A WatchGuard Firebox M200 joins the home lab


I had been running a SonicWall NSA 220 “for ages” in my home lab but after 5 years of non-stop service, it died on me. This was not good. The appliance provided both my home office and my lab environment with routing and firewall capabilities. Part of that setup is static and part of it is dynamic as for testing purposes lab environments are built and destroyed. So I needed to fix this asap.TL-DR: a WatchGuard Firebox M200 joins the home lab.


I was looking at buying a pfSense dedicated appliance or a MikroTik router. It wanted to avoid my temporary workaround which was pfSense running in a virtual machine. That is great for temporary testing especially when you need to test various distros depending on the project. Integrating a dedicated appliance in the home lab does have some advantages. The drawback is that it does cost extra money to go get an appliance.

Dedicated appliance

With a dedicated appliance, I can isolate and protect my guest network, my home network as well as maintain a secured IoT segment. If the appliance is a VM I need to make sure it is always running. The appliance is also always ready to whenever I start up my home lab and work environment. Likewise, when I shut that all down the physical appliance still provides services for other needs.

A physical appliance also has the benefit of a small form factor, a 1U size which provides the ability to rack mount it. We need to keep the lab clean and well ventilated to prevent a fire hazard. A desk full of powered on devices is not the way to go.

Last but not least I find that getting some hands-on with the more popular brands these is always a good thing. While they all provide similar functionality and some are more capable than others, they all do have their own particular ways of doing things. This means that working with different appliances helps solve issues in real life as we encounter a variety of appliances out there.

A WatchGuard Firebox M200 joins the home lab

I was in luck, however. After talking shop on our way to some community events, a buddy who runs his own company provided me with some decommissioned WatchGuard hardware to use in the home office lab. I have tried to help him out with various small things over the years and what goes around came around. Thanks, buddy! You see, you don’t have to take dumpster diving to literally.

The M200 and AP 300 during initial configuration

I got a WatchGuard Firebox M200 and a WatchGuard AP300 to go with it. This meant I could rebuild the main firewall/router functionality in the home lab. These products have been replaced by newer editions (M270). They are still excellent products however and provide great functionality to test. In a lab environment, these are great to have around. As I work in environments that require enterprise-level functionality within SME budget this kit hits the mark.

Even with the licenses for the advanced features expired it packs a punch. I also found a way to upgrade the OS to the latest version (v12.4.1). The standard ways require an active license but there is an option that does not. It took me a while to find it but it works and it is legit.

The WAP, which I also upgraded to the latest firmware ( provides Wi-Fi for a guest network and a corporate authenticated network in my default permanent lab setup. More SSIDs and networks can be configured when the need arises for testing various scenarios. Wi-Fi in all its forms plays an essential part in any environment with more mobile and flexible roles than ever before. More recently I was testing 802.1x port authentication for deployments in DevOps environments that leverage Hyper-V quite a lot. You might recall the fact that the Hyper-V switch supports 802.1x since Windows Server 2019 (LTSC 1809) and Windows 10 (1809 and above) which was very timely for the solution I needed to provide.

The fist and most essential configurations

I registered with another free dynamic DNS provider (http://freedns.afraid.org/about-us/) which the M200 on firmware 12.4.1 supports. The previous one I used to was not supported. That was easily done quickly. I don’t need this because “host” stuff at the home lab but mainly because that how I keep my dynamic IP updated in a place where I can grab it with some code to update VPN local gateway settings in Azure and other stuff like that.

The WatchGuard Firebox M200 is now the new core of the home network. I recreated all my VLANs and routes. While I am not yet done with everything, I do have BGP routing running between my lab Azure deployments and my on-premises home lab now. This testing out hybrid connectivity as well as high availability, failover, and transitive scenarios.

Checking my routed VPN to Azure BGP advertised routes

After making sure RDS Gateway was working I created a custom rule to have SMTP work with STARTTLS over 587 next to TLS over 465. But that was about it. Except for one special jump host in a DMZ. For this host, I added rules to enable TeamViewer to work. Which was kind of easy to do as we can specify FQDN names so no matter how many and changing IP addresses are used this helps deal with this. TeamViewer, for better or for worse, is used a lot, and once in a while, I need to test with it.

