August 23, 2014

Cisco IOS Hints and Tricks Is on CloudFlare (and IPv6)

After a week of testing, I decided to move the main web site ( as well as some of the resource servicing hostnames to CloudFlare CDN. Everything should work fine, but if you experience any problems with my web site, please let me know ASAP.

Collateral benefit: is now fully accessible over IPv6 – register for the Enterprise IPv6 101 webinar if you think that doesn’t matter ;)

by Ivan Pepelnjak ( at August 23, 2014 12:18 PM

August 22, 2014


Replacing Traditional TV & DVR with Little Streaming Boxes

After nine years with Dish Network, I’ve replaced it with an AppleTV and Roku 3 ($99 each, last time I looked). Having done that, what’s life like without traditional TV & DVR? In a nutshell, it’s just fine. My kids watch a lot of YouTube, and did before I retired Dish. I was bored […]

by Ethan Banks at August 22, 2014 10:02 PM

Missing Synergies & HP’s SDN

As someone who’s been monitoring HP’s SDN strategy for years now, news that Bethany Mayer is headed to Ixia is rather interesting. Despite HP’s networking division having had some successes and gaining small bits of market share here and there, the fact they they are leaders in the SDN space seems to go unnoticed by the […]

by Ethan Banks at August 22, 2014 08:56 PM

What is an Automatic Transfer Switch (Power)?

In response to the power redundancy article I wrote yesterday, a few comments came in. One of them (thanks, Mike!) mentioned an automatic transfer switch (ATS), a useful tool in a redundant power strategy. What is an ATS? There are many types of electrical transfer switches whose primary purpose is to divert the […]

by Ethan Banks at August 22, 2014 07:11 PM

Cisco IOS Hints and Tricks

Cloud Orchestration System Is an Ideal Controller Use Case

A while ago I explained why OpenFlow might be a wrong tool for some jobs, and why centralized control plane might not make sense, and quickly got misquoted as saying “controllers don’t scale”. Nothing could be further from the truth, properly architected controller-based architectures can reach enormous scale – Amazon VPC is the best possible example.

Read more ...

by Ivan Pepelnjak ( at August 22, 2014 09:09 AM

August 21, 2014


Street Power vs. UPS Power In Redundant Power Supply Devices

A question came into the Packet Pushers mailbox along these lines. If a unit has two power inputs, should one go to UPS and one to street power, or is it better to have both power supplies fed by the same UPS? The issue with raw street power is that it isn’t conditioned. […]

by Ethan Banks at August 21, 2014 05:55 PM

Packet Pushers Blog/Podcast

Windows ISATAP Client, Part 2

In Part 1 we discussed how to turn off ISATAP on Windows host—which is a great idea.  Turning off unnecessary components of your network simplifies everything.  But ISATAP can be useful in certain scenarios.  For instance, if you want to test an application on IPv6 you clearly don’t want to turn on IPv6 everywhere and […]

Author information

Dan Massameno

Dan Massameno is the president and Chief Engineer at Leaf Point, a network engineering firm in Connecticut.

The post Windows ISATAP Client, Part 2 appeared first on Packet Pushers Podcast and was written by Dan Massameno.

by Dan Massameno at August 21, 2014 01:24 PM

My Etherealmind

Musing: First thoughts on how Cisco ACI Works

I've been reading the Cisco Application Centric Infrastructure Design Guide. Sometimes I see a product of genius and wondrous use of technology, other times I'm like 'did they do it the hard way or what' ?

The post Musing: First thoughts on how Cisco ACI Works appeared first on EtherealMind.

by Greg Ferro at August 21, 2014 12:19 PM

Cisco IOS Hints and Tricks

The Impact of Data Gravity: a Campfire Story

Here’s an interesting story illustrating the potential pitfalls of multi-DC deployments and the impact of data gravity on application performance.

Long long time ago on a cloudy planet far far away, a multinational organization decided to centralize their IT operations and move all workloads into a central private cloud.

Read more ...

by Ivan Pepelnjak ( at August 21, 2014 09:55 AM

August 20, 2014

Cisco IOS Hints and Tricks

Pmacct – the Traffic Analysis Tool with Unpronounceable Name

SDN evangelists talking about centralized traffic engineering, flow steering or bandwidth calendaring sometimes tend to gloss over the first rule of successful traffic engineering: Know Thy Traffic.

In a world ruled by OpenFlow you’d expect the OpenFlow controller to know all the traffic; in more traditional networks we use technologies like NetFlow, sFlow or IPFIX to report the traffic statistics – but regardless of the underlying mechanism, you need a tool that will collect the statistics, aggregate them in a way that makes them usable to the network operators, report them, and potentially act on the deviations.

Read more ...

by Ivan Pepelnjak ( at August 20, 2014 09:33 AM

August 19, 2014

Networking Now (Juniper Blog)

Security for the Cloud Data Center



Securing cloud data centers is an ongoing challenge. Your adversaries—cyber criminals, nation state attackers, hacktivists—continue to develop sophisticated, invasive techniques, resulting in a continually evolving threat landscape.


Because clouds are dynamic in nature, with new application and services being spun up or taken down and virtual workloads being moved, security for the cloud should be dynamic also. That poses the question, are traditional firewalls that are focused on layer 3 and 4 inspection sufficient in today’s threat environment? Also, next-gen firewalls are powerful, yet not designed to protect from the velocity and variety of new attacks being created every day. In today’s world, shouldn’t firewalls be able to take immediate action based on known or emerging intelligence?


