
[Sysadmin] Routing to null


Posts

  • lwt1973lwt1973 King of Thieves SyndicationRegistered User regular
    You might just have to remember a password someday as your auto-fill might fail.

    "He's sulking in his tent like Achilles! It's the Iliad?...from Homer?! READ A BOOK!!" -Handy
  • SeidkonaSeidkona Had an upgrade Registered User regular
    Easy way to get me to mute you on slack. Ask me to reset your password after I have already told you the platform is on fire and we don't have time.

    Mostly just huntin' monsters.
    XBL:Phenyhelm - 3DS:Phenyhelm
  • lwt1973lwt1973 King of Thieves SyndicationRegistered User regular
    Anyone have a recommendation for a good wireless mic/headset for use with Zoom? A user is asking for one.

    "He's sulking in his tent like Achilles! It's the Iliad?...from Homer?! READ A BOOK!!" -Handy
  • wunderbarwunderbar What Have I Done? Registered User regular
    I think I've mentioned this before, but at our shop we have the more senior guys cover the tier 1/ticket system for one morning or afternoon a week to give the entry level guy a break to work on other stuff uninterrupted. I don't mind it, it's only a few hours a week and we average like 4 tier 1 tickets a day, so it's generally not a big deal.

    My shift is this morning. There have been 10 tickets in 3 hours. I want to die.

    XBL: thewunderbar PSN: thewunderbar NNID: thewunderbar Steam: wunderbar87 Twitter: wunderbar
  • Bendery It Like BeckhamBendery It Like Beckham Hopeless Registered User regular
    edited September 2019
    Disclaimer: I'm shite when it comes to network hardware
    I'm working with an HP Aruba J9774A and trying to figure out how to enroll it in 8021x. I know how to do the actual enrolling part but figuring out the best method here is causing me to scratch my head. This application seems to be a little too specific for the googling.

    The goal is to create an authorized switch in a small engineering lab that the user can connect an authorized PC to for domain network access, while also being able to communicate with unauthorized embedded linux devices on the local switch.
    I just found out the solution that has been put in place is to just force auth the port... so basically rendering 8021x pointless because all a user needs to do is unhook the switch and connect a PED. I do not like this.

    Any of y'all running HP Network switches and know if this is possible? The other option is I just set them up with a secondary nic and give them their 30 dollar netgear switch back. I don't like this either because then there is a rogue switch running around and some chuckle head might put us in a routing loop again.

  • LD50LD50 Registered User regular
    This is your friendly reminder that it's always DNS.

  • SiliconStewSiliconStew Registered User regular
    Disclaimer: I'm shite when it comes to network hardware
    I'm working with an HP Aruba J9774A and trying to figure out how to enroll it in 8021x. I know how to do the actual enrolling part but figuring out the best method here is causing me to scratch my head. This application seems to be a little too specific for the googling.

    The goal is to create an authorized switch in a small engineering lab that the user can connect an authorized PC to for domain network access, while also being able to communicate with unauthorized embedded linux devices on the local switch.
    I just found out the solution that has been put in place is to just force auth the port... so basically rendering 8021x pointless because all a user needs to do is unhook the switch and connect a PED. I do not like this.

    Any of y'all running HP Network switches and know if this is possible? The other option is I just set them up with a secondary nic and give them their 30 dollar netgear switch back. I don't like this either because then there is a rogue switch running around and some chuckle head might put us in a routing loop again.

    You set up your access ports as an 802.1x authenticator on one VLAN and also configure the second, unauthorized VLAN for 802.1x. Devices that successfully authenticate get put on the first VLAN, the linux devices that can't authenticate stay on the second VLAN.

    The trunk port used as an uplink to the upstream network needs to be configured as an 802.1x supplicant so the switch can authenticate itself to the upstream switch. This would prevent someone swapping out the entire lab switch to gain unauthorized access.

    Then you'd need to configure a route between the authenticated VLAN and the unauthorized VLAN to allow the PC's to talk to the linux devices. Put traffic ACL's in place to prevent the unauthorized devices from sending traffic anywhere you don't want it.

    Just remember that half the people you meet are below average intelligence.
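The three-step design in the reply above, written out as an illustrative HP ProCurve/ArubaOS-Switch configuration. This is an added example, not from the thread or from HPE's own documentation; the VLAN ids, subnets, RADIUS address, port numbers and ACL entries are constructed placeholders, and it assumes the switch supports both 802.1X roles, VLAN ACLs and inter-VLAN routing (on a Layer 2 only access switch the VLAN IP addresses, routing and the ACL move to the upstream Layer 3 switch instead).

```text
! --- Constructed example: lab switch with authenticated and unauthenticated VLANs ---
! VLAN 10 = authenticated domain PCs, VLAN 20 = embedded Linux boards that cannot do 802.1X
vlan 10
   name "lab-auth"
   ip address 192.168.10.1 255.255.255.0
   exit
vlan 20
   name "lab-unauth"
   ip address 192.168.20.1 255.255.255.0
   exit

! RADIUS server the switch relays EAP to (placeholder address and shared secret)
radius-server host 192.168.1.5 key "REPLACE-WITH-SHARED-SECRET"
aaa authentication port-access eap-radius

! Step 1: access ports 1-7 are 802.1X authenticators. A client that passes EAP
! lands on VLAN 10; a device that never answers EAPOL (the Linux boards) is
! parked on VLAN 20 rather than being left on an open port.
aaa port-access authenticator 1-7
aaa port-access authenticator 1-7 auth-vid 10
aaa port-access authenticator 1-7 unauth-vid 20
aaa port-access authenticator active
! The "force auth" shortcut the thread complains about would be
!   aaa port-access authenticator 1-7 control authorized
! which marks the ports authorized without any EAP exchange; leave control at
! its default (auto) so the RADIUS decision actually applies.

! Step 2: uplink port 8 is an 802.1X supplicant, so the lab switch itself has to
! authenticate to the upstream switch. Unplugging it and plugging in a different
! switch leaves the upstream port unauthenticated instead of wide open.
aaa port-access supplicant 8
aaa port-access supplicant 8 identity "lab-switch-01"
aaa port-access supplicant 8 secret
! (the CLI prompts for the supplicant password; it is not stored in this snippet)

! Step 3: the two VLAN interfaces above already route between 10 and 20, so
! fence in what VLAN 20 may send. ACLs here are stateless, so replies to
! PC-initiated TCP sessions are allowed with "established"; device-initiated
! traffic is limited to SSH toward the lab PCs, then everything else is dropped.
ip access-list extended "lab-unauth-in"
   10 permit tcp 192.168.20.0/24 192.168.10.0/24 established
   20 permit tcp 192.168.20.0/24 192.168.10.0/24 eq 22
   30 permit udp any eq 68 any eq 67
   40 deny ip 192.168.20.0/24 any
   exit
vlan 20 ip access-group "lab-unauth-in" in
```

Entry 30 only exists so the boards can still get DHCP leases; drop it if they use static addresses.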
  • MyiagrosMyiagros Registered User regular
    Stay the hell away from anything from GoAnywhere software. Download one free program and I've been spammed with email and calls for the past two months.

    iRevert wrote: »
    Because if you're going to attempt to squeeze that big black monster into your slot you will need to be able to take at least 12 inches or else you're going to have a bad time...
    Steam: MyiagrosX27
  • Bendery It Like BeckhamBendery It Like Beckham Hopeless Registered User regular
    Disclaimer: I'm shite when it comes to network hardware
    I'm working with an HP Aruba J9774A and trying to figure out how to enroll it in 8021x. I know how to do the actual enrolling part but figuring out the best method here is causing me to scratch my head. This application seems to be a little too specific for the googling.

    The goal is to create an authorized switch in a small engineering lab that the user can connect an authorized PC to for domain network access, while also being able to communicate with unauthorized embedded linux devices on the local switch.
    I just found out the solution that has been put in place is to just force auth the port... so basically rendering 8021x pointless because all a user needs to do is unhook the switch and connect a PED. I do not like this.

    Any of y'all running HP Network switches and know if this is possible? The other option is I just set them up with a secondary nic and give them their 30 dollar netgear switch back. I don't like this either because then there is a rogue switch running around and some chuckle head might put us in a routing loop again.

    You set up your access ports as an 802.1x authenticator on one VLAN and also configure the second, unauthorized VLAN for 802.1x. Devices that successfully authenticate get put on the first VLAN, the linux devices that can't authenticate stay on the second VLAN.

    The trunk port used as an uplink to the upstream network needs to be configured as an 802.1x supplicant so the switch can authenticate itself to the upstream switch. This would prevent someone swapping out the entire lab switch to gain unauthorized access.

    Then you'd need to configure a route between the authenticated VLAN and the unauthorized VLAN to allow the PC's to talk to the linux devices. Put traffic ACL's in place to prevent the unauthorized devices from sending traffic anywhere you don't want it.

    I really appreciate your response, I'll be trying to convince my network admin we need to revisit this and try again. He, uh... doesn't like when I suggest he may have done something incorrectly.

  • ThawmusThawmus +Jackface Registered User regular
    People who can't accept that there's always a better way to do shit shouldn't be in IT

    Twitch: Thawmus83
  • SeidkonaSeidkona Had an upgrade Registered User regular
    Mostly just huntin' monsters.
    XBL:Phenyhelm - 3DS:Phenyhelm
  • ThawmusThawmus +Jackface Registered User regular
    Entaru wrote: »

    I had a friend who would send sms messages to people in this manner.

    You'll note I said "had" because the entire township decided to murder him in the street for it.

    Twitch: Thawmus83
  • a5ehrena5ehren AtlantaRegistered User regular
    Entaru wrote: »

    Someone posted this in our internal Yammer...and some people actually came out and said they disagree with this. I can't even imagine that thought process.

  • EchoEcho ski-bap ba-dapModerator mod
    I do my best to teach people the miracle of shift-enter for line breaks in messages.

  • SeidkonaSeidkona Had an upgrade Registered User regular
    a5ehren wrote: »
    Entaru wrote: »

    Someone posted this in our internal Yammer...and some people actually came out and said they disagree with this. I can't even imagine that thought process.

    It was a honey pot to see who you were kicking off Yammer, right?

    Mostly just huntin' monsters.
    XBL:Phenyhelm - 3DS:Phenyhelm
  • twmjrtwmjr Registered User regular
    I generally just don't reply until they get to the actual question; they usually figure it out after awhile.

    Also, I'm extremely on board with someone having purchased a domain to have only that post shown.

  • lwt1973lwt1973 King of Thieves SyndicationRegistered User regular
    No, I have no idea how your predecessor programmed your router/firewall/device. So if you change something on it, you might want to figure that out.

    "He's sulking in his tent like Achilles! It's the Iliad?...from Homer?! READ A BOOK!!" -Handy
  • LD50LD50 Registered User regular
    I feel bad because this is one holy war I legit don't have an opinion of. I don't do it myself but it doesn't bother me if someone else does it to me.

  • SeidkonaSeidkona Had an upgrade Registered User regular
    LD50 wrote: »
    I feel bad because this is one holy war I legit don't have an opinion of. I don't do it myself but it doesn't bother me if someone else does it to me.

    Hi.

    Mostly just huntin' monsters.
    XBL:Phenyhelm - 3DS:Phenyhelm
  • SniperGuySniperGuy SniperGuyGaming Registered User regular
    We have a server that manages the cameras for our building and when we got the DNS server installed, we organized the cabling better in that room and rearranged things. Which of course meant that we had to unplug stuff and when we plugged it back in, the camera server didn't have internet access. Network access yes, but no internet. Made a static IP in the DHCP server and all that, checked the IP settings of the device, all seemed good. Oh well, cameras are working, so I left it alone. Then a week or two later I was told it needed to have internet access by the guy that runs the cameras, and he had no idea how it had been setup previously. Turns out the machine had two NICs for some reason and we had both ethernets plugged in, which was apparently supposed to happen.

    So I swapped the ethernet cords and oh hey look at that it works now. Sometimes my job feels silly.

  • DarkewolfeDarkewolfe Registered User regular
    Being a vendor now rather than operations means that 80% of my life is now diagnosing that the issue is decidedly not my product but something their ops team has messed up. It's actually a really frustrating thing, because I still do most of the heavy lifting of analysis, and then never get to fix it since it's inevitably something else.

    What is this I don't even.
  • SeidkonaSeidkona Had an upgrade Registered User regular
    Darkewolfe wrote: »
    Being a vendor now rather than operations means that 80% of my life is now diagnosing that the issue is decidedly not my product but something their ops team has messed up. It's actually a really frustrating thing, because I still do most of the heavy lifting of analysis, and then never get to fix it since it's inevitably something else.

    Living the dream!

    Mostly just huntin' monsters.
    XBL:Phenyhelm - 3DS:Phenyhelm
  • RadiationRadiation Registered User regular
    Darkewolfe wrote: »
    Being a vendor now rather than operations means that 80% of my life is now diagnosing that the issue is decidedly not my product but something their ops team has messed up. It's actually a really frustrating thing, because I still do most of the heavy lifting of analysis, and then never get to fix it since it's inevitably something else.

    Just had my first taste of that a bit yesterday. It's usually pretty easy to determine it's not my area and send the customer off, but I had someone asking how to get our tool to work with Cisco ISE, so I have to churn on that next week. I'll likely write an integration guide for the rest of the team to reference, or for other customers.

    PSN: jfrofl
  • LD50LD50 Registered User regular
    Entaru wrote: »
    LD50 wrote: »
    I feel bad because this is one holy war I legit don't have an opinion of. I don't do it myself but it doesn't bother me if someone else does it to me.

    Hi.

    Hi!

  • mcpmcp Registered User regular
    If I respond to 'hi' they'll know I'm watching and I can't later pretend I didn't see their question.

  • Bendery It Like BeckhamBendery It Like Beckham Hopeless Registered User regular
    edited September 2019
    Disclaimer: I'm shite when it comes to network hardware
    I'm working with an HP Aruba J9774A and trying to figure out how to enroll it in 8021x. I know how to do the actual enrolling part but figuring out the best method here is causing me to scratch my head. This application seems to be a little too specific for the googling.

    The goal is to create an authorized switch in a small engineering lab that the user can connect an authorized PC to for domain network access, while also being able to communicate with unauthorized embedded linux devices on the local switch.
    I just found out the solution that has been put in place is to just force auth the port... so basically rendering 8021x pointless because all a user needs to do is unhook the switch and connect a PED. I do not like this.

    Any of y'all running HP Network switches and know if this is possible? The other option is I just set them up with a secondary nic and give them their 30 dollar netgear switch back. I don't like this either because then there is a rogue switch running around and some chuckle head might put us in a routing loop again.

    You set up your access ports as an 802.1x authenticator on one VLAN and also configure the second, unauthorized VLAN for 802.1x. Devices that successfully authenticate get put on the first VLAN, the linux devices that can't authenticate stay on the second VLAN.

    The trunk port used as an uplink to the upstream network needs to be configured as an 802.1x supplicant so the switch can authenticate itself to the upstream switch. This would prevent someone swapping out the entire lab switch to gain unauthorized access.

    Then you'd need to configure a route between the authenticated VLAN and the unauthorized VLAN to allow the PC's to talk to the linux devices. Put traffic ACL's in place to prevent the unauthorized devices from sending traffic anywhere you don't want it.

    I really appreciate your response, I'll be trying to convince my network admin we need to revisit this and try again. He, uh... doesn't like when I suggest he may have done something incorrectly.

    For those who would like an update on this issue, I framed it as, "Hey, this is what the lab would look like. From everything I've read and the discussions I've had around this, this should work. If our current hardware just isn't able to support this because of VLANing, or something else, I think we should investigate a hardware solution that does." My director's and network administrator's take on this request: "It doesn't work that way" and "you don't know how it works".

    Interview tomorrow with another company.

  • mcpmcp Registered User regular
    Every time I try to do anything with these Cisco Meraki MXs there's some kind of bullshit involved.

    Using the API to export all the group policy l3 rules we have for an audit.

    They have some prewritten scripts that will do that for the default l3 rules, but not the group policy rules.

    Not a huge deal, I write my own.

    Looking through the output, there's no source or source port for any of these rules. Double check the json file the API gives you, and yeah... They just left that info out.

    What the fuck man

  • MyiagrosMyiagros Registered User regular
    At my normal Wednesday client and a guy comes and asks me if I got his message the other day. Tell him no, never saw one. Then it dawned on me that it was probably the phone call I ignored because it was 5:30pm and I am off the clock. One more reason to call our office and not my personal cell number.

    iRevert wrote: »
    Because if you're going to attempt to squeeze that big black monster into your slot you will need to be able to take at least 12 inches or else you're going to have a bad time...
    Steam: MyiagrosX27
  • MyiagrosMyiagros Registered User regular
    mcp wrote: »
    Every time I try to do anything with these Cisco Meraki MXs there's some kind of bullshit involved.

    Using the API to export all the group policy l3 rules we have for an audit.

    They have some prewritten scripts that will do that for the default l3 rules, but not the group policy rules.

    Not a huge deal, I write my own.

    Looking through the output, there's no source or source port for any of these rules. Double check the json file the API gives you, and yeah... They just left that info out.

    What the fuck man

    I like Meraki for setting up basic stuff but it gets tedious I find with content filtering. A client has full on filtering in place where they can only access sites on the whitelist and every few months I have to dick around with the Office 365 portal login for an hour because a URL somewhere changed.

    iRevert wrote: »
    Because if you're going to attempt to squeeze that big black monster into your slot you will need to be able to take at least 12 inches or else you're going to have a bad time...
    Steam: MyiagrosX27
  • mcpmcp Registered User regular
    I'm not sure what the use case for Meraki firewalls is, but it's gotta be razor thin.

    The client VPN fails pci compliance, and there's nothing you can do about it.
    The active directory integration requires ntlmv1.
    You can't set up groups for sources, destinations, ports. On group policy l3 rules you can't even put multiple ports into a rule, so creating a group policy for a domain controller takes like 20 rules.
    The site to site VPN firewall has a section for inbound rules. It doesn't do anything. In the documentation it says it doesn't do anything and will be removed at some point. The fuck is that about?
    Still have to test more, but it seems like the whole sd-wan is torn down when one site to site tunnel goes down and has to be rebuilt.
    If you type 'konami' into their suggestion box, it loads a god damn browser game.

    They call their shit enterprise, it is not.

  • MyiagrosMyiagros Registered User regular
    At an old job my boss sent me to a day long course on Meraki stuff as we needed someone that knew something about them. At that time we had one or two clients with Meraki APs but no firewalls, switches, etc.

    Got back to work the following day and was telling them about some of the features and how it could be useful having a firewall in place instead of just the APs and was met with, "ya, maybe, but we don't make any money off of the subscription renewals so there's no point".

    Then why the fuck did I go do this course?!?!

    iRevert wrote: »
    Because if you're going to attempt to squeeze that big black monster into your slot you will need to be able to take at least 12 inches or else you're going to have a bad time...
    Steam: MyiagrosX27
  • wunderbarwunderbar What Have I Done? Registered User regular
    new hypervisor blade in a chassis. Dual Xeon CPU's, 384GB of ram. Dual SSD's in RAID 1 for the OS drive. Chassis has 10Gb networking.

    Dell lifecycle controller still takes 10 minutes to load.

    XBL: thewunderbar PSN: thewunderbar NNID: thewunderbar Steam: wunderbar87 Twitter: wunderbar
  • MugsleyMugsley DelawareRegistered User regular
    Contractor has a dehumidifier on a piece of equipment. They tell us we have 2 weeks to get power to it and turn it on.

    Ok, tell us what plug and cable we need.

    Contractor: "ok, here you go"
    Us: "well the plug has 4 pins but the wire has 3 conductors"
    :rotate:

    We have 4 days remaining to get the dehumidifier running.

  • Bendery It Like BeckhamBendery It Like Beckham Hopeless Registered User regular
    Oh hey I got the sysadmin job at other company.
    Guess I do know what I'm talking about.

  • SeidkonaSeidkona Had an upgrade Registered User regular
    Oh hey I got the sysadmin job at other company.
    Guess I do know what I'm talking about.

    Go you!

    Mostly just huntin' monsters.
    XBL:Phenyhelm - 3DS:Phenyhelm
  • Bendery It Like BeckhamBendery It Like Beckham Hopeless Registered User regular
    I would like to thank everyone who's answered my questions over the years, y'all helped me get here :) thanks sysadmin thread.

    These next couple weeks are gonna be fun, I'm nervous but really excited.

  • BSoBBSoB Registered User regular
    edited September 2019
    Hey, if you need someone to wander in my server room and start messing with the fucking electrical box. OK, I guess. But maybe my UPS screaming at me when your guy flips the wrong breaker isn't the best way to notify me that this is happening.

  • wunderbarwunderbar What Have I Done? Registered User regular
    ahahaha

    XBL: thewunderbar PSN: thewunderbar NNID: thewunderbar Steam: wunderbar87 Twitter: wunderbar
  • FeralFeral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉRegistered User regular
    mcp wrote: »
    I'm not sure what the use case for Meraki firewalls is, but it's gotta be razor thin.

    The client VPN fails pci compliance, and there's nothing you can do about it.
    The active directory integration requires ntlmv1.
    You can't set up groups for sources, destinations, ports. On group policy l3 rules you can't even put multiple ports into a rule, so creating a group policy for a domain controller takes like 20 rules.
    The site to site VPN firewall has a section for inbound rules. It doesn't do anything. In the documentation it says it doesn't do anything and will be removed at some point. The fuck is that about?
    Still have to test more, but it seems like the whole sd-wan is torn down when one site to site tunnel goes down and has to be rebuilt.
    If you type 'konami' into their suggestion box, it loads a god damn browser game.

    They call their shit enterprise, it is not.

    Their wireless APs are phenomenal. Their firewalls ("security appliances")... well, my experience isn't terribly different than yours.

    The use case we've found for them is Internet-only guest wifi at branch offices. We don't use SD-WAN, we backhaul all of our production traffic back to HQ. But because we use Meraki APs, when we rolled out guest wifi, it made sense to drop in Meraki MXs and segregate off the guest Internet traffic on completely different connections. We don't give a shit about group policies or client VPNs. They're cheap simple firewalls that are easily manageable over the cloud.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • FeralFeral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉRegistered User regular
    Thawmus wrote: »
    Entaru wrote: »

    I had a friend who would send sms messages to people in this manner.

    You'll note I said "had" because the entire township decided to murder him in the street for it.

    I can't say this is something I care about, but I sympathize with the author because people who put in tickets or send me emails without details bother me in almost exactly the same way.

    "I'm having trouble with my email."

    What trouble? Is there an error message? Describe it. You're an adult, use your fucking words, don't make me drag it out of you.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.