[c-nsp] OT - Infoblox vs. Bluecat
Paul Catchpole
paul at paulcatchpole.co.uk
Tue Jan 26 06:45:09 EST 2010
Hi Charles,
Firstly, disclosure time, over a year ago, I was UK
SE/Implementation-engineer for Bluecat's sole disty in the UK, up until
the point they pulled distribution and went direct-to-reseller. During
that time I rolled out implementations including a UK ISP, a UK-wide
distributed corporate install, and a global rollout, amongst others.
I'm currently working for a UK university (as a Network Specialist, not
DNS/DHCP) which runs a 1x Proteus, 6x Adonis setup.
I'm not clear from the comments so far whether everyone's commenting on
running an Adonis-only setup just using the Adonis Management Console.
If that's the case, then it's a limited solution that works well for
small single-administrator setups and is good at replacing existing *nix
home-grown boxes.
I've never seen a large install not running a Proteus, and I think it'd
be fair to say that without it, there can't be any concept of actual
IPAM. The Uni is on 2.5-latest (with one patch) and my own Proteus is on
2.3.
Back when I was actually installing this stuff, Infoblox didn't have
anything to compare with Bluecat's Proteus, in my opinion. Nothing that
could offer a simultaneous overview and management of IP
addressing/subnet topology and DNS at the same time, for any number of
simultaneous administrators, from a web gui.
The point about actually having root access on the boxes, as well as the
code being unpatched (for BIND and DHCPd) makes quite a difference in
security-conscious environments. It was a major sell into most installs I
did, including the Uni here - and without it, they wouldn't have got the
US defence deals I think.
There's been some good additions recently too, including reconciliation
- using SNMP to match the switch CAM/ARP tables with what's in the
Proteus and flagging discrepancies. Service monitoring has been improved
a lot too. You can now import and export without having to know the
Bluecat-only (ish, supposedly) tricks and XML schema.
I'd agree that there've been bugs, I've raised a few myself. The only
one to have bitten me properly has been the XHA (Cluster) instability -
it was historically far too sensitive to minor network glitches, causing
the cluster to fall apart and go dual-active. It's also a right royal
pain to readdress a cluster - for example due to a datacentre move.
That's been stable for us at the uni, on the hostile residence network,
for a good while now. I've another one regarding the SOAP API flagged at
the moment but it's engineer-committed.
I will happily admit though that I've not kept up with Infoblox to see
what they've developed since buying out the French graduates who'd
developed a 'proper' IPAM solution. It may be that they're competitive
now! :) I moved on to become Borderware UK SE for a while and I'm now
trying to regain my Cisco roots and I'm at the uni to do that as they've
just afforded 4x N7Ks and the rest in a full replacement.
Anyhoo, if anyone wants a play on a real Proteus, I can provide a guest
account on mine, if you unicast me. It still has some of the sample
datasets on it from my SE days and provides live DNS for my hosting
environment. I can answer specific questions about bugs I've seen in the
past if you've got any, or anything else really. I'm quite open to being
a bit biased, but my experiences with the kit are real...
If anyone wants it, I can put them in touch with the European SE, Frey
Khademi, who's been with the company since it had 15 employees and knows
far more than me - someone I have a lot of respect for.
-----
IPv6, and they wrote back "I am sorry but, we don't support DNS over IPv6."
So unless things have changed drastically from late October, it would appear
that BlueCat's claims for IPv6 support are false.
-----
I've not tried with Adonis only, but with the Proteus, they certainly do
support IPv6 DNS records, see below for a sample query of
ipv6.greenferret.net (on Adonis/Proteus 2.3). As for addressing the
actual Adonis on IPv6, I can't imagine why it shouldn't but I'll have to
try it and see!
DHCPv6 is supported but limited at the moment in some ways. Partly
because, I think, that BCN aren't very clear on market direction and
none of their massive customers are screaming loudly enough to go a
certain way with it.
; <<>> DiG 9.4.1 <<>> AAAA ipv6.greenferret.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 647
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;ipv6.greenferret.net. IN AAAA
;; ANSWER SECTION:
ipv6.greenferret.net. 3600 IN AAAA 2001:470:1f09:3d7::2
;; AUTHORITY SECTION:
greenferret.net. 3600 IN NS adonis2.greenferret.net.
greenferret.net. 3600 IN NS adonis3.greenferret.net.
;; ADDITIONAL SECTION:
adonis2.greenferret.net. 44787 IN A 85.234.158.213
adonis3.greenferret.net. 44787 IN A 85.234.158.216
I'll try it and let you know!
---
Cheers,
Paul
Church, Charles wrote:
> I apologize for this being fairly OT for a Cisco list, but I figured someone on here has touched some DNS gear before. Anyone work with Infoblox and Bluecat, and run across a significant reason to choose one over another? I've googled, but most articles are 5 years or more old. Off-line responses encouraged. The planned use is for govt, so full access to the kernel is nice for hardening/verification. Also need TSIG, DNSSEC, and IPv6 support, which they both claim to have, as they're both based on recent bind. Secure mgmt such as SNMPv3, SSHv2, and SSL would be nice.
>
> Thanks in advance,
>
> Chuck
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
--
Paul Catchpole CCNA
Network & IT Security Engineer
Bluecat Certified Professional
www.paulcatchpole.co.uk
paul at paulcatchpole.co.uk
07939 04 08 06
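The dig output above is the kind of check Chuck was after: confirm that a box actually answers AAAA queries before trusting a vendor's IPv6 claim. Below is an added example (not Paul's, Bluecat's or Infoblox's code) using only the Python standard library: it builds a DNS AAAA query on the wire, parses the answer section of the reply, and can send the query over UDP to any resolver you name. The server address in query_aaaa is an assumption you supply; SAMPLE_RESPONSE is a constructed reply that mirrors the single AAAA answer from the thread so the parser can be exercised offline.

```python
"""Minimal DNS wire-format helper for checking AAAA (IPv6) answers.

Added example; not from the original thread. Standard library only.
"""
import ipaddress
import random
import socket
import struct
from typing import List, Optional, Tuple

QTYPE_AAAA = 28
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_AAAA, txid: Optional[int] = None) -> bytes:
    """Build a standard recursive query (flags 0x0100: RD set, one question)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly-compressed name; return (name, offset after the name)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:  # defensive cap: a malicious reply could loop pointers
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            offset += 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels) + ".", end


def parse_aaaa_answers(msg: bytes, expected_txid: Optional[int] = None) -> List[str]:
    """Return IPv6 addresses from the answer section; [] if the name has none."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")  # not the reply to our query
    if flags & 0x000F != 0:  # RCODE other than NOERROR
        raise ValueError(f"server returned rcode {flags & 0xF}")
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(msg, offset)
        offset += 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, offset = decode_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_AAAA and rclass == QCLASS_IN and rdlen == 16:
            addrs.append(str(ipaddress.IPv6Address(rdata)))
    return addrs


def query_aaaa(name: str, server: str, timeout: float = 3.0) -> List[str]:
    """Send the AAAA query over UDP/53 to server (IPv4 or IPv6 literal) and parse the reply."""
    txid = random.randrange(0, 0x10000)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid=txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_aaaa_answers(data, expected_txid=txid)


# Constructed reply mirroring the dig output in the thread: id 647, flags qr rd ra,
# one AAAA answer; authority/additional sections omitted to keep the sample short.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 647, 0x8180, 1, 1, 0, 0)
    + encode_name("ipv6.greenferret.net") + struct.pack("!HH", QTYPE_AAAA, QCLASS_IN)
    + b"\xc0\x0c"  # pointer back to the question name at offset 12
    + struct.pack("!HHIH", QTYPE_AAAA, QCLASS_IN, 3600, 16)
    + ipaddress.IPv6Address("2001:470:1f09:3d7::2").packed
)

if __name__ == "__main__":
    print(parse_aaaa_answers(SAMPLE_RESPONSE, expected_txid=647))
    # Against a live box: query_aaaa("ipv6.greenferret.net", "<resolver address>")
```

Pointing query_aaaa at an IPv6 server literal also answers Paul's other open question, whether the Adonis itself will talk DNS over IPv6 transport, since the socket family follows the server address. The transaction-id check and the pointer-hop cap are there because a verification tool that blindly trusts whatever arrives on port 53 is not much of a verification tool.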