Get Out of the Way
I have a lot of memories that have emerged from my years as a network engineer — from funny stories to profound moments to those times when I felt like a complete idiot (because we’re all idiots sometimes). One of those formative moments was when I was agonizing over the decision to leave the Global Escalation Team in customer support and move into an engineering focused role. I agonized over the change for a number of reasons.
I was moving out of something I knew well, directly supporting customers in a very real way. The Escalation Team was the last stop in customer support. If we couldn’t solve it, it couldn’t be solved. That meant a lot of high pressure customer interaction, doing troubleshooting work on really hard, really big problems. I learned a ton. The Escalation Team was also the top of the hill in my world. There wasn’t anyplace, really, I could imagine wanting to be more than working directly with customers, being able to say at the end of the day, “I helped someone solve a real problem,” or even better, “I helped someone learn how to solve a real problem.” Not only for external customers, Continue reading
Introducing Universal SSL
The team at CloudFlare is excited to announce the release of Universal SSL™. Beginning today, we will support SSL connections to every CloudFlare customer, including the 2 million sites that have signed up for the free version of our service.
This morning we began rolling out the Universal SSL across all our current customers. We expect this process to be complete for all current customers before the end of the day. Yesterday, there were about 2 million sites active on the Internet that supported encrypted connections. By the end of the day today, we'll have doubled that.
For new customers who sign up for CloudFlare's free plan, after we get through provisioning existing customers, it will take up to 24 hours to activate Universal SSL. As always, SSL for paid plans will be provisioned instantly upon signup.
How does it work?
For all customers, we will now automatically provision a SSL certificate on CloudFlare's network that will accept HTTPS connections for a customer's domain and subdomains. Those certificates include an entry for the root domain (e.g., example.com) as well as a wildcard entry for all first-level subdomains (e.g., www.example.com, blog.example.com, etc. Continue reading
Building a Small Cloud with UCS Mini
During the last round of polishing of my Designing Infrastructure for Private Clouds Interop New York session (also available in webinar format) I wondered whether one could use the recently-launched UCS Mini to build my sample private cloud.
Read more ...High availability in horizontally-scaled applications
The networking industry has a somewhat unique relationship with high availability. For compute, storage, and applications, failures are somewhat tolerable because they tend to be more isolated (a single server going down rarely impacts the rest of the servers). However, the network’s central role in connecting resources makes it harder to contain failures. Because of this, availability has been an exercise in driving uptime to near 100 percent.
It is absolutely good to minimize unnecessary downtime, but is the pursuit of perfect availability the right endeavor?
Device uptime vs application availability
We should be crystal clear on one thing: the purpose of the network is not about providing connectivity so much as it is about making sure applications and tenants have what they need. Insofar as connectivity is a requirement, it is important, but the job doesn’t end just because packets make it from one side to the other. Application availability and application experience are far more dominant in determining whether infrastructure is meeting expectations.
With that in mind, the focus on individual device uptime is an interesting but somewhat myopic approach to declaring IT infrastructure success. By focusing on building in availability at the device level, it is easy Continue reading
Shellshock protection enabled for all customers
On Thursday, we rolled out protection against the Shellshock bash vulnerability for all paying customers through the CloudFlare WAF. This protection was enabled automatically and immediately starting blocking malicious requests.
We had a number of requests for protection from Shellshock for all our customers, including those on the Free plan.
After observing the actual Shellshock traffic across our network and after seeing the true severity of the vulnerability become clear, we've built and tested a special Basic ShellShock Protection for all customers.
That protection is now operating and enabled for every CloudFlare customer (Free, Pro, Business and Enterprise). Paying customers have the additional protection of more complex Shellshock rules in the CloudFlare WAF.
Every CloudFlare customer is now being protected from the most common attack vectors based on the Shellshock problem and paying customers continue to have the more advanced protection that was rolled out yesterday.
The Seven Layer Model is Dead
Whether we have the funeral in New Orleans style (with a lot of brass and, well, other stuff), or in the more somber style we’re all so accustomed to– or even perhaps dance down the road singing, “ding dong, the model’s dead” — it’s time to pack the seven layer model into a virtual coffin […]
Author information
GNS3 on Fedora Linux
Here are mu notes about installation GNS3 version on Fedora Linux. It shows the basic steps required to successfully install and configure GNS3 for VirtualBox, Qemu, IOU, and Dynamips support. Configuration of individual VirtualBox, Qemu, IOU and IOS images is not discussed.
1. GNS3 GUI and Server Installation and Configuration
1.1 Install Dependencies
$ sudo yum install python3 python3-setuptools.noarch python3-PyQt4 python3-devel gcc
1.2 Download and Extract GNS3 GUI and Server
$ git clone https://github.com/GNS3/gns3-gui.git
$ git clone https://github.com/GNS3/gns3-server.git
$ cd gns3-gui/
$ sudo python3 setup.py install
$ cd ..
