Installing KVM, Libvirt and Open vSwitch on Fedora
In my NetOps to DevOps Training Plan I mentioned installing KVM, Libvirt and Open vSwitch. I did this a few weeks ago and documented it to produce this tutorial. My motivation was to replace my VMware environment at home with something Open Source. I am also a strong believer in "eat your own dog food" and as a lot of the work I am doing in the Open Source community centers around these 3 technologies, I should get used to using them every day...
Prerequsites
Before we get started, I'll assume that you already have a Fedora Minimal Installation that you are ready to work on...
Installing the packages
sudo yum install -y @standard @virtualization openvswitch
That was easy wasn't it!
@standard installs some useful utilities and @virtualization installs libvirt + KVM
I'm sure you can guess what openvswitch does.
Configuration
Now here comes the fun part!
Configure the services
# Disable NetworkManager
sudo systemctl stop NetworkManager.service
sudo systemctl disable NetworkManager.service
# Enable "Proper" Networking
sudo systemctl enable network.service
sudo systemctl start network.service
# Enable the Open vSwitch service
sudo systemctl enable openvswitch.service
sudo systemctl start openvswitch.service
Setting up Networking with Open vSwitch
Our Continue reading
Installing KVM, Libvirt and Open vSwitch on Fedora
In my NetOps to DevOps Training Plan I mentioned installing KVM, Libvirt and Open vSwitch. I did this a few weeks ago and documented it to produce this tutorial. My motivation was to replace my VMware environment at home with something Open Source. I am also a strong believer in "eat your own dog food" and as a lot of the work I am doing in the Open Source community centers around these 3 technologies, I should get used to using them every day...
Setting Up Overlays on Open vSwitch
Most “SDN” solutions involve overlays or at the least HW overlay gateways/ToR of some type. Some sell overlays terminating in hardware, others sell overlays terminating in the server. The encaps include standards like GRE, VXLAN and soon to be Geneve (Generic Network Virtualization Encapsulation: basically the good parts of the other encaps evolved). While none of these overlay networks should ......
Packet Capture in Diverse / Tunneled Networks?
(With the usual caveats that I am just a hick from Colorado, I don't know what I'm talking about, etc.)I just read Pete Welcher's superb series on NSX, DFA, ACI, and other SDN stuff on the Chesapeake Netcraftsmen blog, and it helped me think more clearly about a problem that's been bothering me for a long time: how do we do realistically scalable packet capture in networks that make extensive use of ECMP and/or tunnels? Here's a sample network that Pete used:
Conventionally, we place packet capture devices at choke points in the network. But in medium-to-large data center designs, one of the main goals is to eliminate choke points: if we assume this is a relatively small standard ECMP leaf-spine design, each of the leaf switches has four equal-cost routed paths through the spine switches, and each spine switch has at least as many downlinks as there are leaf switches. The hypervisors each have two physical paths to the leaf switches, and in a high-density virtualization design we probably don't have a very good idea of what VM resides on what hypervisor at any point in time.
Now, add to that the tunneling features present in hypervisor-centric Continue reading
Packet Capture in Diverse / Tunneled Networks?
(With the usual caveats that I am just a hick from Colorado, I don't know what I'm talking about, etc.)I just read Pete Welcher's superb series on NSX, DFA, ACI, and other SDN stuff on the Chesapeake Netcraftsmen blog, and it helped me think more clearly about a problem that's been bothering me for a long time: how do we do realistically scalable packet capture in networks that make extensive use of ECMP and/or tunnels? Here's a sample network that Pete used:
Conventionally, we place packet capture devices at choke points in the network. But in medium-to-large data center designs, one of the main goals is to eliminate choke points: if we assume this is a relatively small standard ECMP leaf-spine design, each of the leaf switches has four equal-cost routed paths through the spine switches, and each spine switch has at least as many downlinks as there are leaf switches. The hypervisors each have two physical paths to the leaf switches, and in a high-density virtualization design we probably don't have a very good idea of what VM resides on what hypervisor at any point in time.
Now, add to that the tunneling features present in hypervisor-centric Continue reading
Installing KVM, Libvirt and Open vSwitch on Fedora
In my NetOps to DevOps Training Plan I mentioned installing KVM, Libvirt and Open vSwitch. I did this a few weeks ago and documented it to produce this tutorial. My motivation was to replace my VMware environment at home with something Open Source. I am also a strong believer in "eat your own dog food" and as a lot of the work I am doing in the Open Source community centers around these 3 technologies, I should get used to using them every day...
