VRF Series Article 2 – Extending L3 Segmentation with VRF-lite
In the last article, we took an initial look at L3 segmentation with VRFs. In that case, we created a basic first hop configuration that had isolated pci and data segments. In reality, most networks are far larger and more complex. This article continues down that same path by building proper layer 3 links and IGP adjacency with a Headquarter (Main) location. The starting point from a configuration standpoint is where we left off in Article 1 of this series.
Specifically in this article, we will configure subinterfaces to connect BrWan to Main for each VRF. We will also create a loopback on Main in each VRF to act as a test point that should be reachable from each host. From a routing protocol perspective, we will leverage EIGRP in Named Mode. This mode is a requirement because it is the method that allows the address family command to identify VRFs.
Note: I am working from some VIRL defaults, so I will be including the removal of unnecessary items. Also, I will be shutting down Gigabit 2 since the rest of the topology is out of scope for this article.
Main – HQ Router
//removing unnecessary routing Continue reading
Musing: Google Establishes CA Root Authority.
Google continues to build out its ownership of key Internet infrastructure. Email/Spam filtering, Chrome Browser, DNS
As we look forward to the evolution of both the web and our own products it is clear HTTPS will continue to be a foundational technology. This is why we have made the decision to expand our current Certificate Authority efforts to include the operation of our own Root Certificate Authority. To this end, we have established Google Trust Services (https://pki.goog/), the entity we will rely on to operate these Certificate Authorities on behalf of Google and Alphabet.
Thoughts, in no particular order:
- Bought company with root certificates to shorten lead time to control
- Ownership of and widespread use of Chrome web browser, DNS and trusted root certificates means that Google has unprecedented amount of control over user data regardless encryption.
- Can silently MITM any traffic in browser by combining web browser and certificate configuration
- Data gathering from DNS servers for destinations, source addresses/geolocation, usage profiling
- Chrome already prevents many privacy and usability features available in other browsers e.g. Reading mode,
- Adds to data-gathering possibilities from web services that predict searches, URLs and spelling errors built into browser
One of the base Continue reading
VRF Series Article 1 – Basic L3 Segmentation with VRFs
Network engineers are well aware of the Layer 2 isolation properties of VLANs. Their use is so pervasive that they are second nature to most. This article is the first in a series that outlines specifically how VRFs can be used to provide the same type of end to end isolation for Layer 3 that VLANs provide for Layer 2.
In this example, we will work with a subset of the overall topology that I previously shared. Specifically, we are going to configure a router that I’ll call BrWan, a Layer 2 switch, and 3
routers that I’m using to emulate connected hosts (data-x/pci-x).
BrWan will contain the technology configuration that is the primary focus of the article. The other components are configured somewhat generically and using technologies that most are very familiar with.
At the end of this exercise, the requirement is that anything related to “data” can only reach other parts of the “data” network. Similar requirements exist for “pci”. There will be no ACLs used to prevent communication between pci and data, but the isolation requirement is strict. These concepts will be carried forward throughout the series. Later examples will provide a mechanism for some traffic between Continue reading
Segmenting Layer 3 Networks with VRFs
I am creating a multi-part series that focuses on Layer 3 network segmentation. This post serves as a landing point and aggregation place for these topics. As the series is built out, the individual links will be available below.
Articles in this Series
- Article 1 – Basic L3 Segmentation with VRFs
- Article 2 – Extending L3 Segmentation with VRF-lite
- Article 3 – Creating a Shared Services VRF
- Article 4 – VRF-lite in a DMVPN Network
- Article 5 – Stateful Inter-Vrf connectivity
The basic topology is shown below. Each article will consist of the configuration information and relevant validation. This should serve as a very good starting point for anyone struggling with building out a common network with strict security zones requiring areas of isolation.
Other Articles about VRFs
- VRFing 101, Understing VRF Basics
- VRFing 102, Providing Internet Access With Dynamic PAT
- VRFing 103, Using NAT Virtual Interfaces for Global Reachability
- Using a GRE Tunnel VRF to Separate the Physical Interface
- Combining GRE and IPSec with a Front Side VRF
- ce Gateway and Voice VRF – Caveats
Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may does not reflect the position Continue reading
Python – For Loops
I’m learning the basics of Python and these are my publically available notes for my reference. Hopefully they are useful for my readers as well.
The For loop in Python is used to iterate through different objects such as lists or dictionaries. The power of the For loop is that it can run as many times as needed and then stop without having to define the number of times it should run. It can also be used to run n number of times where we define n ourselves.
I’ll give some examples related to networking to make it more interesting. Let’s say that we want to create a lot of loopbacks so that we can advertise routes in BGP to play around with prefix-lists. We will create 10 loopbacks. This means that the For loop should run 10 times, we can use the range command for this. The iterator will start at 0 and have a stepping by 1 by default which means that our first loopback will be loopback0 and our first network will be 10.0.0.1/32.
for loopback in range(10):
print "interface loopback{}".format(loopback)
print "ip address 10.0.{}.1 255.255.255.255".format(loopback)
APIC-EM Data Export
I was at a Cisco DNA customer event on Thursday. Someone in the audience asked a very good question. Basically they wanted to know if there was a way to extrapolate data from the APIC-EM network management tool. At first glance it didn’t seem to be something that was available in the UI. One of the Cisco representatives quickly and correctly stated that it 
is all available from the API.
My initial thought was that this was a product weakness. Why can’t we just manually extract this stuff to a CSV and import it wherever we want to? Whether due to intentional omission or strategic direction, an API first approach is better. It is better because it allows systems to be glued together and more of our mindless tasks to be automated. So the counter argument to that really revolves around use cases, initial effort and skills gaps. The examples I’m about to provide should help alleviate some of those concerns.
TL;DR — Looking to get APIC-EM data into an Excel spreadsheet? Python can easily grab Host and Device Data and provide it in a format that is easily consumable such as Text, Tab, CSV or other format of choice.
LSA issue @ January 28, 2017 at 02:35PM
A burden of many #NETCONF articles and tutorials is that they are often silent about the #YANG part. This is why we would like to highlight this post by Michael Kashin called ""Getting Started With NETCONF and YANG"" [1]. Not only this article covers the basics of network elements configuration via NETCONF (particularly via pythonShield & Sword – 10 tips to protect yourself online
Last weekend, millions joined the Women’s March in the US and across the world. They stood up for their rights, and the rights of everyone. We need to do the same on the Internet.
The Internet gives everyone a voice, but we need people to protect those voices.
Online harassment and cyber bullying are real. And, some groups are targeted more than others.
Christine Runnegar