With the shift to cloud architectures, traditional firewall administration has become burdensome and fraught with human error due to the sheer complexity of distributed security. What’s needed is an effective network security solution that fights cyber criminals head-on and can adapt to emerging threats without exerting excessive load on the enforcement point.

1. Do you know if your infrastructure is under attack at this very moment, and by whom?
2. Are you concerned about the performance impact to the cloud if you use advanced security services available from your firewall?
3. Are you expanding your network and able to ensure there are no security gaps that can make the network susceptible to exploitation?

What other fears or concerns about securing the cloud data center keep you up at night?


Stay tuned to my blog for ideas on how to address these challenges.

by skathuria at August 19, 2014 12:07 PM

Packet Pushers Blog/Podcast

A History of Load Balancing

A visual representation of the company and, to a lesser extent, product history of the load balancing/application delivery field. My usual F5 bias is present but it seems justified considering their long-held market leading position. I’ve been itching to post this for a while but simply couldn’t stop changing the formatting. I can’t say I’m […]

Author information

Steven Iveson

Steven Iveson, the last of four children of the seventies, was born in London and has never been too far from a shooting, bombing or riot. He's now grateful to live in a small town in East Yorkshire in the north east of England with his wife Sam and their four children.

He's worked in the IT industry for over 15 years in a variety of roles, predominantly in data centre environments. Working with switches and routers pretty much from the start he now also has a thirst for application delivery, SDN, virtualisation and related products and technologies. He's published a number of F5 Networks related books and is a regular contributor at DevCentral.

The post A History of Load Balancing appeared first on Packet Pushers Podcast and was written by Steven Iveson.

by Steven Iveson at August 19, 2014 11:09 AM

Cisco IOS Hints and Tricks

Revisited: Layer-2 DCI over VXLAN

I’m still getting questions about layer-2 data center interconnect; it seems this particular bad idea isn’t going away any time soon. In the face of that sad reality, let’s revisit what I wrote about layer-2 DCI over VXLAN.

VXLAN hasn’t changed much since the time I explained why it’s not the right technology for long-distance VLANs.

Read more ...

by Ivan Pepelnjak ( at August 19, 2014 09:58 AM

August 18, 2014

Peter's CCIE Musings and Rants

Cisco CUCM - Self Provisioning, Feature Groups, User Device Templates, User Profiles - What it all means and how to use it to get zero-touch deployment!

How to enable self-provisioning for CUCM 10.5

The problem

A customer once asked me to enable LDAP integration for their CUCM deployment.

"How long will it take?" they asked. "Maybe an hour max," I replied. The customer was surprised it was so easy, and I found it funny they thought it would take a while!

I enabled it for them, and the disconnect quickly became apparent: they thought enabling LDAP sync would mean their phone info was automatically pulled from LDAP! Back then this was not the case.

CUCM 10.0 finally gives us this ability, in combination with a feature that has been available since CUCM 9 that allows you to add phones/lines in a template-like configuration. The feature can still be useful for those of you not using LDAP integration.

Building Blocks

Let's look at the parts involved so we can work out what all these new options are and what they do for us. When you create these "building blocks" you would basically create one for each separate set of discrete users. In my example I live in New Jersey, so I have created a collection of these building blocks to represent the settings of the New Jersey site users.

Universal Line Template
The universal line template is where we configure the settings for the line such as partition, call forward settings etc. You can access this via User Management -> User/Phone Add -> Universal Line Template. The settings are shown below

As you can see you can edit the call forward settings, calling search spaces etc. You will also notice the #FirstName# and #LastName#, these are called tags and allow you to have these fields filled in by information pulled down about the user from LDAP or entered by you manually when you create the user in the quick phone/add page (if you don't use LDAP.) I personally feel not enough "tags" exist, for example there is no DirectoryNumber Tag which would be useful, I personally like to put the directory number into the description of each device and each line.

Once you have saved this, it's onto the next building block

Universal Device Template
Here is where you configure the device's own CSS, MRGL, device pool etc. These settings can be customized to what KIND of device you're adding (for example, you would have a separate universal device template for soft phones and for remote destination profiles).

These settings can be found under:
User Management -> User/Phone Add -> Universal Device Template

User Profile
The user profile can be found under User Management -> User Settings -> User Profile. This links together the device and line template as well as controlling if the user is allowed to self provision or not. As you will see in the screenshot below, you can specify a separate user template for each type of device.
Feature Group Template
Finally, a feature group template is used to set some restrictions for the user and to tie their user profile to the user.

Non-LDAP Users Quick Phone/User add

Let's assume for a minute that you're either not using LDAP, not interested in self-provisioning, OR you're stuck on CUCM 9. All the settings you just configured were not in vain; you can still get great use out of the templates you just created.

