RE: Switch opinions

2010-09-16 Thread Rohyans, Aaron
http://www.dpsciences.com/
I want an Anti-Virus system that sends Arnold back in time to kill the hacker 
as a small child before he invents the virus...
There are 10 kinds of people in this world... those who can read binary, and 
those who can't

From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Thursday, September 16, 2010 1:31 PM
To: NT System Admin Issues
Subject: Re: Switch opinions

Or even divisions of HP...
On Thu, Sep 16, 2010 at 12:53 PM, Ben Scott mailvor...@gmail.com wrote:
On Tue, Sep 14, 2010 at 6:22 PM, Rohyans, Aaron arohy...@dpsciences.com wrote:
 Cisco doesn't offer power supply or fan replacements in their
 warranty... All HP is doing here is offering free brakes/tires with every car
 purchased... big deal.  How many are we anticipating on replacing?  And in the
 grand scheme of things, how much is this really going to cost you (or not
 cost you)?
 Well, if I have to replace a $2000 switch because a $1 fan failed,
quite a bit.

 Cisco only supports their product 5 years after EoL... Well, there's
 a reason the product went EoL... and more than likely, it's had an already
 extensive career in the network.
 In my experience, in many organizations, network equipment has a
much longer lifecycle than computers.  A great many places *still*
don't need anything more than 100 megabit to the desktop.  So a 10-15
year usable lifetime isn't unrealistic.  Obviously some shops need to
upgrade more often than that, but many don't.

 I like that with ProCurve, I get to decide when my equipment is
obsolete; HP doesn't do it for me.

 Cisco doesn't offer free TAC support.  OK, but does HP offer free
 support on all their products, or just ProCurve?
 What does that have to do with what switch I should buy?

 By that logic: Cisco owns LinkSys, LinkSys's stuff is cheap consumer
crap, therefore, all of Cisco's stuff must be cheap consumer crap.

 I can almost guarantee they don't see the types of issues Cisco
 sees, let alone do they have the technical depth that Cisco does in the
 TAC.  You get what you pay for - or don't pay for.
 I believe HP has been making switches longer than Cisco has.  They
certainly got a huge installed base, and have extensive layer two
experience and knowledge.  If you're talking routers, yes, Cisco has a
definite edge.  But we're talking switches.

 I highly doubt HP guarantees next day delivery on all RMA items... there's
 fine print there somewhere (or conveniently excluded).
 They do indeed promise immediate shipment via next day carrier.
Strictly speaking, delivery is up to the carrier, I presume.  In my
experience, if HP doesn't have your part they'll ship you something
better.

 Until recently, the *entire* ProCurve warranty statement was
(paraphrased), HP guarantees the product against defects in materials
or manufacture for the lifetime of the product.  That's it.  Full
stop.  One sentence.  It's since grown some caveats for software and 
GBIC modules, but it's still very short and straight-forward.  I wish
more companies would take the lesson.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin



RE: Switch opinions

2010-09-16 Thread Rohyans, Aaron
I think you're missing my point here... though I may not be clear enough.  My 
point is one of support value, rather than support cost.  Is HP cheaper than 
Cisco when it comes to support? ... yes, hands down.  Does HP provide the same 
level of support from a value perspective as Cisco? ... I would have to say no. 
 Again, you get what you pay for.  You're not paying for high value support... 
thus, HP will gladly throw new equipment your way and let you talk to a low-end 
tech all day long if it'll make you happy.  It's worth it to them.  Cisco, on 
the other hand, takes a different approach... you pay for support, but have 
access to a large pool of technical resources when things go awry... even 
access to the developers themselves.  Keep in mind also that Cisco offers one 
of the best online documentation systems of any manufacturer in the world... 
becoming familiar with Cisco products is not hard... and it's free.

As to the price difference... we could argue features all day long... but how 
do you define comparable switches?  Yes, both are Ethernet switches and both 
operate at 10/100/1000Gb... and if that's all you're after, then you shouldn't 
be looking at Cisco.  Cisco offers some of the most granular and 
technologically advanced features in their product lineup... comparing these 
two switches requires a baseline for comparison.  To some, Cisco's cheap in 
terms of what you get for the cost.  To others they're ungodly expensive, but 
those others typically aren't concerned with the added features that you get 
with Cisco... thus HP makes the most sense, or any other vendor for that matter.

HP is probably lower in overall device failures... but they have less than 20% 
of the switching market share.  Compared to Cisco's 70%, that would make sense. 
 I'm not arguing the quality of HP/Cisco switches here.  You're right, both 
are rock solid!

Aaron T. Rohyans
Senior Network Engineer
CCIE #21945
DPSciences Corporation
7400 N. Shadeland Ave., Suite 245
Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/
I want an Anti-Virus system that sends Arnold back in time to kill the hacker 
as a small child before he invents the virus...
There are 10 kinds of people in this world... those who can read binary, and 
those who can't

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Thursday, September 16, 2010 4:04 PM
To: NT System Admin Issues
Subject: Re: Switch opinions

It's a lame attempt to acquire market share by offering free support on the 
product line.
...
That's not a selling point IMO.  Free support?

Perhaps in your view, Mr. MoneyBags, but getting a comparable product with 
better priced support is of value to many people.

And HP can afford to offer free support because they don't appear to incur a 
great deal of expense dealing with the hardware they're selling.  That's 
their choice -- it's not a gimmick.

I have worked in more places sporting Cisco gear than HP networking gear 
(probably 4-1), but my experiences with both have been very good.  HP is ahead 
(lower) when it comes to the percentage of device failures, but that's not as 
telling as it might seem, because the Cisco gear was older.

The point, though, is that there is no discernible difference for me in the 
quality of the Cisco switches vs the HP ProCurve switches.  None.  Both are 
solid, quality devices backed by strong technology companies.   Given that 
point, why should I pay more for stuff that JUST WORKS, when I don't have to?  
My technology budget needs to cover lots and lots of things, not just switches 
and routers, so I need to be prudent with those dollars.

If you look at the TCO for networking equipment, HP comes out ahead in many 
ways for many size organizations over Cisco.  If it weren't for the fact that 
ripping and replacing an entire network is fraught with peril (and simply not a 
good use of time/money if things are working), then I would very often ditch 
Cisco switches for HP ProCurve on the 5-year TCO alone.

And I'm sure I'm not alone on that point.   This doesn't mean that I think that 
Cisco is bad.  But it does mean that I think that the price differential of 
their equipment over HP buys you no material advantage.


ASB (My XeeSM Profile) http://XeeSM.com/AndrewBaker
Exploiting Technology for Business Advantage...

On Thu, Sep 16, 2010 at 3:14 PM, Rohyans, Aaron 
arohy...@dpsciences.com wrote:
...Well, if I have to replace a $2000 switch because a $1 fan failed,
quite a bit.

In 15 years of working with this stuff, I can count on one hand how many fan 
failures I've had in Cisco gear... and even HP for that matter.  Most gear is 
designed to be resilient enough that the most you're going to have to worry 
about is a pesky log message that a fan is running sub-optimally or has failed 
completely.  My point is that HP knows this... as does Cisco... the odds

RE: RE: Switch opinions

2010-09-16 Thread Rohyans, Aaron
Wow... how long did it take you to write this on a Droid?  Here goes...

Three points:

- Please substantiate your allegation that HP support for networking is somehow 
inferior because you're not paying for an expensive support contact.  (I've 
spoken to quite a few techs from both organizations)

What? This point is like asking someone to substantiate why darkness is 
dark... is it dark, or just the absence of light?  Is cold actually cold or 
just the absence of heat?  It's just general opinion in the industry... and 
widely accepted at that... Google it.  Why do you think HP is where it is and 
hasn't passed up Cisco long ago in this market?  Especially since (supposedly) 
they've been making switches longer.

- I mentioned that Cisco had more failures *percentage-wise*.  I did not make 
the comparison on sheer number of incidents, as that would have been skewed by 
market share.

Fair enough...

- Please provide me a use-case where a Cisco switch is proven to provide some 
functionality that an HP ProCurve cannot accomplish without incurring costs or 
complexity that negate the cost differential.

That's a pretty complex sentence there chief... build me a car that's 
equivalent to a Ferrari without incurring costs or complexity that negate 
the cost differential.  Impossible?  That's what makes the cost differential... 
the functionality (granular/modular QoS, Advanced Security, etc.) that an HP 
ProCurve cannot accomplish.

This debate is pointless...
Aaron T. Rohyans
Senior Network Engineer
CCIE #21945
DPSciences Corporation
7400 N. Shadeland Ave., Suite 245
Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/
I want an Anti-Virus system that sends Arnold back in time to kill the hacker 
as a small child before he invents the virus...
There are 10 kinds of people in this world... those who can read binary, and 
those who can't

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Thursday, September 16, 2010 5:48 PM
To: NT System Admin Issues
Subject: Re: RE: Switch opinions


Three points:

- Please substantiate your allegation that HP support for networking is somehow 
inferior because you're not paying for an expensive support contact.  (I've 
spoken to quite a few techs from both organizations)

- I mentioned that Cisco had more failures *percentage-wise*.  I did not make 
the comparison on sheer number of incidents, as that would have been skewed by 
market share.

- Please provide me a use-case where a Cisco switch is proven to provide some 
functionality that an HP ProCurve cannot accomplish without incurring costs or 
complexity that negate the cost differential.

You've already agreed with the equality of quality.

These are all part of the value proposition.

-ASB: http://XeeSM.com/AndrewBaker

Sent from my Motorola Droid
On Sep 16, 2010 4:49 PM, Rohyans, Aaron 
arohy...@dpsciences.com wrote:
I think you're missing my point here... though I may not be clear enough.  My 
point is one of support value, rather than support cost.  Is HP cheaper than 
Cisco when it comes to support? ... yes, hands down.  Does HP provide the same 
level of support from a value perspective as Cisco? ... I would have to say no. 
 Again, you get what you pay for.  You're not paying for high value support... 
thus, HP will gladly throw new equipment your way and let you talk to a low-end 
tech all day long if it'll make you happy.  It's worth it to them.  Cisco, on 
the other hand, takes a different approach... you pay for support, but have 
access to a large pool of technical resources when things go awry... even 
access to the developers themselves.  Keep in mind also that Cisco offers one 
of the best online documentation systems of any manufacturer in the world... 
becoming familiar with Cisco products is not hard... and it's free.

As to the price difference... we could argue features all day long... but how 
do you define comparable switches?  Yes, both are Ethernet switches and both 
operate at 10/100/1000Gb... and if that's all you're after, then you shouldn't 
be looking at Cisco.  Cisco offers some of the most granular and 
technologically advanced features in their product lineup... comparing these 
two switches requires a baseline for comparison.  To some, Cisco's cheap in 
terms of what you get for the cost.  To others they're ungodly expensive, but 
those others typically aren't concerned with the added features that you get 
with Cisco... thus HP makes the most sense, or any other vendor for that matter.

HP is probably lower in overall device failures... but they have less than 20% 
of the switching market share.  Compared to Cisco's 70%, that would make sense. 
 I'm not arguing the quality of HP/Cisco switches here.  You're right, both 
are rock solid!




Aaron T. Rohyans
Senior Network Engineer

CCIE #21945

DPSciences Corporation
7400 N. Shadeland...
From: Andrew S

RE: Switch opinions

2010-09-16 Thread Rohyans, Aaron
 doing.

[3] http://www.hp.com/hpinfo/newsroom/press/2008/080527a.html

No doubt... not sure when/if I argued against this?  HP has a great product... 
and they certainly have the credentials.  I still think Cisco has a better 
(though more expensive) product.  Is this just shared as an FYI, or was there a 
point here?

...I doubt Cisco really has *that* much of an edge in knowledge.  So
now we're even: We both doubt the other's vague, unsourced,
unquantifiable statements.

Sure... sounds good.  Agree to disagree.

...You asked about liability; I answered.  If the sun explodes, you'll
never get your replacement product.  But yes, they really do promise
to ship overnight, which Cisco does not.  In writing.

...Let me get this straight: HP quotes Cisco's own contract, and does
better, but that... doesn't mean they're better?

Fine... they'll ship overnight, and their terms are better.  Never argued that. 
 I'm only arguing that HP is taking the fine print about a worst case scenario 
on the RMA process and showing how they do it better - when in fact they are 
bound by that *same* worst case verbiage... they just don't come out and say 
it.  Kudos to them, but I just don't think it's a major selling point.  Your 
mileage may vary.  Shame on Cisco, I suppose.

...I had a customer whose 10/100 managed repeater finally died. HP
shipped a 10/100 managed switch.

Oh OK... argument resolved then.

...Others on this list have reported similar stories.

Let them speak...

...Doubt all you want, that's what they've done.  But I guess you'd
rather deny facts than consider the possibility that Cisco is
overpriced.

Hah!  What?  When did I ever deny facts that Cisco is overpriced?  They ARE 
some of the most over-priced products out there.  But they ARE also some of the 
best products out there.

...Interesting.  Three paragraphs up, you're claiming that HP citing
Cisco's warranty *in writing* isn't a fair comparison.  But now you
want something in writing.

What?  Not quite sure what you're getting at here... But yes... since this 
warranty is apparently the end-all-be-all warranty of warranties, and HP will 
give you something better when your product dies, where *in writing* does it 
say this?

...But anyway: HP will, at its option, repair or replace the affected
products.  Page 11 of our ProCurve license-and-warranty booklet, HP
P/N 5990-8862.  They don't promise something better, but they promise
to repair or *replace*.  In writing.

Exactly... they don't promise to replace with something better.  Just that 
they'll repair/replace at their option.  Interesting verbiage don't you 
think?  I thought hands down you just got a new one when yours didn't work?

Aaron T. Rohyans
Senior Network Engineer
CCIE #21945
DPSciences Corporation
7400 N. Shadeland Ave., Suite 245
Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/
I want an Anti-Virus system that sends Arnold back in time to kill the hacker 
as a small child before he invents the virus...
There are 10 kinds of people in this world... those who can read binary, and 
those who can't

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Thursday, September 16, 2010 6:04 PM
To: NT System Admin Issues
Subject: Re: Switch opinions

On Thu, Sep 16, 2010 at 3:14 PM, Rohyans, Aaron arohy...@dpsciences.com wrote:
 In 15 years of working with this stuff, I can count on one hand how many fan
 failures I've had in Cisco gear...

  Well, from what you say, you change out your gear relatively often,
since that's part of your technology and depreciation cycle.  Or so
you argued earlier.  So it makes sense that you wouldn't see
failures that might happen after a longer period of time.

 My point is that HP knows this... as does Cisco... the odds
 of their gear failing like this are slim unless due to a defect in
 production...

  If Cisco knows that, why does Cisco exclude fans and power supplies
from their warranty?

  Equivocate all you want -- HP's got the better warranty.

 ...In my experience, in many organizations, network equipment has a
 much longer lifecycle than computers.  A great many places *still*
 don't need anything more than 100 megabit to the desktop.  So a 10-15
 year usable lifetime isn't unrealistic.  Obviously some shops need to
 upgrade more often than that, but many don't.

  I like that with ProCurve, I get to decide when my equipment is
 obsolete; HP doesn't do it for me.

 How is Cisco forcing you to change out your gear just because a product goes
 EoL?

  They aren't, but you are suggesting that if equipment is 5 years
past end-of-life, then one shouldn't be using the equipment any more.
Perhaps that's just your opinion, and not Cisco's mindset.  Fair
enough.  But if I'm still using that equipment, Cisco won't support it
--  HP will.

 ...What does that have

RE: Switch opinions

2010-09-14 Thread Rohyans, Aaron
If I'm not mistaken, a lot of Cisco's switches now come with a limited/enhanced 
lifetime warranties... similar to HP.  SMARTNet is primarily for Cisco's 
support offering (not necessarily as a hardware replacement offering... 
although it's used for that quite frequently) - in which you can get expedited 
support in the event that issues arise, or you need help with configuration.

Just wanted to point that out :).  I know HP's support is free, but technically 
both vendors offer lifetime hardware warranties If that's all you're after.

Hope this helps!

Aaron T. Rohyans
Senior Network Engineer
CCIE #21945
DPSciences Corporation
7400 N. Shadeland Ave., Suite 245
Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/
I want an Anti-Virus system that sends Arnold back in time to kill the hacker 
as a small child before he invents the virus...
There are 10 kinds of people in this world... those who can read binary, and 
those who can't

From: Raper, Jonathan - Eagle [mailto:jra...@eaglemds.com]
Sent: Tuesday, September 14, 2010 2:40 PM
To: NT System Admin Issues
Subject: RE: Switch opinions

It is going to be interesting to see how the whole Cisco/HP Networking/Server 
thing is going to pan out ultimately. My understanding was that HP & Cisco had 
kind of a friendly agreement to stay out of each others' spaces for a while 
there, but now that HP has entered the server arena going head to head against 
HP and everyone else, it will be interesting to see if HP steps up their 
networking game...


Jonathan L. Raper, A+, MCSA, MCSE
Technology Coordinator
Eagle Physicians & Associates, PA
jra...@eaglemds.com
www.eaglemds.com


From: richardmccl...@aspca.org [mailto:richardmccl...@aspca.org]
Sent: Tuesday, September 14, 2010 2:29 PM
To: NT System Admin Issues
Subject: RE: Switch opinions


+1

Both our old 3500-series Cisco and our current 3750 series are, unless you know 
the CIOS CLI stuff thoroughly, a pain to manage.

Support renewal is expensive (SmartNet - smart for Cisco, I guess...)

I would seriously consider staying with HP (which was not my choice to make a 
couple of years back...)
--
Richard D. McClary
Systems Administrator, Information Technology Group
ASPCA®
1717 S. Philo Rd, Ste 36
Urbana, IL  61802

richardmccl...@aspca.org

P: 217-337-9761
C: 217-417-1182
F: 217-337-9761
www.aspca.org


The information contained in this e-mail, and any attachments hereto, is from 
The American Society for the Prevention of Cruelty to Animals® (ASPCA®) and 
is intended only for use by the addressee(s) named herein and may contain 
legally privileged and/or confidential information. If you are not the intended 
recipient of this e-mail, you are hereby notified that any dissemination, 
distribution, copying or use of the contents of this e-mail, and any 
attachments hereto, is strictly prohibited. If you have received this e-mail in 
error, please immediately notify me by reply email and permanently delete the 
original and any copy of this e-mail and any printout thereof.


Raper, Jonathan - Eagle jra...@eaglemds.com wrote on 09/14/2010 01:20:16 PM:

 We've used the Catalyst family since the 3500 series (3512 & 3524)
 back in 2001. We've used the 3550, 2950, 3560 & 3750/3750G. In the
 last year, we've replaced everything with all PoE, 3560-48, 3750-24, 3750-48.

 I like them, personally, but they are expensive and don't have a
 lifetime warranty like the HP line - SmartNET is not inexpensive,
 either. I have used ProCurve (2424M & 4000M). I've also worked with
 3Com & D-Link, but can't remember the specifics on either - for D-
 Link, it was their high-end gear, if D-Link has such...

 What do you need in a managed switch, aside from being able to look
 at port statistics? Do you have vlan and qos needs? Is VoIP in your
 environment (or in your future? - if so, whose VoIP product do you
 use or think will you use?)

 Jonathan L. Raper, A+, MCSA, MCSE
 Technology Coordinator
 Eagle Physicians & Associates, PA
 jra...@eaglemds.com
 www.eaglemds.com

 From: Evan Brastow [mailto:ebras...@automatedemblem.com]
 Sent: Tuesday, September 14, 2010 1:32 PM
 To: NT System Admin Issues
 Subject: Switch opinions

 Hi guys,

 I'm looking at replacing my HP ProCurve switch and am looking at a
 Cisco Catalyst 2960S-48TS-S 48 port managed switch. Anyone have any
 experience with this switch or this family of switches? Obviously
 Cisco is a pretty good name, but it's been a while since I've bought
 anything of theirs.

 Thanks! :)

 Evan

 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
 ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

 ---
 To manage subscriptions click here: http://lyris.sunbelt-software.
 com/read/my_forums/
 or send an email to 

RE: Switch opinions

2010-09-14 Thread Rohyans, Aaron
 page on the Cisco 
site...




Jonathan L. Raper, A+, MCSA, MCSE
Technology Coordinator
Eagle Physicians & Associates, PA
jra...@eaglemds.com
www.eaglemds.com


From: Rohyans, Aaron [mailto:arohy...@dpsciences.com]
Sent: Tuesday, September 14, 2010 2:57 PM
To: NT System Admin Issues
Subject: RE: Switch opinions

If I'm not mistaken, a lot of Cisco's switches now come with a limited/enhanced 
lifetime warranties... similar to HP.  SMARTNet is primarily for Cisco's 
support offering (not necessarily as a hardware replacement offering... 
although it's used for that quite frequently) - in which you can get expedited 
support in the event that issues arise, or you need help with configuration.

Just wanted to point that out :).  I know HP's support is free, but technically 
both vendors offer lifetime hardware warranties If that's all you're after.

Hope this helps!

Aaron T. Rohyans
Senior Network Engineer
CCIE #21945
DPSciences Corporation
7400 N. Shadeland Ave., Suite 245
Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/
I want an Anti-Virus system that sends Arnold back in time to kill the hacker 
as a small child before he invents the virus...
There are 10 kinds of people in this world... those who can read binary, and 
those who can't

From: Raper, Jonathan - Eagle [mailto:jra...@eaglemds.com]
Sent: Tuesday, September 14, 2010 2:40 PM
To: NT System Admin Issues
Subject: RE: Switch opinions

It is going to be interesting to see how the whole Cisco/HP Networking/Server 
thing is going to pan out ultimately. My understanding was that HP & Cisco had 
kind of a friendly agreement to stay out of each others' spaces for a while 
there, but now that HP has entered the server arena going head to head against 
HP and everyone else, it will be interesting to see if HP steps up their 
networking game...


Jonathan L. Raper, A+, MCSA, MCSE
Technology Coordinator
Eagle Physicians & Associates, PA
jra...@eaglemds.com
www.eaglemds.com


From: richardmccl...@aspca.org [mailto:richardmccl...@aspca.org]
Sent: Tuesday, September 14, 2010 2:29 PM
To: NT System Admin Issues
Subject: RE: Switch opinions


+1

Both our old 3500-series Cisco and our current 3750 series are, unless you know 
the CIOS CLI stuff thoroughly, a pain to manage.

Support renewal is expensive (SmartNet - smart for Cisco, I guess...)

I would seriously consider staying with HP (which was not my choice to make a 
couple of years back...)
--
Richard D. McClary
Systems Administrator, Information Technology Group
ASPCA®
1717 S. Philo Rd, Ste 36
Urbana, IL  61802

richardmccl...@aspca.org

P: 217-337-9761
C: 217-417-1182
F: 217-337-9761
www.aspca.org


The information contained in this e-mail, and any attachments hereto, is from 
The American Society for the Prevention of Cruelty to Animals® (ASPCA®) and 
is intended only for use by the addressee(s) named herein and may contain 
legally privileged and/or confidential information. If you are not the intended 
recipient of this e-mail, you are hereby notified that any dissemination, 
distribution, copying or use of the contents of this e-mail, and any 
attachments hereto, is strictly prohibited. If you have received this e-mail in 
error, please immediately notify me by reply email and permanently delete the 
original and any copy of this e-mail and any printout thereof.


Raper, Jonathan - Eagle jra...@eaglemds.com wrote on 09/14/2010 01:20:16 PM:

 We've used the Catalyst family since the 3500 series (3512 & 3524)
 back in 2001. We've used the 3550, 2950, 3560 & 3750/3750G. In the
 last year, we've replaced everything with all PoE, 3560-48, 3750-24, 3750-48.

 I like them, personally, but they are expensive and don't have a
 lifetime warranty like the HP line - SmartNET is not inexpensive,
 either. I have used ProCurve (2424M & 4000M). I've also worked with
 3Com & D-Link, but can't remember the specifics on either - for D-
 Link, it was their high-end gear, if D-Link has such...

 What do you need in a managed switch, aside from being able to look
 at port statistics? Do you have vlan and qos needs? Is VoIP in your
 environment (or in your future? - if so, whose VoIP product do you
 use or think will you use?)

 Jonathan L. Raper, A+, MCSA, MCSE
 Technology Coordinator
 Eagle Physicians & Associates, PA
 jra...@eaglemds.com
 www.eaglemds.com

 From: Evan Brastow [mailto:ebras...@automatedemblem.com]
 Sent: Tuesday, September 14, 2010 1:32 PM
 To: NT System Admin Issues
 Subject: Switch opinions

 Hi guys,

 I'm looking at replacing my

RE: Bandwidth problems

2010-08-29 Thread Rohyans, Aaron
Perhaps your Firewall is responding to ICMP Packet-Too-Big messages from your 
provider and/or transit systems.  Or, perhaps it is using a path-MTU-discovery 
mechanism.  I'm somewhat surprised that the Sonicwall engineer hadn't seen MTU 
issues like this.  They are very common with VPNs - and although that's not 
what you're dealing with here... the same principles apply.

Have you tried turning off/blocking ICMP at your outside interface (more than 
just Echo/Ping) to see if the problem goes away?

Aaron T. Rohyans
Senior Network Engineer
CCIE #21945
DPSciences Corporation
7400 N. Shadeland Ave., Suite 245
Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/
I want an Anti-Virus system that sends Arnold back in time to kill the hacker 
as a small child before he invents the virus...
There are 10 kinds of people in this world... those who can read binary, and 
those who can't

From: Lists - Level5 [mailto:li...@levelfive.us]
Sent: Thursday, August 26, 2010 3:57 PM
To: NT System Admin Issues
Subject: RE: Bandwidth problems

We have internal IPS/IDS, and mail filters already setup.

We have tracked down the issue with Sonicwall today, apparently our MTU size is 
fluctuating. It was set to default 1492, I lowered it to 1404 and then this 
command : ping google.com -f -l 1400 worked just fine, however an hour later it 
would come back saying needed to fragment the packet, so now we are running 
with an MTU of 1360 or 1366 or something. Very odd problem, we are migrating 
away from the current provider and the powers that be are wondering if this is 
being done purposefully. Sonicwall engineer said he doesn't recall seeing an 
MTU size working for 10-15 mins then suddenly be too big.

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Thursday, August 26, 2010 12:11 PM
To: NT System Admin Issues
Subject: Re: Bandwidth problems

You don't NEED the security stuff?

Can I ask why?!?


ASB (My XeeSM Profile) http://XeeSM.com/AndrewBaker
Exploiting Technology for Business Advantage...



On Thu, Aug 26, 2010 at 11:38 AM, Lists - Level5 li...@levelfive.us wrote:
Rich, all the security stuff is disabled, we didn't need it anyway but I took 
it off as a precaution the other day.

From: Richard Stovall [mailto:rich...@gmail.com]
Sent: Wednesday, August 25, 2010 12:19 PM

To: NT System Admin Issues
Subject: Re: Bandwidth problems

Do you have any of the SonicWall security services or content filtering 
licensed and enabled?  Have you cranked up alerting to tell you if the 
SonicWall might be blocking something because of one of those services?  That 
5500 should be powerful enough to handle quite a bit of throughput.
On Wed, Aug 25, 2010 at 11:55 AM, Level 5 Lists li...@levelfive.us wrote:
I have been troubleshooting a bandwidth problem where connections are dropping. 
We ran some different tests like speedtest and pingtest as well as a trial of 
Visualware. Everything points to TCP max delay (300ms) being a major issue and 
suggests packet loss. I have run some tracerts for the ISP and they say it's not 
their side. I tend to believe them a little because if we unplug our Sonicwall 
and go directly the problem goes away. As a test I rolled out a new Sonicwall 
5500, reconfigured it and the problem still exists.

We are jumbo-frame enabled internally, and our ProCurve mgmt software has some 
intermittent issues throughout the network but nothing specific. Does anyone 
have any good tools they could recommend to test internal connectivity? The few 
tools I see just test speed, which seems to be running just fine (qcheck).

Thx

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

RE: Cisco ASA - Domain Admin account?

2010-06-08 Thread Rohyans, Aaron
Michael's right... LDAP queries to AD just require a user to bind with.  If you 
wish to do LDAP Attribute Mapping within the ASA (map users to different tunnel 
parameters), then it'll require a Domain Admin account.

HTH,

Aaron T. Rohyans
Senior Network Engineer
CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IPS, CQS-VPN, ISSP, CISP, JNCIA-ER
DPSciences Corporation
7400 N. Shadeland Ave., Suite 245
Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/
I want an Anti-Virus system that sends Arnold back in time to kill the hacker 
as a small child before he invents the virus...
There are 10 kinds of people in this world... those who can read binary, and 
those who can't

From: Mayo, Bill [mailto:bem...@pittcountync.gov]
Sent: Tuesday, June 08, 2010 2:53 PM
To: NT System Admin Issues
Subject: RE: Cisco ASA - Domain Admin account?

Not of which I am aware.


From: David Lum [mailto:david@nwea.org]
Sent: Tuesday, June 08, 2010 2:51 PM
To: NT System Admin Issues
Subject: Cisco ASA - Domain Admin account?
Question next: Any reason a Cisco ASA would need a Domain Admin account to 
communicate to Active Directory?
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

RE: Hijacked Thread: All WAN over VPN? (Was: RE: Network/WAN question)

2010-05-13 Thread Rohyans, Aaron
This is where technologies such as GETVPN come into play - tunnel-less IPSec 
encryption on an any-to-any network.  Generally speaking, it only works on 
private networks (such as MPLS) where every IP Address is routable throughout 
all sites, but it can work over the Internet if engineered to do so (such as 
the case with mGRE).  

Aaron T. Rohyans
Senior Network Engineer
CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IPS, CQS-VPN, ISSP, CISP, JNCIA-ER
DPSciences Corporation
7400 N. Shadeland Ave., Suite 245
Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/
I want an Anti-Virus system that sends Arnold back in time to kill the hacker 
as a small child before he invents the virus...
There are 10 kinds of people in this world... those who can read binary, and 
those who can't


-Original Message-
From: James Hill [mailto:james.h...@superamart.com.au] 
Sent: Thursday, May 13, 2010 5:54 PM
To: NT System Admin Issues
Subject: RE: Hijacked Thread: All WAN over VPN? (Was: RE: Network/WAN question)

To me the fact you don't need a VPN is one of the main selling points for these 
products (and MPLS networks in general). 

MPLS networks seem to have been more commonplace here in Aus than the US until 
recently.  I certainly haven't bothered with VPNs for many years now as they 
just add more complexity.

I can understand why some people add the extra layer of security though.  
However if you feel you have to run a vpn then I'd say get a better provider.


-Original Message-
From: Matthew W. Ross [mailto:mr...@ephrataschools.org] 
Sent: Friday, 14 May 2010 6:34 AM
To: NT System Admin Issues
Subject: Hijacked Thread: All WAN over VPN? (Was: RE: Network/WAN question)

I have a related question:

If you are separated, site to site, with a large layer 2 fiber network... would 
you put the traffic between routers over a VPN? Or is it commonplace for 
companies to trust their providers not to have a man in the middle, and just 
route?

I can't imagine anybody actually does this without an IPSec or OpenVPN tunnel 
of some kind... But I'm curious if there are.


--Matt Ross
Ephrata School District


- Original Message -
From: Kim Longenbaugh
[mailto:k...@colonialsavings.com]
To: NT System Admin Issues
[mailto:ntsysad...@lyris.sunbelt-software.com]
Sent: Thu, 13 May 2010
13:05:09 -0700
Subject: RE: Network/WAN question


 It sounds like you have 10 PPP circuits to your remote sites, each 
 currently a T1.  You're replacing the T1s with Ethernet circuits.
 
 Just replace this:
 Main Site (172.20.x.x) -- T1 Wan link (192.168.x.x) -- Remote Site (172.21.x.x)
 
 With this: 
 Main Site (172.20.x.x) -- Ethernet Wan link (192.168.x.x) -- Remote Site (172.21.x.x)
 
 Your broadcast and collision domains would remain separate, just like 
 they are now.
 
 Unless your existing routers have the Ethernet port to handle the new 
 Ethernet Wan, you'd have to do your routing with the L3 switches 
 anyway, so why not dump the routers and have just one piece of network 
 gear at each remote site to manage.
 
 
 How would this work without routing?  How's traffic on 172.20.x.x get 
 to 172.21.x.x, since those are separate subnets?
 
 When setting up the Fiber, because layer 2, I do NOT have to have a 
 separate network for that WAN link anymore.  I can set it up like:
 Main Site (172.20.x.x) -- Fiber Link --- Remote Site (172.21.x.x)
 
 -Original Message-
 From: jesse-r...@wi.rr.com [mailto:jesse-r...@wi.rr.com]
 Sent: Thursday, May 13, 2010 2:42 PM
 To: NT System Admin Issues
 Subject: Network/WAN question
 
 
 Hello.  Looking for input on our current/proposed network.
 
 We have 10 sites.  Each site is connected via T1 lines.  There is a 
 router at each site that handles the routing.
 
 We are replacing the T1 lines with fiber.  The company leasing us the 
 fiber is handing off an ethernet port at each site (all layer 2).
 
 My question is... Our current WAN setup with the T1s looks like this:
 
 Main Site (172.20.x.x) -- T1 Wan link (192.168.x.x) -- Remote Site (172.21.x.x)
 
 The WAN link itself is on its own network.
 
 When setting up the Fiber, because layer 2, I do NOT have to have a 
 separate network for that WAN link anymore.  I can set it up like:
 Main Site (172.20.x.x) -- Fiber Link --- Remote Site (172.21.x.x)
 
 The downside with this is, broadcasts would still travel over the 
 Fiber link since the WAN link is not on a separate network. It does, 
 however, simplify things for me a bit.
 
 The question is, which of the two methods would you use?   Putting the
 Fiber WAN link on its own network or, not?
 
 One other question.  Since my HP switches at the main/remote sites are 
 able to do IP Routing, would you also remove the routers (which are 
 needed with the current T1 WAN links) completely from the environment 
 and do all routing at the switch level?  I'm leaning 

RE: VPN issue

2010-05-11 Thread Rohyans, Aaron
Cisco just released (as in a few weeks ago) a 64-bit version of the older IPSec 
client.  It is in BETA and not supported... it's just there so users are forced 
to move if they don't want to/can't.

Aaron T. Rohyans
Senior Network Engineer
CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IPS, CQS-VPN, ISSP, CISP, JNCIA-ER
DPSciences Corporation
7400 N. Shadeland Ave., Suite 245
Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/
I want an Anti-Virus system that sends Arnold back in time to kill the hacker 
as a small child before he invents the virus...
There are 10 kinds of people in this world... those who can read binary, and 
those who can't

From: David W. McSpadden [mailto:dav...@imcu.com]
Sent: Tuesday, May 11, 2010 12:17 PM
To: NT System Admin Issues
Subject: RE: VPN issue

I thought you had to move to AnyConnect for Windows Vista and 7 to work?


From: Cameron [mailto:cameron.orl...@gmail.com]
Sent: Tuesday, May 11, 2010 12:14 PM
To: NT System Admin Issues
Subject: VPN issue

Good day all!

Win 7 (patched)
Cisco VPN client version 5.0.01.0600 connecting to Cisco VPN concentrator
Connection - Wireless Internet Stick

The VPN client connects and authenticates, but does not allow pinging within 
the corporate network. Obviously this means that no applications that need to 
connect to corp servers are working. (Lower version client has no issues with 
XP - same authentication settings). The concentrator does show me connected so 
I'm pretty sure it's at the O/S level that something is being blocked.

I've tried all sorts of changes, but apparently I'm missing something somewhere.

Any ideas? other than percussive maintenance!

Cheers,
Cameron

Cisco x64 IPSec Client

2010-03-02 Thread Rohyans, Aaron
Hey guys,

For all that care, Cisco just released a BETA version of their 64-bit IPSec VPN 
client for Windows.  The IPSec client-suite will no longer be supported in a 
few years, but they at least listened to people who asked for a 64-bit version 
- i.e. those that did not/won't move to AnyConnect in the near future.  I know 
a lot of people here are hesitant to move to AnyConnect, so this should be 
great news.  Especially those who are hesitant to use 3rd party products 
(Shrewsoft, Greenbow, etc.) for 64-bit IPSec applications.

Anyway... thought I'd share with you all... just check the download section of 
Cisco's website as there's no formal announcement.

Thanks!

Aaron T. Rohyans
Senior Network Engineer
CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IPS, CQS-VPN, ISSP, CISP, JNCIA-ER
DPSciences Corporation
7400 N. Shadeland Ave., Suite 245
Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/
I want an Anti-Virus system that sends Arnold back in time to kill the hacker 
as a small child before he invents the virus...
There are 10 kinds of people in this world... those who can read binary, and 
those who can't

RE: CISCO VPN Client

2010-02-18 Thread Rohyans, Aaron
If you guys are using the newest AnyConnect version (v2.4.0202), there is an 
issue with DNS resolution that has yet to be fixed.  You'll definitely see 
issues with Exchange 2007... the solution is to downgrade one step until the 
bug is fixed.

Just FYI...

Thanks!

Aaron T. Rohyans
Senior Network Engineer
CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IPS, CQS-VPN, ISSP, CISP, JNCIA-ER
DPSciences Corporation
7400 N. Shadeland Ave., Suite 245
Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/
I want an Anti-Virus system that sends Arnold back in time to kill the hacker 
as a small child before he invents the virus...
There are 10 kinds of people in this world... those who can read binary, and 
those who can't

From: Ray [mailto:rz...@qwest.net]
Sent: Thursday, February 18, 2010 11:21 AM
To: NT System Admin Issues
Subject: RE: CISCO VPN Client


The error I got was "The VPN client driver has encountered an error."  This 
just happened last night, didn't put any effort into looking at it.

This morning I overheard one of our programmers saying he was having issues 
connecting, so he was getting the client, but then he couldn't seem to RDP to 
his work PC.  Unfortunately he didn't bother to get the exact error messages.

-Original Message-
From: Terry Dickson [mailto:te...@treasurer.state.ks.us]
Sent: Thursday, February 18, 2010 9:08 AM
To: NT System Admin Issues
Subject: RE: CISCO VPN Client



Not that I can help, but what issues?  We still use the Cisco VPN Client and 
many of our machines are Win7 64 machines.  Since Cisco will not make a 64bit 
version of the VPN Client we are looking at the anyconnect solution also.



-Original Message-
From: Ray [mailto:rz...@qwest.net]
Sent: Thursday, February 18, 2010 9:48 AM
To: NT System Admin Issues
Subject: RE: CISCO VPN Client

We're starting to see some issues with Win7 64 clients connecting.

-Original Message-
From: David W. McSpadden [mailto:dav...@imcu.com]
Sent: Thursday, February 18, 2010 8:19 AM
To: NT System Admin Issues
Subject: Re: CISCO VPN Client

The AnyConnect from Cisco uses a cert and is web-based; it is very easy to work 
with and the users are happy with it.





--
From: Charlie Kaiser charl...@golden-eagle.org
Sent: Thursday, February 18, 2010 10:14 AM
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: RE: CISCO VPN Client

 Hmmm. Yeah; that's a lot of overhead. Seems a shame to have to switch apps
 because of a bad guy. That's an effective DOS attack, eh? I'd hesitate to
 switch apps because I'd be afraid they'd do the same thing. But I don't
 know the AnyConnect app either.

 I seem to remember the VPN client could use certs as part of the auth. I
 wonder if that feature could be utilized to block non-client access? I
 haven't used the Cisco client for a year or so so I don't recall the
 available options.





 ***
 Charlie Kaiser
 charl...@golden-eagle.org
 Kingman, AZ
 ***

 -Original Message-
 From: David W. McSpadden [mailto:dav...@imcu.com]
 Sent: Thursday, February 18, 2010 7:59 AM
 To: NT System Admin Issues
 Subject: Re: CISCO VPN Client

 They change every 20 or 30 hits.
 Mostly out of country.
 I started by setting up rules to block them but then I had
 about 100 rules to block and it became an all day job.
 Easier to move the authorized users to AnyConnect which is
 supported and kill the VPN Client which has end of lifed anyway.





 --
 From: Charlie Kaiser charl...@golden-eagle.org
 Sent: Thursday, February 18, 2010 9:54 AM
 To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
 Subject: RE: CISCO VPN Client

  Is there a way you can block the source IP(s) before they get to the
  VPN endpoint?

 

  ***
  Charlie Kaiser
  charl...@golden-eagle.org
  Kingman, AZ
  ***

  -Original Message-
  From: David W. McSpadden [mailto:dav...@imcu.com]
  Sent: Thursday, February 18, 2010 7:45 AM
  To: NT System Admin Issues
  Subject: Re: CISCO VPN Client

  I have Kiwi Syslogger setup to email me every failed attempt to
  authenticate through the VPN.
  It went from 2 or 3 a day from lusers to 2500 to 5000 a day and all
  accounts I don't have in AD and all originating from the VPN tunnel.
  So disabling the tunnel didn't work, had to remove the reference to
  the tunnel entirely.  Now we are back to 2 or 3 a day.

 

 

  From: Bob Fronk mailto:b...@btrfronk.com
  Sent: Thursday, February 18, 2010 9:25 AM
  To: NT System Admin Issues mailto:ntsysadmin@lyris.sunbelt-software.com
  Subject: RE: CISCO VPN Client

  How did you discover this was happening?

  From: David W. McSpadden 
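David McSpadden's account in this thread (one Kiwi Syslog email per failed authentication, normally 2 or 3 a day, then 2500 to 5000 a day for accounts that do not exist in AD) is the kind of signal worth aggregating before it reaches a mailbox. The following is an added example, not code from the thread or from Kiwi: it parses constructed failure lines in an assumed syslog format, summarises failures per day, counts the attempted usernames that are absent from a constructed user list, and raises an alert for any day whose count exceeds a multiple of the usual baseline, reporting the busiest source address. The message format, the user list, the threshold and the addresses are all assumptions.

```python
"""Baseline-and-alert aggregation for failed VPN authentications.

Added example, not from the thread. Kiwi Syslog mailed one message per
failure; this is the summary you would want in front of that: failures
per day against the normal two-or-three-a-day baseline, how many of the
attempted usernames exist in the directory, and which sources are busiest.
The log lines, the user list and the message format are constructed for
the example; they are not the real concentrator's syslog format.
"""
import re
from collections import Counter, defaultdict

KNOWN_USERS = {"alice", "bob", "carol"}      # constructed stand-in for the AD user list
BASELINE_PER_DAY = 3                          # "2 or 3 a day" in the thread
ALERT_MULTIPLIER = 10                         # alert at 10x baseline (assumed threshold)

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ vpn: auth failed "
    r"user=(?P<user>\S+) src=(?P<src>[\d.]+) group=(?P<group>\S+)$"
)

# A quiet day with two real users mistyping, then a day with a burst of
# failures for accounts that do not exist. All lines are constructed.
QUIET_DAY = [
    "2010-02-17 08:01:02 vpn: auth failed user=alice src=203.0.113.5 group=staff",
    "2010-02-17 17:30:11 vpn: auth failed user=bob src=203.0.113.9 group=staff",
]
BURST_DAY = [
    "2010-02-18 02:00:01 vpn: auth failed user=admin src=198.51.100.7 group=staff",
] + [
    "2010-02-18 03:%02d:%02d vpn: auth failed user=%s src=198.51.100.%d group=staff"
    % (i // 60, i % 60, user, 7 + i % 3)
    for i, user in enumerate(["admin", "root", "test", "guest", "oracle"] * 8)
]
SAMPLE_LOG = QUIET_DAY + BURST_DAY


def parse_line(line):
    """Return the fields of one failure line, or None for unrelated lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Aggregate failures per day: count, unknown usernames, and source counts."""
    days = defaultdict(lambda: {"count": 0, "unknown_users": set(), "sources": Counter()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        day = days[rec["day"]]
        day["count"] += 1
        day["sources"][rec["src"]] += 1
        if rec["user"] not in KNOWN_USERS:
            day["unknown_users"].add(rec["user"])
    return dict(days)


def alerts(summary, baseline=BASELINE_PER_DAY, multiplier=ALERT_MULTIPLIER):
    """Days whose failure count exceeds baseline * multiplier, with the
    nonexistent usernames tried and the busiest source, oldest day first."""
    out = []
    for day in sorted(summary):
        s = summary[day]
        if s["count"] > baseline * multiplier:
            top_src, top_n = s["sources"].most_common(1)[0]
            out.append((day, s["count"], sorted(s["unknown_users"]), top_src, top_n))
    return out


if __name__ == "__main__":
    for alert in alerts(summarize(SAMPLE_LOG)):
        print("ALERT day=%s failures=%d unknown_users=%s top_src=%s (%d)" % alert)
```

The unknown-user count is the discriminator that matters most here: a real user locking themselves out produces a known name, whereas a guessing run produces names the directory has never seen, so a day can be flagged on that ratio even before the raw count climbs far above baseline.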

RE: Who out there knows Cisco?

2010-01-18 Thread Rohyans, Aaron
If it’s a 72xxVXR, then yes it's worth it.  None of the VXR chassis are EoL.  
Great routers.  The original NPE-400s are EoL, so you'll want to consider 
updating the NPE.  The OC3 Port Adapters *alone* are easily worth the price.

Aaron T. Rohyans
Senior Network Engineer
CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IPS, CQS-VPN, ISSP, CISP, JNCIA-ER
DPSciences Corporation
7400 N. Shadeland Ave., Suite 245
Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/
I want an Anti-Virus system that sends Arnold back in time to kill the hacker 
as a small child before he invents the virus...
There are 10 kinds of people in this world... those who can read binary, and 
those who can't

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Monday, January 18, 2010 1:18 PM
To: NT System Admin Issues
Subject: OT: Who out there knows Cisco?

I've got an opportunity to buy a used Cisco VXR (exact model unknown)
with 2 PA-POS-10C3 cards and a DS3 card for about $1500, from a
company that's going out of business.

Anyone think this is a really good deal, or is this thing past EOL?
Any ballpark figures on getting support for it?

Kurt

RE: VLAN question

2009-12-17 Thread Rohyans, Aaron
Short answer - yes!

 

What your phone vendor is referring to is simply VLAN segmentation and
it is an *essential* part of a well performing IP Telephony system.  The
phones likely have the capability to run an 802.1q trunk to your HP
switch.  What this essentially does, is allow the phone to 'tag' its
traffic using 802.1q headers for a specific VLAN (i.e. your new Voice
VLAN) as well as tag it with a specific Class of Service (CoS) value
(i.e. 802.1p - CS3 or CS5)... blah blah blah blah blah.  The PC sends
its traffic normally (un-'tagged') through the phone and into the
'Native' VLAN of the switch (Native = your Data VLAN).  Now, what this
means to you is that your PCs will operate normally as they did before,
but your phone will LOGICALLY separate its traffic from the rest of your
network.  Although it rides over the same cable, the traffic will be
logically separate as it enters/leaves the switch.  The fact that your
phone tags its traffic with CS3/CS5 (Media = CS5, Signaling = CS3) also
allows you to establish proper Quality of Service (QoS) trust boundaries
as well as provide proper Queuing/Policing/Priority mechanisms to ensure
that your phone traffic maintains precedence over your data traffic.
Remember, phones are unforgiving to network latency/packet loss.  So,
anytime we have the opportunity to 'screw' over normal PCs by shoving
phone traffic ahead of them - we should do it - their traffic is much
more forgiving to latency/packet loss.

 

Advantages to what your phone vendor is proposing:

* Creates a separate broadcast domain for your phones - phones
are very chatty (no pun intended :)) and tend to broadcast A LOT... why
should your PCs have to listen to these broadcasts when it doesn't
pertain to them - and vice versa?

* VLANs provide a decent level of protection in the event you
suffer from a broadcast storm on one of your subnets - i.e. you loop
your network by accident and the most you'll do is kill that one VLAN.
As it is now, if you were to accidentally loop your network, you'd kill
both phones and PCs.  With VLAN segmentation, hopefully the most you'll
kill is your PC side - leaving your phones unharmed :)

* The ability to build in QoS mechanisms (YES, you NEED QoS even
in a LAN environment) based on 802.1p tags or VLAN assignment (although,
you *could* provide QoS without VLANs using 802.1p tagging... but that's
no fun :))

* Easier traffic management (even for traffic outside of phones
- perhaps now you could put those 'chatty' printers into a VLAN by
themselves!)

* With proper QoS, your phones will no longer 'compete' for the
wire with your PC - they'll be given preferential treatment

 

Disadvantages:

* A more complicated (but well performing) network

* More subnets to manage/account for/route

* Really all you need is LAN QoS (proper trust boundaries and
priority queues setup in your switches) to resolve your issues here..
VLANs *will* add complexity

* You will have graduated from $50 switches, to $500 switches
overnight

 

All in all, I would completely agree with your phone vendor.  As it
stands right now, your phones are sharing the same media/broadcast
domain as your PCs and, thus, 'competing' for access to your network.
VLANs are a mechanism used to thwart this competition.  If you have the
ability, have your vendor reconfigure the Voice Gateway to operate in a
new test VLAN... place one or more phones into this test VLAN (on unused
switchports) and test your call quality.  I think you'll see the
difference!

 

Hope this helps!

 

Aaron T. Rohyans
Senior Network Engineer

CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IPS, CQS-VPN, ISSP, CISP,
JNCIA-ER

DPSciences Corporation
7400 N. Shadeland Ave., Suite 245

Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/

I want an Anti-Virus system that sends Arnold back in time to kill the
hacker as a small child before he invents the virus...

There are 10 kinds of people in this world... those who can read
binary, and those who can't
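To make the tagging described in the answer above concrete, here is an added example (not from the original post, nor from HP or Allworx) that builds and decodes 802.1Q-tagged frames in Python. The 4-byte tag (TPID 0x8100, then a 3-bit PCP, a DEI bit and a 12-bit VLAN ID) is what lets the phone's traffic travel logically separated on the same cable as the PC's untagged native-VLAN traffic, and the PCP field is the 802.1p value (3 for signalling, 5 for media, the CS3/CS5 values in the answer) that a QoS trust boundary reads. The voice VLAN number, the MAC addresses and the frames are constructed. The `classify` rule also shows the trust-boundary caveat: a PC that sets PCP 5 on the data VLAN does not get the voice queue.

```python
"""Build and decode the 802.1Q tag an IP phone puts on its frames.

Added example, not from the original post. It parses the 4-byte 802.1Q
tag (TPID 0x8100 followed by PCP/DEI/VID), shows that a tagged Voice VLAN
frame and an untagged PC frame can share one cable yet land in different
VLANs at the switch, and applies a simple trust-boundary rule: the 802.1p
priority (PCP 3 for signalling, PCP 5 for media) is honoured only on
frames that are actually in the voice VLAN. The VLAN number, the MAC
addresses and the frames are constructed, not captured.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
VOICE_VLAN = 200          # assumed voice VLAN id for the sample network
PCP_SIGNALING = 3         # 802.1p value the answer calls CS3
PCP_MEDIA = 5             # 802.1p value the answer calls CS5

# Constructed sample addresses.
PHONE_MAC = bytes.fromhex("001122aabbcc")
PC_MAC = bytes.fromhex("00aabb112233")
GATEWAY_MAC = bytes.fromhex("00ddeeff0011")


def build_frame(dst, src, payload, vlan=None, pcp=0, ethertype=ETHERTYPE_IPV4):
    """Assemble an Ethernet frame, inserting an 802.1Q tag when vlan is given."""
    header = dst + src
    if vlan is not None:
        tci = (pcp << 13) | (vlan & 0x0FFF)          # PCP:3 | DEI:1 (0) | VID:12
        header += struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    else:
        header += struct.pack("!H", ethertype)
    return header + payload


def parse_frame(frame):
    """Return dst, src, vlan (None when untagged), pcp, dei, ethertype, payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(), "src": src.hex(), "vlan": None, "pcp": None, "dei": None}
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["pcp"] = tci >> 13
        info["dei"] = (tci >> 12) & 1
        info["vlan"] = tci & 0x0FFF
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def classify(frame):
    """Trust-boundary decision for one ingress frame: which queue it earns."""
    f = parse_frame(frame)
    if f["vlan"] == VOICE_VLAN and f["pcp"] == PCP_MEDIA:
        return "voice-media"
    if f["vlan"] == VOICE_VLAN and f["pcp"] == PCP_SIGNALING:
        return "voice-signaling"
    return "data"   # untagged native-VLAN traffic, or a marking we do not trust


def demo():
    """Four frames arriving on the same access port; returns their classifications."""
    frames = {
        "phone-rtp": build_frame(GATEWAY_MAC, PHONE_MAC, b"rtp", vlan=VOICE_VLAN, pcp=PCP_MEDIA),
        "phone-sip": build_frame(GATEWAY_MAC, PHONE_MAC, b"sip", vlan=VOICE_VLAN, pcp=PCP_SIGNALING),
        "pc-untagged": build_frame(GATEWAY_MAC, PC_MAC, b"http"),
        # A PC that tags PCP 5 on the data VLAN: the marking is not honoured.
        "pc-self-marked": build_frame(GATEWAY_MAC, PC_MAC, b"http", vlan=10, pcp=PCP_MEDIA),
    }
    return {name: classify(frame) for name, frame in frames.items()}


if __name__ == "__main__":
    for name, queue in demo().items():
        print("%-15s -> %s" % (name, queue))
```

On a real switch the same decision is made by the port's trust setting and voice-VLAN configuration; the point of the code is only to show which bits the phone sets and which bits the switch should believe.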

 

From: Evan Brastow [mailto:ebras...@automatedemblem.com] 
Sent: Thursday, December 17, 2009 6:40 PM
To: NT System Admin Issues
Subject: OT: VLAN question

 

Preface: I have no idea what I'm talking about.

 

With that out of the way, I have a network consultant and a phone
supplier that are a little bit at odds.

 

We just purchased an Allworx IP phone system. All was going well until
it was made active today and it became apparent that voice quality was
horrible. The IP part is only internal... External calls go over
standard analog lines. But the problem is with internal calls as well as
external.

 

The Allworx phones share a 100Mbps network with the computers. We're a
small company (smaller than ever) with about 25 computers and 19 phones,
BUT, a lot of those phones and computers are out in production areas and
receive VERY little use (i.e., someone 

RE: Protecting LAN access from Wireless Access points

2009-12-16 Thread Rohyans, Aaron
What sort of switch are these APs connected to?

Aaron T. Rohyans
Senior Network Engineer
CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IPS, CQS-VPN, ISSP, CISP, JNCIA-ER
DPSciences Corporation
7400 N. Shadeland Ave., Suite 245
Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/
I want an Anti-Virus system that sends Arnold back in time to kill the hacker 
as a small child before he invents the virus...
There are 10 kinds of people in this world... those who can read binary, and 
those who can't

-Original Message-
From: Angus Scott-Fleming [mailto:angu...@geoapps.com] 
Sent: Wednesday, December 16, 2009 3:26 PM
To: NT System Admin Issues
Subject: Re: Protecting LAN access from Wireless Access points

On 16 Dec 2009 at 16:03, Mark Robinson wrote:

 
 Hi, I currently have two wireless access points that provide wireless
 access to the corporate LAN in two meeting rooms. To satisfy PCI compliance,
 I need to install a firewall between each access point and the LAN and only
 allow traffic from our corporate IP range through to the LAN. Has anyone done
 this before, and can you recommend any firewalls that will do the job? I have
 installed Smoothwall onto a PC and played around with it but I'm not sure if
 it's the best solution for what I need. Thanks, Mark 

Smoothwall will do the job, as will IPcop (a fork of Smoothwall which I prefer) 
and pfSense and most other FLOSS firewall distros.  

In IPCop you would set up a RED - BLUE - GREEN network with 3 NICs, RED being 
the Internet, GREEN being the LAN and BLUE being the WAPs.  I have this at one 
of my sites.  My green LAN is 10.79.2.x while my blue LAN uses 192.168.79.x. 
The blue LAN can only see the gateway, they don't even know about the 10.79.2.x 
space.  IPcop can provide DHCP services for the blue LAN as well as for the 
green LAN.

http://ipcop.org/
--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038



RE: Cisco RSPAN Question

2009-11-25 Thread Rohyans, Aaron
Reflector-ports need to be configured to be just any empty port on the
3550.  RSPAN and SPAN use the ASIC of an available switch port for
'processing power'.  Thus, the port you pick *cannot* be in use as the
ASIC tied to it will be 'stolen' by the SPAN/RSPAN process.  Newer
switches have a dedicated ASIC built-in to support SPAN/RSPAN sessions
without using a reflector-port, but the older switches require it.

 

Hope this helps!

 

Aaron T. Rohyans
Senior Network Engineer

CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IPS, CQS-VPN, ISSP, CISP,
JNCIA-ER

DPSciences Corporation
7400 N. Shadeland Ave., Suite 245

Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/

 

From: Kelsey, John [mailto:jckel...@drmc.org] 
Sent: Wednesday, November 25, 2009 11:26 AM
To: NT System Admin Issues
Subject: Cisco RSPAN Question

 

Ok, can one of you Cisco Gurus straighten me out please?



Trying to configure an RSPAN session between 2 devices on 2
switches.  The 'source' PC (the one whose traffic I want to see) is on a
3550 switch on fa0/24.  The 'destination' PC (my computer running a
packet capture) is on a 6509 switch on gi8/38.  I've created the RSPAN
vlan and it's propagated out via VTP.

 

My problem is, I'm not understanding what the 'reflector-port' is.  Is
that just any empty port on the same switch as the source computer?  So
my commands are below.

 

on the source switch
monitor session 1 source interface fa0/24 tx
monitor session 1 destination remote vlan 800 reflector-port fa0/??

on the destination switch
monitor session 1 source remote vlan 800
monitor session 1 destination interface gi8/38

 

Thanks all and have a happy Turkey Day!

 

***
John C. Kelsey, MCSE
Senior Network Analyst
DuBois Regional Medical Center
814.375.3073
814.375.4005
jckel...@drmc.org
***

 

 


RE: Citrix question, could use some guidance

2009-11-16 Thread Rohyans, Aaron
...You really need to be a serious packet-head like Aaron Rohyans in
order to best use and support those beasts.

Should I take offense to this? :)

Aaron T. Rohyans
Senior Network Engineer

CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IPS, CQS-VPN, ISSP, CISP,
JNCIA-ER

DPSciences Corporation
7400 N. Shadeland Ave., Suite 245

Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/

 

From: Webster [mailto:carlwebs...@gmail.com] 
Sent: Saturday, November 14, 2009 8:18 PM
To: NT System Admin Issues
Subject: RE: Citrix question, could use some guidance

 

IMO, Citrix would love to get rid of the Citrix Access Gateway (CAG) and
have everyone move to the NetScaler.  NetScaler is NOT cheap but
provides a huge amount of functionality and provides Global Load
Balancing Support (GLBS) [I believe that is the correct term].  GLBS
allows every NetScaler in an environment to monitor each other for very
intelligent DR.  NetScaler has all the functionality of the CAG and also
has the Advanced Access Control software built-in.  You really need to
be a serious packet-head like Aaron Rohyans in order to best use and
support those beasts.

Webster

 

From: Tom Miller [mailto:tmil...@hnncsb.org] 
Sent: Saturday, November 14, 2009 7:05 PM
To: NT System Admin Issues
Subject: RE: Citrix question, could use some guidance

 

Or if you have extra funds take a look at the Citrix Access Gateway
appliance (might be renamed soon, not too sure about that).  it's not
free (not much is from Citrix), but it keeps direct connections from
your XenApp servers, and you can run end point scanning, which I really
like.  A bit OT but my new CAG is slower than my old one (which is used
for another system), something to do with the interface redesign, I was
told.  

 

Tom Miller
Engineer, Information Technology
Hampton-Newport News Community Services Board
757-788-0528 

 Webster carlwebs...@gmail.com 11/14/2009 4:27 PM 
I wrote a 7-part series on Learning the Basics of XenApp 5 for Server
2003.
Part 1 is here http://www.dabcc.com/article.aspx?id=9785 and you can
easily
find the other parts.  All my Citrix articles are here:
http://www.dabcc.com/Webster .

What you are trying to do is not recommended or safe.  You need to add the
FREE Citrix Secure Gateway software on that server.  I wrote a 3-part
series
on doing that.

Webster



 -Original Message-
 From: Jeremy Anderson [mailto:jer...@mapiadmin.net]
 Subject: Citrix question, could use some guidance
 
 Morning / Afternoon everyone.
 
 I got tossed a project that was a former engineer / consultant's baby.
 Basically I was given a Citrix XenApp 5.5 server and told to make it
 work.  The last time I saw Citrix it was running on NT4, but with
 dreams of bonuses and being showered with praise at my amazing tech
 skills I said sure.  (actually I am afraid of my boss and there was no
 way to say no).
 
 There is no documentation from the former engineer, and he will not
 communicate with me.  I am ok with that.
 
 I have the XenApp server running, AD integration, published apps all
 working properly.  I am sure that there is some cleanup, and security
 lock downs that I will have to do, but for now, it works.  Published
 apps work.
 
 The Farm and all roles exist on one 2003 server.
 
 So here is my problem.  I cannot get this to work from outside of the
 firewall.  Inside, everything works fine.  On the VPN, everything
works
 fine.  From the Internet, I can log into the web page, see my
published
 apps.  When I click on the Published app, it says Unable to launch
 your application, Contact your help desk.  Cannot connect to the
Citrix
 XenApp server.  Could not find the specified Citrix Xenapp server.
 
 So I have made sure that all the ports are open in the firewall, and I
 can telnet to the ports.  Firewall is open.
 
 My question here is, I can't just open this to the Internet can I?  I
 need some sort of SSL relay, or Citrix Gateway server or something
 right?  Am I missing something here?
 
 Citrix documentation says  Securing connections to published
 applications with SSL/TLS. If plug-ins communicate with your farm
 across the Internet, Citrix recommends enabling SSL/TLS encryption
when
 you publish a resource. If you want to use SSL/TLS encryption, use
 either the SSL Relay feature (for farms with fewer than five servers)
 or the Secure Gateway to relay ICA traffic to the XenApp server. You
 can also use SSL Relay to secure Citrix XML Broker traffic.

 http://support.citrix.com/proddocs/index.jsp?topic=/xenapp5fp2-w2k3/ps-gs-intro-using-xenapp-fp2.html
 
 So do I need to configure a SSL relay, install a Secure Gateway?  I am
 so confused on this issue, and I am thinking it doesn't help that
 Citrix changes their product names more than I change my pants.
 
 
 Can anyone please just tell me or provide me a link, or some Google
 search terms on how to make published apps work on the Internet?



RE: Citrix question, could use some guidance

2009-11-16 Thread Rohyans, Aaron
:) I'm just giving you a hard time!  Thanks for the compliment!

Aaron T. Rohyans
Senior Network Engineer

CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IPS, CQS-VPN, ISSP, CISP,
JNCIA-ER

DPSciences Corporation
7400 N. Shadeland Ave., Suite 245

Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/

 

From: Webster [mailto:carlwebs...@gmail.com] 
Sent: Monday, November 16, 2009 10:44 AM
To: NT System Admin Issues
Subject: RE: Citrix question, could use some guidance

 

NO! That was intended as a high compliment.  IIRC, the cheapest
NetScaler is $25,000.  To implement GLBS would require, at a minimum,
$50,000 in hardware costs.  I would want a serious packet-head, like
you, to handle a setup like that.  To implement full local HA and GLBS
would then require a minimum investment of $100,000 just to cover two
sites.  I will let the packet-heads handle that stuff.  I will stick to
XenServer, XenApp, XenDesktop and Provisioning Server.  Those four items
keep my plate overflowing.

Webster

From: Rohyans, Aaron [mailto:arohy...@dpsciences.com] 
Subject: RE: Citrix question, could use some guidance

...You really need to be a serious packet-head like Aaron Rohyans in
order to best use and support those beasts.

Should I take offense to this? :)

Aaron T. Rohyans
Senior Network Engineer

CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IPS, CQS-VPN, ISSP, CISP,
JNCIA-ER

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

RE: Cisco sho int (reliabilty)

2009-10-29 Thread Rohyans, Aaron
*Some* CRCs and input errors are normal on circuits.  After clearing
counters and issuing the 'sh int' command, you have way too many.

 

Reliability is a measurement that some routing protocols use to
determine which link to take if multiple paths exist to a given
destination.  It should be 255/255 (indicating 100% uptime).  Whenever a
circuit flaps for any reason, reliability is decremented by 1.  Your
circuit has gone up and down several times it looks like.

 

Hard to say where the issue lies, but I would first give your carrier a
call and have them run intrusive testing on the circuit (since no one
can use it anyway).  Have them test *through* the CSU to the CPE side of
the DMarc.  In fact, if they'll do it, have them loop up the T1
controller on your router and run testing to that.  If it's a carrier
issue, this will find it.

 

What kind of DMarc extension are you running?  Is the router right next
to the Smart Jack?  Can you swap cables?  Just some thoughts...

 

HTH,

 

Aaron T. Rohyans
Senior Network Engineer

CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IPS, CQS-VPN, ISSP, CISP,
JNCIA-ER

DPSciences Corporation
7400 N. Shadeland Ave., Suite 245

Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/

 

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonhhc.com] 
Sent: Thursday, October 29, 2009 12:17 PM
To: NT System Admin Issues
Subject: RE: Cisco sho int (reliabilty)

 

I just cleared the counters, and now see:

 Received 135 broadcasts, 0 runts, 0 giants, 0 throttles
 258862 input errors, 172196 CRC, 86489 frame, 0 overrun, 0 ignored,
177 abort
 38629 packets output, 3695862 bytes, 0 underruns

 

Not a cisco expert here, but can this tell if the problem points to the
carrier or my equipment?

 

 


 



From: David Mazzaccaro [mailto:david.mazzacc...@hudsonhhc.com] 
Sent: Thursday, October 29, 2009 12:12 PM
To: NT System Admin Issues
Subject: Cisco sho int (reliabilty)

When I do a sho int serial0, I get this: 

reliability 138/255, txload 2/255, rxload 1/255 

I assume the reliability should always be 255/255, unless there is a
problem? 
Users can't get into any applications over this circuit. 

 

 

 

 

 

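A parser for the counters discussed in this thread, added here as an example and not code from the original posts: it pulls the reliability figure and the input-error line out of IOS 'show interfaces' text and applies the rule of thumb in Aaron's reply (a few errors after clearing counters are normal, this many are not). The first sample is constructed around the lines David quoted; the healthy second sample and the error threshold are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the reliability and counter lines are the ones quoted
# in this thread ('sh int serial0' after 'clear counters'); the status and
# MTU lines are added so it resembles complete 'show interfaces' output.
SAMPLE_SHOW_INT = """\
Serial0 is up, line protocol is up
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 138/255, txload 2/255, rxload 1/255
  Received 135 broadcasts, 0 runts, 0 giants, 0 throttles
  258862 input errors, 172196 CRC, 86489 frame, 0 overrun, 0 ignored, 177 abort
  38629 packets output, 3695862 bytes, 0 underruns
"""

# Constructed healthy interface for comparison (assumption, not from the thread).
HEALTHY_SHOW_INT = """\
Serial1 is up, line protocol is up
     reliability 255/255, txload 1/255, rxload 1/255
  3 input errors, 3 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  901234 packets output, 77123456 bytes, 0 underruns
"""

# A handful of errors after 'clear counters' is normal; this is an assumed cutoff.
INPUT_ERROR_THRESHOLD = 100

_STATUS_RE = re.compile(
    r"^(\S+) is (up|down|administratively down), line protocol is (up|down)", re.M
)
_RELIABILITY_RE = re.compile(r"reliability (\d+)/255")
_ERRORS_RE = re.compile(
    r"(\d+) input errors, (\d+) CRC, (\d+) frame, (\d+) overrun, (\d+) ignored(?:, (\d+) abort)?"
)


@dataclass
class SerialHealth:
    interface: str
    line_protocol_up: bool
    reliability: int        # numerator of the X/255 figure
    input_errors: int
    crc: int
    frame: int
    abort: Optional[int]    # not every interface type reports an abort counter

    @property
    def reliability_pct(self) -> float:
        return round(100.0 * self.reliability / 255, 1)


def parse_show_interfaces(text: str) -> SerialHealth:
    """Extract the fields the thread cares about from IOS 'show interfaces' text."""
    status = _STATUS_RE.search(text)
    rel = _RELIABILITY_RE.search(text)
    err = _ERRORS_RE.search(text)
    if not (status and rel and err):
        raise ValueError("not 'show interfaces' output: status, reliability or error line missing")
    return SerialHealth(
        interface=status.group(1),
        line_protocol_up=status.group(3) == "up",
        reliability=int(rel.group(1)),
        input_errors=int(err.group(1)),
        crc=int(err.group(2)),
        frame=int(err.group(3)),
        abort=int(err.group(6)) if err.group(6) is not None else None,
    )


def assess(h: SerialHealth) -> List[str]:
    """Findings plus the next steps suggested in the reply above; empty means the circuit looks clean."""
    findings = []
    if not h.line_protocol_up:
        findings.append(f"{h.interface}: line protocol is down")
    if h.reliability < 255:
        findings.append(
            f"{h.interface}: reliability {h.reliability}/255 ({h.reliability_pct}%), "
            "the circuit has not been stable"
        )
    if h.input_errors > INPUT_ERROR_THRESHOLD:
        findings.append(
            f"{h.interface}: {h.input_errors} input errors ({h.crc} CRC, {h.frame} frame) "
            "since counters were cleared; have the carrier run intrusive testing through "
            "the CSU to the demarc, check the demarc extension, and swap cables"
        )
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_SHOW_INT, HEALTHY_SHOW_INT):
        health = parse_show_interfaces(sample)
        print(health)
        for line in assess(health):
            print("  -", line)
```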

RE: ADSL router with different subnets on each port

2009-10-08 Thread Rohyans, Aaron
Is the built-in ADSL port a requirement?  If not, there are plenty of
options out there to do what you want... (Cisco 871, 877, ASA 5505, etc)

 

If so, the 857w has a built-in 4 port switch as well as ADSL, but will
not allow you to utilize more than 1 wired VLAN.  You can, however, use
Secondary IPs on the VLAN interface if all you need is for this router
to route between two different subnets sitting behind it.  Messy, but
it'll work.

 

I only bring this up because I happen to have a near brand new one that
is sitting in my closet collecting dust :)

 

Other option would be to purchase an 1841 or better with 2 WIC slots...
throw an ADSL WIC into one slot (also have one of those if you need :) )
and a HWIC-4ESW to have 4 Ethernet ports.

 

The el-cheapo option would be to purchase an old 1721 off of eBay and
throw an ADSL WIC + WIC-4ESW (*not* HWIC) into it to achieve the same
effect.

 

Hope this helps!

 

Aaron T. Rohyans
Senior Network Engineer

CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IPS, CQS-VPN, ISSP, CISP,
JNCIA-ER

DPSciences Corporation
7400 N. Shadeland Ave., Suite 245

Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/

 

From: HELP_PC [mailto:g...@enter.it] 
Sent: Thursday, October 08, 2009 1:40 PM
To: NT System Admin Issues
Subject: ADSL router with different subnets on each port

 

 

I am looking for an ADSL router where I can address different subnets
(at least 2) on each of the normal 4 port hub included

Is it possible? 

TIA 

GuidoElia 
HELPPC 

 

 


RE: Cisco VPN Client Weirdness

2009-09-03 Thread Rohyans, Aaron
This is the *only* PC with these issues?  i.e. Other PCs can access this
vpngroup within your PIX and get to resources just fine?  If so, check
MTU settings on the client... try pinging internal resources using ping
1.1.1.1 -l 32 from DOS.  If that works, start bumping up the value
after -l higher and higher until pings fail.  Then, use the Set MTU
utility to decrease the maximum MTU for the client.

 

If this *isn't* the only PC suffering from the problem... check your NAT
settings.  If you can connect just fine, but not access any resources...
chances are, they're being NATed on the return trip and shouldn't be.

 

Hope this helps,

 

Aaron T. Rohyans
Senior Network Engineer

CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IPS, CQS-VPN, ISSP, CISP,
JNCIA-ER

DPSciences Corporation
7400 N. Shadeland Ave., Suite 245

Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/

 

From: Roger Wright [mailto:rhw...@gmail.com] 
Sent: Thursday, September 03, 2009 5:05 PM
To: NT System Admin Issues
Subject: Re: Cisco VPN Client Weirdness

 

Windows FW is disabled.  

 

Can't access internet - split-tunneling is disabled

 

Good idea - I turn up the log settings and observe!



Roger Wright
___

Sent from Tampa, Florida, United States



On Thu, Sep 3, 2009 at 4:39 PM, Charlie Kaiser
charl...@golden-eagle.org wrote:

Once you connect the VPN, can you access any local or non-vpn resources?
Like go to google.com?

Is windows firewall running?

What does the VPN log show? Anything of interest?

***
Charlie Kaiser
charl...@golden-eagle.org
Kingman, AZ
***

 -Original Message-
 From: Roger Wright [mailto:rhw...@gmail.com]
 Sent: Thursday, September 03, 2009 1:40 PM
 To: NT System Admin Issues
 Subject: Cisco VPN Client Weirdness

 Argh... I'm pulling my hair out on this one!

 New R500 laptop with Cisco VPN client on Windows XP.  I can
 make the tunnel connections all day long but can't hit any
 resources inside the network.  I've noticed that when the VPN
 is active my gateway IP is the same as the VPN-assigned
 machine IP so I guess that makes sense.

 But this happens regardless of which VPN endpoint I hit,
 which creds I use, wired or wireless NIC, etc.   And on this
 machine only.  And when comparing the client settings with
 another they appear identical.

 I've removed and reinstalled the OS, the Cisco client,
 reverted to a previous version, logged in locally, etc, etc, - no go.

 Any suggestions?


 Roger Wright
 ___
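The MTU walk in Aaron's reply above (ping with a growing -l size until it fails, then lower the client MTU) written up as a binary search, added here as an example rather than code from the thread. The probe sends one echo with the don't-fragment bit set so that a failure means that size cannot cross the tunnel; the host name, the Windows ping -f/-l and Linux iputils -M do/-s flags, and the 1400-byte path in the simulated probe are assumptions.

```python
import platform
import subprocess
from typing import Callable

ICMP_IPV4_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def find_max_payload(probe: Callable[[int], bool], lo: int = 32, hi: int = 1472) -> int:
    """Largest ICMP payload size in [lo, hi] for which probe() succeeds.

    Binary search instead of the linear 'bump it up until it fails' walk.
    Assumes probe is monotone: if size N fails, every larger size fails.
    Returns -1 if even `lo` fails (the tunnel is not passing traffic at all).
    """
    if not probe(lo):
        return -1
    if probe(hi):
        return hi
    # invariant: probe(lo) succeeds, probe(hi) fails
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def path_mtu_from_payload(payload: int) -> int:
    """Path MTU implied by the largest payload that got through."""
    return payload + ICMP_IPV4_OVERHEAD


def simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for ping: a DF-set echo fits only if payload + 28 <= path_mtu."""
    def probe(size: int) -> bool:
        return size + ICMP_IPV4_OVERHEAD <= path_mtu
    return probe


def ping_probe(host: str, timeout_s: int = 2) -> Callable[[int], bool]:
    """Real probe using the OS ping: one echo, don't-fragment set, `size` bytes of payload.

    Assumes Windows ping (-f -l) or Linux iputils ping (-M do -s); macOS ping differs.
    """
    def probe(size: int) -> bool:
        if platform.system() == "Windows":
            cmd = ["ping", "-n", "1", "-f", "-l", str(size), "-w", str(timeout_s * 1000), host]
        else:
            cmd = ["ping", "-c", "1", "-M", "do", "-s", str(size), "-W", str(timeout_s), host]
        res = subprocess.run(cmd, capture_output=True, text=True)
        # Require a reply line as well as exit status 0, so a 'needs to be fragmented'
        # error is never mistaken for a reply (assumption: English output with TTL=).
        return res.returncode == 0 and ("TTL=" in res.stdout or "ttl=" in res.stdout)
    return probe


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None   # hypothetical VPN-side host
    probe = ping_probe(target) if target else simulated_probe(1400)
    payload = find_max_payload(probe)
    if payload < 0:
        print("even a 32-byte ping fails: the tunnel is not passing traffic")
    else:
        print(f"largest payload {payload} bytes -> path MTU {path_mtu_from_payload(payload)}")
```

Run it with a host name to probe a real path; with no argument it uses the simulated 1400-byte path.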

RE: Cisco VPN client on Vista 64 bit

2009-08-07 Thread Rohyans, Aaron
The older IPSec client is going away in favor of the AnyConnect SSL VPN
Client (which works on all 32/64 bit platforms).  Eventually, Cisco will
add IPSec support for the AnyConnect client (so that it can connect using
SSL, or traditional methods), but for now it is completely SSL based.
You get 2 free Premium licenses with the Base License of an ASA -
standard.  You can purchase AnyConnect Essentials licenses (which give
you everything you need to create a full VPN tunnel) for about $200 for
100 users - so the price is reasonable.  The Premium version of the
licenses add the capability to do WebVPN Proxy as well, but will run you
significantly more.

 

You cannot run Essentials/Premium licenses simultaneously... it is one
or the other.  For simple VPN tunneling capabilities (like what the
older IPSec client did)... the Essentials is what you want and you can
pick up 100 licenses for next to nothing.

 

As someone else mentioned, you can also generate a self-signed cert on
the ASA for free, but your users will need to click through a few
warnings in order to connect (similar to how IE forces you to
acknowledge that you are going to a secure site that it doesn't trust).
I always recommend enrolling with a 3rd party CA (Entrust, Verisign,
GoDaddy, etc.) to make installations and subsequent connections go
smoothly.

 

Hope this helps!

 

Aaron T. Rohyans
Senior Network Engineer

CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IPS, CQS-VPN, ISSP, CISP,
JNCIA-ER

DPSciences Corporation
7400 N. Shadeland Ave., Suite 245

Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/

 

From: Owens, Michael [mailto:michael.ow...@dys.ohio.gov] 
Sent: Friday, August 07, 2009 8:24 AM
To: NT System Admin Issues
Subject: RE: Cisco VPN client on Vista 64 bit

 

ahahhaah Well I guess there's that too. 

 

Wow it's early.

 



From: David W. McSpadden [mailto:dav...@imcu.org] 
Sent: Friday, August 07, 2009 8:23 AM
To: NT System Admin Issues
Subject: Re: Cisco VPN client on Vista 64 bit

Just more licenses...

- Original Message - 

From: Owens, Michael mailto:michael.ow...@dys.ohio.gov  

To: NT System Admin Issues
mailto:ntsysadmin@lyris.sunbelt-software.com  

Sent: Friday, August 07, 2009 8:19 AM

Subject: RE: Cisco VPN client on Vista 64 bit

 

So wait - when Windows 7 comes out, (and supposedly everyone
goes to it) Everyone will need to buy new ASAs, or more SSL licenses? I
read that Ncp secure entry client, works... I don't suppose anyone has
given it a shot?

 

 


http://www.ncp-e.com/en/solutions/vpn-products/secure-entry-client.html



From: Jon Harris [mailto:jk.har...@gmail.com] 
Sent: Friday, August 07, 2009 8:11 AM
To: NT System Admin Issues
Subject: Re: Cisco VPN client on Vista 64 bit

ASA will generate a self-signed cert for you and on X64 you will
use AnyConnect.  Depending on how you set it up you can make it so that
only preinstalled users can access it.  I just finished getting ours up
and running with 2 clients using the AnyConnect, and now have to look at
getting an expanded license so that I can use the AnyConnect more.

 

Jon

On Fri, Aug 7, 2009 at 8:02 AM, N Parr npar...@mortonind.com
wrote:

Load a cert and away you go, it's all web based.  

 



From: Owens, Michael [mailto:michael.ow...@dys.ohio.gov] 

Sent: Friday, August 07, 2009 6:59 AM 


To: NT System Admin Issues

Subject: RE: Cisco VPN client on Vista 64 bit

 

I was afraid you'd say that. It actually isn't MY ASA. I do side
work for a company I used to work for... one of the big wigs there still
refuses to use anyone but me, and he pays me well!

 

Anyway I guess I walked into this one. :)

 

With the SSL licenses, how do you connect?

 

Mike

 



From: Eldridge, Dave [mailto:d...@parkviewmc.com] 

Sent: Friday, August 07, 2009 7:53 AM 


To: NT System Admin Issues
Subject: RE: Cisco VPN client on Vista 64 bit

 

Nadda.

Did your asa come with 3 ssl licenses? Mine did and that is what
I use.

It will be interesting to see what they do with 64 bit 7.

 

From: Owens, Michael [mailto:michael.ow...@dys.ohio.gov] 
Sent: Friday, August 07, 2009 5:50 AM
To: NT System Admin Issues
Subject: Cisco VPN client on Vista 64 bit

 

I think I remember seeing someone post about this a while
back... 

 

Is there something that will connect to an ASA (preferably free)
since apparently Cisco has never made (and has no intention of making) a
64 

RE: Cisco VPN client on Vista 64 bit

2009-08-07 Thread Rohyans, Aaron
Not entirely sure - but from what I've heard, it's either or... i.e. you
buy 100 Essentials licenses now... then down the road you cannot
upgrade to a premium... you have to purchase an entirely new set of
100 Premium licenses.  Thus, your ASA becomes a Premium only SSL box.
Your users will remain unaffected as it's the same AnyConnect client for
both license structures.  You'll just get the ability to do WebVPN proxy
as well.  That (IMHO) is why they made the Essentials package so much
cheaper - +/-$200 now is justifiable for quick connectivity, but sooner
or later you'll probably have to spend the real money on the Premium
licenses.

 

Also, with version 8.2 of the ASA code, Cisco now gives you the ability
to do Flex Licensing.  Flex Licensing allows you to buy, say 100
Essentials and 100 Premium licenses, throw them onto a License Server
(another ASA), then have all 200 of your License Server licenses be
allocated dynamically to multiple ASAs around your environment (each
child ASA will enroll with the License server to request SSL licenses
as the needs arise).

 

Aaron T. Rohyans
Senior Network Engineer

CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IPS, CQS-VPN, ISSP, CISP,
JNCIA-ER

DPSciences Corporation
7400 N. Shadeland Ave., Suite 245

Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/

 

From: Jon Harris [mailto:jk.har...@gmail.com] 
Sent: Friday, August 07, 2009 8:41 AM
To: NT System Admin Issues
Subject: Re: Cisco VPN client on Vista 64 bit

 

Aaron,

 

How hard is it to switch from one license form to another?  I will be
looking at that soon.

 

Jon


RE: Cisco VPN client on Vista 64 bit

2009-08-07 Thread Rohyans, Aaron
Well - you're describing two different licenses - so yes, back to your
point, Cisco is getting difficult on license options :)

 

The ASA platform itself has several different licenses (Base, Security
Plus, VPN Edition, etc.).  All come with the 2 free Premium SSL
Licenses.

 

What we're referring to here is an *additional* license to buy on top of
your Base/Security Plus/VPN Edition license to give you the capability
to run more concurrent SSL users.  SSL is just a licensed feature of
your normal ASA license if that makes sense.  As is Phone Proxy,
Advanced Endpoint Assessment, etc.

 

So, from what you're describing, your normal platform license will
always remain the Security Plus license, but you will be upgrading the
SSL features of the Security Plus license to include more concurrent SSL
users.

 

Hope that makes sense :)

 

Aaron T. Rohyans
Senior Network Engineer

CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IPS, CQS-VPN, ISSP, CISP,
JNCIA-ER

DPSciences Corporation
7400 N. Shadeland Ave., Suite 245

Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/

 

From: Jon Harris [mailto:jk.har...@gmail.com] 
Sent: Friday, August 07, 2009 10:05 AM
To: NT System Admin Issues
Subject: Re: Cisco VPN client on Vista 64 bit

 

That last sounds expensive unless we can use a 5505 to be the license
server.  I think we have the Premium license now it is called Security
Plus and gave me the 2 AnyConnects I have now but does give me an option
to add additional licenses.  Cisco is getting just as hard as Microsoft
to deal with on licenses.

 

Jon


RE: Cisco VPN client on Vista 64 bit

2009-08-07 Thread Rohyans, Aaron
All you need is the Essentials then - gives you the same functionality
of the older IPSec client (full tunnel back to corporate).  If you don't
care about the WebVPN stuff, then you don't ever need to worry about
upgrading again to Premium - just stick with the Essentials from here on
out.

 

Aaron T. Rohyans
Senior Network Engineer

CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IPS, CQS-VPN, ISSP, CISP,
JNCIA-ER

DPSciences Corporation
7400 N. Shadeland Ave., Suite 245

Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/

 

From: Jon Harris [mailto:jk.har...@gmail.com] 
Sent: Friday, August 07, 2009 10:43 AM
To: NT System Admin Issues
Subject: Re: Cisco VPN client on Vista 64 bit

 

Yeah it makes sense but I wish they would have just stayed cut and dried
and not followed the crowd and gone with this licensing structure.

 

So do I need the Premium license or can I get away with an Essentials
license?  The AnyConnect will work on a Mac so I don't need or want the
Web based VPN operational, which is how it is set up now.  (No web based
VPN)  I have several staffers that on the next OS refresh will be going
to X64 on their machines and they will need the VPN.

 

Jon


RE: Cisco VPN client on Vista 64 bit

2009-08-07 Thread Rohyans, Aaron
If you're using the traditional IPSec client, I believe you can have up
to 25 clients, *plus* 2 additional SSL VPN Clients, for a total of 27
concurrent users.

 

Aaron T. Rohyans
Senior Network Engineer

CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IPS, CQS-VPN, ISSP, CISP,
JNCIA-ER

DPSciences Corporation
7400 N. Shadeland Ave., Suite 245

Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/

 

From: Jon Harris [mailto:jk.har...@gmail.com] 
Sent: Friday, August 07, 2009 11:45 AM
To: NT System Admin Issues
Subject: Re: Cisco VPN client on Vista 64 bit

 

Just so I know for sure on a 5505 with the Security Plus license I can
have 10 total VPN clients accessing the device with only 2 of those
being the AnyConnect that is correct, right?

 

Jon

On Fri, Aug 7, 2009 at 11:18 AM, Jon Harris jk.har...@gmail.com wrote:

Good to know EDU pricing on Essentials is sweet.

 

Jon

On Fri, Aug 7, 2009 at 10:50 AM, Rohyans, Aaron
arohy...@dpsciences.com wrote:

All you need is the Essentials then - gives you the same functionality
of the older IPSec client (full tunnel back to corporate).  If you don't
care about the WebVPN stuff, then you don't ever need to worry about
upgrading again to Premium - just stick with the Essentials from here on
out.

 

Aaron T. Rohyans
Senior Network Engineer

CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IPS, CQS-VPN, ISSP, CISP,
JNCIA-ER

DPSciences Corporation
7400 N. Shadeland Ave., Suite 245

Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/

 

From: Jon Harris [mailto:jk.har...@gmail.com] 
Sent: Friday, August 07, 2009 10:43 AM 


To: NT System Admin Issues
Subject: Re: Cisco VPN client on Vista 64 bit

 

Yeah it makes sense but I wish they would have just stayed cut and dried
and not followed the crowd and gone with this licensing structure.

 

So do I need the Premium license or can I get away with an Essentials
license.  The AnyConnect will work on a Mac so I don't need or want the
Web based VPN operational, which is how it is setup now.  (No web based
VPN)  I have several staffers that on the next OS refresh will be going
to X64 on their machines and they will need the VPN.

 

Jon

On Fri, Aug 7, 2009 at 10:26 AM, Rohyans, Aaron
arohy...@dpsciences.com wrote:

Well - you're describing two different licenses - so yes, back to your
point, Cisco is getting difficult on license options J

 

The ASA platform itself has several different licenses (Base, Security
Plus, VPN Edition, etc.).  All come with the 2 free Premium SSL
Licenses.

 

What we're referring to here is an *additional* license to buy on top of
your Base/Security Plus/VPN Edition license to give you the capability
to run more concurrent SSL users.  SSL is just a licensed feature of
your normal ASA license if that makes sense.  As is Phone Proxy,
Advanced Endpoint Assessment, etc.

 

So, from what you're describing, your normal platform license will
always remain the Security Plus license, but you will be upgrading the
SSL features of the Security Plus license to include more concurrent SSL
users.

 

Hope that makes sense :)

 

Aaron T. Rohyans
Senior Network Engineer

CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IPS, CQS-VPN, ISSP, CISP,
JNCIA-ER

DPSciences Corporation
7400 N. Shadeland Ave., Suite 245

Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/

 

From: Jon Harris [mailto:jk.har...@gmail.com] 
Sent: Friday, August 07, 2009 10:05 AM 


To: NT System Admin Issues
Subject: Re: Cisco VPN client on Vista 64 bit

 

That last sounds expensive unless we can use a 5505 to be the license
server.  I think we have the Premium license now it is called Security
Plus and gave me the 2 AnyConnects I have now but does give me an option
to add additional licenses.  Cisco is getting just as hard as Microsoft
at dealing with on licenses.

 

Jon

On Fri, Aug 7, 2009 at 9:56 AM, Rohyans, Aaron arohy...@dpsciences.com
wrote:

Not entirely sure - but from what I've heard, it's either or... i.e. you
buy 100 Essentials licenses now... then down the road you cannot
upgrade to a premium... you have to purchase an entirely new set of
100 Premium licenses.  Thus, your ASA becomes a Premium only SSL box.
Your users will remain unaffected as it's the same AnyConnect client for
both license structures.  You'll just get the ability to do WebVPN proxy
as well.  That (IMHO) is why they made the Essentials package so much
cheaper - +/-$200 now is justifiable for quick connectivity, but sooner
or later you'll probably have to spend the real money on the Premium
licenses.

 

Also, with version 8.2 of the ASA code, Cisco now gives you the ability
to do Flex Licensing.  Flex Licensing allows you to buy, say 100
Essentials and 100 Premium licenses, throw them onto a License Server
(another ASA), then have all 200 of your License Server

RE: VLAN tagging in Windows 2003 x64

2009-07-24 Thread Rohyans, Aaron
Kinda sounds like you don't have the native VLAN setup correctly on your
trunk.  For instance, if your server is part of VLAN 100, your trunk
config would be:

 

interface fa0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 100

 

Hope this helps!

 

Aaron T. Rohyans
Senior Network Engineer

CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IPS, CQS-VPN, ISSP, CISP,
JNCIA-ER

DPSciences Corporation
7400 N. Shadeland Ave., Suite 245

Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/

 

From: Webb, Brian (Corp) [mailto:brian.w...@teldta.com] 
Sent: Friday, July 24, 2009 3:43 PM
To: NT System Admin Issues
Subject: VLAN tagging in Windows 2003 x64

 

Anyone seen any issues with VLAN tagging on a Windows 2003 x64 machine?

 

We are trying to move a NetBackup server from an x86 machine to an x64
machine and are having problems getting the multiple VLANs on a single
NIC to work.  We have had our network people check the Cisco trunking
config 3 different times and they say it is right.  Ping works to all
VLANs.  Tracert works to all VLANs and shows only the one hop as
expected when going to a machine a VLAN that is tagged.  RDP fails when
connecting to a host on a tagged VLAN, but works when the target is on
the default VLAN (or VLAN that can be reached by route on the default
VLAN).

 

Any ideas?

 

We are using the most recent HP teaming NIC drivers with the 2 built in
HP NICs teamed in a fault tolerant with preference config and the tagged
VLANs are listed in the HP network configuration.

 

 

Brian Webb

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~
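How the native VLAN setting decides where the server's untagged frames end up, as an added example (not from the list post and not Cisco code). It models a Catalyst-style trunk: untagged frames are placed in the native VLAN, tagged frames are accepted when their VLAN is allowed, and the model follows IOS in using `switchport access vlan` only while the port is in access mode (verify on your platform). The interface stanzas fed to it are constructed from the one in the reply.

```python
"""Simplified model of 802.1Q ingress classification on a Cisco IOS port.

Added example, not from the thread. Assumptions: untagged frames -> native
VLAN on a trunk; tagged frames accepted if in the allowed list; the access
VLAN only applies in access mode; voice VLANs and 'vlan dot1q tag native'
are out of scope.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Port:
    name: str
    mode: str = "access"            # "access" or "trunk"
    access_vlan: int = 1
    native_vlan: int = 1
    allowed: Optional[set] = None   # None = every VLAN allowed on the trunk


def _expand(spec: str) -> set:
    """Expand an allowed-VLAN list like '1,100-102,200' into a set."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_interface(stanza: str) -> Port:
    """Parse one 'interface ...' stanza from show running-config."""
    lines = [l.strip() for l in stanza.strip().splitlines() if l.strip()]
    m = re.match(r"interface\s+(\S+)", lines[0])
    if not m:
        raise ValueError("stanza must start with 'interface <name>'")
    port = Port(name=m.group(1))
    for line in lines[1:]:
        if line == "switchport mode trunk":
            port.mode = "trunk"
        elif line == "switchport mode access":
            port.mode = "access"
        elif (m := re.match(r"switchport access vlan (\d+)", line)):
            port.access_vlan = int(m.group(1))
        elif (m := re.match(r"switchport trunk native vlan (\d+)", line)):
            port.native_vlan = int(m.group(1))
        elif (m := re.match(r"switchport trunk allowed vlan ([\d,\-]+)", line)):
            port.allowed = _expand(m.group(1))
    return port


def ingress_vlan(port: Port, tag: Optional[int]) -> Optional[int]:
    """VLAN a received frame is placed in; None means the switch drops it.
    tag=None models an untagged frame (what a plain server NIC sends)."""
    if port.mode == "access":
        return port.access_vlan if tag is None else None
    if tag is None:
        return port.native_vlan
    if port.allowed is not None and tag not in port.allowed:
        return None
    return tag


def lint(port: Port) -> list:
    """Warnings a reviewer would want before trusting this trunk."""
    warnings = []
    if port.mode == "trunk" and port.native_vlan == 1:
        warnings.append("native VLAN left at 1: untagged frames land in the default VLAN")
    if port.mode == "trunk" and port.allowed is None:
        warnings.append("all VLANs allowed on trunk: prune to the VLANs the host needs")
    return warnings


# Constructed input: the stanza from the reply, and the same trunk without it
WITH_NATIVE = """interface fa0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 100
"""
DEFAULT_NATIVE = """interface fa0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
"""

if __name__ == "__main__":
    for stanza in (WITH_NATIVE, DEFAULT_NATIVE):
        p = parse_interface(stanza)
        print(p.name, "untagged frame ->", ingress_vlan(p, None), lint(p))
```

Run it and the two stanzas show the difference the reply is pointing at: the server's untagged traffic lands in VLAN 100 only when the native VLAN says so; with the default it ends up in VLAN 1, while tagged VLANs keep working, which is exactly the "ping works, RDP fails on the untagged VLAN" pattern.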

RE: VLAN tagging in Windows 2003 x64

2009-07-24 Thread Rohyans, Aaron
Also - you could set an access VLAN on the trunk to accomplish the same
thing - 

 

interface fa0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport access vlan 100

 

Hope this helps!

 

Aaron T. Rohyans
Senior Network Engineer

CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IPS, CQS-VPN, ISSP, CISP,
JNCIA-ER

DPSciences Corporation
7400 N. Shadeland Ave., Suite 245

Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/

 


RE: Slow network - cause?

2009-06-30 Thread Rohyans, Aaron
  5 minute output rate 33000 bits/sec, 71 packets/sec
 2594866 packets input, 484441142 bytes, 0 no buffer
 Received 7990 broadcasts, 0 runts, 0 giants, 0 throttles
 3257 input errors, 3257 CRC, 1451 frame, 787 overrun, 0 ignored,
2442 abort
 2748601 packets output, 426296137 bytes, 0 underruns
 0 output errors, 0 collisions, 182 interface resets
 0 output buffer failures, 0 output buffers swapped out
 7 carrier transitions
 DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

 

**3257 input errors, 3257 CRC, 1451 frame, 787 overrun, 0 ignored, 2442
abort**

 

Are these incrementing?  Looks as though you have some issues going on
here You might want to have the carrier test the circuit during
off-hours.  Have them test *through* the CSU to the CPE side of the
DMarc.

 

Hope this helps!

 

Aaron T. Rohyans
Senior Network Engineer

CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IPS, CQS-VPN, ISSP, CISP,
JNCIA-ER

DPSciences Corporation
7400 N. Shadeland Ave., Suite 245

Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/

 

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonhhc.com] 
Sent: Tuesday, June 30, 2009 10:16 AM
To: NT System Admin Issues
Subject: RE: Slow network - cause?

 

And this is my WAN interface...

~~~

Serial0/0/0 is up, line protocol is up
  Hardware is GT96K with integrated T1 CSU/DSU
  Description: = MPLS VPN
  Internet address is yyy.yyy.yyy.yyy/yy
  MTU 1500 bytes, BW 512 Kbit, DLY 2 usec,
 reliability 255/255, txload 16/255, rxload 40/255
  Encapsulation HDLC, loopback not set
  Keepalive set (10 sec)
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of show interface counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops:
401
  Queueing strategy: Class-based queueing
  Output queue: 0/1000/64/398 (size/max total/threshold/drops)
 Conversations  0/8/128 (active/max active/max total)
 Reserved Conversations 1/1 (allocated/max allocated)
 Available Bandwidth 6 kilobits/sec
  5 minute input rate 81000 bits/sec, 56 packets/sec
  5 minute output rate 33000 bits/sec, 71 packets/sec
 2594866 packets input, 484441142 bytes, 0 no buffer
 Received 7990 broadcasts, 0 runts, 0 giants, 0 throttles
 3257 input errors, 3257 CRC, 1451 frame, 787 overrun, 0 ignored,
2442 abort
 2748601 packets output, 426296137 bytes, 0 underruns
 0 output errors, 0 collisions, 182 interface resets
 0 output buffer failures, 0 output buffers swapped out
 7 carrier transitions
 DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

 



From: David Mazzaccaro [mailto:david.mazzacc...@hudsonhhc.com] 
Sent: Tuesday, June 30, 2009 10:13 AM
To: NT System Admin Issues
Subject: RE: Slow network - cause?

Here is my LAN interface...does this look ok?

FastEthernet0/0 is up, line protocol is up
  Hardware is Gt96k FE, address is 0015.faca.6d62 (bia 0015.faca.6d62)
  Description: = Cisco 1841 s/n XX

  Internet address is 192.168.5.1/24
  MTU 1500 bytes, BW 10 Kbit, DLY 100 usec,
 reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:23, output 00:00:00, output hang never
  Last clearing of show interface counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 56000 bits/sec, 70 packets/sec
  5 minute output rate 73000 bits/sec, 58 packets/sec
 2712737 packets input, 451757850 bytes
 Received 1674 broadcasts, 0 runts, 0 giants, 0 throttles
 2 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
 0 watchdog
 0 input packets with dribble condition detected
 2572522 packets output, 506280768 bytes, 0 underruns
 0 output errors, 971 collisions, 3 interface resets
 0 babbles, 0 late collision, 0 deferred
 0 lost carrier, 0 no carrier
 0 output buffer failures, 0 output buffers swapped out

 



From: Fergal O'Connell [mailto:foconn...@curamsoftware.com] 
Sent: Tuesday, June 30, 2009 9:31 AM
To: NT System Admin Issues
Subject: RE: Slow network - cause?

Check for any port mis match or any rate limiting implemented? 

 

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonhhc.com] 
Sent: 30 June 2009 14:18
To: NT System Admin Issues
Subject: Slow network - cause?

 

I have a site-site VPN network. 
My main site connects to 8 remote sites over a frame relay MPLS cloud. 
Connection between me and 7 sites is perfect... no problems. 
One of my sites however, is experiencing very slow network connectivity.

If I ping the remote router from my workstation, I get 40% - 60% replies
with 20-30ms response times (the response 
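The "are these incrementing?" check from the reply, done from two captures instead of by eye, as an added example (not from the thread). It pulls the error counters out of `show interface` text and reports only the ones that grew between captures, since counters that were never cleared (as in the posted output) carry history that may be months old. The first snapshot is the serial interface output posted above; the second is a constructed later capture with the same layout.

```python
"""Diff error counters between two 'show interface' captures (added example)."""
import re

# Counters worth tracking from IOS 'show interface' output
COUNTERS = ["input errors", "CRC", "frame", "overrun", "ignored", "abort",
            "output errors", "collisions", "interface resets",
            "carrier transitions"]


def parse_counters(text: str) -> dict:
    """Pull '<n> <counter name>' pairs out of a show interface capture."""
    found = {}
    for name in COUNTERS:
        m = re.search(r"(\d+)\s+" + re.escape(name) + r"\b", text)
        if m:
            found[name] = int(m.group(1))
    return found


def delta(before: dict, after: dict) -> dict:
    """Per-counter change between captures (negative means they were cleared)."""
    return {k: after[k] - before[k] for k in before if k in after}


def incrementing(before: dict, after: dict) -> dict:
    """Counters still growing: a live fault rather than old history."""
    return {k: v for k, v in delta(before, after).items() if v > 0}


def report(before_text: str, after_text: str) -> list:
    live = incrementing(parse_counters(before_text), parse_counters(after_text))
    if not live:
        return ["no error counters moved between captures; the history is old"]
    return [f"{name}: +{n} since previous capture" for name, n in live.items()]


# Snapshot 1: the counters posted in the thread (abbreviated to the error lines)
SNAP_1 = """Serial0/0/0 is up, line protocol is up
  Encapsulation HDLC, loopback not set
  Last clearing of show interface counters never
     2594866 packets input, 484441142 bytes, 0 no buffer
     Received 7990 broadcasts, 0 runts, 0 giants, 0 throttles
     3257 input errors, 3257 CRC, 1451 frame, 787 overrun, 0 ignored, 2442 abort
     2748601 packets output, 426296137 bytes, 0 underruns
     0 output errors, 0 collisions, 182 interface resets
     7 carrier transitions
"""
# Snapshot 2: constructed capture taken later, CRC/frame/abort still climbing
SNAP_2 = """Serial0/0/0 is up, line protocol is up
  Encapsulation HDLC, loopback not set
  Last clearing of show interface counters never
     2601204 packets input, 485602311 bytes, 0 no buffer
     Received 8012 broadcasts, 0 runts, 0 giants, 0 throttles
     3301 input errors, 3301 CRC, 1460 frame, 787 overrun, 0 ignored, 2470 abort
     2755010 packets output, 427301655 bytes, 0 underruns
     0 output errors, 0 collisions, 182 interface resets
     7 carrier transitions
"""

if __name__ == "__main__":
    for line in report(SNAP_1, SNAP_2):
        print(line)
```

Growing CRC, frame and abort counts on an HDLC serial link, with interface resets and carrier transitions flat, point at the circuit rather than the router, which is the case for having the carrier test through the CSU as the reply suggests.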

RE: OT: Cisco ASA and inspect esmtp

2009-06-23 Thread Rohyans, Aaron
I would disable it... still causes problems :) It really doesn't do that
much except verify that ESMTP/SMTP connections maintain consistency with
IETF/RFC standards.  Any unknown commands that are not setup within the
ESMTP Inspection are re-written to x before being passed to your
mail server (or from your mail server).  Thus, you'll see some weird
failures when sending mail as remote/local mail servers don't understand
what x is.  With ESMTP Inspection disabled, you're just allowing
remote/local mail servers to pass any/all commands to/from your mail
server.  Since your mail server will only accept commands that it knows
about (naturally), you don't really need to shed this consistency check
off on the firewall... just rely on your server to maintain the
consistency.

 

This is a link to an IOS Based Firewall, but the ASA is based on the
same inspection techniques:

 

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configura
tion_example09186a008064730a.shtml

 

Hope this helps!

 

Aaron T. Rohyans
Senior Network Engineer

CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IPS, CQS-VPN, ISSP, CISP,
JNCIA-ER

DPSciences Corporation
7400 N. Shadeland Ave., Suite 245

Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/

 

From: Candee Vaglica [mailto:can...@gmail.com] 
Sent: Tuesday, June 23, 2009 8:52 AM
To: NT System Admin Issues
Subject: Re: OT: Cisco ASA and inspect esmtp

 

It's still a problem with the ASA; I turn it off.


 

On Tue, Jun 23, 2009 at 8:48 AM, Eldridge, Dave d...@parkviewmc.com
wrote:

I have a vendor that is having trouble sending emails to me and wants me
to turn off inspect esmtp. I know the older pix had some issues with
this but not the newer (8.03) ASA.

Those with asa's what have you done with esmtp inspect? On or Off?

I have a ccie colleague that hasn't seen any issues with the ASA and
version 8 so I am hesitant to break something that is working.

 

Tia

dave

 

This e-mail contains the thoughts and opinions of the sender and does
not represent official Parkview Medical Center policy.

This communication is intended only for the recipient(s) named above,
may be confidential and/or legally privileged: and, must be treated as
such in accordance with state and federal laws. If you are not the
intended recipient, you are hereby notified that any use of this
communication, or any of its contents, is prohibited. If you have
received this communication in error, please return to sender and delete
the message from your computer system.

 

 

 

 

 

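A toy model of the masking the reply describes, as an added example (not from the thread and not Cisco's code): the inspector keeps an allowlist of verbs and overwrites anything else with X characters, and the mail server behind it then rejects the mangled line. The allowlist below is an assumption (the RFC 5321 verbs plus AUTH and STARTTLS); which verbs a given ASA release passes is in its release notes, not here. The client session and the server's verb set are constructed.

```python
"""Model of an allowlist-based ESMTP inspector (added example, not ASA code)."""

# Assumed allowlist: RFC 5321 verbs plus AUTH and STARTTLS. Real releases differ.
ALLOWED_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT",
                 "VRFY", "EXPN", "HELP", "AUTH", "STARTTLS"}

# Constructed: verbs the receiving server actually understands, including two
# extensions (Exchange's XEXCH50, RFC 3030 BDAT) the inspector does not know.
SERVER_VERBS = ALLOWED_VERBS | {"XEXCH50", "BDAT"}


def mask_command(line: str, allowed=ALLOWED_VERBS):
    """Return (line as forwarded, was_masked). Unknown verbs become X's."""
    verb, sep, rest = line.partition(" ")
    if verb.upper() in allowed:
        return line, False
    return "X" * len(verb) + sep + rest, True


def server_reply(line: str, known=SERVER_VERBS) -> str:
    """What the mail server answers to the line it actually receives."""
    verb = line.partition(" ")[0].upper()
    return "250 OK" if verb in known else "500 5.5.1 Command unrecognized"


def inspect_session(client_lines, allowed=ALLOWED_VERBS):
    """Run each command through the inspector, then the server.
    Returns (sent, forwarded, reply) triples. Message bodies are not
    commands; a real inspector tracks DATA state, which this model omits."""
    out = []
    for line in client_lines:
        fwd, _ = mask_command(line, allowed)
        out.append((line, fwd, server_reply(fwd)))
    return out


def broken_commands(client_lines, allowed=ALLOWED_VERBS):
    """Commands that succeed without inspection but fail through it."""
    return [sent for sent, fwd, reply in inspect_session(client_lines, allowed)
            if reply.startswith("500") and server_reply(sent).startswith("250")]


# Constructed client session from a server that uses the two extensions
SESSION = [
    "EHLO mail.example.net",
    "XEXCH50 1024 2",
    "MAIL FROM:<alice@example.net>",
    "RCPT TO:<bob@example.com>",
    "BDAT 86 LAST",
    "QUIT",
]

if __name__ == "__main__":
    for sent, fwd, reply in inspect_session(SESSION):
        flag = "  <-- masked" if sent != fwd else ""
        print(f"{sent!r:35} -> {fwd!r:35} {reply}{flag}")
```

The masked lines are the "weird failures" from the reply: the sending server sees 500 replies to commands it advertised and negotiated in EHLO, and the message either falls back to plain DATA or bounces. Turning inspection off hands that decision back to the mail server, which rejects unknown verbs on its own anyway.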

RE: VPN Tunnel not stable in Vista

2009-06-09 Thread Rohyans, Aaron
Check your MTU values... ICMP Echo is only sending a 32 byte packet (+ IPSec 
overhead), so it will naturally be successful.  Vista, I'm sure, is sending 
much bigger packets.  To try and find your maximum MTU to set the connection 
to, you can use a Ping:

ping 192.168.1.1 -l 1500 (if it fails, decrement until it is successful)
ping 192.168.1.1 -l 1460 (decrement and continue if it fails...)
ping 192.168.1.1 -l 1400 (once successful, adjust your VPN to use the new MTU 
value)

HTH,

Aaron T. Rohyans
Senior Network Engineer
CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IPS, CQS-VPN, ISSP, CISP, JNCIA-ER
DPSciences Corporation
7400 N. Shadeland Ave., Suite 245
Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/


-Original Message-
From: Lee Anderson [mailto:lee.mortg...@att.net] 
Sent: Tuesday, June 09, 2009 9:47 AM
To: NT System Admin Issues
Subject: VPN Tunnel not stable in Vista

Good Morning All,

I am having trouble with a VPN connection in Vista.  I am able to negotiate and 
build out the connection, we can ping across, but as soon as we send any 
traffic across it dies.  XP machines work fine using the same VPN endpoint.  I 
am running Vista Ultimate SP1 and OpenVPN GUI v1.0.3.  I have turned off Vista 
basic controls such as the firewall and IPv6.  Download 4MB, upload 400kb.  The 
connection does not seem to be stable. Please let me know if you have any 
suggestions or direction.   

TIA
Lee
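The same search the reply does by hand, as an added example (not from the post): a binary search over the ICMP payload size, with the probe injected so the logic runs offline against a simulated path. The real probe builds the `ping` command for Windows (`-f -l`) or Linux (`-M do -s`); both set the don't-fragment bit so an oversized probe fails instead of being fragmented on the way. The host name and the simulated path MTU values are constructed.

```python
"""Binary-search the largest unfragmented ICMP payload (added example)."""
import platform
import subprocess

IP_ICMP_OVERHEAD = 28   # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_df(host: str, payload: int, timeout: int = 2) -> bool:
    """Real probe: one DF-marked echo of `payload` bytes; True on a reply."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload),
               "-w", str(timeout * 1000), host]
    else:
        cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload),
               "-W", str(timeout), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def simulated_probe(path_mtu: int):
    """Offline stand-in for ping_df: succeeds while the packet fits the path."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= path_mtu


def find_max_payload(probe, low: int = 0, high: int = 1472) -> int:
    """Largest payload for which probe() succeeds, assuming that success is
    monotonic in size. `high` defaults to the 1500-byte Ethernet MTU."""
    if not probe(low):
        raise RuntimeError("smallest probe failed: host unreachable or ICMP filtered")
    if probe(high):
        return high
    # invariant: probe(low) is True, probe(high) is False
    while high - low > 1:
        mid = (low + high) // 2
        if probe(mid):
            low = mid
        else:
            high = mid
    return low


def path_mtu(max_payload: int) -> int:
    """Path MTU in bytes, from the largest payload that got through."""
    return max_payload + IP_ICMP_OVERHEAD


if __name__ == "__main__":
    # Offline demonstration against a constructed 1400-byte path
    best = find_max_payload(simulated_probe(1400))
    print("largest payload", best, "-> path MTU", path_mtu(best))
    # Against a real endpoint (constructed host name), roughly 11 probes:
    # best = find_max_payload(lambda n: ping_df("vpn.example.net", n))
```

The number to carry over to the tunnel is the path MTU, not the payload, and the tunnel interface MTU has to sit below it by the encapsulation overhead; in OpenVPN that is what the `--fragment` and `--mssfix` options are for.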

RE: Routing

2009-05-12 Thread Rohyans, Aaron
That's just the nature of cheap switching.  If you look at a Wireshark 
(Ethereal) capture of the conversation between your two hosts, you'll see tons 
of re-transmissions and TCP Window adjustments as the hosts try to negotiate 
the link.  Try dumbing the hosts down to 10Mb/Half (or Full) and see if your 
problems go away.

I believe you can also pick up a Cisco 3560 8 port 10/100 switch for around 
$800-$900 that will handle the L3 activities that you need.

Hope this helps!

Aaron T. Rohyans
Senior Network Engineer
CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IPS, CQS-VPN, ISSP, CISP, JNCIA-ER
DPSciences Corporation
7400 N. Shadeland Ave., Suite 245
Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/

-Original Message-
From: Jacob [mailto:ja...@excaliburfilms.com] 
Sent: Tuesday, May 12, 2009 12:59 PM
To: NT System Admin Issues
Subject: RE: Routing

You can also get a low end Netscreen (or what ever it is called today) for a
few hundred dollars.

I have a 172.16.X.X and a 10.1.1.X separated with a Netscreen 25. Copying
large file is not an issue.

-Original Message-
From: Phil Brutsche [mailto:p...@optimumdata.com] 
Sent: Tuesday, May 12, 2009 9:10 AM
To: NT System Admin Issues
Subject: Re: Routing

Why are you using the Linksys?

If you need to firewall off a group of users you need a real
enterprise-grade firewall, not cheap consumer crap. A PIX 506E in only a
couple hundred USD these days and will blow a Linksys out of the water
in terms of performance and reliability.

If you're using the Linksys as a basic router (no NAT, no firewall, etc)
you really really need to get an enterprise-grade L3 switch - HP 2900 or
HP 3400cl or Cisco 3550. Said switches have IP routing implemented in
the switch fabric ASICs.

Steve Ens wrote:
 I have a private 192.168.1.x network within my 10.0.0.x LAN.  It is
 separated with a cheapie Linksys router.  Anytime the user inside the
 192 subnet tries a large file copy to a share in the 10.x subnet, it
 crashes out after a few minutes.  I've ruled out cabling and workstation
 related issues.  Would I have to adjust the MTU or add a static route on
 the linksys?  Any ideas?

-- 

Phil Brutsche
p...@optimumdata.com




RE: DMARC to Office Install

2009-05-04 Thread Rohyans, Aaron
More often than not, the ISP wants *you* to do it.  The carrier is
always responsible for issues up to and including the DMARCation point
(Smart Jack).  They *do not* want to be responsible for in-house
wiring/issues as you extend the DMARC to your equipment (hence the
reason they charge so much to run it for you).  It's easier for the ISP
to just guarantee trouble-free service to the DMARC - beyond that it's
in your hands.  Not to mention the rat's nest of wires a lot of ISPs
would run into if they required the LEC to run the extension in your
building.  There'd just be too much finger pointing.

 

Hope this helps,

 

Aaron T. Rohyans
Senior Network Engineer

CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IPS, CQS-VPN, ISSP, CISP,
JNCIA-ER

DPSciences Corporation
7400 N. Shadeland Ave., Suite 245

Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/

 

From: John Aldrich [mailto:jaldr...@blueridgecarpet.com] 
Sent: Monday, May 04, 2009 4:48 PM
To: NT System Admin Issues
Subject: RE: DMARC to Office Install

 

*shrug* I can only tell you that we use our in-house guys to run all
in-house wiring. I suppose if there were any wiring to be done, they'd
be the ones to do it. So far, I've been lucky and haven't had to do
much. I will say that when we upgraded our PBX recently to an IP-capable
system, that the vendor ran the wires from the PBX back to the IP
switch, but they were the only vendors to do that. 

 

When I worked for an ISP a few years back, whenever we ordered a
dedicated T1 for a customer, the LEC would run a cable from the pole to
our DMARC and we'd handle it from there.

 

  

 

From: Sam Cayze [mailto:sam.ca...@rollouts.com] 
Sent: Monday, May 04, 2009 4:29 PM
To: NT System Admin Issues
Subject: DMARC to Office Install

 

Is it normal practice of the ISP to have the customer hire and pay for a
3-party technician to run a feed from the DMARC (basement) to our
office/rack area?  

 

Never seen it before with the few ISPs I have worked with...

 

Just checking... 

 

-Sam 

 

 

No virus found in this incoming message.
Checked by AVG - www.avg.com
Version: 8.5.323 / Virus Database: 270.12.17/2095 - Release Date:
05/04/09 06:00:00

 

 


RE: Cisco parts source

2009-03-10 Thread Rohyans, Aaron
I can probably source those for you myself if you're interested.  I know
I have 2 and probably have 3 if I can dig it up.

 

Thanks!

 

Aaron T. Rohyans
Senior Network Engineer

CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IPS, CQS-VPN, ISSP, CISP,
JNCIA-ER

DPSciences Corporation
7400 N. Shadeland Ave., Suite 245

Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/

 

From: Jim Majorowicz [mailto:jmajorow...@gmail.com] 
Sent: Tuesday, March 10, 2009 1:17 PM
To: NT System Admin Issues
Subject: Cisco parts source

 

Anyone got a recommendation for a source on Refurbished Cisco parts?

 

I need 3 WIC-1ENET cards for a Cisco 1760.

 

 

 

 

 


RE: QoS for VoIP on Cisco router

2009-03-06 Thread Rohyans, Aaron
Looks good to me! :)  What is the speed of the link?  Looks like a
384Kb/s FT1.  Is this a Point to Point T1, or a DIA (Dedicated Internet
Access) T1?  How saturated is the link during congestion (you can do a
show int ser0/0/0 during congestion and look at the rxload and
txload to get an idea)?  I'm assuming it's using HDLC based on the
lack of extra config on the serial interface.  What does the output of
show policy-map interface serial 0/0/0 give you during times of
congestion?  Any drops?  Is it matching traffic correctly?

 

Hope this helps,

 

Aaron T. Rohyans
Senior Network Engineer

CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IDS, CQS-VPN, ISSP, CISP,
JNCIA-ER

DPSciences Corporation
7400 N. Shadeland Ave., Suite 245

Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/

 

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonhhc.com] 
Sent: Friday, March 06, 2009 9:17 AM
To: NT System Admin Issues
Subject: QoS for VoIP on Cisco router

 

Could someone check my router config? 
I am no cisco expert (not even a CCNA)...but... 
I am trying to configure quality of service for voice over IP.  
I believe I have it set up correctly, but the users are still getting
choppy phone conversations when there is other network traffic on the
circuit.

Here's a snip of the config: 
 
boot-start-marker 
boot-end-marker 
! 
logging buffered 4096 debugging 
enable secret 5  
! 
no aaa new-model 
! 
resource policy 
! 
memory-size iomem 25 
mmi polling-interval 60 
no mmi auto-configure 
no mmi pvc 
mmi snmp-timeout 180 
ip subnet-zero 
no ip source-route 
ip cef 
! 
no ip dhcp use vrf connected 
ip dhcp binding cleanup interval 10 
ip dhcp excluded-address 192.168.6.1 
! 
ip domain name yourdomain.com 
! 
class-map match-any af41 
 match ip dscp af41 
class-map match-any ef 
 match ip dscp ef 
! 
policy-map 75_24 
 class ef 
  priority percent 75 
 class af41 
  bandwidth percent 24 
 class class-default 
  fair-queue 
  set ip dscp default 
! 
interface FastEthernet0/0 
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$ 
 ip address 192.168.6.1 255.255.255.0 
 duplex auto 
 speed auto 
 no keepalive 
! 
interface FastEthernet0/1 
 no ip address 
 shutdown 
 duplex auto 
 speed auto 
! 
interface Serial0/0/0 
 ip address xxx.xxx.xxx xxx.xxx.xxx.xxx 
 service-module t1 timeslots 1-6 
 max-reserved-bandwidth 100 
 service-policy output 75_24 
! 
ip classless 
ip route 0.0.0.0 0.0.0.0 Serial0/0/0 
! 
no ip http server 
ip http access-class 23 
ip http authentication local 
ip http timeout-policy idle 60 life 86400 requests 1 
! 

~~ 
Any help/guidance is greatly appreciated. 
Thanks, 
Dave 

 

 

 


RE: Cisco ASA Question

2009-02-27 Thread Rohyans, Aaron
1.1.1.1 = Outside IP Address
192.168.1.1 = Inside Host IP Address

Asa(config)# static (inside,outside) tcp 1.1.1.1 22 192.168.1.1 22 netmask 255.255.255.255 0 0
Asa(config)# access-list OUTSIDE_ACCESS_IN permit tcp any host 1.1.1.1 eq 22
Asa(config)# access-group OUTSIDE_ACCESS_IN in interface outside

 

Hope this helps,

 

Aaron T. Rohyans
Senior Network Engineer

CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IDS, CQS-VPN, ISSP, CISP,
JNCIA-ER

DPSciences Corporation
7400 N. Shadeland Ave., Suite 245

Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/

 

From: Jon Harris [mailto:jk.har...@gmail.com] 
Sent: Friday, February 27, 2009 10:10 AM
To: NT System Admin Issues
Subject: Re: Cisco ASA Question

 

You can I think do the port forwarding but I don't know how.  I have a
stack of books on the ASA that I am only just getting to read.  I have
to find out about the port 80 filtering first (the reason I spent for
the books).

 

Jon

On Fri, Feb 27, 2009 at 9:53 AM, Kelsey, John jckel...@drmc.org wrote:

No VPN.  I thought I could just do port forwarding, but apparently I
can't.

 

 

***
John C. Kelsey
DuBois Regional Medical Center
(:  814.375.3073  

*:   jckel...@drmc.org mailto:jckel...@drmc.org  
***

-Original Message-
From: Christopher Bodnar [mailto:christopher_bod...@glic.com] 
Sent: Friday, February 27, 2009 09:48
To: NT System Admin Issues

Subject: RE: Cisco ASA Question

I'm not familiar with the ASA devices, but are you creating a
VPN tunnel through the device first? I would think you would need to do
that to access resources on the internal network. 

 

 

 

Chris Bodnar, MCSE
Sr. Systems Engineer
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003



From: Kelsey, John [mailto:jckel...@drmc.org] 
Sent: Friday, February 27, 2009 9:42 AM
To: NT System Admin Issues
Subject: Cisco ASA Question

 

Hi all,

   Working on a Cisco ASA 5505, trying to get to a machine on
the inside interface via SSH from a machine on the outside interface.  I
can SSH to the ASA itself, but can't figure out how to get to a host
behind it.  I tried all kinds of ACL's, no joy.  Any suggestions for a
ASA noob?

 

Thanks all!

 

***
John C. Kelsey

DuBois Regional Medical Center
(:  814.375.3073  
2  :   814.375.4005
*:   jckel...@drmc.org mailto:jckel...@drmc.org  
***

 

 

This email and any files transmitted with it are confidential
and intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager. This message contains confidential information and
is intended only for the individual named. If you are not the named
addressee you should not disseminate, distribute or copy this e-mail.

 

 

 

 

 



This message, and any attachments to it, may contain information
that is privileged, confidential, and exempt from disclosure under
applicable law. If the reader of this message is not the intended
recipient, you are notified that any use, dissemination, distribution,
copying, or communication of this message is strictly prohibited. If you
have received this message in error, please notify the sender
immediately by return e-mail and delete the message and any attachments.
Thank you. 

 

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error please notify the
system manager. This message contains confidential information and is
intended only for the individual named. If you are not the named
addressee you should not disseminate, distribute or copy this e-mail.

 

 

 

 

 

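A check worth running before pasting the access-list from the reply into a production ASA, as an added example (not from the thread): the rule as written lets any source on the Internet reach SSH on the published address, and a small linter over the single-line ACE syntax the reply uses will flag that. The parser handles `any`, `host X` and `network mask` sources and destinations with an optional `eq` port; object-groups and ranges are outside its scope and are reported as unparsed. The tightened rule and its admin address (203.0.113.10) are constructed.

```python
"""Flag ASA ACEs that expose management ports to any source (added example)."""
import re

# Ports an attacker scans first; reaching them from 'any' deserves review
MGMT_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 161: "snmp", 5900: "vnc"}
PORT_NAMES = {"ssh": 22, "telnet": 23, "snmp": 161}

ACE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>tcp|udp|ip)\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)


def port_number(token):
    """Resolve 'eq 22' or 'eq ssh' to a port number; None if absent/unknown."""
    if token is None:
        return None
    return int(token) if token.isdigit() else PORT_NAMES.get(token.lower())


def parse_ace(line: str):
    """Dict of ACE fields, or None when the line uses syntax we do not model."""
    m = ACE.match(line.strip())
    return m.groupdict() if m else None


def review(lines) -> list:
    """Findings for ACEs that open a management port to any source."""
    findings = []
    for line in lines:
        ace = parse_ace(line)
        if ace is None:
            findings.append(f"unparsed (object-group or range syntax?): {line.strip()}")
            continue
        port = port_number(ace["port"])
        if ace["action"] == "permit" and ace["src"] == "any" and port in MGMT_PORTS:
            findings.append(
                f"{ace['name']}: {MGMT_PORTS[port]}/{port} to {ace['dst']} is open "
                f"to any source; restrict src to the admin host or VPN pool")
    return findings


# The ACE from the reply, and a constructed tightened version of it
POSTED = "access-list OUTSIDE_ACCESS_IN permit tcp any host 1.1.1.1 eq 22"
TIGHT = "access-list OUTSIDE_ACCESS_IN permit tcp host 203.0.113.10 host 1.1.1.1 eq 22"

if __name__ == "__main__":
    for line in (POSTED, TIGHT):
        print(line)
        for f in review([line]):
            print("  !", f)
```

Restricting the source is the cheap fix; the alternative the earlier replies hinted at, reaching the inside host over a VPN instead of publishing port 22 at all, removes the exposure rather than narrowing it.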

RE: Site to Site VPN... What works?

2009-02-26 Thread Rohyans, Aaron
Cisco ASA 5505 @ $350 each.  The GUI is vastly improved (v6.5+) and makes 
administration a snap.  It's a great little box for the price considering all 
you get:

Firewall
QoS (Basic LLQ)
Routing (Static, EIGRP, OSPF, RIP)
VPN Termination (Traditional IPSec and SSL)
IPS (Basic 100 signatures)
Failover (w/ the right licensing)
VLANs (3 w/ base license)

The list goes on... but I just thought I'd mention it.  Almost all the features 
above are obtained with the *Base License*.  Additional licensing is only 
required if you want more than 2 simultaneous SSL VPN connections, Failover 
support, 3+ VLAN support, etc.

Hope this helps!

Aaron T. Rohyans
Senior Network Engineer
CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IDS, CQS-VPN, ISSP, CISP, JNCIA-ER
DPSciences Corporation
7400 N. Shadeland Ave., Suite 245
Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/

-Original Message-
From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] 
Sent: Wednesday, February 25, 2009 11:09 PM
To: NT System Admin Issues
Subject: Re: Site to Site VPN... What works?

+1 on this.  I've benchmarked the Linksys WRT54G against other
comparable models before; it is rated at the bottom of the list when
depending on hardware encryption performance.

I like it as a home routing device, but I don't recommend it for
site-to-site when performance needs to be maximized.

--
ME2



On Wed, Feb 25, 2009 at 10:14 PM, Phil Brutsche p...@optimumdata.com wrote:
 I don't know if I would go that route, just on a basis of CPU horsepower.

 Most of the options I listed have either hardware cryptographic
 accelerators or enough horsepower to do it in software.

 The Linksys WRT54G(L) boxes have very, very weak CPUs and do not possess
 the necessary hardware acceleration.

 Derek Lidbom wrote:
 If it were me, I would have to drop $100 on two Linksys WRT-54GLs and
 try:
 http://www.dd-wrt.com/wiki/index.php/OpenVPN_-_Site-to-Site_Bridged_VPN_
 Between_Two_Routers

 I've had lots of luck with dd-wrt in other scenarios, and you could
 double your purchase and have redundant backups as easy and re-flashing
 an image (I'm assuming the VPN doesn't add complications with that).

 --

 Phil Brutsche
 p...@optimumdata.com




RE: 2 T1's + 2 separate routers = load balanced?

2009-02-13 Thread Rohyans, Aaron
There are several ways to achieve some form of load balancing

 

1.   Get another router to sit directly behind the 2 T1 routers and
act as the default gateway for your LAN.  Use this router to
policy-route traffic across the two T1s.  You won't achieve true
load-balancing, but you can at least segment your junk traffic to one
T1 and your business critical traffic to another.  Plus, you have an
automated failover solution in that if one T1 goes down, the router can
automatically redirect traffic to the still active T1 router.

2.   You'll have to use BGP to create a peering between you and your
provider.  Then, use BGP to influence which T1 will receive traffic.
I doubt your provider will do this for you though as it's a lot of work
for a small customer :).

3.   Combine the circuits into one router and ask your provider to
run MLPPP with you (this is probably the best solution).

4.   Buy a load balancer like Radware or the like and let it manage
the load balancing for you.

 

Hope this helps,

 

Aaron T. Rohyans
Senior Network Engineer

CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IDS, CQS-VPN, ISSP, CISP,
JNCIA-ER

DPSciences Corporation
7400 N. Shadeland Ave., Suite 245

Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/

 

From: Cameron Cooper [mailto:ccoo...@aurico.com] 
Sent: Friday, February 13, 2009 10:41 AM
To: NT System Admin Issues
Subject: 2 T1's + 2 seperate routers = load balanced?

 

We moved a T1 from our remote office to our main office and now have the
two T1's running.  What we would like to do is load balance or combine
the two T1's to create a bigger internet pipe for our main office.  At
the moment we have two different routers, Adtran NetVanta 3200 and a
Cisco 1841 T1, can we take the two different routers and create the
bigger pipe or will we need to purchase a router that will allow us to
do this?

 


Cameron Cooper

IT Director - CompTIA A+ Certified

Aurico Reports, Inc

Phone: 847-890-4021Fax: 847-255-1896

ccoo...@aurico.com

 

 

 

 


RE: Firewall Recommendations

2009-01-31 Thread Rohyans, Aaron
Well... being a Cisco bigot :), I'll throw in the ASA.  You can do
everything on your list except for the last two bullet points with the
base license (even on the 5505 if you wanted).  Actually, you *can*
filter based on malicious web traffic and get user by user reports, but
it becomes cumbersome the more you do.  I'd recommend Websense or N2H2
or even an Ironport for the user by user reporting and web content
filtering if you're looking to do a lot.  Or, to keep it all in one
device, you can load up an ASA 5510 with the Content Security blade
(CSC-SSM10) to get the filtering/reporting you're after.  That will
cover Anti-Virus/Anti-Spam/Malware/URL Filtering/Reporting but does
require a license bump.  Or, just stick with the basic ASA and use
OpenDNS.

 

Hope this helps!

 

Aaron T. Rohyans
Senior Network Engineer

CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IDS, CQS-VPN, ISSP, CISP,
JNCIA-ER

DPSciences Corporation
7400 N. Shadeland Ave., Suite 245

Indianapolis, IN 46250
Office:  (317) 348-0099
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/

 

From: Doige, Clayton [mailto:clayton.do...@cme-net.com] 
Sent: Friday, January 30, 2009 10:36 AM
To: NT System Admin Issues
Subject: Firewall Recommendations

 

Hi all, for the past few years we have used Watchguard Firewalls quite
happily, but over the past few months the machines seem to be getting
more problematic, and the problems mount with each successive firmware
release.

 

Some of the key functions that we require, over and above being a good
firewall of course are below, and I am hoping you can share your
opinions on what are the best and worst devices to get the job done?

 

Features:

 

* SSL VPN (needless to say really)

* The ability to log in to an https page on the firewall: we
have set the watchguard up so that it will not open ports until a user
first logs in to the firewall via an https page

* The ability to authenticate against active directory in the
above scenario: we have a separate forest set up strictly for this
purpose (allows the same firewall login across all of our sites this
way)

* The ability to report web traffic usage on a user by user
basis, as opposed to machine IP Address

* Some sort of web content filtering, both by type of file, and
classic content types, such as gambling etc

 

Many thanks in advance for any and all feedback

 

 

Clayton Doige

IT Project Manager

CME Development Corporation

T: 020 7430 5355

M: 07949 255062

E:clayton.do...@cme-net.com

W:www.cetv-net.com

 



 

 


RE: Cisco Catalyst command question

2009-01-07 Thread Rohyans, Aaron
snmp-server enable traps just enables the switch/router to begin
sending trap events as they occur to the host that you provided in the
snmp-server host command.  Once you turn it on... issue the show run
command and you'll see that the switch actually enabled a bunch more
automatically for you.  The snmp-server community command is what
needs to be setup to allow an SNMP station to poll it for information
(Read Only), or write information to it (Read Write).  For simple
SNMPv1, I like to use this config:

 

access-list 99 permit 192.168.1.0 0.0.0.255

! read-only community; polling only from sources matched by access-list 99
snmp-server community R3aD0n1Y RO 99
! read-write community; same source restriction
snmp-server community R3adWr1t3 RW 99

snmp-server location 1234 Some Street, Nowhereville, NW

snmp-server contact John Smith - (123) 555-1212

snmp-server chassis-id CATSWITCH01

 

For a more secure implementation, look into v2 or v3 of SNMP as they add
encryption and authentication to messages that traverse the wire.

 

Hope this helps!

 

Aaron T. Rohyans
Senior Network Engineer

CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IDS, CQS-VPN, ISSP, CISP,
JNCIA-ER

DPSciences Corporation
7400 N. Shadeland Ave., Suite 245

Indianapolis, IN 46250
Office:  (317) 849-6772 x 7626
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/

 

From: Joe Heaton [mailto:jhea...@etp.ca.gov] 
Sent: Wednesday, January 07, 2009 2:38 PM
To: NT System Admin Issues
Subject: Cisco Catalyst command question

 

I need to enable SNMP on my Catalyst.  I've found 3 SNMP commands, and
need to know which/how to use them:

 

snmp-server enable traps - Is this the command to enable SNMP?  How do I
use this generically, to simply turn snmp on so that my network
monitoring tool can identify the box, and monitor the ports?

 

snmp-server host - Do I need to specify the machine that's going to be
doing snmp queries, or can I just leave it open?  Is it dangerous not to
specify a host?

 

snmp-server community - self explanatory, to set the community string,
with the access rights.

 

 

From what I'm reading in the Command Reference, it appears that I want
to use the snmp-server host command, specify the specific host, and
leave it at that.  Is that the approved method?

 

Joe Heaton

AISA

Employment Training Panel

1100 J Street, 4th Floor

Sacramento, CA  95814

(916) 327-5276

jhea...@etp.ca.gov

 

 

 

 


RE: A little OT: Cisco VPN Concentrator

2009-01-06 Thread Rohyans, Aaron
You mean CVPN3005 to ASA?  Either way, we can get it setup :)

Aaron T. Rohyans
Senior Network Engineer
CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IDS, CQS-VPN, ISSP, CISP, JNCIA-ER
DPSciences Corporation
7400 N. Shadeland Ave., Suite 245
Indianapolis, IN 46250
Office:  (317) 849-6772 x 7626
Fax:   (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/


-Original Message-
From: Bob Fronk [mailto:b...@btrfronk.com] 
Sent: Tuesday, January 06, 2009 3:38 PM
To: NT System Admin Issues
Subject: RE: A little OT: Cisco VPN Concentrator

Anyone with PIX to ASA conversion experience care to weigh in?  Sticking
with Cisco due to current Cisco VOIP project and remote sites.

-Original Message-
From: Bob Fronk [mailto:b...@btrfronk.com] 
Sent: Tuesday, January 06, 2009 3:12 PM
To: NT System Admin Issues
Subject: RE: A little OT: Cisco VPN Concentrator

Ok... time to shop for an ASA.



-Original Message-
From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] 
Sent: Tuesday, January 06, 2009 3:06 PM
To: NT System Admin Issues
Subject: Re: A little OT: Cisco VPN Concentrator

I skimmed the tech docs, faqs, and various other sheets too.  4mbps
max throughput is the number I saw.  I read about limiting issues when
using compression, and another vague reference to the amount of
simultaneous connections.  All vague, with no substance.

--
ME2



On Tue, Jan 6, 2009 at 2:59 PM, Brian Prentiss bprent...@gmail.com
wrote:
 Data Sheet

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5743/ps5749/ps2284/product_data_sheet09186a00801d3b56.html

 On Tue, Jan 6, 2009 at 12:58 PM, Brian Prentiss bprent...@gmail.com
wrote:



http://supportwiki.cisco.com/ViewWiki/index.php/Cisco_VPN_3005_Concentrator



 This doc states max as 4Mbps.  Apparently it is software only, and is
 discontinued at this point.   I think the suggested replacement is an ASA
 (sized depending on what kind of throughput the requirements are).

 I couldn't find a data sheet.

 I hope that helps,
 Brian

 On Tue, Jan 6, 2009 at 12:22 PM, Bob Fronk b...@btrfronk.com wrote:

 I am using a Cisco VPN Concentrator 3005 as an endpoint for mobile users
 and small remote sites.  Lately I have found that remote sites can only pull
 down 2.8mbps over the VPN.  We have a DS3, so I would expect the remote
 clients to be able to pull down their full bandwidth, depending on
 connection (DSL / Cable).



 I have tested this at two sites, each with over 10mbs available to them
 for download.  When off VPN, they get the full 10mbps, when VPN is connected
 (which forces all traffic across the VPN) the download speed drops back to
 2.8mbps.



 I can't seem to locate the bottleneck-producing setting inside the VPN
 concentrator.



 Appreciate any suggestions.



 Thanks.





 Bob