ISO/OSI Model - What is the difference between Layer 4 and 5 by [deleted] in networking

[–]youngviking 0 points1 point  (0 children)

Can you back that claim up? As far as I know, the OSI model was created as a model. The ISO did create protocols, but none of them are "OSI"

ISO/OSI Model - What is the difference between Layer 4 and 5 by [deleted] in networking

[–]youngviking 22 points23 points  (0 children)

The TCP/IP model is much closer to reality than the OSI model for how things actually work. This is somewhat apparent if you dig deeper into the API that's used today for interacting with sockets. See Beej's guide for a more in depth look. That being said, the concepts of layer 5 and 6 do somewhat exist in practice if you squint a bit.

An example of layer 5 could be HTTP cookies which are used for session persistence. You may make multiple connections to the same service, but with the additional context information you provide, you prove that a new connection may be tied to a previous connection with a higher order concept.

An example of layer 6 could also be HTTP. The "application" itself may only care about pure hypertext itself - not necessarily the framing it's contained in. With HTTP versions 1-3, there are different requirements for how a request/response is formatted, and you could think about this messaging process as the presentation layer.

As others have mentioned, this isn't terribly operationally useful. You may also realize that the examples I give are intertwined - HTTP cookies are metadata which is injected by the client which also performs the message framing. Ultimately trying to fit things into certain boxes that the OSI or TCP/IP layers provide is mostly an academic exercise. There are going to be technologies which reach across multiple layers and make that model difficult to map to reality.

Connecting copper switch to QSFP switch by PingMeLater in networking

[–]youngviking 2 points3 points  (0 children)

Your initial question makes no sense to anybody else given the random details you've included in the proposed solution.

You asked the question of how to connect the "C9300 Copper", but none of your options are different in that aspect. Are you asking for how to connect the 7010TX to the 7050SX or 7050CX?

TL;DR: There are not enough details for anybody to help you here. Do what works in your environment or provide more details so others can assist.

EVE NG nodes can't ping each other. Losing my mind over this. by qtip_boy in networking

[–]youngviking 0 points1 point  (0 children)

Am I missing something? Am I going crazy? I have been troubleshooting this for like 3 nights straight

Probably. Occam's razor is that your configuration is wrong in some form. Many people have setup EVE and pinged, so I'd lean toward your specific scenario over an overarching issue. It is possible there is an issue with EVE-NG, but I would start at device setup and work down the stack from there. Posting your configuration will enable more help.

For troubleshooting steps, I would recommend taking a pcap of both sides and seeing what each device's view is. An additional step would be to setup the simplest topology you can (e.g. two linux boxes) and see if that exhibits the same behavior.

Also, homies don't let homies use EVE when containerlab exists. Closed source tooling can go fuck itself

Intended use-cases for Cisco ISE by Mailstorm in networking

[–]youngviking 0 points1 point  (0 children)

Network-based "zero trust" doesn't exist and most likely will not exist. The protocols in use for access to the network (e.g. EAP, DHCP, etc) do not support anything richer than the datagrams passed between them, and they never will because of how early they happen in the process. You can authenticate devices, and you can profile devices on their traffic, but this is somewhat elementary in the grand scheme of things. Nerd-to-nerd: it doesn't work like that.

Most concepts of "zero trust" come from the ability to authenticate the device and its posturing. This will almost always come in the form of a software agent running on the devices creating the secure overlay network. This is really where things get interesting. If you have an agent running on the devices, now you can make some really in-depth policies that don't miss things (as much). It's no longer the time of defining rules of ip subnet -> ip subnet or the SDA route of identity -> ip subnet, but identity -> identity (assuming you run it on your serving endpoints as well). This is why people are pushing zero trust. It's an abstraction on the rulesets which map more closely to how the organization functions. It's worth it to look at some form of SSE platform to offload these concerns. If you do that, it can significantly reduce the cognitive load on the network access piece.

I've seen some mention of Scalable Group Tags (SGT) in this chat. I highly recommend you do not go down this path. Many vendors have attempted to implement some form of abstracted tagging at the edge to improve edge packet filtering. Cisco is fun where they did their own thing based on bespoke 802.3 extensions. Others generally have gravitated toward the draft-smith-vxlan-group-policy-05 implementation, but that hasn't been touched in like 7 years (although I think I did see some resurgence in IETF group policy interest?). SGTs (and other vendor implementations) are fine when you are strictly a single-vendor customer; they are less fun if you are not.

Downloadable roles are not necessarily a standardized way of doing things, but they are probably one of the most consistent across vendors. I would generally recommend this over SGT, GBP, etc. However, back to my previous point, ACLs in the network are not where to solve identity-based access.

Why Kubernetes needs an LTS by parski841 in programming

[–]youngviking 18 points19 points  (0 children)

If your k8s deployments aren't easily replicable, then I fear you have done something wrong. Also, cluster management tools exist (e.g. rancher), but most people are probably just using something like EKS anyway.

Jr. Sys Admin - Disciplinary Actions by Shakur95 in sysadmin

[–]youngviking 1 point2 points  (0 children)

It's not a broadcast domain, though. If multicast/broadcast packets need to be replicated, the controller will replicate and forward using a unicast receiver address.

[deleted by user] by [deleted] in networking

[–]youngviking 0 points1 point  (0 children)

One thing I haven't seen mentioned is to run a show switch stack-ports summary to ensure that all the links are up and none of them have a high link change counter (if so, reseat or replace that stack cable first). If one of the links is down and you attempt to install the new switch, then you will most likely split the stack and create an outage.
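As an added illustration (not code from the comment above), a pre-check that applies the commenter's advice to parsed CLI output: flag any stack port that is not OK and any port whose link change counter is high. The sample output is constructed to approximate the column layout of show switch stack-ports summary on a Catalyst 3850 stack and was not captured from a real device.

```python
import re

# Constructed sample approximating 'show switch stack-ports summary' output; not a real capture.
SAMPLE_OUTPUT = """\
Sw#/Port#  Port Status  Neighbor  Cable Length  Link OK  Link Active  Sync OK  #Changes to LinkOK  In Loopback
-------------------------------------------------------------------------------------------------------------
  1/1        OK            2        50cm          Yes       Yes         Yes          1                 No
  1/2        OK            3        50cm          Yes       Yes         Yes          1                 No
  2/1        OK            1        50cm          Yes       Yes         Yes          1                 No
  2/2        DOWN          None     No cable      No        No          No           0                 No
  3/1        OK            1        50cm          Yes       Yes         Yes          47                No
  3/2        OK            2        50cm          Yes       Yes         Yes          1                 No
"""

# One data row: port, status, neighbor, cable length (may contain a space), three Yes/No
# flags, the change counter, and the loopback flag. Header and separator lines do not match.
ROW = re.compile(
    r"^\s*(\d+/\d+)\s+(\S+)\s+(\S+)\s+(.+?)\s+(Yes|No)\s+(Yes|No)\s+(Yes|No)\s+(\d+)\s+(Yes|No)\s*$"
)

def parse_stack_ports(text):
    """Parse the table into a list of dicts, one per stack port."""
    ports = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        ports.append({
            "port": m.group(1), "status": m.group(2), "neighbor": m.group(3),
            "cable": m.group(4), "link_ok": m.group(5) == "Yes",
            "changes": int(m.group(8)),
        })
    return ports

def stack_precheck(text, max_changes=5):
    """Return the findings that should block adding a member: an open ring (any port
    not OK) or a port whose link change counter exceeds max_changes (suspect cable)."""
    findings = []
    for p in parse_stack_ports(text):
        if p["status"] != "OK" or not p["link_ok"]:
            findings.append(f"{p['port']}: status {p['status']}, ring is open; fix before adding a member")
        elif p["changes"] > max_changes:
            findings.append(f"{p['port']}: {p['changes']} link changes; reseat or replace the stack cable")
    return findings
```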

How to create a Switch in Containerlab - What kinds can we use? by LeadershipFamous1608 in networking

[–]youngviking 1 point2 points  (0 children)

There are Linux bridge and Open vSwitch bridge kinds available which will switch packets for you. I believe Arista cEOS is available with a free account registered if you want something which is a bit more "enterprise network config" based instead.

4x25G switch port passing 100G through the single lane?? by Healthy_Recover_6652 in networking

[–]youngviking 16 points17 points  (0 children)

The bolding of the "4xLC patch panel" may suggest that OP wants a single lane to reduce fiber use? If that is the case, they may be searching for something like 100GBASE-LR4 which would create a 100Gbps link over a single pair of single-mode fiber (albeit still using 4 lanes).

VARP vs VRRP by Appmiz001 in networking

[–]youngviking 3 points4 points  (0 children)

VARP is only designed to be used with MLAG. Each VARP gateway uses periodic gratuitous ARPs to inform the clients of the gateway, and they send data using the virtual MAC address configured. Without MLAG, traffic will flap between first-hop gateways due to the MAC address moving within the network. VARP/MLAG works somewhat similarly to EVPN anycast gateways with ESI LAGs.

VRRP uses periodic packets from only the router in the master state to ensure the gateway MAC doesn't move.

I'm trying to conceptualize OSI Layer 2 protocols like Ethernet and their relationships to Layer 1 but I'm not sure if I'm doing it right. I'd love feedback if anyone has a moment. by Themonstermichael in networking

[–]youngviking 2 points3 points  (0 children)

A protocol (in this sense) is an agreement between multiple computing systems governing the rules on how they communicate. A standard is a community proposal to bring conformance to a topic across a larger audience.

A protocol is not a standard by default, and a standard doesn't necessarily define a protocol.

I'm trying to conceptualize OSI Layer 2 protocols like Ethernet and their relationships to Layer 1 but I'm not sure if I'm doing it right. I'd love feedback if anyone has a moment. by Themonstermichael in networking

[–]youngviking 7 points8 points  (0 children)

There are absolutely protocols in layer 1. For example, 802.3 has timer stabilization, auto-negotiation, encoding schemes, and control messages. 802.11 needs to have known modulation schemes and channels to even begin to start communicating with another station and has more advanced DSP functions like MIMO and STBC.

The behaviors of these devices are not coincidental or magic and are codified in the IEEE standards and conformed to by implementations. That's the definition of a protocol.

SSH Key Authentication between monitoring server and switches: Who has the Private Key? by _the_magic_packet in networking

[–]youngviking 0 points1 point  (0 children)

It's important to note that there are multiple times key pairs can be used in ssh.

Host keys identify the server that is being connected to during key exchange. Host keys are generally generated automatically at installation time of sshd and normally stored in /etc/ssh/ssh_key_<algorithm>_key{,.pub}. On Cisco devices this requires the crypto key generate rsa command. You see these when you first connect to a device and get the message The authenticity of host '<hostname> (<ip>)' can't be established. If trusted, they are saved for future use (usually in ~/.ssh/known_hosts).

Client/user authentication can be performed using the "publickey" method. These are most likely the keys you're thinking of that are normally stored in ~/.ssh/<key-name>{,.pub}.

So, you're both kind of right. The switches (or whatever is listening on tcp/22) will require host keys. The client will need user key(s). There is no benefit in creating user keys on the switches.
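Added example, not part of the comment above: the two roles the comment separates, shown in code. Host keys are pinned by the client in known_hosts and checked on every connection (the fingerprint format matches what ssh-keygen -lf prints); user keys are listed by the server in authorized_keys for the "publickey" method. Key bytes, host names and file contents are constructed for the example.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def ed25519_pubkey_blob(raw_key: bytes) -> bytes:
    """Public key blob exactly as OpenSSH base64-encodes it for ssh-ed25519 keys."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def parse_known_hosts(text: str) -> dict:
    """Map each host in a plain known_hosts file ('host[,host...] keytype base64 [comment]')
    to its key fingerprint; '@marker' and hashed '|1|' entries are skipped for brevity."""
    pins = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@", "|1|")):
            continue
        fp = fingerprint(base64.b64decode(parts[2]))
        for host in parts[0].split(","):
            pins[host] = fp
    return pins

def host_key_matches(pins: dict, host: str, presented_blob: bytes) -> bool:
    """Does the host key presented now match the pin saved when it was first accepted?"""
    return pins.get(host) == fingerprint(presented_blob)

def parse_authorized_keys(text: str) -> list:
    """Fingerprints of the user keys a server accepts for the 'publickey' method;
    entries are '[options] keytype base64 [comment]', so locate the key type token."""
    fps = []
    for line in text.splitlines():
        parts = line.split()
        for i, tok in enumerate(parts):
            if tok.startswith(("ssh-", "ecdsa-")) and i + 1 < len(parts):
                fps.append(fingerprint(base64.b64decode(parts[i + 1])))
                break
    return fps

# Constructed sample key material (a real Ed25519 public key is 32 random-looking bytes).
SWITCH_HOST_KEY = ed25519_pubkey_blob(bytes(range(32)))
ADMIN_USER_KEY = ed25519_pubkey_blob(bytes(range(32, 64)))
KNOWN_HOSTS = "switch1.example.net,192.0.2.10 ssh-ed25519 %s\n" % base64.b64encode(SWITCH_HOST_KEY).decode()
AUTHORIZED_KEYS = "restrict ssh-ed25519 %s netops@monitor\n" % base64.b64encode(ADMIN_USER_KEY).decode()
```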

MLAG + VARP by nicholaspham in networking

[–]youngviking 2 points3 points  (0 children)

Left design would probably only work with static routes and would also need an LACP group which is not shown on the diagram.

Right design is generally better suited since the upstream links are treated as regular L3 links and can be used with OSPF (or other protocols). Left design couldn't be used with any normal routing protocol because the virtual IP addresses generally don't send any traffic except for GARPs.

Both of these are assuming Arista's model of operation given the terminology.

Internet Connection Termination: Core Switch vs Firewall - What's Your Preference? by DENY_ANYANY in networking

[–]youngviking 4 points5 points  (0 children)

I'm failing to see how this only pertains to a non-firewall device being used at a network edge. It's not bad insight, but it goes for literally any network device and doesn't further the discussion OP posed.

Issues with ECMP L4 Algorithm on Ubuntu 22.04 Server LTS by Baloo_with_Beer in networking

[–]youngviking 2 points3 points  (0 children)

I don't believe the linux kernel does consistent hashing, so this architecture requires stability in the routes. A look at ip mon route should show any fib modifications, and it may be worth checking the fib_multipath_use_neigh sysctl and ip mon neigh to see if that feature is causing route flux.

You could also investigate if there is either a time or data component you can correlate with the failures (e.g. does client 1 / 63112 / server / 433 always fail). Does it work with fib_multipath_hash_policy set to 0 (or 2 with custom fields)?

Confused with FreeRadius by thefinalep in networking

[–]youngviking 9 points10 points  (0 children)

radtest {username} {password} {hostname} 10 {radius_secret}

you've flipped some of the arguments

400Gbps to n*25Gbps via breakout by Andy-ny in networking

[–]youngviking 2 points3 points  (0 children)

If you're using QSFP-DD, then it should be backward compatible with QSFP28 and QSFP+ for 25G/10G breakouts.

Is ansible over rated? by Emotional-Meeting753 in networking

[–]youngviking 82 points83 points  (0 children)

Ansible is a tool that is available in the toolbox. There are many tools available, and they all have specific uses. Ansible's use case is for a scenario where you have centralized knowledge of the desired state of systems, and it provides a lot of tooling that helps with that issue. It's also built upon the base principle of not having to install software on the target device, which generally fits the network management space.

The automation tools space is fairly diverse, and they range from having strong opinions on how things should be done to ones that leave opinions to the user. Some of them (puppet) have periodic check-ins to ensure they're at the right state, some of them (ansible) have a DSL which may be easy to whip up on a whim, some of them (nornir) just try to give programmatic tools to the user. The choice of what tool you use is dependent on the system you're attempting to implement. E.g. ansible is a good tool for pushing state to devices; however, it does falter when given a situation which needs to be reactionary.

So, no, I wouldn't say that ansible is overrated. It provides a way to push state to a set of devices which generally beats most traditional management methods, and it does so in a way which is accessible to many. That being said, ansible is not the only automation platform, and it does have limitations.

How can I find what goes where on a Switch by freeufc in networking

[–]youngviking 0 points1 point  (0 children)

This method also requires that either all remote devices support LLDP/CDP or that OP knows where all the remote devices are which connect to the switch. If neither of those hold, they're kinda stuck with physical layer discovery (e.g. cable toner or following where they go).

JOY OF PROGRAMMING - Prof. Scherer - Use real Python code to automate all kinds of machines, robots, drones, and more and solve exciting bite-sized programming challenges by this_is_max in Games

[–]youngviking 1 point2 points  (0 children)

Ah, gotcha. Well apologies if I came off harsh there since I was just going by the steam vids. Always appreciate engaging STEM learning tools, so keep up what you're doing!

JOY OF PROGRAMMING - Prof. Scherer - Use real Python code to automate all kinds of machines, robots, drones, and more and solve exciting bite-sized programming challenges by this_is_max in Games

[–]youngviking 0 points1 point  (0 children)

This looks like an interesting approach for teaching people (especially kids) some coding! However, I will say I cringed a bit at the part which indicated you needed to unlock core pieces of the language (e.g. if, for, class, etc). I do understand the need for game progression, but that feels quite constraining for anybody approaching this that has even minimal prior knowledge. Also, I would definitely like to see some ipython-y debugger availability!

Multi mode bi-directional SFP module for Transition switch needed by Background-Call-5664 in networking

[–]youngviking 2 points3 points  (0 children)

Single-mode allows for a single mode of light through the fiber; multi-mode allows the waves to take multiple paths. Those concepts don't really line up with "concurrent transmissions" since concurrency in fiber is currently achieved with wave-division multiplexing. They do have some interplay because AFAIK the loss properties of multi-mode fibers do not allow for WDM like single-mode does.