Thanks Ants posted: Are any of the ~*microsegmentation*~ things that vendors offer worth a drat? If someone buys a load of Aruba gear and plans to run ClearPass, how much pain are they going to have?

Hasn't microsegmentation been superseded by zero-trust? That's the latest hotness as I understand it, running NGFWs and devices with endpoint clients that communicate info to the firewall which determines policy. My employer has started doing it internally with Fortinet (FortiGate firewalls and FortiClient EMS), one of the first policies they set up was to block access to the internal ERP system from any client running Hyper-V (No I don't know why lol).
# Sep 25, 2023 17:24
Pile Of Garbage posted: Hasn't microsegmentation been superseded by zero-trust? That's the latest hotness as I understand it, running NGFWs and devices with endpoint clients that communicate info to the firewall which determines policy. My employer has started doing it internally with Fortinet (FortiGate firewalls and FortiClient EMS), one of the first policies they set up was to block access to the internal ERP system from any client running Hyper-V (No I don't know why lol).

You need both zero trust access and micro-segmentation. Your users are granted access to resources specifically by policy, and the infrastructure they're accessing needs to be segmented so that each thing can only talk to the things it needs to talk to.
Ah yeah good point!
Pile Of Garbage posted: That poo poo sounds insane. Also a good use-case for FortiGates with VDOMs if you're doing multi-tenant stuff like that. Also seconding using Ansible for network management, we've had some big wins with it specifically for automating mass management cut-over and firmware upgrades.

We do have an ACI environment that we use to host like, 20 or so of our customers, and that works pretty well, but I don’t know exactly why we only use it for some customers. It’s kinda hard to explain, but my division used to be two separate companies that made nearly identical products, both of them were acquired and form our division. Both product suites are still sold and maintained, and have totally separate environments and data centers. Anyways, the environment for the other product does this segmentation using Fortinet VDOMs and a multi-context ASA for the hosted environment, and it works fantastically with no risk of maxing out lol. Managing the ACLs isn’t actually that bad. We do use Ansible for some things, but mostly for things like setting up new VLANs for a new customer, upgrades and poo poo like that. The guy on our team who was building it out left the company before I joined, so I’m gonna take the opportunity to get some experience with automation and beef up what we can use it for.

Tetramin fucked around with this message at 20:24 on Sep 1, 2023
ClearPass as RADIUS for auth templates is fine and works well at the edge. Supposedly it will connect with FortiManager to push rules or tags for role based policy into their firewalls to control access dynamically between groups. I’m not positive what the intended architecture is though. Is that like, PVLAN or group based VLAN access so still somewhat horizontal between same role users? Or is it like VXLAN with tags, user role policy based rules that are address agnostic? Aruba also offers dynamic tunneling for users from their edge, akin to how they do so through access points with wired ports. You can backhaul the user to a controller/gateway appliance and drop them on the appropriate network there, if you want that sort of thing.
I'm doing some network studying for the hell of it and I'm curious... Has there been widespread adoption of TRILL or SPB in enterprises? The last I heard of those two technologies was that vendors were charging an arm and a leg for the feature. I figured if that were the case then admins would throw up their hands and say RSTP is good enough, or maybe the "advent" of leaf-spine and L3 to the TOR made the technology obsolete.
As far as I know TRILL may underpin some vendor solution but it did not see much adoption and is out of favor, VXLAN EVPN being the new hotness.
It's much cleaner to do a layer 2 overlay on top of a layer 3 routed network than it is to try to route layer 2. Also you can do it from the edges and don't have to upgrade all the switches.
Partycat posted: As far as I know TRILL may underpin some vendor solution but it did not see much adoption and is out of favor, VXLAN EVPN being the new hotness.

SamDabbers posted: It's much cleaner to do a layer 2 overlay on top of a layer 3 routed network than it is to try to route layer 2. Also you can do it from the edges and don't have to upgrade all the switches.

Yeah VXLAN is what you want. TRILL was a very short lived thing that never caught on. VXLAN is great because you can get pretty much all of the benefits of splitting out horrible L2 failure domains with a good config when you replace your core and distribution switches. It's better the closer you get to the edge, but it doesn't have to get all the way there. I have a ton of industrial networking that still lives on old IOS flavored industrial switching that goes across the VXLAN infrastructure. Just trunk it to a leaf, slap some anycast gateways on there and you're set.