Networking is a Service, and you are the Service Provider
The status quo approach to Networking is the biggest barrier to realizing the full potential of Virtualization and the private, public, or hybrid cloud. We must re-think how Networking *Services* are delivered, in a way that comports with automation, decoupling, pooling, and abstractions. I would argue, the solution is a more software-centric approach — Network […]Networking is a Service, and you are the Service Provider
The status quo approach to Networking is the biggest barrier to realizing the full potential of Virtualization and the private, public, or hybrid cloud. We must re-think how Networking Services are delivered, in a way that comports with automation, decoupling, pooling, and abstractions. I would argue, the solution is a more software-centric approach – Network Virtualization. But more importantly, we must re-think how we view Networking as a career skill set and the value we bring to an organization.
This was the message of two keynote talks I recently gave at the Sydney & Melbourne VMUG user conferences. The title of the talk was Three reasons why Networking is a pain in the IaaS, and how to fix it. I will share the slides and a brief summary of that talk in a subsequent post. But before I do that, please indulge me in a heart-to-heart chat from one long time Networking professional (me) to another (you):
I emphasize the word services because if you really think about it, that is what Networking really is – Networking is a Service. It always has been, and will always continue to be a service – a service that will always be needed. Continue reading
Networking is a Service, and you are the Service Provider
The status quo approach to Networking is the biggest barrier to realizing the full potential of Virtualization and the private, public, or hybrid cloud. We must re-think how Networking Services are delivered, in a way that comports with automation, decoupling, pooling, and abstractions. I would argue, the solution is a more software-centric approach – Network Virtualization. But more importantly, we must re-think how we view Networking as a career skill set and the value we bring to an organization.
This was the message of two keynote talks I recently gave at the Sydney & Melbourne VMUG user conferences. The title of the talk was Three reasons why Networking is a pain in the IaaS, and how to fix it. I will share the slides and a brief summary of that talk in a subsequent post. But before I do that, please indulge me in a heart-to-heart chat from one long time Networking professional (me) to another (you):
I emphasize the word services because if you really think about it, that is what Networking really is – Networking is a Service. It always has been, and will always continue to be a service – a service that will always be needed. Continue reading
Networking is a Service, and you are the Service Provider
The status quo approach to Networking is the biggest barrier to realizing the full potential of Virtualization and the private, public, or hybrid cloud. We must re-think how Networking Services are delivered, in a way that comports with automation, decoupling, pooling, and abstractions. I would argue, the solution is a more software-centric approach – Network Virtualization. But more importantly, we must re-think how we view Networking as a career skill set and the value we bring to an organization.
This was the message of two keynote talks I recently gave at the Sydney & Melbourne VMUG user conferences. The title of the talk was Three reasons why Networking is a pain in the IaaS, and how to fix it. I will share the slides and a brief summary of that talk in a subsequent post. But before I do that, please indulge me in a heart-to-heart chat from one long time Networking professional (me) to another (you):
I emphasize the word services because if you really think about it, that is what Networking really is – Networking is a Service. It always has been, and will always continue to be a service – a service that will always be needed. Continue reading
Wi-Fi Tools
A good engineer takes pride in his tools.As with many things in IT, there are many options to choose from and most work equally well provided the engineer has a thorough understanding of how to use them. I happen to use and prefer the following tools, but your taste may be different. Use what you like and know as long as it gets the job done.
Items with an asterisk are my preferred tools for each category.
Information Gathering:
*AirMagnet Wi-Fi Analyzer Pro
*MetaGeek inSSIDer
Fluke AirCheck
Ekahau HeatMapper (Free)
Xirrus Wi-Fi Inspector
WiFi Scanner (Mac)
Kismet (Linux)
Predictive Site Surveys:
*Cisco Wireless Control System (WCS)
AirMagnet Planner
Ekahau Site Survey
Motorola LANPlanner
Aerohive Wi-Fi Planner (online - Free)
Post-Installation Site Surveys:
*AirMagnet Survey Pro
Ekahau Site Survey
TamoSoft TamoGraph Site Survey
Veriwave WaveDeploy
Protocol & Roaming Analysis:
*WildPackets OmniPeek
*MetaGeek Eye P.A. (protocol visualization)
*Wireshark with CACE AirPcapNx and Wi-Fi Pilot (now Riverbed Cascade Pilot Personal Edition)
Wireshark with Atheros Adapter (Linux)
AirMagnet Wi-Fi Analyzer Pro with multi-adapter kit
AirMagnet VoFi Analyzer
TamoSoft CommView for Wi-Fi
Spectrum Analysis:
*MetaGeek WiSpy DBx Continue reading
Weighing AWS VPN Options
Earlier this week, a client asked for some assistance in building a VPN from their corporate office to Amazon Web Services for a project they were doing. I’ve done this a few times before, a few different ways, so I proceeded to give my client some pros and cons of the two most common methods I’ve used. After putting that analysis together, I realized it could be helpful for others so here it is (with the addition of a few snazzy diagrams!).
