Prescription Combs
Apr 20, 2005

Pile Of Garbage posted:

I've not worked with that device in particular but that's kinda a by-design thing tbh.

Figured it'd be worth asking at least. Not a big deal to reimage it just really don't want to.


n0tqu1tesane
May 7, 2003

She was rubbing her ass all over my hands. They don't just do that for everyone.
Grimey Drawer

Pile Of Garbage posted:

Can anyone point me towards somewhere that I can get an IOS image for my Cisco 897VA router? IIRC there were a few sites around that were just big old folders of IOS images. I just use the device in my home network and don't have a support contract or anything. I'm looking for c800-universalk9-mz.SPA.159-3.M7.bin specifically.

Thanks in advance!

I know this is a month old post, but Cisco posted a whole mess of old IOS images for devices that are out of support on archive.org a few years back.

https://archive.org/details/cIOS-firmware-images

Doesn't look like they have the specific image you were looking for, but it might be helpful for someone else.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

What's the best way to capture traffic from a single internal IP that could possibly go to multiple external IPs over 443 on an ASA?

I have the list of external IPs but they are not a single block and I'm obviously trying to scope the capture down a bit since I don't want to sift through a bunch of 443 traffic to find what I need.

Should I create an object group, apply to an access-list and capture hits on the access-list? Or can I use that object group directly in the capture command?

The issue is that the client connects to a vendor Citrix environment, but at some point it stopped working for :reasons:. The vendor claims it's on the client's end, but the only port that should be required is 443, which is definitely not blocked. I've told the client this, but I'd also like to make sure we do our due diligence and confirm that the ASA isn't doing something dumb.

Prescription Combs
Apr 20, 2005

MF_James posted:

What's the best way to capture traffic from a single internal IP that could possibly go to multiple external IPs over 443 on an ASA?

I have the list of external IPs but they are not a single block and I'm obviously trying to scope the capture down a bit since I don't want to sift through a bunch of 443 traffic to find what I need.

Should I create an object group, apply to an access-list and capture hits on the access-list? Or can I use that object group directly in the capture command?

The issue is that the client connects to a vendor Citrix environment, but at some point it stopped working for :reasons:. The vendor claims it's on the client's end, but the only port that should be required is 443, which is definitely not blocked. I've told the client this, but I'd also like to make sure we do our due diligence and confirm that the ASA isn't doing something dumb.

Yeah, do an object-group and access-list if you have the destination IPs:

object-group network shitrix
 network-object host a.a.a.a
 network-object host b.b.b.b

access-list shitrix_cap extended permit tcp host <src ip> object-group shitrix eq 443

capture shitrix_cap interface <closest to destination> access-list shitrix_cap

Pile Of Garbage
May 28, 2007



:rip: if you or your customers are in Russia/Belarus and have Cisco gear: https://gagadget.com/en/business/232400-cisco-systems-pulled-out-of-russia-and-destroyed-2342m-worth-of-equipment/.

Methanar
Sep 26, 2013

by the sex ghost

Makes sense. The alternative was the government seizing the equipment anyway.

Thanks Ants
May 21, 2004

#essereFerrari


Presumably this is something that partners have that isn't usually available to end customers, but does anybody know if there are battlecards available that would let me quickly see what the equivalent switch models to Aruba ones are from the Cisco/Juniper/Aristas of the world?

This isn't a super high budget deployment so I think CX 6300s as a core (possibly would need to jump to a pair of CX 8100s to get a decent quantity of 10Gb+ ports) and then some CX 6200s in remote cabinets. Use case is a manufacturing business so all the segmentation features will be good for various CNC machines since they're all running operating systems that only the vendor touches, most of which are EOL. We'd probably manage them through Aruba Central even though I'm not massively happy with it and it seems pricey, everything else looks worse.

It would be helpful to get an idea of what the equivalent in Juniper land is so I can get some really rough pricing together before going out to VARs, so they don't waste my time trying to pitch something that is way over budget.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

What's a solid enterprise device that can auto cutover to a backup internet connection without issue? My new job has an FTD connecting sites and Azure and no router or anything else. When the main ISP goes down it's a huge loving effort to migrate to the backup ISP.

MF_James
May 8, 2008

GreenNight posted:

What's a solid enterprise device that can auto cutover to a backup internet connection without issue? My new job has an FTD connecting sites and Azure and no router or anything else. When the main ISP goes down it's a huge loving effort to migrate to the backup ISP.

Most firewalls can handle active/active or active/passive failover: FortiGates can, SonicWALL, Palo, whatever. I assume the FTD can and it's just not set up correctly, but maybe I'm wrong.

Without issue is also not going to happen: if you're using a connection and that connection goes down, you're going to notice a blip. If people are only browsing the web they probably won't, but anything else will at least notice a 30-60 second drop while the device sees that the connection is down and performs failover. Any active connections are severed, so VoIP etc. will drop calls, but otherwise it's fairly smooth.

GreenNight
Feb 19, 2006

Yeah, but what about incoming VPN connections that use a public IP of ISP #1, and Azure tunnels configured with public IPs?

i am a moron
Nov 12, 2020

"I think if there’s one thing we can all agree on it’s that Penn State and Michigan both suck and are garbage and it’s hilarious Michigan fans are freaking out thinking this is their natty window when they can’t even beat a B12 team in the playoffs lmao"
BGP over IPsec and weight them in Azure.

Edit: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable here's a primer. Not sure if it's BGP over IPsec, but it's how you do it easily ultimately.

i am a moron fucked around with this message at 00:08 on Jul 23, 2023

GreenNight
Feb 19, 2006

We're halfway through migrating from IPsec to VTI. I'm not an expert but I'm told VTI is way better.

i am a moron
Nov 12, 2020

The gently caress is VTI lol

MF_James
May 8, 2008

Virtual Tunnel Interface.

Basically you actually have interfaces at the end of the tunnel you route to instead of magical policy based routes that Cisco started with.

I prefer VTI over policy based because it's easier for other people to understand and it just makes more sense.

GreenNight
Feb 19, 2006

Yeah, we've been migrating from policy-based IPsec tunnels to BGP VTI tunnels and I'm not a Cisco guru by any means. But failover ain't fuckin' working.

MF_James
May 8, 2008

GreenNight posted:

Yeah, we've been migrating from policy-based IPsec tunnels to BGP VTI tunnels and I'm not a Cisco guru by any means. But failover ain't fuckin' working.

So, is the issue the FTD continues to send traffic at the VTI that's down?

https://www.reddit.com/r/Cisco/comments/l1r6jw/firepower_azure_vpn_using_bgp/

I have heard FTD sucks but tbf this sounds like you all are doing something wrong, because I have worked with a bunch of ASAs that can perform IPSEC failover just fine and I (likely correctly) assume FTDs can do the same.

Changed the link because derp I looked up ASA and not FTD config, couldn't find a Cisco article on it, but that reddit dude did it.

MF_James fucked around with this message at 01:19 on Jul 23, 2023

GreenNight
Feb 19, 2006

100% convinced it’s not setup correctly. Good to have that confirmed.

Prescription Combs
Apr 20, 2005
Route gurus... I've been tasked with taking over an existing design that cannot change and I'm scratching my head over how to handle redundancy outside of simply using SLA monitors and tracking in the HSRP config.

The routers are running HSRP on the LAN side and BGP on the WAN side and I cannot add the firewalls in to participate in BGP. The switches are L2 only. The routers only have p2p links between data centers. Ex. RT01 <-> RT01 The diagram is pretty much exactly how everything is cabled.

Diagram for ref: [diagram not captured]

Now, take this and replicate 5 more satellite sites off of each side that cannot be used as backup transit with the same HSRP on LAN and BGP on WAN p2p link side. :gonk:

Dalrain
Nov 13, 2008

Experience joy,
Experience waffle,
Today.
Can you explain what kind of redundancy you’re looking for? (Or what failure you’re explicitly trying to work around?)

I *think* you’re implying that you are worried about the case where a P2P link fails, and traffic arrives at the “wrong” router. If you don’t like link tracking, or you want to be able to detect routing condition failures further down the BGP chain, you could just have the routers speak BGP to each other on the LAN side through the switch or via a back to back link capable of all the traffic the site could generate. You could then end up in a suboptimal but “fine as a backup” condition where traffic arrives at router 1 and immediately gets redirected to router 2 in case router 1’s link gets lost.

Prescription Combs
Apr 20, 2005

Dalrain posted:

Can you explain what kind of redundancy you’re looking for? (Or what failure you’re explicitly trying to work around?)

I *think* you’re implying that you are worried about the case where a P2P link fails, and traffic arrives at the “wrong” router. If you don’t like link tracking, or you want to be able to detect routing condition failures further down the BGP chain, you could just have the routers speak BGP to each other on the LAN side through the switch or via a back to back link capable of all the traffic the site could generate. You could then end up in a suboptimal but “fine as a backup” condition where traffic arrives at router 1 and immediately gets redirected to router 2 in case router 1’s link gets lost.

Totally forgot to mention the failure scenario I'm concerned about... Yeah, if/when a P2P link fails between RT01 and DR RT01, since they're running HSRP on the LAN side. I'm not opposed to tracking, but when I add in 5 other remote sites it's going to get messy. Sounds like BGP on the router LAN side will be the way to go, since the BGP session with the p2p peer will go down if the link fails. I was experimenting with it a bit but haven't yet tested it by bringing down a p2p link. Am I just overthinking this?

Leandros
Dec 14, 2008

MF_James posted:

So, is the issue the FTD continues to send traffic at the VTI that's down?

https://www.reddit.com/r/Cisco/comments/l1r6jw/firepower_azure_vpn_using_bgp/

I have heard FTD sucks but tbf this sounds like you all are doing something wrong, because I have worked with a bunch of ASAs that can perform IPSEC failover just fine and I (likely correctly) assume FTDs can do the same.

Changed the link because derp I looked up ASA and not FTD config, couldn't find a Cisco article on it, but that reddit dude did it.

I don't know about this particular case but just know that FTD can always suck more than ASA.

Tetramin
Apr 1, 2006

I'ma buck you up.
I have a really stupid, slightly embarrassing question.

When creating ACLs do you need to consider usable hosts in a subnet? Like, if you have 8 hosts, would all 8 hosts pass if you filter with 255.255.255.248?

Thanks Ants
May 21, 2004

It's a mask, so you don't need to think about network address or broadcast if that was your question.

Filthy Lucre
Feb 27, 2006
Also be careful, ACLs sometimes use wildcard masks instead of subnet masks depending on your platform.

0.0.0.7 would be the wildcard equivalent of 255.255.255.248, they're just inverse of each other.

MF_James
May 8, 2008

Filthy Lucre posted:

Also be careful, ACLs sometimes use wildcard masks instead of subnet masks depending on your platform.

0.0.0.7 would be the wildcard equivalent of 255.255.255.248, they're just inverse of each other.

8 not 7

tortilla_chip
Jun 13, 2007

k-partite
Having flashbacks to discontiguous masks for the CCIE. Plz stop.

Filthy Lucre
Feb 27, 2006

7

https://en.wikipedia.org/wiki/Wildcard_mask

Kazinsal
Dec 13, 2011


tortilla_chip posted:

Having flashbacks to discontiguous masks for the CCIE. Plz stop.

That gave me a flashback to sitting with a coworker maybe four years ago looking through a multiple thousand entry long ACL of nothing but discontiguous wildcard masks. Thanks for that.

Thanks Ants
May 21, 2004

It's good to make configs completely unreadable to save a few lines just in case you wanted to ever write an ACL that applied to a specific value for the second octet in an address.

Kazinsal
Dec 13, 2011


"But what if someone needs to match every odd numbered host where the second octet is divisible by 16?!" - some semi-technical project manager somewhere at Cisco in the early 90s

Tetramin
Apr 1, 2006

Lol thanks y’all. My problem was that I needed to match 8 hosts (.90-.97) and was wondering how much it could be condensed.

The 9500 this is on is close to exceeding the maximum number of ACLs and exhausting the TCAM. A ton of the segmentation is on this switch.

We are working on getting a new firewall to move it to. But because of that I was wondering if I could use a /29 to match all 8 of those hosts, but I couldn’t because the /29 starts at .88.

Ended up doing 2 /31s and a /30 lmao.

Tetramin fucked around with this message at 03:36 on Aug 26, 2023
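
A worked version of the mask question above (Tetramin's .90-.97 range and the 255.255.255.248 / 0.0.0.7 discussion), as an added example that is not from any post in the thread; the 192.0.2.x prefix is a constructed placeholder for the real subnet:

```python
import ipaddress


def wildcard_mask(prefixlen):
    """IOS-style wildcard for a prefix length: the bitwise inverse of the subnet
    mask, so 0 bits must match and 1 bits are don't-care (/29 -> 0.0.0.7)."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefixlen}").hostmask)


def ace_matches(addr, base, wildcard):
    """Emulate how an IOS wildcard ACE is evaluated: compare only the bits that
    are 0 in the wildcard. Network and broadcast addresses are not special; a
    mask is just a bit pattern, so every address in the block matches."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (a & care) == (b & care)


def containing_block(addr, prefixlen):
    """The aligned CIDR block that holds addr; shows why .90/29 is really .88/29."""
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def cover_range(first, last):
    """Minimal list of aligned CIDR blocks covering an inclusive address range."""
    rng = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(net) for net in rng]


def range_to_aces(first, last, action="permit ip"):
    """Render the covering blocks as IOS ACEs (source filter, any destination),
    using 'host' for /32s and address + wildcard otherwise."""
    aces = []
    for cidr in cover_range(first, last):
        net = ipaddress.ip_network(cidr)
        if net.prefixlen == 32:
            aces.append(f"{action} host {net.network_address} any")
        else:
            aces.append(f"{action} {net.network_address} {net.hostmask} any")
    return aces


if __name__ == "__main__":
    # Constructed sample: hosts .90-.97 in 192.0.2.0/24 (TEST-NET-1).
    print(wildcard_mask(29))                      # 0.0.0.7
    print(containing_block("192.0.2.90", 29))     # 192.0.2.88/29, not .90
    for ace in range_to_aces("192.0.2.90", "192.0.2.97"):
        print(ace)                                # two /31s and one /30
```

Feeding a range into `range_to_aces` also shows how many TCAM entries a contiguous-but-misaligned range costs compared with an aligned block.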

Pile Of Garbage
May 28, 2007



I loathe ACLs on IOS devices. We've got a pair of Cisco ISR 4331 routers at work which sit at the WAN edge and have an ACL configured for filtering inbound traffic. It's not that big, only about 100 entries and yet we repeatedly encounter a bug where when we add entries to the ACL it just breaks and the newly added entries refuse to match traffic. We've escalated to TAC twice and each time they're just like "oh yeah idk just recreate the ACL." So yeah now we're up to INTERNET-IN-05 or something :lol:

tortilla_chip
Jun 13, 2007

Kazinsal posted:

"But what if someone needs to match every odd numbered host where the second octet is divisible by 16?!" - some semi-technical project manager somewhere at Cisco in the early 90s

I've seen this in the wild, but only as the result of Capirca having LOU optimization enabled.

guppy
Sep 21, 2004

sting like a byob

Pile Of Garbage posted:

I loathe ACLs on IOS devices. We've got a pair of Cisco ISR 4331 routers at work which sit at the WAN edge and have an ACL configured for filtering inbound traffic. It's not that big, only about 100 entries and yet we repeatedly encounter a bug where when we add entries to the ACL it just breaks and the newly added entries refuse to match traffic. We've escalated to TAC twice and each time they're just like "oh yeah idk just recreate the ACL." So yeah now we're up to INTERNET-IN-05 or something :lol:

I think the thing I find most baffling about ACLs on... I'm not sure if it's all IOS variants or not, but definitely at least some, is that you can't remove an ACL entry. You have to remove the whole list, then re-create it.

Partycat
Oct 25, 2004

I end up doing that with Ansible because I want to have a remark at the top of the list.

I have C8300s that I broke the ACLs on as well, by using an FQDN type in it thinking it would do something, but instead it throws a traceback and then is broken until reload.

Other times they just don't work, like with NTP peer groups and a named host. Oh well.

PancakeTransmission
May 27, 2007

You gotta improvise, Lisa: cloves, Tom Collins mix, frozen pie crust...


Plaster Town Cop

Tetramin posted:

The 9500 this is on is close to exceeding the max amount of ACLs and exhausting the TCAM. A ton of the segmentation is on this switch.
Wtf how?

Tetramin
Apr 1, 2006

Lmao. Well I just checked and the core TCAM utilization for ACEs is at about 14300 used with a max of 18400, so not super close right now.

We have 195 VLAN interfaces right now on the switch. It's a software company and each customer gets its own VLAN and hardware (or VMs) in our hosted environment. The segmentation is largely done on the core switch; not many things have access to each other by default.

Apparently sometime before I got here 1.5 months ago, they did cross over the ACE limit when someone made some additions to an object group that was used in a ton of the ACLs. At that time they were duplicating a lot of the rules for each VLAN I guess, so now things have been condensed so that the default rules sit in a single ACL instead of being copied to every one, and we try to use subnets where we can over single hosts.

Pretty crazy stuff, apparently if the TCAM is maxed out, random rules just break and don't work.

We will be moving the segmentation over to a firewall sometime in 2024, as it should have been in the first place lol.

Tetramin fucked around with this message at 14:47 on Sep 1, 2023

Nuclearmonkee
Jun 10, 2009


Tetramin posted:

Lmao. Well I just checked and the core TCAM utilization for ACEs is at about 14300 used with a max of 18400, so not super close right now.

We have 195 VLAN interfaces right now on the switch. It's a software company and each customer gets its own VLAN and hardware (or VMs) in our hosted environment. The segmentation is largely done on the core switch; not many things have access to each other by default.

Apparently sometime before I got here 1.5 months ago, they did cross over the ACE limit when someone made some additions to an object group that was used in a ton of the ACLs. At that time they were duplicating a lot of the rules for each VLAN I guess, so now things have been condensed so that the default rules sit in a single ACL instead of being copied to every one, and we try to use subnets where we can over single hosts.

Pretty crazy stuff, apparently if the TCAM is maxed out, random rules just break and don't work.

We will be moving the segmentation over to a firewall sometime in 2024, as it should have been in the first place lol.

That’s crazy. How are they even being managed effectively? Hopefully through Tower/AWX or some kind of external interface or is this just some poor bastards managing huge amounts of ACL entries by hand?

Pile Of Garbage
May 28, 2007



That poo poo sounds insane. Also a good use case for FortiGates with VDOMs if you're doing multi-tenant stuff like that. Also seconding using Ansible for network management; we've had some big wins with it, specifically for automating mass management cut-over and firmware upgrades.

On the opposite end of the spectrum, over a decade ago I came into a multi-tenant "private cloud" environment where all the customer servers were on the same loving /24. One of the first things I did there was set up separate VLANs lol


Thanks Ants
May 21, 2004

Are any of the ~*microsegmentation*~ things that vendors offer worth a drat? If someone buys a load of Aruba gear and plans to run ClearPass, how much pain are they going to have?
