Slickdrac
Oct 5, 2007

Not allowed to have nice things

H.R. Paperstacks posted:

Yeah, I could be misunderstanding him as well, but to me it sounds like he wants to perform authentication at the firewall, and if successful, be forwarded on to the actual system hosting the destination service. Are the services behind setup without any authentication mechanism of their own? I could see that with HTTP/HTTPS but not SSH/FTP like he mentions, since you have to provide UN/PW/keys for authentication on the system hosting the actual destination service as well.
So I'll keep it to the things that are actually what the immediate desire is about. Right now, the design looks like this, basically.

Inet -> Firewall -> Proxy -> Web Portal

At present the firewall is just white listing IPs who are permitted to get to the proxy. The proxy does absolutely nothing besides relay the webpage. The user sends their creds (u/p for now), and then gets whatever access on that login.

The desired end state is to have RSA integration at a higher point so we can remove the whitelist. With what's in place/designed so far for that it's basically the same pathway as above, with the proxy being a Fortiweb. The Fortiweb can do RSA authing, but its authing is limited to sending the auth request to the RSA server, getting the yea verily, and then passing them to the portal, where they have to login again because Fortiweb isn't tagging username along with request.

This is all for our userbase who do not use the VPN to log in because they want to be a pain in the rear end can't install things.


Partycat
Oct 25, 2004

friends watch porn posted:

I've been tasked to replace an old Cisco 3500XL-series gigabit switch, and seeing as I've never worked with something of this magnitude I figured I could ask in here

What would be viable options to look into?

In terms of budget, I don't really have a limit but I'm thinking something in the $750-1500 range would be feasible.

IMO you are well into older gen or refurb gear at that price point, but, as with anything I'd recommend enumerating what you need it to be able to do, and what you want it to do later. If it's just being a switch for IPMIs or something that's vastly different than "it's the core for our server rack".

Funkstar Deluxe
May 7, 2007

「☆☆☆」

Partycat posted:

IMO you are well into older gen or refurb gear at that price point, but, as with anything I'd recommend enumerating what you need it to be able to do, and what you want it to do later. If it's just being a switch for IPMIs or something that's vastly different than "it's the core for our server rack".

We have a 1Gbit line from our ISP and the switch in question operates with another identical one in order to deliver internet for 64 apartments.

I'll be honest that it's a bit over my head. The switch in question started periodically rebooting itself 1-3 times a day a few weeks ago and I've been told rather than trying to fix it, I should buy a new one.

This is basically the setup (old picture, ignore the red circle)

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Slickdrac posted:

So I'll keep it to the things that are actually what the immediate desire is about. Right now, the design looks like this, basically.

Inet -> Firewall -> Proxy -> Web Portal

At present the firewall is just white listing IPs who are permitted to get to the proxy. The proxy does absolutely nothing besides relay the webpage. The user sends their creds (u/p for now), and then gets whatever access on that login.

The desired end state is to have RSA integration at a higher point so we can remove the whitelist. With what's in place/designed so far for that it's basically the same pathway as above, with the proxy being a Fortiweb. The Fortiweb can do RSA authing, but its authing is limited to sending the auth request to the RSA server, getting the yea verily, and then passing them to the portal, where they have to login again because Fortiweb isn't tagging username along with request.

This is all for our userbase who do not use the VPN to log in because they want to be a pain in the rear end can't install things.

I'd go further up the chain and make it a policy issue, then use that to drive the right technical solution. What I said on the last page could work here, but would be broken by hosts that sit behind a PAT router (I think). RAVPN is really what this use case is screaming for :(.

Partycat
Oct 25, 2004

friends watch porn posted:

We have a 1Gbit line from our ISP and the switch in question operates with another identical one in order to deliver internet for 64 apartments.

I'll be honest that it's a bit over my head. The switch in question started periodically rebooting itself 1-3 times a day a few weeks ago and I've been told rather than trying to fix it, I should buy a new one.

This is basically the setup (old picture, ignore the red circle)



TBH you can probably grab a stack of 3500XLs dirt cheap. If you're comfortable running old gear and replacing it when/if it explodes, you can get by doing that for some time I'm sure. 3750G class stuff is $500 at this point for 48 port switches and they'll be comparable, though, again, older, and subject to memory/PSU failures as they age.

Based on the label the switch is acting as a NAT router, I'd guess? You'll get an IP from your ISP, and be running a DHCP server off the switch, with overloading NAT perhaps? Could be running protected edge, etc.

There are absolutely a number of small business or campus access class devices that are within your price range, but, you'll want to think about replacing both.

You'll want to get the configuration from the switch, via the console/shell, and if you're going to get on to it to do that, you can see if it's crashing or has any other comment about why it's rebooting itself which could be helpful too.

With the configuration, you can see what sort of feature set that you need to target, and find a reliable device at your price point.

Funkstar Deluxe
May 7, 2007

「☆☆☆」

Partycat posted:

TBH you can probably grab a stack of 3500XLs dirt cheap. If you're comfortable running old gear and replacing it when/if it explodes, you can get by doing that for some time I'm sure. 3750G class stuff is $500 at this point for 48 port switches and they'll be comparable, though, again, older, and subject to memory/PSU failures as they age.

Based on the label the switch is acting as a NAT router, I'd guess? You'll get an IP from your ISP, and be running a DHCP server off the switch, with overloading NAT perhaps? Could be running protected edge, etc.

There are absolutely a number of small business or campus access class devices that are within your price range, but, you'll want to think about replacing both.

You'll want to get the configuration from the switch, via the console/shell, and if you're going to get on to it to do that, you can see if it's crashing or has any other comment about why it's rebooting itself which could be helpful too.

With the configuration, you can see what sort of feature set that you need to target, and find a reliable device at your price point.

The switches are connected to the server, which is shown in the picture. It's a Dell PowerEdge (can't remember the model) running Ubuntu 10.x. As far as I understand it, the server acts as DHCP and distributes both an IPv4 address and IPv6 addresses to each individual device connected to the network (if supported).

I'm not sure how it works but it runs off a bunch of .py scripts with little or no documentation, written by a guy who doesn't live here anymore, which just leaves me.

wrt to the faulty switch I can't really see why it keeps rebooting and it keeps getting more frequent (15 times a day). It passes POST just fine and "show logging" doesn't really show anything (unless I'm blind)

code:
switch1#show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Console logging: level debugging, 3 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: level debugging, 3 messages logged
    File logging: disabled
    Trap logging: level informational, 7 message lines logged

Log Buffer (4096 bytes):

00:00:40: %SYS-5-CONFIG: Configured from NVRAM by console
00:00:40: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software
IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5)WC11, RELEASE SOFTW)
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Tue 11-Jan-05 10:23 by antonino
00:00:43: %GBIC_1000BASET-6-GBIC_1000BASET_DEFAULT_CONFIG: 1000-BaseT GBIC modu.

Any suggestions to how I can find out why it reboots?

I also set up tftp on the server in order to pull the config.text files from the switches but I keep getting undefined errors even though the switch can ping the IP just fine oh god I don't know what I'm doing kill me now :supaburn:

code:
switch1#copy flash:/config.text tftp:/
Address or name of remote host []? 10.0.68.1
Destination filename [config.text]?
.....
%Error opening tftp://10.0.68.1//config.text (Undefined error)

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

friends watch porn posted:

Any suggestions to how I can find out why it reboots?
I would push the logs to the Ubuntu server, it might give you more info after the reboot as it looks like the log is being cleared on boot.

It might be as easy as:
code:
logging 10.0.68.1
but you'll probably have to open up the firewall on the Ubuntu server at minimum.

Durzel
Nov 15, 2005


Hi. I've recently set up a Cisco C887VA-W-E-K9 to go with our recently upgraded FTTC connection, and am having issues..

Firstly, the provider has pretty much told me that the only supported configuration involves having their modem (BT Openreach, Huawei based I think) in front of our CPE. They won't entertain the idea that the connection could go straight into a Cisco router and eliminate the need for their modem at all. They also told me that they didn't think a Cisco 887 could handle a 80/20 FTTC connection?

Anyway.. the connection and general configuration appears to be fine (my first time doing it), but I'm getting LOTS of Reed-Solomon EC errors (?)..

code:
 SRA count:              0                       0
Bit swap:                enabled                         enabled
 Bit swap count:         0                       0
Line Attenuation:         0.0 dB                  0.0 dB
Signal Attenuation:       0.0 dB                  0.0 dB
Noise Margin:             6.3 dB                 12.3 dB
Attainable Rate:        85868 kbits/s            28905 kbits/s
Actual Power:            12.6 dBm                 6.9 dBm
Per Band Status:        D1      D2      D3      U0      U1      U2      U3
Line Attenuation(dB):   10.8    25.4    39.5    0.9     18.8    31.1    N/A
Signal Attenuation(dB): 10.8    25.4    39.5    0.9     18.6    31.0    N/A
Noise Margin(dB):       6.3     6.2     6.3     11.8    12.4    12.3    N/A
Total FECC:             5854265                  649
Total ES:               355                      20
Total SES:              0                        0
Total LOSS:             0                        0
Total UAS:              33                       33
Total LPRS:             0                        0
Total LOFS:             0                        0
Total LOLS:             0                        0
 
Full inits:             1
Failed full inits:      0
Short inits:            0
Failed short inits:     0
 
Firmware        Source          File Name (version)
--------        ------          -------------------
VDSL            embedded        VDSL_LINUX_DEV_01212008 (1)
 
Modem FW  Version:      130205_1433-4.02L.03.A2pv6C035j.d23j
Modem PHY Version:      A2pv6C035j.d23j
Vendor Version:         Ap6v35j.23j 68
 
 
                  DS Channel1     DS Channel0   US Channel1       US Channel0
Speed (kbps):             0            73335             0             20000
SRA Previous Speed:       0                0             0                 0
Previous Speed:           0                0             0                 0
Reed-Solomon EC:          0          5854265             0               649
CRC Errors:               0              860             0                22
Header Errors:            0              332             0                 0
Interleave (ms):       0.00             8.00          0.00              0.00
Actual INP:            0.00             3.00          0.00              0.00
 
Training Log :  Stopped
Training Log Filename : flash:vdsllog.bin

This is from about 2 1/2 days uptime, with minimal usage being the weekend.

The line itself seems pretty stable and I haven't had any complaints from staff, but I can't shake the concern that those errors are there. I've got an engineer coming out tomorrow to investigate the line, but to be honest I'm not sure what I should be suggesting (increase the noise?). I've seen the noise margin go as low as 1.8dB incidentally, for what it's worth.

It almost seems like it's syncing higher than it's rated for given the distance from exchange etc?

Grateful for any help received.

Partycat
Oct 25, 2004

friends watch porn posted:

The switches are connected to the server, which is shown in the picture. It's a Dell PowerEdge (can't remember the model) running Ubuntu 10.x. As far as I understand it, the server acts as DHCP and distributes both an IPv4 address and IPv6 addresses to each individual device connected to the network (if supported).

I'm not sure how it works but it runs off a bunch of .py scripts with little or no documentation, written by a guy who doesn't live here anymore, which just leaves me.

You'd have to research that a bit more I guess - the PC could be acting as a router/firewall, and if that's the case then the switch you replace won't need to do anything special other than ports and VLANs.

friends watch porn posted:

wrt to the faulty switch I can't really see why it keeps rebooting and it keeps getting more frequent (15 times a day). It passes POST just fine and "show logging" doesn't really show anything (unless I'm blind).

You can do "show version" and get the info from it on why it's restarted. If it's power-on then it may be the power supply making GBS threads out. If it's an exception you should see dump information stored on flash, hopefully. Tracebacks and that dump from the console before it reloads, because, as you see the buffer is not saved.

The other fellow is correct regarding the TFTP, as long as the switch itself has been configured with an IP address, which is reachable by the TFTP server. You could also just turn on logging on your terminal and do "show run" and let it spool out that way.

Funkstar Deluxe
May 7, 2007

「☆☆☆」

Partycat posted:

You'd have to research that a bit more I guess - the PC could be acting as a router/firewall, and if that's the case then the switch you replace won't need to do anything special other than ports and VLANs.

I'm pretty sure that the server acts as a router/firewall

Partycat posted:

You can do "show version" and get the info from it on why it's restarted. If it's power-on then it may be the power supply making GBS threads out. If it's an exception you should see dump information stored on flash, hopefully. Tracebacks and that dump from the console before it reloads, because, as you see the buffer is not saved.

The other fellow is correct regarding the TFTP, as long as the switch itself has been configured with an IP address, which is reachable by the TFTP server. You could also just turn on logging on your terminal and do "show run" and let it spool out that way.

Did a "show version" and got this

code:
switch1>show version
Cisco Internetwork Operating System Software
IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5)WC11, RELEASE SOFTW)
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Tue 11-Jan-05 10:23 by antonino
Image text-base: 0x00003000, data-base: 0x00351B48

ROM: Bootstrap program is C3500XL boot loader

switch1 uptime is 1 minute
System returned to ROM by power-on
System image file is "flash:c3500xl-c3h2s-mz.120-5.WC11.bin"


cisco WS-C3548-XL (PowerPC403) processor (revision 0x01) with 16384K/1024K byte.
Processor board ID FAA0428J0FZ, with hardware revision 0x00
Last reset from power-on

Processor is running Enterprise Edition Software
Cluster command switch capable
Cluster member switch capable
48 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:02:B9:98:0B:C0
Motherboard assembly number: 73-3903-04
Power supply part number: 34-0971-01
Motherboard serial number: FAA042999E3
Power supply serial number: PAC042700E1
Model revision number: A0
Motherboard revision number: B0
Model number: WS-C3548-XL-EN
System serial number: FAA0428J0FZ
Configuration register is 0xF

Seems like you're right on the money the power supply being lovely. Anyway, enough troubleshooting the problems for now, because I've already bought new switches to replace the 3500XLs (and the backup 2900XLs which doesn't even power on).

Thanks for all the help though, much appreciated!

Pudgygiant
Apr 8, 2004

Garnet and black? More like gold and blue or whatever the fuck colors these are


1) GNS3 really needs a staggered start option
2) How would I HSRP the R1 and R2 links out to the distribution layer? Subints cause overlap, switched ports and using the VLAN ints makes STP freak the gently caress out. I'm sure there's something really stupid I'm missing.

1000101
May 14, 2003

BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY FRUITCAKE!
Share your configs?

I would imagine Dist1 would be primary root bridge, Dist2 secondary. From there you want to make R1 your higher priority HSRP router and it should plug into Dist1 and Dist2 switch ports using an l3 link. (i.e. they plug into an access vlan for example.) You won't be able to have R1 have 2 active links to both distribution switches. If Dist1 dies then traffic should go through dist2/R2. Otherwise look at GLBP or see below.

Another option would be if your distribution switches are L3 switches then you could run HSRP on them. Then use some point to point links to face R1/R2 and use something like OSPF to sort everything out for you.

Host default gateways would be an HSRP address pointing to the distribution switch and the distribution switch would pick a router to get out via OSPF.

Raere
Dec 13, 2007

Self-studying for CCENT. I want a router I can practice with at home. I guess the only requirement is that it have IOS 15. Any suggestions for something cheap that'll have all the capabilities I need to learn for the CCENT and CCNA?

some kinda jackal
Feb 25, 2003

 
 
Did anyone mention that Cisco has made VIRL available for download, if you're part of the "/Dev/Innovate" community that I didn't even know existed?

http://virl-dev-innovate.cisco.com

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Martytoof posted:

Did anyone mention that Cisco has made VIRL available for download, if you're part of the "/Dev/Innovate" community that I didn't even know existed?

http://virl-dev-innovate.cisco.com

I'm using the commercial version right now. Works pretty well, just takes some getting used to. Some very cool stuff coming feature wise.

wwb
Aug 17, 2004

We've got a systems integrator updating our unified communications setup to the current version. One thing we wanted to do was use non-self-signed certs for the setup. We figured this would be easy but it has turned into a royal pain in the rear end.

Our default certificate vendor is godaddy. They apparently automatically add a subject alternative name for the host, so if I get a cert for jabber.example.com you end up with a cert covering both that host and https://www.jabber.example.com. This is causing major issues apparently -- they can't get the cert to load because the "SAN does not match the CSR." Now, we figured out a workaround for the 8 or so tomcat certs -- just generate them with the generated SANS. But apparently you can't do that for the xmpp services.

Now, this seems a bit fishy to me -- presuming one of the most popular equipment vendors in the world had an issue with one of the most popular certificate issuers in the world you'd figure there would be something googleable but we seem to be the only one with this problem. The guy we have also isn't the sharpest knife in the drawer. Also, I've deployed loads of certs and the point of SANs is to have alternates, the main certificate CN is fine.

So, my questions are:

* is this really the case that these things can't handle SANs?
* is there a workaround if so?
* is there a better certificate vendor to use for cisco stuff?

Partycat
Oct 25, 2004

I haven't had that problem with any of the UC stuff yet, but I haven't set up expressway, assuming that's what you're referring to. Any of the UCOS based appliances have not given me any grief, and my certs always come back with "we've added https://www. for you!", from Comodo.

wwb
Aug 17, 2004

Thanks for the reply, I think this is for Expressway, they said something about 10.5.

Vulture Culture
Jul 14, 2003

I was never enjoying it. I only eat it for the nutrients.
Not a Cisco question, but this seems like the sanest place to ask.

I'm trying to debug a packet capture using Wireshark, and I'm getting frustrated by the visualization options. What I'd like is something that will assemble the packets into a timeline of connections, something like the waterfall graph in a web browser's developer tools, and let me filter the packets by stream. Wireshark lets you follow a single TCP stream, but finding which one you actually want is still sort of a disaster.

Does anyone know anything that might fit the bill?

inignot
Sep 1, 2003

WWBCD?
The free demo version of RSA NetWitness does a lot of indexing of a packet capture making it navigable on arbitrary characteristics. The free demo only goes up to 1g of pcap data.

funk_mata
Nov 1, 2005

I'm hot for you and you're hot for me--ooka dooka dicka dee.
Clapping Larry
I'm studying for CVOICE and one particular scenario regarding token buckets and excess burst (Be) has ground my studying to a halt until I can confirm my suspicions. Quick scenario:

* T1 circuit w/access rate of 1544000 bps.
* CIR is 56000 bps.
* A single-rate, dual-token bucket w/shape average configured.
* Tc = 10 ms
* Bc = 560 bps
* Be = 560 bps

Say the router allocates 560 tokens (bits) to the Bc during one time interval (Tc). However, due to massive congestion none of those tokens are sent on the wire, so they are all moved to Be. Let's say for the next thousand time intervals (10 seconds) that the router is constantly allocating 560 bits exactly each Tc to the Bc bucket. My question: Does this mean that there is a remote possibility the tokens in the Be bucket could never be sent given the router continues completely filling the Bc bucket every Tc?

When I originally considered this scenario my first thought was that the Be bucket contents would eventually be moved over to the Bc bucket so it would be emptied, but maybe this makes no sense for some reason that I'm not sure of. I do understand that Bc + Be can be sent together during one time interval given that Bc is not completely filled (is idle in other words) and it conforms to the average CIR.

EDIT: Corrected some fallacies in explanation and understanding of Bc/Be usage for shaping, I think.

funk_mata fucked around with this message at 21:15 on Oct 18, 2014
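As an added illustration (mine, not the poster's, and not taken from any Cisco document), a small simulation of the generic single-rate dual-bucket shaper with the numbers above. The replenish, spill and consume rules in the comments are the usual textbook model and are stated as an assumption; the scenario functions play out the question asked above.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Numbers from the scenario above.
CIR = 56_000                # committed information rate, bps
TC_MS = 10                  # time interval Tc, ms
BC = CIR * TC_MS // 1000    # 560 bits granted to the Bc bucket every Tc
BE = 560                    # excess burst capacity, bits


@dataclass
class DualBucketShaper:
    """Single-rate, dual-token-bucket shaper.

    Assumed (textbook) rules, not taken from any vendor source:
      * every Tc the Bc bucket receives Bc tokens;
      * tokens that would overflow the Bc bucket spill into Be (capped at Be);
      * traffic is paid for from Bc first, then Be;
      * bits that cannot be paid for wait in the shaping queue.
    """
    bc_cap: int = BC
    be_cap: int = BE
    bc: int = 0                 # tokens currently in the Bc bucket
    be: int = 0                 # tokens currently in the Be bucket
    backlog: int = 0            # bits waiting in the shaping queue
    be_spent: int = 0           # tokens ever taken from Be
    sent: List[int] = field(default_factory=list)

    def tick(self, offered: int, wire_blocked: bool = False) -> int:
        """Advance one Tc; `offered` bits arrive. Returns bits transmitted."""
        # 1. Replenish Bc; the overflow is what "moves to Be".
        total = self.bc + self.bc_cap
        self.bc = min(total, self.bc_cap)
        self.be = min(self.be + (total - self.bc), self.be_cap)
        # 2. New traffic joins anything still queued.
        self.backlog += offered
        # 3. Transmit. A blocked wire sends nothing and consumes no tokens,
        #    so a full Bc bucket is what spills into Be on the next tick.
        out = 0
        if not wire_blocked:
            out = min(self.backlog, self.bc + self.be)
            from_bc = min(out, self.bc)
            self.bc -= from_bc
            self.be -= out - from_bc
            self.be_spent += out - from_bc
            self.backlog -= out
        self.sent.append(out)
        return out


def simulate(schedule: List[Tuple[int, bool]]) -> dict:
    """Run a schedule of (offered_bits, wire_blocked) per Tc; return the end state."""
    s = DualBucketShaper()
    for offered, blocked in schedule:
        s.tick(offered, blocked)
    return {"bc": s.bc, "be": s.be, "backlog": s.backlog,
            "be_spent": s.be_spent, "sent": sum(s.sent)}


def idle_then_steady(n: int = 1000) -> dict:
    """Nothing to send during one Tc, then exactly Bc bits every Tc.
    Be fills once and is never touched: the tokens are spare credit, not lost."""
    return simulate([(0, False)] + [(BC, False)] * n)


def backlog_then_steady(n: int = 1000) -> dict:
    """Bc bits arrive but the wire is blocked for one Tc, then Bc every Tc.
    The spilled tokens pay for the backlog on the very next Tc."""
    return simulate([(BC, True)] + [(BC, False)] * n)


def steady_then_burst(n: int = 50) -> dict:
    """Bc every Tc (Bc never idle), then one Tc offering Bc + Be.
    Be never accumulated, so the extra bits have to queue."""
    return simulate([(BC, False)] * n + [(BC + BE, False)])
```

Under these rules Be tokens are never moved back into Bc; they sit in Be until some interval offers more than Bc can pay for, and they only exist at all if Bc went unused in an earlier interval.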

Partycat
Oct 25, 2004

wwb posted:

Thanks for the reply, I think this is for express way, they said something about 10.5.

Sure, sorry to not have been more specific, I haven't broken into Expressway VCS to set that up. Somewhere in the back of my head I want to say I ran into a report somewhere that the Multi-SAN type certificates don't work with Expressway, and there's also some commentary about internal vs external domains all sort of stuff. I'm only tangentially familiar with it.

Supposedly, on the UCOS boxes, via the CLI you can set up web security parameters and specify an alternate name there, which should calm down its griping. But you'll have a new CSR then, obviously.

And, yes, Cisco likes to put things out which don't work or often break, and go back to fix them later. If you run bleeding edge then that's just part of the pain.

wwb
Aug 17, 2004

Thanks again. Not a cisco guy at all and they are driving me nuts with this -- it is just an effing cert, stop being so persnickety damnit.

Frag Viper
May 20, 2001

Fuck that shit
I've been dealing with an annoying problem at work for the last week or so.

All users have Cisco 7941 voip phones. We then use the PC port on the phones to connect to their desktop computers. The issue that's happening is when they go away for an extended period of time (about 4 days) and return to the office and boot up, their PCs have no connection to the internet, yet they have a valid IP when I run ipconfig /all. The solution is to just reboot the phone and then everything is fine after.

The IPs are all valid and I know that it's a DHCP issue. I don't see any conflicts on the DHCP server, but aside from that I'm not sure what else to debug to narrow this issue down. We don't have a SR Network Admin so it's either up to me, or we get a consultant. The configuration on the DHCP server hasn't changed.

The DHCP server is a Cisco 3560, and our core switch is an HP 5412R.

Any suggestions as to where I should be looking? I have a feeling the issue has to do with the switch since it started happening after we installed it.

jwh
Jun 12, 2002

span the port to another station and run tcpdump / wireshark. Figure out if the phone is passing packets from the workstation. It sounds like it isn't.

Methanar
Sep 26, 2013

by the sex ghost
I'm forgetting how to breathe currently.

10.0.0.0
200 subnets
determine info for fields below for the 4th subnet.


Subnet Address: 0, 32, 64, 92, 10.0.92.0
Subnet Mask: 255.255.224.0 /19
Host Range: 10.0.92.1 – 10.0.127.254
Broadcast Address: 10.0.127.255
Default Gateway: 10.0.127.254




This is right, right?

Subnet quota handled by 2^8

Block size from 128+64+32=224 224 > 200

256-224 = 32 (3rd octet)

Edit

Reviewed my text book and since 255.0.0.0 is the default mask. I would need to have 2^8 subnets (8 being 1 bits for the network portion) to exceed the 200 quota. So in reality my mask would be 255.255.0.0. That leaves me with 2^16 hosts.

I'm dumb and used the host bits to determine my number of subnets. :saddowns:

Subnet Address: 10.4.0.0
Subnet Mask: 255.255.0.0 /16
Host Range: 10.4.0.1 – 10.4.255.254
Broadcast Address: 10.4.255.255
Default Gateway: 10.4.255.254

real answers.

Methanar fucked around with this message at 05:22 on Oct 23, 2014
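As an added worked example (mine, not the poster's), a helper that does the classful arithmetic above with the standard library. It assumes the textbook convention that subnet zero is skipped, under which the 4th subnet of 10.0.0.0 cut into 200 subnets is 10.4.0.0/16 as in the corrected answer, and exposes a flag for the zero-based reading.

```python
import ipaddress


def classful_prefix(addr: str) -> int:
    """Default (classful) mask length for a dotted address: A=/8, B=/16, C=/24."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"{addr} is not a class A, B or C address")


def subnet_bits_for(count: int, exclude_subnet_zero: bool = True) -> int:
    """Fewest bits to borrow from the host portion for at least `count` subnets.

    With the textbook convention the all-zeros and all-ones subnets are
    not usable, so 2**k - 2 must reach `count`; otherwise 2**k suffices.
    """
    k = 1
    while True:
        usable = (1 << k) - 2 if exclude_subnet_zero else (1 << k)
        if usable >= count:
            return k
        k += 1


def nth_subnet(base: str, count: int, n: int,
               exclude_subnet_zero: bool = True) -> dict:
    """Fields for the n-th (1-based) subnet when `base` is cut into `count` subnets.

    The base is taken at its classful mask (so 10.0.0.0 is /8, not /32).
    Gateway follows the convention in the post above: the last usable host.
    """
    major = ipaddress.IPv4Network((base, classful_prefix(base)))
    k = subnet_bits_for(count, exclude_subnet_zero)
    new_prefix = major.prefixlen + k
    if new_prefix > 30:
        raise ValueError("not enough host bits left for usable subnets")
    # Skipping subnet zero shifts the numbering up by one block.
    index = n if exclude_subnet_zero else n - 1
    if index >= (1 << k):
        raise ValueError(f"only {1 << k} subnets exist")
    block = 1 << (32 - new_prefix)
    subnet = ipaddress.IPv4Network(
        (int(major.network_address) + index * block, new_prefix))
    first = subnet.network_address + 1
    last = subnet.broadcast_address - 1
    return {
        "subnet": str(subnet.network_address),
        "mask": f"{subnet.netmask} /{subnet.prefixlen}",
        "host_range": f"{first} - {last}",
        "broadcast": str(subnet.broadcast_address),
        "gateway": str(last),
    }
```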

less than three
Aug 9, 2007



Fallen Rib
10.0.0.0/8 or what?

How much space are you subnetting into 200.

Methanar
Sep 26, 2013

by the sex ghost

less than three posted:

10.0.0.0/8 or what?

How much space are you subnetting into 200.

In terms of classful subnetting.

The number of hosts doesn't matter. I need to determine the most appropriate (smallest) mask to use.

Methanar fucked around with this message at 04:29 on Oct 23, 2014

less than three
Aug 9, 2007



Fallen Rib

Methanar posted:

In terms of classful subnetting.

The number of hosts doesn't matter. I need to determine the most appropriate (smallest) mask to use.

edit: After staring at that for a while, yeah I believe you're correct. I haven't done classful subnetting in years. :v:

Host range starts at .1 though, not .0

less than three fucked around with this message at 04:42 on Oct 23, 2014

Partycat
Oct 25, 2004

Frag Viper posted:

I've been dealing with an annoying problem at work for the last week or so.

All users have Cisco 7941 voip phones. We then use the PC port on the phones to connect to their desktop computers. The issue that's happening is when they go away for an extended period of time (about 4 days) and return to the office and boot up, their PCs have no connection to the internet, yet they have a valid IP when I run ipconfig /all. The solution is to just reboot the phone and then everything is fine after.

The IPs are all valid and I know that it's a DHCP issue. I don't see any conflicts on the DHCP server, but aside from that I'm not sure what else to debug to narrow this issue down. We don't have a SR Network Admin so it's either up to me, or we get a consultant. The configuration on the DHCP server hasn't changed.

The DHCP server is a Cisco 3560, and our core switch is an HP 5412R.

Any suggestions as to where I should be looking? I have a feeling the issue has to do with the switch since it started happening after we installed it.

Did someone put ip source guard in place on the switch? The phones are pretty generic devices - rebooting the phone is really just going to drop link which may prompt the PC to re-bind its lease. Then again, if you're not using VVLAN you may have blown up the phone's ARP table too. Their ARP tables are like ...6 entries or something stupid long.

Frag Viper
May 20, 2001

Fuck that shit
IP Source guard is not enabled. And we do use a separate voice VLAN for all our voip traffic.

I mean this isn't a huge issue at work, but it's annoying that in order to fix it we just have to reboot the phone. It's guaranteed that every Monday morning after a weekend multiple people need this done.

Richard Noggin
Jun 6, 2005
Redneck By Default
Is portfast enabled? If you set a static IP on some of the known problem PCs, does the problem persist? Are you using the voice VLAN feature on the switch, or do you set the VLANs on the PCs and/or phones?

SamDabbers
May 26, 2003



Frag Viper posted:

I mean this isn't a huge issue at work, but it's annoying that in order to fix it we just have to reboot the phone. It's guaranteed that every Monday morning after a weekend multiple people need this done.

Lazy mode: script power-cycling the PoE on all the phone ports and set a cron job for the wee hours on Monday morning before anybody arrives.

Inspector_666
Oct 7, 2003

benny with the good hair

SamDabbers posted:

Lazy mode: script power-cycling the PoE on all the phone ports and set a cron job for the wee hours on Monday morning before anybody arrives.

I was actually going to suggest this.

Frag Viper
May 20, 2001

Fuck that shit
It looks like it's an actual known issue with the IOS version, weird.

Sir Sidney Poitier
Aug 14, 2006

My favourite actor


Can anyone tell me what the downside of back to back HSRP is? By this I mean having 2 service provider routers running HSRP between them in a /29, 2 customer routers running HSRP between them in the same /29, then statically routing a block to the customer's floating IP.

ragzilla
Sep 9, 2005
don't ask me, i only work here


Anjow posted:

Can anyone tell me what the downside of back to back HSRP is? By this I mean having 2 service provider routers running HSRP between them in a /29, 2 customer routers running HSRP between them in the same /29, then statically routing a block to the customer's floating IP.

The only issue I've run into doing this is using the same HSRP group ID (since that ID determines the shared HSRP MAC). The other thing to watch for is unicast flooding due to asymmetric routing patterns (raise CAM timer in your L2 domain, or drop ARP timers on both sides, since a customer's involved I'd usually do the former).

syg
Mar 9, 2012
Nation-wide WAN using 1Gb layer2 ethernet links provided by ISP between sites.

Running hub and spoke, 5 regional hubs with 5 spokes each. Total of 30 locations (25 spokes - 5 regional hubs). The 5 spokes are connected via a head office.

Which routing protocol to use? I have been designing it with OSPF single area, but the notion of link state flapping has me worried that one bad interface could flood the whole network with SPF recalculations.

I could break it into more areas which will increase complexity, or look at another protocol like iBGP?

Do many people not use OSPF in a case like this?

ragzilla
Sep 9, 2005
don't ask me, i only work here


syg posted:

Nation-wide WAN using 1Gb layer2 ethernet links provided by ISP between sites.

Running hub and spoke, 5 regional hubs with 5 spokes each. Total of 30 locations (25 spokes - 5 regional hubs). The 5 spokes are connected via a head office.

Which routing protocol to use? I have been designing it with OSPF single area, but the notion of link state flapping has me worried that one bad interface could flood the whole network with SPF recalculations.

I could break it into more areas which will increase complexity, or look at another protocol like iBGP?

Do many people not use OSPF in a case like this?

Use interface dampening so flapping links stay out of the topology, then run OSPF/ISIS. If you have a lot of prefixes in the sites and want a fast converging IGP you can limit IGP to loopbacks only and put the site prefixes in BGP (running between loopbacks).

ragzilla fucked around with this message at 18:37 on Oct 30, 2014


adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer
At what size of network is route summarization important? My network is 60 sites, with a backwards IP scheme. 10.x.y.0/24 subnets primarily, where y is the location and x varies depending on function. The biggest problem is in the cases where I wanted a /23, it didn't really work.

example:

10.1.1.0/24
10.2.1.0/24
10.3.1.0/24

10.1.2.0/24
10.2.2.0/24
10.3.2.0/24

Three subnets at one location, and three at a second location.

This works really well from an access list point of view, but not so much from a routing table size point of view. How much of a headache is this going to cause me? Obviously, at 255 sites, that is my first hurdle, but I can easily just start doing 10.11.1.0/24 etc.. Is it worth my time to change it so that the second octet indicates my location, and then each branch gets a /23 or /22 that is cut up? I know that is the best practice, but it would be a very large undertaking and I need to know at what size of network it will actually matter.
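As an added illustration (mine, not the poster's), the standard library can show why the 10.<function>.<site>.0/24 layout resists per-site summarization: the tightest prefix covering one site's three /24s is 10.0.0.0/14, almost all of which belongs to other sites, whereas 10.<site>.<function>.0/24 collapses to 10.<site>.0.0/22. The 60-site totals assume the three functions from the example above at every site.

```python
import ipaddress
from typing import Dict, Iterable, List

Net = ipaddress.IPv4Network


def site_prefixes(scheme: str, site: int, functions: Iterable[int]) -> List[Net]:
    """The /24s one location owns under either addressing scheme.

    "function-major": 10.<function>.<site>.0/24   (the current scheme above)
    "site-major":     10.<site>.<function>.0/24   (location in the second octet)
    """
    if scheme == "function-major":
        return [Net(f"10.{f}.{site}.0/24") for f in functions]
    if scheme == "site-major":
        return [Net(f"10.{site}.{f}.0/24") for f in functions]
    raise ValueError(scheme)


def covering_supernet(nets: Iterable[Net]) -> Net:
    """Longest single prefix that contains every network in `nets`."""
    nets = list(nets)
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    for prefix in range(32, -1, -1):
        block = 1 << (32 - prefix)
        start = lo - (lo % block)          # align down to the block boundary
        if start + block - 1 >= hi:
            return Net((start, prefix))
    raise AssertionError("unreachable: /0 covers everything")


def summarize_site(nets: Iterable[Net]) -> Dict[str, object]:
    """Routes a site would advertise exactly, plus what one summary would cost."""
    nets = list(nets)
    exact = list(ipaddress.collapse_addresses(nets))
    cover = covering_supernet(nets)
    own = sum(n.num_addresses for n in nets)
    return {
        "exact_routes": len(exact),
        "summary": str(cover),
        # share of the summary that belongs to other locations (or is unused);
        # close to 1 means the summary would swallow other sites' space
        "foreign_share": 1 - own / cover.num_addresses,
    }


def table_size(scheme: str, sites: Iterable[int], functions: Iterable[int]) -> int:
    """Total routes if every site advertises its own collapsed set."""
    functions = list(functions)
    return sum(summarize_site(site_prefixes(scheme, s, functions))["exact_routes"]
               for s in sites)
```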
