How To: Setting up VPN (IPSec tunnel) to an AWS VPC
- Amazon's VPN connection service that uses the customer gateway and virtual private gateway.
- Using a VPN appliance that acts as a gateway terminating IPSec tunnel.
AWS side configuration
- Create a Virtual Private Gateway. This does not take any settings except a tag/name
- Create a Customer Gateway.
- Make sure the Customer Gateway mimic’s your external / gateway router in your infrastructure. (WAN IP). Select BGP or non-BGP according to your router config.
- Create a new VPC, say 10.0.0.0/16
- Connect the Virtual Private Gateway to this VPC. (VPG -> Attach VPC -> Select your vpc)
- Open the route table for this VPC and enable route propagation (VPC -> Route table -> Route Propataion -> Yes)
- Create new VPN
- Choose specific VPG to associate along with Customer Gateway. You can create a Customer Gateway when creating a VPN if you haven't already done step 1).
- Set routing options. Dynamic if your gateway router Continue reading
Packet Tracer in Firepower Threat Defense
I wanted to share a quick post on a feature that I have found incredibly useful on the ASA and has been extended to Firepower Threat Defense. The feature is called Packet Tracer and is an easy way to apply “packet walk” logic to a flow that would be initiated through the platform. Like most things FTD, the Firepower Management Console is the point of contact for initiating the process.
To initiate Packet Tracer in FTD, open the Firepower Management Console and choose ‘Devices‘ then ‘Device Management‘. Next, select the device that you want to perform the operation and select the icon that looks like a screwdriver and wrench.
This will produce the screen that provides health monitoring and troubleshooting for the device. Selecting “Advanced Troubleshooting” will change the view to a multi-tab troubleshooting screen.
Selecting the Packet Tracer tab will allow for input like Source/Destination, Protocol, Port, SGT, etc.
After filling out this information and choosing “Start“, the device would be put through the same process as an initial packet of a new connection. The resulting packet walk is shown in an expandable tree view or raw text (user selectable).
Tree View
Continue reading
Do We Need Chassis Switches Anymore in the DC?
While Cisco Live this year was far more about the campus than the DC, Cisco did announce the Cisco Nexus 9364C, a spine-oriented switch which can run in both ACI mode and NX-OS mode. And it is a monster.
It’s (64) ports of 100 Gigabit. It’s from a single SoC (the Cisco S6400 SoC).
It provides 6.4 Tbps in 2RU, likely running below 700 watts (probably a lot less). I mean, holy shit.
Cisco Nexus 9364C: (64) ports of 100 Gigabit Ethernet.
And Cisco isn’t the only vendor with an upcoming 64 port 100 gigabit switch in a 2RU form factor. Broadcom’s Tomahawk II, successor to their 25/100 Gigabit datacenter SoC, also sports the ability to have (64) 100 Gigabit interfaces. I would expect the usual suspects to announce switches based on these soon (Arista, Cisco Nexus 3K, Juniper, etc.)
And another vendor Innovium, while far less established, is claiming to have a chip in the works that can do (128) 100 Gigabit interfaces. On a single SoC.
For modern data center fabric, which rely on leaf/spine Clos style topologies, do we even need chassis anymore?
For a while we’ve been reliant upon the Sith-rule on Continue reading
Weakening encryption might be an easy fix, but counterproductive in the long-run
The debate on encryption in the EU has followed a familiar path in pitting national security against concerns about civil liberties and privacy. On the one hand, Governments and intelligence agencies have increasingly claimed that the widespread use of encryption could threaten national security.
Frédéric Donck
FTC Worries that Broadcom’s Purchase of Brocade Creates a Fibre Channel Switch Monopoly
The FTC doesn’t want the deal to quash competition with Cisco.
SK Telecom, NTT DoCoMo Beat AT&T in ‘Most Promising’ 5G Operator List
Juniper Research also predicts 5G revenue could top $269 billion by 2025.
ADVA Optical Networking to Acquire Rival MRV for $69M
ADVA has been on a streak of bolstering its optical networking and virtualization platforms.
Microsoft Reorganization Aims to Boost Cloud Business
The reshuffling could result in layoffs.
Submarine Cable Basics
Submarine Cable is probably the most important topic for the International traffic. More than 99% of the International traffic , including data, voice and video is carried over Submarine Cables. But still submarine cables is not very well known topic among the network engineers, especially if you are not working in the Service Provider, […]
The post Submarine Cable Basics appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.
Worth Reading: A brittle and fragile future
The post Worth Reading: A brittle and fragile future appeared first on rule 11 reader.
BGP FlowSpec on white box switch
Unfortunately, FlowSpec is currently only available on high end routing devices and so experimenting with the technology is expensive. Looking for an alternative, Cumulus Linux is an open Linux platform that allows users to install Linux packages and develop their own software.
This article describes a proof of concept implementation of basic FlowSpec functionality using ExaBGP installed on a free Cumulus VX virtual machine. The same solution can be run on inexpensive commodity white box hardware to deliver terabit traffic filtering in a production network.
First, install latest version of ExaBGP on the Cumulus Linux switch:
curl -L https://github.com/Exa-Networks/exabgp/archive/4.0.0.tar.gz | tar zxNow define the handler, acl.py, that will convert BGP FlowSpec updates into standard Linux netfilter/iptables entries used by Cumulus Linux to specify hardware ACLs (see Netfilter - ACLs):
#!/usr/bin/python
import json
import re
from os import listdir,remove
from os.path import isfile
from Continue reading