my Cisco Live 2013 US program
Once again I'll be attending Cisco Live 2013 in the United States. This year it's in Orlando, Florida. Below is my tentative schedule although there were some overlap with a few other session that I would have liked to attend. Hope to see a lot of the people I've met at previous Networkers and Lives there too :-)This is my schedule. There are many like it but this one is mine.
Monday
- BRKOPT-2106 DWDM 101
- BRKNMS-2517 Operations Architecture
- BRKCOM-3003 UCS Ethernet Troubleshooting of the uplinks to the Data Center LAN Switches
Tuesday
Wednesday
Thursday
- BRKOPT-2117 High Speed WAN Interconnections - Evaluating existing and emerging technologies
- GENKEY-1295 KEYNOTE: Tomorrow Starts Here
- BRKARC-3470 Cisco Nexus 7000 Switch Architecture
- BRKRST-3321 Scaling BGP
Wednesday
- BRKARC-3472 NX-OS Routing & Layer 3 Switching
- GENKEY-1296 KEYNOTE: Unlocking the Value of Innovation
- BRKSPG-2904 ASR-9000/IOS-XR hardware Architecture, QOS, EVC, IOS-XR Configuration and Troubleshooting
- BRKARC-3453 Nexus 6000 - Architecture of the next-generation Switch for
Thursday
- BRKRST-3371 Advances in BGP
- BRKOPT-2116 High Speed Data Networks - 40G, 100G & Beyond
- BRKSPG-2333 Securing Cisco ASR 9000 Routers
- GENKEY-1297 Celebrity Closing Keynote
- BRKSPG-2905 ISSU on high-end routers
Show 142 – Huawei – End to End SDN Strategy – Sponsored
SDN innovation has been primarily focused on the data center where centralized network programmability has been shown to be capable of providing many benefits to the complex and dynamic (on-demand) data center environment. Service provider networks will also benefit from SDN. Traversing a service provider network involves crossing different network types, technologies, layers and administrative domains. SDN solutions, including OpenFlow’s programmatic control, will provide capabilities unique to these service provider technologies. Huawei presents an architecture that expands SDN into multiple, task specific, controllers and domains and extends networking control across all of the service provider network dimensions.
Author information
The post Show 142 – Huawei – End to End SDN Strategy – Sponsored appeared first on Continue reading
Protecting the BGP Session with MD5 Authentication
This post represents the solution and explanation for quiz-9. There are some challenges to allow an authenticated MD5 BGP session via a firewall, involving TCP Options. Let's see what happens!
Looking at the spamhaus DDOS from a BGP perspective
It’s been a busy week for network engineers world wide, rerouting around broken optical links and of course the 300Gb/s DDOS attack towards Spamhaus and Cloudflare. This DDOS has been classified as the largest DDOS attack ever recorded and has been written about quite a bit in mainstream media.
There’s been a bit of discussion about how much this DDOS actually slowed down the Internet globally. Fact is that the Internet didn’t come to a halt but the large amount of new traffic that had to be handled by some of the carriers did result in congestion and significant packet loss by some of the Tier1 carriers last weekend. In this blog post we’ll look at this event from the routing perspective, what effects did this have on the Internet Exchanges and we’ll also look at some BGP hijacks related to this attack.
BGP hijack affecting Spamhause
The majority of the attack towards SpamHaus and cloudflare was a brute-force DDOS of attack. But in an attempt to affect spamhause services different techniques were used, one of them was a BGP hijack by the alleged initiator of the attack. Greenhost.nl has a great description on their blog about how AS34109 Continue reading
Complete wipe of a cisco switch configuration
Anyone who learns how to use Cisco IOS CLI knows how to erase a switch to delete the configuration. So this blog will not teach how to erase a switch. What I intend to do is share two screen shots that can help make network admins more cautious when deleting the switch configs, to adhere to security best practice policies.
Consider a scenario when you need to decommission your switches. You don't want to keep the config on the switch, including the VLANs, so you do a write erase and reload the switch, thinking you've deleted everything. This is not always true. You must check the onboard nvram flash on the switch to look for configuration files. If you find a configuration file (a .text file), check that file content with a 'more flash:filename.text' command.
When you do a 'wr er' on a switch you think you've deleted all configs. Look at the following screenshot.
Notice how the private-config.text.backup and config.text.backup files still exist. A 'wr er' will only delete the 'private-config.text' and 'config.text' files. If these files are renamed, the 'wr er' does not delete the renamed files.
So, Continue reading
Friday Distraction: Who’s Leaking >/24 to Global BGP?
[It occurred to me after finishing this that I should have done everything based on ASN, but play time is over for the day...]An interesting conversation with my friend @denise_donohue led to this question: what providers are leaking prefixes longer than /24 to the global Internet?
