[#] Wed Apr 14 2021 15:10:12 UTC from IGnatius T Foobar

Subject: Re: Vlans


That's a great question to be asking if you are getting started with VLANs.

It might help to know that a packet "on the wire" with a VLAN tag has a special ethertype (0x8100) so it isn't going to be recognizable as any other type of traffic. You also need to know whether your Cisco switch ports are configured as "trunk" or "untagged". If your switch is VLAN-aware, as nearly all Cisco switches are, then a trunk port can handle all of your VLANs on the same wire.

To route *between* VLANs, either directly or with some functions added (like a firewall or NAT), your layer 3 routing device must have interfaces on all VLANs. There are two ways to do this:

1. The old way, which no one does anymore, is to have separate connections from your switch to your router for every VLAN. The switch ports are "access ports" (one VLAN with no tag) and the router ports are not VLAN aware.

2. The preferred way, is for the switch and router ports to both be running in "trunk" mode. Then on your router you have "subinterfaces" which are VLAN aware. For example:

GigabitEthernet1.123 would be on physical port GigabitEthernet1 and operating on VLAN 123
GigabitEthernet1.567 would be on physical port GigabitEthernet1 and operating on VLAN 567

Then you might assign 192.168.0.1 to Gi1.123, and 7.5.5.5 to Gi1.567, and do your routing as usual. This is referred to as a "one arm" routing device because it speaks to both (all) networks on the same cable.
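As an added example (not code from the post or from any Cisco product), the following Python parses frames exactly the way the post describes them: a tagged frame is recognised only because the bytes where the ethertype would sit contain 0x8100 (or 0x88A8 for the outer tag of a QinQ frame), and a "one arm" router picks the subinterface from the 12-bit VLAN id in the tag. The Gi1.123 / Gi1.567 table, the MAC addresses and the frames themselves are constructed for the example.

```python
"""Parse 802.1Q-tagged Ethernet frames and demultiplex them onto router
subinterfaces the way a "one arm" router does.  Added example, not code
from the thread; the frames below are constructed and the subinterface
table is the hypothetical Gi1.123 / Gi1.567 pairing from the post."""
import struct
from typing import Optional

ETHERTYPE_8021Q = 0x8100   # TPID of a customer (C-VLAN) tag
ETHERTYPE_8021AD = 0x88A8  # TPID of the outer service tag in QinQ frames
ETHERTYPE_IPV4 = 0x0800

# Assumed router-on-a-stick table for the trunk on GigabitEthernet1:
# VLAN id -> (subinterface name, gateway address)
SUBINTERFACES = {
    123: ("GigabitEthernet1.123", "192.168.0.1"),
    567: ("GigabitEthernet1.567", "7.5.5.5"),
}


def parse_frame(frame: bytes) -> dict:
    """Split a frame into MACs, the stack of VLAN tags (outermost first)
    and the innermost ethertype + payload.  A tagged frame is recognised
    purely by the 0x8100/0x88A8 value sitting where the ethertype would be."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated ethertype")
        (etype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if etype not in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
            break
        if len(frame) < offset + 2:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset)  # Tag Control Information
        offset += 2
        tags.append({
            "tpid": etype,
            "pcp": tci >> 13,         # 3-bit priority code point
            "dei": (tci >> 12) & 1,   # drop eligible indicator
            "vid": tci & 0x0FFF,      # 12-bit VLAN id
        })
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
            "ethertype": etype, "payload": frame[offset:]}


def demux(frame: bytes) -> Optional[str]:
    """Return the subinterface that should receive a frame arriving on the
    trunk, keyed on the outermost VLAN id.  Untagged frames (native VLAN)
    and VLANs with no subinterface return None: the router has no
    interface on them, so it cannot route for them."""
    tags = parse_frame(frame)["tags"]
    if not tags:
        return None
    entry = SUBINTERFACES.get(tags[0]["vid"])
    return entry[0] if entry else None


def build_frame(dst_mac: str, src_mac: str, vids, ethertype: int,
                payload: bytes, pcp: int = 0) -> bytes:
    """Construct a test frame.  With two vids the outer tag uses the
    802.1ad TPID (QinQ), as a provider trunk would carry it."""
    frame = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    for i, vid in enumerate(vids):
        tpid = ETHERTYPE_8021AD if (len(vids) > 1 and i == 0) else ETHERTYPE_8021Q
        frame += struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF))
    return frame + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    ip_payload = bytes.fromhex("45000014")  # constructed stub of an IPv4 header
    for vids in ([123], [567], [], [999], [567, 42]):
        f = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", vids, ETHERTYPE_IPV4, ip_payload)
        print(vids, parse_frame(f)["tags"], "->", demux(f))
```

The untagged and unknown-VLAN cases are the ones worth noticing: an access port strips the tag before the frame reaches a non-VLAN-aware device, and a trunk port delivers frames for VLANs the router has no subinterface for, which the router simply has no interface to route.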

[#] Wed Apr 14 2021 18:51:22 UTC from ParanoidDelusions

Subject: Re: Vlans


Thanks for the answer. I am not sure if this is the way I'm going to go, or just figure out a way to multi-home the box with dual NICs - but I want to get started in understanding the differences between either approach. 

The hardware and experience required to get the VLAN set up seems like a lot for my goals. But, currently, I have more immediate fish to fry - on to the Linux room and more questions... 

[#] Thu Apr 15 2021 10:08:45 UTC from darknetuser


2021-04-14 09:20 from IGnatius T Foobar
There is such a thing as "lawful intercept". If the data center
operator receives a warrant for something on your server, they are
typically not permitted to tell the server owner that data or network
traffic is being extracted.
This is true regardless of whether your server is "managed" or simply
colocated.

As to whether the employees of the data center would snoop on customer
servers just for fun -- that is a matter of whether you are using a
reputable hosting company. At my data centers it is grounds for
termination, and we *will* find out; all access is logged and the
cameras are always rolling. But if you're using a mom-and-pop hosting
company with a 1000sqft data center, then yes, you can expect them to
poke around when they're bored.

I don't know how much they are paying you, but it is not nearly enough. If I were looking for a datacenter in which to host my servers loaded with nuclear launch codes, I would be calling your firm already :)


[#] Thu Apr 15 2021 17:50:39 UTC from IGnatius T Foobar


If you have nuclear launch codes, let's talk :)

[#] Thu Apr 15 2021 18:15:52 UTC from zooer


Wow, that comment reminded me of this thing:

https://www.theregister.com/2006/07/18/usb_nuclear_war_button_box/

or

https://www.thegreenhead.com/2007/05/big-red-button-doomsday-device-usb-hub.php

My ex-boss got me one for Christmas.  He wanted me to use it when I air-traveled.



[#] Fri Apr 16 2021 05:09:28 UTC from test2


citadel black

[#] Fri Apr 16 2021 12:21:36 UTC from Nurb432


lol



[#] Fri Apr 16 2021 14:54:14 UTC from ParanoidDelusions


I love that they compare themselves to the cheap Chinesium knockoffs. 

"When you're about to unleash total nuclear annihilations on the population, only trust the very best!" 

[#] Fri Apr 16 2021 15:00:57 UTC from darknetuser


2021-04-15 13:50 from IGnatius T Foobar
If you have nuclear launch codes, let's talk :)



I have warez, a bunch of PHP applications running for small local businesses, chat and email, all of it running in a server from the late 2000s because I am poor. What do ya' think?

[#] Tue Apr 20 2021 18:57:31 UTC from IGnatius T Foobar


Thanks but no ... what I really need is nuclear launch codes. There are some pests I need to wave away.

[#] Tue Apr 20 2021 19:12:48 UTC from Nurb432


I have codes.  They don't work anymore but I have codes :P

Tue Apr 20 2021 14:57:31 EDT from IGnatius T Foobar
Thanks but no ... what I really need is nuclear launch codes. There are some pests I need to wave away.


[#] Thu May 06 2021 22:15:34 UTC from ParanoidDelusions


Synology has a neat firewall that will refuse all traffic from geographic regions... i.e., China, Russia, India... 

It is a single rule for each country you want to block. It is easy to implement. I'm sure it isn't foolproof, but it is a great option for a SOHO/Personal use model. 


I wish Proxmox had a feature like this. It looks like with Proxmox, you have to put in entire subnets to block, and this slows down the firewall. 


https://forum.proxmox.com/threads/how-to-block-ip-list.37801/


I mean, they're not getting anywhere. They're just hitting the SSH port, trying root, failing, and going away. 


But it fills my logs and makes me want to nuke China. 
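The post above describes two things a firewall on the host could do with that noise: recognise which sources keep failing against root, and block a long list of subnets without paying for every one of them on every packet. The following Python is an added example (not code from the thread, from Synology or from Proxmox): it counts sshd password failures per source from constructed log lines, collapses a list of prefixes into the fewest intervals, and renders a single nftables ruleset in which one set lookup replaces one rule per subnet. The hostname `pve`, the documentation address ranges and the assumption that the host runs nftables (`nft -f` on the printed output) are all mine, not the thread's.

```python
"""Summarise sshd brute-force noise and turn a block list into a single
nftables set lookup.  Added example, not code from the thread or from
Proxmox; log lines are constructed and the CIDRs are documentation
ranges.  The nft ruleset it prints is meant for `nft -f`, which is an
assumption about the reader's firewall, not something the thread shows."""
import ipaddress
import re
from collections import Counter
from typing import Iterable, List, Tuple

# Constructed sample of the log noise described in the post.
SAMPLE_AUTH_LOG = """\
May  6 21:58:01 pve sshd[14121]: Failed password for root from 203.0.113.7 port 51234 ssh2
May  6 21:58:03 pve sshd[14121]: Failed password for root from 203.0.113.7 port 51240 ssh2
May  6 21:58:04 pve sshd[14130]: Failed password for invalid user admin from 198.51.100.9 port 40012 ssh2
May  6 21:58:09 pve sshd[14121]: Failed password for root from 203.0.113.7 port 51250 ssh2
May  6 21:59:10 pve sshd[14140]: Accepted publickey for pd from 192.168.0.50 port 55000 ssh2
May  6 21:59:30 pve sshd[14150]: Failed password for root from 2001:db8::bad port 2222 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def failed_logins(log_text: str) -> Counter:
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def offenders(log_text: str, threshold: int = 3) -> List[str]:
    """Sources at or above the threshold, as /32 or /128 prefixes."""
    return sorted(
        str(ipaddress.ip_network(ip))
        for ip, n in failed_logins(log_text).items() if n >= threshold
    )


def collapse(cidrs: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Merge adjacent and overlapping prefixes per address family so the
    set holds the fewest intervals possible."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in v4], [str(n) for n in v6]


def nft_ruleset(cidrs: Iterable[str], ssh_port: int = 22) -> str:
    """Render one interval set per family plus a single drop rule.  A set
    lookup costs about the same whether it holds ten prefixes or a whole
    country's worth, unlike one linear rule per subnet."""
    v4, v6 = collapse(cidrs)
    out = ["table inet filter {"]
    for typ, name, elems in (("ipv4_addr", "block4", v4), ("ipv6_addr", "block6", v6)):
        out += [f"    set {name} {{", f"        type {typ}", "        flags interval"]
        if elems:
            out.append("        elements = { " + ", ".join(elems) + " }")
        out.append("    }")
    out += [
        "    chain input {",
        "        type filter hook input priority 0; policy accept;",
        f"        ip saddr @block4 tcp dport {ssh_port} drop",
        f"        ip6 saddr @block6 tcp dport {ssh_port} drop",
        "    }",
        "}",
    ]
    return "\n".join(out)


if __name__ == "__main__":
    # Assumed country list (documentation ranges) plus whoever hammered root.
    country_list = ["203.0.113.0/25", "203.0.113.128/25", "198.51.100.0/24"]
    print(nft_ruleset(country_list + offenders(SAMPLE_AUTH_LOG)))
```

Feed `collapse()` the CIDR list from whatever country feed you trust and the set does the geo-blocking; the thread's Proxmox link is about exactly the per-subnet rule list this avoids. The obvious caveat stands: country lists are coarse, the attacker simply moves to a host elsewhere, and key-only authentication on sshd is what actually makes the root guesses harmless.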

[#] Thu May 06 2021 22:20:51 UTC from Nurb432


You could run your firewall/router/etc as a VM. I did that for a bit with pfsense, mostly playing around.

I guess I sort of do now, as to get into my network from the outside it's a VPN connection, from inside a VM.

Thu May 06 2021 06:15:34 PM EDT from ParanoidDelusions

Synology has a neat firewall that will refuse all traffic from geographic regions... i.e., China, Russia, India... 

It is a single rule for each country you want to block. It is easy to implement. I'm sure it isn't foolproof, but it is a great option for a SOHO/Personal use model. 


I wish Proxmox had a feature like this. It looks like with Proxmox, you have to put in entire subnets to block, and this slows down the firewall. 


https://forum.proxmox.com/threads/how-to-block-ip-list.37801/


I mean, they're not getting anywhere. They're just hitting the SSH port, trying root, failing, and going away. 


But it fills my logs and makes me want to nuke China. 

[#] Fri May 07 2021 02:44:37 UTC from ParanoidDelusions


Yeah, I considered that. Could it be set up as a container instead of as a full VM? 

I could also pop a hardware firewall in between the Cisco and my network. 


Thu May 06 2021 18:20:51 EDT from Nurb432

You could run your firewall/router/etc as a VM. I did that for a bit with pfsense, mostly playing around.

I guess I sort of do now, as to get into my network from the outside it's a VPN connection, from inside a VM.

[#] Fri May 07 2021 10:58:34 UTC from Nurb432


I think I read somewhere that containers have some network limitations (someone else was trying the same thing), but in theory I don't see why it would not work.

I tend to prefer full VMs. But it's just a preference. I'm still old school. (go figure)



[#] Fri May 07 2021 13:23:30 UTC from ParanoidDelusions


Well... adding an entire other full machine increases the footprint of the machines I have to maintain and keep secure - so running an external Firewall moves away from the simplifying I was trying to achieve with virtualizing. 

It becomes a kind of catch-22. I had a dream where I had started a corporate IT job and I was kind of taking stock of the lab equipment in the cube that had been left by the last guy and how I was going to set it up and what it involved... the boss, a button down woman came in and after a few words with her, I realized I was going to have to reconfigure the machines so that the screens would be facing INTO the cube, not out into the walkway between the cubes. Then she gave me two printed memos and the second one wanted me to manage the PR for some new platform or product - and I was already thinking, "Don't you have a PR department to do this kind of shit? Why is it getting sent to IT engineering?" 

And I think the point here is - I've been doing a lot of professional calibre IT implementation and engineering here in my home office - it is clear that I can pick up complex new technologies and deploy them with "world class results," still - even after years of not working directly in the industry at this level. But... there are a number of reasons why I'm *not* doing this. 

#1 - The people you end up working for and the things they think are covered under the umbrella of your title. 
#2 - The way the complexity and scope of your obligations and duties seems to suffer from huge scope creep. 

#3 - If I get too wrapped up in it - I can't even get away from it when I sleep and dream. And I get too wrapped up in it.  

So...  I'm going to go spend the weekend in the woods, with no signal. 

Fri May 07 2021 06:58:34 EDT from Nurb432

I think I read somewhere that containers have some network limitations (someone else was trying the same thing), but in theory I don't see why it would not work.

I tend to prefer full VMs. But it's just a preference. I'm still old school. (go figure)


[#] Fri May 07 2021 16:40:42 UTC from Nurb432


It is also another single point of failure. If you run a host farm with failover, worst case you move your firewall VM to another host.

Fri May 07 2021 09:23:30 AM EDT from ParanoidDelusions

Well... adding an entire other full machine increases the footprint of the machines I have to maintain and keep secure - so running an external Firewall moves away from the simplifying I was trying to achieve with virtualizing. 

It

[#] Fri May 07 2021 21:55:18 UTC from IGnatius T Foobar


It's not really a great idea to think of a container as a lightweight VM.   Containers are not intended to be persistent.  You launch a container with an app in it, you knock it down and launch it somewhere else, or in several places, whatever you want, and you *don't* save your production data in the container's writable layer.

The idea behind a container is that you launch it, it attaches to its data source somewhere, it exposes a service, and then you figure out a way to get connections into that service (such as registering it with a load balancer).   You wouldn't want to run a firewall in this mode.

But yes, nuking China is *always* a good idea.  If you run any service on the Internet, you can count on the Chinese hammering it with brute force attacks 24/7/365.



[#] Fri May 07 2021 22:47:55 UTC from Nurb432


Ya, they are good for propping up multiple front ends when you get hammered by customers, but your server(s) doing the work (db, workflow engine, whatever) are on a real VM.

I have never been a fan of them. 



[#] Sat May 08 2021 17:42:58 UTC from IGnatius T Foobar


You can run the database in a container too, as long as you have a way of keeping its data somewhere other than the container's writable layer.  For example, I maintain a system where a bunch of applications in containers connect to a MariaDB instance running in another container, but that container has /var/lib/mysql mounted as a persistent volume.  I can upgrade the MariaDB container at any time (yes, with an outage) and keep the data.

The clouderati expect you to connect to "their" database-as-a-service, which will have clustering and load balancing.  They probably still run it in containers.
