|
MAC Hunt: Your weapons, sh Arp and sh mac-address-table, GO!
|
#
?
Jun 3, 2009 23:32
|
|
|
|
| # ? May 14, 2024 17:46 |
|
|
I hope this isn't a FAQ, but I didn't see it in the last few pages (standard grumble about search). Is there a simple, definitive statement from Cisco anywhere about whether IOS licenses are transferable? If I buy old Cisco gear from, say, eBay, my understanding is that the license isn't transferred, and thus I'd have to buy a new IOS license (which often costs nearly as much as buying new hardware). The Cisco EULA and Terms of Sale seem to support me in this. If IOS licenses can't easily be transferred, though, why don't they crush all those eBay auctions? Is it because the auction technically is for hardware (which theoretically could be re-licensed), or because they know killing the second-hand market would be a PR nightmare?
|
|
#
?
Jun 3, 2009 23:42
|
|
|
Sojourner posted:"FreeBSD 4.10 (STABLE)
|
|
#
?
Jun 4, 2009 02:25
|
|
|
falz posted:That's a linux kernel version, which has nothing to do with FreeBSD. You sure someone didn't just modify the banner to confuse people or be funny? It'd be more then a login banner change because the login prompt is different then IOS. Before I left work I checked the mac address that was associated with the IP and it was coming up as a cisco one, and did a quick nmap/zenmap scan and it said the telnet daemon was the cisco version.
|
|
#
?
Jun 4, 2009 02:31
|
|
|
It'll be interesting to see what pops up when somebody plugs a console cable into this thing.
|
|
#
?
Jun 4, 2009 03:07
|
|
|
Sojourner posted:It'd be more then a login banner change because the login prompt is different then IOS. Before I left work I checked the mac address that was associated with the IP and it was coming up as a cisco one, and did a quick nmap/zenmap scan and it said the telnet daemon was the cisco version.
|
|
#
?
Jun 4, 2009 04:02
|
|
|
Sojourner posted:It'd be more then a login banner change because the login prompt is different then IOS. Before I left work I checked the mac address that was associated with the IP and it was coming up as a cisco one, and did a quick nmap/zenmap scan and it said the telnet daemon was the cisco version. Make sure you're on the same subnet with the affected device before you go after the mac address. Otherwise you could well be looking at the gateway with your nmap.
|
|
#
?
Jun 4, 2009 04:26
|
|
|
falz posted:That's a linux kernel version, which has nothing to do with FreeBSD. You sure someone didn't just modify the banner to confuse people or be funny? God that would be a dick move and I would be out my  .Here's one that will secure anything, the bats do it. code:
|
|
#
?
Jun 4, 2009 04:32
|
|
|
Herv posted:God that would be a dick move and I would be out my This is the one I use on my home lab. code:
|
|
#
?
Jun 4, 2009 04:47
|
|
|
Maybe it's one of them new fangled Juniper "routers". Mine has a FreeBSD login too  But seriously, I can't wait to hear what you find out about this new Linux/FreeBSD/IOS hybrid 
|
|
#
?
Jun 4, 2009 06:54
|
|
|
Now for the thrilling conclusion of Sojous Super Switch Mystery! Cisco blah blah...wait BSD? this is a screen shot taken when I used a console cable to plug into the switch. In total, there are two switches inaccessible due to this. I need book the time a week in advance to take down those switches to insert a new image with xmodem, but this with all certainty eliminates the possibility of an arp-spoof. Anyone got any ideas (And no, no its not an access point..thats from an older hyperterm session.) *edit* Third switch found.. an old 2912. *second edit* Holy table break batman! Image cut down.. Sojourner fucked around with this message at 15:25 on Jun 4, 2009 |
|
#
?
