Actuarial Fables
Jul 29, 2014



Taco Defender






Thanks everyone. I was thinking it would be easy to just get some cheap 10gb adapters and get them connected to a switch but now I know that it's stupid. I'll hold off on this personal project until I can afford the correct equipment.


doomisland
Oct 5, 2004



falz posted:

Yes DAC are vendor coded as well and it depends on the device on the receiving end to get angry or not.

Hell some newer Juniper hardware (mx204, qfx10k) didn't support DAC at all until Junos 18.

Our mx480s with the mpc7-mrates didn't either. DAC...AOC...what's the difference...

Kazinsal
Dec 13, 2011





doomisland posted:

Our mx480s with the mpc7-mrates didn't either. DAC...AOC...what's the difference...

IIRC DACs actually get coded as a different type of transceiver than standard SFP+ and AOCs do in their EEPROM.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010


doomisland posted:

Our mx480s with the mpc7-mrates didn't either. DAC...AOC...what's the difference...
Must've been an Eagle chip thing outside of qfx10k. We hadn't tested on mpc7.

Speaking of those, gently caress their support costs, we want to shed them all in a few years due to this.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010


For all of the vendor nonsense reasons above, I hope folks are using vendor codeable optics with a little USB box thing.

We use flexoptix, but there are many options including just having a pcb to do the coding.

doomisland
Oct 5, 2004



Kazinsal posted:

IIRC DACs actually get coded as a different type of transceiver than standard SFP+ and AOCs do in their EEPROM.

Yeah they do, we were dumping the EEPROM data for our support guy to look at. It would sometimes work but other times not work. Good work by all involved.

ate shit on live tv
Feb 15, 2004



Anyone going to NANOG in San Fran next week? If so PM me and we can laugh about the new CDP vulnerability over some beers.

Kazinsal
Dec 13, 2011





Not going to NANOG sadly but the new CDP vulnerability baffles me. I'm not entirely sure how you're realistically supposed to exploit a phone via a protocol that doesn't get forwarded through the switch it's plugged into. Presumably you have to power the phone off an injector and plug the phone into an unmanaged switch, which, at that point, your environment is an impossible mess and you deserve to have someone, uh, root your desk phone?

I did like that it also mysteriously affects NX-OS. Yes, boss, I'm sure I'll get right on rebooting all of our fabric interconnects because someone might break into our datacenter with a bunch of weird optics and a laptop and plug directly into the FIs so they can perform the devilish and world-ending act of rebooting them.

less than three
Aug 9, 2007




Fallen Rib

I don't know who screwed up where but I just got 75 separate eDelivery license e-mails for 75 DNA Center licenses. It's smart licensing anywayyyyyyys

gooby pls
May 18, 2012





They chained it with another bug that allows them to send unicast/broadcast malicious cdp packets to the phone. Also lol at running the cdp daemon as root.


from the white paper posted:

However, an additional flaw was discovered in the parsing mechanism of CDP packets in the VoIP phones, enhancing the impact an attacker can achieve using the vulnerability. The CDP implementation in the VoIP phones doesn't validate the destination MAC address of incoming CDP packets, and accepts CDP packets containing a unicast/broadcast destination address as well. Any CDP packet that is sent to a switch that is not destined to the designated CDP multicast MAC address will be forwarded by the switch, and not terminated by it. Due to this discrepancy, an attacker can trigger the vulnerability described above by a unicast packet sent directly to the target device, or by a broadcast packet sent to all devices in the LAN — without needing to send the packet directly from the switch to which the VoIP phone is connected.
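As an added defender-side illustration (not code from the post or the white paper), a small Python parser that recognises CDP frames by their 802.3/LLC/SNAP header (Cisco OUI 00:00:0C, protocol ID 0x2000) and flags the ones whose destination is not the CDP multicast MAC 01:00:0C:CC:CC:CC, i.e. the unicast/broadcast CDP the white paper says a switch will forward. The MAC addresses, device ID and sample frames are constructed values; the CDP checksum is left zero because the check does not validate it.

```python
import struct
from dataclasses import dataclass

CDP_MULTICAST = bytes.fromhex("01000ccccccc")  # 01:00:0C:CC:CC:CC, where CDP normally goes
CISCO_OUI = bytes.fromhex("00000c")
CDP_PID = 0x2000
LLC_SNAP = b"\xaa\xaa\x03"  # DSAP/SSAP 0xAA, control 0x03


@dataclass
class CdpFrame:
    dst: bytes
    src: bytes
    version: int
    ttl: int


def parse_cdp(frame: bytes):
    """Return a CdpFrame if `frame` is an 802.3/LLC/SNAP CDP frame, else None."""
    if len(frame) < 26:  # 14 (802.3) + 8 (LLC/SNAP) + 4 (CDP header)
        return None
    dst, src = frame[0:6], frame[6:12]
    length = struct.unpack("!H", frame[12:14])[0]
    if length > 1500:  # an EtherType, not an 802.3 length: not LLC-encapsulated CDP
        return None
    if frame[14:17] != LLC_SNAP:
        return None
    oui, pid = frame[17:20], struct.unpack("!H", frame[20:22])[0]
    if oui != CISCO_OUI or pid != CDP_PID:
        return None
    return CdpFrame(dst, src, version=frame[22], ttl=frame[23])


def build_cdp_frame(dst: bytes, src: bytes, device_id: bytes = b"constructed-sw1") -> bytes:
    """Construct a minimal CDPv2 frame with one Device-ID TLV (sample data only)."""
    tlv = struct.pack("!HH", 0x0001, 4 + len(device_id)) + device_id
    cdp = bytes([2, 180]) + b"\x00\x00" + tlv  # version 2, TTL 180, checksum zeroed
    payload = LLC_SNAP + CISCO_OUI + struct.pack("!H", CDP_PID) + cdp
    return dst + src + struct.pack("!H", len(payload)) + payload


def flag_misaddressed_cdp(frames):
    """Return (src, dst) for every CDP frame not sent to the CDP multicast MAC."""
    hits = []
    for f in frames:
        c = parse_cdp(f)
        if c is not None and c.dst != CDP_MULTICAST:
            hits.append((c.src.hex(":"), c.dst.hex(":")))
    return hits


# Constructed sample traffic: one normal CDP frame, two misaddressed ones, one ARP frame.
SWITCH_MAC = bytes.fromhex("0200cc000003")
PHONE_MAC = bytes.fromhex("0200aa000001")
OTHER_MAC = bytes.fromhex("0200bb000002")
BROADCAST = b"\xff" * 6
SAMPLE_FRAMES = [
    build_cdp_frame(CDP_MULTICAST, SWITCH_MAC),
    build_cdp_frame(PHONE_MAC, OTHER_MAC),
    build_cdp_frame(BROADCAST, OTHER_MAC),
    PHONE_MAC + OTHER_MAC + b"\x08\x06" + b"\x00" * 28,  # EtherType 0x0806, ignored
]
```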

Thanks Ants
May 21, 2004

Bless You Ants, Blants



Fun Shoe

"Looks like my phone in insecure boss, I'll leave it unplugged until this vuln is fixed"

Pile Of Garbage
May 28, 2007





"Have you tried unplugging it and never plugging it in again?"

Docjowles
Apr 9, 2009



Pile Of Garbage posted:

"Have you tried unplugging it and never plugging it in again?"

This was my solution to the problem of "I have a desk phone"

tortilla_chip
Jun 13, 2007

k-partite

The crazy money Citadel is offering for network engineers is because they're terrible, right?

Sepist
Dec 25, 2005

FUCK BITCHES, ROUTE PACKETS


Gravy Boat 2k

Depends on what you define as terrible. They are demanding and you're always on call, but they have ridiculous pay and even more ridiculous bonuses until the market crashes.

abigserve
Sep 13, 2009

this is a better avatar than what I had before


There's no amount of money you could offer me to be on call again unless there were very clear stipulations about it that are never broken, that is, you can be called in between these hours on these days.

Last time I worked somewhere they had an on-call roster, of course, three out of the four people on the roster weren't equipped to deal with real on-call problems, so effectively the fourth person always ended up being shadow-on-call and when they were rung it was always a drop-everything emergency.

Bob Morales
Aug 18, 2006

I love the succulent taste of cop boots

Two problems:

Number 1: I have the problem of some old HP A5120's acting like hubs, not switches. They are respecting VLAN segregation but they are spewing out every packet for that VLAN on said ports. Config is here, but it feels like there's some kind of deeper issue. Rebooted the switches and updated to the latest firmware. Not all the switches we have do it, maybe only like 2-3? These are in the budget to be replaced but it might not happen until the end of the year.



20MB worth of traffic going to each of those ports...verified with Wireshark. I can see all kinds of traffic between other hosts (but just for that VLAN). Other switches behave as expected and I can't see any traffic other than my own.

Switch that does it vs one that doesn't....total traffic graph for the switch, basically x times 40-ish ports




Number 2: I need a second DHCP scope? I've never done this. We have an older Mitel system and we have 172.27.30.30-254 for DHCP, and we have 224 leases in use. If I add another subnet, x.x.x.31 for example... how do I handle the VLAN end of it? All ports that are setup for voice would be on 30 and 31 then? It sounds like it should be simple.

We have another scope on our wifi gear and one on our Windows servers, but a second scope for just the phones is what I've never done (never been in an environment with > 200 phones)

Bob Morales fucked around with this message at 13:08 on Feb 17, 2020

ragzilla
Sep 9, 2005
don't ask me, i only work here




Bob Morales posted:

Two problems:

Number 1: I have the problem of some old HP A5120's acting like hubs, not switches. They are respecting VLAN segregation but they are spewing out every packet for that VLAN on said ports. Config is here, but it feels like there's some kind of deeper issue. Rebooted the switches and updated to the latest firmware. Not all the switches we have do it, maybe only like 2-3? These are in the budget to be replaced but it might not happen until the end of the year.

What’s the platform MAC limit, and is it possible you’re reaching it? Most platforms will revert to flood mode when the MAC table fills.

Bob Morales
Aug 18, 2006

I love the succulent taste of cop boots

ragzilla posted:

What’s the platform MAC limit, and is it possible you’re reaching it? Most platforms will revert to flood mode when the MAC table fills.

There are ~670 MAC addresses in the table

falz
Jan 29, 2005

01100110 01100001 01101100 01111010


The traffic is unicast, not multicast or broadcast? The purple color on those Observium graphs is a bit different from mine, usually associated with non-unicast.

Cyks
Mar 17, 2008


Bob Morales posted:



Number 2: I need a second DHCP scope? I've never done this. We have an older Mitel system and we have 172.27.30.30-254 for DHCP, and we have 224 leases in use. If I add another subnet, x.x.x.31 for example... how do I handle the VLAN end of it? All ports that are setup for voice would be on 30 and 31 then? It sounds like it should be simple.

We have another scope on our wifi gear and one on our Windows servers, but a second scope for just the phones is what I've never done (never been in an environment with > 200 phones)

I assume you meant having a second voice vlan with 172.27.31.0 /24 scope and yes, that would work. You aren't limited to one voice vlan per device, just a switchport can only be on one voice vlan. Or expand the current DHCP scope if you only need a few more and you don't need 28 statics on that scope.

Bob Morales
Aug 18, 2006

I love the succulent taste of cop boots

falz posted:

The traffic is unicast, not multicast or broadcast? The purple color on those Observium graphs is a bit different from mine, usually associated with non-unicast.

Unicast. Mostly camera traffic from 4-5 hosts.

Bob Morales
Aug 18, 2006

I love the succulent taste of cop boots

Cyks posted:

I assume you meant having a second voice vlan with 172.27.31.0 /24 scope and yes, that would work. You aren't limited to one voice vlan per device, just a switchport can only be on one voice vlan. Or expand the current DHCP scope if you only need a few more and you don't need 28 statics on that scope.

I could only expand the current scope by... ten? And it turns out like 30 machines are getting DHCP from Windows (and aren't on the 30 vlan, they're on the same VLAN as the PC on that particular port...not sure why the hell that's happening)

tortilla_chip
Jun 13, 2007

k-partite

You can likely reuse the vlan and add a secondary IP address.

Partycat
Oct 25, 2004

Life at last
Salutations from the other side


Plaster Town Cop

Bob Morales posted:

Unicast. Mostly camera traffic from 4-5 hosts.

Is it destined to an NLB host or something that isn't replying with its own MAC? That would cause flooding. Is the dst MAC in the table where you'd expect?

Bob Morales
Aug 18, 2006

I love the succulent taste of cop boots

Partycat posted:

Is it destined to an NLB host or something that isn't replying with its own MAC? That would cause flooding. Is the dst MAC in the table where you'd expect?

Yea, the MAC address is in the table for both the src and dst.

https://i.imgur.com/X9tZgLQ.png

Wireshark PC is 172.27.15.185 fwiw

Pile Of Garbage
May 28, 2007





Bob Morales posted:

Two problems:

Number 1: I have the problem of some old HP A5120's acting like hubs, not switches. They are respecting VLAN segregation but they are spewing out every packet for that VLAN on said ports. Config is here, but it feels like there's some kind of deeper issue. Rebooted the switches and updated to the latest firmware. Not all the switches we have do it, maybe only like 2-3? These are in the budget to be replaced but it might not happen until the end of the year.

Why is DHCP configured on this switch at all?

Bob Morales
Aug 18, 2006

I love the succulent taste of cop boots

Pile Of Garbage posted:

Why is DHCP configured on this switch at all?

It's not - the DHCP server is on the phone system (VLAN 30) and the Windows server.

BaseballPCHiker
Jan 16, 2006



This isn't really a bug but I've still found it annoying:
https://bst.cloudapps.cisco.com/bug...894/?rfs=iqvred

After the CDPwn exploit we pushed out new firmware (12.7) to our phones. With the new firmware comes a feature called "lower your voice" where a little cartoon guy pops up shushing the user telling them to pipe down. Info here:
https://www.ciscolive.com/c/dam/r/c...BRKUCC-2050.pdf

As of right now there is no way to globally disable this in Call Manager. Our helpdesk is getting a bunch of calls from loudmouths asking to turn it off.

Partycat
Oct 25, 2004

Life at last
Salutations from the other side


Plaster Town Cop

There are enhancement request cases for this and the call blocking feature to have admin control.

The vulnerability rating is high, but, depending on your environment, you can defer this load for a while - supposedly one that fixes the bugs in 12.7 is due next month, mid month.

Bob Morales
Aug 18, 2006

I love the succulent taste of cop boots

You don't need a L3 switch in each telco closet on every floor of the building, as long as they each run back to your core stack of switches (that are L3), right? L2 switches are like 1/3rd the price and when you're replacing ~20 of them...

Someone here bought 1 HP Aruba 2930 instead of a 2540, and we're not going to be replacing all the others just yet, but want to plan for it.

Filthy Lucre
Feb 27, 2006


It depends on your network design, but no, it's generally not necessary to have a L3 switch on every floor.

Just put the gateway IP on the L3 in your core and use trunk ports up to the floors.

Thanks Ants
May 21, 2004

Bless You Ants, Blants



Fun Shoe

Depends on the type of traffic as well - if I had a second building linked back over a fibre and things like printers, PCs, wireless displays were on different VLANs to each other I'd probably want to handle that routing in place rather than bringing it all back to the core switches. If all your traffic ends up coming from/going to an Internet destination or you have something like ClearPass in place then yeah don't bother complicating things.

less than three
Aug 9, 2007




Fallen Rib

For Workstation traffic we have a stack of distribution switches that are the L3 gateway for the clients between the different L2 closet switches. The dist switches are trunked to the core. It keeps all the Workstation chatter off the core.

Digital_Jesus
Feb 10, 2011



Bob Morales posted:

You don't need a L3 switch in each telco closet on every floor of the building, as long as they each run back to your core stack of switches (that are L3), right? L2 switches are like 1/3rd the price and when you're replacing ~20 of them...

Someone here bought 1 HP Aruba 2930 instead of a 2540, and we're not going to be replacing all the others just yet, but want to plan for it.

IIRC the 2540 do basic L3 now? They just don't do anything more than static routing, methinks. Also depends on your throughput requirements for the floor, do you need failover PSUs, what's your PoE wattage requirements, etc.

Also the 2500s don't do stacking if that's a thing y'all are wanting.

If all you need is basic, low wattage, moderate throughput switching with 10Gb SFP+ uplinks then the 2540s are great. The 2930s are more hardware resilient and have better specs. Source based on requirements.

Thanks Ants
May 21, 2004

Bless You Ants, Blants



Fun Shoe

If I wanted an Aruba L3 switch I'd be looking at the CX models now, I get the impression that the ProVision stuff (29xx, 38xx from the HPE days) isn't going to be what new things are built on.

Bob Morales
Aug 18, 2006

I love the succulent taste of cop boots

Thanks Ants posted:

If I wanted an Aruba L3 switch I'd be looking at the CX models now, I get the impression that the ProVision stuff (29xx, 38xx from the HPE days) isn't going to be what new things are built on.

6300M is twice as much as a 2930F

quote:

WHY CHOOSE ARUBA CX SWITCHES?
• Cloud-native OS: Modern, micro-services architecture for full network programmability and workflow automation

Cyks
Mar 17, 2008


Bob Morales posted:

You don't need a L3 switch in each telco closet on every floor of the building, as long as they each run back to your core stack of switches (that are L3), right? L2 switches are like 1/3rd the price and when you're replacing ~20 of them...

Someone here bought 1 HP Aruba 2930 instead of a 2540, and we're not going to be replacing all the others just yet, but want to plan for it.

Just so you know, if you are planning to replace them with Cisco switches, there is no L2 only license with DNA, which is required for the new 9k Catalysts. (Which will most likely be the model you would buy if you are going new Cisco)

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

We're replacing all our C3560X switches with Meraki MS390. My first dip into the Meraki world outside of wifi.


Thanks Ants
May 21, 2004

Bless You Ants, Blants



Fun Shoe

Bob Morales posted:

6300M is twice as much as a 2930F




Yeah but they're good. Hopefully the AOS-CX stuff rolls down the range a bit into the more affordable boxes, ProVision is showing its age and NetEdit is really good. Also don't compare M and F variants.
