0

27 – Stateful Firewall devices and DCI challenges – Part 1

Stateful Firewall devices and DCI challenges

Having dual sites or multiple sites in Active/Active mode aims to offer elasticity of resources available everywhere in different locations, just as with a single logical data center. This solution brings as well the business continuity with disaster avoidance. This is achieved by manually or dynamically moving the applications and software framework where resources are available. When “hot”-moving virtual machines from one DC to another, there are some important requirements to take into consideration:

• Maintain the active sessions stateful without any interruption for hot live migration purposes.
• Maintain the same level of security regardless the placement of the application
• Migrate the whole application tier (not just one single VM) and enable FHRP isolation on each side to provide local default gateway (which works in conjunction with the next bullet point)
• While maintaining the live migration, it can be crucial to optimise the workflow and reduce the hair-pining effect as much as we can since it adds latency.  As such, the distances between the sites as well as the network services used to optimize and secure the multi-tier application workflows amplify the impact of performances.

As with several other network and security services, the Continue reading

0

Everything can be a bomb

This last week, pranksters replaced the US flag on top the Brooklyn Bridge with a white-flag. Nobody knows who or why. Many in the press have linked this to terrorism, pointing out that it could've been a bomb. Not only local New York newspapers have said this, but also CNN.

Such irrational fears demonstrate how deeply we've fallen for police-state fears, where every action is perceived as a potential terrorist threat.

It could've been a bomb, of course. But what could also have been a bomb is a van full of C4 explosives driven across the bridge. There are no checkpoints at either end inspecting vehicles with bomb sniffing dogs. What also could've been a bomb is a ship full of fertilizer that, when ignited, would act as a small nuke. The point is that everything can be a bomb. Instead of using this as justification for an ever increasing police-state, we just need to accept this and live with the danger -- because this danger is, in the end, tiny. A thousand 9/11 events would still not equal cancer, for example.

I mention this because the former 9/11 commission released a new report yesterday stoking the fears of cyber-terrorism, Continue reading

0

Configuring NetFlow on vSphere 5.5

The NetFlow protocol was developed by Cisco to collect traffic statistics. An enabled NetFlow device send to a NetFlow receiver a set of flows via UDP protocol. Each NetFlow contains one or more records: Input and output interface index Timestamps Number of bytes and packets observed in the flow Source and destination IP addresses Protocol, source […]

0

Um, talks are frequently canceled at hacker cons

Talks are frequently canceled at hacker conventions. It's the norm. I had to cancel once because, on the flight into Vegas, a part fell off the plane forcing an emergency landing. Last weekend, I filled in at HopeX with a talk, replacing somebody else who had to cancel.

0

How to run Juniper Firefly Perimeter vSRX on GNS3

Firefly Perimeter is a virtual security appliance that provides security and networking services at the perimeter in virtualized private or public cloud environments. It runs as a virtual machine (VM) on a standard x86 server  and delivers similar security and networking features available on branch SRX Series devices.

However not all the features that are supported by SRX hardware devices are supported. Here is the list of features supported by current firefly 12.1x46-d10 release.

Firefly Perimeter Hardware Specifications

• Memory 2 GB
• Disk space 2 GB
• vCPUs 2
• vNICs Up to 10
• Virtual Network Interface Card type (NIC) E1000

Thanks to Juniper’s software evaluation program we can download the Firefly Perimeter security solution for free and test it out for 60 days. In this tutorial we are going to connect Firefly Perimeter to GNS3 and create a simple lab to test connectivity between two vSRX instances. As GNS3 has built-in support for VirtualBox and Qemu/KVM they both can used as hypervisor.

Firefly Perimeter virtual machines can be download here. You have to use your Juniper account to proceed the download but a valid service contract is not required to to download Firefly Perimeter virtual machine.

