Hey guys,
I have been struggling with this for the past week and need some advice.
Sorry I am not at work and cat pull the configs at this moment but can post them Monday if needed.
So we recently moved offices and had to drop our Cogent dedicated fiber line and switch to using our backup internet as our primary (Comcast).
Now I don't know if you guys have much experience with Comcast but its a nightmare, for me at least there is no way to put the Comcast modem in bridge mode instead you need to use it as a gateway (which I don't know how they think a 500mhz process with even less ram can handle anything more than 5-6 users let alone a business/enterprise network).
I have IPv4 working great and without issue for years now, and only recently decided to try and make a push for IPv6. Now comcast has given me a /56 prefix and in my experience with setting up IPv4 with them I had to set the default route / route of last resort to the comcast's public ipv4 address (different then the static ip's I was assigned).
For IPv6 its a little weird, I have tried every setup I can think of, from assigning an ip to both GI0/0/0 and GI0/0/1 to leaving them link-local only. No matter the setup nd + cef can see all the neighbors and even setup the next hop on the WAN to the Comcast modem's link-local address, I can also ping the internet from console on the ISR but if I configure a ::/0 route then everything dies. Also I can ping the routers link-local address from any computer within the lan and I can ping the global address's as well, just cant go past that point.
Any traceroutes or tracepaths always end at my routers LAN link-local.
Now I know my setup isnt that large but my company is super cheap and I had to fight tooth and nail for the equipment I got despite the fact that everything I have ordered had resolved all the pre-existing issues that came before me (massive packet drops, horrible latency issues, horrible wifi latency, etc)
Before I can all they had was the Comcast modem & a Meraki mr18 for a minimum of 40-50 users and peaking at 70, switched them to enterprise-grade equipment minus a few business class dumb switches and now instead of no security, I have secured the shit out of it.
Another issue I am having is the IDS I have created works great and does support DPI but unfortunately, none of my switches support mirroring and they are too cheap to drop the $200 to get something decent. I am exploring building a tap but since you cant reliably tap gigabit + lines without dropping some serious money, most tap designs I see max at around 500mbits and I have no interest in bottlenecking the network. I also briefly explored building a pfsense router/firewall but that really doesnt seem like a viable solution for our setup and was wondering if it was possible to to enable spanning tree on the cisco isr LAN port and output it to the Management port, but I dont really have high expectations on that working as the Mgmt is on its own special vlan that cannot be changed.
Any help would be greatly appreciated on both the IPv6 issue and on how to do DPI locally without having to rely on cloudshark.
Thanks
No comments:
Post a Comment