Vetted Talent

Om Prakash

To groom myself as a result-oriented Network engineer/architect, which enables me to cope with emerging technologies and provides ample opportunities for constant learning and growth.
  • Role

    Sr Manager Cloud Eng.

  • Years of Experience

    22 years

Skillsets

  • Multicast
  • zero trust security
  • VLAN
  • Troubleshooting
  • SASE
  • Routing Protocols
  • QOS
  • Python Scripting
  • Network Security
  • Network Design
  • Switching
  • MPLS
  • Load Balancing
  • Firewalls
  • DevOps
  • Data center virtualization
  • CyberSecurity
  • Cloud Computing
  • automation

Vetted For

11 Skills
  • L3 Senior Network Engineer (Remote), AI Screening
  • 56%
  • Skills assessed: Disaster Recovery, Project Management, Scripting languages, VERSA SDWAN, Azure/AWS/GCP, Firewall, ITIL v3, Network Infrastructure, Network Performance, RedHat, SIEM
  • Score: 50/90

Professional Summary

22 Years
  • Feb, 2019 - Present (7 yr 4 months)

    Sr Manager Cloud Eng.

    Tata Communications LTD Subsidiary: Netfoundry
  • Sep, 2016 - Jan, 2019 (2 yr 4 months)

    Network LEAD and architect

    CenturyLink Technology Solutions
  • Dec, 2013 - Jun, 2016 (2 yr 6 months)

    Solution Architect (Network)

    Ericsson (EGI)

Applications & Tools Known

  • Scripting
  • Python
  • GitHub
  • Docker
  • Kubernetes
  • DevOps
  • Grafana
  • Kibana
  • Cacti
  • Prometheus
  • Ansible
  • Zendesk

Work History

22 Years

Sr Manager Cloud Eng.

Tata Communications LTD Subsidiary: Netfoundry
Feb, 2019 - Present (7 yr 4 months)
    Working ZTN fabric network, Network deployment using BGP, OSPF, QoS, SDWAN (Viptela, Fortinet), MPLS, VRRP, switching (V switch), Virtual Firewall (ASA, Palo Alto, Fortinet, F5, Checkpoint), Multi Cloud networking (AWS, Azure). DPI, Network, application LB, ISE, Meraki WL, Aruba SD LAN, WLC9800. Integrating the Viptela V Smart, V Manage, edge router with SASE (Zscaler, Palo Alto Prisma, ZITI). Configuring ACI (multi-site, multi POD), DC migration. Use Linux VM (Ubuntu, CentOS) hosting on AWS, Azure, GCP, OCP to create the controller and edge routers. Configure the network Monitoring tool Grafana, Kibana, Meraki, Nagios, other tools. Working on L3 label support ticket. Doing POC and Presales work for new projects. Make documentation and app code for L3 support and team using GitHub. Troubleshooting the fabric/Legacy OnPrem/Cloud network related issue. Managing multi cloud platform AWS, Azure, OCP, GCP etc. Working on Network automation and DevOps tool Docker, Kubernetes, Python, Ansible, salt-minion, scripts for Cronjobs etc. Use SD WAN with SSE, ZTN and SASE to provide the best cybersecurity and connectivity. Deploying NGFW technology like antivirus and malware, CA, app ID/user ID/URL filtering, IPS. Managing and leading the cloud/Network L1/L2 team. Worked on Presales/Project POC, SOW, RFP, HLD, LLD, PTE test.

