
I must say the Firepowers sucked ass along with the CX modules. I was a dip shit and installed them with 5.4 then migrated to FTD. All of it was a nightmare. I would say now I have migrated to just 4100's and 2100's on full FTD 6.2.3 and I am starting to be impressed by it for the first time.

I would ask how your current setup sits. Are you running all of your access lists in the ASA and just using the module for L7 and IPS? Then your migration to the ASA code on the 2100 will be easy. If you are running all of your ACLs on the module and have them already loaded in your FMC, then you can just apply the same policy to your 2100 FTD and you are off to the races. If you have to convert your ACLs to FMC, then your migration is going to be a bitch. NAT is also going to be a consideration: if you are now going to have to convert ASA NAT to FMC, you better know your NAT.

The 2100's are going to be a great platform if you need all of the other features such as AMP/IPS/URL, just know your conversion is going to be tough with the things I listed above. The 2100's also don't take the same bandwidth hit since they have 2 procs; you can turn on services and the throughput is as advertised. All that being said, your rollback needs to be solid if you plan to go down this route. It will also take you more than once to complete the conversion if you have to convert your NAT and ACLs to FMC, so make sure you have a TAC engineer on the phone immediately, and also ensure you have a good test plan.

You should buy them from somebody like cxtech and/or nhr. They will just send you another one :)


We've had decent luck with NHR or whatever they are called this week. Curvature I think?


exactly

Original Poster · 1 point · 25 days ago

It looks like it might have been the firewall all along. We wanted the student traffic shunted to this VLAN so we could restrict access to Netflix, etc. and, as an unintended side benefit, it also blocks them from accessing our internal network (i.e. DHCP server, gateway, etc.)

Thanks very much for your help.


So it was Windows Firewall? I can't tell you how many times that gets me. The test is always to verify layer 2 in the same switch to verify you don't have an access problem. Glad I could help!

Original Poster · 1 point · 25 days ago

No, I think it was our enterprise firewall. The new VLAN is pretty restricted and the internal network was included by accident. Our firewall guy is really scratching his head on this one.


Ask your firewall guy if he saw it proxy ARPing for everything. The other way you could tell is to check in Windows: open a command prompt and run `arp -a`. Did it see the MAC address of the firewall for the destination IPs in question?


Are you doing this to make more money? If so, the three years you lose out on in total salary will never be made up in my opinion. A good NOC/Network Engineer with 12 years experience knocking on the door of a CCIE should be making about 100k. So at three years you are losing 300k. By that point you should be at 15 years experience knocking on 125-130k as a Cloud or Network Architect. In my opinion you never make up for that money ever. IT does not require degrees unless maybe for management.

Now if there are other reasons then I understand, but you will never make up that 300K you left on the table. Another idea I would have is that you could do online courses while working if you really wanted that degree.

Thank you for your service, I get to play computer games all day as a network engineer because heroes like you fought for my freedom.

Edit: Option 3, get your CCIE, that will be worth more than that degree as well.

Original Poster · 1 point · 1 month ago

You're not completely wrong. I'll be missing out on a good chunk of salary, and CCIE would generate a lot more money. I've considered studying for CCIE, but I'm just not sure I want to do that. A large reason is that I do want to play college golf, and this is probably the only way I'll be able to do it.

I will have some income though. The military left me slightly broken, and the GI Bill will pay for school and housing. So I'll have roughly 36K of tax-free income while I'm in school.


I understand man, if you are good enough make a lot of money and try and make the cut to the pros one day :)

I know plenty of network guys that write statements of work on the golf course lol.

I work for an airline.

My boss decided to implement StackWise instead of ECMP at the last minute in our core infrastructure upgrade. He followed our consulting CCIE's advice when he said, "StackWise isn't officially supported on this version of software, but it looks like the commands are all in there if we want to go ahead and do it."

So, against my advice, he opted for StackWise.

Everything went fine!

Until it didn't...

A "software bug" took the entire stack down... on a Sunday morning no less. By the time we got someone to the data center and rebooted the stack, we had over 1000 flight cancellations and caused over 50,000 delays nationwide.

My new, official position is "FUCK StackWise".


Wow, the blast from the past. Every time somebody says stacks are stable, especially if it is a contractor, I ask them how long it has been since they have worked in the field. They usually say 5-10 years, at that point I make sure to let them know that they are discredited. If they claim customers of theirs are stable with it, I usually ask for 5 of their customers' phone numbers so I can contact them directly. The third thing I usually ask is how many times have you seen ISSU performed on stacks? At that point they backtrack on all of those points. If you have not done the work with your boss to have trust in your judgement and proved to him that you are at that level, then it's on you. If you have and you are proven, then it is time to leave that job for more money.

Also, have you volunteered to do a WebEx with the vendor and just hand-hold him through the simple install?

How long is it going to take you to write the access lists and determine the IPs that he actually needs? If it is going to take you time to do that, explain to your boss that least privilege access is a good practice, but it may take you some time to gather information, if you have the ability to restrict them at all.

Great reading so far, thanks for the post. This is always the situation that runs through my mind if I get laid off. Some scary stuff down there, but also something that I could feed my family on.


> It IS the way that Cisco is moving in the future.

To be fair not even Cisco knows what they're doing. Our rep says "we're moving towards X." Next quarter our rep says "we're deprecating X now we're moving towards Y." Next quarter it's something else. They can't even pick what platform they're staying with, much less what software they're going to develop.


I had to laugh at this.

Because if you don't laugh, you'll cry.


Just installed 16.x, the recommended release, on some 12-port 3850s and I hesitated, as 3.x was stable for me. They are not in production, so it made me think of the exact thoughts I had while making this decision. Should I go with X, which has been partially stable? Or should I install Y because it is the future? Maybe I should install a Nexus instead of this piece of shit, which represents option Z.


Well folks, it's that time of year, time to renew SmartNet! We don't carry SmartNet on phones, wireless access points, and UCS blades. I was wondering what Reddit does?


We recently removed it on all our access switches. These never require support and it's cheaper to keep a couple of spares around.

Original Poster · 3 points · 1 month ago

How do you deal with updates for your switches if you need to update code? That is the biggest worry we have.

Some models have limited lifetime warranty now and free updates.

Original Poster · 2 points · 1 month ago

> Some models have limited lifetime warranty now and free updates.

What would those be?

This guy sucks as a sales engineer, his dumb ass can sell wired and wireless networks in the same deal.

My friend once told me that it takes 1.5 years to study for the CCIE and 1.5 years to learn the test. That test is about time management in a lot of ways, there are things in there to make you waste time.

Price might be something to consider. You can get into Nexus at a cheaper base price than a 9K. The problem is probably people not understanding how to deploy SAN A and SAN B topologies. That being said, I would also say depending on how you do your storage in regards to FCoE/FC/iSCSI might play into the mix. The 5Ks might be the match if you don't want a separate fabric to manage.

Wait until you are sitting there thinking you are a complete fraud.

https://en.wikipedia.org/wiki/Impostor_syndrome

You will be fine and you just need to be able to learn and figure stuff out.

Route your campus and summarize where you can. If you need segmentation or firewalling for a sacred department then put in a firewall. If you want to protect your clients from a threat, or the spread of a threat, you won't protect yourself by putting /27s everywhere and stubbing them out on a firewall. You will be too busy writing firewall rules instead of doing real security work. Utilize host firewalls and protect your end workstations by making sure they are compliant and being patched.

Came here to say this is the first ever complaint about PA on this forum. The only knock was always price.

There are a ton of complaints about Palo I can make.

  1. Dropping SSL packets in the DP processors and not providing any of that detail to the management plane.
  2. Mangling SSL traffic in the DP processor, causing websites to not load properly (not dropping packets this time).
  3. Limitations of profile exemptions without having to create additional security policies.
  4. No commit confirmed.
  5. No easy way to multi-edit, multi-replace, or mass-add changes without using the migration tool or Excel in the CLI.
  6. Bug with traffic when the Palo is attempting to "un-fragment" traffic in order to scan it. Any more than 62 fragments (yes, I know this is a lot) and the Palo drops the traffic entirely.
  7. Public-to-private NATs on one hand make sense to someone who knows what they're doing: "outside to outside" or "untrust to untrust". However, without knowing this, it's completely back-asswards.
  8. To make NAT even better, security policies reference the "post-NAT" destination zone, not the pre-NAT zone like in the stupid NAT policies.
  9. The hidden "feature" of bidirectional NAT rules, where a secondary NAT rule, hidden in the GUI, is created that you are unaware of unless you look at the running config in the CLI. (It's amazing that I can create a static NAT rule on a Juniper and all I need to specify is the source zone and that shit works AMAZING.)
  10. Palo Alto Networks the company: the continuous push to request more information from customers' networks without providing them any information from that data. Let me get this straight. You want me to send you "telemetry" data so YOU can benefit with your insanely expensive Magnifier service from the firewall, and then have the audacity to not even add this information to Palo Alto traffic / threat logs so I can ALSO benefit from the data? GTFO.

With that being said... Palo while they have many flaws is still what I consider a great product. It's expensive as hell, and may not be my preferred but I can see why so many do love the devices.
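As an added illustration of points 7 and 8 above (this is a constructed model, not Palo Alto code or configuration, and the zone names, addresses and rule names are invented): the NAT rule is written against the zone the original destination routes to, while the security policy matches the original destination address but the zone of the translated destination. The model shows why a security rule that simply copies the NAT rule's destination zone never matches and the flow hits the default deny.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    zone: str


# Constructed routing table: inside prefixes sit in "trust", default route exits "untrust".
ROUTES = (Route("10.0.0.0/8", "trust"), Route("0.0.0.0/0", "untrust"))


def zone_for(ip):
    """Longest-prefix-match lookup returning the zone a packet to `ip` would egress into."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in ROUTES if addr in ipaddress.ip_network(r.prefix)]
    return max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen).zone


@dataclass(frozen=True)
class NatRule:
    src_zone: str
    dst_zone: str        # zone of the ORIGINAL destination (hence "untrust to untrust")
    original_dst: str
    translated_dst: str


@dataclass(frozen=True)
class SecurityRule:
    name: str
    src_zone: str
    dst_zone: str        # zone of the TRANSLATED (post-NAT) destination
    dst_addr: str        # but the ORIGINAL (pre-NAT) destination address
    action: str


def evaluate(src_ip, dst_ip, nat_rules, security_rules):
    """Return (rule name, action, translated destination) for one flow.

    NAT is matched on the pre-NAT destination zone; the security policy is then
    matched on the post-NAT destination zone with the pre-NAT destination address,
    which is the ordering the comment above complains about.
    """
    src_zone = zone_for(src_ip)
    translated_dst = dst_ip
    for nr in nat_rules:
        if (nr.src_zone, nr.dst_zone, nr.original_dst) == (src_zone, zone_for(dst_ip), dst_ip):
            translated_dst = nr.translated_dst
            break
    post_nat_zone = zone_for(translated_dst)
    for sr in security_rules:
        if (sr.src_zone, sr.dst_zone, sr.dst_addr) == (src_zone, post_nat_zone, dst_ip):
            return sr.name, sr.action, translated_dst
    return "default-deny", "deny", translated_dst


# Invented inbound static NAT: public 203.0.113.10 maps to web server 10.0.0.10.
NAT_RULES = (NatRule("untrust", "untrust", "203.0.113.10", "10.0.0.10"),)

# Intuitive but wrong: destination zone copied straight from the NAT rule.
POLICY_PRE_NAT_ZONE = (
    SecurityRule("allow-web-inbound", "untrust", "untrust", "203.0.113.10", "allow"),
)
# Correct: post-NAT destination zone, pre-NAT destination address.
POLICY_POST_NAT_ZONE = (
    SecurityRule("allow-web-inbound", "untrust", "trust", "203.0.113.10", "allow"),
)

if __name__ == "__main__":
    for label, policy in (("pre-NAT zone", POLICY_PRE_NAT_ZONE), ("post-NAT zone", POLICY_POST_NAT_ZONE)):
        print(label, "->", evaluate("198.51.100.5", "203.0.113.10", NAT_RULES, policy))
```

The practical consequence for a defender is that a policy written with the wrong zone fails closed here (the flow is denied), but the mirror-image mistake on an outbound rule can just as easily match more than intended, so zone choice in the security policy is worth checking against the post-NAT route lookup every time a NAT rule is added.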


Saving this comment for later, like I said never heard a single bad thing about PA.


That's clean for what it is, you at least took the time to give a shit, which is more than 90 percent of people who touch racks.

Original Poster · 1 point · 1 month ago

If I'm putting my name on some work, I'm at least going to give a minor shit and leave my mark. I can't stand how people just do things with no regard whatsoever for aesthetics.


Wait till you meet the old burnt-out people that fell into this :)

I wish I had project managers at my new gig. The PMs were so shitty that management just said, well engineers just manage your own projects and the PMs can fuck off all day and work on corporate reporting.

write erase reload at 0800

Cloud from scratch, nothing on prem other than some cheap switching and a fast ISP.

[deleted] · 1 point · 2 months ago

How are you gonna get that fast ISP to all your sites and verify no one is watching porn all day?


How do you stop them today? Do you decrypt SSL in your environment today? Most likely you can't, so you could do it with a cloud DNS firewall like Umbrella or some other tool.

My old professor would call that shit the "Broken Ring", learn the Ethernet.

Funny thing I have to say about this, converted from Checkpoint to ASA with Firepower and had problems with Citrix too. Ended up being a problem with NAT and a route.

Never heard of Palo Alto having problems, just expensive; everyone on here loves them.

u/longlurcker · Karma 1,487 · Cake day June 21, 2017 · Trophy Case (2): One-Year Club, Verified Email
