KIClet: NX-OS Default Switchport State
Cisco switches (and the vast majority of other vendors) ship their switches with all ports in the enabled state. This allows someone with no networking background to plug stuff in, the switch starts learning MAC addresses, and everything works just fine. Sometimes it’s necessary from a security perspective to change this default behavior, so the network engineer is forced to “no shut” every port he or she wishes to use.Next Subjects
I've planned to write posts during the next weeks regarding these subjects: - Enhanced-SCB's detailed migration procedure on MX960: get the full power of your MX and your 3D cards. - Understanding Hashing / Load-balancing on MX: for ichip/TRIO based cards....Blogging the Cloud Track at Cisco Plus 2011
I attended the Cisco Plus Canada Roadshow in Calgary recently and sat in on a day of presentations related to Cisco's data center/cloud offerings. The sessions where quite good and I ended up taking quite a few notes. I thought I'd blog my notes in order to share what was presented.
The four sessions were:
Introduction
Hello, I've opened this blog to share my passion for networking and especially networking on Junos platform. I provide technical information only based on my experience, my tests in Lab and the public documentations. I'm a french guy and my english is...Resetting Admin Password on a Cisco ISE Appliance
A great little “feature” of Cisco's Identity Services Engine is that out of the box, the administrator account expires after 45 days if the password is not changed during that time. The documentation says that if you have trouble logging in you should click the “Problem logging in?” link and use the default administrative user/pass. This is of course ridiculous and does not work.
Below are the steps for properly resetting an admin password and for changing the security policy so the lockout doesn't happen again.
Getting the WordPress TMAC and GASP Plugins to Play Nice
Two of the WordPress plugins I use on this site are Twitter Mentions as Comments and Growmap Anti Spambot Plugin. The first, TMAC, watches Twitter for any tweets that link to a post somewhere on this blog and submits those tweets as new comments on that particular post. GASP's job is to keep spammers from submitting spammy comments by placing a Javascript-driven checkbox in the comment form. A user must check the box to confirm they are not a spambot before submitting their comment.
Both of these plugins are great and work really well on their own.
However, when both plugins are in use and TMAC submits a comment, GASP inspects the comment to see if the checkbox has been marked, finds that it hasn't been, and silently rejects the comment. (Aside: the exception to this is if you are a logged-in user and you initiate a manual TMAC check, any new tweets will successfully pass through GASP).
Configuring VRF-Lite on IOS and Junos
This post is going to provide a very basic introduction to configuring VRFs on Cisco IOS and Juniper's Junos. There's so many configuration combinations and options for virtual routing that it would be impossible to go through everything in great detail. At the end of the post I'll provide links to documentation where you can get detail if you want it.
Its time we retire Authentication Header (AH) from the IPsec Suite!
Folks who think Authentication Header (AH) is a manna from heavens need to read the Bible again. Thankfully you dont find too many such folks these days. But there are still some who thank Him everyday for blessing their lives with AH. I dread getting stuck with such people in the elevators — actually, i dont think i would like getting stuck with anybody in an elevator, but these are definitely the worst kind to get stuck with.
So lets start from the beginning.
IPsec, for reasons that nobody cares to remember now, decided to come out with two protocols – Encapsulating Security Payload (ESP) and AH, as part of the core architecture. ESP did pretty much what AH did, with the addition of providing encryption services. While both provided data integrity protection, AH went a step further and also secured a few fields from the IP header for you.
There are bigots, and i unfortunately met one a few days ago, who like to argue that AH provides greater security than ESP since AH covers the IP header as well. They parrot this since that’s what most textbooks and wannabe CCIE blogs and websites say. Lets see if securing the IP header Continue reading
How does Openflow and SDN help Virtualization/Cloud
Introduction to Software Defined Networking and OpenFlow
Often time I hear the term Openflow and Software Defined Networking Networking used in many different context which range from solving something simple and useful to literally solving the world hunger problem (or fixing the world economy for that matter). I often get asked to explain the various aspects of how Openflow is changing our lives. So here goes a explanation of the religion called Openflow (and Software Defined Networking) and various ways its manifesting itself in our day to day life. Again its too much to write in one article so I will make it a series of 3 articles. This one focuses on the protocol itself. The 2nd article will focus on how people are trying to develop it and some end user perspective that I have accumulated in last year or so. The last article in series will discuss the challenges and what are we doing to help.
Value Proposition
The basic piece of Openflow is nothing more than a wire protocol that allows a piece of code to talk to another piece of code. The idea is that for a typical network equipment, instead of logging in and configuring Continue reading
Packets of Interest (2011-12-12)
Here's a summary of interesting articles/posts that I've come across in the last couple of weeks.