Network LEAD and architect

CenturyLink Technology Solutions
Sep, 2016 - Jan, 2019 (2 yr 4 months)
    Leading the team of HNS (hosting network services). Configuring ACI, SDWAN (Viptela). Data center migration and management. Detail Design (LLD, TRD, HLD, MOP, ATP, SOW) for Network connectivity. Configuring WLC 9800, ISE, NGFW (Palo Alto, FortiGate), Zscaler, Aruba, HP. Managing multi cloud platform AWS, Azure, OCP, GCP etc. Deploying NGFW technology like antivirus and malware, CA, app ID/user ID/URL filtering, IPS. Configure the network Monitoring tool Grafana, Kibana, Meraki. Involved in presales team activities. Prepare BOM, BOQ for New hardware and software procurement in Network Architecture. Detail Visio design (Low, High) for PTE & production network. Provide the details for Wire list (LLD), Master spreadsheet (MSS). Provide the good Architecture (2 tier, 3 tier, CLOS, SDN, SDWAN) for redundant Network/Cloud solution. Provide the SLA report monthly. Configure the BGP, OSPF, MPLS, Switching, QoS in Cisco router (ASR 9k), NX7k, 5k, 9k switch and security flow in point firewall. Provide MOP/POA approval. Prepare and planning the document for network migration activity. Set timeline for project delivery. Resource onboarding. MAN, hours and costing.

Solution Architect (Network)

Ericsson (EGI)
Dec, 2013 - Jun, 2016 (2 yr 6 months)
    Responsible for: Status call with customer for project information gathering, Requirement, risk Analysis, Lead the network team. Provide Guidance, direction, and training to n/w team. Calculate the Heat map and network threat analysis for n/w Security. Presales Network Project deal finalization, Prepare Project Plan checklist and RFP. Post-sales work Implementation, design Final ATP and Handover documents. Coordination with vendors & various departments (CFR, CPM) in the organization. Detail Design (LLD, TRD, HLD, MOP, ATP, SOW) for Network connectivity for IPTV & Mediaroom. Prepare network Test cases. Involved in presales team activities. Prepare BOM, BOQ for New hardware and software procurement in Network Architecture of Mediaroom. Detail Visio design (Low, High) for PTE & production IPTV. Provide the details for Wire list (LLD), Master spreadsheet (MSS). Provide the good Architecture for redundant Multicast solution for Production/PTE of IPTV Mediaroom. MVR/IGMP snooping solution for STB to encoder connectivity. Configure the BGP, OSPF, MPLS, Switching, QoS in ALU (7750) router, Cisco router (ASR 9k), NX7k, 5k switch, and security flow in Juniper/Cisco firewall. Documentation for QoS, Security, WAN connectivity with Use of ALU/Cisco/Juniper router for VHO & SHO in IPTV project. Load balance in the Server with h/w solution. Provide the solution for best connectivity of media room server with use of MCLAG, VSS, VPC, VPLS with best broadcast control use of 450X, NX7k, 5k, 6k switch. Design a security solution for DMZ server connectivity with SHO & VHO with use of Juniper firewall (SRX) and ASA 5505X. Virtualization of Data center with use of cloud networking SDN, NFV in open stack. Design L2 VPN Metro Ethernet (VPLS, AToM, L2TP, QinQ) for MPBN remote site. Deploy L3 VPN IPsec, Traffic Eng RSVP, LDP, MPLS QoS.

Achievements

  • Achieved maximum user satisfaction and appreciation from client
  • Received appreciation award from client
  • Master in troubleshooting network problems as a network engineer

Major Projects

1 Project

Mediaroom IP network deployment (Onsite USA)

Dec, 2013 - Jun, 2016 (2 yr 6 months)
    Responsible for detail design and coordination for Network connectivity for IPTV & Mediaroom.

Education

  • B.Tech in Computer Science

    Krishna Institute of Engineering & Technology, Ghaziabad (2005)
  • 10+2 (Intermediate)

    UP Board (1995)
  • 10 (High School)

    UP Board (1993)

Certifications

  • CCNA

  • CCNP

  • CCIE (Lab) R&S #37280

  • CCSA R77

AI-interview Questions & Answers

Hello, I'm on Zoom. I'm currently working in Telecommunications Limited as a senior manager. So, basically, my current role is for doing a network configuration as routers, which includes firewalls and performing all kinds of network-related steps. Okay? And I monitor the firewalls and monitor the logs, and provide solutions for level three, level two escalated tickets. Okay. Also, I do the daily ticket review and network management, network configurations, and provide designs for advanced network solutions. Okay. I also do SIC and GTN-related configurations. So, I handle the GT and GScaler. It provides the GRouters network solutions, and also does the daily ticket review and holds meetings with customers and our level two team, providing the best solutions based on the requirements. That is my day-to-day task that I'm currently doing with the company. Hopefully.

