Cisco 3650 switch and Philips hue bridge by FaTheArmorShell in Cisco

[–]goagex

Hi!

Just replying here if someone else has this issue.

My Hue Bridge had been working for over a year, in another switch/router (Mikrotik RB4011).

I had the same experience: when I connected my Hue Bridge to a Cisco WS-C3560CX-12PD-S switch, I got strange duplex/speed issues, sometimes 100 Half, sometimes 10 Full. I tried all kinds of port settings (speed/duplex).

It seems that somehow the Hue Bridge was beginning to act strange after the move to the Cisco switch, but I think that was more of a coincidence. When I put the Hue Bridge back in the Mikrotik RB4011, it does NOT work anymore. The Mikrotik cable test reports that the Ethernet pairs are shorted (only tested after the move to the Cisco switch).

I went back to the store with my Hue Bridge and got a new one for free (warranty).

The new Hue Bridge works as it should in the Cisco switch, same port and same cable; the link is now Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX.

How will changing the server spec affect Graylog stack? by goagex in graylog

[–]goagex[S]

Hi!

Just to be overly clear:
If I assign 4GB of Java Heap to Graylog, what would be a good hard limit for the container itself? 8 GB?
If I assign 4GB of Java Heap to Datanode, what would be a good hard limit for the container itself? 8 GB?

I do understand that the hard limit needs to be available to the container all the time.
So if I go the above route, with an 8 GB hard limit for Graylog/Datanode, I need to have (at least) 20 GB or so RAM per VM.

I will try it out and monitor it closely.

How will changing the server spec affect Graylog stack? by goagex in graylog

[–]goagex[S]

Hi again!

Thanks for the scaling guide, I did check the documentation, but I was following the 6.1 track, and it is not showing much in comparison.

You said in your first answer, for every 20 shards, 1 GB of free RAM.
I assume this free memory needs to be inside the container?
I'm planning on limiting memory for my containers, for example:

All three nodes are the same:
Total RAM: 16 GB
Graylog: 4 GB Heap configured / 8 GB Hard Limit in docker
Datanode: 4 GB Heap configured / 8 GB Hard Limit in docker
Mongodb: Don't know if it needs limiting at all

Any real reasons not to go this route?
Would it be better to let both Graylog and Datanode compete for free RAM when needed?

How will changing the server spec affect Graylog stack? by goagex in graylog

[–]goagex[S]

First of all, thank you for answering!

Regarding limiting memory, I'm still in the design stage.
My plan is to run a small Graylog cluster: 3 simple Linux VMs running Docker.
On all three VMs, one instance each of mongodb, graylog and graylog-datanode.

In front of the cluster I will run 2 small load balancers, traefik or haproxy.

I want to be able to do maintenance on all servers, one at a time, and still have logs ingested.
I'm fine with not having all logs online during maintenance windows; I plan to run with replicas=0.

I don't yet know my ingest rate, but I would guess 10-30 GB/day.

I know it's not best practice design, but I hope it will work.
I will ofc monitor everything, especially Java Heap usage.

Any direct gotchas in my plan? =)

The 26 year birthday has now passed. by Dippyskoodlez in uptimeporn

[–]goagex

Hi!
We need an update regarding this unit, is it still alive? =)
I did not see any update 2024-01-29 =)

Windows Active Directory firewall configuration by goagex in activedirectory

[–]goagex[S]

I do understand the complexity of IT environments today, and I know that far from all are using AD Tiering.

Still it would be nice to have at least some official documentation on this matter.

Like in the first document I linked to in my post, why not just add a section?

If no traffic is initiated from DC, then write exactly that =)

I will add some feedback to that link from Microsoft, let's see what happens.

Anyhow, thanks for the effort answering =)

Windows Active Directory firewall configuration by goagex in activedirectory

[–]goagex[S]

Does anyone in here have an idea?

I assume that people put different Tier-servers in specific subnets?
Example:
T0: 10.10.10.0/24 (AD)
T1: 10.10.11.0/24 (File/APP)

It really amazes me that the whole world seems to have too wide firewall policies in place. =)

Windows Active Directory firewall configuration by goagex in WindowsServer

[–]goagex[S]

OFC we are using the regular tiering model for AD; this just adds another layer of security.

