The Software-Defined Nerds of Tomorrow
This is one of my favorite times of the year. Despite the terrible weather that Ohio usually affords the month of March, I brave the wet cold and return to my alma mater for this year’s round of senior presentations. During the five-year IT program, students are required to learn just about anything and everything you can imagine in IT. This ranges from software development of all kinds, database administration, systems administration, network services and even pure route/switch.The Man in the White Suit
I know this is a technical blog, but I’ve always agreed with those that believe the best way to deliver a message is through a story. As imaginative and creative as I feel I can sometimes be, writing fiction just isn’t one of my strong points. So, rather than tell you an original story of my own I’m going to relate […]
Author information
The post The Man in the White Suit appeared first on Packet Pushers Podcast and was written by Steven Iveson.
IDP – FN, TN, TP, FP
I have talked with a few security administrators that seem to struggle with the understanding of FN, TN, FP, TP. I have decided to try to create a simple method to remember.True/False = This either CORRECTLY or INCORRECTLY identifies an attack
Positive/Negative = This performs and event that takes an ACTION or is ACTION-LESS
True Positive (TP) - A legitimate attack (CORRECTLY) which triggers an IDP to produce and alarm/alert or mitigate the risk (ACTION)
False Positive (FP) - An IDP believes there is an attack taking place (INCORRECTLY) and produces an alarm/alert or mitigates the risk (ACTION).This can cause disrupt legitimate traffic and flood your IDP with alerts drowning real alerts that may be taking place. Some traffic that may cause false positives include:
- Legitimate applications that do not follow RFC's
- Legitimate traffic in one part of an organization that may not follow normal behaviors in another part of the organization causing alerts.
- Signatures that we written poorly and identify both legitimate and illegitimate traffic.
False Negative (FN) - There is an attack that has NOT been identified (INCORRECTLY) and no alarm/alert/mitigation was raised (ACTION-LESS). This causes a false sense of security. This can be caused for a variety Continue reading
When Am I Going to Use This?
I imagine that prior to the industrial revolution, people didn’t struggle with niche skillsets that didn’t transfer. They didn’t need to wonder if they were spending countless hours learning something with no particular use outside their current job, listen to well-meaning friends and spouses assure them they’re worrying about nothing, only to face a layoff […]
Author information
The post When Am I Going to Use This? appeared first on Packet Pushers Podcast and was written by Keith Tokash.
Show 141 – The Pace of Change Is Picking Up – #NFD5 Discussion
Greg Ferro and Ethan Banks of PacketPushers.net host a discussion with Dr. Peter Welcher, Brent Salisbury, and Stephen Foskett about many of the presentations from the Network Field Day 5 event held March 6-8, 2013 in San Jose, California. The leading podcast topic was software defined networking, as that was the vendor focus during the […]
Author information
The post Show 141 – The Pace of Change Is Picking Up – #NFD5 Discussion appeared first on Packet Pushers Podcast and was written by Ethan Banks.
Testing AAA Authentication with ACS – Part 1
Confirming that local authentication on the switch and ACS is working after you finished your configuration perform the following:Run the "test" command on the switch
sw1#test aaa group tacacs+ ro PASSWORD legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.
sw1#test aaa group tacacs+ admin99 PASSWORD legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User authentication request was rejected by server.
Even though the second attempt was rejected it still confirms that ACS rejected the request and is fully operational.
Step 1. Lets have a look at the ACS server. Once logged in navigate to "Monitoring and Reports" and click "Launch Monitoring and Report Viewer"
Step 2. A new window pops up. Navigate to "Reports", "Catalog", and click "AAA Protocols".
Step 3. On the right pain under reports click "TACACS Authentication. As you can see the first 2 entries correlate to what was seen on the switch. A pass and a fail.
Step 4. Lets look at some more details by clicking the magnifying glass under details. Lets look at the authentication that passed. As you can see there is alot of details. The big thing here is the "Status"
Step 5. Lets look Continue reading
MPLS LDP-IGP Synchronization
This post represents the solution and explanation for quiz-8. Adding a new link into the MPLS cloud created an outage for the customer. Read to understand how LDP-IGP Synchronization might help.
