Moronic Monday! Networking
- Moronic Monday!
- Is having a dhcp server embedded in a WLC a security concern?
- Nortel Baystack 5510-48T icmp within vlan
- BGP path algorithms: Pithy Mnemonic [Wise Lip Lovers Apply Oral Medication Every Night.]
- iptables: Allow local connections
- Anyone figured out how to play with broadcom APIs on open network gear?
- Best practises setting up routers/firewalls - advice
- Junos still uses flash
- MPLS Path Protection vs Fast Reroute
- Juniper DDOS Protocol Violation - VXLAN & L3NHOP? Any ideas what this is...
- Are there interactive Mikrotik scripts that login into multiple routers at once?
- CDN Infrastructure design?
- Use cases for separate hives within Aerohive?
- Anyone feeling Charitable? Somewhat new to networking...Trying to help implement an internal routing protocol between datacenters
- 802.1x labs on EVE-NG
Moronic Monday! Posted: 24 Jan 2021 04:00 PM PST It's Monday, you've not yet had coffee and the week ahead is gonna suck. Let's open the floor for a weekly Stupid Questions Thread, so we can all ask those questions we're too embarrassed to ask! Post your question - stupid or otherwise - here to get an answer. Anyone can post a question and the community as a whole is invited and encouraged to provide an answer. Serious answers are not expected. Note: This post is created at 01:00 UTC. It may not be Monday where you are in the world, no need to comment on it.
Is having a dhcp server embedded in a WLC a security concern? Posted: 25 Jan 2021 02:10 AM PST Hello, basically we were having issues with our guest wireless solution, which uses a CentOS VM DHCP server. As a temporary fix I created a DHCP server within the wireless controller; this fixed the issue but raised questions about whether this was best practice. The DHCP server is now not within the DMZ (I guess it still is logically, because the subnet it is leasing is only for the guest VLAN). Is this a security concern?
Nortel Baystack 5510-48T icmp within vlan Posted: 25 Jan 2021 10:15 AM PST Hello, I am trying to add some UniFi APs to my production VLAN 1010. I was able to change the default VLAN of the port and get the correct IP for the VLAN, but I am not able to SSH or ping the device from my UniFi controller. I have no other physical device on that VLAN. I can ping the gateway of the VLAN just fine. The port in question is port 10. Not sure what I am doing wrong. I can ping VMs within the 2 hosts I have.
BGP path algorithms: Pithy Mnemonic [Wise Lip Lovers Apply Oral Medication Every Night.] Posted: 25 Jan 2021 06:28 AM PST I found this while reading BGP in the Data Center by Dinesh G. Dutt. Great book but it doesn't come with a workbook sadly.
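The mnemonic encodes the order of the BGP best-path decision steps (Weight, Local preference, Locally originated, AS path length, Origin, MED, eBGP over iBGP, Nearest IGP neighbor). The following is an added worked example, not code from the post or from the book: it walks the steps in that order as a comparator and reports which step decided the tie. The Path fields, the sample values and the trailing router-ID tie-break (which is beyond what the mnemonic covers) are this example's own assumptions; MED is compared unconditionally for simplicity, which matches `bgp always-compare-med` rather than the default behaviour.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Lower rank is preferred: IGP < EGP < incomplete.
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass
class Path:
    """One candidate path for a prefix, carrying the attributes the mnemonic compares.
    Field names and the sample values used below are this example's own assumptions."""
    name: str
    weight: int = 0                    # Wise: Cisco-local weight, highest wins
    local_pref: int = 100              # Lip: highest wins
    locally_originated: bool = False   # Lovers: network/aggregate/redistribute wins
    as_path: List[int] = field(default_factory=list)  # Apply: shortest wins
    origin: str = "igp"                # Oral: igp < egp < incomplete
    med: int = 0                       # Medication: lowest wins
    ebgp: bool = True                  # Every: eBGP-learned beats iBGP-learned
    igp_metric: int = 0                # Night: lowest IGP cost to the next hop wins
    router_id: str = "0.0.0.0"         # beyond the mnemonic: lowest router ID as a last resort


# Each step maps a path to a sort key; the LOWER key is the preferred path.
STEPS: List[Tuple[str, Callable[[Path], object]]] = [
    ("Weight", lambda p: -p.weight),
    ("Local preference", lambda p: -p.local_pref),
    ("Locally originated", lambda p: 0 if p.locally_originated else 1),
    ("AS path length", lambda p: len(p.as_path)),
    ("Origin", lambda p: ORIGIN_RANK[p.origin]),
    # Simplification: MED is compared unconditionally, like `bgp always-compare-med`.
    # By default a router only compares MED between paths from the same neighboring AS.
    ("MED", lambda p: p.med),
    ("eBGP over iBGP", lambda p: 0 if p.ebgp else 1),
    ("Nearest IGP neighbor", lambda p: p.igp_metric),
    ("Lowest router ID", lambda p: tuple(int(o) for o in p.router_id.split("."))),
]


def compare(a: Path, b: Path) -> Tuple[Optional[Path], str]:
    """Walk the steps in order; return (winner, name of the deciding step).
    (None, 'tie') means every step, router ID included, was equal."""
    for step_name, key in STEPS:
        ka, kb = key(a), key(b)
        if ka != kb:
            return (a if ka < kb else b), step_name
    return None, "tie"


def best_path(paths: List[Path]) -> Path:
    """Reduce a list of candidate paths to the single best one."""
    best = paths[0]
    for candidate in paths[1:]:
        winner, _ = compare(best, candidate)
        if winner is not None:
            best = winner
    return best


if __name__ == "__main__":
    # Constructed sample: three paths to the same prefix.
    candidates = [
        Path("via 65001", as_path=[65001], med=50),
        Path("via 65002", as_path=[65002], med=10),
        Path("via iBGP peer", as_path=[65002], med=10, ebgp=False),
    ]
    chosen = best_path(candidates)
    for other in candidates:
        if other is not chosen:
            _, why = compare(chosen, other)
            print(f"{chosen.name} beats {other.name} on: {why}")
```

Because every step returns a key where "lower wins", adding or reordering steps (for example to model a platform that skips Weight) is a one-line change to `STEPS`, and the deciding-step name is what you would compare against `show ip bgp` output when checking why a router picked a path.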
iptables: Allow local connections Posted: 25 Jan 2021 03:33 AM PST Hello, I am using iptables to block all traffic except from my local network. I also added a rule to allow loopback traffic, but all traffic to localhost is still blocked. Am I missing something?
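iptables evaluates a chain top to bottom and the first terminating match (ACCEPT, DROP, REJECT) wins, so an `-i lo -j ACCEPT` that is appended after an unconditional `-j DROP` can never fire. The following is an added example, not code from the post: it parses `iptables -S` style output, flags rules that are shadowed by an earlier catch-all, answers whether a packet arriving on `lo` would be accepted by INPUT, and shows the corrected ordering. The ruleset in `SAMPLE_DUMP` is constructed for the example and is not the poster's configuration; negated matches such as `! -i lo` are not handled.

```python
import shlex
from typing import Dict, List, Tuple

TERMINATING = {"ACCEPT", "DROP", "REJECT"}
Rule = List[str]

# Constructed `iptables -S` output: the lo ACCEPT sits below an unconditional DROP.
SAMPLE_DUMP = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -j DROP
-A INPUT -i lo -j ACCEPT
"""


def parse_rules(dump: str) -> Tuple[Dict[str, List[Rule]], Dict[str, str]]:
    """Split `iptables -S` output into per-chain rule lists (order preserved)
    and the default policy of each built-in chain."""
    chains: Dict[str, List[Rule]] = {}
    policies: Dict[str, str] = {}
    for line in dump.splitlines():
        tokens = shlex.split(line)
        if len(tokens) >= 3 and tokens[0] == "-P":
            policies[tokens[1]] = tokens[2]
            chains.setdefault(tokens[1], [])
        elif len(tokens) >= 4 and tokens[0] == "-A":
            chains.setdefault(tokens[1], []).append(tokens)
    return chains, policies


def is_catch_all(rule: Rule) -> bool:
    """`-A CHAIN -j TARGET` with no match criteria and a terminating target matches
    every packet, so nothing after it in the chain is ever evaluated."""
    return len(rule) == 4 and rule[2] == "-j" and rule[3] in TERMINATING


def shadowed_rules(chains: Dict[str, List[Rule]]) -> List[Tuple[str, str, str]]:
    """Return (chain, shadowed rule, shadowing rule) for every rule that sits
    below a catch-all in its chain and therefore can never match."""
    found = []
    for chain, rules in chains.items():
        blocker = None
        for rule in rules:
            if blocker is not None:
                found.append((chain, " ".join(rule), " ".join(blocker)))
            elif is_catch_all(rule):
                blocker = rule
    return found


def loopback_accepted(chains: Dict[str, List[Rule]], policies: Dict[str, str]) -> bool:
    """Walk INPUT the way the kernel does for a packet arriving on lo: an explicit
    `-i lo -j ACCEPT` reached first accepts it; otherwise the first catch-all, or
    failing that the chain policy, decides."""
    for rule in chains.get("INPUT", []):
        if is_catch_all(rule):
            return rule[3] == "ACCEPT"
        if "-i" in rule and rule[rule.index("-i") + 1] == "lo" and rule[-2:] == ["-j", "ACCEPT"]:
            return True
    return policies.get("INPUT") == "ACCEPT"


def move_catch_all_last(rules: List[Rule]) -> List[Rule]:
    """Corrected ordering: keep every specific rule in place and push unconditional
    terminating rules to the bottom, where a final DROP belongs."""
    return [r for r in rules if not is_catch_all(r)] + [r for r in rules if is_catch_all(r)]


if __name__ == "__main__":
    chains, policies = parse_rules(SAMPLE_DUMP)
    print("loopback accepted as written:", loopback_accepted(chains, policies))
    for chain, dead, blocker in shadowed_rules(chains):
        print(f"{chain}: '{dead}' is shadowed by '{blocker}'")
    fixed = dict(chains, INPUT=move_catch_all_last(chains["INPUT"]))
    print("loopback accepted after reordering:", loopback_accepted(fixed, policies))
    for rule in fixed["INPUT"]:
        print("iptables", " ".join(rule))
```

Run it against real output with `iptables -S | python3 check.py` after swapping `SAMPLE_DUMP` for `sys.stdin.read()`. If the OUTPUT chain policy is also DROP, the same first-match logic applies there and a matching `-o lo -j ACCEPT` is needed, which this check does not cover.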
Anyone figured out how to play with broadcom APIs on open network gear? Posted: 25 Jan 2021 01:00 PM PST I've got a couple of Dell 4112F-ONs. They've got the Maverick Broadcom chip. My understanding is that with Broadcom's APIs you can turn features on the chip off and on and do wonky things with it. I kinda wanted to experiment. Has anyone done that before? If so, how did you get started? I see the API mentioned in this brochure, but I'm not sure how to actually find it and access it. I've cruised around their site and it seems like you may have to be a vendor to get access to it? It's not clear though.
Best practises setting up routers/firewalls - advice Posted: 25 Jan 2021 03:48 AM PST I am looking for advice around some best practises for setting up small networks using DrayTek 2862n units specifically, and wanted to see if anyone has any guides or advice they can add on the best practises. Here's what I am thinking I should be doing straight away, in no particular order:
Anything else?
Junos still uses flash Posted: 25 Jan 2021 03:39 PM PST Junos J-Web is terrible! I was just trying to troubleshoot and look at the interface statistics via J-Web, but it won't play because it requires Adobe Flash, which is EoL and as of 1/12/2021 won't play in the browser according to the Adobe website. Has there been any talk of Junos fixing this so it doesn't use Flash?
MPLS Path Protection vs Fast Reroute Posted: 24 Jan 2021 07:07 PM PST I've been reading about MPLS protection features specifically for RSVP-TE. There are two features that sound very beneficial: path protection (where the ingress PE signals a primary and backup LSP) and fast reroute (where transit routers pre-signal bypass LSPs for facility protection). Path protection can be implemented with BFD for sub-second recovery, so seems a really viable option. Fast reroute is great but can lead to suboptimal pathing for the duration of the repair. Is it common to implement both of these, or just one or the other usually? What are the pros and cons to these two methods?
Juniper DDOS Protocol Violation - VXLAN & L3NHOP? Any ideas what this is... Posted: 25 Jan 2021 10:50 AM PST Hey All.... I activated iBGP between my core routers (sharing full route table) and suddenly our EVPN/VXLAN fabric went down. I have one switch connected to each core router and then the switches are interconnected. Any ideas what VXLAN DDOS protocol violation and L3NHOP are and why I'm getting violations when iBGP is turned up? There's a detailed description here: https://kb.juniper.net/InfoCenter/index?page=content&id=KB35684&cat=QFX_SERIES&actp=LIST
VXLAN =
L3NHOP =
Edit: Quick crappy diagram: https://i.imgur.com/pTHQpAI.png I've raised it with Juniper, just asking if by chance someone here knows what I'm talking about
Are there interactive Mikrotik scripts that login into multiple routers at once? Posted: 25 Jan 2021 10:15 AM PST Hello. I am asking this as someone who knows no programming at all. Like 0 knowledge in programming. I need a script that can simultaneously log into dozens or more MikroTik routers and interactively let me type commands into them all at once. I am willing to write in the IP addresses, usernames and passwords where needed.
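One way to get the fan-out the question asks for, as an added example that is not a MikroTik tool and not code from the thread: drive the system OpenSSH client from Python, run the same RouterOS command on every router concurrently, and read commands interactively from stdin. It deliberately uses key-based authentication with `BatchMode=yes` and `StrictHostKeyChecking=yes` instead of passwords in a file, so a wrong or changed host key makes a router fail rather than silently handing credentials to whatever answers on that IP; `known_hosts` must be pre-populated for that to work. The inventory format (`user@host` per line), the key path and the addresses below are assumptions for the example.

```python
import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, List, Tuple

SSH_OPTIONS = [
    "-o", "BatchMode=yes",              # never prompt; fail instead of hanging on a password prompt
    "-o", "StrictHostKeyChecking=yes",  # refuse unknown or changed host keys
    "-o", "ConnectTimeout=5",
]


def parse_inventory(text: str) -> List[Tuple[str, str]]:
    """Parse 'user@host' lines; '#' starts a comment. Passwords have no place in
    this file: authentication is by SSH key."""
    targets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        user, _, host = line.rpartition("@")
        if not user or not host:
            raise ValueError(f"expected user@host, got {line!r}")
        targets.append((user, host))
    return targets


def build_ssh_argv(user: str, host: str, command: str, key_path: str) -> List[str]:
    """argv for one non-interactive ssh run. No local shell is involved, so the
    RouterOS command travels as a single argument exactly as typed."""
    return ["ssh", *SSH_OPTIONS, "-i", key_path, "-l", user, host, command]


def run_on_all(targets: List[Tuple[str, str]], command: str, key_path: str,
               runner=subprocess.run, workers: int = 10) -> Dict[str, str]:
    """Run `command` on every target concurrently; returns host -> output or error.
    `runner` is injectable so the fan-out logic can be tested without real routers."""
    def one(target: Tuple[str, str]) -> Tuple[str, str]:
        user, host = target
        argv = build_ssh_argv(user, host, command, key_path)
        try:
            proc = runner(argv, capture_output=True, text=True, timeout=30)
        except subprocess.TimeoutExpired:
            return host, "ERROR: timeout"
        if proc.returncode != 0:
            return host, f"ERROR (exit {proc.returncode}): {proc.stderr.strip()}"
        return host, proc.stdout

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(one, targets))


if __name__ == "__main__":
    # usage: python3 fanout.py inventory.txt ~/.ssh/id_ed25519  (paths are assumptions)
    with open(sys.argv[1]) as fh:
        inventory = parse_inventory(fh.read())
    key = sys.argv[2]
    for line in sys.stdin:  # type one RouterOS command per line; it runs on every router
        cmd = line.strip()
        if cmd:
            for host, output in sorted(run_on_all(inventory, cmd, key).items()):
                print(f"=== {host} ===\n{output}")
```

Each command is a fresh SSH session, which is slower than one persistent session per router but keeps the tool free of any SSH library and means a router that is unreachable or has a changed key shows up as an explicit error line for that host rather than stalling the whole batch.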
CDN Infrastructure design? Posted: 24 Jan 2021 06:44 PM PST Hi, I recently got an assignment to build a network with CDN capabilities for a growing company. I've worked with DCs and service providers (MPLS) before but this is the first time I'm dealing with a CDN infra from scratch. I did a couple of searches on the topic but never got any example of a CDN infra or how you build one. But the way I understand it is, you simply make copies of your data and put it on different locations, then register with a DNS provider to direct the clients to the closest edge device. So basically, you simply build multiple small-scale DCs in different locations, connect them together and continually replicate/store your data between these PoPs? If anyone can provide some insights or clarifications (from the perspective of a network engineer) it will be greatly appreciated. If you've got a good resource/links, please do share them. Thanks in advance!
Use cases for separate hives within Aerohive? Posted: 25 Jan 2021 08:35 AM PST I'm still trying to learn how to manage an Aerohive environment that I am inheriting. I've been going over whatever documentation that I could find. But I haven't yet found anything in depth about hives apart from the general definition:
What scenario(s) would one consider creating multiple hives versus a single one? Is it good to have one hive per physical location? APs at a branch office would not need to worry about clients roaming to APs at another office 100s of miles away - so all of the peer-information sharing wouldn't be necessary over the WAN, right? I also don't know what configuration objects can be shared between hives - or if they need to be separately defined. How much additional management is required if managing multiple hives? Is it extra work to have the same Network Policy and SSID available on all hives for something like an Employee network? Thanks in advance
Anyone feeling Charitable? Somewhat new to networking...Trying to help implement an internal routing protocol between datacenters Posted: 25 Jan 2021 08:32 AM PST Hello All, I realize this is a broad question with probably not enough info for it to be answered comprehensively, but as someone who is newish to networking and is trying to get ahold of a mess I could really use your advice in implementing a routing protocol.

Currently we have 3 datacenters - DC1, DC2, and DC3. All three datacenters are connected via interconnect circuits provided by our colo. Things have turned into a mess as this has grown so rapidly we have never had time to go back and do things right, so currently almost everything is being routed using static routes. Also, except for our newish VXLAN setup between DC2 and DC3... most of our setup is using the firewalls as routers and most subnets live on the core firewalls. I've thought about implementing OSPF but due to the 100 network limitation on our devices I don't believe that will work for us and we'd be better off going with something like BGP.

To give you an idea of what's in each datacenter... here goes:

DC1: All critical subnets live on core firewalls and VLANs are tagged on core switches and passed up to the core FW for their L3 interface. We have edge firewalls that are responsible for routing traffic to the other two datacenters.

DC2: Again - most subnets live on core firewalls, VLANs are tagged on the core switch and passed up to the core for their L3 interface. DC2 does have some L3 routing on the core switches for a VXLAN overlay in order to extend L2 domains across DC2-DC3 (if more details are needed on the underlay I can provide).

DC3: Same as DC2.

Description of DC by device:

Core Firewall: WAN link terminates here, 99% of our subnets' L3 interfaces are built here and all routing except for the small amount of VXLAN traffic is done here.

Edge Firewall (could almost consider this the spine?): Responsible for receiving traffic from the core firewall and routing it to another datacenter.

Core Switch: Mostly just an L2 switch for core VLANs which are trunked up to the core firewall. We are doing some eBGP peering between this and the core FW in DC2 and 3 for VXLAN.

Edge Switch: Strictly an L2 switch. Links from other DCs terminate into this switch and trunk up to the edge firewalls for the L3 interface.

So to put it shortly: most subnets in each DC live on that respective DC's core firewall, except for transit subnets that pass traffic between datacenters, in which case that is handled by our edge firewalls/routers (L2 link between DCs terminating into edge switches with the L3 interface living on the edge firewalls). The only exception to this is DC2 and DC3, where we have a few extended L2 subnets (VXLAN) whose layer 3 interfaces live on the core switches in each respective DC. These core switches perform eBGP peering with the core firewalls for VPN connectivity, connectivity to other subnets whose L3 interface lives on the core firewall, etc. Each extended subnet is within its own VRF and has p2p connectivity with the core firewall local to its datacenter in order for us to be able to control ACLs from a firewall level. I'm aware that this setup is far from optimal but it was done this way because no one on our team was especially strong with Cisco ACLs and we grew from a very small shop to a larger environment pretty quickly.

TL;DR: In order for us to stop this static routing nightmare I would like to implement something like iBGP peering between the edge firewalls in all 3 datacenters, then eBGP peering from each datacenter's core firewall to its respective edge firewall. Does this sound reasonable? If not, I would appreciate any ideas on how you guys would move forward with implementing an internal routing protocol.

Also, if anyone knows of a good guide on how to handle Cisco ACLs I would be very grateful, as I'm trying to get away from all this firewall management but as someone who is not primarily a network guy I find ACLs a tad bit confusing. I would like to start moving us to a more spine/leaf setup, i.e. routers up top, leaves (currently core switches) terminate into the routers, firewalls terminate into the leaves. However, I need to learn much more about networking and specifically how to handle ACLs prior to being able to do this sufficiently. I realize I'm asking a lot here and will probably get flamed to hell, but I figured I'd throw this out and see if someone felt charitable. Thanks,
802.1x labs on EVE-NG Posted: 24 Jan 2021 05:14 PM PST Good evening admins, I'm currently studying for the CCNP SCOR and I'm having a hard time with EVE-NG and 802.1x labs. Right now I'm trying to configure MAB and every time I push the interface-specific commands the switch just crashes and shuts down. I've used 3 different IOL images, all with the same results. Has anyone here tested an 802.1x lab successfully on EVE? Which L2 image did you use? Thanks!
Email updates from Enterprise Networking Design, Support, and Discussion.