Cisco UCS B200 M3: “Invalid Adaptor IOcard”

I received two brand spanking new B200 M3 blade servers for a new project. These bad boys are packing 393GB of RAM and two Intel Xeon E5-2680 2.7GHz 8-core processors each. I wanted to get these installed as soon as possible, so I could make sure the firmware was up to current (they came with 2.0(3c), which is what I’m running) and apply service profiles to them. At the end of the initial deep hardware discovery, I received a strange error in UCSM - “Invalid Adaptor Iocard”:

How to prevent or stop DoS attacks?

How does the internet work - We know what is networking

The response and prevention In order to defend against Denial of Service attacks the combination of attack detection use is typically involved in it, classification of traffic as well as response tools, and the target is to block traffic if identified as illegal and permit the legal traffic only after identifying it. Below is a […]

How to prevent or stop DoS attacks?

BGP Decision Process

Cisco’s BGP decision process basically decides which BGP route to take when comparing multiple prefixes to the same destination. It is a rather long process and somewhat tricky. Below, I created a quick reference to its steps.

Before I talk about each step I would like to discuss in what order are multiple prefixes compared. For example if you have three prefixes to 10.2.0.0/16 how do you compare all three at once? By default Cisco’s algorithm will compare the younger prefixes to the older and finally compare the oldest to the winner.

The rest of this post are my notes on the BGP decision process. Hopefully you’ll find it useful.

 

BGP Preconditions

For any path to be considered valid it has to meet these requirements.

  1. Next-hop IP address of that path is reachable.
  2. The local AS number is not part of the AS_PATH (basic loop prevention).
  3. If BGP synchronization is enabled, the candidate prefix is in the IGP routing table. If using OSPF, router-ID have to match for the OSPF and BGP process.
  4. The BGP prefix is not dampened.
  5. With inbound soft resets enabled, make sure that no BGP polices are filtering the candidate prefix.

1 Continue reading

DoS Methods – PDoS, Permanent DoS attacks

How does the internet work - We know what is networking

A PDoS or permanent denial-of-service, also referred to as phlashing, is a severe attack that completely damage a system as a result of which the system’s reinstallation of hardware or replacement is required. A PDoS attack exploits the flaws of security which further permits the administration present far away on the hardware of the victim […]

DoS Methods – PDoS, Permanent DoS attacks

DoS Methods – ICMP and SYN flood, Teardrop and Low-rate DoS attacks

How does the internet work - We know what is networking

ICMP flood Smurf attack is one specific form of a flooding DoS attack that occurs on the public Internet. It solely depends on incorrect configuration network equipments that permit packets that are supposed to be sent to all hosts of computer on a specific network not via any machine but only via network’s broadcast address. […]

DoS Methods – ICMP and SYN flood, Teardrop and Low-rate DoS attacks

FEX Architectures

Here is an old post I never finished. With the benefits of the Nexus 2000 and the FEX architecture (a earlier post), scalability, simplified management, flexibility, Cisco extended its use further into the servers all the way up to the virtual hosts.This allows much greater control and flexibility. After all network guys should look after […]

New version of BGPmon.net

As many of you are aware, BGPmon.net has been offered as a free service since becoming publically available in 2008. From its inception the service has been funded largely by myself. Now, due to ever-increasing popularity, it has become unsustainable to run the service on personal funds and my available time. I have reached a branch in the road: BGPmon.net must either become financially self-supporting, reduce its scope or cease. Clearly the latter options would waste the project’s potential and accomplishments.

So I’m happy to announce that as of today BGPmon.net services will be available in two flavors: a free ‘entry level’ service and a full-featured premium commercial service.

With these changes, BGPmon.net will become more sustainable and provide better support, and allow us to continue improving services while adding new features.

What to expect
Our base services remain free, but with a limited feature set and up to 5 prefixes per account.

The premium commercial service allows you to monitor as many prefixes as needed and provides the full-feature set on a new powerful platform. The routing report, SOAP API and additional email address features are now part of the premium service. Pricing details can Continue reading

DDoS – Distributed Denial of Service attack

How does the internet work - We know what is networking

When a number of systems i.e. one or more than one web server floods the resources and bandwidth of a targeted system then a distributed denial of service attack (DDoS) takes place, Different types of methods are used by attackers in order to compromise the systems. It is the malware that can carry out the […]

DDoS – Distributed Denial of Service attack

TCP Small Queues

Some puzzle pieces of a picture puzzle.Linux 3.6 just shipped.  As I’ve noted before, bloat occurs in multiple places in an OS stack (and applications!). If your OS TCP implementation fills transmit queues more than needed, full queues will cause the RTT to increase, etc. , causing TCP to misbehave. Net result: additional latency, with no increase in bandwidth performance. TCP small queues reduces the buffering without sacrificing performance, reducing latency.

To quote the Kernel Newbies page:

TCP small queues is another mechanism designed to fight bufferbloat. TCP Small Queues goal is to reduce number of TCP packets in xmit queues (qdisc & device queues), to reduce RTT and cwnd bias, part of the bufferbloat problem. Without reduction of nominal bandwidth, we have reduction of buffering per bulk sender : < 1ms on Gbit (instead of 50ms with TSO) and < 8ms on 100Mbit (instead of 132 ms).

