New Office, New Network. Questions.

Nikolai Petrov prnpetrov at yandex.com
Tue Jul 12 12:40:57 UTC 2016


Hello! I have replied to you inline! 

> On Sun, Jul 10, 2016 at 2:53 PM, Nikolai Petrov <prnpetrov at yandex.com> wrote:
> 
>> I thought of taking the chance to remove some
>> "technical debt" and make everything from
>> scratch again.
> 
> Hi Nikolai,
> 
> This is a rookie mistake. Every in-place system encodes business
> knowledge, most of it forgotten and much of it still relevant. From
> your comments I infer that you haven't been doing the job long enough
> to know where the skeletons are buried.

Indeed, I do not have the experience of the previous person who set it up, but I have seen many things that appear not to be good and cause "friction" to the employees.

> 
>> 1. Currently we do not have IPv6 in our network but I
>> have seen the ISP is giving us a "/56 Block" which
>> from what I understand is a couple hundred "/64 Subnets".
> 
> Good for you! We've been urging folks to deploy IPv6 for years and
> you're taking the advice to heart.
> 
> Now stop. IPv6 has enough inherent issues and problems that you'll
> want to deploy it when your configuration is otherwise quiescent. If
> you do it while also making other large changes, you're begging to get
> hurt.

I know, but I think the time I have is more than enough for IPv4 and "if I don't do it now, I may never do it".

> 
>> 2. The previous administrator did some bad
>> job in some parts of the network. We have
>> an internal router protocol to move traffic between
>> routers, but in some cases he used NAT instead
>> of adding these subnets to the router protocol.
> 
> I urge you to tread lightly. You don't know what business knowledge
> was encoded in this configuration. Maybe the servers respond
> differently depending on whether the source is internal or external
> and some of the origins should be treated to the external rules.

No, this is the same behavior and currently employees have access to routers so they can port forward so other departments can reach their computers. We also use "UPnP" in these routers because some applications need direct host to host communication. Both subnets are trusted in the current design. I wouldn't claim this if I wasn't sure. Currently I have not found a single legitimate use and I have asked users, server administrators, etc.

> 
>> I have found two protocols in our router that are
>> good and support IPv6 and they are OSPF
>> and BGP.
> 
> OSPF is an interior gateway protocol. Use between routers within your
> network. BGP is an exterior gateway protocol. Use it when you want to
> talk to multiple ISPs at the same time.

I was talking about BGP with private "ASNs" to be used internally and if we ever make a BGP connection to the Internet in the future, use a different router table and a route aggregate.

> 
>> 3. In our old network we use "VRRP" which from
>> what I know is a system for routers to share IPs
>> and load balance or "failover" the traffic. I have
>> seen that IPv6 has a built-in system which is similar
>> and has something like priorities, etc. What
>> happens if I have two routers with same priority?
> 
> If the guy who wrote the stack wasn't asleep at the switch, the host
> will pick one and use it as long as the router keeps advertising it.
> But it's not a good idea to tempt fate - set each router at a
> different priority.

I know, but one team is responsible for marketing and is doing video editing from a file server, so we have a lot of workstations moving at Gigabit speeds. I thought of two solutions:

Buy a switch with a 10 Gb/s port to connect to the file server subnet, which seems overkill because the cheapest I can find has 48 ports and we'll need 7. The second solution was to add a 16-port Gigabit switch and then have 2-3 routers move traffic to the file servers and give each client a different gw. This ensures redundancy and possibly more bandwidth.

> 
> IPv6 router advertisements are nothing like IPv4 VRRP. In IPv4, hosts
> receive a single default gateway. VRRP lets two or more routers decide
> among themselves who will serve up the IP address for that default
> gateway. And then swap it when the router serving the address breaks.
> 
> IPv6 hosts can have more than one default gateway. Each router with a
> path to the Internet can offer to act as a default gateway and hosts will
> accept and use it. Preventing machines which should not act as default
> gateways from making offers that the hosts hear and use is one of the
> many idiosyncrasies you'll enjoy debugging when you first deploy IPv6.
> 
>> Also, can I use "VRRP" to load balance traffic to
>> our DNS look-up "recursor"?
> 
> No. VRRP is a failover system. It has nothing to do with load balancing.
> 
> Regards,
> Bill Herrin
> 
> --
> William Herrin ................ herrin at dirtside.com bill at herrin.us
> Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
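The two IPv6 points raised in the reply above, that any machine on the segment can offer itself as a default gateway and that two routers at the same preference leave the host to pick, as an added example that is not part of the original thread: a small Python parser for ICMPv6 Router Advertisements (RFC 4861 fixed header and options, RFC 4191 Prf bits) and an audit that flags advertisements from link-layer addresses not on an allow-list, prefixes outside the site's delegated /56, and two default routers announcing the same preference. The packets, MAC addresses, link-local sources and the 2001:db8:1200::/56 prefix are constructed for the example; the ICMPv6 checksum is left at zero because the parser does not verify it. In practice the bytes would come from the ICMPv6 payload of a capture filtered on type 134.

```python
"""Parse ICMPv6 Router Advertisements and audit them for rogue routers and
preference ties. Illustration added to this thread; all packets are constructed."""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network
from typing import Dict, Iterable, List, Optional, Set

ICMPV6_ROUTER_ADVERT = 134
OPT_SOURCE_LLADDR = 1      # RFC 4861 section 4.6.1
OPT_PREFIX_INFO = 3        # RFC 4861 section 4.6.2
# RFC 4191 "Prf" field, bits 4-3 of the flags byte. 0b10 is reserved and a
# receiver must treat it as medium (0b00).
PREF_NAMES = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "medium"}
PREF_BITS = {"high": 0b01, "medium": 0b00, "low": 0b11}

# Assumed site values for the example (not from the thread).
SITE_PREFIX = IPv6Network("2001:db8:1200::/56")
ALLOWED_ROUTERS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}


@dataclass
class RouterAdvert:
    src: IPv6Address
    hop_limit: int
    managed: bool            # M flag: addresses via DHCPv6
    other: bool              # O flag: other config (DNS etc.) via DHCPv6
    preference: str          # high / medium / low (RFC 4191)
    router_lifetime: int     # seconds; 0 means "I am not a default router"
    lladdr: Optional[str] = None
    prefixes: List[IPv6Network] = field(default_factory=list)


def parse_ra(src: str, data: bytes) -> RouterAdvert:
    """Parse the ICMPv6 payload of a Router Advertisement (checksum not verified)."""
    if len(data) < 16:
        raise ValueError("RA shorter than the 16-byte fixed header")
    typ, code, _csum, hop, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", data[:16])
    if typ != ICMPV6_ROUTER_ADVERT or code != 0:
        raise ValueError(f"not a Router Advertisement: type={typ} code={code}")
    ra = RouterAdvert(src=IPv6Address(src), hop_limit=hop,
                      managed=bool(flags & 0x80), other=bool(flags & 0x40),
                      preference=PREF_NAMES[(flags >> 3) & 0b11],
                      router_lifetime=lifetime)
    off = 16
    while off < len(data):                      # walk the TLV options
        if off + 2 > len(data):
            raise ValueError("truncated option header")
        otype, olen = data[off], data[off + 1]  # length is in units of 8 octets
        if olen == 0:                           # RFC 4861 4.6: must be discarded
            raise ValueError("zero-length option")
        end = off + olen * 8
        if end > len(data):
            raise ValueError("option runs past end of packet")
        body = data[off + 2:end]
        if otype == OPT_SOURCE_LLADDR and olen == 1:
            ra.lladdr = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == OPT_PREFIX_INFO and olen == 4:
            plen = body[0]                      # prefix length, then flags, lifetimes, reserved
            prefix = IPv6Address(body[14:30])   # 16-byte prefix at the end of the option
            ra.prefixes.append(IPv6Network((prefix, plen), strict=False))
        off = end                               # unknown options are skipped, as RFC 4861 requires
    return ra


def build_ra(preference: str, router_lifetime: int, prefix: str, lladdr: str,
             hop_limit: int = 64) -> bytes:
    """Construct a test RA payload with a source link-layer and a prefix option."""
    flags = PREF_BITS[preference] << 3
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, hop_limit, flags,
                      router_lifetime, 0, 0)
    opt_ll = bytes([OPT_SOURCE_LLADDR, 1]) + bytes.fromhex(lladdr.replace(":", ""))
    net = IPv6Network(prefix)
    opt_pi = (bytes([OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0])   # L and A flags set
              + struct.pack("!III", 2592000, 604800, 0)          # valid, preferred, reserved
              + net.network_address.packed)
    return hdr + opt_ll + opt_pi


def audit_advertisements(ras: Iterable[RouterAdvert], allowed_lladdrs: Set[str],
                         site_prefix: IPv6Network) -> List[str]:
    """Flag rogue sources, foreign prefixes and default routers sharing a preference."""
    findings: List[str] = []
    by_pref: Dict[str, List[RouterAdvert]] = {}
    for ra in ras:
        if ra.lladdr not in allowed_lladdrs:
            findings.append(f"rogue RA from {ra.src} ({ra.lladdr}) with preference {ra.preference}")
        for p in ra.prefixes:
            if not p.subnet_of(site_prefix):
                findings.append(f"prefix {p} from {ra.src} is outside {site_prefix}")
        if ra.router_lifetime > 0:              # lifetime 0 withdraws the router, no tie
            by_pref.setdefault(ra.preference, []).append(ra)
    for pref, group in by_pref.items():
        if len(group) > 1:
            who = ", ".join(str(r.src) for r in group)
            findings.append(f"{len(group)} routers advertise the same preference '{pref}': "
                            f"{who}; give each a distinct RFC 4191 preference")
    return findings


def sample_advertisements() -> List[RouterAdvert]:
    """Constructed segment: two legitimate routers at equal preference plus a rogue."""
    wire = [
        ("fe80::1", build_ra("medium", 1800, "2001:db8:1200::/64", "00:11:22:33:44:01")),
        ("fe80::2", build_ra("medium", 1800, "2001:db8:1200::/64", "00:11:22:33:44:02")),
        ("fe80::bad", build_ra("high", 9000, "2001:db8:ffff::/64", "de:ad:be:ef:00:01")),
    ]
    return [parse_ra(src, pkt) for src, pkt in wire]


if __name__ == "__main__":
    for finding in audit_advertisements(sample_advertisements(), ALLOWED_ROUTERS, SITE_PREFIX):
        print(finding)
```

The audit is deliberately conservative: it does not try to decide which of two equal-preference routers a host will pick, because that is exactly the stack-dependent behaviour the reply warns about; it only reports that the tie exists so the preferences can be set apart on the routers.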