Redundancy Protocols vs Stacking: Pros and Cons
I was recently asked whether or not I preferred to use a router redundancy protocol like HSRP, VRRP, or GLBP, or stack switches together to form a sort of “virtual router”, and use that for redundancy. Just like anything else, the immediate answer is “it depends”, but there are a few things to remember when considering a redundant design with your routers or Layer 3 switches. First, redundancy protocols can be found nearly everywhere.Redundancy Protocols vs Stacking: Pros and Cons
I was recently asked whether or not I preferred to use a router redundancy protocol like HSRP, VRRP, or GLBP, or stack switches together to form a sort of “virtual router”, and use that for redundancy. Just like anything else, the immediate answer is “it depends”, but there are a few things to remember when considering a redundant design with your routers or Layer 3 switches. First, redundancy protocols can be found nearly everywhere.Example Puppet 2.7 git pre-commit script
I had a hard time finding a decent pre-commit script for puppet 2.7. This is composed of snippets I found at code.seas.harvard.edu. The pre-commit script will check the puppet syntax of the changed .pp files, and also check if an attempt has been made to properly document the .pp file.
#!/bin/sh
#
# install this as .git/hooks/pre-commit to check Puppet manifests
# for errors before committing changes.
rc=0
[ "$SKIP_PRECOMMIT_HOOK" = 1 ] && exit 0
# Make sure we're at top level of repository.
cd $(git rev-parse --show-toplevel)
trap 'rm -rf $tmpdir $tmpfile1 $tmpfile2' EXIT INT HUP
tmpdir=$(mktemp -d precommitXXXXXX)
tmpfile1=$(mktemp errXXXXXX)
tmpfile2=$(mktemp errXXXXXX)
echo "$(basename $0): Validating changes."
# Here we copy files out of the index into a temporary directory. This
# protects us from a the situation in which we have staged an invalid
# configuration using ``git add`` but corrected the changes in the
# working directory. If we checked the files "in place", we would
# fail to detect the errors.
git diff-index --cached --name-only HEAD |
grep '.pp$' |
git checkout-index --stdin --prefix=$tmpdir/
find $tmpdir -type f -name '*.pp' |
while read manifest; do
puppet Continue readingAn Introduction to Layer 3 Traffic Isolation
All network engineers should be familiar with the method for virtualizing the network at Layer 2: the VLAN. VLANs are used to virtualize the bridging table of Layer 2 switches and create virtual switching topologies that overlay the physical network. Traffic traveling in one topology (ie VLAN) cannot bleed through into another topology. In this way, traffic from one group of users or devices can be kept isolated from other users or devices.
Traffic Isolation Using VLANs
VLANs work great in a Layer 2 switched network, but what happens when you need to maintain this traffic separation across a Layer 3 boundary such as a router or firewall?
Seamless Data Migration with Avaya’s VENA framework
There are very few technologies that come along which actually make things easier for IT staff. This is particularly true with new technology introductions. Very often, the introduction of a new technology is problematic from a systems service up time perspective. With networking technologies in particular, new introductions often involve large amounts of intermittent down time and a huge amount of human resources to properly plan the outages and migration processes to assure minimal down time. More so than any other, network core technologies tend to be the most disruptive due to their very nature and function. Technologies like MPLS are a good example. It requires full redesign of the network infrastructure as well very detailed design within the network core itself to provide connectivity. While some argue that things like MPLS-TP helps to alleviate this, it is not without cost – and the distruption remains.
IEEE 802.1aq or Shortest Path Bridging (SPB for short) is one of those very few technologies that can introduced in a very seamless fashion with minimal disruption or down time. It can also be introduced with minimal redesign of the existing network if so desired. A good case point example is a recent Continue reading
Multi-Vendor Network Woes
First, I’d like to thank you all for continuing to read my thoughts these last few weeks. Some already know that I passed the CCNP ROUTE exam this past weekend, and that has slowed my ability to write consistently. Fortunately, I laid that beast of an exam to rest and I get to focus on bigger, better things. I’ve been working a project for the past few weeks that’s involved the integration of HP and Cisco networking equipment.Multi-Vendor Network Woes
First, I’d like to thank you all for continuing to read my thoughts these last few weeks. Some already know that I passed the CCNP ROUTE exam this past weekend, and that has slowed my ability to write consistently. Fortunately, I laid that beast of an exam to rest and I get to focus on bigger, better things. I’ve been working a project for the past few weeks that’s involved the integration of HP and Cisco networking equipment.Net-SNMP v5.7 Issues
The last time I upgraded Net-SNMP it wasn't reporting the hrSystemProcesses OID. I wrote about that here. This time around I've upgraded to v5.7 and discovered two issues so far.