Jun 4, 2009 14:39
|
|
|
Sojourner posted:Now for the thrilling conclusion of Sojous Super Switch Mystery! Assuming you don't mind the switch losing config while you try this: Plug in console cable, unplug switch, hold down mode button, plug in switch, keep mode button held down until the light above port 1 turns off. Wait for the "switch:" prompt to appear then type in: code:code:
|
|
#
?
Jun 4, 2009 15:32
|
|
|
ragzilla posted:Marvel at the wonder that is realizing some joker set your banner to the FreeBSD/kernel stuff. Oh this is classic.
|
|
#
?
Jun 4, 2009 15:57
|
|
|
I need some help with a NAT scenario that's a bit different than what I'm used to dealing with. I'll use this simplified GNS3 scenario since the solution here will transfer to my real-world scenario. Click here for the full 1280x774 image. What I'm trying to do is, using NAT on R0, map 10.4.36.5 to 172.16.3.1. In other words, if I try to access 10.4.36.5 from R1, it's translated to 172.16.3.1. Now here's the tricky part.. this is easy enough to do if I set f0/1 to ip nat inside and f0/0 to ip nat outside and create a static mapping (ip nat inside source static 172.16.3.1 10.4.36.5), but the problem is that I need to have f0/1 be outside interface (since in the real-world scenario, that interface connects to the internet and I need to NAT the inside traffic on f1/1).
|
|
#
?
Jun 4, 2009 17:56
|
|
|
the nicker posted:I need some help with a NAT scenario that's a bit different than what I'm used to dealing with. I'll use this simplified GNS3 scenario since the solution here will transfer to my real-world scenario. So you are trying to do a destination static nat?
|
|
#
?
Jun 4, 2009 18:18
|
|
|
ragzilla posted:Marvel at the wonder that is realizing some joker set your banner to the FreeBSD/kernel stuff.
|
|
#
?
Jun 4, 2009 18:32
|
|
|
Sojourner posted:Now for the thrilling conclusion of Sojous Super Switch Mystery! edit: I bet a dollar this is what's going on. jwh fucked around with this message at 18:59 on Jun 4, 2009 |
|
#
?
Jun 4, 2009 18:55
|
|
|
I would say all bets are off until the config is bypassed, as stated before. Before the xmodem download at least. Someone is definitely a funny guy. No one took my bet, would have pay pal'd it too!
|
|
#
?
Jun 4, 2009 19:04
|
|
|
Back in the day I took a hex editor to command.com in dos and changed "file not found" to "fish not found". I just looked in an uncompressed ios image and there are a lot of plaintext lines...
|
|
#
?
Jun 4, 2009 19:14
|
|
|
Tremblay posted:So you are trying to do a destination static nat? I guess. I just tried this on R0 and it didn't work: quote:Router#sh run According to debug ip packet on R0, it's not even trying to NAT the traffic. It's just trying to route it out f1/0
|
|
#
?
Jun 4, 2009 19:19
|
|
|
What's behind there that you are trying to NAT? How are the routers connected? You said the gns3 simulation is just similar. Is it just one port you need to forward, or everything? Without more info, it seems to me like you just need a regular static route, not NAT.
|
|
#
?
Jun 4, 2009 19:23
|
|
|
cptInsane0 posted:What's behind there that you are trying to NAT? How are the routers connected? You said the gns3 simulation is just similar. Is it just one port you need to forward, or everything? Without more info, it seems to me like you just need a regular static route, not NAT. Just one port would work fine. In the real world it's not a router that I'm trying to access, it's a server. It's just easier to put a router in GNS3 and use telnet to test. It needs to be NAT, routing is not an option. I have no control over R1, it belongs to another organization. They have a route to the 10.4.36 network but that's it. The details of the real scenario are irrelevant - if I can make this work in the simulation, it will work there.
|
|
#
?
Jun 4, 2009 19:39
|
|
|
ok, so just nat whatever port(s) they are connecting to. IP Nat inside source static tcp whateverIP outsideinterface portnumber cptInsane0 fucked around with this message at 19:57 on Jun 4, 2009 |
|
#
?
