vSphere Network Security Policies

The idea of security in a vSphere vSwitch is a concept not usually discussed in vSphere peer groups or curricula. They are somewhat specialized features that are normally either not used, or irrelevant due to the presence of another switching architecture such as the vDS (including the Cisco Nexus 1000v) or VM-FEX, where these policies also exist and are much more feature-rich. Thus, the idea of performing these functions on a native vSwitch is usually not talked about.

Quiz #7 – MLS QOS

You have recently moved to a new company as a network administrator and you've started an audit of the existing network. Your network uses an end-to-end QOS approach between multiple offices. Access switches trust QOS markings received from IP Phones, and higher-layer devices trust the markings received from access switches, as seen in the diagram below.

Windows 2008/Vista/7 ARP Cache

1360422920.604391 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:152) (ttl 128, id 311, len 60)
...
1360422949.068248 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:171) (ttl 128, id 330, len 60)
...
1360422952.102077 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:173) (ttl 128, id 332, len 60)

Password Recovery – Nexus 5548

Recently I had to recover the admin password on the Nexus 5548. The Cisco doc was a little bit unclear, so I figured I’d make some notes on it.

First, reboot the switch. The power supplies on these don’t have an on/off switch, so you’ll have to pull the power cable.

When you see the output “Loading system…”, press the break sequence Ctrl+]. This will bring you into boot mode:

Version 2.00.1201. Copyright (C) 2009 American Megatrends, Inc.
Booting kickstart image: bootflash:/n5000-uk9-kickstart.5.2.1.N1.1b.bin....
...............................................................................
........................Image verification OK

INIT: I2C - Mezz absent
Starting system POST.....
  Executing Mod 1 1 SEEPROM Test:...done (0 seconds)
  Executing Mod 1 1 GigE Port Test:....done (32 seconds)
  Executing Mod 1 1 PCIE Test:.................done (0 seconds)
  Mod 1 1 Post Completed Successfully
POST is completed
can't create lock file /var/lock/mtab~193: No such file or directory (use -n flag to override)
nohup: redirecting stderr to stdout
autoneg unmodified, ignoring
autoneg unmodified, ignoring
Checking all filesystems....r. done.
^]Loading system  <

I was interested to see what commands are available in this mode; there are a few that I’ll use for the recovery (marked with ->):

switch(boot)# ?
Layer 2 ASA And OSPF

So recently I had to configure an OSPF adjacency between two routers.

I thought simply permitting multicast traffic to the All Routers and All DR/BDR Routers addresses would permit OSPF Hellos across the link and allow OSPF adjacencies to form. In fact, what I saw was the routers entering the EXSTART state and the neighbourship failing. I checked the manual; for an OSPF adjacency to form, the following conditions need to be satisfied:

- Area IDs need to match

- Neighbours need to be on the same subnet

- MTUs need to match

- Hello/Dead timers need to match

- Authentication (if any is configured)

So, what I saw was the routers entering the EXSTART state and the neighbourship dropping. Bear in mind that at this point the only thing permitted through the firewall, in both directions, was multicast traffic to 224.0.0.5 (the AllSPFRouters multicast address) using the OSPF protocol (IP protocol 89). So for some reason the DBD exchange was not taking place.

My initial reaction was to check the MTU size. I’d seen a similar issue before where an MTU mismatch (jumbo frames on one side, 1500 bytes on the other side) meant while the non-backbone area’s routes made

PBR – Policy Based Routing using Route map

How does the internet work - We know what is networking

About Policy-Based Routing

Policy-Based Routing (PBR) gives you a very simple way of controlling where packets will be forwarded before they enter the destination-based routing process of the router. It’s a technology that gives you more control over network traffic flow, because you will not always want to send certain packets by the obvious […]

Proxy and Reverse Proxy Server

This is a short reverse proxy caching overview that explains what a proxy is and what a reverse proxy is all about. A normal proxy cache topology is one where a server, called the proxy server, sits as an intermediate device between client and server. The proxy receives all requests from clients and it will […]

An Introduction to the Nexus 6000

There's a new Nexus in the family, the Nexus 6000. Here are the highlights.

                  Nexus 6001                       Nexus 6004
Size              1 RU                             4 RU
Ports             48 x 10G + 4 x 40G               48 x 40G fixed + 48 x 40G expansion
Interface type    SFP+ / QSFP+                     QSFP+
Performance       Line rate Layer 2 and Layer 3
Latency           1μs port to port
Scalability       128K MAC + 128K ARP/ND (flexible config), 32K route table, 1024-way ECMP, 31 SPAN sessions
Features          L2/L3, vPC, FabricPath/TRILL, Adapter FEX, VM-FEX
Storage           FCoE
Visibility        Sampled Netflow, buffer monitoring, latency monitoring, microburst monitoring, SPAN on drop/high latency

Quiz #6 – Routing protocols over IPsec

Your company is extending its network with a remote office in a different city. You configure an IPsec tunnel between the headquarters and the remote office, then run EIGRP over it, but soon you find that the tunnel flaps up and down continuously. What is the problem?

PVTD-VR

I have just published a virtual appliance with a free 30 hosts license. Enjoy. For more information about Private VLANs and what PVTD is all about, visit my website at http://marathon-networks.com

Quiz #5 – OSPFv3 Default Route into an NSSA Area

Your company's network consists of a CORE block running OSPF Area 0 and multiple buildings, with two distribution switches per building running OSPF NSSA areas.
You have asked your junior colleague to configure OSPFv3 (for IPv6) to match the same design as OSPFv2 (for IPv4), but something goes awfully wrong.

TCP Handshakes, Routing, Hairpinning – Oh My!

I’m working on setting up a lab that consists of leading storage and compute products for testing, and I ran into some interesting issues with a few different things…some with respect to the way the Cisco ASA does hairpinning, as well as allowed connections in such a configuration. There were also some routing issues experienced as a result, and I want to explore my experience in all of this during this post.