Detecting Layer2 Loops
We all too familiar with the devastating impact a talented layer 2 loops could have on a data center lacking sufficient controls and processes being in place. If you are using Cisco Nexus switches in your data center, you would be happy to know that NX-OS offers an interesting new tool you should add to […]
Sorry state of JunOS control plane protection
I've been looking into how to protect MX80 11.4R5 from various accidental and intentional attempts to congest control plane and I'm drawing pretty much blank.
Main discoveries so far.
- ISIS always leaked to control plane, even when no 'family iso' or 'protocol isis' on interface
- PVST always leaked to control plane. Even when just 'family inet' configured to interface
- LLDP protocol not matched by ddos-protection feature
- Essentially impossible to protect against attack from eBGP
- ddos-protection feature mis-dimensioned
ISIS
This is pretty bad for anyone running ISIS, as you cannot use ddos-protection to limit ISIS, as it won't distinguish between bad and good ISIS. If you don't use ISIS, just set ddos-protection limit low and you're good to go.ISIS is punted with different code than IP packets, but resolving the punt path it goes to the same path. This path is still seeing full wire rate, i.e. there isn't magic 10kpps limit before it
HCFPC2(le_ruuter vty)# show jnh 0 exceptions control pkt punt via nh PUNT(34) 9134818 1065269880 HCFPC2(le_ruuter vty)# show jnh 0 exceptions nh 34 punt Nexthop Chain: CallNH:desc_ptr:0xc02bbc, mode=0, rst_stk=0x0, count=0x3 0xc02bb8 0 : 0x127fffffe00003f0 0xc02bb9 1 : 0x2ffffffe07924a00 0xc02bba 2 : 0xda00601499000a04 0xc02bbb 3 : Continue reading
Applescript – Rename PDF to Title from Metadata
Today I downloaded a the full set of Configuration and Command references for the HP 12500 Series Switch from HP.com. When I looked in my download finder they were all helpfully named "cXXXXXX.pdf". Interestingly enough the title in the metadata seemed to be correct, so I wrote an AppleScript to batch rename them.
set theFiles to choose file with multiple selections allowed
repeat with theFile in theFiles
set filePath to quoted form of POSIX path of theFile
set theName to do shell script "mdls -name kMDItemTitle " & filePath & " -raw"
set theName to theName & ".pdf"
if theName is not "(null)" then try
tell application "System Events" to set name of theFile to theName
end try
end repeat
References: Apple Support Fourms
Applescript – Rename PDF to Title from Metadata
Today I downloaded a the full set of Configuration and Command references for the HP 12500 Series Switch from HP.com. When I looked in my download finder they were all helpfully named "cXXXXXX.pdf". Interestingly enough the title in the metadata seemed to be correct, so I wrote an AppleScript to batch rename them.
NetBIOS
How does the internet work - We know what is networking
Sytek Inc developed NetBIOS in 1983 as an API (a specification proposed for using it as an interface to communicate by software parts) for software contact over IBM PC LAN networking technology. The Network Basic Input/Output System (NetBIOS) was at first introduced by IBM (a company, which is running IT consultation and computer technology business […]
Applescript – Rename PDF to Title from Metadata
Today I downloaded a the full set of Configuration and Command references for the HP 12500 Series Switch from HP.com. When I looked in my download finder they were all helpfully named "cXXXXXX.pdf". Interestingly enough the title in the metadata seemed to be correct, so I wrote an AppleScript to batch rename them.
Grabbing IETF RFCs and I-Ds in ebook format using rsync
IETF drafts get no love from my Tablet. I 've tried sending drafts to Instapaper for offline reading, I've tried using Readability but all of these fail to render correctly. Is it too much to ask to be able to read RFC's on the go?
Fortunately I found that the RFCs and I-D's are published to tools.ietf.org in both epub and mobi formats. To pull the full list of epub:
rsync -avz --include="*.epub" --exclude="*" rsync.tools.ietf.org::tools/ebook/ /destination
And for mobi:
rsync -avz --include="*.mobi" --exclude="*" rsync.tools.ietf.org::tools/ebook/ /destination
These are pretty hefty downloads so you might want to tailor these to your current needs by creating using a txt file full of include rules, lets call it filter.txt
Working Group RFC & Internet Drafts
Add lines like this to your filter.txt to download the latest RFCs and I-Ds for the WGs you are following:
*lisp*.mobi
*conex*.mobi
*nvo3*.mobi
*tsvwg*.mobi
Published RFCs
To download the mother load of RFCs add the following line:
rfc.mobi
Published RFCs by Area
To download RFCs by Area add the following:
area.rtg.mobi
area. Continue readingGrabbing IETF RFCs and I-Ds in ebook format using rsync
IETF drafts get no love from my Tablet. I 've tried sending drafts to Instapaper for offline reading, I've tried using Readability but all of these fail to render correctly. Is it too much to ask to be able to read RFC's on the go?
