SlideShare a Scribd company logo

Best Current Operational Practices - Dos, Don’ts and lessons learned

Maximilan Wilhelm, profile picture
Maximilan Wilhelm

The document outlines best practices for operational network management, emphasizing documentation, automation, and security measures. It highlights the importance of using managed switches, segmenting networks, and avoiding reliance on vendor features. Additionally, it discusses security concerns related to Cisco's smart install function and the use of best common practices for routing and filtering.

Internet
1 of 16
Downloaded 12 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Best Current Operational Practices FrOScon 13 Network Track Falk Stern, Maximilian Wilhelm 1 / 16
Agenda 1. Who are we? 2. Do 3. Don't 2 / 16
Who's who Falk Stern Full Stack Infrastructure Engineer IPv6 fanboy Runs his own Kubernetes cluster in his basement Consultant @ Profi Engineering Systems AG Contact @wrf42 falk@fourecks.de 3 / 16
Who's who Maximilian Wilhelm Networker OpenSource Hacker Fanboy of (Debian) Linux ifupdown2 Occupation: By day: Senior Infrastructure Architect, Uni Paderborn By night: Infrastructure Archmage, Freifunk Hochstift In between: Freelance Solution Architect for hire Contact @BarbarossaTM max@sdn.clinic 4 / 16
Document your stu 5 / 16
Document your stu Netbox Racktables i-doit Visio / Excel 6 / 16
Have Infrastructure Logserver Graylog NTP service Logging is useless if every device has a different time Monitor Icinga 2 LibreNMS (editor's choice!) Configuration Management oxidized rancid Have DNS (forward and reverse) Maintain it!!1elf! 7 / 16
Ansible Salt Chef Puppet Automate, automate, automate 8 / 16
Use managed switches They are worth the extra cost Enable Spanning Tree Known to save asses more than once Use redundant paths Always keep a spare device handy Layer 2 pitfalls 9 / 16
Layer 2 pitfalls Enable VTP transparent mode Disable Dynamic Trunking Protocol Always use LACP active mode Always use LACP, not PagP or static Etherchannels 10 / 16
Segment your network Build small Layer 3 islands Route where you can, switch where you must Routers gonna route, only Jeff bridges familiarize with dynamic routing protocols 11 / 16
Get to know Linux flexible, versatile OS for everything Use it for infrastructure tasks 12 / 16
Don't rely on vendor features 13 / 16
Security Disable proxy arp Hosts should have only a single upstream interface Review your firewall rules regularly Have some Use source code management for configurations 14 / 16
Security - Live at Network Track ¯(ツ)/¯ Sehr geehrte Damen und Herren, Cisco Smart Install (SMI) ist eine Funktion zur automatischen Konfiguration von Netzwerk-Switches. Diese wurde zur Verwendung in lokalen Netzwerken entwickelt und sollte nicht aus unsicheren Netzen wie dem Internet zugreifbar sein. [...] CERT-Bund hat von einer externen Quelle Informationen zu IP-Adressen in Deutschland erhalten, auf denen ein Cisco-Gerät mit aktiver Smart-Install-Funktion offen aus dem Internet erreichbar ist. Cisco empfiehlt, die Smart-Install-Funktion zu deaktivieren. [...] Betroffene Systeme in Ihrem Netzbereich: "asn","ip","timestamp" "39225","194.107.207.35","2018-08-24 12:08:43" "39225","194.107.207.37","2018-08-24 12:19:03" Mit freundlichen Grüßen das Team CERT-Bund Bundesamt für Sicherheit in der Informationstechnik (BSI) Referat CK22 - CERT-Bund Godesberger Allee 185-189, 53175 Bonn, Germany 15 / 16
Being part of the DFZ Use BCP38 (Ingress filtering) Use filters on your BGP sessions Maximum Prefixes IRR filters RSPL filters Filter Bogon Prefixes Use communities Customer / Peering / Transit / IXP ... 16 / 16

