0

Is Anyone Using DMVPN-over-IPv6?

One of my readers sent me an interesting challenge: they’re deploying a new DMVPN WAN, and as they cannot expect all locations to have native (non-NAT) IPv4 access, they plan to build the new DMVPN over IPv6. He was wondering whether it would work.

Apart from “you’re definitely going in the right direction” all I could tell him was “looking at the documentation I couldn’t see why it wouldn’t work” Has anyone deployed DMVPN over IPv6 in a production network? Any hiccups? Please share your experience in the comments. Thank you!

0

See You in Bern on September 9th

TL;DR: I'll be in Bern on September 9th. If you'd like to drop by and discuss network design or automation challenges, read on…

Read more ...

0

IP Subnetting Part 4: Subnetting a Class C Network

At this point in the PacketU subnetting series, we have worked through the following–

• What is a Subnet?
• Simple Subnetting Examples
• Understanding the Binary

This article takes the concept of subnetting to the next step. Today we are going to look at the concepts required to subnet a Class C network. As we reflect on the Classful IP rules, we recall that a Class C network has the following characteristics–

• First octet begins with binary 110…..
• The first Octet will be in the range of 192 to 223
• The first three (three leftmost) octets represent a Network
• The last octet (rightmost) Octet represents a Host on a network

We also know that this single IP network can be further subdivided into multiple, but smaller, networks. This process is known as subnetting.

Continuing with the syntax used in previous articles, we might represent a Class C Network as follows–

192.168.100.0

In this example--

Blue  represents a Classful Network
Green represents a Host address

In this case the host address value is 0, so only the network is being represented here. Based on this information, we only have one IP network that can be assigned. That one network could Continue reading

0

Scalability Enhancements in Cisco Nexus 1000V

The latest release of Cisco Nexus 1000V for vSphere can handle twice as many vSphere hosts as the previous one (250 instead of 128). Cisco probably did a lot of code polishing to improve Nexus 1000V scalability, but I’m positive most of the improvement comes from interesting architectural changes.

Read more ...

0

Vuln bounties are now the norm

When you get sued for a cybersecurity breach (such as in the recent Home Depot case), one of the questions will be "did you follow industry norms?". Your opposition will hire expert witnesses like me to say "no, they didn't".

One of those norms you fail at is "Do you have a vuln bounty program?". These are programs that pay hackers to research and disclose vulnerabilities (bugs) in their products/services. Such bounty programs have proven their worth at companies like Google and Mozilla, and have spread through the industry. The experts in our industry agree: due-diligence in cybersecurity means that you give others an incentive to find and disclose vulnerabilities. Contrariwise, anti-diligence is threatening, suing, and prosecuting hackers for disclosing your vulnerabilities.

There are now two great bounty-as-a-service*** companies "HackerOne" and "BugCrowd" that will help you run such a program. I don't know how much it costs, but looking at their long customer lists, I assume it's not too much.

I point this out because a lot of Internet companies have either announced their own programs, or signed onto the above two services, such as the recent announcement by Twitter. All us experts think Continue reading

0

AppShape++ and SSL offloading

After running my fist AppShape++ script, I was wondering if it will work with SSL offloading as well.

Lets try it out, using my lab setup again, and I'll be adding on top my previous lab.



First I'll need to create SSL policy on the Alteon VA version 29.5.1.0:

 /c/slb/ssl/sslpol mySSL_Pol
        cipher "high"
        ena

This will select only high security encryption and integrity algorithms.

Next we need to create a self signed certificate:

>> LB1 - SSL Policy mySSL_Pol# /cfg/slb/ssl/certs/srvrcert

Enter server certificate id: mySRV_Cert
------------------------------------------------------------------
[Server certificate mySRV_Cert Menu]
     name     - Set descriptive certificate name
     generate - Create or update self-signed server certificate
     del      - Delete server certificate
     cur      - Display current server certificate configuration

>> LB1 - Server certificate mySRV_Cert# gen
This operation will generate a self-signed server certificate.
Enter key size [512|1024|2048|4096] [1024]: 2048
Enter server certificate hash algorithm [md5|sha1|sha256|sha384|sha512] [sha1]: sha256
Enter certificate Common Name (e.g. your site's name):  *.dans-net.com
Use certificate default values? [y/n]: y
Enter certificate validation period in days (1-3650) [365]: <enter>  
....
Continue reading

0

Internal Networking for the new UCS Modular Chassis

0

Ansible On the Road: September

Continue reading

0

My first week working at Cumulus Networks: Beyond A First Impression

Working at Cumulus Networks – it’s probably the most fun I’ve had at a job in a really long time.

