As we work through this tutorial, we will learn how to use the cloonix graph interface to build a simulation scenario that includes two small IPv6 networks connected to each other by two routers via static routes. We will also learn how cloonix saves network topologies and guest virtual machine root filesystems.
Linux IPv6 network simulation running on the cloonix open-source network simulator
The cloonix open-source network simulator uses KVM virtual machines in the simulated network so, in this tutorial, we will demonstrate real Linux router and host configuration procedures.
First, let’s review the high-level steps we will execute to set up and configure a simulated IPv6 network and then save a network topology and node configurations.
We intend to create a scenario made up of static root filesystems Continue reading
This post is for anyone who’s thought about deploying VXLAN on their network and who like me thinks deeply about stuff, to the point of utter confusion, which hit me on a very hot sunny afternoon. The good news with confusion is, once you’ve cracked the issue (normally one’s correct understanding), the clouds clear and the birds sing.
Virtual Extensible Local Area Network functionality is beginning to hit a wide range of vendor devices. VXLAN provides 16 million (and then some) segments for Layer 2 networks. Some organisations, especially those providing cloud infrastructure, currently have or will have problems with the number of VLANs available in 12 bits, which is 4096. Of that 4096, some are not usable, either because they are reserved for things like token-ring or for platform-specific internal communication.
VXLAN is a simple encapsulation method, or a tunnel. It encapsulates the original payload into UDP packets for transit across an IP network and adds another 50 bytes on to the header tax. At a very high level, VXLAN can be deployed in multicast mode or in unicast mode. Virtual Network IDs (VNIDs) represent VXLAN segment identifiers. In order to gain connectivity, a network construct Continue reading
Last week, I spent the majority of my commute time listening to a cybercrime novel by Mark Russinovich. This book, Trojan Horse, is the second of three books in the Jeff Aiken Novel series and didn’t disappoint in any way. In the past I read the electronic version of the first book, Zero Day. Whether or not you work in information security, you’ll likely find these books enjoyable. Having some grasp of the reach and dependence on information systems, I find these books are reasonably plausible. I plan to listen to the final installment in the series during my travels this week.
Disclaimer: I have nothing to disclaim about this article. The links shared are not affiliate links and PacketU receives no compensation from Mark Russinovich or the vendors distributing his work.
The post Book Recommendations — Jeff Aiken Series by Mark Russinovich appeared first on PacketU.
Those studying for certification exams should know what they’re studying for. This is typically found on some sort of syllabus or blueprint. In Cisco parlance, we simply call this the exam blueprint. So those taking ICND1 in hopes of achieving CCENT would typically research the ICND1 exam blueprint. This is found by selecting the link in the Exam Topics section of the exam overview page.
While reading through this type of document, it is important to keep a few things in mind. For example, it is beneficial to continually think about how a vendor may validate knowledge of a particular competency. It is also important to pay attention to keywords like describe, configure and troubleshoot. The keyword describe would typically indicate only a conceptual understanding is required. Configure or troubleshoot might be used to indicate working proficiency with a technology is expected.
As a candidate assesses a given blueprint, they should think about how they could assess someone else’s knowledge. For example, one might consider the task of hiring a network administrator. How could the understanding of collision domains and broadcast domains be assessed? By thinking in these terms, the challenges that networking vendors face in assessing candidates begin to surface.
Looking at a blueprint Continue reading
During Cisco Live 2014, the Cisco team tracked me down and talked to me about my role and the value of the Cisco Learning Network.
The post Interview with David Major, Discussing CLN appeared first on PacketU.
A couple of weeks ago, I asked some questions about an obscure OSPF configuration. I found the scenario fun to write and share. Therefore, I wanted to offer another odd configuration that might challenge readers to think through the resulting behavior of a Cisco device. This particular challenge is a quick and dirty RIP configuration based on the following scenario.
interface FastEthernet0/0
 description To Host1
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/1
 description To R2
 ip address 10.100.100.1 255.255.255.0
!
router rip
 network 10.100.100.0
interface FastEthernet0/0
 description To Host2
 ip address 10.2.2.2 255.255.255.0
!
interface FastEthernet0/1
 description To R1
 ip address 10.100.100.2 255.255.255.0
!
router rip
 network 10.100.100.0
Assuming Host1 and Host2 are configured with the appropriate address and default gateway, which two of the following statements are true?
A question like this can reveal whether or not an individual has experience configuring interior gateway protocols. Those who have worked with IOS will Continue reading
Facebook develops its own operating system for switches. This shows that OSs like Cisco's IOS and Juniper's Junos are under attack and devalues those businesses. The destruction of the software moat means that customers have far more choice for their networks.
The post Thought: What Facebook Wedge, Cumulus Linux Shows About Network Operating Systems appeared first on EtherealMind.
