|
I just started at a new company in charge of IP networks. The company is a startup and they haven't had a professional network admin before, so bear with me... Going through all our devices, I noticed some extremely weird poo poo on one CE router. Hardware is 871W, IOS is C870-ADVSECURITYK9-M, Version 12.4(24)T. The log is filled with stuff like this: code:
code:
I secured the router with a nazi access list and fired off some abuse reports, so things are under control now. However, going through recent security advisories, I found nothing pertaining. WTF? Pussy Noise fucked around with this message at 10:13 on Nov 5, 2009 |
# ? Nov 5, 2009 10:08 |
|
|
I assume some type of SSHv1 exploit? Or it keeps receiving a bad message digest from the SSH2 connection and thus terminates the connection. ate shit on live tv fucked around with this message at 10:19 on Nov 5, 2009 |
# ? Nov 5, 2009 10:14 |
|
Powercrazy posted: I assume some type of SSHv1 exploit? Yeah, it has to be. I guess nobody here figured that it might be a bad idea to run a router with a public interface without access control on the vty.
|
# ? Nov 5, 2009 10:17 |
|
Hey at least they aren't running telnet login
|
# ? Nov 5, 2009 10:21 |
|
Powercrazy posted: Ah yea I see what you are saying, didn't think about that. But it's still not a "terrible" idea, just a useless one. This is bad?? It is how I get the morning going each day.
|
# ? Nov 5, 2009 15:11 |
|
Pussy Noise posted: I just started at a new company in charge of IP networks. The company is a startup and they haven't had a professional network admin before, so bear with me... If you aren't doing it already, force SSHv2.
|
# ? Nov 5, 2009 18:11 |
|
Tremblay posted: If you aren't doing it already, force SSHv2. Also, write an ACL that defines white-listed IPs from which you'll be SSH'ing into the device, and then apply it as a policy to the VTY interface. That will stop the log spam. code:
|
# ? Nov 5, 2009 18:51 |
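An added example, not code from any poster: a small audit that reads an IOS running-config and reports the gaps discussed above (SSHv2 not forced, a vty line with no inbound access-class, telnet still accepted on a vty). Both sample configs, the ACL name MGMT-IN and the 192.0.2.0/24 management range are constructed placeholders.

```python
import re

# Constructed sample (not from the thread): vty 0-4 takes telnet and ssh from
# anywhere with no access-class applied, and SSHv1 is still negotiable.
WEAK_CONFIG = """\
hostname ce-router
ip ssh version 1
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 access-class MGMT-IN in
 login local
"""

# Constructed hardened form: SSHv2 only, one named ACL (placeholder name and
# placeholder 192.0.2.0/24 management range) applied inbound on every vty.
HARDENED_CONFIG = """\
hostname ce-router
ip ssh version 2
ip access-list standard MGMT-IN
 permit 192.0.2.0 0.0.0.255
 deny any log
line vty 0 15
 transport input ssh
 access-class MGMT-IN in
 login local
"""


def audit_vty(config: str) -> list:
    """Return findings for an IOS running-config; an empty list means clean."""
    findings = []
    if not re.search(r"^ip ssh version 2\s*$", config, re.M):
        findings.append("global: 'ip ssh version 2' not set (SSHv1 negotiable)")
    # A section starts at each non-indented line; indented lines belong to it.
    for section in re.split(r"\n(?=\S)", config):
        lines = section.splitlines()
        if not lines or not lines[0].startswith("line vty"):
            continue
        head, body = lines[0], [b.strip() for b in lines[1:]]
        if not any(b.startswith("access-class ") and b.endswith(" in") for b in body):
            findings.append(f"{head}: no inbound access-class (reachable from any source)")
        transports = [b for b in body if b.startswith("transport input")]
        # Anything other than exactly "transport input ssh" is a finding.
        if not transports or any(t.split()[2:] != ["ssh"] for t in transports):
            findings.append(f"{head}: transport input is not restricted to ssh")
    return findings
```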
|
Are there any small/free Windows apps that would allow me to access Cisco CDP information?
|
# ? Nov 5, 2009 21:14 |
|
brent78 posted: Are there any small/free Windows apps that would allow me to access Cisco CDP information? I believe some of the free network mapping tools gather info via CDP.
|
# ? Nov 5, 2009 21:22 |
|
brent78 posted: Are there any small/free Windows apps that would allow me to access Cisco CDP information? Solarwinds might. I know there is one in the paid toolkit anyhow.
|
# ? Nov 5, 2009 22:40 |
|
routenull0 posted: This is bad?? It is how I get the morning going each day. You work for AT&T, don't you?
|
# ? Nov 6, 2009 00:16 |
|
Ethereal/Wireshark will show CDP packets and is free.
|
# ? Nov 6, 2009 00:16 |
|
saw the cisco telepresence thing on 30 rock tonight, how much does a "500" cost, anyone know? what kind of upstream does it need? v list is cool, i'm familiar with the usual discount ranges StabbinHobo fucked around with this message at 06:42 on Nov 6, 2009 |
# ? Nov 6, 2009 05:03 |
|
StabbinHobo posted: saw the cisco telepresence thing on 30 rock tonight, how much does a "500" cost, anyone know? what kind of upstream does it need? 1.5 Mbps per screen for 720p. 1080p ~5 Mbps a screen, it's very pretty. As for price, I could look up list. But pretty much no one pays that. Tremblay fucked around with this message at 06:00 on Nov 6, 2009 |
# ? Nov 6, 2009 05:56 |
|
Ah, telepresence. It is seriously probably one of the best things about working at Cisco. You can set up a telepresence whenever you want, and play "around the world" if you are feeling ballsy. I think for the 3 screen 1080P setup it's somewhere around 300K? The 500's are a lot more reasonable both price and bandwidth-wise.
|
# ? Nov 6, 2009 12:47 |
|
I guess this is the best thread to ask this question as I'm having to deal with poo poo I Dont Know(TM): Switch A needs to be connected to Switch B (5km away) over a 1Gb Ethernet connection. We (my partner is, but he's out sick) are trying to tell the provider that we need to rent a 1Gb Ethernet wavelength on their WDM for this. What is the correct telecoms terminology here? Because I don't think they understand me and keep going on about SDH and STM-16 which we are not going to use. 1Gb wavelength? Ethernet channel? Ethernet framing? LAPS? TL;DR: Partner is sick, I'm out of my depth and need this connection up asap. What do I tell them?
|
# ? Nov 6, 2009 19:04 |
|
Unless you want a dedicated fiber, which is expensive and they might not offer it at all, they are offering you a SONET channel. Hence the SDH/STM-16. http://en.wikipedia.org/wiki/Synchronous_optical_networking#SDH_frame It's transparent to you, so don't worry about the framing. You'll hand off to a 15454 or something similar, the service provider will do their configuration, then you'll receive ethernet at the remote site. I guess you could also see if they can get you a "lambda" or wavelength of MPLS, but that might not be available either and I'm not sure why you would care either way. Another option is a Metro Ethernet pvlan/vpls which is much cheaper but typically only available in "metro" areas.
|
# ? Nov 6, 2009 20:53 |
|
nex posted: I guess this is the best thread to ask this question as I'm having to deal with poo poo I Dont Know(TM): Tell them you want an unprotected point to point circuit that can handle a full Gbps handed off to you with Gigabit Ethernet on each side. What's likely confusing is that the handoff speed and the bandwidth that the circuit can carry do not have to match. I can provision a circuit that hands off with Gig. Ethernet but can't carry more than 50Mbps of traffic. That said, if you aren't going to use a full 1Gbps you can order your circuit at some slower rate and save some transport costs. Unless you're ordering 10Gbps circuits or possibly even OC-48 circuits you're going to get a circuit that is transported over SONET/SDH, not a pure wave product. As long as they hand off Gig Ethernet to you the SDH piece is transparent.
|
# ? Nov 6, 2009 21:13 |
|
FatCow posted: Tell them you want an unprotected point to point circuit that can handle a full Gbps handed off to you with Gigabit Ethernet on each side. Ahh, that was the stuff that confused me. Because on our 10Gb circuits we ask for LAN-PHY, and for lower speeds it's usually 2,5Gb SDH/STM-16 (the cards are hilariously expensive). So I was looking for something similar to LAN-PHY, but only 1Gb. To be honest I have never had to deal with the 1Gb speeds, because we usually have our own dark fiber with either DWDM or CWDM. Thanks guys!
|
# ? Nov 6, 2009 22:35 |
|
What would be the easiest way to deny users from plugging in their own home router/access points on our network? In IOS 12.4, it looks like you can just use an ACL statement that looks at the TTL of a packet, but unfortunately the latest update for our router (6509-e/sup-720) is only 12.2.
|
# ? Nov 9, 2009 20:27 |
|
Sojourner posted: What would be the easiest way to deny users from plugging in their own home router/access points on our network? port-security with MAC limits would stop switches (BPDU guard as well). DHCP snooping could also help. As for users dropping in an AP or router, not sure. Wired dot1x would solve these problems, but I wouldn't necessarily call that an "easy" option. You have a documented policy that prohibits these devices, I hope? Tremblay fucked around with this message at 21:33 on Nov 9, 2009 |
# ? Nov 9, 2009 21:26 |
|
If you're using Cisco switches, BPDU guard may work.
|
# ? Nov 9, 2009 21:29 |
|
You're not necessarily out of luck. A lot of 12.4 features are ported to the 12.2SX train.
|
# ? Nov 9, 2009 21:34 |
|
Sojourner posted: What would be the easiest way to deny users from plugging in their own home router/access points on our network? There isn't an easy way to do this. There should be, but there isn't. 802.1x with some machine certs is probably the only option that really solves all of your problems, the right way. Unfortunately, you'll have to invest in a lot of glue to hold it all together. And even then, if your environment is anything like mine, with a lot of shared edge ports, 802.1x quickly devolves into a series of frustrating, unpleasant design concessions.
|
# ? Nov 9, 2009 23:29 |
|
Sojourner posted: In IOS 12.4, it looks like you can just use an ACL statement that looks at the TTL of a packet, but unfortunately the latest update for our router (6509-e/sup-720) is only 12.2. The version numbering for the switch code does not follow quite the same conventions that IOS versioning does. 12.2whatever for a switch is recent.
|
# ? Nov 10, 2009 01:53 |
|
Thanks, I'll throw some updates/check the software advisor and see if it won't support the TTL ACL statement. Here's hoping!
|
# ? Nov 10, 2009 14:08 |
|
Sounds like a job for CFN! http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
|
# ? Nov 10, 2009 17:40 |
|
tortilla_chip posted: Sounds like a job for CFN! This is a neat tool, and way easier to use than software advisor, thanks! Unfortunately it just confirmed that the 6509-e will not be doing TTL ACLs... :'( Looks like rogue access points will continue to be there.
|
# ? Nov 10, 2009 18:35 |
|
In my specific situation this is more in regard to ProCurve gear, but I think it is the same as Cisco as far as this goes. I am trying to set up spanning tree, and I need to know two things: 1) does my spanning tree config have to have the same name on all switches in order to work properly? 2) will changing the spanning tree config name result in a temporary loss of connectivity like adding a vlan does?
|
# ? Nov 11, 2009 03:36 |
|
Got a question for you VPN geniuses: I've recently configured a remote access VPN on a Cisco ASA5505 to assign IPs from the range 10.10.9.0/28 (where the local LAN is 10.10.8.0/24) using the IPSEC VPN configuration wizard. Seeing as how it is configured by the wizard, I thought this would work properly and pass traffic between the two networks, however I must have assumed wrong. What happens is this: When I connect with the Cisco VPN client, I receive an IP of 10.10.9.1 and I can ping the LAN IP of 10.10.8.1 (and SSH to it). I cannot ping or SSH or otherwise get any connectivity between any other remote LAN hosts. I can't figure out if a misconfigured ACL is causing this, or some other configuration error. This is the ONLY VPN configured on this device. When I view the firewall log when I try to SSH to another remote LAN host I see this:
Built inbound TCP connection 260 for outside: 10.10.9.1/50228 (10.10.9.1/50228) to inside: 10.10.8.12/22 (10.10.8.12/22)
followed shortly by:
Teardown TCP connection for 259 for outside: 10.10.9.1/50227 to inside: 10.10.8.12/22 duration 0:00:30 bytes 0 SYN Timeout
That would indicate to me that traffic is being passed to the remote host, but is not being sent back. Curiously, if I SSH into the firewall and try to ping the IP that I am using for the VPN, it times out, and if I 'sh route' I get this:
S 10.10.9.4 255.255.255.255 [1/0] via xxx.xxx.xxx.xxx, outside
I am utterly confused by this issue, fffffff
|
# ? Nov 11, 2009 23:01 |
|
Do you have a route in your network pointing 10.10.9.0/28 at your inside IP?
|
# ? Nov 11, 2009 23:14 |
|
Wicaeed posted: Got a question for you VPN geniuses: It looks like a subnet mask problem. It looks like your 10.10.8.12 network is with a /22 mask, so traffic on the inside would assume 10.10.9.* would be on their local subnet, and would use ARP to look up the host instead of forwarding it to the default gateway. Try making your VPN net something that will not overlap, or changing the subnet mask to /24 on your 10.10.8 subnet, which looks like is what you wanted all along.
|
# ? Nov 11, 2009 23:18 |
|
That is the firewall log saying that the traffic is being sent to 10.10.8.12 on port 22 (ssh), not a subnet mask of /22.
FatCow posted: Do you have a route in your network pointing 10.10.9.0/28 at your inside IP?
No, but it KNOWS about the network because I CAN ping 10.10.8.1 from a VPN client connected with 10.10.9.1. Well, we have an entire /24 subnet dedicated to servers, 10.10.8.x. Is having our VPN clients live on a similarly numbered subnet (10.10.9.0/28) really that bad of an idea? \/\/\/\/\/\/\/\/\/
Wicaeed fucked around with this message at 23:33 on Nov 11, 2009 |
# ? Nov 11, 2009 23:22 |
|
Sojourner posted: It looks like a subnet mask problem. It looks like your 10.10.8.12 network is with a /22 mask, so traffic on the inside would assume 10.10.9.* would be on their local subnet, and would use ARP to look up the host instead of forwarding it to the default gateway. Check to see if sysopt connection permit-vpn is enabled, basically makes all VPN connections (RA or Site to Site) ignore the outside ACL. Also, you should not have overlapping address space for your remote pool, just make it something out of the way, but easily summarizable on a per-site basis (e.g. site A is 10.10.0.0/16, site B is 10.20.0.0/16 etc).
|
# ? Nov 11, 2009 23:26 |
|
Wicaeed posted: No, but it KNOWS about the network because I CAN ping 10.10.8.1 from a VPN client connected with 10.10.9.1 To clarify, the ASA's inside is 10.10.8.1 right? Just to make sure. I would add a route on whatever your router is for the 10.10.8.0/24 network to point the 10.10.9.0/28 to 10.10.8.1 (ASA).
|
# ? Nov 11, 2009 23:39 |
|
jwh posted: The ASA knows, of course, because it's the one handing out 10.10.9.0/28 addresses, but other devices won't know how to reach those addresses, unless it's covered by their default. Yeah, and like I said, 10.10.8.1 is the only IP the VPN client can ping/ssh to, however the ASA can't ping that address back. I'll add that and see if that fixes it. Also, when you initially configure a VPN, what interface does it use (inside/outside)?
|
# ? Nov 11, 2009 23:44 |
|
Wicaeed posted: Teardown TCP connection for 259 for outside: 10.10.9.1/50227 to inside: 10.10.8.12/22 duration 0:00:30 bytes 0 SYN Timeout In your post describing the problem, you said 10.10.8.0 was /24 but this log says it's /22. Reinforcing this needs to be looked at.
|
# ? Nov 12, 2009 00:59 |
|
I'm fairly sure that's the destination port. By applying the same logic to the outside interface you'd end up with a mask with 50227 bits.
|
# ? Nov 12, 2009 01:19 |
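An added example, not code from any poster, covering the two points argued over in the posts above: a parser for the ASA Built/Teardown lines that reads "addr/NNN" as address/port (so the "/22" is the SSH port, not a mask), a check for the "bytes 0 ... SYN Timeout" pattern that marks a SYN with no reply (the missing-return-route symptom), and an overlap test showing that the VPN pool would only be swallowed by the LAN if the LAN mask really were /22. The two log lines are constructed to match the ones quoted in the thread, in canonical ASA spacing.

```python
import ipaddress
import re

# Two ASA connection-log lines constructed to match those quoted in the
# thread (canonical ASA spacing, no stray "for").
SAMPLE_LOG = [
    "Built inbound TCP connection 260 for outside:10.10.9.1/50228 (10.10.9.1/50228) "
    "to inside:10.10.8.12/22 (10.10.8.12/22)",
    "Teardown TCP connection 259 for outside:10.10.9.1/50227 to inside:10.10.8.12/22 "
    "duration 0:00:30 bytes 0 SYN Timeout",
]

# In these messages "addr/NNN" is address/port, never address/prefix-length.
CONN_RE = re.compile(
    r"(?P<event>Built|Teardown)\s+(?:inbound\s+|outbound\s+)?TCP connection\s+(?P<id>\d+)"
    r"\s+for\s+(?P<src_if>\w+):\s*(?P<src>[\d.]+)/(?P<sport>\d+).*?"
    r"\s+to\s+(?P<dst_if>\w+):\s*(?P<dst>[\d.]+)/(?P<dport>\d+)"
    r"(?:.*?\bbytes\s+(?P<bytes>\d+)\s+(?P<reason>.+))?"
)


def parse_conn(line: str):
    """Parse one Built/Teardown TCP line into a dict, or None if it is not one."""
    m = CONN_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("id", "sport", "dport", "bytes"):
        if rec[key] is not None:
            rec[key] = int(rec[key])
    return rec


def one_way_syn(rec: dict) -> bool:
    """SYN went out, nothing came back: the classic missing-return-route symptom."""
    return rec["event"] == "Teardown" and rec["bytes"] == 0 and rec["reason"] == "SYN Timeout"


def pool_overlaps(pool: str, inside_host: str, prefixlen: int) -> bool:
    """Would the VPN pool sit inside the LAN if the LAN mask were /prefixlen?"""
    lan = ipaddress.ip_network(f"{inside_host}/{prefixlen}", strict=False)
    return ipaddress.ip_network(pool).subnet_of(lan)


if __name__ == "__main__":
    for rec in map(parse_conn, SAMPLE_LOG):
        print(rec["event"], rec["dst"], "port", rec["dport"], "one-way SYN:", one_way_syn(rec))
    for plen in (22, 24):
        print(f"/{plen} LAN swallows 10.10.9.0/28:", pool_overlaps("10.10.9.0/28", "10.10.8.12", plen))
```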
|
On my ASA 5510, I just tried to update the anyconnect client executables. When I try to enable the second with "svc image disk0:/anyconnect-macosx.pkg 2", it says I need to increase the "cache-fs" size with the cache-fs command. When I try to use cache-fs it says the command does not exist, and I've tried it in global config, webvpn, cache and any other cli mode you could think of. Any insight? *edit* Fixed the problem by going into cache mode, and doing 'disable' then 'no disable', but I'd still REALLY like to know where the hell that cache-fs command is. Sojourner fucked around with this message at 20:25 on Nov 12, 2009 |
# ? Nov 12, 2009 19:58 |
|
|
CCM 4.x Voice poo poo cross posted from cisco.com: Currently I have two voice gateways with T1 PRI VWICs in each gateway. We have two campuses and each gateway services a campus. I have a bunch of route patterns which are duplicated for each gateway. Basically this means that to dial a 215 area code number, I have a route pattern to send the calls out one gateway and a route pattern to send calls out of the other gateway depending on what calling search space the dialing phone or device has. I'm adding a third gateway loaded with VIC-2FXO cards with POTS lines hooked to it. I want to use this gateway to send 911 calls to the PSTN to better identify the calling location. However, I also need the ability to send a 911 call through one of the other gateways in the event that the POTS line is not able to handle the call for any reason. I assumed I need to go with a Route Group with the POTS enabled gateway listed first, followed by the PRI enabled gateway. The problem I'm having is, if there are any existing route patterns being used by a gateway, that gateway will not appear in the available devices section of the route group config page. Do I have to rip out all of my current route patterns and rebuild them all with route groups or is there a better way to do this? Thanks
|
# ? Nov 12, 2009 20:23 |