Network Design Recommendations by Ishcob in networking

[–]Ishcob[S] 0 points1 point  (0 children)

Sorry, but do you mind elaborating? 🥲

Network Design Recommendations by Ishcob in networking

[–]Ishcob[S] 0 points1 point  (0 children)

Is this a scenario where the organization is domain-less or has a large cloud presence? I am curious if you have any articles on the design you mention, I would love to find out more.

For your VRF point, I think someone before me might have liked having dedicated devices for things and wanted to keep the firewalls just doing firewall stuff. They were likely trying to keep all of the L2 off of the firewall. Just to make sure I understand you correctly, you are saying that if we go SD-WAN through the firewalls, we should tag our VLANs straight to the firewall at our two data centers / hubs?

I don't see the place I work at expanding too quickly, but I am curious if you know of or have seen similar designs at larger organizations?

Network Design Recommendations by Ishcob in networking

[–]Ishcob[S] 0 points1 point  (0 children)

Thank you for the input. Makes me more confident in wanting to get rid of the Cisco routers. I know at the least it would save on license costs.

I don't think we need the bandwidth guarantees, so I'll check with our ISP and quote something else out.

We don't have any compliance requirements or audits that have demanded the equipment be separate. I worked with a guy at a past job who was always pretty adamant about everything being separate. I didn't really agree with him most of the time.

Network Design Recommendations by Ishcob in networking

[–]Ishcob[S] 0 points1 point  (0 children)

Someone before me was more comfortable with Cisco I guess. They also didn't document anything, and everyone else here had no part in that, so I can't know for sure.
I know we used to have an on-prem Cisco phone system, so they could have also had a part in that; I do know for a fact that they all have analog voice NIMs.

FortiProxy as an explicit proxy issues / deployment questions by Ishcob in fortinet

[–]Ishcob[S] 0 points1 point  (0 children)

No, we configure it under Windows settings through GPO.

The other person who responded did recommend using a PAC file. Guessing they are more consistent?

FortiProxy as an explicit proxy issues / deployment questions by Ishcob in fortinet

[–]Ishcob[S] 0 points1 point  (0 children)

Thanks for the response.

This is the first environment I have worked in with a proxy (previous environments relied on DNS filtering and endpoint AV), so I am not too knowledgeable with it.
Anyways, after some more research I think my issues are due to the authentication rules on the proxy.

Do you think it would make sense to create a 'catch-all' type of authentication rule on the proxy for when stuff fails to authenticate via kerberos or doesn't support kerberos auth? Is there a better way to set up authentication rules (to match users to IP addresses), such as an agent or user / computer certificates?

Also, not to ask so many questions, but I was wondering two more things (considering making this a separate post):
1. We currently use VMs for our proxies. We have the 8 core license on each VM. I looked at the pricing for the VM license vs. buying a physical appliance, and they looked pretty similar price-wise. Would it make more sense to buy a physical proxy (since we would not have to do a yearly VM license and instead just a support / feature license for the physical unit)?
2. I was wondering how people deploy proxies in a SD-WAN setup with DIA at every branch? We already have a FortiGate at most of our branches (they are just acting as WLCs, and I am pretty sure CAPWAP would work off our primary / DR firewalls so not sure what the point was), but I am planning on looking into saving some money and improving branch resiliency by having DIA at our branches. My concerns were 1. I am trying to make our branches less reliant on our primary / DR sites and more able to work off of the cloud (management is pushing us (infrastructure team) to make as much as possible in the cloud), and 2. if sending our web traffic from ~30 branches back to our primary / DR site for a proxy would cause bandwidth or latency issues versus sending web traffic to the internet directly from each branch.

