jwh
Jun 12, 2002

I'm working on a terrible train wreck of a project, and it's come to light that we may need ~8gbps of ipsec. Yes, you read that correctly.

Is there anything in the Cisco family that could put up these numbers? Any platform. The best I could find was ASA 5585-X with SSP60, which claims 5gbps.

Palo 5060 claims 8gbps, but that's cutting it close. Palo 7050 claims 48gbps of AES when fully loaded, but I have no idea how that works in the real world.

edit: My mistake, 5060 claims 4gbps.

jwh fucked around with this message at 22:24 on Dec 18, 2014

ragzilla
Sep 9, 2005
don't ask me, i only work here


jwh posted:

I'm working on a terrible train wreck of a project, and it's come to light that we may need ~8gbps of ipsec. Yes, you read that correctly.

Is there anything in the Cisco family that could put up these numbers? Any platform. The best I could find was ASA 5585-X with SSP60, which claims 5gbps.

Palo 5060 claims 8gbps, but that's cutting it close. Palo 7050 claims 48gbps of AES when fully loaded, but I have no idea how that works in the real world.

edit: My mistake, 5060 claims 4gbps.

Single tunnel? Multiple tunnels? ASA clustering?

If it's securing inter-site transport, could you look at doing something like macsec instead?

less than three
Aug 9, 2007

Fallen Rib

jwh posted:

I'm working on a terrible train wreck of a project, and it's come to light that we may need ~8gbps of ipsec. Yes, you read that correctly.

Is there anything in the Cisco family that could put up these numbers? Any platform. The best I could find was ASA 5585-X with SSP60, which claims 5gbps.

Palo 5060 claims 8gbps, but that's cutting it close. Palo 7050 claims 48gbps of AES when fully loaded, but I have no idea how that works in the real world.

edit: My mistake, 5060 claims 4gbps.

What about ASR1006 with ASR1000-ESP100

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE
What's your average packet size going to be?

KS
Jun 10, 2003
Outrageous Lumpwad
I'm currently building out two sites: a large manufacturing facility and a single rack in a colo. The plan for the factory is a pair of 4500-Xs as core switches and 2960-Xs as access switches in the MDF.

For the colo, I'm more familiar with the Nexus line, and I'm wondering if I should use Nexus 5672s or 3172s as the core (only) switches, or if I should be consistent and just match the 4500-Xs. I don't really trust my VAR's opinions, which is the bigger problem.

1000101
May 14, 2003

BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY FRUITCAKE!

KS posted:

I'm currently building out two sites: a large manufacturing facility and a single rack in a colo. The plan for the factory is a pair of 4500-Xs as core switches and 2960-Xs as access switches in the MDF.

For the colo, I'm more familiar with the Nexus line, and I'm wondering if I should use Nexus 5672s or 3172s as the core (only) switches, or if I should be consistent and just match the 4500-Xs. I don't really trust my VAR's opinions, which is the bigger problem.

Disclaimer, I work for another var in the bay area! You should totally replace them with us!

What sort of features do you anticipate needing? Policy routing? WCCP? MPLS?

There are some things that Nexus does really well but if you don't need any of those things then it's not worth it. Do you care about FCoE or unified port?

1000101 fucked around with this message at 08:39 on Dec 19, 2014

Richard Noggin
Jun 6, 2005
Redneck By Default
Meraki users: any way to do cross-switch etherchannels with their virtual stacking capabilities, or is that purely for management?

jwh
Jun 12, 2002

ragzilla posted:

Single tunnel? Multiple tunnels? ASA clustering?

If it's securing inter-site transport, could you look at doing something like macsec instead?

Securing intersite transport over public internet, yes. Or, at least, that's what I'm being told at the moment. The connectivity piece is changing nearly every day, and tends to vacillate between some combination of ipsec over public internet and MPLS.

This is a lot of radius traffic, so as for average packet size, I'm not really sure, as we haven't received captures from the lab environments. I don't know what kind of TLVs they're sending, or how many.

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

jwh posted:

Securing intersite transport over public internet, yes. Or, at least, that's what I'm being told at the moment. The connectivity piece is changing nearly every day, and tends to vacillate between some combination of ipsec over public internet and MPLS.

This is a lot of radius traffic, so as for average packet size, I'm not really sure, as we haven't received captures from the lab environments. I don't know what kind of TLVs they're sending, or how many.

http://www.gdc4s.com/taclane-10g-%28kg-175x%29.html :smug:

captaingimpy
Aug 3, 2004

I luv me some pirate booty, and I'm not talkin' about the gold!
Fun Shoe

jwh posted:

Securing intersite transport over public internet, yes. Or, at least, that's what I'm being told at the moment. The connectivity piece is changing nearly every day, and tends to vacillate between some combination of ipsec over public internet and MPLS.


This is exactly what Talari does:
http://www.talari.com/products/

I've had them running over a year in using a mixture of MPLS and Internet. Largest link aggregates 2 gigs no problem. They have units coming out at 10gig very soon.

The only issue that I've had with them is that, by default, they give SSH and Telnet the lowest priority across the WAN. This hit one of our older financial apps pretty hard during heavy traffic. Once we found that, we changed priority and everything has been happy. They have really amazing support as well. Their SE's and support guys are well versed on all facets of networking.

jwh
Jun 12, 2002

I'm somewhat familiar with Talari. I looked at them some time ago, but they couldn't support multitenancy. Is Talari encrypting via AES for transport?

CrazyLittle
Sep 11, 2001

Clapping Larry
What's the smallest machine/setup you guys can think of to ntop/nmon 100mbps WAN connection? I want to put together something I can ship to a far-end site in order to figure out who's hogging the pipe.

Intel NUC + mirrored switch port?

captaingimpy
Aug 3, 2004

I luv me some pirate booty, and I'm not talkin' about the gold!
Fun Shoe
Talaris can use 128 or 256-bit AES. If you want to get super tinfoil about it, you can split the traffic across multiple pipes and have them re-assembled at the remote end (we actually do this for CAD and other intellectual property replication and backup).

I would be interested in a use-case outside of an MSP where multitenancy would be a requirement for an application like this. I'd also be interested in finding other alternatives to the product, just to see if they're doing anything cool or different. We've been able to dramatically reduce our MRC for the WAN by implementing Talaris and upgrading our Riverbeds. Our ROI on the Riverbeds/Talaris was just 13 months.

captaingimpy
Aug 3, 2004

I luv me some pirate booty, and I'm not talkin' about the gold!
Fun Shoe
The NUC is great for applications like that. I also used a Lenovo Tiny for that before I found the NUCs.

bad boys for life
Jun 6, 2003

by sebmojo
Speaking of high performing security projects, has anyone looked at firewalls capable of 30G+ of inline IPS?

We're using the 5585-Xs with SSP60s and we're about to run out of headroom. We need to be able to scale towards 30-50G within 3 years, with upgrades of about 5-10G each year until that point.

I am about to start looking at Palo Alto, but a starting point from experience would be great.

jwh
Jun 12, 2002

bad boys for life posted:

I am about to start looking at Palo Alto, but a starting point from experience would be great.
I think Palo Alto 7050s are about your only option at that point. A fully loaded 7050 claims to do 60gbps of threat.

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE
Never used the bigger ones, or IPS on the platform but the Juniper SRXs get massive. 100Gbit of IPS claimed.

https://www.juniper.net/us/en/products-services/security/srx-series/srx5800/

Ninja Rope
Oct 22, 2005

Wee.
Can I ask what your use case is for doing IPS on that much traffic?

jwh
Jun 12, 2002

Just imagining the number of false positives to ack with that kind of throughput is enough to make me start dry heaving.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Maneki Neko posted:

Anyone using Cisco NAC/ISE? How sad am I going to be if we look at implementing it for one of our clients?

You have to be ATP listed with Cisco to deploy it, unless you are doing wireless only. It's something you need to do thorough prep work and labbing for. I do ISE deployments now for Cisco (along with other stuff). It really depends on what you are doing and what you have for infra already in place. The hard part is the business managers and PMs not understanding why you can't just flip a switch and have everything be roses in 24hrs.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Martytoof posted:

Two probably dumb questions. I'm just dipping my toes into ASA so be gentle.

"ping inside n.n.n.n" -- Does this ping n.n.n.n ON the internal interface or ORIGINATING from the internal interface? Aside from using ASDM to packet trace, is there any way I can ping an IP while passing through zones, such that the relevant ACLs are applied. So I guess I'd like to ping 8.8.8.8 from an internal interface.

and:

If I use packet tracer in ASDM, does it actually send the packet in question, or is it only doing a simulation?

The interface specified in the ping command sets the originating interface and source IP address of the ICMP echo. You can't specify internal interfaces unless something crazy is going on... I could be misinterpreting your comments however.

Packet tracer generates a packet in the ingress interface buffer. A special tag is inserted in the IP header and the different processing nodes within ASA write their info in the payload. When it hits the egress interface ASA poo poo cans the packet and writes the packet payload out to console/ASDM. Yes it's a handy way to bring up a L2L tunnel.
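As an added illustration of the two behaviours described above (written for this thread, not taken from the post or from Cisco documentation), here are the two ASA commands side by side. The interface name `inside`, the inside host 10.1.1.20 and the echo target 8.8.8.8 are assumed values.

```cisco
! Real ICMP echo. The interface keyword picks the originating interface,
! so the echo is sourced from the inside interface's own address and
! 8.8.8.8 actually receives it. Traffic the ASA itself originates is
! not subject to interface ACLs, so this says nothing about what an
! inside host would be allowed to do.
ciscoasa# ping inside 8.8.8.8

! Simulation only. A synthetic packet is injected in the ingress
! interface buffer, each processing phase (route lookup, ACL, NAT,
! VPN, ...) records ALLOW or DROP, and the packet is discarded at the
! egress interface, so 8.8.8.8 never sees it. Arguments:
!   input <ifc> <proto> <src-ip> <icmp-type> <icmp-code> <dst-ip>
! type 8 / code 0 is an echo request, i.e. "what happens if 10.1.1.20
! pings 8.8.8.8 through the firewall". 'detailed' prints the per-phase
! output, including which rule allowed or dropped the flow.
ciscoasa# packet-tracer input inside icmp 10.1.1.20 8 0 8.8.8.8 detailed
```

Because the simulated packet goes through the full path, a flow that matches a crypto map will start IKE negotiation even though no real packet leaves the box, which is the L2L side effect the post mentions.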

Tremblay
Oct 8, 2002
More dog whistles than a Petco

jwh posted:

I'm working on a terrible train wreck of a project, and it's come to light that we may need ~8gbps of ipsec. Yes, you read that correctly.

Is there anything in the Cisco family that could put up these numbers? Any platform. The best I could find was ASA 5585-X with SSP60, which claims 5gbps.

Palo 5060 claims 8gbps, but that's cutting it close. Palo 7050 claims 48gbps of AES when fully loaded, but I have no idea how that works in the real world.

edit: My mistake, 5060 claims 4gbps.

ASR. I think that platform has the highest crypto throughput of anything Cisco sells currently.

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy
Our business has two ASA 5515-X firewalls, and I'm thinking I'll sell them both and replace them with two Dual or Quad WAN load balancing routers that can support VPN to Azure.

Anyone know a cost effective choice? Basically I wanna be able to plug in 2 or 3 cable modems from different ISPs into one of the routers so I have the combined bandwidth and failover of the ISPs, and then the second router is a failover for the first. Is that the ideal way to go about what I'm trying?

The ASAs look to be worth like $2000 each, and there's Cisco Small Business Dual WANs and Netgear Quad WANs both closer to $200 which handle VPN as well, so why the huge difference in price? We don't use AnyConnect if that's what that's all about.

Thanks Ants
May 21, 2004

#essereFerrari

http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy

Thanks, I'll bookmark that, that saves me from having to pay a Cisco tech to figure it out.

Do all these other brands of routers typically support the Cisco IOS language? I have HP Procurve switches and the command line seems identical, but I don't know if I should be expecting that with the Netgear routers or other off brands.

Thanks Ants
May 21, 2004

#essereFerrari

Look very carefully at the throughput figures. The Netgear stuff is a completely different class and if you had a reason to purchase 5515-X's there is nothing in the Netgear range that won't be slower than your internet connection once you turn up the security features.

CLIs for networking kit are nearly all IOS-esque, at least as far as switching goes.

Thanks Ants fucked around with this message at 20:29 on Dec 22, 2014

inignot
Sep 1, 2003

WWBCD?
Unless it's Juniper gear running their crazy moon language.

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy

Thanks Ants posted:

Look very carefully at the throughput figures. The Netgear stuff is a completely different class and if you had a reason to purchase 5515-X's there is nothing in the Netgear range that won't be slower than your internet connection once you turn up the security features.

CLIs for networking kit is nearly all IOS-esque, at least as far as switching goes.

Honestly I don't think we had any reason to purchase the 5515-X's. All my users run Office 365 and Salesforce, demos with GoToMeeting and that's it. No trade secrets or anything here, maybe at R&D branch but that's in another state and our sales building has no reason to VPN with them since I have all our files in sharepoint. The old IT crew was some outsourced union and I assume they got some kind of kickbacks for the unnecessary junk they pushed on this place before I arrived.

Thanks Ants
May 21, 2004

#essereFerrari

I think you'd be better off sticking with the ASAs and pushing for some training rather than chucking them out and buying something worse, it will serve you better for the future.

The 5515-X supports failover, so if you have a pair then they might already be set up like that.

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy

Thanks Ants posted:

I think you'd be better off sticking with the ASAs and pushing for some training rather than chucking them out and buying something worse, it will serve you better for the future.

The 5515-X supports failover, so if you have a pair then they might already be set up like that.

I just want something built for robust Dual WAN / Load Balancing with only basic firewall/VPN. The ASA 5000 series can allegedly do a few ghetto workarounds like routing half the world's ISPs through one ISP and half through another, and even then things like firmware upgrades can break those. That's what I'm finding as I keep Googling at least. I have an assistant dedicated to selling/buying our equipment on eBay so if I can get fair value for the ASAs and replace them with more simple/appropriate equipment I'd like to.

CrazyLittle
Sep 11, 2001

Clapping Larry

CrazyLittle posted:

What's the smallest machine/setup you guys can think of to ntop/nmon 100mbps WAN connection? I want to put together something I can ship to a far-end site in order to figure out who's hogging the pipe.

Intel NUC + mirrored switch port?

Looks like the Ubiquiti Edgerouter's got darkstat already in its package repos, and it seems to be working so far on this edgerouter lite I have on my desk. If it ends up getting overloaded I'll pony up for ntopng/nprobe.

Moey
Oct 22, 2010

I LIKE TO MOVE IT

inignot posted:

Unless it's Juniper gear running their crazy moon language.

I have learned to love that moon language. I never want to go back.

BaconBeast
Aug 18, 2006
I'll take the hundy pounder and fries, thanks.

Zero VGS posted:

I just want something built for robust Dual WAN / Load Balancing with only basic firewall/VPN. The ASA 5000 series can allegedly do a few ghetto workarounds like routing half the world's ISP's through one ISP and half through another, and even then things like firmware upgrades can break those. That's what I'm finding as I keep Googling at least. I have an assistant dedicated to selling/buying our equipment on eBay so if I can get fair value for the ASAs and replace them with more simple/appropriate equipment I'd like to.

The ASAs will kick the poo poo out of anything you cross shop netgear with, they just have a learning curve. Load balancing normal traffic sucks, but you could do equal cost ospf up to your northbound routers?

ate shit on live tv
Feb 15, 2004

by Azathoth

Zero VGS posted:

I just want something built for robust Dual WAN / Load Balancing with only basic firewall/VPN. The ASA 5000 series can allegedly do a few ghetto workarounds like routing half the world's ISP's through one ISP and half through another, and even then things like firmware upgrades can break those. That's what I'm finding as I keep Googling at least. I have an assistant dedicated to selling/buying our equipment on eBay so if I can get fair value for the ASAs and replace them with more simple/appropriate equipment I'd like to.

Load balancing doesn't exist. The only way to outbound "load balance" is to run dual peer BGP full routes. Otherwise it's hacks all the way down, regardless of vendor.
Learn the ASAs and set them up to your needs, then move on. Technology isn't a panacea; it requires intelligence and good policy behind it. There isn't a magic box that will do what you want.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Powercrazy posted:

Load balancing doesn't exist. The only way to outbound "load balance" is to run dual peer BGP full routes. Otherwise it's hacks all the way down, regardless of vendor.
Learn the ASAs and set them up to your needs, then move on. Technology isn't a panacea; it requires intelligence and good policy behind it. There isn't a magic box that will do what you want.

In addition firewalls aren't routers. I mean they are, but use the right tool for the right job.

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy

Tremblay posted:

In addition firewalls aren't routers. I mean they are, but use the right tool for the right job.

Well yeah, I started off saying I want to ditch the ASAs and get Dual WAN routers instead, and we came full-circle back to people telling me to use the ASAs with OSPF for that purpose.

Whatever can more or less equally dish out traffic onto two ISPs and have failover to one or the other, that's what I wanna go with. I'm bringing in Cisco techs that can configure anything my gear supports so the question is what's the most appropriate and simple setup?

doomisland
Oct 5, 2004

Redundant fiber from two providers coming into the routers with a microwave dish on the roof for backup and an opengear with POTS and 4G connectivity :getin:

Moey
Oct 22, 2010

I LIKE TO MOVE IT

doomisland posted:

Redundant fiber from two providers coming into the routers with a microwave dish on the roof for backup and an opengear with POTS and 4G connectivity :getin:

Gotta have separate trenches for that fiber. Backhoes make work of fiber real quick.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Zero VGS posted:

Well yeah, I started off saying I want to ditch the ASAs and get Dual WAN routers instead, and we came full-circle back to people telling me to use the ASAs with OSPF for that purpose.

Whatever can more or less equally dish out traffic onto two ISPs and have failover to one or the other, that's what I wanna go with. I'm bringing in Cisco techs that can configure anything my gear supports so the question is what's the most appropriate and simple setup?

A perimeter router and drop the ASAs behind that.
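An added example of what that perimeter router can look like on a Cisco IOS router with two ISP uplinks and the ASA pair sitting behind it. This is written for the thread, not taken from any post or vendor document; the interface names, the ISP next hops (203.0.113.1 and 198.51.100.1), the probe targets (8.8.8.8 and 8.8.4.4) and the 192.0.2.0/24 transit network toward the ASAs are all assumed. It shows the three pieces the thread keeps circling: two equal-cost default routes so outbound flows are shared per destination, IP SLA tracking so a dead ISP's route is withdrawn, and per-ISP NAT so a reply comes back on the link the flow left by.

```cisco
! --- Uplinks and the link toward the ASA outside interfaces (assumed) ---
interface GigabitEthernet0/0
 description ISP-A
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
interface GigabitEthernet0/1
 description ISP-B
 ip address 198.51.100.10 255.255.255.248
 ip nat outside
interface GigabitEthernet0/2
 description transit to ASA failover pair
 ip address 192.0.2.1 255.255.255.0
 ip nat inside
!
! --- Reachability probes, one per ISP (probe targets assumed) ---
! The host routes pin each probe to its own uplink. Without them the
! equal-cost default could send ISP-B's probe out ISP-A, and tracker 2
! would stay up while ISP-B is dead.
ip route 8.8.8.8 255.255.255.255 203.0.113.1
ip route 8.8.4.4 255.255.255.255 198.51.100.1
!
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 8.8.4.4 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 2 life forever start-time now
!
! Dampening so a single lost echo does not flap the default route.
track 1 ip sla 1 reachability
 delay down 30 up 60
track 2 ip sla 2 reachability
 delay down 30 up 60
!
! --- Two equal-cost defaults: CEF shares flows per destination, and a
! route is withdrawn from the table when its tracker goes down ---
ip cef
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 2
!
! --- NAT per uplink: the route-map keys on the egress interface, so a
! flow that leaves via ISP-A is sourced from ISP-A's address and its
! replies return there. This is the "hack" the thread refers to: one
! session never spans both links, and when a tracker flips, sessions
! that were on the lost link are reset, not moved. ---
access-list 101 permit ip 192.0.2.0 0.0.0.255 any
route-map NAT-ISP-A permit 10
 match ip address 101
 match interface GigabitEthernet0/0
route-map NAT-ISP-B permit 10
 match ip address 101
 match interface GigabitEthernet0/1
ip nat inside source route-map NAT-ISP-A interface GigabitEthernet0/0 overload
ip nat inside source route-map NAT-ISP-B interface GigabitEthernet0/1 overload
```

The point of putting the ASAs behind this box is that the firewalls then see one default gateway (192.0.2.1) and do their stateful inspection as if there were a single ISP; all of the multi-WAN ugliness lives on the router. Inbound services are a separate problem: anything published behind a static NAT is reachable on one ISP's address only unless DNS or the publishing side also changes on failover.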

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

Tremblay posted:

A perimeter router and drop the ASAs behind that.
That's what we do. In fact, my WAN router is a VM that allows all traffic, and that's how I give HA to that router. It then dumps to an HA pair of fortigates.
