Sign up and stay connected to your favorite communities.

sign uplog in
18
Stickied postModerator of r/networking

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

4
Stickied postModerator of r/networking

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our member's new and shiny blog posts

Feel free to submit your blog post and as well a nice description to this thread.

21

I consulting for a small company that also owns an ISP. The company portion itself has a working internal network, that is setup correctly and the ISP side contains a working management network, that we can access internally, but is NAT'd. I personally have not grown to like this setup, since it means that our management VLAN is routed on our core router, and technically possible to access from CPE's. The design I was thinking is to create much like our internal company network, a separate smaller network, that would route the management networks, not allowing them to be accessible from the customer premise. I have also looked at ACL's as an option if keeping the VLAN gateway on the core router is a better practice, but I just feel like that could be harder to troubleshoot in the future if things change or more networks are added, or exceptions are made. I have kind of laid out how things are set up currently: https://imgur.com/a/ybDuz8N and the proposed changes: https://imgur.com/a/Z9nE72r.

So my question is mainly, are ACL's a better option, or to isolate the management network off the core router (If NAT'd, the management devices could also access the internet through NAT, currently they cannot since the core router does not NAT) or is there another design that I am missing?

21
2

Hi.

I'm refreshing a small business network that is quite old currently it has.

  1. Dell Optiplex GX1 running OpenBSD 6.3 as the entire network's firewall

1.US Robotics 8 port gigabit switch unmanaged

  1. Netgear R6400 in access point mode that hooks into the switch in the OFFICE network.
  2. Custom built server for web and email in the DMZ network.

The physical/logical layout is as follows.

OFFICE-192.168.0.0/24 assigned to 1 physical interface on the OpenBSD firewall that hooks into the switch.

DMZ-192.168.200.0/24 assigned to 1 physical interface on the OpenBSD firewall and hooks into the server with a crossover cable.

WAN-X.X.X.X/X assigned to 1 physical interface on the OpenBSD firewall and hooks into a router/modem in bridge mode.

The router/modem combo was installed as per Charter Spectrum's business Internet package.

The speeds are 65mbit down and 5mbit up.

My goals for replacement equipment are

  1. no fans/moving parts
  2. supports IPV6
  3. low power
  4. high security
  5. very reliable

Ideally when the project is completed I want the network to look like this

OFFICE-vlan10-port1 192.168.0.0/24

DMZ-vlan20-port1 192.168.200.0/24

WAN-same as above.

Here are some options I have looked at.

Option #1

Cisco RV042G

Cisco SG200-08

Option #2

Dlink DSR-250

Dlink DGS-1100-08

Option #3

Netgate SG-1000

Dlink DGS-1100-08

Option #4

Netgate SG-3100

Dlink DGS-1100-08

Thanks in advance for everyone's expertise and assistance in this matter.

151
Posted by
Network Junkie
1 day ago

Since starting my new role over a year ago I need to get some certifications under my belt, but I'm just feeling meh about it all and lack the motivation to study.

I'm still learning new stuff and labbing up to enhance my knowledge, especially when it comes to working a new projects. But as soon as I hear the " you need to get your certs done" I just don't feel that drive to study like I used to.

Anyone else in a similar situation?

151
8

Hey guys,

I was under the impression that the ISR4331 from Cisco had 100Mbit throughput with a license unlocking 300Mbit.

I have been told that it's possible to increase this to 1Gbit, but not officially. Has anyone of you seen this?

4

I have setup working HTTPS access into our APIC's GUI with AAA authentication. This is working just fine but there is a drop down which "domain" that we want to use when logging in (at which point we have to expressly select our AAA domain i built). However when i try to directly SSH into the APIC's I am not able to using the same creds. I am not sure what else to check. Couple of things:

- Yes SSH is enabled for the APIC on Fabric policies>pod policies>policies>management addess

- Yes the clearpass server is the same for SSH/HTTPS, same service, same route, same path, no firewalls blocking 22, ect.

- APIC is 3.0(2k)

I am very much at a loss here what to check. To me it seems like the APIC isnt even trying to authenticate as its a deny almost instantly when attempting. I have no packet capture from apic to clearpass so i cant really confirm if its even attempting, from the clearpass side i dont even see the service being hit to attempt the connection which leads me to believe its on the APIC or the way im logging into the APIC that is the issue.

