Author Topic: Enterprise Network Engineering - Questions?  (Read 6844 times)


Offline MaNiFeX

  • Thread Starter
  • Posts: 691
  • Location: Bellmawr, NJ
  • Wu Tang Killa Keebs
    • MaNiFeX.net
Enterprise Network Engineering - Questions?
« on: Fri, 06 November 2015, 10:51:04 »
Hi All,

I've been hanging on GH for a bit and want to get to know the community better.  I thought I'd offer up my 15+ years of skills to see if anyone has questions they'd like to ask a network engineer, from the mundane to the extravagant.  My experience is mainly in enterprise networking and security, but I have a general computer science background and experience in most of the Information Technology ecosystem.  I've worked in a variety of environments: SMBs, campuses, regional networks, and now national networks.  Topics I can speak to:

  • Enterprise Wireless Networking (802.11, captive portals, meshing, roaming, backhauling, etc.)
  • Enterprise Networking (Routing, Switching, Firewalls, VPN Tunneling, etc.)
  • Large Deployment Techniques
  • Vendor Specific Questions (especially with Cisco, FortiNet, HP, Aerohive, DHCP/DNS, Windows Server, etc.)
  • Hardware Specific Questions

Really excited to chat Networking!

MaNiFeX

Offline inanis

  • Truly Literally The Cloud
  • * Destiny Supporter
  • Posts: 790
  • Location: Dark Places
    • SEALWoodworking
Re: Enterprise Network Engineering - Questions?
« Reply #1 on: Fri, 06 November 2015, 11:09:20 »
I can't get my coworkers to understand the basics of a routing table, Windows or Linux. How do you go about explaining this to noobz? I tried to write up something simple for them, but we all know no one RTFM.

Example conversation:

Me: For every octet of IP you need a subsequent octet for the mask
Them: What's an octet

Halp!
Some hearts are gallows, I'm not here for hangin' around

Offline MaNiFeX

  • Thread Starter
  • Posts: 691
  • Location: Bellmawr, NJ
  • Wu Tang Killa Keebs
    • MaNiFeX.net
Re: Enterprise Network Engineering - Questions?
« Reply #2 on: Fri, 06 November 2015, 12:00:24 »
I can't get my coworkers to understand the basics of a routing table, Windows or Linux. How do you go about explaining this to noobz?

...

Halp!

OK, this is a fun one.  If you're speaking to a technical audience, I'd start with the idea that if you want a packet, frame, picture of their mom, or whatever to go from one place to another, a router needs to send it to the appropriate destination.  Routing tables are how that's decided by the router.  Now, let's just forget VLANs for a minute.  We're dealing with Layer 3 routing in this question; happy to speak more to VLAN/network pairing.  I'm also leaving binary out of this because I'm going to use basic masks, and that should at least illustrate why you need masks in a routing table.  For this example, I'm going to use the private networks for ease of explanation.

Company.com's IP/Network Scheme

INTARNET = 0.0.0.0/0.0.0.0
company.com General network = 10.0.0.0/255.0.0.0, 172.16.0.0, and 192.168.0.0
company.com Internal network = 10.0.0.0/255.0.0.0
company.com DMZ network = 192.168.1.0/255.255.252.0
company.com VPN network = 172.16.0.0/255.255.0.0
company.com Employee network = 10.2.0.0/255.255.0.0
company.com Wireless network = 192.168.10.0/255.255.252.0
company.com Server network = 10.1.1.0/255.255.255.0

router.company.com = 10.0.0.1
dns.company.com = 10.1.1.2
dhcp.company.com = 10.1.1.3
webserver.company.com = 10.1.1.25
company.com's Employee DHCP pool: 10.1.1.10-10.1.1.250

Often rules go from more specific to less specific, and I'm going to do my best to walk through this example without getting too into masks and how they operate, just that they are needed to define context for both the host (end user's computer) and the router so that packets can get where they need to.  Wrong mask, wrong sized network.  Note, a gateway lives on the router, but is a logical interface to route between networks. 

Here's a walkthrough of a packet finding the appropriate gateway to route to, more specific to less:

company.com routing table

Destination Network/Host   Network Mask       Gateway        Explanation
------------------------   ----------------   ------------   -----------
10.1.1.25                  255.255.255.255    10.1.1.1       Host-specific rule - note the mask, denotes only that IP.
10.1.1.0                   255.255.255.0      10.1.1.1       Network-specific rule - note the mask, denotes the whole 10.1.1.0 network.
192.168.1.0                255.255.252.0      192.168.1.1    Route to the DMZ - a network spanning 192.168.1.1 - 192.168.2.255.
192.168.10.0               255.255.252.0      192.168.10.1   Route to Wireless Network - same size as above.
172.16.0.0                 255.255.0.0        172.16.0.1     Route to the VPN network - 172.16.0.0-172.16.255.255 (very large).
10.0.0.0                   255.0.0.0          10.0.0.1       Route to the rest of the company's network - 10.0.0.0-10.255.255.255 (extremely large private network).
0.0.0.0                    0.0.0.0            24.15.240.1    Route to the rest of the internet, usually your ISP's gateway.

When a router is looking to send a packet somewhere, it needs to know the destination, the size of the network, and the next hop to get there.  Routing can be done both statically and dynamically, using multiple shortest path algorithms.  Most routing tables that encompass the global internet have reached about 512k routes in size.

Happy to answer more questions and comment on routing tables.  They are the way our networks work.

« Last Edit: Fri, 06 November 2015, 12:07:55 by MaNiFeX »
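The "more specific to less specific" walk above is longest-prefix matching: every route whose masked bits equal the destination's masked bits is a candidate, and the one with the longest mask wins. The script below is an added example, not MaNiFeX's code; it loads the seven rules from the post's table, performs that lookup, shows the full address span each mask really covers (the "wrong mask, wrong sized network" point), and flags routes that add nothing because the next less-specific route already points at the same gateway, which is the observation in reply #3 about rules 1 and 2. The function names and the destination addresses looked up at the bottom are my own constructed choices.

```python
"""Longest-prefix match over the fictional company.com routing table.

Added example, not the poster's code. The routes are the seven rules from the
table in the post above; the destination addresses used in main() are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def ip_to_int(dotted: str) -> int:
    """Convert a dotted-quad string to a 32-bit integer, rejecting bad octets."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | octet
    return value


def int_to_ip(value: int) -> str:
    """Inverse of ip_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_len(mask: str) -> int:
    """Number of leading one bits in a netmask; rejects non-contiguous masks."""
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask {mask!r}")
    return ones


@dataclass(frozen=True)
class Route:
    network: str
    mask: str
    gateway: str
    note: str


# The seven rules from the post, listed most specific first (order does not matter to lookup()).
ROUTES: List[Route] = [
    Route("10.1.1.25", "255.255.255.255", "10.1.1.1", "host-specific rule"),
    Route("10.1.1.0", "255.255.255.0", "10.1.1.1", "server network"),
    Route("192.168.1.0", "255.255.252.0", "192.168.1.1", "DMZ"),
    Route("192.168.10.0", "255.255.252.0", "192.168.10.1", "wireless"),
    Route("172.16.0.0", "255.255.0.0", "172.16.0.1", "VPN"),
    Route("10.0.0.0", "255.0.0.0", "10.0.0.1", "rest of company"),
    Route("0.0.0.0", "0.0.0.0", "24.15.240.1", "default: ISP gateway"),
]


def matches(route: Route, dest: str) -> bool:
    """The mask decides: a destination matches when its masked bits equal the route's."""
    m = ip_to_int(route.mask)
    return ip_to_int(dest) & m == ip_to_int(route.network) & m


def covered_range(route: Route) -> Tuple[str, str]:
    """First and last address the mask actually covers ("wrong mask, wrong sized network")."""
    m = ip_to_int(route.mask)
    first = ip_to_int(route.network) & m
    last = first | (~m & 0xFFFFFFFF)
    return int_to_ip(first), int_to_ip(last)


def lookup(dest: str, routes: List[Route] = ROUTES) -> Optional[Route]:
    """Return the matching route with the longest mask (most specific wins)."""
    best: Optional[Route] = None
    best_len = -1
    for route in routes:
        if matches(route, dest) and prefix_len(route.mask) > best_len:
            best, best_len = route, prefix_len(route.mask)
    return best


def redundant_routes(routes: List[Route] = ROUTES) -> List[Route]:
    """Routes whose traffic would reach the same gateway via the next less-specific route.

    Prefixes are either nested or disjoint, so the longest shorter-mask route that
    covers a route's network address governs every address that route would own.
    If it already points at the same gateway, the more specific entry adds nothing.
    """
    redundant = []
    for route in routes:
        plen = prefix_len(route.mask)
        parents = [r for r in routes
                   if prefix_len(r.mask) < plen and matches(r, route.network)]
        if parents:
            parent = max(parents, key=lambda r: prefix_len(r.mask))
            if parent.gateway == route.gateway:
                redundant.append(route)
    return redundant


if __name__ == "__main__":
    for dest in ("10.1.1.25", "10.1.1.30", "192.168.2.5", "8.8.8.8"):  # constructed
        route = lookup(dest)
        print(f"{dest:>13} -> via {route.gateway:<12} ({route.note})")
    for route in ROUTES:
        print(f"{route.network}/{route.mask} covers {covered_range(route)}")
    for route in redundant_routes():
        print(f"redundant: {route.network}/{route.mask} (same gateway as parent)")
```

Run it with `python3 routes.py`. Note that `covered_range` reports what the mask arithmetically spans (for the DMZ rule, 192.168.0.0 through 192.168.3.255), which is the kind of check worth running on a real table before a too-wide mask quietly swallows a neighbouring network.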

Offline MaNiFeX

  • Thread Starter
  • Posts: 691
  • Location: Bellmawr, NJ
  • Wu Tang Killa Keebs
    • MaNiFeX.net
Re: Enterprise Network Engineering - Questions?
« Reply #3 on: Fri, 06 November 2015, 19:14:56 »
I should also note this is a fictional example to illustrate how a routing table works. In this case, a lot of the rules (1 and 2) would result in one rule that encompasses both (#2). 

Offline jamster

  • Posts: 1091
  • Location: Asia
Re: Enterprise Network Engineering - Questions?
« Reply #4 on: Fri, 06 November 2015, 21:01:08 »
Here's a question at the other end of the networking spectrum:

For a home user, is there any compelling security reason to be running a dedicated firewall instead of one of those all in one router/switch/wifiAP devices?

This is assuming that the all in one doesn't have insecure 'cloud' or remote access functions enabled, and is running firmware not straight from the manufacturer (dd-wrt/tomato/merlin, etc).

Second question: What's your opinion of Cisco vs Juniper router performance at the medium/large enterprise level?

Offline MaNiFeX

  • Thread Starter
  • Posts: 691
  • Location: Bellmawr, NJ
  • Wu Tang Killa Keebs
    • MaNiFeX.net
Re: Enterprise Network Engineering - Questions?
« Reply #5 on: Tue, 10 November 2015, 11:49:35 »
Here's a question at the other end of the networking spectrum:

For a home user, is there any compelling security reason to be running a dedicated firewall instead of one of those all in one router/switch/wifiAP devices?

This is assuming that the all in one doesn't have insecure 'cloud' or remote access functions enabled, and is running firmware not straight from the manufacturer (dd-wrt/tomato/merlin, etc).

Second question: What's your opinion of Cisco vs Juniper router performance at the medium/large enterprise level?

Great questions, jamster!

I'm going to start with the easy one.  Juniper vs. Cisco.  They both live/play in the same market, but got their start in different ways.  Cisco is and always has been a large enterprise routing and switching company aiming for the business market.  Juniper started as a carrier-grade routing and switching solution, mostly used at the provider level (ISP, Telco, and peering backbone providers).  They have gotten more popular in the 'smaller' enterprise market like large businesses, universities, hospitals, and government. 

The real difference between the two, and what influences most people's decisions, is their OS.  Cisco has CatOS, IOS, ASA/PIX, and NX-OS.  Juniper has JunOS.  They both run their flavor of OS on multiple platforms (routers, switches, firewalls, APs, etc.), but they stem from completely different places.  JunOS is a linux-based management OS that manages all the routing/switching ASICs (chips) and network backplane.  Cisco OSes are highly specific to their hardware.  Their most recent OS, NX-OS, is a linux-flavored OS that mimics the same design as a Juniper - Linux-based OS managing other processes/chips.

They are both big players in the market and both have their pros and cons.  Cisco: expensive, well supported world-wide, can get parts in 4 hours anywhere.  Juniper - more affordable, highly programmable, more difficult to find engineers that know their stuff, will support with 4 hour replacement as well.


Numero Dos!  Home routing and switching. Thank you for asking, my brother and I just went through this with his setup.

DISCLAIMER: I've long since given up custom router configurations at home because I do that at work all day every day.  Actually, at home, I run all Macs, have an Airport Extreme and an AppleTV with all my **** loaded into iTunes. Stupid easy, but configurable.  I know, despite knowing Linux for almost two decades and managing a national fleet of wireless routers, I still use Apple products at home.  Why?  They work, they're usually pretty secure, my two young daughters can hack away without issue, and I never. have. to. touch. them.

Now, on with the answer:  The short answer is: No, only very specific reasons to have a dedicated firewall.  Remember, usable security is a balance of security and usability.  If you are security minded, there are many solutions to a home network. What you outlined will give complete control over your home network.  I used to run a Linksys WRT54G and it was the titties. Pretty good security: white listing, port forwarding, etc.  The linksys firmware was good, but I could load any firmware I wanted on it.  That being said, you might be spending your time in a network-centric OS command line hand-editing firewall rules. 

If you really want to get into security, I'd suggest running a dedicated linux firewall in front of your router (pfSense or iptables).  As long as there are two ethernet ports, you are good to go.  Could be a fun project for a tiny x86 computer, even an old one.  You'll learn linux, how to run httpd, mysql, and all sorts of fun stuff.  Steep learning curve for the less technically experienced.

Another option for 'deep' security is a very usable, stable, full featured platform: FortiNet firewalls.  They are great for SMB and home 'heavy' firewalls.  They are very full featured and I've deployed them at over 300 locations nation-wide.  Buy-in for these puppies is about $500, but you get a full-featured web-ui (static routing, advanced routing, VPN, firewall, wireless controller, security controls, host-based security/management, real-time security updates, etc.)  They even sell video security and wireless APs...  great company.

I hope that answered your questions!  Happy to answer more.  Not often I get to chat networking.  ;)

Offline jamster

  • Posts: 1091
  • Location: Asia
Re: Enterprise Network Engineering - Questions?
« Reply #6 on: Fri, 27 November 2015, 12:36:46 »
Huh, I should have put this thread on my notify list, sorry about missing your reply weeks ago!

I'll have to re-read your post as it's some silly hour in the morning here, but I did at least finally get around to setting up pfsense yesterday :)

Offline MaNiFeX

  • Thread Starter
  • Posts: 691
  • Location: Bellmawr, NJ
  • Wu Tang Killa Keebs
    • MaNiFeX.net
Re: Enterprise Network Engineering - Questions?
« Reply #7 on: Mon, 30 November 2015, 17:53:06 »
Huh, I should have put this thread on my notify list, sorry about missing your reply weeks ago!

I'll have to re-read your post as it's some silly hour in the morning here, but I did at least finally get around to setting up pfsense yesterday :)

Woot!  Let me know if you need anything!

Offline Parak

  • Posts: 532
Re: Enterprise Network Engineering - Questions?
« Reply #8 on: Mon, 30 November 2015, 18:08:34 »
If you really want to get into security, I'd suggest running a dedicated linux firewall in front of your router (pfSense or iptables).  As long as there are two ethernet ports, you are good to go.  Could be a fun project for a tiny x86 computer, even an old one.  You'll learn linux, how to run httpd, mysql, and all sorts of fun stuff.  Steep learning curve for the less-technical experienced. 

pfsense is fantastic. I run it on a vmware box, and it quite happily routes, firewalls, and vpns my internetwebs at up to a full gig. Very user friendly too. I can vpn in from my phone and connect to an irc daemon (also on vmware) for some IRC on the go, for example :D

Offline jamster

  • Posts: 1091
  • Location: Asia
Re: Enterprise Network Engineering - Questions?
« Reply #9 on: Mon, 30 November 2015, 20:02:22 »
pfsense was dead simple to get working with my home environment (whereas Sophos UTM was a bit of a pain). In fact, it was so simple that now I've got to try to figure out what to do with it next as otherwise it will just become a set and forget device vs something I can play with.

@Manifex: Yeah, what you wrote gelled with long ago explanations of the origins of Cisco and Juniper. The networking guys at work use both, but seem to have a slightly higher regard for Juniper as 'serious' networking equipment when comparing similar levels of router/firewall gear.

Offline Steezus

  • Keeper of Facts
  • * Elevated Elder
  • Posts: 2497
Re: Enterprise Network Engineering - Questions?
« Reply #10 on: Mon, 30 November 2015, 23:11:52 »
If you don't mind me asking, what was your major? I'm going to PSU for Computer Engineering where I could end up doing networking; I even got offered an internship for it two summers from now.
TGR-Jane CE | TGR-Tris CE | Lyn Montage | LZ PhysiX | Exclusive e8.5

Offline Altis

  • Posts: 974
  • Location: Canada
Re: Enterprise Network Engineering - Questions?
« Reply #11 on: Mon, 30 November 2015, 23:15:28 »
That's a really kind offer, MaNiFeX.

You wouldn't happen to have a new keyboard and looking for some extra typing?  ;D
WhiteFox (Gateron Brown) -- Realforce 87U 45g -- Realforce 104UG (Hi Pro 45g) -- Realforce 108US 30g JIS -- HHKB Pro 2 -- IBM Model M ('90) -- IBM Model M SSK ('87) -- NMB RT-101 & RT-8255C+ (Hi-Tek Space Invaders) -- Chicony KB-5181 (Monterey Blue Alps) -- KPT-102 (KPT Alps) -- KUL ES-87 (62/65g Purple Zealios) -- CM QFR (MX Red) -- Apple Aluminum BT -- Realforce 23u Numpad -- Logitech K740 -- QSENN DT-35 -- Zenith Z-150 (Green Alps)

Offline Happylomo

  • Posts: 80
  • Location: Downunder
Re: Enterprise Network Engineering - Questions?
« Reply #12 on: Thu, 10 December 2015, 19:31:53 »
Hey Manifex, I'm thinking to major in networking for my computer science degree. Is there anything that I need to prepare beforehand? Programming language, readings, etc.? Thanks man

Offline Nalor

  • Posts: 9
Re: Enterprise Network Engineering - Questions?
« Reply #13 on: Sun, 13 December 2015, 21:30:09 »
Just a quick note about JunOS from Juniper. It is actually forked from FreeBSD, and Juniper has engineers who work with the FreeBSD kernel. So if you go in expecting Linux, you might run into some differences.

Offline fknraiden

  • Posts: 496
  • Location: Portland, OR
Re: Enterprise Network Engineering - Questions?
« Reply #14 on: Sun, 13 December 2015, 21:37:17 »
I just saw this title and immediately thought you'd dig the thread. Then saw it was yours  :p

IBM SSK 87'     ReAlForce 55g Silent 10AE

Offline tp4tissue

  • * Destiny Supporter
  • Posts: 13560
  • Location: Official Geekhack Public Defender..
  • OmniExpert of: Rice, Top-Ramen, Ergodox, n Females
Re: Enterprise Network Engineering - Questions?
« Reply #15 on: Mon, 14 December 2015, 09:28:55 »
I think the most pressing question for most of us here, is how to stop the NSA from knowing when we're watching the pr0nohub.

Offline SamirD

  • * Esteemed Elder
  • Posts: 1508
  • Location: HSV and SFO
  • on Buckling Springs since '88
    • http://www.huntsvillecarscene.com
Re: Enterprise Network Engineering - Questions?
« Reply #16 on: Fri, 01 January 2016, 11:51:37 »
So here's a tough problem that seems to be more commonplace now--bypassing country specific IP address restrictions.

My wife's parents are in India, but when visiting there, my wife can't watch her shows because Netflix and Hulu are blocked based on the local IP.  I have several IPsec site-to-sites in the US that I tunnel in from there for work, and I know I can always use that as a way around.

So what I'm trying to design is a dirt cheap, super simple way of getting the parents' television (which isn't smart) to tunnel into my network (different vlan and all that) and then get its stream from the US.  The reason I want to do this vs a VPN provider is to save cost.  Only a one-time investment for the solution this way as opposed to monthly/yearly fees otherwise.

Will love to hear your thoughts!

Offline MaNiFeX

  • Thread Starter
  • Posts: 691
  • Location: Bellmawr, NJ
  • Wu Tang Killa Keebs
    • MaNiFeX.net
Re: Enterprise Network Engineering - Questions?
« Reply #17 on: Thu, 08 March 2018, 12:24:44 »
So here's a tough problem that seems to be more commonplace now--bypassing country specific IP address restrictions.

My wife's parents are in India, but when visiting there, my wife can't watch her shows because Netflix and Hulu are blocked based on the local IP.  I have several IPsec site-to-sites in the US that I tunnel in from there for work, and I know I can always use that as a way around.

So what I'm trying to design is a dirt cheap, super simple way of getting the parents' television (which isn't smart) to tunnel into my network (different vlan and all that) and then get its stream from the US.  The reason I want to do this vs a VPN provider is to save cost.  Only a one-time investment for the solution this way as opposed to monthly/yearly fees otherwise.

Will love to hear your thoughts!

Hey, sorry to reply late!  I hadn't checked my watched threads recently.  What does your home network have for a router?  Many can host VPN services, so you could just VPN back to your home network.  Another possibility, if you have a PC at home that stays on all the time, is to do a remote desktop connection back there and watch the show via that computer.

The issue here will be latency, which depending on the service, can be a problem, especially with audio/video streaming.  Netflix is pretty good at that though.

Let me know if you want some help on that, despite my late reply.

MaNiFeX

Offline SamirD

  • * Esteemed Elder
  • Posts: 1508
  • Location: HSV and SFO
  • on Buckling Springs since '88
    • http://www.huntsvillecarscene.com
Re: Enterprise Network Engineering - Questions?
« Reply #18 on: Thu, 08 March 2018, 14:08:01 »
Thank you for the reply!

Things have changed a lot since my post.  My father-in-law passed away last year, the Roku over there broke, and the Internet access was changed, so there's actually no need anymore for a solution.

My wife still travels there on work, but usually doesn't have time to watch anything.