Vetted Talent

Vimal Kant Gairola

To gain and implement knowledge about my field, achieving high career growth through a continuous learning process, and to keep myself dynamic, visionary, and competitive with the changing scenario of the world.
  • Role

    SD WAN Technical Professional

  • Years of Experience

    11 years

Skillsets

  • Microsoft azure (basics)
  • Zxr10 m600-3s
  • Ztezxr10 8900e
  • PTX Series
  • Prisma(cloudgenix)
  • Nexus 7k
  • Nexus 5k
  • Nexus 2k
  • Mx Series
  • Zxr10 5s
  • F5 LTM
  • Ex4200
  • CASA
  • C3750
  • Asr 1k
  • Zscaler
  • Prisma Cloud
  • 7750 sr
  • Juniper srx 210
  • Motorola bsr
  • Cisco cbr8
  • Arris e6000
  • Ex4500
  • T400
  • Redback router
  • 7450ess
  • Juniper srx 110
  • Isr 4k
  • C3745
  • C7606
  • C7300
  • C7200
  • C7609
  • Zxr10 5900e switch
  • HSRP
  • OSPF
  • RIPV2
  • Stacking
  • VSS
  • VPLS
  • E-pipe
  • GLBP
  • VRRP
  • BGP
  • VLANs
  • RSTP
  • STP
  • QOS
  • AWS - 1 Years
  • Python - 2 Years
  • EIGRP
  • PPP
  • IS-IS
  • Frame Relay
  • Mpls-vpn
  • Mpls-te
  • GRE
  • DMVPN
  • Multicast
  • Meraki
  • Viptela
  • Nuage
  • VeloCloud
  • Fortinet secure sdwan
  • Cisco asa 5510

Vetted For

16 Skills
  • Network Architect (Onsite, Ahmedabad) AI Screening
  • 63%
  • Skills assessed: Agile Methodology, Cloud networking, CCIE, CCNP, CISSP, LAN/WAN, Network Architecture, network implementation, Network Security, QOS, SDN, TCP/IP, VPN, AWS, Azure, Python
  • Score: 57/90

Professional Summary

11 Years
  • Nov, 2019 - Present (6 yr 2 months)

    SD WAN Technical Professional

    British Telecom
  • Nov, 2018 - Nov, 2019 (11 months)

    Network Specialist

    Aricent Technologies (Holdings) Limited
  • Dec, 2016 - Nov, 2018 (1 yr 10 months)

    2nd Level Operations Engineer

    Ericsson India Global Services Private Limited
  • Jul, 2014 - Dec, 2016 (2 yr 5 months)

    IP Engineer

    ZTE Telecom India Pvt. Ltd. (on payroll of Teamlease Services Ltd.)

Applications & Tools Known

  • MATLAB
  • Putty
  • Wireshark
  • BMC Remedy
  • Prisma Cloud
  • Zscaler
  • Python
  • Microsoft Azure
  • AWS

Work History

11 Years

SD WAN Technical Professional

British Telecom
Nov, 2019 - Present (6 yr 2 months)
    Working as SD WAN Technical Consultant for multiple enterprise accounts as part of BT Global Services DyNS Center of Excellence/Incubation team. Responsibilities include providing product level assurance & technical management for SDWAN SASE, and involvement in POC testing for new products. Designing, implementing and optimizing SDWAN solutions to enhance network performance, security and scalability for businesses. Collaborating with clients to understand their specific requirements, conducting detailed assessments and providing strategic recommendations to improve network infrastructure. Key technologies include SDWAN, Viptela, Palo Alto Prisma SDWAN, Zscaler, Velocloud, SASE, Prisma Cloud.

Network Specialist

Aricent Technologies (Holdings) Limited
Nov, 2018 - Nov, 2019 (11 months)
    Worked as Network Specialist for Coriant 8865 Router Migration for Vodacom, South Africa & Ciena Global TAC. Responsibilities included Coriant Planning & Implementation, MOP Preparation & CR Execution for Coriant 8865 Provider Edge Router Migration, configuration for new TE LSPs, Trunk links, re-routing new LSPs, troubleshooting for MPLS-TE, BGP, OSPF, L2 VPN & L3 VPN, and global support for Ciena Product Family Switches 3K, 5K, 8700.

