|
Thanks everyone. I was thinking it would be easy to just get some cheap 10gb adapters and get them connected to a switch but now I know that it's stupid. I'll hold off on this personal project until I can afford the correct equipment.
|
#
?
Jan 28, 2020 01:33
|
|
|
|
| # ? Apr 18, 2024 08:10 |
|
|
falz posted:Yes DAC are vendor coded as well and it depends on the device on the receiving end to get angry or not. Our mx480s with the mpc7-mrates didn't either. DAC...AOC...what's the difference...
|
|
#
?
Jan 28, 2020 06:23
|
|
|
doomisland posted:Our mx480s with the mpc7-mrates didn't either. DAC...AOC...what's the difference... IIRC DACs actually get coded as a different type of transceiver than standard SFP+ and AOCs do in their EEPROM.
|
|
#
?
Jan 28, 2020 07:08
|
|
|
doomisland posted:Our mx480s with the mpc7-mrates didn't either. DAC...AOC...what's the difference... Speaking of those, gently caress their support costs, we want to shed them all in a few years due to this.
|
|
#
?
Jan 28, 2020 13:30
|
|
|
For all of the vendor nonsense reasons above, I hope folks are using vendor codeable optics with a little USB box thing. We use flexoptix, but there are many options including just having a pcb to do the coding.
|
|
#
?
Jan 28, 2020 13:31
|
|
|
Kazinsal posted:IIRC DACs actually get coded as a different type of transceiver than standard SFP+ and AOCs do in their EEPROM. Yeah they do we were dumping the EEPROM data for our support guy to look at. It would sometimes work but other times not work. Good work by all involved.
|
|
#
?
Jan 29, 2020 05:27
|
|
|
Anyone going to NANOG in San Fran next week? If so PM me and we can laugh about the new CDP vulnerability over some beers.
|
|
#
?
Feb 7, 2020 06:56
|
|
|
Not going to NANOG sadly but the new CDP vulnerability baffles me. I'm not entirely sure how you're realistically supposed to exploit a phone via a protocol that doesn't get forwarded through the switch it's plugged into. Presumably you have to power the phone off an injector and plug the phone into an unmanaged switch, which, at that point, your environment is an impossible mess and you deserve to have someone, uh, root your desk phone? I did like that it also mysteriously affects NX-OS. Yes, boss, I'm sure I'll get right on rebooting all of our fabric interconnects because someone might break into our datacenter with a bunch of weird optics and a laptop and plug directly into the FIs so they can perform the devilish and world-ending act of rebooting them.
|
|
#
?
Feb 8, 2020 00:31
|
|
|
I don't know who screwed up where but I just got 75 separate eDelivery license e-mails for 75 DNA Center licenses. It's smart licensing anywayyyyyyys 
|
|
#
?
Feb 8, 2020 01:18
|
|
|
They chained it with another bug that allows them to send unicast/broadcast malicious cdp packets to the phone. Also lol at running the cdp daemon as root.from the white paper posted:However, an additional flaw was discovered in the parsing mechanism of CDP packets in the VoIP phones, enhancing the impact an attacker can achieve using the vulnerability. The CDP implementation in the VoIP phones doesn’t validate the destination MAC address of incoming CDP packets, and accepts CDP packets containing unicast/broadcast destination address as well. Any CDP packet that is sent to a switch that is destined to the designated CDP multicast MAC address, will be forwarded by the switch, and not terminated by it. Due to this discrepancy, an attacker can trigger the vulnerability described above by a unicast packet sent directly to target device, or by a broadcast packet sent to all devices in the LAN — without needing to send the packet directly from the switch to which an VoIP phones is connected to.
|
|
#
?
Feb 8, 2020 01:19
|
|
|
"Looks like my phone in insecure boss, I'll leave it unplugged until this vuln is fixed"
|
|
#
?
Feb 8, 2020 12:27
|
|
|
"Have you tried unplugging it and never plugging it in again?"
|
|
#
?
Feb 11, 2020 15:58
|
|
|
Pile Of Garbage posted:"Have you tried unplugging it and never plugging it in again?" This was my solution to the problem of "I have a desk phone"
|
|
#
?
Feb 11, 2020 16:22
|
|
|
The crazy money Citadel is offering for network engineers is because they're terrible right?
|
|
#
?
Feb 16, 2020 01:43
|
|
|
Depends on what your define terrible. They are demanding and you're always on call but they have ridiculous pay and even more rediculous bonuses until the market crashes
|
|
#
?
