    Wednesday, February 6, 2019

    Does anyone else here remember when Cisco Pix firewalls were basically rack mounted PC's and had floppy drives? Networking

    Does anyone else here remember when Cisco Pix firewalls were basically rack mounted PC's and had floppy drives?

    Posted: 06 Feb 2019 08:48 AM PST

    Was just thinking about this for some reason, any other old-timers out there remember these days?

    https://imgur.com/a/eBhAzEY

    Each of the NICs was an Intel PCI NIC like you might slap in a server, behind the thumb screws there was the floppy drive. If you had a failover unit, that's what that 15(?)-pin connector was for. The DB9 connector was obviously for Console access.

    submitted by /u/hiirogen

    Cisco Firepower - what to expect

    Posted: 06 Feb 2019 12:48 AM PST

    It's been a while since I started thinking about sharing my 2 years of experience with this technology, but I was not quite convinced, or in other words, I felt so disappointed that I couldn't even start to think about doing so because of all the issues with the technology itself.

    So you may ask - why now? Well, a couple of months ago I found a "rant" article with a follow-up ...

    (available here: https://www.reddit.com/r/networking/comments/9363af/cisco_firepower_rant/ and here: https://www.reddit.com/r/networking/comments/9vynr9/cisco_firepower_rant_ii/)

    ... and I knew I had to add my "2 cents" since we are seeing a lot of similarities (and not only that).

    One funny thing - when the first "FP rant" was released, one of the TACs contacted me directly asking if that was me :)

    Well, let's start

    To introduce myself, I'm a network engineer currently working mostly with FP technology (FMC, FTD, FXOS etc.). Experienced with other NGFW/traditional enterprise vendors and products such as:

    Checkpoint - both Splat/Gaia sensors, Provider-1, Security management

    FortiNet - FortiGate sensors, FortiAnalyzer

    Juniper - Netscreen sensors, NSM

    In our case, we are talking about a scalable dynamic data center / telco environment with a huge amount of change within the platform itself.

    What are we using

    FMC4k appliances in HA for central management and database, some FP4k & FP9k appliances in logical FTD-HA as well as some 5512 ASA firewalls.

    No virtual devices in place (not that it makes any difference).

    We started with version 6.1.x and now we have three different environments running 6.2.3.x, 6.3.x and even 6.4 beta.

    Honestly, it does not make that much of a difference speaking of SW version since there's minimal progress overall, and it's all because of the - pardon my French - most idiotic FW design I have ever seen in my life!!!

    DESIGN, DESIGN, DESIGN!!!

    This is the root cause of all evil, and because of the design decisions made here, I was able to successfully develop Tourette syndrome after all those years working with the product.

    I'm not quite sure what decisions were made during development, but if you think that using legacy ASA code along with FTD services without a re-design is the way to go, I can assure you that it's not.

    This product has to be redesigned, otherwise I see no way this product can get even close to the enterprise NGFW solutions of other vendors.

    Well, to rephrase - you can try, but we already know the results, and man ... what a disaster it is.

    For the sensor, you have the so-called LINA engine, which is nothing else but legacy ASA code (ACL filter) with magical FTD services on top of it and rabbitmq messaging between those. Cooked into a unified FTD image.

    Just imagine it as a VM running on top of a hypervisor provided by FXOS.

    Speaking of VMs on FXOS, the new 6.3.0 version finally allows running multiple FTD instances. You can share resources, interfaces and so on. Even routing between instances is possible.

    I haven't had time to test this fully yet, but again - a marketing slide is one thing, real experience is something different. From a design perspective, each and every FTD consumes 2 CPU resources for the management plane. Those cannot be shared. Imagine running 12 FTD instances on top of FXOS. This results in 24 CPU cores utilized only for the management plane. Not possible to allocate those for the data plane or share them among instances. What a waste.

    Usability is just a pain as well - you have a different set of commands on each layer, and some of those are not even ported correctly or don't show the same results!

