Archive

Category Archives for "Networking"

Real-time traffic visualization using Netflix Vizceral

The open source sflow-rt/vizceral project demonstrates how real-time sFlow network telemetry can be presented using Netflix Vizceral. The central dot represents the Internet (all non-local addresses). The surrounding dots represents addresses grouped into sites, data centers, buildings etc. The animated particle flows represent packet flows with colors indicating packet type: TCP/UDP shown in blue, ICMP shown in yellow, and all other traffic in red.
Click on a node to zoom in to show packets flowing up and down the protocol stack. Press the ESC key to unzoom.

The simplest way to run the software is to use the pre-built Docker image:
docker run -p 6343:6343/udp -p 8008:8008 sflow/vizceral
The Docker image also contains demo data based on Netflix's public cloud infrastructure:
docker run -e "RTPROP=-Dviz.demo=yes" -p 8008:8008 sflow/vizceral
In this case, the detailed view shows messages flowing between microservices running in the Amazon public cloud. Similar visibility could be obtained by deploying Host sFlow agents with associated modules for web and application servers and modifying sflow/vizceral to present the application transaction flows. In private data centers, sFlow support in load balancers  (F5, A10) provides visibility into interactions between application tiers. See Microservices for more information on Continue reading

Delivering Dot

Since March 30, 2017, Cloudflare has been providing DNS Anycast service as additional F-Root instances under contract with ISC (the F-Root operator).

F-Root is a single IPv4 address plus a single IPv6 address which both ISC and Cloudflare announce to the global Internet as a shared Anycast. This document reviews how F-Root has performed since that date in March 2017.

The DNS root servers are an important utility provided to all clients on the Internet for free - all F root instances including those hosted on the Cloudflare network are a free service provided by both ISC and Cloudflare for public benefit. Because every online request begins with a DNS lookup, and every DNS lookup requires the retrieval of information stored on the DNS root servers, the DNS root servers plays an invaluable role to the functioning of the internet.

At Cloudflare, we were excited to work with ISC to bring greater security, speed and new software diversity to the root server system. First, the root servers, because of their crucial role, are often the subject of large scale volumetric DDoS attacks, which Cloudflare specializes in mitigating (Cloudflare is currently mitigating two concurrently ongoing DDoS attacks as we write this). Continue reading

Cisco Firepower 2140 BOQ with licensing models

As per my previous article on the new Next Generation Firewall Cisco Firepower 2100, Today I am going to talk about the hardware and the actual BOQ required for the features mentioned in the header.

I got so many requests from the people to provide the BOQ for the Cisco Firepower 2140 with AVC+IPS Licensing model. In this article I will come up with all the licensing model of Cisco Firepower 2100 Next generation firewall.

If you missed my earlier article on Cisco Firepower 2100 series Next Generation Firewalls, below is the link for your reference.

Cisco Firepower 2100 Next Generation Firewalls Introduction

So lets discuss about the BOQ for all the 3 licensing model in Cisco Firepower 2100 Series Next Generation Firewalls. Before i come with the BOQ, one thing i want to tell you that with the NGFW image of the Cisco Firepower 2100 Series AVC is inbuilt feature. AVC stands for Application visibility and you can have all the management on the Firesight management console which can be either on VM or by using the dedicated appliances.

We have three licensing model and they are :

  • L-FPR2140T-T= This License stands for the NGIPS feature in Cisco Firepower Continue reading

Network automation best practices for DevOps

Optimizing a network for maximum efficiency almost always requires some level of automation. From provisioning resources to configuring processes and applications, network automation can improve upon the consistency of network operations while also reducing the resources needed to maintain the network. That being said, network automation can be exceedingly complex as well. Following network automation best practices is necessary to ensure that automation doesn’t interfere with or compromise the network.

Create a centralized hub for automated services

As networks grow, it can be tempting to add new services and tools one by one. Unfortunately, piecemeal additions can quickly become haphazard and difficult to maintain. Automated services should always be controlled through a single API or centralized hub, to improve upon reporting, maintenance, consistency and optimization.

Network automation suites have been developed to be robust enough that they can use the same code base for computing, networking, and storage, thereby significantly simplifying network optimization and other related processes. Ansible is one example of a network automation tool that can help you embrace DevOps as a network automation best practices, though there are many others. IT departments will find the process of automation easier to manage and maintain when filtered through a Continue reading

Hurricane Irma

Yesterday, we described how Hurricane Irma impacted several Caribbean islands, with the damage including a significant disruption to Internet access.

Source: accuweather.com

As Irma is now forecast to hit southern Florida as category 5 this weekend with gusty winds reaching up to 155mph, it is also expected that Internet infrastructure in the region will suffer.

At the time of writing, we haven’t noticed any decrease in traffic in the region of Miami despite calls to evacuate.

Resilient Data Centers

Contrary to popular belief, Internet wasn't built for the purpose of resisting a nuclear attack. That doesn't mean that datacenters aren't built to resist catastrophic events.

The Miami datacenter housing servers for Cloudflare and other Internet operators is classified as Tier IV. What does this tiering mean? As defined by the ANSI (American National Standards Institute), a Tier IV datacenter is the stringent classification in term of redundancy of the critical components of a datacenter: power and cooling. It guarantees 99.995% uptime per year, that is only 26 minutes of unavailability. Tier IV datacenters provide this level of uptime by being connected to separate power grids, allowing their customers to connect their devices to both of these grids. They Continue reading

Cisco Next Generation Firewalls : Cisco Firepower 2100 Series

Today I am going to talk about the Cisco Next Generation Firewalls named as Cisco Firepowers. Firepower is gaining the market with the best features of NGFW. Cisco uses both images of ASA and NGFW with various features.

