RESTful control of Cumulus Linux ACLs

Figure 1: Elephants and Mice
Elephant Detection in Virtual Switches & Mitigation in Hardware discusses a VMware and Cumulus demonstration, Elephants and Mice, in which the virtual switch on a host detects and marks large "Elephant" flows and the hardware switch enforces priority queueing to prevent Elephant flows from adversely affecting latency of small "Mice" flows.

This article demonstrates a self contained real-time Elephant flow marking solution that leverages the visibility and control features of Cumulus Linux.

SDN fabric controller for commodity data center switches provides some background on the capabilities of the commodity switch hardware used to run Cumulus Linux. The article describes how the measurement and control capabilities of the hardware can be used to maximize data center fabric performance:
Exposing the ACL configuration files through a RESTful API offers a straightforward method of remotely creating, reading, updating, deleting and listing ACLs.

For example, the following command creates a filter called Continue reading

Show 191 – Netvisor – the Pluribus Network Hypervisor – Sponsored

Pluribus Networks has a unique approach to Software Defined Networking that turns a network switch into a server and application platform. In this sponsored show, Sunay Tripathi deep dives into Netvisor and explains how it can fit into your network architecture.

Author information

Greg Ferro

Greg Ferro is a Network Engineer/Architect, mostly focussed on Data Centre, Security Infrastructure, and recently Virtualization. He has over 20 years in IT, in wide range of employers working as a freelance consultant including Finance, Service Providers and Online Companies. He is CCIE#6920 and has a few ideas about the world, but not enough to really count.

He is a host on the Packet Pushers Podcast, blogger at EtherealMind.com and on Twitter @etherealmind and Google Plus.

TwitterFacebookGoogle+

The post Show 191 – Netvisor – the Pluribus Network Hypervisor – Sponsored appeared first on Packet Pushers Podcast and was written by Greg Ferro.

[minipost] Mikrotik/RouterBoard port-knocking example for firewall/NAT openings

For best article visual quality, open [minipost] Mikrotik/RouterBoard port-knocking example for firewall/NAT openings directly at NetworkGeekStuff.

The situation is very simple, you are away from home (imagine visiting a friend or being at work), but you desperately would like to access your internal LAN FTP/Samba/etc… , but you do not have with you your own notebook or any device with a VPN capability to tunnel to your home securely. So what to do ? You do not really want to open your home firewall and NAT whole internet to the internal PC or server on your LAN. Lucky for you, there exists a trick under a name of “port-knocking” where you can send to your home firewall a sequence of TCP or UDP packets with specific ports (the ports act as a password) and your home system can temporarily open the firewall and NAT to only your source IP from which these packets arrived. In this quick example I will show you how to do this on Mikrotik (where I do this for several years now) and I will point you to generic linux tutorial for the same using iptables in links below.

Main Example

Target: I want to access my Continue reading

Giving a Monkey a Loaded Gun

Automating the configuration, provisioning, and management of particular workflows for cloud gets a lot of attention these days.  While automation makes perfect sense for deploying workloads faster, there are also other areas where automation can be leveraged to improve the overall operational efficiency of the IT Ops team. 
One of these areas is automating the validation of configuration changes.   This could mean validating changes deployed via the CLI for existing networks or validating changes made by SDN controllers for those new shiny physical AND virtual networks.  It doesn’t matter.  Connectivity tests can also be automated.  Much more can be automated than configuration and policy for data centers.

I remember doing annual power shutdowns of the data center and IDFs where I worked years ago.  I remember doing OS upgrades on critical network devices.  I also remember the chaos and the amount of people that needed to be on a bridge validating “everything looked okay” when the devices came back online.  Was everything always okay?  Hardly, but it wasn’t until business started on the following Monday, those one off issues were uncovered and fixed.  If there were tools verifying routing tables, Continue reading

Cisco COO Claims Amazon as Huge Customer and Other Insights

In this transcript from Seeking Alpha, Gary Moore, Chief Operating Office of Cisco claims that " eight of the global ten over-the-top providers like Amazon are huge Cisco customers". For network architect & strategy types, it's worth reading to see how Cisco intends to extract more revenue from your budget. In particular there are several references to Cisco "analytics service offerings" which Mr Moore states are opportunities for upsell in SmartNet maintenance. It might be worth looking into those products to prepare a "defense against the dark arts" from Cisco account managers.

The post Cisco COO Claims Amazon as Huge Customer and Other Insights appeared first on EtherealMind.

