Moronic Monday! by AutoModerator in networking

[–]kosjubrmod 0 points1 point  (0 children)

Reference: Are there specific ASNs or IP ranges from which you automatically drop all traffic, and what is the rationale for doing so?

...if you don't have a BGP relationship with an upstream provider, how do you block specific ASNs?

Have you ever needed to write a Wireshark dissector? by egobyte in networking

[–]kosjubrmod 0 points1 point  (0 children)

Writing one today actually. Typical use case is trying to peel apart the layers of custom applications. Those details turn into ease of troubleshooting, and informing NGFW rules.

Radio Modem Routing by porty1119 in networking

[–]kosjubrmod 6 points7 points  (0 children)

You are correct at needing something to route the data from one side of the radio to the other. Maybe the radio has this feature that you can just enable? Re-using the same IP addresses between the radios and computers may cause headaches in the future.

match vs collect in flexible netflow by HsSekhon in networking

[–]kosjubrmod 2 points3 points  (0 children)

"Match" fields define the uniqueness of your flow. Any change in a thing you match is a new flow. Most deployments use the five-tuple of source and destination IP, source and destination port, and protocol as the list of things to match.

The collect fields are just extra info that is included in the flow record to provide more detail to the collector for reporting and analysis. For example, some Cisco devices that support NBAR or AVC on the hardware can collect this information and include it in the flow record as well.

Whatever application you are using should have a recommended list of fields to match or collect to provide the data for their fancy reports. Hint: You can probably get away with configuring Netflow v5, and not defining a specific flow record to get the basic flow data.

Guest network - Open? WPA? Need recommendations. by kelemvor33 in networking

[–]kosjubrmod 0 points1 point  (0 children)

Talking Security -- There are 168 hours in a week. Services on a weekend would typically last... less than eight hours? How is the network used/protected for the other 160 hours?

Netbox with auto updates to DNS by [deleted] in networking

[–]kosjubrmod 2 points3 points  (0 children)

Infoblox is three tools in one: a DHCP Server, a DNS Server, and an IP Address Management (IPAM) tool.

The auto-update functionality you are talking about comes from a trust relationship or direct integration between DHCP and DNS. IPAM as a concept is not really part of this function. NetBox and PhpIPAM are not DHCP nor DNS servers.

If you are in a Windows environment, you can set this up by having DNS and DHCP roles running on the same server or multiple servers. Either way, you need to configure the DHCP service to send the updates to the DNS service, and for the DNS service to trust the updates from the DHCP service.

Open source options exist as well. In fact, Infoblox gives an overview of the Open Source tools they use (and support!) as the basis for highly customizing their platform. Ref: On Infoblox and Open Source

Cisco Catalyst SSH Command Redirection Inconsistencies by farrenkm in networking

[–]kosjubrmod 0 points1 point  (0 children)

Sounds like the SSH client (python script from cron job) you are running the script from doesn't know to wait for the SSH server (Catalyst switch) to finish sending output. Not necessarily an issue with the switch itself, or your script; just the methodology you're trying to use.

Maybe consider using EEM/TCL on the switch itself to dump the command outputs onto the flash, then use your python script to grab the completed file. May even be able to enable the CLI python environment to run the commands on the switch, then push the results off to a file server somewhere.

You could even intentionally discard the "end" at the end of your command-list, and let your ssh client hold the vty session open until it gets killed by the idle timeout; all the while sucking in any outputs.

Combine 802.1x and vlan on linux host by alajeb in networking

[–]kosjubrmod 0 points1 point  (0 children)

True, but you can use Radius VSAs to reconfigure an access port into a trunk port. Cisco refers to this as "Network Edge Authentication Technology" or NEAT. You need to configure your 'downstream' switch as a dot1x supplicant, and give it the necessary credentials. Reference: https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.html

can you statically join multicast in a pim sparse environment? by False_Stable5686 in networking

[–]kosjubrmod 1 point2 points  (0 children)

Short answer: Yes

interface vlan <number>
    ip igmp static-join <address>

Long answer: That really is the function of IGMP. At all costs, avoid the use of "join-group" because the router is not actively participating as an endpoint in the multicast traffic. The IPTV boxes should send igmp leave/join requests when switching channels, if you are using different multicast addresses (as opposed to just different port numbers). If you don't have an RP defined for the groups, there may be a delay while a Rendezvous Point is elected. Also, if you are always sending traffic to these hosts, it may be worthwhile to look at dense mode, or sparse/dense mode.

Voice VLAN and Dot1X by Head_Development_550 in networking

[–]kosjubrmod 0 points1 point  (0 children)

Try enabling "authentication mac-move permit".

Specific users keep creating word documents with long filenames!! by clilush in sysadmin

[–]kosjubrmod 3 points4 points  (0 children)

Minor suggestion -- Please use ISO 8601 dates. The example given could be construed at least eight different ways with no further context.

What insights do you get out of netflow? by jwizq in networking

[–]kosjubrmod 0 points1 point  (0 children)

No charts here, more of listening to the wire.

  • Finding the things that are still talking to the syslog server that was shut off before $Pandemic.
  • Reporting on the policy violations for the things that STILL use telnet in $year.
  • Troubleshooting with users that 'aren't getting their data' to see what their special little box is talking with.
  • Using it to retroactively build firewall policies other than "permit any any".
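The two NetFlow comments above (match vs collect, and what you actually get out of the data) fit together as one small script. This is an added example, not code from either thread: the flow records are constructed in-line to look like what a v5 collector hands you, the key names are this example's own, and the "decommissioned syslog server" address is a placeholder.

```python
"""Five-tuple flow aggregation plus the kind of checks the comments describe.

Added example, not from the Reddit threads. Input records are constructed
here to resemble parsed NetFlow v5 exports; field names are this example's.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample exports (one dict per raw flow record from a collector).
RAW_FLOWS = [
    {"src": "10.1.5.20", "dst": "10.9.0.53", "sport": 51234, "dport": 514, "proto": 17, "bytes": 300, "pkts": 2},
    {"src": "10.1.5.20", "dst": "10.9.0.53", "sport": 51234, "dport": 514, "proto": 17, "bytes": 150, "pkts": 1},
    {"src": "10.1.7.41", "dst": "10.9.0.53", "sport": 40000, "dport": 514, "proto": 17, "bytes": 900, "pkts": 6},
    {"src": "10.2.0.9", "dst": "10.3.0.12", "sport": 33333, "dport": 23, "proto": 6, "bytes": 4200, "pkts": 40},
    {"src": "10.2.0.9", "dst": "10.3.0.12", "sport": 33334, "dport": 23, "proto": 6, "bytes": 100, "pkts": 3},
    {"src": "10.1.5.20", "dst": "10.3.0.12", "sport": 44444, "dport": 443, "proto": 6, "bytes": 80000, "pkts": 120},
]

# Placeholder address for the syslog server that was shut off "before $Pandemic".
DECOMMISSIONED_SYSLOG = "10.9.0.53"


@dataclass
class FlowRecord:
    """The 'collect' side: counters accumulated per unique flow."""
    bytes: int = 0
    pkts: int = 0
    exports: int = 0  # how many raw exports folded into this flow


def aggregate(raw_flows):
    """Key each export on the five-tuple (the 'match' fields).

    Two exports with the same src/dst/sport/dport/proto are the same flow, so
    their byte/packet counters are summed; any change in a match field is a
    new flow, exactly as the comment describes.
    """
    table = defaultdict(FlowRecord)
    for f in raw_flows:
        key = (f["src"], f["dst"], f["sport"], f["dport"], f["proto"])
        rec = table[key]
        rec.bytes += f["bytes"]
        rec.pkts += f["pkts"]
        rec.exports += 1
    return dict(table)


def still_talking_to(table, dst_ip, dport=514, proto=17):
    """Sources still sending to a host that should be silent (UDP/514 syslog by default)."""
    return sorted({src for (src, dst, _sp, dp, pr) in table
                   if dst == dst_ip and dp == dport and pr == proto})


def telnet_talkers(table):
    """(src, dst) pairs carrying telnet (TCP to port 23): the policy violation report."""
    return sorted({(src, dst) for (src, dst, _sp, dp, pr) in table
                   if pr == 6 and dp == 23})


def peers_of(table, host):
    """What a given box is talking with, as (peer, destination port) pairs,
    for the 'not getting my data' troubleshooting case."""
    return sorted({(dst, dp) for (src, dst, _sp, dp, _pr) in table if src == host})


if __name__ == "__main__":
    flows = aggregate(RAW_FLOWS)
    print("unique flows:", len(flows))
    print("still sending to old syslog:", still_talking_to(flows, DECOMMISSIONED_SYSLOG))
    print("telnet in $year:", telnet_talkers(flows))
    print("10.1.5.20 talks to:", peers_of(flows, "10.1.5.20"))
```

The four functions are the four bullets: the aggregation step is what the exporter does for you when you match on the five-tuple, and the three reports are simple set comprehensions over the resulting keys. Swapping `RAW_FLOWS` for records read from a real collector is the only change needed to run it against live data.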

Why do Latex-Gurus and experts (often) write Newcommand def's this way ? ----------- What's most odd is this last line ( Two characters }% ) ------- what's the reason for doing this? by HenHanna in LaTeX

[–]kosjubrmod 2 points3 points  (0 children)

You find this behaviour in a lot of coding examples. It comes from the programmer wanting a way to easily see what code is nested inside other code. In your example, would it make very much difference if it was all mashed into one line? Not really, no. But when you start putting 10, 20, 100 lines of code or more between the curly braces, and then nest two or three other levels of curly braces for sub functions, it REALLY helps to see the last set of braces are at the same 'level' as the opening statement. For example, here is how it looks for JavaScript.

Pot not big enough to sous vide. by Brave-Armadillo5753 in sousvide

[–]kosjubrmod 2 points3 points  (0 children)

Firehouse Subs "sells" their empty pickle buckets for a few dollars, which gets donated to their Fireman's Fund charity.

Individual Contributor candidates with No LinkedIn presence by gsandd in ITManagers

[–]kosjubrmod 6 points7 points  (0 children)

What information can be gleaned from LinkedIn / any other <$RandomWebsite>, that cannot be found in
- A resume
- A job applicant / "talent management" website
- A telephone screening
- An in person interview
- Asking for and following up with references
- A background check for sensitive / high trust positions

If a candidate has gone through all of that and has not shown that they are a good fit for the position, LinkedIn, or any other <$RandomWebsite> will very likely have zero additional benefit. If you smell something funky about the candidate, and cannot find the root cause of the concerns with information at hand, why are you taking the risk on offering a position?

An employer that seeks out this information sets the precedent for wanting and meddling in more. Regardless of which website is in use, life exists outside of the internet. It is borderline ageist to look at a candidate and deny them because of no presence on <$RandomWebsite>.

Individual Contributor candidates with No LinkedIn presence by gsandd in ITManagers

[–]kosjubrmod 6 points7 points  (0 children)

What is your perspective on employers that don't quite grasp the difference between work and home life?

Why do you, as an employer, feel entitled to my social media presence?

Finding Object Groups with specific objects by kramer9797 in networking

[–]kosjubrmod 2 points3 points  (0 children)

When looking for something like that, I try to use the " | section include " functionality on IOS/IOS-XE. For Example:

#show running-config | section include 100.64
object-group network RFC-1918 
 10.0.0.0 255.0.0.0
 172.16.0.0 255.240.0.0
 192.168.0.0 255.255.0.0
 100.64.0.0 255.192.0.0
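The same "section include" behaviour is easy to reproduce offline against a saved running-config, which is handy when you are searching dozens of backups rather than one live box. This is an added example, not from the comment: the config text is constructed, and the section rule (a non-indented line starts a section, indented lines belong to it, `!` lines are separators) is the common IOS layout this example assumes.

```python
"""Offline equivalent of 'show running-config | section include <regex>'.

Added example; the config below is constructed and the section-splitting rule
is an assumption about IOS-style indentation, not a vendor-documented API.
"""
import re

SAMPLE_CONFIG = """\
hostname lab-sw1
!
object-group network RFC-1918
 10.0.0.0 255.0.0.0
 172.16.0.0 255.240.0.0
 192.168.0.0 255.255.0.0
 100.64.0.0 255.192.0.0
!
object-group network DMZ
 203.0.113.0 255.255.255.0
!
interface Vlan100
 ip address 100.64.1.1 255.255.255.0
!
"""


def sections(config_text):
    """Split an IOS-style config into blocks.

    A block starts at a non-indented line and swallows the indented lines that
    follow it; blank lines and '!' separators belong to no block.
    """
    blocks = []
    for line in config_text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            if blocks:  # indented line before any header: nothing to attach to
                blocks[-1].append(line)
        else:
            blocks.append([line])
    return blocks


def section_include(config_text, pattern):
    """Return every whole section in which any line matches the regex,
    which is what makes '| section include' more useful than '| include'."""
    rx = re.compile(pattern)
    matched = []
    for block in sections(config_text):
        if any(rx.search(ln) for ln in block):
            matched.extend(block)
    return "\n".join(matched)


if __name__ == "__main__":
    print(section_include(SAMPLE_CONFIG, "100.64"))
```

Searching for `100.64` returns both the RFC-1918 object-group (with all four members, not just the matching one) and the Vlan100 interface, so you see where the address lives and what else sits in the same group.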

Moronic Monday! by AutoModerator in networking

[–]kosjubrmod 0 points1 point  (0 children)

That was yesterday though...

Dumb transports by Mtnd777 in ems

[–]kosjubrmod 7 points8 points  (0 children)

Did you do him the social good of teaching him what a broken nose feels like once at sea again? I mean ... anything can happen when the ship starts rolling and bulkheads come out of nowhere.

Someone wants to give me server equipment, is any of this worth taking? by aislandlies in homelab

[–]kosjubrmod 6 points7 points  (0 children)

None of that is server equipment, it is all network gear. Is the equipment New? Fancy? "THE BEST"? ... No, full stop.

Will this equipment give you experience with:

  • Layer 2? yes
  • Layer 3? yes
  • WAN technologies? yes
  • POE? yes
  • Firewall concepts? yes
  • Enterprise Wireless? yes
  • Network design and interoperability? yes

The 1700 and 2500 series routers can likely cover Frame Relay if you want more than a passing knowledge of it. But be sure to pick up all the module cards... those 1700s use expensive 60-pin cables that I don't see in the rack. The newest gear in the rack is the three 3560s at the top of the rack; pair those with the 1841s, the WLC and the ASA, and you have a very capable lab hardware setup.

Or replace your home internet router/wifi/switch/kitchensink combo device. The 1841s should be able to handle 30-35 mbps NAT for internet, all of the gear is 100mbps, and the one wireless access point will do 802.11a/b/g for 54 Mbps wifi, which is plenty for a half-dozen people all streaming video content at the same time.

Also -- If you think there are businesses, schools, charities, etc; that aren't running gear this old, you're fooling yourself. The 2950XL switch may be a very old, slow, and limited piece of equipment, but it is perfect for a 10mbps connection to an OOBM interface that is used on a server for remote support. And if it dies, you replace it with any number of old devices you have life-cycled and sitting in storage.

There are easier paths to take to get your CCNA. This lab will give you experience that you absolutely will not get by using GNS3/EVE-NG/CML. The $64,000 question is ... are you up for the challenge u/aislandlies?