Author Archives: Suresh Vinasiththamby

By design, iBGP requires a full mesh of peerings between all BGP routers in an autonomous system. Prefixes learned from an iBGP peer are not advertised to another iBGP peer. This rule exists to prevent routing loops inside the autonomous system, and it is also the main reason why a full mesh is required: every router has to hear each prefix directly from the router that imported it into the AS. As the number of routers grows, maintaining this full mesh becomes complex and resource-heavy; n routers need n(n-1)/2 iBGP sessions.
BGP confederations are one way to solve the scaling problems created by the iBGP full-mesh requirement. Another common approach is using Route Reflectors. BGP confederations break up a large autonomous system into smaller sub-autonomous systems (sub-ASs), reducing the number of iBGP peerings required.

Routers within the same sub-AS still need a full iBGP mesh, but each mesh is now much smaller. Sessions between sub-ASs use eBGP, so peers outside the local sub-AS are treated as external. These intra-confederation eBGP sessions differ from ordinary eBGP in one important way: they preserve iBGP attributes such as LOCAL_PREF, MED and NEXT_HOP across the sub-AS boundary, which is what lets the confederation behave like a single AS internally.
The confederation AS appears whole to other Continue reading

Let’s assume a simple scenario. You have two different teams managing your FortiGate firewalls. One team is made up of network administrators who need full access to the firewalls. The other team only needs limited access and should not be able to make any configuration changes.
A common way to handle this is by using administrator profiles together with a remote RADIUS server. The RADIUS server returns an attribute that selects the admin profile for whoever is logging in, so you do not need to create local users on every firewall. In this post, we will look at how to achieve this using Cisco ISE and RADIUS. You do not have to use Cisco ISE; any RADIUS server can do the job, but this post focuses on Cisco ISE since it is commonly used in enterprise environments.

For this example, we will have two users, each belonging to a different group with different access requirements. In most environments, group membership is managed by something like Active Directory. For the sake of simplicity, I am going to use local identity groups on Continue reading

Let’s assume a simple scenario. You have two different teams managing your Arista devices. One team is made up of network administrators who need full access to the devices. The other team only needs limited access and should not be able to make any configuration changes.
A common way to handle this is by using role-based access with RADIUS. The RADIUS server returns the role (or privilege level) for whoever is logging in, so you do not need to create local users on every device. In this post, we will look at how to achieve this using Cisco ISE and RADIUS. You do not have to use Cisco ISE; any RADIUS server can do the job, but this post focuses on Cisco ISE since it is commonly used in enterprise environments.

For this example, we will have two users, each belonging to a different group with different access requirements.

What if I told you that all it takes to build a simple BGP lab with two eBGP peers (or even a hundred, for that matter) is a single YAML file? No need to add nodes on a GUI, connect links, or configure interface IPs manually. You just define the lab in a YAML file as shown below, and in about two minutes, you’ll have two routers of your choice fully configured with BGP and an established eBGP session.
provider: clab
defaults.device: eos
defaults.devices.eos.clab.image: ceos:4.34.2

addressing:
  mgmt:
    ipv4: 192.168.200.0/24

nodes:
  - name: r1
    module: [ bgp ]
  - name: r2
    module: [ bgp ]

bgp:
  as_list:
    100:
      members: [ r1 ]
    200:
      members: [ r2 ]

links:
  - r1-r2

r1#show ip bgp summary
BGP summary information for VRF default
Router identifier 10.0.0.1, local AS number 100
Neighbor Status Codes: m - Under maintenance
  Description  Neighbor  V  AS   MsgRcvd  MsgSent  InQ  OutQ  Up/Down   State  PfxRcd  PfxAcc  PfxAdv
  r2           10.1.0.2  4  200        5        5    0     0  00:00:15  Estab       1       1       1

r2#show ip bgp summary
BGP summary information for VRF default
Router identifier 10.0.0.2, Continue reading

"Can you suggest some specs for a server for my network labs?" is probably the question I get asked the most. People reach out all the time asking for recommendations. The thing is, I never really know their exact situation or what they’re trying to do in their lab. So, I usually just share what I have and what worked best for me, and let them decide what fits their setup.
In this post, I’ll go over the cheapest way to build your own network lab without spending too much.

You don’t need expensive hardware to build a solid network lab. A used mini PC with decent specs is more than enough to run tools like Proxmox, Continue reading

Netpicker brings together configuration backups, security and compliance checks, and automation in one place. It supports over 150 network vendors, including Cisco, Juniper, Arista, Palo Alto, Fortinet and many more. It also integrates well with other tools like NetBox, Nautobot, and Infrahub for inventory management, and Slurp’it for network discovery. All of these features, including backups, integrations, and automation, are available in the free version. The paid version adds features such as RBAC, approvals, detailed logging, support, and workflows for teams that need more control.
In our previous introductory post, we looked at what Netpicker is, how to set it up, and how it can back up configurations across multiple vendors. In this post, we'll focus on Netpicker Automation and how to use the Netpicker plugin with NetBox, so let's get to it.
Netpicker has partnered with me for this post, and they also support my blog as a sponsor.
This post assumes you already have functioning Netpicker and NetBox instances. If you're completely new to Netpicker, check out the introductory post first, where we covered the basics like installation and initial setup. For this example, we’re using NetBox Community version 4.3. Continue reading

If you follow my blog, you probably know that I’m a big advocate for using Containerlab and Netlab to spin up network labs. I’ve already covered both tools in detail, so I won’t go over the basics again here. You can check the links below if you’re new to them or want a quick refresher. In this post, we’ll look at how to take packet captures in Containerlab labs. So, let’s get started.


I know everyone has their own way of running Containerlab, so I thought I’d share how I set up and run my labs. My daily driver is a MacBook, but I run Containerlab on a server that’s set up as Continue reading

Let’s assume a simple scenario. You have two different teams managing your Palo Alto firewalls. One team is made up of network administrators who need full access to the firewalls. The other team only needs limited access and should not be able to make any configuration changes.
A common way to handle this is by using Admin Roles together with a remote RADIUS server. The RADIUS server returns an attribute that names the admin role for whoever is logging in, so you do not need to create local users on every firewall. In this post, we will look at how to achieve this using Cisco ISE and RADIUS. You do not have to use Cisco ISE; any RADIUS server can do the job, but this post focuses on Cisco ISE since it is commonly used in enterprise environments.

For this example, we will have two users, each belonging to a different group with different access requirements. In most environments, group membership is managed by something like Active Directory. For the sake of simplicity, Continue reading