Rant Wednesday! Networking
- Rant Wednesday!
- Fortigate Exporter for Prometheus
- Has anyone heard of Paige (for alleged 2.5x ethernet distance cable)?
- DC Core and Edge Networking - is there any reason against going full MTU 9000?
- Ever done the "ping trick" for NAC?
- IPsec vs SSLVPN discussion - pros and cons differences.
- Google Meet disconnect only on one network
- Network Engineer vs Network Specialist?
- Native VLAN / Dummy VLAN
- What do you recommend for managing and maintaining your network design?
- What if I get locked out while changing IP address on N3024 switch?
- Why can't I create an @ host CNAME record?
- Confused on Setting up Route
- Nokia NSP? Thoughts?
- Mounting Hardware Screws
- Azure as SSH jump box
- End to End QoS and Azure IoT
- Question about Ekahau Sidekick
- Versa SD-WAN BW Subscription
- Slow network and ping loss
- What are the benefits of using Nexus switches over Catalyst in campus?
- Question on spanning tree behavior
- Crosscheck Firewall logs and Firewall configs
Rant Wednesday! Posted: 02 Mar 2021 04:00 PM PST It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related. There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves! Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.
Fortigate Exporter for Prometheus Posted: 02 Mar 2021 07:51 AM PST Hi folks, I am a fan of Fortigate firewalls, I use them myself quite a bit. I am also a long term fan of Prometheus (a commonly used metrics database), and Grafana. A few months back I created an exporter using the Fortigate API to enable people to monitor their Fortigate firewalls using Prometheus. You can find it here: https://github.com/bluecmd/fortigate_exporter. This allows you to monitor your Fortigate over HTTPS, and everything in the chain is free and open-source. To me personally, getting away from SNMP and MIBs is a huge win, which is one of the reasons I created this exporter in the first place. There are some community-provided dashboards available to get started: These days the number of contributors is growing and features and metrics are being added steadily. It is still early days for the exporter, a good time to advertise it a bit here so more people can give it a try. Maybe file issues, suggestions, or even try to add some missing metrics you'd like? :-). Happy to take any questions! [[This is a follow-up post from soliciting feedback from the Fortinet community, but I got recommended to post it to this community as well]]
Has anyone heard of Paige (for alleged 2.5x ethernet distance cable)? Posted: 02 Mar 2021 02:41 PM PST I have a one off AP, approx. 500ft away from the access switch, and I am very tempted to use a multimode fiber + media converters + power injector, but the cabling contractor keeps talking about saving the day with some Paige cable. Having worked with and in the cable management industry, I am usually reluctant in accepting solutions that may attempt to "defy physics", but - in the spirit of comprehensive overview - I thought about asking here for feedback, from anyone having gotten and used this Paige product.
DC Core and Edge Networking - is there any reason against going full MTU 9000? Posted: 02 Mar 2021 08:32 AM PST Hi all, I have been doubting myself with this question since learning about overlay networking (with the use of VXLAN). Apparently, in some Leaf-Spine topologies, all Leaf and Spine interface MTUs seem to be set to more than 9000 (in order to cater for both normal and jumbo frames + VXLAN/UDP/IP overhead). Endpoints on two ends of a connection, with default configuration, send normal frames (1500B or less, caught in Wireshark) and communications seem to happen normally. In some cases with dynamic routing (OSPF), the MTU has to be set to the same value on both sides (because the MTU-ignore implementation is unstable across vendors), but most modern DC networking devices nowadays also support jumbo frames. So, maybe there's an exception for legacy routing devices?
Ever done the "ping trick" for NAC? Posted: 02 Mar 2021 05:11 AM PST Scenario: You have a wired 802.1X configuration set up to authenticate devices, and dynamically assign the correct VLAN based on device profile. Non-authenticated ports are placed in a black hole VLAN. Scenario: Some "dumb device" that doesn't generate a lot of traffic eventually has the auth session time out. The port switches over to the black hole VLAN, and deauths. The device just sits there never sending traffic, and thus never reauthenticates. It will basically stay down forever, unless woken up somehow. The Ping Trick: Quickly create a local layer 3 interface on the switch in that black hole VLAN, with the subnet that the non-authed device is supposed to be in. Ping the device's IP from that VLAN interface. The device will receive the ping (assuming you have control-direction in) and will respond to the ping, triggering the authentication process to finally begin. Once the device is up and authenticated you can remove the layer 3 interface again from that black hole VLAN. This is... cumbersome. And won't scale well. Yet, as far as I know, it's really the only go-to solution for the situations I've described. Or is it? How are people handling "dumb devices" that must do MAB now? As long as the device is chatty and sending frames now and then it'll stay authenticated. If it goes silent it'll just de-authenticate, and then because it's placed on a black hole VLAN, it'll never receive any packets that would have otherwise woken it back up. Ideas? I posted about this about a year ago. Still haven't ever seen a solution. I haven't ever really even seen anyone else other than those who post here acknowledge that this is a problem. Usually when I bring it up with vendor reps I get funny looks and the implication that we've set something up wrong, and they've never heard of people having this issue. EDIT: I've lied. I've seen some other solutions proposed by some users.
They are all varying degrees of bandaids.
Depending on the vendor and device, some of these are not workable. There should be a way to fix this on the network side, but I'm sure that gets into a philosophical discussion on whether or not this should be fixed on the network side, because it's not a network problem. And yet... it is. Because it's our switch changing the VLAN and de-authenticating the device, and our end user suffers the consequences, because now their device is "down."
IPsec vs SSLVPN discussion - pros and cons differences. Posted: 02 Mar 2021 05:15 AM PST This is the way I understand these protocols; it may not be 100% accurate, and I'm looking to see what the /r/networking metamind has to say on these topics, and hopefully gain some more insight in the process. Feel free to comment/correct wherever you feel like. IPsec operates at layer 3 and as such seems a good candidate for LAN to LAN connectivity (though Client to LAN IPsec VPN is also reasonably common). It can handle multicast and broadcast traffic (though I never used this). Riding on top of IP (either as ESP or UDP when using NAT traversal mode) it provides a connectionless service, much like plain IP. When used in interface/VTI mode, it provides for a fair bit of flexibility in terms of dynamic routing. Though the way I see it, interface or policy mode isn't something that's intrinsic to IPsec itself, but rather to the specific implementation. At the end of the day IKE sets up the tunnel parameters and the encrypted ESP (or UDP) packets flow between the endpoints. The other endpoint neither knows nor cares if the other side used an interface style configuration or a policy style configuration to decide which packets to encrypt and send over. Initially I thought SSLVPN can't be this flexible, but now that I think about it, OpenVPN is essentially SSLVPN and it can do LAN to LAN just fine (including dynamic routing), though I've never come across a commercial SSLVPN that can do this. IPsec provides for tunnel and transport modes. The way I used these is usually I go for tunnel mode (and except for Cisco routers the other devices I played with don't even seem to have a transport mode, unless you dig very deep into the nerd knobs). I've only seen transport mode on Cisco and Mikrotik. The only use case I see for transport mode is, when using GRE over IPsec, it saves you a bit of overhead, since GRE already has the inner IP header.
Though afaik you can run GRE over IPsec with tunnel mode IPsec and it works just fine. Is anyone aware of any other use cases for transport mode? Also, transport mode, unless it has GRE on top of it, is pretty much useless (you could use it to manage the device itself, but SSH does the same thing just fine, so why reinvent the wheel). IPsec is a bit more of a standard than SSLVPN in that a firewall from vendor A will most of the time be able to build a tunnel to a firewall from vendor B (or a Windows/Linux station), whereas SSLVPN implementations are vendor specific and you either need an application from that vendor on the client (or sometimes a browser plugin). But then again, there's OpenVPN. SSLVPN uses the same TLS as HTTPS so it works at layer 4 (or above, if you want to consider TLS as a separate session layer). I would say this makes it easier to use from behind a firewall you don't control. Any hotel/airport guest WiFi will likely allow TCP 443 to pass through without much hassle, and the same can definitely not be said for IKE and ESP. I've never had this happen to me, but I think I read somewhere that it's possible for the TCP flow control/retransmission mechanism governing the SSL connection to interfere with the TCP flow control/retransmission running in the TCP sessions in the tunnel. I imagine that there should be no issues with UDP inside traffic, other than negating any advantages that the lightweightness of UDP may bring. However, a scenario in which two flow control/retransmission mechanisms working independently do more harm than good seems plausible. The SSLVPN implementations I used were solely for client to server traffic. All SSLVPN implementations (that I've seen) are essentially tunnel mode. I've not seen any LAN to LAN SSLVPN implementation from the major vendors (which isn't to say such a thing does not exist).
What I do remember seeing was an OpenVPN + BGP (using Quagga) setup, though at the time I really did not understand the details of how it worked. Looking back on it though, I think it was pretty close to DMVPN in terms of dynamic failover capabilities; though it couldn't go as far as dynamic spoke-to-spoke tunnels, an orchestration layer built on top of it with Puppet took it pretty close. And if I understand correctly OpenVPN is essentially an open SSLVPN implementation. Come to think of it, what do proprietary SSLVPN implementations offer that OpenVPN does not? I'm probably wrong, but the only thing I see coming with a proprietary SSLVPN implementation is the inability to operate with other vendors. SSH "VPN", though I only very rarely used this, seems much like SSLVPN. Any comments welcome here. Writing this post I had to reevaluate how things actually work. In the beginning I thought IPsec was for LAN to LAN whereas SSLVPN was for host to LAN, but midway through I realized that OpenVPN (which is SSLVPN) can do LAN to LAN and host to LAN (and I knew from the start that client IPsec VPN was an option). Functionality wise, at least when comparing OpenVPN with IKE/IPsec VPN, I find no meaningful differences (though when it comes to specific implementations there may be significant differences). It may be that IKE/IPsec offers a bit more interoperability (but I suppose this is due to firewall vendors choosing to invest more into it; probably the same could have been done with SSLVPN) and that SSLVPN will have an easier time traversing firewalls, but that's about it. Now I'm asking myself, why did we end up with two different protocols that basically do the same thing? Which came first, and why was another invented when there was already a first one?
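Header arithmetic for two of the posts above: the underlay MTU question (VXLAN) and the IPsec tunnel-versus-transport remark. This is an added example, not code from either poster. The facts it encodes: VXLAN over IPv4 adds 50 bytes (inner Ethernet 14 + VXLAN 8 + UDP 8 + outer IPv4 20), so a 1500-byte inner IP MTU needs a 1550-byte underlay IP MTU and a 9000-byte inner MTU needs 9050, which is why fabric links end up configured above 9000. ESP (RFC 4303) adds an 8-byte header, the cipher IV, padding to a 4-byte boundary, a 2-byte trailer and an ICV, plus a new 20-byte IPv4 header in tunnel mode only. Assumptions, labelled in the code: AES-GCM as the ESP cipher (8-byte IV, 16-byte ICV), IPv4 without options, TCP without options, and a TLS 1.3 tunnel that carries one packet per record with no product-specific framing.

```python
"""Encapsulation overhead calculator for VXLAN, ESP and TLS-over-TCP tunnels.
All sizes in bytes. IPv4 headers are assumed to carry no options (assumption)."""

ETH_HDR, DOT1Q, IPV4_HDR, IPV6_HDR, UDP_HDR, TCP_HDR = 14, 4, 20, 40, 8, 20
VXLAN_HDR = 8                       # flags + VNI (RFC 7348)
ESP_HDR = 8                         # SPI + sequence number (RFC 4303)
ESP_TRAILER = 2                     # pad length + next header
ESP_GCM_IV, ESP_GCM_ICV = 8, 16     # AES-GCM per RFC 4106 (assumed cipher)
TLS13_REC_HDR, TLS13_CT, TLS13_TAG = 5, 1, 16   # record header, inner content type, AEAD tag


def vxlan_overhead(outer_ipv6: bool = False, inner_tagged: bool = False) -> int:
    """Bytes added on top of the inner IP packet when a host frame is VXLAN-encapsulated,
    counted against the underlay IP MTU (an IP MTU excludes the outer Ethernet header)."""
    inner_l2 = ETH_HDR + (DOT1Q if inner_tagged else 0)
    outer_l3 = IPV6_HDR if outer_ipv6 else IPV4_HDR
    return inner_l2 + VXLAN_HDR + UDP_HDR + outer_l3


def required_underlay_mtu(inner_ip_mtu: int, **kw) -> int:
    """Smallest underlay IP MTU that carries an inner IP packet of inner_ip_mtu unfragmented."""
    return inner_ip_mtu + vxlan_overhead(**kw)


def max_inner_ip_mtu(underlay_ip_mtu: int, **kw) -> int:
    """Largest inner IP packet a fabric with the given underlay IP MTU can carry."""
    return underlay_ip_mtu - vxlan_overhead(**kw)


def _esp_padding(protected_len: int) -> int:
    # RFC 4303: Pad Length and Next Header must end on a 4-byte boundary.
    return (-(protected_len + ESP_TRAILER)) % 4


def esp_wire_len(ip_pkt_len: int, tunnel: bool = True, nat_t: bool = False,
                 iv: int = ESP_GCM_IV, icv: int = ESP_GCM_ICV) -> int:
    """On-the-wire size of an IPv4 packet of ip_pkt_len after ESP protection.
    Tunnel mode encrypts the whole packet behind a new IPv4 header; transport mode keeps
    the original header in the clear and protects only what follows it."""
    protected = ip_pkt_len if tunnel else ip_pkt_len - IPV4_HDR
    encap = UDP_HDR if nat_t else 0      # NAT-T wraps ESP in UDP (port 4500)
    return (IPV4_HDR + encap + ESP_HDR + iv + protected
            + _esp_padding(protected) + ESP_TRAILER + icv)


def tls_tcp_wire_len(ip_pkt_len: int) -> int:
    """One tunnelled IP packet carried as a single TLS 1.3 record over TCP/IPv4
    (assumption: TCP without options, no TLS padding, no product-specific framing)."""
    return IPV4_HDR + TCP_HDR + TLS13_REC_HDR + ip_pkt_len + TLS13_CT + TLS13_TAG


def compare(ip_pkt_len: int = 1500) -> dict:
    """Overhead of each encapsulation relative to the unprotected packet."""
    return {
        'vxlan': vxlan_overhead(),
        'esp_tunnel': esp_wire_len(ip_pkt_len) - ip_pkt_len,
        'esp_transport': esp_wire_len(ip_pkt_len, tunnel=False) - ip_pkt_len,
        'esp_tunnel_nat_t': esp_wire_len(ip_pkt_len, nat_t=True) - ip_pkt_len,
        'tls_over_tcp': tls_tcp_wire_len(ip_pkt_len) - ip_pkt_len,
    }


if __name__ == '__main__':
    print('underlay IP MTU for 1500-byte inner packets:', required_underlay_mtu(1500))
    print('underlay IP MTU for 9000-byte inner, IPv6 underlay, tagged inner:',
          required_underlay_mtu(9000, outer_ipv6=True, inner_tagged=True))
    for name, cost in compare().items():
        print(f'{name:18s} +{cost} bytes')
```

Running it shows the 20-byte saving of transport mode that the post mentions (exactly one IPv4 header, since the padding comes out the same for both modes) and that NAT-T costs a further 8 bytes. On the OSPF remark in the MTU post: the MTU carried in the DBD exchange must match on both ends, or the check be disabled, or the adjacency sits in ExStart. The fabric check here is the other direction: the underlay has to be large enough that no encapsulated frame needs fragmentation, because RFC 7348 says a VTEP must not fragment VXLAN packets and may silently discard fragments it receives.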
Google Meet disconnect only on one network Posted: 02 Mar 2021 11:44 AM PST I've been at this for about a day now and I am pretty much down to the nuclear option of rebuilding this one problem network. I help out a local K-8 school with their technology and infrastructure needs and ran into a very confusing issue that has me stumped. We have Aruba 303's running IAP, Aruba 2930F as the "core" switch, and a Fortigate 40F for the firewall. Currently have 3 wireless networks, all with their respective VLANs. DHCP is handled by a 2019 Windows Server DC. The issue I am running into exists on the student network with Chromebooks. They can browse the web, get blocked at naughty sites, etc., but when it comes to joining a Google Meet, it completely shits the bed. Initially they are able to join and see the other person, but as soon as 5-10 seconds pass, the quality immediately nose dives and then eventually results in the "lost connection" error. The strange thing is, if we take the same Chromebook and put it on a different wireless network, it works without an issue. I did some captures on a Chromebook via Fortigate and noticed an uncomfortable amount of connection resets (RST). The only thing different from the rest of the networks is that the problem network has web filtering enabled. I have checked logs for things getting blocked and found nothing. I even whitelisted *.google.com in the filter and still no luck. The Chromebooks do have a cert that gets installed during enrollment as well. Things I have tried:
Any help/thoughts would be greatly appreciated. I have captures available upon request.
Network Engineer vs Network Specialist? Posted: 01 Mar 2021 09:57 PM PST I've been working as a Network Specialist for a while and I recently started wondering what the difference is between a Network Specialist and an Engineer? I'm in charge of deploying and configuring routers, switches, IP phones and WAPs throughout our campus. I have to design topologies and IDF rooms as well as the whole wireless setup. I also overlook them to make sure they are running and maintain them, including Jabber, CUCM, and VPN, both in setting up and maintaining. I'm sure I'm forgetting something else. But I'm alone in our low-budget community college; I love what I do and have wanted to get into networking for a long time. I have no degree yet (currently working on it), also working on getting the CCNA and other certs. I've just been busy studying. What does a network engineer do differently? I'm exhausted and have been using this as an XP gainer, so when I move to a bigger city, I can have a better chance at getting a networking position. Also, I run cables, organize them, map them in documents. Is it just having a degree? Thanks for the help!
Native VLAN / Dummy VLAN Posted: 02 Mar 2021 04:07 AM PST Hey everyone, I have a question about native VLAN / default VLAN. In most cases VLAN 1 is the default VLAN and it should be changed to, i.e., VLAN 111 for security reasons. Now I'm wondering if it is the same as a security aspect:
and assign all unused ports to VLAN 999 instead of using a native VLAN? Or am I completely wrong with that? Thanks
What do you recommend for managing and maintaining your network design? Posted: 02 Mar 2021 10:46 AM PST In my current organization we have an IBM Notes DB with all of our devices, host names, subnets, VLANs, etc., along with passwords to log into the devices. It's a terrible way to manage and maintain our information. I am very curious as to what others use. I don't necessarily need a visual reference, but I am not opposed to one either. I was unsuccessful in my Google-fu to word what I am looking for, so I figured I would ask what you use?
What if I get locked out while changing IP address on N3024 switch? Posted: 02 Mar 2021 02:26 PM PST Tried posting this on r/dell, but no answers till now, so maybe someone with some experience can chime in. Title says it all, I'm trying to change an external IP to an internal, so that the OpenManage interface is only available through a VPN connection, taking it out of the public network. What are my alternatives if I change the IP address and the VPN connection doesn't work? If I change my IP, I'm not going to be able to connect through SSH. So, will I lose access permanently to the switch? I'm doing the same with the servers and iDRAC, but if I lose access through the IP, I can still connect through a Proxmox console, and from there install the RACADM tools and be able to change the IP through the command line. Here, I don't have this option. At least that I know of. So will my switch get lost in the datacenter, if I don't succeed? Would appreciate any insight.
Why can't I create an @ host CNAME record? Posted: 02 Mar 2021 01:57 PM PST I've worked in tech for a decade and today I found out for the first time that you can't create @ host CNAME records and it's BLOWING my mind. What's worse, is I can't seem to find any info as to WHY DNS won't allow it. The best explanation I've heard is: "A CNAME cannot be placed at the root domain level, because the root domain is the DNS Start of Authority (SOA) which must point to an IP address." Okay, but...but...but...WHY? It seems like if I want to point foo.com at bar.com the solution is...I just...Can't? I mean I can get bar.com's IP and set up an A record, but that's sub-optimal for obvious reasons and I'm really curious 1) why this is the way it is, and 2) how are other people getting around this? I feel like I'm not the only one that's ever wanted to point one domain at another without subdomains and without manually maintaining an A record. Thanks in advance for any insight!
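A zone check for the rule behind the question above, added here as an example; it is not the poster's code nor any registrar's tooling. The restriction comes from RFC 1034 section 3.6.2 (restated in RFC 2181 section 10.1): a name that owns a CNAME may not own any other records. The apex always owns at least SOA and NS, so an apex CNAME is never legal, and the same rule bites when someone adds TXT or MX beside a CNAME on a subdomain. The zone below is constructed; example.test and cdn-provider.test are names under the reserved .test TLD.

```python
"""Find owner names whose CNAME coexists with other record types (RFC 1034 3.6.2)."""
from collections import defaultdict

# Constructed sample zone; the records are made up for this example.
ZONE = """\
$ORIGIN example.test.
@      3600 IN SOA   ns1.example.test. hostmaster.example.test. 2021030201 7200 900 1209600 3600
@      3600 IN NS    ns1.example.test.
@      3600 IN CNAME www.example.test.          ; illegal: apex already owns SOA and NS
www    3600 IN CNAME edge.cdn-provider.test.
ftp    3600 IN CNAME www.example.test.
ftp    3600 IN TXT   "v=spf1 -all"              ; illegal: CNAME plus other data
mail   3600 IN A     192.0.2.25
ns1    3600 IN A     192.0.2.53
"""


def parse_zone(text: str):
    """Minimal parser for 'owner TTL class type rdata' lines with $ORIGIN and @.
    Returns (origin, {owner: set(types)}). Enough for this check; not a full RFC 1035
    parser (no parentheses, no ';' inside quoted strings, TTL and class mandatory)."""
    origin = None
    rrsets = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()      # drop comments
        if not line:
            continue
        if line.startswith('$ORIGIN'):
            origin = line.split()[1].lower()
            continue
        owner, _ttl, _cls, rtype, *_rdata = line.split()
        owner = owner.lower()
        if owner == '@':
            owner = origin
        elif not owner.endswith('.'):
            owner = f'{owner}.{origin}'          # qualify relative names
        rrsets[owner].add(rtype.upper())
    return origin, dict(rrsets)


def cname_violations(rrsets):
    """Owners that have a CNAME alongside other record types, with the offending types."""
    return [(owner, sorted(types - {'CNAME'}))
            for owner, types in sorted(rrsets.items())
            if 'CNAME' in types and types - {'CNAME'}]


def apex_alias_allowed(rrsets, origin) -> bool:
    """True only if the apex owns nothing but a CNAME, which no real zone satisfies
    because it must own SOA and NS."""
    return not (rrsets.get(origin, set()) - {'CNAME'})


if __name__ == '__main__':
    origin, rrsets = parse_zone(ZONE)
    for owner, others in cname_violations(rrsets):
        print(f'{owner}: CNAME cannot coexist with {", ".join(others)}')
    print('apex CNAME permitted:', apex_alias_allowed(rrsets, origin))
```

The providers that sell an "ALIAS" or "ANAME" record at the apex implement it by resolving the target themselves and answering with synthesized A/AAAA records, so the zone data they serve stays legal. The HTTPS/SVCB record types (RFC 9460) were designed in part to give clients an alias-like mechanism that works at the apex without breaking this rule.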
Confused on Setting up Route Posted: 02 Mar 2021 07:39 AM PST I've got this Layer 3 Cisco switch that I'm trying to do routing with. One host is directly connected to it with IP address 10.10.10.35/16, with interface VLAN 1 SVI of 10.10.0.1. The Layer 3 switch is going to a managed switch which is then connected to three hosts in different subnets of 192.168.60.0/24, 192.168.70.0/24 and 192.168.80.0/24. IP routing is enabled, but how do I set routes on the switch to all these different subnets?
Nokia NSP? Thoughts? Posted: 02 Mar 2021 09:40 AM PST Hey all, We're evaluating new automation and tooling for our network. I can't get into details but we run 99% Nokia gear. I can't find much on personal experience stuff with it and wanted to ask here. Does anyone here use it? How do you use it? What do you like? What do you hate?
Mounting Hardware Screws Posted: 02 Mar 2021 12:13 PM PST Hey Everyone! Over a year ago, we installed some Cisco Firepower 1140 ASAs, and a pack of screws went missing for one set. I'm hoping to get ahold of some replacements so we can get the device secured in before someone drops it on their head or foot. It's a small pair pictured here. I'm not sure what size they are or the best way to acquire them since it's been a year. Can anyone assist? Thanks!
Azure as SSH jump box Posted: 02 Mar 2021 11:25 AM PST Has anyone implemented Azure services as SSH jump boxes to on-prem switches/routers? Trying to figure out if it's possible to actually get rid of VPN completely. Web apps look easy to do with web application proxy, but how about SSH connections? Or maybe something like Apache Guacamole that's published through web application proxy?
End to End QoS and Azure IoT Posted: 02 Mar 2021 11:10 AM PST I have a few Cisco switches, a few Extreme Networks switches and a Sophos XG firewall on a network I inherited. I was asked if our hardware could provide end to end QoS for a few endpoints which need to connect to Azure using MQTT & AMQP for IoT. I don't have a lot of experience with this, so I'm hoping someone could let me know how this would work from an endpoint over WiFi to an Extreme Networks switch to a Cisco switch to a Sophos firewall to Azure. I am trying to do my own reading but it's not so clear. Thanks
Question about Ekahau Sidekick Posted: 01 Mar 2021 10:02 PM PST Hello. I have questions about Ekahau Sidekick. I need to perform a physical WiFi survey for a site before implementation of access points. I played around with Sidekick and could determine that it analyses existing APs and SSIDs and can generate a heatmap of the signals being broadcast, and also can auto-place these existing APs in the best location according to the floor plan. Please note that the building currently has no APs. Is there any way to:
Thank you all for any help.
Versa SD-WAN BW Subscription Posted: 02 Mar 2021 10:24 AM PST I am working with a partner who is considering offering SD-WAN to customers and we are evaluating Versa as one of the big vendors. The customer is interested in a BW subscription scheme for branches, and I have looked inside the data sheet and did not find anything relating to that. Does Versa support BW subscription? Thanks
Slow network and ping loss Posted: 02 Mar 2021 01:42 AM PST Hi, so we added a 4th switch to our core stack (ring) and a new SFP LAG uplink to a new access switch stack. With the returning users on Monday, shit started to hit the fan. Tests show that ping response times sometimes jump from <1ms to 2ms, sometimes 15ms, or drop completely. I don't see STP blocking on any stack. CPU load on the core stack jumps up and down from 90% to 40%. I'm kinda lost here; I've been wiresharking the network for some time and I don't see anything too freaky. Any help or advice for further debugging would be greatly appreciated.
What are the benefits of using Nexus switches over Catalyst in campus? Posted: 02 Mar 2021 08:52 AM PST Hello all, I am not a data center engineer, however I support a customer where they deploy some Nexus switches on specific sites. These switches connect firewalls and servers. My question is, what are the benefits of using Nexus over Catalyst? For example, vPC in Nexus is equivalent to VSS, and some Catalyst switches support 10/40G interfaces. For sure there is a reason behind it which I am seeking to know :).
Question on spanning tree behavior Posted: 01 Mar 2021 06:26 PM PST Had a network loop today, first one in a long time. A vendor created the loop on an unmanaged switch that plugs into one of my HPE 2920 edge switches. Spanning tree was enabled and killed the vendor port and the uplink port to the core. It was a VLAN that is on all of my 15 switches. Is it normal behavior for STP to kill the uplink port as well, making the switch an island? I thought it only killed the offending port, the vendor. Just wondering if this is normal or if I have something configured incorrectly. My network is HP/Aruba. Thanx
Crosscheck Firewall logs and Firewall configs Posted: 02 Mar 2021 08:22 AM PST I was wondering what kind of firewall config anomalies I can detect by crosschecking these two datasets. From a paper I got the following six:
1) Shadowing anomaly: A rule is shadowed when a previous rule matches all the packets that match this rule, such that the shadowed rule will never be activated.
2) Correlation anomaly: Two rules are correlated if they have different filtering actions, and the first rule matches some packets that match the second rule and the second rule matches some packets that match the first rule.
3) Generalization anomaly: A rule is a generalization of a preceding rule if they have different actions, and if the first rule can match all the packets that match the second rule.
4) Redundancy anomaly: A redundant rule performs the same action on the same packets as another rule, such that if the redundant rule is removed, the security policy will not be affected.
In addition, our log based mining approach can discover the following non-systematic misconfiguration anomalies.
5) Blocking existing service anomaly: A common misconfiguration case is blocking legitimate traffic from a trusted network to an "existing" service. This for example might happen as a result of misconfiguring the port number or deleting by mistake the exception rule that allows the traffic from the trusted network. This type of anomaly can be simply detected when mining the log file, as the analyst would know that traffic from a trusted network is being denied access to an existing (legitimate) service/port.
6) Allowing traffic to non-existing services anomaly: Another case of misconfiguration is to permit traffic destined to a non-existing service. For example, the administrator configures rules to pass traffic at port 79; however, there is no "finger" service available on port 79. In that case this passed traffic with port 79 will be useless.
In that case, one option is that we need to block traffic with port 79. This anomaly can be detected after mining log files of both the firewall and the remote hosts. My question: are there any config anomalies besides these 6?
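The four configuration-level anomalies (1 to 4) above, checked over an ordered first-match rule list. This is an added example, not the poster's code or the quoted paper's tool, and the rule set it runs on is constructed. A rule here is source CIDR, destination CIDR, protocol, destination port range and action; the four definitions only need two set relations between the packets a pair of rules match (one contains the other, or they merely overlap), which is what `covers` and `overlaps` compute. The log-based anomalies (5 and 6) need traffic records and a service inventory and are not modelled.

```python
"""Detect shadowing, correlation, generalization and redundancy in a first-match rule list."""
from dataclasses import dataclass
from ipaddress import ip_network

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # CIDR
    dst: str          # CIDR
    proto: str        # 'tcp', 'udp', 'icmp' or 'any'
    ports: tuple      # inclusive destination port range
    action: str       # 'permit' or 'deny'


def _net(cidr: str):
    return ip_network(cidr, strict=False)


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by b is also matched by a."""
    return (_net(b.src).subnet_of(_net(a.src))
            and _net(b.dst).subnet_of(_net(a.dst))
            and a.proto in ('any', b.proto)
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])


def overlaps(a: Rule, b: Rule) -> bool:
    """True if at least one packet matches both rules."""
    return (_net(a.src).overlaps(_net(b.src))
            and _net(a.dst).overlaps(_net(b.dst))
            and ('any' in (a.proto, b.proto) or a.proto == b.proto)
            and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1])


def find_anomalies(rules):
    """Pairwise check in rule order; returns (kind, earlier_rule, later_rule) tuples."""
    findings = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if covers(earlier, later):
                # the earlier rule already takes every packet of the later one
                kind = 'shadowing' if earlier.action != later.action else 'redundancy'
            elif covers(later, earlier):
                if earlier.action != later.action:
                    kind = 'generalization'       # later rule is the broad default, earlier the exception
                elif not any(overlaps(mid, earlier) and mid.action != earlier.action
                             for mid in rules[i + 1:j]):
                    kind = 'redundancy'           # earlier rule can be dropped without changing policy
                else:
                    continue                      # an intervening opposite rule still needs it
            elif overlaps(earlier, later) and earlier.action != later.action:
                kind = 'correlation'              # partial overlap: swapping them changes the policy
            else:
                continue
            findings.append((kind, earlier.name, later.name))
    return findings


# Constructed rule set; each pair below triggers one of the four anomalies.
RULES = [
    Rule('R1', '10.1.1.0/24', '172.16.0.10/32', 'tcp', (23, 23), 'deny'),
    Rule('R2', '10.1.0.0/16', '172.16.0.10/32', 'tcp', ANY_PORT, 'permit'),
    Rule('R3', '10.1.1.0/24', '172.16.0.10/32', 'tcp', (23, 23), 'deny'),
    Rule('R4', '10.2.0.0/16', '172.16.0.0/24', 'tcp', (443, 443), 'permit'),
    Rule('R5', '10.0.0.0/8', '172.16.0.20/32', 'tcp', (443, 443), 'deny'),
    Rule('R6', '10.1.1.0/24', '172.16.0.0/24', 'udp', (53, 53), 'permit'),
    Rule('R7', '10.1.1.0/24', '172.16.0.0/24', 'udp', (53, 53), 'permit'),
]

if __name__ == '__main__':
    for kind, earlier, later in find_anomalies(RULES):
        print(f'{kind:14s} {earlier} -> {later}')
```

On the sample set it reports R2 generalizing R1 (a broad permit after a narrow deny), R3 as redundant to R1 and shadowed by R2 (so it can never fire), R4 and R5 as correlated (each matches some but not all of the other's packets with opposite actions), and R7 as a duplicate of R6. The four-way classification is Al-Shaer and Hamed's. A real audit also has to expand address and service objects, negations, zones and NAT before the set comparisons mean anything, which this example leaves out.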