Following my continuing theme of "fun stuff you can do by combining IOS and Bash", I ran a two step process via one of my BGP routers to get the answer:
$ ssh routername 'show ip bgp prefix-list GT24' > /tmp/gt24.txt
$ grep "^*" /tmp/gt24.txt | awk '{print $1}' | sed 's/*>i//g' | awk -F. '{OFS=".";print $1,$2 ".0.0"}' | sort -u | xargs -i whois {} | grep netname | sort -u
Here's the breakdown:
Extract just valid BGP prefixes from the router output:
grep "^*" /tmp/gt24.txt | awk '{print $1}'
Extract just the prefix itself and substitute ".0.0" for the last two octets, normalizing to the parent /16, then remove duplicates:
| awk '{print $1}' | sed 's/*>i//g' | awk -F. '{OFS=".";print $1,$2 ".0.0"}' | sort -u
Send those prefixes one-by-one to the "whois" command, extract the "netname" field, Continue reading
Healthy Paranoia Show 11: Bro – the Outer Limits of IDS
Join Mrs. Y, Taylor Banks and esteemed Nerd Captain Ivan Pepelnjak for another exciting episode of Healthy Paranoia! In this installment, we discover the day the security industry stood still for Bro IDS with expert and project contributor Liam Randall. Just a few of the fun facts you’ll learn include: The real meaning of “bromance.” […]
Author information
The post Healthy Paranoia Show 11: Bro – the Outer Limits of IDS appeared first on Packet Pushers Podcast and was written by Mrs. Y.
A Small Yellow Wooden Door: Thinking Practically About SDN
As I do most days, I took a walk in the woods at the back of my garden after a hearty dinner. I was quite surprised to come across a small wooden yellow door I’d never seen before, set into the trunk of a tree I’d never noticed until today. I opened the door and squeezed […]
Author information
The post A Small Yellow Wooden Door: Thinking Practically About SDN appeared first on Packet Pushers Podcast and was written by Steven Iveson.
PQ Show 23 – OpenFlow and SDN – ONF Testing & Interoperability with Michael Haugh
In this show we speak with Michael Haugh, the chairperson of Testing and Interoperability Working Group https://www.opennetworking.org/working-groups/testing-a-interop at the Open Networking Foundation. Michael is a Senior Product Line Manager and oversees Ixia’s Carrier Ethernet go-to-market strategy and product line on the Ixia core and IxN2X platforms. Michael has been in networking for 17 years and […]
Author information
The post PQ Show 23 – OpenFlow and SDN – ONF Testing & Interoperability with Michael Haugh appeared first on Packet Pushers Podcast and was written by Greg Ferro.
Handling Tech Support Interaction Effectively
Network engineers deal with technical support frequently. That’s the nature of the networking business: the products often don’t work as advertised or break down under their own complexity. Throw in some ambiguous documentation that leaves you scratching your head, and you’ll finally resort to opening a case with the vendor to resolve the issue. In […]
Author information
The post Handling Tech Support Interaction Effectively appeared first on Packet Pushers Podcast and was written by Ethan Banks.
Data Center design constraints
Designing a data center network with nexus switches involves virtual port channels (vPC), fabric extenders (FEX) and at times virtual device contexts (VDC). In this blog, we will take a look at some design constraints faced when dealing with the following hardware:
Cisco Nexus 7000 series switches
Cisco 2000 FEX
Cisco F2 series line cards
Cisco M1/2 series line cards
1. vPC/FEX
The biggest difference between a 7K switch and a 5K switch is the ability to configure enhanced vPC and dual home FEX to two parent 5K switches. The reason you need enhanced vPC is because you can dual home a end host (server/PC) to two separate FEX and dual home the FEX to two separate parent 5K switches.
You CANNOT dual home FEX to two separate 7K switches YET. Cisco does not support this feature in NX-OS. So if you have a design where you want to connect a single attached device (server/PC) to a pair of 7K switches, you either connect the device to the primary vPC peer switch or connect a catalyst switch like a 3750 and vPC it to both 7K switches. But again, what are the chances of a 3750 failing over a Continue reading
Cisco Nexus 7K ISSU features
Cisco Nexus 7000 ISSU
In this blog, we will look at some features of an In Service Software Upgrade (ISSU) on a Cisco Nexus 7009 switch. This blog does not walk you though each step in the ISSU process, but tries to focus on certain intervals in the ISSU process that might be worth a second glance.
In this blog, we will look at some features of an In Service Software Upgrade (ISSU) on a Cisco Nexus 7009 switch. This blog does not walk you though each step in the ISSU process, but tries to focus on certain intervals in the ISSU process that might be worth a second glance.
The switch was upgraded from 6.0(4) to 6.1(3) because only 6.1(3) supports host vPC to two upstream 7K switches.
It is important to note, that in a HA pair of two 7K switches, if you're performing an ISSU on switch 1, you should not perform ISSU on switch 2. That defeats the purpose of HA because switch 1 assumes switch 2 is now the primary vPC peer, since switch 1 is in the process of upgrading and will require reloading its supervisor engines (one at a time).
