|
Tony Montana posted:So I wrote ACL 180: This is a neat idea but wouldn't it essentially severe your connection because of the implicit deny all? You could install some sort of netflow solution to help you see all this traffic without needing to disrupt normal operations. You didn't say how big your network was, but ManageEngine NetFlow Analyzer has a free 30 day trial, after which it is limited to two interfaces. Maybe that would help?
|
#
?
May 25, 2009 16:20
|
|
|
|
| # ? Apr 28, 2024 09:53 |
|
|
What is your routine when upgrading remote critical routers? Personally I triple check the IOS image checksum, verify bootvar and all that. I also dump out BGP and multicast summaries so that I can verify that the routers come up in the same state that they went down in. Any other neat tricks and quirks that might come in handy?
|
|
#
?
May 25, 2009 17:36
|
|
|
routenull0 posted:You have to put the ACL in the proper direction on the interface. Inbound or Outbound. You have it set to inbound, meaning traffic coming from the internet, not in from your lan. Actually, debug ip pack doesn't need an access-list to be applied to an interface, but it does need the traffic to be process switched. I'm wondering if that's part of the problem here, although NAT is in the CEF path now, so I don't know why the inbound flows would be process switched but the outbound flows wouldn't. Personally, I think the easiest way to look at this would be with 'show ip nat translation'
|
|
#
?
May 25, 2009 17:58
|
|
|
routenull0 posted:You have to put the ACL in the proper direction on the interface. Inbound or Outbound. You have it set to inbound, meaning traffic coming from the internet, not in from your lan. para posted:This is a neat idea but wouldn't it essentially severe your connection because of the implicit deny all? The ACL isn't bound to the interface. It's there just for use with the debug. jwh posted:Actually, debug ip pack doesn't need an access-list to be applied to an interface, but it does need the traffic to be process switched. I'm wondering if that's part of the problem here, although NAT is in the CEF path now, so I don't know why the inbound flows would be process switched but the outbound flows wouldn't. Jesus jwh, now I need to go and look up 'process switched' in a Cisco context. You should really get some certs, you're easily as gun as many of the TAC engineers I've worked with. I'm going to try 'ip nat translation', see how I go. As for extra monitoring software, I've got a couple that I am familiar with anyways. It's more trying to get IOS to do it, more of an exercise for aspiring Cisco techs as I think mastering debug outputs puts you in a much better position to understand what is happening. Here is something else, how do people feel about the term 'engineer'? I personally have a bit of a problem with it, I just don't feel I've done the heavy math and science required to call myself an engineer. I know even Cisco calls their technical employees 'engineers', I had a contractor called a 'network architect' the other day. It just makes me feel uncomfortable, I dread running into someone that says 'engineer? oh cool, I graduated from Adelaide Uni, where did you?'.
|
|
#
?
May 26, 2009 01:26
|
|
|
nex posted:What is your routine when upgrading remote critical routers?
|
|
#
?
May 26, 2009 02:11
|
|
|
Tony Montana posted:Jesus jwh, now I need to go and look up 'process switched' in a Cisco context. You should really get some certs, you're easily as gun as many of the TAC engineers I've worked with. I'm going to try 'ip nat translation', see how I go. Tony Montana posted:Here is something else, how do people feel about the term 'engineer'? I like it more than analyst or administrator, because when I think of an engineer, I think of someone building something. Or running around with explosives and a bolt action rifle, but I blame that on Battlefield 1942. Either way, there's no Analyst class in Battlefield 1942, so I think engineer wins. I once did get chastised however for referring to myself as an engineer- some guy took offense to that, and claimed that if I hadn't passed the state engineering exam, I wasn't "legally allowed to call myself an engineer." However that guy was a jerk, so whatever. jwh fucked around with this message at 05:44 on May 26, 2009 |
|
#
?
May 26, 2009 02:58
|
|
|
I agree with JWH. Also I majored in Computer Engineering, and HAVE taken all of the math and science classes. Network Admins are not the same thing at all.
|
|
#
?
May 26, 2009 17:25
|
|
|
jwh posted:I once did get chastised however for referring to myself as an engineer- some guy took offense to that, and claimed that if I hadn't passed the state engineering exam, I wasn't "legally allowed to call myself an engineer." However that guy was a jerk, so whatever. Should have asked him if he had passed the bar exam, otherwise he can't legally tell you what you're legally allowed to be called.
|
|
#
?