Picture 1 - Juniper Login Window

Notice that they Continue reading

0

Big Switch Networks Launches Mature Hardware-Centric Data Centre SDN Solution

Big Switch Networks (BSN) launches Version 4.0 of Big Cloud Fabric for hardware-centric SDN data centre fabric. The Data Centre Fabric solution clearly shows the maturity gained from 5 years of shipping products while adding innovation in switch hardware through Switch Light operating system. At the same time, they have completed the transition from platform to product. A product that really has what you need in a hardware-centric SDN platform and addresses nearly all of the issues the competitors have not addressed. And it is shipping now.

The post Big Switch Networks Launches Mature Hardware-Centric Data Centre SDN Solution appeared first on EtherealMind.

0

I Can’t Drive 25G

The race to make things just a little bit faster in the networking world has heated up in recent weeks thanks to the formation of the 25Gig Ethernet Consortium.  Arista Networks, along with Mellanox, Google, Microsoft, and Broadcom, has decided that 40Gig Ethernet is too expensive for most data center applications.  Instead, they’re offering up an alternative in the 25Gig range.

This podcast with Greg Ferro (@EtherealMind) and Andrew Conry-Murray (@Interop_Andrew) does a great job of breaking down the technical details on the reasoning behind 25Gig Ethernet.  In short, the current 10Gig connection is made of four multiplexed 2.5Gig connections.  To get to 25Gig, all you need to do is over clock those connections a little.  That’s not unprecedented, as 40Gig Ethernet accomplishes this by over clocking them to 10Gig, albeit with different optics.  Aside from a technical merit badge, one has to ask themselves “Why?”

High Hopes

As always, money is the factor here.  The 25Gig Consortium is betting that you don’t like paying a lot of money for your 40Gig optics.  They want to offer an alternative that is faster than 10Gig but cheaper than the next standard step up.  By giving you a cheaper option Continue reading

0

Six Phases of Network Evolution

Last month I was asked to speak about Next Generation Networks at Indonesian Network Operators Group (IDNOG) forum. Whenever I speak about this subject with my customers, I usually use top down approach: started by talking about the business drivers and requirements, NGN architecture, to high level and low level design, before going deep into details to each supporting technology.

This time I decided to take a different approach. Instead, I tried to demonstrate how to build a new SP network from bottom to up. The objective is to show how the network can be transitioned from the simple one that offers a single service, to the one that carry multiple services and become resilient Next Generation Networks. I don't know if the message was received by the attendees, but I run out my 30 minutes time so I continued that effort by conducting the webex session few weeks ago.


The presentation I made for that session inspires me to write down about the six phases of network evolution below. And the phase will end up with the one thing that has become hot topic these days: Software Defined Network (SDN).

Phase 1: It begins with connectivity
When we build Continue reading

0

Kurdish ISPs enable growth of Iraqi Internet

The recent violence in Iraq and the government’s actions to block social media and other Internet services have put a spotlight on the Iraqi Internet. However, an overlooked but important dynamic in understanding the current Iraqi Internet is the central role Kurdish ISPs play in connecting the entire country to the global Internet.

In the past five years, the Internet of Iraq has gone from about 50 networks (routed prefixes) to over 600. And what is most noteworthy this that the growth has not occurred as a result of increased connectivity from the submarine cable landing at Al Faw, as would be expected in a typical environment. Instead the dominant players in the Iraqi wholesale market are two Kurdish ISPs that connect to the global Internet through Turkey and Iran: Newroz and IQ Networks.

Help from the Kurds

The Iraqi Kurdistan region contains four main cities: Erbil, Duhok, Zakho and Sulaymaniyah. Newroz covers the first three, while IQ Networks provides service in the last. However, it would be incorrect to simply classify these providers as city-level retail ISPs. They also carry significant amounts of traffic for the rest of the country.

From the relative peace and stability of Continue reading

0

Listo! Medellin, Colombia: CloudFlare’s 28th Data Center

With the World Cup at an end, so too is our latest round of data center expansion. Following deployments in Madrid, Milan and São Paulo, we are thrilled to announce our 28th data center in Medellin, Colombia. Most of Colombia’s 22 million Internet users are now mere milliseconds away from a CloudFlare data center.

