Book Review: Design For How People Learn
Design For How People Learn, by Julie Dirksen (ISBN 978-0321768438)
I saw the title for this book roll across my Twitter feed — can’t remember from who, sorry — from someone who had a blog and was advocating for other bloggers to check this book out. When I read the abstract for the book, I immediately added it to my reading list.
“Whether it’s giving a presentation, writing documentation, or creating a website or blog, we need and want to share our knowledge with other people. But if you’ve ever fallen asleep over a boring textbook, or fast-forwarded through a tedious e-learning exercise, you know that creating a great learning experience is harder than it seems.”
Book Review: Design For How People Learn
Design For How People Learn, by Julie Dirksen (ISBN 978-0321768438)
I saw the title for this book roll across my Twitter feed — can't remember from who, sorry — from someone who had a blog and was advocating for other bloggers to check this book out. When I read the abstract for the book, I immediately added it to my reading list.
“Whether it's giving a presentation, writing documentation, or creating a website or blog, we need and want to share our knowledge with other people. But if you've ever fallen asleep over a boring textbook, or fast-forwarded through a tedious e-learning exercise, you know that creating a great learning experience is harder than it seems.”
Five Functional Facts about TACACS+ in ISE 2.0
The oft-requested and long awaited arrival of TACACS+ support in Cisco’s Identity Services Engine (ISE) is finally here starting in version 2.0. I’ve been able to play with this feature in the lab and wanted to blog about it so that existing ISE and ACS (Cisco’s Access Control Server, the long-time defacto TACACS+ server) users know what to expect.
Below are five facts about how TACACS+ works in ISE 2.0.
Five Functional Facts about TACACS+ in ISE 2.0
The oft-requested and long awaited arrival of TACACS+ support in Cisco's Identity Services Engine (ISE) is finally here starting in version 2.0. I've been able to play with this feature in the lab and wanted to blog about it so that existing ISE and ACS (Cisco's Access Control Server, the long-time defacto TACACS+ server) users know what to expect.
Below are five facts about how TACACS+ works in ISE 2.0.
Speaking Notes: The Data Center Network Evolution
I will be presenting at the Cisco Connect Canada tour in Edmonton and Calgary on November 3rd and 5th, respectively. My presentation is about that three letter acronym that everyone loves to hate: SDN :-)
I will talk about SDN in general terms and describe what it really means; what we’re really doing in the network when we say that it’s “software defined”. No unicorns or fairy tales here, just engineering.
Next I’ll talk about three areas where Cisco is introducing programmability into its data center solutions:
- Application Centric Infrastructure
- Virtual Topology System
- Open NX-OS
Below are the notes I made for myself while researching these topics and preparing for the presentation. At the bottom of this post is a Q&A section with some frequently asked questions.
Speaking Notes: The Data Center Network Evolution
I will be presenting at the Cisco Connect Canada tour in Edmonton and Calgary on November 3rd and 5th, respectively. My presentation is about that three letter acronym that everyone loves to hate: SDN :-)
I will talk about SDN in general terms and describe what it really means; what we're really doing in the network when we say that it's “software defined”. No unicorns or fairy tales here, just engineering.
Next I'll talk about three areas where Cisco is introducing programmability into its data center solutions:
- Application Centric Infrastructure
- Virtual Topology System
- Open NX-OS
Below are the notes I made for myself while researching these topics and preparing for the presentation. At the bottom of this post is a Q&A section with some frequently asked questions.
How a Cisco SE Navigates Cisco.com
At the time that I’m writing this I’ve been working at Cisco for just over 3 years as a Systems Engineer. Prior to that I worked for multiple Cisco customers and was heavily involved in Cisco technologies. I know what a monster cisco.com is and how hard it can be to find what you’re looking for.
Since starting at Cisco, the amount of time I’ve spent on cisco.com has shot up dramatically. Add to that studying for my CCIE and it goes up even more. In fact, cisco.com is probably the number 1 or 2 site I visit on a daily basis (in close competition with Google/searching).
After spending all this time on the site and given how vast the site is and how hard it can be to find that specific piece of information you’re looking for, I’m writing this post as an aid to help other techies, like myself, use the site more effectively.
Layout of this Post
This post is structured to follow (part of) Cisco’s network design lifecycle as a way to help you parse this post later on when you need a quick reference. The sections are:
- Design Phase
- Implement Phase
- Operate Continue reading
How a Cisco SE Navigates Cisco.com
At the time that I'm writing this I've been working at Cisco for just over 3 years as a Systems Engineer. Prior to that I worked for multiple Cisco customers and was heavily involved in Cisco technologies. I know what a monster cisco.com is and how hard it can be to find what you're looking for.
