Recent posts

#1
Routing and Switching / Re: Unusual Issue with SR3120 ...
Last post by icecream-guy - April 11, 2025, 08:15:30 AM
Quote from: CiscoWizard on April 10, 2025, 12:19:21 PM
Then I probably shouldn't tell you about the Wellfleet and Bay Networks routers we have in our data center.

Please do, my hacker friends are much interested in your network design and details.
 :'(
#2
Routing and Switching / Re: Unusual Issue with SR3120 ...
Last post by CiscoWizard - April 10, 2025, 12:19:21 PM
Then I probably shouldn't tell you about the Wellfleet and Bay Networks routers we have in our data center.
#3
Routing and Switching / Re: Unusual Issue with SR3120 ...
Last post by config t - April 10, 2025, 09:04:06 AM
Wow. The Avaya sticker they put over the Nortel logo must have fallen off. 10 years ago Nortel Networks had already ceased to exist.
#4
Routing and Switching / Re: Unusual Issue with SR3120 ...
Last post by CiscoWizard - April 08, 2025, 04:50:37 PM
We've kept it connected in a lab environment, but we've yet to have that same problem. The configs appear to be matched so we weren't thinking it was a configuration issue. The age of the device seems to be the only explanation people have come up with, which I suppose is entirely possible. I've just been hoping it is something that can be solved to fix the current device. I'd still like to replace it with something newer, but it would still be nice to know it was something other than age. That's such a boring solution.  ;)  :))
#5
Security / Re: RADIUS CoA
Last post by config t - April 08, 2025, 04:35:02 PM
From a practical standpoint "simple and easy-to-maintain" is the way forward with this particular customer. Boundary FW is managed by someone else, other than VTY all of the ACLs live on the core, no east-west FW, and add to that a regular personnel rotation which makes consistent reliable skill sets a dubious proposition.

Personally, I'm a fan of object-groups and do have another customer where the PACL use case is feasible. I just wish they could make decisions faster.
#6
Routing and Switching / Re: Unusual Issue with SR3120 ...
Last post by Otanx - April 08, 2025, 03:54:23 PM
If you swap in the spare does it have the same problem?

-Otanx
#7
Routing and Switching / Re: Unusual Issue with SR3120 ...
Last post by CiscoWizard - April 08, 2025, 12:03:27 PM
You've read my mind, my friend. If only management would be so quick to agree to that. They're so apprehensive that nothing will come back up once we connect the new equipment that they're refusing the upgrade. We even have a backup of the Nortel on standby in case the original fails to be reinstalled.
#8
Routing and Switching / Re: Unusual Issue with SR3120 ...
Last post by Otanx - April 08, 2025, 10:19:41 AM
Even 10 years ago that router was old. Considering how old that is I would assume it is just failing slowly. If it is really important then spend some money and replace it.

-Otanx
#9
Security / Re: RADIUS CoA
Last post by Otanx - April 08, 2025, 10:11:35 AM
If you go to that level of detail that is true. The way I handle it is to put a real firewall between clients and servers. Do most of the filtering there. Then the port based ACLs can be permits to IPs, and a deny for all others to block east/west. Usually only 5 or 6 lines at that point. So a remediation ACL would look something like:

10 permit ip any AD_Server
20 permit ip any Patching_Server
30 permit ip any AV_Server
40 permit ip any Web_Proxy
50 deny ip any any

The normal ACL we used was just a deny to the /16 for client networks, and a permit any. That way a workstation couldn't go to another workstation, and then everything else was handled by the firewall. We also had different ACLs for printers that locked them down to just the print server. We didn't do any guest wired normally, but we did have an ACL with just the Web_Proxy for the few times we needed it.

There are a couple downsides. One is no logging on port based ACLs so that blinds you to some things. Also there is no good way for help desk to identify if a system is in quarantine or not without looking at the switch, or RADIUS logs. The IP is the same so that isn't a clue anymore. Same with log correlation in the SIEM. You need to bring in the RADIUS logs to identify host profiles because the source IP is the same for all clients.   

-Otanx
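
The log correlation point in the post above, as an added example that is not part of the original thread: because the source IP stays the same when a port moves between ACLs, SIEM events are labelled with the ACL in force at event time using a timeline built from RADIUS records. The log layouts, the sample lines and the ACL names (NORMAL_ACL, REMEDIATION_ACL, PRINTER_ACL) are constructed assumptions; real RADIUS and SIEM exports need their own parsers.

```python
from bisect import bisect_right
from datetime import datetime

# Constructed sample: simplified RADIUS records, one ACL assignment per line:
# time, Framed-IP-Address, Calling-Station-Id, Filter-Id (ACL names hypothetical).
RADIUS_LOG = """\
2025-04-08T09:00:00 10.20.1.50 aa:bb:cc:00:00:01 NORMAL_ACL
2025-04-08T09:30:00 10.20.1.50 aa:bb:cc:00:00:01 REMEDIATION_ACL
2025-04-08T10:15:00 10.20.1.50 aa:bb:cc:00:00:01 NORMAL_ACL
2025-04-08T09:05:00 10.20.1.77 aa:bb:cc:00:00:02 PRINTER_ACL
"""

# Constructed SIEM events: time, source IP, message.
SIEM_EVENTS = """\
2025-04-08T09:10:00 10.20.1.50 proxy: GET http://example.test/
2025-04-08T09:45:00 10.20.1.50 av: signature update pulled
2025-04-08T10:20:00 10.20.1.50 proxy: GET http://example.test/
2025-04-08T08:00:00 10.20.1.50 dhcp: lease renewed
"""

def build_timeline(radius_text):
    """Map each IP to a time-sorted list of (timestamp, mac, acl) changes."""
    timeline = {}
    for line in radius_text.splitlines():
        ts, ip, mac, acl = line.split()
        timeline.setdefault(ip, []).append((datetime.fromisoformat(ts), mac, acl))
    for changes in timeline.values():
        changes.sort()
    return timeline

def profile_at(timeline, ip, when):
    """Return (mac, acl) in force for ip at `when`, or None if nothing seen yet."""
    changes = timeline.get(ip, [])
    idx = bisect_right([c[0] for c in changes], when)
    return changes[idx - 1][1:] if idx else None

def enrich(siem_text, timeline):
    """Attach the ACL in force at event time to every SIEM event."""
    out = []
    for line in siem_text.splitlines():
        ts, ip, msg = line.split(maxsplit=2)
        prof = profile_at(timeline, ip, datetime.fromisoformat(ts))
        out.append((ts, ip, prof[1] if prof else "UNKNOWN", msg))
    return out

if __name__ == "__main__":
    for row in enrich(SIEM_EVENTS, build_timeline(RADIUS_LOG)):
        print(*row, sep="  ")
```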

#10
Routing and Switching / Unusual Issue with SR3120 Nort...
Last post by CiscoWizard - April 08, 2025, 07:09:55 AM
We are having an issue with our Nortel 3120 routers as of late. This wasn't something that happened back when I first started, which was over ten years ago. Lately, this issue happens frequently. What happens is, something prevents us from accessing our equipment remotely (with telnet or SSH) or through the console port. The only thing that clears this issue is doing a full reboot of the router. This normally isn't that big of a deal, but the system being controlled through this router is exceedingly important, so having to reboot it is always met with a long list of questions from upper management. They're not always easily willing to accept our solution.

What would cause this issue? Someone else I work with keeps mentioning a memory issue that eventually maxes out, but as I said earlier, this wasn't happening ten years ago. Is there a command or configuration that needs to be changed, or maybe a command that can be used to clear the memory buffers if that is indeed the issue? Below are the results of the "show version" command:

3120_West > show version
HW Assembly REV:                     A
PCB Assembly REV:                    A
MB FPGA Revision Number:             0x11
BOOT Device:                         FLASH
Downloadable FLASH Bootcode Version: r9.2
Physical EPROM Bootcode Version:     r9.1_062706
Software Version:                    r9.3.3