
    Tuesday, August 31, 2021

    Company Wants to Enforce the Use of VPN for ALL Traffic ALL the Time for Clients *On Premises* Networking

    Posted: 31 Aug 2021 10:42 AM PDT

    Multinational. 40,000 physical clients.

    I would like to take the pulse of the community as to whether you have heard of anyone doing this, whether you think it's a good or bad idea.

    It's certainly creating a number of significant logistical nightmares: preventing clients from accessing anything locally, and sending all traffic to one of only 4 sites globally.

    Very limited options for split tunneling - apparently the vendor requires IP addresses and cannot use DNS for that (wtf??) and the list is severely limited in size.

    The current picture is that all Windows/O365 patch traffic will be choking the VPN links. Clients will not be able to use local content servers for any app installs.

    But the flip side.....what exactly is the benefit on prem to warrant VPN for ALL traffic for a device in an office?

    To me this plan is like a shopkeeper making all his customers climb through a cramped long tunnel to get in and out of the shop to save paying for security staff... Am I missing something??....

    submitted by /u/MikhailCompo

    Are you using Opportunistic Wireless Encryption, also referred to as Enhanced Open for your Guest Networks?

    Posted: 31 Aug 2021 09:55 AM PDT

    Hi all,

    I've been spending some time testing and researching wireless deployments and I came across the topic of Opportunistic Wireless Encryption (OWE). There is a WiFi Alliance certified standard called "Enhanced Open" that is built on OWE. For anyone unfamiliar, this is a method of encrypting wireless traffic without requiring a PSK, which makes it ideal for guest networks. You don't have to provide a pre-shared key to your clients and yet they still have the benefit of encrypted traffic between the clients and the APs. The purpose is to seamlessly encrypt traffic from the client to the AP. One downside is that there is no access control to the network inherent in Enhanced Open. This can be combined with a captive portal to limit access to the network.

    This certification plan for Open Enhanced was announced back in 2018, but I've only learned about it in the last few months. I wanted to get a sense of where the rest of the industry stands on this feature.

    • Were you familiar with Open Enhanced before reading this post?
    • Do you currently utilize Open Enhanced/OWE to add an additional layer of security to your guest networks?
    • How would you prioritize this feature when considering vendors for a new WiFi deployment?
    • Are there other ways of securing guest networks that should be considered instead of OWE, and is that in response to meeting certain security requirements, ease of implementation, or some other reason?

    Thanks for taking the time to read and respond to this. If you disagree with my interpretation of OWE/Enhanced open, feel free to light me up in the comments section. I don't want to participate in spreading misinformation!

    submitted by /u/thestatic1982
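    An added illustration of the property the post describes (example code, not from the post or any vendor): the OWE pairwise master key derivation of RFC 8110, run over a constructed toy Diffie-Hellman group instead of the real P-256 group. Both sides end up with the same PMK without any pre-shared key, and because nothing in the exchange authenticates either party, the encryption comes with no access control, exactly as the post notes.

```python
import hashlib
import hmac
import secrets

# CONSTRUCTED toy finite-field DH group, for demonstration only.  Real OWE
# negotiates an IANA group such as NIST P-256 (group 19); this one is NOT secure.
P = (1 << 127) - 1      # the Mersenne prime M127
G = 5
GROUP_ID = 0xFFFF       # placeholder group number, not a real IANA value
KEY_LEN = 16            # octets needed to encode an element mod P
HASH = hashlib.sha256   # OWE ties the hash to the group; SHA-256 assumed here

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869 expand step, iterated until `length` octets are available
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), HASH).digest()
        out, i = out + block, i + 1
    return out[:length]

class OweParty:
    """One side of the exchange (STA or AP) holding an ephemeral DH key pair."""

    def __init__(self):
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)

    def pub_bytes(self) -> bytes:
        return self.pub.to_bytes(KEY_LEN, "big")

    def derive_pmk(self, sta_pub: bytes, ap_pub: bytes) -> bytes:
        # The peer's key is whichever of C (STA) and A (AP) is not our own.
        peer = ap_pub if self.pub_bytes() == sta_pub else sta_pub
        z = pow(int.from_bytes(peer, "big"), self.priv, P).to_bytes(KEY_LEN, "big")
        # RFC 8110: prk = HKDF-extract(C | A | group, z)
        #           PMK = HKDF-expand(prk, "OWE Key Generation", n)
        prk = hkdf_extract(sta_pub + ap_pub + GROUP_ID.to_bytes(2, "big"), z)
        return hkdf_expand(prk, b"OWE Key Generation", HASH().digest_size)

def owe_association(sta: OweParty, ap: OweParty):
    """Association Request carries C from the STA, the Response carries A back;
    each side then derives the PMK.  No pre-shared key, and no authentication."""
    c, a = sta.pub_bytes(), ap.pub_bytes()
    return sta.derive_pmk(c, a), ap.derive_pmk(c, a)
```

    Any station that completes the exchange gets its own PMK with the AP, which is why a captive portal or similar is still needed for access control.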

    Aruba ClearPass radius/tacacs+ w/ MFA for switch/router SSH access

    Posted: 31 Aug 2021 03:53 AM PDT

    Has anyone here successfully set up an MFA mechanism with clearpass for radius or tacacs purposes?

    Preferably with Duo or M$ Authenticator.

    I've seen examples of FreeRADIUS w/ Google Authenticator where the OTP is appended to the password, so a solution like this would probably work alright, or use push verification.

    I've hit page 5 of Google already with little success.

    It seems like if I use radius and have duo access gateway as a radius auth source it may work for push verification but I haven't verified that as viable yet.

    Keen to hear from those who have made it work.

    submitted by /u/obscure_simpsons_ref
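    As an added example (not from the post, ClearPass or FreeRADIUS) of the "OTP appended to the password" scheme mentioned above: a server-side check that splits the submitted User-Password into the static password and a trailing RFC 6238 TOTP code (the format Google Authenticator produces), with a small clock-skew window and constant-time comparisons. The secret and passwords used are constructed sample values.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30   # TOTP time step in seconds (the Google Authenticator default)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-octet big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = Unix time // STEP."""
    return hotp(secret, at // STEP, digits)

def verify_password_otp(submitted: str, stored_password: str, secret: bytes,
                        at: Optional[int] = None, window: int = 1,
                        digits: int = 6) -> bool:
    """Check a RADIUS User-Password built as <static password><OTP>.

    The trailing `digits` characters are the OTP, the rest is the password.
    `window` tolerates that many STEPs of clock skew in either direction.
    The static password is compared in the clear here for brevity; a real
    server would verify it against a stored hash."""
    if len(submitted) <= digits:
        return False
    password, otp = submitted[:-digits], submitted[-digits:]
    if not otp.isdigit():
        return False
    now = int(time.time()) if at is None else at
    pw_ok = hmac.compare_digest(password.encode(), stored_password.encode())
    otp_ok = False
    for skew in range(-window, window + 1):
        # evaluate every candidate (no early exit) and compare in constant time
        otp_ok |= hmac.compare_digest(totp(secret, now + skew * STEP, digits), otp)
    return pw_ok and otp_ok
```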

    Internet Redundancy

    Posted: 31 Aug 2021 03:17 PM PDT

    I'm looking to build out redundant internet to a new backup data center. Is there any new technology out there anyone would recommend that would be helpful? I'm checking to see if there is a new method other than just doing BGP to two different ISPs...

    submitted by /u/nivek076

    Cisco DNA. Business Buzzword overkill or is it actually nice?

    Posted: 31 Aug 2021 11:51 AM PDT


    Going through training on Cisco DNA right now, and my eyes and ears are bleeding. So much 'automation' and how it's open, software driven, bla bla bla bla.

    Has anyone here actually used it? Does it really save time? I run a campus of ~80 buildings across a couple of states. Automating a network deployment would save me..... an hour of work?

    submitted by /u/Wall_Stair

    Hurricane Ida Aftermath

    Posted: 31 Aug 2021 08:36 AM PDT

    Hey Reddit,

    So the company I work for was based out of Metairie, LA which was just brutally slammed by Ida this past Sunday. We have a generator for power but the office does not have internet at all. We have been trying to use Verizon MyFi hotspots to get some employees online to work but they are spotty and don't work great for more than one person.

    My question is, is there a better way? I've looked up a better hotspot device made by Netgear, or my father is also sending me a KVH TracPhone and suggesting we slap one up on the roof. Or do we just buy each employee a Verizon MyFi and let them scatter around to try and find service?

    Any help is much appreciated.

    submitted by /u/zack24790

    Intermittent Network Issues

    Posted: 31 Aug 2021 08:31 AM PDT

    Hello all, I know I won't be able to put enough detail in this post for you to know everything but here goes nothing.

    We've started having issues where people VPN in from home and then RDP into their desktop; it connects for about 15-20 seconds, then just keeps reconnecting every few seconds. When they connect it's pretty much unresponsive, and then it drops again. If I am on the LAN and RDP to that machine I have no problems, but if I try to run a speed test, it starts out fine at 200 Mbps and then errors out shortly after, so it's not just RDP issues. I can't really download any kind of files from the internet during this time, or we've had people on Teams calls that just don't work at all due to the network issues. It's pretty random and happens to multiple computers regardless of OS. It's happened on desktops and some Ubuntu servers as well, so I've ruled out our AV or hardware.

    The only thing that seems to fix the issue is a complete shutdown and then starting back up. I've run packet captures on our ASA from the IP but don't see anything alarming: a few duplicated and out-of-order packets, but they correct themselves.

    We do have old Cisco Catalyst 3560G switches with a pretty flat network, and we are working to replace these as well as redo the network configuration, but I've got a 30-day lead time on equipment.

    Any help on other things to try would be appreciated.

    submitted by /u/theamadelorean

    Tracker for viptela DIA dual router and dual internet connection?

    Posted: 31 Aug 2021 01:44 AM PDT

    Hi All,

    I'm setting up a LAB wherein I have 2 vEdge with direct internet connection.

    vEdge-A is acting as the primary router; it also has a TLOC-Extension to vEdge-B. I also enabled NAT and applied a tracker on the vEdge TLOC-Extension interface.

    I'm able to validate that this is working with both lines active/enabled. However, when the tracker goes down, I can see that packets are still being sent to the TLOC-Extension, causing them to be silently dropped since the internet connection via the TLOC-Extension is down.

    The objective is to reroute the traffic to the active internet connection if the tracker applied on the TLOC-Extension interface at vEdge-A goes down.

    Here's what I configured.

    a. Applied a tracker and created a data policy with nat fall-back.

    from-vsmart data-policy VPN1_DIANAT
     direction all
     vpn-list VPN1
      sequence 10
       match
        source-ip
        destination-ip
       action accept
      sequence 11
       match
        source-data-prefix-list VPN1-Sites102060-Services
       action accept
        nat use-vpn 0
        nat fallback
        set
         local-tloc-list
          color biz-internet public-internet
      default-action accept
    from-vsmart lists vpn-list VPN1
     vpn 1
    from-vsmart lists data-prefix-list VPN1-Sites102060-Services
     ip-prefix

    b. vEdge-A(Primary):

    vEdge-A interface:
     Tloc-Extension:  0 ge0/2 ipv4 Up Up Up null transport 1500 50:00:00:11:00:03 1000 full 1416 0:00:30:31 39078 46931
     Direct-Internet: 0 ge0/4 ipv4 Up Up NA null transport 1500 50:00:00:11:00:05 1000 full 1416 0:00:00:03 417 2277

    - Tracker is up

     0 ge0/2 0 udp 12386 12346 12386 12346 established 0:00:00:59 704 115104 704 125527
     0 ge0/4 0 icmp 716 716 716 716 established 0:00:00:05 1 98 0 0

    - From the NAT statistics I am able to see that both interfaces are used.

    The issue is that when both interfaces are enabled, somehow the client can't reach the , but if I disable one of the links I can see that the client can reach it.



    0 - ge0/4 - - - F,S (direct)

    0 - ge0/2 - - - F,S (Tlocex)

    vpn 0
     interface ge0/4
      ip address
      nat
      !
      tunnel-interface
       encapsulation ipsec
       color public-internet
       no allow-service bgp
       allow-service dhcp
       allow-service dns
       allow-service icmp
       no allow-service sshd
       no allow-service netconf
       no allow-service ntp
       no allow-service ospf
       no allow-service stun
       allow-service https
      !
      no shutdown
     !
    !

    vEdge-A# show running-config vpn 0 interface ge0/2
    vpn 0
     interface ge0/2
      description "TLOC"
      ip address
      nat
      !
      tracker track_public_internet
      tunnel-interface
       encapsulation ipsec
       color biz-internet restrict
       no allow-service bgp
       allow-service dhcp
       allow-service dns
       allow-service icmp
       no allow-service sshd
       no allow-service netconf
       no allow-service ntp
       no allow-service ospf
       no allow-service stun
       allow-service https
      !
      no shutdown

    When I did a TCP dump on both interfaces, it seemed like no data was passing through.

    Switch#ping repeat 1000 source
    Type escape sequence to abort.
    Sending 1000, 100-byte ICMP Echos to, timeout is 2 seconds:
    Packet sent with a source address of
    ......................................................................
    ...............................

    vEdge-A# tcpdump vpn 0 interface ge0/4 options "host -n"
    tcpdump -p -i ge0_4 -s 128 host -n in VPN 0
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ge0_4, link-type EN10MB (Ethernet), capture size 128 bytes

    # tcpdump vpn 0 interface ge0/2 options "host -n"
    tcpdump -p -i ge0_2 -s 128 host -n in VPN 0
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ge0_2, link-type EN10MB (Ethernet), capture size 128 bytes

    Disabled one of the interfaces:

    SITE-C_ID500_MPLS(config-vpn-0)# interface ge0/4
    SITE-C_ID500_MPLS(config-interface-ge0/4)# shutdown
    SITE-C_ID500_MPLS(config-interface-ge0/4)# commit
    Commit complete.

    - Ping works after disabling:
    ................!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! <> !!!!!!!!!!!!!!!!!!!!
    Success rate is 87 percent (878/1000), round-trip min/avg/max = 1/1/7 ms


    a. Is it possible to use both biz-internet public-internet transport connections, however if the tloc extension tracker goes down the traffic should flow to the active internet connection? How can I achieve that?

    b. Am I missing something in my configuration?

    submitted by /u/1searching

    Where to filter OSPF routes?

    Posted: 30 Aug 2021 04:36 PM PDT

    On the announcing router? Or on the receiving router? Or is it just a matter of preference?

    submitted by /u/sendep7

    Lab design help

    Posted: 30 Aug 2021 08:41 PM PDT


    We're converting a room into a PC lab. Due to the room's location, the lab switch runs through the IDF and ultimately to the FW. So I'm running a transit VLAN from the lab to the FW (the gateway). This prevents the lab network from touching prod. My question is, what's a better way of designing this?

    submitted by /u/d3adbor3d2

    VLAN discovery

    Posted: 31 Aug 2021 05:35 AM PDT

    Won't mention the brand for now, but I'd like to pose a question to fellow networking guys:

    Is it normal, in your opinion, that if you plug a Linux computer (with no VLAN set on the NIC) into a $that_brand switch port which is set to a tagged VLAN only (only 1 tagged VLAN and no untagged VLAN allowed), you get an IP through DHCP anyway?
    You won't ping anything, no way to get out to the internet, but you get an IP anyway and so you acquire information on what subnet that port belongs to?

    submitted by /u/merkleID


