I've been playing around with Ansible a lot lately and mostly with things like compliance checks for network devices, and basic configuration tasks other than my full build of the VXLAN lab which I posted previously and I've seen quite a lot of articles lately about using Ansible for deploying VM's and containers etc so though why not give it a go. I needed to rebuild one of my ISE servers in my lab so thought this would be a great opportunity to try and do it using Ansible.

This post is purely because I spent a very long time googling and was not able to find the answer. I've been doing a lot with Ansible lately for work and have been playing around scripts for essentially fully configuring a Palo Alto firewall from scratch, outside of management. One of the tasks I was trying to work with was to enable jumbo frames on the device and after spending hours googling I found some answers that eventually led me in the right direction so decided I'd write up a quick blog post for it. 

This is the third and final part of the VXLAN Ansible configuration series. If you have followed the previous sections, you should already have the base, and underlay configuration applied and are now ready to configure VXLAN with BGP EVPN.  As with the previous configuration sections, I will be creating another role that will do the following: Finish off the PIM RP configuration, configure the NVE interfaces, the VLAN's and VLAN to VNI mappings and configure BGP, VRF's and the Anycast gateways for all Spine, Leaf and Border Gateway switches. 

Welcome to part 2 of this guide. If you've completed part 1, you should have the base configuration applied and the device interfaces all configured, so it's now time to build the VXLAN underlay. For the VXLAN Underlay, you will need to configure OSPF, and the required multicast configuration in preparation for VXLAN BGP EVPN.  

As with the base configuration role, for the underlay I created another role called dcb_underlay. Below is my folder structure for this role. 

It's been quite a while since I've had time to lab anything but I finally managed to get back into it and decided why not do a bit more on Ansible and VXLAN so, I setup another micro PC in my home lab so that I could build out a second VXLAN "DC" of Virtual N9K switches. My goal with this one is to configure the entire thing with Ansible outside of the standard configuration that is applied using POAP. For the second "DC", I'm going to use the same spine and leaf design with a single spine switch and three leaf switches.

I've been playing around with API's on my Palo Alto firewall a bit lately and have been looking for a way to automate backing them up in my home network as any good engineer should. I was doing the slow and silly manual thing by regularly logging in and exporting the device state and configuration and also do the same thing any time I made any changes and that's just not ideal for many reasons, the main one being it relied on me actually remembering to do it. So I figured since i'm currently looking into automation and Ansible etc, why not try using API's to backup my firewalls.

Lately at work I've been testing dual-homed FEX connectivity in an Active/Standby configuration on the Nexus 9300 platform. Dual-Homed FEX are only supported on specific Nexus switch models and NX-OS versions etc and depending on the Nexus platform in various configuration types. There's a Cisco article on which topologies are supported on which platforms that can be found here.

Recently had an issue with failed backups on my Cisco ISE server which turned out to be due to high disk usage. The alarm was initially saying the disk usage was above 70-80+%. I was able to verify this by logging into the CLI of the Cisco ISE server and using the command show disk. (I've removed some output for simplicity sake)

In the modern age of networking or IT in general, if you've worked in the industry for more than 5 seconds you'll have heard the term software defined..... fill in the blank or network automation. They're the buzzwords of the era and everyone wants it even if they don't know what it actually means or does. Personally I've never been a fan of software defined or automated anything. I've always been a firm believer that when it comes to automation in networking, you auto-not use it.

Recently I wrote an article on creating an IPSec Route Based VPN using a Cisco router and a Palo Alto firewall. Today I though I would expand on the Cisco configuration a bit and run through a basic Policy Based VPN configuration. Personally I much prefer route based VPN's because of the flexibility of having an actual interface etc but there are always times when a policy based VPN is required. This example is of a simple policy based VPN configuration between two Cisco routers.

The other day I went to log into my ISE server but the CLI admin password stopped working. Not sure exactly what happened though because I was able to log in about 15 minutes before that with the same password for my admin account. So, not having any other way to log in, i needed to perform a password reset on the admin user and decided to write up this post. In order to reset the admin password for ISE, you will need to have a copy of the ISE iso file downloaded and access to VMWare ESX host or VCentre.

If you've been following my posts on 802.1x, you may have noticed that I have been skipping over the authorisation profile stuff a bit and just configuring the policies with a very generic permit access. So I decided that that's what this post will touch on. There is a lot you can do with Cisco ISE in regards to authorisation profiles so I will only be covering some of the basics. 

I've been playing around with my lab firewall lately testing some API stuff and I decided to walk through how to update the firewall Web GUI certificate with one that is signed by a trusted CA, which in my case, is my own home PKI servers. If you would like to build your own PKI server, then please see my post here. 

I've used FreeIPA before in my lab environment and was using it to play around with vCenter server authentication but have now decided to expand on my home LDAP authentication by configuring Cisco ISE with an external identity source of my FreeIPA server using LDAP. I wanted to be able to configure access to my various Lab devices by configuring various LDAP groups for different types of access such as read-only and full admin rights etc. This process took a bit of playing around to figure out all of the specific attributes to configure so I thought i'd write up a post about it.

I recently puchased a couple of second hand Cisco Wireless Access Points for my home lap and once I got them home I realised they hadn't been factory reset so decided why not write up a process on how do reset the Cisco 3702 WAP. I decided to connect up a console cable to show the console output during a factory reset. First things first, disconnect the Ethernet cable if using PoE or the power cable if you're using that. Once the AP is turned off, hold down the mode button and connect the Ethernet/Power cable again.