Configuring the WatchGuard Firebox M200 firewall ploicies


Now that I have the M200 & AP300 up and running the lab and home office are now again capable of simulating and testing business environment scenarios. This matters a lot while testing and learning because it helps me get a better grasp of all the pieces and parts that make up a design or solution. In my humble opinion, this has always been more helpful than pure paper-driven designs. My experimenting in the lab benefits myself, my employers and the community at large. Self-improvement and community contributions are by nature a win-win situation. So I am happy a WatchGuard Firebox M200 joins the home lab.

While I am at it I will upgrade my Azure VPN script from AzureRM to AZ. The reason is that I need to delete the Gateway when not testing as the minimal BGP capable VPN gateway SKU ( VpnGw1) is eating away at my limited Azure at home budget. This is still my main beef with cloud computing. Dumpster diving is a cost-effective CAPEX budget model. OPEX is not a personal budget-friendly model.  It is game over when that runs out.

Design & configuration for fixed port 802.1x authentication via the Hyper-V switch


In this article, I share my first design & configuration for fixed port 802.1x authentication via the Hyper-V switch. This is geared especially toward developers and engineers. These are a mixture of internal staff and contractors, using AD joined as well as BYOD clients. The gist of this article is actually you need to learn about networking, 802.1x, RADIUS/NPS. You can just consider the Hyper-V switch as an unmanaged switch in most scenarios here.

In a previous blog 802.1x Support with the Hyper-V switch is here!, I shared how you can now enable 802.1x for use with the Hyper-V switch in Windows 10 1809 and Windows Server 2019 or later. Note that this a requirement for the Hyper-V host only, lower OS versions of the guests are fine.

Enabling is as simple as adding a registry key and rebooting the host.

Reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmsmp\parameters” /v 8021xEnabled /t REG_DWORD /d 1 /f

The existing situation

In the HQ and branch offices there are VLANs for AD joined fixed port clients, AD joined Wi-Fi clients (SSID CORP-WIFI), and a guest VLAN for non-authenticated device both on Wi-Fi (SSID GUEST-WIFI) and fixed ports. These VLANs are untagged and are on physical access ports (authenticated, i.e. AD joined and non-authenticated, i.e. non-AD joined) on the switch. Or they are different SSID on the WAP.

When a non-authenticated client connects to an authenticated port, Radius authentication fails but the port and as such the client is given access to the guest VLAN. It’s functionally the same as for the unauthenticated ports on guest VLAN.

There are also ports that are authenticated and will not provide guest VLAN access but discard the traffic or even shut down the port when authentication fails. These are in more security-focused parts of the branch offices.

The goal

We wanted to have this functionality available to the developers running Hyper-V. It needs to work for both authenticated and non-authenticated physical clients as well as VMs. Also, we need to provide a solution for when the host has only one NIC (physical or wireless) or multiple (1 or more physical, more wireless). In the case of a desktop with only one NIC, the management vNIC has to authenticate for the host as well as for the VMs.

When you have a wireless NIC such as laptops this also works (bridge). When you dedicate a docking station ethernet port for the vSwitch you’re good to go as well but can also use wireless for the host and the physical NIC for the vSwitch. The same principles work both with AD joined and non-AD joined physical clients. This has been an issue with Hyper-V as the vSwitch did not support EAPoL and authentication was impossible.

The design and configuration

The lay of the land

I have this running in the lab with various PowerConnect switches. These are older 2800 and 5400 series as well as the 5500 series and the N2000 series. It is also in production at one organization with the 5500 series and soon also one with N2000 series.

A functional 802.1x infrastructure for both wired and wireless clients is assumed. This is not an article about configuring that. Many of you have the CA/PKI, NPS/RADIUS, GPO (cert auto enroll, wired/wireless client config) running. I have it in the lab and it’s based on computers certs as well as in production environments. If you don’t, you’ll need to take care of that first.

My lab NPS/radius reauthenticating my guest VM on a Windows 10 1809 Hyper-V host every 5 minutes (for demo purposes). Note the dynamic VLAN assignment in the NPS network policy.


There are multiple ways to achieve a solution. The idea, however, is to avoid anything but access ports toward clients unless unavoidable. So, no trunk, general or however you preferred vendors call it.

