Author Archives: John Herbert

Decoding LACP Port State

It’s frustrating when the output of a show command gives exactly the information needed, but in a format which is unintelligible. So it is with the Partner Port State field in the NXOS show lacp neighbor interface command, which reports the partner port state as a hexadecimal value. To help with LACP troubleshooting, here’s a quick breakdown of the port states reported on by LACP, and how they might be seen in Junos OS and NXOS.

LACP Port State

The LACP port state (also known as the actor state) field is a single byte, each bit of which is a flag indicating a particular status. In this table, mux (i.e. a multiplexer) refers to the logical unit which aggregates the links into a single logical transmitter/receiver.

The meaning of each bit is as follows:

Bit 0, LACP_Activity: Device intends to transmit periodically in order to find potential members for the aggregate. This is toggled by "mode active" in the channel-group configuration on the member interfaces. 1 = Active, 0 = Passive.
Bit 1, LACP_Timeout: Length of the LACP timeout. 1 = Short Timeout, 0 = Long Timeout.
Bit 2, Aggregation: Will allow the link to be aggregated. 1 = Continue reading

KRACK WPA2 Vulnerability Announced – Upgrade Now

If you haven’t already heard about the KRACK (Key Reinstallation Attack) vulnerability announced today, head over to the information page at https://www.krackattacks.com/ as quick as your fingers will take you because Mathy Vanhoef of imec-DistriNet has found a vulnerability in the WPA2 protocol which has a very wide impact.

KRACK Attack

The challenge here is that this isn’t a bug in any particular implementation or commonly-used library; rather, it’s a vulnerability in the protocol itself, which means that any correct implementation of the protocol is vulnerable. This also does not just apply to wireless access points; remember that most cell phones can also act as wireless APs for purposes of wireless tethering, so they may be vulnerable too.

Impressively, a number of vendors have released code which has been patched for the vulnerability today, and a number of vendors included fixes before today’s public announcement. However, those are useless if people don’t install the upgrades. I strongly advise going now and finding what your wireless vendor has done, and installing any available patched code.

Ubiquiti Update

Since I know you’re all following my Ubiquiti experiences, I’ll note that UBNT released code Continue reading

Pre-Provisioning Your FEXen For Fun and Profit

In this post, I’ll discuss how to protect your income by using the FEX pre-provisioning capability of NXOS. I discovered the hard way that not pre-provisioning your FEX can have catastrophic side effects. What better story to post on Friday the 13th?

FEXy Time

Attaching a FEX to a Nexus switch is relatively simple; a few commands on each of the two switches the FEX connects to and it’s up and running. It’s also possible to pre-provision the FEX modules in the configuration. The documentation doesn’t make it entirely clear why this would be desirable, beyond the rather cryptic:

In some Virtual Port Channel (vPC) topologies, pre-provisioning is required for the configuration synchronization feature. Pre-provisioning allows you to synchronize the configuration for an interface that is online with one peer but offline with another peer.

Got that? In other words, pre-provisioning makes it possible to configure a FEX module that isn’t there yet, or that is powered down, or is only connected to one side of a VPC pair for some inexplicable reason. Maybe I’ve ordered some FEXen (plural of FEX) and want to configure the ports ahead of time? Whatever the rationale for doing so, I’ve never previously needed pre-provisioning Continue reading

My Lexicon: Fexen

Fexen (noun, pl.; pronounced Fex-uhn)

Usage

Do we have any copper FEXen on those switches?

Explanation

Fexen is the plural of FEX (the Cisco Nexus Fabric Extender modules). Oh, I know, “FEXes” is just as easy to say, but somehow FEXen seems to work better. Try and use this word in conversation today and see how it feels.

We have about 20 FEXen distributed around the data center.

I think you’ll like it.

If you liked this post, please do click through to the source at My Lexicon: Fexen and give me a share/like. Thank you!

iTerm2 Tip: Repeating Commands Using a Coprocess

iTerm2 is a great terminal for MacOS; far better than Apple’s built-in Terminal app, and it’s my #1 recommendation for Mac-based network engineers. One of the many reasons I like it is that it has a feature that solves a really annoying problem.

