Video: IPv6 Microsegmentation
The video of my Troopers 15 IPv6 Microsegmentation presentation has been published on YouTube. As with the Automating Network Security video, it’s hard to read the slides; you might want to look at the slide deck on my public content web site.
You’ll find more about this topic, including tested Cisco IOS configurations, in IPv6 Microsegmentation webinar.
Saltstack – Using Pillars and starting to template
In our last post about SaltStack, we introduced the concept of grains. Grains are bits of information that the Salt minion can pull off the system it’s running on. SaltStack also has the concept of pillars. Pillars are sets of data that we can push to the minions and then consume in state or managed files. When you couple this with the ability to template with Jinja, it becomes VERY powerful. Let’s take a quick look at how we can start using pillars and templates.
Prep the Salt Master
The first thing we need to do is to tell Salt that we want to use Pillars. To do this, we just tell the Salt master where the pillar state files are. Let’s edit the salt master config file…
vi /etc/salt/master
Now find the ‘Pillar Settings’ section and uncomment the line I have highlighted in red below…
Then restart the salt-master service…
systemctl restart salt-master
So we just told Salt that it should use the ‘/srv/pillar/’ directory for pillar info so we need to now go and create it…
mkdir /srv/pillar/
Now we’re all set. Pillar information is exported to the Continue reading
The Verizon SuperCookie Won’t Go Away
Update 4/21/2015:It's been pointed out to me that Relevant Mobile Advertising (RMA - the thing responsible for the SuperCookie) and Customer Proprietary Network Information (CPNI) are not the same thing. That may be, but the link in the opt out instructions on Verizon's RMA info page goes to the CPNI settings below. If there's an RMA opt-out lever available to me somewhere on verizonwireless.com, I sure can't find it. I spoke with a new Verizon phone rep today. She claims to have sorted things out. My HTTP traffic still has the extra header attached. We'll see if that changes in the next few days...Verizon Wireless made the news a few months ago when somebody noticed that they were adding extra HTTP headers which uniquely identified subscribers to every web request which traversed their network.
There was something of an uproar about it. I checked at least one of my phones, and was disappointed to find the tracking header attached to my traffic.
Then, less than two weeks ago, Verizon announced that customers would be allowed to opt out of having their web requests marked in this way. Many news outlets covered the announcement, Twitter rejoiced, and I Continue reading
Auvik April Release Notes – WMI Support and Printer Monitoring!
With this release, we’ve put heavy emphasis on broadening Auvik’s visibility and monitoring capabilities. NEW! Support forFun With Route-Maps And BGP
I’ve always been a little bit hazy on the circumstances under which a BGP neighbour needs to be cleared. This extremely informative page from Cisco casts a bit of light on the situation. Especially, the section on when to clear a BGP neighbourship.
The official line is any in/outbound policy update will require the BGP session to be cleared to take effect. Obviously, this depends on the direction the policy is applied when you clear the neighbourship in/outbound.
So my question is whether a new route-map constitutes a policy update. Now this may sound like a stupid question (remember the title of the blog please dear reader). But someone legitimately asked me if applying a new policy constituted an update. So let’s find out.
This is my topology:
This is what I’m doing:
– Loopback0 (10.1.1.1/32) is advertised into OSPF on R1 along with the 1.1.1.0/30 network.
– The 1.1.1.0/30 network is advertised into OSPF on R2.
– BGP is used to advertise the 3.3.3.0/24 network using a peer-group TEST.
– R1 and R2 have an iBGP peering in AS 65000 using the physical addresses of Continue reading
New CCIE SPv4, CCIE RSv5 & Multicast Classes This Week
This week I will be running the following free online classes:
- CCIE Service Provider v4 Kickoff – Tues April 14th @ 09:00 PDT (16:00 UTC)
- CCIE Routing & Switching v5 Overview and Preparation – Thurs April 16th @ 09:00 PDT (16:00 UTC)
- Intro to IPv4 & IPv6 Multicast* – Fri April 17th @ 09:00 PDT (16:00 UTC)
*Free for AAP Members
INE will also be offering the following free upcoming online classes:
- CCNA R&S Overview and Preparation – Tues April 21st @ 09:00 PDT (16:00 UTC)
- CCNP R&S Overview and Preparation – Thurs April 23rd @ 09:00 PDT (16:00 UTC)
- CCNP R&S TSHOOT Overview and Preparation – Thurs April 30th @ 09:00 PDT (16:00 UTC)
More information on these classes can be found here.
CCIE Service Provider v4 Kickoff
This class marks the kickoff of INE’s CCIE SPv4 product line for the New CCIE Service Provider Version 4 Blueprint, which goes live May 22nd 2015! In this class we’ll cover the v3 to v4 changes, including exam format changes and topic adds and removes, recommended readings and resources, INE’s new CCIE SPv4 hardware specification and CCIE SPv4 Workbook, and the schedule for INE’s upcoming CCIE Service Continue reading
7 ways to save money with hybrid cloud backup
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.
Disasters that affect data aren’t necessarily the type that Hollywood glorifies in blockbusters. The scenarios that could bring your business to a standstill might be caused by cyberattack, human error, blizzard or hurricane, or any number of other common occurrences. When these events happen – and they will happen to every business at least once – they are far more destructive when there is no plan in place for maintaining uptime and productivity.
In many cases today, comprehensive plans rely on hybrid cloud backup. What was once a costly, time-consuming process to back up data to tape has morphed into a reliable practice that can both safeguard your data and restore your business in minutes instead of taking days or weeks. And today’s proliferation of specialized business continuity approaches empowers organizations to save their entire systems soup-to-nuts, down to individual device settings and snapshots. Here’s how hybrid cloud backup can save your data, your reputation and your money:
To read this article in full or to leave a comment, please click here
Which is more secure, Android or iOS? The answer isn’t that simple
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.
We love to ask the question, “Which is more secure: iOS or Android?” But if you really want to drive secure mobile productivity you’re going to have to start looking at the bigger picture.
The longstanding Android vs. iOS debate is understandable because these mobile OSes power the majority of devices employees bring to work today. But two trends in the mobile world are uprooting the traditional arguing points -- and changing the mobile security landscape overall. They highlight our need for an actionable, multi-layer security approach, not just putting your hope in the OSes of two major mobile players.
To read this article in full or to leave a comment, please click here
Creating Uplink Port-Channels in UCS Manager
Recently, a customer asked me for a quick how-to for plumbing and configuring northbound port-channels on their UCS B-series setup. The basic install including management access had been completed some time ago, but as projects sometimes go, this one had been back-burnered for some time so we were just getting around to making it work.
I spun up my copy of the UCSPE (obtainable here) and grabbed a few screenshots to provide a quick walkthrough. The customer was able to follow my instructions quickly and with no further follow-up questions, so I figured I’d toss this into a quick blog post for anyone else looking to do the same.
Setup:
Each 6200-series UCS Fabric Interconnect will have a single 4-member port-channel that goes up to the pair of Nexus using a vPC.
Procedure:
1. Preconfigure the ports on the Nexus switches. Since this is a vPC arrangement, each Nexus will require identical configuration:
interface port-channel5 description To ucs6248-a switchport mode trunk switchport trunk allowed vlan 1-50 spanning-tree port type edge trunk vpc 5 ! interface Ethernet1/5 description To ucs6248-a switchport mode trunk switchport trunk allowed vlan 1-50 channel-group 5 mode active no shutdown ! interface Ethernet1/6 description To ucs6248-a switchport mode trunk Continue reading