I'm not very familiar with the COVID framework, so it's new to me.

VRRP is providing the virtual router redundancy protocols. So, it is related to providing the gateway redundancy from LAN to WAN. So, when any traffic goes from LAN to WAN, we provide a virtual gateway, okay, which has a virtual MAC address. So once traffic is initiated from inside to outside, it will get all the resolutions from this VRRP virtual life. We have to configure the priority. Higher priority will be the active, and lower priority will be the passive. We can track the WAN interface based on the tracking of the LAN interface or IP address. So, we have to put the command VRRP and group number, and then try the interface. We provide the tracking so that if the interface is up, it will get the particular priority, whatever we said. If that interface goes down, it will decrease the priority, and that particular router will go into a passive state. So, that your forwarder will be your backup router. So, the MAC address will resolve accordingly. The virtual MAC address for VRRP will be your group ID of your VRRP and also the group address of both as active and vice versa. So, that's why this is done.

This scaling is Citrix NetScaler load balance based on the source and destination basis of the HTTPS traffic. So, it will form clusters between the servers. Okay? So, it will be assigned a priority based on how much HTTP traffic goes from this server to nodes 1, 2, and 3. So, based on that, we'll provide round robin or first in first out or other methods to do load balancing based on traffic loads. So, if there are higher loads, they will be distributed between five or six nodes, and we can configure which one will be first, which one will be second, and so on, will be third. So, we have to set all those parameters to manage incoming and outgoing traffic. So, based on that, the setup will be released. There are three kinds of load balancing. One is the network load balancer, one is the application load balancer, and another is the classical load balancer. In the network load balancer, it does load balancing based on your virtual IP and your physical IP of the server. So, it will load balance only with a public virtual IP and load balance with all those servers. The application load balancer will happen through HTTP and HTTPS, providing load balancing based on topics and HTTPS, SSL, and TLS.

So OSPF is the link state protocol. Okay. So it's providing the dynamic routing. So, basically, this is related to the routings from interface to interface. So this is basically NLRI, network level reachability information. So for that, you have to configure the network interface. Either you can enable with the IP OSPF of area 0 over the interface or you have to go for an OSPF process and then do the network statement. Okay? And you have to provide the address and also you provide the subnet mask. The subnet mask will be in the wildcard switch way. So, like, network 1, 2, 3, 4, and then wildcard will be 0 and then provide the area so that it will cover your floor of your interface address. So you can also do, like, put full address in the OSPF, like network 0 0 0, 255, 255, 255, 255, and area 0. So it will cover all of your address of your router. So if you want to exclude some routers, so you have to put the IP on the same interface, particular interface so that it should not perform the look up and forward packet to that interface. So OSPF is basically providing the cost-based routing. So it will calculate the path cost, so which is the path based on that, it will choose the routes. So it has five kinds of LSAs, like hello database description LSA, LSE, LSR. And it has four kinds of network interfaces, like a point-to-point-to-multipoint, and non-broadcast multi-access and broadcast multi-access. So for non-broadcast multi-access, you have to configure the network statement. And for point-to-point, the hello and dead interval will be 10 and 40. And for point-to-multipoint, the hello interval will be 30 and the dead interval will be 40. And for non-broadcast multi-access, the hello interval will be 40 and the dead interval will be 120 seconds. So that is for OSPF. And for other routing protocols, like EIGRP is doing an equal-cost load balancing, which is not done by OSPF. OSPF is doing the equal-cost load balancing between the equal metrics. 
So if we have unequal metrics, it will not bring the load balance. So OSPF is providing the full LSA update within 30 seconds. And for EIGRP and RIP, it has some limitations like in RIP, it has only up to 15 hops. And for this is the limitation for classful networks in OSPF. But OSPF is like a hybrid protocol, which is contained the distance-vector and link-state while EIGRP is only a distance-vector protocol. So it's providing the major difference, like how you can configure the network and other stuff.

