what did you learn today? (part 2)

hawkbox

Ars Legatus Legionis
13,914
Subscriptor
It's free. Well not someone's time, but nagios is free.

Yeah the primary issue right now is time and honestly interest. I'm the only one that cares enough to properly follow through with something like this and I don't have anywhere near the time to do it. If I can get the Apps guy who always wants to do new shinies to actually properly commit to it that would be a start.
 

Frennzy

Ars Legatus Legionis
85,841
I have my own PKI, but the fun is making sure everything is looked after. When I started here they didn't use HTTPS for anything that ran internally.

Two jobs back that was the case at a company I worked for.

The tune quickly changed when I started logging in and doing simple innocent things, as them, that they couldn't explain. (it was part of my job to train users about not doing stupid things on the network, and fully approved by management...and actually got us to a much more HTTPS oriented stance once the devs realized I wasn't going to stop)

Some of the best were the most harmless. Logging in to a test ticketing system, for example, and "TEST"ing back at the ticket creator. (usually QA)
 

hawkbox

Ars Legatus Legionis
13,914
Subscriptor
I have my own PKI, but the fun is making sure everything is looked after. When I started here they didn't use HTTPS for anything that ran internally.

Two jobs back that was the case at a company I worked for.

The tune quickly changed when I started logging in and doing simple innocent things, as them, that they couldn't explain. (it was part of my job to train users about not doing stupid things on the network, and fully approved by management...and actually got us to a much more HTTPS oriented stance once the devs realized I wasn't going to stop)

Some of the best were the most harmless. Logging in to a test ticketing system, for example, and "TEST"ing back at the ticket creator. (usually QA)

Yeah, if we took this remotely seriously it would be something.
 

CPX

Ars Legatus Legionis
27,044
Subscriptor++
I didn't say easy :p I said simple. Boiled down, a simple root+issuing CA can be pretty straightforward, you just need to know what 9000 million knobs to turn to get both CA certs correct :)

Also not simple.

Dunno how it is on Linux, but Windows' CA interface is the crowning definition of anti-intuitive, especially having to go between GUI and PowerShell to finish a process that should be complete on both...
 

hawkbox

Ars Legatus Legionis
13,914
Subscriptor
I didn't say easy :p I said simple. Boiled down, a simple root+issuing CA can be pretty straightforward, you just need to know what 9000 million knobs to turn to get both CA certs correct :)

Simple and easy are rarely the same thing. I did the heavy lifting making all this work, then I became the manager and no one cared enough for me to delegate it. I would really like to have some people that cared as much as me report to me, but I've learned the hard way that I'm an outlier.
 

Danger Mouse

Ars Legatus Legionis
38,791
Subscriptor
I didn't say easy :p I said simple. Boiled down, a simple root+issuing CA can be pretty straightforward, you just need to know what 9000 million knobs to turn to get both CA certs correct :)

Simple and easy are rarely the same thing. I did the heavy lifting making all this work, then I became the manager and no one cared enough for me to delegate it. I would really like to have some people that cared as much as me report to me, but I've learned the hard way that I'm an outlier.

Diligence, competence and integrity are always an outlier it seems.

You may have ONE person like that in a team or even in an entire IT org.

The other people are in various parts of the spectrum from "don't care" all the way to actively sabotaging you to make themselves feel better.

---

In other news, I think I have finally found out WTF I don't like Cisco's Hyperflex. Too much of what you need to do with it is either only available in their UCS Manager or in the HX data platform plugin and not in the native vsphere/vcenter.

That means learning an additional CLI and operational process and also having an entirely extra set of dependencies.

Some things that should easily be set/adjusted are only in their special sauce, which is understandable to some extent.

Other things are just annoying.

I guess in some ways if they built the entire thing on top of openstack and made it so only their toolset was visible, that would be preferable. Maybe. Instead of vSAN, looks like they use their special sauce to imitate it. Yes, just like the old Nexus 1000v instead of a standard dvswitch.

The complexity and interdependencies involved mean that I will again be a single point of contact for yet another piece of technology. :/

And I'll be the only one who cares if something doesn't work right (like Hawkbox).
 
TIrL how to count in Hex...

First WWPN ended in 18.

I copied and pasted it - don't want to make a typo!

Second WWPN would end two digits higher, so brain gave me shortcut answer: backspace twice, punch in 20, done!

Oops, that's decimal...*sigh*

Close call! No outage, and thankfully I check my work between fabrics and noticed half of the paths gone. Derp!!

:eng101:
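As an added example (not from the thread), a small Python check for the hex-counting slip described above: it increments a WWPN as hex and flags a second-fabric WWPN that looks like it was counted in decimal. The WWPN values are constructed.

```python
import re

# Colon-separated 8-byte WWPN, e.g. 50:06:01:60:3b:a0:1d:18 (constructed sample)
WWPN_RE = re.compile(r"^([0-9a-fA-F]{2}:){7}[0-9a-fA-F]{2}$")


def parse_wwpn(text):
    """Return the 64-bit integer value of a WWPN string, or raise ValueError."""
    if not WWPN_RE.match(text):
        raise ValueError(f"not a WWPN: {text!r}")
    return int(text.replace(":", ""), 16)


def format_wwpn(value):
    """Render a 64-bit integer back as a lowercase colon-separated WWPN."""
    digits = f"{value:016x}"
    return ":".join(digits[i:i + 2] for i in range(0, 16, 2))


def next_wwpn(text, step=2):
    """The WWPN `step` higher, computed in hex: ...:18 + 2 is ...:1a, not ...:20."""
    return format_wwpn(parse_wwpn(text) + step)


def check_pair(first, second, step=2):
    """Compare the WWPN typed for the second fabric with what hex arithmetic predicts.

    Returns (ok, message) so the result can gate a zoning change before commit.
    """
    expected = next_wwpn(first, step)
    if parse_wwpn(second) == parse_wwpn(expected):
        return True, "ok"
    # The common slip: the last byte was counted in decimal ("18" + 2 typed as "20").
    last = first.rsplit(":", 1)[1]
    decimal_guess = f"{int(last, 10) + step:02d}" if last.isdigit() else None
    if decimal_guess and second.rsplit(":", 1)[1].lower() == decimal_guess:
        return False, f"{second} looks like a decimal count; expected {expected}"
    return False, f"{second} does not match expected {expected}"


if __name__ == "__main__":
    fabric_a = "50:06:01:60:3b:a0:1d:18"  # constructed sample
    print(check_pair(fabric_a, "50:06:01:60:3b:a0:1d:20"))
    print(check_pair(fabric_a, next_wwpn(fabric_a)))
```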
 

Hypoluxa

Ars Scholae Palatinae
1,386
Subscriptor++
I didn't say easy :p I said simple. Boiled down, a simple root+issuing CA can be pretty straightforward, you just need to know what 9000 million knobs to turn to get both CA certs correct :)

Also not simple.

Dunno how it is on Linux, but Windows' CA interface is the crowning definition of anti-intuitive, especially having to go between GUI and PowerShell to finish a process that should be complete on both...

I have set up a domain-constrained PKI using a SafeNet Luna HSM solution. PITA.... you have no idea. 7 USB keys....
 

CPX

Ars Legatus Legionis
27,044
Subscriptor++
I didn't say easy :p I said simple. Boiled down, a simple root+issuing CA can be pretty straightforward, you just need to know what 9000 million knobs to turn to get both CA certs correct :)

Also not simple.

Dunno how it is on Linux, but Windows' CA interface is the crowning definition of anti-intuitive, especially having to go between GUI and PowerShell to finish a process that should be complete on both...

I have set up a domain-constrained PKI using a SafeNet Luna HSM solution. PITA.... you have no idea. 7 USB keys....

Oh fuck that. I was just dealing with all-software stuff to eliminate self-signed certs for EWSs, SSH, and RDP. Only succeeded with the web stuff. Still never really figured out the Cisco stuff for SSH or the RDP stuff (certs claim inability to find the CRL).
 
Plant Ops decided to turn off chilled water at 7:30AM without telling any of the clients of that chilled water. Only had one ESXi host shut down but still... :mad:

Is Plant Ops paying for a new server?

They did put out a notice, tho, right?

"But the plans were on display . . ."
"On display? I eventually had to go down to the cellar to find them."
"That's the display department."
"With a torch."
"Ah, well the lights had probably gone."
"So had the stairs."
"But look, you found the notice, didn't you?"
"Yes," said Arthur, "yes I did. It was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying Beware of the Leopard."
- Hitchhiker's Guide to the Galaxy
 

Danger Mouse

Ars Legatus Legionis
38,791
Subscriptor
TIL Cisco 40G optics on eBay are only a bit more expensive than Cisco 10G optics on eBay.

$30 to $50 for actual (hopefully not relabeled and reprogrammed) Cisco 40G SR4 optics.

Makes me wonder if someone did a large switch to 100g and dumped it all.

The fiber is more expensive than the transceivers :D

I will try it and report back :D
 

Danger Mouse

Ars Legatus Legionis
38,791
Subscriptor
I'd rather buy brand new (with a warranty) FiberStore optics than eBay "maybe legit" optics.

http://www.fs.com/products/36157.html

It's called having fun, not being serious about putting it into production in this case. I have a quote out for 40G optics from 3 different vendors.

---

Some people buy "antiques" on eBay. I buy used electronics cheaply and have fun.

I have zero issue with using previous generation used electronics from eBay such as Xenpak 10G-LR or other odd bits and ends.

It's a good way to build up a test lab of gear you can't otherwise accrue through normal purchasing channels.
 

Danger Mouse

Ars Legatus Legionis
38,791
Subscriptor
TIL the PA-4020 clearly has an empty slot for more RAM, which would be really useful given the 1GB it has clearly isn't enough. 20+ minutes for a commit isn't unusual.

I'm sure more RAM will cut it down.

I'll find out after we transition to our 5250 pair.

I wanted the 5260, but the HQ org ordered the 5250, which is extremely shortsighted since we'll be constrained at 40g WAN speeds. Our 10G WAN won't be a problem on the 5250. Our 10G WAN connection is free, and 40G should be free to us within 2 or 3 years and 100G probably a few years after that, given the pattern of our connection upgrades.


EDIT: The empty slot is visible from the front air intake, if you angle a light the right way. You can see the empty tabs for the RAM slot and the filled one next to it.
 

Frennzy

Ars Legatus Legionis
85,841
...shortsighted since we'll be constrained at 40g WAN speeds. Our 10G WAN won't be a problem on the 5250. Our 10G WAN connection is free, and 40G should be free to us within 2 or 3 years and 100G probably a few years after that, given the pattern of our connection upgrades.

By the time you're looking for 100G, I'd hope you'd have upgraded your hardware at *least* twice.

(oh, and yes, upgrading RAM will definitely help with commit times, at least IME with our security guy)

Also, and I know this is me saying it, but 40G is a *lot* of bandwidth. What are you running at now, at 95th percentile?
 

Danger Mouse

Ars Legatus Legionis
38,791
Subscriptor
It's a good way to build up a test lab of gear you can't otherwise accrue through normal purchasing channels.


Okay sure but for the exact same cost you can get brand new FS optics.

Which won't appease my "hey, I bought stuff off ebay for cheap" itch.

A person's gotta have hobbies.
 

afidel

Ars Legatus Legionis
18,165
Subscriptor
...shortsighted since we'll be constrained at 40g WAN speeds. Our 10G WAN won't be a problem on the 5250. Our 10G WAN connection is free, and 40G should be free to us within 2 or 3 years and 100G probably a few years after that, given the pattern of our connection upgrades.

By the time you're looking for 100G, I'd hope you'd have upgraded your hardware at *least* twice.

(oh, and yes, upgrading RAM will definitely help with commit times, at least IME with our security guy)

Also, and I know this is me saying it, but 40G is a *lot* of bandwidth. What are you running at now, at 95th percentile?
Have you met college students? Any available bandwidth will be consumed. In college we had a dedicated OC3 for the Resnet when ISDN was the fastest home connection and yet it was always congested.
 

Danger Mouse

Ars Legatus Legionis
38,791
Subscriptor
...shortsighted since we'll be constrained at 40g WAN speeds. Our 10G WAN won't be a problem on the 5250. Our 10G WAN connection is free, and 40G should be free to us within 2 or 3 years and 100G probably a few years after that, given the pattern of our connection upgrades.

By the time you're looking for 100G, I'd hope you'd have upgraded your hardware at *least* twice.

(oh, and yes, upgrading RAM will definitely help with commit times, at least IME with our security guy)

Also, and I know this is me saying it, but 40G is a *lot* of bandwidth. What are you running at now, at 95th percentile?

We were maxed out on our 1G connection, mostly due to streaming and cloud use.

QoS at the firewall helped with bringing that down from choking our business use, but 10G is needed.

You know how schools used to have VCRs/projectors/DVD players? Teachers use YouTube, Netflix, Hulu, etc. instead now for instructional materials.

Multicasting doesn't help much with this, since each person in each class may be looking at a different video stream that is part of a given course's curriculum.

We're about to add the Veeam/HP StoreOnce backup to another ORG location to go through our WAN link and we may have a second link for cloud based backup.

Just like in the old days, we could never imagine using up our DS3 line, until we did. I'm sure we'll wind up growing to fill that 10G WAN link (actually an active/passive pair, like our current active/passive 1G).

Upgrading twice in that time period doesn't happen in normal public sector .edu, which is why we try to plan as far ahead as possible and skip the interim upgrade or bake it into the initial purchase.
 

Frennzy

Ars Legatus Legionis
85,841
Forgot it was .edu, but even WAN is running like that? (By WAN, I mean site-site, facility-facility, etc., not internet)

We upped to dual 10G for our main DCs, but don't come close to using it all. Then again, we have around 8000 max users at any time, more focused on work than streaming. (We do use multicast for in-house streaming things like all-hands.)

Just out of curiosity, are you not required to do depreciation on capital assets? I honestly don't know, but it greatly drives our justification for upgrading hardware when devices fully depreciate.

Oh, and if I get back to CO soon and can remember, I'll snap some pics of *my* lab, to show what you can buy when you have supportive management that understand the importance of design and test. :D
 

Danger Mouse

Ars Legatus Legionis
38,791
Subscriptor
Forgot it was .edu, but even WAN is running like that? (By WAN, I mean site-site, facility-facility, etc., not internet)

Our IPSec tunnel to intranet at our HQ is more a political issue than actual bandwidth issues on our side, once harsh QoS policies were enabled for streaming video and social media sites.

They do have bandwidth issues on their side.

https://meincmagazine.com/information-tec ... m-backups/

See this story about PETS built on top of SAP?

They built our work request system on top of SAP and it has many of the same issues/complaints mentioned in the stories about PETS on SAP for NYPD.