NGFW: Anyone using FTD in production? (Networking)
- NGFW: Anyone using FTD in production?
- Secret CCIE
- Commercial WAF vs. NGINX with ModSecurity
- MST with an isolated VLAN?
- Managing config, path to automation for MME
- 10G L3 switch with more than 16K BGP routes?
- Excessive ARP broadcasts.
- Network refresh and standardization
- Cisco ISE / dot1x, phones and APs..?
- Resubnetting: Help confirming the process; ideas for what could be causing an issue on attempt.
- QFX 3500 40G Port Troubles
- Eve-ng and mikrotik
- Corning ONE SD-LAN PON
- Visio networking diagrams question
- Advice planning how to run point-to-point fiber
- Moving off of data center security/networking products to AWS offerings?
- Ruckus Implementation Questions
- How to Simulate Port Flapping with bad cable
- UniFi USG IPsec VPN to SonicWall Need Help
- Is this a network switch I can use to light up wall ports?
- Boson Ex-sim for ICND1 is only 290 questions
- Aruba AP 303 vs 305
NGFW: Anyone using FTD in production? Posted: 02 Oct 2018 02:31 PM PDT Hi guys, we are currently evaluating multiple NGFW vendors as our old dirty ASAs won't do the job anymore at the internet edge. We got a lot of feedback already and saw multiple products; we also know about the history of Firepower/Sourcefire, which is like a real-life nightmare... but we don't want to judge based on the past, and a lot of things were promised with 6.2.3 which made the whole solution look way better than it was a year ago. Also there is shiny new hardware available. Anyway: does anybody run FTD in production and can share some experiences on daily operations? We are absolutely aware that migration and new technologies will always need some effort, but in the end we are looking for a stable and mature solution. What we know so far:
Maybe in other words: are there any happy FTD customers out there? Because we couldn't find one yet.
Secret CCIE Posted: 01 Oct 2018 07:35 PM PDT Got my IE in R&S about six years ago. Four jobs later and I stopped listing it on my resume or advertising that I have it. What nobody tells you is the insane politics that go along with it and the way people treat you. Management loves to parade you around. Sarcastic remarks from defensive, insecure coworkers such as "I don't know, go ask him, he's a CCIE" or other variations thereof. Unrealistic expectations, people expecting you to know "everything", oblivious to the fact that the test is based on a curriculum of specific topics. Constantly being put on the spot. Every single problem being dropped in my lap. I got sick of it. I'm more of an introvert and the added pressure and attention was affecting my well-being. Work life has been much easier now that I only advertise that I have an NP (which I do). Why did I get it in the first place? From the beginning everyone always heralded it as the ultimate achievement. I think I wanted to prove to myself that I could. When I was younger I wanted to be a "rockstar." I've done the large-scale enterprise/ISP/MSP space. I have no interest in working for a vendor or a VAR meat grinder. Nowadays I'm content working a nine-to-five job at a medium-size enterprise and forgetting about work the second I leave the office. I do well salary-wise and the marginal increase in compensation is disproportionate to the added workload that would go along with "CCIE level" positions. I can't bring myself to let it expire though. I went through hell for over a year to get it. Now at least with the CEs I don't have to take that pain-in-the-ass written every couple of years. I'm curious if anybody else shares my experience?
Commercial WAF vs. NGINX with ModSecurity Posted: 02 Oct 2018 12:50 PM PDT
MST with an isolated VLAN? Posted: 02 Oct 2018 12:33 PM PDT I'm not too hot on MST. Switch 1 and Switch 2 carry all VLANs. Switch 4 is a new switch to carry an isolated VLAN that will be limited to it and Switch 2. VLAN 5 exists on Switch 4 only for management. We run MST with a default config; all VLANs are mapped to instance 0. Will MST need to block either the red or blue link to stop a loop, and do I need to map VLAN 10 to its own MST instance to stop this behavior?
Managing config, path to automation for MME Posted: 02 Oct 2018 02:59 PM PDT In telecoms/networking, any recommendations to manage config for e.g. MME nodes? Currently it's done with big spreadsheets for all config, plus IMSI etc. Ideally we want a central source of truth, easily accessed and updated by authorised people only, version controlled. Initially for recording configuration, but ideally with a path to introducing automatic configuration, e.g. via NETCONF. And ideally not vendor specific, e.g. ENM. Having a look at Tail-f/Cisco ConfD (what a mission to create an account just to download the thing, and no official Docker container, boooo) but it's nontrivial to set up.
10G L3 switch with more than 16K BGP routes? Posted: 02 Oct 2018 01:25 PM PDT I'm looking for a 10G switch with support for BGP. The catch is I'd like to buy one that can take a medium amount of routes and not just 16K. The Arista 7050QX series looks to fit the bill. Using UFT mode it appears to be able to take 144K IPv4 routes. For my use case / PoC IPv4 is sufficient. The DCS-7050QX-32S model seems to go for about a grand on eBay, which isn't too bad. Is the Arista a good choice? Any caveats with UFT mode? Should I be looking for something else? Something cheaper or something with more routes per dollar? Suggestions? Warnings? Recommendations? Thanks!
Excessive ARP broadcasts. Posted: 02 Oct 2018 04:40 PM PDT Hi All, I am having an issue with multiple Samsung panels and continuous ARP broadcasts (100+ panels). Thanks
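An added example, not from the original post: a small Python detector a practitioner could run over a `tcpdump -e -n` capture of the affected segment to find which source MACs generate ARP requests at an abnormal rate and whether a source keeps asking for the same (apparently unanswered) address. The capture lines below are constructed for the example; the MACs, IPs and the 5-requests-per-second threshold are assumptions, not values from the post.

```python
import re
from collections import Counter, defaultdict

# Matches one ARP request line in `tcpdump -e -n` style:
# HH:MM:SS.ffffff <src mac> > <dst mac>, ethertype ARP (0x0806), length N: Request who-has A tell B, length M
ARP_REQUEST_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>[0-9a-f:]{17}) > [0-9a-f:]{17}, ethertype ARP .*?: "
    r"Request who-has (?P<target>\d+\.\d+\.\d+\.\d+) tell (?P<sender>\d+\.\d+\.\d+\.\d+)"
)


def _seconds(ts: str) -> float:
    """Convert HH:MM:SS.ffffff to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_arp_request(line: str):
    """Return (timestamp, src_mac, sender_ip, target_ip) for an ARP request line, else None."""
    m = ARP_REQUEST_RE.match(line)
    if not m:
        return None  # replies, non-ARP traffic and junk are ignored
    return _seconds(m["ts"]), m["src"], m["sender"], m["target"]


def analyze(lines, threshold_per_sec: int) -> dict:
    """Per source MAC: total requests, peak requests in any one-second bucket, most-asked target."""
    per_sec = defaultdict(Counter)   # mac -> second bucket -> request count
    targets = defaultdict(Counter)   # mac -> target ip -> request count
    sender_ip = {}
    for line in lines:
        parsed = parse_arp_request(line)
        if parsed is None:
            continue
        ts, mac, sender, target = parsed
        per_sec[mac][int(ts)] += 1
        targets[mac][target] += 1
        sender_ip[mac] = sender
    report = {}
    for mac, buckets in per_sec.items():
        total = sum(buckets.values())
        peak = max(buckets.values())
        top_target, top_n = targets[mac].most_common(1)[0]
        report[mac] = {
            "sender_ip": sender_ip[mac],
            "total": total,
            "peak_per_sec": peak,
            "top_target": top_target,
            "top_target_share": top_n / total,  # 1.0 means every request was for one address
            "offender": peak >= threshold_per_sec,
        }
    return report


def offenders(report: dict) -> list:
    return sorted(mac for mac, r in report.items() if r["offender"])


def constructed_capture() -> list:
    """Constructed sample: one host hammering a single target, one normal request, one reply."""
    lines = []
    for i in range(20):  # 10 requests per second for two seconds, all for 192.168.10.1
        ts = f"10:15:{i // 10:02d}.{(i % 10) * 100000:06d}"
        lines.append(f"{ts} aa:bb:cc:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), "
                     f"length 60: Request who-has 192.168.10.1 tell 192.168.10.55, length 46")
    lines.append("10:15:00.500000 10:10:10:00:00:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), "
                 "length 60: Request who-has 192.168.10.20 tell 192.168.10.30, length 46")
    lines.append("10:15:00.600000 10:10:10:00:00:03 > 10:10:10:00:00:02, ethertype ARP (0x0806), "
                 "length 60: Reply 192.168.10.20 is-at 10:10:10:00:00:03, length 46")
    return lines


if __name__ == "__main__":
    rep = analyze(constructed_capture(), threshold_per_sec=5)
    for mac in offenders(rep):
        r = rep[mac]
        print(f"{mac} ({r['sender_ip']}): {r['total']} requests, peak {r['peak_per_sec']}/s, "
              f"{r['top_target_share']:.0%} for {r['top_target']}")
```

A high `top_target_share` for an offender usually means the asked-for address never answers (a stale default gateway or a removed device), which is the first thing to check before blaming the panels' firmware; replace `constructed_capture()` with the lines of a real capture (`tcpdump -e -n arp`) to run it against the segment.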
Network refresh and standardization Posted: 02 Oct 2018 03:36 PM PDT Hey everyone, I'm looking for recommendations for a network refresh at my office. Been with the company for a few months now and am the single IT guy for 4 office locations that are spread throughout Canada. Currently we have Barracuda firewalls and Meraki wireless in place; for switching we have a huge mix of vendors (TP-Link, Netgear, HP, Cisco SG). The Cudas are no longer on active support, Meraki is until 2022, and we need PoE for our Avaya VoIP deployment throughout offices. We also need client VPN for remote staff functionality. Pretty heavy internal network traffic from file sharing to video conferencing all the time.
Needs:
New firewalls
- site-to-site VPN
- reliable client VPN
- IPS/IDS/AV
- solid, easy reporting
- drop-ship deployment for new/warranty issues
Switches
- PoE for VoIP and APs
- 10Gb uplinks
- easy management interface
- drop-ship deployment options
- redundant PSUs would be handy for remote sites
Current network: each site is currently on a /16 subnet and most things are set up statically.
- VLANs: not currently in place, but looking at setting them up for security and IoT items
- network speeds are brutal, 3-10mb transfer rates
- heavy video conferencing
- file sharing, CAD, videos, marketing, office etc.
Site requirements
- HQ: FW, 6 switches, 12 APs
- Site 1: FW, 4 switches, 6 APs
- Site 2: FW, 1 switch, 2 APs
- Site 3: FW, 2 switches, 4 APs
Budget is not an issue at this point; the company isn't afraid to spend the money as things have basically fallen apart currently. I've been looking at everything from Cisco/Meraki/Fortinet/Aruba; I'm not afraid of mixing up platforms to get the best-case scenario. Overall just looking for input/advice for either an all-in-one setup or if I should be looking at mixing vendors but keeping something standard through each platform. Thanks!
Cisco ISE / dot1x, phones and APs..? Posted: 02 Oct 2018 03:15 PM PDT Out of the frying pan and into the fire, as they say. My new project that landed in my lap is to either enable a full-blown NAC (overkill) or dot1x on our wired networks. No problem, I did dot1x 11 years ago, this is going to be cake! Except it's not. Then everything was Cisco, now it's not. So here's the challenge, or two specific challenges: Polycom phones and wireless APs. Desk phones are the Polycom VVX series but a good portion of them have a PC daisy-chained to them. APs are all Meraki. Both support dot1x but the problem is... trunking. Right now we're trunking on pretty much every port as the voice VLAN is tagged on the phone and the PC is daisy-chained on the access VLAN. For the APs, they live on the management VLAN and all of the SSIDs are tagged to their appropriate VLAN. Switches are a mix of Cisco SG500 (ugh), 2960-X and 3850s. My only thoughts right now are no more daisy-chaining PCs to the phones, as the phones do support dot1x, and to file the APs into the acceptable-risk category as we can't restrict them to one non-corp VLAN. Anyone else run into this? From all I'm reading, ISE wouldn't solve anything for me for this particular use case as it's just front-ending RADIUS and basically doing dot1x for me. I could definitely be missing something there, however.
Resubnetting: Help confirming the process; ideas for what could be causing an issue on attempt. Posted: 02 Oct 2018 01:41 PM PDT Hello. I'm working on an IT staff at my current company. As of this year, we started to run into issues with our available IP addresses (mainly due to our increased staff numbers and additional wireless routers). We currently operate on a /24 subnet. Our company has several branches, but each branch's LAN is basically on its own, with traffic tunneled directly back through our main branch via Adtrans (which we're moving on from next year). Currently, the main branch in question is set up simply on a 192.168.0.xxx/24 scheme. We were looking to move to a 255.255.254.0 subnet here so that we'd have the additional 254 addresses. Couple of things up front:
This past weekend, the two of us came in during off-business hours to attempt to make the switchover. However, we ran into an issue towards the end steps, and had to call it quits for that day. I'm looking to get some insight into making sure the process I believe is to be done to make this work is correct, and if so, if anyone has ideas as to what could be causing the problems we had. Statement of what we're trying to achieve:
Process / steps that we did in preparation:
This is where we ran into problems. As soon as we changed the default gateway (192.168.0.254) from 255.255.255.0 to 255.255.254.0..... we started having a LOT of external network issues. I had set my computer statically to IP = 192.168.1.99, SM = 255.255.254.0, DG = 192.168.0.254, while my other staff statically set in the .0 range so that we could test from both ends. From what I remember, here is generally a list of things that were happening:
On paper, from any research that I had done prior to this attempt, I believe that we had all the steps correct. You first change any static devices to the new subnet mask. Also, you want to prep your DHCP pool with the new information and make sure they have low lease times so they update with the changes. The LAST thing you want to update is the default gateway with the new subnet mask.... and that should be it. There shouldn't be ANY overlap with any of the external branches or conflicting IPs, and we don't have any devices in the 192.168.1.xxx range already. Currently, our branch here is still "prepped" for the switchover. All devices EXCEPT our default gateway have a subnet mask of 255.255.254.0. It's just once we switch that over, external connections basically stop working. Is there something that we are blatantly missing in the procedure? On paper, "should this work"? Any general advice on what we might be forgetting to do? If not, then does anyone have any ideas what might be causing this issue? It seems like external connections are getting "confused" by something once we make the switch. Pings seem to get in and out from external sites, and we'll get blips of connectivity through the gateway (clearly, since I loaded google / facebook / youtube to test several times fine, only for it to completely drop out seconds later).
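An added example, not part of the original post or the poster's procedure: a pre-cutover check in Python (standard-library `ipaddress` only) that a practitioner would run against the static inventory before touching the gateway. It confirms every static host and the gateway agree on the target prefix, flags the asymmetric state where a host still treats the gateway as on-link while the gateway's own mask puts that host off-link, and checks the new prefix against the other branches' prefixes. The gateway and the 192.168.1.99 host are taken from the post; the second host and the branch prefixes are constructed for the example and are not the poster's addressing.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Iface:
    """One statically configured interface, as it would be typed into a host."""
    name: str
    ip: str
    mask: str  # dotted-decimal mask, e.g. 255.255.254.0

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_interface(f"{self.ip}/{self.mask}").network

    def on_link(self, other_ip: str) -> bool:
        """True if this host would ARP for other_ip directly instead of sending it to its gateway."""
        return ipaddress.ip_address(other_ip) in self.network


def check_cutover(target: str, gateway: Iface, hosts: list[Iface], branch_prefixes: list[str]) -> list[str]:
    """Return human-readable findings; an empty list means the static inventory is consistent."""
    target_net = ipaddress.ip_network(target)
    findings: list[str] = []
    if gateway.network != target_net:
        findings.append(f"{gateway.name}: configured for {gateway.network}, target is {target_net}")
    for h in hosts:
        if h.network != target_net:
            findings.append(f"{h.name}: configured for {h.network}, target is {target_net}")
        if not h.on_link(gateway.ip):
            findings.append(f"{h.name}: treats gateway {gateway.ip} as off-link and cannot reach it")
        if not gateway.on_link(h.ip):
            findings.append(f"{h.name}: gateway treats {h.ip} as off-link (asymmetric masks)")
    for prefix in branch_prefixes:
        if target_net.overlaps(ipaddress.ip_network(prefix)):
            findings.append(f"target {target_net} overlaps branch prefix {prefix}")
    return findings


TARGET = "192.168.0.0/23"
GATEWAY_OLD = Iface("gateway", "192.168.0.254", "255.255.255.0")  # state before the last step
GATEWAY_NEW = Iface("gateway", "192.168.0.254", "255.255.254.0")  # state after the last step
HOSTS = [
    Iface("test-pc", "192.168.1.99", "255.255.254.0"),    # from the post
    Iface("test-pc-2", "192.168.0.50", "255.255.254.0"),  # constructed
]
BRANCHES = ["192.168.2.0/24", "10.20.0.0/16"]  # constructed; substitute the real branch prefixes

if __name__ == "__main__":
    for label, gw in (("before gateway change", GATEWAY_OLD), ("after gateway change", GATEWAY_NEW)):
        print(label)
        for finding in check_cutover(TARGET, gw, HOSTS, BRANCHES) or ["no findings"]:
            print("  ", finding)
```

Run it with the real static inventory and branch prefixes substituted in; the "before" run documents exactly which hosts sit in the 192.168.1.x half and are therefore off-link from a /24 gateway's point of view until the gateway's mask is changed, and the "after" run should come back empty before any DHCP scope or gateway is touched.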
QFX 3500 40G Port Troubles Posted: 02 Oct 2018 04:49 AM PDT Hello r/networking, long-time lurker here. Feel a bit ashamed that my first activity after so many years is a question instead of an answer, but here we are. I have a Juniper QFX3500 device with Junos 12.2X50-D30.4 installed. I also tried upgrading to 15.1R7.8, but had another issue there. Problems according to versions: On 12.2: the QFX will see PIC 2 and an UNKNOWN QSFP, which tells me the device can configure the QSFP as Ethernet instead of uplink. The OS accepts my command: which enables 40G Ethernet. But the interfaces won't come up. On 15.1: the QFX will only see PIC 1 and will recognize the QSFP as NON-JNPR 40G QSFP. tells me the QSFP is FTL4C1QL1C-G3. I tested these QSFPs on a Cisco Nexus 3000 series and both QSFPs came up and traffic went through just fine. I am thinking there might be compatibility issues, but the seller assured me these were QFX3500-compatible QSFPs and that they tested on a similar device and it worked for them. I might be doing something wrong. Does 15.1 Junos need a license for PIC 2 to come up and see the QSFPs for Ethernet configuration? Or am I doing something wrong?
Eve-ng and mikrotik Posted: 02 Oct 2018 12:46 PM PDT I have been trying to set up CHR in EVE-NG but the MikroTik nodes are not starting (they start but shut down after a couple of seconds). Already tried using different versions (from 6.40.4 and up). Has anyone else had this issue?
Corning ONE SD-LAN PON Posted: 02 Oct 2018 12:08 PM PDT Has anyone done any work with the Corning ONE solution, particularly their SD-LAN PON option? I need to put together a validation lab for it but I've never touched it and I can't find a single user or admin manual on the planet. There's one manual I found on the FCC's site but it's purely about DAS extension and nothing about OLT/ONTs. Thanks for the help. Not sure how I'm going to put together a lab when I can't even find a CLI reference doc...
Visio networking diagrams question Posted: 02 Oct 2018 08:02 AM PDT Is there a possibility in Visio to enable diagonal angled connectors? Right now it's only possible to make horizontal or vertical lines with angled connectors. Something like in this image: http://networkdiagram101.com/wp-content/uploads/2013/05/TIP9-1-4.jpg I know it's possible to create a different angle by holding the CTRL key and dragging the anchor point, but it's not a perfect 90-degree angle this way.
Advice planning how to run point-to-point fiber Posted: 02 Oct 2018 11:39 AM PDT Hey /r/networking, I have a background in networking but I ran into a scenario which I have no formal experience with. Scenario: Location A is located too far from the nearest road to have a line run to it from the area's ISP. Location B (a potential neighbor near Location A) is located near enough to the road to have a line from the ISP run to the location. Assume Location B already has a line run and working. I would like to run fiber from Location A to Location B in order to bring internet access to Location B. I would like to do this by employing two UniFi PoE SFP switches. Networking considerations which I am looking for advice on are:
Edit: If thorough advice cannot be given, but you have topics and terms I should research, feel free to share them. I do not expect to have my hand held for this project. I'm looking for advice on how to better understand what this process involves so I can increase my knowledge in this amazing field.
Moving off of data center security/networking products to AWS offerings? Posted: 02 Oct 2018 06:43 AM PDT Has anyone switched from data center security/networking to AWS offerings? i.e. F5 to AWS Load Balancer, Palo Alto FW to AWS FW, Imperva WAF to AWS WAF? I'm trying to get an idea of how mature and flexible the security capabilities in AWS are compared to other security products. If anyone can share their experience with limitations, pros and cons, etc., that would be great.
Ruckus Implementation Questions Posted: 02 Oct 2018 09:10 AM PDT We are starting a deployment of Ruckus R720s (around 150 APs) and wanted to get some opinions and feedback on what others have done. We are using a hosted instance of Cloudpath. Our test users have found the enrollment process clunky. They have had difficulty installing the app on Android and they seem to always miss the step on iOS of going back to Settings and switching to the secure SSID. On a BYOD Chromebook the process is bad even to me. Something that has disappointed me is that we use Palo Alto firewalls and were told that we can't send logs to the firewall from the hosted Cloudpath, only from the on-prem version (those logs would provide User-ID to the firewall, which is something we want). There has been some discussion that maybe we should just change and go to using RADIUS and have all the users log in with their AD accounts. Has anyone gone that way? What pros/cons are there in doing that? All our staff and students have AD accounts so that's not a concern.
How to Simulate Port Flapping with bad cable Posted: 02 Oct 2018 07:39 AM PDT I want to run a test in a lab environment that induces port flapping by using a bad Cat6 cable. Specifically, how do I damage or mis-configure the cable to produce the results I am looking for?
UniFi USG IPsec VPN to SonicWall Need Help Posted: 02 Oct 2018 06:50 AM PDT Hey All. In need of some clarification/tips/tricks regarding this topic. I am helping out my Dad by working with his IT resource for his company. The goal is to set up an IPsec VPN tunnel from his house to his office. At his house I have set up an entire UniFi system: USG, 2x 8-port PoE switches, 6 APs etc.; everything is working great and running smooth. At his office he has a SonicWall, according to his IT guy I have been talking with. Since at his house the ISP is not static he is worried the VPN connection will be broken every time the ISP renews the IP. He was mentioning something about needing aggressive mode, which I was able to figure out how to enable via the CLI, but I need more explanation on that and what it is used for if someone can help. We still haven't reached the point where we have created the tunnel, as he is meeting with SonicWall, but I wanted to do my own research and reach out to the community. The goal is to get him off of PC Anywhere... and just directly connected to his office.. but he keeps saying that he will still have to launch an application to his desktop for some work. Apparently not enough bandwidth? (He has a 1gb line at home, and a decent business line at the office.) I would love for it to be like my setup. I work from home full time and I use an Aruba RAP directly to a MacBook Pro; once I'm connected to that network, I can do/access anything as if I was in the office. Let me know if this makes sense, I may be missing some key parts; it's been a while since I dug really deep into some networking (got my CCNAs in high school haha). Thank you
Is this a network switch I can use to light up wall ports? Posted: 02 Oct 2018 09:11 AM PDT Hi everyone, not sure if this is a switch or simply a splitter, so I figured I'd ask, and then some background about what we have in this office. Here is the image: https://imgur.com/a/MUCrfeT We have a single fiber connection coming into our building (there is a horrifically cluttered crawl-space closet upstairs where a bunch of old phone and networking equipment is tacked to a wall and many of the wires are simply disconnected, likely due to past private techs just disconnecting and leaving whatever was no longer needed with previous upgrades or changes); it goes to a shitty wi-fi router and the main front-desk PC is hardwired from there. Everything else is wi-fi, and our connection is so bad we need to look at hard-wiring everything. There are numerous networking ports in our walls, and we are all unclear why nothing was done to keep them lit up, but they aren't functional. So I'm working to determine what of the rat's nest in that crawl space is active so that I can test out connections to another (thankfully) marked box that shows the wall connections; there's just nothing plugged into them. If this isn't a switch, I assume what I should probably do is invest in a better router, direct-connect it inside that closet, then wire it up to the switch and send cabling from the switch to the box marked with the wall connections. If it is a switch, I assume I still direct-connect the router in that closet, plug it into one of the switch ports (no clue which one to use, which is why it's confusing as to whether it is a switch or not; I figured there'd be an "in" and then everything else is "out"), and then again send Cat5e to the box with the wall ports that are labeled. Thanks for any thoughts.
We're trying to do this in a cost-effective way, and I'm sure that's horrifying to all of you, but we can't afford the several thousand dollars we've been quoted for new fancy wi-fi routers, a new switch, a new firewall, etc. We are a small shop utilizing Office 365 for our system and it seems like we have, through that, pretty decent protections in place for our files. We do want to invest in a stronger, new router, however. But I'm not sure we need a Ubiquiti UAP-AC-HD Wave 2 access point with hybrid cloud UC-CK device management, an Araknis AN-110-SW-R-25 switch, and a SonicWall TZ300 firewall appliance. My hope is that closet holds the key to our success along with a new router and some cheap Cat5e cables from FireFold. However, while I'm trying to help us save money, I am not at all going to go around pros coming in to assist if that's what it takes. I just also want to ensure due diligence that we aren't buying stuff we don't need.
Boson Ex-sim for ICND1 is only 290 questions Posted: 02 Oct 2018 01:12 AM PDT Hi networking subreddit, I have a question for Boson users: are the 290 questions that you buy for ICND1 (or any vendor) updated from time to time, or is it just that you get what you buy?
Aruba AP 303 vs 305 Posted: 02 Oct 2018 12:40 AM PDT Does anyone have experience with the Aruba 303 AP in comparison to the 305 AP? We've been using 205 and 305 APs until now but saw that the 303 is a lot less expensive than the 305. We talked to two partners and they both suggested that the 303 should be good enough for our requirements, so we are now thinking of standardizing on the 303 because of the lower cost, which would probably allow us to deploy more APs quicker and offer greater coverage overall. Aruba however tries to talk us into staying with the 305 as the 303 "was only made to have a cheap offering to win in biddings and has worse hardware / a slower CPU". However, they couldn't really give us any facts why the 303 would be worse for our requirements than the 305. So I am asking, does anyone have experience with both models or any advice to share? Anything to watch out for using the 303 instead of 305?