Getting started with Ansible

Getting started with AnsibleThe easiest way to describe Ansible is that it’s a simple but powerful it-automation tool. In the words of its creator Michael DeHaan “I wanted a tool that I could not use for 6 months, come back later, and still remember how it worked.” and it really feels like riding a bike. Even years from now when I take a look at an Ansible Playbook I’m sure I will immediately see what it does. Playbooks, which allows you to run several tasks together, are writting in YAML making them easy to read.

This guide is too short to teach you everything about Ansible. Instead the aim is to give you an idea of how you can use Ansible, and how it can help you manage your IT environment. Even if you don’t end up using Ansible, learning tools like it as Chef or Puppet can help you to think differently about how you operate your network.

Continue reading

Life is busy

I’ve had zero time to update the blog recently. As some of you may know, I recently started a new job with Google. I’ve moved my family and I over from the UK to Dublin, Ireland. To say I’m busy right now is an understatement. Not only is there a ton of reading for me […]

Getting started with Ansible

Getting started with AnsibleThe easiest way to describe Ansible is that it’s a simple but powerful it-automation tool. In the words of its creator Michael DeHaan “I wanted a tool that I could not use for 6 months, come back later, and still remember how it worked.” and it really feels like riding a bike. Even years from now when I take a look at an Ansible Playbook I’m sure I will immediately see what it does. Playbooks, which allows you to run several tasks together, are writting in YAML making them easy to read.

This guide is too short to teach you everything about Ansible. Instead the aim is to give you an idea of how you can use Ansible, and how it can help you manage your IT environment. Even if you don’t end up using Ansible, learning tools like it as Chef or Puppet can help you to think differently about how you operate your network.
Continue reading

Solicited-node multicast address

How does Internet work - We know what is networking

Some time ago I was working on IPv6 implementation and in that period I written an article about NDP (you can read it here). After a while I received some comments that is not written well so I reviewed a huge part of it. It looks my english was far worst two years ago that I was really aware of In the reviewing process I realised that NDP usage of Solicited-Node multicast addresses was not clearly explained. This is the follow-up article which should explain how and why Solicited-Node multicast address are used in NDP. Let’s go! Solicited-node multicast address is IPv6 multicast address used on the local L2

Solicited-node multicast address

VeloCloud & Information Brokerage

VeloCloud was the first presenter at Network Field Day 9. They are one of the new breed of SD-WAN vendors. I’m impressed by what they’re doing, and and the potential it offers for re-thinking the way we do WAN connectivity. But I think the most interesting part is the increased visibility into how networks are performing.

I won’t go into the details of how it all works – Brandon covers some of it here, and you can look through VeloCloud’s site to understand it more. I want to focus on a few details around data analysis, and information brokerage.

Internet Quality Monitoring

In this video, Kangwarn Chinthammit talks about how VeloCloud is using their devices to monitor Internet quality. Because they’re installed in a wide range of locations, with many different WAN connection types, they’re building up some interesting data.

They’ve been able to do some deeper analysis of the data, and break down quality measurements by location, circuit type, hour, and day. Some of the interesting results include:

  • A good ISP in one location may not be any good in another. So you can’t just pick one ISP.
  • Quality varies during the day, and across the year. It might be Continue reading

UNICEF, Airtel team up in Africa to widen access to free health, data analysis apps

UNICEF, the U.N. Children’s Fund, has made its RapidPro suite of apps available to Airtel customers for free across the 17 African countries in which the telecom company operates.The open-source family of applications is designed to help governments deliver rapid and vital real-time information and connect communities to lifesaving services. The apps offer health, education and youth-focused content.By introducing the apps to Airtel users, UNICEF content will be more accessible and data-gathering across regions made easier. RapidPro makes data related to interactions on the platform available in Excel for analysis.RapidPro also allows organizations to create personalized messages based on information collected from users, which could in turn increase response rates.To read this article in full or to leave a comment, please click here

