What happens on an err-disable? Is the port still "powered on" or negotiable at all? I'm trying to figure out why my Linux machine does not detect anything at all and has no link state change notifications when I have a port err-disabled, but the cable is plugged in still.
# Jan 15, 2018 20:56

# Apr 26, 2024 16:43

Not sure if this is appropriate for a short question, but any recommendations or models on whether some used ciscos are decent for some basic learning stuff/personal project hosting? Right now I'm using a Supermicro whitebox running bird with two dual SFP+ cards installed for routing. I currently have 2 (soon 3) full table transit BGP sessions, and this one would be directly connected to 4 internet exchanges. At least a handful of 10G ports are preferred.

# May 26, 2020 06:26

> Methanar posted: Get set up with GNS3. You'll be able to test a million more situations than you ever could with just one metal box sitting somewhere.

This is intended for actual deployment, I'm running about 20-30 Gbps of "production" traffic right now. I'm just kind of wondering if any outdated ebay-tier cisco gear is worth getting or if they all have problems dealing with fulltable memory-wise or something at that level of end-of-life oldness. Or I have no idea how much real cisco kit costs.

Impotence fucked around with this message at 07:38 on May 26, 2020

# May 26, 2020 07:35

I'm ok with any brand, not a fan of Mikrotik. One of my upstreams in the Netherlands uses exclusively Huawei stuff, which is somewhat interesting and not something I've seen to be common. I mostly just want to "move up a tier" from running Linux with software routing and python-generated bird2 configs. Emailing the IXP mailing list every time I need to update the kernel and reboot becomes tedious. Have heard a cheap option is flashing a Quanta LB6M to some Brocade firmware but that seems like hell in itself. I would like at least something that can do netflow or equivalent, and BGP flowspec.

Impotence fucked around with this message at 20:51 on May 26, 2020

# May 26, 2020 19:34

I have heavy v6 deploy/use internally; mikrotik ipv6 either dies or works questionably, and afaik they don't support BGP large communities 5 years later (which is a necessity in this day and age). My home router is a tik also. But I don't run BGP and have IPv6 at home.

# May 27, 2020 22:38

I don't understand the whole WAN or site to site or whatever via ISPs, why would you not run your own overlay network / how is there any larger QoS problem than can be enforced by regular SLAs? The compliance thing I can understand but that seems to imply that the two points should be connected by some private link, but that almost certainly won't physically exist at an ISP and it'll just be on shared transport anyway?

# Jul 27, 2020 18:41

> Bob Morales posted: CCNA doesn't hurt, but companies are moving towards more CLOUD EVERYTHING. Companies will still have a LAN of some sort but as people start moving to WFH, servers move to the cloud, networks will get less and less complicated on the LAN side.

Whole company is going to move to cloud but then pipe all cloud traffic through a single 100Mbps AWS Direct Connect to some onprem branch office's VDSL line to run a web filter to block any form of adult content.

# Sep 22, 2020 01:42

I'm curious, does anyone here run a network for fun/learning or just do practice labs/old hardware/etc? If you're European you can get started for about 25-50 euros for your own ASN and some IPv6 blocks; there are a number of nonprofit associations/clubs that support this like CommunityRack in Switzerland, grifon.fr in France, Coloclue in NL, etc - routed onto the public DFZ. I found this to be a lot more fun than a lab with a bunch of virtual Ciscos.

# Sep 23, 2020 01:16

> madsushi posted: Let's talk east/west firewalls. Let's say I have ~50 different one-off application servers with some exposure to the internet and I want to isolate them from the rest of my network. The traditional way (in my mind) to do this is to use DMZ networks off of whatever perimeter firewall and put the servers in there. But that seems to not scale well once you're talking about like 50 different applications all needing their own DMZ VLAN / having to trunk those VLANs around everywhere, etc. Some of these might also be the inverse of a DMZ, where I have servers where I want to restrict some access to them (e.g. normal users on my corpnet can't RDP to the payroll server or whatever), even server-to-server restrictions.

PII/PCI segment for things like payments, payroll, etc and another zone for everything else; all applications use mTLS and client certificates for *all* traffic without exception. It does not affect throughput in any way and you don't need 1024 VLANs for no reason - we have legacy applications secured this way by running linkerd/envoy/nginx/whatever else as a proxy that requires client certs for all traffic and then proxies it to localhost:whatever too.

wrt k8s: I have huge kubies running for some projects; have everything do automatic mTLS and tcp proxying through a bunch of load balancers and you should be fine - k8s pods should not even be exposing things like ssh, just running an application (check out the distroless base images for something to base off of, if new).

Impotence fucked around with this message at 09:29 on Sep 23, 2020

# Sep 23, 2020 09:26

> madsushi posted: Most of the services have auth. The issue is closer to: how do I prevent users from having RDP/SSH access to a server while still allowing HTTPS, and how do I expose a server to the internet while also limiting the pivot opportunities if said exposed application sucks.

Route all RDP/SSH/etc traffic through a gateway of some sort per zone (region, whatever, onprem dc, building?). Use this gateway to manage keys, who has the ability to ssh to what, issue short-lived keys instead of allowing any user to connect directly. This also produces an audit log. On AWS, we disable all ssh access and use ssm-agent instead (proxy that logs all commands, authenticated via IAM). You can look at something like https://github.com/gravitational/teleport (community edition is licensed Apache 2, so should be fine for most corp bs - no GPL)

> quote: Like if I have to expose some random app to the internet on HTTPS, how do I isolate that server so that you can't pivot from there to the rest of my stuff? I can't trust the host itself to restrict its own outbound traffic.

If you are running something like istio or other service mesh with mTLS, they will handle mTLS for you all the way through based on defined rules. If your random $app1 is compromised, but is only configured to be allowed access to, say, "$app1's REST API at x requests per second", even if you don't have firewall rules set up on $app1, it's not possible for it to directly connect to any database, other APIs, act as a jumpbox for RDP, etc. Your application basically gets sent through the mesh proxy first which will be all "no, what is this" and page you. Think of it as "app1 -> local_app1_proxy" + "local_app1_proxy -> remote_rest_api_proxy" + "remote_rest_api_proxy -> rest_api" with checkpoints at every part of it.

Impotence fucked around with this message at 19:53 on Sep 23, 2020

# Sep 23, 2020 19:45
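
A concrete version of the per-app client-certificate proxy described in the two posts above (nginx in front of a legacy app on localhost, plus the per-identity allow rule and the "x requests per second" budget from the mesh discussion), added here as an example that is not from the thread or any poster. The file paths, CA and certificate names, the allowed client DN, the rate and the backend port are placeholders.

```nginx
# Added example, not from the thread. All paths, names, the client DN,
# the rate and the backend port are placeholders.
# These two directives belong in the http {} context.

# Rate-limit per verified client identity, not per source IP.
limit_req_zone $ssl_client_s_dn zone=per_client:10m rate=10r/s;

# Allow-list of client certificate subjects permitted to reach this app.
# The DN string format depends on the nginx version (RFC 2253 on recent
# builds), so check $ssl_client_s_dn in your logs before relying on it.
map $ssl_client_s_dn $client_allowed {
    default 0;
    "CN=app1,O=example" 1;
}

server {
    listen 443 ssl;
    server_name rest-api.internal.example;

    ssl_certificate     /etc/nginx/tls/rest-api.crt;
    ssl_certificate_key /etc/nginx/tls/rest-api.key;

    # Require a client certificate chained to the internal CA. Without one
    # the TLS handshake fails, so the backend never sees the connection.
    ssl_client_certificate /etc/nginx/tls/internal-ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;

    location / {
        # Valid cert but not an identity this app serves: refuse.
        if ($client_allowed = 0) { return 403; }

        # Per-identity request budget; excess requests get 503.
        limit_req zone=per_client burst=20 nodelay;

        # The legacy app listens on loopback only, so the proxy is the
        # sole path in and the identity is passed along for its own logs.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
```

The backend must bind only to 127.0.0.1 (or a socket the proxy owns); if it also listens on the host's routable address, the certificate check is bypassed entirely.
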
> madsushi posted: Yeah, that makes sense, if I'm putting all of my traffic through software, then there are opportunities to restrict the traffic based on config / intent / whatever. I'm thinking more along the lines of traditional networking and an on-prem config where there's no mesh / fabric / orchestration layer to hand this off to. If I was running all of this in EC2 then I could just use security groups, but what are ways to do this on-prem?

This is problematic because:

- You don't want/have to use a hardware vendor's firewall solution but you basically are asking for SDN and not layer 7 (see next point)
- You don't want/have to use layer 7 software solutions[?] (you can run istio, k8s, etc onprem too)
- Security groups are not a replacement for authn/authz/mtls/rate limiting/etc

> Methanar posted: Are you using istio

service meshes are a kink

# Sep 23, 2020 20:08

> Hirez posted: e: 420 bad snype everyday

To be totally fair, the same Google IP can be anycasted to both US and HK, so I'm not really sure how you would want to deal with geoip. I see Palo Altos frequently drop all traffic destined toward the US when told to block China, because they think Alibaba Cloud Los Angeles/San Jose = China

# Sep 25, 2021 18:34