(TIL) Today I Learned...

config t · April 14, 2020, 05:59:51 AM

TIL that there is an MTU setting on the client side. Now that I know it, it seems like a no-brainer, but I never really had to think about it before.

deanwebb · April 14, 2020, 01:16:33 PM

Just remember that Windows will ignore the MTU *always* when sending a cert in an EAP-TLS response.

ALWAYS.

config t · May 05, 2020, 06:52:06 AM

TIL (or re-learned, not sure) the power of..

Code Select

show run | exclude

I have a little project going on to generate config templates integrating an updated MBL and outbound ACL on my edge routers. The Null0 routes number in the several thousand range. Picking out the handful of legit ip routes felt impossible until I had that little epihpany.

deanwebb · May 05, 2020, 10:04:01 AM

TIL how to fix "water hammer".

Otanx · May 05, 2020, 11:13:09 AM

Quote from: deanwebb on May 05, 2020, 10:04:01 AM
TIL how to fix "water hammer".

I had to deal with that a few years ago myself. I was lucky and my brother is a jack of all trades, and was able to take care of it for me.

TIL... Tripwire Enterprise supports IOS 12.4 and PIX firewalls. Nothing newer according to the documents updated in Mar2020.

-Otanx

deanwebb · May 05, 2020, 12:31:46 PM

TIL that I did a good job with a customer last week.

wintermute000 · May 06, 2020, 07:19:34 AM

Quote from: deanwebb on April 14, 2020, 01:16:33 PM
Just remember that Windows will ignore the MTU *always* when sending a cert in an EAP-TLS response.

ALWAYS.

WHAT are you serious, it just somehow magically ignores the NIC setting?or rather it ignores PMTUD responses for some reason?

deanwebb · May 06, 2020, 03:23:29 PM

Quote from: wintermute000 on May 06, 2020, 07:19:34 AM
Quote from: deanwebb on April 14, 2020, 01:16:33 PM
Just remember that Windows will ignore the MTU *always* when sending a cert in an EAP-TLS response.

ALWAYS.

WHAT are you serious, it just somehow magically ignores the NIC setting?or rather it ignores PMTUD responses for some reason?

I think it's a NIC setting override. Because that packet with the cert can be massive, and Windows don't care.

deanwebb · May 07, 2020, 01:39:38 PM

TIL how to paste column data as a row in Excel.

icecream-guy · May 08, 2020, 08:14:50 AM

Quote from: deanwebb on May 07, 2020, 01:39:38 PM
TIL how to paste column data as a row in Excel.

that's handy, I learned that a while ago.
Pivot tables are also lots of fun

deanwebb · May 08, 2020, 10:36:34 AM

TIL that even if a customer has had an architecture diagram in hand for months, that customer can still be surprised by information on it and think that I was trying to sneak something past them. And TI also L that keeping a full email archive is a powerful shield for the firey darts of a customer "surprised".

config t · May 11, 2020, 11:15:04 PM

TIL that setting the DF bit on an ICMP packet will help identify max MTU size along a path.

Code Select

C:\Users\config.t>ping 192.168.1.1 -l 1448 -f

Pinging 192.168.1.1 with 1448 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\david.stern>

I really need to deep dive TCP/IP.

deanwebb · May 12, 2020, 09:46:58 AM

Quote from: config t on May 11, 2020, 11:15:04 PM
TIL that setting the DF bit on an ICMP packet will help identify max MTU size along a path.

Code Select Expand
C:\Users\config.t>ping 192.168.1.1 -l 1448 -f Pinging 192.168.1.1 with 1448 bytes of data: Packet needs to be fragmented but DF set. Packet needs to be fragmented but DF set. Packet needs to be fragmented but DF set. Packet needs to be fragmented but DF set. Ping statistics for 192.168.1.1: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), C:\Users\david.stern>

I really need to deep dive TCP/IP.

The TCP/IP Guide: http://www.tcpipguide.com/

I LOVE THAT SITE. It walks through all the RFCs, great stuff.

Otanx · May 12, 2020, 10:33:50 AM

That is why you should not block ICMP. Yes there are ICMP types that should be blocked, but if you block them all you end up breaking things.

-Otanx

config t · May 12, 2020, 11:39:40 AM

Quote from: deanwebb on May 12, 2020, 09:46:58 AM
Quote from: config t on May 11, 2020, 11:15:04 PM
TIL that setting the DF bit on an ICMP packet will help identify max MTU size along a path.

Code Select Expand
C:\Users\config.t>ping 192.168.1.1 -l 1448 -f Pinging 192.168.1.1 with 1448 bytes of data: Packet needs to be fragmented but DF set. Packet needs to be fragmented but DF set. Packet needs to be fragmented but DF set. Packet needs to be fragmented but DF set. Ping statistics for 192.168.1.1: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), C:\Users\david.stern>

I really need to deep dive TCP/IP.

The TCP/IP Guide: http://www.tcpipguide.com/

I LOVE THAT SITE. It walks through all the RFCs, great stuff.

Looks pretty comprehensive. Over 1500 pages of content.

I also have "The TCP/IP Guide" which apparently I haven't opened for a while because I discovered 24 Kuwaiti Dinar under the cover that I completely forgot about (roughly $78).