Moronic Monday! Networking
- Moronic Monday!
- How to address a network closet shared with another tenant
- Split Tunnel JAMF on a Palo Alto
- Cisco ACI - new APIC version mismatch, need to downgrade
- Access webadmin from different VLAN
- Is CRL checking required for wired 802.1x on Windows?
- 10 pair phone cable termination
- recommended book/video tutorials for learning Ansible for network engineers (for beginners)
- Contractor to Federal Employee?
- VLANs between Aruba and Netgear for VoIP
- IPS signatures for CVEs
- Jumbo frames on DIA hand off.
- Dynamic DNS
- Virtual server question
- How to: non-interactive login to devices that don't support pubkey auth
- NX-OS Modify Distance for certain prefixes
- Proxy implementation help
- WAN Attacks is it just whack-a-mole?
- Analyzing Netflow/SFlow to identify TopTalkers
- Benefit of Azure training within the industry?
- EIGRP Floating Default Route Question
- CDP with tcpdump - How to tell between "trunk" or "access" port?
- Wireless bridge eating away frames
- IT inventory tool?
- MP-BGP AFI number 16 (DNS)
- What is the advantage of RED QoS vs FIFO?
Posted: 01 Aug 2021 05:00 PM PDT It's Monday, you've not yet had coffee and the week ahead is gonna suck. Let's open the floor for a weekly Stupid Questions Thread, so we can all ask those questions we're too embarrassed to ask! Post your question - stupid or otherwise - here to get an answer. Anyone can post a question and the community as a whole is invited and encouraged to provide an answer. Serious answers are not expected. Note: This post is created at 01:00 UTC. It may not be Monday where you are in the world, no need to comment on it.
How to address a network closet shared with another tenant Posted: 02 Aug 2021 10:52 AM PDT Hey guys, we recently had a tenant move into one of our sites that has been vacant for some time since our users moved out. Keep in mind, this tenant is completely separate from our organization, so we are not required to provide any network services. Upon their initial move-in, they asked if they'd be able to hop onto our network for internet access and we explained to them that our network/equipment is off-limits. We did allow them to use the 2nd-floor portion of the patch panel so that they could install their own equipment and be able to patch accordingly. They agreed to this and that was the end of that.

Over the weekend, our switch at this site dropped. Went in this morning and found that they had unplugged about 15 of our cables directly from our switch (not from the patch panel) and also must've unplugged our fiber uplink and then failed to reseat the SFP, because the site was offline the entire weekend. This put a very bad taste in our mouths.

The point of this post is to ask the best way to address sharing a network closet with another tenant. Sure, we know that we need to install a network cabinet and physically secure our equipment from them, but what else may you recommend we do? Any specific guidelines we should lay out with them in regards to not touching our equipment? What would you suggest the best way to address this situation be? Thanks!!
Split Tunnel JAMF on a Palo Alto Posted: 02 Aug 2021 03:38 PM PDT Has anyone successfully split tunneled JAMF on the Palo Alto GlobalProtect client? It seems that application paths need to be configured. I have the below item configured in the "Exclude Client Application Process Name" for split tunneling so far: `/Library/JSS/bin/jamf-pro`. I can push a bash script to run "sudo jamf recon" and "sudo jamf policy" and split tunneling works. But if I run those locally on the machine it does not work. Any ideas or any successes out there?
Cisco ACI - new APIC version mismatch, need to downgrade Posted: 02 Aug 2021 02:53 PM PDT My google-fu is apparently really weak. I have some new APICs that I need to swap into my existing fabric and eventually replace all my current APICs. But the new ones are running 5.0 (no support for first-gen leaf/spine switches), so I need to downgrade them to my desired firmware. I am completely lost on how to do this. I've already decommissioned one existing APIC, and added the new one in its place by running through the wizard and connecting the fabric. I was hoping I could commission the new one and downgrade it inside the GUI. I got all the way to commissioning it, and now it seems to be stuck on "Data Layer Partially Diverged". Anyone know the right process for this?
Access webadmin from different VLAN Posted: 02 Aug 2021 05:42 AM PDT Cisco SB200 managed switch is on a network with IP 192.168.1.2 and VLAN 1. It's connected to a Ubiquiti Dream Machine Pro, which has a built-in VPN server that assigns 192.168.3.x addresses to those users. It does routing between them. I can see every phone, printer, and PC on the network and fully access all the devices from my VPN connection EXCEPT the Cisco switch. It doesn't respond at all unless I'm on the 1.x subnet. I see in the admin screen that it asks for a management VLAN and that is set to 1. Is there a way to allow an additional VLAN to log in to it, or maybe ALL VLANs to log in? It's a small private company so I'm not worried about others gaining access. Just that I can't gain access myself without utilizing one of the PCs through Remote Desktop.
Is CRL checking required for wired 802.1x on Windows? Posted: 02 Aug 2021 02:39 PM PDT I'm running into sporadic issues with Windows clients failing to authenticate with wired 802.1x. We're using an internally signed certificate on our authentication server and it is trusted by the clients. The server certificate does have CRL/OCSP distribution points listed. Logs from the machine do show that during authentication the client is failing to reach out to the CRL distribution point, which makes sense since we do not have a pre-auth ACL allowing that. However, it's not clear to me if that's actually causing the failure. Our Microsoft engineer states that it is the cause but cannot provide any documentation on the CRL requirement. I believe he's just assigning causality due to them both happening at nearly the same time. Windows documentation states that the client does not require CRL checking of the server certificate when wireless 802.1x occurs. I cannot find the same statement about wired 802.1x. Furthermore, our Cisco engineer has never seen this as a requirement for wired 802.1x. To try and narrow it down I removed all cached CRLs/OCSP responses from a client and was able to authenticate successfully. This tells me that CRL verification is not required and goes against what the Microsoft engineer is stating. Does anyone know if CRL checking is required during Windows 10 wired 802.1x authentication?
10 pair phone cable termination Posted: 02 Aug 2021 11:09 AM PDT I am installing a regular 19" rack for all switches on a particular floor of a 4-story building. The thing is, the main PBX is on floor one and running from it are 10-pair cables to each floor cabinet. How do you terminate them in the rack cabinet? Are there any solutions like network patch panels and patch cables? How do you do it properly? Your input is highly appreciated.
recommended book/video tutorials for learning Ansible for network engineers (for beginners) Posted: 02 Aug 2021 04:45 PM PDT Are there any books/videos I can invest in to further expand my knowledge? I wanted to buy Ansible: Up and Running (O'Reilly) but the reviews I have seen online for that book aren't great. What books/video series do you guys recommend that would take me from absolute beginner to expert? Thanks.
Contractor to Federal Employee? Posted: 02 Aug 2021 04:23 PM PDT I currently make about $160k per year as a federal contractor doing network engineering. There are a couple of GG-13 positions opening up at my office that I have a really good chance of getting offered. The position would mostly be doing the same thing, just more of a design role. The only thing that is making me uncertain is it would be about a 20% decrease in salary depending on the step. I'm pushing 40 and looking for something more stable, but the pay decrease is significant enough that it's making me uncertain. Have any of you made this transition? Any advice would be appreciated.
VLANs between Aruba and Netgear for VoIP Posted: 02 Aug 2021 04:23 PM PDT Here's the goal: connect VoIP phones to their gateway by going through the existing data network.

Here's the environment: most of the main building has network drops with 2 wall ports; 1 for the VoIP network (192.168.1.x/24) and 1 for the data network (10.0.1.x/24). The VoIP network is completely segregated. Clients (Polycom phones) plug into (a wall port -> patch panel ->) a Netgear ProSafe GS752TP (Switch 1) and then into an EdgeWater 4550/v2 gateway device (gateway IP 192.168.1.1) and get their IP with DHCP. However, we have one building (more of a trailer) that is connected only to the data network. The switch out there is an Aruba HP 2530-24G switch (J9776A) (Switch 2), which connects to the main building into another ProSafe GS752TP (Switch 3). Currently there is no routing or VLAN configuration; all ports on all switches are simple access ports, including the ports linking Switch 2 to Switch 3.

I need to put some phones in the other building. My plan was to (on Switch 2) create a VLAN for voice (we'll call it VLAN 25), tag specific ports on Switch 2 as VLAN 25 so anything plugged into them (phones) would be tagged as VLAN 25, and tag the link between Switch 2 and 3 with VLAN 25 to ensure network traversal. Then on Switch 3 create VLAN 25, then tag the link to Switch 2 with VLAN 25. Then I'd need to physically connect Switch 3 to the EdgeWater gateway, and tag that link with VLAN 25 so that only VoIP traffic will get routed to that gateway, and everything else will continue to the regular 10.0.1.1 gateway. I've been at this for a few hours with various tweaks to configuration, all with no success. Any guidance would be greatly appreciated!

Edit: I put the Routing flair, but that might not be the most appropriate. It kind of falls under Design and Troubleshooting as well.
IPS signatures for CVEs Posted: 02 Aug 2021 04:15 PM PDT Is there an API available for querying Cisco IPS/Snort protections against CVEs?
Jumbo frames on DIA hand off. Posted: 02 Aug 2021 08:10 AM PDT I just recently received a 10gig DIA from our carrier and found out that they are handing over the circuit with jumbo frames enabled. Is this something that is normally done now with circuits this large?
Dynamic DNS Posted: 02 Aug 2021 02:41 PM PDT Hello! I have the following scenario and could use some help. I am planning a solution where there will be 3 active connections off of my firewall. The 1st, 2nd and 3rd will of course each use a different public-facing IP address, and we have port forwarding being used at the moment out of the primary ISP. Port forwarding needs to remain intact and functional regardless of the IP address, therefore I was considering a Dynamic DNS service. This way the IP would become irrelevant and I could issue a URL to give to the users to access network services through the port forwards. All insight is appreciated! - TheHungryNetworker
Virtual server question Posted: 02 Aug 2021 02:01 PM PDT Noob question. After recently switching out a router, we were having some issues with our virtual servers. We have a physical server with a virtual host and 3 VMs on it, but we could only ping one of the VMs; the host and the other VMs were unreachable. I'm shadowing an analyst and it was determined that the issue was physical cabling which was misconfigured after the router switch. I'm curious about two things:
How to: non-interactive login to devices that don't support pubkey auth Posted: 02 Aug 2021 12:26 PM PDT Edit for those confused: I'm sick of typing in my password to log in to switches/routers, but not all of them support SSH public key auth, which is the preferred way to log in to an SSH device without typing a password. This outlines a way I came up with that gets the same result (password-free login) for devices that don't do pubkey auth.

tl;dr: more of my job is shifting to python/ansible/NMS, but at the end of the day I'm still a CLI jockey. I ssh into devices all the time, and most of the deployment I manage doesn't support pubkey auth (yet), so I get to type my ssh password over and over. Until now I accepted that's just life until we get everything up to cat9k. But then something snapped, and I went on a mission to find a way to get (reasonably secure) non-interactive login, without RSA keys.
It got tricky when looping the jumphost into the mix, which can use pubkey auth. In the end I got what I wanted by using relevant bits of

```
host *
    ProxyCommand ssh -W %h:%p -q austindcc@jumphost
    PreferredAuthentications keyboard-interactive
    # We need to disable StrictHostKeyChecking because sshpass intercepts the new hostkey confirmation, and returns nothing.
    # Note: This does NOT suppress the key mismatch alarm, only the initial connection prompt to a new device.
    # Also add this to the jumphost's /etc/ssh/sshd_config
    StrictHostKeyChecking no
```

```bash
function auth() {
    read -sp 'Cisco password: ' pass
    export SSHPASS=$pass
}
function deauth() {
    export SSHPASS=''
}
function jump() {
    # calling
```

For extra frictionless logins, I added Now after first login or manually calling Limitations:
NX-OS Modify Distance for certain prefixes Posted: 02 Aug 2021 10:32 AM PDT It's well known that BGP backdoor isn't available on NX-OS, but I can see a route-map "set distance" option to modify the distance for eBGP. Does anyone know if this works on received routes? I need to make the EIGRP path (if present) be preferred. If this works, it seems odd that there are many posts about emulating backdoor on NX-OS, either suggesting alternatives or suggesting to modify the distance at the address-family level (e.g. here or here). My planned config is: If anyone has tried setting the distance, I would appreciate any pointers. All the best, James.
Proxy implementation help Posted: 02 Aug 2021 10:11 AM PDT I'm trying to implement a Squid proxy for clients to interact with a web application on a different server. Currently, I am using a URL rewrite to access the web application. After the rewrite, the clients are directly connected to the web app. So they go to proxy.example.com, and it just forwards them to google.com. I'm trying to find a way for the clients to visit proxy.example.com, which acts as a man in the middle for google.com. So all traffic, authentication, etc. to google.com appears to come from proxy.example.com, and while the client can see/interact with google.com, the URL never changes from proxy.example.com. Am I overthinking? Is it even possible?
WAN Attacks is it just whack-a-mole? Posted: 02 Aug 2021 07:11 AM PDT I'm wondering if anyone could provide suggestions on best practice design or offer some practical advice on how to proceed with an issue I'm having. We have Cisco 5515 ASAs as WAN firewalls; the entire enterprise, consisting of 20 or so satellite offices, connects to the internet over MetroE through our DC, and we have a few IPsec tunnels and a DMZ link as well. The problem is we are constantly being DDoS attacked, which brings the performance of the 5515 to a crawl, impacting services to our internal networks. Our solution is to block those IPs on our edge routers by adding an ACL, which only then normalizes the FWs. My question: is this our only resort, to block the attackers via ACL on the edge router? Is this the best design for our enterprise? It just doesn't seem very efficient that we operate this way! Any recommendation greatly appreciated!

```
    ISP1              ISP2
     |                 |
     |                 |
     |                 |
 PublicIP/30       PublicIP/29
    R1-------HSRP-------R2
     |                 |
     |                 |
 PublicIP/30           |
    FW1--------HA-------FW2
```
Analyzing Netflow/SFlow to identify TopTalkers Posted: 02 Aug 2021 06:31 AM PDT Hi! I want to have a better tool to identify top talkers and details about them afterwards. Can you recommend any software that can:
- capture NetFlow
- let me choose a time frame
- get the top talkers of that time frame and drill down into what they did (possibility to group by host, protocol, etc.)
What I am currently evaluating is:
- ntop - does not really provide good historic data
- Scrutinizer - has some problems, but seems to be quite good. Pricing seems steep
- ManageEngine NetFlow Monitor - VERY limited
Is there anything you can recommend? Thank you and best wishes! ITStril
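As an added example, not code from the post or from any of the products it lists, the following Python does the core of what such a tool does: decode NetFlow v5 export packets and aggregate bytes per host (and per host/protocol/port for the drill-down) within a chosen time window. The export packets are constructed inline with documentation addresses; `build_v5_packet`, `top_talkers` and `report` are this example's own names. Sampling intervals are ignored, and a real collector would read packets from UDP (2055 by convention) and keep flows in a store keyed by export time.

```python
"""Added example: the core of a flow top-talker tool, a NetFlow v5 decoder plus
time-windowed aggregation. Export packets below are constructed with documentation
addresses; a real collector would read them from UDP (2055 by convention) and keep
the flows in a store keyed by time. Sampling intervals are ignored.
"""
import struct
from collections import defaultdict
from ipaddress import IPv4Address

HDR = struct.Struct("!HHIIIIBBH")                   # 24-byte v5 header
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")     # 48-byte v5 flow record
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_v5(packet: bytes):
    """Yield one dict per flow record, stamped with the header's export time."""
    version, count, _uptime, unix_secs, _nsecs, _seq, _etype, _eid, _sampling = HDR.unpack_from(packet, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(packet) < HDR.size + count * REC.size:
        raise ValueError("truncated export packet")
    for i in range(count):
        rec = REC.unpack_from(packet, HDR.size + i * REC.size)
        src, dst, _nexthop, _inp, _outp, pkts, octets, _first, _last = rec[:9]
        sport, dport, _pad1, flags, proto = rec[9:14]
        yield {
            "ts": unix_secs,
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "proto": PROTO.get(proto, str(proto)), "sport": sport, "dport": dport,
            "tcp_flags": flags, "bytes": octets, "packets": pkts,
        }


def top_talkers(flows, start, end, key=("src",), n=5):
    """Sum bytes per `key` over flows exported within [start, end] (unix seconds).

    key=("src",) gives hosts; key=("src", "proto", "dport") is the drill-down."""
    totals = defaultdict(int)
    for fl in flows:
        if start <= fl["ts"] <= end:
            totals[tuple(fl[k] for k in key)] += fl["bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def build_v5_packet(unix_secs, records):
    """Constructed export packet: records are (src, dst, proto, sport, dport, pkts, octets)."""
    hdr = HDR.pack(5, len(records), 0, unix_secs, 0, 0, 0, 0, 0)
    body = b"".join(
        REC.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0" * 4,
                 1, 2, pkts, octets, 0, 0, sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, proto, sport, dport, pkts, octets in records)
    return hdr + body


# Constructed sample: three export packets, two a minute apart and one an hour later.
SAMPLE = [
    build_v5_packet(1627900000, [("10.0.1.20", "203.0.113.10", 6, 51000, 443, 800, 1_200_000),
                                 ("10.0.1.21", "10.0.1.5", 17, 5353, 53, 10, 1_500)]),
    build_v5_packet(1627900060, [("10.0.1.20", "203.0.113.10", 6, 51001, 443, 400, 600_000),
                                 ("10.0.1.30", "10.0.1.5", 6, 44000, 445, 5000, 9_000_000)]),
    build_v5_packet(1627903700, [("10.0.1.31", "10.0.1.5", 6, 44100, 445, 100, 50_000)]),
]


def report(start, end):
    """Top hosts in the window, then the same window broken down by protocol and port."""
    flows = [fl for pkt in SAMPLE for fl in parse_v5(pkt)]
    return {
        "by_host": top_talkers(flows, start, end),
        "by_host_proto_port": top_talkers(flows, start, end, key=("src", "proto", "dport")),
    }
```

Calling `report(1627900000, 1627900100)` ranks 10.0.1.30 first (9 MB to port 445), and the drill-down key shows it is one host hitting one SMB port, which is the kind of detail a collector's "group by" gives you; the flow an hour later falls outside the window and is not counted.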
Benefit of Azure training within the industry? Posted: 02 Aug 2021 06:28 AM PDT Hello all, I hope this is not a violation of Rule 5. I'm a CCNA, studying for the CCNP, working in a senior network admin position. An opportunity has presented itself to me via my company for free Microsoft-taught Azure training with certificate vouchers. I'm wondering how beneficial this would be for me to invest time into? My location is definitely more than a few years behind on tech (DoD branch), so it has no utility at the moment. Is the civilian side seeing a big pickup on Azure and other cloud networks? Any opinions appreciated.
EIGRP Floating Default Route Question Posted: 02 Aug 2021 02:26 AM PDT Hi guys, looking for some advice on the best way to skin this feline: As you can hopefully see, I have a MAN which I'm migrating from MPLS to SD-WAN. Previously both MPLS circuits terminated in SiteB, but now we've split our circuits between SiteB and SiteC. The SD-WAN routers aren't Cisco and can't join the EIGRP peers, so the routers attached to them will have to have static routes to 0.0.0.0 and have that redistributed into EIGRP. I was going to define a delay on the interface between EIGRP R3 and its SD-WAN router and let the metrics calculate themselves out, but my colleague just pointed out he doesn't think a 'redistributed static' will look at that delay to calculate its metric. All routers currently have 'redistribute static' under their EIGRP process... I think the best thing for me to do is to change that to 'redistribute static metric K1 K3 K4 K2 K5' on either R2, R3 or both to ensure that traffic normally lands at the SiteB SD-WAN router unless its interface is down, in which case it should land at SiteC.... Thoughts and advice very welcome, thanks in advance.
CDP with tcpdump - How to tell between "trunk" or "access" port? Posted: 02 Aug 2021 05:26 AM PDT I am currently using `tcpdump -nv -s 1500 ether dst 01:00:0c:cc:cc:cc -c 1 -i eth0` to get CDP information from a connected Ethernet cable. But it seems that the output is the same whether the port is set to access on VLAN 5 or trunk with native VLAN 5. How can I tell if I'm connected to a trunk (.1q) or access port?
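As an added example (not part of the post, and not tcpdump's own code), the following Python decodes the CDP TLVs of a captured frame and, separately, watches the capture for 802.1Q-tagged frames. The reason the tcpdump output looks the same in both cases is that Cisco switches send the Native VLAN TLV (type 0x000a) on access ports too, with the access VLAN as its value; what actually distinguishes a trunk is tagged traffic (EtherType 0x8100) on the wire. The sample frames are constructed inline by `build_cdp_frame` and `build_dot1q_frame`, which are this example's own helpers, and the CDP checksum is not verified.

```python
"""Added example: what a capture can and cannot tell you about trunk vs access.

CDP carries a Native VLAN TLV (type 0x000a) on access ports too, with the access
VLAN as its value, so the CDP output looks the same either way. What separates a
trunk is the presence of 802.1Q-tagged frames (EtherType 0x8100) on the wire.
The frame builders below construct sample frames; they are not real captures.
"""
import struct

CDP_MAC = bytes.fromhex("01000ccccccc")
# LLC DSAP/SSAP/ctrl (aa aa 03) + Cisco OUI (00 00 0c) + SNAP PID 0x2000 = CDP
SNAP_CDP = bytes.fromhex("aaaa03" "00000c" "2000")
TLV_NAMES = {0x0001: "device_id", 0x0003: "port_id", 0x0006: "platform", 0x000a: "native_vlan"}


def parse_cdp(frame: bytes) -> dict:
    """Return the TLVs of one CDP frame as a dict (checksum is not verified here)."""
    if frame[:6] != CDP_MAC:
        raise ValueError("not addressed to the CDP/VTP/DTP multicast MAC")
    length = struct.unpack("!H", frame[12:14])[0]  # 802.3 length field, not an EtherType
    if frame[14:22] != SNAP_CDP:
        raise ValueError("LLC/SNAP header is not CDP (PID 0x2000)")
    body = frame[22:14 + length]
    tlvs = {"version": body[0], "ttl": body[1]}
    pos = 4  # skip version, TTL and the 16-bit checksum
    while pos + 4 <= len(body):
        ttype, tlen = struct.unpack("!HH", body[pos:pos + 4])
        if tlen < 4 or pos + tlen > len(body):
            raise ValueError("malformed TLV")
        value = body[pos + 4:pos + tlen]
        name = TLV_NAMES.get(ttype, f"tlv_{ttype:#06x}")
        if ttype == 0x000a:
            tlvs[name] = struct.unpack("!H", value)[0]
        elif ttype in (0x0001, 0x0003, 0x0006):
            tlvs[name] = value.decode("ascii", "replace")
        else:
            tlvs[name] = value
        pos += tlen
    return tlvs


def is_dot1q(frame: bytes) -> bool:
    return frame[12:14] == b"\x81\x00"


def classify_port(frames) -> dict:
    """'trunk' if any frame carries an 802.1Q tag; otherwise only the CDP native VLAN is known."""
    cdp, tagged = None, set()
    for f in frames:
        if is_dot1q(f):
            tagged.add(struct.unpack("!H", f[14:16])[0] & 0x0FFF)  # VID is the low 12 bits of the TCI
        elif f[:6] == CDP_MAC and f[14:22] == SNAP_CDP:
            cdp = parse_cdp(f)
    native = cdp.get("native_vlan") if cdp else None
    kind = "trunk" if tagged else "access-or-native-only"
    return {"port": kind, "native_vlan": native, "tagged_vlans": sorted(tagged)}


def build_cdp_frame(device_id: str, port_id: str, native_vlan: int) -> bytes:
    """Constructed CDPv2 frame for testing; the checksum field is left as zero."""
    def tlv(t, v):
        return struct.pack("!HH", t, len(v) + 4) + v
    body = bytes([2, 180, 0, 0])  # version 2, TTL 180 s, checksum 0
    body += tlv(0x0001, device_id.encode()) + tlv(0x0003, port_id.encode())
    body += tlv(0x000a, struct.pack("!H", native_vlan))
    src = bytes.fromhex("0011223344ff")
    return CDP_MAC + src + struct.pack("!H", len(SNAP_CDP) + len(body)) + SNAP_CDP + body


def build_dot1q_frame(vlan: int) -> bytes:
    """Constructed broadcast ARP carried in 802.1Q VLAN `vlan` (payload zeroed)."""
    dst, src = b"\xff" * 6, bytes.fromhex("0011223344ff")
    return dst + src + b"\x81\x00" + struct.pack("!H", vlan) + b"\x08\x06" + b"\x00" * 28
```

With tcpdump the equivalent check is to run `tcpdump -nei eth0 vlan` next to the CDP capture: tagged frames only appear if something is talking in a non-native VLAN, so on a quiet trunk you may have to wait for a broadcast such as ARP. A trunk negotiated by DTP also produces DTP frames to the same multicast MAC, with SNAP PID 0x2004 instead of 0x2000.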
Wireless bridge eating away frames Posted: 02 Aug 2021 07:22 AM PDT Hi folks, I am having a weird issue with one network. A print server loses connection to the printer if it is over a wireless bridge. But if the server is running a constant ping to the printer, it works no problem. It looks like the following: |Print-Server|-----|Switched-network|-----|AP| ))) |AP|-----|Switch|-----|Printer| I mirrored the respective access ports on both ends and sniffed the traffic from the server and the printer. Somehow, the TCP packets leave the server but never arrive at the printer if the ping is not active (it also works for the first few seconds after we turn off the ping). We have also tested it without the WLAN bridge and all the packets arrive fine. It is obviously something in the bridge causing the problem, but I have no idea what to look for. Other services/hosts connected to the remote switch do work without an issue. I would like to sniff the APs' ports as the next step, but haven't had the chance yet. We are using UniFi switches and APs with some old Cisco switches that will be replaced soon. We are able to replicate the issue in a lab environment with just 2 switches and 2 APs. If we remove the APs, the problem goes away. Do you guys have any idea what may be causing the problem? Or what I am actually looking at here? Thank you very much in advance.
IT inventory tool? Posted: 02 Aug 2021 07:11 AM PDT Hi. I want to know what software you recommend for IT inventory (routers, printers, apps, etc.). I would love to have a centralized view of my entire IT infrastructure, including physical and logical topology. Firmware version and stuff like that would be great. I have experience with ITSM by iTop, but I am just wondering what other options could be beneficial too. Thank you.
MP-BGP AFI number 16 (DNS) Posted: 01 Aug 2021 08:55 PM PDT I was studying stuff around MP-BGP, and ended up looking at the IANA AFI number assignments and noticed a DNS entry (number 16) which looked interesting. It does not have any reference and I cannot seem to find anything valuable in the first few pages on Google, and I skimmed the MP-BGP RFC but that doesn't really tell anything about how the different families operate. Maybe there are some documents/mailing lists from when IANA decided the assignments?
What is the advantage of RED QoS vs FIFO? Posted: 01 Aug 2021 11:37 PM PDT If RED drops packets without caring about priority, what is the point of it compared to something like FIFO? I'm not sure what the advantage of using RED would be.
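As an added example, not part of the post, the following Python runs the same steady overload through a tail-drop FIFO and through classic RED (EWMA queue average, min/max thresholds, linear drop probability with the `count` spreading). Capacity, thresholds, `max_p` and `w_q` are this example's own choices, and the simulated senders do not react to loss, so it demonstrates where and when each policy drops and how much queue (and therefore delay) each lets build up; the TCP back-off that RED relies on, where each flow slows slightly at a different time instead of all of them losing a burst at once when the queue fills, is described rather than simulated. Priority is not RED's job at all: it is a congestion-avoidance drop policy that sits in front of whatever scheduler you use (WRED adds per-class thresholds on top).

```python
"""Added example: the same overload offered to a tail-drop FIFO and to classic RED.

Parameters (capacity, thresholds, max_p, w_q) are this example's own choices, and
the senders do not react to loss, so it shows where and when each policy drops and
how much queue (delay) each lets build up, not the TCP back-off that RED relies on.
"""
import random
from statistics import mean


def simulate(policy, arrivals, capacity=20, min_th=5, max_th=15, max_p=0.1, w_q=0.2, seed=1):
    """Slot simulation: arrivals[t] packets arrive in slot t, then one packet is served."""
    rng = random.Random(seed)
    q, avg, count = 0, 0.0, -1
    trace, drop_at = [], []
    for n in arrivals:
        for _ in range(n):
            if policy == "tail":
                drop = q >= capacity  # FIFO: the only rule is "full means drop"
            elif policy == "red":
                avg = (1 - w_q) * avg + w_q * q  # EWMA of queue length (idle correction omitted)
                if avg < min_th:
                    count, drop = -1, False
                elif avg >= max_th:
                    count, drop = 0, True  # classic RED: above max_th everything is dropped
                else:
                    count += 1
                    p_b = max_p * (avg - min_th) / (max_th - min_th)  # linear ramp min_th..max_th
                    p_a = p_b / max(1.0 - count * p_b, 1e-9)  # spreads drops out rather than bunching
                    drop = rng.random() < min(p_a, 1.0)
                    if drop:
                        count = 0
                if q >= capacity:  # the physical buffer limit still applies
                    drop = True
            else:
                raise ValueError(f"unknown policy {policy!r}")
            if drop:
                drop_at.append(q)  # occupancy at the moment of the drop
            else:
                q += 1
        trace.append(q)  # occupancy after this slot's arrivals, before service
        if q > 0:
            q -= 1  # one packet served per slot
    return {
        "mean_occupancy": mean(trace),
        "max_occupancy": max(trace),
        "drops": len(drop_at),
        "drop_at": drop_at,
    }


def compare(slots=300, burst=2, capacity=20):
    """Constructed steady overload: `burst` packets in, one out, every slot."""
    arrivals = [burst] * slots
    return {
        "tail": simulate("tail", arrivals, capacity),
        "red": simulate("red", arrivals, capacity),
    }
```

`compare()` shows the FIFO sitting at the full 20-packet buffer and dropping only once it is full, while RED starts dropping while the queue is still short and keeps the average occupancy near its thresholds; with real TCP senders those early, spread-out drops are what keep the link busy without the buffer ever filling.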
You are subscribed to email updates from Enterprise Networking Design, Support, and Discussion.