May 26, 2009 17:52
|
|
|
nice. I think his head would explode.
|
|
#
?
May 26, 2009 19:21
|
|
|
cptInsane0 posted:I agree with JWH. Also I majored in Computer Engineering, and HAVE taken all of the math and science classes. Network Admins are not the same thing at all. But you're not agreeing with jwh. He's saying he doesn't have a problem with calling himself an engineer, and once someone picked him up on it but he didn't care because they were silly anyway. I think you're more agreeing with me, that because I haven't done actual engineering at a university it annoys you (that has done it) because I have some Cisco certs and a stack of experience I call myself an engineer. I do hate the 'administrator' term though. You all are probably thinking I'm obsessing over this, but it's important to me.
|
|
#
?
May 27, 2009 02:06
|
|
|
Well, I tend to think of it like this: an engineer builds networks, an administrator takes care of them. I'm being too literal, probably.
|
|
#
?
May 27, 2009 02:13
|
|
|
Ok, well I resolved my debugging problem. Looks like jwh was right on the money, but there are a couple of fundamental misunderstandings that needed to be worked through. I'll attach my notes here incase someone is interested. Feel free to correct me, I've drawn some conclusions that might not be completely right. me posted:Ok, so the intention here is to run a packet debug but restrict the output make it more useful. Something like 'show all SMTP packets going into an interface'. The 'debug ip packet' command will show all ip packets going through the router, however this output is massive and will be hard to sift through to do meaningful troubleshooting. So what we want to do is write an access list defining the output we want to see, then run the 'ip packet' debug filtered through that access list. For my little exercise, any SMTP packet originating from inside the LAN that isn't the mail server (10.1.8.1) and you've found your mailing worm!
|
|
#
?
May 27, 2009 07:38
|
|
|
I agree more with JTW. I did go to college for engineering, but that's not what makes me a network engineer. I could have gotten this job without the college.
|
|
#
?
May 27, 2009 16:28
|
|
|
Paycheck is what counts, not the title. I'll engineer networks even if my title is "poo poo hauler" as long as the paycheck cashes for the correct amount. H.R. Paperstacks fucked around with this message at 16:51 on May 27, 2009 |
|
#
?
May 27, 2009 16:46
|
|
|
Engineer is a more prestigious title than specialist, or analyst or whatever, but it has gotten diluted over the years. So who cares really.
|
|
#
?
May 27, 2009 19:22
|
|
|
Powercrazy posted:Engineer is a more prestigious title than specialist, or analyst or whatever, but it has gotten diluted over the years. So who cares really. Agreed.
|
|
#
?
May 27, 2009 19:46
|
|
|
Latest 3560 code, 12.2(50)SE1 has a weird bug where you can't log into the switch for about three or so minutes after it boots. Pressing enter either at console or via vty results in the switch throwing an authorization denied with no username visible. After a certain amount of time, it suddenly acts "normal" and presents the Username: prompt. I wonder how that one got by QA.
|
|
#
?
May 28, 2009 16:44
|
|
|
Quick question about OSPF. Is there a way to delete just one OSPF route/process instead of reloading the whole thing? I'm not the network person, but we replaced a firewall today, and it wouldn't see it until we actually ran a clear ip ospf and let everything rebuild which caused a blip in connectivity.
|
|
#
?
May 28, 2009 16:45
|
|
|
What wouldn't see the new firewall? The OSPF process on a neighboring router?
|
|
#
?
May 28, 2009 16:58
|
|
|
skipdogg posted:Quick question about OSPF. You should have a "clear ip ospf process <process id>" command to clear a specific process.
|
|
#
?
May 28, 2009 17:17
|
|
|
jwh posted:What wouldn't see the new firewall? The OSPF process on a neighboring router? We switched from our normal netscreen 204 to our backup netscreen 204. cisco gear in question is a 6513 running IOS acting as a core router/switch. We replaced each connection and the drat thing would work, couldn't ping the firewall interface or anything. It was strange, but I'm not the network person. I thought it might have something do with with the ARP cache but clearing that didn't help. The backup firewall originally had a different IP address when we configured it, we switched it to the same IP as the 1st one, but the OSPF route kept referencing the old .100 ip when it should have been .21. It was strange, clearing ospf was a last ditch thing, but it worked.
|
|
#
?
