cheese-cube posted:
Hopefully I'll die in a derrick fire or helicopter crash or something.

With your BOSIET certification, aren't you certified to survive helicopter crashes?
|
# ? Feb 13, 2015 22:40 |
|
|
jwh posted:
H-REAP won't help you if the radio is configured to 802.1x authenticate back to a remote server.

I've just taken another look at the WLAN config on the WLC and it's set up to authenticate against RADIUS servers (old-rear end Cisco 1113 ACS boxes) in our DC, so even if we deploy a WLC on-site we could still have issues (I think). We have deployed WLCs at two sites in Korea but that was only to resolve performance issues caused by the back-and-forth of CAPWAP over WAN.

jwh posted:
With your BOSIET certification, aren't you certified to survive helicopter crashes?

More like certified to experience them.
|
# ? Feb 13, 2015 23:03 |
|
Serfer posted:
I did this:

Didn't see this answered, but if you want to use split tunneling, it's done like this. We'll assume 172.16.1.0/24 is the LAN and 192.168.200.0/24 is the subnet handed to the clients.

access-list acl-split-tunnel permit ip 172.16.1.0 255.255.255.0 192.168.200.0 255.255.255.0
group-policy clientgroup internal
group-policy clientgroup attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl-split-tunnel
|
# ? Feb 14, 2015 00:24 |
|
I think you really ought to have a DC and a WLC on the platform.
|
# ? Feb 14, 2015 00:59 |
|
cheese-cube posted:
On the subject of Cisco WLC: in the infinite wisdom of our customer's project manager we have deployed a managed WAP on an off-shore vessel. There is no WLC on-board the vessel so the WAP is being managed by the WLC back at our DC over a 500ms VSAT link. We are using 802.1x for authentication and due to the latency clients are unable to auth 90% of the time when trying to connect. We escalated to TAC who advised that the latency between the WAP and WLC needs to be <100ms for it to work properly. Has anyone else dealt with such a situation before? It's getting to the point where we will either have to deploy a WLC on the vessel or reconfigure the WAP in standalone mode, both of which I'd rather not do because gently caress going back offshore again. Are there any other options?

Either WLC + radius server on the ship/platform or Flexconnect (the new name for H-REAP) with a radius server on the ship/platform. Any other way is going to be a huge pain in the rear end.
|
# ? Feb 14, 2015 01:26 |
|
Thanks for the suggestions jwh and ior. There are already DCs on-board the vessel so I'll push the business to deploy a WLC out there (Unless TAC can provide a better option which is doubtful).
|
# ? Feb 14, 2015 08:31 |
|
You can get a WLC on a card and stuff it in a router also.
|
# ? Feb 14, 2015 15:37 |
|
cheese-cube posted:
Thanks for the suggestions jwh and ior. There are already DCs on-board the vessel so I'll push the business to deploy a WLC out there (Unless TAC can provide a better option which is doubtful).

If you already have a DC on the ship go for Flexconnect with local auth pointing to the local DC. No need for WLCs on the ships.
|
# ? Feb 14, 2015 15:48 |
|
inignot posted:
You can get a WLC on a card and stuff it in a router also.

The 'card' WLCs are EOS. Get a virtual one instead.
|
# ? Feb 14, 2015 21:16 |
|
Sooooo I'll be gauche here and ask a FortiOS question in a Cisco thread. Has anyone done much work with VLAN trunking on FortiOS 5.2 before? If I'm configuring a dot1Q trunk between a dot1Q capable switch and FortiOS 5.2, do I need to do any configuration of the base port, or do I just create two new VLANs and use the base port as the physical int that they're assigned to? I don't see anywhere where I'd tag the base port as a trunk of any kind, unless I'm super blind.
|
# ? Feb 16, 2015 00:15 |
|
Edit: I'm stupid. Thought you were asking for the Cisco side config.
Filthy Lucre fucked around with this message at 01:48 on Feb 16, 2015 |
# ? Feb 16, 2015 01:45 |
|
Martytoof posted:
Sooooo I'll be gauche here and ask a FortiOS question in a Cisco thread. Has anyone done much work with VLAN trunking on FortiOS 5.2 before?

I've done it a lot. If I'm understanding you correctly, you simply need to create new interfaces. The GUI will let you specify the physical interface and the fact it's a VLAN, and the tag. Via the CLI you can specify the type as VLAN and then the physical interface and the tag. Additionally you can do this on switch interfaces too (ie, internal, or other 'soft' switches you've created). These interfaces will show up listed under the physical they're attached to in the GUI. You can then treat them as normal interfaces everywhere else in the Fortigate, eg routing, firewalling, etc.

The base interface stays untagged by default; leave it un-configured (eg 0.0.0.0/0) if you're not using that VLAN, or conversely configure native-vlan on the switchport if you want traffic on this treated as something other than VLAN 1 on the switch (seems messy if so).

BurgerQuest fucked around with this message at 02:00 on Feb 16, 2015 |
# ? Feb 16, 2015 01:54 |
|
cheese-cube posted:
Thanks for the suggestions jwh and ior. There are already DCs on-board the vessel so I'll push the business to deploy a WLC out there (Unless TAC can provide a better option which is doubtful).

I have a customer across three countries, UK, US and Australia. There is a WLC in each country, and all users authenticate with 802.1x which goes back to some boxes in the UK. The Aus-UK latency is 270-300ms and it works perfectly. So I guess the 802.1x stuff taking a while is ok, it must just be the AP>WLC communication that needs a shorter time?
|
# ? Feb 16, 2015 10:48 |
|
Ahdinko posted:
I have a customer across three countries, UK, US and Australia. There is a WLC in each country, and all users authenticate with 802.1x which goes back to some boxes in the UK. The Aus-UK latency is 270-300ms and it works perfectly. So I guess the 802.1x stuff taking a while is ok, it must just be the AP>WLC communication that needs a shorter time?

Nope, the AP will do up to 900ms RTT per Cisco docs. The client when waiting for 802.1x responses will not.
|
# ? Feb 16, 2015 11:51 |
|
Ahdinko posted:
I have a customer across three countries, UK, US and Australia. There is a WLC in each country, and all users authenticate with 802.1x which goes back to some boxes in the UK. The Aus-UK latency is 270-300ms and it works perfectly. So I guess the 802.1x stuff taking a while is ok, it must just be the AP>WLC communication that needs a shorter time?

You've just reminded me of something: we've got an office in Aberdeen with WAPs and no WLC, latency between our DC and the Aberdeen office is ~260ms and AFAIK they have zero connection issues with WiFi out there. We sent debug logs from the WLC to TAC last week and are still waiting to hear back.

Edit: poor choice of words.

Pile Of Garbage fucked around with this message at 12:29 on Feb 16, 2015 |
# ? Feb 16, 2015 12:22 |
|
TAC has had a bunch of excellent engineers available in the last few months, and less Convergys doorknobs. If you get a good one, though, clear your schedule cause they get distracted and dematerialize for weeks at a time if you don't take their calls.
|
# ? Feb 16, 2015 13:06 |
|
Partycat posted:
they get distracted and dematerialize for weeks at a time if you don't take their calls.

As we should. Miss a scheduled meeting with me and you'll be lucky to get another chance.
|
# ? Feb 16, 2015 14:38 |
|
Partycat posted:
TAC has had a bunch of excellent engineers available in the last few months, and less Convergys doorknobs. If you get a good one, though, clear your schedule cause they get distracted and dematerialize for weeks at a time if you don't take their calls.

The number of cases that come in is staggering, and the range from mundane to holy poo poo wtf is happening is pretty wide too. I think at one point I was working 100 cases simultaneously. There was another guy on my team that was up around 140.
|
# ? Feb 16, 2015 20:53 |
|
Tremblay posted:The number of cases that come in are staggering, and the range from mundane, to holy poo poo wtf is happening is pretty wide too. I think I one point I was working 100 cases simultaneously. There was another guy on my team that was up around 140.
|
# ? Feb 16, 2015 20:58 |
|
Tremblay posted:The number of cases that come in are staggering, and the range from mundane, to holy poo poo wtf is happening is pretty wide too. I think I one point I was working 100 cases simultaneously. There was another guy on my team that was up around 140.
|
# ? Feb 16, 2015 21:08 |
|
adorai posted:
I have had one of those "wtf is happening" cases open since JULY of 2014. I have had a few engineers on it, and I can tell they just don't want to take the time to figure it out. It's quite irritating.

The cases I've seen like this they just end up using the "solar flare" defense: https://learningnetwork.cisco.com/docs/DOC-10918
|
# ? Feb 16, 2015 23:54 |
|
adorai posted:
I have had one of those "wtf is happening" cases open since JULY of 2014. I have had a few engineers on it, and I can tell they just don't want to take the time to figure it out. It's quite irritating.

Can you PM me the case number? Be interested to take a look. I don't work in TAC anymore. I'm also not making excuses for less than stellar service at times.
|
# ? Feb 17, 2015 00:30 |
|
Quick question I haven't seen any answers for in my studies. Why wouldn't you set warning levels to log at the highest emergency level all the time (you know, emergency 0, alert 1, etc.)? Wouldn't it only log those when they actually hit that higher warning level anyway?
|
# ? Feb 18, 2015 01:14 |
|
Because there are a lot of "less serious" things that you might want to be aware of, for example, EIGRP neighbor adjacency changes. Tunnel Interfaces going down, or low fan speed, indicating a failing fan tray.
|
# ? Feb 18, 2015 02:30 |
|
I thought it showed all messages for the level you choose and anything below (ie, you set the log for all level 4 notification, but you also get 5,6,7 since they are "lower"). Have I misread? The question rephrased is: why not choose level 0 to get 0-7 notifications logged? You'll get all the "less serious" things but also logs of the major system impacting issues.
|
# ? Feb 18, 2015 03:09 |
|
Because historically it's been not that easy to handle a high log volume and pull out the really important stuff. Things have improved lately with a combination of cheap storage and tools like Splunk and logstash/kibana/elasticsearch making it easier to handle a high log volume and extract information from that very effectively.
|
# ? Feb 18, 2015 04:29 |
|
Bigass Moth posted:
I thought it showed all messages for the level you choose and anything below (ie, you set the log for all level 4 notification, but you also get 5,6,7 since they are "lower"). Have I misread?

I think you have your numbering backwards if you are talking about syslog. That said it's about cutting down on noise and volume. Most devices let you reclass specific messages. This greatly lets you reduce the noise.
|
# ? Feb 18, 2015 04:39 |
|
Tremblay posted:
I think you have your numbering backwards if you are talking about syslog. That said it's about cutting down on noise and volume. Most devices let you reclass specific messages. This greatly lets you reduce the noise.

Can you reclassify in IOS?
|
# ? Feb 18, 2015 07:32 |
|
Tremblay posted:
Can you PM me the case number? Be interested to take a look.

Could you do a thing for my case please? I've had a P2 case open since April 2014 and the engineer assigned, who is the team lead for that product, has just taken to outright ignoring me for the past 2 months. I got put through to a TAC Manager to complain, so the engineer sent me one more email last week saying "sorry for the delay, I'll take a look at it and email you on Monday" and has gone back to ignoring me. It's actually the only bad experience I've had with TAC, everything else has been pretty sweet.

Edit: Taken case number out of post. I don't know if it's because you did something or I asked for escalation to a TAC director or that I escalated it to my account manager too, but the guy actually replied to an email of mine holy poo poo.

Ahdinko fucked around with this message at 18:04 on Feb 18, 2015 |
# ? Feb 18, 2015 10:44 |
|
less than three posted:
Can you reclassify in IOS?

This may vary in different versions of IOS but I'm about 99% sure that it is the same functionality, so if you set logging to 1, you are getting 1 or less. Most of my stuff sits at 6 at the moment (so I get 6-0), but I have a pretty small network where I would prefer to know about pretty much anything that happens. If I set logging to 1 I'd probably only ever get a log message when the PSU eventually fails.

edit: the exact wording is

quote:
You can configure logs of a certain severity level, and higher, to be logged for a specific logging category and add this as a configuration element to further limit or expand the number of messages that you want to save, view, and export. For example, if you configure logs of severity level WARNING to be logged for a specific logging category, log messages for that logging category of severity level WARNING and those of a higher priority levels (ERROR and FATAL) are sent to any configured locations. Table 19-1 describes the severity levels and their associated priority levels.

So, the misunderstanding probably came from the "and higher". It's not the number that is higher, it is the severity level. A lower number is a higher severity level.

12 rats tied together fucked around with this message at 16:26 on Feb 18, 2015 |
# ? Feb 18, 2015 16:20 |
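The severity rule the last few posts settle on (lower number = higher severity; `logging trap <level>` forwards everything at that number or below) is easy to get backwards, so here is an added example that emulates it in Python. This is not code from any poster in the thread or from Cisco; the sample log lines are constructed for the example, with facility and mnemonic names modelled on IOS output rather than captured from a device, and the helper names are my own.

```python
import re
from typing import Iterable, List, Optional, Union

# Syslog severity numbers as `logging trap <level>` uses them on IOS:
# the LOWER the number, the MORE severe the condition.
LEVEL_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
NAME_TO_LEVEL = {name: num for num, name in LEVEL_NAMES.items()}

# Cisco message shape: %FACILITY-SEVERITY-MNEMONIC: message text
# (search(), not match(), so a leading timestamp/hostname prefix is tolerated)
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)


def resolve_level(level: Union[int, str]) -> int:
    """Accept the level as a number (0-7), a numeric string, or a keyword such as
    'informational', the same three forms `logging trap` accepts."""
    if isinstance(level, int):
        num = level
    elif level.isdigit():
        num = int(level)
    else:
        num = NAME_TO_LEVEL[level.lower()]
    if not 0 <= num <= 7:
        raise ValueError(f"severity out of range: {level!r}")
    return num


def parse_cisco_syslog(line: str) -> Optional[dict]:
    """Pull facility, severity number and mnemonic out of one log line.
    Returns None for lines that are not Cisco-formatted messages."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    sev = int(m.group("severity"))
    return {
        "facility": m.group("facility"),
        "severity": sev,
        "severity_name": LEVEL_NAMES[sev],
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text"),
    }


def passes_trap(severity: int, trap_level: Union[int, str]) -> bool:
    """The forwarding rule: a message is sent when its severity NUMBER is
    less than or equal to the configured level (0 = emergencies only)."""
    return severity <= resolve_level(trap_level)


def filter_for_trap(lines: Iterable[str], trap_level: Union[int, str]) -> List[dict]:
    """Emulate what a syslog host receives from a box running `logging trap <level>`."""
    kept = []
    for line in lines:
        msg = parse_cisco_syslog(line)
        if msg is not None and passes_trap(msg["severity"], trap_level):
            kept.append(msg)
    return kept


# Constructed sample lines (assumed format; not captured from a real device).
SAMPLE_LOG = [
    "*Feb 18 16:20:01.123: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down",
    "%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.2 (GigabitEthernet0/1) is down: holding time expired",
    "%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.5 started - CLI initiated",
    "%ENV-1-PSU_FAILURE: Power supply 1 failed",            # constructed mnemonic
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.9.9.9] [localport: 22]",
    "%SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): testing",
    "router1 uptime is 2 weeks, 3 days",                      # not a syslog message; ignored
]

if __name__ == "__main__":
    for level in ("alerts", "warnings", "informational", "debugging"):
        kept = filter_for_trap(SAMPLE_LOG, level)
        summary = ", ".join(f"{m['severity']}/{m['mnemonic']}" for m in kept)
        print(f"logging trap {level:<13} -> {len(kept)} messages: {summary}")
```

Running it shows why the thread lands where it does: `logging trap alerts` forwards only the (constructed) PSU failure, `warnings` adds the failed login, and `informational` is needed before the EIGRP neighbour change and the tunnel going down are forwarded at all, since those are severity 5.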
|
Yes thank you guys I was interpreting things backwards.
|
# ? Feb 18, 2015 16:50 |
|
Has anyone used the Ubiquiti EdgeSwitches yet? Is there any reason not to use them as dumb layer2 access switches (VLANs and trunks being the most complicated thing we do on them) instead of equivalent Catalysts?
|
# ? Feb 20, 2015 21:46 |
|
Mierdaan posted:
Has anyone used the Ubiquiti EdgeSwitches yet? Is there any reason not to use them as dumb layer2 access switches (VLANs and trunks being the most complicated thing we do on them) instead of equivalent Catalysts?

If you don't need PoE then Edgeswitches are kind of expensive. Also the current batch of hardware going out is missing a serial console port... which is kinda lovely for a managed switch. I've got the 24-port/250w unit on my bench for testing and the web interface is not as fast or as polished as their other hardware. Then again, the toughswitch GUIs aren't so hot either. I'm currently using Zyxel as my "cheap" managed switch vendor, and Cisco for the guys willing to actually pay for it.
|
# ? Feb 20, 2015 21:59 |
|
Reposting from the general IT thread:

I've been looking for a solution to take the place of a cloud hosted firewall and VPN solution through our ISP for several months now. Made a post a while back. The main factor was simply getting away from this ISP since we're paying entirely way too much (~6500/mo) for the service we receive, however other factors like how long it took to do routine tasks on the hosted Palo Alto as well as the clunky VPN client were factors as well.

Main office is in Seattle, second office in Portland. 200 employees and roughly 125 actual computer users. Roughly 50/20 desks at SEA/PDX. Exchange is hosted internally, but our website is externally hosted. We don't have high throughput at this point (20Mb SEA & 12Mb PDX), but I'm looking to improve on that with either changes to our main connection, implementation of additional, cheaper, higher bandwidth connections, as well as potentially a dedicated fiber connection between our two offices. Main goal is to improve the end user experience working in and more importantly outside of the office. Paired with new firewalls, I'm working on a new RDS server, and will be testing Egnyte as a "dropbox" like service to tie into our existing file servers.

The main things I'm looking for are:
• Good performance, or good enough that it isn't a bottleneck. End result is that I want to be able to more effectively improve end-user perception of "speed".
• Good enough security for our needs, which aren't super high.
• Site-to-site VPN, ideally cost effective.
• Client VPN with no per user licensing.
• Ability to have 1+ connections for failover as well as active/active.
• Traffic Shaping/QoS so that I can divert high bandwidth traffic that doesn't need to be on the primary connection, such as web traffic and backup replications, over those.

I've looked at Juniper SRX240 and 220, Fortinet 200D and 100D, Barracuda NG380 and NG280, and Sophos SG230 and SG210.

After comparing costs, specs, pros and cons specific to my one-man operation working for a construction company, it looks like Sophos is the clear winner. The price is right in line with everyone else, the performance numbers blow everything else out of the water, the hardware appears to be better (ie. bigger SSD, 8GB RAM) to back up those numbers, the reporting out of the box looks much better, and lots of other things like being able to embed a how-to video on the VPN portal page. The biggest single advantage for me over what my initial bias was for (Fortinet) was that the Sophos site-to-site VPN option is insanely easy. The Red 10 setup takes a few minutes: punch in the serial, give it a subnet and a few other things, hand it to someone to take out to a site, and it will set itself up and create a tunnel back home. Not having to travel to sites alone is probably worth it.

I should add that I tested the Fortinet and Sophos options in-house. I preferred the Fortinet GUI as it seemed more logical to me, but perhaps it's just because that's the one I tested first and got used to it. On that subject, we used Sonicwalls in the past and I always disliked their GUI. That's why I didn't mention them.

Anyway, my main questions are: is there anything I haven't mentioned that I should be taking into account? Does anyone have experience with Sophos? Any reason not to pull the trigger?
|
# ? Feb 24, 2015 05:02 |
|
Just curious, are you using Integra for the hosted firewall?
|
# ? Feb 24, 2015 05:52 |
|
tortilla_chip posted:Just curious, are you using Integra for the hosted firewall?
|
# ? Feb 24, 2015 06:03 |
|
Buy a Palo Alto
|
# ? Feb 24, 2015 06:09 |
|
Nitr0 posted:
Buy a Palo Alto

He means SRX.
|
# ? Feb 24, 2015 07:27 |
|
Moey posted:He means Fortigate.
|
# ? Feb 24, 2015 13:42 |
|
goobernoodles posted:
firewalls

I don't know about any of the ones you mentioned since I've never used them, but since you're asking in the Cisco thread, what about two ASA 5512-Xs for your main office, and maybe a 5505 or a single 5512-X for your other office? Three 5512-Xs + Security Plus licenses + 50 concurrent user VPN perpetual licenses will cost you as much as two months of your cloud firewall things, will give you up to 250 site-to-site VPNs (licenses included) and will work in active/active and do QoS. As well as handle up to a gig of straight internet traffic, or 200mb of encrypted traffic.

Ahdinko fucked around with this message at 17:24 on Feb 24, 2015 |
# ? Feb 24, 2015 17:21 |