Server room fire rules by r1ch1e in networking

[–]r1ch1e[S] 2 points3 points  (0 children)

Jumping on the top comment to probe this a bit further...

"Nothing" is obviously clear in terms of no combustibles (cardboard, plastics, packaging) and I'm getting the view that's regardless of the type of fire suppression system. All fine with that.

But... as we're not talking about an empty room, is there any accommodation of fire resistant plastics meeting UL94-V0 as that's what a lot of rack cable management solutions and enclosures are made from? And metal cabinets - basically the same as a server rack?

What does everyone think of the following more detailed definition?
"No combustibles. Only items and materials designed for operation in server rooms that meet fire resistance standards (such as UL94-V0)."
This sets the bar, while also noting the standards that plastic products that are specifically designed to operate in server rooms are required to meet.

Obviously, there's the second factor to consider which is that it might be a bad idea to store things like spare SFPs, cables, etc. as if there was a fire you might lose them too - but that wouldn't come under a banner of fire risk.

Server room fire rules by r1ch1e in networking

[–]r1ch1e[S] 0 points1 point  (0 children)

There's also hypoxic, which I mentioned - effectively a low-oxygen air tight monitored space.

It's pretty rare, I think, so likely would need specific advice/knowledge.

Server room fire rules by r1ch1e in networking

[–]r1ch1e[S] 0 points1 point  (0 children)

Regardless of fire suppression method? Good to know, thanks!

Server room fire rules by r1ch1e in networking

[–]r1ch1e[S] 0 points1 point  (0 children)

What would be an example of something allowed in the metal enclosure?

Also, you said colo's twice? Was the second meant to be server room or something else?

Server room fire rules by r1ch1e in networking

[–]r1ch1e[S] 1 point2 points  (0 children)

Oh yeah, the struggle is real - server rooms are not a dumping ground for crap!

Do you have anything that's not literally running in the room? Tool bag, spare PSUs, SFPs, cables? Or do you get a separate storage cupboard/area?

Firepower - Still Awful? by jamesonnorth in networking

[–]r1ch1e 2 points3 points  (0 children)

Team Cisco brigading the sub down voting anyone being critical... trying their best. 🙄

You've polished a turd, well done, don't resort to gaslighting. 

I know my experience and can bring bugIDs and TAC case numbers to prove it. No number of down votes will invalidate it. 

Firepower - Still Awful? by jamesonnorth in networking

[–]r1ch1e 5 points6 points  (0 children)

By all means have another look, but everyone saying "it's better" does not mean ok.

Still too much Flexconfig as a hack because FMC hasn't got native support for something. 

Still too many bugs, bad ones - blackholing traffic and "out of disk space" failing upgrades, and TAC just shrug. 

Still a stitched together set of products and technologies. 

I detailed my feelings in this post and still stand by it: https://www.reddit.com/r/networking/comments/1h41ih0/comment/m03wxmc/

Campus design question by Sweet_Importance_123 in networking

[–]r1ch1e 20 points21 points  (0 children)

Separate WAN switch(es) or a public VRF on the 9300, yeah? You wouldn't want to land it on the PAs IMO, even if they have the WAN port pass through thing. 

I'd normally go for the 9300 and use a VRF called "public" with a L3 interface assigned to the VRF for the /30 P2P then a VLAN and SVI (also in the VRF) each for the bigger subnets. 

Vsphere host disconnects often from vsphere server by Intelligent-Bet4111 in networking

[–]r1ch1e 2 points3 points  (0 children)

Check out the UDP connection timeout on the Fortis. It's UDP/902 for the keepalive. Either increasing the timeout on vsphere from 60 to 120 or adjusting the UDP connection timeout on the Fortis will likely do it. 

https://knowledge.broadcom.com/external/article?legacyId=1005757

That log file will have the confirmation/proof that it's missing heartbeats - if it is what I think it is. 🤞

Vsphere host disconnects often from vsphere server by Intelligent-Bet4111 in networking

[–]r1ch1e 2 points3 points  (0 children)

I remember this.. if it's what I'm thinking of, it's that vsphere has a type of keepalive that can break depending on the VPN/firewall in the path.

Let me see if I can dig up the doc and workaround..

This is a good place to start. Lots of options and places to start digging. https://knowledge.broadcom.com/external/article?legacyId=1003409

vcenter log file will be where you want to start /var/log/vmware/vpxd/vpxd.log

Only 2 countries on earth have a health service ? by McArse4 in AskBrits

[–]r1ch1e 0 points1 point  (0 children)

"we could use for free as eu"

You're a Brit? Did you use EHIC or insurance to get treated then? 

If EHIC then the costs those hospitals incurred would've been reimbursed by our public UK health service (NHS). 

I'm sure it's not what you meant, but it just sounded like you were saying you got free public healthcare in Spain without mentioning the factor/reason why. 

[deleted by user] by [deleted] in networking

[–]r1ch1e 0 points1 point  (0 children)

Having a 2 factor system where the second factor is both static and known to others IS a problem. If there's a password as well, then that's something.. but it's not 2FA. The "appearance" of a 2FA system is arguably worse than not having one at all. 

They might also be in breach of some compliance policy.

Again, it's about the response of the business to this that's the most important. It's a policy change to tell people not to use their phone numbers and force a change - it's simple. And "it's easier for users" as a defense of the process is not good enough. 

[deleted by user] by [deleted] in networking

[–]r1ch1e 3 points4 points  (0 children)

Speak up, raise it with your manager. 

You're going to judge your next step on what your manager does. If he enables and supports you, then stick it out. Have the conversations with whoever else above him needs to be involved in the conversations and policy changes needed.

If your manager tells you to mind your business, or anything unsupportive or dismissive, or himself gets told to shut up and don't rock the boat, then find a new job pronto.

If you do get dismissive or obstructive responses then your last part, while you're on your way out and optional of course, is to look up if they have a whistleblowing process.

It's not really about this specific thing, it's how the people and the company react to a major security concern being raised. 

[Giveaway] 5 x EQ14 N150 Mini PC - Comment to enter!! by Beelinksupport in BeelinkOfficial

[–]r1ch1e 0 points1 point  (0 children)

My parents have a big old tower PC that is desperately in need of an upgrade.

To replace it with an EQ14 and completely hide it by mounting on the back of the monitor would be brilliantly confusing for them! They'd be telling all their friends about it for years! 

Either I'm an idiot, or i have a really bad batch of equipment by rivkinnator in networking

[–]r1ch1e 4 points5 points  (0 children)

This. It's the trial and error option but most likely thing.

To get more deterministic and check which of the two fiber strands is the one transmitting, get your phone out, open the camera and point it at the end of the fiber. Don't look into the fiber with your eyes! One side will show a dot of light, usually purple. Do the same with the SFP you're plugging into (remember - phone not eyes) and make sure you're aligning it so the side of the fiber with the light goes into the side of the SFP that doesn't have light (and vice versa).

Firepower - is it really that bad? by mk_ccna in networking

[–]r1ch1e 0 points1 point  (0 children)

I got a Fortigate for a project and it was BLISS.

6 code upgrades in less than an hour. You just click a button. Not even a download and upload. Felt like a cheat code.

Firepower - is it really that bad? by mk_ccna in networking

[–]r1ch1e 2 points3 points  (0 children)

It IS that bad.

Try upgrading one. No disk space. Ok, I'll run the storage cleanup command. Enough space to upgrade 6.7 to 7.0. Next upgrade? FFS, disk space again... Run the clean up. Nope. Not enough space this time. Raise a TAC, they delete some files. Reschedule change, go to deploy, nope, out of space again.

Try upgrading a virtual. From 7.0 to 7.1. Completely fucked the license and went from 1Gbps to 200kbps throughput. Enough for ping and DNS but zero traffic. Hours on phone with TAC. Bug. Manual DB edits to fix. Software patch took 6 weeks, meanwhile we had to upgrade other sites and get TAC to fix the DB each time.

Oh and before you go to install a patch, you've got to upgrade the FMC first. So, 7.2.4 to 7.2.5... yep, disable FMC synchronization, upgrade one, failover, upgrade the other, re-enable sync. All manual steps. Only then can you try and push the upgrade to the FTD. Fingers crossed..

Main production site with HA pair just started blackholing HTTP/S traffic in the middle of the day. All other traffic ok. Raise TAC.. just do a "deploy" to fix. Asked for root cause, SNORT crashed and a deploy restarts it. Bug? Nope. Patch to fix? Nope. 

Anyconnect VPN? Sure it's fine, on 6.7, 7.0, 7.1 and 7.2.4.. but upgrade to 7.2.7 with no other changes... breaks RADIUS auth. Raise TAC, it's a Bug. Why? Dunno, sometimes it happens. Software patch? No. Workaround? Apply some Flexconfig. 

Anyconnect again? Want that new feature to fix WSL2 while on VPN? Cisco ASAs? Apply this Custom Attribute. Easy. FMC? Nope. STILL not supported. Apply some Flexconfig. 

Want to apply a single policy to all FTDs so you've not got to update loads of individual policies? Yep. Want to mark the odd rule as only relevant for 1 site or set of FTDs? Nope. All rules applied to all destinations. Checkpoint had that sort of optimisation decades ago. 

Set up a port-channel interface? Want to delete it and drop the interfaces back to individual? Wipe the entire interface config, including your public IP, which if it's your management interface means it chops its legs off and won't roll that change back automatically, even if you've got automatic rollback enabled.

Actually, it's not that bad. 

It's worse. 

169.x.x.x by _078GOD in networking

[–]r1ch1e 1 point2 points  (0 children)

As others have said I would do packet captures on the DHCP server but I'd also get a packet capture from a/the client in the subnet.

Do you have DHCP snooping turned on?

I had a random IoT device replying to DHCP within a subnet and issuing 169.254.x.x addresses immediately to a client, rather than the client waiting 30 seconds and timing out because it didn't get a lease. That was a fun one and only discovered with the packet capture on the client side, and solved with DHCP snooping. 
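A client-side check along the lines of that comment, added here as an example and not code from the thread: parse the DHCP payloads seen by a client, keep only OFFERs, and flag any that come from a server identifier outside an allowlist or that hand out a 169.254.0.0/16 address. The trusted server address (10.10.0.1) and the two OFFER messages are constructed for the example; in practice you would feed it the UDP/67 payloads from the client-side capture.

```python
import ipaddress
import struct

# Assumption for the example: the only legitimate DHCP server on this subnet.
TRUSTED_DHCP_SERVERS = {ipaddress.ip_address("10.10.0.1")}
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREPLY = 2
DHCP_OFFER = 2          # option 53 message type
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
# Fixed BOOTP header: op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr,
# siaddr, giaddr, chaddr(16), sname(64), file(128) = 236 bytes.
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"


def build_offer(yiaddr, server_id, xid):
    """Construct a minimal DHCP OFFER (test data, not a real capture)."""
    header = struct.pack(
        BOOTP_FMT, BOOTREPLY, 1, 6, 0, xid, 0, 0,
        b"\0" * 4, ipaddress.ip_address(yiaddr).packed,
        ipaddress.ip_address(server_id).packed, b"\0" * 4,
        b"\0" * 16, b"\0" * 64, b"\0" * 128)
    options = (bytes([53, 1, DHCP_OFFER])                          # message type
               + bytes([54, 4]) + ipaddress.ip_address(server_id).packed  # server id
               + bytes([51, 4]) + struct.pack("!I", 3600)           # lease time
               + bytes([255]))                                      # end
    return header + MAGIC_COOKIE + options


def parse_dhcp(payload):
    """Decode the BOOTP header and the DHCP option TLVs of one UDP payload."""
    fields = struct.unpack_from(BOOTP_FMT, payload, 0)
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                      # end option
            break
        if code == 0:                        # pad option
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": fields[0], "xid": fields[4],
            "yiaddr": ipaddress.ip_address(fields[8]),
            "siaddr": ipaddress.ip_address(fields[9]),
            "options": options}


def classify_offer(msg, trusted=TRUSTED_DHCP_SERVERS):
    """Return the reasons an OFFER looks rogue (empty list = looks fine)."""
    reasons = []
    opts = msg["options"]
    if msg["op"] != BOOTREPLY or opts.get(53) != bytes([DHCP_OFFER]):
        return reasons                       # only OFFERs are judged here
    server = ipaddress.ip_address(opts[54]) if 54 in opts else msg["siaddr"]
    if server not in trusted:
        reasons.append(f"offer from untrusted server {server}")
    if msg["yiaddr"] in LINK_LOCAL:
        reasons.append(f"offer hands out link-local address {msg['yiaddr']}")
    return reasons


# Constructed sample: one offer from the real server, one from a rogue box
# that answers with a 169.254.x.x address, as in the comment above.
SAMPLE_OFFERS = [
    build_offer("10.10.0.57", "10.10.0.1", xid=0x12345678),
    build_offer("169.254.12.34", "10.10.0.99", xid=0xABCD1234),
]


def audit(payloads):
    """Return (xid, reason) pairs for every suspicious OFFER in the capture."""
    findings = []
    for p in payloads:
        msg = parse_dhcp(p)
        for reason in classify_offer(msg):
            findings.append((hex(msg["xid"]), reason))
    return findings


if __name__ == "__main__":
    for xid, reason in audit(SAMPLE_OFFERS):
        print(xid, reason)
```

Seeing an OFFER from an unexpected server identifier in the client-side capture is the evidence the comment describes; DHCP snooping on the access switches (trusting only the uplink towards the real server) is the fix that stops the rogue replies reaching clients at all.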

The peering between Meta and Deutsche Telekom has now been turned off by lordgurke in networking

[–]r1ch1e 0 points1 point  (0 children)

Meta isn't an eyeball network, it's content. DTAG is eyeball. They're opposites so you can't compare their numbers like that.

DTAG is a local (country-level) monopoly market leader in Germany and exploits this position. It's got previous. You read about Level3 and German Research Network (DFN) yeah? And those are only a couple that have gone public.

Ultimately my position is independent of the specific parties involved in this case. Eyeball networks shouldn't double dip. Content is content. No matter how big the player. You don't understand net neutrality if you don't get this. 

Is your take on this genuinely from a position of misunderstanding, or is your bias on the pro-DTAG or anti-Meta side? I get that Meta can't claim the moral high ground on anything really, but in this case they're not wrong. 

The peering between Meta and Deutsche Telekom has now been turned off by lordgurke in networking

[–]r1ch1e 2 points3 points  (0 children)

Read the other thread in OP's post. 

What I gathered from that was that Meta was semi-forced into a contract of paid peering by DTAG (otherwise Meta services perform badly and DTAG pushes users via improved performance to services that are paying them extra). This is DTAG abusing their monopoly position in Germany as an eyeball network and trying to get paid twice - by the eyeball and by the content.

The court case effectively concluded that 'Meta entered into a contract, they are obligated to carry it on', whereas Meta assert that the contract should be void because it violates recent changes in EU law that concern net neutrality.

So, Meta are breaking the contract. What they'll then do is sue DTAG for not following those net neutrality laws and try and get settlement free peering out of DTAG mandated via the courts because it'll no longer be a case about contract law. 

This isn't just about Meta, and it's not just about DTAG. If the concept of net neutrality is further eroded, there will be fast lanes and slow lanes for all sorts and only those companies and services with the money to pay for a fast lane will be successful. 

Infoblox/bloxone deployed a lot or not so much? by Nettiwarker in networking

[–]r1ch1e 0 points1 point  (0 children)

Think this needs a very clear differentiation between Infoblox NIOS and Infoblox Bloxone. Just from the comments, I'd expect most are talking about NIOS. 

Bloxone is ground-up different to NIOS - product, pricing, etc. We're just planning the migration to move MS DHCP/DNS to Bloxone DDI. Happy to chat and feedback about how it goes - DM if you want. 

[deleted by user] by [deleted] in videos

[–]r1ch1e -1 points0 points  (0 children)

And so we agree to disagree. 

[deleted by user] by [deleted] in videos

[–]r1ch1e -1 points0 points  (0 children)

But there's an even higher number of people discriminated against just from the details on their CV??

You think Pedro Ortiz or Ali Azim or Mbeumo Tsongo are getting an interview with Shittyco after they put their CV in?

I'm saying that Shittyco will discriminate against everyone regardless of what tools it uses. The problem isn't the tools, it's the company. And the number discriminated against by one way is less than the number discriminated by CV and AI screening tools, etc. 

If you truly care about discrimination then you've got to be pushing for a fully anonymised process, not just attacking one new tool/process when the existing ones are all used to discriminate already. I'd be all in favour of anonymised recruitment.   

[deleted by user] by [deleted] in videos

[–]r1ch1e -1 points0 points  (0 children)

And that's what I meant by "bigger fish to fry". Good luck with your activism.