madsushi
Apr 19, 2009

Baller.
#essereFerrari

Powercrazy posted:

I can't understand why people want the actual device graphic. Just stick with simple Rectangles and circles for Routers/Switches.

There's a difference between high-level overviews (simple shapes are fine) and meticulous documentation (you want EVERY port mapped). Sometimes you need to Visio every single cable.


evil_bunnY
Apr 2, 2003

Bluecobra posted:

Their list pricing has always been retarded. Even though their switches are now listed in my Dell Premier account, I still need to go through my account manager to get the correct pricing. We're paying about $15K for a 1U stackable 48-port wire rate 10GbE switch (plus 4 40GbE ports) which isn't too shabby.
Yeah that's what I was quoted for 4810's a while ago. Powerconnects just don't come in 48P 10GBE configurations.

ate shit on live tv
Feb 15, 2004

by Azathoth

madsushi posted:

There's a difference between high-level overviews (simple shapes are fine) and meticulous documentation (you want EVERY port mapped). Sometimes you need to Visio every single cable.

If you care about every single port then a graphical Visio representation isn't what you want.

You want a spreadsheet that would look similar to this:
pre:
Port       VLAN       HOST
Gig1/1/2   234        NYESX203
Gig1/1/3   345        NY-VSPHERE
etc.
Adding columns/sheets for each switch. Or probably you would have the spreadsheet sorted by physical location or something.

Meticulously mapping each port with Visio seems like the wrong tool for the job.

madsushi
Apr 19, 2009

Baller.
#essereFerrari

Powercrazy posted:

If you care about every single port then a graphical Visio representation isn't what you want.

You want a spreadsheet that would look similar to this:
pre:
Port       VLAN       HOST
Gig1/1/2   234        NYESX203
Gig1/1/3   345        NY-VSPHERE
etc.
Adding columns/sheets for each switch. Or probably you would have the spreadsheet sorted by physical location or something.

Meticulously mapping each port with Visio seems like the wrong tool for the job.

Like I said, sometimes you need to. I once did a massive Visio spelling out every single port in our core chassis and where it went to distribution switches and servers. It was printed out on a huge poster and it's in the wall of our datacenter now. Management wants it, they get it.

evil_bunnY
Apr 2, 2003

madsushi posted:

I once did a massive Visio spelling out every single port in our core chassis and where it went to distribution switches and servers. It was printed out on a huge poster and it's in the wall of our datacenter now. Management wants it, they get it.
This is what I did, but for a planned upgrade. It has the added advantage of allowing you to delegate the actual racking to someone else.

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR
Can anyone see any reason Cisco side why this etherchannel won't bundle and come up/up?

interface GigabitEthernet1/0/51
description Portchannel to MPLS
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 60
switchport mode trunk
channel-group 1 mode active
end


interface GigabitEthernet1/0/52
description Portchannel to MPLS
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 60
switchport mode trunk
channel-group 1 mode active
end

interface Port-channel1
description Portchannel to MPLS
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 60
switchport mode trunk
end

show etherchannel sum
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator

M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port


Number of channel-groups in use: 1
Number of aggregators: 1

Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SD) LACP Gi1/0/51(D) Gi1/0/52(D)


Port-channel1 is down, line protocol is down (notconnect)
Hardware is EtherChannel, address is 0000.0000.0000 (bia 0000.0000.0000)
Description: Portchannel to MPLS
MTU 1500 bytes, BW 10000 Kbit/sec, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Auto-duplex, Auto-speed, link type is auto, media type is unknown
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
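The replies below ask the right first questions (what mode is the far end in, are the members up), and the thread's own "show etherchannel sum" output already says most of what the switch knows: Po1 is (SD) and both members are (D). As an added example, not code from any poster, here is a small Python script that parses that summary into per-group diagnoses and checks whether the channel-group modes on the two ends of a link can negotiate at all. The compatibility table follows standard IOS behaviour: active/passive are LACP modes, desirable/auto are PAgP modes, and "on" is static and only pairs with "on". SAMPLE_SUMMARY is a constructed excerpt in the same shape as the pasted output; group 1 mirrors the poster's, group 2 is invented to show a suspended member.

```python
"""Parse 'show etherchannel summary' output and explain why a group is not
bundling, plus a check of whether the channel-group modes on the two ends of
a link can negotiate.  Added example for the thread, not code from any poster;
SAMPLE_SUMMARY is a constructed excerpt in the shape of the pasted output."""
import re

# Which pairs of channel-group modes form a bundle.  active/passive are LACP,
# desirable/auto are PAgP, "on" is static and only pairs with "on".  Anything
# not listed (passive+passive, auto+auto, on+active, LACP vs PAgP) stays down.
COMPATIBLE_MODES = {
    frozenset({"on"}),
    frozenset({"active"}),
    frozenset({"active", "passive"}),
    frozenset({"desirable"}),
    frozenset({"desirable", "auto"}),
}

# Flag legend as printed in the summary header.
FLAG_MEANING = {
    "D": "down", "P": "bundled in port-channel", "I": "stand-alone",
    "s": "suspended", "H": "hot-standby", "R": "Layer3", "S": "Layer2",
    "U": "in use", "f": "failed to allocate aggregator",
    "M": "minimum links not met", "u": "unsuitable for bundling",
    "w": "waiting to be aggregated", "d": "default port",
}

# "1 Po1(SD) LACP Gi1/0/51(D) Gi1/0/52(D)"
GROUP_RE = re.compile(r"^\s*(\d+)\s+(Po\d+)\(([A-Za-z]+)\)\s+(\S+)\s+(.*)$")
PORT_RE = re.compile(r"([A-Za-z]+\d+(?:/\d+)*)\(([A-Za-z]+)\)")


def modes_bundle(local, remote):
    """True if the channel-group modes configured on each end can form a bundle."""
    return frozenset({local.lower(), remote.lower()}) in COMPATIBLE_MODES


def parse_summary(text):
    """Return one dict per channel group: number, Po name, flags, protocol, members."""
    groups = []
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if not m:
            continue  # header, legend and separator lines
        num, po, po_flags, proto, ports = m.groups()
        members = [(name, set(flags)) for name, flags in PORT_RE.findall(ports)]
        groups.append({"group": int(num), "port_channel": po, "flags": set(po_flags),
                       "protocol": proto, "members": members})
    return groups


def diagnose(group):
    """List human-readable problems for one group; an empty list means healthy."""
    problems = []
    if "D" in group["flags"]:
        problems.append(f"{group['port_channel']} is down")
    for name, flags in group["members"]:
        if "P" in flags:
            continue  # bundled, nothing to report
        problems.append(f"{name}: " + ", ".join(FLAG_MEANING.get(f, f) for f in sorted(flags)))
    return problems


# Constructed sample: group 1 mirrors the poster's output, group 2 is a working
# bundle with one member suspended (typically a trunk/VLAN mismatch on that port).
SAMPLE_SUMMARY = """\
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SD) LACP Gi1/0/51(D) Gi1/0/52(D)
2 Po2(SU) LACP Gi1/0/1(P) Gi1/0/2(s)
"""

if __name__ == "__main__":
    for g in parse_summary(SAMPLE_SUMMARY):
        print(g["port_channel"], diagnose(g) or "healthy")
    print("active/passive bundles:", modes_bundle("active", "passive"))
    print("passive/passive bundles:", modes_bundle("passive", "passive"))
```

A (D) on every member only tells you the physical ports are not up, which is exactly the poster's case; the summary cannot distinguish a mode mismatch from a speed or duplex problem, so "show interface" on the members and the far end's channel-group line are still needed before blaming LACP.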

Sir Sidney Poitier
Aug 14, 2006

My favourite actor


What are the settings on the other side? I had a channel that wouldn't come up not long ago, both sides were set to auto, when one had to be set to passive.

ate shit on live tv
Feb 15, 2004

by Azathoth
Also are the actual member interfaces up/up?

Any logging? What are you trying to port channel to?

Ninja Rope
Oct 22, 2005

Wee.

madsushi posted:

Like I said, sometimes you need to. I once did a massive Visio spelling out every single port in our core chassis and where it went to distribution switches and servers. It was printed out on a huge poster and it's in the wall of our datacenter now. Management wants it, they get it.

For that I use an actual picture of the device and draw on it. Is there even a visio icon for a front view of a 6500, with options for each available blade and unfilled slot? I seem to recall there was but I can't find it now.

some kinda jackal
Feb 25, 2003

 
 
I guess I'm in the minority, but I always think generic network device icons look so much more professional -- and just that much cooler -- than specific device icons :clint:

jwh
Jun 12, 2002

I find product stencils to be distracting, but that's my own opinion.

Minimalism is important when you're working with complex illustrations.

jwh
Jun 12, 2002

Like this:

[diagram attachment]

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR

Anjow posted:

What are the settings on the other side? I had a channel that wouldn't come up not long ago, both sides were set to auto, when one had to be set to passive.

Yeah.

I need to start being an rear end in a top hat and assuming that it's not my fault.

"Oh, you know how I told you everything was auto? Well... I need you to hard code stuff. I just realized I have to set speed on our side and that's probably why you're still down."

Of course, this comes after 2 hours of me wondering WTF is going on with my side.

ate shit on live tv
Feb 15, 2004

by Azathoth

jwh posted:

Like this:



Perfect except for the wirehops. Since it is unusual that wires actually touch (in network diagrams never) you can just have the wires cross. If they do actually touch, then you can denote that with a dot on the intersection. Also use colors for the wires that are different than the lines of the elements, or at least a different line weight.

ate shit on live tv fucked around with this message at 20:56 on Mar 14, 2012

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

adorai posted:

Given our minimal need of 10Gbe it's more or less impossible to justify going Nexus 5k, it's simply too damned expensive. The 4900 series appears to be quite expensive as well. Do we have any other alternatives?
So coming back to this. I have manipulated the quote from my partner considerably, and I am at the point where I think I know what I want to buy, but want to get some feedback. Our original quote had us replacing our existing VMware switch stack with 2x 5548s and 2x 2224s. Instead, I have worked out that I can purchase 10Gbe HBAs for all of our VMware servers and our NetApp as part of a refresh, buy 2x 5548s and 0x 2224s, and my price with all necessary SFPs and a year of smartnet is around $35k. The biggest downside is that some of our random servers will continue to be served by 2x procurve gigabit switches connected to our new nexus switches only by one 1Gbe fiber link each.

Without knowledge of my environment, am I stupid for getting the 5548s without the 2224s? It knocks over $8k off my price when including smartnet.

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR
Particular software you rendered that with?

abigserve
Sep 13, 2009

this is a better avatar than what I had before

jwh posted:

Like this:



What do the squares represent in this diagram?

workape
Jul 23, 2002

Are you using actual optical SFP's for 10G? If so, why aren't you using twinax for your 10G connectivity? That should save you sufficient cash that you could likely get the FEX's that you want to pick up.

lol internet.
Sep 4, 2007
the internet makes you stupid
Trying to use GNS3 for cisco testing. I can't seem to use the crypto command, any reason why?

It doesn't appear as an option when I type ? in the CLI.

I was testing this with a c3640 router on the C3640-is-mz.122-1.image

nzspambot
Mar 26, 2010

lol internet. posted:

Trying to use GNS3 for cisco testing. I can't seem to use the crypto command, any reason why?

It doesn't appear as an option when I type ? in the CLI.

I was testing this with a c3640 router on the C3640-is-mz.122-1.image

That image doesn't support crypto; you'll need to search the :filez: for something with a k8/k9 in it eg:

c3640-js-mz.122-1.bin = no crypto
c3640-jk9s-mz.122-1.bin = crypto

use http://tools.cisco.com/ITDIT/CFN/Dispatch?showAllSoftware=true to find what you need to "find

edit:

IP PLUS c3640-is-mz.122-1.bin = what you have
IP PLUS IPSEC 3DES c3640-ik9s-mz.122-1.bin = what you need

nzspambot fucked around with this message at 07:54 on Mar 15, 2012

jwh
Jun 12, 2002

abigserve posted:

What do the squares represent in this diagram?

Servers or appliances.

ate shit on live tv
Feb 15, 2004

by Azathoth
Is there a way to combine port-security with a default err-disable?

What I want to do is have a port secured with sticky-mac, and if it ever loses link to automatically err-disable.

We have IP Phones in public/unmonitored areas and right now someone can just unplug the phone and plug in their laptop and happily have access to the whole network. Yes I know that 802.1x is the "right" way to do this, but that is not something you can just roll out without significant planning and cooperation of all the various organizations.

Any ideas?

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k

Powercrazy posted:

Is there a way to combine port-security with a default err-disable?

What I want to do is have a port secured with sticky-mac, and if it ever loses link to automatically err-disable.

We have IP Phones in public/unmonitored areas and right now someone can just unplug the phone and plug in their laptop and happily have access to the whole network. Yes I know that 802.1x is the "right" way to do this, but that is not something you can just roll out without significant planning and cooperation of all the various organizations.

Any ideas?

This will shutdown the interface if someone tries to unplug the phone and plug something else in..

switchport port-security maximum 1
switchport port-security violation shutdown
switchport port-security

ate shit on live tv
Feb 15, 2004

by Azathoth
That is easily defeatable by changing your mac-address to match the phone's (which is conveniently stamped on the phone).

wolrah
May 8, 2006
what?

Powercrazy posted:

That is easily defeatable by changing your mac-address to match the phone's (which is conveniently stamped on the phone).

This also gains you access to the "Voice VLAN" if configured on quite a few switches. Every one I've bothered to take a look at does it based on the first six of the phone's MAC. Set your computer to 00:04:F2:xx:xx:xx (Polycom) or 00:13:C4:xx:xx:xx (Cisco 79x0) and magically you're a phone.
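Sepist's three-line port-security snippet above shuts the port when a second MAC shows up, and the two posts after it explain the limit: a host that copies the phone's MAC (or just its OUI, for switches that assign the voice VLAN by prefix) raises no violation at all. The defender's complement is to watch what the switch logs. As an added example, not code from any poster, here is a Python script that turns IOS syslog lines into alerts: port-security violations, the err-disable that follows, and link-down on ports that should have a phone on them, which is the "phone got unplugged" event Powercrazy wanted to act on. The log lines are constructed samples in the format IOS uses for these messages, PHONE_PORTS is an assumed list for this example, and the two OUIs are the ones quoted above.

```python
"""Watch Cisco IOS syslog for the events the port-security discussion is
about: violations, the resulting err-disable, and link-down on phone ports.
Added example, not code from any poster.  SAMPLE_LOG lines are constructed in
the format IOS uses for these messages; PHONE_PORTS is an assumption."""
import re

# Vendor prefixes named in the thread.  A violating MAC with one of these is
# either a genuine phone being swapped or a host that copied a phone's address;
# either way someone should look at that port.
PHONE_OUIS = {"00:04:f2": "Polycom", "00:13:c4": "Cisco 79x0"}

# Ports with phones in unmonitored areas (assumed for this example).
PHONE_PORTS = {"GigabitEthernet1/0/7", "GigabitEthernet1/0/9"}

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address "
    r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}) on port (\S+?)\.?$")
ERRDISABLE_RE = re.compile(r"%PM-4-ERR_DISABLE: (\S+) error detected on (\S+), putting")
LINKDOWN_RE = re.compile(r"%LINK-3-UPDOWN: Interface (\S+), changed state to down")


def normalise_mac(dotted):
    """IOS dotted form (0013.c4ab.cdef) -> colon form (00:13:c4:ab:cd:ef)."""
    digits = dotted.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_line(line):
    """Classify one syslog line; returns an event dict, or None if irrelevant."""
    line = line.rstrip()
    if m := VIOLATION_RE.search(line):
        mac = normalise_mac(m.group(1))
        return {"type": "violation", "port": m.group(2), "mac": mac,
                "phone_oui": PHONE_OUIS.get(mac[:8])}
    if m := ERRDISABLE_RE.search(line):
        return {"type": "errdisable", "cause": m.group(1), "port": m.group(2)}
    if m := LINKDOWN_RE.search(line):
        return {"type": "linkdown", "port": m.group(1)}
    return None


def alerts(lines):
    """Reduce raw syslog lines to the short alert strings an on-call person wants."""
    out = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["type"] == "violation":
            text = f"port-security violation on {ev['port']} by {ev['mac']}"
            if ev["phone_oui"]:
                text += f" (phone OUI {ev['phone_oui']}: phone swap or copied address)"
            out.append(text)
        elif ev["type"] == "errdisable":
            out.append(f"{ev['port']} err-disabled ({ev['cause']})")
        elif ev["type"] == "linkdown" and ev["port"] in PHONE_PORTS:
            out.append(f"phone port {ev['port']} lost link")
    return out


# Constructed sample log: a violation and its err-disable on Gi1/0/7, a phone
# port losing link on Gi1/0/9, and an unrelated desk port going down.
SAMPLE_LOG = [
    "Mar 15 19:10:02.113: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
    "occurred, caused by MAC address 0013.c4ab.cdef on port GigabitEthernet1/0/7.",
    "Mar 15 19:10:02.120: %PM-4-ERR_DISABLE: psecure-violation error detected on "
    "Gi1/0/7, putting Gi1/0/7 in err-disable state",
    "Mar 15 19:12:44.501: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/9, changed state to down",
    "Mar 15 19:13:01.002: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/20, changed state to down",
]

if __name__ == "__main__":
    for alert in alerts(SAMPLE_LOG):
        print(alert)
```

The link-down watch is the part that matters for the spoofing case: an exact clone of the phone's MAC never produces a violation, so the only trace of the swap is the port briefly dropping link, which is also why 802.1x, already named in the thread as the proper fix, is the control that actually closes the gap.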

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
Welp,

use VACL's to block all traffic except VoIP?

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

Powercrazy posted:

That is easily defeatable by changing your mac-address to match the phone's (which is conveniently stamped on the phone).

They make hardware boxes you can put on the wall jacks. Quite common in public areas.

Edit: Hoffman Box is what we've used from time to time.

H.R. Paperstacks fucked around with this message at 19:23 on Mar 15, 2012

CrazyLittle
Sep 11, 2001





Clapping Larry

Sepist posted:

Welp,

use VACL's to block all traffic except VoIP?

I do wonder why offices would bother setting up a voice vlan if regular traffic isn't blocked on that VLAN as well.

wolrah
May 8, 2006
what?

CrazyLittle posted:

I do wonder why offices would bother setting up a voice vlan if regular traffic isn't blocked on that VLAN as well.

A lot of phones use TFTP to autoconfigure from a machine set in DHCP option 66. This is also used for PXE booting PCs. If you can't or don't feel like setting up your boot server to handle both or different DHCP options for different devices, just put them on their own VLAN and problem solved. Same thing if the customer has a data router they can't or won't give up but which does not handle voice well, a voice VLAN makes it really easy to add a second router for voice without having to change anything on the existing network.

If you're thinking about it from that side of things, it's just making your life easier and the security aspect might not even come up.

Also if someone's on your voice network they can still capture credentials from a config file (either sniffing during a phone boot or just pretending to be a phone themselves and requesting them from the server) since while most phones support config encryption it's generally a real pain to set up and doesn't work with most config management systems. Now they can register to your PBX as one of your phones and look just like any other internal caller.

ate shit on live tv
Feb 15, 2004

by Azathoth

CrazyLittle posted:

I do wonder why offices would bother setting up a voice vlan if regular traffic isn't blocked on that VLAN as well.

The other advantage of a voice vlan is allowing you to save on ports. Once you have IP Phones rolled out, instead of needing a PC port and a Phone port, all you need is a phone port, and the PC plugs into the phone. Network segregation is also useful for applying end-to-end QoS in order to prioritize latency sensitive traffic.

Security is NEVER a reason to use VLANs.

CrazyLittle
Sep 11, 2001





Clapping Larry
Right - agreed on all accounts. My point is that if you're going to go to the effort to establish a voice VLAN, why not take the extra few minutes to block unrelated traffic? If you allow unrelated traffic on the voice VLAN then you're also allowing people to break your QoS policies by masquerading as a phone to download their sweet sweet porn at prioritized status.

ate shit on live tv
Feb 15, 2004

by Azathoth
This is true, however you can't get to the internet from our voice vlan, nor can you join the domain. You can get an IP and get everywhere, but for the user who wants to masquerade as a phone for QoS purposes he is wasting his time.

If he wants to do something illicit, well, that is what I'm trying to solve. Oh also our IP Phones are the ones that do the QoS tagging, so even if you were in the Voice Vlan, you still won't get prioritization over the WAN.

ruro
Apr 30, 2003

Ultimately if someone has physical access to your network port all you can do is lock it down as best you can. Having said that I find it odd that you have a phone in an area not monitored or at least periodically checked by building security (if you have any), that's just asking for trouble.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

ruro posted:

Ultimately if someone has physical access to your network port all you can do is lock it down as best you can. Having said that I find it odd that you have a phone in an area not monitored or at least periodically checked by building security (if you have any), that's just asking for trouble.

Why not just use port security on that one port and be done with it?

ate shit on live tv
Feb 15, 2004

by Azathoth

Tremblay posted:

Why not just use port security on that one port and be done with it?

I'd love to. But how would you "lock down" that port.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k

Powercrazy posted:

I'd love to. But how would you "lock down" that port.

After much research I've determined the best solution for you is to put a shotgun in the wall with the trigger tied to the ethernet jack on the phone, soon as they pull it they get shot to death. I think you need to put a sign up letting them know though

ate shit on live tv
Feb 15, 2004

by Azathoth
Yea. That is basically what I was thinking oh well. Time to embrace security theater, and maybe push 802.1x on the side.

Boner Buffet
Feb 16, 2006
even though it's a small business switch and I can't expect much, the configuration interface for the cisco 300 series was designed by someone about to die from an OD of heroin.

wolrah
May 8, 2006
what?

Boner Buffet posted:

even though it's a small business switch and I can't expect much, the configuration interface for the cisco 300 series was designed by someone about to die from an OD of heroin.

Oh goodie. I have one of those (SF300-24P) coming in for a customer tomorrow. They lost their only PoE switch capable of both Prestandard and 802.3af and this was the most desirable (read: cheapest) replacement option. At least they don't use any managed switch features, it's just there for the PoE, so I should only have to deal with it if I need to remote reboot them.

Is it just the same old SRW224G4P interface or did they somehow make it worse after the Cisco rebranding?


Tremblay
Oct 8, 2002
More dog whistles than a Petco

Powercrazy posted:

I'd love to. But how would you "lock down" that port.

Hard code the MAC into the port configuration and only allow one auth'd MAC per that port. Any violation will shutdown the port (default action). I seem to be missing something... 802.1x will work it just seems overkill for this.