You can either create a new user with a new username and details:

Or click on either a non-LDAP integrated user or an LDAP integrated user (as per the screenshot below)
Once you have clicked on an existing user and/or created a new user, you can assign that user an extension

Once an extension is assigned you can then click "manage devices" and either move an existing phone over to them (cool! Great for changes) or add a new phone:

Part 2 of the blog will cover how to integrate this with LDAP 

Sources: I got some really good information from the following blog Entry

by peter_revill ( at August 18, 2014 07:40 PM

Cisco CUCM - Self Provisioning, Feature Groups, User Device Templates, User Profiles - What it all means and how to use it to get zero-touch deployment! - Part 2

CUCM Self Provisioning

Hi Guys

In part 1 of CUCM provisioning we talked about the new features available in CUCM 9 to make life easier for adding users, in continuation of this theme we are going to look at Self-provisioning, which allows the user to provision their own phone. LDAP is used to provide this information.

The feature is available in CUCM 10 and is quite nifty.

If you have not read part 1 of this blog, I strongly recommend you do so before continuing.


The basic premise of this feature is very similar to a technology many of you will already be familiar with: Cisco TAPS. Cisco TAPS allowed you to bulk insert phones and then, using a UCCX script have users phone a number in order to self-provision their phones. This is like TAPS but with a few important differences:

- You don't need UCCX
- You don't bulk insert the phones.


The first thing you will need to do (other than setting up the universal device template and user line template that I already outlined in blog post 1) is configure a CTI route point and assign it a number, this CTI route point doesn't have to be anything special but you should assign it a DN that is reachable by phones configured for auto-registration

Second thing, is to enable auto registration with a CSS that can reach the number you assigned to your CTI Route point

Next, you must create an application user, ensure it is enabled for "Standard CTI Enabled" access control group and also ensure that it controls this CTI device you just created

Once this is done, go to the self-provision section under User Management -> Self provisioning

Once this is done, you will be prompted to reset the service, which is obviously a good idea.

The final step is to configure our LDAP directory:

Go to your LDAP directory page after configuring your LDAP system and specify a directory containing the users. Note that you could use filters here to control which users from which area of your business are imported, so for example, if you had users in NJ who should receive a CSS that is allowed to call international, you would create a separate LDAP directory entry for these groups that uses a custom LDAP filter that looks for membership in a particular Windows group. Or you could place them into a separate OU; the point is that you will need to create multiple LDAP directories.
In the example below I have just pointed to the default AD CN for simplicity.

Next, you will assign the "Feature group" that controls what universal device template and what user line template are assigned to users contained in this LDAP directory.

It's important to select "Apply mask to Synched Telephone numbers to create a new line for the inserted users" also, and enter the mask as you want it to appear based on the imported telephone number field.

Once this is done. Sync the directory, what should happen is that every entry in your LDAP directory with a phone number assigned in LDAP will now create a DN in CUCM that has not yet been associated with a phone:

When a user first plugs in a phone and then dials the CTI Route point number (in our case, 9999), they will be prompted to enter the extension of the phone they wish to provision. Once this is done, the phone will be created based on the settings in the line and device template!!

See below an example:

There you have it!!! Now all you have to do to create a user is simply create it in LDAP, grab a phone, dial 9999 and enter your extension (you could even have the users do this), and the phone will be provisioned!

Finally LDAP integration worth configuring!!

I hope this helps someone out there

by peter_revill ( at August 18, 2014 07:39 PM

My Etherealmind

Blame the System For Resisting Change – Not The People

I often hear vendors and pundits proclaim that Enterprise is resisting change. In particular, they say that individuals in Enterprises can't see the change or won't discuss buying new technology. I see these objections as failure of the current system and much less due to the people.

The post Blame the System For Resisting Change – Not The People appeared first on EtherealMind.

by Greg Ferro at August 18, 2014 05:11 PM

The Networking Nerd

Do We Need To Redefine Open?


There’s a new term floating around that seems to be confusing people left and right.  It’s something that’s been used to describe a methodology as well as used in marketing left and right.  People are using it and don’t even really know what it means.  And this is the first time that’s happened.  Let’s look at the word “open” and why it has become so confusing.

Talking Beer

For those at home that are familiar with Linux, “open” wasn’t the first term to come to mind.  “Free” is another word that has been used in the past with a multitude of loaded meanings.  The original idea around “free” in relation to the Open Source movement is that the software is freely available.  There are no restrictions on use and the source is always available.  The source code for the Linux kernel can be searched and viewed at any time.

Free describes the fact that the Linux kernel is available for no cost.  That’s great for people that want to try it out.  It’s not so great for companies that want to try and build a business around it, yet Red Hat has managed to do just that.  How can they sell something that doesn’t cost anything?  It’s because they keep the notion of free sharing of code alive while charging people for support and special packages that interface with popular non-free software.

The dichotomy between unencumbered software and no-cost software is so confusing that the movement created a phrase to describe it:

Free as in freedom, not free as in beer.

When you talk about freedom, you are unrestricted.  You can use the software as the basis for anything.  You can rewrite it to your heart’s content.  That’s your right for free software. When you talk about free beer, you set the expectation that whatever you create will be available at no charge.  Many popular Linux distributions are available at no cost.  That’s like getting beer for nothing.

Open, But Not Open Open

The word “open” is starting to take on aspects of the “free” argument.  Originally, the meaning of open came from the Open Source community.  Open Source means that you can see everything about the project.  You can modify anything.  You can submit code and improve something.  Look at the OpenDaylight project as an example.  You can sign up, download the source for a given module, and start creating working code.  That’s what Brent Salisbury (@NetworkStatic) and Matt Oswalt (@Mierdin) are doing to great effect.  They are creating the network of the future and allowing the community to do the same.

