Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us money per month for bills, and since we don't believe in showing ads to our users, we try to make the money back through forum registrations.
 
  • Post
  • Reply
Pile Of Garbage
May 28, 2007





This might be a stupid question and if it is I hope this is the right thread for it: what command do you use on a Cisco 2801 to clear the counters that are shown when you run "show dsl interface atm"? I would have thought that simply running clear counters would work but apparently not. For reference the 2801 is running 12.4.

Adbot
ADBOT LOVES YOU

Pile Of Garbage
May 28, 2007





atticus posted:

check out gear from OnPath - 3900 series.

For bonus lolz look at the product sheet PDF for the 3900 series, page 3. everyone knows dudes hack in ski masks and are married

Those OnPath switches look ridiculous. At least they'd be easy to find in a rack I guess...

Oh and you weren't joking about their stock photo choices in the 3900 series product sheet:



That has to be a subtle goatse reference.

Pile Of Garbage
May 28, 2007





BurgerQuest posted:

For what it's worth I quite like Fortinet's two approaches for centralised management of their various routers/switches/AP's. Fortimanager ties everything in nicely and works in closed environments, managing firmware updates, tracking config changes etc. Forticloud is much less much and ofcourse requires the device to be able to talk to Forticloud over the internet, but it is nice when your device is behind weirdly NAT'd 3G networks/etc as it creates a secure tunnel back to Forticloud and from there you can manage/work with the device.

2c.

You can even get FortiManager as a virtual appliance which is pretty sweet.

Pile Of Garbage
May 28, 2007





This question has probably been asked a million times in this thread so apologies in advance: what is the currently recommended router/switch combo for setting up a home CCNA lab? I've had a look around on Google however most of the guides/sites I found were a year or two old and I'm worried about investing in something that may be obsolete or not support a relevant IOS version.

Pile Of Garbage
May 28, 2007





Powercrazy posted:

CCNA requires pretty much nothing equipment-wise. Get 2 switches as long as they run IOS so that you can figure out trunking and port channels, and get a router.

Lab:
Create multiple VLANs on the switches
Change Spanning tree priority per vlan
Create multiple trunks and portchannels between the switches
Setup router on a stick so that a host on one vlan can get to a host in a different vlan.
If you have two routers create two router on a sticks and figure out how to advertise each network between the two routers using static routes, then do it again using a routing protocol, I'd suggest OSPF.

That's pretty much it.

Equipment:
Two of any of these:
2950/2960
3550/3560

and

one or two of either of these:
2600
1800/2800/3800

Everything else on the CCNA is basically Cisco sales speak/indoctrination. You'll need to know it to pass the test, but it's not super relevant in the real world.

Awesome thanks for the info. Regarding IOS versions would IP Base be fine across all the gear or would you recommend IP Advanced on the routers?


GOOCHY posted:

Just use Packet Tracer unless you absolutely need physical access to gear.

That's an excellent point I completely forgot about Packet Tracer. Can you get Packet Tracer outside of being a registered academy student? I'll probably see if I can grab a copy from one of my work mates.

Pile Of Garbage
May 28, 2007





Riverbed chat? I can dig that. My background is mostly with Citrix NetScaler appliances but at my current gig they are all Riverbed and so far I'm quite impressed. We have approximately 25 units deployed at branches and are seeing +50% data reduction:

Pile Of Garbage
May 28, 2007





Does anyone know how to download the PKI private key in ACS 4.2?

Pile Of Garbage fucked around with this message at 04:57 on Nov 10, 2013

Pile Of Garbage
May 28, 2007





Farking Bastage posted:

Fortigate's are my second choice next to a Palo. Nice little boxes. Outside of going Mikrotik or a hacked up DD-WRT(lol), you can't find a $500 firewall that you can set up for dual WAN failover that I know of.

Seconding the Fortigate love. You get a surprising amount of features even on their low-end, branch office models.

Pile Of Garbage
May 28, 2007





jwh posted:

2). If it's not working, it's almost always either a transform set mismatch, or a security association disagreement. If it's still not working, it's still a transform set or security association disagreement. If it's not working after that, it's an ACL issue.

I'm a Cisco IOS/networking scrub yet I agree with this advice 1000%. If your tunnel doesn't come up it's almost always due to a phase 1 proposal mismatch.

Also I've read the entire thread, albeit starting over 6 months ago! Good advice all round.

