I had to upgrade some Nexus switches at work recently so thought I'd write a post showing the process as it's a bit different to a normal Cisco IOS or even IOS-XE device. In saying that, if you're using install mode on IOS-XE it's not that different. To learn how to use install mode, see my post here. As with any IOS upgrade, first thing you'll want to do is download your NX-OS version and copy it to the switch. I've used FTP for this process but you can use a USB, TFTP, or SCP to transfer the image file as well. 

Recently I decided to deploy a second ISE node in my home lab and run them in a Primary/Secondary configuration. Once i''d configured the secondary node and added it to the deployment, I decided to promote it to the primary (Mostly because the trial license on my Primary ISE node was about to run out) and found that there were some issues once I'd failed over. I actually ended up having to reboot both nodes a couple of times just to get the deployment and all ISE process to start running correctly. Anyway, back to my blog post.

We all know how to upgrade the IOS on a Cisco device right? Download the .bin file, copy it to the device flash, and configure it to boot using the new file. Easy, and IOS-XE is no different. You can still upgrade the IOS-XE version by using whats now reffered to as bundled install mode. This is basically a new way of saying you download the .bin file, copy it to the device and tell it to boot using the new IOS-XE image. IOS-XE however also allows you to use install mode for your IOS-XE installation.

I've been playing around with route based IPSec VPN's lately and decided to write up a post on how to configure an IPSec VPN Tunnel between a Cisco router and a Palo Alto firewall. This will also work between two Cisco Routers or two PA firewalls but i only have one of each in my home lab so that's what i'm using. I'll be doing this lab using the following topology. R1 is a Cisco 860 series router and the firewall is a PA-220. While the Cisco 860 is a really old router, the commands for configuring the IPSec tunnels are identical on current routers.

For a while now i've been having these rather strange connectivity issues at home where occasionally I wouldn't be able to access some websites, but others would work and it wasn't all devices at the same time either. It was very random. I had a look at my PA and couldn't see anything that stood out at first as to what may be causing the issues. This had been going on randomly over a couple of weeks and the issue would come and go within 5 minutes so I only had a short window of time to investigate while the issue was happening.

I've been playing around with Kali Linux lately and trying some of the basic tools for pen testing. Not for anything in particular other than my own curiosity and several times i found that when I connected to the VM Console or attempted to VNC to the server, I would enter my credentials and it would appear to login, but then simply present me the login screen again. No matter how many times i tried, I was not able to actually log in to the server.

When I started my home lab I wanted to make sure that I had real SSL certificates that are signed by a trusted authority. I ended up going with letsencrypt and setup certbot to maintain the certificates and it was working well and auto-renew was working without a problem. I'd done some software updates on my server and noticed that the certbot logs were showing that they were unable to verify the certificates. I ran a manual test of the renew using the command certbot renew --dry-run and kepy getting the below error. 

This is the 3rd and final part of this series on building your own VXLAN Lab using ESXi and the Cisco Nexus Virtual switches. 

• Part 1: VMWare and Virtual Switch Configuration
• Part 2: Underlay and VXLAN Configuration

This post will go through the creation of the VRF's for the Prod and PPD VM's and also configuring the Layer 3 VNI's for each VRF and establishing connectivity between hosts and the external network. 

If you've followed Part 1, you should now have your virtual switches configured, and be able to ping between the Spine switch, the Border Gateway switch, and Leaf Switches. Now it's time to start configuring the underlay routing and then VXLAN itself. 

This is going to be a multi part post on building your own VXLAN lab environment using ESXi and the Nexus 9k Virtual switches. This will be a very simple and small VXLAN Lab with 2 Leaf Switches, 1 Spine switch and a Border Gateway switch, but it will be enough to enable you to get your head around how VXLAN/BGP EVPN works and the benefits of it. 

This post will go through configuring a Palo Alto firewall HA pair using LACP and enabling HA Passive State to speed up failover.  

I was looking into the fail over process on Palo Alto firewalls when configured in and active/standby configuration and having ports in LACP mode and was testing some failover procedures and found that without enabling specific LACP fail over settings there was noticeable packet loss while LACP negotiated on the standby PA. 

Recently I managed to pick up a PA-220 second hand for my lab and while i know it's old, it's still a great little firewall. I've got it up and running and it works well. Yes commiting changes can be quite slow, but for what i'm using it for that's not a big deal. I may try and get a Lab license if I can but really, it's just for me to play around with so will have to see how that actually goes. 

If you've read my recent posts, you'll know that I have a PA-220 firewall in my home lab now and have setup wired and wireless 802.1x authentication in my home network using Cisco ISE. I've now decided that I'd like to make use of the PA User-ID feature in my home network to allow only authenticated users access to specific resources on the network. To do this, I'm going to use the Cisco ISE Radius Accounting logs to send the user information to the firewall and create rules based on username instead of source IP.

I've been playing around with some BGP configuration lately and have come across advertise maps before but never really looked into them. A BGP advertise map is basically a way of telling the router, if this route exists or does not exist, then advertise these routes. 

Recently I've been tasked with replacing some old switch stacks at work with some new shiny Catalyst 9500 switches and started looking into how to Stack these switches as they no longer support stacking modules which at first seemed odd to me given that the backplane for Stackwise was like 160Gbps for the Cataylst 3600/3800 series switches from memory but it seems Cisco have decided to move to a Virtual Stackwise feature which uses the SFP/SFP+/QSFP ports on the switch instead of the dedicated Stacking Ports at the back.