Validation Testing Matters

A couple of weeks ago, a CLN Member Posted a question with the heading Does ASA drop active session.

The specific question was as follows–

I have a time based ACL configured on a Cisco ASA. I need to know if the active sessions are dropped by the ASA when the time limit is over.

For example, users are allowed to connect between 12 and 1 PM. If there are any active connections just before 1 PM then will they be dropped at 1 PM?

Many network and security administrators would blindly assume that a time-based ACL would block or allow traffic based on the time-range attached to the individual ACE. Having quite a lot of experience with the ASA, I was skeptical and assumed that any ongoing connections would continue to allow the flow of traffic. I decided to do a little testing and here is what I found.

  1. Viewing the ACL, the time based ACE (line in the ACL) switched from active to inactive about 60-70 seconds after I expected it to
  2. When testing with sessionized ICMP (fixup protocol icmp–to enable ICMP inspection), ICMP Echoes were blocked as soon as the ACE switched to inactive
  3. Testing with TCP, a connection through Continue reading

Configuring a load balancer with VMware NSX

In the previous post a NAT has been configured to allow access from external networks:   Now the edge router will act as a load balancer too: connection to the edge router with destination port 2222 will be balanced on both internal VM using the port 22. Go to “Networking & Security -> NSX Edges”, […]

Configuring NAT and firewall on a NSX Edge Router

On a previous post the edge router has been connected to external network: In this post NAT and Firewall will be configured to allow SSH access to VM1 from external networks. Go to “Networking & Security -> NSX Edges”, double click on the edge router and follow “Manage -> NAT”. Add a DNAT role so […]

But Does it Work?

When I was in the USAF, a long, long, time ago, there was a guy in my shop — Armand — who, no matter what we did around the shop, would ask, “but does it work?” For instance, when I was working on redoing the tool cabinet, with nice painted slots for each tool, he walked by — “Nice. But does it work?” I remember showing him where each tool fit, and how it would all be organized so we the pager went off at 2AM because the localizer was down (yet again), it would be easy to find that one tool you needed to fix the problem. He just shook his head and walked away. Again, later, I was working on the status board in the Group Readiness Center — the big white metal board that showed the current status of every piece of comm equipment on the Base — Armand walked by and said, “looks nice, but does it work?” Again, I showed him how the new arrangement was better than the old one. And again Armand just shook his head and walked away. It took me a long time to “get it” — to Continue reading

PQ Show 42 – HP Networking – Location Aware Wireless

This sponsored podcast is another in our series of recordings made at HP Discover 2014 in Barcelona, Spain. Once again, our special thanks to Chris Young for bringing us technical guests and not just fluffy marketing folks. Technical Marketing Engineer at HP Networking Yarnin Israel and Senior Research Scientist at HP Labs Souvik Sen join Packet […]

Author information

Ethan Banks

Co-host at Packet Pushers

Ethan Banks, CCIE #20655, has been managing networks for higher ed, government, financials and high tech since 1995. Ethan co-hosts the Packet Pushers Podcast, which has seen over 3M downloads and reaches over 10K listeners. With whatever time is left, Ethan writes for fun & profit, studies for certifications, and enjoys science fiction. @ecbanks
TwitterGoogle+LinkedIn

The post PQ Show 42 – HP Networking – Location Aware Wireless appeared first on Packet Pushers Podcast and was written by Ethan Banks.

PfSense VirtualBox Appliance as Personal Firewall on Linux

The tutorial explains how to set up pfSense VirtualBox appliance in order to use it as a personal firewall on Linux. It shows Linux network configuration to support this scenario and provides an installation script that automatically builds a VirtualBox virtual machine ready for pfSense installation. It also describes pfSense installation and shows minimal web configuration needed for successful connection to the Internet.

pfSense Live CD ISO disk can be downloaded from here.

1. Linux Network Configuration

We are going to install pfSsense from live CD ISO image on a VirtualBox virtual machine. To do so we must reconfigure an existing network interface, create a new one and configure new static default routes. A network topology consists of Linux Fedora with installed VirtualBox virtualizer. is shown below.

Picture1-Network_Topology

Picture 1 - Network Topology

A wireless network card is installed in Linux and presented as an interface wlp3s0. The interface wlp3s0 is the interface that connects Pfsense virtual machine to the outside world. This interface will be bridged with a first network adapter (em0) of the Pfsense virtual machine. Bridging host adapter wlp3s0 with the guest adapter em0 (WAN interface of Pfsense) will be done using vboxmanage utility and shown later in the tutorial.

