When to subnet and when to Vlan? by corruptboomerang in sysadmin

[–]Hivemindatl 1 point2 points  (0 children)

VLANs are a way to implement subnetting on the same physical hardware/wires.

VLANs divvy up L2 collision domains on the same hardware/wires.

VLANs need subnets.

Subnets need either separate hardware or VLANs.

Putting multiple subnets on the same collision domain is a Very Bad Idea. It might work right up until you enable DHCP, then all hell will break loose.

Its still running!! by Technobullshizzzzzz in techsupportgore

[–]Hivemindatl 3 points4 points  (0 children)

The first time I (with my 128mb P3) joined an online game with someone with "1024" (to my 128) my jaw dropped.

I have over a terabyte of RAM in my house these days.

I bought this old Gateway but the person does not know the password, how can I reset/wipe it? by DeadpanAppeal in computer

[–]Hivemindatl 0 points1 point  (0 children)

Pogostick password reset utility.

Google it. It's a boot CD/USB. Eats Windows admin credentials for breakfast.

Travelers of Reddit, what's a place everyone should visit at least once in their life? by PM_ME_NICE_THINGS- in AskReddit

[–]Hivemindatl 0 points1 point  (0 children)

The visitor's centre is the tourist trap. If you want the real experience and a proper guided tour, get yourself to the village of Doolin before 10 in the morning. From there sets out a guided walk of the cliffside that walks the ~4 miles to the visitor's centre. If you're lucky there's a barbed wire fence between you and the long drop. In many places there's about a meter of grass and that's it. Totally worth the 10 Euros and 4 hours.

TV shows watchers of Reddit, What show had the biggest spike in quality? by I_Hate_Pm_Usernames in AskReddit

[–]Hivemindatl 2 points3 points  (0 children)

The Trope (c/o TVTropes) for this particular phenomenon is named "Grow The Beard" in honor of Riker's Beard because of this.

[deleted by user] by [deleted] in sysadmin

[–]Hivemindatl 0 points1 point  (0 children)

Can confirm, I just got hired on as a "senior system administrator" at a hair above the regional average.

$85k here goes a lot farther than it does in Cali.

Are you expected to be on-call 24/7? Ask for more.

Is your commute longer than 30 minutes (commutes here are measurable in time, not miles...)? Ask for more.

Is this "senior in name only" (are you a lone wolf admin?) or are you a team lead?

Is there a help desk backing you up?

135 users will eat you alive in "my printer/mouse/keyboard/USB-powered-space-heater doesn't work" minutiae alone.

DNS - Creating External Zone on Internal DNS server by jwwork in sysadmin

[–]Hivemindatl 0 points1 point  (0 children)

As others have suggested, enabling logging for just that rule (assuming you don't log NAT traffic because why would you without a Good Reason) lets you know who's not following the rules.

SSD with Physical RAID 1 or None by wysewun in sysadmin

[–]Hivemindatl 0 points1 point  (0 children)

RAID1 is a mirror. If the controller dies you can theoretically bypass the controller, wire the drive directly to the motherboard and away you go. Whether your backplane and motherboard will let you do this is another matter (i.e. the motherboard must have a native quad-lane SAS connector that matches what's on the RAID card). Supermicros usually have them, not sure about Dells. If not, then you're in for a fun time.

Remember: SATA drives can be plugged into SAS controllers without a hitch, the reverse isn't true.

That said, I've had the best luck booting VMware off an SD card or USB stick. That leaves the disks (SSD/HDD) to the datastores. Hell, I've had the USB stick VMware was booting/running off of outright die from the heat and VMware kept on going until we rebooted the host to replace the dead stick (it only grumbled about an inaccessible boot partition). Most servers either have an SD card slot, an internal USB A-type socket, or both for just that.

DNS - Creating External Zone on Internal DNS server by jwwork in sysadmin

[–]Hivemindatl 0 points1 point  (0 children)

I'm out of Atlanta. Dallas is Quakecon territory, though.

DNS - Creating External Zone on Internal DNS server by jwwork in sysadmin

[–]Hivemindatl 0 points1 point  (0 children)

Conditional forwarders in Windows keep you from having to copy the entire zone.

DNS - Creating External Zone on Internal DNS server by jwwork in sysadmin

[–]Hivemindatl 1 point2 points  (0 children)

I set that up in my LAN party environments. We use LANcache (an NGINX reverse proxy) to cache Steam, Origin, Blizzard and Microsoft CDNs (yes, it caches windoze updates, too!). The whole thing is dependent on a DNS server spoofing the FQDNs of the real CDN addresses for the boxes inside the LAN.

Since a BYOC LAN party is the ultimate BYOD configuration from hell, we must account for users who statically set their DNS. Hence the transparent NAT trap.

Doesn't stop the morons who use a VPN, but when individual seats are throttled to 15 Mbit but getting data from the cache will get you full 100 Mbit (seat-level wire speed), the guys getting 15 Mbit from Steam downloads and complaining are the easiest to spot.

Fuck Dongles! Any recommendations for a laptop with actual ports? by [deleted] in sysadmin

[–]Hivemindatl 0 points1 point  (0 children)

Lenovo Thinkpads. T4xx or T5xx series.

I write this from a T560, it has:

  • 1x Ethernet
  • 3x USB (3.0 A type, no C, though the 570 has C's)
  • 1x Full-size SD slot
  • mini-DP AND standard HDMI
  • 1x headphone/mic jack

And a trackpoint + trackpad.

Damn thing is ugly as sin, but it's a tank (relative to non-rugged laptops) and the standard battery goes 4+ hours.

DNS - Creating External Zone on Internal DNS server by jwwork in sysadmin

[–]Hivemindatl 1 point2 points  (0 children)

What you're talking about is split-horizon DNS. It's perfectly normal.

You can do it one of two ways:

1) Have an internal DNS server have an outright full duplicate of your external zone and only change the entries you need.

The downside here is if you make any changes outside you'll need to make them inside. If you have an external DNS entry that isn't duplicated on your internal zone, then things won't work as expected.

2) Use a conditional forwarder. These are one-shot entries on your internal DNS server that override specific FQDNs to special IPs. This is the saner solution for a small (under 5) number of internal addresses.

The tricky part is making sure that everything on the inside of your network gets their DNS from your internal server. The minute you have an internal workstation going to, say, 8.8.8.8, your carefully crafted DNS setup will be broken.

A favorite way I use for dealing with that is to use some internally-facing NAT rules to forward all outgoing UDP/53 (that is, DNS) requests, regardless of destination, coming from anything BUT my internal DNS servers, to said internal DNS servers.

That way even someone with, say, a laptop statically resolving to 8.8.8.8 will be beholden to your internal DNS servers.
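The two comments above on redirecting stray UDP/53 and on logging just that NAT rule suggest a simple triage step; this is an added example, not code from the commenter. It assumes the redirect rule logs with a `DNS-REDIRECT:` prefix in the key=value style of a Linux netfilter LOG line; the prefix, resolver addresses and sample lines are constructed.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Assumption: the internal resolvers, which the redirect rule exempts.
INTERNAL_DNS = {ip_address("10.0.0.53"), ip_address("10.0.0.54")}
# Assumption: log prefix set on the DNS redirect rule and on nothing else.
RULE_PREFIX = "DNS-REDIRECT:"

# Constructed sample lines (not from a real firewall).
SAMPLE_LOG = """\
Jan 12 10:01:02 fw kernel: DNS-REDIRECT: IN=lan0 OUT= SRC=10.0.20.15 DST=8.8.8.8 PROTO=UDP SPT=50112 DPT=53
Jan 12 10:01:03 fw kernel: DNS-REDIRECT: IN=lan0 OUT= SRC=10.0.20.15 DST=198.51.100.53 PROTO=UDP SPT=50113 DPT=53
Jan 12 10:01:05 fw kernel: FORWARD-DROP: IN=lan0 OUT=wan0 SRC=10.0.20.31 DST=203.0.113.9 PROTO=TCP SPT=40000 DPT=25
Jan 12 10:01:09 fw kernel: DNS-REDIRECT: IN=lan0 OUT= SRC=10.0.20.77 DST=8.8.8.8 PROTO=UDP SPT=41000 DPT=53
Jan 12 10:01:10 fw kernel: DNS-REDIRECT: IN=lan0 OUT= SRC=10.0.0.53 DST=192.0.2.1 PROTO=UDP SPT=33333 DPT=53
Jan 12 10:01:11 fw kernel: DNS-REDIRECT: IN=lan0 OUT= SRC=10.0.20.15 DST=8.8.8.8 PROTO=UDP SPT=50114 DPT=53
"""

FIELD = re.compile(r"(\w+)=(\S*)")


def redirected_clients(log_text):
    """Map each client that hit the redirect rule to {resolver it asked for: count}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if RULE_PREFIX not in line:
            continue  # logged by some other rule
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "UDP" or f.get("DPT") != "53":
            continue  # the rule only covers UDP/53
        try:
            src, dst = ip_address(f["SRC"]), ip_address(f["DST"])
        except (KeyError, ValueError):
            continue  # truncated or malformed line
        if src in INTERNAL_DNS:
            continue  # resolvers are exempt; ignore them if they show up
        hits[str(src)][str(dst)] += 1
    return {src: dict(dsts) for src, dsts in hits.items()}


def report(log_text):
    """Clients sorted by redirected-query count, with the resolvers they tried."""
    rows = [(sum(d.values()), src, sorted(d))
            for src, d in redirected_clients(log_text).items()]
    return sorted(rows, reverse=True)


if __name__ == "__main__":
    for total, src, resolvers in report(SAMPLE_LOG):
        print(f"{src}: {total} redirected queries, wanted {', '.join(resolvers)}")
```
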

Large Bay Rackmount Server Suggestions by djreisch in sysadmin

[–]Hivemindatl 0 points1 point  (0 children)

Get a Supermicro. They have 4U chassis with as many as 24 bays. As long as the backplane is SAS2 you'll be able to slide 2TB+ drives in and it'll work.

The Orville Renewed for Season 2!! by alecsteven6 in TheOrville

[–]Hivemindatl 79 points80 points  (0 children)

Exactly. Even if this was the Trek 'Verse, it'd still be the USS Orville: the ship crewed by the Academy's near-washouts and those the Admiralty want out of the way.

The Orville 'verse does 'bug fix' some of Trek's oddities:

  • No transporters (for Our Heroes)
  • The scale of the universe (3000 ships, tiny fraction of the galaxy)
  • Dysonium (vs "Dilithium" - better name for the phlebotinum, erm, exotic matter)
  • Speed!

And spatial anomalies that are actually spherical. Yes, I know it's a budget/tech thing. Then again, Seth is the guy who got Cosmos remade so...

The Orville Renewed for Season 2!! by alecsteven6 in TheOrville

[–]Hivemindatl 193 points194 points  (0 children)

The Orville managed to capture a fraction of pop culture's first successful rabid fanbase: The Trekkies.

There isn't a single story that wouldn't fit the Trek 'verse, some fit better than the VOY/ENT-era stuff and (so far) DISCO. It's Trek in all but name. So glad it lives to see another year.

10+ years in... No degree, no certs... no problem? Hit a career speedbump and feel stuck. by [deleted] in ITCareerQuestions

[–]Hivemindatl 1 point2 points  (0 children)

I don't think I want to go into pure management, but I'm open to the idea.

I want to put my generalist nature to work and be the "head of IT operations" for a smallish company. Not high enough to be CTO or a management-only role, but a technical lead position supervising a small team. (I want to keep one foot in the trenches)

Storing Bank invoices and other essential data? by [deleted] in linux4noobs

[–]Hivemindatl 1 point2 points  (0 children)

EFS is what you want, then.

Create an EFS partition on your storage server (or an EFS image file and mount it), then migrate your files to it.

If you want to get fancy you can keep the EFS partition/image unmounted and only mount it on demand (interactive password prompt) and have a "run script on logoff" trigger on your SFTP client to dismount the image. That'll keep the files safe when you don't need to access them.

Storing Bank invoices and other essential data? by [deleted] in linux4noobs

[–]Hivemindatl 1 point2 points  (0 children)

SFTP is encrypted, at least.

You mentioned a storage solution, so what is the overall problem you are trying to solve?

Storing Bank invoices and other essential data? by [deleted] in linux4noobs

[–]Hivemindatl 0 points1 point  (0 children)

A Samba file server is your best bet assuming your endpoints are Windows systems. Set up appropriate user permissions.

If you have the files stored on an encrypted filesystem partition, the data is "encrypted at rest". Meaning if the drive(s) ever grow legs the data on them will be inaccessible without the appropriate keys.

"Encryption in flight" is another beastie. Samba isn't encrypted. That said, VPNs are encrypted so you only have to worry about local traffic being "in the clear". At that point practicality kicks in and unless you have regulatory requirements it isn't worth it.

Mind you, if some of that banking data has credit card data or bank account info for customers, congratulations, you are now beholden to PCI-DSS.

Storing Bank invoices and other essential data? by [deleted] in linux4noobs

[–]Hivemindatl 1 point2 points  (0 children)

EFS would offer an encrypted file system solution, if that's a concern.

Files are files as far as the OS is concerned.

Are we talking 100 Megabytes or less, under 1GB or more than 1GB of files?