As networks begin leveraging intelligent DNS products, there is often a need to do some magic at the Internet edge to redirect to the target provider. Some products actually have this capability embedded. Even though the ASA doesn’t specifically have a defined configuration to do this, we can achieve the same outcome with a few simple NAT rules.
An initial thought would be to build a NAT policy as follows
//define the objects object network obj_any subnet 0.0.0.0 0.0.0.0 object network Umbrella1 host 208.67.220.220 object network Umbrella2 host 208.67.222.222 object service UDP-53 service udp destination eq domain //define the nat rules nat (any,outside) source dynamic any interface destination static obj_any Umbrella1 service UDP-53 UDP-53 nat (any,outside) source dynamic any interface destination static obj_any Umbrella2 service UDP-53 UDP-53
This will sort of work. However, there are two words of caution I would share with this approach. First, DNS sometimes leverages TCP. Second, the last NAT rule will never be used. In this case, even requests to 208.67.222.222 would match the first rule and be re-written to the destination 208.67.220.220.
My recommendation would be Continue reading
As networks begin leveraging intelligent DNS products, there is often a need to do some magic at the Internet edge to redirect to the target provider. Some products actually have this capability embedded. Even though the ASA doesn’t specifically have a defined configuration to do this, we can achieve the same outcome with a few simple NAT rules.
An initial thought would be to build a NAT policy as follows
//define the objects object network obj_any subnet 0.0.0.0 0.0.0.0 object network Umbrella1 host 208.67.220.220 object network Umbrella2 host 208.67.222.222 object service UDP-53 service udp destination eq domain //define the nat rules nat (any,outside) source dynamic any interface destination static obj_any Umbrella1 service UDP-53 UDP-53 nat (any,outside) source dynamic any interface destination static obj_any Umbrella2 service UDP-53 UDP-53
This will sort of work. However, there are two words of caution I would share with this approach. First, DNS sometimes leverages TCP. Second, the last NAT rule will never be used. In this case, even requests to 208.67.222.222 would match the first rule and be re-written to the destination 208.67.220.220.
My recommendation would be Continue reading
I recently listened to Packet Pushers show 395 recently. It is a great discussion on optical networking. One thing I wanted to make everyone aware of was a series of comments on the varying quality of optics and some justification around the premium prices often found on vendor branded optics. While the entire episode is worth a listen, the discussion around vendor optics begins at about 35:20 into the recording.
I work for a vendor and it is doubtful that people would view my opinion as unbiased. I encourage everyone to take a listen below and form their own opinions.
If you are a tech guy or girl, the Packet Pushers Podcast is a perfect addition to the podcatcher.
.
Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may does not reflect the position of past, present or future employers.
I recently listened to Packet Pushers show 395 recently. It is a great discussion on optical networking. One thing I wanted to make everyone aware of was a series of comments on the varying quality of optics and some justification around the premium prices often found on vendor branded optics. While the entire episode is worth a listen, the discussion around vendor optics begins at about 35:20 into the recording.
I work for a vendor and it is doubtful that people would view my opinion as unbiased. I encourage everyone to take a listen below and form their own opinions.
If you are a tech guy or girl, the Packet Pushers Podcast is a perfect addition to the podcatcher.
.
Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may does not reflect the position of past, present or future employers.
It’s that time again where once every 4 years people get very hyped over kicking a ball around a grass pitch, however this time my own country is actually doing pretty well! At the time of wr
Updating an enterprise WLAN to meet today's business needs is complicated. Follow these guidelines to make sure your wireless network provides reliable and secure connectivity.
Illumio’s new head of cybersecurity strategy — former Obama administration executive Jonathan Reiber — literally wrote the book on cyberstrategy at the U.S. Department of Defense.Reiber is Illumio’s .
The company also purchased a seven-story building in downtown Milwaukee, Wisconsin, which it is designating as its North American headquarters.
Jabil, one of world’s most technologically advanced manufacturing solutions provider with over 100 sites in 29 countries is embarking on a digital journey to modernize their technology infrastructure so the company is better able to deliver the right solutions at the right time to their global customer base.