Understand Etherchannel Load Balancing.

Let’s try to define what EtherChannel is and why it exists nowadays as a powerful feature.

Author information

Michał Janowski

Michał Janowski

I was happy to finish light studies with a specialization active turism :). Than moved to IT world and participated in postgraduate studies which relied upon CCNA exploration course. After that I got my first job in IT as a software tester in Nokia Siemens Networks where I was responsible for verification of code running on radio equipment (3g, LTE). Now, as a Cisco TAC enginner I am helping cutomers resolving problems in their networks. I belong to unit responsible for Catalyst switches, so forgive me as most of my posts would be influenced by the technology I know the best.
LinkedIn

The post Understand Etherchannel Load Balancing. appeared first on Packet Pushers Podcast and was written by Michał Janowski.

Glue Networks at ONUG 2014

Glue Networks had a presence at the last ONUG, where Tom Hollingworth was able to get an overview from Glue’s founder, Jeff Gray:

As you can see, Glue’s product targets the WAN, and specifically addresses the difficult provisioning tasks that most shops do manually. These include but are not limited to:

  • Provisioning (and deprovisioning) of QoS resources for various applications like SAP and Lync based off of need and time of day.
  • Bringing up remote sites in a standardized, cookie-cutter manner
  • Creating and changing PfR (performance routing) configurations on the WAN.

Jeff visited our Tech Field Day round table at ONUG 2014 and gave us a more detailed introduction to the product:

First, some things I think this product does (or will do) well. The configuration of PfR or QoS en masse is a low-hanging use case I’ve mentioned before and even if I can do it using scripts today, having a single tool that does it in a simple way will provide value. These specific configurations are difficult and error-prone, so anything that tackles this is going to be useful.

I also did enjoy hearing about the options for getting the config onto the device. Jeff listed three options for Continue reading

Glue Networks at ONUG 2014

Glue Networks had a presence at the last ONUG, where Tom Hollingworth was able to get an overview from Glue’s founder, Jeff Gray: As you can see, Glue’s product targets the WAN, and specifically addresses the difficult provisioning tasks that most shops do manually. These include but are not limited to: Provisioning (and deprovisioning) of QoS resources for various applications like SAP and Lync based off of need and time of day.

Glue Networks at ONUG 2014

Glue Networks had a presence at the last ONUG, where Tom Hollingworth was able to get an overview from Glue’s founder, Jeff Gray: As you can see, Glue’s product targets the WAN, and specifically addresses the difficult provisioning tasks that most shops do manually. These include but are not limited to: Provisioning (and deprovisioning) of QoS resources for various applications like SAP and Lync based off of need and time of day.

Illuminating The Etumbot APT Backdoor

The Arbor Security Engineering Response Team (ASERT) has released a research paper concerning the Etumbot malware.

Etumbot is a backdoor used in targeted attacks since at least March 2011. Indicators suggest that Etumbot is associated with the Numbered Panda group, also known as IXEHSE, DynCalc, and APT12.  Although previous research has covered related malware, little has been publicly discussed regarding Etumbot’s capabilities.

Indicators suggest that the Etumbot dropper is delivered via spear phishing and is contained inside an archive file intended to be of interest to the target. The attackers use the Unicode Right to Left Override technique and document icons to disguise malicious executable content as document files. Once the dropper is executed, the backdoor is activated and a distraction file of interest to the target is opened for viewing.  ASERT has observed several Etumbot samples using distraction documents involving Taiwanese and Japanese topics of interest, and has also observed recent development activity which indicates that attack campaigns are ongoing.

Once installed, the backdoor connects to it’s Command & Control server and receives an encryption key. RC4 encryption, along with HTTP transactions intended to blend in with typical traffic are used for backdoor communications. Etumbot’s core functionality Continue reading

Platforms, Code, and Why I do it

If you read this site often, you already know I’ve been doing quite a bit of work with Ansible specifically as it pertains to networking.  While I will be showing another video very soon in a follow up post, I wanted to take a step back and cover a few things before doing so.  The focus here is less about the technology and more my general mindset around automation PLATFORMS, code, open source, and why I do it.  Just something I’d like to share because I’m occasionally asked questions around these topics.
Culture 

