Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.


I'll empty quote it on my boat too... Mods ban me if I don't have a boat by 2027


Pile Of Garbage
May 28, 2007





If your application can saturate multi-gig links your prototype using EOL hardware won't be capable of satisfying anything beyond a ping test. Cancel the boat payments, IMO.

Nuclearmonkee
Jun 10, 2009




Pile Of Garbage posted:

If your application can saturate multi-gig links your prototype using EOL hardware won't be capable of satisfying anything beyond a ping test. Cancel the boat payments, IMO.

Those are still perfectly good switches I’ll still be using them until they go EOS!

I’d be more dubious on old compute and storage, particularly storage being able to keep up. Older stuff is going to bottleneck on IOPS long before your 20 gigabit port channels max out.

Hirez
Feb 3, 2003

Weber scored 49 points?



I just started at a new company, and the bulk of our clients are on cisco meraki's (or switching over) and oh my they are so easy mode

I do find myself looking around looking for options whereas I know the IOS way... I haven't used them much, did some firewall rules/VLANs/site-to-site VPNs etc, and it feels like anyone off the streets could do it if they know how to google. That said, am I just on cloud9 about it because I'm so used to every loving enterprise network device from my old jobs (F5's, Sonicwalls, etc etc - Palo Alto's were actually pretty decent I'll admit) - are Merakis really as good as they seem? or are there glaring problems etc that I just haven't encountered (due to not using it much yet)

less than three
Aug 9, 2007





Fallen Rib

What Meraki gear can do, it does well. If you want to do something out of its feature set, you're SOL. A lot less flexible/customizable than IOS.
The logging also leaves something to be desired when you want to figure out why something isn't working properly.

Kazinsal
Dec 13, 2011






If you have to call their support ever you should probably pour yourself a drink.

I had to call them this week and I had to wait 50 minutes on hold to get a human. They hung up on me after the first 20 minutes on hold and I had to wait another 30. By the time I actually was working with an engineer, the issue had been found to be an issue with Azure's routing and was resolved by Azure's staff.

Hirez
Feb 3, 2003

Weber scored 49 points?



thanks, sounds good, all of our clients are Vet Clinics (and a few animal hospitals) so there really shouldn't be any really complicated setups (whereas before I worked at eHealth and Telus); ie. my manager was amazed I was able to block a VLAN to all other VLANs so it only had access to the internet (via firewall rules).

It seems like all the sites with Sonicwalls are getting remediated over to meraki's because they work so well for all our clients with it (150+).

And yea, my coworker was trying to get a hold of Meraki support for like 3 hours because upgrading from an MX66 to 68 or whatever was giving some call Meraki error

less than three
Aug 9, 2007





Fallen Rib

They also don't have a toll free support number, which always peeves me a bit calling from Canada.

Pile Of Garbage
May 28, 2007





Do Meraki's all run in CAPWAP tunnel mode or do they also have an equivalent of FlexConnect local-auth/local-breakout available?

Thanks Ants
May 21, 2004

Bless You Ants, Blants



The APs dump traffic onto the local network unless you have a security appliance in your org. and then you get the option to build an L3 tunnel and break out centrally.

The security appliances are poo poo, the switches are overpriced. But if their features line up exactly with what you need there's nothing better.

Pile Of Garbage
May 28, 2007





IMO Meraki is just a product line that allows Cisco to get their foot in the door of SMB customers. Once a customer buys into it and decides that they want to do anything more complicated than access switching they'll be buying 3850s, 5510s or...Firepowers...

It's probably not as cheap but if you're dealing with a large number of small/medium branches then Fortinet FortiWiFi devices or FortiGate + FortiAP are great. A FortiGate firewall has the same features as a Cisco ISR+ASA+WLC out-of-the-box. Also the UI on Fortinet devices is simply wonderful to use (Backed by a robust CLI ofc).

Now I sound like a Fortinet shill. This has been an unpaid message from the guy who loves Fortinet so much he uses that poo poo at home.

Nuclearmonkee
Jun 10, 2009




Pile Of Garbage posted:

IMO Meraki is just a product line that allows Cisco to get their foot in the door of SMB customers. Once a customer buys into it and decides that they want to do anything more complicated than access switching they'll be buying 3850s, 5510s or...Firepowers...

Stay as far away from ASA and firepower as you can. I’m so glad I got to retire those pieces of poo poo. Put in Palo Alto’s or fortinets

Pile Of Garbage
May 28, 2007





ASAs are fine if you just need to do simple L3/4 ACLs, anything beyond that and it's best to defer to a proper NGFW. I've luckily never used Firepower but I've heard some real horror-stories. From a colleague:

quote:

one reddit article i read by one guy said "he hopes the guys who built it to be pallbearers at his funeral so they can let him down one more time"

Methanar
Sep 26, 2013
ASK ME ABOUT NOT TIPPING DELIVERY DRIVERS, OR ABOUT MY DIET OF CANNED BABY CORN AND CHICKEN NUGGETS

ASAs are trash

Moey
Oct 22, 2010

I LIKE TO MOVE IT


I am planning on replacing all of our Meraki access layer switching + APs with FortiThings in early 2021.

uhhhhahhhhohahhh
Oct 9, 2012


I have to look after a cluster of 5525Xs and they're such loving garbage. It just inexplicably stops forwarding traffic if one specific firewall becomes the master, but it works fine when it's not. Also gently caress ASDM forever.

Jedi425
Dec 6, 2002

THOU ART THEE ART THOU STICK YOUR HAND IN THE TV DO IT DO IT DO IT



uhhhhahhhhohahhh posted:

I have to look after a cluster of 5525Xs and they're such loving garbage. It just inexplicably stops forwarding traffic if one specific firewall becomes the master, but it works fine when it's not. Also gently caress ASDM forever.

Check the syslog settings. Are you forwarding syslog to a TCP port? If the host is unreachable, the ASA stops forwarding. Could be you have some kind of issue reaching it from one and not the others?

Kazinsal
Dec 13, 2011






I think the only reason I would use an ASA or a FirePower running ASA code over a more competent firewall is if I needed to handle a few tens of gigabits of L3/L4 traffic and needed to programmatically change non-persistent firewall rules in a dumb and quick manner via clogin or something like that.

uhhhhahhhhohahhh posted:

I have to look after a cluster of 5525Xs and they're such loving garbage. It just inexplicably stops forwarding traffic if one specific firewall becomes the master, but it works fine when it's not. Also gently caress ASDM forever.

Haaaaaaaave you considered opening a TAC case

uhhhhahhhhohahhh
Oct 9, 2012


Jedi425 posted:

Check the syslog settings. Are you forwarding syslog to a TCP port? If the host is unreachable, the ASA stops forwarding. Could be you have some kind of issue reaching it from one and not the others?

Syslog is UDP and it's done over the OOB management, so it's always reachable. We also only recently got a SIEM anyway and it was happening before.

Kazinsal posted:

I think the only reason I would use an ASA or a FirePower running ASA code over a more competent firewall is if I needed to handle a few tens of gigabits of L3/L4 traffic and needed to programmatically change non-persistent firewall rules in a dumb and quick manner via clogin or something like that.


Haaaaaaaave you considered opening a TAC case

All the documentation for clustering on ASAs is filled with notes saying TAC don't support this configuration at all. My boss wanted it this way for zero reason, we gain nothing doing it this way over a HA pair because our internet connections are 1gig and we can't active/active them either. He knows that because he was on all the same phone calls as me with our ISP saying we couldn't do that, but acts surprised 1+ years later when it's ever mentioned they aren't active/active or I have to correct him on a phone call.

Also, the audacity on you to assume we pay for TAC, or even software updates, on our edge firewall.

Jedi425
Dec 6, 2002

THOU ART THEE ART THOU STICK YOUR HAND IN THE TV DO IT DO IT DO IT



uhhhhahhhhohahhh posted:

Syslog is UDP and it's done over the OOB management, so it's always reachable. We also only recently got a SIEM anyway and it was happening before.


All the documentation for clustering on ASAs is filled with notes saying TAC don't support this configuration at all. My boss wanted it this way for zero reason, we gain nothing doing it this way over a HA pair because our internet connections are 1gig and we can't active/active them either. He knows that because he was on all the same phone calls as me with our ISP saying we couldn't do that, but acts surprised 1+ years later when it's ever mentioned they aren't active/active or I have to correct him on a phone call.

Also, the audacity on you to assume we pay for TAC, or even software updates, on our edge firewall.

Sorry for your loss, I guess. I only mention the syslog thing because it's caused massive production network failures at two jobs in a row.
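The syslog failure mode Jedi425 describes, as an added example (Python, not code from the thread): a check that pulls the `logging host` lines out of an ASA config and reports each TCP syslog collector when the global `logging permit-hostdown` is absent, which is the default state in which the ASA stops building new connections through itself while it cannot reach the TCP collector. UDP collectors never trigger that behaviour, which is why the "syslog is UDP" answer above rules it out. The config text, addresses and interface names are constructed for the example.

```python
"""Audit an ASA config for TCP syslog hosts without `logging permit-hostdown`.

Added example, not from the thread. Behaviour it checks for: by default an ASA
sending syslog over TCP refuses to build new connections through itself while
the TCP collector is unreachable; `logging permit-hostdown` turns that off, and
UDP collectors never trigger it. The config text below is constructed.
"""
import re
from typing import List, NamedTuple


class LoggingHost(NamedTuple):
    interface: str
    address: str
    protocol: str  # "tcp" or "udp"
    port: int


# "logging host <ifc> <ip> [tcp|udp|6|17]/<port>"; no protocol means udp/514.
_HOST_RE = re.compile(
    r"^logging\s+host\s+(?P<ifc>\S+)\s+(?P<ip>\S+)"
    r"(?:\s+(?P<proto>tcp|udp|6|17)/(?P<port>\d+))?",
    re.IGNORECASE,
)
_PROTO_NAMES = {"6": "tcp", "17": "udp", "tcp": "tcp", "udp": "udp"}
_DEFAULT_PORT = {"tcp": 1470, "udp": 514}


def parse_logging_hosts(config: str) -> List[LoggingHost]:
    """Collect every syslog collector the config sends to."""
    hosts = []
    for line in config.splitlines():
        m = _HOST_RE.match(line.strip())
        if not m:
            continue
        proto = _PROTO_NAMES[(m.group("proto") or "udp").lower()]
        port = int(m.group("port")) if m.group("port") else _DEFAULT_PORT[proto]
        hosts.append(LoggingHost(m.group("ifc"), m.group("ip"), proto, port))
    return hosts


def permits_hostdown(config: str) -> bool:
    """True if the config carries the global `logging permit-hostdown`."""
    return any(re.fullmatch(r"logging\s+permit-hostdown", line.strip(), re.IGNORECASE)
               for line in config.splitlines())


def tcp_syslog_findings(config: str) -> List[str]:
    """One finding per TCP collector whose outage would make this ASA refuse new connections."""
    if permits_hostdown(config):
        return []
    return [
        f"{h.address} tcp/{h.port} on {h.interface}: new connections refused while this collector is down"
        for h in parse_logging_hosts(config)
        if h.protocol == "tcp"
    ]


# Constructed: a TCP collector on the inside, a UDP one on the management interface.
WEAK_CONFIG = """\
logging enable
logging trap informational
logging host inside 10.0.10.5 tcp/1470
logging host management 10.0.10.6
"""
# Same collectors, but the ASA keeps forwarding if the TCP one goes away.
FIXED_CONFIG = WEAK_CONFIG + "logging permit-hostdown\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, tcp_syslog_findings(cfg) or ["ok"])
```

Run it against `show running-config | include logging` output. Either fix is acceptable: keep TCP (it is the only way to know a message was actually delivered) and add `logging permit-hostdown`, or move the collector to UDP and accept silent loss; what you do not want is the default TCP behaviour on an edge box that nobody knew about.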

Slickdrac
Oct 5, 2007

Keeper of the Secret


Learned something new today. Wildcard masks are not just stupid ways to write subnets in reverse, you can use them to create rules that only look at say, the last octet of an IP, or even the third, or just look at 2nd and 3rd.

We pushed out an ACL config for SSH restriction that for whatever reason, did not take properly, and instead spit out two 0.0.0.0 lines, one with a 255.255.255.0 mask, and one with a 255.255.0.0 mask, which it happily applied under the vty input. My interpretation of that was "ok so we need a 0.0.0.x or 0.0.x.x source IP to fix this for the remote sites, how do we do that?" But apparently the real answer was "Those are wildcards, just use any source IP to reach it that ends with .0 or 0.0" and sure enough testing with a 172.16.1.0 address let us right in.

Two other folks on my team I asked if they were aware wildcards worked like that, neither of them were aware either. There's 70+ years network experience between the 3 of us

tortilla_chip
Jun 13, 2007

k-partite

https://blog.ine.com/2010/11/25/performing-access-list-computation-route-summarization-acl-manager

Kazinsal
Dec 13, 2011






Slickdrac posted:

Learned something new today. Wildcard masks are not just stupid ways to write subnets in reverse, you can use them to create rules that only look at say, the last octet of an IP, or even the third, or just look at 2nd and 3rd.

We pushed out an ACL config for SSH restriction that for whatever reason, did not take properly, and instead spit out two 0.0.0.0 lines, one with a 255.255.255.0 mask, and one with a 255.255.0.0 mask, which it happily applied under the vty input. My interpretation of that was "ok so we need a 0.0.0.x or 0.0.x.x source IP to fix this for the remote sites, how do we do that?" But apparently the real answer was "Those are wildcards, just use any source IP to reach it that ends with .0 or 0.0" and sure enough testing with a 172.16.1.0 address let us right in.

Two other folks on my team I asked if they were aware wildcards worked like that, neither of them were aware either. There's 70+ years network experience between the 3 of us

Having flashbacks to the time we had to try to condense seven thousand ACLs that had wildcard masks like 0.4.109.0 thrown in about a quarter of them, thanks.
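A worked example of the wildcard behaviour in Slickdrac's and Kazinsal's posts above, added here and not code from the thread. It matches addresses against IOS-style `base wildcard` entries bit by bit, shows why `0.0.0.0 255.255.255.0` lets in any source ending in .0, enumerates what a non-contiguous wildcard like 0.4.109.0 actually covers, and parses a constructed standard-ACL snippet (not the real config from the post; the ACL number and addresses are made up) to flag every entry whose wildcard is not a plain subnet.

```python
"""IOS-style wildcard masks: how an entry matches, and an audit for non-subnet wildcards.

Added example; the config snippet is constructed, not the one from the post.
"""
import ipaddress
import re
from typing import Iterator, List, NamedTuple

MASK32 = 0xFFFFFFFF


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_matches(address: str, base: str, wildcard: str) -> bool:
    """True if `address` matches `base wildcard` as an IOS ACL entry would.

    A 0 bit in the wildcard means "must equal the base", a 1 bit means "don't care".
    Nothing requires the 1 bits to be contiguous, so any bit pattern is a legal entry.
    """
    care = ~_to_int(wildcard) & MASK32
    return (_to_int(address) & care) == (_to_int(base) & care)


def wildcard_is_subnet(wildcard: str) -> bool:
    """True only for wildcards of the form 0...01...1, i.e. the inverse of a prefix mask.

    255.255.255.0 is legal but is NOT /24: it ignores the first three octets and
    pins only the last one to the base, which is the pitfall in the post above.
    """
    w = _to_int(wildcard)
    return (w & (w + 1)) == 0


def match_count(wildcard: str) -> int:
    """How many addresses an entry with this wildcard matches: 2 ** (number of 1 bits)."""
    return 1 << bin(_to_int(wildcard)).count("1")


def expand(base: str, wildcard: str, limit: int = 4096) -> Iterator[str]:
    """Enumerate every address the entry matches (refuses sets larger than `limit`)."""
    if match_count(wildcard) > limit:
        raise ValueError(f"{base} {wildcard} matches {match_count(wildcard)} addresses")
    b, w = _to_int(base), _to_int(wildcard)
    free_bits = [i for i in range(32) if (w >> i) & 1]
    fixed = b & ~w & MASK32
    for n in range(1 << len(free_bits)):
        value = fixed
        for k, bit in enumerate(free_bits):
            if (n >> k) & 1:
                value |= 1 << bit
        yield str(ipaddress.IPv4Address(value))


class AclEntry(NamedTuple):
    acl: str
    action: str
    base: str
    wildcard: str
    is_subnet: bool
    matches: int


# Standard ACL source forms: "any", "host A", bare "A" (implicit host), or "A W".
_ACL_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+(?P<action>permit|deny)\s+"
    r"(?:(?P<any>any)|host\s+(?P<host>\S+)"
    r"|(?P<base>\d+\.\d+\.\d+\.\d+)(?:\s+(?P<wild>\d+\.\d+\.\d+\.\d+))?)\s*$"
)


def audit_standard_acls(config: str) -> List[AclEntry]:
    """Parse standard access-list lines and flag wildcards that are not plain subnets."""
    entries = []
    for line in config.splitlines():
        m = _ACL_RE.match(line.strip())
        if not m:
            continue
        if m.group("any"):
            base, wild = "0.0.0.0", "255.255.255.255"
        elif m.group("host"):
            base, wild = m.group("host"), "0.0.0.0"
        else:
            base, wild = m.group("base"), m.group("wild") or "0.0.0.0"
        entries.append(AclEntry(m.group("acl"), m.group("action"), base, wild,
                                wildcard_is_subnet(wild), match_count(wild)))
    return entries


# Constructed snippet: the intended /24 plus the two lines the post describes ending up on the vty.
SAMPLE_CONFIG = """\
access-list 10 permit 10.20.30.0 0.0.0.255
access-list 10 permit 0.0.0.0 255.255.255.0
access-list 10 permit 0.0.0.0 255.255.0.0
line vty 0 4
 access-class 10 in
"""

if __name__ == "__main__":
    for e in audit_standard_acls(SAMPLE_CONFIG):
        note = "" if e.is_subnet else "   <-- not a subnet, only the 0-bit octets are checked"
        print(f"{e.acl} {e.action} {e.base} {e.wildcard}: {e.matches} addresses{note}")
    print(wildcard_matches("172.16.1.0", "0.0.0.0", "255.255.255.0"))  # True: source ends in .0
    print(len(list(expand("10.0.0.0", "0.4.109.0"))))  # 64
```

The second and third sample lines together admit 16.8 million plus 65 thousand source addresses to the vty, which is why the team could log in from 172.16.1.0. Running the audit over `show access-lists` output before pushing anything to `access-class` catches that class of mistake; a wildcard with any 1 bit to the left of a 0 bit should be explained or rejected.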

tortilla_chip
Jun 13, 2007

k-partite

Thankfully capirca does all that optimization for you.

Partycat
Oct 25, 2004

Life at last
Salutations from the other side


Plaster Town Cop

Slickdrac posted:

Learned something new today. Wildcard masks are not just stupid ways to write subnets in reverse, you can use them to create rules that only look at say, the last octet of an IP, or even the third, or just look at 2nd and 3rd.

We pushed out an ACL config for SSH restriction that for whatever reason, did not take properly, and instead spit out two 0.0.0.0 lines, one with a 255.255.255.0 mask, and one with a 255.255.0.0 mask, which it happily applied under the vty input. My interpretation of that was "ok so we need a 0.0.0.x or 0.0.x.x source IP to fix this for the remote sites, how do we do that?" But apparently the real answer was "Those are wildcards, just use any source IP to reach it that ends with .0 or 0.0" and sure enough testing with a 172.16.1.0 address let us right in.

Two other folks on my team I asked if they were aware wildcards worked like that, neither of them were aware either. There's 70+ years network experience between the 3 of us

They're supposedly exactly for comparative purposes just like this, even in tables in the device when inspecting traffic or matching access lists.

The fun part for me are devices that would let you enter something like 10.1.6 and have it turn into 10.1.0.6 or whatever because IPv4 does have that sort of implied 0 notation that IPv6 has. You can turn your typo into network fun for the whole family.

wolrah
May 8, 2006
what?


Partycat posted:

The fun part for me are devices that would let you enter something like 10.1.6 and have it turn into 10.1.0.6 or whatever because IPv4 does have that sort of implied 0 notation that IPv6 has. You can turn your typo into network fun for the whole family.
I knew about the octal, decimal, and hex notations but didn't realize v4 did zero expansion as well.


code:
PS C:\Users\wolrah> ping 10.10

Pinging 10.0.0.10 with 32 bytes of data:
Reply from 10.0.0.10: bytes=32 time<1ms TTL=64
Reply from 10.0.0.10: bytes=32 time<1ms TTL=64
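The expansion rules behind `ping 10.10` resolving to 10.0.0.10, as an added example (Python, not from the thread): a small reimplementation of the classic inet_aton() parsing rules, one to four dot-separated parts, each in decimal, leading-zero octal or 0x hex, with the last part filling whatever bits remain. The sample inputs are constructed. The security-relevant consequence is that any allow/deny list comparing address strings rather than parsed addresses treats 127.1, 0x7f.1 and 2130706433 as different from 127.0.0.1 while the operating system treats them as the same host.

```python
"""The implied-zero expansion behind `ping 10.10`: a reimplementation of inet_aton() parsing.

Added example, not from the thread. Sample inputs below are constructed.
"""
import ipaddress
from typing import Optional


def _parse_part(text: str) -> Optional[int]:
    """One dot-separated component: 0x.. is hex, a leading 0 is octal, otherwise decimal."""
    if not text or not text[0].isdigit() or "_" in text:  # no sign, no Python digit separators
        return None
    try:
        if text[:2].lower() == "0x":
            return int(text[2:], 16) if len(text) > 2 else None
        if text[0] == "0" and len(text) > 1:
            return int(text, 8)
        return int(text, 10)
    except ValueError:
        return None


def inet_aton_loose(text: str) -> Optional[str]:
    """Dotted quad that an inet_aton()-style parser produces for `text`, or None if invalid.

    a        -> one 32-bit value
    a.b      -> a is 8 bits, b fills the remaining 24 (so 10.10 is 10.0.0.10)
    a.b.c    -> a and b are 8 bits, c fills 16       (so 10.1.6 is 10.1.0.6)
    a.b.c.d  -> four 8-bit octets
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_parse_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    *leading, last = values
    if any(v > 0xFF for v in leading):
        return None
    last_bits = 8 * (4 - len(leading))  # bits left for the final component
    if last >= 1 << last_bits:
        return None
    value = 0
    for v in leading:
        value = (value << 8) | v
    value = (value << last_bits) | last
    return str(ipaddress.IPv4Address(value))


def same_host(spelling: str, canonical: str) -> bool:
    """True if `spelling`, parsed loosely, names the same address as the canonical dotted quad.

    This is the comparison an address allow/deny list needs; comparing raw strings
    would treat "127.1" and "127.0.0.1" as different hosts.
    """
    return inet_aton_loose(spelling) == str(ipaddress.IPv4Address(canonical))


if __name__ == "__main__":
    # Constructed inputs: the two examples from the thread plus classic loopback spellings.
    for s in ("10.10", "10.1.6", "127.1", "0x7f.1", "0177.0.0.1", "2130706433",
              "10.256", "256.1", "1.2.3.4.5"):
        print(f"{s:>12} -> {inet_aton_loose(s)}")
```

On glibc systems `socket.inet_aton` applies the same rules, so the reimplementation can be cross-checked there; Python's `ipaddress.IPv4Address`, by contrast, rejects every shorthand form, which is the behaviour you want when validating user-supplied addresses. Parse first with the strict parser, and if you must accept shorthand, canonicalise with the loose one before any comparison.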

Not Wolverine
Jul 1, 2007

by Fluffdaddy


The IT guy at my job is remote, today he asked me if I knew about VPNs, because there is a recurring issue with him not being able to connect. The connection just freezes until he logs into the router and manually restarts PPTP, and then he can reconnect right away. I think the router model is a Cisco v235, it's on my slack at work I can check tomorrow. I don't know anything about this, is it a common issue? What questions can I pester the IT guy with to make myself look good / help troubleshoot the issue?

take_it_slow
Jul 7, 2011



Hopefully webex is fair game for this thread.

Does anyone know where one can acquire nbr2mp4.tar?

Alternatively, does anyone know whether nbr2convert.exe (or nbr2player.exe or any of the other executables packaged with nbr2player.msi package) can be operated via CLI in order to convert from .arf to .mp4? With a little digging I've done, it appears that nbr2player.exe responds to a '-Convert' option, but I can't figure out the exact syntax. For example, ".\nbr2player.exe foo.arf" opens foo.arf in the player, ".\nbr2player.exe foo.arf -Convert foo.mp4" immediately halts with no error message in a manner distinct from an interpretation failure.

uniball
Oct 10, 2003



Not Wolverine posted:

The IT guy at my job is remote, today he asked me if I knew about VPNs, because there is a recurring issue with him not being able to connect. The connection just freezes until he logs into the router and manually restarts PPTP, and then he can reconnect right away. I think the router model is a Cisco v235, it's on my slack at work I can check tomorrow. I don't know anything about this, is it a common issue? What questions can I pester the IT guy with to make myself look good / help troubleshoot the issue?

the RV325 does indeed natively support PPTP, but PPTP is also very insecure. as for the actual issue, it’s Cisco’s “small business” line, which is not known for its reliability. services getting crusty after uptime is not shocking.

if it were my problem but i was prevented from immediately migrating away from PPTP, i’d make sure it was on the newest recommended firmware release (does this exist for the small business line?), and if that didn’t fix it use the support it hopefully has and pass the issue off to Cisco TAC (does this exist for the small business line?).

Not Wolverine
Jul 1, 2007

by Fluffdaddy


uniball posted:

the RV325 does indeed natively support PPTP, but PPTP is also very insecure. as for the actual issue, it’s Cisco’s “small business” line, which is not known for its reliability. services getting crusty after uptime is not shocking.

if it were my problem but i was prevented from immediately migrating away from PPTP, i’d make sure it was on the newest recommended firmware release (does this exist for the small business line?), and if that didn’t fix it use the support it hopefully has and pass the issue off to Cisco TAC (does this exist for the small business line?).
You mention uptime, the router was rebooted a little over a month ago. It's a small office with less than 20 desktops, I doubt the router is getting hit too hard. I know I haven't rebooted my home router in months, but I don't know how often this router should be rebooted.

*Edit* I checked and found the RV325 is EOL, does that affect Cisco TAC availability? Do you have to pay for TAC?

Not Wolverine fucked around with this message at 14:44 on Dec 10, 2020

Docjowles
Apr 9, 2009



Yes you need a smartnet subscription. Honestly I would just see if you can get them to buy a comparable device that isn’t EOL. The one you have appears to go for like $300 so a slightly newer replacement shouldn’t break the bank.

Not Wolverine
Jul 1, 2007

by Fluffdaddy


Docjowles posted:

Yes you need a smartnet subscription. Honestly I would just see if you can get them to buy a comparable device that isn’t EOL. The one you have appears to go for like $300 so a slightly newer replacement shouldn’t break the bank.
I'm not in a position to say "you need a new $300 router" and I also do not use the VPN, I would prefer to have an answer that sounds smarter than "buy a new router" for my remote IT manager. In the meantime, I think I will ask the IT manager about trying to restart PPTP on a routine basis or even a script to reboot the router at midnight until a better solution is found.

Slickdrac
Oct 5, 2007

Keeper of the Secret


Not Wolverine posted:

I'm not in a position to say "you need a new $300 router" and I also do not use the VPN, I would prefer to have an answer that sounds smarter than "buy a new router" for my remote IT manager. In the meantime, I think I will ask the IT manager about trying to restart PPTP on a routine basis or even a script to reboot the router at midnight until a better solution is found.

"You're getting what you paid for"

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!



Trying to figure out how the HA on this Fortigate 300D cluster works on the ISP side.

The Cisco 3600X is from the ISP. Are they just using it to split the circuit into two physical links? I can't view the configuration of it at all.

On the HP 5500 (LAN) side, isn't port mirroring a very odd way of doing this? I mean I guess it works...

We're getting a new ISP and they asked if we want to do a LAG or LACP. They can give us two ports, but they just have one router and not a router + switch.

Can't find the Fortinet docs that really say much. Diagram attached, image hosts are blocked.


Not Wolverine
Jul 1, 2007

by Fluffdaddy


Slickdrac posted:

"You're getting what you paid for"

Add "and the bank is on hold, again." to that statement and you have the exact words I want to tell my boss.

Partycat
Oct 25, 2004

Life at last
Salutations from the other side


Plaster Town Cop

take_it_slow posted:

Hopefully webex is fair game for this thread.

Does anyone know where one can acquire nbr2mp4.tar?

Alternatively, does anyone know whether nbr2convert.exe (or nbr2player.exe or any of the other executables packaged with nbr2player.msi package) can be operated via CLI in order to convert from .arf to .mp4? With a little digging I've done, it appears that nbr2player.exe responds to a '-Convert' option, but I can't figure out the exact syntax. For example, ".\nbr2player.exe foo.arf" opens foo.arf in the player, ".\nbr2player.exe foo.arf -Convert foo.mp4" immediately halts with no error message in a manner distinct from an interpretation failure.

https://web.archive.org/web/20150908182324/https://support.webex.com/supportutilities/nbr2mp4.tar appears to be it. The lack of it existing tells me that it may not be compatible with the file format any longer but I don't know. That's the same explanation I ran into for the nbrconvert application, it used to have command line arguments but they were "removed" sort of, but not really. That was from 2015. I think the only suite that still does this is webex events? They all should support .mp4 recording for the most part now, though the layout and content is a bit of an issue yet I think.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE


Bob Morales posted:

Trying to figure out how the HA on this Fortigate 300D cluster works on the ISP side.

The Cisco 3600X is from the ISP. Are they just using it to split the circuit into two physical links? I can't view the configuration of it at all.

On the HP 5500 (LAN) side, isn't port mirroring a very odd way of doing this? I mean I guess it works...

We're getting a new ISP and they asked if we want to do a LAG or LACP. They can give us two ports, but they just have one router and not a router + switch.

Can't find the Fortinet docs that really say much. Diagram attached, image hosts are blocked.



I forget if the D line of devices has an HA port, but are you sure they're doing heartbeat through the switch and not actually doing HA with a cable connecting the 2 devices together?

Because, yes, that would be weird, typically you'd configure a port on each device (I know newer models have a specific HA port I THINK Ds might) to act as the HA/heartbeat port.

*edit* is your HA an active/active or active/passive?

Thanks Ants
May 21, 2004

Bless You Ants, Blants



As above, there should be HA links so the firewalls can talk to each other

https://docs.fortinet.com/document/fortigate/latest/administration-guide/900885/ha-active-passive-cluster-setup

There should also be (logical or physical) switches sat on the WAN and LAN side of the boxes. I would assume the Cisco 3600X is just acting as a switch to provide two links to your firewalls currently, as the router might not have a switch that it can run things through.

I'm really not sure why you have a port mirror set up, that seems like it could cause a problem. If you need two ports on the LAN side of things to connect each firewall to then you normally just have them in their own VLAN in a point-to-point subnet and set your routes up accordingly. I've no idea if the 5500 can put a port into L3 interface mode, but that might explain why someone has decided a port mirror (which IIRC has pretty severe performance implications) is the way to fix it.

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!



MF_James posted:

I forget if the D line of devices has an HA port, but are you sure they're doing heartbeat through the switch and not actually doing HA with a cable connecting the 2 devices together?

Because, yes, that would be weird, typically you'd configure a port on each device (I know newer models have a specific HA port I THINK Ds might) to act as the HA/heartbeat port.

*edit* is your HA an active/active or active/passive?

Active/passive



take_it_slow
Jul 7, 2011



Partycat posted:

https://web.archive.org/web/20150908182324/https://support.webex.com/supportutilities/nbr2mp4.tar appears to be it. The lack of it existing tells me that it may not be compatible with the file format any longer but I don't know. That's the same explanation I ran into for the nbrconvert application, it used to have command line arguments but they were "removed" sort of, but not really. That was from 2015. I think the only suite that still does this is webex events? They all should support .mp4 recording for the most part now, though the layout and content is a bit of an issue yet I think.

Thanks for the link - I'm working with .arf files generated between c. 2014-2018 (these are all training presentations - as soon as I got onboard I switched to OBS for the recording), so the tool should be able to convert at least some of them, even if the standard has changed since. I appreciate the help.
