Discussion:
[c-nsp] OT - Infoblox vs. Bluecat
Church, Charles
2010-01-15 15:09:55 UTC
I apologize for this being fairly OT for a Cisco list, but I figured someone on here has touched some DNS gear before. Anyone work with Infoblox and Bluecat, and run across a significant reason to choose one over another? I've googled, but most articles are 5 years or more old. Off-line responses encouraged. The planned use is for govt, so full access to the kernel is nice for hardening/verification. Also need TSIG, DNSSEC, and IPv6 support, which they both claim to have, as they're both based on recent bind. Secure mgmt such as SNMPv3, SSHv2, and SSL would be nice.

Thanks in advance,

Chuck

_______________________________________________
cisco-nsp mailing list cisco-***@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Ge Moua
2010-01-15 15:13:29 UTC
We are using infoblox over here; works pretty well.

Regards,
Ge Moua | Email: ***@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services
Bryan Fields
2010-01-15 15:59:56 UTC
Post by Church, Charles
I apologize for this being fairly OT for a Cisco list, but I figured
someone on here has touched some DNS gear before. Anyone work with
Infoblox and Bluecat, and run across a significant reason to choose
one over another? I've googled, but most articles are 5 years or
more old. Off-line responses encouraged. The planned use is for
govt, so full access to the kernel is nice for
hardening/verification. Also need TSIG, DNSSEC, and IPv6 support,
which they both claim to have, as they're both based on recent bind.
Secure mgmt such as SNMPv3, SSHv2, and SSL would be nice.
Can we keep it onlist? I'm interested to know as well. Just had a sales
presentation from Info Blox yesterday, and would like some real world
experiences from users.
--
Bryan Fields

727-409-1194 - Voice
727-214-2508 - Fax
http://bryanfields.net
Alasdair McWilliam
2010-01-15 19:10:57 UTC
We use InfoBlox and it's pretty good.
We have a grid containing several pairs of HA nodes at various DCs, used for DNS, DHCP and IP Management. We're not using IPv6 though.
Mishka, Jason
2010-01-15 21:38:29 UTC
We inherited a cluster of Bluecat Adonis boxes a few years ago during a
merger. They were terrible. I've never seen an application so poorly
written that ran something as simple as dns and dhcp.

I can tell three stories....

On one particular occasion we were applying updates to apply new tz
information as DST was changing by a few weeks. I called for support
since everything was running slow and basically got blamed for waiting
too long to apply the patches. Apparently they didn't have enough
capacity to handle the load since the patches were time sensitive.

We also had a number of problems with dynamic DNS. The machines were
configured in a cluster which would fail from time to time for no
reason. When this happened the DHCPID or txt records for the dynamic
client would get lost and the clients wouldn't be able to update their
own record later.

Lastly, if the client and appliances were running different versions of
code the client could corrupt the config while applying changes. A
number of times, we had other admins update to the latest client without
knowing that the server had to match. Unfortunately, the thing wasn't
smart enough to check the client version and throw an error.

We moved back to a few redhat boxes and haven't had any trouble since.
I'd recommend against a bluecat appliance based on our experience.

Jason Mishka

Frank Bulk
2010-01-16 05:52:01 UTC
We've been using Bluecat for several years in a SP environment primarily for
DHCP and we've had a tough go of it, with the product, people, and support
(contact me off-list for more detail). Based on our experience, I think
it's a better fit in an enterprise environment with a single DHCP/DNS
administrator. A few months ago I had a web-based presentation and demo of
the Infoblox product and would probably buy their product the next time.

In regards to IPv6 support, this is from the BlueCat's Adonis v6.0.1 release
notes:
- DNS Service is not supported on XHA in IPv6 networks.
- Cannot configure an IPv6 address on an NIC.
When I asked about DHCPv6, this was the tech support person's response:
"What do you mean by DHCPv6?" And this coming from a DHCP/DNS appliance
vendor. When I pointed them to the Wikipedia article, they came back and
said they don't support it. When I asked for an ETA, they wrote back "I am
sorry, but I don't have any ETA." I then asked if they support DNS over
IPv6, and they wrote back "I am sorry but, we don't support DNS over IPv6."
So unless things have changed drastically from late October, it would appear
that BlueCat's claims for IPv6 support are false.

Frank

Church, Charles
2010-01-16 13:44:20 UTC
Thank you all for your responses. Doesn't seem like a real consensus, but at least I've got a few issues to bounce off the two vendors.

Chuck

Paul Catchpole
2010-01-26 11:45:09 UTC
Hi Charles,

Firstly, disclosure time, over a year ago, I was UK
SE/Implementation-engineer for Bluecat's sole disty in the UK, up until
the point they pulled distribution and went direct-to-reseller. During
that time I rolled out implementations including a UK ISP, a UK-wide
distributed corporate install, and a global rollout, amongst others.
I'm currently working for a UK university (as a Network Specialist, not
DNS/DHCP) which runs a 1xProteus,6xAdonis setup.

I'm not clear from the comments so far whether everyone's commenting on
running an Adonis-only setup just using the Adonis Management Console.
If that's the case, then it's a limited solution that works well for
small single-administrator setups and is good at replacing existing *nix
home-grown boxes.

I've never seen a large install not running a Proteus, and I think it'd
be fair to say that without it, there can't be any concept of actual
IPAM. The Uni is on 2.5-latest (with one patch) and my own Proteus is on
2.3.

Back when I was actually installing this stuff, Infoblox didn't have
anything to compare with Bluecat's Proteus, in my opinion. Nothing that
could offer a simultaneous overview and management of IP
addressing/subnet topology and DNS at the same time, for any number of
simultaneous administrators, from a web gui.

The point about actually having root access on the boxes, as well as the
code being unpatched (for BIND and DHCPd) makes quite a difference in
security-conscious environments. It was a major sell into most installs I
did, including the Uni here - and without it, they wouldn't have got the
US defence deals I think.

There's been some good additions recently too, including reconciliation
- using SNMP to match the switch CAM/ARP tables with what's in the
Proteus and flagging discrepancies. Service monitoring has been improved
a lot too. You can now import and export without having to know the
Bluecat-only (ish, supposedly) tricks and XML schema.

I'd agree that there've been bugs, I've raised a few myself. The only
one to have bitten me properly has been the XHA (Cluster) instability -
it was historically far too sensitive to minor network glitches, causing
the cluster to fall apart and go dual-active. It's also a right royal
pain to readdress a cluster - for example due to a datacentre move.
That's been stable for us at the uni, on the hostile residence network,
for a good while now. I've another one regarding the SOAP API flagged at
the moment but it's engineer-committed.

I will happily admit though that I've not kept up with Infoblox to see
what they've developed since buying out the french graduates who'd
developed a 'proper' IPAM solution. It may be that they're competitive
now! :) I moved on to become Borderware UK SE for a while and I'm now
trying to regain my Cisco roots and I'm at the uni to do that as they've
just afforded 4x N7Ks and the rest in a full replacement.

Anyhoo, if anyone wants a play on a real Proteus, I can provide a guest
account on mine, if you unicast me. It still has some of the sample
datasets on it from my SE days and provides live DNS for my hosting
environment. I can answer specific questions about bugs I've seen in the
past if you've got any, or anything else really. I'm quite open to being
a bit biased, but my experiences with the kit are real...

If anyone wants it, I can put them in touch with the European SE, Frey
Khademi, who's been with the company since it had 15 employees and knows
far more than me - someone I have a lot of respect for.

-----

IPv6, and they wrote back "I am sorry but, we don't support DNS over IPv6."
So unless things have changed drastically from late October, it would appear
that BlueCat's claims for IPv6 support are false.

-----

I've not tried with Adonis only, but with the Proteus, they certainly do
support IPv6 DNS records, see below for a sample query of
ipv6.greenferret.net (on Adonis/Proteus 2.3). As for addressing the
actual Adonis on IPv6, I can't imagine why it shouldn't but I'll have to
try it and see!

DHCPv6 is supported but limited at the moment in some ways. Partly
because, I think, that BCN aren't very clear on market direction and
none of their massive customers are screaming loudly enough to go a
certain way with it.

; <<>> DiG 9.4.1 <<>> AAAA ipv6.greenferret.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 647
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;ipv6.greenferret.net. IN AAAA

;; ANSWER SECTION:
ipv6.greenferret.net. 3600 IN AAAA 2001:470:1f09:3d7::2

;; AUTHORITY SECTION:
greenferret.net. 3600 IN NS adonis2.greenferret.net.
greenferret.net. 3600 IN NS adonis3.greenferret.net.

;; ADDITIONAL SECTION:
adonis2.greenferret.net. 44787 IN A 85.234.158.213
adonis3.greenferret.net. 44787 IN A 85.234.158.216

I'll try it and let you know!
---

Cheers,

Paul
--
Paul Catchpole CCNA
Network & IT Security Engineer
Bluecat Certified Professional

www.paulcatchpole.co.uk
***@paulcatchpole.co.uk
07939 04 08 06
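
Added example, not part of any message in this thread or of either vendor's tooling: the IPv6 exchange above mixes two different claims, serving AAAA records and offering DNS service over IPv6. This Python sketch parses dig text output and reports each kind of evidence separately; the sample input is constructed from the record lines of the dig output quoted above, and the function names are this example's own.

```python
import ipaddress

# Constructed sample: the record sections of the dig output quoted in the thread.
SAMPLE_DIG = """\
;; QUESTION SECTION:
;ipv6.greenferret.net. IN AAAA

;; ANSWER SECTION:
ipv6.greenferret.net. 3600 IN AAAA 2001:470:1f09:3d7::2

;; AUTHORITY SECTION:
greenferret.net. 3600 IN NS adonis2.greenferret.net.
greenferret.net. 3600 IN NS adonis3.greenferret.net.

;; ADDITIONAL SECTION:
adonis2.greenferret.net. 44787 IN A 85.234.158.213
adonis3.greenferret.net. 44787 IN A 85.234.158.216
"""


def parse_dig_sections(text):
    """Return {section: [(owner, ttl, rtype, rdata), ...]} from dig text output."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";;") and line.endswith("SECTION:"):
            current = line[2:-len("SECTION:")].strip().lower()
            sections[current] = []
        elif current and line and not line.startswith(";"):
            fields = line.split()
            # Record layout: owner ttl class type rdata...
            if len(fields) >= 5 and fields[1].isdigit():
                sections[current].append(
                    (fields[0].lower(), int(fields[1]),
                     fields[3].upper(), " ".join(fields[4:])))
    return sections


def _is_ipv6(value):
    """True only if value parses as an IPv6 address."""
    try:
        return ipaddress.ip_address(value).version == 6
    except ValueError:
        return False


def ipv6_evidence(text):
    """Separate 'zone holds AAAA data' from 'name servers have IPv6 addresses'."""
    sec = parse_dig_sections(text)
    aaaa_answers = [r for r in sec.get("answer", [])
                    if r[2] == "AAAA" and _is_ipv6(r[3])]
    ns_hosts = sorted({r[3].lower() for r in sec.get("authority", [])
                       if r[2] == "NS"})
    glue = {}
    for owner, _ttl, rtype, rdata in sec.get("additional", []):
        if rtype == "AAAA" and not _is_ipv6(rdata):
            continue  # ignore malformed AAAA rdata
        if rtype in ("A", "AAAA"):
            glue.setdefault(owner, set()).add(rtype)
    return {
        # The server can store and return IPv6 address records.
        "serves_aaaa_records": bool(aaaa_answers),
        # Name servers the response gives an IPv6 address for.
        "ns_with_aaaa_glue": [h for h in ns_hosts if "AAAA" in glue.get(h, set())],
        # Name servers the response lists with IPv4 addresses only.
        "ns_with_a_only": [h for h in ns_hosts if glue.get(h) == {"A"}],
    }


if __name__ == "__main__":
    for key, value in ipv6_evidence(SAMPLE_DIG).items():
        print(f"{key}: {value}")
```

Missing AAAA glue in a single response is not proof that a name server has no IPv6 address; the direct check for DNS over IPv6 is to query each name server on its IPv6 address.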

Chris Gauthier
2010-02-05 22:33:57 UTC
When I worked for a previous employer, we evaluated bluecat and infoblox. Bluecat was quickly ruled out because of price and complexity. The Infoblox got a lot more attention and they were great to work with during our eval of the hardware. One manager was ready to purchase and was about to pick up the phone and call when another manager railroaded the big boss to go with Windows DNS/DHCP (in a non-AD environment) at the last second.

I *really* liked the manageability, tech support, and expertise of the product. The HA worked great, including DHCP failover. I liked them so much, I've tried to bring them to my current employer, but the solutions are just too expensive for the budget. Another point that I liked was that Cricket Liu (author of the DNS and Bind O'Reilly books and the DNS on Windows Server 2000 and DNS on Windows Server 2003 books) is part of their executive team. They're also MS certified, a plus for my current employer.

I liked the detail in logging, too. Some of the reporting was a challenge, but I was asking for stats (can't remember which) that had to be gathered programmatically.

Hope this helps all of you!

Chris Gauthier, CCNA Security
Salem, Oregon, USA


Michael Balasko
2010-02-09 18:56:53 UTC
Is there a reason no one looks at Cisco's Enterprise solution? Network
Registrar? We've been running it since before I got here (9 years) and
it has been beyond rock solid. Runs on piles of OS's and also handles
stateful DHCP extremely well. Worth a look if you ask me.



Michael Balasko
CCSP, MCSE
Network Specialist II
City of Henderson, Nevada
240 Water St.
Henderson, Nevada 89015
702.267.4337

