Network Aware Software: Rubbish idea or OpenDayLight Function?

“Sir, Skynet is self aware…”

Not really the line anyone wants to hear, especially after watching the Terminator films! This however isn’t what this post is about, so if you’re a bit of a rebel, fear not. No network vendor branded termination thing (maybe other than poor documentation or code) will result in your death.

Since the era of the abacus, little consideration has been given to how software that relies upon a computer network actually interacts with it. Sure, most developers know how to drive a socket library and make things happen at a session level, but almost no consideration is given by a developer on how to deploy an enterprise application to a production environment.

This post represents a set of thoughts that have been maturing over the last few months. They are very much my own thoughts and do not represent those of others. I would be interested to hear if you have the same thoughts or any interesting different takes.

Where does this story begin?

Before smart phones and tablets came along, software for the domestic populous provided a means of typing and printing spell checked letters to your pen pals, figuring out your weekly shopping Continue reading

What I Learned by Being Laid Off

There’s nothing quite so unnerving as being laid off. I know, because I’ve been let go in a “limited restructuring” twice in my life. Through the process, I learned some “life lessons,” that apply to just about every engineering in the world. While I’m safely ensconced in a great place at Ericsson, I thought it might be useful to reflect on the lessons I’ve learned — especially as it seems to be layoff season in other places (or maybe it’s layoff season all the time?).

First, it doesn’t matter if it’s about you, the politics, or just a random event. I still harbor a suspicion that both times I was laid off there was more going on in the background than just “we don’t need your services any longer.” There were probably politics. On the other hand, the politics in these situations are always bigger than you, no matter how personal it might seem. There’s always some back story, there’s always some power play in progress, there’s always some internal struggle.

But the truth is — it doesn’t matter. You can either stew on the past, or move on with your life. Stewing in the past isn’t going Continue reading

Common Network Design Concepts Part-2

In the first article of this series, reliability and resiliency has been explained. Every component and every device can and eventually will fail, thus system should be resilient enough to re converge/recover to a previous state. Resiliency can be achieved with redundancy. But how much redundancy is best for the resiliency is another consideration to […]

Author information

Orhan Ergun

Orhan Ergun, CCIE, CCDE, is a network architect mostly focused on service providers, data centers, virtualization and security.

He has more than 10 years in IT, and has worked on many network design and deployment projects.

In addition, Orhan is a:

Blogger at Network Computing.
Blogger and podcaster at Packet Pushers.
Manager of Google CCDE Group.
On Twitter @OrhanErgunCCDE

The post Common Network Design Concepts Part-2 appeared first on Packet Pushers Podcast and was written by Orhan Ergun.

Is Anyone Using DMVPN-over-IPv6?

One of my readers sent me an interesting challenge: they’re deploying a new DMVPN WAN, and as they cannot expect all locations to have native (non-NAT) IPv4 access, they plan to build the new DMVPN over IPv6. He was wondering whether it would work.

Apart from “you’re definitely going in the right direction” all I could tell him was “looking at the documentation I couldn’t see why it wouldn’t work” Has anyone deployed DMVPN over IPv6 in a production network? Any hiccups? Please share your experience in the comments. Thank you!

IP Subnetting Part 4: Subnetting a Class C Network

At this point in the PacketU subnetting series, we have worked through the following–

This article takes the concept of subnetting to the next step. Today we are going to look at the concepts required to subnet a Class C network. As we reflect on the Classful IP rules, we recall that a Class C network has the following characteristics–

  • First octet begins with binary 110…..
  • The first Octet will be in the range of 192 to 223
  • The first three (three leftmost) octets represent a Network
  • The last octet (rightmost) Octet represents a Host on a network

We also know that this single IP network can be further subdivided into multiple, but smaller, networks. This process is known as subnetting.

Continuing with the syntax used in previous articles, we might represent a Class C Network as follows–

192.168.100.0

In this example--

Blue  represents a Classful Network
Green represents a Host address

In this case the host address value is 0, so only the network is being represented here. Based on this information, we only have one IP network that can be assigned. That one network could Continue reading

Vuln bounties are now the norm

When you get sued for a cybersecurity breach (such as in the recent Home Depot case), one of the questions will be "did you follow industry norms?". Your opposition will hire expert witnesses like me to say "no, they didn't".

One of those norms you fail at is "Do you have a vuln bounty program?". These are programs that pay hackers to research and disclose vulnerabilities (bugs) in their products/services. Such bounty programs have proven their worth at companies like Google and Mozilla, and have spread through the industry. The experts in our industry agree: due-diligence in cybersecurity means that you give others an incentive to find and disclose vulnerabilities. Contrariwise, anti-diligence is threatening, suing, and prosecuting hackers for disclosing your vulnerabilities.

