Responses for

Network Specialist II job position

with the

Information Technology Department

-
City and Borough of Juneau

December 2024

- Prepared for -

Chris Murray
Director Of Information Technology
Pronouns: He/Him

&

James Zuelow
Systems Operations Manager
Pronouns: He/Him

- Prepared by -

Ravi Teja Pillalamarri

Senior Consultant, Hoosie Community Network
Indianapolis, IN
Ravi Teja Pillalamarri Responses Page 1

1) Consider an enterprise internet feed. Please describe methods to provide high

availability or redundancy in two general cases: With only one reliable ISP
available, and with two or more are available ISPs that differ in speeds and
reliability.

When managing enterprise internet feeds, high availability and redundancy are critical to
ensuring uninterrupted services, especially in scenarios where outages can impact
operations significantly. Based on my experience, the approach to solving this challenge
depends heavily on whether you’re working with a single ISP or multiple ISPs.
• Scenario 1: Single Reliable ISP
With only one ISP available, the redundancy must come from the internal infrastructure
and backup solutions:
• Redundant Hardware and Protocols: The first thing I would do is ensure that the
routers, switches, and firewalls in use are redundant. Setting them up with protocols
like VRRP (Virtual Router Redundancy Protocol) or HSRP (Hot Standby
Router Protocol) ensures failover. For example, if a primary router goes down, the
backup device immediately takes over with minimal downtime.
• Backup Internet Connection: While there’s only one ISP, I’d still include a
backup method, such as a 4G LTE or satellite connection, specifically for critical
traffic. These may not offer the same speed but can prevent a complete outage for
essential operations.
• Proactive Monitoring and QoS: To prepare for outages or performance
degradation, I’d implement robust monitoring tools like PRTG or SolarWinds to
detect potential issues early. Additionally, QoS policies would prioritize critical
traffic like VoIP or database applications during periods of degraded bandwidth.
• Scenario 2: Multiple ISPs with Differing Speeds and Reliability
When multiple ISPs are available, I’d focus on optimizing traffic flow and failover
strategies:
• Load Balancing: One approach I often rely on is dual-WAN load balancing,
which splits traffic between ISPs based on pre-set rules. For example, critical traffic
like video conferencing can be routed through the faster ISP, while bulk traffic like
backups is sent through the secondary ISP.
• Dynamic Routing with BGP: Another solution I’d consider is BGP (Border
Gateway Protocol). This allows the network to dynamically switch paths between
ISPs based on real-time conditions like latency or packet loss. This is especially
useful for high-traffic enterprise networks where uptime is crucial.
• Policy-Based Routing: This provides fine-grained control by defining specific
rules for routing traffic. For instance, I could ensure all database-related traffic
always uses the more reliable ISP while non-essential tasks like software updates
use the slower ISP. This setup maximizes both efficiency and reliability.
Redundancy in these setups isn’t just about failover—it’s also about ensuring optimal
resource utilization and minimizing downtime for critical services.

Network Specialist II – CBJ IT Department December, 2024

Ravi Teja Pillalamarri Responses Page 2

2) Explain the relationships between tagged VLANs, untagged VLANs, and subnets
when transiting a router. Please provide examples of situations where VLANs
can be used to isolate traffic, and where VLANs may not be appropriate to isolate
traffic.
VLANs and subnets are fundamental to network segmentation, and understanding their
interplay is key to designing efficient and secure networks. Let me break this down clearly:
• Tagged VLANs: These are used for carrying multiple VLANs across a single trunk
port. When traffic leaves a device on a trunk port, it’s “tagged” with its VLAN ID
for identification. For instance, if a trunk link connects two switches, I’d configure
VLAN 10, 20, and 30 as tagged VLANs to allow all three VLANs to traverse the
same cable. This is especially useful in scenarios where multiple networks must
pass through the same physical connection.
• Untagged VLANs: These represent the native VLAN on a port where traffic isn’t
tagged. For example, a port configured for untagged VLAN 10 would strip VLAN
tags from incoming traffic, making it accessible for endpoint devices like desktops
or printers that don’t handle VLAN tagging.
• Subnets: Subnets logically separate IP address ranges and often align with VLANs
for easier routing. For instance, VLAN 10 might correspond to subnet
192.168.10.0/24, while VLAN 20 maps to 192.168.20.0/24.
• When to Use VLANs for Isolation:
• A practical use case would be isolating guest Wi-Fi traffic on VLAN 100 from
internal corporate traffic on VLAN 10. This ensures guest devices cannot access
sensitive corporate resources.
• Another example is segmenting VoIP traffic on VLAN 50 to prioritize voice traffic
and prevent it from competing with general data traffic.
• When VLANs May Not Be Enough:
While VLANs are great for segmentation, they have limitations. For instance:
• If inter-VLAN routing isn’t configured correctly, devices on separate VLANs may
fail to communicate when needed.
• VLANs alone don’t provide strong security. For example, VLAN hopping attacks
can bypass VLAN boundaries, so additional controls like ACLs (Access Control
Lists) or firewalls are essential.

