Validating SGT Inline with Netflow and Embedded Packet Capture
In the last article, Learning TrustSec, An Introduction to Inline Tagging, we took a quick look at manual configuration of SGT Inline Tagging in a manual configuration. We also performed some validation with show commands and proved the operation by enabling enforcement.
In today’s article, we will perform slightly deeper validation of the inline imposition itself. For this process, we will use Netflow and Embedded Packet Capture. I happen to know that there is already EIGRP traversing the link that will help produce some output. Let’s just jump right in with a very basic Netflow configuration.
Netflow Configuration
//you could additionally configure and exporter //if there is a proper netflow collector flow record my_record_output match flow cts source group-tag match flow cts destination group-tag match ipv4 source address match ipv4 destination address match ipv4 protocol match transport source-port match transport destination-port flow monitor my_monitor_output record my_record_output ! interface GigabitEthernet1/0/1 description trunk to c9kSW2 switchport mode trunk ip flow monitor my_monitor_output output cts manual policy static sgt 100 trusted
Verification Using Netflow
c9kSW1#show flow monitor my_monitor_output cache
Cache type: Normal (Platform cache)
Cache size: 10000
Current entries: 1
Flows added: 9
Flows aged: 8
- Active timeout ( 1800 secs) 2
- Continue reading
Validating SGT Inline with Netflow and Embedded Packet Capture
In the last article, Learning TrustSec, An Introduction to Inline Tagging, we took a quick look at manual configuration of SGT Inline Tagging in a manual configuration. We also performed some validation with show commands and proved the operation by enabling enforcement.
In today’s article, we will perform slightly deeper validation of the inline imposition itself. For this process, we will use Netflow and Embedded Packet Capture. I happen to know that there is already EIGRP traversing the link that will help produce some output. Let’s just jump right in with a very basic Netflow configuration.
Netflow Configuration
//you could additionally configure and exporter //if there is a proper netflow collector flow record my_record_output match flow cts source group-tag match flow cts destination group-tag match ipv4 source address match ipv4 destination address match ipv4 protocol match transport source-port match transport destination-port flow monitor my_monitor_output record my_record_output ! interface GigabitEthernet1/0/1 description trunk to c9kSW2 switchport mode trunk ip flow monitor my_monitor_output output cts manual policy static sgt 100 trusted
Verification Using Netflow
c9kSW1#show flow monitor my_monitor_output cache
Cache type: Normal (Platform cache)
Cache size: 10000
Current entries: 1
Flows added: 9
Flows aged: 8
- Active timeout ( 1800 secs) 2
- Continue reading
Validating SGT Inline with Netflow and Embedded Packet Capture
In the last article, Learning TrustSec, An Introduction to Inline Tagging, we took a quick look at manual configuration of SGT Inline Tagging in a manual configuration. We also performed some validation with show commands and proved the operation by enabling enforcement.
In today’s article, we will perform slightly deeper validation of the inline imposition itself. For this process, we will use Netflow and Embedded Packet Capture. I happen to know that there is already EIGRP traversing the link that will help produce some output. Let’s just jump right in with a very basic Netflow configuration.
Netflow Configuration
//you could additionally configure and exporter //if there is a proper netflow collector flow record my_record_output match flow cts source group-tag match flow cts destination group-tag match ipv4 source address match ipv4 destination address match ipv4 protocol match transport source-port match transport destination-port flow monitor my_monitor_output record my_record_output ! interface GigabitEthernet1/0/1 description trunk to c9kSW2 switchport mode trunk ip flow monitor my_monitor_output output cts manual policy static sgt 100 trusted
Verification Using Netflow
c9kSW1#show flow monitor my_monitor_output cache
Cache type: Normal (Platform cache)
Cache size: 10000
Current entries: 1
Flows added: 9
Flows aged: 8
- Active timeout ( 1800 secs) 2
- Continue reading
Masergy Picks Bitglass Cloud Security Tech for Managed CASB Service
The managed security service provider tested Netskope’s and McAfee Skyhigh’s technology before choosing Bitglass.
Up and Running with Kubernetes and Tungsten Fabric
I have a predominantly technical background. You can show me all the slide decks you want but until I can get my hands on it, it’s not real to me. This has greatly influenced what I’m focusing on now that I’m doing more than just technical work - how to reduce the barrier to entry for people to become acquainted with a project or product.
As a result, I’ve been getting more involved with Tungsten Fabric (formerly OpenContrail). Tungsten is an open source Software-Defined Networking platform, and is a healthy candidate for building some tutorials. In addition, I’m new to the project in general - so, even if only for my own benefit, a blog post summarizing a quick and hopefully easy way to get up and running with it seems quite appropos.