$ cd gns3-server/
$ sudo python3 setup.py install
1.3 Configure GNS3 Server Settings
Navigate to Edit-> Preferences-> GNS3 server-> Local server and change path to gns3server.
2. IOU Installation and Configuration
IOU stands for IOS on Unix. IOU images are IOS images that are compiled for x86 / Sparc CPU architecture.
2.1 Install Dependencies
$ sudo yum install gcc gcc-c++ git
2.2 Create Symbolic Link and Prevent IOU to Call Home
$ cd /usr/lib
$ sudo ln -s ./libcrypto.so.10 libcrypto.so.4
$ su -c "echo '127.0.0.127 xml.cisco.com' >> /etc/hosts"
Ansible for Network Automation – Part 2
This blog is part of my series on Devops for Networking. In the previous blog, I covered basics of Ansible and how to get started with it. In this blog, I will cover a sample application that I wrote with Ansible. This Ansible application builds on UCS sdk utility that I covered in a previous blog. The … Continue reading Ansible for Network Automation – Part 2
Ansible for Network automation – Part 1
This blog is part of my series on Devops for Networking. Ansible is a very popular Devops tool and serves similar purposes as Puppet, Chef etc. Ansible has the unique feature that there is no need to install agent on the device side and this makes it very popular for Network device configuration since Network … Continue reading Ansible for Network automation – Part 1
Network device configuration using templates with Jinja2 and YAML
This blog is part of my series on Devops for Networking. Typically, Network device configurations for CLI based systems are stored as text files and when its necessary to change parameters like gateway address, vlan, ntp server etc, the script is manually edited and then reapplied to the device. This process is manual and prone … Continue reading Network device configuration using templates with Jinja2 and YAML
It’s the Application Development, Stupid
I love reading blog posts on Plexxi blog (you SHOULD add them to your RSS reader) and the “It’s the Application, Stupid” series from Mat Matthews is no exception. What pleasantly surprised me was that a large enterprise came to the same conclusions I’m preaching for the last few years.
One More Thing: Keyless SSL and CloudFlare’s Growing Network
I wanted to write one more thing about Keyless SSL, our announcement from last week, before attention shifts to what we'll be announcing on Monday. Keyless allows us to provide CloudFlare's service without having private SSL keys stored locally on our edge servers. The news last week focused on how this could allow very large customers, like major financial institutions, to use CloudFlare without trusting us with their private keys.
But there's another use that will benefit the entire CloudFlare userbase, not just our largest enterprise customers, and it's this: Keyless SSL is a key part of our strategy to continue to expand CloudFlare's global network.
CloudFlare's Global Network Today
CloudFlare's network today consists of 28 edge data centers that span much of the globe. We have technical and security requirements for these facilities in order to ensure that the equipment they house remains secure. Generally, we're in Tier III or IV data center facilities with the highest level of security. In our San Jose facility, for instance, you have to pass through 5 biometric scans, in addition to multiple 24x7 manned guard check points, before you can get to the electronically locked cabinets housing our servers.
There Continue reading
Wi-Fi SNR to MCS Data Rate Mapping Reference
I previously posted a picture of an SNR to MCS data rate mapping table that I have compiled based on various sources of credible research. Keith Parsons has kindly put this information into a printable format for reference. You can download them below.It should be noted that individual devices perform differently. These tables are simply generic estimates that are a good approximation for many Wi-Fi devices. In other words, it's not perfect.
 |
| Click to Download Full Version (PDF) |
This table maps client SNR values to MCS indexes for the purpose of determining the data rates that clients can achieve based on the signal quality of their connection to the AP.
SNR is also related to RSSI. Two RSSI values are of importance: the Minimum Receiver Sensitivity and the Expected Receiver Sensitivity. The 802.11 minimum receiver sensitivity tables often referenced in research and testing material are the required minimum RSSI values that a radio should be able to decode a given modulation type and encoding rate (MCS index) with a packet error rate (PER) less than 10%. Most 802.11 radios provide better receiver sensitivity than the minimum requirement. Therefore, the "Expected Receiver Sensitivity" reflects the typical receive sensitivity Continue reading
Celebrating CloudFlare’s 4th Birthday
Since CloudFlare launched to the public four years ago today, we've always considered September 27th our birthday. We like to celebrate by doing something nice for our team and also for our customers. Two years ago, for example, we brought a cake into the office and then enabled free IPv6 support for all our customers.
Saturday is our birthday this year, so we decided to celebrate it a few days later when we'd all be back in the office on Monday, September 29th. That actually corresponds to the day we presented at the finals of the TechCrunch Disrupt startup contest where we launched. We ended up coming in second. Mike Arrington, the founder of TechCrunch, said we were basically "muffler repair for the Internet."