3) What are some best practices for securing a subnet to meet CJIS data security

requirements, and what are some challenges in maintaining CJIS requirements in

an enterprise environment?

Meeting CJIS data security requirements requires a multi-layered approach, as these

regulations are among the most stringent in the industry. Here’s how I’d secure a subnet
for compliance:

Network Specialist II – CBJ IT Department December, 2024

Ravi Teja Pillalamarri Responses Page 3

Best Practices:

1. Encryption: I’d ensure all data in transit is encrypted using IPsec VPNs and data
at rest is secured with AES-256. For example, communications between client
devices and CJIS systems would always be encrypted.

2. Access Control: Role-based access control (RBAC) ensures that only authorized
users can access CJIS data. This would include enforcing least privilege principles.

3. Network Segmentation: CJIS traffic should be isolated on its own VLAN and
subnet, with firewalls tightly controlling access. For instance, I’d use firewalls to
allow access only from specific IP ranges used by authorized systems.
4. Logging and Monitoring: Compliance requires comprehensive logging. I’d use
centralized logging tools like Splunk or Graylog to monitor for unauthorized access
or unusual activity.

5. Endpoint Security: All endpoints accessing CJIS data would be secured with anti-
malware solutions and EDR (Endpoint Detection and Response) tools.

6. MFA: Multi-factor authentication would be mandatory for all privileged accounts

and systems accessing CJIS data.

Challenges:

• Frequent Audits: CJIS compliance requires regular audits, which can be time-
intensive. I’d mitigate this by automating audit preparation using tools like Nessus.

• Cross-Platform Environments: Maintaining uniform security across Windows

and Linux systems is challenging. I’d standardize security policies and use
monitoring tools to track compliance across platforms.

By combining these best practices with continuous monitoring and training, I’d ensure the
subnet remains compliant and secure.

4. Identify some Linux configuration and management tasks that lend themselves to
automation across several devices, paying attention to Debian compatibility.
Describe how you would address those tasks, with an emphasis on repeatability
and portability. (If you provide actual code, functional examples are nice, but
pseudo-code examples are acceptable.)

In my experience, automating configuration and management tasks in a Linux environment

is essential, especially when dealing with multiple devices. Here’s how I’d approach this,
focusing on Debian-based systems, where compatibility and repeatability are key:

Network Specialist II – CBJ IT Department December, 2024

Ravi Teja Pillalamarri Responses Page 4

• Tasks Suitable for Automation:

1. Package Management:
o Automating updates and installations using tools like apt combined with
configuration management tools (e.g., Ansible).
o For example, I’d write a playbook to ensure critical packages like OpenSSL
or Apache are installed and updated across all devices.
2. User Account Management:
o Automating the creation, deletion, or modification of user accounts. This is
especially useful when onboarding or offboarding multiple users.
o I’d use Ansible modules like user to create accounts with predefined
permissions, ensuring consistency.
3. Network Configuration:
o Automating the setup of static IPs, DNS settings, or VLAN configurations
using configuration templates.
4. System Monitoring Setup:
o Automating the deployment of monitoring agents like Nagios or
Prometheus. For instance, I could use a script to install and configure agents
across multiple systems for consistent monitoring.
• Implementation:
To address these tasks, I’d use Ansible due to its simplicity and compatibility with Debian.
Below is a sample approach for automating user creation:
yaml
- name: Create users
hosts: all
become: true
tasks:
- name: Add users
user:
name: "{{ item.name }}"
state: present
groups: "{{ item.groups }}"
loop:
- { name: 'user1', groups: 'sudo' }
- { name: 'user2', groups: 'dev' }
• Repeatability and Portability:
• Configuration as Code: All configurations are stored as code in version-controlled
repositories (e.g., Git), ensuring repeatability and easy rollbacks.

Network Specialist II – CBJ IT Department December, 2024

Ravi Teja Pillalamarri Responses Page 5

• Template-Based Configuration: Using tools like Jinja2 with Ansible to create

dynamic templates that can adapt to different devices while keeping the core
configuration consistent.

