Archive

Category Archives for "Networking"

KIClet: Cisco UCS vHBA Template Bug

I found a bug in the vHBA Template creation screen on Cisco UCS 2.0. It’s not too bad, but still a little annoying, and can cause you to have some problems depending on how you have your VSANs set up. If you notice, the default VSAN is selected for my vHBA template. I have named my VSANs “fabric-a” and “fabric-b”. If I drop down the VSAN selector, I have the ability to select the VSAN I have associated with fabric A:

Future residential INET users, I’m so sorry

I never believed IPv6 would be NAT free, but as an idealist I hoped there was a good chance there would be mostly only 1:1 NAT and that each and every connection would get its own routable network, /56 or so: residential DSL, mobile data, everything.

Unfortunately that ship has sailed; it's almost certain the majority of residential/non-business products will only contain a single directly connected network, since we (as a community, I don't want to put all the blame on IPv6 kooks) failed to produce a feasible technical way to do it and spent too much time arguing on irrelevant matters. I'm reviewing two ways to provide INET access on DSL, without PPPoX, as that is not done in my corner of the world, and will show why it's not practical to provide the end customer a routable network.

Statically configure per customer interface

At the DSLAM (or other access device) each customer would be placed in a unique virtual circuit (Q, QinQ, ...), all terminating on a unique L3 logical interface on the PE router. The interface would have a static /64 IPv6 address and an IPv6 /56 network routed to, say, ::c/64. IPv4 could continue to be a shared subnet via an 'unnumbered' interface.

This is by far my favorite way of doing residential IPv6; it supports customer

Log only protocol events

Sometimes it may be very useful to monitor only protocol and link events, especially during maintenance windows. Hereafter, I monitor:
- Link UP/DOWN
- ISIS adjacency UP/DOWN
- OSPF neighbor UP/DOWN
- LDP neighbor/session UP/DOWN
- MPLS LSP UP/DOWN
- RSVP neighbor...

KIClet: NX-OS Default Switchport State

Cisco (and the vast majority of other vendors) ship their switches with all ports in the enabled state. This allows someone with no networking background to plug stuff in; the switch starts learning MAC addresses, and everything works just fine. Sometimes it's necessary from a security perspective to change this default behavior, so the network engineer is forced to "no shut" every port he or she wishes to use.

New Post Type: KIClets

My time lately has been just blasted. I'm being placed into new projects with a large company that involve just about every technology found in a datacenter, and as a result, my spare time is... nonexistent. My knowledge levels in many areas continue to increase, and my need to spew some of it onto the internet in the form of helpful posts or opinions is not quenched, but unfortunately I do not have a ton of time to dedicate to full-on blog posts during the week.

Next Subjects

I've planned to write posts during the next weeks regarding these subjects:
- Enhanced-SCB's detailed migration procedure on MX960: get the full power of your MX and your 3D cards.
- Understanding Hashing / Load-balancing on MX: for ichip/TRIO based cards....

Introduction

Hello, I've opened this blog to share my passion for networking and especially networking on the Junos platform. I provide technical information based only on my experience, my tests in the lab and the public documentation. I'm a French guy and my English is...

Resetting Admin Password on a Cisco ISE Appliance

A great little “feature” of Cisco's Identity Services Engine is that out of the box, the administrator account expires after 45 days if the password is not changed during that time. The documentation says that if you have trouble logging in you should click the “Problem logging in?” link and use the default administrative user/pass. This is of course ridiculous and does not work.

Below are the steps for properly resetting an admin password and for changing the security policy so the lockout doesn't happen again.

Getting the WordPress TMAC and GASP Plugins to Play Nice

Two of the WordPress plugins I use on this site are Twitter Mentions as Comments and Growmap Anti Spambot Plugin. The first, TMAC, watches Twitter for any tweets that link to a post somewhere on this blog and submits those tweets as new comments on that particular post. GASP's job is to keep spammers from submitting spammy comments by placing a JavaScript-driven checkbox in the comment form. A user must check the box to confirm they are not a spambot before submitting their comment.

Both of these plugins are great and work really well on their own.

However, when both plugins are in use and TMAC submits a comment, GASP inspects the comment to see if the checkbox has been marked, finds that it hasn't been, and silently rejects the comment. (Aside: the exception is that if you are a logged-in user and you initiate a manual TMAC check, any new tweets will successfully pass through GASP.)

Configuring VRF-Lite on IOS and Junos

This post is going to provide a very basic introduction to configuring VRFs on Cisco IOS and Juniper's Junos. There are so many configuration combinations and options for virtual routing that it would be impossible to go through everything in great detail. At the end of the post I'll provide links to documentation where you can get more detail if you want it.

