0

Interactions between QoS and IPSec on IOS and the ASA

Quality of Service configuration for the traffic entering/leaving a VPN tunnel may require some special considerations. In this article, I am going to focus on interactions between QoS and IPSec on IOS and the ASA.

There are two methods of deploying QoS for VPNs – you can match the original (Clear-text/ unencrypted) traffic flows or the actual VPN (Aggregate traffic). This second option can be useful when you want to apply a single QoS policy to all packets leaving a tunnel, no matter what are the original sources and destinations protected by the VPN.

We have got a VPN tunnel built between R1 and ASA. R6 and 10.1.1.0/24 are protected networks

Let’s start on IOS (R1). The VPN tunnel is already up – we will configure a basic QoS Policy to enable LLQ for delay-sensitive traffic, such as Voice (I assume these are all packets with DSCP of EF). Note that this configuration would normally match all EF-colored packets (including non-VPN EF traffic), but since we won’t have any clear-text EF flows in this network we don’t really care:

class-map match-all VOICE
match dscp ef
policy-map QOS
class VOICE
priority

int f0/0
service-policy output QOS

Voice traffic Continue reading

0

Time To Get More Advanced :: FCIP Pt. 2!

Part 1 of this blog series created a topology, much like you see below, where we configured a single vE (virtual expansion) port from MDS1 to MDS2 across an IP network.  We merged VSAN 10 across this FCIP tunnel and verified it by looking into the FCNS database and ensuring that we saw entries from both sides.  Today we are going to build upon this topology, and get into some more advanced features like changing the default TCP port, setting DSCP values for the two TCP streams, and controlling who initiates the tunnel!

So first things first…the default port for FCIP is TCP port 3225. We will terminate both of our TCP streams on this port (we have 1 stream for control and another for data traffic). Essentially 1 of the MDS’s will initiate the connection to the other, and their destination port will be TCP/3225. Their source port will be some high-number ephemeral port by default (usually over 65000). We can look at the output of a ‘show int fcip #’ to find out who initiated, and on which ports!

MDS1-6(config-if)# show int fcip1
fcip1 is trunking
Hardware is GigabitEthernet
Port WWN is 20:10:00:0d:ec:1f:a4:00
Peer port WWN is Continue reading

0

Lawmakers target data brokers in privacy bill

Four U.S. senators have resurrected legislation that would allow consumers to see and correct personal information held by data brokers and tell those businesses to stop sharing or selling it for marketing purposes.The Data Broker Accountability and Transparency Act, introduced by four Democratic senators Thursday, also would require the U.S. Federal Trade Commission to craft rules for a centralized website for consumers to view a list of data brokers covered by the bill.Data brokers collect personal information about consumers, often without their knowledge, and resell it to other businesses.To read this article in full or to leave a comment, please click here

0

Lawmakers target data brokers in privacy bill

Four U.S. senators have resurrected legislation that would allow consumers to see and correct personal information held by data brokers and tell those businesses to stop sharing or selling it for marketing purposes.The Data Broker Accountability and Transparency Act, introduced by four Democratic senators Thursday, also would require the U.S. Federal Trade Commission to craft rules for a centralized website for consumers to view a list of data brokers covered by the bill.Data brokers collect personal information about consumers, often without their knowledge, and resell it to other businesses.To read this article in full or to leave a comment, please click here

0

Endpoint Security Meets the Cybersecurity Skills Shortage

Just about every cyber-attack follows a similar pattern:  An end-user is fooled into clicking on a malicious link, downloading malware, or opening an infected file.  This is one of the early stages of the famous Lockheed Martin “kill chain.”Given this pedestrian malware workflow, endpoint security is absolutely key – catch an attack early when it compromises a few endpoints and you can avoid the more ominous phases of the kill chain including data exfiltration. To pull off today’s endpoint security requirements, you can’t assume that you can block all attacks using AV or patching software vulnerabilities.  Rather, you need smart security analysts skilled at detecting and responding to attacks on endpoint devices.To read this article in full or to leave a comment, please click here

0

Red Hat strips down for Docker

Reacting to the surging popularity of the Docker virtualization technology, Red Hat has customized a version of its Linux distribution to run Docker containers.The Red Hat Enterprise Linux 7 Atomic Host strips away all the utilities residing in the stock distribution of Red Hat Enterprise Linux (RHEL) that aren’t needed to run Docker containers.Removing unneeded components saves on storage space, and reduces the time needed for updating and booting up. It also provides fewer potential entry points for attackers.Containers are valuable for organizations in that they cleanly separate the application from the underlying infrastructure, explained Lars Herrmann, Red Hat senior director of product strategy.To read this article in full or to leave a comment, please click here

