|
If you want the features of Sec+, you're better off getting a 5515-X from the get-go. You get slightly better performance and it includes Sec+. The 5512-X fills the price gap if you don't want/need Sec+. e: 5512-X ($4295), Sec+ ($1000) = $5295. 5515-X ($5295). That's MSRP. Richard Noggin fucked around with this message at 17:38 on Feb 24, 2015 |
# ? Feb 24, 2015 17:30 |
|
|
# ? May 31, 2024 11:02 |
|
5505s will be getting dirt cheap(er?) when the 5506 drops.
|
# ? Feb 24, 2015 17:41 |
|
Ahdinko posted:and will work in active/active Not if you want VPNs, active/active needs multiple contexts which restrict VPN usage.
|
# ? Feb 24, 2015 17:50 |
|
DeNofa posted:5505s will be getting dirt cheap(er?) when the 5506 drops. I wouldn't buy a 5505 at this point. You're better off with an 891F.
|
# ? Feb 24, 2015 17:54 |
|
Richard Noggin posted:I wouldn't buy a 5505 at this point. You're better off with an 891F. I do hate the ASA, so I'd agree if you just need something to terminate some simple VPNs. But you're doing heavy firewallin'/IPSin' or fancy AnyConnect stuff, ASA is the way to go.
|
# ? Feb 24, 2015 18:29 |
|
BurgerQuest posted:He means Fortigate. Only if you want something full of holes (same goes for Palo). Get a Check Point.
|
# ? Feb 24, 2015 18:45 |
|
ior posted:Only if you want something full of holes (same goes for Palo). Get a Check Point. Nooooooo. Don't utter its name! It gets stronger if you say its name!
|
# ? Feb 24, 2015 20:34 |
|
ior posted:Only if you want something full of holes (same goes for Palo). Get a Check Point. No way man, <your preferred vendor> is full of holes! It has been a good few pages since the last firewall chat, certainly there has never been consensus in the past and you won't get one now. As always, you can't underestimate the value of going with the one you're most familiar with or can get good support for.
|
# ? Feb 24, 2015 22:14 |
|
I would hope my firewall was full of holes, otherwise it would overheat!
|
# ? Feb 24, 2015 22:37 |
|
I've been having the worst networking issues with VMware Fusion, and I've been blaming VMware and Apple for probably two years. It seems the issue might have something to do with Cisco, as well The connection on a Guest system would seem to just "die". It sometimes started back up. Sometimes I had to disable & re-enable networking to get it working again... But then it would just "fail" after a few moments. The issue? ARP collisions with a Host machine MAC and Guest machine MAC. I finally checked our firewall/router and noticed the ARP Collision logs recorded every time the network seemed to "die" on the guest. Device: Cisco ASA 5550, IOS 9.1(2) Host IP: 10.0.0.111, MAC: a.a.a.1111 Guest IP: 10.0.0.222, MAC: b.b.b.2222 Logs are filled with this: code:
How do I best tackle this? We need Bridged networking to get IPs for the guest systems. Xenomorph fucked around with this message at 00:05 on Feb 25, 2015 |
# ? Feb 24, 2015 22:38 |
|
Ahdinko posted:I don't know about any of the ones you mentioned since I've never used them, but since you're asking in the Cisco thread, what about two ASA 5512-X's for your main office, and maybe a 5505 or a single 5512-x for your other office? 5506 is shipping now and has SourceFire integrated. There will be a model with a built in AP that can run standalone or lightweight very shortly.
|
# ? Feb 24, 2015 22:56 |
|
BurgerQuest posted:No way man, <your preferred vendor> is full of holes! Do realize I am trolling. I have my preferences but wont discuss them in a forum, nothing good will come of it
|
# ? Feb 24, 2015 23:12 |
|
Two SRXs in a cluster
|
# ? Feb 25, 2015 00:42 |
|
So who's doing Cisco Collab? How are you tracking licenses to users? It's too easy to add a device for a user or "user" and boom, pay Cisco more money. What's the scoop with Jabber and being able to have a video conference or such? Still WebEx on-prem? Partycat fucked around with this message at 20:05 on Feb 25, 2015 |
# ? Feb 25, 2015 02:41 |
|
goobernoodles posted:Reposting from the general IT thread: Have you take a peek at the Meraki stuff? I have no idea on the pricing compares to the other stuff you've been looking at, but it is pretty simple stuff for small operation as long as you don't mind keeping things on maintenance.