Pile Of Garbage
May 28, 2007





Here's some advisories I've collected to save some time:

Blue Coat: https://kb.bluecoat.com/index?page=content&id=SA82&actp=RSS
Check Point: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk102673
Cisco: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
Polycom: http://supportdocs.polycom.com/PolycomService/support/global/documents/support/documentation/Security_Bulletin_bash_shellshocked_v1_0.pdf
Riverbed: https://supportkb.riverbed.com/support/index?page=content&id=S24997

Also this guy is posting advisory updates for several vendors: http://www.mnemonic.no/en/Andre-sprak/English/Blog/Status-on-products-versus-vulnerability-in-Bash-CVE-2014-6271/

Pile Of Garbage
May 28, 2007





On the subject of Cisco WLC: in the infinite wisdom of our customer's project manager we have deployed a managed WAP on an off-shore vessel. There is no WLC on-board the vessel so the WAP is being managed by the WLC back at our DC over a 500ms VSAT link. We are using 802.1x for authentication and due to the latency clients are unable to auth 90% of the time when trying to connect. We escalated to TAC who advised that the latency between the WAP and WLC needs to be <100ms for it to work properly. Has anyone else dealt with such a situation before? It's getting to the point where we will either have to deploy a WLC on the vessel or reconfigure the WAP in standalone mode, both of which I'd rather not do because gently caress going back offshore again. Are there any other options?

Pile Of Garbage
May 28, 2007





Thanks Ants posted:

Send someone else to do it?

Yeah that would be nice however I'm the only person on the contract who has a BOSIET certificate. poo poo I'm a server engineer, not a networks guy. Hopefully I'll die in a derrick fire or helicopter crash or something.

Pile Of Garbage
May 28, 2007





jwh posted:

H-REAP won't help you if the radio is configured to 802.1x authenticate back to a remote server.

Put a little WLC out there, it's really the best solution. Probably a 2500 or similar.

I've just taken another look at the WLAN config on the WLC and it's setup to authenticate against RADIUS servers (Old-rear end Cisco 1113 ACS boxes) in our DC so even if we deploy a WLC on-site we could still have issues (I think). We have deployed WLCs at two sites in Korea but that was only to resolve performance issues caused by the back-and-forth of CAPWAP over WAN.

jwh posted:

With your BOSIET certification, aren't you certified to survive helicopter crashes?

More like certified to experience them.

Pile Of Garbage
May 28, 2007





Thanks for the suggestions jwh and ior. There are already DCs on-board the vessel so I'll push the business to deploy a WLC out there (Unless TAC can provide a better option which is doubtful).

Pile Of Garbage
May 28, 2007





Ahdinko posted:

I have a customer across three countries, UK, US and Australia. There is a WLC in each country, and all users authenticate with 802.1x which goes back to some boxes in the UK. The Aus-UK latency is 270-300ms and it works perfectly. So i guess the 802.1x stuff taking a while is ok, it must just be the AP>WLC communication that needs a shorter time?

You've just reminded me of something: we've got an office in Aberdeen with WAPs and no WLC, latency between our DC and the Aberdeen office is ~260ms and AFAIK they have zero connection issues with WiFi out there. We sent debug logs from the WLC to TAC last week and are still waiting to hear back.

Edit: poor choice of words.

Pile Of Garbage fucked around with this message at 11:29 on Feb 16, 2015

Pile Of Garbage
May 28, 2007





Has anyone encountered a situation where the IP address of each hop returned by a trace route is the same as the target IP address? I asked the networks team that I work with but they've never seen such an anomaly before.

Background: we've got a remote site which is connected to our DC via an IPsec tunnel. The tunnel is from a Cisco 2911 at the remote site to an ASA 5555-X at the DC. When I perform a trace route from a server at the remote site to another server at the DC the IP address of each hop is the same as the target IP address. Example:

pre:
C:\>tracert -d 10.180.49.15

Tracing route to 10.180.49.15 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.180.112.126
  2     *        *        *     Request timed out.
  3    54 ms    54 ms    53 ms  10.180.49.15
  4    71 ms    55 ms    56 ms  10.180.49.15
  5    55 ms    55 ms    56 ms  10.180.49.15

Trace complete.
Performing a trace route in the opposite direction from the server at the DC works as expected:

pre:
C:\>tracert -d 10.180.112.1

 Tracing route to 10.180.112.1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.180.49.254
  2     1 ms     1 ms     1 ms  10.180.255.1
  3     1 ms     1 ms     1 ms  10.180.55.238
  4     *        *        *     Request timed out.
  5    55 ms    56 ms    55 ms  10.180.112.1

Trace complete.
The main reason I'm asking is that we have another issue at the remote site where connections are getting stuck in a half-open state on the sites Riverbed. These connections are building up and eventually the Riverbed enters admission control due to exceeding its license limit. I suspect that this trace route weirdness is related to the half-open connection issue on the Riverbed. Everything else is working as expected and traffic is flowing fine without issues.

