    Thursday, October 1, 2020

    AS1221 (Telstra) BGP hijacks 266 ASNs in 51 countries

    Posted: 01 Oct 2020 07:38 AM PDT

    Surprised no one is talking about this...

    On Tuesday, September 29, 2020 AS1221 - Telstra announced 472 prefixes in a BGP hijack event that affected 266 other ASNs in 50 countries, with the most damage rendered to U.S.- and UK-based networks. Worldwide it affected more than 1680 IPv4 prefixes, creating almost 2000 path challenge conflicts.

    via https://radar.qrator.net/blog/as1221-hijacking-266asns

    ProtonMail's thoughts on the matter: https://protonmail.com/blog/bgp-hijacking-september-2020/

    submitted by /u/hennirl

    Is the native VLAN really dangerous?

    Posted: 01 Oct 2020 10:24 AM PDT

    I've heard some network engineers saying the native VLAN should never be used because it could be very dangerous. I don't really understand the danger behind it, I just know I should always put all unused ports into a different VLAN than the native VLAN. So can anyone explain what's the matter behind the infamous native VLAN that makes it so unwanted? Or is it useful in any case?

    submitted by /u/iluilli
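
    The mechanism behind the worry, as an added example that is not part of the post above: on an 802.1Q trunk the native VLAN travels untagged, and a switch classifies a frame by its outermost tag only. The frames below are constructed byte strings and the two-function "switch" is this example's own minimal model of trunk egress and ingress, not any vendor's code.

```python
"""
802.1Q tagging and the native VLAN (constructed example). A trunk carries
its native VLAN untagged, and a switch classifies a frame by its outermost
tag only. The two-function "switch" below models exactly that and nothing
else; frames are built by hand.
"""
import struct

TPID_8021Q = 0x8100
ETH_HDR = 12  # dst + src MAC; tags start here


def build_frame(dst: bytes, src: bytes, vlans, ethertype: int, payload: bytes) -> bytes:
    """Ethernet frame with zero or more stacked 802.1Q tags (PCP/DEI left at 0)."""
    frame = dst + src
    for vid in vlans:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes):
    """Return (list of VIDs outermost first, inner EtherType, payload)."""
    off, vids = ETH_HDR, []
    (tpid,) = struct.unpack_from("!H", frame, off)
    while tpid == TPID_8021Q:
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vids.append(tci & 0x0FFF)
        off += 4
        (tpid,) = struct.unpack_from("!H", frame, off)
    return vids, tpid, frame[off + 2:]


def trunk_egress(frame: bytes, native_vlan: int) -> bytes:
    """Trunk egress: a frame in the native VLAN is sent untagged, others keep their tag."""
    vids, _, _ = parse_tags(frame)
    if vids and vids[0] == native_vlan:
        return frame[:ETH_HDR] + frame[ETH_HDR + 4:]   # strip the outer tag only
    return frame


def classify_on_ingress(frame: bytes, native_vlan: int) -> int:
    """Trunk ingress on the next switch: untagged -> native VLAN, tagged -> outer VID."""
    vids, _, _ = parse_tags(frame)
    return vids[0] if vids else native_vlan


def vlan_at_next_hop(frame: bytes, native_vlan: int, tag_native: bool = False) -> int:
    """VLAN the downstream switch assigns after the frame crosses one trunk."""
    on_wire = frame if tag_native else trunk_egress(frame, native_vlan)
    return classify_on_ingress(on_wire, native_vlan)


# Constructed frames: a host in VLAN 1 stacks two tags, outer 1 and inner 20;
# a host in VLAN 20 sends an ordinary single-tagged frame.
DOUBLE_TAGGED = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", [1, 20], 0x0800, b"payload")
SINGLE_TAGGED = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x02", [20], 0x0800, b"payload")

if __name__ == "__main__":
    print("native=1, untagged native :", vlan_at_next_hop(DOUBLE_TAGGED, 1))        # 20: hopped
    print("native=999 (unused)       :", vlan_at_next_hop(DOUBLE_TAGGED, 999))      # 1: stays put
    print("native=1, tagged native   :", vlan_at_next_hop(DOUBLE_TAGGED, 1, True))  # 1: stays put
```

    The asymmetry is the whole problem: the tag the sender chose as "outer" disappears at the first trunk, and the tag underneath becomes the frame's VLAN for every switch after it. Making the native VLAN an otherwise unused VLAN, or tagging it on trunks (on Cisco IOS, `vlan dot1q tag native`), removes it; parking unused access ports in a dead VLAN is a separate, also worthwhile, control.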

    MicroSegmentation, intra-VLAN segmentation, DHCP Option netmask /32

    Posted: 01 Oct 2020 05:50 AM PDT

    Hello Guys,

    I am wondering what technology you guys are using to segment traffic **within** a given VLAN.

    Here is the ultimate goal we want to achieve: for the users subnet, we would like to redirect ALL the traffic to the gateway (which in our case is a firewall), even traffic towards other computers in the same VLAN.

    With Cisco WiFi, it's easy: you just have to check "Forward traffic to upstream" and it's done.

    However, when it comes to switches (wired), it's another world.

    Currently, we are kind of using a hack to handle this: we send by DHCP a netmask option with the value 255.255.255.255 (/32).

    This was tested after observing how some cloud providers are doing it. We first tried it in a test subnet, and now, a few years later, we have 10k devices configured like that.

    With this configuration, all the devices think that they are alone in their subnet and thus send all traffic to the gateway, even if behind the scenes the destination is in the same VLAN.

    This actually works like a charm (at least with all major "user" OSes - Windows/macOS/Linux/BSD/Android/iOS).

    I am well aware that it only works for unicast; multicast and broadcast are still received, but still, there aren't any major risks with multicast/broadcast.

    However, I have literally never seen anyone doing this and I found close to 0 information about this.

    So here are my questions:

    - What do you think about this? Do you see anything that could go wrong?

    - What would be the "cleanest" way to achieve the same thing? Any other protocol/technology in mind?

    We are using full C9k Cisco devices in Legacy mode (so no SDA Fabric).

    submitted by /u/JulzOrensen
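
    What the /32 mask actually changes on the host, as an added example (not code from the post above): the host's on-link decision. The addresses, the firewall at 10.1.1.1 and the two neighbouring PCs are made up; the logic is the ordinary longest-prefix match every host performs against its own interface route, plus the usual special case that the configured gateway is always reachable directly.

```python
"""
Host forwarding decision under a /24 versus a /32 netmask (constructed example).
A host ARPs directly for destinations inside its own prefix and sends everything
else to the gateway; with a /32 nothing is inside the prefix except the host
itself, so every unicast packet goes to the gateway. Addresses are made up.
"""
import ipaddress


def dhcp_option_subnet_mask(mask: str) -> bytes:
    """DHCP option 1 (Subnet Mask) on the wire: code 1, length 4, four mask octets."""
    return bytes([1, 4]) + ipaddress.IPv4Address(mask).packed


def next_hop(dst: str, my_ip: str, mask: str, gateway: str) -> str:
    """
    Address the host will ARP for when sending to dst.
    Returns dst itself when the destination is on-link, else the gateway.
    The gateway is always treated as on-link: that is what lets a /32 host
    reach a router that lies outside its own (one-address) prefix.
    """
    iface = ipaddress.IPv4Interface(f"{my_ip}/{mask}")
    d = ipaddress.IPv4Address(dst)
    if d == ipaddress.IPv4Address(gateway) or d in iface.network:
        return dst
    return gateway


def goes_via_firewall(dst: str, my_ip: str, mask: str, gateway: str) -> bool:
    """True if unicast traffic to dst is forced through the gateway (the firewall)."""
    return next_hop(dst, my_ip, mask, gateway) == gateway


def compare(dst: str, my_ip: str, gateway: str) -> dict:
    """Same destination under the normal mask and under the /32 'hack'."""
    return {
        "/24": next_hop(dst, my_ip, "255.255.255.0", gateway),
        "/32": next_hop(dst, my_ip, "255.255.255.255", gateway),
    }


if __name__ == "__main__":
    # Constructed: user subnet 10.1.1.0/24, firewall at 10.1.1.1, neighbour PC at 10.1.1.20.
    print(dhcp_option_subnet_mask("255.255.255.255").hex())   # 0104ffffffff
    print(compare("10.1.1.20", "10.1.1.10", "10.1.1.1"))      # /24 -> 10.1.1.20, /32 -> 10.1.1.1
```

    Two practitioner caveats. First, the control lives in the client's routing table: a host with a static configuration, or one an attacker controls, simply keeps a /24 and talks to its neighbours directly, so the firewall only sees the traffic of hosts that cooperate; switch-side isolation (private VLAN isolated ports, or protected ports where the platform offers them) enforces it regardless of the client. Second, when the firewall forwards a packet back out the interface it arrived on, a router will normally send an ICMP redirect, and a host that honours it learns a direct route and the trick silently stops working for that pair; disable redirects on the gateway interface (Cisco IOS: `no ip redirects`).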

    VPN user monitoring from a networking perspective

    Posted: 01 Oct 2020 06:28 AM PDT

    I've been tasked with finding a solution that would allow a networking admin to determine whether a VPN user has a good quality connection to our network through his local network (wired, wireless), through his ISP and past the VPN gateway. So far, I've found three options:

    - ThousandEyes, but it's strictly a SaaS platform, so no-go
    - Keysight Hawkeye, but it's way too expensive
    - Aternity, but it doesn't give the expected KPIs

    What I know the solution must have is a locally installed client on the monitored laptops, an on-prem, centrally managed server(s) and a bunch of KPIs such as ping, jitter, PL, maybe even throughput tests, that can be reported in case of incident. Ideally, I'd like to see the user's WiFi strength, first-hop latency, our VPN gateway's latency, and some other server's latencies within our network.

    Is there such a tool available? If so, can anyone point me in the right direction? Thanks

    submitted by /u/uzunul

    Unknown Static IP Discovery on Router-less Network (via ARP?)

    Posted: 01 Oct 2020 08:29 AM PDT

    On some small, self-contained networks consisting of merely a switch (but no router), I've seen applications run that are capable of seeing/finding devices connected to the same switch but that have a static IP belonging to a totally different subnet.

    For example, if my computer has a static IP address of 192.168.1.5 and I plug in an IP camera that is configured to be 10.1.10.17 (but I don't know the latter, and even if I did I couldn't ping it anyway). Yet software from the camera manufacturer, running on 192.168.1.5, allows me to detect the camera's presence on the network and see details including its IP. How is this done? Is this via ARP? I'm learning about the latter now, and suspect that it's happening with ARP announcements.

    Long story short, I'm building a headless device (out of a Raspberry Pi) where I'm going to need to perform the same behavior - be preset with a static IP, and plugged into another network containing static IPs that are likely from an entirely different subnet. To be as user friendly as possible, I'd like to write a small/simple application for the user to be able to detect my device in this manner, and ultimately be able to change its IP to conform to their network. Thanks for any suggestions!

    submitted by /u/NumerousPen1
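
    How the discovery described above works at the byte level, as an added example that is not the camera vendor's code or the poster's: ARP is carried directly in Ethernet (EtherType 0x0806) and requests are layer-2 broadcasts, so every port in the VLAN sees them regardless of what IP subnet either side is configured with. A tool that listens for ARP requests, replies and announcements learns MAC to IP for every host that talks. The MACs, addresses and the three-frame "capture" below are constructed.

```python
"""
ARP-based discovery of a host in a foreign subnet (constructed example).
ARP rides directly in Ethernet (EtherType 0x0806) and the request is a
layer-2 broadcast, so every port in the VLAN sees it no matter what IP
subnet the sender or receiver is configured for. A discovery tool that
listens for ARP requests, replies and announcements learns MAC -> IP for
every talking host, which is how a 192.168.1.x PC can "see" a 10.1.10.17
camera behind the same switch. MACs and addresses below are made up.
"""
import socket
import struct

ETH_P_ARP = 0x0806
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=BROADCAST) -> bytes:
    """Ethernet header + 28-byte ARP body for IPv4 over Ethernet."""
    eth = dst_mac + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)          # htype, ptype, hlen, plen, op
    arp += sender_mac + socket.inet_aton(sender_ip) + target_mac + socket.inet_aton(target_ip)
    return eth + arp


def arp_announcement(mac: bytes, ip: str) -> bytes:
    """Gratuitous ARP as per RFC 5227: a request whose sender and target IP are the same."""
    return build_arp_frame(ARP_REQUEST, mac, ip, ZERO_MAC, ip)


def parse_arp(frame: bytes):
    """Return the ARP fields as a dict, or None if the frame is not ARP."""
    if len(frame) < 42 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_ARP:
        return None
    _, _, _, _, op = struct.unpack_from("!HHBBH", frame, 14)
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    spa_s, tpa_s = socket.inet_ntoa(spa), socket.inet_ntoa(tpa)
    return {
        "op": op,
        "sender_mac": mac_str(sha), "sender_ip": spa_s,
        "target_mac": mac_str(tha), "target_ip": tpa_s,
        "announcement": op == ARP_REQUEST and spa_s == tpa_s,
        "probe": spa_s == "0.0.0.0",   # RFC 5227 probe: sender does not claim an address yet
    }


def discover(frames) -> dict:
    """MAC -> IP table a discovery tool would build from captured ARP traffic."""
    table = {}
    for frame in frames:
        p = parse_arp(frame)
        if p and not p["probe"]:
            table[p["sender_mac"]] = p["sender_ip"]
    return table


# Constructed capture: the camera announces itself, a PC looks for its router, a third host probes.
CAMERA_MAC = bytes.fromhex("aabbccddeeff")
PC_MAC = bytes.fromhex("021122334455")
CAPTURE = [
    arp_announcement(CAMERA_MAC, "10.1.10.17"),
    build_arp_frame(ARP_REQUEST, PC_MAC, "192.168.1.5", ZERO_MAC, "192.168.1.1"),
    build_arp_frame(ARP_REQUEST, bytes.fromhex("02aaaaaaaaaa"), "0.0.0.0", ZERO_MAC, "192.168.1.9"),
]

if __name__ == "__main__":
    for mac, ip in discover(CAPTURE).items():
        print(mac, ip)
```

    Passive listening only finds devices that talk; vendor tools also provoke a reply by broadcasting a request for the address they want to check, which needs a raw socket (AF_PACKET on Linux, CAP_NET_RAW) or a temporary secondary address in the target's subnet. For the headless device, the same channel that lets a stranger on the segment find it would also let them reconfigure it, so the "change my IP" step should require some proof of possession (a button press, a per-device password) rather than trusting any host that can send a frame.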

    Failover Setup With VPLS

    Posted: 01 Oct 2020 07:38 AM PDT

    Hey All,

    We are running into an issue that we... well, didn't plan properly for. We have a VPLS circuit connecting 2 data centers. We are using OTV and extending the VLANs to the 2nd datacenter because that is going to be our new primary DC. We are using this for data migration and host creation at the location.

    The problem we are facing is, should that circuit drop, we have no redundancy. The obvious solution is to get another private circuit; however, that would prove difficult with our time frame that we would need it in. Obviously, the problem comes from extending the VLANs. IPsec VPN tunnels are not really an option that I am aware of for this. Please correct me if I'm wrong.

    We have DIA circuits in place, which is why I was hoping to be able to somehow use one of them for redundancy, but I cannot figure out how to pull that off.

    Any help for this would be greatly appreciated.

    Thanks!

    submitted by /u/wargenesis

    Aerohive/ExtremeWireless Bonjour Gateway

    Posted: 01 Oct 2020 05:31 AM PDT

    Hi Guys,

    Just wondering if anyone knows how bonjour gateway works on aerohive/extreme. In my lab I have two vlans, 10 and 20. I configured an AP as BDD master priority 254, I have configured my bonjour gateway settings to scan vlans 10 and 20 and allow various different services such as '._airplay._tcp.' '._raop._tcp.' to 'any any' vlans but still I can only airplay to my TV at home from the vlan the TV resides. I think I just misunderstand the technology, wondering if someone could explain it to me. From my reading, it simply relays multicast info to other vlans such as relaying mdns so devices on other vlans can discover these apple devices.

    submitted by /u/ebnetworking

    How to troubleshoot a network that is having random issues?

    Posted: 01 Oct 2020 04:19 AM PDT

    I've been troubleshooting an issue with a client of mine but I can't seem to solve it.

    Problem : internet will randomly disconnect.

    What i've done so far :

    * Found a bad RJ45 which caused disconnects.

    * Found a Sonos with a bad Ethernet port that caused high latency in the network. Moved that one to WiFi; latency issue solved.

    * Swapped a bad modem from the ISP. It wouldn't generate the correct speeds the customer was paying for. After swapping it for a new one, that issue was solved.

    * Found an old 10/100 switch. Replaced that one.

    What's left?

    I'm about to replace a 24 port switch that's next to the modem. But I'm not confident I'll locate the problem.

    Is there any logging software that I can use that might monitor the network so I can find this issue?

    submitted by /u/JimPfaffenbach
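
    One block serving two questions on this page, the VPN-user KPIs asked about earlier (ping, jitter, PL, first hop vs. VPN gateway vs. internal server) and the "internet randomly disconnects" logging question just above: the arithmetic a monitoring client does on a probe log. This is an added example, not code from either post or any product named in them. The probe records are constructed (one probe per second per target, stored as a timestamp and an RTT in ms, with None for a timeout), and the field names are this example's own.

```python
"""
Connection-quality KPIs from a probe log: RTT statistics, jitter, packet loss
and outage windows (constructed example). Input is a list of
(unix_seconds, rtt_ms) tuples per target, rtt_ms = None when the probe timed
out. Per-target rows side by side show which segment (first hop, VPN gateway,
internal server) is the one degrading.
"""
from statistics import mean, median
from typing import Dict, List, Optional, Tuple

Probe = Tuple[int, Optional[float]]   # (unix seconds, RTT in ms or None on timeout)


def rtt_stats(probes: List[Probe]) -> Dict[str, float]:
    rtts = [r for _, r in probes if r is not None]
    if not rtts:
        return {"min": 0.0, "max": 0.0, "mean": 0.0, "median": 0.0}
    return {"min": min(rtts), "max": max(rtts), "mean": mean(rtts), "median": median(rtts)}


def jitter_ms(probes: List[Probe]) -> float:
    """Mean absolute difference between consecutive answered probes (the usual ping-tool definition)."""
    rtts = [r for _, r in probes if r is not None]
    if len(rtts) < 2:
        return 0.0
    return mean([abs(b - a) for a, b in zip(rtts, rtts[1:])])


def loss_pct(probes: List[Probe]) -> float:
    return 100.0 * sum(1 for _, r in probes if r is None) / len(probes)


def outages(probes: List[Probe], min_consecutive: int = 3) -> List[Tuple[int, int]]:
    """Windows of >= min_consecutive consecutive timeouts, as (first_ts, last_ts)."""
    windows, run = [], []
    for ts, rtt in probes:
        if rtt is None:
            run.append(ts)
            continue
        if len(run) >= min_consecutive:
            windows.append((run[0], run[-1]))
        run = []
    if len(run) >= min_consecutive:
        windows.append((run[0], run[-1]))
    return windows


def report(by_target: Dict[str, List[Probe]]) -> Dict[str, Dict[str, float]]:
    """One KPI row per target; the first target whose row degrades is where the fault begins."""
    out = {}
    for name, probes in by_target.items():
        row = rtt_stats(probes)
        row["jitter"] = jitter_ms(probes)
        row["loss_pct"] = loss_pct(probes)
        row["outages"] = len(outages(probes))
        out[name] = row
    return out


# Constructed sample: the local first hop is clean while the VPN gateway shows a
# three-second outage, so the fault lies between the user's router and the gateway.
FIRST_HOP = [(t, 2.0 + (t % 3) * 0.5) for t in range(10)]
VPN_GATEWAY = [(0, 30.0), (1, 31.0), (2, 29.0), (3, None), (4, None), (5, None),
               (6, 32.0), (7, 30.0), (8, None), (9, 31.0)]

if __name__ == "__main__":
    for target, row in report({"first_hop": FIRST_HOP, "vpn_gateway": VPN_GATEWAY}).items():
        print(target, {k: round(v, 2) for k, v in row.items()})
```

    The probes themselves come from ICMP echo or a timed TCP connect to each hop, run by a small agent on the laptop and shipped to an on-prem collector; WiFi signal strength is read from the OS (`netsh wlan show interfaces` on Windows, `iw dev <if> link` on Linux) and logged alongside. For the "random disconnect" case the `outages()` windows are the thing to correlate against switch logs and DHCP events, since a single timestamp is worth more than a week of "it was slow".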

    Changing VPC Peer-Link Ports

    Posted: 01 Oct 2020 06:30 AM PDT

    I have a couple N9k's who are using a pair of 10g ports as their peer link, and I want to upgrade them to 100g ports.

    In my config, the peer link is Po1. What would be the best way to move the peer link to a port channel using my 100g ports? I've thought of the following:

    1. Mirror the config of the Po1 member ports to the 100g interfaces, creating a port channel with four interfaces (two 10g, two 100g), then just remove the 10g ports from the channel group.

    2. Create a new port channel with the 100g interfaces and change the config to use the new port channel.

    I think it's probably obvious that I'm trying to do this with the least amount of downtime and possible trouble. What I'm not sure of, is can I even create a port channel with interfaces of different speeds? I guess I've never tried that before...and will that work? It seems like the first option is the easiest and most straight forward, but I want to make sure I'm not overlooking something.

    Thanks in advance.

    Edit: Answer received. Thanks for the quick responses!

    submitted by /u/vegas84

    C3850 MPLS ip forwarding

    Posted: 01 Oct 2020 07:09 AM PDT

    In an interesting spot, have a c3850 that is configured to run vpnv4, but is not forwarding packets received to the requisite interface.

    What I've done:

    - BGP routes are being propagated for the VRF, and are showing correctly in the routing table

    - mpls ip is enabled on the connecting interfaces, verified mpls ldp neighbor

    - Done a capture on the MPLS interface and on the end device. Traffic coming from the MPLS network makes it to the interface, but isn't routed out the IP interface

    When traffic originates from the ip side, it is shown on both captures, as ip and as mpls on the outbound interface.

    I've dug through plenty of Cisco documentation, but am at a loss as to the next step. I'm of the mindset that it's something akin to the "ip routing" command.

    Thanks

    submitted by /u/nysnow

    Ethernet Cable Connected To Our Switch Brought Down The Network

    Posted: 01 Oct 2020 03:35 PM PDT

    1. Aruba 3810M
    2. I noticed there was a VOIP phone in our DHCP log that was constantly trying to get an IP address
    3. I found out what port the device was connected to on the switch, unplugged it and the network came back online instantly.
    4. Since we have VLANs this only affected one of our VLANs; our other VLANs were working fine
    5. I'm wondering what would be the cause of this? The phone is just connected to a wall jack in the office which terminates in the server room and connects to the switch. Is there anything I should be testing?
    6. I read about BPDU Guard - would this mitigate the issue? I read it'll just disable the port and I'll have to manually re-enable it

    Looking at the logs, the switch port that the phone was connected to was giving out a duplicate IP warning and there were other ports that were giving the message "High Collision Drop Rate", but the port that the phone was connected to was not giving this error message.

    submitted by /u/Hayabusa-Senpai

    TCP Socket Programming - should I wait until I get a response from server?

    Posted: 01 Oct 2020 07:38 AM PDT

    I'm new to network programming and I'm making an application that works with TCP sockets on Android. Currently I made it so that when a request is sent, I wait for an answer, then I update the UI and after a set period of time I send the request again. If I get certain information back, I want to send a different request. I don't know if this is a good approach, but I can't seem to make it work unless I get some sort of answer before making the next request. One problem with this is that if the server doesn't respond I get stuck, which I could get around with a timeout.

    submitted by /u/GCapablanca
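
    The request/wait/react loop described above with the timeout built in, as an added example rather than the poster's app (Python rather than Android, but the shape carries over: do the blocking socket work off the UI thread and treat a timeout as a result, not a hang). The length-prefixed framing, the command names and the in-process server that deliberately never answers "SLOW" are all constructed for the demonstration.

```python
"""
TCP request/response with a timeout instead of an indefinite wait
(constructed example). Toy protocol: 4-byte big-endian length prefix, then
the payload. The in-process server, its command names and its "go silent"
behaviour are made up for the demonstration.
"""
import socket
import struct
import threading

HDR = struct.Struct("!I")
MAX_FRAME = 1 << 20   # refuse absurd lengths from an untrusted peer


def send_msg(sock: socket.socket, payload: bytes) -> None:
    sock.sendall(HDR.pack(len(payload)) + payload)


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """recv() may return fewer bytes than asked; loop until n bytes or EOF."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return bytes(buf)


def recv_msg(sock: socket.socket) -> bytes:
    (n,) = HDR.unpack(recv_exact(sock, HDR.size))
    if n > MAX_FRAME:
        raise ValueError(f"frame of {n} bytes exceeds limit")
    return recv_exact(sock, n)


def _serve(listener: socket.socket, handler) -> None:
    """Answer one connection at a time; a handler returning None means 'never reply'."""
    while True:
        conn, _ = listener.accept()
        with conn:
            try:
                while True:
                    resp = handler(recv_msg(conn))
                    if resp is not None:
                        send_msg(conn, resp)
            except (ConnectionError, ValueError):
                pass


def start_server(handler) -> int:
    """Start the toy server on a free loopback port and return that port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(4)
    threading.Thread(target=_serve, args=(listener, handler), daemon=True).start()
    return listener.getsockname()[1]


def request(port: int, payload: bytes, timeout: float = 0.5):
    """One round trip. Returns ('ok', response) or ('timeout', None); never blocks forever."""
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
        send_msg(s, payload)
        try:
            return "ok", recv_msg(s)
        except socket.timeout:
            return "timeout", None


def poll_cycle(port: int):
    """The poster's loop body: ask for status, react to what came back, tolerate silence."""
    results = [request(port, b"STATUS")]
    if results[0][1] == b"ALARM":            # a different follow-up depending on the answer
        results.append(request(port, b"ACK"))
    results.append(request(port, b"SLOW"))   # the server never answers this one
    return results


def demo_handler(req: bytes):
    return {b"STATUS": b"ALARM", b"ACK": b"OK", b"SLOW": None}.get(req, b"UNKNOWN")


if __name__ == "__main__":
    port = start_server(demo_handler)
    for status, body in poll_cycle(port):
        print(status, body)
```

    Two things the framing buys beyond the timeout: `recv_exact` handles the fact that TCP is a byte stream and a single `recv()` can return half a message, and the length cap keeps a hostile or buggy server from making the client allocate whatever size it claims. Waiting for the reply before sending the next request is a perfectly normal pattern; the timeout is what turns "stuck" into a state the UI can show.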

    BGP & peering for beginners

    Posted: 01 Oct 2020 02:46 PM PDT

    I am currently working for a big telco company as a support but overall I am new to networking (started learning stuff covered in CCNA and CompTia N+). I see an opportunity for myself to have a career there (what I am doing now is dull, boring and not paid well) but it requires me to get a decent knowledge about BGP and peering. So I'd like to ask what is absolutely necessary to know before even getting into those? Also if anyone could recommend sources for learning I would greatly appreciate it.

    Company's core devices are Juniper.

    submitted by /u/chruchru

    Dealing with Access-List bloat in a Service Provider environment?

    Posted: 01 Oct 2020 08:36 AM PDT

    I have been working at a healthcare managed services provider for a few months. We provide solutions and services to thousands of clients worldwide. In the team I work on, we have around 600 clients. They host in our data centers, but they still have devices on their own sites which need to connect back to our data center.

    I was shocked to learn that we still use access control lists to define access rules for individual hosts. We use Cisco Security Manager and each firewall/router has hundreds of lines in their ACLs. What's worse is that most of those lines are overlapping or redundant rules, and over the years apparently there has been no consistent policy in creating or managing changes done to these lists. New clients are provisioned with a default policy but then there are site specific additions and that's where it gets extremely bloated.

    Today I got a request from one of our clients to double-check access for about 15 servers and I can't believe I have to sort through lines of individual hosts to double-check that they're all there. And there are many redundant rules, rules with overlapping protocols, etc.

    I'm relatively new to networking, but what kinds of solutions exist to replace ACLs? Especially in a service provider environment like ours. I'm not sure if it's incompetence or what but again I can't believe it was allowed to get this bad. Also should I feel compelled to try and fix this for each client or would it just be a wasted effort? I have read about using groups and subnets instead of individual hosts, but there are both in our ACLs and they're still overlapping in a lot of policies. It's just a nightmare.

    submitted by /u/darkyacht
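
    The two checks the post above describes doing by hand, finding entries that an earlier entry already covers and confirming what a given host-to-server flow actually hits, as an added example that is not the poster's ACLs or Cisco Security Manager's logic. The rules use RFC 5737 documentation addresses and are constructed; the five-tuple model (action, protocol, source, destination, destination port range) is a deliberate simplification of an extended ACL.

```python
"""
Auditing an extended access list for redundant and shadowed entries, and
answering "is host A allowed to reach server B on port P?" by first match
(constructed example). An entry is redundant when an earlier entry with the
same action already matches everything it matches, and shadowed when an
earlier entry with the opposite action does; either way it never takes effect.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Tuple

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" (any), "tcp", "udp", "icmp"
    src: IPv4Network
    dst: IPv4Network
    ports: Tuple[int, int]      # inclusive destination port range; ignored when proto == "ip"


def parse_ace(line: str) -> Ace:
    """'10 permit tcp 10.1.0.0/16 192.0.2.10/32 eq 443'  or  '... range 1000 2000'."""
    t = line.split()
    ports = ANY_PORT
    if len(t) > 5 and t[5] == "eq":
        ports = (int(t[6]), int(t[6]))
    elif len(t) > 5 and t[5] == "range":
        ports = (int(t[6]), int(t[7]))
    return Ace(int(t[0]), t[1], t[2], ip_network(t[3]), ip_network(t[4]), ports)


def load_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def covers(a: Ace, b: Ace) -> bool:
    """True when every packet matched by b is also matched by a."""
    if a.proto != "ip" and a.proto != b.proto:
        return False
    if a.proto != "ip" and not (a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1]):
        return False
    return b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)


def audit(acl: List[Ace]) -> List[Tuple[int, str, int]]:
    """(seq, 'redundant'|'shadowed', covering_seq) for every entry an earlier one makes dead."""
    findings = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.seq, kind, earlier.seq))
                break   # the first covering entry is the one that actually wins
    return findings


def decide(acl: List[Ace], proto: str, src_ip: str, dst_ip: str, port: int) -> Optional[Ace]:
    """First-match lookup; None means the implicit deny at the end of the list."""
    pkt = Ace(0, "", proto, ip_network(f"{src_ip}/32"), ip_network(f"{dst_ip}/32"), (port, port))
    return next((ace for ace in acl if covers(ace, pkt)), None)


# Constructed sample ACL (RFC 5737 documentation addresses for the data-center side).
SAMPLE_ACL = """
10 permit tcp 10.1.0.0/16 192.0.2.10/32 eq 443
20 permit tcp 10.1.5.0/24 192.0.2.10/32 eq 443
30 deny ip 10.2.0.0/16 192.0.2.0/24
40 permit tcp 10.2.3.4/32 192.0.2.20/32 eq 22
50 permit udp 10.1.0.0/16 192.0.2.53/32 eq 53
60 permit tcp 10.1.0.0/16 192.0.2.10/32 range 440 450
"""

if __name__ == "__main__":
    acl = load_acl(SAMPLE_ACL)
    for seq, kind, by in audit(acl):
        print(f"seq {seq} is {kind} (covered by seq {by})")
    hit = decide(acl, "tcp", "10.2.3.4", "192.0.2.20", 22)
    print("10.2.3.4 -> 192.0.2.20:22 decided by seq", hit.seq if hit else "implicit deny")
```

    `audit()` only reports entries fully covered by one earlier entry; partial overlaps (seq 10 and 60 above) are where hand-cleanup usually goes wrong and are best resolved by expressing the intent once as an object group. Running `decide()` for each of the 15 servers against the live list answers the client's question without reading the list line by line, and doing it before and after a cleanup is the regression test that makes consolidating the list safe.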

    Post-Production Managed Switch - 10gb + 40gb connections

    Posted: 01 Oct 2020 08:29 AM PDT

    Hey All –

    I thought this would be a good place to ask for some advice.

    We are a small creative agency in Cleveland and have a fully unifi setup for our network. This includes a Unifi 16-XG switch which is run through a patch panel to our small network of workstations connected over CAT-6A. Right now we've been running a small set of servers, one of them connected to it through two 10Gbase-t connections that are LAG'd together through the unifi profile.

    We're upgrading our server to an iXsystems M40-HA which features 40gb QSFP+ (I think it's +) ports on it. Right now we have our order in to split that connection into 4 x 10gb SFP+ connections but I think it would be much better to purchase a new switch that has one of those ports on it that we can break out into our workstations. iXsystems agrees but they don't seem to have a preference for a switch, only that it will work with nearly any managed switch and that eBay is a good source of cheap datacenter switches.

    I'm curious if anyone can give me some guidance on this since a lot of the switches that are cheap scare me off a little bit because I've never worked with them before and something like a Juniper switch while nice, worries me because I'm not sure what kind of licensing issues I might run into with something like that.

    As of now, we're only using half of the 16 ports on the unifi switch and are using transceivers to convert the copper to SFP+.

    submitted by /u/Krashin

    Two VRF’s (default and new_vrf) to the same ESXI cluster?

    Posted: 01 Oct 2020 01:30 PM PDT

    I have two Cisco NX switches with two VRFs - I need to be able to have VM's in both VRF's IP ranges in the same cluster.

    Is this possible? I currently have the switch set up as the "core" where all of the gateways reside, and one switch is where all of the VMware hosts are plugged in. all of the networking is correct and working for the default VRF, but the new vrf is not passing traffic. I cannot even ping the gateway.

    The two switches can ping each other on the new vrf, and cannot ping anything in the default vrf, which is to be expected (I think).

    My vswitches are set to tag the correct vlan, and the vlan exists in nx switches.

    I know I'm doing a bad job of explaining this, but I've been beating my head on this all day and I'm just sure I don't understand what I'm doing.

    submitted by /u/BokehJunkie

    With a budget of $4000, what would you recommend for a network tester for ethernet, fiber & WiFi? Up to 10Gb on both ethernet & fiber. I've been looking at the various Fluke models, but before I pull any triggers.....

    Posted: 01 Oct 2020 01:00 PM PDT

    Is an ALL-IN-ONE better or break it up?

    submitted by /u/_coast_of_maine

    ipsec vpn but natting the destination : cisco ios

    Posted: 01 Oct 2020 12:59 PM PDT

    I've got a VPN to a remote lan which is on a private /16 subnet 10.10.0.0/16.

    I need to setup the router terminating this vpn so that as the traffic comes in over the vpn (on outside interface) the source subnet (10.10.0.0/16) is natted to a public IP (nat pool is fine) before being sent out of the inside interface on the same router to its destination.

    I can set this up on GNS3 but it only works in one direction. From inside to outside probably due to the way nat works.

    I can't think of a way to get it to work in both directions unless I do something like static one-to-ones? This isn't viable though due to the remote side using a /16 range.

    thanks

    submitted by /u/Busbyuk

    How often are VPNs used across leased lines?

    Posted: 01 Oct 2020 04:32 AM PDT

    Teacher explained today that Full Mesh VPN topology comes with an additional cost per connection. I then asked him "Why? Aren't VPNs used as an alternative to buying multiple leased lines?". He then told me that you'd still want to use a VPN across the leased line.

    Thinking about it, I understand that this would add extra security, but how often is it really done? Is there any downside to this?

    submitted by /u/shellwhale

    What emerging technologies will impact networking most in the next five years?

    Posted: 01 Oct 2020 06:52 AM PDT

    In order to predict coming changes in networking practices it is necessary to understand which technologies will be most impactful in the near future. For those who work in the industry or have insights into transitions that will be occurring in the fields of networking: which technologies would you deem likely to be most impactful and why?

    submitted by /u/Random_Critic

    Network Switch Recs

    Posted: 01 Oct 2020 10:30 AM PDT

    I am trying to find a 48 port switch that has all SFP slots. I need it to be 10/100/1000 Mbps backwards compatible. Some ports need to be LC fiber SFPs for multimode 850nm fiber, but most will be RJ45 SFPs. Are there any switches anyone could recommend?

    Ideally we would like Cisco, Dell, or HPE/Aruba.

    The switch in place now is a Dell PowerConnect 2848. We need to replace it with the above, to eliminate all of our fiber to Ethernet media converters.

    submitted by /u/Spiralout615

    First time setting up a Cisco SPAN session...

    Posted: 01 Oct 2020 09:39 AM PDT

    Hi All,

    IT guy for my local school district here. We're having trouble with a remote resource who periodically sees a lot of TCP re-transmission errors between our sites. As part of our troubleshooting process, I want to set up a monitor session to mirror our web traffic to a wireshark device. We run a Nexus 5000 series switch.

    Having never had an opportunity to do this in a production environment before, I wanted to ask whether setting up Cisco port mirroring has any hidden "gotchas" a first timer should be aware of. I am pressed to get this troubleshooting underway as quickly as possible, otherwise I would opt to trial and error during scheduled down-time. I figure worst case scenario if I bork the port settings I can move the copper to an adjacent port I've already set up to perform the same duty, but any advice you can offer would be greatly appreciated.

    Thank you all for your time and help.

    submitted by /u/BenjaminKorr

    VRF aware PBR on Nexus 9k

    Posted: 30 Sep 2020 05:59 PM PDT

    Anyone know if there is a way to achieve this? It rather happily will allow you to do PBR within the given vrf, but any commands along the lines of "set ip vrf <X>" or "set ip x.y.z.z vrf <X>" seem to be unavailable under route maps unlike some IOS based devices, even with the PBR feature set turned on.

    No commentary on the merits of PBR itself requested or desired.

    submitted by /u/a_cute_epic_axis
