(TIL) Today I Learned...

Started by Seittit, January 13, 2015, 03:50:21 AM

Reggle

Network-minded me thinks you can stop it on the firewall too... Those tunnels go towards a location on the internet.
Teredo is UDP/3544 and IPv6IP is protocol 41. Although GPO is cleaner of course.

NetworkGroover

TIL that Xbox Live uses Teredo tunneling.
Engineer by day, DJ by night, family first always

SimonV

Quote from: Reggle on April 21, 2015, 03:12:59 PM
Network-minded me thinks you can stop it on the firewall too... Those tunnels go towards a location on the internet.
Teredo is UDP/3544 and IPv6IP is protocol 41. Although GPO is cleaner of course.

Yes, found that out too when reading up on it. There was also some Teredo traffic being dropped on our edge firewalls but minimal.
Biggest problem was the clients registering their AAAA record in DNS and that a lot of the client-client and client-server communications were tunneled as 6to4.
It's just a major annoyance for the other teams who expect IPv4 output.

Also interesting is that a client always does a second AAAA query when the 6to4 adapter is enabled. 
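Added example, not part of any post in this thread: a passive classifier that labels raw IPv4 packets using the two identifiers discussed above (UDP/3544 for Teredo, IP protocol 41 for IPv6-in-IPv4) and flags 6to4 by its `2002::/16` prefix. The helper names and sample packets are constructed for illustration.

```python
import ipaddress
import struct

TEREDO_PORT = 3544                                # UDP port quoted in the thread
PROTO_UDP, PROTO_41 = 17, 41                      # 41 = IPv6 encapsulated in IPv4
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")   # 6to4 prefix (RFC 3056)

def classify(packet: bytes) -> str:
    """Label a raw IPv4 packet as 'teredo', '6to4', 'proto41' or 'other'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"
    ihl = (packet[0] & 0x0F) * 4                  # header length, options included
    if ihl < 20 or len(packet) < ihl:
        return "other"
    # Only the first fragment carries the inner header inspected below.
    first_fragment = (struct.unpack("!H", packet[6:8])[0] & 0x1FFF) == 0
    proto, payload = packet[9], packet[ihl:]
    if proto == PROTO_UDP and first_fragment and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        # Matches Teredo server traffic only; relayed peer traffic uses other ports.
        return "teredo" if TEREDO_PORT in (sport, dport) else "other"
    if proto == PROTO_41:
        if first_fragment and len(payload) >= 40 and payload[0] >> 4 == 6:
            src = ipaddress.IPv6Address(payload[8:24])
            dst = ipaddress.IPv6Address(payload[24:40])
            if src in SIX_TO_FOUR or dst in SIX_TO_FOUR:
                return "6to4"
        return "proto41"
    return "other"

# --- constructed sample packets (documentation addresses, checksums left at 0) ---
def _ipv4(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address("192.0.2.10").packed,
                       ipaddress.IPv4Address("198.51.100.7").packed) + payload
def _udp(sport: int, dport: int) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8, 0)
def _ipv6(src: str, dst: str) -> bytes:
    return (struct.pack("!IHBB", 6 << 28, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

SAMPLES = {
    "teredo": _ipv4(PROTO_UDP, _udp(51000, TEREDO_PORT)),
    "6to4": _ipv4(PROTO_41, _ipv6("2002:c000:20a::1", "2001:db8::1")),
    "proto41": _ipv4(PROTO_41, _ipv6("2001:db8::5", "2001:db8::1")),
    "other": _ipv4(PROTO_UDP, _udp(51000, 53)),
}

if __name__ == "__main__":
    print({name: classify(pkt) for name, pkt in SAMPLES.items()})
```

Counting the labels per source address over a capture shows which clients still have tunnel adapters active after the GPO has been applied.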

deanwebb

TIL that I've been filling out my timecard all wrong.  :-\
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

SimonV

Quote from: SimonV on April 22, 2015, 02:44:53 AM
Quote from: Reggle on April 21, 2015, 03:12:59 PM
Network-minded me thinks you can stop it on the firewall too... Those tunnels go towards a location on the internet.
Teredo is UDP/3544 and IPv6IP is protocol 41. Although GPO is cleaner of course.

Yes, found that out too when reading up on it. There was also some Teredo traffic being dropped on our edge firewalls but minimal.
Biggest problem was the clients registering their AAAA record in DNS and that a lot of the client-client and client-server communications were tunneled as 6to4.
It's just a major annoyance for the other teams who expect IPv4 output.

Also interesting is that a client always does a second AAAA query when the 6to4 adapter is enabled. 

I spent at least five mails explaining we are not disabling IPv6 but 6to4. Summary of Change Request comes in: Disable IPv6 on all computers. Server guys :doh:  Hope they didn't mess up the GPO

deanwebb

TIL how to repair a database table for a webforum. Tapatalk users should be back online now.

wintermute000

that you can do per tunnel QoS on a mGRE DMVPN. eek!

http://www.cisco.com/c/en/us/td/docs/ios/sec_secure_connectivity/configuration/guide/15_0/sec_secure_connectivity_15_0_book/sec_per_tunnel_qos.html


Also, cisco dcloud 'labs' are 50% sales demo, though being able to type your own show commands beats slideware any day of the week

NetworkGroover

Quote from: wintermute000 on May 24, 2015, 05:57:14 PM
that you can do per tunnel QoS on a mGRE DMVPN. eek!

http://www.cisco.com/c/en/us/td/docs/ios/sec_secure_connectivity/configuration/guide/15_0/sec_secure_connectivity_15_0_book/sec_per_tunnel_qos.html


Also, cisco dcloud 'labs' are 50% sales demo, though being able to type your own show commands beats slideware any day of the week

I'm not a WAN guy, but this sounds like something I'd never want to deal with... then again I hate QoS in general.

NetworkGroover

Quote from: deanwebb on April 28, 2015, 10:36:17 AM
TIL that I've been filling out my timecard all wrong.  :-\

Timecard?  I thought it was a base requirement to enslave an engineer with a salary! ;)

deanwebb

Quote from: AspiringNetworker on May 25, 2015, 11:21:40 AM
Quote from: deanwebb on April 28, 2015, 10:36:17 AM
TIL that I've been filling out my timecard all wrong.  :-\

Timecard?  I thought it was a base requirement to enslave an engineer with a salary! ;)
We fill out our time allocation so that the higher-ups can determine if we're allocated properly, or if they need to allocate more resources.

that1guy15

Quote from: AspiringNetworker on May 25, 2015, 11:20:19 AM
Quote from: wintermute000 on May 24, 2015, 05:57:14 PM
that you can do per tunnel QoS on a mGRE DMVPN. eek!

http://www.cisco.com/c/en/us/td/docs/ios/sec_secure_connectivity/configuration/guide/15_0/sec_secure_connectivity_15_0_book/sec_per_tunnel_qos.html


Also, cisco dcloud 'labs' are 50% sales demo, though being able to type your own show commands beats slideware any day of the week

I'm not a WAN guy, but this sounds like something I'd never want to deal with... then again I hate QoS in general.

No they nailed this correctly! Think about a large distributed network with a large number of sites connecting back to the hub office over a variety of link types. Setting up profiles to match each of those and assigning policies and QoS per each profile. Architect once and deploy everywhere.

So the following profiles:
ATT_MPLS_100Mbps
ATT_MPLS_50Mbps
TW_MPLS_50Mbps
T1_WTF_Do_we_still_have_these
Dial_Up_AYFKM

That1guy15
@that1guy_15
blog.movingonesandzeros.net

NetworkGroover

Quote from: that1guy15 on May 25, 2015, 09:26:12 PM
Quote from: AspiringNetworker on May 25, 2015, 11:20:19 AM
Quote from: wintermute000 on May 24, 2015, 05:57:14 PM
that you can do per tunnel QoS on a mGRE DMVPN. eek!

http://www.cisco.com/c/en/us/td/docs/ios/sec_secure_connectivity/configuration/guide/15_0/sec_secure_connectivity_15_0_book/sec_per_tunnel_qos.html


Also, cisco dcloud 'labs' are 50% sales demo, though being able to type your own show commands beats slideware any day of the week

I'm not a WAN guy, but this sounds like something I'd never want to deal with... then again I hate QoS in general.

No they nailed this correctly! Think about a large distributed network with a large number of sites connecting back to the hub office over a variety of link types. Setting up profiles to match each of those and assigning policies and QoS per each profile. Architect once and deploy everywhere.

So the following profiles:
ATT_MPLS_100Mbps
ATT_MPLS_50Mbps
TW_MPLS_50Mbps
T1_WTF_Do_we_still_have_these
Dial_Up_AYFKM

Hehe - like I said I'm not a WAN guy (until I have to be), and I hate QoS (until I have to do it - again) so..... guess it's good I work in the DC where I don't worry about this too much. :P 

LOL @ "T1_WTF..."

LynK

Not to get off topic, but T1 is still a widely used, and common infrastructure in today's society. We have about 100 or so sites still on T1 MPLS infrastructure.... Not willing to make the price jump to 10MB metro-e, but also wanting new technology... :drama: :drama: I can't wait until they want video here... haha
Sys Admin: "You have a stuck route"
            Me: "You have an incorrect Default Gateway"

SofaKing

Quote from: deanwebb on May 25, 2015, 07:05:06 PM
Quote from: AspiringNetworker on May 25, 2015, 11:21:40 AM
Quote from: deanwebb on April 28, 2015, 10:36:17 AM
TIL that I've been filling out my timecard all wrong.  :-\

Timecard?  I thought it was a base requirement to enslave an engineer with a salary! ;)
We fill out our time allocation so that the higher-ups can determine if we're allocated properly, or if they need to allocate more resources.

We do the same at my company.  This way the business knows which department to bill for our services.  I work for a large retail company and IT does not create revenue (even though the business can't run without us) so we have to get our funds from somewhere ;)
Networking -  You can talk about us but you can't talk without us!

routerdork

"The thing about quotes on the internet is that you cannot confirm their validity." -Abraham Lincoln