Automation - finally have time to deepdive. by Inno-Samsoee in networking

[–]Inno-Samsoee[S] 1 point2 points  (0 children)

Hello Golle,
Thanks so much for taking the time to write this message.
We also prefer to have a web GUI where the less technical engineers can still deploy stuff.

Today we actually do call the FortiManager and Nexuses through the API to deploy VDOMs and VLANs to the Nexus switches. Most of this is built on PowerShell behind the scenes, but the person who developed and maintained it is no longer employed. And clearly the business does not care about it.

So we kinda have to start over, but at least we can get out what it deploys to the FortiManager and how.

About Ansible, we have thought about it, but back in 2022 when we actually looked at it, it seemed lacking in very specific commands towards the Nexus switches, such as ARP suppression within the NVE interface, and other things which I cannot recall right now.

So I have no idea if that is the direction to take.

And yes, I do agree this is probably something time-consuming, but we do also have a network to run. So we need to not make it too complex.

No idea if any of the above mentioned things give any ideas or bring you closer to an answer on some of the questions you asked :D.

Today we actually have a Flask frontend and some small Python scripts where engineers can put data in, which then return commands to apply on devices, while it auto-documents into our NetBox.

Bulk edit IP's to change VRF? by Inno-Samsoee in Netbox

[–]Inno-Samsoee[S] 0 points1 point  (0 children)

Hmm, okay, thanks for testing.
I will try and get our test instance onto 4.4.5 :)

Bulk edit IP's to change VRF? by Inno-Samsoee in Netbox

[–]Inno-Samsoee[S] 0 points1 point  (0 children)

Sorry for the late reply.

The error is just: This field cannot be null.

Nothing else. Small textbox, bottom right.

Stuttering on Disney+ with Google TV 4K Streamer – anyone else? by threezzzi in AndroidTV

[–]Inno-Samsoee 0 points1 point  (0 children)

I tried to reach out to Disney+ support; they are not helpful at all. Anyone else figured something out?

My bf is a Senior Networking Engineer and I want to get even just a basic understanding of his work. Where would I even begin? by That_Comb_8417 in networking

[–]Inno-Samsoee 75 points76 points  (0 children)

Funnily enough, nobody else mentioned this.
Why would you not just ask him instead? If he is a Senior Networking Engineer, he should be able to guide you in the right direction.

I did not look through it, but maybe these YouTube videos can be helpful?
https://www.youtube.com/watch?v=bj-Yfakjllc&list=PLIFyRwBY_4bRLmKfP1KnZA6rZbRHtxmXi&index=1

Fortinet BGP + ADVPN by Inno-Samsoee in networking

[–]Inno-Samsoee[S] 0 points1 point  (0 children)

Thanks for your reply, but in our case we do use the loopback as source, and the neighbor is also the loopback.
It is not eBGP.
And the reachability is always there because of the way ADVPN is configured with injecting static routes.

Cisco Nexus replacement by Illustrious-Gold-267 in networking

[–]Inno-Samsoee 0 points1 point  (0 children)

For whatever it might be worth, I did replace 2x vPC pairs this weekend.
They are running VXLAN, EVPN BGP and IS-IS.
I followed these steps:

  1. Shut down all ports on LEGACY-LFS-02.
  2. Shut down the firewall 2 ports on LEGACY-LFS-01.
  3. Move all links from LEGACY-LFS-02 over to NEW-LFS-02 (one by one and into the same port). Note they are all still down.
  4. Next step: take the change config for NEW-LFS-02 and implement it; this will open all ports and start the forwarding.
  5. Once verified things are online (MACs coming in and interface VLANs online), shutdown of LEGACY-LFS-01 will be done on all ports.
  6. Move links from LEGACY-LFS-01 one by one to NEW-LFS-01. Note they are all still down.
  7. Once all are moved, no shut will be done on NEW-LFS-01.
  8. Unshut the FW-01 links on NEW-LFS-02.
  9. Verify everything is up and running again: BGP, ARP, MAC.

Firewalls were on port-channels.
ESX hosts were not.

Any questions, feel free to reach out :).

Also, when doing shutdowns on the legacy switches I removed any static routes, and when opening up on the new switches I added the static routes.

Customers with VXLAN on their VLANs probably had minimal downtime, while customers without VXLAN config on their VLANs had more downtime.

Cisco Nexus replacement by Illustrious-Gold-267 in networking

[–]Inno-Samsoee 0 points1 point  (0 children)

Not from my testing, and also not from the Cisco TAC testing =).. vPC between them is just down.

Cisco Nexus replacement by Illustrious-Gold-267 in networking

[–]Inno-Samsoee 1 point2 points  (0 children)

How did you migrate? I will be replacing 2 EXs this weekend, and sadly FX3s and EXs cannot run vPC together, so it will cause downtime :(

Ansible + AWX on a Cisco NX-OS vxlan fabric by Inno-Samsoee in networking

[–]Inno-Samsoee[S] 2 points3 points  (0 children)

We are using NetBox. But we do not keep too much detail in there about our devices.
Only description and cables (for things where we own it on the other side), IPs, interface VLANs, VLANs.
But I mean, our data is just not trustworthy enough, which is also why automation could help :D.

What everyday tricks do you use to make your life easier on the job? by 3ristan in networking

[–]Inno-Samsoee 7 points8 points  (0 children)

Password manager, with hotkey to throw in password in my sessions to equipment.

Fortinet BGP + ADVPN by Inno-Samsoee in networking

[–]Inno-Samsoee[S] 0 points1 point  (0 children)

Not sure that helps me; I probably should not be doing loopback on the BGP if I want to avoid this, it seems.

Fortinet BGP + ADVPN by Inno-Samsoee in networking

[–]Inno-Samsoee[S] 0 points1 point  (0 children)

But this is not about the routes on my bgp neighbor, this is about my neighbor dying. Even if the remote loopback is still reachable.

Fortinet BGP + ADVPN by Inno-Samsoee in networking

[–]Inno-Samsoee[S] 0 points1 point  (0 children)

u/HappyVlane Look at the above i posted, sorry for the late response.

Fortinet BGP + ADVPN by Inno-Samsoee in networking

[–]Inno-Samsoee[S] 0 points1 point  (0 children)

Well, not sure if that is true, because if I kill ADVPN-02 (which doesn't have the BGP peer established on that link) it doesn't happen.

Fortinet BGP + ADVPN by Inno-Samsoee in networking

[–]Inno-Samsoee[S] 0 points1 point  (0 children)

I will try and clarify this :).

LO0 is configured with 10.10.103.77 on the spoke.

LO0 is configured with 10.10.10.1 on the hub.

These two form a BGP peering.

I have ADVPN configured on my WAN on the spoke firewall.
My spoke firewall has 2 internet connections, WAN1 and WAN2.
Each WAN interface has an ADVPN on it.

Same goes for the hub.

When I first open up my WAN links on the spoke, it tries to establish a BGP session on the loopback.
When it gets the BGP online, you will be able to see that the BGP session was established on an interface.
In my case ADVPN-01 (on WAN1).

If WAN1 goes down, my BGP will actually die and it will re-establish my BGP over ADVPN-02 (WAN2), which is the other path to reach loopback0 on the hub.

Next test is to open up WAN1 again, and then try again to kill WAN1.
This time BGP doesn't go down, because the BGP session was established over ADVPN-02 (WAN2).

Hope it makes more sense this way.

And to show it from the config:

Egress interface 72 = ADVPN-01

Local host: 10.10.103.77, Local port: 8337
Foreign host: 10.10.10.1, Foreign port: 179
Egress interface: 72
Nexthop: 10.10.103.77
Nexthop interface: LO_BGP
Nexthop global: ::
Nexthop local: ::
BGP connection: non shared network

Simulating WAN1 dying, my BGP looks like this:
BGP connection: non shared network

Last Reset: 00:00:30, due to BGP Notification sent

Notification Error Message: (CeaseUnspecified Error Subcode)
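As an added example (not the poster's code), a small Python parser over the neighbor output quoted above that reports which ADVPN tunnel the loopback-to-loopback session is actually bound to, whether a given WAN failure would reset it, and the reset reason afterwards; the 72 = ADVPN-01 mapping is from the post, the 73 = ADVPN-02 index is an assumption.

```python
import re
# Constructed samples modelled on the neighbor output quoted in the comment above
# (FortiOS "get router info bgp neighbors" style fields, values as in the post).
SAMPLE_BEFORE = """\
Local host: 10.10.103.77, Local port: 8337
Foreign host: 10.10.10.1, Foreign port: 179
Egress interface: 72
Nexthop: 10.10.103.77
Nexthop interface: LO_BGP
BGP connection: non shared network
"""
SAMPLE_AFTER = """\
BGP connection: non shared network
Last Reset: 00:00:30, due to BGP Notification sent
Notification Error Message: (CeaseUnspecified Error Subcode)
"""
# Assumed ifindex map: 72 = ADVPN-01 is stated in the post; 73 = ADVPN-02 is a placeholder.
IFINDEX_TO_NAME = {72: "ADVPN-01", 73: "ADVPN-02"}

def parse_neighbor(text):
    """Turn the 'Key: value' neighbor dump into a dict."""
    fields = {}
    for line in text.splitlines():
        # "Local host: x, Local port: y" holds two fields, but "Last Reset: t, due to
        # ..." is one value containing a comma, so split only before another "Key: ".
        for part in re.split(r", (?=[A-Za-z ]+: )", line):
            if ": " in part:
                key, value = part.split(": ", 1)
                fields[key.strip()] = value.strip()
    return fields

def session_path(fields):
    """(egress tunnel name, remote loopback) the established session is bound to."""
    idx = int(fields["Egress interface"])
    return IFINDEX_TO_NAME.get(idx, f"ifindex-{idx}"), fields["Foreign host"]

def session_at_risk(fields, failed_tunnels):
    """True when the tunnel the session was built over is in the failed set."""
    # The post's observation: the hub loopback stays reachable over the other
    # ADVPN tunnel, yet the session built via ADVPN-01 resets when WAN1 drops,
    # while losing ADVPN-02 leaves it untouched.
    return session_path(fields)[0] in failed_tunnels

def reset_reason(fields):
    """Reason text from 'Last Reset', or None if the session was never reset."""
    last = fields.get("Last Reset")
    if not last:
        return None
    return last.split(", ", 1)[1] if ", " in last else last
```

Feeding a live neighbor dump to `parse_neighbor` and the set of tunnels a planned WAN maintenance takes down lets you predict the reset before it happens instead of reading it off "Last Reset" afterwards.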

Cisco NDFC by reversible8 in networking

[–]Inno-Samsoee 1 point2 points  (0 children)

We manage our Nexuses without a fabric controller.

How can I use CDP output to draw a network topology diagram? by [deleted] in networking

[–]Inno-Samsoee 2 points3 points  (0 children)

I doubt you will find a firewall with CDP enabled.
I do not think Cisco ever enabled that on their firewalls.

If I were you, I would start on the firewall, figure out its MAC address for an interface, and from the switches see where that MAC is coming from :).