2nd Level Operations Engineer

Ericsson India Global Services Private Limited
Dec, 2016 - Nov, 2018 (1 yr 10 months)
    Worked as MPLS/Data Core Network Operation team member for Virgin Media UK & Ireland. Responsibilities included troubleshooting on Backbone connectivity in ISP, MPLS & DCN, troubleshooting on (Cisco, Juniper, Alcatel) Routers & Switches, configuration of L3VPN in Hub & Spoke with Dual Hub & Mesh topologies, coordination with Cisco TAC for hardware & software failures, implementation of IP change Management requests, and support for change requests for 1,000+ operational Backbone routers in LG IP/MPLS network.

IP Engineer

ZTE Telecom India Pvt. Ltd. (on payroll of Teamlease Services Ltd.)
Jul, 2014 - Dec, 2016 (2 yr 5 months)
    Worked as IP ENGINEER on BSNL GU North Circle, Nodal Chandigarh. Responsibilities included configuring ZTE & Cisco DATA products for new sites, MOP Preparation for Activity, Traffic Migration & Version upgrade, troubleshooting MPLS, BGP, VPN based issues, and resolution of Service Affecting Problems of Enterprise Customers to decrease MTTR and maintain SLA.

Achievements

  • Brilliant Performer rated by BT for 2021.
  • Awarded as Star Performer for the month July-Sept 2015 by ZTE Telecom India
  • GATE-2014 Qualified (92.5 percentile). Received scholarship worth Rs. 2,00,000 from Graphic Era University.
  • Brilliant Performer rated by BT for three consecutive years (2021-23)

Major Projects

1 Project

Wireless Sensor Networks

    LEACH and MODLEACH protocols for Wireless Sensor Networks.

Education

  • Bachelor of Technology in Electronics & Communication

    Graphic Era University, Dehradun (2014)

Certifications

  • Completed one week training of IP DATA Networks & ZXR10-DATA Products by ZTE University, Shenzhen.

  • IP Data Networks & ZXR10-DATA Products

  • Alcatel-Lucent SR routers (7750, 7450), VPN (E-pipe, VPLS, VPRN) & IES services

  • JNCIA x4 (Junos, Security, Cloud, Design)

  • CCNP ROUTE (300-101)

  • CCNA (R/S) 200-120

  • VMware SD-WAN Ready Set Go program

  • (EDU-238) Prisma SD-WAN: Design & Operation

  • VMware SD-WAN Foundations 2022 (5V0-35.19)

  • (EDU-238) Prisma SD-WAN: Design & Operation with lab

  • Palo Alto Networks Micro-Credential for Prisma SD-WAN Consultant (PMSC)

  • Cisco Certified Specialist - Enterprise SD-WAN Implementation (300-415)

  • Palo Alto Networks Systems Engineer (PSE): Foundation

Interests

  • Travelling
AI-interview Questions & Answers

    Could you could you help me understanding more more about group? Hello. My name is. I'm working with BT Group for last, like, almost four and a half years. Um, part of, uh, DyNS, we can call a center of excellence team in BT. So we are the major key players in or you would say a key role we have in BT in terms of the SD WAN product. We basically deal with 5 products right now, which are Nokia Nuage and Cisco Viptela, VMware VeloCloud, Palo Alto Prisma SD WAN, and Fortinet SD WAN. So I'm leading 3 products right now. Palo Alto, VeloCloud, and, uh, Viptela right now. So I'm handling 4 to 5 people, okay, here, and our SME here. So everything like, we manage all the SD WAN changes here. We do all the design related work, the incubation work, do the pilot side, DC sites, migrations here, as well as we do the work for product line team. We work closely with product line team and tech engineers, okay, in order to roll out any software, do some testing, new version testing, new feature testing that is to be done by us. We are not account specific team. We are a global team. So we basically are the, you can say, 3 plus level escalations for all the accounts teams in BT who are managing their own customers. Okay? So that is what we really do. And talking about my experience, I have totally from 9 years of experience working. Uh, I have worked with network operations, network designing, mobile net mobile networks as well as Internet networks as well as enterprise telecom networks, have a good solid understanding of, uh, at CCNP and CCIE level, multi product level experience working with Palo Alto or Alcatel-Lucent, as well as, what you say, Nokia. Okay? So I have a mix in I have I've worked in a multi vendor environment and have a good solid understanding of network engineering. Thank you.