There are now two great bounty-as-a-service*** companies "HackerOne" and "BugCrowd" that will help you run such a program. I don't know how much it costs, but looking at their long customer lists, I assume it's not too much.

I point this out because a lot of Internet companies have either announced their own programs, or signed onto the above two services, such as the recent announcement by Twitter. All us experts think Continue reading

AppShape++ and SSL offloading

After running my fist AppShape++ script, I was wondering if it will work with SSL offloading as well.

Lets try it out, using my lab setup again, and I'll be adding on top my previous lab.



First I'll need to create SSL policy on the Alteon VA version 29.5.1.0:

 /c/slb/ssl/sslpol mySSL_Pol
        cipher "high"
        ena

This will select only high security encryption and integrity algorithms.

Next we need to create a self signed certificate:

>> LB1 - SSL Policy mySSL_Pol# /cfg/slb/ssl/certs/srvrcert

Enter server certificate id: mySRV_Cert
------------------------------------------------------------------
[Server certificate mySRV_Cert Menu]
     name     - Set descriptive certificate name
     generate - Create or update self-signed server certificate
     del      - Delete server certificate
     cur      - Display current server certificate configuration

>> LB1 - Server certificate mySRV_Cert# gen
This operation will generate a self-signed server certificate.
Enter key size [512|1024|2048|4096] [1024]: 2048
Enter server certificate hash algorithm [md5|sha1|sha256|sha384|sha512] [sha1]: sha256
Enter certificate Common Name (e.g. your site's name):  *.dans-net.com
Use certificate default values? [y/n]: y
Enter certificate validation period in days (1-3650) [365]: <enter>  
....
Continue reading

Internal Networking for the new UCS Modular Chassis

At the end of the day, any announcement that is NON networking focused NEEDS a networking focus.  I just attended the UCS Grand Slam launch where there were a few announcements for UCS including the new UCS mini, capacity optimized UCS, and the UCS modular chassis (M series).  The latter was of the most interest to me.
The new M series de-couples CPU and memory from other peripherals on board including networking and storage.  CPU and memory exist on a replaceable / upgradeable cartridge and can be upgraded without touching the network or SSDs on board.  This smells and feels like the disaggregation happening in the Open Compute Project (OCP), but of course, the Cisco solution can be managed with all existing and new UCS systems via UCS Manager.  This could definitely be the start of a new computing paradigm for the Enterprise. 

Platform Overview

Each UCS M series chassis has 8 cartridges in a 2 RU form factor.  Each cartridge has two (2) quad core CPUs and 64GB memory, thus each server has a single quad core CPU and 32GB memory.  There are also 4 SSDs and dual 1400W power supplies per Continue reading

My first week working at Cumulus Networks: Beyond A First Impression

Working at Cumulus Networks – it’s probably the most fun I’ve had at a job in a really long time.

The narrow stairway at 463 (and a half) Bryant Street was my first impression of working at Cumulus Networks. Victoria opened the door, and I said, “Wow, this door is tiny and those stairs- what is this, a speakeasy?” I got the sly, dry smile that I have come to see as indicative of Victoria and was escorted inside to the conference room of what looked like an empty apartment turned into an office. There, I met Kathleen and we chatted for half an hour. It was one of the most informal, comfortable, genuine experiences I’d ever had in a job search.

“Do you think you can commit to working at Cumulus Networks a few months, understanding it’s sort of up in the air right now, the future of this office, etc.?”

“Yeah, I think so. I mean, unless I become like, a famous author over night, or something. Which probably isn’t going to happen.”

Victoria glanced at my resume. “It says here that you published a book.”

“Two, actually. But you know… that’s how I Continue reading

Rant: You Are Not A Precious Snowflake. IT Infrastructure Is The Same Everywhere.

Vendors keep telling me that every business is different and customer have different needs. We all buy the same products from the same companies, use the same deployment methodologies and best practices, have the same problems and deliver the same results to the business. You aren't a precious snowflake.

The post Rant: You Are Not A Precious Snowflake. IT Infrastructure Is The Same Everywhere. appeared first on EtherealMind.

