Messages - deanwebb

#1
Security / Re: RADIUS CoA
April 07, 2025, 06:03:22 PM
^indeed. But once the ACL has to be open for all the AD servers or something like that, it takes off and becomes something like 1800 lines for all the ports and IP addresses. This can lead to partial ACL application if things time out. Whereas "VLAN 911" - it's done in just the one line, less chance of a timeout issue.
#2
Security / Re: RADIUS CoA
April 05, 2025, 06:35:04 PM
Yes, and most Windows won't notice the change without an agent. This is why agentless solutions have to hard-bounce the port to get the device to request a new IP address. Any dot1x solution works so much better with agents that replace the Windows supplicant.

I have evil things to say about Windows supplicants, if you would like to hear them...
#3
Forum Lobby / Re: Almost Famous
March 12, 2025, 03:51:39 PM
The more you do post-incident, the better your prep for the next one in terms of minimizing impact.
#4
Forum Lobby / Re: Almost Famous
March 11, 2025, 06:21:47 PM
Ooof, no, I missed that news, I was taking some easy time, recovering from a cold.
#5
Yeah, best to not run the EXE in case the forums are taken over by shill accounts. There's nothing really looking hard at AI development processes, so they are prime targets for supply chain attacks.
#6
Does the ASA even support OSPFv3 routing with IPSEC? I'm coming up with that being a feature only on XE systems.
#7
Nothing at the Cisco site turned up?
#8
Yes, that information is in the CCNA official guide, volume 2.

https://www.amazon.com/CCNA-200-301-Official-Guide-Library/dp/0138221391 <-- not affiliated with me or the site in any way, but it's a solid resource I recommend. This will have examples that you're looking for.

For a real-life example, I can think of many large enterprises where there are major datacenters that connect to large national/regional offices that then support a range of sub-offices. There has to be a routing system in place that allows for geolocation within the enterprise, especially where different nations have different rules on data storage and access.

With that geographic consideration, there's also the overlay of redundancy, where enterprises want to utilize both primary and secondary links in normal times, but have the ability to put all traffic on one link or another in an emergency situation, with QoS policy shaping the traffic to fit the bandwidth available.

So consider an enterprise with datacenters A and B in North America, and datacenters C and D in Europe. It has a smaller datacenter E in Latin America and a smaller datacenter F in Asia.

Due to regulations, it also has a small datacenter G in Germany for handling German data and datacenter H in China for Chinese business operations.

For each datacenter, there is one main regional office and 20 regional sub-offices, so there are 2 main offices in North America and 40 sub-offices. Same in Europe, with 1/20 in Latin America and Asia. Germany has the one main office and 5 more sub-offices and China has one main office and 25 sub-offices.

Each sub-office has one internet link and each main office has two. Each datacenter has four separate internet connections.

Now, if a person takes an order in Germany for delivery in China and sends a message to the Chinese office for their awareness, the message goes from the German sub-office to the German main office to a main office in Europe to a Euro data center to the Asian data center to the Chinese data center to the Chinese main office to the Chinese sub-office.

Given the redundant connections, how would you rate each such that there is one main path to choose based on distance and cost, but still have alternate paths in the event of an outage? But to be sure that each alternate path has its own distance and cost so that slower links or more expensive links are not used in favor of the bulk traffic routes?

And what happens if a datacenter goes down? How does that affect routing decisions? When the datacenter comes back up, what cost/distance factors restore paths that were previously in place? How do we make sure that each main office (and its sub-offices) prefers only one data center over the other, for purposes of load balancing?

I'm here to work through these with you, so if you do some initial work, I'll be happy to coach along. :)
#9
Indeed! And also in finding IOS images out there on the Interwebs, good luck!
#10
Security / Re: TACLANE SNMP Question
November 13, 2024, 11:26:09 AM
Quote from: Otanx on November 12, 2024, 07:26:23 PM
Yes you can. On the KG configure your SNMP server as a GEM server. It only does SNMPv3. I don't remember for sure but I think it was using AES128/SHA for protocols. Also the MIBS can be found on one of the CDs either the KG firmware one or the GEM install one.

-Otanx


I feel a swell of pride as I understand every. single. term. used in this response. :smug:
#11
I'd also add that knowing about the cloud and how off-prem networking works is more important today, for certain. At least being familiar with SASE, SD-WAN, and things like that is helpful.
#12
Forum Lobby / Re: Microsoft Power BI
October 17, 2024, 09:08:50 AM
I have never heard of that, what is it?
#13
I see 3 teams mentioned, and sticks are famous for only having 2 ends. They may get zero stick and find themselves spun off to some vulture capital group.
#14
And I just read today that Cisco laid off a huge part of its workforce so it can focus more on AI and Cybersecurity.

WebEx, being neither of those things, is likely to continue to see things not get fixed.
#15
Labbing is definitely a way to go, things have changed, and the labs help you to catch up quick.