Anyone want to take a crack at this one. Thanks in advance r/networking

10

Just wanted to hear opinions on such solutions as PacketFence or OpenNAC or any other out there. Pros/cons, etc.

6

We have a yearly review to talk about what we've accomplished the past year as well as what our goals should be for the next year. My boss wanted me to pick a conference to go to. Any suggestions on good networking conferences in the US? If it helps I work in a large enterprise network (University).

2

I thought I understood the phases of an ipsec vpn tunnel, but today I got an e-mail from a vendor which threw me for a loop!

My understanding is that tunnels require the 2 phases - and that each phase was required. Phase 1 to authenticate the peers and establish a secure channel for the IKE exchanges. Phase 2 to negotiate IPsec SA's to setup the tunnel. Both are required to establish a tunnel. You can't build the tunnel without both. This was my understanding.

Today I get an e-mail when the vendor telling me they see 2 Phase 2's and no phase 1 - despite the tunnel being up and active. I don't even know what this means? I was going to respond with this being rubbish but a quick google search and I see some people talking about multiple phase 2's so maybe I'm just missing something.

Furthermore - is it possible for a connection over a tunnel to a specific port to traverse 1 phase while another port to traverse another phase in an instance where you have multiple phase 2's?

I thought I understood IPsec tunnels, but now I'm questioning myself. Any help and explanation would be much appreciated.

6

Hey guys,

We just set up a new server rack in our NCC and are now in the works to tidy up the cables. The problem is we are using two power strips on either side of the back of the rack for power. They take up all of the space on the sides. From the looks of it I won't be able to use the vertical cable management ducts or the horizontal ones.

Looking for suggestions from anyone else that has a similar setup. What was your solution for cable management?

Thanks in advance everyone!

3

Here is my ideal wire configuration

Bad idea in the real world. I know. But this is for my company's mock lab for new equipment we ship out the customers. Our mock team emulates what the client would see once we ship the servers and does some pre-updating and quality assurance. We have a 10.1.1.0 /24 standard for nearly all of our commercial deployments and our servers all have the same 10.1.1.1 through .150 addresses and .254 gateway. We also have some government clients that have other standards using public addressing.

We currently use about 10 ASA 5505s to segregate these 10.1.1.0/24 VLANs and other VLAN subnets, but I want us to move to a rack with if possible, one 5520, or one 5506-X. Our QA/installation team abuses these firewalls and they die randomly, or find their way in trashcans [not kidding]. Not to mention that we have to get in each firewall remotely to do configuration changes for site that have a different standard.

I'd like to centralize one rack, trunk three 3750 access switches to one distro switch, and trunk that to the firewall, which would be running sub-interfaces CAT5e would be conduit-ed from the access switches to each of the tables [each table representing a different client mockup station VLAN]. In the diagram there are only two stations per table but in reality there could be as many as 15-20 datapoints and servers per site. Of course the central problem would be overlap on these 10.1.1.0/24 networks that are being mocked simultaneously.

I've read multiple context firewalling could do this when applied to subinterfaces on an ASA -- multiple say, 10.1.1.254 255.255.255.0 IPs on multiple subinterfaces -- but I have not been able to test it out and the 5520 we have has just a base license offering 2 context instances. I'd like to have at least 4. I'm sure there is a new hardware solution but I'm just the network pipes guy and the higher ups won't want to give us any better equipment when we have literally hundreds of ASA 5505s lying around. I also have a few 5506-Xs but those don't offer Multiple Context firewalling.

Does anyone have any ideas? I am at wits end with these 5505s

8
Posted by
CCNP CCDP
1 day ago

We recently attempted an upgrade on a 4500 chassis from 12.xx to 15.2(4).

We have checked everything from scratch and the configuration is fine. We are 99% sure that we are dealing with a hardware issue, meaning that the GBIC where the optical fiber is connected (MPLS Uplink) is not recognized by the new IOS.

