falz
Jan 29, 2005

01100110 01100001 01101100 01111010

How comparable do you consider these? One is a real router(tm) with a FIB of ~10mil and the other is a switch with ~1mil employing jackmoves to make that happen?


beepsandboops
Jan 28, 2014
I have a machine with two interfaces on different networks on my LAN, and it is trying to communicate with an EC2 instance.

We have a presence at an IX, so we have a pretty direct path to Amazon. When a ping goes out one interface, it reaches the EC2 instance fine. When a ping goes out the other, it times out.

Both interfaces have the same next hop. Why would they be taking different paths? AFAIK nothing is configured differently with their routing.

BurgerQuest
Mar 17, 2009

by Jeffrey of YOSPOS

quote:

two interfaces on different networks on my LAN

quote:

interfaces have the same next hop

Is this machine a gateway for both your LAN networks or did you mean you have two WAN interfaces on it?

beepsandboops
Jan 28, 2014

BurgerQuest posted:

Is this machine a gateway for both your LAN networks or did you mean you have two WAN interfaces on it?

Sorry, I phrased that poorly. Two interfaces on two different networks on the LAN. Once they leave the LAN, they both go to the IX, then Amazon's gateway, then seem to take completely divergent paths.

I guess my confusion is: if traffic from both of these interfaces, from Amazon's perspective, is coming from the same public IP and going to the same public IP, why would it take divergent paths, and why would one time out and the other not?

Thanks Ants
May 21, 2004

#essereFerrari


What do your route table/ACLs look like?

n0tqu1tesane
May 7, 2003

She was rubbing her ass all over my hands. They don't just do that for everyone.
Grimey Drawer

Do you have NAT set up for both networks on your router/firewall? It's possible that the NAT for the broken network could be using a different public IP, or something else is broken.

Do you have problems accessing other internet resources from the problem interface?

How do you know that they're taking different paths from your network? Where are the paths diverging?

ate shit on live tv
Feb 15, 2004

by Azathoth

falz posted:

How comparable do you consider these? One is a real router(tm) with a FIB of ~10mil and the other is a switch with ~1mil employing jackmoves to make that happen?

tbh, I don't consider the Arista comparable at all, but that is part of why I'm doing the bakeoff, so I can specifically see the consequences and be assured that I'm making the right choice.

I have seen around 5 million FIB for the MX204, but haven't gotten any numbers for the Arista. But yea, I basically just grabbed a demo unit because our sales team was offering it. It's slick to mount, so that's nice, and I generally like Arista's API/CLI/ZTP setup, so we use them for our ToR switches and for our Hadoop network.

beepsandboops
Jan 28, 2014

n0tqu1tesane posted:

Do you have NAT set up for both networks on your router/firewall? It's possible that the NAT for the broken network could be using a different public IP, or something else is broken.

Do you have problems accessing other internet resources from the problem interface?

How do you know that they're taking different paths from your network? Where are the paths diverging?

You were 100% right with NAT. I was taking the traceroute output at face value and assumed both paths went out the same public IP.

Thanks!
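As an added example (not code from any poster in this thread), here is a Python check for the two things n0tqu1tesane asked about: which public IP each LAN interface's traffic gets translated to by the source-NAT policy, and the first hop at which two traceroutes diverge. The NAT rule table and the two traceroute outputs are constructed sample data; the rule format (ordered rules, first match wins) is an assumption for illustration and not any vendor's syntax, and the hop parser assumes the bare-IP form of the constructed output (as from `traceroute -n`).

```python
"""Added example: check source-NAT mapping and traceroute divergence for two
LAN interfaces that share a next hop but behave differently."""
import ipaddress
import re

# Constructed sample source-NAT policy, ordered like a firewall rule base:
# the first rule whose source prefix contains the address wins.
NAT_RULES = [
    {"name": "guest-net",  "source": "10.20.0.0/16", "public": "203.0.113.10"},
    {"name": "server-net", "source": "10.10.5.0/24", "public": "203.0.113.20"},
    {"name": "catch-all",  "source": "0.0.0.0/0",    "public": "203.0.113.1"},
]

# Constructed traceroute output (traceroute -n style) from each interface.
# Only the hop number and the first address token on each line are used.
TRACE_ETH0 = """\
 1  192.0.2.1      0.4 ms
 2  198.51.100.9   1.2 ms
 3  198.51.100.30  2.1 ms
 4  203.0.113.77   9.8 ms
"""
TRACE_ETH1 = """\
 1  192.0.2.1      0.4 ms
 2  198.51.100.9   1.3 ms
 3  198.51.100.41  2.4 ms
 4  * * *
 5  * * *
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")


def translate_source(src_ip, rules=NAT_RULES):
    """Return (rule name, public IP) for the first rule matching src_ip.

    Returns (None, None) when no rule matches, i.e. the traffic would leave
    untranslated or be dropped, depending on the device's default policy.
    """
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if ip in ipaddress.ip_network(rule["source"], strict=False):
            return rule["name"], rule["public"]
    return None, None


def compare_interfaces(ifaces, rules=NAT_RULES):
    """Map {interface: local IP} to {interface: public IP} and report whether
    every interface is translated to the same public address."""
    mapping = {name: translate_source(ip, rules)[1] for name, ip in ifaces.items()}
    same_public_ip = len(set(mapping.values())) == 1
    return mapping, same_public_ip


def parse_hops(trace_text):
    """Parse traceroute -n output into {hop number: first address token}.
    A timed-out hop is recorded as '*'."""
    hops = {}
    for line in trace_text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops[int(m.group(1))] = m.group(2)
    return hops


def first_divergence(trace_a, trace_b):
    """Return (hop, addr_a, addr_b) for the first hop where the two traces
    differ, or None if they agree on every hop both of them list."""
    a, b = parse_hops(trace_a), parse_hops(trace_b)
    for hop in sorted(set(a) | set(b)):
        if a.get(hop) != b.get(hop):
            return hop, a.get(hop), b.get(hop)
    return None


if __name__ == "__main__":
    # Constructed local addresses for the two LAN-side interfaces.
    ifaces = {"eth0": "10.10.5.25", "eth1": "10.20.7.8"}
    mapping, same = compare_interfaces(ifaces)
    for name, public in mapping.items():
        print(f"{name} ({ifaces[name]}) -> source-NAT to {public}")
    print("same public IP for all interfaces:", same)
    print("first divergent hop:", first_divergence(TRACE_ETH0, TRACE_ETH1))
```

Run against the constructed data, the two interfaces land on different public addresses (`203.0.113.20` vs `203.0.113.10`) and the traces split at hop 3, which is the combination that makes "same next hop, different path" unsurprising: the upstream sees two different source addresses, not one. Swapping in your own NAT rule base and `traceroute -n` captures is the intended use.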

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

ate poo poo on live tv posted:

tbh, I don't consider the Arista comparable at all, but that is part of why I'm doing the bakeoff, so I can specifically see the consequences and be assured that I'm making the right choice.

I have seen around 5 million FIB for the MX204, but haven't gotten any numbers for the Arista. But yea, I basically just grabbed a demo unit because our sales team was offering it. It's slick to mount, so that's nice, and I generally like Arista's API/CLI/ZTP setup, so we use them for our ToR switches and for our Hadoop network.

The MX204 is a Trio Gen 3 aka "Eagle", which is the same as an MPC7E. Unless they gimped the 204's Eagle chipset, it's the same as an MPC7, which is 10mil.

Probably doesn't matter for your current stuff, but Gen 4 MPC10 stuff was just announced the other day too; unsure how or if that will manifest itself into another tiny godly box.

QFX10k3 on there too, which is 32x400G in 3RU, which seems nuts.

doomisland
Oct 5, 2004

400G poo poo is coming fast as far as I can tell.

MrMoo
Sep 14, 2000

OpenVPN on EdgeOS died today for some reason and it wasn't obvious why, so I replaced it with IKEv2 IPsec and it worked, and even went via IPv6. It is a good day.

Sheep
Jul 24, 2003
Bit late now, but it's worth considering WireGuard for VPNs since there's native support for EdgeOS and it's less resource-intensive than OpenVPN.

SamDabbers
May 26, 2003



You probably won't get better performance using anything but IPsec with hardware-offloaded crypto on EdgeOS platforms. WireGuard is neat, but those CPUs are pretty weak.

Thanks Ants
May 21, 2004

#essereFerrari


Has anybody looked at the Azure Virtual WAN service?

Bluecobra
Sep 11, 2001

The Future's So Bright I Gotta Wear Shades

doomisland posted:

400G poo poo is coming fast as far as I can tell.

And yet in TYOOL 2018 I can’t convince my coworkers that going single-mode is the way to go. We pay something like $300 dollars for these stupid MTP patch cables. :downs:

MrMoo
Sep 14, 2000

Thanks Ants posted:

Has anybody looked at the Azure Virtual WAN service?

Did you try it? Is it just ghetto MPLS with IPsec?

ate shit on live tv
Feb 15, 2004

by Azathoth

Bluecobra posted:

And yet in TYOOL 2018 I can’t convince my coworkers that going single-mode is the way to go. We pay something like $300 dollars for these stupid MTP patch cables. :downs:

Yea, there is the non-trivial problem of the existing multimode (OM3 maybe) fiber plant, and of course that means even if you want to start going SMF, you are going to run into compatibility issues when you lose an optic in one of the "old racks" and have to replace it with an "old optic."

Methanar
Sep 26, 2013

by the sex ghost
What's wrong with MMF?

I use it for all my trunks. Servers each get two 10G copper DACs to different switches.

Am I doing it wrong?

Partycat
Oct 25, 2004

As far as I am aware it has always been an argument of equipment costs vs plant longevity.

Nothing is wrong with MMF per se, just that its usable life for a given application is limited, based on the properties of how it works and the optics involved, and it's hard to justify costs based on future unknowns.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
There's nothing particularly wrong with MMF; however, I have seen issues with DAC cables with forward error correction. As long as your DAC and switch support Reed-Solomon forward error correction you're fine.

tortilla_chip
Jun 13, 2007

k-partite
MTP is still way cheaper than WDM or coherent for 400G.

BaseballPCHiker
Jan 16, 2006

Does anyone have any experience with any ASA to Firepower migration tools?

I just tried the Cisco one and got 400+ errors from my uploaded config. I really, really don't want to have to go through this line by line...

Slickdrac
Oct 5, 2007

Not allowed to have nice things

BaseballPCHiker posted:

Does anyone have any experience with any ASA to Firepower migration tools?

I just tried the Cisco one and got 400+ errors from my uploaded config. I really, really don't want to have to go through this line by line...

Even our Cisco rep put his hands up and said "yeah, the tool doesn't really work that great"; we ended up moving all 200 rules manually... bright side, it allowed us to clean up old rules.

Thanks Ants
May 21, 2004

#essereFerrari


Just bite the bullet and do it manually. It's a good opportunity to revisit the encryption that you might be using on tunnels, audit the rules, etc.

single-mode fiber
Dec 30, 2012

BaseballPCHiker posted:

Does anyone have any experience with any ASA to Firepower migration tools?

I just tried the Cisco one and got 400+ errors from my uploaded config. I really, really don't want to have to go through this line by line...

Done it several times with the vFMC and haven't really had any problems.

BaseballPCHiker
Jan 16, 2006

Ah hell, I guess I've got a new project now. Hooray.... Although I read that I could still run ASDM code on it and that would buy me another couple of years, but that seems like the lazy way out.

Anecdotally, what have been your experiences with the Firepower firewalls? I've read a ton of negative stuff about them, but it's hard to tell just how much of it is cranky people used to doing everything in ASDM. This rant I read actually had me slightly concerned:

https://www.reddit.com/r/networking/comments/9363af/cisco_firepower_rant/

Prescription Combs
Apr 20, 2005
That rant is very accurate. My company has started deploying them and trying to manage a fleet of them is a nightmare.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

I try not to touch firewalls wherever possible. Is Firepower Cisco's new firewall line, and if so is it an entirely different codebase than PIX? If so, congrats to them.

single-mode fiber
Dec 30, 2012

You do have to be careful with deployment; even making changes that only affect LINA and not Snort can cause an outage if something fails during deployment for any number of reasons. Not much, less than 1% for sure, but I've seen a deployment fail, redeploy with no changes (like just click into the name or description of a policy, save, redeploy), and it works the 2nd time, but you did cause a small outage while the rollback takes place. For this reason you may want to only do deployments after hours for stuff that wasn't exempted through the change control process.

Prescription Combs
Apr 20, 2005
ASAs are great. Fight me.

ElCondemn
Aug 7, 2005


falz posted:

I try not to touch firewalls wherever possible. Is Firepower Cisco's new firewall line, and if so is it an entirely different codebase than PIX? If so, congrats to them.

Firepower is just an IDS; you can integrate it with your ASA (or even get a module that fits into the ASA) to provide IPS functionality.

Prescription Combs posted:

ASAs are great. Fight me.

Considering all the alternatives, I agree.

Methanar
Sep 26, 2013

by the sex ghost
I will never be complicit in purchasing anything from Cisco that is not a router again.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k

ElCondemn posted:

Firepower is just an IDS; you can integrate it with your ASA (or even get a module that fits into the ASA) to provide IPS functionality.

Kinda sorta. The ASA is going away. The new firewall is called Firepower (e.g. Firepower 2100); it runs the FTD image despite not having anywhere near feature parity with the PIX OS code.

I try to avoid ASA now; I'm not happy with the integration with Firepower. Plus once you become comfortable with a Palo Alto there's no going back.

Edit: Also, I have had to reload the Sourcefire image due to a corrupt DB more times than I wish to count.

Sepist fucked around with this message at 22:32 on Aug 31, 2018

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

Methanar posted:

I will never be complicit in purchasing anything from Cisco that is not a router again.

What's wrong with their switches?

Methanar
Sep 26, 2013

by the sex ghost

MF_James posted:

What's wrong with their switches?

Arista exists.

Docjowles
Apr 9, 2009

We’ve rebuilt our data center network around Arista and I love it to death.

To be fair, we were coming from Brocade/Foundry ICX and CER products. So like, D-Link gear and support would have probably felt like an upgrade, too. But Arista has been very good to work with! Both technically and personally.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

Haven't had the opportunity to work with Arista, all Cisco and then garbage barely above consumer-grade stuff, and a single Brocade switch.... holy gently caress, why do you steal 99% of Cisco terminology and then make trunk ports NOT TRUNK PORTS!! Maybe Cisco stole their terms, I dunno, but drat was that annoying.

Docjowles
Apr 9, 2009

No, Brocade is bad and you are correct for being mad at how awful they are to work with :black101:

Edit: Brocade did eventually kill off the trunk term and start using "lag". But now their IP has been sold yet again and is basically dead, so who cares.

And I still hate the way they do VLAN tagging vs Cisco/Arista. But I'm willing to chalk that up to personal preference.

Docjowles fucked around with this message at 00:39 on Sep 1, 2018

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

Docjowles posted:

No, Brocade is bad and you are correct for being mad at how awful they are to work with :black101:

Our client that uses it is bad and awful and we should drop them, but MSP lyfe, so it is very fitting they use it.


falz
Jan 29, 2005

01100110 01100001 01101100 01111010

ElCondemn posted:

Firepower is just an IDS; you can integrate it with your ASA (or even get a module that fits into the ASA) to provide IPS functionality.


Sepist posted:

Kinda sorta. The ASA is going away. The new firewall is called Firepower (e.g. Firepower 2100); it runs the FTD image despite not having anywhere near feature parity with the PIX OS code.

Sooo not yet, but it will replace PIX OS. Is it an acquisition?
