So I've got a bunch of Ciena 6200 kit in, with some of their professional services folks onsite, helping with the initial setup. I know nothing of this kit, other than from what I'm being told, it's pretty bleeding edge, so much so that not even many people at Ciena know how to use it.
The SE who's onsite is apparently claiming that there is no provision to set a default gateway on the management interface. This seems odd to me. What is more odd is that we have to buy a manual for it. There isn't an electronic version available, even.
I've created an account on their portal, so when that gets approved, I'll see what sort of documentation I can find, but off the top of anyone's head, does anyone know how to do this default gateway thing on the management interface? It's apparently been IP'd properly, so that much is working...
Thanks in advance. Sorry for the lack of content otherwise.
On 7/2/2013 4:30 PM, Jason Lixfeld wrote:
The SE who's onsite is apparently claiming that there is no provision to set a default gateway on the management interface. This seems odd to me.
Me too, which is why I've got a call in to another company regarding their management LAN port that I can't configure with a default gateway either. At least not using the CLI.
Is this common and I just noticed it because it happened to me, or is this some collective engineering brain cramp that just took hold?
-- Jeff Shultz
it's probably fair to point out that practically all optical vendors don't actually understand 'ip' and 'routing' and 'systems management' ... try doing ntp with ONS boxes? got ntpv>1? then ... oops :(
never mind the situations where you install a 0/0 route on a management interface/config and STILL have to /32 route particular services out the same GW as 0/0 ... (not cisco, another busted vendor)...
optical people... srsly, get with the program.
On Tue, Jul 2, 2013 at 7:39 PM, Jeff Shultz <jeffshultz@wvi.com> wrote:
On 7/2/2013 4:30 PM, Jason Lixfeld wrote:
The SE who's onsite is apparently claiming that there is no provision to set a default gateway on the management interface. This seems odd to me.
Me too, which is why I've got a call in to another company regarding their management LAN port that I can't configure with a default gateway either. At least not using the CLI.
Is this common and I just noticed it because it happened to me, or is this some collective engineering brain cramp that just took hold?
-- Jeff Shultz
On Tue, 2 Jul 2013, Jason Lixfeld wrote:
The SE who's onsite is apparently claiming that there is no provision to set a default gateway on the management interface.
Everyone knows that attacks against your management interface come from devices not on your management network. By removing the default gateway feature, Ciena is improving the security of your network.
It's time we created a BCOP specifying that default gateway functionality be disabled or removed in all network deployments, in the interest of security. Security improvements realized in the last few years by dropping all ICMP and TCP DNS at firewall boundaries, not to mention universal deployment of NAT, were just the first few steps to creating a much more secure Internet.
Once disablement of default gateway functionality has become a common practice, the natural reduction in traffic on the Internet should allow most operators to achieve enormous cost savings by powering off all of their equipment.
-- Brandon Ross Yahoo & AIM: BrandonNRoss +1-404-635-6667 ICQ: 2269442 Schedule a meeting: https://doodle.com/bross Skype: brandonross
On 2013-07-03 3:57 PM, "Brandon Ross" <bross@pobox.com> wrote:
Everyone knows that attacks against your management interface come from devices not on your management network. By removing the default gateway feature, Ciena is improving the security of your network.
It's time we created a BCOP specifying that default gateway functionality be disabled or removed in all network deployments, in the interest of security. Security improvements realized in the last few years by dropping all ICMP and TCP DNS at firewall boundaries, not to mention universal deployment of NAT, were just the first few steps to creating a much more secure Internet.
Once disablement of default gateway functionality has become a common practice, the natural reduction in traffic on the Internet should allow most operators to achieve enormous cost savings by powering off all of their equipment.
Awesome - sorry, can't resist. :) Paul
On 7/3/2013 1:00 PM, Paul Stewart wrote:
On 2013-07-03 3:57 PM, "Brandon Ross" <bross@pobox.com> wrote:
Everyone knows that attacks against your management interface come from devices not on your management network. By removing the default gateway feature, Ciena is improving the security of your network.
