BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

NinjaPablo posted:

When I called Cisco, they said it wasn't vulnerable. I guess all the stuff in ()s in the version confuses me.

I have a feeling the difference lies in the 12.1T vs the 12.1T2 image, of which you are running the latter and I can only assume is more current.

amishpurple posted:

I'll paypal you some money to cover shipping costs to send one to me if you're just going to trash them.

No kidding. I have jack-squat for experience with Cisco equipment because I have never been at an office that uses the stuff. If I could send you some cash for shipping and a few beers so I had a router to give myself a crash course in, I would love you forever.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Alright, this is a rough outline of our network as it stands at the moment:


Not pretty. We operate as a division within the university and are very decentralized with about 7 or 8 different remote sites configured in this manner all pointed back to the resources in the main building. Campus networking maintains the links between the sites and the building routers, along with the DHCP server that all our non-static clients are assigned through.

Not controlling our own DHCP registration has been causing more and more administrative headaches as we are growing rapidly (Thanks for setting the Option 81 flag so nothing registers with our DNS servers! :waycool: ) and I really want VPN links between sites so everything looks physically under our control networking-wise. The other consideration is that we don't need web traffic or that other nonsense going across the VPN link when it could be forwarded to the campus building router and be handled from there, so I assume some manner of routing functionality is in order as well.

So if anyone has hardware recommendations of what I should be looking at or a different way of handling this mess, I would appreciate it. Work should be footing the bill for me to get trained to take the CCNA exam in a few months, but I would like to have a long-term plan on how this is going to be corrected before that.

Oh yeah, the firewalls are Juniper Netscreen boxes and I'm not sure what kind of hardware the campus networking guys are running for their routers, but I do know they have a room with some Foundry equipment in it (FastIron Workgroup and BigIron 4000 from what I have seen).

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Jeff73 posted:

I have a couple questions:
1. What model(s) are the Netscreen boxes?
2. How feasible is gaining control of your DHCP service? Is it a turf war or do the central folks have a legit reason?
3. What are the address ranges being given to your remote clients? (disguised if public - just looking for prefix lengths, contiguity, etc.)

The netscreen box in the main building is a NS50, while the external sites are all NS5G's. I was talking to the guy who installed them, and it seems like they have the capability to do what we need with the only big problem being that the NS50 might not be able to handle the load and we will need to move to something beefier. I guess the real question is how to get those boxes to push the external traffic out to the building routers we don't control and keep the traffic we do want moving along the VPN link to the main building.

As for DHCP, it is run through the university networking people and all clients must have their MAC registered through an abomination of a web interface. Works great for kids in the dorms, but hampers our operations severely. The end goal would be to cut off DHCP traffic at the building firewalls and drop in a DHCP server with IP blocks that we will be assigned to control from the campus people. That would be done after the sites are linked correctly and that traffic only has to be cut off from a single point.

One of the big messy parts of this is that we are using fully public IPs and there is no way in hell I will be able to change that into a fully NATed environment at this point. IPs are in the 111.x.x.x/255.248.0.0 range, with each building typically getting 1 to 3 111.x.x.0 DHCP assigned IP blocks to work with depending on the size, along with a static range for weird crap that needs it. Those would obviously change to IPs assigned to the main building once the DHCP traffic is routed through the VPN.

BangersInMyKnickers fucked around with this message at 19:13 on Jul 17, 2007
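The split described in the post above (main-building prefixes into the VPN tunnel, everything else handed to the campus-run building router) comes down to a longest-prefix-match route table per remote site. This is an added illustration, not anything from the thread or from the Netscreen configs; the 111.1.x.0/24 prefixes, the hop names and the main-building block are constructed placeholders inside the 111.0.0.0/13 range the post mentions, and the policy check at the end flags tunnel routes that fall outside the hub's allocation.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed hop names for a hub-and-spoke remote site (not real device names).
VPN_TUNNEL = "vpn-to-main-building"
CAMPUS_ROUTER = "campus-building-router"

# Constructed route table: (prefix, next hop). Longest prefix match decides;
# the /0 default catches everything that is not explicitly sent into the tunnel.
ROUTES: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("0.0.0.0/0"), CAMPUS_ROUTER),
    (ipaddress.ip_network("111.1.10.0/24"), VPN_TUNNEL),  # placeholder: main-building servers
    (ipaddress.ip_network("111.1.11.0/24"), VPN_TUNNEL),  # placeholder: main-building static range
    (ipaddress.ip_network("111.1.12.0/24"), VPN_TUNNEL),  # placeholder: future hub-served DHCP pool
]


def next_hop(dst: str, routes=ROUTES) -> str:
    """Pick the next hop for a destination by longest-prefix match."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for net, hop in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    if best is None:  # cannot happen while a /0 default is present
        raise LookupError(f"no route for {dst}")
    return best[1]


def policy_violations(routes, main_building_block: str) -> List[str]:
    """Audit a site's table: tunnel routes must lie inside the hub's allocation
    (no remote-to-remote traffic hairpinned through the VPN) and the default
    route must stay on the campus router so web traffic never enters the tunnel."""
    hub = ipaddress.ip_network(main_building_block)
    problems = []
    for net, hop in routes:
        if hop == VPN_TUNNEL and not net.subnet_of(hub):
            problems.append(f"{net} is tunnelled but outside {hub}")
        if net.prefixlen == 0 and hop != CAMPUS_ROUTER:
            problems.append(f"default route goes to {hop}, expected {CAMPUS_ROUTER}")
    return problems


if __name__ == "__main__":
    for label, ip in [("file server", "111.1.10.25"), ("web", "93.184.216.34")]:
        print(f"{label:12s} {ip:16s} -> {next_hop(ip)}")
    print(policy_violations(ROUTES, "111.1.8.0/21") or "policy OK")
```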

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

atticus posted:

Jesus Christ what a big lovely mess

Big Ten universities only hire the very best and brightest.

One day I hope they can get someone in here far better than me to kick some rear end, create a DMZ for servers that need to be exposed, and put everything else behind a NAT boundary like it should be. For my purposes I would be happy if I could just control our DHCP server and VPN links to push out machine images through a PXE environment. University bureaucracy will most likely keep that from happening until it all blows up in some poor schmuck's face and he gets fired.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Jeff73 posted:

When you say full NAT is not possible, do you mean the university's network policy requires that all hosts use public addresses? If not, I'm surprised they're resisting given that you'd be completely out of their hair except for the bandwidth used by your tunnels and the remote sites' web traffic.

It is more not possible due to internal bureaucracy and the old "ain't broke don't fix it" mentality. Except things ARE broken and people are too busy sticking their heads in the sand because they don't want to take the incentive to fix things or not having any concept of how very hosed up our current operating model is. The university network people tend to be pretty accommodating when it comes to things like this (mostly all they need to do is allocate us a large enough IP block for the extra machines that will be "inside" our building), but they are expressing their doubts as we would be the first ones to successfully pull it off. Other divisions or departments have tried and failed in the past.

It is going to be completely hub and spoke. All servers are located at the central site with just printers and clients at the remote offices on campus.

And I can't tell you how much I appreciate the help here. Thank you.
