Messages - NetworkGroover

#1
Hey all - hope you've been well.

I'm curious, if anyone has a Cisco switch handy, could you configure a port with PortFast, unplug then replug, and post the output of logging messages that get sent versus without PortFast?  I'm curious if the learning stage still gets reported or not.
#2
Routing and Switching / Re: Mgmt in a typical Enterprise
November 10, 2021, 03:21:26 PM
Thanks Otanx and icecream
#3
Routing and Switching / Re: IPv6 - Where Is It At?
November 10, 2021, 12:33:19 PM
I think a somewhat hidden part of this is the undesirable extra demand IPv6 puts on both software development of vendors to support both, and the extra resource demand it puts on the hardware itself to do all the things that we're all used to with IPv4.  IPv6 ACLs for example take way more TCAM memory than IPv4.  That's just one basic function - now expand that through all the functions inside of network devices based off IP addressing - all of that needs to be stored in memory somewhere.
#4
Routing and Switching / Mgmt in a typical Enterprise
November 10, 2021, 12:19:10 PM
In your experience, how does management in terms of VLANs and subnets look in a typical enterprise?  Are there separate management VLANs for different parts of the network (Campus vs. DC, etc.)?  Is it typically further segmented beyond this?  Like a dedicated VLAN for managing APs, versus managing other devices?

How many management VLANs do you believe typically exist in your experience?
#5
Routing and Switching / Re: Campus Challenges
May 14, 2020, 02:45:09 PM
Quote from: deanwebb on May 14, 2020, 01:59:15 PM
Soooooooo...

Back to the campuses...

Let's talk about how some places go insane with AP density... and then others where it literally takes a local city council approval to mount a new AP - where it has to also get approval of the architect firm that designed the building!

Yuck - sounds like layer 8 issues with red tape and/or lack of proper site survey/provisioning.  Layer 8 issues are everywhere.
#6
Routing and Switching / Re: Campus Challenges
May 14, 2020, 01:22:53 PM
I'm totally that dog from the movie, "Up"....

SQUIRREL!
#7
Routing and Switching / Re: Campus Challenges
May 13, 2020, 06:36:13 PM
Quote from: wintermute000 on May 12, 2020, 11:24:00 PM
Otanx take a look at zscaler private access... Exactly what you're talking about, cloud brokered Zero trust access. It works and it will kill traditional client VPN. I've got it running in a lab and my company has done a couple of live deployments it works

Ah yes!  Second this!

Quote from: wintermute000 on May 12, 2020, 11:24:00 PM
Aspiring, if I have to have another cisco DNA licensing conversation I will blow my brains out. NOT A SINGLE customer I've dealt with has anything nice to say about it, especially those standing up licensing servers lol

Yeah man all vendor bias aside, it's absolutely nuts.  People have enough problems.
#8
Routing and Switching / Re: Campus Challenges
May 13, 2020, 06:34:59 PM
Quote from: deanwebb on May 13, 2020, 08:48:11 AM
Maybe we need to start some new threads for the many directions this convo is going in...

Lol sorry  :XD:
#9
*Not for the majority of folks, but may be interesting nonetheless*

Arista SAI for SONiC providing the ability to run SONiC or Arista EOS on Arista hardware, with the benefit of said hardware being supported by Arista TAC (OCP Virtual Summit Preso):
https://www.youtube.com/watch?v=JWoNUERqSro&feature=youtu.be
#10
Routing and Switching / Re: Campus Challenges
May 12, 2020, 11:45:10 AM
Quote from: Otanx on May 12, 2020, 09:53:38 AM
I am naive, but I hope as Cisco turns into a services company that maybe they won't EOL their gear as fast. I would be OK with paying a little more extra per year in "support" costs if I can keep the same hardware for 10, 15, or 20 years. There are only two reasons to replace gear. It can no longer support your needs, or the vendor stops supporting it. With the access layer my needs were met with the 3750G, the argument could be made even the 3750 is fine. I didn't need the 3750X, or 3850. I just needed something that had support so if it failed I could replace it, and I could patch it for bugs/security issues.

Of course this is the real world, and Cisco will just charge more for support, and still EOL their gear as fast as they can without pissing off customers too much.

Idle eng chatter: You could I guess. I would be against moving my network access into the cloud. My internet connection goes down, and all my end points start falling off the network as the re-auth timers hit. We did consider treating our access layer as a "public" network, and having all our endpoints VPN in. This way I auth and encrypt everything. I don't really care who plugs in as they can't do anything. Central control and the bonus of users automatically being able to just work from anywhere.

-Otanx

I mean I've been saying this for years, but have never been taken seriously since I work for a competitor.  As a former Cisco fanboy, I don't know what they are doing/thinking between forcing DNA licensing, and prepare for more rip/replace as they push hard on Silicon One.  It's like they want to push people to competitors.  I'm pretty thick-skulled and see these initiatives as just plain stupid - I can imagine more than a few smart people over at Cisco at least thought to themselves, "maybe we shouldn't do this."  I honestly don't get it.  Are these practices something they're forced to do by investors indirectly?
#11
Routing and Switching / Re: Campus Challenges
May 11, 2020, 12:08:50 PM
Quote from: deanwebb on May 11, 2020, 11:29:09 AM
Don't it, though? And while I've seen advocates for wall-to-wall Cisco, that message gets muddled when talking about Cisco acquisitions that compete directly with other Cisco lines. Aironet and Meraki are the number one example of "wall-to-wall Cisco" still resulting in a bake-off and a knife fight.

