gooby pls posted: Any good way to get auto qos on a port channel on a 4500x? I ran auto qos on an unused port, copied the input service policy generated to the port channel interface and the output policy to the member interfaces, but the output policy command doesn't seem to have stayed on the member interfaces.

On some switches/linecards you're not able to apply a hardware QoS policy on an interface sharing an ASIC with another interface that has a different QoS policy. Do any other interfaces have an output policy applied? You can also try shutting down the other ports in the bundle, changing this one and seeing if it sticks.
# ? Jun 20, 2017 16:32
Asking for a friend: how do you handle DDoS attacks? Monitoring, seeing who is sending what where, detection, mitigation, etc. I've got some fairly basic edge ACLs set to filter out fragments, NTP/DNS traffic from sources that are not whitelisted, and weird things like GRE and SNPP that I've seen sent my way. 99% of the attacks I've seen haven't necessarily been bandwidth saturating, but a large number of small packets. None of this actually helps me though when someone is sending 443 at my internet facing LBs and they fall over when they try to negotiate 15k DH key exchanges at once or whatever. Being able to tolerate the internet throwing garbage traffic at you has to be a solved problem.
# ? Jun 21, 2017 06:38
Methanar posted: Asking for a friend: how do you handle DDoS attacks? Monitoring, seeing who is sending what where, detection, mitigation, etc. I've got some fairly basic edge ACLs set to filter out fragments, NTP/DNS traffic from sources that are not whitelisted, and weird things like GRE and SNPP that I've seen sent my way. 99% of the attacks I've seen haven't necessarily been bandwidth saturating, but a large number of small packets.

Get a good heuristic IPS in front of your network and throw more power at the servers/proxies, basically. Otherwise, just ride it out and DO NOT EVER mention anything publicly about it being in progress unless you absolutely have to. There's not much else to be done without global ISPs removing their collective heads from their asses and working together to seriously help with security.
# ? Jun 21, 2017 07:53
State exhaustion attacks will always boil down to the weakest link in your service offering. This is typically going to be firewalls/load balancers/other stateful devices that are in the "normal" traffic path. You can redirect traffic upstream to offload the state problem (these are your typical scrubbing services: Prolexic, Arbor, etc.).
# ? Jun 21, 2017 08:49
Methanar posted: None of this actually helps me though when someone is sending 443 at my internet facing LBs and they fall over when they try to negotiate 15k DH key exchanges at once or whatever.

Speaking specifically to this item: on some firewalls (Palo Alto and ASA for sure) you can set up a protection policy to perform RED or SYN cookies after a threshold is met on a specific ACL line (e.g., after 3k SYN PPS to your LB gateway, start performing RED on the incoming SYNs until the rate lowers). Being that granular requires you to know what a normal day's pps rate is; once you figure that out, you're golden. It's still going to degrade performance, but it should keep your poo poo up.
# ? Jun 21, 2017 13:54
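The threshold logic in the post above (start mitigating once SYN pps toward a VIP passes a limit, stop once the rate falls back) as a small added model; this is example code written for this thread, not a vendor's implementation. The flow records, the VIP address 203.0.113.10, the 3000 pps trigger and the 1500 pps release point are all constructed/assumed.

```python
from collections import Counter

def make_sample():
    """Constructed flow records: (timestamp_s, src_ip, dst_ip, tcp_flags).
    Assumption: 203.0.113.10 is the LB VIP; sources are documentation-range addresses.
    Second 1 and 2 model a SYN flood, seconds 0 and 3 model a normal rate."""
    recs = []
    profile = {0: 500, 1: 4000, 2: 2000, 3: 800}   # pure SYNs per second toward the VIP
    for sec, n in profile.items():
        for i in range(n):
            recs.append((sec + i / n, f"198.51.100.{i % 250}", "203.0.113.10", "S"))
        recs.append((sec + 0.5, "198.51.100.7", "203.0.113.10", "A"))  # ACKs never count
    recs.append((1.2, "198.51.100.9", "203.0.113.20", "S"))  # a quiet second VIP
    return recs

def syn_counts(records):
    """Count packets whose flags are exactly SYN, bucketed per (dst, whole second)."""
    counts = Counter()
    for ts, _src, dst, flags in records:
        if flags == "S":
            counts[(dst, int(ts))] += 1
    return counts

def mitigation_timeline(counts, dst, on_pps=3000, off_pps=1500):
    """Walk the per-second SYN counts for one VIP and apply hysteresis:
    enter mitigation when count >= on_pps, leave only once it drops below off_pps.
    Returns [(second, syn_count, mitigating), ...]."""
    seconds = sorted(s for (d, s) in counts if d == dst)
    mitigating, timeline = False, []
    for s in seconds:
        n = counts[(dst, s)]
        if not mitigating and n >= on_pps:
            mitigating = True
        elif mitigating and n < off_pps:
            mitigating = False
        timeline.append((s, n, mitigating))
    return timeline

if __name__ == "__main__":
    for row in mitigation_timeline(syn_counts(make_sample()), "203.0.113.10"):
        print(row)
```

The two thresholds are deliberately different so that a rate hovering around the trigger does not toggle mitigation on and off every second.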
Is this sort of thing something that could be handled with a local instance of snort and iptables? Or is it probably too late by then to mitigate, by virtue of the traffic having passed through the network card and the kernel having needed to look at it, even if an https listener didn't? Buying firewalls that would be capable of processing the amount of traffic I get would be ridiculously expensive. The best scenario would be each internet facing machine being capable of doing its own filtering. I've got a lot of things that are internet facing, not just haproxy (although these getting hit particularly sucks, and they are definitely not IP-portable or acceptable to null route). Some of the machines are pretty massive and are handling at least 1gbps of traffic at any given moment. But it's weird that I know they definitely don't like when someone points a laser at them, even if the attack seems small, on the order of 10k-50k packets per sec.
# ? Jun 21, 2017 19:58
Depends. If it's targeted at your application then it may be worth spending CPU for minor mitigation. If you're getting 600Mbps+ being tossed at your hardware it may crush the machine and it will be pointless to do it there. The idea is to bounce the session or traffic off of your service somewhere enough to let the legitimate stuff through. Thus why the suggestion to have your upstream provider can it when it's frac on their multiple 100Gbps links before it gets to you.
# ? Jun 21, 2017 23:55
At this moment I have about 20gbps inbound altogether. Highest peak I've ever seen is about 32gbps, although this is growing very quickly. That's my baseline for legitimate traffic. Current CPU utilization is about 50% so maybe you're right, pushing everything through snort would cause everything to grind to a halt, or at least potentially start causing CPU wait. I don't think upstream filtering is really what I want here. Some of my providers provide blackhole community strings, but ultimately I'd still need to write some sort of script to automatically detect an attack, who it's coming from and then advertise the blackhole string. And that's all assuming the source is well defined and something that's reasonable to block, and not some AWS /12 or ISP's /18 which could have legitimate users. Both of which I've seen garbage originate (or spoofed) from.
# ? Jun 22, 2017 00:20
In the interest of cheapness: you could put a bump-in-the-wire IPS inline on another server and use some kind of fail-open device like a Garland bypass switch to allow connectivity to continue if the IPS dies.
# ? Jun 22, 2017 00:49
For me, since our normal traffic looks like DDoS (a shitload of short lived http/s transactions from mostly unique IPs), and we do around 70Gb/s over a global anycast network, we just endure it. We've been hit a few times but with only like 10Gb/s, which caused some slower than normal responses in a specific region but overall didn't affect us. The things that take us down are DNS provider attacks. Otherwise just normal edge hardening: Control Plane Policing, ACLs that block everything except 80/443 to our specific service VIPs. We looked into Remote Triggered Blackhole so that we could save our other services, but unfortunately very few providers support it, and those that do only allow you to null route an entire /24, which is the exact opposite of what we want :/ And yea, almost everything from the attacks we've gotten has been spoofed sources.
# ? Jun 23, 2017 19:33
ate poo poo on live tv posted: For me, since our normal traffic looks like DDoS (a shitload of short lived http/s transactions from mostly unique IPs), and we do around 70Gb/s over a global anycast network, we just endure it. We've been hit a few times but with only like 10Gb/s, which caused some slower than normal responses in a specific region but overall didn't affect us. The things that take us down are DNS provider attacks.

Who're your current transits? Pretty much everyone I transit with has dRTBH down to a /32.
# ? Jun 24, 2017 00:41
Trend is to do on-host defenses and just scale that out. Servers can do line rate filtering at 10+Gbps via DPDK/eBPF/XDP, and there are a bunch of toolsets out there with that stuff. IPS and other crap for detection of less volumetric attacks. A big to-do is to be able to get the appropriate metrics and then be able to produce actionable events on the data for Ops folks to act on. Just staring at a dashboard for DDoS detection doesn't work well.
# ? Jun 24, 2017 04:40
Anyone running a virtualized firewall in production? I am replacing a bunch of SRX240 next year, and am eyeballing the SRX345, but now wondering about the vSRX. I have used the vSRX for test stuff, but no production.
# ? Jun 26, 2017 16:56
Is there a historical reason for VLANs in IOS being in their own little file rather than just rolled into the switch config?
# ? Jun 26, 2017 20:21
Thanks Ants posted: Is there a historical reason for VLANs in IOS being in their own little file rather than just rolled into the switch config?

Yes, it's from CatOS having a vlan.dat. At least, that was always my understanding. Nowadays I don't know why they still do it.
# ? Jun 26, 2017 20:31
IOS-XE doesn't have it, and monolithic IOS is basically dead now, so you shouldn't really ever see it on modern hardware.
# ? Jun 26, 2017 23:14
Thanks Ants posted: Is there a historical reason for VLANs in IOS being in their own little file rather than just rolled into the switch config?

It's because VTP is on. Switch it to transparent and they'll show in the config.
# ? Jun 26, 2017 23:19
Partycat posted: Cucm/jabber contact stuff

Hey thanks, I'll play around with this more and try to use it. I was originally looking for a contact list .XML that could be imported client side, as in from the Cisco Jabber application itself, without access to the IM&P server, but this sounds like a better way.
# ? Jun 27, 2017 01:15
ragzilla posted: Who're your current transits? Pretty much everyone I transit with has dRTBH down to a /32.

A little company that is looking to be bought out called Internap.
# ? Jun 27, 2017 02:16
Anyone at Live right now and planning on doing the NetApp FlexPod event?
# ? Jun 27, 2017 02:31
ate poo poo on live tv posted: A little company that is looking to be bought out called Internap.

Ah, the ole virtual transit. It's kind of mind boggling they don't offer dRTBH, since all it'd be is making arrangements with their transits in each POP and translating a BGP community. They wouldn't even need to sink any traffic unless it sourced from another customer of theirs.
# ? Jun 27, 2017 12:59
ragzilla posted: Ah, the ole virtual transit. It's kind of mind boggling they don't offer dRTBH, since all it'd be is making arrangements with their transits in each POP and translating a BGP community. They wouldn't even need to sink any traffic unless it sourced from another customer of theirs.

It actually does work well for our anycast network though, and the price is right. But yea, it's not ideal.
# ? Jun 28, 2017 06:12
I'm not at Live this year (coworkers got to go), but if anyone here does collab and wants to network we can organize on IRC or Twitter or something. I'm no Warcop but I don't think I'm completely inept.
# ? Jun 28, 2017 23:30
Bit late to the DDoS show, but if your customer base is largely constrained to one geographic location (Midwest, Europe, whatever), you can shunt incoming requests outside of that region to a sorry page or another data center using DNS load balancing with geolocation profiling.
# ? Jun 29, 2017 01:25
That does assume that your DDoS target is a DNS record and not the IP address itself.
# ? Jun 29, 2017 01:33
Partycat posted: I'm no Warcop but I don't think I'm completely inept.

Can confirm, PartyCat ain't no slouch.
# ? Jun 29, 2017 03:52
Is there a simple way to keep an OSPF adjacency from forming for a certain amount of time after it goes down? I'm sure you can get crafty with EEM or event-options or something, but I'd rather just adjust a "hold-down" time or something like that. The scenario is we have a pair of VPLS circuits, a backup and a primary, that go to all of our datacenters that we download a few gigs/sec over. We have BFD enabled over these things so that if we start dropping traffic, BFD will force the neighbor down and the backup path will be utilized. This works fairly well, but I'd like to avoid a constant "flapping" situation where there is packet loss over one of the VPLS links, so BFD goes down, but then comes back up, bringing up OSPF, then BFD brings it down again, etc, etc. Ideally if BFD detects a failure it should force the OSPF neighbor down for say 1 minute, then let it attempt to negotiate up again. So whether the change is made with BFD, or OSPF, or whatever, I don't really care. Just as long as the flapping is brought down to a more useful level.
# ? Jun 29, 2017 22:03
ip event dampening
# ? Jun 29, 2017 23:31
I'm having trouble getting a remote site to communicate SNMP with my PRTG server. The remote site has an ASA, inside interface 1 has a site-to-site VPN with my hub ASA. PRTG server is on the inside of the hub ASA. I can ping remote inside interface from the PRTG server. I've told the remote ASA that inside1 is the management interface, enabled SNMP and syslog, gave it the PRTG server as the SNMP and Syslog host. No communication. I'm guessing the problem is that the ASA is not inspecting the outbound SNMP traffic and giving it to the VPN, but I have no idea what else I can do to make this happen. The ASA needs to send SNMP out inside1, receive it back on inside1, and get it inside the tunnel. Any tips or hints on where I should be looking or anything I can double check?
# ? Jun 30, 2017 17:22
tortilla_chip posted: ip event dampening

That's only for interface flapping, right? Plus it's Cisco only. We are an Arista/Juniper shop.
# ? Jun 30, 2017 17:48
Assuming you want a solution specific to the VPLS links your best option is probably SLAX/python scripts on the boxes then. You could tweak the OSPF timers for throttling incoming LSAs, but that's global to the OSPF process and might have some unintended consequences with regard to convergence for other more stable links in your topology.
# ? Jun 30, 2017 19:07
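For the on-box script route suggested above, here is an added, stand-alone Python model of the exponential-decay dampening that "ip event dampening" style features use, applied to raw BFD/OSPF neighbor transitions; it is example code for this thread, not Arista or Juniper code, and the penalty, suppress, reuse and half-life values (chosen so that repeated flaps hold the neighbor down for roughly the minute asked for) are assumptions. Each event returns the state you would actually program, with "up" withheld while the penalty is still above the reuse point.

```python
class FlapDampener:
    """Exponential-decay flap dampening for a neighbor/link.
    Every 'down' adds `penalty`; the accumulated penalty halves every
    `half_life` seconds; once it exceeds `suppress`, 'up' transitions are
    withheld until the penalty decays to `reuse` or below.
    Default values are assumptions for this example, not a vendor default."""

    def __init__(self, penalty=1000, suppress=2000, reuse=1000, half_life=60.0):
        self.penalty_per_flap = penalty
        self.suppress, self.reuse, self.half_life = suppress, reuse, half_life
        self.penalty = 0.0      # accumulated penalty
        self.last_t = 0.0       # time of last decay calculation
        self.suppressed = False

    def _decay(self, t):
        """Apply half-life decay for the time elapsed since the last event."""
        self.penalty *= 2 ** (-(t - self.last_t) / self.half_life)
        self.last_t = t

    def event(self, t, state):
        """Feed a raw transition ('down' or 'up') seen at time t (seconds).
        Returns the state to actually program for the OSPF neighbor."""
        self._decay(t)
        if state == "down":
            self.penalty += self.penalty_per_flap
            if self.penalty > self.suppress:
                self.suppressed = True
            return "down"
        if self.suppressed and self.penalty <= self.reuse:
            self.suppressed = False   # penalty has decayed; allow the adjacency again
        return "down" if self.suppressed else "up"

def run(events, **kw):
    """Replay (time, raw_state) pairs; returns [(time, raw_state, programmed_state)]."""
    d = FlapDampener(**kw)
    return [(t, s, d.event(t, s)) for t, s in events]

# Constructed flap sequence: three BFD down/up cycles in 10 s, then the link
# reports up again at 70 s and 150 s with no further drops.
FLAPS = [(0, "down"), (2, "up"), (4, "down"), (6, "up"), (8, "down"),
         (10, "up"), (70, "up"), (150, "up")]

if __name__ == "__main__":
    for row in run(FLAPS):
        print(row)
```

A single isolated drop never reaches the suppress threshold, so normal failover is unaffected; only repeated flaps within the half-life window get held down.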
Judge Schnoopy posted: I've told the remote ASA that inside1 is the management interface

Just to be clear, you issued 'management-access inside1', correct? edit: take a gander at this.
# ? Jun 30, 2017 19:08
Hello https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170629-snmp
# ? Jun 30, 2017 20:32
It's cool there probably aren't like millions of Cisco devices out there allowing SNMP to their external interfaces with community string "public" or anything ... ...
# ? Jul 1, 2017 02:23
Client has messed up massively, or let their architect go a bit crazy, so now they need some PoE switches with more than 8 ports for racks dotted around a building. Not usually a problem, except they want them to be completely silent so I need something fanless. Are there any options other than the Catalyst 2960L-24PS? I don't really pay attention to fans in switches other than the airflow direction because normally they aren't being thrown in such weird places.
# ? Jul 1, 2017 21:09
Thanks Ants posted: Client has messed up massively, or let their architect go a bit crazy, so now they need some PoE switches with more than 8 ports for racks dotted around a building. Not usually a problem, except they want them to be completely silent so I need something fanless.

Juniper EX2200-C-12P-2G. We use these for floor switches where we have more people than ports have been built out. Silent and do PoE; haven't had any issues with them since we installed them.
# ? Jul 1, 2017 23:13
ate poo poo on live tv posted: Juniper EX2200-C-12P-2G.

We use the 2200 line as well for some access switches, rock solid.
# ? Jul 1, 2017 23:48
Cisco Web Security authentication has been down since this morning, so my email has been blowing up. Good job Cisco, can't just make it pass through if authentication is down? gently caress.
# ? Jul 2, 2017 02:45
doomisland posted: Hello

Magical.
# ? Jul 2, 2017 13:09
I have a giant Cisco Unity voicemail box I want to get voicemails out of. Problem: the unity web portal sucks rear end, and I'm talking about 100+ voicemails I'd have to manually click on to save as etc. Is there an easier way to export or extract these wavs from Unity? (currently it is not tied to any AD or Exchange infrastructure)
# ? Jul 10, 2017 13:51