I (don’t) like Big Buffers.

Recently Arista released a white paper surrounding the idea that having deeper buffers running within the network can help to alleviate the incast congestion patterns that present when a large number of many-to-one connections are happening within a network, also known as the TCP incast problem. They pointedly targeted Hadoop clusters, as the incast problem can rear its ugly head when utilizing the Hadoop cluster for MapReduce functions. The study used an example of 20 servers hanging off of a single ToR switch that has 40Gbps of uplink capacity within a Leaf/Spine network, presenting a 5:1 oversubscription ratio. This type of oversubscription was just seen in the recent release of the Facebook network that is used within their data centers, so it’s safe to assume that these types of oversubscription ratios are seen in the wild. I know I’ve run my fair share of oversubscribed networks in the past.

Treating the Symptom

This particular study actually prods at what is the Achilles’ heel of the traditional leaf/spine network design. All nodes being within 3 switch hops (ToR <-> Spine <-> ToR) does provide predictable pathing in the minds of today’s network operators, but I posit that Continue reading

The four Mac security options everyone should know

As our lives increasingly go digital, security is a major concern not only for the various online services we use, but also for the devices on which we save our data. Chances are that if you’re reading this article, you own a Mac. And on your Mac, you’d like much of the work you do on it to be kept private. While OS X is relatively secure by default, there are some additional steps you can take to ensure the data on your Mac is only accessible by you, even if your Mac is stolen. Take the following tips to heart to better protect your Mac and its data.

IKEv2 VPN – ASA/IOS

In our next blog post, we will focus on configuring an IKEv2 VPN between the ASA and IOS.

Is there anything special about that configuration? Yes and no. It is still “just” IKEv2 that will take care of negotiating our tunnels, but there will definitely be a difference in how we configure one platform versus another. Remember – tunnel interfaces are not supported on the ASA, at least as of 8.6, and this generally means that we will not be able to use tunnels (FlexVPNs) on IOS, too (there is actually one small exception to this rule, but it will not be discussed in this article).

Let’s take a look at our simple network:

We’ll try to build a VPN tunnel between R10 and ASA3 that we will then use to protect traffic flowing between VLANs 10 and 8. I am going to start with the ASA configuration.

First and foremost – the Policy. Note that PRF must generally be the same as what you have selected for Integrity/Hashing:

crypto ikev2 policy 10
encryption aes-256
integrity sha384
prf sha384
group 14

We will authenticate the tunnel using pre-shared-keys, and since authentication method is no longer negotiated in IKEv2 we Continue reading

Python paths and Cron logging

I created two new Twitter accounts yesterday, and the number of followers in such a short time is great to see. Feel free to follow them here – @bgp4_table and @bgp6_table. The accounts get updated through Python, and that Python script is run via a cron job once every six hours. I noticed that when […]

VRF Lite on Nexus 5600

One of the networking engineers using my ExpertExpress to validate their network design had an interesting problem: he was building a multi-tenant VLAN-based private cloud architecture with each tenant having multiple subnets, and wanted to route within the tenant network as close to the VMs as possible (in the ToR switch).

He was using Nexus 5600 as the ToR switch, and although there’s conflicting information on the number of VRFs supported by that switch (verified topology: 25 VRFs, verified maximum: 1000 VRFs, configuration guide: 64 VRFs), he thought 25 VRFs (tenant routing domains) might be enough.

Read more ...

New CCIE RSv5 Workbook Labs & Enhancements

Foundation Lab 2 has now been added to the CCIE RSv5 Workbook. This lab is great for working on your configuration speed and accuracy when combining multiple technologies together. It also has a great redistribution section that I hope you’ll all enjoy ;) More Full Scale, Troubleshooting, and Foundation labs are in progress and will be posted soon. I’ll post another update about them when they are available.

In addition to this we’ve added some feature enhancements to the workbook in response to customer requests and feedback. First, there is a new Table of Contents for the workbook that allows you to view all tasks, and to check off tasks that you’ve already completed. This will help you track your progress as you’re going through the workbook.

You can additionally check off the progress of a task in the upper right hand portion of the individual lab page.

Multiple bookmarks are now supported, and will be added to a section under the Table of Contents. When you open the workbook it will now also prompt you to load your latest bookmark.

Lastly, configuration solutions are now hidden by default when you open a lab. This will help prevent “spoilers” in the Continue reading

IPsec VPN Mikrotik to Linux

After writing the Mikrotik IPsec VPN article, I got some questions about how Mikrotik will work with a Linux device to build an IPsec VPN. I did notice that the questions were more oriented towards a copy/paste solution, so I’ll provide one that is working. If you need more details about why the solution is like this, please let me know.
Also, don’t forget to customize the solution as you need.

Read more on IPsec VPN Mikrotik to Linux…

DDoS flood protection

Denial of Service attacks represent a significant impact to the on-going operations of many businesses. When most revenue is derived from on-line operation, a DDoS attack can put a company out of business. There are many flavors of DDoS attacks, but the objective is always the same: to saturate a resource, such as a router, switch, firewall or web server, with multiple simultaneous and bogus requests from many different sources. These attacks generate large volumes of traffic; 100Gbit/s attacks are now common, making mitigation a challenge.

