BaseballPCHiker
Jan 16, 2006

falz posted:

Sooo not yet but it will replace pix os. Is it an acquisition?

The way I understand it is that Firepower is both the module they bought that used to be SourceFire, which was an additional IPS/IDS feature you could buy in the past and install in an ASA, and now also the name of their next-gen firewall devices.

From what I was told by our VAR, you can buy the current generation of Firepower firewalls and still run the old ASDM code on them for another 3-4 years until they're unsupported. If it really is as awful as it sounds, we may go that route and hope for improvements in a couple of years.

I'd be interested in taking a look at the Palo Alto's but that would be such an uphill battle to fight to get a different vendor in here.


single-mode fiber
Dec 30, 2012

BaseballPCHiker posted:


From what I was told by our VAR, you can buy the current generation of Firepower firewalls and still run the old ASDM code on them for another 3-4 years until they're unsupported. If it really is as awful as it sounds, we may go that route and hope for improvements in a couple of years.


This is true but you will still have to keep track of FXOS code underneath even if running ASA on top

ate shit on live tv
Feb 15, 2004

by Azathoth
My preference is Arista for switching, Juniper for routing/VPN/NATting and Cisco for office poo poo that I don't have to manage.

Pile Of Garbage
May 28, 2007

Docjowles posted:

No, Brocade is bad and you are correct for being mad at how awful they are to work with :black101:

Edit: Brocade did eventually kill off the trunk term and start using “lag”. But now their IP has been sold yet again and is basically dead so who cares.

And I still hate the way they do VLAN tagging vs Cisco/Arista. But I’m willing to chalk that up to personal preference.

Brocade FC switches and MPRs were (Are?) pretty good IMO. :)

The worst network gear I've ever worked with is Nortel ERS. It's just so incredibly obtuse and backwards compared to Cisco or anything else really.

Docjowles
Apr 9, 2009

I’ll cop to never having used FC of any kind, including Brocade, so I can’t speak to that. Their Ethernet switching and routing, though, :barf:

Moey
Oct 22, 2010

I LIKE TO MOVE IT

ate poo poo on live tv posted:

My preference is Arista for switching, Juniper for routing/VPN/NATting and Cisco for office poo poo that I don't have to manage.

Currently running Juniper for Firewall/Core switching and routing then Meraki for access and wifi (and site to site VPN).

I'll have to look into Arista at some point.

Jedi425
Dec 6, 2002

THOU ART THEE ART THOU STICK YOUR HAND IN THE TV DO IT DO IT DO IT

Docjowles posted:

I’ll cop to never having used FC of any kind, including Brocade, so I can’t speak to that. Their Ethernet switching and routing, though, :barf:

The happiest moment in my career so far was in my last job switch, knowing I'd never have to work on an ADX (the Brocade load balancer, basically a dollar-store F5 LTM but somehow even worse) again. I almost want to buy one to take out to the desert and shoot. gently caress those things.

Their FCs were solid as hell, though. I'll bet places I worked at 10 years ago are still running those things without a blip.

ElCondemn
Aug 7, 2005


Jedi425 posted:

The happiest moment in my career so far was in my last job switch, knowing I'd never have to work on an ADX (the Brocade load balancer, basically a dollar-store F5 LTM but somehow even worse) again. I almost want to buy one to take out to the desert and shoot. gently caress those things.

Their FCs were solid as hell, though. I'll bet places I worked at 10 years ago are still running those things without a blip.

That’s basically all I’ve ever used Brocade for, never had any issues. Though their licensing model was insane, you had to pay to use ports, they were just disabled until you paid to unlock them.

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE
The MLX family stuff was solid. Until Brocade bought them and completely neglected any meaningful development on the line.

abigserve
Sep 13, 2009

this is a better avatar than what I had before

BaseballPCHiker posted:

The way I understand it is that Firepower is both the module they bought that used to be SourceFire, which was an additional IPS/IDS feature you could buy in the past and install in an ASA, and now also the name of their next-gen firewall devices.

From what I was told by our VAR, you can buy the current generation of Firepower firewalls and still run the old ASDM code on them for another 3-4 years until they're unsupported. If it really is as awful as it sounds, we may go that route and hope for improvements in a couple of years.

I'd be interested in taking a look at the Palo Alto's but that would be such an uphill battle to fight to get a different vendor in here.

Firepower is really bad. Compared to Palo Alto it's not even in the same field. It's also not really any cheaper so there's literally no reason not to look at alternatives.

Firepower is literally the SourceFire stuff bolted on top of an ASA bolted inside a standalone UCS chassis. All of the parts tenuously hang together with glue and shoestring (and Perl) and it's just terrible. I also really don't see it getting any better unless they go back to the drawing board and rewrite the entire OS from scratch, which is extremely unlikely.

Thanks Ants
May 21, 2004

#essereFerrari


Is anyone getting into SD-WAN much? I have a requirement which I'm pretty sure is so simple that it can be handled by a few Meraki MX boxes (for all their limitations, the SD-WAN stuff looks OK, at least for the money). I have three sites with a fibre Internet service at each, and a backup connection, and just want to link them all together in a way that can carry on working if a fibre goes down.

In theory I would just use Meraki stuff for this, but one of the sites is being hosted on someone else's infrastructure and I can't put any physical gear in there. Meraki have a vMX product but it's just a really expensive way to get AWS VPN working and does nothing else.

What are my options for vendors that can do this without bending me over for a huge amount more than Meraki would cost? Currently looking at Nuage, Velocloud (VMware) and Riverbed but haven't got onto the pricing part yet. And the simpler the deployment, the better. To make things slightly trickier I need something that can deploy as a VM as well as a physical box - I don't want to be building out VM infrastructure as part of this where it doesn't exist already.

TooLShack
Jun 3, 2001

SMILE, BIRTHDAY BOY!
I know this is the Cisco thread, but has anyone messed with Extreme Networks' SPB switch fabric crap? It was pitched to my boss and he is sold hard, and I'm not sure about it yet and curious if anyone has used their .aq stuff or any other implementation of 802.1aq.

TooLShack fucked around with this message at 23:46 on Sep 6, 2018

Mulloy
Jan 3, 2005

I am your best friend's wife's sword student's current roommate.
So I have been working with a Viptela vEdge 1000 today trying to get it to keep SIP sessions alive through an SBC, but no dice. I tried looking up any SIP awareness or ALG it might have but I came up blank. Am I dumb or is it just not SIP aware?

tortilla_chip
Jun 13, 2007

k-partite
EVPN won for a reason.

e: To be fair that was mostly for scaling and policy motivations, so SPB might work for your use case.

tortilla_chip fucked around with this message at 00:34 on Sep 7, 2018

Dalrain
Nov 13, 2008

Experience joy,
Experience waffle,
Today.
What's the meraki cost? Silver peak also has SD-WAN with acceleration available, but you'd be looking at 200/mo per site at least for 200M

Thanks Ants
May 21, 2004

#essereFerrari


Thanks for the suggestion. Meraki hardware would be about £3k per end in hardware costs, and then £1200 in licensing annually. I'll look at Silver Peak - 50Mbps might be enough as well.

I'm not even sure the Meraki qualifies as SD-WAN, more "VPN over multiple services with automatic path selection", and I'm aware that price is pretty much the lowest I can hope to pay. It would be perfect if their virtual appliance wasn't poo poo.

Dalrain
Nov 13, 2008

Experience joy,
Experience waffle,
Today.
If you have distance between your offices, you could look at their Boost option as well. SP is sort of the original WAN accelerator, that's just the name for adding that tech on top of their path selection.

If you have VMware, velo is an obvious choice for more basic path stuff

BurgerQuest
Mar 17, 2009

by Jeffrey of YOSPOS
On the SD-WAN chat what's the thought on Fortinet's offering? Our guys know this platform best and I keep getting sales requests where customers are talking SD-WAN like IPSLA never existed anyway.

Meraki makes me barf... enterprise lite?

edit. we use Exinda for in-path acceleration/QoS etc for what it's worth.

Thanks Ants
May 21, 2004

#essereFerrari


It looks like a very immature product - the amount of manual setup required compared to the competitors being one of the obvious differences

https://cookbook.fortinet.com/client-side-sd-wan-ipsec-vpn-deployment-example-expert/

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
No one ever said that about Cisco iwan. If you had a brownfield deployment you couldn't leverage APIC-EM and had to do the whole thing by hand.

I have been involved in a few ISP led velocloud installations, they seem to be pretty smooth overall. I'll be messing around with a viptela lab shortly. If you're gonna do SD-WAN you need to see a troubleshooting demo of the vendors you're interested in because everyone sure as hell will want to blame these new clouds for a bad phone call

Bigass Moth
Mar 6, 2004

I joined the #RXT REVOLUTION.
:boom:
he knows...
Is there any reason to add a VTP domain name to a router?

Dalrain
Nov 13, 2008

Experience joy,
Experience waffle,
Today.
If you're going to have VTP on for some reason, then you should define it so that it doesn't pick up the domain from some unknown source in the future. I believe the default behavior is to join the first one it sees.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer
On the subject of SD-WAN, assuming everyone agrees it is just a buzzword for VPN with cool routing features, what is the current recommendation for something that would slot into an existing OSPF heavy network? We have metro E to most locations, and want some better bulk transfer and backup options.

Thanks Ants
May 21, 2004

#essereFerrari


No, Mr Head of Infrastructure, you can't just set the source IP of a new connection for your pings if you have no routes in place that use the interface connected to the service you're trying to test. If you bothered to go as far as a traceroute with a source IP you'd see the packets going out to your old ISP and then dropped at their CE.

Emailing me repeatedly saying that you're sure everything is set up properly and not doing any of the troubleshooting isn't going to get your service working any sooner.

Lonoxmont
Aug 28, 2018
I'm too stupid to put something witty here. Sorry. :canada:
I was told to put this here (I think), so here goes:

Hello, I have a bit of a networking pickle I am trying to sort out and seem to be running into various walls.

I have a LAN IP range of 10.1.1.0/24, and I am running out of room on it for new hosts.
Pretty much the entire network is static, with a small DHCP scope around 10.1.1.186-192 or thereabouts (that has probably been clobbered by statics by now).
I would like to transition to a /23 or /22, but most setup guides I have found deal with setting up from scratch, not changing over from an existing network.

My router is a sonicwall of some sort, I want to say an nsa 2600 but I am not 100% sure.

I have some VPN stuff that hooks in at 10.0.x.y, so they in theory shouldn't be clobbered if I mess with the netmask on the 10.1.1.0 network.

There are a series of esxi hosts that would likely need to be readdressed, but I can go onsite for that.

The pertinent question is, how do I transition from a /24 to a /23 or /22 supernet?

Will this knock out the /24 till everything is moved, or will things on /23 just not be able to reach the /24 and vice versa?

Thank you for the advice.

madsushi
Apr 19, 2009

Baller.
#essereFerrari
First, subnets start at 0, so a /22 would be 10.1.0.0 - 10.1.3.254, so you know.

If you keep everything in 10.1.1.0 while transitioning, it should be pretty easy. You can just change the subnet mask on everything and it'll keep working, as long as nothing is trying to talk to something in 10.1.0.0 or 10.1.2.0 or similar.

All of your firewall rules will need to be updated. All of your routes need to be updated.

I'd start by changing the subnet masks on your network gear (router, firewall, etc) and then changing PCs as you can. Once everything has the new subnet, you can start assigning addresses in the added space.

Lonoxmont
Aug 28, 2018
I'm too stupid to put something witty here. Sorry. :canada:

madsushi posted:

First, subnets start at 0, so a /22 would be 10.1.0.0 - 10.1.3.254, so you know.

If you keep everything in 10.1.1.0 while transitioning, it should be pretty easy. You can just change the subnet mask on everything and it'll keep working, as long as nothing is trying to talk to something in 10.1.0.0 or 10.1.2.0 or similar.

All of your firewall rules will need to be updated. All of your routes need to be updated.

I'd start by changing the subnet masks on your network gear (router, firewall, etc) and then changing PCs as you can. Once everything has the new subnet, you can start assigning addresses in the added space.

Would this also change the IP of the sonicwall, and therefore the default route for the existing network?

What would happen on the off chance some misconfigured device tries to talk to the new subnet during the transition? Will that crash the network? Or will it just not be able to reach anything?

madsushi
Apr 19, 2009

Baller.
#essereFerrari

Lonoxmont posted:

Would this also change the IP of the sonicwall, and therefore the default route for the existing network?

What would happen on the off chance some misconfigured device tries to talk to the new subnet during the transition? Will that crash the network? Or will it just not be able to reach anything?

Yes, the first thing I would change would be the SonicWall. The IP address stays the same (I assume 10.1.1.1) but the mask changes to /23 or /22. The default route stays the same: 10.1.1.1 (or whatever).

Nothing should break, and if you don't put anything in those subnets (10.1.0 10.1.2 10.1.3) then nothing will try to talk to it. The worst-case of changing subnets is that some things can't talk to other things, but you're minimizing/removing that by not adding anything new until all devices are changed over.

Partycat
Oct 25, 2004

This is why I love reserved or static DHCP, because I don't have to chase statically configured garbage around that ends up being some embedded poo poo I have no password to.

Moey
Oct 22, 2010

I LIKE TO MOVE IT

Partycat posted:

This is why I love reserved or static DHCP, because I don't have to chase statically configured garbage around that ends up being some embedded poo poo I have no password to.

Lies. Everyone loves updating printers/copiers when the subnet/dns/gw changes.

BallerBallerDillz
Jun 11, 2009

Cock, Rules, Everything, Around, Me
Scratchmo

madsushi posted:

First, subnets start at 0, so a /22 would be 10.1.0.0 - 10.1.3.254, so you know.

For > /24.

Docjowles
Apr 9, 2009

It seems like people frequently miss the purpose of the subnet mask. Which is to determine if a given address is in the same network as another address, or if it will have to be sent to a router to forward.

When you think about it that way, increasing the netmask doesn’t seem as scary. It’s just increasing the range of addresses that don’t have to be routed. If you were previously talking to hosts in networks that are now covered by your expanded subnet, yeah, that is a problem. But if that space isn’t spoken for, go hog wild, there is no harm increasing the mask everywhere. And then start addressing hosts into the larger network.
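As an added example (not from any poster in this thread), here is a small Python model of the point madsushi and Docjowles make above: the mask only decides whether a destination is on-link or gets handed to the router, and the aligned /22 block is 10.1.0.0/22, not 10.1.1.0/22. The gateway address 10.1.1.1, the sample hosts and the routed prefixes are constructed assumptions.

```python
import ipaddress

# Constructed assumption: the SonicWall's LAN address. The thread only says the
# router keeps its existing IP; 10.1.1.1 is madsushi's guess, reused here.
GATEWAY = ipaddress.IPv4Address("10.1.1.1")


def supernet_for(lan: str, new_prefix: int) -> ipaddress.IPv4Network:
    """Aligned block that contains `lan` at the new prefix length.

    10.1.1.0/22 is not a valid network address, so strict=False lets ipaddress
    round it down to 10.1.0.0/22: "subnets start at 0".
    """
    base = ipaddress.ip_network(lan)
    return ipaddress.ip_network(f"{base.network_address}/{new_prefix}", strict=False)


def usable_range(net: ipaddress.IPv4Network) -> tuple[str, str, int]:
    """First host, last host and host count (which is also the broadcast domain size)."""
    first = net.network_address + 1
    last = net.broadcast_address - 1
    return str(first), str(last), net.num_addresses - 2


def next_hop(src_ip: str, src_prefix: int, dst_ip: str) -> str:
    """What a host's IP stack does with the mask: deliver on-link, or hand to the gateway.

    A host still configured with /24 sends 10.1.2.x to the SonicWall even though
    the destination sits on the same VLAN; a host already on /22 ARPs for it directly.
    """
    iface = ipaddress.ip_interface(f"{src_ip}/{src_prefix}")
    dst = ipaddress.ip_address(dst_ip)
    return "direct" if dst in iface.network else f"via {GATEWAY}"


def swallowed_routes(new_net: ipaddress.IPv4Network, routed: list[str]) -> list[str]:
    """Routed prefixes the widened mask would now treat as local.

    This is the one real hazard in the thread: if hosts were reaching 10.1.2.0/24
    through a router before, the /22 hides that router from them.
    """
    return [p for p in routed if ipaddress.ip_network(p).overlaps(new_net)]


def transition_report(hosts: dict[str, int], dst_ip: str) -> dict[str, str]:
    """Mixed-mask snapshot mid-migration: how each host reaches `dst_ip`."""
    return {ip: next_hop(ip, prefix, dst_ip) for ip, prefix in hosts.items()}


if __name__ == "__main__":
    new_net = supernet_for("10.1.1.0/24", 22)
    print(new_net, usable_range(new_net))
    # The SonicWall's IP and therefore the default route do not move.
    assert GATEWAY in new_net
    # Constructed hosts: one not yet re-masked, one already on /22.
    print(transition_report({"10.1.1.50": 24, "10.1.1.60": 22}, "10.1.2.10"))
    # Constructed routed prefixes: the VPN space at 10.0.x.y stays routed.
    print(swallowed_routes(new_net, ["10.0.0.0/16", "10.1.2.0/24"]))
```

The mixed-mask report is what Lonoxmont later observed in practice: until every client has the new mask, traffic to the added space hairpins through the SonicWall.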

ElCondemn
Aug 7, 2005


Docjowles posted:

It seems like people frequently miss the purpose of the subnet mask. Which is to determine if a given address is in the same network as another address, or if it will have to be sent to a router to forward.

When you think about it that way, increasing the netmask doesn’t seem as scary. It’s just increasing the range of addresses that don’t have to be routed. If you were previously talking to hosts in networks that are now covered by your expanded subnet, yeah, that is a problem. But if that space isn’t spoken for, go hog wild, there is no harm increasing the mask everywhere. And then start addressing hosts into the larger network.

Having very large subnets means you also have a larger broadcast domain, so be wary of that as it can cause problems as you add more hosts (like larger impact during broadcast storms etc.)

Partycat
Oct 25, 2004

Since LAN traffic trending in business is client to server, it's probably not a problem to change the mask and fix stragglers.

The other naughty option is to add a subnet to the VLAN and leave the original alone.

Won't hurt anything except broadcast oriented protocols usually.

ElCondemn
Aug 7, 2005


What do y'all think about WireGuard? We're considering replacing some of our GRE+IPsec tunneling at work with WireGuard, we only use it for cross-VPC traffic in AWS to support tunneling to a remote VPN endpoint for one of our customers. Right now we're using some VyOS routers to tunnel and encrypt between VPCs (using local AWS routing won't work since the network we're routing doesn't actually exist in AWS).

x-posted in the infosec thread (but may be more of a routing question)

Moey
Oct 22, 2010

I LIKE TO MOVE IT

Docjowles posted:

It seems like people frequently miss the purpose of the subnet mask. Which is to determine if a given address is in the same network as another address, or if it will have to be sent to a router to forward.

When you think about it that way, increasing the netmask doesn’t seem as scary. It’s just increasing the range of addresses that don’t have to be routed. If you were previously talking to hosts in networks that are now covered by your expanded subnet, yeah, that is a problem. But if that space isn’t spoken for, go hog wild, there is no harm increasing the mask everywhere. And then start addressing hosts into the larger network.

That is why the real pros just have a flat 10.0.0.0/8 network!

Docjowles
Apr 9, 2009

rage_meme.gif

beepsandboops
Jan 28, 2014

ElCondemn posted:

What do y'all think about WireGuard? We're considering replacing some of our GRE+IPsec tunneling at work with WireGuard, we only use it for cross-VPC traffic in AWS to support tunneling to a remote VPN endpoint for one of our customers. Right now we're using some VyOS routers to tunnel and encrypt between VPCs (using local AWS routing won't work since the network we're routing doesn't actually exist in AWS).

x-posted in the infosec thread (but may be more of a routing question)

It looks really cool and I've heard nothing but good things about it, but it seems like it's still very much in its infancy and I don't know if I'd trust using it in any system I have to maintain long-term.

Proteus Jones
Feb 28, 2013



beepsandboops posted:

It looks really cool and I've heard nothing but good things about it, but it seems like it's still very much in its infancy and I don't know if I'd trust using it in any system I have to maintain long-term.

Yeah, this is definitely in the "Neat project, looks promising, but going to stick with IKEv2 until it matures" bucket.


Lonoxmont
Aug 28, 2018
I'm too stupid to put something witty here. Sorry. :canada:

madsushi posted:

Yes, the first thing I would change would be the SonicWall. The IP address stays the same (I assume 10.1.1.1) but the mask changes to /23 or /22. The default route stays the same: 10.1.1.1 (or whatever).

Nothing should break, and if you don't put anything in those subnets (10.1.0 10.1.2 10.1.3) then nothing will try to talk to it. The worst-case of changing subnets is that some things can't talk to other things, but you're minimizing/removing that by not adding anything new until all devices are changed over.


Docjowles posted:

It seems like people frequently miss the purpose of the subnet mask. Which is to determine if a given address is in the same network as another address, or if it will have to be sent to a router to forward.

When you think about it that way, increasing the netmask doesn’t seem as scary. It’s just increasing the range of addresses that don’t have to be routed. If you were previously talking to hosts in networks that are now covered by your expanded subnet, yeah, that is a problem. But if that space isn’t spoken for, go hog wild, there is no harm increasing the mask everywhere. And then start addressing hosts into the larger network.


ElCondemn posted:

Having very large subnets means you also have a larger broadcast domain, so be wary of that as it can cause problems as you add more hosts (like larger impact during broadcast storms etc.)

Thanks guys, looks like I got lucky, and all that happened was the sonicwall has to do the routing for the new range until I get all the /24 changed to /22 on the clients on my end. So everything stayed up and running, but until everything has the new hostmask it is still a bottleneck through the sonicwall (I presume). At some point I will probably get around to moving the default gateway etc where the sonicwall lives to somewhere closer to the beginning of the address space, where networking stuff should go. Not looking forward to running through all the clients again for that.