To achieve our goals, we configure the physical switch ports as follows:

  • We need to multi-session authentication (we have multiple devices attached to one port that all need to and must authenticate or fail. This does mean there is no option to shut down that port on failure.
  • We leverage dynamic VLAN association (NPS Policy) to move successfully authenticated ports into the corporate VLAN.
  • We leverage the guest VLAN to move unauthenticated ports into so those devices get minimal network access and internet connectivity. This can be a dedicated VLAN for that purpose. Call it what you want (Quarantine, VM-Guest, Isolated).
  • The switch port mode remains in access mode and is not in general/trunk/hybrid mode. Now depending on the switch that might not be possible. In the old budget PowerConnect 2808, the port is in general mode actually and you configure trunk or access via PVID and untagged/tagged allowed VLANs. Let’s keep it simple here, whatever goes on behind the scenes we don’t configure the port as a trunk or so for this unless we really have to.
  • It avoids having to use an unauthenticated VLAN per se (which would involve tagging and I don’t want to go there with the developers).
  • This approach leverages what is already there and requires only port reconfiguration as needed for 802.1x
  • If we need to disable port auth for troubleshooting RADIUS you can opt to either put the access port on the guest or even (whatever suits the needs better and is allowed) on the corporate VLAN by default.

Dynamic VLAN assignment & RADIUS/NPS policies rock here!

But based on the group membership I can give the Hyper-V Host or VM attached to the vSwitch going to that port a different VLAN via Dynamic VLAN assignment in the RADIUS network policies. You can get creative here (infra, dev, test, acceptance, …. they can be in different VLANs when required). Below is lab implementation of a scenario where people bring their own client with Hyper-V. When they need VMs that authenticate with AD that is possible while other VMs get a guest network assigned

I offer this to both internal and external employees now and reduce dependencies on workarounds, physical security and “hope” nothing bad connect to the wire. This is a sweet setup for freelancers, contractors, consultants & employees alike. Combine this with Veeam Agent for Windows 3.0 to protect your client Hyper-V host and VMs. Sweet! It has been a driving factor to upgrade for some of them.


802.1x via the Hyper-V switch works very well. The intricacies are the same as with 802.1x in a purely physical environment that has a mix of managed/non-managed switches going to clients. I’ll repeat myself here and state the same as I did in my other blog post. The point is you’ll have to wrap your head around port authentication with 802.1x and its various options, permutations on the switches and radius servers.

I normally deal with Windows NPS for the radius needs and the majority of my sites have DELL campus switches. But I find my way around any other model as well both big and small names.

Depending on the needs of the users (developers, IT Pros, engineers) for your VMs you will have to configure port authentication a bit differently and you’d better either own that network or have a willing and able network team to work with. Where this is running in production POC I’m in charge of the entire stack so I can move fast, effective, efficient and offer great value for money. One week after 802.1x support with the Hyper-V switch going public. That is agility, that is speed, that is IT at its best.

Speaking at Cloud & Datacenter Conference Germany 2019 and the pre-day

I’m happy to share I have a talk on SMB Direct and RDMA at the Cloud & Datacenter Conference Germany 2019. I’m also speaking for the Hyper-V and Hybrid community Germany the day before the conference where we introduce our first experiences with Persistent Memory (PMEM). This will drive home, more than ever, the need for high speed, low latency and offloaded networks. I am looking forward to seeing you there and I’m honored Carsten is having me over again for this best of breed conference!

Register here: https://www.cdc-germany.de/

There is still time to register for both events if you’d like to attend. Please so do here
https://www.cdc-germany.de/ for the Cloud & Datacenter Conference Germany 2019.


Back in 2010, I introduced the first 10Gbps networking into my solutions. Cost effective and focused on single rack needs. I built my first Leaf-Spine based network somewhere in 2011-2012. Nothing major, but it did lead to the most cost-effective and efficient redundant 10Gbps network in every rack. The solution enabled cross rack and cross row connectivity (3 rows of 3 racks). As we were prepping for Windows Server 2012 we made sure we had DCB in that design covered. We loved it.

We isolated all the needs of the ops team from corporate networking to enable them “to own the stack”. Ops remained the owner of the entire stack. Network, storage, virtualization, data protection, core infrastructure etc. That meant we could do RoCE right and got the networking done at a great value for money ratio. Owning the stack has always been the way to avoid expensive silos. The only people who didn’t like it were those that made money or derived political power by controlling resources. We got shit done fast, efficient and effective at prices well below what people paid for a lot less “service”.

The leaf-spine design has remained a favorite of mine. Perfection is not of this world leaf-spine has challenges just like anything, but that doesn’t distract from the usability to build great solutions. One challenge that always remains is real fair load balancing, congestion, blocking … Depending on your size with a decent deployment you might never know of these challenges let alone how they are solved. With the extension of the network to the clouds, it remained a solid choice in a hybrid world. It also formed the basis for more cloud-like network designs on-premises. Some variations on leaf-spine exist and design choices depend on the context, needs, and possibilities.