Jun 4, 2009 19:52
|
|
|
cptInsane0 posted:ok, so just nat whatever port(s) they are connecting to. Like I said in the original post, this works fine if f0/0 is configured as the outside interface and f0/1 is inside, but I need it to work the other way (with f0/1 configured as outside) Whether I do the whole host or just a single port in the translation isn't relevant, I have the same problem either way.
|
|
#
?
Jun 4, 2009 20:06
|
|
|
FYI c3560-ipbasek9-mz.122-50.SE1.bin is dangerously unstable and almost entirely non-functional. SVI's won't answer ARP, configuring an exec banner triggers a crash, periodic unexplained tracebacks, the whole works. Steer clear.
|
|
#
?
Jun 4, 2009 20:56
|
|
|
the nicker posted:Like I said in the original post, this works fine if f0/0 is configured as the outside interface and f0/1 is inside, but I need it to work the other way (with f0/1 configured as outside) I understand you want f0/1 on the outside. You want f0/0 on the inside, and the traffic is coming from what R1 represents? If so, R1 is already attached to F0/0. I understand this diagram doesn't represent your exact topology, but from your diagram, what you are saying makes no sense to me. If you are trying to get traffic to go from R1 to the 172. subnet behind R2, then that involves some routing too. cptInsane0 fucked around with this message at 21:29 on Jun 4, 2009 |
|
#
?
Jun 4, 2009 21:26
|
|
|
Weird Uncle Dave posted:I hope this isn't a FAQ, but I didn't see it in the last few pages (standard grumble about search). Short Answer: They can't really stop (all of) it. Longer Answer: They do make money off of support for the old hardware. If you want TAC support you have to rebuy a license, which is basically more profit for old hardware. Ideally you would buy new hardware and support contracts from Cisco, but if you want to go cheap and just buy the hardware, whenever you need support, then they will charge you at that point.
|
|
#
?
Jun 5, 2009 03:36
|
|
|
Will Cisco do support on a T&M basis? I didn't think that they would. I thought it was SMARTnet or nothing.
|
|
#
?
Jun 5, 2009 03:39
|
|
|
They used to, about 2 years ago. Not sure if they still do. I think you have to buy at least a 6 month SMARTnet contract. But I haven't needed to call TAC in a long time.
|
|
#
?
Jun 5, 2009 03:53
|
|
|
Powercrazy posted:Short Answer: They can't really stop (all of) it. Eh, not always. We've purchased SmartNET on gray market 12000s and never had to re-buy licensing or submit to the joy that is "re-certification".
|
|
#
?
Jun 5, 2009 05:08
|
|
|
ragzilla posted:Eh, not always. Thats most likely because your acct team was feeling nice.
|
|
#
?
Jun 5, 2009 05:18
|
|
|
Harry Totterbottom posted:This is the one I use on my home lab. This is now the banner on each client I've logged into today. Both voice gateways and routers.
|
|
#
?
Jun 5, 2009 05:33
|
|
|
I know you can get away with "buy old router on eBay, plug in, use." I'm asking whether it's, technically speaking, a EULA or other license violation. Buying the router itself is almost certainly okay, since you can (theoretically) relicense IOS, get your gear recertified, and so on. Hardware's hardware, and I doubt Cisco would have grounds to stop the resale of their parts even if they wanted to. Going to the other extreme (buying used router, having friend with CCIE download current IOS image for you to install) is almost certainly not-okay. I know Cisco's EULA says "nontransferable" in a couple places, but that could be boilerplate. And there's a page on cisco.com that I found earlier and can't find again, that described licensing practices, and said that Cisco's policy is not to allow license transfer except in special cases like corporate mergers. Has Cisco ever sued/prosecuted anyone for this? If not, why do they still have all this "don't do it" language all over the place?
|
|
#
?