5. At CBJ we use a mix of Windows and Linux servers, leveraging Linux when it
makes sense to reduce licensing costs or when the platform is a better fit for a
particular task. That heterogeneous environment comes with its own management
challenges. What steps would you take to ensure access to Linux servers from a
Windows 10 or Windows 11 management PC?

In a mixed environment of Windows and Linux servers, ensuring seamless access is critical
for efficient administration. Based on my experience, I’d focus on tools and methods that
simplify cross-platform management while maintaining security.
• Steps to Enable Access:
1. Use an SSH Client:
o The simplest solution is to use an SSH client like PuTTY or MobaXterm on
the Windows machine to securely access Linux servers.
o For convenience, I’d configure key-based authentication to eliminate the
need for entering passwords repeatedly.
2. Install WSL (Windows Subsystem for Linux):
o On Windows 10/11, I’d enable WSL and install a Linux distribution (like
Ubuntu). This provides a native Linux shell environment, allowing me to run
commands directly from the Windows machine.
o Example: I could install Ansible on WSL to manage Linux servers without
requiring additional software.
3. Use a Unified Management Tool:
o Tools like Cockpit or Red Hat Satellite provide web-based dashboards for
managing Linux servers. These can be accessed directly from a browser on
the Windows PC.
• Challenges and Solutions:
• Credential Management: Securely managing credentials for multiple servers can
be tedious. I’d use SSH key pairs stored in a secure vault (e.g., KeePass or
HashiCorp Vault) to streamline access while maintaining security.
• Firewall Configurations: If Linux servers are behind a firewall, I’d ensure that port
22 (SSH) is open and restricted to the Windows PC’s IP address.
These steps ensure secure, efficient access to Linux servers from a Windows management
PC while minimizing administrative overhead.

Network Specialist II – CBJ IT Department December, 2024

Ravi Teja Pillalamarri Responses Page 6

6. Explain, at a high level, the process for deploying an FCC licensed microwave
link between two facilities. Why might you want to use an FCC licensed link?
Why might you want to avoid an FCC licensed link? What considerations might
you take into account before applying for an FCC license?

Deploying an FCC licensed microwave link between two facilities is a structured process
with several important considerations. Here’s how I’d handle it:
• Deployment Process:
1. Site Survey and Line-of-Sight (LOS) Assessment:
o The first step is conducting a thorough site survey to ensure there’s a clear
LOS between the two locations. Obstructions like buildings, trees, or terrain
must be identified and mitigated.
o Tools like Google Earth Pro or RF planning software (e.g., Pathloss) can help
visualize LOS and calculate link feasibility.
2. Frequency Coordination and Licensing:
o Since this is an FCC licensed link, I’d apply for a frequency license through
the FCC’s Universal Licensing System (ULS). This ensures interference-free
operation.
o Frequency coordination with neighboring links is critical to avoid signal
interference.
3. Equipment Installation and Configuration:
o Install antennas and radios at both locations. I’d ensure proper alignment
using a spectrum analyzer to minimize signal loss.
o Configure radios with the licensed frequency, modulation settings, and
bandwidth.
4. Testing and Optimization:
o Perform end-to-end testing to measure signal strength, throughput, and
latency. I’d optimize alignment and power settings to maximize performance.
• Advantages of FCC Licensed Links:
• Reliability: Licensed frequencies are protected from interference, ensuring
consistent performance.
• Security: Licensed links are less susceptible to unauthorized access or disruption.
• Disadvantages:
• Cost: Licensing fees and equipment costs are higher compared to unlicensed links.
• Regulatory Compliance: Ensuring compliance with FCC regulations requires
ongoing monitoring and record-keeping.
• Considerations Before Applying for a License:
• Environmental Factors: Weather conditions like heavy rain can impact signal
quality, so I’d evaluate the location’s climate.

Network Specialist II – CBJ IT Department December, 2024

Ravi Teja Pillalamarri Responses Page 7

• Bandwidth Requirements: Determine if the licensed link can meet current and
future data demands.
• Redundancy: Consider whether an alternative communication method is necessary
in case of link failure.
By following these steps, I’d ensure a reliable and compliant deployment of the microwave
link.

7. Considering the steps needed to convert an IDS to an IPS, please explain the
concept of baselining and why it might be an important step. Is baselining more
important in some situations than in others? If so, please explain.

