
    Thursday, December 19, 2019

    Blogpost Friday! Networking



    Blogpost Friday!

    Posted: 19 Dec 2019 04:04 PM PST

    It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

    Feel free to submit your blog post, as well as a nice description, to this thread.

    submitted by /u/AutoModerator

    Field Notice: FN - 70489 from Cisco. PKI Self-Signed Certificate Expiration

    Posted: 19 Dec 2019 02:40 AM PST

    Self-signed X.509 PKI certificates (SSC) that were generated on devices that run affected Cisco IOS® or Cisco IOS XE software releases expire on 2020-01-01 00:00:00 UTC. New self-signed certificates cannot be created on affected devices after 2020-01-01 00:00:00 UTC. Any service that relies on these self-signed certificates to establish or terminate a secure connection might not work after the certificate expires.

    This issue affects only self-signed certificates that were generated by the Cisco IOS or Cisco IOS XE device and applied to a service on the device. Certificates that were generated by a Certificate Authority (CA), which includes those certificates generated by the Cisco IOS CA feature, are not impacted by this issue.

    https://www.cisco.com/c/en/us/support/docs/field-notices/704/fn70489.html

    https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/215118-ios-self-signed-certificate-expiration-o.html

    submitted by /u/Equusmotive

    Redundant DHCP setup with multiple routers?

    Posted: 19 Dec 2019 04:28 PM PST

    Let's say I have a minimal setup, 2 routers running VRRP for the default gateway, and I want to run DHCP on the routers (Cisco).

    What methods are there to make the DHCP server on the router redundant?

    I was thinking of configuring both routers to hand out DHCP addresses, configure router 1 to hand out IPs from .5-.127 and router 2 to hand out IPs from .128-.254. This way they'd never hand out duplicates.

    Is this kind of setup typical?

    submitted by /u/JamMan23
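
    The split described in the post above (.5-.127 on one router, .128-.254 on the other), as an added example that is not part of the original post: it checks that the lease ranges do not overlap and emits the `ip dhcp excluded-address` lines each router needs. The 192.168.10.0/24 subnet, the .1 VRRP gateway address and the pool name `LAN` are constructed values.

```python
import ipaddress


def excluded_ranges(network, first, last):
    """Return the (low, high) spans inside `network` that a server must
    exclude so that it only leases addresses first..last."""
    net = ipaddress.ip_network(network)
    first = ipaddress.ip_address(first)
    last = ipaddress.ip_address(last)
    lo = net.network_address + 1      # first usable host address
    hi = net.broadcast_address - 1    # last usable host address
    if not lo <= first <= last <= hi:
        raise ValueError(f"{first}-{last} is not a valid range in {net}")
    spans = []
    if first > lo:
        spans.append((lo, first - 1))
    if last < hi:
        spans.append((last + 1, hi))
    return spans


def split_scope(network, gateway, pools, pool_name="LAN"):
    """pools maps a router name to its (first, last) lease range.
    Returns {router: [IOS config lines]}; raises if ranges collide."""
    net = ipaddress.ip_network(network)
    ordered = sorted(
        (ipaddress.ip_address(f), ipaddress.ip_address(l), name)
        for name, (f, l) in pools.items()
    )
    # Two independent DHCP servers share no lease state, so any overlap
    # between their ranges can produce duplicate addresses.
    for (_, prev_last, prev), (next_first, _, nxt) in zip(ordered, ordered[1:]):
        if next_first <= prev_last:
            raise ValueError(f"{prev} and {nxt} lease ranges overlap")
    gw = ipaddress.ip_address(gateway)
    if any(f <= gw <= l for f, l, _ in ordered):
        raise ValueError("gateway address falls inside a lease range")

    configs = {}
    for name, (first, last) in pools.items():
        lines = []
        for low, high in excluded_ranges(network, first, last):
            if low == high:
                lines.append(f"ip dhcp excluded-address {low}")
            else:
                lines.append(f"ip dhcp excluded-address {low} {high}")
        lines += [
            f"ip dhcp pool {pool_name}",              # hypothetical pool name
            f" network {net.network_address} {net.netmask}",
            f" default-router {gateway}",             # VRRP virtual IP (assumed)
        ]
        configs[name] = lines
    return configs


if __name__ == "__main__":
    # Constructed sample values; only the .5-.127 / .128-.254 split is from the post.
    result = split_scope(
        "192.168.10.0/24",
        "192.168.10.1",
        {
            "router1": ("192.168.10.5", "192.168.10.127"),
            "router2": ("192.168.10.128", "192.168.10.254"),
        },
    )
    for router, lines in result.items():
        print(f"! {router}")
        print("\n".join(lines))
```

    Each router leases only from its own range, so while one router is down its half of the addresses cannot be handed out.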

    POE Injector + 10 Gbps Switch

    Posted: 19 Dec 2019 09:35 AM PST

    Hi,

    I have an odd use case in which a team needs local 10 Gbps switching with POE. I see very few 10 Gbps switches that do it, but maybe I'm just not looking in the right places.

    I have a simple question about POE injectors: can you plug one into a 10 Gbps (obviously copper) switch port and expect it to work as it would in the more typical use case with a slower copper port? I understand that doing this will necessarily slow down the port to whatever speed the injector is rated for.

    Thanks!

    submitted by /u/johnpaulpagano

    Cisco Nexus vs Aruba for top of Rack

    Posted: 19 Dec 2019 09:45 AM PST

    Looking for some opinions and real world experience here.

    We're looking to implement top of rack 24 or 48 port 10gb SFP+ switches for a new Server Rack. Workloads are VMware servers + iSCSI storage + a few misc servers.

    Switches will be supported by a separate 1gb/s ethernet switch stack for 1gb ports with 10gb/s SFP+ uplinks.

    We're being quoted both Cisco and Aruba switches for this but aside from the differences in support (HP lifetime vs Cisco Smartnet) what is your real world experience like comparing these switches?

    Aruba 8320 + 6300M series

    Nexus 3524P-XL / 3548P-XL

    submitted by /u/DarkAlman

    Secure NTP on a Catalyst Switch

    Posted: 19 Dec 2019 09:01 AM PST

    I need to configure NTP on a Catalyst switch so that it syncs its own time with a given NTP server but blocks all other NTP traffic. I think that can be done with NTP access-groups but I'm not sure if I get the commands right.

    Would this work?

        ntp access-group peer <ACL that permits the NTP Server IP>
        ntp access-group serve-only <ACL with deny any any>

    Edit: Gave this some more thought. Limiting NTP access is obviously for security reasons. Then again the switches are in a management vlan anyway. So the most likely malicious thing in that vlan would be a compromised admin workstation and then we probably have other things to worry about than NTP vulnerabilities.

    submitted by /u/NazgulNr5

    Looking for help... VLAN speed?

    Posted: 19 Dec 2019 03:50 PM PST

    Hey r/networking,

    I'm a lone sys admin at my office and that also encompasses our networking equipment. I've run into a bit of an issue that I've been digging through documentation to attempt to figure out but am coming up dry.

    We've got a pair of Netgear M7100-24X switches that are being used to move data between two clusters of servers and two SANs. These are currently serving as stand-in units while we wait on new switches to be ordered, but in the meantime I've noticed something weird. All of the ports are showing at 1000 Full Duplex, but the VLAN they're a member of is showing up at 10 Half Duplex. As a result of this, data transfer is painfully slow, and it's something that I need to get resolved fairly quickly. Here's the status from the switches:

        (M7100-24X) #show interfaces status all

                                               Link   Physical   Physical   Media              Flow Control
        Port      Name                         State  Mode       Status     Type               Status
        --------- ---------------------------- ------ ---------- ---------- ------------------ ------------
        0/1                                    Up     Auto       1000 Full  Copper             Inactive
        0/2                                    Up     Auto       1000 Full  Copper             Inactive
        0/3                                    Up     Auto       1000 Full  Copper             Inactive
        0/4                                    Up     Auto       1000 Full  Copper             Inactive
        0/5                                    Up     Auto       1000 Full  Copper             Inactive
        0/6                                    Up     Auto       1000 Full  Copper             Inactive
        0/7                                    Up     Auto       1000 Full  Copper             Inactive
        0/8                                    Up     Auto       1000 Full  Copper             Inactive
        0/9                                    Up     Auto       1000 Full  Copper             Inactive
        0/10                                   Up     Auto       1000 Full  Copper             Inactive
        0/11                                   Up     Auto       1000 Full  Copper             Inactive
        0/12                                   Up     Auto       1000 Full  Copper             Inactive
        0/13                                   Down   Auto                                     Inactive
        0/14                                   Down   Auto                                     Inactive
        0/15                                   Down   Auto                                     Inactive
        0/16                                   Down   Auto                                     Inactive
        0/17                                   Up     Auto       10G Full   Copper             Inactive
        0/18                                   Up     Auto       10G Full   Copper             Inactive
        0/19                                   Up     Auto       10G Full   Copper             Inactive
        0/20                                   Up     Auto       10G Full   Copper             Inactive
        0/21                                   Up     10G Full   10G Full   DAC                Inactive
        0/22                                   Up     10G Full   10G Full   DAC                Inactive
        0/23                                   Up     10G Full   10G Full   DAC                Inactive
        0/24                                   Up     10G Full   10G Full   DAC                Inactive
        lag 1                                  Up
        lag 2                                  Down
        lag 3                                  Down
        lag 4                                  Down
        lag 5                                  Down
        lag 6                                  Down
        lag 7                                  Down
        lag 8                                  Down
        lag 9                                  Down
        lag 10                                 Down
        lag 11                                 Down
        lag 12                                 Down
        lag 13                                 Down
        lag 14                                 Down
        lag 15                                 Down
        lag 16                                 Down
        lag 17                                 Down
        lag 18                                 Down
        lag 19                                 Down
        lag 20                                 Down
        lag 21                                 Down
        lag 22                                 Down
        lag 23                                 Down
        lag 24                                 Down
        vlan 1                                 Up     10 Half    10 Half    Unknown

        (M7100-24X) #

    ...and the second switch is identical:

        (M7100-24X) #show interfaces status all

                                               Link   Physical   Physical   Media              Flow Control
        Port      Name                         State  Mode       Status     Type               Status
        --------- ---------------------------- ------ ---------- ---------- ------------------ ------------
        0/1                                    Up     Auto       1000 Full  Copper             Inactive
        0/2                                    Up     Auto       1000 Full  Copper             Inactive
        0/3                                    Up     Auto       1000 Full  Copper             Inactive
        0/4                                    Up     Auto       1000 Full  Copper             Inactive
        0/5                                    Up     Auto       1000 Full  Copper             Inactive
        0/6                                    Up     Auto       1000 Full  Copper             Inactive
        0/7                                    Up     Auto       1000 Full  Copper             Inactive
        0/8                                    Up     Auto       1000 Full  Copper             Inactive
        0/9                                    Up     Auto       1000 Full  Copper             Inactive
        0/10                                   Up     Auto       1000 Full  Copper             Inactive
        0/11                                   Up     Auto       1000 Full  Copper             Inactive
        0/12                                   Up     Auto       1000 Full  Copper             Inactive
        0/13                                   Down   Auto                                     Inactive
        0/14                                   Down   Auto                                     Inactive
        0/15                                   Down   Auto                                     Inactive
        0/16                                   Down   Auto                                     Inactive
        0/17                                   Up     Auto       10G Full   Copper             Inactive
        0/18                                   Up     Auto       10G Full   Copper             Inactive
        0/19                                   Up     Auto       10G Full   Copper             Inactive
        0/20                                   Up     Auto       10G Full   Copper             Inactive
        0/21                                   Up     10G Full   10G Full   DAC                Inactive
        0/22                                   Up     10G Full   10G Full   DAC                Inactive
        0/23                                   Up     10G Full   10G Full   DAC                Inactive
        0/24                                   Up     10G Full   10G Full   DAC                Inactive
        lag 1                                  Up
        lag 2                                  Down
        lag 3                                  Down
        lag 4                                  Down
        lag 5                                  Down
        lag 6                                  Down
        lag 7                                  Down
        lag 8                                  Down
        lag 9                                  Down
        lag 10                                 Down
        lag 11                                 Down
        lag 12                                 Down
        lag 13                                 Down
        lag 14                                 Down
        lag 15                                 Down
        lag 16                                 Down
        lag 17                                 Down
        lag 18                                 Down
        lag 19                                 Down
        lag 20                                 Down
        lag 21                                 Down
        lag 22                                 Down
        lag 23                                 Down
        lag 24                                 Down
        vlan 1                                 Up     10 Half    10 Half    Unknown

        (M7100-24X) #

    I've been digging through the 600+ page Netgear CLI manual, and see that setting interface speed is a very straightforward process, but the way to set the interface speed for your normal interfaces isn't an option when you go into interface vlan 1.

    Apologies if this is a very straightforward answer that I'm just missing (I think I see a networking home lab in my immediate future), but can anyone offer some insight into this for me? Thank you!

    submitted by /u/toxicdover

    Switch for 3 people and 12 servers

    Posted: 19 Dec 2019 11:12 AM PST

    The job is in the market for a new switch, and I was wondering if anyone had any recommendations for a SMB. It doesn't need to be anything super fancy, this would replace a 16 port Netgear, but it does need to provide metrics to see what's happening with it.

    It's a small company, and the three employees and the twelve servers will be sharing the switch. Not the most ideal setup, but it will work until I get a bigger budget. I'm the systems engineer in the office, by the way, and while I'm very comfortable with Linux and Unix-like OSs, I haven't worked with networking equipment full time in a while.

    Needed specs:

    • 24+ 1G+ ports
    • SNMP or some way to monitor it and collect metrics.

    Nice to have but not particularly important specs:

    • LACP
    • Port Mirroring
    • VLANs
    • Jumbo frames
    • 10G+ uplinks
    • Ansible integration

    Not needed specs:

    • L3 routing
    • Stacking
    • SFP ports

    Budget: <$1K (US), preferably

    Candidates:

    • Juniper EX2300-24T
    • Dell Networking X1026
    • Dell Networking X1052
    • FS.com S3900-24T4S
    • FS.com S3900-48T4S
    • TRENDnet TEG-30284
    • TRENDnet TL2-G244

    Also, it does need to be new, and I don't need a support contract. I love refurb equipment too, but not right now.

    submitted by /u/flatland_spider

    Guidelines for subnet/VLAN sizing

    Posted: 19 Dec 2019 03:31 PM PST

    Anyone have input on best practices for subnet/VLAN sizing in a campus environment? I am particularly interested in how big is too big. I have found a few opinions saying don't go larger than /23.

    submitted by /u/div_username_div

    Secondary IP on Vlan - Gateway question

    Posted: 19 Dec 2019 02:33 PM PST

    I have an HP 5400 Aruba switch. We brought up a secondary subnet under Vlan x as temp migration to move PCs to a separate VLAN from other stuff. This helped some gateway IP issues and will allow a vlan creation and swapping over mass ports for a cut over for all workstation ports. However, I don't fully understand what is the default gateway for .11 (primary) network with a secondary Vlan in the mix.

    *192.168.1.22 is our MX FW, there is a static route to the .11 network on that MX, or remote sites wouldn't hit the .11. The rest of the vlans and IPs are setup on the Meraki VLAN settings page, aka no static routes.

        IP Route Entries

        Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
        ------------------ --------------- ---- --------- ---------- ---------- -----
        0.0.0.0/0          192.168.1.22    X    static               1          1
        <REMOVED>
        192.168.1.0/24     <VLANNAME>      X    connected            1          0
        192.168.11.0/24    <VLANNAME>      X    connected            1          0
        <removed>

        vlan X
           name "<VLANNAME>"
           no untagged A11
           untagged
           ip address 192.168.1.8 255.255.255.0
           ip address 192.168.11.8 255.255.255.0
           ip helper-address 192.168.1.x
           exit

    The 11.x network was added first (primary), the 1.x network was added second. I actually reversed the order so .11 would register when hitting the DHCP server; it didn't work if .11 was the second subnet added.

    Which gateway is 11.8 using, does it use 11.8 if from the 11.x subnet, or does it use 1.x for both?

    This all started when I noticed my FW filtering UDP packets from the .11 network to the .1. I'm closer to finding out why..., but I just realized I don't know the exact path it is traveling using this secondary Vlan.

    TL;DR - With the configs above, which gateway is 1.x and the 11.x using, or what is <VLANNAME> gateway IP address used?

    submitted by /u/Hollow3ddd

    Access local server from cloud IP over VPN

    Posted: 19 Dec 2019 02:13 PM PST

    Hi, fairly new at this - pictures say 1000 words ->

    webserver(192.168.0.5)->router(192.168.0.1)->softetherVPN(77.88.99.11)

    localPC(192.168.0.9/10.0.0.22)->softetherVPN(77.88.99.11/10.0.0.1)

    10.x would be the VPN DHCP

    77.x is the public IP of the cloud hosted softetherVPN instance

    The webserver cannot be a VPN client, nor can it be hosted on the cloud.

    I need to be able to access the webserver from any device at the public IP of 77.x

    I'm not making much progress with this, any help would be appreciated. Everything I've found so far involves a client on the remote machine, but that's going to work.

    Thanks in advance !

    submitted by /u/lolcorndog

    CheckPoint Firewalls: VPN Rules and VPN Compatability

    Posted: 19 Dec 2019 07:05 AM PST

    I'm a Network Admin for a company that invested in CheckPoint firewalls a few years ago. We have a couple of issues I was wondering if anyone else had experience with. (1) Is there an easy way to apply firewall rules to VPNs? (2) Has anyone else had site-to-site VPN issues between CheckPoint and SonicWall manufacturers?

    Regarding issue (1), with our old (and missed) Cisco ASA the concepts of a site-to-site VPN and firewall rules were decoupled. If you wanted to create a firewall rule you would simply say something like src:10.1.1.1 dst:10.2.2.2 service:tcp/22 allow. If that traffic happened to be coming over a VPN, or from DMZ > Inside zone, it didn't really matter. I spoke with a tech support agent at CheckPoint about this and they told me to achieve the same level of granularity I'd basically have to create a new VPN rule for each traffic flow. I'm curious if anyone with CheckPoint firewall experience can speak to this; maybe there's an alternative?

    As far as issue (2), we have around 15 site-to-site VPNs, and we constantly had issues with two of our VPNs that happened to be terminating to SonicWall devices. After a few months of troubleshooting and not finding much, we ended up moving the VPNs to our older Cisco ASAs and the issues immediately stopped. When the issue would occur, the remote end would be unable to initiate traffic to bring the tunnel up. I would have to log into a server and send a PING or other type of traffic to bring the tunnel up, and then bidirectional traffic would flow just fine from anywhere between 4hrs to a few days. I'm mainly curious if anyone else experienced this issue and, if so, if you ever found a solution.

    submitted by /u/mhendr23

    Unmanaged remote site needs access to internal network: ASA and Cisco routing experts - help?

    Posted: 19 Dec 2019 03:08 PM PST

    Have an interesting problem at work, hoping the Reddit hive mind can help me.

    The issue: We have a remote site where we don't control the network, but need to put out a device (time clock) that has access to our internal network. We own the site but they use a MSP for their IT (long story), and the only managed device the MSP has is a Cisco 5506 ASA.

    The pathway: Time clock -> flat, unmanaged network -> 5506 ASA managed by MSP -> our MetroE connection -> our Nexus 9K core -> Our 5525x ASA -> fiber to another site -> Checkpoint firewall -> internal network we need the time clock to reach. Once it hits the 5525x ASA we can handle it easily, getting to the 5525x on the right context is the issue.

    Further complicating factors:
    -The remote site's internal network exists in the same RFC1918 IP space as one of our VoIP networks.
    -They are already using our MetroE connection and have an interface on our ASA for all their internet traffic, but are blocked from our internal networks.
    -Our senior firewall engineer just left, the one that is left isn't very familiar with Cisco's ASAs. This is the only site we have with one.
    -They need the time clock operational by tomorrow -______-

    To avoid IP conflicts, our plan was to create a new interface on their 5506 ASA, plug the time clock into that, make a static route pointing to our 9K core (or ASA) and then route from our ASA into the proper internal network. So my questions are:

    -Can you have an ASA interface act as an access port for an end device? I've tried Googling for this and I think it's possible, just want to make sure. We are trying to avoid throwing in a managed switch unless that is necessary.
    -Is that a reasonable solution? We had a long call today with nothing getting accomplished, arguments over sub interfaces and routes, it's turned into a mess.

    Any input is appreciated!

    submitted by /u/lawls69

    [Juniper] Issue advertising a prefix based on community

    Posted: 19 Dec 2019 02:39 PM PST

    Trying to figure out what I'm doing wrong here. Using an MX240.

    I am trying to advertise a set of prefixes to a neighbor router, one set is from a prefix list, the other based on BGP community. My policy-statement is essentially:

        term 1 {
            from {
                prefix-list XXX;
            }
            then accept;
        }
        term 2 {
            from {
                community origin-customer;
            }
            then accept;
        }
        term 3 {
            then reject;
        }

    I can see the routes from my prefix list being advertised, however the router is not advertising the routes that contain the community mentioned above (nothing in my prefix list contains this community, FWIW). I can see the routes that contain the origin-customer community by using show route community XXXXX:90.

    As an aside, is it prudent to specify from protocol bgp when setting up policies? The policy is applied directly to a BGP peer, so I think it's already assumed.

    Cheers.

    submitted by /u/mistathugisolation

    Could Unifi USG-Pro replace SonicWall in a small office environment?

    Posted: 19 Dec 2019 01:17 PM PST

    Help with a Vlan setup?

    Posted: 19 Dec 2019 12:26 PM PST

    Hello, I am trying to get a vlan setup and am fairly inexperienced with this. I know very basic commands but this is really my first actual time getting to do real hands-on networking.

    Boss asked me to get a couple of Forti-APs setup for 2 of our sites. He gave me some commands and cut me loose.. trial by fire I guess.

    So basically what I have is router, switch and a wireless AP.

    Wireless AP is plugged into port gi0/21 of the switch.

    Switch is plugged into port on router.

    I want to make a vlan for wireless.

    Let's say VLAN 11.

    Am I correct in guessing that the vlan should be made on the switch? So I made Vlan 11, when I do a show running config, vlan 11 is as follows:

        interface Vlan 11
         ip address 10.11.20.251
         ip helper-address 10.0.14.81

    And interface gi0/21 shows:

        switchport access vlan 11
        switchport mode access
        switchport voice vlan 120
        srr-queue bandwidth share 10 10 60 20
        queue-set 2
        priority-queue out
        mls qos trust cos
        auto qos voip trust
        no cdp enable
        no cdp tlv server-location
        no cdp tlv app
        spanning-tree portfast
        spanning-tree bpduguard enable

    For the router, I was told to do the following:

        interface gigabitethernet 0/0.11
         encapsulation dot1q 11
         ip address 10.11.20.1 255.255.255.0
         ip helper-address 10.0.14.81

    So my issue is that the Forti-AP doesn't get an IP?

    Before messing with vlans, I plugged up the Forti-AP and it got an IP on it that was a 10.0.20.215, but since they want it to be a 10.11.x.x network, they had me do the above but now the AP isn't getting an IP??

    Any ideas on what I should be looking for? My boss doesn't know too much networking so he hasn't given me any more insight and it isn't urgent so he basically just said to figure it out, but I honestly don't know enough to really see where the issue is.

    I won't be working on it until next week again but I'd like to see what I can try when the time comes.

    Any input is appreciated!

    submitted by /u/s2k_08

    DMZ and Firewall Practice

    Posted: 19 Dec 2019 04:44 AM PST

    Hi All,

    I am currently working on a project where I would like to have a public web server in my DMZ Zone and the LAN obviously secured.

    My question is what will be the best practice, since I never worked with Firewalls: shall I put the firewall before the L3 router or after?

    submitted by /u/ireg_god

    SNMP.... Replaced??

    Posted: 19 Dec 2019 09:05 AM PST

    So I've been looking to expand my skills in Python and PowerShell by playing around with SNMP. Turns out SNMP is being depreciated and the only lead on the replacement is Network Telemetry? But my Google research on it is a hit and miss. Does anyone know what SNMP's future is for all networking devices? Or what I should be looking at to pull network information via scripting?

    submitted by /u/nicholascox2

    Setting up multiple servers on the same host name

    Posted: 19 Dec 2019 06:34 AM PST

    Hello! I'm the "IT Guy" for my employer and I'm struggling to set a couple things up. We're currently hosting 2 servers at our office, and they both need to be publicly accessible. We only have 1 static IP from our ISP, and the servers are both behind a Unifi Security Gateway.

    How would I go about setting up the ability to use two hostnames, to each point at one device?

    Currently we have server.xxxx.com pointing to our IP address, and if I configure the DNS records for server2.xxxx.com it still goes to the same device.

    Do I need an internal DNS server to point incoming traffic to the correct IP? I cannot get a second static IP from our ISP at this time.

    submitted by /u/mrtinvan

    Need Advice on SSO via SAML

    Posted: 18 Dec 2019 09:57 PM PST

    Hey guys, I posted a few days ago how to create an infrastructure that sort of authenticates and logs you in to all the services in our school (we have Moodle and some services that students created).

    The initial plan was to make that happen sort of instantly when you connect to the wifi with your student credentials, but now our new plan is to get it working via 1 centred authentication page.

    So for example, if you want to use Moodle/Service X,y you first go to a page like "auth.domain" and log in there, that requests the access/user token which is needed and if you go to any other service we implement that feature, you are automatically logged in.

    Has someone got experience in that type of thing and could help me out with some resources? (I currently looked into simplesamlphp but couldn't test it because my test setup is only going to be ready in a few days).

    If my description is not understandable, just ask what you want to know; I am going to answer you within 10-20 minutes.

    Thanks in advance^^

    submitted by /u/SenpaiMinii

    PSA google was down in the balkans this morning.

    Posted: 19 Dec 2019 01:56 AM PST

    All Google services this morning in the Balkan area were down from about 8:30 to 10:00.

    Some carriers rerouted Google elsewhere for a higher latency.

    Anyone have any inside info on what happened?

    submitted by /u/Irkutsk2745

    Free Radius Servers with scalable MAB list?

    Posted: 19 Dec 2019 01:53 AM PST

    Hi guys,

    Does anyone know of any freeware radius servers that support MAB in a scalable/manageable way? - ie just a lookup to an external list/file that we can easily add new macs into.

    Ideally it would just be a list we can append single device mac addresses into (however, we are talking thousands of mac addresses)

    This is part of a requirement we have been asked to look at as an interim solution, before we deploy more network segmentation / Proper PNAC/Identity profiling next financial year (I have highlighted that MAB is not secure however people still want to investigate it as an interim solution)

    I've looked at the documentation for free-radius, however the MAB functionality looks like some esoteric regex pattern matching. What we want to do is export known MAC addresses from something like SolarWinds UDT and import these into a single MAB list within a radius server - oh, did I mention that this has to be free!

    submitted by /u/the_craigus

    FortiGate routing VLANs with different subnets

    Posted: 18 Dec 2019 08:59 PM PST

    Hey all,

    I've posted this in the Fortinet subreddit, but I feel like this is a networking/routing issue.

    I am running a FortiGate 100D and I have created 5 VLANs (DHCP server enabled) with 5 different subnets and assigned them to port 1, 3, 5, 7, and 9 on individual interface mode.

    Here is a list of the VLANs and their IP Addresses:

        VLAN 10 - 192.168.10.1/24
        VLAN 16 - 192.168.16.1/23
        VLAN 32 - 192.168.32.1/23
        VLAN 64 - 192.168.64.1/23
        VLAN 774 - 192.168.7.1/23

    I have 3 Cisco SG350 switches and as a test, I trunked 2 ports on one switch, one for VLAN 16 and 32, and connected it to the VLAN 16 and VLAN 32 firewall interfaces. I then set two more ports on the switch as access ports and assigned VLAN 16 to one and VLAN 32 to the other. I then connected two Macs to those access ports, they receive the correct IP addresses just fine. Now by default, there should be no routing between these VLANs as they're in different subnets, correct? To my astonishment this is not the case: while the Mac with a VLAN 16 address can't ping the VLAN 32 Mac, the 32 Mac can ping the 16 Mac. I have no clue how this is the case and can use any help on troubleshooting this. There are no IP policies configured on the FG that relate to these VLANs/interfaces/subnets. Here is a picture of the physical set up, here is a screenshot of the Cisco switch VLAN config, and here is a screenshot of the interface setup on the FG. I feel like it's a routing issue, as if I create a zone, add all VLANs in it, and allow intra-zone traffic, both Macs are able to ping each other. I'm just confused as to how any of the VLANs can communicate with no IP policies being created yet.

    submitted by /u/mw3noobbuster
