I've been reading and searching on here as much as I can to try to help me in making a decision, unfortunately when I think I know what to do, I read something else and get confused again.
We are in the process of moving networks within our datacenter and will have 2 drops coming into our half-cabinet. We have about 7 servers in there, some for our own use and some for clients. In all cases, we manage the servers and are the only ones with root access (no need for VLANs for the purpose of protecting IPs etc).
We currently have a single drop and use an HP procurve 2524 layer2 switch that has been in there for over 6 years and never had a single hiccup. We also don't push much traffic at all though. Under 5mbps combined.
My question though is this: moving to the new network we will have 2 drops that are set up as HSRP on their end (upstream of me, I don't have to worry about having two switches). In order to use the dual feeds, we will need a Layer3 switch. One feed will be active, the other is not, both are connected to the switch via a VLAN and provide a gateway for VLAN2 to use. I have never used a layer3 switch, though I'm not *too* concerned since I don't expect we'll be doing anything too complex. My understanding is that one VLAN (VLAN1) will be set up with an IP address assigned to each drop and that VLAN1 will create a gateway for VLAN2. The second VLAN (VLAN2) will be all our "inside" client IPs that will then route through VLAN1.
I was briefly checking out the cisco 3750, but I think it's overkill...? I don't want to spend too much money, since I don't think we need any complex setups, at the same time, I don't want to waste money by buying something that won't work efficiently down the road.
My immediate short-list is now an HP procurve 2610, an HP procurve 3500 J9470A (not the YL), and a Cisco 3560 24-TS.
Of course, then someone mentioned Juniper (whom I have zero experience with either) and hence the title to my thread... I'm thoroughly confused. I was looking at the EX3200-24T.
Ok, so if I have to boil this down to some simple requirements/thoughts... here goes:
1. I only need 24 ports for now.
2. I use SNMP currently to monitor usage for clients (and overall)
3. I like HPs and have used them for layer2, I like their lifetime warranty and software availability
4. I don't have direct experience with Cisco at all.
5. Aside from routing from one VLAN (provider side) to another VLAN (my side), I don't think I need any other special features (hence the hp 2610 being ok I think, since it offers "lite layer3")
6. Some people say HP is great for layer2 but not for layer3? Now I dont' know what to think.
7. Currently use about 2mbps and might jump to 3 or 4mbps, but don't have major needs. I'd like for this switch to be able to last me a while though... so maybe 20~40mbps+? (but still not the hundreds of mbps that others here push
8. If possible, I'd LIKE to limit some servers to 1mbps or 2mbps on a per-port basis... but this is not a hard requirement. (I think this takes the 2610 out).
Budget: I like the $500 price tag of the 2610, but can spend the $1500~$2000 for the HP 3500, Cisco 3560, or Juniper. I would just rather not, if the price/features are not justifiable.
Hopefully I've provided enough information for someone to offer their insight? I think a few strategic key points or questions from someone with more experience might be what I need to help me bust through the "too many choices" fog and end up with the best switch for my situation...
I've been looking at these two Firewalls for a quite some time and I am not sure which one I should go with. Price is not a factor since both are around the same price range.
The firewall is going to be in between my DROP and LAYER3 Switch.
So...FastE -> Firewall -> Layer3
As you can see, I dont want any fancy VLAN stuff or anything like that since my switch can take care of all that. I just want a firewall which is easy to configure and manage and has DDoS protection built-in.
If you have any other hardware based firewalls in the price range of ASA 5505 and Netscreen 5GT then I would want to hear about those as well.
to build a new 10GE network and have received offers from Juniper and Cisco distributors.
Juniper seems to be a bit more expensive. It was our first choice at the beginning untill we saw many big ISP's using cisco 6509 with SUP720-3BXL for routing.
Is there anyone with experience on both products? How about support for both of these?
Which will be a better choice? 5430's CPU speed, bus speed, cache and price beats 5520 easily, while 5520 is only better due to the advantage of HT, which I don't think it improves performance much...
Intel Xeon Harpertown 5430 CPU Speed - 2.66GHz Bus Speed - 1333MHz Cache - 1 x 12MB
Intel Xeon Nehalem 5520 CPU Speed - 2.26GHz + Hyper-Threading Bus Speed - 1066Mhz Cache - 1 x 8MB
I need to protect about 80 servers from certain attacks some of them are being victim of. Altogether, these servers use about 200Mbps being almost all of them webservers. The last time, one of them was a victim of a DDoS attack which made all the rest get some packet loss (because this attack was consuming all the bandwidth we had available).
