Cisco IPsec VPN breakage on Windows 8[.1] and OS X 10.9

Oh, to be a Cisco IPsec VPN user these days… Now I know that we should get with the program and move to AnyConnect, since Cisco is EOL-ing the venerable Cisco VPN Client in 2014, but we have a large installed base, and since Cisco stopped making IPsec clients for Mac and Linux back in the […]

Author information

Will Dennis

Will Dennis

Will Dennis has been a systems and network administrator since 1989, and is currently the Network Administrator for NEC Laboratories America, located in Princeton NJ. He enjoys the constant learning it takes to keep up with the field of network and systems administration, and is currently pursuing the Cisco CCNP-R/S certification. He can be found on the Twitters as @willarddennis, and on Google Plus.

The post Cisco IPsec VPN breakage on Windows 8[.1] and OS X 10.9 appeared first on Packet Pushers Podcast and was written by Will Dennis.

Securing a DMVPN spoke – Part 2

In Part 1 we went through protecting the spoke from the outside world on the Internet and using the stateful inspection firewall CBAC, Content-Based Access Control, to dynamically allow returning traffic back in. CBAC works great for a single inside zone and a single outside zone. What if your business requirements have more than two […]

Author information

Charles Galler

Charles Galler

Charles is a network and UC engineer for a mainly Cisco reseller. He has worked in the networking industry for about 13 years. He started as a network administrator for a small CLEC (carrier) where he did it all in IT and worked on the carrier network. After the CLEC, Charles went to work for a large healthcare organization in the Houston area and stayed with them for about three and a half years. Now he works for a reseller in the professional services part of the organization. He is currently studying for his CCIE in Routing and Switching and plans on passing it before the end of 2014. You can find him on the Twitter @twidfeki.
Twitter

The post Securing a DMVPN spoke – Part 2 appeared first on Packet Pushers Podcast and was written by Charles Galler.

Dotless

It was never obvious at the outset of this grand Internet experiment that the one aspect of the network’s infrastructure that would truly prove to be the most fascinating, intriguing, painful, lucrative and just plain confusing, would be the Internet’s Domain Name System. After all, it all seemed so simple to start with.

phpIPAM version 0.9 released

Dear all, I am happy to announce new version of phpipam IP address management – version 0.9. Subnet status
New features, like Support for ICMP network discovery, ICMP check IP status in demand, Compressed (grouped) DHCP IP ranges and other were introduced. Most important are:

  • Support for ICMP network discovery;
  • Cron script to check status for selected subnets/hosts with threading suport (pcntl php extension required)
  • ICMP check IP status in demand;
  • Added folders;
  • Compressed (grouped) DHCP IP ranges;
  • Added subsections;

Some instructions on how to setup ICMP scanning will follow.

If you find phpIPAM useful for your company donations would be highly appreciated :)

You can demo it here: http://demo.phpipam.net/
You can download it on sourceforge site: phpipam-0.9.

Special thanks to all the people submitting bug reports, translators and feature testers!

Screenshots:

Subnet status Screen Shot 2013-10-30 at 14.25.57 On-demand check IP last seen UI changes Mail status notifications

Full changelog for this release is:

New features:
----------------------------
+ Support for ICMP network discovery;
+ Cron script to check status for selected subnets/hosts with threading suport (pcntl php extension required);
+ ICMP check IP status in demand;
+ Compressed (grouped) DHCP IP ranges;
+ API server version 0.1;
+ Option to show and group subnets by VLAN in subnets list;
+ Option to show and Continue reading

Out of the Mouths of Customers

It’s a busy week to say the least. Not only are we a sponsor of the 2nd Open Networking User Group (ONUG) meeting, we held our inaugural Technical Advisory Board (TAB) meeting. Leveraging the fact that many of our customers will be attending ONUG, we brought together some of the most forward-thinking networking and business professionals from enterprises, service providers and partners to talk about our company, our product roadmap and our ideal use cases.

Before I get into the highlights, I’d like to give Embrane a high-five because we can actually have a TAB made up of paying customers. In an industry currently dominated by PowerPoint slides and acronyms, having a shipping product that people are using is unique in its own right. Also, where there was a full day of great feedback and dialogue. I’m just going to cover three aspects of the discussion otherwise I would have to write a novel to capture everything.

