January 29, 2015

Cisco IOS Hints and Tricks

Case Study: Combine Physical and Virtual Appliances in a Private Cloud

Cloud builders are often using my ExpertExpress service to validate their designs. Tenant onboarding into a multi-tenant (private or public) cloud infrastructure is a common problem, and tenants frequently want to retain the existing network services appliances (firewalls and load balancers).

The Combine Physical and Virtual Appliances in a Private Cloud case study describes a typical solution that combines per-tenant virtual appliances with frontend physical appliances.

by Ivan Pepelnjak (noreply@blogger.com) at January 29, 2015 07:18 AM

January 28, 2015

Networking Now (Juniper Blog)

7 Smart Ways to Ensure Data Privacy

Today, user privacy is a huge concern. Check out the seven ways to protect yourself and your identity while connected to the network. 

by KyleAdams at January 28, 2015 11:22 PM

PACKETattack

News Analysis: Big Cloud Fabric 2.5 Released

Big Switch Networks has released version 2.5 of their Big Cloud Fabric SDN offering. Read the full press release here. What’s Big Cloud Fabric? BCF is an SDN-based IP fabric where you manage all of the individual switches as one “big switch.” In other words, you manage the fabric as a whole, and not individual switches. Big […]

by Ethan Banks at January 28, 2015 03:47 PM

Packet Pushers Blog/Podcast

MPLS TE Design -Part 3

This is a continuation from Part 2 Fast Reroute Why Fast Reroute? Many NSP’s like ACME have traffic with tight SLAs. For instance below is an ITU delay recommendation for Voice. One Way Delay Characterization of Quality 0-150ms Acceptable for most applications 150-400ms May impact some applications Above 400ms Unacceptable ITU G.114 delay recommendations Having […]

Author information

Diptanshu Singh

Diptanshu Singh

Diptanshu Singh,(3xCCIE,CCDE) is a Sr. Engineer mostly focused on service providers , data center and security. He is a network enthusiast passionate about network technologies so not only is it his profession, but something of a hobby as well.

The post MPLS TE Design -Part 3 appeared first on Packet Pushers Podcast and was written by Diptanshu Singh.

by Diptanshu Singh at January 28, 2015 08:27 AM

MPLS TE Design -Part 2

This is a continuation from Part 1 Case for LDPoRSVP As we mentioned at the very beginning that ACME provides L3VPN and L2VPN services, which requires end to end LSP between the PEs. But due to scaling reasons, ACME decided not to extend RSVP to the edge routers. This creates a problem as there is […]

Author information

Diptanshu Singh

Diptanshu Singh

Diptanshu Singh,(3xCCIE,CCDE) is a Sr. Engineer mostly focused on service providers , data center and security. He is a network enthusiast passionate about network technologies so not only is it his profession, but something of a hobby as well.

The post MPLS TE Design -Part 2 appeared first on Packet Pushers Podcast and was written by Diptanshu Singh.

by Diptanshu Singh at January 28, 2015 08:26 AM

MPLS TE Design -Part 1

In this post we will be exploring different aspects of Traffic Engineering (RSVP-TE) from a design perspective using fictional ISP as a reference. The intent of the post is to not necessarily recommend a particular solution, but to bring up different aspects involved in the design. I am assuming that the reader already has somewhat […]

Author information

Diptanshu Singh

Diptanshu Singh

Diptanshu Singh,(3xCCIE,CCDE) is a Sr. Engineer mostly focused on service providers , data center and security. He is a network enthusiast passionate about network technologies so not only is it his profession, but something of a hobby as well.

The post MPLS TE Design -Part 1 appeared first on Packet Pushers Podcast and was written by Diptanshu Singh.

by Diptanshu Singh at January 28, 2015 08:25 AM

Cisco IOS Hints and Tricks

Is Controller-Based Networking More Reliable than Traditional Networking?

Listening to some SDN pundits one gets an impression that SDN brings peace to Earth, solves all networking problems and makes networking engineers obsolete.

Cynical jokes aside, and ignoring inevitable bugs, is controller-based networking really more reliable than what we do today?

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at January 28, 2015 07:27 AM

XKCD Comics

January 27, 2015

Packet Pushers Blog/Podcast

PQ Show 44 – The OPNFV Project with Margaret Chiosi

Margaret Chiosi, president of the OPNFV project hosted at the Linux Foundation, discusses OPNFV in a briefing with Ethan Banks.

by Packet Pushers Podcast at January 27, 2015 02:37 PM

The Networking Nerd

More Bang For Your Budget With Whitebox

white-box-sdn-nfv

As whitebox switching starts coming to the forefront of the next buying cycle for enterprises, decision makers are naturally wondering about the advantages of buying cheaper hardware. Is a whitebox switch going to provide more value for me than buying something from an established vendor? Where are the real savings? Is whitebox really for me? One of the answers to this puzzle comes not from the savings in whitebox purchases, but the capability inherent in rapid deployment.

