0

iRules/Tcl – Watch the Comments

It’s pretty common practice to ‘comment out’ lines in scripts. The code stays in place, but doesn’t get executed. Perfect for testing, when you might need more debug output, or you want to run a slightly different set of actions. But you have to be careful when commenting out lines – it might catch you out, and the F5 iRules editor won’t save you.

Normally it’s pretty simple to comment out a line. Here’s a quick Bash example:

#!/bin/bash

FILECOUNT=`ls /tmp|wc -l`

if [ $FILECOUNT -lt 7 ]
 then
        echo "There are fewer than 7 files in /tmp"
        run_command
fi
...

When I’m testing the script, I might not want to actually run that command. So I’ll quickly comment it out like this:

#!/bin/bash

FILECOUNT=`ls /tmp|wc -l`

if [ $FILECOUNT -lt 7 ]
 then
        echo "There are fewer than 7 files in /tmp"
        #run_command
fi
...

The ‘#’ tells the shell to ignore anything else on that line. All pretty straightforward.

Today I was debugging an F5 synchronisation issue, where I got this message on synchronisation:

BIGpipe parsing error (/config/bigip.conf Line 333):
   012e0054:3: The braced list of attributes is not closed for 'rule'.

The offending section looked like this:

when  Continue reading

0

Wires Are The Exception

Last week I went to go talk to a group of vocational students about networking.  While I was there, I needed to send a couple of emails.  I prefer to write emails from my laptop, so I pulled it out of my bag between talks and did the first thing that came to mind: I asked for the wireless SSID and password.  Afterwards, I started thinking about how far we’ve come with connectivity.

I can still remember working with a wireless card back in 2001 trying to get the drivers to play nice with Windows 2000.  Now, wireless cards are the rule and wired ports are the exception.  My primary laptop needs a dongle to have a wired port.  My new Mac Mini is happily churning along halfway across the room connected to my network as a server over wireless.  It would appear that the user edge quietly became wireless and no tears were shed for the wire.

It’s also funny that a lot of the big security features like 802.1x and port security became less and less of an issue once open ports started disappearing in common areas.  802.1x for wired connections is barely even talked about Continue reading

0

Using New Relic Server Monitoring With Cumulus Linux

One of the most visible trends on the Web today is the “SaaS-ification” of the enterprise. Major productivity functions like email and calendaring, customer relationship management (CRM), and IT systems management are gaining greater value by being deployed as cloud-based services. IT and systems monitoring companies like New Relic are thriving in the cloud as well.

Another major trend, one that Cumulus Networks is at the forefront of, is the transformation of the “switch as a server.” If you aren’t familiar, check out Cumulus Networks engineer Leslie Carr’s excellent PuppetConf 2014 presentation. Since Cumulus Linux supports Debian-based packages out of the box, we decided to take New Relic’s Server Monitoring product for a spin. We wanted to see how Cumulus Linux extends Server Monitoring’s functionality to monitoring switches.

Once logged into Cumulus Linux, installing the server agent takes just a few minutes, as expected. Leveraging the documentation and installation guide allowed us to get up and running in minutes.

Since it’s SaaS, there is obviously no server deployment required, so all you have to do is to log in to your New Relic account and start looking at the performance data that is automagically pushed to your dashboard. Here’s Continue reading

0

Python: Building a Simple NETCONF RPC Tool

Python: Building a simple NETCONF RPC Tool

For a while now I’ve been playing with NETCONF primarily with Cisco Nexus devices. It’s struck me how difficult it is to get good information on doing trivial things like building a simple NETCONF RPC wrapper

How would this be generated for instance? This is wrapper that can be submitted to the ‘xmlagent’ or ‘netconf’ subsystem on a Cisco Nexus device. Note the use of namespaces (nf:rpc, nxos:cmd) where nxos is a namespace? XML is easy for the most part. Namespaces on a personal level meant learning something new and how to deal with that knowledge programmatically.

