UI errors, console errors

sporkman
Member
 
Posts: 86
Joined: Mon Jul 27, 2015 7:03 pm
Location: New York, NY
Has thanked: 8 times
Been thanked: 11 times

Re: UI errors, console errors

Wed Mar 14, 2018 3:54 pm

Julian wrote: Best reset in this case would be remove power, press reset button, apply power, wait 45 seconds, release button. Let it sit for a couple minutes, watch the boot crawl, have a coke.

Also worth noting 6-mini does not have a user accessible serial port - there's one there, but you have to void your warranty to get to it :)

Doubt you'll need teamviewer, you seem like a pretty intelligent sort.


Will do (after seeing what state it's in right now)...

If they give me a 6-mini, it becomes a lab unit, so warranty-shwarranty.

TV is for me to access it. I work remotely in NJ, this crap is all in NYC. Although at this point driving in seems like it would have been the easier option, because I've got a drawer-full of labelled serial cables. Hell, there's even a Courier X2 modem in there. :)

sporkman

Wed Mar 14, 2018 5:14 pm

I wish I had more info to share about the state of this thing, it would probably have been helpful to your dev guy(s?).

So, the tech was unable to find the reset button (I thought it was to the right of the green power LED, but he couldn't find it). Anyhow, he plugged in the console and funny thing was it was up and running, had the prompt indicating my config was in there, but all ports were dark. That was odd. I have to guess that the json file had some junk in there that was screwing something up. Rebooted it, same deal - only power LED, but "show config" was showing ports configured as "active", manually going in and doing "no shut" on interfaces was not bringing ports up, all LEDs but power still dark.

I did a "reload defaults" and got to a default config. All ports came up. I turned down ports that would cause a loop with the switch, manually set the switch IP to what was configured for this site/port and was able to hit the web admin. Did a 1.4.9 firmware upgrade via web, that was OK, loaded my .ncfg file, that was OK and everything was running fine.

I've not spent much time in the "friendly" part of the CLI - it's really pretty nice. Is that something you guys put together, or is that part of the Vitesse sw package or some hybrid?

So any final thoughts on that weird state it was in where it seemed like the OS just wasn't talking to the switch hardware?

sporkman

Fri Mar 16, 2018 12:23 am

Also, I'm not sure what this is telling me (found on the VLAN config tab):

"Note: This IP address is only used for Watchdogs and is non-routable"

It does in fact seem to be very routable. The ssh daemon, lighty, snmpd and some other stuff bind to all of these addresses:


tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN (http)
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN (https)
tcp 0 0 :::22 :::* LISTEN (sshd)
udp 0 0 0.0.0.0:161 0.0.0.0:* (snmpd)
udp 0 0 0.0.0.0:34514 0.0.0.0:* (????)
 

I'm going to go ahead and call this either a bug or a mislabeling in the UI.

If you're taking feature requests, I'd ask that all that stuff ONLY binds to the main IP.
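The listener table in the post above, run through a small audit script. This is an added example, not part of the original posts or the vendor's code; the VLAN names and secondary IPs are constructed, and `::` is assumed to be a dual-stack wildcard that also accepts IPv4.

```python
import ipaddress

# Listener table as posted in the thread; the "(name)" tags are the poster's.
NETSTAT = """\
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN (http)
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN (https)
tcp 0 0 :::22 :::* LISTEN (sshd)
udp 0 0 0.0.0.0:161 0.0.0.0:* (snmpd)
udp 0 0 0.0.0.0:34514 0.0.0.0:* (????)
"""

# Constructed addressing (not from the thread): secondary per-VLAN IPs.
SECONDARY_IPS = {"vlan100": "203.0.113.20", "vlan200": "172.16.5.2"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_listeners(text):
    """Yield (proto, bind_addr, port, label) for each tcp/udp socket line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        host, _, port = fields[3].rpartition(":")  # ":::22" -> "::", "22"
        yield (fields[0], ipaddress.ip_address(host), int(port),
               fields[-1].strip("()"))


def exposure(text, secondary_ips):
    """List sockets that answer on an address other than the main IP."""
    findings = []
    for proto, bind, port, label in parse_listeners(text):
        for vlan, ip in sorted(secondary_ips.items()):
            addr = ipaddress.ip_address(ip)
            # A wildcard bind (0.0.0.0, or :: on a dual-stack socket)
            # accepts traffic sent to every local address.
            if bind.is_unspecified or bind == addr:
                private = any(addr in net for net in RFC1918)
                findings.append((proto, port, label, vlan, ip,
                                 "rfc1918" if private else "not-rfc1918"))
    return findings


if __name__ == "__main__":
    for f in exposure(NETSTAT, SECONDARY_IPS):
        print("%s/%d (%s) answers on %s %s [%s]" % f)
```

Every wildcard-bound service shows up once per secondary address; a listener bound to a single management address produces no findings.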

sirhc
Employee
 
Posts: 7347
Joined: Tue Apr 08, 2014 3:48 pm
Location: Lancaster, PA
Has thanked: 1597 times
Been thanked: 1318 times

Re: UI errors, console errors

Fri Mar 16, 2018 9:41 am

sporkman wrote: Also, I'm not sure what this is telling me (found on the VLAN config tab):

"Note: This IP address is only used for Watchdogs and is non-routable"

It does in fact seem to be very routable. The ssh daemon, lighty, snmpd and some other stuff bind to all of these addresses:


tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN (http)
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN (https)
tcp 0 0 :::22 :::* LISTEN (sshd)
udp 0 0 0.0.0.0:161 0.0.0.0:* (snmpd)
udp 0 0 0.0.0.0:34514 0.0.0.0:* (????)
 

I'm going to go ahead and call this either a bug or a mislabeling in the UI.

If you're taking feature requests, I'd ask that all that stuff ONLY binds to the main IP.


Those services may be bound to those secondary IPs but those IPs are not routable and some people might want to access those services via that non-routable IP? I do not feel this is an issue.

No they are not routable, the IPs have no gateway. The IP is on the VLAN so the switch can access them direct for watchdog purposes. If you have an IP on the VLAN with no gateway it can only be spoken to from other IPs within the same subnet.

v1.4.8 had security patches; if you feel your switch was compromised by a bot and you are running older code, upgrade to v1.4.9. The web service we use did have a security hole and was patched in v1.4.8.

Personally, all my infrastructure equipment is on non-routable IP ranges so the world cannot see them. I use 172.16.0.0 for my switches and other equipment so I can get to them inside my network but the world cannot. You can further lock them down with the Access Control List feature of the switch and limit what IPs can even see the switch. If your switch has to be on a public IP you definitely want to use Access Control List and limit who can talk to the switch.
Support is handled on the Forums not in Emails and PMs.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.

sporkman

Fri Mar 16, 2018 4:04 pm

Maybe "routable" is not the right word. But as it stands, if you have a "real" IP configured on one of the VLANs, inbound traffic makes it to that IP on the switch if that IP is a public IP and there are no upstream ACLs in place. The return traffic will follow the default route, even if the default route is on VLAN 1 instead of VLAN 100 (or any VLAN). To my definition of "routable", that's routable. And with SNMP bound, that's UDP, so if there are any issues with the snmp daemon, even one-way traffic could be an issue if there's a DoS issue with the daemon. And I have no idea what the service on port 34514 is and how safe it is.

A "bind services to this IP" checkbox would be a nice compromise.

Also, was there an announcement that 1.4.8 has a hole? I remember seeing some other notifications when new firmware was released (via the forum messaging system), but I don't remember a recent security notice...

sirhc

Fri Mar 16, 2018 5:58 pm

I think the patch was in v1.4.8; it might have been v1.4.4. I will have to check, and yes, I should make sure it is in the historical release notes:

We use a Linux package called lighttpd as our web service on the switch. The security hole was in that software package and allowed people to write files to the flash. It did not allow them access to change the config or gain shell access, simply to write files to the flash, which resulted in filling up the flash. A factory default by holding the default button while powering it up would clear the files, and then a firmware upgrade to secure it.

If you're going to have any PUBLIC IP on your switch, either the main IP or the secondary non-routable IP, you should definitely use the Access Control List to limit who can talk to it.
