Friday, December 29, 2017

[Cisco]: If you have another choice, choose that one.

I've worked with Cisco products ranging from ASA firewalls, 5508 WLCs, routers, switches, ISE, ACS, Prime (MSE), Firepower, etc. They have simply gone downhill very quickly these past two years. I'm not entirely sure as to why, but nonetheless, they have. If you ever have the choice between a Cisco product and another product, don't pick the Cisco one.

ISE: For basic functions, ISE works great. Device admin AAA functions, for example, are wonderful.

-Client Posturing: Its SCCM MDM integration, starting with ISE version 2.1 (now on 2.3), does not support anything other than SMBv1. Yes, you read that correctly. You have to open your network to one of the most common attack vectors to "securely" posture your devices coming onto the network. (What could possibly go wrong?!) Worse yet, Cisco hasn't announced any plans to change this. In the various bugs relating to this, Cisco simply states "Customer unwilling to downgrade to SMBv1" as its solution.

-VM Snapshots: Yes, many vendors don't officially support VMware snapshots as a way to back up their servers. But then again, the ISE VM is the only VM I know of, starting with version 2.2+ (at least in the environments I've worked in), that stops all services and requires a reboot once Symantec forces a snapshot for its backup process. Cisco's official way to back up the server is to recreate a VM from an .OVA file, then upload the config via FTP or NAS. This could take 30 minutes to hours depending on the environment. Regardless, it's much, much slower than a backup should take in the current year of our technological advancement. The official response from Cisco when contacted was "how often do you really have to rebuild this server?" Wow, how comforting.

-Misc: It will also miscategorize endpoint profiles, even more so "if you put too many factors" (TAC reply) into determining the device.

3850 Switches: Overpriced garbage; stick to the 3750X's if you can. IOS releases have almost always been crap. In the past two years, many of their "Cisco recommended" releases simply stop passing management plane, then data plane traffic after a few weeks. IOS files are getting to the point where you can't even boot the .bin file due to its size. You must take every other bootable IOS off the device first, leaving no backup until you've performed the upgrade. Transferring an IOS file over Xmodem is something I've done once, and made dang sure I never had to do again.

ASA Firewalls: Much like the switches, they will put out releases that will just stop traffic after a certain number of packets are processed by the firewall. Sometimes, they'll even include it in the release notes while still having the bad release available for download. It also still uses a Java GUI. Disgusting and slow.

5508 WLC: Much like all the previous devices, their software releases have sucked. They just had a recent release, Cisco recommended, that resolved the KRACK vulnerability. I upgraded to it, only to have zero APs associate to the controller. The release notes stated the upgrade path was direct. Once I upgraded to another non-vulnerability software version, they associated. This may seem small, but it takes a very long time to change the software on the WLC.

Cisco TAC: Their customer support has never been this bad. I always get a TAC engineer who never reads the initial case notes. I will put in everything they can possibly request, and they will still, on script, ask the exact same questions as if I only wrote the title of the case and nothing else. Lately every single TAC engineer interrupts me when I am talking. None of the issues I have had could be resolved either, since they weren't just basic "oops, I forgot to check this one setting" type issues. Hilariously enough, during a network down event due to a firewall software upgrade, our Cisco account manager asked why we didn't try and do a WebEx with TAC. The TAC engineer on the phone was also flabbergasted when I told him "no, we have a network down event, we cannot WebEx".

Sorry for the long post. I've just had enough of Cisco's shit.