A data center unlike the others

Our deployment in Medellin is launched in partnership with Internexa, operators of the largest terrestrial communications network (IP backbone) in Latin America. Internexa operates over 28,000 km of fibre crossing seven countries in the continent. Our partnership was formed over a shared vision to build a better Internet—in this case, by localizing access to content within the region. Today, it is estimated that as much as 80% of content accessed in Latin America comes from overseas. It is with great pride that, as of now, all 2 million sites using CloudFlare are available locally over Internexa’s IP backbone. Let’s just say we’ve taken a bite out of this percentage (and latency)!

If your Internet service provider (ISP) is not connected to Internexa, Continue reading

0

More fun with #TSA

That's Julian in the center waving at me to stop taking pictures. That's Michael faced away on his right

Coming back through JFK, my bag was stopped in the x-ray. The examiner shouted "bag checked", and sat and waited. And waited. Nobody came. Finally, he shunted it aside to the special bag check area. Where it sat, and sat.

There was as TSA agent standing around doing nothing, except flirting with a cute passenger standing right next to me bag. Finally, I pointed out that my bag needed to be checked, at which point he talked to the x-ray examiner, pulled it out, and checked it (I had a spray can of foot powder I bought because omg I wore my workout shoes that stink to the convention).

So, of course, I asked to see his badge, which was turned away from me, and to talk to his manager. He refused to even tell me his name, but he did get the supervisor, who confirmed his name was "Michael Vails". The manager was quite rude, looking at me in disbelief as I pointed out the guy was standing around flirting with girls instead of checking my bag. He wouldn't let Continue reading

0

Show 197 – Cisco Nexus Updates with Ron Fuller – Sponsored

Repeat guest and friend of the Packet Pushers Ron Fuller chats with Greg Ferro and Ethan Banks about the latest updates to both the hardware and software in the ever-growing and capable Cisco Nexus product line. We get a thorough update in this show, hitting lots and lots of highlights. Discussion What’s new with the […]

Author information

The post Show 197 – Cisco Nexus Updates with Ron Fuller – Sponsored appeared first on Packet Pushers Podcast and was written by Ethan Banks.

0

VMware NSX Use Case – Simplifying Disaster Recovery (Part 1)

Nicolas Vermandé (VCDX#055) is practice lead for Private Cloud & Infrastructure  at Kelway, a VMware partner. Nicolas covers the Software-Defined Data Center on his blog www.my-sddc.om,

This series of posts describes a specific use case for VMware NSX in the context of Disaster Recovery. The goal is to demonstrate the routing and programmability capabilities through a lab scenario. This first part presents the NSX components and details the use case. The second part will show how to deploy the lab and the third part will deal with APIs and show how to use python to execute REST API calls to recreate the required NSX components at the recovery site.

Introduction

When considering dual datacenter strategy with VMs recovery in mind, one important decision is whether to adopt an active/active or active/standby model. The former is generally much more complex to manage because it requires double the work in terms of procedures, testing and change controls. In addition, capacity management becomes challenging as you need to accommodate physical resources to be able to to run all workloads within whatever site. On top of that, stretched VLANs are sometimes deployed across datacenters so that recovered VMs can keep their IP addresses. This Continue reading

0

Response: Improving Flow Based Hashing on ECMP with Cuckoo hashing

There are many algorithms that can be used to for flow-based hashing to provide the best load balancing method over multiple IP or Ethernet connections but I recently learned that Cuckoo Hashing the preferred method.

The post Response: Improving Flow Based Hashing on ECMP with Cuckoo hashing appeared first on EtherealMind.

0

CCIE RSv5 ATC Continues Wednesday, July 23rd

The CCIE Routing & Switching Advanced Technologies Class v5 resumes Wednesday, July 23rd at 8:00 AM PDT (15:00 UTC) at live.ine.com, where we will be discussing MPLS Layer 3 VPN. In the meantime, you will find the streaming and download playlists have been updated and now includes over 63 hours of content.

We have some other great news as well. The CCIE R&S v5 Rack Control panel has been released with the built-in telnet, loading and saving configs and one click device configurations and reset requests. Also, new content will be posted this week to the workbook, including all new troubleshooting labs.