Before upgrade: CORE_SWITCH#sh int gi2/21 status

Port Name Status Vlan Duplex Speed Type

Gi2/21 mpls connected trunk full 1000 Unknown GBIC

After upgrade: CORE_SWITCH#sh int gi2/21 status

Port Name Status Vlan Duplex Speed Type

Gi2/21 mpls notconnect 1 full 1000 Unknown GBIC

We can see the same logs on the device before and after change: %C4K_TRANSCEIVERMAN-3-INCOMPATIBLE: Port Gi2/21: New transceiver (speed 10Gbps) is incompatible with this module But no communication is done when running the new IOS.

We have tried to force interface up but no communication. We have also tried to activate a non Cisco GBIC with: #service unsupported-transceiver and a reboot but still no traffic could be seen on the interface. We cannot see anything plugged to port 2/21 when issuing the command #show inventory

Because this port was unusable, the Switch could not communicate with the neighbors and no routes wore learned. No other alternative was found to move the MPLS uplink on a different port.

This is the GBIC plugged into port 2/21 is Intel branded

2

I am just getting started getting into network security (currently have CCNA and am a network engineer at an ISP) and I do run across customers that have Fortinets, cyberoams etc... that are able to detect and block VPNs.

Now as far as I know VPN traffic just looks like typical encrypted traffic and doing some wireshark captures they look nearly identical. So how to firewalls detect them? Are the IPs compared against a database of known VPN IPs? Does it look at a traffic pattern?

2

Does anyone have some guidance for setting up 2 additional AP for mesh? Having issues getting it figured out but we have an SR2208P switch, AP250, and I would like to set AP130 and possibly AP121 for mesh.

1

On our cisco router, we currently block all unused public IPs, and also block any IPs from the 3 private ranges, since there should never be traffic from a private IP coming in our outside facing interface.

My question is, from a hacking standpoint, is it at all possible to reach a router from outside the local LAN with a spoofed private IP? Like if we didn't have these blocked, could someone actually get in with a spoofed private IP? I cant see how this would work since private IPs are non-routable.

Edit: I am not asking what I need to do to make my router more secure. I am asking how a private IP could get into a router through its outside facing interface with a spoofed private ip if private IPs are non-routable.

1

So I manage some networks and today I have nothing to do, so I'm trying some stuff. Basically I have an area with several overlapping wifi networks that all connect to the internet independently. What I would like to do is have an additional wifi access point that connects to an internet connection no matter what. If it's preferred network cannot pull a ping, then it will try the next, etc.

I can't really find anything about this, or maybe I'm just not searching correctly... Is this possible? And by possible, I mean possible in a slow workday...

1

Noob here.

I am trying to set up Ubiquiti WAPs for a small business. I have installed them and configured everything through the Unifi controller, but I would like to set up separate VLANs so that I can create a Guest Network, tag the VLAN, and have everyone that connects to the guest network not be able to see the office LAN. The APs are connected to 2 different interfaces on the Mikrotik router - 1 is directly connected to ether10, and the others are connected dumb switches that connect to different interfaces on the router.

I know that this is a noob question, but how would I go about trunking all of the Mikrotik ports to accept the un-tagged traffic that it is taking now, as well as traffic for a guest network (say, VLAN 2)? Can I keep the main office traffic un-tagged and only tag the guest network traffic? Would I have to configure this on each Mikrotik port individually? How would I get this guest VLAN connected to the internet?

Thank you in advance.

1
1

I'm looking into fiber termination with quick connectors - and have no idea where to source the connectors and which brand to go with. I'm concerned about reliability, ease of use and price (I know, pick 2, right?).

Any suggestions (also, where to source them in the US?)

54

I have a PCAP file but I am trying the find a zscaler entry. Where do I go in wireshark to find this?

UPDATE SOLUTION SOLVED!

thank you /u/internetvictim for your assistance!

0

Hi, I am using a HP Procurve switch and I have 3 vlans. (Vlan 200, 300, 400). DHCP is being provided from a Windows Server with a DHCP scope for each VLAN. When I set the default gateway of my Windows server to my firewall/router DHCP requests are not passing to Vlans 200 and 400, only to 300 because my Windows server lives on that Vlan. But when I set the default gateway of my Windows server to my switch, it's able to pass the requests to all the vlans. Here is my config, what am I doing wrong? Any help is greatly appreciated. 

