Author Archives: Valter Popeskic
This article describes the simplest way to enable MACSec using a preconfigured static key string. The example was tried on a Catalyst 3850 and should work on other switches too. There is another article that I wrote years ago which describes a more complex implementation with dot1x etc. MACSec (Media Access Control Security) is the way to secure point-to-point Ethernet links by implementing data integrity checks and encryption of Ethernet frames. When you configure MACsec on a switch interface (and, of course, on the other switch connected to that interface), all traffic going through the link is secured using data integrity checks and encryption.
Sometimes you will have some L2 domains (Bridge Domains – BD) in your datacenter that will be used with hardware appliances like an F5 NLB, an additional firewall, a WAF or something similar. That is the case where ACI will not route or bridge; the only L3 point of exit from that kind of segment would be on an actual hardware appliance outside the ACI Fabric – connected to a Leaf port. We will take an example here and use it throughout the article where a BIG-IP F5 NLB is used as the L3 termination of L2 BD 10.10.10.0/24. F5
The post How to Advertise a Route from ACI Layer2 BD Outside the Fabric? appeared first on How Does Internet Work.
APIC Controller Cluster You actually need three APIC controller servers to get the cluster up and running in a complete and redundant ACI system. You can actually work with only two APICs and you will still have cluster quorum and will be able to change the ACI Fabric configuration. Losing One Site In the MultiPod, those three controllers need to be distributed so that one of them is placed in the secondary site. The idea is that you still have a chance to keep your configuration on the one remaining APIC while completely losing the primary site with two APICs. On the other
What is MultiPod? ACI MultiPod was first designed to enable the spread of an ACI Fabric inside a building (into two or more Pods), let’s say in two rooms on different floors, without the need to connect all the Leafs from one room to all the Spines in the other room. It was a way of simplifying the cabling and all that comes with a building-spread CLOS topology fabric. MultiPod also saves some Leaf ports, given that the Pod-to-Pod connection through the Multicast-enabled IPN network connects directly to the Spines. People soon realized that MultiPod will be a great solution
The post ACI MultiPod and how to build MultiDatacenter with Cisco ACI appeared first on How Does Internet Work.
Hello World This is an overview of what I think Cisco ACI actually is. It uses some examples from the lab environment to show you how things look when you start to work with ACI. There are other articles in the works which will be online soon and which will go in detail through the real configuration of ACI and best practices while doing it. What is this Cisco ACI Fabric? Cisco ACI is a datacenter network Fabric. It actually means that it is a networking system of multiple L3 switches that have a modified, next-generation OS
Edson Erwin invented this highly scalable and optimized way of connecting network nodes in the 1930s, and Charles Clos made the telephone node interconnection design using that solution. It was even before we had IP networks. He invented it in order to optimize the architecture of telephony network systems back then. It was not used in IP-based networks for the last few decades, but it experienced a big comeback with new datacenter designs in the last few years. It was first invented only for scalability requirements, which it solved beautifully. In new datacenter design, CLOS topology of interconnecting network devices scalability
Again I made it to the list of Cisco Champions, making this the second year in a row! I am so glad that my effort to give back to the community and to all my networking fellows out there paid off again in the shape of this recognition from Cisco. This badge is only a small thing, relating to all the community connections and sharing that my involvement with networking community via social media and this blog, made possible. It only pushes me to get even more done in the future. In 2018 I was involved in a few very challenging new
If there’s no BFD If you have two routers directly connected, like here: In this case, it is normal that one of them will remove the routes learned from the other if the other one goes down completely. It is because the link will go to the down state and the routing protocol adjacency will disappear. If two routers are connected through an L2 device (switch) like down here: In this case, when one of them goes down, it will not take down the interface of the L3 neighbour (the other router) because the switch will still work fine and it will
The largest chunk of bytes that a transport protocol can forward across a specific medium is called the MTU – Maximum Transmission Unit. If we speak about Ethernet, which is today the most common, it has by default a 1522-byte MTU. The story about MTU is that the MTU of a specific protocol basically defines how much payload (or higher protocols' headers + their payload) it can carry in its biggest packet, not counting its own headers. Putting more payload into a single packet than the MTU allows will result in fragmentation, the process of slicing the frame into several smaller frames so that
There was an old way of generating an interface IPv6 address using the SLAAC process (Stateless autoconfiguration). You simply configured that you want SLAAC autoconfiguration and the interface IPv6 address was generated by squeezing “FFFE” in hex (the bits 11111111 11111110) between the two halves of the physical MAC address of that interface. Then, after a while, several comments came to the IETF about the use of predictable Interface Identifiers in IPv6 addresses. They were pointing to the ease of correlation of host activities within the same network and across multiple networks. If Interface Identifiers are constant across networks, this negatively affects the privacy and security of
The post The New Way of Generating IPv6 – SLAAC EUI-64 Address Format appeared first on How Does Internet Work.