Feb 16, 2020 02:31
|
|
|
There's no amount of money you could offer me to be on call again unless there were very clear stipulations about it that are never broken, that is, you can be called in between these hours on these days. Last time I worked somewhere they had an on-call roster, of course, three out of the four people on the roster weren't equipped to deal with real oncall problems so effectively the fourth person always ended up being shadow-on-call and when they were rung it was always a drop everything emergency.
|
|
#
?
Feb 16, 2020 02:52
|
|
|
Two problems: Number 1: I have the problem of some old HP A5120's acting like hubs, not switches. They are respecting VLAN segregation but they are spewing out every packet for that VLAN on said ports. Config is here, but it feels like there's some kind of deeper issue. Rebooted the switches and updated to the latest firmware. Not all the switches we have do it, maybe only like 2-3? These are in the budget to be replaced but it might not happen until the end of they ear.  20MB worth of traffic going to each of those ports...verified with Wireshark. I can see all kinds of traffic between other hosts (but just for that VLAN). Other switches behave as expected and I can't see any traffic other than my own. Switch that does it vs one that doesn't....total traffic graph for the switch, basically x times 40-ish ports  Number 2: I need a second DHCP scope? I've never done this. We have an older Mitel system and we have 172.27.30.30-254 for DHCP, and we have 224 leases in use. If I add another subnet, x.x.x.31 for example... how do I handle the VLAN end of it? All ports that are setup for voice would be on 30 and 31 then? It sounds like it should be simple. We have another scope on our wifi gear and one on our Windows servers, but a second scope for just the phones is what I've never done (never been in an environment with > 200 phones) Bob Morales fucked around with this message at 14:08 on Feb 17, 2020 |
|
#
?
Feb 17, 2020 14:06
|
|
|
Bob Morales posted:Two problems: What’s the platform MAC limit, and is it possible you’re reaching it? Most platforms will revert to flood mode when the MAC table fills.
|
|
#
?
Feb 17, 2020 15:09
|
|
|
ragzilla posted:What’s the platform MAC limit, and is it possible you’re reaching it? Most platforms will revert to flood mode when the MAC table fills. There are ~670 MAC addresses in the table
|
|
#
?
Feb 17, 2020 15:11
|
|
|
The traffic is unicast, not multicast or broadcast? The purple color on those observium graphs is a bit different from mine, usually associated with non- unicast.
|
|
#
?
Feb 17, 2020 15:35
|
|
|
Bob Morales posted:
I assume you meant having a second voice vlan with 172.27.31.0 /24 scope and yes, that would work. You aren't limited to one voice vlan per device, just a switchport can only be on one voice vlan. Or expand the current DHCP scope if you only need a few more and you don't need 28 statics on that scope.
|
|
#
?
Feb 17, 2020 16:01
|
|
|
falz posted:The traffic is unicast, not multicast or broadcast? The purple color on those observium graphs is a bit different from mine, usually associated with non- unicast. Unicast. Mostly camera traffic from 4-5 hosts.
|
|
#
?
Feb 17, 2020 17:30
|
|
|
Cyks posted:I assume you meant having a second voice vlan with 172.27.31.0 /24 scope and yes, that would work. You aren't limited to one voice vlan per device, just a switchport can only be on one voice vlan. Or expand the current DHCP scope if you only need a few more and you don't need 28 statics on that scope. I could only expand the current scope by... ten? And it turns out like 30 machines are getting DHCP from Windows (and aren't on the 30 vlan, they're on the same VLAN as the PC on that particular port...not sure why the hell that's happening)
|
|
#
?
Feb 17, 2020 17:38
|
|
|
You can likely reuse the vlan and add a secondary IP address.
|
|
#
?
Feb 17, 2020 17:38
|
|
|
Bob Morales posted:Unicast. Mostly camera traffic from 4-5 hosts. Is it destined to a NLB host or something that isn’t replying with its own MAC? That would cause flooding. dst mac is in the table where you’d expect ?
|
|
#
?
Feb 17, 2020 18:26
|
|
|
Partycat posted:Is it destined to a NLB host or something that isn’t replying with its own MAC? That would cause flooding. dst mac is in the table where you’d expect ? Yea, the mac address is in the table for both the src and dst [timg]https://i.imgur.com/X9tZgLQ.png[/img] Wireshark PC is 172.27.15.185 fwiw
|
|
#
?
Feb 17, 2020 18:55
|
|
|
Bob Morales posted:Two problems: Why is DHCP configured on this switch at all?
|
|
#
?
Feb 19, 2020 20:36
|
|
|
Pile Of Garbage posted:Why is DHCP configured on this switch at all? It's not - dhcp server is on the phone system (vlan 30) and the windows server
|
|
#
?
