MF_James posted: Yeah pfsense is fine if you want something at home and don't mind tinkering; heck maybe even in a small business, but I'd still be hesitant due to lack of proper support, I'd rather roll a sonicwall.

Netgate offers paid support with an SLA for pfsense. Anybody have any experience with that? I'm not disputing that it's better to avoid pfsense in larger networks with higher stakes; just curious about how their support compares to that of the major players.

# ? Aug 3, 2019 14:14

# ? Jun 10, 2024 12:45

Kazinsal posted: FTDs? No issues.

That's a first.

# ? Aug 3, 2019 21:36

single-mode fiber posted: That's a first

Well, okay, I have other issues with Firepower. Speaking of, the galaxy brain powers that be bought FTD 21somethings for our new head office and I look forward to taking two weeks' vacation when that site gets lit up.

# ? Aug 4, 2019 01:57

I added firepower alerts for our “security analyst”. Not sure what exactly they do but it definitely doesn’t involve even sending the service desk tickets about potentially dangerous machines on our network. They do send out fake phishing campaigns every couple weeks.

# ? Aug 5, 2019 03:49

Thanks FS, 2674 in stock in your "NY warehouse", and you ship my transceivers from Shanghai. On a side note, these dropped to $59 a pop vs the $380 each I paid in 2017.

# ? Aug 6, 2019 21:40

Is there a good primer out on the internet for understanding SFP+? I understand that you put transceivers in the ports and that transceivers can have different properties, but there's also apparently vendor lockout?

# ? Aug 12, 2019 05:09

I'm not sure if there's really a primer so to speak but the vendor lock-in is pretty straightforward. The EEPROM on an SFP has a section in it that holds things like the vendor OUI and name string. IOS will check against that and reject SFPs that aren't theirs (unless you turn on service unsupported-transceiver, you monster). Finisar helpfully publishes a condensed version of the memory map used on SFP and SFP+ modules (https://www.finisar.com/sites/default/files/resources/an-2030_ddmi_for_sfp_rev_e2-20140404_updated.pdf). I think QSFP and related use a different memory map; SFP28 uses the SFP/SFP+ map.

# ? Aug 12, 2019 05:32

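The EEPROM fields described in the post above can be decoded directly. What follows is an added example, not code from the thread or from Finisar: it reads the SFF-8472 A0h base page (the layout the Finisar note condenses), pulls out the vendor name, OUI, part number, revision and serial, verifies the two checksum bytes, and compares the module against a list of what you actually stocked. The vendor strings, OUI and part numbers in the sample image are constructed placeholders, and `build_sample_page` exists only so the example runs offline; on Linux a real page can be dumped with `ethtool -m <iface> raw on`.

```python
"""Decode the vendor identity fields of an SFP/SFP+ module EEPROM (A0h page).

Added example; not code from the thread or from Finisar. Offsets follow
the SFF-8472 base ID fields that the Finisar note condenses:
  20-35  vendor name (ASCII, space padded)
  37-39  vendor OUI
  40-55  vendor part number
  56-59  vendor revision
  63     CC_BASE: low 8 bits of the sum of bytes 0..62
  68-83  vendor serial number
  95     CC_EXT:  low 8 bits of the sum of bytes 64..94
"""
from dataclasses import dataclass


@dataclass
class SfpIdentity:
    vendor_name: str
    vendor_oui: str
    part_number: str
    revision: str
    serial: str
    checksum_ok: bool


def _field(page: bytes, start: int, end: int) -> str:
    """ASCII field with trailing space/NUL padding removed."""
    return page[start:end].decode("ascii", errors="replace").rstrip(" \x00")


def parse_a0h(page: bytes) -> SfpIdentity:
    """Parse the first 96 bytes of the A0h page (base ID + extended ID)."""
    if len(page) < 96:
        raise ValueError("A0h page must be at least 96 bytes")
    cc_base_ok = (sum(page[0:63]) & 0xFF) == page[63]
    cc_ext_ok = (sum(page[64:95]) & 0xFF) == page[95]
    return SfpIdentity(
        vendor_name=_field(page, 20, 36),
        vendor_oui=page[37:40].hex(":").upper(),
        part_number=_field(page, 40, 56),
        revision=_field(page, 56, 60),
        serial=_field(page, 68, 84),
        checksum_ok=cc_base_ok and cc_ext_ok,
    )


def classify(ident: SfpIdentity, approved: set) -> str:
    """Inventory check against (vendor name, part number) pairs you stocked.

    A bad checksum means a damaged or half-written EEPROM. A match only
    says the module *claims* that identity: a re-flashed module carries
    valid checksums too, so treat this as inventory, not provenance.
    """
    if not ident.checksum_ok:
        return "corrupt-eeprom"
    if (ident.vendor_name, ident.part_number) in approved:
        return "approved"
    return "unlisted"


def build_sample_page(vendor: str, oui: bytes, pn: str, rev: str, sn: str) -> bytes:
    """Constructed sample EEPROM image so the example runs offline (placeholder values)."""
    page = bytearray(96)
    page[0] = 0x03                                   # identifier: SFP/SFP+
    page[20:36] = vendor.encode("ascii").ljust(16)[:16]
    page[37:40] = oui[:3].ljust(3, b"\x00")
    page[40:56] = pn.encode("ascii").ljust(16)[:16]
    page[56:60] = rev.encode("ascii").ljust(4)[:4]
    page[63] = sum(page[0:63]) & 0xFF                # CC_BASE
    page[68:84] = sn.encode("ascii").ljust(16)[:16]
    page[95] = sum(page[64:95]) & 0xFF               # CC_EXT
    return bytes(page)


if __name__ == "__main__":
    # Placeholder vendor/part values, not a real manufacturer.
    approved = {("EXAMPLE-OPTICS", "EX-10G-LR-PLHLDR")}
    page = build_sample_page("EXAMPLE-OPTICS", b"\x00\x11\x22",
                             "EX-10G-LR-PLHLDR", "A1", "EX0000000001")
    ident = parse_a0h(page)
    print(ident, classify(ident, approved))
```

The checksum bytes only catch corruption. As the thread itself notes, third-party modules can be flashed with a first-party part number and will pass this check, so a matching vendor string is an inventory signal for your own stock, not proof of where the module came from.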
Ah. That explains why fs.com has a "compatibility" selection. I'm sure the answer is "it depends on the company/product" but how common is vendor lock-in for SFP+ transceivers? I know Cisco does it from reading this thread, but have others gotten into it as well?

# ? Aug 12, 2019 06:47

Lots of vendors will throw up warnings about incompatible transceivers. I just buy ones from FS.com flashed with a legit part number so the switch doesn't complain and so it doesn't show up in tech support diagnostic data giving people an easy way out of your ticket, and then keep a couple of legit ones on hand for troubleshooting if required.

# ? Aug 12, 2019 11:30

If you're in an environment that has hardware from multiple vendors, ease your stocking by getting programmable transceivers from flexoptics or similar. Fiberstore may also have a box like this now as well. Keep a few first-party optics around for support cases.

# ? Aug 12, 2019 12:29

Actuarial Fables posted: I'm sure the answer is "it depends on the company/product" but how common is vendor lock-in for SFP+ transceivers? I know Cisco does it from reading this thread, but have others gotten into it as well?

Arista also does lockout but it's a little more annoying. You have to email their support and they will provide you an unlock key tied to your organization.

# ? Aug 12, 2019 13:11

Thanks Ants posted: Lots of vendors will throw up warnings about incompatible transceivers. I just buy ones from FS.com flashed with a legit part number so the switch doesn't complain and so it doesn't show up in tech support diagnostic data giving people an easy way out of your ticket, and then keep a couple of legit ones on hand for troubleshooting if required.

Also "service unsupported-transceiver" and "no errdisable detect cause gbic-invalid" are your friends. I've never actually needed to use my Cisco optics, but we also have one of each set just in case TAC tries to wriggle out of providing support.

Nuclearmonkee fucked around with this message at 17:45 on Aug 12, 2019

# ? Aug 12, 2019 17:43

My boss is too cowardly to let me use non-Cisco transceivers. We've probably spent £20-30k in the last year on 10gig and 1gig SFPs. I've got about 25 1gig transceivers that our ISP sends out with their NTUs that they never bother to collect sitting in a drawer.

# ? Aug 12, 2019 18:01

Nuclearmonkee posted: I've never actually needed to use my Cisco optics but we also have one of each set just in case TAC tries to wriggle out of providing support.

Has anyone here ever had a TAC engineer actually refuse to provide support (or argue with you about it, at least) to a system with 3rd party optics when not seeing any symptoms pointing to the optics? I was a TAC engineer a while back and I wasn't told to do that, and I never saw anyone else do that. We were told to troubleshoot normally and only suggest swapping optics with a specific reason to. I'm not saying it doesn't happen, there could be some policy for other products I didn't work with or things might have changed at some point, but curious to know if it's an "abundance of caution" thing or an "I've been burned by this" thing.

# ? Aug 12, 2019 22:02

Eletriarnation posted: Has anyone here ever had a TAC engineer actually refuse to provide support (or argue with you about it, at least) to a system with 3rd party optics when not seeing any symptoms pointing to the optics? I was a TAC engineer a while back and I wasn't told to do that, and I never saw anyone else do that. We were told to troubleshoot normally and only suggest swapping optics with a specific reason to.

I feel like it's an old wives' tale at this point.

# ? Aug 12, 2019 22:25

Eletriarnation posted: Has anyone here ever had a TAC engineer actually refuse to provide support (or argue with you about it, at least) to a system with 3rd party optics when not seeing any symptoms pointing to the optics? I was a TAC engineer a while back and I wasn't told to do that, and I never saw anyone else do that. We were told to troubleshoot normally and only suggest swapping optics with a specific reason to.

Yes

# ? Aug 12, 2019 22:38

We had an issue with some Brocade switches where duplicate MAC addresses on the network would cause the device to crash and reboot in a loop. They absolutely tried to pin it on third party optics lol.

# ? Aug 12, 2019 22:48

Eletriarnation posted: Has anyone here ever had a TAC engineer actually refuse to provide support (or argue with you about it, at least) to a system with 3rd party optics when not seeing any symptoms pointing to the optics? I was a TAC engineer a while back and I wasn't told to do that, and I never saw anyone else do that. We were told to troubleshoot normally and only suggest swapping optics with a specific reason to.

Yes. Always buy programmable optics!

# ? Aug 13, 2019 00:55

Docjowles posted: We had an issue with some Brocade switches where duplicate MAC addresses on the network would cause the device to crash and reboot in a loop. They absolutely tried to pin it on third party optics lol.

# ? Aug 13, 2019 01:32

Eletriarnation posted: Has anyone here ever had a TAC engineer actually refuse to provide support (or argue with you about it, at least) to a system with 3rd party optics when not seeing any symptoms pointing to the optics? I was a TAC engineer a while back and I wasn't told to do that, and I never saw anyone else do that. We were told to troubleshoot normally and only suggest swapping optics with a specific reason to.

We've had this happen before, and to be fair to Cisco the optics that we were using definitely were at a very low power level; we'd get low threshold warnings quite a bit on the particular interface. Still, they looked at that, the low power, and said fix that first. While it was an issue, it wasn't the issue, ultimately.

# ? Aug 13, 2019 16:39

Can a Cisco device syslog to the same IP twice but on different ports? I have a want/need to condense 2 syslog "servers" (aka Windows 7 workstations set up by my predecessor) and I'd prefer to just have one listen on something like UDP/1025 while the other listens on UDP/514, but I'm not sure if that will actually work; the other option is obviously to give the new VM 2 IP addresses and just have each one listen on its own IP.

# ? Aug 13, 2019 19:12

It can't be done in IOS-XR (edit: 6.2.25 specifically). I tried it, and you'll just overwrite your existing entry for that host.

Eletriarnation fucked around with this message at 19:33 on Aug 13, 2019

# ? Aug 13, 2019 19:28

MF_James posted: Can a Cisco device syslog to the same IP twice but on different ports?

[code block not preserved in the extracted page]

# ? Aug 13, 2019 19:30

MF_James posted: Can a Cisco device syslog to the same IP twice but on different ports?

Just my two cents since I did something very similar a few weeks ago. I ended up giving the VM 2 NICs and having our syslog servers listen on both. I didn't spend a ton of time troubleshooting, but I was never able to get the software to listen on different ports on 1 IP. This very well could have been a limitation of our syslog software, but I didn't want to sink any more time into the project, and the 2 vNICs have worked well enough. Your mileage may vary.

# ? Aug 13, 2019 19:30

Cool, yeah, I dropped the commands in and they worked, but I wasn't sure if it would actually happen. Then I realized I could set it to use TCP and just cap the traffic and see if it actually is sending log messages. I didn't get a lot of sleep last night, OK!

# ? Aug 13, 2019 19:43

MF_James posted: Can a Cisco device syslog to the same IP twice but on different ports?

Use samplicator.

# ? Aug 13, 2019 23:20

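Samplicator, suggested just above, is the usual tool for this problem. As an added example (not samplicator's code and not from any post in the thread), the following Python replicator does the same job in outline: every switch and router gets a single `logging host` entry pointing at the replicator, which copies each datagram to every collector, so the one-entry-per-host limitation Eletriarnation hit in IOS-XR never comes into play. It also parses the `<PRI>` header so messages below a severity threshold can be dropped before fan-out. The listener and collector addresses are placeholders, and the Cisco-style sample messages in the test are constructed.

```python
"""Fan one UDP syslog stream out to several collectors, samplicator-style.

Added example; not samplicator's code and not from the thread. Devices
send to one address (the replicator), which copies each datagram to
every entry in FORWARD_TO. Addresses and ports are placeholders.
"""
import re
import socketserver

FORWARD_TO = [("127.0.0.1", 1025), ("127.0.0.1", 1026)]   # placeholder collectors
LISTEN_ON = ("0.0.0.0", 514)                              # placeholder listener

# RFC 3164/5424 messages start with <PRI>, where PRI = facility * 8 + severity.
_PRI_RE = re.compile(rb"^<(\d{1,3})>")
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_pri(datagram: bytes):
    """Return (facility, severity) from the <PRI> header, or None if it is malformed."""
    m = _PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:          # facility 23 (local7), severity 7 (debug) is the maximum
        return None
    return divmod(pri, 8)


def should_forward(datagram: bytes, max_severity: int = 7) -> bool:
    """Drop datagrams with no valid PRI, and anything less severe than max_severity."""
    parsed = parse_pri(datagram)
    return parsed is not None and parsed[1] <= max_severity


def replicate(datagram: bytes, send, destinations, max_severity: int = 7) -> int:
    """Copy one datagram to every destination via send(data, addr); return copies sent."""
    if not should_forward(datagram, max_severity):
        return 0
    for dest in destinations:
        send(datagram, dest)
    return len(destinations)


class Replicator(socketserver.BaseRequestHandler):
    def handle(self):
        data, sock = self.request          # for UDPServer: (payload bytes, socket)
        replicate(data, sock.sendto, FORWARD_TO)


def serve(bind=LISTEN_ON):
    """Run the replicator until interrupted (needs privileges to bind 514)."""
    with socketserver.UDPServer(bind, Replicator) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

The collectors will see the replicator's address as the UDP source, not the router's; samplicator can optionally spoof the original source address, which this example does not do, so key the collectors on the hostname inside the message rather than on the packet source.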
What are some cheap options for syslog software? We did the free trial of kiwi and it seems fine, haven’t really looked into anything else. I think it’s only like $250 so I assume it’s hard to beat price-wise, but I’m curious what other people prefer.

# ? Aug 13, 2019 23:44

rsyslog

# ? Aug 13, 2019 23:46

Are you specifically looking for a Windows syslog server? rsyslogd is generally used on Linux and is free.

# ? Aug 13, 2019 23:47

falz posted: Are you specifically looking for a Windows syslog server?

Hmm, maybe I’ll try to replace the syslog server I had our system guys build with a Linux box then. They built me a Windows box but if it’s free I can probably change that. I have no attachment to OS for this. Thanks

# ? Aug 13, 2019 23:49

falz posted: If you're an environment that has hardware from multiple vendors, ease your stocking by getting programmable transceivers from flexoptics or similar. Fiberstore may also have a box like this now as well.

Also in the programmable game is Solid-Optics, https://solid-optics.com and then Fiberstore FS is trying to get into the same thing but getting their programming box is kind of a bunch of bullshit.

# ? Aug 14, 2019 00:00

Thanks for the info about SFP, everyone. I have a much stronger understanding of what it's all about now. Maybe one day I'll actually get to apply this information beyond building theoretical networks.

# ? Aug 14, 2019 00:07

Tetramin posted: Hmm maybe I’ll try to replace the syslog server I had our system guys build with a Linux box then. They built me a windows box but if it’s free I can probably change that. I have no attachment to OS for this.

We're testing out Graylog at the moment, seems pretty good.

# ? Aug 14, 2019 09:59

Has anybody ever touched BGP on Sonicwalls? I know this is a weird match up but it's what the client has, and this is only for a VPN tunnel to Azure rather than anything stupid. Underneath it all it's ZebOS and all the configuration is done in the CLI anyway so the fact it's a Sonicwall sitting on top shouldn't make a huge difference. As far as I can see the BGP relationship is working fine - ZebOS says it can see the Azure side of the connection (I got an error when I typo'd the remote AS so I'm pretty sure that both sides are talking to each other), but I never see any routes from Azure. There's not a huge amount of stuff online about BGP on Sonicwalls and Azure, but there's a few bits of documentation about doing HA VPN tunnels to AWS and the configuration is very similar. I've also had a look at other platforms that use ZebOS (F5) and the configuration doesn't reveal any huge differences. This is the config I have currently:

[config blocks not preserved in the extracted page]

# ? Aug 29, 2019 21:44

I know fuckall about Azure so this might not be applicable. But in AWS you need to set a property on your route tables before they will actually be advertised out through BGP. It could be something similar is going on for you? https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html#EnableDisableRouteProp

# ? Aug 29, 2019 21:58

Thanks Ants posted: 0 accepted prefixes, maximum limit 10

It looks like 65515 isn't advertising the routes (or 64514 has a filter that wasn't in your post). What's the BGP config for that side?

# ? Aug 29, 2019 22:23

I can't see that bit; it's on the Azure remote gateway configuration and abstracted away.

Edit: Trawling through the documentation again shows that eBGP multihop needs to be enabled. I configured that for the neighbour and the prefix appeared almost immediately. https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-resource-manager-ps

Helps to bounce stuff off people. I'll get round to documenting this for work and then I'll post a redacted version somewhere so people can get this set up in less than four hours.

Thanks Ants fucked around with this message at 22:37 on Aug 29, 2019

# ? Aug 29, 2019 22:26

CrazyLittle posted: Also in the programmable game is Solid-Optics, https://solid-optics.com and then Fiberstore FS is trying to get into the same thing but getting their programming box is kind of a bunch of bullshit.

https://www.fs.com/products/75866.html I really don't have a need for it, but this is pretty cool looking. You have issues with it?

# ? Aug 29, 2019 22:59

Not sure if this is the place for this question, since I’m dealing with Cisco software. I work in radiology, and I’m trying to work from home occasionally. We connect to our hospital network through the Cisco AnyConnect VPN. I can connect no problem, but the speed is absolute poo poo. I usually get 70mbps download and 11-12 up. Ookla speed test gives me a latency of 11-12 ms. However when trying to download radiology studies to read, I rarely get more than 1-2 mbps. Our IT department says latency to the hospital servers is too long, or the radiology software doesn’t handle remote connections well. However I know other hospitals use the same software without issue. How would I troubleshoot whether this is a VPN issue, whether it be latency or bandwidth?

# ? Sep 2, 2019 19:33

howdoesishotweb posted: Not sure if this is the place for this question, since I’m dealing with Cisco software.

It's likely doing split tunneling, so your speed test is just testing your local uplink at home, while the problem is with a lovely connection somewhere between you and the remote machine you are connecting to via VPN, or they are applying some kind of QoS to prevent VPN users from eating too much bandwidth. Your IT guy is giving you the lazy answer to make you go away, doesn't know how it works, or doesn't want to bother the guy who actually knows how it works.

Nuclearmonkee fucked around with this message at 20:45 on Sep 2, 2019

# ? Sep 2, 2019 20:43