Using /32 host routes to conserve IPv4 addresses? Networking |
- Using /32 host routes to conserve IPv4 addresses?
- Anyone else having intermittent 802.1x issues with windows 10 clients?
- Can you tell a Cisco device type just by it's serial number?
- Stacking Cisco 9300s
- Tier 1 Peering ISP vs Tier 3
- Re-thinking our SSIDs
- Cisco wifi - Need 9120 supported which sw would you Roll?
- Netmiko multithreading - no output but commands running.
- Ansible Modules support for HP Comware Switches
- Site to site VPN to Azure
- BGP question (involves ebgp<>ibgp with some multihoming and IPVPN magic)
- Fiber cleaning/testing tools.
- No response from CLI after connecting to Cisco 1841
- Anyone familiar with the arris dcx3635-w?
- New to Cisco ISE policy architecture and need a little help/advice
- Datastream distribution from networking noob
- Who's running Stealthwatch ETA on their Cat 9k switches?
- Firewall Rule Set Review
- Cisco netacad "Account Under Compliance Review"
- Secure segmentation in VMWare.
- Alternative to Dynamic Access Policy (DAP) on Cisco FTD
- "Cisco" SG300 and RADIUS do not want to cooperate
- Access-List: Permitting Services to a Host while denying the same services to all and permitting all
- AlienVault OSSIM Help
| Using /32 host routes to conserve IPv4 addresses? Posted: 11 Feb 2020 01:56 PM PST IPv4 addresses are scarce (and expensive) and I'd rather not waste any. I've been labbing a solution using /32 host routes to make sure no IP addresses are wasted. The prototypical FTTx network is basically a /24 hanging off a DIA circuit. Each circuit gets a router and a bunch of active Ethernet switches. Those subscribers that need a static IP are assigned one and a /32 host route on their upstream router port. I get the desired outcome in the lab, but are there any known downsides of using /32 host routes, other than the configuration overhead? A better way of doing the same? Please do tell me not to do this, but preferably with a helping of why not or what to do instead. [link] [comments]  |
| Anyone else having intermittent 802.1x issues with windows 10 clients? Posted: 11 Feb 2020 07:22 AM PST I've been losing years off my life over this mess. We're a full NAC(purple) shop, all edge ports have multiauth enabled. The authentication hierarchy is 802.1x->MAC auth->unregistered black hole. Not unlike a precocious child, these end systems all over the place will intermittently lose their 1x sessions and drop the network access until the interface is reset. I'm 100% certain this behavior is on the client end, but I'll be damned if I can find exactly what's causing it. Typical setup is a voip phone(Cisco) with a PC daisy chained to it, however this behavior persists on direct connections too. Basically, it breaks down like this: Two sessions become established when a PC is logged into, a 1x which takes priority, but it also establishes a MAC session tied to the NIC, which gets thrown into unregistered hellban. Multi-auth has to be on because of the phones, so a full setup will show a 1x session to the PC, a MAC session to the phone with voice policy, and a MAC session to the PC unregistered. This behavior with the sessions is typical and hasn't caused any problems before. All that being said, all endpoints have been pushed to windows 10, along with around a thousand pc's replaced with newer hardware, along with the OS upgrade. At seemingly random intervals the 1x auth session is dropping, which reverts the port back to unregistered and kills the PC's network traffic until the client interface has a state change. I can see it clearly in the logs that the heartbeat between the NAC and client eventually fails from the client side. In simpler terms, the NAC asks the PC "are you still there" at a steady interval, but for reasons I cannot seem to figure out, the PC will stop answering. As designed, the NAC drops that 1x session after the PC stops answering. the PC's don't seem to want to re-authenticate after this happens and it sits in purgatory until the NIC changes state. I've done packet captures from the PC port, the Uplink port on the switch and the interface from the NAC and can prove that this isn't any kind of network failure. I can't figure out for the life of me why these PC's stop answering NAC challenges. GTAC swears it is either OS power management configuration or drivers that need to be updated. I'm pushing the driver angle hard since most of what I have seen have drivers from Microsoft and not Intel. Manually installing drivers straight from Intel seems to lower the occurrence but not fully cure the problem. Any ideas? [link] [comments]  |
| Can you tell a Cisco device type just by it's serial number? Posted: 11 Feb 2020 02:58 AM PST I am trying to determine the device type (router, switch, ap) from it's serial nr (I am going to recieve a large nr of serial nr in order to do zero touch provisioning). The thing is I would like to do data validation before provisioning them (for example check that the serial nr of the router is actually a router serial nr). I've found this explanation of Cisco serial numbers:
