Moronic Monday! Networking
- Moronic Monday!
- Bad quality peering from US to Netherlands?
- Protocol Authentication
- best practice for selling public IPv4 space.
- Courses / certs that are SDN related?
- Question Regarding FreeRADIUS and Simultaneous-Use With Meraki (Help)
- Isolating wireless access from trusted network on Watchguard T35-W
- Assigning Broadcast as a DNS address
- PVID on avaya switches
- VPN Connectivity problems
- Cisco FPR1010
- Need advice from network guys: iSCSI vs FCoE vs FC
- Anyone else find that Comcast Business is throttling ESP traffic?
- Azure VNET 2 OnPrem with or without Firewall
- SD-WAN Scenario: One head-end with multiple "customers" connecting?
- Random sites, randomly trying to push POS traffic to our firewall
- Keeping up
- (Urgent) What is the job scope of a NTD-Wireless engineer?
- GS108Tv2 not forwarding EAPOL
Moronic Monday! Posted: 25 Aug 2019 06:04 PM PDT It's Monday, you've not yet had coffee and the week ahead is gonna suck. Let's open the floor for a weekly Stupid Questions Thread, so we can all ask those questions we're too embarrassed to ask! Post your question - stupid or otherwise - here to get an answer. Anyone can post a question and the community as a whole is invited and encouraged to provide an answer. Serious answers are not expected. [link] [comments]
Bad quality peering from US to Netherlands? Posted: 26 Aug 2019 04:30 AM PDT A customer of ours is running Windows DFS and Veeam backups (bare metal with the Veeam Agent) from five locations around the globe to our datacenter in the Netherlands. DFS is used to synchronize company-wide information with every branch; the DFS namespace is only 14GB in size. Every branch location has a Read-Only Domain Controller which is also the local Fileserver (DFS); there is a business-type Internet connection with usually 100Mbps up/down speeds. We use ASA 5506-X's to set up a full-mesh IPsec overlay over each location. In addition each location has an IPsec tunnel to our datacenter in the Netherlands which houses their central off-site backup server. The data that is sent in day-to-day operations over the Branch to Branch IPsec overlay is Active Directory related traffic and the DFS deltas; there doesn't need to be a lot of bandwidth available for this purpose. The most important thing however is the IPsec tunnel for the Veeam Backup. The job contains the entire local filesystem that is differentially backed up over night and fully backed up every month. The size of the dataset is around 1.5TB per location.

We are currently experiencing issues with the backup from a branch location in Portland, Oregon. Previously the branch had a Comcast Business connection (I believe Starter Internet with only 50/5Mbps bandwidth). Since then they have upgraded to an Allstream Business Fiber 100/100Mbps connection. The full backup isn't able to finish in time before the 180 hour job runtime limit passes. The max bandwidth that we are able to achieve from the US to the Netherlands is about 500kB/s which equates to about 4Mbps; at this rate the backup would need 834 hours (1.5TB / 500kB / 3600sec = 833.333333333 hr) to finish.

The minimum amount of average bandwidth we would need is around (1.5TB / 180hr / 3600sec * 8bits = 18.5185185 Mbps) 20Mb/s; we would think this is way less than should be available over the 100Mbps up/down Fiber Internet connection and thus should be achievable. The datacenter upstream ISP has a full 1Gbps connection available and has more than enough bandwidth available when the backup runs. Other branches (they are all in Europe) have no problems running the same type of backup job. We have run multiple tests (Iperf3 with 8 concurrent TCP streams to mimic the behaviour of the Veeam Backup Agent, which also uses 8 concurrent TCP streams) over the IPsec overlays and we are not able to achieve more than 25Mbps throughput from Portland, OR to Amsterdam, NL. Without the IPsec overlay we are not able to achieve more than 27Mbps throughput over the same path. We have checked the traceroutes and the carrier's BGP Looking Glass and can't see an unnecessarily long path end-to-end. Our upstream ISP also cannot find an issue with the BGP path. Could this be a bad peering issue? Are there other tests/things we could try? We have contacted Allstream but their support is useless and the techs we spoke to are only able to troubleshoot last-mile issues (ISP handoff port issues).

TL;DR: Customer has branches around the world connected with business ISPs. There is an off-site backup server in the Netherlands. The North-American branch connected via Allstream Business Fiber 100/100Mbps is experiencing end-to-end bandwidth issues that compromise their backup operations (nightly differential, monthly full (1.5TB)). Other European branches have no issue running the backup job. Could this be a bad peering issue? EDIT: more specificity regarding the bandwidth tests. [link] [comments]
Protocol Authentication Posted: 26 Aug 2019 01:08 AM PDT Edit: SOLVED. Protocol authentication uses HMAC, not the plain hash function. HMAC-MD5 will of course be less secure than HMAC-SHA1 but to this date has no known attacks. So my question is moot. Thank you for all the helpers! I'm a total beginner so please excuse my ignorance. I'm currently participating in a basic LAN networking course and have a security question. It seems that network protocols like VTP and HSRP have a password option that is hashed with the message to authenticate that the sender is part of the VTP domain or HSRP group. Everywhere I've read, these authentications use MD5 or SHA1, including on Cisco's site last updated in 2018: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/xe-3s/fhp-xe-3s-book/fhp-hsrp-md5.html MD5 and SHA1 have been declared unsuitable for cryptographic use since 2012 and 2010 respectively. I couldn't find change-logs to the protocol that updated the hash function to an up-to-date cryptographic protocol. Are we still using these outdated hashing protocols? Is there a way to manually upgrade the protocol on my own private network? [link] [comments]
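The distinction the poster's edit draws (a keyed HMAC tag versus a bare hash of the message), as an added example that is not part of the post or of any Cisco implementation. The key, the message text and the function names are constructed for illustration and do not reproduce the HSRP or VTP wire format; the point is that a receiver can only accept a packet whose tag was computed with the shared key.

```python
import hashlib
import hmac

# Constructed sample values (not taken from any real device): a shared key and a
# message standing in for a hello packet body with its authentication field zeroed.
SHARED_KEY = b"example-group-key"
MESSAGE = b"hello group=1 vip=10.0.0.1 priority=100 state=active"


def plain_digest(message: bytes) -> bytes:
    """Unkeyed MD5 of the message. Anyone who sees the packet can recompute
    this, so it proves nothing about who sent it."""
    return hashlib.md5(message).digest()


def mac_tag(key: bytes, message: bytes, algo: str = "md5") -> bytes:
    """HMAC over the message with the shared key (RFC 2104 construction).
    Only a holder of the key can produce a tag the receiver will accept."""
    return hmac.new(key, message, algo).digest()


def verify(key: bytes, message: bytes, tag: bytes, algo: str = "md5") -> bool:
    """Receiver side: recompute the tag and compare in constant time so the
    comparison itself does not leak how many leading bytes matched."""
    return hmac.compare_digest(mac_tag(key, message, algo), tag)


def demo() -> dict:
    """Exercise the receiver's checks and report which outcomes hold."""
    tag = mac_tag(SHARED_KEY, MESSAGE)
    altered = MESSAGE.replace(b"priority=100", b"priority=90")
    return {
        # a genuine packet from a key holder is accepted
        "accepts_genuine": verify(SHARED_KEY, MESSAGE, tag),
        # any change to the covered bytes invalidates the tag
        "rejects_altered": not verify(SHARED_KEY, altered, tag),
        # a sender without the group key cannot produce a valid tag
        "rejects_wrong_key": not verify(b"some-other-key", MESSAGE, tag),
        # a bare MD5 of the message is not a valid tag, because HMAC mixes in the key
        "plain_hash_is_not_a_tag": not verify(SHARED_KEY, MESSAGE, plain_digest(MESSAGE)),
        # switching the underlying hash changes the tag (and its length: 16 vs 20 bytes)
        "sha1_tag_differs": mac_tag(SHARED_KEY, MESSAGE, "sha1") != tag,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```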
best practice for selling public IPv4 space. Posted: 26 Aug 2019 03:38 PM PDT We've been tasked with selling some of our public IP blocks. What are some best practices or even gotchas when it comes to selling IPv4 space? [link] [comments]
Courses / certs that are SDN related? Posted: 26 Aug 2019 05:01 AM PDT Exploring things such as controllers, SD-WAN etc. How does one go about obtaining this knowledge / skills, and what are the prereqs? [link] [comments]
Question Regarding FreeRADIUS and Simultaneous-Use With Meraki (Help) Posted: 26 Aug 2019 02:55 PM PDT Hello all, I have a hell of a question for you, and hopefully this fits here (I might be pushing the line a bit). Has anyone here been able to get Meraki working with FreeRADIUS (+ DaloRADIUS) and been able to get Simultaneous-Use working?

What I have done: FreeRADIUS; MySQL/DaloRADIUS.

Conclusion: First, here's a radiusd -x PasteBin. I redacted IPs but other than that it's basically all there. What I find most interesting is you can see FreeRADIUS correctly finds the user's group and the attributes. Yet it never sends an access reject. However you can force an access reject by simply typing in a bad password, and packet captures on the AP confirm the Filter-Id attribute makes it to the AP. I would really appreciate some guidance or discussion. [link] [comments]
Isolating wireless access from trusted network on Watchguard T35-W Posted: 26 Aug 2019 09:31 AM PDT I am testing a T35-W that we want to replace our existing Sonicwall TZ unit with. I've gotten pretty much everything else figured out but the built-in wifi. While I had no problem getting Access Point 1 working within our trusted network as well as the internet, I am hitting a wall getting Access Point 2 configured for guests so as to block access to the trusted network while still giving it internet access. I enabled its DHCP server and assigned it an IP range on a different subnet than the wired trusted network. I left the default gateway setting as Use the interface IP Address. I created a policy that denies access from Guest Wifi to Trusted on all ports. In the end I am able to get internet access to work fine but I am unable to block it from the trusted network; even the IP of the Fireware login screen is still accessible. What am I missing? [link] [comments]
Assigning Broadcast as a DNS address Posted: 26 Aug 2019 05:53 AM PDT Hey Guys, Sorry if I should not be posting this here. Just a query (my networking skills are very rusty). A work colleague of mine was tasked with updating the address of the DNS servers. He accidentally put 255 in the 4th octet of the IP address instead of 225. I made him change them all there and then. However I was told by other colleagues that I was overreacting and it could have waited. What effect would this have had on a production network, if 50 servers were using a broadcast address to resolve DNS queries? For clarification, it's the DNS server setting when you configure IPv4 in Windows. [link] [comments]
PVID on avaya switches Posted: 26 Aug 2019 11:41 AM PDT Hey everyone, I'm working on converting some Avaya switches to Juniper, and I'm trying to wrap my head around the various PVID tags and figure out what PVID is. I'm not clear if it's a native VLAN, or if it just tags frames outbound. Does anyone here with any background on this have any helpful insight? Untagpvidall, tagpvidall, etc... I've tried researching but am getting conflicting information. Edit: thanks for downvoting someone who's trying to ask a question, much appreciated! 🙂 [link] [comments]
VPN Connectivity problems Posted: 26 Aug 2019 11:40 AM PDT Greetings! This is my first post here, so I apologize if this isn't in the spirit of the community, but I'm looking for some assistance, as I'm not too experienced in VPNs. My apologies if this isn't the place for this sort of inquiry. About two weeks ago, all the VPN users for one of my clients stopped being able to connect. This is a new client so I'm still getting up to speed with their environment. They have a Cisco ASA and appear to be using IPSec/L2TP with local authentication. Most of the users try to connect and get a spinning wheel (Windows 10). Some try and are told their username/password don't work. I've been working on it and been getting weird results. I tried connecting with my phone and was able to connect to a network server and see the resources. It worked just fine. But Windows is giving me nothing but problems for all users. I tried a registry tweak I found somewhere that adds a DWORD value to the PolicyAgent key. That let my laptop connect successfully, I think, but when I try to connect to anything on the local network Windows acts like it can't even find it, whether through host name or IP. What's going on? Why on earth does everything work fine on iOS but not Windows? Thanks for any help. [link] [comments]
Cisco FPR1010 Posted: 26 Aug 2019 12:11 PM PDT Has anyone had the opportunity to interact with one of the new Cisco FPR1010 next gen firewalls? My rep is trying to sell me on these over the ASA 5506 but they kind of sound like Meraki where it's all cloud controlled. I'm not sure I'm ok with that. [link] [comments]
Need advice from network guys: iSCSI vs FCoE vs FC Posted: 26 Aug 2019 03:27 PM PDT Hi guys, From a network management side, what is the easiest and the best to implement, from your point of view, for a SAN fabric? Do you even manage FC fabric? Or FCoE fabric? How does it impact your LAN & WAN? Pretty wild question I know but I'm looking to open my chakra, as a computer/storage guy. Thank you! [link] [comments]
Anyone else find that Comcast Business is throttling ESP traffic? Posted: 26 Aug 2019 03:00 PM PDT I have a site with 150/20 service from Comcast Business. When set up initially, IPSEC throughput over this link was ~120/~15. Performance loss for IPSEC was minimal, and acceptable. Recently, this slowed to ~3-5Mbps over IPSEC. Turning off IPSEC and NATing out the gateway resulted in full 150/20. Then came time for experiments. Multiple times, switching between IPSEC, OpenVPN, and just plain NAT, the results are: ESP/IPSEC is 3-5Mbps, OpenVPN over UDP 1194 is 130-145Mbps, and plain NAT is 140-150Mbps. Has anyone else found Comcast throttling ESP/IPSEC traffic? I mean, this is Comcast Business, we pay specifically for unmolested traffic. edit: The other side of this link has 1G/1G service in a DC, and other IPSEC connections that remain fast. [link] [comments]
Azure VNET 2 OnPrem with or without Firewall Posted: 26 Aug 2019 11:02 AM PDT I have a feeling my company is going to be dipping their toe in Azure within the next 12 - 24 months. I'm trying to get ahead of what I don't know by doing some beginner research. I'm also betting that on-prem will be connected to the VNET out in Azure in some sort of capacity. I have seen a few network diagrams and tutorials on how to build a VPN tunnel using an Azure gateway but nowhere do I ever see a firewall between the gateway and the VNET within these diagrams. Am I to treat these gateways as security devices as well? Edit: Specifically I'm talking about a firewall between the Azure Gateway and the Azure VNET. [link] [comments]
SD-WAN Scenario: One head-end with multiple "customers" connecting? Posted: 26 Aug 2019 10:36 AM PDT I'm trying to mentally process the feasibility of this scenario: One SD-WAN Head-end with multiple "customers" connecting to it. Hypothetical Backstory Context: I'm a device/service provider and my customers have their own networks but have to route my device/sensor data back to me from remote sites to be aggregated/processed. Currently all incoming customer data is whitelisted by IP (keeping it to only a few IPs per customer), meaning their multiple external-site data sources must be routed back to a central point before being sent my way. Question at issue: Can I host a master head-end SD-WAN device(s) and have multiple customers' edge SD-WAN devices establish automagic dynamic VPN links back to it for the sensor data? Security Concern: This must obviously not allow intra-customer traffic, but ACLs should cover that. [link] [comments]
Random sites, randomly trying to push POS traffic to our firewall Posted: 26 Aug 2019 10:15 AM PDT Scenario: we have a site that has a POS computer. It uses a program to complete transactions and sends it to a server internally in our network. We obviously use this for keeping track of sales and reporting, etc. Randomly, the program goes down. Looking at our logs, our firewall is blocking the conversation between the POS and the server. The problem is that the conversation between the two should never be hitting the firewall to begin with. This has happened 5 or 6 times in the last few months, and the only solution we've been able to remedy it with has been to change the IP address of the POS computer. We've spoken to the people who make the program multiple times as well, and they've said repeatedly they don't see anything wrong with the server as far as they can tell. I'm just wondering if there's something I'm missing here on the networking side of things. I can't think of a reason why seemingly random POS computers are trying to route through our firewall for an internal conversation. [link] [comments]
Keeping up Posted: 25 Aug 2019 09:41 PM PDT Hi all, New to actually being in a network engineering position and was wondering if the subreddit might be able to help out. What are some good resources, blogs, YouTube channels, or other things that you all use to try and stay current? Any advice on keeping up with the ever expanding technology? [link] [comments]
(Urgent) What is the job scope of a NTD-Wireless engineer? Posted: 26 Aug 2019 06:53 AM PDT Hey guys, I got an interview invitation for this position and honestly I can't find any info regarding what NTD actually is. Do any of you guys know what the job scope is, and perhaps have tips to ace this interview? Your help is much appreciated! [link] [comments]
GS108Tv2 not forwarding EAPOL Posted: 25 Aug 2019 04:35 PM PDT Hi, Device: Netgear GS108Tv2. I have 2 devices (an ONT and a supplicant) in ports 1 and 2. Both are on VLAN1 untagged (ports 3-8 are on VLAN4 and aren't messing in between). And packets aren't coming back (not sure if they are reaching, as I can't debug the ONT). Right now I have the following:
- IGMP Snooping enabled
Still, I see the EAPOL packets going out, but none coming back in. This works flawlessly with a dumb switch. Thanks in advance! [link] [comments]