But “open” is being redefined by vendors.  Open for some means “you can work with our software via an API, but you can’t see how everything works”.  This is much like the binary-only NVIDIA driver.  Proprietary programming is pre-compiled and available to download for free, but you can’t modify the source at all.  While it works with open source software, it’s not open.

A conversation I had during Wireless Field Day 7 drove home the idea of this new “open” in relation to software defined networking.  Vendors tout open systems to their customers. They standardize on northbound interfaces that talk to orchestration platforms and have API support for other systems to call them.  But the southbound interface is proprietary.  That means that only their controller can talk to the network hardware attached to it.  Many of these systems have “open” in the name somewhere, as if to project the idea that they work with any component makeup.

This new “open” definition of having proprietary components with an API interface feels very disingenuous.  It also makes for some very awkward conversations:

$VendorA: Our system is open!

ME: Since this is an open system, I can connect my $VendorB switch and get full functionality from your controller, right?

$VendorA: What exactly do you mean by “full”?

Tom’s Take

Using “open” to market these systems is wrong.  Telling customers that you are “open” because your other equipment can program things through a narrow API is wrong.  But we don’t have a word to describe this new idea of “open”.  It’s not exactly closed.  Perhaps we can call it something else.  Maybe “ajar”.  That might make the marketing people a bit upset.  “Try our new AjarNetworking controller.  As open as we wanted to make it without closing everything.”

“Open” will probably be dominated by marketing in the next couple of years.  Vendors will try to tell you how well they interoperate with everyone.  And I will always remember how open protocols like SIP are and how everyone uses that openness against it.  If we can’t keep the definition of “open” clean, we need to find a new term.

by networkingnerd at August 18, 2014 01:40 PM

Cisco IOS Hints and Tricks

Do you really need to see all 512K Internet routes?

Last week the global routing table (as seen from some perspectives) supposedly exceeded 512K routes, and weird things started to happen to some people that are using old platforms that by default support 512K IPv4 routes in the switching hardware.

I’m still wondering whether the BGP table size was the root cause of the observed outages. Cisco’s documentation (at least this document) is pretty sloppy when it comes to the fact that usually 1K = 1024, not 1000 – I’d expect the hard limit to be @ 524.288 routes … but then maybe Cisco’s hardware works with decimal arithmetic.

Read more ...

by Ivan Pepelnjak ( at August 18, 2014 07:57 AM

Packet Pushers Blog/Podcast

Common Design Tools and Attributes for Everyone Part-1

There are design tools which we should consider for every design. LAN, WAN and the data center are where these common design tools and attributes should be considered. Many of the principles in this article series might fit not only the network part of the design but also compute, virtualization and storage technologies […]

Author information

Orhan Ergun

Orhan Ergun, CCIE, CCDE, is a network architect mostly focused on service providers, data centers, virtualization and security.

He has more than 10 years in IT, and has worked on many network design and deployment projects.

In addition, Orhan is a:

Blogger at Network Computing.
Blogger and podcaster at Packet Pushers.
Manager of Google CCDE Group.
On Twitter @OrhanErgunCCDE

The post Common Design Tools and Attributes for Everyone Part-1 appeared first on Packet Pushers Podcast and was written by Orhan Ergun.

by Orhan Ergun at August 18, 2014 05:40 AM

Show 201 – Internet Dies at 512K, Long Live the Internet

The Internet has Died at 512K routes. Ethan & Greg discuss some news and events of the last few weeks and nod nerdishly while noodling about nothing. Yeah, it's a nerd chat show this week.

by Packet Pushers Podcast at August 18, 2014 02:00 AM

August 17, 2014

Cisco IOS Hints and Tricks

Network Automation @ Spotify on Software Gone Wild

What can you do if you have a small team of networking engineers responsible for four ever-growing data centers (with several hundred network devices in each of them)? There’s only one answer: you try to survive by automating as much as you can.

In the fourth episode of Software Gone Wild podcast David Barosso from Spotify explains how they use network automation to cope with the ever-growing installed base without increasing the size of the networking team.

Read more ...

by Ivan Pepelnjak ( at August 17, 2014 06:32 PM

August 15, 2014

Cisco IOS Hints and Tricks

Just Published: Brocade VCS Fabric Videos

The Data Center Fabric Architectures update session in late June included a whole new section on Brocade’s VCS fabric and new features they added in Network OS 4.0. The edited videos have been published and cover these topics:

Read more ...

by Ivan Pepelnjak ( at August 15, 2014 08:20 AM

Potaroo blog

Where is Metadata Anyway?

There is an emerging picture that while networks, and network operators, make convenient targets for various forms of national security surveillance efforts, the reality of today’s IP networks is far more complex, and Internet networks are increasingly ignorant about what their customers do. The result is that it's now quite common for Internet networks not to have the information that these security agencies are after. Not only can moderately well-informed users hide their activities from their local network, but increasingly this has been taken out of the hands of users, as the applications we have on our smartphones, tablets and other devices are increasingly making use of the network in ways that are completely opaque to the network provider.

August 15, 2014 07:00 AM

August 14, 2014

Packet Pushers Blog/Podcast

Jr. Network Admin Willing to Work In Columbus, Ohio? Let’s Talk!