    Basic troubleshooting commands such as "capture" are not the same on both LINA/FTD.

    It's even worse on the latest 6.3.0 version compared to 6.2.3.x.

    Also forget about the "grep" feature for "show route" in 6.3.0 FTD, it's gone. Why? Don't ask me ...

    Sure, you can still "work around" some of these by switching between layers to get some results. You just need to develop a huge sense of humor and the same level of understanding and forgiveness (luckily, I learned that already as a married man).

    Then you have the OPS perspective. Since the beginning, we have been unable to hand this technology over to operations. This is causing overhead for me as a network engineer and for my employer as well (believe me, I have better things to do than creating cases and trying to figure out how to solve and address daily issues).

    FMC is not any better. First surprise is slowness. Second surprise is efficiency.

    It runs 2 fragile databases and we were able to corrupt both with a non-graceful shutdown.

    The number of limitations is also alarming: it doesn't allow you to route management traffic using anything but a default route for IPv6, traffic logs can be shown but it's a nightmare to export them (forget about more than 400k lines). Deployment times are a joke (regardless of what change is performed, you are wasting time because FMC has to download the whole FTD config and deploy the changes back + validate on FTD/ASA).

    More in the section below.

    LIFE WITH FIREPOWER - EXPECTATIONS vs REALITY

    It's quite challenging. As mentioned above, we consider the design the main issue, and almost every issue is caused by that fact.

    FTD/FMC

    When we first started, I couldn't understand how there could be a product on the market with no backup/restore functionality. Honestly, I still don't understand.

    When reported, it was even marked as a "feature request" and not a bug. Yes, you read that correctly. To have backup/restore possibility for an NGFW enterprise product, you need to file a feature request yourself. In the end, we managed to have it re-categorized as a bug, but it caused a lot of pain. And sure, because of the design (sftunnel FMC to FTD) it's not even possible to restore if the device is removed from FMC. Forget it, it's gone. No ETA for a fix! (6.4 affected as well)

    Sure, you can use APIs for that and we are doing so, but until 6.2.3.x those were useless! It's getting better tho.

    But still, if we want to create our own backup/restore using APIs, due to our policy and design construct, it takes ages (hours) to finish the device configuration (FTD-HA - interface/zone/routing perspective).

    Also worth mentioning - try to keep the FTD and FMC versions the same. We have experienced some API inconsistencies when the versions are not the same (you won't find this in the guideline).

    Speaking of FMC, this whole "FTD to FMC" procedure is 100% brainless. You need to remove an FTD from FMC because of some issues? Sure, you can do so, but FMC will not preserve any configuration related to HA (forget about monitoring interfaces, secondary IPs and so on), any routing/routing-related configuration or the binding of logical zones to interfaces. If your policy package is constructed in such a way (as a zone-based FW) you will experience an outage - you have no chance to interrupt this action and FMC will just push the configuration "as is".

    The funny thing is that for version 6.2.0.x this was not even mentioned in the guideline. We performed a re-registration of an FTD due to some issues and we caused an outage. The assigned TAC found a reference since the bug was in the database already. I still remember - this "routing information removal" bug had priority 6 - enhancement at that time! (maybe it still has the same prio, I haven't checked that for a long time).

    Another critical bug affecting FMC-HA deployment resulted in the deletion of "random" ACL lines from the devices to which the configuration was deployed. It literally removed a couple of lines, causing an outage.

    In 2018/2019 you would expect full IPv6 support as well. Reality is a bit different. Version 6.3.0 is the first release supporting object search for IPv6 in FMC. Until now, FMC was unable to parse/handle ":" and there were no results. You cannot even track objects within the policy package ("where used" is not there yet).

    Because of this and all the other limitations of FMC, we are running a 3rd party database with some Excel sheets to back up and to search efficiently. I'm not even mentioning the number of cases raised for FMC over the past 2 years for all the limitations and missing features of the product.

