    Saturday, December 4, 2021

    I’m supposed to come up with a DDOS preventive solution on our edge network. Need inputs Networking

    Posted: 04 Dec 2021 04:52 PM PST

    (Ours is a fairly large company, equivalent to a cloud provider, and we see DDOS attacks every day, and quite large ones as well.)

    Existing conditions:

    1. We have an in-house solution that scrubs traffic (using A10 devices) once it has identified it as a DDOS attack.

    2. We have edge ACLs and BGP filters which block the usual bad actors (RFC 1918 etc.).

    We still see a lot of spoofed attacks.

    My manager and his manager are half convinced that we need to implement uRPF (BCP38) on our edge routers and asked me to design/implement this solution. The goal is that we avoid spoofed attacks instead of trying to mitigate them.

    1. After an initial analysis, I found that this solution (strict uRPF) would prevent spoofed traffic, but it would most definitely drop legitimate traffic from customers as well, since a lot of our peers and exchanges are sending traffic from prefixes they've not announced on that edge router directly. (They might have announced it in some other region or site to us.) Is this normal? In an ideal world this shouldn't be the case, but the internet is not ideal.

    Loose uRPF won't work because we have almost the entire IPv4 internet's prefixes in our RIB.

    2. I mentioned to my manager that this solution wouldn't work, and he says I need to come up with a solution, doesn't matter what tech. So I'm not sure how to proceed at this point.

    Some other things:

    We pretty much have the entire internet (IPv4 prefixes) in our edge routers' RIB.

    We use Juniper PTX.

    I'm sure I didn't include all the info you need to give me an input, since there is so much info, so please do ask what's needed and I'll reply in the comments or update the post.

    submitted by /u/Greenwindranger
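    To make the strict-versus-loose argument in the post concrete, here is an added Python model of the two uRPF checks against a small RIB (example code, not from the post or from Junos). The prefixes are documentation ranges and the interface names peerA, ixp and core are constructed; the four sample packets reproduce the cases the post describes: a prefix announced here, a prefix announced only at another site, a source spoofed from another peer's space, and a bogon with no route at all.

```python
from ipaddress import ip_address, ip_network

# Constructed RIB for one edge router: prefix -> interface of the active route.
# "core" is the iBGP path towards another site; "peerA" and "ixp" face the edge.
RIB = {
    "198.51.100.0/24": "peerA",  # peer A announces this prefix on this router
    "203.0.113.0/24": "core",    # peer A announced this one only at another site
    "192.0.2.0/24": "ixp",       # another network, learned across the exchange
}

def longest_match(src):
    """Most specific RIB entry covering src, as (network, interface), or None."""
    addr = ip_address(src)
    best = None
    for prefix, ifname in RIB.items():
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best

def urpf_strict(src, ingress):
    """Strict mode: the active route for src must point back out the ingress interface."""
    route = longest_match(src)
    return route is not None and route[1] == ingress

def urpf_loose(src, ingress):
    """Loose mode: any route for src is enough; the ingress interface is ignored."""
    return longest_match(src) is not None

# Constructed packets, all arriving on the peerA interface.
PACKETS = [
    ("198.51.100.7", "peerA"),  # legitimate: prefix announced here
    ("203.0.113.9", "peerA"),   # legitimate, but prefix announced at another site
    ("192.0.2.5", "peerA"),     # spoofed: source belongs to a prefix behind ixp
    ("10.1.2.3", "peerA"),      # spoofed RFC 1918 source: no route at all
]

def evaluate(packets=PACKETS):
    """Return {src: (strict_passes, loose_passes)} for each packet."""
    return {src: (urpf_strict(src, ifn), urpf_loose(src, ifn)) for src, ifn in packets}

if __name__ == "__main__":
    for src, (strict, loose) in evaluate().items():
        print(f"{src:15} strict={'pass' if strict else 'DROP'} loose={'pass' if loose else 'DROP'}")
```

    The second packet is the asymmetric case the post worries about (strict drops it even though it is legitimate), and the third shows why loose mode buys nothing once the RIB covers nearly all of IPv4: only the fourth, routeless bogon is caught by loose mode, and that one the edge ACL already blocks.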

    ICX 6610-48P does not route between VLANs

    Posted: 04 Dec 2021 12:17 PM PST

    Hi all,

    EDIT1: Placing the 192.168.21.2 on a different VLAN than VLAN 1 allows me to ping between VLANs. I don't use VLAN 1, but would still like to know why that is even though the problem is effectively solved.

    EDIT2 (ISSUE SOLVED): u/417SKCFAN solved the issue in the comments. VLAN 1 acts differently than in Cisco land, and I would have to set my native VLAN in order to use it. Thank you all for the help!

    I am transitioning over from Cisco to Brocade, and I am having some confusion. I added my VLANs, added router interfaces to each of them, and added my ports. I am able to ping connected devices from my switch, but am unable to ping the devices from devices in other VLANs, and it doesn't seem to be routing the traffic between them.

    Say I have a device in VLAN 1 (192.168.21.2); I can't ping the device in VLAN 2 (200.1.1.2) from that first device, while the switch is able to ping both. I also can't ping any of my router interfaces from 192.168.21.2. How do I get the switch to route between my VLANs? Do I have to enable routing? (I read that all you need is the correct firmware.) My show ip interface shows that all router interfaces are part of default-vrf. Do I have to create a VRF?

    Thanks for the help!

    show flash:

    SSH@ICX6610-48P Router#sh flash
    Stack unit 1:
      Compressed Pri Code size = 10545591, Version:08.0.30uT7f3 (FCXR08030u.bin)
      Compressed Sec Code size = 7762230, Version:08.0.30nT7f1 (FCXS08030n.bin)
      Compressed Boot-Monitor Image size = 370695, Version:10.1.00T7f5
      Code Flash Free Space = 46399488

    show ip route:

    SSH@ICX6610-48P Router#sh ip route
    Total number of IP routes: 9
    Type Codes - B:BGP D:Connected O:OSPF R:RIP S:Static; Cost - Dist/Metric
    BGP Codes - i:iBGP e:eBGP
    OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2
            Destination        Gateway    Port     Cost   Type  Uptime
    1       10.0.5.0/24        DIRECT     ve 5     0/0    D     58m7s
    2       10.0.6.0/24        DIRECT     ve 6     0/0    D     58m7s
    3       10.0.8.0/24        DIRECT     ve 8     0/0    D     58m7s
    4       10.0.100.0/24      DIRECT     ve 100   0/0    D     58m7s
    5       10.0.102.0/24      DIRECT     ve 102   0/0    D     52m31s
    6       10.0.103.0/24      DIRECT     ve 103   0/0    D     58m7s
    7       10.0.200.0/24      DIRECT     ve 200   0/0    D     58m7s
    8       192.168.21.0/24    DIRECT     ve 1     0/0    D     58m7s
    9       200.1.1.0/24       DIRECT     ve 2     0/0    D     58m7s

    show ip interface:

    SSH@ICX6610-48P Router#sh ip int
    Interface   IP-Address     OK?  Method  Status  Protocol  VRF
    Ve 1        192.168.21.1   YES  NVRAM   up      up        default-vrf
    Ve 2        200.1.1.1      YES  NVRAM   up      up        default-vrf
    Ve 5        10.0.5.1       YES  NVRAM   up      up        default-vrf
    Ve 6        10.0.6.1       YES  NVRAM   up      up        default-vrf
    Ve 8        10.0.8.1       YES  NVRAM   up      up        default-vrf
    Ve 100      10.0.100.1     YES  NVRAM   up      up        default-vrf
    Ve 102      10.0.102.1     YES  manual  up      up        default-vrf
    Ve 103      10.0.103.1     YES  NVRAM   up      up        default-vrf
    Ve 200      10.0.200.1     YES  NVRAM   up      up        default-vrf

    show run:

    SSH@ICX6610-48P Router#sh run
    Current configuration:
    !
    ver 08.0.30uT7f3
    !
    stack unit 1
      module 1 icx6610-48p-poe-port-management-module
      module 2 icx6610-qsfp-10-port-160g-module
      module 3 icx6610-8-port-10g-dual-mode-module
    stack disable
    !
    !
    !
    !
    vlan 1 name DEFAULT-VLAN by port
     router-interface ve 1
    !
    vlan 2 name SwitchRoutedTraffic by port
     tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
     router-interface ve 2
    !
    vlan 3 name down-stream1 by port
     tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
    !
    vlan 4 name down-stream2 by port
     tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
    !
    vlan 5 name med-trusted-users by port
     tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
     router-interface ve 5
    !
    vlan 6 name low-trust-users by port
     tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
     router-interface ve 6
    !
    vlan 7 name iot-users by port
     tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
    !
    vlan 8 name guest-users by port
     tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
     router-interface ve 8
    !
    vlan 10 name static-external by port
     tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
    !
    vlan 11 name web-proxy by port
     tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
    !
    vlan 12 name external-dc-joined by port
     tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
    !
    vlan 20 name internal-services by port
     tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
    !
    vlan 21 name vdi by port
     tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
    !
    vlan 22 name uag by port
     tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
    !
    vlan 23 name automation by port
     tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
    !
    vlan 60 name 5GDev by port
     tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
    !
    vlan 70 name med-trust-lab by port
     tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
    !
    vlan 71 name lab2 by port
     tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
    !
    vlan 80 name low-trust-lab by port
     tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
    !
    vlan 90 name k8s-cluster by port
     tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
    !
    vlan 100 name management by port
     tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
     router-interface ve 100
    !
    vlan 101 name management-vpn by port
     tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
    !
    vlan 102 name dedicated-management by port
     tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47
     untagged ethe 1/1/9 ethe 1/1/21 ethe 1/1/48
     router-interface ve 102
    !
    vlan 103 name power-control by port
     tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
     router-interface ve 103
    !
    vlan 104 name wifi-control by port
     tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
    !
    vlan 105 by port
     tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
    !
    vlan 200 name data-fabric by port
     tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
     router-interface ve 200
    !
    vlan 201 name user-vpn by port
     tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
    !
    vlan 248 name vuln-scanner by port
     tagged ethe 1/1/5 to 1/1/8 ethe 1/1/17 to 1/1/20 ethe 1/1/40 to 1/1/43 ethe 1/1/47 ethe 1/3/1 to 1/3/2
    !
    !
    !
    !
    !
    aaa authentication web-server default local
    aaa authentication login default local
    console timeout 30
    enable super-user-password .....
    enable aaa console
    enable user password-masking
    no fast port-span
    ip dhcp-client disable
    !
    no telnet server
    username AridDay-local password .....
    password-change any
    cdp run
    fdp run
    !
    !
    web-management https
    web-management frame bottom
    web-management page-menu
    !
    !
    !
    !
    !
    !
    !
    interface ethernet 1/3/1
     speed-duplex 10G-full
    !
    interface ethernet 1/3/2
     speed-duplex 10G-full
    !
    interface ethernet 1/3/3
     speed-duplex 10G-full
    !
    interface ethernet 1/3/4
     speed-duplex 10G-full
    !
    interface ethernet 1/3/5
     speed-duplex 10G-full
    !
    interface ethernet 1/3/6
     speed-duplex 10G-full
    !
    interface ethernet 1/3/7
     speed-duplex 10G-full
    !
    interface ethernet 1/3/8
     speed-duplex 10G-full
    !
    interface ve 1
     ip address 192.168.21.1 255.255.255.0
    !
    interface ve 2
     ip address 200.1.1.1 255.255.255.0
    !
    interface ve 5
     ip address 10.0.5.1 255.255.255.0
    !
    interface ve 6
     ip address 10.0.6.1 255.255.255.0
    !
    interface ve 8
     ip address 10.0.8.1 255.255.255.0
    !
    interface ve 100
     ip address 10.0.100.1 255.255.255.0
    !
    interface ve 102
     ip address 10.0.102.1 255.255.255.0
    !
    interface ve 103
     ip address 10.0.103.1 255.255.255.0
    !
    interface ve 200
     ip address 10.0.200.1 255.255.255.0
    !
    !
    !
    !
    !
    lldp run
    !
    !
    ip ssh timeout 30
    ip ssh idle-time 20
    !
    !
    end
    submitted by /u/AridDay
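    A flattened "sh run" like the one above is hard to audit by eye, so here is an added Python parser for the FastIron "vlan N [name X] by port" stanzas (example code, not from the post or from Brocade/Ruckus). It expands the "ethe A to B" port ranges, records tagged and untagged membership and the router-interface ve, and lists VLANs that carry a ve but list no member ports of their own, which in the config above is exactly VLAN 1. The SAMPLE string is an excerpt of the post's config with only four stanzas kept.

```python
# Excerpt of the flattened "sh run" output from the post above (VLANs 1, 2, 3 and
# 102 only, to keep it short); the stanza format is Brocade/Ruckus FastIron.
SAMPLE = (
    "! vlan 1 name DEFAULT-VLAN by port router-interface ve 1 "
    "! vlan 2 name SwitchRoutedTraffic by port tagged ethe 1/1/5 to 1/1/8 "
    "ethe 1/1/47 ethe 1/3/1 to 1/3/2 router-interface ve 2 "
    "! vlan 3 name down-stream1 by port tagged ethe 1/1/5 to 1/1/8 "
    "! vlan 102 name dedicated-management by port tagged ethe 1/1/5 to 1/1/8 "
    "untagged ethe 1/1/9 ethe 1/1/21 ethe 1/1/48 router-interface ve 102 "
    "! aaa authentication login default local "
)

def expand(start, end=None):
    """Expand 'ethe 1/1/5 to 1/1/8' into the individual unit/slot/port names."""
    unit, slot, first = map(int, start.split("/"))
    last = int(end.split("/")[2]) if end else first
    return [f"{unit}/{slot}/{p}" for p in range(first, last + 1)]

def parse_vlans(config):
    """Parse 'vlan N [name X] by port ...' stanzas out of a flattened running config."""
    vlans = {}
    for stanza in config.split("!"):
        tok = stanza.split()
        if not tok or tok[0] != "vlan":
            continue
        entry = {"name": tok[3] if tok[2] == "name" else None,
                 "tagged": [], "untagged": [], "ve": None}
        mode, i = None, tok.index("port") + 1        # skip the stanza header
        while i < len(tok):
            if tok[i] in ("tagged", "untagged"):
                mode = tok[i]                          # ports that follow get this membership
            elif tok[i] == "router-interface":         # "router-interface ve N"
                entry["ve"] = int(tok[i + 2])
                i += 2
            elif tok[i] == "ethe":                     # "ethe A" or "ethe A to B"
                ranged = i + 3 < len(tok) and tok[i + 2] == "to"
                entry[mode].extend(expand(tok[i + 1], tok[i + 3] if ranged else None))
                i += 3 if ranged else 1
            i += 1
        vlans[int(tok[1])] = entry
    return vlans

def routed_without_ports(vlans):
    """VLAN ids that have a ve (router interface) but list no member ports of their own."""
    return sorted(v for v, e in vlans.items()
                  if e["ve"] is not None and not e["tagged"] and not e["untagged"])

if __name__ == "__main__":
    for vid, e in parse_vlans(SAMPLE).items():
        print(vid, e["name"], "ve", e["ve"], "tagged", e["tagged"], "untagged", e["untagged"])
    print("routed VLANs with no listed ports:", routed_without_ports(parse_vlans(SAMPLE)))
```

    Membership in the default VLAN is implicit in this output rather than listed, so the flag is a pointer to where to look, not a fault on its own.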

    finding a device's ip

    Posted: 04 Dec 2021 08:49 AM PST

    Hello! I was wondering if anyone knew of a way to find a device's IP address by directly connecting to its Ethernet port. I have a Mac directly connected to an NVR I'd like to get the IP address from, to do some configuration on it. I was going to try Wireshark, but I believe it requires me to know the subnet that it is on (I don't have that information).

    submitted by /u/MikoNara

    Which of these four books is recommended for gaining a deeper insight into the TCP/IP suite?

    Posted: 04 Dec 2021 06:29 PM PST

    I would like to gain a deeper insight into the TCP/IP suite.

    I've seen four books recommended. I don't wish to read them all, as they will most likely have overlapping knowledge.

    The books are:

    1. Routing TCP/IP, Volume 1
    2. TCP/IP Illustrated, Volume 1: The Protocols
    3. Internetworking with TCP/IP, Volume 1
    4. The TCP/IP Guide (Licensed PDF Version)

    Which of these four should I get?

    Thank you.

    submitted by /u/_OSCP

    Issues with ASA passing VPN traffic to next hop

    Posted: 03 Dec 2021 03:45 PM PST

    I have an ASA with a VPN tunnel on it. That tunnel has a network object-group in its encryption domain with 14 addresses in it.

    Of these 14 destinations, 12 pass traffic on to the directly connected next-hop firewall, and 2 do not reach the next hop. I verified routing for each address and they are all the same, and no ACL is blocking the traffic.

    I tried deleting and re-adding the two addresses to the object-group.

    Any ideas?

    I am able to bring up the tunnel using packet tracer to initiate traffic on those IPs, so the IPs aren't missing from the other side.

    submitted by /u/IhateTomScott