"Catastrophic" breach of Ubiquiti Networks back-end systems Networking |
- "Catastrophic" breach of Ubiquiti Networks back-end systems
- Dell OS10 - BGP Idle Issue?
- I've pretty much had it with Cisco's FTD firewalls
- Cisco BDI/L2VPN problems with IPv6
- Switch recommendations that allow tiered GUI access
- Comcast limiting WANs to /29 or smaller
- DR/BDR Election
- Juniper config / compatibility with IBM/BladeOS VLANS
- Is this snake oil? ExitLag networking
- PocketEthernet, is it accurate?
- Can we extend Cisco ACI VxLAN to Nutanix AHV ?
- Selecting router for small business -- PA-220, Fortinet, Cisco ?
- Any Aruba shops also using CER?
- Firepower FMC 4600 Upgrade
- Proper fiber optic entrance in sealed server room
- Dell X1052p - Gateways
- HSRP - LAN _ asymmetric routing
- Changing DNS away from WinServer, running Bind9 on Ubuntu, Search Domain not working. DHCP Option 119?
- Dell FN410 user question
- Aruba CX EVPN Scale Limits?
"Catastrophic" breach of Ubiquiti Networks back-end systems Posted: 30 Mar 2021 12:06 PM PDT |
Dell OS10 - BGP Idle Issue? Posted: 30 Mar 2021 08:15 AM PDT
Hello, I'm running Dell OS10 firmware 10.5.2.3 on some Dell S5248F-ON switches and am currently experiencing a weird issue with BGP sessions staying in an IDLE state, and I was wondering if anyone else has experienced this same behaviour before? When the neighbouring BGP peer's interface flaps, or we perform a manual shutdown/no shutdown on the interface, or the server is rebooted, the BGP session obviously goes down; however, it will constantly stay in an "IDLE" state on my switch and will never attempt to establish a connection. A packet capture shows the peer initiate/establish the TCP handshake and send its initial OPEN message, but we respond with an RST packet, which is expected if our BGP state is stuck in IDLE. It's definitely not a Layer 1-3 issue since ARP/ping is working perfectly fine without any problems and we have routes to the BGP peer. Control plane ACLs are fine as well, with the traffic permitted. Performing a shutdown/no shutdown or a "clear ip bgp x.x.x.x" on the neighbour on the OS10 switch still does not resolve the problem and the neighbour remains in an IDLE state. It's only when I delete and re-configure the BGP neighbour again that the problem is resolved and we can bring the BGP peer online. Although, if the BGP peer were to go down again it would remain in IDLE. I am going to raise a case with Dell, but any help would be appreciated if you've run into this problem before :) [link] [comments]
I've pretty much had it with Cisco's FTD firewalls Posted: 30 Mar 2021 01:53 PM PDT
So my company recently purchased a pair of FTDs to replace our EOL ASAs in our data center. A while back I made a post regarding my frustrations in configuring them. A lot of you recommended FMC to manage them. Unfortunately, we didn't have it at the time and I spent weeks manually configuring them since EvERyThiNG needed to be an object to be a part of an ACL or NAT. Whatever, I built the config and recently deployed them and all has been fine. WooHoo! Well, I was able to convince my boss to purchase FMC for us since it's a much better management platform, especially since we'll be buying more FTDs. I stood up an FMC VM and now I'm given to understand that adding a device to it will COMPLETELY DELETE THE CONFIG!!!! WTF?! Even worse is the fact that there is no way to migrate the old config back into the device through FMC. This seems absolutely asinine to me!! How can Cisco not have a streamlined way to do this?! Has anybody gone through this, and do you have any advice on what to do? [link] [comments]
Cisco BDI/L2VPN problems with IPv6 Posted: 30 Mar 2021 07:45 AM PDT
Hello Redditors, I have this situation and am seeking wisdom from you all. I've got an ASR1004 that serves as an edge for IPv6, then I have routers from other brands as endpoints; they are connected via an MPLS backbone. Those other routers don't support 6PE, 6VPE or anything like this, but they do support L2VPNs. This is the configuration in the ASR: Here's the situation:
So I am guessing there's something I am missing here, perhaps any kind of multicast/flooding support I have not enabled? Thank you all for the help in advance [link] [comments]
Switch recommendations that allow tiered GUI access Posted: 30 Mar 2021 06:29 AM PDT
What options are out there for access switches for about 350 users spread over 9 locations? I have Cisco 3850s right now but am looking to upgrade to something a little more "GUI friendly" for a fellow co-worker who doesn't know Cisco commands. I have never been a proponent of paying monthly for access to my equipment like Meraki, but after working with Ubiquiti access points over the past 2 years, I totally understand "you get what you pay for". Don't need too much for access switches, just PoE, GbE, port security, etc. Would mainly upgrade for ease of access for simple tasks for my co-worker and perhaps true remote access to my switches. Also, if it matters, I may dump Ubiquiti in the next year too. [link] [comments]
Comcast limiting WANs to /29 or smaller Posted: 30 Mar 2021 09:59 AM PDT
So I'm working on a client build and need additional static IPs. The client currently has a /29 WAN subnet and a /26 LAN subnet (Comcast's words, not mine). From the discussion with them, the WAN subnet is the network between their equipment and ours. The LAN subnet is a block of public IPs that is routed to the first client-usable IP in the WAN subnet. We asked them to swap the /29 and /26 as we needed more than 5 actual devices on the outside of the firewall. Their response was that they will only do a /29 or /30 for the WAN. Anyone else ever run into this? I know I've configured clients with /28 and larger WAN subnets, but I can't recall off the top of my head if it was with Comcast. Their reasoning, BTW, was to save IPv4 addresses, which makes no sense since we use the same number of IPs either way. [link] [comments]
DR/BDR Election Posted: 30 Mar 2021 12:42 AM PDT
Here is a direct quote from the ENCOR OCG:
This is flat out wrong; the router complies with the existing DR on the segment in order to keep its stability. I know the answer, but I tested it in order to keep my sanity and yeah, the quote is still wrong. Am I missing something, or am I misunderstanding the point in the book? [link] [comments]
Juniper config / compatibility with IBM/BladeOS VLANs Posted: 30 Mar 2021 05:15 AM PDT
I have a large number of switches interacting with MSTI across ~12 VLANs and each port also has a PVID, and this works for me across IBM/BladeOS, HP ProCurve, and Ubiquiti EdgeOS switches. I'm trying to add some Juniper switches, and currently I'm trying a used EX4200. I've got "everything" configured up to the point where I trunk in the uplink and pass along a trunk to a downstream switch. My understanding from the Juniper docs is that I should be able to And then all defined VLANs from the upstream switch should pass tagged to the 10Gbit module, 10Gbit port 2. What is unclear is whether the PVID on the BladeOS side would pass, or whether this would be tagged only. I have also tried adding to match PVID 1 being untagged on the upstream BladeOS switch. I then, using a ge interface, should be able to do the same for a downstream EdgeOS switch. However, in practice, it doesn't seem to work. Can anyone point out what I'm missing in the Junos config? Or what their equivalent of VLAN 1 in the other switch models would be (i.e. the default VLAN, untagged, etc.; what VLAN a client would get if plugged in even if other VLANs are tagged)? [link] [comments]
Is this snake oil? ExitLag networking Posted: 30 Mar 2021 04:00 PM PDT
Hey all! I took a networking class in college and graduated with a degree in CS. Despite my understanding of networking, I'm having trouble imagining how a system like ExitLag could even work. https://www.exitlag.com/ I understand that, sure, they could give better FPS by giving the game you're playing higher priority, but I don't see how traffic could get any faster between you and the game server. Does this app somehow route your packets through a priority network? How do they manage such a system? Any explanation would be greatly appreciated. I live right near a city so I don't need such an app, but I feel hesitant to recommend a system to friends which seems almost impossible to execute and feels fake. Thanks all! [link] [comments]
PocketEthernet, is it accurate? Posted: 30 Mar 2021 03:58 PM PDT
So I'm an Industrial Controls Engineer, and I borrowed one of these to test to see if it will work for me. I decided to try it because I've never been able to justify one of the Fluke meters even though I've wanted one for years. The real deal breaker with the Fluke stuff is it's just too big. I often fly and my kit needs to be light and small. This seemed to fit and the price is good. The problem is.... I'm not sure it's working right. I had a cable with the brown and white/brown wires reversed on one end and it passed the wiremap test. I did discover it on the link test once it was plugged into a gigabit device, though. Still, shouldn't the wiremap do what a $30 cable tester should do? I also had another cable give me strange issues. It's a longer cable; the TDR test says 130 meters and I believe it. The wiremap passed, OK good; the link test passed, but gave me inconsistent readings on delay skew, OK maybe there's an issue with that cable. I tried the BER (Bit Error Rate) and 10 Mbit would work and didn't give any errors, but 100 Mbit and 1000 Mbit gave me an error that the loopback plug wasn't found. (It was found for the 10 Mbit, and a subsequent wiremap gave a nice little chart of what a loopback plug should do, so I KNOW it was there lol.) So the million dollar question now is... is the cable or the tester bad? I checked the manual for the PocketEthernet and it did not list a max length for the test. Though using a loopback plug would effectively make it 240m, maybe that pushed it over the limit. I also tried the TDR graph to see at what distance I might have a pinch or whatever and found that I needed to calibrate. Well, I need at least a 5m cable to calibrate, which of course I don't have, and my 120m cable gives an error. I'll post more when I try the calibration again with a short but not too short cable.
Edit* After typing that I looked up the actual maximum length of Ethernet and it's only 100m, so maybe that's my problem. I'm going to actually measure it with my laser. Well, I did measure, and with all the turns it adds up to 335ft, which comes out to 102m, so I'm still thinking it should have worked. So my main problem is I don't have a better tester to compare the results to. Has anyone else really given this tester a go? I found a couple of reviews online but they are all basically company press releases, and the sites that published them should be ashamed. Yes, I mean you, smallnetbuilder.com [link] [comments]
Can we extend Cisco ACI VXLAN to Nutanix AHV? Posted: 30 Mar 2021 03:50 AM PDT
Hello guys, is it possible to extend ACI VXLAN to Nutanix AHV OVS (using the OpFlex agent, maybe)? In other words, can we integrate it into ACI? [link] [comments]
Selecting router for small business -- PA-220, Fortinet, Cisco? Posted: 30 Mar 2021 09:47 AM PDT
TL;DR: Small business looking to update router and switches. Need some recommendations (PA-220, Fortinet, whatever else) that don't require an expert to configure. ---- My work has somewhat basic networking needs with maybe 6 PCs running (no domain or anything fancy like that). There are a couple of access points for wireless devices, mostly for guests. And there is an analog CCTV setup using DVRs that are also on the network. They've been running a Zyxel router for at least 10 years (maybe a USG-50 IIRC). There is no one in a dedicated position to oversee any of this, so it frequently falls to me. The last few times they've tried to do anything (add a new computer, switch out a malfunctioning AP), the Zyxel has been causing real headaches. I'm trying to push for a new router. I would also like to get a couple of 3750 switches as they would like to phase out the analog CCTV cameras in favor of PoE IP cameras. I've been reading tons of posts on what to do going forward, but I am not positive of the best choice in equipment. I can usually get by with most things, even some command line stuff, but I am not interested in learning a whole programming language to have to configure a piece of equipment (e.g., Cisco). A few hours of config would probably be the most of what I would be looking for. It seems that the PA-220 and Fortinet 30 are some viable options, but I am trying to avoid complicated licensing issues. Typically, I would opt for used equipment to save cash. [link] [comments]
Any Aruba shops also using CER? Posted: 29 Mar 2021 09:18 PM PDT
This question goes out to a specific group. I need info on how you implemented E911 using Cisco Emergency Responder while using Aruba switching. I'm in this dilemma right now that we're going to refresh our switching. Right now it's down to Cisco and Aruba. I really don't want to go the Cisco route, but the main selling point is Cisco's obvious compatibility. I'm not the VoIP guy and much of what I know is from YouTube videos and other searches, so mostly abstract. I want to know if it'll work and, if so, what will be the difference? [link] [comments]
Firepower FMC 4600 Upgrade Posted: 30 Mar 2021 02:59 PM PDT
Does anyone understand the requirements for BIOS/Firmware updates as they relate to deploying a version of the FMC which doesn't list a hotfix in the downloads section for it? In our case, upgrading to 6.6.1. Release notes only refer to 6.6.0 AND 6.6.x, but not specifically 6.6.1. In the FMC downloads, there is a hotfix listed under version 6.6.0 for BIOS/Firmware but not under version 6.6.1. Pushing aside the "you should be upgrading your BIOS and Firmware regularly" statements, do we need to update the BIOS/Firmware in order to deploy 6.6.1 if we haven't done so and are skipping over 6.6.0? Then there is this nugget in one of the circularly-linked documents that states "If the FMC is already up to date, the hotfix has no effect." Does that mean it doesn't patch after the fact, or that the patch is included in up-to-date versions of FMC code? I don't really think the latter is true since BIOS/Firmware versions stay the same after an upgrade of the FMC, but since it is unclear ... Anyway, I did ask Cisco TAC and the technical account team assigned to us, but no one seems to be confident on what the correct answer is. I figure Reddit folk probably know more anyway. [link] [comments]
Proper fiber optic entrance in sealed server room Posted: 30 Mar 2021 01:21 PM PDT
I'm trying to find the proper way fiber optic conduits should enter a sealed server room. The server room will be completely sealed for FM-200 fire suppression. Most of the time the cabling company we do business with uses 4-inch Carlon conduits. Another company is taking care of sealing the room, installing cable tray and firestop sleeves. Is there any firestop sleeve compatible with 4-inch Carlon? What's the proper way to do this? [link] [comments]
Dell X1052p - Gateways Posted: 30 Mar 2021 11:34 AM PDT
I googled etc. and already found threads where other users have the same issues, just no clear solution. A customer has a Dell X1052p switch. That switch should be reconfigured for another site. I upgraded the FW, did a reset, and logged in via the default IP 192.168.2.1. The goal is to have it in a tagged management LAN with ID 99. So I created the VLAN, configured 2 trunk ports transporting that ID (plus ID 1), and then tried to add a second IPv4 address on VLAN 99 (in addition to the default DHCP address on VLAN 1). After applying that I lose connection. Every time. Why? Maybe the gateways are missing? But where to add them? The switch shows these fields greyed out. A thread talked of "Level 2+ per default" and "no gateway needed". Do I have to add the gateway as a route entry in "Routing"? If yes, what's the right order so as not to lock myself out? Any help appreciated here, I should get that working tomorrow .. thanks! [link] [comments]
HSRP - LAN - asymmetric routing Posted: 30 Mar 2021 11:22 AM PDT
Here is a topology:
LAN|------ SW1-------------Firewall1----ISP1
LAN| -------SW2-------------Firewall2----ISP2
SW1 and SW2 are interconnected as well and run HSRP (VIP: 192.168.1.10). Now, I have VLAN 11 stretched between SW1, SW2, and the firewalls. SW1 is 192.168.1.1, SW2 is 192.168.1.2, Firewall1 is 192.168.1.3, Firewall2 is 192.168.1.4. SW1 is active in the HSRP group and acts as the default gateway for end devices in VLAN 11. I will end up having asymmetric routing. Is it a problem? A PC in VLAN 11 sends a message to the Internet. It goes to 192.168.1.10, SW1 sends it up to Firewall1 192.168.1.3, and the firewall sends it out to the Internet. The message comes back and Firewall1 192.168.1.3 is going to send it down to the PC directly, bypassing SW1. I noticed on my MacBook that when I ping something, it keeps showing 'redirect network: addr: 192.168.1.3', suggesting it can actually 'bypass' the default gateway of HSRP. Everything else works. There is no NAT in place or firewalls on SW1 and SW2 so... is it good? [link] [comments]
Changing DNS away from WinServer, running Bind9 on Ubuntu, Search Domain not working. DHCP Option 119? Posted: 30 Mar 2021 11:19 AM PDT
Hey all. Thanks in advance for any troubleshooting tips you might have. I'm running a network with a UniFi gateway router that's doing DHCP. We are trying to get away from a Windows Domain environment, but we have a DC running the DNS. We have a lot of Linux in our environment, many different client distros based on whatever the users feel like using. I've set up an Ubuntu Server running Bind9 for DNS and I'm having quite a few issues with it, primarily Search Domain related, but there are other problems I'll have to tackle later. Let's say I'm on an Ubuntu desktop (20.10) and my DHCP from the UniFi gateway (10.1.1.1) is pointing to the Windows DC at 10.1.1.5. If I do a ping to another server, let's call it Goku, it knows to translate "goku" to "goku.corp.capsule.com". If I point the DHCP to my new DNS server running Bind9 on Ubuntu, it fails to translate that. It does resolve if I ping "goku.corp.capsule.com", but not the shortened name. Nothing is domain joined to the AD, so it shouldn't be getting info that way, but it functions more efficiently as a DNS by being able to translate the shortened name by putting on the "corp.capsule.com" suffix. I've tried multiple different things; some work but aren't efficient, other things just don't. In all of the zone files I have on my Bind9 I put "$ORIGIN corp.capsule.com." with the trailing period since I think Bind9 needs it. I COULD edit my /etc/resolv.conf and put in either "search corp.capsule.com" or "domain corp.capsule.com", but that's a terrible option because you don't want to try and get 100 individual users to edit their resolv file or append a DNS suffix to their network adapter settings. And YES, I have put the domain string in the Network section in the UniFi controller. There's a nice field there for it and everything, but it doesn't actually work for me (at least not on my Ubuntu machine). I've tried setting DHCP Option 119 but I'm having trouble with it.
The UniFi controller isn't accepting "corp.capsule.com"; I translated it to hex and it took it, but it's not actually working. I've googled a ton of guides on how to configure it. Some of them suggest preceding numbers to indicate the length of the characters like "4(corp hex)7(capsule hex)3(com hex)00", but it rejected this outright with Invalid Payload, and I also tried "4corp7capsule3com". It accepted this but doesn't actually work for the search domain. I clearly don't know what I'm doing on this one, just trying things to figure out how it works, but I'm coming up with nothing. How can I configure my network to assume my domain suffix for short name lookup? More specifically for Linux clients; the main option in the UniFi Networks section probably works for Windows just fine. [link] [comments]
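The Option 119 payload format the poster is wrestling with is defined in RFC 3397: each search domain is written as DNS-style labels (a one-byte length, then the label bytes) terminated by a zero byte, all as raw bytes rather than ASCII digits. The following is an added example, not code from the thread or from Ubiquiti: it encodes a domain search list into the hex payload bytes and decodes a payload back, validating compression pointers so that a malformed payload from an untrusted DHCP server cannot loop or read out of bounds. The domain "corp.capsule.com" is the poster's; the compressed sample payload at the bottom is constructed here. How the UniFi controller expects that hex string to be entered is not something this example can confirm.

```python
"""Encode and decode the DHCP Domain Search option (option 119, RFC 3397).

Added example, not from the original thread or from Ubiquiti. The domain
names are the poster's; the constructed payload below is built here.
"""


def encode_domain_search(domains):
    """Return the option 119 payload bytes for a list of search domains.

    Each domain becomes DNS-style labels: a one-byte length followed by
    the label bytes, terminated by a zero byte. RFC 3397 permits the
    RFC 1035 compression pointers but does not require them; this encoder
    writes every name in full, which every conforming decoder accepts.
    """
    out = bytearray()
    for domain in domains:
        for label in domain.strip(".").split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"label {label!r} must be 1-63 bytes")
            out.append(len(raw))
            out.extend(raw)
        out.append(0)  # root label ends the name
    if len(out) > 255:
        raise ValueError("option 119 payload exceeds 255 bytes")
    return bytes(out)


def decode_domain_search(payload):
    """Parse an option 119 payload back into a list of domain names.

    Handles compression pointers (two bytes with the top two bits set) so
    payloads written by other DHCP servers decode too. Every pointer must
    point strictly backwards and is recorded, so a malformed or malicious
    payload cannot cause an infinite loop or an out-of-bounds read.
    """
    names = []
    pos = 0
    while pos < len(payload):
        labels = []
        cursor = pos
        jumped = False
        seen_targets = set()
        while True:
            if cursor >= len(payload):
                raise ValueError("truncated name")
            length = payload[cursor]
            if length & 0xC0 == 0xC0:  # compression pointer
                if cursor + 1 >= len(payload):
                    raise ValueError("truncated pointer")
                target = ((length & 0x3F) << 8) | payload[cursor + 1]
                if target >= cursor or target in seen_targets:
                    raise ValueError("invalid pointer")
                seen_targets.add(target)
                if not jumped:
                    pos = cursor + 2  # the next name starts after the pointer
                    jumped = True
                cursor = target
                continue
            if length & 0xC0:
                raise ValueError("reserved label type")
            cursor += 1
            if length == 0:  # root label: name complete
                if not jumped:
                    pos = cursor
                break
            if cursor + length > len(payload):
                raise ValueError("truncated label")
            labels.append(payload[cursor:cursor + length].decode("ascii"))
            cursor += length
        names.append(".".join(labels))
    return names


def option119_hex(domains):
    """Hex string of the payload, the form a controller UI usually wants."""
    return encode_domain_search(domains).hex()


if __name__ == "__main__":
    print(option119_hex(["corp.capsule.com"]))
    # Constructed payload using a pointer back to "capsule.com" at offset 5.
    compressed = b"\x04corp\x07capsule\x03com\x00\xc0\x05"
    print(decode_domain_search(compressed))
```

The length bytes are what distinguish this from the "4corp7capsule3com" attempt: "corp" is preceded by the byte 0x04, not the character "4", and the name ends with a 0x00 byte.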
Dell FN410 user question Posted: 30 Mar 2021 10:50 AM PDT
I'm working with a Dell switch and double-checking the config matches what it should be per the specs; a more junior admin built it. So I found an extra user I'm not familiar with and don't know how to remove. bsd-username [User] secret [Hash] I did a ? after bsd in both enable and config-t and couldn't find any commands listed. I tried just putting no in front of it in config-t mode and it didn't recognize anything that starts with bsd-, much less bsd-username. I searched Google and found a "solved" question on the Dell forums that is this exact issue .. but the OP just says he figured it out without providing any explanation. Could it be something under the username command tree I'm missing? [link] [comments]
Aruba CX EVPN Scale Limits? Posted: 29 Mar 2021 11:29 PM PDT
Does anybody out there have hands-on experience with a large-scale Aruba CX EVPN deployment? I'm at the very end of the design phase of a campus refresh that uses EVPN to deliver L2 and L3 services across campus on top of a single underlay network. We're planning to start installing equipment in the next couple of weeks, and I'm suddenly getting conflicting information about the EVPN scaling limits of the CX 6300 and CX 8325 platforms. My configuration is working fine in the lab at a small scale, but the number of VTEP peers is being called into question, and my entire design hinges on being able to run VTEPs on every switch stack across campus. The Aruba Dynamic Segmentation "VNBT" 10.05 guide lists the VTEP peer limit at 256, which my campus just fits inside of. The "show capacities-status" output on the 6300 lists the limit at 512, which gives me tons of headroom to expand. But now my local support engineer is telling me the "real" limit is only 64 VTEP peers, which burns my entire design to the ground. Does anybody out there have a definitive answer? [link] [comments]