<?xml version='1.0' encoding='ISO-8859-1'?>
<nf:rpc xmlns:nxos="http://www.cisco.com/nxos:1.0" xmlns:nf="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="42">
  <nxos:exec-command>
    <nxos:cmd>interface ethernet 2/1; shutdown</nxos:cmd>
  </nxos:exec-command>
</nf:rpc>
]]>]]>

Other than generating it via a text string and formatting placeholders with “%s”, there has to be a better way! Indeed there is!

NETCONF 101

The IPEngineer definition: NETCONF is an IETF standardizsed RFC (6241) defined mechanism to configure network devices over some kind of channel using XML encoded data over a secure layer such as SSH. When the channel is opened, a NETCONF ‘Hello’ exchange takes place between the client and Continue reading

0

See Schprokits Dance! Demo of Unreleased Code

My second “Secret Sunday” post back in August introduced Schprokits, a company founded by Jeremy Schulman, previously the Director of Network Automation at Juniper.

I was truly flattered when Jeremy invited me to be part of a small team testing early Schprokits code (and trust me, I am way outclassed by the rest of the testers!), and having had a chance to try out what is probably only a small proportion of the code, I thought I would take the opportunity to share some early impressions of the software.

TLDR: I’m having fun!

What Is Schprokits?

The Schprokits website says that it is “Inspired By DevOps. Built For NetOps.” Jeremy is trying to take the principals behind DevOps and apply them to something that’s usable by people who don’t program every day but want to automate their networks nonetheless. And so it does. Schprokits “coding” is based around Workbooks and those workbooks contain a number of Actions. Workbooks are written in YAML which is probably one of the easier formats to learn as it’s very human-readable. In case you haven’t seen YAML before, what do you think is going on in the code below?

  actions:
    - info:  Continue reading

0

See Schprokits Dance! Demo of Unreleased Code

My second “Secret Sunday” post back in August introduced Schprokits, a company founded by Jeremy Schulman, previously the Director of Network Automation at Juniper. I was truly flattered when Jeremy invited me to be part of a small team testing … Continue reading →

If you liked this post, please do click through to the source at See Schprokits Dance! Demo of Unreleased Code and give me a share/like. Thank you!

0

Introduction to Using Cisco NX-API

0

Dealing with vs. Celebrating failure

There’s a meme that has been making the rounds through leadership circles for some time around celebrating failure. If you aren’t failing, you aren’t pushing the boundaries. The original premise of this line of thinking is that failure is not something to be feared. But there is a difference between using failure to learn well-earned lessons and declaring success after blowing up on the launchpad.

The failure cliches

It’s worth starting with some of the most common cliches around failure:

• I have not failed. I’ve just found 10,000 ways that won’t work. — Thomas Edison
• Success is not final, failure is not fatal: it is the courage to continue that counts. — Winston Churchill
• There is only one thing that makes a dream impossible to achieve: the fear of failure. — Paulo Coelho
• Only those who dare to fail greatly can ever achieve greatly. — Robert F Kennedy

Doing a simple web search for failure quotes yields hundreds more. The basic gist of the resulting tome of sayings? Anything worth doing is difficult, and achieving anything great is unlikely to happen on the first try.

The side note no one mentions

It is absolutely true that forging a new path Continue reading

0

Do We Have Too Many Knobs?

The last day of Interop New York found me sitting in the Speaker Center with a few friends pondering the hype and reality of SDN and brokenness of traditional network products. One of the remarks during that conversation was very familiar: “we have too many knobs to configure”, and I replied “and how many knobs do you think there are in Windows registry?" (or Linux kernel and configuration files).

Read more ...

0

SDN Deployments/Worries Rise Among Service Providers

SDN Deployments/Worries Rise Among Service Providers

---

by Steve Harriman, VP of Marketing - November 18, 2014

For the second consecutive year, Packet Design surveyed attendees of the SDN/MPLS International Conference in Washington, D.C. about SDN adoption, business drivers, and concerns. The answers – mostly from service providers – were very interesting compared to the 2013 survey. Overall, use of SDN in production networks is up, but so are concerns about everything from industry standards to management skills to tools. Here’s a rundown of the results (also summarized in our announcement). 

