adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

Tremblay posted:

Hard code the MAC into the port configuration and only allow one auth'd MAC per that port. Any violation will shutdown the port (default action). I seem to be missing something... 802.1x will work it just seems overkill for this.
I think his concern was that the MAC is printed right on the phone, so it would be easy to clone.


some kinda jackal
Feb 25, 2003

Short of implementing NAC, you could theoretically put the switch into a known-good state and set up an SNMP trap system to send a shutdown to ifAdminStatus OID if it detects the port going down for any unknown reason. That way if anyone unplugs the phone you'd have to intervene to get the port back online.

I mean that would be an absolute hellish nightmare, but I guess if we're just throwing things out. If you can't trust MAC and don't want to go full out NAC then you're basically going to have to go into paranoid mode where you panic at the first sign of anyone pulling an ethernet cable.

some kinda jackal fucked around with this message at 12:50 on Mar 19, 2012

ate shit on live tv
Feb 15, 2004

by Azathoth
That idea is exactly what I want to implement, but I don't think there is a way to do that without an rw snmp string.

There are only 4 public phones that I care about, so I would only implement these security measures on those 4 ports.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

adorai posted:

I think his concern was that the MAC is printed right on the phone, so it would be easy to clone.

Fair but not a massive problem. This would knock out the stupid people. Port status could be monitored by the NMS. Have it send crit alerts when the port state flips. Do you guys have an IPS/IDS?

some kinda jackal
Feb 25, 2003


Powercrazy posted:

That idea is exactly what I want to implement, but I don't think there is a way to do that without an rw snmp string.

Not unless you want to do something crazy hacky like set up a telnet script. But you'd have to hardcode all your passwords and things in there which sounds like a bad security practice.

You're probably boned either way you do it.
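The "shut the port when the phone goes away" idea does not actually need a read-write SNMP community if the switch does the work itself. The following is an added example, not something posted in the thread, and it assumes a Cisco IOS switch with Embedded Event Manager and a hypothetical public-phone port GigabitEthernet1/0/5. The applet watches syslog for the link-down message on that one interface and administratively shuts it, so whatever gets plugged back in stays dark until an admin issues no shutdown.

```cisco
! Added example (not from the thread). Port name is an assumption.
! Make sure link transitions on the phone port are logged so the event fires.
interface GigabitEthernet1/0/5
 description Public phone - lobby
 logging event link-status
!
event manager applet PHONE-PORT-GI1-0-5-DOWN
 ! Match the link-down syslog line for this interface only.
 ! The applet's own 'shutdown' produces LINK-5-CHANGED ("administratively down"),
 ! not LINK-3-UPDOWN, so it does not re-trigger itself.
 event syslog pattern "LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to down"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface GigabitEthernet1/0/5"
 action 4.0 cli command "shutdown"
 action 5.0 cli command "end"
 action 6.0 syslog priority critical msg "Gi1/0/5 (public phone) link lost; port administratively disabled pending manual review"
!
! Recovery is deliberately manual: an admin must enter 'no shutdown' on the port.
! Verify registration with: show event manager policy registered
```

The syslog action at the end is what your NMS should alert on (it is a critical-priority message, so a normal syslog trap or collector will pick it up). The obvious caveat from later in the thread applies: every phone reboot or cable wiggle also trips this, so only use it on the handful of ports where that is acceptable.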

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR
Implement port security and scratch out the MAC address label? :P

ate shit on live tv
Feb 15, 2004

by Azathoth

Tremblay posted:

Fair but not a massive problem. This would knock out the stupid people. Port status could be monitored by the NMS. Have it send crit alerts when the port state flips. Do you guys have an IPS/IDS?

Like the situation at most large financial companies, doing anything correctly requires a herculean effort, so while we have an IDS/IPS they are controlled by some other terrible bureaucratic group, so I can't actually use those tools effectively to actually DO anything.

Oh well, the imperfect solution of sticky-mac will have to work.
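For the record, the sticky-MAC port-security configuration being settled on above looks like this on a Catalyst. This is an added example, not config from the thread; the port range, VLAN IDs and descriptions are assumptions. The port learns the first MAC it sees, writes it into the running config, and err-disables on anything else.

```cisco
! Added example (not from the thread). Port names and VLAN IDs are assumptions.
interface range GigabitEthernet1/0/5 - 8
 description Public phones
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 120
 ! Learn the first MAC seen and keep it in the running config ("sticky")
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 ! Any other MAC err-disables the port; recovery is manual
 switchport port-security violation shutdown
 ! A phone is an edge device: no STP participation, and a switch behind it trips bpduguard
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Do NOT configure 'errdisable recovery cause psecure-violation' on these ports
! if you want a human to look before the port comes back.
!
! After the phones have booted once:
!   show port-security address          (confirm the four learned MACs)
!   show port-security interface Gi1/0/5
!   write memory                        (sticky entries only persist if you save)
```

Two things to check before trusting it: the learned sticky entries live in the running config, so save once the phones have registered or a reload forgets them; and if a lone phone trips the maximum of 1 (some handsets send untagged frames before CDP/LLDP hands them the voice VLAN), raise it with per-VLAN maxima (switchport port-security maximum 1 vlan access plus maximum 1 vlan voice) rather than loosening it globally. This still does nothing against someone who reads the MAC off the phone and spoofs it, which is the point made earlier in the thread.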

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR

jwh posted:

Like this:



Is there a specific program you use to make this?

wolrah
May 8, 2006
what?

Zuhzuhzombie!! posted:

Implement port security and scratch out the MAC address label? :P

Obviously tongue-in-cheek, but if anyone takes it seriously unfortunately the MAC is used for autoconfiguration on every VoIP phone I've ever touched, so scratching it out just makes the admins' lives harder. Also, device status menus are almost always wide open for anyone to push a few buttons and have the MAC show up on the display. Polycoms and IIRC Snoms even display it as part of the boot process.

MAC-based security is pretty much universally a stupid idea.


I'm actually not sure what the right answer is, since the attacks made famous by the Pwn Plug recently seem like they'll work anywhere one can gain physical access to a port used by a trusted device. Martytoof's auto-shutdown idea would work, but obviously would make for a hell of a headache when machines need to be rebooted.

ate shit on live tv
Feb 15, 2004

by Azathoth
It won't be too bad since it is <5 phones. If we ever have to scale higher than that, then 802.1x is the only solution that I know of.

Also the first "solution" that someone told me was to scratch the MAC off. Security through obscurity :eng99:

ior
Nov 21, 2003

What's a fuckass?

Powercrazy posted:

It won't be too bad since it is <5 phones. If we ever have to scale higher than that, then 802.1x is the only solution that I know of.

Also the first "solution" that someone told me was to scratch the MAC off. Security through obscurity :eng99:

How about auto smartports? When the switch detects a phone through LLDP/CDP it configures the port accordingly (clearing the config on link down). Then you can make a secondary macro that is used if it cannot identify a phone - placing the PC / whatever in a dead VLAN perhaps?

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/54sg/configuration/guide/automacr.html

Partycat
Oct 25, 2004

Zuhzuhzombie!! posted:

ICOMM - Introduction to Cisco Voice and UC Administration
CVoice - Implementing Cisco Unified Communications Voice over IP and QoS

I took "ICOMM" or "ACCMU" or whatever it was. I assume every training class has:

- idiots
- jerks

so I ended up with people at the course who seemed to just be using a computer for the first time, and several people who played iPhone and asked the lecturer stupid questions. It was like a flash back to college.

If you've done basic system administration for MACs, maybe poked a route pattern, setup some Unity mailboxes and basic integration, then you probably shouldn't waste your time on that. They spent about 15 seconds on packet structure, codec, etc, and moved right on to point 'n click. And when I took it, it was CUCM 6, we had just moved off of 4, and now we're on 8 which has an entirely new pile of things.

CVoice is the pro one as far as I can tell, and then you go out and take the CCNA Voice is what I figured. Since I rarely get into it, I haven't bothered, and the deployment guides for the UCM anyways explain much. Unity can go eat it though.

citywok
Sep 8, 2003
Born To Surf
We have a 12mbit MPLS connection which also services our internet. If one person downloads something big it can cause our latency to jump to 800ms, so I'm looking for a way to rate limit every device to a max of 2 or 3mbit so no one user can saturate the connection.

What is the best way to do this?

Partycat
Oct 25, 2004

wolrah posted:

Oh goodie. I have one of those (SF300-24P) coming in for a customer tomorrow. They lost their only PoE switch capable of both Prestandard and 802.3af and this was the most desirable (read: cheapest) replacement option. At least they don't use any managed switch features, it's just there for the PoE, so I should only have to deal with it if I need to remote reboot them.

Is it just the same old SRW224G4P interface or did they somehow make it worse after the Cisco rebranding?

I have a growing number of SG300-24Ps. I'm not sure about heroin but the web interface is about on par for web interfaces for these things. The CLI menu is utterly pointless and needs to be shot. Also I like the "console only" management ACL you can enable, prompting you to have to go to the device and use the console to undo this action. Or, pull the cord since you can't save to apply that if you weren't already using the console in the first place.

Upgrade the software. Note the caveats in the 1.1.1.8 release notes. There are 1.1.2.0 notes if you look but they don't really seem to change anything. This gives you an "IOS like" CLI which you can frustrate yourself with.

The device can do much of what Cisco's limited edge devices can, but, it's not completely feature packed. If you look at the running config you will have a stroke, but, you can apply configuration commands with ranges or in blocks, it just prints each setting in individual interface config blocks for some reason.

VoIP on these used the OUI method but, at least now (didn't dare try it in the terrible stock firmware) you can turn on an auto smartport to pick up on the CDP/LLDP phone capabilities, and run a macro that applies the voice vlan to the port.

There are some other quirks to these but they are not the worst thing in the world, and leagues better than whatever office depot unit the departments would have come up with on their own. So far so good.

Partycat
Oct 25, 2004

Anjow posted:

What are the settings on the other side? I had a channel that wouldn't come up not long ago, both sides were set to auto, when one had to be set to passive.

You can run both sides active. It will just be... active instead of listening for LACP PDUs first. While my understanding is that LACP is "off" while there is only one active member in the channel group, I am able to use that as a tagged link with a single port for recovery purposes if something blows up. If it were suspended, that obviously wouldn't do me any good.

Then again, I've seen LACP implode on a resource constrained switch. It would be nice to have the other side suspend itself, but, it may not anyways.

Xenomorph
Jun 13, 2001
Cisco ASA 5505

I'd like to do port forwarding on the Firewall. We want to enable SSH access from the outside, but not on the default port. We have a bunch of users accessing a system via the default port on the inside, so we didn't want to change it on the system itself, just for external users to get to it.

external.address.com:222 -> external.address.com:22

Is that possible with just an access rule?

ior
Nov 21, 2003

What's a fuckass?

Partycat posted:

This gives you an "IOS like" CLI which you can frustrate yourself with.

I have to disagree, if you are familiar with IOS then the SG300s will be a breeze to configure. The only caveat is the 'switchport default-vlan tagged' which you will not be familiar with.

Proper config to trunk VLANS 1,2,3 as tagged and 10 as native:
code:
srvswitch#sh run int gi6
interface gigabitethernet6
 description WLC
 lldp med disable
 switchport default-vlan tagged
 switchport trunk allowed vlan add 2-3
 switchport trunk native vlan 10
!

CrazyLittle
Sep 11, 2001

Clapping Larry

Xenomorph posted:

Cisco ASA 5505

I'd like to do port forwarding on the Firewall. We want to enable SSH access from the outside, but not on the default port. We have a bunch of users accessing a system via the default port on the inside, so we didn't want to change it on the system itself, just for external users to get to it.

external.address.com:222 -> external.address.com:22

Is that possible with just an access rule?

Are you trying to change the SSH port for ssh access to the ASA or are you trying to change the SSH port # for a static nat translation?

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
I don't think you can change the port the ASA listens on for ssh. if this is some attempt at security, lock it down to specific IPs.

Harry Totterbottom
Dec 19, 2008

Xenomorph posted:

Cisco ASA 5505

I'd like to do port forwarding on the Firewall. We want to enable SSH access from the outside, but not on the default port. We have a bunch of users accessing a system via the default port on the inside, so we didn't want to change it on the system itself, just for external users to get to it.

external.address.com:222 -> external.address.com:22

Is that possible with just an access rule?

You have to do PAT to pull that off. I think you also want to do something more like

external.address.com:222 -> dmz.address.com:22 or inside.address.com

What version are you running on the ASA?

Or are you talking about enabling SSH from the outside to the ASA? If so, don't. Configure an IPSec VPN instead and connect inside then ssh into the firewall.
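Assuming the goal is the second reading above (outside:222 forwarded to an inside host's sshd on 22, not SSH to the ASA itself), this is the static PAT the replies are describing. It is an added example, not something posted in the thread, and it assumes ASA 8.3 or later object-NAT syntax, an inside host 10.0.0.10, and a trusted remote range 203.0.113.0/24; all of those are made up. Note that post-8.3 access lists reference the real (untranslated) address and port.

```cisco
! Added example (not from the thread). Addresses and object names are assumptions.
! Inside host that already listens on tcp/22 for the internal users.
object network SSH-HOST
 host 10.0.0.10
 ! Static PAT: <outside interface IP>:222 -> 10.0.0.10:22
 nat (inside,outside) static interface service tcp 22 222
!
! Only a known remote range may reach it, and only on that service.
object network TRUSTED-REMOTE
 subnet 203.0.113.0 255.255.255.0
!
! 8.3+ rule: match the REAL destination and REAL port, not the translated ones.
access-list OUTSIDE_IN extended permit tcp object TRUSTED-REMOTE object SSH-HOST eq 22
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Verify the translation and the ACL hit in one go (198.51.100.1 = assumed outside IP):
!   show nat detail
!   packet-tracer input outside tcp 203.0.113.5 40000 198.51.100.1 222
```

If what you actually wanted was SSH to the ASA, the port cannot be moved; restrict the source instead (ssh 203.0.113.0 255.255.255.0 outside) or, as suggested above, come in over the VPN and manage it from the inside.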

ruro
Apr 30, 2003

citywok posted:

We have a 12mbit MPLS connection which also services our internet. If one person downloads something big it can cause our latency to jump to 800ms, so I'm looking for a way to rate limit every device to a max of 2 or 3mbit so no one user can saturate the connection.

What is the best way to do this?
It's going to be easier to decide how much of your bandwidth to allocate to Internet traffic and police or shape all traffic from the Internet to that rate than to try to do it per-user. Unless you happen to have a platform that supports micro-flow policing in path between your 12mbps pipe and your users? That seems unlikely though, given the link speed. Another possibility is to classify Internet traffic to a unique DSCP/CoS value and shape it to 2 or 3 mbps on each user switch port, but that is a lot of effort compared to just shaping/policing organisation wide.

Tunga
May 7, 2004

Grimey Drawer
I have a BT Hub (modem/router) thing that came with our 8Mb ADSL line, and a Cisco ASA 5505 that I need to use to create a VPN connection to our head office.

I do customer facing support and sometimes swap people's crumb-filled keyboards out for new ones. I'm not a network engineer but naturally it all got dumped on me because I am "the computer guy". I have a decent understanding of networking from personal experience so I know what I need it to do but just can't get it working.

I connect the ASA to the Hub and it gets an IP from DHCP. We have five external IPs, but as soon as I assign one to the ASA, the ASA just disappears from the network and the router says it can't see it.

I forwarded an IP to my own desktop machine and it worked fine, so as far as I can tell the Hub is doing its thing fine.

I've tried putting the ASA on the static IP that I want and on DHCP but neither works, it just doesn't get an IP from the Hub or doesn't like the way that it is getting it, I don't really know.

A different but possibly related issue: if I try to change the internal IP or DHCP range on the ASA it just disappears entirely and nothing can connect to it until I hard reset it.

I don't really know what I'm doing and I doubt anyone can help much without actually seeing what is happening but I figured it was worth a post.

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR
WAP question.

Have a customer with a LAN made up of three 3750s in different locations trunked together. Got a WLC for vlan 130 and ip range 192.168.130.0. .5 is the IP on the WLC.

In one of the locations the WAP stopped working. It would cycle through red/amber/green constantly and quickly. I figured WAP was bad as tech took a working WAP from another location and plugged it in and it was working.

I took them a brand new, boxed, WAP. Exact same problem. They swapped the new but not working WAP for one that was working at a different location. That one works at disabled WAPs location and the non working WAP doesn't work at the working WAP's previous location.

It also cycles through colors very quickly. The ethernet and radio LED will be green momentarily and then turn off or go amber. The WAP will broadcast a radio signal for about 10 seconds before it turns from green to the cycle.

Any ideas before I drive way out there myself?

ior
Nov 21, 2003

What's a fuckass?

Zuhzuhzombie!! posted:

WAP question.

Have a customer with a LAN made up of three 3750s in different locations trunked together. Got a WLC for vlan 130 and ip range 192.168.130.0. .5 is the IP on the WLC.

In one of the locations the WAP stopped working. It would cycle through red/amber/green constantly and quickly. I figured WAP was bad as tech took a working WAP from another location and plugged it in and it was working.

I took them a brand new, boxed, WAP. Exact same problem. They swapped the new but not working WAP for one that was working at a different location. That one works at disabled WAPs location and the non working WAP doesn't work at the working WAP's previous location.

It also cycles through colors very quickly. The ethernet and radio LED will be green momentarily and then turn off or go amber. The WAP will broadcast a radio signal for about 10 seconds before it turns from green to the cycle.

Any ideas before I drive way out there myself?

Sounds like your controller discovery is failing. (though my head hurts from trying to figure out all possible scenarios from your explanation).
Make sure you have either DHCP option 43 or a DNS domain name lookup (namely CISCO-CAPWAP-CONTROLLER.localdomain / CISCO-LWAPP-CONTROLLER.localdomain) working from all locations so that the APs can find their way home. (assuming the APs are in a different L3 network than the controller)

If all the APs are in the same l2 domain as the controller AND you have a 4400 or 2100 controller, make sure you have blocked the ap-manager ip address from being handed out by DHCP.

ior fucked around with this message at 17:02 on Mar 20, 2012
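For the DHCP option 43 route mentioned above, here is what the pool looks like on an IOS switch or router acting as the DHCP server. This is an added example, not config from the thread; the pool name, gateway, DNS server and exclusion range are assumptions, while 192.168.130.5 is the controller address given earlier. Cisco APs expect option 43 as a single TLV: type 0xf1, length 4 per controller, then each controller IP as four hex bytes.

```cisco
! Added example (not from the thread). Pool, gateway and DNS values are assumptions;
! 192.168.130.5 is the WLC management IP from the thread.
! Keep the WLC (and, on 4400/2100 controllers, the ap-manager address) out of the pool.
ip dhcp excluded-address 192.168.130.1 192.168.130.20
!
ip dhcp pool AP-VLAN130
 network 192.168.130.0 255.255.255.0
 default-router 192.168.130.1
 dns-server 192.168.1.10
 ! TLV: f1 = Cisco AP controller option, 04 = 4 bytes (one controller),
 ! c0a8.8205 = 192.168.130.5. Two controllers would be f108 followed by both IPs.
 option 43 hex f104.c0a8.8205
!
! Fallback when the AP gets a domain name: it resolves
!   CISCO-CAPWAP-CONTROLLER.<domain>   (older LWAPP code: CISCO-LWAPP-CONTROLLER.<domain>)
! Hard-coding on the AP console instead: capwap ap controller ip address 192.168.130.5
!
! Verify:  show ip dhcp binding            (AP got a lease from this pool)
!          show capwap client rcb          (on the AP: which controller it learned)
```

If the APs share the L2 domain with the controller they will also find it by broadcast, so option 43 mostly matters for the remote sites; but having it everywhere removes one variable when a site starts cycling LEDs like the one described.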

jwh
Jun 12, 2002

Zuhzuhzombie!! posted:

Is there a specific program you use to make this?

Visio

jwh
Jun 12, 2002

Zuhzuhzombie!! posted:

In one of the locations the WAP stopped working.
What is that WAP plugged into?

citywok
Sep 8, 2003
Born To Surf

ruro posted:

It's going to be easier to decide how much of your bandwidth to allocate to Internet traffic and police or shape all traffic from the Internet to that rate than to try to do it per-user. Unless you happen to have a platform that supports micro-flow policing in path between your 12mbps pipe and your users? That seems unlikely though, given the link speed. Another possibility is to classify Internet traffic to a unique DSCP/CoS value and shape it to 2 or 3 mbps on each user switch port, but that is a lot of effort compared to just shaping/policing organisation wide.

It is QoS'd, the issue is one user can make the internet slow for the entire office by downloading just one file, or by running windows update. It's odd, but a 10mbit download stream from windows update can cause an 800ms ping for everybody making the internet pretty brutal. This is why I was thinking of limiting each user so it would only give them an 800ms ping and everybody else would be okay.

jwh
Jun 12, 2002

That's not odd at all, that's more or less the expected behavior. As utilization increases, queuing delay increases, and latency increases.

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR

jwh posted:

What is that WAP plugged into?

A 3750 interface with the correct vlan. Vlan 130 and the 130.0 /24 range. Vlan 130 is trunked to the WLC on another switch. All switches are trunked together and are not pruning vlans.

wolrah
May 8, 2006
what?

Partycat posted:

Cisco 300 stuff...

Thanks for the info. It got delayed and finally came in yesterday, but my boss wanted to get it out to the customer ASAP so I only got the chance to upgrade the firmware (it still had a 2010 firmware which did not support Prestandard PoE) and set up SNMP. I haven't touched the CLI but the web UI, as lovely as it is, is leaps and bounds beyond the old Linksys SRW line this thing apparently descends from.

I discovered also that if you change the password as prompted to on first login, but then don't save the change (I wasn't expecting that based on previous SRW experience), upgrading the firmware results in an inaccessible device which you then have to factory reset.

evil_bunnY
Apr 2, 2003

So Cisco is bringing out a new 10gbe switch with decent density and not quite as $kidney as the nexus stuff. But no deliveries before summer :mad:

ruro
Apr 30, 2003

citywok posted:

It is QoS'd, the issue is one user can make the internet slow for the entire office by downloading just one file, or by running windows update. It's odd, but a 10mbit download stream from windows update can cause an 800ms ping for everybody making the internet pretty brutal. This is why I was thinking of limiting each user so it would only give them an 800ms ping and everybody else would be okay.
Ahh, you meant 800ms to/from the Internet only?

If you're already running end-to-end QoS internally and your Internet traffic has a unique DSCP or CoS marking you could configure an egress queue on your access switches for use by Internet traffic only and then shape it? This will probably only work properly on 10/100 access switches though.

E.g., Internet is sole user of CoS 1:
code:
mls qos srr-queue output cos-map queue 4 threshold 3 1
!
interface FastEthernet0/1
 srr-queue bandwidth shape 25 0 0 2
! 25 is the default for the priority queue; remove it if you don't use it.

Alternatively you'd probably need some sort of proxy to do it.

Langolas
Feb 12, 2011

My mustache makes me sexy, not the hat

evil_bunnY posted:

So Cisco is bringing out a new 10gbe switch with decent density and not quite as $kidney as the nexus stuff. But no deliveries before summer :mad:

More info? I haven't heard anything about this yet and we are looking at a bunch of 5k's or 3k's for 10gb right now

evil_bunnY
Apr 2, 2003

Our rep seemed to hint at a 4500 but with just SFP+.
I really wish we could get some non-cisco stuff since I have 0 need for the nexus specific features. The most advanced poo poo I need is cross stack etherchannel.

ior
Nov 21, 2003

What's a fuckass?

evil_bunnY posted:

Our rep seemed to hint at a 4500 but with just SFP+.
I really wish we could get some non-cisco stuff since I have 0 need for the nexus specific features. The most advanced poo poo I need is cross stack etherchannel.

Langolas posted:

More info? I haven't heard anything about this yet and we are looking at a bunch of 5k's or 3k's for 10gb right now

4500-X, 1U, 40 port SFP+ with VSS support!

http://www.cisco.com/en/US/products/ps12332/index.html

evil_bunnY
Apr 2, 2003

ior posted:

4500-X, 1U, 40 port SFP+ with VSS support!
:frogsiren: Now if only they'd be able to actually sell one to me.

Partycat
Oct 25, 2004

ior posted:

The only caveat is the 'switchport default-vlan tagged' which you will not be familiar with.

Well it's not terrible, there are just some things which are in a different place, but, it is understandable anyways. The smartports are just a bit of a pain for me since I haven't had to deal with them, but, with VoIP here it seems that isn't much of an option to avoid them.

What's the purpose of that command you listed? Wouldn't you normally not tag the PVID?

Partycat
Oct 25, 2004

wolrah posted:

Thanks for the info. It got delayed and finally came in yesterday, but my boss wanted to get it out to the customer ASAP so I only got the chance to upgrade the firmware (it still had a 2010 firmware which did not support Prestandard PoE) and set up SNMP.

Good to know about the password. I could set the password via the web, but, when I entered the password I wanted into the CLI, it whined about complexity. I pasted the hash of the non-complex password and it shut up, which it should since it's a hash.

With SNMP you have to pick a version, or don't, but, I couldn't define a string to be V1 AND V2 with groups, it's one or the other. With basic it doesn't need to be specified and it works.

ior
Nov 21, 2003

What's a fuckass?

Partycat posted:

Well it's not terrible, there are just some things which are in a different place, but, it is understandable anyways. The smartports are just a bit of a pain for me since I haven't had to deal with them, but, with VoIP here it seems that isn't much of an option to avoid them.

What's the purpose of that command you listed? Wouldn't you normally not tag the PVID?

Yes, but when setting native vlan to 10 it will not allow or tag vlan 1 over the trunk without it.


Partycat
Oct 25, 2004

Zuhzuhzombie!! posted:

A 3750 interface with the correct vlan. Vlan 130 and the 130.0 /24 range. Vlan 130 is trunked to the WLC on another switch. All switches are trunked together and are not pruning vlans.

As he said the cycling lights mean that it is trying to join the controller. If you look at the console it may give you an idea why it left the controller. AFAIK it won't move between controllers until it loses contact or is booted, so I don't see why DNS would screw with it once it is already online.

You could always do "lwapp ap controller ip address X.X.X.X" and specify if you wanted to avoid DNS (or configure controller IP in WCS) but I bet the problem is elsewhere.