There is always the option to edit a file locally on your computer in notepad++ and then upload it to the Cisco device. With this trick, you can write or edit a file in Flash memory directly from the Cisco IOS console. If you need it for whatever reason, maybe to change something in the config file or something else, this is the way to do it. I was using it for my next article lab where I needed a file on the flash with at least 1600 bytes so I can pull it from a neighbouring router with HTTP and check some
I just received an e-mail from Cisco with the notice that I was elected Cisco Champion for 2018. As Cisco says: “Cisco Champions are a group of highly influential technical experts who generously enjoy sharing their knowledge, expertise, and thoughts on the social web and with Cisco. The Cisco Champion program encompasses a diverse set of areas such as Data Center, Internet of Things, Enterprise Networks, Collaboration, and Security. Cisco Champions are located all over the world.” I must say that the last 7 years of writing this blog were the primary reason why one should pick me for this flattering
EtherChannel enables bundling multiple physical links connecting the same devices into a single logical link. I will try to show you how it is configured and how it works. The issue with one uplink I made an example with 8 clients connected to two Cisco 3850 switches. To start, those two switches are connected together with 1G copper on interface Ge1/23. The clients are also connected to 1G ports. In this case, when all four clients on the left side start simultaneously sending traffic at full speed to different computers on the right side, they will congest the uplink
It is related to a Check Point MGMT VM with R80.10 in my story, but you might as well want to resize a Check Point gateway firewall hardware box or VM. I was searching for a simple solution and found different ones that didn’t work for me, so here are the steps that you need to go through when you resize your Check Point VM disk in vCenter and then need to expand the partition inside the Check Point VM in order to use the additional space. Of course, you did choose too small an HDD for your VM when you created it and now
Last month I celebrated 6 years of writing my blog. This project reached yesterday its most visited day in history with more than 1500 visitors, and more than 31K all together in November. Nice to finally see someone actually reading my rumblings. It was and still is hard work of editing old posts, making them better and finding new interesting stuff to write about. The blog is about computer network technologies, you know, the stuff that makes things get to you and appear on your device’s screen so you can stare at it all the time. Some other interesting trivia:
What is the universal/local bit in an IPv6 EUI-64 address? One of my readers contacted me with an interesting question in the comments of the “IPv6 – SLAAC EUI-64 Address Format” article. The question was: “How come that the ipv6 address after the prefix is 21C:C4FF:FECF:4ED0 if the mac address is 00-1C-C4-CF-4E-D0?” Of course, we all know from the previous article that the EUI-64 process takes the interface MAC address (if that is an Ethernet interface) and creates a 64-bit Interface ID with it by shimming an additional FFFE (16 bits, written in hex) in between the MAC address bits. The reader was confused with an
Media Access Control Security or MACSec is hop-to-hop protection of Layer 2 network traffic. Just like IPsec protects the network layer and SSL protects application data, MACSec protects traffic at the data link layer (Layer 2). MACSec is standardized IEEE 802.1AE hop-by-hop encryption that enables confidentiality and integrity of data at layer 2. It encrypts the entire Ethernet frame except the Source and Destination MAC addresses on any directly connected wired L2 connection: device-to-device, switch-to-switch, router-to-switch or host-to-switch. If we compare MACSec with, for example, IPsec, MACsec provides the same security but on layer 2, for each hop separately. On each hop, packets are
Some of my readers commented on my old article about reflexive access-lists with issues in the configuration. I tried it in the lab again to be sure I didn’t make any mistake in the configuration example, and here I’m sharing the lab and the config used. About Reflexive Access Lists Reflexive ACLs are a special kind of extended access-list that have a limited stateful behaviour technique implemented for TCP sessions. It is better to say that a reflexive access-list is simulating stateful behaviour because it, by use of the ‘established’ keyword, is allowing TCP packets that have the ‘ACK’ bit set but not
I was planning for some time now to make a list of books I read recently, so here’s the list. It should be something like a book reading suggestion list in order to maybe help you pick the right materials in your networking technology learning journey. On the top are the books I used most while studying for my certs, but some of them are also the books that I usually carry with me on my Kindle or as PDF wherever I go. It is always a good idea to have those books on you so you can have a look at