    Configure a secure and scalable way to manage distributed file across different network segment including LAN WAN. Well, in that case, basically, okay, so in that case, secure scalable way to manage distributed firewall across different network segment including LAN, WAN and cloud networks. Okay, in that case, if you want to use a firewall network and want to secure your all zones, so LAN you can basically create as your one of the trusted zone, okay, where you have all the users with something like private IP address, 10 or something, 172, 192.168. The other zone, which is WAN, it can be an untrusted zone, okay, and one even with the cloud networks, it can be a part of your, what you can say, a DMZ. I won't say it is a DMZ; it will also be a part of WAN, but it will be a secured WAN. Okay, so there will be the three zones: from LAN, okay, from the trust zone to untrusted zone, okay, and also the to the cloud network. So basically you need to have different different policies here. The firewall policy: first you need to allow the traffic from LAN to WAN and LAN to your cloud network. Okay, WAN can be anything like accessing normal internet apart from any application which is not hosted on cloud network. Okay, in order for any traffic which is coming from the LAN side, you want that traffic to basically break out, okay, to cloud based on the types of traffic you want to. Okay, it can be done like the same way: from LAN, it should be coming from the LAN side and it can go to cloud application if in case it's a cloud based application, or if it is not, you can go via the second thing. Based on the policy based routing, you can set the next hop depending on the filtering based on source as well as destination combination. Like, this destination is not hosted on the cloud network, so you can select a different path policy here or to send it directly to local breakout or normal internet. Or if there's, you know that this traffic is, like, hosted on the cloud application, you can use the next hop as the, what you can say, IKE tunnel or IPSec tunnel which you have created with your cloud provider, maybe Prisma or Zscaler. That is what you can do here, the tunnel. So any other local traffic you can send it by local internet breakout, but for the internet based traffic, it can be go the cloud application page, it can be sent by the IPSec tunnel. So it will be a zone based combination here.

    the network monitoring strategy that could alert for issues in both LAN and VPN connection. Study it could alert for issues in both LAN and VPN. Well, in that case, the network monitoring strategy which I'm understanding is a centralized monitoring which you are referring to that could alert for issues in both LAN and WAN. Okay, based on that one, you can do network monitoring; I think you can use SNMP, you can use NETCONF. These type of protocols are famous for any type of monitoring, okay, to fetch the information data. For the monitoring purpose as well, because these protocols basically fetch at a particular rate, particular interval, the statistics from the devices. Okay, so anything which is coming, any type of traps, any type of alarm which is generated on the device itself can be sent to the centralized controller. It can be any, what you say, 7 or any type of your SNMP server which is hosted, and it can show you the those ones, okay. Apart from the network monitoring strategy, it can show you both the LAN interfaces down, link degradation, okay, if you have defined certain parameters, IP SLA tracking, these type of thing. It can show from the LAN and WAN perspective. Depending on the VPN connection, it can show you those IPSec tunnels or GRE tunnels are going up and down, you are seeing some fragmentation issue, we are seeing some key mismatch, those types of things. Okay, so that can be done as well, okay, from the VPN connection perspective. And talking about the implementation, you just need to have an SNMP configuration on your device, or you can do the NETCONF like I said, and every device these days supports the NETCONF, and NETCONF basically works on your SSH protocol, okay, port number 22, so I don't think that it will be a challenge for that one.