Platform vs. Product

One of the liveliest discussions was around the value of Embrane to customers. If you’ve been following the Embrane story, you’ll recall we’ve been focusing our marketing message around application-centric networking and more specifically, as of late, application-centric Continue reading

Plexxi – Optimized Workload and Workflow

Plexxi was a vendor that presented at Networking Field Day 6, and was one that really got me excited about what’s possible when you think about what kind of metadata your data center contains, and what products like Plexxi can do with that data once abstracted and normalized the right way. I will be intentionally brief with respect to my thoughts on the hardware - others like Ivan (and more) have already done a better job with this than I ever will.

Plexxi – Optimized Workload and Workflow

Plexxi was a vendor that presented at Networking Field Day 6, and was one that really got me excited about what’s possible when you think about what kind of metadata your data center contains, and what products like Plexxi can do with that data once abstracted and normalized the right way. I will be intentionally brief with respect to my thoughts on the hardware - others like Ivan (and more) have already done a better job with this than I ever will.

Plexxi – Optimized Workload and Workflow

Plexxi was a vendor that presented at Networking Field Day 6, and was one that really got me excited about what’s possible when you think about what kind of metadata your data center contains, and what products like Plexxi can do with that data once abstracted and normalized the right way. I will be intentionally brief with respect to my thoughts on the hardware - others like Ivan (and more) have already done a better job with this than I ever will.

Fixing high CPU use on Cisco 7600/6500

Recently some time ago (this blog post has also been lying in draft for a while) someone came to me with a problem they had with a Cisco 7600. It felt sluggish and "show proc cpu" showed that the weak CPU was very loaded.

This is how I fixed it.

"show proc cpu history" showed that the CPU use had been high for quite a while, and too far back to check against any config changes. The CPU use of the router was not being logged outside of what this command can show.

"show proc cpu sorted" showed that almost all the CPU time was spent in interrupt mode. This is shown after the slash in the first row of the output. 15% in this example: 

  Router# show proc cpu sorted
  CPU utilization for five seconds: 18%/15%; one minute: 31%; five minutes: 42%
  PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process 
  198   124625752 909637916        137  0.87%  0.94%  0.94%   0 IP Input         
  [...]
Interrupt mode CPU time is (a bit simplified and restricted to the topic at hand) used when the router has to react to some user traffic. Now why would the 7600 use the Continue reading

Healthy Paranoia Show 18: Illusion, Lies and Neuroscience with Alex Stone

Ladies and gentleman, prepare to be mystified and amazed by another episode of Healthy Paranoia. Where even the unicorns are nerdy and the evil bit is always set on your packets.  Just in time for Halloween, get ready for some tricks and definitely  treats, because we’re going to discuss the intersection of magic, social engineering […]

Author information

Mrs. Y

Snarkitecht at Island of Misfit Toys

Mrs. Y is a recovering Unix engineer working in network security. Also the host of Healthy Paranoia and official nerd hunter. She likes long walks in hubsites, traveling to security conferences and spending time in the Bat Cave. Sincerely believes that every problem can be solved with a "for" loop. When not blogging or podcasting, can be found using up her 15 minutes in the Twittersphere or Google+ as @MrsYisWhy.
TwitterLinkedIn

The post Healthy Paranoia Show 18: Illusion, Lies and Neuroscience with Alex Stone appeared first on Packet Pushers Podcast and was written by Mrs. Y.

Next-hop resolution and point-to-point

I had this blog post lying around as a draft for a long time. I didn't think it was was "meaty" enough yet, but since I'm no longer a network consultant I don't think it'll become any meatier. So here it goes.

Here I will describe the process of L3-to-L2 mapping, or next-hop resolution and how it works with point-to-point circuits like PPP, ATM and Frame relay. It's the process of finding out what to actually do with a packet once the relevant routing table entry has been identified.

It's deceptively simpler than on a LAN segment, but since people generally learn Ethernet before they learn point-to-point nowadays I'm writing it anyway.