Carenection is where I currently work as the Senior Network Architect. We are looking for a Junior Network Administrator. If you’re an experienced network engineer with many years under your belt, this is not your opportunity. But if you’re just getting into the networking field and are looking for a position where you can learn […]

Author information

Ethan Banks

Ethan Banks, CCIE #20655, has been managing networks for higher ed, government, financials and high tech since 1995. Ethan co-hosts the Packet Pushers Podcast, which has seen over 2M downloads and reaches over 10K listeners. With whatever time is left, Ethan writes for fun & profit, studies for certifications, and enjoys science fiction. @ecbanks

The post Jr. Network Admin Willing to Work In Columbus, Ohio? Let’s Talk! appeared first on Packet Pushers Podcast and was written by Ethan Banks.

by Ethan Banks at August 14, 2014 07:17 PM

Cisco IOS Hints and Tricks

What Is a Valid BGP Route?

Carlos Mendioroz sent me a seemingly simple question: when is a BGP route invalid? My knee-jerk reaction: when the next hop is not reachable (and I’m not the only one). WRONG – BGP routes with unreachable next hop are still valid, as shown in the following printout:

Read more ...

by Ivan Pepelnjak ( at August 14, 2014 06:50 PM

My Etherealmind

Free Custom Handwriting Font for Network Designs

I've made my own handwritten font for those moments when you are "sketching" network diagrams and it is free for you to use.

The post Free Custom Handwriting Font for Network Designs appeared first on EtherealMind.

by Greg Ferro at August 14, 2014 05:00 PM

Cisco IOS Hints and Tricks

MPLS Load Sharing – Data Plane Considerations

In a previous blog post I explained how load sharing across LDP-controlled MPLS core works. Now let’s focus on another detail: how are the packets assigned to individual paths across the core?

2014-08-14: Additional information was added to the blog post based on comments from Nischal Sheth, Frederic Cuiller and Tiziano Tofoni. Thank you!

Read more ...

by Ivan Pepelnjak ( at August 14, 2014 11:46 AM

My Etherealmind

Cisco Cuts Another 6000 Jobs Q4 2014 – Should I Be Concerned ?

Cisco announced another 6000 job cuts in the Q4 2014 Results announcement yesterday in addition to the 5000 job cuts announced last quarter. Cisco has (or had) approx. 75000 employes so that’s a lot of jobs (more than 20%) in a short period of time and this leaves me pondering the impact to the products […]

The post Cisco Cuts Another 6000 Jobs Q4 2014 – Should I Be Concerned ? appeared first on EtherealMind.

by Greg Ferro at August 14, 2014 07:56 AM

August 13, 2014 Blog

Preliminary Book Topics

As I announced earlier this summer, I'm working on writing a book targeted to people entering the field of computer networking. I've got a fair amount of content fleshed out already, but figured it might help to get some feedback on the tentative structure. The book is being written in a question-and-answer style, organized into chapters by subject.

Below is the preliminary table of contents. It's still very much a work in progress, but I'm curious what people think of this approach. Constructive criticism and suggestions for additional content are welcome!

Continue reading · 28 comments

by Jeremy Stretch at August 13, 2014 11:46 PM

My Etherealmind

Internets of Interest – 13 August 2014

Collection of useful, relevant or just fun places on the Internets for 13 August 2014 and a bit commentary about what I've found interesting about them:

The post Internets of Interest – 13 August 2014 appeared first on EtherealMind.

by Greg Ferro at August 13, 2014 09:04 PM

Peter's CCIE Musings and Rants

Cisco Unity Connection Call back feature

Hi Guys!

This was a feature a customer of mine wanted quite a bit, but I could not find it anywhere!

The main reason is that it's not always called "call back". In fact, the "feature" called call back on Unity Connection is some crazy feature where, if you hang up before a message is finished and ring back within a certain timeframe, it automatically resumes the call from where you left off. I think that's a solution looking for a problem.

Anyway, let's talk about traditional callback. What I specifically mean here is: a user gets a voicemail left for them, and they want to call back the caller who left the message by pressing a button on the phone.

The button they need to press is:


This is NOT an option presented to you unless you select "more options" for the message, it's not a default option so it was a PITA to find out this option exists

Here is the user guide showing all the options users can press during a call

OK, a few things you might want to check if this does not work, first of all the user must have the ability to "reply" enabled in their Class of Service:

If you still get a voicemail greeting instead of transferring to someone who left you a message, if they are an internal user, check that users transfer rules:

If it's an external person, think about how the number is being presented to Cisco Unity: are you dropping the leading 0 or leading 9 for an outside line before sending it to Unity? If so, you will need to prefix it when Unity sends the callback out to CUCM, using any method of your choosing.

It can also be the restriction table within unity itself, the table used is the Default Transfer restriction table, be sure to look at that and make sure the number is allowed to be dialled:

by peter_revill ( at August 13, 2014 05:22 PM

Security to the Core | Arbor Networks Security

Five Sinkholes of newGOZ

By Dennis Schwarz and Dave Loftus

It has been a few weeks since news broke of the Zeus Gameover variant known as newGOZ. As has been reported, the major change in this version is the removal of the P2P command and control (C2) component in favor of a new domain generation algorithm (DGA).

The DGA uses the current date and a randomly selected starting seed to create a domain name. If the domain doesn’t pan out, the seed is incremented and the process is repeated. We’re aware of two configurations of this DGA which differ in two ways: the number of maximum domains to try (1000 and 10,000) and a hardcoded value used (0x35190501 and 0x52e645).

