Messages - Fred

#1
We run anyconnect and don't have this issue. I'm afraid I don't know much about the configuration, but based on your symptoms, I would guess there's something going on there. TAC may be your quickest course to resolution.
#2
Security / Re: Malware Avoiding Sandboxing
May 22, 2015, 10:25:04 PM
Sandboxes are pretty clearly an arms race, as hackers learn to detect them and sandbox providers learn to countermeasure the detection.

Note that in this case, they don't actually have to be multicore systems, but they simply need to claim to be.

Similar to the time-bomb stuff they were doing. Sandboxes came along, then malware started sleeping for x minutes/hours before detonating, then sandboxes started accelerating time, and then malware started doing nontrivial calculations to pass the time instead of sleeping. I'm not sure how the sandboxes are getting around that, but my understanding is that they are.
#3
So one more differentiator:

Our Palo Alto reps have been very generous with demo or lab gear. You could probably talk to them and get a PA-200 to install at your desk or home. If they think you're serious enough, you may even get to keep it.
#4
With ASAs, everything feels like it's tacked on and overly complex. It's very difficult to review even a moderately complex policy, or even to figure out what a policy is accomplishing. This leaves lots of room for human error. I don't feel like they're a good fit for a modern network where heavy segmentation is the rule.

CheckPoints are good solid firewalls. I like them quite a bit. They've got a good, clean interface for managing security policies, and they're easy to work with. But they also feel like they've had a lot of features tacked on, so some things end up being difficult to configure, or some pieces just don't fit together quite as smoothly as they should. And their support leaves a lot to be desired, though they were starting to get better last time I used them (about 2 years ago).

Palo Alto, IMO, is basically CheckPoint rewritten from the ground up, and all those features that seem tacked on in CheckPoint are smoothly integrated. Identity-based rules and application identification are just part of the ruleset, which makes it a little harder to learn, but a lot more powerful. I am finding some idiosyncrasies with the active/active setup. Active/Active was a lot smoother in the CheckPoint world, even if they did violate RFCs in the process (using a multicast MAC address bound to a unicast IP).
#5
Routing and Switching / Re: Deploying IWAN
May 21, 2015, 08:05:18 PM
Quote from: wintermute000 on May 20, 2015, 04:44:04 PM
Fred, if you take out PfRv3, what makes it IWAN - just looks like a DMVPN to me? (except some of the NBMA endpoints are in private not public links - but the DMVPN overlay looks same as any other phase 3?)
Yeah, pretty much just redundant, carrier-independent DMVPN using front-door VRF. Recommendations from our consulting companies are to make sure you have that layer 3 overlay solid before implementing PfR, so it's coming, but probably not in 2015/2016.

#6
Routing and Switching / Deploying IWAN
May 18, 2015, 09:53:47 PM
Who's deployed IWAN or is in the process of? Any experience or advice to share?

We are about to migrate to IWAN globally, though we're waiting on the PfRv3 part. Fortunately, this will be after Cisco Live, so I'll have a lot of brains to pick before we do it. Our plan is to get a good stable L3 network, and then add PfR if it makes sense.
#7
Routing and Switching / Re: SPAN port
May 18, 2015, 09:05:17 PM
Wireshark is a necessary tool of the trade, even without span ports. Having them throughout your network certainly makes life nice, though.

Also, while learning, don't ignore the sample captures page: https://wiki.wireshark.org/SampleCaptures
#8
Thanks to Solarwinds NCM, I have configuration management under control. I have real-time backups of the running-configuration along with email notifications, and nightly backups of startup-configs. I have compliance checks to make sure that configuration meets our standards. I'm not a huge Solarwinds fanatic, but NCM is a solid product. For those on a budget, you can do most of that with rancid, as well, and I'm a big fan of that.

What I don't have is a good way to standardize deployment configs for new devices.

At my previous employer, I wrote simple PHP forms where you could enter the relevant information and it would do string replacement to generate a config. It worked fine, but required custom form development each time a new template was written. I've seen similar things with text documents and find and replace.

I've looked at using Ansible for network configs, but it seems like overkill for what I want to do, and the documentation is pretty sparse for this use.

There's also this great article about Stretch's experience writing a very flexible version of templating using django and Python. Unfortunately, he can't release his code. I started trying to write it myself, but my Python skills are currently pretty weak, and I'm finding that even with that guidance, the hill I have to climb to recreate it is really more of a small mountain.

So, what do you guys use to standardize configurations for newly deployed routers and switches?
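As an added illustration (not Fred's code, and not the django approach Stretch wrote about), here is a small Python renderer of the "string replacement" kind described above, with the input validation that a PHP form or find-and-replace usually skips. The IOS-style template, the placeholder names and the sample values are all constructed for this example.

```python
import ipaddress
import re
from string import Template

# Constructed example template for a small branch router. The $name
# placeholders are filled per device; the layout is IOS-style.
ROUTER_TEMPLATE = """\
hostname $hostname
!
interface GigabitEthernet0/0
 description WAN uplink
 ip address $wan_ip $wan_mask
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 $wan_gateway
!
snmp-server community $snmp_ro RO
"""
REQUIRED = ("hostname", "wan_ip", "wan_mask", "wan_gateway", "snmp_ro")
HOSTNAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]{0,62}$")


def validate(values):
    """Return a list of problems; an empty list means the values are usable."""
    errors = [f"missing {k}" for k in REQUIRED if k not in values]
    if errors:
        return errors
    if not HOSTNAME_RE.match(values["hostname"]):
        errors.append("hostname must be letters, digits and hyphens")
    try:
        # IPv4Interface checks the address and dotted-decimal mask together;
        # a non-contiguous mask such as 255.255.0.255 raises ValueError.
        wan = ipaddress.IPv4Interface(f"{values['wan_ip']}/{values['wan_mask']}")
        gw = ipaddress.IPv4Address(values["wan_gateway"])
        if gw not in wan.network or gw == wan.ip:
            errors.append("wan_gateway must be another host in the WAN subnet")
    except ValueError as exc:
        errors.append(f"bad WAN addressing: {exc}")
    # A free-form value with an embedded newline would become an extra
    # config line, so refuse it outright rather than trusting the form.
    if any("\n" in str(v) for v in values.values()):
        errors.append("values may not contain newlines")
    return errors


def render(values):
    """Render the template, or raise ValueError listing every problem found."""
    errors = validate(values)
    if errors:
        raise ValueError("; ".join(errors))
    return Template(ROUTER_TEMPLATE).substitute(values)
```

Each new template only needs its own placeholder list and a check for any field that is not already covered, which is the part that had to be rebuilt per form in the PHP version.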
#9
I really like VPCs. Separate switches with separate control planes, but all the redundancy benefits and fast failover of VSS or a stack.

So why are nexus switches relegated to the datacenter? Seems to me the 9k's make excellent collapsed cores for smaller remote sites. Why wouldn't you do this?

Further, what are the reasons you wouldn't want to run FEXes at the campus (rather than datacenter) access layer? I know some of them (no PoE, no 100Mbps support), but what else?
#10
Quote from: AspiringNetworker on May 04, 2015, 10:24:47 AM
Quote from: Fred on April 30, 2015, 08:59:49 PM
One of my favorites is to ask the candidate to diagram a network
While I'd be a little nervous...
That's really the downside of this method. There are some damn good engineers who aren't good at standing up in front of people, even during an interview, and asking them to stand up in front of a whiteboard and explain something makes their nerves go through the roof and you don't get anything good out of them. Sometimes you can put them at ease with a couple easy questions, but other times I've had to back down and find a different way.

Quote: I think I would have much more fun in an interview like that rather than the bullet point ones
Trivia doesn't make a good interview. Sit two experienced network engineers down at a table, and each one can beat the other with trivia questions. Unless you have specific requirements, I don't think it makes sense to ask more than baseline questions. (If you can't explain "botnet" or "what's the difference between EIGRP and OSPF", I'm probably not interested.) Trivia does make for a good happy hour bar game once the person is hired, however.
#11
Quote from: that1guy15 on April 29, 2015, 08:42:28 AM
I am a firm believer that you should have one area you strive to master.
I wish I'd come to this realization sooner. Specialization rocks for career advancement. Being very good at lots of things is nice, but it's a lot easier to find a job if you are exceptional at something.

Remember the whole saying, "Jack of all trades, master of none." It's more true than I realized in my youth.

(That said, being well rounded has also helped me out quite a bit.)
#12
Quote from: Otanx on April 30, 2015, 09:43:56 AM
I am not sure what you mean by "make it so that security breaches aren't as big a cost for business" how do you do that?
What if we could find ways to make sure that the person who uses a credit card can be affirmatively identified? Then it doesn't matter who steals my credit card, that person is going to be caught. This would also make the stolen credit card worthless. That's another tough and expensive problem, but it may be an easier and cheaper one than preventing every possible method by which a credit card could be stolen.
#13
One of my favorites is to ask the candidate to diagram a network they've worked on or would like to work on. This can often turn into the entire interview, because every line, circle, square, or other notation can turn into a question. ("Why did you do it like that?", "Would you do it like that again in the future?", "What does that do?", "What if you had to add a public web server into your design?", "Can you explain to me how a client communicates with that web server?")

I want somebody who can communicate their ideas and understands the technology. I realize everybody has their strengths and weaknesses, but failure at these two are dealbreakers for me.
#14
Quote from: deanwebb on April 27, 2015, 11:56:55 AM
Until a time arrives when a security breach is no longer a cost for a business, but a game-ender for a business, security will take a back seat.
And I honestly see it going the other way. We are going to make it so that security breaches aren't as big a cost for business, and security will take a further backseat.

Make it traceable and retractable. It almost is already. A huge amount of fraudulent transactions are currently stopped before anybody has actually gained anything. This is what's going to get stronger: detection and response. Prevention is a loser's game: the good guys have to plug every hole, while the bad guys only have to find one. To stop this, we need to have recourse after the bad guys found it.
#15
For 400 devices, are you planning on zero redundancy?

You could do 400 devices with off-the-shelf switches. Take a 24-port gigabit switch. Subtract one for your internet gateway, and you'd have 23 available ports for devices. Connect each of these to another 24-port gigabit switch, and you'd have 23 ports on each of those available. I'll let you do the math from there.

And I'd fire any engineer who thought that was a good design.