Netgate Discussion Forum

    How I Killed Off Cisco And Saved Money And Confusion Along The Way

    General pfSense Questions
    Derelict LAYER 8 Netgate

      Check out the FRR package in 2.3.4_1, 2.4. Please, if you can, switch a real workload to it and give feedback.

      Glad to have you in the pfSense camp but since when do ASAs not tag/trunk dot1q VLANs?

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      Schnyde

        I was surprised to find that out also, almost the hard way.  There are no options in ASDM or the CLI to even make vlans, let alone trunk them, I guess Cisco wants you to buy their routers to do that…  I had mostly 5525Xs and 5512Xs.

        Cheers!

        bingo600

          @Schnyde:

          I was surprised to find that out also, almost the hard way.  There are no options in ASDM or the CLI to even make vlans, let alone trunk them, I guess Cisco wants you to buy their routers to do that…  I had mostly 5525Xs and 5512Xs.

          Cheers!

          Ahemm .. Cough..Cough  ;)
          https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/interface-vlan.pdf
          Or
          https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/interface-basic.html

          Even my old 5505 can do VLANs, but fancy stuff might require a PLUS licence.

          /Bingo

          If you find my answer useful - Please give the post a 👍 - "thumbs up"

          pfSense+ 23.05.1 (ZFS)

          QOTOM-Q355G4 Quad Lan.
          CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
          LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

          Schnyde
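          For readers following the ASA documentation links above, here is what dot1q tagging on an ASA actually looks like: one physical port carrying two tagged VLANs as subinterfaces. This is an added illustration in ASA CLI syntax, not configuration posted by anyone in this thread; the interface names, VLAN IDs, and addresses are made up.

```cisco
! Physical port becomes a bare trunk carrier: no name, no address of its own.
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! Subinterface for VLAN 100: frames leave this port tagged with VLAN ID 100.
! nameif and security-level are required before the ASA will pass traffic on it.
interface GigabitEthernet0/1.100
 vlan 100
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
! Second subinterface on the same port, tagged VLAN 200.
interface GigabitEthernet0/1.200
 vlan 200
 nameif voice
 security-level 50
 ip address 198.51.100.1 255.255.255.0
```

          The switch port facing Gi0/1 must be a dot1q trunk allowing VLANs 100 and 200; on a 5505 the number of VLANs and trunk support depend on the licence, as noted above.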

            As usual, the Internet is always right!  Good find, not a fan of sub-interfacing though…

            Cheers!

            JKnott

              @Schnyde:

              As usual, the Internet is always right!  Good find, not a fan of sub-interfacing though…

              Cheers!

              Why's that?  It's nice to be able to keep different services separate, so that you can apply CoS etc, without worrying about where something is plugged in.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

              Derelict LAYER 8 Netgate

                pfSense generally does the same thing under the hood:

                igb0
                igb0_vlan100
                igb0_vlan200
                etc.


                Schnyde

                  Just not a big fan, albeit I understand that this is how non-switches do it.  No technical reasons; it just seems to add complexity to the Cisco config.

                  The one thing that Cisco does that pfSense does not is NATing, or more specifically, outbound NATing to a network without an upstream gateway.  We use that feature often at a few locations, and until pfSense (or BSD even) can do this, we cannot use it to replace the Cisco ASAs at these sites.  This is very unfortunate, and leaves me stuck with Cisco until this is sorted out.

                  Cheers!

                  JKnott

                    @Schnyde:

                    Just not a big fan, albeit I understand that this is how non-switches do it.  No technical reasons; it just seems to add complexity to the Cisco config.

                    Actually, there are a few technical reasons, such as fewer devices in a broadcast domain, isolation of traffic for increased security, and CoS that can be applied to some traffic.  A few years ago, I set up a network in a seniors' residence.  There was the office traffic on the native LAN and VLANs for VoIP, the residents' Internet access and one for network management.  The WiFi access points also used VLANs and multiple SSIDs for staff & resident access.


                    PiBa

                      @Schnyde:

                      that pfSense does not is NATing, or more specifically, outbound NATing to a network without an upstream gateway.

                      I use outbound NAT on my management network to reach a few devices that don't have pfSense set as their gateway themselves. In pfSense there is no gateway configured on this management interface and outbound NAT works fine.  Am I missing something in your configuration?

                      Derelict LAYER 8 Netgate

                        Just not a big fan, albeit I understand that this is how non-switches do it.  No technical reasons; it just seems to add complexity to the Cisco config.

                        A more complicated network often adds complexity to a firewall/router configuration.


                        Schnyde

                          Awesome, maybe you can help, although I posted this issue in the NAT section:

                          https://forum.pfsense.org/index.php?topic=136579.0

                          Labeled solved, as the pfSense documentation states that any interface without an upstream gateway will not be considered for NAT.  Opened a ticket with pfSense support, and they stated that they could not find a solution.

                          Basically, set an outbound NAT on the WAN interface to translate to a DMZ address that has no upstream gateway.  The reason is that I have an IPSEC customer that requires that the network be a DMZ address, as it is currently on the LAN.  I was hoping that I could NAT it out; tried a bunch of different configs, even tried using the FW itself as the defined upstream gateway.  No matter what I did, the traceroutes from the host to that IPSEC client would go out the WAN and not translate to a DMZ address, then out the tunnel.

                          Cheers!

                          PiBa

                            Posted a reaction about NATting on IPsec in that other thread.  It's not the same as for regular interfaces.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.