It’s tedious having to issue a command repeatedly so that you can see when and if the output changes. I’ve had to do this in the past, repeating commands like show ip arp so that I can spot when an entry times out and when it refreshes. The repeated sequence of up arrow, Enter, up arrow, Enter, up arrow, Enter drives me mad.

Some vendors offer assistance; A10 Networks for example has a repeat command in the CLI specifically to help with show commands:

a10-vMaster[2/2]#repeat 5 show arp
Total arp entries: 25       Age time: 300 secs
IP Address         MAC Address          Type         Age   Interface    Vlan
---------------------------------------------------------------------------
10.1.1.65      0000.5e00.01a1       Dynamic      17    Management   1
10.1.1.67      ac4b.c821.57d1       Dynamic      255   Management   1
10.1.1.97      001f.a0f8.d901       Dynamic      22    Management   1
Refreshing command every 5 seconds. (press ^C to quit) Elapsed Time: 00:00:00
Total arp entries: 25       Age time:  Continue reading

My Lexicon: Nexii

Nexii (noun, pl.; pronounced nex-eye)

Usage

I have built a leaf/spine fabric using Nexii.

Explanation

Nexii is the plural of Nexus, obviously. To talk about “Cisco Nexuses” is ugly. Referring to “Cisco Nexus switches” is syllabically inefficient. Nexii is the perfect blend between inappropriate Latin noun pluralization and verbal optimization.

We need to upgrade the software on our Nexii.

You’ll thank me later.

Microburst: Update on the HTML Home Network Diagram

Last week I published an article called Making a Clickable HTML Network Diagram using OmniGraffle. One of the questions I was asked was whether I’d tried doing the same in draw.io or Gliffy. I have not, although I do use Gliffy a fair amount, and I have dabbled with draw.io.

Thankfully, Keith Miller (@packetologist) is on hand to provide the answer! Keith has put together an article mirroring a similar process using the free (and platform-agnostic) draw.io. Definitely worth a read, and a great example of a free tool making our lives way easier.

Link: CLICKABLE HTML NETWORK DIAGRAMS WITH DRAW.IO

Thanks, Keith, for the excellent demonstration!

Task List Tracker for the Mac (DIY Version)

As a Mac user, how do you keep track of the tasks you need to complete? I find myself swamped in things that need doing and every day more things get added to my list. The problem is, in the past I’ve relied too much on my memory to keep track of what I need to do, and I’m sadly aware that there are more things on my task list than I can keep track of, and all too frequently I get into work and think “What was I going to do this morning? I’m sure there was something high priority, but…”

It should be easy, you’d think, to maintain a list of tasks, assign some kind of priority, and have that list readily accessible while using my computer. I suspect there’s an app (indeed, that there are many apps) for that, but while I have tried a few, somehow I’ve not managed to integrate them into my daily workflow. I spoke to a colleague about this, and he said that he keeps a text file on his Desktop listing all his open tasks, and he updates it as needed. If it works for him, maybe it would work for Continue reading

Traceroute Lies! A Typical Misinterpretation Of Output

Sometimes a user with performance issues will proudly present me with a traceroute and point to a particular hop in the network and accuse it of being the problem because of high latency on the link. About 1 time in 1000 they are correct and the link is totally saturated. The other 999 times, well, let me explain.