I'm not really a networks person by trade but I know a fair bit and can provide config excerpts if need be. Any help would be much appreciated.

Pile Of Garbage
May 28, 2007






We're running 9.3(1). I don't have an Experts Exchange account so I can't read that thread. Is there a known issue with code-levels >9.0?

Edit: the remote site 2911 is running 15.1(4)M8 if that's at all helpful.

Pile Of Garbage fucked around with this message at 20:58 on Mar 12, 2015

Pile Of Garbage
May 28, 2007





Moey posted:

Stupid Experts Exchange. If you find the link on google, you can scroll all the way down and see the answer. But direct links make you have an account.

Hit the first link.

https://www.google.com/search?q=Was...=utf-8&oe=utf-8

Cool thanks for that. I've checked the ASA config and the statements for inspect icmp and inspect icmp error aren't present so that may very well be the issue. Of course if that fixes it then my suspicion that it was a symptom related to the half-open connection issue is probably incorrect. We're already escalating that one to Riverbed so it's their problem now.

Honestly gently caress spurious inter-site traffic as it's the whole reason I've been dragged into this and it's become the bane of my existence (loving Lync 2010 client is the worst offender in a Windows AD environment).

Pile Of Garbage
May 28, 2007





Anyone here familiar with Cisco Security Manager 4.7? I've been tasked with configuring it to use a SSL certificate issued by our internal-CA instead of the default self-signed one (Required to get AlgoSec to talk to it or something) and I'm having a hard time digging up good documentation. I've found some details in the built-in help but it's obtuse as hell and full of gaps (e.g. it says how to generate a CSR but it doesn't actually say where it puts it). I know what I'm doing when it comes to PKI however Cisco have managed to make it as difficult as possible.

Can anyone point me towards some good documentation?

Edit: I think I've got it nailed down, the process is extremely retarded on Windows:
  1. Generate the CSR by filling in the "Self Signed Certificate Setup" form on the web-interface (Nowhere does it say that a CSR will be generated).
  2. Grab the CSR from the following folder: "<CSM_INSTALL_DIR>\MDC\Apache\conf\ssl" (This location is not documented at all).
  3. Submit CSR to your CA.
  4. Run a loving Perl script on the CSM server to verify and upload the signed-certificate along with any root/intermediate CA certificates.

Pile Of Garbage fucked around with this message at 04:22 on Mar 31, 2015

Pile Of Garbage
May 28, 2007





cheese-cube posted:

Anyone here familiar with Cisco Security Manager 4.7? I've been tasked with configuring it to use a SSL certificate issued by our internal-CA instead of the default self-signed one (Required to get AlgoSec to talk to it or something) and I'm having a hard time digging up good documentation. I've found some details in the built-in help but it's obtuse as hell and full of gaps (e.g. it says how to generate a CSR but it doesn't actually say where it puts it). I know what I'm doing when it comes to PKI however Cisco have managed to make it as difficult as possible.

Can anyone point me towards some good documentation?

Edit: I think I've got it nailed down, the process is extremely retarded on Windows:
  1. Generate the CSR by filling in the "Self Signed Certificate Setup" form on the web-interface (Nowhere does it say that a CSR will be generated).
  2. Grab the CSR from the following folder: "<CSM_INSTALL_DIR>\MDC\Apache\conf\ssl" (This location is not documented at all).
  3. Submit CSR to your CA.
  4. Run a loving Perl script on the CSM server to verify and upload the signed-certificate along with any root/intermediate CA certificates.


Just wanted to bring this back up incase anyone is having similar problems, turns out if you are using a Windows CA to sign the certificate then you are hosed, the certificate will verify and upload fine however Apache will fail to start and throw an exception in mod_ssl. Cisco TAC didn't believe me until I replicated the fault during a WebEx and they later confirmed the fault in their lab when using a Windows CA. We're still waiting on a fix from Cisco but honestly the CiscoWorks platform is rubbish and should be avoided. Any issue you have with it has to go to Cisco's internal development team and you won't hear much back.

