Brocade : Zone‐Based Firewall

Today I am going to talk about the configuration of the Brocade router as Zone-Based Firewall. The first query in your mind will be that what is this zone based firewalls are ?

Well Zone based Firewalls are interfaces that are grouped into security “zones,” where each interface in a zone has the same security level.

In the Zone Based Firewalls, the packet-filtering policies are applied to the traffic flowing between the various zones in the network which is defined by the network administrator . So the concept is simple that the traffic flowing between interfaces that is there in the same zone is not filtered and flows freely because the interfaces share the same security level and the traffic flowing between the different zones will be filtered accordingly as security level can be different for different zones.

I will come up the Zone based Firewalls for Cisco soon in another article where i can share the configurations with the topology. This article is purely of Brocade where it is worked as Zone Based Firewall.

So below is the network where we defined three different zones which is defined by network administrator as per the demand in the network. The Zones are

One Year Ago Today



One year ago today, fourth of July, was my first day at Google Zürich. It’s been a very interesting journey so far, and from the beginning I spent most of my time to focus on three things: switch to Product Management to learn how to build great product, work on scalable Enterprise networking solution from cloud-based SDN to intent-driven automation, and learn data analysis in-depth from data visualization all the way to Machine Learning, to be used in product development.

As you notice, I rarely post new blog since I joined the company last year. And I find it quite difficult to find any active blog from other Googlers too. Just like any tech company, when we joined all of us signed an agreement containing various obligations including the requirement to hold proprietary information and trade secrets in strictest confidence. But I believe there should be some non-confidential things that we can share in our personal blog.

So why can’t we blog?

First, we are very busy here. And not because we have to, but we choose to.

I mean, there are just too many interesting things to do and to learn at Google. If you work for the Continue reading

Call on Your Government To Support Encryption

Eighty-three organizations and individuals from Australia, Canada, New Zealand, the United Kingdom, and the United States are insisting governments support strong encryption.

The letter, which was sent to government representatives in each of the above countries, called for public participation in any future discussions. It comes on the heels of the “Five Eyes” ministerial meeting in Ottawa, Canada earlier this week.

The Internet Society supports the substance of the letter.  

Mr. Olaf Kolkman

What is Urban and Rural area in networking ?

What is urban and rural area ? What is underserved area in networking ?   These definitions are heavily used in networking. And all broadband network designers take always these definitions into an account while they do their design. I think knowing these definitions as a network engineer is valuable for you.    In general, […]

The post What is Urban and Rural area in networking ? appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

Is there a Global Tier 1 Provider in the World ?

Is there a Global Tier 1 Internet Service Provider in the World ? Who are the biggest networks in the World ?    In the Peering article I explained what is peering , different types of peering such as private and public peering , settlement free peering , paid peering and so on.   To […]

The post Is there a Global Tier 1 Provider in the World ? appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

Three little tools: mmsum, mmwatch, mmhistogram

In a recent blog post, my colleague Marek talked about some SSDP-based DDoS activity we'd been seeing recently. In that blog post he used a tool called mmhistogram to output an ASCII histogram.

That tool is part of a small suite of command-line tools that can be handy when messing with data. Since a reader asked for them to be open sourced... here they are.

mmhistogram

Suppose you have the following CSV of the ages of major Star Wars characters at the time of Episode IV:

Anakin Skywalker (Darth Vader),42
Boba Fett,32
C-3PO,32
Chewbacca,200
Count Dooku,102
Darth Maul,54
Han Solo,29
Jabba the Hutt,600
Jango Fett,66
Jar Jar Binks,52
Lando Calrissian,31
Leia Organa (Princess Leia),19
Luke Skywalker,19
Mace Windu,72
Obi-Wan Kenobi,57
Palpatine,82
Qui-Gon Jinn,92
R2-D2,32
Shmi Skywalker,72
Wedge Antilles,21
Yoda,896

You can get an ASCII histogram of the ages as follows using the mmhistogram tool.

$ cut -d, -f2 epiv | mmhistogram -t "Age"
Age min:19.00 avg:123.90 med=54.00 max:896.00 dev:211.28 count:21
Age:
 value |-------------------------------------------------- count
     0 |                                                   0
     1 |                                                   0
     2 |                                                   0
     4 |                                                   0
     8 |                                                   0
    16 |************************************************** 8
    32 |                         ************************* 4
    64 |             ************************************* 6
   128 |                                            ****** 1
   256  Continue reading

OSPF Configurations in Huawei Routers

Today I am going to talk about the basic configuration of OSPF in Huawei Routers. There is already have a article on OSPF configuration on Cisco routers
OSPF Basic configuration Step by step on Cisco Routers

Apart from the above we have another articles on OSPF as shown below
OSPF Basics
OSPF Point to Multipoint Configuration- Cisco and Juniper
OSPF States
Difference between OSPF and RIP

Lets take an Topology here and below is the diagram for the configuration. We have the following topology as :

  • Router A is connected between Area 1 and Area 0
  • Router B is connected between Area 2 and Area 0
  • Router C is a internal Area 1 Router
  • Router D is a internal Area 2 Router
  • Router E is a internal Area 1 Router
  • Router F is a internal Area 2 Router


Fig 1.1-


# Configure Router A 
Below is the basic configuration of OSPF on Router A
[TTLBITS_A] router id 1.1.1.1
[TTLBITS_A] ospf 1
[TTLBITS_A-ospf-1] area 0
[TTLBITS_A-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255 
[TTLBITS_A-ospf-1-area-0.0.0.0] quit 
[TTLBITS_A-ospf-1] area 1
[TTLBITS_A-ospf-1-area-0.0.0.1] network 192.168.1.0 0. Continue reading

Swimlanes, Read-Write Transactions and Session State

Another question from someone watching my Designing Active-Active and Disaster Recovery Data Centers webinar (you know, the one where I tell people how to avoid the world-spanning-layer-2 madness):

In the video about parallel application stacks (swimlanes) you mentioned that one of the options for using the R/W database in Datacenter A if the user traffic landed in Datacenter B in which the replica of the database is read-only was to redirect the user browser with the purpose that the follow up HTTP POST land in Datacenter A.

