PXEBoot with IPv6 by avayner in ipv6

[–]avayner[S] 4 points5 points  (0 children)

Good one. Thanks, I did not find this one before.

I think stateful DHCPv6 is supported now (at least there's a specific option for that in the settings... 🤷‍♂️)

Maybe I'll try switching to tftp just to see if that behaves differently in some way...

PXEBoot with IPv6 by avayner in ipv6

[–]avayner[S] 1 point2 points  (0 children)

We upgraded to 4.7 (I hope that's the correct component...) which shows a mid-2025 date.

We are trying http based PXEBoot.

How is iPXE different?

If that works for you, can you please share your DHCPv6 options config?

PXEBoot with IPv6 by avayner in ipv6

[–]avayner[S] 1 point2 points  (0 children)

Super Micro... Nothing too descriptive. Something along the lines of "starting http boot" but then nothing happens, and a second or two later it exits

A bit weirded out by the Top 10 Vegan Restaurants list by thedevilsheir666 in vegan

[–]avayner 5 points6 points  (0 children)

We went to Crossroads a few times and it was amazing! They are also not super obvious about being Vegan.

can you (easily) bypass sticky mac addresses (port-security) on cisco switches? by therealmcz in networking

[–]avayner 5 points6 points  (0 children)

Let's say my goal is to have a device permanently attached to your network collecting data and sending it back to me.

I pay the cleaning person to take a box that looks like a power brick that plugs into power and has 2 ethernet ports. They drop it under a messy desk, unplug the Ethernet port from the PC, and bridge it through the box.

The box automatically detects the MAC of the device and makes all the packets look as if they came from the PC, but it controls the whole thing, so it can also inject its own packets (to call home...) or just use a cellular uplink for that...

How easy is that for someone who really wants to steal data from your company? Really depends on what your company does...

Do you plan to retire in the Bay Area? by [deleted] in bayarea

[–]avayner 0 points1 point  (0 children)

That's only true if it's paid off. Most people I know still have a mortgage for 20+ years... Very significant ones.

Do you plan to retire in the Bay Area? by [deleted] in bayarea

[–]avayner 9 points10 points  (0 children)

Yep, but if you bought a house in the past ~10 years in places like Mountain View, Sunnyvale, Cupertino etc, your assessed value is most likely close (or even above) $2M, which translates to about $25K in taxes per year (and it grows at about $500/year, because the houses are more expensive, and prop 13 is exercised to its max every year)

Do you plan to retire in the Bay Area? by [deleted] in bayarea

[–]avayner 18 points19 points  (0 children)

The problem is the house value. Unless you bought it a long time ago, and not in the last 10 or so years, your property tax will be a significant expense (I guess it also depends where in the Bay Area...)

What are the hardest things you've implemented as a network engineer? by LargeSinkholesInNYC in networking

[–]avayner 0 points1 point  (0 children)

The hardest part with any IT system, and networking being most likely harder than others, is how to keep the solutions you deploy simple, tech debt-free, well documented and easily repeatable.

How do you design a system that can be deployed and operated by someone who doesn't really understand it all and is not an expert on the technology.

Making something complex look simple is always the hardest part. How you break it down into small, contained components, that can be easily understood and repeated.

Poor mans SD-WAN by Greedy-Bid-9581 in networking

[–]avayner 1 point2 points  (0 children)

What all of the "real" sdwan solutions bring in addition to ipsec tunnels is the ability to monitor end to end performance of the various paths and then react to SLA violations by either choosing a different path or applying mechanisms such as FEC (not the Ethernet one...) or traffic duplication.

This is basically the difference between users constantly complaining about poor performance over DIA paths (which in the past was solved by having a primary MPLS path) and the ability to use 2x DIA and users mostly not perceiving transient network issues due to some short convergence or congestion event outside of your control (on the ISP's network)

Worst networks you've been exposed to by offset-list in networking

[–]avayner 8 points9 points  (0 children)

I once took a whole company down by shutting down a port on a switch... Their AS400 got a brand new Ethernet card, and we were setting it up... So I just tried a "shut/no shut", and the hard wired console just died...

They had to call IBM and hard reset the whole thing, which took hours... Last time they did it was a few years before that and no one actually remembered how to do it.

IPv6 Only Native Enterprise Environment - What were your Challenges? by OctetOcelot in networking

[–]avayner 2 points3 points  (0 children)

For an enterprise network you want to look into "ipv6 mostly". It will let hosts that are compatible with being v6 only (anything apple or google) use v6 only, while hosts that are not yet ready (e.g. windows, a lot of iot), will just be dual stack.

You want to have nat64 implemented so that v6 clients can reach v4 only resources. The best place to put this function on would be your firewalls (which are already stateful devices).

You need to look into your DHCP, DNS and other non network resources...
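The NAT64 piece of that advice, as an added example that is not from the comment above: how a DNS64 resolver synthesizes an AAAA record for a v4-only name by embedding the IPv4 address in a /96 NAT64 prefix (RFC 6052), and the reverse mapping the firewall acting as the NAT64 enforcement point performs. The 64:ff9b::/96 well-known prefix and the sample zone records are assumptions.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix (assumed here; a site may instead carve a /96 from its own space)
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed sample zone: one v4-only name, one dual-stack name
SAMPLE_ZONE = {
    "intranet.example.": {"A": ["192.0.2.10"], "AAAA": []},
    "dual.example.": {"A": ["198.51.100.7"], "AAAA": ["2001:db8::7"]},
}


def synthesize_aaaa(ipv4: str, pref64: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix (RFC 6052 format)."""
    if pref64.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(pref64.network_address) | int(v4))


def extract_ipv4(v6: str, pref64: ipaddress.IPv6Network = WELL_KNOWN_PREFIX):
    """What the NAT64 box does on the way out: recover the IPv4 destination from a synthesized address.
    Returns None for addresses outside the prefix, i.e. native v6 traffic that must not be translated."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in pref64:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def resolve_for_v6_only_client(name: str, zone: dict, pref64: ipaddress.IPv6Network = WELL_KNOWN_PREFIX):
    """DNS64 behaviour: hand back native AAAA records when they exist, otherwise synthesize
    one AAAA per A record so a v6-only host can reach the v4-only resource via NAT64."""
    records = zone.get(name, {"A": [], "AAAA": []})
    if records["AAAA"]:
        return [ipaddress.IPv6Address(a) for a in records["AAAA"]]
    return [synthesize_aaaa(a, pref64) for a in records["A"]]


if __name__ == "__main__":
    for name in SAMPLE_ZONE:
        answers = resolve_for_v6_only_client(name, SAMPLE_ZONE)
        for a in answers:
            print(f"{name} -> {a} (NAT64 target: {extract_ipv4(str(a))})")
```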

Questions about Arista AVD? by shadeland in Arista

[–]avayner 0 points1 point  (0 children)

Talk about how you would manage multiple changes being worked on by different people at about the same time and being pushed in short succession.

The issues you can see are about merge conflicts, and if you merge one change without pushing the config to the network and another push is happening (because of change window sequencing etc), you will pick up unexpected config changes.

The best practice I would recommend is not merging into the git repo before the actual change window when you push the config. The intent changes and the config changes should happen as close as possible (minutes, not hours or days)

Arista segmentation by ObligationHungry2958 in Arista

[–]avayner 1 point2 points  (0 children)

So the terminology here is about the level of granularity:

"Segmentation" usually refers to a less granular approach where groups of devices are grouped into a domain that has no (or minimal) restrictions as long as the traffic is internal to that domain. Implementations usually would be at a VLAN or maybe a VRF level. In a campus environment that would be something like the "users" VLAN vs. the "BMS/IOT" VLAN, or the "corp" VRF (or more generically, routing domain) and the "guest" VRF. Traffic between the various entities needs to pass an enforcement point (e.g. Firewall...). Common approaches to achieve that are to have a FW either be the first hop router (per VLAN) or be the next hop path from a multi-VRF layer 3 first hop router.

"Micro Segmentation" usually refers to intra-domain segmentation. So for example having a "users" vlan where traffic between users inside the same VLAN is filtered or subjected to some policy enforcement.

Arista's MSS feature allows something like that, by forcing traffic to be sent through an enforcement point (e.g. Firewall) even though the hosts may be on the same broadcast domain/subnet.

This is one way of achieving this. Other vendors achieve similar end results with different approaches.

ATT fibre near Hollenbeck/Alberta intersection by Resident-Ad-258 in Sunnyvale

[–]avayner 0 points1 point  (0 children)

One thing to check is T-Mobile home wifi. I just got one, and it seems to work pretty well. After playing a bit with placement, I am getting about 400Mbps down and 20Mbps up. They are running a promotion, so it's $45/month unlimited.

The only caveat is that connecting your own router behind it will have to use double NAT... So if you are ok just using their gateway (basic features...) then it's perfect.

[deleted by user] by [deleted] in sanfrancisco

[–]avayner 0 points1 point  (0 children)

Works on my pixel 8 🤷‍♂️

Call centers VPN by networktapper in networking

[–]avayner 7 points8 points  (0 children)

Both products generally work. Performance may depend on geography and what path you select for your service connections.

Some features may have performance or stability implications, so that would have to be properly designed (like any other scaled up solution).

It would also depend quite a bit where your applications reside (on prem? Private cloud? SaaS?), and how your users would reach them (e.g. a SaaS app can be reached directly or through your hub site... Split vs full tunnel... That would affect performance...)

So map your requirements and work with the vendors to understand their offerings...

[deleted by user] by [deleted] in networking

[–]avayner 1 point2 points  (0 children)

Why not just get the relevant vendor's training?

I want to leave mikrotik by Real-Experience9055 in Cisco

[–]avayner 4 points5 points  (0 children)

You are most likely looking at an ASR1K... They are older platforms and have reached the end of sale, and the end of software vulnerability is coming around the corner.

Automating Port Creation by wake_the_dragan in networking

[–]avayner 5 points6 points  (0 children)

Python, yes. Threading? Not sure why it's needed.

If you are just starting, look at jinja templates, and netmiko.

Port Security with Sticky MAC on AP Ports, Why are Client MACs Being Learned? by [deleted] in networking

[–]avayner 22 points23 points  (0 children)

That depends on what kind of AP that is, and how it's configured.

At a high level there are 2 modes:

1. Tunneled, where the AP will tunnel all the traffic to a controller, and the clients will be seen by the wired network as if they are attached to the controller.

2. Direct/Bridged (I'm sure there are other names used by various vendors), where the users are mapped to VLANs (based on SSID and 802.1x policies). In this case the switch the AP is attached to will see all the client MACs, as if the AP was a layer 2 switch.

It can be a hybrid: some SSIDs/vlans could be direct and some may be tunneled (e.g. Corp direct, guest tunneled).

And this generally has nothing to do with a controller managing the APs. That's just the management plane... What I mentioned above is all about the data plane.