I was looking at Juniper solutions, however I get a bit confused with all the products they have to offer. First, I was looking at IDP series, but they seem a bit pricey and I believe I donīt need all those IDP functions those devices are capable of. NetScreen is also too expensive for me. Iīm looking at a budget of 10.000$ aprox.
I found SRX series and after taking a look at SRX240 and SRX650 specs [url] those firewall numbers seem very nice and perfect for my problem. Would this be a wise choice? This device would act also as the main router for our racks. Please let me know if there are other recommendations that fit the specified budget (10K).
Can anyone give any real world numbers as to what each model of the Juniper-J series router is capable of? How much do these routers cost, and where is the best place to get them from?
Does anyone have any experience running Juniper SSG-550 firewalls in a high-traffic hosting environment?
I run network operations for a hosting provider in Australia. We currently have two J4350s running as border routers, and we are looking at putting two Juniper SSG-550s behind the border routers to do stateful firewalling / NAT.
We'll be using active/active NSRP on the SSGs for load balancing and failover.
My concern is that these devices may not be able to handle our traffic load. They have a hard-set limit of 256,000 "concurrent sessions" which may not be enough for us in peak times. Almost all of our traffic is HTTP though, so I would imagine sessions would timeout quite quickly?
In one of our racks, we now just have two Procurve (J4900B) switches, and run software firewalls on our CentOS servers. We are now looking towards a hardware firewall to ease managment and reduce load on our servers.
One of our suppliers reccomends the SSG140 from Juniper, and it seems to cover our needs. The SSG320 however seems to have more features, like layer3 routing. Could this device replace our Procurve switches, and act as a firewall/switch?
Anyone familiar with these devices and have some input on what to choose? How does the anti-ddos and bruteforce attack functions work out, do they hold up? Anyone tested the Deep Inpspection Signature module? Is it worth having for a ISP/Webhost?
I am tried of not finding a good documentation on now to configure netscreen-25 firewall.
This is the current setup;
Ethernet Drop -> Netscreen (connected via straight RJ-45)
NetScreen -> Switch (Connected via cross-over cable)
This is the what I want to be able to do...
I am assigned a 76.36.57.32/27 subnet Netmask 255.255.255.224 Gateway 76.36.57.33
1) Make Netscreen accessible via IP 76.36.57.34 for remote management.
2) I dont want netscreen to assign IPs for my wired devices because I've already set all their IPs and those are the ones I want to use.
Now, I did read the manual [url] and went to Network -> Interfaces -> Ethernet 1 Trust *edit* and in the "IP address" box I typed 76.36.57.34 and netmask "/27".
In the "Manage IP" box, I typed 76.36.57.39/27 according to the manual.
After doing all that, I cant access any of my "wired" devices behind firewall and neither can I access the firewall itself with the IP I assigned.
we have this Juniper SSG5 firewall, our very first Juniper and wanted to use it.
While I am able to use it in NAT mode, I have been unsuccessful to use it in route mode.
We have Public IPs from the same segment and I wanted to use it with the firewall but it appears that I can't assign IPs for each port if the IP is from the same segment.
Does it mean that we can't use it other than in NAT mode?
What we want to accomplish is to have one of IPs to act as gateway and filter or route in/out traffic to/from our other IPs.
I have a SSG-320M I manage, and would like to know if I can block traffic to our web servers based on the user agent hitting us? I know user agents that keep using more and more IP addresses to crawl us, one already taking up some 30 or 40 addresses under my policies and its a pain to identify these by hand and keep updating the firewall every few days to add new IP addresses for them. Is there somewhere I can add part of the user agent I do not want to ever see again? Right now I do this by having a policy at the top saying "BadBotsGroup" is denied. But I want to deny anyone with a user agent "OneUserAgent" or "SecondUserAgent"
It seems so important and simple, but I do not see anything about being able to do this. Thanks for help and pointers. Right now we have special code at the top of our sites that blocks these bots, but I would much rather do it in one location at the firewall.
Looking to upgrade to a new switch and have the following in mind. Budget is around 1-2k. We're pushing 500mbps upstream so i want to make sure that the unit can handle that well. Lots of full speed traffic between servers too.
No fancy features required, and the only need is port trunking, which all of these have.
