Archive

Category Archives for "Networking"

SDN Certification Update – September ‘14

If you care about building your own SDN skills, SDN certifications should matter to you, at least for the purpose of figuring out what to study (an argument I’ve made in an earlier post.) Since that time, the SDN world has seen several updates to vendor SDN certifications. (I’m also hopeful that we’ll see a few more at the upcoming Interop New York show towards the end of September.) Today’s post summarizes those that merit a look, at least for the purposes of figuring out what you might want to learn to retool for an SDN world.

Latest Highlights

Here’s a quick list of surprises and other goodies from this latest scan of the state of the art:

  • VMWare lets some Cisco CCNAs and CCNPs bypass the need to take a class when getting the first VMWare SDN cert (VCP-NV).
  • Brocade has a free exam voucher program (stated as limited time), plus a free video course, for their “NFV” cert. In theory, there’s no cash cost to study for and achieve this cert!
  • Cisco’s SDN certs have inexpensive (less than $100) video courses for each cert.

Dig into the rest of the post for more details!

 

Big Continue reading

SIGS & Carrier’s Lunch DC Day: An Event Definitely worth Visiting

I spent last Tuesday in Bern attending the SIGS DC Day Event, and came back home extremely pleasantly surprised. The conference was nice and cozy, giving everyone plenty of opportunities to chat about data center technical challenges (thanks for all the wonderful conversations we had – you know who you are!).

Having the opportunity to meet fellow networking engineers and compare notes is great, but it’s even better to combine that with new knowledge, and that’s where the event really excelled.

Read more ...

Using NVI to Allow Internal Hosts to Connect to Public Addresses of Hosted Servers

IP NAT is a very common configuration. One of the challenges that sometimes surfaces is the need for internal hosts to connect to the public address of a locally hosted server. Anyone who has tried to configure something like the following has likely faced this issue.

IP NAT ExampleIn this example, the top of the diagram represents the outside (Internet, ISP, or External Server), the left represents the DMZ area, and the bottom represents the inside. The goal is to enable dynamic port address translation for internal hosts and static port address translation for the host or hosts found in the DMZ area.

This configuration is fairly straightforward and typically covered in the CCNA curriculum. This includes identifying each interface as inside or outside and configuring the appropriate nat statements.

R1 Configuration

interface FastEthernet1/0
 description To INSIDE
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet1/1
 description To ACME WWW
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
interface FastEthernet1/2
 description To OUTSIDE
 ip address 192.0.2.100 255.255.255.0
 ip nat outside
!
ip nat inside source list 1 interface FastEthernet1/2 overload
ip nat inside source static tcp 192.168. Continue reading

No more duplicate frames with Gigamon Visibility Fabric

disclaimer

Gigamon presented their Visibility Fabric Architecture at Network Field Day 8.  You can watch the presentation at Tech Field Day.

CC BY-NC-ND 2.0 licensed photo by smif
Needs deduplication
One of the interesting facets of Gigamon's solution was it's ability to do real-time de-duplication of captured traffic as it traverses the Visibility Fabric (a hierarchy of monitoring data sources and advanced aggregation switches). I've spent some time around proactively-deployed network taps, but never seen this capability before, and I think it's pretty nifty.

The Problem
Let's say you've got taps and mirror ports deployed throughout your network. They're on the uplinks from data center access switches, virtually attached to vSwitches for collecting intra-host VM traffic, at the WAN and Internet edge, on the User distribution tier, etc...  All of these capture points feed various analysis tools via Gigamon's Visibility Fabric. It's likely that a given flow will be captured and fed into the monitoring infrastructure at more several points. Simplistic capture-port-to-tool-port forwarding rules will result in a given packet being delivered to each interested tool more than once, possibly several times.

This can be problematic because it confuses the analysis tool (ZOMG, look at all Continue reading

Getting the Sourcefire Firepower VM working Inline

The Sourcefire NGIPS/NGFW solution is a way to quickly get some interesting information about traffic on a network. One of the things I like about the solution is that actionable information is almost immediately available after deployment.