It's time we created a BCOP specifying that default gateway functionality be disabled or removed in all network deployments, in the interest of security. Security improvements realized in the last few years by dropping all ICMP and TCP DNS at firewall boundaries, not to mention universal deployment of NAT, were just the first few steps to creating a much more secure Internet.
Once disablement of default gateway functionality has become a common practice, the natural reduction in traffic on the Internet should allow most operators to achieve enormous cost savings by powering off all of their equipment.
Awesome - sorry, can't resist. :)
Ah, somehow my eyeballs glazed over the excellent sarcasm that was made evident in the last paragraph.... Either way, my point remains: I want the option. I suspect I'm not alone... -- Jeff Shultz
On 7/3/2013 12:57 PM, Brandon Ross wrote:
On Tue, 2 Jul 2013, Jason Lixfeld wrote:
The SE who's onsite is apparently claiming that there is no provision to set a default gateway on the management interface.
Everyone knows that attacks against your management interface come from devices not on your management network. By removing the default gateway feature, Ciena is improving the security of your network.
While my device is not a Ciena, it has the same issue - and I don't think I'm going to be getting attacks against my management interface on a 10.0.x.x network. I want the option to decide for myself. I'm not all that interested in setting up a management VLAN so this one device in my central office will be happy on its "virtually flat" network.
-- Jeff Shultz
The ALU 7750/7450, etc. routers have a separate routing process/configuration for their OOB mgmt and as of the last time I looked do not support a default gateway.
Phil
On 7/2/13 7:30 PM, "Jason Lixfeld" <jason@lixfeld.ca> wrote:
So I've got a bunch of Ciena 6200 kit in, with some of their professional services folks onsite, helping with the initial setup. I know nothing of this kit, other than from what I'm being told, it's pretty bleeding edge, so much so that not even many people at Ciena know how to use it.
The SE who's onsite is apparently claiming that there is no provision to set a default gateway on the management interface. This seems odd to me. What is more odd is that we have to buy a manual for it. There isn't an electronic version available, even.
I've created an account on their portal, so when that gets approved, I'll see what sort of documentation I can find, but off the top of anyone's head, does anyone know how to do this default gateway thing on the management interface? It's apparently been IP'd properly, so that much is working...
Thanks in advance. Sorry for the lack of content otherwise.
On Wed, Jul 3, 2013 at 5:41 PM, Phil Bedard <bedard.phil@gmail.com> wrote:
The ALU 7750/7450, etc. routers have a separate routing process/configuration for their OOB mgmt and as of the last time I looked do not support a default gateway.
honestly? this sounds like typical alu :( some of their kit requires either proxy-arp from the default-gw (and no support for default-gw, all of the 'internet' is out the management ether... on that ether link) or 'can we run ospf with your router?' what?? you put ospf processing/handling/debugging (ha!) but you can't point 0/0 at that ip over -> there?? wtf :(
Hi,
So just for completeness - the box does support a default gateway and it was pretty simple to figure out once we were able to connect to it over the Web UI. The professional services tech who installed this stuff basically copied data off of a spreadsheet and didn't really have any notion of how the thing really worked so he didn't really have any answers.
On 2013-07-02, at 7:30 PM, Jason Lixfeld <jason@lixfeld.ca> wrote:
So I've got a bunch of Ciena 6200 kit in, with some of their professional services folks onsite, helping with the initial setup. I know nothing of this kit, other than from what I'm being told, it's pretty bleeding edge, so much so that not even many people at Ciena know how to use it.
The SE who's onsite is apparently claiming that there is no provision to set a default gateway on the management interface. This seems odd to me. What is more odd is that we have to buy a manual for it. There isn't an electronic version available, even.
I've created an account on their portal, so when that gets approved, I'll see what sort of documentation I can find, but off the top of anyone's head, does anyone know how to do this default gateway thing on the management interface? It's apparently been IP'd properly, so that much is working...
Thanks in advance. Sorry for the lack of content otherwise.
participants (7)
- Brandon Ross
- Christopher Morrow
- Erik Muller
- Jason Lixfeld
- Jeff Shultz
- Paul Stewart
- Phil Bedard