Pile Of Garbage
May 28, 2007



Thanks Ants posted:

Are any of the ~*microsegmentation*~ things that vendors offer worth a drat? If someone buys a load of Aruba gear and plans to run ClearPass, how much pain are they going to have?

Hasn't microsegmentation been superseded by zero-trust? That's the latest hotness as I understand it, running NGFWs and devices with endpoint clients that communicate info to the firewall which determines policy. My employer has started doing it internally with Fortinet (FortiGate firewalls and FortiClient EMS), one of the first policies they setup was to block access to the internal ERP system from any client running Hyper-V (No I don't know why lol).

Nuclearmonkee
Jun 10, 2009


Pile Of Garbage posted:

Hasn't microsegmentation been superseded by zero-trust? That's the latest hotness as I understand it, running NGFWs and devices with endpoint clients that communicate info to the firewall which determines policy. My employer has started doing it internally with Fortinet (FortiGate firewalls and FortiClient EMS), one of the first policies they setup was to block access to the internal ERP system from any client running Hyper-V (No I don't know why lol).

You need both zero trust access and micro-segmentation. Your users are granted access to resources specifically by policy, and the infrastructure they're accessing needs to segmented so that each thing can only talk to the things it needs to talk to.

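The point above, that a zero-trust access policy has to sit on top of segmented infrastructure, is easiest to see as a default-deny allow-list checked against what actually flows. The following is an added illustration, not code from the thread or from any vendor: the role tags, addresses, ports and flow records are all constructed. It flags flows that no rule covers and computes the transitive reach of each role, which is the blast radius a compromised host in that role would have.

```python
"""Microsegmentation check: does every observed flow match an explicit allow rule?

Added illustration for the zero-trust plus segmentation point above; not code
from the thread or from any vendor. Roles, addresses and flow records are
constructed for the example.
"""
from dataclasses import dataclass

# Constructed inventory: IP -> role tag. On a real NGFW this is what a dynamic
# address object or an endpoint-client tag would provide.
WORKLOADS = {
    "10.10.1.10": "web",
    "10.10.1.11": "web",
    "10.10.2.20": "erp-app",
    "10.10.3.30": "erp-db",
    "10.10.9.50": "hypervisor",
    "10.20.0.5": "user-endpoint",
}


@dataclass(frozen=True)
class Rule:
    src_role: str
    dst_role: str
    proto: str
    dport: int


# Allow-list between roles. Anything not listed is denied, so the policy also
# documents the only paths an attacker who lands on one role can take.
POLICY = [
    Rule("user-endpoint", "web", "tcp", 443),
    Rule("web", "erp-app", "tcp", 8443),
    Rule("erp-app", "erp-db", "tcp", 5432),
]

# Constructed flow records as (src, dst, proto, dport), the shape a NetFlow or
# firewall log export would give them.
FLOWS = [
    ("10.20.0.5", "10.10.1.10", "tcp", 443),
    ("10.10.1.10", "10.10.2.20", "tcp", 8443),
    ("10.10.2.20", "10.10.3.30", "tcp", 5432),
    ("10.10.1.11", "10.10.3.30", "tcp", 5432),  # web tier talking straight to the DB
    ("10.10.9.50", "10.10.2.20", "tcp", 8443),  # hypervisor reaching the ERP app
    ("10.99.0.1", "10.10.2.20", "tcp", 8443),   # host with no inventory entry
]


def role_of(ip):
    """Unknown hosts get a role that no rule names, so they fall through to deny."""
    return WORKLOADS.get(ip, "unknown")


def permitted(flow, policy=POLICY):
    src, dst, proto, dport = flow
    s, d = role_of(src), role_of(dst)
    return any(
        r.src_role == s and r.dst_role == d and r.proto == proto and r.dport == dport
        for r in policy
    )


def violations(flows, policy=POLICY):
    """Flows that no allow rule covers: either a policy gap or lateral movement."""
    return [f for f in flows if not permitted(f, policy)]


def reachable_roles(start_role, policy=POLICY):
    """Transitive closure over the allow rules: the blast radius of one compromised role."""
    seen, frontier = set(), [start_role]
    while frontier:
        role = frontier.pop()
        for r in policy:
            if r.src_role == role and r.dst_role not in seen:
                seen.add(r.dst_role)
                frontier.append(r.dst_role)
    return seen


def flat_network_reach(workloads=WORKLOADS):
    """For comparison: on one flat /24 with no policy, every role reaches every other."""
    return set(workloads.values())


if __name__ == "__main__":
    for f in violations(FLOWS):
        print("DENY", f, role_of(f[0]), "->", role_of(f[1]))
    print("hypervisor can reach:", reachable_roles("hypervisor") or "nothing")
    print("user-endpoint can reach:", sorted(reachable_roles("user-endpoint")))
```

Run against the constructed flows, the web-to-DB, hypervisor-to-ERP and unknown-host flows come back as denies, and the hypervisor role reaches nothing at all, whereas on the flat network it reaches every role. Running the check in monitor mode first, before enforcing, is how you find the undocumented dependencies that otherwise turn a segmentation rollout into an outage.
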
Pile Of Garbage
May 28, 2007



Ah yeah good point!

Tetramin
Apr 1, 2006

I'ma buck you up.

Pile Of Garbage posted:

That poo poo sounds insane. Also a good use-case for FortiGates with VDOMs if you're doing multi-tenant stuff like that. Also seconding using Ansible for network management, we've had some big wins with it specifically for automating mass management cut-over and firmware upgrades.

On the opposite end of the spectrum over a decade ago I came into a multi-tenant "private cloud" environment where all the customer servers were on the same loving /24. One of the first things I did there was setup separate VLANs lol

We do have an ACI environment that we use to host like, 20 or so of our customers, and that works pretty well, but I don't know exactly why we only use it for some customers.

It's kinda hard to explain, but my division used to be two separate companies that made nearly identical products, both of them were acquired and form our division. Both product suites are still sold and maintained, and have totally separate environments and data centers.

Anyways, the environment for the other product does this segmentation using Fortinet VDOMs and a multi context ASA for the hosted environment, and it works fantastically with no risk of maxing out lol.

Managing the ACLs isn't actually that bad. We do use Ansible for some things, but mostly for things like setting up new VLANs for a new customer, upgrades and poo poo like that.

The guy on our team who was building it out left the company before I joined, so I'm gonna take the opportunity to get some experience with automation and beef up what we can use it for.

Tetramin fucked around with this message at 20:24 on Sep 1, 2023

Partycat
Oct 25, 2004

ClearPass as RADIUS for auth templates is fine and works well at the edge. Supposedly it will connect with FortiManager to push rules or tags for role based policy into their firewalls to control access dynamically between groups.

I'm not positive what the intended architecture is though. Is that like, PVLAN or group based VLAN access so still somewhat horizontal between same role users? Or is it like VXLAN with tags, user role policy based rules that are address agnostic?

Aruba also offers dynamic tunneling for users from their edge, akin to how they do so through access points with wired ports. You can backhaul the user to a controller/gateway appliance and drop them on the appropriate network there, if you want that sort of thing.

funk_mata
Nov 1, 2005

I'm hot for you and you're hot for me--ooka dooka dicka dee.
Clapping Larry
I'm doing some network studying for the hell of it and I'm curious... Has there been widespread adoption of TRILL or SPB in enterprises? The last I heard of those two technologies was that vendors were charging an arm and a leg for the feature. I figured if that were the case then admins would throw up their hands and say RSTP is good enough, or maybe the "advent" of leaf-spine and L3 to the TOR made the technology obsolete.

Partycat
Oct 25, 2004

As far as I know TRILL may underpin some vendor solution but it did not see much adoption and is out of favor, VXLAN EVPN being the new hotness.

SamDabbers
May 26, 2003



It's much cleaner to do a layer 2 overlay on top of a layer 3 routed network than it is to try to route layer 2. Also you can do it from the edges and don't have to upgrade all the switches.

Nuclearmonkee
Jun 10, 2009


Partycat posted:

As far as I know TRILL may underpin some vendor solution but it did not see much adoption and is out of favor, VXLAN EVPN being the new hotness.

SamDabbers posted:

It's much cleaner to do a layer 2 overlay on top of a layer 3 routed network than it is to try to route layer 2. Also you can do it from the edges and don't have to upgrade all the switches.

Yeah VXLAN is what you want. TRILL was a very short lived thing that never caught on. VXLAN is great because you can get pretty much all of the benefits of splitting out horrible L2 failure domains with a good config when you replace your core and distribution switches. It's better the closer you get to the edge, but it doesn't have to get all the way there. I have a ton of industrial networking that still lives on old IOS flavored industrial switching that goes across the VXLAN infrastructure. Just trunk it to a leaf, slap some anycast gateways on there and you're set.

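The "layer 2 overlay on a routed layer 3 network" that the last few posts describe is concrete in the VXLAN packet format itself: the whole Ethernet frame rides as the payload of a UDP datagram, and the only thing the encapsulating header adds is a 24-bit VNI. Below is an added example, not code from the thread or from any vendor, that packs and parses that header per RFC 7348 and models the per-VNI MAC learning a VTEP does, so you can see why a MAC in one VNI is invisible to another. The VNIs, MAC addresses and VTEP address in it are constructed.

```python
"""VXLAN: a layer 2 frame carried as UDP payload over a routed layer 3 underlay.

Added illustration for the TRILL vs VXLAN discussion above; not code from the
thread or any vendor. The MACs, VNIs and VTEP addresses are constructed. The
header layout follows RFC 7348: 8 bytes of flags, 3 reserved, 24-bit VNI, 1 reserved.
"""
import struct

VXLAN_UDP_PORT = 4789                 # IANA-assigned VXLAN port
FLAG_VNI_VALID = 0x08                 # the "I" flag; must be set on every VXLAN packet
VXLAN_HDR = struct.Struct("!B3xI")    # flags, 3 reserved bytes, (VNI << 8) | reserved
ETH_HDR = struct.Struct("!6s6sH")     # dst MAC, src MAC, EtherType


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def vxlan_encap(vni, inner_frame):
    """Prefix an Ethernet frame with a VXLAN header; the result is the UDP payload."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return VXLAN_HDR.pack(FLAG_VNI_VALID, vni << 8) + inner_frame


def is_vxlan(payload):
    """Cheap sanity check: long enough for both headers and the I flag is set."""
    return len(payload) >= VXLAN_HDR.size + ETH_HDR.size and bool(payload[0] & FLAG_VNI_VALID)


def vxlan_decap(payload):
    """Parse the VXLAN header and the inner Ethernet header; return the fields."""
    if len(payload) < VXLAN_HDR.size + ETH_HDR.size:
        raise ValueError("payload too short for VXLAN + Ethernet headers")
    flags, vni_field = VXLAN_HDR.unpack_from(payload, 0)
    if not flags & FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set; not a VXLAN packet")
    dst, src, ethertype = ETH_HDR.unpack_from(payload, VXLAN_HDR.size)
    return {
        "vni": vni_field >> 8,            # low 8 bits are reserved and ignored on receipt
        "dst_mac": mac_str(dst),
        "src_mac": mac_str(src),
        "ethertype": ethertype,
        "inner_payload": payload[VXLAN_HDR.size + ETH_HDR.size:],
    }


class Vtep:
    """Per-VNI MAC learning. The same MAC in two VNIs is two unrelated entries:
    the VNI is the L2 domain boundary, and the routed underlay never sees inside it."""

    def __init__(self):
        self.fdb = {}   # (vni, mac) -> remote VTEP address

    def learn(self, remote_vtep, payload):
        fields = vxlan_decap(payload)
        self.fdb[(fields["vni"], fields["src_mac"])] = remote_vtep
        return fields

    def lookup(self, vni, mac):
        return self.fdb.get((vni, mac))


# Constructed inner frame: broadcast ARP request from a locally administered MAC,
# with a 28-byte placeholder ARP body.
INNER_ARP = ETH_HDR.pack(bytes.fromhex("ffffffffffff"),
                         bytes.fromhex("02aa00000001"), 0x0806) + bytes(28)


if __name__ == "__main__":
    vtep = Vtep()
    pkt = vxlan_encap(10010, INNER_ARP)
    f = vtep.learn("192.0.2.1", pkt)
    print(f["vni"], f["src_mac"], "->", f["dst_mac"], hex(f["ethertype"]))
    print("same MAC, other VNI:", vtep.lookup(10020, f["src_mac"]))
```

Everything the underlay routes on is outside this payload (outer IP and UDP), which is why only the VTEPs, at the leaves or wherever you terminate the tunnel, need to understand VXLAN and the spine stays plain L3. An old IOS switch trunked into a leaf, as in the post above, just sees a VLAN; the leaf maps that VLAN to a VNI and the anycast gateway for the subnet lives on every leaf.
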