SSL VPN is like a TLS VPN which provides remote access to connect your office network from home or any remote locations. So SSL VPN is like you have to configure your certificate from the servers, and then you have to upload the CSR and assign the certificate and then upload it in the firewall, then you get your certificate. And once you get the certificate, then you have to assign your pool IP from which pool your customer will get an IP and also assign the interfaces, like, which trust interface that traffic will initiate and what will be the destination address, what will be the gateway. So everything you have to configure and you have to configure the certificate. You have to configure the user details, like, how it will get integrated, whether it will go for LDAP, like, active directory or local authentication, or it will go for ISE, or it will go for any kind of radius. So it will be based on the user profile. So for parameters, you have to configure. First, you have to configure the interface, then you have to configure the SSL certificate, and then you have to configure the crypto profile. And then you have to configure the trusted zone, which will be inside and outside. And then you have to configure the proxy IP, like which remote IP people will use, and then initiate the policy service policy that, what kind of traffic it will initiate source to destination or destination to source. So everything you have to initiate, and then you have to put the client and also put the kind of VPN they want to install. So based on that, you have to provide in that link. So once the client will go for SSL VPN, they have to browse the site and then they have to upload the certificate. So for uploading the certificate, they have to do with the three kinds of certificates, I mean, firstly, the private key, public key, and then CSR. So once the certificate is signed by the customer, it will go and touch with your root CSR. 
So from the root CSR, it will validate and get the certificate. And once you will get the certificate, then you have to upload your certificate to the VPNs. And once it will get uploaded, we'll validate it with your public key and your organization's details and your serial number, IP's public key is what's set for once it will get nice, then it will validate, and it will forward the URL too. It will validate, and it will allow that, yes, you are the right person, so you can go ahead and proceed to access the sites. So, basically, the TLS connection will happen. Okay. So, taking very important roles in doing the communications privately, public key. So you have to make sure that you have to always keep your private key with yourself. You should not expose it to the Internet or anywhere. So only the private key, you have to sign with CSR, and it will go to validate with the root CSR. So that is the consideration you have. But the private key will be where you have to keep yourself, and it will use to decrypt your certificate or this CSR. So this is the key.

So there are many ways you can check the network hybrid license. There could be some PCs that have been affected by your virus. It's and which is sending so many topics. So based on how it got affected, some ports that may be open and it will try to send unlimited traffic. So also, if you get high load high traffic, you have to apply the QoS policy, and let's see which kind of traffic you want to prioritize. Like, UIP, you have to provide the highest priority, and file and other stuff has to be put into normal traffic, and like, some CPU and other server traffic, and other stuff. So you have to provide the bandwidth. Okay. So, like, class-based with the fair queue, you have to configure. And based on that, you have to provide the service policy, class map, policy map, and service policy, and you have to apply that policy over the interfaces. So also, if possible, you have to check the graph to see how much bandwidth is peaking and what will be the source, and from which source this topic is connected. So you have to use your NetFlow or this network NMS tool. So you can check from which topic this topic is spiking. So you have to tell that particular customer because you have to control the traffic. Either you have to check your PC, see if anything unusual is going on. Maybe some virus has affected it or something in your tag like data or other stuff. So you have to check that PC and resolve or remove it from the system. So if you need a tag, something like that. So four, five steps that you have to take. So three major steps that I told. The 1st step is you have to check the affected PC, and you have to check the network logs from which PC the log is coming, and then you have to install antivirus remotely from the PC. First, you have to fix every antivirus patch and update it, then you have to connect back into the remote. 
And also, if some backup and other stuff is going on, so I have to tell the customer to take the backup off-peak time, like not in production, also that it will be not a professional setup. So many steps that you have to take before traffic goes into people. And also, check with the provider if any link utilization issue. Like, in the customer side, there may be a high link latency. Are there maybe some issue with the fiber cards? Or if they are using two or three links, two or three links are in one link going down, so they are using backup links. So in that scenario, we have to check the customer and tell them to provide the proper services so that traffic should not get disturbed. So these are the major steps basically like that. We have to contact the providers. And also, we have to check inside the LAN if there are any loops out there. So if any LAN loop is there, so we'll also create high traffic inside the LAN. And also, one side, we have to check if any unusual activity is going on. Our loop happens so that whatever traffic is going out, same things are receiving. So it will create also low traffic situation. So many factors here that people know.

