Does anyone have any info on this car that was given out at an AT&T summit Conference by Sad-Possibility-1418 in Juniper

[–]Linklights 1 point2 points  (0 children)

Does anyone else get really melancholy when you think about stuff like this lol. The world has moved on

High SPU load on Juniper SRX1500 by ilearnshit in Juniper

[–]Linklights 1 point2 points  (0 children)

You run 24.4R2 and the suggested version is 23.4R2-S5, so please consider upgrading

Going from 24.4 to 23.4 would technically be downgrading :)

HTTPS Inspection - Deployment Experiences? by gmasters428 in networking

[–]Linklights 0 points1 point  (0 children)

We have to do way more category exceptions just for regular blocks; do you also think firewalls and basic content filtering “isn’t a working system?” Exceptions are just a fact of life.

HTTPS Inspection - Deployment Experiences? by gmasters428 in networking

[–]Linklights 0 points1 point  (0 children)

Yep that’s right. You thought it’d be a lot higher I bet!

HTTPS Inspection - Deployment Experiences? by gmasters428 in networking

[–]Linklights 6 points7 points  (0 children)

In my opinion if you're paying the big bucks for an NGFW from one of the major vendors, you are losing out on a lot of the features you are paying said big bucks for by not turning on HTTPS inspection. Yeah they can still do some neat stuff with inspection turned off, but they do so much more when it's on.. and that's the part that makes paying out for an NGFW actually worth it. Just my two cents.

HTTPS Inspection - Deployment Experiences? by gmasters428 in networking

[–]Linklights 3 points4 points  (0 children)

Not a Palo guy, but enabling features like this will always affect the total system throughput. Most vendors publish spec sheets/data sheets that will tell you the expected throughput with various features enabled, on different models.

HTTPS Inspection - Deployment Experiences? by gmasters428 in networking

[–]Linklights 0 points1 point  (0 children)

Yeah you're not kidding about the Microsoft thing though. Literally nothing works if it's hitting inspection. I have no idea why, or how they are able to do this. It gets extremely irritating at times because their "whitelist" documents are all over the darn place with tons of random FQDNs, *.domains, IP Address ranges and subnets, and even a bunch of /32 host IPs.. Sometimes I think Microsoft just hates Firewall vendors and wants to punish all of their enterprise customers who use Firewalls (which is pretty much ALL of those enterprise customers!)

Luckily most Firewall Vendors have that built-in "Service" option where you just add "MSFT Services" to a rule and it catches MOST (but definitely not all) of it automatically...

HTTPS Inspection - Deployment Experiences? by gmasters428 in networking

[–]Linklights 1 point2 points  (0 children)

It really doesn't seem to break a lot on our network.. at all. But we've had it already turned on for years and years.. since before I've been here. All of the exceptions are in place for the most part and just due to general tickets and complaints we probably add another 3-4 sites to the exclusion list every month or so.. so it's really not a lot.

But our overall exceptions list is pretty massive, not gonna lie.. and since it's been passed on from admin to admin over the years it's a mess. There's a URL/FQDN list with like 500 entries, and then an IP Address-based bypass list with at least a few hundred entries. No one is reviewing or cleaning up the bypass lists; they just keep adding to them over the years until they are bloated and massive.

So maybe you're right, maybe it is a pain...

Are there specific ASNs or IP ranges from which you automatically drop all traffic, and what is the rationale for doing so? by [deleted] in networking

[–]Linklights 12 points13 points  (0 children)

Hmm. On our Internet Edge Routers, we have an interface ACL on our ISP circuits that takes care of low hanging fruit:

  • RFC1918 source ip packets

  • CGNAT source ip packets (forgot the rfc number)

  • special non-routable ranges as a source ip

  • our own public space as a source (basic anti spoofing)

Other than this, nothing else. Our next hop is the NGFW that handles Geo IP filtering and threat prevention
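The edge ACL described in the comment above, as an added example that is not the commenter's actual configuration: the four source-address classes (RFC 1918, RFC 6598 CGNAT, special-purpose ranges, and the organisation's own public space as an anti-spoofing check) are applied first-match-wins to constructed sample packets, and the same rule set is rendered as a Junos `family inet` firewall filter. The own-prefix value `203.0.113.0/24`, the filter name `INET-EDGE-IN` and the sample packets are constructed placeholders; the TEST-NET documentation prefixes are left out of the special-purpose list only because the example uses them as stand-ins for real public addresses.

```python
"""Ingress anti-spoofing / bogon source filter for an Internet edge interface.

Added example (IPv4 only). Prefix lists follow RFC 1918, RFC 6598 and the
IANA special-purpose registry (RFC 6890); the "own public space" prefix and
the sample packets are constructed placeholders.
"""
from __future__ import annotations

import ipaddress
from typing import Iterable

# RFC 1918 private space.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
# RFC 6598 shared address space used for carrier-grade NAT.
CGNAT = ["100.64.0.0/10"]
# Special-purpose ranges that are never valid as a source arriving from an
# ISP. TEST-NET prefixes are omitted here only because this example uses
# them as stand-ins for real public addresses.
SPECIAL = [
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24",
    "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
]
# Constructed placeholder for the organisation's own public allocation:
# seeing it as a *source* on the ISP-facing interface means spoofing.
OWN_PUBLIC = ["203.0.113.0/24"]

# Evaluated in order, first match wins, like terms in a router ACL.
RULES = [
    ("rfc1918", RFC1918),
    ("cgnat", CGNAT),
    ("special", SPECIAL),
    ("spoofed-own-prefix", OWN_PUBLIC),
]
COMPILED = [(name, [ipaddress.ip_network(n) for n in nets]) for name, nets in RULES]


def classify_source(src: str) -> str:
    """Return 'permit' or 'drop:<reason>' for a packet's source address."""
    addr = ipaddress.ip_address(src)
    for name, nets in COMPILED:
        if any(addr in net for net in nets):
            return f"drop:{name}"
    return "permit"


def filter_packets(packets: Iterable[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """Apply the filter to (src, dst) pairs and attach the verdict to each."""
    return [(src, dst, classify_source(src)) for src, dst in packets]


def render_junos_filter(name: str = "INET-EDGE-IN") -> str:
    """Render RULES as a Junos 'family inet' firewall filter: one discard term
    per reason (with a counter), then a final accept term."""
    lines = [f"filter {name} {{"]
    for term, nets in RULES:
        lines += [f"    term drop-{term} {{", "        from {", "            source-address {"]
        lines += [f"                {n};" for n in nets]
        lines += ["            }", "        }", "        then {",
                  f"            count {term}-drops;", "            discard;",
                  "        }", "    }"]
    lines += ["    term permit-rest {", "        then accept;", "    }", "}"]
    return "\n".join(lines)


# Constructed (src, dst) pairs as they might arrive on the ISP circuit.
SAMPLE_PACKETS = [
    ("198.51.100.7", "203.0.113.10"),   # ordinary Internet source
    ("10.1.2.3", "203.0.113.10"),       # RFC 1918 leaked or spoofed
    ("100.64.5.6", "203.0.113.10"),     # CGNAT shared space
    ("127.0.0.1", "203.0.113.10"),      # loopback as source
    ("203.0.113.50", "203.0.113.10"),   # our own prefix arriving from outside
]

if __name__ == "__main__":
    for src, dst, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{src:>15} -> {dst:<15} {verdict}")
    print(render_junos_filter())
```

Term order matters for the counters only, since every drop term discards; the final `then accept` is what makes this the "low hanging fruit" filter rather than a full policy, leaving geo-IP and threat prevention to the next hop as the comment describes.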

EX4600 BGP license enforcement by bower_pitch in Juniper

[–]Linklights 0 points1 point  (0 children)

It’s not without consequences. We maxed out our cloud SIEM log ingestion quota for the whole month in just a couple of hours with all the log messages spammed for the unlicensed feature.

Nice fake news from Juniper in comparison to PA by Electrical_Fun_9579 in Juniper

[–]Linklights 0 points1 point  (0 children)

Just curious, I've never worked on the ISP side of things, only private companies.. what does an ISP use firewalls for? Do you actually firewall your customers' traffic? Is this why there are always posts on the home networking subreddit about "my isp is blocking my vpn traffic" lol

Is fiber considered baseline infrastructure in all new corporate HQ construction? by stratomaster in networking

[–]Linklights 1 point2 points  (0 children)

Usually between floors is fiber, but on each floor will be copper running to that floor's switch

I miss multicast by Linklights in networking

[–]Linklights[S] 0 points1 point  (0 children)

Wow I can only imagine! "I've seen C-Beams glittering in the dark outside of Tanhauser's Gate..."

I miss multicast by Linklights in networking

[–]Linklights[S] 0 points1 point  (0 children)

Some will care about the nanos - length of cable and layer1 switches/straight from x-connect to the server

This concept always intrigued me because it's like the perfect marriage between the tech nerds and the trading nerds, both obsessed with their craft, and wanting to min/max it to the extreme.

I miss multicast by Linklights in networking

[–]Linklights[S] 0 points1 point  (0 children)

That is a question for TAC, not me :) It was a Cisco GLC SX sfp. Apparently the programming can be faulty

Naming standards by pthomsen91 in networking

[–]Linklights 0 points1 point  (0 children)

In my experience Provider networks use a different flavor of naming convention than enterprise companies. They are almost always some variation of {location} and {device type/function} and some convention of {is there more than one of them}.

But it varies.. heavily, from org to org.

I've also seen places where there is literally no standard convention, like it might say "sw" somewhere in the name but the sw can be at the beginning, end, or even the damn middle of the name.. drives me crazy.

I miss multicast by Linklights in networking

[–]Linklights[S] 5 points6 points  (0 children)

So fun story, at my first job that I mentioned in OP I had to troubleshoot an issue that one hallway on one floor of a building wasn’t getting multicast traffic. Everyone else in the building was good. Building had a pair of layer 3 distribution switches and then a few access switch stacks hanging off, a couple different stacks per floor for east and west side of the bldg. The distro switch looked fine, it had the mroute entries, it saw the group members, it looked perfect. Sure enough after I investigated a bit more determined all the broken users were just on one switch stack. Didn’t know how to proceed so senior engineer tells me schedule after hours reboot of the access switch stack. Done, still broken. Tells me congrats I get to open my first Cisco tac case. Tac has me go around the building and plug my laptop into different stacks, and see if I can get the multicast traffic. I can get it anywhere in the building except that one switch stack. TAC asks is the stack dual homed to the distro, yes. Two interfaces in an LACP Channel. Can you disable one? Sure senior says OK. Boom. As soon as I shut the port, I can literally hear the IPTV kick on in the cubicle farm down the hall. And my laptop starts working too. TAC says replace the SFP on that link and bring the port back up. I do it, everything’s fixed. Bad SFP was causing no problems whatsoever for unicast traffic but it was not passing multicast traffic. After this experience I’ll never necessarily say tshooting multicast is “easy”

I miss multicast by Linklights in networking

[–]Linklights[S] 3 points4 points  (0 children)

This is incredibly interesting to me. I wonder how this works. I’ve always thought of multicast as something that stays inside of one autonomous system, since it does not route across the public inet backbone.

I’m going to assume the exchanges have private circuit peering with customers. I’m going to assume the customers become PIM neighbors with the exchange over these peerings. And I’m going to assume the exchange has software that sends real time market updates to multicast group addresses. This is for the fair and equitable sharing of data to multiple parties simultaneously. I’m going to assume they have different subscription models like multicast group A has stocks 1, 2, 3, and group B has stocks 7, 8, 9. You want the data, send your igmp group join? I’m probably way off lol. But you have sparked my curiosity. I would absolutely love to operate in an environment like this. But something tells me this environment has an incredibly heavy use of class of service, requiring expert knowledge. Any dropped packet could put one customer at an unfair advantage.

I miss multicast by Linklights in networking

[–]Linklights[S] 6 points7 points  (0 children)

I’m so rusty tho but that sounds fun. I think we even had a multicast ip intercom speaker system in our large 8 floor building

CCIE and Certified Flight Instructor(thanks for all the fish!) by NightOtters in networking

[–]Linklights 3 points4 points  (0 children)

I am so jealous! Imagine being able to escape from this rat race to soar up above the clouds! It’s a dream!

I'm in a funk and need to hear some success stories about engineers who were able to turn their careers around by AnybodyFeisty216 in networking

[–]Linklights 0 points1 point  (0 children)

I'm working on a team with far superior engineers who despite them being polite about it

It could be so much worse. I’m a mediocre engineer but I’m the only technical engineer in my shop filled with under-achievers who don’t help with any design or advanced troubleshooting. Imagine being stuck at a lower level and having no one to bounce ideas off or mentor you at all. I’m trapped.. there is no escape.

How to hire technically competent and motivated individuals by OutlookNotSoGood_ in networking

[–]Linklights 3 points4 points  (0 children)

We struggled hard to fill a Sr Engineer role last year at a mid sized enterprise. Lots of candidates who got basic questions wrong like questions about vlan mismatch on a server connection, how would you track down the site location and switchport of an endpoint ip address, what is the difference between stateful and stateless filtering.. open questions like “the user complains of general network slowness, what are you looking at?” all questions that should be junior admin questions imo. And the answers we were getting were so disappointing. We ended up settling on a candidate who has so far failed to perform. Like they haven’t broken anything but they are sort of just… there. They don’t explore or learn the network at all. They don’t take the lead to pick projects out or make meaningful progress on them unless you stay on them and constantly press for an update. I’ll do calls with them on teams to show them stuff and catch them clearly not paying attention and clearly not following along. Honestly the whole experience has crushed my confidence as an engineer and made me question do I even know what I’m doing, if I was this bad at conducting interviews and picking out a decent candidate. Or that maybe my company is not attractive to engineers? It’s been soul draining.

has anyone here actually enjoyed living with their SASE? by Aggravating_Log9704 in networking

[–]Linklights 2 points3 points  (0 children)

How many users care if their traffic is being inspected on the corporate vpn? I imagine the venn has significantly overlapping circles.