|
# ? Feb 26, 2015 21:40 |
|
You know what really grinds my gears? Cisco's price manipulation. At launch, they had a 10 unit license of FireSIGHT that was something like $10k. It was also required for single deployments. That pushed a lot of smaller shops who wanted next-gen stuff back to the CX line, which just got EOL'ed (along with PRSM). Now, Cisco has 2 unit FireSIGHT licenses for like $1k (list), and they have removed the requirement for FireSIGHT for single unit deployments now that ASDM 7.3.3 supports it natively. I"m guessing they kept the prices high to recoup costs thanks to early adopters, and squeezed every last ounce from the CX line. EOL the CX, drop the FireSIGHT price considerably, and watch everyone who recently bought CX use the trade-up program to get at best, 20% off FireSIGHT.
|
# ? Feb 27, 2015 15:24 |
|
I'm working with an old AIR-LAP1042N that I've cross-flashed to act as a standalone AP. Is there a good "for dummies" thing on how to configure an AP from the CLI? I swear I've gone through the official Cisco docs five or six times but something about the way they're laid out just isn't making it clear for me. Essentially I'm trying to do the following: Set up Gig0 as a VLAN trunk, then I'd use the following VLANs: 30: Private WiFi 40: Guest WiFi 99: Management I'm trying to associate 30 and 40 to the Dot11Radio, but then I'm trying to give the base AP an IP on the 99 VLAN. My understanding is that I need a BVI interface on that VLAN, however the docs seem to indicate that BVI has to be on a VLAN that's associated with a Dot11Radio? I can't believe that's the case so I'm obviously misreading something somewhere. I imagine this is really simple but for some reason this is evading me. I consider myself fairly strong on the Cisco front so I can't really explain what it is. Eventually I'll want to set up all three of the APs around the house and get them meshed but right now I'll settle just to get one up and running edit: I know thee have a Web UI but that thing is seriously on the shortlist to being the worst WebUI I've ever used. Just pretending it doesn't exist. some kinda jackal fucked around with this message at 02:10 on Feb 28, 2015 |
# ? Feb 28, 2015 02:08 |
|
Bridge vlan 30 and 40 between g0 and the radio interface. Use a SVI for the management vlan 99.
|
# ? Feb 28, 2015 08:02 |
|
Martytoof posted:I'm working with an old AIR-LAP1042N that I've cross-flashed to act as a standalone AP. I might be able to pull a config that's close enough to what you want on Monday, if you're still having problems doing what you want.
|
# ? Mar 1, 2015 21:35 |
|
Yeah, I've got the radios bridged to the right dot1q gig0 subifs, but I haven't really had time to debug thoroughly why it isn't working properly. If you have a config handy that would be cool, otherwise I'll hammer on it a littler more next weekend.
|
# ? Mar 2, 2015 04:01 |
|
We had some 1042Ns out there configured as standalone at one point, but all I can find now are some 1242s running as wireless bridges. Everything else has been converted over to controller based. Did locate a newer 702N standalone, and from what I can remember, the configuration should be close enough. This is just a single data vlan with a separate management vlan. code:
|
# ? Mar 2, 2015 22:38 |
|
Thanks! I'll try to throw that on one of my APs tomorrow. Maybe I missed this because I skimmed the reply on my phone but how does BVI1 know which vlan to use? I presume that it needs to know which subif it's going to use to communicate on.
|
# ? Mar 3, 2015 00:14 |
|
The vlan is specified using the encapsulation dot1q command in the sub interfaces that are associated with the bvi. Looking at it again I'm pretty sure that IP address wouldn't be reachable as nothing is allocated to bridge group 1. chestnut santabag fucked around with this message at 04:08 on Mar 3, 2015 |
# ? Mar 3, 2015 04:01 |
|
Hmm, so can I just create a BVI99 and bridge that to Gig0.99? Going to try this out tomorrow, thanks again for the example though.