Sourcefire Screenshot

There are five deployment modes for a Sourcefire Firepower appliance:

  • Routed
  • Switched
  • Hybrid
  • Inline
  • Passive

Passive and inline modes are the two deployment options for the Virtual versions of the Firepower appliances. Inline mode provides significant advantages over simple passive monitoring. Inline mode allows the appliance to block offending traffic or communications that violates the configured policy. Following the installation guide is straightforward and should allow a security engineer to quickly get this solution up and running.

The first time I ran through this process, I couldn’t get traffic to flow through the inline appliance. After struggling a while, I reconfigured the device into passive mode and spanned some traffic over to it. At first I didn’t see any statistics. After realizing that I also needed to configure VMWare to accept promiscuous mode, I quickly started getting interesting information in the Firesight dashboard.

At this point, a thought occurred to me. What if the Firepower appliance had no layer 2 hooks and forwarded traffic that blindly Continue reading

Integrating Spirent into an Automated Workflow Test Methodology

I’ve spent the last few days getting briefed by several vendors in Silicon Valley.  They include A10, Big Switch, Brocade, Cisco, Gigamon, Nuage, Pluribus, Spirent, and Thousand Eyes.  Over the next few weeks, I’ll try and get a few posts out about the briefings, but for the first one I wanted to focus on Spirent.  Many are probably aware that Spirent provides packet generators and while that’s what they sell and are really good at, it’s the strategy, vision, and software integration with their products that was extremely intriguing.  

I’ve engaged with many customers over the past 10 years and the majority have never felt a real need to test performance.  It was and is usually very easy to over provision hardware when it comes to Layer 2 & 3 switching.  This is still the case for the most part too – there are 1 RU and 2 RU switches that can forward traffic faster than those big monster boxes of just a few years ago.

Why Test Now?

There are network functions being virtualized from almost every vendor out there --- this usually falls under the Network Functions Virtualization (NFV) trend.  It’s Continue reading

HTTP to HTTPs redirect with a twist

Lab goal

Create a new VIP/virt - 10.136.85.13.

The main page should be using HTTP but all the other elements should be using SSL.


Setup




The loadbalancer is Radware's Alteon VA version 29.5.1.0

The initial Alteon VA configuration can be found here.

Alteon configuration

We will reuse group 10 which includes all web servers.

So all is left is to create a VIP/virt with services HTTP and HTTPS

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
 /c/slb/virt 86_13
        ena
        ipver v4
        vip 10.136.85.13
 /c/slb/virt 86_13/service 80 http
        group 10
        rport 80
 /c/slb/virt 86_13/service 80 http/pip
        mode address
        addr v4 10.136.85.200 
 /c/slb/virt 86_13/service 443 https
        group 10
        rport 443
 /c/slb/virt 86_13/service 443 https/pip
        mode address
        addr v4 10.136.85.200

Lines 8-10 - Source NAT. Without it traffic from the server will go directly to client without going first through the Alteon.

Now for the AppShape script:


 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
when HTTP_REQUEST {
    # exctract the fields from the HTTP headers
    set url [ Continue reading

How to avoid online scams when selling your old iPhone or iPad

A lot of people right now are selling their old iPhones and iPad minis to trade up to the supersized iPhone 6 models. Unfortunately, I suspect some of them are being scammed out of their devices — I nearly was.I’m itching for a 64GB iPhone 6 Plus (Space Gray, please). To partly finance Apple’s turkey-platter-sized phablet, I decided to sell my first-generation iPad mini on Amazon. That’s where my scamming saga begins.Within one day of listing the tablet, I received an Amazon email from "Kimberly." She expressed interested in my mini and asked me to send pictures to her personal Yahoo email address.It seemed like a reasonable request, so I emailed a few pictures to her. She soon replied via her Yahoo email and asked for my Amazon seller name. I was a tad suspicious because she was communicating with me directly instead of going through Amazon’s messaging system, but I replied.To read this article in full or to leave a comment, please click here

Network Break 16

This week, EVO:RAIL & Converged thingies, Cisco's multiple SDN strategies, Don't be a precious snowflake and Congress open source project.

Author information

Greg Ferro

Greg Ferro is a Network Engineer/Architect, mostly focussed on Data Centre, Security Infrastructure, and recently Virtualization. He has over 20 years in IT, in wide range of employers working as a freelance consultant including Finance, Service Providers and Online Companies. He is CCIE#6920 and has a few ideas about the world, but not enough to really count.

