Rant Wednesday! Networking
- Rant Wednesday!
- Edge router with multi-WAN support
- Can I use MikroTik CRS305 as fiber converters using the SFP+ ports?
- NSX & Gateway firewall
- Dynamic routing based on congestion?
- Detecting that a TCP packet has TCP Options section (detecting SACK)
- Cisco Firepower: is URL-based firewall rule for UDP/443 possible?
- Anyone work with AVB on cisco switches?
- Routing internet traffic of single IP over IPsec VPN - Fortigate
- Outbound traffic control
Rant Wednesday!
Posted: 29 Mar 2022 05:00 PM PDT

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related. There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.
Edge router with multi-WAN support
Posted: 30 Mar 2022 12:30 AM PDT

Hi, I am new to networking and currently looking for an edge router device to connect my office network to two ISPs, ideally with load-balancing of traffic. However, whenever I look at any device I cannot tell if it can handle that. Is it common for managed enterprise routers to allow that (I mean setting multiple ports as WAN), or should I look for something where it is explicitly written that it supports this feature? For instance, I am looking at the UBIQUITI ER-12P and I cannot tell.
Can I use MikroTik CRS305 as fiber converters using the SFP+ ports?
Posted: 29 Mar 2022 12:59 PM PDT

We have 2 lines from the ISP coming to the demarc. The ISP requires us to use single-mode fiber to go from the demarc to the server room so they can install their equipment. The problem is we only have multi-mode fiber from the demarc to the server room. Can I use a MikroTik CRS305 and SFP+ fiber modules to convert the fiber between single-mode and multi-mode? For example, I use 1 MM 10G SFP+ to connect the ISP to the MikroTik, and our single-mode fiber will connect to that MikroTik with an SM 10G SFP+. Will that solution work?
NSX & Gateway firewall
Posted: 30 Mar 2022 12:03 AM PDT

Dears, we are planning to deploy a DC using NSX-T for E/W traffic plus a virtual Internet gateway firewall for N/S (NGFW: FortiGate or Palo Alto). I have some apps that will be published online through the perimeter internet firewall, so my question here is about internal apps that will be accessible from the campus network: which firewall is going to publish them, the NSX-T edges or, the same as before, the perimeter firewall?
Dynamic routing based on congestion?
Posted: 29 Mar 2022 04:17 PM PDT

Two points up front:

I am attempting to determine what dynamic routing protocols might be able to adjust routes based on congestion, packet loss, and other non-static factors. And I am coming up completely blank - nothing but theoretical research papers on how to select the best route, nothing about which protocols support anything in this area.

Right now, I'm running a nearly 20 year old design based on RIPv2, and a bunch of scripts off to the side that ping and probe, and then log into the routers via ssh and manually tweak the priorities assigned in route maps. It's not right, but after 20 years it's been tweaked and tuned into working pretty damn well - but the whole solution needs to be rebuilt because, well, every part of it is 20 years old.

The topology is basically a multi-site non-full-mesh with 50+ sites all over the globe (hence latencies and bandwidth vary greatly). VPN links between the sites provide private dynamic routing through the mesh, and the entire solution was built on RIPv2, and as such was designed to work well with RIPv2 subnet-wise (and it does). (We did try a pilot of OSPF about 10 years ago; it did not go well.)

I'm open to anything. Basically, I'm hoping someone can grab my nose and point me with a suggestion of "Well, Protocol XX:XX does what you want, and the feature is named YY". And I'll take it from there. I'm just failing comedically badly in my research. (Or are we still in a world where scripts off to the side are responsible for hand twerking existing dynamic routing protocols manually?)

Edit: Regarding the SD-WAN solutions, I'm looking, and for this environment "centrally managed" or "cloud managed" may be deal-breakers. Management would have to be entirely internal to the managed networks. (I think. It's another angle that hasn't been fully considered, although it could be on the table if it was truly the right solution.)
Detecting that a TCP packet has TCP Options section (detecting SACK)
Posted: 29 Mar 2022 09:41 PM PDT

Hi all, new joiner here just to pick your brains about this, I hope that's OK :) I'm not a network guy by any means, so please excuse me blithely using any technical terms incorrectly, though please feel free to correct me on that or any misunderstanding I have! As I say, this is way out of my field, but I'm being asked to code it, so here I am.

I'm writing a sniffer program that is taking raw IP data from a socket and digging out what I eventually turn into a TCP packet with the data I want in the payload. That bit is working well, but occasionally the TCP packet has a 12 byte 'TCP options' section included. I've learnt in the last day or two that this can happen when the two ends allow the SACK mechanism and some retransmission of lost data is needed. My problem is detecting when that section exists, i.e. at byte 21 onwards of the TCP packet: is that the data I'm looking for, or the start of a TCP options block, with my data starting 12 bytes after that?

I've looked everywhere. I assume somewhere in the preceding TCP header there is a flag saying 'by the way, there are 12 bytes of options at the end', as Wireshark spots it and obviously everything else does or I'd probably not be able to post this question :):) - but how do they tell whether it's there or not?? I've searched all over, waded through explanations of how SACK works, read PDFs of the specification of the options part and found the bit about where the two ends tell each other they support SACK, but nothing about how to find out whether a specific packet has that section.

Right now, hacky as it is, I'm detecting it by checking if the bytes 21 onward begin x01 x01 x05 x0A, which is doing the trick since I know that my data won't ever look like that, but it's hardly a great solution. Surely there must be a byte flag somewhere in the header that I can grab like I do with the PSH and ACK.

Any help much appreciated.
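The approach the question above is looking for, as an added example that is not the poster's code: there is no flag bit for options; the 4-bit Data Offset field in the TCP header gives the header length, and everything between byte 20 and that length is the options block. The parser below locates the options and payload from that field, decodes the NOP/SACK options (the 01 01 05 0a pattern the poster matches on), and rejects a segment whose Data Offset points past the end of the segment; the sample segments are constructed here, not captured traffic.

```python
import struct

TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_SACK = 0, 1, 5


def parse_tcp_options(opts: bytes) -> list:
    """Walk the TLV option list; SACK blocks are decoded to (left, right) edge pairs."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:            # single-byte option, no length field
            out.append((kind, b""))
            i += 1
            continue
        # every other option is TLV; the length byte counts kind and length too
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option length")
        length = opts[i + 1]
        data = opts[i + 2:i + length]
        if kind == TCP_OPT_SACK:
            data = [struct.unpack("!II", data[j:j + 8]) for j in range(0, len(data) - 7, 8)]
        out.append((kind, data))
        i += length
    return out


def parse_tcp_segment(seg: bytes) -> dict:
    """Split a raw TCP segment (IP header already stripped) into header, options, payload.
    No flag bit announces options: the 4-bit Data Offset (high nibble of byte 12) is the
    header length in 32-bit words, and bytes 20 .. hlen-1 are the options block."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", seg[:20])
    hlen = (off_flags >> 12) * 4
    if hlen < 20 or hlen > len(seg):       # reject a bogus offset before slicing on it
        raise ValueError(f"bad data offset: header length {hlen} in {len(seg)}-byte segment")
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack, "header_len": hlen,
            "psh": bool(off_flags & 0x008), "ack_flag": bool(off_flags & 0x010),
            "options": parse_tcp_options(seg[20:hlen]), "payload": seg[hlen:]}


def _sample(data_offset_words: int, options: bytes) -> bytes:
    # constructed sample segment: PSH+ACK (0x018), then options, then a 4-byte payload
    hdr = struct.pack("!HHIIHHHH", 443, 51000, 1000, 2000, (data_offset_words << 12) | 0x018, 65535, 0, 0)
    return hdr + options + b"DATA"


# 32-byte header: NOP, NOP, SACK(len 10) carrying one block, i.e. 01 01 05 0a + 8 bytes
SAMPLE_WITH_SACK = _sample(8, bytes([1, 1, 5, 10]) + struct.pack("!II", 3000, 4000))
# 20-byte header: no options, payload starts at byte 20
SAMPLE_NO_OPTS = _sample(5, b"")
```

The same Data Offset check is what Wireshark uses to know where the header ends, so matching on the option bytes themselves is unnecessary.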
Cisco Firepower: is URL-based firewall rule for UDP/443 possible?
Posted: 29 Mar 2022 03:23 PM PDT

We are trying to set up Citrix Gateway Service using their Rendezvous V1 protocol. This requires us to allow our Citrix VDIs access via UDP/443 to 30+ URLs, most of which are Azure hosted and have dynamic IP addressing. Due to the impractical nature of trying to allow all of this by IP, I built a rule in Firepower to allow this traffic based on protocol and a wildcard URL. Trouble is, UDP/443 (showing up as DTLS in the firewall logs) doesn't seem to include the URL in the headers like HTTPS does, resulting in a default deny as the traffic doesn't hit my rule. Has anyone run into this conundrum before? Is there any way to make a URL-based rule in Firepower for UDP traffic?
Anyone work with AVB on cisco switches?
Posted: 29 Mar 2022 03:08 PM PDT

Been trying to figure out an issue with only one of our 9300-48UXM switches. Our uplink Te1/1/1 port is showing as not asCapable. We have 4 of these switches in a hub/spoke config and only one switch is acting this way. All the same ports on the spokes go up to the data center. We swapped switches from one closet to the other and the issue stayed in the same closet. We are looking at the fiber and the modules but no luck yet. Just trying to see if anyone has come across this or has some ideas to look at. Thanks in advance!
Routing internet traffic of single IP over IPsec VPN - Fortigate
Posted: 29 Mar 2022 02:36 PM PDT

Hi all, I need some help with routing internet traffic on select IPs over two FortiGates connected via a dial-up site-to-site VPN.

I've recently set up a new site with a FortiGate firewall in a remote location outside of the UK. I'm trying to get some UK sites working over there on some devices, so I planned to run a s2s connection between the remote and the UK site and then route internet traffic on select IPs of the remote site to go out via the WAN connection of the UK site.

I managed to get the site-to-site working via the wizard by choosing dial-up, as the remote location is behind a NAT. The LAN subnet of the remote site (192.168.1.0) successfully talks to the VLAN subnet I created at the main site (10.20.49.0/24). On the remote firewall I then created a policy route for a single IP, 192.168.1.50, to route 0.0.0.0/0 traffic over the VPN interface with the gateway set to 10.20.49.1 (gateway IP of the firewall on that VLAN). On the main UK firewall I created an IPv4 policy to allow all traffic from the s2s VPN zone to the WAN interface. I was hoping this would work but it didn't. Can someone advise please? Help is really appreciated.
Outbound traffic control
Posted: 29 Mar 2022 12:44 PM PDT

The guy who is handling infrastructure wants to "control" outbound traffic from the back-end. The firewall at the top of the picture isn't managed by him. If he wants to block some port he has to raise a ticket, and the same goes for logs etc. The back-end contains mostly Windows servers. At the beginning he requested an HTTP proxy, which was easy to implement, but in a very short time it turned out he wanted to have control over all outbound traffic, at least of the SMTP or AMQP protocols. I tried to work this out with HAProxy, which can work as a TCP proxy in layer 4, but he didn't accept it. The next idea was to put pfSense in the same VLAN as the back-end and set it up as the default gateway for all virtual machines in the back-end. He didn't accept it either because he would have to change the default gateway on all production Windows servers and bla bla bla too risky. So I set up a SOCKS5 proxy, but it didn't work for him because some of the apps in the back-end don't have the possibility to use SOCKS5. My last idea is to replace the Cisco switches with some Juniper SRX device, so he would be able to log in to the device and do whatever he wants to do. Am I missing some other way to control outbound traffic?