Traceroute Output

Here’s a typical traceroute I might be sent by a user (IPs and hostnames are altered to protect the innocent):

$ traceroute www-europe
traceroute to www-europe (18.9.4.17), 64 hops max, 52 byte packets
 1  gateway (57.239.196.133)          11.447 ms   18.371ms    25.057 ms
 2  us-atl-edge (137.16.151.202)      13.338 ms   20.070 ms   19.119 ms
 3  us-ga-core (57.239.129.37)       103.789 ms  105.998 ms  103.696 ms
 4  us-nyc-core (57.239.128.189)     107.601 ms  103.116 ms  103.934 ms
 5  us-east-core (57.239.13.42)     103.099 ms  104.215 ms  109.042 ms
 6  us-east-bb1 (57.239.111.58)      107.824 ms  104.463 ms  103.482 ms
 7  uk-south-bb1 (57.240.117.81)     106.439 ms  111.156 ms  104.761 ms
  Continue reading

Microburst: A New Post Type on MovingPackets.Net

A problem I frequently face is that I want to share thoughts and comments on something, but I don’t have the time free to write up a full post. The solution, I hope, is a new post type which I’m calling a Microburst.

A Microburst could be anything from one line to a few paragraphs; basically enough for me to convey a thought without having to go into as much depth as I would usually like to do. For that reason in particular, I think it’s important that I can distinguish my regular, shallow posts from these special, short, shallow posts. Handy, right?

The first Microburst appeared a few days ago, and more will be coming soon. Gird your loins, etc.

Not Your Mama’s Security Architecture (Thwack)

It puts a firewall at the edge of the network or it gets the hose again. Think that’s still how security works? I don’t think so, my friend.

On the Solarwinds Thwack Geek Speak blog I look at how security architectures have changed from when our Mama used to create them, and I even take a moment to mention Greg Ferro (because, well, why not). Please do take a trip to Thwack and check out my post, “Not Your Mama’s Security Architecture“.

Please see my Disclosures page for more information about my role as a Solarwinds Ambassador.

Making a Clickable HTML Network Diagram using OmniGraffle

As a Mac user, I have to give my diagramming love to OmniGraffle and I try not to envy the Visio users too much. I maintain that Graffle diagrams subjectively look nicer than Visio, but in terms of features, Visio wins the day. Despite that, sometimes poor old Graffle does something helpful, and in this case it’s being able to export a diagram as an image with an HTML image map.

The Plan For A Web-Based Network Diagram

My plan was to create a web-based network diagram for my home network where I could click on any device on the diagram and be connected to it using the appropriate protocol handler (e.g. SSH or HTTPS). This hypothetical page would not only serve as a diagram of the network, but might also provide useful information for my long-suffering, geek wife, who tells me with despair in her eyes that she has no idea what the network looks like any more after I’ve messed around with it so much. She has a point. After considering making something in HTML, I realized that OmniGraffle would do the hard work for me, and it would be much easier to update later, too.

For Continue reading

CYA! Cover Your Assets (By Securing Them) (Thwack)

Still using local accounts for device access? Don’t know what a Term Process is? You need to CYA!

On the Solarwinds Thwack Geek Speak blog I looked at a variety of security (and related) features which should be configured on all devices. Please do take a trip to Thwack and check out my post, “CYA! Cover Your Assets (By Securing Them)“.

Please see my Disclosures page for more information about my role as a Solarwinds Ambassador.

Your Network: The Glue Holding the Business Together (Thwack)

TCP congestion control, buffer bloat and micro bursting are just a few of the things that can ruin your network and, as a consequence, your business.

On the Solarwinds Thwack Geek Speak blog I looked at these issues and more, examining the elements that make up network performance. Please do take a trip to Thwack and check out my post, “Your Network: The Glue Holding the Business Together“.

Please see my Disclosures page for more information about my role as a Solarwinds Ambassador.

Microburst: Intent-Washing (See Apstra Fight Back!)

Apstra – the intent-based networking company – was thrilled, perhaps in a somewhat ironic sense, when Cisco announced just before Cisco Live 2017 US that the future was intent-based networking. I hear informally that their appointment book for meetings at Cisco Live was positively spilling over within just a couple of days. Intent-based networking had just been validated by the big guy in the room!

A few months later, the evidence of intent-washing is all too clear, as some other vendors have begun labeling their SDN products intent-based so they can claim table stakes in the next big thing. In fact, I’m sure that from Apstra’s perspective Cisco was, and is, stepping on their toes too, and doing its own intent-washing to stay on message. If I were Apstra, I’d be none too pleased to see my message devalued like this, but what can a company in this position do?