This post is not meant to be a treatise on AWS connectivity, just a quick analysis with some (maybe) little-considered effects of a given design choice. Amazon documents several other recipes which are, of course, valid in various circumstances. Note that I don’t have any examples of configuration. The AWS documentation pages have very thorough configuration examples for each design.
Option 1
Build the VPNs off the Internet routers themselves. Route AWS traffic in to the corporate network through the firewall. In an ideal world, you’d probably dedicate some routers for this purpose, but I’ve never had anyone do that. We’re talking about a LAN-to-LAN VPN, here; one doesn’t commonly deploy totally dedicated infrastructure for each new Continue reading
HP Comware-based Switches – Configuring filters for BPDU (bpdu-filtering)
The Spanning-tree protocol sends messages every two second in order to keep the LAN stability, protecting the topology from physical loops (blocking the logical loop) and providing high availability in case of any switch fail.
For that matter, the Switches exchange messages called BDPUs which are utterly important for the correct functioning of the network described as above.
There are scenarios when is necessary to deactivate the protocol within a specific interface, utilizing other protocols and features of high availability such as RRPP, Smart-Link, Monitor-Link, etc or when also the Switch needs to transport the information in tunnel form (transparent), for example, QinQ.
In client-sharing environments, it is not recommended that the network alteration be advised for all Swtiches that do not belong to that particular network and have the same Switch in common, for example, Service Provider and Data Center.
The main question in this scenario of BPDU filtering is to certify that the network does not have any sort of loop that can cause a disaster for the Network Engineer’s project.
Certifying those questions, the HP Comware based Switches carry the following commands, that may help finding a solution:
Interface gigabitethernet 1/0/1 stp disable ! Deactivating STP only on Continue reading
ONS2014 SDN Idol finalist demonstrations
The video of the ONS 2014 SDN Idol final demonstrations has been released (the demonstrations were presented live at the Open Networking Summit on Monday, March 3, 02:30P - 04:00P).
The first demo presented is Real-time SDN Analytics for DDoS mitigation, a joint Brocade / InMon solution that combines real-time sFlow analytics and OpenFlow with SDN so that service providers can deliver large scale distributed denial of service (DDoS) attack mitigation services to their enterprise customers using their existing network infrastructure. DDoS mitigation is particularly topical, two weeks ago, a large attack was targeted at CloudFlare, DDoS Attack Hits 400 Gbit/s, Breaks Record, and this past week, Meetup.com has been hit with a large persistent attack, Meetup Suffering Significant DDoS Attack, Taking It Offline For Days. The SDN DDoS mitigation solution can address these large attacks by leveraging the multi-Terabit, line-rate, monitoring and filtering capabilities in the network switches.
ONS2014 Announces Finalists for SDN Idol 2014 provides some sFlow related trivia relating to the finalists.An expert panel of judges selected the finalists:
Slovak Air Force MiG-29 with 2008 Digital Camoflage, 1/48
For best article visual quality, open Slovak Air Force MiG-29 with 2008 Digital Camoflage, 1/48 directly at NetworkGeekStuff.
I am failing to find words to describe this very beautiful 1/48 scale model, but this one is simply very special for me. First reason is that as a Slovak national, it was very enjoyable to be able to build this majestic plane. Second reason is that I was able to finally incorporate proper pre-shading technique along with manually painted (with painfully detailed masking) of the digital camouflage pattern this plane uses. The painting of this one actually took me two weeks of work every evening (yes, I have full time job, so that is the best I can have). Because this plane is so special for me , I will also make this article a little bit different as well. So this time it will not be only a simple few picture gallery, but I will actually go a little bit over the construction right after that.