    in a VPN solution that integrates with both IAS and AWS and Azure to provide secure remote access to your organization resources. Secure VPN access, basically remote access, it will be something like you need to, you need to have an integration. Like, whenever your remote users, okay, are trying to access the enterprise application, okay, from your, what you call, BYOD devices, your laptops or maybe your personal mobile, whenever they are using the client, okay, so basically they can, what they can use is install the application, Cisco AnyConnect, Palo Alto GlobalProtect or any other application they can use. Okay, from there they can use basically the internal applications. Once they have their valid credential and the multi-factor authentication is enabled, the token will be generated, then they can secure login. After that, depending on the VPN solution that integrates with both AWS and Azure, so it will basically directly connect from the remote user to the local site, okay, VPN concentrator which you call, where we have the breakout, okay, for the local traffic as well as internet. So in order to, if that remote user wants to access some internal application, it can use basically the local range, okay, it can go by the data center or the login from the VPN concentrator. If it really wants to go to AWS and Azure hosted application, it can be set up, and like I said, from your VPN concentrator devices, those devices will be set, you will have a IPSec or GRE tunnels towards the AWS and Azure, okay, cloud. Sometimes you can have a device itself installed on the AWS and Azure cloud as well, okay, that will run basically IPSec connection from your end device to the to the router or router installed on the AWS or Azure. Okay, so that is what it usually do, and inside that one the VPN solution, yeah, I guess that's just the one.

    Would you validate network resilience and recovery procedure for enterprise scale SD infrastructure? Enterprise scale SDN structure, we need to validate network resiliency network resiliency. I mean, you should have, uh, basically, a fallback. Okay? Just in case if you do see in normal SDN structure, there are something like the IPSec tunnels. You will basically form to the Zscaler Prisma Cloud for Internet access. Resiliency, if we talk about let's suppose if we lose the, uh, both the IPSec tunnels to different different cell nodes. Okay? So that time, you should have a local Internet breakout as well at least for those application. So the critical one that can use basically, your local inter backup. Talking about the resiliency, resiliency is basically, uh, the one if you can install on the side 2 routers, that will be hardware level redundancy. If you can store 2 basically links, it will be a link level redundancy. And recovery procedure recovery procedures are basically the one which I would refer to. Like, your both devices should be connected by what you call TLOC or shunt link or sometimes you call it as bypass pairs in different different diction terminologies. Okay? So that can help you, basically, whenever you lose one of the link MPLS or Internet, it can use the other link to go to the network. Okay? Recovery, basically, recovery procedures are basically here sometimes for the enterprise grade. The recovery, um, enable to send recovery procedures. Recovery, what you can say, you need maybe for the recovery when you lost one of the devices. You can check from the TLOC interface, like, whether the link is up if the device is completely down. Okay? Else, you will need a remote access for that one. Okay? Maybe a console access, then you can check whether the WAN interface is down, why it's not forming the control connection with the controller. That's why it's not visible to you on the control itself. Okay? And, yep, tested resiliency. I've seen already told resiliency, network level redundancy. Recovery procedure for an recovery is just a minute. I think I think that's it for this one.

    Develop a strategy to prevent QoS policy in a mixed environment of CCI. Okay. Basically, and for the QoS policies, in order to do that one, first, you need to do a classification. Okay? Always, you need to first classify your traffic, okay, based on what type of traffic it is. Sometimes it's voice critical video. Sometimes it's just you know, normal Internet traffic, Netflix, Google. Okay. So first, that should be the classification part you always do. Once the classification is 2, then we basically assign them to different different queues. Okay? Different different queues have different different types of police and, uh, bandwidth, which is there. Okay? So you define different different bandwidths. First, you do basically classify divide, uh, traffic. Depending on classifying the traffic, you will basically send all the traffic to different different forwarding classes. Okay? And different different forwarding classes will basically have a different different police scheduler just in case if the device is get, uh, just in case if the, uh, interface gets congested. So there's a percentage of bandwidth link link bandwidth percentage assigned to each forwarding class. There's a policer. They can be concept of hard policer, soft policer. Hard policer is used when you don't want any traffic to go beyond certain level. Okay? So it will basically drop all the traffic after that one. So if basically, whenever a traffic goes way beyond a certain threshold, it will basically, uh, downgrades its, uh, class map. Okay? It will downgrade its class so that it can be sent by the other class in that one. Okay? After that, the classification after that, the forward is assigned to forwarding class depending on the level of scheduler for the outgoing queue. Okay? The outgoing interface scheduler, based on that one only, you will have that one, like, which traffic needs to be prioritized. Okay? Which traffic needs to be note. Okay? Like, it can be sometime when, uh, weighted as well as non weighted. In case of sometimes when there is a congestion, we have congestion avoidance algorithm, RED, random access, okay, and weighted random access algorithms as well, okay, which we can use in order to send this type of traffic first instead of this one. These are basically the congestion and avoidance algorithms we use in that case.