0

Thirteen new Official Repositories added in January and February

We are excited to highlight thirteen new Official Repositories that were added to Docker Hub in January and February. These repos feature both open-source and enterprise-ready content that will empower dev teams to build and deploy distributed applications.  Check them … Continued

0

ASA File Operation Tips

Delete from the active, upload to the Continue reading

0

Docker buys SDN start-up for container networking

Linux container company Docker this week said it would acquire SDN start-up SocketPlane, a developer of a native networking stack for Docker software.Terms of the acquisition were not disclosed. SocketPlane SocketPlane was founded last fall by former Cisco, Red Hat, HP, OpenDaylight and Dell officials. The company is looking to bring enterprise-grade networking to the Docker ecosystem by developing software designed to address the performance, availability and scale requirements of networking in large, container-based cloud deployments.To read this article in full or to leave a comment, please click here

0

SCALE13x – My talk: Switch as a Server

This past weekend, I had the opportunity to speak at SCALE13x in Los Angeles, on the Switch as a Server — treating your network switches in the same way you treat your servers.  It’s a topic I feel very strongly about!

As strong as my feelings are about open networking, I also love non-automotive forms of transportation!  So I decided to bike to the airport.  SFO has a lot of bicycle facilities so it was no problem to find parking.

 

 

Got to LA on the plane and then Rocket Turtle enjoyed the view by the airport!

 

… and met some of our great customers!

Scale is a unique conference in that they encourage canine attendance  — doggies!

 

 Friday night I helped out with a birds of a feather (BOF) event, giving advice to job hunters.  Did I mention we’re hiring?

On Saturday evening I won the Weakest Geek — a Weakest Link-style geek-themed trivia contest, run this Continue reading

0

Avi Networks’ analytics tools can be a network engineer’s best ally

In late 2014, Avi Networks came out of stealth mode with a product aimed at disrupting the application delivery controlled (ADC) market. Network World's Jon Gold did an excellent job covering the launch and the way Avi is attempting to differentiate itself, so I won't rehash what he has already covered.In the right environment, the value proposition of what Avi is doing should be obvious to anyone covering the software defined networking (SDN) or network functions virtualization (NFV) market. Avi brings a high level of agility to the ADC, enabling customers to deploy ADC resources anywhere they need to in the exact quantity required. The pay-as-you-grow model means organizations are no longer required to overpay for resources they won't need 90% of the time. Instead, they can provision for normal utilization and then purchase more capacity when the workloads require it.To read this article in full or to leave a comment, please click here

0

SDN, NFV and Skill Development for Network Engineers

Many people say there is no value anymore in taking CCIE these days. With SDN and NFV, everything will be done "auto-magically". We don’t even need network engineers anymore! Yeah, right. Last week I went back in Brussels to work on Network Control System, multi-vendor network device management tool from Tail-F that was acquired by Cisco June last year. NCS is the corner store of Cisco Network Service Orchestration framework for Cisco SDN and NFV solution offering. And I’m here to tell you that the world still need lots of network engineers, and CCIEs, or those who have CCIE-level skill set.

But first, let me talk more about NCS, a service orchestration for real-time service provisioning across multivendor networks.

Network devices were, and are still, configured using CLI. Then SNMP was created to help. Soon, we realized SNMP is great to monitor the network but it fails to become configuration management, as stated Continue reading

0

Unser neuer 31er Datacenter: Düsseldorf

Hallo Düsseldorf. Nestled in the center of the Lower Rhine basin lies the bustling city of Düsseldorf, capital of Germany’s most populous state, Northern Rhine-Westphalia. Provided its status as an international business and telecommunications hub, and serving a population larger than the Netherlands, our data center in Düsseldorf is an important addition to our European network. This means not only better performance in Germany and Northern Europe, but additional redundancy for our 10 other data centers throughout Europe, including our first German data center in Frankfurt.

For the local audience: Liebe Freunde in Düsseldorf, euer Internetanschluss ist schneller geworden und ihr könnt jetzt sicher surfen. Viel Spaß.

