Messages

Also realize that many systems with redundancy will report total uptime, and module uptime. We have a pair of ASAs with a cluster up time of 5 years, but each ASA has up times of only 26 days. So even patching you can get good uptime numbers.

-Otanx

"ip multicast helper-map" command may work. It makes the router forward a multicast address to an unicast address. I have used this is the past to make a broken application work, but it is ugly.

-Otanx

I am sure it is OS dependent, but what if you shut the switchport to the client, and then no shut it. Does the loss of link cause the client to try and renew the lease?

-Otanx

So today I was reading the release notes for 4500 update when I ran across this line.

Before you proceed, observe the following rules for hostname:

    Do not expect case to be preserved

Uppercase and lowercase characters look the same to many internet software applications. It may seem appropriate to capitalize a name the same way you might do in English, but conventions dictate that computer names appear all lowercase. For more information, refer to RFC 1178, Choosing a Name for Your Computer.

So being the cynic that I am I read this as "We had a bug with host names, and capital letters, but instead of fixing it we are just going to point to an RFC from 1990 that says use lower case."

Appropriate RFC link.
Name Your Computer - https://tools.ietf.org/html/rfc1178

The RFC is good for a laugh. A quote "It is especially tempting to name your first computer after yourself, but think about it.  Do you name any of your other possessions after yourself?  No.  Your dog has its own name, as do your children."

edit - And for you underscore people another quote from the Cisco release notes - "Interior characters can only be letters, digits, and hyphens; periods and underscores not allowed."

-Otanx

for the love of god, please use delimiters.

Windows servers don't like hostnames exceeding 15 characters, so many admins I've worked with keep it simple and compacted

We ran into that when doing a revamp of our naming convention. The proposed convention was 18 characters. Lucky for us the first project to use the new names was a Windows server. Back to the drawing board to make it 14 or less.

-Otanx

Last year I renewed my CCNP, got my CEH, finished my degree, and took the SANS SEC502 course (didn't do the cert). This year I am looking at CCNA:S, something from Juniper, Bluecoat class, but probably not certifying, and maybe VCP if the local community college actually offers official classes that work for my schedule. Also will start studying for the CCIE, but I don't plan on an attempt till 2016.

-Otanx

The thing with using an internal CA is that you need to have an OCSP server that is reachable by the spokes before the tunnel comes up. That also means the spokes have to have a DNS server reachable without the tunnel as well to resolve the name of the OCSP server.

-Otanx

Right now, AES 128 is actually more secure than AES 256. Fun fact. Cranking it up is not necessarily the best sort of thing to do.

Are you referring to the "key schedule" problem with AES256, or something else? Unless you have to meet government requirements I would think 128 is good enough technically. However, perception of management is that double is better.

-Otanx

SANS. I did SEC502 in October. The class was pretty good. A lot of the topics were stuff I knew, but getting to play with the labs, and actually see it was cool. Will probably do 503 or 504 next. If you go to a SANS conference make sure you go to as many after hours "SANS@Night" talks you can. A lot of good information. Also the vendor lunches were informative for a vendor lunch. Do Net Wars. It is not optional. Do it. I was torn as I wanted to hear another speaker that conflicted with the net wars event. Did net wars and loved it. If you don't do pen-testing all the time it is awesome to actually gain root on a linux system.

-Otanx

Not sure how well it would work, but GRE tunnels, BGP peer over the GRE. Can now pass communities as the provider does not see them. However, you don't want the overhead so an inbound route-map that sets next-hop out to the same provider the GRE tunnel rides over. Doing the communities natively across the link would be better, but this may work as long as I don't have to support it.

-Otanx

Host names are LOC-TYPE-INSTANCE so VEGAS-RTR-01. For DNS every interface goes into DNS as an A record (VEGAS-RTR-01-G0-0 or VEGAS-RTR-01-LOOP0. Then the root host name gets a CNAME pointed to the interface we use to manage the device.

For firewall rules each host gets an object with it's IP. We don't put the IP in the name as IPs change too often in our environment. Then an object group gets created for services (DNS, NTP, TACACS, WEBSITE1, WEBSITE2, etc) then the host object is nested into the groups of services it offers. Ports are object groups based on services. So DNS would have a DNS-PORTS group with both tcp and udp 53. Finally an object group for clients of the service. This may contain ranges (i.e. DNS clients group is 10.0.0.0/8) Then rules are based off of these objects - DNS-CLIENTS to DNS-SERVERS on DNS-PORTS. There is overlap with some things. If a server is hosting two websites then one rule would not be hit, but this way if we move one website then changing the rule for that will not break the other website.

-Otanx

Hello, my name is Bob and I am an alcoholic... wait wrong meeting? sorry. My name if Frank and I have a gambling addiction... wrong meeting again? oops.

My name is Charles and I have a networking addiction. Been in IT for more than 10 years. Really focused on networking for about the last five. Currently a tier 3 engineer with a consulting company. Mainly focused on enterprise networking with a heavy leaning towards security. Live in Las Vegas, NV. Married to another geek (wife is a CISSP, and working on VCP), no kids. Two cats named TCP and IP (yes those are really their names). Hobbies include reading, gaming, IT and playing with electronics.

-Otanx