tortilla_chip
Jun 13, 2007

k-partite
Catalyst 2960G-48TC


adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

Zero VGS posted:

Quick Question:

What is the most affordable Cisco brand - 48 port - Gigabit on all ports - Layer 2 Managed switch?

I have to order one on the cheap for my company so I'm searching eBay but it's a royal pain in the rear end to tell apart "gigabit on all ports" versus "gigabit just on the uplinks". Thanks folks!

2960g is probably your best bet.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
4948's got cheap-ish in the last few weeks- sub 1k. Far better than a 2960g if the price is close.

Gap In The Tooth
Aug 16, 2004
What does int lex correspond to?

When I googled it I found page after page of unsecured internet-facing Cisco devices with ip http server turned on.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer
When setting up a redundant WAN link with a GRE tunnel, if I already have an ISR in place, is there an advantage to using a second device, like an ASA, for the VPN?

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy

falz posted:

4948's got cheap-ish in the last few weeks- sub 1k. Far better than a 2960g if the price is close.

Thank you for the advice, the 4948s were the same price on eBay, and I made an offer for $700 on one of these and the guy took it: http://www.ebay.com/itm/271171703342

Corporate was pushing for us to buy some switch at MSRP for like $5000 so I'm sure we're better off as long as none of these ports magically burn out like our current Catalyst.

How the gently caress do switch ports burn out anyways? I've never in my life seen a port burn out on a PC or server or even consumer-grade routers, yet Catalysts always seem to blow up.

the spyder
Feb 18, 2011
I'm in the process of rebuilding my home lab in the hopes of actually using it for CCNA/CCNP.
Here is what I have ended up with last year:

2x ASA5505 Sec Plus with 1gb ram
2x 1841
3x 2950
2x 2620's
1x 3620
1x 3640


I want to add/replace a few things- what would you guys recommend? I was offered
two more 1841's and a 3750 locally. Trying to keep it under $1k.

ragzilla
Sep 9, 2005
don't ask me, i only work here


the spyder posted:

I'm in the process of rebuilding my home lab in the hopes of actually using it for CCNA/CCNP.
Here is what I have ended up with last year:

2x ASA5505 Sec Plus with 1gb ram
2x 1841
3x 2950
2x 2620's
1x 3620
1x 3640


I want to add/replace a few things- what would you guys recommend? I was offered
two more 1841's and a 3750 locally. Trying to keep it under $1k.

3750 would be good for L3 switching. 1841s will be of dubious value considering the amount of routers you already have. You're using one of those 3600s as a frame relay switch right?

the spyder
Feb 18, 2011
I somehow got 2x 1841's for $30/e and a friend owes me a trip through his e-waste business warehouse where I know he has at least 4 more. The 3640 is my frame relay router.

Gap In The Tooth
Aug 16, 2004
Make sure your 2620s have XM next to them or they are worth jack poo poo. Today I learned that they have 16MB of flash and 32MB of RAM and I couldn't put any sort of worthwhile IOS image on them. Yes the 1841s are poo poo compared to everything else but they are still a drat sight better than non-XM 2600s.

zalmoxes
Sep 30, 2009

:eurovision:
Tonight has been productive.

ior
Nov 21, 2003

What's a fuckass?

Zero VGS posted:

Thank you for the advice, the 4948s were the same price on eBay, and I made an offer for $700 on one of these and the guy took it: http://www.ebay.com/itm/271171703342

Corporate was pushing for us to buy some switch at MSRP for like $5000 so I'm sure we're better off as long as none of these ports magically burn out like our current Catalyst.

How the gently caress do switch ports burn out anyways? I've never in my life seen a port burn out on a PC or server or even consumer-grade routers, yet Catalysts always seem to blow up.

Keep in mind these switches are old and will NOT do IPv6 routing in hardware. :( If you are just going to use them for switching they are great though.

ior fucked around with this message at 11:02 on Mar 15, 2013

Frozen Peach
Aug 25, 2004

garbage man from a garbage can
I just finished setting up a new interface on our Cisco ASA to act as a locked down guest network. The ASA is also the DHCP server for that interface. Is there a way to have the ASA tell me the hostname of a dhcp client, rather than just the IP/Mac address? I'd use nbtstat, but most of the devices that connect to the guest network will be phones and tablets so that won't work.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
How to kill an ASA CPU easily:
code:
service-policy MSS global

class-map MSS
 match access-list MSS

policy-map MSS
 class MSS
  set connection advanced-options MSS-MAP
(The access list MSS matches anything utilizing https, which is used by 99% of their SaaS product.)

MSS-MAP? Completely empty.

So basically 99% of their traffic is punting to the CPU for post-processing, and then the ASA goes "eh" and allows it.

ate shit on live tv
Feb 15, 2004

by Azathoth

adorai posted:

When setting up a redundant WAN link with a GRE tunnel, if I already have an ISR in place, is there an advantage to using a second device, like an ASA, for the VPN?

The VPN like users, or the IPSEC part of the GRE+IPSEC tunnel?

For VPN for users, a second device is often a good idea to keep different networks physically separate; for the IPSEC tunnel, there is no advantage other than additional complexity from having a separate device to terminate each tunnel. I would almost always just terminate the GRE+IPSec tunnel on the same device.

teh z0rg
Nov 17, 2012

jwh posted:

ASDM sucks too

uhhh it's pretty good compared to some other vendors' interfaces.

I'm not a cisco fan at all but ASDM is pretty sweet.

manage cisco security devices via cli?

I'd rather get my balls stomped.

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!
I work on Cisco firewalls every day of my life and primarily use the ASDM. I can use the CLI but prefer not to in most cases. There are exceptions.

abigserve
Sep 13, 2009

this is a better avatar than what I had before
I'm on cisco firewalls every day of my life as well (I manage 9 FWSM's plus two ASA's) and I use the CLI for everything. GUIs are inefficient as poo poo unless the device has been built around the GUI being the primary method of operation (Palo Alto, F5 BIGIP interface).

teh z0rg
Nov 17, 2012

abigserve posted:

I use the CLI for everything

Cool... a masochist.

teh z0rg
Nov 17, 2012
I will admit that Palo Alto's CLI is utter trash.

I think they do it on purpose to make their GUI seem even better than it is.

NecessaryEvil
Aug 10, 2006
Professional Slacker
This seemed as good a place to ask this as any other.

I was cleaning out a client's closet the other day, which was filled with things to be thrown away. LCDs, CRTs, old P4 boxes, external modems, a poo poo load of cables, etc.

I found a Cisco 1841 in the mix, that was either the one they upgraded to the 1900 series once they got the 50MB Comcast line, or the one that bit it in the power surge that took out the UPS, 3 PoE switches, and their router. Since it was in the trash pile, I claimed it, took it home and tried to see if it still worked, or if it was going to go in my trash can instead.

It looks like it was the one that was upgraded, as it powers on and ran just fine. It came with 128MB RAM and a 32MB CF card with 12.3 on it. I had also picked up a pair of P3 laptops with no hard drives but with serial ports. I figured I could try to get a live linux up and running to remote into the Cisco, as I can't find my USB/Serial adapter. It turned out that one of them had RAM that would work in both this router, bumping it to 256MB RAM and my Brother laser printer, bumping it to 192MB RAM. Not too bad for a junk pile.

Anyway...I had a spare CF card that I was able to format and toss on a new IOS image, but I have a couple questions.

First off, the show ver:
code:
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 15.1(4)M6, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Thu 14-Feb-13 03:19 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)T9, RELEASE SOFTWARE (fc1)

Cisco1841 uptime is 1 hour, 1 minute
System returned to ROM by reload at 12:51:52 UTC Sat Mar 16 2013
System image file is "flash:c1841-advipservicesk9-mz.151-4.M6.bin"
Last reload type: Normal Reload


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 1841 (revision 6.0) with 239616K/22528K bytes of memory.
Processor board ID FTX1032Y0QW
2 FastEthernet interfaces
1 Serial interface
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
500472K bytes of ATA CompactFlash (Read/Write)


License Info:

License UDI:

-------------------------------------------------
Device#   PID                   SN
-------------------------------------------------
*0        CISCO1841             FTX1032Y0QW



Configuration register is 0x2102

1. The BootStrap shows 12.3, but the IOS loaded is 15.1. Is there a way to update the bootstrap, or does that even matter?

2. How can I find the differences in the binary packages? ADVIPSERVICESK9-M vs. IPBASE, for example?

3. Is there any licensing that would make running one vs. the other the equivalent of piracy? I'm looking at a few of the 1841s we have in the field, most are running IPBase (which is what came on the factory 32MB flash), but there's one running the advsecurityk9-mz build.



(I apologize, the most I ever have to do with these routers is set port forwards. I'm more the PC/Server tech guy)

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Bootstrap doesn't matter on that platform.

Cisco Feature Navigator will show differences between images and is mostly right.

Yes you're supposed to have a license for the features you want but x8xx and earlier routers have no way to enforce it via keys.

ate shit on live tv
Feb 15, 2004

by Azathoth
Your IOS license is attached to your TAC account, but in practice even Cisco doesn't care that much. Even with 15.0 code I could get any license level I wanted with a simple email.

BurgerQuest
Mar 17, 2009

by Jeffrey of YOSPOS
I think the main benefit of upgrading your rommon version is a few things like being able to use USB drives if you're in rommon.

After a certain IOS 15 version, all the feature sets became 'right to use' meaning you can enable them and they'll work and show as eval licences until you put a key in. At least this works for me on x9xx routers.

I would try and get another router at least and a couple of vlan capable switches for messing around with. And something to run ESXi on with a bunch of NICs.

Morganus_Starr
Jan 28, 2001
Probably a stupid easy answer but here goes:

2 Cisco 1140 autonomous access points. All I want currently is 1 SSID shared between both that wireless clients will connect to based on signal strength. My understanding is that wireless client handoff to another AP happens pretty seamlessly without any extra config. Do I need to set up anything OTHER than creating the same SSID, encryption and passphrase on both and putting them on non-overlapping channels? Is RADIUS required? I don't care about WDS as much since I don't have a controller and it seems annoying to set up with 2 autonomous aps (unless someone has a good guide).

wolrah
May 8, 2006
what?
Haven't seen anything posted about this yet:

http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20130318-type4

The short version is that Cisco hosed up massively when implementing their new "type 4" password hashing in IOS 15 and rather than running PBKDF2 with 1000 runs of SHA256 and an 80 bit salt, they instead just SHA256 it once without a salt.

This obviously has a massive impact on the ability to brute force a hashed password and reopens rainbow tables as an option. Anyone who has posted a config file to the internet containing type 4 hashes should consider those passwords compromised.


It gets better, too. Any device that supports type 4 hashes will not generate type 5 hashes, so to change these passwords you'll need to generate the type 5 hash elsewhere and then you have to do that every time the password is changed until you can downgrade to an older version or Cisco releases a fix.
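A worked illustration of the point above (added here, not from wolrah's post or from Cisco): it contrasts a single unsalted SHA-256, which is what IOS 15 shipped as type 4, with PBKDF2-HMAC-SHA256 at 1000 iterations and an 80-bit salt, which the advisory says was intended, and it scans a constructed config dump for the two affected commands. Hex output stands in for the device's own hash encoding, and the sample config lines and hash strings are made up.

```python
import hashlib
import os
import re

def shipped_type4(password: str) -> str:
    # What IOS 15 actually did as "type 4": one SHA-256 over the password, no
    # salt, no iteration. Hex is used here; the device encodes the same digest
    # differently, which does not change the argument.
    return hashlib.sha256(password.encode()).hexdigest()

def intended_type4(password: str, salt: bytes) -> str:
    # What the advisory says was intended: PBKDF2-HMAC-SHA256, 1000 iterations,
    # 80-bit (10-byte) salt. Each guess now costs 1000 hashes, and the salt
    # makes a precomputed table useless across devices.
    if len(salt) != 10:
        raise ValueError("salt must be 80 bits")
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000).hex()

def build_table(wordlist):
    # A lookup table keyed by the unsalted digest. Built once, it applies to
    # every device anywhere, which is why posted configs are now a problem.
    return {shipped_type4(w): w for w in wordlist}

def lookup(table, digest):
    # Instant recovery if the password was in the wordlist behind the table.
    return table.get(digest)

# Matches "enable secret 4 <hash>" and "username <name> secret 4 <hash>", the
# two commands the Cisco response says are affected.
TYPE4_RE = re.compile(r"^\s*(enable secret|username\s+(\S+)\s+secret)\s+4\s+(\S+)", re.M)

def find_type4_secrets(config: str):
    """Return (account, hash) pairs for every type 4 secret in a config dump."""
    hits = []
    for m in TYPE4_RE.finditer(config):
        account = "enable" if m.group(1) == "enable secret" else m.group(2)
        hits.append((account, m.group(3)))
    return hits

# Constructed sample config: hash strings are placeholders, not real digests.
SAMPLE_CONFIG = """\
hostname sw-lab-01
enable secret 4 PLACEHOLDERtype4hashAAAAAAAAAAAAAAAAAAAAAAA
username admin secret 4 PLACEHOLDERtype4hashBBBBBBBBBBBBBBBBBBBBBBB
username backup secret 5 $1$abcd$PLACEHOLDERtype5hash
"""

if __name__ == "__main__":
    table = build_table(["cisco", "Cisco123", "letmein", "admin"])
    print("type 4 recovered from table:", lookup(table, shipped_type4("Cisco123")))
    s1, s2 = os.urandom(10), os.urandom(10)
    print("salted: same password on two devices gives different hashes:",
          intended_type4("Cisco123", s1) != intended_type4("Cisco123", s2))
    for account, digest in find_type4_secrets(SAMPLE_CONFIG):
        print(f"type 4 secret for '{account}': {digest} (treat as exposed if this config was shared)")
```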

ate shit on live tv
Feb 15, 2004

by Azathoth
Eh. Just use type 7, it's fine. If the local config password is important, say a BGP-peering password or a TACACS authentication password, omit it from the Config.

wolrah
May 8, 2006
what?

Powercrazy posted:

Eh. Just use type 7, it's fine. If the local config password is important, say a BGP-peering password or a TACACS authentication password, omit it from the Config.

According to Cisco this issue only applies to login users and enable passwords.

quote:

All the preceding issues apply only to devices running Cisco IOS or Cisco IOS XE releases with support for Type 4 passwords, and only to the "enable secret <password>" and "username <username> secret <password>" commands.

Unfortunately while I don't have an IOS 15 device to verify with, the examples they show for how to determine whether your device even supports type 4 seem to imply that at least some of the affected devices will only support 0 and 5 otherwise, so with support for 4 disabling the ability to create 5s those users would seem to be in a tough spot.

Xenomorph
Jun 13, 2001
Is there script or small program somewhere that I could run to quickly grab the running config of about ~25 or so Cisco 2960s?

ate shit on live tv
Feb 15, 2004

by Azathoth

wolrah posted:

Unfortunately while I don't have an IOS 15 device to verify with, the examples they show for how to determine whether your device even supports type 4 seem to imply that at least some of the affected devices will only support 0 and 5 otherwise, so with support for 4 disabling the ability to create 5s those users would seem to be in a tough spot.

Haha. I see now. Yea that would be pretty terrible, security risks aside, portability loss sucks from a management perspective.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

Xenomorph posted:

Is there script or small program somewhere that I could run to quickly grab the running config of about ~25 or so Cisco 2960s?

Configure RANCID for this and you'll have diffs for life.

Bluecobra
Sep 11, 2001

The Future's So Bright I Gotta Wear Shades

Xenomorph posted:

Is there script or small program somewhere that I could run to quickly grab the running config of about ~25 or so Cisco 2960s?

This requires Expect:

code:
#!/bin/bash
# Pull the running config from every switch listed in /var/tmp/switches.txt
# (one hostname or IP per line) and copy it to the TFTP server at 10.0.0.1
# as <switch>-config. Replace foo/bar with real credentials before use.
# The prompts matched below are "Address or name of remote host []?" and
# "Destination filename [...]?"; the original pattern "[]?" was reduced by
# Tcl to "?" and matched any character, so it only worked by accident.

while read -r a; do
        [ -z "$a" ] && continue                 # skip blank lines
        /usr/bin/expect << EOF
        set timeout 30
        spawn telnet $a
        expect "Username:"
        send "foo\r"
        expect "Password:"
        send "bar\r"
        expect "#"
        send "copy run tftp\r"
        expect "remote host"
        send "10.0.0.1\r"
        expect "Destination filename"
        send "${a}-config\r"
        expect "#"
        send "exit\r"
        expect eof
EOF
done < /var/tmp/switches.txt
You can buy me lunch tomorrow.

ate shit on live tv
Feb 15, 2004

by Azathoth
I need SSH though...

chestnut santabag
Jul 3, 2006

wolrah posted:

Haven't seen anything posted about this yet:

http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20130318-type4

The short version is that Cisco hosed up massively when implementing their new "type 4" password hashing in IOS 15 and rather than running PBKDF2 with 1000 runs of SHA256 and an 80 bit salt, they instead just SHA256 it once without a salt.

This obviously has a massive impact on the ability to brute force a hashed password and reopens rainbow tables as an option. Anyone who has posted a config file to the internet containing type 4 hashes should consider those passwords compromised.


It gets better, too. Any device that supports type 4 hashes will not generate type 5 hashes, so to change these passwords you'll need to generate the type 5 hash elsewhere and then you have to do that every time the password is changed until you can downgrade to an older version or Cisco releases a fix.

Yeah this cropped up at work today when a client requested to know if they were affected.

Cisco is going to deprecate type 4 encryption, and revert to type 5 being the encryption used for secret passwords in future releases but still recognize type 4 encryption for compatibility - this will probably happen within the next couple of rebuilds.
They say they'll also re-implement SHA encryption properly at some point in the future as an undecided type of encryption but it won't be type 4 as that will be retained as a sort of read only encryption for backwards compatibility.

I think most major version 15 releases in the past 6 months were migrated to type 4 encryption but I couldn't find any mention of type 4 encryption being introduced in the various release notes for versions that have it - I think in some instances, it was introduced in rebuilds.
I can confirm that version 15.0(2) for switches uses type 4 encryption with 15.0(1) using type 5 encryption.
IOS XE also uses type 4 encryption but I couldn't say when it was introduced.
Latest version of 15.0 on an 1841 doesn't seem to be using it but 15.1 upwards does seem to be using it although it's not clear when it was introduced into those versions.

And like the above said, you can still paste in a type 5 encrypted password generated from another device - you just can't tell the switch to encrypt entered plain text passwords using type 5, it'll only encrypt using type 4.
Also if you do downgrade a device that has type 4 encrypted passwords to an image that doesn't support type 4 passwords, upon rebooting, it rejects the enable secret and username secret commands from the startup configuration.

chestnut santabag fucked around with this message at 22:26 on Mar 19, 2013

inignot
Sep 1, 2003

WWBCD?
All of that is bad, but if you're using tacacs or even radius, it's functionally irrelevant.

Bluecobra
Sep 11, 2001

The Future's So Bright I Gotta Wear Shades

Powercrazy posted:

I need SSH though...

Just replace 'spawn telnet' with 'spawn ssh foo@$a'.

ate shit on live tv
Feb 15, 2004

by Azathoth

inignot posted:

All of that is bad, but if you're using tacacs or even radius, it's functionally irrelevant.

Which is why I just use type 7 for everything. Sometimes it is useful to get the long forgotten enable password from some device.

Partycat
Oct 25, 2004

So with the Cisco SG300, I am trying to write a recovery procedure for non technical persons. IE, they won't know how to get the device on the network, they just want to get a hot-spare going.

I have RANCID backing up the configs, but the configs are a real mess. Some of the commands seem to be at the bottom of the config, that it wants before it parses the information at the top (but it doesn't really need to be at the top, doesn't functionally do anything).

Trying to get AAA setup on it, so I am throwing in "aaa authentication enable Console local" to use the local user, except local is not an option and it rejects the command. Local is clearly listed in the command guide, as well as in the backup configuration, but it's not available at the CLI?

Anyone ran into this or have any thoughts, other than throwing these things into the incinerator?

psydude
Apr 1, 2008

Anyone ever used Ubiquiti's wired solutions? I've used their wireless stuff before; the price is certainly right.


ragzilla
Sep 9, 2005
don't ask me, i only work here


Partycat posted:

So with the Cisco SG300 ... throwing these things into the incinerator?

That's where Linksys products belong, right?