    FMC is unable to do a delta comparison, dry run, lock the policy, revert saved changes, search efficiently, track objects, or create reports for audit purposes (due to known limitations of the whole engine, there's a hardcoded 400 000 line limit for the traffic log/intrusion log report).

    And it is slow. Sometimes you have to withdraw changes you made to the policy package because it's saving for 5+ minutes and it's easier for you to start over.

    And if you want to laugh a lot, try to implement a static IPv6 route. You simply cannot! Why? Apparently, there's a good explanation for that but we have not received it. Maybe they did not see a use case for that :)

    The same applies to the capture feature on FTD: prior to version 6.2.3.x you could not specify an IPv6 address in the filter. As a workaround, you have to capture the whole interface (with no port type filter, otherwise you will get IPv4 only) and grep, or use 3rd party software to work with it.

    The Flexconfig feature to substitute missing or not-implemented ASA-like commands is still in diapers. Prior to version 6.2.3 this even resulted in an unsuccessful rollback in case you inserted a set of commands with typos or with commands that were not taken by FTD for whatever reason. Your configuration got wiped afterwards and FTD just crashed and went to the default state. Considering the time of the deployment (8 mins for a standard config and 19 for a snort-enabled platform) you can easily do the math. This has improved in version 6.2.3 but it's still fragile.

    We experienced the same for NAT.

    Basically, if you are able to implement a change in FMC which is in direct conflict with FTD, FMC will try to deploy it, no matter what. This results in a rollback (and you should start praying to have a successful one).

    The policy package construct is also weird. FTD is using the same construct as ASA. If you are creating a rule which consists of 1 source IP, 1 destination IP and 1 port, you end up nicely with 1 ACL rule. This rule is then redistributed to FMC.

    A modern NGFW rule-base construct is fully aware of nested groups, nested objects and zones. Because of simple combinatorics, rule expansion is actually rising "to infinity and beyond". In our case, we are facing the situation of using an NGFW zone-based firewall without zones because of this limitation (or call it a design). And for sure, this is well described in the guideline, so we just have to keep our heads down and work with it somehow. When the same configuration was deployed to another vendor's SOHO box that's using an object-based construct, it went through successfully without any expansion issues. Sure, competitors have some limitations as well, but in this case our ACL construct consumed all available memory and crashed.

    I almost forgot, if you are using the product, do me a favor. Try to ping any routed unreachable host with a ping count of 2000 as an example, or execute a traceroute towards that IP address. Share the results :)

    SNORT ALMIGHTY

    For Cisco, buying Sourcefire was definitely the right move; as an IPS/IDS this device works well for current and former Sourcefire customers.

    While trying to develop a strategy, we wanted to run some IDS-like solution first to see how many false positives we were getting and what the impact on system resources was. What we did was a scan of the platform using the built-in Nmap solution, a comparison with our 3rd party scanner and creating some host profiles.

    First, the Nmap installed on FMC is version 6.01 from 2012 and is outdated (you can even easily check vulnerabilities for such a version). Seems the vendor is OK with it since this is the version installed on 6.3.0.

    Second, network discovery profiles are missing for a whole variety of enterprise OS versions. The latest VDB database is also outdated. Recommendations are then not accurate, and when we tried to feed FMC using a tailored script and changed the value for the OS, the recommendations were still the same. Why would you even use recommendations if you cannot rely on them? How many false positives could we expect then?

    Another open topic is the granularity of intrusion policies, or in other words - how many policies should/could we implement. Sure, there's no specific answer to that and it all just depends. Off the record, customers are usually using a single-digit number of policies (at least per the rumors we've heard).

    I recommend you check the CCO live slides if you have access to them; they are full of recommendations, best practices and so on. Unfortunately, this is not giving us the answers for the Nmap & discovery profile issues we are having.

