Palo Alto LACP HA Passive configuration

This post will go through configuring a Palo Alto firewall HA pair using LACP and enabling the HA Passive State to speed up failover.

I was looking into the failover process on Palo Alto firewalls when configured in an active/standby configuration with ports in LACP mode. While testing some failover procedures, I found that without enabling specific LACP failover settings there was noticeable packet loss while LACP negotiated on the standby PA.


Manually update Palo Alto Firewall PanOS

Recently I managed to pick up a PA-220 second hand for my lab, and while I know it's old, it's still a great little firewall. I've got it up and running and it works well. Yes, committing changes can be quite slow, but for what I'm using it for that's not a big deal. I may try and get a Lab license if I can, but really, it's just for me to play around with, so we'll have to see how that actually goes.


Sending ISE Radius logs for Palo Alto User-ID

If you've read my recent posts, you'll know that I have a PA-220 firewall in my home lab now and have set up wired and wireless 802.1x authentication in my home network using Cisco ISE. I've now decided that I'd like to make use of the PA User-ID feature in my home network to allow only authenticated users access to specific resources on the network. To do this, I'm going to use the Cisco ISE Radius Accounting logs to send the user information to the firewall and create rules based on username instead of source IP.


Cisco Virtual Stackwise with Catalyst 9k switches

Recently I've been tasked with replacing some old switch stacks at work with some new shiny Catalyst 9500 switches, and started looking into how to stack these switches, as they no longer support stacking modules. At first this seemed odd to me, given that the backplane for Stackwise was around 160Gbps for the Catalyst 3600/3800 series switches from memory, but it seems Cisco have decided to move to a Virtual Stackwise feature which uses the SFP/SFP+/QSFP ports on the switch instead of the dedicated stacking ports at the back.


Configuring Wireless 802.1x with Cisco ISE

I previously went through how to deploy wired 802.1x authentication using EAP-TLS and Cisco ISE. In this post, I'm going to utilise Cisco ISE to do wireless 802.1x EAP-TLS authentication for my home network. For this lab I will be using a Cisco 1100 series router running Cisco Mobility Express and a Cisco 3802 AP that is connected to the ME WLC. Below is a quick overview of the lab topology for this post.


Build your own PKI Server

In this post, I'm going to walk you through setting up your own PKI (Public Key Infrastructure) servers, which will include both a Root CA and an Intermediate CA. For this build, I've deployed 2 CentOS Stream 9 VMs. Both are a very small build with a single vCPU, 2GB of RAM and a 20GB HDD, because all these machines are going to do is issue certificates. The reason I created two is that once I've signed the ICA certificate with my Root CA, I'm going to disable the network on the Root CA so that it's not reachable, in order to keep it secure. So let's get started.


Configuring Wired 802.1x using Cisco ISE

I've been playing around a lot lately with 802.1x on my home network and have successfully managed to get it set up and working with FreeRADIUS, using the standard FreeRADIUS CA certificates for both wireless and wired, and it works great. I'll post a blog article in the future on how to set it up using FreeRADIUS, but for this post, I'm going to use Cisco ISE. Now that I have a second micro PC with 64GB of RAM in it, I have enough compute to deploy a small Cisco ISE server.
