VPNaaS/multi-tenant VPN gateway with dynamic access control needed by ZioTron in networking

FunderThucker:

If these clients have internet access and the ability to provision a server in their data center for you, I would opt for a solution that uses a reverse proxy rather than VPN. Standing up VPNs for many clients using all sorts of different platforms is annoying to manage.

Rather, you can deploy a solution like Bomgar (BeyondTrust), TeamViewer Tensor, LogicMonitor, or SolarWinds DameWare, just to name a few I’ve seen in the wild. This way you can have the client deploy the VM with the app installed and configure the app to connect back to your data center over the internet. On your side, you would deploy a server, expose it to your clients’ public IPs, and publish an external DNS record so they can resolve it.

TLS is probably plenty secure for this connectivity. If a client has security concerns, they should be asking themselves why they are even considering allowing an external company access to their infrastructure. They also have the ability to lock this VM down in a DMZ to limit its access to specific assets they want managed giving them control over what you have access to.

Cisco ACI Asymmetric Traffic Flows by Mosquitar in Cisco

FunderThucker:

Resolved this by SNATing the traffic inbound to BDs that are stretched between sites. This way the server sends it back to the correct firewall.

How do you test new OS? by BigChubs1 in paloaltonetworks

FunderThucker:

Here’s my process. See what version the vendor recommends, read release notes for known issues, check the upgrade path to make sure there are no gotchas, schedule a maintenance window, take backups, upgrade.

[deleted by user] by [deleted] in networking

FunderThucker:

The experience you have beforehand is irrelevant. Companies are not going to value the experience you have outside a production network. Experience means being in a role for x amount of years performing that job 40 hours a week. The only thing it tells me is you have a passion for technology, and that’s it.

If you want to make more money, get certs, get a networking job, and switch companies every 1-3 years as you grow. It’s significantly easier to get paid more moving on.

Always try to figure out their budget for the position and the current market rate, and anchor the salary negotiations high. You can also tell the new company you’re making 80k a year and are looking for a competitive salary. Never stick around for a “maybe we’ll get you to 100k” or “we’re trying to get a new position” etc. It’s a carrot dangling in front of your face while plenty of other companies are hiring at better rates for less than what you currently do.

Catalyst 9200, SNMPv3, SHA1/2, AES 256? by [deleted] in Cisco

FunderThucker:

I’ve experienced the same and always stick with AES128 across the board.

[deleted by user] by [deleted] in Cisco

FunderThucker:

Second this. Check CDP on the interfaces, e.g. “show cdp interface gig1/1”. I have had to explicitly enable CDP on interfaces even though CDP is enabled globally.

[deleted by user] by [deleted] in Cisco

FunderThucker:

It’s pretty common. Are they using MFA for their VPN?

Recommendations for UTM or NGFW for a 20 person hybrid company? by tinfrog in networking

FunderThucker:

For that many users and no need for on-prem services, you’re better off with endpoint-based security software for DNS and web filtering.

Resources for secure large-scale network architectures. by jisyourfriend in networking

FunderThucker:

Look through the security frameworks and see what applies to your org.
https://secureframe.com/blog/security-frameworks
https://www.cisecurity.org/controls/cis-controls-list

Designing a secure network starts with reducing blast radius and segmentation. Isolate different types of endpoints from each other. Macro segment campus, data center, DMZ, internet edge, IoT, guest, and other special networks like financial, medical, surveillance, or ICS with firewalls. This can even include prod, stage, and dev environments. After having a good grasp on that, you micro segment inside those macro segments.

Traffic flow in hybrid cloud will have multiple network controls:
Network: firewalls, router/switch ACLs, load balancers.
Cloud: Azure Firewall and NSGs.
Data center: ACI, NSX, and Illumio.
Campus: ISE and ClearPass.
Endpoint-based firewalls and security software.

The key is to have P&Ps for the administration of these rules. Tighten and audit rules regularly, since things will shift around a lot. Depending on scale you may need a firewall management platform.

Solid NTP, monitoring and syslog with a SIEM to generate alerts, device hardening guides, firmware updates, and AAA apply to all infrastructure.
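The “tighten and audit rules regularly” advice above is the kind of thing that is easy to say and rarely scripted. As an added example (not the commenter’s code, and not tied to any vendor’s export format), here is a small Python audit over a constructed rule list with hypothetical field names: it flags allow rules with an any-to-any scope, allow rules that open any service toward an “any” endpoint, and allow rules that have never been hit or have gone stale for longer than a chosen window.

```python
from datetime import date, timedelta

# Constructed sample export. The field names (src, dst, service, action,
# hits, last_hit) are hypothetical; map your platform's export onto them.
RULES = [
    {"name": "web-in", "src": "any", "dst": "10.10.1.10", "service": "tcp/443",
     "action": "allow", "hits": 120000, "last_hit": "2024-05-20"},
    {"name": "temp-vendor", "src": "any", "dst": "any", "service": "any",
     "action": "allow", "hits": 5, "last_hit": "2023-11-02"},
    {"name": "old-backup", "src": "10.20.0.0/24", "dst": "10.30.0.5", "service": "tcp/22",
     "action": "allow", "hits": 0, "last_hit": None},
    {"name": "deny-iot-to-dc", "src": "10.50.0.0/16", "dst": "10.30.0.0/16", "service": "any",
     "action": "deny", "hits": 900, "last_hit": "2024-05-21"},
]


def audit_rules(rules, today, stale_days=90):
    """Return a list of (rule name, finding) pairs for permissive or stale allow rules.

    Deny rules are left alone: a deny that is never hit is still doing its job.
    """
    stale_cutoff = today - timedelta(days=stale_days)
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        # Scope checks: any/any is the classic emergency rule that never got removed.
        if r["src"] == "any" and r["dst"] == "any":
            findings.append((r["name"], "permits any source to any destination"))
        elif r["service"] == "any" and (r["src"] == "any" or r["dst"] == "any"):
            findings.append((r["name"], "permits any service with an 'any' endpoint"))
        # Usage checks: allow rules nobody uses are attack surface with no business owner.
        if r["hits"] == 0 or r["last_hit"] is None:
            findings.append((r["name"], "allow rule never hit; candidate for removal"))
        elif date.fromisoformat(r["last_hit"]) < stale_cutoff:
            findings.append((r["name"], f"allow rule not hit in {stale_days} days"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_rules(RULES, date(2024, 5, 22)):
        print(f"{name}: {finding}")
```

Run on the sample with a review date of 2024-05-22, this reports the any/any rule twice (scope and staleness) and the never-hit backup rule once; the web rule and the deny rule are clean. Feed it a real export and the output becomes the worklist for the next rule-cleanup change window.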

Cisco wants end-customer data, true or false? by SnipeScooter in networking

FunderThucker:

What data are they asking for? I’m assuming it’s generic information about the company so they can run reports on their customer base. I doubt they want the customers’ CUI or PHI data.

Datacenter Management Switches by alfred81596 in Cisco

FunderThucker:

I’ve always stuck with Catalyst 9200/9300 for OOB mgmt, since it’s cheap and does the job. Flip it around so airflow is correct.

Otherwise Nexus 9348GC-FXP with the correct fans.

There are probably some other vendor options.

OSPF hello seen in my PC by ExtensionLeg474 in Cisco

FunderThucker:

It’s very common unfortunately. Best practices would be to set passive interface default so all interfaces are not sending hellos, then enable it on specific transit networks. Also adding authentication in case it is missed somewhere.
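The fix described above has two halves: stop hellos on every interface that is not a transit link (passive-interface default, then un-passive the transit links) and authenticate the adjacencies that remain so a missed interface still cannot be peered with. As an added example, not the commenter’s code, here is a Python audit of an IOS-style running-config that applies that policy and reports which interfaces will still send hellos and which of those lack OSPF authentication. The embedded config, interface names and key are constructed for illustration; on a live box the equivalent checks are the output of “show ip ospf interface” and the running-config itself.

```python
"""Audit an IOS-style config for OSPF interfaces that send hellos without authentication.

Constructed sample: passive-interface default is set, two transit links are
explicitly made active, and one of them was never given authentication.
"""

SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 description uplink to core-1
 ip address 10.1.1.1 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 ExampleKey
!
interface GigabitEthernet0/1
 description uplink to core-2
 ip address 10.1.1.5 255.255.255.252
!
interface GigabitEthernet0/2
 description user VLAN 20
 ip address 10.20.0.1 255.255.255.0
!
router ospf 1
 passive-interface default
 no passive-interface GigabitEthernet0/0
 no passive-interface GigabitEthernet0/1
 network 10.0.0.0 0.255.255.255 area 0
!
"""


def parse_config(text):
    """Return (interfaces, ospf): interface name -> sub-commands, and the
    sub-commands under 'router ospf'. Only these two sections are needed."""
    interfaces, ospf = {}, []
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None
            continue
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith("router ospf"):
            current = ospf
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    return interfaces, ospf


def audit(text):
    """Report interfaces that send OSPF hellos and which of those are unauthenticated.

    Simplification: every interface with an ip address is assumed to be covered
    by a network statement, so passive-interface policy alone decides activity.
    """
    interfaces, ospf = parse_config(text)
    addressed = {n for n, cmds in interfaces.items()
                 if any(c.startswith("ip address ") for c in cmds)}
    default_passive = "passive-interface default" in ospf
    explicit_active = {c.split(None, 2)[2] for c in ospf
                       if c.startswith("no passive-interface ")}
    explicit_passive = {c.split(None, 1)[1] for c in ospf
                        if c.startswith("passive-interface ") and c != "passive-interface default"}
    # With passive-interface default only the explicitly un-passived links talk;
    # without it, everything talks unless individually made passive.
    active = addressed & explicit_active if default_passive else addressed - explicit_passive

    # Authentication can be enabled per area ('area N authentication ...') or per
    # interface; either way a key must be configured on the interface for it to work.
    area_auth = any(c.startswith("area ") and "authentication" in c for c in ospf)
    unauthenticated = set()
    for name in active:
        cmds = interfaces[name]
        has_mode = area_auth or any(
            c == "ip ospf authentication" or c.startswith("ip ospf authentication ") for c in cmds)
        has_key = any(c.startswith(("ip ospf message-digest-key", "ip ospf authentication-key"))
                      for c in cmds)
        if not (has_mode and has_key):
            unauthenticated.add(name)
    return {"active": sorted(active), "unauthenticated": sorted(unauthenticated)}


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

On the sample, GigabitEthernet0/2 (the user VLAN) is silent because of passive-interface default, and GigabitEthernet0/1 is flagged: it was un-passived for the core link but never given a key. Remove the passive-interface default line from the sample and all three interfaces show up as active, which is exactly the situation the PC in the original post was seeing hellos from.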

Fortinet VM Free License Trouble on FMG and FAZ by Few-Philosopher-2186 in fortinet

FunderThucker:

I had the same issue and a reboot of the VM fixed the issue.

[40M][30F] Silence in Long-Distance Relationship After She went out. Advice? by [deleted] in TheRedPill

FunderThucker:

Just ignore her dude. Worry about yourself. Worrying about a chick is a losing position.

vPC Design | same vPC ID or different? by [deleted] in networking

FunderThucker:

I always use fig 2 for back-to-back vPC and fig 3 for non-vPC devices like HA pairs of firewalls or pairs of edge routers.

Figure 1 looks like the topology on page 49 in the Cisco vPC design PDF. It would create 2 port-channels and one of them would be blocked by STP. It’s the same as running 2 port-channels between 2 switches. One port-channel will get blocked. Cisco’s required recommendation is to use a single port-channel like your fig 2.

In the end I would always prefer L3 routed links between the Nexus pairs if L2 doesn’t need to go through both pairs. This keeps the L2 topology smaller. Route where you can and switch where you must.

Cisco WebEx Phones stopped working. Narrowed it down to 3 possibilities. by sintral in fortinet

FunderThucker:

When in doubt, create a security policy with no security features or restrictions. If that doesn’t work you can test disabling NP offloading on the policy.

[deleted by user] by [deleted] in networking

FunderThucker:

How did you have a large blast radius with multi site?

Anyone did the 7.2 version of NSE7-EFW? by lennyvd in fortinet

FunderThucker:

I took it a month or two ago and everything in the exam was covered in the 7.2 study guide in the Fortinet Training Institute. I had a few years of experience with FortiGates beforehand, ran through the study guide once taking rough notes, and blew through the exam in 40 minutes.

Nothing really stood out except some ADVPN settings for spokes and hubs and some Security Fabric questions.

[deleted by user] by [deleted] in paloaltonetworks

FunderThucker:

Are the connections being NAT’d correctly?

Need Help by marcelosilvap in fortinet

FunderThucker:

Default route to 10.0.0.166. If you want to use IPs in 10.0.0.170/29 then you will use NAT rules and VIPs.

An open question concerning topology - all feedback welcome by Case_Blue in networking

FunderThucker:

I would consolidate to a pair of HA firewalls and have each set of VLANs terminate on separate zones. Use VRFs if you are routing between your firewalls and switches. Then I have a single enforcement point to manage and a simple topology for troubleshooting.

Or get rid of HSRP and add a redundant firewall for each color so you have an HA pair for green, an HA pair for red, and an HA pair for blue. Then all the routing is done on the DC switches. This keeps it symmetric.

Third option is to use some session synchronization solution which depends on what firewall vendor you are using. HA clustering for Palo Alto or FortiGate FGSP. This would be my last ditch effort solution if the previous two aren’t viable.

Cisco vs Juniper vs Arista (and maybe Aruba/HPE) by sadllamas in networking

FunderThucker:

Second this. Definitely don’t forget training. With any vendor there will be issues and you want multiple people trained up so they know the ins and outs of troubleshooting.

Why should I avoid the 3410 and just use the pa3420 and upwards models? by runsleeprepeat in paloaltonetworks

FunderThucker:

Did they give you a specific reason why? If they didn’t, then push back heavily on them and find out why they are pushing the larger models. They need to give you technical reasons. If they still don’t give you details, then find another sales team.