I thought the first three letter would be a good indication of the device, but seeing that it's just the location where the device was manufactured I am having doubts that it will work. Does anyone know if for example FOCYYWWXXXX will always be a switch or can it also be a router? [link] [comments]  |
| Posted: 11 Feb 2020 11:44 AM PST Can anyone tell me if it will be possible to stack a Cisco C9300-48UXM with a C9300-48U switch and still get 10G speeds on my C9300-48UXM 10G ports? I have looked at the documentation and just can't clearly tell if it's possible or not, and if it is what the implications will be for my 10G ports on the C9300-48UXM. It mentions in the article link below that mixed stacking between 9300 models and higher scale platforms is not supported, yet a few sentences later says that any combination of C9300 models can form a stack. It also says "Catalyst 9300 higher scale SKUs (C9300-24UB, C9300-24UXB, C9300-48UB) need to be stacked with other higher scale models in order to achieve a stack with the higher scale supported by these models." Documentation: [link] [comments]  |
| Posted: 11 Feb 2020 08:47 AM PST Hi all, I am thinking of switching from a Tier 1 ISP giving us 50u/50d to a Tier 3 ISP giving us 1Gbps. What are the ups and downs of this move? We only need a good connection for our VoIP phones and doing cloud backups at night. Other than that, it's checking email and internal work. I would imagine that there will be a couple more hops between us and our VoIP provider and then some added latency/ping to go with that, eh? [link] [comments]  |
| Posted: 11 Feb 2020 12:39 PM PST Hello, As an attempt to rationalize and minimize the number of SSID broadcasted by our WiFi infrastructure, I came down to a set of 3 networks :
I am quite happy with this breakdown but there is still a gap that I cannot fill : what do I do with "IoT" devices? I guess some are not 802.1x capable, some other won't have a screen for splashpage.How do you manage and connect you IoT devices? I feel like everytime that I need to connect a dumb device that only needs internet access, I have to re-invent the wheel. FYI, we use meraki APs and ISE 2.4 RADIUS if that's of any help [link] [comments]  |
| Cisco wifi - Need 9120 supported which sw would you Roll? Posted: 11 Feb 2020 12:50 PM PST Tropic says it.. Cisco says 8.10.112 (MR1) but we Saw some stuff about ap's going mia in the controller when labbing it (oblight on a vWLC and not the 5520 platform we run in Production).. Any input greatly apreciated! [link] [comments]  |
| Netmiko multithreading - no output but commands running. Posted: 11 Feb 2020 04:32 AM PST EDIT: Okay, so this works up to about ten devices. Any more and it dies. I may just be an idiot trying to do too many threads. Is there a limit? It's a weird one. I know the commands run because I see them (and their correct output) in the debug log. The session just never ends and I don't get any output (outside the first date/time) in my window or my output file. The output file creates successfully. It's like it's hanging or waiting for something once it's run all its commands. Script below: [link] [comments]  |
| Ansible Modules support for HP Comware Switches Posted: 11 Feb 2020 11:54 AM PST I could not find the ansible network modules for HP Comware Switches. Found the below , but not finding any reliable use of these by people. Have folks used Ansible with HP Comware Switches ? https://hp-ansible.readthedocs.io/en/latest/list_of_Feature%20(RW)_modules.html_modules.html) [link] [comments]  |
| Posted: 11 Feb 2020 03:22 AM PST We have setup a site to site VPN connection to Azure using our Cisco ASA. For now we only have one static route (set on the ASA) to route the traffic for the Azure VLAN to the VTI interface. That means that, as it is, only the ASA VPN clients know how to reach the VMs in Azure fro the moment. Since we have a DMVPN network taht is set to advertise networks with EIGRP, I am thinking of adding the Azure network to EIGRP. The ASA is already advertising the VPN clients subnets to the same EIGRP AS as the DMVPN routers. So as a test I have configured an interface on the ASA (with an IP on the Azure subnet by following the instructions here https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91264-eigrp.html ) and I added our Azure subnet to the EIGRP config of the ASA. The Azure subnet starts to advertise but no route shows up. The subnet shows up if i run: show ip eigrp topology But show eigrp route doesn't show the subnet Is that because I already have a static route on the ASA (it sets the gateway for Azure subnet to the VTI interface). If i remove the static route how can I make sure that EIGRP routes all Azure traffic to the VTI interface? [link] [comments]  |