---

0

[SDN Protocols] Part 1 – OpenFlow Basics

Let’s get into our first topic. And what better place to start than with the protocol that arguably started the SDN madness that we’re experiencing today – OpenFlow! I got fairly carried away with writing about this protocol, and understandably so – this is a complicated topic.

That’s why I’ve split this post (which is already part of a series – very meta, much deep) into two parts. This post – Part 1 – will address OpenFlow’s mid to high-level concepts, exploring what it does, why/how the idea of control plane abstraction may be useful, and  some details on how hardware interaction works. The second post – Part 2 – will dive a little deeper into the operation of OpenFlow on supporting physical and virtual switches, and the differences in some popular implementations of OpenFlow.

 

The State of Modern Control Planes

Before we get into the specifics of OpenFlow, it’s important we address the relationship between the control plane and the data plane, and how OpenFlow changes this relationship. You’ve undoubtedly heard by now that one of SDN’s key traits is the “separation” or “abstraction” of the control plane from the Continue reading

0

DevOps Will Adopt Networking

Too many times the question has been asked “How do I adopt DevOps and will I need to become a programmer?”. My own beliefs are almost flipped upside down and my money is on DevOps adopting you; possibly without you even realising it. If you’re reading this, it’s a sign of it already happening or at least the thought process! The answers lead to the questions. There is no spoon.

So what’s NetDevOps? Networking + DevOps. Simples. It’s a thought process and a movement. Not an intended starting point, but a natural end point. A natural and evolutionary extension to your skill set, not a new one.

Instead of rushing towards a “golden bullet” product, it might prove a valid route to start thinking about the network as data derived from configuration schemas. Even if it’s a set of side line exercises from what you do day to day, thinking about the network in data or ‘code’ is a step towards what most magic products are aimed to obfuscate you against. Remember what it was like learning IOS back in the day? CatOS? Linux? First time you used a bash shell? This movement is no different.

Why are products Continue reading

0

Okay, Maybe it IS the Network (Infographic)

Okay, Maybe it IS the Network (Infographic)

---

by Steve Harriman, VP of Marketing - July 22, 2014

“It’s NOT the network.” If you work in networking, this refrain is familiar to you. While we all know the network is sometimes the cause of performance issues, often network engineers spend too much time proving the negative. However, the infographic below, based on a survey of 250 enterprise networking professionals in North America (and 22% in Europe), indicates that the network is the logical first place to look when troubleshooting performance issues. This is because both the scope and size of networks are growing to keep up with the demands of new architectures as well as business requests, making it increasingly more complex to deliver applications and services. These results and others are from a new Enterprise Management Associates (EMA) research paper titled “Managing Networks in the Age of Cloud, SDN, and Big Data: Network Management Megatrends 2014.” 

As authors Jim Frey and Tracy Corbo write in the paper’s introduction: 

“Networks have never been more critical to the success of IT and the business. New virtualization and Cloud technologies and services are remaking the face of IT and the Continue reading

0

[SDN Protocols] Part 1 – OpenFlow Basics

Let’s get into our first topic. And what better place to start than with the protocol that arguably started the SDN madness that we’re experiencing today - OpenFlow! I got fairly carried away with writing about this protocol, and understandably so - this is a complicated topic. That’s why I’ve split this post (which is already part of a series - very meta, much deep) into two parts. This post - Part 1 - will address OpenFlow’s mid to high-level concepts, exploring what it does, why/how the idea of control plane abstraction may be useful, and some details on how hardware interaction works.

0

[SDN Protocols] Part 1 – OpenFlow Basics

Let’s get into our first topic. And what better place to start than with the protocol that arguably started the SDN madness that we’re experiencing today - OpenFlow! I got fairly carried away with writing about this protocol, and understandably so - this is a complicated topic. That’s why I’ve split this post (which is already part of a series - very meta, much deep) into two parts. This post - Part 1 - will address OpenFlow’s mid to high-level concepts, exploring what it does, why/how the idea of control plane abstraction may be useful, and some details on how hardware interaction works.