May 28, 2009 17:39
|
|
|
routenull0 posted:Paycheck is what counts, not the title. Truth. I was "Sr. Software Engineer" at the last place I worked and the way they cobbled that title together was the most ridiculous thing seeing as how I had less than a year experience programming at that time, surrounded by people with lesser titles who had been doing it most of their life. For what it's worth I told them I didn't feel right taking the title but they said it was linked to the pay grade so my arguments promptly stopped  Beurocracy! 
|
|
#
?
May 28, 2009 17:59
|
|
|
Let's say you have two access points in bridge mode, one of them was set as the root and the other a non-root. There is very little interference in the air, but they are both set to use the least congested channel. There is one SSID. What would happen if the non-root bridge did not specify the one and only SSID to be the infrastructure SSID? Will it still connect and handle disassociation/associations correctly? Everything I'm reading says that you can optionally specify an infrastructure SSID that will force the bridge to use that SSID for the bridge, but it does not say if it's required if you only have one SSID. However, all the examples I see of other peoples bridge configuration is using the command infrastructure-ssid and are also using just one SSID. Which is why I'm wondering if that command is necessary and what it really does when there is only one SSID in range.
|
|
#
?
May 28, 2009 19:42
|
|
|
Martytoof posted:Truth. I was "Sr. Software Engineer" at the last place I worked and the way they cobbled that title together was the most ridiculous thing seeing as how I had less than a year experience programming at that time, surrounded by people with lesser titles who had been doing it most of their life. For what it's worth I told them I didn't feel right taking the title but they said it was linked to the pay grade so my arguments promptly stopped That's crazy. Sr. Engineering positions usually have pretty strict requirements. For instance, I still have another year or two before I am qualified for most of those positions. I've been doing this a while.
|
|
#
?
May 28, 2009 19:47
|
|
|
cptInsane0 posted:That's crazy. Sr. Engineering positions usually have pretty strict requirements. For instance, I still have another year or two before I am qualified for most of those positions. I've been doing this a while. Yeah, I think my company was completely the opposite. They had a database of pay grades and rather than create a new one for me they just shoved me into some preexisting class. Our job titles were basically meaningless. Not bad for a resume though. I don't feel too bad putting it on there since I don't ever plan to go back into Software Engineering so there's no chance I'd ever be hired to work on actual software based on that.
|
|
#
?
May 29, 2009 03:48
|
|
|
Martytoof posted:Yeah, I think my company was completely the opposite. They had a database of pay grades and rather than create a new one for me they just shoved me into some preexisting class. Our job titles were basically meaningless. Not bad for a resume though. I don't feel too bad putting it on there since I don't ever plan to go back into Software Engineering so there's no chance I'd ever be hired to work on actual software based on that. Old Job: Sr. Network Engineer New Job: Engineer Systems 4 I don't touch systems............... I'll never understand titles and why HR has these matrix forms you need to fill into. Exactly why I fall back on the belief my title can be whatever they want it to be as long as my paycheck is the amount I desire.
|
|
#
?
May 29, 2009 12:07
|
|
|
routenull0 posted:Exactly why I fall back on the belief my title can be whatever they want it to be as long as my paycheck is the amount I desire. Hah, that's some real truth right there. My official titles through the time I've been at my current job: Support Technician Sr. Support Technician (we hired another person) Network Specialist LAN/WAN Specialist Communications Specialist CIO My responsibilities really haven't changed significantly, nor has the wide variety of poo poo I end up doing, but every time I got a raise my boss insisted I have a title change. Somewhere around here I have a small batch of business cards with "Guy who gets poo poo done" in the title field since I jokingly replied to a message asking for my title and the person ordering the cards obviously just hit Forward without reading it.
|
|
#
?
May 29, 2009 22:04
|
|
|
You went from Support Tech to CIO and you still do support? Is it a small firm?
|
|
#
?
May 30, 2009 02:50
|
|
|
Tony Montana posted:You went from Support Tech to CIO and you still do support? <10 employees, like I said my boss just wants me to have a new title with every raise and I just say "sure" because honestly what do I care?
|
|
#
?
