Are you implying that you are going to route 40gbps through x86? That seems ambitious. I know there are some people hitting over 100gbps, but it's very specialized and not just redhat and iptables. We use vyos for our data center routing and it works great, but nowhere near those speeds. We cap out at 3gbps or so (2 core VM).

Sep 1, 2016 22:45

Honestly I have no idea what I'm doing. I just had my rite of passage of destroying VLANs I needed and had the walk of shame to a console cable.

    interface Ethernet47
       description gateway
       switchport mode trunk allowed vlan 102 199
    localhost(config)#int eth 47
    localhost(config-if-Et47)#switchport trunk allowed vlan 1000
    gateway-1 :: ~ » packet_write_wait: Connection to 11.1.1.1: Broken pipe
    methanar$

Sep 1, 2016 23:41

Well there's yer problem right there!

Methanar posted:
    localhost(config-if-Et47)#switchport trunk allowed vlan 1000

You're looking for:

    switchport trunk allowed vlan add 1000

CrazyLittle fucked around with this message at 00:33 on Sep 2, 2016

Sep 2, 2016 00:12

Everyone does that at least once. At least the switch was within walking distance and not across town/state/country/on a tower.

Re 40gbps NAT: Google CGN? Change your design? Buy more v4 addresses?

Sep 2, 2016 00:44

Anyone ever seen someone manually load geographically based IP ranges into an ASA to block access from certain countries plus any known bogons? And does Firepower's geolocation database work pretty well for blocking access from countries of your choice? As a side note... Is geo IP blocking even worth a poo poo?

Sep 2, 2016 00:59

Fudge posted:
    Anyone ever seen someone manually load geographically based IP ranges into an ASA to block access from certain countries plus any known bogons? And does Firepower's geolocation database work pretty well for blocking access from countries of your choice?

Yes. Yes. No.

e: Geo load balancing can be useful for multi-data center deployments or counter-DDoS strategies. But nobody attacking your poo poo is going to do it from an IP address in their actual country.

Sep 2, 2016 01:19

Fudge posted:
    Anyone ever seen someone manually load geographically based IP ranges into an ASA to block access from certain countries plus any known bogons? And does Firepower's geolocation database work pretty well for blocking access from countries of your choice?

At my work, customers ask us to do geo-blocking on ASAs all the time. We do it the first way you mention; we have object-groups pre-written for all the classics and we update them periodically. I haven't used Firepower's geo-IP functions, so I can't speak to that.

In my own, likely poorly-qualified opinion, geo-blocking is poo poo. It's poo poo because with IPv4 scarcity where it is, you will probably have blocks moving from place to place as people buy/sell IP space, which means those manual groups have to be updated regularly or you end up potentially blocking desired traffic. It's poo poo because it doesn't stop attacks from determined bad guys at all; if they have even an eighth of a brain, they'll just buy time on a botnet composed of IPs in another region, or on AWS in some other region, or some other cloud provider with data centers worldwide, probably with a stolen credit card they bought for pennies on the dollar. And it's poo poo because it, like so many firewall-based security solutions, is only as good as the hardware you run it on. I don't care how big your list of blocked regions is, all you're buying yourself is a DDoS when whoever wants to gently caress with you decides to SYN flood your goddamn ASA 5505 that you refuse to upgrade, because the firewall still has to process those packets against your now bloated million-line ACLs.

EDIT: Glad to see someone beat me to the same answer.

Sep 2, 2016 01:21

adorai posted:
    40gbps through x86?

If you're willing to apply money you can probably get ~10gbps per core of NAT44 with Snabb.

Sep 2, 2016 01:38

CrazyLittle posted:
    Well there's yer problem right there!

I instantly knew what I did when my terminal took more than .5 second to return the prompt.

The reason we want to do big 1:1 NAT is we want a central server that is authoritative for the public address space. Rather than addressing a bunch of things as being 11.1.1.0/24 we address it as 10.0.0.0/24 and NAT it 1:1 to the public. If we need to change it for some reason, rather than updating every individual server's addressing info we just go to the NAT box and change the public address that each private maps to. In reality the load will be more like 10-15 sustained but could spike to 40gbit.

It's now 8:30 and I've been standing in the really cold aisle for too long trying to unfuck my own garbage.

Sep 2, 2016 01:45

Fudge posted:
    Anyone ever seen someone manually load geographically based IP ranges into an ASA to block access from certain countries plus any known bogons? And does Firepower's geolocation database work pretty well for blocking access from countries of your choice?

Don't forget to completely forget about legacy assignments and assume random universities are in China because APNIC owns the /8.

Sep 2, 2016 02:15

Methanar posted:
    I instantly knew what I did when my terminal took more than .5 second to return the prompt

Haha. Been there several times loving up iptables rules at SMBs that refused to spend a couple hundred bucks on DRAC/LOM cards but would happily pay me that same amount to drive across town and fix it from the console. I eventually learned to schedule a "service iptables stop" for time of change + 5 minutes in those environments, which I'd then cancel if the change actually worked. The ghetto "commit confirmed".

Sep 2, 2016 02:58

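The "ghetto commit confirmed" described above, as an added example that is not code from the thread: instead of scheduling a firewall stop, this Python guard saves the live ruleset, loads the new one, and restores the saved one unless the operator confirms within a timeout. `iptables-save`/`iptables-restore` are the assumed real-world save/restore commands (the default callables); the `FakeFirewall`, the fake clock and the `simulate()` harness are constructed so the logic runs offline.

```python
"""Commit-confirmed style guard for a firewall rule change.

Added example, not code from the thread. It saves the live ruleset, loads
the new one, and restores the saved one unless the operator confirms
within the timeout. iptables-save/iptables-restore are the assumed
real-world commands; everything else is injectable so the logic can be
exercised offline with the fake firewall below.
"""
import subprocess
import time
from typing import Callable, Optional, Tuple


def iptables_save() -> bytes:
    # Assumption: iptables-save is on PATH and we run with enough privilege.
    return subprocess.run(["iptables-save"], check=True,
                          capture_output=True).stdout


def iptables_restore(ruleset: bytes) -> None:
    subprocess.run(["iptables-restore"], input=ruleset, check=True)


def guarded_apply(new_ruleset: bytes,
                  confirmed: Callable[[], bool],
                  timeout_s: float,
                  save: Callable[[], bytes] = iptables_save,
                  restore: Callable[[bytes], None] = iptables_restore,
                  sleep: Callable[[float], None] = time.sleep,
                  now: Callable[[], float] = time.monotonic,
                  poll_s: float = 1.0) -> str:
    """Apply new_ruleset, then poll confirmed() until timeout_s has passed.

    Returns "kept" if the change was confirmed in time, "rolled-back" if
    the deadline passed (saved ruleset restored), or "failed" if the new
    ruleset would not load (saved ruleset restored as well).
    """
    backup = save()                 # take the backup BEFORE touching anything
    try:
        restore(new_ruleset)
    except Exception:
        restore(backup)
        return "failed"
    deadline = now() + timeout_s
    while now() < deadline:
        if confirmed():             # e.g. a fresh SSH session touched a file
            return "kept"
        sleep(poll_s)
    restore(backup)                 # nobody confirmed: assume we locked ourselves out
    return "rolled-back"


class FakeFirewall:
    """Offline stand-in for the live ruleset (constructed for the demo)."""

    def __init__(self, ruleset: bytes, reject: bytes = b"") -> None:
        self.ruleset = ruleset
        self.reject = reject        # a ruleset the "kernel" refuses to load

    def save(self) -> bytes:
        return self.ruleset

    def restore(self, ruleset: bytes) -> None:
        if ruleset and ruleset == self.reject:
            raise RuntimeError("iptables-restore: line 1 failed")
        self.ruleset = ruleset


OLD_RULES = b"-A INPUT -j ACCEPT\n"                        # constructed
NEW_RULES = b"-A INPUT -p tcp --dport 22 -j ACCEPT\n"      # constructed


def simulate(confirm_after_polls: Optional[int], timeout_s: float = 300.0,
             reject: bytes = b"") -> Tuple[str, bytes]:
    """Run guarded_apply against FakeFirewall with a fake clock.

    confirm_after_polls=None models an operator who never confirms
    (the change cut their session). Returns (outcome, final ruleset).
    """
    fw = FakeFirewall(OLD_RULES, reject)
    clock = {"t": 0.0}
    polls = {"n": 0}

    def confirmed() -> bool:
        polls["n"] += 1
        return confirm_after_polls is not None and polls["n"] > confirm_after_polls

    result = guarded_apply(NEW_RULES, confirmed, timeout_s,
                           save=fw.save, restore=fw.restore,
                           sleep=lambda s: clock.__setitem__("t", clock["t"] + s),
                           now=lambda: clock["t"])
    return result, fw.ruleset


if __name__ == "__main__":
    print(simulate(2))                       # ('kept', NEW_RULES)
    print(simulate(None))                    # ('rolled-back', OLD_RULES)
    print(simulate(None, reject=NEW_RULES))  # ('failed', OLD_RULES)
```

In real use you would run the guard in the background (nohup or a systemd-run transient unit), then confirm from a fresh SSH session, for instance with a `confirmed` callable that checks for a marker file you touch once the new session works; if the change cut you off, the marker never appears and the old ruleset comes back on its own.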
Methanar posted:
    I instantly knew what I did when my terminal took more than .5 second to return the prompt

This seems like a terrible idea unless you're going to add load balancing in the future. Also sounds like a giant SPOF unless you're going to set up a cluster of boxes. Can Linux do stateless 1:1 NAT?

Sep 2, 2016 04:19

Methanar posted:
    I instantly knew what I did when my terminal took more than .5 second to return the prompt

Sep 2, 2016 04:27

adorai posted:
    You can use more than one device rather than trying to shove it all through a single device.

If this idea for some reason actually goes through it would be a service pool of some sort.

Anyway it's now 11:30 and I finally fixed everything I broke today. Net gain: two etherchannels and lots of scribbled paper.

e; guess I'm sleeping here tonight.

e; guess I'm just not sleeping

Methanar fucked around with this message at 06:37 on Sep 2, 2016

Sep 2, 2016 04:35

Methanar posted:
    I instantly knew what I did when my terminal took more than .5 second to return the prompt

How often are you changing your public address space that this would ever be required? Either way, just configure all the machines to use DHCP and go to the pub.

Sep 2, 2016 07:06

Can somebody idiot check me on this basic IPv6 question, because I've been working too close to it to not second guess myself.

Our ISP have given us a /56 of space, which I am planning to subnet up into a /64 per VLAN on the inside of my network. They have used the first usable IP in that /56 as the address on our side of their demarc, and have basically said "there you go". Am I utterly retarded, or is this no use to us at all, and what I actually need is a point-to-point link between our router and their demarc, and then the /56 to do whatever I want with inside our LAN? I assume at the moment anything destined for an address in our /56 is just being shat out of their demarc at layer 2.

Sep 2, 2016 19:18

Methanar posted:
    The reason we want to do big 1:1 nat is we want a central server that is authoritative for the public address space.

If stateless NAT is OK, then the Nexus 3548 can do 1:1 stateless NAT for ~1,000 NAT entries at very fast speeds.

Sep 2, 2016 19:32

Thanks Ants posted:
    Can somebody idiot check me on this basic IPv6 question, because I've been working too close to it to not second guess myself.

No, you're not. You're going to have an issue if they're just treating it like a LAN connection for the entire /56 and you intend to segment. There are a few options, but the simplest if you don't need/intend to run dynamic protocols with the provider is to have them segment a portion, like a /64, for the actual WAN and route the entire /56 to your equipment on that /64.

Sep 2, 2016 22:56

Thanks. I thought it looked like I was missing a subnet, but then part of you says "maybe you don't know what the gently caress you are doing and the ISP is right, because that's their thing after all". I ended up having a bit of a 'what the... of course this can never work' moment on the walk home from work today and can't figure out what on earth they were trying to do putting our customer subnet directly on our side of their demarc. I guess it would work if I plugged a switch in and manually addressed my devices.

And yes, no routing protocols needed as this is just Internet at the moment. I have a ticket open with the provider to give me another subnet, and to ask the guy who set this up what he thought he was doing.

Thanks Ants fucked around with this message at 23:39 on Sep 2, 2016

Sep 2, 2016 23:25

If it's a single site, I'm going to doubt you need even a majority of the /56. You can certainly just ask them to use the first /64 for the WAN and static route the /56 to your equipment. No need to get another block. I mean, if you're worried about wasting the rest of the space, you could just ask them to do a /126-/127, but whether they'll want to do that may depend.

edit: /126-127 != /128

rattrap fucked around with this message at 01:25 on Sep 3, 2016

Sep 3, 2016 00:40

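The layout rattrap describes, as an added example (not code from the thread): keep the first /64 of the delegation for the link to the provider, optionally narrowed to a /127 out of it, carve the rest into one /64 per VLAN, and have the provider static-route the whole delegation to your link address. `locate()` answers the question in the thread, namely which of your subnets a given provider-side address would land in. The prefix 2001:db8:abcd:ff00::/56, the VLAN ids and all addresses are constructed documentation values, and the function names are mine.

```python
"""Carve a delegated IPv6 prefix into a WAN link plus one /64 per VLAN.

Added example, not from the thread. The first /64 of the delegation is
reserved for the link to the provider (optionally narrowed to a /127,
RFC 6164) and the provider statically routes the whole delegation to our
link address. Prefix, VLAN ids and addresses are constructed values.
"""
import ipaddress
from itertools import islice
from typing import Dict, List, Optional

Net6 = ipaddress.IPv6Network


def plan_addressing(delegated: str, vlans: List[int],
                    wan_len: int = 64) -> Dict[str, Net6]:
    """Return {"wan": link subnet, "vlanN": /64, ...} for the delegation."""
    block = ipaddress.ip_network(delegated)
    if not isinstance(block, Net6) or block.prefixlen > 64:
        raise ValueError("need an IPv6 delegation of /64 or shorter")
    if not 64 <= wan_len <= 127:
        raise ValueError("WAN link should be a /64 .. /127")
    # Take len(vlans)+1 /64s lazily: a /48 has 65536 of them, no need to list all.
    nets = list(islice(block.subnets(new_prefix=64), len(vlans) + 1))
    if len(nets) < len(vlans) + 1:
        raise ValueError(f"{delegated} has only {len(nets)} /64s, "
                         f"need {len(vlans)} VLANs plus a WAN link")
    # First /64 is the WAN link and is never handed to a VLAN.
    wan = nets[0] if wan_len == 64 else next(nets[0].subnets(new_prefix=wan_len))
    plan: Dict[str, Net6] = {"wan": wan}
    for vlan, net in zip(vlans, nets[1:]):
        plan[f"vlan{vlan}"] = net
    return plan


def locate(address: str, plan: Dict[str, Net6]) -> Optional[str]:
    """Which plan entry contains `address`? Use it to check that the
    provider's demarc address lands in the WAN link, not in a LAN /64."""
    addr = ipaddress.ip_address(address)
    for name, net in plan.items():
        if addr in net:
            return name
    return None


def provider_routes(delegated: str, plan: Dict[str, Net6]) -> Dict[str, str]:
    """Addresses on each end of the WAN link and the static route the
    provider needs for the rest of the delegation."""
    wan = plan["wan"]
    # A /127 uses both of its addresses; on a /64 skip ::0 (subnet-router anycast).
    first = 0 if wan.prefixlen == 127 else 1
    isp_link, our_link = wan[first], wan[first + 1]
    return {
        "isp_link": str(isp_link),
        "our_link": str(our_link),
        "route": f"{ipaddress.ip_network(delegated)} via {our_link}",
    }


if __name__ == "__main__":
    plan = plan_addressing("2001:db8:abcd:ff00::/56", [10, 20, 30])
    for name, net in plan.items():
        print(f"{name:8} {net}")
    print(provider_routes("2001:db8:abcd:ff00::/56", plan))
    print(locate("2001:db8:abcd:ff00::1", plan))   # the demarc address falls in "wan"
```

With the provider's address on the first /64 and a static route for the /56 pointing at `our_link`, every other /64 is routed, not bridged, so VLAN segmentation works; if `locate()` ever reports a `vlanN` entry for a provider-side address, the provider is still treating that LAN subnet as the link.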
This provider likes to use /126 subnets for this sort of thing so I'll let them do whatever is normal for them to hopefully avoid any confusion in the future.

Sep 3, 2016 11:53

Dumb question that I'm too lazy to read 500 pages of posts for: anyone seen a Nexus 6000 series just randomly drop to a bash prompt on serial? A cursory search of Cisco.com turned up a bunch of stuff about license grace periods expiring, but I don't see any of the relevant output in our remote serial's log of our boot. Typing restart just makes it go through a hilariously long boot process where it complains about not being able to write /var/lock/mtab-289 or some other number, says it's booting successfully, and then bash-3.2$ again.

I'll be power cycling the device when I get out to the colo tomorrow to see if that changes anything, but I don't have high hopes. What are my next steps? For bonus points, is there something I can run from the command line to get NX-OS started again?

Sep 4, 2016 11:05

Storysmith posted:
    Dumb question that I'm too lazy to read 500 pages of posts for: anyone seen a Nexus 6000 series just randomly drop to a bash prompt on serial? A cursory search of Cisco.com turned up a bunch of stuff about license grace periods expiring, but I don't see any of the relevant output in our remote serial's log of our boot. Typing restart just makes it go through a hilariously long boot process where it complains about not being able to write /var/lock/mtab-289 or some other number, says it's booting successfully, and then bash-3.2$ again.

Have you tried bootstrapping it with a new image? I'd open a TAC case and be prepared for an RMA.

Sep 4, 2016 18:05

psydude posted:
    Have you tried bootstrapping it with a new image? I'd open a TAC case and be prepared for an RMA.

yeah, it's looking like it'll be RMAed. Oh well. Its sibling:

code:

Sep 4, 2016 22:02

Haha how did you end up going from Netgear -> Cisco Nexus? That's quite the leap.

Sep 4, 2016 22:26

Thanks Ants posted:
    Haha how did you end up going from Netgear -> Cisco Nexus? That's quite the leap.

Growing company with growing needs. At the beginning, we had a database, a filer, and a handful of hand-configured machines. As we grew, we expanded, and the complexity explosion of trying to get everything right while working around their limitations was too much hassle. We were starting to sign customers that didn't want mickey-mouse bullshit taking down their site during business hours, and we got customers where 'business hours' are basically 24/7.

I wasn't there, but it was apparently an easy sell because the fragility of our Netgear stack meant that any time we were working in our datacenter to do things like racking hardware, we were a liability, and the cost of a pair of N6Ks and FEXes to use as top-of-racks was offset by the lack of "oops, this piece of poo poo switch did something dumb" issues causing production outages. The amount of money saved on remote hands "I need you to unplug and connect this switch, like, right now" time alone was sizable.

Sep 4, 2016 23:23

Netgear stack is a phrase nobody has ever said.

Sep 4, 2016 23:25

We had 3COM SuperStacks and HP AdvancedStack hubs... And many other garbage piles you could call a stack. Mostly worked.

Sep 5, 2016 00:17

psydude posted:
    Netgear stack is a phrase nobody has ever said.

"Throw another useless switch on the decommissioned Netgear stack."

Sep 5, 2016 02:43

Methanar posted:
    Honestly I have no idea what I'm doing. I just had my rite of passage of destroying VLANs I needed and had the walk of shame to a console cable.

For another helpful tip about VLANs that everyone screws up at least once: VLANs are created automatically if you do switchport access vlan XXX. They are NOT created if you add a VLAN to a trunk, or even if you create an Interface VLAN XXX. You MUST run a VLAN XXX and then either name it or not and it will be created once you exit that subconfig menu. Just helped someone who'd been troubleshooting that for about 10 hours and didn't know.

Sep 5, 2016 03:46

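Both VLAN pitfalls raised in this thread, the `allowed vlan` without `add` that cut Methanar's session and the trunk/SVI references to VLANs that were never created, as one added Python check. It is not the thread's or any vendor's code: it models only the subset of IOS/EOS trunk syntax needed here (`switchport trunk allowed vlan LIST` replaces the list, `add`/`remove`/`except`/`all`/`none` modify it), treats a VLAN as existing only if declared with `vlan N` or implied by `switchport access vlan N`, and the running-config in `SAMPLE_CONFIG` is constructed.

```python
"""Two VLAN pitfalls from the thread, as a config check.

Added example, not the thread's or any vendor's code. Models a subset of
IOS/EOS trunk syntax: `switchport trunk allowed vlan LIST` replaces the
allowed list, `... add LIST` extends it. A VLAN exists only if declared
with `vlan N` or implied by `switchport access vlan N`, never by a trunk
list or an `interface VlanN`. SAMPLE_CONFIG below is constructed.
"""
import re
from typing import Dict, Set

ALL_VLANS = set(range(1, 4095))


def parse_vlan_list(spec: str) -> Set[int]:
    """'102,199,1000-1002' -> {102, 199, 1000, 1001, 1002}."""
    out: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            out.update(range(int(lo), int(hi) + 1))
        else:
            out.add(int(part))
    return out


def apply_allowed_vlan(current: Set[int], command: str) -> Set[int]:
    """Allowed set after one `switchport trunk allowed vlan ...` command."""
    m = re.fullmatch(r"switchport trunk allowed vlan"
                     r"(?:\s+(add|remove|except|all|none)\b)?\s*(.*)",
                     command.strip())
    if not m:
        raise ValueError(f"not an allowed-vlan command: {command!r}")
    verb, spec = m.group(1), m.group(2)
    if verb == "all":
        return set(ALL_VLANS)
    if verb == "none":
        return set()
    vlans = parse_vlan_list(spec)
    if verb == "add":
        return current | vlans
    if verb == "remove":
        return current - vlans
    if verb == "except":
        return ALL_VLANS - vlans
    return vlans            # no verb: the new list REPLACES the old one


def would_cut_session(current: Set[int], command: str, mgmt_vlan: int) -> bool:
    """True if the command drops the VLAN your own session rides on."""
    return mgmt_vlan in current and mgmt_vlan not in apply_allowed_vlan(current, command)


def lint_vlans(config: str) -> Dict[str, object]:
    """Report VLANs used by explicit trunk lists or SVIs that were never created."""
    declared: Set[int] = {1}            # VLAN 1 always exists
    access: Set[int] = set()            # created implicitly by access ports
    svi: Set[int] = set()
    trunk_refs: Dict[str, Set[int]] = {}  # trunks without an allowed line carry all VLANs; not checked
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():        # top-level command
            iface = None
            if m := re.match(r"vlan\s+([\d,\-]+)$", line):
                declared |= parse_vlan_list(m.group(1))
            elif m := re.match(r"interface\s+vlan\s*(\d+)$", line, re.I):
                svi.add(int(m.group(1)))
            elif m := re.match(r"interface\s+(\S+)$", line, re.I):
                iface = m.group(1)
            continue
        if iface is None:
            continue
        if m := re.match(r"switchport access vlan\s+(\d+)$", line):
            access.add(int(m.group(1)))
        elif line.startswith("switchport trunk allowed vlan"):
            trunk_refs[iface] = apply_allowed_vlan(trunk_refs.get(iface, set()), line)
    existing = declared | access
    return {
        "existing": sorted(existing),
        "trunk_missing": {i: sorted(v - existing)
                          for i, v in trunk_refs.items() if v - existing},
        "svi_missing": sorted(svi - existing),
    }


SAMPLE_CONFIG = """\
vlan 102
 name servers
vlan 199
!
interface Ethernet47
 description gateway
 switchport mode trunk
 switchport trunk allowed vlan 102,199,1000
!
interface Ethernet1
 switchport access vlan 300
!
interface Vlan1000
 ip address 10.0.100.1/24
!
interface Vlan300
 ip address 10.0.3.1/24
"""
```

Run `lint_vlans(SAMPLE_CONFIG)` and VLAN 1000 shows up as missing on both the trunk and the SVI even though it is referenced in two places, while VLAN 300 is fine because the access port created it; `would_cut_session({102, 199}, "switchport trunk allowed vlan 1000", 199)` is the pre-change check that would have flagged the console walk before it happened.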
Even when I worked at a small company we were still willing to spring for Cisco and HP network equipment. It blows my mind that companies will run critical systems on trash gear to save a few thousand dollars.

Sep 5, 2016 05:58

When I started my job we were using Motorola cable modems as part of our core network layer. Guess why! Apparently this is how my predecessors decided to handle the need for port forwarding internally. And no, we did not have any cable internet service either. Still amuses me that people wondered why the network poo poo itself literally every day!

Sheep fucked around with this message at 13:18 on Sep 5, 2016

Sep 5, 2016 13:15

When I started my job the core network was an HP 5400ZL, which is a great switch, but they had only one VLAN configured that contained all of the servers and all of the clients in the building on the same subnet.

Sep 5, 2016 13:24

Sheep posted:
    When I started my job we were using Motorola cable modems as part of our core network layer. Guess why!

That's special. Budgetary or they're lazy and had them laying around?

Sep 5, 2016 13:34

falz posted:
    That's special. Budgetary or they're lazy and had them laying around?

Sheer incompetence, I think. From the looks of it they had some local IT company come in and do the drops & initial network setup and install and then from there on out the "guy that's good with computers" was called in any time they needed something done. Need port forwarding? Better grab some cable modems!

Sep 5, 2016 13:46

adorai posted:
    When I started my job the core network was an HP 5400ZL, which is a great switch, but they had only one VLAN configured that contained all of the servers and all of the clients in the building on the same subnet.

HP switches are fine if you get a ProCurve one, but they've gobbled up so many companies now it's really hard to tell if you're getting something with a usable CLI or some dogshit awful web management.

Sep 5, 2016 14:22

psydude posted:
    Netgear stack is a phrase nobody has ever said.

One of my customers has a pair of Netgear switches that stack at 10G via HDMI cables. It makes sense when you look into it, but drat that was weird the first time I looked at it and saw those ports.

Sep 6, 2016 14:49

wolrah posted:
    One of my customers has a pair of Netgear switches that stack at 10G via HDMI cables. It makes sense when you look into it, but drat that was weird the first time I looked at it and saw those ports.

Dell 5548s used those too. Yay for non-locking connections.

Sep 6, 2016 15:08

Netgear also seem to love to design their switches in a way that crashing the management interfaces can stop them forwarding traffic. Although I assume that is true for all cheap switches as well.

Sep 6, 2016 15:47

We have 480 Netgear switches.

Has anyone ever used a FortiDDoS appliance? If so, are there any good resources for learning how to effectively use them? It seems like I just let it establish its baseline for what regular traffic looks like and then if the internet suddenly wants to send me 100000x more DNS packets than I usually get, the appliance will start dropping the traffic.

Sep 6, 2016 17:31