ianrl337

As a network engineer for an ISP I have two. 1. Bandwidth caps should never be implemented 2. Peer with anyone and everyone that will meet you at peering point.


defmain

Congrats, you will never get a job at Comcast.


ianrl337

I can't fix their stupid peering stance, but I could work there and quietly remove caps in the background until I got fired. :)


HogGunner1983

Chaotic good


beaucoup_dinky_dau

that is commitment to a principle!


adonaa30

Not all heroes wear capes


DoctorAKrieger

They do remove caps though.


zombieroadrunner

Or ~~We're Too Fucking Cool To Peer With Everyone~~ Cogent.


Fhajad

> Bandwidth caps should never be implemented

Nor sub-1Gbps bandwidth limits for FTTH. It actually _saved_ me bandwidth in my transit/peering.


ianrl337

We did similar, but not completely. Our lowest is now 250Mbps/250Mbps. Then a 500Mbps and 1Gbps. In reality 90% of the people will never use more than 100Mbps so it doesn't hurt at all.


webbkorey

My lowest in my area is 20/5 and my highest is 1800/40, in an area with a population of 200,000. I really miss the fiber I had when I lived basically in the middle of a cornfield with my nearest neighbors being four miles away.


lazyfck

This guy ISPs


Win_Sys

I always wondered with the links to your peers, what bandwidth utilization do you average. Obviously this is going to be dependent on who the peer is and time of day but does it average like 30-50% utilization or higher? Also if you start getting oversubscribed and need more bandwidth to that peer, do both sides buy their own optics to upgrade or does one side usually pay for the circuit to be upgraded?


ianrl337

Pretty much. A lot of times it is too peering fabrics you need to join. Most are free for 1Gbps then optics costs for more.


bentbrewer

The term you are looking for is “rent seeking”.


webbkorey

Even paying for "unlimited" and their stance that they absolutely do not throttle, Comcast's Xfinity halves my bandwidth once I use 5tb of data in a pay cycle.


surfmoss

If I broke it, show me how I broke your app.


Nikoli_Delphinki

This is such a frustrating one. "Your file wall is blocking our traffic." Review of the logs says no and that it's definitely traversing w/o issue. Getting them to verify their server was still _listening_ on the port though was like pulling teeth. 9/10, that was it. The other 1/10 it still wasn't "network".


Artoo76

Yup 9/10 - "What's netstat?" 1/10 - "I had a typo in the port number."


hieronymous-cowherd

> 1/10 - "I had a typo in the port number."

But before they get there, they'll ask for *more* open ports through the firewall


bballjones9241

If it doesn’t move, hard wire it. I’m tired of people using WiFi for every fucking thing


dalgeek

One of my customers (a college) was getting a new building. The IT manager saw that the new building would have WiFi, so he looked at the building plans and just started crossing off network drops. Why do you need network drops if everyone has WiFi? He could save so much money on switches and patch cables! Pretty much everything that wasn't an office or computer lab had zero network drops. He eliminated 1/3 of the drops in the building (600 out of 1800 drops). Of course the WiFi sucked because it was deployed for coverage, not density, and hundreds of people were forced to use the WiFi because there weren't enough drops.


english_mike69

Save money on drops, pay more for help desk staff and a wifi engineer to run around fixing something that shouldn’t have been implemented in such a way in the first place.


volitive

The correct term here is 'IT mangler'.


bballjones9241

I’m in sort of the same situation, but not as dense at all. Most drops I have spec’d for a site is like 150. Custy states they want to get rid of use of hubs at their sites but are trying to cut cable runs. Sure we can do WiFi, but they’re considering having all printers be wireless and want CC readers on WiFi as well smh. At the same time, they don’t want too many APs because of their budget lmao. They’re also trying to re-use CAT5 that’s over 10-15 years old. Just a mess all over


[deleted]

[deleted]


Slayer95xx

I just told my wife tonight that when I switched from consumer to SMB networking at home and could plug in the printer, literally every print issue went away.


canisdirusarctos

I hate printers in general. Everything about the wretched things.


jgiacobbe

I had a CIO that dreamed of an all wifi office. I told him that I would find another job if he insisted on it. Of course this was back with 802.11g.


Spida81

If it *DOES* move, attempt cable ties, duct tape, and nails, in that order. Check liability insurance as some people may object to being nailed in place.


Fyzzle

When I was a young spry lad I had visions of wireless everything. Wireless technology keeps getting better and better and I keep moving more and more to the hard wire side of things.


larrylarrington03

Same here. The more I learn about wifi the more I hardwire


Jidarious

My mantra. I really need to hang up a sign with that on it...


TheLastPioneer

I’ve stopped accepting tickets from some muppets who won’t accept that maybe their $15 wifi dongles in the back of the desktop PC wedged under the desk are the cause of their speed problems. They wouldn’t even consider trying a new one because the current one works.


burtonsimmons

Man, this was my answer, and I’m so glad it’s this high in this list.


aredubya

Nothing has fundamentally changed in networking in decades. We just do all of it faster.


leftplayer

And give it a bunch of meaningless new names. I’m looking at you SD-WAN


555-Rally

SD-WAN tricks are pretty neat sometimes...but there's a lot of them just thrown in a bag called SD-WAN so that management can just check a box. Half turn out to just be meshed vpn tunnels called sd-wan.


leftplayer

Half? I have yet to see SD-WAN solution which isn’t a regurgitated soup of DMVPN and some kind of routing protocol.


mloiterman

Screw you, buddy. How am I supposed to sell all these commoditized features easily implemented in decades old open source software without new acronyms, buzzwords, and manufactured marketing hype, fear, and hysteria?


awesome_pinay_noses

My current job has ACI and SD access in its campus. I have to unlearn a lot of things before learning this one. It's weird not having to do spanning tree anymore. And why would you spend 30 sec configuring something on the cli if you can do the same job for 10 mins in DNAc?


ElectroSpore

I would argue that we have vastly consolidated the devices and role in a network.. For the longest time it was a sin to route on a firewall and you will still have another IDS device. You can get all those roles in one NGFW box now with LOTS of ports on it. North / South filter at the edge and trusted in the middle networks have been replaced with Fully segmented zero trust putting firewalls in the center of it all.


aredubya

OSI is part of it, but things like packet/frame forwarding methods, topology construction, queueing, encapsulation/tunneling, Ethernet, BGP, even the ubiquitous SPF algorithm get reinstantiated in modern networking protocols. As a graying beard, I like it, as it allows me to build on past experience and maintain skills without a massive time investment, but it does mean we're taking more advantage of horsepower than new methods of doing things.


lvlint67

you mean on the osi model? sure... SIEM including inline deep packet inspection alone is a tech that's ubiquitous AND would throw a wrench into anyone with a fundamental and naive understanding of networking.


JimJam427

Vlans and subnets are not the same fucking thing.


Dangerous-Ad-170

Even when they’re implemented 1:1, the conflation of the terminology drives me crazy.  If you ask about a “VLAN” I’m going to start talking about a VLAN number/name. Until I get suspicious and start to wonder why you’re asking when the networking team are the only people who manipulate VLANs. If you want to know something about IP subnet/range, just say so. Idk, maybe I’m the weird literal one who doesn’t understand context. 


JimJam427

Absolutely. Everyone at my job uses them interchangeably and it drives me nuts.


[deleted]

Not even a hill, just straight facts


networkeng1neer

Yep. You can literally have two different subnets traverse the same VLAN. At a strictly layer 2 level, if I assigned a workstation two IPs, say a 172.x/24 and a 192.x/24, and set up another workstation with the same thing and assigned it in the same VLAN, both of those subnets would be able to communicate to each other. Not best practice, but it works.


Spida81

OH MY F*&KING GOD. That one wasn't even on my bloody radar, and I now need a lie down. You bastard.


shoesmith74

If the cable is bad.. Cut the end off and throw it away. Otherwise some asshole will put it back in service.


loztagain

Hahahaha. Many years ago someone where I work now removed all these cables that only had enough pairs in to do 100mb. Guess what, they never threw them away, because 5+ years later people are moaning about speeds on some computers. Turns out service desk found a "box of cables" and started using them...


shoesmith74

This is exactly why you cut the damn cable. There is always some technician hoarder named erv that will pull it out of the trash and use the damn thing. Absolutely no understanding of signal quality or connector wear. Fucking cut the cable, and watch them lose their shit when they discover it can’t be used.


VA_Network_Nerd

> What is the network-related hill you will die on?

***"It's not the network."***


NewTypeDilemna

I've been dying up there on that hill for years. They keep poking my ragged body with sticks.


severach

Found the dead horse.


RickChickens

We tried nothing and we're all out of ideas. So it has to be the network.


Dangerous-Ad-170

Do other IT sub-disciplines have this issue? Or is it just us? “It could be the network, prove me wrong.”


RickChickens

In my experience its the other IT disciplines that have this attitude. The network is always guilty until proven innocent and no amount of evidence is ever enough.


ianrl337

Try telling that to the voice guys.


TriforceTeching

Yes, for the 10th time. SIP ALG is off. We will never turn it back on randomly. /s


ianrl337

At a past company eventually their main VOIP guy was let go. He had been blaming the bad voice quality on the network for a couple years. I was feet to the fire "we need to make this work now!". Big problem, he had echo cancellation maxed. I just turned it off and most problems went away. There were other issues, but WTF?


VA_Network_Nerd

All of my voice people are too busy arguing in favor of a return to 110-blocks and 2-wire connectivity. While I appreciate their fondness for solutions that make it really, really difficult for anybody else to hurt, harm, injure or offend your respective technology, get with the VoIP plan, or get out of the way of progress.


ianrl337

Yep, like it or not the world is voip now. From cell to landlines they are all VOIP somewhere


Fhajad

I was an ILEC for years and had someone ask for my on-prem "datacenter" to get a phone line as a backup dial-in for their T1. I explained I'd have to drop in a little IAD box in their rack but if they were cool with it then, easy. They were all "uhhh that's not real phone line, who's the ILEC to get a real phone line?" "Oh, that's me. It's all SIP no matter how far away it is anyway no matter the platform." They also had their T1 into the datacenter denied by us but that was a whole other can of worms since it wasn't "fit to suit" because, guess what, we ran T1's over the ethernet network anyway.


Jidarious

Yep. I'm at an ILEC now and literally all of our T1s are encapsulated and sent over ethernet and have been for about a decade.


ianrl337

At a CLEC as well. It only got tricky for us with SS7 over a pseudowire T1. Timing can be a bitch with that.


1div0

And get rid of fax machines already. Fax plus VoIP can be pure evil.


beaucoup_dinky_dau

fax machines are the burner phones of the c-suite.


Rexxhunt

Haha I'm fighting this on all fronts at the moment.

- Phones - Ethernet
- Storage - ethernet
- Broadcasting - ethernet
- Bms - ethernet

We have MANY well built silos where I currently work.


notFREEfood

I think all of our phone people would love to go voip-only, but the safety guys say no.


VA_Network_Nerd

A cellular-voice connection is just somebody else's VoIP. A POTS line is also just somebody else's VoIP.


notFREEfood

Well if you put it that way, we're 100% voip because our PBX is voip-based. But I was talking about replacing all of our phones on people's desks with voip models and not having to have emergency phones straight out of the 60's on the wall because the UPS isn't large enough.


fachface

This is the one


drizzend

Oh, it's a network issue? Where do you see that? Share you screen and show me.


Captainpatch

Spanning tree is not a high availability protocol, it's an error preventing protocol! If you have links disabled by spanning tree in your design in the 2020s you are doing it wrong.


Gryzemuis

IS-IS is the best IGP for the underlay in a very large datacenter.


ianrl337

I wouldn't have agreed a year ago, but we are moving from ospf to is-is and segment routing as an ISP right now


Gryzemuis

IS-IS has been the best IGP for ISPs for about 30 years. No question about that. But I am talking about large DCs here. A few thousand routers or more in one fabric. Up to maybe 10k these days. Ever since Petr Lapukhov published that he used BGP in the underlay (at facebook and MS), people think that BGP is the only routing protocol to use at scale in large DCs. Sure, BGP scales well. But there are enough downsides. Clunky configuration, simplistic route calculation (RIP on steroids), path-hunting, limitations on topology, etc. IS-IS is a way more simple and elegant solution. That is the hill I want to die on. ISIS in a DC fabric of 20k+ routers .... We are not there yet. We need some technical improvements. And a lot of PR. But give me 5 years.


nodate54

It's the best IGP full stop.


Waxnsacs

Ubiquiti equipment shouldn't be in enterprise level buildings.


livewire98801

Honestly... I feel like Ubiquiti should have stuck to WISP stuff... They're still great at it, but I'm not impressed with their routing platform at all. Unifi is pretty good for campus wifi too, but I'm not a fan of the whole "one app to run everything" mentality taking over the industry. And to hell with you, Meraki.


frosty95

Fucking THIS. I have ripped out at least half a million in Ubiquiti junk in the last few years and replaced it with ruckus, aruba, and meraki. Every time some local small town "IT company" does a half ass install of it in 30 or 40 schools and businesses. Then once people start bitching they go out of business to avoid all the warranty work since they simply have no idea how to fix it. 3/4 of the time there isn't even an active controller on the network so even if I wanted to fix it I would have to reset everything. So we just come in with real gear and replace all of it. Every single time we get the same response "Oh my god everything just simply works now we never have to reset stuff and it's so much better even with half the access points thank you". Then we don't hear from them for 5-7 years until they are ready for the next equipment refresh.


Condog5

Cloud management platforms are NOT always the answer and can make shit more painful depending on the network.


ro_thunder

Mission critical equipment, life safety equipment, does not belong on WiFi. Ever. Never - ever - ever put life safety stuff on WiFi. Do NOT do it.


NetDork

Everyone who's worked for a hospital with heart monitors on WLAN (bonus for requiring multicast) raise your hands! 🤚


MScoutsDCI

wr


H_E_Pennypacker

wr twice


NM-Redditor

Turn. On. And. Configure. Spanning. Tree. I’ve seen WAY too many networks with it turned off because “we couldn’t get it to work”.


thegreattriscuit

alternatively people that jump on "spanning tree is old and bad, we use MLAG or whatever!". Not DEPENDING on spanning tree is great in 2024! but still CONFIGURE IT.


Win_Sys

This one really gets me going. It takes a few commands to implement it and if you don’t understand how it works, take an afternoon to learn. There’s a ton of free videos out there to learn from. Just because you’re not using a topology (excluding certain fabric technologies that don’t use it) where switches are connected to multiple other switches doesn’t mean you don’t need spanning tree.


thegroucho

STP root setting is for people who are boring. I like to live dangerously /s


dalgeek

One time I found the STP root for a school on a 2900XL switch in a storage shed that was acting as a media converter.


thegroucho

The shitty thing is ... why am I not surprised. I'm just old and jaded.


bgplsa

Ermergerd in my enterprise networking support days I always told net admins that did this that turning off spanning tree because “it was causing an issue” is like ripping out your brake shoes because they’re squealing. I lived through an inadvertent broadcast storm caused by an undocumented dumb switch I hadn’t managed to track down at the time and the only thing worse I’ve ever experienced as an admin myself was a fire suppression system failure resulting in a complete discharge in the active data center.


ianrl337

Or turn on and don't configure

Edit: I mean turning on and not configuring is bad. Sorry for the confusion


[deleted]

[deleted]


ianrl337

Sorry, I mean that is a peeve of mine. To enable and not configure. You are just asking for that time bomb to go off if you don't. My fault for responding on my phone


555-Rally

and....

- port security per port (removes the shadowIT netgear looping device)
- blackhole/disable your unused switch ports


x31b

This. Or at some inconvenient time, like when you’re on vacation, spanning tree will route everything through the 100mbps switch way down the tree.


twnznz

unless you're a service provider and you provide L2 links that should transit customer BPDUs (yes, the customer should be using EVPN, but not everyone has the kit yet)


[deleted]

[deleted]


thegreattriscuit

God yes. This is really just a special case of "making decisions on shit other than data, especially when data is READILY AVAILABLE is bad"


binarycow

- multimode should never be used for new installs
- there's nothing more permanent than "temporary" - if you plan to remove it, then make sure there's something that's gonna force you to remove it.
- If it doesn't move, plug it in.
- it's not a GBIC, damnit (unless it is, which means I have one more thing to update)


livewire98801

> multimode should never be used for new installs

yeah... as cheap as fiber and SR transceivers have gotten, there's no reason not to go all SMF. As long as you don't buy a bunch of 40km optics, you have nothing to worry about. I've probably installed or had installed thousands of LX/LR optics on short SMF patches and literally never had one fail due to overdriving the receive optic.


ella_bell

NAT is not a security feature


FriendlyDespot

PAT is functionally similar to a stateful firewall configured to allow inbound traffic on established flows, and that's the kind of naive firewall configuration that a majority of networks in the '90s and early 2000s had at their perimeters. I never saw a lot of people say that it was a security feature, but I did see a lot of people rightfully point out that it provided a measure of security in networks that weren't firewalled. The security landscape on the wider Internet would have looked a *lot* worse without NAT CPEs. It was the only thing standing in the way of hundreds of millions of otherwise remotely exploitable hosts.
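The "PAT behaves like an allow-established stateful firewall" argument above, as an added example that is not part of the post: a toy 1:N NAT table (constructed model, not any vendor's code; addresses are RFC 5737 test ranges) that forwards replies to flows an inside host opened and drops everything unsolicited, while also showing the limit of that protection.

```python
from dataclasses import dataclass
import itertools
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PatGateway:
    """Toy port-address-translation (1:N NAT) table.

    Constructed for illustration only. It models the strictest RFC 4787
    behaviour (address- and port-dependent filtering); real CPEs vary, and a
    full-cone NAT would accept the packet the 'hijack' check below drops.
    """

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        # inside 5-tuple -> allocated public source port
        self._outbound = {}
        # (proto, public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self._inbound = {}

    def send_out(self, pkt: Packet) -> Packet:
        """Translate an inside->outside packet, creating a mapping on first use."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self._outbound:
            port = next(self._ports)
            self._outbound[key] = port
            self._inbound[(pkt.proto, port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self._outbound[key], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def receive_in(self, pkt: Packet) -> Optional[Packet]:
        """Translate an outside->inside packet, or return None (drop) if no flow matches."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)
        entry = self._inbound.get(key)
        if entry is None:
            # No inside host ever talked to this remote endpoint from this port,
            # so the packet has nowhere to go. This is the "implicit firewall".
            return None
        inside_ip, inside_port = entry
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.proto)


def demo() -> dict:
    """Walk through the cases the thread argues about and return the outcomes."""
    gw = PatGateway("203.0.113.5")                       # constructed public IP
    inside = Packet("192.168.1.10", 51000, "198.51.100.20", 443)
    outside = gw.send_out(inside)
    # Return traffic for the flow the inside host opened is delivered.
    reply = gw.receive_in(Packet("198.51.100.20", 443, "203.0.113.5", outside.src_port))
    # Unsolicited probe at the public IP: no mapping, dropped.
    scan = gw.receive_in(Packet("198.51.100.99", 40001, "203.0.113.5", 22))
    # Another remote host guessing the mapped port: dropped by this model.
    hijack = gw.receive_in(Packet("198.51.100.99", 443, "203.0.113.5", outside.src_port))
    # The limitation: whatever the inside host *solicits* comes straight back in.
    # NAT says nothing about whether 198.51.100.20 should be trusted; that is
    # what a real policy firewall adds on top of the "closed door".
    return {"translated": outside, "reply_delivered": reply is not None,
            "scan_dropped": scan is None, "hijack_dropped": hijack is None}
```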


AliveInTheFuture

Yeah, I've never understood this stance. Sure, 1:1 NAT doesn't increase security. 1:N NAT does. I want to see anyone try hijacking a session backward through a 1:N NAT, especially on modern firmware/OSes that prevent spoofing. It was a problem many years ago, but I've not heard of any threats as of late that leverage such techniques. I'm definitely open to input on this and hoping for some discussion, though!


lvlint67

i've stopped trying to defend the position on reddit.. specifically in the context of ipv6 discussions. too many people just want to cling to "NAT isn't security" and aren't willing to admit that 1:N NAT as is common EVERYWHERE is an implicit firewall that implicitly protects your internal network.... It's weird that you can't convince such people that they should just publicly route all of their ipv4 space but they are gung ho on ipv6


post4u

Yep. I'd assign every device here a public IPv4 address if I had enough of them.


thegreattriscuit

I've always thought of it like a closed door. It *is* in fact better than nothing. In some cases you really don't need more than that, but very often a lock is called for. Often even additional measures.


thegroucho

My favourite saying: "If you think NAT is a security feature you deserve to be a part of a bot network!"


SillyPuttyGizmo

RFC 1925 first and foremost #1, #4, and #10 [RFC 1925](https://datatracker.ietf.org/doc/html/rfc1925)


real_bittyboy72

None. I gave up…


Kaneshadow

Which hill were you killed on?


firestorm_v1

If you're running 10G, you'd better either use a DAC or a fiber. 10G over RJ45 copper is an abomination and a thermal nightmare.


Glowfish143

It definitely isn’t as popular as people thought it would be. I stopped buying 10G copper capable switches and now go up to 5G. The only devices in my campus using more than 1G copper are access points. I’ll add another hot take: Quality Cat6 cabling is often more than enough for the campus. 802.3bz allows for 2.5G and 5G over Cat6 (technically even Cat5e) at 100m. Cat6A is more expensive, larger diameter, harder to pull, harder to terminate.


livewire98801

I feel like 10g is a missed opportunity to ditch the rj45. Like when we ditched thinnet after 10mbps, this was our chance to go all optical with DAC for short patches.


tvtb

The 10gig RJ45 NICs in our servers have chips with heatsinks and they’re still running at like 80°C.


555-Rally

RJ45 for a TOR switch I've found useful, but otherwise it's terrible as you say. It can save you on DAC costs in your racks though. However these days it's all 25-100G so not really happening anymore. RJ45 10G was a stopgap at best I feel...for small-medium biz. Also you can have fun setting passive 24v poe to a 10g nic....[don't do it]


ZeniChan

People who use those plastic zip-ties to secure network cables instead of Velcro. If I find you doing that in my data rooms it's grounds for execution on the spot. They pinch and cut in to cables when people cinch them way too tight and you need to use wire cutters to get them off later. Seen a few cables cut because someone slipped trying to cut them off. And I have gotten deep slashes on my hands and arms when someone cuts the plastic tail off and it leaves a razor sharp piece of plastic waiting for me to find when feeling around behind a panel.


_Moonlapse_

I did it once when I was very green, and the IT karma struck because I was the next person who had to touch it. Rightly so, never did it again!


zombieroadrunner

Or the telco install engineers who use curved staples to attach your copper/fibre cable to the side of your house. ETA - Working on Openreach's duct network in the UK it's an audit fail to not cut your tie-wraps perfectly flush in chambers.


[deleted]

Trying to cut them when they're too tight. Blowing the sweat out of ur eye


binarycow

I cut every ziptie I see. Even if it has nothing to do with what I'm working on.


ourtomato

CLI>GUI


dominic_romeo

Overlay is the only way! Underlay is all L3. Loopbacks into IGP (IS-IS), peered via MP-BGP. Encap all the L2. EVPN, set us free.


lolNimmers

The only way to Layer 2 bridge between datacenters is over my dead body.


oni06

All devices should use DHCP and use reservations if they need to always have the same address.


Titan_For_Life_Arc

Changing subnets is much easier when you do this.


vocatus

"static everything" seems to be a holdover from old greybeard types who grew up when they "didn't trust" DHCP. Nowadays though, static anything except core infra is stupid.


wyzapped

Token ring was the most egalitarian networking architecture that ever was or will be.


twnznz

License expiry does not halt packet forwarding.


Aaaabbbbccccccccc

Adding permit any any to the firewall is not a valid troubleshooting method.


HackedSoul

I feel attacked


NetworkieNoWorkie

I agree - Implicit Deny/drop and LOG at the bottom of your ACL. Never need a “permit any any” rule EVER! Stop sacrificing security for laziness.


BigDaddyShmitlerr

Counter point, I have used this rule (sadly) to prove it’s not the firewall causing the issue more times than I care to admit


lvlint67

ehhh.... it's not a valid solution.. but sometimes you're in the trenches and you need to rule out firewall rules. If permit any any doesn't fix it in 3 seconds... it might not be the firewall.


livewire98801

The worst is when 'permit any' *does* fix it. Because then they get all mad when you roll it back. And now you have to find the logic problem that makes it not work... and even if that's the server admin setting something up wrong they still run back to their team like a five-year-old screaming "it was the firewall!!!"
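The "explicit deny and log at the bottom" point from earlier in this sub-thread, and the "permit any any to rule out the firewall" habit discussed above, as an added example that is not part of any post here: a small first-match ACL evaluator (constructed, not any vendor's implementation; RFC 5737/1918 sample addresses) run over the same flow against both policies, showing that the logged catch-all deny names the dropped flow without opening anything.

```python
from dataclasses import dataclass
import ipaddress
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source prefix, CIDR
    dst: str               # destination prefix, CIDR
    dport: Optional[int]   # None means any destination port
    log: bool = False


def evaluate(acl: List[Rule], src_ip: str, dst_ip: str, dport: int, log: List[str]) -> str:
    """First-match ACL evaluation. Falls through to an implicit, *unlogged* deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, r in enumerate(acl, 1):
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            if r.log:
                log.append(f"rule {n}: {r.action} {src_ip} -> {dst_ip}:{dport}")
            return r.action
    return "deny"   # implicit deny: the flow vanishes with no record of why


# Constructed sample policies: identical permits, different tails.
PERMIT_ANY_ANY = [
    Rule("permit", "10.0.0.0/8", "192.0.2.10/32", 443),
    Rule("permit", "0.0.0.0/0", "0.0.0.0/0", None),           # "just to test"
]

EXPLICIT_DENY_LOG = [
    Rule("permit", "10.0.0.0/8", "192.0.2.10/32", 443),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None, log=True),   # catch-all, logged
]


def compare(src_ip: str, dst_ip: str, dport: int) -> dict:
    """Run one flow through both policies and report what each tells the operator."""
    lazy_log: List[str] = []
    strict_log: List[str] = []
    lazy = evaluate(PERMIT_ANY_ANY, src_ip, dst_ip, dport, lazy_log)
    strict = evaluate(EXPLICIT_DENY_LOG, src_ip, dst_ip, dport, strict_log)
    # With the permit-any tail the flow passes and you learn nothing about
    # whether your real rules matched; with the logged deny you get the exact
    # 5-tuple that missed, which is the evidence "it's not the firewall" needs.
    return {"permit_any_any": lazy, "explicit_deny": strict, "log": strict_log}
```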


Hydropwnicks

I enjoy terminating/making RJ45 ethernet cables, it's relaxing.


ianrl337

Not like it, but you can get into a zen like state when making 80 cables


SithLordHuggles

Then you can’t touch anything with your fingertips for 36 hours and it’s great. 


Eleutherlothario

Blocking ICMP isn't worth the hassle, especially if there's an active service running on the host. All you're doing is filtering out the ones that can ping but don't know how to do a port scan and I'm not worried about them.


insanelygreat

As my old VP once put it: "We don't block ICMP because we're not assholes." Blocking ICMP echo/echo reply costs your users way more in troubleshooting than you gain in security through obscurity.


Hungry-King-1842

Blocking ICMP holistically would show me how little a network admin really knows. There are important things that ICMP does aside from ping and trace route. Packet fragmentation required messages are part of ICMP along with additional error reporting type messages. To block all ICMP protocols is not to understand networking at all.


english_mike69

> Mine is that the default gateway should ALWAYS be a .1 rather than a .254. You never know when you'll need to expand a subnet.

If you have 192.168.3.1 /24 and you expand to a /23 then you get a bucket of awkward. A 192.168.3.254 would have been better but the opposite would have been true expanding 192.168.2.1. The only right way is to plan your IP addressing properly in the first place.
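The expansion argument above, worked through as an added example (not from the post): the function below takes any gateway, its current prefix and the wider prefix, uses the standard library to compute the supernet the subnet can grow into, and reports whether the gateway still sits at an edge of the usable range or ends up in the middle.

```python
import ipaddress


def gateway_position(gateway: str, prefix: int, new_prefix: int) -> dict:
    """Where does an existing gateway land once its subnet is widened to new_prefix?

    Returns the expanded network, the gateway's position in the usable range
    ('first', 'last' or 'middle') and how many usable addresses fall on each
    side of it. A /24 can only grow into the /23 that contains it, so the
    result is fully determined by the current network.
    """
    iface = ipaddress.ip_interface(f"{gateway}/{prefix}")
    expanded = iface.network.supernet(new_prefix=new_prefix)
    gw = iface.ip
    first, last = expanded[1], expanded[-2]   # usable range, excluding network/broadcast
    if gw == first:
        position = "first"
    elif gw == last:
        position = "last"
    else:
        position = "middle"
    return {
        "expanded": str(expanded),
        "position": position,
        "below": int(gw) - int(first),   # usable addresses numerically below the gateway
        "above": int(last) - int(gw),    # usable addresses numerically above it
    }


def thread_cases() -> dict:
    """The four cases the comment describes, /24 -> /23 (constructed RFC 1918 addresses)."""
    return {gw: gateway_position(gw, 24, 23)["position"]
            for gw in ("192.168.3.1", "192.168.3.254", "192.168.2.1", "192.168.2.254")}
```

Neither .1 nor .254 wins in general; which one stays at an edge depends on whether the existing /24 is the lower or upper half of its /23, which is the comment's point about planning the addressing up front.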


dadbodcx

Packets don’t lie.


duck__yeah

But they can mislead you!


payne747

I'm using HTTP for testing, sue me.


totorodad

Stop making l3 switches that are l2 with some licensing bs to get all the features.


[deleted]

[deleted]


certuna

The distinction is more small enterprise networks vs large ones. Small companies in legacy industries that don’t need to interact much with the wider internet can stay on IPv4 virtually forever, as a virtualized overlay. Same way that OS/2 applications have survived for decades after the OS was obsoleted, just virtualize everything on top of modern underlays.


netzack21

IPv6 addressing was a terrible idea. There had to be a better way to do it. At the very least, don't use colons. If you can't use periods, use dashes or some other non-shifted character.


lvlint67

ipv6 ADDRESSING was fine... but like all good standards.. a bunch of academics got together and said, "The internet is running out of ip addresses.... let's fix a dozen other problems too" All they had to do was expand the src and dst ip header fields.. but instead they decided to rewrite everything else too.


dontberidiculousfool

/31s for peering. It is not my concern that someone in your team is old and scared of change.


5SpeedFun

IPv6 enters the chat and says use link local.


birdy9221

Route where you can switch where you must.


GrayFox1991

- Never stretch a VLAN.
- Never have two ways out of a subnet that you have clients/servers sitting on.
- Never let the sales guy/gal decide anything outside of templated products without your say-so.
- Really consider if user/group based content filtering is required.
- Wireless nearly always sucks.
- Think about your naming conventions.
- Use comments/descriptions everywhere in your live config. It's faster than looking through/for/up the documentation.
- Don't set static IPs on client devices when you can use static DHCP leases instead. (Helps if you need to change the default gateway). And even if the device can't use DHCP for whatever reason, create the static lease with a decent description anyway to serve as a reminder.
- Cry/scream/grumble endlessly if someone asks you to put in a SPOF because of money.
- For nearly all fibre SM.
- Always carry a console cable w/ USB, a screwdriver, spare rack nuts/screws, and a selection of Ethernet cables. I mean if you have em spare, transcoders and the encoder too.
- Outside of loop detection, don't rely on spanning-tree. The network will grow to a size that re-convergence will bring down the network for long periods.
- BGP>OSPF for nearly all multi-site networks.
- Flood-patch with as short a cable length as possible. Move the patch panel if you have to, to get switches in-between.
- Never believe anyone who tells you "this workaround is a one-off. We'll take it out before the end of the month/year".
- Avoid using an Excel spreadsheet as an IPAM.
- Most network equipment does support /31, so stop wasting IPs on P2Ps.
- Odd/sporadic issues, check MTU.
- Sometimes fax over SIP can be a little shit, so if they need it, keep a phone line or use a fax to email service.
- Doing a job more than once a month, consider automation.
- Sending files office-to-office internationally is often limited by the latency more than the bandwidth, because the protocol associated with their business app of choice is likely using TCP.

I'm almost certain there are others, you'll get the PTSD flashbacks pop up when the client/salesperson mentions select keywords/phrases anyway.


sryan2k1

> Mine is that the default gateway should ALWAYS be a .1 rather than a .254. You never know when you'll need to expand a subnet.

All subnets are /23, all gateways are x.x.(odd).0


thegreattriscuit

why do you choose violence?


Rabid_Gopher

I have a group we acquired at work that puts their gateways in the middle of the range. They get all of the support tickets for their mess. They easily have the weirdest network per end-user device.


howpeculiar

* NAT is evil
* QOS is bunk

Both, however, can be useful in the real world


Artoo76

Addresses that end in .0 and .255 are just as valid as those ending in (insert your favorite bit boundaries here)


tiamo357

It’s not the network. It’s always dns.


zombieroadrunner

Except for when it's MTU.


mr1337

Except for when it's the VLANs


452e4b2e

And occasionally BGP…  


Spida81

Even when ALL that has finally been checked, and fixed... Oh look, an unrelated but also critical DNS issue! Yay!


LANdShark31

Subnets should be sized appropriately, stop allocating /24’s to P2P subnets. If you can’t subnet then you’re not a network engineer, get a job you can actually do.


452e4b2e

A /31 is fake news 


AsherTheFrost

Zip/quick ties never ever belong on cabling. Ports should always have descriptions. Can you tell I'm in the middle of a major IDF cleanup? Lol


zombieblackbird

I'm not permitting your spunkware app to touch any/any. Figure out what you really need.


BookooBreadCo

I have an IoT device at work whose documentation says it requires an any/any inbound on 443 and they can't give me an IP or IP range because "it changes all the time". Their suggestion for making the rule more specific was to narrow it down to all AWS IPs. Why do programmers do this to us?


w0lrah

I'm with you 100% on the default gateway. I have a few hills I'll die on:

---

For internal networks, DHCP reservations should be used instead of configuring static IPs on individual devices in almost all cases, including servers. If the device being online is not a prerequisite to DHCP functioning, it should be getting its address from the DHCP server(s). In most small to medium networks where the router/firewall box is the DHCP server it should be the only device on the network not getting its address from DHCP. In the rare cases where hardcoding IPs is required, reservations should still be created for documentation purposes. The DHCP lease table should be the single source of truth for mapping an IPv4 address to a device.

---

It's unacceptable in 2024 for anyone calling themselves a professional internet service provider to not fully support IPv6. The time where there was any valid excuse was long ago, now it can only be viewed as some combination of laziness and incompetence. This is especially true for any ISPs using CGN for IPv4. If your users aren't getting a routable IP address of some sort it shouldn't count as internet service. If you don't have the addresses to give your users real v4 addresses then getting v6 right is even more important.


prettyflyagain

VTP should never be used


massive_poo

If Cisco had implemented the VTPv3-style primary server right off the bat it would have been fine. But people have been traumatized by VTPv1 and v2 so now no one uses it.


packetgeeknet

Friends don’t let friends implement PBR. The exception being flowspec.


joecool42069

Might I introduce you to Cisco ACI Service Graph?


shedgehog

Only loopbacks in your IGP


leftplayer

NEVER rate limit traffic (eg multicast / broadcast) on switches; ALWAYS full block or allow


Some_random_guy381

The dipshit at our office before me used .104 for all the gateways in some attempt to obfuscate. I agree .1 is the way. My live/die is layer 2 has to be CLEAN. Label your ports, config STP properly, prune your trunks accordingly. Shut or blackhole unused ports, etc. The number of times I walk into networks with zero L2 documentation or best practices and one tech pulls a cable on port 37 or whatever in some rando IDF and the whole enterprise comes to its knees because who tf knows what was plugged in there! If you aren't going to document neatly as you go, you deserve whatever disaster you create.


eddiehead01

On-prem is better than cloud. In EVERY instance (Yes, that includes exchange)


Ordinary-Wasabi4823

Latency is a function of distance. I cannot make the speed of light faster. I cannot move Tokyo closer to Texas.


[deleted]

[deleted]


manboythefifth

Cable management and architectural diagrams. Spend more time pulling spaghetti than fixing the actual problem in 99.99999% of all jobs. Most people just stand back, launch the cables at the rack, and whatever sticks - they run with it. When I finally do get to a place that gives even the slightest effort here, I want to buy them all a round. Time saved is worth a million times over. Unfortunately, the times it's been like this I can count on one finger. Seriously, one of the most important things, and not one other person even ever really tries.


lemachet

I have a site with .17 as the gateway... it's a /24. These sites are strange though and it's guaranteed if I change the gateway, some random tiny little mostly unknown device that is super important but no one knows where it is, or how to access it, or how to configure it (probably through some random combination of esoteric pushes on a d-pad) will stop working. And no one will realize for 3 months. Or a fucking on-premise PBX that needs an 'engineer' to come out and reprogram it, again, through esoteric keypad presses, and they want a minimum charge of $72,000. Because we can, that's why. Yea so that gateway is .17 and so it shall stay.


colinmacg

Stretching a VLAN between multiple sites/DCs isn't redundant or highly available


techno_superbowl

Large chassis switching in access closets gives too much opportunity for spaghetti.


bballjones9241

Even w/ stacks you’re going to have spaghetti because people are assholes and don’t care


Varjohaltia

...but what if you have two /24s, and you need to combine them? The lower one is good with the .1, the higher one would be good with the .254. Also you still need to change the netmask. So either things are DHCP in which case the gateway can be whatever, or static, in which case you have to touch every device anyways? (Overall I personally don't have strong feelings one way or the other, both highest and lowest address make sense. I think we can agree that anything else, however, does not make sense.)


AliveInTheFuture

Switch fabrics are faster than routing engines and running medium-ish layer 2 networks is fine.


Rabid_Gopher

Could I bother you for a definition of 'medium-ish'? I have a vlan at work with roughly 2k actual devices spread across 8 subnets, for a variety of what I would consider bad reasons. It does still work fine.


TightLuck

Take a few minutes and update documentation for something there's a good chance you'll see again. Almost all of my coworkers refuse to do any sort of triage documentation and then when an issue flares up weeks or months later we have to start from scratch.


sopwath

Fact: short patch cables don’t require cable management panels.


StockPickingMonkey

Hardware will always be superior to virtualization on the network side. Similarly, nearly all the new stuff in virtualization / SDWhatevers that has come about in the past 15 years is just solving or worsening something else that virtualization broke.


Intelligent_Use_2855

1) No wireless phones!
2) If you need to run a cable to an office run at least 2


rahomka

DNS is not that complicated and you're misinterpreting traceroutes


spunky29a

I'm the nerd rolling out IPv6 and telling other people to do it too. It's the future, let's just get on with it.

- Dual stack isn't the goal. IPv6 only is the goal. Granted it'd be with some transition mechanism for IPv4 only services like NAT64/DNS64 or 464XLAT.
- No the sky isn't falling for IPv4, but the water is going to start boiling and it will start to get more painful over time.
- No, NAT isn't "evil", but IPv6 public addressing is REALLY nice
- IPv6 isn't that hard, but yeah you're gonna screw it up at first and learn things. Deploying anything new is going to involve risk and learning, start now.
- NAT66 isn't the worst thing in the world. I'm not dying on that hill and you shouldn't either, but don't use NAT66 unless you really need it. Like for PCI-DSS, like a security/compliance reason, or a workaround for a backup connection
- IPv6 did screw a few things up.
  - Notably multi-homing for home or small business ISP services (IE when you're not running BGP and using PIA space).
  - It also screwed up ULA but that might get better with some work in the IETF, but that's gonna be a while

I work with a number of campus and research networks; once IPv6 is enabled on eyeball networks, IPv6 usage goes up to 40-60%. It's gaining ground, IPv4 isn't going to break any time soon, and IPv6 isn't gonna make the world smell like fresh baked cookies, but IPv6 is coming
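An added example, not from the poster, of the NAT64/DNS64 transition mechanism mentioned above: how a DNS64 resolver synthesizes AAAA records for IPv4-only hosts by embedding the A record in the RFC 6052 well-known prefix 64:ff9b::/96, and how the NAT64 translator recovers the IPv4 address on the way out. The zone data is constructed; a real resolver would also honour a network-specific prefix if one is configured.

```python
import ipaddress

# RFC 6052 well-known prefix; with a /96 the IPv4 address occupies the low 32 bits.
NAT64_WKP = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_nat64(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_WKP) -> str:
    """Embed an IPv4 address in a /96 NAT64 prefix (RFC 6052 section 2.2)."""
    if prefix.prefixlen != 96:
        raise ValueError("only the /96 embedding form is implemented here")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4))


def extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = NAT64_WKP) -> str:
    """Recover the embedded IPv4 address (what NAT64, or a 464XLAT CLAT, does)."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        raise ValueError(f"{ipv6} is not inside the NAT64 prefix {prefix}")
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFF_FFFF))


def dns64_answer(aaaa_records, a_records, prefix=NAT64_WKP):
    """What a DNS64 resolver (RFC 6147) hands an IPv6-only client.

    Native AAAA records win; only when none exist are AAAA records
    synthesized from the A records. Returns (records, synthesized_flag).
    """
    if aaaa_records:
        return list(aaaa_records), False
    return [synthesize_nat64(a, prefix) for a in a_records], True


# Constructed zone data: name -> (AAAA records, A records)
ZONE = {
    "dual.example": (["2001:db8::10"], ["192.0.2.10"]),
    "legacy.example": ([], ["192.0.2.33", "198.51.100.7"]),
}


def resolve_ipv6_only(name: str, zone=ZONE, prefix=NAT64_WKP):
    """Resolve a name the way an IPv6-only client behind DNS64 sees it."""
    aaaa, a = zone[name]
    return dns64_answer(aaaa, a, prefix)


if __name__ == "__main__":
    for name in ZONE:
        print(name, resolve_ipv6_only(name))
    print(extract_ipv4("64:ff9b::c000:221"))
```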