This post is a follow-up to Ethan’s post and Edward’s post. Both were very useful to me as I began to plan rolling out this feature. I wanted to verify something TimA said in the comments at the bottom of Ethan’s post, namely that a switch running DHCP Snooping will drop DHCP Discovers from […]
The post More DHCP Snooping appeared first on Packet Pushers Podcast and was written by Guy Morrell.
Welcome to a new series of articles that will be structured as lessons, with the goal of bringing SDN closer to everyone's understanding. Each article will present a topic plus one or more exercises that show that topic in action. The lessons will wrap up with some questions asking the readers to practice on their own, and will provide the answers.
In our last post, we talked about how to deploy what I referred to as logical networking. I classify logical networking as any type of switching or routing that occurs solely on the ESXi hosts. It should be noted that with logical networking, the physical network is still used, but only for IP transport of overlay encapsulated packets.
That being said, in this post I’d like to talk about how to connect one of our tenants to the outside world. In order for the logical tenant network to talk to the outside world, we need a means to connect the logical networks out to the physical network. In VMware NSX, this is done with the edge gateway. The edge gateway is similar to the DLR (distributed local router) we deployed in the last post; however, there is one significant difference. The edge gateway is in the data plane, that is, it’s actually in the forwarding path for the network traffic.
Note – I will sometimes refer to the edge services gateway as the edge gateway or simply edge. Despite both the edge services gateway and the DLR Continue reading
Most of us have been burnt, to a degree of severity that we may or may not admit to, by prodding and poking networks. Whether by an unexpected bug, a lack of understanding of the thing we are poking, or sheer ‘bad luck’, there’s no avoiding it.
Being burnt by a network is almost like being zapped by a cattle prod. It doesn’t take many times before your brain rewires itself to avoid getting burnt, unless you’re a network masochist, in which case, you’re a special breed. This rewiring has resulted in using the CLI as an investigatory and validation tool as well as a configuration access method. What was that keyword again?
show ip bgp neighbor ?
Due to mistrust of the documentation, lack of desire, or over-trusting the CLI, our brains have become used to this behaviour and complacency has set in.
As we shift from configuring network elements manually to configuring them by automated template generation and structured API calls, will our well-understood knowledge of a network operating system, with all of its caveats and nuances, become redundant along with our bad habits? So do we just trust an amorphous piece of software Continue reading
As of today, there are only about 2 million websites that support HTTPS. That's a shamefully low number. Two things are about to happen that we at CloudFlare are hopeful will begin to change that and make everyone love locks (at least on the web!).
CC BY 2.0 by Gregg Tavares
First, Google just announced that they will begin taking into account whether a site supports HTTPS connections in their ranking algorithm. This means that if you care about SEO, then ensuring your site supports HTTPS should be a top priority. Kudos to Google for giving webmasters a big incentive to add SSL to their sites.
Second, at CloudFlare we've cleared one of the last major technical hurdles before making SSL available for every one of our customers -- even free customers. One of the challenges we had was ensuring we still had the flexibility to move traffic to sites dynamically between the servers that make up our network. While we can do this easily when traffic is over an HTTP connection, when a connection uses HTTPS we need to ensure that the correct certificates are in place and loaded into memory Continue reading
BGP Security Vulnerabilities a Growing Concern
Border Gateway Protocol (BGP), the protocol that connects different networks together, was not designed with security in mind. It is easy to take down portions of the Internet by announcing illegitimate routes to those parts (referred to as route hijacking). A classic example of this attack is a widely popularized incident a few years ago by a Pakistani service provider. The Pakistan government wanted to block YouTube internally. The service providers there injected a BGP route for YouTube and directed YouTube traffic to nowhere. This route somehow leaked outside of Pakistan, and was carried by many service providers across the Internet. This resulted, in effect, in YouTube’s removal from the Internet.
These incidents, many not as high-profile as the YouTube incident, are routine and go back as far as I can remember. The first incident I am aware of is a dial-up Internet provider in Florida taking down the MIT network in the pre-1994, non-commercial era of the Internet. Early on, these incidents were the result of honest configuration mistakes or fat-fingering of the wrong BGP configuration knobs.
As we all know, the days of Internet innocence Continue reading
I’ve written before about “Why Screen Scraping Sucks.” Well, I can report that nothing has changed. It still sucks. This time I got caught out by the changed behaviour of the “logging host” command.
At a customer site I use HP IMC to perform compliance checks across HP and Cisco networking gear. This has a set of rules that get run against the latest device backups. I have various rules that look for specific patterns – making sure they do, or don’t exist, as required.
My systems should all have two log servers defined. The configs should look something like this:
Rack1SW1#sh run | inc ^logg
logging 1.1.1.1
logging 2.2.2.2
So I defined an IMC compliance rule that looked for the existence of "logging 1.1.1.1" and "logging 2.2.2.2". I’m using the Advanced mode, which uses regex matching, so I need to escape the ".".
This worked well. It alerted on systems that had the incorrect (or no) destinations defined.
Turns out that “logging X.X.X.X” was the original form of this command. At 12.3(14)T, Cisco changed Continue reading
CC BY 2.0 from Brian Snelson
I'm pleased to announce that CloudFlare now supports WebSockets. The ability to protect and accelerate WebSockets has been one of our most requested features. As of today, CloudFlare is rolling out WebSocket support for any Enterprise customer, and a limited set of CloudFlare Business customers. Over the coming months, we expect to extend support to all Business and Pro customers.
We're rolling out WebSockets slowly because it presents a new set of challenges. The story below chronicles the challenges of supporting WebSockets, and what we’ve done to overcome them.
