It is 2020 and Facilities just purchased a total campus door access control system... That runs entirely on 10 Half Duplex Networking
- It is 2020 and Facilities just purchased a total campus door access control system... That runs entirely on 10 Half Duplex
- IGMP - Traffic to querier
- How many vendors do you deal with?
- Wake devices on LAN from usb device?
- Default leak from front door VRF to GRT - NAT overload
- Overlay network mesh options: Nebula, Wireguard, Tailscale
- Small Business Access Security Question/Help Needed
- Firewall Design and Implementation
- Need advice on how to setup VPN
- Numerous new data drops aren't working, but standard cable testers say it's fine. Is there a fancier device I can buy/rent that will give more info on in-wall cabling?
- MAC-sticky not working on cisco switches.
- Can someone help me to understand this issue with DNS updating slowly?
- Dynamic DNS for home office VPN, worth it?
- Develop Firewall Rule
- How is the Decision Made for a Device to Join Either the Access or Voice VLAN?
- Most cost efficient product for IPSec mesh?
- Unable to ping L2 SW on other side using Unifi AirFiber P-2-P
It is 2020 and Facilities just purchased a total campus door access control system... That runs entirely on 10 Half Duplex
Posted: 01 Sep 2020 07:59 AM PDT
Yeah. Each door gets a small module that mounts above the ceiling tile. This module accepts input from the card reader, switches power on/off to the mag locks, etc. It is managed and powered over Ethernet. Each module has a NIC that only operates at 10 Half Duplex. Most of our switches technically support it for now, but I worry about our next access switch refresh. I get the feeling we're going to end up buying a bunch of EOL or crappy Netgear 100MB switches to "convert" this connection.
IGMP - Traffic to querier
Posted: 01 Sep 2020 04:23 AM PDT
I was always under the impression that within a simple L2 network, an IGMP querier was there only to send periodic membership queries so switches can build tables of which port needs to send what and to whom. That the querier is just an arbitrary node in the network which someone has decided will send querier messages. But.... I've just taken some training which very clearly says that the physical network link to a querier needs to have sufficient bandwidth for all multicast data traffic on the network, because all multicast data traffic will be sent to the querier, regardless of whether it has been requested by a listener or not. That's just not how I thought it worked and seems to go against the whole principle of intelligent multicast data routing / the reason for IGMP in the first place. Note that my L2 network is not connected by a router to another at L3. In that case, I can see why someone might say 'dimension the link to the router such that it can handle all potential multicast streams' just in case a remote network asked for them. This is strictly a single L2 network using IGMP snooping - no PIM etc. Who's correct? Me or the training?
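The forwarding rule the training describes can be made concrete with a small model of an IGMP-snooping switch. This is an added example, not code from the post or from any vendor; it encodes the behaviour most snooping implementations document, namely that the port on which General Queries arrive is learned as a multicast-router (mrouter) port and receives every group, while other ports receive only the groups they reported. The "drop unrequested groups when there is no mrouter port" branch is an assumption about the platform (some switches flood such traffic instead), and the port names, group addresses and source address are constructed for the scenario.

```python
"""Forwarding model of an IGMP-snooping switch on a single L2 segment.

Added example, not taken from the post or from any vendor's code. It
encodes the rule most snooping implementations document:

  egress(group) = ports with a Membership Report for group
                  UNION all multicast-router ("mrouter") ports

where the mrouter ports are learned from the General Queries the switch
hears, i.e. the port facing the querier. Groups that nobody reported and
that have no mrouter port are dropped here; some platforms flood them
instead, so treat that branch as an assumption about your own gear.
"""
from collections import defaultdict


class SnoopingSwitch:
    def __init__(self):
        self.mrouter_ports = set()          # ports where General Queries arrive
        self.members = defaultdict(set)     # group -> ports that reported it
        self.delivered = defaultdict(list)  # port -> [(group, source)] for inspection

    def general_query_seen(self, port):
        """A General Query came in on `port`: that port leads to the querier."""
        self.mrouter_ports.add(port)

    def report_seen(self, port, group):
        """A host on `port` sent a Membership Report for `group`."""
        self.members[group].add(port)

    def leave_seen(self, port, group):
        """A host on `port` left `group` (simplified: no last-member query)."""
        self.members[group].discard(port)

    def egress_ports(self, group, ingress):
        """Ports a data packet for `group` arriving on `ingress` is sent out of."""
        out = set(self.members.get(group, ())) | self.mrouter_ports
        out.discard(ingress)  # never echo back to the sender's port
        return out

    def deliver(self, ingress, group, source):
        for port in self.egress_ports(group, ingress):
            self.delivered[port].append((group, source))


def querier_port_load(switch):
    """Distinct streams each mrouter port carries: with a querier present this is
    every stream the sources emit, requested by a listener or not."""
    return {p: len(set(switch.delivered[p])) for p in switch.mrouter_ports}


def demo():
    """Constructed scenario: querier on Gi1/0/1, one listener for 239.1.1.1 on
    Gi1/0/2, a source on Gi1/0/3 sending two groups, the second unrequested."""
    sw = SnoopingSwitch()
    sw.general_query_seen("Gi1/0/1")
    sw.report_seen("Gi1/0/2", "239.1.1.1")
    sw.deliver("Gi1/0/3", "239.1.1.1", "10.0.0.3")
    sw.deliver("Gi1/0/3", "239.2.2.2", "10.0.0.3")  # nobody asked for this one
    return sw


if __name__ == "__main__":
    sw = demo()
    for grp in ("239.1.1.1", "239.2.2.2"):
        print(grp, "->", sorted(sw.egress_ports(grp, "Gi1/0/3")))
    print("streams on querier port:", querier_port_load(sw))
```

Running the scenario shows 239.1.1.1 going to both the listener and the querier port, and the unrequested 239.2.2.2 going to the querier port alone, which is the bandwidth effect the training is warning about: the querier's link is sized for the sum of all sources, not for what anyone asked for.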
How many vendors do you deal with?
Posted: 01 Sep 2020 04:01 PM PDT
Hi all! So recently I got to thinking, as it's a topic that has come up very often at work: the idea of being a silo-skilled engineer, or a jack of all trades. Now what I want to know is how many vendors you think a good engineer should have a deep understanding of, along with the technology space. I don't just mean being able to push a policy, I mean being able to debug it deep dive. More so at times cross-skilled across different technologies (automation, AWS, Azure). I'm still fairly new to networking and security (4 years) and at times I'm finding it hard to get certified on vendors as we support what I think is a lot for a single engineer to know (8 different vendors of firewalls +-), cloud based and on prem. I have my preferences on vendors but I am more curious as to whether I'm being a baby when it comes to how much I want to learn or if it is truly a case of too much? Also worth adding: along with firewalls and Azure there is still a good amount of routing and switching and wireless and some very limited VOIP..
Wake devices on LAN from usb device?
Posted: 01 Sep 2020 10:21 AM PDT
We have about 20 of these little machines at our corporation that we need to be able to use WOL on at random times. The included ethernet adapter does not support WOL, so waking the device when it is 100% off is not an option. There are no open PCI slots. However, when the computers are in sleep mode, a mouse or keyboard can wake it from sleep mode. I'm wondering if there is some sort of a USB device that could virtualize a mouse and wake the computer remotely?
EDIT, SOLUTION FOUND: Okay, as I'm typing this, a coworker found this repo using a raspberry pi zero (and presumably would work with a pi zero w). This answers my question but I figured I'd post it anyways so someone else that needs this will find a solution!
Default leak from front door VRF to GRT - NAT overload
Posted: 01 Sep 2020 06:18 AM PDT
A bit stumped on this. I've gotten this to work with VRF to VRF plenty of times, but in this scenario I'd like to do VRF to GRT. Does this config look right? This is IOS-XE (CSR1000v) in GNS3. This is all local to the "R1" router: https://imgur.com/jsRnMSL
Overlay network mesh options: Nebula, Wireguard, Tailscale
Posted: 01 Sep 2020 02:08 PM PDT
Hi all, I am trying to find an open-source alternative to Tailscale that offers similar speed to Wireguard. Preface: I'm not much of a networking guru. I understand that a solution might just be to "set it up myself with wireguard" but am looking to simplify the process if possible. I want to run kubernetes nodes on VMs that live on different networks, which are both NAT'ted and un-NAT'ted. I also need to be able to add and remove nodes from the network dynamically (static config would not work well in my case). I believe the best option here is a low-latency VPN. Tailscale makes this very easy. You install it and start it and it just works, UDP hole-punching included to get across NATs and easily adding network nodes dynamically. However, Tailscale is freemium and closed source. Nebula by slackhq does something similar. However, looking into it more closely, it runs at half the speed of wireguard. If it ran faster this would be perfect. The best option would be some open-source solution that utilizes linux kernel wireguard, and can dynamically add nodes to the network while providing UDP hole-punching. I've been unable to find anything like this, so wondering if the community has found anything good for this.
Small Business Access Security Question/Help Needed
Posted: 01 Sep 2020 11:14 AM PDT
In short, I am helping my completely IT illiterate brother in law set up a network for his small business. A while back he had an ex-employee log in and mess with their stuff and is wanting more security. I am great with figuring out computer stuff, but personally I have never really been involved in enterprise networking. I have decided on a Ubiquiti DM, +8 switch, +2 or 3 APs for hardware as it seems reasonable in price and pretty straightforward to set up (I don't mind opinions if you think there is something better/easier out there). My main question and concern is, what will be the best way to get the best security from his ex-employees gaining access to their network? Typically in big office settings that I'm used to, everyone has a login, and access to VPN through a login (like fortinet). Is this possible with this setup and what would I need to do? I was thinking of a guest network and just changing the password once a week or something, but that seems like a lot of work for a guy that is computer illiterate. I tried searching for this answer, but either don't know how to narrow down searches, or don't know what it's called to really get good answers. Any help or direction is greatly appreciated.
Firewall Design and Implementation
Posted: 01 Sep 2020 05:43 AM PDT
We are planning for implementing the Server Farm Firewalls with the following points into consideration
In addition to the above, we are also looking for a Web Application Firewall (f5, Imperva) for web servers in DMZ. The current design is collapsed core. Server Farm access switches are directly connected to Core. The core does inter-VLAN routing and has a default route to a pair of Internet edge firewalls which terminate internet connections, VPN and DMZ. I'm looking for a validated design to deploy the solution. Which firewall would best fit the above requirements: Palo Alto, Fortinet, or FTD?
Need advice on how to setup VPN
Posted: 01 Sep 2020 03:39 PM PDT
Dear all, I'm deploying a VOIP phone Cisco SPA 504G connected to a Cisco 3750G which is connected to a mikrotik router. I have configured the phone by accessing the webpage. Now I want to create a VPN on my mikrotik routerboard 750G to avoid the port blocking by my ISP. I have successfully configured the internet connection. But now I am stuck on this. I know there are site to site VPNs in mikrotik but how do these pptp and others work as I have only one mikrotik and it will act as server? Any link or help will be greatly appreciated. Thanks
Numerous new data drops aren't working, but standard cable testers say it's fine. Is there a fancier device I can buy/rent that will give more info on in-wall cabling?
Posted: 01 Sep 2020 03:09 PM PDT
We recently had a small ~3,000sq/ft office wired for data, CAT6a. I've found a few data drops that don't seem to work; devices won't communicate with the switch when using them (but using the same device and switchport over another drop works fine). Confoundingly, the data cabling installer's basic cable tester says the drops are fine, and my Fluke Intellitone Pro 200 also says that it's fine. Good contact on all pairs, but yet devices simply won't talk over these drops. Is there some kind of higher quality network cabling testing device that I can buy/rent that will give more info? Something so that I can go back to my cabling vendor and be like "See? It's fucked. Fix your shit."
MAC-sticky not working on cisco switches.
Posted: 01 Sep 2020 02:55 PM PDT
I'm rusty and I could be doing something wrong but I cannot figure this out =(. I have a setup of five switches
All of the switches can ping and ssh/telnet into the main switch. But when I put the mac-sticky command on every port (switchport port-security mac-address sticky), it shows nothing when I do show mac-address table | in (insert last 4 of mac). I would really appreciate it if someone can tell me what I'm doing wrong.
Can someone help me to understand this issue with DNS updating slowly?
Posted: 01 Sep 2020 08:43 AM PDT
We have a very secure but antiquated system that's used by everyone in the company. It requires a computer's current IP to match existing DNS records in order for a user to log in to it. That presents a problem when you have a laptop on Wi-Fi with an IP on one VLAN (10.x.1.x). Then the laptop plugs into a dock that has an Ethernet connection. Then the laptop gets switched to another VLAN (10.x.2.x). The DNS record still shows the 10.x.1.x IP. The user tries to log in to this system. They're denied access because they have the wrong IP. We get a help desk call saying they can't log in. Nslookup shows the 10.x.1.x IP. We have to remote to their computer, run "ipconfig /registerdns" and hope it works fast. Most of the time they can log in immediately. I've been told by the vets at my company and by the software vendor the only way around this is to give everyone a static IP. That's gonna be a no from me, dawg. There's one vet from another company that used the same system and gave everyone static IPs. I'm new to getting this much into the weeds in networking and backend systems. Can someone explain why this might be happening and if there's anything that can be done to speed up the DNS update process?
Dynamic DNS for home office VPN, worth it?
Posted: 01 Sep 2020 08:02 AM PDT
I have a situation where a small business had to relocate to a home office, and the customer is claiming that the ISP won't give them a static IP in their neighborhood. Has anyone ever used a dynamic DNS service for a client SSL VPN before? If so, what have your experiences been like? AnyConnect will be used specifically.
Develop Firewall Rule
Posted: 01 Sep 2020 12:20 PM PDT
Dear Redditeers, I need to develop a firewall rule to allow a certain application (https://www.saal-digital.eu/software-download/download/?ClientPlatformType=0). Wireshark & DNSQuerySniffer allowed me to narrow down that all communication happens through ports 80 & 443, TCP, IPv4. The initial request is a DNS request but then my issue starts: the following requests are to wildly varying IPs. I tried Whois lookups for those domains and tried adding those neighboring IP ranges to also cover all future variations. I did not manage to find the proper ASNs for that company. So, long story short: how do you profile a 3rd party application to create your firewall rules?
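One way to turn the captures the post mentions into rules is to join the DNS answers with the connections that followed them, so each destination is attributed to the name the application resolved rather than to a bare IP that will change tomorrow. The script below is an added example, not code from the post; the log shapes (a DNS sniffer tuple of time, name and answer IPs, and a connection tuple of time, destination, port and protocol) and all addresses and hostnames are constructed for illustration, so a real Wireshark or DNSQuerySniffer export needs its own parser in front of `profile()`. The generated rule lines use FQDN objects, which several firewall products support; the syntax here is pseudo-rule text, not any vendor's CLI.

```python
"""Correlate DNS answers with observed connections to profile a third-party
application for firewall rules. Added example, not from the post; input
shapes and all addresses/names are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed DNS sniffer view: (time, queried name, answer IPs).
DNS_LOG = [
    ("10:00:01", "app.example-vendor.test", ["198.51.100.10", "198.51.100.11"]),
    ("10:00:02", "cdn.example-vendor.test", ["203.0.113.5"]),
    ("10:00:03", "telemetry.example-vendor.test", ["203.0.113.40"]),
    ("10:05:00", "app.example-vendor.test", ["198.51.100.12"]),  # answer changed
]

# Constructed connection view: (time, dst IP, dst port, protocol).
CONN_LOG = [
    ("10:00:01", "198.51.100.10", 443, "tcp"),
    ("10:00:02", "203.0.113.5", 80, "tcp"),
    ("10:00:03", "203.0.113.40", 443, "tcp"),
    ("10:05:01", "198.51.100.12", 443, "tcp"),
    ("10:06:00", "192.0.2.77", 443, "tcp"),  # never appeared in a DNS answer
]


def ip_to_names(dns_log):
    """Reverse index: every IP ever returned -> names it was returned for."""
    index = defaultdict(set)
    for _, qname, answers in dns_log:
        for ip in answers:
            index[ip].add(qname)
    return index


def profile(dns_log, conn_log):
    """Attribute each connection to the DNS name(s) that produced its IP.
    Returns (by_name, unresolved): by_name maps name -> {(proto, port)},
    unresolved maps IPs the app reached without a preceding DNS answer."""
    names = ip_to_names(dns_log)
    by_name = defaultdict(set)
    unresolved = defaultdict(set)
    for _, ip, port, proto in conn_log:
        if ip in names:
            for name in names[ip]:
                by_name[name].add((proto, port))
        else:
            unresolved[ip].add((proto, port))
    return dict(by_name), dict(unresolved)


def summarize_networks(dns_log):
    """Collapse every IP the app was pointed at into minimal prefixes: this is
    what an IP-based rule would have to allow today, and it goes stale as
    soon as the vendor's DNS answers change."""
    ips = {ipaddress.ip_network(ip) for _, _, answers in dns_log for ip in answers}
    return [str(net) for net in ipaddress.collapse_addresses(ips)]


def rule_lines(by_name, unresolved):
    """Pseudo-rule text: FQDN rules for attributed traffic, and REVIEW lines for
    destinations that need a human to decide (hard-coded IP? missed capture?)."""
    lines = []
    for name in sorted(by_name):
        for proto, port in sorted(by_name[name]):
            lines.append(f"allow {proto}/{port} to fqdn {name}")
    for ip in sorted(unresolved, key=ipaddress.ip_address):
        for proto, port in sorted(unresolved[ip]):
            lines.append(f"REVIEW {proto}/{port} to {ip} (no DNS answer observed)")
    return lines


if __name__ == "__main__":
    by_name, unresolved = profile(DNS_LOG, CONN_LOG)
    print("\n".join(rule_lines(by_name, unresolved)))
    print("IP-based equivalent today:", summarize_networks(DNS_LOG))
```

The REVIEW line is the interesting output: a destination with no DNS answer behind it is either a hard-coded address in the application, a connection whose lookup happened before the capture started, or something unrelated that ran at the same time, and each of those wants a different rule.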
How is the Decision Made for a Device to Join Either the Access or Voice VLAN?
Posted: 01 Sep 2020 08:59 AM PDT
I work for a large enterprise. On our client access switches, the standard port config for a client connection looks something like:

    description **Client Access Port*
    switchport mode access
    switchport access vlan x
    switchport voice vlan y

Access ports usually contain end user devices such as PCs, printers, etc. while the voice vlan is dedicated to IP phones only. I notice that when a PC connects to a port with this config, it gets a DHCP address from the access vlan (our data vlan) and if I connect an IP phone to the same port it gets a DHCP address from the voice vlan. Recently, I have worked on a few projects where we have installed various "Cisco Webex SMART kit", specifically these devices: When these tablets are connected to the network, they automatically get an IP address in the voice vlan. The person I am working with responsible for provisioning these devices tells me they need to be in the data vlan instead. This is fine, I can change the IP of the device no problem and it should still work on that port. I was just curious as to what the mechanism or logic was to how a device decides which subnet to request a DHCP address for when connected to a port with both an access and voice vlan associated to it. Any insight would be greatly appreciated.
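The mechanism behind a port that carries both VLANs is that the switch advertises the voice VLAN to the attached device over CDP (or LLDP-MED's network-policy TLV), and a device that identifies itself as a phone tags its own frames with that VLAN, while untagged frames land in the access VLAN. The model below is an added example, not code from the post or from Cisco; it simplifies the protocol exchange to a single "advertise then classify" step, the VLAN numbers and device names are constructed, and the `honour_policy` flag is an assumption used to model a device configured to ignore the advertised voice VLAN.

```python
"""Model of how a port with `switchport access vlan X` and
`switchport voice vlan Y` sorts attached devices. Added example, not
vendor code; it encodes the documented behaviour in simplified form:

 - the switch pushes the voice VLAN to the device over CDP / LLDP-MED;
 - a device announcing itself as a phone tags its traffic with that VLAN,
   so its DHCP DISCOVER is answered from the voice subnet;
 - untagged frames (a PC, or a phone's pass-through port) go to the access
   VLAN; frames tagged with any other VLAN are dropped.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class AccessPort:
    access_vlan: int
    voice_vlan: Optional[int] = None

    def advertise(self, device_class):
        """Network policy sent via CDP/LLDP-MED: the VLAN a phone-class
        device is told to tag with, or None when there is nothing to offer."""
        if self.voice_vlan is not None and device_class == "phone":
            return self.voice_vlan
        return None

    def classify(self, tag):
        """VLAN an ingress frame is placed in; `tag` is the 802.1Q VID or
        None for an untagged frame. Returns None when the frame is dropped."""
        if tag is None:
            return self.access_vlan
        if tag == self.voice_vlan:
            return self.voice_vlan
        return None


@dataclass
class Device:
    name: str
    device_class: str           # what it announces in CDP/LLDP-MED: "pc" or "phone"
    honour_policy: bool = True  # assumption: False models "ignore the voice VLAN"

    def dhcp_discover_tag(self, port):
        """Tag the device puts on its own traffic, DHCP DISCOVER included."""
        advertised = port.advertise(self.device_class)
        if advertised is not None and self.honour_policy:
            return advertised
        return None


def dhcp_vlan(device, port):
    """VLAN, and therefore DHCP scope, the device's DISCOVER ends up in."""
    return port.classify(device.dhcp_discover_tag(port))


if __name__ == "__main__":
    port = AccessPort(access_vlan=10, voice_vlan=20)  # constructed VLAN ids
    for dev in (Device("laptop", "pc"),
                Device("desk-phone", "phone"),
                Device("room-tablet", "phone", honour_policy=False)):
        print(f"{dev.name:12s} -> VLAN {dhcp_vlan(dev, port)}")
```

The third device shows the lever the post is looking for: a device that announces itself as a phone but is set not to act on the advertised voice VLAN sends untagged and is placed in the data VLAN, which is the same outcome as removing the voice VLAN from that one port.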
Most cost efficient product for IPSec mesh?
Posted: 31 Aug 2020 06:46 PM PDT
As lame as it may sound to some of you, I find one of the best benefits of many SD-WAN products is the ability to create an automated mesh of IPSec tunnels between sites. However, most SD-WAN price tags are too high to justify for just that use case, for instance, considering I need 1 Gb of aggregate throughput:
You can see the PA-820 (which says it can do 1.3 Gb IPSEC) is sooo much cheaper than either Cisco option, however it only supports LSVPN for auto-IPSEC (hub-spoke only). Even their new SD-WAN solution only supports hub and spoke currently. What are good options for auto/mesh IPSec, maybe something that has some NAT traversal support?
Unable to ping L2 SW on other side using Unifi AirFiber P-2-P
Posted: 31 Aug 2020 05:43 PM PDT
Hello! I am running into this problem trying to ping & SSH to the other Cisco switch. I have two Unifi AirFiber set up as Point-2-Point to connect both buildings together. I have a Cisco 2960x on the new building set up as a Layer 2 and using the command "IP default-gateway" (the gateway of the switch configured as an L3). I can ping both Unifi AirFiber IP addresses, I can see the Unifi controller and Unifi WAPs, but I cannot ping or SSH to the switch using the IP address on the VLAN (VLAN-ID 93 in this case). Both network devices are in the same network scheme, which is 10.1.20.X/24. Do I need to put the switch on the new building as an L3 and put the static IP address? Thanks!