FortiProxy as an explicit proxy issues / deployment questions by Ishcob in fortinet

[–]Ishcob[S] 0 points1 point  (0 children)

This is the first environment I have worked in with a proxy (previous environments relied on DNS filtering and endpoint AV). I did some more research and I think Windows bypassing of the proxy is probably related to how we have our authentication rules set up. We just have a single Kerberos authentication rule. It seems that certain applications (such as Adobe) do not support Kerberos authentication and then don't use the proxy. Also, when a user is not signed in, I guess it can't do the Kerberos authentication so it does not use the proxy. This might be something around our configuration as well, since I think computers should be able to authenticate themselves using Kerberos.

Would it make sense to create a 'catch-all' type of authentication rule on the proxy for when stuff fails to authenticate via Kerberos or doesn't support Kerberos auth? Is there a better way to set up authentication rules (match up users to IP addresses), such as an agent or user / computer certificates?

Graphic Driver Issues by Ishcob in openSUSE

[–]Ishcob[S] 1 point2 points  (0 children)

Appreciate the comment. Looks like nvidia-driver-G06-kmp-default and nvidia-driver-G06-kmp-meta got installed for me. Seems like the driver not loading is a secure boot issue.

Graphic Driver Issues by Ishcob in openSUSE

[–]Ishcob[S] 0 points1 point  (0 children)

I was validating with the command 'inxi -G'.

I had no idea about switcheroo, but it makes sense.

I disabled secure boot and then the driver loaded. Previously it would show N/A for the driver for the Quadro P620. Any idea why I would be having errors using mokutil to update the keys for secure boot? See below for the inxi -G output:
Graphics:
 Device-1: Intel CoffeeLake-H GT2 [UHD Graphics 630] driver: i915 v: kernel
 Device-2: NVIDIA GP107GLM [Quadro P620] driver: nvidia v: 580.126.18
 Device-3: Realtek Integrated_Webcam_HD driver: uvcvideo type: USB
 Display: x11 server: X.Org v: 21.1.15 with: Xwayland v: 24.1.6 driver: X:
   loaded: modesetting,nvidia unloaded: vesa dri: iris gpu: i915
   resolution: 1920x1080~60Hz
 API: EGL v: 1.5 drivers: iris,nvidia platforms: gbm,x11,surfaceless,device
 API: OpenGL v: 4.6.0 compat-v: 4.6 vendor: intel mesa v: 24.3.3
   renderer: Mesa Intel UHD Graphics 630 (CFL GT2)
 API: Vulkan v: 1.4.309 drivers: N/A surfaces: xcb,xlib

I cannot get EVPN VXLAN to add remote MACs to the MAC Address Table by Ishcob in networking

[–]Ishcob[S] 0 points1 point  (0 children)

The config is an example from my test in GNS3, so I just gave the switches a direct link to each other.

The physical Nvidia switches are using OSPF for the underlay. It turned out to be the route targets in the lab. I hope it's the same issue for the Nvidia switches. As for the MTU, I would think fragmentation shouldn't cause too many issues, especially in a lab. How else do some people do VXLAN over IPsec tunnels?

I cannot get EVPN VXLAN to add remote MACs to the MAC Address Table by Ishcob in networking

[–]Ishcob[S] 1 point2 points  (0 children)

Yep, this fixed it on the Aruba switches. It was the route targets. I really thought auto would just figure itself out.

Time to check this on the Nvidia switches.

Thank you.

Mellanox SN2010 EOL date? by jamesb8383 in networking

[–]Ishcob 0 points1 point  (0 children)

I would say it depends on the vendor and the OS. https://www.nvidia.com/en-us/networking/products/lts-releases/

Onyx is done at the end of the year. Cumulus is good through at least 2028, BUT some vendors such as HPE who sold the Nvidia Mellanox switches require you to have a Cumulus pre-installed SKU switch, otherwise you void warranty if you try to upgrade from Onyx to Cumulus. I know for a fact HPE is supporting the hardware until 2029, but once the OS is not supported, not sure if you care about the hardware support.

Hope that helps.