Cisco UCS B200 M3: “Invalid Adaptor IOcard”
I received two brand spanking new B200 M3 blade servers for a new project. These bad boys are packing 393GB of RAM and two Intel Xeon E5-2680 2.7GHz 8-core processors each. I wanted to get these installed as soon as possible, so I could make sure the firmware was up to current (they came with 2.0(3c), which is what I’m running) and apply service profiles to them. At the end of the initial deep hardware discovery, I received a strange error in UCSM - “Invalid Adaptor Iocard”:Cisco UCS B200 M3: “Invalid Adaptor IOcard”
I received two brand spanking new B200 M3 blade servers for a new project. These bad boys are packing 393GB of RAM and two Intel Xeon E5-2680 2.7GHz 8-core processors each. I wanted to get these installed as soon as possible, so I could make sure the firmware was up to current (they came with 2.0(3c), which is what I’m running) and apply service profiles to them. At the end of the initial deep hardware discovery, I received a strange error in UCSM - “Invalid Adaptor Iocard”:Grabbing IETF RFCs and I-Ds in ebook format using rsync
IETF drafts get no love from my Tablet. I 've tried sending drafts to Instapaper for offline reading, I've tried using Readability but all of these fail to render correctly. Is it too much to ask to be able to read RFC's on the go?
How to prevent or stop DoS attacks?
How does the internet work - We know what is networking
The response and prevention In order to defend against Denial of Service attacks the combination of attack detection use is typically involved in it, classification of traffic as well as response tools, and the target is to block traffic if identified as illegal and permit the legal traffic only after identifying it. Below is a […]
BGP Decision Process
Cisco’s BGP decision process basically decides which BGP route to take when comparing multiple prefixes to the same destination. It is a rather long process and somewhat tricky. Below, I created a quick reference to its steps.
Before I talk about each step I would like to discuss in what order are multiple prefixes compared. For example if you have three prefixes to 10.2.0.0/16 how do you compare all three at once? By default Cisco’s algorithm will compare the younger prefixes to the older and finally compare the oldest to the winner.
The rest of this post are my notes on the BGP decision process. Hopefully you’ll find it useful.
BGP Preconditions
For any path to be considered valid it has to meet these requirements.
- Next-hop IP address of that path is reachable.
- The local AS number is not part of the AS_PATH (basic loop prevention).
- If BGP synchronization is enabled, the candidate prefix is in the IGP routing table. If using OSPF, router-ID have to match for the OSPF and BGP process.
- The BGP prefix is not dampened.
- With inbound soft resets enabled, make sure that no BGP polices are filtering the candidate prefix.
1 Continue reading
DoS Methods – PDoS, Permanent DoS attacks
How does the internet work - We know what is networking
A PDoS or permanent denial-of-service, also referred to as phlashing, is a severe attack that completely damage a system as a result of which the system’s reinstallation of hardware or replacement is required. A PDoS attack exploits the flaws of security which further permits the administration present far away on the hardware of the victim […]
MPLS – Multiprotocol Label Switching
How does the internet work - We know what is networking
There is so much about MPLS and how MPLS works. Here I wrote some simple introductory lines about it but only from one perspective. The costumer side one. There is nothing here about BGP and all the things that need to be done and configured in order for MPLS to function in ISP cloud. As […]
DoS Methods – ICMP and SYN flood, Teardrop and Low-rate DoS attacks
How does the internet work - We know what is networking
ICMP flood Smurf attack is one specific form of a flooding DoS attack that occurs on the public Internet. It solely depends on incorrect configuration network equipments that permit packets that are supposed to be sent to all hosts of computer on a specific network not via any machine but only via network’s broadcast address. […]
DoS Methods – ICMP and SYN flood, Teardrop and Low-rate DoS attacks
FEX Architectures
Here is an old post I never finished. With the benefits of the Nexus 2000 and the FEX architecture (a earlier post), scalability, simplified management, flexibility, Cisco extended its use further into the servers all the way up to the virtual hosts.This allows much greater control and flexibility. After all network guys should look after […]
Few ways scripting can keep you sane
C’est la vie, it has been almost a year since I posted on the blog, a year full of change, but here I am kicking up again with this simple short post about how scripting could save you time and effort on daily basis. I know most of you might be using those free or [...] No related posts. Related posts brought to you by Yet Another Related Posts Plugin.New version of BGPmon.net
As many of you are aware, BGPmon.net has been offered as a free service since becoming publically available in 2008. From its inception the service has been funded largely by myself. Now, due to ever-increasing popularity, it has become unsustainable to run the service on personal funds and my available time. I have reached a branch in the road: BGPmon.net must either become financially self-supporting, reduce its scope or cease. Clearly the latter options would waste the project’s potential and accomplishments.
So I’m happy to announce that as of today BGPmon.net services will be available in two flavors: a free ‘entry level’ service and a full-featured premium commercial service.
With these changes, BGPmon.net will become more sustainable and provide better support, and allow us to continue improving services while adding new features.
What to expect
Our base services remain free, but with a limited feature set and up to 5 prefixes per account.
The premium commercial service allows you to monitor as many prefixes as needed and provides the full-feature set on a new powerful platform. The routing report, SOAP API and additional email address features are now part of the premium service. Pricing details can Continue reading
DDoS – Distributed Denial of Service attack
How does the internet work - We know what is networking
When a number of systems i.e. one or more than one web server floods the resources and bandwidth of a targeted system then a distributed denial of service attack (DDoS) takes place, Different types of methods are used by attackers in order to compromise the systems. It is the malware that can carry out the […]