    Friday, September 27, 2019

    Blogpost Friday! Networking

    Blogpost Friday!

    Posted: 26 Sep 2019 05:04 PM PDT

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

    Feel free to submit your blog post and as well a nice description to this thread.

    submitted by /u/AutoModerator

    Creative users against network security...

    Posted: 27 Sep 2019 11:49 AM PDT

    Hey guys,

    story of today:

    We installed 95 APs in the last months to offer wifi in our two buildings and all 6 floors. After that we created 3 ssids. One for customers, one for our internal Wifi (Radius, policy based) and one for the business mobile phones. All that just to add some more security in the network.

Today a teammate told me that one of our users said that he doesn't need "that wifi access". It turned out that he used the mobile hotspot in Windows on his notebook, so he could add any wifi device he wanted to the internal Wifi.

What should I say? Some users are really bastards... 10 minutes later we added a GPO to deactivate that for the whole company.

    Just be prepared...

    submitted by /u/AlCapone90

    Cisco warning: These routers running IOS have 9.9/10-severity security flaw

    Posted: 27 Sep 2019 05:03 AM PDT

    Cisco has disclosed over a dozen high-severity vulnerabilities affecting the widely deployed Cisco IOS and IOS XE network automation software, including a nasty one affecting its industrial routers and grid routers.

    The company is also warning customers to disable an L2 traceroute feature in IOS for which there is public exploit code.

    The bug is due to an incorrect role-based access control (RBAC) evaluation for controlling access to the guest OS in IOS.

An attacker would need to be authenticated to exploit the bug. However, due to the RBAC issue, the bug allows a low-privilege user to request access to a guest OS – such as a Linux instance running on a VM within an affected device – that should be restricted to administrative accounts. These are defined in IOS as 'level 15' accounts. An attacker can exploit the bug to gain access to the OS as root user.

    There are no workarounds, so customers will need to ensure they're running a fixed version of IOS. However, if an upgrade can't be done immediately, Cisco suggests that disabling the guest OS "eliminates the attack vector" and so may be a suitable mitigation. Cisco offers instructions for uninstalling guest OS in its advisory.

    Cisco has also published an informational advisory for an issue in the Layer 2 network traceroute utility in IOS and IOS XE. The feature is enabled by default on Cisco Catalyst switches. The company notes it is aware of public exploit code available for this issue.

    Cisco is urging admins to review which versions of Cisco IOS and IOS XE their devices are running to ensure these have been updated to versions that address 13 separate flaws.

    By design, Cisco notes, the L2 traceroute server doesn't require authentication and allows an attacker to collect a whole lot of information about an affected device, including the hostname, hardware model, configured interfaces and IP addresses, VLAN database, MAC address table, Layer 2 filtering table, and Cisco Discovery Protocol neighbor information.

    "Reading this information from multiple switches in the network could allow an attacker to build a complete L2 topology map of that network," Cisco warns.

    Cisco has provided information about how to secure the L2 traceroute server in the advisory. The advice includes, among other things, disabling the server or upgrading to a version of IOS or IOS XE that has it disabled by default.

    However, upgrading to a version with it disabled won't be possible until later this year. These versions include Cisco IOS 15.2(7)E1 December 2019, and later; Cisco IOS XE 3.11.1E December 2019, and later; and Cisco IOS XE 17.2.1 March 2020, and later.

    In the meantime, there are also options to restrict access through control-plane policing or access control lists.

    submitted by /u/RaginglikeaBoss

    2019 laptop with rj45 port?

    Posted: 27 Sep 2019 05:11 PM PDT

Networking people, what laptop do you all use? Have you all switched to the dongle life already? I can't seem to find a laptop with an RJ45 port; it seems the thing now is USB-C, maybe USB-A and HDMI. Any recommendations?

    submitted by /u/redditusersg

    Content filter blocking our MDM

    Posted: 27 Sep 2019 06:40 PM PDT

    Hello,

I'll try to keep this as short as possible. We use an MDM (Jamf Pro) that is cloud hosted. We also use iboss as our web content filter. There is a setting in it that blocks connections using non-standard ports. Problem is Jamf operates on port 8443. Is there any way we can remedy this other than disabling that setting? I'm told completely turning it off is unsafe, and I can get why. The problem is Jamf is hosted by AWS and their IPs change almost weekly.

    submitted by /u/thamatthatter

    Dell Force 10 - VLANs on vlt-port-channel

    Posted: 27 Sep 2019 04:07 PM PDT

    After assigning a local port-channel to a vlt-port-channel, where are the VLANs added? And if it's on a single switch, do they automatically sync? Any help would be appreciated.

    (interconnect already set up and functional on both S4048s)

    submitted by /u/npannell33

    How to scale VXLAN/EVPN environments?

    Posted: 27 Sep 2019 12:43 PM PDT

I've currently got a small Arista EVPN/VXLAN environment consisting of 4 spines (2 per datacenter) and 6 leafs (1 border, 2 leafs per DC). Currently, we provision every subnet/VXLAN on every leaf switch, but as our datacenter grows, I expect this to be an administrative burden. I am also worried about sprawling every L2 domain across every single switch despite being limited in size (to a /24 per VNI/VXLAN).

So my questions are: is deploying every VNI to every leaf switch best practice in order to maximize IP mobility, or should I consider telling my server team to start pairing up ESX machines so that certain host machines can only vMotion to certain host machines in the other datacenter? Essentially limiting the overlay/L2 broadcast domain for that VNI to specific ToR switches.

    If every VNI to every leaf switch is recommended, how do I manage turning up new subnets/Vxlans to every switch as my datacenter grows towards this model? Is the answer always automation?

    However, I feel that limiting the broadcast domain or "vmotion" to a pair of switches might be the better option. Instead of any address to any ToR switch, to just say DC1 - host1/2 can vmotion to DC2 - host1/2 and build the VNI/VXLAN on those two pods.

    In regards to cloud deployment, I would think DC1-host-1&2 / DC-host-1&2 and CloudDC-host-1/2 would all have the same VNIs. But in the anycast gateway models I believe you're supposed to provision every VNI on every single ToR.

    I'm looking at having around 100 switches (50 switches in pairs , so 25 racks in each dc) as far as scale.

    submitted by /u/brocade_eng

What's your attitude towards Shodan scans?

    Posted: 27 Sep 2019 04:38 PM PDT

    Do you just let them do their thing or block them? They make my IPS bark but I don't worry about it too much at the moment. I'm wondering if I should.

    submitted by /u/BSwollocks

    Daisy chain IP cameras

    Posted: 27 Sep 2019 12:57 PM PDT

    I have a very unique task at hand. I am trying to install 300 cameras in a room. The cameras would be laid out in a grid formation. The cameras would only take 1 picture per hour so the bandwidth would be pretty low.

Running 300 cables from each camera may be too difficult for this project. Does anyone know of a way to daisy chain Ethernet connections?

    submitted by /u/Jreddd1

    How to route in cisco ASA (from multiple interfaces with same security level)

    Posted: 27 Sep 2019 02:47 PM PDT

    I just set up a simple ASA topology... Please see the ASA Topology here.

    All interfaces are on security level 0

    On the ASA, I set int vlan200 as the default gateway (as shown in the topology link above)

So now I can ping anywhere from the vlan200 interface.

But when I ping from int vlan100 or int vlan300, it doesn't work.

Does that mean that the default route I set only works for traffic with source int vlan200?

If I try to create another default route using int vlan100 or 200 I get the error "cannot add route entry, conflict with existing routes".

My troubleshooting steps:

1. I set "same-security-traffic permit inter-interface" and "same-security-traffic permit inter-interface" but nothing, still the same issue.
2. I set default routes via the vlan300 and vlan100 interfaces with higher ADs of 2 and 3 respectively (i.e. route vlan300 0.0.0.0 0.0.0.0 192.168.30.254 2 and route vlan100 0.0.0.0 0.0.0.0 192.168.100.254 3), and now a traceroute (with source of either vlan300 or vlan100) to 10.10.10.11 works but ping still does not, weird!

Anyone know the correct way to configure this so all interfaces on the ASA can reach 10.10.10.11 or any external host?

Thanks

    submitted by /u/nok4us

    NXOS 9.3 vs 7.0(3) on N93180YC-EX?

    Posted: 27 Sep 2019 09:46 AM PDT

    Has anyone been successfully running NXOS 9.3 on a 93180? This is the image the switches came with but Cisco's recommended version is 7.0(3).

    This is my first Nexus setup from scratch. Right now my plan is to downgrade them to Cisco's recommended version but we aren't running a lot of features on the switches. Just basic L2 with vPC. I figured it might be safe to stay at the later version.

    submitted by /u/ssherman68

    VMware ESXi and Protecting VMs with pfSense

    Posted: 27 Sep 2019 04:16 AM PDT

    Hi.

I'm migrating a physical web/mail server into VMware ESXi. The network has an existing physical firewall in place. I need to replace the physical server with two VMs. I was also hoping to install pfSense inside of VMware ESXi to logically make a DMZ network for the VMs to connect through.

    Topology

Real firewall -> Real Switch -> VMware ESXi -> Virtual WAN -> pfSense VM -> Virtual DMZ -> web/mail VMs

    My reasons for implementing it this way.

If the VMs are compromised, the attacker can't get out of the VMware ESXi network, since with pfSense I'm filtering traffic outbound as well. Even if they managed to, they would still have the physical network's security measures to deal with, as the real network is already segmented into OFFICE STAFF/DMZ/WAN.

    I really need some guidance.

    1. Is this unnecessary work for a small benefit?

2. Should I instead just run two VMs in ESXi while using the physical network to protect them?

    Thanks for any help and have a nice day.

    submitted by /u/yoyomow01

    Basic question about (M)STP with non-STP capable devices in path and link cost calculation

    Posted: 27 Sep 2019 03:37 AM PDT

Hi, stupid question, but if I have devices (wireless point-to-point microwave links, in the instance I'm thinking of) that don't actively participate in STP but do forward BPDUs, this should be transparent to the switches processing STP BPDUs at different ends of the wireless link? So they simply see it as

    switch1 <---BPDUs --> switch2

    when it is in fact

    switch 1 <-- BPDUs --> microwave link device 1 <-- BPDUs --> microwave link device 2 <-- BPDUs --> switch2

Even though there is a BPDU forwarding device that does not participate in STP between switch1 and switch2? I'm thinking about the way they calculate cost here, and which path would take precedence. My guess is that the switches would see it as 1 hop, even if it is 3, since they cannot know?

    submitted by /u/red_babun

    Could plugging in a VoIP phone to a wall port cause loss of network for the whole room?

    Posted: 27 Sep 2019 10:04 AM PDT

I'm a layman so please be gentle. I plugged in a VoIP phone from the SW port on the phone to the wall, and then suddenly the network for everyone in the office was down. Is that my bad? There were a couple of other people hooking up phones a bit earlier; if someone hooked the PC port to the switch, would it cause a loop? All phones have been disconnected in case that's the problem; if it was, how long should it take for the network to be restored? It's been 10 minutes.

    Edit: network restored. Not sure why. Too scared to try plugging in phone again lol

    submitted by /u/Shnig1

    Multi-gig Juniper switches

    Posted: 27 Sep 2019 02:59 AM PDT

    Question for the Juniper peeps out there.

Does anybody have any experience with the new EX2300MP models yet? Is it just another EX, except with a few "special" ports, or are there specific considerations I should know about? I'm assuming they can be added to a virtual chassis with other EX2300 models, but haven't found any articles to corroborate.

    Love to hear your thoughts. Thanks.

    submitted by /u/JM-Gurgeh

    Creative ASA Site to Site VPN help

    Posted: 27 Sep 2019 01:19 PM PDT

    I need help finding a creative idea to allow one side of the tunnel to ping a NAT address. Here is the scenario.

Site 1 is the primary site; it will initiate all of the communications. We create a tunnel to site 2 using NAT as it helps alleviate overlap. Site 1 uses 10.0.0.0/24 as its local; Site 2 uses 172.16.0.0/24 for its local traffic. Site 1 creates a NAT rule for anything from 10.0.0.0/24 to 172.16.0.0/24 to go out NAT IP 192.168.1.10. Site 2 just has a NAT exemption rule to retain source/destination. Now as we know per the above, if I ping 172.16.0.1 (and have ICMP inspection on) I will get a return. However, site 2 cannot initiate a ping to 192.168.1.10 as that refers to the whole 10.0.0.0/24 network.

    I want to give site 2 the ability to ping the NAT address to validate it is alive. Any ideas?

    submitted by /u/hurculeasz

    iptables LOG implementation

    Posted: 27 Sep 2019 06:51 AM PDT

I'm trying to forward traffic from one virtual interface (eth3) to a tun (tun0) interface within a container. I'm able to forward ping and iperf traffic by adding the following iptables rules:

    iptables -t nat -A POSTROUTING -o connectify0 -j MASQUERADE

    iptables -A FORWARD -i connectify0 -o eth3 -m state --state RELATED,ESTABLISHED -j ACCEPT

    iptables -A FORWARD -i eth3 -o connectify0 -j ACCEPT

I'm unable to forward TRex-generated traffic. I see it on eth3 using tcpdump but it isn't getting forwarded to tun0.
Looking at ways to debug it using the iptables LOG option. How would I LOG the cause for eth3 not forwarding traffic to tun0?

    submitted by /u/EnoughMaintenance6
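One way to get the LOG target to answer that question, as an added example that is not part of the original post or of any reply to it: append a rate-limited LOG rule as the last rule of the FORWARD chain, so it fires only for packets that matched none of the ACCEPT rules above it, then summarise the resulting kernel log lines by IN/OUT/PROTO. The interface names eth3, tun0 and connectify0 come from the post (note that the ACCEPT rules name connectify0 while the intended target is described as tun0, and the OUT= field of each log line shows which interface the kernel actually chose); the "FWD-NOMATCH: " prefix, the function names and the sample log lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Names from the post: eth3, tun0,
# connectify0. Constructed here: the "FWD-NOMATCH: " prefix, the function
# names, and the sample kernel log lines in sample_kernel_log.

# 1. Logging rule. Appended as the LAST rule of FORWARD, so it only fires for
#    packets that matched none of the ACCEPT rules above it; the kernel log
#    line then records the IN/OUT interfaces, addresses and protocol the packet
#    had when the chain ran out of rules. Rate-limited so a traffic generator
#    cannot flood the log. Needs root; not run by the test.
add_forward_logging() {
    iptables -A FORWARD -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-prefix "FWD-NOMATCH: " --log-level 4
}

# 2. Per-rule hit counters: a rule whose pkts column stays at 0 while packets
#    keep arriving is the rule whose match (-i / -o / --state) does not fit the
#    traffic. Needs root; not run by the test.
show_forward_counters() {
    iptables -L FORWARD -v -n --line-numbers
}

# 3. Summarise the LOG output (dmesg, journalctl -k or /var/log/kern.log on
#    stdin): packet count per IN/OUT/PROTO triple, highest count first.
summarize_fwd_nomatch() {
    grep 'FWD-NOMATCH:' | awk '{
        in_if = ""; out_if = ""; proto = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "IN") in_if = kv[2]
            else if (kv[1] == "OUT") out_if = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
        }
        count["IN=" in_if " OUT=" out_if " PROTO=" proto]++
    }
    END { for (k in count) print count[k], k }' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample of what the kernel writes for the LOG rule above
# (plus one unrelated kernel line, which the summary must ignore).
sample_kernel_log() {
    cat <<'EOF'
[ 1201.100123] FWD-NOMATCH: IN=eth3 OUT=tun0 MAC=02:00:00:00:00:03:02:00:00:00:00:01:08:00 SRC=10.10.1.5 DST=198.51.100.20 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=1 PROTO=UDP SPT=5001 DPT=5001 LEN=1480
[ 1201.100456] FWD-NOMATCH: IN=eth3 OUT=tun0 MAC=02:00:00:00:00:03:02:00:00:00:00:01:08:00 SRC=10.10.1.6 DST=198.51.100.21 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=2 PROTO=UDP SPT=5002 DPT=5001 LEN=1480
[ 1201.100789] FWD-NOMATCH: IN=eth3 OUT=tun0 MAC=02:00:00:00:00:03:02:00:00:00:00:01:08:00 SRC=10.10.1.7 DST=198.51.100.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
[ 1201.200000] FWD-NOMATCH: IN=tun0 OUT=eth3 SRC=198.51.100.22 DST=10.10.1.7 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4 PROTO=ICMP TYPE=0 CODE=0 ID=77 SEQ=1
[ 1201.300000] eth3: link becomes ready
EOF
}

# Demo on the constructed sample; on a real box pipe dmesg into the function:
#   dmesg | summarize_fwd_nomatch
sample_kernel_log | summarize_fwd_nomatch
```

The summary is the diagnostic: every line it prints is a flow the FORWARD chain dropped by policy, and the IN/OUT pair tells you whether the drop is an interface-name mismatch (the ACCEPT rule names one interface, the kernel routed out another) or a state-match problem (packets arriving on the return path that never had an ESTABLISHED entry). Compare it with the counters from iptables -L FORWARD -v -n before changing any rule.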

    Cisco 3750x microcode update

    Posted: 27 Sep 2019 03:56 AM PDT

Hi r/networking!

    I am trying to upgrade a Cisco 3750x stack running 12.2-55-SE3 to the current starred release 15.2-4-E8. Obviously I am trying to minimise the downtime and I am lucky enough to have a spare stack to practise on. I have tried the following commands:

    archive download-sw /imageonly /overwrite /upgrade-ucode tftp://x.x.x.x/c3750e-universalk9-tar.152-4.E8.tar

    archive download-sw /imageonly /overwrite /force-ucode-reload tftp://x.x.x.x/c3750e-universalk9-tar.152-4.E8.tar

    Both upgrades succeeded, but the microcode upgrade was done after the reload resulting in 30 minutes downtime. I get the following error message during the upgrade:

    Could not find UCODE image on switch 66254736. UCODE upgrade may occur after reload.

    Switch 2 reloading...

    Could not find UCODE image on switch 66254736. UCODE upgrade may occur after reload.

    No UCODE upgrade. Reloading.

    Then the stack proceeds to reload as normal. Anyone have any ideas? Can I use a different code version to stage the upgrade?

    submitted by /u/jayohaitchenn

    DMVPN

    Posted: 27 Sep 2019 01:36 AM PDT

I've found myself a bit stuck with a DMVPN solution. Our current DMVPN on 2 routers (not in a cluster, but master and backup, also running HSRP) has reached its capacity and I need to extend it whilst keeping all the spokes connected. My initial thought was to just change the subnet mask and update the EIGRP, but when I labbed it, it dropped all the spokes because of a mismatch on the subnet. So then I thought I would run 2 hubs on the same router. That caused the same issue based on using the same external IP and a different EIGRP AS, so now I'm at a loss on how to increase it. Has anyone done this before? We currently have 500 spokes on our ASR 1002 and I need to at least double it. Any advice would be gratefully received.

    submitted by /u/leigh_boy

    Cisco ASA 5525 Site-To-Site VPN Filter Odd Issue

    Posted: 27 Sep 2019 10:15 AM PDT

    Hey folks,

We were attempting to get LDAP traffic to pass to and from our remote site over a site-to-site VPN tunnel. The tunnel has been up for weeks, lots of other things work fine, but we were having issues with LDAP from the remote site to our site. Both sides have ASAs. We checked and troubleshot our ACLs on the VPN over and over, to no avail; we couldn't get it working. All the correct ports were allowed on both sides, etc.

    I created a top level access rule in the ACL that points to the VPN to just allow all IP traffic to and from the client at our remote site that was trying to use LDAP. This didn't fix the issue. I said "ok, must be an issue on the remote side's ACL." I removed the access rule I added, saved config, and for some reason it reset the IPsec VPN. After the VPN reset, everything started working.

1. Does changing ACLs associated with a VPN reset the VPN after you save the config? This is the first time I've seen this happen.

    2. Does anyone have any possible idea why the VPN reset would have fixed our issue? I'm at a loss here. There were ultimately no ACL changes made, and the VPN reset resolved the problem magically.

    It's worth noting, before it started working, I could only see LDAP UDP traffic coming from the remote site, and going back out. No TCP connection was being established. After the VPN reset, the TCP connection established and everything started flowing.

    Appreciate you taking the time to read.

    submitted by /u/gmasters428

    Multicast question: How is this working?

    Posted: 26 Sep 2019 06:48 PM PDT

    We are undergoing a data center refresh at my company and are running multicast on one of the devices that's going to be decommissioned. This device is the rendezvous point (RP). As I've begun reading about PIM-DM, PIM-SM, and BIDIR-PIM in preparation for the multicast change, I've come to believe the current topology is either working by accident or b/c a half-baked BIDIR-PIM setup ends up behaving like PIM-SM.

    Can any multicast pros corroborate this? I'm about to read RFC 5015 to see whether this is explicitly mentioned. This is a Cisco shop, in case the implementation matters. Some points below.

    1. The web-fw, web-sw, and cor-fw are all in the same subnet.
    2. The cor-sw is connected to the cor-fw only.
    3. The web-sw is the RP.
    4. As you see in the masked output, the two firewalls are configured for PIM BiDir but the switches are not, b/c BiDir PIM was enabled, but not configured.

    When I do a show ip mroute on the RP, I see a lot of (S,G) entries rather than strictly (*,G) entries as would be expected of BIDIR-PIM (from what I understand).

    Edit: We are doing BIDIR-PIM (or tried to, at least) b/c we have lots of senders/receivers.

    submitted by /u/j-dev

    I hate SFP/SFP+ modules

    Posted: 27 Sep 2019 08:30 AM PDT

    What is up with the ridiculous amount of incompatible variations of SFP/SFP+ transceivers/modules in the networking world? Jesus it's so bad. I feel like the networking world just tries to be complex on purpose.

    submitted by /u/Frequentsy

    IPsec ikev1 and ikev2 run on same Cisco ASA?

    Posted: 27 Sep 2019 06:26 AM PDT

We have multiple Cisco ASA IPsec tunnels running over IKEv1, but today one of our customers asked us to create an IKEv2 tunnel, and I am not sure whether we can run both IKEv1 and IKEv2 on the same Cisco ASA.

Is it possible to run both on the same box?

    submitted by /u/satishdotpatel

    SoT for ISP Services?

    Posted: 27 Sep 2019 02:09 AM PDT

    Hey all

    Something has been bugging me for quite some time now and I feel like I need to vent a bit... Hopefully someone has/is in a similar position and can relate.

    Background:

    I work as a Network Engineer for a smallish ISP (400k or so customers) and mostly do design/automation. Right now, most network related things are unfortunately being done manually which of course is quite time consuming and error prone.

Previously I have been focusing my efforts on simplifying/standardising network configs as well as automation of most tasks that haven't been related to a SoT (as we've never really had a functioning SoT for devices/services).

Lately I have begun to migrate all devices into Netbox (I know it's DC focused, but it's still 10x better than the current device database we have) and now automation related to our devices is underway (automatic monitoring, backup, provisioning etc.).

    The issue:

But the devices themselves are, for a service provider, just a small part of course. I have tons of ideas related to automation/provisioning of our services. The issue I'm facing is that our services are not documented in a way that a computer can interpret...

For example, a basic internet service in most cases just says which IP prefix the service is using; no info on whether it is a route/next-hop IP info/BGP route/directly connected, which PE device/access device the service is connected to, etc. Most of the time if there is any additional info, it is written down in a freetext comments field.

Essentially it requires a human operator to log into the specific PE device in question to see what setup the customer actually has. The system we have in place for storing the above service data (an in-house built OSS/BSS system, essentially) also doesn't exactly have any good API functionality.

The current system in place is unfortunately so bad that people have begun to document services in Confluence (intranet). But as you can imagine, it is not a good SoT in any way when you want to automate things. Only a human can interpret the data stored there.

    So I'm starting to wonder what type of solutions are out there for these types of issues? For documenting SP services (HSIA, L3/L2 VPN etc). In what type of systems do you guys keep your data about the services you provide? In some form of OSS/BSS system?

    I feel like it probably shouldn't entirely be the job of a Network Engineer to do this kind of work, but I'm starting to feel like my hands are tied and I can't do any work without there being a decent system in place where via API for example I can fetch data about services in order to provision/configure/monitor them etc.

    submitted by /u/AncientSoup