bort posted: It used to be recommended that you didn't use either all-zeroes or all-ones. That might be why they're saying that. It won't.

# Sep 13, 2012 03:34

> ToG posted: Well that's good to know. Is it still considered best practice not to use it?

I wouldn't due to the routing loop issue he mentioned earlier. Given how CIDR works these days, you really shouldn't find yourself in that situation, though.

# Sep 13, 2012 03:40

Mierdaan posted: For anyone following me trying to figure out how ASA NAT works, it was simple in the end. Mostly I was confused trying to figure out what the point is of ACLs that don't actually permit/deny traffic, just exist for the purposes of matching traffic to a NAT ID. When you get right down to it, a NAT is just dynamic policy based routing that uses control lists to source its mapping.

# Nov 21, 2012 01:09

The $600 ones? And they only run at 5gbps? How affordable for small business applications.

# Dec 28, 2012 20:01

Yeah, same here. Because if you're at the point where you need 5gbps of throughput on a switch stack, you're probably ready to move up to something a bit higher tier.

# Dec 28, 2012 21:35

What's the best small-business router, anyway? Mikrotik looks like they've got some pretty legit hardware for next to nothing.

# Dec 29, 2012 16:46

> CrazyLittle posted: How many users, how much bandwidth, and what features do you need?

Say around 150 users with only 100 or so on at any given time. It'll be load balancing across 2-3 satellite links, possibly from different ISPs (so it'll need BGP and path control capabilities), and will need QoS.

# Dec 29, 2012 19:28

> CrazyLittle posted: Are you getting full routes from your BGP peers, or advertising IP space, or are you just using it for dynamic failover?

This is basically some pro-bono work with an organization that has a tight budget. I'm not entirely sure if the ISPs will provide full BGP routes because this is just kind of in the initial planning stage; it might be easier to use a simpler form of load-balancing and failover. Do 5505s do QoS? That would obviously offload a lot of the stress from the CPU.

# Dec 31, 2012 13:27

I really wish Cisco would standardize their CLI commands between devices. I was working with a new ASA today and I broke down and installed ASDM because everything was completely different.

# Jan 10, 2013 19:56

Fatal posted: Seems pretty standard to me, it's the IOS versions that change things dramatically, namely the difference between 8.2 and 8.4+

# Jan 10, 2013 20:27

What's y'all's opinion of the 4255? I have been super unimpressed with them so far after about a month of use, but then again the guy that I took them over from spent zero time tuning the signatures so maybe I'm not giving them a chance.

# Feb 26, 2013 18:49

> Langolas posted: We went to Palo Alto. Just made sense to us, their product is amazing.

If both I and my boss continue to be unimpressed, maybe we'll start looking into PA for the next FY.

# Feb 27, 2013 02:00

e^: Just saw that. That smil is a SIPRNet second level domain. Someone hosed up hahahahaha.

> Nuclearmonkee posted: When I worked in government, albeit local government, I remember extremely strong prohibitions against letting a network device that could have potentially sensitive data in it ever creep out of the organization. Password recovery was also disabled on everything (and verified as such via Solarwinds). I can only assume the Department of Defense is supposed to be more stringent.

vv AFAIK, devices carrying classified or sensitive but unclassified information are supposed to be destroyed rather than sold as surplus. To give you an idea of how anal they are about technology - you can't even take a CD that's been in a classified computer and stick it in a machine of a lower classification or an unclassified network. That's a pretty standard USG-wide warning, though, so for all we know it could have come from like the Forestry Service or BLM or something; non secret-squirrel parts of the government need to access them internets too, you know.

psydude fucked around with this message at 00:25 on Feb 28, 2013
# Feb 28, 2013 00:19

> Nuclearmonkee posted: Unless they faked the config it appears to come from Special Operations Central Command and is configured with IPs in the 22.0.0.0/8 and 11.0.0.0/8 ranges. Pretty sure those guys are supposed to be super anal. Now it gets to have a rather boring existence serving truck engineers.

You'd be surprised at the kind of people who find their way into working on classified networks.

# Feb 28, 2013 00:27

Every switch I pull out gets its flash memory and vlan.dat configuration erased. And then it's destroyed. And I don't even work on any classified devices.

# Feb 28, 2013 00:31

WhatsUp Gold FlowMonitor is pretty damned good, but it doesn't run on RHEL.

# Mar 1, 2013 19:08

What's the advantage of using a nexus over a 6509 in that situation if the network follows a traditional hierarchical design?

# Mar 11, 2013 19:34

> Ninja Rope posted: Are you doing a lot of layer 7 load balancing? Why F5?

It's a managed hosting provider, so I'd imagine they're looking to load balance HTTP/HTTPS. I'm also guessing the convenience of the integrated IPS is appealing. Plus the font of the appliance looks pretty rad (this is important).

# Mar 11, 2013 22:57

Anyone ever used Ubiquiti's wired solutions? I've used their wireless stuff before; the price is certainly right.

# Mar 20, 2013 20:32

You should've told him to get off his rear end and put out some CCNP books so we don't have to suffer through Odom.

# Mar 22, 2013 12:15

So I'm installing CSACS 5.3 in one of our networks that isn't running any version of ACS yet. I've had no problem getting 4.2 to work before, but for some reason I cannot get it to allow me into privileged/exec mode. It just keeps coming back with authentication failed each time; I've tried updating the command sets, shell profiles, and triple-checked the service selection rules and default access policies. Any ideas?

e: I'm using TACACS

e2: Apparently acquisitions didn't purchase a support contract to go with this. Sigh.

e3: Figured it out. Under the shell profile, you have to actually go in and set "Maximum privilege level" to Static and then elevate it to 15. For some reason, 5.3 treats "Not in use" as an implicit deny of all privilege escalations.

psydude fucked around with this message at 19:23 on Apr 16, 2013
# Apr 16, 2013 16:39

I'm deploying a wireless network using ISE paired with a WLC 5508. The idea is to have two SSIDs: one that grants users unrestricted access without registration after they go to an Acceptable Use page (much like a coffee shop) and another where users will register and log in, followed by an AUP (much like a college campus). The problem I'm having is that I cannot, for the life of me, figure out how the gently caress to implement the first SSID in ISE. The second one is pretty damned easy, but I seriously can't figure out how to just go straight to the AUP without authentication. Any ideas? I'm hoping it's something really stupidly obvious, because the ISE interface is confusing as poo poo. Using the AUP on the WLC is not an option; it has to be ISE.

# May 3, 2013 17:22

I'm taking ROUTE in 4 weeks. From what I've gathered, the press book and lab manual go much farther into detail than is necessary.

# May 6, 2013 19:07

I'm working on a wireless rollout right now. ISE has the least intuitive and most frustrating interface. Why the gently caress do we have to be an all Cisco shop?

# May 6, 2013 23:03

> BoNNo530 posted: Can you tell me a little bit about it? My boss is starting to push for this, especially for wireless, and I just want to make sure we don't end up regretting it.

The RADIUS and AAA portion is easy enough to set up; most of the configuration will come on your WLC instead of ISE itself. The biggest problem I have with it is the organization of the menus. There's about 10-15 sub menus for each menu item, each of which are not aptly named for the function of the policy that they control. For someone who hasn't spent 10-15 hours setting it up, it will be a huge hassle to make even the smallest change. As someone who has spent 15 hours setting it up, the menus are still a colossal pain in the rear end.

With that said, if you can actually manage to get it set up (a feat in and of itself), it's actually quite good at what it does. The sponsor console is pretty straight forward and idiot proof (unlike the admin console, good lord). The self-service thing is good, but if you plan on using it go into it knowing you'll have to redesign the login screen to make it a bit more user friendly. The reporting is okay: you can see active sessions, when a user has last logged in, which device they used, etc.

The (stupid) big issue I'm going to face going before the senior executives is that because we put it in a separate broadcast domain from the WLC, we get an IP address instead of a MAC address. This isn't a huge deal due to a magical thing named ARP, but since they won't shut the gently caress up about how important it is to be able to track a MAC address (despite how easy it is to spoof one), I'm not looking forward to having to explain why it doesn't matter that we can't view it in the ISE console.

The device profiles setting has the potential to be very powerful, especially if you give half a gently caress about your users and don't mind setting up an alternate mobile login page/AUP so that they don't have to gently caress around with the clumsy normal login page. All in all, I give it a C+. Okay, but not great.

# May 7, 2013 01:47

I think maybe my present to myself after completing the CCNP will be going to Vegas or something.

# May 14, 2013 13:39

> ragzilla posted: 5515 is rated for 15k new conn/sec, guessing that's tested in a configuration using all 4 built in interfaces (but can't find anything to support that), since this isn't bursty traffic even if you could make rxring deeper that's just going to trade decreased packet loss for latency. I'd have the security guy throttle down Nessus in this setup.

Yet another reason why Nessus is the worst thing.

# May 15, 2013 13:34

I've recently determined that anything Cisco makes that isn't a router or switch is probably terrible. Like their IPS 4200 series ~*Sensor*~s.

# May 15, 2013 19:09

Might have been linked a while back, but apparently Cisco is opening up EIGRP for multi-vendor support.

# May 15, 2013 20:55

> falz posted: Meh, stick with OSPF so you can actually be cross platform if you want to, regardless of whatever BS Cisco is saying about EIGRP being "Open".

But, but EIGRP is like a bajillion times easier to configure and maintain (in theory)!

# May 16, 2013 03:24

Since we don't have a dedicated networking thread: what are the thoughts on Ubiquiti's EdgeRouter Lite? I'm going to be pairing it with a satellite connection to support about 160 users for a DIN. In particular, I'm interested in the internal firewall and QoS support. Won't be doing anything else crazy with it, just static routes for VLAN trunking.

# May 17, 2013 14:47

Studying for ROUTE has made me so sick of OSPF.

# May 17, 2013 20:12

> Martytoof posted: Oh yeah, that one I knew. Do the high end Cats run IOS proper or is it some sort of modified environment? I gather it's IOS running on a Unix kernel or something like that, but is the admin-facing interface much different from a regular IOS switch?

Higher end Cats run IOS. It's identical to any router IOS with the addition of a bunch of switching poo poo and stuff for line cards.

# May 27, 2013 22:52

Wired has done a series of puff articles about how it's going to change networking as we know it. But, uh, at least as far as I can tell it won't change much outside of large datacenters who need that flexibility. I'm also wondering how SDN will be more efficient than an ASIC with regards to packet switching.

# May 29, 2013 17:22

> madsushi posted: SDN is about the control layer, not the forwarding layer. You're still using ASICs on your forwarding plane and that's still happening on dedicated/purpose-built switching hardware. You're not stacking a whitebox with a lot of 4-port NICs.

So it'll effectively allow you to make layer 3/4 decisions without regard to routing domain?

# May 29, 2013 18:38

> Bluecobra posted: Is per-packet load balancing necessary with 10GbE LACP port channels? I checked to see what hashing algorithm that our switches use and it is using source/destination IP, and source/destination TCP/UDP port per flow. In Linux we are setting the xmit_hash_policy to layer3+4 which generates the hash in the same fashion. On the systems we have to deal with, we will have other problems like disk I/O before a single connection saturates a 10GbE NIC.

Probably not, but 5-10 years down the line it might be necessary.
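An added example, not from any poster in the thread: a small Python model of the per-flow (layer3+4) hashing discussed above against per-packet round-robin, showing why a single connection is pinned to one member link under per-flow hashing while many flows still spread across the bundle. The hash arithmetic is a stand-in (SHA-256 over the 5-tuple), not the Linux bonding driver's actual `layer3+4` computation, and the sample flows are constructed.

```python
import hashlib

# Constructed sample flows: (src_ip, dst_ip, proto, sport, dport).
# Two hosts talking over 200 TCP connections, as on a 10GbE LACP bundle.
SAMPLE_FLOWS = [("10.0.0.1", "10.0.0.2", 6, 40000 + i, 5001) for i in range(200)]
N_MEMBERS = 2  # two 10GbE links in the port channel


def flow_hash_l34(src_ip, dst_ip, proto, sport, dport):
    """Stand-in for a layer3+4 hash: any deterministic mix of the 5-tuple.
    Not the bonding driver's arithmetic; the point is that the same
    5-tuple always yields the same value, so a flow never changes link."""
    key = f"{src_ip}|{dst_ip}|{proto}|{sport}|{dport}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big")


def pick_member_per_flow(flow, n_members=N_MEMBERS):
    """Per-flow policy: the hash of the 5-tuple chooses the member link."""
    return flow_hash_l34(*flow) % n_members


def pick_member_per_packet(packet_index, n_members=N_MEMBERS):
    """Per-packet policy: round-robin regardless of flow (may reorder packets)."""
    return packet_index % n_members


def link_load(flows, packets_per_flow, policy, n_members=N_MEMBERS):
    """Packets forwarded on each member link under 'per-flow' or 'per-packet'."""
    load = [0] * n_members
    pkt = 0
    for flow in flows:
        for _ in range(packets_per_flow):
            if policy == "per-flow":
                load[pick_member_per_flow(flow, n_members)] += 1
            else:
                load[pick_member_per_packet(pkt, n_members)] += 1
            pkt += 1
    return load


def single_flow_link_fraction(policy, n_members=N_MEMBERS):
    """Share of ONE connection's packets that land on its busiest link:
    1.0 under per-flow hashing (capped at one link's rate), 1/n per-packet."""
    one = link_load(SAMPLE_FLOWS[:1], 1000, policy, n_members)
    return max(one) / sum(one)
```

Run with a few hundred distinct flows, both links carry traffic under per-flow hashing; run with one flow, only one link does, which is the limit the post is asking about.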

# May 30, 2013 23:41

What's the opinion on Stonegates? We got two of them in for testing/deployment on a DIN and so far I've learned that the licensing process is kind of a pain in the rear end. I do like the interface a hell of a lot better than ASDM, though.

# Jun 17, 2013 15:23

I did all of my studying for ROUTE with GNS3. Going to stock up on some 2950s and maybe a 3550 for Switch.

# Jun 18, 2013 17:36

> Sepist posted: I did ROUTE before SWITCH, my reasoning was that my Layer 3 was weaker than Layer 2 so I wanted to make sure I could pass that first.

Pretty much. I figured I'd get the harder stuff that I have less experience with out of the way first.

# Jun 18, 2013 19:21

> Major Isoor posted: Really sorry if this is the wrong place to ask (although this is the dedicated Cisco thread, so I wouldn't think so!), or if this sort of question isn't kosher - if it is I'll gladly remove the offending content - but anyway, I'm currently finishing up CCNA2 as part of a Network Administration course I'm doing, and I'm just wondering about which of the final pracs is regarded as the best/simplest/quickest to do, (since I'm running out of time - I've only got a few days left, and I've got the practice+final practical, plus a bunch of Packet Tracer assignments to do) as apparently there's a bunch you can choose from and their difficulty varies a little. (or at least, that's the impression I got from friends who did CCNA2 last semester - apparently the OSPF one is particularly tricky, according to one friend)

If you're about to take the actual CCNA soon, brush up on OSPF, IPv6, access control lists, NAT, spanning-tree protocol, and VLANs/VTP.

# Jun 20, 2013 14:18