Ten Thousand Spoons

When users are looking at the acquisition cost advantages of buying whitebox switches, they typically don’t see what they would like to see. Ridiculously cheap hardware isn’t the norm. Instead, you see a switch that can be bought for a decent discount. That does take into account that most vendors will give substantial one-time discounts to customers to entice them into more lucrative options like advanced support or professional services.

The purchasing advantage of whitebox doesn’t just come from reduced costs. It comes from additional unit purchases. Purchasing budgets don’t typically spell out that you are allowed to buy ten switches and three firewalls. They more often state that you are allowed to spend a certain dollar amount on devices of a specific type. Savvy shoppers will find deals or discounts to get more for their dollar. The real world of purchasing budgets means that every dollar will be spent, lest the available dollars get reduced next year.

With whitebox, that purchasing power translates into additional units for the same budget amount. If I could buy three switches from Vendor X or five switches from Whitebox Vendor Y, ceteris paribus I would buy the whitebox switches. If the purpose of the purchase was to connect 144 ports, then that means I have two extra switches lying around. Which does seem a bit wasteful.

However, the option of having spares on the shelf becomes very appealing. Networks are supposed to be built in a way to minimize or eliminate downtime because of failure. The network must continue to run if a switch dies. But what happens to the dead switch? In most current cases, the switch must be sent in for warranty replacement. Services contracts with large networking vendors give you the option for 4-hour, overnight, or next business day replacements. These vendors will even cross-ship you the part. But you are still down the dead switch. If the other part of the redundant pair goes down, you are going to be dead in the water.

With an extra whitebox switch on the shelf you can have a ready replacement. Just slip it into place and let your orchestration and provisioning software do the rest. While the replacement is shipping, you still have redundancy. It also saves you from needing to buy a hugely expensive (and wildly profitable) advanced support contract.

All You Need Is A Knife

Suppose for a moment that we do have these switches sitting around on a shelf doing nothing but waiting for the inevitable failure in the network. From a cost perspective, it’s neutral. I spent the same budget either way, so an unutilized switch is costing me nothing. However, what if I could do something with that switch?

The real advantage of whitebox in this scenario comes from the ability to use non-switching OSes on the hardware. Think for a moment about something like a network packet monitor. In the past, we’ve needed to download specialized software and slip a probing device into the network just for the purposes of packet collection. What if that could be done by a switch? What if the same hardware that is forwarding packets through the network could also be used to monitor them as well?

Imagine creating an operating system that runs on top of something like ONIE for the purpose of being a network tap. Now, instead of specialized hardware for that purpose you only need to go and use one of the switches you have lying around on the shelf and repurpose it into a sensor. And when it’s served that purpose, you put it back on the shelf and wait until there is a failure before going back to push it into production as a replacement. With Chef or Puppet, you could even have the switch boot into a sensor identity for a few days and then provision it back to being a data forwarding switch afterwards. No need for messy complicated software images or clever hacks.

Now, extend those ideas beyond sensors. Think about generic hardware that could be repurposed for any function. A switch could boot up as an inline firewall. That firewall could be repurposed into a load balancer for the end of the quarter. It could then become a passive IDS during an attack. All without moving. The only limitation is the imagination of the people writing code for the device. It may not ever top the performance of a device running purely for the purpose of a given function, but the flexibility of having a device that can serve multiple functions without massive reconfiguration would win out in the long run for many applications. Flexibility is more key than overwhelming performance.


Tom’s Take

Whitebox is still finding a purpose in the enterprise. It’s been embraced by webscale, but the value to the enterprise is not found in massive capabilities like that. Instead, the additional purchasing power that can be derived from additional unit purchases for the same dollar amount leads to reduced support contract costs and even new functionality increases from existing hardware lying around that can be made to do so many other things. Who could have imagined that a simple switch could be made to do the job of many other purpose-built devices in the data center? Isn’t it ironic, don’t you think?

 


by networkingnerd at January 27, 2015 09:55 AM

Cisco IOS Hints and Tricks

Video: IPv6 High Availability Components

Last spring I ran an IPv6 High Availability webinar which started (not surprisingly) with a simple question: “which network components affect availability in IPv6 world, and how is a dual-stack or an IPv6-only environment different from what we had in the IPv4 world?

This part of the webinar is now available on ipSpace.net content web site. Enjoy the video, explore other IPv6 resources on ipSpace net, and if you’re from Europe don’t forget to register for the IPv6 Security Summit @ Troppers in mid-March.

by Ivan Pepelnjak (noreply@blogger.com) at January 27, 2015 07:07 AM

January 26, 2015

My Etherealmind

2015 is all about SDN WAN

The technology that gives me a “nerd hard-on” this month is SDN WAN. Here is why.


The post 2015 is all about SDN WAN appeared first on EtherealMind.

by Greg Ferro at January 26, 2015 06:00 PM

PacketLife.net Blog
Cisco IOS Hints and Tricks

IPv6 Renumbering – Mission Impossible?