vlan 1
name "DEFAULT_VLAN"
no untagged A1-A24
untagged B1-B24,D1-D24
no ip address
exit
vlan 200
name "Voice"
untagged A13-A24
tagged A1
ip address 192.168.100.2 255.255.255.0
ip helper-address 192.168.23.10
exit
vlan 300
name "Data"
untagged A1-A12
ip address 192.168.23.2 255.255.255.0
exit
vlan 400
name "VLAN400"
tagged A1
ip address 192.168.200.2 255.255.255.0
ip helper-address 192.168.23.10
exit
spanning-tree
no spanning-tree bpdu-throttle
spanning-tree priority 0
no tftp server
no autorun
no dhcp config-file-update
no dhcp image-file-update
password manager

0
Posted by
Studying Cisco Cert
1 day ago

So, this is a weird one that I've never run into. I should preface that I'm not a Network Admin, I'm more of a System Admin. I've been with this company for a couple of years and this problem has been around since then but I've typically only ever seen it on Windows 7 but am now seeing it on my own machine which is running Windows 10. The network properties show, "No Internet access" but I'm able to access nearly everything just fine but there's the occasional app that will cause problems, something like OneNote or sometimes Outlook on random machines.

I've tried talking to my Network Admin but he just brushes it off as an anomaly and because most everything still works, he's basically chosen to ignore it. I'm of the opinion there's some underlying networking issue but I don't like to say anything without building significant evidence for a case.

Has anyone seen this problem and have any leads on what might be causing this? One thing that's lit a bit of a fire under the Network Admin's ass is the accounting manager complaining that OneNote isn't working and the no internet access message is a common denominator.

Ninja edit: These are all domain-joined machines. 99% Windows 7, a handful of Windows 10 machines. Mostly up to date, have our standard image applied to them. Issue crops up somewhat randomly.

Thanks in advance.

0

I've always found it useful to study by creating practical cases for me to understand. I have created a scenario that has recently peeked my interest.

Network Logic Brainstorming

I want to manage several customers.

I plan to create and IPv6 network to integrate their different IPv4/IPv6 subnetting.

The idea is, I would be able to centrally manage multiple customers' systems and networks. ie patch management, SIEM integration, etc.

Some issues I'm having includes a customer that has two geographic locations using the same IPv4 subnet. Is there a way for me to logically network these as two different geographic locations for the same one customer?

I have some years of experience in network and systems but formal network knowledge is limited to my CCNA. So, any ideas or resources that could point me to best practice for this would be incredibly useful!

0
Posted by
WatchGuard Certified Professional
1 day ago

Currently I work for a TAC and I'm a bit shy about asking a lot of what seem like stupid questions. I feel a little slow coming up to speed with the customers network/setup and feel dumb asking a lot of "could you repeat that" or "can you explain x again". When you're calling a TAC, how much patience do you have for the representative on the other end?

I feel like at the moment, being too shy to ask these "dumb" questions is only making it harder for me to help solve customer issues.

Thoughts?

0
Posted by
It's not the network!
1 day ago

We have been mostly Cisco and have recently introduced a lot more Juniper gear. I see lots of threads where people love Juniper which makes me think we are missing something. Everything we do for configs requires a ton more typing and commands in multiple sections than something on Cisco. Are we doing it wrong? Is there magic we have overlooked?

Community Details

121k

Subscribers

555

Online

###Enterprise Networking Routers, switches and firewalls. Network blogs, news and network management articles. Cisco, Juniper, Brocade and more all welcome.

Create Post

r/networking Rules

1.
Rule #1: No Home Networking.
2.
Rule #2: No Certification Brain Dumps / Cheating.
3.
Rule #3: No BlogSpam / Traffic re-direction.
4.
Rule #4: No Low Quality Posts.
5.
Rule #5: No Early Career Advice.
6.
Rule #6: Educational Questions must show effort.

Moderators

u/ugnaught
Network Stooge
u/BridgeBum
Former CCSI
u/dubcroster
Artisinal Labelswapper
u/HoorayInternetDrama
Meow 🐈🐈Meow 🐱🐱 Meow Meow🍺🐈🐱Meow A+!
u/the-packet-thrower
AMA TP-Link,DrayTek and SonicWall
u/VA_Network_Nerd
Moderator | Infrastructure Architect
Cookies help us deliver our Services. By using our Services or clicking I agree, you agree to our use of cookies. Learn More.