The 3-minute video demonstrates Flood Protect - a DDoS mitigation solution that leverages industry standard sFlow instrumentation in commodity data center switches to provide real-time detection and mitigation of DDoS attacks. Flood Protect is an application running on InMon's Switch Fabric Accelerator SDN controller. Other applications provide visibility and accelerate fabric performance by applying controls that reduce latency and increase throughput.
An early version of Flood Protect won the 2014 SDN Idol competition in a joint demonstration with Brocade Networks.
Visit sFlow.com to learn more, evaluate pre-release versions of these products, or discuss requirements.

Ansible Named a Top 10 Open Source Project by OpenSource.com


We are pleased to announce that Ansible has been named a Top 10 Open Source Project for 2014 by Opensource.com. Be sure to watch Michael DeHaan's presentation on why your IT infrastructure should be boring, read his interview with Opensource.com's Jen Krieger and learn about one of his favorite Star Trek quotes.

View the full list here.

Business Drivers Talk at Interop 2015


This talk is a case study around some of the issues and solutions for TelePost Greenland. I’ll have to give credit to Denise Donohue and the folks there as I go along through the slides, but it’s a unique network with some extreme requirements — and therefore some interesting solutions.

Cisco Just Killed The CLI


Gallons of virtual ink have been committed to virtual paper in the last few days with regards to Cisco’s lawsuit against Arista Networks. Some of it is speculating on the posturing by both companies. Other writers talk about the old market vs. the new market. Still others look at SDN as a driver.

I didn’t just want to talk about the lawsuit. Given that Arista has marketed EOS as a “better IOS than IOS” for a while now, I figured Cisco finally decided to bite back. They are fiercely protective of IOS, and they have to be because of the way the trademark laws in the US work. If you don’t go after people that infringe, you lose your standing to do so and invite others to do it as well. Is Cisco’s timing suspect? One does have to wonder. Is this about knocking out a competitor? It’s tough to say. But one thing is sure to me. Cisco has effectively killed the command line interface (CLI).

“Industry Standards”

EOS is certainly IOS-like. While it does introduce some unique features (see the NFD3 video here), the command syntax is very much IOS. That is purposeful. There are two Continue reading

Open Networking Has Arrived

“My servers run on Linux. My team knows how to manage Linux servers and networks. It just makes sense for my switches to run on Linux too.” 

What most people don’t know is that many high-end network switches already run on Linux.

Switches from Cisco®, Extreme Networks® and Arista® use Linux to run their switch hardware (the operating system is hidden behind abstractions and APIs). As well, most of these share the same switching silicon products from Broadcom® and Intel®.

We are in the midst of a major transformation in networking. Innovation from companies like Cumulus Networks® and Edge-Core® is leading the way, disrupting the way new networks are deployed and old networks are upgraded.

In my role as head of product engineering at Tuangru, almost every small-to-mid size hosting service provider I talk to is considering open networking. Why? Because it just makes sense.

Open network hardware is more affordable and easy to acquire. The Linux software is familiar and, in most cases, admins prefer it over the next CLI and syntax versions available.

The rise of DevOps and cloud technologies like OpenStack are driving higher levels of automation and uniformity. Continue reading

Compliance and Automation Using Ansible

Compliance is a big deal in many industries, from e-commerce and PCI, to healthcare and HIPAA, to federal government and FedRAMP. At the core, compliance is all about making sure that IT systems are secure. The controls for the various industries will inevitably have some overlap; there are fundamental security controls that (should) apply to all IT systems. However, as technology advances, even the fundamental controls need to be refreshed in order to address the ever increasing advancements in security threats. 

When the need comes for your IT environment to be both compliant and automated, Ansible makes the most sense.

Why? For simple but very powerful reasons: readability, encryption, architecture and transport.

Architecture:
For starters, Ansible requires the smallest architecture. In its simplest form, none whatsoever, just its installation on your laptop (presuming Linux or OS X). Even in our enterprise offering it is a single server. With Ansible there is no notion of Masters, Slaves, Masters of Masters, etc.

Secondly, you don’t/shouldn’t need to change anything. If you run a Linux shop, SSH over port 22 is probably already in place for all servers, and if you’ve been doing any sort of Windows automation, you likely already have remote Continue reading

Great Wi-Fi Starts with Proper Design

I’m sure that we have all experienced poorly designed Wi-Fi networks. When a technology is so ubiquitous, so easily accessible, and is increasingly the most relied upon method of Internet access for mobile devices and cloud computing, then there are bound to be some issues. Unfortunately, the prevalence of underperforming Wi-Fi networks is still much too common for my liking.

Great Wi-Fi starts with proper design. There are various approaches to WLAN design that have evolved over time, ranging from providing basic coverage to maximum capacity and situations in-between. 

At one end of the spectrum, we have a basic coverage oriented design. This was the historical way of designing a WLAN that simply involved ensuring adequate signal strength from access points was present in desired locations. At the other end of the spectrum is a design focusing on maximum capacity. This involves careful RF planning in order to integrate as many Wi-Fi cells as possible into a physical area.

The problem with both of these approaches is that they are the extremes and aren't applicable for many wireless networks. Basic coverage designs may still work for warehouses and some retailers and maximum capacity designs are great for stadiums and Continue reading