??? It's a private IP but isn't our networking equipment. Nmap intense scan on that IP shows:

PORT     STATE     SERVICE   VERSION
22/tcp   filtered  ssh
23/tcp   filtered  telnet
111/tcp  filtered  rpcbind
179/tcp  filtered  bgp
646/tcp  open      tcpwrapped

I usually see public IP hops after our networking equipment so this looks odd to me, and I'm wondering if that 10.12.5.9 hop is the Great Firewall or some kind of government proxy server? I'm probably way off but I'm trying to figure out what changed so I can give a decent explanation to the staff.
Cisco's 6500/7600 is now not only EOL, but we're seeing lots of failures now and need to make a move...
Posted: 01 Aug 2019 11:55 AM PDT
Just wondering who else is experiencing the same issues we are now. Recently we have lost a few modules that have been in service for a few years after purchasing on the used market. The latest issue we have is in two different chassis: after issuing reloads (thanks, 768k route update), we're getting this upon bootup on two WS-X6708-10G-3CXL modules, both dying less than a week apart:

*Aug 1 12:24:04.127 CDT: %ONLINE-SP-6-REGN_TIMER: Module 4, Proc. 0. Failed to bring online because of registration timer event
sm(cygnus_oir_bay slot4), running yes, state wait_til_online
Last transition recorded: (insert)-> may_be_occupied (timer)-> occupied (known)-> can_power_on (no_power)-> powered_off (operator_power_on)-> can_power_on (yes_power)-> powered_on (real_power_on)-> check_power_on (timer)-> check_power_on (power_on_ok)-> wait_til_online
*Aug 1 12:24:04.347 CDT: %C6KPWR-SP-4-DISABLED: power to module in slot 4 set off (Module Failed SCP dnld)

With that being said, it seems that these have had a good life, but perhaps it's truly ready to be replaced. Looking at others in the industry (colocation), where you're dealing with large distribution (several hundred ports in each datacenter pod actively in use) to a client base of mostly 1GbE clients, we're seeing more movement to end-of-row switches with an intelligent core, but ultimately it comes down to how to manage the network that we need to figure out. We do have clients peering with BGP and accepting full routes, so I'm leaning to something like Arista 7280 for the core (already there at the border) and then running a technology like VXLAN down to redundant end-of-row switches, maybe Arista 7160-48TC6 or similar, which gives flexibility to 100GbE uplinks and 40-100GbE potential to clients.
So my question to you guys and gals is, without making a move to a vendor that would have a substantially different interface/learning curve for a team that is mostly Cisco certified and experienced (I'm looking at you, Juniper), what would you suggest for this? I'd love to stick to a collapsed core design, running distribution routing and switching within one device with full routes and hundreds of ports, but it just doesn't seem feasible now.
AWS Routing from EC2
Posted: 31 Jul 2019 07:59 PM PDT
Hi guys. Just noticed that as of today, all of our EC2 instances are showing some very odd addresses when performing a traceroute to any of our data center's servers. As you can see, the CGNAT addresses at the top (100.xx.x.x) are what I have observed as new. Is this something Amazon does now or is this a cause for a ticket? Routing through a bunch of CGNAT seems very odd.
Cisco ISE FTE Support Estimates
Posted: 01 Aug 2019 08:07 AM PDT
Hi all. We have been doing some analysis between NAC solutions and have landed on ISE as our preferred solution. We are in the budgeting process for next year and in addition to the ISE licensing we are wanting to bake in some headcount costs to support the system. Wondering what everyone's real-world experience is with the appropriate number of staff to support an install. Here are some considerations to help compare scale:
1) ~22,000 LAN endpoints spread across 60 offices
2) ~1500 VPN endpoints
3) Would be enabling posture checking on VPN connections
4) Would be licensing Plus to allow for device profiling on LAN (i.e., expectation is we won't need to look at every device connecting but instead only review/approve outliers that don't fit defined profiles).
5) Quickly growing environment, fairly standard corporate hardware, but probably 100+ new devices at minimum added a month.
Let me know how you are comparably staffed to manage ISE in your world!
Captive Portal Detection Failures
Posted: 01 Aug 2019 01:18 PM PDT
I manage a BYOD campus network and we've noticed an increase in T1 tickets regarding getting to the portal. It's been increasing the past few months and we have a few portals, so it's not a single portal issue. We have a mix of Nomadix and some Linux gateways depending on the client count and inspection requirements; the issue is the same on both. Is this a MIM precaution newer devices are implementing, or are there URLs I should make sure aren't in my whitelist? I made sure the following URLs were not permitted for unauthorized devices.
Android Captive Portal Detection:
Apple iPhone, iPad with iOS 6 Captive Portal Detection:
Apple iPhone, iPad with iOS 7, 8, 9 and recent versions of OS X:
Windows:
This should be blocked, correct?
Firewall replacement, 3 locations, 30 users and few vlans - thoughts?
Posted: 01 Aug 2019 12:46 PM PDT
So I am looking to replace our physical firewall (Fortinet) that costs us too much. I was wondering if in fact a physical firewall was needed, as we won't use advanced security features and we don't use fancy options. Our setup is 1 main site with 20 users and 2 small remote branches with their local network (3 users each). We would like some site-to-site VPN between each branch and the main site, and there's a DMZ at the main site (+ a few VLANs for users and apps). I was thinking that a good router would probably do that at a lower cost than a physical firewall + the management service, but I might be wrong.
Cisco 9410R - Stable release for IDF closet
Posted: 01 Aug 2019 10:52 AM PDT
I'm a happy boy who just got 3 9410R chassis for that ISSU functionality. Looking to put these in place with the most stable current version for an IDF that will be supporting approx. 20 WAPs and approximately 200 printers/computers. Is there a command to write the file to the secondary supervisor and install it once I've obtained the stable release?
Anyone have experience with Extreme/enterasys management centre and wireless lan controllers
Posted: 01 Aug 2019 10:51 AM PDT
Hi all. I've recently moved from a Cisco house to an Enterasys/Extreme house and was wondering if anyone knows where I can find training material on EMC and more specifically NAC and policy. Much appreciated if anyone has any pointers.
NAT between VRFs on nxos
Posted: 01 Aug 2019 02:56 AM PDT
I need to NAT traffic between an IP range in one VRF to a single overload address in a different VRF on a Nexus switch. The config I'm using is roughly like this:
>>>>>>>>>>>>>>>>
The switch advertises only the 10.10.10.10/32 address via BGP to neighbour 1.1.1.2 on the other side of the e1/1 interface. The 1.1.1.2 neighbour advertises a range of addresses to the switch and these are leaked into the BBB VRF using route targets. The single null route is just used to get the 10.10.10.10 address into the routing table so it can be advertised by BGP. The aim is to get all traffic from LIST-BBB going out the e1/1 address to be NAT-ed as 10.10.10.10/32. I can't seem to get this config to work. I initiate connections from the inside but can't see any translations happening. Any ideas where I might be going wrong? When I enter "ip nat inside source list LIST-BBB pool AAA overload" there is no option to specify VRF.
stupid physical layer question before setting up dual router carp
Posted: 01 Aug 2019 10:24 AM PDT
Currently, I have one cable modem (and a /28 public) and a pair of pfSense routers. I'd like to set up CARP. Here is the stupid question: cable modem to the pair of routers: is it really good practice to slap a 4-port switch here? Or is there something better I should be doing? I could use a couple of ports on one of the managed switches and set another VLAN up, but this doesn't feel right. My eventual goal is to get a second ISP and have redundancy, but it'll be a while on this. Thanks!
Cisco C3750G-48TS Temps
Posted: 01 Aug 2019 06:38 AM PDT
I have a spare 3750G running in a closet without A/C offsite. Maintenance sounds like they don't want to put A/C in, so I am left with how it is. The temps on the device are fairly stable at 46C. I know through the info sheet on the switch that its max workload temp is 45C. My question is, should I be worried about the temps long term over the threshold by just a bit? Thanks!
Cisco ASA 5508-X Configuration. Issues With Launching ASDM
Posted: 01 Aug 2019 10:02 AM PDT
This is my current configuration file for my new ASA 5508-X. I can't seem to get to the ASDM site to download and install ASDM. I have the ASA 5508 connected directly to my laptop and a local network set up as: IP ADDRESS: 10.0.0.1, SUBNET MASK: 255.255.255.0, GATEWAY: 10.0.0.5. I see that I have the boot image and ASDM image on disk0. What can I be missing? Thanks,

ASA Version 9.5(1)
!
hostname -ASA5508-X
enable password NuLKvvWGg.x9HEKO encrypted
passwd NuLKvvWGg.x9HEKO encrypted
names
!
interface GigabitEthernet1/1
 description FiOS
 nameif outside
 security-level 0
 ip address 71.127.146.146 255.255.255.0
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 nameif Management
 security-level 100
 ip address 10.0.0.12 255.255.255.0
!
boot system disk0:/asa951-1fbff-k8.SPA
boot system disk0:/disk0:/asa951-lfbff-k8.SPA
boot system disk0:/asa951-lfbff-k8.SPA
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-751.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (any,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
route outside 0.0.0.0 0.0.0.0 172.95.15.2 1
route inside 172.15.10.0 255.255.255.0 192.168.0.253 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 2
no ssh stricthostkeycheck
ssh 71.127.146.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.1.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username admin password Ynj9/UraO5bLRYvg encrypted privilege 15
username Cisco password BFCU0P/1fcmdPi9W encrypted
username ciscoadmin password hC8MgdDLCv8NXZ7D encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:8232db09013516245cff6416ec354449
Cisco ACL syntax checker
Posted: 01 Aug 2019 09:49 AM PDT
I am looking for a tool that can syntax check an ACL. We are currently using the following and it has been very robust for IPv4 ACLs: https://github.com/vladak/aclcheck However, this tool isn't nearly as mature for IPv6 ACLs and it is not under active development. Thought I'd put it out there: does anyone know of an ACL syntax checker?
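As an added example (not the poster's tool and not aclcheck), a small Python lint for an assumed subset of IOS-style IPv6 ACL syntax: it validates protocol keywords, IPv6 prefixes and host addresses via the standard `ipaddress` module, and port operators, and reports the line and fault for each bad entry. The accepted keyword set and the sample ACL are assumptions, not taken from any device.

```python
"""Lint IOS-style IPv6 ACL entries (added example; assumed syntax subset).
Catches the typos a device would reject before the paste into config mode."""
import ipaddress

PROTOCOLS = {"ipv6", "tcp", "udp", "icmp", "esp", "ahp", "sctp"}
PORT_OPS = {"eq", "neq", "lt", "gt", "range"}   # 'range' takes two ports
WITH_PORTS = {"tcp", "udp", "sctp"}
TRAILING = {"log", "log-input", "established"}   # keywords allowed at the end


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]: any | host ADDR | PREFIX/LEN."""
    tok = tokens[i]
    if tok == "any":
        return i + 1
    if tok == "host":
        ipaddress.IPv6Address(tokens[i + 1])        # raises ValueError if bad
        return i + 2
    if "/" not in tok:
        raise ValueError(f"expected any|host|prefix/len, got {tok!r}")
    ipaddress.IPv6Network(tok, strict=False)        # raises ValueError if bad
    return i + 1


def _parse_ports(tokens, i):
    """Consume an optional port operator: eq 443, range 8080 8081, ..."""
    if i >= len(tokens) or tokens[i] not in PORT_OPS:
        return i
    need = 2 if tokens[i] == "range" else 1
    ports = tokens[i + 1:i + 1 + need]
    if len(ports) != need:
        raise ValueError(f"'{tokens[i]}' needs {need} port(s)")
    for p in ports:                                  # number or service name
        if not (p.isalpha() or (p.isdigit() and int(p) <= 65535)):
            raise ValueError(f"bad port {p!r}")
    return i + 1 + need


def check_ace(line):
    """Return None if the entry looks valid, else a message naming the fault."""
    tokens = line.split()
    if not tokens or tokens[0] in ("remark", "!"):
        return None                                  # comments pass through
    i = 2 if tokens[0] == "sequence" else 0          # skip 'sequence N'
    try:
        if tokens[i] not in ("permit", "deny"):
            raise ValueError(f"expected permit|deny, got {tokens[i]!r}")
        proto = tokens[i + 1]
        if proto not in PROTOCOLS:
            raise ValueError(f"unknown protocol {proto!r}")
        i = _parse_addr(tokens, i + 2)               # source
        i = _parse_ports(tokens, i) if proto in WITH_PORTS else i
        i = _parse_addr(tokens, i)                   # destination
        i = _parse_ports(tokens, i) if proto in WITH_PORTS else i
        extra = set(tokens[i:]) - TRAILING
        if extra:
            raise ValueError(f"unexpected trailing tokens {sorted(extra)}")
    except IndexError:
        return "line is truncated"
    except ValueError as e:
        return str(e)
    return None


def check_acl(text):
    """Lint every line of an ACL body; return [(line_no, message), ...]."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        msg = check_ace(line.strip())
        if msg:
            problems.append((n, msg))
    return problems


# Constructed sample (not from any real device) with two planted faults.
SAMPLE_ACL = """\
remark allow web from the DMZ block
permit tcp 2001:db8:10::/48 any eq 443
permit tcp host 2001:db8::1 any range 8080 8081 log
deny tcp 2001:db8:20::/48 any eq 99999
permit udp 2001:db8::zz/64 any eq 53
deny ipv6 any any log
"""
```

Running `check_acl(SAMPLE_ACL)` reports lines 4 and 5; extend `TRAILING` and `PROTOCOLS` to match the keywords your platform actually accepts.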
What is difference between Misuse intrusion and Signature Based IDS?
Posted: 01 Aug 2019 09:41 AM PDT
I have been searching for the difference between misuse intrusion and signature-based over the internet, and I have come to a certain point where, after reading so many articles, the difference between the two seems blurry.
How to process packet that is destined for another host
Posted: 01 Aug 2019 09:40 AM PDT
For my experiment with Open vSwitch, I have 3 Docker containers running Alpine that are all connected to a single OVS switch on the host machine. I have set up flow rules so that packets from container 1 to 3 will first be sent to container 2, where they will be inspected before being sent back to the switch and then reach container 3. The source is always container 1's IP and MAC, and the destination is always container 3's. The packets are correctly routed to container 2, but then they all get dropped, which makes sense to me since the destination address is not meant for container 2. My question is how do I configure container 2 so that it will look at those packets and forward them to one of its applications, or do some local filtering to decide whether it should drop or send the exact same packet back to the switch? Since I'm quite new to this, any hint that points me in the right direction is really appreciated.
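As an added example (not the poster's setup and not OVS tooling), one way container 2 can act as an inline inspector: an AF_PACKET socket receives frames regardless of destination MAC, so the program reads every frame, applies a policy, and re-emits the allowed bytes unchanged on the same interface, which keeps container 1's and container 3's addresses intact. The interface name `eth0`, the container addresses and the drop-TCP-23 policy are assumptions; the decision logic is testable offline, the forwarding loop needs Linux and CAP_NET_RAW.

```python
"""Inline inspection on a host that is not the frame's destination (added example).
The IP stack drops frames whose destination MAC is not ours, so the inspector
reads raw frames with AF_PACKET instead, decides per frame, and re-emits the
allowed bytes unchanged on the same interface. Linux and CAP_NET_RAW needed.
Assumed policy for the example: drop TCP to port 23, forward everything else."""
import socket
import struct

ETH_P_ALL = 0x0003
PACKET_OUTGOING = 4            # pkttype of frames this host itself sent
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
PROTO_TCP, PROTO_UDP = 6, 17
BLOCKED_TCP_PORTS = {23}       # assumed policy


def parse_frame(frame):
    """Return the header fields the policy needs, or None if not IPv4."""
    if len(frame) < 14:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    off = 14
    if ethertype == ETHERTYPE_VLAN:          # skip one 802.1Q tag if present
        if len(frame) < 18:
            return None
        ethertype = struct.unpack("!H", frame[16:18])[0]
        off = 18
    if ethertype != ETHERTYPE_IPV4 or len(frame) < off + 20:
        return None
    ihl = (frame[off] & 0x0F) * 4
    info = {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"),
            "src_ip": socket.inet_ntoa(frame[off + 12:off + 16]),
            "dst_ip": socket.inet_ntoa(frame[off + 16:off + 20]),
            "proto": frame[off + 9], "dport": None}
    l4 = off + ihl
    if info["proto"] in (PROTO_TCP, PROTO_UDP) and len(frame) >= l4 + 4:
        info["dport"] = struct.unpack("!H", frame[l4 + 2:l4 + 4])[0]
    return info


def decide(frame):
    """Return 'forward' or 'drop' for one raw Ethernet frame."""
    info = parse_frame(frame)
    if info is None:
        return "forward"                     # non-IPv4 (e.g. ARP): pass through
    if info["proto"] == PROTO_TCP and info["dport"] in BLOCKED_TCP_PORTS:
        return "drop"
    return "forward"


def run(ifname):
    """Read every frame on ifname and re-send the ones the policy allows."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    s.bind((ifname, 0))
    while True:
        frame, (_, _, pkttype, _, _) = s.recvfrom(65535)
        if pkttype == PACKET_OUTGOING:       # our own re-emitted copy: skip it
            continue
        if decide(frame) == "forward":
            s.send(frame)                    # bytes untouched: src/dst stay 1 -> 3


def build_test_frame(dport, proto=PROTO_TCP):
    """Constructed sample frame (container 1 -> container 3) for offline tests."""
    eth = bytes.fromhex("020000000003020000000001") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     socket.inet_aton("172.18.0.2"), socket.inet_aton("172.18.0.4"))
    return eth + ip + struct.pack("!HH", 40000, dport) + b"\x00" * 16


if __name__ == "__main__":
    run("eth0")                              # assumed interface name in container 2
```

The OVS flows still have to match on in_port so that a frame re-emitted by container 2 is sent on to container 3 rather than back to container 2.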
Dell s4148s / OS10 not saving VLAN config
Posted: 01 Aug 2019 05:44 AM PDT
Has anyone had any issues with the new version of OS10 (I think it's 10.4.3.3) not saving VLAN info on port channels? I have a VLT between two switches and have switchport access vlan 40 assigned on the port channel. I write the memory, reload the switch, and it isn't there in the config; I run the command and connectivity resumes. Bit of a PITA, as I will need to reconfigure every time I have to power cycle the switches.
QUIC protocol
Posted: 01 Aug 2019 01:35 AM PDT
Hi guys, I don't know if the section is correct; if not, direct me to the correct one :) In order to complete a university test, I have to compare the QUIC protocol with the TCP protocol. I used Wireshark to test both connections and I got some results (opening connection time for HTTPS sites). Now my goal is to estimate the overall connection duration (not just the opening handshake). With TCP I have no problem understanding when a connection closes, but with QUIC I can't understand. Can anyone help me please? Thank you
Brocade two port trunk, one side has one port blocked
Posted: 01 Aug 2019 05:13 AM PDT
I understand on a Brocade TurboIron 24x there are two ways to create a trunk: Method 1: trunk ethe 1 to 2. Method 2: int e 1 to 2. I have both ways done on two TurboIron 24x: Method 1 above for two 10GbE cables between switches, and Method 2 for two 10GbE fiber between a switch and a Tegile storage array serving NFS shares. The issue I have is on switch 2, the method 1 (static trunk) between switches shows the second port, port 19, blocked, and true to that the LED on that port on the switch is not illuminated. However, on switch 1 this same port 19 shows in a "Forward" state and sure enough the LED is lit solid on that physical switch port. How can the link be forward on one switch and blocked on the other, if they are configured the same? Thinking it was a bad Twinax cable, I replaced port 19 between switches with an 850nm SFP+ and a short fiber optic cable. I had the same result where switch 1 showed the port forwarding but switch 2 showed the port blocked. Here's an output of show trunk on switch 1. Here's an output of show trunk on switch 2. Here is how that trunk is configured on both switches... at the very top of the config on both it shows: Here's how the trunk to the operational Tegile storage array looks on switch 1. And how the trunk to the other Tegile storage array controller looks on switch 2. The issue is that yesterday I failed over the Tegile storage array from controller A to controller B. This means the NFS storage traffic to 8 ESXi servers would now originate off of switch 2, so that traffic would have to traverse the switch 2 to switch 1 trunk (ports 18 and 19) back to the "active" VMware adapters. Those VMware storage adapters remain active unless there is a link failure; then and only then would VMware try to talk off of switch 2. I can't use beacon probing instead of link state for failover because I read that for stability you need 3 adapters for this and I do not have a third adapter.
So the issue I had was the two IPs on the Tegile storage array claimed to be moved over to controller B, but VMware could only ping ONE of those IPs... all storage mapped via the second IP went (inaccessible), and SSH to an ESXi server revealed I could only ping one of the Tegile IPs. So I'm trying to rule out a networking issue because so far Tegile took our config and put it on one of their lab systems and both IPs we have programmed moved properly to their second controller. However, the difference is they just spun their test system up for us, whereas we have 400+ days of uptime on our controller, so they do suggest I reboot controller B and try again... but rather than cause another outage I want to investigate why this inter-switch trunk has one port showing blocked only on one switch. We have money in the budget to replace the Brocades with Arista; however, I only have enough money to do 1 Arista switch and then we would be running just 1 switch, or 2 switches but two different vendors (1 Arista primary, 1 Brocade backup). Next year I can request more money and if approved get a second Arista switch. Thanks for your info. I'm used to Cisco and Extreme Networks. The Brocade Foundry stuff seems a little foreign to me and limited.
Limiting Bandwidth being helpful?
Posted: 01 Aug 2019 07:40 AM PDT
I work in a production-type setting. We have means to capture data out on the line and feed it back to the office, as well as machines on the floor that connect to the network. Would limiting the bandwidth to these ports do anything beneficial? Just got the thought since the demand from those machines is not that high and the file size of the data is tiny. But with something like 30 of them out there, would limiting them all benefit the bandwidth as a whole?
Unable to transfer boot image using SolarWinds TFTP
Posted: 01 Aug 2019 07:38 AM PDT
I have a new Cisco ASA 5508-X I am configuring. I have SolarWinds TFTP server set up and running. I have created a local ADDRESS=10.0.0.2 NETMASK=255.0.0.0 GATEWAY=10.0.0.5 SERVER=10.0.0.1 IMAGE=asasfr-550x-boot-5.3.1-152. TFTP server just keeps timing out. I get the message: Interface link did not come up. Timed Out TFTP: Operation terminated. Any ideas on what I am doing wrong?? Thanks.
How to connect remote office to data center through main office?
Posted: 01 Aug 2019 07:17 AM PDT
Hi all. First off, I am no networking expert by any means... but here is what I am trying to accomplish. My MainOffice has a firewall and a direct VPN connection to our hosted data center. The RemoteOffice has a firewall and a direct VPN connection to the MainOffice. Only the MainOffice has needed access to the data center until today. Now the RemoteOffice is requesting access to the data center as well. I know I could do another direct VPN connection to the data center from the RemoteOffice, but shouldn't they (the RemoteOffice) be able to connect to the data center THROUGH the existing connection they have to the MainOffice? As it is currently configured, they cannot. I'm not sure where to start looking, so any direction you can point me in would be great. MainOffice has a SonicWall firewall. RemoteOffice has a Cyberoam firewall. I'm guessing that the data center would need to allow return traffic to the RemoteOffice subnet, but wouldn't their source be the MainOffice anyway (which they are already allowing)? Thanks!
Racking my brain (VPN Queries Juniper)
Posted: 01 Aug 2019 06:52 AM PDT
Hey guys, I've been racking my brain and can't think of the best way to do the below. Requirement: our customer requires a VPN to be established via a 4G/LTE modem plugged into a DrayTek, and the IP address will be dynamic. These VPNs will be connecting to one of our core Juniper SRX devices. For the life of me, I cannot think of the best way to implement this. I was looking at the Juniper Dynamic VPN config; however, I read that you require a VPN client for this to work. Note: there will be 50+ sites having to connect back. Is this even possible?
How to confirm that voice VLAN is working - Juniper EX3400
Posted: 01 Aug 2019 06:36 AM PDT
I've got IP phones with piggyback computers on them, and decided to try out the auto voice VLAN option on my Junipers. I have configured two phones with the settings but I'm not sure if they're actually using the voice VLAN. I can see that the port is configured and it shows that my data VLAN is untagged and the voice VLAN is forwarding and tagged, but is there a good way to confirm 100% that my voice traffic is actually going over the voice VLAN? I guess I could disable the voice VLAN on my phone system and see if the phones stop working, but that seems a little archaic.
You are subscribed to email updates from Enterprise Networking news, blogs and discussion.