VRF Series Article 3 – Creating a Shared Services VRF

For those following the VRF Series, we currently have a topology built that consists of a segmented Layer 3 first hop network and remotely networked by carrying the isolation from the BrWan router to Main. This article covers, shared services, the next step in our journey to understanding VRFs for Segmented Layer 3 Networks.

The configuration focus is solely on the router Main. The shared services VRF that will be created could serve as a place to connect something that all other VRFs must have access to. Organizations should evaluate their requirements closely before deploying this configuration.

An organization that requires stateful inspection between two areas may choose to connect two or more VRFs together using an L4 or Next Generation Firewall (we will cover this in Article 5). The security ramification of having a shared services VRF, as described in this article, is that devices connected in this area could be used as a proxy into other areas. Therefore, careful planning and proper device level security is important prior to deploying this type of architecture.

The technologies covered here include:

  • IGP w/ Route Redistribution (EIGRP)
  • BGP w/ Route Redistribution
  • VRFs with Route Targets/Route Distinguisher vlaues

VRF_No_Int_Index

The logic of Continue reading

The Relentless Yet Predictable Pace Of InfiniBand Speed Bumps

High performance computing in its various guises is not just determined by the kind and amount of computing that is made available at scale to applications. More and more, the choice of network adapters and switches as well as the software stack that links the network to applications plays an increasingly important role. And moreover, networks are comprising a larger and larger portion of the cluster budget, too.

So picking the network that lashes servers to each other and to their shared storage is important. And equally important is having a roadmap for the technology that is going to provide

The Relentless Yet Predictable Pace Of InfiniBand Speed Bumps was written by Timothy Prickett Morgan at The Next Platform.

IDG Contributor Network: Hackers could use hidden mal-audio to attack Google Now

There's a fabulous story about a slew of Amazon Echo devices that took it upon themselves to order expensive doll houses from the ecommerce retailer all because a news show host uttered the phrase “Alexa ordered me a dollhouse” on air. The machines heard it from the TV switched on in the room.Researchers say it’s not an unlikely scenario. They say not only can attackers issue mal-audio voice commands to any AI listening device that is in audible range, but they can also do it using hidden voice commands. Those are commands that might not even be noticed by the user.To read this article in full or to leave a comment, please click here

IDG Contributor Network: TechDemocracy: Helping execs and boards ensure cybersafety

I sit on a number of not-for-profit and commercial boards of directors. I am lucky in that I have a pretty good understanding of how their technology landscape can introduce risks into the business. As someone who spends much of his time in the tech world, I can bring this knowledge and awareness into the companies I work with. But that isn't the usual way things work. Most boards of directors are made up of individuals who have little or no awareness of their organization's technology footprint and the impacts it can have when something goes wrong. This is the problem space that TechDemocracy, a global cyberrisk assurance solution provider, is trying to solve with its Intellicta platform.To read this article in full or to leave a comment, please click here

IDG Contributor Network: 6 ways to launch a targeted cyberattack

The threat of a targeted attack for any business is real and substantial. It's vital to ensure that your organization can identify constantly evolving threats, find abnormal and suspicious activity, and take effective action to keep your data safe. Consider that, on average, attackers are in a network for more than 140 days before they're detected, and 60% of network intrusions are eventually traced back to credentials, according to according to Microsoft. Most successful targeted attacks follow six steps or stages, though it's important to remember that these steps often run in parallel. Multifaceted attacks are common, so a robust threat response plan should address all six steps and avoid jumping to conclusions.To read this article in full or to leave a comment, please click here

New products of the week 1.30.17

New products of the weekImage by NSSOur roundup of intriguing new products. Read how to submit an entry to Network World's products of the week slideshow.Blue Medora vRealize Operations Management Pack for Amazon AuroraImage by bluemedoraTo read this article in full or to leave a comment, please click here

6 highly useful & entertaining podcasts for IT & network pros

While I acknowledge that my first choices for podcast listening tend toward entertainment (All Songs Considered, The Moth, This American Life), I also encourage myself to consume to those that might help me better understand networking and keep up on the general technology scene. Here’s a short list of podcasts that enterprise IT pros might find useful --and even enjoyable.Voices from DARPA I’ll admit that this podcast intimidated me before I first listened to it, but it’s actually quite digestible even if you’re not a Ph.D. The Defense Advanced Research Projects Agency kicked off the series in September and pumps out one or two episodes per month, based on interviews by Ivan Amato with program managers from DARPA’s six technical offices (Biological Technologies, Defense Sciences, Information Innovation, Microsystems Technology, Strategic Technology, and Tactical Technology). Topics have included “Molecule Man”, “Space Sentinel” and “The Semiconductor Whisperer”, the latter of which gives a great short history of semiconductors and a look to the future. All episodes so far are less than 30 minutes long and several are under 20 minutes long. To read this article in full or to leave a comment, please click here

Restoring Space 15.2 data to 16.1

The upgrade from Space platform 15.2 to 16.1 is one of the worst procedures I’ve seen in quite a while.   It is complicated because the underlying CentOS is being upgraded at the same time, so I guess that’s part of the reason, but still, it could be a lot slicker and better tested.

