I misspoke earlier, by "VPN box on my segment", I meant an EdgeRouter Lite. My network is... way too complicated, thanks to studying for certifications. Either way, my parents' router is a Time Warner-provided lovely router with no VPN capability, BUT, it receives the coaxial connection from the cable, so I need another device somewhere in order to make a VPN happen. If that makes sense. So, just using a switch wouldn't help me there. My plan is to switch to just using the ERL on my side, setting it up to receive VPN connections, and then forwarding all the necessary ports (PPTP/L2TP/IKE/whatever) to the ERL from the internet router. That should work, right?

# ? Apr 18, 2014 21:52

Have Time Warner switch the modem to actually be a modem, not a lovely router, and then put your router behind it. NAT is bad enough, double NAT should always be avoided.

# ? Apr 18, 2014 22:30

Cenodoxus posted: I was hesitant to use EdgeOS because I had heard bad things about it as far as 802.1p stability, lack of documentation, etc, but as long as it's relegated to some simple ACL, NAT, and DHCP stuff I think it should be alright.

# ? Apr 19, 2014 05:38

Is UCS, Nexus, and SAN management really that desired? I mean I knew they had Cisco certs and all but I thought most of this poo poo was common knowledge when running a datacenter. It also only had light pull in my area, secluded to a few larger businesses such as Norfolk Southern, some colleges, and health care. Flying out to AZ soon for some upgrades n poo poo; also implementing patch policies and net optimization for our 40+ sites.

Dilbert As FUCK fucked around with this message at 05:49 on Apr 19, 2014

# ? Apr 19, 2014 05:42

A UCS chassis, Nexus fiber interconnect switch, and a SAN is all part of Cisco's Unified Computing umbrella, but only big companies are deploying the whole thing; once it's installed a lot of it becomes GUI-based administration. We have the full Cisco setup, but we're a Fortune 500 company and levy Cisco heavily for our setups so we have a scapegoat when there are failures. The brokerage I worked for in Manhattan was only doing ESXi servers trunked to the core, which is the same concept but without the FIC and no GUI to manage the switch portion of it.

# ? Apr 19, 2014 14:41

adorai posted: I have about 50 of them running on my production network, they are great. While the vyatta documentation has more or less vanished from the internet, there is a lot of documentation on UBNT's website, the vyos wiki, and google cache. Plus the community is pretty good.

Interesting, I'll have to check those places out then. Has anybody put one through the wringer yet and verified the 1Mpps claim? I think as long as I can get something able to push 168kpps with NAT and ACLs, I can max that fiber line for large uploads/downloads. Realistically, the only time a residential connection would push 1Gbps for more than a few seconds is on a large transfer, and the payload size should be pretty drat close to 1460 at that point, rather than the 64 bytes used in all the PPS measurements.

Dilbert As gently caress posted: Is UCS, Nexus, and SAN management really that desired?

Mostly in large corporate IT environments, but it is indeed becoming a thing. My place of employment is trying out the converged concept in our latest DC expansion.

Cenodoxus fucked around with this message at 16:46 on Apr 19, 2014

# ? Apr 19, 2014 16:43

Dilbert As gently caress posted: Is UCS, Nexus, and SAN management really that desired?

Managing UCS is somewhat different from managing most other blade platforms. If you just dive right in without knowing what you're doing you can make a real mess of things. Nothing regarding network management and SAN management can really be considered common sense.

# ? Apr 19, 2014 19:56

Seconding this. Have about 80 cabinets in it now. We use Metasolv for our circuit inventory (a few thousand circuits). It's expensive and requires a stupid hard client. Don't know much more about it than that because dealing with circuits is for the NOC/provisioning.

# ? Apr 19, 2014 21:51

Dilbert As gently caress posted: Is UCS, Nexus, and SAN management really that desired?

I know of at least one F500 who's been looking for a qualified Nexus person in the right market for over a year. UCSes were pretty poo poo in their first iteration, but it's still desirable. It's not common knowledge because convergence doesn't play into very large datacenters and it doesn't play into very small datacenters. It takes an environment large enough to want a SAN and VMware infrastructure, but small enough that there's not a VMware team, storage team, and network team playing ball asking why some guy is managing all that stuff instead of them. If you have spare time when you're in AZ, lemme know.

# ? Apr 19, 2014 23:13

evol262 posted: It takes an environment large enough to want a SAN and VMware infrastructure, but small enough that there's not a VMware team, storage team, and network team playing ball asking why some guy is managing all that stuff instead of them.

A lot of large organizations are building teams that have cross-domain expertise because the traditional silos aren't working for them anymore. That said, you can keep the UCS entirely in a server team if you wanted; you just need to make sure you don't do something stupid with policies or your various templates and pools. They're actually pretty popular in the F500.

# ? Apr 20, 2014 00:56

1000101 posted: A lot of large organizations are building teams that have cross-domain expertise because the traditional silos aren't working for them anymore. That said you can keep the UCS entirely in a server team if you wanted you just need to make sure you don't do something stupid with policies or your various templates and pools.

I'm actually doing a large amount of bouncing back and forth between teams right now; the director of networking was shocked to hear I had a DCUCI. I will clarify what I meant by common knowledge: "I thought for shops who bought full nexus/UCS setups...etc"

evol262 posted:

# ? Apr 20, 2014 01:06

1000101 posted: A lot of large organizations are building teams that have cross-domain expertise because the traditional silos aren't working for them anymore.

I've personally found this to be a process very much in transition, but it's happening, sure. Then again, my experience with teams that have cross-domain expertise is "we're taking down the siloing by role and siloing by department instead", but that's sort of progress.

# ? Apr 20, 2014 02:59

Anyone familiar with some kind of spreadsheet/table program that lets multiple people open and edit at the same time? Think like Google Docs, except not hosted on the internet. Need a better app to carry our IP spreadsheet, since the sheet has to be fairly particular and full of colors. 4 network engineers and we keep stepping on each other's toes/leaving the document open and locked/being lazy about updating immediately (naturally). I'm sure this has come up somewhere in the past 293 pages, but vvv - We have 7 networks all sitting on the same private network range, logically separate, and the same IP ranges don't always map to the same location. Also, we identify the networks by colors. That's an incredibly important aspect of it and needs to be seriously in your face so you know which data network you're dealing with.

Slickdrac fucked around with this message at 18:23 on Apr 21, 2014

# ? Apr 21, 2014 17:53

There's plenty of dedicated IPAM tools you can host yourself that might work better than a spreadsheet. Things like Netdot or the venerable IPPlan.

# ? Apr 21, 2014 18:02

Slickdrac posted: Anyone familiar with some kind of spreadsheet/table program that lets multiple people open and edit at the same time? Think like Google Docs, except not hosted on the internet.

Any version of Excel since 2003/7 will let you do this, it's called a Shared Workbook. You can also do it in SharePoint if you'd like to host it locally.

# ? Apr 21, 2014 21:48

Nebulis01 posted: Any version of Excel since 2003/7 will let you do this, it's called a Shared Workbook, you can also do it in Sharepoint if you'd like to host it locally.

Yeah, found that about 10 minutes after posting. Thanks.

# ? Apr 21, 2014 22:09

Slickdrac posted: Anyone familiar with some kind of spreadsheet/table program that lets multiple people open and edit at the same time? Think like Google Docs, except not hosted on the internet.

I used to use a SharePoint list, which worked okay (until someone deletes a row...). Now I just use this: http://phpipam.net which works fairly well for the most part.

# ? Apr 21, 2014 22:40

All IPAM solutions suck. Some are just worse than others. I found netdot to be interesting, my org currently uses ipplan even though it too sucks.

# ? Apr 21, 2014 23:18

We swapped to phpIPAM from GestioIP and the transition has been interesting since phpIPAM doesn't yet allow for importing of IP subnets, only specific hosts within a created IP subnet. Other than that, the software seems much better and the AD integration is nicer.

# ? Apr 22, 2014 13:06

H.R. Paperstacks posted: We swapped to phpIPAM from GestioIP and the transition has been interesting since phpIPAM doesn't yet allow for importing of IP subnets, only specific hosts within a created IP subnet. Other than that, the software seems much better and the AD integration is nicer.

One of the things I like about it is the self-service IP request.

# ? Apr 22, 2014 17:14

H.R. Paperstacks posted: We swapped to phpIPAM from GestioIP and the transition has been interesting since phpIPAM doesn't yet allow for importing of IP subnets, only specific hosts within a created IP subnet. Other than that, the software seems much better and the AD integration is nicer.

Using GestioIP here as well, no complaints.

# ? Apr 23, 2014 00:11

Are Palo Altos still considered good for NGFW? I found some old posts from this thread and everything I read looked positive. We've just about had it with our Check Point firewalls. I just found out the other day that our firewalls are susceptible to a simple SYN attack with hping3. According to Check Point support, enabling the SYN attack IPS protection is so detrimental to firewall performance it is better to leave it off.

# ? Apr 23, 2014 00:28

Not sure, when I evaluated their lower end kit I found it lacking a few things I wanted, like good/complete VLAN subinterface/trunking support etc. Ended up going with FortiGate, which are pretty capable routing wise, and also a kickass NGFW or whatever the current buzzwords are. Have deployed 50+ over the last year or two, good times.

# ? Apr 23, 2014 02:08

Bluecobra posted: Are Palo Altos still considered good for NGFW? I found some old posts from this thread and everything I read looked positive. We've just about had it with our Check Point firewalls. I just found out the other day that our firewalls are susceptible to a simple SYN attack with hping3. According to Check Point support, enabling the SYN attack IPS protection is so detrimental to firewall performance it is better to leave it off.

You really should read: http://pastebin.com/fqg1eDnC and https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk86721

# ? Apr 23, 2014 16:51

BurgerQuest posted: Not sure, when I evaluated their lower end kit I found it lacking a few things I wanted, like good/complete VLAN subinterface/trunking support etc. Ended up going with FortiGate, which are pretty capable routing wise, and also a kickass NGFW or whatever the current buzzwords are. Have deployed 50+ over the last year or two, good times.

# ? Apr 24, 2014 02:09

Getting to love my Fortigates too, but I loathe the CLI. Then again, I'm so comfortable with the Cisco CLI that everything else feels weird, so I dunno. The only other knock I have against them is that I work for an MSP that deploys a lot of the SMB Fortigates (60's, etc) and we see a pretty high failure rate on the storage components. They have a really good support turnaround so it's not a huge issue, but I've probably RMA'd 7 or 8 in the last six or seven months.

# ? Apr 24, 2014 02:37

If you have $$$ Crypton's Easy-IP is pretty decent for IPAM.

# ? Apr 24, 2014 07:02

Martytoof posted: Getting to love my Fortigates too, but I loathe the CLI. Then again, I'm so comfortable with the Cisco CLI that everything else feels weird so I dunno

You'll get used to the CLI, I jump between IOS and FortiOS CLI most days. Both could be a lot better; I'm glad they're not worse. And we've also seen maybe 3-4 failures in the storage in the 60C devices.

# ? Apr 24, 2014 08:39

ior posted: You really should read:

I have already read all of that, but CP support recommends not enabling the SYN Attack IPS protection because it is considered a "critical" performance hit. We already have the firewall, app/URL filtering, IPS, and threat protection blades enabled. The appliances we have just have a Core 2 Quad processor with 8GB of memory. Sure, I can dump these appliances (which are supposed to work) and get a beefy 16 core server, but I think that NGFWs that have hardware acceleration are the way to go. I'll take a look at Fortigate too, thanks guys.

# ? Apr 24, 2014 12:50

This may not end up being Cisco related, but I'm hoping someone here might have some ideas: We just bought a whole bunch of HP 6305s with Broadcom BCM5761 onboard NICs. We use port security here and pretty much all of these machines are periodically locking out ports with an unknown MAC address 00:23:34:1d:90:00. Google suggests this MAC should belong to a Cisco device, but we're not sure where it's coming from or why it's only showing up on/locking ports with this particular HP model. Unfortunately, being contractors, we have limited access to the Air Force's switches to troubleshoot and we've been trying for months, from when we saw the problem with our first couple of these machines, to get them to help with the issue and have gotten nowhere. We've tried updating drivers/firmware updates/BIOS flashing, we've tried using a second Intel NIC and it has the same problem. Because this is Air Force these are kind of the only machines we're going to be getting for awhile and we've got like 150 about to come in. We're all kind of stumped here so I'm hoping maybe you guys have some ideas about what's going on.

# ? Apr 24, 2014 20:52

Assuming it's not a phone or something else obvious, I would, I guess, suggest sniffing the traffic from the machine in an attempt to identify what it is or where it would be coming in, what the nature of the traffic with that MAC on it is, which way it's going, etc. Since you know that the port security violation only occurs when it sees a MAC that's on another port (spoofing/looping/bridging), a MAC that's not explicitly allowed, or too many MACs, and yet it occurred again with multiple NICs, it leads me to believe there is some sort of goofy software thing going on, so maybe by identifying what type of traffic that is you can narrow down to what software would interact with it. I've never seen this happen without someone intentionally bridging the voice VLAN back into the access VLAN, bridging to wireless, or they have some sort of lovely "Level 4" patch cable from an old ISDN phone they plugged in. I've seen plenty of things flood out the MAC table for whatever reason but not spoof the router's address. There's also some sort of Microsoft network load balancing that causes traffic to multicast destinations to wheel all over the network but that sets off storm control and not port security IIRC.

# ? Apr 24, 2014 21:56

I have to take CIPT 1 tomorrow and pass in order to preserve my sacred CCNA (OG CCNA, not R/S). Shame on me for waiting this late, but drat, the retake policy sucks. I know my material pretty well regarding actually doing the content of the things that are in the exam, yet it's a goal of these to nitpick little bits of information out of you that you would just look up, read the help file, or not be able to do at all because they're giving you a fictitious answer. I feel like I'm back in college again.

# ? Apr 24, 2014 21:58

Fellatio del Toro posted: This may not end up being Cisco related, but I'm hoping someone here might have some ideas:

Could be a lot of different things, but probably check your teaming configuration and/or shut down all the redundant ports so the servers are running on a single NIC each. Also get the network guys to do a show arp for that MAC address and see what you get. I assume of course that when you say you are using port security you mean the switches that the HPs are connected to are using it.

# ? Apr 25, 2014 06:40

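As an added illustration (not posted by anyone in this thread), the "sniff it and work out where it's coming from" advice above can be paired with the switch side of the evidence: Cisco IOS logs each lockout as a %PORT_SECURITY-2-PSECURE_VIOLATION message naming the offending MAC and port, so one MAC tripping many different ports is the signature of spoofing, bridging or software on every host rather than a single rogue device. The log lines below are constructed samples reusing the MAC from the post, not real captures:

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in Cisco IOS port-security format; the
# first three reuse the MAC from the post, the fourth is a one-off, the
# last is unrelated noise that the parser must ignore.
SAMPLE_LOG = """\
Apr 24 10:01:02 sw-a 1234: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0023.341d.9000 on port GigabitEthernet1/0/5.
Apr 24 10:03:17 sw-a 1235: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0023.341d.9000 on port GigabitEthernet1/0/12.
Apr 24 10:04:40 sw-b 0871: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0023.341d.9000 on port GigabitEthernet2/0/3.
Apr 24 10:09:55 sw-b 0872: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001a.2b3c.4d5e on port GigabitEthernet2/0/7.
Apr 24 10:10:01 sw-b 0873: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*?MAC address "
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (\S+?)\.?$",
    re.IGNORECASE,
)

def normalize_mac(dotted):
    """Turn Cisco's 0023.341d.9000 into the colon form 00:23:34:1d:90:00."""
    raw = dotted.replace(".", "").lower()
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))

def violations_by_mac(log_text):
    """Map each offending MAC to the set of (switch, port) that reported it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if not m:
            continue                  # not a port-security violation
        switch = line.split()[3]      # hostname field after the timestamp
        seen[normalize_mac(m.group(1))].add((switch, m.group(2)))
    return dict(seen)

def roaming_macs(log_text, min_ports=2):
    """MACs that tripped port security on at least min_ports distinct ports.

    A real host lives on one port; a MAC violating all over the fabric is
    being spoofed, bridged, or emitted by software on many machines, which
    is exactly the pattern the post describes.
    """
    return sorted(mac for mac, ports in violations_by_mac(log_text).items()
                  if len(ports) >= min_ports)

if __name__ == "__main__":
    for mac in roaming_macs(SAMPLE_LOG):
        print(mac, sorted(violations_by_mac(SAMPLE_LOG)[mac]))
```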
This is a really dumb question but it wasn't covered very well in my networking classes. I have been tasked with making cables at work to connect a computer (actually a networkable toolbox) to a switch. Just a simple straight-through wiring on Cat5 with an RJ45 connector. The only problem is, if I google the wiring for this I have found several different wiring patterns. Ultimately, as long as they are the same on both ends I know it will work out fine, but I am confused as to what the current "standard" is for straight-through wiring. In my classes we spent one day making cables and were handed diagrams for straight, cross, and rolled. Made them, tested them, end of lesson. Again, this is somewhat of an embarrassing question, though the physical layer in my experience rarely gets much attention other than hardware replacement and encoding techniques, compared to the link, network, and transport layers.

# ? Apr 25, 2014 12:13

Most installations I've seen use 568B.

# ? Apr 25, 2014 14:10

jiffypop45 posted: This is a really dumb question but it wasnt covered very well in my networking classes. I have been tasked with making cables at work to connect a computer (actually a networkable toolbox) to a switch.

That's TIA-568A (green pair first) versus TIA-568B (orange pair first). You're correct that they're interchangeable and it doesn't matter how you arrange them when you're crimping both ends of a cable. Just make sure you do it the same at both ends. It's only really important when you're building out structured cabling, because if your contractors did 568B for the wall jacks in each office and you're doing 568A at the patch panel in the network closet, you're going to have a bad day. For this reason most wall jacks and patch panels specify what you should use. I can't remember what the consensus is, though.

Cenodoxus fucked around with this message at 17:08 on Apr 25, 2014

# ? Apr 25, 2014 17:05

I always use TIA-568B. For whatever reason it really bothers me when I come across 568A stuff.

# ? Apr 25, 2014 17:11

Moey posted: I always use TIA-568B. For whatever reason it really bothers me when I come across 568A stuff.

Depends, sometimes customers stipulate in their requirements docs. Typically I see B though.

# ? Apr 25, 2014 17:37

Yup B. I don't know the historical reason for the difference though.

# ? Apr 25, 2014 18:39

ANSI/TIA/EIA-568-B "Commercial Building Telecommunications Cabling Standard" lists both wiring configurations. T568B is the most prevalent for commercial installations, and was used by AT&T for the original Merlin phone systems. ANSI/TIA/EIA-570-B "Residential Telecommunications Cabling Standards" recommends T568A.

# ? Apr 25, 2014 20:00

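An added example, not from any poster in this thread: a small checker that classifies a patch cable from the colour order read off each RJ45 plug. It encodes the T568A (green pair first) and T568B (orange pair first) pinouts discussed above, rejects split pairs (a twisted pair not landing on a valid pin pair), and reports that matching ends are straight-through while an A end plus a B end is a 10/100 crossover, since the two standards differ only in swapping the green and orange pairs (pins 1/2 with 3/6).

```python
# Pin 1..8 conductor colours for the two TIA-568 terminations.
T568A = ("white-green", "green", "white-orange", "blue",
         "white-blue", "orange", "white-brown", "brown")
T568B = ("white-orange", "orange", "white-green", "blue",
         "white-blue", "green", "white-brown", "brown")

# A twisted pair must land on one of these pin pairs or its twist is lost.
PAIR_PINS = ((1, 2), (3, 6), (4, 5), (7, 8))

def pair_name(colour):
    """'white-green' and 'green' both belong to the green pair."""
    return colour.split("-")[-1]

def split_pairs(end):
    """Return the pin pairs whose two conductors are not from the same pair."""
    return [(a, b) for a, b in PAIR_PINS
            if pair_name(end[a - 1]) != pair_name(end[b - 1])]

def identify_end(end):
    """Name the standard an end follows, or None if it is neither."""
    end = tuple(end)
    return "T568A" if end == T568A else "T568B" if end == T568B else None

def classify_cable(end1, end2):
    """Classify a cable from the colour order seen at each RJ45 plug."""
    for label, end in (("end 1", end1), ("end 2", end2)):
        if len(end) != 8:
            return f"fault: {label} has {len(end)} conductors, expected 8"
        bad = split_pairs(end)
        if bad:
            return f"fault: split pair on pins {bad[0]} at {label}"
    s1, s2 = identify_end(end1), identify_end(end2)
    if s1 is None or s2 is None:
        return "fault: non-standard pinout (pairs intact but not 568A/B)"
    if s1 == s2:
        return f"straight-through ({s1} both ends)"
    # A on one end and B on the other swaps the green and orange pairs,
    # i.e. pins 1/2 with 3/6: a 10/100 crossover (gigabit crossover
    # additionally swaps 4/5 with 7/8, which neither standard does).
    return "crossover (T568A/T568B)"

if __name__ == "__main__":
    print(classify_cable(T568B, T568B))
    print(classify_cable(T568A, T568B))
```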