RE: PIX VPN [7:81265] posted 12/24/2003

I don't mean to start a war here but picked this off


The bug caused memory corruption in several Cisco routers, wiping out entire
routing tables and causing delays while routers rebooted and repopulated
their routing tables. The problem continued all morning, affecting ISPs
across the country from Boston to Memphis to San Francisco
( was among those affected).

Richard Steenbergen, an independent network engineering consultant, says he
experienced a similar situation with another inter-domain routing protocol,
OSPF, which crashed several Cisco GSR 12000 routers at another large
tier-one carrier a couple of years back. He says the bug and the series of
events that triggered it would not likely appear in testing.

Steenbergen blames Cisco's apparent router instability on its IOS routing

"Because of its monolithic design and lack of protected memory space for
individual components, IOS is notorious for bringing down the entire router
if so much as a single error occurs," he says.


But Cisco's McNealis says that if the same problem occurred in any other
router, such as one from Juniper Networks Inc. (Nasdaq: JNPR - message
board), it would have had the same effect.

My 2p.....
I have worked with :
PIX,CVPN,Checkpoint,Cyberguard,Netscreen,F5, and have been to do battle
twice in Brussels for the CCIE cert !

I am currently running two Datacentres with NS-208 on the web-tier and
Checkpoint/Nokias at the app-tier. With F5 BIGIP's at every tier. I also
have PIXes and CVPN's providing L2L vpns and remote access.

Here is the word that differentiates Cisco from the other vendors ...S U P P
O R T !!
My experience is that all these other ( ie non cisco ) products are
brilliant but their support is crap when it's outside the US. I find that
they have no real expertise outside the US so if you raise a problem ticket
be prepared to wait till the States wake up or somebody in the States is
woken up. Case in point ..I currently have a query with Netscreen about
their IDP product which has yet to be addressed 2 weeks on !! 2 f***ing
weeks !! I can bet my bottom # that if I had raised a similar issue with
cisco they would have been all over it like a rash !! I once raised one on
the CVPN3030 and I started off with a chap in Brussels who handed it over to a
chap in the Philippines and was finally sorted by a chappie in Caracas !!
all in 1 day !! F****ing AWESOME !!! As we say over here " the dogs bollocks
!!" ...that's what Cisco are when it comes to supporting their product !!
I actually think the Netscreen can piss all over the PIX but where is the
support over here in the UK for eg ??
Checkpoint documentation is shite !! You have to go to to get
answers. The licensing has given me extra grey hairs just trying to
understand it. Never mind trying to install the f/w manager on a different
box to manage a couple of firewalls; an elephant gives birth quicker !!
Otherwise a brilliant product.

I could give you more examples but I think you get my point. Basically they
get it wrong when they expand out of the US. No wonder Dubya thinks he is
running for re-election in Iraq :-)

>Hey guys,
>I can't help adding my 2 cents here....
>I have mentioned this in the past.... I have two 525's and a VPN 3005 box
>running... net result? IT SUCKS!!! Generally, the IT management folks have
>an inclination (at least here in India) to blindly follow Cisco and all there
>is to do with it.....
>As part of another of our large scale network rollouts across the country,
>our vendor (Ericsson to be precise) gave us a solution with every node being
>basically this involves EXTREME switches (Alpine and Summit), a bunch of
>Juniper M20's (these babies are a dream to work on!!! The flexibility and
>stability provided is SIMPLY FANTASTIC in JunOS... I cannot stop praising
>them enough) and Netscreen firewalls (208's to be precise running in HA
>mode). The Netscreen also has capability for port screening and 3DES VPN's
>as part of this product....  I cannot imagine the kind of solution or quote
>that Cisco would have given me for this..
>So all I am saying is, look around mate... there is some Ultra cool stuff
>from Juniper, Extreme and Netscreen (and possibly scores of other carrier
>class vendors) around that can beat the crap out of a Cisco box, any day,
>hands down.....
>Also, the very imp thing that Joseph pointed out....... never be Cisco
>centric unless you have a well designed early retirement plan in place!!
>All the best!
>Site-to-site VPN: 
>first choice: Router on all sites (not VPN concentrators) 
>alternative: VPN concentrator or PIX"
>LOL Jens no offense but I have to giggle here.  Cisco will tell you what
>ever fits their marketing strategy of the day my friend.
>Of course Cisco will tell you a router is the first choice - a 7206vxr with
>the correct image and encryption module costs a hell of a lot more than a
>I am a Network Engineer for a large organization that uses a hub and spoke
>architecture where the hub and the spokes are ALL using the VPN
>I have managed both PIX based AND router based VPNS, by way of hands on
>experience I can tell you nothing compares to the VPN3000 Concentrator
>You have to put the Cisco books down and take them with a grain of salt.
>The all mighty Cisco behemoth is NOT the final word on what is networking.
>If you remain Cisco centric as a Network Engineer you will paint yourself
>into an unemployment corner.
>Broaden your horizons my friend and get your hands dirty with ANY piece of
>network equipment you can.
>Example; Cisco's Load balancing solutions (AKA Arrowpoint) SUCKS compared to
>the NETSCALER iON series devices
>I have the CCSP Cert and am one test away from CCNP and I will tell you that
>Cisco's IDS solution is mediocre.  You would do better to set up a Linux box
>with Snort.
>The PIX is hands down the best out of the box firewall solution; HOWEVER, I
>would still jump at the chance to play with a NOKIA Checkpoint or a Sonic
>Remember a good deal of Cisco's product line is the result of buying out the
>company that made it (the PIX is no exception, others include Linksys,
>Arrowpoint, Altiga and the list goes on)
>If your boss told you you were using Intertel for VoIP instead of Cisco would
>you quit your job?  If you can make mixed vendor environments play nice
>within a Cisco framework and vice versa you are worth tons more than if you
>only know Cisco.
>So when you say "From publications including the CSVPN training Cisco's
>opinion is the
>following:"  (By the way I teach a CCSP course including CSVPN) I say take
>"Cisco's opinion" and take it with a grain of salt.
>What they teach about networking is indispensable (theory et..)- WHAT THEY
>When you REALY want to know the right product listen to what Cisco says and
>then weigh it against what your peers are saying in newsgroups like this
