Lab: Configure IS-IS on Point-to-Point Links
From a very high-level perspective, OSPF and IS-IS are quite similar. Both were created in the Stone Age of networking, and both differentiate between multi-access LAN segments and point-to-point serial interfaces. Unfortunately, that approach no longer works in the Ethernet Everywhere world where most of the point-to-point links look like LAN segments, so we always have to change the default settings to make an IGP work better.
That’s what you’ll do in today’s lab exercise, which also explains the behind-the-scenes differences between point-to-point and multi-access links and the intricate world of three-way handshake.
ADCS Cert Templates for ISE Lab
In my ISE lab I’m going to be using EAP-TLS and TEAP, which means I’ll be needing user and computer certificates. The goal is to be able to enable the 802.1X supplicant via GPO and to distribute certificates automatically without requiring any user input. Another post will cover GPO, in this post I’ll cover creating the certificate templates in ADCS.
When opening the CA app, there are a number of templates provided by default:
There are already templates for User and Computer, but it’s better to leave the default templates alone and create new ones. First, we’ll create a template for user certificates. Start by right clicking Certificate Templates and selecting Manage:
Then we’re going to right click the User template and select Duplicate Template:
This is going to open up a new window with properties of the template:
Go to General and give the template a name:
Don’t select the Do not automatically reenroll option or it won’t be possible to renew certs before they expire.
Then go to Request Handling. We’re going to uncheck the Allow private key to be exported option as this is considered more secure:
Make sure Enroll subject without requiring any Continue reading
NOG.HR: A NOG Meeting Worth Attending
I never know what to expect when I’m invited to speak at a regional (or in-country) Network Operator Group (NOG) meeting. Sometimes, it turns out to be a large conference (PLNOG and ITNOG come to mind); other times, it’s just a few people gathered around free donuts and coffee1. Last week’s Croatian NOG (NOG.HR) meeting was in the Goldilocks zone between the extremes: plenty of interested networking engineers, but not large enough to be overpowering.
Also, it was such a nice experience ;)
The IPv6 Transition
I wrote an article in May 2022, asking “Are we there yet?” about the transition to IPv6. At the time I concluded the article on an optimistic note, observing that we may not be ending the transition just yet, but we are closing in. I thought at the time that we won’t reach the end of this transition to IPv6 with a bang, but with a whimper. A couple of years later, I’d like to revise these conclusions with some different thoughts about where we are heading and why.Global Protect VPN SAML SSO with Entra-ID
In this blog post, we will look at how to use Entra-ID SAML SSO with GlobalProtect VPN. This guide assumes you are already familiar with GlobalProtect VPN and have an existing VPN solution with other forms of authentication. If you are new to GlobalProtect VPN, feel free to check out my other blog post, which is linked below.
Palo Alto Global Protect VPN Configuration Example
In this blog post, we will cover how to configure Palo Alto Global Protect VPN. We’ll go through setting up the portal, gateway, authentication profile, IP pools, split-tunnel, security policy, NAT policy and other necessary components.
Suresh Vina
Adding GlobalProtect to the Admin Centre
- Sign in to the Microsoft Entra admin centre and navigate to Identity > Applications > Enterprise applications > New application.
- Add the Palo Alto Networks - GlobalProtect application.
- Once added, select Palo Alto Networks - GlobalProtect > Single sign-on.
On the Set up single sign-on with SAML page, click the pencil icon in the Basic SAML Configuration section to edit the settings.
💡
In the Basic SAML Configuration section, for the Entity ID and Reply URL, ensure that you include
:443 after the URL, otherwise, it won't work. I Continue readingHedge 247: SONiC and other NOSs
SONiC has been around for a while–is there a solid commercial play for this open-source operating system? If so, what is it? What is the future for open-source and other network operating systems? Mike Bushong joins Tom Ammon, Eyvonne Sharp, and Russ White to discuss SONiC and open source network operating systems.
download
HN754: Secure AI by Design with Palo Alto Networks (Sponsored)
AI is finding its way into more and more consumer and business applications. In particular, the widespread use of Generative AI raises a serious question: how secure is it? In this sponsored Heavy Networking episode we discuss security risks of AI tools and ways to mitigate those risks. Our guest is guest Rich Campagna, Senior... Read more »TNO006: Network Operations is Where It’s At
Join Mike Bushong, an industry expert, and host Scott Robohn as they talk about why Network Operations is the next big thing and why you should start with the end in mind for NetOps. Their proposal is that NetOps shouldn’t just get a seat at the table; they should get 51% of the vote. They... Read more »Arista-20 Years of Growth and Innovation
Today marks the 20th anniversary of Arista!
Over that time, our company has grown from nothing to #1 in Data Center Ethernet, a highly profitable $100+ billion S&P 500 company doing $6+ billion in annual revenue.
Public Videos: PCI DSS for Networking Engineers
Michele Chubirka (currently at Google) kindly allowed me to make her PCI DSS for Networking Engineers webinar public (available without registration or login).
