    Wednesday, February 26, 2020

    Network admins - the nice ones Networking

    Network admins - the nice ones

    Posted: 26 Feb 2020 12:45 PM PST

    I love the network admins I meet. Most are just good people who work hard. I try not to put people into a box based on their job title. I've noticed that network admins seem to be good people that others stand on top of. :) You guys are usually alright.

    I'm sure there are plenty of assholes out there but I haven't met many in the networking neck of the woods.

    submitted by /u/i_vant_my_burd
    [link] [comments]

    Anyone use wireshark for troubleshooting?

    Posted: 26 Feb 2020 03:55 AM PST

    Looking to get pointed in the right direction. I work on a networking team as a jr network admin. Trying to learn more about troubleshooting with Wireshark. Our sysadmin team uses Citrix for our thin client images and an issue we have a lot of the time is slow boot times. How could I use Wireshark to troubleshoot that issue? And what I mean is what are some types of things to look for in the packet captures that would point it to being a network related problem? I know from the server side, the sysadmins tell us they see a lot of "retries" from time to time. From videos I have watched, that is something you would see in Wireshark, correct? Thanks!

    submitted by /u/hhhax7
    [link] [comments]
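    As an added example (not part of the post above), the check below does what Wireshark's "tcp.analysis.retransmission" display filter does: it flags a data segment whose sequence number was already sent on the same flow, and reports how long after the first copy it was resent and in which direction. The packet records are constructed inline; the addresses, the Citrix session-reliability port 2598 and the timings are assumptions made for the sample, not data from the post.

```python
# Added example (not from the post): spot TCP retransmissions in a packet list
# the way Wireshark's "tcp.analysis.retransmission" filter does.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    ts: float      # capture time in seconds
    src: str       # "ip:port"
    dst: str       # "ip:port"
    seq: int       # TCP sequence number of the first payload byte
    length: int    # payload bytes (0 for a pure ACK)


def find_retransmissions(segments):
    """Return [(segment, seconds since the same data was first sent)].

    A data segment is a retransmission when a segment with the same flow and
    sequence number was already seen. Pure ACKs carry no data and are skipped.
    Out-of-order and spurious retransmissions are not distinguished here.
    """
    first_seen = {}
    retrans = []
    for seg in sorted(segments, key=lambda s: s.ts):
        if seg.length == 0:
            continue
        key = (seg.src, seg.dst, seg.seq)
        if key in first_seen:
            retrans.append((seg, round(seg.ts - first_seen[key], 3)))
        else:
            first_seen[key] = seg.ts
    return retrans


def retransmissions_by_direction(segments):
    """Count retransmissions per 'src -> dst' so the lossy direction stands out."""
    counts = defaultdict(int)
    for seg, _ in find_retransmissions(segments):
        counts[f"{seg.src} -> {seg.dst}"] += 1
    return dict(counts)


def retransmission_rate(segments):
    """Fraction of data segments that were retransmissions (0.0 on an idle flow)."""
    data = [s for s in segments if s.length > 0]
    return len(find_retransmissions(segments)) / len(data) if data else 0.0


# Constructed sample: a thin client (10.0.0.5) pulling data from a server
# (10.0.1.20) on the Citrix ICA session-reliability port 2598. Two server
# segments are sent again, one after ~300 ms and one after ~1.3 s.
SAMPLE = [
    Segment(0.000, "10.0.0.5:50000", "10.0.1.20:2598", 1, 100),
    Segment(0.010, "10.0.1.20:2598", "10.0.0.5:50000", 1, 0),
    Segment(0.020, "10.0.1.20:2598", "10.0.0.5:50000", 1, 1460),
    Segment(0.021, "10.0.1.20:2598", "10.0.0.5:50000", 1461, 1460),
    Segment(0.320, "10.0.1.20:2598", "10.0.0.5:50000", 1, 1460),
    Segment(1.320, "10.0.1.20:2598", "10.0.0.5:50000", 1, 1460),
]

if __name__ == "__main__":
    for seg, delay in find_retransmissions(SAMPLE):
        print(f"t={seg.ts:.3f} {seg.src} -> {seg.dst} seq={seg.seq} resent after {delay}s")
    print(retransmissions_by_direction(SAMPLE))
    print(f"retransmission rate: {retransmission_rate(SAMPLE):.0%}")
```

    On a real capture the same view comes from the display filter "tcp.analysis.retransmission" in Wireshark (or "tshark -r boot.pcap -Y tcp.analysis.retransmission"); the direction and the gap before the resend are what separate a lossy path from a slow server.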

    Needing some advice/direction on organizing policies

    Posted: 26 Feb 2020 08:46 AM PST

    I manage a growing network. With growth comes the need for standardization and/or organization of things like firewall policies. Being a small-medium company still, we don't have a lot of resources in terms of manpower, so efficiency in ongoing upkeep is pretty important.

    I'm currently replacing some firewalls and redesigning policies to better meet some of our compliance requirements. I'm trying to take the approach of pre-defined "contracts" between subnet-subnet pairs and group-subnet pairs (controlling user network access based on directory group membership).

    Oh, how I wish it were that easy. There's always some edge case. "Well if I rename this group or this contract like this, it accounts for this one edge case too." But I feel like I'm going down a rabbit hole with that, and realizing there's no way I'm going to design something that doesn't need to account for random exceptions without compromising the security of the base contracts. One thing that I think is good is we built the subnets around access control. So subnet 1 contains only data or systems with security classification A, etc. This makes the user piece fairly simple.

    Anyway, what I'm looking for is some general guidance on this topic. Some specific questions I have are:

    1) Assuming I can capture the bulk of the traffic with the contract approach (subnets 4 & 5 always allow traffic between services X, Y and Z), how/where is the best place to manage those versus individual exceptions? Is it okay to just co-mingle them all on the same device, same policy list? Or is there a better practice to separate those?

    2) Any general tips on naming conventions that make it easy to identify things?

    3) As far as individual exceptions to the standard contract policies, do you guys use any system to keep track of those, other than just the comment field on the policy object? I'd like to have a standard set of fields that are repeatable and searchable to make it easier to audit the policies and avoid duplicates/overlap. Given that there are a few people who help manage the network, I want to make sure there's some technical enforcement on these practices.

    For reference, these are data center private cloud environments, not campus or corporate networks. As far as traffic control points, I'm open to any of: gateway, hypervisor, VM host firewall. We're already using all of these, and I'd like to continue to use all of them in complementary ways (inter-subnet traffic within a site would never hit the gateway). I'm just trying to figure out how to tame it all and keep it manageable going forward.

    submitted by /u/wingerd33
    [link] [comments]
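    As an added example (not part of the post above), the linter below is one way to get the technical enforcement asked for in question 3: every rule carries the same fixed metadata fields, exceptions must have an expiry, names must follow a convention, and the tool reports exact duplicates and exceptions already covered by a broader contract. The naming pattern (C- for contracts, X-<ticket>- for exceptions), the required fields and the sample rules are assumptions made for the example, not the poster's conventions.

```python
# Added example (not from the post): lint a firewall policy set for missing
# metadata, expired exceptions, duplicates and exceptions shadowed by contracts.
import re
from dataclasses import dataclass, field
from datetime import date
from ipaddress import ip_network

# Assumed naming convention: C-<SRC>-<DST>-<SERVICE> for contracts,
# X-<TICKET>-<SRC>-<DST>-<SERVICE> for exceptions.
NAME_RE = re.compile(r"^(C|X)-[A-Z0-9]+(-[A-Z0-9]+)+$")
# Assumed required metadata per rule kind; exceptions must carry an expiry.
REQUIRED = {"contract": ("owner", "ticket"),
            "exception": ("owner", "ticket", "expires")}


@dataclass
class Rule:
    name: str
    kind: str                        # "contract" or "exception"
    src: str                         # CIDR
    dst: str                         # CIDR
    ports: frozenset                 # {("tcp", 443), ...}
    meta: dict = field(default_factory=dict)


def covers(broad, narrow):
    """True if every packet matched by `narrow` is also matched by `broad`."""
    return (ip_network(narrow.src).subnet_of(ip_network(broad.src))
            and ip_network(narrow.dst).subnet_of(ip_network(broad.dst))
            and narrow.ports <= broad.ports)


def lint(rules, today=date(2020, 2, 26)):
    """Return a set of (rule name, finding code) pairs."""
    findings = set()
    seen = {}
    for r in rules:
        if not NAME_RE.match(r.name):
            findings.add((r.name, "bad-name"))
        for f in REQUIRED[r.kind]:
            if not r.meta.get(f):
                findings.add((r.name, f"missing-{f}"))
        exp = r.meta.get("expires")
        if exp and date.fromisoformat(exp) < today:
            findings.add((r.name, "expired"))
        key = (r.src, r.dst, r.ports)          # same match fields = duplicate
        if key in seen:
            findings.add((r.name, f"duplicate-of-{seen[key]}"))
        else:
            seen[key] = r.name
    contracts = [r for r in rules if r.kind == "contract"]
    for r in rules:
        if r.kind == "exception":
            for c in contracts:
                if covers(c, r):               # exception adds nothing
                    findings.add((r.name, f"covered-by-{c.name}"))
    return findings


# Constructed sample policy set.
SAMPLE_RULES = [
    Rule("C-SUB4-SUB5-WEB", "contract", "10.4.0.0/24", "10.5.0.0/24",
         frozenset({("tcp", 80), ("tcp", 443)}),
         {"owner": "netops", "ticket": "CHG-100"}),
    Rule("X-4711-SUB4-SUB5-HTTPS", "exception", "10.4.0.10/32", "10.5.0.20/32",
         frozenset({("tcp", 443)}),
         {"owner": "app-a", "ticket": "CHG-4711", "expires": "2020-12-31"}),
    Rule("X-4712-SUB4-SUB7-SSH", "exception", "10.4.0.10/32", "10.7.0.5/32",
         frozenset({("tcp", 22)}),
         {"owner": "app-a", "ticket": "CHG-4712"}),
    Rule("X-4713-SUB6-SUB7-DB", "exception", "10.6.0.0/24", "10.7.0.5/32",
         frozenset({("tcp", 5432)}),
         {"owner": "dba", "ticket": "CHG-4713", "expires": "2019-12-31"}),
    Rule("temp rule", "exception", "10.6.0.0/24", "10.7.0.5/32",
         frozenset({("tcp", 5432)}),
         {"owner": "dba", "ticket": "CHG-4714", "expires": "2020-06-30"}),
]

if __name__ == "__main__":
    for name, code in sorted(lint(SAMPLE_RULES)):
        print(f"{name}: {code}")
```

    Run as a pre-commit hook or a CI step over the exported rule base, this turns the "comment field" convention into something that actually fails when a colleague skips a field, and the covered-by check is what keeps one-off exceptions from piling up next to the contract that already allows them.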

    ASR9901 licensing question

    Posted: 26 Feb 2020 04:28 PM PST

    We are looking at getting some ASR 9901's, but we are struggling to get any concrete answers on how the licensing works. We've reached out to our Cisco SE's and VARs but I don't think we are going to get any answers out of them as they don't know much about ASR9K.

    • We're looking at the ASR9901 120G as we only need about 5-8 10G ports running.
    • We only need 5 VRFs.

    From what I have figured out we just need to get the I-VRF license along with the ASR9901 120G and we are good to go?

    Other than VRF count, is there any extra functionality added in the AIP license over the I-VRF license?

    Additionally, is there any good resource that explains the ASR9901 licensing? I think I have a good picture now, but I have pieced it together from dozens of PDFs and forum posts.

    Thanks.

    submitted by /u/comancheslide
    [link] [comments]

    Multicast issues with pim sparse mode - multicast drops after 5 minutes

    Posted: 26 Feb 2020 11:47 AM PST

    I am having an issue getting multicast pim sparse mode working correctly. In the diagram linked below the orange square site has a pair of Dell S4048-ON in peer routing and VLT. These S4048-ON have the following configurations for multicast done on both peers:

    ip multicast-msdp
    ip msdp-peer x.x.x.2 connect-source loopback 0
    ip pim bsr-candidate Loopback 0
    ip pim-rp-candidate Loopback 0
    # AV vlan for multicast
    interface vlan x
      ip pim sparse-mode
    exit
    # L3 between offices
    interface vlan y
      ip pim sparse-mode
    exit

    The N4000 has the following config:

    ip multicast-routing
    ip pim sparse-mode
    #L3 between offices
    interface vlan y
      ip pim
    exit
    #AV vlan for multicast
    interface vlan x
      ip pim
    exit

    The problem is that I can get multicast to work from the source in the blue area to stream to destination 2 without cutting out. If I multicast from the source to destination 1 on the same L2 network on two separate switches connected to that core, the multicast drops every 5 minutes. If I disable PIM on the AV VLAN on the N4000, multicast in that office works without cutting out, but I can then no longer view these video sources in the other office.

    On the N4000 I can see the two S4048-ON switches as RP.

    Diagram is here

    Any suggestions why multicast keeps dropping out?

    submitted by /u/DanielJay23
    [link] [comments]

    iptables and KVM

    Posted: 26 Feb 2020 08:56 AM PST

    Hello Reddit,

    I am privately renting a root server that I have a few VMs running on. Port forwarding using iptables works like a charm, Let's Encrypt works fine.

    From inside my VMs I can reach the web servers on the LAN IP but not on the public IP. This is probably due to the POSTROUTING chain not being triggered as the packet is not being received on the external interface.

    Instead I suppose it gets generated by the kernel and therefore the rule does not get triggered.
    I can edit the VMs' hosts file, however that causes the SSL cert to be shown as invalid.

    While this is "just" painful for HTTP, for my locally hosted mail server it means that for all other servers I hook up to it, I have to find the option to skip certificate verification, if they have that setting.

    So: any idea how to make the VMs reach the other VMs while showing valid SSL certs?

    Here is the relevant part of my config:
    (yes it's a mess and some parts make no sense)

    # Generated by iptables-save v1.6.1 on Wed Feb 26 16:50:48 2020
    *mangle
    :PREROUTING ACCEPT [348622202:173048463273]
    :INPUT ACCEPT [173518206:8889353392]
    :FORWARD ACCEPT [175103462:164159066617]
    :OUTPUT ACCEPT [25051161:224861128471]
    :POSTROUTING ACCEPT [200147905:389019603904]
    -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
    -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
    -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
    COMMIT
    # Completed on Wed Feb 26 16:50:48 2020
    # Generated by iptables-save v1.6.1 on Wed Feb 26 16:50:48 2020
    *nat
    :PREROUTING ACCEPT [1678938:116363785]
    :INPUT ACCEPT [791489:48881748]
    :OUTPUT ACCEPT [56160:4430993]
    :POSTROUTING ACCEPT [19352950:1161196586]
    -A PREROUTING -d 85.214.YY.YYY/32 -p tcp -m tcp --dport 5022 -j DNAT --to-destination 192.168.122.77:22
    -A PREROUTING -d 85.214.XX.XXX/32 -p udp -m udp --dport 587 -j DNAT --to-destination 192.168.122.204:587
    -A PREROUTING -d 85.214.XX.XXX/32 -p udp -m udp --dport 25 -j DNAT --to-destination 192.168.122.204:25
    -A PREROUTING -d 85.214.XX.XXX/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.122.204:25
    -A PREROUTING -d 85.214.XX.XXX/32 -p tcp -m tcp --dport 587 -j DNAT --to-destination 192.168.122.204:587
    -A PREROUTING -d 85.214.XX.XXX/32 -p tcp -m tcp --dport 1194 -j DNAT --to-destination 192.168.122.188:1194
    -A PREROUTING -d 85.214.XX.XXX/32 -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.122.188:1194
    -A PREROUTING -d 85.214.XX.XXX/32 -p tcp -m tcp --dport 4190 -j DNAT --to-destination 192.168.122.204:4190
    -A PREROUTING -d 85.214.XX.XXX/32 -p tcp -m tcp --dport 143 -j DNAT --to-destination 192.168.122.204:143
    -A PREROUTING -d 85.214.XX.XXX/32 -p tcp -m tcp --dport 193 -j DNAT --to-destination 192.168.122.204:193
    -A PREROUTING -d 85.214.XX.XXX/32 -p tcp -m tcp --dport 993 -j DNAT --to-destination 192.168.122.204:993
    -A PREROUTING -d 85.214.XX.XXX/32 -p tcp -m tcp --dport 995 -j DNAT --to-destination 192.168.122.204:995
    -A PREROUTING -d 85.214.XX.XXX/32 -p tcp -m tcp --dport 465 -j DNAT --to-destination 192.168.122.204:465
    -A PREROUTING -d 85.214.XX.XXX/32 -p udp -m udp --dport 465 -j DNAT --to-destination 192.168.122.204:465
    -A PREROUTING -d 85.214.XX.XXX/32 -p tcp -m tcp --dport 4022 -j DNAT --to-destination 192.168.122.14:22
    -A PREROUTING -d 85.214.XX.XXX/32 -p tcp -m tcp --dport 7022 -j DNAT --to-destination 192.168.122.204:22
    -A PREROUTING -d 85.214.XX.XXX/32 -p tcp -m tcp --dport 9001 -j DNAT --to-destination 192.168.122.168:80
    -A PREROUTING -d 85.214.XX.XXX/32 -p tcp -m tcp --dport 2225 -j DNAT --to-destination 192.168.122.220:22
    -A PREROUTING -d 85.214.XX.XXX/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.122.13:443
    -A PREROUTING -d 85.214.XX.XXX/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.122.13:80
    -A PREROUTING -d 85.214.YY.YYY/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.122.241:443
    -A PREROUTING -d 85.214.YY.YYY/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.122.241:80
    -A PREROUTING -d 85.214.XX.XXX/32 -p tcp -m tcp --dport 3333 -j DNAT --to-destination 192.168.122.141:3306
    -A PREROUTING -d 85.214.XX.XXX/32 -p tcp -m tcp --dport 3022 -j DNAT --to-destination 192.168.122.141:22
    -A PREROUTING -d 85.214.XX.XXX/32 -p tcp -m tcp --dport 2223 -j DNAT --to-destination 192.168.122.131:22
    -A PREROUTING -d 85.214.XX.XXX/32 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.122.87:22
    -A PREROUTING -d 85.214.XX.XXX/32 -p tcp -m tcp --dport 8022 -j DNAT --to-destination 192.168.122.145:22
    -A PREROUTING -d 85.214.XX.XXX/32 -p tcp -m tcp --dport 9022 -j DNAT --to-destination 192.168.122.81:22
    -A PREROUTING -d 85.214.XX.XXX/32 -p tcp -m tcp --dport 10022 -j DNAT --to-destination 192.168.122.85:22
    -A PREROUTING -d 85.214.XX.XXX/32 -p tcp -m tcp --dport 11022 -j DNAT --to-destination 192.168.122.199:22
    -A PREROUTING -d 85.214.XX.XXX/32 -p tcp -m tcp --dport 12022 -j DNAT --to-destination 192.168.122.223:22
    -A PREROUTING -d 85.214.XX.XXX/32 -p tcp -m tcp --dport 13022 -j DNAT --to-destination 192.168.122.194:22
    -A PREROUTING -d 85.214.XX.XXX/32 -p tcp -m tcp --dport 64738 -j DNAT --to-destination 192.168.122.143:64738
    -A PREROUTING -d 85.214.XX.XXX/32 -p udp -m udp --dport 64738 -j DNAT --to-destination 192.168.122.143:64738
    -A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
    -A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
    -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
    -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
    -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
    -A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
    -A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
    -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
    -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
    -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
    -A POSTROUTING -s 192.168.122.204/32 ! -d 192.168.122.0/24 -p udp -j SNAT --to-source 85.214.XX.XXX
    -A POSTROUTING -s 192.168.122.204/32 ! -d 192.168.122.0/24 -p tcp -j SNAT --to-source 85.214.XX.XXX
    -A POSTROUTING -s 192.168.122.96/32 ! -d 192.168.122.0/24 -p tcp -j SNAT --to-source 85.214.XX.XXX
    -A POSTROUTING -s 192.168.122.204/32 -o eth0 -j SNAT --to-source 85.214.XX.XXX
    -A POSTROUTING -s 192.168.122.88/32 -o eth0 -j SNAT --to-source 85.214.XX.XXX
    -A POSTROUTING -s 192.168.122.159/32 -o eth0 -j SNAT --to-source 85.214.XX.XXX
    -A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
    -A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
    -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
    -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
    -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
    -A POSTROUTING -s 193.168.122.0/24 -o eth0 -j SNAT --to-source 85.214.YY.YYY
    COMMIT
    # Completed on Wed Feb 26 16:50:48 2020
    # Generated by iptables-save v1.6.1 on Wed Feb 26 16:50:48 2020
    *filter
    :INPUT ACCEPT [1412:206055]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [1433:349768]
    -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
    -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
    -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
    -A INPUT -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
    -A INPUT -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
    -A INPUT -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
    -A INPUT -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
    -A INPUT -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
    -A INPUT -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
    -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
    -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
    -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
    -A INPUT -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
    -A INPUT -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
    -A INPUT -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
    -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
    -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
    -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
    -A FORWARD -d 192.168.122.0/24 -i eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i virbr1 -o virbr1 -j ACCEPT
    -A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
    -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
    -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -d 192.168.122.0/24 -i eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -d 192.168.122.0/24 -i eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -d 192.168.122.0/24 -i eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -d 192.168.122.0/24 -i eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i virbr1 -o virbr1 -j ACCEPT
    -A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
    -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
    -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -d 192.168.122.0/24 -i eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -d 192.168.122.0/24 -i eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
    -A OUTPUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT
    -A OUTPUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT
    -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
    -A OUTPUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT
    -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
    COMMIT
    # Completed on Wed Feb 26 16:50:48 2020

    submitted by /u/orilicious
    [link] [comments]
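    As an added example (not the poster's configuration and not libvirt code), the script below parses iptables-save output into tables, chains and rules, lists the DNAT port forwards, counts rules that were appended more than once (the pattern visible in the dump above, where libvirt re-adds its bridge rules), and checks for the one rule the question turns on. When a VM sends to the public IP, the packet arrives on the bridge, PREROUTING DNATs it to another VM on the same bridge, and the reply would go straight back VM-to-VM and be dropped by the client as not belonging to its connection, unless a POSTROUTING SNAT/MASQUERADE for bridge-to-bridge traffic makes the reply pass back through the host (NAT reflection, or hairpin NAT). The sample dump, the 203.0.113.10 address and the bridge name virbr0 are constructed for the example.

```python
# Added example (not from the post): parse and audit iptables-save output.
import shlex
from collections import Counter


def parse_iptables_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": [(chain, args)]}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                      # "*nat" opens a table
            table = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif line.startswith(":"):                    # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            table["policies"][chain] = policy
        elif line.startswith("-A "):                  # "-A CHAIN <match args> -j TARGET"
            args = shlex.split(line)[1:]
            table["rules"].append((args[0], tuple(args[1:])))
        elif line == "COMMIT":
            table = None
    return tables


def duplicate_rules(tables):
    """{(table, chain, rule text): count} for rules appended more than once."""
    dupes = {}
    for name, t in tables.items():
        for (chain, args), n in Counter(t["rules"]).items():
            if n > 1:
                dupes[(name, chain, " ".join(args))] = n
    return dupes


def port_forwards(tables):
    """[(proto, public port, 'private host:port')] from nat PREROUTING DNAT rules."""
    out = []
    for chain, args in tables.get("nat", {}).get("rules", []):
        if chain != "PREROUTING" or "DNAT" not in args:
            continue
        a = list(args)
        out.append((a[a.index("-p") + 1],
                    int(a[a.index("--dport") + 1]),
                    a[a.index("--to-destination") + 1]))
    return out


def has_hairpin_snat(tables, lan):
    """True if nat POSTROUTING rewrites the source of LAN-to-LAN (hairpin) traffic."""
    for chain, args in tables.get("nat", {}).get("rules", []):
        if chain != "POSTROUTING":
            continue
        a = list(args)
        try:
            src = a[a.index("-s") + 1]
            di = a.index("-d")
        except ValueError:
            continue
        negated = di > 0 and a[di - 1] == "!"         # "! -d LAN" excludes hairpin
        target = a[a.index("-j") + 1] if "-j" in a else None
        if src == lan and a[di + 1] == lan and not negated and target in ("SNAT", "MASQUERADE"):
            return True
    return False


# Constructed sample dump (203.0.113.10 is a documentation address).
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.122.13:443
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.122.87:22
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
COMMIT
"""
# The hairpin rule the check looks for (assumed bridge name virbr0).
HAIRPIN_RULE = "-A POSTROUTING -s 192.168.122.0/24 -d 192.168.122.0/24 -o virbr0 -j MASQUERADE"
SAMPLE_DUMP_WITH_HAIRPIN = SAMPLE_DUMP.replace("COMMIT\n*filter", HAIRPIN_RULE + "\nCOMMIT\n*filter", 1)

if __name__ == "__main__":
    t = parse_iptables_save(SAMPLE_DUMP)
    print("forwards:", port_forwards(t))
    print("duplicates:", duplicate_rules(t))
    print("hairpin SNAT present:", has_hairpin_snat(t, "192.168.122.0/24"))
```

    Feed it the real dump with "iptables-save | python3 audit.py" after adding a stdin reader; the duplicate report is the quickest way to see which rules libvirt keeps re-adding, and the hairpin check tells you whether VM-to-public-IP connections can complete before you look further at DNS or certificates.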

    Remote Controlled Fiber Optic Disconnect?

    Posted: 26 Feb 2020 02:44 PM PST

    All the (known, yeah, I know..) ingress/egress connections of our system go through disconnects that can be either remotely or locally operated. They can also be operated globally. The device typically used is a Cornet Systems IPS 16/32 (https://cornet.com/product/ips-16-32-rc-redundant-controller/). These work well for copper connections but have no provision for fiber optic connections. One of our partners now wants to drop a fiber connection to us (which is fine), so I'm trying to locate a similar remote/local operation disconnect device for single mode fiber. 19" rackmount is a plus.

    Does anyone know of or use such a device?

    TIA

    EDIT: Corrected model number of Cornet switch. Added product link.

    submitted by /u/ltgcc
    [link] [comments]

    How do i set my Cisco Air AP1852i-e-k9 to standalone?

    Posted: 26 Feb 2020 02:38 AM PST

    I read that when the image file name includes "k9w8" it runs in Lightweight mode, but #show version doesn't give me an image name in the first place - I feel like I am either doing something insanely wrong, or the AP / IOS is screwed.

    The AP currently runs on 8.3.102.0, I wanted to upgrade it but Cisco apparently hates hobby networkers that don't have a service contract so I can't get a newer version.

    So, even though - as far as I can tell - my AP *should* already be running in Standalone mode (the name doesn't include LAP, so it should be standalone out of the box, and as far as I know it's new), I still get heaps of errors regarding CAPWAP and something like "waiting for uplink IP and reachable default gateway" or "[*02/16/2017 04:19:44.9400] grep: /storage/base_capwap_cfg_info: No such file or directory", and I can't #config terminal - I just want to use the AP as a workgroup bridge.

    Can someone enlighten me how the hell I can get to where I want to be? Or should I just get another AP? I'm rather new to the field so sorry if I forgot something.

    submitted by /u/FlyingThunder2992
    [link] [comments]

    What metrics could be used to determine if network is “OK”

    Posted: 26 Feb 2020 02:23 PM PST

    Right so first disclaimer - I am an IT professional but not a network expert. I have a passing knowledge of tcp/ip networking but besides basic routing tables, QoS configs and VLANs I'm probably a newbie in this sub.

    Right so question is - I work in an organisation with 50k+ employees and over 1000 local offices nationally. I'm not directly involved in the running of our network but in my role it has become clear I need to be able to assess (report on) network health for our many offices.

    Because of this I have many really clever network engineers which I can enlist for help and input, and as it turns out my company doesn't seem to be doing any real operational monitoring of our network. This is a gap I have an opportunity to fill, so questions are:

    1) assuming we have nothing in place at the moment except for basic GB in GB out per site, and average & 95th percentile in/out on a five-minute interval, what else should we measure to get a better view of the network?

    2) Using the metrics we have today, and I know this is probably on a site by site basis and based on a general baseline, can we make any general assumptions around the metrics we have to assess network readiness? As an example - we have a site with 1000 users where I can see the average utilisation is >90% consistently during a normal working day, and we have several incidents raised against this site reporting network issues during the same time period - so based on this I might assume any average % above 90 is bad for our entire estate. I know it is not as easy as that, but for all of you guys out there who are truly network professionals, what should I ask the guys to look for?

    3) is there anything else I should request to be set up so we are in a better position going forward?

    submitted by /u/CarefullyCurious
    [link] [comments]

    junos 18.4r1 and higher on a Juniper mx80

    Posted: 26 Feb 2020 12:22 PM PST

    Anyone running a juniper MX5/80 on code above 17?

    JTAC recommended release is 15/17 but there is a nifty rpm-tracking feature introduced in 18.4r1 which would come in handy right now

    submitted by /u/LittleWanger
    [link] [comments]

    Cisco Edge switch secure configuration

    Posted: 26 Feb 2020 07:59 AM PST

    We are looking to configure a new Cisco switch to sit between our firewalls and ISP router. The basic configuration would be a few ports connecting to Internet facing devices and a trunk port connecting to the ISP router. There should be zero access to the switch itself from the Internet, and zero chance of it.

    1. Are there security best practices for configuring this? I have searched for documentation, but most of what I find relates to ASAs, not Cisco switches.
    2. Is it safe to have a management interface VLAN'd off and connected to our internal network? It would be nice for management and monitoring purposes, but makes me a bit paranoid.

    submitted by /u/awarre
    [link] [comments]

    Juniper EX3300 12.3R2.5 Duplicating Packets (I think)

    Posted: 26 Feb 2020 11:36 AM PST

    So, I'm getting VRRP duplicate address errors on my cores. I have dual cores connected via a single gig trunk to a Juniper stack. I fire up Wireshark and sure enough I see the multicast VRRP packets go into the stack (correct) BUT the same packet is coming back from this stack (not correct). I am 100% positive there is not a loop in my network. So either the Juniper is flooding the multicast packet out the same interface it learned it on (should not happen) or I'm thinking there may be a dual NIC host with some weird routing daemon running in the background. Normally tracking down a packet is easy (show ethernet-switching table) BUT since it's multicast, the SMAC is my core and the DMAC is 00:01:xxxx. Any ideas how I would figure out what is actually doing the duplication?

    It's interesting that I have 10 VLANs running VRRP and only 2 are complaining about duplicate addresses (so whatever is doing the duplication is only doing it on two VLANs). No other multicast/broadcast traffic is being duplicated (that I can see).

    Thanks,

    submitted by /u/tpfannes
    [link] [comments]

    BGP prepending questions.

    Posted: 26 Feb 2020 04:04 AM PST

    I have done prepending and it is my own blocks I am prepending. I saw a configuration where someone prepended blocks of a different AS. Will this work? I have read you can prepend in or out. Are there specific times you would choose one way over the other?

    submitted by /u/maineac
    [link] [comments]

    GNS3VM VSRX HELP

    Posted: 26 Feb 2020 11:13 AM PST

    I've done the usual of importing an appliance using the .gns3a file, and then uploading the QCOW2 from Juniper. My SRX box keeps going in a loop:

    Booting 'Juniper Linux'

    Loading linux...

    and that's it! Nothing else. I've increased the RAM to 8192MB and vCPU to 4.

    Does anyone have any suggestions? I am able to use Cisco Vswitches, CSR1000V, Cisco ASA using the same methodology without any issues. This SRX box however is not loading. Using the latest GNS3.

    I've even followed this video but everything he does is the same as mine.

    https://www.youtube.com/watch?v=zrkDbOTJoFw

    +--------------------------------------------------------------------------+
    Use the ^ and v keys to select which entry is highlighted.
    Press enter to boot the selected OS, `e' to edit the commands
    before booting or `c' for a command-line.
    The highlighted entry will be executed automatically in 0s.
    Booting `Juniper Linux'
    Loading Linux ...
    kvm: already loaded the other module
    GNU GRUB version 2.00
    +--------------------------------------------------------------------------+
    |Juniper Linux                                                             |
    |Juniper Linux Debug                                                       |
    |Juniper-Linux-Recovery                                                    |
    +--------------------------------------------------------------------------+
    Use the ^ and v keys to select which entry is highlighted.
    Press enter to boot the selected OS, `e' to edit the commands
    before booting or `c' for a command-line.
    The highlighted entry will be executed automatically in 0s.
    Booting `Juniper Linux'
    Loading Linux ...
    kvm: already loaded the other module

    submitted by /u/kart10
    [link] [comments]

    Intentionally increasing upstream latency but not downstream latency. Any ideas?

    Posted: 26 Feb 2020 10:59 AM PST

    Hello all,

    I am doing some testing of an Azure project I am working on and I am curious how to increase a client's (Windows PC) latency for testing.

    I have done some experimenting by creating a VPN connection to a remote location which adds latency for both upload and download. This was good for my testing but not exactly what I am looking for.

    I am curious, does anyone have any tricks to add latency specifically only to upstream packets but not downstream packets?

    I've done a bit of research but my google-fu is struggling with this one. Software would be ideal for this one as I don't have too much equipment apart from a few Cisco ASAs.

    Thanks for any suggestions!

    submitted by /u/PM_ME_BUNZ
    [link] [comments]

    Cisco NAT/Firewall Question

    Posted: 26 Feb 2020 09:45 AM PST

    I have 3 public IP ranges and 2 devices on the internet. An older Cisco 2900 series router that has 2 interfaces, 1 range lands on one interface, another ip range on another. This device routes all traffic for all those public IPs to an ASA that has a typical inside/outside configuration and its outside interface is home to the 3rd public IP range.

    Say for example that one of the IPs that lives on the 2900 is 10.10.10.3, (the interface is configured as 10.10.10.1/28) and there is a route on that same 2900 that routes traffic for that IP (yes I know) to the ASA.

    ip route 10.10.10.3 255.255.255.255 <ASA outside address>

    And on the ASA, there is a nat rule for that IP that translates it to an internal IP address - even though that IP does not exist on any of the interfaces on the ASA.

    I inherited this situation - I'm not sure how someone even configured it this way. I'm not sure how anything works at all.

    I can't post configs without heavy sanitation so that's a maybe.

    My questions are:

    Am I explaining this in a way you can understand?

    How can a Cisco device be set to route to one of its local IP addresses as though it's on another device?

    How is the ASA NATing an IP address that doesn't exist on any of its interfaces?

    What brought this quirk to my attention is that for no apparent reason, some traffic to that IP address 10.10.10.3 mentioned above is being dropped by the ASA under the implicit deny rule even though other traffic coming to that same IP is not dropped. It's like the ASA suddenly realized that that IP doesn't belong to it. But only if the traffic is from certain hosts.

    Now that I've thoroughly confused you, maybe you have some thoughts?

    submitted by /u/OtisB
    [link] [comments]

    Small office network - Homework Topic (basic image included)

    Posted: 26 Feb 2020 07:14 AM PST

    Howdy,

    Not sure if this type of post is allowed after reading the sidebar so I'll try to be specific as possible. I have a homework topic where I have been tasked with setting up a network for a small office who would also like a guest wifi section in their reception. Within their own network they will have 11 Desktop Computers, 1 server and 2 printers.

    My plan for this is to use VLANs on a managed switch to separate the two networks, but herein lies the problem as I have never used them before, only briefly looked at them. I have made a very simple mock network in Packet Tracer but I am unable to add IP addresses to the switch's interfaces; it will be a managed one so it will need them. I also have no real idea how to set up VLANs in Packet Tracer, but it does seem straightforward from playing around in the switch settings.

    Basically I am asking if my proposed plan and IP Addressing Scheme is acceptable and will work, is there anything I should add or remove from the word table? Feedback of any kind is appreciated.

    https://i.imgur.com/0Ecu9xp.jpg

    submitted by /u/GiveKibble
    [link] [comments]

    Fingerprinting python requests?

    Posted: 26 Feb 2020 07:04 AM PST

    I'm hacking together an Amazon API and when only using python requests without proxying, it prompts for a captcha. When routing this python requests traffic through Fiddler, it seems to pass without a problem. Is it possible that Amazon is fingerprinting python requests and Fiddler changes the networking fingerprint since it's a proxy?

    I viewed headers sent from fiddler and python requests and they are the same.

    There is no extra proxying/Fiddler rules/filters set on Fiddler to create a change. I even debugged the headers to see that the ones sent by Fiddler and requests were the same. I'm starting to think it's something on the TCP level although I'm not sure because that's beyond my ability.

    To be clear, all mentioned proxying is only done locally, so it will not change the public ip address.

    Any ideas? Thanks!

    Stackoverflow Q

    submitted by /u/ImZanga
    [link] [comments]

    HP Networking ACL query

    Posted: 26 Feb 2020 05:55 AM PST

    Hi All,

    I need to configure some ACLs to restrict inter vlan communication. I also want to permit only accepted IP traffic out of the subnet in question.

    Subnet - 192.168.35.0/24

    Firewall - 192.168.10.254/24

    My draft ACL is as below which I intend to apply to the VLAN. I would be grateful if somebody could cast their eyes over it and sanity check it. The default gateway for this VLAN is 192.168.35.254 which routes to my firewall 192.168.10.254 - do I need an ACL line for that IP too?

    Inbound Rule

    Block all access apart from my management network 192.168.10.0/24

    Outbound Rule

    Block all traffic out of the network apart from to 192.168.10.5 , 192.168.10.16 , 192.168.10.9

    IP access-list extended "PCI ACL List"
    REMARK "Rules for Inbound Traffic PCI VLAN"
    10 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
    20 permit ip 192.168.10.0 255.255.255.0 192.168.35.0 255.255.255.0
    REMARK "Outbound Traffic PCI VLAN"
    40 permit ip 192.168.35.0 255.255.255.0 192.168.10.5 255.255.255.255
    41 permit ip 192.168.35.0 255.255.255.0 192.168.10.16 255.255.255.255
    42 permit ip 192.168.35.0 255.255.255.0 192.168.10.9 255.255.255.255

    Again, do I need a permit ip to 192.168.10.254 (firewall for internet access)?

    Thanks all

    submitted by /u/Pineapple_Specialist
    [link] [comments]
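    As an added example (not part of the post above), the evaluator below walks a packet through an extended IP ACL the way the switch does: entries are tried in sequence order, the first entry whose source and destination match decides, and a packet that matches no entry hits the implicit deny at the end. Masks are treated as wildcard masks, where a 1 bit means "don't care"; that is the only reading under which the posted entry 10, "0.0.0.0 255.255.255.255", means "any", so the sample entries below are the posted ones written with wildcard masks (0.0.0.255 for a /24, 0.0.0.0 for a single host). The evaluator does not model which direction the list is applied in; the reordered copy at the end is an assumption made to show the effect of entry order.

```python
# Added example (not from the post): first-match evaluation of an extended IP
# ACL with wildcard masks, as used by HP ProCurve/Comware and Cisco switches.
from ipaddress import ip_address


def wildcard_match(addr, base, wildcard):
    """A 1 bit in the wildcard mask is ignored; every 0 bit must match."""
    care = 0xFFFFFFFF ^ int(ip_address(wildcard))
    return (int(ip_address(addr)) & care) == (int(ip_address(base)) & care)


def parse_acl(text):
    """Parse '<seq> permit|deny ip <src> <wc> <dst> <wc>' lines; ignore the rest."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 7 and parts[0].isdigit() and parts[2] == "ip":
            seq, action, _, src, src_wc, dst, dst_wc = parts
            entries.append((int(seq), action, src, src_wc, dst, dst_wc))
    return sorted(entries)                       # the switch evaluates by sequence


def evaluate(entries, src, dst):
    """Return (sequence, action) of the first matching entry; (None, 'deny') = implicit deny."""
    for seq, action, s, sw, d, dw in entries:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return seq, action
    return None, "deny"


# The posted entries, with wildcard masks (constructed sample).
DRAFT_ACL = """\
ip access-list extended "PCI ACL List"
remark "Rules for Inbound Traffic PCI VLAN"
10 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
20 permit ip 192.168.10.0 0.0.0.255 192.168.35.0 0.0.0.255
remark "Outbound Traffic PCI VLAN"
40 permit ip 192.168.35.0 0.0.0.255 192.168.10.5 0.0.0.0
41 permit ip 192.168.35.0 0.0.0.255 192.168.10.16 0.0.0.0
42 permit ip 192.168.35.0 0.0.0.255 192.168.10.9 0.0.0.0
"""

# Assumed variant: same entries, deny-any moved to the end.
REORDERED_ACL = """\
20 permit ip 192.168.10.0 0.0.0.255 192.168.35.0 0.0.0.255
40 permit ip 192.168.35.0 0.0.0.255 192.168.10.5 0.0.0.0
41 permit ip 192.168.35.0 0.0.0.255 192.168.10.16 0.0.0.0
42 permit ip 192.168.35.0 0.0.0.255 192.168.10.9 0.0.0.0
100 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""

# Constructed test packets: management host to the PCI VLAN, PCI host to an
# allowed server, PCI host to the firewall, PCI host to the Internet.
PACKETS = [
    ("192.168.10.5", "192.168.35.10"),
    ("192.168.35.10", "192.168.10.9"),
    ("192.168.35.10", "192.168.10.254"),
    ("192.168.35.10", "203.0.113.7"),
]


def trace(acl_text, packets=PACKETS):
    """Return [(src, dst, seq, action)] for each packet against the list."""
    entries = parse_acl(acl_text)
    return [(s, d, *evaluate(entries, s, d)) for s, d in packets]


if __name__ == "__main__":
    for label, acl in (("as posted", DRAFT_ACL), ("deny-any last", REORDERED_ACL)):
        print(label)
        for src, dst, seq, action in trace(acl):
            print(f"  {src} -> {dst}: entry {seq} {action}")
```

    The trace answers the sanity check directly: with the deny-any entry first, every packet stops at entry 10; with it last, management traffic and the three permitted destinations match their entries, and traffic to the 192.168.10.254 gateway falls through to the deny, so whether that needs its own entry depends on whether Internet-bound traffic from the VLAN is wanted at all.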

    What cat6 cables are best for cable management?

    Posted: 26 Feb 2020 04:03 AM PST

    Hi,

    As the heading says. What cat6 cables are best for cable management? Need cables that are a bit softer because it is a bit cold in the data center.

    For connecting inside one rack so no do it yourself RJ45 connectors.

    submitted by /u/SAW_Simba
    [link] [comments]

    Alternatives to BIND DNS servers

    Posted: 26 Feb 2020 06:42 AM PST

    Hi all,

    After a recommendation for a solution to replace BIND DNS servers, we wanted to do a hybrid DNS solution with Route53 private hosted zones but this isn't possible due to a Route53 limitation (we've had this confirmed by AWS support).

    Requirements:

    - Ability to create MX, TXT, A, SRV, CNAME records

    - Authoritative DNS

    - Easy to manage zone files

    - Split horizon DNS (have records for internal and external names)

    Thanks in advance for any suggestions or recommendations

    submitted by /u/brwalk0069
    [link] [comments]

    Cisco Flexconnect in a branch site?

    Posted: 25 Feb 2020 05:53 PM PST

    I have three sites connected in a redundant ring; two of them hold a significant amount of APs (120) per site with one WLC in each location. The third site is a small branch with no WLC, but it's reachable via our internal leased backbone fiber via routing. Do I need to configure FlexConnect to add four Cisco APs or can they connect without doing so? In Cisco's documentation, I see them changing the APs from local to FlexConnect, and the diagrams show a WAN internet connection (FLEX AP to HQ). How will that be possible if that location has no WLC? Will the WLC detect the APs in a different subnet?

    If needed, let me know how I will go about this with Flexconnect. Any document, blog or videos will be great!!!

    submitted by /u/hvcool123
    [link] [comments]