Not just any data center

Our Düsseldorf data center holds a special place in the heart of our legal counsel Ken Carter. When he’s not helping to build a better Internet, he is likely to be found regaling the office with tales of his adventures in the quaint medieval town of Bad Honnef am Rhein, just south of our new data center. Ban Honnef, most famously known as the world-wide headquarters for Birkenstock, can now add one more tale of note. Equidistant between Frankfurt and Dusseldorf, it is Continue reading

0

Adobe invites help hunting vulnerabilities in its online services

Adobe Systems launched a new program that encourages security researchers to find and report vulnerabilities in the company’s websites and other online services.Unlike companies like Google, Mozilla, Facebook or Twitter that pay monetary rewards for vulnerabilities found in their Web properties, Adobe’s program only promises public recognition for such contributions.“Bug hunters who identify a web application vulnerability in an Adobe online service or web property can now privately disclose the issue to Adobe while boosting their HackerOne reputation score,” said Pieter Ockers, the security program manager at Adobe, in a blog post Wednesday.To read this article in full or to leave a comment, please click here

0

MWC: Israeli startup Waze reveals what life is like under the Google umbrella

Waze, the fast growing urban navigation app, has revealed what life has been like after it was acquired by Google nearly two years ago.The Israeli firm was snapped up by the Silicon Valley internet giant for a reported $1.3 billion (£850 million) in June 2013 in what was one of Google's biggest ever acquisitions.Following the deal, each of Waze's 100 employees at the time received an average of $1.2 million (£780,000) but beyond that the Google acquisition hasn't had much impact on the way Waze operates, according to Di-Ann Eisnor, head of growth at Waze.+ SHOW COVERAGE See all the news out of MWC 2015 +To read this article in full or to leave a comment, please click here

0

MWC 2015: Microsoft partners with AT&T, Deutsche Telekom for SMB Office

Microsoft announced two Office-related partnerships for small- to medium-size business (SMB), with AT&T and Deutsche Telekom, at the Mobile World Congress event in Barcelona this week.The AT&T Mobile Office Suite deal with the second-largest mobile carrier involves Microsoft's Office 365 apps, along with unified access to voice calls, email, calendars, messaging, HD video conferencing, and file sharing, on almost any mobile device.The Microsoft Office 365 suite includes the usual apps – Word, Excel, and PowerPoint – plus Lync, Exchange, Outlook, and OneDrive, all usable from a desktop, laptop, smartphone or tablet. Lync allows for domestic or international voice calls while in the United States.To read this article in full or to leave a comment, please click here

0

OpenDNS trials system that quickly detects computer crime

A security system undergoing testing by a San-Francisco-based company aims to speed up the detection of websites and domains used for cybercrime.The technology is being developed by OpenDNS, which specializes in performing DNS (Domain Name System) lookups. The DNS translates domain names such as idg.com into an IP address that can be called into a browserOpenDNS offers a secure DNS service for ISPs and organizations that blocks requests from Web browsers to sites that may be associated with cybercrime or spoof a company such as PayPal.The company, which was founded in 2005, has grown so much that its systems respond to some 71 billion DNS requests per day. That’s just 2 percent of global DNS traffic but is enough of a sample to pick up on many cybercrime campaigns.To read this article in full or to leave a comment, please click here

0

Android tune-up: How to boost performance while you wait for Lollipop

Android 5.0 Lollipop has been heralded as the operating system’s biggest step forward to date. Improved battery life and performance through changes to Android’s core runtime and power management systems are among the most anticipated enhancements among users, given their promise of a faster, more efficient experience.At least that’s the theory. Unfortunately, for the 98 percent of Android devices eagerly awaiting their Lollipop update, there’s no way of knowing whether Lollipop will breathe new life into their devices. That’s where third-party developers can fill the performance gap, as they have been since Android’s earliest days.To read this article in full or to leave a comment, please click here

0

Android for Work pushes Google further into enterprise

Google's push into the enterprise gained steam last week when the company finally launched Android for Work, a containerization platform and standalone app for older Android devices that lets IT administrators create separate corporate and personal workspaces on Android smartphones and tablets.Android for Work is Google's latest attempt to address two of Android's most significant challenges for IT: security and fragmentation. The latest version of Android, v5.0, known as "Lollipop," now supports separate spheres for personal and work. Devices running older versions of the OS can access some of the same features in a separate Android for Work app.To read this article in full or to leave a comment, please click here

0

What’s in my toolbag – Update 2 – SergeantClips

Building on the “What’s in my toolbag” series that I revisited last week with the Fluke LinkSprinter, I wanted to talk about the next new item in my tool bag.  This week we will take a look at a product called SergeantClip.  The SergeantClip is used to help with cable management and switch replacements.  I […]

The post What’s in my toolbag – Update 2 – SergeantClips appeared first on Fryguy's Blog.