Introduction to the Lab Environment
We’re going to spin up a 3-node cluster in AWS EC2 running Kubernetes, and using Tungsten Fabric for the networking. Why AWS instead of something like Vagrant? Simply put, a lot of advanced networking software require a lot of system resources - more than most laptops are able to provide. In this case, a total of four virtual machines (three-node cluster plus Continue reading
Up and Running with Kubernetes and Tungsten Fabric
I have a predominantly technical background. You can show me all the slide decks you want but until I can get my hands on it, it’s not real to me. This has greatly influenced what I’m focusing on now that I’m doing more than just technical work - how to reduce the barrier to entry for people to become acquainted with a project or product. As a result, I’ve been getting more involved with Tungsten Fabric (formerly OpenContrail).Up and Running with Kubernetes and Tungsten Fabric
I have a predominantly technical background. You can show me all the slide decks you want but until I can get my hands on it, it’s not real to me. This has greatly influenced what I’m focusing on now that I’m doing more than just technical work - how to reduce the barrier to entry for people to become acquainted with a project or product. As a result, I’ve been getting more involved with Tungsten Fabric (formerly OpenContrail).Unveiling Cognitive Campus Networking
At Arista Networks, the status quo inspires us to innovate and continue our mission to reinvent the network – from cloud to client. Today, we’re continuing that journey – into the campus network. Let’s face it; the legacy three-tier architecture of access-aggregation-core is wasteful and oversubscribed – creating a perfect storm for market transitions and Arista innovation.
Unveiling Cognitive Campus Networking
At Arista Networks, the status quo inspires us to innovate and continue our mission to reinvent the network – from cloud to client. Today, we’re continuing that journey – into the campus network. Let’s face it; the legacy three-tier architecture of access-aggregation-core is wasteful and oversubscribed – creating a perfect storm for market transitions and Arista innovation.
CloudVision: A Cognitive Management Plane
The last 40 years have seen tremendous growth and progress in the data networking industry. Ethernet, IP, MPLS, GRE, IPsec, MACsec, and VXLAN enable operators to build secure, multiservice, high-performance data planes that interoperate across multiple vendors, multiple operators, and multiple administrative domains. Likewise, BGP, OSPF, IS-IS, LDP, RSVP, BFD, LACP, L3VPN, VPLS, and EVPN enable operators to build scalable multi-vendor control planes that federate across organizational boundaries, supporting mission-critical networks with global reach.
CloudVision: A Cognitive Management Plane
The last 40 years have seen tremendous growth and progress in the data networking industry. Ethernet, IP, MPLS, GRE, IPsec, MACsec, and VXLAN enable operators to build secure, multiservice, high-performance data planes that interoperate across multiple vendors, multiple operators, and multiple administrative domains. Likewise, BGP, OSPF, IS-IS, LDP, RSVP, BFD, LACP, L3VPN, VPLS, and EVPN enable operators to build scalable multi-vendor control planes that federate across organizational boundaries, supporting mission-critical networks with global reach.
Aqua Security Sprinkles Support Over CRI-O Kubernetes Runtime Platform
CRI-O was launched as a lighter alternative to using Docker as the runtime for Kubernetes.
HPE Says Software Is Nimble Storage’s ‘Secret Sauce’
Nimble platforms now support Storage Class Memory (SCM) and NVMe for super-fast, low-latency flash storage.
Why is the Feasibility Condition Less Than?
A reader recently emailed me with this question: Why isn’t the condition for a Feasible Successor set to less than (<), rather than less than of equal (<=), in EIGRP? It certainly seems, as noted in the email, that this rules out a lot of possible possible loop free alternate paths. The network below will be used to illustrate.
First, assume all links are cost of 1 except D->C, which is cost of 2. Here D will choose B as the Successor, and the FC will be set to 2. The RD of C will be 1, so C will be an FS. Now consider two failures. The first failure is D->B. D will immediately reroute to the FS, which is C, without changing the FC. This works, because C’s cost to 100::/64 via D is 4, much higher than it’s cost to 100::64 along C->A. Now consider what happens if A->100::/64 fails. If the timing of the query “works right,” C and B will be notified first, then finally D. Even if D is somehow notified before C, and D switches to C as its FS, the traffic is dropped, rather than looped—so all is happy.
Now change the situation a little. Assume the A->C link is cost Continue reading
Nokia Snaps Up IoT Energy Startup SpaceTime
SpaceTime’s CEO Rob Schilling, a former general manager at SAP, will join Nokia’s IoT unit.
Tune in to Our Q&A tomorrow!
Don’t miss our CCNA/CCNP Kickoff with Keith Bogart Tomorrow!
Join Keith May 8th at 10 am PST/ 1 pm EST for his CCNA/CCNP Kickoff.
This is a FREE live session that is open to everyone. In this open forum, you’ll have the opportunity to ask Keith all of your questions regarding the CCNA or CCNP Routing & Switching exam and related technologies.
Get all of your questions answered by an experienced industry expert! Just click here.