Jun 5, 2009 05:41
|
|
|
Weird Uncle Dave posted:Has Cisco ever sued/prosecuted anyone for this? If not, why do they still have all this "don't do it" language all over the place? Corporate Leverage. Its not so much the case anymore, but about 10-15 years ago, if you wanted enterprise routers, or any routers at all, it was Cisco or bust. 10-15 years ago was also Cisco's hayday. They were investing millions in the early internet, routing protocols, switching protocols, DECNet, Token-ring, Ethernet, etc. A lot of that has settled down, but when the internet was hot and money was nearly unlimited, it was nice to have an "in" for negotiations with any tech company. To answer your question, when you buy hardware on Ebay, you technically cannot run the software image that comes with it. However just like everything in the corporate environment, this clause is tacitly ignored by every company, until a conflict of interest, or some "other" interest arises.
|
|
#
?
Jun 5, 2009 05:51
|
|
|
Setting the banner on all my lab routers and switches to FreeBSD 4.10 (STABLE) Kernel 2.6.27 on an i686 in honour of this monumental bug discussion 
|
|
#
?
Jun 5, 2009 06:39
|
|
|
Martytoof posted:Setting the banner on all my lab routers and switches to hehe O god so I went looking for banners and I found some loving funny ACSII poo poo. Our firm's router now display this at logon code:
|
|
#
?
Jun 5, 2009 07:20
|
|
|
Once you're gone, the next network consultant or IT guy is going to be really impressed. 
|
|
#
?
Jun 5, 2009 15:54
|
|
|
Okay, so far both c3560-ipbasek9-mz.122-50.SE1.bin and c3560-ipbasek9-mz.122-46.SE.bin both exhibit the same behavior, while c3560-ipbasek9-mz.122-25.SEE4.bin does not- 12.2(25)SEE4 works "correctly," in that it boots, and my SVIs behave as I would expect. Both 12.2(46)SE and 12.2(50)SE1 however won't learn arp entires for anything attached to those SVIs, and as a result debug ip pack is showing encapsulation failed for traffic sourced from that SVI. 000357: IP: s=10.32.100.230 (local), d=10.32.100.254 (Vlan100), len 100, encapsulation failed 3560g-test-sw1#show arp Protocol Address Age (min) Hardware Addr Type Interface Internet 10.32.100.230 - 0015.620a.8441 ARPA Vlan100 Internet 10.32.100.254 0 Incomplete ARPA Okay, pretty standard stuff, so I set up static arp entries on all of the devices, which gets past the encapsulation failure, verify the cef adjacency is good on the routers, and proceed to ping the SVI again- but nothing. Debug ip pack on the 3560 shows nothing. I've tried with both 'ip routing' enabled and disabled with the same results. And here's the best part, 12.2(25)SEE4 works fine. Does anyone know if anything fundamental has changed between 12.2(25)SEE4 and 12.2(46)SE? I'm going to keep downgrading from 12.2(46) until I find code that works. Currently tftping 12.2(44)SE6 up.
|
|
#
?
Jun 5, 2009 16:03
|
|
|
Tony Montana posted:hehe Just use a different character for the MOTD.
|
|
#
?
Jun 5, 2009 16:07
|
|
|
|
| # ? May 14, 2024 17:46 |
|
|
cptInsane0 posted:I understand this diagram doesn't represent your exact topology, but from your diagram, what you are saying makes no sense to me. I was afraid of this, it's a hard scenario to explain. Maybe this will help: R1, which belongs to another organization, cannot have a route to the 172.16.3 network because it overlaps with their own network. They need to be able to access 172.16.3.1 as if it were on the 10.4.36 network. At any rate, I figured it out. It took a bit of trickery and some nat-on-a-stick policy routing. R0 posted:interface Loopback0 CheddarGoblin fucked around with this message at 16:24 on Jun 5, 2009 |
|
#
?
Jun 5, 2009 16:17
|
|