July 24, 2014

Potaroo blog

Some Internet Measurements

At APNIC Labs we’ve been working on developing a new approach to navigating through some of our data sets that describe aspects of IPv6 deployment, the use of DNSSEC and some measurements relating to the current state of BGP.

July 24, 2014 10:00 PM

Peter's CCIE Musings and Rants

Disabling specific log messages on the ASA to help troubleshoot

The ASA logging gives you lots of great info, but it tends to have loads of it coming up all at once. I tend to use a trick where I know the IP address I am looking for, so I constantly type:

show log | inc

then I try and generate the traffic and capture the entry in the log.

However, someone else has a great way to disable specific logs


Great stuff!
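To show what the `show log | inc <address>` trick and the disable-a-message approach each give up, here is an added Python example (not from the post above) that parses constructed ASA syslog lines in the stock `%ASA-<severity>-<message-id>` format, filters them by host the way `include` does, and models the effect of disabling a message ID with `no logging message <id>`, so you can see which lines stop appearing for every host, not only the one you are troubleshooting. The sample lines and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample of ASA syslog lines in the stock %ASA-<severity>-<message-id> format.
# Addresses are documentation space; none of this was captured from a real firewall.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:192.0.2.25/51234 (198.51.100.1/51234)
%ASA-6-302014: Teardown TCP connection 4711 for outside:203.0.113.10/443 to inside:192.0.2.25/51234 duration 0:00:02 bytes 1834 TCP FINs
%ASA-6-302013: Built outbound TCP connection 4712 for outside:203.0.113.11/80 (203.0.113.11/80) to inside:192.0.2.30/51235 (198.51.100.1/51235)
%ASA-4-106023: Deny tcp src outside:198.51.100.77/4444 dst inside:192.0.2.25/22 by access-group "OUTSIDE_IN"
%ASA-6-106015: Deny TCP (no connection) from 192.0.2.25/51236 to 203.0.113.10/443 flags RST on interface inside
%ASA-6-305011: Built dynamic TCP translation from inside:192.0.2.30/51235 to outside:198.51.100.1/51235
"""

LINE_RE = re.compile(r"^%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse(log_text):
    """Turn raw lines into dicts with severity, message id, text and the IPs mentioned."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip prompts, banners, anything that is not an ASA message
        entries.append({
            "sev": int(m.group("sev")),
            "msgid": m.group("msgid"),
            "text": m.group("text"),
            "ips": set(IP_RE.findall(m.group("text"))),
        })
    return entries


def filter_by_ip(entries, ip):
    """Equivalent of `show log | include <ip>`: every message that mentions the host."""
    return [e for e in entries if ip in e["ips"]]


def suppress_message_ids(entries, msgids):
    """Model the effect of `no logging message <id>`: those IDs vanish for every host."""
    hidden = set(msgids)
    return [e for e in entries if e["msgid"] not in hidden]


def messages_lost(entries, msgids):
    """Per message id, how many lines a suppression removes: the evidence you give up."""
    hidden = set(msgids)
    return Counter(e["msgid"] for e in entries if e["msgid"] in hidden)


if __name__ == "__main__":
    entries = parse(SAMPLE_LOG)
    host = "192.0.2.25"
    print(f"{len(filter_by_ip(entries, host))} lines mention {host}")
    quiet = suppress_message_ids(entries, ["302013", "302014"])
    print(f"after muting connection build/teardown: {len(filter_by_ip(quiet, host))} lines left for {host}")
    print("lost per message id:", dict(messages_lost(entries, ["302013", "302014"])))
```

The per-host filter keeps every message class, so the deny and RST lines that explain a failed connection stay visible; muting a message ID is quieter but removes that class for all hosts, which is why it is worth re-enabling once the troubleshooting is done.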

by peter_revill (noreply@blogger.com) at July 24, 2014 03:01 PM

July 23, 2014

CCIE Journey

CCIE Journey Special – $500 off 1-Year Premium All Access Pass

INE is offering a $500 off special for a 1 year All Access Pass for our blog readers here. To get the special just click on the INE banner to the left and it will take you to the sign up site for the discount. Not sure how long they will keep the discount going so keep that in mind :)

by CCIE Journey at July 23, 2014 06:04 PM

Cisco IOS Hints and Tricks

Campfire story: Using the wrong tool for the job

Summer is the perfect time for campfire stories – here’s one about using the wrong tool for the job.

A Long time ago in an IT organization far, far away Artificial Intelligence (AI) was the coolest kid on the block.

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at July 23, 2014 09:07 AM


July 22, 2014

Networking Now (Juniper Blog)

VMworld 2014 – Juniper at the Hands-on Lab

This is an exciting year for me. I joined Juniper Networks and my first week, I submitted a lab proposal representing Juniper for the VMworld 2014 Hands-on Lab.  Weeks later, it was approved and two weeks ago, I finalized the lab and document.  I am so incredibly excited that for the first time ever, Juniper Networks is represented in the VMworld Hands-on Lab.

What will be covered in the lab you ask? The lab of course covers some, but not all, of our Security virtualized products.  If you would like a complete listing of these products, please review my previous blog post.

The Hands-on lab for 2014 is lab HOL-PRT-1472: Juniper Virtual Security for the Enterprise and Service Provider Environment. It covers Juniper Junos Space with Security Director and Virtual Director, Firefly Perimeter, and DDoS Secure.  The agenda for the lab is:

Juniper Virtual Security for the Enterprise and Service Provider Environment

  • Lab Overview
  • Juniper Junos Space 101
      • Introduction to Space
      • Introduction to Virtual Director
      • Introduction to Security Director
  • Managing Your Physical and Virtual Infrastructure with Juniper Junos Space
      • Use Cases for Juniper Junos Space and Firefly Perimeter
      • Deploying Firefly Perimeter
      • Virtual Director – Greater Detail
      • Security Director – Greater Detail
      • Why Juniper for Your Physical and Virtual Infrastructure
  • Juniper DDoS Secure
      • Why Juniper DDoS Secure
      • Introduction to Juniper DDoS Secure
      • Introduction to Juniper DDoS Secure UI
      • Configuration of Testing Environment
      • Low and Slow Attack

If you are interested in taking the lab, the hours are:

  • Sunday, August 24: 9:00 am – 7:00 pm
  • Monday, August 25: 10:30 am – 7:00 pm
  • Tuesday, August 26: 10:30 am – 6:00 pm
  • Wednesday, August 27: 8:00 am – 5:00 pm
  • Thursday, August 28: 8:00 am – 3:00 pm

Information on the Hands-on Labs

I look forward to seeing you there! Make sure you stop by and say hi!!!

by banksek at July 22, 2014 08:54 PM

Honest Networker

Guest Post – I Am Interviewed About Interop New York

Folks, this is a first for me on this blog – a guest post. In this case, I was interviewed by TechnologyAdvice’s Clark Buckner about my involvement with Interop. Since I’m a big fan of Interop as a vendor-neutral conference designed to bring together all the IT silos, it was an easy interview […]

by Ethan Banks at July 22, 2014 07:54 PM

My Etherealmind

Big Switch Networks Launches Mature Hardware-Centric Data Centre SDN Solution

Big Switch Networks (BSN) launches Version 4.0 of Big Cloud Fabric for hardware-centric SDN data centre fabric. The Data Centre Fabric solution clearly shows the maturity gained from 5 years of shipping products while adding innovation in switch hardware through Switch Light operating system. At the same time, they have completed the transition from platform to product. A product that really has what you need in a hardware-centric SDN platform and addresses nearly all of the issues the competitors have not addressed. And it is shipping now.


The post Big Switch Networks Launches Mature Hardware-Centric Data Centre SDN Solution appeared first on EtherealMind.

by Greg Ferro at July 22, 2014 02:30 PM


Six Phases of Network Evolution

Last month I was asked to speak about Next Generation Networks at Indonesian Network Operators Group (IDNOG) forum. Whenever I speak about this subject with my customers, I usually use top down approach: started by talking about the business drivers and requirements, NGN architecture, to high level and low level design, before going deep into details to each supporting technology.

This time I decided to take a different approach. Instead, I tried to demonstrate how to build a new SP network from the bottom up. The objective is to show how the network can be transitioned from a simple one that offers a single service to one that carries multiple services and becomes a resilient Next Generation Network. I don't know if the message was received by the attendees, but I ran out of my 30 minutes, so I continued that effort by conducting a WebEx session a few weeks ago.

The presentation I made for that session inspired me to write about the six phases of network evolution below. The phases end with the one thing that has become a hot topic these days: Software Defined Network (SDN).

Phase 1: It begins with connectivity
When we build the network from the ground up, the first and most important thing to focus on is connectivity. Site A can connect to site B. Users can access the server. This means we need to build the physical topology and enable layer 2 and L3 routing protocols (IGP, BGP) to provide connectivity. And it is common to deliver only a single service (Internet/data) on the global routing table.

Phase 2: Converged network and multi-services
Then comes the next requirement: to use the same network to deliver multiple services. MPLS is definitely the industry's protocol of choice to provide an overlay in the network, though other tunneling protocols can still be used as long as the objective is achieved. The network now must be able to provide L3VPN and L2VPN services over MPLS, high speed Internet, voice over IP, IPTV for both multicast streams and unicast video on demand, even mobile services and multimedia. Convergence happens in the access layer too: one IP/MPLS network carries different types of last-mile access network technology.

Phase 3: Scalability
When we have a big number of users accessing multiple services, especially for a Service Provider, the scalability factor becomes important. Nowadays we use the IGP routing protocol only to connect SP routers to each other, while the customer networks are carried using BGP. The IGP must be fine tuned and the link-state protocol area design must be done properly to make it scalable. BGP RR design becomes crucial when the number of BGP speakers is high. Multiple BGP ASes must be able to work with each other to carry the services seamlessly. Even the design of every part of the network needs to be unified and consistent in order to make it easier to scale up.

Phase 4: Service level differentiation
QoS kicks in when there is congestion in the network. When there is no congestion, QoS is applied to limit the service in order to differentiate the service level provided to the end user. QoS implementation in a Service Provider network is obviously different from an Enterprise network. In the SP it's common to share network infrastructure that spreads across the nation, connected with WAN links with potential for network congestion, to serve a big number of users trying to access multiple services. It makes sense to apply QoS to prioritize certain types of traffic, or to charge the customer differently depending on the agreed service level. An Enterprise network such as a LAN campus network or data center is already considered a low latency network with a sufficient bandwidth pipe, hence the QoS implementation focus is most likely on the WAN link.

Phase 5: High availability and resiliency
The target for HA and resiliency in the network depends on how much service unavailability we can tolerate. Some customers can afford network downtime for days while others can only tolerate a fraction of a second. Some applications can continue to work, or resume immediately, when they get disconnected for more than a few seconds, while others show serious disruption when the network is down for milliseconds. So we need to look at high availability and resiliency from an end to end perspective. Physical topology redundancy is good but may not be enough. Link down or network node down detection becomes crucial. The IGP can be fine tuned to react in under 500 ms. Hardware availability combined with NSF, NSR and GR may be able to provide 0 packet drop during route-processor failover. BGP fast convergence is done in the forwarding plane, even though in the control plane it still relies on IGP convergence. Multicast streams can be active-active and in parallel, using path diversity to provide an always-on IPTV service. MPLS TE and IP FRR may be used to achieve sub-50 ms while waiting for the IGP to fully converge, in exchange for more complexity in the network. And infrastructure security is another factor to consider to ensure network availability.

Phase 6: Manageability, agility and efficiency
"Simplicity is the prerequisite for reliability." In order to provide reliable services it should be simple enough to run the network. Some believe that if network management worked as expected we wouldn't even talk much about SDN. The fact that the network today has become very complex to manage, even with the various management tools available in the market, makes many of us look for the solution that seems to be promised by SDN. We still need to run lots of management protocols like SNMP and RMON. We still need to secure the management channel through SSH or another encrypted channel. But now we want the network to be agile enough to adapt to the changes that come from lots of new applications. We need to be able to provision new services quicker. We are talking more and more about automation and network programmability. We want the network to be efficient. We want to hide all the complexity that happens in the network to make it efficient for the operator to run and manage it. And SDN may be able to do so by providing the abstraction that gives the simplicity to run the network.

In the end, with the amount of complexity built up as the network transforms from one phase to the next as above, it's clear why SDN looks promising. It's easier now to understand why people believe SDN is the answer: because it's simply part of the network evolution.

by noreply@blogger.com (Himawan Nugroho) at July 22, 2014 12:31 PM

Renesys Blog

Kurdish ISPs enable growth of Iraqi Internet

The recent violence in Iraq and the government’s actions to block social media and other Internet services have put a spotlight on the Iraqi Internet. However, an overlooked but important dynamic in understanding the current Iraqi Internet is the central role Kurdish ISPs play in connecting the entire country to the global Internet.

In the past five years, the Internet of Iraq has gone from about 50 networks (routed prefixes) to over 600. And what is most noteworthy is that the growth has not occurred as a result of increased connectivity from the submarine cable landing at Al Faw, as would be expected in a typical environment. Instead the dominant players in the Iraqi wholesale market are two Kurdish ISPs that connect to the global Internet through Turkey and Iran: Newroz and IQ Networks.

Help from the Kurds

The Iraqi Kurdistan region contains four main cities: Erbil, Duhok, Zakho and Sulaymaniyah. Newroz covers the first three, while IQ Networks provides service in the last. However, it would be incorrect to simply classify these providers as city-level retail ISPs. They also carry significant amounts of traffic for the rest of the country.


From the relative peace and stability of Kurdistan, Newroz and IQ Networks sell transit to Iraqi ISPs in the biggest markets — those in the middle and south of Iraq. Central Iraq ISPs, such as Earthlink, ScopeSky, and FastIraq, attain transit from the Kurdish providers by connecting in northern Iraqi cities of Mosul and Kirkuk.

Five years Iraqi Internet growth

The graph below illustrates the overall growth of the Iraqi Internet over the last five and a half years. The total count of Iraqi networks (routed prefixes) is depicted in purple and the networks transited by either Newroz (blue), IQ Networks (green) or both (yellow) are overlaid as a stacked plot in the forefront. At last count, 73% of Iraq networks are routed through these two providers. And if you count unique IP addresses, these two Kurdish providers transit 86% of all Iraqi IP address space.
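As an added illustration of the measurement described above (not Dyn's or Renesys's own method or data), the following Python classifies a constructed set of routed prefixes by whether their AS paths traverse one, both or neither of two transit ASNs, and computes the share of prefixes and of address space they carry, the two figures quoted above. The ASNs and routes are placeholders; overlapping and duplicate prefixes are collapsed before the address-space count so a more-specific is not counted twice.

```python
import ipaddress

# Placeholder ASNs for the two transit providers discussed above (not their real ASNs).
NEWROZ_ASN = 64501
IQ_NETWORKS_ASN = 64502

# Constructed routing-table sample: (prefix, AS path as seen from an external vantage point).
# The same prefix may appear more than once when it is seen over several paths.
SAMPLE_ROUTES = [
    ("192.0.2.0/24",     [64496, 64501, 64510]),  # transited by Newroz only
    ("198.51.100.0/24",  [64496, 64502, 64511]),  # transited by IQ Networks only
    ("203.0.113.0/25",   [64496, 64501, 64512]),  # Newroz only
    ("203.0.113.128/25", [64496, 64502, 64512]),  # IQ Networks only
    ("100.64.0.0/22",    [64497, 64520, 64513]),  # neither (another exit, e.g. Jordan or satellite)
    ("100.64.4.0/24",    [64496, 64501, 64514]),  # seen via Newroz ...
    ("100.64.4.0/24",    [64498, 64502, 64514]),  # ... and also via IQ Networks: counts as "both"
]


def transit_shares(routes, asn_a, asn_b):
    """Bucket every routed prefix by which of the two transit ASNs appear in any of its AS paths."""
    asns_per_prefix = {}
    for prefix, as_path in routes:
        asns_per_prefix.setdefault(prefix, set()).update(as_path)
    buckets = {"a_only": [], "b_only": [], "both": [], "neither": []}
    for prefix, asns in asns_per_prefix.items():
        via_a, via_b = asn_a in asns, asn_b in asns
        if via_a and via_b:
            key = "both"
        elif via_a:
            key = "a_only"
        elif via_b:
            key = "b_only"
        else:
            key = "neither"
        buckets[key].append(prefix)
    return buckets


def prefix_share(buckets):
    """Fraction of routed prefixes carried by at least one of the two providers."""
    transited = sum(len(buckets[k]) for k in ("a_only", "b_only", "both"))
    total = sum(len(v) for v in buckets.values())
    return transited / total


def _address_count(prefixes):
    # collapse_addresses merges overlapping and adjacent prefixes, so a more-specific
    # announced inside an aggregate is not counted twice.
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))


def address_share(buckets):
    """Fraction of the routed IPv4 address space carried by at least one of the two providers."""
    transited = [p for k in ("a_only", "b_only", "both") for p in buckets[k]]
    everything = [p for v in buckets.values() for p in v]
    return _address_count(transited) / _address_count(everything)


if __name__ == "__main__":
    b = transit_shares(SAMPLE_ROUTES, NEWROZ_ASN, IQ_NETWORKS_ASN)
    for key, prefixes in b.items():
        print(f"{key:8s} {prefixes}")
    print(f"prefixes via either: {prefix_share(b):.0%}, address space via either: {address_share(b):.0%}")
```

The prefix share and the address-space share differ whenever the prefixes that avoid the two providers are larger or smaller than average, which is why the post quotes both numbers.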


The remaining networks are either routed through Jordan (e.g. Earthlink to Damamax), various satellite service providers, smaller direct connections to Turkey or submarine cable connectivity at the Al Faw cable landing (most notably ITC service to GTT). Below are recorded remarks by Prime Minister Nouri al-Maliki at the opening ceremony of ITC fiber service during which he said, “fiber optic cables have paved the way in revolutionizing the world of communications and this will now be witnessed in Iraq.”

The following graph is similar to the previous one, but limited to just 2014 to more clearly illustrate recent changes. You can see a discontinuity in June as militants destroyed an interconnection point in Mosul, impacting Internet traffic transited by Newroz from central Iraq. Most notably Earthlink lost its service from Newroz and Damamax in this incident.


Low Risk of Disconnection

In 2012, Jim Cowie classified Iraq as “low risk of disconnection” in his blog post Could it happen in your country?. The conclusion was that due to the diversity of external transit sources (submarine cable, satellite, and terrestrial via Turkey, Iran and Jordan), it would be difficult to completely disconnect Iraq from the global Internet. It may be cold comfort for those Iraqis who were (and still are) impacted by the recent blackouts, but this back-of-the-envelope analysis was proven correct by recent events.

In fact, it is the latest attempted shutdowns (including the failed attempt last fall during a pricing dispute) that prove, perhaps surprising to some, how resilient the Internet of Iraq is. And that resiliency is primarily due to Kurdish transit.

The post Kurdish ISPs enable growth of Iraqi Internet appeared first on Renesys.

by Doug Madory at July 22, 2014 11:45 AM

The Networking Nerd

I Can’t Drive 25G


The race to make things just a little bit faster in the networking world has heated up in recent weeks thanks to the formation of the 25Gig Ethernet Consortium.  Arista Networks, along with Mellanox, Google, Microsoft, and Broadcom, has decided that 40Gig Ethernet is too expensive for most data center applications.  Instead, they’re offering up an alternative in the 25Gig range.

This podcast with Greg Ferro (@EtherealMind) and Andrew Conry-Murray (@Interop_Andrew) does a great job of breaking down the technical details on the reasoning behind 25Gig Ethernet.  In short, the current 10Gig connection is made of four multiplexed 2.5Gig connections.  To get to 25Gig, all you need to do is overclock those connections a little.  That’s not unprecedented, as 40Gig Ethernet accomplishes this by overclocking them to 10Gig, albeit with different optics.  Aside from a technical merit badge, one has to ask themselves “Why?”

High Hopes

As always, money is the factor here.  The 25Gig Consortium is betting that you don’t like paying a lot of money for your 40Gig optics.  They want to offer an alternative that is faster than 10Gig but cheaper than the next standard step up.  By giving you a cheaper option for things like uplinks, you gain money to spend on things.  Probably on more switches, but that’s beside the point right now.

The other thing to keep in mind, as mentioned on the Coffee Break podcast, is that the cable runs for these 25Gig connectors will likely be much shorter.  Short term that won’t mean much.  There aren’t as many long-haul connections inside of a data center as one might think.  A short hop to the top-of-rack (ToR) switch, then another different hop to the end-of-row (EoR) or core switch.  That’s really about it.  One of the arguments against 40/100Gig is that it was designed for carriers for long-haul purposes.  25G can give you 60% of the speed of that link at a much lower cost.  You aren’t paying for functionality you likely won’t use.

Heavy Metal

Is this a good move?  That depends.  There aren’t any 25Gig cards for servers right now, so the obvious use for these connectors will be uplinks.  Uplinks that can only be used by switches that share 25Gig (and later 50Gig) connections.  As of today, that means you’re using Arista, Dell, or Brocade.  And that’s when the optics and switches actually start shipping.  I assume that existing switching lines will be able to retrofit with firmware upgrades to support the links, but that’s anyone’s guess right now.

If Mellanox and Broadcom do eventually start shipping cards to upgrade existing server hardware to 25Gig then you’ll have to ask yourself if you want to pursue the upgrade costs to drive that little extra bit of speed out of the servers.  Are you pushing the 10Gig links in your servers today?  Are they the limiting factor in your data center?  And will upgrading your servers to support twice the bandwidth per network connection help alleviate your bottlenecks? Or will they just move to the uplinks on the switches?  It’s a quandary that you have to investigate.  And that takes time and effort.


Tom’s Take

The very first thing I ever tweeted (4 years ago):

We’ve come a long way from ratified standards to deployment of 40Gig and 100Gig.  Uplinks in crowded data centers are going to 40Gig.  I’ve seen a 100Gig optic in the wild running a research network.  It’s interesting to see that there is now a push to get to a marginally faster connection method with 25Gig.  It reminds me of all the competing 100Mbit standards back in the day.  Every standard was close but not quite the same.  I feel that 25Gig will get some adoption in the market.  So now we’ll have to choose from 10Gig, 40Gig, or something in between to connect servers and uplinks.  It will either get sent to the standards body for ratification or die on the vine with no adoption at all.  Time will tell.


by Tom Hollingsworth at July 22, 2014 01:13 AM

July 21, 2014

Packet Pushers Blog/Podcast

Show 197 – Cisco Nexus Updates with Ron Fuller – Sponsored

Repeat guest and friend of the Packet Pushers Ron Fuller chats with Greg Ferro and Ethan Banks about the latest updates to both the hardware and software in the ever-growing and capable Cisco Nexus product line. We get a thorough update in this show, hitting lots and lots of highlights.

Discussion

  • What's new with the Nexus 7K product line? New hardware in the form of the 7706, 7710, 7718 chassis. New F3 line cards.
  • Additions to the Nexus 6K line with the 6004X chassis, featuring all removable LEMs.
  • NX-OS continues to mature. The 6.2 code train now has "long lived" releases for customers who wish to standardize on specific builds.
  • The Nexus Validation Testing program continues to grow in scope.
  • New software services include Remote Integration of Services Engines (RISE) and Intelligent Traffic Director (ITD).
  • The Nexus 5K line gets new models in the 5672 and 56128 which feature line rate L3 forwarding.
  • What is Dynamic Fabric Automation, and how has customer adoption been?

Links

  • Cisco Nexus 7700 Data Sheet
  • Cisco Nexus I/O Modules Data Sheets (including the F3 modules)
  • Cisco Remote Integrated Service Engine
  • Cisco/Citrix RISE-related White Paper
  • Cisco Nexus 7000 NX-OS 6.2 Release Notes

by Packet Pushers Podcast at July 21, 2014 06:31 PM

My Etherealmind

Response: Improving Flow Based Hashing on ECMP with Cuckoo hashing

There are many algorithms that can be used for flow-based hashing to provide the best load balancing method over multiple IP or Ethernet connections, but I recently learned that Cuckoo Hashing is the preferred method.


The post Response: Improving Flow Based Hashing on ECMP with Cuckoo hashing appeared first on EtherealMind.

by Greg Ferro at July 21, 2014 03:39 PM

Internetwork Expert Blog

CCIE RSv5 ATC Continues Wednesday, July 23rd

The CCIE Routing & Switching Advanced Technologies Class v5 resumes Wednesday, July 23rd at 8:00 AM PDT (15:00 UTC) at live.ine.com, where we will be discussing MPLS Layer 3 VPN. In the meantime, you will find the streaming and download playlists have been updated and now include over 63 hours of content.

We have some other great news as well. The CCIE R&S v5 Rack Control panel has been released with the built-in telnet, loading and saving configs and one click device configurations and reset requests. Also, new content will be posted this week to the workbook, including all new troubleshooting labs.

by Brian McGahan, CCIE #8593, CCDE #2013::13 at July 21, 2014 03:01 PM

Cisco IOS Hints and Tricks

Layer-3 Switching over VXLAN Revisited

My Trident 2 Chipset and Nexus 9500 blog post must have hit a raw nerve or two – Bruce Davie dedicated a whole paragraph in his Physical Networks in Virtualized Networking World blog post to tell everyone how the whole thing is a non-issue and how everything’s good in the NSX land.

It’s always fun digging into more details to figure out what’s really going on behind the scenes; let’s do it.

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at July 21, 2014 08:12 AM



July 18, 2014

My Etherealmind

My Private Cloud Block Architecture Diagram

Here is a block diagram showing the functional areas in private & public cloud that I use when working with clients. I'm often explaining the full picture of cloud building especially in relation to how the network can be orchestrated to fully accelerate the cloud process. I hope you find it useful.


The post My Private Cloud Block Architecture Diagram appeared first on EtherealMind.

by Greg Ferro at July 18, 2014 12:36 PM

Cisco IOS Hints and Tricks

Next Chapter in Data Center Design Case Studies

When I published the Data Center Design Case Studies book almost exactly a month ago, three chapters were still missing – but that was the only way to stop the procrastination and ensure I’ll write them (I’m trying to stick to published deadlines ;).

The first one of the missing chapters is already finished and available to subscribers and everyone who bought the book or the Designing Private Cloud Infrastructure webinar (you’ll also get a mailing on Sunday to remind you to download the fresh copy of the PDF).

The Amazon Kindle version will be updated in a few days.

by Ivan Pepelnjak (noreply@blogger.com) at July 18, 2014 08:55 AM


July 17, 2014

Honest Networker

What is ONIE (Open Network Install Environment)?

On 16-July-2014, I attended a webinar hosted by Curt Brune of Cumulus Networks on ONIE. This post is a distillation of some key points from that webinar. What is the Open Network Install Environment (ONIE)? Conceptually, ONIE (pronounced oh-nee) is a network OS installer used by several whitebox switching vendors to load a network […]

by Ethan Banks at July 17, 2014 04:33 PM

Packet Pushers Blog/Podcast

Coffee Break 12

The Coffee Break will be renamed to the "The Network Break" and will be getting its own channel on the Packet Pushers Network. But for this week, we talk about the latest news in networking and physical infrastructure.

by Packet Pushers Podcast at July 17, 2014 12:54 PM

Networking Now (Juniper Blog)

A Holistic Approach to DDoS Mitigation and DNS Availability

Today organizations need to be prepared for a number of different types of DDoS attacks on their networks. Today Juniper Networks announced several new enhancements that allow its DDoS Secure solution to help the network better defend itself by using routers as enforcement points.

by rajoon at July 17, 2014 12:00 PM

Cisco IOS Hints and Tricks

Network Automation @ Spotify on Software Gone Wild

What can you do if you have a small team of networking engineers responsible for four ever-growing data centers (with several hundred network devices in each of them)? There’s only one answer: you try to survive by automating as much as you can.

In the fourth episode of Software Gone Wild podcast David Barosso from Spotify explains how they use network automation to cope with the ever-growing installed base without increasing the size of the networking team.

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at July 17, 2014 08:56 AM

Internetwork Expert Blog

CCIE Bootcamp Price Reduction

INE is reducing the cost of our live, instructor-led bootcamps by $1,000 each. Our new pricing model will still include access to our workbooks and ATC video courses with the purchase, but will separate out the Lab Exam Voucher and access to our All Access Pass as optional add-ons to provide you with more flexible options for both your learning style and your budget. If you would like the existing complete, bundled solution, you have until Aug 1 to make a bootcamp purchase.

See this advert for more details.

Look forward to seeing you in a bootcamp soon!

by Mark Snow, CCIE #14073 at July 17, 2014 01:21 AM

July 16, 2014

Packet Pushers Blog/Podcast

Priority Queue – SDN and The Reseller Channel

What is the future of SDN vendors? Will all the startups eventually close down to just a few choices, or can there be a vibrant ecosystem which allows many vendors to survive? The discussion took a left turn and became a strong discussion of whether resellers will survive the arrival of SDN.

by Packet Pushers Podcast at July 16, 2014 04:00 PM

Networking Now (Juniper Blog)

Infonetics Research Analyst Jeff Wilson Validates Juniper Networks Commitment to Security

Juniper Networks has the ingredients and lineage to remain one of the top three players in network security, according to a report by Jeff Wilson, principal analyst with Infonetics Research. See what he had to say after attending Juniper's annual Industry Analyst Event.

by dthomchick at July 16, 2014 03:11 PM

Peter's CCIE Musings and Rants

Good looking CDR reporting tool for CUCM

Hi Guys

I just saw this CDR reporting tool for CUCM and it actually looks really good

Also please find below a really good Erlang B calculator for working out trunk sizes

by peter_revill (noreply@blogger.com) at July 16, 2014 09:05 AM


July 15, 2014


Send Cisco commands via SNMP

In the article “How to save configurations using SNMP”, I explained how to get the Cisco configuration using SNMP. Now I explain how to send commands via SNMP using the “ciscoConfigCopyMIB” MIB; with this MIB, you can replace the running/startup configuration, send commands, save the “show” output or reload the device. OK, let’s start :) First of all, check whether your PC/server has the SNMP suite; if not, install the net-snmp software (http://net-snmp.sourceforge.net/). Then open a terminal on your PC and use these commands:

snmpset -c [snmp-community-string] -v 2c [ip-device][Random number] i 1
snmpset -c [snmp-community-string] -v 2c [ip-device][Random number] i […]

by Fabio Semperboni at July 15, 2014 09:57 PM

My Etherealmind

Mellanox and bad CLI choices

I’ve been working on Mellanox S-Series switches lately in a largish network with several hundred 10GbE server ports. On the whole, the product has performed beyond my cynically low expectations and the product has good capabilities overall but the command line interface (CLI) is a really poor user experience. How about this gem for configuring […]


The post Mellanox and bad CLI choices appeared first on EtherealMind.

by Greg Ferro at July 15, 2014 07:02 PM

Networking Now (Juniper Blog)

A Hale and Hearty Network


As I was reading this article describing examples of certain healthcare practitioners using data mining and analytics of patients’ lifestyles (e.g. foods they eat, activity levels, where they live, etc.) to help predict their risk factor for ailments, I started to draw a parallel to the state of the network. I was thinking about how security analytics of a network may help predict the onset of a data breach. The common goal in both cases, human and network, is to maintain a certain level of health – call it an “equilibrium” state, one that doesn’t require immediate intervention or repair.


Inspired by the table shared in the article describing what certain collected data about a patient could indicate about his/her health habits, I came up with a table of types of network state which could be indicators of a potential data exploit/breach.


State of Network / What it could indicate

  • Weak password for an online account
    This could allow a hacker to uncover the password (by using automated tools), gain access to user data (name, address, phone #, bank account/credit card data) and perform unauthorized transactions (e.g., purchase of a product/service or withdrawal of money from a bank account) on the user’s behalf.

  • Multiple unsuccessful attempts to search for usernames and passwords via Web browser exploitation techniques
    This could result in a data breach.

  • Improper isolation of HR records, financial, medical, credit/debit card, or other PII data within the Enterprise data center/private cloud network
    This could inadvertently allow an insider (e.g. employee) access to the network for obtaining and selling data on the black market for profit.

  • Excessive communication requests to a Web server or other resource, slowing it down considerably or rendering it unavailable
    This could indicate someone is trying to gain access to the server for malicious intent.

  • No application layer protection at the Enterprise edge
    This could allow a hacker to launch an application-layer attack and access data for further exploitation.
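Two of the rows above, repeated failed logins and excessive requests to a web server, are the kind of network state that log analysis can surface before they turn into a breach. Here is an added Python example (not part of the original post) that runs a sliding-window threshold over constructed web-server access-log lines to flag sources that produce many failed logins, or an unusually high request rate, within a short window. The thresholds, log lines and addresses are constructed assumptions; in a real SIEM you would tune them to the baseline of the service.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines (Common Log Format); every address is documentation space.
BASE_LINES = """\
198.51.100.7 - - [15/Jul/2014:10:00:01 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [15/Jul/2014:10:00:03 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [15/Jul/2014:10:00:05 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [15/Jul/2014:10:00:06 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [15/Jul/2014:10:00:08 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [15/Jul/2014:10:00:09 +0000] "POST /login HTTP/1.1" 200 2048
192.0.2.44 - - [15/Jul/2014:10:00:02 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.44 - - [15/Jul/2014:10:01:30 +0000] "POST /login HTTP/1.1" 200 2048
192.0.2.44 - - [15/Jul/2014:10:01:35 +0000] "GET /index.html HTTP/1.1" 200 1024
"""
# Constructed flood: 40 requests from a single source within 40 seconds.
FLOOD_LINES = "\n".join(
    f'203.0.113.9 - - [15/Jul/2014:10:02:{i:02d} +0000] "GET / HTTP/1.1" 200 1024'
    for i in range(40)
)
SAMPLE_ACCESS_LOG = BASE_LINES + FLOOD_LINES + "\n"

CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+$'
)


def parse_clf(text):
    """Parse Common Log Format lines into dicts; lines that do not match are ignored."""
    entries = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        entries.append({
            "src": m.group("src"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "method": m.group("method"),
            "path": m.group("path"),
            "status": int(m.group("status")),
        })
    return entries


def _max_in_window(timestamps, window_s):
    """Largest number of events from one source inside any sliding window of window_s seconds."""
    ts = sorted(timestamps)
    best, left = 0, 0
    for right in range(len(ts)):
        while (ts[right] - ts[left]).total_seconds() > window_s:
            left += 1
        best = max(best, right - left + 1)
    return best


def _sources_over(per_src, threshold, window_s):
    flagged = {}
    for src, stamps in per_src.items():
        n = _max_in_window(stamps, window_s)
        if n >= threshold:
            flagged[src] = n
    return flagged


def failed_login_bursts(entries, threshold=5, window_s=60):
    """Sources with >= threshold failed (401) POSTs to /login in one window: password guessing."""
    per_src = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"] == "/login" and e["status"] == 401:
            per_src[e["src"]].append(e["ts"])
    return _sources_over(per_src, threshold, window_s)


def request_floods(entries, threshold=30, window_s=60):
    """Sources with >= threshold requests of any kind in one window: resource exhaustion."""
    per_src = defaultdict(list)
    for e in entries:
        per_src[e["src"]].append(e["ts"])
    return _sources_over(per_src, threshold, window_s)


ENTRIES = parse_clf(SAMPLE_ACCESS_LOG)

if __name__ == "__main__":
    print("failed-login bursts:", failed_login_bursts(ENTRIES))
    print("request floods:", request_floods(ENTRIES))
```

The single 401 from 192.0.2.44 followed by a later success is ordinary user behaviour and stays below the threshold; the five failures from 198.51.100.7 in eight seconds, followed by a 200, is the pattern worth an alert because it may be a guessed password rather than a mistyped one.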


Enterprise and service providers would benefit greatly from self-monitoring and constantly improving the health of networks, to minimize the possibility of a data breach.


One of the ways to do this is via technology, including application-aware, next generation firewalls, and strong SIEM solutions and network security management solutions (for firewall management), which provide visibility, analyze network security posture, and alert administrators about unusual network activity.


In addition, humans themselves should be held accountable for security. For one, it is imperative that the IT security team is proactively monitoring the network security posture, carefully balancing access to certain network resources, applications and data with control over the same. In addition, trust plays a big role in maintaining security and privacy, so it is ultimately the responsibility of individuals (business owners and employees) to not exploit data for personal gain.

by skathuria at July 15, 2014 06:48 PM


Support Science – Donate to My 19-July-2014 Hike Up Mt. Washington!

On Saturday, 19-July-2014, I’ll be hiking up to the summit of Mt. Washington in New Hampshire. Mt. Washington is famous for its terrible weather, extraordinarily high winds on bad days, and arctic-like conditions in winter. Everest hopefuls train on Mt. Washington. Mt. Washington is also home to a number of weather-related scientific endeavors […]

by Ethan Banks at July 15, 2014 03:01 PM

Cisco IOS Hints and Tricks

There Is no Paradigm Shift – Good Applications Were Always Network-Aware

Someone left the following comment on one of my blog posts:

There is a paradigm shift that I don’t think most application developers understand. In a traditional enterprise model, the network is built around the application requirements, now we are saying the application has to build around the network.

I would say there’s no paradigm shift – developers of well-performing applications were always aware of laws of physics.

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at July 15, 2014 08:50 AM

The Data Center Overlords

OTV AEDs Are Like Highlanders

While prepping for CCIE Data Center and playing around with a lab environment, I ran into a problem I’d like to share. I was setting up a basic OTV setup with three VDCs running OTV, connecting to a core VDC running the multicast core (which is a lot easier than it sounds). I’m running it in […]

by tonybourke at July 15, 2014 03:10 AM

Packet Pushers Blog/Podcast

Using Big Tools for Small Problems

BGP in the data center? And MPLS? Are you insane? Well, maybe, yes. But then again, I’ve been known to do a lot of crazy things in my time. Isn’t MPLS a core and edge service provider technology, while VXLAN is an enterprise data center technology? But let’s begin with this idea that technologies are […]

Author information

Russ White

Russ White is a Network Architect who's scribbled a basket of books, penned a plethora of patents, written a raft of RFCs, taught a trencher of classes, and done a lot of other stuff you either already know about, or don't really care about. You want numbers and letters? Okay: CCIE 2635, CCDE 2007:001, CCAr, BSIT, MSIT (Network Design & Architecture, Capella University), MACM (Biblical Literature, Shepherds Theological Seminary). Russ is a Principal Engineer in the IPOS Team at Ericsson, where he works on lots of different stuff, serves on the Routing Area Directorate at the IETF, and is a cochair of the Internet Society Advisory Council. Russ will be speaking on Network Complexity at RIPE in May, and has recently published a new book, The Art of Network Architecture.

The post Using Big Tools for Small Problems appeared first on Packet Pushers Podcast and was written by Russ White.

by Russ White at July 15, 2014 02:10 AM

July 14, 2014


Planning A Physical Data Center Rack Cleanup

I’m part of a project that’s going to do some physical rack cleanup. As in, the cables are a mess, labeling isn’t consistent, power distribution isn’t quite what it should be, and it’s gotten to the point where doing maintenance on any of the hardware is tough. So, it’s time to tidy everything […]

by Ethan Banks at July 14, 2014 03:01 PM

PacketLife.net Blog

Replacing an MPLS WAN with an Internet VPN Overlay

I received an email last week from a reader seeking advice on a fairly common predicament:

Our CIO has recently told us that he wants to get rid of MPLS because it is too costly and is leaning towards big internet lines running IPSEC VPNs to connect the whole of Africa.

As you can imagine, this has caused a huge debate between the networks team and management, we run high priority services such as Lync Enterprise, SAP, video conferencing, etc., and networks feel we need MPLS for guaranteed quality for these services but management feels the Internet is today stable enough to run just as well as MPLS.

What is your take on the MPLS vs Internet debate from a network engineer's point of view? And more so, would running those services over Internet work?

This is something I struggled with pretty frequently in a prior job working for a managed services provider. MPLS WANs are great because they provide flexible, private connectivity with guaranteed throughput. Most MPLS providers also let you choose from a menu of QoS schemes and classify your traffic so that real-time voice and video are given higher preference during periods of congestion.

Unfortunately, MPLS WANs tend to be considerably more expensive than Internet circuits. A dedicated 3 Mbps MPLS circuit might cost three or four times as much as a 50 Mbps business-class broadband Internet circuit. Those numbers are hard to justify to management who may not appreciate the context of reliability and QoS controls. Since private connectivity can also be achieved with an IPsec VPN overlay on top of plain Internet circuits (with privacy then resting on the tunnel encryption rather than on carrier separation), can we still justify the cost of MPLS WANs? Should we?

My advice would be to stick with the MPLS WAN if you can afford it. A VPN overlaid on top of Internet circuits might work most of the time, but when it doesn't perform adequately, you'll have little immediate recourse. Should you decide on moving to a VPN overlay, do so in phases: Keep the MPLS WAN around for a few months in case the overlay strategy doesn't work out. But if you find that your Internet circuits provide sufficient throughput so that congestion of real-time services never becomes a problem, maybe that's an acceptable solution.
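The "sufficient throughput so that congestion of real-time services never becomes a problem" test above is something you can measure before cutting over. The following is an added example, not code from the original post: given a series of probe round-trip times over the candidate Internet path (from ping, an IP SLA probe or any other tool, with None for a lost probe), it computes loss, RFC 3550-style smoothed jitter and estimated one-way delay, and compares them against planning thresholds. The thresholds (150 ms one-way delay, 30 ms jitter, 1 % loss) and the symmetric-path assumption are assumptions to adjust to your own SLA; the two probe series are constructed, not real measurements.

```python
from statistics import mean

# Planning thresholds for interactive voice/video; assumption, adjust to your SLA.
MAX_ONE_WAY_MS = 150.0   # one-way delay
MAX_JITTER_MS = 30.0
MAX_LOSS_PCT = 1.0

def assess_path(rtt_ms, max_one_way_ms=MAX_ONE_WAY_MS, max_jitter_ms=MAX_JITTER_MS,
                max_loss_pct=MAX_LOSS_PCT):
    """Summarise a probe series (round-trip ms per probe, None = lost probe) and say
    whether the path currently meets the real-time thresholds.

    Jitter is the RFC 3550 smoothed estimator applied to consecutive RTT samples,
    J = J + (|D| - J) / 16; one-way delay is RTT / 2 (assumes a symmetric path).
    """
    sent = len(rtt_ms)
    received = [r for r in rtt_ms if r is not None]
    if not received:
        return {"usable": False, "failures": ["no_response"], "loss_pct": 100.0}
    loss_pct = 100.0 * (sent - len(received)) / sent
    jitter = 0.0
    for prev, cur in zip(received, received[1:]):
        jitter += (abs(cur - prev) - jitter) / 16.0
    one_way_ms = mean(received) / 2.0
    failures = []
    if one_way_ms > max_one_way_ms:
        failures.append("delay")
    if jitter > max_jitter_ms:
        failures.append("jitter")
    if loss_pct > max_loss_pct:
        failures.append("loss")
    return {
        "usable": not failures,
        "failures": failures,
        "one_way_ms": round(one_way_ms, 1),
        "jitter_ms": round(jitter, 1),
        "loss_pct": round(loss_pct, 2),
        "max_rtt_ms": max(received),
        "probes": sent,
    }

# Constructed probe series (not measurements from any real circuit).
MPLS_SAMPLE = [40.0 + (i % 3) for i in range(30)]   # steady 40-42 ms, nothing lost
# one probe in ten lost, and RTT bouncing between 60 and 160 ms
VPN_SAMPLE = [None if i % 10 == 0 else (60.0 if i % 2 else 160.0) for i in range(50)]

if __name__ == "__main__":
    print("mpls    ", assess_path(MPLS_SAMPLE))
    print("internet", assess_path(VPN_SAMPLE))
```

The steady series passes; the bursty series has acceptable average delay but fails on jitter and loss, which is exactly the case where an overlay "works most of the time" and still wrecks voice calls. Run the probes for days, across business hours, not for a minute at night, before drawing a conclusion.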


by Jeremy Stretch at July 14, 2014 01:03 PM

Renesys Blog

Brazil’s Winning Internet


Another World Cup is in the books, and it’s fair to say that most people will remember 2014 for the inglorious and improbable performance of the host nation, losing 7-1 and 3-0 in its semifinal and consolation matches. Brazil’s sad exit capped off a year of soul-searching about the nation’s massive investment in hosting the World Cup (and the Olympics yet to come).

But Brazil shouldn’t lose sight of one important silver lining to their World Cup cloud: the startlingly vibrant development of the Brazilian Internet, and the critical role Brazil now plays in the Internet connectivity and ICT development of South America.

Preparations for the World Cup and the Olympics may have helped light a fire under Brazil’s Internet infrastructure providers. Here’s a plot of the growth of the set of autonomous systems (that is, enterprises and service providers who originate IPv4 address space under their own registered Autonomous System Number) in Brazil over time. For comparison, we’ve also included the same statistic for South Africa. By this measure, the two World Cup host countries couldn’t be more different!

Brazil and South Africa invite comparison because of their many parallels: two emerging economies, each the dominant contributor to the GDP of an entire southern hemisphere continent, each having struggled to attract foreign investment and enough north-south Internet submarine cable infrastructure to build a 21st century economy.

Since the start of 2011, Brazil’s count of connected autonomous systems has increased by 213%, from 733 to 2,299. South Africa, in the same timeframe, grew by only 72%, from a meager 107 to 185. Brazil is the more populous country, by a factor of four. But Brazil now boasts 11.6 participating ASNs per million people, while South Africa has only 3.6.


Brazil’s Internet: Growing Strong

What explains the different outcomes in these two World Cup host nations? The answer probably lies in the comparative diversity of the two nations’ Internet ecosystems. Since 2004, Brazil has taken significant steps to create a national system of PTTs (Pontos de Troca de Tráfego): a network of provider-neutral Internet exchange points located in every major metropolitan area.

These neutral points of interconnection make it easier and less expensive for Brazilian enterprises to connect to the Internet as “first class citizens”: using BGP to take service from multiple providers simultaneously, and reducing their dependence on any single one of them.

In a country like South Africa, a typical enterprise (like a bank, or a factory, or a school) might look at the market prospects, weigh the costs, and elect to simply buy service from Telkom ZA and call it a day. In Brazil, that same enterprise is more likely to consult the experts at NIC.BR, register for an AS number and some IP space, sign contracts with a couple of service providers to route that space, and thereby maintain their provider independence.


Growing At the International Frontier

Local interconnection prospects seem to help improve the diversity and thus the growth prospects of the local Internet ecosystem. By paying the relatively low costs for local interconnection to a PTT in their nearest city, even small local Brazilian providers are able to directly connect to international service providers for Internet transit, rather than relying on a single large Brazilian incumbent to mediate their relationships with the outside world. That disintermediation step keeps prices lower, and the market more competitive, than if a large incumbent took a cut of every Internet transit transaction.

To see the richness of Brazil’s international interconnection, here’s another plot of Brazilian and South African autonomous system populations — but this time, we’re only counting ASNs that have their own direct Internet transit connectivity to an international provider. That is, these are Brazilian companies who buy Internet transit from non-Brazilian companies, and South African companies who buy transit from non-South African companies.

Once again, Brazil outcompetes South Africa by a substantial margin (305 to 48 at last count). This is the same metric that Renesys uses to compute our Internet Risk of Disconnection metric, with any number greater than 40 representing strong resistance to Internet shutdown. Years after their World Cup hosting experience, South Africa has struggled to reach this milestone, while Brazil adds a whole South Africa’s worth of directly connected providers each year.
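As an added example (not Renesys code, and run on a constructed toy dataset rather than Renesys's routing data), the two metrics plotted above can be computed from an AS-to-country map plus a list of provider-to-customer transit relationships: the count of ASNs per country, and the subset of a country's ASNs that buy transit directly from a provider registered in another country. The only risk rule implemented is the one the post states (more than 40 such providers means strong resistance to shutdown); the AS names, countries and edges below are made up.

```python
from collections import defaultdict

def asn_counts(as_country):
    """Number of registered ASNs per country (the metric of the first plot)."""
    counts = defaultdict(int)
    for cc in as_country.values():
        counts[cc] += 1
    return dict(counts)

def international_transit_asns(as_country, transit):
    """Per country, the sorted list of ASNs that buy transit directly from a provider
    registered in a different country (the metric of the second plot).
    An ASN multihomed to a domestic and a foreign provider counts once. `transit`
    holds provider-to-customer edges only, so settlement-free peering does not count."""
    out = defaultdict(set)
    for provider, customer in transit:
        pc, cc = as_country.get(provider), as_country.get(customer)
        if pc is None or cc is None:
            continue  # unknown registration: cannot classify, so skip the edge
        if pc != cc:
            out[cc].add(customer)
    return {cc: sorted(asns) for cc, asns in out.items()}

def resists_shutdown(n_international, threshold=40):
    """The rule as stated in the post: more than 40 ASNs with their own international
    transit indicates strong resistance to an Internet shutdown."""
    return n_international > threshold

# --- Constructed toy dataset (assumed names, not real ASNs) ---------------------------------
AS_COUNTRY = {"US-1": "US", "US-2": "US"}
for i in range(1, 61):
    AS_COUNTRY[f"BR-{i}"] = "BR"
for i in range(1, 13):
    AS_COUNTRY[f"ZA-{i}"] = "ZA"

TRANSIT = [("US-1", "BR-1")]                          # BR-1 plays the domestic incumbent
for i in range(2, 44):                                 # 42 Brazilian ASNs with their own
    TRANSIT.append(("US-1" if i % 2 else "US-2", f"BR-{i}"))   # international transit
for i in range(44, 54):                                # 10 that reach the world only via BR-1
    TRANSIT.append(("BR-1", f"BR-{i}"))
TRANSIT.append(("US-2", "BR-44"))                      # BR-44 is multihomed; counts once
# BR-54..BR-60: registered, but no transit edge observed
TRANSIT.append(("US-1", "ZA-1"))                       # ZA-1 plays the South African incumbent
TRANSIT += [("US-2", "ZA-2"), ("US-2", "ZA-3")]
for i in range(4, 13):                                 # everyone else sits behind ZA-1
    TRANSIT.append(("ZA-1", f"ZA-{i}"))

if __name__ == "__main__":
    intl = international_transit_asns(AS_COUNTRY, TRANSIT)
    for cc, total in sorted(asn_counts(AS_COUNTRY).items()):
        n = len(intl.get(cc, []))
        print(f"{cc}: {total} ASNs, {n} with direct international transit, "
              f"resists shutdown: {resists_shutdown(n)}")
```

In the toy data Brazil ends up with 44 directly connected ASNs and South Africa with 3, reproducing the shape of the comparison in the post. On real data the hard part is the input: provider/customer versus peer classification of BGP adjacencies, and an accurate AS-to-country registry, both of which this example takes as given.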


Economic Implications

It’s hard to distinguish cause and effect, but Internet growth certainly seems to go hand in hand with strong economic growth. In the years since the PTT system buildout began (2004), Brazil’s per capita GDP (in current dollars) has steadily pulled away from South Africa’s.

[Figure: GDP per capita (current dollars), South Africa vs Brazil]

Some part of that growth is attributable to the rise in non-extractive industries (especially services) that generate substantial exports, the kind of services that are enabled by a healthy, growing Internet infrastructure. Here’s a plot of the percentage of national service exports represented by ICT; that is, computer and telecommunications services, computer data, and news-related service transactions. In Brazil, ICT now represents the majority of all service exports; in South Africa, only about 10%, a figure virtually unchanged since the 2010 World Cup.

[Figure: ICT share of national service exports, South Africa vs Brazil]


Growing Pains

Yes, Brazil still has a long way to go in terms of developing a content hosting industry that can reliably keep Brazilian content in-country, instead of sending Brazilians to the US to fetch their content.

Yes, Brazil still has too much dependency on a few specific cable routes through Miami, and yes, the speed-of-light latencies to non-American destinations are probably always going to be in excess of 200ms; those are the geographic cards Brazil was dealt.

Yes, Brazil still has congestion problems at peak hours, at least in some towns and regions that are farther from the PTTs, as demonstrated by this plot of latencies during first round World Cup games.

[Figure: latencies within Brazil during first-round World Cup games]

But if you were a company seeking to make a technology investment, would you wager on South Africa or Brazil? Strong growth in the Internet ecosystem, and the availability of direct access to international providers, make the answer seem pretty clear.

The basic diversity of infrastructure is in place to make the Brazilian Internet a survivable, high-growth environment in which to grow its ICT industries over the coming decade. There’s no need for extra time or penalty shootouts here; comparing the last two World Cup host nations, Brazil’s Internet is a clear winner.

The post Brazil’s Winning Internet appeared first on Renesys.

by Jim Cowie at July 14, 2014 10:02 AM

Packet Pushers Blog/Podcast

Show 196 – EVPN Introduction & Use-Cases with Russ White + Jeff Tantsura

This week, Packet Pushers' hosts Ethan Banks and Greg Ferro queue up a discussion about a new technology, exploring EVPN with Russ White & Jeff Tantsura from Ericsson. What's EVPN? Well, it's short for Ethernet VPN, and it's a way of using BGP as a routing system for MAC addresses. If that sounds like SPB or TRILL, there are some comparisons that can be drawn, but overall, EVPN is rather different. Give the show a listen, as EVPN has a number of use-cases and broad industry support; it's an acronym you're likely to see again.

Our Discussion

What is EVPN?
How is EVPN different from L2VPN services like EoMPLS or VPLS?
How does EVPN work?
What are the technical advantages of EVPN?
What are the EVPN use-cases & benefits for the service provider? What about for the end customer?
How far along in the IETF process has EVPN gotten?
What vendors are showing support for EVPN? Are there any commercial products yet?
Does an end user have to do anything special to support EVPN on their network? Or is it invisible to them like most service provider handoffs?
How does EVPN relate to existing data center fabrics?

Links

RFC 7209 - Requirements for EVPN (IETF)
Draft-ietf-l2vpn-evpn-07 - BGP MPLS Based Ethernet VPN (IETF)
NANOG 61 Presentation - Ethernet VPN (EVPN): Overlay Networks for Ethernet Services (Greg Hankins)
Greg’s Whitebox Networking e-book

by Packet Pushers Podcast at July 14, 2014 04:00 AM