Openstack Juno – Management interfaces

This blog is part of my series on Openstack Juno. In this blog, I will cover different management interfaces to Openstack. Following are the different management interfaces available. Horizon web interface CLI interface to each service. CLI interface is provided by Python script. Internally, the script calls the REST interface. REST interface. This is accessible … Continue reading Openstack Juno – Management interfaces

Openstack Juno services – Swift, Glance, Heat, Ceilometer

This blog is part of my series on Openstack Juno. In this blog, I will cover the usage of Openstack services Swift, Glance, Heat, Ceilometer. Swift: Swift is used for Object based storage. Its similar to AWS S3 service. First, create a container to store objects: $ swift post mycont Upload a file to the container $ … Continue reading Openstack Juno services – Swift, Glance, Heat, Ceilometer

Openstack Juno services – Nova, Cinder

This blog is part of my series on Openstack Juno. In this blog, I will cover the usage of Openstack services Nova, Cinder. I found this blog on Openstack services good in giving a highlevel overview of services and comparing individual Openstack services with Amazon AWS services. Nova basics: Nova is the Openstack compute service. Following … Continue reading Openstack Juno services – Nova, Cinder

CLN 2015 Designated VIPs

I wanted to take a moment and give a well-deserved congratulations to the 2015 Cisco Learning Network Designated VIPs. These fine folks spend a ton of time giving back to the community by helping others in their learning process.

New VIPs for 2015

  • Aref Alsouqi
  • Darren Starr
  • Joshua Johnson
  • Milan Rai

Returning from Previous Year(s)

  • Alain Cadet
  • Chandan Singh Takuli
  • Daniel Dib
  • DelVonte Deary
  • Elvin Arias
  • Erick
  • Jared Hainline
  • Jon K. Johnson (Jay)
  • Riikka Sihvonen

Again, a very warm welcome and congratulations to this group. Your contribution to the community is much appreciated.

Bios and more information for the 2015 VIPs can be found here–

 

Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may does not reflect the position of past, present or future employers.

Readers of this article may also enjoy:

  1. Learning Network VIPs for 2013
  2. Cisco VIRL – The Virtual Internet Routing Lab
  3. Cisco Announces 2014 VIPs for CLN and CSC
  4. Using Cisco’s DevNet “All-in-One VM” as a Free Router Lab
  5. Congrats to Chandan Singh Takuli, CCIE Voice

The post CLN 2015 Designated VIPs appeared first on PacketU.

Exploiting the Superfish certificate

As discussed in my previous blogpost, it took about 3 hours to reverse engineer the Lenovo/Superfish certificate and crack the password. In this blog post, I described how I used that certificate in order to pwn victims using a rogue WiFi hotspot. This took me also about three hours.

The hardware

You need a computer to be the WiFi access-point. Notebook computers are good choices, but for giggles I chose the "Raspberry Pi 2", a tiny computer that fits in the palm of your hand which costs roughly $35. You need two network connections, one to the Internet, and one to your victims. I chose Ethernet to the Internet, and WiFi to the victims.

The setup is shown above. You see the little Raspberry Pi 2 computer, with a power connection at the upper left, an Ethernet at the lower-left, and the WiFi to the right. I chose an "Alfa AWUS050NH" WiFi adapter, but a lot of different ones will work (not all, but most). You can probably find a good one at Newegg or Amazon for $10. Choose those with external antennas, though, for better signal strength. You can't really see it in this picture, but at Continue reading

10 Reasons why the Raspberry Pi 2 Model B is a killer product

The Raspberry Pi 2 Model B was recently released and it’s a serious step up from its predecessors. Before we dive in to what makes it an outstanding product, the Raspberry Pi family tree going from oldest to newest, is as follows:

  1. Raspberry Pi B
  2. Raspberry Pi A
  3. Raspberry Pi B+
  4. Raspberry Pi A+
  5. Raspberry Pi 2 Model B

The + models were upgrades of the previous board versions and the RPi2B is the Raspberry Pi B+’s direct descendent with added muscle. So, what makes the Raspberry Pi 2 Model B great?