Pile Of Garbage
May 28, 2007





cheese-cube posted:

Just wanted to bring this back up incase anyone is having similar problems, turns out if you are using a Windows CA to sign the certificate then you are hosed, the certificate will verify and upload fine however Apache will fail to start and throw an exception in mod_ssl. Cisco TAC didn't believe me until I replicated the fault during a WebEx and they later confirmed the fault in their lab when using a Windows CA. We're still waiting on a fix from Cisco but honestly the CiscoWorks platform is rubbish and should be avoided. Any issue you have with it has to go to Cisco's internal development team and you won't hear much back.

Ok so we finally identified the root cause and managed to get it working. When you upload the certificate using the lovely "SSLUtil.pl" script it combines any root/intermediate CA certificates you give it into a single X.509 certificate file which it then drops in the "<CSM_INSTALL_DIR>\MDC\Apache\conf\ssl" directory along with the signed certificate. Turns out that the script was mangling the combined root/intermediate certificate chain file that it generates by inserting a bunch of random spaces. Manually editing the file to remove the spaces fixed it up and allowed Apache to start without throwing an error.

gj cisco

Partycat posted:

+1 for WLC/NCS/PIM being utterly obnoxious and obtuse.

Seconding NSC being obtuse as hell. I actually logged-on to our NSC install today for the first time as I was on a UCS Administration course and wanted to see how port-profiles are configured on our 1000Vs. I swear it took me a solid 10 minutes of clicking around to find the drat things. IMO NSC beats WLC for being obtuse by a wide margin.

Pile Of Garbage fucked around with this message at 10:25 on May 15, 2015

Pile Of Garbage
May 28, 2007





Having an issue with some Cisco Aironet 2600-series APs using Windows DHCP Server: the APs are getting a lease but are not picking up the WLC management IP from the DHCP options. I've tried using a vendor class with VCI "Cisco AP c2600" and option 241 defined within the class as well as just option 43 with the WLC management IP address specified in TLV format. We've already got 1100-series APs which are working fine using a vendor class on the Windows DHCP server. In addition we have other 2600-series APs at remote sites working using the local Cisco router as a DHCP server. I've tried searching around however all of the Cisco documentation is very vague when it comes to Windows DHCP Server.

Has anyone encountered this issue before and/or have a working reference configuration? We're going to start doing proper diagnostics tomorrow but it would be swell if anyone could offer some advice.

Pile Of Garbage
May 28, 2007





Powercrazy posted:

I've had the same issue with 3600aps. Have you tried specifying option 43 with a HEX ip?

This is how I have it setup on my ISR that I'm using as a DHCP server.

ip dhcp pool AccessPoints
import all
network 172.18.0.0 255.255.255.240
default-router 172.18.0.1
option 43 hex f104.0a01.0a0f
lease 7

option 43 is 10.1.10.15 in hex. with an ethertype (i think) prefixed.

Yeah we've tried option 43 in TLV format, thanks for the reply though. We've brought one of the APs to the office and are going to do some packet captures for diagnosis in a bit so I'm sure we'll get to the bottom of it.

Edit: the guy from our networks team who I was working with just told me that it actually started working sometime after we left the office last night so NFI what was going on. Of course now we're getting a DTLS handshake error but that ain't my problem, I'm just a server guy heh

Pile Of Garbage fucked around with this message at 23:54 on May 27, 2015

Pile Of Garbage
May 28, 2007





Ahdinko posted:

I've never done the option 43 method, i've always done them using DNS, with the CISCO-CAPWAP-CONTROLLER or whatever the record, maybe give that a go?

Huh, never knew that you could use DNS for controller discovery. However in our situation that would not work as some of our remote sites have their own WLCs but use the same DNS zone.

Pile Of Garbage
May 28, 2007





I've got a Cisco RV130W SMB router at home running firmware version 1.0.1.3 and I'd like to upgrade it to 1.0.2.7 which was released yesterday. However it appears that the "Administration > Firmware/Language Upgrade" section in the device's web interface is missing. I haven't had to do a firmware upgrade of the device since getting it in October, 2014 so I'm unsure when this issue arose. Tried Googling but no luck, has anyone encountered this issue before with Cisco SMB routers?

Pile Of Garbage
May 28, 2007





Slickdrac posted:

I can beat that. I told our trial hire guy to order 3 2960s. 1 to be standalone, the other two to be stacked.

He ordered, 1 2960. But made sure to order the stack cable.

He has a valid CCIE...

I can beat that. In my last job we had a new hire who apparently had their CCNA. A router at one of our customer's branch offices went down so we asked the new hire to load a config onto a spare 877 so we could swap it in at the site. He spent 15 minutes trying to plug the serial cable into the DB-9 monitor port on his computer.

