|
Farking Bastage posted: VTP on switches is awfully nice.

I'm guessing you've never had the pleasure of someone attaching a new device to the network with a higher VTP revision number which ends up taking over the VTP domain.
|
# ? Dec 4, 2013 17:02 |
|
How do you justify buying Cisco when say the equivalent HP gear is at least half the price? Aren't you bound by purchasing to get multiple quotes?
|
# ? Dec 4, 2013 18:40 |
|
Are you paying list? Doing it wrong
|
# ? Dec 4, 2013 18:46 |
|
FatCow posted: This would be true if it did loving BGP.

NO!!!! Treat a firewall as a firewall; if you need to route, get a router.
|
# ? Dec 4, 2013 18:59 |
|
ragzilla posted: I'm guessing you've never had the pleasure of someone attaching a new device to the network with a higher VTP revision number which ends up taking over the VTP domain.

VTP Version 3 is great!
|
# ? Dec 4, 2013 19:02 |
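The takeover the two posts above describe, as an added, simplified model (this editor's code, not from the thread or from Cisco): VTP v1/v2 members adopt any advertisement for their domain that carries a higher configuration revision, so a lab switch plugged in at revision 200 with a stale two-VLAN database replaces the production VLAN list on every server and client; VTP v3 members apply only the database of the primary server they already trust. The switch and advert structures, the names, and the plain equality check standing in for VTP's MD5 digest of domain and password are assumptions; the v3 takeover path (an administrator deliberately running `vtp primary`) is not modelled.

```python
"""VTP revision takeover, modelled in Python (added example, not from the thread).

Simplified model: VTP v1/v2 members adopt any advertisement carrying a higher
configuration revision for their domain and password (real VTP checks an MD5
digest, modelled here as an equality test); VTP v3 members apply only the
database of the primary server they already know. The v3 takeover path
(an admin running 'vtp primary') is deliberately not modelled.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Advert:
    domain: str
    password: str
    revision: int
    vlans: Dict[int, str]             # vlan id -> name
    version: int = 2
    primary_id: Optional[str] = None  # v3 only: identity of the sending primary server


@dataclass
class Switch:
    name: str
    domain: str
    password: str
    version: int = 2
    mode: str = "server"              # server | client | transparent
    revision: int = 0
    vlans: Dict[int, str] = field(default_factory=dict)
    primary_id: Optional[str] = None  # v3: the primary this switch trusts
    log: List[str] = field(default_factory=list)

    def receive(self, adv: Advert) -> bool:
        """Apply one advertisement; True if the local VLAN database was replaced."""
        if self.mode == "transparent" or adv.domain != self.domain or adv.password != self.password:
            self.log.append("ignored: transparent, or domain/password mismatch")
            return False
        if self.version == 3 and adv.primary_id != self.primary_id:
            self.log.append(f"v3: ignored advert from non-primary {adv.primary_id} (rev {adv.revision})")
            return False
        if adv.revision <= self.revision:
            self.log.append(f"ignored: rev {adv.revision} <= local rev {self.revision}")
            return False
        lost = sorted(set(self.vlans) - set(adv.vlans))
        self.vlans, self.revision = dict(adv.vlans), adv.revision
        self.log.append(f"adopted rev {adv.revision}; VLANs removed: {lost}")
        return True

    def advertise(self) -> Advert:
        """Summary advert as sent by this switch (v3 adverts name their primary)."""
        primary = self.primary_id if self.version == 3 else None
        return Advert(self.domain, self.password, self.revision, dict(self.vlans), self.version, primary)


def plug_in(domain: List[Switch], newcomer: Switch) -> List[str]:
    """Flood the newcomer's advert to the domain; returns the switches whose database changed."""
    adv = newcomer.advertise()
    return [sw.name for sw in domain if sw.receive(adv)]


def primary_update(domain: List[Switch], vlan_id: int, name: str) -> List[str]:
    """The legitimate primary (domain[0]) adds a VLAN and re-advertises."""
    primary = domain[0]
    primary.vlans[vlan_id] = name
    primary.revision += 1
    adv = primary.advertise()
    return [sw.name for sw in domain[1:] if sw.receive(adv)]


PROD_VLANS = {1: "default", 10: "users", 20: "servers", 30: "voice"}


def demo(version: int):
    """Three production switches at revision 42, then a lab switch at revision 200
    that only knows VLANs 1 and 99 is plugged in. Constructed scenario."""
    prod = [Switch(f"core{i}", "CORP", "vtp-pw", version, "server" if i == 1 else "client",
                   42, dict(PROD_VLANS), "core1" if version == 3 else None) for i in (1, 2, 3)]
    lab = Switch("lab-sw", "CORP", "vtp-pw", version, "server", 200,
                 {1: "default", 99: "lab"}, "lab-sw" if version == 3 else None)
    return plug_in(prod, lab), prod


if __name__ == "__main__":
    for v in (2, 3):
        changed, prod = demo(v)
        print(f"VTP v{v}: database replaced on {changed or 'nobody'}; core1 now has {sorted(prod[0].vlans)}")
```

The point the model makes is that the v1/v2 check is purely "higher revision wins": a correct domain name and password do not protect you, because the lab switch that came back from a test rig has both. Setting returned or new switches to transparent mode before cabling them, or running v3 with a single primary server, is what stops the wipe.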
|
Anyway, now for a real question. Is there robust troubleshooting capability on an ASA, that is, without looking at the syslog, which is inevitably filled with crap that no one actually cares about but legally they are required to? I'm trying to do a test ping over an IPsec tunnel between a device on the inside of the ASA and a router on the outside. Here are my configlets:

Router: code:
ASA 5520: code:
I feel like I'm missing something, because I get this error on the router:

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer xyz.yz.yyz.4

but I don't know how to check what the ASA is complaining about. Anyone familiar with ASA 8.4 syntax, and troubleshooting capabilities? JWH?
|
# ? Dec 4, 2013 19:12 |
|
ToG posted: How do you justify buying Cisco when say the equivalent HP gear is at least half the price? Aren't you bound by purchasing to get multiple quotes?

You really shouldn't buy critical infrastructure based on cost (actually you shouldn't buy very many things at all based on cost alone). You buy to their strengths. Cisco is great with routing, switching, and I guess VoIP is good too. F5 makes industry-leading load balancers, Palo Alto has great firewalls, Riverbed has really good WAN acceleration, Aruba for wireless, Gigamon for packet aggregation, etc. Why not use the right tools for the job? The only reason for keeping the same vendor for multiple aspects of the network is the familiarity of operation, thus Cisco for routing and switching, but everything else Cisco makes doesn't follow IOS conventions very well, for better or worse, so there is no advantage to keeping the same vendor.
|
# ? Dec 4, 2013 19:18 |
|
ToG posted: How do you justify buying Cisco when say the equivalent HP gear is at least half the price? Aren't you bound by purchasing to get multiple quotes?

No one is paying cost. We are R&S heavy, which Cisco is great at; we still use F5 for load balancing since the ACE is rear end, Arris for some CMTS, and a mix of ASA and Checkpoint (ew) for security.
|
# ? Dec 4, 2013 19:22 |
|
ToG posted: How do you justify buying Cisco when say the equivalent HP gear is at least half the price? Aren't you bound by purchasing to get multiple quotes?

I work in public sector (education) and even when we request quotes, our partner still demolishes everyone else for the price they can offer us. Education mark-down is amazing. We use a lot of Cisco because we've never paid MSRP. That said, firewalls and routers are Juniper because they're great!
|
# ? Dec 4, 2013 19:42 |
|
Powercrazy posted: Anyway, now for a real question. Is there robust troubleshooting capability on an ASA, that is, without looking at the syslog which is inevitably filled with crap that no one actually cares about but legally they are required to?

Powercrazy posted: I feel like I'm missing something, because I get this error on the router:

Looks like a transform set mismatch. Can you explicitly set the ASA to do SHA in phase 1?
|
# ? Dec 4, 2013 20:31 |
|
Powercrazy posted: I feel like I'm missing something, because I get this error on the router:

term mon
debug crypto isakmp 255

Brace yourself for debug logs.
|
# ? Dec 4, 2013 20:50 |
|
ragzilla posted: term mon

255 gives you a ton of poo poo you never need (packet dumps in HEX); usually 128 is sufficient.

IOS:
debug cry isakmp
debug cry ipsec

ASA:
debug cry isakmp 128
debug cry ipsec 128
|
# ? Dec 4, 2013 22:34 |
|
ToG posted: How do you justify buying Cisco when say the equivalent HP gear is at least half the price? Aren't you bound by purchasing to get multiple quotes?
|
# ? Dec 5, 2013 01:16 |
|
ToG posted: How do you justify buying Cisco when say the equivalent HP gear is at least half the price? Aren't you bound by purchasing to get multiple quotes?

Because HP is pure poo poo.
|
# ? Dec 5, 2013 03:10 |
|
nzspambot posted: because HP is pure poo poo

It's easier to make the argument for Cisco with core and distribution switches, but it's not as cut and dry as "HP is poo poo lol". The bottom line is still the bottom line, and when it makes sense to save money on a ProCurve switch I'll do it.
|
# ? Dec 5, 2013 03:17 |
|
I'm trying to set up a mirrored port on my Cisco 2960, so that I can connect up a network monitoring appliance. I thought I'd set up the SPAN port correctly, but my monitoring appliance is not picking up any data, and running a tcpdump on its monitoring port confirms this. I configured with the following commands (monitoring appliance is connected to gi0/3, and I want to monitor the internet connection which connects to gi0/1):

monitor session 1 source interface Gi0/1
monitor session 1 destination interface Gi0/3

code:
When I run 'sh int gi0/3' i can see packets passing out of the port, but nothing is being received by my monitoring appliance. I've checked all cables etc. Whilst it could possibly be the appliance which is hosed, I think it's far more likely that I've misconfigured something on the switch. Any input would be appreciated!
|
# ? Dec 5, 2013 03:51 |
|
Zartans Lady Mask posted: Any input would be appreciated!
|
# ? Dec 5, 2013 03:55 |
|
adorai posted: You say monitoring appliance, what exactly is it? You may have to set your NIC to promiscuous mode.

It's a specialised network monitoring appliance, rather than a computer with an extra NIC running Wireshark, and shouldn't require any additional config on its monitoring port to work. It is a possibility that the appliance is just knackered, but I'd rather rule out my lovely switch config first before getting a replacement.
|
# ? Dec 5, 2013 04:09 |
|
Zartans Lady Mask posted: It is a possibility that the appliance is just knackered, but I'd rather rule out my lovely switch config first before getting a replacement.
|
# ? Dec 5, 2013 04:26 |
|
adorai posted: We pay about 5% more when buying equivalent Cisco and ProCurve gear. If it weren't for our voice needs, I wouldn't put in another Cisco router ever, but the switches are a pretty decent price. We use Fortigate for our firewalls, Ubiquiti for our metro Ethernet routers where we do not have voice, Ubiquiti for backup VPN links (gently caress paying the $600 for IP security licenses or for a 5505 when an EdgeRouter does it for $100). Ubiquiti for our wireless, and I think that pretty much covers it. We have a pair of Nexus 5k switches in our datacenter, but we got a pretty good price on them and just have the base licensing.

Fortigates are my second choice next to a Palo. Nice little boxes. Outside of going Mikrotik or a hacked-up DD-WRT (lol), you can't find a $500 firewall that you can set up for dual WAN failover that I know of.
|
# ? Dec 5, 2013 04:32 |
|
Zartans Lady Mask posted: I'm trying to set up a mirrored port on my Cisco 2960, so that I can connect up a network monitoring appliance. I thought I'd set up the SPAN port correctly, but my monitoring appliance is not picking up any data, and running a tcpdump on its monitoring port confirms this. I configured with the following commands (monitoring appliance is connected to gi0/3, and I want to monitor the internet connection which connects to gi0/1):

I have had certain versions of IOS not do spanning correctly. The fix for me was to add replicate on the end of the monitoring command OR upgrade the IOS.
|
# ? Dec 5, 2013 05:27 |
|
Farking Bastage posted: Fortigates are my second choice next to a Palo. Nice little boxes. Outside of going Mikrotik or a hacked-up DD-WRT (lol), you can't find a $500 firewall that you can set up for dual WAN failover that I know of.

SonicWall TZ-whatevers will do it.
|
# ? Dec 5, 2013 05:45 |
|
DeNofa posted: 255 gives you a ton of poo poo you never need (packet dumps in HEX); usually 128 is sufficient.

Combined with packet-tracer to dial a tunnel on demand, the ASA can provide a pretty good idea of what's going on. "Phase 1 Completed" will rule out ISAKMP settings. Differing PSK is identified by "mismatched PSK". "Invalid ID info" means there's a network mismatch, and "No proposal chosen" is a Phase 2 mismatch (transform set/PFS). If you don't get a "Phase 1 Completed" message, you can run sh isakmp sa and look at the state. Assuming you're running main mode, MM_WAIT_MSG2 means there's nothing responding on the distant end.
|
# ? Dec 5, 2013 06:35 |
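The rules of thumb in the post above, turned into a small triage script so they can be run over a captured `debug crypto isakmp 128` session rather than eyeballed. This is an added example written by the editor, not code from the thread or from Cisco: the regexes, the extra `show isakmp sa` state strings beyond MM_WAIT_MSG2, and the sample log lines (built from the two messages quoted earlier in this thread, with RFC 5737 addresses) are assumptions, and ASA wording varies by release, so the RULES table is meant to be extended from your own debug output.

```python
"""Triage of IOS / ASA IKEv1 debug output (added example, not from the thread).

The rules encode the hints in the post above plus the two messages the
original poster quoted; the regexes, the extra state strings and the sample
log lines are this editor's constructions. ASA wording varies by release, so
extend RULES from your own 'debug crypto isakmp 128' output.
"""
import re

# (regex, verdict, diagnosis); the first matching rule wins for a line.
RULES = [
    (r"Phase 1 Completed", "phase1-ok",
     "IKE policy and PSK agreed; a remaining failure is in phase 2"),
    (r"All (IKE )?SA proposals found unacceptable", "phase1-fail",
     "no IKE policy matched: compare encryption, hash, auth, DH group on both peers"),
    (r"[Mm]ismatched PSK", "phase1-fail", "pre-shared key differs"),
    (r"Notify has no hash\. Rejected", "phase1-fail",
     "peer answered with an unauthenticated notify, i.e. it rejected our proposal"),
    (r"IKMP_MODE_FAILURE", "phase1-fail",
     "router-side summary of a failed exchange; the cause is in the lines before it"),
    (r"Invalid ID info", "phase2-fail",
     "proxy identities (crypto ACL / interesting traffic) do not mirror each other"),
    (r"No proposal chosen", "phase2-fail", "transform set or PFS group mismatch"),
]
COMPILED = [(re.compile(p), verdict, why) for p, verdict, why in RULES]
PHASE_LABEL = {"phase1-fail": "phase 1", "phase2-fail": "phase 2"}

# 'show isakmp sa' states; MM_WAIT_MSG2 is from the post, the others are assumptions.
SA_STATES = {
    "MM_WAIT_MSG2": "our MSG1 got no reply: peer down, UDP/500 filtered, or peer has no config for us",
    "MM_ACTIVE": "ASA: phase 1 established",
    "QM_IDLE": "IOS: phase 1 established, quick mode idle",
}


def triage(lines):
    """Return (verdict, diagnosis, line) for every line a rule recognises."""
    hits = []
    for line in lines:
        for rx, verdict, why in COMPILED:
            if rx.search(line):
                hits.append((verdict, why, line.strip()))
                break
    return hits


def summarize(lines):
    """Collapse a debug capture into one sentence: the earliest failing phase wins."""
    hits = triage(lines)
    for wanted in ("phase1-fail", "phase2-fail"):
        for verdict, why, _ in hits:
            if verdict == wanted:
                return f"{PHASE_LABEL[wanted]} failed: {why}"
    if any(v == "phase1-ok" for v, _, _ in hits):
        return "phase 1 up, no phase 2 error recognised"
    return "nothing recognised; check 'show isakmp sa' state"


def sa_state_hint(state):
    """Explain a 'show isakmp sa' state string."""
    return SA_STATES.get(state.upper(), f"{state}: not in table, check the SA state list for your release")


# Constructed sample, modelled on the messages quoted in the thread (addresses are documentation ranges).
SAMPLE = [
    "*Dec  5 21:11:33.259: ISAKMP:(0): beginning Aggressive Mode exchange",
    "*Dec  5 21:11:33.263: ISAKMP:(0):Notify has no hash. Rejected.",
    "%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer 203.0.113.4",
    "Dec 05 15:49:08 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 203.0.113.101, All SA proposals found unacceptable",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
    print(summarize(SAMPLE))
    print(sa_state_hint("MM_WAIT_MSG2"))
```

Run it as `debug crypto isakmp 128 | tee ike.log` output piped into `triage(open("ike.log"))`; because phase 1 failures are checked before phase 2 ones, a capture that contains both only reports the earlier problem, which is the one you have to fix first anyway.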
|
Inspector_666 posted: SonicWall TZ-whatevers will do it.

Yeah, was about to suggest this, but the a la carte licensing can be annoying. Also Ubiquiti EdgeRouter Lites are only $99 and can do dual-WAN failover too if you're handy with Vyatta syntax.
|
# ? Dec 5, 2013 06:44 |
|
Ashley Madison posted: I work in public sector (education) and even when we request quotes, our partner still demolishes everyone else for the price they can offer us. Education mark-down is amazing. We use a lot of Cisco because we've never paid MSRP.

I'm in the same industry in the UK and was told that on the last refresh they had, HP were almost 50% less than Cisco. With savings of that value I'd have gone with HP too even if Cisco is better. I don't think it's worth paying twice the amount for.

Edit: to clarify, I'm not talking about ProCurve. I'm talking about the H3C-style HP switches, 7510s and 5800s etc.

ToG fucked around with this message at 10:55 on Dec 5, 2013
# ? Dec 5, 2013 10:51 |
|
ToG posted: I'm in the same industry in the UK and was told that on the last refresh they had, HP were almost 50% less than Cisco. With savings of that value I'd have gone with HP too even if Cisco is better. I don't think it's worth paying twice the amount for.

We do have some ProCurve switches deployed in certain departments that are walled off with their own firewalls, but they're essentially all access ports with nothing special going on. At the time, they were cheaper per gigabit port than what Cisco had available. No one has approached us about H3C equipment, but I'd be interested to see it.
|
# ? Dec 5, 2013 15:05 |
|
Anyone know how to view EIGRP hello timers on a 7609? Sho ip eigrp interfaces detail gi #/# works on 3750s, 2960s, etc etc, but on my 7609s it doesn't give any information at all.
|
# ? Dec 5, 2013 16:29 |
|
This might be a bit obscure, but is anyone familiar with Cisco's ROSA products? I've got an Element Manager I'm using as an SNMP trap receiver, but the traps it's getting from our 4948E are coming with the incorrect severity levels (linkdown and linkup are being received as INFORMATION instead of CRITICAL or ALARM). Is there a way to change the severity levels on the switch itself? Running 15.0.

code:
|
# ? Dec 5, 2013 16:50 |
|
Farking Bastage posted: Fortigates are my second choice next to a Palo. Nice little boxes. Outside of going Mikrotik or a hacked-up DD-WRT (lol), you can't find a $500 firewall that you can set up for dual WAN failover that I know of.

Seconding the Fortigate love. You get a surprising amount of features even on their low-end, branch office models.
|
# ? Dec 5, 2013 16:58 |
|
Zuhzuhzombie!! posted: Anyone know how to view EIGRP hello timers on a 7609?

"sh ip protocols" should be what you want. That is an extremely useful command that should be run the first time you log into a device whose purpose you are unsure of.
|
# ? Dec 5, 2013 17:03 |
|
Powercrazy posted: "sh ip protocols" should be what you want. That is an extremely useful command that should be run the first time you log into a device whose purpose you are unsure of.

I had used that as well and forgot to mention it. On the device where I can get an interface's EIGRP hello time, the specific interface is 5 seconds, which means that the interface's hold time is 15. Show ip protocols on both devices gives me:

EIGRP NSF-aware route hold timer is 240s

and the 7609 gives me the additional information of:

EIGRP NSF disabled
NSF signal timer is 20s
NSF converge timer is 120s
|
# ? Dec 5, 2013 17:54 |
|
Cisco just officially announced CCIE v5 a few days ago. The written and lab exams will be available from 4 June 2014, with the v4 exams being retired the day before. So if anybody else is studying for it then they should definitely take this into consideration. Fun highlights:

quote: 1.1.a Describe basic software architecture differences between IOS and IOS XE

Potentially less basic Ethernet stuff like duplex settings. No more ISL. VSS concepts.

quote: 2.3.c Describe WAN rate-based ethernet circuits

ISIS is back! I can only assume that this is because of its adoption in various layer 2 technologies like FabricPath. No more WCCP.
|
# ? Dec 5, 2013 20:00 |
|
Ugh. Why is this so hard? I've set up many IPsec tunnels, but I am absolutely failing on 8.4. In the debug it says "All IKE SA proposals found unacceptable!" But I've checked and rechecked and even changed the IKE proposals and still nothing... Can someone look at these configs and tell me if I'm missing something obvious?

code:
Where is the issue?
|
# ? Dec 5, 2013 21:24 |
|
chestnut santabag posted: Cisco just officially announced CCIE v5 a few days ago.

Also, Stephen from GNS3 just emailed out this note:

quote: Big Changes to CCIE!
|
# ? Dec 5, 2013 21:26 |
|
Powercrazy posted: Where is the issue?

Try a group 2 IKE policy.
|
# ? Dec 5, 2013 21:35 |
|
Sepist posted: Try a group 2 IKE policy

Nope, still nothing. When I debug on the router I get this:

pre:
*Dec 5 21:11:33.259: ISAKMP:(0): beginning Aggressive Mode exchange
*Dec 5 21:11:33.259: ISAKMP:(0): sending packet to xxy.xy.xxy.4 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Dec 5 21:11:33.259: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Dec 5 21:11:33.263: ISAKMP (0): received packet from xxy.xy.xxy.4 dport 500 sport 500 Global (I) AG_INIT_EXCH
*Dec 5 21:11:33.263: ISAKMP:(0):Notify has no hash. Rejected.
*Dec 5 21:11:33.263: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_AM1
*Dec 5 21:11:33.263: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Dec 5 21:11:33.263: ISAKMP:(0):Old State = IKE_I_AM1 New State = IKE_I_AM1

And on the ASA:

quote: Dec 05 15:49:08 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = xxy.xy.xxy.101, All SA proposals found unacceptable

Claiming it's failing phase 1.
|
# ? Dec 5, 2013 22:15 |
|
Yea, that is normal when it doesn't agree on IKE policies. I don't see `hash sha` or `lifetime 86400` in your BOSIGW IKE policy and I don't know what the defaults are off the top of my head. Try adding that to the config and see if it works.
|
# ? Dec 5, 2013 22:30 |
|
Those are the defaults :/

code:

I guess I'll open a TAC case, because this is ridiculous.

ate shit on live tv fucked around with this message at 22:41 on Dec 5, 2013
# ? Dec 5, 2013 22:34 |
|
Try making a second IKE policy using all non-defaults and see if you get the same thing, that is weird. I have seen quite a few times where the only way to fix a phase 1 failure was actually reloading the ASA.
|
# ? Dec 5, 2013 22:46 |
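What "All IKE SA proposals found unacceptable" is actually reporting is the responder's walk over its IKE policies looking for one that agrees with the initiator's proposal, and the thread's own confusion about which attributes the router fills in when a policy line is omitted is exactly the kind of thing a few lines of code settle faster than TAC. The following is an added example (the editor's code, not from the thread or from Cisco) that parses IOS `crypto isakmp policy` and ASA `crypto ikev1 policy` stanzas, applies assumed defaults, and reports which attributes disagree. The default values, the lifetime rule, and the tunnel-group selection model (main mode matched by peer address, aggressive mode matched by IKE ID with DefaultRAGroup as the fallback, which is where the ASA debug above lands) are this editor's assumptions about IOS 15 and ASA 8.4 and should be checked with `show crypto isakmp policy` and `show run crypto` on your own boxes; the sample configs and addresses are constructed.

```python
"""IKEv1 phase 1 proposal matching, modelled in Python (added example, not from the thread).

Default values and the tunnel-group selection rule are this editor's assumptions
about IOS 15 / ASA 8.4; verify them with 'show crypto isakmp policy'.
"""

# Assumed defaults for attributes omitted from a policy stanza.
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": 1, "lifetime": 86400}
ASA_DEFAULTS = {"encryption": "3des", "hash": "sha", "authentication": "pre-share",
                "group": 2, "lifetime": 86400}
ATTRS = ("encryption", "hash", "authentication", "group")


def parse_policies(config, defaults):
    """Parse 'crypto isakmp policy N' (IOS) or 'crypto ikev1 policy N' (ASA)
    stanzas into dicts, filling omitted attributes from `defaults`."""
    policies, current = [], None
    for raw in config.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0] == "!":
            continue
        if len(parts) >= 4 and parts[0] == "crypto" and parts[1] in ("isakmp", "ikev1") and parts[2] == "policy":
            current = dict(defaults, priority=int(parts[3]))
            policies.append(current)
        elif current is not None and parts[0] in ATTRS + ("lifetime",):
            # normalise 'aes 256' (IOS) and 'aes-256' (ASA) to the same token
            value = "-".join(parts[1:]).lower()
            current[parts[0]] = int(value) if parts[0] in ("group", "lifetime") else value
    return sorted(policies, key=lambda p: p["priority"])


def proposal_matches(initiator, responder):
    """Responder rule: encryption, hash, authentication and DH group must be
    identical. Lifetime is not a hard match: the responder accepts an equal
    or longer initiator lifetime and uses the shorter one (assumption)."""
    return (all(initiator[a] == responder[a] for a in ATTRS)
            and initiator["lifetime"] >= responder["lifetime"])


def negotiate(initiator_policies, responder_policies):
    """Return (initiator_priority, responder_priority) of the first matching
    pair in priority order, or None when every proposal is unacceptable."""
    for ip in initiator_policies:
        for rp in responder_policies:
            if proposal_matches(ip, rp):
                return ip["priority"], rp["priority"]
    return None


def explain_mismatch(initiator_policies, responder_policies):
    """For each initiator/responder pair, list the attributes that differ;
    this is what the 'proposals found unacceptable' message leaves you to
    work out by hand."""
    report = []
    for ip in initiator_policies:
        for rp in responder_policies:
            diffs = [f"{a}: {ip[a]} != {rp[a]}" for a in ATTRS if ip[a] != rp[a]]
            if ip["lifetime"] < rp["lifetime"]:
                diffs.append(f"lifetime: {ip['lifetime']} < {rp['lifetime']}")
            report.append((ip["priority"], rp["priority"], diffs))
    return report


def select_tunnel_group(mode, peer_ip, ike_id, tunnel_groups):
    """Assumed ASA IKEv1 tunnel-group selection: main mode matches an
    ipsec-l2l group named after the peer address, falling back to
    DefaultL2LGroup; aggressive mode matches a group whose name equals the
    IKE ID, falling back to DefaultRAGroup, which carries no L2L pre-shared key."""
    if mode == "main":
        return peer_ip if peer_ip in tunnel_groups else "DefaultL2LGroup"
    return ike_id if ike_id in tunnel_groups else "DefaultRAGroup"


# Constructed configs for illustration (not the thread's actual configs).
ROUTER_CFG = """
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 group 2
crypto isakmp key s3cret address 192.0.2.4
"""
ASA_CFG = """
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
"""

if __name__ == "__main__":
    router = parse_policies(ROUTER_CFG, IOS_DEFAULTS)
    asa = parse_policies(ASA_CFG, ASA_DEFAULTS)
    print("match:", negotiate(router, asa))
    for line in explain_mismatch(router, asa[1:]):   # drop policy 10 to force a failure
        print(line)
    print(select_tunnel_group("aggressive", "192.0.2.101", "router1", {"192.0.2.101"}))
    print(select_tunnel_group("main", "192.0.2.101", "router1", {"192.0.2.101"}))
```

Two things worth taking from it: a router policy with no `hash` or `lifetime` line still proposes SHA and 86400 under the assumed IOS defaults, so adding those lines cannot by itself change the outcome; and the `Group = DefaultRAGroup` in the ASA debug, combined with the router's "beginning Aggressive Mode exchange", means the ASA did not land on the site-to-site tunnel-group at all, so its IKE policy list was never the real question.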
|
Ashley Madison posted: We do have some ProCurve switches deployed in certain departments that are walled off with their own firewalls, but they're essentially all access ports with nothing special going on. At the time, they were cheaper per gigabit port than what Cisco had available. No one has approached us about H3C equipment, but I'd be interested to see it.

I think it's worth a look. The commands are very similar to Cisco, just different. You use undo instead of no, etc. They seem pretty solid but I haven't a lot of experience with them.
|
# ? Dec 5, 2013 22:52 |