In one of the discussions on v6ops mailing list Matthew Petach wrote:

The probability of us figuring out how to scale the routing table to handle 40 billion prefixes is orders of magnitude more likely than solving the headaches associated with dynamic host renumbering. That ship has done gone and sailed, hit the proverbial iceberg, and is gathering barnacles at the bottom of the ocean.

Is it really that bad? Is simple renumbering in IPv6 world just another myth? It depends.

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at January 26, 2015 07:34 AM

XKCD Comics

P-Values

0.05 level" and hope no one notices." />0.05 level" and hope no one notices." alt="If all else fails, use "significant at a p>0.05 level" and hope no one notices." />

January 26, 2015 12:00 AM

January 23, 2015

Packet Pushers Blog/Podcast

Confessions of technical interviewer

A technical interviewer, or technically an interviewer. I was interviewed quite a few times since I set of to join the networking crowd, 12 years ago. I also had opportunity to sit on the opposite side, and interviewed people on multiple occasions. Some of my fondest memories of working for my current employer are connected […]

Author information

Marcin Latosiewicz

Marcin Latosiewicz

Network engineer, CCIE #25784.
Technical Services Engineer at Cisco. TAC engineer.
FlexPod wizard, Vblock charmer.
@mlatosie on twitter.

The post Confessions of technical interviewer appeared first on Packet Pushers Podcast and was written by Marcin Latosiewicz.

by Marcin Latosiewicz at January 23, 2015 07:55 PM

Cisco IOS Hints and Tricks

vLAG Caveats in Brocade VCS Fabric

Brocade VCS fabric has one of the most flexible multichassis link aggregation group (LAG) implementation – you can terminate member links of an individual LAG on any four switches in the VCS fabric. Using that flexibility is not always a good idea.

2015-01-23: Added a few caveats on load distribution

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at January 23, 2015 07:15 PM

Peter's CCIE Musings and Rants

verify the cluster password for CUCM

Hi Guys!

Quick and handy way if you THINK you know the cluster password to verify it, just login to the CLI and execute:

set password security (you may or may not need the user keyword depending on if your on version 8 or above)

This will prompt you for the old password, so you have chance to test what you THINK the old cluster password is before continuing!


More detail here:
https://supportforums.cisco.com/document/65041/how-reset-passwords-cucm#Security_password

by peter_revill (noreply@blogger.com) at January 23, 2015 11:51 AM

Cisco IOS Hints and Tricks
Packet Pushers Blog/Podcast

Destination Based NAT

Here is the scenario: There is a public server on the internet that you have requested access to. The “admins” that control the server agree to allow a single public IP from your entity/company to access the server. The issue arises due to the fact that you “luckily” have more than 1 Public IP at […]

Author information

Korey Rebello

Korey Rebello

Korey is a Principal Network Engineer, Cisco Champion and Military veteran with over 8 years of experience in the IT industry. Currently holds the following certifications; CCNP R&S, JNCIA, and CCNA Security. He is interested in advancing his network passion and knowledge as well as teaching others. Currently responsible for network architecture, design and implementation for a company that maintains a large global network.

The post Destination Based NAT appeared first on Packet Pushers Podcast and was written by Korey Rebello.

by Korey Rebello at January 23, 2015 05:33 AM

Show 222 – Introducing The OpenClos Project

Doug Hanks and Moloy Chatterjee join Packet Pushers host Ethan Banks to discuss the OpenClos project.

by Packet Pushers Podcast at January 23, 2015 03:00 AM

XKCD Comics

January 22, 2015

My Etherealmind

Poster: How To Make a Single Pane of Glass

A Poster for your desk on building a "single pane of glass" network management system.


The post Poster: How To Make a Single Pane of Glass appeared first on EtherealMind.

by Greg Ferro at January 22, 2015 06:00 PM

In Search of Tech

Cisco Wireless Transmit Power Control

Power substation outside a VERY large data center in Atlanta,GA.

I’m going to start out by telling you something you probably already know. Every vendor has their own way of doing things. Sometimes it makes perfect sense, and other times you end up scratching your head wondering why that particular vendor implemented this feature or product. Since I have been spending a lot more time on wireless these days, I came across an issue that forced me to reconsider how transmit power control(TPC) actually works in a Cisco wireless deployment. I thought I would impart some of this information to you, dear reader, in the hopes that it may help you. If you spend a lot of time inside Cisco wireless LAN controllers, this may not be anything new to you.

The Need For TPC

If you have been around wireless long enough, you have probably dealt with wireless installs where all of the access points(AP) were functioning autonomously. While this isn’t a big deal in smaller environments, consider how much design work goes into a network with autonomous access points that number into the hundreds. It isn’t as simple as just deciding on channels and spinning all the access points up. You also have to consider the power levels of the respective access points. Failure to do so can result in the image below where the AP is clearly heard by the client device, but the AP cannot hear the client since it is transmitting at a higher power level than the client can match.

AP-TransmitPowerProblem

 

Now consider the use of a wireless LAN controller to manage all of those APs. In addition to things like dynamic channel assignment, you can also have it adjust the transmit power levels of the APs. This can come in handy when you have an AP fail and need the other APs to increase their transmit power to fill the gap that exists since that failed AP is no longer servicing clients. I should point out that proper design of a wireless network with respect to the client transmit power capabilities should NEVER be overlooked. You ALWAYS want to be aware of what power levels your clients can transmit at. It helps to reduce the problem in the image above.

