Redundancy Protocols vs Stacking: Pros and Cons
I was recently asked whether or not I preferred to use a router redundancy protocol like HSRP, VRRP, or GLBP, or stack switches together to form a sort of “virtual router”, and use that for redundancy. Just like anything else, the immediate answer is “it depends”, but there are a few things to remember when considering a redundant design with your routers or Layer 3 switches. First, redundancy protocols can be found nearly everywhere.Redundancy Protocols vs Stacking: Pros and Cons
I was recently asked whether or not I preferred to use a router redundancy protocol like HSRP, VRRP, or GLBP, or stack switches together to form a sort of “virtual router”, and use that for redundancy. Just like anything else, the immediate answer is “it depends”, but there are a few things to remember when considering a redundant design with your routers or Layer 3 switches. First, redundancy protocols can be found nearly everywhere.Packets of Interest (2011-12-12)
Here's a summary of interesting articles/posts that I've come across in the last couple of weeks.
Example Puppet 2.7 git pre-commit script
I had a hard time finding a decent pre-commit script for puppet 2.7. This is composed of snippets I found at code.seas.harvard.edu. The pre-commit script will check the puppet syntax of the changed .pp files, and also check if an attempt has been made to properly document the .pp file.
#!/bin/sh
#
# install this as .git/hooks/pre-commit to check Puppet manifests
# for errors before committing changes.
rc=0
[ "$SKIP_PRECOMMIT_HOOK" = 1 ] && exit 0
# Make sure we're at top level of repository.
cd $(git rev-parse --show-toplevel)
trap 'rm -rf $tmpdir $tmpfile1 $tmpfile2' EXIT INT HUP
tmpdir=$(mktemp -d precommitXXXXXX)
tmpfile1=$(mktemp errXXXXXX)
tmpfile2=$(mktemp errXXXXXX)
echo "$(basename $0): Validating changes."
# Here we copy files out of the index into a temporary directory. This
# protects us from a the situation in which we have staged an invalid
# configuration using ``git add`` but corrected the changes in the
# working directory. If we checked the files "in place", we would
# fail to detect the errors.
git diff-index --cached --name-only HEAD |
grep '.pp$' |
git checkout-index --stdin --prefix=$tmpdir/
find $tmpdir -type f -name '*.pp' |
while read manifest; do
puppet Continue readingAn Introduction to Layer 3 Traffic Isolation
All network engineers should be familiar with the method for virtualizing the network at Layer 2: the VLAN. VLANs are used to virtualize the bridging table of Layer 2 switches and create virtual switching topologies that overlay the physical network. Traffic traveling in one topology (ie VLAN) cannot bleed through into another topology. In this way, traffic from one group of users or devices can be kept isolated from other users or devices.
Traffic Isolation Using VLANs
VLANs work great in a Layer 2 switched network, but what happens when you need to maintain this traffic separation across a Layer 3 boundary such as a router or firewall?
Seamless Data Migration with Avaya’s VENA framework
There are very few technologies that come along which actually make things easier for IT staff. This is particularly true with new technology introductions. Very often, the introduction of a new technology is problematic from a systems service up time perspective. With networking technologies in particular, new introductions often involve large amounts of intermittent down time and a huge amount of human resources to properly plan the outages and migration processes to assure minimal down time. More so than any other, network core technologies tend to be the most disruptive due to their very nature and function. Technologies like MPLS are a good example. It requires full redesign of the network infrastructure as well very detailed design within the network core itself to provide connectivity. While some argue that things like MPLS-TP helps to alleviate this, it is not without cost – and the distruption remains.
IEEE 802.1aq or Shortest Path Bridging (SPB for short) is one of those very few technologies that can introduced in a very seamless fashion with minimal disruption or down time. It can also be introduced with minimal redesign of the existing network if so desired. A good case point example is a recent Continue reading
Multi-Vendor Network Woes
First, I’d like to thank you all for continuing to read my thoughts these last few weeks. Some already know that I passed the CCNP ROUTE exam this past weekend, and that has slowed my ability to write consistently. Fortunately, I laid that beast of an exam to rest and I get to focus on bigger, better things. I’ve been working a project for the past few weeks that’s involved the integration of HP and Cisco networking equipment.Multi-Vendor Network Woes
First, I’d like to thank you all for continuing to read my thoughts these last few weeks. Some already know that I passed the CCNP ROUTE exam this past weekend, and that has slowed my ability to write consistently. Fortunately, I laid that beast of an exam to rest and I get to focus on bigger, better things. I’ve been working a project for the past few weeks that’s involved the integration of HP and Cisco networking equipment.Net-SNMP v5.7 Issues
The last time I upgraded Net-SNMP it wasn't reporting the hrSystemProcesses OID. I wrote about that here. This time around I've upgraded to v5.7 and discovered two issues so far.
Packets of Interest 11-11-16
I read two interesting articles on VTP (Cisco's VLAN Trunking Protocol) this week. The first is an older article from networkworld.com that reminds us all that VTP clients are also capable of updating VLANs on the network, not just servers. When I first heard that a VTP client can update a VTP server under the right conditions, I was frankly a non-believer. No way. I'd seen evidence to the contrary in several documents at cisco.VPN Host Checker vs. AD Group Policy
This post is for anyone who administers a Juniper SSL VPN. I saw an issue in our environment recently that was created by an unexpected interaction between two different systems that were working to enforce our computer security policy. Because the way the systems were configured is pretty common and because the issue is not specifically warned against by Juniper, I'm going to share it here.