More Related Content

PDF
Overlays & IP-Fabrics - viele Wege führen nach Rom und warum Layer2 keine Lös...
Maximilan Wilhelm
 
PDF
Building your own CGN boxes with Linux
Maximilan Wilhelm
 
PDF
Anycast all the things
Maximilan Wilhelm
 
PDF
Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...
Maximilan Wilhelm
 
PDF
Dynamische Routingprotokolle Aufzucht und Pflege - OSPF
Maximilan Wilhelm
 
PDF
Contemporary network configuration for linux - ifupdown-ng
Maximilan Wilhelm
 
PDF
IPv6 im Jahre 2018
Maximilan Wilhelm
 
PDF
Dynamische Routingprotokolle Aufzucht und Pflege - BGP
Maximilan Wilhelm
 
Overlays & IP-Fabrics - viele Wege führen nach Rom und warum Layer2 keine Lös...
Maximilan Wilhelm
 
Building your own CGN boxes with Linux
Maximilan Wilhelm
 
Anycast all the things
Maximilan Wilhelm
 
Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...
Maximilan Wilhelm
 
Dynamische Routingprotokolle Aufzucht und Pflege - OSPF
Maximilan Wilhelm
 
Contemporary network configuration for linux - ifupdown-ng
Maximilan Wilhelm
 
IPv6 im Jahre 2018
Maximilan Wilhelm
 
Dynamische Routingprotokolle Aufzucht und Pflege - BGP
Maximilan Wilhelm
 

What's hot (20)

PDF
Intent driven, fully automated deployment of anycasted load balancers with ha...
Maximilan Wilhelm
 
PDF
L2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-Netzwerkstack
Maximilan Wilhelm
 
PDF
Netzwerkgrundlagen - Von Ethernet bis IP
Maximilan Wilhelm
 
PDF
Angewandte Netzwerkgrundlagen reloaded - von Layer 1 bis 3
Maximilan Wilhelm
 
PDF
Contemporary Linux Networking
Maximilan Wilhelm
 
PDF
Building your own sdn with debian linux salt stack and python
Maximilan Wilhelm
 
PPT
6.Routing
phanleson
 
PPTX
Operationalizing VRF in the Data Center
Cumulus Networks
 
PDF
AS201701 - Building an Internet backbone with pure 1he servers and Linux
Maximilan Wilhelm
 
PDF
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
Thomas Graf
 
PDF
LinuxCon 2015 Linux Kernel Networking Walkthrough
Thomas Graf
 
PDF
Xpress path vxlan_bgp_evpn_appricot2019-v2_
Jide Akintola JNCIE-M&T/SP #496 CCIE-SP#28552
 
PDF
Cilium - API-aware Networking and Security for Containers based on BPF
Thomas Graf
 
PDF
Linux Kernel Status Report for IEEE 802.15.4 & 6LoWPAN
Samsung Open Source Group
 
PDF
DevConf 2014 Kernel Networking Walkthrough
Thomas Graf
 
PDF
OpenNebulaConf2018 - Scalable L2 overlay networks with routed VXLAN / BGP EVP...
OpenNebula Project
 
PDF
Networking Fundamentals: Local Networks
Andriy Berestovskyy
 
PDF
Cilium - Fast IPv6 Container Networking with BPF and XDP
Thomas Graf
 
PDF
The Spectre of Meltdowns
Andriy Berestovskyy
 
PDF
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
Thomas Graf
 
Intent driven, fully automated deployment of anycasted load balancers with ha...
Maximilan Wilhelm
 
L2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-Netzwerkstack
Maximilan Wilhelm
 
Netzwerkgrundlagen - Von Ethernet bis IP
Maximilan Wilhelm
 
Angewandte Netzwerkgrundlagen reloaded - von Layer 1 bis 3
Maximilan Wilhelm
 
Contemporary Linux Networking
Maximilan Wilhelm
 
Building your own sdn with debian linux salt stack and python
Maximilan Wilhelm
 
6.Routing
phanleson
 
Operationalizing VRF in the Data Center
Cumulus Networks
 
AS201701 - Building an Internet backbone with pure 1he servers and Linux
Maximilan Wilhelm
 