May 30, 2009 05:50
|
|
|
I think "Chief consultant" is one of the more absurd titles I see. Dont know why, but it just seems weird. In other news we have just deployed NetMapper from OPNet(in addition to SP Sentinel with VNE from the same company). NetMapper can automagically create physical and logical topology maps of your networks which rules when your network grows over a certain size and has a lot of changes. It loving rules. This tool combined with the policy enforcer and reporting server have already made my workday 100x times less frustrating and effective. An example: Ever set out to trunk a VLAN from one side of your metro to another only to find out that the VLAN id has been taken and someone forgot to update the documentation? Never again, just spit out a updated VLAN map from NetMapper and have a look before starting(and then bitch at someonefor not documenting their work). Check out some bitching diagrams here: http://www.opnet.com/solutions/network_planning_operations/netmapper.html nex fucked around with this message at 10:27 on May 30, 2009 |
|
#
?
May 30, 2009 10:06
|
|
|
Here's one that's stumped the guys at the office for a bit: about 5 or 6 of our switches, older ones (3524s) are no longer accessible via telnet. If you telnet to them you are prompted by a greeting that says "FreeBSD 4.10 (STABLE) Kernel 2.6.27 on an i686 login:" It isn't an IP mixup and we hit a freebsd machine by mistake, its a corrupt IOS so soon I'm going to go up and xmodem a new image, but for curiosity has anyone seen this before? Google came up with nothing.
|
|
#
?
Jun 3, 2009 18:59
|
|
|
Sojourner posted:It isn't an IP mixup and we hit a freebsd machine by mistake, its a corrupt IOS so soon I'm going to go up and xmodem a new image, but for curiosity has anyone seen this before? Google came up with nothing. You're sure about that? What is the mac address you're seeing for the switch management IP? It might be worth cross checking that with the OUI database.
|
|
#
?
Jun 3, 2009 19:09
|
|
|
Sojourner posted:Here's one that's stumped the guys at the office for a bit: about 5 or 6 of our switches, older ones (3524s) are no longer accessible via telnet. If you telnet to them you are prompted by a greeting that says I'm with jwh on this one, that isn't a corrupt IOS. 2.6.27 is a recent kernel release for systems, not something you ever find on an old 3524 switch.
|
|
#
?
Jun 3, 2009 19:32
|
|
|
This sounds more like someone doing ARP spoofing on your management net.
|
|
#
?
Jun 3, 2009 19:50
|
|
|
It's not arp spoofing, I said the same thing when word of this first got to me. It doesn't make any sense at all really. The intrusion detection system isn't being set off, I plugged myself into the management net and wiresharked it, and just for fun and the sake of using a pricey toy, used our fluke etherscope to resolve all the mac addresses to an IP on the network and found no duplicates. Tomorrow at lunch I'm going to investigate more while people are at lunch. What will come of it, public humiliation or the most bizzare IOS error of all time, stay tuned to find out!
|
|
#
?
Jun 3, 2009 20:16
|
|
|
Sojourner posted:Here's one that's stumped the guys at the office for a bit: about 5 or 6 of our switches, older ones (3524s) are no longer accessible via telnet. If you telnet to them you are prompted by a greeting that says Thirding. Catalyst switches are NOT i686 arch.
|
|
#
?
Jun 3, 2009 20:17
|
|
|
You can make this easy, just take a machine that's on that network, ping the IP address of your switch management interface. Try and telnet, and make sure you receive the FreeBSD banner. Then arp -an and look at the mac you have for that IP address. Plug the first 3 bytes into the MAC OUI database lookup: http://standards.ieee.org/regauth/oui/index.shtml
|
|
#
?
Jun 3, 2009 20:29
|
|
|
tortilla_chip posted:This sounds more like someone doing ARP spoofing on your management net. For most places, I can use static ARP entries on the important stuff so this doesn't happen. Worst case, when a gateway has to be replaced due to a failure, you just slap the old mac on the new gateway interface. My  is on just a dupe IP assignment, not poison arp. Comparing the mac addresses (console cable on the switch I guess) to what's in your arp table sounds like where the trail will start.I am sure we have all been fooled by less at one time or another. Public Humiliation it is!
|
|
#
?
Jun 3, 2009 20:29
|
|
|
jwh posted:Plug the first 3 bytes into the MAC OUI database lookup: http://standards.ieee.org/regauth/oui/index.shtml Another on the card is a Broadcomm, Intel, or maybe 3com. Oh and 'the trail will start' part meant checking where that mac address is connected to your network/switchport.
|
|
#
?
Jun 3, 2009 21:04
|
|
|
|
| # ? Apr 28, 2024 09:53 |
|
|
Herv posted:Another MAC Hunt. Its like Duck Hunt, but less fun. And there isn't an annoying dog to shoot at.
|
|
#
?
Jun 3, 2009 21:11
|
|