Gigabit Ethernet and 10-Gigabit Ethernet standard cheatsheet

Gigabit Ethernet

1GBASE-BX	Single strand of single-mode fiber (frequently labeled as BiDi)
1GBASE-LH	Single or multi-mode fiber pair
1GBASE-LX	Single-mode fiber pair
1GBASE-SX	Multi-mode fiber pair
1GBASE-T	CAT5 cable
1GBASE-TX	CAT6 cable

10-Gigabit Ethernet

10GBASE-BR	Single strand of single-mode fiber (BiDi)
10GBASE-BX	Single strand of single-mode fiber (same as above, BiDi)
10GBASE-LR	Single-mode fiber pair, long range
10GBASE-LRM	Multi-mode fiber pair, long range
10GBASE-PR	Standard for EPON/EFM point-to-multipoint fiber
10GBASE-SR	Multi-mode fiber pair, short range
10GBASE-T	CAT6A cable

Notes on joining Debian 12 hosts to Active Directory (winbind)

These are the packages that need to be installed

winbind libpam-winbind libnss-winbind krb5-config samba-dsdb-modules samba-vfs-modules

As far as identity mapping goes, tdb handles machine-local users, rid handles domain users for consistency between different UNIX hosts. If consistency between hosts is not needed or if multiple domain must be able to log in, use the autorid backend. If you took pains to ensure RFC2307 compatibility, feel free to use the ad backend.

In /etc/samba/smb.conf :

 [global]
        kerberos method = secrets and keytab
        realm = DOMAIN.TLD
        workgroup = DOMAIN
        security = ads
        winbind enum groups = Yes
        winbind enum users = Yes

        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

        idmap config DOMAIN : backend = rid
        idmap config DOMAIN : range = 10000-19999

        template shell = /bin/bash

        winbind offline logon = yes
        winbind refresh tickets = yes

Then, to join the domain:

# net ads join -U Administrator 

Restart winbind:

# systemctl restart winbind.service

To check that all is well:

# getent group

# getent passwd

See if domain users and groups show up. 

If they don't, check /etc/nsswitch.conf, it should look like this:

passwd:         files systemd winbind
group:          files systemd winbind

Some quality of life improvements

The below section creates automatically home directory for users (in /home/<domain>/<sam account name>)

To automatically create home folders for users that log in, in  /etc/pam.d/common-session, append:

...

session optional        pam_mkhomedir.so skel=/etc/skel umask=077

...

Ensure the host knows its FQDN and is able to resolve/search the domain:

In /etc/hosts:

...

127.0.1.1 <fqdn> <hostname>

...

In /etc/resolv.conf:

...

nameserver <domain controller>

search <domain>

... 

To add the Domain Admins group to sudoers, append the following in visudo:

%DOMAIN\\domain\ admins     ALL=(ALL:ALL) ALL

To restrict logon to specific groups or users, edit /etc/security/access.conf.

Thanks to the excellent documentation of the folks at https://www.server-world.info/!

BGP configuration on Sophos XG/XGS firewalls

Sophos XG firewalls, at the time of writing, do not offer sufficient flexibility for configuring BGP via the web panel (namely, you cannot even set local preference or modify AS paths) and the official documentation for the CLI is scarce at best. Luckily, since 19.5 MR1, the underlying routing engine is the free and open source Free Range Routing/FRRouting, which has plenty of documentation. As of now, the version included with the 19.5 MR1 firmware is the 8.1 stable -- here are the docs.

You can enter the CLI configuration by logging in via SSH or via the web based console selecting Routing Configuration, then Configure Unicast Routing, then BGP Configuration.

Here are some sanitized extracts from a config i did.

router bgp 64512

 

! adding a neighbor

neighbor 10.0.0.2 remote-as 64513

neighbor 10.0.0.2 description Descriptive name

address-family ipv4 unicast

network 172.16.0.0/16

 

! setting prefix list and inbound/outbound route maps for a specific neighbor

neighbor 10.0.0.2 prefix-list PL_COMPANY_A_NET

neighbor 10.0.0.2 route-map RM_COMPANY_A:IN in

neighbor 10.0.0.2 route-map RM_COMPANY_A:OUT out

exit

exit

 

! setting a prefix list whitelist

ip prefix-list PL_COMPANY_A_NET seq 5 permit 172.17.0.0/16

ip prefix-list PL_COMPANY_A_NET seq 50 deny 0.0.0.0/0

 

! setting  local preference for a neighbor (default is 100)

route-map RM_COMPANY_A:IN permit 10

match ip address prefix-list PL_COMPANY_A_NET

set local-preference 230

end

 

! setting as-path prepend for a neighbor

route-map RM_COMPANY_A:OUT permit 10

match ip address prefix-list RM_COMPANY_A_NET

set as-path prepend 64512

exit

Don't forget to "write memory" to save the configuration to disk. This is also necessary to show changes in the web panel.

Exploring the CLI of the Sophos Cloud Switch series (CS101, CS110)

Recently we got some Sophos Cloud Switch units (CS101 and CS110 series), we mostly manage them using the web panel or the CLI, which is extensively documented, but the docs only provide command reference and not a more complete user manual. I'm going to list some mundane operations you can take a quick look at without having to dig the inscrutable Sophos documentation (article is still WIP!)

Showing the running configuration

show current running-config

It is still not a helpful export since it also lists the defaults, in fact, it gives you an unreasonably long wall of text which is completely unusable for getting a glance of the configuration. I still haven't figured a way to get a more terse output.

Saving the running configuration

save

Yep, just "save".

I'm still trying to guess who is the ODM for this platform. It looks like the software is the exact same one as the one used in SonicWall switches.