Date based domain generation algorithms make for excellent sinkholing targets due to their predictability, and provides security researchers the ability to estimate the size of botnets that use them. With this in mind, we have gathered five days worth of newGOZ sinkhole data. Our domains are based on the first configuration, since this configuration seems to be used the most in the wild.

As with all sinkhole data, many variables can affect the accuracy of victims such as network topology (NAT and DHCP), timing, and other security researchers. However, we feel that the data provides a good estimation of the current scope of this new threat.

Monday, July 14


Four days after the discovery of newGOZ, our first sinkhole saw 127 victims. To corroborate our initial data set, SecureWorks reported seeing 177 victims connect to their sinkhole a few days earlier on July 11.

Friday, July 18


An 89% increase to 241 victims.

Monday, July 21


Over the weekend we saw a 78% increase to 429 victims, mostly in the eastern half of the United States.

Friday, July 25


As reported by Malcovery Security on July 22, they saw a large spam campaign distributing newGOZ by the Cutwail botnet. This campaign appears to have been very successful. On July 25, we saw an 1879% increase to 8494 victims—the rest of the United States is covered.

Monday, July 29


Over the weekend and 19 days after its discovery, our fifth and final sinkhole for this post saw a 27% decrease to 6173 victims. This is most likely due to victims cleaning themselves up from that last spam campaign. Latin America, South Africa, South East Asia, and New Zealand start filling in.


In aggregate and over three weeks, our five sinkholes saw 12,353 unique source IPs from all corners of the globe:


The most infected country was the United States followed by India. The top 10 were:


In addition, a number of organization types were affected, the top being:



Pondering on the five days worth of newGOZ sinkhole data above, some thoughts come to mind:

First, will the threat actor continue to use the same DGA configuration that they’ve been using so far? Empirically, there seems to be more security research sinkholes populating the DGA namespace than actual C2 servers. There is also the second DGA configuration that hasn’t received much use yet. Additionally, as we’ve seen, the actor is willing to completely replace the C2 mechanism altogether.

Second, will the botnet continue to grow and at what rate? The sinkhole data for July 25 suggests that the second Cutwail spam campaign was relatively successful. Will future waves continue this trend?

Finally, with the infection numbers at a fraction of what they were in the P2P version of Zeus Gameover, how long will the threat actor focus on rebuilding their botnet before they return to focusing on stealing money?

by Dennis Schwarz at August 13, 2014 01:43 PM

Packet Pushers Blog/Podcast

Introducing the Multicast “Dating Service” (aka the “RP”), Part 1

In February of 2001 I attended a 5 day multicast class within Cisco taught by none other than Beau Williamson! In both his book and during the class, he kept referring to the multicast rendezvous point (RP) as: “a meeting place for multicast receivers and senders (almost like a multicast dating service for multicast routers)” -Developing IP Multicast Networks, […]

Author information


Denise "Fish" Fishburne
CPOC Engineer at Cisco Systems

Denise "Fish" Fishburne, (CCIE #2639, CCDE #2009:0014, Cisco Champion) is a team lead with Cisco's Customer Proof of Concept Lab in Research Triangle Park, N.C. Fish loves playing in the lab, troubleshooting, learning, and passing it on.

The post Introducing the Multicast “Dating Service” (aka the “RP”), Part 1 appeared first on Packet Pushers Podcast and was written by Denise "Fish" Fishburne.

by Denise "Fish" Fishburne at August 13, 2014 12:59 PM

Renesys Blog

Internet Touches Half Million Routes: Outages Possible Next Week

There was minor consternation in Internet engineering circles today, as the number of IPv4 networks worldwide briefly touched another magic “power of 2” size limit. As it turns out, 512K (524,288 to be exact, or 2-to-the-19th power) is the maximum number of routes supported by the default TCAM configuration on certain aging hardware platforms.

The problem is real, and we still haven’t seen the full effects, because most of the Internet hasn’t yet experienced the conditions that could cause problems for underprovisioned equipment. Everyone on the Internet has a slightly different idea of how big the global routing table is, thanks to slightly different local business rules about peering and aggregation (the merging of very similar routes to close-by parts of the Internet address space). Everyone has a slightly different perspective, but the consensus estimate is indeed just under 512K, and marching higher with time.

The real test, when large providers commonly believe that the Internet contains 512K routes, and pass that along to all their customers as a consensus representation of Internet structure, will start later this week, and will be felt nearly everywhere by the end of next week.

Enterprises that rely on the Internet for delivery of service should pay close attention to the latency and reachability of the paths to customers in the coming weeks, in order to identify affected service providers upstream and work around them while they perform appropriate upgrades to their infrastructure.

Here’s a plot of monthly routing table sizes from our peers, over the last several years. Note that there’s no good exact opinion about the One True Size of the Internet — every provider we talk to has a slightly different guess. The peak of the distribution today (the consensus) is actually only about 502,000 routes, but recognizably valid answers can range from 497,000 to 511,000, and a few have straggled across the 512,000 line already. The number varies from minute to minute as well, and this close to 512K, any minor event, such as a deaggregation by a large provider (fragmenting a network route into smaller ones for traffic engineering purposes) could push the global collective past the critical point.