Here’s the diagram he’s referring to:

Read more ...

37 – DCI is dead, long live to DCI

Some may find the title a bit strange, but, actually, it’s not 100% wrong. It just depends on what the acronym “DCI” stands for. And, actually, a new definition for DCI may come shortly, disrupting the way we used to interconnect multiple Data Centres together.

For many years, the DCI acronym has conventionally stood for Data Centre Interconnect.

Soon, the “Data Centre Interconnect” naming convention may essentially be used to describe solutions for interconnecting traditional-based DC network solutions, which have been used for many years. I am not denigrating any traditional DCI solutions per se, but the Data Centre networking is evolving very quickly from the traditional hierarchical network architecture to the emerging VXLAN-based fabric model gaining momentum in enterprise adopting it to optimize modern applications, computing resources, save costs and gain operational benefits. Consequently, these independent DCI technologies will continue to be deployed primarily for extending Layer 2 and Layer 3 networks between traditional DC networks. However, for the interconnection of modern VXLAN EVPN standalone (1) Fabrics, a new innovative solution called “VXLAN EVPN Multi-site” – which integrates in a single device the extension of the Layer 2 and Layer 3 services across multiple sites – has been created for a Continue reading

The Internet of (Living) Things: Tracking dairy cow eating habits

Consumer Physics is all about enabling people to get a better handle on their field, receiving dock or production line. The company offers the SCiO pocket-sized spectrometer, which enables farmers and agricultural organizations to analyze the makeup of the forage that dairy cows are grazing.In the past there was a dual barrier to really taking action on this data—spectrometers were big and clunky and the data was disconnected from operational systems. But Consumer Physics is closing that loop by making the device smaller and connecting it to a smartphone application and the cloud.+ Also on Network World: John Deere leads the way with IoT-driven precision farming + So, given this Internet of Things play, it is particularly interesting to hear that Cargill, a huge multinational in the food, agriculture, financial, and industrial products and services space is partnering with Consumer Physics to deliver a new joint offering: Reveal. Reveal is a real-time forage analysis service that puts the formerly hard to attain Cargill forage lab analysis in the palm of a hand.To read this article in full or to leave a comment, please click here

A container identity bootstrapping tool

Everybody has secrets. Software developers have many. Often these secrets—API tokens, TLS private keys, database passwords, SSH keys, and other sensitive data—are needed to make a service run properly and interact securely with other services. Today we’re sharing a tool that we built at Cloudflare to securely distribute secrets to our Dockerized production applications: PAL.

PAL is available on Github: https://github.com/cloudflare/pal.

Although PAL is not currently under active development, we have found it a useful tool and we think the community will benefit from its source being available. We believe that it's better to open source this tool and allow others to use the code than leave it hidden from view and unmaintained.

Secrets in production

CC BY 2.0 image by Personal Creations

How do you get these secrets to your services? If you’re the only developer, or one of a few on a project, you might put the secrets with your source code in your version control system. But if you just store the secrets in plain text with your code, everyone with access to your source repository can read them and use them for nefarious purposes (for example, stealing an API token and pretending to be Continue reading

Simple Python Script to Read from Device

There’s a lot of talk about network programmability and I recently had a simple use case that surfaced. The goal was locating a serial number in Cisco Devices. Basically, a script is required that will do the following.

  • Process a list of IP Addresses and/or hostnames
  • SSH into each device
  • Determine if the device has a given SN

There are many ways this can be accomplished, but the method I am using utilizes SSH. This example requires the use of Paramiko to implement SSHv2. The script can match other items in the output of show version and can easily be modified to have multiple matches and return additional information.

Prerequisites

  • Paramiko (can be installed using PIP)
  • Python (tested with 2.7)

It is worth noting that the script I’m sharing will automatically add public ssh keys and therefore may not be appropriate in a high security environment.

The Python and sample device files can be downloaded here.

Python Code

import paramiko
import getpass

#get user/password/substring (for search)
myuser = raw_input("Enter Username For Process: ")
mypass = getpass.getpass()
mysearch = raw_input("Please enter string to search: ")

#get a list of devices from devices.txt - one per line
qbfile = open("devices. Continue reading

Performance progression of IPv4 route lookup on Linux

TL;DR: Each of Linux 2.6.39, 3.6 and 4.0 brings notable performance improvements for the IPv4 route lookup process.

In a previous article, I explained how Linux implements an IPv4 routing table with compressed tries to offer excellent lookup times. The following graph shows the performance progression of Linux through history:

IPv4 route lookup performance

Two scenarios are tested:

  • 500,000 routes extracted from an Internet router (half of them are /24), and
  • 500,000 host routes (/32) tightly packed in 4 distinct subnets.

All kernels are compiled with GCC 4.9 (from Debian Jessie). This version is able to compile older kernels1 as well as current ones. The kernel configuration used is the default one with CONFIG_SMP and CONFIG_IP_MULTIPLE_TABLES options enabled (however, no IP rules are used). Some other unrelated options are enabled to be able to boot them in a virtual machine and run the benchmark.

The measurements are done in a virtual machine with one vCPU2. The host is an Intel Core i5-4670K and the CPU governor was set to “performance”. The benchmark is single-threaded. Implemented as a kernel module, it calls fib_lookup() with various destinations in 100,000 timed iterations and keeps the Continue reading

1 2,008 2,009 2,010 2,011 2,012 3,853