When the concept of subnetting comes up, there is a need to first establish what networks were like before the Internet Standard Subnetting Procedure was introduced in RFC950. Prior to the use of subnet masks, networked devices made assumptions about the network and host portion of the address. The process by which these assumptions are made was defined in RFC791:
Addresses are fixed length of four octets (32 bits). An address
begins with a network number, followed by local address (called the
“rest” field). There are three formats or classes of internet
addresses: in class a, the high order bit is zero, the next 7 bits
are the network, and the last 24 bits are the local address; in
class b, the high order two bits are one-zero, the next 14 bits are
the network and the last 16 bits are the local address; in class c,
the high order three bits are one-one-zero, the next 21 bits are the
network and the last 8 bits are the local address.
If that leaves you a bit confused, you are in the right place. This article works through the concept of the IP Address Class. Readers should gain the understanding required to decipher things Continue reading
(This post was written by Tim Hinrichs and Scott Lowe with contributions from Martin Casado, Peter Balland, Pierre Ettori, and Dennis Moreau.)
In the first part of this series we described the policy problem: ensuring that the data center obeys the real-world rules and regulations that are pertinent to that data center. In this post, we look at the range of possible solutions by identifying some of the key features that are important for any solution to the policy problem. Those key features correspond to the following four questions, which we use to structure our discussion.
Let’s take a look at each of these questions one at a time.
Let’s start by digging deeper into an idea we touched on in the first post when describing the challenge of policy compliance: the sources of policy. While we sometimes talk about there being a single policy for a data center, the reality is Continue reading
SDN/NFV: More than Hot Air in the Windy City
As reported in my last blog post - SDN: Déjà vu all over again? - Packet Design was a gold sponsor of Light Reading’s inaugural Big Telecom Event in Chicago this week. The organizers claim there were about 1,500 registered attendees with two thirds of them representing network operators. There were several really interesting presentations and panel discussions, and I’ve captured four key takeaways here.
Cengiz Alaettinoglu prepping to demo the Network Access Broker
SDN is getting the buzz, but NFV is where the early action is. This theme ran through the conference and there was much discussion on the relative merits of SDN vs. NFV and whether they should be implemented simultaneously or separately. While there are clear near-term benefits – including lower capex and faster time to revenue – for operators who virtualize network functions that today run on hardware appliances, most agreed that this is a first step only. To achieve maximum efficiency and flexibility as well as deliver the best customer experience (see below), an SDN-enabled network function virtualization infrastructure (NFVI) is needed in which pools Continue reading
I wanted to do some analysis of the EIGRP topology table last night, so I fired up a small lab. I was especially interested in how external routes appear there and compare to internal entries. Like all good scientific endeavors, the whole thing got derailed when I made a realization.
Here’s the lab I set up. You can ignore the IPv6 info for this exercise.
It’s a simple little thing. All the networks you see are included in EIGRP 100 for simplicity. I limited the network statements to 192.0.2.0/24 to keep my options open. I went ahead and added Loopback100 on R3 with an address of 3.3.3.3/32 and added a redistribute connected with a route-map to get the route out in the wild. Here’s what I had.
R3#show run | section eigrp
router eigrp 100
 redistribute connected route-map RM-REDIST-CONN
 network 192.0.2.0
 no auto-summary
!
route-map RM-REDIST-CONN permit 100
 match interface Loopback100
Alright. All looks good there, so I checked the topology table on R1 and saw it in there as an external and everything.
R1#sh ip eigrp topology 3.3.3.3/32
IP-EIGRP (AS 100): Topology entry for 3.3.3.3/32
  State Continue reading
Let's say you don't have a TPM chip, or you hate them, or for some other reason don't want to use it to protect your SSH keys. There's still hope! Here's a way to make it possible to use a key without having access to it. Meaning if you get hacked the key can't be stolen.
No TPM, but key can't be stolen anyway? Surely this is an elaborate ruse? Well yes, it is. My idea is that you essentially bounce off of a Raspberry Pi.
But doing that straightforwardly is too easy. I've instead made an SSH proxy, and will show you how to automatically bounce off of it. You could do the same by setting up a second SSH server (or the same one), and hack around with PAM and a restricted shell. But this solution can be run as any user, with just the binary and the set of keyfiles. Very simple.
The goal here is to log in to shell.foo.com from your workstation via a Raspberry Pi. The workstation SSH client presents its SSH client key to the SSH Proxy on the Raspberry Pi, and if allowed will connect on and present the SSH Continue reading
I’ll admit, I jumped into docker pretty quickly and found that I was getting a little ahead of myself. After much googling and discussion, I’ve come to realize a couple things about docker that I think are well worth sharing. I’m hoping to share them through a series of ‘Docker Essentials’ type posts.
NOTE: My first post was going to be about how to interact with docker on the CLI. However, there are lots of other resources out there for that. Namely, the really awesome docker documentation. In addition, the CLI provides help/syntax on commands as well. I’ll list a couple of resources that I used and try to explain along the way, but if you don’t recognize a command I’m using look it up!
The docker user guide – http://docs.docker.com/userguide/
The docker CLI reference – https://docs.docker.com/reference/commandline/cli/
The docker guide book – https://github.com/kencochrane/docker-guidebook
Working with images and Containers
At first glance, I made some assumptions about images and containers that proved to be wrong. So let’s start with some basics.
Images are read-only. That is, they can never be altered. Containers are built using Continue reading