There’s also the problem that can arise when too many APs can hear each other. It isn’t just about the clients. Wireless systems which adhere to the IEEE 802.11 standard are a half duplex medium. Only one device can talk at a time on a given channel. Either a client or the AP will talk, but not both at once. If an AP can hear another AP on the same channel at a usable signal, the airtime must be shared between those APs. Depending on the number of SSID’s in use, this can dramatically reduce the amount of airtime available for an AP to service a client. You can see some actual numbers with regard to SSIDs and APs in this blog post by Andrew von Nagy.

As you can see from two quick examples, there is a need to control the power level in which an AP will transmit. On controller based wireless networks(and even on the newer controller-less solutions), this is done automatically. I wouldn’t advise you turn that off unless you really know what you are doing and you have the time to plan it all out beforehand.

The Cisco Approach

On wireless LAN controllers, TPC is a function of Radio Resource Management(RRM). The specifics can be found here. I’ll spare you the read and give you the high points.

  • The TPC algorithm is only concerned with reducing power levels. Increases in power levels are covered by Coverage Hole Detection and Correction algorithm.
  • TPC runs in 10 minute intervals.
  • A minimum of 4 APs are required for TPC to work.

It is the last point that I want to focus on, because the first two are pretty self explanatory. The reasoning behind the 4 AP minimum for TPC is as follows:

“For TPC to work ( or to even have a need for TPC ) 4 APS must be in proximity of each other.  Why? Because on 2.4 GHz you only have three channels that do not overlap… Once you have a fourth AP you need to potentially adjust power down to avoid co channel interference.   With 3 APS full power will not cause this issue.”

Those are not my words. They came from someone within Cisco that is focused on wireless. Since that person didn’t know I would publish that, I will not name said person. The explanation though, makes sense.

Let’s see it in action to validate what Cisco’s documentation says.

TPC Testing

I happen to have a Cisco WLC 2504 handy with 4 APs. I set it up in my home office and only maintained about 10 feet separation from the APs. Ideally, I would test it with the APs a lot farther apart, but I did put some barriers around the APs to give some extra attenuation to the signal. I also only did testing on the 5GHz band. I disabled all of the 2.4GHz radios because I don’t need to give any of my neighbors a reason to hate me. Blasting 5GHz is less disruptive to their home wireless networks than 2.4GHz is due to the signals traveling farther/less attenuation of 2.4GHz vs 5GHz signals/antenna aperture. :)

Here you can see the available settings for TPC in the WLC GUI. This particular controller is running 7.6 code, so your version may vary.

TPC SettingsSome notes on options:

    • You can either set TPC to run automatically, on demand, or at a fixed power rate on all APs. TPC is band specific, so if you want different settings for 2.4GHz and 5GHz respectively, you can have that.
    • Maximum and minimum settings for transmit power are available. The defaults are 30dBm for maximum power and -10dBm for minimum power.
    • The power threshold is the minimum level at which you need to hear the third AP for the TPC algorithm to run. The default is -70dBm. You can set it higher or lower depending on your needs. High density environments might require a level stronger than -70dBm, with -50dBm being the strongest level supported. If you don’t necessarily need to run things like voice, you might be able to get away with a weaker threshold, but you cannot go beyond -80dBm.

A Quick Sidebar on Maximum Transmit Power in 5GHz

I set up the WLC with 3 APs active on 5GHz only. You can see that the power levels on the 3 APs are set to 1 in the image further down, which is maximum power according to Cisco. While it seems odd that max power would be a 1 and not some higher number, consider the fact that there are multiple maximum transmit power levels depending on which UNII band you are using in 5GHz. As a general reference, 20dBm would be 100mW and 14dBm would be 25mW. You could get 200mW(23dBm) of power using a UNII-3 channel vs UNII-1, which is maxed out 32mW(15dBm). That is a HUGE difference.

      • UNII-1 power levels for channels 36-48:
        • 1 – 15dBm
        • 2 – 12dBm
        • 3 – 9dBm
        • 4 – 6dBm
        • 5 – 3dBm
      • UNII-2 power levels for channels 52-64(I didn’t test UNII-2 Extended, but I suspect it is the same:
        • 1 – 17dBm
        • 2 – 14dBm
        • 3 – 11dBm
        • 4 – 8dBm
        • 5 – 5dBm
        • 6 – 2dBm
      • UNII-3 power levels for channels 149-161:
        • 1 – 23dBm
        • 2 – 20dBm
        • 3 – 17dBm
        • 4 – 14dBm
        • 5 – 11dBm
        • 6 – 8dBm
        • 7 – 5dBm

To see the supported power levels in terms of dBm on 5GHz, you can run the following command on the CLI of the WLC:

show ap config 802.11a <ap name>

The output will look something like this after you go through a handful of screens showing other stuff:

AP Power Settings

 

 

 

Back To The Testing…

You can see in the image below that with 3 APs active, they are all running at power level 1, which is the default when the radios come online.

