Discard Routing for RFC1918 Addresses

While working with firewalls for the last few years, I’ve seen many logs polluted with scanning traffic. Obviously this is the type of thing that I want to see when someone is legitimately scanning, or attempting to scan, through the firewall. However, there are a few cases that seeing this traffic is simply an indication of some other issue in the network.

An example I have seen on several occasions is someone configuring a network management station to discover 192.168.0.0/16, 172.16.0.0/12 or 10.0.0.0/8. If not properly handled in the routed network architecture, the associated traffic could make its way to the firewall or even to the ISP. An ASA might block the traffic due to policy, reroute it back toward the internal network, drop it due to the intra-interface hairpin configuration, or forward it onward. In most cases, this traffic will cause a lot of “noise” in the syslogs produced by the firewall.

To fully understand the problem, the diagram below can be used for discussion–

In this example, R1 has a static default route that points to the IP address of FW1. R1 advertises this via EIGRP to its internal neighbors. If a networked host attempts to reach Continue reading

Kubernetes DNS config on bare metal

One of the ‘newer’ functions of Kubernetes is the ability to register service names in DNS.  More specifically, to register them in a DNS server running in the Kubernetes cluster.  To do this, the clever folks at Google came up with a solution that leverages SkyDNS and another container (called kube2sky) to read the service entries and insert them as DNS entries.  Pretty slick huh?

Beyond the containers to run the DNS service, we also need to tell the pods to use this particular DNS server for DNS resolution.  This is done by adding a couple of lines of config to the kubernetes-kubelet service.  Once that’s done, we can configure the Kubernetes service and the replication controller for the SkyDNS pod.  So let’s start with the kubelet service configuration.  Let’s edit our service definition located here…

/usr/lib/systemd/system/kubernetes-kubelet.service

Our new config will look like this…

[Unit]
Description=Kubernetes Kubelet
After=etcd.service
After=docker.service
Wants=etcd.service
Wants=docker.service

[Service]
ExecStart=/opt/kubernetes/kubelet 
--address=10.20.30.62 
--port=10250 
--hostname_override=10.20.30.62 
--etcd_servers=http://10.20.30.61:4001 
--logtostderr=true 
--cluster_dns=10.100.0.10 
--cluster_domain=kubdomain.local 
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target

Notice that Continue reading

Alteon AppShape++ persistency and multiple scripts per service

Lab goal

Setup

I'll use my Loadbalancer Lab Setup.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17

/c/slb/real 1
        ena
        ipver v4
        rip 10.136.85.1
/c/slb/real 2
        ena
        ipver v4
        rip 10.136.85.2
/c/slb/real 3
        ena
        ipver v4
        rip 10.136.85.3
/c/slb/group 10
        ipver v4
        add 1
        add 2
        add 3

Alteon configuration

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

/cfg/slb/appshape/script take_10/en/import


attach group 10

when HTTP_REQUEST {
    group select 10
}

-----END

Your Docker schedule at IBM Interconnect 2015

Box buys Airpost, a startup that keeps tabs on cloud app use

Box has acquired Airpost, a startup that helps enterprises detect and manage the use of cloud applications by their employees.Airpost, a two-year-old startup based in Toronto, announced the acquisition in a blog post on Friday. Box confirmed it has bought the company. Terms were not disclosed.Airpost will close operations on March 1. After that, customers won’t be able to use its product, founder and CEO Navid Nathoo said in an email message.But the concept seems sound: Airpost tells IT departments when employees start using cloud-based apps on their own and provides access controls and protections against potential vulnerabilities in those apps. The idea is to let employees keep using the apps they found and get the productivity they want, while keeping the enterprise secure.To read this article in full or to leave a comment, please click here

Superfish security flaw also exists in other apps, non-Lenovo systems

On Thursday security researchers warned that an adware program called Superfish, which was preloaded on some Lenovo consumer laptops, opened computers to attack. However, it seems that the same poorly designed and flawed traffic interception mechanism used by Superfish is also used in other software programs.Superfish uses a man-in-the-middle proxy component to interfere with encrypted HTTPS connections, undermining the trust between users and websites. It does this by installing its own root certificate in Windows and uses that certificate to re-sign SSL certificates presented by legitimate websites.To read this article in full or to leave a comment, please click here

Nomad: Mobile charging gadgets you need

I’ve tested any number of portable backup batteries designed to keep your phone running when you’re not near a power socket and I thought I’d pretty much seen most of the good ideas … until I opened a box that just arrived from Nomad. Nomad NomadKey with Apple Lightning connector Nomad NomadClipTo read this article in full or to leave a comment, please click here

AppFutura: How to outsource mobile development

If you’re a small company without developers or maybe a group within a large organization that can’t get any love from the corporate development team and you need a mobile app, where are you going to go? The whole process of connecting with third party developers, getting non-disclosure agreements signed, getting bids, correlating bids, and selecting which developers to work with is a daunting and non-trivial workload.Should you be in this particular boat, a service that launched late last year, AppFutura, can help you. AppFutura connects project owners and developers in a systematic way making the mobile app development process potentially less complicated and much more organized.To read this article in full or to leave a comment, please click here

iPexpert’s Newest “CCIE Wall of Fame” Additions 2/20/2015

Please join us in congratulating the following iPexpert client’s who have passed their CCIE lab!

