What is the difference between tunnel | transport mode in IPsec

How does the internet work - We know what is networking

Intro IPsec making VPN connection possible. I enables to basically simulate a leased line across public Internet and thus enable us to get secure connection across unsecured environment. It enables encryption, authentication and protection of our data when sent across insecurity of the world’s biggest internetwork – Internet. It’s the cheap way to simulate a leased […]

What is the difference between tunnel | transport mode in IPsec

Lessons Drawn from the Rise of Server Virtualization

It has become common to draw analogies to the rise of server virtualization during the early-mid 2000’s to attempt to understand how network virtualization will change the way we build data center networks, both virtual and physical.

This is a useful tool, as there are clear similarities.

Server virtualization changed the amount of time it took to get a new compute resource up and running from weeks (order hardware, rack gear, install OS) to hours or even minutes.  It allowed location independence, so admins could start VMs wherever capacity was available, and move them around at will.

Network virtualization is starting to provide similar benefits to the network.  Creating a new virtual network can be done in minutes, compared to hours if we have to file a ticket with the networking team to provision a new VLAN and plumb it across a the physical network.  And the scope of VM mobility can be increased radically, as VMs are no longer bound by size-limited physical L2 domains.

But there is one place the analogy breaks down, at least with networking from OEMs with the traditional proprietary appliance approach.

First, let’s back up briefly and examine something I glossed over when talking Continue reading

Closing Comments on Old Posts

One of the great things about this site is the interaction I enjoy with readers. It’s always great to get comments from readers about how an article was informative, answered a question, or helped solve a problem. Knowing that what I’ve written here is helpful to others is a very large part of why I’ve been writing here for over 9 years.

Until today, I’ve left comments (and sometimes trackbacks) open on very old blog posts. Just the other day I received a comment on a 4 year old article where a reader was sharing another way to solve the same problem. Unfortunately, that has to change. Comment spam on the site has grown considerably over the last few months, despite the use of a number of plugins to help address the issue. It’s no longer just an annoyance; it’s now a problem.

As a result, starting today, all blog posts more than 3 years old will automatically have their comments and trackbacks closed. I hate to do it—really I do—but I don’t see any other solution to the increasing blog spam.

I hope that this does not adversely impact my readers’ ability to interact with me, but it is Continue reading

SDN Use Case: Content Filtering

K-12 schools face unique challenges with their IT infrastructure.  Their user base needs access to a large amount of information while at the same time facing restrictions.  While it does sound like some corporate network policies, the restrictions in the education environment are legal in nature.  Schools must find new ways to provide the assurance of restricting content without destroying their network in the process.  Which lead me to ask: Can SDN Help?

Online Protection

The government E-Rate program gives schools money each year under Priority 1 funding for Internet access.  Indeed, the whole point of the E-Rate program is to get schools connected to the Internet.  But we all know the Internet comes with a bevy of distractions. Many of those distractions are graphic in nature and must be eliminated in a school.  Because it’s the law.

The Children’s Internet Protection Act (CIPA) mandates that schools and libraries receiving E-Rate funding for high speed broadband Internet connections must filter those connections to remove questionable content.  Otherwise they risk losing funding for all E-Rate services.  That makes content filters very popular devices in schools, even if they aren’t funded by E-Rate (which they aren’t).

Content filters Continue reading

New fiber connector is nifty

Corning has recently teamed up with Intel in introducing some new optical equipment. Corning's contribution (fibers, connectors) likely mean there will be some unfamiliar looking optical infrastructure in your data center soon.

The fiber is a new 1310nm singlemode variety that Corning touts as "bend-insensitive". The minimum allowable bend radius of this fiber is 7.5mm. This is impressive, but expected under ITU-T G.657.B.

More interesting is the MXC connector. This is a push-on connector with a locking tab like the 8P8C connectors used for twisted pair Ethernet. It supports up to 64 fiber strands, each running at 25Gb/s.
MXC connector. Image from Corning-Intel Whitepaper.

The only place I've seen this fiber or connector in use is on a prototype 100G CLR4 transceiver shot by Greg Ferro at the Intel Developer Forum a couple of weeks ago.
Greg's shot of CLR4 transceivers with MXC connectors.
The CLR4 alliance explains that their approach puts four channels running at 25Gb/s each onto a single pair of single mode fiber, and specifically calls for LC connectors on the transceiver, so I'm a little confused about why these transceivers are sporting MXC connectors.

It seems the MXC connector will be used not Continue reading

Protecting Junos config

In the middle of a migration, and I just discovered the ability to protect parts of the Junos configuration from modification by other users. Could be quite useful!