Yeah... the whole business unit in-fighting situation is kinda crazy.  I think the idea was good initially to spur competition... but what that methodology has devolved into compared to entire companies being one big team... dunno if it was worth it.
#12
Routing and Switching / Re: Campus Challenges
May 11, 2020, 10:39:19 AM
Quote from: deanwebb on May 08, 2020, 10:52:06 AM
Haven't yet seen a customer environment where Meraki lost connectivity to the controller without also having general Internet loss. Solving the ISP/router issue then solves the Meraki issue.

The NAC/endpoint control/visibility area is a complicated space, to be sure. There are three types of vendors I deal with:

1. No product or function in that space, easy to partner with, always happy to help out.
2. Product or function in one or more parts of that space in a limited way, they can be kinda shifty when it comes to their baby in that space. Otherwise, always happy to help out.
3. Direct competition in one or more parts of that space. They only play ball when a customer forces them to sit down at the table with us and to play nice. They play nice, but they always give me looks like they're Klingons and I'm Captain Kirk with a tribble in my back pocket...

Hahaha spot-on.  And sometimes it gets really ugly like when Nuage was happy to partner with a certain networking vendor, and then proceeded to tell their customers to not buy switches from said partner and instead buy their Nokia switches because only those switches supported their controller. 

What you described above applies just about everywhere.
#13
Routing and Switching / Re: Campus Challenges
May 07, 2020, 05:56:17 PM
Quote from: wintermute000 on May 06, 2020, 07:24:41 AM
Quote from: NetworkGroover on April 29, 2020, 04:16:37 PM
Regarding VXLAN, yeah there are several use cases in a controller-less architecture to provide tunneling capabilities for APs.

Aruba Instant does its own tunnelling and is the gold controller-less standard IMO, never heard of Meraki needing one.
I wouldn't bother with a controller-less product that demands I also provide an overlay.

The problem with security beyond 802.1x/MAB is that it's hard to do physically at scale at a reasonable price on switching silicon. Look at the 1000 pound gorilla's attempt which gave us glorified ACLs lol. This is a classic case where complex edge (endpoints) simple core (network) fits IMO - you need CPU cycles and cheap RAM to do layer-7 processing, TLS decryption, signatures yada yada and any attempt to shoehorn that into switching is just not going to end well. The best attempt to fix this I've seen is the Aruba Mobile First stack which is quite elegant IMO in treating wired users exactly like wireless and tunnelling everyone back to the controller where they can throw CPU and RAM and software at the NGFW problem. Forescout again is putting the smarts somewhere other than the switch and just using the switch as dumb enforcement.

re: POE I think it will keep trucking on, ultimately it's the convenience, but I don't know at what point it stops making sense. Nobody wants to go back to Cat4000s exploding PSU days, but that's where we're heading with 60W and 90W. At least it makes huge chassis switches make less and less sense - do you want thousands and thousands of watts ready to explode, or a series of pizzaboxes each doing 1k or 2k (I know which is more Arista-y lol).

When you say "does its own tunneling", it's still an overlay right?  I think the difference is not being forced to do it, and not being locked to a single place to decap those tunnels, among other things.  If you just need to do a local VLAN drop-off, you can do that (at least with Arista and Aruba if it's controllerless) - it doesn't have to go back to the controller first.  If you're referring to the method of tunneling driving changes in the underlying network, there are options besides VXLAN if that's something you don't want to do/have devices that don't support it.  Regarding Meraki, if anyone has it deployed I'd love to know because I think I have old info - as far as I know it's still using a controller, just that controller now lives in the cloud, so I'm curious to know what happens if you lose Internet connectivity, what the effects are on Meraki APs if any.  Do you just lose mgmt?  Or do you lose the control plane as well?

Yeah - what you're saying about 802.1x reflects what I've heard from the field thus far.  That's probably why you'll continue to see vendors either create their own external product solutions in this space, or partner and integrate with others who already do those parts well (Like Forescout! :) ).

PoE - that's a really interesting viewpoint I hadn't thought of or heard before.  Will be interesting to see what vendors can provide in terms of PoE going down the road without explosions lol... (scary that has to be even mentioned) if high density 60W, and especially 90W, becomes a mainstream thing. And ehhhhh - PoE chassis I'm sure is going to be an option from every vendor in this space.  People just love having that one device to manage, and not everyone in the campus has the DC mindset of managing their environment as a single holistic entity.
#14
Wireless / Re: Cisco vs Aruba vs Ruckus vs MIST
May 04, 2020, 11:08:22 AM
Quote from: deanwebb on April 29, 2020, 10:06:41 AM
There's also the matter of the controller still working after the licenses/support contracts expire... :whistle:

:XD: :XD:
#15
Thanks man!

I'll be doing a live mix of some funky stuff like breaks and glitch hop this Saturday on Twitch.tv if interested.  11:00AM Pacific.  twitch.tv/djelevateus