The webinar covers an older version of PCI DSS (version 3.0; the current version is 4.0.1), but as fundamentals never change, you might still find it useful.
Global Protect Internal Host Detection & Internal Gateways – Lessons Learnt
I already had Palo Alto GlobalProtect VPN configured with an external gateway and portal, allowing me to connect back to my home network when I'm outside. Even when I'm inside my internal network, I can still connect to the VPN. However, I wanted to use the Internal Host Detection feature of GlobalProtect VPN, so that if I'm on my internal network and try to connect, it won't connect to the external gateway. Throughout the configurations, I learned a few lessons. Let’s dive in.
If you're completely new to GlobalProtect VPN, please check out my introductory blog post linked below.
Palo Alto Global Protect VPN Configuration Example
In this blog post, we will cover how to configure Palo Alto Global Protect VPN. We’ll go through setting up the portal, gateway, authentication profile, IP pools, split-tunnel, security policy, NAT policy and other necessary components.
Suresh Vina
Please note that this setup was tested on PAN-OS 10.2.9-h1 and the GlobalProtect macOS client version 6.2.4.
What is Internal Host Detection?
If you're already in your office or internal network, there's no need to connect to the VPN, what’s the point, right? This is especially relevant if you're using an Continue reading
Building a Simple HTTP Source for Firewall EDL
Recently, I wanted to add a list of domains to the Palo Alto DNS policy to block them from resolving. However, I soon realized that I couldn't just add a list of domains directly to the firewall, I needed to use an External Dynamic List (EDL). Palo Alto and I believe other firewalls as well, require a simple HTTP URL that hosts a list of domains or IP addresses. While there are amazing EDL projects available, in this blog post, we'll explore the simplest way to deploy an EDL.
Python HTTP Server
Python's HTTP server module lets you create a basic web server using just a single command. This server can serve files from a directory over the network, making it an excellent tool for quick testing and file sharing without the complexity of setting up a full-fledged web server.
All you need to do is create a list of domains, save it as a text file, and run python -m http.server 8085 from the directory where the file is saved. You can use any port, but remember that a lower number of ports like 80 require admin privileges. Once the server is running, navigate to http://IP_ADDRESS:8085/domains.txt in Continue reading
IPB162: IPv6 Basics: Address Provisioning
IPv6 address provisioning is the topic of this latest installment of the IPv6 Basics series. The hosts focus on Stateless Address Auto Configuration (SLAAC) and Dynamic Host Configuration Protocol for IPv6 (DHCPv6). The differences between SLAAC and DHCPv6 are explained, including their use cases, the complexities of address management, and the importance of understanding... Read more »The story of web framework Hono, from the creator of Hono
Hono is a fast, lightweight web framework that runs anywhere JavaScript does, built with Web Standards. Of course, it runs on Cloudflare Workers.
It was three years ago, in December 2021. At that time, I wanted to create applications for Cloudflare Workers, but the code became verbose without using a framework, and couldn't find a framework that suited my needs. Itty-router was very nice but too simple. Worktop and Sunder did the same things I wanted to do, but their APIs weren't quite to my liking. I was also interested in creating a router — a program that determines which action is executed based on the HTTP method and URL path of the Request — made of a Trie tree structure because it’s fast. So, I started building a web framework with a Trie tree-based router.
“While trying to create my applications, I ended up creating my framework for them.” — a classic example of yak shaving. However, Hono is now used by many developers, including Cloudflare, which uses Hono in core products. So, this journey into the depths of yak shaving was ultimately meaningful.
Hono truly runs anywhere — not just on Cloudflare Continue reading
Comparing IP and CLNP: Finding Adjacent Nodes
Now that we know a bit more about addresses in a networking stack (read the whole series) and why CLNP uses node addresses while TCP/IP uses interface addresses, let’s see how they solve common addressing problems like finding adjacent nodes.
Let’s start with the elephant in the room: how do you know whether you can reach a host you want to communicate with directly? In the following diagram, how does A know whether B is sitting next to it?
Adding ADCS Role to ISE Lab Domain Controller
This post describes how to install Active Directory Certificate Services (ADCS) onto a domain controller. It’s for labbing purposes which means I’m going to run this all on a single server instead of a more realistic setup with offline root, issuing CA, and possibly intermediate CA. Don’t use this post for anything designed to go into production!
To add the ADCS role. Go to Server Manager, click Add roles and features. Click Next until you get to Server Roles. Select Active Directory Certificate Series:
Click Add Features. Click Next. Click Next. Then a warning is displayed that it’s not possible to change the computer name or domain settings:
Click Next. Select Certification Authority and Certification Authority Web Enrollment:
Selecting Certification Authority Web Enrollment will install IIS and a small web site will be built to provide certificate services.
Click Add Features. Click Next. Click Next. Select Restart the destination server automatically if required:
Click Install. The installation starts:
When the installation has finished, click Close. Click AD CS in Server Manager. Click More… where it says Configuration required for Active Directory Certificate Services:
Click Configure Active Directory Certificate Services on the destination server:
Select an Continue reading