Before diving into WebSockets, it's important to understand HTTP—the traditional protocol of the web. HTTP supports a number of different methods by which a request can be sent to a server. When you click on a traditional link you are sending a GET request to a web server. The web server receives the request, then sends a response.
When you submit a web form (such as when you're giving your username and password when logging into an account) you use another HTTP method called POST, but the interaction is functionally the same. Your browser (called the ‘client’) sends data to Continue reading
Cumulus Linux proved itself quickly as a powerful alternative to traditional networking approaches — not only for the choice it provided with a disaggregated model (choice of both networking hardware and networking OS) or the new business model it provided (a software-only solution with a transparent pricing model) — but also because for the first time, the operating system was a true Linux OS, one that is managed just like Linux on servers, thereby solving many customer challenges around IT automation with tools such as Puppet, Chef, Ansible, Salt, Graphite, and Ganglia readily available on networking platforms. Soon, cloud providers adopted Cumulus Linux and took advantage of various tools to automate rack provisioning, orchestrate switches like servers, and integrate networking with existing workflows.
Cumulus Linux 2.0 brought support for the latest industry-standard hardware platforms with Trident II-based switches and the latest technologies with hardware accelerated VXLANs and Layer 2 gateway integration with network virtualization providers such as VMware NSX. Since then, Cumulus Networks has added many platforms to the HCL, with major partners such as Dell on board, and has had broad coverage for modern Continue reading
Existing tools for network interface configuration have several shortcomings when applied to network switches. These include the lack of ability to handle interface dependencies, incremental updates to interface configuration without disruption, and interface configuration validation. The lack of such functionality increases operational burden. We introduce ifupdown2, a new network interface manager for Cumulus Linux.
ifupdown2 solves these problems through an implementation based on dependency graphs. This article briefly describes network interface configuration on Linux, the problems that arise when configuring a network switch and how ifupdown2 solves these problems and increases operational efficiencies overall.
The Linux kernel understands two types of network interfaces: physical and logical. Physical interfaces represent real hardware and are owned by the device driver that manages the device. Examples of physical interfaces include switch ports. Logical or virtual interfaces are created and managed by the kernel. Examples of logical interfaces include bonds, bridges, VLAN interfaces, etc. Linux network interfaces are often stacked, i.e. they exhibit a master-slave dependency relationship. An example of stacked network interfaces is a bridge and its ports.
The Linux kernel provides APIs to configure network interfaces. Existing native Linux tools like brctl and iproute2 use one or more of the kernel APIs Continue reading
Nicolas Vermandé (VCDX#055) is practice lead for Private Cloud & Infrastructure at Kelway, a VMware partner. Nicolas covers the Software-Defined Data Center on his blog www.my-sddc.om,
This is Part 2 in a series of posts that describes a specific use case for VMware NSX in the context of Disaster Recovery. Here’s part 1,
++++++++++++++++++++++++++++++++++
Deploying the environment
Now let’s have a closer look at how to create this environment. The following picture represents the vSphere logical architecture and the associated IP scheme…
… and the network mapping:
First of all you have to create three vSphere clusters: one Management Cluster and two Compute Clusters, as well as two distinct VDS, within the same vCenter. Each Compute cluster will be connected to the same VDS. One cluster will represent DC1, and the other one will represent DC2. The second VDS will connect to the Management and vMotion networks. Also, you have to create a couple of VLANs: one VLAN for VTEPs, used as the outer dot1q tag to transport VXLAN frames, two external transit VLANs to allow the ESGs to peer with your IP core and VLANs for traditional vSphere functions, such as Management, vMotion and IP storage if Continue reading
IPv6 isn’t a fad. It’s not a passing trend that will be gone tomorrow. When Vint Cerf is on a nationally televised non-technical program talking about IPv6 that’s about as real as it’s going to get. Add in the final depletion of IPv4 address space from the RIRs and you will see that IPv6 is a necessity. Yet there are still people in tech that deny the increasing need for IPv6 awareness. Those same people that say it’s not ready or that it costs too much. It reminds me of a different argument.
IPvcr4
My house is full of technology. Especially when it comes to movie watching. I have DVRs for watching television, a Roku for other services, and apps on my tablet so the kids can watch media on demand. I have a DVD player in almost every room of the house. I also have a VCR. It serves one purpose – to watch two movies that are only available on a video tape. Those two movies are my wedding and the birth of my oldest son.
At first, the VCR stayed connected to our television all the time. We had some movies that we Continue reading
Since its inception, the ASERT team has been looking into politically motivated DDoS events [1] and continues to do so as the relationship between geopolitics and the threat landscape evolves [2]. In 2013, ASERT published three situational threat briefs related to unrest in Syria [3] and Thailand [4] and threat activity associated with the G20 summit [5]. Recently, other security research teams, security vendors and news agencies have posited connections between “cyber” and geopolitical conflicts in Iraq [6], Iran [7], and Ukraine [8] [9].
Given the increasing connections being made between security incidents and geopolitical events, I checked Arbor’s ATLAS data to look at DDoS activity in the context of the current conflict between Israel and Hamas. Arbor’s ATLAS initiative receives anonymized traffic and DDoS attack data from over 290 ISPs that have deployed Arbor’s Peakflow SP product around the globe. Currently monitoring a peak of about 90 Tbps of IPv4 traffic, ATLAS sees a significant portion of Internet traffic, and we can use that to look at reported DDoS attacks sourced from or targeted at various countries.
Israel as a Target of DDoS Attacks
Frequency
Figure 1 depicts the number of reported DDoS attacks initiated against Israel per Continue reading