Cross-tower Communication

deanwebb · February 28, 2017, 08:42:54 AM

My NAC project is having some fun detours, now that we're going into production. The process goes like this:

1. NAC project requests changes to switches.
2. Changes are implemented.
3. LAN group makes sweeping changes to standardize code on switches.
4. Changes made for NAC are wiped out.
5. NAC project has a sad.

Both my project and the LAN team must do a better job of communication for all this stuff to work properly... Hang on...

OH SNAP THE WLAN GUYS MADE SWEEPING CHANGES TO THE WLCs BRB GOTTA FIX RADIUS

icecream-guy · February 28, 2017, 10:54:44 AM

Here the engineering team is ready to roll out 802.1x, we've configured 1 switch and 1 host, for testing, now they are ready to roll out production 802.1x for the workstation refresh, They asked me to create a RFC for CCB review. They've been doing most of the heavy lifting and I asked them to write the implementation and test plan, they have not yet, and I think they want me to drive this project into production without knowing what exactly they are doing or how they are doing it, I have no idea what the plan is (other than to configure a few ports as workstations get refreshed) to even write the plan (maybe that's the plan). I just logged into ISE for the first time yesterday. (gotta get that on the resume now that I have hands on experience).

deanwebb · February 28, 2017, 11:11:41 AM

You need to draw the line and have a come to Jesus meeting where everyone gets a level-set on the same page... and, uh... synergies.

But, seriously, communication is going to be very important, especially when something breaks.

that1guy15 · February 28, 2017, 12:04:36 PM

This is one of my bigger arguments on why we need to start using version control and repositories for network configuration. Its basically code and just like developers and server guys we have multiple teams and groups who work with and modify this code all the time. This is how they control stepping on each others toes.

I've seen security teams have similar stuff in place for firewall rules since they are changed almost daily but yet none of us network guys really grasp this concept.

We already do config backups to a central repository and utillze this for auditing and monitoring changes. We just need to add the other half and have that same repo push changes out.

I understand though. We are moving along, its just gonna take us a while. We also have some serious hurdles with this one too.

wintermute000 · February 28, 2017, 03:08:20 PM

In enterprise the skills just aren't there in-house and there is often a lot of push back. Not that git is rocket science.

It's frustrating and needs cultural change / political will.

icecream-guy · February 28, 2017, 04:06:44 PM

Quote from: that1guy15 on February 28, 2017, 12:04:36 PM
This is one of my bigger arguments on why we need to start using version control and repositories for network configuration. Its basically code and just like developers and server guys we have multiple teams and groups who work with and modify this code all the time. This is how they control stepping on each others toes.

I've seen security teams have similar stuff in place for firewall rules since they are changed almost daily but yet none of us network guys really grasp this concept.

We already do config backups to a central repository and utillze this for auditing and monitoring changes. We just need to add the other half and have that same repo push changes out.

I understand though. We are moving along, its just gonna take us a while. We also have some serious hurdles with this one too.

We ran like 42 different images and configurations, we tried standardizing on images, and configs, drummed it down to about 10, then we determined differences exist in where in the network these devices reside, wan, core, distro, access, assigned some arbitrary numbers to valuate the possibility of compromise via outside threats, inside threats, vulnerabilities, config variants (i.e. Don't care about trapping bgp events in the access later, etc) and we went back up to like 32 different images and configurations.

that1guy15 · February 28, 2017, 04:49:43 PM

sure its an absolute nightmare doing this. thats why no one has a good tool for it on the market. Cisco is the absolute worst about device specific config and such. And everything is tied directly to hardware. Arista did this right. Single image and config across all platforms.

Im really excited to see the growth of NETCONF in the networking realm as it makes big strides in simplifying config mgmt for us.

yes this is a large shift in mindset for us but its needed and will make everyone's life much much easier.

mlan · February 28, 2017, 05:15:37 PM

Quote from: that1guy15 on February 28, 2017, 04:49:43 PM
Arista did this right. Single image and config across all platforms.

Heaven.