Messages

And that's what I was thinking and kind of felt was the way to go.  I just needed to voice it out.  Thanks deanwebb!!

Do you have any preferences for endpoint security?  Have you used either Carbon Black or Cylance?

We have a Meraki MX100 running w/ Advanced Security licensing.  This licensing has AMP/anti-malware protection and Anti-virus/anti-phishing.  I was thinking to also add endpoint protection for users, an actual client install.  Do you guys think this is excessive?  Since I have protection at the edge, the endpoint piece isn't needed?

I came across Carbon Black and Cylance, and was impressed with the way they handle threats and monitoring.  I figured if I had the budget, might as well use it and get even better protection.

Why not just VPN the workspaces VPC back to your office?

So I actually did that as I need to get AD servers up and running up in the cloud.  The virtual workspaces reside now in that VPC with a VPN connection back to the office, so now to add security I would utilize Cisco DUO for 2FA.  But the users that require VPN access from home, will need to hit the ASA for CAVPN. 

@wintermute000 are you working with AWS or Azure these days?  Or any other cloud project?

Spill the beans Dean!!! I'm dying to know! ClearPass maybe?

The plan was to have users connect to AWS virtual workspaces, utilizing Cisco DUO for 2FA.  AnyConnect would be installed on the AWS workspace, that would establish the VPN connection to the office.  I was thinking to do yet another 2FA method prior to AnyConnect connecting.

But using AWS workspaces eliminates the unknown configured computers, well in a way because they still have to use there computer.  But this is a little more of a controlled method.

I'm thinking to throw in PacketFence in the mix.

@ristau ISE is a beast, but when you tame it and get it under control it's an epic creature of the network.  A few issues with RSA, with policy nodes losing connectivity and you need TAC to login as admin to fix it.  Hopefully fixed after ver 2.3 patch 3 which we are running now.

We do already have an MX, but as deanwebb brought to light, the CVE list for Win10 VPN is quite long.  Going down the AnyConnect method seems like it would be a safer path.  Cisco AnyClient also integrates with AMP and Umbrella services that we also have, so I thought this was a great plus. And it also boasts for better network visibility, which I myself need to research more what that exactly means.

This is exactly why I came here.  You guys always give me good insight and help.

If I may ask, what are you guys running in your environments?

I'm using Meraki in my environment, so this is why I'm looking at the ASAv for CAVPN.  No AnyConnect support with the MX.   

I had a feeling I was going to get an answer like that, but it's deserved.  So my hutch was on the right track.

Cisco AnyConnect it is!!!

In terms of security, is it better to go with AnyConnect than just using the built in Windows 10 VPN?  A colleague was saying it doesn't matter, but I kind of feel like it does matter.  Or is using AnyConnect just more of a standard.

I did not wait 50 seconds, maybe about 10 to 15 seconds.  That makes sense now.

I haven't played with STP in a long time, almost never needed I pretty much forgot about it.  That did it Simon it was the STP not configured correctly.  What I did was change stp type on switch 2 to rapid-pvst and match my other switch.  These are only two switches in scenario so to answer your question, no other switch defined with lower priorities for the VLANs. 
I made the spanning tree for the vlan 4096 on the main switch and when i plugged in the 2nd switch the network no longer went down like before.

I want to better understand what happened here.  So we had a mismatch in STP type between switches and we then didn't have priority set, so switches were fighting for priority?  Am I correct in this assessment? Thank you for pointing me in right direction Simon.  Ristau I thank you to you too for your help.

Sure thing Simon. Here we go

Code Select Expand


version 15.0
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname SWITCH-875
!
boot-start-marker
boot-end-marker
!
no logging console

!
no aaa new-model
system mtu routing 1500
!
!
!
!
crypto pki trustpoint TP-self-signed-100042752
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-100042752
revocation-check none
rsakeypair TP-self-signed-100042752
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1 priority 24576
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet0/1
switchport trunk native vlan 30
switchport trunk allowed vlan 20,30,40
switchport mode trunk
!
!
!
interface Vlan1
no ip address
no ip route-cache
!
interface Vlan20
description Prod Wireless
ip address 192.168.20.3 255.255.255.0
no ip route-cache
!
interface Vlan30
description Prod LAN
ip address 192.168.1.100 255.255.255.0
no ip route-cache
!
interface Vlan40
description Prod AP network
ip address 192.168.40.2 255.255.255.0
no ip route-cache
!
!
ip http server
ip http secure-server
!
!
no vstack
!
line con 0
speed 115200
line vty 0 4
password 7
login
line vty 5 15
password 7
no login
!
end


The second switch

Code Select Expand


version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Access-SW
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
system mtu routing 1500
vtp mode transparent
!
!
crypto pki trustpoint TP-self-signed-1516367232
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1516367232
revocation-check none
rsakeypair TP-self-signed-1516367232
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 20,30,40
!
!
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 30
switchport trunk allowed vlan 20,30,40
switchport mode trunk
!
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
!
interface Vlan20
ip address 192.168.20.4 255.255.255.0
no ip route-cache
no ip mroute-cache
!
interface Vlan40
ip address 192.168.40.3 255.255.255.0
no ip route-cache
no ip mroute-cache
!
ip classless
ip http server
ip http secure-server
!
!
line con 0
logging synchronous
speed 115200
line vty 0 4
login
line vty 5 15
login
!
end


Is that correct how I have my SVI's setup?

The VLANs are active but no ports assigned to them.  But I thought since they are part of a trunk they won't show like that, only when they are access ports.  I might have mixed that up, I just remember reading something about that in my studies.

I configured SVI's on both switches.  Originally I only had SVIs on my 2960 which is my main switch. I also confirm they are not "no shut"

Yes I have.  The VLANs exist on both switches too.