  1. The Raspberry Pi 2 Model B has a 40 pin GPIO header as did the A+ and B+ and the first 26 pins are identical to the A and B models making the new board a drop-in upgrade for most projects. The new board also supports all of the expansion (HAT) boards used by the previous models.
  2. The Raspberry Pi 2 Model B has an identical board layout and footprint as the B+, so all cases and 3rd party add-on boards designed for the B+ will be fully compatible.
  3. In common with the B+ the Raspberry Pi 2 Model B has 4 USB 2.0 ports (compared to Continue reading

Discard Routing for RFC1918 Addresses

While working with firewalls for the last few years, I’ve seen many logs polluted with scanning traffic. Obviously this is the type of thing that I want to see when someone is legitimately scanning, or attempting to scan, through the firewall. However, there are a few cases that seeing this traffic is simply an indication of some other issue in the network.

An example I have seen on several occasions is someone configuring a network management station to discover 192.168.0.0/16, 172.16.0.0/12 or 10.0.0.0/8. If not properly handled in the routed network architecture, the associated traffic could make its way to the firewall or even to the ISP. An ASA might block the traffic due to policy, reroute it back toward the internal network, drop it due to the intra-interface hairpin configuration, or forward it onward. In most cases, this traffic will cause a lot of “noise” in the syslogs produced by the firewall.

To fully understand the problem, the diagram below can be used for discussion–

DiscardRouting

In this example, R1 has a static default route that points to the IP address of FW1. R1 advertises this via EIGRP to its internal neighbors. If a networked host attempts to reach Continue reading

Kubernetes DNS config on bare metal

One of the ‘newer’ functions of Kubernetes is the ability to register service names in DNS.  More specifically, to register them in a DNS server running in the Kubernetes cluster.  To do this, the clever folks at Google came up with a solution that leverages SkyDNS and another container (called kube2sky) to read the service entries and insert them as DNS entries.  Pretty slick huh?

Beyond the containers to run the DNS service, we also need to tell the pods to use this particular DNS server for DNS resolution.  This is done by adding a couple of lines of config to the kubernetes-kubelet service.  Once that’s done, we can configure the Kubernetes service and the replication controller for the SkyDNS pod.  So let’s start with the kubelet service configuration.  Let’s edit our service definition located here…

/usr/lib/systemd/system/kubernetes-kubelet.service

Our new config will look like this…

[Unit]
Description=Kubernetes Kubelet
After=etcd.service
After=docker.service
Wants=etcd.service
Wants=docker.service

[Service]
ExecStart=/opt/kubernetes/kubelet 
--address=10.20.30.62 
--port=10250 
--hostname_override=10.20.30.62 
--etcd_servers=http://10.20.30.61:4001 
--logtostderr=true 
--cluster_dns=10.100.0.10 
--cluster_domain=kubdomain.local 
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target

Notice that Continue reading

Alteon AppShape++ persistency and multiple scripts per service

Lab goal

Create new VIP on 10.136.6.17.

Using an AppShape++ script to choose the preconfigured group/pool "10".

Once the laodbalancer chooses a server, all requests from the client's source IP should go to the same server. This is called persistence or stickiness.

Setup


The loadbalancer is Radware's Alteon VA version 29.5.1.0

The initial Alteon VA configuration can be found here.

Notice the group and hosts are preconfigured:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
/c/slb/real 1
        ena
        ipver v4
        rip 10.136.85.1
/c/slb/real 2
        ena
        ipver v4
        rip 10.136.85.2
/c/slb/real 3
        ena
        ipver v4
        rip 10.136.85.3
/c/slb/group 10
        ipver v4
        add 1
        add 2
        add 3

 

Alteon configuration

First the AppShape++ script:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
/cfg/slb/appshape/script take_10/en/import


attach group 10

when HTTP_REQUEST {
    group select 10
}

-----END

Line 1 - This allows to just copy paste the whole text to Alteon's CLI. It defines a script if its not exists, enable it and imports it.
Line 7 - Selects Continue reading
1 3,539 3,540 3,541 3,542 3,543 3,761