Somewhere in those years the term “spline” made its appearance in the leaf-spine world and I was puzzled for a moment. What is a Spline? Is nothing more than the smallest possible form of a leaf-spine in a single tier, which is quite popular as it can integrate into existing environments by itself and enable scenarios some big corporations network team won’t or can’t ever enable. Basically, what I did in the early days to get 10Gbps into existing environments without too much pushback. So, it’s both a technical solution and a diplomatic tool as well as a nice marketing term.

What is Spline?

As said, a Spline is nothing more than the smallest possible form of a leaf-spine. That comes down to only 2 switches in a single tier. In this single tier, these 2 switches combine the roles of the leaf and spine, hence the name “Spline”. This is a nice marketing term for two small switches with ample of ports & bandwidth for a small sized deployment were leaf-spine would be overkill and cost prohibitive.

The switches are 1 or maximum 2 units high-density multi-rate devices. This could be anything between 1/10/25/40/50/100 Gbps depending on the model and vendors, available modules and cables used. It’s a viable choice for smaller deployments when one can have some margin for growth and wiggle room.

Mellanox SN2010 & SN2100 are prime example of great switches for a Spline

The modular DELL S6100 ON is another example of a switch to build splines with.

A single tier provides for the lowest latency possible by definition, no tiers need to be crossed – it doesn’t get any better. Predictable (it is always the same) distance and bandwidth is there as, again, there are no tiers to cross.

You can use layer 2 (MLAG, VLT, vPC) or layer 3 (ECMP) interlinks. You don’t lose any flexibility or options here. As such, it will work with traditional virtualization, containers, HCI and with Routing on Host, network virtualization.

What you lose is scale out. You need the leaf-spine to scale out bandwidth and port count in a flexible way. You can scale up by using bigger switches.

Top use cases for spine

Actually, many smaller solutions probably use a “spine” with layer 2 networking for S2D deployments. It’s easy to get 1 to 4 of S2D clusters in a rack depending on the size of the clusters and the number of ports & bandwidth in the switches. With 2 redundant smaller switches that don’t take up more than 1 or 2 units to provide them with ample 25Gbps ports or 100Gbps port you can split up to your needs.

Another prime candidate for a spline is StarWind their storage solutions. They have great offerings for varied needs and don’t force every need into the one type fits all solution of HCI. But in the end, you can use them in any environment where you need lots of bandwidth, high throughput, and low latency.

When and where I don’t like Spine

I don’t like large Spines. They are the same old story with potentially huge chassis switches that bring back all the drawbacks but they have been flattened into a single tier. They are prohibitively expensive, so normally there’s only 2 with a huge amount of ports leading to cabling expenses and logistical issues depending on the data center you’re in. Upgrading one of those 2 huge chassis switches tend to bring down a large part of your network (potentially half) and carries a greater risk. So, we’re back to why leaf-spine became so popular and remains popular.

When I look at it from a reverse perspective it’s like someone took a 1 rack or one deployment stamp design and created a giant version of it. All this in an attempt to scale it up instead of out. In reality, it was probably giant switches looking for a new sales pitch. It might work for some, but I would not design a solution based on this. It might have a familiar look and feel to some people but I never liked them very much, design-wise, concept-wise, money wise … but that’s me. Where you can use them if you have the appetite for that is in client networking. Still not a big fan but hey that’s where I tolerate stacks when needed (limited uplinks) as it doesn’t impact 24/7 operations as much and the clients accept the downtime & risk.


A spline is a great design for a rack-sized deployment. In a pinch you can cross racks or even rows but the cabling of that all can become costly. Depending on what’s allowed and possible in your data-center it might not even be an option. Pro Tip: choose your location wisely and never ever tolerate the one size fits all approach of a hosting provider, corporate network team or co-loco. That basically always means they are optimizing for their needs and budgets, not yours.

When using bigger deployments or where growth is very likely, I go for small leaf-spine deployments instead of scaled-up splines.

A Spline can be converted into part of a leaf-spine, so it allows for change and evolution in your network, you normally won’t lose your investment.

What I do not like about spline is when it is used to leverage those huge chassis switches again. It brings all the drawbacks in cost, lack of scale-out, limited redundancy and higher risk back into the picture. Simply flattening a bad idea in a single tier doesn’t make it great.