Hypnobeard
Sep 15, 2004

Obey the Beard



ragzilla posted:

Is this a compliance thing?
code:
! Disable both the plaintext and the TLS web UI; the self-signed cert
! the scanner complains about goes away with the HTTPS listener.
no ip http server
no ip http secure-server
Problem solved!

It's a compliance thing, but it's also triggering on other, useful things, like SSH. In addition, the client likes to keep silly insecure things like "web access" available for Reasons, even if they don't make any sense to me.


Thanks Ants
May 21, 2004

#essereFerrari


What does the web access even look like on IOS? I presume it's loving terrible like most of Cisco's other attempts at a web UI.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

Thanks Ants posted:

it's loving terrible

Methanar
Sep 26, 2013

by the sex ghost
I've never seen a Cisco web UI that isn't predicated on java 6.

Bigass Moth
Mar 6, 2004

I joined the #RXT REVOLUTION.
:boom:
he knows...
A lot of the Telepresence stuff has web UIs that are pretty easy to look at and use.

CrazyLittle
Sep 11, 2001





Clapping Larry

MF_James posted:

Thanks Ants posted:

it's loving terrible


:same:

ragzilla
Sep 9, 2005
don't ask me, i only work here


Hypnobeard posted:

It's a compliance thing, but it's also triggering on other, useful things, like SSH. In addition, the client likes to keep silly insecure things like "web access" available for Reasons, even if they don't make any sense to me.

SSH uses keys, not certificates, which can be (re)generated using (conf mode)
code:
! Wipe the existing RSA key pair (the SSH server is disabled until a new key exists)
crypto key zeroize rsa
! Generate a new general-purpose 2048-bit RSA pair; SSH picks it up automatically
crypto key generate rsa general-keys modulus 2048
Don’t do this over SSH, because, reasons. I don’t know if this will also fix https but it might.
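What a compliance scanner is usually measuring when it flags a device's SSH service (an assumption here; the thread doesn't say what the finding was) is the host key itself, and the modulus size is exactly what `modulus 2048` in the command above controls. The script below is an added example, not from this thread or from Cisco: it parses an OpenSSH-format `ssh-rsa` public-key line (the format `ssh-keyscan -t rsa <device>` returns) and reports the RSA modulus length against an assumed 2048-bit floor. The two key lines it checks are constructed fixtures built from arbitrary odd integers, not real device keys.

```python
"""Added example: the RSA host-key size check a compliance scanner runs.

Parses the RFC 4253 'ssh-rsa' wire format (string "ssh-rsa", mpint e,
mpint n) out of an OpenSSH public-key line and reports the modulus size.
Not taken from the thread or from any vendor; the keys are constructed.
"""
import base64
import struct

MIN_RSA_BITS = 2048  # assumed policy floor; adjust to your standard


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': big-endian uint32 length prefix + bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer: big-endian bytes with a
    leading 0x00 whenever the high bit is set, wrapped as a 'string'."""
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return _ssh_string(raw)


def build_ssh_rsa_key(e: int, n: int, comment: str = "constructed") -> str:
    """Serialise (e, n) into an OpenSSH public-key line.

    Used here only to build offline fixtures; a real scanner reads the
    line from ssh-keyscan or the device instead of constructing it."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


def _read_string(blob: bytes, offset: int):
    """Read one RFC 4251 'string' at offset; return (bytes, next_offset)."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated ssh key blob")
    return blob[start:start + length], start + length


def rsa_modulus_bits(pubkey_line: str) -> int:
    """Return the RSA modulus bit length of an 'ssh-rsa AAAA...' line.

    Accepts both plain authorized_keys style ("ssh-rsa AAAA... comment")
    and ssh-keyscan style ("host ssh-rsa AAAA..."). Raises ValueError for
    anything that is not an ssh-rsa key."""
    fields = pubkey_line.split()
    if "ssh-rsa" not in fields or fields.index("ssh-rsa") + 1 >= len(fields):
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[fields.index("ssh-rsa") + 1])
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("blob type does not match ssh-rsa")
    _e, off = _read_string(blob, off)        # public exponent, not needed here
    n_bytes, _ = _read_string(blob, off)     # modulus, possibly with 0x00 pad
    return int.from_bytes(n_bytes, "big").bit_length()


def check_host_key(pubkey_line: str, minimum: int = MIN_RSA_BITS) -> dict:
    """Scanner-style verdict: modulus size and whether it meets the floor."""
    bits = rsa_modulus_bits(pubkey_line)
    return {"bits": bits, "compliant": bits >= minimum}


# Constructed fixtures: arbitrary odd integers of the right size, NOT real
# RSA moduli. The first is what a scanner would flag, the second is what
# `crypto key generate rsa general-keys modulus 2048` produces in size.
WEAK_KEY = build_ssh_rsa_key(65537, (1 << 1023) | 12345, "demo-1024")
OK_KEY = build_ssh_rsa_key(65537, (1 << 2047) | 1, "demo-2048")

if __name__ == "__main__":
    for line in (WEAK_KEY, OK_KEY):
        print(line.split()[-1], check_host_key(line))
```

To run it against a real box, pipe the output of `ssh-keyscan -t rsa <device>` through `check_host_key`; after the `zeroize`/`generate` above, the reported size should move to 2048 and the host key fingerprint your SSH client has cached will change, so expect a known_hosts warning on the next login.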

KennyG
Oct 22, 2002
Here to blow my own horn.

Thanks Ants posted:

What does the web access even look like on IOS? I presume it's loving terrible like most of Cisco's other attempts at a web UI.

It's basically an ad for their add-on (pay us more money) UI. Does anyone buy that?

Here's a screenshot of what happens when you log in with an admin account to a Catalyst 4500...

ate shit on live tv
Feb 15, 2004

by Azathoth

ragzilla posted:

SSH uses keys, not certificates, which can be (re)generated using (conf mode)
code:
! Wipe the existing RSA key pair (the SSH server is disabled until a new key exists)
crypto key zeroize rsa
! Generate a new general-purpose 2048-bit RSA pair; SSH picks it up automatically
crypto key generate rsa general-keys modulus 2048
Don’t do this over SSH, because, reasons. I don’t know if this will also fix https but it might.

Not sure about zeroizing, but you can safely generate a new SSH key over ssh.

Partycat
Oct 25, 2004

ragzilla posted:

Don’t do this over SSH, because, reasons. I don’t know if this will also fix https but it might.

Because of this I have a script that enables telnet on vty 0 when someone forgets to generate the key but deploys a switch with SSH set for input.

I've never had it cut me off changing the key while connected or changing line input but I'm sure it does.

Docjowles
Apr 9, 2009

Hey nerds I'm back to ask for another book recommendation. Is there a better OSPF book than this ancient tome? https://www.amazon.com/OSPF-Anatomy-Internet-Routing-Protocol/dp/0201634724

I've been super impressed with the BGP books of similar vintage so the age doesn't scare me off. Just want to make sure no one has bothered to write something better in the intervening 20 (:corsair:) years

tortilla_chip
Jun 13, 2007

k-partite
OSPF and ISIS by Jeff Doyle

Methanar
Sep 26, 2013

by the sex ghost

Docjowles posted:

Hey nerds I'm back to ask for another book recommendation. Is there a better OSPF book than this ancient tome? https://www.amazon.com/OSPF-Anatomy-Internet-Routing-Protocol/dp/0201634724

I've been super impressed with the BGP books of similar vintage so the age doesn't scare me off. Just want to make sure no one has bothered to write something better in the intervening 20 (:corsair:) years

Publisher: Addison-Wesley Professional; 1 edition (February 12, 1998)

:stonklol:

Proteus Jones
Feb 28, 2013



Methanar posted:

Publisher: Addison-Wesley Professional; 1 edition (February 12, 1998)

:stonklol:

For IPv4, OSPF hasn't changed since 1998.

There were some updates rolled into the spec around 2008 or 2009, and I'm almost certain the only changes were to accommodate IPv6.

madsushi
Apr 19, 2009

Baller.
#essereFerrari
If you want the nitty gritty, the Moy book is good.

If you want more practical, I've always liked Routing TCP/IP:

https://www.amazon.com/Routing-TCP-IP-1-2nd/dp/1587052024

Covers the IGPs: RIP, OSPF v2 and v3, IS-IS, and more general stuff (route maps). I have a copy of this and it's good.

e: looks like the same author (Doyle) as the "OSPF and IS-IS" book recommended above.

madsushi fucked around with this message at 04:04 on Jan 25, 2018

Kazinsal
Dec 13, 2011



+1 for Routing TCP/IP. We have a copy of that book in the office that people reference daily. I'm seriously thinking about fabricating up a little stand and spotlight for it.

Docjowles
Apr 9, 2009

Thanks as always, goons

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

Holy poo poo I need some help here. I have a loving old rear end Brocade switch (running FW 7.0.0) that a co-worker did not save the config on like a year ago when he configured it. Well, it finally lost power and lost the configuration for a port that's the trunk port off of our firewall; he didn't document his config, nor does he remember how he did it.

I've mostly got it correct, but I can't for the life of me figure out how to turn the port into a trunk port, or at least Cisco's version of a trunk port. Is dual-mode Brocade speak for trunk port? It seems like it is, but I'm not entirely sure. Their actual trunk command seems more like Cisco's port-channel group, though I'm having issues finding documentation on this old OS version; there's a bunch of poo poo I'm finding that is not actually applicable because the commands just do not exist.

MF_James fucked around with this message at 21:31 on Jan 25, 2018

Thanks Ants
May 21, 2004

#essereFerrari


switchport mode trunk? Is this a FastIron or something else?

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

Thanks Ants posted:

switchport mode trunk? Is this a FastIron or something else?

Just figured it out: dual-mode is trunk mode. It's an FCX648S, which runs FastIron, I think; it's v7.0.0, so it seems somewhat old. I'm not sure; according to the login it does run FastIron, but half of the commands I found documented online are totally different on the switch. It's awful, but I was right: dual-mode = Cisco trunk mode, and trunk mode is actually port-channels, loving dumb. Half of the commands on the switch are straight ripped from IOS; the rest are differently named or named the same but do different stuff.

Docjowles
Apr 9, 2009

dual-mode 123 is basically the equivalent of switchport trunk native vlan 123. It tells the port to treat untagged frames as belonging to vlan 123.

Thanks Ants
May 21, 2004

#essereFerrari


If in doubt, smash the tab key and the question mark and fluff your way through

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

Thanks Ants posted:

If in doubt, smash the tab key and the question mark and fluff your way through

That's what I did.


Docjowles posted:

dual-mode 123 is basically the equivalent of switchport trunk native vlan 123. It tells the port to treat untagged frames as belonging to vlan 123.

Yeah.

The REALLY annoying thing is that you cannot dual-mode a port without tagging a VLAN on it first, I didn't think about it at first, but I was like Ok that's fine, weird, but fine. #tag int e 1/1/1 --- Connection lost ---- fuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuck

Yeah so doing that on my only connection into the environment was a bad idea. Thankfully just had them boot the switch and I configured the only other open port, but it's just a weird thing, you have to tag a VLAN on the port, then you can dual-mode (trunk) the port and it'll be happy again.

Docjowles
Apr 9, 2009

MF_James posted:

brocade is trash lmao

Agreed

Thanks Ants
May 21, 2004

#essereFerrari


Trying to figure out which product is with which company now is like following the ball under some cups. I think Qualcomm bought them and then instantly sold off a load of the product ranges to companies that more or less denied knowledge of the products existing and decided that was now their internal IP. It's like a clown running through a minefield.

Moey
Oct 22, 2010

I LIKE TO MOVE IT
I have mixed feelings about Junos ELS. Standardizing things across the board is great, but loving change.

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE

Thanks Ants posted:

Trying to figure out which product is with which company now is like following the ball under some cups. I think Qualcomm bought them and then instantly sold off a load of the product ranges to companies that more or less denied knowledge of the products existing and decided that was now their internal IP. It's like a clown running through a minefield.

It's not super hard. If it pushes IP packets it's Extreme, if it pushes FC frames it's Broadcom.

If it runs in a VM it's irrelevant since AT&T killed the public versions.

Pile Of Garbage
May 28, 2007



Cross-post, not a question but y'all will find it relevant:


I've just checked our main edge ASA 5555-X's and they're running fuckin 9.5 :rip:

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE
^^ Thanks for posting, sucks to be my engineers ^^

FatCow posted:

Mine are 10U, but they need to be one screw (1/2") off from the proper boundaries in order for the holes in the rails to line up.

After a month of back and forth and 2 trips to our office by a TAC escalation manager (RTP, NC supremacy) Cisco accepted that we understand EIA racks and that their rails are incorrectly designed. They are stamping new rails for the ASR 9006 and we're getting a few dozen next week.

If you actually want your ASRs to rack properly you're going to need one of the new rails. PM me and I'll give you enough info for your sales team to find the TAC case.

ed: We've been running 9.6.3(8) on our 5555-Xs with no problems. We'll likely patch tonight to (20).

FatCow fucked around with this message at 02:52 on Jan 30, 2018

Thanks Ants
May 21, 2004

#essereFerrari


Lmao how the gently caress is making rails a challenge?

Jamsta
Dec 16, 2006

Oh you want some too? Fuck you!

A dimwit (me) who really should know better entered this into a 2960S's remote console session while in conf t:

The site's primary router was connected to port 2

code:
! Port 2 (the uplink to the site's primary router) is inside this range
interface range gigabitethernet 1/0/1-10
no switchport port-security mac-address sticky
! Shutting the uplink drops the remote session right here
shut
no shut
Customer called us up immediately. Luckily we had a field engineer nearby who cycled the switch.

I am a Cisco nubcake.

Thanks Ants
May 21, 2004

#essereFerrari


reload in blah

Commit confirm is superior

Jamsta
Dec 16, 2006

Oh you want some too? Fuck you!

Thanks Ants posted:

reload in blah

Commit confirm is superior

pro-tip

Pile Of Garbage
May 28, 2007



Jamsta posted:

A dimwit (me) who really should know better entered this into a 2960S's remote console session while in conf t:

The site's primary router was connected to port 2

code:
! Port 2 (the uplink to the site's primary router) is inside this range
interface range gigabitethernet 1/0/1-10
no switchport port-security mac-address sticky
! Shutting the uplink drops the remote session right here
shut
no shut
Customer called us up immediately. Luckily we had a field engineer nearby who cycled the switch.

I am a Cisco nubcake.

I've probably told this story before but in my last job I worked with FortiGate firewalls a lot, much more than I did with Cisco gear. With the FortiOS CLI if you type "show" or "sh" in configuration context it will output the current config for whatever node you're editing. Anyway one day we were having issues with internet at the office so I SSH'd to the 2911, enter "conf t", "int gi0/0" and then suddenly muscle memory kicks in and I instinctively enter "sh" to try and show the current interface config. Down goes the inside interface and everyone's internet drops out along with my SSH session. I brought it back up in ~5 minutes via console but it was still embarrassing as hell.

Pile Of Garbage fucked around with this message at 14:30 on Jan 30, 2018

Thanks Ants
May 21, 2004

#essereFerrari


Yuuuuup I've done that

Richard Noggin
Jun 6, 2005
Redneck By Default
That and the inadvertent right click inside a PuTTY session.

Collateral Damage
Jun 13, 2009

It's why I always switch PuTTY to right-click-menu.

Pile Of Garbage
May 28, 2007



It's funniest when you accidentally paste passwords into IRC.

SamDabbers
May 26, 2003



Middle-click paste is the correct


Grassy Knowles
Apr 4, 2003

"The original Terminator was a gritty fucking AMAZING piece of sci-fi. Gritty fucking rock-hard MURDER!"

cheese-cube posted:

It's funniest when you accidentally paste passwords into IRC.

Good old Hunter2