So for migrating to an enterprise system on AWS Cloud, you have to take many steps. Okay. First things, you have to see your Internet speed and Internet bandwidth to ensure you have proper bandwidth. And then you have to check that all your network infrastructures, all IP addresses, and all your servers have taken proper backups, and you have to take the schema for that, like, every IP detail, every network detail, every server detail. Okay? And, you have to have proper licenses. So every backup you have to take, and once you have taken them, then you have to migrate 1 by 1 in sequence. Right? So that it should not get impacted if anything goes wrong or any unusual things happen, so that you can revert with your existing server. So you have to migrate finally, like, 1 by 1. So once you've migrated two servers, you have to first upgrade them and disconnect, and then check if everything goes perfectly in AWS. Then you have to remove the two servers and start the other two. Like, the same way you have to do for other migrations, for network migration or load balance or whatever steps. So you have to migrate step by step. So take precautions, take backups, and move to EC2 instances. And, you have to configure the IP schema so that it doesn't conflict with your internal network. So many factors you have to take into consideration before migrating to the AWS cloud. So security parameters also, like that. You should have proper groups. You should have proper service groups. You should have proper access lists. So they have proper policies in security so that your IP or your networks won't leak into the Internet. Because you're exposing your infrastructure to the public cloud or private cloud. So it may get hacked by someone, because they may get data or a virus, or they can refresh your data. So you have to take consideration. Like, basically, if you're moving your private steps, so you can use your private cloud. 
And, also, if you're using AWS and DNS or maybe which is related to public, you can put AWS servers and the servers on the public, and you have to provide the proper security like you. You have to take the certificates. You have to take the Jira's trust, like SAML IDP-PSP authentication, so that users can go for private reports to sign in to. And, for web security, like, you have to check the SSL inspections and, deal with, that is the advanced private label inspections and URL filtering and, file blocking steps and which files they can access. So a lot of these steps that you have to keep in mind. And the virus will be updated if you're migrating. So licenses should be upgraded, and, also, you have to use valid licenses. So many steps that you have to take precautions before migrating to the cloud.

Yeah. For MSA is taking a very important role and is crucial to providing security because financial and other data are involved. So, if you are using just a pre-shared key or just using simple username and password, because username and password can be shared, otherwise, they can be used by others so they can access your financial systems. Okay? So, for that, you have to use MFA and so many other stuff. So, like, IDP. Okay? So, IDP will provide your identity protocols. Okay. And, also, you have to use a channel. So, a channel will provide you the metadata, and you have to upload the metadata to the security assessment markup language. So, you have to upload it there, and then, again, you have to download the same metadata file and upload it in your instance so that both are synced up. And, also, in the IDP provider, like password and other companies, so they are doing the IDP management. So, on the IDP steps, you can also use your active directory and your Azure AD. Okay? So, you can integrate your IDP with them, and you can provide the certificates so that certificates should be signed, and you have to download the certificate and upload it in the servers so that if they want to communicate, they have to use the proper certificate and also use the proper metadata file for SAML communications, with a correct email ID, roles, and usernames should be properly authenticated with each other. And, whatever role you assign in the active directory or whatever username you assign, whatever email ID is configured in the active directory or Azure AD. So, it should be synced up, and it should be matched with your local credentials that exist in the servers. So, like, you have to do multifactor authentication. First, you'll authorize with your username and password. Once it's authenticated, then it will ask for your email ID. Once it goes for the email ID, it will send the OTP to your email address. 
You can also provide your mobile number, so the OTP will go to your mobile number. So, you can configure the settings, it will go to either your email ID or it will go to your mobile. So, once you will authenticate it with one-time password, so it will go for the next step, and you can access. So, overriding the OTP one-time password, you can also configure the Duo service. So, that one is providing the one-time password authentication with your mobile device. So, the mobile token, one-time token will generate every one minute. So, that token also you can reconfigure so that token only will be valid for one minute, and you can pull the OTP, and it will work. So, based on the requirement, you can configure.

