Judge Schnoopy
Nov 2, 2005

dont even TRY it, pal

Zaepho posted:

Why.. WHY DEAR GOD?? :suicide: DNS exists for a goddamn reason.

:ssh: Kaspersky and our remote management don't give a poo poo, we use the IP address for discovery when setting up new machines. The software resolves the machine name and uses that for literally everything else. Senior admin doesn't understand this.

DNS is one of the cleanly configured services on the network. Group policy is currently being hammered out since my manager gave me blanket approval to do what I need to do after pointing out three conflicting policies that still weren't applying correctly.


Sickening
Jul 16, 2007

Black summer was the best summer.

Judge Schnoopy posted:

DHCP isn't switch security though. And it's not actually a security measure, it's just that the network has always been running without it and nobody wants to approve setting it up. My senior admin actually thinks it will break Kaspersky and our remote management tools because everything has been coded in as IP addresses. He's wrong but convincing him is futile.

It has the side benefit of making it that much more difficult for rogue devices to get on the network, and we don't have to deal with sticky mac addresses or 802.1x or disabling ports.

If a senior admin doesn't know about reservation in DHCP he/she should be drawn and quartered.

KillHour
Oct 28, 2007


I know I'm going to get poo poo for bringing this up again, but I'm so glad my new job doesn't involve a production environment. I'm going to live in my own little world of make believe and it's going to be perfect.

Ugato
Apr 9, 2009

We're not?
This can only end well. Either you succeed or your delusion makes the fall even more grand.

KillHour
Oct 28, 2007


If I make it to August and my unemployment resets, I'll be in a better position than I am now. Success has a low bar.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

Judge Schnoopy posted:

:ssh: Kaspersky and our remote management don't give a poo poo, we use the IP address for discovery when setting up new machines. The software resolves the machine name and uses that for literally everything else. Senior admin doesn't understand this.

DNS is one of the cleanly configured services on the network. Group policy is currently being hammered out since my manager gave me blanket approval to do what I need to do after pointing out three conflicting policies that still weren't applying correctly.
what the gently caress. Turn on active directory discovery and kill your senior admin. Kaspersky is great and you guys are doing dumb poo poo.

edit: print this post and tape it to his monitor.

abigserve
Sep 13, 2009

this is a better avatar than what I had before
DHCP reservations, dynamic ARP inspection, DHCP snooping and source guard are the way to go if you REALLY want to keep unauthorized machines off your network. You could also do port security with static MAC addresses but then it's getting too full on.

In general though physical security can go really full on and you don't want to jump on that train unless you absolutely have to. Fun fact: if you want to build a classified network, every single network connection has to be via fibre (as in, right to the desktop), every conduit has to be see-through and the switches must be secured within a class C rack, within a locked room, within a locked building.

crunk dork
Jan 15, 2006
Can't wait until I'm smart enough to argue with you guys about stuff

KillHour
Oct 28, 2007


crunk dork posted:

Can't wait until I'm smart enough to argue with you guys about stuff

This is the internet. You can argue with us about things you don't know anything about!

Kashuno
Oct 9, 2012

Where the hell is my SWORD?
Grimey Drawer

Judge Schnoopy posted:

DHCP isn't switch security though. And it's not actually a security measure, it's just that the network has always been running without it and nobody wants to approve setting it up. My senior admin actually thinks it will break Kaspersky and our remote management tools because everything has been coded in as IP addresses. He's wrong but convincing him is futile.

It has the side benefit of making it that much more difficult for rogue devices to get on the network, and we don't have to deal with sticky mac addresses or 802.1x or disabling ports.


Judge Schnoopy posted:

:ssh: Kaspersky and our remote management don't give a poo poo, we use the IP address for discovery when setting up new machines. The software resolves the machine name and uses that for literally everything else. Senior admin doesn't understand this.

DNS is one of the cleanly configured services on the network. Group policy is currently being hammered out since my manager gave me blanket approval to do what I need to do after pointing out three conflicting policies that still weren't applying correctly.

:stare:

This senior admin is actually so ignorant it's impressive!

crunk dork
Jan 15, 2006

KillHour posted:

This is the internet. You can argue with us about things you don't know anything about!

It's kind of cool to see different methods or viewpoints on how to best configure things. Helps me get a little practical insight into all this conceptual knowledge I've been gathering this past year and a half or so.

Judge Schnoopy
Nov 2, 2005

dont even TRY it, pal

Kashuno posted:

:stare:

This senior admin is actually so ignorant it's impressive!

When I started I came up with a comprehensive plan to implement separate vlans for user data and servers. Senior admin disagreed that I would need to touch every machine on the user network and change the IP addresses.

:grin: servers are all segmented within this range, you can spin that to its own vlan and you're done
:eng99: subnet addresses and gateways will change for any computer we migrate to a new network. If we push the user computers to a completely new network we won't have to reconfigure any server networking. I don't want to mess with server networking.
:grin: but you can just tell the core switch that the computer ips belong to the new vlan and tag the switch ports. That's it. You don't need to touch computers.

I promptly dropped the project because I wanted nothing to do with taking the network down and this guy wasn't listening.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer
You would have had to touch either the PCs or the servers to put them on different subnets. But it would have been worthwhile.

Judge Schnoopy
Nov 2, 2005

dont even TRY it, pal
And if DHCP was in place I wouldn't have to touch anything! But that's so far outside the realm of discussion, even if I were to section off user PCs to their own VLAN and add reservations for all statically assigned PCs (so effectively nothing would change) I still likely wouldn't get approval to implement DHCP on that VLAN.

I have no idea what this network looked like 6 years ago but apparently they were on Novell (and had no idea how to administer it) so they're afraid of letting the Windows domain do their work for them. It was manual before, so let's keep it manual now because we aren't having issues now that we're a mile deep in the rabbit hole!

BaseballPCHiker
Jan 16, 2006

Judge Schnoopy posted:

And if DHCP was in place I wouldn't have to touch anything! But that's so far outside the realm of discussion, even if I were to section off user PCs to their own VLAN and add reservations for all statically assigned PCs (so effectively nothing would change) I still likely wouldn't get approval to implement DHCP on that VLAN.

I have no idea what this network looked like 6 years ago but apparently they were on Novell (and had no idea how to administer it) so they're afraid of letting the Windows domain do their work for them. It was manual before, so let's keep it manual now because we aren't having issues now that we're a mile deep in the rabbit hole!

I have never understood old curmudgeon neckbeard IT types and their paranoia of DHCP. Why make so much stupid extra work for yourself? If someone is skilled enough to get access to the rest of your network do you think them not knowing an IP range right off the bat is going to stop them?

BaseballPCHiker fucked around with this message at 16:14 on Feb 19, 2016

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

Maybe y'all can teach me something. We have workstations on one VLAN and printers on another. If a user wants to move a printer, I have to manually go into the switch and

config t
int gi0/24
switchport access vlan 110
description sales_printer

Are you saying there is a better way?

KillHour
Oct 28, 2007


BaseballPCHiker posted:

I have never understood old curmudgeon neckbeard IT types and their paranoia of DHCP. Why make so much stupid extra work for yourself? If someone is skilled enough to get access to the rest of your network do you think them not knowing an IP range right off the bat is going to stop them?

DHCP can actually be really useful after an attack for forensics. You have logs of every lease out there, and when they were handed out.
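
As an added illustration of the forensic use KillHour describes (this is not code from the thread), the script below answers "which device held this IP at time T?" from DHCP server logs. It assumes syslog lines in the style of ISC dhcpd; the sample lines, hostnames and addresses are constructed, and because syslog timestamps carry no year the query time supplies it.

```python
"""Answer "which device held IP X at time T?" from DHCP server logs.

Added example (not from the thread). Assumes syslog lines in the style of
ISC dhcpd; the sample lines, hosts and addresses below are constructed.
"""
import re
from datetime import datetime

# Constructed sample log: one workstation releases .57, then an unknown MAC takes it.
SAMPLE_LOG = """\
Feb 19 08:02:11 dhcp1 dhcpd[2211]: DHCPACK on 10.1.20.57 to 00:11:22:33:44:55 (WS-SALES-12) via eth0
Feb 19 08:40:03 dhcp1 dhcpd[2211]: DHCPACK on 10.1.20.58 to 00:11:22:33:44:66 (WS-SALES-13) via eth0
Feb 19 12:15:40 dhcp1 dhcpd[2211]: DHCPRELEASE of 10.1.20.57 from 00:11:22:33:44:55 (WS-SALES-12) via eth0 (found)
Feb 19 12:20:05 dhcp1 dhcpd[2211]: DHCPACK on 10.1.20.57 to aa:bb:cc:dd:ee:ff via eth0
Feb 19 14:00:00 dhcp1 dhcpd[2211]: DHCPACK on 10.1.20.58 to 00:11:22:33:44:66 (WS-SALES-13) via eth0
"""

TS = r"(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd\[\d+\]: "
ACK_RE = re.compile(TS + r"DHCPACK on (?P<ip>[\d.]+) to (?P<mac>[0-9a-f:]{17})(?: \((?P<host>[^)]*)\))?")
REL_RE = re.compile(TS + r"DHCPRELEASE of (?P<ip>[\d.]+) from (?P<mac>[0-9a-f:]{17})")


def parse_ts(ts, year):
    # syslog timestamps carry no year, so the caller supplies it
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def parse_events(log_text, year):
    """[(datetime, ip, mac_or_None, hostname_or_None)] in time order.
    DHCPACK records a new or renewed lease; DHCPRELEASE clears it. DISCOVER/OFFER/
    REQUEST/NAK lines do not change who holds an address, so they are skipped."""
    events = []
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if m:
            events.append((parse_ts(m["ts"], year), m["ip"], m["mac"], m["host"]))
            continue
        m = REL_RE.match(line)
        if m:
            events.append((parse_ts(m["ts"], year), m["ip"], None, None))
    events.sort(key=lambda e: e[0])  # stable sort keeps log order for equal timestamps
    return events


def lease_timeline(log_text, ip, year):
    """Every change of holder for one address, for an incident timeline."""
    return [(ts, mac, host) for ts, ev_ip, mac, host in parse_events(log_text, year)
            if ev_ip == ip]


def holder_at(log_text, ip, when_iso):
    """(mac, hostname) that held `ip` at `when_iso` ("YYYY-MM-DD HH:MM:SS"),
    or None if it was unleased or released. The year comes from the query time."""
    when = datetime.fromisoformat(when_iso)
    holder = None
    for ts, mac, host in lease_timeline(log_text, ip, when.year):
        if ts > when:
            break
        holder = (mac, host) if mac else None
    return holder


if __name__ == "__main__":
    print(holder_at(SAMPLE_LOG, "10.1.20.57", "2016-02-19 09:00:00"))  # the workstation
    print(holder_at(SAMPLE_LOG, "10.1.20.57", "2016-02-19 13:00:00"))  # the unknown MAC, no hostname
```

Renewals show up as repeated DHCPACKs for the same MAC, so the timeline for a quiet address is mostly the same pair; the interesting entries are releases and ACKs to a MAC you do not recognise.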

Collateral Damage
Jun 13, 2009

BaseballPCHiker posted:

I have never understood old curmudgeon neckbeard IT types and their paranoia of DHCP. Why make so much stupid extra work for yourself? If someone is skilled enough to get access to the rest of your network do you think them not knowing an IP range right off the bat is going to stop them?
It's the same thinking that leads to people setting static speed/duplex on switch ports. Once upon a time thirty years ago there were rare issues with poor implementations and since then it's "common knowledge" that autonegotiate is unreliable and you should always set static speed/duplex.

GnarlyCharlie4u
Sep 23, 2007

I have an unhealthy obsession with motorcycles.

Proof

crunk dork posted:

Can't wait until I'm smart enough to argue with you guys about stuff

Never stopped me before.

Collateral Damage posted:

It's the same thinking that leads to people setting static speed/duplex on switch ports. Once upon a time thirty years ago there were rare issues with poor implementations and since then it's "common knowledge" that autonegotiate is unreliable and you should always set static speed/duplex.

As a practice, I'd say you're right. But I've had recent issues with auto negotiation that forced me to set port speeds.
It's still a thing you need to keep in the back of your mind.

GnarlyCharlie4u fucked around with this message at 16:28 on Feb 19, 2016

single-mode fiber
Dec 30, 2012

GreenNight posted:

Maybe y'all can teach me something. We have workstations on one VLAN and printers on another. If a user wants to move a printer, I have to manually go into the switch and

config t
int gi0/24
switchport access vlan 110
description sales_printer

Are you saying there is a better way?

If you know the MAC addresses of all your printers and can set up a RADIUS server, you could do dynamic VLAN assignment based on MAB. Of course, if you can do that you're halfway to deploying 802.1x anyway. If you're in a large environment where it's worth the cost, an ISE appliance can greatly help streamline this.

Sickening
Jul 16, 2007

Black summer was the best summer.

Collateral Damage posted:

It's the same thinking that leads to people setting static speed/duplex on switch ports. Once upon a time thirty years ago there were rare issues with poor implementations and since then it's "common knowledge" that autonegotiate is unreliable and you should always set static speed/duplex.

Very little in your environment needs to be static anything. Servers, clients, and basically everything else that isn't a networking switch/firewall/router doesn't need a static IP address assigned at the device. Let DHCP leases and proper use of DNS get the job done. That way things are centrally managed.

I remember talking about a project where I was creating a new VLAN and subnet range and my boss asking why I wasn't using an excluded range in my subnet. The thought of having a DHCP scope without excluded addresses terrified him. When I told him that my plan was to simply reserve whatever IP address was leased to the device if we had a reason for the IP to not change, it almost seemed to make him panic.

What if we have a conflict?
What if the DHCP server goes down?
Won't the leased addresses be out of order?

It took the grand majority of our meeting explaining that yes, in the year of our lord 2015, DHCP wasn't this unreliable monster he remembered from the 90's. That so much time and effort can be saved by simply centrally managing IPs.

GnarlyCharlie4u posted:

As a practice, I'd say you're right. But I've had recent issues with auto negotiation that forced me to set port speeds.
It's still a thing you need to keep in the back of your mind.

It's a thing you need to remember for troubleshooting a bad link. Had a cheap thermostat from China that had this same issue about 6 months ago. Still worth the time to not worry about trying to configure anything outside of auto negotiation as your standard config.

Sickening fucked around with this message at 16:35 on Feb 19, 2016

Dr. Arbitrary
Mar 15, 2006

Bleak Gremlin

crunk dork posted:

Can't wait until I'm smart enough to argue with you guys about stuff

Just keep at it and you'll be up to speed in no time. Feel free to argue, it's a good way to learn, and sometimes you speak up and say "I think X is a good solution" and some other person who is an expert will say something like "Well... I personally would do Y, but X will work fine, it's a little simpler, and when you eventually bump up against the limits of X, it won't be too difficult to switch over to Y."

And then like three other people agree, and you feel like a genius.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

single-mode fiber posted:

If you know the MAC addresses of all your printers and can set up a RADIUS server, you could do dynamic VLAN assignment based on MAB. Of course, if you can do that you're halfway to deploying 802.1x anyway. If you're in a large environment where it's worth the cost, an ISE appliance can greatly help streamline this.

Yeah we lease our printers, which are actually just big copiers. So the company comes in and replaces, services, etc them at their leisure. IT is never involved unless they get moved.

I know jack about 802.1x or ISE so I may have to look into that.

We do have a RADIUS server already. We use it so my AD login can log in to our switches along with auto wireless authentication for end users.

GnarlyCharlie4u
Sep 23, 2007

I have an unhealthy obsession with motorcycles.

Proof

Sickening posted:

It's a thing you need to remember for troubleshooting a bad link. Had a cheap thermostat from China that had this same issue about 6 months ago. Still worth the time to not worry about trying to configure anything outside of auto negotiation as your standard config.

Exactly. I can't see what sort of masochist would even consider having to force speeds/duplex on every single port on a switch.

H110Hawk
Dec 28, 2006

GreenNight posted:

Yeah we lease our printers, which are actually just big copiers. So the company comes in and replaces, services, etc them at their leisure. IT is never involved unless they get moved.

I know jack about 802.1x or ISE so I may have to look into that.

We do have a RADIUS server already. We use it so my AD login can log in to our switches along with auto wireless authentication for end users.

Make your printer leasing company give you the MAC addresses in a CSV, process the changes using port security, and then let them install to their heart's content. Even better, give them a little portal that accepts a MAC and port label (right off the wall) and lets them update it themselves.
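
Added example, not from the thread or any vendor product, tying together single-mode fiber's MAB dynamic VLAN assignment and H110Hawk's vendor-supplied MAC list: it normalizes the MAC formats vendors actually send, loads the inventory (rejecting malformed rows rather than dropping them), and decides the VLAN attributes a RADIUS server would hand back for a MAB request. The CSV columns and VLAN 999 as a restricted VLAN for unknown devices are assumptions; VLAN 110 is GreenNight's printer VLAN.

```python
"""MAB-style dynamic VLAN assignment driven by a printer-vendor MAC inventory.

Added example, not from the thread or any vendor product. Assumptions:
the leasing company sends a CSV with mac,port_label,model columns (constructed
below); the switch does MAC Authentication Bypass and sends the MAC as the
RADIUS User-Name; VLAN 999 is a restricted VLAN for anything unknown.
"""
import csv
import io
import re

PRINTER_VLAN = "110"     # the thread's "switchport access vlan 110"
QUARANTINE_VLAN = "999"  # assumed restricted VLAN for unknown MACs

# Constructed inventory; the MACs deliberately use the separators vendors actually send.
VENDOR_CSV = """\
mac,port_label,model
00:11:22:AA:BB:01,SALES-2F-07,Copier X
00-11-22-aa-bb-02,HR-1F-03,Copier X
0011.22aa.bb03,ACCT-3F-11,Copier Y
not-a-mac,LOBBY-01,Copier Y
"""


def normalize_mac(raw):
    """Canonical lower-case colon form, or None when the value is not 12 hex digits."""
    digits = re.sub(r"[:\-.\s]", "", raw)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_inventory(csv_text):
    """mac -> (port_label, model). Rows with malformed MACs are returned separately
    so they can be bounced back to the vendor instead of silently dropped."""
    inventory, rejected = {}, []
    for row in csv.DictReader(io.StringIO(csv_text)):
        mac = normalize_mac(row["mac"])
        if mac is None:
            rejected.append(row)
        else:
            inventory[mac] = (row["port_label"], row["model"])
    return inventory, rejected


def mab_authorize(user_name, inventory):
    """RADIUS reply attributes for a MAB request whose User-Name is the client MAC.
    A known printer gets the printer VLAN; anything else lands in quarantine. The
    three Tunnel-* attributes are the RFC 3580 set switches read for VLAN assignment."""
    mac = normalize_mac(user_name)
    known = mac is not None and mac in inventory
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": PRINTER_VLAN if known else QUARANTINE_VLAN,
        # wall-jack label from the vendor sheet, for cross-checking against the switch port
        "port_label": inventory[mac][0] if known else None,
    }


if __name__ == "__main__":
    inv, bad = load_inventory(VENDOR_CSV)
    print(mab_authorize("0011.22aa.bb03", inv))
    print("rows needing vendor follow-up:", bad)
```

The same inventory is what a self-service portal would write to, and the port_label field is what lets you check the vendor's claimed jack against the port the switch actually reports the MAC on.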

psydude
Apr 1, 2008

JFC, instructor led courses are so obnoxious sometimes. Finish the loving labs so we can move on, people.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

H110Hawk posted:

Make your printer leasing company give you the MAC addresses in a CSV, process the changes using port security, and then let them install to their heart's content. Even better, give them a little portal that accepts a MAC and port label (right off the wall) and lets them update it themselves.

Currently don't have any port security setup. Little portal, good idea. Now how to implement.

Thanks Ants
May 21, 2004

#essereFerrari


Sickening posted:

Won't the leased addresses be out of order?

I keep trying to explain to people that the actual IP address doesn't matter, and to let DNS do its thing. If you need to authenticate stuff based on IP then make sure reverse DNS works as well.

They're going to have a poo poo-fit when everything finally moves to IPv6.

Sefal
Nov 8, 2011
Fun Shoe
I need to :yotj:
Had the performance review. The evaluation went really well. But when we were discussing a raise and a promotion, I got shut down and told we will discuss that at your next performance review, which will be in June. This was only an in-between performance review.

That has to be bullshit right?

Barracuda Bang!
Oct 21, 2008

The first rule of No Avatar Club is: you do not talk about No Avatar Club. The second rule of No Avatar Club is: you DO NOT talk about No Avatar Club
Grimey Drawer

Sefal posted:

I need to :yotj:
Had the performance review. The evaluation went really well. But when we were discussing a raise and a promotion, I got shut down and told we will discuss that at your next performance review, which will be in June. This was only an in-between performance review.

That has to be bullshit right?

In the immortal words of Robert De Niro's character in the 1998 hit film Ronin, "If there is any doubt -- there is no doubt."

Wrath of the Bitch King
May 11, 2005

Research confirms that black is a color like silver is a color, and that beyond black is clarity.
Reading these last couple pages about crazy network setups where 802.1x and NPS aren't being leveraged makes me really sad.

Don't get me wrong, 802.1x is a huge pain in the rear end, especially if you do PXE deployments, but that's why you have an NPS configuration that drops failed authentications to an incredibly limited VLAN. poo poo has changed.

Sickening posted:

If a POWER USER doesn't know about reservation in DHCP he/she should be drawn and quartered.

Fixed that for you. DHCP is ubiquitous, and if you're a power user of any kind that maintains a home network you should at least have a passing familiarity with it. I'm trying to imagine a world where a Junior SysAdmin somehow doesn't know about DHCP reservations and my brain hurts.

Wrath of the Bitch King fucked around with this message at 17:33 on Feb 19, 2016

H110Hawk
Dec 28, 2006

Wrath of the Bitch King posted:

Reading these last couple pages about crazy network setups where 802.1x and NPS aren't being leveraged makes me really sad.

Don't get me wrong, 802.1x is a huge pain in the rear end, especially if you do PXE deployments, but that's why you have an NPS configuration that drops failed authentications to an incredibly limited VLAN. poo poo has changed.

Look it worked in the 90's.

Wrath of the Bitch King
May 11, 2005

Research confirms that black is a color like silver is a color, and that beyond black is clarity.

H110Hawk posted:

Look it worked in the 90's.

I originally typed "it isn't the 90s anymore" in the post you quoted but deleted it as I didn't want to come off as too snarky. :shrug:

GnarlyCharlie4u
Sep 23, 2007

I have an unhealthy obsession with motorcycles.

Proof

Wrath of the Bitch King posted:

Reading these last couple pages about crazy network setups where 802.1x and NPS aren't being leveraged makes me really sad.

Don't get me wrong, 802.1x is a huge pain in the rear end, especially if you do PXE deployments, but that's why you have an NPS configuration that drops failed authentications to an incredibly limited VLAN. poo poo has changed.


Fixed that for you. DHCP is ubiquitous, and if you're a power user of any kind that maintains a home network you should at least have a passing familiarity with it. I'm trying to imagine a world where a Junior SysAdmin somehow doesn't know about DHCP reservations and my brain hurts.

You'll love this then: We have 1 VLAN.
That's it. Just the one.

KillHour
Oct 28, 2007


So you just have a LAN. Then.

Smuggins
Mar 14, 2008

Blasphemy! Blasphoryou! Blasphoreveryone!
Fun Shoe

Sefal posted:

I need to :yotj:
Had the performance review. The evaluation went really well. But when we were discussing a raise and a promotion, I got shut down and told we will discuss that at your next performance review, which will be in June. This was only an in-between performance review.

That has to be bullshit right?

Yep. Even if it's just a fossilized view of "we only talk once a year", that in itself is bad. But is it bad enough to eject before June?

Dr. Arbitrary
Mar 15, 2006

Bleak Gremlin

Sefal posted:

That has to be bullshit right?

Would the Sysadmin of the year bullshit you?

:yotj:

Collateral Damage
Jun 13, 2009

GnarlyCharlie4u posted:

As a practice, I'd say you're right. But I've had recent issues with auto negotiation that forced me to set port speeds.
It's still a thing you need to keep in the back of your mind.
Problems with autoneg today are almost always symptoms of a different issue, like lovely NICs or cabling issues.

Setting static speed might disguise the problem if there's not a lot of traffic over the port, but you likely still have an abnormal amount of drops.

GnarlyCharlie4u
Sep 23, 2007

I have an unhealthy obsession with motorcycles.

Proof

KillHour posted:

So you just have a LAN. Then.

haha yup.

There's a lot of terrible things here that we're pushing to fix. But government is slow, red tape is thick, boss is reluctant, etc...

You don't even want to know the condition of our AD.

Collateral Damage posted:

Problems with autoneg today are almost always symptoms of a different issue, like lovely NICs or cabling issues.

Setting static speed might disguise the problem if there's not a lot of traffic over the port, but you likely still have an abnormal amount of drops.

The cable was fine, different ports were tried on the switch, different drops in the office, etc... I thought it was the NIC on this Xerox. A Xerox tech replaced the mainboard already but that didn't fix it. Forcing full duplex/100 made it work and that's good enough for me.
gently caress printers.

Among other things I've seen similar problems with lovely Chinese security cameras before. Those were fixed with a firmware update. Except that firmware update bricked about half the cameras it applied to...

GnarlyCharlie4u fucked around with this message at 17:49 on Feb 19, 2016


H110Hawk
Dec 28, 2006

Wrath of the Bitch King posted:

I originally typed "it isn't the 90s anymore" in the post you quoted but deleted it as I didn't want to come off as too snarky. :shrug:

I deleted 3 emails this morning after deciding writing a rant to Idiot A, Idiot A's manager, or my manager would be too bitchy. But seriously, when you ask me for the third time in a thread if I am sure the problem is resolved where I have told you personally I don't believe we can even reproduce the issue.... :commissar: This started with me saying I don't have a Salesforce account, please copy out the relevant details including how to reproduce the issue, and Idiot A replying "I don't see you in salesforce but the ticket is here: https://salesforce.com/..."