MiG-29AS in Slovak Air Force
(super quick history)
Slovak Air Force MiG29 – plane number #0921
The Mikoyan MiG-29 (Russian: Микоян МиГ-29; NATO reporting name: “Fulcrum“) is a fourth-generation jet fighter Continue reading
Network Flavors in OpenDaylight
OpenStack uses the concept of flavors to define compute/storage configurations that vary in terms of resource consumption. When we start to consume the network as a resource pool, we need a similar concept. This post explains how this is achieved in the context of the Flavors application in the OpenDaylight project
Fallacies of Distributed Computing
If you haven't read the Fallacies of Distributed Computing you should. Specifically points 2 and 3.
2) Latency is Zero 3) Bandwidth is Infinite
The truth is that not all networks are created equally. We may have some pools of 2:1, 4:1, 8:1 oversubscribed fabric. We may links between data centers at varying bandwidths and costs to the business.
In a cloud network, we can increase our ROI by charging out portions of the network based on their actual cost to the business, but to do this we need to model the network appropriately. Applications also need to consume networking in an abstract way, and the concept of using Flavors as this abstraction is an interesting prospect.
Problem Statement
The problem is that todays cloud networking solutions (OpenDaylight included) are based on "Overlay Networks". The Overlay Network solution only assumes L3 reachability between tunnel endpoints Continue reading
Network Flavors in OpenDaylight
OpenStack uses the concept of flavors to define compute/storage configurations that vary in terms of resource consumption. When we start to consume the network as a resource pool, we need a similar concept. This post explains how this is achieved in the context of the Flavors application in the OpenDaylight project
Network Flavors in OpenDaylight
OpenStack uses the concept of flavors to define compute/storage configurations that vary in terms of resource consumption. When we start to consume the network as a resource pool, we need a similar concept. This post explains how this is achieved in the context of the Flavors application in the OpenDaylight project
Changing Your MAC Address Using Macchanger
Macchanger is a free utility used to change the MAC address of the network adapter. Macchanger can randomly assign a MAC address or assign a specific MAC address of your choosing.
Usage
There are several instances changing the MAC address is necessary, but I use the utility while pentesting a wireless network with MAC filtering enabled and have to assign an approved MAC address to the wireless adapter.
Install
The Macchanger utility is included with Kali Linux, but to install the application, update it, or verify your using the most up to date version run the following command. In the screen shot that follows the install command confirms that the newest version is already installed.
#apt-get install macchanger
Help
Help with Macchanger can be accessed by running the following two commands.
#macchanger --help #man macchanger
Assign a Random MAC Address
I’m using an Alfa USB wireless adapter and I will run the following commands to verify the adapters interface and the permanent MAC address.
#ifconfig #ifconfig wlan1
Macchanger can also be used to verify the manufacture burned in MAC address by running the following command.
#macchanger--show wlan1
Change the MAC address using one of the following commands.
#macchanger -r Continue reading
3Com / H3C / HP Comware based Switches – Edged-port + BPDU Protection
Today we’ll comment on the two features that work as a complement to the Spanning-Tree. The edged-port command gathers many benefits to the STP, for example, the timeout prevention concerning the DHCP process. As for the bpdu-protection, it prevents loop in the “edged” configured ports within the network via HUBs, “Switches HUB”, etc.
Edged-port
The edged-port feature allows the interface to skip the Listening and Learning states of the Spanning-Tree Protocol, setting the ports into the Forwarding state immediately. The STP’s configuration edged-port enable, forces the interface to ignore the convergence states of the STP, including the notification of topology change messages (TCN messages).
The command must be applied to the access ports connected to servers, workstations, printers, etc.
Configuration
[Switch]interface gigabitethernet 1/0/1 [Switch-GigabitEthernet1/0/1]stp edged-port enable [Switch-GigabitEthernet1/0/1]quit [Switch]interface gigabitethernet 1/0/2 [Switch-GigabitEthernet1/0/2]stp edged-port enable [Switch-GigabitEthernet1/0/2]quit
PS: When a port is configured as a edged-port receives a BPDU, the interface will return to participate on the STP like any other interface.
PS:An Edged-port send BPDUs normally. The edged-port feature is also known as Portfast.
BPDU Protection
The utilization of the edged-port feature is restricted to ports connected to the final equipment such as servers and workstations. Continue reading