I'll empty quote it on my boat too... Mods ban me if I don't have a boat by 2027
# ? Oct 29, 2020 23:35 |
|
|
If your application can saturate multi-gig links your prototype using EOL hardware won't be capable of satisfying anything beyond a ping test. Cancel the boat payments, IMO.
|
# ? Nov 2, 2020 20:28 |
Pile Of Garbage posted:If your application can saturate multi-gig links your prototype using EOL hardware won't be capable of satisfying anything beyond a ping test. Cancel the boat payments, IMO.

Those are still perfectly good switches. I'll still be using them until they go EOS! I'd be more dubious on old compute and storage, particularly storage being able to keep up. Older stuff is going to bottleneck on IOPS long before your 20 gigabit port channels max out.
|
|
# ? Nov 3, 2020 02:15 |
|
I just started at a new company, and the bulk of our clients are on Cisco Merakis (or switching over), and oh my, they are so easy mode. I do find myself looking around for options, whereas I know the IOS way... I haven't used them much, did some firewall rules/VLANs/site2site VPNs etc., and it feels like anyone off the street could do it if they know how to Google. That said, am I just on cloud nine about it because I'm so used to every loving enterprise network device from my old jobs (F5s, SonicWalls, etc. etc. - Palo Altos were actually pretty decent, I'll admit)? Are Merakis really as good as they seem, or are there glaring problems etc. that I just haven't encountered (due to not using them much yet)?
|
# ? Nov 8, 2020 02:13 |
|
What Meraki gear can do, it does well. If you want to do something outside its feature set, you're SOL. A lot less flexible/customizable than IOS. The logging also leaves something to be desired when you want to figure out why something isn't working properly.
|
# ? Nov 8, 2020 02:59 |
|
If you have to call their support ever you should probably pour yourself a drink. I had to call them this week and I had to wait 50 minutes on hold to get a human. They hung up on me after the first 20 minutes on hold and I had to wait another 30. By the time I actually was working with an engineer, the issue had been found to be an issue with Azure's routing and was resolved by Azure's staff.
|
# ? Nov 8, 2020 03:24 |
|
Thanks, sounds good. All of our clients are vet clinics (and a few animal hospitals), so there really shouldn't be any really complicated setups (whereas before I worked at eHealth and Telus); i.e. my manager was amazed I was able to block a VLAN from all other VLANs so it only had access to the internet (via firewall rules). It seems like all the sites with SonicWalls are getting remediated over to Merakis because they work so well for all our clients with them (150+). And yeah, my coworker was trying to get a hold of Meraki support for like 3 hours because upgrading from an MX66 to 68 or whatever was giving some "call Meraki" error.
|
# ? Nov 8, 2020 03:46 |
|
They also don't have a toll free support number, which always peeves me a bit calling from Canada.
|
# ? Nov 8, 2020 07:03 |
|
Do Meraki's all run in CAPWAP tunnel mode or do they also have an equivalent of FlexConnect local-auth/local-breakout available?
|
# ? Nov 8, 2020 07:37 |
|
The APs dump traffic onto the local network unless you have a security appliance in your org, and then you get the option to build an L3 tunnel and break out centrally. The security appliances are poo poo, the switches are overpriced. But if their features line up exactly with what you need, there's nothing better.
|
# ? Nov 8, 2020 12:04 |
|
IMO Meraki is just a product line that allows Cisco to get their foot in the door of SMB customers. Once a customer buys into it and decides that they want to do anything more complicated than access switching, they'll be buying 3850s, 5510s or...Firepowers... It's probably not as cheap, but if you're dealing with a large number of small/medium branches then Fortinet FortiWiFi devices or FortiGate + FortiAP are great. A FortiGate firewall has the same features as a Cisco ISR+ASA+WLC out-of-the-box. Also the UI on Fortinet devices is simply wonderful to use (backed by a robust CLI ofc). Now I sound like a Fortinet shill. This has been an unpaid message from the guy who loves Fortinet so much he uses that poo poo at home.
|
# ? Nov 8, 2020 12:42 |
Pile Of Garbage posted:IMO Meraki is just a product line that allows Cisco to get their foot in the door of SMB customers. Once a customer buys in to it and decide that they want to do anything more complicated than access switching they'll be buying 3850s, 5510s or...Firepowers...

Stay as far away from ASA and Firepower as you can. I'm so glad I got to retire those pieces of poo poo. Put in Palo Altos or Fortinets.
|
|
# ? Nov 8, 2020 18:08 |
|
ASAs are fine if you just need to do simple L3/4 ACLs; anything beyond that and it's best to defer to a proper NGFW. I've luckily never used Firepower but I've heard some real horror stories. From a colleague:

quote:one reddit article I read by one guy said he hopes the guys who built it will be pallbearers at his funeral so they can let him down one more time
|
# ? Nov 8, 2020 19:03 |
|
ASAs are trash
|
# ? Nov 8, 2020 19:31 |
|
I am planning on replacing all of our Meraki access layer switching + APs with FortiThings in early 2021.
|
# ? Nov 8, 2020 19:37 |
|
I have to look after a cluster of 5525Xs and they're such loving garbage. It just inexplicably stops forwarding traffic if one specific firewall becomes the master, but it works fine when it's not. Also gently caress ASDM forever.
|
# ? Nov 8, 2020 20:47 |
|
uhhhhahhhhohahhh posted:I have to look after a cluster of 5525Xs and they're such loving garbage. It just inexplicably stops forwarding traffic if one specific firewall becomes the master, but it works fine when it's not. Also gently caress ASDM forever.

Check the syslog settings. Are you forwarding syslog to a TCP port? If the host is unreachable, the ASA stops forwarding. Could be you have some kind of issue reaching it from one and not the others?
|
# ? Nov 8, 2020 22:55 |
|
I think the only reason I would use an ASA or a Firepower running ASA code over a more competent firewall is if I needed to handle a few tens of gigabits of L3/L4 traffic and needed to programmatically change non-persistent firewall rules in a dumb and quick manner via clogin or something like that.

uhhhhahhhhohahhh posted:I have to look after a cluster of 5525Xs and they're such loving garbage. It just inexplicably stops forwarding traffic if one specific firewall becomes the master, but it works fine when it's not. Also gently caress ASDM forever.

Haaaaaaaave you considered opening a TAC case?
|
# ? Nov 8, 2020 23:17 |
|
Jedi425 posted:Check the syslog settings. Are you forwarding syslog to a TCP port? If the host is unreachable, the ASA stops forwarding. Could be you have some kind of issue reaching it from one and not the others?

Syslog is UDP and it's done over the OOB management, so it's always reachable. We also only recently got a SIEM anyway and it was happening before.

Kazinsal posted:I think the only reason I would use an ASA or a FirePower running ASA code over a more competent firewall is if I needed to handle a few tens of gigabits of L3/L4 traffic and needed to programmatically change non-persistent firewall rules in a dumb and quick manner via clogin or something like that.

All the documentation for clustering on ASAs is filled with notes saying TAC doesn't support this configuration at all. My boss wanted it this way for zero reason; we gain nothing doing it this way over an HA pair because our internet connections are 1gig and we can't active/active them either. He knows that because he was on all the same phone calls as me with our ISP saying we couldn't do that, but acts surprised 1+ years later when it's ever mentioned they aren't active/active or I have to correct him on a phone call. Also, the audacity on you to assume we pay for TAC, or even software updates, on our edge firewall.
|
# ? Nov 8, 2020 23:58 |
|
uhhhhahhhhohahhh posted:Syslog is UDP and it's done over the OOB management, so it's always reachable. We also only recently got a SIEM anyway and it was happening before.

Sorry for your loss, I guess. I only mention the syslog thing because it's caused massive production network failures at two jobs in a row.
|
# ? Nov 9, 2020 01:45 |
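The TCP-syslog failure mode Jedi425 describes above is documented ASA behaviour, not folklore: when a syslog server configured with `logging host <iface> <ip> tcp/<port>` stops accepting the TCP session, the ASA by default denies new through-connections until the server is back, unless `logging permit-hostdown` is set (the device logs a `%ASA-3-414003` "TCP Syslog Server ... not responding" message when this happens). The audit below is an added example written for this page, not anything from the thread or from Cisco; it scans a running-config for TCP syslog destinations that lack `permit-hostdown` and shows the one-line fix. The two config fragments are constructed for the example and are not from any real device.

```python
"""Audit a Cisco ASA running-config for TCP syslog destinations that can
block traffic when the collector goes down.

Added example for this page (not from the thread or from Cisco). ASA syntax
used here: `logging host <iface> <ip> [tcp|udp|6|17]/<port>` and
`logging permit-hostdown`. Sample configs below are constructed.
"""
import re

# Constructed "weak" config: one TCP syslog target, no permit-hostdown.
# The second logging host has no protocol suffix, which is UDP/514 on ASA.
ASA_WEAK = """\
logging enable
logging trap informational
logging host inside 10.1.1.50 tcp/1470
logging host management 10.9.9.9
"""

# Constructed hardened config: same TCP target, traffic allowed when it's down.
ASA_FIXED = """\
logging enable
logging trap informational
logging host inside 10.1.1.50 tcp/1470
logging permit-hostdown
"""

# interface, address, optional protocol (tcp/udp or numeric 6/17) and port
LOGGING_HOST = re.compile(
    r"^logging host (\S+) (\S+)(?: (tcp|udp|6|17)/(\d+))?", re.M
)


def tcp_syslog_hosts(config):
    """Return (iface, ip, port) for every syslog destination that uses TCP."""
    hosts = []
    for match in LOGGING_HOST.finditer(config):
        iface, ip, proto, port = match.groups()
        if proto in ("tcp", "6"):
            hosts.append((iface, ip, int(port)))
    return hosts


def permit_hostdown(config):
    """True if the config tells the ASA to keep forwarding while a TCP syslog host is down."""
    return re.search(r"^logging permit-hostdown\s*$", config, re.M) is not None


def syslog_blocking_risk(config):
    """TCP syslog targets whose outage would make this ASA deny new connections.

    With permit-hostdown present the list is empty: the ASA drops log lines
    instead of traffic, which is the same loss profile as plain UDP syslog.
    """
    if permit_hostdown(config):
        return []
    return tcp_syslog_hosts(config)


def harden(config):
    """Append `logging permit-hostdown` when a TCP target exists without it."""
    if not syslog_blocking_risk(config):
        return config
    if not config.endswith("\n"):
        config += "\n"
    return config + "logging permit-hostdown\n"


if __name__ == "__main__":
    for name, cfg in (("weak", ASA_WEAK), ("fixed", ASA_FIXED)):
        print(name, "at risk:", syslog_blocking_risk(cfg))
```

Whether the hardened form is the right answer depends on the environment: `permit-hostdown` fails open (traffic passes, logs are silently lost), while the default fails closed, which is what an audit-driven network may actually want. If the strict behaviour is kept, monitor for the 414003 message and make the collector highly available.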
|
Learned something new today. Wildcard masks are not just stupid ways to write subnets in reverse; you can use them to create rules that only look at, say, the last octet of an IP, or even the third, or just look at the 2nd and 3rd. We pushed out an ACL config for SSH restriction that, for whatever reason, did not take properly, and instead spat out two 0.0.0.0 lines, one with a 255.255.255.0 mask and one with a 255.255.0.0 mask, which it happily applied under the vty input. My interpretation of that was "OK, so we need a 0.0.0.x or 0.0.x.x source IP to fix this for the remote sites, how do we do that?" But apparently the real answer was "Those are wildcards, just use any source IP to reach it that ends with .0 or 0.0", and sure enough testing with a 172.16.1.0 address let us right in. Two other folks on my team I asked if they were aware wildcards worked like that; neither of them were aware either. There's 70+ years of network experience between the 3 of us.
|
# ? Dec 2, 2020 22:38 |
|
https://blog.ine.com/2010/11/25/performing-access-list-computation-route-summarization-acl-manager
|
# ? Dec 3, 2020 04:08 |
|
Slickdrac posted:Learned something new today. Wildcard masks are not just stupid ways to write subnets in reverse, you can use them to create rules that only look at say, the last octet of an IP, or even the third, or just look at 2nd and 3rd.

Having flashbacks to the time we had to try to condense seven thousand ACLs that had wildcard masks like 0.4.109.0 thrown in about a quarter of them, thanks.
|
# ? Dec 3, 2020 04:16 |
|
Thankfully capirca does all that optimization for you.
|
# ? Dec 3, 2020 04:28 |
|
Slickdrac posted:Learned something new today. Wildcard masks are not just stupid ways to write subnets in reverse, you can use them to create rules that only look at say, the last octet of an IP, or even the third, or just look at 2nd and 3rd.

They're supposedly exactly for comparative purposes just like this, even in tables in the device when inspecting traffic or matching access lists. The fun part for me are devices that would let you enter something like 10.1.6 and have it turn into 10.1.0.6 or whatever, because IPv4 does have that sort of implied 0 notation that IPv6 has. You can turn your typo into network fun for the whole family.
|
# ? Dec 3, 2020 23:09 |
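The three posts above (the `0.0.0.0 255.255.255.0` vty ACL, the `0.4.109.0` wildcards, and the `10.1.6` shorthand) all come down to how wildcard bits and IPv4 parsers actually work, so here is an added example that checks them in code. It is not from the thread or from any vendor tool: it implements Cisco wildcard-mask semantics (a 1 bit means "don't care"), flags ACL entries whose wildcard is not a plain prefix (which catches both a reversed subnet mask and a scattered pattern like 0.4.109.0), and expands the dotted shorthand the way BSD `inet_aton()` does, which is the convention that turns 10.1.6 into 10.1.0.6. The standard-ACL sample at the bottom is constructed for the example and modelled on the broken vty ACL described in the thread, not copied from any device.

```python
"""Cisco wildcard-mask matching, ACL audit, and IPv4 shorthand expansion.

Added example for this page, not code from the thread. Assumes standard
(numbered) ACL lines of the form `access-list N permit|deny BASE WILDCARD`.
"""
from ipaddress import IPv4Address


def to_int(dotted):
    """Strict dotted-quad to 32-bit int (rejects shorthand such as 10.1.6)."""
    return int(IPv4Address(dotted))


def to_dotted(value):
    return str(IPv4Address(value))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'.

    The address matches when every bit the wildcard cares about (its 0 bits)
    equals the corresponding bit of the base address. So 0.0.0.0 with
    wildcard 255.255.255.0 matches any address whose last octet is 0.
    """
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


def wildcard_is_contiguous(wildcard):
    """True only for wildcards of the form 0...01...1 (the inverse of a prefix mask).

    A reversed subnet mask (255.255.255.0) or a bit pattern (0.4.109.0) fails
    this test: both match scattered address ranges rather than one subnet.
    """
    w = to_int(wildcard)
    return w & (w + 1) == 0


def match_count(wildcard):
    """Number of distinct addresses one entry matches: 2 ** (don't-care bits)."""
    return 1 << bin(to_int(wildcard)).count("1")


def expand_shorthand(text):
    """Expand a.b.c / a.b / a the way BSD inet_aton() does.

    The last component fills all remaining bytes, so '10.1.6' becomes
    10.1.0.6 (not 10.1.6.0). A parser that accepts this turns a typo into a
    different host; a strict parser (IPv4Address above) raises instead.
    """
    parts = [int(p) for p in text.split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(text)
    head, last = parts[:-1], parts[-1]
    last_width = 4 - len(head)  # bytes the final component spans
    if any(not 0 <= p <= 255 for p in head) or not 0 <= last < (1 << (8 * last_width)):
        raise ValueError(text)
    value = 0
    for p in head:
        value = (value << 8) | p
    value = (value << (8 * last_width)) | last
    return to_dotted(value)


# Constructed sample, modelled on the broken vty ACL from the thread.
ACL_SAMPLE = """\
access-list 10 permit 10.20.30.0 0.0.0.255
access-list 10 permit 0.0.0.0 255.255.255.0
access-list 10 permit 0.0.0.0 255.255.0.0
access-list 10 permit 10.0.0.0 0.4.109.0
"""


def audit_standard_acl(config):
    """Return (acl, base, wildcard, match_count) for entries whose wildcard is not a plain prefix."""
    findings = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            continue
        acl, base, wildcard = parts[1], parts[3], parts[4]
        if not wildcard_is_contiguous(wildcard):
            findings.append((acl, base, wildcard, match_count(wildcard)))
    return findings


if __name__ == "__main__":
    for finding in audit_standard_acl(ACL_SAMPLE):
        print("suspicious entry:", finding)
    print(wildcard_match("172.16.1.0", "0.0.0.0", "255.255.255.0"))
    print(expand_shorthand("10.1.6"))
```

The contiguity test is the useful part for a config review: any wildcard for which `w & (w + 1)` is non-zero is either a mask typed in the wrong column or a deliberate bit-pattern match, and both deserve a second look before they land on a vty line.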
|
Partycat posted:The fun part for me are devices that would let you enter something like 10.1.6 and have it turn into 10.1.0.6 or whatever because IPv4 does have that sort of implied 0 notation that IPv6 has. You can turn your type-o into network fun for the whole family.

code:
|
# ? Dec 4, 2020 15:23 |
|
The IT guy at my job is remote; today he asked me if I knew about VPNs, because there is a recurring issue with him not being able to connect. The connection just freezes until he logs into the router and manually restarts PPTP, and then he can reconnect right away. I think the router model is a Cisco v235; it's on my Slack at work, I can check tomorrow. I don't know anything about this, is it a common issue? What questions can I pester the IT guy with to
|
# ? Dec 10, 2020 02:08 |
|
Hopefully webex is fair game for this thread. Does anyone know where one can acquire nbr2mp4.tar? Alternatively, does anyone know whether nbr2convert.exe (or nbr2player.exe or any of the other executables packaged with nbr2player.msi package) can be operated via CLI in order to convert from .arf to .mp4? With a little digging I've done, it appears that nbr2player.exe responds to a '-Convert' option, but I can't figure out the exact syntax. For example, ".\nbr2player.exe foo.arf" opens foo.arf in the player, ".\nbr2player.exe foo.arf -Convert foo.mp4" immediately halts with no error message in a manner distinct from an interpretation failure.
|
# ? Dec 10, 2020 05:30 |
|
Not Wolverine posted:The IT guy at my job is remote, today he asked me if I knew about VPNs, because there is a reoccurring issue with him not being able to connect. The connection just freezes until he logs into the router and manually restarts PPTP, and then he he can reconnect right away. I think the router model is a Cisco v235, it's on my slack at work I can check tomorrow. I don't know anything about this, is it a common issue? What questions can I lester the IT guy with to

the RV325 does indeed natively support PPTP, but PPTP is also very insecure. as for the actual issue, it's Cisco's "small business" line, which is not known for its reliability. services getting crusty after uptime is not shocking. if it were my problem but i was prevented from immediately migrating away from PPTP, i'd make sure it was on the newest recommended firmware release (does this exist for the small business line?), and if that didn't fix it use the support it hopefully has and pass the issue off to Cisco TAC (does this exist for the small business line?).
|
# ? Dec 10, 2020 09:45 |
|
uniball posted:the RV325 does indeed natively support PPTP, but PPTP is also very insecure. as for the actual issue, it's Cisco's "small business" line, which is not known for its reliability. services getting crusty after uptime is not shocking.

*Edit* I checked and found the RV325 is EOL, does that affect Cisco TAC availability? Do you have to pay for TAC?

Not Wolverine fucked around with this message at 15:44 on Dec 10, 2020
# ? Dec 10, 2020 10:59 |
|
Yes you need a smartnet subscription. Honestly I would just see if you can get them to buy a comparable device that isn’t EOL. The one you have appears to go for like $300 so a slightly newer replacement shouldn’t break the bank.
|
# ? Dec 10, 2020 14:38 |
|
Docjowles posted:Yes you need a smartnet subscription. Honestly I would just see if you can get them to buy a comparable device that isn’t EOL. The one you have appears to go for like $300 so a slightly newer replacement shouldn’t break the bank.
|
# ? Dec 10, 2020 15:45 |
|
Not Wolverine posted:I'm not in a position to say "you need a new $300 router" and I also do not use the VPN, I would prefer to have an answer that sounds smarter than "buy a new router" for my remote IT manager. In the meantime, I think I will ask the IT manager about trying to restart PPTP on a routine basis or even a script to reboot the router at midnight until a better solution is found.

"You're getting what you paid for"
|
# ? Dec 10, 2020 17:45 |
|
Trying to figure out how the HA on this Fortigate 300D cluster works on the ISP side. The Cisco 3600X is from the ISP. Are they just using it to split the circuit into two physical links? I can't view the configuration of it at all. On the HP 5500 (LAN) side, isn't port mirroring a very odd way of doing this? I mean I guess it works... We're getting a new ISP and they asked if we want to do a LAG or LACP. They can give us two ports, but they just have one router and not a router + switch. Can't find the Fortinet docs that really say much. Diagram attached, image hosts are blocked.
|
# ? Dec 10, 2020 18:30 |
|
Slickdrac posted:"You're getting what you paid for"

Add "and the bank is on hold, again." to that statement and you have the exact words I want to tell my boss.
|
# ? Dec 10, 2020 19:38 |
|
take_it_slow posted:Hopefully webex is fair game for this thread.

https://web.archive.org/web/20150908182324/https://support.webex.com/supportutilities/nbr2mp4.tar appears to be it. The fact that it no longer exists tells me that it may not be compatible with the file format any longer, but I don't know. That's the same explanation I ran into for the nbrconvert application: it used to have command line arguments but they were "removed", sort of, but not really. That was from 2015. I think the only suite that still does this is Webex Events? They all should support .mp4 recording for the most part now, though the layout and content is a bit of an issue yet I think.
|
# ? Dec 10, 2020 21:24 |
|
Bob Morales posted:Trying to figure out how the HA on this Fortigate 300D cluster works on the ISP side.

I forget if the D line of devices has an HA port, but are you sure they're doing heartbeat through the switch and not actually doing HA with a cable connecting the 2 devices together? Because, yes, that would be weird; typically you'd configure a port on each device (I know newer models have a specific HA port, I THINK Ds might) to act as the HA/heartbeat port.

*edit* is your HA active/active or active/passive?
|
# ? Dec 10, 2020 21:41 |
|
As above, there should be HA links so the firewalls can talk to each other https://docs.fortinet.com/document/fortigate/latest/administration-guide/900885/ha-active-passive-cluster-setup There should also be (logical or physical) switches sat on the WAN and LAN side of the boxes. I would assume the Cisco 3600X is just acting as a switch to provide two links to your firewalls currently, as the router might not have a switch that it can run things through. I'm really not sure why you have a port mirror set up, that seems like it could cause a problem. If you need two ports on the LAN side of things to connect each firewall to then you normally just have them in their own VLAN in a point-to-point subnet and set your routes up accordingly. I've no idea if the 5500 can put a port into L3 interface mode, but that might explain why someone has decided a port mirror (which IIRC has pretty severe performance implications) is the way to fix it.
|
# ? Dec 10, 2020 21:53 |
|
MF_James posted:I forget if the D line of devices has an HA port, but are you sure they're doing heartbeat through the switch and not actually doing HA with a cable connecting the 2 devices together?

Active/passive
|
# ? Dec 10, 2020 22:00 |
|
|
Partycat posted:https://web.archive.org/web/20150908182324/https://support.webex.com/supportutilities/nbr2mp4.tar appears to be it. The fact that it no longer exists tells me that it may not be compatible with the file format any longer, but I don't know. That's the same explanation I ran into for the nbrconvert application: it used to have command line arguments but they were "removed", sort of, but not really. That was from 2015. I think the only suite that still does this is Webex Events? They all should support .mp4 recording for the most part now, though the layout and content is a bit of an issue yet I think.

Thanks for the link. I'm working with .arf files generated between c. 2014-2018 (these are all training presentations; as soon as I got on board I switched to OBS for the recording), so the tool should be able to convert at least some of them, even if the standard has changed since. I appreciate the help.
|
# ? Dec 10, 2020 22:16 |