| BGP question (involves ebgp<>ibgp with some multihoming and IPVPN magic) Posted: 11 Feb 2020 01:30 PM PST Good morning. Got a question and really just looking for the "why". I either want to verify I am understanding this correctly, or get pointed in the right direction to educate myself. So i will try and explain the setup best I can, but its pretty simple. So I work on the corporate enterprise side, and we peer with the production side of our company to give users access to customer/development environments. Prod is using us for east<>west traffic because we have a lovely IPVPN connecting our corporate sites. We peer to each other in two places, we will call them PROD-WEST<ebgp>CORP-WEST and CORP-EAST<ebgp>PROD-EAST. With the IPVPN in the middle it looks like this: PROD-WEST(AS1)<>CORP-WEST(AS2)<>IPVPN-ISP(AS3)<>CORP-EAST(AS4)<>PROD-EAST(AS5) So prod has an AWS vpc prefix that they are sending to both my east and west corp sites, which I then in turn advertise into the MPLS. I am basically multi-homing to the prod prefix from my east and west sites. The question i have is in the middle, there in the IPVPN where I can't see... how does the route selecting work? It seems to be working on the "the route I see first is the route I will accept and send through the L3VPN". When I send the route from both sides, the one that gets advertised first gets installed first, even if it has the longer AS-PATH. I basically need to bounce the bgp session on the opposite side to get the "correct" route installed. I know that with the IPVPN it's going EBGP<>IBGP<>EBGP, so the PE for the ISP is getting an IBGP and EBGP copy, but it can't honor the i vs e AD since that would be a looping nightmare. and its not following the AS-PATH rule of law. Is it simply doing the "route uptime" as the route choice? Or is it going off of something with the NLRI? I worked at an ISP many moons ago that did L3VPN, but without access to my lab I can't recall or figure this out. Would I be able to use a community string to set the LP and influence the route in the L3VPN (im sure this is a question for the ISP, which I will pose today, but interested in your thoughts). Let me know if my ramblings don't make sense! Thanks for your time. TL:DR - I have two sites (different ASN) that peers with two different external sites (different ASN), and my two sites peer with a L3VPN managed by the ISP (yet another ASN) - and I am curious as to how the ISP handles the route selection when I am sending the same prefix to them from two different peerings? [link] [comments]  |
| Posted: 11 Feb 2020 07:07 AM PST Hello everyone, I was wondering if there is a top 5 list of fiber cleaning/testing tools that every enterprise should have. Last time I was engaged with a "cleaning/testing tool" like that, I was told that the equipment was worth thousands because of how specialized it was. I am sure there are cheaper solutions, but do you have brands/models to suggest? [link] [comments]  |
| No response from CLI after connecting to Cisco 1841 Posted: 11 Feb 2020 12:23 PM PST Hi Guys, I'm new here so forgive me if this sounds stupid. I'm trying to connect to a Cisco 1841 via putty, when I do and select the correct com port the cli opens but doesn't respond. I have tried changing the baud rates but that hasn't worked. I'm having the same problem on two different 1841s I am also able to connect to a Cisco switch and everything works perfectly. Any help would be appreciated. [link] [comments]  |
| Anyone familiar with the arris dcx3635-w? Posted: 11 Feb 2020 03:45 PM PST I have a small home server setup and in order for me to use certain applications like openvpn and letsencrypt I have to forward some ports, and when I go into the firewall settings and look for port forwarding it's not there and it's called virtual servers and I'm clueless as of how to use it, is is the same as port forwarding? [link] [comments]  |
| New to Cisco ISE policy architecture and need a little help/advice Posted: 11 Feb 2020 08:09 AM PST Hey all, I am working on deploying wired ISE for the first time and and trying to device how to setup my policy sets. I am struggling to decide if I should break policy sets up by campus, building, or floor. Obviously floor has the most granularity, but leads to the greatest processing hit as all policies before it must be processed with each access request (Not to mention the list of policy sets can probably become cumbersome). Alternatively, building and or campus policy sets can lead to cumbersome (In large buildings) and possibly less granular authorization policy lists, but have the advantage of not having as much of an impact on your policy servers. I am hoping to have whatever is put in place be scalable which is the only reason why I worry about this at this point. Without divulging any protected information obviously, do large deployments build ISE by campus, or do they have a PSN at each site and configure policy by floor or something else? As this doesn't have an obvious right answer, I am just hoping to hear what you all think. If you have any documentation on policy set creation best practices or tips, I would love to see them as well as I struggled to find much on the topic. Non vendor specific advice welcomed as well! Thanks all! [link] [comments]  |
