Show 212 – HP Networking in the Data Centre – Sponsored

In today's sponsored podcast, HP Networking looks to educate network engineers about HP’s data center portfolio and technologies that make it a formidable choice for architecting today’s data center networks. Tune in to learn how HP is helping customers develop Data Center solutions that deal with today and tomorrow’s challenges.

Author information

Greg Ferro

Greg Ferro is a Network Engineer/Architect, mostly focussed on Data Centre, Security Infrastructure, and recently Virtualization. He has over 20 years in IT, in wide range of employers working as a freelance consultant including Finance, Service Providers and Online Companies. He is CCIE#6920 and has a few ideas about the world, but not enough to really count.

He is a host on the Packet Pushers Podcast, blogger at EtherealMind.com and on Twitter @etherealmind and Google Plus.

TwitterFacebookGoogle+

The post Show 212 – HP Networking in the Data Centre – Sponsored appeared first on Packet Pushers Podcast and was written by Greg Ferro.

The Importance of Knowing Baselines

When observing network utilization (whether that’s bandwidth or some other element you monitor), you have to know your baseline. The big idea is to understand what’s normal for your network, as every network is a little different. Only when you know your network’s baseline does it become possible to detect anomalies. For example, when […]

Increased MTTR is Good?

In Episode 167 of The Cloudcast – “Bringing Advanced Analytics to DevOps”, Dave Hayes brings up an interesting point about Mean Time to Resolution (MTTR). At about 8:30 in, he states:

“In a counter-intuitive sense, you actually want this to be going up…If you’re removing false alerts, and you’re getting better about the quantity of alerts, you’re going to be solving far fewer, more difficult problems, so you should see a slight trend upwards in Mean Time to Resolution”

This is a really interesting way of looking at things. Obviously you don’t want to set your goal as “Increase our MTTR,” but this could be a positive side-effect of improved processes.

I recommend listening to the whole episode. PagerDuty is a very cool product in itself, but this is a broader discussion about operations, analytics, and best practices.

Subscribe to the podcast while you’re there too. Lots of interesting technology discussed there.

Using ssldump to Decode/Decrypt SSL/TLS Packets

Who needs the Wireshark GUI right; let’s do this at the command line and be grown up about things. This is a straight copy of my popular Using Wireshark to Decode/Decrypt SSL/TLS Packets post, only using ssldump to decode/decrypt SSL/TLS packets at the CLI instead of Wireshark. Aside from the obvious advantages, immediacy and efficiency of a CLI tool, ssldump also […]

Author information

Steven Iveson

Steven Iveson

Steven Iveson, the last of four children of the seventies, was born in London and has never been too far from a shooting, bombing or riot. He's now grateful to live in a small town in East Yorkshire in the north east of England with his wife Sam and their four children.

He's worked in the IT industry for over 15 years in a variety of roles, predominantly in data centre environments. Working with switches and routers pretty much from the start he now also has a thirst for application delivery, SDN, virtualisation and related products and technologies. He's published a number of F5 Networks related books and is a regular contributor at DevCentral.

TwitterLinkedIn

The post Using ssldump to Decode/Decrypt SSL/TLS Packets appeared first on Packet Pushers Podcast and was written by Steven Iveson.

DNSSEC: Complexities and Considerations

This blog post is a follow-up to our previous introduction to DNSSEC. Read that first if you are not familiar with DNSSEC.

DNSSEC is an extension to DNS: it provides a system of trust for DNS records. It’s a major change to one of the core components of the Internet. In this post we examine some of the complications of DNSSEC, and what CloudFlare plans to do to reduce any negative impact they might have. The main issues are zone content exposure, key management, and the impact on DNS reflection/amplification attacks.

Zone content exposure

DNS is split into smaller pieces called zones. A zone typically starts at a domain name, and contains all records pertaining to the subdomains. Each zone is managed by a single manager. For example, cloudflare.com is a zone containing all DNS records for cloudflare.com and its subdomains (e.g. www.cloudflare.com, api.cloudflare.com).

There is no directory service for subdomains in DNS so if you want to know if api.cloudflare.com exists, you have to ask a DNS server and that DNS server will end up asking cloudflare.com whether api.cloudflare.com exists. This is not true with DNSSEC. In Continue reading

SDN Job Numbers – 3QCY14

How many SDN jobs are out there so far? If you missed the previous post, well, I’ve been counting them for about five months. Today’s post looks at the numbers for 3QCY14. Check out the previous post for all the picky details about how we gathered the data. This post focuses on the numbers!

