• Breaking News

    Saturday, January 9, 2021

    Remote access VPN to Azure, AWS and on prem via single logical VPN gateway Networking

    Remote access VPN to Azure, AWS and on prem via single logical VPN gateway

    Posted: 09 Jan 2021 12:55 PM PST

    Hello, at my company we have resources in two major clouds (AWS and Azure), plus on prem.
    Right now, RA VPN is terminated on an ASA HA pair on prem and tunneled to AWS and Azure via IPsec.

    We are planning to terminate the VPN in the cloud, while retaining access to the aforementioned resources. The reason is, most of our users' traffic goes to the cloud and we want the user to access the closest regional VPN gateway. AnyConnect is preferable to reduce the administrative burden (namely, we have AnyConnect and would rather not have to migrate).

    The Cisco-proposed solution consists of several ASAv deployed in AWS and Azure, next to a dedicated HA pair on prem (https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-mobility/secure-remote-worker-design-guide.pdf page 16). While this would work, it appears to present a substantial management overhead. Additionally, connectivity is not via a single point of access: one gw for on prem, one for AWS, one for Azure. This requires the user to connect to the right gw based on destination.

    What I envision:

    1. user connects via Anyconnect to vpn.mycompany.com, ends up on the closest gateway via geolocation
    2. user is Authenticated (in our case via Azure AAD)
    3. user is Authorized: gets assigned Access Packages via Azure AD and is able to access only specific resources based on the access packages assigned (AWS only, AWS+On Prem, etc.)
    4. user traffic is routed to Azure, AWS, on prem transparently (via IPSec or whatever from vpn.mycompany.com to the other vpcs)

    I guess this can be done by setting up, say, an AWS cloud transit of some sort with multiple cloud gateways (ASAv) - loosely based on Cisco's document above - and IPsec to on prem/Azure.
    Is there a service doing this transparently? From my understanding, Zscaler with Private Access does, but it's more of a proxy and it would require all company clients to be provided with different software.
    I did expect Cisco Umbrella with SWG to offer exactly this, but I see no transparent bridging to AWS and Azure.

    Feel free to tell me this is a silly idea or that I am totally missing the point. This is uncharted territory for me, being an old-school on-prem VPN chap. Thanks!

    submitted by /u/spidernik84

    Load balance ELAN's with Nexus 7K question

    Posted: 09 Jan 2021 11:03 AM PST

    Hello,

    First off, sorry for the length and how confusing this probably reads. I am linking a diagram that hopefully makes more sense. Though we use Nexuses in our DCs, some of the situations I get myself into confuse me a bit due to the paired nature of the cores.

    https://imgur.com/a/nYC0kcF <--Diagram

    I have run into a design issue that I am not sure how best to rectify. In each of our datacenters we have a pair of Nexus 7706s in VPC. We have a single point-to-point circuit between two of our datacenters (DC1 & DC2) which plugs directly into Core-A at each site. There is an IP placed directly on the interfaces and everything works fine. We use EIGRP internally for routing.

    Recently, we purchased several new point-to-point links from other sites to our primary datacenter (DC1) as well as a redundant p2p between. The way the ISP set it up, since so many new circuits were going to a single location, was to place an NNI at DC1, and all of the new circuits traverse a single handoff separated by VLAN. That seemed simple enough to me: I just create an SVI at each site with the correlating VLAN and use the PE as a trunk. However, I am having an issue with EIGRP at the site that has two circuits connecting each other. The new link plugs directly into core B.

    Since the cores are VPC pairs, I create the SVI on both cores with their own IP and a shared HSRP IP. When the new link comes up, it establishes an adjacency with the SVI IP between the B cores, but it starts throwing the following reset errors for the core A SVI:

    23:43:06.976 %EIGRP-5-NBRCHANGE_DUAL: eigrp-100 [9341] (default-base) IP-EIGRP(0) 100: Neighbor 172.31.90.20 (Vlan102) is down: retry limit exceeded

    23:43:07.048 %EIGRP-5-NBRCHANGE_DUAL: eigrp-100 [9341] (default-base) IP-EIGRP(0) 100: Neighbor 172.31.90.20 (Vlan102) is up: new adjacency

    My assumption is that the route tries to establish through core B, goes to core A through the VPC link, and then A sends it through its directly connected P2P link and it fails.

    One of my thoughts to try to fix it is to change the first L3 P2P to VLAN 102 and put the two circuits into an EtherChannel, but I am not sure that is the best play.

    submitted by /u/frosss

    I can't find a good Wi-Fi analyzer for iOS. Can someone shoot me a recommendation?

    Posted: 09 Jan 2021 05:53 AM PST

    I'm a field tech 1 for an ISP and would like to familiarize myself with a Wi-Fi analyzer. I've seen many techs use them and figure it would be a good way to optimize Wi-Fi setup.

    I haven't been able to find a good free version to use on my iPhone. I'm willing to pay for it, I just want to make sure I pick the right one.

    Thanks

    submitted by /u/BreezyGamer55

    MAC Flapping issue across three Fiber ports

    Posted: 09 Jan 2021 04:20 AM PST

    Hello everyone, I'm new to the community but I have a strange problem that has been going on over the past couple of days that I cannot seem to find a fix for. At our central office we have one main campus with 2 remote buildings that are routed back to us by our ISP. Since around Wednesday morning I have noticed sporadic MAC flapping issues coming across our fiber ports, which all have one straight fiber connection from our data center switch to each building.

    Each of the buildings has spanning tree configured with bpduguard set on all the access ports, and all unused ports are shut down. Our core Cisco 9300 stack is set as the root bridge with everything coming back to it, but no switch is sending any ports into an errdisable mode. We have checked all the sites for physical loops and found nothing. MAC address tables on all the switches do not display any duplicate MAC addresses, nor does a Wireshark packet capture show any broadcast storms. Several other engineers who have a lot more experience than me and I have looked at the issue and we cannot find out what is going on. Our biggest issue is port Te2/1/8 on our switch, which has a link to our ISP's Calix switch, which carries all of our routing and VLANs for the schools. Speaking with them, they really had no idea what to do, aside from saying the only traffic they saw coming out of their VLAN was STP. Would anyone have any ideas as to what could be going on? Because I've run out.

    submitted by /u/jtedens27
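    As an added example (not code from either poster, nor from Cisco), here is a small Python detector that turns the EIGRP neighbor reset lines quoted in the Nexus 7K post above, and MAC-move notifications of the kind the fiber-port post describes, into per-neighbor and per-MAC flap counts, so a single outage can be told apart from a link that is genuinely bouncing. The first two EIGRP lines in the sample are the ones quoted in the Nexus post; every other sample line, the neighbor 10.0.0.9, the port Gi1/0/5, the MAC 0011.2233.4455 and the exact %SW_MATM-4-MACFLAP_NOTIF wording are assumptions constructed for this example.

```python
"""Flap detector for Cisco-style syslog lines (added example, not from the posts)."""
import re
from collections import defaultdict

# EIGRP neighbour state change, in the format the Nexus logged it in the post above
# (HH:MM:SS.mmm timestamp, then the syslog mnemonic, then the neighbour and interface).
EIGRP_RE = re.compile(
    r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) %EIGRP-5-NBRCHANGE_DUAL:.*?"
    r"Neighbor (?P<nbr>\d+\.\d+\.\d+\.\d+) \((?P<ifc>[^)]+)\) is (?P<state>up|down)"
)

# MAC move notification. ASSUMPTION: this %SW_MATM-4-MACFLAP_NOTIF wording follows
# IOS syslog conventions; the fiber-port post quotes no such line.
MACFLAP_RE = re.compile(
    r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) %SW_MATM-4-MACFLAP_NOTIF: "
    r"Host (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)"
)

# Constructed sample log. Lines 1-2 are the ones quoted in the Nexus post; the
# rest are made up for this example (10.0.0.9, Gi1/0/5 and the MAC are invented).
SAMPLE_LOG = """\
23:43:06.976 %EIGRP-5-NBRCHANGE_DUAL: eigrp-100 [9341] (default-base) IP-EIGRP(0) 100: Neighbor 172.31.90.20 (Vlan102) is down: retry limit exceeded
23:43:07.048 %EIGRP-5-NBRCHANGE_DUAL: eigrp-100 [9341] (default-base) IP-EIGRP(0) 100: Neighbor 172.31.90.20 (Vlan102) is up: new adjacency
23:43:19.501 %EIGRP-5-NBRCHANGE_DUAL: eigrp-100 [9341] (default-base) IP-EIGRP(0) 100: Neighbor 172.31.90.20 (Vlan102) is down: retry limit exceeded
23:43:19.577 %EIGRP-5-NBRCHANGE_DUAL: eigrp-100 [9341] (default-base) IP-EIGRP(0) 100: Neighbor 172.31.90.20 (Vlan102) is up: new adjacency
23:44:02.100 %EIGRP-5-NBRCHANGE_DUAL: eigrp-100 [9341] (default-base) IP-EIGRP(0) 100: Neighbor 10.0.0.9 (Ethernet1/1) is down: holding time expired
23:45:10.201 %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Te2/1/8 and port Gi1/0/5
23:45:12.207 %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Gi1/0/5 and port Te2/1/8
23:45:13.000 %LINK-3-UPDOWN: Interface Gi1/0/7, changed state to up
"""


def _seconds(ts):
    """HH:MM:SS.mmm -> seconds since midnight (the sample carries no date field)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def eigrp_flaps(lines, window=60.0):
    """Count down->up cycles per (neighbour, interface).

    A cycle is a 'down' followed by an 'up' for the same neighbour within
    `window` seconds. A 'down' with no matching 'up' is an outage, not a flap,
    and is deliberately not counted.
    """
    pending_down = {}
    cycles = defaultdict(int)
    for line in lines:
        m = EIGRP_RE.search(line)
        if not m:
            continue
        key = (m["nbr"], m["ifc"])
        t = _seconds(m["ts"])
        if m["state"] == "down":
            pending_down[key] = t
        elif key in pending_down and t - pending_down.pop(key) <= window:
            cycles[key] += 1
    return dict(cycles)


def mac_flaps(lines):
    """Group MAC move notifications by (mac, vlan): how often, and between which ports."""
    seen = {}
    for line in lines:
        m = MACFLAP_RE.search(line)
        if not m:
            continue
        entry = seen.setdefault((m["mac"], m["vlan"]), {"count": 0, "ports": set()})
        entry["count"] += 1
        entry["ports"].update((m["p1"], m["p2"]))
    return {k: {"count": v["count"], "ports": sorted(v["ports"])} for k, v in seen.items()}


def report(log_text, eigrp_threshold=2, mac_threshold=2):
    """Return the neighbours and MACs that crossed the flap thresholds, for alerting."""
    lines = log_text.splitlines()
    noisy_nbrs = [k for k, n in eigrp_flaps(lines).items() if n >= eigrp_threshold]
    noisy_macs = [k for k, v in mac_flaps(lines).items() if v["count"] >= mac_threshold]
    return {"eigrp": noisy_nbrs, "mac": noisy_macs}


if __name__ == "__main__":
    for kind, keys in report(SAMPLE_LOG).items():
        for key in keys:
            print(f"{kind}: {key} is flapping")
```

    Feed it the text of `show logging` (or a syslog collector export) instead of SAMPLE_LOG; the thresholds and the 60-second window are starting points, and the only thing the script asserts is that a neighbor or MAC is cycling, not why. Which port pair a MAC keeps moving between is the useful output for the fiber-port case, since it narrows the search to those two links.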

    New APs for Small Business

    Posted: 09 Jan 2021 02:24 AM PST

    Was told I should post here. Looking for recommendations, please.

    Current access points are Cisco Aironet AIR-LAP1142N-E-K9 & AIR-CAP2702I-A-K9 (yes, old). Boss is not happy with the slow speeds.

    Looking at TP-Link AX3600 for replacement in the new office, but very open to other managed solutions, and I have been made aware this may not be well suited for the enterprise level. Just not wifi-only managed.

    New hardware already includes an Extreme X440-G2-48P-10GE4 switch & Fortigate 60F with 1gig up/down through the ISP. Budget for new APs is $300-400 USD per.

    Needs to support 8-40 laptops at once, depending on workplace events, 8 TVs streaming promotional videos, 4 security cameras, 2 HVAC controllers & multiple handheld devices as needed. Office is 4,000 sq ft and has ethernet & a power source for up to 4 AP locations.

    Any help is greatly appreciated, as I'm no IT expert, but understand a little and am tasked with procurement.

    submitted by /u/texanbuilt

    Any BGP Ninjas out there? I really need some help troubleshooting an issue.

    Posted: 08 Jan 2021 05:02 PM PST

    Hello guys. I would ask Cisco but we are broke and I have no support on my gear. Imagine my pain.

    I have two ISPs and two Transit routers (Cisco 7604s).

    Currently I'm getting just a default route from ISP-A and a full table from ISP-B. Local pref is set higher for my ISP-B and I'm using BGP communities on my ISP-A to make the route to my AS from ISP-B more desirable. I've verified that inbound traffic is coming from my ISP-B and outbound traffic is also going out via my ISP-B. Of course I have iBGP between the two TRs.

    Everything was great until this morning when I asked my ISP-B to also send me JUST the default route. As soon as that happened, I started getting massive packet loss. From my ISP-B Transit router, I could ping out just fine sourcing from any public interface (I have a bunch). From my ISP-A Transit router, if I pinged outbound I would get like 30 to 50% packet loss. On my ISP-A Transit, I could see I had no route for, say, 8.8.8.8 and the default route was coming from the ISP-B TR. I could ping between the two Transit routers just fine. I shut off peering altogether with my ISP-A (neighbor shut) and I was still getting packet loss! I asked my ISP-B to roll back and as soon as they sent me the full table, I was able to ping out without loss from my network! Can anyone shed any light here for me? I'm really confused as to why this would happen.

    Thanks in advance.

    submitted by /u/LepusForamen

    Thinking about doing a Nexus Spine/Leaf config with just 4 switches....

    Posted: 08 Jan 2021 04:09 PM PST

    Spines: 9332C Leafs: 93180YC-FX

    I am tired of users complaining and have been given a massive budget to fix our network issue. We will be doing 40 GB. SAN will feed into the leafs via 40 GB connections and then down to the servers via iSCSI. I am eyeing the Nexus line to make us ACI ready but am not going to go the ACI route. Am I off in my thinking here? Will a small spine/leaf help our east-to-west needs? Currently I am on 10 GB.

    Granted, each server will connect to the same set of access/leaf switches so the hop advantage isn't all there, but I am still of the opinion that this is probably the way to go. Would really appreciate anyone's experience here. A partner is suggesting we go with 9500 chassis, meanwhile the Cisco team is telling us that a spine/leaf setup may be beneficial for our use case. Plus it is cheaper than the two 9500s being proposed. They are also telling me that going the spine/leaf route allows us to upgrade our bandwidth capabilities with ease if the need arises by adding in more spines/leafs.....

    submitted by /u/bluedevil58