It all gets his control. If we provide the full access list, it will provide your user ID details, including your network application ID, location ID, and the user ID. So NAG will provide full integration with usernames and passwords. Okay? So, you can integrate with your active directory, either with the ISC servers, Arthakas, or ADS servers, so that it will provide proper access to your organization and users. Okay. Network and text control will configure with the access list based on your IP requirements, traffic, source traffic, and destination traffic. And you can configure the policy based on your user ID, user group, application ID, location ID, and the kind of traffic you want. So it will provide full-fledged security, so that no traffic can initiate from outside and hide your server or access it from inside to outside. They cannot access until the analyst verifies it, based on your NS, Network Access System. So that will provide a kind of security so that everything inside and outside should be trusted, and this will be checked from your inspection list. It will be based on your requirement. You can configure advanced access controls. Okay? First, make address groups, IP groups, and application ID groups. You have to make your RADIUS server synchronized with your user ID. Yeah, and user ID too. So that whenever you want to configure and assign, you have to assign those things in the security policy, and make sure each parameter matches. Otherwise, it will get unexpected results. If all user IDs mismatch, source IPs mismatch, source groups mismatch, source zones mismatch, and nation zones mismatch, everything should be matched. Then only we'll get authorization. Okay. And protocols would match too. That's it.

Basically, I work for the solution to BevTail. So this is the worst I have very little work. But, yeah, if you tell about the certification steps, I can tell how it will get managed. So, like, the same certifications part that we are going through in the data, same things we have to do in the, this process also. So first, you have to get the certificate. First, you have to obtain a root CA, which can be your NAT and SD or a third-party root CA. Any party that you are obtaining the root certificates from. So, you have to first create your private key and CSR, and then a PEM file will be generated, and that will be your public key. You have to generate the public key and private key from the root CA. And then, from that public key, you have to do the certificate signing request from your other devices, like Bevis or whatever devices you have. You have to generate your own private key and public key. With your public key, you have to sign the certificate. Okay? So once you sign the certificate, then you have to upload the same certificate and the same CSR. Your root CA will validate the certificate with their public key, and they will create the certificate. Then, once the certificate is created, you have to download it and upload it in your V Outer or V Manage or V Smarts, and you have to upload and then validate it with your private key. So once it is validated, then it will form connections from your CS server to your client. So these things you have to repeatedly configure in all the ACE routers and ACE devices. So that is the part of certifications, communications from root CA to third-party CA. This takes very important roles for communications between smart controllers and smart devices to your edge devices. Because if the certificate will mismatch, it will decline the first communications and that communication will not happen. 
So make sure that whatever you are doing with certificates and signing requests, you have to provide your proper serial number, chassis ID, and, if that will matter, then only it will create the certificate based on whatever chassis ID and everything you configure. So there are six systems involved in this certificate. Okay. First steps that we go through in the root CA process, you have to create a public key, private key, and then download the public key. Then, you have to configure a CSR based on your devices. When you sign the CSR, you have to put your organization ID, serial number, and other secrets. So, the CSR will generate it, then you have to upload the CSR on the root CA and get the certificate. Once you will get the certificate, you have to download the certificate from the root CA and upload it in your device and validate it with the URL and then that's it.