Recent posts

#41
Routing and Switching / Re: Unusual Issue with SR3120 ...
Last post by CiscoWizard - April 08, 2025, 12:03:27 PM
You've read my mind, my friend. If only management would be so quick to agree to that. They're so apprehensive that nothing will come back up once we connect the new equipment that they're refusing the upgrade. We even have a backup of the Nortel on standby in case the original fails to be reinstalled.
#42
Routing and Switching / Re: Unusual Issue with SR3120 ...
Last post by Otanx - April 08, 2025, 10:19:41 AM
Even 10 years ago that router was old. Considering how old that is I would assume it is just failing slowly. If it is really important then spend some money and replace it.

-Otanx
#43
Security / Re: RADIUS CoA
Last post by Otanx - April 08, 2025, 10:11:35 AM
If you go to that level of detail that is true. The way I handle it is to put a real firewall between clients and servers. Do most of the filtering there. Then the port based ACLs can be permits to IPs, and a deny for all others to block east/west. Usually only 5 or 6 lines at that point. So a remediation ACL would look something like:

10 permit ip any AD_Server
20 permit ip any Patching_Server
30 permit ip any AV_Server
40 permit ip any Web_Proxy
50 deny ip any any

The normal ACL we used was just a deny to the /16 for client networks, and a permit any. That way a workstation couldn't go to another workstation, and then everything else was handled by the firewall. We also had different ACLs for printers that locked them down to just the print server. We didn't do any guest wired normally, but we did have an ACL with just the Web_Proxy for the few times we needed it.

There are a couple downsides. One is no logging on port based ACLs so that blinds you to some things. Also there is no good way for help desk to identify if a system is in quarantine or not without looking at the switch, or RADIUS logs. The IP is the same so that isn't a clue anymore. Same with log correlation in the SIEM. You need to bring in the RADIUS logs to identify host profiles because the source IP is the same for all clients.

-Otanx
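One way to close the SIEM gap described above, as an added example that is not from the thread: correlate RADIUS Access-Accept lines (the MAC in Calling-Station-Id and the Filter-Id pushed as the port ACL) with DHCP leases and firewall events, so each event is tagged with the ACL profile the host actually had at that moment even though its IP never changed. The log layouts and the names Remediation_ACL and Normal_ACL are assumptions; all sample lines are constructed.

```python
import re
from datetime import datetime

# Constructed sample logs (assumed layouts, not from the thread). RADIUS lines carry the MAC and the
# Filter-Id applied as the port ACL; DHCP ties IP to MAC; firewall events only know the source IP.
RADIUS_LOG = """\
2025-04-08 09:55:10 Access-Accept Calling-Station-Id=00-11-22-33-44-55 Filter-Id=Remediation_ACL
2025-04-08 09:56:02 Access-Accept Calling-Station-Id=00-11-22-33-44-66 Filter-Id=Normal_ACL
2025-04-08 10:20:45 Access-Accept Calling-Station-Id=00-11-22-33-44-55 Filter-Id=Normal_ACL
"""
DHCP_LOG = """\
2025-04-08 09:55:12 DHCPACK 10.20.5.31 00-11-22-33-44-55
2025-04-08 09:56:04 DHCPACK 10.20.5.32 00-11-22-33-44-66
"""
FW_LOG = """\
2025-04-08 10:02:11 DENY src=10.20.5.31 dst=10.20.7.9 dport=445
2025-04-08 10:03:30 ALLOW src=10.20.5.32 dst=10.1.1.10 dport=389
2025-04-08 10:25:00 ALLOW src=10.20.5.31 dst=10.1.1.10 dport=389
"""
RADIUS_RE = re.compile(r"^(\S+ \S+) Access-Accept Calling-Station-Id=(\S+) Filter-Id=(\S+)")
DHCP_RE = re.compile(r"^(\S+ \S+) DHCPACK (\S+) (\S+)")
FW_RE = re.compile(r"^(\S+ \S+) (\S+) src=(\S+) ")

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def build_sessions(radius_log):
    """Per MAC, time-ordered (accept_time, filter_id) pairs taken from Access-Accept lines."""
    sessions = {}
    for m in filter(None, map(RADIUS_RE.match, radius_log.splitlines())):
        sessions.setdefault(m.group(2), []).append((ts(m.group(1)), m.group(3)))
    return {mac: sorted(v) for mac, v in sessions.items()}

def ip_to_mac(dhcp_log):
    return {m.group(2): m.group(3) for m in map(DHCP_RE.match, dhcp_log.splitlines()) if m}

def profile_at(sessions, mac, when):
    """ACL profile the switch had applied to this MAC at `when`: the latest accept not after it."""
    current = None
    for accept_time, filter_id in sessions.get(mac, []):
        if accept_time <= when:
            current = filter_id
    return current

def enrich(fw_log, radius_log, dhcp_log):
    """Tag each firewall event as (action, src_ip, mac, profile); unknown hosts get None."""
    sessions, leases = build_sessions(radius_log), ip_to_mac(dhcp_log)
    out = []
    for m in filter(None, map(FW_RE.match, fw_log.splitlines())):
        mac = leases.get(m.group(3))
        out.append((m.group(2), m.group(3), mac, profile_at(sessions, mac, ts(m.group(1)))))
    return out
```

The first DENY from 10.20.5.31 is tagged Remediation_ACL while the later ALLOW from the same IP is tagged Normal_ACL, which is exactly the distinction the IP alone can no longer give you.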

#44
Routing and Switching / Unusual Issue with SR3120 Nort...
Last post by CiscoWizard - April 08, 2025, 07:09:55 AM
We are having an issue with our Nortel 3120 routers as of late. This wasn't something that happened back when I first started, which was over ten years ago. Lately, this issue happens frequently. What happens is, something prevents us from accessing our equipment remotely (with telnet or SSH) or through the console port. The only thing that clears this issue is doing a full reboot of the router. This normally isn't that big of a deal, but the system being controlled through this router is exceedingly important, so having to reboot it is always met with a long list of questions from upper management. They're not always easily willing to accept our solution.

What would cause this issue? Someone else I work with keeps mentioning a memory issue that eventually maxes out, but as I said earlier, this wasn't happening ten years ago. Is there a command or configuration that needs to be changed, or maybe a command that can be used to clear the memory buffers if that is indeed the issue? Below are the results of the "show version" command:

3120_West > show version
HW Assembly REV:                     A
PCB Assembly REV:                    A
MB FPGA Revision Number:             0x11
BOOT Device:                         FLASH
Downloadable FLASH Bootcode Version: r9.2
Physical EPROM Bootcode Version:     r9.1_062706
Software Version:                    r9.3.3
#45
Security / Re: RADIUS CoA
Last post by deanwebb - April 07, 2025, 06:03:22 PM
^indeed. But once the ACL has to be open for all the AD servers or something like that, it takes off and becomes something like 1800 lines for all the ports and IP addresses. This can lead to partial ACL application if things time out. Whereas "VLAN 911" - it's done in just the one line, less chance of a timeout issue.
#46
Security / Re: RADIUS CoA
Last post by Otanx - April 07, 2025, 10:11:51 AM
This is why I propose port based ACLs instead of VLAN changes when doing 802.1x. Too many variables to handle to make the VLAN change work.

-Otanx
#47
Security / Re: RADIUS CoA
Last post by deanwebb - April 05, 2025, 06:35:04 PM
Yes, and most Windows won't notice the change without an agent. This is why agentless solutions have to hard-bounce the port to get the device to request a new IP address. Any dot1x solution works so much better with agents that replace the Windows supplicant.

I have evil things to say about Windows supplicants, if you would like to hear them...
#48
Security / Re: RADIUS CoA
Last post by config t - April 03, 2025, 12:04:46 PM
To answer my own question:

It depends on the equipment string. In this case a voip handset in-line with the PC was causing a failure to detect the network change so it wouldn't initiate DHCP. The answer for this scenario was installing the NAC agent.
#49
Security / RADIUS CoA
Last post by config t - April 03, 2025, 11:29:47 AM
When I impose a RADIUS CoA on a Windows box to maneuver it to an isolation VLAN should it detect the network change and DORA automatically? It seems as if it is failing to initiate DHCP unless the port is bounced.
#50
Forum Lobby / Re: Almost Famous
Last post by deanwebb - March 12, 2025, 03:51:39 PM
The more you do post-incident, the better your prep for the next one in terms of minimizing impact.