Networking
Network defense course project guidance.
Posted: 01 May 2020 10:19 AM PDT

I am working on my Network Defense course project and I'm looking for some guidance. We have to create a fictional company and then provide security measures. My idea for the company is on-demand remote IT services, so I have some concerns about covering all the bases for remote connection. Here is my company plan and the corresponding security measures I have devised so far:

Workstations / Servers:
- VLAN 1: 1x CEO/Operations manager, 1x HR, 1x accounting / payroll, 1x outreach / media coordinator, 2x Sales persons.
- VLAN 2: 6x Remote IT Specialists.
- VLAN 3: Management server + IDPS console, storage server.
- DMZ Segment: Webserver, mail server, database server.

My network map is where I'm beginning to second guess myself: Internet > Packet Filtering Router > Firewall > Switch > IDPS Sensor > VLAN 1 > IDPS Sensor > VLAN 2 > IDPS Sensor, VLAN 3 > IDPS Sensor > DMZ.

- Router: appropriate ACL lists.
- Firewall: set to block all inbound remote connections on the appropriate ports but allow outbound remote connections.
- Switch: close unused ports, assign static IP addresses per port.
- IDPS / VLANs: appropriate routing to the IDPS management server.
- DMZ: Harden the bastion servers, disable all unnecessary features etc.

Are there aspects or different security measures I should be implementing? Especially in the case of remote connections? Any advice would be greatly appreciated; this project has got me second guessing myself and stressed out trying to make sure I cover all my bases.
BGP graceful failover for maintenance
Posted: 01 May 2020 03:29 PM PDT

I have eBGP running with my ISP on two distinct core1 and core2 routers (Nexus L3 switches). Now I want to do maintenance on core1, so I am planning a smooth way to shift all my traffic to core2 (in less time with less packet loss). I have the option to shut down the neighbor peer gracefully, and another option which my ISP suggested: send BGP community 65062:12345, which will make my peer a backup (12345 is my ISP's ASN). This is what I am planning to configure to send the community; tell me if anything is wrong here. Is this correct? I have 5 subnets of /24 prefix (do I need to add them with the community, or will the above snippet do all the magic?), or would shutting down the neighbor be the BEST option? :)
Puzzled over a trunk that won't work unless it's running on a 100Mb/s interface
Posted: 01 May 2020 07:24 PM PDT

I know what you're probably thinking - but hear me out. Recently, a vendor ran two CAT6 links from an IDF inside the org (CAT5e patch panel) to a terminal outside the building to support network connectivity for a temporary structure we've put up. I installed a 3750 (48x FE copper, 4x GE SFP) in the structure and configured it to trunk with a 6500 chassis which sits inside the IDF. When it came time to plug everything in, I found that the interfaces which were supposed to be trunking were actually in a notconnect state. The configs are super simple - no VLAN pruning or native VLAN bullshit. Just "switchport mode trunk" on both sides.

So, I started looking at the hardware. I swapped SFPs (tried multiple GLC-TE and GLC-T copper SFPs), tried multiple GE interfaces on the 3750 and 6500, swapped cables (CAT5e and CAT6), verified speed/duplex settings, etc. Nothing worked. I finally yanked the trunk link from the GE interface of the 3750 and slapped it into a FE interface - and behold, it worked! Trunk was up, phones started registering, etc. For the sake of troubleshooting, I swapped out the 3750 for a brand new 9300 and tried again. No dice. The trunk simply won't come up on a 1Gb interface.

I need the 1Gb uplink to support some bandwidth-hungry equipment which will sit in the temporary structure. I only have two copper lines, so the best I can do with a port channel is 200Mb/s on the 3750. The vendor claims that they used CAT6 cables all the way through and terminated on a CAT5e patch panel in our IDF. I assume, but do not know, that the temporary structure (which was brought to us by a vendor and already has some cabling infrastructure) uses CAT5e at least, since they have their own gigabit switches which they offered to provide for us. I'm at a loss at this point. How else could this be broken for 1Gb connections, but not 100Mb connections?
100GB infiniband or 100GB ethernet?
Posted: 01 May 2020 06:32 PM PDT

Hi all, I'm tasked with building out a 100GB Infiniband network for a group of Nvidia GPU servers which will use GPUDirect RDMA. The issue is we have a storage appliance that is 100GB ethernet (GbE) only. It is a toss-up what is more important for our users, storage performance or GPUDirect RDMA performance. Having the "fastest" is important. We have nothing built so far, we are in the planning stages, and money isn't too much of a factor. Of course, we don't want to spend money just to spend money. I am new to Infiniband, GPUs and RDMA and don't want to miss something to cringe about/be embarrassed by later. Should we build out with:

Advice, opinions, pros/cons. Thanks!
3 weeks with glitchy/intermittent RDP over ASA 5512-x VPN, Cisco TAC just keeps "checking internally"
Posted: 01 May 2020 03:46 AM PDT

Events/Troubleshooting/Attempted solutions so far:

Beginning of April - The ASA I inherited, running 9.9(1), started crashing due to bug CSCvi16029, so I updated it to 9.9(2)66, and also upgraded my ASDM to 7.12.1 and my AnyConnect from 3.x.x to 4.8.02045 on April 8.

April 9 - Everyone except for my IT coworker and I are unable to RDP into their workstations. They can connect the VPN and ping their workstations, but get that "Remote Desktop can't connect" error (this never happened before). I also cannot RDP via VPN into any other workstations or servers on the network besides my own, which isn't configured any differently in RDP settings than any of the other machines. Discovered that the RemoteVPN->DNS setting is pointing to an old decommissioned DC, so I fixed the setting and am able to reach the payroll server, until the HR person tried to RDP into it and then everyone was locked out again except myself to my own workstation.

April 13 - Everyone's ability to RDP suddenly came back up, then dropped, then came back up again by the end of the day. I discovered a No NAT rule that allows all trusted users access to all necessary internal VLANs, and the only "deny" ACLs I could find are blocking QUIC and "hostile traffic", which doesn't seem to have anything to do with RDP.

April 21 - RDP stopped working again for office staff, so I did a packet capture while unsuccessfully trying to RDP into the payroll server:

1: 14:52:58.060497 x.x.x.x.55749 > x.x.x.x.3389: S 3006513269:3006513269(0) win 8192 <mss 1366,nop,wscale 2,nop,nop,sackOK>

Tried "sh cap asp | inc x.x.x.x" (payroll server IP), which showed no drops from the firewall.

April 22 - I noticed on the Firewall Dashboard in ASDM that the workstations denying RDP access are listed under "Top 10 Protected Servers under SYN Attack", and sure enough, there are the IP addresses of the Business Office computers plus the 3389 port #. I then learned this, and lowered the TCP MSS to 1300 and everyone's RDP started working again for almost a week ...

April 28 - Discovered that the RemoteVPN->DNS setting keeps reverting back to the old decommissioned DC, so I sent this info to Cisco TAC.

Yesterday - The Business Manager and I were able to RDP into everything, but other staff could not connect to their workstations. I asked Cisco TAC if the ASA has some kind of DNS mapping in its config that's causing the VPN/DNS settings to revert, so they looked at my "show tech" and noticed that a firewall-object-network object had been configured linking the old DC to the IP address which now belongs to the new DC. So, I fixed that to point to the new DC. The Business Manager lost her ability to RDP around 2pm EST, so I did a packet trace to her machine, and am waiting to hear back from Cisco still, and there's a Zoom Board Meeting on Tuesday that's breathing down my neck ...

Ingress Capture – RDP packet
Egress Capture – RDP Packets

Edit - First of all, this subreddit is full of amazing, helpful, brilliant people. Secondly, support is awesome to have and there's no way to know everything about everything in this field, and I honestly regret the critical tone of my title. Everywhere is a hot mess right now and I'm no exception ... I believe I may have isolated the issue - deep within an undocumented setting in the Content Filter, I found a tiny range of IP addresses with a "full bypass" in the VPN internal client subnet. I broadened the IP range a little, did a /release /flush /renew on my laptop, and now RDP works (for now?). Since the Content Filter is in place to monitor student internet activity, it didn't occur to me that it might be interfering with VPN traffic in a totally different subnet. Especially since the packet traces were showing a TCP connection to the target machine. And the RDP issue started the day after the ASA software update, but this just goes to show ... Dang.
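The capture quoted in this post shows a client SYN toward port 3389, and the ASDM dashboard counted the same hosts as "servers under SYN attack", which is what a SYN with no SYN/ACK looks like from the firewall's side. Below, as an added example and not code from the original post, is a small parser for ASA "show capture" lines that pairs client SYNs with server SYN/ACKs, so unanswered handshakes and the MSS clients advertise fall out directly. The capture text is constructed in the quoted line format with RFC 5737 documentation addresses, because the post's real capture is not on the page.

```python
"""Find half-open RDP handshakes in ASA 'show capture' text.

Added example, not code from the original post. The capture below is
constructed to match the line format the post quotes (the post's real
capture is not on the page); hosts use RFC 5737 documentation addresses.
A SYN that is never answered by a SYN/ACK is exactly what the ASDM
"servers under SYN attack" counter and a stalled RDP client both look like.
"""
import re
from collections import defaultdict

# <n>: <hh:mm:ss.usec> <src>.<sport> > <dst>.<dport>: <flags> <seq>(<len>) [ack <n>] win <w> [<options>]
LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRP.]+)\s+(?P<rest>.*)$"
)

# Constructed sample: one completed handshake, one client retrying a SYN three times.
SAMPLE_CAPTURE = """\
1: 14:52:58.060497 192.0.2.10.55749 > 198.51.100.20.3389: S 3006513269:3006513269(0) win 8192 <mss 1366,nop,wscale 2,nop,nop,sackOK>
2: 14:52:58.061102 198.51.100.20.3389 > 192.0.2.10.55749: S 884211301:884211301(0) ack 3006513270 win 65535 <mss 1380,nop,wscale 8,nop,nop,sackOK>
3: 14:52:58.061540 192.0.2.10.55749 > 198.51.100.20.3389: . ack 884211302 win 8192
4: 14:53:01.120033 192.0.2.11.50112 > 198.51.100.21.3389: S 1700000001:1700000001(0) win 8192 <mss 1366,nop,wscale 2,nop,nop,sackOK>
5: 14:53:04.121410 192.0.2.11.50112 > 198.51.100.21.3389: S 1700000001:1700000001(0) win 8192 <mss 1366,nop,wscale 2,nop,nop,sackOK>
6: 14:53:10.122911 192.0.2.11.50112 > 198.51.100.21.3389: S 1700000001:1700000001(0) win 8192 <mss 1366,nop,wscale 2,nop,nop,sackOK>
"""


def parse_capture(text):
    """Yield one dict per capture line; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        p = m.groupdict()
        p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
        p["syn"] = "S" in p["flags"]
        # The ack number sits in the trailing field; the "sackOK" option must not count.
        p["ack"] = " ack " in f" {p['rest']}"
        mss = re.search(r"mss (\d+)", p["rest"])
        p["mss"] = int(mss.group(1)) if mss else None
        yield p


def half_open_flows(text, dport=3389):
    """Map (client, client_port, server) -> SYN count for flows to dport that never saw a SYN/ACK."""
    syns = defaultdict(int)
    answered = set()
    for p in parse_capture(text):
        if p["syn"] and not p["ack"] and p["dport"] == dport:
            syns[(p["src"], p["sport"], p["dst"])] += 1
        elif p["syn"] and p["ack"] and p["sport"] == dport:
            # SYN/ACK travels server -> client, so the flow key is the reverse of the packet.
            answered.add((p["dst"], p["dport"], p["src"]))
    return {flow: n for flow, n in syns.items() if flow not in answered}


def client_mss_values(text, dport=3389):
    """MSS values clients advertise on SYNs to dport; compare these against the tunnel MTU."""
    return {p["mss"] for p in parse_capture(text)
            if p["syn"] and not p["ack"] and p["dport"] == dport and p["mss"]}


if __name__ == "__main__":
    for (client, cport, server), n in half_open_flows(SAMPLE_CAPTURE).items():
        print(f"{client}:{cport} -> {server}:3389  {n} SYN(s), no SYN/ACK seen")
    print("client MSS seen:", sorted(client_mss_values(SAMPLE_CAPTURE)))
```

Run against both the ingress and egress captures: a SYN that leaves the ASA but draws no SYN/ACK points at something between the firewall and the host (a filter in the path, as the edit above eventually found), while a completed handshake followed by a stall is the pattern an oversized MSS produces inside a tunnel, which is the case lowering the TCP MSS addresses.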
4 digit ASN?
Posted: 01 May 2020 05:43 AM PDT

While checking the current price for IPv4, I noticed that 4- and 5-digit ASNs are also being auctioned. As there were actual bids and closed sales, some for a significant amount of money, I came to wonder about the inherent value of a two-byte ASN. I would have thought that by now almost everybody supports 4-byte ASNs. Is there some actual value in having a 2-byte ASN, or is it more a vanity thing?
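The 2-byte versus 4-byte question here, and the ISP community 65062:12345 in the BGP failover post earlier in this digest, both come down to how an ASN is encoded on the wire. An added example, not from either post: asplain/asdot conversion, the AS_TRANS (23456) substitution a 4-byte-capable speaker makes in AS_PATH toward a peer that only understands 2-byte ASNs (RFC 6793), and the one concrete place a 2-byte ASN still buys something: an RFC 1997 standard community is 32 bits, so the "ASN:value" form can only carry a 2-byte ASN in its first half, and a 4-byte ASN has to fall back to large communities (RFC 8092). The ASN values used are constructed.

```python
"""2-byte vs 4-byte AS numbers: asplain/asdot conversion, AS_TRANS substitution
(RFC 6793) and why a standard community (RFC 1997) cannot carry a 4-byte ASN.

Added example, not part of the original posts. ASN values are constructed.
"""

AS_TRANS = 23456          # placeholder a 4-byte speaker puts in AS_PATH for 2-byte-only peers
MAX_2BYTE = 0xFFFF
MAX_4BYTE = 0xFFFFFFFF


def fits_2byte(asn: int) -> bool:
    return 0 <= asn <= MAX_2BYTE


def to_asdot(asn: int) -> str:
    """asplain -> asdot: values above 65535 print as high.low, the rest unchanged."""
    if not 0 <= asn <= MAX_4BYTE:
        raise ValueError(f"ASN out of range: {asn}")
    if fits_2byte(asn):
        return str(asn)
    high, low = divmod(asn, 65536)
    return f"{high}.{low}"


def from_asdot(text: str) -> int:
    """Parse asdot ('64086.59904') or asplain ('4200000000') into an int."""
    if "." in text:
        high, low = (int(part) for part in text.split(".", 1))
        if not (0 <= high <= MAX_2BYTE and 0 <= low <= MAX_2BYTE):
            raise ValueError(f"bad asdot value: {text}")
        return high * 65536 + low
    asn = int(text)
    if not 0 <= asn <= MAX_4BYTE:
        raise ValueError(f"ASN out of range: {asn}")
    return asn


def as_path_for_peer(path, peer_supports_4byte: bool):
    """AS_PATH a 4-byte-capable speaker sends. Toward a 2-byte-only peer every
    4-byte ASN becomes AS_TRANS and the real path rides in AS4_PATH (RFC 6793)."""
    if peer_supports_4byte:
        return list(path)
    return [asn if fits_2byte(asn) else AS_TRANS for asn in path]


def standard_community(asn: int, value: int) -> str:
    """RFC 1997 community 'ASN:value' is a single 32-bit field: 16 bits of ASN,
    16 bits of value. A 4-byte ASN does not fit; use a large community (RFC 8092)."""
    if not fits_2byte(asn) or not 0 <= value <= MAX_2BYTE:
        raise ValueError("does not fit a standard community; needs RFC 8092 large community")
    return f"{asn}:{value}"


if __name__ == "__main__":
    print(to_asdot(65062), to_asdot(4200000000))
    print(as_path_for_peer([65062, 4200000000, 12345], peer_supports_4byte=False))
    print(standard_community(65062, 12345))
```

The practical answer the code gives: a network whose ASN fits in 16 bits can tag routes with the plain "ASN:value" communities every ISP accepts; a 4-byte ASN depends on the upstream supporting large communities, and shows up as 23456 in the AS_PATH seen by any remaining 2-byte-only peer.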
Async octal cable question
Posted: 01 May 2020 12:06 PM PDT

So in all my years doing Cisco stuff, I have never had to use an octal cable. I was told that I can connect it to the console port of a device and BAM, I have access. I cannot figure out how to make it work. The devices I connected to are not live at this time, no MGMT IP or anything, due to a facility time limit. Can I use this connection, or do I have to go configure these devices a bit?
Datacentre Network Re-design - An easier way to manage ACLs?
Posted: 01 May 2020 06:15 AM PDT

Hi all, I've got two questions relating to data centre networking: firstly, whether I've got our new re-design correct in my head, and secondly, following that plan we'll have an increased reliance on ACLs on our switches, and I wanted to know if there's an easier GUI-based way to manage ACLs.

Firstly, our current set up consists of an HA pair of firewalls doing all L3 in the DC, including all inter-VLAN traffic, which is the main reason we want to move away from this set up. The firewalls have an internet breakout, WAN link, DMZ and multiple other VLANs on them: prod, test, dev, voice, SQL etc. We currently manage rules between VLANs using the firewalls, which have a decent GUI making it simpler to manage and harder to make mistakes. South of those firewalls is a pair of Nexus 5k switches, 3 UCS chassis and an iSCSI SAN. The problem with this is that there's only a 1Gbps link between the Nexus and the active firewall, with all of the default gateways for our VLANs being sub-interfaces on the 1Gbps interface. Not a great design I know; we used to have a pair of 3925s doing our inter-VLAN routing with ACLs controlling traffic between VLANs. They were a bit of a pain to manage as there was only me at the time who had knowledge of working with them. Our MSP suggested those routers were unnecessary when they upgraded our firewalls (the previous ones only had 10/100 interfaces). We've grown a lot since the last upgrade though and are back in a position where we need to re-think things.

The plan is to use the Nexus switches for the inter-VLAN routing (they're currently only doing L2), create a new small subnet between the Nexus switches and the firewalls, and set the default route on the Nexus to point at the new firewall IP. This plan takes all of the inter-VLAN traffic away from the firewalls, freeing them up to do what they were intended for. However, we lose the nice GUI-based method for controlling our inter-VLAN traffic and would be back to ACLs on the Nexus switches (something I'd like to avoid). Is there a solution that can help us manage the ACLs with a GUI, and ideally where changes can be verified before being made? We use proper Cisco in our datacentre but are migrating to Meraki in our branches, and their dashboard has spoilt me with how easy it is. I realise it's a wordy post, so thanks for sticking with me.
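This post and the network defense course project post at the top of the digest share one problem: inter-segment policy expressed as ordered ACL lines, with no check before pushing that a later deny can still fire and that the required flows are the only ones permitted. An added example, not code from either post or from Cisco: a small Python model of first-match ACL evaluation with a shadowed-rule check, an intent table stating which flows must be permitted or denied, and an NX-OS renderer for the verified list. The segment addresses, rules and intent rows are constructed for illustration, following the VLAN 1 / VLAN 2 / VLAN 3 / DMZ layout of the course project post.

```python
"""Inter-VLAN ACL intent: first-match evaluation, shadowed-rule detection and NX-OS rendering.

Added example, not from either post and not Cisco code. Segment addresses, rules
and the intent table are constructed; the segment names follow the course
project's VLAN 1 (users) / VLAN 2 (IT) / VLAN 3 (management) / DMZ layout.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (ip = any protocol)
    src: str                     # CIDR or "any"
    dst: str
    dport: Optional[int] = None  # None = any destination port


def _net(cidr: str):
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def matches(rule: Rule, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
    if rule.proto != "ip" and rule.proto != proto:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return (ipaddress.ip_address(src) in _net(rule.src)
            and ipaddress.ip_address(dst) in _net(rule.dst))


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: Optional[int] = None):
    """First match wins, implicit deny at the end, exactly as a switch applies the list."""
    for r in rules:
        if matches(r, src, dst, proto, dport):
            return r.action, r.seq
    return "deny", None


def _covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet that matches `inner` also matches `outer`."""
    if outer.proto != "ip" and outer.proto != inner.proto:
        return False
    if outer.dport is not None and outer.dport != inner.dport:
        return False
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst)))


def find_shadowed(rules: List[Rule]) -> List[Tuple[int, int, bool]]:
    """(shadowed seq, shadowing seq, actions differ) for rules that can never fire.
    A shadowed rule with a different action is the dangerous case: the deny you
    think you have is not there."""
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if _covers(earlier, later):
                found.append((later.seq, earlier.seq, earlier.action != later.action))
                break
    return found


def verify(rules: List[Rule], intent):
    """Intent rows the list violates: (src, dst, proto, dport, expected, actual, deciding seq)."""
    failures = []
    for src, dst, proto, dport, expected in intent:
        action, seq = evaluate(rules, src, dst, proto, dport)
        if action != expected:
            failures.append((src, dst, proto, dport, expected, action, seq))
    return failures


def render_nxos(name: str, rules: List[Rule]) -> str:
    """Emit the list in NX-OS syntax so the verified model is what gets pasted."""
    lines = [f"ip access-list {name}"]
    for r in rules:
        port = f" eq {r.dport}" if r.dport is not None else ""
        lines.append(f"  {r.seq} {r.action} {r.proto} {r.src} {r.dst}{port}")
    return "\n".join(lines)


# Constructed segments (not from the posts).
SEG = {"users": "10.1.1.0/24", "it": "10.1.2.0/24", "mgmt": "10.1.3.0/24", "dmz": "10.1.4.0/24"}

RULES = [
    Rule(10, "permit", "tcp", SEG["it"], SEG["mgmt"], 22),      # IT staff to management servers
    Rule(20, "permit", "tcp", SEG["it"], SEG["mgmt"], 443),     # IDPS console
    Rule(30, "permit", "tcp", SEG["users"], SEG["dmz"], 443),   # office users to the web server
    Rule(40, "deny", "tcp", SEG["users"], SEG["mgmt"], 22),
    Rule(50, "permit", "ip", "10.1.0.0/16", "10.1.0.0/16"),     # the "just make it work" rule
    Rule(60, "deny", "tcp", SEG["users"], SEG["mgmt"], 3389),   # shadowed by 50: never fires
    Rule(70, "deny", "ip", "any", "any"),
]

# What the segmentation is supposed to guarantee.
INTENT = [
    ("10.1.2.10", "10.1.3.10", "tcp", 22, "permit"),
    ("10.1.1.10", "10.1.3.10", "tcp", 22, "deny"),
    ("10.1.1.10", "10.1.3.10", "tcp", 3389, "deny"),
    ("10.1.4.10", "10.1.3.10", "tcp", 22, "deny"),    # DMZ must never reach management
]

if __name__ == "__main__":
    print("shadowed:", find_shadowed(RULES))
    print("intent failures:", verify(RULES, INTENT))
    print(render_nxos("INTER-VLAN", [r for r in RULES if r.seq != 50]))
```

Rule 50 permits everything inside 10.1.0.0/16, which both shadows the later deny for 3389 and lets the DMZ reach the management segment; dropping it makes both checks pass. Keeping the rules and the intent table in a file and running the two checks before the render step gives most of the "verify before change" benefit a firewall GUI provides, without the GUI.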
Cisco AnyConnect VPN issue
Posted: 01 May 2020 11:01 AM PDT

Cisco AnyConnect 4.7.x, Cisco ISE 2.3, Cisco ASA 5525 ver 9.9, Win10.

The issue is constant disconnect/reconnect notifications for users while on VPN. Users do not have to resubmit username or password. Annoyance: users getting disconnected during calls. Not everyone is having this issue. This had been occurring before COVID-19 forced everyone to VPN; now more people are complaining about it. Cisco TAC blamed the ISP. Right now users request their notifications off so they don't see it. Need any and all help. Thanks
Palo Alto Free Certification Discount Codes
Posted: 01 May 2020 08:12 PM PDT
Using SCP and/or SFTP in Cisco Prime Infrastructure
Posted: 01 May 2020 10:20 AM PDT

Thank you in advance for any answers. We have been using Cisco Prime for switch management and pushing updates from Prime to the switches via TFTP successfully, but due to security we are being told to start using SCP or SFTP to push IOS updates. I've been trying to get this working but have had no success. I used SSH to get into Prime and set up a device:/SCP folder in Prime. I then, in the GUI, went to where you would add your server, added the server, IP, admin username and password and tried to add the download location, but it won't allow "device:" because apparently the ":" isn't allowed, so I tried "device/scp", which failed verification. I went online and someone suggested "localhost/scp", which failed also. Has anyone set this up successfully that can tell me what I'm missing? We are using ver 3.4
Exchange Server 2013 SMTP Relay via F5
Posted: 01 May 2020 05:29 AM PDT

Hi, We are trying to use two CAS servers to load balance all internal application relay. Here is the problem I have run into. All connections made from the F5 automatically connect to the default receive connector rather than the custom receive connector. The only way we can connect to the relay connector from the F5 VIP is if we allow 0.0.0.0-255.255.255.255 on these connectors. With anonymous relay allowed, we cannot allow open relay on this VIP. Is there any way we can make the F5 use the correct connector? BTW, SNAT is enabled for the VIP. Thanks
Need suggestion for a setup to automatically provide IP addresses with isolation in between.
Posted: 01 May 2020 09:23 AM PDT

Hey everyone, I would appreciate some talk and help with this scenario. I want to create a three-point WiFi network with 50-100m between each device. For now at least; it may increase in range in the future. Planning on using three Ubiquiti LocoM2 devices or something similar and providing wireless internet access. When clients connect to the said network they should get an IP address via DHCP, but due to security concerns I need to have them isolated from each other. Each client should seem to be in a different subnet, without the possibility to scan or detect other devices connected to the same network. The whole plan is like this:

Can the basics of a guest zone/network suffice for this scenario? I have to mention that I have limited experience with larger-scale wireless networks. Here is my initial diagram, please chime in for corrections. https://i.imgur.com/Wog0ViG.png Thinking about the cabling and ethernet length limitations, I may also be able to omit the switch if the supplied router will have at least 4 ports. Is all this plausible, am I on the right track? Thanks
ICX6610 unable to ping
Posted: 01 May 2020 05:17 PM PDT

Hey there, I've run into a snag that I can't really understand. I'm new to switching and it's been pretty rough so far. I picked up the 6610 after reading through the ICX series sticky thread. I have all the firmware on it and it's ready to go, but configuring it is being a pain. First I'll say that my router/modem is still on the outside of the switch, so when accessing the switch to ping, it is going through my router's WiFi, to the LAN port and then to the switch. At the moment there is nothing on the other side of the switch.

I am attempting to make 3 different VLANs in the switch: VLAN 10 for the DMZ, VLAN 20 for the internal network, and VLAN 30 for management. My router has the internal network at 10.100.0.0/8. What I am finding is A) I cannot ping an interface if the port is tagged, only untagged, and B) I cannot ping the port if the mask on the interface is anything other than /16. I was trying to make everything /24. For instance, VLAN 30 is set to 10.100.1.1/16 and I can ping it through its 2 ports. But if I set it to 10.100.1.1/24 it won't. And if I try to get around this by then putting VLAN 20 to 10.200.1.1/16 instead of the 10.100.2.1/24 that I would LIKE to, that won't ping either. Other than this, from what I can see the VLANs and the ports are configured identically... so I'm not sure what gives? Like I said, I'm new to VLANs (other than school) and this is my first switch. I'm desperate to finally get this server up and running, but I can't even get to that part until I get the switch ironed out.

***Side question: Do static routes have to be defined in the router so it knows to see the switch as the gateway? Thanks guys.
AnyConnect profile doesn't stick after PC reboot
Posted: 01 May 2020 07:03 AM PDT

I'm trying to enable Start Before Logon on AnyConnect. I've enabled it on a profile in the ASA. The issue is, once the computer reboots, the option for SBL is gone. I figured that when using the profile editor on the ASA it would overwrite the XML file stored on the PC.
F5 one arm configuration multiple VLANs and routing
Posted: 01 May 2020 01:11 PM PDT

Hi All, Good day to you! I would like to ask regarding a one-arm F5 deployment. The requirement is as below: we have a trunk port from the F5 to the core switch catering for a few VLAN server segments, let's say vlanA (serverA), vlanB (serverB) and vlanC (serverC), because we want to load balance different applications on different segments. I will define SNAT for all respective VSs. My environment is:

- 1 x management port: IP address 192.168.240.100, subnet 255.255.255.0 (VLAN100)
- 1 x 10Gb port: 8 VLANs trunk VLAN110, VLAN120, VLAN130, VLAN140, VLAN150, VLAN160, VLAN160, VLAN170 -> self IP of each VLAN and floating IP of each VLAN
- 1 x HA port: VLAN999, self IP address 10.10.10.1, subnet mask 255.255.255.0

1 - Do I have to define a static route for each VLAN?
2 - Is a default gateway required for the management port?

e.g. route
VLAN110 ->> 0.0.0.0 - 0.0.0.0 - 10.110.10.254 (gateway)
VLAN120 ->> 0.0.0.0 - 0.0.0.0 - 10.120.10.254 (gateway)
VLAN130 ->> 0.0.0.0 - 0.0.0.0 - 10.130.10.254 (gateway)
and so on.

thanks,
What “proof” should I get to have someone look into an issue I feel we are having?
Posted: 30 Apr 2020 10:05 PM PDT

We have a 1Gbps business line from Comcast that we manage in our lab. Enterprise recommends we swap to the "enterprise lab infrastructure" that they manage. The problem is the throughput is total crap compared to what we currently have. Our lab-run internet connection is a Comcast 1Gbps business line. The enterprise one is supposedly a 1Gbps CenturyLink connection they route around over their MPLS circuits in the same city, but it eventually hits the 1Gbps CL (at least that's what I gather). There shouldn't be any issue to the "end user" between the two. I can understand some variance, but the CL connection is a total dog for throughput in comparison to basically 95% of sites. Yeah, you can pull up a browser and browse around, but downloading any type of packages (OS packages, datasets, etc.) it's way slower than 90% of them.

We noticed it when updating our servers with drivers (like 400MB Nvidia drivers) from Ubuntu mirrors. Our old connection could easily download this at 50-60MB/s (400-500Mbps) and be done in seconds. The new connection gets like 1-5MB/s (10-50Mbps). After seeing this from multiple sources, I went and did some testing from Vultr, AWS, FDCServers, RamNode, DigitalOcean etc. Downloading files from those data centers in the same city (Seattle) on the old connection with 3-6ms pings we can get 80+MB/s. Most of them are 90+MB/s. The new connection varies from 8-12MB/s on one test from one of the providers, and all the others are between 2-5MB/s (in Seattle). Running tests from different cities (LA, San Francisco, Denver, ATL, Chicago, NYC, Washington DC), the Comcast connection slows down some depending on the distance but it's routinely above 30MB/s on all of them. The new "enterprise" connection is between 1-2MB/s.

I ran the same tests on my home connection (Google Fiber) across the country (AL) to these same data centers in Seattle and get better speeds than this "enterprise" connection. I've complained about it and enterprise just tells me "it's the general internet, we can't do anything". I'm like, there HAS to be something wrong somewhere, otherwise this thing is borderline useless. If it's the "general internet", get CL to prove that, because this thing is dog slow to EVERY damn site. There is not a single site it's even close on. Then they just tell us our TCP window size is too small or some shit, when basically the same system 2 feet away is getting 80MB/s. I tested about 15-20 different sources spread across the country, and the Comcast connection never had one below 10MB/s (100Mbps), even from ATL to Seattle or Washington DC to Seattle. On the new connection I think there were 1 or 2 that were 10-15MB/s; the rest were in the 5MB/s range, even from Seattle.

Is there anything that you would want to see that would be hard to deny that there is a problem? Maybe it is the "general" internet being shit and CL is total shit in their peering or routing or whatever, but is there any way to prove that? Or am I just wrong and CL is just that bad? If you would like to see my test results I can share if needed.
Fiber install cost
Posted: 01 May 2020 10:59 AM PDT

Hello /r/networking, We are soliciting bids for a fiber install. We have to run the cable in-house and have someone come in to do it. We were quoted $4,200 to provide 800 ft of plenum armored OS2 12-strand, and then 48 terminations (2 runs out of the 800 ft; we'd cut the cable accordingly). Is this reasonable? They are providing the ends to terminate on, FWIW. If not, any idea where I should be? It's northern NJ for reference.
Cisco FTD, Fortigate or Palo for RA VPN
Posted: 01 May 2020 10:51 AM PDT

Hi All, I am curious about people's experience with Cisco FTD firewalls using AnyConnect. We're looking to retire a pair of ASA 5525-X firewalls. I am more into Fortigate firewalls as I have more experience with them. I have run ASAs in the past but I'm not overly impressed with the platform. However, it is rock solid, other than, in my opinion, a poor UI. Also curious about anyone who's running PA or Fortigate in production for RA VPN, as I haven't run either for that function. Thanks!