This Week’s CCIE Success Stories

• Florian Brenner, CCIE #46529 (Wireless)
• Kanwal Chawla, CCIE #47128 (Collaboration)
• Ankit Bansal, CCIE #47099 (Data Center)
• Curtis Raams, CCIE #46953 (Collaboration)

This Week’s CCIE Testimonials

Esteban Paniagua, CCIE #46910
“I wanted to say thanks to the iPexpert team, since I contacted sales to book my 5 day lab boot camp the service they provided me was truly world-class!! I attended the Collaboration boot camp with Andy; he was really knowledgeable, willing to go over details during his explanations and had great communication skills. I passed my CCIE Collaboration on the first try, I wouldn’t have been able to do it without your materials and boot camp. Thanks again!”

Curtis Raams, CCIE #46953
“I can certainly confirm that your course was very well structured and combined with your virtual lab over VPN I was able to successfully study and pass the CCIE exam. I studied extensively the 900 page DSG and mock labs provided by Andy Vassar which provided sufficient and detailed learning with extensive explanations and use cases.

I would strongly recommend iPExpert to any person Continue reading

The Longest Match Rule

One of the the concepts that comes up occasionally is that of precedence. For example, one might consider the following routing table entries.

ip route 0.0.0.0 0.0.0.0 1.1.1.1              //default route
ip route 192.168.0.0 255.255.0.0 1.1.1.2      //supernet/cidr route
ip route 192.168.1.0 255.255.255.0 1.1.1.3    //network route
ip route 192.168.1.0 255.255.255.128 1.1.1.4  //subnet route
ip route 192.168.1.20 255.255.255.255 1.1.1.5 //host route

Questions often arise around which path a packet would take when it matches more than one entry. For example, a packet may have a destination address of 192.168.1.20. In this case it matches every single route entry.

The logic is actually simple, even straightforward. A packet will follow the most specific route entry that it matches. So a packet destined to 192.168.1.20 would be routed to a router at 1.1.1.5. If the destination happened to be 192.168.1.21, it would be routed over to 1.1.1.4.

Continue reading

Chip companies working to make Wi-Fi more maker-friendly

Texas Instruments and MediaTek have launched new offerings aimed at making it easier to build IoT (Internet of Things) devices with Wi-Fi connectivity.The chip makers have realized that their future isn't just in selling products to big companies, but also to a growing maker community whose products also need Wi-Fi connectivity.This week TI expanded its SimpleLink portfolio with two new modules, which promise to help add Wi-Fi connectivity without requiring any network experience. A similar promise came from MediaTek earlier this month when it launched a new Wi-Fi development platform.INSIDER: 5 ways to prepare for Internet of Things security threats To jump start Wi-Fi development, TI now offers the CC3100 module BoosterPack and the CC3200 module LaunchPad, which include an SDK and sample boards that can be connected directly to a PC.To read this article in full or to leave a comment, please click here

With $15 in Radio Shack parts, 14-year-old hacks a car

A teenager not even old enough to drive a car was able to wirelessly connect to a vehicle's internal computer network and control various functions.The 14-year-old built an electronic remote auto communications device with $15 worth of Radio Shack parts that were assembled in less than a night.Auto executives at a conference this week sponsored by the Center for Automotive Research revealed how stunned they were by the feat, which actually happened last summer, noting it shed light on the need for greater security as vehicles gain more wireless capabilities.MORE: 10 mobile startups to watch The boy, whose name is not being released, was among 30 other students ranging in age from high school to college undergraduates to PhD students who participated in the third annual Battelle CyberAuto Challenge. The year, make and models of the cars experimented on during the challenge were not disclosed.To read this article in full or to leave a comment, please click here

Python and Jinja2 Tutorial

“How should I get started with Network Automation?” I am often asked this question by network engineers looking to build new programming skills.  If you are brand new to writing Python scripts and are looking for an easy on-ramp to the network automation superhighway, I’d suggest starting with Jinja2 – the de-facto python template engine.  Template building […]

Author information

Jeremy Schulman

Making network automation humanly possible

20 year networking industry veteran. Field sales, automation solution architect, technical business development and software engineer by trade. Open-source contributor to Ansible, Puppet and Chef. I enjoy empowering others to be successful with network automation.

TwitterGoogle+LinkedIn

The post Python and Jinja2 Tutorial appeared first on Packet Pushers Podcast and was written by Jeremy Schulman.

