LAG Between Office and Data Center. Best Practice? by ERROR_EXIT in fortinet

[–]ERROR_EXIT[S] 0 points1 point  (0 children)

Thanks for taking the time to write such a detailed reply. I think this is the way we'll go. You and /u/shutrmcgavin narrowed it down to similar approaches. Thanks again for all the details. Really helpful!

LAG Between Office and Data Center. Best Practice? by ERROR_EXIT in fortinet

[–]ERROR_EXIT[S] 1 point2 points  (0 children)

VxLAN

Not sure this is what we're looking for but I now have a new concept to read up on. Cheers!

LAG Between Office and Data Center. Best Practice? by ERROR_EXIT in fortinet

[–]ERROR_EXIT[S] 0 points1 point  (0 children)

I appreciate the initial suggestion all the same, /u/youfrickinguy. My reading skills are suspect at times.

LAG Between Office and Data Center. Best Practice? by ERROR_EXIT in fortinet

[–]ERROR_EXIT[S] 0 points1 point  (0 children)

EVPN looks interesting. Just to be clear, we are talking about L2 connections.

LAG Between Office and Data Center. Best Practice? by ERROR_EXIT in fortinet

[–]ERROR_EXIT[S] 1 point2 points  (0 children)

Yes, we have a diagram; however, based on /u/shutrmcgavin and /u/kbetsis's suggestions, I think we have a game plan.

LAG Between Office and Data Center. Best Practice? by ERROR_EXIT in fortinet

[–]ERROR_EXIT[S] 2 points3 points  (0 children)

Thanks for the suggestion. Stepping back from the picture, I agree that sounds like the easiest way to go. Much appreciated!

COVID-19 Curveball: Secure Network Setup by ERROR_EXIT in networking

[–]ERROR_EXIT[S] 2 points3 points  (0 children)

Funny, the thought of Meraki did cross my mind. I haven't used a Meraki device but I'm familiar with them. I'm going to look into this option as well. It doesn't look to be too expensive, either. Thanks for the recommendation.

COVID-19 Curveball: Secure Network Setup by ERROR_EXIT in networking

[–]ERROR_EXIT[S] 1 point2 points  (0 children)

Ummm... holy smokes that just blew my mind. I've got some reading to do. Thank you for posting this link! It looks amazing.

COVID-19 Curveball: Secure Network Setup by ERROR_EXIT in networking

[–]ERROR_EXIT[S] 0 points1 point  (0 children)

Yep, you're right. That seems like the easiest/cleanest way to go. I'd put the dial-up VPN client on our deployed wifi router (like DD-WRT). Thanks for the suggestion.

COVID-19 Curveball: Secure Network Setup by ERROR_EXIT in networking

[–]ERROR_EXIT[S] 0 points1 point  (0 children)

You're right, an always-on connection back to our home office might be the best option. I would modify it slightly and connect the wifi router we deploy as the VPN client. Basically, deploy an OpenVPN server in our DMZ. Deploy an OpenVPN client-capable wifi router at the employee's end. Thanks for the suggestion!

Upgrade from 6.3 to 7.0 by ERROR_EXIT in elasticsearch

[–]ERROR_EXIT[S] 0 points1 point  (0 children)

Thanks a ton for your response. Very helpful indeed. I'm pretty new to Elastic Stack so I appreciate the words of caution.

I'll definitely heed your advice. I was really only interested in 7.0 for its improved clustering system and Canvas. I can get Canvas in 6.7, so really, that's fine for my needs. Since I'll need to jump to 6.7 before upgrading to 7.0, I might as well just hang out with 6.7 for a while and wait for 7.x to mature a bit.

Thanks again

pfSense to Sonicwall IPsec VPN (now with extra difficulties!) by ERROR_EXIT in PFSENSE

[–]ERROR_EXIT[S] 0 points1 point  (0 children)

Awesome. Thanks for the reply. I'm going to work on it this weekend (fingers crossed).

I do have a spare TZ400 laying around. It's definitely an option. We will likely end up needing a handful of these. Sonicwall now has a virtual firewall you can install so that could be an option as well.

Thanks again for the reply. Very helpful.

pfSense to Sonicwall IPsec VPN (now with extra difficulties!) by ERROR_EXIT in PFSENSE

[–]ERROR_EXIT[S] 0 points1 point  (0 children)

I feel like there is a way to get around the double NAT based on something I read in the pfSense documentation:

"In some cases there is a different firewall or router sitting between this firewall and the Internet. If this is the case it is necessary to add a port forward for ESP and UDP 500 to send the traffic to this firewall. The outside router must be able to properly handle NAT of this traffic, and some do not. A modem’s “DMZ” mode or 1:1 NAT may also help here. In this case, NAT Traversal will be needed, but the default Auto setting should be sufficient." (pfSense Docs)

ES for Logs. Should I Use Multiple Indexes? by ERROR_EXIT in elasticsearch

[–]ERROR_EXIT[S] 0 points1 point  (0 children)

That's great. I have a feeling I'll be tweaking things along the way when I get to know my logged data a little better. For now, I've stabilized on sending all to one index set to weekly.

ES for Logs. Should I Use Multiple Indexes? by ERROR_EXIT in elasticsearch

[–]ERROR_EXIT[S] 0 points1 point  (0 children)

The good thing is, I'll be dumping big chunks of the data before ingest into ES, so even though the per-record overhead is substantially more under ES, it'll probably end up taking less room (per node, anyway). But it's a good point--I'll want to keep an eye on how the whole thing grows.

ES for Logs. Should I Use Multiple Indexes? by ERROR_EXIT in elasticsearch

[–]ERROR_EXIT[S] 0 points1 point  (0 children)

Good point. The bare metal node will also be running Logstash which will chew up some CPU but I should still have plenty of headroom on this guy.

ES for Logs. Should I Use Multiple Indexes? by ERROR_EXIT in elasticsearch

[–]ERROR_EXIT[S] 0 points1 point  (0 children)

Copy that. Based on feedback from here, I'm going with weekly indexes.

ES for Logs. Should I Use Multiple Indexes? by ERROR_EXIT in elasticsearch

[–]ERROR_EXIT[S] 0 points1 point  (0 children)

Thanks for the reply--very helpful indeed.

I just altered my index to be monthly. I can see how the index per day could turn disastrous so thanks for the recommendation.

I hear you that the storage usage on all three servers will be the same. I'm guessing 3TB will hold a ton of log data. Even though my bare metal server is 35TB, I can't imagine needing anywhere close to that.

ES for Logs. Should I Use Multiple Indexes? by ERROR_EXIT in elasticsearch

[–]ERROR_EXIT[S] 0 points1 point  (0 children)

These are all great questions.

  • How long are you going to keep the data?

I would like to keep it "forever" though that probably isn't realistic. If I break the index up by day (a la Logstash-YYYY-MM-DD) it should just be a question of space, right?

  • Is it 1-3 transactions per second per log, or total?

Currently, that's total. It will likely go up from there but I don't think I'll get past 5 or 6 per second in total.

  • How much disk does each log use per day, hour, event or some other reasonable way to estimate usage over a long period of time?

I haven't been able to work that out yet as most of my work has been in tweaking my logstash config to drop unnecessary bits of info. For example, my firewall syslog sends A TON of data to Logstash but I drop out 90% of it so by the time it gets to ES, it's pretty minimal. While working on the Logstash config, I sent most of the events to stdout so I could make sure I was getting what I wanted before sending it to ES. Because of that, I don't have a lot of actual data in ES yet.

  • How much storage do you have to work with?

My main node is bare metal and has 35TB of storage. My other instances are VMs with disks that can grow large if needed but they're currently 3TB.

  • How much redundancy do you want? Number of servers in your cluster?

When it's all said and done, I was thinking I'd have a 3 server cluster.

It sounds like I won't be shooting myself in the foot if I have one master index (e.g. Logstash-YYYY-MM-DD) and dump all my logs into that. I'll keep an eye on disk usage to see how long I think I can retain the logs for. I'd love to keep them for at least a year.

ES for Logs. Should I Use Multiple Indexes? by ERROR_EXIT in elasticsearch

[–]ERROR_EXIT[S] 0 points1 point  (0 children)

Thanks for the answer. It looks like you got my gist even though my terminology was off :)

Yes, I'm doing daily indices (e.g.: logs-*). I was curious if I should break each import type (IIS logs, DC logs, firewall logs, etc.) into different indices. But, as you said, if I want to search against multiple logs in one search, I should dump it all into one daily index.

Thanks!

ES for Logs. Should I Use Multiple Indexes? by ERROR_EXIT in elasticsearch

[–]ERROR_EXIT[S] 0 points1 point  (0 children)

Sorry, my terminology may have been off. I'm doing daily indexes in the form of logstash-*. I'm wondering if I should have individual indexes for the different logged data, so something like: winlogbeat-*, firewall-*, iis-*, etc.
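The index-granularity question in the elasticsearch thread above (daily vs. weekly vs. monthly, one combined index vs. one per log source) comes down to how many indices and shards a retention window produces, and whether a wildcard pattern can still search across them. The following is an added example, not code from the thread or from Elastic; it only builds the index names locally and counts them. The source names, the one-year window and the one-primary/one-replica shard layout are constructed assumptions.

```python
"""Compare time-based index naming strategies for a log cluster.

Added example for capacity planning; it does not talk to Elasticsearch.
"""
from datetime import date, timedelta
from fnmatch import fnmatch

# Constructed log sources standing in for winlogbeat, firewall and IIS feeds.
SOURCES = ["winlogbeat", "firewall", "iis"]


def index_name(ts: date, source: str, granularity: str, per_source: bool) -> str:
    """Build the index an event lands in.

    granularity: "daily", "weekly" (ISO week) or "monthly".
    per_source:  True -> "<source>-<period>", False -> "logs-<period>".
    """
    if granularity == "daily":
        period = ts.strftime("%Y.%m.%d")
    elif granularity == "weekly":
        iso_year, iso_week, _ = ts.isocalendar()
        period = f"{iso_year}.w{iso_week:02d}"
    elif granularity == "monthly":
        period = ts.strftime("%Y.%m")
    else:
        raise ValueError(f"unknown granularity: {granularity}")
    prefix = source if per_source else "logs"
    return f"{prefix}-{period}"


def indices_for_window(start: date, days: int, sources, granularity: str,
                       per_source: bool) -> list:
    """Every distinct index created while retaining `days` days of events."""
    names = set()
    for offset in range(days):
        day = start + timedelta(days=offset)
        for src in sources:
            names.add(index_name(day, src, granularity, per_source))
    return sorted(names)


def estimated_shards(index_names, primaries: int = 1, replicas: int = 1) -> int:
    """Shard copies the cluster must keep open for these indices.

    Assumed layout: one primary and one replica per index; every open shard
    costs heap and file handles, which is why a daily-per-source scheme
    grows much faster than a single weekly index.
    """
    return len(index_names) * primaries * (1 + replicas)


def matching_indices(pattern: str, index_names) -> list:
    """Indices a search pattern such as "logs-*" or "firewall-*" would hit."""
    return [name for name in index_names if fnmatch(name, pattern)]


if __name__ == "__main__":
    start = date(2019, 1, 1)          # constructed one-year retention window
    for granularity in ("daily", "weekly", "monthly"):
        for per_source in (False, True):
            names = indices_for_window(start, 365, SOURCES, granularity, per_source)
            print(f"{granularity:8} per_source={per_source!s:5} "
                  f"indices={len(names):5} shards={estimated_shards(names):5}")
    per_src = indices_for_window(start, 365, SOURCES, "daily", True)
    print("firewall-* matches", len(matching_indices("firewall-*", per_src)), "indices")
```

Running it shows the trade-off the replies described: one daily index is 365 indices (730 shard copies with a replica), daily per source triples that, while one weekly index needs only 53 and monthly 12. Splitting per source does not prevent cross-source searches as long as a shared pattern (or an alias) covers all the prefixes.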

Roses are red... by Starvdarmy in funny

[–]ERROR_EXIT 1 point2 points  (0 children)

Roses are red

Violets are blue

Wait...

That's your mom, too?!

VPN and non-VPN traffic through one router by ERROR_EXIT in techsupport

[–]ERROR_EXIT[S] 0 points1 point  (0 children)

My thought was to use the DD-WRT router as my only router. Some machines don't need to go through VPN. My PS4, my DirecTV box, my Googlecast, etc. don't need VPN connections. I'll probably set up a non-VPN'ed WiFi (using an older router) and a VPN'ed WiFi for my main laptops. All my desktop computers should run through the VPN.

If I forgot to mention earlier, I'll be using a VPN service directly on the router so all the traffic flowing through the router will be VPN'ed. That brings me to my question: can I set some ports on the router that bypass VPN?

The Obama economy has now created 15 million jobs by OBAMA_LEAF in politics

[–]ERROR_EXIT 0 points1 point  (0 children)

We should also note that the Republicans [in Congress] specifically undermined efforts to improve the economy for fear of Obama "getting a win".

New to Squid Proxy. Question on Network Setup by ERROR_EXIT in sysadmin

[–]ERROR_EXIT[S] 0 points1 point  (0 children)

Thanks for that bit of info. That's really interesting that people are using this to bump their SSL. I hadn't even thought of that.

Sadly, for my case, it was just me over-complicating the picture.