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
Thomas Graf
 
LinuxCon 2015 Linux Kernel Networking Walkthrough
Thomas Graf
 
Xpress path vxlan_bgp_evpn_appricot2019-v2_
Jide Akintola JNCIE-M&T/SP #496 CCIE-SP#28552
 
Cilium - API-aware Networking and Security for Containers based on BPF
Thomas Graf
 
Linux Kernel Status Report for IEEE 802.15.4 & 6LoWPAN
Samsung Open Source Group
 
DevConf 2014 Kernel Networking Walkthrough
Thomas Graf
 
OpenNebulaConf2018 - Scalable L2 overlay networks with routed VXLAN / BGP EVP...
OpenNebula Project
 
Networking Fundamentals: Local Networks
Andriy Berestovskyy
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
Thomas Graf
 
The Spectre of Meltdowns
Andriy Berestovskyy
 
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
Thomas Graf
 
Ad

Similar to Best Current Operational Practices - Dos, Don’ts and lessons learned (20)

PPTX
Commissioning, Managing & Troubleshooting Industrial Networks
Creekside Marketing Group, LLC
 
PDF
Path Solutions Network Monitor V4 Glossy
Brian Gendron
 
PPT
The 3 aspects of network performance management
ManageEngine
 
PPT
network-management Web base.ppt
AssadLeo1
 
PPT
Monitor and manage everything Cisco using OpManager
ManageEngine
 
PPTX
Monitoring network performance- Part 3_Free OpManager training
ManageEngine, Zoho Corporation
 
PDF
1 to 100 Master All Steps of Deployment, Seamless Integration, and Migration ...
TestTest449467
 
PDF
Model-driven Network Automation
Anees Shaikh
 
PDF
Presentation data center design overview
xKinAnx
 
PDF
PLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
PROIDEA
 
PPTX
Security at the Speed of the Network
Hantzley Tauckoor
 
PPTX
OpManager Technical Overview
ManageEngine, Zoho Corporation
 
PPTX
Opmanagertechnicaloverview 160128123947
Sandeep Kumar Yadav
 
PPTX
Overview OpManager
Fanky Christian
 
PDF
Proactive monitoring tools or services - Open Source
B.A.
 
PDF
Quick wins in the NetOps Journey by Vincent Boon, Opengear
MyNOG
 
PDF
NETFLOW ANALYZER 9600 - AN OVERVIEW
NetFlow Analyzer
 
PPTX
New OpManager v12
Inuit AB
 
PPT
Genesys System - 8dec2010
Agora Group
 
PPTX
Adopting SD-WAN With Confidence: How To Assure and Troubleshoot Internet-base...
ThousandEyes
 
Commissioning, Managing & Troubleshooting Industrial Networks
Creekside Marketing Group, LLC
 
Path Solutions Network Monitor V4 Glossy
Brian Gendron
 
The 3 aspects of network performance management
ManageEngine
 
network-management Web base.ppt
AssadLeo1
 
Monitor and manage everything Cisco using OpManager
ManageEngine
 
Monitoring network performance- Part 3_Free OpManager training
ManageEngine, Zoho Corporation
 
1 to 100 Master All Steps of Deployment, Seamless Integration, and Migration ...
TestTest449467
 
Model-driven Network Automation
Anees Shaikh
 
Presentation data center design overview
xKinAnx
 
PLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
PROIDEA
 
Security at the Speed of the Network
Hantzley Tauckoor
 
OpManager Technical Overview
ManageEngine, Zoho Corporation
 
Opmanagertechnicaloverview 160128123947
Sandeep Kumar Yadav
 
Overview OpManager
Fanky Christian
 
Proactive monitoring tools or services - Open Source
B.A.
 