When converting an Intrusion Detection System (IDS) to an Intrusion Prevention System

(IPS), it’s essential to carefully plan and execute the transition to maintain security without
causing unintended disruptions. From my experience, the concept of baselining is pivotal in
this process.
• High-Level Conversion Process:
1. Initial Assessment:
o Evaluate the current IDS setup, including the types of alerts it generates and
the network traffic it monitors. This ensures you have a clear understanding
of how the system operates.
o Identify rules and configurations that are most effective for detection but
could cause disruptions when switched to prevention.
2. Implementation:
o Transition the IDS to an IPS by placing it inline with network traffic so it can
block malicious activity instead of just detecting it.
o Configure the IPS with initial rules based on the IDS’s most accurate alerts.
3. Testing and Tuning:
o Conduct controlled testing in a lab environment or during non-peak hours to
ensure the IPS blocks malicious traffic without interfering with legitimate
traffic.
4. Monitoring and Adjustments:
o Continuously monitor IPS logs and fine-tune rules to minimize false positives
and negatives.
• Role of Baselining:
Baselining involves analyzing normal network traffic patterns over a period of time to
establish a benchmark. This step is critical for effective IPS deployment because:
• Accurate Rule Creation: A baseline helps identify legitimate traffic patterns,
reducing the risk of blocking harmless traffic.
• Minimizing False Positives: Without a baseline, an IPS may block valid traffic that
slightly deviates from expected patterns.

Network Specialist II – CBJ IT Department December, 2024

Ravi Teja Pillalamarri Responses Page 8

• Improved Threat Detection: By understanding normal traffic behavior, anomalies

like unauthorized data exfiltration or unusual port usage stand out more clearly.
• Situational Importance:
Baselining is especially important in dynamic environments where traffic patterns change
frequently, such as:
• Large enterprises with diverse applications and users.
• Networks experiencing seasonal traffic spikes (e.g., e-commerce sites during
holidays).
However, in environments with static and predictable traffic (e.g., industrial control
systems), baselining might be less critical because deviations are rare and easier to identify.

8. Describe a technique for managing DHCP, where clients are in one subnet but the
DHCP server is in another. If you have more than one technique, please compare
them and present the one you prefer, and why.

Managing DHCP across subnets is a common requirement in enterprise networks, and there
are several effective ways to achieve this. Here’s how I’d approach it:
• Challenges:
DHCP broadcasts are confined to the local subnet by design, so relaying these requests to a
server in another subnet requires a workaround.
• Techniques:
1. DHCP Relay Agent:
o Deploy a DHCP relay agent on a router or Layer 3 switch that connects the
client subnet to the server subnet.
o The relay agent intercepts DHCP requests and forwards them to the server
using the DHCP helper address.
o Example: In a Cisco router, I’d configure ip helper-address <DHCP-server-
IP> to relay requests.
2. Centralized DHCP with VLANs:
o Configure the DHCP server to serve multiple VLANs by defining separate
scopes for each VLAN.
o Use DHCP relay agents on switches to forward requests from each VLAN.
3. Local DHCP Server:
o Deploy a local DHCP server in the client subnet. While this eliminates the
need for a relay, it increases maintenance overhead.
• Preferred Technique:
I prefer the DHCP relay agent method because:
• It centralizes management on a single DHCP server, reducing complexity.
• It scales better for larger networks compared to deploying local servers in each
subnet.

Network Specialist II – CBJ IT Department December, 2024

Ravi Teja Pillalamarri Responses Page 9

• Comparison:
• Relay Agent: Scalable, centralized, minimal maintenance.
• Local Server: Suitable for isolated environments but harder to maintain.
• VLAN Configuration: Best for networks with distinct VLANs but requires
additional switch configuration.

9. Given a pair of network appliances or servers, you need to design a way for the
two servers to share a network service available by IP address. Please describe
two methods to share the IP address. One method should be a failover mode
(where only one device has the address active at a time), the second method in a
load-balanced mode (where both devices provide the service at the same time.)
Consider the IP address alone, this is not a DNS question.

Ensuring redundancy and high availability for services often requires sharing an IP address
between devices. Here’s how I’d handle this in both failover and load-balanced scenarios:
• Failover Mode (Active-Passive):
• Method:
o Use protocols like VRRP (Virtual Router Redundancy Protocol) or HSRP
(Hot Standby Router Protocol) to share a virtual IP (VIP) between two
devices.
o In this setup, only one device actively holds the IP address at a time. If the
active device fails, the standby device takes over.
• Example:
o Configure two firewalls with a shared VIP for external traffic. If the primary
firewall fails, the secondary automatically assumes the VIP without
interrupting service.
• Advantages:
o Simple to set up and provides seamless failover.
o Ensures that only one device is responsible for the service at any given time,
avoiding conflicts.
• Disadvantages:
o Utilizes only one device at a time, leaving the secondary idle under normal
conditions.
• Load-Balanced Mode (Active-Active):
• Method:
o Deploy a load balancer (e.g., HAProxy, F5, or even DNS-based solutions) to
distribute traffic across both devices.
o Both devices share the IP address and handle traffic simultaneously,
improving resource utilization.