3AP-MaxTXPower

So let’s see what happens when I add the fourth AP. If our understanding of TPC is correct, we should see the power levels come down since the APs are so close to each other and will have a signal strength of well above -70dBm between each other.

4AP-MaxTXPowerThe fourth AP now shows up, but the power levels are still maxed out at 1. The AP’s are also using channels on all 3 UNII bands, so there is a huge disparity in output power right now. After a few minutes, the following shows up in the WLC:

4AP-PowerRedux-1Now we can see TPC working. It has reduced all 4 APs to a power level of 2. Once the TPC algorithm kicks in, it will run every 10 minutes until it reaches a level where the fourth AP is just within the power threshold of -70dBm. Let’s see if it keeps reducing power.

4AP-PowerRedux-2Now we are at a power level of 3. Ten more minutes pass and I see the following:

4AP-PowerRedux-3Two of the APs have been reduced to a power level of 4. Ten more minutes passed and power levels reduced even further. At that point, I powered off one of the APs to see if the power levels would go back to 1 since there was no longer a fourth AP. I didn’t get a screen shot in time to see all 4 APs at an even lower power level, but when I did grab a screen shot of the 3 remaining APs, one of them had been dropped to a power level of 5. I believe this happened prior to my unplugging the fourth AP.

Note – Power level decreases happen in single increments only, every time the TPC algorithm runs(every 10 minutes). To put it another way, it downgrades by 3dB max each cycle. Sam Clements pointed out to me via Twitter that when power levels increase, it can happen much more rapidly since the Coverage Hole Detection(CHD) and Correction algorithm is responsible for power increases.

4AP-PowerRedux-4I waited for at least 30 minutes to see if the power levels would return to 1 for the remaining 3 APs, but they didn’t move at all. They stayed just like the above image.

If you want to see this work on the CLI in real time, you can issue the following command:

debug airewave-director power enable

After I had waited for over half an hour, I decided to power off one more AP. When I brought it back online, I saw all 3 of the APs slowly go back to a power level of 1. Here’s the first change I saw in the 3 remaining APs:

3AP-AlmostMaxPowerAnd then shortly afterward, I saw them back at max power.

3AP-MaxPowerAgain

 

It’s All In The Details

For wireless surveys, my company uses the Ekahau Site Survey product. It is a really neat survey tool and we use it for on site assessments as well as predictive surveys. When you define the requirements of the project, you can choose from a bunch of different vendor specific scenarios, or general wireless scenarios. I can apply those requirements to a predictive survey, or an on site survey where I am trying to determine if the existing coverage/capacity is good enough for the business needs.

Here’s a screen shot of the default requirements for the “Cisco Voice” scenario found in version 7.6.4 of Ekahau’s Site Survey program:

EkahauRequirementsPay careful attention to the “Number of Access Points” field. By default, it shows 2 APs with a minimum signal strength of -75dBm. If I am building a predictive survey for Cisco voice, I would need to have all of my coverage areas to see 2 APs at a signal of -75dBm or better. That’s perfectly fine, but I also have to consider the APs and how they determine, you guessed it, transmit power. If I change the value in the “Number of Access Points” field to 3 APs at -70dBm or better, I can build my predictive survey around inter-AP communication as well. In that scenario, I am not looking to cover the entire floor or building to that standard. I just need to make sure that all of my APs can see 3 or more APs at -70dBm or better. Of course, if I am not using Cisco wireless to support a Cisco voice implementation, I need to figure out how that other wireless vendor determines transmit power. Just something to consider when interpreting the results of an actual or predictive survey. It isn’t entirely about the clients and their relationship to the AP. AP to AP communication matters as well!

Closing Thoughts

Understanding how the TPC function works is pretty important when designing Cisco wireless networks. Failure to consider what all is involved in regards to transmit power on your APs could(not WILL, but COULD) lead to problems in the wireless network’s operation. However, if you want to manually set transmit power, that’s an option as well. Opinions differ on running RRM. I’m not sure there is a right or wrong answer. It depends. :) I will say that I almost never see Cisco wireless implementations where RRM is not being used.

I don’t want to end this post without mentioning that some networks may be perfectly fine running APs at max power, especially on the 5GHz side. Your coverage may be enough to where there is minimal channel overlap(easily achievable in 5GHz with 20MHz channels and the use of all 3 UNII bands), and each AP can hear one or two neighboring APs at a decent level due to good cell overlap. You just might not have enough APs to trigger the TPC algorithm to run. That doesn’t mean “you are doing it wrong”. If it works for the business and all your users are fine, who am I to tell you that you need to “fix” it.