[edit]
root@VMX1# show system services
[edit]
root@VMX1# protect interfaces
[edit]
root@VMX1# show interfaces
##
## protect: interfaces
##
ge-0/0/0 {
description "LINK TO VMX0";
vlan-tagging;
mtu 2000;
encapsulation flexible-ethernet-services;
unit 10 {
vlan-id 10;
family inet {
address 10.1.1.2/30;
}
}
}
[edit]
root@VMX1# set interfaces ge-0/0/1 description "LINK TO NOWHERE"
warning: [interfaces] is protected, 'interfaces ge-0/0/1' cannot be created
[edit]
root@VMX1#


It’s the Applications, Stupid (Part 2 of 3)!

In part 1 of this series, I mentioned a customer that was starting to understand how to build application policy into their deployment processes and in turn was building new infrastructure that could understand those policies. That’s a lot of usage of the word “policy” so it’s probably a good idea to go into a bit more detail on what that means.

In this context, policy refers to how specific IT resources are used in accordance with a business’s rules or practices. A much more detailed discussion of policy in the data center is covered in this most excellent networkheresy blog post (with great additional discussions here and here).  But suffice it to say that getting to full self-service IT nirvana requires that we codify business-centric policy and encapsulate the applications with that policy.

The goals of the previously mentioned customer were pretty simple, actually. They wanted to provide self-service compute, storage, networking, and a choice of application software stacks to their vast army of developers. They wanted this self-service capability to extend beyond development and test workloads to full production workloads, including fully automated deployment. They wanted to provide costs back to the business that were on par Continue reading

Connecting Virtual Routers to the Outside World

Stefan de Kooter (@sdktr) sent me a follow-up question to my Going All Virtual with Virtual WAN Edge Routers blog post:

How would one interface with external Internet in this scenario? I totally get the virtual network assets mantra, but even a virtual BGP router would need to get a physical interconnect one way or another.

As always, there are plenty of solutions depending on your security needs.

Read more ...

GET VPN, it is all about group.

GET VPN uses a group security paradigm comparing to the traditional point-to-point security paradigm like DMVPN, GRE IPSec or SSL. Do not confuse with any-to-any mesh which is the result of n(n-1)/2 point-to-point security associations between n peers. We are talking about group security association (SA), group states and group keys. Because each group member […]

White Box Switching: Goodbye Trident II, Hello Cavium XPliant

Original Design Manufacturers (ODMs) that produce incumbent profit busting white box switching technology could soon be releasing the next wave of programmable networking based on technology from a silicon company best known for it’s encryption products. Cavium have released the XPliant chipset which it acquired from a $90m purchase earlier this year. This chipset comes in four flavours varying from 880 Gbps to 3.2 Tbps. This results in devices having 128×25 Gbps switching lanes allowing switches with 32x100GbE, 64x 50/40GbE, or 128x 25/10GbE ports in a single device. The highest speed Cavium device is currently twice the speed of the next highest merchant silicon offering, however merchant vendors will catch up with the speed aspect before too long. The important part here to remember is this chipset is programmable and is touted to be released with support for Generic Network Virtualisation Encapsulation (GENEVE) out of the box, along with a “simulator” for product designers to test their code against. All designed to increase the speed to market and decrease delay.

Let’s take an ODM switch from the likes of Accton that is currently based on the venerable Trident II chipset. Current merchant silicon chipsets limit the features to those Continue reading

IPv6 Networking Detection Case #141 – Part 2: The Solution

Part 2: The Solution Ready for part 2? Have you read part 1 w/ the facts and clues?  If not, go read that now before you continue. Part 1: The Facts and Clues   Review the Facts and Clues Again   Last we played we were ON R1 and unable to ping the IPv6 address […]

Author information

Denise "Fish" Fishburne

Denise "Fish" Fishburne
CPOC Engineer at Cisco Systems

Denise "Fish" Fishburne, (CCIE #2639, CCDE #2009:0014, Cisco Champion) is a team lead with Cisco's Customer Proof of Concept Lab in Research Triangle Park, N.C. Fish loves playing in the lab, troubleshooting, learning, and passing it on.
Twitter

The post IPv6 Networking Detection Case #141 – Part 2: The Solution appeared first on Packet Pushers Podcast and was written by Denise "Fish" Fishburne.

SDN control of hybrid packet / optical leaf and spine network

9/19 DemoFriday: CALIENT, Cumulus Networks and InMon Demo SDN Optimization of Hybrid Packet / Optical Data Center Fabric demonstrated how network analytics can be used to optimize traffic flows across a network composed of bare metal packet switches running Cumulus Linux and Calient Optical Circuit switches.