Address + Port = “Stall Tactics”
I recently listened to Packet Pushers Show 72 on “How we are killing the internet” and want to voice my thoughts on the topics discussed. The majority of the conversation circled around IPv6 adoption, and the state of the internet in light of the existence of tunneling mechanisms being used. Ivan mentioned that we are destroying the internet with all the tunnels (PPPoE, PPPoA, 6to4, 4to6, 6rd, etc) and translation points.Address + Port = “Stall Tactics”
I recently listened to Packet Pushers Show 72 on “How we are killing the internet” and want to voice my thoughts on the topics discussed. The majority of the conversation circled around IPv6 adoption, and the state of the internet in light of the existence of tunneling mechanisms being used. Ivan mentioned that we are destroying the internet with all the tunnels (PPPoE, PPPoA, 6to4, 4to6, 6rd, etc) and translation points.Address + Port = “Stall Tactics”
I recently listened to Packet Pushers Show 72 on “How we are killing the internet” and want to voice my thoughts on the topics discussed. The majority of the conversation circled around IPv6 adoption, and the state of the internet in light of the existence of tunneling mechanisms being used. Ivan mentioned that we are destroying the internet with all the tunnels (PPPoE, PPPoA, 6to4, 4to6, 6rd, etc) and translation points.This New “Cloudshark” Thing
I had heard of CloudShark a while back but was reminded of it by a recent Packet Pushers article. For those that haven’t, CloudShark is a new product that basically claims to be a cloud-based capture file (such as from Wireshark) archiving solution. Viewing the main CloudShark website, you’ll be unable to miss what is obviously their big pull - CLOUDSHARK BRINGS YOUR CAPTURE FILES TO THE CLOUD OMGZ!!! (Did the fact that those words are at the top of each page on their site not give away their enthusiasm?This New “Cloudshark” Thing
I had heard of CloudShark a while back but was reminded of it by a recent Packet Pushers article. For those that haven’t, CloudShark is a new product that basically claims to be a cloud-based capture file (such as from Wireshark) archiving solution. Viewing the main CloudShark website, you’ll be unable to miss what is obviously their big pull - CLOUDSHARK BRINGS YOUR CAPTURE FILES TO THE CLOUD OMGZ!!! (Did the fact that those words are at the top of each page on their site not give away their enthusiasm?junos vrf-import funnies
Consider this configuration:
> show configuration routing-instances VRF1 instance-type vrf; route-distinguisher 42:1; vrf-import [ VRF1-IMPORT VRF-DEFAULT-IMPORT ]; vrf-export [ VRF1-EXPORT VRF-DEFAULT-EXPORT ]; vrf-table-label; > show configuration policy-options policy-statement VRF1-IMPORT from community [ VRF1 VRF2 ]; > show configuration policy-options policy-statement VRF-DEFAULT-IMPORT term cust_routes { from protocol bgp; then default-action accept; } > show configuration policy-options community VRF1 members target:42:1; > show configuration policy-options community VRF2 members target:42:2;
If you configure this on any router on your network, it'll work, VRF will import correct and only correct routes. This will give you assumption, that VRF import in JunOS works like this:
- start with empty array of routes to evaluate policy against
- when you hit 'match community' push matching routes from bgp.l3vpn.0 to the list
- evaluate rules normally against the list
If you create multiple of these to single router, and you only have single 'from community [ X ]' in each, it also works perfectly. However, if you have more than one community in 'from community' AND you have more than one VRF using the 'VRF-DEFAULT-IMPORT' things go wrong. If we have three routes:
- 10.10.1.0/24 RT:42:1
- 10.10.2.0/24 RT:42:1 RT:42:2 RT:42:3
- 10.10.3. Continue reading
no usage scenario for ssh-agent forwarding
Many people, especially those in consulting business have need to access multiple different organization 'jump boxes' from which they can ssh towards the organization servers. And due to security it makes sense to have different ssh key being allowed for different organization servers. For convenience people often allow ssh-agent towards the 'jump boxes'.
Problem with ssh-agent is, that it has no idea who is requesting the key signing, it could very well be organization1 evil admin asking for organization2 key, when sshing into organization2 jump-box, and your agent would simply allow this.
One solution to the problem could be that when ever signing is requested, user gets prompt 'localhost < organization2-jump < organization2 requests sign of organization1 identity, allow yes/no, [ ] always'. Now you'd have idea if sign request is legit or not. However this would require protocol changes to ssh, as ssh-agent has no idea who is requesting signing much less of the full path, which would be absolutely needed to make this feature work.
So I asked openssh dev mailing list, how this problem should be solved. Turns out there is recently added feature in openssh, which could potentially remove need for agent forwarding completely, to access organization1-server through organization1-jump you'd do ssh -oProxyCommand='ssh -W %h:%p organization1-jump' organization1-server, now obviously this is inconvenient, especially if there are more than 1 box through which you need to jump. .ssh/config can help somewhat:
# cat >> ~/.ssh/config
Host org1-ultimate
ProxyCommand ssh -W %h:%p org1-secondjump
Host org1-secondjump
ProxyCommand ssh -W %h:%p org1-firstjump
^d
Now you'd ssh 'ssh Continue reading