Apple Car to be released in 2020, report claims

In just a week's time, the news cycle around Apple has transitioned from the impending launch of the Apple Watch to reports that the company is actively working to develop an electric car.More than just an anonymously sourced rumor, a number of reputable publications have all reported that Apple is looking to get into the car industry. Tthe Wall Street Journal, for example, reported a few days ago that Tim Cook has already authorized the development of a 1,000 strong team to get things rolling.Stoking the Apple car rumors considerably is a recent report from Bloomberg which relays that Apple has designs to begin vehicle production as early as 2020. Now given that the car manufacturing process for a veteran automaker-- from design to production -- can often take upwards of 7 years, a five year time frame for a newbie like Apple seems curiously short.To read this article in full or to leave a comment, please click here

PlexxiPulse—Simply A Better Network

As enterprises move from experimentation to full-fledged deployments of Big Data, supporting networks need to have the capabilities to support increased bandwidth. Our CEO, Rich Napolitano spoke with CRN’s Meghan Ottolini on this very subject recently. Rich explains how Plexxi’s architecture is designed to scale out to accommodate the next era of technology applications. See below for video footage; it’s definitely worth a look before you head out for your weekend.

Please find a few of our top picks for our favorite news articles of the week. Enjoy!

Nashua Telegraph: Plexxi likes the Nashua network
By David Brooks
There are plenty of reasons to locate a tech startup in one place rather than another. For networking firm Plexxi, part of Nashua’s appeal is institutional memory. “There’s definitely a talent base up here, from the days of Wang, DataGeneral and Digital. That’s a very complex, system-oriented world, ” said Rich Napolitano, who has been CEO since November, and whose first job out of college was at Digital Equipment Corp. in almost the same building where Plexxi now resides.

New York Times: HP Targets Cisco and Facebook With New Line of Open-Source Networking Gear
By Quentin Hardy
Hewlett-Packard said on Thursday that Continue reading

Apple reportedly exposing iOS to first public open beta

wikipedia The Apple community is buzzing today over a report from 9-to-5 Mac that the iPhone and iPad maker will be holding its first public open beta for iOS next month. This would be Apple's latest effort to do away with buggy releases for its mobile operating system. Early adopters of iOS 8 ran into various troubles, as did those early to download the first updates to that OS.To read this article in full or to leave a comment, please click here

Apple reportedly exposing iOS to first public open beta

wikipedia The Apple community is buzzing today over a report from 9-to-5 Mac that the iPhone and iPad maker will be holding its first public open beta for iOS next month. This would be Apple's latest effort to do away with buggy releases for its mobile operating system. Early adopters of iOS 8 ran into various troubles, as did those early to download the first updates to that OS.To read this article in full or to leave a comment, please click here

Network Break 28

Coffee, doughnuts and networking. A perfect combination.

Author information

Greg Ferro

Greg Ferro is a Network Engineer/Architect, mostly focussed on Data Centre, Security Infrastructure, and recently Virtualization. He has over 20 years in IT, in wide range of employers working as a freelance consultant including Finance, Service Providers and Online Companies. He is CCIE#6920 and has a few ideas about the world, but not enough to really count.

He is a host on the Packet Pushers Podcast, blogger at EtherealMind.com and on Twitter @etherealmind and Google Plus.

TwitterFacebookGoogle+LinkedIn

The post Network Break 28 appeared first on Packet Pushers Podcast and was written by Greg Ferro.

Google agrees to Italian privacy authority audits in the US

Google has agreed to on-the-spot audits at its U.S. headquarters in order to comply with Italy’s data protection laws.The Italian data protection authority (DPA) imposed several privacy measures on Google after an investigation into the company’s policies that was completed in July 2014. On Friday, the authority said Google will comply with all demands.The process to verify compliance calls for the DPA to check up on Google’s progress at its U.S. headquarters. It remains unclear when that will happen, though. “There is no precise appointment at the moment but there is an agreement to be able to go there,” a spokesman for the authority said.To read this article in full or to leave a comment, please click here

Enabling and Mounting NFS on CoreOS

I’ve written about CoreOS a fair amount (see here, here, and here), but one of the things that is both good and bad about CoreOS is the automatic update mechanism. It’s good because you know your systems will stay up to date, but it’s bad if you haven’t taken the time to properly address how automatic updates will affect your environment (for example, you’ve manually started some Docker containers instead of using systemd unit files—when the CoreOS system reboots after an update, your Docker containers will no longer be running). Re-architecting your environment to fully account for this change in architecture and behavior is a larger discussion than can be addressed in a single blog post, but in this post I want to at least tackle one small part of the discussion: separating your persistent data. In this post, I’ll show you how to mount an NFS share on a CoreOS instance deployed on OpenStack (or any cloud that leverages cloud-init).

Now, you could probably go into your CoreOS instance and manually make these changes, but that’s still thinking the old way. In addition to thinking about keeping persistent data separate, we (data center/cloud architects) also need Continue reading