
    Friday, February 14, 2020

    Blogpost Friday! Networking

    Blogpost Friday!

    Posted: 13 Feb 2020 04:04 PM PST

    It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

    Feel free to submit your blog post and as well a nice description to this thread.

    submitted by /u/AutoModerator
    [link] [comments]

    Cisco took down my router, but how?

    Posted: 14 Feb 2020 05:45 AM PST

    Hello All,

    We had a Cisco TAC call yesterday in order to troubleshoot a VPN tunnel. Phase 1 comes up, but phase 2 never negotiates. So through a Webex I let their engineer work on the router and he wanted to create object groups to match the style of access lists on the other side of this tunnel. I didn't think it makes a difference, but I'm all for building test access lists to test this theory out, so that's what he was going to do. I sat on the call and watched him type and had a PuTTY log running. I was remote through a gateway to my desktop in the office. After he created a new test access list and modified the dynmap for this particular client to use the new access list, we lost all external connectivity. I was disconnected from my session and users in the office reported they no longer had internet access. Since I was remote, I had to call a coworker to just reboot the entire device. Once it was back online I was able to get back in.

    Below is the Putty log for changes that the Cisco engineer made. I am not very familiar with Cisco IOS, but I'm fairly certain creating a new ACL and calling that ACL in a dynmap should not affect anything but that dynmap. I'm hoping someone here can look at this output and tell me where we screwed up so I can avoid doing that in the future. We have another call scheduled with Cisco, but I'm a little nervous to let them make any changes until I understand why this went down.

    Any thoughts are greatly appreciated! :-)

    I have sanitized the log so that none of our IPs are in this log, nor any of the names we actually use. I also left spacing alone as it's off in a couple of places and I'm not sure if that is relevant.

    ROUTER#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    ROUTER(config)#object-group network Vendor2Client
    ROUTER(config-network-group)#network-object host 1.1.1.151
                                 ^
    % Invalid input detected at '^' marker.
    ROUTER(config-network-group)#network-object host 1.1.1.152
                                 ^
    % Invalid input detected at '^' marker.
    ROUTER(config-network-group)#network-object host 1.1.1.153
                                 ^
    % Invalid input detected at '^' marker.
    ROUTER(config-network-group)#network-object host 1.1.1.148
                                 ^
    % Invalid input detected at '^' marker.
    ROUTER(config-network-group)#network-object host 1.1.1.149
                                 ^
    % Invalid input detected at '^' marker.
    ROUTER(config-network-group)#host host 1.1.1.151
    ROUTER(config-network-group)# host 1.1.1.152
    ROUTER(config-network-group)# host 1.1.1.153
    ROUTER(config-network-group)# host 1.1.1.148
    ROUTER(config-network-group)# host 1.1.1.149
    ROUTER(config-network-group)#host 1.1.1.150
    ROUTER(config-network-group)#exit
    ROUTER(config)#no object-group network Vendor2Client
    ROUTER(config)#
    ROUTER(config)#
    ROUTER(config)#
    ROUTER(config)#
    ROUTER(config)#
    ROUTER(config)#
    ROUTER(config)#
    ROUTER(config)#
    ROUTER(config)#
    ROUTER(config)#
    ROUTER(config)#
    ROUTER(config)#object-group network Client2Vendorobject-group network Client2Vendor
    ROUTER(config-network-group)#host 1.1.1.151
    ROUTER(config-network-group)# host 1.1.1.152
    ROUTER(config-network-group)# host 1.1.1.153
    ROUTER(config-network-group)# host 1.1.1.148
    ROUTER(config-network-group)# host 1.1.1.149
    ROUTER(config-network-group)#host 1.1.1.150
    ROUTER(config-network-group)#
    ROUTER(config-network-group)#
    ROUTER(config-network-group)#
    ROUTER(config-network-group)#exit
    ROUTER(config)#
    ROUTER(config)#
    ROUTER(config)#object-group network Vendor2Client
    ROUTER(config-network-group)#host 192.168.15.150
    ROUTER(config-network-group)#host 192.168.15.149
    ROUTER(config-network-group)#
    ROUTER(config-network-group)#
    ROUTER(config-network-group)#
    ROUTER(config-network-group)#
    ROUTER(config-network-group)#
    ROUTER(config-network-group)#
    ROUTER(config-network-group)#exit
    ROUTER(config)#access-list test_test extended permit icmp object-group Vendor2Client object-group Client2Vendor
                                ^
    % Invalid input detected at '^' marker.
    ROUTER(config)#ip access-list ?
      extended             Extended Access List
      helper               Access List acts on helper-address
      log-update           Control access list log updates
      logging              Control access list logging
      match-local-traffic  Enable ACL matching for locally generated traffic
      persistent           enable persistency across reload
      resequence           Resequence Access List
      role-based           Role-based Access List
      standard             Standard Access List
    ROUTER(config)#ip access-list e x t
    ROUTER(config)#ip access-list ext e
    ROUTER(config)#ip access-list extended test_test ?
      <cr>
    ROUTER(config)#ip access-list extended test_test
    ROUTER(config-ext-nacl)#permit ?
      <0-255>       An IP protocol number
      ahp           Authentication Header Protocol
      eigrp         Cisco's EIGRP routing protocol
      esp           Encapsulation Security Payload
      gre           Cisco's GRE tunneling
      icmp          Internet Control Message Protocol
      igmp          Internet Gateway Message Protocol
      ip            Any Internet Protocol
      ipinip        IP in IP tunneling
      nos           KA9Q NOS compatible IP over IP tunneling
      object-group  Service object group
      ospf          OSPF routing protocol
      pcp           Payload Compression Protocol
      pim           Protocol Independent Multicast
      tcp           Transmission Control Protocol
      udp           User Datagram Protocol
    ROUTER(config-ext-nacl)#permit icmp
    ROUTER(config-ext-nacl)#permit icmp ?
      A.B.C.D       Source address
      any           Any source host
      host          A single source host
      object-group  Source network object group
    ROUTER(config-ext-nacl)#permit icmp obj
    ROUTER(config-ext-nacl)#permit icmp object-group Vendor2Client object-group Client2Vendor
    ROUTER(config-ext-nacl)#
    ROUTER(config-ext-nacl)#
    ROUTER(config-ext-nacl)#exit
    ROUTER(config)#
    ROUTER(config)#
    ROUTER(config)#
    ROUTER(config)#c crypto map dynmap 95 ipsec-isakmp
    ROUTER(config-crypto-map)#no match address VPN-CLIENT-ACL
    ROUTER(config-crypto-map)#
    ROUTER(config-crypto-map)#match add
    ROUTER(config-crypto-map)#match address test_test
    ROUTER(config-crypto-map)#
    ROUTER(config-crypto-map)#
    ROUTER(config-crypto-map)#exit
    ROUTER(config)#exit
    ROUTER#sh run | be

    Edit: Here is the dynmap before he made edits:

    crypto map dynmap 95 ipsec-isakmp
     description CLIENT_MAP
     set peer 1.1.1.253
     set transform-set client-transform
     set pfs group5
     match address VPN-CLIENT-ACL

    Edit2: Here is the ACL before he changed anything:

    ip access-list extended VPN-CLIENT-ACL
     permit ip host 192.168.15.150 host 1.1.1.148
     permit ip host 192.168.15.150 host 1.1.1.149
     permit ip host 192.168.15.150 host 1.1.1.150
     permit ip host 192.168.15.150 host 1.1.1.151
     permit ip host 192.168.15.150 host 1.1.1.152
     permit ip host 192.168.15.150 host 1.1.1.153
     permit ip host 192.168.15.149 host 1.1.1.148
     permit ip host 192.168.15.149 host 1.1.1.149
     permit ip host 192.168.15.149 host 1.1.1.150
     permit ip host 192.168.15.149 host 1.1.1.151
     permit ip host 192.168.15.149 host 1.1.1.152
     permit ip host 192.168.15.149 host 1.1.1.153
    submitted by /u/zero_sarcasm
    [link] [comments]
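    The poster kept a PuTTY log of the TAC session, which is the right instinct: a session capture is the only record of what a third party typed on your device. As an added example (not code from the post, from Cisco, or from the poster), here is a Python script that audits such a capture: it follows the configuration mode shown in the prompt, records every command together with the object it was applied to, marks the commands IOS refused with "% Invalid input", and pulls out the crypto-map edits so a reviewer can see exactly what changed and in which order. The LOG it parses is a constructed, shortened excerpt modelled on the post's log, and the class and function names are my own.

```python
"""Audit an IOS terminal session log for configuration changes.

Added example (not code from the original post): it parses a PuTTY-style
session capture, follows the configuration mode shown in the prompt, and
reports which commands were accepted, which IOS rejected, and which ones
touched a crypto map. The LOG below is a constructed excerpt modelled on
the post's log; prompts and commands are shortened, not copied.
"""
import re
from dataclasses import dataclass, field

LOG = """\
ROUTER#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ROUTER(config)#object-group network Vendor2Client
ROUTER(config-network-group)#network-object host 1.1.1.151
                                             ^
% Invalid input detected at '^' marker.
ROUTER(config-network-group)#host 1.1.1.151
ROUTER(config-network-group)#exit
ROUTER(config)#ip access-list extended test_test
ROUTER(config-ext-nacl)#permit icmp object-group Vendor2Client object-group Client2Vendor
ROUTER(config-ext-nacl)#exit
ROUTER(config)#crypto map dynmap 95 ipsec-isakmp
ROUTER(config-crypto-map)#no match address VPN-CLIENT-ACL
ROUTER(config-crypto-map)#
ROUTER(config-crypto-map)#match address test_test
ROUTER(config-crypto-map)#exit
ROUTER(config)#exit
ROUTER#show clock
"""

# HOST(config-mode)#command   or   HOST#command
PROMPT_RE = re.compile(r"^(?P<host>[\w.-]+)(?:\((?P<mode>[\w-]+)\))?#(?P<cmd>.*)$")


@dataclass
class Change:
    mode: str        # prompt mode the command ran in, e.g. "config-crypto-map"
    context: str     # command that opened that mode (the object being edited)
    command: str
    accepted: bool = True


@dataclass
class AuditReport:
    changes: list = field(default_factory=list)

    def rejected(self):
        return [c for c in self.changes if not c.accepted]

    def crypto_map_changes(self):
        return [c for c in self.changes if c.mode == "config-crypto-map"]


def audit_session(log: str) -> AuditReport:
    report = AuditReport()
    context = {}                      # mode -> command that opened it
    prev_mode = prev_cmd = None
    last_change = None
    for line in log.splitlines():
        # IOS prints "% ..." right after the command it refused
        if line.startswith("% ") and last_change is not None:
            last_change.accepted = False
            last_change = None
            continue
        m = PROMPT_RE.match(line)
        if not m:
            continue                  # banner, caret marker, help text, etc.
        mode = m.group("mode") or "exec"
        cmd = m.group("cmd").strip()
        # The command typed just before the prompt changed mode is the
        # context for the new mode ("crypto map dynmap 95 ipsec-isakmp").
        if (mode != prev_mode and prev_mode not in (None, "exec")
                and prev_cmd and prev_cmd != "exit"):
            context[mode] = prev_cmd
        prev_mode, prev_cmd = mode, cmd
        last_change = None
        if not cmd or cmd == "exit" or mode == "exec":
            continue                  # empty prompts and exec-mode commands change nothing
        last_change = Change(mode, context.get(mode, ""), cmd)
        report.changes.append(last_change)
    return report


if __name__ == "__main__":
    rep = audit_session(LOG)
    for c in rep.changes:
        flag = "ok " if c.accepted else "ERR"
        print(f"{flag} [{c.mode}] {c.context!r} -> {c.command}")
```

    Run against the real capture, the crypto-map section of the report is the part to hand back to TAC: it shows the old ACL being removed from the map and the new one attached, in the order it happened.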

    Cisco DMVPN and IPsec with PKI cert authentication?

    Posted: 14 Feb 2020 01:58 PM PST

    Hey Folks,

    I'm reviewing a setup which involves IPsec, DMVPN and PKI cert authentication, and I'm currently confused about how this setup/design works. To give some background on the setup, we have Spoke-A which is connected to the Hub router using DMVPN with an IPsec profile. This DMVPN tunnel is being used to advertise/receive routes from other spoke sites.

    During verification, I'm seeing that multiple trustpoints are being used before the tunnel is fully formed/built. To understand this further, I would like to confirm the following, especially the flow, based on the sample configuration and the diagram I have created.

    Question:

    1. From Spoke Site A, a static crypto map "ST_CRYPTO" has been applied, and in my understanding this will be used to build IPsec traffic that will be used to reach the trustpoint servers?

    2. During the implementation we need to manually authenticate and enroll the PKI trustpoint; with these certificates in place, how does the SPOKE router use this certificate?

    Note: In the current config, I can't find anything related to rsa-sig type authentication in crypto isakmp.

    3. Once the certificate has been placed, by default the router saves it to NVRAM, so if the router reboots we don't need to authenticate or re-enroll the router?

    4. Can you give input regarding this design and why we need a remote router just to connect to the trustpoint instead of directly connecting to the Hub router?

    Kinda confused about this setup and how the spoke routers use their certificates to authenticate to the HUB.

    Diagram:

    https://imgur.com/KKescvV

    Sample Config:

    Spoke router A

    Int Gi0/0
     ip address 136.18.100.1 255.255.255.0
     ip vrf forwarding PUBLIC
     crypto map ST_CRYPTO
    !
    interface Loopback0
     ip vrf forwarding INTERNET
     ip address 172.16.1.1 255.255.255.255
    !
    # PHASE 1
    crypto isakmp policy 1
     encr aes 256
     group 5
    !
    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     group 2
    !
    crypto isakmp profile ST_CRYPTO
     vrf PUBLIC
     match identity host remotedevice.com PUBLIC
    !
    crypto ipsec transform-set TRANS_ST_CRYPTO esp-aes 256 esp-sha-hmac
     mode tunnel
    !
    crypto map ST_CRYPTO 1 ipsec-isakmp
     set peer 222.77.0.1
     set transform-set TRANS_ST_CRYPTO
     match address ST_CRYPTO_ACL
    !
    ip access-list extended ST_CRYPTO_ACL
     permit ip host 172.16.1.1 any
    !
    crypto pki trustpoint TRUSTED_H
     enrollment url http://222.77.0.1:80   <---- REMOTE DEVICE
     serial-number none
     fqdn spokesitea.com
     ip-address none
     fingerprint <>
     subject-name CN=spokesitea
     vrf PUBLIC
     revocation-check none
     rsakeypair TRUSTED_H 1024
     auto-enroll 75 regenerate
    ######### DMVPN #########
    interface Tunnel0 (DMVPN CONFIG)
     ip vrf forwarding PUBLIC
     tunnel protection ipsec profile DMVPN_CRYPTO shared
    !
    crypto isakmp profile DMVPN_CRYPTO
     vrf PUBLIC
     match identity host domain test.com
    !
    crypto ipsec profile DMVPN_CRYPTO
     set transform-set TRANS_DMVPN_CRYPTO
     set isakmp-profile DMVPN_CRYPTO
    !
    crypto ipsec transform-set TRANS_DMVPN_CRYPTO esp-aes 256 esp-sha-hmac
     mode transport
    !
    crypto pki trustpoint DM_PKI
     enrollment url http://192.168.1.1:80
     serial-number none
     fqdn rtrspokea.com
     ip-address none
     password xxx
     fingerprint xxx
     subject-name CN=rtrspokea
     vrf PUBLIC
     revocation-check none
     source interface Loopback0
     rsakeypair DM_PKI 1024
     auto-enroll 75 regenerate

    Remote Device

    interface G0/0
     ip address 222.77.0.1/30
     crypto map CRYPT_RM
    !
    crypto isakmp policy 1
     encr aes 256
     group 5
    !
    crypto map CRYPT_RM 1 ipsec-isakmp dynamic CRYPT_RM_DYNMAP
    !
    crypto dynamic-map CRYPT_RM_DYNMAP 10
     set transform-set TRANS_CRYPT_RM
     set isakmp-profile CRYPT_RM-profile
    !
    crypto ipsec transform-set TRANS_CRYPT_RM esp-aes 256 esp-sha-hmac
     mode tunnel
    !
    crypto isakmp profile CRYPT_RM-profile
     vrf IN
     ca trust-point cert-self
     match identity address 0.0.0.0
     match certificate CERTSELFMAP
    !
    crypto pki trustpoint cert-self
     enrollment url http://10.168.1.1:80
     serial-number none
     fqdn rdevice.com
     ip-address none
     subject-name CN=xx-rdevice
     vrf IN
     revocation-check none
     rsakeypair cert-self 1024
     auto-enroll 75 regenerate
     authorization list pkiaaa
     authorization username subjectname cname
    !
    crypto pki certificate map CERTSELFMAP 10
     issuer-name co certself-pki
    !
    crypto pki server certself-pki
     database archive pkcs12 password xxxxxx
     grant auto
     hash sha1
     lifetime certificate 1095
     lifetime ca-certificate 1825
     auto-rollover 275
     database url bootflash:/

    Hub Router

    interface Tunnel0 (DMVPN CONFIG)
     tunnel vrf PUBLIC
     tunnel protection ipsec profile C_IPSEC shared
    crypto isakmp policy 1
     encr aes 256
     group 5
    !
    crypto ipsec transform-set TRANS_C_IPSEC esp-aes 256 esp-sha-hmac
     mode transport
    !
    crypto ipsec profile C_IPSEC
     set transform-set TRANS_C_IPSEC
    !
    crypto pki trustpoint RTR_PKI
     enrollment url http://192.168.1.1:80
     serial-number none
     fqdn rtrhub.com
     ip-address none
     subject-name CN=xx-rtrhub
     revocation-check none
     rsakeypair C_IPSEC 1024
     auto-enroll 75
     authorization list xxxx
     authorization username subjectname cname
    !
    crypto pki certificate chain RTR_PKI

    Thank you

    submitted by /u/1searching
    [link] [comments]

    HP Procurve Switches authenticating against a secondary NPS server - not working?

    Posted: 14 Feb 2020 01:25 PM PST

    Hey All

    Trying to add some basic redundancy to my NPS setup. Currently I have an NPS01 server, and it's fully functional for my switches to authenticate against.

    I spun up NPS02, exported my config from NPS01 and imported it back into NPS02.

    I ran radius-server host x.x.x.x key "enterkeyhere" and this shows in my running config.

    But, if I disable NPS service on my NPS01 server, I am then unable to authenticate.

    In my event viewer, I seem to have successful logon events, followed by Token Right Adjusted events, but my PuTTY session will not authenticate.

    Anyone have any suggestions? Appreciate it.

    submitted by /u/sysadminmakesmecry
    [link] [comments]

    Path MTU with centrally switched SSID issue

    Posted: 14 Feb 2020 10:39 AM PST

    Rather than seeing "Kick starting Dynamic Path MTU Discovery" after a failed ICMP (as expected based on this Cisco documentation), I am seeing messages about a "reliable queue":

    CAPWAP_PATHMTU: Received ICMP Dst unreachable

    CAPWAP_PATHMTU: Src port:5246 Dst Port:54799, SrcAddr:xxx.xxx.xxx.xxx Dst Addr:xxx.xxx.xxx.xxx

    CAPWAP_PATHMTU: Calculated MTU 1421, last_icmp_mtu 1432

    CAPWAP_INFO: Path MTU message could not reach WLC, Removing it from the Reliable Queue

    CAPWAP_PATHMTU: Path MTU message could not reach WLC, Removing it from the Reliable Queue

    SSID is centrally switched. Controller is located at an offsite datacenter. Meraki security appliance is used for routing.

    Can anyone explain, point to documentation, or provide variables for me to look into?

    submitted by /u/repetativeTasks
    [link] [comments]

    Supplier remote access

    Posted: 14 Feb 2020 08:12 AM PST

    Hi there,

    How do you guys grant access to (software) suppliers needing to do maintenance on one of the internal systems they are responsible for? Eg. Software vendor needs to do an upgrade of their application on an internal server, so access to the OS (Windows) is required

    The company policy is to deny all TeamViewer/anydesk like applications.

    Can your suggestion prevent hopping to other systems?

    TIA

    submitted by /u/Wired70
    [link] [comments]

    Ciena PacketWave 8700 and Rancid

    Posted: 14 Feb 2020 11:03 AM PST

    Is anyone using the Ciena PacketWave platform with RANCID? I inherited some Ciena PacketWave switches from a position change and I can't seem to get them into my RANCID for anything. Does anyone have a working RANCID script for the PacketWave series?

    submitted by /u/geeks81
    [link] [comments]

    DHCP security on DELL FTOS switches

    Posted: 14 Feb 2020 04:00 PM PST

    Hey Guys,

    I know there is a way to allow only one port on the switch to broadcast DHCP messages, but is there a way to allow only the internal layer 3 switch to broadcast DHCP messages? I looked everywhere but can't figure it out.

    We use Dell S4810s and Dell S60s with FTOS versions ranging from 8.3 to 9.10. I can't figure out how to isolate the Dell switch itself to be the sole broadcasting DHCP server. We keep running into rogue devices that are broadcasting DHCP addresses and messing things up. Once the IT team plugged a SonicWall into our isolated media network, and then the host computers started getting the wrong IP scheme!

    Please any help, other than telling me that I need to install an additional piece of hardware, would be appreciated.

    -MudKing

    submitted by /u/MudKing1234
    [link] [comments]
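    Whatever the switch-side answer turns out to be, the poster's real problem is not knowing when a rogue device starts answering DHCP. As an added example (not code from the post or from Dell), here is a Python detector for that condition: it parses raw DHCP payloads using the BOOTP header layout from RFC 2131 and the option encoding from RFC 2132, reads the message type (option 53) and server identifier (option 54), and reports every OFFER or ACK whose server is not on an authorised list. The packets are constructed inside the script with a small builder, and using 10.10.0.1 as the legitimate L3 switch's DHCP address is an assumption.

```python
"""Rogue DHCP server detection from DHCP payloads.

Added example (not code from the original post): parses the BOOTP/DHCP
payload layout from RFC 2131/2132, reads the message type (option 53) and
server identifier (option 54), and reports every OFFER or ACK whose server
is not on the authorised list. The packets below are constructed samples;
10.10.0.1 is assumed to be the internal L3 switch's DHCP address.
"""
import struct
from ipaddress import IPv4Address

DHCP_OFFER, DHCP_ACK = 2, 5
MAGIC_COOKIE = b"\x63\x82\x53\x63"
AUTHORISED_SERVERS = {"10.10.0.1"}       # assumption: the Dell L3 switch


def build_reply(msg_type, server_id, yiaddr, mac=b"\x00\x11\x22\x33\x44\x55"):
    """Build a constructed DHCP reply (op=2) for exercising the detector."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, 0x3903F326, 0, 0x8000,   # op, htype, hlen, hops, xid, secs, flags
        b"\0" * 4,                          # ciaddr
        IPv4Address(yiaddr).packed,         # yiaddr: address being handed out
        IPv4Address(server_id).packed,      # siaddr
        b"\0" * 4,                          # giaddr
        mac + b"\0" * 10, b"\0" * 64, b"\0" * 128,   # chaddr, sname, file
    )
    options = (
        bytes([53, 1, msg_type])
        + bytes([54, 4]) + IPv4Address(server_id).packed
        + bytes([51, 4]) + struct.pack("!I", 86400)
        + b"\xff"
    )
    return header + MAGIC_COOKIE + options


def parse_dhcp(payload: bytes) -> dict:
    """Return the fields the detector needs; raises ValueError on non-DHCP data."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                      # end option
            break
        if code == 0:                        # pad
            i += 1
            continue
        if i + 1 >= len(payload):            # truncated option header
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    server_id = options.get(54)
    return {
        "op": op,
        "xid": xid,
        "chaddr": payload[28:28 + hlen].hex(":"),
        "yiaddr": str(IPv4Address(payload[16:20])),
        "msg_type": options[53][0] if options.get(53) else None,
        "server_id": str(IPv4Address(server_id)) if server_id and len(server_id) == 4 else None,
    }


def find_rogue_offers(payloads, authorised=AUTHORISED_SERVERS):
    """Return parsed OFFER/ACK replies whose server identifier is not authorised."""
    rogues = []
    for raw in payloads:
        try:
            pkt = parse_dhcp(raw)
        except ValueError:
            continue                         # not DHCP, ignore
        if pkt["msg_type"] in (DHCP_OFFER, DHCP_ACK) and pkt["server_id"] not in authorised:
            rogues.append(pkt)
    return rogues


# Constructed samples: two replies from the legitimate server, one from an unauthorised device
SAMPLE_PACKETS = [
    build_reply(DHCP_OFFER, "10.10.0.1", "10.10.0.50"),
    build_reply(DHCP_OFFER, "192.168.0.1", "192.168.0.50"),
    build_reply(DHCP_ACK, "10.10.0.1", "10.10.0.50"),
]

if __name__ == "__main__":
    for r in find_rogue_offers(SAMPLE_PACKETS):
        print(f"rogue DHCP server {r['server_id']} offered {r['yiaddr']} to {r['chaddr']}")
```

    Feeding it real traffic means capturing UDP port 67/68 payloads from a span port or a host on the affected VLAN; the parser deliberately keys on the server identifier option rather than the IP header, since that is the value the client will actually use.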

    MTU on trunk links

    Posted: 14 Feb 2020 03:52 PM PST

    Can someone please explain to me how I can have an MTU of 9214 on the trunk ports on the enterprise switch, but all the host ports and the hosts themselves are 1500 MTU?

    Would all packets be sent across the trunk link in 1500 bits? I'm just curious why the previous network administrator made his trunk ports 9214 between switches, but all the hosts are 1500. Does the jumbo frames between the switches actually help performance?

    submitted by /u/MudKing1234
    [link] [comments]

    How to enable the signal strength slider when opening Air Magnet site surveys?

    Posted: 14 Feb 2020 07:23 AM PST

    I can't seem to find how to enable the signal strength slider in a site survey file that someone else captured. I need to raise the threshold to determine when a spot on a floor plan exceeds the minimum signal strength standard from 1st AP and 2nd AP.

    submitted by /u/Sasquatchwasframed
    [link] [comments]

    How does your org manage change requests and shared rules for firewalls?

    Posted: 13 Feb 2020 06:05 PM PST

    I'm trying to improve information availability and change management on my team. Since we're upgrading some of our boundary equipment, it seems that now is the best time to try and change things for the better.

    From my experience, it seems that Palos lend themselves to enterprise management much more so than Juniper or Cisco variants. However, our Palo deployment is relatively young and we still have plenty of other vendors to support. Excepting the Palos, all of our management of other vendors is CLI-only.

    Basic information / issues:

    • All FW Change requests are submitted via ticket.

    • Post-deployment, customers frequently do not maintain records of their ticket.

    • Internally, it is up to the engineer to track the tickets they work (e.g. it is not tracked in a central location outside of the ticketing system).

    • Customers frequently request after-the-fact additions to their changes (sometimes submit a new one, sometimes not).

    • No internal documentation or tags/notes on the FW on a per-ticket basis for rules.

    What the above means is that, depending on the person doing the ticket, we may have one rule that allows the original request but the follow-on rule (even if it is technically only adding a single IP) may be a separate rule entirely. This has led to pretty severe bloat with rules, especially if the ports or IPs submitted are superfluous. Does your org implement timely rule reviews and delete any unused or modify 0-hit rules?

    This issue is somewhat compounded by having multiple DMZs and multiple egress points, so some DMZs may have a rule or NAT that needs to be replicated / advertised / etc. in case of failover, which may add a layer of complexity to tracking changes or migrating rules.

    Additionally, how does your org standardize object names or rule sets? This is, again, dependent on the engineer and there may be objects such as "1.1.1.1-32-DEPT1" or "DC1-DNS." It's not terrible, but I'd like some type of order.

    And finally... with all of this combined together, sometimes we have rules that just draw blanks. No idea why it's there, who it belongs to, etc. but we still need them to exist. The ultimate goal is to eliminate that and make the rules easily trackable and engineer-readable.

    Would appreciate any suggestions!

    submitted by /u/downgraded
    [link] [comments]
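    The rule-review the poster is asking about can be made mechanical, whatever the vendor, as long as you can export the rule base with hit counts. As an added example (not code from the post or from any firewall vendor), here is a vendor-neutral Python review of an ordered rule list: it flags rules fully covered by an earlier rule with the same action (redundant), rules fully covered by an earlier rule with the opposite action (shadowed, so never hit), zero-hit rules, rules with no ticket reference, and groups of rules that differ only in source address and are candidates for a single object-group rule, which is exactly the "follow-on rule for one more IP" pattern described above. The Rule shape and the sample rule set are my own constructions using documentation prefixes.

```python
"""Firewall rule-set review: redundancy, shadowing, zero-hit and untracked rules.

Added example (not code from the original post): a vendor-neutral review of
an ordered rule list. It flags rules fully covered by an earlier rule with
the same action (redundant) or the opposite action (shadowed, never hit),
rules with a zero hit count, rules with no ticket reference, and groups of
rules that differ only in source and could be merged behind one object
group. The rules below are constructed samples using documentation prefixes.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "any"
    ports: tuple        # inclusive (low, high) destination port range
    action: str         # "permit" or "deny"
    hits: int
    ticket: str = ""    # change-ticket reference recorded on the rule


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matching `inner` also matches `outer`."""
    return (
        ip_network(inner.src).subnet_of(ip_network(outer.src))
        and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
        and outer.proto in ("any", inner.proto)
        and outer.ports[0] <= inner.ports[0]
        and inner.ports[1] <= outer.ports[1]
    )


def review(rules):
    """Return (rule_name, finding, related_rules) tuples in rule order."""
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                # First-match semantics: the first covering rule decides the fate of this one
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((rule.name, kind, earlier.name))
                break
        if rule.hits == 0:
            findings.append((rule.name, "zero-hit", ""))
        if not rule.ticket:
            findings.append((rule.name, "no-ticket", ""))
    # Rules that differ only in source are candidates for one object-group rule
    groups = defaultdict(list)
    for rule in rules:
        groups[(rule.dst, rule.proto, rule.ports, rule.action)].append(rule.name)
    for names in groups.values():
        if len(names) > 1:
            findings.append((names[0], "merge-candidates", ",".join(names[1:])))
    return findings


# Constructed sample rule base (documentation prefixes, hit counts invented)
SAMPLE_RULES = [
    Rule("R1-DEPT1-HTTPS", "10.1.1.1/32", "10.2.0.10/32", "tcp", (443, 443), "permit", 1200, "CHG-1001"),
    Rule("R2-DEPT1-HTTPS-2", "10.1.1.2/32", "10.2.0.10/32", "tcp", (443, 443), "permit", 40),
    Rule("R3-DEPT1-WIDE", "10.1.1.0/24", "10.2.0.10/32", "tcp", (443, 443), "permit", 0, "CHG-1002"),
    Rule("R4-DUP", "10.1.1.1/32", "10.2.0.10/32", "tcp", (443, 443), "permit", 0),
    Rule("R5-BLOCK", "10.1.1.1/32", "10.2.0.10/32", "tcp", (443, 443), "deny", 0, "CHG-1003"),
]

if __name__ == "__main__":
    for name, kind, related in review(SAMPLE_RULES):
        print(f"{name:18} {kind:17} {related}")
```

    The "shadowed" finding is the one worth acting on first: a deny that sits below a broader permit gives the false impression of a control that is not actually enforced.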

    Can't get more than 1 UDP/RTP video stream on my network

    Posted: 14 Feb 2020 06:48 AM PST

    Can anyone help me out with UDP or RTP video streaming? I'm trying to send 5 video feeds from 5 different PCs running OBS to a central PC where I can stream them. I can consistently get 1 video stream to open on UDP and RTP but nothing more (even though I know the ports are open).

    submitted by /u/AtticusNari
    [link] [comments]

    Vlan randomly dropping

    Posted: 14 Feb 2020 06:48 AM PST

    We are experiencing an issue where a vlan is randomly going up and down on one of our switches and then stabilizing. Neither the uplink interface nor the host interface are bouncing. What could be causing this to happen?

    Log Buffer (4096 bytes):
    eb 14 04:12:07 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
    .Feb 14 04:12:17 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
    .Feb 14 04:12:17 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
    .Feb 14 04:12:48 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
    .Feb 14 04:12:48 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
    .Feb 14 04:12:53 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
    .Feb 14 04:12:53 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
    .Feb 14 04:12:59 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
    .Feb 14 04:12:59 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
    .Feb 14 04:13:01 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
    .Feb 14 04:13:01 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
    .Feb 14 04:13:05 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
    .Feb 14 04:13:05 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
    .Feb 14 04:13:06 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
    .Feb 14 04:13:06 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
    .Feb 14 04:13:14 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
    .Feb 14 04:13:14 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
    .Feb 14 04:13:18 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
    .Feb 14 04:13:18 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
    .Feb 14 04:13:20 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
    .Feb 14 04:13:20 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
    .Feb 14 04:13:24 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
    .Feb 14 04:13:24 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
    .Feb 14 04:13:26 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
    .Feb 14 04:13:26 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
    .Feb 14 04:13:32 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
    .Feb 14 04:13:32 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
    .Feb 14 04:13:42 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
    .Feb 14 04:13:42 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
    .Feb 14 04:13:46 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
    .Feb 14 04:13:46 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
    .Feb 14 04:13:46 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
    .Feb 14 04:13:46 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
    .Feb 14 04:14:18 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
    .Feb 14 04:14:18 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
    .Feb 14 04:15:26 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
    .Feb 14 04:15:26 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
    .Feb 14 04:15:57 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
    .Feb 14 04:15:57 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
    .Feb 14 04:16:09 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
    .Feb 14 04:16:09 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up

    Uplink
    FastEthernet1/8 is up, line protocol is up (connected)
      Hardware is Fast Ethernet, address is 7001.b5f3.8f8a (bia 7001.b5f3.8f8a)
      Description: Uplink
      MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
         reliability 255/255, txload 52/255, rxload 53/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full-duplex, 100Mb/s, media type is 10/100BaseTX
      input flow-control is off, output flow-control is unsupported
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:00, output 00:00:04, output hang never
      Last clearing of "show interface" counters 23:57:55
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 32
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 20994000 bits/sec, 2344 packets/sec
      5 minute output rate 20532000 bits/sec, 2108 packets/sec
         104294441 packets input, 114856748374 bytes, 0 no buffer
         Received 485390 broadcasts (458835 multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 458835 multicast, 0 pause input
         0 input packets with dribble condition detected
         95047409 packets output, 110239191014 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier, 0 pause output
         0 output buffer failures, 0 output buffers swapped out

    Host
    FastEthernet1/3 is up, line protocol is up (connected)
      Hardware is Fast Ethernet, address is 7001.b5f3.8f85 (bia 7001.b5f3.8f85)
      Description: Server
      MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full-duplex, 100Mb/s, media type is 10/100BaseTX
      input flow-control is off, output flow-control is unsupported
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:04:05, output 00:00:00, output hang never
      Last clearing of "show interface" counters 23:58:45
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 14000 bits/sec, 5 packets/sec
      5 minute output rate 46000 bits/sec, 9 packets/sec
         661276 packets input, 261701907 bytes, 0 no buffer
         Received 5957 broadcasts (3610 multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 3610 multicast, 0 pause input
         0 input packets with dribble condition detected
         1076200 packets output, 676022355 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier, 0 pause output
         0 output buffer failures, 0 output buffers swapped out

    Vlan
    Interface Vlan666 is up, line protocol is up
      Hardware is EtherSVI, address is 7001.b5f3.8fc1 (bia 7001.b5f3.8fc1)
      Description: Private Network
      Internet address is 192.168.1.20/24
      MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive not supported
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:00, output 00:00:00, output hang never
      Last clearing of "show interface" counters 1d00h
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 1000 bits/sec, 2 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         219640 packets input, 25640446 bytes, 0 no buffer
         Received 0 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         14057 packets output, 2612243 bytes, 0 underruns
         0 output errors, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out
    submitted by /u/rangeview
    [link] [comments]

    FMCv Version with Restore and Re-association

    Posted: 14 Feb 2020 06:46 AM PST

    Hi everybody,

    Weird issue I know (but what isn't weird with FMC/FTD?), but here's the TLDR:

    Can I re-associate a FMCv with a FTD appliance if the FMCv is running a newer version from the last policy deployment?

    Longer version:

    I need to restore a FMCv from backup after hardware failure. My most recent backup was off of 6.2.x. At the time of failure, my FMC was running 6.3.x and I don't have a backup from 6.3.x. Last policy deployment to FTD was from 6.3.x.

    I've rebuilt my FMC on 6.2.x and restored from my 6.2.x backup. Do I need to upgrade to the version of 6.3.x I was using at the time of failure and then re-associate with my FTD appliance, or can I upgrade from 6.2.x to the latest gold star (6.4.0 plus 6.4.0.7 patch) and then re-associate?

    I realize I could just ask TAC but I value real-world experience more with some of these FMC/FTD quirks.

    Thanks and enjoy your Friday.

    submitted by /u/Subnetmask9473
    [link] [comments]

    When to disable CEF

    Posted: 14 Feb 2020 06:33 AM PST

    I am currently learning about CEF and I came across the command "no ip route-cache cef", which I do understand what it does: essentially, it enables fast switching/process switching on an interface.

    What I don't seem to understand is why someone would disable CEF on an interface.

    Could a wise networker provide me with a use case of disabling CEF on an interface?

    Thanks

    submitted by /u/GNGOGH
    [link] [comments]

    Juniper 4200 port based authentication help

    Posted: 14 Feb 2020 08:16 AM PST

    Hello all, Non-sysadmin net administrator trying to implement port-based authentication on an ex4200-48P, using NPS as an authentication server.

    nps server 10.0.0.1/24

    switch 10.0.1.253/24

    set system login user remote full-name "radius user"

    set system login user remote uid 2012

    set system login user remote class super-user

    set system radius-server 10.0.0.1 secret "secret"

    set system radius-server 10.0.0.1 source-address 10.0.1.253

    set system authentication-order radius

    set system authentication-order password

    set protocols dot1x authenticator interface ge-0/0/x.0 supplicant single

    This switch has a l2 connection to a core switch which has access to the radius server.

    RADIUS authentication for logging into the switches with LDAP does work great, but I just cannot get the computer to authenticate. I keep getting an error on the computer that says "Contact your network administrator\nA problem with your user account needs to be resolved" and I cannot find any useful logs on the NPS server. I have tried the config on a few different switches, some version 15, but it will not give me any ground.

    I followed this guide to originally get it all setup

    https://ericrochow.wordpress.com/2012/09/26/configure-juniper-routers-for-aaa-with-microsoft-nps/

    Certificates templates were made using

    https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-cert-requirements

    I tried posting on r/Juniper but haven't had any luck.

    The NPS server does have the juniper vendor specific options, and is pingable from the computer/switch. Has anyone ran into this?

    submitted by /u/Milkelton
    [link] [comments]

    Anyone out there using BackBox for Network (router/switch/fw/etc) backups? Thoughts?

    Posted: 14 Feb 2020 03:30 PM PST

    Typically I hate to ask about particular products but I was recently looking at BackBox to back up some Cisco/Checkpoint/Citrix devices. Anyone out there use the product and have any pros/cons or even alternative products for backing up their infrastructure? Today we back up routers/switches using the built-in archive feature of Cisco IOS devices and back up firewalls/etc whenever we think about it. Have you been in that same position of just backing up whenever, and have you moved to a professional backup solution, and did it work for you? Were there any real-world wins with a solution where you were like.. damn.. thank god we had this? (lame that I think of this on a Friday night... haha)

    submitted by /u/Motavar
    [link] [comments]

    Cisco Firewall Log Question

    Posted: 14 Feb 2020 03:28 PM PST

    We have a Cisco ASA5540 and today saw some logs that baffle me.

    Feb 14 14:54:50 %ASA-5-106100: access-list ACL-OUTSIDE denied tcp outside/b.b.b.b(51222) -> inside/c.c.c.c(55555) hit-cnt 1 first hit [0x214ded14, 0x0]

    where:

    b.b.b.b is a public IP (hostile IP)

    c.c.c.c is an internal LAN IP

    There are no NAT policies whatsoever that are related to c.c.c.c, but we get the deny log trying to translate it from public to private. Shouldn't the firewall automatically block this if there is no matching NAT policy? I'm not sure if this is port scan activity, but how would you specifically make the firewall translate something to a specific IP if there's no matching policy? I'd think the connection would just be denied since there was no established connection.

    submitted by /u/LinuxPhoton
    [link] [comments]
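An added example, not part of the post above: the line the poster quoted is a `%ASA-x-106100` ACL hit message, and the field that settles what happened is the `denied` token (the ACL dropped the packet; the interface/address pairs are what the ASA resolved for source and destination, not evidence that anything was forwarded). The script below parses 106100 lines into their fields, ignores other message IDs, and groups denies per source so a one-off probe can be told from a port sweep. The log lines are constructed for the example (TEST-NET addresses patterned on the poster's line); thresholds and the lack of a time window are deliberately simple.

```python
"""Parse Cisco ASA %ASA-x-106100 ACL log lines and group denies per source.

Added example, not from the original post. SAMPLE_LOGS is constructed for the
example and patterned on the line the poster quoted; the IPs are documentation
ranges, not real hosts.
"""
import re
from collections import defaultdict

SAMPLE_LOGS = [  # constructed sample input
    "Feb 14 14:54:50 %ASA-5-106100: access-list ACL-OUTSIDE denied tcp outside/198.51.100.7(51222) -> inside/10.0.0.25(55555) hit-cnt 1 first hit [0x214ded14, 0x0]",
    "Feb 14 14:54:51 %ASA-5-106100: access-list ACL-OUTSIDE denied tcp outside/198.51.100.7(51223) -> inside/10.0.0.25(3389) hit-cnt 1 first hit [0x214ded15, 0x0]",
    "Feb 14 14:54:52 %ASA-5-106100: access-list ACL-OUTSIDE denied tcp outside/198.51.100.7(51224) -> inside/10.0.0.25(22) hit-cnt 1 first hit [0x214ded16, 0x0]",
    "Feb 14 14:55:10 %ASA-5-106100: access-list ACL-OUTSIDE permitted tcp outside/203.0.113.9(40001) -> inside/10.0.0.25(443) hit-cnt 12 300-second interval [0x214ded20, 0x0]",
    # A different message ID (106023) on the same feed: the parser must skip it, not crash.
    'Feb 14 14:55:11 %ASA-4-106023: Deny udp src outside:203.0.113.9/5000 dst inside:10.0.0.25/161 by access-group "ACL-OUTSIDE"',
]

# Field layout of 106100: access-list <acl> {permitted|denied|est-allowed} <proto>
# <in_if>/<src>(<sport>) -> <out_if>/<dst>(<dport>) hit-cnt <n> {first hit|<n>-second interval} [<hash>, <hash>]
LOG106100 = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) %ASA-(?P<sev>\d)-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<src_if>[^/]+)/(?P<src>[^(]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/]+)/(?P<dst>[^(]+)\((?P<dport>\d+)\) "
    r"hit-cnt (?P<hits>\d+) (?P<interval>first hit|\d+-second interval) "
    r"\[(?P<hash1>0x[0-9a-fA-F]+), (?P<hash2>0x[0-9a-fA-F]+)\]$"
)


def parse_acl_log(line):
    """Return the fields of one 106100 line as a dict, or None for any other message."""
    m = LOG106100.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sev", "sport", "dport", "hits"):
        rec[key] = int(rec[key])
    return rec


def denies_by_source(lines):
    """Group denied hits as {src: {dst: set(dst_ports)}}; permitted hits are ignored."""
    out = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_acl_log(line)
        if rec and rec["action"] == "denied":
            out[rec["src"]][rec["dst"]].add(rec["dport"])
    return {src: dict(dsts) for src, dsts in out.items()}


def scan_candidates(lines, min_ports=3):
    """(src, dst) pairs whose denies cover at least min_ports distinct destination ports.

    A crude port-sweep heuristic; a real detection would bound it by time window
    and whitelist known scanners.
    """
    hits = {}
    for src, dsts in denies_by_source(lines).items():
        for dst, ports in dsts.items():
            if len(ports) >= min_ports:
                hits[(src, dst)] = ports
    return hits


if __name__ == "__main__":
    for rec in filter(None, map(parse_acl_log, SAMPLE_LOGS)):
        print(f'{rec["ts"]} {rec["acl"]} {rec["action"]:9} {rec["src"]}:{rec["sport"]} -> {rec["dst"]}:{rec["dport"]}')
    print("sweep candidates:", scan_candidates(SAMPLE_LOGS))
```

Run it against a saved syslog file by replacing `SAMPLE_LOGS` with the file's lines; the 106023 line shows why the parser returns `None` rather than raising, since an ASA feed mixes many message IDs.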

    Windows traceroute actually doing ping

    Posted: 14 Feb 2020 02:37 AM PST

    I have a windows server that always returns a hop count of 1 for any destination. It sends out the ICMP packets as though they are pings with a TTL of 128 even though I am executing tracert.

    Anyone know how to cure this?

    E.g.:

    C:\Users\X>tracert 8.8.8.8
    
    Tracing route to dns.google [8.8.8.8]
    over a maximum of 30 hops:
    
      1    10 ms     9 ms     9 ms  dns.google [8.8.8.8]
    
    Trace complete.

    submitted by /u/L1onH3art_
    [link] [comments]

    NSX-T Training

    Posted: 14 Feb 2020 05:56 AM PST

    I just found out that I have to go to NSX-T training out in Phoenix. VMware is hosting the training, but it's for three weeks spanned across three consecutive months (which means three round trips). Has anyone taken training on NSX-T? Is it beneficial?

    submitted by /u/modboom
    [link] [comments]

    VPLS Tunnel Between Cisco and Juniper Help

    Posted: 14 Feb 2020 07:02 AM PST

    Ok /r/Networking, I am way over my head and running out of time. We currently run mostly Juniper equipment where I work, but it looks like we will be adding in some Cisco. We have a VPLS connection to extend Layer 2 for some phones. This is not negotiable and has to work. We are slowly changing the equipment out as well since this is over a pretty large geographic area, and we need to make the Cisco and Juniper equipment play nicely together. Ideally we would only need to make changes to the Cisco config as the Juniper is in production and working as is. I was not the one who originally designed this setup, and that person is no longer with the organization, and it seems like they made this more complicated than it needs to be since there is a GRE tunnel involved as well as BGP, LDP and IS-IS. Since this is a lengthy problem I am going to try and save space by trimming the configs down to what I believe are the most relevant pieces. The equipment is a Juniper SRX 550 running 12.3X48-D70.4 and the Cisco is a C9300-24UX on CAT9K_IOSXE 16.12.02.

    Juniper Section:

    set interfaces ge-6/0/11 vlan-tagging
    set interfaces ge-6/0/11 mtu 9000
    set interfaces ge-6/0/11 encapsulation flexible-ethernet-services
    set interfaces ge-6/0/11 unit 100 description "Juniper - Cisco TEST VLAN"
    set interfaces ge-6/0/11 unit 100 encapsulation vlan-vpls
    set interfaces ge-6/0/11 unit 100 vlan-id 100
    set interfaces lo0 unit 0 family inet filter input LIMIT_MGMT_FILTER
    set interfaces lo0 unit 0 family inet address 10.230.139.254/32
    set interfaces lo0 unit 0 family iso address 49.0002.0192.0168.1139.00
    set protocols bgp local-address 10.230.139.254
    set protocols bgp local-as 65001
    set protocols bgp group VPLS_iBGP type internal
    set protocols bgp group VPLS_iBGP family inet unicast
    set protocols bgp group VPLS_iBGP family l2vpn signaling
    set protocols bgp group VPLS_iBGP neighbor 10.230.44.254
    set protocols mpls interface gr-0/0/0.1
    set protocols isis interface gr-0/0/0.1
    set protocols isis interface lo0.0
    set protocols ldp interface gr-0/0/0.1
    set protocols ldp interface lo0.0
    set routing-instances Cisco-Juniper_VPLS_VLAN100 instance-type vpls
    set routing-instances Cisco-Juniper_VPLS_VLAN100 interface ge-6/0/11.100
    set routing-instances Cisco-Juniper_VPLS_VLAN100 route-distinguisher 10.230.139.254:100
    set routing-instances Cisco-Juniper_VPLS_VLAN100 vrf-target target:65001:100
    set routing-instances Cisco-Juniper_VPLS_VLAN100 protocols vpls site-range 100
    set routing-instances Cisco-Juniper_VPLS_VLAN100 protocols vpls interface ge-6/0/11.100
    set routing-instances Cisco-Juniper_VPLS_VLAN100 protocols vpls no-tunnel-services
    set routing-instances Cisco-Juniper_VPLS_VLAN100 protocols vpls site 100 site-identifier 2
    set interfaces gr-0/0/0 unit 1 clear-dont-fragment-bit
    set interfaces gr-0/0/0 unit 1 tunnel source 10.230.139.4
    set interfaces gr-0/0/0 unit 1 tunnel destination 10.230.44.4
    set interfaces gr-0/0/0 unit 1 family inet mtu 9000
    set interfaces gr-0/0/0 unit 1 family iso
    set interfaces gr-0/0/0 unit 1 family mpls mtu 9000

    Cisco Section:

    l2 vfi ER-VFI point-to-point
     neighbor 10.230.139.254 100 encapsulation mpls
    !
    l2 vfi ERVV100 manual
     vpn id 100
    !
    interface Loopback0
     ip address 10.230.44.253 255.255.255.255
    !
    interface Loopback2
     ip address 20.20.20.20 255.255.255.0
    !
    interface Tunnel1
     ip address 10.230.44.254 255.255.255.255
     ip mtu 9000
     mpls ip
     tunnel source 10.230.44.4
     tunnel destination 10.230.139.4
    !
    interface TenGigabitEthernet1/0/11
     description "Cisco - Juniper Test VPLS"
     no switchport
     no ip address
     no keepalive
    !
    interface TenGigabitEthernet1/0/11.100
     encapsulation dot1Q 100
     mpls ip
     mpls label protocol ldp
     xconnect 10.230.139.254 1 encapsulation mpls
    !
    router isis
    !
    router isis tag1
     net 49.0002.0192.0168.1140.00
    !
    router bgp 65001
     bgp router-id 10.230.44.253
     bgp log-neighbor-changes
     neighbor 10.230.139.254 remote-as 65001
     !
     address-family ipv4
      network 10.230.44.152 mask 255.255.255.248
      network 20.20.20.20
      neighbor 10.230.139.254 activate
      neighbor 10.230.139.254 send-community extended
      neighbor 10.230.139.254 soft-reconfiguration inbound
     exit-address-family
    !

    The GRE tunnel is working and I have gotten some of the sections to come up, but not everything. I feel like I am either really close or completely off base with the Cisco config. The problem is this is just too far out of my depth, and I have read so many articles on this that things are blurring together. The added complexities, as well as it being a Juniper/Cisco setup, aren't helping. Here are some of the tests I have run:

    root@TEST-Juniper-SRX> show ldp database
    Input label database, 10.230.139.254:0--10.230.44.253:0
      Label     Prefix
          3      0.0.0.0/0
         27      10.64.0.0/16
         16      10.64.96.0/20
         17      10.64.240.0/22
         18      10.64.248.0/22
         19      10.64.254.0/24
         20      10.64.255.0/24
         65      10.177.203.0/24
         64      10.178.8.0/24
         63      10.191.18.64/27
         62      10.191.18.96/27
         61      10.191.18.128/27
         60      10.191.32.0/24
         59      10.191.33.0/24
         58      10.191.34.0/24
         57      10.191.35.0/24
         56      10.191.36.0/24
         55      10.191.37.0/26
         54      10.191.37.192/27
         53      10.191.37.224/27
         52      10.191.54.112/28
         51      10.191.187.0/24
          3      10.230.44.0/25
         21      10.230.44.144/29
         22      10.230.44.152/29
          3      10.230.44.160/29
          3      10.230.44.253/32
         23      10.230.44.254/32
         66      10.230.139.254/32
          3      20.20.20.0/24
         24      Sanitized IP
         50      Sanitized IP
         49      172.16.1.0/24
         48      172.17.188.0/22
         47      172.17.248.0/22
         46      172.18.10.0/24
         45      172.18.11.0/24
         44      172.18.162.0/23
         43      172.18.164.0/22
         42      172.21.0.0/24
         41      172.21.132.0/24
         40      172.21.133.0/24
         39      172.21.134.0/24
         38      172.21.135.0/24
         37      172.24.8.0/22
         25      172.25.148.0/29
         26      172.25.148.8/29
         36      192.168.11.0/24
         35      192.168.68.0/24
         34      192.168.99.0/24
         33      192.168.121.0/24
         32      192.168.125.0/24
         31      192.168.126.0/24
         30      192.168.129.0/24
         29      192.168.133.0/24
         28      192.168.249.0/24
         67      L2CKT CtrlWord ETHERNET VC 1
    Output label database, 10.230.139.254:0--10.230.44.253:0
      Label     Prefix
     300048      10.230.138.254/32
          3      10.230.139.254/32
    Input label database, 10.230.139.254:0--10.230.138.254:0
      Label     Prefix
          3      10.230.138.254/32
     300304      10.230.139.254/32
    Output label database, 10.230.139.254:0--10.230.138.254:0
      Label     Prefix
     300048      10.230.138.254/32
          3      10.230.139.254/32
    root@TEST-Juniper-SRX>

    As you can see, we have another VPLS on the Juniper that is working and I find it odd that the Cisco seems to be just vomiting all of their LDP info to the Juniper. Checking on the VC of the Cisco I get this:

    Cisco-Test#show mpls l2 vc detail
    Local interface: Te1/0/11.100 up, line protocol up, Eth VLAN 100 up
      Destination address: 10.230.139.254, VC ID: 1, VC status: down
        Last error: Local access circuit is not ready for label advertise
        Output interface: none, imposed label stack {}
        Preferred path: not configured
        Default path: no route
        No adjacency
      Create time: 1d17h, last status change time: 1d17h
        Last label FSM state change time: 23:18:09
      Signaling protocol: LDP, peer 10.230.139.254:0 up
        Targeted Hello: 10.230.44.253(LDP Id) -> 10.230.139.254, LDP is DOWN, no binding
        Graceful restart: not configured and not enabled
        Non stop routing: not configured and not enabled
        Status TLV support (local/remote) : enabled/None (no remote binding
          LDP route watch : enabled
          Label/status state machine : local ready, LruRnd
          Last local dataplane status rcvd: No fault
          Last BFD dataplane status rcvd: Not sent
          Last BFD peer monitor status rcvd: No fault
          Last local AC circuit status rcvd: No fault
          Last local AC circuit status sent: DOWN(not-forwarding)
          Last local PW i/f circ status rcvd: No fault
          Last local LDP TLV status sent: No fault
          Last remote LDP TLV status rcvd: None (no remote binding)
          Last remote LDP ADJ status rcvd: None (no remote binding)
        MPLS VC labels: local 67, remote unassigned
        Group ID: local 65, remote unknown
        MTU: local 9000, remote unknown
        Remote interface description:
      Sequencing: receive disabled, send disabled
      Control Word: On (configured: autosense)
      SSO Descriptor: 10.230.139.254/1, local label: 67
      Dataplane:
        SSM segment/switch IDs: 0/0 (used), PWID: 3
      VC statistics:
        transit packet totals: receive 0, send 0
        transit byte totals: receive 0, send 0
        transit packet drops: receive 0, seq error 0, send 0
    Cisco-Test#

    I have tried looking into why the "Local access circuit is not ready for label advertise" but all I ever find are bug reports so that isn't exactly helpful. This is all in a test lab so I can run any tests and make any changes you guys and gals recommend.

    submitted by /u/williamfny
    [link] [comments]
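An added check over the LDP output in the post above (example code, not part of the post). It parses Juniper `show ldp database` output, here a constructed sample reflowed one entry per line and trimmed to a few prefixes from the poster's paste, and reports two things a practitioner would look at first: whether every pseudowire (`L2CKT`) FEC a peer advertised has a matching binding sent back by the SRX (in the poster's output the Cisco side advertised VC 1 and the SRX sent nothing for it, which is consistent with the Cisco VC showing `remote unassigned`), and how many non-/32 prefix labels each peer is pushing. That second count is the "vomiting all of their LDP info" the poster noticed: IOS advertises a label for every IGP prefix by default, and `mpls ldp advertise-labels for <acl>` restricts it to the loopback /32s that transport LSPs actually need. One caveat the script does not cover: the Juniper instance is BGP-signaled VPLS (`family l2vpn signaling`, `site-identifier`) while the Cisco `xconnect` is an LDP-signaled pseudowire, and this only inspects what LDP exchanged.

```python
"""Parse Juniper 'show ldp database' output and sanity-check the bindings.

Added example, not from the original post. SAMPLE is constructed: the poster's
output reflowed one entry per line, with the long prefix list trimmed.
"""
import re
from collections import defaultdict

SAMPLE = """\
Input label database, 10.230.139.254:0--10.230.44.253:0
  Label     Prefix
      3      0.0.0.0/0
     27      10.64.0.0/16
      3      10.230.44.253/32
     23      10.230.44.254/32
     66      10.230.139.254/32
     67      L2CKT CtrlWord ETHERNET VC 1

Output label database, 10.230.139.254:0--10.230.44.253:0
  Label     Prefix
 300048      10.230.138.254/32
      3      10.230.139.254/32

Input label database, 10.230.139.254:0--10.230.138.254:0
  Label     Prefix
      3      10.230.138.254/32
 300304      10.230.139.254/32

Output label database, 10.230.139.254:0--10.230.138.254:0
  Label     Prefix
 300048      10.230.138.254/32
      3      10.230.139.254/32
"""

HEADER = re.compile(r"^(Input|Output) label database, (\S+)--(\S+)$")
ENTRY = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")
L2CKT = re.compile(r"^L2CKT (\S+) (\S+) VC (\d+)$")


def parse_ldp_database(text):
    """Return {(direction, peer_router_id): [(label, fec), ...]} from the CLI output.

    'Input' is what the peer advertised to us, 'Output' is what we advertised to it.
    The ':0' label-space suffix is stripped from the peer identifier.
    """
    db = defaultdict(list)
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            direction, _local, peer = m.groups()
            key = (direction, peer.rsplit(":", 1)[0])
            continue
        if key is None or not line or line.startswith("Label"):
            continue
        m = ENTRY.match(line)
        if m:
            db[key].append((int(m.group(1)), m.group(2)))
    return dict(db)


def pseudowire_fecs(db):
    """Per peer, the L2CKT (pseudowire) bindings in each direction: {peer: {dir: {vc_id: label}}}."""
    pws = defaultdict(lambda: {"Input": {}, "Output": {}})
    for (direction, peer), entries in db.items():
        for label, fec in entries:
            m = L2CKT.match(fec)
            if m:
                pws[peer][direction][int(m.group(3))] = label
    return dict(pws)


def check_pseudowire_symmetry(db):
    """A pseudowire only comes up when both ends bind the same VC ID.

    Return [(peer, vc_id, problem)] for every one-sided binding.
    """
    findings = []
    for peer, dirs in sorted(pseudowire_fecs(db).items()):
        for vc in sorted(dirs["Input"].keys() - dirs["Output"].keys()):
            findings.append((peer, vc, "peer advertised VC but no local binding sent"))
        for vc in sorted(dirs["Output"].keys() - dirs["Input"].keys()):
            findings.append((peer, vc, "local binding sent but peer advertised nothing"))
    return findings


def non_loopback_prefixes(db, direction="Input"):
    """Count prefix bindings other than /32s per peer.

    A transport-only core needs labels for loopbacks; a large count here means the
    peer is advertising labels for its whole IGP table.
    """
    counts = defaultdict(int)
    for (d, peer), entries in db.items():
        if d != direction:
            continue
        for _label, fec in entries:
            if "/" in fec and not fec.endswith("/32"):
                counts[peer] += 1
    return dict(counts)


if __name__ == "__main__":
    db = parse_ldp_database(SAMPLE)
    for peer, vc, problem in check_pseudowire_symmetry(db):
        print(f"peer {peer} VC {vc}: {problem}")
    print("non-/32 prefixes advertised to us:", non_loopback_prefixes(db))
```

On the poster's full output the second number for 10.230.44.253 is in the fifties; the transport session to 10.230.138.254, which carries the working VPLS, exchanges only two /32s.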

    Any cheap alternatives to Fluke cable testers?

    Posted: 14 Feb 2020 06:43 AM PST

    Title. My Org won't spend to get us newer ones, ours are super old and batteries don't hold a charge, even swapping batteries didn't really help.

    submitted by /u/TheAspiringGoat
    [link] [comments]

    How long of a water leak sensor should I get for our network closets?

    Posted: 13 Feb 2020 05:18 PM PST

    I've just been tasked with deploying water leak sensors in my company's network closets to help warn us of any impending water damage. Luckily (knock on wood), I've never had to deal with water damage like that before, so I wanted to hear some of your experiences. I think I want to get ones with sensing cables that alert you if any part touches water, but I'm wondering how long the cables should be. If you've used water sensors before, what cable length has worked well for you in the past? Where did you run the cables in relation to your network racks? Thanks!

    submitted by /u/billthegoat
    [link] [comments]

    PEPlink

    Posted: 14 Feb 2020 04:51 AM PST

    Hi, I would like to ask whether Peplink can limit or block SSH connections from the server?

    submitted by /u/ratski906
    [link] [comments]

    Weird Comware/HP A5120 Problem

    Posted: 14 Feb 2020 12:11 PM PST

    I have a stack of 3 HP A5120 switches, connected with stacking cables. Some ports act like a hub - it basically sends all packets out those ports! I can verify this by looking at the traffic graphs on each port (from a tool like Cacti), or using Wireshark.

    Any suggestions? There are a couple other switches here that don't have this problem and are the same model.

    Config file is here - https://paste.ubuntu.com/p/wqxwDPYRBz/

    submitted by /u/robvas
    [link] [comments]

    Cheaper cisco eBooks?

    Posted: 14 Feb 2020 06:47 AM PST

    Hi,
    At my new job, they are using Cisco FTD firewalls and I want to get a better understanding of this product. I saw a well-rated book on Amazon, but it's $55! for the eBook. Is there a way to get it cheaper? I couldn't find it anywhere else.

    submitted by /u/Ineedafkingusername
    [link] [comments]