Quick wins in the NetOps Journey by Vincent Boon, Opengear
MyNOG
 
NETFLOW ANALYZER 9600 - AN OVERVIEW
NetFlow Analyzer
 
New OpManager v12
Inuit AB
 
Genesys System - 8dec2010
Agora Group
 
Adopting SD-WAN With Confidence: How To Assure and Troubleshoot Internet-base...
ThousandEyes
 
Ad

Recently uploaded (20)

PDF
Introduction to the IoT system, how the IoT system works
TinBinh
 
PDF
The New Creative Director: How AI Tools for Social Media Content Creation Are...
SageTitans
 
PPTX
presentation_pfe-universite-molay-seltan.pptx
yahyamohibme
 
PPTX
international classification of diseases ICD-10 review PPT.pptx
naveenithkrishnan
 
PPT
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
PDF
Decoding a Decade: 10 Years of Applied CTI Discipline
Andreas Sfakianakis
 
PPTX
Internet___Basics___Styled_ presentation
poonam62133
 
PPTX
Introuction about ICD -10 and ICD-11 PPT.pptx
naveenithkrishnan
 
PDF
The Internet -By the Numbers, Sri Lanka Edition
APNIC
 
PDF
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
PDF
Paper PDF World Game (s) Great Redesign.pdf
Steven McGee
 
PPTX
INTERNET------BASICS-------UPDATED PPT PRESENTATION
poonam62133
 
PPTX
SAP Ariba Sourcing PPT for learning material
NKKumar16
 
PPTX
Funds Management Learning Material for Beg
NKKumar16
 
PDF
How to Ensure Data Integrity During Shopify Migration_ Best Practices for Sec...
CartCoders
 
PPTX
CHE NAA, , b,mn,mblblblbljb jb jlb ,j , ,C PPT.pptx
sumodmjohn3
 
PDF
Best Practices for Testing and Debugging Shopify Third-Party API Integrations...
CartCoders
 
PDF
SASE Traffic Flow - ZTNA Connector-1.pdf
mackwell7777
 
PDF
💰 𝐔𝐊𝐓𝐈 𝐊𝐄𝐌𝐄𝐍𝐀𝐍𝐆𝐀𝐍 𝐊𝐈𝐏𝐄𝐑𝟒𝐃 𝐇𝐀𝐑𝐈 𝐈𝐍𝐈 𝟐𝟎𝟐𝟓 💰
GRAB
 
PPTX
522797556-Unit-2-Temperature-measurement-1-1.pptx
msar8888
 
Introduction to the IoT system, how the IoT system works
TinBinh
 
The New Creative Director: How AI Tools for Social Media Content Creation Are...
SageTitans
 
presentation_pfe-universite-molay-seltan.pptx
yahyamohibme
 
international classification of diseases ICD-10 review PPT.pptx
naveenithkrishnan
 
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
Decoding a Decade: 10 Years of Applied CTI Discipline
Andreas Sfakianakis
 
Internet___Basics___Styled_ presentation
poonam62133
 
Introuction about ICD -10 and ICD-11 PPT.pptx
naveenithkrishnan
 
The Internet -By the Numbers, Sri Lanka Edition
APNIC
 
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
Paper PDF World Game (s) Great Redesign.pdf
Steven McGee
 
INTERNET------BASICS-------UPDATED PPT PRESENTATION
poonam62133
 
SAP Ariba Sourcing PPT for learning material
NKKumar16
 
Funds Management Learning Material for Beg
NKKumar16
 
How to Ensure Data Integrity During Shopify Migration_ Best Practices for Sec...
CartCoders
 
CHE NAA, , b,mn,mblblblbljb jb jlb ,j , ,C PPT.pptx
sumodmjohn3
 
Best Practices for Testing and Debugging Shopify Third-Party API Integrations...
CartCoders
 