Putting This Event in Perspective: Don’t Panic

It’s important to put this all in proper perspective (and yes, friends from the media who cover Internet infrastructure issues, I’m especially hoping you read down to this paragraph).

This situation is more of an annoyance than a real Internet-wide threat. Most routers in use today at midsize to large service providers, and certainly all of the routers that operate the core infrastructure of the Internet, have plenty of room to deal with the Internet’s current span, because they were provisioned that way by sensible network operators.

Affected boxes cause local connectivity problems for the network service providers who still run them, so they will be identified quickly and upgraded as we pass the threshold. Their instability in turn causes some minor additional load on adjacent routers.

But the overall stability of the global routing system should be unaffected. In terms of a threat, this isn’t nearly in the same class as some poison-message scenarios we’ve described before, which combine router failure with contagion dynamics.

Origins of the Problem

This has been coming for some time. The Internet keeps growing, which is what it does best. There’s very little indication that the current shortage of IPv4 space has done anything to dissuade new autonomous systems (enterprises, universities, service providers, etc.) from connecting to the Internet and expecting to route some space of their own.

Ironically, exhaustion may be speeding up the growth, as enterprises and service providers learn to use tricks like carrier-grade NAT to get their jobs done in tinier and tinier fragments of the remaining IPv4 space.

The routing table in every border router on Earth has to carry a route to each and every one of those tiny fragments, as free addressable space gets tighter and tighter. And every IPv4 route takes basically the same amount of memory in the router, whether it’s an enormous university-sized block of 64K IP addresses, or a little taste of 256 IP addresses (the smallest generally routable block). That relentless pressure has pushed the distribution of global routing table sizes up and up, as more and more people join the Internet, and find themselves fighting over smaller and smaller crumbs of IPv4 space.

And that means that 512K is right around the corner for everyone on Earth, as early as next week. Here’s a plot of the distribution of routing table size, marching forward, from May 2014 (red) through July 2014 (purple) and up to today (blue). This wave only propagates one way. Someday, sooner than you think, we’ll be facing the 1024K routing table challenge.

The Good News

So far, as the first providers cross the 512K line, we’re not seeing real, serious evidence of increased Internet instability, at least not at the levels that would affect enterprises and service providers worldwide in meaningful ways. Some people who are downstream of affected equipment may be noticing early problems, if they find themselves learning 512K routes today thanks to a deaggregation event that injects thousands of transient routes.

Here we can see the percentage of the Internet that’s affected by routing instability on a daily basis, the kind of flickering change that we’d expect to see if routers everywhere were rebooting. Typically it’s 3 to 7 percent and obeys cycles based on human timescale: less on the weekends, when networking professionals leave the Internet alone, less during the December holidays. We see some increase in 2014, but in recent months and days, no clear trend higher in instability.


What Comes Next

This event won’t be over tomorrow; in fact, it has barely begun. As the routing table size distribution creeps to the right, the number of routers in the world who “see” 512K+ routes will steadily increase. Within a few weeks, nearly every piece of vulnerable gear will have been discovered, as 512K+ becomes the global consensus opinion. We don’t know how many machines that represents, and we don’t know what the net impact will be on local Internet connectivity before it all gets sorted out.

There is irony lurking here, of course, if you read the advisories. You can change the default configuration to reclaim more TCAM for IPv4 .. but only at the expense of support for IPv6, the “next generation” Internet addressing scheme that continues to struggle for widespread adoption. Sadly, this elderly gear was shipped at a time when the world was full of hope for the emergence of a real, live, flourishing IPv6 routing table. There’s far too much TCAM allotted to IPv6, as a result (in at least one case, 256K routes, when the current IPv6 routing table still requires fewer than 20K).

You can reclaim most of that precious router memory for IPv4, and you’ll be fine again .. at the expense of evicting your IPv6 routes from TCAM. That’s probably a decent bet, since anyone who failed to future-proof their deployment and is still running this older gear probably has very, very little IPv6 traffic on their network anyway. For IPv6 aficionados who are tracking the continuing growth and robust good health of the “legacy” IPv4 Internet, that’s called “cold comfort.”

The post Internet Touches Half Million Routes: Outages Possible Next Week appeared first on Renesys.

by Jim Cowie at August 13, 2014 10:14 AM

My Etherealmind

Huawei Learning Website

Huawei is showing some signs of maturity in the Enterprise market with this Learning website offering free e-learning courses. Unfortunately, it’s seriously restricted to partners or some other weird criteria for membership. Entitlement E-Learning courses currently face to the following types of users: Huawei channel partners; Huawei Authorized Learning Partner(HALP) and the one who passed […]

The post Huawei Learning Website appeared first on EtherealMind.

by Greg Ferro at August 13, 2014 08:07 AM

In Search of Tech

A Training Class Where I Actually Learned Something

TL/DR – Canned labs never work for me.

Training for me has always been hit or miss. I have had better luck with in person classes than online training. I realize that everyone learns differently, so I suppose you pick the model that works best for you and hope you get your money’s worth out of it.

Back in June, I had the pleasure of attending the ClearPass Advanced Labs course at the Aruba headquarters out in Sunnyvale, CA. This was not a typical “class”. In fact, every time I referred to it as a “class”, I was reminded by the instructor that it was more of a workshop. The instructor was not there to teach you everything about ClearPass. Their job is simply to function as a proctor and help out when you get stuck on a particular issue. Yes, there was a slide deck, but it was VERY brief and just covered the goals of the day’s activities.