Network Specialist II – CBJ IT Department December, 2024

Ravi Teja Pillalamarri Responses Page 10

• Example:
o Two web servers hosting the same application can use a load balancer to
distribute incoming traffic based on server load or client proximity.
• Advantages:
o Maximizes resource utilization by distributing traffic evenly.
o Provides fault tolerance, as the load balancer redirects traffic if one device
goes down.
• Disadvantages:
o More complex to configure and maintain compared to failover mode.
By leveraging these techniques, I’d ensure both redundancy and efficient use of resources
based on the specific requirements of the network and services.

10. You have a group of four untrusted subnets that need to transit a Linux server.
The Linux server will act as a router and firewall controlling traffic to and from
each of the untrusted subnets to a fifth trusted subnet. The Linux server only has
two network interfaces. Describe a method to accomplish this task.

In a scenario where a Linux server is used as both a router and a firewall to manage traffic
between multiple untrusted subnets and a trusted subnet, it’s essential to design the solution
carefully to ensure security and efficient traffic flow. Here’s how I would approach this task:
1. Challenges:
• The server has only two network interfaces, yet it must manage traffic for multiple
untrusted subnets while providing a secure connection to the trusted subnet.
• The configuration must ensure isolation between the untrusted subnets while
controlling access to the trusted subnet.
2. Proposed Solution:
3. Leverage VLANs for Subnet Segmentation:
o Use VLAN tagging to segment traffic from the four untrusted subnets.
o Assign each untrusted subnet a unique VLAN ID and configure the network
interfaces on the Linux server to handle these VLANs.
o For example:
ip link add link eth0 name eth0.10 type vlan id 10
ip link add link eth0 name eth0.20 type vlan id 20
ip link add link eth0 name eth0.30 type vlan id 30
ip link add link eth0 name eth0.40 type vlan id 40
ip addr add 192.168.10.1/24 dev eth0.10
ip addr add 192.168.20.1/24 dev eth0.20
ip addr add 192.168.30.1/24 dev eth0.30
ip addr add 192.168.40.1/24 dev eth0.40

Network Specialist II – CBJ IT Department December, 2024

Ravi Teja Pillalamarri Responses Page 11

4. Implement iptables or nftables for Firewall Rules:

o Configure iptables (or the newer nftables) to enforce strict traffic controls
between subnets.
o Example iptables rules to block inter-subnet traffic and restrict access to the
trusted subnet:
# Block inter-subnet traffic
iptables -A FORWARD -i eth0.10 -o eth0.20 -j DROP
iptables -A FORWARD -i eth0.30 -o eth0.40 -j DROP

# Allow traffic from untrusted subnets to trusted subnet for specific services
iptables -A FORWARD -i eth0.10 -o eth1 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth0.20 -o eth1 -p tcp --dport 443 -j ACCEPT

# Block all other traffic to the trusted subnet

iptables -A FORWARD -i eth0.* -o eth1 -j DROP
5. Routing Configuration:
o Enable IP forwarding on the Linux server to allow it to route traffic between
subnets:
sysctl -w net.ipv4.ip_forward=1
o Add static routes as needed to ensure proper traffic flow.
6. Monitoring and Logging:
o Use logging tools like rsyslog or ELK Stack to monitor traffic and detect
anomalies.
o Example: Log all traffic to the trusted subnet for audit purposes:
iptables -A FORWARD -i eth0.* -o eth1 -j LOG --log-prefix "Trusted Subnet Access: "
7. Advantages of This Approach:
• Scalability: Using VLANs allows the server to manage multiple subnets with only
two physical interfaces.
• Security: Firewall rules ensure isolation between untrusted subnets and restrict
access to the trusted subnet.
• Cost-Effectiveness: The solution minimizes hardware requirements by making full
use of existing interfaces.
8. Alternative Solution:
If VLANs are not an option, I’d use virtual interfaces or subinterfaces to achieve similar
segmentation. However, this may add complexity in environments with high traffic loads.

Network Specialist II – CBJ IT Department December, 2024