|
# ? Mar 3, 2015 05:45 |
|
I'm not sure why you'd bridge the management to the radio interface.
|
# ? Mar 3, 2015 05:46 |
|
tortilla_chip posted:I'm not sure why you'd bridge the management to the radio interface. I wouldn't; Gig0.99 would be the subif of my ethernet trunk. Maybe you're thinking of Dot11Radio0.99?
|
# ? Mar 3, 2015 05:58 |
|
Should have quoted, was referring to the example above.
|
# ? Mar 3, 2015 18:29 |
|
I'm going to shill for Opengear because I just bought two of their IM72xx boxes and holy crap are they the coolest purchase I've made in a while. They are console servers with up to 48 ports with software-configurable pinouts. They have dual network, wifi, 56K, and LTE capability. For any of those interfaces, you can assign static IPs or they can update DNS or dyn-dns. They can VPN out over any connection. The 4g connection can be always on, or you can SMS them a "WAKEUP123" message to make them connect only in a network-down situation. They can save console data to internal syslog storage or send it to an external server. They can do IP passthrough and forwarding, so you can RDP or VNC to a server through the out of band networks. They work as Nagios distributed monitors. Then beyond that, they are infrastructure managers as well. They interface with environment sensors, control switched PDUs, and monitor UPSes. You can actually tie a console port together with switched PDUs into a unified view of a managed device. They even have a GPS antenna and can output an NMEA data stream from GPS or (I think) cell if you want an internal stratum 1 time source. Seriously loving cool stuff compared to the Avocents or Lantronix boxes I used at former jobs, and I think I'm still just scratching the surface of their capabilities so far. KS fucked around with this message at 05:51 on Mar 5, 2015 |
# ? Mar 5, 2015 05:45 |
|
Theyre running linux so you can drop to shell and do some other crap. I believe we have one set up with bonding between its two ethernet ports.
|
# ? Mar 5, 2015 06:49 |
|
ragzilla posted:This pains me to even suggest it- but I wonder if enabling directed broadcast on the interfaces, then setting helper addresses to both other subnet broadcast addresses would work. It looks like 137/138 are supported by default. Funny enough, this solution was literally mentioned by Jeremy Cioara in the latest CCNP SWITCH course as a work-around where he encountered a very similar NetBIOS issue. Speaking of CCNP SWITCH - I destroyed my home lab with a nasty broadcast loop, and I just want to make sure I understand the cause. This my home topology: Basically I started turning all my po interfaces off so that I could gently caress around with some STP stuff. I started with my two 2950s, which had this running config: code:
code:
code:
code:
Here's where I think I hosed up. I had added an additional trunk between 3550t and 3550b that was not on my topology, at fa0/13 on both switches. When I went to remove port fa0/23 from the port-channel on 3550b, since link aggregation was just "on" and not using LACP, my other 3550 was still pumping out packets through fa0/23 without really caring. Am I on the right track? Here's what happened from the perspective of 3550b: code:
|
# ? Mar 6, 2015 03:07 |
|
sudo rm -rf posted:Port channels If I'm understanding this right, yes it is a downside of configuring it as channel-group mode on (which you should only have to ever configure if youve got a device on the other end which doesnt do LACP/PagP but hey its the 2015), but ultimately it sounds like an STP misconfiguration. At 3550b, once you did no channel-group under fa0/23, it would taken that link out of the bundle and seen fa0/23 as a second link to get to 3550t and spanning tree should have blocked it, unless it was the root in which case it wouldnt block the link and 3550t would still see it as a single logical link and so would just keep running traffic down it? Ahdinko fucked around with this message at 12:57 on Mar 6, 2015 |
# ? Mar 6, 2015 12:50 |
|
Just as a thought experiment, how would you guys block p2p / bittorrent traffic? A customer of mine got a copyright nastygram and asked me for advice. I can't think of any particularly effective ways to do it that aren't bandaids on the Titanic.
