Recent Posts

1
Routing and Switching / Re: Can I SPAN a SPAN?
« Last post by Otanx on Today at 09:23:30 AM »
You can "write" with a normal SPAN on some devices, but it has limitations. It is not the same as being inline, which I am sure Dean knows. On a 6500 you can do "monitor session 1 destination Gi1/1/1 ingress", which sets up the switch to accept inbound packets from the SPAN destination. A common use case is to be able to manage a monitoring device over the same port that is collecting the SPAN. You don't see it too often anymore; most devices will use a separate management interface. However, another use case (and what I think Dean is trying to do) is for injecting data to interrupt communications. As an example: Endpoint A tries to open an HTTP connection to Server 1. My IDS sees the SYN and wants to stop this connection. It can inject a RST to both sides, spoofing the IPs. This will prevent the connection. Another fun one Dean mentioned is DNS hijack. If my device can respond quickly enough, I can beat the real server to responding to the client and get my DNS answer into the cache first. Then all your communication goes to the IP I sent, and not the real server.

It isn't a real replacement to being inline, but there are some nifty security tricks you can do with it.

-Otanx
2
Routing and Switching / Re: Trunking switch
« Last post by ristau5741 on Yesterday at 03:58:21 PM »
post output of show interface gi0/1 trunk on the 2960
and output of show interface fa0/1 trunk on the 3550

would be more helpful than a simple show interface
3
Routing and Switching / Re: Trunking switch
« Last post by fsck on Yesterday at 01:13:47 PM »
Ya, looks like the 2960 doesn't support ISL.  I also confirmed that the VLANs are on both ends.

Both show (notconnect) at the moment because I wouldn't be able to reach the switches if they were connected, to grab the info you asked for.  From what I've read and done in the labs in the past, this should work.

I also saw nothing in the logs on either switch to show the cause of the network dropping or errors.  I swapped cables too just to eliminate a L1 issue.

2960

GigabitEthernet0/1 is down, line protocol is down (notconnect)
  Hardware is Gigabit Ethernet, address is 0023.05f6.8801 (bia 0023.05f6.8801)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, 100Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 10:32:41, output 10:32:41, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     386690 packets input, 28647766 bytes, 0 no buffer
     Received 363207 broadcasts (363191 multicasts)
     0 runts, 0 giants, 0 throttles
     2 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 363191 multicast, 0 pause input
     0 input packets with dribble condition detected
     290931 packets output, 53919609 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out




3550

FastEthernet0/1 is down, line protocol is down (notconnect)
  Hardware is Fast Ethernet, address is 0017.5a61.ed83 (bia 0017.5a61.ed83)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto-speed, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 10:30:40, output 10:30:40, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     290933 packets input, 53921517 bytes, 0 no buffer
     Received 264195 broadcasts (156355 multicasts)
     0 runts, 0 giants, 0 throttles
     1 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 156355 multicast, 0 pause input
     0 input packets with dribble condition detected
     386691 packets output, 28647676 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out
4
Routing and Switching / Re: Trunking switch
« Last post by ristau5741 on Yesterday at 07:30:38 AM »
If you already checked the cable, and if it's an older switch, the 2960 may still support ISL trunking,
can you configure "switchport trunk encapsulation dot1q" on the 2960 port ?
If you can't, the switch doesn't support ISL trunking and wouldn't be the issue
may be just a matter of the encapsulations are incompatible
post output of show interface gi0/1 trunk on the 2960
and output of show interface fa0/1 trunk on the 3550
also a show vlan brief, to make sure all your VLANs exist.
5
Routing and Switching / Trunking switch
« Last post by fsck on Yesterday at 02:39:41 AM »
I need to add a switch to my network to provide connectivity for some cameras.  I am still using older switches right now, but I am having some issues that I'm confused as to why it's happening.

On my 2960 I have the port configured as
interface Gi0/1
switchport trunk native vlan 10
switchport trunk allowed vlan 20, 30, 40
switchport mode trunk
speed 100

On 3550 switch
interface Fa0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport trunk allowed vlan 20,30,40
switchport mode trunk


When I connected the 3550 switch with a crossover cable, I drop the whole network.  I can no longer get out to the Internet or communicate between computers on the network.  The logs just show the interfaces going down.  Why would this happen?  I think that's how the port would be configured; if not, at the simplest form I tried:
switchport trunk encapsulation dot1q
switchport trunk mode
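As an added example (my own code, not from this thread or any of its posters), here is a small Python checker that parses the two trunk-port configurations above and reports the kinds of mismatch the replies ask about: encapsulation, native VLAN, allowed VLAN list, trunk mode, and forced speed/duplex. The two config strings are copied in shape from the post as constructed sample input; the function and finding-key names are my own. It also goes slightly beyond the thread by flagging a native VLAN that is absent from the allowed list, since a native VLAN pruned from the trunk does not carry untagged traffic across it.

```python
import re

# Constructed sample input: the two trunk-port configs from the post, as pasted.
SWITCH_2960 = """\
interface Gi0/1
 switchport trunk native vlan 10
 switchport trunk allowed vlan 20, 30, 40
 switchport mode trunk
 speed 100
"""

SWITCH_3550 = """\
interface Fa0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 20,30,40
 switchport mode trunk
"""


def expand_vlan_list(spec):
    """Expand an IOS allowed-VLAN spec ('20,30,40', '20, 30, 40', '10-12,20') into a set of ints."""
    vlans = set()
    for part in re.split(r"[,\s]+", spec.strip()):
        if not part:
            continue
        if "-" in part:
            low, high = part.split("-", 1)
            vlans.update(range(int(low), int(high) + 1))
        else:
            vlans.add(int(part))
    return vlans


# (regex, field name, converter) for each line we care about in an interface stanza.
FIELDS = [
    (r"interface (\S+)$", "name", str),
    (r"switchport trunk encapsulation (\S+)$", "encapsulation", str),
    (r"switchport trunk native vlan (\d+)$", "native", int),
    (r"switchport trunk allowed vlan (.+)$", "allowed", expand_vlan_list),
    (r"switchport mode (\S+)$", "mode", str),
    (r"speed (\S+)$", "speed", str),
    (r"duplex (\S+)$", "duplex", str),
]


def parse_trunk_port(config):
    """Pull the trunk-relevant settings out of one 'interface' stanza.

    Missing lines fall back to the usual IOS defaults (native VLAN 1, auto
    speed/duplex). A missing encapsulation line is kept as None because its
    default differs by platform, which is exactly what a comparison should surface.
    """
    port = {"name": None, "mode": None, "encapsulation": None,
            "native": 1, "allowed": None, "speed": "auto", "duplex": "auto"}
    for raw in config.splitlines():
        line = raw.strip()
        for pattern, key, convert in FIELDS:
            match = re.match(pattern, line)
            if match:
                port[key] = convert(match.group(1))
                break
    return port


def compare_trunk_ends(a, b):
    """Return (key, message) findings for settings that must agree across a trunk link."""
    findings = []
    for side in (a, b):
        if side["mode"] != "trunk":
            findings.append(("mode", f"{side['name']}: switchport mode is {side['mode']!r}, not trunk"))
    enc_a = a["encapsulation"] or "platform default"
    enc_b = b["encapsulation"] or "platform default"
    if enc_a != enc_b:
        findings.append(("encapsulation",
                         f"encapsulation is {enc_a} on {a['name']} but {enc_b} on {b['name']}; "
                         "set dot1q explicitly on both ends where the CLI allows it"))
    if a["native"] != b["native"]:
        findings.append(("native", f"native VLAN {a['native']} on {a['name']} vs {b['native']} on {b['name']}"))
    if a["allowed"] != b["allowed"]:
        findings.append(("allowed", f"allowed VLANs differ: {sorted(a['allowed'] or [])} vs {sorted(b['allowed'] or [])}"))
    if (a["speed"], a["duplex"]) != (b["speed"], b["duplex"]):
        findings.append(("speed_duplex",
                         f"{a['name']} is {a['speed']}/{a['duplex']} but {b['name']} is {b['speed']}/{b['duplex']}; "
                         "a forced side facing an autonegotiating side can end in a duplex mismatch"))
    for side in (a, b):
        if side["allowed"] is not None and side["native"] not in side["allowed"]:
            findings.append(("native_not_allowed",
                             f"{side['name']}: native VLAN {side['native']} is not in the allowed list, "
                             "so untagged traffic will not cross this trunk"))
    return findings


if __name__ == "__main__":
    for key, message in compare_trunk_ends(parse_trunk_port(SWITCH_2960), parse_trunk_port(SWITCH_3550)):
        print(f"[{key}] {message}")
```

Run against the two stanzas from the post, it reports the encapsulation line present on only one side, the `speed 100` forced on the 2960 against auto on the 3550, and native VLAN 10 missing from the allowed list on both ends; native VLAN, allowed list, and trunk mode already agree. Feed it the `show running-config interface` output from each real end rather than retyped snippets, since a pasted config can hide whitespace differences that the switch never accepted.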
6
Routing and Switching / Re: Can I SPAN a SPAN?
« Last post by deanwebb on February 18, 2018, 07:02:15 PM »
thanks, interesting

but I'm still curious about your original q: if SPAN can't 'write' either, why did you reject RSPAN due to the same limitation?
In this case, because the customer wants monitor plus transmit with the mirror traffic.
7
Routing and Switching / Re: Can I SPAN a SPAN?
« Last post by wintermute000 on February 17, 2018, 06:19:57 PM »
thanks, interesting

but I'm still curious about your original q: if SPAN can't 'write' either, why did you reject RSPAN due to the same limitation?
8
Routing and Switching / Re: IGMP and PIM
« Last post by wish24 on February 17, 2018, 08:51:13 AM »
basically yeah but you normally just turn on pim on the VLAN SVI and that takes care of IGMP as well by default
Thanks

9
Routing and Switching / Re: Can I SPAN a SPAN?
« Last post by deanwebb on February 17, 2018, 08:41:29 AM »
We can also do L3 responses. We got other tools that a former coworker of mine called "spooky magic."

Preferred enforcement for ForeScout CounterACT is to do a post-connect endpoint assessment via information gathered from DHCP packets, switch SNMP traps, info from a connection to the switch CLI. That's all we get for unmanaged devices. If possible, we want an SNMP string to use on company-managed IoT devices and a local admin account and/or a client for desktop computing devices. Those are the managed devices.

Helping out all this is mirror traffic and/or netflow that indicates what else may be on the network that we can track. All that comes together for our information gathering about endpoints. Also NMAP. We do some NMAP, yeah. Best to let us know where not to NMAP so we don't crash sensitive devices...

Enforcement can be done via applying an ACL on the MAC address, ACL on the switchport, a VLAN change for the endpoint - all done from switch communications. If those aren't available, we can also use the mirror response port to do a DNS hijack and/or a HTTP-HTTPS hijack to redirect traffic such that a non-compliant device is directed to a compliance portal. Last ditch effort is the "virtual firewall" that will basically use the mirror response to act like an IPS and kill off specified TCP traffic.

CounterACT can also do full 802.1X, but not all switches are ready to do full 802.1X, hence the other options, above.
10
Routing and Switching / Re: Can I SPAN a SPAN?
« Last post by wintermute000 on February 16, 2018, 09:17:14 PM »
So why are you even talking about the downsides of RSPAN but considering a normal SPAN in the same paragraph when both have the SAME key downside to your requirement?


It seems to me RSPAN/ERSPAN is much easier and better than putting another switch in the middle, in an unconventional configuration to boot.


Out of curiosity what off-path enforcement options do you have? Dot1x? Switch integration? Can you push security policies, ACLs, etc? API driven integration into FWs/FW and WLAN management platforms?



BTW not a direct dig at your product, but L2 inline security appliances are a nightmare from a design, scaling, redundancy and capacity POV, esp in the DC, though much simpler/lower capacity campus situations are not as bad (esp if you can support port-channel, and the customer accepts fail-open)