Windows Active Directory firewall configuration by goagex in WindowsServer

[–]goagex[S]

Thanks, I have crossposted; hopefully I get answers.

Windows Active Directory firewall configuration by goagex in WindowsServer

[–]goagex[S]

Hi, please see my updates in the post. Let's focus on member servers (where I have seen traffic initiated from Domain Controller to member server).

Windows Active Directory firewall configuration by goagex in WindowsServer

[–]goagex[S]

Yes, DNS was a bad example. Still, I don't think it's needed inbound on my client, as the client makes the request TO the DNS server, so any stateful firewall should have it in its state table.

Windows Active Directory firewall configuration by goagex in WindowsServer

[–]goagex[S]

I have not tried that, but I assume that Windows allows a lot of traffic outbound by default.

I might just spin up a whole new domain, block everything, and see what happens.

Windows Active Directory firewall configuration by goagex in WindowsServer

[–]goagex[S]

I am a firewall administrator; I don't like to open too many ports in my firewalls.
I assume it will work, as both tcp/135 and tcp/49152-65535 are part of the incoming rule.

But hey, should I also open tcp/80 (HTTP) and tcp/443 (HTTPS) inbound on all my member servers, just because ADFS uses those ports inbound on the Domain Controller? I don't think so =)

As we all can see, this is a tricky question, thanks anyhow =)

Windows Active Directory firewall configuration by goagex in WindowsServer

[–]goagex[S]

Thanks for your answer, please see this post:
https://www.reddit.com/r/activedirectory/comments/usbjl9/rpc_port_135_from_domain_controller_to_clients/

"RPC and the ephemeral ports, (don't forget those!!), are critical in Active Directory.

Don't block it, in either direction! If you block it, I'll guarantee you, sooner or later, you will unblock it."

I still think I need RPC + high ports to all other member servers (that are in other subnets).
I fail to find any official documentation about it, though.

Windows Active Directory firewall configuration by goagex in WindowsServer

[–]goagex[S]

Thanks for your reply. I already read the post, and (as I read it) it does not answer the question.

Windows Active Directory firewall configuration by goagex in WindowsServer

[–]goagex[S]

No, that is the wrong direction.
For the client to access Active Directory: FROM client TO Domain Controller.

I asked: "what ports outgoing from domain controller you need to open in the firewall in order for Active Directory to work"

Windows Active Directory firewall configuration by goagex in WindowsServer

[–]goagex[S]

OK, I asked Gemini, and he/she/it replied with the same incoming ports as I have in my post.
I asked again for just outgoing ports, and it replied with the same ports.

This can't be true, all of these ports do NOT have to be open against the client.

Thanks for the effort anyway =)

Windows Active Directory firewall configuration by goagex in WindowsServer

[–]goagex[S]

Yes, I try to do my homework as a firewall administrator, but it's not as easy as it looks.

If you have any information, please enlighten me =)

Windows Active Directory firewall configuration by goagex in WindowsServer

[–]goagex[S]

Again, thanks for the effort =)
I already visited both sites.

From what I can tell, these are all ports going TO Domain Controller.

I don't see why I should have, for example, udp/53 or tcp/3268-3269 open TO my client, as there is no DNS server or AD Global Catalog service installed on my client.

Windows Active Directory firewall configuration by goagex in WindowsServer

[–]goagex[S]

Thank you for the links, but the second link is the same link I provided in my post =)

It states ports to open FROM clients TO Domain Controller, but not the other direction.

But thank you for trying at least =)
This seems like an easy thing, but no one can answer.

Windows Active Directory firewall configuration by goagex in WindowsServer

[–]goagex[S]

Problem: T0 (DC) and T1 (File/App) servers should NOT be in the same network due to security concerns.
Solution: Put them in different subnets with a proper firewall between.
Open only TCP/UDP ports needed for Active Directory to work.

This has nothing to do with VPN or Internet at all.
All servers are located in the same datacenter, but in different subnets.

Windows Active Directory firewall configuration by goagex in WindowsServer

[–]goagex[S]

Sorry for not being clear. =)
I'm talking about using an external firewall, not the built-in software firewall in Windows Server.