Firewalls: Expensive, Broken Routers
In a previous post on IPS, I made a fairly negative comment on the value that you get from enterprise firewalls in the modern environment. At the time, I said that I was just going leave that comment hanging and see what happened. Well, precisely no one challenged me on it, which means either everybody […]
Author information
The post Firewalls: Expensive, Broken Routers appeared first on Packet Pushers Podcast and was written by Neil Anderson.
Using IP SLA Delay Feature to Safely Monitor Lossy Links
IP SLA is a great feature if you want to add some automation and intelligence into the network. SLA is no SDN/OpenFlow, but it can be very useful. It can also take down a network. Let’s say you are using DMVPN for a number of spoke locations in your network. You have a primary Internet […]
Author information
The post Using IP SLA Delay Feature to Safely Monitor Lossy Links appeared first on Packet Pushers Podcast and was written by Charles Galler.
Compiling Firmware for Opengear ACM5000
Opengear gave me two ACM5000 units as a part of my attendance at Network Field Day 4 in October of last year. The gift has not influenced my opinion of the company nor their product: I continue to think they're a bunch of amazingly clever people, and that they make the best out-of-band access equipment on the market. I recommend them without hesitation nor reservation.I've been waiting anxiously for the release of the Custom Development Kit (CDK) based on release 3.6 code, and it's finally out. The README that comes with the CDK is a bit dated, and not super easy to follow, so I'm sharing my notes on rolling custom firmware here.
I started with Ubuntu 12.04.2 Server i386 installed inside VMware Fusion on my MacBook. I pretty much took the defaults, allowing VMware to manage the install for me (how cool is this feature?)
Remote Access
Pretty soon I was looking at an Ubuntu login prompt in the VMware console, I logged in and then did:
sudo apt-get -y update
sudo apt-get -y upgrade
sudo apt-get -y install openssh-server
ifconfig eth0
Downloads
Now I could log in via SSH, so I was done Continue reading
Weird NX-OS stuff
Some weird NX-OS stuff!
For enabling 'FEX' feature on the Nexus 7K switches, following steps are required:
config t
vdc Production
install feature-set fex
feature-set fex
Wonder why FEX cannot be enabled by entering feature fex or feature-set fex on the switch.
When you do a 'show feature', FEX shows up as disabled. On a 'show feature-set', FEX shows up as enabled.
After configuring an interface as a fex-fabric mode,
Cisco developed two commands on NX-OS to do the same thing. Define a hostname for the switch. 'switchname' and 'hostname'.
No feedback really required here. Boring post. I could just delete it. Naah I'll keep it. Peace m/.
Nexus 7000 vPC configuration
vPC configuration on a pair of NX7K switches
For a pair of Nexus 7009 switches running NX-OS 6.0(4), configuring vPC (virtual Port Channel) was an easy breezy task. In a few minutes and less than 15 commands, the two switches stood up as a vPC pair. There are 3 non default VDCs and each VDC has its own vPC domain, vpc peer-links and vpc peer-keepalive links. Cisco recommends each VDC has its own unique vPC domain ID. The port-channel ID need not be unique across the VDCs. Also, vPC will not work if port-channel members are interfaces allocated to separate VDCs.
On the CLI, switch to the non default VDC.
Each feature needs to be enabled on individual VDCs. Simply enabling it on the admin VDC does not propagate the features to the non default VDCs. For vPC, we need link aggregation control protocol for port-channel load-balancing (LACP) and the vPC feature.
feature lacp
feature vpc
The two switches need to exchange heartbeats to maintain a vPC role over the vPC keep alive links. Cisco recommends this traffic must be isolated to a VRF. If we do not specify a VRF for the keep alive link, by default Continue reading
VPN-IPSEC
Its been a while but I am going to try to post weekly.Here is a sample configuration for IPSEC VPN between in 2 routers.
Note: 172.16.1.X/32 are loopback interfaces.
