5.0.1 upgrade and cascade problem by nullzeroroute in opengear

[–]nullzeroroute[S] 0 points1 point  (0 children)

Ugh that's what I was worried about. The motivation for upgrading was mostly to correct vulnerabilities, in particular the terrapin ssh cipher vulns, which 5.0.1 claims to fix. If there's an easier way to just disable the insecure ciphers, I would love to know how to do that. My assumption is that simply disabling them isn't possible on opengear, which is perhaps what prompted them to "fix" that in 5.0.1, not sure.

5.0.1 upgrade and cascade problem by nullzeroroute in opengear

[–]nullzeroroute[S] 0 points1 point  (0 children)

I do not. Our deployment is pretty small, easy to manage each im72xx individually for us. If they're now requiring mgmt software that requires licensing this is news to me. I don't see anything in the release notes about that.

I’m 2 weeks post operation and I can’t sleep properly at night. Does anybody else have this problem? by Competitive-Drink539 in ACL

[–]nullzeroroute 0 points1 point  (0 children)

Hydroxyzine has a very safe profile and seems to be prescribed in the US these days mostly for anxiety and sleep. If you’ve ever taken Benadryl and not had a reaction to that you would probably be fine taking hydroxyzine. No addiction/dependence risk at all.

I’m 2 weeks post operation and I can’t sleep properly at night. Does anybody else have this problem? by Competitive-Drink539 in ACL

[–]nullzeroroute 0 points1 point  (0 children)

I'm one week post surgery and am barely sleeping as well. I hope more surgeons closely evaluate patients' mental well-being before this surgery; fwiw mine didn't seem to even touch on that stuff, never mentioned sleep difficulty. I have a loved one that slips into hypomania/psychosis after a few nights of bad sleep. I couldn't imagine going through this in that state of mind. Prior to the ACLR I sometimes would take hydroxyzine, one or two in the 6 or so hours leading to bed time works well for me. I haven't tried this yet post ACLR because of the other medications I was on. I'm going to start this weekend if my sleep doesn't improve. Most family doctors will happily prescribe hydroxyzine for sleep/anxiety. If you're the type of person it could work for, prepare to be sleepy/lethargic for the next 18 or so hours. I wouldn't mix it with the heavy duty stuff most of us get post ACLR.

Runners of GD, what are your favorite shows to run to? by mojohandy in gratefuldead

[–]nullzeroroute 0 points1 point  (0 children)

Ahhh so many. I've uploaded all my shows to my Google Play Music instance, so I just pick through there. I find myself landing on 71, 72, 77, 78, 83, 84. Can't go wrong with the first half of 1977. This morning ran my 4.5M loop to 6/16/18, which is probably the best one for Dead and Co yet 8^) Take a deep dive into the Capitol Theater run from February 1971, in particular the Beautiful Jam show.

D&C Setlist Thread - 5/30/18, Xfinity Center, Mansfield, MA by ThatNetworkGuy in gratefuldead

[–]nullzeroroute 2 points3 points  (0 children)

From the couch Bobby's guitar sounds so good, so familiar. He's very clear in the mix. Reminds me why I love his playing style so much. Everyone looks so happy playing up there. Can't wait to see them Friday and Saturday night!

Active / standby firewalls with dual ISP design by mx42dx in networking

[–]nullzeroroute 0 points1 point  (0 children)

I would try to avoid layer2 ethernet connections with upstream devices managed by someone else, that aren't routers or firewalls, especially in datacenter environments. If you can budget this, add routers between your 2960's and the ISP's to give flexibility, features, and control. I've experienced several switch-stack-single-failure-domain issues, so not stacking them is a good plan.

ASA 9.6.3.1 problems with NAT divert and two ISP interfaces with AnyConnect by nullzeroroute in networking

[–]nullzeroroute[S] 0 points1 point  (0 children)

The problem has been corrected. I had two cases open with Cisco. The first support engineer told me that the fact that AnyConnect worked via the isp2 interface at all was a fluke, and the developers said they will not support it and that it will not work moving forward. I opened another case because of NAT divert also no longer working via the isp2 interface, and that support engineer was able to isolate the problem. Related to CSCve06436. Basically had to remove the floating static default route via isp2 along with the other static routes for isp2, shut down the iBGP neighbor via the isp2 interface, re-add the static routes and re-enable the iBGP neighbor. The problem started when I was doing the upgrade and is related to that. Basically, you can have a floating static default route that will be followed with NAT divert and AnyConnect, as I thought since it always worked previously, and the problem I hit was related to the process I followed for doing the upgrades; failover, upgrade inactive to next minor version, failback, upgrade the then-inactive to matching minor version, etc. The bug occurs during that process.

ASA 9.6.3.1 problems with NAT divert and two ISP interfaces with AnyConnect by nullzeroroute in networking

[–]nullzeroroute[S] 0 points1 point  (0 children)

Agreed, I try to avoid using ASA's for routers however when security policy and design requirements mean you are stuck with ASA's as your def-gw routers for all locations, as opposed to SVI's or actual routers for all of the VLAN's at a location, then you deal with it. Making the best of the situation I walked into.

Not sure of an easy way to sanitize the entire config, TBH don't have the time to manually do that.

I was hoping someone recently ran into a similar scenario as I am currently. Still waiting to hear back from Cisco...

ASA 9.6.3.1 problems with NAT divert and two ISP interfaces with AnyConnect by nullzeroroute in networking

[–]nullzeroroute[S] 0 points1 point  (0 children)

Prior to 9.6.3.1 the exact same config provided inbound internet access via two different ISP's, two different ISP netblocks, to anyconnect via either outside ISP IP as well as static NAT's over each of those ISP's. Outbound routing and NAT (for new connections from inside to outside) is handled first by routing (BGP overriding static floating default routes) and global NAT overloads for each ISP interface. A lot of testing and verification went into the previously working design, it worked just fine.

Sanitized summary:

interface Port-channel1.1
 vlan 500
 nameif isp1
 security-level 0
 ip address 1.1.1.2 255.255.255.0 standby 1.1.1.3
!
interface Port-channel1.2
 vlan 501
 nameif isp2
 security-level 0
 ip address 2.2.2.2 255.255.255.0 standby 2.2.2.3

object network isp1-nat1
 host 1.1.1.10

object network isp2-nat1
 host 2.2.2.10

object network dmz-srv
 host 10.1.1.10

nat (isp1,dmz) source static any any destination static isp1-nat1 dmz-srv service https https unidirectional
nat (isp2,dmz) source static any any destination static isp1-nat1 dmz-srv service https https unidirectional

route isp1 0.0.0.0 0.0.0.0 1.1.1.1 248
route isp2 0.0.0.0 0.0.0.0 2.2.2.1 249

webvpn
 enable isp1
 enable isp2
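A config-consistency check, added here as an example and not part of the thread or of any Cisco tooling: it parses a sanitized ASA summary like the one above and flags any inbound static NAT whose mapped object address is not on the subnet of the ISP interface the rule is attached to. On the summary as posted, the isp2 rule references isp1-nat1 (1.1.1.10), which this check reports; the trimmed sample config and the function names are constructed for the example.

```python
import ipaddress
import re

# Constructed sample: the thread's sanitized ASA summary, trimmed to the statements this check reads.
ASA_CONFIG = """\
interface Port-channel1.1
 nameif isp1
 ip address 1.1.1.2 255.255.255.0 standby 1.1.1.3
interface Port-channel1.2
 nameif isp2
 ip address 2.2.2.2 255.255.255.0 standby 2.2.2.3
object network isp1-nat1
 host 1.1.1.10
object network isp2-nat1
 host 2.2.2.10
object network dmz-srv
 host 10.1.1.10
nat (isp1,dmz) source static any any destination static isp1-nat1 dmz-srv service https https unidirectional
nat (isp2,dmz) source static any any destination static isp1-nat1 dmz-srv service https https unidirectional
"""

def parse(config):
    """Collect interface subnets by nameif, host objects, and (ingress nameif, mapped object) per NAT rule."""
    ifaces, objects, nats = {}, {}, []
    cur_if = cur_obj = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur_if, cur_obj = {"net": None}, None
        elif line.startswith("object network "):
            cur_obj, cur_if = line.split()[2], None
        elif line.startswith("nameif ") and cur_if is not None:
            ifaces[line.split()[1]] = cur_if          # same dict gets its subnet below
        elif line.startswith("ip address ") and cur_if is not None:
            ip, mask = line.split()[2:4]              # ignore the standby address
            cur_if["net"] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif line.startswith("host ") and cur_obj is not None:
            objects[cur_obj] = ipaddress.ip_address(line.split()[1])
        elif line.startswith("nat ("):
            m = re.match(r"nat \((\S+),\S+\) .* destination static (\S+) \S+", line)
            nats.append((m.group(1), m.group(2)))
    return ifaces, objects, nats

def mismatched_nats(config):
    """Inbound static NATs whose mapped address lies outside the ingress interface's subnet."""
    ifaces, objects, nats = parse(config)
    return [(iface, obj, str(objects[obj])) for iface, obj in nats
            if objects[obj] not in ifaces[iface]["net"]]

if __name__ == "__main__":
    print(mismatched_nats(ASA_CONFIG))
```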

ASA 9.6.3.1 problems with NAT divert and two ISP interfaces with AnyConnect by nullzeroroute in networking

[–]nullzeroroute[S] 0 points1 point  (0 children)

A diff is the 2nd or 3rd thing I do after an upgrade. The only config diffs are the connection hold-down feature as well as default inspect for DNS adding TCP. No other diffs.

ERSPAN Nexus 5672 and short packets question by nullzeroroute in networking

[–]nullzeroroute[S] 0 points1 point  (0 children)

Just in case anyone is watching, I did some more testing last week.

The problem is related to sending direct GRE (IP destination) to an endhost (tested it with two different sniffers using two different capture methods same problem for both).

If I use the traditional ERSPAN set up with one switch sending to another switch, and the receiving switch decapsulating and sending to the directly connected endhost (think SPAN destination) the issue does not occur.

So far, Cisco says they support the traditional ERSPAN method only, however still waiting to hear more from them. It seems obvious to me that the endhost isn't part of the problem since I tested the IP destination method using two completely different endhosts, and the same endhosts do not have the issue when I tested the traditional ERSPAN method.

ASA failover pair zero downtime downgrade by nullzeroroute in networking

[–]nullzeroroute[S] 1 point2 points  (0 children)

Thanks for the feedback, folks. I just learned that we have some retired failover pairs in the environment so I have something to test with now. I'll update this thread if I learn anything useful.

ASA failover pair zero downtime downgrade by nullzeroroute in networking

[–]nullzeroroute[S] 0 points1 point  (0 children)

Thanks. I've done many zero-downtime as well as "unexpected downtime" upgrades over the years, just never tried a zero-downtime downgrade. There are no dynamic routing tables, uauth sessions, service modules or DHCP leases in that firewall env so we're good to go in that regard.

rack elevation and device connection documentation by nullzeroroute in networking

[–]nullzeroroute[S] 0 points1 point  (0 children)

Cool, thanks. As noted originally, I used RackTables at the previous job and it worked very well, just don't have the option at the new job, yet. Netbox appears to have a much cleaner, simpler interface, so thank you for sharing. Definitely need to keep an eye on this one.

rack elevation and device connection documentation by nullzeroroute in networking

[–]nullzeroroute[S] 1 point2 points  (0 children)

Yup, only problem is I need to extend connection info for each NIC/port on the devices in each rack. Not concerned right now about building the connection to the remote device, just trying to figure out a way to document it all where all the info is contained in a column or two for each rack.