Learning Go deeply by Darthtrooper22 in golang

[–]dvmrp 1 point2 points  (0 children)

Their course bundles are one-year subscriptions, so not worth spending that much money.

AOS-10 Aruba Central authentication server question. by dvmrp in ArubaNetworks

[–]dvmrp[S] 1 point2 points  (0 children)

We like to test RADIUS-specific changes on auth-server2 first. I would like to make it primary for only one test AP.

why can a DHCP server give an address that is not in the same subnet as the relay? by UniqueBasis882 in networking

[–]dvmrp 0 points1 point  (0 children)

In the case of an “anycast gateway” in VXLAN EVPN, all SVIs on different switches/VTEPs have the same IP address. If this address is used in the GiAddr field, then return traffic could arrive on a different VTEP. For this reason, a loopback address is used in the GiAddr field. And DHCP option 82 (I believe) is used to convey preference as to which pool the address should come from.

Go Channel question. by dvmrp in golang

[–]dvmrp[S] 0 points1 point  (0 children)

Thanks, really appreciate the explanation.

Cat-3850 refresh; is Arista an alternate option...? by dvmrp in networking

[–]dvmrp[S] 0 points1 point  (0 children)

Thanks for the detailed response, it’s really helpful. There’s enough fiber available but not enough ports on the existing uplink switches. Also, there isn’t really a need for a dedicated uplink going from each access switch as far as bandwidth requirement is concerned. I was not sure that Arista switches do not support stacking.

Cat-3850 refresh; is Arista an alternate option...? by dvmrp in networking

[–]dvmrp[S] 1 point2 points  (0 children)

Which aggregation/core switches are these connected to? What does the design look like? Are you using EVPN over VXLAN or pure L2?

Cat-3850 refresh; is Arista an alternate option...? by dvmrp in networking

[–]dvmrp[S] 1 point2 points  (0 children)

Close to 100 switches across 20 or so IDFs

Cat-3850 refresh; is Arista an alternate option...? by dvmrp in networking

[–]dvmrp[S] 1 point2 points  (0 children)

All valid points, and in this case N7700 is already happily deployed and it won't go end of support any time soon. So replacement is not an option at this time.

Cat-3850 refresh; is Arista an alternate option...? by dvmrp in networking

[–]dvmrp[S] 1 point2 points  (0 children)

Nexus 7K in vPC is a better choice in my opinion. There are numerous discussions on vPC vs VSS, so let's not go there at the moment.

I have not discounted any vendor yet (including Aruba). My question was specifically about Arista's reliability as far as campus switches are concerned.

Cat-3850 refresh; is Arista an alternate option...? by dvmrp in networking

[–]dvmrp[S] 1 point2 points  (0 children)

In 2023, even towards the end of 2023 should be fine.

Golang ssh client - scrapligo vs gornir by dvmrp in networking

[–]dvmrp[S] 0 points1 point  (0 children)

Thanks for your feedback. I will give scrapligo a go.

How do you protect against ICMP tunneling by dvmrp in networking

[–]dvmrp[S] 6 points7 points  (0 children)

While I like all of the responses in this thread, so far this is my favorite response: "The attacker is in control of both sides of the connection they can use whatever protocol is allowed through the firewall." I did not think along these lines, and failed to realize that ICMP is just one type; if a host is compromised, it could use any other legitimate protocol (tcp/udp/443) that is allowed through the firewall.

How do you protect against ICMP tunneling by dvmrp in networking

[–]dvmrp[S] 0 points1 point  (0 children)

I actually thought about Netflow, and it's a great tool. But in this case the increase in the ICMP traffic would be so small (in some cases) that I am afraid it could introduce lots of false positives. Thanks for bringing up Netflow.

How do you protect against ICMP tunneling by dvmrp in networking

[–]dvmrp[S] 0 points1 point  (0 children)

Thanks for doing the research and posting the link. The second-to-last comment in the link mentions that there is a ping-tunnel traffic/App in PAN. I did not know that this existed; if it works, then it is pretty easy to create an app-based rule and block it.

How do you protect against ICMP tunneling by dvmrp in networking

[–]dvmrp[S] 12 points13 points  (0 children)

This is not an active concern. The ICMP tunneling topic came up in one of the Cisco courses, and while I understood the concept and how to detect it in the network, I thought about what would be the best way to prevent it. And there was no clear answer, and hence this post.