
    Sunday, July 29, 2018

    Inherited a very messy network, looking for some advice and sanity-checking. Networking



    Inherited a very messy network, looking for some advice and sanity-checking.

    Posted: 29 Jul 2018 12:51 PM PDT

    First off, my job title is more like "engineer" rather than "network engineer", but I will try and keep this focused on the networking aspect rather than the real purpose and description of my job, which is at a non-profit TV station. The network is more interesting, anyway.

    This is an extremely small organization, something like 15 to 20 people including me. First network that I've been given pretty much full rein over, and unfortunately have been working on for an embarrassingly long time, learning as I go and treading carefully so as not to interrupt service. Being given full rein means full responsibility for the screwups. And this network was, and still largely is despite my efforts, very messy. That would be because of my boss, who I will just go ahead and state is not really too involved nor experienced in this field, and seems to have written no documentation beyond what he inherited, and generally just let the entropy grow. And now his memory is really crap and he can't remember what he did in the first place. I go to him to beg for a new toy and for permission to do something, and he leaves me to it. Managed to bring a buddy of mine in to lighten the workload, although I do have to train him on the side, on what I think matters. More responsibility. So I am effectively the most knowledgeable tech. Which... hooray, I guess? It sure is a satisfying learning environment, anyway.

    One of my recent changes was running lines from each major switch to a core switch, instead of leaving them daisy-chained like they were. Previously, if the switch that connected the people in the business department to the internet lost its connection, the people in production would also be disconnected from the internet, and so would the switch that our main servers connect to, etc. With this change I have like 0.5% more peace of mind. Will probably do aggregation once I understand it better and probably once I can negotiate for a better category of cable, since I am rather concerned about EMI in the server room. Like I said, non-profit. The core switch is just beneath a Juniper SRX210HE2 which I only recently learned we are not supposed to have any means of access to for our own configuration. It was installed by the ISP I think, just underneath a device for receiving 100Mbit fiber internet, and acts as a firewall and a gateway and a DHCP server. It has just the two gigabit Ethernet ports, one for the fiber internet device, and one for the core switch. Rather annoying.

    So, we have a flat network, two major subnets (one which allows you to access the internet, and one which does not), and something like two or three more that are not physically connected to the two major subnets. (That would be my doing, trying to keep legacy equipment talking to its brethren and away from the more modern stuff. Still have maybe two or three XP and 2003 servers to move over, once I learn what the heck they even do, if anything.)

    One necessary server is broadcasting to 255.255.255.255 via UDP several times a second to ensure that its brethren devices are up and accessible, and since this is a flat network I am able to see it with wireshark when I am on either major subnet, including when I am on wifi. I very much want that to be contained, but I am not sure how.

    Speaking of the wifi, my boss previously connected ethernet lines to the LAN ports on our SOHO Netgear devices without disabling the various services on them. A previous major change I made was moving the lines to the WAN ports on the devices and configuring them in WAP mode so we didn't have conflicting DHCP servers, and so people who just HAVE to work on the wifi could actually hit the servers they needed to hit. I currently just RDP from my laptop to a Windows 10 desktop that I cobbled together from parts, and have configured a virtual Realtek adapter so I can access both major subnets, or a USB ethernet device for the segregated switches. For an Arch Linux box that I also cobbled together I just use MACVLAN adapters, which are very easy to whip up if you are okay with using systemd-networkd.

    Sooooooo, I've done a lot to ensure that equipment stays on managed switches intended for equipment, and that business stays on managed switches intended for business, production for production, etc. But none of it is really segregated, no VLANs. I'm not sure how to introduce that into the setup, since there will be an overlap of NICs of the first subnet and of the second, and in one case I think a device connects to the internet-connected subnet through a device on the second subnet, and I am not sure how that is happening in the slightest. All I know is that I see two MAC addresses listed in the MAC table for a single port on the equipment switch, when as far as I can tell it is not doing anything like the virtual adapters I have set up on my personal workstations. So I am not sure how I will introduce VLANs (or perhaps learn how to do routing) without accidentally preventing some necessary devices from accessing what they need to access.

    Here is a super basic map drawn in Paint, if more detail is desired then let me know. There are no patch panels in this setup, and it is on the list of stuff to introduce.

    What I want, basically, is advice on VLANs or perhaps routing, and a sanity check on anything I said that may be a red flag as far as configuration goes. I've said as much as I can think of.

    submitted by /u/Dublinio
    [link] [comments]
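    As an added example (not from the original post), here is a Python script that joins a switch MAC address table with an ARP table to show which subnets sit behind each switch port. The switch output, ARP entries, port names and the two subnet ranges are all constructed, and the MAC-table column layout is assumed to be Cisco-like. Ports that learn more than one MAC are where something else sits downstream (an unmanaged switch, a hub, or a host with virtual adapters like the ones described above), and ports with addresses from both subnets are the ones to sort out before assigning VLANs, since a VLAN or router boundary is also what keeps 255.255.255.255 broadcasts from crossing into the other subnet.

```python
import ipaddress
from collections import defaultdict

# Constructed sample output in the style of a switch MAC address table.
# Not taken from the original post.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0011.2233.4455    DYNAMIC     Gi1/0/1
   1    0011.2233.4466    DYNAMIC     Gi1/0/2
   1    0011.2233.4477    DYNAMIC     Gi1/0/2
   1    0011.2233.4488    DYNAMIC     Gi1/0/3
   1    0011.2233.44bb    DYNAMIC     Gi1/0/3
   1    0011.2233.4499    DYNAMIC     Gi1/0/24
   1    0011.2233.44aa    DYNAMIC     Gi1/0/24
"""

# Constructed ARP table as seen from a host with a foot in both subnets.
ARP_TABLE = """\
10.10.0.5      00:11:22:33:44:55
10.10.0.9      00:11:22:33:44:66
10.20.0.9      00:11:22:33:44:77
10.10.0.12     00:11:22:33:44:88
10.10.0.13     00:11:22:33:44:bb
10.10.0.1      00:11:22:33:44:99
10.20.0.1      00:11:22:33:44:aa
"""

# Constructed subnet ranges standing in for the two major subnets.
SUBNETS = {
    "business": ipaddress.ip_network("10.10.0.0/24"),
    "equipment": ipaddress.ip_network("10.20.0.0/24"),
}


def normalize_mac(mac):
    """Return a lower-case colon-separated MAC from dotted, dashed or colon form."""
    hexdigits = mac.replace(".", "").replace(":", "").replace("-", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Map each port to the set of MACs the switch has learned on it."""
    port_to_macs = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[0].isdigit():
            continue  # header and separator lines
        _vlan, mac, _type, port = fields
        port_to_macs[port].add(normalize_mac(mac))
    return dict(port_to_macs)


def parse_arp_table(text):
    """Map each MAC to the IP addresses that have answered ARP for it."""
    mac_to_ips = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 2:
            continue
        ip, mac = fields
        mac_to_ips[normalize_mac(mac)].add(ipaddress.ip_address(ip))
    return dict(mac_to_ips)


def subnet_name(ip):
    for name, net in SUBNETS.items():
        if ip in net:
            return name
    return "unknown"


def port_inventory(port_to_macs, mac_to_ips):
    """For each port: how many MACs it learned and which subnets those MACs use."""
    inventory = {}
    for port, macs in port_to_macs.items():
        nets = set()
        for mac in macs:
            for ip in mac_to_ips.get(mac, ()):
                nets.add(subnet_name(ip))
        inventory[port] = {"macs": len(macs), "subnets": nets}
    return inventory


def flag_ports(inventory):
    """Ports to inspect before a VLAN cut-over: several MACs, or mixed subnets."""
    multi = sorted(p for p, d in inventory.items() if d["macs"] > 1)
    mixed = sorted(p for p, d in inventory.items() if len(d["subnets"]) > 1)
    return multi, mixed


if __name__ == "__main__":
    inv = port_inventory(parse_mac_table(MAC_TABLE), parse_arp_table(ARP_TABLE))
    multi, mixed = flag_ports(inv)
    print("ports with more than one MAC:", multi)
    print("ports carrying both subnets:", mixed)
```

    In the constructed data Gi1/0/3 has two MACs but both on the business subnet (a small unmanaged switch would look like this), while Gi1/0/2 and the uplink Gi1/0/24 carry both subnets and need a decision before their VLAN membership can be set.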

    Splitting single WAN for HA - isolated VLAN?

    Posted: 29 Jul 2018 02:33 PM PDT

    I've got an ISP that provides only a single WAN port on their equipment, but I've got an HA firewall setup. I know I can make it ugly and connect the ISP to a 5-port unmanaged switch and then to both firewalls, but I want to do something more fancy. I'm thinking about a small managed switch instead with an isolated VLAN configured for those ports, and then a different VLAN on a different physical port that connects it back to my network for SNMP management and reporting. There'd basically be three connections out of the switch, two from the ISP VLAN that goes into the firewalls for Internet traffic and one from a different VLAN that goes into the LAN for management traffic. Anyone doing anything like this? Any potential issues? I worry about the potential for VLAN hopping and someone bypassing my firewalls through this switch and getting into the LAN, but I'm not sure how realistic that is in the real world. Thoughts?

    submitted by /u/megabsod
    [link] [comments]

    MySonicWall.com down

    Posted: 29 Jul 2018 12:51 PM PDT

    We've been unable to log in to any of our SonicWALL customers' MySonicwall.com accounts; enter login and password, big red "Error". SonicWALL support says they're working on it.

    submitted by /u/AvalonNYC
    [link] [comments]

    L2TP VPN issues

    Posted: 29 Jul 2018 01:52 PM PDT

    Recently deployed an L2TP VPN through a Ubiquiti USG that acts as a RADIUS client and authenticates back to the company server so users can use AD credentials to access the network.

    The client side is using the built-in Windows VPN. For each user, as we configured it, we tested to make sure they could connect to the VPN, and certain users were able to connect with zero issues and other users could not. It seemed like a password or username thing, so we verified and rebuilt the connection and it would work again, but this afternoon it seemed to happen again. Tested it with a test account to see if something server-side had failed, and the test account connected just fine. Just a couple of specific users.

    I was curious what would cause this. Is it the Windows VPN client being screwy? I hate to think I have to rebuild this VPN profile every other week. I'd like to think I'm just overlooking something.

    submitted by /u/Fulginiti
    [link] [comments]

    Might be a longshot but figured I'd ask

    Posted: 29 Jul 2018 01:26 PM PDT

    Is there anyone out there who has any experience with an old Lucent TNT?

    submitted by /u/jevilsizor
    [link] [comments]

    NGFW with centralized management for multiple DC

    Posted: 29 Jul 2018 01:31 AM PDT

    Hi all, I am facing a choice of NGFW solution for several DCs, mainly for DMZ; mostly it's voice traffic (SIP/RTP) and also web services, about 20 Gb/s. Currently we use the SonicWall NSA solution in two DCs but only as an internal firewall, and some devices for offices. Previously, I had no experience with them, but in the current place they have proven themselves, including the price. Now we need a solution with single management of all firewalls; as far as I understand from the GMS demo, there is no possibility to configure a single policy for all EDGE/DMZ NGFWs.

    Who has experience with GMS, share it; maybe I'm wrong. I have a desire to replace them with Fortinet/PA with single management. Also, what models do you advise for this task in the Fortinet/PA series?

    submitted by /u/slepwin
    [link] [comments]

    Do I need EAP(peap) enabled?

    Posted: 29 Jul 2018 12:18 PM PDT

    We have an SSID for users' personal mobiles to connect at our company, and we have the EAP-PEAP authentication method defined in our NPS. Recently we've been getting a lot of tickets that some mobiles can't connect to wifi. Digging into this a little bit, I understand that some mobiles can't connect to PEAP networks anymore (mostly Chinese models). So can I turn this feature off without compromising on security? I'm the only admin there, a complete newbie, and I'm honestly lost! Any suggestions would help regarding wireless/NPS.

    submitted by /u/Netninjaax
    [link] [comments]

    BFD; How much is too much?

    Posted: 28 Jul 2018 08:10 PM PDT

    Is there any reason not to crank up BFD across as many links as possible? Most of my links are private P2P/VPLS/MPLS. Any kind of practical limit to the number of peers you can or should have?

    Only thing I can think of is # of PPS and/or CPU; 50ms intervals makes 20pps per peer. In an environment with hundreds of peers (i.e. VPN aggregation, multiple and redundant WAN links, etc), that starts looking like real numbers.

    submitted by /u/schismsaint
    [link] [comments]

    looking for free bgp peer

    Posted: 29 Jul 2018 02:44 AM PDT

    Hello,

    I have my own AS + PI and am looking for BGP peering.

    My current ISP does not provide such a possibility.

    Please advise who can provide this, or maybe someone can help.

    It will be very appreciated.

    Thanks!

    submitted by /u/r2d2v14
    [link] [comments]

    Why is my network speed dropping every 15 seconds?

    Posted: 29 Jul 2018 10:28 AM PDT

    Here's a log from the System Monitor in Fedora: [image]

    Sometimes the period is not 15, but around 20 seconds. I'm downloading a file from Google Drive via Firefox.

    submitted by /u/VMsAllTheWayDown
    [link] [comments]

    Cheap 48p + 2SFP+ for ISCSI?

    Posted: 28 Jul 2018 04:50 PM PDT

    I'm currently using a TL-SG2452 to host a virtual 12TB HDD via an iSCSI program called ccboot for 30 clients,

    and apparently it's not good enough; clients are experiencing long loading times, freezing, etc. on large-sized games.

    I've been thinking of going 10G (the current server is using a quad NIC) but the price difference is not reasonable yet in my country,

    So I'm gonna try a 10G uplink. I heard switches with a high buffer size would help a lot, but their price is insane.

    I've been having a pretty positive experience with the Linksys LGS552 (2*8 Mb buffer), but it's for lower-spec'ed clients.

    The clients on the LGS552 don't access large files all the time, unlike the ones on the TL-SG2452,

    So I'm not sure if it'll do the job.

    Any recommendations for a cheaper switch with a high buffer?

    Also, what is the consensus on buffer needs for iSCSI? I read a high buffer could be a bad thing too.

    Currently looking at Arista / Cisco;

    Arista has 768 buffer

    Dell Force10 S60 interests me as well (1.25GB buffer), but I read some people having trouble configuring it

    submitted by /u/denywinarto
    [link] [comments]

    Wireshark Network Boundaries

    Posted: 28 Jul 2018 11:41 PM PDT

    This might be a stupid question but I have a capture file and need to identify the network boundary between a private LAN and public IP addresses.

    Does Wireshark display the conversations in a way that the private source address is a gateway when communicating with a public IP address, or is the source address potentially a host address within the private network that just doesn't show the gateway address?

    I believe the gateway address to be 192.168.1.200 as it is the only IP address listed as having conversations with public IP addresses.

    Is this a logical conclusion, or should I be considering 192.168.1.254 as the gateway because DNS requests are sent there and it is a more logical address for the gateway of a private LAN?

    Regards

    Ad

    submitted by /u/ACarmon02
    [link] [comments]
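    As an added example (not part of the post), a short Python script over constructed frames showing why the conversation list alone can't settle this: a router forwards packets without changing their IP addresses, so at the IP layer a private source talking to public addresses is a host, not the gateway, while at the Ethernet layer every Internet-bound frame is addressed to the router's MAC. The MACs, IPs and frame list are constructed; the only assumption is a capture taken on the LAN side of the router, which is where the poster's 192.168.1.x addresses suggest it was taken.

```python
import ipaddress
from collections import Counter

# Constructed frames in the shape Wireshark shows them (not the poster's capture):
# (src MAC, dst MAC, src IP, dst IP). Hosts .200 and .37 reach the Internet via the
# router whose LAN MAC is 02:00:00:00:00:fe and whose LAN IP is 192.168.1.254.
FRAMES = [
    ("02:00:00:00:00:01", "02:00:00:00:00:fe", "192.168.1.200", "93.184.216.34"),
    ("02:00:00:00:00:fe", "02:00:00:00:00:01", "93.184.216.34", "192.168.1.200"),
    ("02:00:00:00:00:01", "02:00:00:00:00:fe", "192.168.1.200", "192.168.1.254"),  # DNS query
    ("02:00:00:00:00:fe", "02:00:00:00:00:01", "192.168.1.254", "192.168.1.200"),  # DNS reply
    ("02:00:00:00:00:02", "02:00:00:00:00:fe", "192.168.1.37", "8.8.8.8"),
    ("02:00:00:00:00:02", "02:00:00:00:00:03", "192.168.1.37", "192.168.1.50"),   # LAN-local
    ("02:00:00:00:00:03", "02:00:00:00:00:02", "192.168.1.50", "192.168.1.37"),
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(ip):
    """'private' for RFC 1918, 'public' for globally routable, 'other' for the rest
    (multicast, broadcast, link-local and similar special ranges)."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        return "private"
    return "public" if addr.is_global else "other"


def private_hosts_talking_to_public(frames):
    """IP-layer view: every private source seen with a public destination.
    These are hosts; the router's own LAN IP never appears as the source of a
    packet it merely forwards."""
    return {src for _, _, src, dst in frames
            if classify(src) == "private" and classify(dst) == "public"}


def infer_gateway_mac(frames):
    """Ethernet-layer view: frames bound for public IPs are addressed to the router's MAC."""
    counts = Counter(dmac for _, dmac, src, dst in frames
                     if classify(src) == "private" and classify(dst) == "public")
    return counts.most_common(1)[0][0] if counts else None


def gateway_lan_ips(frames):
    """Private IPs that appear as source with the gateway MAC as source MAC,
    i.e. the router's own LAN-side address(es) when it answers hosts directly."""
    gw_mac = infer_gateway_mac(frames)
    return {src for smac, _, src, _ in frames
            if smac == gw_mac and classify(src) == "private"}


if __name__ == "__main__":
    print("hosts reaching public IPs:", sorted(private_hosts_talking_to_public(FRAMES)))
    print("gateway MAC:", infer_gateway_mac(FRAMES))
    print("gateway LAN IP(s):", sorted(gateway_lan_ips(FRAMES)))
```

    In Wireshark the same check is the Ethernet conversation list (Statistics > Conversations, Ethernet tab) next to the IPv4 one: the MAC that pairs with every internal host, and which ARP resolves to a single private address, is the gateway, whether or not that address ever appears in the IPv4 conversations.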

    be your own ISP

    Posted: 29 Jul 2018 02:17 AM PDT

    I'm looking at redistributing internet bandwidth to about 40 users. Say I have redundant link to the house. I'm thinking I can use OPNsense for a captive portal and traffic shaping, controlling which user can use how much bandwidth. More professionally, I'd like to give every user a router. My idea is they can set a password in their router connected to me by the WAN interface much like they would with an ISP. That way users wouldn't be bothered by captive portals and move a lot of local traffic off my infrastructure into their LAN. Trouble is I know next to nothing about the mechanism typically used between routers' WAN interface and ISP. I'm assuming it must be some sort of tunnel negotiation.

    Is there an open source "ISP" where I can configure accounts and bandwidths? It seems I'm googling the wrong terms.

    submitted by /u/paprika27
    [link] [comments]

    Brain-fart atm. Patch panel question.

    Posted: 28 Jul 2018 07:43 PM PDT

    Hey there guys and gals.

    So I am organizing my server rack atm, and basically I have a pfSense firewall. So what I want to do is make everything look neat; I don't want cables going over my patch panel.

    So I drew a picture:

    https://i.imgur.com/EQ0VI0W.png

    So I want port 4 (green cable) to be connected directly into my switch; port 3, the other red/blue cable, is the WAN OUT of the pfSense router/firewall. The red cable on the back of the patch panel would be T568B-T568B.

    My current setup is:

    pfSense

    Patch Panel

    Switch

    So basically my question is: is my logic correct?

    Thank you for your time and help! :D

    submitted by /u/itsflashpoint
    [link] [comments]