When a packet is to be sent to an address on the same subnet a L3-to-L2 mapping is done to look up the L2 destination address (if any) to apply.

The packet is then encapsulated in a L2 frame and sent out the interface.

On a normal Ethernet LAN segment ARP is used to look up L3-to-L2, and the frame will then have that (L2) MAC address as its destination. The frame will then be received by (and only by) the intended destination.

In a point-to-point interface there Continue reading

Quiz #20 &#8211 NAT between Two Partner Companies

Your company has a border router (R2) that is connected to two partner companies: Partner-DB (R1) providing database services and Partner-APP (R3) that provides different application services to your web servers in DMZ (200.200.200.0/24). You are requested to configure NAT according to some requirements.

I’m a Networking Guy, and I’m Here To Talk About Programming

I’m fortunate enough to work and be connected with some stellar networking professionals. I mean it - they’re rock stars. In my quest to surround myself with smart folks like this - in an attempt to at the very least learn by osmosis - I’ve clearly succeeded. I haven’t been in the industry for that long - but I’ve chosen networking (among other things) to be what I want to focus on professionally, and these are the best people to learn it from.

I’m a Networking Guy, and I’m Here To Talk About Programming

I’m fortunate enough to work and be connected with some stellar networking professionals. I mean it - they’re rock stars. In my quest to surround myself with smart folks like this - in an attempt to at the very least learn by osmosis - I’ve clearly succeeded. I haven’t been in the industry for that long - but I’ve chosen networking (among other things) to be what I want to focus on professionally, and these are the best people to learn it from.

Forwarding UDP broadcast traffic mechanisms

How does the internet work - We know what is networking

We will speak here about some basics about Forwarding UDP broadcast traffic. If you were wondering what Forwarding UDP broadcast traffic actually is I will try to explain it here in few words. If you have more that one broadcast domains in your local network, let’s say that you have three VLANs. In normal networking theory it’s normal […]

Forwarding UDP broadcast traffic mechanisms

Spanning Tree Exercise and Revisiting Root Guard

This was actually spurned from a comment I received on another one of my blog posts that you can find here.  Seeing that comment, I white boarded it and realized that I may have been completely wrong in regards to how Root Guard could “break a network”. 

Let’s say we have the following topology:

image

  • Core 1 is the root for VLAN 10 with a configured priority of 4096, and is the secondary root for VLAN 20 with a configured priority of 8192.  We alternate this with Core 2 in order to load balance VLAN traffic.
  • Access 3 and 4 are left in default configuration regarding spanning tree.
  • Two workstations are present – one in VLAN 10, and another in VLAN 20.  Their default gateways are SVIs that are on the Core switches.
  • For simplicity, switch MAC addresses are the number contained in their names.  Example: Access 4’s MAC address is “4”.
  • All link costs are the same.
  • All links between switches are trunks transporting all VLANs.

Let’s work through the spanning tree topologies.

Core 1 – Root bridge for VLAN 10.  All ports designated.

Core 2 – Port 1 will be a root port Continue reading

With SDN, Do We Still Need CCIEs?

"With SDN, we don't need CCIEs anymore. Anyone can run the network with a simple click-and-drag GUI." Really.

"SDN makes the knowledge of traditional networking is not relevant anymore. We need more people who can write code instead." Wow.

"SDN with Openflow removes all the current routing protocols. So why wasting your time to study CCIE?" Speechless.

Let's start with definition.

According to Wikipedia, SDN is "...an approach to building computer networks that separates and abstracts elements of these systems..." There are two important keywords there: separate, and abstraction. Separate means decouple Control Plane and Data/Forwarding Plane function. If in 'traditional networking' both Contol and Data functions are contained within a single device, SDN makes the separation so the Control plane can be moved to a device or system that is located at the central of the network. More intelligent control function that can see the whole network end-to-end.

And the Control plane can be customized, manipulated, re-programmed and so on, regardless the state of the Data plane. This is the first level of the abstraction.

Why is abstraction important? Because we want to separate the complexity. Think about building multiple layers that separate Continue reading
1 3,725 3,726 3,727 3,728 3,729 3,793