Messages - awilderbeast

#1
OK so I know we're pushing layer 3 as far as we can now, down to the closet where possible...

But say I have a floor of 200 users; new design methodology is telling me to give that floor a VLAN and have done with it. However... from a security point of view, firstly we are told it's OK, you can do all your rules via LDAP now and have user groups instead of IP rules, which is great for your standard users.

But what about your Linux devs who run VMs, and all your marketing dept that have Macs? Would you guys, from experience or opinion, throw them in their own VLANs, or use AnyConnect (if Cisco proprietary) to authenticate them? Or any other method to authenticate them against a centralized user base to avoid using IP-based rules in your firewalls? Then only your servers have IP rules?


Next - Layer 3 in the DC:
So we're pushing layer 3 all the way down to your server farms; are any of you guys using /31s or /30s between your DC switches and your servers? I've seen designs (don't ask me where, I can't remember now) referencing this setup as the "new way", I can see the benefits...

Anyway, what would you do about your VM infrastructure if you're sending /30s? You can't, can you; your blade chassis would have to have 1 subnet or would have to have multiple VLANs.
We're often reminded that VLANs are not a security boundary, but you can still use the subnet of a VLAN to limit access to services based on src/dst IP addresses...
So do you guys put your DBs in their own VLAN in the DC? Our DBAs like to anyway, and they authenticate against IP and SSH key and username/pass!

Food for thought anyway; it's been rattling around my head for a while and I wanted to get opinions on how everyone else does it.
Cheers
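The two design questions in the post above (/30 vs /31 links from DC switches to servers, and using a VLAN's subnet to restrict who can reach the DB servers by src/dst address) can be made concrete with a small planner. This is an added example, not code from the poster or from any vendor; all addresses, the rule table and the `plan_p2p_links` / `allowed` helpers are constructed for illustration. It uses only Python's standard `ipaddress` module.

```python
import ipaddress

# Added example (not from the forum post): carve a supernet into point-to-point
# server links and evaluate src/dst address rules. All addresses are constructed.


def plan_p2p_links(supernet, prefix):
    """Carve `supernet` into /30 or /31 point-to-point links between a DC switch
    and a server. Returns a list of (switch_ip, server_ip) string pairs."""
    if prefix not in (30, 31):
        raise ValueError("point-to-point server links are /30 or /31")
    net = ipaddress.ip_network(supernet)
    links = []
    for sub in net.subnets(new_prefix=prefix):
        if prefix == 31:
            # RFC 3021: both addresses of a /31 are usable (no network/broadcast),
            # so a /24 yields 128 links instead of 64.
            switch_ip, server_ip = sub[0], sub[1]
        else:
            # A /30 spends its first and last address on network/broadcast;
            # only the middle two are usable.
            switch_ip, server_ip = sub[1], sub[2]
        links.append((str(switch_ip), str(server_ip)))
    return links


def link_count(supernet, prefix):
    """How many server links a supernet gives you at a given prefix length."""
    return len(plan_p2p_links(supernet, prefix))


# Constructed rule table: the DB VLAN's subnet is what the firewall matches on,
# so only the app VLAN (postgres) and the DBA jump hosts (ssh) can reach it.
RULES = [
    {"src": ipaddress.ip_network("10.20.0.0/24"),   # app servers VLAN
     "dst": ipaddress.ip_network("10.30.0.0/24"),   # DB VLAN
     "ports": {5432}, "action": "permit"},
    {"src": ipaddress.ip_network("10.99.0.0/24"),   # DBA jump hosts
     "dst": ipaddress.ip_network("10.30.0.0/24"),   # DB VLAN
     "ports": {22}, "action": "permit"},
]


def allowed(rules, src, dst, port):
    """First-match evaluation of src/dst/port rules with an implicit deny."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule["src"] and d in rule["dst"] and port in rule["ports"]:
            return rule["action"] == "permit"
    return False


if __name__ == "__main__":
    print("/31 links per /24:", link_count("10.10.0.0/24", 31))
    print("/30 links per /24:", link_count("10.10.0.0/24", 30))
    print("app -> db 5432:", allowed(RULES, "10.20.0.15", "10.30.0.5", 5432))
    print("app -> db 22:  ", allowed(RULES, "10.20.0.15", "10.30.0.5", 22))
```

The address-efficiency difference is the whole argument for /31 on switch-to-server links, and the rule table shows the point the post makes about VLANs: the VLAN itself is not the control, the subnet it carries is what your src/dst rules key on, so a host that lands in the wrong VLAN with the wrong address simply fails to match a permit.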
#2
Forum Lobby / Re: WAR STORIES!
July 07, 2015, 05:42:38 AM
Ok so it begins...
Backdrop: old DC, 2800s routers, 100s of old servers; we are migrating to a new fancy DC, not there yet. All current kit full of faults, fans broken, etc.

Saturday afternoon last year:
Panic panic, ring everyone, text everyone, the site's down! On-call engineer logs into our DC routers, we keep losing connectivity, manage to get a sh int off, routers are taking huge amounts of bandwidth. Why?! We must be getting DDoS'd. Call ISP, yup, confirmed DDoS, they blackhole our traffic...
ISP says attack was 15GB

Week after:
Look into DDoS mitigation options, speak to providers/vendors etc
Ransom email from attacker: give me 1 bitcoin and I will stop...
Ignore attacker.
Signed up for Incapsula cloud scrubbing trial, haven't changed DNS yet, still speaking to other vendors.
Many vendors' boxes are aimed at ISPs, their price brackets are huge, vendors baffled by our ISP's inability to protect us...

Saturday again:
Attack, Attack!
Everyone get in ASAP... what can we do?!
Turn on the free trial of the scrubber... DNS changes (our TTL 5 mins), log in to trial dashboard, see that they are taking hits, gradually we get some site activity back.

Mr Attacker not happy about that... must've searched our RIPE records or queried some other addresses... Attacks the head office where we are trying to stop him (must have been luck).
Head office taken down now!
Head office is where all orders are processed, connected to live DC via VPN.
Worst thing about the head office is it's the head office for two sister companies, and we have kit serving both companies on the WAN here :|

Mgmt: we need to not have two companies taken out by this, do something to make sure it only affects 1 company if it happens again, can you do it now...
Dual ISPs at head office: shut BGP session with 1 ISP, NAT out of it and DMVPN on it, ISP's public IP now being used, unaffected by DDoS hits.

Luckily we have a temp L2 link between the new DC and the old DC. Re-route all traffic to the old DC via the new DC and the L2 link there.
We can now get to the live DC regardless of WAN saturation, and we still have some services online if he hits head office again.

Week after:
Decided on DDoS provider, pay for emergency install ($$$$), get on-site appliance that can take 1GB, backed up with cloud scrubbing service (they advertise our AS more attractively than us and send clean traffic down GRE tunnels to our routers).

Saturday:
Attack Attack!
On-prem device and cloud scrubbing service kick in, site is up during attack, VICTORY!!
Attacks head office; we have cloud service only at head office, divert head office to cloud service too, VICTORY!

Meanwhile... police involved, eventually heard that they arrested someone from France, he was ransoming loads of companies for 1 bitcoin...

That was a looonnng three weeks; I think me and my colleague worked 5 weeks' time in the space of that 3-week period.
Safe to say we're now at the new DC with new equipment, on-prem devices and cloud services, and back using BGP on both our links at the head office.

Phew!
#3
Forum Lobby / Re: Mr Robot!
July 07, 2015, 02:11:28 AM
I like the main character, now you mention it it does have a Fight Club feel to the storyline, doesn't it!

I'll give Halt and Catch Fire a try; will the missus enjoy it or is it one for the guys only?
#4
When you guys say correct cable length, you mean you go to the nearest metre (1, 3, 5, 7 etc.) or do you make them all?
#5
Just wondering what everyone else is doing inside the closets, cabinets and DC. Unfortunately none of our racks have vertical space or management bars.

So we've been trying a few things out recently.

We've tried these:-
http://www.netstoredirect.com/cable-management/235240-19-cabinet-cable-dump-panels.html
Not great, there's nowhere to put excess cables and the little slots for cables often can't fit two cables in because the slots are so close to the ports.

These:-
http://www.netstoredirect.com/cable-management/121815-prism-4-ring-cable-managment-bars.html?gclid=CjwKEAjwzuisBRClgJnI4_a96zwSJACAEZKeIs7xJnUEf3a8vEV4B_EKNFyzNIjywrBMkZFyehcDqRoCJcbw_wcB#/u_size-1u
Everyone's tried these, pretty useless I think unless you're willing to make all your own cables; even then, you're never gonna fit 24 or 48 cables into those little rings.

I want to try these:-
http://www.techcare.co.uk/store/neat-patch-cable-management-cabinet-rack?search=neat%20patch
They look pretty good, pricey though!

Anyone else have any good products for cable mgmt they use?

Thanks
#6
Forum Lobby / Mr Robot!
July 06, 2015, 03:20:20 AM
Anyone watching this? I think it's great! Technically really good too; the only flaw I've seen is the IP ending in .37 and changing DNS entries to stop a DoS attack (instantly). But it was a good effort to be technical anyway.
#7
Forum Lobby / Re: WAR STORIES!
July 06, 2015, 03:18:39 AM
Seems like spanning tree everywhere!

Similar issue: access switch in a factory as root, around 300 users, VLAN 1 is the only VLAN, with 10 secondary IPs on it, /23 on every IP. Needless to say we had a lot of broadcast traffic! Also all HP switches were EOL/EOS about 5 years ago. Had 3 fail in 1 afternoon (luckily for the business a Sunday, unlucky for me!). No documentation; if another switch was needed it was just plugged into the closest switch to it. Daisy chains everywhere. Had no idea what was connected to what or where; needless to say had issues every day until I gradually started winning the battle. The war is not over yet though!

Also if anyone is interested, I have a pretty long DDoS story (we are an ecommerce retailer who were DDoSed for a 1 Bitcoin ransom every week!). I could tell you what we did, what the attacker did and what we've done since; it's a long story though...

Ta
#8
You know what, I've never actually looked at Seattle, but just did some quick Googling; it looks amazing! haha
I love the outdoors and it looks as if it has plenty!

My missus likes Florida, but I don't think I could work there; I didn't mind visiting but couldn't stay long term, I'd melt! Plus from glances of the tech there they don't seem that far ahead as some other states?


#9
None taken, I'd give my right leg for the opportunity to migrate to the States! haha
#10
Yeah, we're pretty close to some nice warm North Sea waters! If you're really lucky you might get to swim in 5 or 6 °C in the summer, mmmm cosy! haha
#11
Forum Lobby / Re: New Member Introductions Thread
June 29, 2015, 06:34:37 AM
Hi all,

I'm Alex, worked in IT for 14 years, been a Network Engineer/Server Engineer for 10 years, finally shook off the server engineer shackles and have been a pure network engineer for the past 2 years.
I was an avid poster on the old networking-forum.com but haven't been as active the last year or so. Have recently found out everyone has moved across to this new site, so reintroducing myself here :)

Cheers
Alex
#12
Hi all,

Just moved across from networking-forum.com, seems everyone lives here now.
Anyway, I am in need of a 3rd line Network/Project Engineer in the East Yorkshire area of England, United Kingdom. Please PM me for any details if interested. This is a permanent position.

Thanks
Alex