
Best Current Operational Practices - Dos, Don’ts and lessons learned



Max and Falk bring together almost 42 years of experience in networking and open-source practice. In this talk they present painful experiences and derive best practices for network operations from them. In addition, best community practices are presented, and the occasional anecdote from the early days of the Internet in Germany is told.

Published in: Internet

  1. Best Current Operational Practices. FrOScon 13 Network Track. Falk Stern, Maximilian Wilhelm
  2. Agenda
      • Who are we?
      • Do
      • Don't
  3. Who's who: Falk Stern
      • Full Stack Infrastructure Engineer
      • IPv6 fanboy
      • Runs his own Kubernetes cluster in his basement
      • Consultant @ Profi Engineering Systems AG
      • Contact: @wrf42, falk@fourecks.de
  4. Who's who: Maximilian Wilhelm
      • Networker, OpenSource Hacker
      • Fanboy of (Debian) Linux, ifupdown2
      • Occupation: by day Senior Infrastructure Architect, Uni Paderborn; by night Infrastructure Archmage, Freifunk Hochstift; in between Freelance Solution Architect for hire
      • Contact: @BarbarossaTM, max@sdn.clinic
  5. Document your stuff
  6. Document your stuff
      • Netbox
      • Racktables
      • i-doit
      • Visio / Excel
  7. Have Infrastructure
      • Logserver: Graylog
      • NTP service: logging is useless if every device has a different time
      • Monitoring: Icinga 2, LibreNMS (editor's choice!)
      • Configuration management: oxidized, rancid
      • Have DNS (forward and reverse). Maintain it!!1elf!
  8. Automate, automate, automate
      • Ansible
      • Salt
      • Chef
      • Puppet
  9. Layer 2 pitfalls
      • Use managed switches: they are worth the extra cost
      • Enable Spanning Tree: known to save asses more than once
      • Use redundant paths
      • Always keep a spare device handy
  10. Layer 2 pitfalls
      • Enable VTP transparent mode
      • Disable Dynamic Trunking Protocol
      • Always use LACP active mode
      • Always use LACP, not PAgP or static Etherchannels
  11. Segment your network
      • Build small Layer 3 islands
      • Route where you can, switch where you must
      • Routers gonna route, only Jeff bridges
      • Familiarize yourself with dynamic routing protocols
  12. Get to know Linux
      • Flexible, versatile OS for everything
      • Use it for infrastructure tasks
  13. Don't rely on vendor features
  14. Security
      • Disable proxy ARP
      • Hosts should have only a single upstream interface
      • Review your firewall rules regularly
      • Have some
      • Use source code management for configurations
  15. Security - Live at Network Track ¯\_(ツ)_/¯
      Dear Sir or Madam, Cisco Smart Install (SMI) is a feature for the automatic configuration of network switches. It was designed for use in local networks and should not be reachable from untrusted networks such as the Internet. [...] CERT-Bund has received information from an external source about IP addresses in Germany on which a Cisco device with the Smart Install feature active is openly reachable from the Internet. Cisco recommends disabling the Smart Install feature. [...] Affected systems in your network range:
      "asn","ip","timestamp"
      "39225","194.107.207.35","2018-08-24 12:08:43"
      "39225","194.107.207.37","2018-08-24 12:19:03"
      Kind regards, the CERT-Bund team. Bundesamt für Sicherheit in der Informationstechnik (BSI), Referat CK22 - CERT-Bund, Godesberger Allee 185-189, 53175 Bonn, Germany
  16. Being part of the DFZ
      • Use BCP38 (ingress filtering)
      • Use filters on your BGP sessions: maximum prefixes, IRR filters, RPSL filters, filter bogon prefixes
      • Use communities: Customer / Peering / Transit / IXP ...
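The session filters listed on slide 16, applied in the order a router would, as an added example that is not part of the slides or the speakers' work: a maximum-prefix check, a bogon filter, an IRR/RPSL-derived allow-list, and community tagging of what survives. `BOGONS`, `covered_by` and `evaluate_session` are names chosen here, and the bogon list and the prefixes are constructed samples (documentation ranges are left out of the bogon list so they can stand in for customer prefixes).

```python
import ipaddress

# Constructed sample of bogon ranges; RFC 5737 / RFC 3849 documentation ranges
# are deliberately left out so they can serve as customer prefixes below.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4", "fc00::/7", "fe80::/10",
)]


def covered_by(net, candidates):
    """True if net lies inside any candidate of the same address family."""
    return any(net.version == c.version and net.subnet_of(c) for c in candidates)


def evaluate_session(received, irr_allowed, max_prefixes, community):
    """Apply the per-session filters from the slide, in router order:
    maximum prefixes, bogon filter, IRR/RPSL-derived allow-list. Prefixes
    that pass are tagged with the session's community (customer / peering /
    transit / IXP). Returns (accepted, rejected) as (prefix, community|reason)."""
    if len(received) > max_prefixes:
        # Exceeding max-prefix tears the whole session down: nothing is accepted.
        return [], [(p, "max-prefix exceeded") for p in received]
    allowed = [ipaddress.ip_network(a) for a in irr_allowed]
    accepted, rejected = [], []
    for p in received:
        net = ipaddress.ip_network(p, strict=False)
        if covered_by(net, BOGONS):
            rejected.append((p, "bogon"))
        elif not covered_by(net, allowed):
            rejected.append((p, "not covered by IRR allow-list"))
        else:
            accepted.append((p, community))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed customer session: the IRR allow-list covers two documentation
    # prefixes; one leaked RFC 1918 route and one unregistered prefix sneak in.
    acc, rej = evaluate_session(
        ["203.0.113.0/24", "10.1.0.0/16", "198.51.100.0/24", "2001:db8:1::/48"],
        ["203.0.113.0/24", "2001:db8::/32"], max_prefixes=10, community="65000:100")
    for p, c in acc:
        print("accept", p, "community", c)
    for p, why in rej:
        print("reject", p, why)
```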