In summary, you have to apply a couple of patches, the second of which backs your 15.2 data up somewhere else – ideally over SCP to a remote server.  You then shut down your 15.2 VM, install a fresh 16.1 VM with the same IP addresses, and restore the data to it.

Sounds easy, but the 16.1 installation part can generally only be done by the customer’s VMware admin because it needs console access.  So you’ve got to rely on them following lots of instructions quite well.

Recently a customer experienced some kind of failure in the restoration part, leaving me with a fresh installed 16.1, but no data.  I SSHed on to the VM and could see the standard menu, but wasn’t offered any option to attempt another restore.   After digging around for a while, I found Continue reading

Response:New Office 365 subscriptions for consumers plunged 62% in 2016 | ITworld

Another “public cloud isn’t for everyone” story:

By charting Office 365’s new subscribers using a trailing 12 months — the latest quarter plus the three previous — to eliminate seasonal spikes, the suite’s waxing and waning over the past four years becomes apparent. From its Q1 2013 debut until Q4 2015, Office 365 subscriber growth was always steady, sometimes spectacular.

Solid approach to charting and yes, Office 365 did well but:

After Q4 2015, however, the trailing 12-month numbers fell, a decline fueled by the plateau of 0.9 million each quarter from the second onward. That resulted in a gain of just 4.3 million subscribers throughout 2016, a reduction of 62% from the year before.

Office365 new subs 100706400 large

Oh, the path to public cloud isn’t always a growth market? That’s not the story from the clouderati. Oh dear.

New Office 365 subscriptions for consumers plunged 62% in 2016 | ITworld : http://www.itworld.com/article/3162708/enterprise-applications/new-office-365-subscriptions-for-consumers-plunged-62-in-2016.html

The post Response:New Office 365 subscriptions for consumers plunged 62% in 2016 | ITworld appeared first on EtherealMind.

Uber was right to disable surge pricing at JFK

Yesterday, the NYC taxi union had a one-hour strike protesting Trump's "Muslim Ban", refusing to pick up passengers at the JFK airport. Uber responded by disabling surge pricing at the airport. This has widely been interpreted as a bad thing, so the hashtag "#DeleteUber" has been trending, encouraging people to delete their Uber accounts/app.

These people are wrong, obviously so.

Surge Pricing

Uber's "Surge Pricing" isn't price gouging, as many assume. Instead, the additional money goes directly to the drivers, to encourage them come to the area surging and pick up riders. Uber isn't a taxi company. It can't direct drivers to go anywhere. All it can do is provide incentives. "Surge Pricing" for customers means "Surge Income" for the drivers, giving them an incentive. Drivers have a map showing which areas of the city are surging, so they can drive there.

Another way of thinking about it is "Demand Pricing". It's simply the economic Law of Supply and Demand. If demand increases, then prices increase, and then supply increases chasing the higher profits. It's why famously you can't get a taxi cab on New Years Eve, but you can get an Uber driver. Taxi drivers can't charge more Continue reading

About 150 Delta flights in the US canceled after systems outage

About 150 flights of Delta Air Lines in the U.S. were canceled and some others were delayed on Sunday on account of an IT systems outage, the airline reported.Delta said more flight cancellations were expected.The IT systems outage at Delta is the latest of a number that have affected airline operations recently.Delta reported earlier that its teams were working to fix quickly a systems outage that has resulted in departure delays and cancellations. It did not provide information on the systems issue that had caused the outage.“Not all delays and cancellations are being reflected on Delta systems, including delta.com, the Fly Delta App, airport information screens or through our Reservations agents,” the airline said. It reported at 11:45 p.m. EST that a ground stop had been lifted.To read this article in full or to leave a comment, please click here

ASIC Programmability from Barefoot Networks

Full disclosure : I was lucky to be among a group of networking influencers invited to Silicon Valley to visit some networking companies and see what they were offering to the market.  I was flown out and given accommodations at the expense of Gestalt IT – the company that organized the event.  I was given some swag by each company, but I was never paid to write a positive review on the product.  Heck, I’m not even expected to write at all.

