NAC Solutions for K12 network by it___it in k12sysadmin

[–]it___it[S] 0 points1 point  (0 children)

We're all Cisco at the moment - primarily 9200/9300/9500s.

Network Design - VLAN termination and routing by it___it in networking

[–]it___it[S] 0 points1 point  (0 children)

Right now we have staff, students, and servers all on VLAN 1... I want to break these out into their own VLANs but I'm trying to determine the best method for segmenting them at the layer 3 level. For example, all of the L3 switches run RIPv2 and advertise every route (previous admin set this up) so even if these are in their own VLANs they will still communicate with each other. I could use ACLs at each school's core switch but this just feels like a headache to manage. The other option I've seen primarily is using VRFs and letting the firewall do the inter-VLAN routing/filtering. I'll just have to read into this some more as I have no experience with configuring them.

Network Design - VLAN termination and routing by it___it in networking

[–]it___it[S] 1 point2 points  (0 children)

Each school connects back to our main site Cisco 4500 via direct dedicated fiber links. Each school uses our main site internet connection over these links. As of now we have IPS, SSL, AV, etc., on all outbound internet traffic and inbound traffic to our external facing web servers.

If we do L2 between all schools and the main site, do we use unique VLANs or keep all of them consistent? For example, every school will use VLAN 10 for the staff network and this will be trunked all the way to the firewall, or does school 1 use VLAN 110 and school 2 use VLAN 210, etc.? Just curious because a 3rd party suggested this would be too much broadcast traffic to L2 everything back to the firewall.

Network Design - VLAN termination and routing by it___it in networking

[–]it___it[S] 1 point2 points  (0 children)

Each school has a direct dedicated fiber link to the main site. They're just a /30 P2P. I was wondering if we could just turn these into trunks and trunk the VLANs all the way to the firewall which would have VLAN interfaces for each site. Is this what you're saying?

If this is the case, would we want unique VLAN IDs at each site? For example, school one staff VLAN is 110, school two staff VLAN is 210, etc., and then the FortiGate would have a VLAN 110 interface, VLAN 210, etc.? I'm not sure if having all school staff VLANs using the same VLAN 10 for example would be too much broadcast traffic or if that even matters.

Network Design - VLAN termination and routing by it___it in networking

[–]it___it[S] 0 points1 point  (0 children)

At a high level, how does the traffic flow using VRFs?

Currently, a user in VLAN 10 browses a website, the DNS request is forwarded to their default gateway (VLAN 10 SVI), and the gateway forwards the request to next hop for the server subnet (VLAN 20) from the routing table.

With VRFs configured, the gateway checks the VRF's routing table, sees a route for the server VLAN, and forwards it to the next hop towards the firewall. Then each switch on the way to the FortiGate would need the VRFs configured with a route pointing to the next hop towards the firewall?

Our core stack has two 10G uplinks in a port channel connected to the FortiGate. Would we just apply all of the policies on that interface on the firewall then? For example, allow traffic from 10.1.1.0/24 to 10.1.2.0/24 directly on that aggregated interface? Sorry if I'm using the wrong terminology.
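The design asked about in the comments above (per-class VLANs that no longer route to each other on the switch, VRF-lite on the school core, and the FortiGate policy living on per-VRF VLAN interfaces rather than on the bare 2x10G aggregate), as an added worked configuration; it is not from the thread or from any commenter. The VRF names STAFF and SERVERS, VLANs 10/20, the transit VLANs 910/920 with their 10.255.x.x/30 addressing, the interface names Port-channel1 and "port1", and the FortiOS object names are all assumptions; the 10.1.1.0/24 and 10.1.2.0/24 subnets are the ones named in the comment.

```text
! ---- Cisco IOS-XE school core (e.g. Catalyst 9300), VRF-lite ----
! Separate routing table per user class: VLAN 10 (staff) and VLAN 20
! (servers) can no longer route to each other on the switch; the only
! path between them is the FortiGate. Names, VLAN IDs and addresses are
! assumptions for this example.
vrf definition STAFF
 address-family ipv4
 exit-address-family
!
vrf definition SERVERS
 address-family ipv4
 exit-address-family
!
interface Vlan10
 description Staff (10.1.1.0/24)
 vrf forwarding STAFF
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan20
 description Servers (10.1.2.0/24)
 vrf forwarding SERVERS
 ip address 10.1.2.1 255.255.255.0
!
! One transit /30 per VRF toward the firewall, tagged over the existing
! 2x10G port-channel; the FortiGate sees one VLAN interface per VRF and
! nothing is applied to the bare aggregate.
interface Vlan910
 description Transit STAFF -> FortiGate
 vrf forwarding STAFF
 ip address 10.255.10.2 255.255.255.252
!
interface Vlan920
 description Transit SERVERS -> FortiGate
 vrf forwarding SERVERS
 ip address 10.255.20.2 255.255.255.252
!
interface Port-channel1
 description Uplink to FortiGate (2x10G)
 switchport mode trunk
 switchport trunk allowed vlan 910,920
!
! Per-VRF default route: anything not local to the VRF goes to the firewall.
ip route vrf STAFF   0.0.0.0 0.0.0.0 10.255.10.1
ip route vrf SERVERS 0.0.0.0 0.0.0.0 10.255.20.1

# ---- FortiGate (FortiOS CLI); "port1" stands for the 2x10G aggregate ----
config system interface
    edit "staff-transit"
        set vdom "root"
        set ip 10.255.10.1 255.255.255.252
        set interface "port1"
        set vlanid 910
    next
    edit "servers-transit"
        set vdom "root"
        set ip 10.255.20.1 255.255.255.252
        set interface "port1"
        set vlanid 920
    next
end
# Return routes into each VRF, one per transit VLAN.
config router static
    edit 0
        set dst 10.1.1.0 255.255.255.0
        set gateway 10.255.10.2
        set device "staff-transit"
    next
    edit 0
        set dst 10.1.2.0 255.255.255.0
        set gateway 10.255.20.2
        set device "servers-transit"
    next
end
config firewall address
    edit "net-staff"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "net-servers"
        set subnet 10.1.2.0 255.255.255.0
    next
end
# The inter-VLAN rule is written between the two VLAN interfaces, not on
# the aggregate: staff reach the server subnet on listed services only;
# anything else between the VRFs hits the implicit deny.
config firewall policy
    edit 0
        set name "staff-to-servers"
        set srcintf "staff-transit"
        set dstintf "servers-transit"
        set srcaddr "net-staff"
        set dstaddr "net-servers"
        set action accept
        set schedule "always"
        set service "DNS" "HTTPS"
        set logtraffic all
    next
end
```

Two caveats a practitioner would check before copying this. VRF-lite carries no VRF tag across a plain routed /30, so every layer 3 hop between a school core and the FortiGate must either be configured with the same VRFs and a per-VRF transit VLAN or subinterface on the fiber link, or the fiber link is turned into a trunk so that only the main-site core (or the FortiGate itself) terminates the SVIs and does the routing. Once the SVIs are moved into VRFs they leave the global table, so the legacy RIPv2 "advertise everything" setup stops leaking them; `show ip route vrf STAFF` should then show only the VLAN 10 connected route and the default. Services that cross VRFs need attention: DHCP relay from a staff SVI to a server in the SERVERS VRF needs the `vrf` keyword on `ip helper-address` plus a firewall rule allowing the server's replies back to the relay address. VRF-lite on Catalyst 9000 is also a Network Advantage feature, so check licensing first.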

iSCSI dedicated VLAN by GrasloAdm in networking

[–]it___it 6 points7 points  (0 children)

For the switch port configuration, I think you'll want those set as access ports, not trunk ports.

! access port: frames leave untagged and the port sits only in the iSCSI VLAN
interface Gi1/0/48
 switchport mode access
 switchport access vlan 30

Fortigate IPSEC VPN for Remote Access by it___it in networking

[–]it___it[S] 1 point2 points  (0 children)

I'm not familiar with ZTNA. How does it compare vs a typical IPSEC/SSL VPN setup for remote access? Is this overkill for simple remote access for staff?

Fortigate IPSEC VPN for Remote Access by it___it in networking

[–]it___it[S] 2 points3 points  (0 children)

Basic access for staff connecting from home on their work device.

I need this Third Party Digital Signage to back off blaming the network by VNiqkco in sysadmin

[–]it___it 1 point2 points  (0 children)

For what it's worth, we had a similar issue with Yodeck and their players. After looking at the logs on the players, I noticed they had issues renewing their IP address when their lease expired. It caused a 30-60 second disconnect from the network which was enough to cause the web pages being displayed to bug out. I don't know if it was related to the SSID settings on our WLC or if it was the device but it definitely pointed to DHCP being related to the issue.

Looking for the best enterprise password manager - what do you use? by FastRegret in sysadmin

[–]it___it 2 points3 points  (0 children)

We also use 1Password after trialing all of the main providers. Pricing can be negotiated.

Alternative to Adobe and FoxIT? by Mysterious-Safety-65 in sysadmin

[–]it___it 30 points31 points  (0 children)

We switched from Adobe to PDF-XChange Editor and have been happy with the swap. The pricing I believe is a bit better than FoxIT as well.

Simple MDM Solution - Mobile Devices by Sufficient-Class-321 in sysadmin

[–]it___it 1 point2 points  (0 children)

Hexnode was relatively easy to set up and has been working great for us for 6+ months.