
SD WAN Technical Professional, British Telecom
Network Specialist, Aricent Technologies (Holdings) Limited
2nd Level Operations Engineer, Ericsson India Global Services Private Limited
IP Engineer, ZTE Telecom India Pvt. Ltd. (on payroll of Teamlease Services Ltd.)

Skills: MATLAB, PuTTY, Wireshark, BMC Remedy, Prisma Cloud, Zscaler, Python, Microsoft Azure, AWS
Could you help me understand more about groups? Hello. My name is. I have been working with BT Group for almost the last four and a half years, as part of the Diviners team, which we could call a centre of excellence team in BT. We are the major key players, or you could say we have a key role, in BT in terms of the SD WAN product. We basically deal with five products: Nokia Nuage, Cisco Webex, VMware VeloCloud, Palo Alto Prisma SD WAN, and Fortinet SD WAN. I'm leading three products right now, Palo Alto and VeloCloud, and we're working with Taylor on the third one. I'm handling four to five people, and I'm the SME here. We manage all the SD WAN changes here: all the design-related work, the incubation work, pilot sites, DC sites, and migrations. We also do work for the product line team; we work closely with the product line team and tech engineers to roll out any software and do testing, new version testing, and new feature testing that needs to be done by us. We are not an account-specific team; we are a global team, so we are the third-plus level escalation for all the account teams in BT who manage their own customers. That's what we really do. Talking about my experience, I have nine years of working experience. I have worked with network operations, network design, mobile networks as well as internet networks, and enterprise telecom networks. I have a good, solid understanding at CCNP and CCIE level, with multi-product experience working with Palo Alto, Alcatel-Lucent, as well as Nokia. So I have a mix of experience: I've worked in a multi-vendor environment and have a good, solid understanding of network engineering. Thank you.
Configure a secure and scalable way to manage distributed firewalls across different network segments, including LAN, WAN, and cloud networks. In that case, a secure and scalable way to manage distributed firewalls across different network segments, including LAN, WAN, and cloud networks, would be to implement a zone-based policy. If you want to use a firewall and secure all zones, you can create a trusted zone, such as the LAN, where you have all the users with private IP addresses such as 10.x.x.x, 172.x.x.x, or 192.168.x.x. The WAN zone can be an untrusted zone, and the cloud network can be part of a secured WAN. There will be three zones: the trusted LAN zone, the untrusted WAN zone, and the cloud network. You need different policies for each zone. The firewall policy should first allow traffic from LAN to WAN and from LAN to the cloud network. The WAN zone can access the normal internet, apart from any application not hosted on the cloud network. For traffic coming from the LAN side, you want that traffic to break out to the cloud based on the types of traffic you want to allow. This can be done by selecting a next hop based on filtering on the source and destination combination. If the destination is not hosted on the cloud network, you can select a different path or send it directly to the local breakout or normal internet. If the traffic is for an application hosted on the cloud, you can use a next hop such as an IKEv2 or IPsec tunnel that you have created with your cloud provider, maybe Prisma or Zscaler. Any other local traffic can be sent via the local internet breakout, but internet-based traffic can be sent to the cloud application via the IPsec tunnel. It will be a zone-based combination, where you configure different policies for each zone to ensure secure and scalable management of distributed firewalls across different network segments.
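The zone-pair policy and next-hop selection described in that answer, written out as an added example (this is not code from the interview or from any vendor's firewall). The zone prefixes, the cloud application range (TEST-NET-3), the next-hop names and the sample flows are constructed; the point it shows is that a flow is matched on its (source zone, destination zone) pair, first match wins, and anything that matches no rule is denied.

```python
"""Zone-based firewall policy with next-hop selection.

Added example, not code from the interview or from any vendor product.
Zone prefixes, the cloud application range (TEST-NET-3) and the next-hop
names are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Trusted LAN is RFC 1918 space; the "cloud" zone holds constructed
# addresses of applications hosted behind the cloud provider.
ZONES = {
    "lan": [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "cloud": [ipaddress.ip_network("203.0.113.0/24")],
}


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything not LAN or cloud is the untrusted WAN."""
    ip = ipaddress.ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "wan"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                      # "allow" or "deny"
    next_hop: Optional[str] = None   # egress chosen when the rule allows


# Ordered zone-pair policy: first match wins, implicit deny at the end.
POLICY = [
    Rule("lan", "cloud", "allow", "ipsec-tunnel-to-cloud-provider"),  # cloud-hosted apps via IPsec
    Rule("lan", "wan", "allow", "local-internet-breakout"),            # other internet traffic
    Rule("lan", "lan", "allow", "local-forwarding"),
    Rule("wan", "lan", "deny"),                                        # untrusted may not initiate inbound
]


def evaluate(src: str, dst: str) -> Tuple[str, Optional[str]]:
    """Return (action, next_hop) for a flow; unmatched zone pairs are denied."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for rule in POLICY:
        if rule.src_zone == src_zone and rule.dst_zone == dst_zone:
            return rule.action, rule.next_hop
    return "deny", None


if __name__ == "__main__":
    # Constructed sample flows: LAN->cloud app, LAN->internet, WAN->LAN.
    for flow in (("10.1.2.3", "203.0.113.10"), ("192.168.1.5", "8.8.8.8"), ("198.51.100.7", "10.0.0.1")):
        print(flow, "->", evaluate(*flow))
```

The implicit deny at the end of `evaluate` is what makes the policy safe to extend: a new segment that has no rule yet gets no access until one is written for it.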
Describe a network monitoring strategy that could alert on issues in both LAN and VPN connections. Well, in that case, the network monitoring strategy, which I understand as the centralized monitoring you are referring to, could alert on issues in both LAN and WAN. Based on that, one thing you can do is network monitoring. I think you can use SNMP, or you can use NETCONF. These types of protocols are well known for any type of monitoring, to fetch the information data. For monitoring purposes as well, these protocols basically fetch statistics from the devices at a particular rate, at a particular interval, so anything that is coming, any type of trap, any type of alarm that is generated on the device itself, can be sent to the centralized controller. It can be any SNMP server that is hosted, and it can show you those. From the network monitoring strategy, it can show you both that the LAN interface is down and link degradation; if you have defined certain parameters, IP SLA tracking, these types of things, it can show from the LAN and WAN perspective. For the VPN connection, it can show you that IPsec tunnels or GRE tunnels are going up and down, that you are seeing some fragmentation issue, or some key mismatch, those types of things, so that can be done as well from the VPN connection perspective. Talking about the implementation, you just need to have an SNMP configuration on your device, or you can do NETCONF, like I said. Every device these days supports NETCONF, and NETCONF basically works over SSH, port number 22, so I don't think that it will be a challenge.
Describe a VPN solution that integrates with both AWS and Azure to provide secure remote access to your organization's resources. Secure VPN access basically allows remote access, which requires an integration: whenever your remote users try to access an enterprise application from their BYOD devices, laptops, or personal mobile devices, they can use an application like Cisco AnyConnect, Palo Alto GlobalProtect, or any other client they prefer. From there, they can use internal applications once they have valid credentials, multi-factor authentication is enabled, and a token has been generated; then they can securely log in. Depending on the VPN solution that integrates with both AWS and Azure, it will directly connect the remote user to the local site VPN concentrator, where we have the breakout for local traffic as well as the internet. To access an internal application, the remote user can use the local range, going through the data center or logging in from the VPN concentrator. If they want to access AWS- and Azure-hosted applications, they can be set up to go directly through the VPN concentrator devices, which will have IPsec or GRE tunnels towards the AWS and Azure cloud. Sometimes a device is installed in the AWS or Azure cloud, which runs an IPsec connection from your end device to the router installed on AWS or Azure. That's what it usually does, and that is how the VPN solution works.
How would you validate network resilience and recovery procedures for enterprise-scale SDN infrastructure? For an enterprise-scale SDN structure, we need to validate network resiliency. I mean, you should have a fallback. Just in case: if you look at a normal SDN structure, there are things like IPsec tunnels. You will form a connection to the Zscaler or Prisma cloud for internet access. Talking about resiliency, let's suppose we lose both IPsec tunnels to different cell nodes. At that time you should have a local internet breakout, at least for those applications, so the critical ones can use the local internet backup. Resiliency is basically where you install two routers, which will be hardware-level redundancy; if you have two links, it will be link-level redundancy. Recovery procedures are basically the ones I would refer to like this: your two devices should be connected by what you call a lock or shunt link, or sometimes a bypass pair, in different terminologies. That can help you: whenever you lose one of the links, MPLS or internet, it can use the other link to reach the network. Recovery procedures are basically here, sometimes for the enterprise grade. The recovery enables you to send recovery procedures. Recovery is, you could say, what you need when you lose one of the devices. You can check from the lock interface whether the link is up or if the device is completely down. Otherwise, you will need remote access for that one, maybe console access; then you can check whether the WAN interface is down, and why it's not forming the control connection with the controller, which is why it's not visible to you on the controller itself. And yes, tested resiliency: I've already told you about resiliency and network-level redundancy. Recovery procedure for an emergency, just a minute. I think that's it for this one.
Okay. Basically, for the QoS policies, in order to do that, first you need to do classification. You always need to first classify your traffic based on what type of traffic it is. Sometimes it's voice, critical, or video; sometimes it's just normal internet traffic, like Netflix or Google. So first, that should be the classification part you always do. Once the classification is done, we basically assign them to different queues. Different queues have different types of policies and bandwidth, so you define different bandwidths. First, you classify and divide the traffic. Depending on the classification, you will send all the traffic to different forwarding classes, and different forwarding classes will have a different policer and scheduler. Just in case the interface gets congested, there's a percentage of link bandwidth assigned to each forwarding class. There's a policer, which can be a hard policer or a soft policer. A hard policer is used when you don't want any traffic to go beyond a certain level, so it will drop all the traffic after that. If traffic goes way beyond a certain threshold, it will downgrade its class map; it will downgrade its class so that it can be sent by the other class. After the classification, the traffic is assigned to a forwarding class depending on the level of the scheduler for the outgoing queue. The outgoing interface scheduler, based on that, will determine which traffic needs to be prioritized and which traffic needs to be noted. It can be weighted as well as non-weighted. In case of congestion, we have congestion avoidance algorithms, like RED (random early detection) and weighted random early detection (WRED), which we can use to send this type of traffic first instead of that one.
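The classify, forwarding-class, policer and scheduler chain from that answer, as an added example rather than anything from the interview or a vendor's QoS implementation. The class names, the per-interval byte budgets standing in for bandwidth percentages, the DSCP-to-class mapping and the six sample packets are constructed. It shows the difference the answer draws between a hard policer (excess dropped) and a soft one (excess remarked into the lower class), and a strict-priority scheduler draining the queues.

```python
"""QoS pipeline: classify -> forwarding class -> policer -> scheduler.

Added example, not from the interview or any vendor's QoS implementation.
Class names, per-interval rates, DSCP mappings and the sample packets are
constructed; the "rate" is bytes allowed per scheduling interval.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ForwardingClass:
    name: str
    priority: int              # lower value is served first by the scheduler
    rate_bytes: int            # policer budget per interval (constructed)
    hard: bool                 # hard policer drops excess; soft policer downgrades it
    downgrade: Optional[str]   # class that excess is remarked into (soft policer only)
    used: int = 0
    queue: List[dict] = field(default_factory=list)


CLASSES: Dict[str, ForwardingClass] = {
    "voice": ForwardingClass("voice", 0, 1000, hard=True, downgrade=None),
    "video": ForwardingClass("video", 1, 2000, hard=False, downgrade="best-effort"),
    "best-effort": ForwardingClass("best-effort", 2, 3000, hard=False, downgrade=None),
}


def classify(pkt: dict) -> str:
    """Classification step: DSCP EF -> voice, AF4x -> video, everything else best-effort."""
    dscp = pkt.get("dscp", 0)
    if dscp == 46:
        return "voice"
    if dscp in (34, 36, 38):
        return "video"
    return "best-effort"


def police(pkt: dict, cls_name: str, dropped: List[dict]) -> Optional[str]:
    """Enforce the class budget; returns the class the packet was queued in, or None if dropped."""
    fc = CLASSES[cls_name]
    if fc.used + pkt["size"] <= fc.rate_bytes:
        fc.used += pkt["size"]
        fc.queue.append(pkt)
        return cls_name
    if fc.hard or fc.downgrade is None:
        dropped.append(pkt)                          # hard policer, or nothing lower to fall to: drop
        return None
    return police(pkt, fc.downgrade, dropped)        # soft policer: remark into the lower class


def schedule() -> List[dict]:
    """Strict-priority scheduler: drain queues in priority order."""
    out: List[dict] = []
    for fc in sorted(CLASSES.values(), key=lambda c: c.priority):
        out.extend(fc.queue)
    return out


def run(packets: List[dict]):
    """Run one scheduling interval; returns (placement by id, transmit order, dropped ids)."""
    for fc in CLASSES.values():
        fc.used, fc.queue = 0, []
    dropped: List[dict] = []
    placement = {p["id"]: police(p, classify(p), dropped) for p in packets}
    return placement, [p["id"] for p in schedule()], [p["id"] for p in dropped]


# Constructed sample packets for one interval.
SAMPLE_PACKETS = [
    {"id": "p1", "dscp": 46, "size": 600},
    {"id": "p2", "dscp": 46, "size": 600},    # exceeds voice budget: hard-dropped
    {"id": "p3", "dscp": 34, "size": 1500},
    {"id": "p4", "dscp": 34, "size": 1500},   # exceeds video budget: soft policer downgrades it
    {"id": "p5", "dscp": 0, "size": 1200},
    {"id": "p6", "dscp": 0, "size": 500},     # best-effort budget exhausted, no lower class: dropped
]

if __name__ == "__main__":
    print(run(SAMPLE_PACKETS))
```

Running it shows the voice packet leaving first, the downgraded video packet leaving in the best-effort queue, and the two policed-out packets reported as dropped; a weighted scheduler would replace the `sorted(..., key=priority)` drain with per-class weights.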
Hope so the best script intended to configure be run on the network switch. Okay. For me, darling. Okay. I reported it. Only configure the last view in the expected to add and bring up on Ethernet 0. Okay. I configured add ethernet0:0. Ifconfig ethernet0 LAN up. And then you're gonna configure the last VLAN in the list. Why? Because we are using a for loop, so VLAN should be there. Do config We configure at eth0.0 ifconfig. It's an s VLAN zero. VLAN up. Not getting this one. Maybe it's a loop. That's why it's always getting at 400. It's going only with, sorry.
The following Python function is intended to filter out non-whitelisted ports from a network configuration dictionary. What changes would you make to correct the logic? Okay. def filter_ports(network_config). Okay. filtered_config = {} blank. for service, port in network_config.items(). The whitelisted ports are 22/80/21. Okay. Then it will be created as a list: 22, 80, and 21. This will be a new list. And if we do "for port in network_config.items()" it will be this one only. "if port in whitelisted_ports". Okay. Logic: filter out non-whitelisted ports. So that will be 21 here. But what we are doing is, when we are doing the network_config key and value combination, key value, key value, that is fine. Key and value concept. Then filter_ports. filter_ports is getting network_config. Okay. network_config will go to the network config. Okay. network_config will then be updating an empty tuple. Right? It's not a map. It's a tuple. Okay. Okay. I think it's a tuple. You won't be able to add anything to filtered_config because it's a tuple. No. It's a dictionary, a blank dictionary. Oh, sorry. It's a blank dictionary. Okay? After that blank dictionary, what we are doing is: port is in the whitelisted ports. Okay? Port matches with the whitelist. Well, then we are setting filtered_config service equal to port. I don't think that it will work like this. I think we need to change here from the double equals. I think it will be filtered_config. If you're creating it as a dictionary, then, sorry for forgetting the syntax, but I think it should be filtered_config[service] = port. That needs to be changed.
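A working version of the filter, as an added example rather than the interview's code. The "buggy" function reproduces the kind of defect the answer circles around (a comparison where an assignment into the dictionary was needed) and is an assumption about what the original looked like; the corrected function uses subscript assignment, and a third variant returns the rejected entries as well so they can be logged. The sample service-to-port mapping and the whitelist are constructed.

```python
"""filter_ports: keep only whitelisted ports from a service -> port mapping.

Added example, not the interview's code. filter_ports_buggy is an assumed
reconstruction of the defect (comparison instead of assignment); the sample
config and whitelist are constructed.
"""
from typing import Dict, Iterable, Tuple


def filter_ports_buggy(network_config: Dict[str, int], whitelisted_ports: Iterable[int]) -> Dict[str, int]:
    """Assumed original defect: '==' compares and discards the result, so nothing is ever stored."""
    filtered_config = {}
    for service, port in network_config.items():
        if port in whitelisted_ports:
            filtered_config.get(service) == port   # no-op comparison; the dict stays empty
    return filtered_config


def filter_ports(network_config: Dict[str, int], whitelisted_ports: Iterable[int]) -> Dict[str, int]:
    """Corrected version: subscript assignment stores the allowed entry."""
    allowed = set(whitelisted_ports)    # set membership; also tolerates a one-shot iterable
    filtered_config: Dict[str, int] = {}
    for service, port in network_config.items():
        if port in allowed:
            filtered_config[service] = port
    return filtered_config


def filter_ports_with_audit(network_config: Dict[str, object],
                            whitelisted_ports: Iterable[int]) -> Tuple[Dict[str, int], Dict[str, object]]:
    """Returns (kept, rejected) so rejected services can be logged.

    Ports given as strings are normalised to int; anything that is not a
    port number at all is rejected rather than silently passed through.
    """
    allowed = set(whitelisted_ports)
    kept: Dict[str, int] = {}
    rejected: Dict[str, object] = {}
    for service, port in network_config.items():
        try:
            port_num = int(port)
        except (TypeError, ValueError):
            rejected[service] = port
            continue
        if port_num in allowed:
            kept[service] = port_num
        else:
            rejected[service] = port_num
    return kept, rejected


# Constructed sample input: a clean config and a messy one with a string port and junk.
SAMPLE_CONFIG = {"ssh": 22, "http": 80, "ftp": 21, "telnet": 23, "https": 443}
MESSY_CONFIG = {**SAMPLE_CONFIG, "https": "443", "snmp": "n/a"}
WHITELIST = [22, 80, 443]

if __name__ == "__main__":
    print("buggy:", filter_ports_buggy(SAMPLE_CONFIG, WHITELIST))
    print("fixed:", filter_ports(SAMPLE_CONFIG, WHITELIST))
    print("audit:", filter_ports_with_audit(MESSY_CONFIG, WHITELIST))
```

The buggy form returns an empty dictionary for every input, which is the kind of silent failure that makes a config filter look like it is working while nothing is being allowed through; the audit variant makes the rejected services visible, which is what you want when the filter is the control that keeps FTP and Telnet out of a deployed configuration.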
Design a network that can scale horizontally. Okay, improving a multi-cloud environment in Azure and AWS so the network architecture scales horizontally. Scaling horizontally is the concept where we increase the number of resources sharing the load. It's like increasing the number of machines: not just scaling up the existing ones, but adding more hosts. Depending on that, you'll increase the number of processors and CPUs. That's what scaling horizontally is.
Develop a recovery plan to ensure business continuity following a security breach involving LAN and WAN connectivity. You're saying business continuity even in the event of a LAN security breach; that is ensuring link or network availability via a redundant path in case of a breach in the network. Breaches can occur due to someone violating security protocols or forgetting to apply access lists on the network, but you still have a path, so business continuity should be there. What business continuity basically does is: you still have the network up and running, but the breach is identified and blocked. You also get a log as soon as someone breaches the system, and the network will be blocked for that particular segment. That's why we have the concept of zones in the network, trusted and untrusted zones. If there's a breach and someone managed to get from the untrusted zone to the trusted zone, they will definitely have access. At that point, we usually block based on the number of attempts in the network; there should be a limitation on the number of attempts as a security measure. In the case of a recovery plan for this, what we basically do is shut down those ports. We need to have a backup plan for this one.