SASE Traffic Flow - ZTNA Connector-1.pdf
mackwell7777
 
💰 𝐔𝐊𝐓𝐈 𝐊𝐄𝐌𝐄𝐍𝐀𝐍𝐆𝐀𝐍 𝐊𝐈𝐏𝐄𝐑𝟒𝐃 𝐇𝐀𝐑𝐈 𝐈𝐍𝐈 𝟐𝟎𝟐𝟓 💰
GRAB
 
522797556-Unit-2-Temperature-measurement-1-1.pptx
msar8888
 

Best Current Operational Practices - Dos, Don’ts and lessons learned

  • 1. Best Current Operational Practices FrOScon 13 Network Track Falk Stern, Maximilian Wilhelm 1 / 16
  • 2. Agenda 1. Who are we? 2. Do 3. Don't 2 / 16
  • 3. Who's who Falk Stern Full Stack Infrastructure Engineer IPv6 fanboy Runs his own Kubernetes cluster in his basement Consultant @ Profi Engineering Systems AG Contact @wrf42 falk@fourecks.de 3 / 16
  • 4. Who's who Maximilian Wilhelm Networker OpenSource Hacker Fanboy of (Debian) Linux ifupdown2 Occupation: By day: Senior Infrastructure Architect, Uni Paderborn By night: Infrastructure Archmage, Freifunk Hochstift In between: Freelance Solution Architect for hire Contact @BarbarossaTM max@sdn.clinic 4 / 16
  • 7. Have Infrastructure Logserver Graylog NTP service Logging is useless if every device has a different time Monitor Icinga 2 LibreNMS (editor's choice!) Configuration Management oxidized rancid Have DNS (forward and reverse) Maintain it!!1elf! 7 / 16
  • 9. Use managed switches They are worth the extra cost Enable Spanning Tree Known to save asses more than once Use redundant paths Always keep a spare device handy Layer 2 pitfalls 9 / 16
  • 10. Layer 2 pitfalls Enable VTP transparent mode Disable Dynamic Trunking Protocol Always use LACP active mode Always use LACP, not PagP or static Etherchannels 10 / 16
  • 11. Segment your network Build small Layer 3 islands Route where you can, switch where you must Routers gonna route, only Jeff bridges familiarize with dynamic routing protocols 11 / 16
  • 12. Get to know Linux flexible, versatile OS for everything Use it for infrastructure tasks 12 / 16
  • 13. Don't rely on vendor features 13 / 16
  • 14. Security Disable proxy arp Hosts should have only a single upstream interface Review your firewall rules regularly Have some Use source code management for configurations 14 / 16
  • 15. Security - Live at Network Track ¯(ツ)/¯ Sehr geehrte Damen und Herren, Cisco Smart Install (SMI) ist eine Funktion zur automatischen Konfiguration von Netzwerk-Switches. Diese wurde zur Verwendung in lokalen Netzwerken entwickelt und sollte nicht aus unsicheren Netzen wie dem Internet zugreifbar sein. [...] CERT-Bund hat von einer externen Quelle Informationen zu IP-Adressen in Deutschland erhalten, auf denen ein Cisco-Gerät mit aktiver Smart-Install-Funktion offen aus dem Internet erreichbar ist. Cisco empfiehlt, die Smart-Install-Funktion zu deaktivieren. [...] Betroffene Systeme in Ihrem Netzbereich: "asn","ip","timestamp" "39225","194.107.207.35","2018-08-24 12:08:43" "39225","194.107.207.37","2018-08-24 12:19:03" Mit freundlichen Grüßen das Team CERT-Bund Bundesamt für Sicherheit in der Informationstechnik (BSI) Referat CK22 - CERT-Bund Godesberger Allee 185-189, 53175 Bonn, Germany 15 / 16
  • 16. Being part of the DFZ Use BCP38 (Ingress filtering) Use filters on your BGP sessions Maximum Prefixes IRR filters RSPL filters Filter Bogon Prefixes Use communities Customer / Peering / Transit / IXP ... 16 / 16