At first I had a similar anti-automation view and thought all of it can be done at the CLI, so why bother - but at large scale or for repetitive tasks it's very handy. Also it goes beyond just one-time commands - using Ansible with YAML and Jinja you can model your data (intent) and template the commands. These templates work at scale, so you suddenly have a standardized, idempotent, automated network.
Approach it this way - automation just replaces the human at the CLI - whatever commands you want, at scale, can be done by a computer for you now. With any / all the output documented for you automatically too. It will change your life.
I started with Jason Edlemans book Network Programmability and Automation and Jeff Geerling’s book Ansible for DevOps
Full disclosure: I am also the author of the self-published "Automate Your Network" book on Amazon. Ansible, Git, TFS and VS Code introductions for Cisco automation. So if I can suggest my own book too:
Good luck !
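The "model the intent, template the commands, push only what differs" loop described above, as an added example in plain Python rather than Ansible/Jinja so it runs by itself. This is not code from the poster or from any of the books mentioned; the VLAN intent, the running-config excerpt and every name in it are constructed for the example.

```python
"""Intent-driven VLAN config: render commands from a data model and push
only the delta, so re-running against a compliant device changes nothing."""

# Constructed intent (the data you would keep in YAML); hypothetical site.
INTENT = {"vlans": {10: "users", 20: "servers", 30: "printers"}}

# Constructed 'show running-config' excerpt from the same hypothetical switch.
RUNNING_CONFIG = """\
vlan 10
 name users
!
vlan 20
 name srv-old
!
vlan 40
 name legacy
!
"""


def parse_vlans(running_config: str) -> dict:
    """Return {vlan_id: name} from an IOS-style running-config excerpt."""
    vlans, current = {}, None
    for line in running_config.splitlines():
        if line.startswith("vlan ") and line.split()[1].isdigit():
            current = int(line.split()[1])
            vlans[current] = ""
        elif line.startswith(" name ") and current is not None:
            vlans[current] = line.split(None, 1)[1].strip()
        elif line.strip() == "!":
            current = None
    return vlans


def render_vlan(vlan_id: int, name: str) -> list:
    """One VLAN block; this is the part a Jinja template would express."""
    return [f"vlan {vlan_id}", f" name {name}", "!"]


def render_config(intent: dict) -> str:
    """Full desired config, as a template would emit it for a new device."""
    lines = []
    for vlan_id, name in sorted(intent["vlans"].items()):
        lines += render_vlan(vlan_id, name)
    return "\n".join(lines) + "\n"


def plan_changes(intent: dict, running_config: str) -> list:
    """Commands that move the device to intent; empty when already compliant.
    VLANs present on the box but absent from intent are removed, so drift
    (an undocumented VLAN someone added by hand) is undone, not ignored."""
    have = parse_vlans(running_config)
    want = intent["vlans"]
    commands = []
    for vlan_id, name in sorted(want.items()):
        if have.get(vlan_id) != name:
            commands += render_vlan(vlan_id, name)
    for vlan_id in sorted(set(have) - set(want)):
        commands.append(f"no vlan {vlan_id}")
    return commands


if __name__ == "__main__":
    for cmd in plan_changes(INTENT, RUNNING_CONFIG):
        print(cmd)
```

The idempotency check is the last line of the test below: rendering the intent and planning against it yields no commands. The removal of VLAN 40 is the security-relevant half; a template that only adds is not "intent", it is a scripted hope.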
AWS baby, that's the magic of it. If I remember correctly Netflix is the same way as it's running purely in AWS last I heard.
Between Route 53, ELB, auto scaling, and health checks there is no real need for network gear in this environment. AWS pretty much manages all of the connectivity between all the services themselves in the regions. However this really isn't a surprise as it's just a public website being hosted somewhere else.
For those who aren't aware, there are Cisco virtual routers you can run if you have the need for it, so don't be too disheartened
and there is some network knowledge you need to have when working with VPN connections and Direct Connect.
If your team can't be trusted to keep a simple spreadsheet updated, then there is no point in looking for an alternative solution. Diligence is required for good record keeping regardless of how those records are stored.
That said, http://racktables.org/
Get the Sybex CWNA book off of Amazon. It has everything you need to know as a beginner about things like RF fundamentals.
My smokeping_prober costs nothing and can send pings as fast or as slow as you want.
You can easily collect this into Prometheus and set all of the alerting thresholds you want.
Prometheus can also replace your SNMP monitoring if you want. You can use it to define much better alerting than typical SNMP monitoring, eliminating the need for a low-skill NOC altogether.
Just in case the traffic is SMB, I posted this in another thread.
> SMB is notorious for slow transfers over high latency links (30ms can be considered high in this case). The protocol wasn't designed for this and so doesn't lend itself well to speed over WAN links. It's "chatty" and over higher latency links that's never a good thing. "As an unscientific example, it took 49 packets to transfer a 1KB file via FTP and 196 to transfer the same file via SMB." - http://serverfault.com/questions/322641/how-much-throughput-should-i-expect-to-lose-over-a-vpn-connection
> Anyway... I'm stunned. I'm pretty sure that guy makes easily about 5x what I do, so I'm crying a little on the inside.
So, if you can beat him, join him.
Joking aside. Yes, the first 5-6 years of my career were very similar to what you've just described. EXTREMELY annoying to have to spoon-feed more senior engineers, while getting fucked about by management for being young. And not getting the $$$ you're worth.
There's only one logical path to take - if there are bad senior network engineers, apply for their jobs.
This might make sense for Network Technicians & Cable Installers:
But Network Engineers would probably go with something more like this:
Have a look at NetBox https://netbox.readthedocs.io/en/stable/core-functionality/ipam/ I put it in at home first to get the hang of it, but then I quickly implemented it at work to replace the dreadful spreadsheets the previous admin kept.
FileZilla FTP Server
Solarwinds Free Subnet Calculator
Solarwinds Free NetFlow Collector
TeraTerm (I use this for anything Serial Port related, rather than mucking with my putty config)
TeraTerm is also easier to turn session logging on mid-session than putty.
You also need two of these:
One you use, and another you leave in your laptop bag and never touch or mention to anyone that it exists, so they won't try to borrow it.
With luck, you may go a long time before you NEED a USB to DB9 console adapter.
But when you need one, you probably need it pretty badly.
Portable versions of Wireshark, Zenmap, iperf, putty, and angry ip scanner are my base tools along with installers for solarwinds free tftp server, VirtualBox, and my common ios files. Then usually a copy of my base config, VPN software, and some notes. If you are linux savvy I'm a big fan of a security distro like one of these. Best solution I've found is to use Linux Live to make a thumb drive with your preferred distro, Let it hide the files, and then put your windows tools on top.
I just went through this with my own Macbook pro and so wanted to share:
First, there is a known bug with later iOS versions that makes some serial drivers partially defective. Specifically, it's almost impossible with some serial chipsets to send a break from OSX. This is important because on IOS-XE, a break command is the only way to get out of a boot loop and into ROMMON.
We just finished testing a bunch of serial emulator cables and discovered that this cable was the best of the lot. It works without drivers, can send break commands from terminal or iTerm using screen, and from SecureCRT natively. It's also USB-C direct to 8p8c so you only have one cable to carry around.
In a pinch I've used rack shelves from places like Fry's. Is that an option? Something similar to: https://www.amazon.com/AC-Infinity-Cantilever-Universal-Heavy-Duty/dp/B01C9KYUG8
Well said. To add to this, another big idea behind SDN is to give the operator more control over data flows in the network. Traditional methods of controlling traffic with routing protocols often don't provide a lot of "knobs" that we can turn. For example, you can adjust OSPF costs or filter EIGRP routes in a topology. A big idea behind SDN is allowing the engineer to "program the network," which is a bit difficult to wrap one's head around.
By "programming the network," we can use a high-level language to express how we want the network to behave as a whole. This allows us to not worry about tuning individual protocol metrics, or coming up with extremely complex tuning solutions to direct certain traffic in certain directions. Let's say you're doing some maintenance on a certain section of the datacenter, and you want some of the traffic destined for those servers to be routed to a different datacenter or area of the existing DC. Traditionally, you might have to make protocol adjustments which can occasionally have unintended consequences, even when you're really careful (I'm looking at you, OSPF). With a good high-level SDN API, you can simply express this as: "I need this traffic to route this way during this maintenance window." Obviously, that's very high-level, but I think you can get the idea.
I think this is really cool, as it opens up possibilities like we see in sysadmin automation platforms (Ansible, Puppet, etc.) where you can use high-level languages to express exactly how you want your network to behave, and then you don't have to worry about precisely how that is accomplished.
Anyway, those are the things that I think are exciting. I'd recommend the Coursera SDN class for more info. Just be warned that it is programming intensive.
> Linksys EA8300
You spent $200 on home grade device, when you could have spent $300 on something a lot more capable - https://www.amazon.com/Fortinet-FortiGate-Security-Firewall-Appliance/dp/B01HOOBAZ8/ref=sr_1_1?s=electronics&ie=UTF8&qid=1545018264&sr=1-1&keywords=fortinet+30d
ZenMap (a GUI for nmap) works well for discovering devices on specified subnet ranges. https://nmap.org/zenmap/
Spiceworks has an inventory scanner and you can use that to make a "network map" of sorts... But it's based on flash and garbage UI. I don't think it's been updated for years.
We started using phpipam (open source) recently and like it so far. It has AD/LDAP integration, does automatic scans, and supports VLANs/VRFs as well. It's pretty basic, but does all we need.
Please use the Application Control signature "Hotspot.Shield" to block the VPN. You will need to set the following signatures to Block too: "ISAKMP", "PPTP" and "L2TP". They are used on the iOS app to connect to the servers. Hotspot Shield VPN is one of the most evasive VPNs, so be sure to update your IPS definitions whenever a new one is available.
Unless you are using a very old operating system, Tahoe isn't used any more.
There isn't really a standard. Each operating system picks what they feel is best.
Examples for Windows and Linux of the TCP congestion-avoidance algorithm used:
Linux up to kernel version 2.6.18 uses BIC by default.
Linux kernel 2.6.19 and later uses CUBIC by default.
Linux's TCP congestion control mechanisms are pluggable, e.g. you can change them on the fly.
Windows XP and earlier uses TCP Reno (or New Reno)
Windows Vista and later also has Compound TCP, which is enabled by default in Server 2008 and can be enabled in Vista and Windows 7 if needed.
From this SuperUser post: http://superuser.com/questions/355143/on-the-performance-of-tcp-implementations-of-linux-and-windows
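How "pluggable" looks in practice on Linux, as an added example (not from the SuperUser post): list the algorithms the kernel has loaded, decide whether the caller may select one, and pin it per socket with `TCP_CONGESTION`. The procfs paths and the socket option are the real kernel interfaces; the `SAMPLE_*` file contents are constructed. Caveat a practitioner should know: without `CAP_NET_ADMIN` a process can only select names listed in `tcp_allowed_congestion_control`, so the helper refuses rather than silently benchmarking the default.

```python
"""Inspect and select the Linux TCP congestion-control algorithm.

Paths are the real procfs knobs; the SAMPLE_* contents are constructed."""
import socket
from typing import Optional

AVAILABLE_PATH = "/proc/sys/net/ipv4/tcp_available_congestion_control"
ALLOWED_PATH = "/proc/sys/net/ipv4/tcp_allowed_congestion_control"
DEFAULT_PATH = "/proc/sys/net/ipv4/tcp_congestion_control"

SAMPLE_AVAILABLE = "reno cubic bbr\n"   # constructed: modules loaded on the box
SAMPLE_ALLOWED = "reno cubic\n"         # constructed: what unprivileged users may pick


def parse_algorithms(text: str) -> list:
    """'reno cubic bbr\\n' -> ['reno', 'cubic', 'bbr']."""
    return text.split()


def read_knob(path: str) -> Optional[str]:
    """Read a procfs knob; None on non-Linux hosts or when unreadable."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return None


def choose_algorithm(requested: str, available: str, allowed: str,
                     privileged: bool) -> Optional[str]:
    """Return `requested` only if the kernel has it and the caller may set it.
    Without CAP_NET_ADMIN a socket may only select names in the 'allowed'
    list; never fall back silently, or you will benchmark the wrong thing."""
    if requested not in parse_algorithms(available):
        return None
    if not privileged and requested not in parse_algorithms(allowed):
        return None
    return requested


def make_socket(algorithm: str) -> socket.socket:
    """TCP socket pinned to `algorithm` via TCP_CONGESTION (Linux only)."""
    if not hasattr(socket, "TCP_CONGESTION"):
        raise OSError("TCP_CONGESTION is not available on this platform")
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_CONGESTION,
                        algorithm.encode("ascii"))
    except OSError:
        sock.close()
        raise
    return sock


def socket_algorithm(sock: socket.socket) -> str:
    """Read back what the kernel actually applied (TCP_CA_NAME_MAX is 16)."""
    raw = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_CONGESTION, 16)
    return raw.split(b"\0", 1)[0].decode("ascii")


if __name__ == "__main__":
    print("default:", (read_knob(DEFAULT_PATH) or "n/a").strip())
    print("available:", parse_algorithms(read_knob(AVAILABLE_PATH) or ""))
```

Run it as-is to print the box's default and loaded algorithms; `socket_algorithm(make_socket("cubic"))` confirms the per-socket selection took effect, which matters because `setsockopt` can succeed for a name the kernel then quietly keeps at the default on some older versions.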
Network+ might actually be a little below your current level.
I would highly recommend a book called Network Warrior. The book is Cisco-oriented (but not from Cisco), and covers a wide and fairly deep range of topics, including basic network security.
RANCID - http://www.shrubbery.net/rancid/
It stores your configuration changes in an SVN repository and is very clean. You can set it up to email you when a change occurs. I've even set it up to open a ticket in a CMS, so changes can be looked over for consistency, etc.
There is also a variant of it that uses Git, if you prefer that over SVN.
Buy a new cable modem that supports 220v.
That will be cheaper than a step-down transformer to provide 120v outlets.
This is probably the right device:
>You was from Denmark right
yep... it was kinda hard getting the pfsense box... first i had to go to https://store.pfsense.org/ and then i had to click BUY! can you imagine that?
you could also go to https://www.pfsense.org/partners/locator.html and find a local reseller. :)
(Cumulus co-founder here)
The X557-AT2 has been a real pain for us and our customers. The good news is that, as you note, it'll all be fixed as of 3.0.
Couple of minor clarifications:
1) While we don't support the Freescale version of the LY9, we do run on many Freescale (PPC) platforms, as well as ARM. One of the reasons we based Cumulus on Debian is Debian's great support for many CPU architectures: https://www.debian.org/ports/ That said, it is almost always worth it to pay the few extra dollars for an x86-based switch, since it is easier to get 3rd party (open source or commercial) software on it.
2) Broadcom and Cumulus do native HW L3 routing today. The limitation with Trident2 is that you can do L3 routing, or you have hardware terminate VXLAN tunnels, but not both at the same time. Future chips will be able to do this. Broadcom calls this "RIOT" or Routing In and Out of Tunnels.
> Do you (or any of you) take precautions to protect your eyesight?
Every single day.
Protip: Crank that shit up 2 notches from the max (the daytime auto-adjust is for casuals, that's why I say crank it up and leave it there). It takes a sec to get used to the orange hue, but it's sooooo worth it. Been using it for years and will continue to do so.
>As disclosed in the Form 8-K filed on August 6, 2015, we lost $39.1 million in connection with a business e-mail compromise ("BEC") fraud involving employee impersonation.
>This fraud resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties.
>the Company has recovered $8.1 million of the amounts transferred. Furthermore, an additional $6.8 million of the amounts transferred are currently subject to legal injunction and reasonably expected to be recovered by the Company in due course.
>The Company may not be successful in obtaining any insurance coverage for this loss.
> my guess would be that unmanaged as a feature means the admins who do not really understand networking cannot be asked to troubleshoot it in the future.
Makes perfect sense.
That way when you can't solve the mysterious performance problem, and you hire external consulting, everyone can stand around the switch with hands on their hips and look at it in disappointment, and agree that in order to troubleshoot the issue, we're gonna have to replace the shitty switch with a non-shitty one.
Spending money twice is always a better approach to an infrastructure design.
I should document that in our best-practices repository.
Here /u/edstorm this is probably what you want:
$599 on Amazon
You'd have to put a gun to my head to get me to buy an unmanaged 10GbE switch. But you do you, and I'll do what I do.
If you must run it on a Windows box then go for PRTG from http://www.paessler.com/
Otherwise LibreNMS ( http://www.librenms.org/ ) is the shit; if you don't want a dedicated box to run this on then install VirtualBox and run LibreNMS as a VM guest on one of your Windows boxes.
Ekahau Site Survey & Sidekick: https://www.ekahau.com/products/ekahau-site-survey/overview/
You can use your laptop or iPad and get a map of the whole area.
Also, if you want a good mobile app, Aruba Utilities for Android is a solid choice: https://play.google.com/store/apps/details?id=com.arubanetworks.arubautilities
We keep all of our keys on this board that has these hook shaped things. Each key is on its own numbered tag that has a special shaped notch. The notch fits into the hooks on the board.
They also make these in a lockable cabinet format.
They make all sorts of variants. Fairly cheap too.
This. We bought a little sampler pack off Amazon (https://www.amazon.com/gp/product/B01HNPGZDU), and loved em. Already ordered a bunch to start using as we replace things.
From our experience, the blue versions were a little loose on our rack, but the reds were perfect. Seemingly sturdier than the old cage nuts we were using.
>In which case, these flow control algorithms are implemented in the application.
implemented in the application... What fantasy world do you live in?
You might check out DN42, it's a collection of people that connect to each other over VPN, and then peer with BGP to distribute routes. They have a pretty good copy of the internet, with root name servers, IRR and some L2 IX fabrics. Getting IP space and an ASN is as easy as filling out a web form, and peering is an email or IRC message away.
I believe the great learning part of DN42, on top of raw BGP knowledge, is working with other people. When you have to interface with another human, who controls a z-end that may be implemented entirely different than your own, it brings a lot of interesting lessons to the surface that you don't find when you do labs alone.
This pretty much gives a non-technical overview.
For the most part the big wigs in DC had to make some sort of drastic change to ensure it wouldn't happen again. I think it is a little overkill personally, ESPECIALLY for the IT troops. Having to transition files (configs, IOS, etc.) between classified and unclassified networks was a huge pain as they were 100% separated from one another and disk is the only way to get data between them.
We ended up having to put data on a CD on the unclassified network, put that CD into a classified machine, upload the data to the classified computer, then dispose of the CD through a really obnoxious process that required all kinds of signatures from people verifying it was done correctly even if it held no classified data. Once it touches a classified network it is considered classified.
There is no reason for them to all have public IPs. If you want you could easily assign each employee a /24 to do with what they will on private ranges.
Try our NetCrunch network monitoring suite. We have built-in physical segments layer-2 maps (that show live traffic), and a powerful framework for dynamic mapping with live widgets in the style of Visio.
That's only a small part of the package however, ideally you'd be able to handle all of your monitoring and management from notification to remediation from the console.
If you guys are billing 200k/mo please spend the money and buy real enterprise grade hardware and stay away from Ubiquiti. Trust me, you'll thank me later.
I would suggest going with two Aruba Instant APs, probably IAP-325; you can buy them on Amazon. Aruba Instant APs at a site elect one AP as virtual controller, so you get the benefits of a controller without needing any additional software/hardware. PM me if you have more questions.
Every time an engineer uses a media converter in production, god kills a puppy.
Hell, even something as jank as a Netgear switch with SFP uplink will be better: https://www.amazon.co.uk/NETGEAR-GS110TP-Gigabit-Managed-Power-Over-Ethernet/dp/B00MHLUS8E/ref=sr_1_3?keywords=sfp+switch&qid=1573674768&sr=8-3
Get something you can put into your monitoring solution!
Like almost everyone, I use a SwissGear bag, the 1900 IIRC.
However, I've found that the bag makes almost no difference: aside from a few features, they are all just giant, un-organized bags of holding. The best advice I can give, and the most effective tool I've found, is to sub-divide your bag with smaller organizer bags like this or this. Keep all the "like" stuff together in an identifiable bag. This way:
Depends on size and scale and tolerance for failure.
Unmanaged means you lose:
port-security or 802.1x
IP source guard / arp inspection
If these things are required in your environment, unmanaged is an automatic no go.
Outside of that, cheap unmanaged switches like TP-Link and such tend to flake out a lot. Either they just stop working, or traffic randomly slows to a crawl until they get rebooted. Especially a pain in the ass as they are unmanaged, so you can't even log in and reboot the thing, you have to go physically power cycle it.
You can get a Ubiquiti US-24 for < $250:
Going any lower than that really doesn't make financial sense. It's a device that is going to sit there and work for 5+ years. Any business should be able to plonk down $50 a year for a reliable switch.
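What the "ARP inspection" line item above actually buys you, as an added example (not the poster's code): the check a managed switch performs on an untrusted port, validating each ARP reply against a trusted IP-to-MAC binding table and dropping the ones that lie. The binding table and the frames are constructed here; on a real switch the table comes from DHCP snooping. It is a decent host-side detector for a segment where the unmanaged switch cannot do it for you.

```python
"""Dynamic ARP inspection in miniature: validate ARP replies against a
trusted IP-to-MAC binding table and drop the ones that lie.

Added example; frames and bindings are constructed, not captured."""
import ipaddress
import struct

# What a managed switch learns from DHCP snooping (constructed).
BINDINGS = {
    "10.0.0.1": "00:11:43:aa:bb:cc",   # gateway
    "10.0.0.20": "00:12:79:dd:ee:ff",  # a workstation
}


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Construct an Ethernet/ARP frame (1 = request, 2 = reply). Test data."""
    dst = "ff:ff:ff:ff:ff:ff" if oper == 1 else tha
    eth = mac_bytes(dst) + mac_bytes(sha) + b"\x08\x06"
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
           + mac_bytes(sha) + ipaddress.IPv4Address(spa).packed
           + mac_bytes(tha) + ipaddress.IPv4Address(tpa).packed)
    return eth + arp


def parse_arp(frame: bytes):
    """Decode Ethernet + ARP; None if this is not an IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, oper = struct.unpack_from("!HHBBH", frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    o = 22  # start of sender hardware address
    return {
        "oper": oper,
        "src_mac": mac_str(frame[6:12]),
        "sha": mac_str(frame[o:o + 6]),
        "spa": str(ipaddress.IPv4Address(frame[o + 6:o + 10])),
        "tha": mac_str(frame[o + 10:o + 16]),
        "tpa": str(ipaddress.IPv4Address(frame[o + 16:o + 20])),
    }


def inspect(frame: bytes, bindings: dict) -> str:
    """Verdict in the spirit of dynamic ARP inspection on an untrusted port."""
    arp = parse_arp(frame)
    if arp is None:
        return "permit: not ARP"
    if arp["src_mac"] != arp["sha"]:
        return "drop: Ethernet source differs from sender hardware address"
    expected = bindings.get(arp["spa"])
    if expected is None:
        return "drop: sender IP has no binding"
    if expected != arp["sha"]:
        return f"drop: {arp['spa']} claimed by {arp['sha']}, bound to {expected}"
    return "permit"


# Constructed frames: a genuine gateway reply and an attacker impersonating it.
GENUINE = build_arp(2, "00:11:43:aa:bb:cc", "10.0.0.1",
                    "00:12:79:dd:ee:ff", "10.0.0.20")
SPOOFED = build_arp(2, "de:ad:be:ef:00:01", "10.0.0.1",
                    "00:12:79:dd:ee:ff", "10.0.0.20")

if __name__ == "__main__":
    for label, frame in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(label, "->", inspect(frame, BINDINGS))
```

Feed it frames from a raw socket or a pcap and you have the log line the unmanaged switch will never give you. The binding table is the whole game: if it is populated from the same untrusted ARP traffic it is supposed to police, the first spoof wins.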
When you query the whois server you are not asking for "microsoft.com" (equal to ^ m i c r o s o f t \ . c o m $ if we talk regexp lingo) but rather "* m i c r o s o f t . c o m *" (or in this particular case "m i c r o s o f t . c o m *").
The proper way of asking whois is to use this syntax:
whois 'domain microsoft.com'
For more information see here http://serverfault.com/questions/122228/how-do-i-do-an-exact-whois-search
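A whois client that uses the `domain` keyword the way the post describes, as an added example (not from the serverfault answer). `whois.verisign-grs.com` is the real registry server for .com/.net and is assumed reachable for the network call; the sample response is constructed to show the shape of the wildcard match (nameserver host records that merely start with the string, then the domain itself).

```python
"""Exact-match whois for .com/.net via Verisign's port-43 server.

Added example, not from the serverfault answer. Server name is the real
Verisign whois host (assumed reachable); sample response is constructed."""
import socket

WHOIS_SERVER = "whois.verisign-grs.com"


def build_query(domain: str, exact: bool = True) -> bytes:
    """'domain <name>' turns off the implicit trailing wildcard.
    Rejects anything but a single bare name, so caller-supplied input can
    never smuggle extra whois keywords onto the wire."""
    name = domain.strip().lower().rstrip(".")
    if not name or any(ch.isspace() for ch in name) or not name.isascii():
        raise ValueError("expected one bare ASCII domain name")
    return (b"domain " if exact else b"") + name.encode("ascii") + b"\r\n"


def parse_matches(response: str) -> list:
    """[(kind, name), ...] for every 'Domain Name:' / 'Server Name:' line."""
    matches = []
    for line in response.splitlines():
        line = line.strip()
        low = line.lower()
        if low.startswith("domain name:"):
            matches.append(("domain", line.split(":", 1)[1].strip().lower()))
        elif low.startswith("server name:"):
            matches.append(("server", line.split(":", 1)[1].strip().lower()))
    return matches


def whois(domain: str, exact: bool = True, timeout: float = 5.0) -> str:
    """Raw whois text; this is the network call and is not exercised offline."""
    with socket.create_connection((WHOIS_SERVER, 43), timeout=timeout) as sock:
        sock.sendall(build_query(domain, exact))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


# Constructed shape of a wildcard (non-exact) answer: a nameserver host that
# merely starts with the string you typed, followed by the domain itself.
SAMPLE_WILDCARD = """\
   Server Name: MICROSOFT.COM.ZZZZZ.EXAMPLE
   IP Address: 192.0.2.1

   Domain Name: MICROSOFT.COM
   Registrar: EXAMPLE REGISTRAR, INC.
"""

if __name__ == "__main__":
    print(whois("microsoft.com"))
```

The `build_query` validation is the part worth copying: whois is a raw line protocol, so a name taken from a web form or a ticket must not be allowed to carry spaces, or the caller can append its own keywords to your query.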
I used Netspot on OSX for mine, gives you the ability to load in a drawing and set the scale so it gives you distance measurements. You walk around with the laptop and sample the signals at a point and it will draw you a heat map of the signals for the various networks it sees. Really nice app and now comes in a Windows version. The "Pro" version is $150 I think.
Nested VT-x is not possible within VirtualBox. Looks like you need another hypervisor if you want to run a nested ESXi environment with CSR1000v inside it. Why not install it directly inside VirtualBox?
As others have said, compression is the culprit.
A lot of cable modems these days also do on-the-fly compression to their head-end, and that can also artificially inflate speedtest results, even when not using a VPN. Speedtest.net seems to use hugely compressible data (they're idiots), which leads to massive inaccuracies.
Try the http://www.dslreports.com/speedtest speedtester, or http://www.testmy.net/ tester. They both actually use properly incompressible data, which is the only way to get accurate results.
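The check behind that claim, as an added example (not from either site): measure how far zlib can shrink a payload before you trust it as a speed-test load. Random bytes come out at a ratio of about 1.0 and are what an honest tester sends; zeros or repeated text compress to almost nothing and let a compressing modem or VPN report bandwidth that does not exist. Payloads are generated locally, so nothing here touches the network.

```python
"""Check whether a speed-test payload is actually incompressible.

Added example. Payloads are generated locally; no network."""
import os
import zlib


def compression_ratio(payload: bytes, level: int = 6) -> float:
    """compressed/original; about 1.0 means the link (or a VPN) cannot
    shrink it, so measured throughput reflects real bits on the wire."""
    return len(zlib.compress(payload, level)) / len(payload)


def make_payload(size: int, kind: str) -> bytes:
    """'random' is what an honest tester should send; the others are the
    kinds of filler that make a compressing modem or VPN look faster."""
    if kind == "random":
        return os.urandom(size)
    if kind == "zeros":
        return bytes(size)
    if kind == "text":
        return (b"speedtest " * (size // 10 + 1))[:size]
    raise ValueError(f"unknown payload kind: {kind}")


def is_incompressible(payload: bytes, threshold: float = 0.98) -> bool:
    """True when compression gains less than 2%, i.e. the payload is fit
    to measure a link with."""
    return compression_ratio(payload) >= threshold


if __name__ == "__main__":
    for kind in ("random", "zeros", "text"):
        data = make_payload(1 << 20, kind)
        print(f"{kind:7s} ratio={compression_ratio(data):.4f} "
              f"ok={is_incompressible(data)}")
```

The same function applied to a captured speed-test flow (strip the TCP payload out of a pcap and feed it in) tells you whether a given tester's numbers can be trusted across a compressing hop.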
Thanks for the warm welcome,
I have been working at this over the past couple of weeks. I have done plenty of troubleshooting and debugging, and as of yet have been unable to place my particular issue. I have found people with similar issues to mine : here and here
Neither of which have had real solutions.
I am assuming this is a firewall issue, but, as we have made similar changes to a third site, I am unable to see what is wrong.
We have both the old and new subnets on the same VLAN and, as I said they communicate fine. I was not asking for a hand holding session, I was asking for some advice.
Ekahau HeatMapper is free to use but not open sourced. (http://www.ekahau.com/wifidesign/ekahau-heatmapper)
Never tried it out but I'm happy with the professional SiteSurvey, which is the big brother
pfSense can do all you ask for; performance is not an issue as long as the PC running the router has enough RAM (1 GB) and a decent CPU. All the documentation and some examples can be found here: https://www.pfsense.org/ The OS is very powerful and can require a bit of getting used to because it is based on BSD, but with a bit of practice it is easy.
Long-time lurker here. Anyway, my opinion about any IoT device, CCTV, alarms, Smart-<put appliance name here>: they are all terrible at security, the manufacturers don't care about OS updates, their special OS is usually an old Linux/Unix kernel with 1k CVEs.
Last project was to deploy a Build Automation Appliance that was required by the manufacturer to be exposed over the DMZ.. and as if that's not enough, the max size of the PIN code? 4 digits ... and according to the supplier & the partner it is secure enough ... We are talking about a >10k € device (not solution, just the device!), not your 20 € IP cam.
If you are in an Enterprise environment: create a VLAN and consider it insecure; block all connectivity to anywhere, including internal VMs; consider all hosts on that network as hostile/compromised; use a VPN or a NAT with heavy ACLs in place; double-check all the needed ports and give it the absolute minimum required.
Any "industrial router" would drop any UPnP attempts, etc.
If you are in a HOME/SOHO/SMB environment: create a VLAN and consider it insecure; block all connectivity to any other network; install OpenVPN, or better, use ZeroTier https://www.zerotier.com/
If you have sysadmin know-how you can also use a VM to act as a reverse proxy to the IP cam UI.
To solve the Build Automation Appliance issue, what I did was install an Ubuntu VM, deploy ZeroTier, and close off the entire network, only allowing access via the VM. Since ZeroTier has iOS/Android clients, it all works perfectly.
Your life would be easier if you didn't reinvent the wheel and used tcpdump (or at least stored to pcap format) and then analyzed with Wireshark / TShark.
If you modify your format just slightly (remove the leading 0x, add offsets) you could use text2pcap to generate a pcap from what you are already doing or import it directly to Wireshark.
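Doing the conversion in-process instead of going through text2pcap, as an added example (not the poster's logger and not Wireshark code): a parser that tolerates the "0x"-prefixed byte list the post mentions, a writer for the classic little-endian libpcap format, and a reader to verify the result. The on-disk layout (24-byte global header, 16-byte per-record header) is the real one; the 42-byte Ethernet/IPv4/UDP frame is constructed and its IP checksum is left zero, which Wireshark will flag but still dissect.

```python
"""Write a classic pcap file from hex-dumped frames, without text2pcap.

Added example (not the poster's logger). The on-disk format is the real
libpcap one; the frame below is constructed."""
import binascii
import struct

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution magic
LINKTYPE_ETHERNET = 1
# magic, version major, version minor, thiszone, sigfigs, snaplen, linktype
GLOBAL_HDR = struct.Struct("<IHHiIII")
# ts_sec, ts_usec, incl_len, orig_len
RECORD_HDR = struct.Struct("<IIII")


def parse_hex(text: str) -> bytes:
    """Accept '0xde 0xad', 'de ad', 'dead...' or comma-separated forms;
    the page's '0x'-prefixed byte list is the case that text2pcap rejects."""
    cleaned = []
    for tok in text.replace(",", " ").split():
        cleaned.append(tok[2:] if tok[:2].lower() == "0x" else tok)
    hexstr = "".join(cleaned)
    if len(hexstr) % 2:
        raise ValueError("odd number of hex digits")
    return binascii.unhexlify(hexstr)


def build_pcap(frames, first_ts: int = 0,
               linktype: int = LINKTYPE_ETHERNET) -> bytes:
    """One record per frame, timestamps one second apart from first_ts."""
    out = [GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for i, frame in enumerate(frames):
        out.append(RECORD_HDR.pack(first_ts + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def read_pcap(data: bytes) -> list:
    """Inverse of build_pcap, enough to verify what was written."""
    magic = GLOBAL_HDR.unpack_from(data, 0)[0]
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    frames, off = [], GLOBAL_HDR.size
    while off + RECORD_HDR.size <= len(data):
        _sec, _usec, incl, _orig = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        frames.append(data[off:off + incl])
        off += incl
    return frames


# Constructed 42-byte Ethernet/IPv4/UDP frame in the page's "0x" style:
# dst 00:11:43:aa:bb:cc, src 00:12:79:dd:ee:ff, 10.0.0.1:12345 -> 10.0.0.2:53
SAMPLE_DUMP = """
0x00 0x11 0x43 0xaa 0xbb 0xcc 0x00 0x12 0x79 0xdd 0xee 0xff 0x08 0x00
0x45 0x00 0x00 0x1c 0x00 0x01 0x00 0x00 0x40 0x11 0x00 0x00
0x0a 0x00 0x00 0x01 0x0a 0x00 0x00 0x02
0x30 0x39 0x00 0x35 0x00 0x08 0x00 0x00
"""

if __name__ == "__main__":
    with open("dump.pcap", "wb") as fh:
        fh.write(build_pcap([parse_hex(SAMPLE_DUMP)]))
```

Open the resulting `dump.pcap` in Wireshark or run it through `tshark -r dump.pcap` and the frame dissects as Ethernet/IP/UDP. If your logger already has real timestamps, pass them through `build_pcap` instead of the synthetic one-second spacing.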
Also recommend buying another router, even a used $20 Netgear or something. Make sure it's compatible with DD-WRT, and flash it with the firmware. Then subnet it and play around with the thing worry-free that your main network won't be affected.
I've been eyeballing NIPAP myself.
I prefer an IPAM that makes use of the inherent hierarchy of IP networking. Also feature parity between IPv4 and IPv6 with VRF support is a nice touch with NIPAP. It provides an XML RPC interface which can be used to integrate it with other tools.
Dewalt 12v Max ¼" Screwdriver. Compact, easy to handle, quick bit change, the belt clip is awesome, and the batteries charge fast. Just enough power to get the job done without trying to handle a full size drill. Has 3 LEDs around the ¼" chuck to make it easy to see in dark spots. Pair this with a magnetic bit to hold the rack screws and you're ready to go. Amazon link
There is a better method, in my opinion. Use a rodder and attach pull string, fiber and whatever else your heart desires in the conduit with enough electrical tape.
Fish Tape Fiberglass Reel Wire Cable Running Rod Duct Rodder Fishtape Puller 6mm https://www.amazon.com/dp/B011WMF6IU/ref=cm_sw_r_cp_api_i_7zCbCbZ4NBPVT
Super easy for a handy man. You could do it.
I would do it for you. I am managing a whole city project dealing with this scenario, daily.
If you must use Open Source for security matters...then only use OpenBSD and "PF" is the firewall for that.
(personally, though I'd just buy a 50-user license Cisco ASA 5505...but that's just me :-)
Luckily there are alternatives: http://www.climbingbusinessjournal.com/is-your-gym-guilty-of-music-piracy/
That being said, in response to the original question, if the SP is offering 3mb guaranteed SLA, then you should be okay streaming music, however doing that while streaming twitch/other live streams would likely cause you some issues.
From their docs: >The following are optional settings which may be declared in netbox/netbox/configuration.py. ...
>Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users are permitted to access most data in NetBox (excluding secrets) but not make any changes.
+1 on the UBNT ERL. We deploy them for our non-MSP clients, it costs them $99 and it's a great unit. Make sure to upgrade the firmware to 1.7 for some traffic tracking.
I've not used the VPN options on the ERL since I like SoftEther VPN so much. If you need VPN either site-to-site or mobile VPN, I highly suggest SoftEther VPN server running on a little 512M memory VM.
Mate, get your ISP to set up a direct connect to AWS.
No VPNs, just a private dedicated link with SLAs they have to abide by contractually. If you have a presence in a commercial DC, check out if AWS Direct Connect is available there and then it is a simple cross-connect into AWS. Either way check it out here: https://aws.amazon.com/directconnect/
I have seen decent takeup of AWS Direct Connects and Azure ExpressRoutes with my customers. I work in Australia which has one of highest cloud adoption rates so your mileage may vary. As a bonus, you get discounted rates for data over Direct Connect compared to using the internet.
Netflix puts a huge amount of technical effort into their infrastructure compared to what they need to deliver (a catalog of videos that, compared to e.g., YouTube, is pretty small and extremely static).
There's an interesting Hacker News thread where people do the usual Hacker News thing of calling it overengineered and saying they could do it for much cheaper—which is true, they could, but the performance would be mediocre instead of fantastic. Netflix hires world-class experts in performance because they want to deliver a world-class product.
See also their culture slide deck, which is very different from lots of large companies.
Such an odd attitude / you are not unique in this thinking. The way insurance works: don’t claim anything less than catastrophic. Your rates go up or your insurance gets dropped. Insurance companies don’t magically “pay up”.
The more human way to approach this is work with other company as if insurance did not exist.
Op: yep, panel will work. I’ve seen splices at Graybar: https://www.amazon.com/SF-Cable-Cat5e-Junction-Punch/dp/B0059DRC3G/
If run is easy/short, maybe just rerun cable? 40’ no crawl space? I’d rerun it.
The way I dealt with this problem is to use f.lux. Essentially, it’s a blue light filter as well as a brightness software. It reduces eye strain so much it’s insane. It may take a little time to get used to, but soon you won’t notice it’s there, and it helps a ton. I use it on every computer I own, and try to use it on any computer I spend any extended period of time with. The shortcuts make it extremely easy to use too. Just try it, it’s life changing.
Does your router support QoS?
QoS allows you to prioritize traffic across your network. If you want to be a bit less "selfish" with your bandwidth, you can give http (port 80) and https (port 443) a higher priority. This gives anyone browsing the web a priority higher than that of someone playing a game. If your roommates torrent a lot then just do it by IP or mac address because torrents can use port 80.
You'll probably want to set a static IP address too (I'll need to know your operating system to tell you how)
*edited to include information
While there's a time and a place for solutions such as pfSense, the situation OP describes is probably best served by a commercial, hardware-driven solution. Netgate's support offerings are also questionable for such an environment: 8-hour SLA, 1-hour max ticket time, "high level" troubleshooting for non-Netgate devices, etc. https://www.pfsense.org/get-support/software-support.html
Agreed! That or OpenNMS, thought I haven't tried that one.
It just genuinely seems like LibreNMS is created with the user in mind. LibreNMS' wiki is a fantastic resource compared to Observium's documentation, which is pretty bare-bones. Any issues there and you're SOL.
My thoughts anyways...
You say there is no official support for Observium, yet it's an option on your site with a Professional subscription (http://www.observium.org/services/). OP was about to purchase a Professional subscription even though Observium couldn't graph LAGs on his Brocade switches, and if you hadn't been a dick about it, you would have had another customer.
I really hope paying customers don't receive similar treatment when submitting a support request. Hell, even non-paying users (read: potential customers) don't deserve that treatment, unless they are exceptionally rude, which OP wasn't until you got his back up.
We're running Spark backed by Openfire here.
It's got SSL for your encryption needs, integrates nicely with Active Directory, has some good user/group control. And, ultimately, it's just Jabber so pretty much anything can talk to it if you don't like Spark.
Spark works nice on our domain though. We're pushing out the installation with a group policy, and then dropping a config file right into the user's profile. There's absolutely no configuration from an end-user standpoint. They just click the icon and put in the same password they use for Windows.
Very nice. Very simple.
You'll learn a fair bit more about networking than most developers, so that's not nothing. If you took any networking related courses in college, probably worth running through any old textbooks you might have. Otherwise Radia Perlman's Interconnections: Bridges, Routers, Switches, and Internetworking Protocols (2nd ed.) remains the definitive guide to routing.
Aruba JL256A 2930F-48G-PoE+-4SFP+ Switch - $1,049.90
We've bought several of these from Amazon, and haven't had any issue with Aruba/HPE Support.
When you figure this one out, you might want to contact the Chinese Government because they can't figure this out either.
I work in a school also and we have problems with students using Astrill. The main issue with a lot of them is they use multiple different VPN servers e.g. OpenVPN, OpenConnect.
At this stage it is a disciplinary issue and no longer a technical one.
So you're trying to log all the requests that are made from inside your network, to any DNS server anywhere?
If you don't want to run your own local DNS relay then your only real option is to capture the outgoing traffic and analyse it. Tcpdump is probably the simplest way, although there probably are tools out there which are more specialised to just log DNS requests. Fundamentally though it's the same process.
'Registering' in a DNS context has a specific meaning, i.e. creating a new DNS name and its mapping to an IP address. I think you just want to record the sites that DNS requests are being made for?
When you do this you will also see other types of DNS requests such as SRV records, not only A or AAAA requests to map FQDNs to IP addresses.
Generally if you are having trouble finding a tool to do something it's worth thinking about why you want to do it - if nobody else has wanted to do it before with something as established as DNS then it may not be a very useful thing to do. Hence me asking what you are trying to achieve with this - is it just curiosity? Are you intending to set up a whitelist/blacklist?
Either way my preferred method would be to have my own local DNS resolver and point everything at that. pihole is a good free option for home use, and is excellent as an ad blocker too.
At least in terms of stuff like MySQL on Linux, if you specify localhost (such as connecting a PHP script running on the same box to the database housed on that server) it will connect through a Unix socket and not TCP. If you change to 127.0.0.1 it will use regular sockets. Edge case but good example.
Further reading: http://serverfault.com/questions/337818/how-to-force-mysql-to-connect-by-tcp-instead-of-a-unix-socket
Application in an original meaning of the term:
> the special use or purpose to which something is put:
> a technology having numerous applications never thought of by its inventors.
Picture seems to be from Scapy, see more about this at http://www.secdev.org/projects/scapy/doc/usage.html
Edit: looking up the MAC using http://www.wireshark.org/tools/oui-lookup.html: 00:11:43 = Dell Inc; 00:12:79 = Hewlett-Packard Company
Fire up the 30-day trial of NetCrunch. It'll identify the various components in your network, provide you with an inventory, map your network for you, and the predefined monitoring packs will show you where there are any potential issues right off the bat.
As this network is newly built, and has no documentation, you have the chance to write the documentation and make the network your own.
NetCrunch 8 will do all of that for you, and automatically to boot. The layer 2 map is especially good, showing you the physical connections between devices, and the connections grow thicker the more throughput going through, helping you drill down and find bandwidth hogs. Traffic is also covered through NetFlow, both at the device level, and network wide.
You can get better than a "rough" idea with NetCrunch 8. It's got a 30-day free trial license if you just need a temporary solution, and among the normal monitoring/management features, it's got a physical segment mapper that will show you what is connected to what, and on what port(s). Most of your devices will be identified out of the box as well, specifically systems and networking devices. The only thing it won't do for you here is your configs.
I'm not sure if it does ALL of the things you need, but I'm using pfSense (as a firewall).
BandwidthD will show you who is using how much, OR what domains are getting used how much.
RRD graphs show usage over various periods 8 hours, 1 day, 1 week, 1 month, 3 months, 1 year.
It can also do throttling of various types and blocking of domains.
Edit: I think it can do most of that. It wouldn't exactly generate reports, but you can go look at the data and print the graphs and tables.
> Theoretically WireGuard should offer:
> Faster speeds
Than OpenVPN? Sure.
Than AES-GCM IPsec? It's not clear in practice or theory.
ChaCha20 is faster than unaccelerated AES, but given that most modern ARM and Intel/AMD cores implement instructions to accelerate AES, AES will be faster head-to-head if these instructions are used. Wireguard and IPsec using AES-GCM also have nearly identical framing overheads.
I've openly wondered how Wireguard obtains the 1011Mbps quoted on the site you point to for performance comparisons. After all, it's running over "Intel 82579LM and Intel I218LM gigabit ethernet cards", so 1011Mbps is impossible without some type of compression scheme. I suspect a measurement error, btw.
BTW, that site just quotes the Wireguard site for its numbers. I've asked Jason about it and gotten back a non-committal answer.
Might want to read this, too: https://www.net.in.tum.de/fileadmin/bibtex/publications/theses/2018-pudelko-vpn-performance.pdf
Do you use PostgreSQL? It's got a CIDR data type built-in. Also, have a look here, specifically for is contained within.
You can thank me in scotch and kittens.
I was thinking something more like this to distribute the fiber weight evenly over the radius. But yeah, great minds thinking alike. Or pay the money for the real thing.
I cannot stand tool-less keystones. Pick up something like this and never look back. If you still want to go that route get a small pair of channel locks as suggested. I have fat fingers so I find the little divot in the tool really helpful in positioning the wire or plucking a specific one out of the blades on the occasion I need to do such things.
The one I linked is similar to the one I have. Mine's about 15 years old, and I think they updated it so it's no longer available.
Zero Trust Network is useless for practical knowledge, it's all theory describing what zero trust could be. You'd want to have a firewall everywhere, on every device, and only allow in and out the people and traffic you want to allow. That's the essence of zero trust.
John Strand's Offensive Countermeasures is excellent and full of methods to harden your network and make things difficult for attackers https://www.amazon.com/Offensive-Countermeasures-John-Strand/dp/1974671690/ref=sr_1_1
The Defensive Security Handbook is pretty good https://www.amazon.com/Defensive-Security-Handbook-Practices-Infrastructure/dp/1491960388/ref=sr_1_5
As far as "how to segment client data" you just need to look at the frameworks for whatever industry you're in. NIST, PCI, GDPR each have documentation explaining what you need to control and the minimum controls to put in place.
In 90% of cases, it's just going to work anyway because modern switches are auto-switching.
For the other 10% something like this may work? https://www.amazon.com/Cable-Matters-2-Pack-Crossover-Adapter/dp/B01I0E5EXU/ref=sr_1_2?dchild=1&keywords=crossover+adapter&qid=1605809943&sr=8-2
Paying the ransom may not necessarily help; there have been cases of the data not being decrypted once the ransom is paid. You are kind of throwing the money into the air and hoping that the asshole who created the virus will pay up.
Are you sure it's Cryptowall 3.0? We had a similar thing happen to a computer which contained a heap of very sensitive documents which were not backed up. As a result a lot of time and effort was spent trying to recover said documents. In the end we found this: http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/ was able to decrypt the files; the only downside was requiring a 2 MB original file large enough to compare with an encrypted file.
We have had subsequent infections of our computers and I always attempt to run them through that file. It doesn't always work, but I am astounded how often it does.
Hope you get lucky with this one mate.
Large complex systems have failure modes that cannot easily be found by testing. Amazon AWS has had a couple of big outages, the RFOs they published are interesting reading (https://aws.amazon.com/message/41926/ for the S3 outage). RFO (Reason For Outage) reports are very useful reading if you can get them.
The Github outage last year has a good write up on how a power fail can have larger than expected effects: https://github.com/blog/2106-january-28th-incident-report
Thanks for your detailed answer. It's for a remote operated robot platform. Hardware is pretty much set at this point and I won't be able to change the dual modem router I have, that's why I was looking into more software-based solutions, but would surely look into the Peplinks if a HW update would be possible later on.
Thanks for mentioning the Mwan3, I think I might already have that package installed into the router. Currently reading this guide: https://openwrt.org/docs/guide-user/network/wan/multiwan/mwan3
I'm willing to put a lot of time and effort into this, but would like to only work with open source solutions. Others have also mentioned SD-WAN so I'm exploring that option as well, not sure if quality-based routing is possible with the open source solutions I've found so far, though.
Might take a look at OBS and Nginx with the RTMP plugin.
This isn't going to provide a multicast stream, Nginx will act as a relay for unicast RTMP streams.
OBS runs on Windows, and VLC should be able to attach to the RTMP stream URL for clients.
It looks like it's just down:
edit: That site has saved me from lots of troubleshooting and lots of trying to convince users that no, it's really not our network. :)
I pen-test for a living; it's a common fear giving up your sensitive information to some random company. Anything you give us from an external point of view is already out there. Just type your IP range into https://www.shodan.io/ and you will find probably more than you expected.
Almost all pen-testing companies, even the small boutique shops, are extremely trustworthy. We are the good guys and we are only trying to make the internet a safer place. A lot of us started hacking as a hobby and it ended up becoming our jobs.
That being said, research any company you are interested in before pulling the trigger. I would also recommend talking to others in your field that you trust for recommendations.
There's also FOG, but this isn't really a networking question.
You may want to ask /r/techsupport (to help you get clonezilla working), /r/homelab (for suggestions on imaging software), or if the amount of machines to image is significant, /r/sysadmin.
Oh geez. So now HP is getting onboard the Cisco terminology train. A little late, HP.
Looks like hybrid may allow multiple untagged VLANs on a trunk?
Make it a trunk. Tag VLAN 2 and 3.
If the management interface is a separate physical interface, you're done. If management is on the same port you need to look at the controller documentation to see if you should tag or untag VLAN 1 on that same link.
It's odd to me that you're running a Cisco WCS but you've got rubbish v1900 series switching. I know this wasn't a solicited opinion so no need to respond to it. I don't hate HP, but throw me at least a 2530/2920 series switch with a proper CLI.
Check out our NetCrunch network monitoring suite. Unlike other options, we license only by number of monitored nodes (so your stacked switches can count as one node) with no limit on the number of sensors/elements/ports/etc. monitored on each one. The new 64-bit server that we just implemented can support monitoring over 650,000 sensors on a single installation (which can be a VM).
Give our NetCrunch network monitoring suite a try. It'll have the scope and scalability of Solarwinds, at the PRTG pricepoint. It's got comprehensive SNMP support, including SNMPv3 and a built-in MIB compiler. It can not only monitor your logs, but act as a log server (the database is embedded and is not limited in size or length of time you keep your data), and since becoming Cisco partners we have comprehensive NetFlow support (including NBAR and IP SLA). I can even help you out here, if you don't want to use the official channels.
You might want to check out Untangle. They offer a packaged setup of linux tools with an easy to use GUI / web management console. It offers the ability to create custom rules based on LDAP integration, captive portal, antivirus scanning, and even some malware protections. IIRC they offer heavily discounted pricing for edu.
Look into OpenDNS.
No offense, but you won't be able to setup a DNS server on your own network, it's not for the uninitiated.
What network gear are you working with?
One free option is RANCID, which supports multiple types of hardware.
If you want to pay for something
When I ran a small infrastructure that didn't afford me the luxury of having a VPN router to connect to, I used the OpenVPN appliance in my VPC with one interface in the private subnet and the other interface on the public subnet. Then, install the OpenVPN client on your computer and connect to the appliance and RDP using the IP addresses (or DNS names) you defined on the private subnet. This is a much more secure way of doing things since you're not exposing an RDP port to the entire world.
This is a professional network engineering subreddit. We've just created /r/networkinghelp for questions like this, and there's also /r/techsupport .
But you should check out this guide: link