The narrow stairway at 463 (and a half) Bryant Street was my first impression of working at Cumulus Networks. Victoria opened the door, and I said, “Wow, this door is tiny and those stairs- what is this, a speakeasy?” I got the sly, dry smile that I have come to see as indicative of Victoria and was escorted inside to the conference room of what looked like an empty apartment turned into an office. There, I met Kathleen and we chatted for half an hour. It was one of the most informal, comfortable, genuine experiences I’d ever had in a job search.

“Do you think you can commit to working at Cumulus Networks a few months, understanding it’s sort of up in the air right now, the future of this office, etc.?”

“Yeah, I think so. I mean, unless I become like, a famous author over night, or something. Which probably isn’t going to happen.”

Victoria glanced at my resume. “It says here that you published a book.”

“Two, actually. But you know… that’s how I Continue reading

0

Rant: You Are Not A Precious Snowflake. IT Infrastructure Is The Same Everywhere.

Vendors keep telling me that every business is different and customer have different needs. We all buy the same products from the same companies, use the same deployment methodologies and best practices, have the same problems and deliver the same results to the business. You aren't a precious snowflake.

The post Rant: You Are Not A Precious Snowflake. IT Infrastructure Is The Same Everywhere. appeared first on EtherealMind.

0

Verifying end-to-end QoS marking

A not so easy process about QoS involves the verification of end-to-end QoS marking: are the marks maintained through the all network? Before going deep, let’s recap how an IP packet can be marked: The IP field reserved for QoS is 8 bits long and it’s called TOS (Type of Service). RFC791 defines 3 bits for […]

0

Snabb Switch Deep Dive on Software Gone Wild

The pilot episode of Software Gone Wild podcast featuring Snabb Switch created plenty of additional queries (and thousands of downloads) – it was obviously time for another deep dive episode discussing the intricate innards of this interesting virtual switch.

During the deep dive Luke Gorrie, the mastermind behind the Snabb Switch, answered a long list of questions, including:

Read more ...

0

Chef Basics – Hello World for Chef

In my last post, we covered setting up the basic install of the Chef Server, the Chef client, and a test node that we bootstrapped with Chef.  Now let’s talk about some of the basics and hopefully by the end of this post we’ll get to see Chef in action!  Let’s start off by talking about some of the basic constructs with Chef…

Cookbooks
Cookbooks can be seen as the fundamental configuration item in Chef.  Cookbooks are used to configure a specific item.  for instance, you might have a cookbook that’s called ‘mysql’ that’s used to install and configure a MySQL server on a host.  There might be another cookbook called ‘httpd’ that installs and configures the Apache web server on a host.  Cookbooks are created on the Chef client and then uploaded and stored on the Chef server.  As we’ll see going forward, we don’t actually spend much time working directly on the Chef server.  Rather, we work on the Chef client and then upload our work to the server for consumption by Chef nodes. 

Recipes
Recipes are the main building block of cookbooks.  Cookbooks can contain the Continue reading

0

Alteon group selection by HTTP Host header using AppShape++

On the previous post I have used Content Rules to configure group (server pool) selection based on the Host header in HTTP.

This lab is also based on the lab setup I am using.


This time I'll do the same, but with AppShape++, which is similar to F5's iRules.

I want a2.dans-net.com to be served by SRV1 and b2.dans-net.com to be served by SRV2, any other host should be served by all web servers.

I'll use VIP 10.86.3.10 as the VIP. Here is how I edit my /etc/hosts files, which is c:windowssystem32driversetchosts :

10.136.6.10    a2.dans-net.com
10.136.6.10    b2.dans-net.com
First, I'll configured two new groups (server pools):

 /c/slb/group a2_dans
        add 1

 /c/slb/group b2_dans
        add 2

Next I'll write the AppShape++ script which will select a group based on the Host header:

attach group a2_dans
attach group b2_dans

when HTTP_REQUEST {
    switch -glob [HTTP::host] {
        "a2.dans-net.com" {
            group select a2_dans
        }
        "b2.dans*" {
Continue reading

0

How to show captured data from Cisco IOS on the fly in Wireshark/tcpdump

Monitor features in Cisco devices are able to show data flows but Cisco IOS lacks the option to export data on the fly. I wrote tiny GNU/Linux shell script to solve this restriction.