    UPGRADE, TEST, REPEAT

    Like every other vendor, Cisco is providing major/minor/patch releases on some agreed basis. This is nice. Theoretically speaking, of course. If I got a penny for every promise regarding stability, usability etc., I could quit my job, move to some paradise island and drink mojitos all day long.

    We are taking every single opportunity to move this product further; we have two testing platforms for beta releases and/or for releases that are installed before being released to our production environment, and I'm getting tired of it.

    Most of the critical topics (and man, we have some!) were supposed to be targeted in version 6.2.3. Cisco committed to deliver stability. Stability that should help us to at least get rid of all the inconsistencies while deploying or changing configuration. The number of TAC cases raised right after the upgrade is in direct conflict with this statement. Nothing has changed!

    And version 6.3.0 isn't magical either. They added backup/restore for FTD, which is quite limited; in case your device is removed from FMC, you cannot restore it anyhow. End of story.

    We don't mind the upgrades; we are even happy to see that there's a timeline for major/minor releases in place, and if a patch is necessary, it is provided mostly ad hoc.

    Unfortunately, if the design does not change we can do upgrades indefinitely. It simply doesn't work for us.

    Long story short: working with this technology in a dynamic environment results in a huge number of cases, bugs and troubleshooting requests with no real progress. This is not something I made up, this is pure engineer/end user experience.

    I personally feel like a beta tester of the product.

    WHAT ABOUT VENDOR?

    The TAC experience is great; these folks are doing their best to help us and address all the issues we are having with the product. The Advanced FP team is trying to solve or at least advise how to avoid such issues in the future.

    On the other hand, the BU is nothing but a black box for us. We have very limited visibility once bugs/feature requests are raised.

    I'm not in a position to judge, but if I'm waiting almost 2 years for critical design-related bugs to be addressed, there has to be something wrong. Not even mentioning all the feature requests we raised. You can try to guess what the progress is there ...

    I really want to be surprised, but I have already lost most of my patience.

    CONCLUSION

    If you are asking who should go and buy this product, it's hard to say.

    If you are in a strong partnership with Cisco or if you are just replacing old ASA firewalls with new Firepowers, it might go a bit better for you than for us. If you are not doing a lot of intrusive/design or conceptual changes, you might even like the product. It is well suited for "set and forget" deployments, or I see a nice implementation for voice & video environments where only Cisco technology is used.

    On the other hand, if you do not require centralized management, I would stick with ASA. Maybe CDO (Cisco Defense Orchestrator) might be an answer for you, but we did not test it since our deployment requires an "on-prem" solution and CDO is unable to provide that.

    I believe that Cisco is pushing here; the APIs are also improved and on version 6.4 beta it seems to be more or less stable.

    If your environment is dynamic, and/or you have no preferred NGFW vendor for now and Firepower was in your scope as well, my recommendation is to avoid it. It's not worth it at the moment, and I believe that it will not be worth the money until it's completely redesigned to at least get close to other vendors.

    TL;DR: I can only say the same as user laclobunu 6 months ago. Don't buy it, it's not worth your time, energy, mental health and money.

    submitted by /u/average_networkguy

    After trying to help an affiliate engineer set up an IPSec tunnel for several hours...

    Posted: 06 Feb 2019 03:16 PM PST

    ...I literally wrote his config for him in Notepad and attached it to an email. What are some of your experiences with gross incompetence within the field?

    submitted by /u/FormationOfBabby

    Suggestions for Nexus training?

