Friday Distraction: Who’s Leaking >/24 to Global BGP?

[It occurred to me after finishing this that I should have done everything based on ASN, but play time is over for the day...]

An interesting conversation with my friend @denise_donohue led to this question: what providers are leaking prefixes longer than /24 to the global Internet?

Following my continuing theme of "fun stuff you can do by combining IOS and Bash", I ran a two-step process via one of my BGP routers to get the answer:

$ ssh routername 'show ip bgp prefix-list GT24' > /tmp/gt24.txt

$ grep "^*" /tmp/gt24.txt | awk '{print $1}' | sed 's/*>i//g' | awk -F. '{OFS=".";print $1,$2 ".0.0"}'  | sort -u | xargs -i whois {} | grep netname | sort -u

Here's the breakdown:

Extract just the valid BGP prefixes from the router output:

grep "^*" /tmp/gt24.txt | awk '{print $1}'

Extract just the prefix itself (stripping the "*>i" status codes), substitute ".0.0" for the last two octets to normalize each prefix to its parent /16, then remove duplicates:

| sed 's/*>i//g' | awk -F. '{OFS=".";print $1,$2 ".0.0"}' | sort -u

Send those prefixes one-by-one to the "whois" command, extract the "netname" field, Continue reading
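As an added example (not code from the original post), here is the prefix-extraction stage of the pipeline above run offline against a constructed sample in the shape of "show ip bgp" output; the whois stage is left out so it needs no network access. It goes a little beyond the original in two ways: it filters on the prefix length itself rather than relying on the router's GT24 prefix-list, and it accepts both the "*>i<prefix>" layout (status codes fused to the prefix, as in the post) and the "*> <prefix>" layout where the prefix is a separate field. The sample addresses are documentation ranges, not real leaks.

```shell
# Added example; not code from the original post. Constructed sample
# in the shape of IOS "show ip bgp" output (documentation addresses only).
SAMPLE_BGP='BGP table version is 12, local router ID is 192.0.2.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
   Network          Next Hop            Metric LocPrf Weight Path
*> 192.0.2.0/25     198.51.100.1             0             0 64496 i
*>i203.0.113.128/25 198.51.100.2             0    100      0 64497 i
*  192.0.2.128/26   198.51.100.3             0             0 64498 i
*> 198.51.100.0/24  198.51.100.1             0             0 64496 i
*>i203.0.113.0/27   198.51.100.2             0    100      0 64497 i'

# Read "show ip bgp" text on stdin; print the parent /16 of every valid
# prefix longer than /24, one per line, deduplicated.
#   grep  : keep only lines carrying a valid-route status code ("*")
#   sed   : strip the status-code column, whether or not it is fused
#           to the prefix ("*>i1.2.3.0/25" and "*> 1.2.3.0/25" both work)
#   awk 1 : the prefix is now the first field
#   awk 2 : keep only prefixes with a mask longer than /24
#   awk 3 : replace the last two octets with ".0.0" (parent /16)
parent16_of_long_prefixes() {
    grep '^\*' \
      | sed 's/^\*[> i]*//' \
      | awk '{print $1}' \
      | awk -F/ 'NF == 2 && $2 > 24 {print $1}' \
      | awk -F. '{OFS="."; print $1, $2 ".0.0"}' \
      | sort -u
}

# Apply the filter to the constructed sample. Four of the five prefixes
# are longer than /24 and fall into two /16s; the /24 is dropped.
demo_parent16() {
    printf '%s\n' "$SAMPLE_BGP" | parent16_of_long_prefixes
}

demo_parent16
```

To reproduce the post's last stage, append the original's `| xargs -i whois {} | grep netname | sort -u` to the output of `parent16_of_long_prefixes`; note that the /16 parent is only a convenience for the whois lookup, and the post's own caveat that doing this per origin ASN would be more accurate still applies.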

Healthy Paranoia Show 11: Bro – the Outer Limits of IDS

Join Mrs. Y, Taylor Banks and esteemed Nerd Captain Ivan Pepelnjak for another exciting episode of Healthy Paranoia!  In this installment, we discover the day the security industry stood still for Bro IDS with expert and project contributor Liam Randall. Just a few of the fun facts you’ll learn include: The real meaning of “bromance.” […]

Author information

Mrs. Y

Snarkitecht at Island of Misfit Toys

Mrs. Y is a recovering Unix engineer working in network security. Also the host of Healthy Paranoia and official nerd hunter. She likes long walks in hubsites, traveling to security conferences and spending time in the Bat Cave. Sincerely believes that every problem can be solved with a "for" loop. When not blogging or podcasting, can be found using up her 15 minutes in the Twittersphere or Google+ as @MrsYisWhy.

The post Healthy Paranoia Show 11: Bro – the Outer Limits of IDS appeared first on Packet Pushers Podcast and was written by Mrs. Y.

A Small Yellow Wooden Door: Thinking Practically About SDN

As I do most days, I took a walk in the woods at the back of my garden after a hearty dinner. I was quite surprised to come across a small wooden yellow door I’d never seen before, set into the trunk of a tree I’d never noticed until today. I opened the door and squeezed […]

Author information

Steven Iveson

Steven Iveson, the last of four children of the seventies, was born in London and has never been too far from a shooting, bombing or riot. He's now grateful to live in a small town in East Yorkshire in the north east of England with his wife Sam and their four children.

He's worked in the IT industry for over 15 years in a variety of roles, predominantly in data centre environments. Working with switches and routers pretty much from the start he now also has a thirst for application delivery, SDN, virtualisation and related products and technologies. He's published a number of F5 Networks related books and is a regular contributor at DevCentral.

The post A Small Yellow Wooden Door: Thinking Practically About SDN appeared first on Packet Pushers Podcast and was written by Steven Iveson.

PQ Show 23 – OpenFlow and SDN – ONF Testing & Interoperability with Michael Haugh

In this show we speak with Michael Haugh, the chairperson of the Testing and Interoperability Working Group (https://www.opennetworking.org/working-groups/testing-a-interop) at the Open Networking Foundation. Michael is a Senior Product Line Manager and oversees Ixia's Carrier Ethernet go-to-market strategy and product line on the Ixia core and IxN2X platforms. Michael has been in networking for 17 years and […]

Author information

Greg Ferro

Greg Ferro is a Network Engineer/Architect, mostly focussed on Data Centre, Security Infrastructure, and recently Virtualization. He has over 20 years in IT, across a wide range of employers, working as a freelance consultant including Finance, Service Providers and Online Companies. He is CCIE#6920 and has a few ideas about the world, but not enough to really count.

He is a host on the Packet Pushers Podcast, blogger at EtherealMind.com and on Twitter @etherealmind and Google Plus.

The post PQ Show 23 – OpenFlow and SDN – ONF Testing & Interoperability with Michael Haugh appeared first on Packet Pushers Podcast and was written by Greg Ferro.

Handling Tech Support Interaction Effectively

Network engineers deal with technical support frequently. That’s the nature of the networking business: the products often don’t work as advertised or break down under their own complexity. Throw in some ambiguous documentation that leaves you scratching your head, and you’ll finally resort to opening a case with the vendor to resolve the issue. In […]

Author information

Ethan Banks

Ethan Banks, CCIE #20655, has been managing networks for higher ed, government, financials and high tech since 1995. Ethan co-hosts the Packet Pushers Podcast, which has seen over 3M downloads and reaches over 10K listeners. With whatever time is left, Ethan writes for fun & profit, studies for certifications, and enjoys science fiction. @ecbanks

The post Handling Tech Support Interaction Effectively appeared first on Packet Pushers Podcast and was written by Ethan Banks.

Data Center design constraints

Designing a data center network with nexus switches involves virtual port channels (vPC), fabric extenders (FEX) and at times virtual device contexts (VDC). In this blog, we will take a look at some design constraints faced when dealing with the following hardware:

Cisco Nexus 7000 series switches
Cisco 2000 FEX
Cisco F2 series line cards
Cisco M1/2 series line cards

1. vPC/FEX

The biggest difference between a 7K switch and a 5K switch is the ability to configure enhanced vPC and dual-home FEX to two parent 5K switches. The reason you need enhanced vPC is that you can dual-home an end host (server/PC) to two separate FEX and dual-home the FEX to two separate parent 5K switches.

You CANNOT dual home FEX to two separate 7K switches YET. Cisco does not support this feature in NX-OS. So if you have a design where you want to connect a single attached device (server/PC) to a pair of 7K switches, you either connect the device to the primary vPC peer switch or connect a catalyst switch like a 3750 and vPC it to both 7K switches. But again, what are the chances of a 3750 failing over a Continue reading

Cisco Nexus 7K ISSU features

Cisco Nexus 7000 ISSU

In this blog, we will look at some features of an In Service Software Upgrade (ISSU) on a Cisco Nexus 7009 switch. This blog does not walk you through each step in the ISSU process, but tries to focus on certain intervals in the ISSU process that might be worth a second glance.

The switch was upgraded from 6.0(4) to 6.1(3) because only 6.1(3) supports host vPC to two upstream 7K switches.

It is important to note that in an HA pair of two 7K switches, if you're performing an ISSU on switch 1, you should not perform an ISSU on switch 2. That defeats the purpose of HA, because switch 1 assumes switch 2 is now the primary vPC peer while switch 1 is in the process of upgrading and reloading its supervisor engines (one at a time).

In spite of this, if you still perform an ISSU on switch 2, while switch 1 is being upgraded, the upgrade check will complete on switch 2, but the system will prompt an error stating switch 1 is going through an upgrade so switch 2 cannot be upgraded. This little thing might go Continue reading

Dealing with Corrupt Opengear Firmware

It was inevitable. Now that I'm proudly compiling my own cellular router firmware, I'm also becoming familiar with the process of recovering from corrupt firmware.

I'm using an Ubuntu VM (described in the previous post) running in my MacBook for recovery purposes.

The Opengear instructions for recovering from bad firmware suggest that holding down the reset button is required, but I find that my router attempts to load firmware from the network no matter what. Maybe that's because I've wiped out my configuration? <- Update: yes, this seems to be the case. I haven't nailed it down exactly, but my router doesn't try to netboot every time.

Here's how I'm using that Ubuntu VM:

Required Packages
sudo apt-get install -y tftpd-hpa dhcp3-server

Recovery Software Image
cd /var/lib/tftpboot
sudo wget ftp://ftp.opengear.com/release/recovery/ACM500x_Recovery.flash

Configure DHCP Service
sudo cp /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.orig
cat > /tmp/foo << EOF
option domain-name "opengear-recovery.com";
option subnet-mask 255.255.255.0;
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.200 192.168.0.253;
}
host myopengear {
  # fixed lease for the router being recovered; replace xx:xx:xx with its MAC
  hardware ethernet 00:13:C6:xx:xx:xx;
  fixed-address 192.168.0.10;
  # image the router will fetch from the TFTP root (/var/lib/tftpboot)
  filename "ACM500x_Recovery.flash";
}
EOF

The Software-Defined Nerds of Tomorrow

This is one of my favorite times of the year. Despite the terrible weather that Ohio usually affords the month of March, I brave the wet cold and return to my alma mater for this year’s round of senior presentations. During the five-year IT program, students are required to learn just about anything and everything you can imagine in IT. This ranges from software development of all kinds, database administration, systems administration, network services and even pure route/switch.

The Man in the White Suit

I know this is a technical blog, but I’ve always agreed with those that believe the best way to deliver a message is through a story. As imaginative and creative as I feel I can sometimes be, writing fiction just isn’t one of my strong points. So, rather than tell you an original story of my own I’m going to relate […]

Author information

Steven Iveson

The post The Man in the White Suit appeared first on Packet Pushers Podcast and was written by Steven Iveson.

IDP – FN, TN, TP, FP

I have talked with a few security administrators who seem to struggle to understand FN, TN, FP and TP. I have decided to try to create a simple method to remember them.

True/False = Whether the IDP CORRECTLY or INCORRECTLY identified an attack
Positive/Negative = Whether the IDP took an ACTION or was ACTION-LESS

True Positive (TP) - A legitimate attack (CORRECTLY identified) which triggers the IDP to produce an alarm/alert or mitigate the risk (ACTION).

False Positive (FP) - The IDP believes an attack is taking place (INCORRECTLY) and produces an alarm/alert or mitigates the risk (ACTION). This can disrupt legitimate traffic and flood your IDP with alerts, drowning out real alerts that may be occurring. Some traffic that may cause false positives includes:

  • Legitimate applications that do not follow RFCs
  • Legitimate traffic in one part of an organization that does not follow normal behaviors in another part of the organization, causing alerts
  • Signatures that were written poorly and match both legitimate and illegitimate traffic

False Negative (FN) - There is an attack that has NOT been identified (INCORRECTLY) and no alarm/alert/mitigation was raised (ACTION-LESS). This causes a false sense of security. This can be caused for a variety Continue reading

When Am I Going to Use This?

I imagine that prior to the industrial revolution, people didn’t struggle with niche skillsets that didn’t transfer. They didn’t need to wonder if they were spending countless hours learning something with no particular use outside their current job, listen to well-meaning friends and spouses assure them they’re worrying about nothing, only to face a layoff […]

Author information

Keith Tokash

Keith Tokash, CCIE (R&S) #21236, began his career in 1999, and has spent the last decade running around large content and small ISP networks. He spends his spare time with his newborn son, on the mat at the local Jiu-Jitsu gym, and trying to keep his fat yap shut.

The post When Am I Going to Use This? appeared first on Packet Pushers Podcast and was written by Keith Tokash.

Show 141 – The Pace of Change Is Picking Up – #NFD5 Discussion

Greg Ferro and Ethan Banks of PacketPushers.net host a discussion with Dr. Peter Welcher, Brent Salisbury, and Stephen Foskett about many of the presentations from the Network Field Day 5 event held March 6-8, 2013 in San Jose, California. The leading podcast topic was software defined networking, as that was the vendor focus during the […]

Author information

Ethan Banks

The post Show 141 – The Pace of Change Is Picking Up – #NFD5 Discussion appeared first on Packet Pushers Podcast and was written by Ethan Banks.

Testing AAA Authentication with ACS – Part 1

To confirm that local authentication on the switch and ACS is working after you have finished your configuration, perform the following:

Run the "test" command on the switch
sw1#test aaa group tacacs+ ro PASSWORD legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.

sw1#test aaa group tacacs+ admin99 PASSWORD legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User authentication request was rejected by server.

Even though the second attempt was rejected it still confirms that ACS rejected the request and is fully operational.

Step 1. Let's have a look at the ACS server. Once logged in, navigate to "Monitoring and Reports" and click "Launch Monitoring and Report Viewer".

Step 2. A new window pops up. Navigate to "Reports", "Catalog", and click "AAA Protocols".

Step 3. On the right pane under reports, click "TACACS Authentication". As you can see, the first two entries correlate to what was seen on the switch: a pass and a fail.

Step 4. Let's look at some more details by clicking the magnifying glass under Details. Let's look at the authentication that passed. As you can see, there are a lot of details. The big thing here is the "Status".

Step 5. Let's look Continue reading

Firewalls: Expensive, Broken Routers

In a previous post on IPS, I made a fairly negative comment on the value that you get from enterprise firewalls in the modern environment. At the time, I said that I was just going leave that comment hanging and see what happened. Well, precisely no one challenged me on it, which means either everybody […]

Author information

Neil Anderson

Neil is a freelance network security architect and contractor working with a number of clients in Scotland and Europe. He is CCIE #18705 and also holds a CISSP. He can often be found sampling beer in remote locations and ranting about tech to anyone too stupid to run away. If you're very unlucky, he may talk to you in Gaelic.

Neil can occasionally be found on Twitter.

The post Firewalls: Expensive, Broken Routers appeared first on Packet Pushers Podcast and was written by Neil Anderson.

Using IP SLA Delay Feature to Safely Monitor Lossy Links

IP SLA is a great feature if you want to add some automation and intelligence into the network. SLA is no SDN/OpenFlow, but it can be very useful. It can also take down a network. Let’s say you are using DMVPN for a number of spoke locations in your network. You have a primary Internet […]

Author information

Charles Galler

Charles is a network and UC engineer for an integrator. He has worked in the networking industry for about 15 years. He started as a network administrator for a small CLEC (carrier) where he did it all in internal IT and worked on the carrier network. After the CLEC, Charles went to work for a large healthcare organization in the Houston area and stayed with them for about three and a half years. Now he works for a reseller in the professional services part of the organization. He is currently studying for his CCIE in Routing and Switching and plans on passing it sometime. You can find him on Twitter as @twidfeki.

The post Using IP SLA Delay Feature to Safely Monitor Lossy Links appeared first on Packet Pushers Podcast and was written by Charles Galler.

Compiling Firmware for Opengear ACM5000

Opengear gave me two ACM5000 units as a part of my attendance at Network Field Day 4 in October of last year. The gift has not influenced my opinion of the company or their product: I continue to think they're a bunch of amazingly clever people, and that they make the best out-of-band access equipment on the market. I recommend them without hesitation or reservation.

I've been waiting anxiously for the release of the Custom Development Kit (CDK) based on release 3.6 code, and it's finally out. The README that comes with the CDK is a bit dated, and not super easy to follow, so I'm sharing my notes on rolling custom firmware here.

I started with Ubuntu 12.04.2 Server i386 installed inside VMware Fusion on my MacBook. I pretty much took the defaults, allowing VMware to manage the install for me (how cool is this feature?)

Remote Access
Pretty soon I was looking at an Ubuntu login prompt in the VMware console, I logged in and then did:
sudo apt-get -y update
sudo apt-get -y upgrade
sudo apt-get -y install openssh-server
ifconfig eth0
Downloads
Now I could log in via SSH, so I was done Continue reading