Feb 20, 2020 00:01
|
|
|
This isnt really a bug but I've still found it annoying: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt04894/?rfs=iqvred After the CDPwn exploit we pushed out new firmware (12.7) to our phones. With the new firmware comes a feature called "lower your voice" where a little cartoon guy pops up shushing the user telling them to pipe down. Info here: https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKUCC-2050.pdf As of right now there is no way to globally disable this in call manager. Our helpdesk is getting a bunch calls from loudmouths asking to turn it off.
|
|
#
?
Feb 21, 2020 14:36
|
|
|
There are enhancement request cases for this and the call blocking feature to have admin control . The vulnerability rating is high , but , depending on your environment you can defer this load for a while - supposedly one that fixes the bugs in 12.7 is due next month mid month
|
|
#
?
Feb 21, 2020 20:20
|
|
|
You don't need a L3 switch in each telco closet on every floor of the building, as long as they each run back to your core stack of switches (that are L3), right? L2 switches are like 1/3rd the price and when you're replacing ~20 of them... Someone here bought 1 HP Aruba 2930 instead a 2540, and we're not going to be replacing all the others just yet, but want to plan for it.
|
|
#
?
Feb 27, 2020 21:57
|
|
|
It depends on your network design, but no, it's generally not necessary to have a L3 switch on every floor. Just put the gateway IP on the L3 in your core and use trunk ports up to the floors.
|
|
#
?
Feb 27, 2020 22:08
|
|
|
Depends on the type of traffic as well - if I had a second building linked back over a fibre and things like printers, PCs, wireless displays were on different VLANs to each other I'd probably want to handle that routing in place rather than bringing it all back to the core switches. If all your traffic ends up coming from/going to an Internet destination or you have something like ClearPass in place then yeah don't bother complicating things.
|
|
#
?
Feb 27, 2020 22:24
|
|
|
For Workstation traffic we have a stack of distribution switches that are the L3 gateway for the clients between the different L2 closet switches. The dist switches are trunked to the core. It keeps all the Workstation chatter off the core.
|
|
#
?
Feb 27, 2020 22:50
|
|
|
Bob Morales posted:You don't need a L3 switch in each telco closet on every floor of the building, as long as they each run back to your core stack of switches (that are L3), right? L2 switches are like 1/3rd the price and when you're replacing ~20 of them... IIRC the 2540 do basic L3 now? They just dont do anything more than static routing methinks. Also depends on your throughput requirements for the floor, do you need failover PSUs, whats your PoE wattage requirements, etc. Also the 2500s dont do stacking if thats a thing yall are wanting. If all you need is basic, low wattage, moderate throughput switching with 10Gb SFP+ uplinks then the 2540s are great. The 2930s are more hardware resilient and have better specs. Source based on requirements.
|
|
#
?
Feb 27, 2020 23:19
|
|
|
If I wanted an Aruba L3 switch I'd be looking at the CX models now, I get the impression that the ProVision stuff (29xx, 38xx from the HPE days) isn't going to be what new things are built on.
|
|
#
?
Feb 27, 2020 23:31
|
|
|
Thanks Ants posted:If I wanted an Aruba L3 switch I'd be looking at the CX models now, I get the impression that the ProVision stuff (29xx, 38xx from the HPE days) isn't going to be what new things are built on. 6300M is twice as much as a 2930F  quote:WHY CHOOSE ARUBA CX SWITCHES? 
|
|
#
?
Feb 28, 2020 13:56
|
|
|
Bob Morales posted:You don't need a L3 switch in each telco closet on every floor of the building, as long as they each run back to your core stack of switches (that are L3), right? L2 switches are like 1/3rd the price and when you're replacing ~20 of them... Just so you know, if you are planning to replace them with Cisco switches, there is no L2 only license with DNA, which is required for the new 9k Catalysts. (Which will most likely be the model you would buy if you are going new Cisco)
|
|
#
?
Feb 28, 2020 14:01
|
|
|
We're replacing all our C3560X switches with Meraki MS390. My first dip into the Meraki world outside of wifi.
|
|
#
?
Feb 28, 2020 15:00
|
|
|
|
| # ? Apr 18, 2024 08:10 |
|
|
Bob Morales posted:6300M is twice as much as a 2930F Yeah but they're good. Hopefully the AOS-CX stuff rolls down the range a bit into the more affordable boxes, ProVision is showing its age and NetEdit is really good. Also don't compare M and F variants.
|
|
#
?
Feb 28, 2020 16:28
|
|