    Posted: 06 Feb 2019 07:45 AM PST

    Lots of R&S experience here across the big players, but no quality time in a Nexus environment. I'm getting passed over on interview opportunities and need to ramp up on that tech. Any suggestions on a good place to start?

    submitted by /u/sidewaysouth

    Advice for network monitoring products

    Posted: 06 Feb 2019 12:16 PM PST

    As the title suggests, I am looking into picking a new network monitor and going away from free monitoring such as Cacti as it no longer fits my needs. I have a bunch of experience using Solarwinds Orion and really like their product, but dealing with their sales team is like buying a used car. Once you show them any kind of interest in their product they won't leave you alone. So I really don't want to go down that route with Solarwinds... So what else is out there that you guys would recommend?

    submitted by /u/Nightkillian

    Need advice on how to install new network device

    Posted: 06 Feb 2019 08:59 AM PST

    I manage a few laundries' tech side of things. The owners are installing a card payment system into all of their laundries called spyder wash.

    These require a central hub to be installed, and I am being told it has to be plugged directly into a modem due to the encryption they use; it will not work being plugged into a router.

    I have an existing router and modem with a private network for DVRs as well as a separate isolated network for the guests.

    Is there a way I could connect this hub to the modem without getting a second ISP to the location? Could I put a switch between the modem and router and connect it to that?

    submitted by /u/infiniteapecreative

    Just a funny little close call story from this evening...

    Posted: 05 Feb 2019 08:36 PM PST

    So a coworker of mine and our new manager went to another nearby location about 30 mins away from the main office to replace a UPS which had died (the battery swelled and popped the chassis cover, then the thing failed - never seen that happen before).

    After replacing the UPS the HP Procurve 2610 switch was not coming up, and it had a Fault light on the front. Couldn't ping anything. I started sweating, as we had just had to replace a switch at another office a few days ago which used our only spare PoE switch; we had nothing on hand to replace a defective switch.

    After a couple tries to blindly reboot the switch I asked my coworker if he had a console cable with him. Shockingly, he did. He hooked it up, power cycled the switch, and the following was on screen (he sent me a photo but it's really low quality so I'll retype):

    Flash memory needs reprogramming or chassis could be faulty. Use a PC as the console and perform the update procedure from the backup floppy diskette. If unsuccessful w/ downloading, then try replacing chassis.

    Blahblahblah irrelevant text, then a simple => prompt.

    I stared at the photo for a moment and my thought process went something like this: "Fuckfuckfuckfuck this ain't good... we don't have a replacement... looks like we have corrupted flash so no OS to boot from... WAIT... this is an HP... they have two flashes!"

    A quick Google search led me to the command "jp 2" which told the switch to boot from secondary flash... one minute later BAM we were back up and running again, and I just had to Google how to tell the switch to always boot from secondary flash.

    So, thanks HP and your dual flash! You saved our asses for now so we can get a replacement switch ordered & shipped out to the site.

    submitted by /u/hiirogen

    [Troubleshooting] Site-to-Site VPN between EdgeRouter X and SonicWall

    Posted: 06 Feb 2019 10:06 AM PST

    So I've been pulling my hair out since early this morning trying to figure out why this S2S VPN won't connect. Every document I've found online tells me what I should do but it's still not connecting.

    This is with an EdgeRouter X running 1.10 and a SonicWall TZ400 running 6.5.

    https://imgur.com/a/k1mlya9

    The first image is the settings for the EdgeRouter and the results of a "show vpn log" command. The next images are the settings for the SonicWall.

    As far as I can tell, every setting is right but they still won't hook up. The EdgeRouter is connected to a Comcast Gateway that is in Passthrough mode, so there shouldn't be anything stopping it at the NAT, DMZ or Firewall level. The SonicWall already has 3 active S2S VPNs through a Verizon FIOS connection so that should be fine.

