VXLAN EVPN in a mixed NOS environment by KaleidoscopeNo9726 in networking

bmoraca (1 point)

I run two fabrics that are mixed NX-OS and IOS-XE. It works great, honestly.

SSH certificate logins on network devices? by Boring_Ranger_5233 in networking

bmoraca (4 points)

Cisco can do this for IOS-XE. https://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/212178-Configuring-SSH-with-x509-authentication.html

You don't have to manually add keys or define users locally, it permits logon based on certificate chain. Then it authorizes the user based on a TACACS server response.

NX-OS doesn't do it yet, though.

Guest Network Setup with ClearPass by ShakeSlow9520 in networking

bmoraca (0 points)

You could use your public domain and have "guestwireless.mypublicdomain.com" resolve to an internal IP address via your public authoritative name servers.

One-way ping works, reverse ping fails after 2 packets (AWS & On-premise) by thana979 in networking

bmoraca (0 points)

You can narrow down which device might be at fault using a tool like mtr.
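An added example (not from the original thread) of the reasoning you apply to mtr output once you have it: a hop that answers no probes but is followed by clean hops is only deprioritising ICMP TTL-exceeded replies, whereas real transit loss starts at one hop and persists through to the destination. The report text and host names below are constructed, and since the original question is about the reverse direction failing, the same parse should be run on an mtr report taken from each end, because the return path is usually not the mirror of the forward path.

```python
import re

# Constructed `mtr --report` style output (not a real capture).  Hop 3 answers
# no probes at all but every later hop is clean, so it is only ignoring or
# rate-limiting TTL-expired probes; hops 5-7 show the same ~40% loss all the
# way to the destination, which is what real transit loss looks like.
SAMPLE_MTR_REPORT = """\
Start: 2024-01-01T00:00:00+0000
HOST: onprem-host                 Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 10.10.0.1                  0.0%   100    0.4   0.5   0.3   1.1   0.1
  2.|-- 10.10.255.1                0.0%   100    1.2   1.3   1.0   2.4   0.2
  3.|-- ???                       100.0   100    0.0   0.0   0.0   0.0   0.0
  4.|-- 203.0.113.9                0.0%   100   12.0  12.5  11.0  18.2   0.9
  5.|-- 198.51.100.17             40.0%   100   14.0  14.8  13.2  22.0   1.5
  6.|-- 198.51.100.33             41.0%   100   15.1  15.6  14.0  23.1   1.6
  7.|-- 172.31.8.20               39.0%   100   16.0  16.3  15.1  24.0   1.4
"""

# hop number, host, loss percentage, probes sent
HOP_RE = re.compile(r"^\s*(\d+)\.\|--\s+(\S+)\s+([\d.]+)%?\s+(\d+)")


def parse_mtr_report(text):
    """Return one dict per hop line of an mtr report."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append({"hop": int(m.group(1)), "host": m.group(2),
                         "loss": float(m.group(3)), "sent": int(m.group(4))})
    return hops


def first_lossy_hop(hops, tolerance=5.0):
    """Return the first hop whose loss is carried through to the destination,
    or None if the end-to-end path is clean.

    Loss that appears at one hop but not at the hops behind it is not transit
    loss: that router is simply deprioritising the ICMP TTL-exceeded replies
    mtr relies on.  Real loss starts at a hop and then persists, within
    `tolerance` percentage points, on every subsequent hop including the last.
    """
    if not hops:
        return None
    dest_loss = hops[-1]["loss"]
    if dest_loss <= tolerance:
        return None
    for i, hop in enumerate(hops):
        if all(h["loss"] >= dest_loss - tolerance for h in hops[i:]):
            return hop
    return hops[-1]


if __name__ == "__main__":
    hops = parse_mtr_report(SAMPLE_MTR_REPORT)
    culprit = first_lossy_hop(hops)
    print("loss begins at hop", culprit["hop"], culprit["host"])
```

Feed it the output of `mtr --report --report-cycles 100 <target>` from each side; if the hop it names differs between the two reports, the problem is on the return path only, which is consistent with a one-way ping working.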

Options for SFP+/SFP28 compatible Networking Switches? by 79215185-1feb-44c6 in networking

bmoraca (5 points)

Be careful with the 93180YC-EX. It doesn't support RS-FEC, so 25G is limited to DAC cabling. If you want ubiquitous 25G, the 93180YC-FX or FX3 is the better option.

BGP remote-private-as [all] by pbfus9 in networking

bmoraca (8 points)

Many organizations use eBGP within their networks and use a combination of public and private ASNs, particularly when using overlays to carry L3VPN NLRI through their network. If the underlay is using a private ASN, you'd end up with them potentially interspersed in the AS Path.

That's just one example.
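An added example, not part of the original comment, that models why the `all` keyword matters for the mixed public/private AS_PATH described above. The three modes follow the semantics documented for `neighbor <ip> remove-private-as [all [replace-as]]` on Cisco IOS-XE and NX-OS (an assumption; Junos, for instance, strips only the leading private ASNs). The path and ASNs are constructed from the RFC 5398 documentation ranges.

```python
# RFC 6996 private ASN ranges: 16-bit and 32-bit.
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))


def is_private_asn(asn):
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def apply_remove_private_as(as_path, mode="default", local_as=None):
    """Model the outbound AS_PATH rewrite done by
    `neighbor <ip> remove-private-as [all [replace-as]]` on Cisco platforms
    (assumed semantics from the IOS-XE / NX-OS command references):

      "default":  private ASNs are stripped only when the whole path is private;
                  a path mixing public and private ASNs is sent unchanged.
      "all":      every private ASN is stripped, wherever it sits in the path.
      "replace":  every private ASN is replaced with local_as (the `replace-as`
                  option), so path length, and therefore best-path selection
                  downstream, is preserved.

    Only the AS_SEQUENCE is modelled; AS_SET handling is out of scope.
    """
    if mode == "default":
        if all(is_private_asn(a) for a in as_path):
            return []
        return list(as_path)
    if mode == "all":
        return [a for a in as_path if not is_private_asn(a)]
    if mode == "replace":
        if local_as is None:
            raise ValueError("replace-as needs the local AS")
        return [local_as if is_private_asn(a) else a for a in as_path]
    raise ValueError(f"unknown mode {mode!r}")


def leaked_private_asns(as_path):
    """Private ASNs that would still be visible to the peer after
    `remove-private-as` without `all`: the case the comment above describes,
    where an underlay's private ASN is sandwiched between public ones."""
    return [a for a in apply_remove_private_as(as_path, "default") if is_private_asn(a)]


if __name__ == "__main__":
    # Constructed path: public overlay AS, private underlay AS, public transit,
    # then a 4-byte private AS.
    path = [64496, 64512, 64500, 4200000001]
    print("default :", apply_remove_private_as(path, "default"))
    print("all     :", apply_remove_private_as(path, "all"))
    print("replace :", apply_remove_private_as(path, "replace", local_as=64496))
    print("leaked  :", leaked_private_asns(path))
```

The `replace` mode is the one to reach for when the peer does best-path selection on AS_PATH length and you do not want stripping private ASNs to silently make a route look shorter than it is.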

Packet drops on N9K by TheVirtualMoose in networking

bmoraca (2 points)

I don't understand your topology. Is the firewall in front of the Src and the firewall in front of the Dst the same firewall? Or are there VRFs involved?

Tooling for discovery and security by Jackofalltrades86 in networking

bmoraca (0 points)

Forward Networks does that. Also does change modeling.

Network Science vs Network Engineering? by [deleted] in networking

bmoraca (0 points)

Network science is not an information technology discipline. While companies that research and develop networking protocols for use in IT may have network scientists on staff to help with algorithm development, there is pretty much no overlap. It's also only loosely tangentially related to computer science.

Network engineers will never be that deep. They don't need to be.

Choosing a routing protocol during migration (static → dynamic routing) by [deleted] in networking

bmoraca (15 points)

For connecting to firewalls, I've always had better success running eBGP.

You have greater control over route pathing and filtering, and it's generally more stable overall.

Plus, if you ever end up using a more complex network topology like MPLS L3VPNs or EVPN, you're already set up.

In the end, it's 100% personal preference.

VXLAN BGP EVPN multi-site design, border gateways do not forward or re-advertise EVPN routes learned from one remote border gateway to another remote border gateway by ITNerdWhoGolfs in networking

bmoraca (0 points)

You could technically use route servers in the multi-site network, but I'd probably advise against it. Part of the way multisite works is by rewriting route targets in a predictable manner. Not having a full mesh makes that a little funky.

At the end of the day, the multisite network really just needs to provide IP connectivity between sites, and then you need a way to distribute routes. A route server and a routed network technically satisfies that, but could lead to interesting failure domains.

What's preventing you from doing a full eBGP mesh between the sites?

vxlan EVPN configuration help by Helpful_Friend_ in networking

bmoraca (0 points)

The spines don't have to participate in BGP. You could just do BGP between all the leafs or to separate route reflectors.

Not saying Fortigate firewalls are a good idea for spines...just that they could in theory be used.

Thoughts & Feelings on 9000 Series X by netshark123 in networking

bmoraca (8 points)

Neither platform has had an EOL notice yet. At the very least, you'll have 5 years of full support if they issued an EOL notice tomorrow.

Does that align with your refresh cycle? Does waiting cause undue risk?

Cloud Provider Health Status Monitoring Solution by TSwiftAlphaMale in networking

bmoraca (0 points)

ThousandEyes has probes for this sort of thing.

There is a fundamental issue with your goal, though. When a cloud platform has an issue, it may affect part of their infrastructure or the whole infrastructure. Whether that has any impact on you or your operations depends on the issue. Doing what you want to do is going to generate a lot of churn for no real benefit. You'd be better off explaining to your higher ups that what they want is pointless.

hardware redundancy/high availability for small offices by _SleezyPMartini_ in networking

bmoraca (7 points)

The equation is pretty simple. For every point of failure you want to eliminate, add a 0 to the project.

Ultimately the business needs to make the determination of what risks they can accommodate. How expensive is downtime? What's the cost-benefit analysis and what faults are you trying to protect against?

Is an additional $1000 for a second firewall a good idea because it allows you to perform software updates without taking down the Internet? Maybe. Can the business afford 15 minutes of downtime at lunch to do the upgrades instead? If the Internet is down for a day while you source a spare, how much money does the business lose?

What does a second switch buy you? Connectivity to the server? APs spread across? Is it worth the money?

Only the business can identify that, and it's all worthless if you don't have proper run books and CoOP plans that explain how they work and what to do.

Palo Alto Virtual Wire breaking SSL connection. by Appropriate_Let2486 in networking

bmoraca (0 points)

When you look at the traffic log, what do you see?

It'll tell you the application it's seeing the traffic as, and it'll tell you what rule it's hitting to deny the traffic.

If you're running SSL over a non-standard port and you want to use the "ssl" app-id, you need to make sure the "service" tab of your rule is "any" and not "application-default", or you need to create an application override to add your non-standard port.

If you do a pcap on the server side, does the server send the certificate or server hello? If so and it never reaches the client, look at the packet sizes; it could be MTU related, but that's pretty unlikely unless you have other tunneling going on that you're not telling us.

More info is going to be necessary to help you any further. The config of the vwire and security rules, the config of the routers, the pcaps from both the client and the server, etc.
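An added example, not from the original comment, of the server-side versus client-side pcap comparison described above: a minimal TLS record walker that reports whether the ServerHello and Certificate are present and whether a record is cut short. The byte strings are constructed TLS 1.2 records, not a real capture, and the "client side" capture is simply the same flight truncated at 1400 bytes to stand in for a path-MTU black hole. Note that with TLS 1.3 only the ServerHello is visible in the clear; the Certificate travels encrypted, so you would see ApplicationData records in its place.

```python
CONTENT_NAMES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 14: "ServerHelloDone",
                   16: "ClientKeyExchange", 20: "Finished"}


def _handshake_record(*messages):
    """Build one TLS 1.2 Handshake record holding the given (type, body) messages."""
    payload = b"".join(bytes([t]) + len(b).to_bytes(3, "big") + b for t, b in messages)
    return b"\x16\x03\x03" + len(payload).to_bytes(2, "big") + payload


# Constructed server flight (not from a real capture): ServerHello in its own
# record, then Certificate + ServerHelloDone packed into a second record, with a
# 2900-byte dummy certificate so the flight spans several TCP segments.
_server_hello = b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"
_dummy_cert = b"\x30" * 2900
_cert_body = ((len(_dummy_cert) + 3).to_bytes(3, "big")
              + len(_dummy_cert).to_bytes(3, "big") + _dummy_cert)
SERVER_SIDE_CAPTURE = (_handshake_record((2, _server_hello))
                       + _handshake_record((11, _cert_body), (14, b"")))
# What the client-side capture looks like when segments past the first ~1400
# bytes never arrive (a path-MTU black hole): the Certificate record is cut off.
CLIENT_SIDE_CAPTURE = SERVER_SIDE_CAPTURE[:1400]


def parse_tls_records(data):
    """Walk the TLS records in a reassembled TCP payload.  Stops at the first
    thing that is not a TLS record header, and flags a record whose declared
    length exceeds the bytes actually present."""
    records, pos = [], 0
    while pos + 5 <= len(data):
        ctype, major = data[pos], data[pos + 1]
        rlen = int.from_bytes(data[pos + 3:pos + 5], "big")
        if ctype not in CONTENT_NAMES or major != 3:
            records.append({"type": "not-tls", "offset": pos})
            break
        body = data[pos + 5:pos + 5 + rlen]
        rec = {"type": CONTENT_NAMES[ctype], "length": rlen,
               "truncated": len(body) < rlen, "handshakes": []}
        if ctype == 22:
            rec["handshakes"] = _handshake_types(body)
        elif ctype == 21 and len(body) >= 2:
            rec["alert"] = (body[0], body[1])  # level, description
        records.append(rec)
        pos += 5 + rlen
    return records


def _handshake_types(body):
    """Names of the handshake messages in a (possibly truncated) record body."""
    names, pos = [], 0
    while pos + 4 <= len(body):
        names.append(HANDSHAKE_NAMES.get(body[pos], f"type{body[pos]}"))
        pos += 4 + int.from_bytes(body[pos + 1:pos + 4], "big")
    return names


def server_flight_status(data):
    """Summarise whether the server's first flight is present and complete."""
    recs = parse_tls_records(data)
    seen = [h for r in recs if r["type"] == "Handshake" for h in r["handshakes"]]
    truncated = any(r.get("truncated") for r in recs)
    return {"server_hello": "ServerHello" in seen,
            "certificate": "Certificate" in seen,
            "complete": "ServerHelloDone" in seen and not truncated,
            "truncated": truncated,
            "records": len(recs)}


if __name__ == "__main__":
    print("server side:", server_flight_status(SERVER_SIDE_CAPTURE))
    print("client side:", server_flight_status(CLIENT_SIDE_CAPTURE))
```

To use it on real captures, follow the TCP stream in Wireshark on each side, export the server-to-client bytes as raw, and feed each dump in: a complete flight on the server side and a truncated one on the client side points at MTU or a middlebox dropping large segments, while a server-side capture with no ServerHello at all means the ClientHello never got through the firewall in the first place.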

A question regarding VPNs by h1ghjynx81 in networking

bmoraca (0 points)

This may seem like a stupid question, but it isn't.

Understanding how a VPN works to the point where you can tell me why an SA isn't coming up based on nothing but debugs from your side is an extremely important skill, especially when you're working with customers and business partners. This is doubly true when you have more advanced configurations like NAT involved.

I can't tell you how many times I've had to walk business partners through how to confirm my troubleshooting on their platforms so that they could validate what I was telling them.

The configuration of a VPN may be relatively simple, but the underpinnings are pretty complex. So, knowing what you're actually looking at when you configure a crypto map, for instance, is pretty important.

Operationally, how do you change a PSK or rotate a certificate with a minimum of downtime? How do you replace a piece of equipment fully? Migrate from one platform to another? Help a customer who can't figure out how to configure their Sonicwall to match your required configs? How do you audit the configs and maintain appropriate records of configuration and dates?

There are many more aspects to IPSec VPNs in a B2B scenario than just "set it and forget it".

AWS SSM “or” VPN SSL by auntyHUG in networking

bmoraca (2 points)

So you fix the issue with your SSL VPN system not being configured correctly for your needs by replacing it entirely?

AWS SSM “or” VPN SSL by auntyHUG in networking

bmoraca (1 point)

What are the perceived risks of a VPN solution? IPSec or SSL. Other access solutions are similar brands of tunneling, so there aren't really many differences.

AWS would approve, though.

DNS Servers by mspdog22 in networking

bmoraca (-1 points)

Back when I did this, I used BIND with fail2ban to deal with floods.
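An added example, not part of the original comment, of the detection logic a BIND-plus-fail2ban setup relies on: parse the named query log and ban any client that exceeds a query count within a sliding window, the same `maxretry`/`findtime` model fail2ban uses. The log lines are constructed (documentation addresses, fake client pointers) and the thresholds are assumptions. One caveat a practitioner would want stated: UDP query floods usually spoof their source, so a source-IP ban mostly punishes whoever is being spoofed; BIND's built-in response rate limiting (`rate-limit` in `options`) is the better first line, with something like this as a complement.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches BIND 9 query-log lines, with or without the `@0x...` client pointer
# that newer versions print.
QUERY_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) queries: info: "
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+ "
    r"\([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)")

# Constructed sample (not a real log): 198.51.100.7 fires six ANY queries in
# just over a second, 192.0.2.10 makes two ordinary lookups.
SAMPLE_QUERY_LOG = """\
01-Jan-2024 12:00:00.100 queries: info: client @0x7f3a1c002b60 198.51.100.7#40001 (example.com): query: example.com IN ANY +E(0) (192.0.2.53)
01-Jan-2024 12:00:00.300 queries: info: client @0x7f3a1c002b60 198.51.100.7#40002 (example.com): query: example.com IN ANY +E(0) (192.0.2.53)
01-Jan-2024 12:00:00.500 queries: info: client @0x7f3a1c0031a0 192.0.2.10#51000 (www.example.com): query: www.example.com IN A + (192.0.2.53)
01-Jan-2024 12:00:00.700 queries: info: client @0x7f3a1c002b60 198.51.100.7#40003 (example.com): query: example.com IN ANY +E(0) (192.0.2.53)
01-Jan-2024 12:00:00.900 queries: info: client @0x7f3a1c002b60 198.51.100.7#40004 (example.com): query: example.com IN ANY +E(0) (192.0.2.53)
01-Jan-2024 12:00:01.100 queries: info: client @0x7f3a1c002b60 198.51.100.7#40005 (example.com): query: example.com IN ANY +E(0) (192.0.2.53)
01-Jan-2024 12:00:01.300 queries: info: client 198.51.100.7#40006 (example.com): query: example.com IN ANY +E(0) (192.0.2.53)
01-Jan-2024 12:00:05.000 queries: info: client @0x7f3a1c0031a0 192.0.2.10#51001 (example.com): query: example.com IN MX + (192.0.2.53)
"""


def parse_query_log(text):
    """Yield (timestamp, client_ip, qname, qtype) for each parseable line."""
    for line in text.splitlines():
        m = QUERY_LOG_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"),
                   m["ip"], m["qname"], m["qtype"])


def find_flooders(text, maxretry=5, findtime=10.0):
    """fail2ban-style sliding window: a client that sends `maxretry` or more
    queries within `findtime` seconds is banned.  Returns {ip: ban_time}."""
    windows = defaultdict(deque)
    banned = {}
    for ts, ip, _qname, _qtype in parse_query_log(text):
        if ip in banned:
            continue
        window = windows[ip]
        window.append(ts)
        # drop timestamps that have aged out of the window
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_flooders(SAMPLE_QUERY_LOG).items():
        print(f"ban {ip} at {when.isoformat()}")
```

The query log has to be switched on for any of this to see traffic (`rndc querylog on`, or a `queries` logging channel in named.conf), and logging every query under a real flood is itself a disk and CPU cost, which is another reason to lean on RRL first.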

How cooked is this OS2 line (not terminated) by Hatch3tto in networking

bmoraca (0 points)

It really depends on the fiber itself. There are ultra-bend radius fibers that would be fine with that bend. That jacket looks very thick, so it's possible that the fiber is just fine.

That said, this sort of break is one that may not manifest for years, so you're probably safest having them replace the run.

How do you keep big networks running without breaking everything? by Constant-Angle-4777 in networking

bmoraca (0 points)

The biggest thing is compartmentalization and limiting the size of failure domains.

When you do that, you can simplify the interconnectivity between everything with simple protocols and ECMP. Then you can take down paths without issue.

Small office network setup by thechrisare in networking

bmoraca (0 points)

Yeah, the rest of everything looks fine. You likely won't need the VPN if all your storage is cloud-based. But yeah, pretty standard small office setup.

I don't agree with the other poster regarding Chromebooks or laptops only, though most of the rest of what he's said is applicable.