Hopefully this was beneficial to you if you needed a clearer understanding of how Cisco’s TPC function works. If you already have a good understanding of TPC and managed to read this far, feel free to shame humiliate correct me in the comments.

by Matthew Norwood at January 22, 2015 08:40 AM

Cisco IOS Hints and Tricks
Packet Pushers Blog/Podcast

PQ Show 43 – HP Networking – Beyond Traditional Network Management

Ken Gott, Product Line Manager, joins Chris Young, Senior Solutions Architect, for a discussion about HP's Intelligent Management Center (IMC) with Packet Pushers Greg Ferro and Ethan Banks.

by Packet Pushers Podcast at January 22, 2015 03:00 AM

January 21, 2015

PACKETattack

News Analysis: Cumulus Linux 2.5 Released + Validated Design Guides

One of my favorite companies to talk to and keep track of is Cumulus Networks, makers of Cumulus Linux, a network operating system that runs on whitebox switches. As I’m not in a build phase on the network I do most of my work on, I haven’t had a chance to try Cumulus Linux […]

by Ethan Banks at January 21, 2015 02:39 PM

Cisco IOS Hints and Tricks

Lock-In Is Inevitable – Get Used to It!

For whatever reason (subliminal messages from vendor marketing departments?), I’m constantly brooding about the vendor lock-in, its inevitability, and the way supposedly disruptive companies try to use the fear of lock-in to persuade na├»ve customers to buy their products.

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at January 21, 2015 07:44 AM

Potaroo blog

BGP in 2014

The Border Gateway Protocol, or BGP, has been holding the Internet together, for more than two decades and nothing seems to be falling off the edge so far. As far as we can tell everyone can still see everyone else, assuming that they want to be seen, and the distributed routing system appears to be working smoothly. All appears to be working within reasonable parameters, and there is no imminent danger of some routing catastrophe, as far as we can tell. For a protocol designed some 25 years ago, when the Internet of that time contained some 10,000 constituent networks, its done well to scale fifty-fold, to carry in excess of half a million routed elements by the end of 2014.

January 21, 2015 04:59 AM

XKCD Comics

January 20, 2015

PACKETattack

News Analysis: Brocade Vyatta Controller Gets a Developer Wiki

A little bird pointed out this link to me, a wiki for the developer community for the Brocade Vyatta Controller (BVC). The big idea is to help foster community for folks building SDN applications for the BVC. What do I mean by “SDN applications”? I mean an application that does something interesting, and interacts with […]

by Ethan Banks at January 20, 2015 04:38 PM

The Networking Nerd

Making Your Wireless Guest Friendly

Wireless

During the recent Virtualization Field Day 4, I was located at a vendor building and jumped on their guest wireless network. There are a few things that I need to get accomplished before the magic happens at a Tech Field Day event, so I’m always on the guest network quickly. It’s only after I take care of a few website related items that I settle down into a routine of catching up on email and other items. That’s when I discovered that this particular location blocked access to IMAP on their guest network. My mail client stalled out when trying to fetch messages and clear my outbox. I could log into Gmail just fine and send and receive while I was on-site. But my workflow depends on my mail client. That made me think about guest WiFi and usability.

Be Our (Limited) Guest

Guest WiFi is a huge deal for visitors to an office. We live in a society where ever-present connectivity is necessary. Email notifications, social media updates, and the capability to look up necessary information instantly have pervaded our lives. For those of us fortunate enough to still have an unlimited cellular data plan, our connectivity craving can be satisfied by good 3G/LTE coverage. But for those devices lacking a cellular modem, or the bandwidth to exercise it, we’re forced to relay of good old 802.11a/b/g/n/ac to get online.

Most companies have moved toward a model of providing guest connectivity for visitors. This is far cry from years ago when snaking an Ethernet cable across the conference room was necessary. I can still remember the “best practice” of disabling the passthrough port on a conference room IP phone to prevent people from piggybacking onto it. Our formerly restrictive connectivity model has improved drastically. But while we can get connected, there are still some things that we limit through software.

Guest network restrictions are nothing new. Many guest networks block malicious traffic or traffic generally deemed “unwanted” in a corporate environment, such as Bittorrent or peer-to-peer file sharing protocols. Other companies take this a step further and start filtering out bandwidth consumers and the site associated with them, such as streaming Internet radio and streaming video, like YouTube and Vimeo. It’s not crucial to work (unless you need your cat videos) and most people just accept it and move on.

The third category happens, for the most part, at large companies or institutions. Protocols are blocked that might provide covert communications channels. IMAP is a good example. The popular thought is that by blocking access to mail clients, guests cannot exfiltrate data through that communications channel. Forcing users onto webmail gives the organization an extra line of defense through web filters and data loss prevention (DLP) devices that constantly look for data leakage. Another protocol that is added in this category is IPSec or SSL VPN connections. In these restrictive environments, any VPN use is generally blocked and discouraged.

Overstaying Your Welcome

Should companies police guest wireless networks for things like mail and VPN clients? That depends on what you think the purpose of a guest wireless network is for. For people like me, guest wireless is critical to the operation of my business. I need access to websites and email and occasionally things like SSH. I can only accomplish my job if I have connectivity. My preference would be to have a guest network as open as possible to my needs.