As the Pfsense appliance is Continue reading

CoreOS overview

This blog is part of my ongoing series on Docker containers. In this blog, I will cover basics of CoreOS and some hands-on stuff I tried with CoreOS. As mentioned in my other blog on Docker  orchestration, CoreOS falls in the category of specialized Linux distributions that can host Containers and are suitable for massive server deployments. … Continue reading CoreOS overview

Welcome to MovingPackets.NET!

John Herbert

Welcome to my new home! If you’ve come over here because you used to read my drivel on LameJournal, then thank you! If you’re a new visitor, you are very welcome and I hope you choose to subscribe by RSS or Email so you can get notified of new posts.

MovingPackets.net is the new name for LameJournal. All the networking and computer-related content from LameJournal has been duplicated here at MovingPackets, but the photography content is gone and I’ll attempt to stay focused on things related to moving packets around as I post here going forward.

I have a new site theme, and with the new name as well, things are still likely to change a bit here visually (I have no logo yet for example). Still, there’s no time like the present so I decided to launch the site and I’ll tweak things as we go along with the aim of making the content more easily accessible. I hope you like my new home; it’s going to take a while before it feels comfortable!

Thanks for stopping in at MovingPackets.

John.

If you liked this post, please do click through to the source at Welcome to MovingPackets.NET! and give me a share/like. Thank you!

MovingPackets.NET – The New Name for LameJournal

I’ve been quiet lately, mostly because I’ve been horribly busy but also in part because I’ve been thinking that it’s about time to rebrand LameJournal to something that better reflects the content. And to that end, MovingPackets.net has been born. All the … Continue reading

If you liked this post, please do click through to the source at MovingPackets.NET – The New Name for LameJournal and give me a share/like. Thank you!

QoS Design Notes for CCDE

Trying to get my CCDE studies going again. I’ve finished the End to End QoS Design book (relevant parts) and here are my notes on QoS design.

Basic QoS

Different applications require different treatment, the most important parameters are:

  • Delay: The time it takes from the sending endpoint to reach the receiving endpoint
  • Jitter: The variation in end to end delay between sequential packets
  • Packet loss: The number of packets sent compared to the number of received as a percentage

Characteristics of voice traffic:

  • Smooth
  • Benign
  • Drop sensitive
  • Delay sensitive
  • UDP priority

One-way requirements for voice:

  • Latency ≤ 150 ms
  • Jitter ≤ 30 ms
  • Loss ≤ 1%
  • Bandwidth (30-128Kbps)

Characteristics for video traffic:

  • Bursty
  • Greedy
  • Drop sensitive
  • Delay sensitive
  • UDP priority

One-way requirements for video:

  • Latency ≤ 200-400 ms
  • Jitter ≤ 30-50 ms
  • Loss ≤ 0.1-1%
  • Bandwidth (384Kbps-20+ Mbps)

Characteristics for data traffic:

  • Smooth/bursty
  • Benign/greedy
  • Drop insensitive
  • Delay insensitive
  • TCP retransmits

Quality of Service (QoS) – Managed unfairness, measured numerically in latency, jitter and packetloss

Quality of Experience (QoE) – End user perception of network performance, subjective and can’t be measured

Tools

Classification and marking tools: Session, or flows, are analyzed to determine what class the packets belong to Continue reading

NFD9 Prep: NetBeez

I’m reviewing the presenters for Network Field Day 9, in particular looking at those I’m not familiar with. NetBeez is one of those making their first Tech Field Day appearance.

NetBeez

We all know that our users and the applications they access are incredibly distributed. We don’t control all the network elements, but the network team still gets the blame if things go wrong. You need greater visibility to prove it’s not the network, but getting that visibility is tough. Current options for probes aren’t always cost-effective to deploy across many sites. Many sites don’t have any local server infrastructure.

That’s where NetBeez comes in. They have developed Raspberry Pi-based agents that can easily be deployed to many locations. Plug in power, plug in a network cable, and it phones home. Go to the NetBeez dashboard, and from there you can configure the tests you want the agent to run.

Since the devices are so small, they can easily be deployed to a range of small sites, and can simulate a range of user traffic. Tests include Ping, HTTP, Traceroute, DNS. A particularly nice feature is the ability to run an ad-hoc iPerf test with custom parameters.

The dashboard shows you how the Continue reading

1 3,568 3,569 3,570 3,571 3,572 3,760