Networking
- Computers refuse to route a subnet range to gateway
- Upgrade path from basic pfsense routers? (Shadow IT)
- A wireless access point and PoE switch in one?
- Cost effective 1G BGP edge router?
- Breakout Cisco 93108TC-FX
- Packet loss from an OpenVPN client to a VLAN it's attached to
- Difference in IOS releases
- After some advice regarding wifi extenders
- Top Remote Access VPN
- Cloud, is it even worth it? (based on cost)
- Let’s talk event-driven automation.
- VACL redirect to firewall
- Mellanox MLAG problem ?
- Session close after SIP - BYE is received
- Cisco WLC new SSID unable to access the internet
- How many WAPs can you put on a single channel using arbitration before you start having issues?
- Cisco Anyconnect integration with Aruba Clearpass
- DHCP Issues - Dell 4148 OS10 Smart Fabric
- Need help migrating an old Firebox SOHO 6 to a new account.
Computers refuse to route a subnet range to gateway
Posted: 28 Nov 2019 01:24 PM PST

OK, feels like I'm taking crazy pills here. I have a Mikrotik hAP; the network is pretty simple: LAN is 192.168.1.0/24, WAN is 172.x.x.x (I can't remember), and it has a VPN using some IP in the 192.168.10.0 range connected to this other remote site where they use the 192.168.0.0/24 range. The router has no problem getting to the remote site, and all computers have a single IP with a DHCP address in the 192.168.1.0 range. But here is the thing: computers refuse to send IP packets directed to the 192.168.0.0 range to the gateway.

If you make a trace from any computer to 8.8.8.8, everything is fine; do it to 192.168.3.x and you get 3 or 4 hops before it gets lost in the ISP, but if you trace to something in the 192.168.0.x range, I don't get even a single hop, and the MK doesn't get a single packet addressed to that range.

I disabled all rules in the MK: no firewall (except the masquerade for NAT), no VPN, only one route (0.0.0.0/24 to the 172 gateway), nothing beyond the basics, only 2 networks, LAN & WAN, and I even added an explicit route on a machine (192.168.1.0/24 via 192.168.1.1), but nothing.

I'm not a great (or good (or even acceptable)) netadmin, and I'm sure I'm missing something obvious here. I would be grateful for any advice you can give me. I'm returning tomorrow to check if you can change the server address in some s**a* old soft so I can use some other range but 0.0, maybe do a packet capture; I hate working with TeamViewer.
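A trace that shows no hop at all is the behaviour of a host that thinks the destination is on-link: the stack ARPs for it locally instead of handing the packet to the default gateway, because some more specific route won longest-prefix match. The following is an added illustration, not the poster's code or configuration: it implements host-style route selection over a constructed routing table and, in a second table, adds one hypothetical on-link entry for 192.168.0.0/24 (an assumption for the demonstration; nothing in the post says such an entry exists) to show how it would swallow exactly that range while 8.8.8.8 and 192.168.3.x still go to the gateway.

```python
"""Longest-prefix-match route selection on a host (added illustration)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[str]  # None = on-link: the host ARPs for the destination itself
    iface: str


def build_table(entries) -> List[Route]:
    """entries: iterable of (prefix, gateway-or-None, interface)."""
    return [Route(ipaddress.IPv4Network(p), gw, ifc) for p, gw, ifc in entries]


def select_route(table: List[Route], dst: str) -> Optional[Route]:
    """Pick the most specific matching prefix, as every IP stack does."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def find_shadowing_routes(table: List[Route], dst: str) -> List[Route]:
    """Every route matching dst that is more specific than the default route."""
    addr = ipaddress.IPv4Address(dst)
    return [r for r in table if addr in r.prefix and r.prefix.prefixlen > 0]


def diagnose(table: List[Route], dst: str) -> str:
    """Explain what a traceroute from this host would do for dst."""
    r = select_route(table, dst)
    if r is None:
        return "unreachable: no matching route"
    if r.gateway is None:
        return (f"on-link via {r.iface} ({r.prefix}): host ARPs for {dst} itself, "
                "so the gateway never sees the packet and the trace shows no hop")
    return f"forwarded to {r.gateway} via {r.iface} ({r.prefix})"


# Constructed table matching the LAN described in the post.
HEALTHY = build_table([
    ("0.0.0.0/0", "192.168.1.1", "eth0"),
    ("192.168.1.0/24", None, "eth0"),
])

# Same table plus one hypothetical on-link entry for 192.168.0.0/24 (an assumption,
# e.g. left behind by a VPN client or a second adapter; the post does not confirm it).
SUSPECT = build_table([
    ("0.0.0.0/0", "192.168.1.1", "eth0"),
    ("192.168.1.0/24", None, "eth0"),
    ("192.168.0.0/24", None, "vpn0"),
])


if __name__ == "__main__":
    for dst in ("8.8.8.8", "192.168.3.7", "192.168.0.5"):
        print(f"{dst:14} healthy: {diagnose(HEALTHY, dst)}")
        print(f"{dst:14} suspect: {diagnose(SUSPECT, dst)}")
        print(f"{dst:14} shadowing: {[r.iface for r in find_shadowing_routes(SUSPECT, dst)]}")
```

On the real machine the equivalent check is `ip route get 192.168.0.5` on Linux or `route print` on Windows; whatever interface or entry shows up with a prefix longer than the default for that destination is the one to look at.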
Upgrade path from basic pfsense routers? (Shadow IT)
Posted: 28 Nov 2019 12:38 AM PST

Hi there, I work for an internal tools group inside a relatively huge company. For various reasons, we've been forced to deploy our own infrastructure pods at various sites to speed things up. At the moment, we use a pair of pfSense boxes as the gateway into the pod, allowing us to have a bit finer-grained access control at that network boundary. (They also allow us to conveniently NAT out certain functions as and when required, and keep other services internal to that pod.) Multiple WAN connections are common, but we don't really do any IPS or IDS, which are corporate IT's problem farther up the chain. (These are primarily management devices, not security barriers!) Now, pfSense is great and all, but it has a few major drawbacks that I'm sure folks using them may be very familiar with (although it has a killer web UI that's absolutely fantastic):

Required feature summary:

What upgrade paths, vendors, etc. have folks tried from a basic setup like this? I'm aware of and have been investigating several (will post results here too for folks to learn from):

EDIT: Adding a hearty THANK YOU to all the folks replying. Got a lot to learn, and you're helping me quite a lot. <3

EDIT2: Sounds like the Juniper SRX series (SRX1500 probably) is an option I need to add to this list.
A wireless access point and PoE switch in one?
Posted: 28 Nov 2019 03:19 PM PST

Does anyone know if such a device exists: a small PoE switch with 4-8 ports, which also incorporates a wireless access point?
Cost effective 1G BGP edge router?
Posted: 28 Nov 2019 01:01 PM PST

I need to replace an old BGP edge router that's getting a bit long in the tooth. What's currently everybody's favorite BGP edge router with 1G ports? I need full routes on this one, as the backup router only takes defaults. I'm not picky, but I'd like to avoid using Mikrotik or Ubiquiti. Refurbished or eBay is fine. Current setup:

In this particular case I really am fine without an upgrade path to 10G. 1G interfaces are more than enough and will be for the foreseeable future. Also I'm looking to contain costs by using 1G interfaces.
Breakout Cisco 93108TC-FX
Posted: 28 Nov 2019 08:47 AM PST

Hi, I am speccing a new environment for our company. All of our servers are running 10GBASE-T, with the exception of some appliances, so we have a much bigger need for copper than fibre. We have a separate SAN as well, so no need for FCoE. All these would be used for interconnecting 2 small computer rooms (don't dare to call them DCs) for their Internet traffic (hosting quite some Internet services). At each location we need a bit more than 50 ports, so these Cisco Nexus 93108TC-FX seem pretty good for our case. Each location would get 2 for redundancy of course (in vPC), meaning we need 4.

My main issue is QSFP breakout documentation. I can't find the information for these switches. I find it for a lot of them but not for these specifically; is this good or very bad news? Anyway, my idea was to cable the QSFP+ ports straight to an MPO patch panel that would break it out into 4x LC ports, or something like that (don't really know the terminology). So in this way I could connect my 10G fibre appliances (Palo Alto, NetScaler, ...) on this patch panel, keeping it clean.

The big question is of course: is it possible? It appears that the chipset used is an LS1800FX, and that the 40/100G ports are ports 49-54; can these be broken out into 10/25G? Supposing the answer is yes, can it be done per 40/100G port or does it automatically apply to multiple 40/100G ports (for example 2, 3 or 6)? Oops, almost forgot: I would like to run NX-OS, I do not want to run ACI.
Packet loss from an OpenVPN client to a VLAN it's attached to
Posted: 28 Nov 2019 07:27 AM PST

Hello, I am a bit lost with this one and would be grateful for your help!

The Setup

The network consists of HP V1910-24G switches. The whole company is still running on VLAN_ID_1 within 192.168.2.0. The server which is running the OpenVPN server on Ubuntu Server is attached to VLAN_ID_30 within 192.168.22.0. In the future, I want to create multiple VLANs with VPNs which connect to them, so consider this to be the evaluation setup.

The Server's Interfaces

The Ubuntu server is connected to port 14 on a switch, which is configured like this:

The interfaces of the server:

The OpenVPN config

The Problem

I can't ping any device in the 192.168.2.0 net besides the gateway/router (192.168.2.1) over the VPN connection. 99% of the packets get lost. Here I have a tcpdump showing a ping packet that succeeded back to the pinging device. Here is a packet which did not reach back to the VPN client. It seems like something is wrong with the VLAN tag on the packets. How can I troubleshoot this? Thank you all!
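The captures the poster refers to are not on the page, so the VLAN-tag question cannot be settled here. What a practitioner would do next is look at the raw frames rather than the decoded summary: whether a frame leaving the server carries an 802.1Q tag at all, and which VID, is a 4-byte field right after the source MAC. The block below is an added example, not the poster's code: a parser for Ethernet II frames with zero, one or two (QinQ) 802.1Q tags, a builder used only to construct the sample frames, and a check that flags frames whose tagging does not match what the port is supposed to carry. The VIDs, MACs and frames are constructed for the demonstration.

```python
"""Parse Ethernet II frames and report their 802.1Q tagging (added illustration)."""
import struct
from typing import Dict, List, Optional, Tuple

ETH_P_8021Q = 0x8100    # customer VLAN tag
ETH_P_8021AD = 0x88A8   # QinQ service (outer) tag
ETH_P_IPV4 = 0x0800
ETH_P_ARP = 0x0806


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> Dict:
    """Return dst/src MAC, VLAN IDs found (outermost first) and the payload ethertype."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    offset = 12
    vids: List[int] = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype in (ETH_P_8021Q, ETH_P_8021AD):
            if offset + 2 > len(frame):
                raise ValueError("truncated VLAN tag")
            (tci,) = struct.unpack_from("!H", frame, offset)
            offset += 2
            vids.append(tci & 0x0FFF)   # low 12 bits = VID; PCP and DEI sit above
            continue                    # a tag may be followed by another tag
        break
    return {"dst": dst, "src": src, "vids": vids, "ethertype": ethertype,
            "payload": frame[offset:]}


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Construct a frame, optionally with one 802.1Q tag (used for the samples below)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload


def tag_mismatches(frames, expected_vid: Optional[int]) -> List[Tuple[int, Optional[int]]]:
    """(index, outer VID or None) of frames whose tagging differs from the port's expectation."""
    bad = []
    for i, f in enumerate(frames):
        vids = parse_frame(f)["vids"]
        outer = vids[0] if vids else None
        if outer != expected_vid:
            bad.append((i, outer))
    return bad


# Constructed samples: a dummy IPv4 payload, server MAC and client MAC are invented.
_PAYLOAD = b"\x45\x00" + bytes(18)
SERVER, CLIENT = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
SAMPLES = [
    build_frame(CLIENT, SERVER, ETH_P_IPV4, _PAYLOAD, vid=30),   # tagged for VLAN 30
    build_frame(CLIENT, SERVER, ETH_P_IPV4, _PAYLOAD),           # untagged
    build_frame(CLIENT, SERVER, ETH_P_ARP, _PAYLOAD, vid=1),     # tagged for VLAN 1
]


if __name__ == "__main__":
    for i, f in enumerate(SAMPLES):
        p = parse_frame(f)
        print(i, p["src"], "->", p["dst"], "vids", p["vids"], hex(p["ethertype"]))
    print("frames not tagged 30:", tag_mismatches(SAMPLES, 30))
```

To feed it real traffic, read the frames out of a capture taken with `tcpdump -e -w`, which keeps the link-layer header; `tcpdump -e` on its own already prints the `vlan N` marker for tagged frames, and comparing that marker on the way out of the server with the switch port's configured tagging is the quickest way to confirm or rule out the VLAN-tag theory.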
Difference in IOS releases
Posted: 28 Nov 2019 11:29 AM PST

Hello, what the hell is the difference between:

UPD IP SRV 2 ADV IP ENCRYPT
ADVANCED IP SERVICES SSH

The bin filename is absolutely the same. In the release notes nothing is mentioned. Also my Google search did not result in anything.
After some advice regarding wifi extenders
Posted: 28 Nov 2019 03:36 PM PST

I have a friend who has asked for some advice regarding his current office setup. He shares a connection with another office (they are in their own building, and he has an office in one of their spare barns), where he gets a hard-line connection (the ethernet cables for his connection run from their router to his office, approx. 15 meters, into the barn). However, the wifi connection (the hard line is fine) from the main office where the router is located is very poor, so he would like to look into purchasing some hardware that he could connect to one of the spare ethernet ports, which would then give him decent wifi signal in the barn. He needs this as there are quite a few devices that require an internet connection, but there are only so many spare ports on his switch to connect to, hence needing the ability to connect them via wifi. Inline adapters are out as he isn't on the same circuit as the other office. Is something like this suitable? Just want to know the type of hardware I should be looking for.
Top Remote Access VPN
Posted: 28 Nov 2019 10:38 AM PST

Hello, I was looking at Cisco AnyConnect and Juniper Pulse VPN options. The issue is that they charge by user connected. I want it to have Active Directory integration and a web user portal where the users can log in. I'm expecting up to 120 users at a time being connected. It also has to provide access to only one VLAN. I was looking at the Juniper SRX 340/345 or a Firepower 1120 as a combo firewall unit. We have a budget of about $2500 for both a firewall and VPN. I don't mind looking at different firewall vendors. https://www.cdw.com/product/cisco-firepower-1120-next-generation-firewall-firewall/5617296?pfm=srh
Cloud, is it even worth it? (based on cost)
Posted: 28 Nov 2019 12:32 AM PST

What's up everyone, this post was made more with the question towards the big cloud providers. As of now, a simple math calculation for the cost of a CSR1000v with an f9 load balancer for a period of 1 year came out as expensive as buying a brand new physical (mid-size) Cisco router with an f9 load balancer. Obviously the physical appliances will last for years and eventually come out cheaper, even with the electricity bills included. Am I missing something? For a couple of servers and databases I might find it worthy (if I were to go to a cheaper and not so popular cloud provider). Something else which does look better on many points would be a private cloud that you own and manage: a virtualized environment from appliances to servers and databases, with physical switches connecting to this virtual environment.
Let’s talk event-driven automation.
Posted: 27 Nov 2019 05:58 PM PST

I think a lot of us here probably agree that network infrastructure configuration management and orchestration is relatively easy to automate, and will probably become the gold standard going forward. What interests me a lot more is event-driven automation at the network infrastructure level. I think that the most exciting prospects live there. What do you guys think about event-driven automation? What is already out there? What is possible to attain?

Here's an example from a NANOG presentation that was recently shared in another thread: https://archive.nanog.org/sites/default/files/1_Ulinic_Network_Automation_At_v1.pdf (Cloudflare's self-resilient network, starts on slide 66). They basically aggregate collection of network performance metrics with configured IP SLA probe and RPM probe results in SaltStack and automatically change configuration to either pull anycast advertisement from certain nodes, or disable peering with a transit provider, depending on things like interface load, errors, or packet loss. According to the presentation this results in 120 configuration changes a day on average, all with zero human intervention. This means that their network basically detects certain problems and attempts to correct them automatically. I find that incredibly cool. And yeah, it's probably not perfect, and it didn't seem to mitigate a large-scale outage they recently had due to BGP leaking, but how many routine incidents do you think they are able to mitigate with these measures, where users in a certain region who would experience service degradation due to loss and congestion don't even notice anything because they're suddenly routing down a different path or even hitting a completely different anycast node as soon as problems are detected?

From an enterprise perspective, I envision event-driven automation in the form of an incident being created automatically triggering a script. The incident must include the user's PC name or IP, and the destination URL they're trying to reach. The script would basically check DNS resolution, trace the end-to-end path through the enterprise network from source to dest, and vice versa, as well as dump out interface statistics along that entire path, check firewall logs based on src/dst, and even grab the MAC and port info of the user, and automatically update the incident with all of the collected info. Within seconds of the ticket being put in, the responding technician gets all the information he needs included in the ticket to quickly determine if the problem is likely something on premise, or a distant-end problem. Going a step further you could even try to automate "fixing" the problem if certain tests fail.

When trying to think of what else could be automated, think of the last network problem you fixed at work. Could you identify what you observed to determine the root cause, what the fix action was, and what the symptoms were? How methodical was your troubleshooting process? Could it have been done by a script? Or, in other words: could you translate your troubleshooting methodology into a set of scripts, essentially "teaching" your network to "think" and act like you? Maybe some of what we fix required deep dives into pcaps and conference calls with vendors, but are there a lot of other tasks that were simple quick finds based on some output we found in the CLI? "Oh, there's no return route to the host," or "oh, 50k input errors a second. Let's shut this port and try cleaning the fiber and checking the SFP."

What else do you all see developing in the future? I know Cisco is doing some interesting things in the campus arena with their SD-Access. It may not be the most popular thing out there, but the general concept is extremely cool and has enormous potential. (Basically certain configuration like VLAN, access levels, firewall rules and more can "follow" a user around the network wherever they go.)

How do you all think event-driven automation can integrate into the network to help us do our jobs better... or put us all out of a job, if that's how you see things. ;) Kidding on that last one. Happy Turkey Day everyone!
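The ticket-triggered script sketched in the post has two parts worth seeing in code: the enrichment pipeline (run checks, attach results to the incident) and the piece the post only hints at with "automate fixing", which is where a security engineer wants a guard, because a flapping counter or a spoofed event must not be able to drive unbounded configuration changes. The block below is an added example, not the poster's script and not anything from the Cloudflare deck: the incident, DNS table and interface counters are constructed inline, the 1000 errors/s threshold and the one-action-per-hour guard are arbitrary illustrative settings, and the "shutdown_port" action is only recorded, never executed.

```python
"""Event-driven incident triage with guarded auto-remediation (added illustration)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class IfaceSample:
    """Two readings of an interface's input-error counter, interval_s seconds apart."""
    name: str
    in_errors_before: int
    in_errors_after: int
    interval_s: float

    def error_rate(self) -> float:
        return (self.in_errors_after - self.in_errors_before) / self.interval_s


@dataclass
class RemediationGuard:
    """Rate-limit and allow-list automatic changes so a noisy signal cannot run away."""
    max_actions: int
    window_s: float
    allowed_actions: Tuple[str, ...] = ("shutdown_port",)
    history: List[Tuple[float, str]] = field(default_factory=list)

    def allow(self, action: str, now: float) -> bool:
        if action not in self.allowed_actions:
            return False
        self.history = [(t, a) for t, a in self.history if now - t < self.window_s]
        if len(self.history) >= self.max_actions:
            return False
        self.history.append((now, action))
        return True


def check_dns(name: str, dns_table: Dict[str, str]) -> Dict:
    """Stand-in for a resolver call; dns_table is a constructed lookup table."""
    addr = dns_table.get(name)
    return {"check": "dns", "ok": addr is not None, "detail": addr or "NXDOMAIN"}


def check_path_errors(path: List[IfaceSample], threshold_per_s: float) -> List[Dict]:
    findings = []
    for s in path:
        rate = s.error_rate()
        findings.append({"check": "errors", "iface": s.name, "ok": rate <= threshold_per_s,
                         "detail": f"{rate:.0f} input errors/s"})
    return findings


def handle_incident(incident: Dict, dns_table: Dict[str, str], path: List[IfaceSample],
                    guard: RemediationGuard, now: float,
                    threshold_per_s: float = 1000.0) -> Dict:
    """Enrich the ticket with check results; propose fixes only when the guard permits."""
    findings = [check_dns(incident["dst_host"], dns_table)]
    findings += check_path_errors(path, threshold_per_s)
    actions = []
    for f in findings:
        if f["check"] == "errors" and not f["ok"]:
            permitted = guard.allow("shutdown_port", now)
            actions.append({"action": "shutdown_port", "iface": f["iface"],
                            "status": "applied" if permitted else "blocked_by_guard"})
    return {**incident, "findings": findings, "actions": actions}


# Constructed sample data (hypothetical host names, addresses and counters).
INCIDENT = {"id": 4711, "src_host": "pc-0042", "src_ip": "10.20.30.40",
            "dst_host": "intranet.example"}
DNS = {"intranet.example": "10.1.1.10"}
PATH = [
    IfaceSample("Gi1/0/1", 10, 12, 10.0),          # 0.2 errors/s, healthy
    IfaceSample("Gi1/0/24", 0, 500_000, 10.0),     # 50k errors/s, the post's bad-SFP case
]


if __name__ == "__main__":
    guard = RemediationGuard(max_actions=1, window_s=3600)
    ticket = handle_incident(INCIDENT, DNS, PATH, guard, now=1000.0)
    for f in ticket["findings"]:
        print(f)
    print(ticket["actions"])
    print(handle_incident(INCIDENT, DNS, PATH, guard, now=1500.0)["actions"])
```

The guard is the part to keep whatever the real checks become: the second incident in the same window gets its findings attached to the ticket just the same, but the automated shutdown is reported as blocked and left for the technician.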
VACL redirect to firewall
Posted: 28 Nov 2019 07:56 AM PST

Hi, I have some VLANs with their default gateways on a firewall which is slow to process traffic. I would like to move the gateways onto a switch (SVI). For some traffic that goes between VLANs I would like the switch to forward the traffic. For example, a program that copies large datasets on a specific port from a computer in VLAN A to a computer in VLAN B. For all other inter-VLAN traffic I want the firewall to make the decision on what to allow through. Is this generally possible or is there a better design? (Without moving services between VLANs or buying a bigger firewall.) Thoughts? Cheers, zcs3
Mellanox MLAG problem?
Posted: 27 Nov 2019 09:36 PM PST

2x SN2700 connected to each other via IPL/MLAG. Latest firmware. It worked for a few weeks but then suddenly clients were not pingable anymore. Any idea what these errors mean?

[MLAG_MAC_SYNC_PEER_MANAGER.NOTICE] Failed to grow the pool size, err -12
[MLAG_MAC_SYNC_PEER_MANAGER.NOTICE] Need to mark the MACs as DENY, cnt:0 < record_num:81
Session close after SIP - BYE is received
Posted: 27 Nov 2019 10:54 PM PST

Hello, our Palo Alto FW does not close the session when the SIP BYE is received. So the session falls into the session timeout timer, and by default this is 1 hour. This results in sessions that are open for more than 3 months and sometimes get stuck. As for my understanding, a SIP BYE should be like a session end. Can someone explain to me why the FW thinks it should not terminate the session? Any ideas? I cannot understand this default behavior.
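Why the firewall behaves as it does is not answered on the page, and this example does not claim to know. What it does show is the dialog state a SIP-aware device can track from the signalling alone: INVITE opens a dialog, the 200 OK whose CSeq names INVITE establishes it, BYE marks it closing, and the 200 OK to the BYE is the point at which nothing legitimate remains to flow, so a session tied to that Call-ID could be torn down there rather than aged out. This is an added illustration, not the poster's configuration or vendor code; the four messages are constructed with hypothetical addresses, and CANCEL and re-INVITE handling are left out on purpose.

```python
"""Minimal SIP dialog tracker: INVITE opens, BYE closes (added illustration)."""
from typing import Dict, Optional, Tuple


def parse_sip(msg: str) -> Dict:
    """Split a SIP message into its start line and a lower-cased header dict."""
    head = msg.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    start = lines[0]
    if start.startswith("SIP/2.0 "):
        kind, method, status = "response", None, int(start.split()[1])
    else:
        kind, method, status = "request", start.split()[0], None
    cseq = headers.get("cseq", "")
    return {"kind": kind, "method": method, "status": status,
            "cseq_method": cseq.split()[-1] if cseq else "",
            "call_id": headers.get("call-id"), "headers": headers}


class DialogTracker:
    """Per Call-ID state: 'setting-up' -> 'established' -> 'closing' -> removed."""

    def __init__(self) -> None:
        self.dialogs: Dict[str, str] = {}

    def feed(self, raw: str) -> Optional[Tuple[str, str]]:
        m = parse_sip(raw)
        cid = m["call_id"]
        if cid is None:
            return None
        if m["kind"] == "request" and m["method"] == "INVITE":
            self.dialogs.setdefault(cid, "setting-up")
        elif m["kind"] == "response" and m["cseq_method"] == "INVITE" and m["status"] == 200:
            if cid in self.dialogs:
                self.dialogs[cid] = "established"
        elif m["kind"] == "request" and m["method"] == "BYE":
            if cid in self.dialogs:
                self.dialogs[cid] = "closing"
        elif m["kind"] == "response" and m["cseq_method"] == "BYE" and m["status"] == 200:
            # Dialog torn down: a firewall session keyed on this call can go now,
            # instead of waiting for an idle timeout.
            self.dialogs.pop(cid, None)
            return (cid, "closed")
        return (cid, self.dialogs.get(cid, "none"))


def _msg(start: str, cseq: str, call_id: str) -> str:
    return "\r\n".join([start, "Via: SIP/2.0/UDP 10.0.0.5:5060", f"Call-ID: {call_id}",
                        f"CSeq: {cseq}", "Content-Length: 0"]) + "\r\n\r\n"


# Constructed exchange between a hypothetical caller (10.0.0.5) and callee.
CALL_ID = "abc123@10.0.0.5"
INVITE = _msg("INVITE sip:bob@example.net SIP/2.0", "1 INVITE", CALL_ID)
OK_INVITE = _msg("SIP/2.0 200 OK", "1 INVITE", CALL_ID)
BYE = _msg("BYE sip:bob@example.net SIP/2.0", "2 BYE", CALL_ID)
OK_BYE = _msg("SIP/2.0 200 OK", "2 BYE", CALL_ID)


if __name__ == "__main__":
    tracker = DialogTracker()
    for raw in (INVITE, OK_INVITE, BYE, OK_BYE):
        print(tracker.feed(raw))
```

In a real deployment the state machine must also survive a lost 200 OK to the BYE, which is why implementations typically start a short timer at the BYE itself rather than relying on the acknowledgement alone.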
Cisco WLC new SSID unable to access the internet
Posted: 28 Nov 2019 03:14 AM PST

Hi, I have set up a new SSID, but it seems like I'm not able to access the Internet or even its gateway. We are using just local and not FlexConnect.

Question:

Checked that there is no ACL added on the security tab of the WLC. Is there anything I'm missing?

Note: from the gateway, which is the switch, I'm able to ping the WLC new SSID interface, which is 10.184.58.5. Thanks
How many WAPs can you put on a single channel using arbitration before you start having issues?
Posted: 27 Nov 2019 05:53 PM PST

And what do those issues look like? I'm a computer enthusiast currently studying for an information security certification in the hopes of turning my hobby into a career. Along the way, I do what I can to familiarize myself with any concept I can, and I'm currently doing some reading on networks. I've recently learned about 802.11's channel arbitration and I understand how it works, but I'm wondering what its limits are. My questions are:

1) Is there a defined limit to how many WAPs can be on a single channel using arbitration, or is it dependent on other factors?
2) If you do use too many on a single channel, what kind of problems do you run into? Would it just result in a simple disconnection?
3) And although unrelated to the main question, are there any known exploitation concerns with channel arbitration, like causing the coordination between the WAPs to falter and interfere with one another?

Thank you for your help.
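The "issues" in the first two questions are not a hard cutoff but a curve: with more contenders on one channel, the random-backoff arbitration produces more collisions and less useful airtime, degrading gradually rather than disconnecting anyone. The block below is an added illustration, not something from the thread: it models saturated stations (APs or clients, the arbitration treats them alike) each drawing a backoff slot from a fixed contention window and asks how often two of them draw the same smallest slot, which is a collision. The window of 16 slots matches 802.11's minimum CW of 15 for the usual PHYs; the fixed-window, always-saturated model is a deliberate simplification and ignores the window doubling after a collision, carrier sense, and hidden nodes, so treat the numbers as the shape of the curve, not a capacity figure.

```python
"""Contention on one 802.11 channel: collision odds vs number of contenders (added)."""
import random
from typing import Dict


def analytic_collision_probability(n: int, cw: int = 16) -> float:
    """P(at least two of n saturated stations pick the same smallest backoff slot).

    Each station draws a backoff uniformly from 0..cw-1; the smallest wins the
    medium, a tie among the smallest is a collision. Exact sum over the winning slot.
    """
    if n < 2:
        return 0.0
    no_collision = 0.0
    for k in range(cw):
        # exactly one station draws k and all n-1 others draw something larger
        no_collision += n * (1 / cw) * ((cw - 1 - k) / cw) ** (n - 1)
    return 1.0 - no_collision


def simulate_collision_probability(n: int, cw: int = 16, trials: int = 4000,
                                   seed: int = 1) -> float:
    """Monte Carlo version of the same model, seeded so results are reproducible."""
    rng = random.Random(seed)
    collisions = 0
    for _ in range(trials):
        draws = [rng.randrange(cw) for _ in range(n)]
        if draws.count(min(draws)) > 1:
            collisions += 1
    return collisions / trials


def contention_table(max_n: int = 20, cw: int = 16) -> Dict[int, float]:
    """Collision probability for 2..max_n stations sharing one channel."""
    return {n: analytic_collision_probability(n, cw) for n in range(2, max_n + 1)}


if __name__ == "__main__":
    for n, p in contention_table().items():
        print(f"{n:2d} contenders: {p:5.1%} of contention rounds collide")
    print("simulated, n=2:", simulate_collision_probability(2))
```

Two contenders collide in about one round in sixteen; by twenty contenders roughly half of all contention rounds end in a collision and a retransmission, which is what "having issues" looks like from the client side: rising latency and jitter and falling throughput long before anything disconnects.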
Cisco Anyconnect integration with Aruba Clearpass
Posted: 28 Nov 2019 02:31 AM PST

Since I haven't managed to find much info online, does anyone have experience with using Aruba ClearPass as the RADIUS server for the Cisco AnyConnect client? Is it even supported? We have tried AnyConnect with ISE, which works obviously, but I would be interested in testing Aruba ClearPass. Thanks
DHCP Issues - Dell 4148 OS10 Smart Fabric
Posted: 27 Nov 2019 07:10 PM PST

New to Dell switches. I guess the model probably doesn't matter as much as it running OS10. I have set up ports 50 and 51 to be VLAN 13. The VLAN happens to be for iDRAC and other mgmt tasks. I tried setting up DHCP on the switch, and I have tried setting them up as DHCP helper. Neither one worked.

Attempt 1: DHCP straight from the Smart Fabric docs. Made sure to run no disable. So I presume it would hand off DHCP addresses to our iDRACs plugged into the switch. The iDRACs are set to DHCP. No luck. Seemed pretty straightforward.

Since that didn't work I tried using DHCP relay back to our Windows DHCP server. On ports 50 and 51 I have an R640 plugged into the iDRAC ports; I ran ip-helper ipaddr_of_our_server. I don't think there is anything else to do other than that. They are set to access ports and have VLAN 13 configured.

I don't currently have access to the switches to grab the configs, but these are pretty vanilla. When logged into the switch I can ping the server at the office, so pretty sure nothing is blocking. I am sure I missed something simple.
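Whether the relay is the problem here cannot be decided without the configs the poster does not have at hand. What can be shown is what a relayed DISCOVER looks like to the server and why the server's scope layout matters: the relay copies the SVI address into giaddr and bumps hops, and the server picks a scope by giaddr, not by the client's MAC or the interface the request arrives on. The following is an added example, not Dell or Windows code: it builds a DISCOVER the way a client would send it, parses it back, and reports which constructed scope the server would answer from. The SVI address 10.0.13.1, the scopes and the MAC are invented for the demonstration; the poster's actual addressing is not on the page.

```python
"""Build/parse DHCP messages and check what a relayed DISCOVER tells the server (added)."""
import ipaddress
import struct
from typing import Dict, List

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 53, 82, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_discover(xid: int, mac: str, giaddr: str = "0.0.0.0", hops: int = 0) -> bytes:
    """A DHCPDISCOVER as seen on the wire; giaddr/hops are set by a relay, not the client."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, hops, xid, 0, 0x8000,     # op=BOOTREQUEST, broadcast flag
                        b"\x00" * 4, b"\x00" * 4, b"\x00" * 4,   # ciaddr, yiaddr, siaddr
                        ipaddress.IPv4Address(giaddr).packed,
                        chaddr, b"\x00" * 64, b"\x00" * 128)
    options = bytes([OPT_MSG_TYPE, 1, 1, OPT_END])           # option 53 = DISCOVER
    return fixed + MAGIC_COOKIE + options


def parse_dhcp(packet: bytes) -> Dict:
    """Decode the fixed header and the option list of a DHCP message."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, hops, xid, _secs, flags = struct.unpack_from("!BBBBIHH", packet, 0)
    ciaddr, yiaddr, siaddr, giaddr = (str(ipaddress.IPv4Address(packet[o:o + 4]))
                                      for o in (12, 16, 20, 24))
    chaddr = ":".join(f"{b:02x}" for b in packet[28:28 + hlen])
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        tag = packet[i]
        if tag == OPT_END:
            break
        if tag == 0:            # pad
            i += 1
            continue
        length = packet[i + 1]
        options[tag] = packet[i + 2:i + 2 + length]
        i += 2 + length
    mtype = MSG_TYPES.get(options[OPT_MSG_TYPE][0]) if OPT_MSG_TYPE in options else None
    return {"op": op, "hops": hops, "xid": xid, "ciaddr": ciaddr, "yiaddr": yiaddr,
            "siaddr": siaddr, "giaddr": giaddr, "chaddr": chaddr,
            "broadcast": bool(flags & 0x8000), "type": mtype, "options": options}


def relay_check(msg: Dict, scopes: List[str]) -> Dict:
    """Which server scope a relayed request would be answered from, and why not otherwise.

    A DHCP server chooses the scope that contains giaddr (RFC 2131); a request with
    giaddr 0.0.0.0 is only served from the scope of the subnet the server itself is on.
    """
    g = ipaddress.IPv4Address(msg["giaddr"])
    if g == ipaddress.IPv4Address("0.0.0.0"):
        return {"relayed": False, "scope": None,
                "reason": "giaddr unset: no relay touched this packet"}
    for s in scopes:
        if g in ipaddress.IPv4Network(s):
            return {"relayed": True, "scope": s, "reason": "giaddr inside scope"}
    return {"relayed": True, "scope": None,
            "reason": f"no scope contains giaddr {g}; the server will not answer"}


# Constructed sample: hypothetical VLAN 13 SVI 10.0.13.1 and server scopes.
SCOPES = ["10.0.13.0/24", "10.0.1.0/24"]
RELAYED = build_discover(0x1234, "00:11:22:33:44:55", giaddr="10.0.13.1", hops=1)
DIRECT = build_discover(0x1235, "00:11:22:33:44:55")

if __name__ == "__main__":
    for pkt in (RELAYED, DIRECT):
        m = parse_dhcp(pkt)
        print(m["type"], "from", m["chaddr"], "giaddr", m["giaddr"], "hops", m["hops"])
        print("  ", relay_check(m, SCOPES))
```

Capturing on the server side and feeding the UDP payload to `parse_dhcp` answers the two questions that matter for the relay attempt: does the request arrive at all, and does its giaddr fall inside a scope the server has; if giaddr is 0.0.0.0 the relay never saw the packet, and if it is set but matches no scope the server silently drops it.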
Need help migrating an old Firebox SOHO 6 to a new account.
Posted: 27 Nov 2019 09:47 PM PST

I have an old Firebox SOHO 6 that was happily running for years under the old administration account. However, I recently replaced all the units with newer models, but I would still like to use this on its own network (isolated from the main network, as a failsafe more than anything). The problem is, I would like to be able to upgrade the firmware to a newer version; however, the machine's serial number is tied to the old administration account. Is there any way that I can migrate that to my account? The employee that managed it before is long gone. Thanks everyone; this is my first post here so I don't know what to expect!
You are subscribed to email updates from Enterprise Networking news, blogs and discussion.