Re: Interceptor 3.0 - User Experiences

jhelmly · 02-16-2009

Thanks for the information on the secure vault alarm. I will have to try that.

As for the CDP support, we had requested back in 2008 / 2009 for the Interceptors to provide the same CDP support the Steelheads already support. The disappointment was that the Interceptors tied that support to WCCP/PBR, thus making it useless for the normal inline Interceptor configuration. With the extra connections typical of the Interceptors, having CDP available would greatly ease the verification and troubleshooting of connections on new installations.

PerryLucas · 06-25-2009

CDP is a Cisco proprietary protocol, you'll likely see 802.1AB Link Layer Discovery Protocol implemented before CDP, especially since it is available on non-Cisco hardware.

As for the secure vault, here is the fix:

no stats alarm secure_vault_unlocked enable

I also found it useful to disable the oversubscription load balancing alarm:

no stats alarm oversubscription_alert enable

The reason for this is I have a pair of 6050's in one data center behind the Interceptor 3.0 release steelheads, which detected my 7050's at another data center. Despite there being little traffic between the data centers, the interceptors thought they would have been oversubscribed and really generated a false positive. I have a feature request in now for a threshold setting so that this alarm can be re-enabled.

Other than that, I have had the Interceptor 3 release running for about a month now in production and getting ready to start upgrading other production Interceptors. We don't use RBAC accounts in our infrastructure, so really no experience there (We map TACACS to either the built in Admin or Monitor account).

jhelmly · 02-16-2009

Now that Interceptor 3.0 has been out for about 2.5 months, does anyone have any feedback for the rest of the forum on their experiences (good or bad)? I am reluctant to deploy in production until I see some evidence that Interceptor 3.0 is stable.

Here are some starters based on my own experience and the few comments I have seen so far:

- I must admit I was disappointed that I could not use CDP unless I used OOP (WCCP/PBR). I have been asking for CDP for three years on the Interceptors since we find it very useful for troubleshooting, especially with new installs.

- I also had secure vault alarms, for which a case has been opened since the Interceptors does not use SSL or have a secure vault. Though since it does have a Web GUI, I guess I need to request it receive the 6.5 feature to allow for management of the Web GUI certificate so it can also meet policy requirements.

- I noticed someone post about not being able to create role based accounts. How many other features of the 5.x / 6.x GUI did the Interceptors not get with 3.0?