It's time we retire Authentication Header (AH) from the IPsec Suite!

Folks who think Authentication Header (AH) is manna from heaven need to read the Bible again. Thankfully you don't find too many such folks these days. But there are still some who thank Him every day for blessing their lives with AH. I dread getting stuck with such people in elevators — actually, I don't think I would like getting stuck with anybody in an elevator, but these are definitely the worst kind to get stuck with.

So let's start from the beginning.

IPsec, for reasons that nobody cares to remember now, decided to come out with two protocols – Encapsulating Security Payload (ESP) and AH, as part of the core architecture. ESP did pretty much what AH did, with the addition of providing encryption services. While both provided data integrity protection, AH went a step further and also secured a few fields from the IP header for you.

There are bigots, and I unfortunately met one a few days ago, who like to argue that AH provides greater security than ESP since AH covers the IP header as well. They parrot this since that's what most textbooks and wannabe CCIE blogs and websites say. Let's see if securing the IP header

How does Openflow and SDN help Virtualization/Cloud

Introduction to Software Defined Networking and OpenFlow

Often I hear the terms OpenFlow and Software Defined Networking used in many different contexts, ranging from solving something simple and useful to literally solving the world hunger problem (or fixing the world economy, for that matter). I often get asked to explain the various aspects of how OpenFlow is changing our lives. So here goes an explanation of the religion called OpenFlow (and Software Defined Networking) and the various ways it's manifesting itself in our day-to-day lives. Again, it's too much to write in one article, so I will make it a series of 3 articles. This one focuses on the protocol itself. The 2nd article will focus on how people are trying to develop it and some end-user perspective that I have accumulated in the last year or so. The last article in the series will discuss the challenges and what we are doing to help.

Value Proposition

The basic piece of OpenFlow is nothing more than a wire protocol that allows a piece of code to talk to another piece of code. The idea is that for a typical piece of network equipment, instead of logging in and configuring

Redundancy Protocols vs Stacking: Pros and Cons

I was recently asked whether or not I preferred to use a router redundancy protocol like HSRP, VRRP, or GLBP, or stack switches together to form a sort of “virtual router”, and use that for redundancy. Just like anything else, the immediate answer is “it depends”, but there are a few things to remember when considering a redundant design with your routers or Layer 3 switches. First, redundancy protocols can be found nearly everywhere.

Example Puppet 2.7 git pre-commit script

I had a hard time finding a decent pre-commit script for Puppet 2.7. This one is composed of snippets I found at code.seas.harvard.edu. The pre-commit script will check the Puppet syntax of the changed .pp files, and also check whether an attempt has been made to properly document the .pp file.


#!/bin/sh
#
# install this as .git/hooks/pre-commit to check Puppet manifests
# for errors before committing changes.

rc=0

# Allow the hook to be bypassed explicitly (SKIP_PRECOMMIT_HOOK=1 git commit ...).
[ "$SKIP_PRECOMMIT_HOOK" = 1 ] && exit 0

# Make sure we're at top level of repository; abort if that fails.
cd "$(git rev-parse --show-toplevel)" || exit 1

# Clean up the scratch files no matter how the hook exits.
trap 'rm -rf "$tmpdir" "$tmpfile1" "$tmpfile2"' EXIT INT HUP
tmpdir=$(mktemp -d precommitXXXXXX)
tmpfile1=$(mktemp errXXXXXX)
tmpfile2=$(mktemp errXXXXXX)

echo "$(basename "$0"): Validating changes."

# Here we copy files out of the index into a temporary directory. This
# protects us from the situation in which we have staged an invalid
# configuration using ``git add`` but corrected the changes in the
# working directory. If we checked the files "in place", we would
# fail to detect the errors.

# Only staged manifests (literal ".pp" suffix; the dot must be escaped
# or grep would also match names such as "apple" or "tmp.cpp").
git diff-index --cached --name-only HEAD |
grep '\.pp$' |
git checkout-index --stdin --prefix="$tmpdir/"

find "$tmpdir" -type f -name '*.pp' |
while read -r manifest; do
puppet

An Introduction to Layer 3 Traffic Isolation

All network engineers should be familiar with the method for virtualizing the network at Layer 2: the VLAN. VLANs are used to virtualize the bridging table of Layer 2 switches and create virtual switching topologies that overlay the physical network. Traffic traveling in one topology (i.e. VLAN) cannot bleed through into another topology. In this way, traffic from one group of users or devices can be kept isolated from other users or devices.

Traffic Isolation Using VLANs

VLANs work great in a Layer 2 switched network, but what happens when you need to maintain this traffic separation across a Layer 3 boundary such as a router or firewall?