Companies, on the other hand, generally look at guest wireless connectivity as a convenience provided to guests. It’s more like the phone in the lobby by the reception desk. In most cases, that phone has very restricted dialing options. In some companies, it can only dial internal extensions or a central switchboard. In others, it has some capability to dial local numbers. Almost no one gives that phone the ability to dial long distance or international calls. To the company, giving wireless connectivity to guests serves the purpose of giving them web browsing access. Anything more is unnecessary, right?

It’s a classic standoff. How do we give the users the connectivity they need while protecting the network? Some companies create a totally alien guest network with no access to the inside and route all traffic through it. That’s almost a requirement to avoid unnecessary regulatory issues. Others use a separate WAN connection to avoid having the guest network potentially cause congestion with the company’s primary connection.

The answers to this conundrum aren’t going to come easily. But regardless of this users need to know what works and what doesn’t. Companies need to be protected against guest users doing things they aren’t supposed to. How can we meet in the middle?

A Heaping Helping of Our Hospitality

The answer lies in the hospitality industry. Specifically in those organizations that offer tiered access for their customers. Most hotels will give you the option of a free or reduced rate connection that is rate limited or has blocks in place. You can upgrade to the premium tier and unlock a faster data cap and access to things like VPN connections or even public addresses for things like video conferencing. It’s a two-tier plan that works well for the users.

Corporate wireless should follow the same plan. Users can be notified that their basic connectivity has access to web browsing and other essential items, perhaps at a rate limit to protect the corporate network. For those users (like me) that need access to faster network speeds or uncommon protocols like IMAP, you could setup a “premium” guest network that has more restrictive terms of use and perhaps gathers more information about the user before allowing them onto the network. This is also a good solution for vendors or contractors that need access to more of the network that a simple guest solution can afford them. They can use the premium tier with more restrictions and the knowledge that they will be contacted in the event of data exfiltration. You could even monitor this connection more stringently to insure nothing malicious is going on.


Tom’s Take

Guest wireless access is always going be an exercise is balance. You need to give your guests all the access you can without giving them the keys to the kingdom. Companies providing guest access need to adopt a tiered model like that of the hospitality industry to provide the connectivity needed for power users while still offering solutions that work for the majority of visitors. At the very least, companies need to notify users on the splash page / captive portal which services are disabled. This is the best way to let your guests know what’s in store for them.


by networkingnerd at January 20, 2015 03:36 PM

Security to the Core | Arbor Networks Security

DDoS Attacks in the Wake of French Anti-terror Demonstrations

On January 15th, France’s chief information systems defense official, Adm. Arnaud Coustilliere, announced a sharp rise in online attacks against French web sites:

“Calling it an unprecedented surge, Adm. Arnaud Coustilliere, head of cyberdefense for the French military, said about 19,000 French websites had faced cyberattacks in recent days, …” [1].

As we’ve done in the recent past for North Korea [2], Hong-Kong [3], and Israel [4], we can leverage Arbor’s ATLAS initiative to observe how real world conflict is reflected in the digital realm. ATLAS receives anonymized Internet traffic and DDoS event data from over 330 participating Internet Service Providers worldwide. In particular, we are interested in DDoS attacks before and after Sunday, January 11th. As reported in [1],

“Coustilliere called the attacks a response to the massive demonstrations against terrorism that drew 3.7 million people into the streets Sunday across France.”

In order to gauge this response, we compare the DDoS attacks that took place between January 3rd and January 10th to the DDoS attacks that took place between January 11th and January 18th inclusive.

Attack Frequency

Between January 3rd and January 18th, a total of 11,342 unique attacks were reported as targeting France – an average of 708 attacks per day. The following series of graphs depict the frequency and size of these DDoS attacks for the 8 days before and after January 11th, 00:00:00 GMT.

Figure 1 illustrates the total number of reported DDoS attacks targeting France for the eight-day period before January 11th, and for eight days after January 11th:

France-Fig1-NumAttacks

Figure 1: Total Number of Attacks

We observe a 26% increase in the number of DDoS attacks in the period after January 11th.

Attack Size

Figure 2 compares the average size of DDoS attacks in terms of bandwidth (Gbps) before January 11th, and afterwards:

Figure 2: Average Attack Size (Gbps)

Figure 2: Average Attack Size (Gbps)

Here we observe a 35% increase in average DDoS attack size after January 11th. Specifically, in the eight days prior to January 11th, the average attack size was 1.21 Gbps. After January 11th, the average attack size was 1.64 Gbps.

Attack Size Distribution

Figures 1 and 2 above illustrate that not only were there more attacks after January 11th, the attacks were larger, as well. The following table details this observation:

France-Table1-AttackSizeDistribution247 (5%) of the DDoS attacks in the period prior to January 11th were greater than 5 Gbps while 678 (11%) of the attacks after January 11th exceeded 5 Gbps in size. Thus, while Figure 2 describes a 35% increase in average attack size post January 11, the percentage of attacks larger than 5 Gbps more than doubled.

