MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

Nuclearmonkee posted:

To be fair, it could also have been a firmware bug that's hopefully resolved in an update. That would be next on my list if you are 100% confident the config is correct. :v:

On other ASA related awesomeness, I see that the default 5506x configuration still doesn't do management properly over VPN because lmao https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve82307/?reffering_site=dumpcr This has been outstanding for literal years.

Had to throw one of these out for a one-off remote instrumentation site but forgot about that one until the local guy actually installed it and none of the management would work over the L2L tunnel. Have to delete the BVI and use individual interfaces because "management-access interface" cannot bind to a BVI, which is how they come out of the box.

Add the fiasco that is getting firepower work properly and stay working on top of that and I really am quite annoyed that I have to deal with this crap when there are other NGFWs for comparable cost that are much less of a nightmare to manage.

Thankfully we don't do firepower at all, we have a config standard that removes BVI as well (for devices that need it), though I don't think the 5515/5516s come by default like the 5506's. I do long for Fortinet's as lovely as that sounds, but it looks like we're moving to SonicWALL


Thanks Ants
May 21, 2004

#essereFerrari


Are the Firepower 1000-series poo poo as well, or is it too early to tell

Methanar
Sep 26, 2013

by the sex ghost

MF_James posted:

Thankfully we don't do firepower at all, we have a config standard that removes BVI as well (for devices that need it), though I don't think the 5515/5516s come by default like the 5506's. I do long for Fortinet's as lovely as that sounds, but it looks like we're moving to SonicWALL

Nothing lovely about wanting fortinets for a VPN terminator or if you really need a hardware firewall for some reason.

Nuclearmonkee
Jun 10, 2009


Thanks Ants posted:

Are the Firepower 1000-series poo poo as well, or is it too early to tell

I have one they gave me to mess with. It's still Firepower but at least there's no ASA in there. You can accomplish almost the same thing with an ASA running the FTD image, though you can't run anything after 6.2 on 5506-x and 08-x, which is still the recommended version anyways so lol.

New coat of paint on the turd basically. If you have the budget to buy this, buy something better instead imo.

If you are trapped in Cisco land and have a need for a lot of small 5506-x ish sized appliances they are at least better than what came before.

Nuclearmonkee fucked around with this message at 20:57 on Sep 17, 2019

ragzilla
Sep 9, 2005
don't ask me, i only work here


Nuclearmonkee posted:

I have one they gave me to mess with. It's still Firepower but at least there's no ASA in there. You can accomplish almost the same thing with an ASA running the FTD image, though you can't run anything after 6.2 on 5506-x and 08-x, which is still the recommended version anyways so lol.

Is this some new code that's not FTD? Because FTD is Firepower as hypervisor and an ASA dataplane, so the ASA piece is still in there but all hidden behind the veneer of FMC/FDM.

Nuclearmonkee
Jun 10, 2009


ragzilla posted:

Is this some new code that's not FTD? Because FTD is Firepower as hypervisor and an ASA dataplane, so the ASA piece is still in there but all hidden behind the veneer of FMC/FDM.

No it's still FTD. You just don't have to touch the ASA bits directly

Docjowles
Apr 9, 2009

It's honestly kind of impressive that Cisco has nearly unlimited resources and what comes out of it is the ASA platform.

Tetramin
Apr 1, 2006

I'ma buck you up.
I am losing management access to ASAs all across my network, getting connection refused and pcaps show the ASA resetting the connection. Running iOS 9.6.3.1. I have a case with TAC since the ASA at my office is currently affected and I can serial into this one, but we aren’t getting anywhere. He told me removing the SSH config and re-adding would fix but it didn’t. Rebooting the device resolves until it happens again.

Anybody have any loving idea? Even ASDM access breaks when this happens.

In other news our Cisco TAM is takin me to a ball game in a suite on Thursday lol

Thanks Ants
May 21, 2004

#essereFerrari


Docjowles posted:

It's honestly kind of impressive that Cisco has nearly unlimited resources and what comes out of it is the ASA platform.

Also Spark. And everything Meraki that isn't their APs.

Tetramin
Apr 1, 2006

I'ma buck you up.

Thanks Ants posted:

Also Spark. And everything Meraki that isn't their APs.

We just had meraki pitched to us and we’ve been fairly interested. Could you elaborate on your problems with it? Bosses really want to turn down MPLS circuits at locations where we can get two DIA connections and meraki seemed fairly decent for our needs. We aren’t planning to switch to their switches or even really APs at the moment, we’d just be getting their edge devices.

Thanks Ants
May 21, 2004

#essereFerrari


I think they're fine if you go all-in and have basic requirements that fit perfectly onto their standard use case, but they didn't work for us because they don't do IPv6, don't do BGP unless you run beta software, are useless at doing VPN tunnels to non-Meraki peers (won't advertise the network to other AutoVPN sites) unless you use a different device to connect the tunnel and make a static route entry, and despite being Cisco they still don't use AnyConnect for the client VPN, instead you get some poo poo IPsec service. Really basic things like source NAT are also completely absent.

Tetramin
Apr 1, 2006

I'ma buck you up.
We are already in static route hell at our head end. No bgp advertisement is a bit of a pain, we are already needing to maintain static routes at the head end like crazy. I am going to use what you said in a bit of a pitch against it if it comes up though, thanks.

I have a feeling this push to cut opex by cancelling MPLS is gonna go away by the time they see the licensing costs anyways.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

We use Meraki and have around 70 AP's across 3 sites. Works loving great compared to the WLC we replaced. We have MPLS + DMVPN connections to each site.

less than three
Aug 9, 2007

Fallen Rib
Meraki APs are great, we've got about 600. Far less headaches compared to the Zebra/Extreme they replaced. No complaints about their switches, we have 200 of those.

Their MX line we haven't bought in to because as mentioned above, they're rather limited in interoperability with other vendor's gear, it really needs to be all-Meraki edge devices to even be worth it.

Don't expect anything like Anyconnect or DMVPN compatibility because despite now being Cisco owned, they still operate as an autonomous unit and are generally left to go do their own thing.

less than three fucked around with this message at 05:19 on Sep 18, 2019

Nuclearmonkee
Jun 10, 2009


Tetramin posted:

I am losing management access to ASAs all across my network, getting connection refused and pcaps show the ASA resetting the connection. Running iOS 9.6.3.1. I have a case with TAC since the ASA at my office is currently affected and I can serial into this one, but we aren’t getting anywhere. He told me removing the SSH config and re-adding would fix but it didn’t. Rebooting the device resolves until it happens again.

Anybody have any loving idea? Even ASDM access breaks when this happens.

In other news our Cisco TAM is takin me to a ball game in a suite on Thursday lol

Did you try loving with firmware? I’m on 9.8 train but since it’s ASA I’d try 9.6.4 or something on your local one just to see if it makes a difference

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

We're getting a pair of 10 gig switches for our datacenter. Aruba 3810m vs Cisco Nexus 3524xl. Any reason not to go with Aruba? drat near half the cost, even including optics.

Methanar
Sep 26, 2013

by the sex ghost

GreenNight posted:

We're getting a pair of 10 gig switches for our datacenter. Aruba 3810m vs Cisco Nexus 3524xl. Any reason not to go with Aruba? drat near half the cost, even including optics.

Still buy unbranded optics

Thanks Ants
May 21, 2004

#essereFerrari


I wouldn't necessarily consider the Provision range of Aruba switches to be datacentre boxes, but if all of the things you need the switches to do can be achieved by the Arubas then I'm sure you will have no issues with them.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

Thanks Ants posted:

I wouldn't necessarily consider the Provision range of Aruba switches to be datacentre boxes, but if all of the things you need the switches to do can be achieved by the Arubas then I'm sure you will have no issues with them.

Basically we're migrating 4 ESX boxes from 8x 1 gig switch ports to 4x 10 gig ports each. That's all they'll be used for.

Tetramin
Apr 1, 2006

I'ma buck you up.

Nuclearmonkee posted:

Did you try loving with firmware? I’m on 9.8 train but since it’s ASA I’d try 9.6.4 or something on your local one just to see if it makes a difference

That’s been kind of my last resort option. Been holding off on upgrading it until TAC tells me to but it’s been tough connecting with the engineer 'cause shit's been crazy busy for me lately. Maybe I will just go ahead and do that.

ragzilla
Sep 9, 2005
don't ask me, i only work here


Tetramin posted:

That’s been kind of my last resort option. Been holding off on upgrading it until TAC tells me to but it’s been tough connecting with the engineer 'cause shit's been crazy busy for me lately. Maybe I will just go ahead and do that.

ASA 9.6 stops getting software updates in September 2020, so you're switching trains in the next 12mo anyway.

-edit-
What's your management ACL? Could be CLOSE_WAIT stuck connections (CSCvr15503). That wouldn't clear up until rebooted. Similar would be CSCuw02009 which has recent activity but is _supposed_ to be fixed. But either way if it's sending RSTs it's probably a software defect.

ragzilla fucked around with this message at 14:40 on Sep 19, 2019

Tetramin
Apr 1, 2006

I'ma buck you up.
This might not be the correct thread, but we were getting some Orion alerts for high interface usage on one of our ASAs this morning. According to Netflow this is all HOPOPT traffic, which I've been doing a bit of reading on and it seems like it's possible this could be some kind of attack? Or could this be some sort of error with the Netflow gathering?

Screenshot from Orion:


The source/dests are all strange too, like 0.101.0.53 or similar.

Didn't notice any performance issues during the time of the traffic, but I just spotted whatever this is and I'm a bit confused.

Nuclearmonkee
Jun 10, 2009


Tetramin posted:

This might not be the correct thread, but we were getting some Orion alerts for high interface usage on one of our ASAs this morning. According to Netflow this is all HOPOPT traffic, which I've been doing a bit of reading on and it seems like it's possible this could be some kind of attack? Or could this be some sort of error with the Netflow gathering?

Screenshot from Orion:


The source/dests are all strange too, like 0.101.0.53 or similar.

Didn't notice any performance issues during the time of the traffic, but I just spotted whatever this is and I'm a bit confused.

That's an IP null attack which will show as HOPOPT.

https://www.corero.com/resources/glossary.html#IP%20NULL

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Doesn't it show the protocols and ports?

Nuclearmonkee
Jun 10, 2009


falz posted:

Doesn't it show the protocols and ports?

IP null attack is a flood with null for the protocol in the IP header, which is what HOPOPT legitimately uses.
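As an added illustration of the point above (not code from the thread): a small checker over NetFlow-style records that flags the two things Tetramin's screenshot showed, IPv4 flows carrying protocol number 0 (the value Orion labels HOPOPT, which is only meaningful as an IPv6 extension header) and sources in bogon space such as 0.0.0.0/8. The record format and the sample flows are constructed for the example.

```python
"""Flag IPv4 flow records that carry IP protocol 0 ('HOPOPT' in NetFlow tools).

Protocol number 0 is the IPv6 Hop-by-Hop Options extension header; it is not a
valid IPv4 transport, so IPv4 flows reporting it are 'IP null' traffic rather
than real hop-by-hop options. Record layout here is a constructed simplification
of what a NetFlow collector exports.
"""
import ipaddress
from collections import defaultdict

# Subset of IANA protocol numbers; 0 is what NetFlow front-ends label HOPOPT.
PROTO_NAMES = {0: "HOPOPT", 1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP"}

# Source ranges that should never be seen arriving on an internet edge.
BOGON_NETS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "240.0.0.4/30")]
BOGON_NETS[-1] = ipaddress.ip_network("240.0.0.0/4")  # reserved class E block


def is_bogon(addr: str) -> bool:
    """True if addr falls inside one of the bogon ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_NETS)


def analyse_flows(flows):
    """Return (findings, byte totals per protocol name).

    Each flow is a dict with keys src, dst, proto (int) and bytes (int).
    A finding is (src, dst, reasons); reasons lists why the flow was flagged.
    """
    findings = []
    totals = defaultdict(int)
    for f in flows:
        reasons = []
        if f["proto"] == 0:
            reasons.append("ipv4-protocol-0 (IP null)")
        if is_bogon(f["src"]):
            reasons.append("bogon-source")
        if is_bogon(f["dst"]):
            reasons.append("bogon-destination")
        totals[PROTO_NAMES.get(f["proto"], str(f["proto"]))] += f["bytes"]
        if reasons:
            findings.append((f["src"], f["dst"], reasons))
    return findings, dict(totals)


def null_share(totals) -> float:
    """Fraction of observed bytes carried by protocol 0 (the flood indicator)."""
    total = sum(totals.values())
    return totals.get("HOPOPT", 0) / total if total else 0.0


# Constructed sample records, not real captures; addresses are documentation ranges.
SAMPLE_FLOWS = [
    {"src": "0.101.0.53", "dst": "203.0.113.10", "proto": 0, "bytes": 1_200_000},
    {"src": "0.77.0.80", "dst": "203.0.113.10", "proto": 0, "bytes": 950_000},
    {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": 6, "bytes": 40_000},
    {"src": "203.0.113.10", "dst": "198.51.100.7", "proto": 17, "bytes": 8_000},
]

if __name__ == "__main__":
    found, byte_totals = analyse_flows(SAMPLE_FLOWS)
    for src, dst, why in found:
        print(f"{src} -> {dst}: {', '.join(why)}")
    print(f"protocol-0 share of bytes: {null_share(byte_totals):.1%}")
```

A high protocol-0 share from bogon sources is the signature to alert on; a lone protocol-0 record on an IPv6 link can be legitimate hop-by-hop options and should not trip the same alarm.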

Tetramin
Apr 1, 2006

I'ma buck you up.

Nuclearmonkee posted:

That's an IP null attack which will show as HOPOPT.

https://www.corero.com/resources/glossary.html#IP%20NULL

Should we be checking for compromised devices on that network then? Or could this be coming from the outside?

falz posted:

Doesn't it show the protocols and ports?

Orion is giving me the protocol in the Netflow but for some reason I’m not seeing ports or really anything that makes it easy to narrow down. I found it late in the day so I’ll do some more checking tomorrow, I'm not very familiar with the NetFlow interface in Orion yet.

uhhhhahhhhohahhh
Oct 9, 2012
On the netflow summary page, using the flow navigator on the left, you can change to Detailed in the first section. Then choose the endpoint that your screenshot is from and you can filter by that protocol, and the time range it was in. This should give you a page that has Endpoints that generated the traffic and Conversations between devices if there was a source and destination

BaseballPCHiker
Jan 16, 2006

Here's hopefully a quick question.

About a year ago while we were doing an equipment refresh I made a point to enable bpduguard on all of our access switches to prevent some horrific episodes that have happened here in the past.

Well I finally had a port go err-disabled and had a heck of a time getting back up. I had to remove the access and voice vlan from the port config, re-enable the port, then add the vlan config back. Is that the normal way of doing it or is there a quicker way?

Also the port in question was an end user bringing in some stupid android TV box thing that caused the port to shutdown. He's a firefighter and said he wanted it to play Kodi on overnight shifts...

Nuclearmonkee
Jun 10, 2009


BaseballPCHiker posted:

Here's hopefully a quick question.

About a year ago while we were doing an equipment refresh I made a point to enable bpduguard on all of our access switches to prevent some horrific episodes that have happened here in the past.

Well I finally had a port go err-disabled and had a heck of a time getting back up. I had to remove the access and voice vlan from the port config, re-enable the port, then add the vlan config back. Is that the normal way of doing it or is there a quicker way?

Also the port in question was an end user bringing in some stupid android TV box thing that caused the port to shutdown. He's a firefighter and said he wanted it to play Kodi on overnight shifts...

code:
! detect and auto-recover every err-disable cause (bpduguard included)
errdisable recovery interval 30
errdisable recovery cause all
errdisable detect cause all
! the interval is how long (seconds) the port stays down before the switch retries it
If someone does something dumb and removes the thing they plugged in, it will re-enable the port by itself.

Thanks Ants
May 21, 2004

#essereFerrari


Usually a shut/no shut is enough to bring an error disabled port back up. Chances are your Android stick thing was plugged into the LAN and also connected to a Wi-Fi network, I've seen AirPort Express things where people have used them to play music cause the same problem, except in that case the switch port priorities weren't configured very well so it ended up shutting down the access point port.

Partycat
Oct 25, 2004

Yeah those are easy enough to get into bridge mode where that can happen.

Recovery is good if it’s the kind of thing that should recover , as it can still cause anomalies until it’s shut again . Or someone hooks up a mini switch that’s too smart that eats BPDUs

greatapoc
Apr 4, 2005
We currently receive an internet service into our head office and our provider gives us an additional /29 through a static route. We also have a second site with an internet service through the same provider and would like to use it as backup. It appears the best way to manage this is with BGP due to the need to retain the /29 during an outage on the main link. The sites are connected to each other by dark fiber.

What’s the best way to manage the migration from static to BGP? Being that both services are with the same provider I assume we can ask them for a private ASN and have them accept our advertisement while they delete their static. Are we able to bring everything up and test it working before they delete the static? What sort of downtime could we expect for the various routing changes? We’re using OSPF internally and the internet services have their own /30s.

Docjowles
Apr 9, 2009

Generally speaking, routers will prefer a static route over dynamic, so you can set up the BGP peering without interrupting anything. Though you should confirm this with the ISP first just in case. Once you get the sessions up and they see the route being advertised, they can drop the static route. This should cause little to no downtime if everything was done correctly. You'll also want to do something to ensure the ISP prefers your primary site (path prepending, MED, etc, they probably have a preferred method they'll ask you to use).

It's worth noting this doesn't require BGP. Your ISP can configure a static route toward each site and prefer the one for the primary site. If that link goes down, it will use the route to the backup site. But using BGP will give you more control, which is usually a good thing.

unknown
Nov 16, 2002
Ain't got no stinking title yet!


greatapoc posted:

We currently receive an internet service into our head office and our provider gives us an additional /29 through a static route. We also have a second site with an internet service through the same provider and would like to use it as backup. It appears the best way to manage this is with BGP due to the need to retain the /29 during an outage on the main link. The sites are connected to each other by dark fiber.

What’s the best way to manage the migration from static to BGP? Being that both services are with the same provider I assume we can ask them for a private ASN and have them accept our advertisement while they delete their static. Are we able to bring everything up and test it working before they delete the static? What sort of downtime could we expect for the various routing changes? We’re using OSPF internally and the internet services have their own /30s.

I hope you're planning on a couple of hours of downtime and doing this outside of normal work hours along with upkeep.

It's easy on the provider's side of things (setup 2x ebgp connections, remove static route). Your side will be more hellish since now you need to change your internal routing (you do know you need to sync all bgp speakers on your side) most likely along with firewall changes, etc. Once you start putting BGP in place and moving ranges around, you now have to deal with things like asymmetric routing issues (packets in one site, out the other) that firewalls break, or island issues (what happens if fiber breaks, which site is best?).

BGP is a sledgehammer - are you sure you don't just need something simple like a dynamically updated DNS entry to direct external apps inbound?

greatapoc
Apr 4, 2005

Docjowles posted:

It's worth noting this doesn't require BGP. Your ISP can configure a static route toward each site and prefer the one for the primary site. If that link goes down, it will use the route to the backup site. But using BGP will give you more control, which is usually a good thing.

I did consider that but my concern was that if something breaks on the access tail their router port would likely still be up/up and not remove the static route facing that site.

unknown posted:

BGP is a sledgehammer - are you sure you don't just need something simple like a dynamically updated DNS entry to direct external apps inbound?

It is a bit of a worry as it’s something I’ve never done before. If there’s an easier way I’m all ears. I’m comfortable with the routing for the outbound stuff I’m just not 100% on the inbound. We’re using Palo Alto firewalls and I believe if we make them active/active it should take care of any asymmetrical routing issues. Currently all of the servers using the public IPs are housed at the main site so they shouldn’t be impacted for external use during a fiber break to the backup.

Thanks Ants
May 21, 2004

#essereFerrari


What services are hosted out of your location that have to fail over to the other? Is it more cost effective to remove/migrate those somewhere else?

Methanar
Sep 26, 2013

by the sex ghost
Don't use bgp unless you really know what you're doing. Weighted dns with health checks is probably a better idea as mentioned.

But I have no idea what the service is

abigserve
Sep 13, 2009

this is a better avatar than what I had before

greatapoc posted:

We’re using Palo Alto firewalls and I believe if we make them active/active it should take care of any asymmetrical routing issues.

No. This is dead wrong. Don't do that. Active/active mode is a last-resort-hail-Mary option and isn't something to run unless you absolutely have to.

As mentioned above the biggest issue migrating to BGP in an environment like that is how you handle your internal routing - if you have an IGP like OSPF it's not too hard, you just need to make sure you peer the border routers over iBGP and setup local preference. You can do that without an outage window prior to cutover as the BGP learnt routes won't be preferred over your currently configured statics.

If you don't already have an IGP, you're looking at re-configuring the core of your network as well as BGP, it's a lot of changes all at once.

greatapoc
Apr 4, 2005

Thanks Ants posted:

What services are hosted out of your location that have to fail over to the other? Is it more cost effective to remove/migrate those somewhere else?

A few web servers, mail server and some proprietary services that need to be public. Weighted DNS did not even enter my mind so I think we may actually be able to work with that.

Thank you for the suggestions.


Thanks Ants
May 21, 2004

#essereFerrari


Mail you can fix by using something like Mimecast (or moving to Office 365), and if the public services are just HTTPS endpoints then something like Azure Traffic Manager can handle it. More advanced products will give you WAF capabilities as well.

Always keep it as simple as possible.