The short video above shows how the Calient optical circuit switch (OCS) uses two grids of micro-mirrors to create optical paths. The optical switching technology has a number of interesting properties:
  • Pure optical cut-through, the speed of the link is limited only by the top of rack transceiver speeds (i.e. scales to 100G, 400G and beyond without having to upgrade the OCS)
  • Ultra low latency - less than 50ns
  • Lower cost than an equivalent packet switch
  • Ultra low power (50W vs. 6KW for comparable packet switch)
The challenge is integrating the OCS into a hybrid data center network design to leverage the strengths of both packet switching and optical switching technologies.

The diagram shows the hybrid network that was demonstrated. The top of rack switches are bare metal switches running Cumulus Linux. The spine layer consists of a Cumulus Linux bare metal switch and a Calient Technologies optical circuit switch. The bare metal Continue reading

Report: Burrito Quest I

At Docker, we are lucky to be able to spend time exploring San Francisco, one of the world’s great cities in terms of culture, architecture and, of course, burritos. Forget about crabs or sourdough, what San Francisco does best is the burrito, that noble combination of beans, meat, cheese, salsa, and love, all in a convenient wrapper that let’s you eat it one-handed. And. like the City itself, the burrito is incredibly diverse. Do you prefer black beans or pintos? Are you a carnivore who craves the al pastor and the carne asada, or do you seek out the elusive perfect chile relleno burrito (the turducken of Mexico)?

So many options, so many questions. As an engineer-driven company, we needed to know the optimal solution. We had to know where to find the City’s finest burrito.

And so it came to be that Burrito Quest was born. We decided that once a month we would walk to another potential purveyor of the perfect burrito. In order to build a comprehensive test harness, we decided that each user would pursue their own story, be it a simple pollo or a bold lengua. or even a chili relleno, the turducken of Continue reading

Thinking About Intel Rack-Scale Architecture

You may have heard of Intel Rack-Scale Architecture (RSA), a new approach to designing data center hardware. This is an idea that was discussed extensively a couple of weeks ago at Intel Developer Forum (IDF) 2014 in San Francisco, which I had the opportunity to attend. (Disclaimer: Intel paid my travel and hotel expenses to attend IDF.)

Of course, IDF 2014 wasn’t the first time I’d heard of Intel RSA; it was also discussed last year. However, this year I had the chance to really dig into what Intel is trying to accomplish through Intel RSA—note that I’ll use “Intel RSA” instead of just “RSA” to avoid any confusion with the security company—and I wanted to share some of my thoughts and conclusions here.

Intel always seems to present Intel RSA as a single entity that is made up of a number of other technologies/efforts; specifically, Intel RSA is typically presented as:

  • Disaggregation of the compute, memory, and storage capacity in a rack
  • Silicon photonics as a low-latency, high-speed rack-scale fabric
  • Some software that combines disaggregated hardware capacity over a rack-scale fabric to create “pooled systems”

When you look at Intel RSA this way—and this is the way that Continue reading

Private VLANs when, where, & how.

Recently PVLANs came into a design discussion, which in turn led into me reminiscing on my Route/Switch days. So naturally when I wanted to re-visit the topic if anything to make sure I still remembered everything what was important and to see if any features have been added with the new IOS’s. It’s been a […]

Apple Working Hard to Improve Siri?

That’s right, in the face of strong competition from “Google Now” (home of “Ok Google”) and Microsoft’s Cortana, Apple’s software developers are working hard to add features and improve Siri’s capabilities and responses. After all, with Microsoft running commercials recently where Cortana … Continue reading

If you liked this post, please do click through to the source at Apple Working Hard to Improve Siri? and give me a share/like. Thank you!

[SDN Protocols] Part 4 – OpFlex and Declarative Networking

This entry is part 5 of 5 in the series SDN Protocols

In this post, we will be discussing a relatively new protocol to the SDN scene – OpFlex. This protocol was largely championed by Cisco, but there are a few other vendors that have announced planned support for this protocol. I write this post because – like OVSDB – there tends to be a lot of confusion and false information about this protocol, so my goal in this post is to provide some illustrations that (hopefully) set the record straight, with respect to both OpFlex’s operation, and it’s intended role.

Before I get started, I would be remiss to not point you towards a brilliant article by Kyle Mestery titled “OpFlex is not an OpenFlow Killer“. At the time the article was written, Kyle was working for Noiro, a team within the INSBU at Cisco focused (at least primarily) on open source efforts in SDN, and the creators of OpFlex.

 

The Declarative Model of Network Programmability

Before we get into the weeds of the OpFlex protocol, it’s important to understand the model that OpFlex intends to address. OpFlex is the protocol du jour within a Cisco ACI based Continue reading

1 3,714 3,715 3,716 3,717 3,718 3,853