sporkman wrote: Also, I'm not sure what this is telling me (found on the VLAN config tab):
"Note: This IP address is only used for Watchdogs and is non-routable"
It does in fact seem to be very routable. The ssh daemon, lighty, snmpd and some other stuff bind to all of these addresses:
Code:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN (http)
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN (https)
tcp 0 0 :::22 :::* LISTEN (sshd)
udp 0 0 0.0.0.0:161 0.0.0.0:* (snmpd)
udp 0 0 0.0.0.0:34514 0.0.0.0:* (????)
I'm going to go ahead and call this either a bug or a mislabeling in the UI.
If you're taking feature requests, I'd ask that all that stuff ONLY binds to the main IP.
Those services may be bound to those secondary IPs, but those IPs are not routable, and some people might want to access those services via that non-routable IP? I do not feel this is an issue.
No, they are not routable; the IPs have no gateway. The IP is on the VLAN so the switch can access them directly for watchdog purposes. If you have an IP on the VLAN with no gateway, it can only be spoken to from other IPs within the same subnet.
v1.4.8 had security patches. If you feel your switch was compromised by a bot and you are running older code, upgrade to v1.4.9. The web service we use did have a security hole and was patched in v1.4.8.
Personally, all my infrastructure equipment is on non-routable IP ranges so the world can not see them. I use 172.16.0.0 for my switches and other equipment so I can get to them inside my network but the world can not. You can further lock them down with the Access Control List feature of the switch and limit what IPs can even see the switch. If your switch has to be on a public IP, you definitely want to use Access Control List and limit who can talk to the switch.