I look at the specs for latency and pps, but I'm not sure if you can trust these figures.
Anyone have experience with the following.
HP Procurve 2910al-24 $1430 latency <2.9us 131 Mpps 176 Gbps Bonus: 10Gb capability with expansion module
We are looking to replace our existing WatchGuard Firebox's with a hopefully more reliable firewall from Cisco's range although I'm a bit lost when it comes to the different ranges.
Could somebody suggest a firewall that is capable of:
1: Both NAT & Drop-in (bridge) mode 2: Pretty low bandwidth requirements, no more than 10mbit/s traffic 3: SNMP Monitoring 4: High availability pairing
I see a lot of DDos related articles here at WHT. We've got hit multiple times by DDos and had to handle those attacks everytime with a different approach.
The largest one and the most well know one (we were in Times Mag, AP news, CNN, slashdot, you name it - just do a search about us on WHT) was Russian botnet cyberattack - we had to anaylyze netflow and then block everything on our edge routers, then on the firewall and then locally on the servers.
Since then we had number of other attacks, some of them we were not able to defend on the server level, while, as you can understand we can't do netwflow and manual intervention evey time somebody gets an attach.
We have very good scripts which allow to mitigate huge number of DDos attack, whet our scripts are finding attacking IPs and blocking them automatically - still some attacks could be blocked only on the router level.
I've read that Cisco Guard (I am interesed in 65xx version of it) suppose to mitigate DDos attacks in automatic mode.
after months of disruption moving servers into a new data centre, our once reliable colocation company has now had nearly 6 hours downtime in the last 16 hours. So much for network redundancy.
I am looking at picking up a switch to mess around with at home. I found the following within driving distance but have no idea of which one will give me more up to date, hands on experience. Any feedback is greatly appreciated.
Used Cisco WS-C5509 Chassis with power supply ( POWER SUPPLY 34-0870-01), and fan (WSC5509FAN) Cisco WS-X5530-E2 Supervisor Engine III Modules Cisco Systems WS-U5537-FETX CISCO 4 PORT 100BASETX UPLINK MODULE Cisco WS-X5234-RJ45 Switch Modules X 8
$160 each.
Cisco WS-C5500 Chassis POWER SUPPLY 34-0773-03 Cisco Ws-x5550 Supervisor Engine Iii G-series WS-X5234-RJ45 X 11
For $200
Cisco WS-C5505 Chassis Cisco WS-X5530-E2 Supervisor Engine III Modules Cisco WS-U5533-FEFX-MMF Supervisor Engine III Uplink Modules Cisco WS-X5225R Switch Modules X 2
I'm trying to learn about network. I bought Cisco 2950 for testing. I set it up and finding out the way to cap its ports at 20Mbps or 50Mbps. Do you know what command or how to do this?
Also what command to check the port speed or to uncap the port?
I am setting up a small ccna lab and i have RIP working and i can ping my lan from both routers, but only certain hosts on the lan from the one router the setup is
1) I was recommended to chose the XL-EN model switches because it seems they have more Memory, but the second one in the list (Catalyst) is not a XL-EN, is that going to have any affect performance wise? or it doesn't really matter?
2) I was also recommended to choose managed switches because that way I can use the SNMP features to measure bandwidth, are any of the switches above unmanaged?
3) I also want to be able to manage the switch remotely, web managed, are any of the switches above web-manageable?
4) Most importantly, when my datacenter give me a 100mbit drop, I dont know which port to plug it in in the 29** series. In the 35** I see it clearly but I am not able to see it in the 29**, any ideas?
5) On some of these switches I see a special port called "Console", what is it? where does that connect to?
6) Do any of the switches above not have a console port?
I have a single /24 and my firewall is on x.2 and routes traffic for each of the servers.
Now i have a new Cisco ASA 5510 that i want to replace the aging firewall currently in place, however i dont want to put the firewall into transparent mode because i dont want to lose all the functionality.
Now with most firewalls your outside subnet cannot be the same as your inside subnet, which is fine if you are using NAT but i dont want to NAT. I need all of my servers to remain with their public ip addresses.
So what is the ideal way to setup something like this? Request my ISP give me a /30 for the ASA outside interface or something? And then ask them to route my /24 through the /30 new subnet?
whether I can grant a specific vlan priority over all other traffic..and if so does anyone know an appropriate site where I can find documentation on how to do so?