Production SDNs Increase 

More than half of this year’s survey respondents (53 percent) said they have some production SDN deployed, compared to only 19 percent of survey respondents in 2013. Of those, about 42 percent have up to 25 percent of their networks SDN-enabled. Only 11 percent indicated having between 26 and 75 percent of their networks as production SDN. 

Business Agility, New Services Up as Top Business Drivers 

The number of survey respondents who consider “agility to respond faster to business demands” as their number one driver jumped by 150 percent (65 percent in 2014 vs. only 26 percent in 2013). Nearly Continue reading

0

MAC Address Aggregation and Translation as an Alternative to L2 Overlays

Not so long ago, if you wanted to build a data center network, it was perfectly feasible to place your layer three edge on the top-of-rack switches and address each rack as its own subnet. You could leverage ECMP for simple load-sharing across uplinks to the aggregation layer. This made for an extremely efficient, easily managed data center network.

Then, server virtualization took off. Which was great, except now we had this requirement that a virtual machine might need to move from one rack to another. With our L3 edge resting at the top of the rack, this meant we'd need to re-address each VM as it was moved (which is apparently a big problem on the application side). So, now we have two options: We can either retract the L3 edge up a layer and have a giant L2 network spanning dozens of racks, or we could build a layer two overlay on top of our existing layer three infrastructure.

Most people opt for some form of the L2 overlay approach, because no one wants to maintain a flat L2 network with dozens or hundreds of thousands of end hosts, right? But why is that?

Continue reading · 1 Continue reading

0

Three Things We Can Learn From Facebook’s Altoona Data Center Network Design

0

Introduction to Using Cisco NX-API

I’ve posted a few times in the past about Cisco’s NX-API and realized I hadn’t provided any guidance on how to get started using the API itself. In this post, I share two videos that are meant to serve as a quick start to those who don’t have a development background and are looking to test NX-API.

The first video looks at the NX-API sandbox and how you map the data represented in the sandbox back into objects that you can use while working in Python.
The second video shows where to get the modules that I use in the first video, namely xmltodict and device.py.

Note: the device module that I use is primarily used with XML data being returned from the device. The easiest thing for those who want to test is to follow the steps outlined in the videos although there are mechanisms to switch to JSON. This device module does not support json-rpc (as that is still fairly new in NX-API).

And, don’t forget, you’ll need to connect to your Nexus 3K/9K via the management interface to work with NX-API.

Videos

Introduction Part 1

Introduction Part 2

Other NX-API links to check out:

Cisco Nexus Continue reading

0

L2 DCI failure remediation with proxy ARP

I had the pleasure of taking an interstate road trip with Ethan Banks last weekend. Naturally, we talked shop a bit.

Somewhere in Connecticut we were speculating about the possibility of using host routes and proxy ARP to restore connectivity between members of a subnet when an L2 DCI fails.

Would a router produce proxy ARP replies for destinations which are members of a directly connected network?

I labbed it up to find out.

Don't do it!

The routers run different HSRP groups. One per data center.

Hosts are configured to use the local HSRP address as their default gateway. There is no FHRP localization other than the configuration on the hosts. This is not a scheme that facilitates VM mobility between sites.

Each router uses an IP SLA monitor to check the L2 interconnect. This is accomplished by pinging the other site's HSRP address. The IP SLA monitor drives a tracking object (track 1). The tracking object drives a second tracking object (track 2) with inverted logic: when the routers can't ping each other track 2 transitions to "up":

 ! IP SLA monitor on R1
 ip sla 1
  icmp-echo 192.168.1.2 source-interface FastEthernet0/1
 ip  Continue reading

0

Prepare Your Site for Traffic Spikes this Holiday Season

The holiday season is approaching, and everyone is thinking about gifts for their friends and family. As people increasingly shop online, this means huge spikes in traffic for web sites---especially ecommerce sites. We want you to get the most out of this year’s surge in web traffic, so we’ve created a list of tips to help you prepare your site to ensure your visitors have a reliable and fast experience.

Make sure your site can handle traffic spikes:

1) Contact your hosting provider to understand the limits of your hosting plan

Even though CloudFlare offsets most of the load to your website via caching and request filtering, a certain amount of traffic will still pass through to your host. Knowing the limits of your plan can help prevent a bottleneck from your hosting plan.