 

 

 

SDN in the Job Title, 3QCY14

I’m theorizing that for a term to be in the title of the job posting, that term must be a pretty important part of the job. So, we searched for “SDN” in the title, at Dice.com and Monster.com, did some averaging to keep a week or two spike or drop from skewing the perception, and we’ve created some graphs.

Figure 1 shows the first graph:

  • Searches for SDN in the job title
  • The data is about new job listings per week
  • We use a couple of rolling averages to reduce the bumps in the graph
  • The graph shows both Dice and Monster combined, but with the raw numbers as well

 

Figure 1: SDN in the Job Title, Per-Week New Job Listings, 3QCY14

 

 

SDN in the Job Description

When we find “SDN” Continue reading

Mass Customization

I’ve mentioned in past articles about my belief that networking – both as a discipline and a technology – needs to be more consumable to other disciplines. But what does this mean? I was reminded of a few great examples today that I think are relevant to this idea, and might help explain my point a little more clearly.

Mass Production Meets Customization

The assembly line revolutionized the auto industry. Prior to this, vehicle production was very slow, and extremely costly. The introduction of the assembly line for creating automobiles allowed cars to be created in a predictable, repeatable way. However, Ford famously required all Model T’s to be painted black. Even before the introduction of the assembly line, the Model T was available in other colors, but with the move to mass production, this option was taken away.

The term “mass customization” is essentially the idea that mass production can co-habitate with customization, resulting in a customer experience that is personal and custom-built, but that also gets to experience the low unit cost that comes with mass production.

A great example of mass customization is the Moto X phone, whose commercials famously offer all kinds of customization options Continue reading

Response: Black Energy 2 Malware Router Abuse – Kaspersky

Kaspersky published a research note on Black Energy malware that uses backdoors and exploits on Cisco routers to install a TCL file, perform surveillance or destruction of the device configuration.   And, they revealed that their Cisco routers with different IOS versions were hacked. They weren’t able to connect to the routers any more by […]


The post Response: Black Energy 2 Malware Router Abuse – Kaspersky appeared first on EtherealMind.

Protocol Next-hops in a Junos Route-Reflection Cluster

I’ve finally had time to do some proper studying for JNCIE, and I noticed something that I may have been getting wrong for a looong time.  It is minor, but could have bad consequences in a route-reflection environment.

I have a lab topology set up that looks like this:

Route-reflection in JNCIE study lab

Route-reflection in JNCIE study lab

R1 is advertising a direct network of 10.0.5.0 to the route reflectors R3 and R4.   When I looked at R5 I was expecting to see R1 as the “protocol next-hop” but instead I was seeing R3 and R4.  That didn’t look right to me.

Some explanation first:  When you look at a route using “extensive” you get quite a lot of information but in there are two types of next hop.  The “forwarding next hop” is (literally) the next IP hop to get to the “protocol next-hop” which is the BGP speaker that is advertising the route.   The forwarding next hop is derived from the IGP, but the protocol next hop comes from iBGP.    I was expecting to see the forwarding next hop to be the other end of one of the circuits to R3 or R4 Continue reading

Show News: Network Down Stories and The Nightmare Before Christmas

Last year, we published two shows of horror stories about network outages and these shows generated a HUGE response from the audience. People emailed us about laughing, head nodding and “that happened to me”. Because you loved it, we are going to do it again. Because of time constraints the format will be a little […]

Author information

Greg Ferro

Greg Ferro is a Network Engineer/Architect, mostly focussed on Data Centre, Security Infrastructure, and recently Virtualization. He has over 20 years in IT, in wide range of employers working as a freelance consultant including Finance, Service Providers and Online Companies. He is CCIE#6920 and has a few ideas about the world, but not enough to really count.

He is a host on the Packet Pushers Podcast, blogger at EtherealMind.com and on Twitter @etherealmind and Google Plus.

TwitterFacebookGoogle+

The post Show News: Network Down Stories and The Nightmare Before Christmas appeared first on Packet Pushers Podcast and was written by Greg Ferro.