Apstra can fight back with a video featuring the bearded legend himself, Derick Winkworth (@cloudtoad), that’s what they can do. This is not to be missed:

This is pure gold. We shall never forget.

If you liked this post, please do click through to the source at Microburst: Intent-Washing Continue reading

Ok, I’m Giving Ubiquiti Networks Another Chance

After quite a few discussions resulting from my Epic Evaluation: Ubiquiti ERPro-8 vs Play-Doh where (spoiler alert!) the Play-Doh™ won hands down after an exhaustive six-month test, I’ve been persuaded to give Ubiquiti Networks (aka UBNT) another chance. Another two chances, in fact.

As I said in the evaluation post, I was hesitant about recommending against UBNT products not least because I owned four other UBNT devices (three wireless access points and a 48-port switch). Despite being persuaded to try UBNT again, I strongly maintain my previous recommendation to avoid the ERPro-8 like a wedding invitation from Walder Frey. For the rest of the product range I’ve decided to suspend my previous “NO BUY” verdict and reserve my final judgement while I try out some new additions to my home network and see if they can restore balance to the nerd universe.

I would also like to add that while Ubiquiti’s official Support and RMA channels were no help to me whatsoever when my ERPro-8 was behaving badly, I did appreciate one employee reaching out privately and trying to help. The conclusion for now is that the flash itself has indeed become irrecoverably corrupted and the device Continue reading

You Need Configuration Management. Really. (Thwack)

Oops, lost a network device. I sure hope we have a configuration backup…

On the Solarwinds Thwack Geek Speak blog I looked at how configuration management can help not just with total loss scenarios, but also with audit and compliance issues. Please do take a trip to Thwack and check out my post, “You Need Configuration Management. Really“.

Please see my Disclosures page for more information about my role as a Solarwinds Ambassador.

Handling A10 PCAP Files Using Automator in MacOS

I’m not a big user of Apple’s Automator tool, but sometimes it’s very useful. For example, A10 Networks load balancers make it pretty easy for administrators to capture packets without having to remember the syntax and appropriate command flags for a tcpdump command in the shell. Downloading the .pcap file is pretty easy too (especially using the web interface), but what gets downloaded is not just a single file; instead, it’s a gzip file containing a tar file which in turn contains (for the hardware I use) seventeen packet capture files. In this post I’ll explain what these files are, why it’s annoying, and how I work around this in MacOS.

Sixteen Candles

If you’re wondering how one packet capture turned into sixteen PCAP files, that’s perfectly reasonable and the answer is simple in its own way. The hardware I use has sixteen CPU cores, fifteen of which are used by default to process traffic, and inbound flows are spread across those cores. Thus when taking a packet capture, the system actually requests each core to dump the flows matching the filter specification. Each core effectively has awareness of both the client and server sides of any connection, so both Continue reading

The Value of Configuration Consistency (Thwack)

It’s one thing to have a stable network, but it’s another to have consistency in device configurations across the network. Does that even matter?

On the Solarwinds Thwack Geek Speak blog I looked at some reasons why it might be important to maintain certain configuration standards across all devices. Please do take a trip to Thwack and check out my post, “The Value of Configuration Consistency“.

Please see my Disclosures page for more information about my role as a Solarwinds Ambassador.

New Coder: Stop What You’re Doing!

Let’s get coding! We’ve selected a language, we’ve done some online training, and we’re ready to get coding and automate the first thing we stumble across. How exciting! Aaaaannnnnd STOP.

On the Solarwinds Thwack Geek Speak blog I looked at the “80:20” rule and how to use it to guide where to get the biggest return on investment when spending time coding, then I gave some advice on how to select a task to automate. Please do take a trip to Thwack and check out my post, “New Coder: Stop What You’re Doing!“.

Please see my Disclosures page for more information about my role as a Solarwinds Ambassador.