2) Reduce the number of unwanted requests to your infrastructure

CloudFlare allows you to block IP address individually or IPs from entire regions. If you don’t want or need traffic from certain IPs or regions, you can block them using your Threat Control panel. This is useful for sites who know where their visitors usually come from.

For example, if you run an ecommerce site with Continue reading

0

Cisco On Net Neutrality Isn’t What It Seems

Chambers pointed the finger at Net Neutrality for a slow down in purchasing by carriers in US markets and that he perceives it as damaging to Cisco business interests. I find it more credible that SDN/NFV is slowing capital investments than some far off political change.

The post Cisco On Net Neutrality Isn’t What It Seems appeared first on EtherealMind.

0

Complexity vs Security

Many of the ‘security’ measures in our networks add complexity. That may be an acceptable tradeoff, if we make a meaningful difference to security. But often it feels like we just add complexity for no real benefit.

Here’s some examples of what I’m talking about:

• Multiple Firewall Layers: Many networks use multiple layers of firewalls. If you have a strong policy that says all traffic must go via a server within a DMZ, this makes sense. But often we end up with the same connections going through multiple firewalls. We end up configuring the same rules in multiple places. No security benefit, but increased chance of making mistakes, and added troubleshooting complexity.
• Chained proxies: It’s pretty common to use a proxy server, to enforce HR and security controls on what users browse. But some organisations have chained proxies, where an internal proxy server connects to an upstream proxy server to get Internet access. The upstream proxy doesn’t add anything from a policy or control perspective. It’s just another point to configure and troubleshoot.
• NAT/Routing: First let me be clear: NAT is not complete security in itself, but it can form a valid part of your overall network security policy. That Continue reading

0

State of the State for Open vSwitch

This week, VMware will be hosting the Open vSwitch 2014 Fall Conference, with more than 200 attendees and nearly two dozen talks on a variety of subjects from a key participants.  The full schedule is available here, and we’ll be doing a wrap up of some of the takeaways from the conference a bit later.

For the uninitiated, Open vSwitch is a production quality, multilayer virtual switch licensed under the open source Apache 2.0 license.  It is designed to enable massive network automation through programmatic extension, while still supporting standard management interfaces and protocols (e.g. NetFlow, sFlow, IPFIX, RSPAN, CLI, LACP, 802.1ag).  In addition, it is designed to support distribution across multiple physical servers similar to VMware’s vDS or Cisco’s Nexus 1000V. See full feature list here

For more information on OVS, I encourage you to check out the OVS website.

In the mean time, take a read about latest Open vSwitch developments in this post on Network Heresy by OVS core contributors Justin Pettit, Ben Pfaff, and Ethan Jackson.

Accelerating Open vSwitch to “Ludicrous Speed”

Roger

0

But I’ve got an ‘Excellent Signal’!!?

Ever so often I find myself troubleshooting some type of wireless related issue, and while wireless issue’s vary from Slow performance Clients can’t connect Poor voice performance Or even random disconnects, the list is endless. However one of the common things I hear during the troubleshooting process is without a doubt along the lines of: […]

0

The Degree or the Certification: You are Not a Widget

One of the things that bothers me the most about the Internet of Things (IOT) is how blithely we slip from talking about objects as things to people as things. Among all the things I do not want to be, a “thing,” attached to the “Internet of Things,” is not one of them. What does this have to do with the question of whether you should get a degree or a certification? Simply this: You shouldn’t treat yourself as a widget, either.

Let me explain.

I can’t count the number of times I’ve heard people say, “You should get a certification because it provides more bang for the buck.” In fact, in one rather amusing line of reasoning on the subject, Peter Thiel (who started the Thiel Foundation to encourage smart young people to quit college and take up a career instead), said in a recent interview:

Educational institutions are far too often interested in churning out graduates (i.e., getting their money) without imparting the ability to think rather than just work the system.

To paraphrase, you should opt out of college because colleges are just in the game to make money off you, and you’ll make Continue reading