Looking back, that's actually not a bad description. At core, CloudFlare's mission is to help build a better Internet by fixing its biggest problems -- its metaphorical rusty mufflers. This year, we thought it would be great to repair a big, ugly muffler that should have been fixed a long time ago.
This Monday, we'll bring a cake into the office. (It'll have to be a lot bigger as our team has grown substantially.) Continue reading
HP switches: copy configuration between different device models
A couple of days ago I did a planned software upgrade of an HP5406zl. Since the installed firmware version was quite old it was not possible to update directly to the latest release, an upgrade path must be followed: This is…Knowing Your Audience…and Showing It
We all know that you’re supposed to “Know Your Audience.” Doing so improves engagement, and avoids faux pas like “Suggested Tweets.” But recently I realised that this doesn’t have to be subtle. Drop hints early on in your presentation that you’ve taken the time to understand the audience – it can really lift the mood.
Suggested Tweets – Just Say No
Companies that obsess about the wrong kind of metrics think that all they need is to get their message repeated many times. So they give employees & partners a list of “suggested tweets.” These are pre-written Tweets that people can send out from their own Twitter accounts, to “generate buzz.” I have seen many companies do this, and it is overwhelmingly lame. It devalues the message, and devalues those who send out these “suggested tweets.”
In the lead-up to the recent Cisco UCS event, many members of the Cisco Champions program sent out the same set of tweets. When I see the same tweet from several people in my stream, it’s obvious what’s going on. If you’re running a marketing Twitter account, then yeah, I expect marketing messages. But if you’re a real person, and I’ve Continue reading
TCP Is a Stream Protocol
I hope you know TCP provides a reliable stream service not reliable packet delivery, but you might not have realized all the implications – I found an old post by Robert Graham explaining how things really work and how you can use them to bypass quick-and-dirty IDS that rely on signatures instead of doing proper protocol decodes.
Classic IOS as a DNS Server
There is an occasional need for a DNS server in the absence of a dedicated host. This may occur in the following situations–
- Using PAT, Public DNS may return a non-RFC1918 address for internal server
- Lab/Demo Environment
- Other Name Resolution challenges in SOHO, SMB or Branch Office
When these corner-case challenges present, an IOS router may be beneficial by providing basic DNS functions. Assuming the router already has Internet connectivity, the configuration is straightforward–
//enable the dns server functionality IOS-DNS(config)#ip dns server //if public requests should be resolved, configure one or more name //servers as resolvers and confirm domain-lookups are enabled IOS-DNS(config)#ip name-server 8.8.8.8 8.8.4.4 IOS-DNS(config)#ip domain-lookup
At this point the router should perform DNS resolution by relaying requests to the public name servers in the configuration. Hosts could use any IP address on the device in their DNS configuration. ACLs should be used to block DNS requests to interfaces that aren’t servicing clients.
To create DNS records for local resolution, the ip host command can be used.
IOS-DNS(config)#ip host ?
WORD Name of host
view Specify view
vrf Specify VRF
IOS-DNS(config)#ip host www.example.com ?
Default telnet port number
A.B.C.D Host IP address
additional Append addresses
mx Configure a Continue reading
Change HTTP reply content with AppShape++
Lab goal
When a clients asks for beta/a2.html, return "Hello" instead.
Use VIP 10.136.85.14
Use VIP 10.136.85.14
Setup
The loadbalancer is Radware's Alteon VA version 29.5.1.0
1 | /c/slb/real 1 |
Alteon configuration
First, lets configure the VIP/virt.
Remember routing! The returning traffic needs to go through the Alteon, otherwise TCP will break. So we also need to configure Proxy IP/SNAT so return traffic will go through the Alteon.
Remember routing! The returning traffic needs to go through the Alteon, otherwise TCP will break. So we also need to configure Proxy IP/SNAT so return traffic will go through the Alteon.
1 | /c/slb/virt 85_14 |
Next we need to write the Appshape++ script:
1 |
Plexxi Pulse—Preparing for Big Data
Plexxi Pulse—Preparing for Big Data
As enterprises launch Big Data platforms, it is necessary to tailor network infrastructure to support increased activity. Big Data networks must be constructed to handle distributed resources that are simultaneously working on a single task—a functionality that can be taxing on existing infrastructure. Our own Mike Bushong contributed an article to TechRadar Pro this week on this very subject where he outlines the necessary steps to prepare networks for Big Data deployments. He also identifies how software-defined networking can be used as a tool to alleviate bandwidth issues and support application requirements when scaling for Big Data. It’s definitely worth a read before you head out for the weekend.
In this week’s PlexxiTube of the week, Dan Backman explains how Plexxi’s Big Data fabric mitigates incast problems.
Check out what we’ve been up to on social media this September. Enjoy!
The post Plexxi Pulse—Preparing for Big Data appeared first on Plexxi.