Pile Of Garbage
May 28, 2007





Partycat posted:

cheese-cube posted:

DB-9 monitor port

adorai posted:

protip: VGA is DB-15 not DB-9. DB-9 is serial, and would be the correct port to use.

Ugh I'm an idiot and should be fired. Out of a cannon. Into the sun.

Pile Of Garbage
May 28, 2007





Anjow posted:

I've not found a Fortigate or firewalls thread so I'm not aware of another place I could ask this...

I've got a Fortigate firewall on "v4.0,build0689,141215 (MR3 Patch 18)" (it's what my company standardises on) and there is an IPSec tunnel to a 3rd party with a private /16 on our side and a private /24 on theirs. I have a simple policy set up to say to route traffic to and from these subnets over the tunnel.

I don't have any interest in filtering traffic outbound to this customer but I would like to restrict some inbound traffic, however I've not found a way to do this. Does anyone know how I can keep the subnets exchanged the same but introduce restrictions on what connections the 3rd party can initiate towards our customer?

It sounds like you've got the IPsec tunnel configured as a policy-based VPN on the FortiGate. If you configure it as a route-based VPN you can specify policies for both directions which will allow you to restrict inbound traffic. To do this you have to enable IPsec Interface Mode in the Phase 1 configuration of the tunnel. This will create a virtual interface which you can specify both inbound and outbound policies for. Here's a general configuration example: http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%25205.0%2520Help/gw-to-gw.114.13.html

Pile Of Garbage
May 28, 2007





Wicaeed posted:

Where's a good point to start learning Cisco UCS?

I've just started a new job where they have a small UCS deployment (two chassis + 2 Fabric switches) but it might be growing in the next year. Right now they only other sysadmin knows it somewhat from a management standpoint, but I'd like to take that knowledge one step farther so that we have to stop bringing in consultants to do things.

There's a UCS Platform Emulator provided by Cisco which is a good way to get to grips with UCS Manager and how it all fits together (Note that the emulator is a virtual appliance so you'll need an ESXi or Hyper-V host to deploy the OVA to). As for learning it, can you convince your boss to send you on the DCUCI course?

Pile Of Garbage
May 28, 2007





Collateral Damage posted:

Slightly off topic question, but I didn't see a general Enterprise Networking thread.. What's your favorite way to paint pretty pictures of your network? The stock Visio stencils are awful (at least in Visio 2010 which is what I have) and google hasn't helped me find something much better. Ideally I'd like some simple but attractive 2D shapes.

(I did find Crayon Network Shapes but I think my superiors would question my sanity more than they already do if I used that. )

Depends on what you're trying to draw. For higher-level diagrams the Cisco stencils are usually the defacto go-to. If you're diagramming complicated Layer 2/3 topologies then it's best to avoid stencils and just use simple shapes. For example, here's a snippet of a Layer 2 diagram:



If you want some fancy shiny stencils (Or physical device stencils) then checkout VisioCafe.

Pile Of Garbage
May 28, 2007





Reiz posted:

I'm guilty of switchport trunk allowed vlan add x. Best part is I was working from home and my internet service went down right afterward, so I spent the next 5 minutes furiously racking my brain and trying to figure out how dropping the other vlans would sever my connection and pondering just how bad of an outage I had just caused.

Then my boss calls me and tells me we've lost connectivity on every VM on whatever host that port was attached to, probably the least appropriate "oh, good!" I've ever said.

I had just finished doing the exact same thing to 11 other ports because I wasn't allowed to use rancid for that job and was just flying through with tab autocomplete. Don't be like me.

In my last job I worked with Fortigates a lot and built up a significant amount of FortiOS muscle memory. This is hazardous because you get used to typing sh whilst in config mode which on FortiOS shows the running configuration within your current context. Of course doing the same thing on IOS in interface config mode leads to hilarious results.

Pile Of Garbage
May 28, 2007





adorai posted:

i just count on my fingers.

v4 on your fingers, v6 on the toes. count em if you got em

Pile Of Garbage
May 28, 2007





Zero VGS posted:

Er, I should specify it's HP Procurves... I don't see a mac-address-table command. I did "show mac-address [the mac address I want]" and it returns Port 19 and VLAN 16, I assume then there's a command to figure out the IP of whatever switch is on Port 19 so I can then Telnet into that and run show mac again?

Zero VGS posted:

I figured it out, "show lldp info remote" tells me the names of all the switches in the ports, then I was able to telnet into the edge switch and find the true port that MAC was connected to.

