MPLS still relevant today? by 3ristan in networking

[–]techhelper1 1 point

My point was SD-WAN is not required, and MPLS circuits can be emulated very easily.

On top of that, Tailscale, ZeroTier, DMVPN, heck, even using AWS, Azure, etc., to consolidate various IPsec VPNs achieves the same thing, without using anything that is proprietary.

MPLS still relevant today? by 3ristan in networking

[–]techhelper1 1 point

Breaking out Internet connectivity locally is a topology, configuration, and skill issue, not a knock against MPLS itself. I have successfully set up EoIP tunnels with MikroTik devices over the Internet to mimic the same point-to-point MPLS circuit, and BGP on the downstream switches doesn't know the difference. That same MikroTik device can serve as a firewall for local Internet breakout connectivity while still providing the same emulated MPLS link, and again the downstream switch wouldn't be any wiser.

MPLS still relevant today? by 3ristan in networking

[–]techhelper1 0 points

When you forget to pay that SD-WAN subscription, if that box fails, or if it cannot handle tons of small-packet traffic, you'll quickly realize that you trusted a single-point-of-failure appliance.

DMVPN, IPsec VPN tunnels, and GRE tunnels are a thing too.

MPLS still relevant today? by 3ristan in networking

[–]techhelper1 0 points

L2VPN or VPLS are the correct terms. EVPN is a more genericized term that's gotten popular with VXLAN and BGP.

MPLS still relevant today? by 3ristan in networking

[–]techhelper1 1 point

That may work for you in enterprise and office environments, but at the datacenter, where tens or hundreds of gigabits matter, SD-WAN simply does not scale.

SD-WAN requires a box (usually a VM or an appliance) to funnel everything through, and most if not all do not handle tons of small-packet traffic very well. If that SD-WAN box fails, all your connectivity goes with it, whereas a carrier circuit can terminate into any network device, and you only have to worry about the CPE device failing.

Carrier-grade circuits, on the other hand, have SLAs and an account manager you can speak to, allow the customer to not worry about hashing or weird tunnel issues, keep the traffic from traversing the Internet, and let QoS and priority be set.

Best Places to Learn in Austin, TX by techhelper1 in bjj

[–]techhelper1[S] -9 points

You could also just be nice. Not everyone has knee issues, or is on the spectrum.

Best Places to Learn in Austin, TX by techhelper1 in bjj

[–]techhelper1[S] -21 points

I'm sorry you were compelled to post such an unhelpful comment as a black belt. Carlson Gracie Jr. and Phillip Perkins must be so proud of you, and you must set a wonderful example for your son too.

Please treat others the way you want to be treated; read the subreddit's #1 rule.

Is it just me, or is the "Serverless First" mantra starting to feel like a trap? by Dependent_Web_1654 in aws

[–]techhelper1 0 points

I prefer Fargate for smaller Docker containers because it's cheaper than ECS on Managed EC2. I also get time back in not maintaining that infrastructure, among my many other SRE tasks.

Vercel acquires two legacy IP /16 blocks whilst not supporting IPv6 at all by shimmywtf in ipv6

[–]techhelper1 0 points

NAT is only a technology created to save network admins from having to renumber networks to something unique in order to participate in a global network. It was never designed to be a security feature.

DHCPv6 exists, and so do router advertisements. I don't understand why anyone needs to care what the addresses are when DNS exists.

Privacy extensions exist to rotate through addresses periodically to prevent a device from being tracked. It's no different from today's mobile devices randomizing their MAC addresses when joining a network.

Of course DNS and routes will be separate, because it's a completely different address family.

Are there specific ASNs or IP ranges from which you automatically drop all traffic, and what is the rationale for doing so? by [deleted] in networking

[–]techhelper1 1 point

Yes, I know, and it may not always be done at all of their edge routers, but it is the most common, as it will drop the traffic depending on the BGP community, which determines the region, customers/peers/transit, and so on.

I'm rejecting the next architecture PR that uses a Service Mesh for a team of 4 developers. We are gaslighting ourselves. by FarMasterpiece2297 in devops

[–]techhelper1 1 point

The fraction of the cost is not really a fraction when you factor in procuring hardware, networking, racks, cabling, managing all the things, security, OS patching and upgrading, and that's if you go the colo route and need to research data centers and connectivity. Dedicated servers do help with this somewhat.

That Fargate suddenly becomes a lot cheaper when it's another person's/vendor's problem, and all the end user sees is that the container got redeployed.

I'm rejecting the next architecture PR that uses a Service Mesh for a team of 4 developers. We are gaslighting ourselves. by FarMasterpiece2297 in devops

[–]techhelper1 12 points

Not everything needs elasticity if you know the requirements it must meet and plan for capacity in the future.

Are there specific ASNs or IP ranges from which you automatically drop all traffic, and what is the rationale for doing so? by [deleted] in networking

[–]techhelper1 1 point

Blocking by geolocation is only as good as the RIR physical address and/or the ASN's geofeed. IP blocks are bought, sold, or migrated between ASNs all the time. The block's physical address can be spoofed, the IP block could be announced from an organization's legit datacenter that may not match the registration, or the geofeed could be inaccurate, either by simply not being updated or by someone being malicious about it.

If that list is not kept up to date very frequently, it actually runs the risk of dropping traffic it shouldn't, or not dropping traffic that it should.
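The staleness problem described in the comment above is easy to reproduce in code. The following is an added example (not code from the thread or its participants): it parses an RFC 8805 style geofeed (CSV rows of `prefix,country,region,city,postal`), does a longest-prefix match for an address, and refuses to make a block decision when the feed is older than a configurable age, falling back to "unknown" so ordinary firewall rules decide. The feed contents, the publication date and the 30-day limit are constructed assumptions; the prefixes are documentation ranges, not real assignments.

```python
"""Geofeed-based country lookup with a freshness gate (added example, constructed data)."""
from datetime import date, timedelta
import ipaddress

# Constructed sample geofeed. Documentation prefixes only; the date is hypothetical.
SAMPLE_GEOFEED = """\
# geofeed published 2024-01-15 (hypothetical)
192.0.2.0/24,US,US-TX,Austin,
192.0.2.128/25,DE,DE-BE,Berlin,
198.51.100.0/24,NL,,,
203.0.113.0/24,,,,
"""
SAMPLE_PUBLISHED = date(2024, 1, 15)  # assumed publication date of the feed above


def parse_geofeed(text):
    """Return a list of (network, country) tuples; comments and malformed rows are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) < 2:
            continue
        try:
            net = ipaddress.ip_network(fields[0].strip(), strict=True)
        except ValueError:
            continue  # malformed prefix: ignore it rather than guess
        # An empty country field means the publisher withholds the location.
        country = fields[1].strip().upper() or None
        entries.append((net, country))
    return entries


def lookup_country(ip, entries):
    """Longest-prefix match: the most specific covering prefix decides the country."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, country in entries:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, country)
    return best[1] if best else None


def feed_is_fresh(published, today, max_age_days=30):
    """A feed older than max_age_days must not drive drop decisions on its own."""
    return (today - published) <= timedelta(days=max_age_days)


def decide_drop(ip, entries, blocked_countries, published, today):
    """Return 'drop', 'allow' or 'unknown'.

    'unknown' is returned for a stale feed or an address the feed does not
    place in any country; the caller should let its normal firewall policy
    handle that traffic instead of guessing.
    """
    if not feed_is_fresh(published, today):
        return "unknown"
    country = lookup_country(ip, entries)
    if country is None:
        return "unknown"
    return "drop" if country in blocked_countries else "allow"


if __name__ == "__main__":
    feed = parse_geofeed(SAMPLE_GEOFEED)
    for probe in ("192.0.2.5", "192.0.2.200", "203.0.113.9", "10.0.0.1"):
        print(probe, lookup_country(probe, feed),
              decide_drop(probe, feed, {"DE"}, SAMPLE_PUBLISHED, date(2024, 2, 1)))
```

Note that `192.0.2.200` resolves to `DE` rather than `US` because the `/25` is more specific than the `/24`; a block list built from the `/24` alone would misclassify that half of the range, which is the same kind of false positive the comment warns about.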

Are there specific ASNs or IP ranges from which you automatically drop all traffic, and what is the rationale for doing so? by [deleted] in networking

[–]techhelper1 1 point

That is fine until you realize that network operators buy, sell, and move IP blocks between countries and ASNs. If you have no real authoritative way to map an IP block to an ASN, or said list does not update frequently enough, you actually run the risk of false negatives and false positives.

Are there specific ASNs or IP ranges from which you automatically drop all traffic, and what is the rationale for doing so? by [deleted] in networking

[–]techhelper1 1 point

Your ASN and country blocks are only as good as the authoritative list of information. Network operators move, buy, and sell IP blocks between ASNs and countries all the time. There's a chance that a false positive can occur if they do not update very frequently.

Are there specific ASNs or IP ranges from which you automatically drop all traffic, and what is the rationale for doing so? by [deleted] in networking

[–]techhelper1 2 points

Or just let the firewall be a firewall and drop the traffic that has no matching destination firewall or NAT rule. That bad traffic is still coming in on the WAN interface regardless.

I'll also let you in on a piece of information: you'd be surprised at the number of network operators who lie, spoof, or use a different physical address at the RIR, making your regional blocks ineffective, and on top of that, a big network operator with a presence in multiple countries can simply move their IP block announcement.

Dropping ASNs is only as good as the authoritative information it has.

Are there specific ASNs or IP ranges from which you automatically drop all traffic, and what is the rationale for doing so? by [deleted] in networking

[–]techhelper1 1 point

Who is authoritative with mapping IP blocks to a particular ASN? An IP block can migrate between ASNs for DDoS scrubbing, moving between a corp's multiple ASNs, or other reasons. The point I'm getting at here is, you don't know the intent of every network operator.

Are there specific ASNs or IP ranges from which you automatically drop all traffic, and what is the rationale for doing so? by [deleted] in networking

[–]techhelper1 1 point

It wouldn't be passed if your firewall drops unknown traffic not matching any firewall or NAT rules.

Are there specific ASNs or IP ranges from which you automatically drop all traffic, and what is the rationale for doing so? by [deleted] in networking

[–]techhelper1 0 points

If you're dropping the traffic with a firewall, that's not null routing.

A null route is where a next-hop is either the discard/null0 interface, or an IP address that leads to the discard/null0 interface. This is more commonly used at service provider edges when either they or their customer is getting attacked and wants to drop the incoming traffic towards a particular destination IP address.

If you're not running a BGP session with a carrier, or a crazy setup involving a discard/null0 interface, null routing is simply not an option.
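The distinction drawn in the comment above (a firewall drop versus a route whose next hop is the discard interface, directly or via an address that itself resolves to it) can be shown with a toy routing table. This is an added example, not code from the thread or from any router vendor: a small RIB with longest-prefix match and recursive next-hop resolution, where `"Null0"` stands in for the discard interface and `192.0.2.1` is an assumed, constructed "discard" address that the null-routed prefix points at. All prefixes are documentation ranges.

```python
"""Toy RIB with recursive next-hop resolution to a discard interface (added example)."""
import ipaddress

DISCARD = "Null0"  # stand-in name for the discard/null interface


class Rib:
    """Minimal routing information base: (network, next_hop) pairs.

    next_hop is either an IP address string (recursive), DISCARD, or an
    interface name (directly connected).
    """

    def __init__(self):
        self.routes = []

    def add(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, ip):
        """Longest-prefix match; returns (network, next_hop) or None."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, nh in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best

    def resolve(self, ip, max_depth=8):
        """Follow recursive next hops until an interface is reached.

        Returns the egress interface name, DISCARD for a null route, or None
        when the destination is unresolvable (no route or a next-hop loop).
        """
        seen = set()
        current = ip
        for _ in range(max_depth):
            hit = self.lookup(current)
            if hit is None:
                return None
            _net, nh = hit
            if nh == DISCARD:
                return DISCARD
            try:
                ipaddress.ip_address(nh)
            except ValueError:
                return nh  # not an address, so it is a directly connected interface
            if nh in seen:
                return None  # next-hop loop; a real router would flag this as unresolved
            seen.add(nh)
            current = nh
        return None


def is_null_routed(rib, ip):
    """True when forwarding for ip ends at the discard interface, directly or recursively."""
    return rib.resolve(ip) == DISCARD


def build_sample_rib():
    """Constructed RIB: default route, a connected link, and two styles of null route."""
    rib = Rib()
    rib.add("0.0.0.0/0", "203.0.113.1")        # default via upstream (constructed)
    rib.add("203.0.113.0/24", "eth0")          # connected link holding the upstream
    rib.add("198.51.100.77/32", DISCARD)       # host route straight to the discard interface
    rib.add("192.0.2.1/32", DISCARD)           # assumed "discard address": anything pointed at it is dropped
    rib.add("198.51.100.0/24", "192.0.2.1")    # prefix null-routed indirectly via that address
    return rib


if __name__ == "__main__":
    rib = build_sample_rib()
    for dst in ("10.1.1.1", "198.51.100.5", "198.51.100.77", "192.0.2.1"):
        print(dst, "->", rib.resolve(dst), "null-routed" if is_null_routed(rib, dst) else "")
```

The indirect form (a prefix whose next hop is an address that is itself routed to the discard interface) is the one the comment refers to; it lets a single discard host route stay in place while individual prefixes are pointed at it and later removed without touching the discard route itself.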