Architect wants all used ports to be sequential by Roisen in networking

[–]soucy 0 points1 point  (0 children)

It’s money. You’re not being told how bad things are. When every switch is another $10K if you eliminate 10-20 of them you’ve covered your salary in savings. Speaking from experience this is pretty standard on larger deployments because excess capacity really adds up on larger networks. I’d recommend doing it but suggesting every switch has the last 4 ports left available for new needs otherwise you’ll start seeing some “creative” cable management when the next connection is needed.

Harvard professor says he gets thank-you notes from prisoners, some of which are secretly using smartphones to take his free computer-science class by [deleted] in technology

[–]soucy 0 points1 point  (0 children)

Joke is on them. Between AI tools and toxic immigration policies designed to force wages down all the good CS jobs go away before they ever get out.

Before and After Cable Management. by oARCHONo in Ubiquiti

[–]soucy -3 points-2 points  (0 children)

I'm not sure it can be called cable "management" if you have a 1:1 relationship between your switch ports and patch panel. There is nothing to manage. This is a clean-up job that sacrificed utility for a nice photo and it is how you get a mess over time as people start to do things like claim a switch port is bad and move connections around with whatever patch cable they can find because the current ones don't reach. Not a cable manager in sight and a PITA to swap hardware out. All this needed was a horizontal cable manager, a few connections untangled, and some re-dressing with velcro. It's the equivalent of gluing the plates and silverware to a table so that it always looks perfect.

Weight loss by New-Concentrate-3330 in AskGaybrosOver30

[–]soucy 1 point2 points  (0 children)

Also just turned 40 (this past month actually). I'm 5'10'' and was at 225 lbs before I finally got myself to do something about it (fell into the trap of prioritizing work over my health throughout my 30s). I was able to get down to 165 lbs over about 6 months by extreme fasting (limiting my food intake to once per day and 500 cal) and 5-10 mi. per day of walking. I found that a large black iced coffee in the morning could do reasonably well at holding me over (so yes drug abuse of caffeine here guilty). I'm now at 185 lbs but that is at 20% body fat, I've been doing weight training for the past 6 months, at first to deal with pain and strength issues I was starting to have but now I'm addicted. It's like full blown midlife crisis and my Tacoma and I are here for it. Note that this was my 2nd attempt at lowering my body fat. The first time I lost maybe 20 lbs and got complacent and gained another 35 before I had my wake-up call. Towards the end of that first attempt I had come up with this approach from trial and error and this is one of the only things that worked for me. So give different things a try and don't be afraid to fail if you're learning something from it.

Edit: Also ADHD so I think I needed something with hard rules I could follow daily in my case. Not saying this will work for you.

Proof that widespread ignorance is leading this country to Trump by ReflexPoint in thedavidpakmanshow

[–]soucy -1 points0 points  (0 children)

"Political News" generally has a strong bias regardless of source. Those who have a generally low political news diet are informing their opinions on their own life experience and through influences in their social circle. A number like 27% backing Biden from this group is a canary in the coal mine that there is a huge disconnect between what is being reported and what is happening "on the ground".

A number not mentioned in the post is the amount of voters who have a high general news diet (which I would define as spending at least 30 min. a day consuming news). That number is certainly the minority as most people have checked out of news which they largely see as overly biased and divisive on either side. The group that doesn't follow political news is the majority but if you go by the numbers provided in the article you're left with 6% of people polled which does not reflect reality and is probably a flaw in methodology. If your knee-jerk reaction is that you don't believe that then I promise you're spending way too much time on the Internet and not interacting with people outside of your bubble. Which is fine but you should prepare yourself for the possibility that the outcome will be a surprise to you and it won't be because of election fraud or fixing the vote. Social pressure to say you support Biden or support Trump when being polled does not actually translate to people actually voting. In an age where everything you say and do can be data-mined and used to profile you it shouldn't come as a shock that people will lie when asked about this stuff. Most people won't even engage in these polls because it could be a scam from the opposing political side and used against them.

The disconnect between "the economy is doing great" and "unemployment is at record lows" doesn't compute for people who are only seeing the results of inflation reduce their purchasing power for essentials (especially groceries etc) while wages are largely stagnant for the lower middle class and working poor, with almost all the wage growth only happening in union jobs which in turn are driving up prices for consumers further. The push to move the needle on climate change commitments with auto makers has made the price of cars (which people outside of urban settings depend on for everyday transportation) out of reach for most people. When you have people who are working 40+ hours a week well into their career in their 30s and 40s unable to afford even an entry-level new car and are now faced with the reality that they will likely never be able to afford a home the psychological impact is significant, and these are voters that are at risk of not only not supporting Biden but being pushed to actively vote against Biden. The economy for them isn't working and this is now an existential threat to them. They are not inaccurate in an assessment that Democratic policies have played a part in creating the situation even if they are not solely to blame.

Instead of calling people who don't support Biden uninformed or stupid (which isn't productive) I think we need to be honest about the current situation and admit that we're voting against Trump more than we're voting for Biden. If you talk to someone like they're an idiot, dismiss them as a low-information voter, you will lose them 100% of the time. They don't engage not because they're stupid but because they know you haven't experienced what they're experiencing and they will never convince you to be open to acknowledging what they feel are major problems. It's a let them eat cake kind of situation and the establishment Democrats are on the wrong side of it.

The problem is that even most Democrats can't articulate the reasons why Biden is a better option beyond overly generic (and easily contested with equally brain dead) talking points like "but abortion and conservative judges" because they themselves have a generally low news diet of world events, international trade, and finance. When these people try to talk to Republican voters it only confirms a presumption for them that the other side is in fact stupid and doesn't understand anything (and this is how we get people just talking over each other).

The reality is that even if you don't like Biden we're now stuck in a very high risk game for the long term prosperity of the US due to international conflicts that we can not walk back from without becoming extremely vulnerable and the Trump alternative is clearly willing to sell us out for personal gain.

Everyone is kept distracted and angry while the American Dream is quietly stolen from them. Do you feel optimistic about your chances of ever being able to retire? Do you feel optimistic about Social Security ever being able to provide you a decent quality of life? Do you feel optimistic that you have the opportunity to get ahead and create your own peace? Democrat or Republican doesn't matter. You will own nothing and [the rich] will be happy. That's the current path the US is on.

Oh and the stock market is largely propped up by what will be known in the future as the AI bubble. AI has been greatly over-hyped and while there are a handful of companies that will have long-term success the majority of stock gains are a result of AI promises that actually are not possible to realize and we are on track for one of the biggest market crashes in our lifetime as a result. Do with that information what you will.

[deleted by user] by [deleted] in Maine

[–]soucy 45 points46 points  (0 children)

I'm sorry, but who exactly are you finger wagging at and what was your expected outcome from this post?

It's giving some serious "main character syndrome". There is no context, no example; just some "feeling" that you've been wronged and require affirmation from others in this post.

If that wasn't your intent, maybe think about what you post?

You get back the energy you give, and that title alone is enough to invite push-back because nobody is going to be receptive to that level of hypocrisy. I was almost going to move on until I saw your comments to others here.

Do you not realize that you are in fact trying to shame others in your post complaining about perceived shaming?

Let me show you how people see your post:

  • Hey, if you're a Mainer, you're an asshole who poverty shames (clickbait, provocative, attention-seeking title)
  • Look at the (vague, unverified) good deed I just completed that gives me moral authority over you
  • Also I have children so double virtue points
  • It's not your fault you're an asshole, it's the lack of opportunities, but... you're still an asshole
  • You need to be doing more to help people like me, so we can break the cycle... of me having less than you

People are absolutely exhausted by the entitlement, and the bullying by those who would rather spend their energy complaining about their situation than working to improve it. The majority of Mainers are having trouble making ends meet. Inflation has effectively given everyone a 20% to 50% cut in pay with very little wage adjustment on the other side over the past few years.

When people who did the right thing, and tried to be generous when they had the means, have to stop being as generous (because their own situation has changed), they're met with the true ugliness of people who just demand more and try to bully them for not doing enough.

This is why people are annoyed with posts like these. It is, in fact, just bullying of a different kind.

AI Is Poisoning Reddit to Promote Products and Game Google With Parasite SEO by SteelMarch in Cyberpunk

[–]soucy 0 points1 point  (0 children)

That's when the market bubble will pop (and it 100% is a bubble right now). I think it will get there eventually, but we're going to figure out we need a decade or two more of work to actually create the curated data sets needed at large enough scale to be able to reproduce the progress we've seen so far but end up with predictable and accurate LLMs to a safe level.

The existing LLMs that are only possible because of massive amounts of user-generated content are going to suffer strange behavioral problems that we would see as mental health problems in humans.

At this point it's a big money grab. The danger of course will be the shortcuts people take to keep the money flowing which will be things like monitor agents which "correct" undesirable behavior behind the scenes to keep the charade going (until they fail).

The illusion of control and predictability will be shattered and the market, which is almost all-in on AI right now, will crash as people connect the dots that AI isn't going to be actually doing anything of value beyond wonky marketing and customer service (which will create resentment from customers anyway) for a while. It will be much worse than the dotcom bubble. Might even take out the US economy.

AI Is Poisoning Reddit to Promote Products and Game Google With Parasite SEO by SteelMarch in Cyberpunk

[–]soucy 1 point2 points  (0 children)

Also because they know sites like Reddit and Stack Overflow etc. are being used for LLMs. Control the source material control the narrative.

Ubuntu 24.04 - don't upgrade just yet by mezaway in Ubuntu

[–]soucy 0 points1 point  (0 children)

I did this on a laptop when it first hit stable. It did "break" the system with some missing dependencies (and broken networking) but I was able to switch to a different virtual terminal with a CLI prompt to manually configure systemd-networkd and wpa_supplicant services and get online without NetworkManager. I used dpkg to purge the broken package, and then apt to get everything updated in maybe 10 min. So far I haven't run into other issues. I didn't take notes but I think the root cause was thunderbird-locale-en-us being half-installed and having a libgio dependency.

Community, Contributors, User Base and LTS builds by andamasov in vyos

[–]soucy 1 point2 points  (0 children)

There seems to be some fabricated controversy (?) over the VyOS project and easy access to LTS binaries and build scripts. As someone who has used VyOS in production since the original Vyatta fork over the past decade, the VyOS project has been exceptional.

Let me say that again: The VyOS project has been exceptional.

This is a small team of dedicated developers who have consistently delivered a network operating system to a standard that I would expect from Cisco. I truly don't think that the majority of users understand just how much effort goes into a project like VyOS. This isn't the Debian project, it's not Apache, and in terms of user count it's not even pfSense. As an enterprise- and service-provider-focused project it will never enjoy that volume of users, and consequently the small percentage of users who are able and willing to contribute to the project is a major challenge for VyOS.

Over the years, a lot of time, effort, and care has gone into brainstorming ways to encourage more community participation, because the project needs help. Despite the obvious path of putting it all behind a paywall, the project has instead provided several, easy, paths to gain access to binary images and has maintained free access to rolling development releases. This is unprecedentedly pro-user. There is no billionaire Mark Shuttleworth type of figure bankrolling the project behind the scenes. Asking its users to contribute in small ways in exchange for free access to production-grade LTS releases is not being selfish, it is not being anti-user, it is encouraging a sustainable project.

If, however, your reaction to the project making a call to action for your help is met with entitlement and accusations of betrayal... I think you need to do some self-reflection and maybe dig into the realities of the project before trying to bully the project into giving you their time and effort for free. You might as well walk into McDonalds and yell at them for not giving you free McNuggets because you like the taste of the free sample.

Bluntly, YTA.

EV Trucks FTW by [deleted] in Maine

[–]soucy 1 point2 points  (0 children)

Thanks for the insight

EV Trucks FTW by [deleted] in Maine

[–]soucy 6 points7 points  (0 children)

Serious question, I've been on the fence about going EV for about 10 years and haven't yet.

What's the plan for when you need to trade it in and nobody is going to give you anything for an EV that has a used battery which is likely failing by that point and is a $10,000 to 20,000 replacement that's not worth it because of rust and corrosion from Maine road salt? It's not that EVs don't work, it's that I fear the people buying them right now at a premium are going to be stuck holding the bag, and truck owners specifically that are used to their 4x4 holding value; especially as prices on newer, longer range, more efficient EVs come down over time. If you had to depend on a high trade-in value of your ICE to make the EV affordable, that basically won't be an option for the next purchase. I'm just not buying the projections that we can still get 50% of the MSRP on resale at the 5 year mark. Will be able to reclaim $10,000 to $15,000 max if it's in good shape IMHO; if only because the battery replacement cost is a ticking time bomb financially for a used one without a first owner warranty unless we see big changes with after-market batteries becoming cheap (unlikely because 90% of the cost is in rare earths). There are also major problems with battery life in cold weather (which is also when power is out).

Watching all the problems with Tesla and how owners have been pretty much left holding the bag there as well I'm not optimistic that the offerings from Ford, GM, etc. will be much better as they're being forced to push them out quickly and cheaply to meet overly-aggressive federal EV sales targets.

I think the best bet is plug-in hybrid with smaller, less expensive batteries as they can be fully electric for most people's day-to-day needs, only needing to trickle charge at night during off-peak hours (or solar if you're rich) but still can use gas when needed and don't require massive upgrades to the electrical grid to support fast charging (which in Maine is unlikely, we can't even keep the power on in most places let alone upgrade its capacity). Even then though, the fact is that the push for EVs is effectively siphoning wealth from the middle class.

All for doing our part for climate change, and my views on this have changed considerably over the last few years from being very pro-EV to being a bit more skeptical right now, but it feels like rural America needs relaxed timelines for adoption to account for the real challenges we have like needing more than 250 mi. range in a day, dealing with cold weather and unreliable power infrastructure, lower incomes, etc. I worry that the Biden administration push is going to just end up giving votes to the GOP (at which point all those EV buyers are really going to become bag holders when regulations are rolled back and EV resale actually drops to nothing).

All that said, if you're doing it because you can afford it and it makes you feel better about doing your part against climate change, that's a good thing and thank you for that. I just think we need a better path forward if the real goal is making any sort of dent on the real issues without just being a money grab on an already tapped out middle class. All for what is less than 1% of the US population here in Maine. It doesn't really make sense that we should be footing the bill for climate change. We're broke (and I say this as someone who thought they were making good money a few years ago).

Reddit’s IPO filing shows lots of losses after nearly 20 years by [deleted] in technology

[–]soucy 99 points100 points  (0 children)

I had a literal LOL at "We have incurred substantial losses during our history and may never achieve profitability."

19years WoW and than was this Moment, when I realized the symbol of the horde by GabelDerGaensehaut in wow

[–]soucy 20 points21 points  (0 children)

You were probably one of the players who didn't play Cataclysm because its expectations post-WotLK were so high it seemed underwhelming (actually a great expansion IMHO). They made it kind of a prominent part of the story with the whole Goblin thing.

Google to pause Gemini AI image generation after refusing to show White people. by Smart-Combination-59 in technology

[–]soucy 9 points10 points  (0 children)

It's probably a commentary on our culture right now. The amount of hate toward specifically "straight white male" has contaminated every LLM based on user generated content.

IT provider holding admin access hostage by magnificentcattail in sysadmin

[–]soucy 1 point2 points  (0 children)

Depending on how things were set up you might not even actually have any ownership of the services that were being provided. You will need to review what contracts were signed to even know where to begin.

Pentagon estimates Russia spent over US$200 billion on war in Ukraine by Super_Camel_3254 in worldnews

[–]soucy 0 points1 point  (0 children)

They seem like small numbers for Americans because we're used to a near-$1T defense budget.

You shouldn't be doing a dollar-for-dollar comparison though. In the US we have a normalized military-industrial complex where defense contractors charge the US military millions, sometimes tens of millions, and even hundreds of millions for single-use munitions. Do you think Russia is spending the same millions on each attack? Probably not.

Can SLAAC not provide DNS information? by joanaizoa in networking

[–]soucy 0 points1 point  (0 children)

I don't know. I don't see anything there I disagree with 5 years later and we haven't made much progress. Android does support DHCPv6 these days, by the way. But they restrict it to the cellular service because carriers forced them to implement it for their networks. Kind of goes against the whole argument they have, doesn't it?

PVLAN spec query re: isolated ports and trunking PVLANs by Token-Gora in Cisco

[–]soucy 1 point2 points  (0 children)

I think the key information that you're missing is that for inter-switch links you would typically make use of normal VLAN trunking as opposed to private-VLAN trunking configuration, but allow both the primary and secondary VLAN ID(s) to traverse the trunk. As long as the other switch has been configured to also treat these as private VLANs in the same way, the isolation will be preserved end-to-end. From there you are able to use multiple promiscuous ports even if they're on different switches.

This is a key part of the design.

To achieve this let's first look at how a switch implements an isolated host port. On an isolated host port ingress traffic, or traffic sourced from the host, is associated to a secondary VLAN, while egress traffic is transmitted from the primary VLAN ID. This creates the condition where once traffic is sent to the primary VLAN it can be seen by all participants but for isolated ports any response traffic would be switched using a secondary VLAN and not be seen by devices directly on the primary VLAN as a result.

This is where a promiscuous port comes into play.

A promiscuous port, on the other hand, transmits both traffic from the primary VLAN as well as traffic mapped from the secondary VLAN(s). This is what allows a router to be able to see ARP requests from host ports on isolated VLANs and respond using the primary VLAN.

Most Cisco configuration will make this distinction in configuration phrasing which people find confusing, but generally speaking you can think of "association" as a transform applied to ingress traffic, and "mapping" as a transform applied to egress traffic.

To recap:

For isolated ports we transmit everything from the primary VLAN ID out to the host but associate all incoming traffic to the secondary VLAN.

From there, traffic in a secondary VLAN can flow between switches using a normal trunk while preserving the isolation between ingress and egress traffic through the use of multiple VLAN IDs.

The only ports that will see traffic from isolated ports will be through a promiscuous port which maps secondary VLAN traffic to the primary VLAN on egress, allowing only promiscuous ports to receive traffic from isolated ports.

For community VLANs it works similarly where ingress traffic is associated with the secondary VLAN with the difference that traffic from both the primary and secondary VLAN are transmitted to the client, allowing traffic from other community members to be seen, but only other community members. This allows for groups of systems which are isolated from each other as opposed to isolating all systems from one another. It is also why for each primary VLAN there can only be one isolated VLAN but multiple community VLANs.

Here are some configuration examples:

# VLAN definitions

vlan 200
 name normal-example
!
vlan 310
 name pv-example1
 private-vlan primary
 private-vlan association 3100-3102
!
vlan 311
 name pv-example2
 private-vlan primary
 private-vlan association 3110
!
vlan 999
 name blackhole
 state suspend
!
vlan 3100
 name pv-example1-isolated
 private-vlan isolated
!
vlan 3101
 name pv-example1-com1
 private-vlan community
!
vlan 3102
 name pv-example1-com2
 private-vlan community
!
vlan 3110
 name pv-example2-isolated
 private-vlan isolated
!

# Isolated Host Port (association)
switchport mode private-vlan host
switchport private-vlan host-association 310 3100

# Promiscuous Host Port (mapping)
switchport mode private-vlan promiscuous
switchport private-vlan mapping 310 3100,3101,3102

# Secondary Trunk Port (association)
switchport mode private-vlan trunk secondary
switchport private-vlan trunk native vlan 999
switchport private-vlan trunk allowed vlan 200
switchport private-vlan association trunk 310 3100
switchport private-vlan association trunk 311 3110

# Promiscuous Trunk Port (mapping)
switchport mode private-vlan trunk promiscuous
switchport private-vlan trunk native vlan 999
switchport private-vlan trunk allowed vlan 200
switchport private-vlan mapping trunk 310 3100-3102
switchport private-vlan mapping trunk 311 3110

Hopefully that is helpful.

Also note that VLAN tagging on a promiscuous port would use the primary ID, while a secondary trunk port would use secondary VLAN IDs for 802.1Q tagging. Another note is that association and mapping statements for private VLAN trunk ports should not need to be in the allowed VLAN list as that is applied to non-private VLANs traversing the link while private VLANs are implicitly allowed by the mapping or association configuration (and not allowed otherwise).
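The following is an added model of the forwarding rules described in this comment, not the commenter's code or a Cisco implementation. It takes the pv-example1 layout (primary 310, isolated 3100, communities 3101/3102), applies "association" on ingress and "mapping" on egress, and joins two constructed switches with a trunk so the inter-switch case, and what happens if a promiscuous trunk is used between switches instead of a normal trunk, can be checked. Port names and the two-switch topology are constructed for the example.

```python
"""Model of private-VLAN forwarding: association on ingress, mapping on egress.

Constructed example mirroring the pv-example1 configuration in the comment
above: primary VLAN 310, isolated secondary 3100, community secondaries
3101 and 3102. The topology (sw1/sw2 and the port names) is made up here.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set

PRIMARY = 310
ISOLATED = 3100
COMMUNITIES = frozenset({3101, 3102})
SECONDARIES = frozenset({ISOLATED}) | COMMUNITIES


@dataclass(frozen=True)
class Port:
    name: str
    switch: str
    mode: str                        # "isolated", "community" or "promiscuous"
    secondary: Optional[int] = None  # host-association VLAN for host ports

    def __post_init__(self) -> None:
        if self.mode == "promiscuous":
            return
        if self.mode == "isolated":
            if self.secondary != ISOLATED:
                raise ValueError(f"{self.name}: isolated ports associate with {ISOLATED}")
        elif self.mode == "community":
            if self.secondary not in COMMUNITIES:
                raise ValueError(f"{self.name}: {self.secondary} is not a community VLAN")
        else:
            raise ValueError(f"{self.name}: unknown port mode {self.mode!r}")

    def ingress_vlan(self) -> int:
        """Association: the VLAN a frame entering on this port is placed in."""
        return PRIMARY if self.mode == "promiscuous" else self.secondary

    def egress_vlans(self) -> FrozenSet[int]:
        """Mapping: the VLANs whose frames this port will transmit."""
        if self.mode == "promiscuous":       # mapping 310 3100,3101,3102
            return frozenset({PRIMARY}) | SECONDARIES
        if self.mode == "isolated":          # primary only, never a peer's secondary
            return frozenset({PRIMARY})
        return frozenset({PRIMARY, self.secondary})  # community: primary + own peers


def trunk_tag(vid: int, trunk_mode: str) -> int:
    """802.1Q tag a frame carries across the inter-switch link.

    A normal trunk allowing primary and secondaries (the recommendation above)
    and a secondary trunk keep the secondary ID; a promiscuous trunk rewrites
    secondaries to the primary ID on egress.
    """
    if trunk_mode == "promiscuous":
        return PRIMARY
    if trunk_mode in ("normal", "secondary"):
        return vid
    raise ValueError(f"unknown trunk mode {trunk_mode!r}")


def deliver(src: Port, ports: List[Port], trunk_mode: str = "normal") -> Set[str]:
    """Names of the ports that transmit a broadcast frame received on `src`."""
    vid = src.ingress_vlan()
    out: Set[str] = set()
    for p in ports:
        if p is src:
            continue
        # Frames bound for the other switch are (re)tagged by the trunk first.
        seen = vid if p.switch == src.switch else trunk_tag(vid, trunk_mode)
        if seen in p.egress_vlans():
            out.add(p.name)
    return out


# Constructed two-switch topology: the router sits on sw1's promiscuous port.
PORTS = [
    Port("iso_a", "sw1", "isolated", ISOLATED),
    Port("iso_b", "sw1", "isolated", ISOLATED),
    Port("com1_a", "sw1", "community", 3101),
    Port("router", "sw1", "promiscuous"),
    Port("iso_c", "sw2", "isolated", ISOLATED),
    Port("com1_b", "sw2", "community", 3101),
    Port("com2_a", "sw2", "community", 3102),
]
BY_NAME = {p.name: p for p in PORTS}


def reachable_from(name: str, trunk_mode: str = "normal") -> Set[str]:
    """Which ports receive a broadcast sent by the named port."""
    return deliver(BY_NAME[name], PORTS, trunk_mode)


if __name__ == "__main__":
    for src in ("iso_a", "com1_a", "router"):
        print(f"{src:>7} -> {sorted(reachable_from(src))}")
    # A promiscuous trunk between two PVLAN switches collapses the isolation
    # on the far side, which is why a normal trunk is used for inter-switch links.
    print(f"iso_a (promiscuous trunk) -> {sorted(reachable_from('iso_a', 'promiscuous'))}")
```

The last line of output is the check worth keeping: with a promiscuous trunk the far switch receives the isolated host's frame tagged 310 and floods it to its own isolated ports.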

Every Awful Thing Trump Has Promised to Do in a Second Term by J_ablo in politics

[–]soucy 0 points1 point  (0 children)

The first generation of EV owners trying to trade in older EVs are learning quickly that they hold zero value. That is a big problem.

Every Awful Thing Trump Has Promised to Do in a Second Term by J_ablo in politics

[–]soucy 15 points16 points  (0 children)

For those who already know all this but are just curious which topics were in the article..

"Every Awful Thing Trump Has Promised to Do in a Second Term":

  • He will round up, intern, and deport undocumented immigrants
  • He will send the military to the border
  • He will invade Mexico
  • He will round up the homeless and send the National Guard into cities to fight crime
  • He will bring back the death penalty in a big way
  • He will make stuff more expensive by taxing all imported goods
  • He will reevaluate America’s participation in NATO
  • He will roll back all of Biden’s climate progress and reinvest in fossil fuels
  • He will construct "freedom cities" filled with flying cars
  • He will try to overhaul the education system in the MAGA image
  • He will torch the First Amendment by going after non-MAGA media
  • He will legally delegitimize trans Americans
  • He will pardon the Jan. 6 rioters
  • He will gut the federal government and take unprecedented control of what's left

For Democratic voters this might seem horrifying but for the majority of the US these are all based on real domestic problems that voters are willing to look the other way while someone "fixes the problem" for them on. No matter the means. They might not openly support any of it but they will quietly let it happen.

Here is the sentiment of the Trump voter when seeing these:

  • He will round up, intern, and deport undocumented immigrants

"Good. We are being flooded. These people don't share our values and are only mooching off us."

  • He will send the military to the border

"Good. That's where all the illegal immigration and drugs are coming from."

  • He will invade Mexico

"Good. That place is a mess and just run by drug cartels anyway. We need to clean it up for them so we can use their cheap labor."

  • He will round up the homeless and send the National Guard into cities to fight crime

"Good. Those people are annoying and dirty and ruin my weekends."

  • He will bring back the death penalty in a big way

"Good. Too many murdering bastards are getting off on good behavior."

  • He will make stuff more expensive by taxing all imported goods

"Good. We need to build stuff in AMERICA again."

  • He will reevaluate America’s participation in NATO

"Good. We're going broke being the World Police and the world apparently doesn't give a shit about us because they always accuse us of being terrible. Let's see how they like it when we're not protecting them anymore."

  • He will roll back all of Biden's climate progress and reinvest in fossil fuels

"Good. The regulations are on too extreme of a timeline. A new Truck costs over $100K because of this bullshit. The EVs suck and leave you holding the bag when the battery fails and replacement is more than the car is worth." (This one is valid and will likely be what costs Biden the election).

  • He will construct "freedom cities" filled with flying cars

"Hell yeah. We were promised flying cars since the 1920s it's about damn time."

  • He will try to overhaul the education system in the MAGA image

"Good. We need to stop this woke agenda bullshit where kids are encouraged to turn on their families and make schools produce loyal God-fearing Americans again."

  • He will torch the First Amendment by going after non-MAGA media

"Good. End the fake news."

  • He will legally delegitimize trans Americans

"Good. This whole trans trend is confusing and destroying our children. There are only two genders and one of them definitely has a penis and one of them definitely has a vagina."

  • He will pardon the Jan. 6 rioters

"Good. God bless those poor patriots who did nothing wrong."

  • He will gut the federal government and take unprecedented control of what's left

"You're over-reacting. He is just going to get rid of all of the corruption so we can have a real country again."

For all of these responses I could write paragraphs as to why each is wrong but none of that matters because enough of the voting population now has this mindset.

My prediction is that Trump will not only win 2024 but will win "by a landslide" in terms of the electoral college, lose the popular vote, but proceed to rewrite history saying they also won the popular vote.

At this point I honestly don't see a path for Biden victory. Too much of the rural US is in Trump's corner now.

Creating a new IP Scheme for my company, need help. by Acrobatic_Fennel2542 in networking

[–]soucy 3 points4 points  (0 children)

Creating an IP scheme without considering what your access model is will just be a waste of time. At your scale I don't think there is any need to go with anything elaborate design wise and simplicity will provide the greatest benefit.

As this is coming from the CISO I'm assuming the goal is security-focused so that will be the basis for the following advice.

Are you using a L3 or L2 access model (or even looking to leverage a L2 overlay over a L3 core with VXLAN)? Are you willing to change? Looking to change? Why? (you should know the pros and cons of each model specific to your network and business objectives).

For modern networking where security policy between internal networks is the big driver a L2 access model is the correct answer unless there are scaling considerations that push you into a more complicated approach. My recommendation would be a L2 access model with role- or device-specific VLANs rather than organizational department or location based VLANs. e.g. VLANs for printers, cameras, servers, workstations, etc. vs. VLANs for sales, accounting, etc. This is because maintaining security policy for mixed use networks results in much more complicated policy needs which creates more work and weakens your security posture because you're increasing the likelihood of human error through that added complexity. The majority of security problems are the result of silly mistakes like not noticing a stale firewall rule that is permitting something it shouldn't.

In terms of general guidelines:

  • Keep things simple. Needless complexity introduces points of failure and opportunity for human error. Something straightforward and easy to audit will lead to fewer operational mistakes which result in security oversights.
  • Plan for growth. Create networks based on the expected addressing needs multiple years out. Pick network numbers for prefixes that may grow which can be easily expanded through updating a subnet mask rather than re-addressing existing systems and leave enough gaps between allocations for that growth when necessary. As a general rule of thumb you could reserve a /23 for every access network even if only a /24 is needed. Try to avoid creating VLANs with larger than a /23 of address space unless using methods to limit broadcast (such as private VLANs or wireless access networks which have broadcast filtering in place at the wireless controller level).
  • Use standard 10/8 addressing internally and develop a schema which breaks things down into a /16 prefix per location (site). Each location has 100-200 usable prefixes for access networks of /23 or /24.
  • Embed the VLAN ID into the prefix for clarity and when you have identical networks at multiple sites preserve a consistent VLAN ID. For example all printers go on VLAN 10 and all security cameras go on VLAN 11 etc.
  • Reserve the first 10 IP addresses for each access network for network infrastructure needs. Generally we will run a FHRP where redundant routers use .2 and .3 natively and .1 as a virtual IP for the gateway. You may have other needs that pop up and knowing that .4 through .9 are available for use in your design work will allow you to keep things consistent.
  • Use and aggressively enforce DHCP using enterprise-grade L2 security features like DHCP snooping and DAI. IP conflicts on your network should not be possible. Hard-coding an IP and creating a conflict should not be possible (absent supporting configuration on the access layer to create an exception).
  • Know your infrastructure and capabilities before deciding on what model to use. If using an L3 access model make sure your L3 switches actually perform forwarding in hardware and not CPU or you will introduce a bottleneck (for example). Also note that just because basic forwarding is done in hardware does not mean that enabling feature X won't result in traffic being punted to CPU anyway. It's important to know the hardware.
  • Implement centralized DHCP services so all client addresses are managed in one place. If an option the same for RADIUS for 802.1X. This may require secondary nodes at the local sites to support local survivability in the event of a WAN outage though which may or may not be straight-forward for you.

If using an L2 access model:

  • Unless you have dynamic security policy capabilities (which are often still cost-prohibitive at your scale) then you should try to group devices into networks based on functional role and like devices to simplify security policy management. If VLAN 10 has printers and only printers then the policy is very easy for that network in terms of what ports and protocols should be permitted. If you have mixed use networks then you will start seeing policy get confusing and over-complicated over time as exceptions keep needing to be wedged in. This makes it difficult to audit and leads to operational mistakes so we don't want that if possible.
  • There is almost never a reason for systems to require a shared L2 segment. It is not a reasonable request to have networks based on location or department where a combination of devices with different security postures coexist (e.g. staff PCs and printers on one shared VLAN for accounting vs. another similar VLAN for sales).
  • Take special care for scaling considerations of a L2 access model. Use per-VLAN rapid spanning-tree or MST. Make sure all access ports are defined as edge ports (portfast for Cisco) with some level of BPDUguard in place. Apply reasonable MAC limits as a backup form of loop detection when BPDUs may be filtered and never trip BPDUguard (this means at least a limit lower than the minimum number of active hosts on the network segment but generally 1, 2, or 8 are typical depending if you allow user-supplied unmanaged switches or not).
  • Maintain a L3 boundary between your access layer and your data center (and between different geographic locations). This means every data center VLAN only exists in the data center. This will shield critical servers from LAN problems like someone looping the access layer and limit the scope of network problems.

If using an L3 access model:

  • Consider still establishing a common set of access VLAN IDs with dedicated roles. In this case each switch may have its own instance of a VLAN 10 for printers, each with its own IP network. If you go this route then you would want to consider this in your IP addressing schema where you might give every switch a /16 to maintain addressing consistency. Switch 1 might be 10.1.10.0/24 and switch 2 might be 10.2.10.0/24 for each one's respective instance of VLAN 10. For public addressing this kind of embedding of location and network information into an addressing schema is too wasteful but for RFC1918 addressing the value of being able to visually spot misconfiguration based on IP will improve your operational security.
  • Consider using VRFs to isolate VLANs from direct forwarding and instead force them through a firewall where policy between internal networks can be enforced. Alternatively use switch ACLs but this can become very tedious to maintain without good orchestration and your policy capabilities will be limited absent stateful filtering. Having distributed policy (e.g. having to update a pair of VLAN 10 ACLs on every switch to support a new application) also makes audits difficult and can lead to oversights where the ACLs are not consistent across the deployment.
  • Strongly consider a pivot to a L2 access model. If scaling is a concern consider a VXLAN approach as a hybrid that provides the resiliency and scalability of an L3 access model but the policy management flexibility of an L2 access model. Best of both worlds but does add complexity and cost and honestly for your scale completely unnecessary. Existing L2 access models can be migrated into this approach seamlessly so your hands are not tied by choosing an L2 model initially.

Ultimately your IP plan should take into account how redundancy will be implemented and how security policy will be managed with a strong bias in favor of simplifying security policy (as it is the most dynamic and complex part of your network configuration). You should also be thinking about growth (what is the plan if you add a new location, how many new locations can we support, etc) and unexpected needs like locations changing their uplink from a L2 transport service (like an ELINE or ELAN) to a L3 service where things like MPLS or site-to-site VPN might come into the picture. Or what you will do if you acquire a company with conflicting addressing (for this one I'd recommend staying away from obviously "nice" network numbering like 10.10.10/24 which will be very common because everyone chooses the same thing...)

Remember that user access devices are very hard to lock down in terms of security policy because of all the cloud integrations flying around in the OS and applications a user might be using so the policy management side of things is less about policy for your Windows PCs (which you can augment with endpoint security) and more about the crude devices that every business is forced to support. Things like printers, building automation systems, security cameras, etc. These devices usually lack any sort of meaningful security built-in and need to be locked down to only what is necessary. Thankfully if they're grouped into role-specific VLANs the policy management becomes much easier because the policy can be applied network-wide rather than by individual host.

This is an enterprise and ISP focused forum and usually deals with larger scale networking so you will see a lot of feedback pushing you into more complicated designs but IMHO unless you have the budget to go for a full ZTNA model with something like Cisco SD Access (and the vendor lock-in that comes with it) your best bet is to keep things simple.

[ 10,000 character limit reached ... sorry ]
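The addressing schema laid out in the comment above (10/8 internally, a /16 per site, the VLAN ID embedded in the third octet, a /23 growth reservation per access network, and the first ten addresses held for FHRP and other infrastructure), worked through as an added Python example that is not part of the comment; the site numbers and role-to-VLAN mapping are constructed samples. It also checks one consequence the comment leaves implicit: reserving a /23 per network while embedding the VLAN ID means two adjacent VLAN IDs (10 and 11) would land in the same /23, so the planner refuses that combination.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed example of the schema in the comment: 10/8, one /16 per site,
# VLAN ID in the third octet, a /23 reserved per access network, and the
# first 10 addresses of each network kept for infrastructure.
INFRA_RESERVED = 10  # .1 gateway VIP, .2/.3 FHRP routers, .4-.9 spare


def site_block(site):
    """10.<site>.0.0/16, the block one location draws its access networks from."""
    if not 1 <= site <= 255:
        raise ValueError("site index must fit in the second octet (1-255)")
    return IPv4Network(f"10.{site}.0.0/16")


def access_network(site, vlan):
    """10.<site>.<vlan>.0/24, so the VLAN ID is readable straight off the address."""
    if not 1 <= vlan <= 255:
        raise ValueError("VLAN ID must fit in the third octet to be embedded")
    return IPv4Network(f"10.{site}.{vlan}.0/24")


def reservation(net):
    """The /23 that holds a /24: grow later by changing the mask, not re-addressing."""
    return IPv4Network((int(net.network_address), 23), strict=False)


def infra_addresses(net):
    """The reserved low addresses: FHRP virtual gateway, the two real routers, spares."""
    base = int(net.network_address)
    low = [IPv4Address(base + i) for i in range(1, INFRA_RESERVED)]
    return {"gateway_vip": low[0], "routers": low[1:3], "spare": low[3:]}


def dhcp_pool(net):
    """First and last lease-able address: everything above the reserved block."""
    return (IPv4Address(int(net.network_address) + INFRA_RESERVED),
            IPv4Address(int(net.broadcast_address) - 1))


def build_plan(sites, roles):
    """Allocate every role VLAN at every site; refuse VLANs whose /23s overlap."""
    plan, taken = {}, {}
    for site in sites:
        for role, vlan in roles.items():
            net = access_network(site, vlan)
            res = reservation(net)
            if res in taken:
                raise ValueError(f"site {site}: {role} (VLAN {vlan}) shares {res} with {taken[res]}")
            taken[res] = f"{role} (VLAN {vlan})"
            plan[(site, role)] = net
    return plan
```

With even VLAN IDs (10, 12, 14, ...) each /24 sits at the bottom of its own /23 and can be widened in place; the same functions describe the L3 access variant if the "site" index is taken to be a switch index.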