Verifying end-to-end QoS marking

A not so easy process about QoS involves the verification of end-to-end QoS marking: are the marks maintained through the all network? Before going deep, let’s recap how an IP packet can be marked: The IP field reserved for QoS is 8 bits long and it’s called TOS (Type of Service). RFC791 defines 3 bits for […]
(Visited 166 times since 2013-06-04, 1 visits today)

Chef Basics – Hello World for Chef

In my last post, we covered setting up the basic install of the Chef Server, the Chef client, and a test node that we bootstrapped with Chef.  Now let’s talk about some of the basics and hopefully by the end of this post we’ll get to see Chef in action!  Let’s start off by talking about some of the basic constructs with Chef…

Cookbooks
Cookbooks can be seen as the fundamental configuration item in Chef.  Cookbooks are used to configure a specific item.  for instance, you might have a cookbook that’s called ‘mysql’ that’s used to install and configure a MySQL server on a host.  There might be another cookbook called ‘httpd’ that installs and configures the Apache web server on a host.  Cookbooks are created on the Chef client and then uploaded and stored on the Chef server.  As we’ll see going forward, we don’t actually spend much time working directly on the Chef server.  Rather, we work on the Chef client and then upload our work to the server for consumption by Chef nodes. 

Recipes
Recipes are the main building block of cookbooks.  Cookbooks can contain the Continue reading

Alteon group selection by HTTP Host header using AppShape++

On the previous post I have used Content Rules to configure group (server pool) selection based on the Host header in HTTP.

This lab is also based on the lab setup I am using.


This time I'll do the same, but with AppShape++, which is similar to F5's iRules.

I want a2.dans-net.com to be served by SRV1 and b2.dans-net.com to be served by SRV2, any other host should be served by all web servers.

I'll use VIP 10.86.3.10 as the VIP. Here is how I edit my /etc/hosts files, which is c:windowssystem32driversetchosts :

10.136.6.10    a2.dans-net.com
10.136.6.10    b2.dans-net.com

First, I'll configured two new groups (server pools):

 /c/slb/group a2_dans
        add 1

 /c/slb/group b2_dans
        add 2

Next I'll write the AppShape++ script which will select a group based on the Host header:

attach group a2_dans
attach group b2_dans

when HTTP_REQUEST {
    switch -glob [HTTP::host] {
        "a2.dans-net.com" {
            group select a2_dans
        }
        "b2.dans*" {
Continue reading

How to show captured data from Cisco IOS on the fly in Wireshark/tcpdump

Monitor features in Cisco devices are able to show data flows but Cisco IOS lacks the option to export data on the fly. I wrote tiny GNU/Linux shell script to solve this restriction.

That is something like ASA capture (https://supportforums.cisco.com/document/69281/asa-using-packet-capture-troubleshoot-asa-firewall-configuration-and-scenarios) via HTTP/HTTPS.

I tested script on:

Router(config)#uname -a
IOSv Router IOS 15.4 Cisco IOS Software, vios Software (vios-ADVENTERPRISEK9-M), Experimental Version 15.4(20131213:232637) [lucylee-ca_pi23 137]
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Mon 16-Dec-13 19:50 by lucylee Unknown Unknown IOS

1. Create user and add privilege level 15 (root)

username user secret userpass
username user privilege 15

2. Start HTTP server, authentication style and optional (set max connection to 16 (default 5))

For security reasons you should set HTTP/HTTPS authorization with ACL and instead of HTTP use HTTPS server.

ip http server
ip http authentication local
ip http max-connections 16

3. Configure Monitor settings

Below I created a circular buffer called MY_BUFFER. Linear buffer is limited that means, if buffer is full IOS will stop capture. In circular buffer "old" data will be rewritten when buffer is full.

monitor capture buffer MY_BUFFER size 1024 max-size 9500 circular

Next step is to create a capture point. I created the Continue reading

Using BGP data to find Spammers

It’s long been assumed that Spammers use a technique called IP squatting to get around IP reputation lists and to make it harder to find the real source of the spammers. In this blog we’ll take a closer look at Spam operations and their techniques.

IP Squatting
We’ve all read the reports about IPv4 running out of free address space and while that is certainly true there’s still a lot of address space that has been allocated but is not actually routed on the Internet today. A significant portion of that space are prefixes that were allocated a long time ago and folks are no longer using these allocations, forgot about it or have other reasons to not use their IP address space on the Internet. IP squatters look for space that hasn’t been routed for a while and will claim ownership of the space. This can then be used for things such as Spamming. There is vast range address space that is not currently announced on the Internet and it is not uncommon for IP squatters to cycle through this space using one or more prefixes at a time for a brief period.

Below we’ll expose two actual Spam Continue reading

1 3,722 3,723 3,724 3,725 3,726 3,854