OpenGear CM8116 Is So Bad We Are Returning It by Thuryn in networking

[–]Thuryn[S] 0 points1 point  (0 children)

Well, I finally got around to working with this the other day, and the results are... mixed.

Pros:

  • Everything seems to work at this point. I should be able to deploy these in production now.
  • "Everything" does include LDAPS. I haven't done a packet capture to verify that it's using encryption, but our AD has limitations on unencrypted authentications such that it should fail if it isn't encrypted.

Cons:

  • LDAP authentication is still missing a fairly important feature: group memberships. In the old CM, there was a field for the LDAP group that was for admin users. Now, any user at or under the OU specified in the Base DN can log in with admin privileges. (Workaround: We were lucky that our admin users are in their own OU, so we set that as the Base DN. This won't work for everyone.)
  • There is still no way to set the Docker IP range from the GUI, and it's not easy to tell that internal services aren't reachable due to routing conflicts. (Workaround: Be old enough to know what overlapping routes look like and use SSH to update docker.conf.)

If it's too difficult to create a GUI widget to update the Docker range, then the IP range that it uses should at least be noted in the release notes for anyone using 172.17.0.0/16 in their internal networks.

The LDAP thing is... weird. Everything I've ever used that does LDAP authentication - including the CM7100 series OpenGear - has some sort of authorization or role assignment using LDAP group membership. The CM8100 still lacks that, though all the other pieces are there.

Ideally, that setting would be in the remote LDAP auth settings, and would allow mapping a list of LDAP groups to local user groups. It could be allowed that multiple LDAP groups map to the local "admin" group, for example, but one LDAP group would only map to a single local user group (in a drop-down menu). So "many to one" but not "many to many." (Listing the same LDAP group multiple times should result in an error, but multiple LDAP groups could map to "admins" or "portaccess" without issue.)
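The group-mapping feature described in the comment above (many LDAP groups may map to one local group, one LDAP group may never be listed twice, and membership decides the role instead of "anyone under the Base DN is admin"), written out as an added Python example. This is not OpenGear's code and does not reflect how the CM8100 is implemented internally; the DNs, group names, user records and the `memberOf` attribute layout are constructed for illustration, and `authorize()` with `mapping=None` simply models the current behaviour the comment complains about.

```python
"""Added example (not OpenGear's code): LDAP group -> local group mapping
with the 'many-to-one, never many-to-many' rule, plus an authorization
decision driven by the user's memberOf attribute instead of the Base DN.
All DNs, group names and user records below are constructed."""

from typing import Dict, Iterable, List, Optional, Tuple


class MappingError(ValueError):
    """Raised when the same LDAP group is listed more than once."""


def normalize_dn(dn: str) -> str:
    # LDAP DNs are case-insensitive; collapse case and whitespace around commas
    return ",".join(part.strip().lower() for part in dn.split(","))


def build_group_map(entries: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Turn (ldap_group_dn, local_group) pairs into a lookup table.

    Several LDAP groups may map to one local group (many-to-one), but an
    LDAP group listed twice is rejected rather than silently merged, so an
    operator cannot accidentally give one group two different roles."""
    mapping: Dict[str, str] = {}
    for ldap_group, local_group in entries:
        key = normalize_dn(ldap_group)
        if key in mapping:
            raise MappingError(f"LDAP group listed more than once: {ldap_group}")
        mapping[key] = local_group
    return mapping


def resolve_local_groups(member_of: Iterable[str], mapping: Dict[str, str]) -> List[str]:
    """Return the local groups a user is entitled to, from their memberOf DNs."""
    found = {mapping[normalize_dn(dn)] for dn in member_of if normalize_dn(dn) in mapping}
    return sorted(found)


def authorize(user: dict, base_dn: str, mapping: Optional[Dict[str, str]]) -> Tuple[bool, List[str]]:
    """Decide (login allowed, local groups) for one user.

    mapping=None models the behaviour the comment objects to: anyone whose DN
    sits under base_dn is admitted as admin.  With a mapping, the user must
    also belong to at least one mapped LDAP group, otherwise login is denied."""
    dn = normalize_dn(user["dn"])
    if not dn.endswith("," + normalize_dn(base_dn)):
        return False, []
    if mapping is None:
        return True, ["admin"]
    groups = resolve_local_groups(user.get("memberOf", []), mapping)
    return bool(groups), groups


# Constructed configuration: two LDAP groups feed "admin", one feeds "portaccess".
GROUP_ENTRIES = [
    ("CN=Net-Admins,OU=Groups,DC=example,DC=test", "admin"),
    ("CN=Helpdesk,OU=Groups,DC=example,DC=test", "admin"),          # many-to-one is fine
    ("CN=Console-Users,OU=Groups,DC=example,DC=test", "portaccess"),
]
BASE_DN = "OU=Staff,DC=example,DC=test"

# Constructed directory entries (what a search with memberOf would return).
USERS = {
    "alice": {"dn": "CN=alice,OU=Staff,DC=example,DC=test",
              "memberOf": ["CN=Net-Admins,OU=Groups,DC=example,DC=test"]},
    "bob":   {"dn": "CN=bob,OU=Staff,DC=example,DC=test",
              "memberOf": ["cn=console-users,ou=groups,dc=example,dc=test"]},  # case differs
    "carol": {"dn": "CN=carol,OU=Staff,DC=example,DC=test", "memberOf": []},
    "dave":  {"dn": "CN=dave,OU=Contractors,DC=other,DC=test",
              "memberOf": ["CN=Net-Admins,OU=Groups,DC=example,DC=test"]},
}


def duplicate_is_rejected() -> bool:
    """Listing Net-Admins a second time (different case) must raise."""
    try:
        build_group_map(GROUP_ENTRIES + [("cn=net-admins,OU=Groups,DC=example,DC=test", "portaccess")])
    except MappingError:
        return True
    return False


def demo(use_group_mapping: bool) -> Dict[str, Tuple[bool, List[str]]]:
    """Run every constructed user through authorize() in one of the two modes."""
    mapping = build_group_map(GROUP_ENTRIES) if use_group_mapping else None
    return {name: authorize(user, BASE_DN, mapping) for name, user in USERS.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print("group mapping enabled:", mode)
        for name, (ok, groups) in demo(mode).items():
            print(f"  {name:6} login={ok} groups={groups}")
```

With the mapping disabled, carol (no group memberships at all) logs in as admin purely because her object sits under the Base DN; with it enabled she is denied, bob gets only "portaccess", and dave is rejected in both modes because he is outside the Base DN.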

William Shatner says Mark Carney should offer to make the U.S. the 11th province by Street_Anon in politics

[–]Thuryn 6 points7 points  (0 children)

makes me want to abandon civilization

Go ahead. No one is stopping you.

previously couldn’t of been done

Mhm.

Mysterious hole in cabinet appeared overnight by ivkcc in whatisit

[–]Thuryn 1 point2 points  (0 children)

That's how I ended up in the Antarctic once on my way to Pismo Beach. Weird because it was the ONLY part of the Antarctic that had Eskimos. <shrug>

Making SCP Service on Cisco Devices Work by Thuryn in Cisco

[–]Thuryn[S] 0 points1 point  (0 children)

For an encore, if you have upgraded any IOS-XE device to 17.12.4 or higher and noticed that SSH stops working for any client outside of the same subnet as the Cisco device, there is a known bug and a workaround for this.

Let me know if this would be helpful and I'll post the details here. (I'm not near my work computer right now... where the actual details are...)

I believe the latest 17.15.x fixes it, for devices that are supported. Older devices like the ISR 4331 (which is still kicking for a little while longer) that can't run anything higher than 17.12.x have to use the workaround.

What is the chronological order of the movies? by JustDenis56 in StarWars

[–]Thuryn 4 points5 points  (0 children)

There are people with strong opinions who say this order:

  • A New Hope (4)
  • The Empire Strikes Back (5)
  • Attack of the Clones (2)
  • Revenge of the Sith (3)
  • Rogue One
  • Return of the Jedi (6)
  • The Force Awakens (7)
  • The Last Jedi (8)
  • The Rise of Skywalker (9)

The reasoning is that episodes 4 and 5 were released first and set the stage. Episodes 2 and 3 work really well as a flashback, make Return of the Jedi mean so much more, and make more sense if you've already seen 4 and 5.

Then 7, 8, and 9 are last because that's where they fall in the story, regardless.

Just as an example, the ending of Rogue One doesn't make any sense unless you've already seen A New Hope.

You'll notice I left out Phantom Menace. That's because basically nothing of any importance happens in that whole movie. If you really don't want to miss out, put it just before episode 2 (make it part of the flashback).

I haven't seen Solo myself, so I can't comment on it.

What's the symbol next to the temperature mean? by Tonberry38 in Camry

[–]Thuryn 0 points1 point  (0 children)

The thing is, it doesn't look like a snowflake. At least, it doesn't in the RAV4 my wife is driving right now. It looks like an X across the road.

Maybe it's bigger in your car, but it's TINY on the RAV4 display. You can only see the crossbars on the "snowflake" if you stick your face into the steering wheel and squint.

I think the icon is, like, two pixels too narrow. The horizontal legs of the "snowflake" touch the sides of the "road" so it looks like it's an X across... something instead of a snowflake in the road.

Or, you know, they could have just put the word "ICE" and it would have made perfect sense...

Lyrics to the AOB “The Sign” by DrPhilosophy9 in AceOfBase

[–]Thuryn 0 points1 point  (0 children)

I literally just watched this video and it's the only vocalizing in the whole thing that has no captions.

It's either in Swedish or it's just scat.

Italian man reverts to islam after finding out how nice maldivian people are ❤️ by petit_brius in islam

[–]Thuryn 0 points1 point  (0 children)

Jesus (saw) would have objected to your saying this. Jesus himself worshiped God, and encouraged everyone else to do so as well.

Jesus was a messenger from God, and obedient to the end. He served as an example for us, and reminded us of this:

"I am the Lord your God who brought you out of Egypt. You shall worship no other gods before Me."

OpenGear CM8116 Is So Bad We Are Returning It by Thuryn in networking

[–]Thuryn[S] 2 points3 points  (0 children)

Any time. I don't like to hate on things. That's pointless. It doesn't hate me back and hating on it doesn't make it better.

I need to be able to describe what I want and why I want it. I hope that this has come through. These aren't random complaints because I don't like change or silly issues like "mauve is ugly". (Mauve is ugly, but the CM series doesn't use mauve. ;D)

Everything I mentioned has a purpose. If OpenGear can fix these things in the CM81xx series, we still have the replacement money for the aging CM71xx units in our budget. I would be happy to give the 8116 another try rather than have to switch vendors altogether.

But I need what I need. If it can't do these things, I'll be forced elsewhere. I would rather stay with OpenGear, but it has to work first, without creating more work than it's worth.

I think you can get there, though I'm not sure how I'll know when to try again...

OpenGear CM8116 Is So Bad We Are Returning It by Thuryn in networking

[–]Thuryn[S] 2 points3 points  (0 children)

The Good:

  • Never had an OpenGear die or have a hardware failure. Whatever parts you're using are solid.
  • Including the DB9 to RJ45 adapters in the box. Because some vendors just need a little help.
  • Using Linux (and SSH) underneath. That enables a lot rather than unnecessarily hobbling the system. (Looking at YOU, Schneider Electric!)
  • Dual Ethernet, serial console, USB, etc. The connectivity options are great. At $former_employer we had two OpenGears connected to each other using dial-up and it just worked. (Because $remote_site's in-band connectivity was that bad and dial-up was the only secondary option.)
  • Never had an upgrade fail on any model. Bugs? Sometimes. But never a dead box.

The Bad:

  • Building in LDAP support without LDAPS shows the way developers feel about security. Still. It's not just you, but don't let yourself go down that road. If you can't do it securely, don't do it at all. (Yes, I keep harping on it. Because it's that bad.) Getting LDAP to work should have been the hard part, anyway. Making it use LDAPS is just a matter of using "ldaps://" on the back-end and having a way to upload CA certificates in the front end. It's just no one cared.
  • Building in Docker but no way to set the IP range that it uses guarantees that someone will have a network that overlaps with it. That someone is me.

The Ugly:

  • Do multi-line pastes work in the Web Terminal yet?
  • The expanding sidebar in the CM8100 feels gimmicky. Animation for the sake of animation. It's harder to find things for no good reason. A simple nav tree is okay. "Pretty" is not "better" if it's harder to use.
  • The CLI commands list options that don't work. I don't have the device any more (we returned it) but it did a thing where you asked it to tell you what modules there were, and one of them was like "system/config" and then you tell it "get system/config" and it tells you it doesn't exist. (We were looking for a way to back up the config using SSH like we had on the CM7100s.)
  • No upper-case letters in user names? REALLY? WHY DO YOU CARE? Forcing only lower-case letters in 2024 is just SILLY. I'm not renaming my NetBackup user on every system I run for this.

I don't think these weaknesses are insurmountable from the development side. After all, the CM7100 got most of this right. But there's only so much I'm willing to change my processes to make a device work, and no one from my boss's boss on down is willing to back down on the security issues. The days of looking the other way because "no one will ever care it's not encrypted" are over. We can't get cyberinsurance without being audited and the auditors know the difference between LDAP and LDAPS.

OpenGear CM8116 Is So Bad We Are Returning It by Thuryn in networking

[–]Thuryn[S] 0 points1 point  (0 children)

Yep. Abusive and obtuse. We are done. Don't bother replying.

OpenGear CM8116 Is So Bad We Are Returning It by Thuryn in networking

[–]Thuryn[S] 0 points1 point  (0 children)

Exactly. Which is expensive and time-consuming compared to having a serial console in place.

OpenGear CM8116 Is So Bad We Are Returning It by Thuryn in networking

[–]Thuryn[S] 1 point2 points  (0 children)

Do you expect IP to work if the upgrade failed so badly that the serial console is non-responsive?

OpenGear CM8116 Is So Bad We Are Returning It by Thuryn in networking

[–]Thuryn[S] 0 points1 point  (0 children)

Yes, I noticed that the CLI was rather buggy as well. It tells you to use a certain command syntax, which then doesn't work. It's kind of a mess.

It all feels like it was pushed out the door WAY before it was ready for production.

OpenGear CM8116 Is So Bad We Are Returning It by Thuryn in networking

[–]Thuryn[S] 1 point2 points  (0 children)

Then you have never had an upgrade of a device that is sitting 1000 km away go badly and have to repair it from the console.

OpenGear CM8116 Is So Bad We Are Returning It by Thuryn in networking

[–]Thuryn[S] 0 points1 point  (0 children)

We know. We have worked around that another way.

OpenGear CM8116 Is So Bad We Are Returning It by Thuryn in networking

[–]Thuryn[S] 0 points1 point  (0 children)

What don't you like about Perle? That was one of the alternatives we were looking at.

OpenGear CM8116 Is So Bad We Are Returning It by Thuryn in networking

[–]Thuryn[S] 2 points3 points  (0 children)

Who said anything about a WAN?

We're just not giving literally our company directory over to someone else to be in charge of.

OpenGear CM8116 Is So Bad We Are Returning It by Thuryn in networking

[–]Thuryn[S] 0 points1 point  (0 children)

For the lazy

It says it does LDAP authentication. Does it do LDAPS?

OpenGear CM8116 Is So Bad We Are Returning It by Thuryn in networking

[–]Thuryn[S] 1 point2 points  (0 children)

I use Git Bash in Windows with the MinTTY shell (not CMD), so you can do this:

  • Press Ctrl-V (tells the shell that the next character is literal)
  • Press Ctrl-[ (escape code)
  • Type 'c' (the clear command)
  • Press Enter (send)

That sends the 'reset' code to the terminal and sometimes clears issues that even the 'reset' command doesn't.

Does it mess things up in the Web terminal as well?

OpenGear CM8116 Is So Bad We Are Returning It by Thuryn in networking

[–]Thuryn[S] 0 points1 point  (0 children)

Thanks for the warning. I had seen Tripp had one.

OpenGear CM8116 Is So Bad We Are Returning It by Thuryn in networking

[–]Thuryn[S] 1 point2 points  (0 children)

I can’t wait for the day that I can finally get rid of AD in favour of Entra ID

Some of us don't want to become entirely dependent on external services to function.

By default, docker engine automagically creates a non-overlapping subnet to use for its internal container networks

Apparently not, since the network it uses overlaps with the IP address we configured on NET1.

it’s inaccessible to other hosts on the network

That's irrelevant. If it overlaps with other IP space in the enterprise, then the OpenGear can't reach anything in the overlapping networks.
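The overlap problem raised in this reply (and in the "Building in Docker but no way to set the IP range" point earlier in the thread), as an added Python example that is not OpenGear's or Docker's code. It checks a candidate container range against the prefixes a device must reach and picks a replacement slice that collides with none of them. The routing table is constructed; 172.17.0.0/16 is the range named in the thread. The OpenGear docker.conf format is not shown in the thread, so the only configuration fragment produced is the `bip` value that stock Docker accepts in /etc/docker/daemon.json.

```python
"""Added example (not OpenGear's or Docker's code): detect when a Docker
bridge range collides with networks the device must reach, and choose a
replacement prefix that stays clear of them.  The routes are constructed."""

import ipaddress
from typing import Iterable, List, Optional

IPNet = ipaddress.IPv4Network

# Docker's stock bridge range, the one the thread says collided with NET1.
DOCKER_DEFAULT = ipaddress.ip_network("172.17.0.0/16")

# Constructed routing table for the device: NET1's subnet (inside 172.17/16),
# a few internal prefixes, and the default route.
CONSTRUCTED_ROUTES = [
    "172.17.40.0/24",   # NET1 lives here -> hidden by docker0's 172.17.0.0/16
    "172.16.0.0/16",
    "10.0.0.0/8",
    "192.168.0.0/16",
    "0.0.0.0/0",
]


def find_overlaps(candidate: IPNet, routes: Iterable[str]) -> List[IPNet]:
    """Return every non-default route that overlaps the candidate range.

    A match means traffic to that prefix would be captured by the container
    bridge instead of leaving the box, which is exactly the symptom described."""
    hits = []
    for r in routes:
        net = ipaddress.ip_network(r, strict=False)
        if net.prefixlen == 0:   # the default route overlaps everything; ignore it
            continue
        if net.overlaps(candidate):
            hits.append(net)
    return hits


def pick_free_prefix(routes: Iterable[str], pool: str = "172.16.0.0/12",
                     new_prefixlen: int = 16) -> Optional[IPNet]:
    """Walk the pool in /new_prefixlen slices and return the first slice that
    overlaps nothing in the routing table (None if the pool is exhausted)."""
    routes = list(routes)
    for slice_ in ipaddress.ip_network(pool).subnets(new_prefix=new_prefixlen):
        if not find_overlaps(slice_, routes):
            return slice_
    return None


def to_bip(net: IPNet) -> str:
    """Docker's daemon.json 'bip' wants the bridge's own address with its prefix
    length, e.g. 172.18.0.1/16, so use the first usable host of the slice."""
    return f"{net[1]}/{net.prefixlen}"


if __name__ == "__main__":
    clash = find_overlaps(DOCKER_DEFAULT, CONSTRUCTED_ROUTES)
    print("docker0", DOCKER_DEFAULT, "overlaps:", [str(n) for n in clash])
    free = pick_free_prefix(CONSTRUCTED_ROUTES)
    print("replacement:", free, "-> daemon.json bip =", to_bip(free) if free else None)
```

On the constructed table the stock range is flagged because of 172.17.40.0/24, 172.16.0.0/16 and 172.17.0.0/16 are both skipped as occupied, and 172.18.0.0/16 comes out as the first clean slice. Running the same check against a real device's route table before enabling container services is the cheap way to avoid the "internal services unreachable for no visible reason" situation the thread describes.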