Network Segmentation with Zero Trust approach
- Network Segmentation with Zero Trust approach
- Are Proxyservers still worth setting up in 2021?
- Why use multi-mode fiber, when you can use single-mode fiber?
- Differences between being an IT Network Engineer vs other Network Engineering roles
- Small DC design
- 802.1x (EAP-TLS) security
- Reverse Proxy Concerns
- Gigavue/Gigamon/Gigasmart H series Gigaview visibility platform nodes
- GRE without IPv4/6 transport
- Is there any ways to prevent Cisco Switches and Routers from being reset or tampered with?
- Why does setting up a route reflector restart BGP sessions?
- Cisco iWAN to SD-WAN - pros/cons?
- Aruba / HPE GreenLake offering
Network Segmentation with Zero Trust approach Posted: 01 May 2021 01:46 PM PDT I am working with an external consultant to design a network for a ministry building, but I thought I'd get a second opinion from the super Reddit experts. Our CTO has advised us to use a zero trust network architecture. It would be a two-tier network (collapsed core). We are planning to segment the network by use case, e.g. user VLAN A should not talk to user VLAN B, and the IoT VLAN should not communicate with the user and server VLANs. I am thinking of putting in a DC firewall and then either placing the VLAN gateways on the DC firewall, or doing VRFs in the core switches and terminating the VRFs on the DC firewall. I would be grateful if anyone could demonstrate any ideas with a rough network diagram. Appreciating any help.
Are Proxyservers still worth setting up in 2021? Posted: 01 May 2021 03:18 AM PDT I've got to manage a school network, and my predecessor had set up Squid for content filtering and caching. With almost all of the web traffic being HTTPS, is this still worth it? I mean, the content filtering can only be done at the domain level and caching is not really possible either, if my thinking is correct (on HTTPS). My thought would be to skip the proxy and do the filtering via OpenDNS or with custom DNS entries. Am I missing out on any benefits that would be worth setting up and maintaining Squid for?
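The "domain level only" point above is exactly what a proxy in front of HTTPS can still see without decrypting anything: the server_name (SNI) extension in the TLS ClientHello, which is what Squid's peek-and-splice style filtering keys on. The following is an added example, not code from the post or from Squid: it constructs a minimal ClientHello carrying an SNI, parses the SNI back out the way a filtering proxy would, and applies a constructed blocklist. The hostnames and the fail-closed choice for a missing SNI are assumptions made for the example.

```python
"""Domain-level HTTPS filtering without decryption: extract the SNI from a TLS
ClientHello and match it against a blocklist.  Added example with constructed
inputs; not Squid's code and not a real client capture."""
import struct
from typing import Optional


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS record holding a ClientHello with one SNI entry
    (constructed test input, not captured traffic)."""
    host = server_name.encode("idna")
    # server_name extension: list length, name_type 0 (host_name), name length, name
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_ext_body = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", 0x0000, len(sni_ext_body)) + sni_ext_body
    body = (
        b"\x03\x03"                 # client_version: TLS 1.2
        + b"\x00" * 32              # random (zeroed for the example)
        + b"\x00"                   # session_id length 0
        + b"\x00\x02\x13\x01"       # cipher_suites: one suite, TLS_AES_128_GCM_SHA256
        + b"\x01\x00"               # compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    # handshake header: type 1 (ClientHello) + 24-bit length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # record header: type 22 (handshake), version 3.1, 16-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension, or None if absent/malformed."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                           # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                           # compression_methods
    if len(body) < pos + 2:
        return None
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end > len(body):
        return None
    while pos + 4 <= end:                          # walk the extension list
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext = body[pos:pos + ext_size]
        pos += ext_size
        if ext_type != 0x0000 or len(ext) < 2:
            continue
        list_len = struct.unpack("!H", ext[:2])[0]
        p = 2
        while p + 3 <= min(2 + list_len, len(ext)):
            name_type = ext[p]
            name_len = struct.unpack("!H", ext[p + 1:p + 3])[0]
            p += 3
            name = ext[p:p + name_len]
            p += name_len
            if name_type == 0 and len(name) == name_len:
                try:
                    return name.decode("ascii").lower()
                except UnicodeDecodeError:
                    return None
    return None


# Constructed blocklist for the example (not real sites).
BLOCKED_SUFFIXES = ("example-games.test", "tracker.test")


def filter_decision(record: bytes) -> str:
    """Allow/block purely on the SNI hostname; no TLS termination involved."""
    sni = extract_sni(record)
    if sni is None:
        return "block"        # assumption: fail closed when there is nothing to classify
    for suffix in BLOCKED_SUFFIXES:
        if sni == suffix or sni.endswith("." + suffix):
            return "block"
    return "allow"
```

This is the whole of what the proxy learns about an HTTPS request without a MITM certificate: the hostname, never the path or response body, which is why URL-level filtering and caching stop working. It also shows the gap relative to DNS filtering: the client sends the SNI even if it resolved the name through a resolver you do not control, so SNI matching catches hard-coded IPs and DNS-over-HTTPS bypasses that an OpenDNS-only setup does not.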
Why use multi-mode fiber, when you can use single-mode fiber? Posted: 01 May 2021 03:45 PM PDT It seems you get higher bandwidth, lower attenuation, and more distance from single-mode fiber.
- Why even use multi-mode fiber anymore?
- Is the cost of single-mode transceivers really that much higher than multi-mode transceivers? If so, how much cost are we talking about here, and are there other electronics that contribute to a much higher cost of a single-mode system?
Differences between being an IT Network Engineer vs other Network Engineering roles Posted: 01 May 2021 07:19 AM PDT Hi, I am a Network Engineer who has been working in the internal IT department of a big multinational company for almost 7 years. I joined the company as an L1 IT support engineer, providing IT support for the internal employees working at multiple locations in different regions. After 2 years on the ServiceDesk, one of my managers at the time told me that the company would soon advertise a Junior Network Engineer position and asked me if I was interested in applying for it. Without hesitation I applied and got the job, and I have stayed in the same department since then. I have experienced multiple events in my role: for example my company merged with another one, new people came and others left, I got promoted to Senior, I passed some Cisco certifications, etc. Recently, I have been thinking about my future, because I really enjoy my job, but at the same time I love networking and I would really like to explore different roles out there. My question is for those who have experience in multiple networking roles at different companies: what are the main differences between working as an internal IT network engineer and working in other network engineering roles, such as for an ISP, a managed services provider, or supporting the network for a big application platform? And which role did you enjoy the most?
Small DC design Posted: 01 May 2021 03:59 PM PDT Hi everyone! I'm designing a small DC for 2 racks with an opportunity to scale. This design uses Cisco devices: two Nexus 9K as distribution switches with N2K FEX switches at the access layer. End servers use LACP to connect into the FEXes; the N9Ks use vPC to support multi-chassis LACP. ASR1K routers use HSRP for the VLAN gateways and VRFs to separate tenants' VLANs. The ASRs get a default route from the ISPs through eBGP and use iBGP for ISP active/passive redundancy. The active HSRP ASR checks Internet connectivity with IP SLA and changes its HSRP priority if the Internet resource is unreachable. DC topology: https://ibb.co/D7Vywk9
Thanks for your answers!
802.1x (EAP-TLS) security Posted: 01 May 2021 03:16 AM PDT Hello, from my understanding, under dot1x a port is either unauthorized or authorized. Even if the authentication process is encrypted end to end, what prevents a MITM from waiting until authentication has succeeded and then injecting packets? Even under multi-auth, which I assume works based on MAC (because how else would it identify devices?), an attacker can still inject packets by setting the source MAC to the authenticated device's... Am I missing something, or is this protocol just bad? For authentication to make sense, the channel would have to be encrypted or each packet signed with a session secret and a nonce.
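The post's last sentence describes what IEEE 802.1AE (MACsec) actually does: 802.1X-2010 MKA derives a session key from the EAP-TLS master session key, and every frame then carries a packet number and an integrity check value computed under that key, so a device that merely shares the wire and spoofs the authorized MAC has nothing to sign with. The following is an added example, not code from the post or from any vendor: a toy model of a plain 802.1X port beside a MACsec-style port, run against the spoofing, replay and tampering cases. The MAC addresses are constructed, and the HMAC-SHA256 ICV stands in for MACsec's AES-GCM, which is not what the standard uses.

```python
"""Post-authentication injection against plain 802.1X versus per-frame integrity
keyed by the EAP session (the MACsec model).  Added example with a toy port
model; not any switch vendor's implementation."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field

SUPPLICANT_MAC = "aa:bb:cc:00:00:01"   # constructed
ATTACKER_MAC = "de:ad:be:ef:00:99"     # constructed
ICV_LEN = 16                           # MACsec ICVs are 16 bytes; HMAC truncated here


@dataclass
class Dot1xPort:
    """Plain 802.1X: after EAP-Success the switch only remembers which source MACs
    are authorized.  Nothing in a later frame proves who sent it."""
    authorized: set = field(default_factory=set)

    def eap_success(self, mac: str) -> None:
        self.authorized.add(mac)

    def accept(self, src_mac: str, payload: bytes) -> bool:
        return src_mac in self.authorized


@dataclass
class SecuredPort:
    """MACsec-style: every frame carries a packet number (PN) and an ICV computed
    with a per-session key that only the supplicant and the switch hold."""
    keys: dict = field(default_factory=dict)       # mac -> session key
    last_pn: dict = field(default_factory=dict)    # mac -> highest PN accepted

    def eap_success(self, mac: str, session_key: bytes) -> None:
        self.keys[mac] = session_key
        self.last_pn[mac] = 0

    def accept(self, src_mac: str, frame: bytes) -> bool:
        key = self.keys.get(src_mac)
        if key is None or len(frame) < 4 + ICV_LEN:
            return False
        pn = struct.unpack("!I", frame[:4])[0]
        icv = frame[-ICV_LEN:]
        expected = hmac.new(key, frame[:-ICV_LEN], hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return False                  # forged or tampered frame
        if pn <= self.last_pn[src_mac]:
            return False                  # replay of an already-seen frame
        self.last_pn[src_mac] = pn
        return True


def protect(session_key: bytes, pn: int, payload: bytes) -> bytes:
    """Supplicant side: prepend the PN and append the keyed ICV."""
    hdr = struct.pack("!I", pn) + payload
    return hdr + hmac.new(session_key, hdr, hashlib.sha256).digest()[:ICV_LEN]


def run_scenario() -> dict:
    results = {}

    # 1. Plain 802.1X: the attacker waits for EAP-Success, then sends with the
    #    victim's MAC as source.  The port has no way to tell the two apart.
    plain = Dot1xPort()
    plain.eap_success(SUPPLICANT_MAC)
    results["plain_legit"] = plain.accept(SUPPLICANT_MAC, b"GET /")
    results["plain_own_mac"] = plain.accept(ATTACKER_MAC, b"evil")
    results["plain_spoofed_mac"] = plain.accept(SUPPLICANT_MAC, b"evil")

    # 2. MACsec-style: a session key bound to the EAP exchange protects each frame.
    session_key = os.urandom(32)          # stands in for the key derived from the EAP-TLS MSK
    sec = SecuredPort()
    sec.eap_success(SUPPLICANT_MAC, session_key)
    f1 = protect(session_key, 1, b"GET /")
    results["sec_legit"] = sec.accept(SUPPLICANT_MAC, f1)
    results["sec_replay"] = sec.accept(SUPPLICANT_MAC, f1)
    forged = protect(os.urandom(32), 2, b"evil")          # attacker lacks the session key
    results["sec_spoofed_mac"] = sec.accept(SUPPLICANT_MAC, forged)
    f2 = protect(session_key, 2, b"GET /")
    tampered = f2[:4] + b"PUT /" + f2[-ICV_LEN:]          # payload changed, ICV kept
    results["sec_tampered"] = sec.accept(SUPPLICANT_MAC, tampered)
    results["sec_next_frame"] = sec.accept(SUPPLICANT_MAC, f2)
    return results


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name:18s} {'accepted' if ok else 'rejected'}")
```

Without MACsec the honest answer to the question is that 802.1X authorizes a port (or a MAC on a multi-auth port) and stops there, so the injection described in the post works; the controls that remain are physical (the attacker needs to be inline or on the same segment) and detective (the switch sees the same MAC on two ports, or the legitimate host notices). With MACsec enabled on the link, the ICV and replay window are what turn the one-time authentication into per-frame authentication.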
Reverse Proxy Concerns Posted: 01 May 2021 04:23 PM PDT I am deploying the Duo reverse proxy (DNG) with 2FA to protect internal web applications. Normally, I would put the DNG server in a firewalled DMZ, then create firewall rules to allow 443 from outside the network to the DMZ proxy. Create a DNS record so www.myweb.com points to the IP address of the reverse proxy; that's what clients will connect to and that's what presents the TLS certificate. Then point DNG at the internal web server and allow port 80 via firewall rules. My main concern is: is this design secure enough to protect the internal servers from any attack, or do we need to move the internal web server to the DMZ as well?
Gigavue/Gigamon/Gigasmart H series Gigaview visibility platform nodes Posted: 01 May 2021 03:18 PM PDT Anyone got any experience with these? If I'm understanding this correctly, is this just a managed switch with a few extra things? Can I connect one of the SFP+ ports to my UDMP LAN SFP+ and a bunch of the SFP ports to a managed gigabit switch in an LB/LAG sort of deal (specifically I have a stack of Brocade switches), giving >1Gb across multiple clients (I get that a single stream's speed isn't increased by doing this)? Also (and separately), does anyone know if these have any licensing issues (a la Cisco etc.)? (Flaired as 'other' because it fits multiple categories)
GRE without IPv4/6 transport Posted: 01 May 2021 05:19 AM PDT I remember reading something about connecting two routers via GRE without IPv4/6-enabled interfaces, but I can't recall how it was done. When I was looking into it, it seemed that it needs a transport protocol like IPv4/6, right?
Is there any ways to prevent Cisco Switches and Routers from being reset or tampered with? Posted: 01 May 2021 07:07 AM PDT Hey everyone, I'm currently in class for networking and in 2 weeks I will be doing a culminating event where I have to set up a network according to a logical topology given to me. After I set up the network, an instructor connected via SSH will try to do things like delete VLANs, trunk ports, etc., as well as physically accessing my network and trying to mess it up by unplugging cables and so on. All my hardware will be included in the Combat Data Network / Data Distribution System (CDN/DDS-M). I'm aware there's no way to prevent the instructor from messing with the network entirely, but I want him to at least get annoyed while trying to mess up the network. Any tips are appreciated.
Why does setting up a route reflector restart BGP sessions? Posted: 01 May 2021 03:01 AM PDT Hi, while playing in a lab with BGP RRs, I noticed that if a BGP session is already in place without any RR configuration and I then set up RRs, the BGP sessions are reset. Although I didn't explicitly find this written in the RFC, I understand at least Cisco and Juniper do this. My question is, why? Can't the RR simply send UPDATE messages for the new routes (possibly withdrawing old ones) so they carry the ORIGINATOR_ID and CLUSTER_LIST attributes? Why is a session restart required?
Cisco iWAN to SD-WAN - pros/cons? Posted: 30 Apr 2021 04:47 PM PDT My organization is currently running iWAN for our remote site connectivity. We have the ability to upgrade to the newer post-Viptela-acquisition Cisco SD-WAN solution. I know there is a detailed guide for making this change, but I was just curious to hear thoughts from anyone that has performed this upgrade. Any growing pains? Weird issues? Is it really that much better? Easier to manage/administrate? Basically just trying to figure out if the juice is worth the squeeze at this point. iWAN has been terribly underwhelming. I know Viptela used to be a great product line. Not sure if Cisco has destroyed that product and technology in true Cisco form yet, or if it is a solid solution. Curious to hear from folks that have made the upgrade and your overall thoughts/opinions. Our setup is pretty basic. We've got an internet connection and an MPLS connection to each remote site. The head ends at the datacenters are ASR1001 routers and each remote site has an ISR4451.
Aruba / HPE GreenLake offering Posted: 30 Apr 2021 07:54 PM PDT What has your experience been with the GreenLake offering? Which option are you using, basic or advanced services?
You are subscribed to email updates from Enterprise Networking Design, Support, and Discussion.