Since starting at Cisco, the amount of time I've spent on cisco.com has shot up dramatically. Add to that studying for my CCIE and it goes up even more. In fact, cisco.com is probably the number 1 or 2 site I visit on a daily basis (in close competition with Google/searching).
After spending all this time on the site and given how vast the site is and how hard it can be to find that specific piece of information you're looking for, I'm writing this post as an aid to help other techies, like myself, use the site more effectively.
When a Port Channel Member Link Goes Down
Mohamed Anwar asked the following question on my post “4 Types of Port Channels and When They’re Used“.
“I need a clarification, where if a member link fails, what will happen to the traffic already sent over that link ? Is there any mechanism to notify the upper layer about the loss and ask it to resend ? How this link failure will be handled for data traffic and control traffic ?”
–Mohamed Anwar
I think his questions are really important because he hits on two really key aspects of a failure event: what happens in the data plane and what happens in the control plane.
A network designer needs to bear both of these aspects in mind as part of their design. Overlooking either aspect will almost always open the network up to additional risk.
I think it’s well understood that port channels add resiliency in the data plane (I cover some of that in the previous article). What may not be well understood is that port channels also contribute to a stable control plane! I’ll talk about that below. I’ll also address Mohamed’s question about what happens to traffic on the failed link.
Control Plane
The control Continue reading
When a Port Channel Member Link Goes Down
Mohamed Anwar asked the following question on my post “4 Types of Port Channels and When They're Used".
“I need a clarification, where if a member link fails, what will happen to the traffic already sent over that link ? Is there any mechanism to notify the upper layer about the loss and ask it to resend ? How this link failure will be handled for data traffic and control traffic ?”
— Mohamed Anwar
I think his questions are really important because he hits on two really key aspects of a failure event: what happens in the data plane and what happens in the control plane.
A network designer needs to bear both of these aspects in mind as part of their design. Overlooking either aspect will almost always open the network up to additional risk.
I think it's well understood that port channels add resiliency in the data plane (I cover some of that in the previous article). What may not be well understood is that port channels also contribute to a stable control plane! I'll talk about that below. I'll also address Mohamed's question about what happens to traffic on the failed link.
About
About the Site Hi! I'm Joel Knight and this is my personal home on the web. I use this site as a platform for expressing my ideas, knowledge, and tools related to Information Technology. The opinions and information expressed on this site — aside from the comments posted by others — are mine and not necessarily those of my employers, past or present. My current employer is Amazon Web Services, Canada.Privacy Policy
This site is privately owned and operated and has no corporate or commercial interests. If you choose to post a comment on this site, any information you provide — most importantly your email address — remains private and is not shared with any third-party. All information you provide when posting a comment is used only for facilitating your interaction with the site or for displaying as part of your public comment on the site.Disclaimer
No Warranties This website is provided “as is” without any representations or warranties, express or implied. The Owner makes no representations or warranties in relation to this website or the information and materials provided on this website. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this website's information is solely at reader's own risk. Limitations of Liability The Owner will not be liable to you (whether under the law of contact, the law of torts or otherwise) in relation to the contents of, or use of, or otherwise in connection with, this website:The Correct Mask for a PE’s Loopback0
As I’ve written about previously (The Importance of BGP NEXT_HOP in L3VPNs), the BGP NEXT_HOP attribute is key to ensuring end to end connectivity in an MPLS L3VPN. In the other article, I examine the different forwarding behavior of the network based on which of the egress PE’s IP addresses is used as the NEXT_HOP. In this article I’ll look at the subnet mask that’s associated with the NEXT_HOP and the differences in forwarding behavior when the mask is configured to different values.
There is a lot of (mis-)information on the web stating that the PE’s loopback address — which, as I explain in the previous article, should always be used as the NEXT_HOP — must have a /32 mask. This is not exactly true. I think this is an example of some information that has been passed around incorrectly, and without proper context, and is now taken as a rule. I’ll explain more about this further on in the article.
Example Network
Here’s the example network:
Note that R2 and R7 are the PEs and they each have a /24 mask on their loopback0 interfaces. The PEs are peering via their loopbacks. OSPF is running between R2, Continue reading
The Correct Mask for a PE’s Loopback0
As I've written about previously (The Importance of BGP NEXT_HOP in L3VPNs), the BGP NEXT_HOP attribute is key to ensuring end to end connectivity in an MPLS L3VPN. In the other article, I examine the different forwarding behavior of the network based on which of the egress PE's IP addresses is used as the NEXT_HOP. In this article I'll look at the subnet mask that's associated with the NEXT_HOP and the differences in forwarding behavior when the mask is configured to different values.