Suppressing contributors to an aggregate route

This was a new one on me – in the past I have always advertised an aggregate route and then written policy to match the contributing routes so that they can be suppressed.  It turns out there’s an easier way to do this:

root@R3# show policy-options policy-statement AGG
term T1 {
    from protocol aggregate;
    then accept;
}
term T2 {
    from aggregate-contributor;
    then reject;
}

The Case for Hybrids

Plexxi along with Piston Cloud, Colovore, and King Star Computing published a white paper a few months back looking at the cost of a private cloud running OpenStack in a hosted environment versus renting compute instances from Amazon. The details are here. The short story is that in this analysis, at about 129 Cores, the costs for a private cloud start to become better than public cloud. Certainly the efficiency of colocation, commodity computing/storage, and an application oriented network fabric integrated tightly with a cloud orchestration management platform (OpenStack) has a lot of built in efficiencies so its not surprising to see the result of this analysis.

We’ve Seen this Story Before, Haven’t We?

Similarly, years ago in software development circles, the debates about outsourcing were fierce and emotional. Back then, much centered on the cost leverage available to companies to move development to low-cost areas such as India, China, and Eastern Europe. However, over time, companies found that while cost gave them flexibility and resourcing mite, the more important benefit ended up being owning development resources and presences close to emerging markets while leveraging outsourcing partners for on-demand resource expansion. Wow, sounds a lot like Colocation + Hybrid Cloud Continue reading

SDN Job Numbers – 3QCY14

How many SDN jobs are out there so far? If you missed the previous post, well, I’ve been counting them for about five months. Today’s post looks at the numbers for 3QCY14. Check out the previous post for all the picky details about how we gathered the data. This post focuses on the numbers!

 

 

 

SDN in the Job Title, 3QCY14

I’m theorizing that for a term to be in the title of the job posting, that term must be a pretty important part of the job. So, we searched for “SDN” in the title, at Dice.com and Monster.com, did some averaging to keep a week or two spike or drop from skewing the perception, and we’ve created some graphs.

Figure 1 shows the first graph:

  • Searches for SDN in the job title
  • The data is about new job listings per week
  • We use a couple of rolling averages to reduce the bumps in the graph
  • The graph shows both Dice and Monster combined, but with the raw numbers as well

 

Figure 1: SDN in the Job Title, Per-Week New Job Listings, 3QCY14

 

 

SDN in the Job Description

When we find “SDN” Continue reading

Alteon SSL key import wows

I was trying to import a new certificate with an SSL key, but it was without success.

But as usual, before trying that on production, I tried that on my lab setup. It was done without any problems.

But when trying with the production Alteon, running the same 29.5.1 version, I got this message:

> -----END RSA PRIVATE KEY-----
Enter key passphrase:
Error: The private key is not a valid RSA key

Error: Failed to extract key XXXXX

After trying it several times, comparing some random strings inside the key I noticed a lag when I pasted the key to the production Alteon. The reason for the lag was SecureCRT that was configured to insert delays between keys. This feature is extremely useful with pasting large text into NX-OS.


My lab setup is with the default Line Send delay of 5ms and Character send delay of 0ms.

So I tried to use the lap SecureCRT delay setup on my production Alteon, and to my surprise it worked!

So to sum up: when pasting to Alteon 29.5.1, you better use the default SecureCRT delay settings.

One more thing and this will save you precious time digging through the command reference:

"key" and "srvrcert" names must be identical

SDN fabric controllers

Credit: sFlow.com
There is an ongoing debate in the software defined networking community about the functional split between a software edge and the physical core. Brad Hedlund argues the case in On choosing VMware NSX or Cisco ACI that a software only solution maximizes flexibility and creates fluid resource pools. Brad argues for a network overlay architecture that is entirely software based and completely independent of the underlying physical network. On the other hand, Ivan Pepelnjak argues in Overlay-to-underlay network interactions: document your hidden assumptions that the physical core cannot be ignored and, when you get past the marketing hype, even the proponents of network virtualization acknowledge the importance of the physical network in delivering edge services.

Despite differences, the advantages of a software based network edge are compelling and there is emerging consensus behind this architecture with  a large number of solutions available, including: Hadoop, Mesos, OpenStack, VMware NSX, Juniper OpenContrail, Midokura Midonet, Nuage Networks Virtual Services Platform, CPLANE Dynamic Virtual Networks and PLUMgrid Open Networking Suite.

In addition, the move to a software based network edge is leading to the adoption of configuration management and deployment tools from the DevOps Continue reading

Mass Customization

I’ve mentioned in past articles about my belief that networking - both as a discipline and a technology - needs to be more consumable to other disciplines. But what does this mean? I was reminded of a few great examples today that I think are relevant to this idea, and might help explain my point a little more clearly. Mass Production Meets Customization The assembly line revolutionized the auto industry.
1 3,681 3,682 3,683 3,684 3,685 3,840