What Made It Different?

In short, the lack of step by step instructions. Many of the training classes I have attended consist of the following:

1. Death by Powerpoint
2. Canned labs

There’s no need to elaborate on the first point since we are probably all familiar with that portion of instruction. It is the second point that I feel the need to expound on.

Canned Labs

You’ve probably seen these. The product covered is beat into your head via numerous slides and then you get to apply what you just learned by doing a lab exercise. The problem I run into is that the exercises are given along with every single click of the mouse and every keystroke. It becomes more of an exercise of: “Can you follow instructions?” I seldom learn from these to the point in which what I am doing actually makes perfect sense. I get no sense of depth in the product and just suffer through each lab exercise until I am done for the day and can go find somewhere to eat my next meal. Sure, I can poke around the product and flip a few knobs here and there, but you basically just wander around aimlessly.

Back To ClearPass

Canned labs do not exist in the Aruba ClearPass Advanced Labs course. There are very minimal instructions given. A few sentences with what needs to be accomplished and that is it. It is up to you and your lab partner to figure out how to accomplish the task. I should point out that you were expected to have some experience with ClearPass prior to attending the course, but the prerequisites could be accomplished without ever having touched ClearPass in a production environment.

To better illustrate the minimal information given, here is a picture of the guidebook for the Aruba ClearPass Essentials course in orange along with the Aruba ClearPass Advanced Labs course in black on top.

Was It Better With Less Information?

Yes! I found myself struggling in certain areas, but was able to work through them with occasional help from the instructor. The benefit was that after a brief period of time, it started to make sense. ClearPass was no longer as daunting as it initially seemed. Don’t get me wrong. It is a VERY deep product with a variety of different ways to accomplish a given task, but as a whole the main pieces began to make a lot more sense. I would not have gotten to that point had every step been written out for me to follow.

If you have ever taken a math class*, you are probably familiar with something along the lines of:

3 + 2x = 15

The astute reader already knows that x=6, but that is because they know how to solve the problem.

(15 – 3)/2 = x

*Note – I was never good at math. It just doesn’t interest me. Please forgive any incorrect logic on my part.

Imagine if you didn’t know that instinctively. You would have had to reason it out. Through enough trial and error, you would eventually reach 6. In that process, you would have figured out exactly how to derive “x” from the given information. You could use the same method in the future and solve the problem much faster. You would have LEARNED, which should be the overall goal of any sort of education.

I realize that developing any sort of training content is not an easy job. Technical content development is even harder. However, by simply running people through a set list of commands to type, I think the student gets the short end of the stick. They are deprived of the opportunity to explore different approaches to solving a problem. While this doesn’t extend to every aspect of learning (e.g. landing an airplane has a very specific set of steps that need to be followed in order to avoid crashing), I think it covers a fair amount of IT work in general.

Closing Thoughts

The ClearPass Advanced Labs course from Aruba was without a doubt the best technical class I have ever taken. In 5 short days, I learned more about that product simply because I was not given all the answers up front. That doesn’t mean I am an expert, or even highly competent with ClearPass. That comes with more experience and exposure to different problems that need solving in that given product. What it does mean is that I returned home knowing a lot more about how it works and the various methods I could use to solve a given problem.

Consider something like BGP. There are generally multiple ways to influence path selection. While I may use some methods more than others (e.g. prepending, local preference), I am aware of other ways to accomplish the same thing. That didn’t come about because I sat through a bunch of canned labs on BGP and gained immediate insight into how the protocol works. It came about because over the years I have tried various methods and failed. I would have to reassess how to solve the problem another way and try again until I got it right.

Raising kids has taught me that the best way to ensure their success is to let them fail. The exception being safety issues where they could get physically hurt beyond a simple bruise or scrape. If I hold their hand until they are old enough to venture out on their own, they will be woefully unprepared for the world that awaits them.

Your IT staff is no different than my kids, except that they have credit cards and a driver’s license. Don’t hold their hand. Make them work for it. They’ll be better technologists and you as the employer will benefit from their increased knowledge.

If you are involved with ClearPass as an end user, Aruba employee, or Aruba partner, I HIGHLY recommend you send your people to this course. In addition to the massive amount of learning that takes place, if you attend the class at Aruba’s headquarters, they have a really nice cafeteria with a plethora of yummy food. I wish I could eat lunch there every day! That may be due to my love of Asian food though. It is hard to get that out here in Tennessee. :)

As always, I am interested in your comments. What has been your experience with training classes?

by Matthew Norwood at August 13, 2014 05:52 AM

XKCD Comics

August 12, 2014

Honest Networker
Networking Now (Juniper Blog)

August 2014 Microsoft Patch Tuesday Summary

Welcome to the August edition of the Microsoft Patch Tuesday Summary. In this edition there are 9 updates; two are marked "Critical" and seven are rated "Important". A total of 37 vulnerabilities were fixed over 9 bulletins this month. One of the Critical updates, MS14-051, is a patch for all versions of Internet Explorer (IE 6 to 11). This single update resolves 25 CVEs (Common Vulnerabilities and Exposures).


Here is a list of Security bulletins which were rolled out in today's Patch Tuesday release.

by prashantk at August 12, 2014 07:24 PM