| Datastream distribution from networking noob Posted: 11 Feb 2020 03:27 PM PST I've been given a task, to read a data stream into a VM used as a proxy which will then be used to distribute the stream to 5 other VM's. How can this be done, is there tools for this? I've been looking at Apache Flink just because it seems to be a data processing engine but I may not even need to use it [link] [comments]  |
| Who's running Stealthwatch ETA on their Cat 9k switches? Posted: 11 Feb 2020 03:20 PM PST Getting started on a Stealthwatch deployment. Only about 50 switches. One flow collector. IOS XE16.9.2+ is recommended on Cat 9300 for ETA. I have all of my 9300 currently running 16.6.6. Wondering if I really need/should upgrade to 16.9.4 or 16.9.5 for ETA? I have it configured on one of our 9300 and it's fine so far on 16.6.6 but I'm early in the process so I don't really know yet what I might be missing or if I'm going to run into undocumented bugs. Following the ETA deployment guide, plan is to configure ETA on the access ports so that we capture all flows for those devices, not just the inter-vlan traffic. I'll throw this TAC's way as well but I like to get perspective from fellow customers. We use ISE 2.4 for dot1x/mab so it's critical that the version of IOS XE at the access layer works well with ISE. From what I'm reading, Smart Licensing is REQUIRED for 16.9.x on Cat 9300? [link] [comments]  |
| Posted: 11 Feb 2020 02:37 PM PST Which one of these tools would you use for a Firewall Rule Set Review for PCI, and Why? -Tuffin _FireMon -Nipper [link] [comments]  |
| Cisco netacad "Account Under Compliance Review" Posted: 11 Feb 2020 04:06 AM PST has anyone run into this problem trying to login to packet tracer or the natacad page ? I tried contacting their support email and facebook support but they won't respond. [link] [comments]  |
| Secure segmentation in VMWare. Posted: 11 Feb 2020 07:21 AM PST My networking group is working with our applications group about virtualizing one of our enterprise systems. This system has a lot of sensitive information on it. My infosec team is not keen on virtualizing the host and secure network it sits on into our virtual infrastructure for fear of crossing a Host/guest os boundary or the virtual VLAN switching boundaries. Has anyone has any experience with something similar? Is this in fact a threat to our infrastructure? Ask questions if there is anything I need to clear up. thanks [link] [comments]  |
| Alternative to Dynamic Access Policy (DAP) on Cisco FTD Posted: 11 Feb 2020 07:20 AM PST We are in a testing phase with Cisco FTD. Currently we have FP9300's but run traditional ASA managed via CLI, and ASDM. For one of our VPN contexts (used for vendors) we use DAPs to control user access to certain servers. I know DAPs are not currently a feature for remote access on FTD. Has anyone successfully replaced DAPs with an alternative access policy method on FTD? [link] [comments]  |
| "Cisco" SG300 and RADIUS do not want to cooperate Posted: 11 Feb 2020 02:42 AM PST dear /r/networking, I am trying to setup the RADIUS authentication on a Cisco SG300 switch with Windows 2012 NPS. I've checked (also using packet capture) that NPS is sending Access-Accept with Vendor specific attribute set to shell:priv-lvl:15 but when try connecting via ssh or http I can't login and I get %AAA-W-REJECT entries in the switch logs. Any ideas? Relevant configuration is pretty basic [link] [comments]  |
| Access-List: Permitting Services to a Host while denying the same services to all and permitting all Posted: 11 Feb 2020 07:18 AM PST Hi all, I was just checking if this is possible. I need to permit services to a host behind my router from specific hosts (eg 22 and 80), while denying services to same host from any on the internet, but also permitting other traffic. Is this a possibility eg: ACLS: 1. Allow web access to 192.168.1.2 from only 10.10.0.0/24 network 2. Allow SSh access to 192.168.1.2 from only 10.10.0.0/24 network 3. Deny all Web access apart from the above to 192.168.1.2 4. Deny all ssh access apart from the above to 192.168.1.2 5. permit all traffic [link] [comments]  |
| Posted: 11 Feb 2020 09:57 AM PST Hey guys, I'm trying out AlienVault OSSIM on my network. I installed it as a VM using VirtualBox on my Mac, and gave it a standard IP address for my network. I used the same subnet mask, gateway and DNS that I would for any other machine on that VLAN. However, I can't ping it or reach the admin portal webpage. Are there any other steps I need to go through before I can start working with it? TIA. [link] [comments]  |
| You are subscribed to email updates from Enterprise Networking news, blogs and discussion.. To stop receiving these emails, you may unsubscribe now. | Email delivery powered by Google |
| Google, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States | |
No comments:
Post a Comment