Domain: cisco.com
Stories and comments across the archive that link to cisco.com.
Comments · 1,300
-
Re:IPv6
Why would that be different than with IPv4? Prefix aggregation, AKA route summary, AKA Supernetting, has been available for a very long time. Unless IPv6 addresses are being handed out in a way that's much more conducive to this, it won't really change anything. This guy agrees (#4)
He is kinda correct, but the RIRs have come up with addressing plans to deal with this.
My info comes from the RIPE region, as it's the region I'm in.
Every ISP gets assigned a /29 minimum. This is 2^35 networks (assuming you are using a /64 per network as recommended). If you prove you need more than a /29, fine, you can have it.
The next 3 bits are then reserved for future use. You use up your initial /29? Fine, increase your subnet mask to /28 and carry on. This doubles your address space. Carry on until you are at a /26. That is a LOT of room for growth.
In the IPv4 world this isn't possible. You get your allocation. You run out. You get another etc. Verizon are currently announcing 1,446 IPv4 prefixes from AS701, compared to the 12 IPv6 prefixes. Of the 12 IPv6 prefixes 5 of them are the one prefix they have deaggregated, the rest are customers with PI space.
You have a point about the near term, but long term once IPv4 has died a death (10+ years) the routing table will shrink again.
-
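The allocation arithmetic above, worked through with Python's ipaddress module as an added example (not part of the original comment): a /29 with three reserved bits, the number of /64 end-site networks it holds, and how many routes end up announced when an IPv6 allocation grows in place versus when an IPv4 ISP collects separate, non-contiguous blocks. The prefixes are documentation ranges chosen here, not any ISP's real allocation, and the function names are this example's own.

```python
import ipaddress

# Constructed allocations using documentation prefixes; not any ISP's real assignment.
V6_INITIAL = ipaddress.ip_network("2001:db8::/29")   # RIPE-style minimum ISP allocation
RESERVED_BITS = 3                                    # /29 -> /28 -> /27 -> /26 held back for growth
V4_ALLOCATIONS = [                                   # three separate, non-adjacent IPv4 blocks
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]
V4_ADJACENT = [                                      # two halves of one /24: these do summarize
    ipaddress.ip_network("192.0.2.0/25"),
    ipaddress.ip_network("192.0.2.128/25"),
]


def end_site_networks(alloc, site_prefixlen=64):
    """Number of end-site networks (one /64 each by default) an allocation can carve out."""
    return 2 ** (site_prefixlen - alloc.prefixlen)


def growth_path(alloc, reserved_bits):
    """Enclosing prefixes the ISP can expand into by shortening its mask one bit at a time.

    Each step is the supernet of the previous one, so the original allocation is always
    inside the grown block and a single announcement still covers everything."""
    path = [alloc]
    for _ in range(reserved_bits):
        path.append(path[-1].supernet(prefixlen_diff=1))
    return path


def routes_announced(prefixes):
    """Prefixes left after aggregating everything that can be summarized (same family only)."""
    return list(ipaddress.collapse_addresses(prefixes))


if __name__ == "__main__":
    print("/64s in a /29:", end_site_networks(V6_INITIAL))
    print("growth path:", [str(n) for n in growth_path(V6_INITIAL, RESERVED_BITS)])
    print("IPv4 routes for 3 scattered /24s:", len(routes_announced(V4_ALLOCATIONS)))
    print("IPv4 routes for 2 adjacent /25s:", len(routes_announced(V4_ADJACENT)))
    print("IPv6 routes after growing /29 to /26:",
          len(routes_announced(growth_path(V6_INITIAL, RESERVED_BITS))))
```

The IPv4 summarization works only when the blocks happen to be adjacent and aligned, which is exactly what separate allocations over time do not give you; the reserved bits make the IPv6 case aggregate by construction.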
Re:IPv6
Why would that be different than with IPv4? Prefix aggregation, AKA route summary, AKA Supernetting, has been available for a very long time. Unless IPv6 addresses are being handed out in a way that's much more conducive to this, it won't really change anything. This guy agrees (#4)
Further, since IPv6 is a longer address, fewer can be stored. Per Cisco, the Catalyst 6500 can handle 1M IPv4 addresses, OR 512K IPv6 addresses (but not both simultaneously)
(Yes, I know the Catalyst is a switch, not a router, and the summary is bollocks for confusing the two. It was, however, the first mention of it I found)
-
More info?
Without knowing your interests or area of expertise, there are some big ones like:
Spiceworld
Various Microsoft conferences: Exchange, SharePoint, TechEd
Some Cisco stuff
And Probably a whole host of others. Choose a vendor/specialty and search for their conferences. -
Nice graphics at Cisco
Cisco has nice graphics of IPv6 deployment in the world. It's based on the same measurements but presented with nice graphs instead of a boring table of numbers. Look up your own country at http://6lab.cisco.com/stats/in... .
-
Re:Makes Perfect Sense
If someone plugs in a router with a spoofed MAC of an allowed device for that port, you'd never know.
Most routers support MAC spoofing in order to forward the MAC of your main PC to the cable / DSL modem. Many ISPs will block a new MAC for a period of time or until you call up and tell them. If you require authentication on a wired port, they could set that up as well.
The only way to prevent a MITM attack is to physically secure the network wiring or centrally manage per-device encryption keys/certificates. And I know you're not doing that. And if you want to claim that you are, I also know you're not doing it for your printers and other devices.
For wireless, if someone plugs in a wireless router you might be able to detect it if you have antennas in range, but you can't stop it.
The air marshal shit Meraki does is completely illegal. You can't jam wifi, which is all Meraki does for "containment". They even fucking admit that it's illegal to use it in their documentation.
From https://meraki.cisco.com/lib/p... , page 8: "As containment renders any standard 802.11 network completely ineffective, containment measures should be taken in your airspace. Extreme caution should be taken to ensure that containment is not being performed on a legitimate network nearby and action should only be taken as a last resort. Unauthorized containment is prosecutable by law (subject to the FCC's Communications Act of 1934, Section 333, 'Willful or Malicious Interference')."
http://transition.fcc.gov/Repo...
Beyond the legality, it doesn't even work in a manner that could be called secure. It creates bubbles of noise where NO wifi works (hello DoS). It becomes a loudness war and the rogue AP will always have a bubble of effective range where it will win out. If you have two Meraki networks near each other, they often get into wars, shutting each other down where their edges meet.
VLANs have nothing to do with wireless security. Segregating your networks with a VLAN is pointless - all the devices that are wireless APs also include routing functions. Use them. VLANs are meant for logically extending a network that is physically separate, not for logically separating a network that is physically connected.
-
Re:iOS Management Tools for non-macs
Have you tried actually routing mDNS? Those tools work just fine across subnets, as they are direct IP - it's just an AFP share for Time Machine and a standard CUPS print server. What it sounds like isn't working is Bonjour service discovery (mDNS), which uses multicast.
-
When NOBODY else will
When they're RIGHT too: How did I know that? This http://yro.slashdot.org/commen... since I had every single one of the bogus domains they seized LONG IN ADVANCE before they did what they did (to proof myself vs. such machinations, along with anyone else that used my program to do the same - PLUS to get more speed, reliability, & even anonymity as well as security too (vs. fastflux + dynamic DNS utilizing botnets)).
*
:)(My program does so, FAR more efficiently than the "so-called 'competition'" that's 'SOULED-OUT' & INFERIOR since they don't do a FRACTION of what hosts can @ faster levels of operation, in kernelmode, vs. slower messagepassing, memory overuse + CPU hogging usermode layering over already slower browsers, in addons (ala "Almost ALL Ads Blocked" - whose author wrote me by email stating "hosts are a shitty solution" & when I confronted him to PROVE that adblock could do more + more efficiently? HE OUTRIGHT RAN!)).
APK
P.S.=> From 1 of my 12 sources in the security community the complete NO-IP list was here July 2nd 2014 from one of my sources in fact -> http://yro.slashdot.org/commen... & MS' only "mistake" was underestimating the amount of traffic they were routing thru their servers, but they were FAR from "wrong" on the fact that NO-IP gets abused all to hell proven here http://blogs.cisco.com/securit... AND HERE http://labs.opendns.com/2013/0...
...... apk
-
Re:No-ip isn't shady
I think No-ip sound very shady...
April 2013: the OpenDNS blog reported that no-ip was the second most popular dynamic-DNS site for malicious software. http://labs.opendns.com/2013/0... -- No-IP responded that they have a very strict abuse "policy", and they want other people to help by reporting violations of the TOS to them. They also scan daily and filter by keyword. http://labs.opendns.com/2013/0...
February 2014, the Cisco blog reported that no-ip had risen to be the worst offender: http://blogs.cisco.com/securit... -- No-ip again responded that they have a strict abuse policy, and they want other people to report violations of the TOS to them, and they scan daily and filter by keyword. http://www.noip.com/blog/2014/...
Were no-ip doing a good enough job at policing themselves? It doesn't sound like it to me, not at all. It sounds like they have a decent "policy" but don't go out of their way to enforce it, their daily manual scans aren't up to what's needed, their keyword filters are easily bypassed. They can sound hurt all they want that OpenDNS and Cisco and Microsoft wrote public blogs or took action rather than reporting the individual offenders to No-IP first. But the fact that No-IP does so badly, and got worse, shows they weren't taking adequate action themselves.
You say they're "very responsive" to reports of abuse. But honestly, if their strategy for combating abuse rests SO HEAVILY upon volunteers to report abuse, and their strategy hasn't been working so far, then they have a bad business model.
Disclaimer: I work at Microsoft, but in an entirely unrelated division (I'm on the VB/C# compiler team).
-
Not to be confused with...
-
Re:It appears that I have to remind you ...
Routers already have dedicated circuitry and chips for routing. For example:
http://www.cisco.com/c/en/us/p...
They are not now nor will they then be generic computers. Things happen way too fast for a generic CPU.
-
Re:Somewhere in my mind...
According to the CW article, Cisco didn't mention NN at all. Grant Gross, the IDG journo, made that connection himself. Cisco don't use the term "net neutrality" at all in their press release
Shoddy journalism to blame for this, I'm afraid.
-
Re:Encryption
Annual global IP traffic will pass the zettabyte threshold by the end of 2015
...So, at the end of 2015 it'll take ~17432 hardware AES engines just to decrypt the traffic*, ignore all the possible overhead of hashing, public/private key computation, etc. So, perhaps you're right on that front. Realistically, I don't see them actually managing anything close to 2GB/s sustained as once you start including any actual storage for that sort of data, the I/O delays are so substantial.
*This benchmark implies closer to 6GB/s in software/hardware, but it's hard to know from a benchmark how the real world results would be given how many times sha hashing or other steps might need to be taken. In fact the results imply that the first step would be to involve much more hashing into the protocol (with several iterations, several recomputation steps midstream, etc). That's one reason I included the caveat of scaling the problem to counter Murphy's Law, as a protocol with a static iteration count that used an "efficient" amount of CPU time for a 1994 computer * the world population's traffic is much less of an insurmountable obstacle today. If the protocol encouraged scaling the problem up, then at least the problem could be made several hundred times harder to crack, although I'll admit that eventually the new protocol would be done in hardware and eliminate most/all the gains. It's more of a rat race than a final solution.
:/
-
Re:IPv6 needed
I doubt Turkey or anyone for that matter can block all of the IPv6 address all the time. The block file would be huge if it was to be done.
I think you are unfamiliar with something called summary routes. https://learningnetwork.cisco....
-
Apache bug?
From the comments on the announce page, since (almost) nobody will go over there.
The first site on compromise_1.txt seems to be running “Apache/2.2.26 (FreeBSD) DAV/2 mod_ssl/2.2.26 OpenSSL/0.9.8y”, which does not quite sound like it’d be running Linux at all. As others have already pointed out, I would not blame this on a Linux kernel bug yet.
So, it looks like the "old 2.6.x kernel releases" was really just a signal for "old nonupdated code".
BTW: for those who bitch about "well the 2.6 line was patched and maintained all the way to 2011" they do have a line where they imply the 2.6 kernels are early kernels, not the latter 2.6.20 whatever ones, but it's not a well written article and is easy to miss.
-
Re:The real truth?
I expected better from a 4 digit UID.
"hardware doesn't support ipv6" - Sure, and it's all being steadily replaced. As everybody replaces their stuff on the normal cycle, the new stuff supports v6. 5 years later, everything supports it - starting at the backbone, moving to the ISP core, then the individual gateways. Case in point - Comcast, Time Warner, Verizon, ATT, etc. Not sure what you mean by "expensive hardware that ISPs have in their data centers" because the big ISPs don't seem to have any trouble with it. Perhaps you mean some shitty ISP nobody's heard of (got any names?) that went out of their way to *not* buy all the v6-compatible gear? Or perhaps they're running 8 year old equipment, even though bandwidth requirements have gone through the roof since then. Well, either way, yeah occasionally upgrading your shit is part of being an ISP.
"virtually all wireless network hardware sold today" - You mean like Aruba and Cisco? Fun fact - my university uses Aruba gear for WLAN and they flipped on native v6 quite successfully. In 2010. Or perhaps you mean consumer gear, like my shitty Arris gateway from the cable company that requested a v6 prefix when I plugged it in and has been happily advertising it to all my machines? And "machines" includes my cellphone, Smart TV, and fucking Blu-Ray player!
"cost the ISPs time and money and aggravation to support" - You'll have to do better than that. IPv6 brokenness is a non-issue, and most of the negligible fraction of people who have a problem are having a problem due to ISP misconfiguration - a support non-issue if the ISP is configured properly. In fact, when the support guys realized that widespread v6 support would essentially eliminate all their "how do I forward a port" support calls, I bet they had to change their pants. If by "support" you mean "configure this shit they bought over the last 5 years"... well, that's known as a "job".
Normally I'd expect a bullshit post full of ad hominems to be some sort of astroturf but all the ISPs are already fucking doing this so they have no reason to troll forums. So I don't know what your deal is. Maybe you get a jolly from shitting on v6. That's fine, go nuts. We'll all be over here using it happily, spinning up v6-only services in a few years, and leaving you in the dust.
-
Cisco's Meraki Systems Manager
This service provided by Cisco seems to be a viable, free alternative:
https://meraki.cisco.com/products/systems-manager
Shame about LogMeIn though; it made troubleshooting my parents' various computer woes over the years a lot easier.
-
Re:another day
Khasim is profoundly wrong about several things, but a lot more than "ISPs and Telcos" run BGP. The entire concept of multihoming is based around announcing your netblock(s) to multiple carriers via BGP. This provides the broader internet with two AS_PATHs to you.
This is true, but most of the time if you're not an ISP or telco yourself, you're going to have to detail your IP scope ownership in your Contract agreement with them, and they'll only whitelist those routes. Anything else you attempt to announce simply won't be accepted into their own BGP tables.
However, on your own side of things, you're probably going to just accept any and all routes the BGP neighbor with your ISP announces to you.
The problem is when you're an actual ISP, especially if you're in the transit/peering business, the route tables get to hundreds of thousands of route entries. And while you can try to verify the ones being announced directly to you by the owner of the IP scopes, trying to verify the ones your peers are re-advertising can be impossible... or at least functionally unworkable.
This is the largest and most fundamental weakness in "the Internet". You end up having to Trust your peers, who in turn trust theirs, who in turn trust theirs, etc. all the way back to the source (or within a hop or two anyhow). Because there's no system currently set up to determine if the route you're being presented is really valid or not. And nobody wants to spend the time and effort manually verifying each and every route entry, and in turn verifying that the next guy has properly verified them.
-
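The contract-based whitelisting described in this thread (a provider accepting from a customer session only the prefixes that customer has documented ownership of, at a sane prefix length, with an AS_PATH that starts with the customer), as an added example in Python rather than anything from the comments. The customer table, ASNs and announcements are constructed with documentation prefixes and private ASNs, and `evaluate_customer_route` / `filter_updates` are this example's own names.

```python
import ipaddress
from dataclasses import dataclass

# Constructed "contract" table: what each customer AS has documented it owns. Documentation
# prefixes and private ASNs only; none of this is a real customer or real routing data.
CONTRACTED = {
    64496: [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("2001:db8:1::/48")],
    64497: [ipaddress.ip_network("198.51.100.0/24")],
}
MAX_PREFIXLEN = {4: 24, 6: 48}   # longest prefix accepted from a customer, per address family


@dataclass(frozen=True)
class Announcement:
    peer_as: int      # the customer session the UPDATE arrived on
    prefix: str
    as_path: tuple    # nearest AS first, origin AS last


def evaluate_customer_route(ann):
    """Return ("accept" | "reject", reason) for a route learned on a customer session."""
    try:
        net = ipaddress.ip_network(ann.prefix)
    except ValueError as exc:
        return "reject", f"malformed prefix: {exc}"
    # The first AS in the path must be the peer we learned it from, or the session is relaying
    # something it should not (or is being spoofed).
    if not ann.as_path or ann.as_path[0] != ann.peer_as:
        return "reject", "AS_PATH does not start with the customer's AS"
    # Refuse deaggregation beyond what the contract allows, whatever the prefix.
    if net.prefixlen > MAX_PREFIXLEN[net.version]:
        return "reject", f"more specific than /{MAX_PREFIXLEN[net.version]}"
    # Finally the whitelist itself: the prefix must sit inside something this customer owns.
    owned = CONTRACTED.get(ann.peer_as, [])
    if not any(o.version == net.version and net.subnet_of(o) for o in owned):
        return "reject", "prefix outside the space contracted to this customer"
    return "accept", "within contracted space"


def filter_updates(announcements):
    """Apply the policy to a batch of UPDATEs; returns (prefix, verdict, reason) per route."""
    return [(a.prefix, *evaluate_customer_route(a)) for a in announcements]


# Constructed sample session input (not captured traffic).
SAMPLE_UPDATES = [
    Announcement(64496, "203.0.113.0/24", (64496,)),          # theirs, exact block
    Announcement(64496, "192.0.2.0/24", (64496,)),            # not in their contract
    Announcement(64496, "203.0.113.0/25", (64496,)),          # theirs, but deaggregated
    Announcement(64497, "198.51.100.0/24", (64500, 64497)),   # path does not start with peer
    Announcement(64496, "2001:db8:1::/48", (64496, 64510)),   # their v6 block via a downstream
]

if __name__ == "__main__":
    for prefix, verdict, reason in filter_updates(SAMPLE_UPDATES):
        print(f"{prefix:20} {verdict:7} {reason}")
```

This only works on the customer edge, which is the comment's point: on a transit or peering session the table of who may announce what is not yours to build, so the same filter cannot be written for routes your peers re-advertise.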
Protecting Border Gateway Protocol
"Administrators must understand many important aspects of BGP as a protocol to assess where it may be susceptible to various forms of attack and where it must be protected ... administrators must mitigate the risk and potential impact of associated exploit attempts" link
"This document introduces the Border Gateway Protocol (BGP), explains its importance to ... and provides a set of best practices that can help in protecting BGP." link
-
Re:How do we know that Cisco, etc, has back-doors?
-
Re:The truth gets out...
It's not as conspiracy-theory cool as magical backdoors implanted in every piece of hardware, but this is how the NSA actually breaks into systems... they do it the same way everyone else does, just on a much larger scale and with even less fear of legal repercussions than the cyber criminals.
Oh really? I don't see "everyone else" spending millions to deliberately subvert encryption standards, either.
And since the CAs have been co-opted, SSL is laughable. Try Steve Gibson's cert "fingerprint" service and see for yourself. I tried it, and he gets a different cert for www.google.co.nz than I do. Is it the NSA? Who knows, but someone is up in my business >:-(
-
Re:Passive monitoring is all that is necessary
SPAN port is the Cisco name for port mirroring.
see
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml
-
Re:yeah, right
I have seen no discussions concerning the hardware and software architecture that is needed for a system supposedly capable of trapping and analyzing all the internet traffic as well as every email and tweet that crosses the wire.
Really? Google "lawful interception". Cisco et al have been including these capabilities in the their equipment since at least 2005.
-
Re:Stupid
There are so many things wrong with what you've described. First of all, let's start with the big one. I never said that you wait until the link is saturated before you implement a queuing policy. I said the FIFO buffers are empty except when the line is saturated. Now, sit down and think about what I said, and then what you said, and come back when you realize just how silly your whole message was.
In the meantime, here is a nice image for you if you need help visualizing it: http://www.cisco.com/en/US/i/000001-100000/15001-20000/16501-17000/16756.jpg
Now think what happens when the tx queue & buffer are empty because you are transmitting slower than the line rate. At that point, *ALL* QoS queues are empty. Now, it makes absolutely no difference what QoS queue you toss the next packet into, it will immediately be removed and put into the tx queue, and then immediately pulled into the hardware tx buffers. High priority, low priority, low latency, high throughput, they all work exactly the same. The first one in gets transmitted immediately.
Now, on a microscale, you can consider the line saturated for until that packet has been completely transmitted, although I was referring to the tx queue being full, not necessarily a single packet.
As for your 50Mbps link over a 1gig line, the same thing applies, just that now you are working on a virtual 50Mbps link, and the same saturation issues apply, but now it's only a virtual issue rather than a hardware one. No difference at all, and the fact that you even tried to make the issue more complicated by tossing on yet another layer of uselessness typically means you don't know what you are talking about and just trying to complicate things so you don't have to explain you didn't understand the issue in the first place.
Unfortunately, there are a lot of bad network engineers out there, and I just met another one.
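A small strict-priority scheduler simulation, added here as an example rather than taken from the comment, to make the argument concrete: with an idle transmitter every class sees zero queueing delay whatever queue a packet is dropped into, and only a burst that saturates the line makes the priority ordering visible (and shows what plain FIFO would have done to the same burst). Link rate, packet size and arrival pattern are constructed; `simulate`, `light_load`, `burst`, `as_fifo` and `wait_by_class` are this example's names.

```python
from collections import defaultdict

# Constructed traffic, not measurements from a real link.
# A packet is (arrival_ns, size_bytes, cls); class 0 is high priority, class 1 best effort.
LINE_RATE = 100_000_000                                # 100 Mbit/s transmit line
PKT = 1500                                             # bytes per packet
PKT_NS = PKT * 8 * 1_000_000_000 // LINE_RATE          # serialization time: 120_000 ns


def simulate(packets, line_rate_bps):
    """Non-preemptive, work-conserving strict-priority scheduler in front of one tx line.

    Returns the queueing delay in ns of each packet, indexed like `packets`. Whenever the
    line is free and anything is queued, the head of the highest-priority non-empty queue
    goes out at once, so nothing waits unless the line is busy."""
    order = sorted(range(len(packets)), key=lambda i: packets[i][0])   # stable by arrival
    queues = defaultdict(list)     # cls -> FIFO of packet indices
    waits = [None] * len(packets)
    line_free_at = 0               # ns at which the transmitter finishes its current packet
    nxt = 0                        # next packet (in arrival order) not yet enqueued
    while nxt < len(order) or any(queues.values()):
        if not any(queues.values()):
            # idle line, empty queues: nothing happens until the next arrival
            line_free_at = max(line_free_at, packets[order[nxt]][0])
        # everything that arrived while the line was busy is now sitting in a queue
        while nxt < len(order) and packets[order[nxt]][0] <= line_free_at:
            i = order[nxt]
            queues[packets[i][2]].append(i)
            nxt += 1
        cls = min(c for c, q in queues.items() if q)
        i = queues[cls].pop(0)
        arrival, size, _ = packets[i]
        waits[i] = line_free_at - arrival
        line_free_at += size * 8 * 1_000_000_000 // line_rate_bps
    return waits


def light_load():
    """One packet per millisecond, classes alternating: line ~12% busy, never saturated."""
    return [(i * 1_000_000, PKT, i % 2) for i in range(10)]


def burst():
    """Ten packets at t=0, the five best-effort ones listed first: the line is saturated."""
    return [(0, PKT, 1)] * 5 + [(0, PKT, 0)] * 5


def as_fifo(packets):
    """Same traffic with every packet in one class, i.e. a single FIFO queue."""
    return [(a, s, 0) for a, s, _ in packets]


def wait_by_class(packets, waits):
    out = defaultdict(list)
    for (_, _, cls), w in zip(packets, waits):
        out[cls].append(w)
    return dict(out)


if __name__ == "__main__":
    print("light load:", wait_by_class(light_load(), simulate(light_load(), LINE_RATE)))
    print("burst, priority:", wait_by_class(burst(), simulate(burst(), LINE_RATE)))
    print("burst, fifo:", simulate(as_fifo(burst()), LINE_RATE))
```

Under light load the dictionary printed for both classes is all zeros; in the burst the high-priority packets wait at most four serialization times while the best-effort ones wait five or more, and in the FIFO run the sixth packet (which was high priority) waits the full five.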
-
Re:and that's why
It's not because one uses iptables instead of route to do NAT on linux that commercial routers don't do NAT.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml
-
Re:dangerously communistic
There was a failed attempt to put a link to this page into that post.
-
Re:I love when layers...
Cisco does own it. You are wrong.
http://blogs.cisco.com/news/cisco_and_apple_agreement_on_ios_trademark/
-
Here's my cheap and bullet proof setup
I use my cable company's cable modem that has 802.11 N, Sophos UTM (free and on a low end AMD mid tower that cost about $200), and Cisco SMB switches that come with a lifetime warranty. Granted, this places wireless outside my firewall and IDS but that's OK because I have multiple ways to work around any issues that may arise. For example, I can remote print to my printers via Google, HP or via dynamic DNS (through a VPN). Here's the URLs: Sophos UTM: http://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx Cisco SMB Switches with lifetime warranty: http://www.cisco.com/cisco/web/solutions/small_business/products/routers_switches/100_series_switches/index.html
-
Re:Can we finally replace Cisco now?
Cisco just opened up EIGRP if you haven't heard. Maybe Cisco isn't so bad. It is not Cisco's fault that there are incompetent people with credentials. It happens in every field. Cisco does make some good products. From my experience the Cisco 6500 series devices last for eons. I know I probably sound like a fan boy. I agree that creating proprietary protocols is harmful to the industry and customers. I may be wrong and a bit idealistic, but I think that companies that make good products can make money even if they don't lock in the customer.
-
Re:The front door
I know that cisco has facilities for wiretapping built into their routers; I used to work at cisco, on IOS. There were bits of the code that were there to allow law enforcement to control and wiretap flows without the knowledge of root level users (ie, sysadmins). It is documented in the cisco user manuals as 'lawful intercept'. Feel free to look at the user docs.
Unfortunately, knowing how to get the flows doesn't help when the ends are encrypted, unless you have access to the one time pads, or the bad guys are silly enough to depend on NP hard encryption.
-
Buy a real switch....
Use 802.1x authentication on the switch ports and you can control access anyway you want.
http://www.juniper.net/us/en/local/pdf/whitepapers/2000216-en.pdf
http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/Sw8021x.html
-
Re:And the root cause is...
Theoretically, you could lose some business in the future if you don't support ipv6 and the customer doesn't have access to a 6to4 tunnel.
6to4 is an Internet transition mechanism for migrating from IPv4 to IPv6, a system that allows IPv6 packets to be transmitted over an IPv4 network (generally the IPv4 Internet) without the need to configure explicit tunnels.
Why would the customer need *that* if they are on native IPv6? They need address family translation services - such as "NAT64 technology provided by Cisco® ASR 1000 Series Aggregation Services Routers." Those have to be provided, one way or another, by ISPs, otherwise an IPv6 connection is useless. Most valuable Internet resources are IPv4 now, and will stay that way for a while. Perhaps Internet-facing HTTP servers are the easiest to migrate, but if that involves the back-end code and servers then contractors and consultants will be having a field day, just like around the year 2000. Lots of that code is out of maintenance, and people who wrote it have moved on already. Consultants would have to figure out what has to be upgraded, and in what order. For example, if the code uses an IP address of the client as a value in calculations, that will have an immediate impact. If the requests are handled on a separate, internal server, that one can stay IPv4 a bit longer. All in all, it's a huge effort. Most businesses will decide to keep existing services IPv4 forever, until they are replaced by new services.
-
The question is about relevance of PDH/ISDN
Like someone else commented, the poster uses terms "Copper" and "ISDN" interchangeably. However, with the inclusion of terms like T1/T3, it's clearly about "what can an old telco-guy do in this newfangled IP-based world with 15 years before retirement". Copper here is a misnomer, a lot of stuff can happen over copper (DSLs being the most obvious example).
I have some familiarity in just how dead the technology is. We have a big customer who just placed a big order for Cisco's PVDM digital modems. Why "big", if the tech is dying? Well, that stuff is going to end-of-sale after this summer and they have lot of legacy systems around the globe that dial in (machine-to-machine stuff, and not easily upgradeable everywhere at once). They are moving to IP-based systems but cannot really do that fast enough. Anyway, one of the biggest vendors of network equipment just decided that they aren't going to sell modems that can talk directly to E1/T1 line (analog 2-port models are still in the selection though). I don't know that anyone else is selling such stuff either (Alcatel maybe?). That technology had its day, but it's long gone.
There might of course be places where, due to signaling constraints, you need to run a E1/T1, but it doesn't really use any of the features. You just run PPP over that link and be done with it - no one cares about the intricacies of Q.931 framing or setting up calls for such links. Even in telephony, it will continue to have some uses, for example many PBX systems still only provide E1/T1 uplink - even if it's going to be used just to connect a couple of feet to the SIP gateway right at the next rack.
Frankly, your father has two choices: Either
a) Get entrenched into some niche that really can keep on going with ISDN-based technologies for the next 15 years - you know, maintain job security by being the "only one left who understands this piece of legacy junk that we cannot migrate away from fast". Frankly, I find such positions hard to imagine - sure, maybe if he was retiring in this decade, it could work, but hardly in the 2020's.
or
b) Join the IP world. Frankly, I would think that with a reasonable effort he could still become an expert in VoIP - you still need skills like provisioning (for QoS), codecs (even the G.711a/mu-law is relevant), and so on. Lot of the concepts in SIP are still based on the good old stuff from telco days. You just need to wrap your head around the concept that instead of TDM sending each frame at exactly right intervals, you get packets that might occasionally get lost or routed wrongly or arrive out-of-order... And frankly, you also don't need to care anymore about stuff like SPIDs or TEIs. Which I would think of as a relief.
-
Re:Set up VLANs
Just a bit more info / helpful "attacks" paper by cisco.
Note that the two VLAN-specific attacks they mentioned both indicate that they require either explicit trunking or DTP auto.
-
Re:Set up VLANs
You seem to be misunderstanding what VLAN1 vs tagging vs trunking are.
On Cisco hardware, VLAN 1 is a security risk because it is the management VLAN; any clients on there can SSH or telnet to your switch (if an IP has been set) and attempt to log in. It does not allow tagged traffic to traverse the switch any differently than on any other VLAN.
I did a bit of research to see what you were referring to with native VLAN tagging, and came across this helpful refresher:
https://learningnetwork.cisco.com/thread/8721
Basically, on trunk ports only, untagged traffic is assumed to be on the native VLAN. The tagging / non-tagging can only occur on a trunk port, and can NOT "span" a VLAN-- even if your PC is set up with trunking software and you are on a trunk port, your traffic will technically "originate" on whatever VLAN you tag / don't tag it as. I suppose if you were MITMing between two trunking switches you could alter the tag, but the IP destination address would then be incorrect for the new VLAN, and would be dropped at the destination.
Without a router (even if its just a layer 3 switch with "ip route" enabled), there really is not a way for traffic to traverse VLANs. Cisco and most other vendors are pretty clear on this. And as I said regarding tagged traffic on non-trunk ports, that traffic is dropped. Pretty good summary here (references the 802.1Q standard)
https://supportforums.cisco.com/docs/DOC-17237
You'll note that there is an exception for "hybrid links" which I don't have much experience with, but as I recall this requires specifically designating a voice VLAN on the switchport.
As for changing the settings on multiple ports....
>Config t
>interface range eth 0/1-24
>switchport access vlan 10
Switchports 1-24 are now VLAN 10, and will reject tagged traffic.
You ARE right that there is a little configuration to secure it, but it basically consists of
* Turning off dynamic trunking (the default)
* Setting VTP to transparent
* switching your ports off of the native VLAN, OR not assigning an IP to your switch / only allowing console access, OR changing the native VLAN
Those 3 can be done in about 2 minutes, with maybe 5 commands.
-
Re:Set up VLANs
VLANs are not for security! Any two things plugged into the same switch, whether virtual or real, can talk to each other if sufficiently motivated.
Umm, no. Not unless your switch is defective, or massively misconfigured. VLANs are very secure, when done properly. And the same security measures needed to protect VLANs are the same ones you need to protect switching in general (see CAM overflows, arp spoofing, and such).
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
If you leave your trunk/native VLAN at 1, you're in trouble. If you configure user-facing ports as auto-negotiate, or trunk without explicitly specifying allowed VLANs, you're in trouble.
-
Re:Set up VLANs
VLANs are not for security! Any two things plugged into the same switch, whether virtual or real, can talk to each other if sufficiently motivated.
This is simply not true. You're probably referring to 802.1q tag hopping attacks, which are not particularly difficult to prevent.
Do you really think tag hopping is the only attack on VLAN? Perhaps you should read what Cisco says about the matter, if your job depends on it: http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml . They point out that with an adequately secure switch, and good configuration practices, the security is adequate. Without all of the correct practices, VLANs provide a very dangerous false sense of security.
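The hardening points raised in this thread (the three-item checklist in the earlier reply, and the warnings above about leaving the native VLAN at 1, auto-negotiating user ports, and trunks with no explicit allowed-VLAN list) are easy to check mechanically against a switch's running-config. The audit script below is an added example, not code from the original comments or from Cisco; the config excerpt it parses is constructed for illustration, and the interface names, VLAN numbers and function names are assumptions.

```python
"""
Audit a Catalyst-style running-config excerpt for the VLAN hardening points
discussed in the thread: VTP transparent, DTP disabled, no port left on
VLAN 1, and trunks with an explicit allowed-VLAN list.
Added example with a constructed config; not from any real device.
"""
from dataclasses import dataclass, field

# Constructed sample: one weak and one hardened trunk, one weak and one
# hardened user port. Interface names and VLAN ids are made up.
SAMPLE_CONFIG = """\
!
vtp mode server
!
interface GigabitEthernet1/0/1
 description uplink to core (weak)
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description uplink to core (hardened)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/3
 description user port (weak: DTP left on, VLAN 1)
!
interface GigabitEthernet1/0/4
 description user port (hardened)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
"""


@dataclass
class Interface:
    name: str
    lines: list = field(default_factory=list)

    def has(self, prefix: str) -> bool:
        return any(line.startswith(prefix) for line in self.lines)

    def value(self, prefix: str):
        """Return the argument following `prefix`, or None if absent."""
        for line in self.lines:
            if line.startswith(prefix):
                return line[len(prefix):].strip()
        return None


def parse_config(text: str):
    """Split a running-config into global lines and per-interface stanzas."""
    global_lines, interfaces, current = [], [], None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            current = Interface(raw.split(None, 1)[1].strip())
            interfaces.append(current)
        elif raw.startswith(" ") and current is not None:
            current.lines.append(raw.strip())
        else:
            current = None  # '!' or a global line ends the stanza
            if raw and not raw.startswith("!"):
                global_lines.append(raw.strip())
    return global_lines, interfaces


def audit(text: str):
    """Return a list of (scope, finding) tuples; empty list means clean."""
    findings = []
    global_lines, interfaces = parse_config(text)

    vtp = next((g for g in global_lines if g.startswith("vtp mode")), "vtp mode server (default)")
    if vtp not in ("vtp mode transparent", "vtp mode off"):
        findings.append(("global", f"VTP is not transparent/off: '{vtp}'"))

    for itf in interfaces:
        mode = itf.value("switchport mode")
        if mode is None:
            findings.append((itf.name, "no 'switchport mode': DTP negotiation is on (dynamic)"))
        elif mode == "trunk":
            if (itf.value("switchport trunk native vlan") or "1") == "1":
                findings.append((itf.name, "trunk native VLAN is 1"))
            if not itf.has("switchport trunk allowed vlan"):
                findings.append((itf.name, "trunk allows all VLANs (no explicit allowed list)"))
            if not itf.has("switchport nonegotiate"):
                findings.append((itf.name, "trunk still sends DTP (no 'switchport nonegotiate')"))
        elif mode == "access":
            if (itf.value("switchport access vlan") or "1") == "1":
                findings.append((itf.name, "access port left on VLAN 1 (default)"))
        else:
            findings.append((itf.name, f"dynamic mode '{mode}': port can negotiate into a trunk"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```

Run against a real `show running-config` dump, the script flags the weak trunk three times (native VLAN 1, unrestricted allowed list, DTP still on), the bare user port once, and VTP once, while the two hardened stanzas produce nothing.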
-
Re:Of course
Yahoo *could* stage a comeback, but why? What makes a product or service from Yahoo unique?
Can't answer that question? Of course not. Yahoo is a holding company made up of numerous acquisitions. If there's an identity buried in there somewhere, it's a Frankenstein's monster, stitched together out of spare parts. There's nothing cohesive about Yahoo, nothing that makes it special as a company, and there never was.
So what if it's made up of acquisitions...? I doubt there are very many large companies that haven't made a significant number of acquisitions. All three with far more than 100 companies bought or merged with:
http://www.cisco.com/web/about/doing_business/corporate_development/acquisitions/about_cisco_acquisitions.html
https://en.wikipedia.org/wiki/List_of_mergers_and_acquisitions_by_Google
http://en.wikipedia.org/wiki/List_of_mergers_and_acquisitions_by_IBM
By the way, it seems that Yahoo! has the fewest acquisitions of any of the three, including your oh so dear to your heart Google.
https://en.wikipedia.org/wiki/List_of_mergers_and_acquisitions_by_Yahoo!
How'd you get marked insightful?
-
Re:I'm 33 years old
Cisco's UCS client is a bare-bones implementation that doesn't seek to be everything to everybody. That's what their API is for.
VMWare's vCenter client is also a bare-bones implementation that doesn't seek to be everything to everybody. That's what their API is for.
Zenoss doesn't try to be everything to everybody, either. That's what their API is for.
You see a pattern here, dipshit? If you're too dumb to know how to take advantage of a piece of software's API, then the existence of these "web 2.0" versions that are basic & bare-bones lets you get *something* done. If you were half as smart and experienced as you're trying to make yourself sound, you'd simply be writing some python or other code that would fit your needs exactly by gluing together these API components in the way you need.
But keep on loading a web interface over a high-latency VPN link - I'll be running "moveServers.py" from Bash, and heading off to the pub while you keep clicking and waiting for screen refreshes, chief. Your post reads like you're a Windows admin who's really upset that he can't just keep on clicking in a homegrown Excel Spreadsheet with 5 million lines of VBA embedded in it to manage his server farms, and when presented with the tools to roll your own automation, throw your hands up and say "But I don't want to have to do any work, I just want to click the pretty buttons!"
Can't have it both ways. If you have as much hate for the web 2.0 interfaces as you want us to believe, then you should already be rolling your own management scripts to replace clicking.
-
Nintendo and Cisco iOS
point me to the cheaper device from Asia which runs iOS?
It's not a smartphone, but Nintendo's Wii game console is a device that runs (a different) iOS. Cisco routers run (yet another) iOS too, and many of those appear to be made in China. Even Apple smartphones, which are "designed by Apple in California" and run the iOS you're thinking of, are still put together in China.
-
false choices
FTFA:
Scientists' work follows a consistent pattern. They apply for grants, perform their research, and publish the results in a journal. The process is so routine it almost seems inevitable. But what if it's not the best way to do science?
- yeah, that's a false choice.
Private companies do science all the time because they need to push their knowledge forward to stay competitive.
By the way, who is preventing any scientist from publishing his papers any way he or she likes at all? Who is standing in their way just throwing the stuff on some free Internet site, like, I don't know this or even this silly site?
-
Re:The WRT54G had a good run, but it's obsolete.
And just in case someone runs to the defence of the overlapping channels: http://www.cisco.com/en/US/docs/wireless/technology/channel/deployment/guide/Channel.html
-
Re:What?!
Add up the channels in each direction? That sounds like router marketing math to me.
I'm referring to actual 50 GHz spaced systems on the ITU grid which would theoretically allow 100 channels, but everyone skips a few to cut down on NLE.
http://www.cisco.com/en/US/prod/collateral/optical/ps5724/ps2006/datasheet_c78-598521.html
http://www.tellabs.com/products/7000/tlab7100nano.pdf
The Infinera is 25 GHz spaced, and goes to 160 channels.
http://www.infinera.com/products/ILS.html
-
Re:What?!
Yes it exists, we are already deploying it across the network I work on. The technology you need for long haul 100G is 'Coherent' optics using advanced modulation such as DP-QPSK instead of the old on-off keying used by 10Gig and below. See here for a good example data sheet. http://www.cisco.com/en/US/prod/collateral/optical/ps5724/ps2006/data_sheet_c78-713298.html
-
Re:Embrace, Extend and Extinguish
-
Re:Should China Accept US-Gov't Influenced IT Syst
China already protects itself from US-influence.
On the contrary, Huawei actively copied US code.
As with everything, this Chinese networking gear is nothing but a cheap copy originating from the world's biggest Xerox machine: China.
-
Big Whoop
So Russia, like the US and other Western countries, mandates that telecommunications hardware and software allow for wiretapping, or, as it is known internationally, Lawful Intercept.
-
Re:A robot with a human-like face is a lie
It would probably say "Come join the jihad in Somalia" on revolutionmuslim.net and lead the wannabe jihadis off to doom (a secret jail run by the Syrian Baath Party and the CIA) rather like the Pied Piper led off the rats.
Mind you if you were going to do that why not just pay a human to do it?
In fact you don't need to set up the site yourself - there will always be someone stupid enough to set up sites like revolutionmuslim. You can just do a lawful intercept on the site and pay a few agents to set up sock puppet accounts to do your Pied Pipering.