In this article I am specifically talking about the Cisco Firepower 2100 Series. You can have two different models with the various licensing models in Cisco 2100 series firewall. One model is Cisco Firepower with ASA image where you can have the same capabilities of ASA CLI model and the other Cisco model is Cisco Firepower with NGFW image. 

Let's talk about NGFW image, Cisco Firepower 2100 with NGFW image ( Next Generation Firewall) having Application visibility inbuilt and have three other licensing which will provide you the features of NGIPS ( Cisco Next-Generation Intrusion Prevention System) , AMP ( Advance Malware Protection) , Content filtering ( URL filtering ). 

Fig 1.1- Cisco Firepower 2100 Series

Now If you are going to have the customer who wants the next generation firewalls, ofcourse Cisco Firepower with NGFW image is there to support you. Let me talk about the general features of Cisco Firepower 2100 Series Next Generation firewall with the Continue reading

[minipost] Protecting SSH on Mikrotik with 3-strike SSH ban using only firewall rules

After working with Mikrotik / RouterBoard routers for a long time, I recently needed to replace an aging old wifi router at my parents and the recent brand of very cheap Mikrotik WIFI integrated routers (RB941-2nD-TC shown on left) that you can get under 20,-EUR was a great deal with an added bonus that I want to manage all this remotely and not visit physically every time there is a wifi problem.  So following my previous post on how to put a little script into Mirkotik to email you it’s public address whenever it changes (a mandatory to manage parent’s home router using dynamic public IP from ISP) I was also concerned about publicly opened SSH port and wanted at least basic protection on it. Most of you are probably using already some great tool such as fail2ban on linux, that scans log files and if it notices three bad logins to SSH from an IP, it will put the IP into a blocking filter on the local linux iptables firewall so it can no longer harass your system. Well I needed something similar on my home Mikrotik router/firewall, but without impacting its performance or doing a lot Continue reading

Worth Reading: Time is not on your side

Many of the presenters, like Truman Boyes of Bloomberg and Peyton Maynard-Koran of EA, discussed the idea of building boxes from existing components instead of buying them from established networking vendors like Cisco and Arista. The argument does hold some valid ideas. If you can get your hardware from someone like EdgeCore or Accton and get your software from someone else like Pluribus Networks or Pica8 it looks like a slam dunk. You get 90% to 95% of a solution that you could get from Cisco with much less cost to you overall. —Networking Nerd

The post Worth Reading: Time is not on your side appeared first on rule 11 reader.

Cumulus content roundup: September

The Cumulus content roundup is back! This month, we’ve journeyed to the far-reaches of the Internet to bring you the best articles, blog posts, and videos about network automation trends. Now, the latest news about containers, clouds and configurations is a click away. Wondering what the CNCF is up to? Or are you more interested in bringing connectivity and visibility to your network? Read on to satiate your curiosities and find the answers to your burning questions. Then, let us know what you think in the comments section below.

Cumulus’ current content

Introduction to Host Pack: Are you searching for software essentials that remove the difficulties of container networking while also bringing visibility and connectivity to the entire stack? Then Host Pack is the product for you! Watch this video to learn about what Host Pack can do for you.

What is FRRouting?: FRRouting (FRR) is the open source software that makes Host Pack’s connectivity so revolutionary. This page goes into deeper, more technical detail about how FRR was developed and how it is used in Cumulus Networks’ Host Pack. Read about FRR here.

NetDevOps: important idempotence: What exactly is idempotence, and what does it have to do with Continue reading

Worth Reading: Improving metrics in cyber resiliency

With the growth in cloud computing, businesses rely on the network to access information about operational assets being stored away from the local server. Decoupling information assets from other operational assets could result in poor operational resiliency if the cloud is compromised. Therefore, to keep the operational resiliency unaffected, it is essential to bolster information asset resiliency in the cloud. To study the resiliency of cloud computing, the CSA formed a research team consisting of members from both private and public sectors within the Incident Management and Forensics Working Group and the Cloud Cyber Incident Sharing Center. —The Cloud Security Alliance

The post Worth Reading: Improving metrics in cyber resiliency appeared first on rule 11 reader.

Network Longevity – Think Car, Not iPhone

One of the many takeaways I got from Future:Net last week was the desire for networks to do more. The presenters were talking about their hypothesized networks being able to make intelligent decisions based on intent and other factors. I say “hypothesized” because almost everyone admitted that we aren’t quite there. Yet. But the more I thought about it, the more I realized that perhaps the timeline for these mythical networks is a bit skewed in favor of refresh cycles that are shorter than we expect.

Software Eats The World

SDN has changed the way we look at things. Yes, it’s a lot of hype. Yes, it’s an overloaded term. But it’s also the promise of getting devices to do much more than we had ever dreamed. It’s about automation and programmability and, now, deriving intent from plain language. It’s everything we could ever want a simple box of ASICs to do for us and more.

But why are we asking so much? Why do we now believe that the network is capable of so much more than it was just five years ago? Is it because we’ve developed a revolutionary new method for making chips that are ten times Continue reading

Discussion with Maldivian Operator Dhiraagu (AS7642)

I discussed the BGP Router Reflector design, Settlement Free Peering , Transit Operator choice, Internet Gateways and the Route Reflector connections, MPLS deployment option at the Internet Edge and many other things with the Operator from Maldives. Operator name is Dhiraagu. Autonomous System Number is 7642.   Engineer from the ISP Core team, who is […]

The post Discussion with Maldivian Operator Dhiraagu (AS7642) appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

1 1,532 1,533 1,534 1,535 1,536 3,346