Eric Dumazet (now at Google) is the author of TSQ. It is covered in more detail at LWN.  Thanks to Eric for his great work!

The combination of TSQ, fq_codel and BQL (Byte Queue Limits) gets us much of the way to solving bufferbloat on Ethernet in Linux. Unfortunately, wireless remains a challenge (the drivers Continue reading

ASA Double Nat in 8.4+

Recently I was faced with an issue outside my normal expertise… those of you that know me realize I am anything but a security engineer. But in reality, you must always expand your horizons. One of the projects I’m working on involves migrating between two edge networks. Obviously, for a time there has to be traffic using both networks while you migrate services from one network to the other. This creates an issue from services that may be NAT’d from the inside of the network, where as the current (read: old) default route takes them out a different connection..
In order to solve this, you need to either change the default route, which may not be possible, or start NAT’ing the source address of your traffic. It took me a bit of time to get the details worked out, so I wanted to share what I found out.

Plain Jane Static NAT

Since 8.3, NAT has changed quite a bit. The most obvious change is the use of Object groups pretty much everywhere. In some ways, this simplifies the config. In others, not so much. Basic static NAT takes the form of a single object group that defines the Continue reading

My MacBook Air Docking Solution

I decomissioned my CustoMac to return it to its origins as a gaming rig. This was mainly due to the fact that trying to keep my MacBook and CustoMac in sync was turing out to be very labour intensive... This means I am using my Macbook Air as my main office PC but its limited I/O was proving to be a little bit of a problem!

My MacBook Air Docking Solution

I decomissioned my CustoMac to return it to its origins as a gaming rig. This was mainly due to the fact that trying to keep my MacBook and CustoMac in sync was turing out to be very labour intensive... This means I am using my Macbook Air as my main office PC but its limited I/O was proving to be a little bit of a problem!

I needed:

  • 1 x DVI or HDMI to hook it up to my monitor
  • 1 x 10/100 or 1000 Ethernet as Wireless is not fast enough (especially for Time Machine)
  • 1 x Headphone and 1 x Mic ports to work with my existing headset
  • 1 x USB for my Webcam
  • 2 x spare USB for Memory sticks etc...

While the new range of Thunderbolt docks will be available later this year from the likes of Belkin and Matrox they will be priced in the £200-300GBP range (Expansys have the Belkin dock listed at £279). While it offers all the I/O I want over a high bandwidth connection I don't think I can justify spending over 1/4 the cost of the laptop itself on one... so I came up with a homebrew solution for under Continue reading

I’m attending the International Summit for Community Wireless Networks

I will be giving a updated version of my bufferbloat talk there on Saturday, October 6.  The meeting is about community wireless networks (many of which are mesh wireless networks) on which bufferbloat is a particular issue.  It is in Barcelona, Spain, October 4-7.

We tried (and failed) to make ad-hoc mesh networking work when I was at OLPC, and I now know that one of the reasons we were failed was bufferbloat.

I’ll also be giving a talk at the UKNOF (UK Network Operator’s Forum) in London on October 9, but that is now full and there is no space for new registrants.


KIClet: NX-OS – Ethernet[X] is down (inactive)

This is a short one. I didn’t see a ton of information on this on the internet so I figured I’d put it forward. I’m using a pair of Nexus 2K FEX switches (N2K-C2248TP-1GE) for 1GbE copper connectivity off of a pair of Nexus 5548UP switches. I needed to set one of the 2K ports to access mode and place it in a VLAN. Pretty simple. After configuring one of the 2K ports through the 5K CLI though, I noticed that the port was listed as “down (inactive)”.

Spanning-tree Requirements for Cisco ISSU

I had a great conversation with a coworker regarding the requirements for the In-Service Software Upgrade (ISSU) feature on Cisco switches. For this post, I’m using Nexus 5548UP switches as a distribution layer to my Cisco UCS environment, and at the core is sitting a pair of Catalyst 6500s, set up in a VSS pair. For those unfamiliar with ISSU, it is a way for Cisco devices to upgrade their running firmware without the need for a disruptive reboot of the device, which is what has traditionally been used for upgrades to IOS, NX-OS, etc.

Book list

It is time I’ll place the list online, so with no farther delays and in the order of importance: 1 Routing TCP/IP, Volume 1 (2nd Edition) - By far, the most important book you must read. ...And remember, if you are using Private VLANs or plan to, make sure you visit my Private VLAN appliance site.

When NTP access-control needs ACL for 127.127.7.1?

The very simple answer is when the local NTP master controller is synching to the IP address 127.127.7.1 instead of 127.127.1.1. Ok, I think I need to clarify few things.  In a number of CCIE workbooks, you’ll get a task to configure NTP access-control on the master NTP router to only peer with R1.  After trying for a long time, you lookup the solution guide and realize that you were missing an ACL entry for the local address 127.127.7.1. Or you finished the task, everything works, you check the solution guide and ask yourself “why did they have an ACL for the IP address 127.127.7.1? I did it without it and it worked.”

This is something that I found to be very frustrating and without any information on the web. After doing some of my own research, it appears Cisco made few changes that are not very clearly documented.

To give you an example, R4 is the NTP master and R6 (150.1.6.6) is the NTP peer.

R4#sh run | i ntp | access-list
ntp master 4
ntp access-group peer 1


access-list 1 permit 150.1. Continue reading