R1
Define IKE Phase 1 Policy (ISAKMP)
(config)#crytpo isakmp policy 10
(config-isakmp)#encryption aes 256
(config-isakmp)#authentication pre-share
(config-isakmp)#hash sha
(config-isakmp)#group 2
Define pre-shared key
(config)#crypto isakmp key 0 $pass@word$ address 192.168.1.2
Define IKE Phase 2 Policy (IPSEC)
(config)#crypto ipsec transform-set TRANS-R1-R2 esp-aes 256 esp-sha-hmac
Create ACL to match interesting traffic
(config)#access-list 150 permit ip 172.16.1.1 0.0.0.0 172.16.1.2 0.0.0.0
Create Crypto Map
(config)#crypto map VPN-MAP-R1-R2 10 ipsec-isakmp
(config-crypto-map)#set peer 192.168.1.2
(config-crypto-map)#set transform-set TRANS-R1-R2
(config-crypto-map)#match address 150
Apply Cypto Map to Interface
(config)#interface fas0
(config-if)#crypto map VPN-MAP-R1-R2
Create a route
(config)#ip route 172.16.1.2 255.255.255.255 fas0
R2
Define IKE Phase 1 Policy (ISAKMP)
(config)#crytpo isakmp policy 10
(config-isakmp)#encryption aes 256
(config-isakmp)#authentication pre-share
(config-isakmp)#hash sha
(config-isakmp)#group 2
Define pre-shared key
(config)#crypto isakmp kep 0 $pass@word$ address 192.168.1.1
Define IKE Phase 2 Policy (IPSEC)
(config)#crypto ipsec transform-set TRANS-R1-R2 esp-aes 256 esp-sha-hmac
Create ACL to match interesting Continue reading
IPv6 Next-Hop Best Practices
The concept of a link-local address is new to some, seeing as the term is not widely talked about in IPv4 circles, despite the fact that some folks see them daily. In IPv4, the range 169.254.1.0 through 169.254.254.255 has been reserved for this purpose. You may see this in the “ipconfig” output of a windows host that failed to pull a DHCP address. In IPv6, fe80::/10 is reserved for this purpose, though link-local addresses are always configured with a fe80::/64 prefix.IPv6 Next-Hop Best Practices
The concept of a link-local address is new to some, seeing as the term is not widely talked about in IPv4 circles, despite the fact that some folks see them daily. In IPv4, the range 169.254.1.0 through 169.254.254.255 has been reserved for this purpose. You may see this in the “ipconfig” output of a windows host that failed to pull a DHCP address. In IPv6, fe80::/10 is reserved for this purpose, though link-local addresses are always configured with a fe80::/64 prefix.Surprised by Spam
I attended my first in person meeting of the ISOC Advisory Council this last week — I’m a newly minted co-chair, and already haven’t been participating as much as I should (just like I don’t blog here as much as I should, a situation I’m undertaking to resolve!). We had a long discussion on the […]
Author information
The post Surprised by Spam appeared first on Packet Pushers Podcast and was written by Russ White.
IPv6 Host Networking and Insomnia
I’ve been running IPv6 on my home network for a while. The solution in place has evolved over time, from terminating tunnels to a linux VM using gogo6 all the way to front-ending with a Cisco ISR using Hurricane Electric, the goal has always been the same - to practice what I preach. Running IPv6 at home and REFUSING to turn it off when problems arise is one of the best ways to learn the protocol.IPv6 Host Networking and Insomnia
I’ve been running IPv6 on my home network for a while. The solution in place has evolved over time, from terminating tunnels to a linux VM using gogo6 all the way to front-ending with a Cisco ISR using Hurricane Electric, the goal has always been the same - to practice what I preach. Running IPv6 at home and REFUSING to turn it off when problems arise is one of the best ways to learn the protocol.Juniper PTX3000 – thin is in…
Juniper just launched the PTX3000, which has some nice features – such as being small enough to be installed by one technician, and pushing 0.5Gbps per cubic inch. The thing is, we still can’t work out who is going to buy these things…
Anywhoo, here’s the info on the Juniper website, with a nice side-view so you can marvel at its 10 inches:
Six Things About F5 BIGIP v11 iApps
F5 Networks’ Local Traffic Manager (LTM) is my load balancer – okay, Application Delivery Controller, if you insist – of choice. The LTM platform is as feature-rich and well-supported as they come, with all sorts of customizability as well as the iRule scripting language (a superset of TCL) that lets you do fancy transaction manipulation. […]
Author information
The post Six Things About F5 BIGIP v11 iApps appeared first on Packet Pushers Podcast and was written by Ethan Banks.