    Can anyone tell me what I'm missing that isn't allowing this to connect?

    submitted by /u/Michelanvalo

    3rd Opinion: OM1 to OM3

    Posted: 06 Feb 2019 03:43 PM PST

    Got into a heated discussion with my boss regarding the purchase of OM3 patch cables (2 meters). Our entire backbone is OM1 and so is almost every other fiber run. He also knows that OM1 and OM3 are not really compatible, but went ahead and purchased OM3 cable and argued that because the OM3 patch cable is fairly short, it shouldn't cause a significant loss of signal, and he wanted to future-proof this install. Admittedly, I get a little hard-headed about this stuff and I can't really fathom why you would do this intentionally. Is mixing MMF standards okay for short distances? Or is it a recipe for headaches down the line?

    submitted by /u/zanacks

    Crazy Fiber question

    Posted: 06 Feb 2019 03:30 PM PST

    I had fiber between two Juniper EX3300-48P switches working. It stopped, and I found the fiber had been cut. I ended up pulling new fiber since the other one was very old. Multimode fiber, and the GBICs are for multimode. Plugged in the fiber today and no link. Tried switching the ends of the fiber on one end and still no link. It does flash quickly a few times then stops. Any ideas?

    Thanks for the help in advance

    submitted by /u/Amazing_Falcon

    line issue cleared during diagnostics - que?

    Posted: 06 Feb 2019 03:18 PM PST

    Hi,

    "line issue cleared during diagnostics" - is this some sort of cop-out from the ISP, in lieu of an actual RCA, or does some magic really happen when they run a particular line test? I couldn't find anything on the net about it, but I do seem to recall from a previous life working with carriers that this kind of explanation was provided every now and then.

    Would anyone know in more technical detail how that is possible, for constant prolonged packet loss to be cured by a given kind of diagnostics?

    Cheers

    submitted by /u/JamesGordon55

    Zscaler issues

    Posted: 06 Feb 2019 03:03 PM PST

    Any Zscaler users out there? I'm having intermittent performance issues in all the ZENs we terminate into (SF, LA, Denver, Dallas). Not really getting anywhere with TAC after 2 days.

    If anybody else is experiencing similar let me know, thanks!

    submitted by /u/zscullen

    Honoring XFF header through Cisco ASA

    Posted: 06 Feb 2019 02:41 PM PST

    Recently I found out that Cisco ASAs are removing XFF from the HTTP header. Is there an option to not strip it off when traffic passes the Firewall?

    submitted by /u/rebeln_n

    Do you travel for work? Would you like to? Just getting a feeler for the community.

    Posted: 05 Feb 2019 05:05 PM PST

    I work for a VAR, and for most of the folks in the partner space, travel to some extent is involved.

    The amount of travel varies WILDLY from firm to firm and position to position, I would just love to get a feel for those out there that are road warriors. I work from home and travel as needed for client projects.

    I traveled ~50 nights last year; personally I would have preferred double that. I have a gf that doesn't mind having the house to herself and we don't have/want any kids.

    Pros

    • Free living while on the road. Some places permit a per-diem for dining expenses
    • Get to see new places
    • Airline/Hotel points & rewards (this really doesn't add up to much.. maybe $5k/yr for someone traveling 150-200 nts/yr)

    Cons

    • You don't get to sleep in your own bed
    • You don't get to workout at your local gym
    • Anything else I am missing?

    How many of you guys out there travel for work, hate it - and why? Conversely, I would love to know how many of you guys out there travel and love it - and why? A lot of people seem to hate work travel and only enjoy it when they are young and single, but I tend to enjoy it to a point (max of 10-12 nts/month).

    submitted by /u/jetter23

    What are you guys using for access layer switches?

    Posted: 05 Feb 2019 07:24 PM PST

    We're doing a new build in a remote site and are looking to possibly not use Cisco for our access layer. We're an Aruba wireless, Cisco wired shop, but for this site we're gonna do Ubiquiti for wireless and are thinking about another vendor for access switching.

    We don't do a whole lot, all normal stuff. Dot1q, port security, LACP, PVST+ and PoE.

    We're considering Ubiquiti, Aruba and Extreme. We're looking for the best balance between price and reliability. If we do Cisco, we would be doing the 2960-X.

    Forgot to add, this is going to be supporting 1000 users.

    submitted by /u/arhombus

    SonicWall TZ300 vs Cisco ISR 921

    Posted: 06 Feb 2019 11:45 AM PST

    Good afternoon my fellow Engineers.

