Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k

adorai posted:

Anyone here work for an MSP with a service or specialty on managing WANs? We are going to be replacing our MPLS WAN with a hodgepodge of Metro Ethernet providers. The company that does our circuit monitoring and who can give router config advice for these circuits is wanting a giant pile of money to continue doing so, $150/mo/site. Considering we have over 50 sites, we could easily hire a network guy just for this, possibly also a helpdesk guy as well with the price they are asking. Can anyone give me an estimate of what a reasonable price would be? The primary duties would be initial configuration assistance of the routers, monitoring them for downtime and interface errors, and being on standby to answer general to advanced networking questions regularly (less than 1 hour per month of this).

Why not just set up EEM scripts to check for errors, Pingdom for monitoring, and pay a consultant a flat fee a month on retainer to answer your questions?


adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

Sepist posted:

Why not just set up EEM scripts to check for errors, Pingdom for monitoring, and pay a consultant a flat fee a month on retainer to answer your questions?

That's probably what we'll end up doing. We already run cacti and rancid ourselves.

Mierdaan
Sep 14, 2004

Pillbug
ASA goons: how boned am I if my boss wants one of our helpdesk guys, who has no Cisco-specific training (or even network training in general) to be in charge of the installation and management/reporting for an ASA IDS/IPS module?

Nitr0
Aug 17, 2005

IT'S FREE REAL ESTATE
Completely.

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!

Mierdaan posted:

ASA goons: how boned am I if my boss wants one of our helpdesk guys, who has no Cisco-specific training (or even network training in general) to be in charge of the installation and management/reporting for an ASA IDS/IPS module?

Installation, as in racking the device and powering it on, then pulling his cell phone out of his pocket to call someone who knows what they're doing? :)

Mierdaan
Sep 14, 2004

Pillbug

GOOCHY posted:

Installation, as in racking the device and powering it on, then pulling his cell phone out of his pocket to call someone who knows what they're doing? :)

If only.

jwh
Jun 12, 2002

It's really kind of nuts how the ASA platforms continue to live in the dark ages with respect to some things, and yet not others.

I've heard through the grapevine that the ASA CX functionality (i.e., content inspection) may be coming down to the other members of the ASA-X family as an on-box software module, but who can say.

It would be nice.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Yeah, this is a hilariously terrible idea.

some kinda jackal
Feb 25, 2003

 
 

Mierdaan posted:

ASA goons: how boned am I if my boss wants one of our helpdesk guys, who has no Cisco-specific training (or even network training in general) to be in charge of the installation and management/reporting for an ASA IDS/IPS module?

Ask him if he'd put his secretary in charge of the ASA. When he says no, ask him why not?


(don't actually do this)

Mierdaan
Sep 14, 2004

Pillbug
Yeah, I'm in a rough spot. I have no problem telling my boss when he's making a bad decision, but in this case that also involves saying that the helpdesk guy can't handle it. Said helpdesk guy is an extremely nice, helpful dude who is great at his job... but this is not his job.

Like, the only Cisco knowledge he has right now is how to change a port's VLAN, and he has to consult his written notes for that every single time.

some kinda jackal
Feb 25, 2003

 
 
It's a tough spot to be sure, but I think you need to explain to your boss why this is a terrible idea.

I don't know what your environment is like, but perhaps you could suggest it in such a way that doesn't exclude the helpdesk guy altogether. Suggest to your boss that a little CCNA training would go a long long way towards him being able to competently handle a device like this. It wouldn't make him an ASA master, but for the price of a few community college courses and an investment of a year this guy would be able to transition the responsibility to himself in a moderately safe manner.

Maybe suggest it as a way to further his career.

Just my two cents.

Mierdaan
Sep 14, 2004

Pillbug
Yeah that's what I've sorta been suggesting. The problem is that we have another helpdesk guy we're grooming to take over my network responsibilities, so my boss has decided the first helpdesk guy should transition into some sort of nebulous "security" role. And, you know, managing an IDS/IPS would be a great starter project for that :saddowns:

Anyways, sorry, I'll stop whining about my boss.

some kinda jackal
Feb 25, 2003

 
 
Well, at the very least I'd suggest buying the network guy a copy of CBTNuggets' CCNA videos. They're pretty good at giving someone a 1,000 foot overview of networking. Basically if this guy doesn't have an aptitude for networking then he's going to have a terrible time of it the second anything actually happens.

Good luck, though!

Nitr0
Aug 17, 2005

IT'S FREE REAL ESTATE
I've got one of these on the shelf you can have.

http://www.amazon.ca/Cisco-ASA-All-One-Appliance/dp/1587058197

In just 1000 short pages you too can be well versed in the ways of a Cisco ASA version 8.2!!!

bort
Mar 13, 2003

I would approach it that your boss is being unfair to the helpdesk guy. An ASA is a non-trivial responsibility, a complex device and puts a neophyte in a position where s/he can put the business at risk. I think both have their hearts in the right place -- it's good to want to elevate lower-tier IT personnel and I like someone who wants to learn. But the person put in a security position needs to understand the stakes and be trained properly.

If your boss won't listen to you, then it's his risk to absorb and you warned him. Maybe that horse ain't thirsty.

some kinda jackal
Feb 25, 2003

 
 
Yeah, I would definitely say it's unfair to the helpdesk guy. The second anything non-trivial is thrown in his lap he is going to get fired. I don't think this is an "if" but more of a "when".

So in his case it could be that the road to hell is paved with good intentions. Someone could offer me a job at NASA tomorrow, but I don't expect to be there too long once they figure out I'm no good at what they tell me to do.

bort
Mar 13, 2003

Devil's advocate: there are people I've underestimated who improved dramatically once they got out of the constantly-interrupted world of helpdesk/desktop support. Having to follow instructions to perform a process may only mean the person has no time to absorb the how/why because they need to get back to helping that executive secretary with her Outlook. But you're not wrong to be concerned.

Mierdaan
Sep 14, 2004

Pillbug
Nitpick: he's only being asked to manage the IDS/IPS module. I'm still responsible for the ASA itself, not that we do anything very complicated with it.

But yeah, he's a very nice older guy who has been doing helpdesk for 20-30 years at several companies. He's great with end-users, has industry-specific knowledge that is really valuable to us, but he doesn't pick up new things very fast. Or at least, he hasn't - we're sending him to some other training next week that is well outside his normal duties, so I'm pretty curious to see how that goes.

some kinda jackal
Feb 25, 2003

 
 
If they're sending him to some training then I think a rudimentary CCNA Exploration course shouldn't be out of the question. I'd definitely suggest that, if only to help him out.

But yeah, best of luck to you both :)

edit: I guess my hesitation stems from the fact that managing IDS/IPS seems like a bad job for someone who's not versed in networking. That's pretty mission critical, and in the case of any intrusion the first question asked would be "why was the guy with no network experience put in charge of network security" is all. I didn't mean to imply he couldn't pick up on the concepts or anything, whether or not it would be an uphill battle. But not to sell the guy short, maybe he can make it work :)

some kinda jackal fucked around with this message at 01:12 on Sep 7, 2012

inignot
Sep 1, 2003

WWBCD?

Mierdaan posted:

...he's a very nice older guy who has been doing helpdesk for 20-30 years at several companies.

If that guy was going to rise beyond an entry level skillset he would have done it already.

Since ASA is the topic of the moment, anyone know where the ASA is on:

-more than two IPv4 OSPF processes?
-any IPv6 dynamic routing?

captaingimpy
Aug 3, 2004

I luv me some pirate booty, and I'm not talkin' about the gold!
Fun Shoe

inignot posted:

If that guy was going to rise beyond an entry level skillset he would have done it already.

Since ASA is the topic of the moment, anyone know where the ASA is on:

-more than two IPv4 OSPF processes?
-any IPv6 dynamic routing?

nope and nope

nzspambot
Mar 26, 2010

CaptainGimpy posted:

nope and nope

I have a 5510 (8.4) with two different OSPF processes (10 and 20)

captaingimpy
Aug 3, 2004

I luv me some pirate booty, and I'm not talkin' about the gold!
Fun Shoe

nzspambot posted:

I have a 5510 (8.4) with two different OSPF processes (10 and 20)

Right, the question was more than two. Two is the max.

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!
Annoying...

We have several (75 or so per chassis) NxT1 MLPPP connected clients that are terminated to Cisco 7200's throughout our network. Customer connections will work without issue for months at a time but then we will start hearing sporadic reports of slowness. When we start hearing clients reporting slow connections we investigate and a 'sh ppp multilink' shows dropped fragments. We'll remove the interleaving and fragment delay, configure "ppp multilink fragment disable" and the "speed" issue immediately goes away.

We've opened a few tickets with the TAC and even they can't figure it out. Reboot the chassis during a maintenance window and we don't hear from anybody again about slowness for another 6-8-10 months. Rinse, repeat. :sigh:

Trying to get our engineering group to consult with TAC again one more time.

nzspambot
Mar 26, 2010

CaptainGimpy posted:

Right, the question was more than two. Two is the max.

right, I should learn to read :downs:

bort
Mar 13, 2003

GOOCHY posted:

Annoying...

We've opened a few tickets with the TAC and even they can't figure it out. Reboot the chassis during a maintenance window and we don't hear from anybody again about slowness for another 6-8-10 months. Rinse, repeat. :sigh:
[snips]
Trying to get our engineering group to consult with TAC again one more time.

Haven't heard of it, but that smells an awful lot like a bug.

a world called z0r
Aug 31, 2012

anyone know if a 6509 VSS can do eFSU from vz "uninstalled" code to mz code?

don't loll too hard at vz uninstalled... i didn't do it.

a world called z0r
Aug 31, 2012

inignot posted:

If that guy was going to rise beyond an entry level skillset he would have done it already.


Some people really like Tier 1.

brent78
Jun 23, 2004

I killed your cat, you druggie bitch.
Need a router that can do 500-800 Mbps of AES256 crypto. I'm looking at the ASR1001, but not familiar with the entire Cisco line these days.

CrazyLittle
Sep 11, 2001





Clapping Larry

brent78 posted:

Need a router that can do 500-800 Mbps of AES256 crypto. I'm looking at the ASR1001, but not familiar with the entire Cisco line these days.

Cisco claims 1.8gbps throughput bandwidth, but that's assuming that you do nothing else with that router. I would probably look into an ASR1002 with an ESP10 if you're serious about trying to push 1gbps of encrypted traffic. The base ASR1001 only has a 2.5gbps ESP in there which they list at 1gbps ipsec throughput. You can "upgrade" it to the ESP5 which is 1.8gbps.

CrazyLittle fucked around with this message at 05:01 on Sep 12, 2012

jwh
Jun 12, 2002

Nexus 5k experiences: yay? nay?

I'm thinking about bringing them in as replacements for a number of 3750s.

The driver is more affordable 10g density.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

jwh posted:

Nexus 5k experiences: yay? nay?

I'm thinking about bringing them in as replacements for a number of 3750s.

The driver is more affordable 10g density.

I have a pair of 5548up switches. I like them. My main complaint is that my 1gb base-t transceivers only work in ports 1-16, and I was under the impression that they should work in all ports. And these switches are super loud, like twice the volume of anything else in our server room.

Bluecobra
Sep 11, 2001

The Future's So Bright I Gotta Wear Shades

jwh posted:

Nexus 5k experiences: yay? nay?

I'm thinking about bringing them in as replacements for a number of 3750s.

The driver is more affordable 10g density.

You might want to consider looking at the S4810 switch from Force10/Dell. It has 48x wire-rate 1/10GbE ports, 4x 40GbE ports, an IOS-like CLI, and less than 900ns switching latency. We have a ton of these and they are pretty rock solid. We're paying $15k a pop for them, I doubt Cisco can get anywhere near that price for a comparable Nexus switch.

I also recently found a reseller that sells Twinax 10GbE cables for dirt cheap which helps keep connectivity costs down for shorter cable runs.

ToG
Feb 17, 2007
Rory Gallagher Wannabe
I've posted this in the certification thread but it might be better here.

I have a study guide that says:

Sybex CCNA Study Guide posted:

IP Subnet Zero

This command allows you to use the first and last subnets in your network design. For example, the Class C mask of 255.255.255.192 provides subnets 64 and 128 but with the ip subnet zero command, you now get to use subnets 0, 64, 128 and 192. That's two more subnets for every mask we use.

But I'm being told that's wrong and that we only lose 1 subnet (subnet zero). Which is right?

Lazer Vampire Jr.
Mar 31, 2005

Ask me about whatever fat loss diet is popular this month!
From Odom's Cert Guide ICND2 pg 177

Odom posted:

Older editions of this book stated that you should assume that the zero subnet cannot be used, unless an exam question implied that the zero subnet was usable. The current CCNA exams, and therefore this book, allow the zero subnet to be used unless the exam question states or implies that it should not be used.

Also in there is the note that since IOS version 12.0, ip subnet-zero has been the default setting, and unless otherwise noted in test questions you should assume it is enabled.

It was really stupid that my curriculum in comm college for cisco was still on the old no ip subnet-zero standard when the CCNA at the time would have failed me on subnet questions because they hadn't kept up.

ToG
Feb 17, 2007
Rory Gallagher Wannabe
For the current CCNA/ICND2 you may be asked to base an answer on whether or not it's on. It's the default in everything after 12.0, but if I get asked a question assuming no ip subnet-zero, do I conclude that the first subnet cannot be used? Or that the first and last subnet may not be used (as the Sybex book says)?

bort
Mar 13, 2003

Only the first subnet. These get lumped together because of how the binary works. The last subnet in your example (the "all ones" subnet) is not affected by whether ip subnet-zero is on or not. The class C network with the /26 mask would have the .192 subnet available, regardless. It was recommended that you didn't use the all-ones subnet since, for example, 192.168.1.255/24 and 192.168.1.255/26 both have the same broadcast address¹. Therefore, a misconfigured client with a /24 subnet mask could cause routing loops on the router that held the 192.168.1.192/26 subnet.

¹ in binary, subnet bits | host bits:
/24: 11000000 10101000 00000001 |11111111
/26: 11000000 10101000 00000001 11|111111

bort fucked around with this message at 03:12 on Sep 13, 2012
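To make the subnet-zero question concrete (the Sybex "two subnets" claim above versus the "only subnet zero" answer), here is an added Python example that is not from the thread or from any of the books quoted. It enumerates the /26 subnets of 192.168.1.0/24 with and without subnet zero, labels the zero and all-ones subnets, and shows the broadcast-address overlap between a host misconfigured with a /24 mask and the all-ones /26 subnet. The function names and the 192.168.1.0/24 example are the author's choices; only the standard `ipaddress` module is used.

```python
"""Subnet-zero / all-ones subnet arithmetic (added example, not from the thread)."""
import ipaddress


def enumerate_subnets(network, new_prefix, subnet_zero=True):
    """Return the subnets of `network` carved at `new_prefix`.

    With subnet_zero=False the first (all-zeroes) subnet is dropped, which is
    what `no ip subnet-zero` does. The all-ones subnet is never dropped by it.
    """
    net = ipaddress.ip_network(network)
    subnets = list(net.subnets(new_prefix=new_prefix))
    return subnets[1:] if not subnet_zero else subnets


def classify(subnet, parent):
    """Label a subnet as 'zero', 'all-ones' or 'normal' relative to its parent.

    The subnet field is the run of bits between the parent prefix and the
    subnet prefix; all-zeroes is subnet zero, all-ones is the last subnet.
    """
    parent = ipaddress.ip_network(parent)
    width = subnet.prefixlen - parent.prefixlen
    offset = int(subnet.network_address) - int(parent.network_address)
    field = offset >> (subnet.max_prefixlen - subnet.prefixlen)
    if field == 0:
        return "zero"
    if field == (1 << width) - 1:
        return "all-ones"
    return "normal"


def broadcast_of(address, prefix):
    """Broadcast address a host derives from its own address and mask."""
    iface = ipaddress.ip_interface(f"{address}/{prefix}")
    return str(iface.network.broadcast_address)


def bits(address, prefix):
    """Dotted binary with '|' separating subnet bits from host bits."""
    raw = format(int(ipaddress.ip_address(address)), "032b")
    grouped = " ".join(raw[i:i + 8] for i in range(0, 32, 8))
    idx = prefix + prefix // 8  # account for the spaces already emitted
    return grouped[:idx] + "|" + grouped[idx:]


def demo(parent="192.168.1.0/24", new_prefix=26):
    """Print the comparison for the network used in the post above."""
    for flag in (True, False):
        subs = enumerate_subnets(parent, new_prefix, subnet_zero=flag)
        label = "ip subnet-zero" if flag else "no ip subnet-zero"
        names = ", ".join(f"{s} ({classify(s, parent)})" for s in subs)
        print(f"{label}: {len(subs)} usable -> {names}")
    # A host in the all-ones /26 whose mask is mistakenly /24 computes the same
    # broadcast address as the correctly configured /26 subnet.
    print("host 192.168.1.200/24 broadcast:", broadcast_of("192.168.1.200", 24))
    print("host 192.168.1.200/26 broadcast:", broadcast_of("192.168.1.200", 26))
    print("/24:", bits("192.168.1.255", 24))
    print("/26:", bits("192.168.1.255", 26))


if __name__ == "__main__":
    demo()
```

Running `demo()` shows four /26 subnets with subnet zero enabled and three without it, with 192.168.1.192/26 still present in both lists; that is the answer to the question in the thread, and the broadcast lines show why the all-ones subnet was historically avoided.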

ragzilla
Sep 9, 2005
don't ask me, i only work here


jwh posted:

Nexus 5k experiences: yay? nay?

I'm thinking about bringing them in as replacements for a number of 3750s.

The driver is more affordable 10g density.

10g ToR? Considered Arista?

ToG
Feb 17, 2007
Rory Gallagher Wannabe

bort posted:

Only the first subnet. These get lumped together because of how the binary works. The last subnet in your example (the "all ones" subnet) is not affected by whether ip subnet-zero is on or not. The class C network with the /26 mask would have the .192 subnet available, regardless. It was recommended that you didn't use the all-ones subnet since, for example 192.168.1.255/24 and 192.168.1.255/26 both have the same broadcast address. Therefore, a misconfigured client with a /24 subnet mask could cause routing loops on the router that held the 192.168.1.192/26 subnet.

I tried it on my lab and the all-ones subnet did work as you say, however all the books I check say that using no ip subnet-zero means you lose two subnets. That's what has me so confused.


bort
Mar 13, 2003

It used to be recommended that you didn't use either all-zeroes or all-ones. That might be why they're saying that.

I'd wager the test definitely won't pull a gotcha question on that one, but I don't know for sure.
