Anyone know how to turn on access to SNMP on an old SGE2010? I have the community string set but there’s some kind of firewall rule or something blocking it. It was easy to do on an SG500
Posted Nov 8, 2018 00:03

CrazyLittle posted: I'm looking at 10/40/100gig switches and don't particularly enjoy the $20k pricepoint of Cisco Cat9500 or Arista's new generation. Anyone here use Cisco Nexus 9300, or specifically Cisco N9K-C93180YC-EX? Any thoughts on these boxes? I probably won't need any fancy features like NAT or MPLS on them since it'll be sitting in between 2+n routers, but netflow might be a nice bonus.

Say hello to my new stack.

*edit* Ignore the chaff that's being used as a temporary shelf. This was taken while I was still testing the hardware for faults, basic config, etc.
Posted Nov 8, 2018 00:18

Bob Morales posted: Anyone know how to turn on access to SNMP on an old SGE2010?

Is SNMP enabled in the TCP services list (I think that's where it goes)? Also, throw Cisco's SMB switches away; they are trash.
Posted Nov 8, 2018 00:22

Thanks Ants posted: Also throw Cisco's SMB switches away they are trash.

I was going to reply "log into the GUI, unplug switch, throw into the river" but that seemed a little too snarky at the time.
Posted Nov 8, 2018 01:23

Eh I still have a place in my heart for my SG300s which run well and have some reasonable capabilities.
Posted Nov 8, 2018 01:32

Thanks Ants posted: Is SNMP enabled in the TCP services list (I think that's where it goes)?

I think that's how the 500 worked; it was straightforward. There's an ACL list or something on this one and I don't want to lock myself out of the loving core stack (yes, the core stack is EOL Cisco SMB switches...). I just want to get some stats where I can see how much bandwidth we're using. I didn't buy 'em...
Posted Nov 8, 2018 02:09

The 300/500 have a management ACL specifically, which you can set to none or a blank one if you need to clear it; this is separate from other access control lists. Since these things were renamed from 2023 -> SG300 or something like that, there's a chance they are similar.
Posted Nov 8, 2018 11:24

I had to make a view as well as set the community
Posted Nov 8, 2018 14:48

CrazyLittle posted: say hello to my new stack

Are those the 93180s down at the bottom? Because drat if they don't look near identical to the NCS5501SE.
Posted Nov 8, 2018 15:07

ragzilla posted: Are those the 93180s down at the bottom? Because drat if they don't look near identical to the NCS5501SE.

Yep.
Posted Nov 9, 2018 16:43

I think I might have brought this up before but never really got much feedback (or I missed/forgot that there was feedback, apologies in advance if that's the case). With IPv6, is the only way to do failover to get an allocation from the RIR (RIPE in this case) and then take transit from a couple of different ISPs? I suppose you could use private addresses and NAT to public ranges but I think at that point you might as well just turn IPv6 off since it defeats the whole point of doing it. Are client device implementations too immature to make multiple RAs with different preferences a viable solution?
Posted Dec 4, 2018 23:49

A PI prefix from your RIR and talking BGP with your ISPs is probably the simplest way to go about things.
Posted Dec 5, 2018 02:47

From the service provider's perspective there's no reason why they should ever route v6 space that's not theirs nor explicitly granted to them to route. Nor should they accept RAs from downstream for similar reasons. From the client side, you could totally do two providers if you assigned v6 addresses from each provider and then let the client devices figure out the least cost route, but DHCPv6 doesn't seem to want to do multiple dynamic leases at the moment and the majority of client devices seem to be moving in that direction. With PI space you're guaranteed that address space as long as you maintain it, and the only additional cost is some small fees from the RIR and any associated net-eng time at the ISP level.
Posted Dec 5, 2018 22:25

Sup friends, I'm trying to create a ZBF config on a router inside our corporate network, and I'm not super experienced with ZBF. Is there a preferred way to differentiate traffic from sources inside a given zone? Like if I want to treat traffic coming from the outside internet to my DMZ slightly differently than traffic from the rest of the corporate network. Right now I just have an ACL for an object-group that lists some internal networks. How would I implement something similar in a ZBF?
Posted Dec 6, 2018 19:12

Here's the basic primer on zone-based firewalling:

Every interface is part of one (1) zone. You can have multiple interfaces in the same zone. Traffic between two interfaces in the same zone is "intra-zone". When traffic arrives on an interface, that is how the "source zone" is determined. The device looks up what the destination interface would be for that packet (routing table) and uses that zone as the "destination zone".

Let's say you have:
* You have an outside/internet zone
* You have a DMZ zone
* You have a corporate network zone

If traffic comes in to the outside/internet zone, and is going to travel to your DMZ, you need a firewall rule that has:
* Source Zone: Outside/internet
* Destination Zone: DMZ
* Source IP: Any (probably)
* Destination IP: Varies by device; some firewalls want the pre-NAT IP, some want the post-NAT IP

You'd also have a rule:
* Source Zone: Corporate
* Destination Zone: DMZ
* Source IP: My_Corp_Network_Subnets
* Destination IP: My_DMZ_Network_Subnets

Now, even if you put in the Source IP as "Any" for that rule, it still won't let internet traffic in, because the source zone is "Corporate", which will only match traffic that comes into an interface that's in the Corporate zone.

Here's an old Palo Alto doc that I love for this: https://mdssh.com/UnderstandingNAT.pdf

madsushi fucked around with this message at 19:55 on Dec 6, 2018

Posted Dec 6, 2018 19:53

So I'm going to have this, basically:
* one interface - outside (faces larger corporate network and also internet)
* one interface - workstation subnet (I want this mostly open to my corporate network but mostly locked down to the internet)
* one interface - lab (I want this mostly locked down, only open to the workstation subnet and only outbound connections to the outside interface)

I think I have the basics of this down; my main question is on how I differentiate traffic in the outside zone from "mostly ok corporate traffic" to "mostly not ok internet traffic". Fortunately I don't have the added complication of dealing with NAT; this is all publicly routable.
Posted Dec 6, 2018 20:15

Seems like this is fairly easy to do with class maps; I'll work out a basic config and bring it back to you guys.
Posted Dec 6, 2018 20:37

code:
Posted Dec 6, 2018 22:58

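As an added example (not the poster's configuration, which is not reproduced in the thread), here is a Cisco IOS zone-based firewall config for the three-interface layout described above. It applies the primer's rule: the source zone comes from the ingress interface, so "corporate" and "internet" traffic both arrive in the OUTSIDE zone and can only be told apart by source prefix inside a class map. The interface names and the corporate prefixes (RFC 5737 documentation ranges here) are assumptions; substitute your own.

```cisco
! Added example config, not from the original post. GigabitEthernet0/0-0/2
! and the prefixes in CORP_NETS are assumptions; 203.0.113.0/24 and
! 198.51.100.0/24 are RFC 5737 documentation ranges standing in for
! "the rest of the corporate network".

! One zone per interface, as in the primer above
zone security OUTSIDE
zone security WORKSTATION
zone security LAB

! The corporate side of OUTSIDE is identified by source prefix only;
! anything else arriving on the OUTSIDE interface is treated as internet
object-group network CORP_NETS
 203.0.113.0 255.255.255.0
 198.51.100.0 255.255.255.0

ip access-list extended ACL_FROM_CORP
 permit ip object-group CORP_NETS any

! Protocols tracked statefully; return traffic for inspected sessions is
! allowed automatically, so no reverse zone-pair rule is needed for it
class-map type inspect match-any CM_IP_PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol icmp

! match-all: source must be a corporate prefix AND be tcp/udp/icmp
class-map type inspect match-all CM_CORP_SOURCE
 match access-group name ACL_FROM_CORP
 match class-map CM_IP_PROTOCOLS

! OUTSIDE -> WORKSTATION: corporate sources inspected, internet dropped
policy-map type inspect PM_OUTSIDE_TO_WS
 class type inspect CM_CORP_SOURCE
  inspect
 class class-default
  drop log

! Generic "allow outbound, statefully" policy
policy-map type inspect PM_INSPECT_ALL
 class type inspect CM_IP_PROTOCOLS
  inspect
 class class-default
  drop

! Zone pairs are unidirectional; any pair not defined is denied
! (except return traffic for sessions the inspect action created)
zone-pair security OUT-WS source OUTSIDE destination WORKSTATION
 service-policy type inspect PM_OUTSIDE_TO_WS
zone-pair security WS-OUT source WORKSTATION destination OUTSIDE
 service-policy type inspect PM_INSPECT_ALL
zone-pair security WS-LAB source WORKSTATION destination LAB
 service-policy type inspect PM_INSPECT_ALL
zone-pair security LAB-OUT source LAB destination OUTSIDE
 service-policy type inspect PM_INSPECT_ALL
! Deliberately absent: OUTSIDE->LAB and LAB->WORKSTATION, so both are dropped

! Assign interfaces to zones last; an interface in a zone with no
! zone-pair drops everything, so do this after the pairs exist
interface GigabitEthernet0/0
 description outside (corporate WAN + internet)
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 description workstation subnet
 zone-member security WORKSTATION
interface GigabitEthernet0/2
 description lab
 zone-member security LAB
```

Check the result with `show zone-pair security` and `show policy-map type inspect zone-pair sessions`, and test from an internet-side address before trusting the class-default drop. Two caveats: traffic to and from the router itself lives in the implicit `self` zone and is not touched by these pairs, so SSH to the box keeps working until you add a self-zone policy or `ip access-class`; and because the corporate/internet split rests entirely on source prefix, anyone on the internet who can spoof a CORP_NETS source past upstream filtering lands in the inspected class, so pair this with uRPF or ingress filtering on the outside interface.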
Today I had an auditor tell me I should consider replacing my Nexus 5548UP switches because they were end of life and out of support.
Posted Dec 7, 2018 05:03

adorai posted: Today I had an auditor tell me I should consider replacing my Nexus 5548UP switches because they were end of life and out of support.

"... Considered. Pass. Next?"
Posted Dec 7, 2018 19:20

CrazyLittle posted: "... Considered. Pass. Next?"

Unfortunately it's not exactly that easy. Their report goes to both our board of directors and to the FDIC, so I have to actually articulate why we will not be taking action. In this very specific case it's pretty easy to respond with a link to Cisco's website, but not everything is so simple. This was just one of his uninformed comments. He was able to get out on port 80 and was concerned that our firewall was allowing too much traffic. I asked if he was saying we should not allow our tellers to access the web (with filtering); he responded that of course they should have access to it, but the port being open was a security risk. There was also confusion about why we were inconsistently using NTP servers: some devices were using hostnames and some were using IP. His confusion stemmed from not understanding that a hostname resolved to an IP address. There were a few other things he commented on; honestly my mind was blown that anyone was paying this guy to do the job he was doing. We've used this particular audit firm for a number of years and it is generally very well done. For anyone who does not work in finance, believe me, the regulatory burden is real, but mostly because of people who really don't know what they are doing making you do more work. Following the actual regulations is easy.
Posted Dec 9, 2018 01:27

Boooooo hisssss
Posted Dec 9, 2018 05:02

Not knowing the web means port 80 on a loving audit would be me calling the auditing company to send over someone who knew what the gently caress.
Posted Dec 9, 2018 05:46

We just had an old unmanaged switch that sat under our block of 8 desks pop up on a security audit as a potential vulnerability. The next day it was gone (with the octopus of wires left dangling) and they apparently don't plan to replace it. I was told I could try to find an empty port on a network drop, but there isn't one. So it's WiFi only for my team. lol, thanks guys. I'm tempted to ask for 300 feet of cat6 to just run from my docking station to an empty port across the office.
Posted Dec 9, 2018 05:58

GreenNight posted:Not knowing the web means port 80 on a loving audit would be me calling the auditing company to send over someone who knew what the gently caress.
Posted Dec 9, 2018 06:52

Some firms use a transparent proxy and keep web ports closed to the user devices.
Posted Dec 9, 2018 17:53

That makes sense. We use Umbrella which is what I was thinking of.
Posted Dec 10, 2018 05:38

We just got some routers for our 5 remote sites (like 10 PCs each). Not sure why, since we already have CyberRoam VPN devices at each one. They are Cisco 7200s.
Posted Dec 11, 2018 02:18

Bob Morales posted: They are Cisco 7200's

wha-wha-WHAT?
Posted Dec 11, 2018 02:48

BIG
Posted Dec 11, 2018 03:05

7201 or chassis? Either way wtf
Posted Dec 11, 2018 03:31

Sounds like a VAR sales engineer somewhere is going to get a big xmas bonus
Posted Dec 11, 2018 12:27

Bob Morales posted: We just got some routers for our 5 remote sites (like 10 PC's each)

lol. You can turn up an OC3 ring between them. 622Mb/s of goodness.
Posted Dec 11, 2018 22:57

Hey...7206s and 6509s built worlds. In unrelated news, somehow I'm an NCE at Cisco.
Posted Dec 12, 2018 01:36

Goondolences

Edit: we have all of our NCEs performing bug scrubs on every single platform and code we have in production due to a WAAS bug that took down our network for 4 hours. Weekly calls with all of them to disclose any new Sev 1s that could affect our network as well. Kinda feel bad for the guys considering we're one of the biggest companies in the world.

Sepist fucked around with this message at 02:40 on Dec 12, 2018

Posted Dec 12, 2018 02:31

ate poo poo on live tv posted: lol

OC-12, you mean!

inignot posted: Hey...7206s and 6509s built worlds.

I used to be an NCE but they changed all our titles around a year or two back. Didn't know anyone was still called that.
Posted Dec 12, 2018 03:54

Sepist posted: Goondolences

Cisco code quality has nosedived in the last 5 years, it seems. We're only a small enterprise (~10k clients) and we run into new Cisco bugs almost every week. The latest was 3560CX switches rebooting when they get too many SNMP requests (like, say, from a walk). Luckily a code upgrade fixes that one.
Posted Dec 12, 2018 04:26

ate poo poo on live tv posted:lol
Posted Dec 12, 2018 04:52

"Code still warm from compiler. Confidence level: Boots in lab." - tli
Posted Dec 12, 2018 16:06

Can anybody think of a reason why LLDP capabilities wouldn't be showing on a 2960X? Connecting a couple of defaulted IP phones and they're just showing B (Bridge) and not T (Telephone) in show lldp neighbors. As far as I know there's no configuration on the switch ports to filter out specific capabilities. Phones that have been manually configured with a voice VLAN show B and T, a phone that I am testing with and using LLDP-MED for VLAN assignment (switchport voice etc) is not showing T and no traffic makes it out on the tagged voice VLAN (though the switch learns MAC addresses in the access VLAN and the voice one). This seems like the easiest thing in the world but something's not working and it's pissing me off. Next steps are to put the switch on a release that isn't from 2011, and get Wireshark in the middle of everything but this is being done on behalf of some internal networks guys who didn't know that SSH access was a thing, so it's a bit of a struggle.
Posted Dec 12, 2018 21:38