ate shit on live tv
Feb 15, 2004

by Azathoth
With wireless and lightweight APs there is no scaling/performance issue for large subnets. The scaling limits come from the number of devices per AP. Stadiums and large public event spaces etc. get away with flat /16s and of course use client isolation. I would say plan your subnets to minimize addresses wasted per controller. If you have a single controller for a region and expect ~3000 clients total at all the offices etc., then a /20 is a good size. If you have a remote site that requires a dedicated controller and will have 20 people in the office, a /24 should be fine. (I don't like going smaller than /24 for user subnets.)

Just avoid doing like 32 /29's or a /24 per floor or whatever.

ate shit on live tv
Feb 15, 2004

by Azathoth

Methanar posted:

What is a BGP EVPN and why might I ever care.

And how might stretching a single subnet across DCs work and why would you ever want to do that.

You don't want that. But it is a potential routed fix for dumb "business critical apps" that can't handle not being layer2 adjacent so you can still have some kind of DR. It won't work well, and will still be a huge outage if anything ever happens, but it will check a box for an audit about DR.

ate shit on live tv
Feb 15, 2004

by Azathoth

Thanks Ants posted:

<:smuggo:> You look at the config in your config management platform </:smuggo:>

God no. I'm imagining some kind of java gui applet that only runs on IE6 and takes at least 10 clicks with loading screens to get any information.

ate shit on live tv
Feb 15, 2004

by Azathoth

GreenNight posted:

loving Meraki. So we have a stack of 8 Meraki switches that keep losing connectivity to their cloud. They still pass client traffic but they all show offline, so I can't configure switch ports or anything. I opened a case and this is their response.

What the gently caress, really? Do you expect me to reboot a stack of 8 switches every other week? God drat.

And what have we learned about shared control planes?

ate shit on live tv
Feb 15, 2004

by Azathoth

GreenNight posted:

Our Cisco rep just pinged us and said any new switch orders won't be fulfilled until late 2022. That's how bad supply chain issues are right now.

Yep. It's super bad. Who could have predicted that outsourcing all fabrication would have a negative effect on domestic supply chains? Oh well I'm sure a few thousand people were enriched by a few thousand billion dollars. So it's fine.

ate shit on live tv
Feb 15, 2004

by Azathoth
If 100% of my traffic was ingress/egress, then putting the routing on the firewalls can make sense. Ideally though the firewalls are running ECMP/BGP so that taking any given firewall out of commission for upgrades or whatever doesn't take down the whole DC. No, don't put the firewalls into a cluster, that poo poo sucks. Have two standalone firewalls that are advertising specific /32s for whatever public services you are hosting. Those /32s will be advertised to your internet router(s) and the internet routers will advertise your public IP blocks. If you want to save money you can have your edge routers be the same device as the core routers and put the internet into a VRF so that all traffic has to transit a firewall.

ate shit on live tv
Feb 15, 2004

by Azathoth
I think I'm missing the correct terminology here, or maybe internet search results are completely polluted these days, but I should be able to do the following.

I will have 2 or 4 bastion hosts located in public clouds with public IPs. I have full access to these hosts. I want to have a series of dynamic IPsec tunnels terminate on those bastions. The tunnel endpoint IPs will be arbitrary, and I want to use public/private keys to identify each endpoint. The endpoints will be Juniper SRXs and the cloud bastions will run Ubuntu.

Originally I was thinking I'd have a series of WireGuard interfaces on the servers, but as I'm reading more about how WireGuard works, I'm not actually sure that an SRX can "speak" WireGuard, so I may be forced to use something else on the bastions that I can terminate the IPsec tunnel to.

So what is this "something else?" I don't want to use PKI certs or pre-shared keys. I would like to have a generated public/private key pair on each bastion and on each SRX, and distribute the public keys between these guys via Chef and Ansible templates. So basically I should have a list of public keys for the bastions and also for the SRXs, and when a new SRX reaches out to a bastion, the bastion should check its public key list for authenticating the tunnel.

This seems like it should be possible to me, but when I'm Google searching all I'm finding is self-signed certs, which I'd like to avoid because I don't want to depend on a shared DNS or any other external services for this functionality. Nor do I want to manage secrets.

e: Apparently the options are only PSK or PKI, which means generating a bunch of bullshit and, most distressingly, having to put an expiration date :/
Sigh.

ate shit on live tv fucked around with this message at 00:54 on Jan 26, 2022

ate shit on live tv
Feb 15, 2004

by Azathoth
I was originally going with juniper because of the ease of automation via ansible plus I'm a fan of Junos. This is a bit disappointing to say the least.

ate shit on live tv
Feb 15, 2004

by Azathoth

falz posted:

I certainly know little about security stuff but is WireGuard an actual RFC standard?

If not then I doubt Juniper cares, and I don't blame them.

Yea. WireGuard is slick, but probably too new to be of interest to the vendors, but why the lack of public key auth without having to use a CA?

ate shit on live tv
Feb 15, 2004

by Azathoth

tortilla_chip posted:

Comedy option: run a container on your SRX to terminate the Wireguard traffic.

I wonder if the little SRX320 can do that. God this sucks. I am trying so hard to avoid PSKs, but apparently the only other alternative is a full CA system which for a backup OBM that is to be used only if poo poo hits the fan is less than optimal.

CAs suck. They expire after a year, depend on DNS and reachability to the CA, and can't be dynamically updated on the SRX.

OK, so what is the least lovely way to turn up a CA on my Ubuntu hub server? I know almost nothing about how to build that.

ate shit on live tv
Feb 15, 2004

by Azathoth
If you have firewalls in a cluster, do not single-home anything to them. Use your core switch and use a LAG that connects each member of the firewall cluster to each core switch. Connect single-homed connections, like ISP links, to the core switch, while the firewalls use some kind of virtual interface to run whatever protocols you need to run across that single connection. If you have dual connections, then you'll do the same thing, but the physical connection will terminate on each core switch, and the firewall will have some kind of virtual interface to run BGP/VRRP etc. across those connections.

ate shit on live tv
Feb 15, 2004

by Azathoth

MF_James posted:

Yeah I mean, I get it, but I wouldn't trust that someone wouldn't gently caress that config up, or the vendor gently caress up, to where it's less secure, I'd prefer to keep an edge switch/stack to separate the edge and LAN.

I'm assuming that you don't have separate edge switches; if you do, then yea, use those.
