We're looking at the 15.0 train on our 3750x stacks for 10g support. Still concerned by some of the reports of memory leakage, etc. What code revs are people happy with?

# Feb 20, 2014 14:40
# May 14, 2024 10:32
madsushi posted: LogStash

How do you like Logstash? Just upgraded to PI 2.1 which still doesn't have a fully baked syslog server (though I see you can edit some configs to support more sev levels). Looking to roll a free syslog server for our networking equipment and maybe some other systems if client/server wants to use it as well. No budget for something like Splunk but Logstash/Kibana looked pretty slick.

# May 9, 2014 14:05
Have a WLC 5508 on a dmz handling guest internet. Unfortunately the guest wireless is pointing to our internal dhcp/dns. I'd like to really isolate the guest internet from our internal before it bites us in the rear end. I see the option for an internal dhcp server on the WLC but Cisco documentation recommends using it for only small deploys/branch offices. http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/110865-dhcp-wlc.html#Internal-DHCP Anyone have any luck using the WLC for handling ~800 guest users or am I better off throwing another device in the guest dmz for handing out addresses?

# Feb 11, 2015 14:25
Thanks for the ideas guys. For the time being I enabled dhcp proxy on the WLC and locked down the firewall to only allow dhcp requests from the WLC. At some point I'll move DHCP to the guest internet router.

# Feb 13, 2015 03:09
Silly question. `sh ip route` displays a gateway of last resort: `Gateway of last resort is 10.88.1.194 to network 0.0.0.0` But the routing table has two 0.0.0.0/0 routes: code:

# Apr 21, 2015 13:42
In UCS training at Cisco this week. Our teacher has SEVEN CCIEs. Just...how.

# Feb 5, 2016 01:04
psydude posted: What's their name? I may know their daughter.

Mike C. out of Maryland. Teaches for firefly.

# Feb 5, 2016 01:12
PRTG is free for a 100 sensors and the netflow sensor isn't too shabby.

# Mar 28, 2016 12:01
Any good way to get auto qos on a port channel on a 4500x? I ran auto qos on an unused port, copied the input service policy generated to the port channel interface and the output policy to the member interfaces but the output policy command doesn't seem to have stayed on the member interfaces.

# Jun 20, 2017 00:09
They chained it with another bug that allows them to send unicast/broadcast malicious cdp packets to the phone. Also lol at running the cdp daemon as root.

from the white paper posted: However, an additional flaw was discovered in the parsing mechanism of CDP packets in the VoIP phones, enhancing the impact an attacker can achieve using the vulnerability. The CDP implementation in the VoIP phones doesn't validate the destination MAC address of incoming CDP packets, and accepts CDP packets containing unicast/broadcast destination addresses as well. Any CDP packet that is sent to a switch that is not destined to the designated CDP multicast MAC address will be forwarded by the switch, and not terminated by it. Due to this discrepancy, an attacker can trigger the vulnerability described above by a unicast packet sent directly to the target device, or by a broadcast packet sent to all devices in the LAN — without needing to send the packet directly from the switch to which the VoIP phone is connected.

# Feb 8, 2020 01:19
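The white paper's point is that the usual assumption "CDP never crosses a switch" only holds for the multicast destination; a CDP payload addressed to a unicast or broadcast MAC is just a normal frame to the switch. A capture-side check is therefore cheap and useful on the defender's side. The following is an added example, not code from the thread or the white paper: it parses raw Ethernet frames, recognises CDP by its 802.3 + LLC/SNAP header (Cisco OUI 00:00:0c, SNAP protocol ID 0x2000) and flags any CDP frame whose destination is not 01:00:0c:cc:cc:cc. The sample frames, the source MAC and the minimal CDP payload are constructed for the demonstration; the CDP checksum is not verified.

```python
"""
Added example (not from the thread or the quoted white paper): an offline
checker that flags CDP frames sent to a unicast or broadcast destination MAC,
the traffic pattern the white paper describes.
"""
import struct

CDP_MULTICAST_MAC = bytes.fromhex("01000ccccccc")   # destination every well-formed CDP frame uses
LLC_SNAP_HEADER = b"\xaa\xaa\x03"                    # DSAP=0xAA, SSAP=0xAA, control=UI
CISCO_SNAP_OUI = bytes.fromhex("00000c")             # Cisco OUI in the SNAP header
CDP_SNAP_PID = 0x2000                                # SNAP protocol ID for CDP


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_cdp_frame(frame: bytes):
    """Return a summary dict if `frame` carries CDP, else None.

    CDP rides in IEEE 802.3 frames (2-byte length field <= 1500) with an
    LLC/SNAP header; an Ethernet II ethertype in that position is never CDP.
    """
    if len(frame) < 22:
        return None
    dst, src = frame[0:6], frame[6:12]
    (length_or_type,) = struct.unpack("!H", frame[12:14])
    if length_or_type > 1500:
        return None                      # Ethernet II frame (e.g. IPv4), not 802.3/LLC
    if frame[14:17] != LLC_SNAP_HEADER:
        return None
    oui = frame[17:20]
    (pid,) = struct.unpack("!H", frame[20:22])
    if oui != CISCO_SNAP_OUI or pid != CDP_SNAP_PID:
        return None
    return {
        "src": mac_str(src),
        "dst": mac_str(dst),
        # Anything other than the CDP multicast address is the anomaly we look for.
        "anomalous_dst": dst != CDP_MULTICAST_MAC,
    }


def find_anomalous_cdp(frames):
    """Return summaries of CDP frames addressed to a unicast or broadcast MAC."""
    findings = []
    for frame in frames:
        info = parse_cdp_frame(frame)
        if info is not None and info["anomalous_dst"]:
            findings.append(info)
    return findings


def build_cdp_frame(dst: bytes, src: bytes, payload: bytes) -> bytes:
    """Constructed test helper: wrap a CDP payload in an 802.3 + LLC/SNAP frame."""
    llc_snap = LLC_SNAP_HEADER + CISCO_SNAP_OUI + struct.pack("!H", CDP_SNAP_PID)
    body = llc_snap + payload
    return dst + src + struct.pack("!H", len(body)) + body


# Constructed CDP payload: version 2, TTL 180, checksum left zero (not checked
# here), one Device-ID TLV (type 0x0001, length = 4 header bytes + 5 of "phone").
SAMPLE_CDP_PAYLOAD = bytes([0x02, 0xB4, 0x00, 0x00]) + struct.pack("!HH", 0x0001, 9) + b"phone"
SAMPLE_SRC = bytes.fromhex("001122334455")        # constructed source MAC
SAMPLE_UNICAST = bytes.fromhex("00aabbccddee")    # constructed unicast destination

SAMPLE_FRAMES = [
    build_cdp_frame(CDP_MULTICAST_MAC, SAMPLE_SRC, SAMPLE_CDP_PAYLOAD),   # normal CDP
    build_cdp_frame(SAMPLE_UNICAST, SAMPLE_SRC, SAMPLE_CDP_PAYLOAD),      # unicast: flagged
    build_cdp_frame(b"\xff" * 6, SAMPLE_SRC, SAMPLE_CDP_PAYLOAD),         # broadcast: flagged
    # Ethernet II IPv4 frame (ethertype 0x0800): not CDP, must be ignored.
    SAMPLE_UNICAST + SAMPLE_SRC + b"\x08\x00" + b"\x45" + b"\x00" * 39,
]

if __name__ == "__main__":
    for hit in find_anomalous_cdp(SAMPLE_FRAMES):
        print(f"CDP frame from {hit['src']} to non-multicast destination {hit['dst']}")
```

In practice the frames would come from a SPAN session or a pcap on the phone VLAN rather than the constructed list; the check is a heuristic (it flags by destination address only and does not validate the CDP TLVs), so a hit means "someone sent CDP to a specific host or to everyone", which is worth an alert on a segment where only the switch should be talking CDP.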
I'd check Cisco's DevNet documentation for Meraki. Some good documentation there on how to interact with the apis. https://developer.cisco.com/meraki/api/#!introduction/meraki-dashboard-api Would also grab Postman to manually interact with the apis first to make sure things work as expected before scripting them out further. https://www.postman.com/ For better or worse this is the future of network engineering. I did the devnet associate cert last year and I was able to learn an absolute ton, and it has made my job much easier in return.

# Sep 22, 2021 21:17
Look into doing SCEP on your certificate authority if you have one: https://techcommunity.microsoft.com...ers/ba-p/397821 Would allow non domain resources to request a cert which could be used for .1x auth.

# Oct 10, 2021 23:42
Is there a compliance reason? 99% of my ISE projects are for clients requiring things like centralized TACACS or port security to check off their PCI audit. Spinning up a CA for a domain is pretty trivial if you want to go the eap-tls route with cert auth. Alternatively, most NACs will do MAB (MAC address bypass) but you'd have to compile and maintain a list of MAC addresses for allowed devices.

# Oct 11, 2021 00:08
Echoing above, Katherine's blog is excellent. She also did the SISE cert guide which, even if you're not going for your CCNP Security, is an awesome all around ISE resource. https://www.ciscopress.com/store/ccnp-security-identity-management-sise-300-715-official-9780136642947 I typically use Brad Johnson's switch templates when doing ISE projects. Most of the commands are commented so you know what you're entering. The new policy map based configs cut down on individual port config bloat by a ton and allow for more advanced features such as running dot1x and MAB simultaneously. Check them out here: https://www.ise-support.com/cisco-ise-nad-configuration-templates/

# Mar 7, 2023 13:44
Backup and restore is the way to go for sure. This blog post hits on pretty much everything. https://www.lookingpoint.com/blog/cisco-ise-3.0-major-upgrade Upgrade your licenses, back up your system certs (they're not in the config backup), and don't forget to re-join to the domain if you're doing anything with AD. 2 hours might be cutting it for the upgrade in total, but as long as your devices fail over properly then it should be pretty hitless for end users.

# Nov 1, 2023 01:28