He is a host on the Packet Pushers Podcast, blogger at EtherealMind.com and on Twitter @etherealmind and Google Plus.

TwitterFacebookGoogle+

The post Network Break 16 appeared first on Packet Pushers Podcast and was written by Greg Ferro.

Sprint, Windstream: Latest ISPs to hijack foreign networks

Last year my colleague Jim Cowie broke a story about routing hijacks that resulted in Internet traffic being redirected through Iceland and Belarus. Unfortunately, little has changed since then and the phenomenon of BGP route hijacking continues unabated and on an almost daily basis.

In the past three days, the situation has gone from bad to downright strange as we have observed a flurry of this activity. Now, for the first time, we’re seeing major US carriers, Sprint and Windstream, involved in hijacking, along with the return of an operation out of Poland targeting Brazilian networks. We see router misconfigurations regularly in BGP data – could these incidents also be explained by simple command-line typos?

Route hijacking continues

In May my colleague, Earl Zmijewski gave a presentation about routing hijacks at the LINX 85 meeting, describing a comprehensive system that can be used to identify suspicious hijacks on a global basis and without any prior knowledge about the networks involved. While we now detect suspicious routing events on an almost daily basis, in the last couple of days we have witnessed a flurry of hijacks that really make you scratch your head.

To mention a few recent events, last Continue reading

FEMA and Your Business Continuity Plan

I passed the ROUTE exam a few days/weeks/months/something ago and decided to pursue certifications of another sort for a while. The wife and I are trying our best to help the community through our ham radio training, so I decided to go down that path a bit further. One thing I was interested in doing is to do EmComm during declared emergencies. That meant I had to take two FEMA courses online to be allowed in the EOC. I thought they would be terribly boring, but I found them to be quite familiar.

The first course was on the Incident Command System (ICS). The main idea is that, in the event of an emergency of any kind or size, an Incident Commander (IC) is assigned to be responsible for the recovery effort.  This mean analysis of the incident, generating an action plan (a very key component), and execution of said plan. If the IC can complete the action plan by himself, then off he goes. If he or she needs some additional resources like people or equipment, then he or she is empowered to draft that help from any entity that’s involved.

Another one of the big points of ICS is Continue reading

HP proposes hybrid OpenFlow discussion at Open Daylight design forum

Hewlett-Packard, an Open Daylight platinum member, is proposing a discussion of integrated hybrid OpenFlow at the upcoming Open Daylight Developer Design Forum, September 29 - 30, 2014, Santa Clara.

Topics for ODL Design Summit from HP contains the following proposal, making the case for integrated hybrid OpenFlow:
We would like to share our experiences with Customer SDN deployments that require OpenFlow hybrid mode. Why it matters, implementation considerations, and how to achieve better support for it in ODL

OpenFlow-compliant switches come in two types: OpenFlow-only, and OpenFlow-hybrid. OpenFlow-only switches support only OpenFlow operation, in those switches all packets are processed by the OpenFlow pipeline, and cannot be processed otherwise. OpenFlow-hybrid switches support both OpenFlow operation and normal Ethernet switching operation, i.e. traditional L2 Ethernet switching, VLAN isolation, L3 routing (IPv4 routing, IPv6 routing...), ACL and QoS processing

The rationale for supporting hybrid mode is twofold:
  1. Controlled switches have decades of embedded traditional networking logic. The controller does not add value to a solution if it replicates traditional forwarding logic. One alternative controller responsibility is that provides forwarding decisions when it wants to override the traditional data-plane forwarding decision.
  2. Controllers can be gradually incorporated into a traditional network. Continue reading

IDF 2014: Architecting for SDI, a Microserver Perspective

This is a liveblog for session DATS013, on microservers. I was running late to this session (my calendar must have been off—thought I had 15 minutes more), so I wasn’t able to capture the titles or names of the speakers.

The first speaker starts out with a review of exactly what a microserver is; Intel sees microservers as a natural evolution from rack-mounted servers to blades to microservers. Key microserver technologies include: Intel Atom C2000 family of processors; Intel Xeon E5 v2 processor family; and Intel Ethernet Switch FM6000 series. Microservers share some common characteristics, such as high integrated platforms (like integrated network) and being designed for high efficiency. Efficiency might be more important than absolute performance.

