    Tuesday, June 29, 2021

    Rant Wednesday! Networking


    Rant Wednesday!

    Posted: 29 Jun 2021 05:00 PM PDT

    It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

    There is no guiding question to help stir up some rage-feels; feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

    Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.

    submitted by /u/AutoModerator
    [link] [comments]

    SD-WAN and HITRUST (Healthcare) Accreditation - Firewall vs. IDPS ?

    Posted: 29 Jun 2021 02:19 PM PDT

    Not sure if anyone has encountered this, but I am curious if someone is using SD-WAN devices in a HITRUST (Healthcare) certified environment. Many SD-WAN vendors only provide stateful firewall capabilities in their edge devices, and they will say that it denies any unauthenticated inbound connections. So this means that any (malicious) connection coming to the branch office from the internet will be dropped (with maybe the header information from the connection being logged and possibly sent to a SIEM, depending on the SD-WAN vendor). However, HITRUST seems to require that an IDPS capability be in place at the perimeter network, which in this case would be the SD-WAN device at the branch. I'm not sure how an IDPS would be relevant if the firewall is dropping the packet before it would even reach the IDPS, but I would like to see how anyone else may have satisfied this control when using SD-WAN. Thanks!

    submitted by /u/psychocandy007
    [link] [comments]

    Juniper GRE Tunnel Reachability with Static Routing

    Posted: 29 Jun 2021 05:50 AM PDT

    Hello!

    Currently running a SRX240 with multiple GRE over IPsec tunnels to some small industrial routers.

    Topology is as follows:

    SRX LAN --- SRX --- (ISP cloud #1) --- IndRouter --- IR LAN

    SRX LAN --- SRX --- (ISP cloud #2) --- IndRouter --- IR LAN

    (SRX and IR in both lines are the same devices, just connected via different ISPs. So both SRX and IR hosts 2 GRE over IPsec tunnels)

    Traffic to IR LAN is routed via static routes with qualified-next-hops and different preference, smaller one for main tunnel, bigger one for backup. Tricky part is, IR can't do OSPF and BFD, only static routing. So I need a mechanism to failover from main tunnel to backup. And statics over GRE are always up, since the tunnel is always up as well, so failover never happens, even when IPsec / GRE pair is down.

    The solution I came up with is a services RPM probe directed at the ISP interface of the IR that manually injects a more preferred static route to the IR LAN via the backup gateway.

    Config below:

    set services rpm probe gre-failover test gre-failover probe-type icmp-ping
    set services rpm probe gre-failover test gre-failover target address <IR_ISP_ADDRESS>
    set services rpm probe gre-failover test gre-failover probe-count 5
    set services rpm probe gre-failover test gre-failover probe-interval 5
    set services rpm probe gre-failover test gre-failover test-interval 3
    set services rpm probe gre-failover test gre-failover source-address <SRX_ISP_ADDRESS>
    set services rpm probe gre-failover test gre-failover thresholds successive-loss 3
    set services rpm probe gre-failover test gre-failover thresholds total-loss 3
    set services rpm probe gre-failover test gre-failover destination-interface reth0.251
    set services rpm probe gre-failover test gre-failover hardware-timestamp
    set services ip-monitoring policy gre-failover match rpm-probe gre-failover
    set services ip-monitoring policy gre-failover then preferred-route route <IR_LAN> next-hop <BACKUP_GRE_PEER_ADDRESS>

    My question: what solution would you suggest for this routing scenario? I'm just curious and want to expand my knowledge and share experience with fellow network engineers.

    Cheers!

    submitted by /u/I-heart-subnetting
    [link] [comments]

    ASA Firepower module upgrade?

    Posted: 29 Jun 2021 04:38 PM PDT

    Hi, I am in the middle of creating an SSL decryption policy, and since I'm not sure how a TLS 1.3 site will behave yet on Firepower, I'm looking at enabling Cisco's "TLS Server Identity Discovery" and using it to test access rules that trigger on "application" and URLs.

    Currently we have 2 ASA's that are running Firepower 6.4.0.3-29 and 6.2.0.2-51...I have read that the TLS Server Discovery feature is only available on 6.7 and above, can I upgrade these modules to their latest (stable) image and enable this feature does anyone know?

    Cheers

    submitted by /u/Mjr798
    [link] [comments]

    Question for Cisco collaboration/callmanager folks…

    Posted: 29 Jun 2021 04:20 PM PDT

    Can CUCM warn you/detect if your inbound/outbound calls aren't working? Either on RTMT, snmp, etc. if not directly on cucm, maybe something on the voice gateway, etc. Or is this something only an end user can detect?

    Thing is unfortunately we don't have a NOC so that makes us a reactive shop. But nevertheless we should be able to get alerts for major outages like this. We'd still like to find out something is wrong before the end-users do.

    submitted by /u/d3adbor3d2
    [link] [comments]

    How to set up a RADIUS server for public Wi-Fi authentication?

    Posted: 29 Jun 2021 06:54 PM PDT

    Hi, a friend has asked me about setting up public Wi-Fi access for his food court business. He wants customers to have to log in, which I understand requires the use of a RADIUS server.

    I'm a software developer, and while I do have some understanding of networking, I've never done something like this before. Are there any guides on how to set up a RADIUS server (preferably using Linux) and use it to authenticate a wireless access point?

    submitted by /u/KiwiNFLFan
    [link] [comments]
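    The post above asks how a RADIUS server authenticates an access point's users. The following is an added example (not from the post, and not FreeRADIUS or any real server's code) that performs a RADIUS PAP Access-Request/Access-Accept exchange in memory, exactly as RFC 2865 specifies it, so the role of the shared secret is visible: it keys the User-Password obfuscation and the Response Authenticator that lets the access point check the reply really came from its server. The NAS name, user list and secrets are constructed for the example.

```python
"""Toy RADIUS PAP exchange (RFC 2865) between a NAS (the access point) and an
authentication server, entirely in memory: no sockets, no FreeRADIUS needed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator.
    This is secret-keyed obfuscation, not encryption: protect the RADIUS path too."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def decode_password(encoded: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")  # strip padding; a password cannot end in NUL


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return HEADER.pack(code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt: bytes):
    """Returns (code, identifier, authenticator, [(type, value), ...]); rejects bad lengths."""
    if len(pkt) < 20:
        raise ValueError("RADIUS packet shorter than its header")
    code, ident, length = HEADER.unpack(pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, i = [], 20
    while i < length:
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, pkt[i + 2:i + l]))
        i += l
    return code, ident, pkt[4:20], attrs


def nas_access_request(username, password, secret, ident=1, req_auth=None):
    """NAS side: a fresh random Request Authenticator for every request."""
    req_auth = req_auth or os.urandom(16)
    attrs = [(ATTR_USER_NAME, username),
             (ATTR_USER_PASSWORD, encode_password(password, secret, req_auth)),
             (ATTR_NAS_IDENTIFIER, b"foodcourt-ap1")]  # constructed NAS name
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def server_handle(pkt, secret, users):
    """Server side: recover the password with its own copy of the secret and sign
    the reply with the Response Authenticator = MD5(header + ReqAuth + attrs + secret)."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    a = dict(attrs)
    try:
        ok = a[ATTR_USER_NAME] in users and hmac.compare_digest(
            users[a[ATTR_USER_NAME]], decode_password(a[ATTR_USER_PASSWORD], secret, req_auth))
    except KeyError:  # User-Name or User-Password attribute missing
        ok = False
    header = HEADER.pack(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()  # no reply attributes


def nas_check_response(resp, req_auth, secret):
    """NAS side: (code, authentic). authentic is False unless the reply was made by a
    server holding the same secret, for this exact Request Authenticator."""
    code, _ident, resp_auth, _attrs = parse_packet(resp)
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return code, hmac.compare_digest(expected, resp_auth)


def run_exchange(username, password, nas_secret, server_secret, users):
    """Full round trip; nas_secret != server_secret models a misconfigured or rogue server."""
    req, req_auth = nas_access_request(username, password, nas_secret)
    return nas_check_response(server_handle(req, server_secret, users), req_auth, nas_secret)


if __name__ == "__main__":
    users = {b"guest": b"foodcourt-2021"}  # constructed sample account
    print(run_exchange(b"guest", b"foodcourt-2021", b"s3cret", b"s3cret", users))
```

    In practice the server would be FreeRADIUS with the access point listed in clients.conf under a long random secret, and a captive portal or WPA2-Enterprise (EAP) rather than bare PAP; the exchange above is what happens underneath either. Note that a reply signed with a different secret is rejected by the NAS even when its code says Accept, which is why the secret must be unique per NAS and not guessable.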

    Alternatives to Cisco for branch office WAN Edge? (non-SDWAN/non-all-in-one)

    Posted: 29 Jun 2021 11:05 AM PDT

    Are there any reasonable non-SDWAN alternatives to Cisco for <1Gbps (generally 200Mbps - 500Mbps) at the WAN edge? Looking for something similar in sizing/function to the ISR 43xx/ISR 44xx. Pretty basic requirements. 1Gbps Ethernet, IPSec, OSPF, BGP, etc. As far as I can see Juniper doesn't play in this sizing space any longer. Even open to software-based routers.

    Looking for a comparison point if nothing else.

    Thank you for any guidance that you can provide!

    submitted by /u/diode99
    [link] [comments]

    Staying in break/fix or going engineering?

    Posted: 29 Jun 2021 08:57 AM PDT

    I have been in break/fix for over 5 years, and I love it. I still have room to grow in my current department, though my mind has been entertaining engineering. I sat with one of our engineers for a half day, and admittedly, it is not as exciting to me. The pay bump would be fantastic, but even the person I sat with was missing the days of break/fix. No one cares that you built something; you move on to the next project. No dropping configs, no customer interaction, nothing but satellite images, project orders, and site survey images.

    Have any of you been here, and if so, what are your thoughts?

    submitted by /u/emeraldcitynoob
    [link] [comments]

    IPsec and Nat on the same interface?

    Posted: 29 Jun 2021 04:43 PM PDT

    So I'm trying to do sort of a split tunneling idea here on a Cisco 1811.

    Basically I have a wireless access point off a switch port of a 1811 router.

    The outside interface with a public IP has a site to site vpn back to our core with GRE over ipsec.

    I applied a NAT config to the internal svi on the router as the inside and the public interface as Outside.

    The IPsec interesting traffic acl shouldn't apply to my WAP traffic as it's on a complete different subnet, and the interesting traffic acl applied to the NAT config should pick it up

    Well, it didn't work.

    After looking up Cisco's documentation on IOS order of operations I could see why it wouldn't work, as NAT is clear down at 14 in priority. But the IPsec ACL shouldn't apply to my WAP traffic, and it should work, right?

    https://etherealmind.com/cisco-ios-order-of-operation/?doing_wp_cron=1625010167.1254999637603759765625

    Anyways, when I remove the IPsec crypto map, Nat works, leaving me only to the conclusion that Nat and IPsec can't be applied to the same interface.

    Or maybe I'm doing something wrong?

    submitted by /u/vonseggernc
    [link] [comments]

    nat/rule associations - asa

    Posted: 29 Jun 2021 12:35 PM PDT

    Hi all,

    In ASDM, I see a service column. Are access lists required to allow this traffic through the FW, or can it all be defined within the NAT section in ASDM with the designated ports = any for original/translated packets within the NAT rules? Basically, are two rules required, NAT and ACL, or is the NAT rule alone sufficient?

    If ACL rules are required, in the CLI or ASDM, is there any way to reference a NAT rule and check if there are any relevant access lists associated with the NAT rule, and if so, what they are?

    Thanks

    submitted by /u/kramer9797
    [link] [comments]

    Modify GlobalProtect Portal to Post Linux Binary Files

    Posted: 29 Jun 2021 12:16 PM PDT

    I've searched high and low and can't find a way to accomplish this. Has anyone found a way to do this without writing a custom page? Other than this, the page more or less fits the bill.

    submitted by /u/brew87
    [link] [comments]

    Network Segmentation in DC with FTD

    Posted: 29 Jun 2021 12:03 PM PDT

    Hello,

    Looking to do some segmentation in the DC. I am looking at clustering some FTD 4100 units and placing them in transparent mode between my core and distribution layers. Any recommendations? Is there a better way to go for segmentation/security?

    submitted by /u/selereddit
    [link] [comments]

    What am I missing in dealing with Equinix?

    Posted: 28 Jun 2021 04:38 PM PDT

    So I've been investigating getting into CH1 via wave/circuit transport. So far I have pricing/planned:

    1. The cabinet NRC/MRC
    2. Some concepts of transport NRC/MRC (Still vetting options)
    3. Remote hands $
    4. OOB Internet $
    5. IX xconnect $ and associated $
    6. Other services we can isolate to ourselves from third parties (More xconnect fees)
    7. Equipment plans (No redundant equipment currently but trying for two paths)

    First time dealing with a large datacenter operator, and first time looking at a datacenter connection further than 30 minutes away.

    For xconnects, do you pay smarthands to install the cable from a patch? Part of the deal? Or do you pre-wire some of your patch panel to ports of your router?

    Are there gonna be surprise gotchas, besides watching the power limit?

    submitted by /u/Fhajad
    [link] [comments]

    Testing Cisco OTV in a home lab

    Posted: 29 Jun 2021 10:31 AM PDT

    I need to test some scenarios for an OTV setup. I have 3 ASR 1001s; I need a L3 switch for each "node"...

    Do you think I can just use 1 physical L3 switch and carve out VLANs(?) to emulate "core switches" for each of the OTV nodes? Or do I really need 3 switches?

    submitted by /u/trustinglemming
    [link] [comments]

    What network tools do you find the most helpful and keep with you at all times.

    Posted: 29 Jun 2021 09:19 AM PDT

    I'm looking at purchasing a network cable/link tester. I'm trying to decide between something like the Klein Scout Pro 3 and the Pockethernet. What I'm finding is the Klein is more geared towards identifying multiple cable runs and testing, vs. the Pockethernet, which is more of an IP and link analyzer.

    My question: do you find yourself using features of one more than the other?

    Are there other tools that are must-haves, like the untwist tool?

    submitted by /u/GioDude_
    [link] [comments]

    Need tips on new cabling job

    Posted: 29 Jun 2021 01:41 AM PDT

    Hey All,

    I'm trying to improve our standards on how we do new cabling (make it more efficient and cleaner). Currently we are working on a proposal for a client as they need a lot of new cabling and some cleaning up. I have 2 main questions:

    1- How do you run and number new cables?

    • Running all the cables from the wall to the patch and toning them out afterwards?
    • Labeling them at the port and cable end. Then patch them in order. (This is how we do it currently, which is the cleanest but labour-intensive. It also gets messed up if new cables ever need to be pulled.)

    2- Where to run the cables?

    The client currently has a couple of small network racks dispersed throughout the different parts of the stockroom, which I'm not sure I'm a fan of or not. The pro is that there is a clear small network rack per warehouse "room", which makes working in that specific room easy, but it de-centralises the network equipment.

    There will be a big (42U) network rack in the center of the warehouse, which means that the furthest point for cabling would be about 70 meters. It is perfectly doable to run all the cabling to the main rack. Only one small network rack would have to be completely re-done.

    What is your opinion on both ways of doing the cabling? And should we keep the de-centralised setup there currently is, or should we centralise?

    Thanks upfront for the information, I'm looking to learn and grow!

    edit: some styling

    submitted by /u/NOFF44
    [link] [comments]

    Access to remote jumphost

    Posted: 29 Jun 2021 04:40 AM PDT

    Hello all,

    I'm trying to get access from our office network to a remote jumphost. The jumphost is accessible over the internet, so the remote jumphost IP is, let's say, 200.200.200.200. I'm using a Cisco ASA for the configuration part. So the problem is that I'm unable to access the remote jumphost from the office network.

    Here is my configuration:

    access-list ACL-OFFICE-TO-JUMPHOST extended permit ip 10.120.3.0 255.255.255.0 200.200.200.200

    route (interface of the office network) 200.200.200.200 255.255.255.255 (outside IP, let's say 209.209.209.209)

    so it will be: route INSIDE 200.200.200.200 255.255.255.255 209.209.209.209

    Here is the complete configuration (made it easier to read)

    access-list ACL-OFFICE-TO-JUMPHOST extended permit ip object 10.120.3.0 255.255.255.0 200.200.200.200 255.255.255.255
    route INSIDE 200.200.200.200 255.255.255.255 209.209.209.209

    What I'm trying to figure out is how the office net 10.120.3.0 will get access to the remote jumphost? Of course something is missing in my configuration (probably the configuration is also not correct). Appreciate any help.

    submitted by /u/donutspro
    [link] [comments]

    Looking for recommendations on how to set up a Hotel Network.

    Posted: 29 Jun 2021 10:07 AM PDT

    Hello everyone

    I work at a hotel; we are looking for a way to distribute WiFi around, but placing an AP in every room is too labor-intensive and expensive. I'm wondering if using a big omnidirectional antenna with enough gain would suffice.

    For reference, the layout is a one-floor hotel, square plot, with rooms on the perimeter, around 300ft per side (100m). The antenna could be fairly centered.

    Another option would be to get directional antennas on one corner of the lot.

    Any pointers are well received and greatly appreciated.

    Thank you.

    submitted by /u/Jomaloro
    [link] [comments]

    Basic question regarding Windows Server NPS accounting

    Posted: 29 Jun 2021 06:25 AM PDT

    Thank you in advance for any help!

    To set this up:

    I have NPS servers for multiple sites set up for wireless authentication, with a log forwarder for our aggregator that reads the local log file. I also have firewalls that can ingest the accounting messages for identity purposes on the firewall.

    My question is:

    If I forward accounting requests, does NPS continue to log to the local log file?

    submitted by /u/pdavis2008
    [link] [comments]

    Network device found in ARP Table with MAC Address but not in MAC Address Table?

    Posted: 29 Jun 2021 02:07 AM PDT

    We are rearranging and reconfiguring the switches, and this time around we decided to move all non-client devices to a separate switch (like everyone does). To do that, I have to first find which devices are connected to which ports.

    We have a few door access card terminals, and those are going to be moved, but their port numbers were not documented when they were installed 10+ years ago. It is impossible to trace the cable as the terminals were permanently installed on the wall; it would take destructive means to remove them (security measures? idk, ask Admin).

    We have the IP addresses of the devices. We can find their respective MAC addresses and IP addresses by doing a show arp. However, those devices never show up when doing show mac address-table.

    What can I do except resorting to tracing the cable?

    submitted by /u/SugarlessCOT
    [link] [comments]
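    The situation in the post above (a host present in the ARP table but absent from the MAC address table) is usually just ageing: on Cisco IOS an ARP entry lives 4 hours by default while a dynamic MAC entry is flushed after 300 seconds of silence, so a door terminal that rarely talks drops out of the MAC table first. The practical procedure is to ping the IP from the switch, which makes the device answer and re-populates the MAC table, then join the two tables on the MAC address. Below is an added example (not from the post) that does the join over constructed sample outputs in Cisco IOS format; it also normalises dotted, colon and hyphen MAC notations so a Windows arp -a listing can be matched against a switch table.

```python
"""Correlate 'show ip arp' with 'show mac address-table' to find the switch port
behind an IP. ARP_SAMPLE and MAC_SAMPLE are constructed, not captured from a device."""
import re

ARP_SAMPLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.50.1               -   001a.2b3c.4d5e  ARPA   Vlan50
Internet  10.1.50.21             17   0011.2233.4455  ARPA   Vlan50
Internet  10.1.50.22            203   0011.2233.4466  ARPA   Vlan50
"""

MAC_SAMPLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  50    001a.2b3c.4d5e    STATIC      CPU
  50    0011.2233.4455    DYNAMIC     Gi1/0/7
Total Mac Addresses for this criterion: 2
"""

MAC_RE = re.compile(r"^[0-9a-f]{12}$")
ARP_LINE = re.compile(r"^Internet\s+(\S+)\s+(-|\d+)\s+(\S+)\s+ARPA\s+(\S+)")
MAC_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(STATIC|DYNAMIC)\s+(\S+)")


def normalize_mac(raw: str) -> str:
    """Canonical 12-hex-digit lowercase form: 0011.2233.4455, 00:11:22:33:44:55
    and 00-11-22-33-44-55 all become 001122334455."""
    mac = re.sub(r"[.:\-]", "", raw.strip().lower())
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac


def parse_arp(text: str) -> dict:
    """ip -> {'mac', 'age_min' (None for the switch's own address), 'interface'}"""
    out = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            ip, age, mac, iface = m.groups()
            out[ip] = {"mac": normalize_mac(mac),
                       "age_min": None if age == "-" else int(age),
                       "interface": iface}
    return out


def parse_mac_table(text: str) -> dict:
    """mac -> {'vlan', 'type', 'port'}; banner, header and footer lines do not match."""
    out = {}
    for line in text.splitlines():
        m = MAC_LINE.match(line)
        if m:
            vlan, mac, typ, port = m.groups()
            out[normalize_mac(mac)] = {"vlan": int(vlan), "type": typ, "port": port}
    return out


def locate(ips, arp_text: str, mac_text: str) -> dict:
    """ip -> {'mac': mac or None, 'port': port or None}.
    mac None: no ARP entry at all. port None: ARP knows the MAC but the switch has
    not learned it recently (aged out, or learned on a different switch)."""
    arp, macs = parse_arp(arp_text), parse_mac_table(mac_text)
    result = {}
    for ip in ips:
        mac = arp[ip]["mac"] if ip in arp else None
        entry = macs.get(mac) if mac else None
        result[ip] = {"mac": mac, "port": entry["port"] if entry else None}
    return result


if __name__ == "__main__":
    for ip, hit in locate(["10.1.50.21", "10.1.50.22"], ARP_SAMPLE, MAC_SAMPLE).items():
        print(ip, hit)
```

    Run it against real output captured right after pinging each terminal. A port of None after a successful ping means the MAC was learned on another switch, and a port that is a trunk or uplink means the device sits behind a downstream switch: repeat the lookup there. The same join is the basis of rogue-device hunting, so it is worth keeping as a tool rather than a one-off.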

    Traffic monitoring/flow graphing @ Cisco Live 2020

    Posted: 28 Jun 2021 04:44 PM PDT

    Found this picture of #CLEUR2020 in the depths of our fileshare and was curious if anybody has an idea what kind of monitoring/dashboard software the NOC might have used? https://postimg.cc/K3KDyqh7

    submitted by /u/thenoiseofthunder
    [link] [comments]

    Cisco ASA ASDM login issue on one interface

    Posted: 28 Jun 2021 07:27 PM PDT

    I've got a home lab set up with a pair of ASA 5510s in the middle splitting the lab up into WAN, LAN, and DMZ zones. I have each zone wide open for management via both SSH and ASDM/HTTPS. I can login using both methods from the WAN and LAN zones but only SSH is working from the DMZ.

    When I try connecting with ASDM from the DMZ zone I immediately get the message "Unable to launch device manager from 10.10.2.253:8443"

    Here's what I see in the log:

    %ASA-6-302013: Built inbound TCP connection 4339 for DMZ:10.10.2.21/56135 (10.10.2.21/56135) to identity:10.10.2.253/8443 (10.10.2.253/8443)
    %ASA-6-725001: Starting SSL handshake with client DMZ:10.10.2.21/56135 for TLSv1 session.
    %ASA-7-725010: Device supports the following 4 cipher(s).
    %ASA-7-725011: Cipher[1] : DHE-RSA-AES256-SHA
    %ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA
    %ASA-7-725011: Cipher[3] : AES256-SHA
    %ASA-7-725011: Cipher[4] : AES128-SHA
    %ASA-7-725008: SSL client DMZ:10.10.2.21/56135 proposes the following 6 cipher(s).
    %ASA-7-725011: Cipher[1] : AES256-SHA
    %ASA-7-725011: Cipher[2] : DHE-RSA-AES256-SHA
    %ASA-7-725011: Cipher[3] : DHE-DSS-AES256-SHA
    %ASA-7-725011: Cipher[4] : AES128-SHA
    %ASA-7-725011: Cipher[5] : DHE-RSA-AES128-SHA
    %ASA-7-725011: Cipher[6] : DHE-DSS-AES128-SHA
    %ASA-7-725012: Device chooses cipher : DHE-RSA-AES256-SHA for the SSL session with client DMZ:10.10.2.21/56135
    %ASA-7-725014: SSL lib error. Function: SSL3_GET_RECORD Reason: wrong version number
    %ASA-7-710005: TCP request discarded from 10.10.2.21/56135 to DMZ:10.10.2.253/8443
    %ASA-7-710005: TCP request discarded from 10.10.2.21/56135 to DMZ:10.10.2.253/8443
    %ASA-6-302014: Teardown TCP connection 4339 for DMZ:10.10.2.21/56135 to identity:10.10.2.253/8443 duration 0:00:00 bytes 937 TCP Reset by appliance

    It seems clear that the issue is some kind of SSL error but I have the SSL settings set to "Any" so I'm not sure why this is still happening.

    The device I'm trying to log in from is a Windows 10 laptop with a fresh install.

    I can provide more info if needed, I'd love some help.

    submitted by /u/MScoutsDCI
    [link] [comments]
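    The syslog in the post above is a complete SSL handshake trace for one client session, and ASA emits the same message IDs (725001, 725008, 725010, 725011, 725012, 725014) for every ASDM, WebVPN or AnyConnect connection, so it pays to parse them rather than read them by eye. The following is an added example, not part of the post, that turns those lines into a per-session summary: the protocol version the appliance started with, what each side offered, what was chosen, the library error and the teardown reason. The log lines embedded in the block are the ones from the post; the cipher classification at the end is the author's own simple rule on OpenSSL-style suite names and is an assumption, not an ASA feature.

```python
"""Summarise the SSL handshake messages in a Cisco ASA syslog excerpt."""
import re

# Log lines as posted above (one session, DMZ client to the ASA's management port).
ASA_LOG = """\
%ASA-6-302013: Built inbound TCP connection 4339 for DMZ:10.10.2.21/56135 (10.10.2.21/56135) to identity:10.10.2.253/8443 (10.10.2.253/8443)
%ASA-6-725001: Starting SSL handshake with client DMZ:10.10.2.21/56135 for TLSv1 session.
%ASA-7-725010: Device supports the following 4 cipher(s).
%ASA-7-725011: Cipher[1] : DHE-RSA-AES256-SHA
%ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : AES128-SHA
%ASA-7-725008: SSL client DMZ:10.10.2.21/56135 proposes the following 6 cipher(s).
%ASA-7-725011: Cipher[1] : AES256-SHA
%ASA-7-725011: Cipher[2] : DHE-RSA-AES256-SHA
%ASA-7-725011: Cipher[3] : DHE-DSS-AES256-SHA
%ASA-7-725011: Cipher[4] : AES128-SHA
%ASA-7-725011: Cipher[5] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[6] : DHE-DSS-AES128-SHA
%ASA-7-725012: Device chooses cipher : DHE-RSA-AES256-SHA for the SSL session with client DMZ:10.10.2.21/56135
%ASA-7-725014: SSL lib error. Function: SSL3_GET_RECORD Reason: wrong version number
%ASA-7-710005: TCP request discarded from 10.10.2.21/56135 to DMZ:10.10.2.253/8443
%ASA-7-710005: TCP request discarded from 10.10.2.21/56135 to DMZ:10.10.2.253/8443
%ASA-6-302014: Teardown TCP connection 4339 for DMZ:10.10.2.21/56135 to identity:10.10.2.253/8443 duration 0:00:00 bytes 937 TCP Reset by appliance
"""

MSG_RE = re.compile(r"^%ASA-(\d)-(\d{6}): (.*)$")


def parse_asa(text: str):
    """(severity, message_id, text) for each well-formed %ASA line; other lines are dropped."""
    events = []
    for line in text.splitlines():
        m = MSG_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3)))
    return events


def summarize_ssl(events) -> dict:
    """Walk the handshake messages in order. 725011 lines carry no side marker of
    their own: they belong to whichever of 725010 (device) / 725008 (client) came last."""
    s = {"client": None, "protocol": None, "device_ciphers": [], "client_ciphers": [],
         "chosen": None, "errors": [], "teardown": None}
    side = None
    for _sev, mid, txt in events:
        if mid == "725001":
            m = re.search(r"client (\S+) for (\S+) session", txt)
            s["client"], s["protocol"] = m.group(1), m.group(2)
        elif mid == "725010":
            side = "device_ciphers"
        elif mid == "725008":
            side = "client_ciphers"
        elif mid == "725011" and side:
            s[side].append(txt.split(":", 1)[1].strip())
        elif mid == "725012":
            s["chosen"] = re.search(r"cipher : (\S+)", txt).group(1)
        elif mid == "725014":
            s["errors"].append(txt)
        elif mid == "302014":
            m = re.search(r"bytes \d+ (.+)$", txt)
            s["teardown"] = m.group(1) if m else txt
    return s


def cipher_flags(name: str) -> set:
    """Assumed classification of an OpenSSL-style suite name (author's rule, not ASA's):
    no-pfs: RSA key transport; not-aead: CBC/RC4 rather than GCM or ChaCha20;
    sha1-mac: HMAC-SHA1 record MAC."""
    flags = set()
    if not name.startswith(("DHE-", "ECDHE-")):
        flags.add("no-pfs")
    if "GCM" not in name and "CHACHA" not in name:
        flags.add("not-aead")
    if name.endswith("-SHA"):
        flags.add("sha1-mac")
    return flags


if __name__ == "__main__":
    summary = summarize_ssl(parse_asa(ASA_LOG))
    print(summary)
    print({c: sorted(cipher_flags(c)) for c in summary["client_ciphers"]})
```

    On the posted session the summary shows the appliance beginning a TLSv1 handshake, both sides offering only CBC suites with SHA-1 MACs, DHE-RSA-AES256-SHA being chosen, and then the library rejecting a record's version field before the reset. "wrong version number" in SSL3_GET_RECORD means the ASA's SSL library received a record whose version bytes did not match what it negotiated; when chasing it, compare the appliance's ssl server-version and ssl cipher settings with what the ASDM launcher's Java runtime is configured to send, and confirm that nothing in the DMZ path is rewriting the stream.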

    Pfsense Frr wont go past status active?

    Posted: 29 Jun 2021 12:35 AM PDT

    As far as I can tell I have configured frr correctly within pfsense doing everything as I can see it in the video and documentation (for ipv6 not 4) but it doesn't even seem to try and connect to my neighbour/peer just sitting at active. I have gone through everything several times but just cannot see where I am going wrong.


    For address family: IPv6 Unicast
      Not part of any update group
      Community attribute sent to this neighbor(large)
      Default information originate, default not sent
      0 accepted prefixes

    Connections established 0; dropped 0
    Last reset 00:00:05, Waiting for NHT
    BGP Connect Retry Timer in Seconds: 120
      Next connect timer due in 116 seconds
    Read thread: off  Write thread: off  FD used: -1

    submitted by /u/Wilsonfromdevon
    [link] [comments]