There is a lot of (mis-)information on the web stating that the PE's loopback address — which, as I explain in the previous article, should always be used as the NEXT_HOP — must have a /32 mask. This is not exactly true. I think this is an example of some information that has been passed around incorrectly, and without proper context, and is now taken as a rule. I'll explain more about this further on in the article.
Packets of Interest (2015-07-24)
I’ve been doing a lot of reading and video watching on securing industrial control and automation systems (ICAS) (sometimes referred to as SCADA systems) so this POI has a few links related to that and ends with a link to an editorial piece about privacy and why privacy matters to us all.
SCADA and ICS for Security Experts: How to avoid Cyberdouchery (Blackhat 2010)
This is a funny but also educational and truthful presentation by James Arlen that every IT person needs to watch if they intent to work with and gain any credibility with their counterparts in Operations Technology (OT).
Digital Bond Quickdraw SCADA IDS Signatures
https://www.digitalbond.com/tools/quickdraw/
https://github.com/digitalbond/quickdraw
Quickdraw is a set of IDS/IPS signatures for Snort (and other IDS/IPS software that understands the Snort rule language) that deals specifically with ICAS protocols such as DNP3, Modbus/TCP, and EtherNet/IP. The rules appear to be generic in nature and not focused on any particular ICAS vendor equipment.
Digital Bond also wrote Snort preprocessors for DNP3, EtherNet/IP, and Modbus/TCP which some of the rules depend on. I tried browsing through Digital Bond’s diffs to Snort 2.8.5.3 but they are very hard to read because the Continue reading
Packets of Interest (2015-07-24)
I've been doing a lot of reading and video watching on securing industrial control and automation systems (ICAS) (sometimes referred to as SCADA systems) so this POI has a few links related to that and ends with a link to an editorial piece about privacy and why privacy matters to us all.
The Importance of BGP NEXT_HOP in L3VPNs
In an MPLS network with L3VPNs, it’s very easy for the NEXT_HOP attribute of a VPN route to look absolutely correct but be very wrong at the same time. In a vanilla IP network, the NEXT_HOP can point to any IP address that gets the packets moving in the right direction towards the ultimate destination. In an MPLS network, the NEXT_HOP must get the packets moving in the right direction but it must also point to the exact right address in order for traffic to successfully reach the destination.
The reason it has to be exact is because IOS only assigns MPLS labels to the next hop address and not to each individual VPN route. So when an ingress PE needs to forward a packet from a CE across the MPLS network, the PE finds the label associated with the NEXT_HOP address and uses that as the outer label to get the packet to the egress PE.
Since each NEXT_HOP has a different label, that means each NEXT_HOP is reachable through a different Label Switched Path (LSP). Different LSPs can, and likely will, forward traffic differently through the network.
An MPLS label identifies a Forwarding Equivalence Class (FEC). A FEC is Continue reading
The Importance of BGP NEXT_HOP in L3VPNs
In an MPLS network with L3VPNs, it's very easy for the NEXT_HOP attribute of a VPN route to look absolutely correct but be very wrong at the same time. In a vanilla IP network, the NEXT_HOP can point to any IP address that gets the packets moving in the right direction towards the ultimate destination. In an MPLS network, the NEXT_HOP must get the packets moving in the right direction but it must also point to the exact right address in order for traffic to successfully reach the destination.
Packets of Interest (2015-06-19)
It’s been a while since I’ve done a POI so here we go.
The Mystery of Duqu 2.0: a sophisticated cyberespionage actor returns
Kaspersky Lab found this new variant of the Duqu malware in their own network. They wrote a paper based on their analysis of this new malware. It fascinates me how sophisticated these software packages are and how much effort the threat actors put into them.
Diffie-Hellman Key Exchange
Diffie-Hellman (DH) is the world’s first public key crypto system. It’s used in everything from secure browsing, to secure shell. This video visually demonstrates how the Diffie-Hellman key exchange works. The best part is that you don’t need to know anything about crypto to follow along.
Passphrases That You Can Memorize – But That Even the NSA Can’t Guess
https://firstlook.org/theintercept/2015/03/26/passphrases-can-memorize-attackers-cant-guess/
Use this informative guide to generate secure, human-memorizable passphrases that are suitable for protecting your private PGP key, your private SSH key, and your master key for your password safe.
Encrypting Your Laptop Like You Mean It
https://firstlook.org/theintercept/2015/04/27/encrypting-laptop-like-mean/
A well written article about encrypting one’s laptop. Covers topics such as what disk encryption does and does not protect against, attacks against disk encryption, and Continue reading