It’s not about the tool, in my case Ansible, it’s about the process, methodology, and ideas that go into thinking differently.  For me personally, Ansible just had a lower barrier for entry, but I’ve grown to quite like it.  Actually, I liked it from the get-go.   In order to effectively embrace platforms like Ansible, there needs to be a change in culture first.  It was amazing to see the emphasis on culture during the recent DevOps days in Pittsburgh.  I tuned in and out during the live stream and it seemed every time I had a chance to watch, it Continue reading

Coffee Break – Show 8

[player] This is “The Coffee Break”. A podcast on state of the networking business where we discuss vendors moves and news, analysis on product and positioning, and look at the business of networking. In the time it takes to have coffee break. Thanks to Steven Hill from Current Analysis for joining us this week. Show... Read more »

Coffee Break – Show 8

This is “The Coffee Break”. A podcast on state of the networking business where we discuss vendors moves and news, analysis on product and positioning, and look at the business of networking. In the time it takes to have coffee break. Thanks to Steven Hill from Current Analysis for joining us this week. Show Links […]

Author information

Greg Ferro

Greg Ferro is a Network Engineer/Architect, mostly focussed on Data Centre, Security Infrastructure, and recently Virtualization. He has over 20 years in IT, in wide range of employers working as a freelance consultant including Finance, Service Providers and Online Companies. He is CCIE#6920 and has a few ideas about the world, but not enough to really count.

He is a host on the Packet Pushers Podcast, blogger at EtherealMind.com and on Twitter @etherealmind and Google Plus.

TwitterFacebookGoogle+

The post Coffee Break – Show 8 appeared first on Packet Pushers Podcast and was written by Greg Ferro.

NANOG 61

The recent NANOG 61 meeting was a pretty typical NANOG meeting, with a plenary stream, some interest group sessions, and an ARIN Public Policy session. The meeting attracted some 898 registered attendees, which was the biggest NANOG to date. No doubt the 70 registrations from Microsoft helped in this number, as the location for NANOG 61 was in Bellevue, Washington State, but even so the interest in NANOG continues to grow, and there was a strong European contingent, as well as some Japanese and a couple of Australians. The meeting continues to have a rich set of corridor conversations in addition to the meeting schedule. These corridor conversations are traditionally focused on peering, but these days there are a number of address brokers, content networks, vendors and niche industry service providers added to the mix. Here’s my impressions of some of the presentations at NANOG 61.

Cumulus Networks, sFlow and data center automation

Cumulus Networks and InMon Corp have ported the open source Host sFlow agent to the upcoming Cumulus Linux 2.1 release. The Host sFlow agent already supports Linux, Windows, FreeBSD, Solaris, and AIX operating systems and KVM, Xen, XCP, XenServer, and Hyper-V hypervisors, delivering a standard set of performance metrics from switches, servers, hypervisors, virtual switches, and virtual machines - see Visibility and the software defined data center

The Cumulus Linux platform makes it possible to run the same open source agent on switches, servers, and hypervisors - providing unified end-to-end visibility across the data center. The open networking model that Cumulus is pioneering offers exciting opportunities. Cumulus Linux allows popular open source server orchestration tools to also manage the network, and the combination of real-time, data center wide analytics with orchestration make it possible to create self-optimizing data centers.

Install and configure Host sFlow agent

The following command installs the Host sFlow agent on a Cumulus Linux switch: 
sudo apt-get install hsflowd
Note: Network managers may find this command odd since it is usually not possible to install third party software on switch hardware. However, what is even more radical is that Cumulus Linux allows users to download source Continue reading

Conferences: Go

It is slightly paradoxical that since I left networking for the student life I’ve actually been reading more about networking than I was able to during the last years of my working life.  Similarly, I’ve had more time to follow the goings on in the social media, especially when the big conferences were on. Over […]

Author information

Matthew Mengel

Matthew was a Senior Network Engineer for a regional educational institution in Australia for over 15 years, working with Cisco equipment across many different product areas. However, in April 2011 he resigned, took seven months of long service leave to de-stress and re-boot before becoming a network engineer for a medium sized non-profit organisation. At the end of 2013, he left full-time networking behind after winning a scholarship to study for a PhD in astrophysics. He is on twitter infrequently as @mengelm.

The post Conferences: Go appeared first on Packet Pushers Podcast and was written by Matthew Mengel.

CCIE renewed

In the very last day of availability of the  CCIE v4 350-001 written exam I’ve renewed my CCIE for a couple of years more: My plan was to recertify with another track – Wireless or Security – but life happens
Read more ›
1 3,687 3,688 3,689 3,690 3,691 3,794