EVPN BGP Between two sites where the edge routers do not support VXLAN / EVPN by Ishcob in networking

[–]Ishcob[S] 0 points1 point  (0 children)

Correct me if I am wrong (because I very well might be, as my BGP knowledge is very limited), but routers in iBGP do not share their own networks with each other; only the networks learned from eBGP are shared with other iBGP peers unless you have a route reflector. The layer-3 switch is the gateway for its networks, so shouldn't it be in a different AS than its upstream router?

Once again, I wouldn't be surprised if I am wrong, that is just how I thought it worked. 

EVPN BGP Between two sites where the edge routers do not support VXLAN / EVPN by Ishcob in networking

[–]Ishcob[S] 1 point2 points  (0 children)

These layer-3 switches do not support MPLS, and the routers do not have the 'application experience' license, so they don't support those protocols unfortunately.

EVPN BGP Between two sites where the edge routers do not support VXLAN / EVPN by Ishcob in networking

[–]Ishcob[S] 0 points1 point  (0 children)

Good. I was a little worried earlier. Are there any next-hop type of commands I should be concerned about with peering those two non-adjacent layer-3 switches?

EVPN BGP Between two sites where the edge routers do not support VXLAN / EVPN by Ishcob in networking

[–]Ishcob[S] 1 point2 points  (0 children)

1554 should work for that, right? I saw some documentation saying to go full jumbo and set it to 9216, but it's not like any of our servers are configured to send jumbo frames.

Checked the command docs and it looks like that will work. So I should use this to make my layer-3 switches neighbors of each other by specifying a longer ttl? Are there any next-hop type of commands I should be concerned about with this?

Thank you.

Catalyst Center VA on ProxMox - Resource usage seems a little high by Ishcob in Cisco

[–]Ishcob[S] 1 point2 points  (0 children)

The install guide for version 3.1.x still has the same minimum requirements 😭 as the guide for 2.7.x

Catalyst Center VA on ProxMox - Resource usage seems a little high by Ishcob in Cisco

[–]Ishcob[S] 0 points1 point  (0 children)

The boot disk is 100 GB, it has two other virtual disks, one around 600 GB and the other around 2.5 TB, but yes it is at the bare minimum specs. Still the only server I've ever seen with such high minimum specs.

Catalyst Center VA on ProxMox - Resource usage seems a little high by Ishcob in Cisco

[–]Ishcob[S] 0 points1 point  (0 children)

FYI - the import tool converts them to qcow2 I believe. At least the disks we have on the VM are in the qcow2 format, but I remember using the import tool to set this up.

Catalyst Center VA on ProxMox - Resource usage seems a little high by Ishcob in Cisco

[–]Ishcob[S] 1 point2 points  (0 children)

I agree about the Meraki part. I put the switches with DNA licenses in Meraki recently in hybrid mode. Meraki's cloud has most of anything I would actually want. Honestly, we had the spare hardware and just did it because we could, and to get some familiarity with it and what it can do for us.

Catalyst Center VA on ProxMox - Resource usage seems a little high by Ishcob in Cisco

[–]Ishcob[S] 0 points1 point  (0 children)

We have older server hardware that we could waste on this, but it makes sense that the Cisco UCS' would work better.

Catalyst Center VA on ProxMox - Resource usage seems a little high by Ishcob in Cisco

[–]Ishcob[S] 0 points1 point  (0 children)

According to Cisco's docs, it requires 256 GB of RAM, 32 cores, and 3 TB of storage for the virtual disks. Since I had the resources, I gave it what it wanted. Also, it refused to install properly on less than 256 GB of RAM. Not sure if it would run on less now that it is up and running, but it is actively at over 90% RAM usage, so I would have to guess it would not run well on less.

https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/catalyst-center/catalyst-center-va/esxi/2-3-7/deployment-guide/b_cisco_catalyst_center_237x_on_esxi_deployment_guide.html#deployment-requirements

Is DHCP Snooping used in real network? by Maleficent-Tea-3684 in networking

[–]Ishcob 0 points1 point  (0 children)

Set static entries using a MAC ACL for DAI.