Soooo, I am sure everyone in here would be appalled at the setup I am working with, but this is one of the items coming up on my hit list to fix before I look for a better job. I am configuring a Catalyst 3750 to do some slight VLAN/routing out at our newly acquired colo. I was browsing through the current config of these switches at my work (two of them in identical setups), and realized that we do not have any true management network set up. How unusual is this for a small/mid sized company (around 280 employees)? I understand that this leaves everything on my network open to everyone/everything. Thinking about it now, if someone wanted to be malicious and was not an idiot, it would not be too difficult. Also, what are some best practices on this? Set up a completely different subnet for management that only certain workstations can access? Also, our 3750s are currently running IOS 12.2 (I believe). Is there much work behind getting that up to date?

Moey fucked around with this message at 00:42 on Jun 6, 2012
# ¿ Jun 6, 2012 00:37

No one here is dedicated to networking, or any item in general. I have pretty much taken over the VMware portion of everything. I have finally corrected everything on our two sites. We just got a colo, so now along with the rest I am looking into the networking, because I have a few days to get this together. As for software updates, I was told that we are still paying for updates, so I should be able to figure out how to update the IOS.

Edit: on my phone right now, yes everything has passwords.

Moey fucked around with this message at 05:32 on Jun 6, 2012

# ¿ Jun 6, 2012 05:27
|
ragzilla posted:This isn't uncommon at all. Everything has passwords right?

Looks like we are running IOS 12.2(53)SE2, and the current for that switch is 12.2(55)SE5. Not worrying about features, should updating to the most current IOS be valuable from a security perspective (vulnerability patches)?
|
# ¿ Jun 6, 2012 16:19 |
|
Tremblay posted:See if there are any PSIRT notices against the release you are running.

Seems to be 5 published, I do not think any of them apply to our scope of use. Thanks for this! Now just to make myself a little more competent in getting this configured!
|
# ¿ Jun 6, 2012 17:57 |
|
Powercrazy posted:Those who can't do, teach.

I am debating on printing this poster size for my office.
|
# ¿ Jun 30, 2012 21:14 |
|
Cross posting from the poo poo that pisses you off thread. Was trying to avoid this thread as I think I know the "cisco crowd" answer already (and also I am not a "network guy" by any means, be kind). What is the best way for me to hand out DHCP addresses on a new network segment with an existing DC? I think I have it boiled down to two ideas, but want to get some feedback.

1: Set up my new network segment on its own VLAN. Set up a trunk going into my existing production VLAN allowing all traffic. Add in a second virtual NIC into my existing DC tagged to that new VLAN. Configure it to hand out DHCP on that NIC to the new segment.

2: Set up my new network segment on its own VLAN. Set up a trunk going into my existing production VLAN allowing all traffic. Set up an IP helper on all switches within that new segment pointing to my existing DC.

This is just something temporary to handle about 250 devices moving into an existing location. Once the dust settles after the move, devices will be properly segregated onto their own VLAN.
|
# ¿ Jan 26, 2013 02:23 |
|
less than three posted:I'd say use 2, or have a switch act as a DHCP server if you don't need the AD integration.

Only DHCP service devices are going to be Windows servers. Currently those are domain controllers that handle everything since it is a smaller environment (AD/GC, DNS, DHCP, NTP). Not looking to build a second Windows DHCP server for this segment as this is just temporary until the network gets finalized (currently pretty flat network).

adorai posted:You only need the helper on one device per VLAN. We have helper addresses for a few hundred subnets, all pointing back to a single DHCP server, it works quite well. Very easy to manage as well.

Is that the more sane route? This will just be a temporary VLAN until the network gets properly segmented. The more I think about it the more I think IP helpers will work best.

Edit: With IP helpers, my Windows DHCP server will know what network segment these broadcast requests come from and hand out a proper IP address right?
|
# ¿ Jan 26, 2013 02:54 |
|
ragzilla posted:Correct, the relay (helper) puts its IP address in the DHCPDISCOVER which tells the DHCP server which subnet the request is for. It then sends an OFFER back to the relay agent which forwards it to the device that requested it.

Will probably take this route. The extra vNIC within the server now seems like extra work for no reason. Thanks pals!
|
# ¿ Jan 26, 2013 04:31 |
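The relay exchange described in the posts above, modelled as an added example (not code from the thread or from any vendor): a client's DHCPDISCOVER, the `ip helper-address` relay stamping its VLAN interface address into the giaddr field, the server picking a scope from giaddr rather than from the packet's source, and the OFFER returning to the relay. The header layout is the RFC 2131 fixed header; all packet contents, MAC addresses and scope lists are constructed for the example.

```python
"""Toy DHCP relay (ip helper-address) exchange on the RFC 2131 fixed header.

Added example, not from the thread. Everything below is constructed to show
why a relayed request lands in the right scope: the server reads giaddr.
"""
import ipaddress
import struct
from typing import Iterable, Optional

# RFC 2131 fixed header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr[16], sname[64], file[128]
HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC = b"\x63\x82\x53\x63"          # magic cookie that starts the options field
BOOTREQUEST, BOOTREPLY = 1, 2
F_OP, F_HOPS, F_YIADDR, F_GIADDR = 0, 3, 8, 10
ZERO4 = b"\x00" * 4


def build_discover(mac: bytes, xid: int) -> bytes:
    """DHCPDISCOVER as the client broadcasts it: giaddr is still 0.0.0.0."""
    hdr = HDR.pack(BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                   ZERO4, ZERO4, ZERO4, ZERO4, mac.ljust(16, b"\x00"),
                   b"\x00" * 64, b"\x00" * 128)
    return hdr + MAGIC + b"\x35\x01\x01\xff"    # option 53 = DISCOVER, then END


def relay(packet: bytes, svi_ip: str) -> bytes:
    """What the VLAN interface carrying the helper address does before it
    unicasts the request to the server: stamp its own address into giaddr
    (only if no earlier relay already did) and count the hop."""
    f = list(HDR.unpack_from(packet))
    if f[F_GIADDR] == ZERO4:
        f[F_GIADDR] = ipaddress.IPv4Address(svi_ip).packed
    f[F_HOPS] += 1
    return HDR.pack(*f) + packet[HDR.size:]


def hop_count(packet: bytes) -> int:
    return HDR.unpack_from(packet)[F_HOPS]


def select_scope(packet: bytes, scopes: Iterable[str]) -> Optional[str]:
    """Server side: the scope is chosen by giaddr, not by the UDP source.
    strict=False lets '10.2.1.0/22' as written in the thread be accepted."""
    giaddr = ipaddress.IPv4Address(HDR.unpack_from(packet)[F_GIADDR])
    if giaddr == ipaddress.IPv4Address("0.0.0.0"):
        return None   # not relayed; a real server would use its own interface subnet
    for cidr in scopes:
        if giaddr in ipaddress.ip_network(cidr, strict=False):
            return cidr
    return None


def build_offer(discover: bytes, yiaddr: str) -> bytes:
    """DHCPOFFER keeps xid, chaddr and giaddr from the request, fills yiaddr."""
    f = list(HDR.unpack_from(discover))
    f[F_OP] = BOOTREPLY
    f[F_YIADDR] = ipaddress.IPv4Address(yiaddr).packed
    return HDR.pack(*f) + MAGIC + b"\x35\x01\x02\xff"   # option 53 = OFFER, END


def offered_address(offer: bytes) -> str:
    return str(ipaddress.IPv4Address(HDR.unpack_from(offer)[F_YIADDR]))


def offer_return_path(offer: bytes) -> str:
    """The server unicasts the OFFER to giaddr; the relay then delivers it on
    the VLAN whose interface carries that address."""
    return str(ipaddress.IPv4Address(HDR.unpack_from(offer)[F_GIADDR]))


if __name__ == "__main__":
    # Constructed walk-through using the addresses quoted later in the thread.
    scopes = ["10.1.1.0/22", "10.2.1.0/22"]
    d = build_discover(b"\x00\x11\x22\x33\x44\x55", 0x2A2A2A2A)
    r = relay(d, "10.2.1.2")          # SVI on the new VLAN with the helper address
    print("scope for raw broadcast:", select_scope(d, scopes))     # None
    print("scope after relay:      ", select_scope(r, scopes))     # 10.2.1.0/22
    o = build_offer(r, "10.2.1.77")
    print("offer goes back to:     ", offer_return_path(o))        # 10.2.1.2
```

Two points the walk-through makes visible: a second relay in the path leaves giaddr alone and only bumps the hop count, so the server still sees the first hop's subnet; and the server never needs an interface in the client's VLAN, which is exactly why one helper per VLAN pointing at a central server scales.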
|
This may seem like a dumb question, but on most switches the management VLAN is not routable, correct? So if I was to set up a management IP for all my switches, I would need to dual home (or isolate) a workstation on that network to manage them?
|
# ¿ Jan 27, 2013 23:45 |
|
Thanks for the quick response. The environment in question is running on all layer 3 Dell switches (pretty similar to Cisco from my tinkering, but keep in mind I am not a "network guy"). An 8132F as the "core" backbone switch connected to stacks of 6248 and 6248P layer 3 switches for workstation/phone access. Everything is connected in star topology fashion. Everything was deployed using the default VLAN (1) with management on that VLAN as well. On these switches you cannot do routing on the management interface. We have about 250 more devices coming into this setup, and it was decided that we will start segregating the traffic now as we are running out of available IPs (starting with the new devices, then moving to the existing network later on). The plan is to have the new stacks of access switches running on a different VLAN/network segment and a trunk connecting the new VLAN/segment and existing. This wouldn't have been a problem, except for when I went to implement it, I realized that I cannot enable routing on the existing default VLAN. This is where I hit my wall in designing this as best as possible.
|
# ¿ Jan 28, 2013 00:03 |
|
I guess I am pretty confused here. I'll try to elaborate some more.

Existing network is 10.1.1.0/22
New network we are trying to set up is 10.2.1.0/22

Core switch is all VLAN 1 at 10.1.1.1
Created VLAN 40 with an IP address of 10.2.1.2
I created a trunk on port 1 that connects to a new switch for the new network. Allowed VLAN access for VLAN 1 and 40

Access switch is all VLAN 40 at 10.2.1.1
Created VLAN 40 with an IP address of 10.1.1.2
I created a trunk on port 1 that connects to the core switch. Allowed VLAN access for VLAN 1 and 40

From the core switch I can ping my existing network, 10.2.1.1 and a workstation connected to the new network.
From the new switch, I can ping the workstation on the new network, 10.2.1.2, but nothing further.
From a workstation on the old network (with gateway pointed at 10.1.1.1) I can ping 10.2.1.2 and 10.2.1.1 but not the workstation on the new network.

If it would help for me to draw up a diagram with labels please let me know.
|
# ¿ Jan 28, 2013 00:47 |
|
It does. I'll test when I get back home tonight. I think I am close but have not changed the gateway on any of the switches (not sure why I didn't check that). Both core and new switch are showing routes to each other though.
|
# ¿ Jan 28, 2013 01:36 |
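A toy forwarding tracer for the symptom in the two posts above, added here as an example (not code from the thread). It does longest-prefix-match routing per node and checks both directions of a ping, since an echo reply with no route home fails just as surely as a request that never arrives. The addresses are the ones quoted in the thread; the topology, and the assumption that the access switch's VLAN 40 interface has no default route back to the core (the follow-up post's own suspicion about the switch gateway), are mine. Under that assumption the model reproduces the central symptom: the old workstation reaches the core's 10.2.1.2 but not the new workstation.

```python
"""Toy two-way path tracer for a core/access switch pair. Added example,
not from the thread; topology and the missing default route are assumptions.
"""
import ipaddress


class Node:
    """A host or L3 switch: interface addresses plus a static routing table."""

    def __init__(self, name, ifaces, routes=()):
        self.name = name
        self.ifaces = [ipaddress.ip_interface(i) for i in ifaces]
        self.routes = [(ipaddress.ip_network(d), ipaddress.ip_address(nh))
                       for d, nh in routes]

    def owns(self, addr):
        return any(addr == i.ip for i in self.ifaces)

    def next_hop(self, dst):
        """Directly connected wins; otherwise the longest matching static route."""
        for i in self.ifaces:
            if dst in i.network:
                return dst
        best = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None


def trace(nodes, src, dst_ip, max_hops=8):
    """Names of the nodes a packet crosses, or None if some hop has no route."""
    by_ip = {i.ip: n for n in nodes for i in n.ifaces}
    cur = next(n for n in nodes if n.name == src)
    dst = ipaddress.ip_address(dst_ip)
    path = [cur.name]
    for _ in range(max_hops):
        if cur.owns(dst):
            return path
        nh = cur.next_hop(dst)
        if nh is None or nh not in by_ip:
            return None
        cur = by_ip[nh]
        path.append(cur.name)
    return None


def ping_ok(nodes, src, dst_ip):
    """A ping only 'works' if the reply can find its way back to the source
    address, which (as a router would) is taken from the egress interface."""
    fwd = trace(nodes, src, dst_ip)
    if fwd is None:
        return False
    node = next(n for n in nodes if n.name == src)
    first_hop = node.next_hop(ipaddress.ip_address(dst_ip))
    egress = next((i for i in node.ifaces if first_hop in i.network), None)
    if egress is None:
        return False
    return trace(nodes, fwd[-1], str(egress.ip)) is not None


def build(access_has_default_route):
    """Constructed topology: core with SVIs in VLAN 1 and VLAN 40, an access
    switch with only a VLAN 40 SVI, and one workstation in each network."""
    access_routes = [("0.0.0.0/0", "10.2.1.2")] if access_has_default_route else []
    return [
        Node("core", ["10.1.1.1/22", "10.2.1.2/22"]),
        Node("access", ["10.2.1.1/22"], access_routes),
        Node("old_ws", ["10.1.1.50/22"], [("0.0.0.0/0", "10.1.1.1")]),
        Node("new_ws", ["10.2.1.50/22"], [("0.0.0.0/0", "10.2.1.1")]),
    ]


if __name__ == "__main__":
    for fixed in (False, True):
        nodes = build(fixed)
        print("access has default route:", fixed)
        print("  old_ws -> core 10.2.1.2 :", ping_ok(nodes, "old_ws", "10.2.1.2"))
        print("  old_ws -> new_ws        :", ping_ok(nodes, "old_ws", "10.2.1.50"))
        print("  access -> core 10.1.1.1 :", ping_ok(nodes, "access", "10.1.1.1"))
```

The forward trace from the old workstation reaches the new one fine; it is the reply, handed by the new workstation to its gateway on the access switch, that dies for lack of a route. Adding the default route on the access switch (or pointing the new workstations' gateway at the core's 10.2.1.2) fixes both the switch-to-core and the workstation-to-workstation cases in the model.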
|
I am in the process of re-organizing our network. Biggest segment will be a /23 for that site's phones, but there will most likely be only 210ish devices on there. Looking back, I could probably make that a /24...

bort posted:/16

After I left my old job they needed to expand a scope and didn't really know what they were doing, so the two /23 scopes went into a giant /16....
|
# ¿ Feb 7, 2014 00:08 |
|
Martytoof posted:Totally sales, and they'll vet you after the fact with a phonecall. If it's relevant to your workplace, just tell them you're in a position to recommend their products etc etc. Only one AP per company.

Found out an old employee here already snagged one.
|
# ¿ Feb 11, 2014 21:28 |
|
Anyone care to help me with what should be a simple problem? Working with a Cisco 2811. Trying to set a static route going to an interface. Whenever I enter the static route it takes it fine, but it doesn't show up when I do a "show ip route". It does show up with "show run". The interface shows as up. Any ideas on what I am missing? I don't normally deal with routers much, so I am working a lot from Google.
|
# ¿ Feb 14, 2014 17:30 |
|
Jelmylicious posted:Is the next hop you are pointing the route to in your routing table (as directly connected)?

The route in question is not showing up at all in the routing table (show ip route). It does show up when I do a "show run" though.
|
# ¿ Feb 14, 2014 18:07 |
|
Powercrazy posted:Are you using ip route 192.168.1.0 255.255.255.0 fa0/1.10

The network that is connected to fa0 I have no control over. To my knowledge it is all just dumb switches patched together and is closed outside of this connection in there. Doing a traceroute to the 192.168.1.0 network from that router just loops on the 0.0.0.0 route I have set.

Edit: To expand a little more. fa0/1 is set up like so:

```
!
int fa0/1
 no ip address
 duplex auto
 speed auto
!
int fa0/1.10
 encapsulation dot1q 10 native
!
```

Double Edit: Here is a quick drawing of what I am talking about. Want to be as clear as possible.

R1 is the router in question I am working with.
R2 is the router at the other end of the T1 link that connects this mess back to our real network.
POOP is this network that is all dumb switches that I have no control over.

Moey fucked around with this message at 19:32 on Feb 14, 2014

# ¿ Feb 14, 2014 19:09
|
Powercrazy posted:So your router doesn't have an IP on the 192.168.1.0 network? Because if not, there is no way devices on that network will be able to get back to the router. And I'm pretty sure the packets aren't even being sent since the router doesn't have a source address for the IP Packet.

Correct, no IP on the 192.168.1.0/24 network. Good call on the source address IP, I didn't even think of that. Backstory: This was set up long before I was here. R1 recently poo poo the bed and somehow got wiped back to factory defaults. We don't have any documentation on the config. No documentation on the 192.168.1.0/24 network. It runs some very important stuff, but is literally strung together with lovely unmanaged switches. I guess I'll have to do some network scans and find out what is actually out there, then assign an IP like it should be. Thanks for your help.

Edit: I am now beginning to learn that the workstations on that network they want to get to are just dual homed onto another lovely network. And for some reason that private network is using public addresses for all of its devices. I know it doesn't make a difference since this thing doesn't go out to the internet at all, but still.

Moey fucked around with this message at 21:40 on Feb 14, 2014

# ¿ Feb 14, 2014 19:45
|
Any Smartnet knowledgeable people in here? We are going through our renewal right now and have gotten rid of most of our Cisco switches and stuff. We are still running CUCM with a handful of Cisco phones. We also have a few VG224s, 2811s and ATAs. Can I get away with only renewing software support for CUCM and all of our end user licenses, then just stocking up on some extra used hardware? Will Cisco not support any of our phone setup if everything isn't covered?
|
# ¿ Feb 19, 2014 19:35 |
|
n0tqu1tesane posted:If you've got problems with the 2811s, and you don't have smartnet on them, they may not give you support if the problem is determined to be with the 2811 (configuration or hardware) and not the CUCM.

But that would be easy enough to just swap out the hardware with a known working spare. As long as they will still provide support for the CUCM itself, I think we would be fine. If they found it to be hardware related and told us to deal with it because of lack of support, I would be fine with that.
|
# ¿ Feb 19, 2014 20:00 |
|
n0tqu1tesane posted:Well, you could still run into configuration issues, but if you're doing basic h323 voice gateways with the 2811s, there really isn't a ton to go wrong.

Yea, very simple config and never really changes. So as long as I have backups of the configs, dropping in a replacement should be a walk in the park.
|
# ¿ Feb 19, 2014 23:15 |
|
Zuhzuhzombie!! posted:I think we're using an old Cisco MARS to handle our syslogs.

I actually just chucked one of those into our "storage" building (aka graveyard) not too long ago. No idea how old the thing actually was.
|
# ¿ Apr 16, 2014 15:47 |
|
H.R. Paperstacks posted:We swapped to phpIPAM from GestioIP and the transition has been interesting since phpIPAM doesn't yet allow for importing of IP subnets, only specific hosts within a created IP subnet. Other than that, the software seems much better and the AD integration is nicer.

Using GestioIP here as well, no complaints.
|
# ¿ Apr 23, 2014 00:11 |
|
I always use TIA-568B. For whatever reason it really bothers me when I come across 568A stuff.
|
# ¿ Apr 25, 2014 17:11 |
|
I used Kiwi in the past and it worked fine for our smaller environment. Dead simple to setup/use.
|
# ¿ May 21, 2014 17:05 |
|
ToG posted:Are there any free network monitoring softwares that don't suck. Spiceworks doesn't seem to support importing MIBs and I tried setting up Nagios in a Fedora VM and while I got it up and running it's a pain in the rear end to configure. Manually editing text files for each device I want to add is silly. I just want to monitor a few routers and switches using SNMPv3 for lab purposes (20 at most).

I am running Opsview Core which is built on top of Nagios. Not too terrible to set up and configure. You can manually edit some files to remove the branding (social media stuff) on their Core version.
|
# ¿ Aug 11, 2014 01:43 |
|
ragzilla posted:So who here had a fun time this morning when the table crossed 512k?

I am also looking forward to hearing the horror stories.
|
# ¿ Aug 12, 2014 21:36 |
|
Red Robin Hood posted:I opened a TAC case regarding this issue but they're borderline useless.

Little late to this, I had a 3750 that would do this after like 60 something days of uptime. If I left it running, I would lose console access as well. Still would pass traffic though. Ended up being whatever version of IOS was on there had a memory leak.
|
# ¿ Nov 18, 2014 15:45 |
|
This is the one I have been using for like two years now. It has been rock solid. Whatever chipset in there is "newer" so it should be plug and play for most. http://www.amazon.com/Plugable-Adapter-Prolific-PL2303HX-Chipset/dp/B00425S1H8
|
# ¿ Nov 24, 2014 20:33 |
|
inignot posted:Unless it's Juniper gear running their crazy moon language.

I have learned to love that moon language. I never want to go back.
|
# ¿ Dec 23, 2014 02:09 |
|
doomisland posted:Redundant fiber from two providers coming into the routers with a microwave dish on the roof for backup and an opengear with POTS and 4G connectivity

Gotta have separate trenches for that fiber. Backhoes make work of fiber real quick.
|
# ¿ Dec 27, 2014 20:21 |
|
Nitr0 posted:Buy a Palo Alto

He means SRX.
|
# ¿ Feb 24, 2015 07:27 |
|
Get a fancy "next gen" firewall?
|
# ¿ Mar 7, 2015 00:04 |
|
Stupid Experts Exchange. If you find the link on google, you can scroll all the way down and see the answer. But direct links make you have an account. Hit the first link. https://www.google.com/search?q=Was...=utf-8&oe=utf-8
|
# ¿ Mar 12, 2015 22:11 |
|
Any point in using PFS on a site to site VPN if it isn't going over the internet?
|
# ¿ Mar 13, 2015 00:02 |
|
Tremblay posted:How paranoid are you? I don't mean this in a derogatory way.

The paranoid guy at the other end of the VPN said to have it off. I don't see why it would hurt to have it on. It is confidential data going over this link, thus the reason it is being tunneled through our LAN. No sweat off my back either way. He manages the data and compliance, I just support a department accessing it.
|
# ¿ Mar 13, 2015 04:52 |
|
Thanks guys. I'll go ahead and just leave it disabled. It would be going from a Juniper SRX to a Cisco ASA.
|
# ¿ Mar 13, 2015 15:45 |
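What PFS actually changes on a tunnel like the one discussed above, as an added example (not code from the thread, and not how any SRX or ASA implements it): peers A and B hold long-lived DH key pairs standing in for the IKE SA's key material, and each rekey derives a fresh tunnel key either from those static keys plus nonces (no PFS) or from throwaway ephemeral keys (PFS). A passive recorder who later obtains B's static private key then tries to rebuild each recorded session key. The group parameters, nonces and key-derivation are constructed for illustration and are far too small for real use; the point is the difference between the two modes, which does not depend on whether the link crosses the internet.

```python
"""Toy model of PFS on a site-to-site tunnel rekey.
Added example, not from the thread; all parameters are constructed.
"""
import hashlib
import secrets

P = (1 << 127) - 1   # toy prime modulus (constructed; not a real IKE group)
G = 3                # toy generator


def keygen():
    """Return (private exponent, public value) in the toy group."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def kdf(shared: int, n_i: bytes, n_r: bytes) -> bytes:
    """Derive a 256-bit tunnel key from the DH secret and both nonces."""
    return hashlib.sha256(shared.to_bytes(16, "big") + n_i + n_r).digest()


def rekey(mode: str, a_static, b_static):
    """One rekey between A and B. Returns A's key, B's key, and what a
    passive sniffer captured: nonces, plus public DH values when PFS is on."""
    n_i, n_r = secrets.token_bytes(16), secrets.token_bytes(16)
    if mode == "no-pfs":
        # keys depend only on the long-lived static secrets and fresh nonces
        ss_a = pow(b_static[1], a_static[0], P)
        ss_b = pow(a_static[1], b_static[0], P)
        wire = {"mode": mode, "n_i": n_i, "n_r": n_r}
    elif mode == "pfs":
        ea, eb = keygen(), keygen()          # fresh exponents, discarded after use
        ss_a = pow(eb[1], ea[0], P)
        ss_b = pow(ea[1], eb[0], P)
        wire = {"mode": mode, "n_i": n_i, "n_r": n_r, "ke_i": ea[1], "ke_r": eb[1]}
    else:
        raise ValueError(mode)
    return kdf(ss_a, n_i, n_r), kdf(ss_b, n_i, n_r), wire


def recover_session_key(wire, a_static_pub: int, leaked_b_priv: int):
    """Attacker holding a recording and B's later-stolen static private key.
    Without PFS the session key is fully determined by the static keys and
    the recorded nonces, so it comes straight back. With PFS only ephemeral
    public values were recorded; the static key says nothing about them."""
    if wire["mode"] == "no-pfs":
        shared = pow(a_static_pub, leaked_b_priv, P)
        return kdf(shared, wire["n_i"], wire["n_r"])
    return None


def demo():
    """Run one rekey in each mode and report what the recorder could recover."""
    a, b = keygen(), keygen()
    k_a, k_b, wire = rekey("no-pfs", a, b)
    k_a2, k_b2, wire2 = rekey("pfs", a, b)
    return {
        "no_pfs_agree": k_a == k_b,
        "pfs_agree": k_a2 == k_b2,
        "no_pfs_recovered": recover_session_key(wire, a[1], b[0]) == k_a,
        "pfs_recovered": recover_session_key(wire2, a[1], b[0]) == k_a2,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18s} {value}")
```

Every rekey without PFS still produces a different key (the nonces see to that), which is why the option can look redundant; the difference only shows up after the long-term key leaks, when all of those recorded sessions fall at once. The trade-off is an extra DH computation per rekey.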
|
ragzilla posted:This could be a bad thing if you ever have to rely on 'reload in 5' and "don't save the config just yet" (hooray for IOS not having a sane config rollback).

That is one thing I am loving about all the Juniper stuff I manage. Roll back and copy on commit to an internal FTP server.
|
# ¿ Mar 19, 2015 03:52 |
|
Docjowles posted:due to the flooding in Colorado a couple years back creating a gigantic sinkhole in the earth and physically destroying the link. It took techs like 8 hours to splice the fiber in the sinkhole back together in what I can only assume were loving awful conditions.

This is a sign to move up the hill....
|
# ¿ Mar 28, 2015 17:22

Anyone here using OSPF for routing between their firewall and their LAN? Looks like it isn't best practice and this is how "previous guy" had deployed things.
|
# ¿ Mar 30, 2015 23:56 |