Telecom GOAT? Networking
- Telecom GOAT?
- Any recommendations for a VLAN and Segments management application?
- Cisco 5506x EOL - move to FPR 1010
- firepower blocks with no reason
- Ubuntu 2 NICs, I would like one for UDP traffic, the other one for internet
- Enterprise password managers?
- Ideas for cheap console server?
- Confusing between TCP/IP 4 Layers and 5 Layers?
- Sessions Persistent cookies on F5's
- Cisco (mostly) blocking second gateway on network
- Using Azure VPN gateway (point to site) Azure AD authentication connect with on-premise servers possible?
Telecom GOAT? Posted: 29 Nov 2021 07:58 PM PST I think the best bit of kit ever made was the Cisco (originally Cerent) ONS 15454. I'm sure there are a lot of them still in service. Those things were beasts! You could use and abuse them and they kept ticking. We had a dozen in service for years with no equipment failures. Just a well thought out and designed bit of equipment. Also, some of the best documentation and training ever available. There was a procedure mapped out for just about everything. Any others you think deserve a spot in the telecom hall of fame?
Any recommendations for a VLAN and Segments management application? Posted: 30 Nov 2021 02:47 AM PST Hey Network warriors, I was tasked with searching for an application for keeping track of our VLAN and segment allocations, like when they were created, by whom and for what purpose, stuff like that. We were using a private website that we built from scratch, but it is quite ineffective since we expanded quite a lot. Does anyone know of such software? I don't even know what to call it. We are using SolarWinds as our IT management system, but I don't think it can keep track of any new VLANs or networks added.
Cisco 5506x EOL - move to FPR 1010 Posted: 30 Nov 2021 01:04 AM PST I am currently running a failover pair of ASA 5506X with very few issues. I was in the process of renewing the support and noticed the EOL on these boxes. While they can be covered for a few more years yet, I am wondering if I should take the opportunity to move to the new FPR devices. I have read that you have 2 choices, ASA mode or FTD mode. I am trying to understand what I might lose going either way. We don't have a large number of requirements: failover, 20+ VLANs, site-to-site VPN, virtual interfaces, ACLs. As far as I have read, I lose the CLI if I go with FTD, but does that still allow me to configure all of the above, and what do I then gain from FTD over and above the ASA side of things? For what it's worth, I will be running a pair of 1010s with Sec Plus. Thanks
firepower blocks with no reason Posted: 30 Nov 2021 02:27 AM PST I'm looking at a problem with some provisioning of devices that require connection to external services with Apple. We have some Firepower 4150 firewalls. I have noticed that blocks are occurring on return traffic. I cannot see why this would occur, and the rule referenced is a block rule at the end of the list of rules that someone created to say "no external to internal", basically. I'm a little confused, as surely this is standard stateful stuff and should not hit our last rule of block external to internal inwards; it should be part of the normal rulesets. We have connections out, so the block referenced is typically saying the initiator is the external IP, sourced from tcp/443, to one of our internal IPs, on the sort of tcp port you might expect, like 49552. Obviously Apple aren't initiating those connections... The fact it is mapped back to an internal IP means it's matching outbound translations and a permit rule. I don't see any reason for the block given, just block. It's a bit of a headache, especially as our accounts seem to have bungled our support contract for the devices. Anyone got any quick ideas about this while I sort out support? People are asking me to whitelist IPs, which is going to be unmanageable, as I notice it's not just Apple's external 17/8 as seen in https://support.apple.com/en-us/HT210060, but CDN as well. I'm obviously not going to whitelist Akamai, am I? :| Sadly I've never done any Firepower course, only had the old CCNA Sec. I see I could maybe create a reputation list or similar to feed a whitelist to the device, so I have little in the way of ideas. I could create a massive list of trust policies outbound in case it is Snort, but initial testing didn't seem to help; only physically whitelisting IPs seems to have any results. Day to day I personally only really manage ASA devices myself currently, and our guy that deployed the firewalls moved on. I try to keep the Firepower firmware up to date, though now knowing support has lapsed I have deferred the upgrade to 6.6.5 from 6.6.4 in case of a fault.
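The flows described in the post above (outside:443 to inside:ephemeral, denied by the final catch-all rule) have a recognisable shape in the deny log, and separating them from genuine inbound connection attempts is the first step before anyone talks about whitelisting source ranges. The script below is an added example, not from the thread and not Cisco tooling: it parses lines in the shape of the ASA/FTD %ASA-4-106023 deny message and buckets each one by flow shape. The sample log lines, the addresses, the ACL name, the {80, 443} service-port set and the 1024 ephemeral-port threshold are all constructed assumptions for this example; the 17.0.0.0/8 check uses the Apple range cited in the post.

```python
"""Triage ASA/FTD deny events: which ones look like the return half of an
outbound session (a state/path problem) and which are real inbound attempts.
Added example, not from the thread."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample lines in the shape of the ASA/FTD %ASA-4-106023 message.
# Addresses, ports and the ACL name are made up for this example.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src outside:17.57.144.10/443 dst inside:10.20.30.40/49552 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.7/22 dst inside:10.20.30.40/22 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:23.32.1.9/443 dst inside:10.20.30.41/61234 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.5/443 dst inside:10.20.30.42/1023 by access-group "outside_in" [0x0, 0x0]
"""

DENY_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)

APPLE_NET = ipaddress.ip_network("17.0.0.0/8")  # per HT210060, cited in the post
SERVICE_PORTS = {80, 443}   # assumed: the service ports the provisioning talks to
EPHEMERAL_LOW = 1024        # assumed: anything >= 1024 is treated as a client port


@dataclass
class DenyEvent:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    acl: str

    def looks_like_return_traffic(self) -> bool:
        """The 'initiator' is a well-known service port on the outside and the
        'responder' is an ephemeral port inside: the reverse half of an
        outbound session that the stateful engine should have matched."""
        return self.src_port in SERVICE_PORTS and self.dst_port >= EPHEMERAL_LOW

    def from_apple(self) -> bool:
        return ipaddress.ip_address(self.src_ip) in APPLE_NET


def parse_deny_events(text: str) -> list[DenyEvent]:
    events = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue  # not a 106023 deny line; ignore
        events.append(DenyEvent(m["proto"], m["sip"], int(m["sport"]),
                                m["dip"], int(m["dport"]), m["acl"]))
    return events


def triage(text: str) -> dict[str, list[str]]:
    """Bucket deny events into suspected return traffic vs. inbound attempts."""
    buckets: dict[str, list[str]] = {"return_traffic": [], "inbound_attempt": []}
    for ev in parse_deny_events(text):
        key = "return_traffic" if ev.looks_like_return_traffic() else "inbound_attempt"
        buckets[key].append(f"{ev.proto} {ev.src_ip}:{ev.src_port} -> {ev.dst_ip}:{ev.dst_port}")
    return buckets


if __name__ == "__main__":
    for bucket, flows in triage(SAMPLE_LOG).items():
        print(bucket)
        for flow in flows:
            print("  ", flow)
```

Run it over an export of the deny events for the affected hosts. A large return_traffic bucket is evidence to put in front of TAC for the stateful-inspection question (it is the shape of a state or path mismatch, not of hostile traffic), whereas the inbound_attempt bucket is what the final rule is there for. The script classifies by flow shape only; it does not diagnose why the state entry was missing.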
Ubuntu 2 NICs, I would like one for UDP traffic, the other one for internet Posted: 30 Nov 2021 05:43 AM PST I need to configure a computer with Ubuntu 20.04 that has 2 network cards; one is receiving video streaming with SRT and I need to transmit UDP out the other card (my software has already transcoded the streams). UDP is currently going out through the first card. Can I block the UDP port on one of them and set up routes to the cards? Context: This is a client request and I can't explain why one would like to do it this way. It's an interesting concept and I would like to explore the idea further and inquire around.
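What the post asks for is policy routing rather than blocking a port: keep the default route on the NIC used for the internet and steer only the transcoded UDP out the second NIC. The script below is an added example, not from the thread and not Ubuntu tooling: it prints (and, with --apply as root, executes) the ip and iptables commands that do this with a dedicated routing table selected by fwmark. The interface names eth0/eth1, the 192.0.2.x and 198.51.100.x addresses, UDP port 9000, table 100 and mark 0x10 are placeholders for this example, not values from the post.

```python
"""Plan (and optionally apply) Linux policy routing so that UDP toward a given
destination leaves via one NIC while the default route stays on the other.
Added example, not from the thread; all names and numbers below are assumed."""
from __future__ import annotations

import subprocess
import sys

# Assumed layout (not from the post): eth0 carries the default route to the
# internet and receives the SRT input, eth1 is where the transcoded UDP goes.
INTERNET_IF = "eth0"
UDP_IF = "eth1"
UDP_IF_ADDR = "192.0.2.10"       # address configured on eth1 (placeholder)
UDP_IF_GW = "192.0.2.1"          # next hop on the eth1 segment (placeholder)
UDP_DST_NET = "198.51.100.0/24"  # where the UDP receivers live (placeholder)
UDP_PORT = 9000                  # destination port of the transcoded stream (assumed)
TABLE = 100                      # dedicated routing table
MARK = 0x10                      # fwmark that selects that table


def plan(udp_dst: str = UDP_DST_NET, udp_port: int = UDP_PORT,
         table: int = TABLE, mark: int = MARK) -> list[list[str]]:
    """Return the commands, in order, as argv lists so they can be reviewed first."""
    return [
        # 1. A second routing table whose only default route leaves via the UDP NIC.
        ["ip", "route", "replace", "default", "via", UDP_IF_GW, "dev", UDP_IF,
         "table", str(table)],
        # 2. Mark locally generated UDP for the stream destination in mangle/OUTPUT;
        #    the kernel re-runs the routing decision after OUTPUT, so the mark
        #    takes effect for the transcoder's own packets.
        ["iptables", "-t", "mangle", "-A", "OUTPUT", "-p", "udp", "-d", udp_dst,
         "--dport", str(udp_port), "-j", "MARK", "--set-mark", hex(mark)],
        # 3. Marked packets consult the dedicated table; everything else (web
        #    traffic, the inbound SRT session) keeps using main -> eth0.
        ["ip", "rule", "add", "fwmark", hex(mark), "table", str(table),
         "priority", "1000"],
        # 4. Rewrite the source address to eth1's own, otherwise the packets leave
        #    eth1 stamped with eth0's address and the far side (or rp_filter on
        #    the way back) will reject them.
        ["iptables", "-t", "nat", "-A", "POSTROUTING", "-o", UDP_IF, "-m", "mark",
         "--mark", hex(mark), "-j", "SNAT", "--to-source", UDP_IF_ADDR],
    ]


def apply(commands: list[list[str]], dry_run: bool = True) -> int:
    """Print every command; execute only when dry_run is False (requires root)."""
    for argv in commands:
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)
    return len(commands)


if __name__ == "__main__":
    apply(plan(), dry_run="--apply" not in sys.argv)
```

If the transcoder can bind its sending socket to eth1's address, steps 2 and 4 are unnecessary: a single `ip rule add from 192.0.2.10 table 100` together with the table-100 default route does the same job with no iptables involved. Either way, check `net.ipv4.conf.eth1.rp_filter` (strict mode 1 drops replies that arrive on the "wrong" interface; 2 is loose) and make the rules persistent, for example through netplan's routing-policy section, because everything the script adds is gone after a reboot.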
Enterprise password managers? Posted: 30 Nov 2021 04:17 AM PST Hello everyone. I have been tasked with investigating a potential enterprise password manager for the network team of around 30 people. Since this is a large organization, things are pretty much siloed here, which means no virtual appliances and no cloud stuff. Current setup: we use KeePass with YubiKey as 2FA to access our shared database. The database used to be on a dedicated Windows file server behind an internal VPN firewall that only the network team would access. It has been migrated to the public cloud now, hence this thread. Ideally what I would want is: - Dedicated hardware appliances; no Windows or Linux applications, but I guess if there are no appliances, that can be considered. - YubiKey support or other hardware token 2FA support. - Ability to sync the database between Active/Standby appliances - Backup From what I have seen there are only cloud services or virtual appliances. Does anyone know if there are dedicated appliances for this?
Ideas for cheap console server? Posted: 29 Nov 2021 10:17 PM PST Need at least 8 ports. 19" wide 12U rack. As light as possible, trying to keep it relatively portable. Some I've thought of: Avocent Cyclades. Can be tough to find under $50 with rack ears. Anything I haven't thought of? Maybe something else that can be repurposed?
Confusing between TCP/IP 4 Layers and 5 Layers? Posted: 30 Nov 2021 03:45 AM PST I'm confused between those TCP/IP models: as we know, the 4-layer one is (Application - Transport - Internet - Link) and the updated TCP/IP model has 5 layers (Application - Transport - Internet - Data Link - Physical). My questions are: Does the Link layer in the original TCP/IP model combine the Data Link and Physical layers of the updated model? (Or is there no physical layer in the original one?) What is the data type of each layer (packets - segments - frames ...) for both? What is the difference between Link in the original model and Data Link & Physical in the updated model? Is the Link layer of the original model responsible for MAC, Ethernet, cable and NIC? What exactly is the difference between the two?
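The quickest way to see what each layer's unit is (frame at Link, packet at Internet, segment at Transport, data at Application) and where the 4-layer model's Link layer sits is to build one Ethernet/IPv4/TCP frame and peel it apart. The code below is an added example, not from the post: the frame is constructed in the script, not captured, the MAC addresses are made up and the IP addresses come from the RFC 5737 documentation ranges. The Physical layer is the one thing it cannot show, because by the time bytes sit in a buffer the signalling on the wire is already done; that is exactly what the 4-layer model folds into "Link" together with the Ethernet framing and MAC addressing that the script does decode.

```python
"""Encapsulate and then decapsulate one Ethernet II / IPv4 / TCP frame,
naming the unit at each layer. Added example, not from the post; the frame is
constructed here, not captured."""
from __future__ import annotations

import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071); 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(payload: bytes) -> bytes:
    """Application data -> TCP segment -> IPv4 packet -> Ethernet frame.
    Addresses are placeholders (made-up MACs, RFC 5737 IPs)."""
    # TCP header: sport 51000, dport 443, seq 1, ack 0, data offset 5 words, SYN,
    # window 65535, checksum left 0 for brevity (TCP checksum needs a pseudo-header).
    tcp = struct.pack("!HHIIBBHHH", 51000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip_no_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                             64, IPPROTO_TCP, 0,
                             bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    csum = ipv4_checksum(ip_no_csum)
    ip = ip_no_csum[:10] + struct.pack("!H", csum) + ip_no_csum[12:]
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip + tcp + payload


def decapsulate(frame: bytes) -> dict:
    """Peel the frame layer by layer; raises ValueError on a malformed frame."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])   # Link: frame
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]                                                  # Internet: packet
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    segment = packet[ihl:total_len]                                      # Transport: segment
    sport, dport, seq, ack, offset_flags, flags, win, _, _ = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    data_offset = (offset_flags >> 4) * 4
    return {
        "frame_bytes": len(frame),
        "src_mac": src_mac.hex(":"),
        "dst_mac": dst_mac.hex(":"),
        "src_ip": ".".join(map(str, src)),
        "dst_ip": ".".join(map(str, dst)),
        "ttl": ttl,
        "protocol": proto,
        "src_port": sport,
        "dst_port": dport,
        "syn": bool(flags & 0x02),
        "data": segment[data_offset:],                                   # Application: data
    }


def is_well_formed(frame: bytes) -> bool:
    try:
        decapsulate(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for key, value in decapsulate(build_frame(b"GET / HTTP/1.1\r\n")).items():
        print(f"{key:>11}: {value!r}")
```

Flip one byte in the IPv4 header of the built frame and is_well_formed() returns False: the checksum that guards the packet lives in the Internet layer's header and knows nothing about the Ethernet frame around it, which is the practical meaning of the layers being separate.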
Sessions Persistent cookies on F5's Posted: 29 Nov 2021 06:56 PM PST Hi, I have a query regarding session persistence on F5's; forgive me if some of these queries are "soft", but I'm a novice with F5's still and still getting to grips with them. So an example I'll give is that we have 3 servers in one stack, all 3 are configured in a pool to a VIP, round robin balancing. I get a call off the head of infra/networks asking whether these 3 servers are being properly load balanced, so I go onto the VIP and see that the statistics for it are showing that it is load balancing perfectly across all 3 servers in the pool. He wanted to know if "sticky sessions" were enabled; after some digging I could see that there was no "Persistence Profile" attached, meaning no session load balancing, surely? I have read that by default the F5's perform load balancing based off TCP connections rather than HTTP, so after the initial TCP connection is established, they send that particular TCP flow to the same pool member permanently; could this mean that flows are still "session persistent" in some way? I have a few questions regarding the options and the way the F5's use their session persistence feature too, for the "Cookie" and "SSL" profiles in particular: Are the SSL session IDs readable without the use of an SSL proxy by the F5's? Is the SSL session ID not the same as a "Cookie"? Does the F5 insert its own cookie to load balance? All the different options on the SSL profile such as "Mirror Persistence", "Match Across Services", "Match Across Virtual Servers", "Match Across Pools" all refer to what in this context? All the different options on the Cookie profile such as "Cookie Method", "HTTPOnly Attribute", "Secure Attribute", "Always Send Cookie", "Cookie Encryption Use Policy" all refer to what in this context? Thanks again for the help everyone
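On the cookie questions in the post above: with a Cookie persistence profile in its default HTTP Cookie Insert method the BIG-IP does insert its own cookie, named BIGipServer followed by the pool name, and unless the profile's cookie encryption is in use the value is just the chosen pool member's IPv4 address and port in a reversible encoding (the address as a little-endian 32-bit integer written in decimal, the port byte-swapped, then a fixed ".0000"). That is what the HTTPOnly, Secure and Cookie Encryption options are protecting: anyone who can read the response headers can otherwise recover internal server addressing. The functions below are an added example, not F5 code and not the poster's configuration; the pool name web_pool and member 10.1.1.100:80 in the constructed Set-Cookie line are made up. (The SSL persistence profile, by contrast, keys on the TLS session ID, which is sent in the clear in the TLS 1.2 handshake, so it needs no decryption, but it is a different identifier from any cookie.)

```python
"""Encode and decode the unencrypted BIG-IP cookie-insert persistence value
(BIGipServer<pool>=<ip>.<port>.0000). Added example, not F5 code; the sample
Set-Cookie header is constructed for this example."""
from __future__ import annotations

import ipaddress
import re
import struct

COOKIE_VALUE_RE = re.compile(r"^(\d+)\.(\d+)\.0000$")
COOKIE_HEADER_RE = re.compile(r"(BIGipServer[^=;\s]+)=([^;\s]+)")

# Constructed sample header (made-up pool name and member), not from the post.
SAMPLE_SET_COOKIE = "Set-Cookie: BIGipServerweb_pool=1677787402.20480.0000; path=/"


def encode_member(ip: str, port: int) -> str:
    """IPv4 as a little-endian uint32 in decimal, port byte-swapped, plus '.0000'."""
    ip_le = struct.unpack("<I", ipaddress.IPv4Address(ip).packed)[0]
    port_swapped = struct.unpack("<H", struct.pack(">H", port))[0]
    return f"{ip_le}.{port_swapped}.0000"


def decode_member(value: str) -> tuple[str, int]:
    """Inverse of encode_member; ValueError for anything else (e.g. an encrypted value)."""
    m = COOKIE_VALUE_RE.match(value)
    if not m:
        raise ValueError("not an unencrypted BIG-IP insert cookie value")
    ip_le, port_swapped = int(m.group(1)), int(m.group(2))
    if ip_le > 0xFFFFFFFF or port_swapped > 0xFFFF:
        raise ValueError("field out of range")
    ip = str(ipaddress.IPv4Address(struct.pack("<I", ip_le)))
    port = struct.unpack(">H", struct.pack("<H", port_swapped))[0]
    return ip, port


def parse_set_cookie(header: str) -> dict[str, tuple[str, int]]:
    """Map every BIGipServer* cookie in a Set-Cookie line to (member IP, port);
    cookies whose value does not decode (encrypted) are skipped."""
    members: dict[str, tuple[str, int]] = {}
    for name, value in COOKIE_HEADER_RE.findall(header):
        try:
            members[name] = decode_member(value)
        except ValueError:
            continue
    return members


if __name__ == "__main__":
    print(parse_set_cookie(SAMPLE_SET_COOKIE))
```

Point parse_set_cookie() at the response headers of a VIP you own to confirm whether the inserted cookie exposes pool members; if it decodes, setting Cookie Encryption Use Policy to required (with the HTTPOnly and Secure attributes enabled) is the fix on the profile, and after that the value no longer matches this decoder. The remaining SSL-profile options in the post (Mirror Persistence, Match Across Services/Virtual Servers/Pools) govern where a persistence record is shared, not how it is encoded, so they are outside what this example shows.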
Cisco (mostly) blocking second gateway on network Posted: 29 Nov 2021 10:18 PM PST Hello. We have set up a site-to-site VPN using SoftEther VPN. Here we have 2 networks: Datacenter: 10.0.80.0/24 Customer: 192.168.1.0/24 The VPN gateway at the datacenter is at 10.0.80.254; the customer VPN gateway is at 192.168.1.254. Routers at both locations have a static route added: Datacenter: 192.168.1.0/24 -> 10.0.80.254 Customer: 10.0.80.0/24 -> 192.168.1.254 So here is the kicker. We can ping from customer to datacenter through the link, but we cannot ping from the datacenter to our customer. So ICMP can be initiated one way. But no TCP or UDP is allowed. In the logs from the Cisco ASDM we see: Denied ICMP type=0, from laddr 192.168.1.10 on interface inside to 10.0.80.6: no matching session I have tried to run: same-security-traffic permit intra-interface, but no change. AND, if we just add the routes manually on a computer at the customer's location, everything just works. And since ping works one way, there is just something in the firewall, or ACL, or wherever Cisco hides this stuff, and no error in the VPN gateway or routes. Thanks in advance to anyone who can help :)
Using Azure VPN gateway (point to site) Azure AD authentication connect with on-premise servers possible? Posted: 29 Nov 2021 08:55 PM PST Hi everyone, I am new to Azure networking. I have a question regarding Azure VPN (point to site). Is it possible for an Azure VPN (point to site) virtual network gateway to connect with a Cisco ASA on-premise server? For example: a user connects to the Azure VPN (assigned a private IP from the Azure gateway); from there, can the user access on-premise resources (behind an ASA 5506)? Thanks