That is something like ASA capture (https://supportforums.cisco.com/document/69281/asa-using-packet-capture-troubleshoot-asa-firewall-configuration-and-scenarios) via HTTP/HTTPS.

I tested script on:

Router(config)#uname -a
IOSv Router IOS 15.4 Cisco IOS Software, vios Software (vios-ADVENTERPRISEK9-M), Experimental Version 15.4(20131213:232637) [lucylee-ca_pi23 137]
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Mon 16-Dec-13 19:50 by lucylee Unknown Unknown IOS

1. Create user and add privilege level 15 (root)

username user secret userpass
username user privilege 15

2. Start HTTP server, authentication style and optional (set max connection to 16 (default 5))

For security reasons you should set HTTP/HTTPS authorization with ACL and instead of HTTP use HTTPS server.

ip http server
ip http authentication local
ip http max-connections 16

3. Configure Monitor settings

Below I created a circular buffer called MY_BUFFER. Linear buffer is limited that means, if buffer is full IOS will stop capture. In circular buffer "old" data will be rewritten when buffer is full.

monitor capture buffer MY_BUFFER size 1024 max-size 9500 circular

Next step is to create a capture point. I created the Continue reading

0

Using BGP data to find Spammers

It’s long been assumed that Spammers use a technique called IP squatting to get around IP reputation lists and to make it harder to find the real source of the spammers. In this blog we’ll take a closer look at Spam operations and their techniques.

IP Squatting
We’ve all read the reports about IPv4 running out of free address space and while that is certainly true there’s still a lot of address space that has been allocated but is not actually routed on the Internet today. A significant portion of that space are prefixes that were allocated a long time ago and folks are no longer using these allocations, forgot about it or have other reasons to not use their IP address space on the Internet. IP squatters look for space that hasn’t been routed for a while and will claim ownership of the space. This can then be used for things such as Spamming. There is vast range address space that is not currently announced on the Internet and it is not uncommon for IP squatters to cycle through this space using one or more prefixes at a time for a brief period.

Below we’ll expose two actual Spam Continue reading

0

NFD8 Is Coming!

This one has seriously crept up on me; it’s only a week until the kickoff presentation for Networking Field Day 8 in Silicon Valley. I’m truly honored to be able to attend another Tech Field Day event, and this one … Continue reading →

If you liked this post, please do click through to the source at NFD8 Is Coming! and give me a share/like. Thank you!

0

Using Differentiated Services to Tame Elephants

This post was co-authored by Justin Pettit, Staff Engineer, Networking & Security Business Unit at VMware, and Ravi Shekhar, Distinguished Engineer, S3BU at Juniper Networks.

********************

As discussed in other blog posts and presentations, long-lived, high-bandwidth flows (elephants) can negatively affect short-lived flows (mice). Elephant flows send more data, which can lead to queuing delays for latency-sensitive mice.

VMware demonstrated the ability to use a central controller to manage all the forwarding elements in the underlay when elephant flows are detected.  In environments that do not have an SDN-controlled fabric, an alternate approach is needed.  Ideally, the edge can identify elephants in such a way that the fabric can use existing mechanisms to treat mice and elephants differently.

Differentiated services (diffserv) were introduced to bring scalable service discrimination to IP traffic. This is done using Differentiated Services Code Point (DSCP) bits in the IP header to signal different classes of service (CoS). There is wide support in network fabrics to treat traffic differently based on the DSCP value.

A modified version of Open vSwitch allows us to identify elephant flows and mark the DSCP value of the outer IP header.  The fabric is then configured to handle packets Continue reading

0

Fibre Channel and FCoE: Some Basics

There’s been some misconceptions and misinformation lately about FCoE. Like any technology, there are times when it makes sense and times when it doesn’t, but much of the anti-FCoE talk lately has been primarily ignorance and/or wilful misrepresentation.

In an effort to fight that ignorance, I put together a quick introduction to how FC and FCoE works. They both operate on the basic premise that you can’t drop any frames. Fibre Channel was built as a lossless protocol, and with a bit of work, Ethernet can also be lossless.

Check it out:

0

Just Published: SDN and OpenFlow – The Hype and the Harsh Reality

If you’re a regular reader of my blog, you know that I spent a lot of time during the last three years debunking SDN myths, explaining the limitations of OpenFlow and pointing out other technologies one could use to program the network.

During the summer of 2014 I organized my SDN- and OpenFlow-related blog posts into a digital book. I want to make this information as useful and as widely distributed as possible – for a limited time you can download the PDF free of charge.

Learn more about the book