    I manage about 170 locations that all have SonicWall TZ300s with about 5-10 employees at each location. I recently ran across the Cisco ISR 900 series routers, specifically the 921. It appears they're similar in price, and the 921s may possibly be cheaper. I need to confirm with our Cisco rep. However, before I do all of that, I'm curious if anyone has experience with SonicWall and Cisco SMB gear and if they prefer one over the other and why. I have about 20ish locations that I'm going to be rolling out new gear to, so I'm tossing around the idea of trying out the ISR 921s.

    Obviously I'm aware that in general, Cisco is better than SonicWall, and all SMB gear is meh, but still looking for opinions.

    Thanks

    submitted by /u/gmasters428

    Company Doing a Vulnerability Scan Wants VPN Access

    Posted: 06 Feb 2019 11:33 AM PST

    We have a security assessment coming up and I was told they need VPN access into our internal network to do a vulnerability scan, and I'm not sure what to set up. I was thinking about a Clientless SSL VPN connection but I'm not sure. The company emailed me and said they just need remote access and will be connecting to an Ubuntu server to run the vuln scan.

    Any tips on what to do? They didn't really give me much information.

    My company firewall: ASA 5510 using ASDM 7.2

    Edit: So I was informed that a Site-to-Site might be the way to go. This is what I have right now.

    IPsec Site-to-Site

    Peer IP Address: 123.123.123.123 (company's public IP)

    Connection Name: 123.123.123.123 (company's public IP)

    Interface: Outside

    Protected Networks

    Local Network: Not sure what to put here. I'm used to putting a certain IP but I assume a vuln scan needs the entire network

    Remote network: 123.123.123.123 (company's public IP)

    IPsec Enabling

    Group Policy Name: DefaultGrpPolicy

    |x| Enable IPsec

    IKE Authentication

    PSK: ******

    Device Certificate: None

    Encryption Algorithms

    IKE Policy:

    IPsec Proposal: 3des-sha

    submitted by /u/cool_robot

    I pinged the listed Default Gateway on a device, and I received a reply from an IP on a different unrelated subnet. Help me understand how that can happen?

    Posted: 06 Feb 2019 07:25 AM PST

    Hi all,

    I was troubleshooting an issue on a computer that I was doing support for, and I was having some odd networking issues. There was a different device (a printer) on the network with an IP address in the 192.168.18.X range (IP known by looking in the device settings) with subnet mask 255.255.255.0 on the network (known by ipconfig on the computer). The IP address of the computer I was working with was also in the 192.168.18.X range (known by ipconfig), but was different from the IP of the printer, and neither was the network or broadcast address.

    So, I attempted to reach the printer IP address via browser, and did not reach it (connection timed out). So then I tried to ping the printer IP from the computer but I got this odd response:

    Reply from 10.128.128.128 . Destination net unreachable.

    Now, I thought this was very odd, because obviously the reply seems to be coming from a completely unrelated subnet. So, using ipconfig, I found that the Default Gateway on the computer was 192.168.18.1. So, the same subnet as the printer and computer. So then I tried to ping the Default Gateway's IP and got the same reply:

    Reply from 10.128.128.128 . Destination net unreachable.

    Now I'm thoroughly confused. Why is the reply coming from this address?

    So, I knew users had internet access, so I ran tracert to google.com just to see the path it was using to leave the local network. The tracert went successfully straight through the default gateway's IP address and out to the public internet.

    So I don't understand why I was getting the replies from the 10.128.128.128 address when pinging the Default Gateway, but the gateway works fine when using tracert. Can someone help me understand how this might be possible and what I am missing? (FYI, I do not own or manage the network, so I don't have any way to know more than what can be known from the computer.)