    Hope so the best script intended to configure be run on the network switch. Okay. For me, darling. Okay. I reported it. Only configure the last view in the. Expected to add and bring up on Ethernet 0. Okay. Bconfigadd ethernet0colonvlan. Ifconfig ethernet0 LAN up. And then you're gonna you don't even configure the last VLAN in the list. Why? Uh, because we are using a for loop, so VLAN should be there. Do config We configure at eth0vlanfconfig It's an s zero. VLAN pump. Not getting this one. Maybe it's a loop. That's why it's always get at 400. Why it's going only with, sorry,

    The following Python function, which is intended to filter out non whitelisted port from a network configuration distillery. What changes would you make to correct the logic? Okay. Def filter ports, network config. Okay. Filter config blank for service. Put in network config dot item. The support of our report filter config service. So 22/80/21. Okay. Then it will be created as 1, 22, 80, and 21. This will be a new list. And if we do port in network config dot items, Items will be this 1 only. If port in white listed port. Okay. Logic. Felt out no ownership. So that will be year 21. But what we are doing is when we are doing network config key and value combination key value key value, That is fine. Key and value concept. Then filter ports. Filter port is going b network config. Okay. Network config will go to the network config. Okay. Network config will then be updating an empty tuple. Right? It's not a mesh. It's a tuple. Okay. Okay. I think it's a tuple. You won't be able to add any thing to filter config because it's a tuple. No. It's a dictionary blank dictionary. Oh, sorry. It's a blank dictionary. Okay? After that one blank dictionary, what we are doing is port is in the white listed port. Okay? Port matches with the whitelist. Well, then we are filter config service equal to port. I don't think that it will work like this. I think we need to change here from both equal I think it will be filter config. Uh, if you're creating it as a dictionary, then sorry for getting the syntax, but I think the folder conf underscore config service equals to port. That needs to be changed.

    Design network data can scale horizontally. Okay. Improv a multi cloud environment in Azure and AWS. Network architecture. Scale horizontally. So scale horizontally is the concept, basically, when we are increasing the number of sharing the load. Okay? So it will be something like you are increasing the, uh, basically, you are increasing the number of okay. Machines are there, but you are not even in scale. You are increasing the number of hosts. Okay? Depending on that one, you will increase the number of processors and CPU. Okay? So that is what you will scale horizontally. Um, not getting the question. I'm sorry for that.

    Develop recovery plan to ensure business continuity following a security breach comprising LAN and WAN connectivity. Okay. You're saying business continuity even in the LAN breach security breach, are they providing the LAN? Uh, business continuity is basically the link availabilities or the network availability via the redundant path in just in case if there's a breach, okay, in the network. And breaches can be due to somebody violating the or somebody you forget to apply some access list on the networks, and still you have the path, so business continuity should be there. So what business continuity basically do is you will have still have that one. The network is up and running, but the breach will be identified and it will be blocked. And you will get the log as soon as somebody breaches that one. Okay? So network will be blocked for that particular segment. That's why we have the zone's concept in the network, trusted, untrusted zone. So if there's a breach, something somebody basically managed to get to the trust zone from the untrusted zone, then they will definitely will have the access. So, actually, in that point of time, we will what we will usually you can do is we can block it based on that number of attempts it can do in in the network. Okay? So there should be a limitation as well as there can be a security breach. In case of a recovery plan for this one, what we basically do is we can, uh, shut those ports. We need to have a backup plan for that one. I think that is what the question is about.