In spite of this, if you still perform an ISSU on switch 2, while switch 1 is being upgraded, the upgrade check will complete on switch 2, but the system will prompt an error stating switch 1 is going through an upgrade so switch 2 cannot be upgraded. This little thing might go Continue reading
Quiz #11 – NAT both Source and Destination
Your company makes a new contract with a Partner Company for a new research project. To provide network connectivity, NAT is being configured on your side but something does not work as desired. What is it?
Dealing with Corrupt Opegear Firmware
It was inevitable. Now that I'm proudly compiling my own cellular router firmware, I'm also becoming familiar with the process of recovering from corrupt firmware.I'm using an Ubuntu VM (described in the previous post) running in my MacBook for recovery purposes.
The Opengear instructions for recovering from bad firmware suggest that holding down the reset button is required, but I find that my router attempts to load firmware from the network no matter what. Maybe that's because I've wiped out my configuration? <- Update: yes, this seems to be the case. I haven't nailed it down exactly, but my router doesn't try to netboot every time.
Here's how I'm using that Ubuntu VM:
Required Packages
sudo apt-get install -y tftpd-hpa dhcp3-server
Recovery Software Image
cd /var/lib/tftpboot
sudo wget ftp://ftp.opengear.com/release/recovery/ACM500x_Recovery.flash
Configure DHCP Service
sudo cp /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.orig
cat > /tmp/foo << EOF
option domain-name "opengear-recovery.com";
option subnet-mask 255.255.255.0;
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.200 192.168.0.253;
}
host myopengear {
hardware ethernet 00:13:C6:xx:xx:xx;
fixed-address 192.168.0.10;
filename "ACM500x_Recovery.flash";
The Software-Defined Nerds of Tomorrow
This is one of my favorite times of the year. Despite the terrible weather that Ohio usually affords the month of March, I brave the wet cold and return to my alma mater for this year’s round of senior presentations. During the five-year IT program, students are required to learn just about anything and everything you can imagine in IT. This ranges from software development of all kinds, database administration, systems administration, network services and even pure route/switch.The Software-Defined Nerds of Tomorrow
This is one of my favorite times of the year. Despite the terrible weather that Ohio usually affords the month of March, I brave the wet cold and return to my alma mater for this year’s round of senior presentations. During the five-year IT program, students are required to learn just about anything and everything you can imagine in IT. This ranges from software development of all kinds, database administration, systems administration, network services and even pure route/switch.The Man in the White Suit
I know this is a technical blog, but I’ve always agreed with those that believe the best way to deliver a message is through a story. As imaginative and creative as I feel I can sometimes be, writing fiction just isn’t one of my strong points. So, rather than tell you an original story of my own I’m going to relate […]
Author information
The post The Man in the White Suit appeared first on Packet Pushers Podcast and was written by Steven Iveson.
IDP – FN, TN, TP, FP
I have talked with a few security administrators that seem to struggle with the understanding of FN, TN, FP, TP. I have decided to try to create a simple method to remember.True/False = This either CORRECTLY or INCORRECTLY identifies an attack
Positive/Negative = This performs and event that takes an ACTION or is ACTION-LESS
True Positive (TP) - A legitimate attack (CORRECTLY) which triggers an IDP to produce and alarm/alert or mitigate the risk (ACTION)
False Positive (FP) - An IDP believes there is an attack taking place (INCORRECTLY) and produces an alarm/alert or mitigates the risk (ACTION).This can cause disrupt legitimate traffic and flood your IDP with alerts drowning real alerts that may be taking place. Some traffic that may cause false positives include:
- Legitimate applications that do not follow RFC's
- Legitimate traffic in one part of an organization that may not follow normal behaviors in another part of the organization causing alerts.
- Signatures that we written poorly and identify both legitimate and illegitimate traffic.
False Negative (FN) - There is an attack that has NOT been identified (INCORRECTLY) and no alarm/alert/mitigation was raised (ACTION-LESS). This causes a false sense of security. This can be caused for a variety Continue reading
When Am I Going to Use This?
I imagine that prior to the industrial revolution, people didn’t struggle with niche skillsets that didn’t transfer. They didn’t need to wonder if they were spending countless hours learning something with no particular use outside their current job, listen to well-meaning friends and spouses assure them they’re worrying about nothing, only to face a layoff […]
Author information
The post When Am I Going to Use This? appeared first on Packet Pushers Podcast and was written by Keith Tokash.
Show 141 – The Pace of Change Is Picking Up – #NFD5 Discussion
Greg Ferro and Ethan Banks of PacketPushers.net host a discussion with Dr. Peter Welcher, Brent Salisbury, and Stephen Foskett about many of the presentations from the Network Field Day 5 event held March 6-8, 2013 in San Jose, California. The leading podcast topic was software defined networking, as that was the vendor focus during the […]
Author information
The post Show 141 – The Pace of Change Is Picking Up – #NFD5 Discussion appeared first on Packet Pushers Podcast and was written by Ethan Banks.