    Thanks!

    submitted by /u/riceandcashews

    Automate unscheduled switch config changes with software

    Posted: 06 Feb 2019 04:38 AM PST

I have a legacy set of HP switches that I need to find options for replacement in case of failure. It's in a classroom setting where the classroom can be split into 4 smaller classrooms and each part can have duplicate addresses.

The current network has one large 5400zl (room level) and a number of 2524s (access level) that tweak configuration based on how a user (teacher) selects the setup of the room. They do this using a Windows-based management console, which runs an in-house tool to upload the correct config to the correct switch. This is all behind the scenes and they do no admin work themselves.

    The problem I'm having is that this tool was built specifically for these switches and is broken by a firmware update, so I'm certain that any new switch I look at will not work. I'm looking for a COTS replacement to this tool (or a way to create another tool) that will do the required configuration updates to a newer switch.

    I've considered Solarwinds NCM/Kiwi catTools but I'm not sure these give me the software based solution I need.

    I'm by no means a network engineer, as I mainly do software, so sorry if this seems obvious!

    Any ideas?

    Thanks

    submitted by /u/Ghost5831
    [link] [comments]

    FortiGate or Palo Alto which would you choose?

    Posted: 06 Feb 2019 05:56 AM PST

    Since we're speaking about Firewalls around here today, we just finished up a POC and I'd like to take a measurement of how people feel about these two firewalls. I liked both of them but am unsure which direction to go.

    Our needs are pretty basic, terminate IPSEC tunnels on them (we have both internal firewall HA sets and an external pair), remote connectivity for employees, web filtering, malware detection, SSL decryption etc...

    We also would need to use Panorama or FortiAnalyzer to look at User Productivity logs that are older (say around 90 days of data).

What are your thoughts? Any big gotchas I should consider before I consider switching over our entire infrastructure to these? I would be ripping and replacing 4 instantly, adding another 2 in the next couple of months, and then another 2 in about a year. There's potential, with remote sites and protecting that data, that it could grow up to about a total of 30, with very small firewalls at some remote locations.

    submitted by /u/OUScotty
    [link] [comments]

    re-IPing a Public IP network to Private IP

    Posted: 06 Feb 2019 05:54 AM PST

    Happy Hump Day,

    I've been tasked with moving a 30,000 user network from a public IP'd network to a private IP'd network. I've done some searching but would like to get ideas or a basic plan of attack for this project.

    Background of the current network state:

    - Flat Layer 2 design from access to core

    Unfortunately, this is in the beginning stages of the project and all the information I have on the network. Any ideas, things to watch for, obvious no no's would be much appreciated.

Thanks in advance!

    submitted by /u/bohdiboy
    [link] [comments]

    Shrubbery Tacacs+

    Posted: 06 Feb 2019 09:11 AM PST

    http://www.shrubbery.net/tac_plus/

I'm just curious if anyone has this deployed in the wild on larger networks, and if so, how does it work for you? Did you come across any gotchas? Are there any other or better TACACS+ daemons out there?

    submitted by /u/Squirrelypawn
    [link] [comments]

    IOS and IOS-XE: y u no PIM Anycast RP?

    Posted: 06 Feb 2019 05:24 AM PST

    Shower thought: Does anyone know why PIM (not MSDP) Anycast RP has never been implemented in IOS and IOS-XE? Cisco can position the N77 however they wish, but frankly, many of us will never use Nexus outside of the data center.

    submitted by /u/ariesgeek
    [link] [comments]

    NagiosMonitoring for FlexFabric Switches

    Posted: 06 Feb 2019 03:00 AM PST

    Hi @all,

We are running several FlexFabric switches in our network fabric (7900 / 5900 / 5800).

Most of them are configured in an IRF domain, and we are now searching for a Nagios monitoring check for those switches.

Does any of you monitor those switches with Nagios? If yes, which check do you use?

    Hope someone can help me :)

    Greetings,

    Rattle

    submitted by /u/LRRattlesnake
    [link] [comments]