Think about the fastest switch in your network and why it’s so fast.  Traditionally, it’s because the manufacturer has developed a very efficient ASIC that does switching very well (give me some leeway here and forget about routing, encapsulation, etc.), but it really can’t do anything else.  Want a new switching feature?  Well, your switch can’t do that if the ASIC doesn’t support it.  No big deal – the manufacturer just needs to make a new ASIC that supports it, right?  This sounds simple, but, generally, this is a many-years process and requires a hardware update on your end.  This is not a good solution in a world where new features and technologies Continue reading

VRF Series Article 2 – Extending L3 Segmentation with VRF-lite

In the last article, we took an initial look at L3 segmentation with VRFs. In that case, we created a basic first hop configuration that had isolated pci and data segments. In reality, most networks are far larger and more complex. This article continues down that same path by building proper layer 3 links and IGP adjacency with a Headquarter (Main) location. The starting point from a configuration standpoint is where we left off in Article 1 of this series.

Specifically in this article, we will configure subinterfaces to connect BrWan to Main for each VRF. We will also create a loopback on Main in each VRF to act as a test point that should be reachable from each host. From a routing protocol perspective, we will leverage EIGRP in Named Mode. This mode is a requirement because it is the method that allows the address family command to identify VRFs.

Note: I am working from some VIRL defaults, so I will be including the removal of unnecessary items. Also, I will be shutting down Gigabit 2 since the rest of the topology is out of scope for this article.

Main – HQ Router

//removing unnecessary routing  Continue reading

Review: Dell Latitude E7370

As part of my Linux migration (see my initial progress report), late this past week I started setting up my first non-Apple laptop since 2003. In this post, I’d like to share my thoughts on my new laptop, a Dell Latitude E7370.

First, let’s get the specs—the “speeds and feeds”—out of the way:

  • Intel Core m7 CPU
  • 16 GB of RAM
  • 512 GB NVMe SSD
  • 3200x1800 touchscreen
  • Intel HD graphics and Intel 802.11a/b/g/n/ac wireless

Based on the specs alone, it’s easy to see this laptop is no slouch. It’s certainly comparable to the latest-generation of MacBook Pro laptops, except for the touchscreen (which the Macs don’t offer/support).

Subjectively, I have to say I’m impressed with the E7370. I travel quite a bit, so size and weight are important. This laptop looks and feels more svelte than my previous laptop, a 13” MacBook Air. From a comparison perspective, I’d say it’s on par with my son’s 11” MacBook Air. The build quality is great, and the laptop feels solid and sturdy. The display is crisp, sharp, and bright, and battery life (so far, without any OS-level tuning) has been respectable. Unlike some previous ultrabooks I’ve seen, Dell’s done Continue reading

Musing: Google Establishes CA Root Authority.

Google continues to build out its ownership of key Internet infrastructure. Email/Spam filtering, Chrome Browser, DNS

As we look forward to the evolution of both the web and our own products it is clear HTTPS will continue to be a foundational technology. This is why we have made the decision to expand our current Certificate Authority efforts to include the operation of our own Root Certificate Authority. To this end, we have established Google Trust Services (https://pki.goog/), the entity we will rely on to operate these Certificate Authorities on behalf of Google and Alphabet.

Thoughts, in no particular order:

  1. Bought company with root certificates to shorten lead time to control
  2. Ownership of and widespread use of Chrome web browser, DNS and trusted root certificates means that Google has unprecedented amount of control over user data regardless encryption.
  3. Can silently MITM any traffic in browser by combining web browser and certificate configuration
  4. Data gathering from DNS servers for destinations, source addresses/geolocation, usage profiling
  5. Chrome already prevents many privacy and usability features available in other browsers e.g. Reading mode,
  6. Adds to data-gathering possibilities from web services that predict searches, URLs and spelling errors built into browser

One of the base Continue reading

VRF Series Article 1 – Basic L3 Segmentation with VRFs

Network engineers are well aware of the Layer 2 isolation properties of VLANs. Their use is so pervasive that they are second nature to most. This article is the first in a series that outlines specifically how VRFs can be used to provide the same type of end to end isolation for Layer 3 that VLANs provide for Layer 2.

In this example, we will work with a subset of the overall topology that I previously shared. Specifically, we are going to configure a router that I’ll call BrWan, a Layer 2 switch, and 3

VRF_Branch

routers that I’m using to emulate connected hosts (data-x/pci-x).

BrWan will contain the technology configuration that is the primary focus of the article. The other components are configured somewhat generically and using technologies that most are very familiar with.

At the end of this exercise, the requirement is that anything related to “data” can only reach other parts of the “data” network. Similar requirements exist for “pci”. There will be no ACLs used to prevent communication between pci and data, but the isolation requirement is strict. These concepts will be carried forward throughout the series. Later examples will provide a mechanism for some traffic between Continue reading

1 2,370 2,371 2,372 2,373 2,374 3,858