    Thursday, January 30, 2020

    Blogpost Friday! Networking

    Blogpost Friday!

    Posted: 30 Jan 2020 04:04 PM PST

    It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

    Feel free to submit your blog post, along with a nice description, to this thread.

    submitted by /u/AutoModerator

    Avast port scanning and trying SSH & FTP logins on gateway

    Posted: 30 Jan 2020 05:29 AM PST

    I recently discovered that in our corporate network Avast also performs a port scan of the default gateway and tries to perform SSH and FTP logins with some default credentials. It could be part of the smart shield, but it is not really wanted behavior for all Avast clients.

    Also read a post on Avast harvesting URL click data: https://www.extremetech.com/internet/305344-avasts-free-antivirus-harvests-all-your-clicks-sells-them-to-third-parties

    Any thoughts on this or anyone else noticed this?

    submitted by /u/Mitssumi
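As an added example (not from the post), here is how a defender could confirm this kind of behaviour from the gateway's own logs: a host that touches many gateway ports in a short window and then fails SSH/FTP logins. The log formats, addresses and thresholds are constructed assumptions.

```python
"""Spot an endpoint that sweeps the gateway's ports and then tries SSH/FTP
logins. Added example, not from the post; both log formats are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

GATEWAY = "192.0.2.1"          # assumed gateway address (constructed)
SWEEP_PORTS = 15               # distinct gateway ports in one window = a sweep
WINDOW = timedelta(seconds=60)

# Constructed gateway firewall log: "<iso-time> <src> <dst> <dport> <verdict>"
FW_LOG = "\n".join(
    [f"2020-01-30T09:00:{i:02d} 10.10.5.23 192.0.2.1 {port} block"
     for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143,
                               443, 445, 993, 995, 3389, 8080])]
    + ["2020-01-30T09:01:10 10.10.5.40 192.0.2.1 53 pass",
       "2020-01-30T09:01:11 10.10.5.40 192.0.2.1 443 pass"])
# Constructed gateway auth log (sshd / vsftpd failures)
AUTH_LOG = """\
2020-01-30T09:00:20 sshd: Failed password for admin from 10.10.5.23 port 51200
2020-01-30T09:00:22 sshd: Failed password for root from 10.10.5.23 port 51201
2020-01-30T09:00:25 vsftpd: FAIL LOGIN: Client 10.10.5.23
"""

FW_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (pass|block)$")
AUTH_LINE = re.compile(r"^(\S+) (sshd|vsftpd): .*?(?:from|Client) (\d+\.\d+\.\d+\.\d+)")


def find_gateway_sweeps(fw_log, gateway=GATEWAY, threshold=SWEEP_PORTS, window=WINDOW):
    """Map src -> sorted ports for sources that touched >= threshold distinct
    gateway ports inside any sliding window. The verdict does not matter:
    a blocked probe is still a probe."""
    hits = defaultdict(list)
    for line in fw_log.splitlines():
        m = FW_LINE.match(line)
        if m and m.group(3) == gateway:
            hits[m.group(2)].append((datetime.fromisoformat(m.group(1)), int(m.group(4))))
    sweeps = {}
    for src, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= threshold:
                sweeps[src] = sorted(ports)
                break
    return sweeps


def failed_logins(auth_log):
    """Map src -> {service: failure count} from sshd/vsftpd failure lines."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in auth_log.splitlines():
        m = AUTH_LINE.match(line)
        if m:
            counts[m.group(3)][m.group(2)] += 1
    return {src: dict(svc) for src, svc in counts.items()}


def correlate(fw_log=FW_LOG, auth_log=AUTH_LOG):
    """Sweepers that also failed logins are the hosts to look at first; in the
    post's case the culprit turned out to be the AV client itself."""
    logins = failed_logins(auth_log)
    return [{"src": src, "ports": len(ports), "logins": logins.get(src, {})}
            for src, ports in find_gateway_sweeps(fw_log).items()]
```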

    TCP/IP Question from a programmer (windows)

    Posted: 30 Jan 2020 01:33 PM PST

    We had a situation where a client talks to a server (both Windows machines). The server showed that there is a TCP connection open: "netstat -a" showed it as ESTABLISHED to client_ip. But when we ran "netstat -a" on the client, it did not show any connection to the server.

    There is a firewall (a physical box) between the client and the server, and normally connections work.

    So, a question to the networking gurus :)

    • Is it possible?
    • If it is possible, does it mean that the firewall or one of the switches is at fault here?

    PS: I am a developer and until now I did not think it was possible to have a TCP connection in the "ESTABLISHED" state on the server that does not even exist on the client.

    submitted by /u/gevorgter
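An added example, not the poster's code, of how to spot such one-sided sessions from `netstat -an` captured on both hosts, plus the keepalive socket option that lets a server time out a peer that silently disappeared; the netstat rows are constructed.

```python
"""Find TCP sessions a server reports as ESTABLISHED that the client no
longer has, from 'netstat -an' output captured on both Windows hosts, and
show the keepalive setting that makes a server notice a vanished peer.
Added example, not from the post; the netstat samples are constructed."""
import re
import socket

# Windows 'netstat -an' row: Proto  Local Address  Foreign Address  State
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s*$")


def parse_netstat(text):
    """Return a set of (local_ip, local_port, remote_ip, remote_port, state)."""
    rows = set()
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            l_ip, l_p, r_ip, r_p, state = m.groups()
            rows.add((l_ip, int(l_p), r_ip, int(r_p), state))
    return rows


def half_open_sessions(server_netstat, client_netstat):
    """Server-side ESTABLISHED sessions whose mirror image (addresses swapped)
    is missing on the client. TCP has no heartbeat of its own: if the client's
    FIN/RST never reached the server (host crashed, or a firewall/NAT dropped
    the packet after its own state expired), the server keeps the entry until
    it next sends data or a keepalive probe fails."""
    client_4tuples = {(a, b, c, d) for a, b, c, d, _ in parse_netstat(client_netstat)}
    orphans = [(l_ip, l_p, r_ip, r_p)
               for l_ip, l_p, r_ip, r_p, state in parse_netstat(server_netstat)
               if state == "ESTABLISHED" and (r_ip, r_p, l_ip, l_p) not in client_4tuples]
    return sorted(orphans)


def enable_keepalive(sock, idle_s=30, interval_s=5):
    """Turn on TCP keepalive so the server side detects a dead peer by itself.
    Returns True when SO_KEEPALIVE is set on the socket."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    if hasattr(socket, "SIO_KEEPALIVE_VALS"):                 # Windows
        sock.ioctl(socket.SIO_KEEPALIVE_VALS, (1, idle_s * 1000, interval_s * 1000))
    elif hasattr(socket, "TCP_KEEPIDLE"):                     # Linux
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle_s)
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval_s)
    return sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0


def keepalive_demo():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        return enable_keepalive(s)
    finally:
        s.close()


# Constructed samples: server 10.0.0.10:8000, client 10.0.0.55
SERVER_NETSTAT = """\
  TCP    0.0.0.0:8000           0.0.0.0:0              LISTENING
  TCP    10.0.0.10:8000         10.0.0.55:49801        ESTABLISHED
  TCP    10.0.0.10:8000         10.0.0.55:49990        ESTABLISHED
"""
CLIENT_NETSTAT = """\
  TCP    10.0.0.55:49801        10.0.0.10:8000         ESTABLISHED
  TCP    10.0.0.55:49995        10.0.0.10:445          TIME_WAIT
"""
```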

    Service Provider Network without MPLS

    Posted: 30 Jan 2020 03:14 PM PST

    I'm wondering if there are any service provider networks out there that aren't using MPLS. If so, how are you achieving customer segregation?

    A side question: do any providers have 2 or more separate networks? When I say separate I'm talking physically separate, things like dedicated Metro Networks, dedicated Internet Networks, etc.

    submitted by /u/Jackol1

    Question about point-to-point with Meraki.

    Posted: 30 Jan 2020 11:02 AM PST

    We basically need to get a wired connection from one building to another. There will be one workstation in building B. Underground or aerial cables are not an option here. It's a very industrial situation and I'm not sure that straight WiFi will pick up from A to B, and the workstation will also have a VOIP phone. We are thinking of doing point-to-point or setting up one AP at one side and a wireless bridge to Ethernet on the other side. What is the best cost-effective way to do this? I guess "best" would be something like a Meraki MR74 on both sides, but that's pretty pricey.

    Any thoughts?

    submitted by /u/Zebulon_V

    Cisco ISE DACL

    Posted: 30 Jan 2020 11:12 AM PST

    Just had a Cisco tech tell me that too many DACLs on a switch will overuse the switch's memory. Is this true? Are scalable groups really the better way of doing things?

    submitted by /u/jollyjunior89

    EIGRP Static Neighbors

    Posted: 30 Jan 2020 01:41 PM PST

    For various reasons, we're looking to configure our hub sites with static neighbours instead of letting EIGRP automatically determine them.

    Devices are all within the same AS and all local to the site. The site has 2 routers and 2 core switches running EIGRP. R1 and R2 both neighbour with each core switch but not with each other.

    What I've found is that if R1 and R2 both learn a route (e.g. 10.0.0.0/24) via a VPN tunnel, the core switches see both routes via R1 and R2 (expected). If I then tear down the tunnel on R1, the core switches still see the route via R2 but the other router doesn't. I would expect the cores to advertise this route to the other router, but it doesn't show (as Successor, Feasible Successor or otherwise).

    Without neighbouring the routers directly, can you think of what would cause this?

    submitted by /u/Olivanders1989

    Cisco Nexus VPC peer link configuration best practice

    Posted: 30 Jan 2020 02:58 PM PST

    I've got to configure a pair of new Cisco Nexus 93180s in non-ACI mode, and they will need to be in a vPC domain together. Traditionally we have used the dedicated management port for peer-keepalive communication (which does go through separate upstream switches), but I am thinking this is not ideal as it is just a single link. I'm considering creating an SVI in its own separate VRF for this communication, going across the port-channel/trunk between the two switches (the vPC peer-link).

    Am I way off here? Or do they actually need to be separate links, as they currently are? Is the original method not an issue, or am I right to re-think it and do it differently? I have briefly read through this long Cisco guide, but I didn't see where it directly addresses it: https://www.cisco.com/c/dam/en/us/td/docs/switches/datacenter/sw/design/vpc_design/vpc_best_practices_design_guide.pdf

    submitted by /u/ReadOnlyLog

    Strange Configuration?

    Posted: 30 Jan 2020 10:20 AM PST

    I have an interesting situation at work, where something is most definitely NOT configured to any sort of standard, and I honestly have no idea how this even works, so I figured I would throw this out there and see if anybody can shed some light on how the heck this is even working.

    I have a 600Mbps link between my main site and my DR site. First I will list the relevant main-site config.

    MAIN SITE:

    interface TenGigabitEthernet1/1/6
     switchport trunk allowed vlan 1,313
     switchport trunk native vlan 350
     switchport mode trunk

    interface Vlan1
     description MAIN_NET
     ip address 172.17.0.5 255.255.0.0
     ip pim sparse-dense-mode
    end

    interface Vlan313
     ip address 10.254.255.2 255.255.255.252
    end

    Pretty straightforward stuff. Seems like a trunk port that I think is running over an L2 link (probably MPLS) to our DR site.

    THEN, I get to the DR switch:

    interface GigabitEthernet0/19
     switchport mode trunk
    end

    interface Vlan1
     no ip address
     no ip route-cache
    !
    interface Vlan333
     description Integral
     ip address 172.17.1.150 255.255.0.0
     no ip route-cache
    !
    ip default-gateway 172.17.0.5

    This would all make sense... if 172.17.1.150/16 were on VLAN 1, because that would match what is at my main site, but it's not. It has been changed to VLAN 333 here, and I honestly just don't know how that is possible.

    submitted by /u/jdfishtorn
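An added example (not the poster's code) that parses the two excerpts above and reports what a frame on each SVI VLAN would run into on this trunk; it applies the IOS trunk defaults (native VLAN 1, all VLANs allowed) where the DR side sets nothing, and the config strings are trimmed copies of the post's excerpts.

```python
"""Cross-check the two trunk ends from the post above: parse each IOS excerpt
and list the VLANs that cannot flow end to end. Added example (not the
poster's code); the config strings are trimmed copies of the post's excerpts."""

MAIN_SITE = """\
interface TenGigabitEthernet1/1/6
 switchport trunk allowed vlan 1,313
 switchport trunk native vlan 350
 switchport mode trunk
interface Vlan1
 ip address 172.17.0.5 255.255.0.0
interface Vlan313
 ip address 10.254.255.2 255.255.255.252
"""
DR_SITE = """\
interface GigabitEthernet0/19
 switchport mode trunk
interface Vlan333
 ip address 172.17.1.150 255.255.0.0
ip default-gateway 172.17.0.5
"""


def expand_vlans(spec):
    """'1,313' or '10-20,30' -> set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_ios(config):
    """{'trunks': {ifname: {'allowed': set or None, 'native': int}}, 'svis': {vlan: ip}}.
    IOS trunk defaults: native VLAN 1, all VLANs allowed (None)."""
    trunks, svis, cur = {}, {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
        elif cur and line.startswith("switchport") and "trunk" in line:
            t = trunks.setdefault(cur, {"allowed": None, "native": 1})
            if "allowed vlan" in line:
                t["allowed"] = expand_vlans(line.split()[-1])
            elif "native vlan" in line:
                t["native"] = int(line.split()[-1])
        elif cur and cur.startswith("Vlan") and line.startswith("ip address "):
            svis[int(cur[4:])] = line.split()[2]
    return {"trunks": trunks, "svis": svis}


def check_link(side_a, if_a, side_b, if_b):
    """Problems on the trunk if_a (side A) <-> if_b (side B), per SVI VLAN."""
    a, b = side_a["trunks"][if_a], side_b["trunks"][if_b]
    problems = []
    if a["native"] != b["native"]:
        problems.append(f"native VLAN mismatch: {a['native']} vs {b['native']}")
    for vlan in sorted(set(side_a["svis"]) | set(side_b["svis"])):
        if not all(t["allowed"] is None or vlan in t["allowed"] for t in (a, b)):
            problems.append(f"VLAN {vlan} is not allowed on both trunk ends")
        elif (vlan == a["native"]) != (vlan == b["native"]):
            problems.append(f"VLAN {vlan} is untagged on one end and tagged on the other")
    return problems


def report():
    return check_link(parse_ios(MAIN_SITE), "TenGigabitEthernet1/1/6",
                      parse_ios(DR_SITE), "GigabitEthernet0/19")
```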

    Process for providing cellular signal in underground bunker

    Posted: 30 Jan 2020 06:08 AM PST

    I recently deployed a new site which is entirely underground in a bunker. It's relatively large (7 Cisco 1815i access points) and I have recently been asked to find costings for providing regular cell signal (phone/SMS) across the site.

    I have absolutely zero knowledge in this field, so wouldn't know where to start. It will be open to the public and is based in Holland (The Hague, specifically).

    Any advice would be much appreciated.

    submitted by /u/Acrylicus

    Google V6 DNS North America - ICMP stopped working

    Posted: 30 Jan 2020 06:31 AM PST

    Has anyone had any issues pinging Google DNS's v6 address in North America this morning? We have a few device setup scripts that ping Google's v6 DNS as a check to make sure the device has v6 set up correctly.

    Wondering if anyone has any info, or if it's working for other people. Trying to figure out if I need to update the scripts or reach out to my ISP and see if it's something specific to them.

    submitted by /u/sanisbad

    tcp/8090: Confused by Firewall Log Entries

    Posted: 29 Jan 2020 06:45 PM PST

    I'm trying to wrap my head around this. I'm looking through my pfSense firewall logs, and I see entries where the source is a virtual address of a VPN connection.

    https://imgur.com/miE7mMr - all of the traffic in question is on tcp/8090.

    I run OpenVPN clients on my router, so the source IPs are the virtual IP addresses of those VPN clients, but what traffic would be attempting to enter my network on those virtual private addresses?

    I assume this is not nefarious behavior; I actually suspect it has something to do with OpenVPN checking if the connection is alive or something, but thus far I've been unable to find any information to verify this.

    submitted by /u/NFicano

    Help interpreting ASA log info

    Posted: 30 Jan 2020 08:22 AM PST

    We are getting thousands of connections like the following. Our SIEM is alerting us because it thinks they are FTP connections, but according to the ASA syslog data it looks like it is actually ICMP and the source port is 21? Does anyone have any idea what kind of traffic this is? I can't find any information about an ICMP port 21. Thanks in advance!

    Built inbound ICMP connection for faddr 18.229.160.179/21 gaddr 65.X.X.X/0 laddr 65.X.X.X/0
    Built inbound ICMP connection for faddr 18.231.45.117/21 gaddr 65.X.X.X/0 laddr 65.X.X.X/0
    Built inbound ICMP connection for faddr 13.232.231.197/21 gaddr 65.X.X.X/0/0 laddr 65.X.X.X/0

    submitted by /u/blacklabelmmm
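An added example, not the poster's code, that parses these ICMP records (and the separate TCP/UDP "Built ... connection" form the ASA logs for real sessions) so a SIEM rule can match on protocol plus destination port instead of on any field that happens to contain 21; ICMP has no ports, so whatever the ASA prints after the slash on an ICMP record, it is not a TCP port. The TCP sample line is constructed.

```python
"""Parse the ASA 'Built ... connection' lines from the post so a SIEM rule can
key on the protocol, not just the number after the slash. Added example, not
the poster's code; the TCP sample line is constructed."""
import re
from collections import Counter

# ASA 302020 form used for ICMP (the lines in the post): faddr/gaddr/laddr
ICMP_BUILT = re.compile(
    r"Built (?P<dir>inbound|outbound) (?P<proto>ICMP) connection for"
    r" faddr (?P<src>\S+?)/(?P<sport>\d+)(?:/\d+)? gaddr \S+ laddr (?P<dst>\S+?)/(?P<dport>\d+)")
# ASA 302013/302015 form used for TCP/UDP: interface:real/port (mapped/port)
TCP_UDP_BUILT = re.compile(
    r"Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection \d+ for"
    r" \S+?:(?P<src>\S+?)/(?P<sport>\d+) \(\S+\) to \S+?:(?P<dst>\S+?)/(?P<dport>\d+)")

# The three lines quoted in the post (with the poster's masking), plus one
# constructed genuine FTP control connection for contrast.
SAMPLE = """\
Built inbound ICMP connection for faddr 18.229.160.179/21 gaddr 65.X.X.X/0 laddr 65.X.X.X/0
Built inbound ICMP connection for faddr 18.231.45.117/21 gaddr 65.X.X.X/0 laddr 65.X.X.X/0
Built inbound ICMP connection for faddr 13.232.231.197/21 gaddr 65.X.X.X/0/0 laddr 65.X.X.X/0
Built inbound TCP connection 1234 for outside:198.51.100.7/50321 (198.51.100.7/50321) to inside:10.1.1.5/21 (65.X.X.X/21)
"""


def parse_built(line):
    """Return {dir, proto, src, sport, dst, dport} or None for a non-matching line."""
    for rx in (ICMP_BUILT, TCP_UDP_BUILT):
        m = rx.search(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            return d
    return None


def naive_ftp_rule(conn):
    """What the post's SIEM seems to do: any 21 in a port field means FTP."""
    return 21 in (conn["sport"], conn["dport"])


def ftp_rule(conn):
    """FTP control is TCP to port 21; an ICMP record has no port at all, so it
    can never satisfy this rule whatever number the ASA prints after the slash."""
    return conn["proto"] == "TCP" and conn["dport"] == 21


def classify(log):
    """Compare the two rules over a log and summarise records by (proto, sport, dport)."""
    conns = [c for c in map(parse_built, log.splitlines()) if c]
    summary = Counter((c["proto"], c["sport"], c["dport"]) for c in conns)
    return {"naive_ftp": sum(map(naive_ftp_rule, conns)),
            "ftp": sum(map(ftp_rule, conns)),
            "by_proto_port": dict(summary)}
```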

    Best way to configure customer uplink in our datacenter infrastructure

    Posted: 30 Jan 2020 04:21 AM PST

    Hello r/networking,

    I'm trying to figure out the best way to make this scenario work.

    Our design is as follows: we are running L2 equipment in our datacenter (a mix of Juniper and Arista switches, in transition toward Arista now). Among other things, our equipment connects our VMware infrastructure, which is shared across customers.

    To allow our customers to join this VMware infrastructure from their office, some of them have direct connections coming into our datacenter (some are L3 with MPLS or other flaw, some are L2, which we are trying to avoid and remove, but some are still there).

    Historically (before I arrived), the way to protect ourselves from spanning-tree on the customer side was to disable spanning-tree on those interfaces. I don't feel comfortable with this, so I would like to find a better way.

    What I have done so far during the transition is configure bpduguard on the interfaces that are known L3 devices (so typically routers). This works fine except for some equipment (to which we have no access at all).

    For that equipment, if I enable bpduguard, the connection is immediately shut down. So I have to leave it enabled on them.

    The problem is that some customers have equipment with a lower priority than our equipment, so they become the root bridge. This is exactly what I want to avoid. I tried to put bpdu guard root, but this has the same effect as bpduguard, in the sense that the port is discarded immediately.

    What are my best options here? I thought about lowering the priority to 4096 on our equipment, but again it doesn't feel like the ideal solution (if their equipment is set to 4096 as well, and their MAC address is lower, they will win the battle).

    I guess I could also move their VLAN to a separate MSTP instance, and just let them be the root on their VLANs if they want, but it doesn't sound cleaner either.

    Thanks for reading :-)

    submitted by /u/takezo_be

    How to see outbound traffic to an AS?

    Posted: 30 Jan 2020 12:21 AM PST

    Hi

    We are being asked by a vendor to confirm how much traffic we are sending to their AS. How would we get this information? Is there an application we can use to monitor our usage?

    submitted by /u/_Gyusus

    How does BGP prioritize lesser vs more specific prefixes? And can it even be done?

    Posted: 30 Jan 2020 01:53 AM PST

    Hi experts!

    We have 2 ISPs. We're announcing our /20 subnet to both ISPs.
    I'm wondering if we could announce a subset of this /20.
    Does eBGP allow this? Can we make as many announcements as we want? (I'm thinking if everyone did this, it would fill up the global BGP route list, and it may therefore not be allowed?)
    Should the subnet be registered at RIPE etc.? Is there a limit to how small a network announcement we can make?

    Let's say it can't be done. How does BGP prioritize this then?
    When using static routes, the most specific route is always chosen. Does the same rule apply to eBGP?
    It doesn't seem like a normal thing to do, since Google is not helping me.

    The use case is: some of our customers prefer 1 ISP over another, so we want to make different announcements based on that.

    Please advise. :)

    submitted by /u/ZyDy
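An added example (not either poster's code) that serves this question and the previous one on measuring traffic to an AS: a longest-prefix match over a small prefix table, used both to attribute flow bytes to the origin AS of the matched prefix and to show that a /24 carved out of a /20 is selected over the /20 before any BGP path attribute is compared. The prefix table and flow records are constructed; in practice most networks accept nothing longer than a /24 for IPv4.

```python
"""Longest-prefix match over a small table: (1) traffic is attributed to the
origin AS of the most specific covering prefix, which answers 'how much do we
send to AS X'; (2) a /24 carved out of a /20 wins over the /20 before any
BGP attribute is compared. Added example, not the posters' code; the prefix
table and flow records are constructed."""
import ipaddress
from collections import defaultdict, namedtuple

Route = namedtuple("Route", "prefix origin_as via")

# Constructed table: a /20 learned via ISP-A, and a /24 inside it that the
# same origin announces only through ISP-B (the post's idea, mirrored).
SAMPLE_ROUTES = [
    ("203.0.112.0/20", 64500, "ISP-A"),
    ("203.0.113.0/24", 64500, "ISP-B"),
    ("198.51.100.0/24", 64501, "ISP-A"),
]
# Constructed flow records: (destination IP, bytes)
SAMPLE_FLOWS = [("203.0.113.9", 5000), ("203.0.120.1", 700),
                ("198.51.100.20", 300), ("192.0.2.1", 100)]


def build_rib(entries):
    """Sort longest prefix first so the first containing entry is the match."""
    rib = [Route(ipaddress.ip_network(p), asn, via) for p, asn, via in entries]
    return sorted(rib, key=lambda r: r.prefix.prefixlen, reverse=True)


def lookup(rib, ip):
    """Longest-prefix match. Only among routes for the *same* prefix does BGP
    go on to compare local-pref, AS-path length, MED and so on; a more
    specific prefix is preferred regardless of those attributes."""
    addr = ipaddress.ip_address(ip)
    for route in rib:
        if addr in route.prefix:
            return route
    return None


def bytes_per_as(rib, flows):
    """Sum flow bytes by origin AS of the matched prefix (None = no route)."""
    totals = defaultdict(int)
    for dst, nbytes in flows:
        route = lookup(rib, dst)
        totals[route.origin_as if route else None] += nbytes
    return dict(totals)
```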

    Need steps and best practices for fixing network.

    Posted: 30 Jan 2020 07:16 AM PST

    Hello, I am a sysadmin at an SMB. A few months ago one of our switches died (a D-Link DES-325P switch); before that there were not really too many issues. Most workstations had an Ethernet jack for our network 192.168.0.x and another jack for our phone system 10.116.x.x that would connect to our phone server.

    So after the switch died, my boss just plugged back in anything that would fit anywhere. After that, people were not able to connect to the network because they were on the 10.116 network and not the 192.168 network. After manually giving out IP addresses, most people are able to work.

    Another thing to note: our Wi-Fi is now affected as well, handing out 10.116 addresses, and no one can do anything that requires an internet connection with their phones.

    I know a bit about networking (I have my CCENT) but I have only worked with Cisco switches, routers and firewalls.

    What I really am asking is the proper steps to go about fixing this so that every port has the correct network attached to it and the Wi-Fi works again, whether it is manually checking every port number and seeing where it lies on the switch, or some setting in DHCP I am missing. Any help would be greatly appreciated.

    Thank you

    submitted by /u/notmyworkaccount11

    Cisco ASA5505 L2TP/IPSEC Traffic limit

    Posted: 30 Jan 2020 07:16 AM PST

    Hello everyone.

    I'm trying to use L2TP/IPsec on a Cisco ASA 5505 as the LNS and the Windows 10 native L2TP client as the LNC. The main goal is to connect Win10 to the ASA and then forward traffic to the Internet. The L2TP/IPsec connection between Win10 and the ASA establishes successfully, but RTT is too high and a few minutes (or maybe about 2 MB of traffic) after connecting I can't get access to the Internet from Win10 at all. I changed MTU = 1400 and MSS = 1300, but the issue still hasn't been resolved.

    I was pinging 8.8.8.8 from Win10 through the tunnel (because the tunnel interface is the default gateway) and saw the following results:

    1. Ping when the connection has just been established (RTT is high, but it's not as strange as what follows)
    2. When I download a webpage I see 3 or 4 ping packets drop
    3. After a couple of webpages all ping packets were dropped but the tunnel was still alive.

    Topology looks something like this:

    Radius Server <==> Internet

    Cisco ASA5505 (Outside DHCP local address) <==> ZyXEL router (NAT global address) <==> Internet

    Win10 <==> Internet

    The Zyxel router NATs ports 500, 4500 and 1701 to the ASA address.

    ASA5505 Configuration

    I don't have any ideas where the problem is or how to troubleshoot it. And when I decided to make this post I thought I could download ping and topology pictures there, but unfortunately I can't. :( Sorry for my English. I really need help with this. Thanks for your replies.

    submitted by /u/Soundtrip165

    Routing one network interface to another through my Windows 10 machine

    Posted: 30 Jan 2020 05:18 AM PST

    Hello,
    I'm having some issues establishing a connection between a USB Linux machine and the internet.
    The situation is this: I have a Bash Bunny from Hak5 that I want to test. The guide simply says to connect the Linux machine via USB and configure a file so that the machine will allow NDIS simulation through USB. Having done that, I've been able to SSH into the machine via IPv4; the machine is up and running and everything is fine.
    The problem is, the guide that explains how to route internet communications from the Linux machine is very poor. It basically says to go to Control Panel\Network and Internet\Network Connections, select the Ethernet device, give it an IP address, then go to the network interface connected to the internet and allow internet sharing with the Bash Bunny. I have done all of this, but the Linux machine is not able to ping its default gateway (my computer) nor any website or IP. I can SSH into it but can't ping it? Can somebody explain why?

    If someone could help me I would appreciate it. What should I do?

    I already searched for similar issues, but nothing I found in their documentation/forum/Discord worked.

    submitted by /u/Pol8y

    A faster way to verify the ports on twisted pair cable?

    Posted: 30 Jan 2020 04:36 AM PST

    I'm coming in after another guy and of course nothing is labeled. I have close to 500 Cat 5 lines I need to verify the port on. The lines don't have anything connected yet, which just makes it that much more difficult. Right now I'm just plugging in a Raspberry Pi and watching the log for the port to come up, but it's pretty slow. Is there any way to do this faster, or is this just going to be a long weekend?

    submitted by /u/WalrusSneakers

    Devices connected to switch cannot ping the internet, but the switch can

    Posted: 30 Jan 2020 03:29 AM PST

    Hi!

    I have an annoying issue, and I think I am missing something really simple and fundamental. I have a Cisco WS-C2960X-48LPD-L and it's connected to a Cisco ASA on a physical interface that has 4 logical interfaces with a different VLAN on each (and different subnets). The ASA has 4 src-nat definitions allowing those interfaces to masquerade behind the external address of the ASA.

    I can connect to the switch via SSH from a different internal network, and it can ping out to the internet just fine from the CLI. The issue is that if I connect a host to one of the interfaces on the switch, configure a suitable static IP address on the host (for the VLAN of the port it is connected to) and try to ping out to the internet, it never gets there and just times out.

    A few mistakes I made before I got to where I am were:

    • I hadn't specified the default gateway for the switch itself, so I could never connect to it. Fixed that and can now talk to the switch.
    • I hadn't defined src-nat rules to allow traffic from any of the 4 subnets/VLANs out to the internet. Fixed that, and from the CLI the switch can ping 8.8.8.8.

    The firewall rules for the various logical interfaces I've added have an any/any rule. I just can't see what I need to do to get a host connected to the switch to talk to the internet. The switch itself can, but a device connected to it cannot.

    EDIT: The switch can also ping internal hosts on different subnets. The switch itself has no other devices connected besides whatever I am connecting to test with.

    submitted by /u/starcaller

    Has anyone done IOx on Catalyst 9K switches? Question about USB options.

    Posted: 29 Jan 2020 05:52 PM PST

    Has anyone tried out IOx Application Hosting on the Cisco Catalyst 9000 series (9300 in my case)?

    I was interested in giving this specific example a try in my lab at work, as I have an available 9300 -

    I'm not a big hosting/container expert, but I can see an advantage in generating traffic like this directly from a switch using iperf.

    But just as I had a USB stick ready to go, I stumbled upon this note:

    "Internal flash and front panel usb (usbflash0:) do not support for application hosting."

    So reading into this, officially, you have to get a Cisco 120GB SSD to use this feature:

    Now I get how this works. If I don't use the official, expensive (probably, didn't bother checking) Cisco branded drive, it's unsupported. But I'm wondering if anyone has got this working with a thumbdrive in usbflash0 (front panel), or if a regular SSD will work in that usbflash1 (back port). Before I go messing around with drives and wasting a bunch of time, I was hoping the community might have some advice.

    A broader question would be: what checks could a Cisco switch do to determine whether it is an official Cisco USB SSD, and what is the recommended drive format for a Cisco switch these days?

    submitted by /u/angryeyebrows
