|
|
Pages: 1 2 3 [4] 5 6 ... 10
31
« Last post by clemish on February 04, 2022, 06:08:25 AM »
So, for an SDA Small Deployment, a collapsed design (due to limited hardware) whereby configuring BGP and sub-interfaces on the Firewall peering with the Dist/Core switch (SW1) would be the preferred deployment, understood. Alternatively, in an Enterprise design, I would anticipate the preferred design be to replace the BC1 "router" with a stackable or HA pair of L3 switches port-channeled to the Core/Dist pair/stack of switches (SW1) to ensure high-availability and h/w fault tolerance (replace Loopbacks with SVIs). In other words, we would inject another HA layer in order to perform BGP peering to separate the VRF/VNs between the new layer and the SW1(Dist/Core) pair of switches (/30 VRF subnets in your design). Would this be the appropriate design for SDA Medium/Large deployments?
32
If the network is not big (<25 nodes), you can make the Core/Dist switch a Border/Control Plane and the FW a fusion router. Cisco considers this a small deployment. If you need to scale, you would want to insert a separate Border/Control Plane between the Core/Dist and FW, and make the Core/Dist device a pure underlay. Edge device would never do BGP unless it is Fabric-in-a-Box.
33
If a customer has Edge(Access) switches, then Core/Distribution switches, then Firewall that egresses to the Internet, which device is the standard topology would be considered the ULAY1 device and BC1 router. For inter-VRF & External Connection communications, we need to configure BGP on what I would assume would be the Core/Distribution switch(SW1) with BC1. Do we need to add a router (BC1) in between their Core Switch (SW1) and their Edge nodes (E1) - I would be concerned about injecting another layer of failure (we would need HA devices). We need to design the network to add BGP Peering (SW1/BC1) and the edge nodes wouldn't be doing that, unless you extend L3 switching down to the edge and put BGP on the E1 nodes? Alternatively, we would need to add another layer to the topology so we can have 2 BGP routing peers to VRF the various VNs. Could you help me understand the best practice for the design?
34
« Last post by MC on October 31, 2021, 09:40:53 PM »
Hi Aris, Assuming you have two 9500, you should be able to remove one and add a 9600. Keep in mind the IP for transit /30 VLAN to fusion router may change unless the latest version of DNAC allows you to specify it somehow so be prepared to update config on the fusion device, both interface IP and BGP. Once you get one 9600 running, repeat the same step on the other 9500. The other option is to add the 9600 as stackwise virtual and follow same process. If you find a better approach, please share experience and feedback.
35
« Last post by aris on October 05, 2021, 10:47:05 PM »
Hello all,
I was wondering how difficult is to migrate a 9500 border node to a 9600 when the SDA fabric is up and running. Can they run in parallel and once the physical connections are moved to the new switch the old one can be decommitted.
Thank you.
36
You can certainly use RADIUS probe only for profiling by not enabling SNMP poll or configure IP helper but ISE may not have enough information to accurately identify the device. Enabling device-sensor will collect CDP/DHCP info unless a filter is configured. Here is more info You are not allowed to view links.
Register or Login
37
I am trying to build a Cat3850 as a device sensor and want to use radius only with ISE to both profile and authenticate... is this possible. I don't want CDP, add my ISE through ip helper or enable SNMP... Can ISE be configured without this additional means. I am in a high security area and don't want this integration between the NAD and the ISE
38
« Last post by MC on January 10, 2021, 03:25:08 PM »
Depending on is rules condition is available, you might be able to allow limited AD access when this happens so user can only change password, otherwise, user may need to change password using other OOB method.
39
« Last post by MC on January 10, 2021, 03:22:18 PM »
I am not aware of any limitation and can't see why it wouldn't work. FTD in the cluster should collaborate multicast forwarding although there may be differences depending if you do L2 or L3 load distribution between FTD in cluster.
40
« Last post by samyasa on January 06, 2021, 02:51:30 AM »
Hi
what is the mose that you are using in the switch port (closed mode , Open Mode )?
Pages: 1 2 3 [4] 5 6 ... 10
|
Recent Posts