Peak Attack Sizes

Figure 3 depicts the size of the largest attack before and after January 11th 00:00:00 GMT:

France-Fig3-PeakAttacks

Figure 3: Peak Attacks

January 9th saw a 40.96 Gbps attack, while a 63.02 Gbps attack was reported on January 11th. The January 11th attack was 54% larger than the attack observed on January 9th.

Conclusion

On January 11th, the largest demonstration in French history took place as millions marched in anti-terrorism rallies across the country [5]. On January 15th, Adm. Arnaud Coustilliere, announced an unprecedented surge in online attacks against French websites, calling these attacks “a response to the massive demonstrations” [1]. Arbor’s ATLAS data presented above appears to support Adm. Coustilliere’s claims.

Comparisons of DDoS attack data over the eight-day periods before and after January 11th show:

  • a 26% increase in the number of attacks,
  • a 35% increase in the average attack size,
  • a 100% increase in the number of attacks larger than 5 Gbps and
  • a 54% increase between the peak attack events in the two time periods.

This is yet another striking example of significant online attacks paralleling real-world geopolitical events.

References

[1] http://bigstory.ap.org/article/806d34082511483cafe2deaa1a7e6061/car-hits-injures-officer-french-presidential-palace

[2] http://www.arbornetworks.com/asert/2014/12/north-korea-goes-offline/

[3] http://www.arbornetworks.com/asert/2014/11/ddos-activity-in-the-context-of-hong-kongs-pro-democracy-movement/

[4] http://www.arbornetworks.com/asert/2014/08/ddos-and-geopolitics-attack-analysis-in-the-context-of-the-israeli-hamas-conflict/

[5] http://www.cnn.com/2015/01/11/world/charlie-hebdo-paris-march/

 

by Kirk Soluk at January 20, 2015 03:24 PM

PACKETattack

News Analysis: Anuta NCX 4.0 Feature Updates for OpenStack, NFV, YANG

Anuta Networks’ NCX platform is for multi-vendor orchestration at scale. NCX fits in the SDN space, allowing operators to create service catalogs that can be deployed across a wide variety of gear from various networking vendors, including Cisco, Juniper, Brocade, and Ericsson. I co-hosted a webinar with a live demo of an earlier version […]

by Ethan Banks at January 20, 2015 02:58 PM

Packet Pushers Blog/Podcast

Wi-Fi: The jungle of the Unlisenced

This is a follow-up on the recently published Packet Pushers Show 221 – Marriott, Wifi, + the FCC with Glenn Fleishman & Lee Badman. Let me begin by stating my role in the ecospace: I am currently overseeing the expansion of broadband into Indianfield Co-operative Campground (indianfieldcampground.com) in the town of Salem (A less populous […]

Author information

Mitchell Lewis

Mitchell is a young technology professional with an interest in networking & communications. He takes an interest in the ever changing telecom space as well as other networking technologies (datacenter etc). His main hobby project is overseeing the expansion of broadband into a co-operative campground, shares of which are owned by a family member.

Mitchell currently is a Cisco Certified Entry Level Tech (CCENT Certified) with intentions of obtaining higher as time permits. He graduated from the Connecticut Technical High School system with a focus in Information Systems Technology (Combination of Higher Ed MIS & Computer Science). While there he developed the production computing platform for his academic department( servers, networking, desktop).

He is currently pursing higher education from the UCONN School of Business & welcomes any opportunity to further advance his experience in the IT Field & professional knowledge.

The post Wi-Fi: The jungle of the Unlisenced appeared first on Packet Pushers Podcast and was written by Mitchell Lewis.

by Mitchell Lewis at January 20, 2015 08:09 AM

January 19, 2015

Peter's CCIE Musings and Rants

Tips for dealing with Finesse

Consider this a dynamic article where I will put hints and tips for issues I encounter when dealing with Finesse

- When administrating Finesse, always use the URL that contains the hostname and not the IP address. This makes life a LOT easier. Otherwise you will get errors such as:

"

by peter_revill (noreply@blogger.com) at January 19, 2015 03:04 PM

Cisco Finesse URL

For those wondering what the Cisco Finesse User URL is


https://ip-of-uccx-server:8445/desktop/container/?locale=en_US

by peter_revill (noreply@blogger.com) at January 19, 2015 07:47 AM

Cisco IOS Hints and Tricks

Improving ECMP Load Balancing with Flowlets

Every time I write about unequal traffic distribution across a link aggregation group (LAG, aka Etherchannel or Port Channel) or ECMP fabric, someone asks a simple question “is there no way to reshuffle the traffic to make it more balanced?

TL&DR summary: there are ways to do it, and some vendors already implemented them.

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at January 19, 2015 07:42 AM

Packet Pushers Blog/Podcast

PQ Show 42 – HP Networking – Location Aware Wireless

Technical Marketing Engineer at HP Networking Yarnin Israel and Senior Research Scientist at HP Labs Souvik Sen join Packet Pushers co-hosts Greg Ferro and Ethan Banks for a discussion about HP's Location Aware Wireless technology.

by Packet Pushers Podcast at January 19, 2015 03:00 AM

XKCD Comics