|
Kazinsal posted: The internet in general has always been poo poo, friend.

There was 25 minutes of something going down at Ashburn Equinix for sure. Passed for now.
|
# ¿ May 1, 2018 01:34 |
|
Jbz posted: Huge idiot here, I'm taking the ICND1 in a couple weeks and doing practice exams. Came across this question and I can't figure out why the /17 is the Most Correct answer.

If a destination matches multiple routes, it will take the most specific one. https://en.wikipedia.org/wiki/Longest_prefix_match

This is actually how 0.0.0.0/0 works. It's the least specific route possible; it will always match if nothing else does. It's not just a hardcoded magic number, it's logically consistent with all other routes.
|
# ¿ May 22, 2018 18:53 |
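As an added example (not from the post above, and not any vendor's code), the longest-prefix-match rule it describes, in Python's standard `ipaddress` module over a constructed routing table. The prefixes and next-hop labels are made up for the illustration; the point is that the /17 beats the /16 for any address in its upper half, and that 0.0.0.0/0 is just the shortest possible prefix, so it wins only when nothing longer covers the address.

```python
import ipaddress

# Constructed routing table for the example (prefix -> next hop label); not from the post.
ROUTES = {
    "0.0.0.0/0": "default-via-isp",
    "10.0.0.0/8": "core",
    "10.1.0.0/16": "site-a",
    "10.1.128.0/17": "site-a-upper-half",
    "10.1.200.0/24": "site-a-lab",
}


def build_table(routes):
    """Parse the prefixes once and order them longest-first, so a linear scan
    returns the most specific match. strict=True rejects entries whose host
    bits are non-zero (e.g. 10.1.129.0/17): that is a config typo, not a route."""
    table = [(ipaddress.ip_network(prefix, strict=True), next_hop)
             for prefix, next_hop in routes.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def matching_routes(table, destination):
    """Every prefix that covers the destination, most specific first."""
    addr = ipaddress.ip_address(destination)
    return [str(net) for net, _ in table if addr in net]


def lookup(table, destination):
    """Longest-prefix match: the first (longest) covering prefix wins.
    Returns (prefix, next_hop), or None when nothing covers the address,
    which can only happen if the table has no 0.0.0.0/0 entry."""
    addr = ipaddress.ip_address(destination)
    for net, next_hop in table:
        if addr in net:
            return str(net), next_hop
    return None


if __name__ == "__main__":
    table = build_table(ROUTES)
    for dst in ("10.1.200.5", "10.1.129.1", "10.1.1.1", "10.2.0.1", "192.0.2.1"):
        print(dst, matching_routes(table, dst), "->", lookup(table, dst))
```

Real forwarding hardware does this with a trie or TCAM rather than a sorted scan, but the selection rule is identical: among all covering prefixes, the longest one is used, and the default route is simply the /0 at the bottom of that list.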
|
Yeah there's no trivial easy way to fix the issue as described. Best you can do is make the one saturated link bigger with a port channel. The other options are multiple spanning tree or using L3.
|
# ¿ Jun 1, 2018 18:02 |
|
madsushi posted: Anyone run Kubernetes and have any opinions on network models / overlays? Looking at a new K8S deployment and there's like a dozen different network models and I'm trying to figure out which isn't terrible.

Calico is cool. I also hear really good things about kube-router. I like them because it's real IP BGP with no vxlan bullshit. Kube-router can peer with the rest of your network so you have real routes propagating around to normally cluster-internal resources like services or direct pod IPs.

Also if you're new to kubernetes networking, this and the two follow-up articles for services and ingress are basically mandatory reading. https://medium.com/google-cloud/understanding-kubernetes-networking-pods-7117dd28727 Read it twice. And then read it again when you start actually building things on kubernetes.

The different network models are just the implementation of how each node gets a subnet and all nodes are aware of each other's subnets.

Methanar fucked around with this message at 20:41 on Jul 13, 2018 |
# ¿ Jul 13, 2018 20:38 |
|
FatCow posted: The container ecosystem not being v6 native is the stupidest design decision I've ever seen. making GBS threads all over a Red Hat product guy about it was one of my best moments.

What would ipv6 solve? You'd still need some kind of overlay management.
|
# ¿ Jul 14, 2018 03:30 |
|
madsushi posted: Thanks, really appreciate the info and link. Somehow, there isn't an actual article that I've found describing that.

But these two are pro-reads as well. Most notable is ebgp peering with the rest of your network so you can have real routes to service kubernetes' constructs, which is useful if you're split-brained between some things inside of the cluster and some things outside of the cluster. Especially if you're on-prem and can't use elb to handle ingress for you. (like me )

https://www.kube-router.io/docs/introduction/#what-is-kube-router
https://www.kube-router.io/docs/see-it-in-action/

My understanding is kube-router is a drop-in replacement for Calico as a BGP node subnet manager, but it also replaces kube-proxy (the thing being the magic of service constructs) and can do microsegmentation all in one binary. Unclear exactly why this is better than its competitors, but apparently Its Good. It comes pre-built with prometheus metric endpoints so you get pretty graphs out of it easily that calico and kube-proxy don't give you.
|
# ¿ Jul 14, 2018 04:19 |
|
madsushi posted: Yeah, I'm on-prem too.

Tell me when you start to hate the very concept of ingress from the internet.

madsushi posted:
Calico can do ebgp peering as well, you're right. I'm bad at phrasing. I meant the ebgp peering part as a point in favor of a bgp based network vs vxlan.

kube-proxy actually has an ipvs mode too. Since 1.9, which was December I believe. https://kubernetes.io/docs/concepts/services-networking/service/

quote: Proxy-mode: ipvs

quote: Unclear exactly why this is better than its competitors and but apparently Its Good.

At the moment I'm using calico with iptables mode kube-proxy. It's been working well for me. If you do choose something else, let me know how it goes.
|
# ¿ Jul 14, 2018 04:55 |
|
FatCow posted: Unless I'm mistaken there is a ridiculous amount of NAT going on within Kubernetes. We're trying to put VoIP application in containers and the media flows are an absolute nightmare with how it currently exists. To the point where I consider it broken for UDP use cases. I'm not an engineer on the Kubernetes side, but every conversation I've had with the people working directly in it has been disappointing. We'll likely be running anything UDP/RTP in VMs while everything else goes to containers.

Okay I'll give you that. My main application is webrtc, which is directly accessed by users in the public internet, is a loving abomination to make work in kubernetes. Like you say, to the point of it being legitimately broken. What's the point if I need to operate in the host network namespace anyway.

But of course even that's not good enough because the webrtc thing is not on its own. It's got 3 different redises, needs something to term ssl whether that's an ingress controller or haproxy container in the pod, some really stupid endpoint that requires :443 on a public endpoint (looked at rewriting this so the pod could advertise a port and not have a statically required one but lol). But then operating in the host network namespace fucks up everything. I'm on prem and have a fixed number of machines to work with. When I do a deployment everything eats poo poo because if I try to deploy a new pod onto a machine with an existing pod, it fails because ports are already in use. So then the issue becomes I need two separate deployments for one application with different network configurations working together and to figure out how to do service discovery so the webrtc piece in the host network can find its other parts in the real cluster network.

But of course that's not all either. I'm on-prem and doing many 10s of gbps of video transmission. Data locality becomes important.

Like I guess for the http control traffic I can have an ingress controller in front and do host header matching to direct traffic to the correct container backends based off of how it registers to the core. But then I need dynamic, public DNS of my pods. I was thinking I could delegate a subzone for CoreOS to be authoritative but wait I guess that's actually not possible for externalIPs of services unless I write in the capability to do that. Which I might need to because the incubator project external-dns literally just does not work for ingress controllers at the moment; their slack channel helpfully told me I should just use ELB instead. https://github.com/coredns/coredns/issues/1851

nvm you're right gently caress kubernetes.
|
# ¿ Jul 14, 2018 19:08 |
|
I'm running kubernetes because I hate myself.
|
# ¿ Jul 17, 2018 17:44 |
|
What's wrong with MMF? I use it for all my trunks. Servers each get two 10g copper DAC to different switches. Am I doing it wrong?
|
# ¿ Aug 28, 2018 06:01 |
|
I will never be complicit in purchasing anything from cisco that is not a router again.
|
# ¿ Aug 31, 2018 21:54 |
|
MF_James posted: What's wrong with their switches?

Arista exists.
|
# ¿ Aug 31, 2018 23:56 |
|
Our last round of hiring I was really disappointed that I wasn't able to grill anybody on bare metal anything let alone BGP or networkingisms because everyone who applied had only ever worked on AWS. Was a bit of an eye-opener
|
# ¿ Sep 26, 2018 03:57 |
|
ate poo poo on live tv posted:

I don't quite follow. What I was talking about was a case where we were hiring Linux SREs who could code, or devs who were comfortable doing infra things. Out of like 15 people that I interviewed, only 1 of them had any meaningful non-cloud experience at all. At the time I didn't realize that working in a physical DC was becoming such a lost art. Particularly where you can't do things like just throw money at Amazon to do your edge load balancing for you or have to consider capacity planning, or etc etc etc.

I didn't really think it was that unreasonable to expect awareness of virtual MAC based HA as an example off the top of my head. Or being able to walk through a troubleshooting scenario where you have data loss because you are emitting jumbo packets to the internet that get fragmented down to 1500 somewhere in the middle, but the ICMP fragment requests get dropped at your edge because of your firewall policy that didn't permit ICMP. Or the classic example of you type `traceroute google.com`. How does this work?

Methanar fucked around with this message at 06:28 on Sep 27, 2018 |
# ¿ Sep 27, 2018 06:22 |
|
Methanar posted:

To add to this virtual MAC bit. One of the guys that we did hire set up keepalived on a network that was shared with our NAT installation that was using CARP. There were a few moments of mass confusion when terrible things happened because the guy didn't know that keepalived and CARP were both implementations of virtual MAC HA and that you can't have them share VRRP groups in the same broadcast domain.

Methanar fucked around with this message at 06:35 on Sep 27, 2018 |
# ¿ Sep 27, 2018 06:32 |
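Added example, not part of the post above and not keepalived's or CARP's own code: a pre-deployment check for exactly the collision it describes. Both VRRP (which keepalived implements) and CARP derive the IPv4 virtual MAC as 00:00:5e:00:01:XX, where XX is the VRID or vhid, and both advertise over IP protocol 112 to 224.0.0.18, so two HA clusters that reuse the same group id in one broadcast domain end up claiming the same MAC on the same wire no matter which implementation each runs. The inventory below is constructed for the example; the cluster and host names are made up.

```python
from collections import defaultdict


def vrrp_virtual_mac(group_id: int) -> str:
    """IPv4 virtual MAC shared by VRRP (RFC 5798) and CARP: 00:00:5e:00:01:<group id>.
    The id is the keepalived virtual_router_id or the CARP vhid, 1..255."""
    if not 1 <= group_id <= 255:
        raise ValueError(f"group id {group_id} outside 1..255")
    return f"00:00:5e:00:01:{group_id:02x}"


# Constructed inventory (not from the post): host, HA cluster it belongs to,
# implementation, L2 broadcast domain, group id (VRID for keepalived, vhid for CARP).
INVENTORY = [
    ("nat-1", "nat", "carp", "vlan100", 1),
    ("nat-2", "nat", "carp", "vlan100", 1),
    ("lb-1", "lb", "keepalived", "vlan100", 1),    # same id, same wire as the NAT pair: collision
    ("lb-2", "lb", "keepalived", "vlan100", 1),
    ("api-1", "api", "keepalived", "vlan100", 2),  # distinct id on the same wire: fine
    ("api-2", "api", "keepalived", "vlan100", 2),
    ("db-1", "db", "keepalived", "vlan200", 1),    # id 1 again, but a different broadcast domain: fine
]


def find_collisions(inventory):
    """Group hosts by (broadcast domain, virtual MAC). Members of one cluster are
    expected to share a MAC (that is the whole point of the HA pair), so only a
    key claimed by more than one cluster is reported, together with the
    implementations involved so the operator can see a CARP/keepalived mix."""
    clusters_by_key = defaultdict(set)
    impls_by_key = defaultdict(set)
    for host, cluster, impl, domain, group_id in inventory:
        key = (domain, vrrp_virtual_mac(group_id))
        clusters_by_key[key].add(cluster)
        impls_by_key[key].add(impl)
    return {
        key: {"clusters": sorted(clusters), "implementations": sorted(impls_by_key[key])}
        for key, clusters in clusters_by_key.items()
        if len(clusters) > 1
    }


if __name__ == "__main__":
    for (domain, mac), detail in find_collisions(INVENTORY).items():
        print(f"{domain}: {mac} claimed by clusters {detail['clusters']} "
              f"running {detail['implementations']}")
```

Running this against a real fleet means pulling `virtual_router_id` out of each keepalived.conf and `vhid` out of each CARP interface config and feeding them in as inventory rows; the check itself stays the same. The broadcast-domain column matters: the same id on different VLANs is fine, which is why the db cluster is not flagged.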
|
tortilla_chip posted:I would just ECMP and not rely on MLAG.
|
# ¿ Oct 18, 2018 20:56 |
|
So I'm a huge dipshit. If I don't want whether a route is originating from within the same ASN or not to be a deciding factor in whether or not to use it, can I just change the AD of iBGP to be 20, the same as eBGP, without loving everything up?

this is irrelevant

Basically, what I've got is this, where the best carrier to go over is dependent on which device you're talking to, which I don't really like. Here you can see in the first output we're preferring the route with the giant metric of 178100, even though there is a 0 metric possibility, because the seemingly worse option is originated over eBGP.

code:

code:

quote: 7) Prefer eBGP over iBGP paths.

code:

Nope there isn't. uh now what. I'd really rather not throw more Source IP routing at this

Methanar fucked around with this message at 06:15 on Feb 2, 2019 |
# ¿ Feb 2, 2019 04:23 |
|
Separate questions

code:

Kind of unfortunate that one's part of the path selection process. I can probably overwrite that attribute as I receive the routes, but ehh.

Is there really not a safer way of playing with the internet than blindly setting AS-path prepending or similar and then watching your links and hoping you don't send 11g over a 10g connection? What about when I start setting policy-based routing statements, do I really just yolo it and hope I do it right on the first try? I'm not really sure how you build a test environment for The Internet.

Like okay I just read about all this so I understand. I could overwrite the origin attribute on all advertisements received through cogent by doing this.

code:

code:

Is it just a normal and fine thing for most people for different BGP speaking routers to have different world views if they make it past the first 7 steps of bgp path selection?

Methanar fucked around with this message at 05:40 on Feb 2, 2019 |
# ¿ Feb 2, 2019 04:25 |
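Added example covering both of the Feb 2, 2019 posts above (the step-7 "prefer eBGP over iBGP" surprise and the idea of rewriting the origin attribute on received routes). It is not from the posts and not any vendor's code: a small model of the Cisco-documented best-path order (weight, local preference, locally originated, AS_PATH length, origin, MED, eBGP over iBGP, IGP metric) run over a constructed pair of paths for one prefix. The AS numbers and the 178100 MED are illustrative. Two things the model makes visible: MED is only compared between paths from the same neighbouring AS unless always-compare-med is on, which is why step 6 does not rescue the MED-0 path here and the decision falls through to step 7; and administrative distance never appears in these steps at all, because AD is applied later, when the RIB chooses between protocols, after BGP has already picked its single best path.

```python
from dataclasses import dataclass, replace

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}  # lower is preferred at step 5


@dataclass(frozen=True)
class Path:
    name: str
    as_path: tuple        # leftmost element is the neighbouring AS the path entered through
    ebgp: bool            # learned from an eBGP peer (True) or an iBGP peer (False)
    weight: int = 0       # Cisco-local attribute, never advertised
    local_pref: int = 100
    locally_originated: bool = False
    origin: str = "igp"
    med: int = 0
    igp_metric: int = 0   # IGP cost to reach the BGP next hop


def neighbor_as(path):
    return path.as_path[0] if path.as_path else None


def compare(a, b, always_compare_med=False):
    """Apply best-path steps 1..8 to two paths for the same prefix.
    Returns (winner, deciding_step), or (None, None) if still tied after step 8."""
    med_ok = always_compare_med or neighbor_as(a) == neighbor_as(b)
    steps = [
        (1, lambda p: -p.weight),                         # highest weight
        (2, lambda p: -p.local_pref),                     # highest local preference
        (3, lambda p: 0 if p.locally_originated else 1),  # locally originated first
        (4, lambda p: len(p.as_path)),                    # shortest AS_PATH
        (5, lambda p: ORIGIN_RANK[p.origin]),             # lowest origin: igp < egp < incomplete
        (6, lambda p: p.med if med_ok else 0),            # lowest MED, same neighbouring AS only
        (7, lambda p: 0 if p.ebgp else 1),                # eBGP over iBGP
        (8, lambda p: p.igp_metric),                      # lowest IGP metric to next hop
    ]
    for step, key in steps:
        ka, kb = key(a), key(b)
        if ka != kb:
            return (a if ka < kb else b), step
    return None, None


def best_path(paths, always_compare_med=False):
    """Fold compare() over all candidates; an exact tie keeps the incumbent."""
    best = paths[0]
    for candidate in paths[1:]:
        winner, _ = compare(best, candidate, always_compare_med)
        if winner is candidate:
            best = candidate
    return best


# Constructed scenario: one prefix, reachable directly via carrier AS 64502 (eBGP,
# large MED) and via carrier AS 64501 through an iBGP peer (MED 0, IGP cost 0).
CARRIER_EBGP = Path("carrier-direct", as_path=(64502, 64510), ebgp=True, med=178100)
INTERNAL_IBGP = Path("via-ibgp-peer", as_path=(64501, 64510), ebgp=False, med=0)

# The two knobs that act before step 7: raise local preference on the path you want,
# or (as the second post considers) rewrite origin on routes from the other carrier.
INTERNAL_IBGP_LP200 = replace(INTERNAL_IBGP, local_pref=200)
CARRIER_EBGP_INCOMPLETE = replace(CARRIER_EBGP, origin="incomplete")

if __name__ == "__main__":
    for label, a, b, acm in [
        ("default", INTERNAL_IBGP, CARRIER_EBGP, False),
        ("bgp always-compare-med", INTERNAL_IBGP, CARRIER_EBGP, True),
        ("local-pref 200 on the iBGP path", INTERNAL_IBGP_LP200, CARRIER_EBGP, False),
        ("origin rewritten to incomplete on the carrier path", INTERNAL_IBGP, CARRIER_EBGP_INCOMPLETE, False),
    ]:
        winner, step = compare(a, b, acm)
        print(f"{label}: {winner.name} wins at step {step}")
```

The origin rewrite works in the model because step 5 runs before step 7, but it is a blunt instrument: it demotes every route from that carrier on every router that applies the inbound policy, which is the same "different routers, different world views" problem the second post asks about unless the policy is identical everywhere. Local preference is the attribute designed for exactly this choice, and it is carried to iBGP peers, so the whole AS agrees.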
|
Tetramin posted: Using a 5500 wireless controller. Trying to move a network from Vlan 1 to 10, have the switchports trunked with a native vlan of 10. The wireless clients can't get DHCP addresses. They do show 'auth: no' for each client but forgetting and rejoining the network doesn't work. We are using flexconnect to define each SSID's vlan. I've read about defining a new interface where you can set DHCP servers, but i thought flexconnect overrides the interface settings? Obviously the flexconnect vlan tagging is changed from 1 to 10, and I set the VLAN settings in advanced like this:

Do your new VLAN and DHCP server actually share the same broadcast domain? If not you'll need to set up a DHCP helper to relay the DHCP packets.
|
# ¿ Mar 23, 2019 05:15 |
|
gns3 is such a pain in the rear end to set up.
|
# ¿ Jun 17, 2019 03:40 |
|
TheManWithNoName posted: Every other WFH employee I’ve talked to uses their personal router and they aren’t having this issue though.

Is your DHCP lease expiring? Try statically assigning your phone the IP it's dynamically been assigned. I've had an issue before where a lovely consumer router just didn't renew a lease until after it had completely expired. It was a dlink something from 10 years ago.
|
# ¿ Jun 18, 2019 17:47 |
|
Thanks Ants posted: If I have APs in two offices that are across the road from each other which are connected via a VPN tunnel but otherwise don't share any infrastructure, am I better off putting all the APs into the same logical group and enabling L3 roaming, or trying to turn the Tx power on the APs down to such a low value that you drop off the network before you reach the other building?

Build a faraday cage
|
# ¿ Jun 18, 2019 22:43 |
|
klosterdev posted: How well does OSI troubleshooting work vertically? Eg because I know layer 3 works fine (no dropped packets to destination), I can rule out layer 1 as the reason for connectivity issues to that device, but would that also allow me to rule out layer 2?

It's possible to have flapping vlans/vxlans, or maybe some kind of l2 qos problems (ASK ME ABOUT ESXI STANDARD VSWITCHES) that cause intermittent issues. Or maybe IP address conflicts and your arp tables are getting confused periodically.
|
# ¿ Jul 5, 2019 23:35 |
|
Docjowles posted: I think that reasoning breaks down pretty quickly. MTU mismatches are a good example. Pings work, TCP sessions get established, etc, basic tests look fine. But when you start to put load on the link, it becomes very erratic, dropping packets left and right. So in that case, layer 3 and up were actually fine, but the MTU at layer 2 was wrong. So your "I can ping, gotta be higher up the stack" premise falls apart. Wrong speed/duplex settings on an interface causing it to be at 10/Half or some poo poo are another one off the top of my head. That would probably look OK during cursory testing, but perform like utter rear end under load.

I got red titled. I should probably change it back.
|
# ¿ Jul 6, 2019 01:54 |
|
If for some reason I actually need a hardware firewall, fortigate >>>>>>> ASA They're also extremely good for doing dialin VPNs, I'd choose fortigate way before I'd ever consider doing it myself with strongswan. Especially if you're looking to tie it in with AD and MFA
|
# ¿ Jul 11, 2019 20:26 |
|
ragzilla posted: This is incredibly common as a lot of the fiber out there is standard g.652, and not the more modern and exotic like low water peak and dispersion shifted (unless it's new longhaul intercity builds that use DS fiber to avoid doing DCM, but even that's less useful now with 200G+ superchannel OEO regen GMPLS networks).

It's rare I read something that I understand this little.
|
# ¿ Sep 5, 2019 22:11 |
|
MF_James posted: Thankfully we don't do firepower at all, we have a config standard that removes BVI as well (for devices that need it), though I don't think the 5515/5516s come by default like the 5506's. I do long for Fortinet's as lovely as that sounds, but it looks like we're moving to SonicWALL

Nothing lovely about wanting fortinets for a VPN terminator or if you really need a hardware firewall for some reason.
|
# ¿ Sep 17, 2019 20:44 |
|
GreenNight posted: We're getting a pair of 10 gig switches for our datacenter. Aruba 3810m vs Cisco Nexus 3524xl. Any reason not to go with Aruba? drat near half the cost, even including optics.

Still buy unbranded optics
|
# ¿ Sep 18, 2019 19:56 |
|
Don't use bgp unless you really know what you're doing. Weighted dns with health checks is probably a better idea as mentioned. But I have no idea what the service is
|
# ¿ Oct 9, 2019 20:17 |
|
What goes into the decision to use Juniper rather than Arista, other than Juniper gear already being entrenched and in place?
|
# ¿ Apr 9, 2020 04:53 |
|
Biowarfare posted: Not sure if this is appropriate for a short question, but any recommendations or models on whether some used ciscos are decent for some basic learning stuff/personal project hosting? Right now I'm using a Supermicro whitebox running bird with two dual SFP+ cards installed for routing. I currently have 2 (soon 3) full table transit BGP sessions, and this one would be directly connected to 4 internet exchanges. At least a handful of 10G ports are preferred.

Get set up with GNS3. You'll be able to test a million more situations than you ever could with just one metal box sitting somewhere. GNS3 is a tool that runs real ios/eos/juniper/whatever images in VMs for you. You can even hook up real devices like your supermicro to your GNS3 network if you're feeling spicy and want to connect to the real internet for some reason.
|
# ¿ May 26, 2020 07:03 |
|
Biowarfare posted: This is intended for actual deployment, I'm running about 20-30 Gbps of ""production"" traffic right now. I'm just kind of wondering if any outdated ebay-tier cisco gear is worth getting or if they all have problems dealing with fulltable memory-wise or something at that level of end-of-life oldness. Or I have no idea how much real cisco kit costs.

At my last job I bought like 8 Arista 7050SX off ebay used with a 100% success rate for literally 10% the price that Arista themselves would sell them to you. 10/10 would buy again. Has a good API and cisco style cli. Minimal bullshit with offbrand SFPs. 48 10gbps ports with 4 40g qsfp. https://www.ebay.ca/itm/Arista-DCS-...oYAAOSwnWBdUdGI

I didn't run the 7050s with full table BGP, so you might need to check if they'll work for you, but I did run 5x full table BGP off of arista 7280SRs which are also dirt cheap on ebay for what it is. https://www.ebay.ca/itm/Arista-DCS-7280SE-64-F-48x10GbE-SFP-4x40GbE-QSFP-F-to-R-Airflow/323584542483

Methanar fucked around with this message at 07:51 on May 26, 2020 |
# ¿ May 26, 2020 07:46 |
|
Is 'blackhole' a racist term now like blacklisting. "I'm going to blackhole this route" Methanar fucked around with this message at 17:09 on Aug 6, 2020 |
# ¿ Aug 6, 2020 17:05 |
|
I can't wait for No Code to kill every devops/cloud/learn to code job
|
# ¿ Sep 22, 2020 19:04 |
|
Biowarfare posted: I'm curious, does anyone here run a network for fun/learning or just do practice labs/old hardware/etc? If you're European you can get started for about 25-50 euros for your own ASN and some IPv6 blocks, there are a number of nonprofit assocations/clubs that support this like CommunityRack in Switzerland, grifon.fr in France, Coloclue in NL, etc - routed onto the public DFZ. I found this to be a lot more fun than a lab with a bunch of virtual Ciscos.

No I actually try to spend as little time as possible doing computer things if I'm not being paid for it.
|
# ¿ Sep 23, 2020 01:37 |
|
Don't depend on network level segmentation as a replacement for proper authn/authz for one. Host-based firewalling is fine if you can put together an rbac model in ansible or chef. That's how I'd do it tbh rather than trying to maintain n vlans and then managing acls anyway.
|
# ¿ Sep 23, 2020 07:23 |
|
Biowarfare posted:
|
# ¿ Sep 23, 2020 15:39 |
|
ASAs are trash
|
# ¿ Nov 8, 2020 19:31 |
|
ior posted: Depends on how you define most. The big players are definitely not using pf/iptables (Palo, Check Point, Fortinet, Cisco). Keep in mind that both pf/iptables only do ip/port. Whilst a modern NGFW does everything from appcontrol, ips dns security, sd-wan, sandboxing etc.

https://aws.amazon.com/marketplace/solutions/security/firewalls-proxies

How do these sorts of software firewalls/appliances work presumably without their special hardware? Is it just poorly?
|
# ¿ Dec 17, 2020 04:31 |
|
|
Pile Of Garbage posted: Exactly the same as the physical appliances and worked perfectly

How
|
# ¿ Dec 17, 2020 08:53 |