Pile Of Garbage
May 28, 2007





Judge Schnoopy posted:

Anybody here work with a Cisco blade server chassis?

We're getting tired of HP royally loving us when it comes to firmware updates. We bought 3 super beefy servers for our HP chassis environment only to learn (after they were delivered, and after having HP come on site to scope the upgrade project) that the new firmware is incompatible with our old hardware. Meaning we either replace everything in the chassis or don't upgrade at all. Their idea of blade chassis seems to be "Buy it all at once and replace everything at once, no upgrades after 5 years."

I'm wondering if Cisco has the same bullshit tactics with their blade server firmware or if they continue firmware support on older servers. I'm looking for anybody that's had to upgrade one of these or add new blades and how that experience went.

A word of warning, not sure if it's a regional thing (APAC) or our VAR's fault but we are seeing extremely high failure rates with our UCS B200 M3 blades. Last year we purchased 24 of the blades and we have experienced failure rates >20%. It's always the same issue: blade starts reporting a large amount of uncorrectable ECC errors on a single DIMM then the ESXi hypervisor PSODs and eventually the blade just dies completely. Each affected blade had to be replaced in its entirety. Honestly I'm amazed that Cisco haven't issued a product recall as there's obviously a batch of blades which are faulty.

I'm really not sure if anyone else has experienced the same issue. Apart from that they're pretty good I guess. Just make sure your VAR has lots of spare parts in stock.

Pile Of Garbage
May 28, 2007






Hah I was reminded of that advisory when I was off-shore on a deep-sea pipe-lay vessel about two weeks ago. Both switches in the main stack had cables in Gi1/0/1 and the boots were pressing the button. I'm amazed that it never caused an issue but at the same time I didn't give a gently caress as the vessel finishes its campaign in three weeks...

Edit: hang on I've just re-read that advisory, is the issue not present on 3750 switches? Because that would explain why we never had any issues on the vessel in question. Also I'm probably an idiot.

Pile Of Garbage fucked around with this message at 13:26 on Mar 1, 2016

Pile Of Garbage
May 28, 2007





Veth posted:

Nope, although it's probably only 40 actual users at most. Undoubtedly, we're way off the "Best Practices" path, but day-to-day the three of us who share the IT burden manage OK. Cisco stuff is way over our heads, unfortunately.

It'd be a massively off-topic derail to enumerate the IT WTFs, to be honest. Let's just say that paranoia and "I know a guy who said we need..." heavily influence decision making here.

I hope you're getting two paychecks.

Pile Of Garbage
May 28, 2007





Eletriarnation posted:

If you decide you want to get a Cisco router as a home gateway, a used 2821 isn't a terrible choice to avoid paying a lot or getting limited performance. Its stock fans are pretty loud for home use but they're standard 80mm case fans, so you can buy some quieter ones meant for PCs to keep it cool enough without being distracting. It's still pretty big but you can just stick it in an out of the way place or stack things on it.

I had no problems running a 12/2 DSL connection with a much slower 1710 + WIC-1ADSL combo a few years back, but based on the CPU utilization I don't think it could have handled NAT for more than 15-20Mbps. Not sure about the 2600s but they're probably comparably limited, while the 2821 in comparison has two gigabit ports and seemed like it wasn't trying very hard with the 60/6 connection I had at the time.

There are newer, smaller models with gigabit ports like 891FW or the 1900s but I don't think you could find them for as low prices as a 2800.

Just get an old 877. I've got one and it works perfectly on my 19/2 DSL connection. If you want gig on LAN then stick a better router behind it.

Pile Of Garbage
May 28, 2007





psydude posted:

Speaking of, has anyone here ever blocked ad networks straight up on their perimeter devices? Only major downside I could see is that it might break some content-based sites.

Unless you're relying on regularly updated URL categories for your proxy or whatever then you'd be fighting a losing battle really. Client-side extensions already do (For free) but with better targeting and greater efficacy.

Of course I'm not saying it's impossible, just difficult and impractical. Would love to hear from anyone who's actually tried it.

Pile Of Garbage
May 28, 2007





CrazyLittle posted:

And as Dyn shows, they don't need a terabit to take you down when they can just attack your upstream, or attack portions of your secondary infrastructure.

IMO next year we're going to see attacks which manage to cause collateral damage by saturating transit links between PoPs.

Adbot
ADBOT LOVES YOU

Pile Of Garbage
May 28, 2007





Jokes on them I'm already dead.

  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply