Articles that are to be listed on the Blog page

Configure VXLAN with Ansible Part 2

Welcome to part 2 of this guide. If you've completed part 1, you should have the base configuration applied and the device interfaces all configured, so it's now time to build the VXLAN underlay. For the VXLAN underlay, you will need to configure OSPF and the required multicast configuration in preparation for VXLAN BGP EVPN.

As with the base configuration role, for the underlay I created another role called dcb_underlay. Below is my folder structure for this role. 

Configure VXLAN with Ansible Part 1

It's been quite a while since I've had time to lab anything, but I finally managed to get back into it and decided why not do a bit more on Ansible and VXLAN, so I set up another micro PC in my home lab so that I could build out a second VXLAN "DC" of Virtual N9K switches. My goal with this one is to configure the entire thing with Ansible outside of the standard configuration that is applied using POAP. For the second "DC", I'm going to use the same spine and leaf design with a single spine switch and three leaf switches.

Palo Alto Firewall Backups using API

I've been playing around with APIs on my Palo Alto firewall a bit lately and have been looking for a way to automate backing them up in my home network, as any good engineer should. I was doing the slow and silly manual thing by regularly logging in and exporting the device state and configuration, and also doing the same thing any time I made any changes, and that's just not ideal for many reasons, the main one being it relied on me actually remembering to do it. So I figured since I'm currently looking into automation and Ansible etc., why not try using APIs to back up my firewalls.

Configuring Dual-Homed FEX modules

Lately at work I've been testing dual-homed FEX connectivity in an Active/Standby configuration on the Nexus 9300 platform. Dual-Homed FEX are only supported on specific Nexus switch models and NX-OS versions etc and depending on the Nexus platform in various configuration types. There's a Cisco article on which topologies are supported on which platforms that can be found here.

A Quick Look at Ansible

In the modern age of networking or IT in general, if you've worked in the industry for more than 5 seconds you'll have heard the term software defined... fill in the blank, or network automation. They're the buzzwords of the era and everyone wants it even if they don't know what it actually means or does. Personally I've never been a fan of software defined or automated anything. I've always been a firm believer that when it comes to automation in networking, you auto-not use it.

Cisco Policy Based VPN with NAT

Recently I wrote an article on creating an IPSec Route Based VPN using a Cisco router and a Palo Alto firewall. Today I thought I would expand on the Cisco configuration a bit and run through a basic Policy Based VPN configuration. Personally I much prefer route based VPNs because of the flexibility of having an actual interface etc., but there are always times when a policy based VPN is required. This example is of a simple policy based VPN configuration between two Cisco routers.

Cisco ISE admin Password Recovery

The other day I went to log into my ISE server but the CLI admin password stopped working. Not sure exactly what happened though, because I was able to log in about 15 minutes before that with the same password for my admin account. So, not having any other way to log in, I needed to perform a password reset on the admin user and decided to write up this post. In order to reset the admin password for ISE, you will need to have a copy of the ISE iso file downloaded and access to a VMware ESX host or vCenter.

Configuring 802.1x Authorisation Profiles

If you've been following my posts on 802.1x, you may have noticed that I have been skipping over the authorisation profile stuff a bit and just configuring the policies with a very generic permit access. So I decided that that's what this post will touch on. There is a lot you can do with Cisco ISE in regards to authorisation profiles so I will only be covering some of the basics. 
