(TIL) Today I Learned...

Started by Seittit, January 13, 2015, 03:50:21 AM


config t

Quote from: Otanx on October 20, 2020, 01:39:34 PM
I know they didn't do it. They know they didn't do it. But we all have to pretend the device did something weird.

-Otanx

:vendors:
:matrix:

Please don't mistake my experience for intelligence.

deanwebb

Gotta be diplomatic, as well, so the customer doesn't open up a ticket with support to investigate why the device didn't commit changes and somehow dropped all the logging about any change activity with the changes that didn't get committed...
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

config t

This is a small environment and my legend has been growing over the past year, so I get a little bit of grace to call people knuckleheads occasionally, which can be useful.

deanwebb

Quote from: config t on October 22, 2020, 02:13:10 AM
This is a small environment and my legend has been growing over the past year, so I get a little bit of grace to call people knuckleheads occasionally, which can be useful.

Cherish those moments.

CHERISH them.

Otanx

Quote from: config t on October 22, 2020, 02:13:10 AM
This is a small environment and my legend has been growing over the past year, so I get a little bit of grace to call people knuckleheads occasionally, which can be useful.

Our internal teams I can get away with this (and I do). Over the years they have learned to troubleshoot before escalating. It is nice when I get an email and it has log messages included. Now I just need them to understand what "(no connection)" in an ASA deny means. They will figure it out about the time we change to another vendor.

-Otanx

config t

Sadly a lot of my troubleshooting requests start with, "Hey can you check the network and see if anything is going on?" No context, no information, not even telling me WHICH network.

Quote from: deanwebb on October 22, 2020, 09:43:47 AM
Quote from: config t on October 22, 2020, 02:13:10 AM
This is a small environment and my legend has been growing over the past year, so I get a little bit of grace to call people knuckleheads occasionally, which can be useful.

Cherish those moments.

CHERISH them.

:XD: It will probably be somewhat bittersweet when it's time to move on in a few years.

icecream-guy

Well, today I relearned that MTU is not MSS.

With an MTU of 1500 and an MSS segment size of 1460, through an IPsec tunnel, the packets got dropped.
With an MTU of 1500 and an MSS segment size of 1426, through an IPsec tunnel, the packets went through.

Little things sometimes get forgotten....

:professorcat:

My Moral Fibers have been cut.

deanwebb

Quote from: ristau5741 on November 18, 2020, 12:36:43 PM
Well, today I relearned that MTU is not MSS.

With an MTU of 1500 and an MSS segment size of 1460, through an IPsec tunnel, the packets got dropped.
With an MTU of 1500 and an MSS segment size of 1426, through an IPsec tunnel, the packets went through.

Little things sometimes get forgotten....

This is the TIL for me, as well. That's good to know.

config t

Quote from: ristau5741 on November 18, 2020, 12:36:43 PM
Well, today I relearned that MTU is not MSS.

With an MTU of 1500 and an MSS segment size of 1460, through an IPsec tunnel, the packets got dropped.
With an MTU of 1500 and an MSS segment size of 1426, through an IPsec tunnel, the packets went through.

Little things sometimes get forgotten....

I still struggle a little bit to understand what MSS is and does.

icecream-guy

Max segment size, usually set at the application layer, in our case it was Oracle SQL configuration on the server.

wintermute000

Strictly speaking, it's a TCP thing.

config t

"Essentially, the MSS is equal to MTU minus the size of a TCP header and an IP header:

MTU - (TCP header + IP header) = MSS

One of the key differences between MTU and MSS is that if a packet exceeds a device's MTU, it is broken up into smaller pieces, or "fragmented." In contrast, if a packet exceeds the MSS, it is dropped and not delivered."

config t

TIL object-groups in IOS are a thing and now I am looking at our ACLs like :eek:

deanwebb

Quote from: config t on November 24, 2020, 10:35:47 PM
TIL object-groups in IOS are a thing and now I am looking at our ACLs like :eek:

If they were put in by a contractor that got paid by the line of code, you better believe there's one line for every possible source-destination-port combination.

icecream-guy

Object-groups are not an auditor's friend, especially for high-risk protocols; they are hard to audit, track, and remove to keep the networks safe.
Example:

Fred at 1.1.1.1 wants to remote desktop to 2.2.2.2, on December 30th; this rule will expire in 180 days.
Mary at 1.1.1.1 wants to remote desktop to 2.2.2.2, on January 15th; this rule will expire in 180 days.

Now, how does one track the expiring rules in an object group?

Personally, I would use a host-to-host ACL for each, and use a time range to disable after 6 months.

In Cisco ASA terms, something like,


# time-range thru9-30-2021
# absolute end 00:00 01 October 2021
# periodic daily 0:00 to 23:59
# access-list outside_access extended permit tcp host 1.1.1.1 host 2.2.2.2 eq 3389 log






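The audit problem raised above (which permits expire when, and which never do) is mechanical once each rule carries its own time-range. Below is an added example, not the thread's code or a Cisco tool: it reads a constructed ASA config fragment modelled on the lines above, maps each time-range to its absolute end date, and classifies every permit ACE as expired, expiring in N days, permanent without expiry on a high-risk port, or granted through an object-group (where the ACE itself never expires, which is exactly the tracking gap described). The port set in HIGH_RISK_PORTS and the sample hosts are assumptions for the example.

```python
import re
from datetime import datetime

# Constructed sample config (not the thread's device): two host-to-host RDP
# rules with time ranges, one without, and one that permits via an object-group.
SAMPLE_CONFIG = """\
time-range thru9-30-2021
 absolute end 00:00 01 October 2021
 periodic daily 0:00 to 23:59
time-range thru1-14-2022
 absolute end 00:00 15 January 2022
object-group network RDP_SOURCES
 network-object host 1.1.1.1
 network-object host 3.3.3.3
access-list outside_access extended permit tcp host 1.1.1.1 host 2.2.2.2 eq 3389 log time-range thru9-30-2021
access-list outside_access extended permit tcp host 4.4.4.4 host 2.2.2.2 eq 3389 log time-range thru1-14-2022
access-list outside_access extended permit tcp host 5.5.5.5 host 2.2.2.2 eq 3389 log
access-list outside_access extended permit tcp object-group RDP_SOURCES host 2.2.2.2 eq 3389 log
"""

# Assumption: the destination ports this audit treats as high-risk.
HIGH_RISK_PORTS = {"3389", "22", "23"}


def parse_time_ranges(config: str) -> dict:
    """Map each time-range name to its absolute end (None if it never ends)."""
    ranges, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^time-range (\S+)$", line)
        if m:
            current = m.group(1)
            ranges[current] = None
            continue
        m = re.match(r"^\s+absolute end (\d\d:\d\d \d\d \w+ \d{4})$", line)
        if m and current is not None:
            ranges[current] = datetime.strptime(m.group(1), "%H:%M %d %B %Y")
        elif not line.startswith(" "):
            current = None  # any other top-level line leaves the time-range sub-mode
    return ranges


def audit_aces(config: str, now: datetime) -> list:
    """Classify each permit ACE; returns (status, config line) pairs in order."""
    ranges = parse_time_ranges(config)
    findings = []
    for line in config.splitlines():
        if not line.startswith("access-list ") or " permit " not in line:
            continue
        port = re.search(r"\beq (\S+)", line)
        port = port.group(1) if port else None
        tr = re.search(r"\btime-range (\S+)", line)
        if " object-group " in line:
            status = "object-group"      # members come and go; the ACE itself never expires
        elif tr is None:
            status = "no-expiry" if port in HIGH_RISK_PORTS else "permanent"
        else:
            end = ranges.get(tr.group(1))
            if end is None:
                status = "unknown-range"  # references a time-range with no absolute end
            elif end <= now:
                status = "expired"        # safe to remove
            else:
                status = f"expires-in-{(end - now).days}d"
        findings.append((status, line))
    return findings


if __name__ == "__main__":
    for status, line in audit_aces(SAMPLE_CONFIG, datetime(2021, 12, 1)):
        print(f"{status:16} {line}")
```

Run against a real `show running-config` export, the "expired" rows are the cleanup list, "no-expiry" rows on high-risk ports are the findings an auditor would raise, and "object-group" rows are the ones where per-person expiry has to be tracked somewhere other than the firewall.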