As Jabil embarked on their digital journey with a cloud-first approach in mind, they investigated how to best migrate their applications to the cloud. Jabil partnered with Docker and Microsoft to leverage Docker Enterprise Edition with Windows Server 2016 and Microsoft Azure for this initiative through Docker’s Modernize Traditional Application (MTA) Program – starting with a .NET 4.5 monitoring application to containerize.
Since completing the initial POC, Jabil has continued containerizing more applications and has started scaling their Docker Enterprise usage globally. Sujay Pillai, a Senior DevOps Engineer at Jabil, participated at DockerCon SF 2018 in June and shared with the attendees insights on how Jabil is scaling Docker Enterprise Edition.
One growing use case for Jabil is monitoring of the manufacturing floors. Jabil uses lightweight edge devices to run the monitoring Continue reading
Whole Food/Amazon IT infrastructure expert argues that enterprise IT teams should stop buying products from big vendors and build their own solutions using open source technologies.
If you’re into whitebox, disaggregated or commodity networking, come join the StubArea51.net Facebook group!
All network geeks are welcome
|
||||||||
If you’re into whitebox, disaggregated or commodity networking, come join the StubArea51.net Facebook group!
All network geeks are welcome
|
||||||||
In truth, today’s legacy enterprise networks — many now decades overdue for replacement — were built to fight Cold Wars among the vendor powers. Cisco “big iron” battled Wellfleet “big iron” and, later, Juniper “big iron,” and the throughput/density contests are now the stuff of NetOps legend. But these aging networks are completely ill-suited to fight today’s data-oriented guerilla warfare, where hackers, DevOps, IoT, mobile, open source, and cloud services clamor for attention and have NetOps IT people desperately trying to manage an environment that feels more like a third-world airport terminal flooded with people fleeing a coup than a predictable business utility.
To be fair, Cisco was able to successfully weaponize account control far better than Juniper, Extreme, et al, so they ended up “winning” – and keeping — the large enterprise business to the tune of some 80 percent market share. But this business stranglehold can no longer be defended by the moral equivalent of a proprietary Maginot Line. The new name of the networking guerilla warfare game is software. The new “best practice?” — disaggregated Linux-based open white box switching with a full enterprise feature set – one that is future-proofed with Continue reading
In truth, today’s legacy enterprise networks — many now decades overdue for replacement — were built to fight Cold Wars among the vendor powers. Cisco “big iron” battled Wellfleet “big iron” and, later, Juniper “big iron,” and the throughput/density contests are now the stuff of NetOps legend. But these aging networks are completely ill-suited to fight today’s data-oriented guerilla warfare, where hackers, DevOps, IoT, mobile, open source, and cloud services clamor for attention and have NetOps IT people desperately trying to manage an environment that feels more like a third-world airport terminal flooded with people fleeing a coup than a predictable business utility.
To be fair, Cisco was able to successfully weaponize account control far better than Juniper, Extreme, et al, so they ended up “winning” – and keeping — the large enterprise business to the tune of some 80 percent market share. But this business stranglehold can no longer be defended by the moral equivalent of a proprietary Maginot Line. The new name of the networking guerilla warfare game is software. The new “best practice?” — disaggregated Linux-based open white box switching with a full enterprise feature set – one that is future-proofed with Continue reading
BGP is one of the foundational protocols that make the Internet “go;” as such, it is a complex intertwined system of different kinds of functionality bundled into a single set of TLVs, attributes, and other functionality. Because it is so widely used, however, BGP tends to gain new capabilities on a regular basis, making the Interdomain Routing (IDR) working group in the Internet Engineering Task Force (IETF) one of the consistently busiest, and hence one of the hardest to keep up with. In this post, I’m going to spend a little time talking about one area in which a lot of work has been taking place, the building and maintenance of peering relationships between BGP speakers.
The first draft to consider is Mitigating the Negative Impact of Maintenance through BGP Session Culling, which is a draft in an operations working group, rather than the IDR working group, and does not make any changes to the operation of BGP. Rather, this draft considers how BGP sessions should be torn down so traffic is properly drained, and the peering shutdown has the minimal effect possible. The normal way of shutting down a link for maintenance would be to for administrators to shut Continue reading