[DNS] Can you use multiple DNS hosting services for the same apex domain? | Networking
- [DNS] Can you use multiple DNS hosting services for the same apex domain?
- Deploy New Switch With No Downtime
- Passpoint (Hotspot 2.0) and Cellular Activation
- RADIUS/TACACS/DHCP loadbalancing
- Possible to do the avoid sending request to specific server given the URL?
- Network Tester that shows LLDP
- Router NAT IP changing
- TCP health monitoring tool recommendations
- Office internet Jittery with Packet Loss
- What do you use/require to electronically generate labels for Keystone Faceplate ID Windows, Patch Panels, Devices, Cabinets, and Cables?
- Why are ICMP Redirect messages typically blocked? Also, why do so many block ICMP messages when ICMP is required for routing, route calculation, and error reporting?
- Dockerhost, web server and Reverse Proxy VLAN placement?
- Career advice / increasing skills advice
- Long Linux interface names
- What can and can't the ISP do?
- Port Protection alternative?
- [Cisco] Cisco 2921 BGP task/BGP router CPU spike every day at specific time.
- ISP Default Route for PE Sites
- IPsec+IKEv2 Rekey Intervals: Why so short?
- CWDP-304
- Nokia Radius User Privileges
- I don't understand the point of 7th bit flip in EUI-64 and how it helps
- Microsoft Network Load Balancing
- Vendor choices for hardware
[DNS] Can you use multiple DNS hosting services for the same apex domain?
Posted: 10 Feb 2022 03:08 AM PST
Hi folks, My client (an SMB) is running a few websites that are proxied via Cloudflare to their site (e.g. www.example.com, mail.example.com, login.example.com). Now they want to purchase an on-prem GSLB service (considering F5 or Citrix), and also want to use a secondary DNS hosting service for other services and resource records (and the same mentioned websites) that are in the same domain (e.g. mail.example.com, m.example.com, gifts.example.com). Is it possible to configure the apex domain on multiple hosting services and have NS configured on their original registrar portal, or do they have to break it down to multiple subdomains and configure NS for them on Cloudflare? There are already NS records on the original registrar portal, pointing to Cloudflare in order for it to resolve properly.
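The practical risk with splitting an apex across two providers is drift: resolvers use any nameserver in the delegation, so the apex NS RRset published by each provider has to match what the registrar delegates to, and every record has to exist identically at both. The audit below is an added example, not code from the post or from either provider; the parent NS set and the per-provider answers are constructed inline so it runs offline (in practice you would fill them from `dig +norecurse @<server>` against each provider and against the parent zone), and all hostnames and addresses are placeholders.

```python
"""Consistency audit for an apex domain served by more than one DNS provider.

Added example, not part of the original post. All input is constructed:
the parent NS set and the per-provider answers are hard-coded so the
script runs offline. Fill the dicts from dig/dnspython output in practice.
"""

# Constructed: what the registrar's parent zone delegates example.com to.
PARENT_NS = {
    "ns1.cloudflare.test", "ns2.cloudflare.test",
    "ns1.provider2.test", "ns2.provider2.test",
}

# Constructed answers. Provider 2 publishes an apex NS RRset that omits the
# Cloudflare servers, has no record for login.example.com and carries a
# stale MX, the sort of drift that produces resolver-dependent answers.
PROVIDER_ANSWERS = {
    "cloudflare": {
        ("example.com", "NS"): {"ns1.cloudflare.test", "ns2.cloudflare.test",
                                "ns1.provider2.test", "ns2.provider2.test"},
        ("www.example.com", "A"): {"203.0.113.10"},
        ("login.example.com", "A"): {"203.0.113.11"},
        ("example.com", "MX"): {"10 mail.example.com"},
    },
    "provider2": {
        ("example.com", "NS"): {"ns1.provider2.test", "ns2.provider2.test"},
        ("www.example.com", "A"): {"203.0.113.10"},
        ("example.com", "MX"): {"10 oldmail.example.com"},
    },
}


def check_delegation(apex, parent_ns, provider_answers):
    """Every provider must publish the apex NS RRset the parent delegates to.

    A child NS set that omits a provider makes resolvers that cached the
    child RRset (authoritative, so it beats the parent's copy) stop using
    that provider; an NS the parent lists but nobody serves is a lame
    delegation.
    """
    findings = []
    for provider, answers in provider_answers.items():
        child_ns = answers.get((apex, "NS"), set())
        if child_ns != parent_ns:
            findings.append(
                f"{provider}: apex NS set differs from parent delegation "
                f"(missing {sorted(parent_ns - child_ns)}, "
                f"extra {sorted(child_ns - parent_ns)})"
            )
    return findings


def check_records(apex, provider_answers):
    """Every (owner, type) must have the same RRset at every provider.

    The apex NS RRset is skipped here because check_delegation reports it.
    """
    findings = []
    keys = set()
    for answers in provider_answers.values():
        keys |= set(answers)
    keys.discard((apex, "NS"))
    for owner, rtype in sorted(keys):
        per_provider = {p: a.get((owner, rtype)) for p, a in provider_answers.items()}
        distinct = {frozenset(v) if v is not None else None for v in per_provider.values()}
        if len(distinct) > 1:
            detail = ", ".join(
                f"{p}={sorted(v) if v else 'absent'}" for p, v in per_provider.items()
            )
            findings.append(f"{owner} {rtype}: {detail}")
    return findings


def audit(apex, parent_ns, provider_answers):
    """Return all findings; an empty list means the providers agree."""
    return (check_delegation(apex, parent_ns, provider_answers)
            + check_records(apex, provider_answers))


if __name__ == "__main__":
    for line in audit("example.com", PARENT_NS, PROVIDER_ANSWERS):
        print(line)
```

Two caveats the script cannot see: provider-specific records (Cloudflare's proxied records, apex ALIAS/CNAME-flattening) have no standard representation and will not replicate through AXFR, so they must be re-created by hand at the second provider; and if the zone is DNSSEC-signed, two independent signers need a multi-signer arrangement (RFC 8901) or one provider acting as secondary, not two independently signed copies.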
Deploy New Switch With No Downtime
Posted: 09 Feb 2022 10:52 AM PST
You all were so helpful with my last post, I thought I'd follow up with another I've been mulling over. We are in the process of refreshing our old EOL switches with the newer 9200 models. I try to talk to department heads and get them to give me their slowest hour window to swap hardware out, but they either don't reply, don't pick up the phone, say they're going to get back to me, or otherwise put it off. I get it, because from their perspective things are working fine and an outage would be annoying for seemingly no reason. I suggested just doing this after hours but leadership doesn't want us to get comp time unless absolutely necessary, so I've just been kicking the can down the road while working on other stuff, but I can't keep doing that forever. Changing the switch would be pretty fast but still take around 10-20 minutes to rack it and unplug/plug all the ethernet cords to their respective ports, assuming I don't run into any issues. This 10-20 minutes also requires me to get that approval and downtime schedule, leading to a ton of headaches. One idea I have is to create a trunk port on each switch and have the old switch feed the new one while I move everything over, and once everything is moved quickly swap the uplink. That would go from "you're all dead in the water for an hour" to "that's weird, my phone rebooted". Thoughts? How would you do this?
Passpoint (Hotspot 2.0) and Cellular Activation
Posted: 09 Feb 2022 03:25 PM PST
My question is: If I have an unactivated cellular device connected to a WiFi network that has Passpoint and is supported by the carrier, will I be able to activate cellular coverage on my phone without actually having cellular coverage? Background: I have a unique problem in that I have to activate a large number of phones, but I have no cellular coverage. The way that I understand Passpoint, it also sends the device IMSI to the device carrier, whereas normal WiFi does not. Because of this, would the installation of Passpoint APs allow me to activate these phones? Bonus points for references. I couldn't find information anywhere about this. Thanks for your help! Edit: Sorry, forgot to clarify this. I need a CMP certificate in order to install it and have it active on my LAN, which my company won't allow. Or spend 3k to have them install a DAS. Passpoint is said to be coming by the end of the year, but no one has a real timeline. Bureaucracy at its finest.
RADIUS/TACACS/DHCP loadbalancing
Posted: 09 Feb 2022 03:08 AM PST
Looking to potentially load balance AAA-related traffic for a fairly high-scale deployment (100k+ clients). Planning to use Cisco ISE, but the principles should be the same regardless of NAC solution. The general recommendation from Cisco (BRKSEC-3699 et al) is that the PSN nodes are to be placed logically "behind" the load balancer, such that all traffic, load-balanced or not, is sent through the load balancer. Only traffic matching configured rules is to be load balanced, while the rest of the traffic flows straight through (in essence the load balancer functions as the router for the PSNs). Certain types of traffic are to be load balanced and/or SNAT-ed;
A simplified diagram can be seen here: https://i.imgur.com/osiH22C.jpg This would for the most part be a "set up and forget" scenario (i.e. not a lot of changes, so only maintaining software/updates). Traffic volume (in terms of Mbps) would be low, but req/s would be fairly high. Plan is to use a dedicated load balancer for this. I think I have the design more or less in place, but I'm looking for recommendations regarding what load balancer to choose. Do any of you have any recommendations in terms of vendor/product/solution for a load balancer? I know "most" out there can do some of these things, but I suspect some of them come up short for the more advanced features (like ignoring DHCP Inform, and load balancing DHCP Request to the same PSN as the RADIUS based on MAC address, etc). Stability? Upgrade processes? Available documentation? Other aspects? Further details for those interested;
RADIUS
Stickiness is required, such that the same client and session is always load balanced to the same Cisco PSN node. To ensure this, one or more of the following RADIUS attributes needs to be part of the stickiness:
As far as I know, the general best practice is to use the following;
RADIUS CoA
TACACS
No stickiness is required, but generally recommended. Easiest to do based on source IP (NAS device IP).
DHCP
Network equipment will have the load balancer VIP as one of their DHCP servers/relays. All DHCP packets will therefore be duplicated/sent to the load balancer. Load balancer should drop DHCP Inform. Only forward DHCP Requests. DHCP requests should be load balanced to the same Cisco ISE PSN node as the RADIUS request. Will have to use the client MAC address to achieve this (it is present in both RADIUS attributes and the DHCP request packet). The DHCP request will always come after the RADIUS request.
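The load-balancer behaviour the post asks for, as an added example (not code from the post, from Cisco or from any load-balancer vendor): a RADIUS request and the later DHCP packets from the same client must hash to the same PSN, and DHCP Inform is dropped. The PSN names, the MAC and the DHCP packets are constructed here; using Calling-Station-Id as the RADIUS stickiness key is my assumption (the post's attribute list did not survive), chosen because it carries the same MAC as the DHCP chaddr field.

```python
"""Sticky PSN selection for RADIUS and DHCP keyed on the client MAC.

Added example, not from the original post or any vendor. PSN names, the
client MAC and the DHCP packets are constructed; Calling-Station-Id as the
RADIUS stickiness attribute is an assumption.
"""
import bisect
import hashlib
import re
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCP_DISCOVER, DHCP_REQUEST, DHCP_INFORM = 1, 3, 8
OPT_PAD, OPT_MESSAGE_TYPE, OPT_END = 0, 53, 255


def normalize_mac(text):
    """Accept 00-0C-BE-EF-CA-FE, 00:0c:be:ef:ca:fe, 000c.beef.cafe or 000cbeefcafe.

    NAS vendors format Calling-Station-Id differently; the LB must canonicalise
    before hashing or the same client lands on different PSNs per NAS type.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", text).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return digits


class HashRing:
    """Consistent hashing: adding or removing a PSN only remaps the clients
    that hashed to it, instead of reshuffling every session."""

    def __init__(self, nodes, replicas=64):
        self._ring = sorted(
            (self._hash(f"{node}#{i}"), node) for node in nodes for i in range(replicas)
        )
        self._keys = [h for h, _ in self._ring]

    @staticmethod
    def _hash(value):
        # sha1 instead of hash(): Python salts hash() per process, and every
        # LB instance must compute the same mapping.
        return int.from_bytes(hashlib.sha1(value.encode()).digest()[:8], "big")

    def node_for(self, key):
        idx = bisect.bisect(self._keys, self._hash(key)) % len(self._ring)
        return self._ring[idx][1]


def route_radius(attributes, ring):
    """attributes: RADIUS attribute name -> value as decoded by the LB."""
    return ring.node_for(normalize_mac(attributes["Calling-Station-Id"]))


def build_dhcp(mac_hex, message_type, xid=0x12345678):
    """Minimal BOOTP/DHCP packet: 236-byte fixed header, cookie, option 53, end."""
    chaddr = bytes.fromhex(mac_hex).ljust(16, b"\x00")
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, xid, 0, 0,
                         b"", b"", b"", b"", chaddr, b"", b"")
    return header + DHCP_MAGIC_COOKIE + bytes([OPT_MESSAGE_TYPE, 1, message_type, OPT_END])


def parse_dhcp(packet):
    """Return (client MAC as hex, DHCP message type); raise on malformed input."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    hlen = packet[2]
    if hlen > 16:
        raise ValueError("bad hlen")
    mac_hex = packet[28:28 + hlen].hex()
    message_type = None
    i = 240
    while i < len(packet):
        tag = packet[i]
        if tag == OPT_PAD:
            i += 1
            continue
        if tag == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        if tag == OPT_MESSAGE_TYPE and length == 1:
            message_type = value[0]
        i += 2 + length
    if message_type is None:
        raise ValueError("no DHCP message type option")
    return mac_hex, message_type


def route_dhcp(packet, ring):
    """Return the PSN for this packet, or None when the LB should drop it."""
    mac_hex, message_type = parse_dhcp(packet)
    if message_type == DHCP_INFORM:
        return None  # the post's rule: Inform is dropped, everything else forwarded
    return ring.node_for(mac_hex)
```

Because both paths hash the canonical 12-hex-digit MAC, the DHCP packet reaches the PSN that already holds the client's RADIUS session without any shared state between the two listeners, which is what makes the design survive LB failover.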
Possible to do the avoid sending request to specific server given the URL?
Posted: 09 Feb 2022 03:24 PM PST
Heya, I am working with a rather niche experiment for my school. I have a three-tier architecture utilizing HAProxy as my LB, Apache as my computational tier (7 VMs, all on the same backend), and MySQL as my DB. What I am trying to do is essentially avoid using a particular server (not the backend) given a request's URL. I suppose it is something like anti-URL-mapping. I have an Access Control List for each server containing all of their respective "blacklisted" URLs. So, in theory, the logic line would look something like: At first, each blacklist will be empty. Over time, I plan to propagate and diminish each blacklist using HAProxy's socket API. Is what I'm trying to achieve possible without digging deep into source code? Thanks :)
Network Tester that shows LLDP
Posted: 09 Feb 2022 10:46 PM PST
I just got done with a long day and was thinking while lying in bed how much easier it would be to trace unlabeled patches on the go if there was a network cable tester that provided LLDP neighbor information on a small LED screen. "Connected to: SW01 1/1/48." Does a product like this exist? Or maybe software that runs LLDP from a network card/adapter on a laptop?
Router NAT IP changing
Posted: 09 Feb 2022 06:16 PM PST
Experiencing a new issue at a remote site where their WAN IP address is being NAT'd as a different IP. We are using a Fortinet router with Comcast ISP. Our WAN port is set to static and assigned one of our 5 blocks. The issue is every few days the site is showing it's NATing as a secondary WAN IP assigned to the Comcast modem. We can resolve this by rebooting the modem and then the router, in that order. After that the traffic routes with the correct statically assigned WAN IP. Comcast points the finger at us. Our config hasn't changed, nor do I believe the Fortinet router has this ability. Anyone experience similar issues at their sites?
TCP health monitoring tool recommendations
Posted: 09 Feb 2022 09:53 PM PST
Does anyone have any recommendations on a tool that can monitor both link health and TCP connection health? Somewhat specifically, I'm looking for stats on packet reordering. This is to assist investigation of a very strange issue I'm stuck on at the moment;
UDP throughput end to end is fine, so the bandwidth is there. My best guess is that packet reordering and/or some minor packet loss is being massively amplified by the latency and killing TCP, but it's clearly isolated to that Site1>DC1 leg, and doesn't affect Site1>DC1 traffic because that latency is so low. iperf does spit out some out-of-order packet info in the UDP test (only if the Site1>DC1 leg is in the path), so it seems like a smoking gun to me, but I'm trying to find a way to collect this information and present it to the link provider as evidence. I've gathered quite a bit of Wireshark output and am looking at all of the graphs, but it doesn't clearly illustrate the issue to me. Many thanks!
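One way to turn a capture into the evidence the post is after, as an added example (not code from the post or from any tool it names): feed the sequence numbers in arrival order, taken from iperf3's UDP output or from `tshark -r capture.pcap -T fields -e tcp.seq` filtered to one stream, and get loss, duplicate and reordering counts plus the extent of each reordered packet. The trace below is constructed so that two packets arrive late and one never arrives; the metric definitions follow my reading of RFC 4737.

```python
"""Packet reordering and loss statistics from a sequence-number trace.

Added example, not from the original post. Input is the list of sequence
numbers in arrival order; SAMPLE_TRACE is constructed for illustration.
"""


def reordering_report(arrivals):
    """Loss and reordering metrics in the spirit of RFC 4737.

    A packet is reordered when its sequence number is lower than the next
    expected one at the time it arrives. Its extent is the arrival distance
    back to the earliest-received packet with a higher sequence number,
    i.e. how far the receiver had already run ahead of it. Duplicates are
    counted separately: a retransmission looks like reordering otherwise.
    """
    if not arrivals:
        raise ValueError("empty trace")
    seen = set()
    reordered = []          # (arrival index, seq, extent)
    duplicates = 0
    next_expected = arrivals[0]
    for idx, seq in enumerate(arrivals):
        if seq in seen:
            duplicates += 1
            continue
        seen.add(seq)
        if seq >= next_expected:
            next_expected = seq + 1
            continue
        # seq < next_expected and not a duplicate, so some earlier arrival
        # had a strictly higher sequence number; find the earliest one.
        earliest = next(i for i in range(idx) if arrivals[i] > seq)
        reordered.append((idx, seq, idx - earliest))
    received = len(arrivals)
    expected = max(arrivals) - min(arrivals) + 1
    extents = [e for _, _, e in reordered]
    return {
        "received": received,
        "lost": expected - len(seen),
        "duplicates": duplicates,
        "reordered": len(reordered),
        "reordering_ratio": len(reordered) / received,
        "max_extent": max(extents, default=0),
        "reordered_packets": reordered,
    }


# Constructed trace: 4 and 8 arrive late, 12 never arrives.
SAMPLE_TRACE = [1, 2, 3, 5, 4, 6, 7, 9, 10, 8, 11, 13]

if __name__ == "__main__":
    for key, value in reordering_report(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

The reordering ratio and the extent distribution are what a carrier can act on: a ratio of a few percent with extents of one or two already triggers duplicate ACKs and spurious fast retransmits on a long-RTT path, which matches the symptom of fine UDP throughput and collapsing TCP.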
Office internet Jittery with Packet Loss
Posted: 09 Feb 2022 05:43 PM PST
Currently moved to a temp office. All equipment is the same as the old one, except for the APs and the internet itself. This temp office now has 4 high-powered Ubiquiti access points vs 2 (4-5 year old) Aruba access points. We also went from fiber to cable, but now we have 1 Gbps of internet vs 100 Mbps at the old office. Users at the office (around 15-25 at a time) are complaining that Zoom calls and internet are slow and laggy. Steps taken to solve issue:
Dropped packets happen on both wifi and wired and from different computers. During the multi-ping test, I see dropped packets whenever I access any website or surf the web. I am not sure what could be causing the issue and I am not sure where to go from here. Any help or insight would be greatly appreciated
What do you use/require to electronically generate labels for Keystone Faceplate ID Windows, Patch Panels, Devices, Cabinets, and Cables?
Posted: 09 Feb 2022 09:15 PM PST
Not 100% sure if this is the best place for this, but I can't find the size spec, so I'm not even sure what to look for. Please God don't tell me you print out all your faceplate ID labels on a sheet and cut them to size. I usually hand-write my patch panel and faceplate labels in Ultra Fine Sharpie. I have a DYMO label maker at the office that I've labeled cables (rarely) and devices with, but it seems too wide for an ID window and you can't specify the length of the print. I have used that thing to label patch panels, but I've had to trim the length of the sticker down with scissors. I'm not trying to mess with that. I'm also not trying to be limited by 3 characters, etc. when creating patch panel labels. For cables I usually use Sharpies because most of the time it's only a temporary note for myself, but I've used quite a bit of Gardner Bender Wire Marker Books, but I've just learned Klein makes seemingly the same product, and 3M ScotchCode as well. Wondering if anyone has compared. The 3Ms look more expensive. I like using these books though; they seem to hold up well on the cable and are easily readable without turning the cable over, and I've used the page backs as a notebook on jobs, which also comes in really handy sometimes since I have those and Sharpies in the tool belt at all times. Of course, I wind up with a scribble pad with only symbols, very few numbers, and only rarer letters left. N, E, S, W, I, X, T, W, A, P will be gone first. But mainly I'm interested in patch and faceplate labeling. I do a lot of random jobs upgrading dusty old stores or in dirty shop environments, so the adhesive quality and durability is important. If I can easily print to specific size media (i.e., load different width rolls and choose custom fixed length), and not be limited in character count (within reason), I'd be willing to invest more. Is one of the DYMO Rhino models worth a shit?
Some of them look like those wireless barcode scanners, kinda makes me wish they'd have a pistol grip and trigger. I do kind of like that I see one of them (4200) says non-adhesive, which would make sense for the ID labels. A case is going to be a must. Do I want to invest in one of the Brother P-Touch models? I'm tempted just because of the name. They look vastly different, but a few of them just look like a DYMO Label Maker or Rhino clone, others look like a children's LeapFrog, a digital typewriter, a whiteboard eraser, and the others yet look like monoliths. Holy cow, these have come a long way; I just found a PT-6 & 8 on eBay looking like a Tamagotchi mated with an iPod 1. But I digress. Some other labelling device I'm missing out on?
Why are ICMP Redirect messages typically blocked? Also, why do so many block ICMP messages when ICMP is required for routing, route calculation, and error reporting?
Posted: 09 Feb 2022 09:05 PM PST
It was explained to me like this:
Is this because IP would do this regardless because it's stateless? And as my title states, my professor told me that many institutions straight up block all ICMP messages. But to my understanding, and from what I've read, ICMP is required for routing, route calculation, error reporting, and other essential operations. I understand people want to block network scanning as well as the "ping of death." But there are legitimate functions for ICMP
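The distinction the question is circling is between ICMP types that carry control information the stack needs (Destination Unreachable with code 4 is how Path MTU Discovery learns the next-hop MTU; Time Exceeded is what traceroute relies on) and types that let an on-link peer rewrite a host's routing. A Redirect (type 5) is unauthenticated, so any host on the segment can send one naming itself as the better next hop and then sit in the middle of the traffic; that is why it is dropped rather than "all of ICMP". The filter below is an added example, not from the post or any textbook; the allow/drop policy is my recommendation, the packets are constructed inline so it runs offline, and the IP header is assumed to have been stripped already.

```python
"""An ICMPv4 filter that drops Redirects but keeps the control types the
stack needs. Added example, not from the original post; the policy is my
recommendation and the packets are constructed for illustration.
"""
import struct

ECHO_REPLY, DEST_UNREACH, REDIRECT, ECHO_REQUEST = 0, 3, 5, 8
ROUTER_ADVERT, ROUTER_SOLICIT, TIME_EXCEEDED, PARAM_PROBLEM = 9, 10, 11, 12
TIMESTAMP, TIMESTAMP_REPLY = 13, 14
FRAG_NEEDED = 4  # DEST_UNREACH code: the Path MTU Discovery signal

ALLOWED = {
    ECHO_REQUEST, ECHO_REPLY,   # reachability tests; rate-limit these at the edge
    DEST_UNREACH,               # code 4 carries the next-hop MTU for PMTUD
    TIME_EXCEEDED,              # traceroute and TTL-expired diagnostics
    PARAM_PROBLEM,
}
DROP_REASON = {
    REDIRECT: "any on-link host can forge a Redirect to become the next hop",
    ROUTER_ADVERT: "unsolicited router announcement",
    ROUTER_SOLICIT: "not needed on statically routed hosts",
    TIMESTAMP: "leaks system time, used for fingerprinting",
    TIMESTAMP_REPLY: "leaks system time, used for fingerprinting",
}


def icmp_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, code, rest=b"\x00\x00\x00\x00", payload=b""):
    """Header with checksum filled in; `rest` is the type-specific 4 bytes."""
    header = struct.pack("!BBH", icmp_type, code, 0) + rest
    checksum = icmp_checksum(header + payload)
    return struct.pack("!BBH", icmp_type, code, checksum) + rest + payload


def filter_icmp(packet):
    """Return (verdict, reason) for a raw ICMP message, IP header already removed."""
    if len(packet) < 8:
        return "drop", "truncated ICMP header"
    if icmp_checksum(packet) != 0:          # sum over a valid packet folds to zero
        return "drop", "bad checksum"
    icmp_type, code = packet[0], packet[1]
    if icmp_type in DROP_REASON:
        return "drop", DROP_REASON[icmp_type]
    if icmp_type in ALLOWED:
        if icmp_type == DEST_UNREACH and code == FRAG_NEEDED:
            mtu = struct.unpack("!H", packet[6:8])[0]
            return "accept", f"fragmentation needed, next-hop MTU {mtu}"
        return "accept", f"type {icmp_type} code {code}"
    return "drop", f"type {icmp_type} not in allow list"


if __name__ == "__main__":
    samples = {
        "redirect to 192.0.2.66": build_icmp(REDIRECT, 1, rest=bytes([192, 0, 2, 66])),
        "frag needed, MTU 1400": build_icmp(DEST_UNREACH, FRAG_NEEDED,
                                            rest=b"\x00\x00" + struct.pack("!H", 1400)),
        "echo request": build_icmp(ECHO_REQUEST, 0, rest=b"\x00\x01\x00\x01", payload=b"ping"),
        "tampered echo": build_icmp(ECHO_REQUEST, 0)[:-1] + b"\x01",
    }
    for name, pkt in samples.items():
        print(f"{name:24s} -> {filter_icmp(pkt)}")
```

On the hosts themselves the same policy is two sysctls on Linux, `net.ipv4.conf.all.accept_redirects=0` and `net.ipv4.conf.all.send_redirects=0`; dropping the whole protocol at the perimeter instead is what produces the PMTUD black holes where small transfers work and large ones hang.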
Dockerhost, web server and Reverse Proxy VLAN placement?
Posted: 09 Feb 2022 02:43 PM PST
Greetings, I've worked mostly with backend servers to date and have had very little exposure to frontend, web-facing servers. I will be dealing with the following types of hosts:
- Docker Host
- Hosted Services: GitLab, Wiki, AI Image Processing
- Reverse Proxy
I'm planning on placing all of these services on a Front Server VLAN/Segment to separate them from backend services but have a couple of questions. - Should / Can I place the docker host's management interface on a separate network segment from the hosted services? - Should the reverse proxy which is directly exposed to the internet be given its own discrete docker host or VM?
Career advice / increasing skills advice
Posted: 09 Feb 2022 08:11 PM PST
Hey there, Somewhat newbie Network Guy (1-2 years experience) here looking for all the advice I can get. Got my Network+, CCNA, and currently work in a Network Support role. Was wondering if anyone experienced could tell me: Which three pieces of equipment should I buy that I can use to improve my understanding of networking and network skills? Which network skills should I work on? And are there any specific projects I could do that would be particularly helpful to me? Anything I should read or lab? Any courses I should take? Any particular certification I should take next? Looking for all the advice I can get. Thanks in advance, Warmly, Billy
Long Linux interface names
Posted: 09 Feb 2022 09:58 AM PST
Fellow networking fans, I am working with a number of Linux-based networking appliances; these devices have several non-standard interface types which default to an interface name in a very long format (xxx0x00x0x0) ... This in itself causes no issues, but we need to declare multiple VLANs across these interfaces, and the Linux standard of appending the VLAN ID to the interface name makes these even longer. Linux has a 15-byte limit on user-visible interface names, thus causing a limitation of 99 VLANs due to the interface name! I've come up with a few possible workarounds, but they are all a bit 'kludgy' ... I can create a pseudo or bridge interface, add the underlying interface to this, then perform all the VLAN filtering on this new interface ... will this potentially create additional processing overhead as traffic will need to be passed between the physical hardware and software interfaces? I can change the interface name to something shorter (eth0 again!) using the hardware/MAC address in the udev persistent rules, but this will require either a manual or scripted way of reading the MAC of each interface and assigning an appropriate name, and all the devices have multiple interfaces with different MACs. Finally I could use the ip altname option to declare an alias for the interface, but I'm unsure if this will allow me to declare a VLAN on the altname rather than the original interface? Has anyone experienced a similar issue? Are there any industry-recognised best practices for this?
What can and can't the ISP do?
Posted: 09 Feb 2022 07:22 PM PST
We get international packet loss from time to time. It usually ends up being a carrier somewhere in the middle. We ask the ISP to look at it, but it's usually out of their realm. What can and can't be done in this scenario? It could be congestion, it could be damage, it could be anything, but it has happened two days in a row so I'm curious. I usually do pings from my router to each hop until I find the hop with loss.
Port Protection alternative?
Posted: 09 Feb 2022 07:35 AM PST
I am looking to prevent devices on one VLAN communicating with other devices on the same VLAN. I looked at Port Protection; however, the way the network is set up will not enable that to work, as Port Protection is done per switch. Effectively we have 3 floors with each floor having 5 switches: switches 1-5, 5-10, 11-15. These switches are not stacked. The first switch on each floor links back to the core switch in our comms room. The 4th and 5th switch on each floor are home to a bunch of access ports for VLAN 20 plus other access ports for various other VLANs. Each switch connects back to the switch above it, ultimately back to the core switch. Is there any clever way I can prevent traffic between devices on VLAN 20, or is my only real option to create a separate VLAN for these devices on each switch with separate DHCP scopes and gateways and then add port protection that way? Switches in question are Netgear M4300 series
[Cisco] Cisco 2921 BGP task/BGP router CPU spike every day at specific time.
Posted: 09 Feb 2022 04:54 AM PST
Hello, For a few weeks we have had this strange behavior on one of our routers causing 100% CPU usage every day at the same time and causing ping loss. The process is "BGP Task" but I can't really find any information about this. Anybody who can point me in the right direction please?
ISP Default Route for PE Sites
Posted: 09 Feb 2022 05:35 AM PST
Hi Folks, Currently I work for an ISP where we have PE devices at smaller sites where we don't have the full BGP routing table (as the device can't handle it). However, we still want diverse routing and still want that device to transit all routes that are in the BGP table, e.g. 1.1.1.1. This is currently achieved by advertising a default route via the route reflector which sets itself as the next hop. This works as the RR doubles as a core, but this is not scalable or correct. So does anyone have any ideas in regards to the routing for PEs that need diverse paths, that can't handle the full table but need to be able to transit routes? For example I want traffic to go from: Customer >> PE >> MPLS NETWORK >> PE >> 1.1.1.1 The current issue is that without the full table on the ingress PE, we can't choose the optimal next-hop router.
IPsec+IKEv2 Rekey Intervals: Why so short?
Posted: 09 Feb 2022 12:00 PM PST
Generally in 'best practices' and most vendor defaults you will see P1 rekeys in the range of 8-48 hours and P2 rekeys in the range of 1-4 hours. But why is this the case? I know the canonical answer is 'because that way when one of the keys gets compromised you only leaked X hours of traffic', but with all of the modern cryptography suites in use today should that really be a concern? If an AES128+ key could be cracked in any reasonable timeframe the sheer hashing power available to do so would mean that we have significantly larger problems in the world of cryptography. It seems that introducing rekey functionality at all to IKEv2 is an unnecessary complication if you trust the devices doing the tunneling themselves. The only valid reason to have short timers as far as I can tell is so that you can 'throw away' the encryption key at the end of the P2 interval, reducing the impact of any one vendor having an exploit that allows for disclosure of the in-memory key. However even then I would argue that a rekey time on the order of hours is completely arbitrary, why not have it be seconds or weeks instead? Kicking around 128+ bit keys across the P1 for use with byte range n to n+(some acceptable data 'leak' size) seems more appropriate and computationally cheap. Am I missing anything else here regarding the rationale behind rekeys and the intervals chosen?
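One rationale the post does not consider is not cryptanalytic at all: an ESP SA carries a 32-bit sequence number used for anti-replay (64-bit only if Extended Sequence Numbers are negotiated), and RFC 4303 requires the sender to establish a new SA before that counter would cycle. At multi-gigabit packet rates the counter, not the key, is what runs out on a timescale of hours. The calculation below is an added example (not from the post; the link speeds and packet sizes are assumptions for illustration) that checks a proposed Child SA lifetime against the wrap time and, for comparison, against the 2^(n/2)-block birthday bound for AES in CBC, which supports the poster's intuition that the cipher itself is nowhere near a limit.

```python
"""Child SA lifetime versus the ESP sequence-number space.

Added example, not from the original post. Link speeds and packet sizes
are assumed values for illustration.
"""

ESP_SEQ_SPACE = 2 ** 32          # RFC 4303 sequence number without ESN
ESP_ESN_SEQ_SPACE = 2 ** 64      # with Extended Sequence Numbers negotiated
AES_BLOCK_BITS = 128
SAFETY_MARGIN = 0.8              # rekey well before the hard limit, since the
                                 # CREATE_CHILD_SA exchange itself takes time


def packets_per_second(bits_per_second, avg_packet_bytes):
    return bits_per_second / (avg_packet_bytes * 8)


def seconds_until_seq_wrap(pps, esn=False):
    """Time until one SA's anti-replay counter would cycle at this rate."""
    space = ESP_ESN_SEQ_SPACE if esn else ESP_SEQ_SPACE
    return space / pps


def cbc_birthday_bound_bytes(block_bits=AES_BLOCK_BITS):
    """Conventional 2^(n/2)-block limit per key for an n-bit block cipher in CBC."""
    return 2 ** (block_bits // 2) * (block_bits // 8)


def lifetime_check(lifetime_s, bits_per_second, avg_packet_bytes, esn=False):
    """Is a Child SA lifetime safe against sequence-number wrap on this link?"""
    pps = packets_per_second(bits_per_second, avg_packet_bytes)
    wrap = seconds_until_seq_wrap(pps, esn)
    bytes_per_lifetime = bits_per_second / 8 * lifetime_s
    return {
        "pps": pps,
        "seconds_until_wrap": wrap,
        "bytes_per_lifetime": bytes_per_lifetime,
        "cbc_birthday_bound_bytes": cbc_birthday_bound_bytes(),
        "lifetime_ok": lifetime_s <= SAFETY_MARGIN * wrap,
    }


if __name__ == "__main__":
    # Assumed scenarios: 1 Gbps, 10 Gbps and 100 Gbps of 1500-byte packets.
    for label, bps in (("1G", 1e9), ("10G", 10e9), ("100G", 100e9)):
        for esn in (False, True):
            r = lifetime_check(3600, bps, 1500, esn)
            print(f"{label} esn={esn}: wrap in {r['seconds_until_wrap']:.0f} s, "
                  f"1h lifetime ok={r['lifetime_ok']}, "
                  f"data/h={r['bytes_per_lifetime']:.2e} B "
                  f"(CBC bound {r['cbc_birthday_bound_bytes']:.2e} B)")
```

At 10 Gbps of 1500-byte packets the 32-bit counter cycles in about 86 minutes, which is why one-hour Child SA lifetimes were never arbitrary for the links they were chosen on; the data-volume figures, by contrast, sit many orders of magnitude below the CBC bound. The other reason hours rather than weeks persists is forward secrecy: a Child SA rekey with a fresh DH exchange means a key pulled from memory decrypts only that interval, and IKEv2 (RFC 7296) deliberately leaves the interval to local policy rather than negotiating it, so both peers' timers should be set from the same arithmetic.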
CWDP-304
Posted: 09 Feb 2022 02:00 PM PST
Hi All! I'm looking for some advice. I recently passed the CWNA and although it wasn't necessarily a "walk in the park" it was easier than I expected. (I passed w/ a 90%.) I want to continue on and do the CWDP. Can anyone provide a good study path for this exam? Should I buy the new Tom Carpenter book, the old Sybex book, something else? Is there a Udemy or Coursera class that might benefit me? I have been doing wireless work for a few years at this point and am very familiar with AirMagnet and Ekahau and am even ECSE-Design "certified." Thanks in advance!
Nokia Radius User Privileges
Posted: 09 Feb 2022 11:07 AM PST
So I'm currently trying to set up a Nokia 7250 IXR-e as a RADIUS client. It works; however, when logging in as a RADIUS user I'm unable to issue the command "config system security". Via RADIUS I issue the attribute "timetra-default-action = "permit-all"", so in principle all commands should work. Does anyone have a hint on how to configure the RADIUS client in such a way that there are no more restrictions? I believe it should have something to do with "use-default-template", but haven't gotten any further with my research
I don't understand the point of 7th bit flip in EUI-64 and how it helps
Posted: 08 Feb 2022 07:01 PM PST
I first read about this flipping thing 3 hours ago; since then I've been roaming around the internet to find an answer to the question of what the exact purpose of this flip is. I know how to transform addresses to EUI-64 format, but why do we actually need that 7th bit flip? According to RFC 4291 https://datatracker.ietf.org/doc/html/rfc4291#page-8 the reason is the following (you may need to read the full page to understand it):
I've read that it is a global standard that the 7th bit of every OUI of every MAC address (worldwide) is set to 0. So a MAC address of 00:0C:BE:EF:CA:FE means it is a universally administered address and not a locally administered address. So let's take a real example: Let's say I have the following prefix 2001:DB8:1:1::/64 with this MAC address 00:0C:BE:EF:CA:FE. If it has been transformed to EUI-64 it must be 2001:DB8:1:1:020C:BEFF:FEEF:CAFE. This address could be assigned to any interface on my subnet. Now I have a router with a serial link on it, and it doesn't have any MAC address. Therefore I have to use an LLA MAC address for that serial link. Help me here please: How exactly does that 7-bit flip thing now help me to hand-configure the non-global identifier for that link? I can't see the connection; how does it actually matter?
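The transform worked through in code, as an added example (not from the post or the RFC) using the post's own MAC and prefix. The point of inverting the universal/local bit is visible in the last two functions: a hand-configured identifier such as ::1 has that bit clear and therefore reads as "local" without the administrator having to set 0x02 by hand, while every MAC-derived identifier has it set. The reverse function is the security caveat: the MAC, and with it the OUI, is recoverable from any EUI-64 address, which is why hosts that roam should use RFC 7217 stable-privacy or RFC 8981 temporary addresses instead.

```python
"""Modified EUI-64 interface identifiers: the u/l bit flip and its effect.

Added example, not part of the original post; uses the post's own MAC and
prefix. Function and variable names are mine.
"""
import ipaddress

UL_BIT = 0x02  # universal/local bit of the first octet, inverted in IPv6


def mac_to_iid(mac):
    """48-bit MAC -> 64-bit interface identifier: insert FF:FE, flip the u/l bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= UL_BIT        # IEEE 0 = universal becomes IPv6 1 = universal
    return bytes(iid)


def iid_to_mac(iid):
    """Reverse the transform; None if the identifier was not MAC-derived."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= UL_BIT
    return ":".join(f"{b:02x}" for b in octets)


def is_universal(iid):
    """True when the identifier claims global uniqueness (u/l bit set)."""
    return bool(iid[0] & UL_BIT)


def manual_iid(value):
    """A hand-picked identifier such as 1 for ::1, as an 8-byte field."""
    return value.to_bytes(8, "big")


def slaac_address(prefix, iid):
    """Combine a /64 prefix with an 8-byte identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


if __name__ == "__main__":
    derived = mac_to_iid("00:0C:BE:EF:CA:FE")
    print(slaac_address("2001:DB8:1:1::/64", derived), "universal:", is_universal(derived))
    print("recovered MAC:", iid_to_mac(derived))
    hand = manual_iid(1)
    print(slaac_address("2001:DB8:1:1::/64", hand), "universal:", is_universal(hand))
```

So for the serial link the flip does no work at all; it is what lets the two namespaces coexist. Pick ::1 (or any identifier with the 0x02 bit clear) and it is marked local by construction, and it can never collide with an address derived from a universally administered MAC on the same link, because every one of those carries the bit set.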
Microsoft Network Load Balancing
Posted: 09 Feb 2022 11:03 AM PST
Good Afternoon, I was looking for a solution to not have downtime on my Windows web server and started looking at Microsoft NLB. I set up a test scenario but IIS did not work on the NLB address that I had assigned. IIS works fine on each of the VMs that are part of the NLB cluster, but no other machines on the same VLAN can reach the NLB address. I have set the address to multicast. I use 2 Dell 4128 switches connected to each of my 3 ESXi hosts. The distributed switch inside of VMware is set to "IGMP/MLD snooping" but nothing else on the switches has been configured. Interfaces on the switches are trunk ports to the hosts. All departments are segregated by VLANs. Please ask if you need further detail about the environment. Thanks for your time.
Vendor choices for hardware
Posted: 09 Feb 2022 06:54 AM PST
For those who decide on vendor hardware, do you prefer to choose all or the majority from 1-2 vendors, or do you choose different vendors? E.g. firewall - Palo Alto, switches - Aruba, access points - Unifi: 3 different vendors and support models and warranties. Or all Meraki, or Aruba switches and access points with another vendor for firewall/SD-WAN or something. Looking to hear opinions. My preference would be most or all from a single vendor for centralised management.
You are subscribed to email updates from Enterprise Networking Design, Support, and Discussion. To stop receiving these emails, you may unsubscribe now. | Email delivery powered by Google |