Collateral Damage
Jun 13, 2009



Cisco wishes you all happy holidays with a well timed gift:

https://twitter.com/jschauma/status/1208039264350543873

Partycat
Oct 25, 2004

Life at last
Salutations from the other side


Plaster Town Cop

One of the Webex Teams bots I subscribe to info through sent that out since it breaks UCCE for IVR/CVP

The bot ends with "Hope this was useful, have a fantastic day!" sent on 12/25.

lmao.

Bigass Moth
Mar 6, 2004

I joined the #RXT REVOLUTION.

he knows...


What bot is that? Do you follow any other useful ones?

Partycat
Oct 25, 2004

Life at last
Salutations from the other side


Plaster Town Cop

Charlie, for contact centers, and Fabian for collaboration, though that one is partner oriented but still gives me some dish.

If there's others on there for other areas I'm not aware of them, but, I think each team can sort of do whatever they want. I think the Anyconnect group was using Facebook for a while for some reason.
Other than that, the customer connection program, the various @puck.nether.net lists, and saved bug searches.

I gather if you go to Live they use a lot of teams spaces, so hopefully there are some I can find there this summer between user groups or product teams.

uhhhhahhhhohahhh
Oct 9, 2012


Cool ASA poo poo: upgraded a 5525X to 9.8(2)35 last week and now the ASDM logs are spammed 30 times a second with ICMP logs that are supposedly coming from the next hop for the management interface - a Nexus 9k - which definitely isn't doing any tracking or icmps to this device.

Prescription Combs
Apr 20, 2005
   6

uhhhhahhhhohahhh posted:

Cool ASA poo poo: upgraded a 5525X to 9.8(2)35 last week and now the ASDM logs are spammed 30 times a second with ICMP logs that are supposedly coming from the next hop for the management interface - a Nexus 9k - which definitely isn't doing any tracking or icmps to this device.

That's pretty old code, might wanna consider something in the 9.12(2) interim train

uhhhhahhhhohahhh
Oct 9, 2012


Prescription Combs posted:

That's pretty old code, might wanna consider something in the 9.12(2) interim train

I'd love to but they won't pay for a support contract here so I've got to make do with what I've got. I've got an ASA cluster on the same version in a different DC that isn't doing the same thing.

Unrelated, but has anyone used/deployed Catena on Nexus switches?

Prescription Combs
Apr 20, 2005
   6

uhhhhahhhhohahhh posted:

I'd love to but they won't pay for a support contract here so I've got to make do with what I've got. I've got an ASA cluster on the same version in a different DC that isn't doing the same thing.

Unrelated, but has anyone used/deployed Catena on Nexus switches?

Well that sucks. Logging config any different between the one spamming vs the cluster?

uhhhhahhhhohahhh
Oct 9, 2012


Prescription Combs posted:

Well that sucks. Logging config any different between the one spamming vs the cluster?

Both the same as far as I can see. The workaround would be to disable those syslog messages but then I'd lose ICMP messages for troubleshooting.

BaseballPCHiker
Jan 16, 2006



This is a dumb question but I am willing to expose my ignorance to the people of SA.

What do people who run ASAs do for URL filtering?

We run ASAs at all of our sites, or a few firepower 2110s in ASA mode. More and more we need to make rules to allow stuff for Azure, AWS, etc which uses URLs instead of static IPs. From my limited poking around I've seen some people mention using RegEx expressions within the ASA and that may be what I end up having to do. We fully plan on switching from Cisco firewalls to Palo Altos come our next refresh, and those appear to allow URL based rules right out of the box. So I really only need to come up with something that will make it the next 2 years.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

BaseballPCHiker posted:

This is a dumb question but I am willing to expose my ignorance to the people of SA.

What do people who run ASAs do for URL filtering?

We run ASAs at all of our sites, or a few firepower 2110s in ASA mode. More and more we need to make rules to allow stuff for Azure, AWS, etc which uses URLs instead of static IPs. From my limited poking around I've seen some people mention using RegEx expressions within the ASA and that may be what I end up having to do. We fully plan on switching from Cisco firewalls to Palo Altos come our next refresh, and those appear to allow URL based rules right out of the box. So I really only need to come up with something that will make it the next 2 years.

Cisco Umbrella. It works amazingly well.

BaseballPCHiker
Jan 16, 2006



GreenNight posted:

Cisco Umbrella. It works amazingly well.

I misspoke or am not understanding. Not really URL filtering that I need but rules based on URLs instead of IPs.

Like allow from this URL to this host in DMZ based on these ports, etc, etc.

Although we are supposed to get a year of umbrella free coming up through our VAR so if it's something I can leverage to accomplish this then that would be great.

Sepist
Dec 25, 2005

FUCK BITCHES, ROUTE PACKETS


Gravy Boat 2k

If you're using the ASA without FirePower you would have to use regex strings attached to a class-map attached to a policy-map

Thanks Ants
May 21, 2004

Bless You Ants, Blants



Fun Shoe

Could you do filtering by URL on traffic coming *from* Azure, though? If you had a reverse DNS you could match on then you'd also have a static IP address and could just use that in your rule, perhaps I'm missing something.

Maybe look at ExpressRoute?

BaseballPCHiker
Jan 16, 2006



Thanks Ants posted:

Could you do filtering by URL on traffic coming *from* Azure, though? If you had a reverse DNS you could match on then you'd also have a static IP address and could just use that in your rule, perhaps I'm missing something.

Maybe look at ExpressRoute?

The issue, as I understand it, is that traffic coming from Azure/AWS can be a huge range of IPs. Whichever cloud vendor we're working with that's using Azure/AWS can move their service to different regions or have different source IPs on any given day as they make changes to their environment. So if we do a DNS lookup and get an IP to base a firewall rule off of, that same vendor could have a different IP the next day.

Maybe something like Express Route of AWS DirectConnect would work though depending on the cost.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE


This looks like it sucks but it does give their IP ranges and you can subscribe to a list to get changes.

https://docs.aws.amazon.com/general...-ip-ranges.html
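As an added illustration of the approach MF_James links to (this is example code written for this page, not anything from the thread or from AWS), the script below reads a document in the shape of the published ip-ranges.json, pulls out the prefixes for the services and regions you care about, renders them as an ASA `object-group network`, and diffs two snapshots so a scheduled run can tell you what changed. The JSON embedded here is constructed from documentation ranges and the prefixes and tokens are made up; the field names (`prefixes`, `ip_prefix`, `region`, `service`, `syncToken`) follow the published schema.

```python
import ipaddress
import json
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample in the shape of the AWS ip-ranges.json document.
# The prefixes are RFC 5737 / RFC 3849 documentation ranges, not real AWS space.
SAMPLE_JSON = json.dumps({
    "syncToken": "1577836800",
    "createDate": "2020-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON",
         "network_border_group": "us-east-1"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2",
         "network_border_group": "us-east-1"},
        {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "S3",
         "network_border_group": "us-east-1"},
        {"ip_prefix": "203.0.113.0/26", "region": "eu-west-1", "service": "EC2",
         "network_border_group": "eu-west-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "us-east-1", "service": "EC2",
         "network_border_group": "us-east-1"},
    ],
})


def load_ranges(text: str) -> Dict:
    """Parse the ip-ranges document (fetched separately; here the constructed sample)."""
    return json.loads(text)


def select_prefixes(doc: Dict, services: Iterable[str],
                    regions: Optional[Set[str]] = None) -> List[str]:
    """Return the de-duplicated IPv4 prefixes for the given services (and regions, if set).

    The same prefix often appears under both AMAZON and a specific service, so a set
    is used before sorting by network address.
    """
    wanted = {s.upper() for s in services}
    found: Set[str] = set()
    for entry in doc.get("prefixes", []):
        if entry["service"] not in wanted:
            continue
        if regions is not None and entry["region"] not in regions:
            continue
        found.add(entry["ip_prefix"])
    return sorted(found, key=ipaddress.ip_network)


def asa_object_group(name: str, prefixes: Iterable[str]) -> str:
    """Render prefixes as an ASA object-group so one rule can reference the whole set."""
    lines = [f"object-group network {name}"]
    for prefix in prefixes:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 32:
            lines.append(f" network-object host {net.network_address}")
        else:
            lines.append(f" network-object {net.network_address} {net.netmask}")
    return "\n".join(lines)


def diff_prefixes(old: Iterable[str], new: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (added, removed) between two snapshots, for a change-notification run."""
    old_set, new_set = set(old), set(new)
    return sorted(new_set - old_set), sorted(old_set - new_set)


if __name__ == "__main__":
    doc = load_ranges(SAMPLE_JSON)
    current = select_prefixes(doc, ["EC2", "S3"], regions={"us-east-1"})
    print(asa_object_group("AWS_EC2_S3_USE1", current))
    # Pretend the previous run only knew the first prefix, to show the diff output.
    added, removed = diff_prefixes(["192.0.2.0/24"], current)
    print("added:", added, "removed:", removed)
```

In a real run you would fetch the document, store the `syncToken` alongside the rendered object-group, and only push a new object-group (or alert) when the diff is non-empty; the AMAZON service entries are a superset of the others, so filter on the specific service you actually need to reach.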

Prescription Combs
Apr 20, 2005
   6

e: n/m

Pile Of Garbage
May 28, 2007





BaseballPCHiker posted:

This is a dumb question but I am willing to expose my ignorance to the people of SA.

What do people who run ASAs do for URL filtering?

We run ASAs at all of our sites, or a few firepower 2110s in ASA mode. More and more we need to make rules to allow stuff for Azure, AWS, etc which uses URLs instead of static IPs. From my limited poking around I've seen some people mention using RegEx expressions within the ASA and that may be what I end up having to do. We fully plan on switching from Cisco firewalls to Palo Altos come our next refresh, and those appear to allow URL based rules right out of the box. So I really only need to come up with something that will make it the next 2 years.

Do all of your sites breakout internet locally or is everything routed back to a central network via VPN/MPLS? Also what kind of traffic are you having to whitelist and why (e.g. are you just implicitly denying all and allowing as required)?

DropsySufferer
Nov 9, 2008

Impractical practicality


I'm looking to add a very simple script to a cisco switch at work. I did some basic googling and apparently I need to learn about TCL unless there are other suggestions? I'm looking for a basic tutorial on it. I don't want to fully learn to program advanced scripts. I just want to learn the basics for now.

This is all I want to do:

ping 10.1.1.1
sh ip route 10.1.1.1

ping 10.1.1.2
sh ip route 10.1.1.2
.....
ping 10.1.1.8
sh ip route 10.1.1.8

This should be easy to learn and implement?

tortilla_chip
Jun 13, 2007

k-partite

Depends on the flavor of Cisco device. Modern stuff supports native python/bash/lxc

For older gear EEM or TCL

Docjowles
Apr 9, 2009



Yeah... I would encourage you to not learn TCL unless it's literally the only available option, as it is terrible.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010


DropsySufferer posted:

I'm looking to add a very simple script to a cisco switch at work. I did some basic googling and apparently I need to learn about TCL unless there are other suggestions? I'm looking for a basic tutorial on it. I don't want to fully learn to program advanced scripts. I just want to learn the basics for now.

This is all I want to do:

ping 10.1.1.1
sh ip route 10.1.1.1

ping 10.1.1.2
sh ip route 10.1.1.2
.....
ping 10.1.1.8
sh ip route 10.1.1.8

This should be easy to learn and implement?

Is this supposed to accomplish something or keep something working? You could look for some Looking Glass proxy cgi script thing to issue such commands via an http get url, and just cron that from a remote server too. Or cron some python script using NAPALM.

DropsySufferer
Nov 9, 2008

Impractical practicality


falz posted:

Is this supposed to accomplish something or keep something working? You could look for some Looking Glass proxy cgi script thing to issue such commands via an http get url, and just cron that from a remote server too. Or cron some python script using NAPALM.

The point is to check if APs are connected to a vlan or not. I do this manually right now.
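An added example (not DropsySufferer's script, and not from any of the replies) of the Python route tortilla_chip and falz point at: instead of eyeballing `ping` and `show ip route` output for each AP address, run the two commands per host through whatever transport you have (the switch's own Python, or a remote script over SSH) and parse the result into a pass/fail per AP. The command output embedded below is constructed to look like IOS output; the `run_command` callable is a stub you replace with your real transport, and the expected VLAN interface name is an assumption for the example.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed sample output, modelled on IOS "ping <host>" and "show ip route <host>".
# Host .1 is up and routed via Vlan10, .2 has a route but does not answer,
# .3 answers but has no route entry at all.
_CONNECTED_ROUTE = (
    "Routing entry for 10.1.1.0/24\n"
    '  Known via "connected", distance 0, metric 0 (connected, via interface)\n'
    "  Routing Descriptor Blocks:\n"
    "  * directly connected, via Vlan10\n"
    "      Route metric is 0, traffic share count is 1\n"
)
_PING_OK = (
    "Type escape sequence to abort.\n"
    "Sending 5, 100-byte ICMP Echos to {host}, timeout is 2 seconds:\n"
    "!!!!!\n"
    "Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms\n"
)
_PING_FAIL = (
    "Type escape sequence to abort.\n"
    "Sending 5, 100-byte ICMP Echos to {host}, timeout is 2 seconds:\n"
    ".....\n"
    "Success rate is 0 percent (0/5)\n"
)
SAMPLE_OUTPUT: Dict[str, str] = {
    "ping 10.1.1.1": _PING_OK.format(host="10.1.1.1"),
    "show ip route 10.1.1.1": _CONNECTED_ROUTE,
    "ping 10.1.1.2": _PING_FAIL.format(host="10.1.1.2"),
    "show ip route 10.1.1.2": _CONNECTED_ROUTE,
    "ping 10.1.1.3": _PING_OK.format(host="10.1.1.3"),
    "show ip route 10.1.1.3": "% Network not in table\n",
}

PING_RE = re.compile(r"Success rate is \d+ percent \((\d+)/(\d+)\)")


def parse_ping(output: str) -> float:
    """Return the echo success rate from IOS ping output as a fraction 0.0-1.0."""
    match = PING_RE.search(output)
    if not match:
        raise ValueError("unrecognised ping output")
    return int(match.group(1)) / int(match.group(2))


def parse_route_interface(output: str) -> Optional[str]:
    """Return the egress interface from 'show ip route <host>', or None if no route."""
    if "not in table" in output:
        return None
    for line in output.splitlines():
        line = line.strip().lstrip("* ")
        if line.startswith("directly connected, via "):
            return line.split("via ", 1)[1].rstrip(",")
        # Non-connected routes list a next hop first: "10.0.0.1, via GigabitEthernet0/1"
        match = re.match(r"[\d.]+, via (\S+)", line)
        if match:
            return match.group(1)
    return None


def check_aps(hosts: List[str], expected_interface: str,
              run_command: Callable[[str], str]) -> Dict[str, Dict]:
    """For each AP address, ping it and confirm its route lands on the expected VLAN SVI."""
    results: Dict[str, Dict] = {}
    for host in hosts:
        rate = parse_ping(run_command(f"ping {host}"))
        iface = parse_route_interface(run_command(f"show ip route {host}"))
        results[host] = {
            "reachable": rate > 0,
            "interface": iface,
            "on_expected_vlan": iface == expected_interface,
        }
    return results


def sample_runner(command: str) -> str:
    """Stub transport: answers from the constructed sample instead of a real switch."""
    return SAMPLE_OUTPUT[command]


if __name__ == "__main__":
    # Assumed: the APs should sit on Vlan10. Extend the host list to .8 as in the post.
    for host, result in check_aps(["10.1.1.1", "10.1.1.2", "10.1.1.3"],
                                  "Vlan10", sample_runner).items():
        status = "OK" if result["reachable"] and result["on_expected_vlan"] else "CHECK"
        print(f"{host}: {status} {result}")
```

The split between parsing and transport is deliberate: the parsers can be unit-tested against captured output, and the `run_command` stub swaps for a real session without touching the logic. A ping that fails while the route still points at the expected VLAN usually means the AP itself is down or unplugged; a missing route means the SVI or the address plan is wrong.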

Partycat
Oct 25, 2004

Life at last
Salutations from the other side


Plaster Town Cop

Docjowles posted:

Yeah... I would encourage you to not learn TCL unless it's literally the only available option, as it is terrible.

I am looking at writing a voice forking Tcl script, and I had to reach out to Cisco to get the verb guide from 2005 they "accidentally" pulled from their website.

That should tell you what you need to know about anything more than basic Tcl.

BaseballPCHiker
Jan 16, 2006



Sepist posted:

If you're using the ASA without FirePower you would have to use regex strings attached to a class-map attached to a policy-map

Ended up going this route for now. It does what we need it to do. Thanks for the tip.

Prescription Combs
Apr 20, 2005
   6

Long shot but anyone have any experience with adtran ONTs? Trying to figure out wtf mine keeps shutting off the ethernet port after handshaking with the gateway. Waiting for my ISP to get back to me in the meantime.

Kazinsal
Dec 13, 2011



Upgraded our ISR 4Ks from 16.6 to 16.9 finally. I wanted to double-check that the crypto limiter was now 250 Mbps without hseck9 as expected over the previous 85 Mbps aaaaaaaand they removed the crypto limiter status output from show platform software cerm-information.

I wonder if I should even bother filing a bug report for this.

less than three
Aug 9, 2007




Fallen Rib

Kazinsal posted:

Upgraded our ISR 4Ks from 16.6 to 16.9 finally. I wanted to double-check that the crypto limiter was now 250 Mbps without hseck9 as expected over the previous 85 Mbps aaaaaaaand they removed the crypto limiter status output from show platform software cerm-information.

I wonder if I should even bother filing a bug report for this.

Do it, though they likely won't be able to figure out if it was intentional or not.

Pile Of Garbage
May 28, 2007





Prescription Combs posted:

Long shot but anyone have any experience with adtran ONTs? Trying to figure out wtf mine keeps shutting off the ethernet port after handshaking with the gateway. Waiting for my ISP to get back to me in the meantime.

Just a guess, some of the ones I've seen can't negotiate speed/duplex so you need to set it to 100/Full instead of auto on your side.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

So today we have DMVPN + PFRv2. We're looking at Meraki MX250. I know jack poo poo about this stuff, would going that route make that big of a difference?

less than three
Aug 9, 2007




Fallen Rib

The MXs aren't really routing devices so if you're using OSPF or BGP to your providers to provide routes it's a painful cutover if you have a lot of sites, it needs to be all MX or bust.

Building greenfield we would have gone MX, but we'd have to do 250 so we stuck with ASR/ISR4K and DMVPN.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

We have 3 sites, so not a burden.

Prescription Combs
Apr 20, 2005
   6

Pile Of Garbage posted:

Just a guess, some of the ones I've seen can't negotiate speed/duplex so you need to set it to 100/Full instead of auto on your side.

Not sure what the actual issue was but they ended up reprovisioning my account and that fixed it.

less than three
Aug 9, 2007




Fallen Rib

GreenNight posted:

We have 3 sites, so not a burden.

If you're not using ZBF on your current devices, I'd say go for it. Doing everything from the portal is so nice.

They hand out trial gear like candy, so you can get some and see if it works for you.

Pile Of Garbage
May 28, 2007





Prescription Combs posted:

Not sure what the actual issue was but they ended up reprovisioning my account and that fixed it.

Typical telco voodoo

Actuarial Fables
Jul 29, 2014



Taco Defender

I have more questions about SFP+, specifically DACs.

Do Direct Attach Cables have the same vendor lockout that transceivers have? If I were to plug in a HPE x242 DAC (J9286B) to an Intel X520-DA1, would the intel adapter get upset?

Kazinsal
Dec 13, 2011



Depends on the vendor. I know Intel gets upset about optic firmware but I believe the X520 doesn't care about DAC firmware.

If you reaaaaaaally want to get tricky with it, you can use ethtool to set the IXGBE_DEVICE_CAPS_ALLOW_ANY_SFP bit in the IXGBE_DEVICE_CAPS field of the card's EEPROM.

e: There is apparently now an allow_unsupported_sfp parameter for the ixgbe driver module on Linux and FreeBSD.

Kazinsal fucked around with this message at 18:18 on Jan 27, 2020

Thanks Ants
May 21, 2004

Bless You Ants, Blants



Fun Shoe

I've not seen NICs get upset about DAC cables. I'm pretty sure FS will do you one with a different vendor code flashed into each end though if you need it.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010


Yes DAC are vendor coded as well and it depends on the device on the receiving end to get angry or not.

Hell some newer Juniper hardware (mx204, qfx10k) didn't support DAC at all until Junos 18.

less than three
Aug 9, 2007




Fallen Rib

Cisco DAC cables from our switches to HP servers were a crapshoot depending on the model and firmware
