Looking for a bit of help from dudes that know a lot more than I do. I'm working with 2 (well, currently 1, because the second one bricked on me) AIR-CAP1532I-A-K9 devices; supposedly they should pull an address from DHCP out of the box instead of being static, which is completely false. I've never once configured Cisco gear and I'm trying to blunder my way through this. How can I configure this thing to pull an address from DHCP? It's currently statically assigned 10.0.0.1, but I can't access the web interface; perhaps HTTP/HTTPS is turned off natively or something. I've got console access for the one that isn't broken (the bricked one is not showing anything on the console connection even during reboot, so I'm guessing the flash memory got wiped) but I'm apparently an idiot and don't know how to google for what I'm trying to do. So either A) I need to figure out how to turn on HTTP/HTTPS so I can access the web GUI, or B) I need to just figure out how to configure it to pull an address from my DHCP server via the CLI. This was supposed to be easy: configure option 43 on my server and voila, it talks to our WLC and we're good to go, but of course nothing is that easy.

# Apr 23, 2015 20:07

Hopefully this isn't a stupid question, but I have no way to test this and I can't really find any definitive answers from googles. We have a couple of SG500-52p in a stack; one of them has a bunch of bad ports out of the box, so we've just gotten an RMA'd device and I want to swap it out. Do we need to pre-configure the device before removing the old one and popping this one in? Does firmware need to match, or will it download from the master? From what I've read we might be able to just plug and play (probably forcing the switch number so things don't get goofy), but other than that it seems like it should download firmware if needed and pull the config from the master, or am I wrong and going to break poo poo? We don't have a way to test this, no spares, and this poo poo is running in production, so I don't want to cause an outage by going all cowboy on it and just plugging it in without doing due diligence, but I don't want to have to do more work than needed, especially since this will (probably) not be the last time we have to swap one of these in a stack.

# Nov 20, 2017 21:03

> Thanks Ants posted: It won't sync firmware, you will have to match the firmware versions, set the stacking ports, save the config, power it down, connect the stack cables and power it back up again.

Believe me, I don't doubt that, though we have 2 running here (not stacked) that work fine for cheap access switches; haven't had issues with them, but I'd prefer the real guys, though you can't always justify the cost. Thanks for the info though!

# Nov 20, 2017 21:09

> anthonypants posted: Can I stack a SG350X switch and a SG350XG switch?

You can for sure; a client of ours has a pre-existing stack of 2 or 4 that are 50/50 of these.

# Dec 11, 2017 07:01

> Biowarfare posted: What happens on an err-disable? Is the port still "powered on" or negotiable at all?

Err-disabled, the port is effectively shut down, as in it won't send or receive traffic and you have to manually go in to open the port again. It's being disabled for some reason (negotiation issues are common, sometimes an issue with the modules you're using, etc.); if you do a "show interface X status" I believe it should tell you why the interface is in that state.

v-- Yeah, I agree, it's odd that your device on the other end of the cable is not detecting the lack of connectivity.

# Jan 15, 2018 21:01

> Thanks Ants posted: it's loving terrible

# Jan 23, 2018 19:25

Holy poo poo I need some help here. I have a loving old rear end Brocade switch (running FW 7.0.0) that a co-worker did not save the config on, like a year ago when he configured it. Well, it finally lost power and lost the configuration for a port that's the trunk port off of our firewall; he didn't document his config nor does he remember how he did it. I've mostly got it correct, but I can't for the life of me figure out how to turn the port into a trunk port, or at least Cisco's version of a trunk port. Is dual-mode Brocade speak for trunk port? It seems like it is, but I'm not entirely sure. Their actual trunk command seems more like Cisco's port-channel group, though I'm having issues finding documentation on this old OS version; there's a bunch of poo poo I'm finding that is not actually applicable because the commands just do not exist.

# Jan 25, 2018 21:27

> Thanks Ants posted: switchport mode trunk? Is this a FastIron or something else?

Just figured it out: dual-mode is trunk mode. It's an FCX648S, which runs FastIron, I think; it's v7.0.0, so seems somewhat old. I'm not sure; according to the login it does run FastIron, but half of the commands I found documented online are totally different in the switch. It's awful, but I was right: dual-mode = Cisco trunk mode and trunk mode is actually port-channels, loving dumb. Half of the commands on the switch are straight ripped from IOS, the rest are differently named or named the same but do different stuff.

# Jan 25, 2018 22:12

> Thanks Ants posted: If in doubt, smash the tab key and the question mark and fluff your way through

That's what I did.

> Docjowles posted: dual-mode 123 is basically the equivalent of switchport trunk native vlan 123. It tells the port to treat untagged frames as belonging to vlan 123.

Yeah. The REALLY annoying thing is that you cannot dual-mode a port without tagging a VLAN on it first. I didn't think about it at first, but I was like "Ok, that's fine, weird, but fine."

```
#tag int e 1/1/1
--- Connection lost ----
```

fuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuck

Yeah, so doing that on my only connection into the environment was a bad idea. Thankfully I just had them boot the switch and I configured the only other open port, but it's just a weird thing: you have to tag a VLAN on the port, then you can dual-mode (trunk) the port and it'll be happy again.

# Jan 26, 2018 00:44

I have once again been owned by co-workers because entering "wr" into the CLI is too hard.

# Feb 2, 2018 18:47

> Bigass Moth posted: But what if I save something I don't like???? that's what the goddamn backup config is for!

Honestly this turned out to not be too bad because I was the one that documented the changes and commands needed to do the work; just someone else was doing it, though it's painfully clear that certain someones have issues with Following Instructions and fail at the ever so difficult Copy-Paste.

# Feb 2, 2018 19:16

> FatCow posted: So is running RANCID?

You're funny, I like you. I work for an MSP.

# Feb 3, 2018 03:24

> Thanks Ants posted: Isn't Adtran pretty much the go-to for that requirement?

Yeah, I'd recommend Adtrans; that's what we use.

# Feb 6, 2018 17:56

We use 908s; the T1 is used for data and VoIP. They work perfectly and they are pretty tanky, as we have them in some poo poo environments and they are generally fine as long as someone doesn't go loving nuts and power on/off repeatedly.

# Feb 6, 2018 21:48

> FatCow posted:

This is someone's hell, minus the supposed labels.

# Feb 17, 2018 03:06

You should also have your current space in there so you don't miss things.

# Jun 28, 2018 19:04

> Apex Rogers posted: In any case, I tried the powershell command mentioned here:

New-VMSwitch is a Hyper-V module command; it's likely you don't have Hyper-V installed and, by extension, the PowerShell cmdlets that go with it, which is why you're getting that error. As for how to get NAT working via Windows routing, it (looks) like it's done through the "Routing and Remote Access" MMC: https://technet.microsoft.com/pt-pt/library/cc776909%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396 I have never attempted to turn a Windows device into a router, so perhaps that link isn't going to help, but it seems to be what you're looking for.

# Jul 16, 2018 19:06

> Methanar posted: I will never be complicit in purchasing anything from cisco that is not a router again.

What's wrong with their switches?

# Aug 31, 2018 23:42

Haven't had the opportunity to work with Arista; all Cisco, and then garbage barely above consumer grade stuff, and a single Brocade switch.... holy gently caress, why do you steal 99% of Cisco terminology and then make trunk ports NOT TRUNK PORTS!! Maybe Cisco stole their terms, I dunno, but drat was that annoying.

# Sep 1, 2018 00:28

> Docjowles posted: No, Brocade is bad and you are correct for being mad at how awful they are to work with

Our client that uses it is bad and awful and we should drop them, but MSP lyfe, so it is very fitting they use it.

# Sep 1, 2018 00:32

> Lonoxmont posted: Thanks guys, looks like I got lucky, and all that happened was the sonicwall has to do the routing for the new range until I get all the /24 changed to /22 on the clients on my end. So everything stayed up and running, but until everything has the new hostmask it is still a bottleneck through the sonicwall (I presume). At some point I will probably get around to moving the default gateway etc where the sonicwall lives to somewhere closer to the beginning of the address space, where networking stuff should go. Not looking forward to running through all the clients again for that.

If your clients are all Windows based, you could use PowerShell to do it!

# Sep 20, 2018 18:40

> Lonoxmont posted: Oh? I was vaguely toying with trying to finagle something through Group Policy to do that, but if there is an easier way I am

This guy has some PowerShell that can do it locally; you just need to invoke it via remote PowerShell and possibly step through an array of computer names, make a few other changes, and possibly have it step through each net adapter found in the event you have wireless, wired and other possibilities. The thing I'm not sure about, and possibly someone else can comment on, is if you will run into a problem running the script part-way through due to the changes being made.

# Sep 20, 2018 20:28

> Chuck Finley posted: Couldn't you just readdress everything major that needs to be statically assigned and then pull the client PC MACs from the ARP table on the SonicWall, put some reservations on via DHCP, presto blamo. Unless I'm missing something here, that seems the most straightforward way unless you really want things to stay statically assigned without the use of DHCP. We recently migrated from a very old server running an also old version of pfSense to a Netgate appliance, resubnetted our entire company LAN (broke up our dwindling /24 full of statics into 5 /22s by dept), and that's essentially how we did it. Pulled the MACs, bound via DHCP, and then slowly told everyone to switch to DHCP (mind you we kept two active firewalls live for the transition).

Yeah, there are a lot of ways to do it; I was just giving an option that fit within the current framework. I'm often bad about that: I'm used to doing hacky poo poo and not having any options to change things to the correct/a better way of doing things.

# Sep 25, 2018 20:19

> Sepist posted: king of the router.

What if I want to be King of the Hub

# Feb 14, 2019 04:34

Working with some SonicWALLs; I'm familiar with them but haven't really touched more advanced features... until now. Trying to implement bandwidth management and I'm having issues finding something out for sure. If I create a BWM object and apply it to multiple policies, is the bandwidth shared across all those policies? i.e. if I guarantee 5Mb and limit to 10Mb maximum, will it allow each policy to hit a maximum of 10Mb, or will it share that 10Mb across all policies? I am assuming it's shared, but this customer's circuit is ridiculously under-specced so it's maxed constantly even after applying limitations to a bunch of different policies.

# May 29, 2019 20:49

> Thanks Ants posted: If you apply a 5Mb limit on multiple firewall rules then each traffic handled by each rule shares that 5Mb, not 5Mb total across all rules. If you do them in an app control policy then you should be able to set the limit and choose the bandwidth management action object to be a shared 5Mb across all the affected policies.

Yeah, after screwing around with it for a bit more yesterday I realized that the BWM objects are shared bandwidth. Working with these makes me miss Fortigate devices a lot.

# May 30, 2019 17:13

> Moey posted: Anyone here working with Fortinet firewalls? What are your opinions on them?

I really like Fortigates, but I've never worked with Juniper devices so not sure how they compare. The downside to Fortigate (and a lot of products) is that support can be difficult to work with, but otherwise they are pretty drat solid products. Management is relatively easy, a lot of things Just Work, the interface is pretty drat user friendly and the CLI 95% of the time makes sense once you understand their structure. Do you have any specific questions?

# Jul 11, 2019 18:32

Yeah, pfSense is fine if you want something at home and don't mind tinkering; heck, maybe even in a small business, but I'd still be hesitant due to lack of proper support; I'd rather roll a SonicWall. Anything bigger and you definitely want to stick with the major players.

# Aug 2, 2019 21:45

> Sepist posted: Yea we all just came to that conclusion but now I need to compare fortinet as well. I don't think we're gonna change because the campus firewalls are palo with panorama and diversifying would be annoying but fortinet is half the price. Doubt saving 10k a year is worth it when our monthly cloud spend is over a million

Fortinets are on par with Palo Alto, but switching is gonna be a pain because you'll have to learn totally new systems. Also, I'm surprised the Fortinets that are comparable to your Palo Altos are half the price; I thought they were closer in price than that. What Palos do you have and what Fortinets are you looking at to replace them with?

# Aug 2, 2019 22:25

Can a Cisco device syslog to the same IP twice but on different ports? I have a want/need to condense 2 syslog "servers" (aka Windows 7 workstations set up by my predecessor) and I'd prefer to just have one listen on something like UDP/1025 while the other listens on UDP/514, but I'm not sure if that will actually work; the other option is obviously to give the new VM 2 IP addresses and just have each one listen on its own IP.

# Aug 13, 2019 19:12

Cool, yeah, I dropped the commands in and they worked, but I wasn't sure if it would actually happen. Then I realized I could set it to use TCP and just cap the traffic and see if it actually is sending log messages. I didn't get a lot of sleep last night OK!

# Aug 13, 2019 19:43

Since we are general networking in here, I'll ask for some ideas/info here. Client is balking at the total cost of ownership of an SG250 48-port switch; he is crying because over the life of the switch he will have paid for the switch a second time in SmartNET costs. I mean, sure, but do you not want a service agreement when the thing goes tits up in 2 years? Also, it's not really that much, but WHATEVER. Anyway, looking at alternatives, I've come up with Aruba (same issue, actually their support agreements are like double/triple the cost). Looks like there are some low/mid-end HPE branded switches like this https://www.cdw.com/product/hpe-1950-48g-2sfp-2xgt-switch-48-ports-managed-rack-mountable/4360627pfm=srh that I'm not at all familiar with, so not sure how they are; anyone have experience? Dell EMC devices like this: https://www.cdw.com/product/dell-emc-networking-x1052p-switch-48-ports-managed-rack-mountable/3860905?pfm=srh Any actual/other recommendations? 48 ports, rack mountable, no PoE needed; it's going to be a client access switch.

# Sep 3, 2019 22:13

I would rather kill myself; also they don't have 48 port options and we only have 1U of rack space.

# Sep 3, 2019 22:34

So, I'm mildly perplexed by this. The situation is that I have an ASA5515 pair that is logging to a syslog server; I have moved the syslog server to a new machine (from a Win7 desktop to a Server 2019 VM), and since doing that I'm no longer getting netflow logs. We don't have netflow specifically set up, but we are doing debug logging; the only configuration change that was made on the ASA was removing the old server and adding the new in its place. I confirmed the server is not seeing those logs via pcap on the server, but it does get other debug level logs without issue. I confirmed that those logs appear on the ASA by logging to the console directly. It does not (appear) the traffic is being dropped by the switch; I looked at counters and they aren't going up. I ran a cap on the ASA itself to try to confirm 100% that it's sending the logs to the syslog server, but the capture only shows date, time, source IP/port, destination IP/port and packet count; it doesn't show the actual content of the packet. Anyone have any ideas about where I can look next? I was really hoping to validate the ASA is sending the logs with a more verbose capture but I don't see how to do that. Even if it is, I don't see what the hell could be happening to the packets; they seem to be disappearing into the ethernet.

# Sep 13, 2019 17:35

> uhhhhahhhhohahhh posted: Did you add the new IP in both places? If you're doing it through ASDM, you do it on the device management page and on the Service Policy page.

Both places? We don't have netflow explicitly configured; it (should) be sent because logging level is set to debugging and debug-trace is on, if that's what you mean. Doing this all through the CLI, I don't really use ASDM. Perhaps I am mis-using "netflow", but I assumed that's what they were... here's an example log that I'm not getting now that I was before:

```
<166><1566403763000>ASA-6-302014:Teardown TCP connection 24157561 for outside: X.X.X.X/443 to inside: X.X.X.X/21135 duration 0:00:00 bytes 0 TCP FINs from inside
```

# Sep 13, 2019 18:45

> BaseballPCHiker posted: What syslog software are you using?

```
ALB5515# show run logging
logging enable
logging timestamp
logging buffer-size 65535
logging buffered informational
logging trap debugging
logging asdm informational
logging host inside 192.168.86.6
logging debug-trace
```

Configuration worked fine before changing to the new server; all I did was change the host IP. We're using Log360; it is listening on 513 and 514 UDP. The issue is still that the logs do not even get TO the syslog server; it's not sending anything about connections etc., it's only sending information about login/out/configuration change and possibly a few other little things, but nothing about allowed/denied/created/destroyed connections.

> uhhhhahhhhohahhh posted: I don't think that's technically netflow, just the standard ASA log about connections being created, ended or denied.

Ahh, guess it's not netflow then; I just need info about the connections.

# Sep 13, 2019 19:52

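For the situation in the post above (connection events no longer reaching the new collector while admin events still do), here is an added Python check that is not code from the thread: it parses ASA syslog lines, checks the PRI against the ASA severity digit, and reports whether per-connection build/teardown/deny messages are present or only admin-level ones are. The sample lines, hostnames and addresses are constructed; the message IDs are standard ASA IDs (302013-302016 and 106023 for connections, 605005 and 111008 for admin events).

```python
"""Added check: classify ASA syslog lines by message ID to see which event
classes a collector is actually receiving (sample lines are constructed)."""
import re
from collections import Counter

# Accepts the standard "<PRI>%ASA-<sev>-<id>:" header as well as the
# "<PRI><epoch_ms>ASA-<sev>-<id>:" variant quoted in the thread.
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?:<\d+>)?\s*%?ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$"
)

# Per-connection events: TCP/UDP build and teardown, and ACL deny.
CONNECTION_IDS = {"302013", "302014", "302015", "302016", "106023"}
# Administrative events: login permitted, command executed.
ADMIN_IDS = {"605005", "111008"}


def parse_asa_line(line):
    """Split one syslog line into facility, severity, msgid and text."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    facility, pri_sev = divmod(int(m.group("pri")), 8)
    sev = int(m.group("sev"))
    return {
        "facility": facility,
        "severity": sev,
        "pri_consistent": pri_sev == sev,  # PRI severity must match the ASA level
        "msgid": m.group("msgid"),
        "text": m.group("text"),
    }


def audit(lines):
    """Count message IDs and flag whether connection events are present."""
    counts = Counter()
    unparsed = 0
    for line in lines:
        rec = parse_asa_line(line)
        if rec is None:
            unparsed += 1
        else:
            counts[rec["msgid"]] += 1
    seen = set(counts)
    return {
        "per_id": dict(counts),
        "unparsed": unparsed,
        "connection_events": bool(seen & CONNECTION_IDS),
        "admin_only": bool(seen) and seen <= ADMIN_IDS,
    }


# Constructed samples: what the collector saw before the server move (a
# teardown like the one quoted in the thread, a build and a deny) and after
# it (admin-level messages only). Addresses are documentation ranges.
BEFORE = [
    "<166><1566403763000>ASA-6-302014:Teardown TCP connection 24157561 for outside:203.0.113.10/443 to inside:192.0.2.25/21135 duration 0:00:00 bytes 0 TCP FINs from inside",
    "<166>%ASA-6-302013: Built inbound TCP connection 24157562 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:192.0.2.25/21136 (192.0.2.25/21136)",
    '<164>%ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:192.0.2.25/22 by access-group "outside_in"',
]
AFTER = [
    '<166>%ASA-6-605005: Login permitted from 192.0.2.40/51122 to inside:192.0.2.1/ssh for user "admin"',
    "<165>%ASA-5-111008: User 'admin' executed the 'logging host inside 192.168.86.6' command.",
]
```

Feed it a text export from the collector, or the payloads from a packet capture taken on the syslog host, to tell "ASA is not sending connection events" apart from "collector is dropping them".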
> BaseballPCHiker posted: Try putting the port numbers at the end of that IP. Like: logging host inside 192.168.86.6 UDP/513.

Explicitly marking the port made no change. Gonna have our architect look at it on Monday I guess; I'm just spinning my wheels at this point, unless you come back with your solution.

*edit* aaaaaaaaaaaaaaaaaand gently caress everything, it's working now; all I had to do was completely remove the logging config and re-add it all...

# Sep 13, 2019 22:12

> Nuclearmonkee posted: lmao was about to recommend "reboot or rip it all out and put it back to restart the process"

I feel dumb for not trying that before, but really, wtf, come on. Live and learn I suppose; now I know not to trust the config of an ASA.

# Sep 17, 2019 19:42

> Nuclearmonkee posted: To be fair, it could also have been a firmware bug that's hopefully resolved in an update. That would be next on my list if you are 100% confident the config is correct.

Thankfully we don't do Firepower at all; we have a config standard that removes BVI as well (for devices that need it), though I don't think the 5515/5516s come by default like the 5506s. I do long for Fortinets, as lovely as that sounds, but it looks like we're moving to SonicWALL.

# Sep 17, 2019 20:38

Client requirement is to capture all the logs for compliance (they are a bank). Used UDP in the end, but I might have swapped to TCP temporarily, I forget, been a while now. I found that if you have 2 syslog servers configured, it won't send everything to both log servers (I haven't tested if it's because they are the same IP but different ports or if that will happen with 2 completely separate IPs); it will only send everything to the first server in the list and then admin level events only to the second server.

# Nov 22, 2019 22:59