SamDabbers
May 26, 2003



MF_James posted:

Yeah pfsense is fine if you want something at home and don't mind tinkering; heck maybe even in a small business, but I'd still be hesitant due to lack of proper support, I'd rather roll a sonicwall.

Anything bigger and you definitely want to stick with the major players.

Netgate offers paid support with SLA for pfsense. Anybody have any experience with that?

I'm not disputing that it's better to avoid pfsense in larger networks with higher stakes; just curious about how their support compares to that of the major players.


single-mode fiber
Dec 30, 2012

Kazinsal posted:

FTDs? No issues.

That's a first

Kazinsal
Dec 13, 2011




Well, okay, I have other issues with Firepower.

Speaking of, the galaxy brain powers that be bought FTD 21somethings for our new head office and I look forward to taking two weeks' vacation when that site gets lit up.

Tetramin
Apr 1, 2006

I'ma buck you up.
I added firepower alerts for our “security analyst”. Not sure what exactly they do but it definitely doesn’t involve even sending the service desk tickets about potentially dangerous machines on our network. They do send out fake phishing campaigns every couple weeks.

Moey
Oct 22, 2010

I LIKE TO MOVE IT
Thanks FS, 2674 in stock in your "NY warehouse", and you ship my transceivers from Shanghai.

On a side note, these dropped to $59 a pop vs the $380 each I paid in 2017.

Actuarial Fables
Jul 29, 2014

Taco Defender
Is there a good primer out on the internet for understanding SFP+? I understand that you put transceivers in the ports and that transceivers can have different properties, but there's also apparently vendor lockout?

Kazinsal
Dec 13, 2011



I'm not sure if there's really a primer so to speak but the vendor lock-in is pretty straightforward. The EEPROM on an SFP has a section in it that holds things like the vendor OUI and name string. IOS will check against that and reject SFPs that aren't theirs (unless you turn on service unsupported-transceiver, you monster).

Finisar helpfully publishes a condensed version of the memory map used on SFP and SFP+ modules (https://www.finisar.com/sites/default/files/resources/an-2030_ddmi_for_sfp_rev_e2-20140404_updated.pdf). I think QSFP and related use a different memory map; SFP28 uses the SFP/SFP+ map.
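What the switch is actually comparing when it decides an optic is "theirs": an added example (not from the post or the Finisar document) that parses the SFF-8472 A0h serial-ID fields named above, vendor name, OUI and part number, and verifies the two check codes. The EEPROM image is constructed; the vendor name, part number and all-zero OUI are placeholders, not any real vendor's values.

```python
# Byte offsets in the SFF-8472 A0h page (the SFP/SFP+/SFP28 serial-ID block).
VENDOR_NAME = slice(20, 36)   # 16 ASCII chars, space padded
VENDOR_OUI = slice(37, 40)    # 3-byte IEEE OUI
VENDOR_PN = slice(40, 56)     # 16 ASCII chars, space padded
VENDOR_REV = slice(56, 60)    # 4 ASCII chars
VENDOR_SN = slice(68, 84)     # 16 ASCII chars
DATE_CODE = slice(84, 92)     # 8 ASCII chars, YYMMDDxx
CC_BASE = 63                  # check code over bytes 0..62
CC_EXT = 95                   # check code over bytes 64..94


def _ascii(field: bytes) -> str:
    return field.decode("ascii", errors="replace").rstrip()


def checksum(block: bytes) -> int:
    """SFF-8472 check code: low 8 bits of the byte sum."""
    return sum(block) & 0xFF


def parse_sfp_a0(eeprom: bytes) -> dict:
    """Return the identity fields a vendor check looks at, plus whether both
    check codes verify. A failed check code usually means a corrupt or
    mis-programmed module rather than a third-party one."""
    if len(eeprom) < 96:
        raise ValueError("need at least the 96-byte serial ID block")
    return {
        "identifier": eeprom[0],            # 0x03 = SFP / SFP+ / SFP28
        "vendor_name": _ascii(eeprom[VENDOR_NAME]),
        "vendor_oui": eeprom[VENDOR_OUI].hex(":"),
        "vendor_pn": _ascii(eeprom[VENDOR_PN]),
        "vendor_rev": _ascii(eeprom[VENDOR_REV]),
        "vendor_sn": _ascii(eeprom[VENDOR_SN]),
        "date_code": _ascii(eeprom[DATE_CODE]),
        "cc_base_ok": checksum(eeprom[0:63]) == eeprom[CC_BASE],
        "cc_ext_ok": checksum(eeprom[64:95]) == eeprom[CC_EXT],
    }


def build_example_eeprom() -> bytes:
    """Construct a 96-byte A0h image with valid check codes (placeholder values)."""
    img = bytearray(96)
    img[0] = 0x03                              # SFP or SFP+
    img[2] = 0x07                              # connector: LC
    img[11] = 0x06                             # encoding: 64B/66B
    img[12] = 0x67                             # nominal rate, 100 Mb/s units (10.3G)
    img[VENDOR_NAME] = b"EXAMPLE OPTICS".ljust(16)
    img[VENDOR_OUI] = b"\x00\x00\x00"          # placeholder OUI, not a real one
    img[VENDOR_PN] = b"SFP-10G-EXAMPLE".ljust(16)
    img[VENDOR_REV] = b"A1".ljust(4)
    img[VENDOR_SN] = b"EX0000000001".ljust(16)
    img[DATE_CODE] = b"19081200"
    img[CC_BASE] = checksum(img[0:63])
    img[CC_EXT] = checksum(img[64:95])
    return bytes(img)


if __name__ == "__main__":
    good = build_example_eeprom()
    print(parse_sfp_a0(good))
    # Corrupt one byte of the part number: identity changes and CC_BASE fails.
    bad = bytearray(good)
    bad[40] ^= 0xFF
    print(parse_sfp_a0(bytes(bad))["cc_base_ok"])  # False
```

The same layout is what a switch's `show interface transceiver` style output is read from, so a mismatched check code in inventory data is worth a look before blaming the vendor check.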

Actuarial Fables
Jul 29, 2014

Taco Defender
Ah. That explains why fs.com has a "compatibility" selection.

I'm sure the answer is "it depends on the company/product" but how common is vendor lock-in for SFP+ transceivers? I know Cisco does it from reading this thread, but have others gotten into it as well?

Thanks Ants
May 21, 2004

#essereFerrari


Lots of vendors will throw up warnings about incompatible transceivers. I just buy ones from FS.com flashed with a legit part number so the switch doesn't complain and so it doesn't show up in tech support diagnostic data giving people an easy way out of your ticket, and then keep a couple of legit ones on hand for troubleshooting if required.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
If you're in an environment that has hardware from multiple vendors, ease your stocking by getting programmable transceivers from flexoptics or similar. Fiberstore may also have a box like this now as well.

Keep a few first party optics around for support cases.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k

Actuarial Fables posted:

I'm sure the answer is "it depends on the company/product" but how common is vendor lock-in for SFP+ transceivers? I know Cisco does it from reading this thread, but have others gotten into it as well?


Arista also does lockout but it's a little more annoying. You have to email their support and they will provide you an unlock key tied to your organization.

Nuclearmonkee
Jun 10, 2009


Thanks Ants posted:

Lots of vendors will throw up warnings about incompatible transceivers. I just buy ones from FS.com flashed with a legit part number so the switch doesn't complain and so it doesn't show up in tech support diagnostic data giving people an easy way out of your ticket, and then keep a couple of legit ones on hand for troubleshooting if required.

Also "service unsupported-transceiver" and "no errdisable detect cause gbic-invalid" are your friends

I've never actually needed to use my Cisco optics but we also have one of each set just in case TAC tries to wriggle out of providing support.

Nuclearmonkee fucked around with this message at 17:45 on Aug 12, 2019

uhhhhahhhhohahhh
Oct 9, 2012
My boss is too cowardly to let me use non-Cisco transceivers. We've probably spent £20-30k in the last year on 10gig and 1gig SFPs. I've got about 25 1gig transceivers that our ISP sends out with their NTUs that they never bother to collect sitting in a drawer.

Eletriarnation
Apr 6, 2005

People don't appreciate the substance of things...
objects in space.


Oven Wrangler

Nuclearmonkee posted:

I've never actually needed to use my Cisco optics but we also have one of each set just in case TAC tries to wriggle out of providing support.

Has anyone here ever had a TAC engineer actually refuse to provide support (or argue with you about it, at least) to a system with 3rd party optics when not seeing any symptoms pointing to the optics? I was a TAC engineer a while back and I wasn't told to do that, and I never saw anyone else do that. We were told to troubleshoot normally and only suggest swapping optics with a specific reason to.

I'm not saying it doesn't happen, there could be some policy for other products I didn't work with or things might have changed at some point, but curious to know if it's an "abundance of caution" thing or an "I've been burned by this" thing.

Moey
Oct 22, 2010

I LIKE TO MOVE IT

Eletriarnation posted:

Has anyone here ever had a TAC engineer actually refuse to provide support (or argue with you about it, at least) to a system with 3rd party optics when not seeing any symptoms pointing to the optics? I was a TAC engineer a while back and I wasn't told to do that, and I never saw anyone else do that. We were told to troubleshoot normally and only suggest swapping optics with a specific reason to.

I'm not saying it doesn't happen, there could be some policy for other products I didn't work with or things might have changed at some point, but curious to know if it's an "abundance of caution" thing or an "I've been burned by this" thing.

I feel like it's an old wives tale at this point.

Tetramin
Apr 1, 2006

I'ma buck you up.

Eletriarnation posted:

Has anyone here ever had a TAC engineer actually refuse to provide support (or argue with you about it, at least) to a system with 3rd party optics when not seeing any symptoms pointing to the optics? I was a TAC engineer a while back and I wasn't told to do that, and I never saw anyone else do that. We were told to troubleshoot normally and only suggest swapping optics with a specific reason to.

I'm not saying it doesn't happen, there could be some policy for other products I didn't work with or things might have changed at some point, but curious to know if it's an "abundance of caution" thing or an "I've been burned by this" thing.

Yes

Docjowles
Apr 9, 2009

We had an issue with some Brocade switches where duplicate MAC addresses on the network would cause the device to crash and reboot in a loop. They absolutely tried to pin it on third party optics lol.

abigserve
Sep 13, 2009

this is a better avatar than what I had before

Eletriarnation posted:

Has anyone here ever had a TAC engineer actually refuse to provide support (or argue with you about it, at least) to a system with 3rd party optics when not seeing any symptoms pointing to the optics? I was a TAC engineer a while back and I wasn't told to do that, and I never saw anyone else do that. We were told to troubleshoot normally and only suggest swapping optics with a specific reason to.

I'm not saying it doesn't happen, there could be some policy for other products I didn't work with or things might have changed at some point, but curious to know if it's an "abundance of caution" thing or an "I've been burned by this" thing.

Yes. Always buy programmable optics!

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

Docjowles posted:

We had an issue with some Brocade switches where duplicate MAC addresses on the network would cause the device to crash and reboot in a loop. They absolutely tried to pin it on third party optics lol.

Such a Brocade thing to do.

BaseballPCHiker
Jan 16, 2006

Eletriarnation posted:

Has anyone here ever had a TAC engineer actually refuse to provide support (or argue with you about it, at least) to a system with 3rd party optics when not seeing any symptoms pointing to the optics? I was a TAC engineer a while back and I wasn't told to do that, and I never saw anyone else do that. We were told to troubleshoot normally and only suggest swapping optics with a specific reason to.

I'm not saying it doesn't happen, there could be some policy for other products I didn't work with or things might have changed at some point, but curious to know if it's an "abundance of caution" thing or an "I've been burned by this" thing.

We've had this happen before, and to be fair to Cisco the optics that we were using definitely were at a very low power level, we'd get low threshold warnings quite a bit on the particular interface. Still they looked at that, the low power, and said fix that first. While it was an issue, it wasn't the issue, ultimately.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

Can a cisco device syslog to the same IP twice but on different ports?

I have a want/need to condense 2 syslog "servers" (aka windows 7 workstations set up by my predecessor) and I'd prefer to just have one listen on something like UDP/1025 while the other listens on UDP/514, but I'm not sure if that will actually work; other option is obviously give the new VM 2 IP addresses and just have each one listen on its own IP.

Eletriarnation
Apr 6, 2005

People don't appreciate the substance of things...
objects in space.


Oven Wrangler
It can't be done in IOS-XR (edit: 6.2.25 specifically), I tried it and you'll just overwrite your existing entry for that host.

Eletriarnation fucked around with this message at 19:33 on Aug 13, 2019

Nuclearmonkee
Jun 10, 2009


MF_James posted:

Can a cisco device syslog to the same IP twice but on different ports?

I have a want/need to condense 2 syslog "servers" (aka windows 7 workstations set up by my predecessor) and I'd prefer to just have one listen on something like UDP/1025 while the other listens on UDP/514, but I'm not sure if that will actually work; other option is obviously give the new VM 2 IP addresses and just have each one listen on its own IP.

code:
logging host 69.69.69.69
logging host 69.69.69.69 transport udp port 1025 
should work

BaseballPCHiker
Jan 16, 2006

MF_James posted:

Can a cisco device syslog to the same IP twice but on different ports?

I have a want/need to condense 2 syslog "servers" (aka windows 7 workstations set up by my predecessor) and I'd prefer to just have one listen on something like UDP/1025 while the other listens on UDP/514, but I'm not sure if that will actually work; other option is obviously give the new VM 2 IP addresses and just have each one listen on its own IP.

Just my two cents since I did something very similar a few weeks ago.

I ended up giving the VM 2 NICs and having our syslog servers listen on both. I didn't spend a ton of time troubleshooting but I was never able to get the software to listen on different ports on 1 IP. This very well could have been a limitation of our syslog software but I didn't want to sink any more time on the project and the 2 vNICs have worked well enough. Your mileage may vary.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

Cool, yeah I dropped the commands in and they worked but I wasn't sure if it would actually happen.

Then I realized I could set it to use TCP and just cap the traffic and see if it actually is sending log messages.

I didn't get a lot of sleep last night OK!

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

MF_James posted:

Can a cisco device syslog to the same IP twice but on different ports?

I have a want/need to condense 2 syslog "servers" (aka windows 7 workstations set up by my predecessor) and I'd prefer to just have one listen on something like UDP/1025 while the other listens on UDP/514, but I'm not sure if that will actually work; other option is obviously give the new VM 2 IP addresses and just have each one listen on its own IP.

Use samplicator.

Tetramin
Apr 1, 2006

I'ma buck you up.
What are some cheap options for syslog software? We did the free trial of kiwi and it seems fine, haven’t really looked into anything else. I think it’s only like $250 so I assume it’s hard to beat price-wise, but I’m curious what other people prefer.

Docjowles
Apr 9, 2009

rsyslog

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Are you specifically looking for a Windows syslog server?

rsyslogd is generally used on Linux and is free.

Tetramin
Apr 1, 2006

I'ma buck you up.

falz posted:

Are you specifically looking for a Windows syslog server?

rsyslogd is generally used on Linux and is free.

Hmm maybe I’ll try to replace the syslog server I had our system guys build with a Linux box then. They built me a windows box but if it’s free I can probably change that. I have no attachment to OS for this.

Thanks

CrazyLittle
Sep 11, 2001





Clapping Larry

falz posted:

If you're an environment that has hardware from multiple vendors, ease your stocking by getting programmable transceivers from flexoptics or similar. Fiberstore may also have a box like this now as well.

Keep a few first party optics around for support cases.

Also in the programmable game is Solid-Optics, https://solid-optics.com and then Fiberstore FS is trying to get into the same thing but getting their programming box is kind of a bunch of bullshit.

Actuarial Fables
Jul 29, 2014

Taco Defender
Thanks for the info about SFP, everyone. I have a much stronger understanding of what it's all about now. Maybe one day I'll actually get to apply this information beyond building theoretical networks.

uhhhhahhhhohahhh
Oct 9, 2012

Tetramin posted:

Hmm maybe I’ll try to replace the syslog server I had our system guys build with a Linux box then. They built me a windows box but if it’s free I can probably change that. I have no attachment to OS for this.

Thanks

We're testing out Graylog at the moment, seems pretty good.

Thanks Ants
May 21, 2004

#essereFerrari


Has anybody ever touched BGP on Sonicwalls? I know this is a weird match up but it's what the client has, and this is only for a VPN tunnel to Azure rather than anything stupid. Underneath it all it's ZebOS and all the configuration is done in the CLI anyway so the fact it's a Sonicwall sitting on top shouldn't make a huge difference.

As far as I can see the BGP relationship is working fine - ZebOS says it can see the Azure side of the connection (I got an error when I typo'd the remote AS so I'm pretty sure that both sides are talking to each other), but I never see any routes from Azure. There's not a huge amount of stuff online about BGP on Sonicwalls and Azure, but there's a few bits of documentation about doing HA VPN tunnels to AWS and the configuration is very similar. I've also had a look at other platforms that use ZebOS (F5) and the configuration doesn't reveal any huge differences.

This is the config I have currently
code:
router bgp 64514
 bgp router-id 172.20.2.1
 network 10.6.0.0/17
 network 192.168.1.0/24
 neighbor 10.6.250.6 remote-as 65515
 neighbor 10.6.250.6 soft-reconfiguration inbound
 neighbor 10.6.250.6 maximum-prefix 10
And some output:
code:
ARS BGP>show ip bgp neighbors
BGP neighbor is 10.6.250.6, remote AS 65515, local AS 64514, external link
  BGP version 4, remote router ID 10.6.250.6
  BGP state = Established, up for 01:56:06
  Last read 01:56:06, hold time is 90, keepalive interval is 30 seconds
  Neighbor capabilities:
    Route refresh: advertised and received (new)
    4-Octet ASN Capability: advertised and received
    Address family IPv4 Unicast: advertised and received
    Address family IPv6 Unicast: received
  Received 271 messages, 0 notifications, 0 in queue
  Sent 277 messages, 0 notifications, 0 in queue
  Route refresh request: received 2, sent 2
  Minimum time between advertisement runs is 30 seconds
 For address family: IPv4 Unicast
  BGP table version 117, neighbor version 117
  Index 1, Offset 0, Mask 0x2
  Inbound soft reconfiguration allowed
  Community attribute sent to this neighbor (both)
  0 accepted prefixes, maximum limit 10
  Threshold for warning message 75(%)
  2 announced prefixes

 Connections established 1; dropped 0
Local host: 172.20.2.1, Local port: 179
Foreign host: 10.6.250.6, Foreign port: 51115
Nexthop: 172.20.2.1
Nexthop global: fe80::1ab1:69ff:fe0d:b632
Nexthop local: ::
BGP connection: non shared network
code:
ARS BGP>show ip bgp summary
BGP router identifier 172.20.2.1, local AS number 64514
BGP table version is 118
2 BGP AS-PATH entries
0 BGP community entries

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.6.250.6      4 65515     274     280      118    0    0 01:57:22        0

Total number of neighbors 1
I'm going to get something that isn't a Sonicwall out to try and see which side the problem is on, but if anybody has any ideas what might be going on in the meantime then I'd appreciate the help.

Docjowles
Apr 9, 2009

I know fuckall about Azure so this might not be applicable. But in AWS you need to set a property on your route tables before they will actually be advertised out through BGP. It could be something similar is going on for you?

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html#EnableDisableRouteProp

Filthy Lucre
Feb 27, 2006

Thanks Ants posted:

0 accepted prefixes, maximum limit 10

It looks like 65515 isn't advertising the routes (or 64514 has a filter that wasn't in your post). What's the BGP config for that side?

Thanks Ants
May 21, 2004

#essereFerrari


I can't see that bit, it's on the Azure remote gateway configuration and abstracted away.

Edit: Trawling through the documentation again shows that eBGP multihop needs to be enabled. I configured that for the neighbour and the prefix appeared almost immediately.

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-resource-manager-ps

Helps to bounce stuff off people, I'll get round to documenting this for work and then I'll post a redacted version somewhere so people can get this set up in less than four hours.

Thanks Ants fucked around with this message at 22:37 on Aug 29, 2019
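The symptom in the thread above was a peer that showed Established with "0 accepted prefixes", which is easy to miss on a dashboard that only checks session state. As an added example (not from the poster's SonicWall or from ZebOS), here is a parser for that `show ip bgp summary` table, fed the thread's own output, with a check that flags peers that are up but have received nothing; the column layout assumed is the Quagga/ZebOS style shown in the post.

```python
import re

# The thread's own 'show ip bgp summary' output, embedded as sample input.
SUMMARY = """\
BGP router identifier 172.20.2.1, local AS number 64514
BGP table version is 118
2 BGP AS-PATH entries
0 BGP community entries

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.6.250.6      4 65515     274     280      118    0    0 01:57:22        0

Total number of neighbors 1
"""

# A neighbor row: IPv4 peer, version, AS, five counters, Up/Down, then either a
# prefix count (session Established) or a state word (Idle, Active, Connect...).
ROW = re.compile(
    r"^(?P<peer>\d+\.\d+\.\d+\.\d+)\s+(?P<ver>\d+)\s+(?P<asn>\d+)\s+"
    r"\d+\s+\d+\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<uptime>\S+)\s+(?P<state>\S+)\s*$"
)


def parse_summary(text: str) -> list:
    """Turn the neighbor table into one dict per peer."""
    peers = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        state = m["state"]
        established = state.isdigit()      # numeric last column = prefixes received
        peers.append({
            "peer": m["peer"],
            "remote_as": int(m["asn"]),
            "uptime": m["uptime"],
            "established": established,
            "prefixes_received": int(state) if established else None,
            "state": "Established" if established else state,
        })
    return peers


def silent_established_peers(peers: list) -> list:
    """Peers whose session is up but which have sent us no prefixes.

    The TCP session and OPEN exchange are fine in this case, so the cause is on
    the advertising side or in how we accept routes (inbound policy, the
    maximum-prefix setting, or, as in the thread, eBGP multihop not enabled)."""
    return [p["peer"] for p in peers
            if p["established"] and p["prefixes_received"] == 0]


if __name__ == "__main__":
    peers = parse_summary(SUMMARY)
    for p in peers:
        print(p)
    print("established but empty:", silent_established_peers(peers))  # ['10.6.250.6']
```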

Moey
Oct 22, 2010

I LIKE TO MOVE IT

CrazyLittle posted:

Also in the programmable game is Solid-Optics, https://solid-optics.com and then Fiberstore FS is trying to get into the same thing but getting their programming box is kind of a bunch of bullshit.

https://www.fs.com/products/75866.html

I really don't have a need for it, but this is pretty cool looking.

You have issues with it?

howdoesishotweb
Nov 21, 2002
Not sure if this is the place for this question, since I’m dealing with Cisco software.

I work in radiology, and I’m trying to work from home occasionally. We connect to our hospital network through the Cisco AnyConnect VPN. I can connect no problem, but the speed is absolute poo poo. I usually get 70mbps download and 11-12 up. Ookla speed test gives me a latency of 11-12 ms. However when trying to download radiology studies to read, I rarely get more than 1-2 mbps. Our IT department says latency to the hospital servers is too long, or the radiology software doesn’t handle remote connections well. However I know other hospitals use the same software without issue. How would I troubleshoot whether this is a VPN issue, whether it be latency or bandwidth?


Nuclearmonkee
Jun 10, 2009


howdoesishotweb posted:

Not sure if this is the place for this question, since I’m dealing with Cisco software.

I work in radiology, and I’m trying to work from home occasionally. We connect to our hospital network through the Cisco AnyConnect VPN. I can connect no problem, but the speed is absolute poo poo. I usually get 70mbps download and 11-12 up. Ookla speed test gives me a latency of 11-12 ms. However when trying to download radiology studies to read, I rarely get more than 1-2 mbps. Our IT department says latency to the hospital servers is too long, or the radiology software doesn’t handle remote connections well. However I know other hospitals use the same software without issue. How would I troubleshoot whether this is a VPN issue, whether it be latency or bandwidth?

It's likely doing split tunneling, so your speed test is just testing your local uplink at home, while the problem is with a lovely connection somewhere between you and the remote machine you are connecting to via VPN, or they are applying some kind of QoS to prevent VPN users from eating too much bandwidth.

Your IT guy is giving you the lazy answer to make you go away, doesn't know how it works, or doesn't want to bother the guy who actually knows how it works.

Nuclearmonkee fucked around with this message at 20:45 on Sep 2, 2019