|
# ? Mar 6, 2015 22:18 |
|
CrazyLittle posted:Just as a thought experiment, how would you guys block p2p / bittorrent traffic? A customer of mine got a copyright nastygram and asked me for advice. I can't think of any particularly effective ways to do it that aren't bandaids on the Titanic. Use a firewall from $RANDOM-NGFW-MANUFACTURER to block it.
|
# ? Mar 6, 2015 22:57 |
|
CrazyLittle posted:Just as a thought experiment, how would you guys block p2p / bittorrent traffic? A customer of mine got a copyright nastygram and asked me for advice. I can't think of any particularly effective ways to do it that aren't bandaids on the Titanic. Block everything outbound except for explicitly allowed ports.
|
# ? Mar 6, 2015 23:10 |
|
ragzilla posted:Block everything outbound except for explicitly allowed ports. Sounds like a way to get called about every ticky tack service anybody wants to use.
|
# ? Mar 6, 2015 23:27 |
|
Get a fancy "next gen" firewall?
|
# ? Mar 7, 2015 00:04 |
|
Don't most of the nextgen firewalls just use NBAR to recognize P2P traffic? An encrypted Bittorrent session should be unrecognizable to NBAR. For the customers I have had request blocking but refuse to spend any money, I went the ACL route. Before you put it in place, you need to be completely clear with them that it may interfere with some legitimate traffic. I permit udp 53, tcp 25,80,110,143,443,587,993,995, and icmp.
|
# ? Mar 7, 2015 00:23 |
|
Filthy Lucre posted:Don't most of the nextgen firewalls just use NBAR to recognize P2P traffic? An encrypted Bittorrent session should be unrecognizable to NBAR. Your approach is the surefire way to do it (whitelist approach) if you only have a L4 firewall or router to work with. As you mentioned, there are legitimate uses for Bitorrent like digital distribution of video games that users will probably expect access to, though there are ways to turn p2p behavior off in most clients. Technically NBAR is a Cisco technology, other vendors call it different things, at the end of the day it is just recognizing signatures in packet data to classify flows into an application. How good the product is is completely dependent on how non-lazy the guys who come up with the protocol descriptions/signatures are. Palo Alto in particular also has some dynamic intelligence baked in, costs extra though. Palo Alto Networks claims to use heuristic analysis to be able to police even encrypted Bittorrent sessions. They are a new partner of ours so I haven't been able to dig into their technology much at this point to know the truth. I am guessing any intelligent system would correlate users transacting with things that could be known/static like Bittorrent tracker servers with large flows, but just my speculation. Any IDS/IPS will alarm on BitTorrent. From there you can deal with it on a user-by-user basis, I have seen that handled that way in the past in the enterprise space. Depending on the size of the organization and how much of heathens your users are that may or may not be possible. Host-based approaches can work as well - think MDM, host-based security (Symantec Endpoint), maybe even Windows Group Policy/Firewall. Not an expert on any of those things but I am sure each of them can shut down torrent clients before they even get installed if the machine is corporate owned. If not you are left with any of the network based approaches discussed, with the whitelist method Lucre mentioned the cheapest and most effective.
|
# ? Mar 7, 2015 03:10 |
|
Filthy Lucre posted:Don't most of the nextgen firewalls just use NBAR to recognize P2P traffic? An encrypted Bittorrent session should be unrecognizable to NBAR. I cant speak specifically about how $MY_PREFFERED_NGFW_VENDOR detects BT but I have had 100% success in blocking both newly started and actively running torrents (encrypted and non encrypted) with their 'NBAR'.
|
# ? Mar 7, 2015 11:19 |
|
|
# ? May 31, 2024 11:02 |
|
I'm officially starting to study for my CCENT/CCNA at the end of the month, and I've got a 2620xm and 2950 so far. My 2620 only has one fast Ethernet port though, so I'll need to install a card in one of my empty slots to run my internet through it. What card model number should I be looking to buy and is installing it as easy as fitting it in the empty slot and doing some configuration? I'm completely green to Cisco so I'm trying to figure this stuff out before I'm knee deep in course material. E: it's looking like I could get away with a NM-1FE-TX yeah? crunk dork fucked around with this message at 21:35 on Mar 7, 2015 |
# ? Mar 7, 2015 20:56 |