Disaggregation of resources is a common platform option for microservers. (Once again this comes back to Intel’s rack-scale architecture work.) This leads the speaker to talk about a Technology Delivery Vehicle (TDV) being displayed here at the show; this is essentially a proof-of-concept product that Intel built that incorporates various microserver technologies and design patterns.

Upcoming microserver technologies that Intel has announced or is working on incude:

  • The Intel Xeon D, a Xeon-based SoC with integrated 10Gbs Ethernet and running in a Continue reading

Tools for Learning Python for Networkers

I’ve been slowly adding to my list of favorite tools and books for learning Python, and I came across a new one this week. So it seemed like a good time to hit the highlights in a blog post, given that so many networkers have some motivation to learn a programming language. Feel free to comment and add your favorite tools to the list!

Context: Networkers Learning a Language (Python)

First, let me throw in a quick paragraph for context. In this world of SDN, NFV, and network automation and programmability, networking people may or may not choose to go learn a programming language. (What are your plans?)

If you do choose to learn a language (as the poll results show so far at least), Python seems to be the best choice if programming is either new to you, or you just haven’t had to (gotten to?) program as a regular part of a job. Python is the simplest to learn of the languages that matter most to SDN, and is becoming the language-of-choice for more and more universities as the first language learned by undergrads.

On to the Continue reading

Troubleshooting an ESXi host using esxtop

THIS POST IS NOT COMPLETED YET The esxtop utility is probably the most useful utility to troubleshoot a high load on an ESXi host using a CLI. There are eight views: c (default): CPU, sorted by CPU USED by default. d: disk adapter i: interrupt m: memory, sorted by MEMSZ by default. n: network p: power […]
(Visited 73 times since 2013-06-04, 2 visits today)

Open-Source Hybrid Cloud Reference Architecture on Software Gone Wild

A while ago Rick Parker told me about his amazing project: he started a meetup group that will build a reference private/hybrid cloud heavily relying on virtualized network services, and publish all documentation related to their effort, from high-level architecture to device and software configurations, and wiring plans.

In Episode 8 of Software Gone Wild Rick told us more about his project, and we simply couldn’t avoid a long list of topics including:

Read more ...

Alteon AppShape++ Redirects

Lab goals

In the lab we will practice:

  • Redirection - r.dans-net.com should be redirected to 3.dans-net.com
  • Decision by URL matching:
  • If URL length is 1 or 2, not including the leading "/", then redirect to 3.dans-net.com
  • If URL is "/images/number.jpg" or "/icons/number.jpg" then select SRV1
  • URL begins with  "/alpha" or with "/beta" then select SRV2
  • URL contains "cgi-bin" or "gamma" then select SRV3
Both r.dans-net.com and 3.dans-net.com should resolve to 10.136.6.11.

Setup


The loadbalancer is Radware's Alteon VA version 29.5.1.0

Here is the /etc/hosts or c:windowssystem32driversetchosts resolve snippet:


1
2
10.136.6.11     3.dans-net.com
10.136.6.11     r.dans-net.com

Alteon configuration

Fist lets create 3 groups, one for each SRV:



1
2
3
4
5
6
7
8
9
/c/slb/group g1
        ipver v4
        add 1
/c/slb/group g2
        ipver v4
        add 2
/c/slb/group g3
        ipver v4
        add 3

Next, lets configure create the VIP/virt:


1
2
3
4
 /c/slb/ Continue reading

IPv6 Neighbor Discovery (ND) and Multicast Listener Discovery (MLD) Challenges

A few days ago Garrett Wollman published his exasperating experience running IPv6 on large L2 subnets with Juniper Ex4200 switches, concluding that “… much in IPv6 design and implementation has been botched by protocol designers and vendors …” (some of us would forcefully agree) making IPv6 “…simply unsafe to run on a production network…

The resulting debate on Hacker News is quite interesting (and Andrew Yourtchenko is trying hard to keep it close to facts) and definitely worth reading… but is ND/MLD really as broken as some people claim it is?

Read more ...
1 3,310 3,311 3,312 3,313 3,314 3,441