December 19, 2014

Peter's CCIE Musings and Rants

Cisco AXL Programming for fun and profit (Part 3) - Finally making some API calls and an alternative to the WSDL

Hi Guys!

In Part 1 and Part 2 of this AXL tutorial we very briefly learnt about AXL and SOAP, and used the Web Services Description Language (WSDL) to generate an AXLAPIService class that we can use to call AXL API methods. At the end of Part 2 you should have been able to connect to AXL without receiving an error message (but nothing useful would have happened).

Let's use some AXL API Methods!

The first method we are going to look at is a method to list phones.

The first part of the code is below, we will go through the relevant information afterwards.

                ListPhoneReq listPhones = new ListPhoneReq();

                ListPhoneReqSearchCriteria search = new ListPhoneReqSearchCriteria();

                search.description = "%";

                listPhones.searchCriteria = search;

                // You set myPhones to show what tags you want to return!!!
                LPhone myPhones = new LPhone();
                myPhones.description = "";
                myPhones.uuid = "";
                myPhones.name = "";
                myPhones.directoryUrl = "";
                myPhones.model = "";
                listPhones.returnedTags = myPhones;

The first step is to create an instance of the ListPhoneReq class as well as an instance of the ListPhoneReqSearchCriteria class, because we must provide search criteria if we want to list phones. The criteria can be a wildcard (%), but the tag MUST be present in our SOAP request. We can tell this is true from the schema:

Since the Schema tells us that a searchCriteria tag must be included, we know we need to set this value before we execute the method to make the SOAP call:

                listPhones.searchCriteria = search;

The next tag we need to set a value for is returnedTags; this controls which tags we want to receive back from our SOAP call. In this case we want to see description, uuid, name, model and directoryUrl, so we create a new LPhone object (since the returnedTags type is LPhone) and assign it to the ListPhoneReq object:

                LPhone myPhones = new LPhone();
                myPhones.description = "";
                myPhones.uuid = "";
                myPhones.name = "";
                myPhones.directoryUrl = "";
                myPhones.model = "";
                listPhones.returnedTags = myPhones;

So now we have a totally valid AXL request ready to go, what next? We execute the API call and tell it we expect to see some results:

       ListPhoneRes listPhonesResponse = axl.listPhone(listPhones);


The first line executes the listPhone API method and places the response into a new instance of ListPhoneRes. Note that the response will only contain the tags we specifically asked for (i.e. those we set to blank values on the myPhones object). The @ symbol is slightly confusing, but it is only there because "return" is a reserved word in C# and the @ prefix allows us to use reserved words as identifiers. The [0] is the array element we want to access; since this is a LIST of phones it is obviously returned as an array.

So don't forget: when you type out listPhonesResponse.@return[0]. you will see a list of tags you can access:

You won't be able to get any of those tags if you didn't specify them in your search (using the myPhones object). If you try to use a tag that you didn't ask to be returned in the search, the code will compile but you will receive an error along the lines of "Object reference not set to an instance of an object".

Hopefully this points you all in the right direction, you need to look closely at the AXL API calls you intend to use and work out what parameters you need to pass as well as what to expect to come back in the response.
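As an added example (not code from the post), here is the listPhone call wrapped in a method that iterates over every returned phone and guards each field against the null reference the post warns about. It assumes the AXLAPIService proxy and the ListPhoneReq, ListPhoneReqSearchCriteria, LPhone and ListPhoneRes types generated from the WSDL in Part 2, and that the proxy surfaces AXL faults as System.Web.Services.Protocols.SoapException (true for wsdl.exe-generated clients).

```csharp
using System;
using System.Web.Services.Protocols;   // SoapException, thrown by wsdl.exe-generated proxies on an AXL fault

// Added example; assumes the AXLAPIService proxy and the AXL request/response types from Part 2.
public static class PhoneLister
{
    // Lists every phone whose description matches the (wildcard) pattern and returns how many came back.
    // Only the tags set to "" on returnedTags are populated in the response; everything else is null.
    public static int ListPhones(AXLAPIService axl, string descriptionPattern)
    {
        ListPhoneReq listPhones = new ListPhoneReq();
        ListPhoneReqSearchCriteria search = new ListPhoneReqSearchCriteria();
        search.description = descriptionPattern;   // "%" matches everything
        listPhones.searchCriteria = search;        // mandatory tag according to the schema

        LPhone myPhones = new LPhone();
        myPhones.name = "";
        myPhones.description = "";
        myPhones.model = "";
        // uuid and directoryUrl are deliberately NOT requested here, so they stay null on every result
        listPhones.returnedTags = myPhones;

        try
        {
            ListPhoneRes response = axl.listPhone(listPhones);
            if (response.@return == null)          // nothing matched: there is no <return> element at all
                return 0;

            foreach (LPhone phone in response.@return)
            {
                // Guard every field: a tag that was not in returnedTags is null, which is exactly the
                // "Object reference not set to an instance of an object" error described in the post
                Console.WriteLine("{0,-20} {1,-30} {2}",
                    phone.name ?? "<not requested>",
                    phone.description ?? "<not requested>",
                    phone.model ?? "<not requested>");
            }
            return response.@return.Length;
        }
        catch (SoapException fault)
        {
            // Bad credentials, a malformed request or a version mismatch all arrive as SOAP faults
            Console.Error.WriteLine("AXL fault: " + fault.Message);
            return -1;
        }
    }
}
```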

Let's use a more direct method of making AXL API calls. The WSDL-generated AXLAPIService.cs file does make life easy, but it's a LOT of code to put into your project if you only want to make one or two simple AXL API calls, so let's look at how we could write the SOAP envelope by hand.

(Full credit to Vasoo Veerapen's blog; most of the code below is based on his blog article. It was his blog that originally got me interested in investigating all this. I wanted to blog about this myself after I discovered the WSDL method, as well as help people who ran into the same issues I did.)

As I mentioned in Part 1, the app we are eventually going to end up with is a click-to-call application, but AXL does not expose any method for us to perform click to call. This is why most attendant console applications normally require both an AXL and a JTAPI connection, with JTAPI being used for call control since that is what it was developed to do, and it does an admirable job of it.

Luckily, Cisco DID implement WebDialer as a SOAP API we can use. The relevant schema is available here:

Let's take a look at the SOAP request:

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                  xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:urn="urn:WD70">
  <soapenv:Header/>
  <soapenv:Body>
    <urn:getProfileSoap soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <in2 xsi:type="urn:Credential">
        <userID xsi:type="xsd:string">peter</userID>
        <password xsi:type="xsd:string">cisco</password>
      </in2>
      <userID xsi:type="xsd:string">peter</userID>
    </urn:getProfileSoap>
  </soapenv:Body>
</soapenv:Envelope>

By this point we are probably getting a good idea of how this works: you use the schema URL to work out which calls you need, then send those messages. As always, if you're having trouble with the XML it's worth testing it with the curl command we showed in Part 1.

OK, let's see how we implement this method.

(Again, I cannot stress enough that the original code, before I modified it, was written by Vasoo Veerapen; you can find his blog at:

Below is the code we need to get this going:

First, we need our SOAP request:

            string soapreq;

            // This is our SOAP request to request the profile //
            soapreq = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>";
            soapreq += "<soapenv:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:urn=\"urn:WD70\">";
            soapreq += "<soapenv:Header/>";
            soapreq += "<soapenv:Body>";
            soapreq += "<urn:getProfileSoap soapenv:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">";
            soapreq += "<in2 xsi:type=\"urn:Credential\">";
            soapreq += "<userID xsi:type=\"xsd:string\">";
            soapreq += UsernameVariableHere;
            soapreq += "</userID>";
            soapreq += "<password xsi:type=\"xsd:string\">";
            soapreq += PasswordVariableHere;
            soapreq += "</password>";
            soapreq += "</in2>";
            soapreq += "<userID xsi:type=\"xsd:string\">";
            soapreq += UsernameVariableHere;
            soapreq += "</userID>";
            soapreq += "</urn:getProfileSoap>";
            soapreq += "</soapenv:Body>";
            soapreq += "</soapenv:Envelope>";

Then we need to send this request. We wrap it in try statements to make sure people have entered a valid IP address, and to catch any other exceptions we might run into:

            try
            {
                // BruteForcePolicy is the author's ICertificatePolicy class (defined elsewhere); presumably it
                // accepts any certificate, which turns off TLS server validation for the whole process
                System.Net.ServicePointManager.CertificatePolicy = new BruteForcePolicy();

                // Issue the request over SSL
                System.Net.HttpWebRequest req = (System.Net.HttpWebRequest)WebRequest.Create("https://" + CUCMIPVARIABLEHERE + ":8443/webdialer/services/WebdialerSoapService");
                req.ContentType = "text/html;";
                req.Method = "POST";

                // 8.5 is a pretty safe version to use for your SOAP Action
                // and supports CUCM 8.5 all the way to 10.5. This code
                // may or may not work on CUCM below 8.5
                req.Headers.Add("SOAPAction: CUCM:DB ver=8.5");

                req.Credentials = new System.Net.NetworkCredential(USERNAMEVARIABLEHERE, PASSWORDVARIABLEHERE);

                // Write the SOAP envelope we built above into the request body
                using (StreamWriter sw = new StreamWriter(req.GetRequestStream()))
                {
                    sw.Write(soapreq);
                }

                // Get response and display
                using (System.Net.WebResponse webresp = (System.Net.WebResponse)req.GetResponse())
                {
                    StreamReader reader = new StreamReader(webresp.GetResponseStream(), System.Text.Encoding.UTF8);
                    return reader.ReadToEnd();
                }
            }
            catch (UriFormatException UriInvalid)
            {
                // Must come before the general catch, otherwise it is unreachable and will not compile
                return "Invalid CUCM IP address";
            }
            catch (Exception e)
            {
                return e.ToString();
            }

I have highlighted my return statements for you: as you can see, I read the response into a StreamReader and then convert it into a string. I use return statements because I have actually implemented this as a class, so I can call a method that takes soapreq as a parameter along with the username and password, in order to reuse the method again and again!
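Building on the idea of a reusable method that takes the request, username and password, here is an added example (not the post's or Vasoo Veerapen's code) of the same getProfile call written so that the credentials are XML-escaped by XDocument instead of being concatenated into the envelope, and so that the CUCM certificate is checked per request against a configured thumbprint instead of being accepted unconditionally. It assumes .NET 4.5 or later, a CUCM host and certificate thumbprint supplied by the caller (placeholders), and the SOAPAction value used in the post.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Xml.Linq;

// Added example, not the post's code. Same getProfile envelope as the hand-written string in the post,
// but built with XDocument (values escaped) and sent with per-request certificate pinning.
public class WebDialerClient
{
    static readonly XNamespace Soapenv = "http://schemas.xmlsoap.org/soap/envelope/";
    static readonly XNamespace Xsi = "http://www.w3.org/2001/XMLSchema-instance";
    static readonly XNamespace Xsd = "http://www.w3.org/2001/XMLSchema";
    static readonly XNamespace Urn = "urn:WD70";

    readonly string cucmHost;             // placeholder: CUCM publisher host name or IP
    readonly string expectedThumbprint;   // placeholder: SHA-1 thumbprint of the CUCM Tomcat certificate

    public WebDialerClient(string cucmHost, string expectedThumbprint)
    {
        this.cucmHost = cucmHost;
        this.expectedThumbprint = expectedThumbprint.Replace(" ", "").ToUpperInvariant();
    }

    // A user name such as  peter</userID><userID>admin  is serialised as text here, not as markup
    public static string BuildGetProfileRequest(string userId, string password)
    {
        XDocument doc = new XDocument(
            new XDeclaration("1.0", "UTF-8", null),
            new XElement(Soapenv + "Envelope",
                new XAttribute(XNamespace.Xmlns + "xsi", Xsi),
                new XAttribute(XNamespace.Xmlns + "xsd", Xsd),
                new XAttribute(XNamespace.Xmlns + "soapenv", Soapenv),
                new XAttribute(XNamespace.Xmlns + "urn", Urn),
                new XElement(Soapenv + "Header"),
                new XElement(Soapenv + "Body",
                    new XElement(Urn + "getProfileSoap",
                        new XAttribute(Soapenv + "encodingStyle", "http://schemas.xmlsoap.org/soap/encoding/"),
                        new XElement("in2",
                            new XAttribute(Xsi + "type", "urn:Credential"),
                            new XElement("userID", new XAttribute(Xsi + "type", "xsd:string"), userId),
                            new XElement("password", new XAttribute(Xsi + "type", "xsd:string"), password)),
                        new XElement("userID", new XAttribute(Xsi + "type", "xsd:string"), userId)))));
        // XDocument.ToString() drops the declaration, so emit it explicitly
        return doc.Declaration + Environment.NewLine + doc.ToString(SaveOptions.DisableFormatting);
    }

    // Accept a certificate the OS already trusts, or the one whose thumbprint we were configured with
    bool ValidateServerCertificate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;
        if (cert == null) return false;
        string presented = new X509Certificate2(cert).Thumbprint;   // uppercase hex, no spaces
        return string.Equals(presented, expectedThumbprint, StringComparison.OrdinalIgnoreCase);
    }

    public string GetProfile(string userId, string password)
    {
        string soapreq = BuildGetProfileRequest(userId, password);
        try
        {
            // url.Uri throws UriFormatException for a malformed host, like the post's try/catch
            UriBuilder url = new UriBuilder("https", cucmHost, 8443, "/webdialer/services/WebdialerSoapService");
            HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url.Uri);
            req.ServerCertificateValidationCallback = ValidateServerCertificate;   // this request only, not process-wide
            req.Method = "POST";
            req.ContentType = "text/xml; charset=utf-8";        // SOAP 1.1 content type (the post used text/html)
            req.Headers.Add("SOAPAction", "CUCM:DB ver=8.5");   // the value the post uses
            req.Credentials = new NetworkCredential(userId, password);
            req.PreAuthenticate = true;                          // send Basic auth up front instead of after a 401

            byte[] body = Encoding.UTF8.GetBytes(soapreq);
            req.ContentLength = body.Length;
            using (Stream s = req.GetRequestStream())
                s.Write(body, 0, body.Length);

            using (WebResponse webresp = req.GetResponse())
            using (StreamReader reader = new StreamReader(webresp.GetResponseStream(), Encoding.UTF8))
                return reader.ReadToEnd();
        }
        catch (UriFormatException)
        {
            return "Invalid CUCM host name or IP address";
        }
        catch (WebException e)
        {
            // A SOAP fault comes back as HTTP 500 with the fault XML in the body: return it rather than lose it
            if (e.Response != null)
                using (StreamReader reader = new StreamReader(e.Response.GetResponseStream(), Encoding.UTF8))
                    return reader.ReadToEnd();
            return e.ToString();
        }
    }
}
```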

You can download the code from here.

In part 4 we will finally pull all of this together and I will provide the source-code for my (crappy) click to call app!

by peter_revill at December 19, 2014 09:42 PM

Login Unavailable (23) error message with extension mobility (STANDARD Extension mobility, not cross-cluster)

Hi Guys!

You may or may not receive an error when trying to do Extension Mobility in CUCM 10:

Login Unavailable (23)

Googling that error will show you lots of posts on how this is related to Extension Mobility Cross Cluster. If, like me, you are not doing Extension Mobility Cross Cluster but just plain old boring Extension Mobility, this error can be quite confusing!

If you check the Extension Mobility application and Extension Mobility service logs in the Real Time Monitoring Tool, you will see lines like this:

MApp Request parameters: Logout=null Device Name=SEP3AAAA9D26F61 User Id=peterr Device Profile=null Refresh=null Remote Host IP Address = Via Header Set = false getClusterInfo = null Lang = en_US Charset=utf-8,iso-8859-1;q=0.8 Emcc = true
2014-12-17 18:53:54,770 INFO  [http-bio-80-exec-15 ] EMAppServlet              - EM Request for peterr
2014-12-17 18:53:54,834 INFO  [http-bio-80-exec-15 ] EMAppServlet              - User authentication complete for user peter
2014-12-17 18:53:54,846 INFO  [http-bio-80-exec-15 ] EMAppServlet              - Device profiles for user:peterr =UserInfo:  UserID: djohn Password:  Locale: 1 Authentication proxy rights: falseDevice Profiles:  EM_peterr
2014-12-17 18:53:54,847 INFO  [http-bio-80-exec-15 ] EMServiceCommunicator     - postMsgToLoginService: Service URL :https://localhost:8443/emservice/EMServiceServlet
2014-12-17 18:53:54,880 ERROR [http-bio-80-exec-15 ] EMAppServlet              - Error: Unable to Login user. EM Service returned error code 23

The annoying thing about this error is that everything appears to go fine: EM finds the profile (Device Profiles: EM_peterr), but then in the next "step" it says it cannot find the user.

The issue in the end was the "Home Cluster" checkbox under the user; note that this checkbox is NOT checked by default. Go to User Management -> End User, click on your user and find this setting:

Note that this setting exists in CUCM 10.0 and above. Be sure that Home Cluster is ticked. I always thought Home Cluster was only used with Jabber, but it appears it is also important from an Extension Mobility perspective.

Finally, you may want to double-check your Extension Mobility service URL; even if you are not using EMCC you MAY need to specify the following parameter:


The new param you won't have seen before is EMCC=#EMCC#

OK Guys just a quick one here, keep this in mind so you avoid this problem!

by peter_revill at December 19, 2014 07:24 PM

Packet Pushers Blog/Podcast

Policy-based Tunnel Selection (PBTS) on Cisco IOS-XR

Recently, I had to look after PBTS on Cisco ASR9K platform and faced some issues, here are some results about my tests. PBTS has the same goal as CBTS on Cisco IOS (Class-Based Tunnel selection) but for Cisco IOS-XR. It provides a tool to direct traffic into specific RSVP-TE tunnels (in the future Segment-Routing tunnels) […]

Author information

Youssef El Fathi


Youssef is a network engineer working for a French service provider. He is also a dual CCIE (RS, SP). You can find him on Twitter.

The post Policy-based Tunnel Selection (PBTS) on Cisco IOS-XR appeared first on Packet Pushers Podcast and was written by Youssef El Fathi.

by Youssef El Fathi at December 19, 2014 03:23 PM

Cisco IOS Hints and Tricks

VRF Lite on Nexus 5600

One of the networking engineers using my ExpertExpress to validate their network design had an interesting problem: he was building a multi-tenant VLAN-based private cloud architecture with each tenant having multiple subnets, and wanted to route within the tenant network as close to the VMs as possible (in the ToR switch).

He was using Nexus 5600 as the ToR switch, and although there’s conflicting information on the number of VRFs supported by that switch (verified topology: 25 VRFs, verified maximum: 1000 VRFs, configuration guide: 64 VRFs), he thought 25 VRFs (tenant routing domains) might be enough.

Read more ...

by Ivan Pepelnjak at December 19, 2014 12:55 PM

That’s It for 2014

A dozen webinars, tens of public presentations and on-site workshops, numerous highly interesting ExpertExpress sessions, three books and over 250 blog posts. That should be enough for a year; it’s time to go offline.

I hope your company has a New Year freeze (and not let’s upgrade everything over New Year policy), so you’ll be able to do the same and enjoy some time during the rest of the year with your loved ones. See you in 2015!

by Ivan Pepelnjak at December 19, 2014 08:45 AM

XKCD Comics

December 18, 2014


GNS3 1.2.1 installation on Ubuntu 14.04

As mentioned in an earlier post, GNS3 is moving ahead fast. Currently at version 1.2.1, GNS3 is looking great. Compared with the 1.0 Beta 1 version I had installed, 1.2.1 is not only more stable, but its menu is cleaner and more compact. For example, there is now only one Preferences menu where you can adjust all your settings. Read more on GNS3 1.2.1 installation on Ubuntu 14.04…

[[ This is a content summary only. Visit my website for full links, other content, and more! ]]

by Calin at December 18, 2014 04:13 PM

Peter's CCIE Musings and Rants

Moving from UCCX Windows to UCCX Linux? CaSe MaTtErS!

Hi Guys

Quick gotcha I found while working for a customer that I wanted to make sure you know about: when working with UCCX and moving from the Windows version to the Linux version, remember that the document files are case sensitive, because Linux is case sensitive! Be sure your scripts refer to upper or lower case correctly.



by peter_revill at December 18, 2014 12:11 PM

Renesys Blog

What’s Next for Cuba?

Nearly two years ago, we broke the story about the activation of the first submarine cable connecting Cuba to the global Internet – a cable that, prior to its activation in January 2013, mysteriously lay dormant on the ocean floor for nearly two years. When the Cuban government issued a confirmation in the days following our report, it contained the following statement:
   When the testing process concludes, the submarine cable being put into operation will not mean that possibilities for access will automatically multiply.

In other words, Cubans should not expect greater access to the Internet just because the ALBA-1 submarine cable was now in operation. Yesterday’s historic agreement to begin normalizing relations between Cuba and the United States contains a pledge by the Cuban government to “greatly expand its citizens’ access to the Internet.” What exactly this pledge entails will determine how the Internet evolves in Cuba in the near term. Decision makers in Cuba should look at another country that recently opened up its telecom sector and is presently experiencing an explosion in Internet growth: Myanmar.

Cuban Isolation


The isolation of Cuba is plainly evident when looking at a map of the submarine cables in the Caribbean. While numerous cables crisscross the Caribbean, they all avoid landing on Cuba. That is, all except for ALBA-1 submarine cable, built by Alcatel Submarine Networks and financed by the Venezuelan government.

How much can the lack of Internet development in Cuba be attributed to the US trade embargo? Recall that in 2009, the Obama administration lifted the ban on US companies providing telecommunications services in Cuba as well as cleared the way towards the installation of a new submarine cable to connect Cuba to the US. However, this measure changed very little and no cable has been built to the US.

As part of this week’s announced plans to normalize relations with Cuba, the United States has lifted the ban on exporting telecommunications equipment to Cuba. How much this restriction accounted for the present lack of Internet development in Cuba isn’t clear. Even without access to US vendors, Cuba could acquire equipment from vendors from other nations. For example, they could have been upgrading their infrastructure with Chinese gear, but they weren’t doing that. Perhaps due to the fact that under sanctions, Cuba had very little foreign reserves with which to purchase expensive foreign imports like oil, cars, or networking equipment, and nobody was volunteering to subsidize their infrastructure.

It is really Cuba’s pledge to provide greater access to the Internet to its citizens that could be the most transformative development with respect to the Internet in Cuba.

Internet in Cuba

The following graphic depicts the current layout of the Cuban Internet as represented in Internet routing (BGP). US Department of Defense Autonomous Systems (ASNs) along the bottom represent Internet service to the Guantanamo Bay Naval Base. Otherwise, all Internet access goes through the Cuban state telecom ETECSA (AS11960). ETECSA has four international providers connecting it to the outside world. Telefonica and Tata provide service over the ALBA-1 submarine cable and Intelsat and NewCom are satellite providers.


In the transit shift plot below, we can observe how ETECSA has distributed traffic to its providers over the past two years. The entrance of Telefonica in January of last year (dark grey) coincided with the activation of ALBA-1. The brief period of service from Cable & Wireless Jamaica (yellow) corresponded to the activation of ALBA-1’s branch to Jamaica, intended for backup purposes.


From a purely technical standpoint, the activation of the ALBA-1 cable was a dramatic improvement for ETECSA’s connectivity to the outside world. Submarine cable fiber optics offer far greater amounts of bandwidth with much lower latencies than the bulk satellite service that they had been reliant on for years. From a performance standpoint, it was a tremendous improvement. However, now the challenge for the Cuban government is to extend that connectivity from Siboney Beach to the Cuban people. Below is a screenshot from Dyn Internet Intelligence showing latencies to Havana, Cuba from cities around the world.


Almost all of Cuba’s international Internet traffic has been passing through the United States for as long as the Internet has existed in Cuba. For example, the satellite ground stations for the satellite service they currently use are on the East Coast of the United States. (Note: Tata service to Cuba was formerly via satellite and used a ground station in Canada. Of course, Canada also primarily connects to the outside world through the US.) The Telefonica and Tata service across the ALBA-1 cable eventually makes its way to Miami to reach the global Internet. For technical reasons and not necessarily political ones, it is very hard to avoid the gravitational pull of the United States when routing international Internet traffic in the western hemisphere.

The networks for Guantanamo Bay Naval Base presently go over satellite, but last year the DoD announced that it would run its own submarine cable from Florida to Guantanamo Bay to offer better Internet service for the military installation. According to a DoD official testifying at a war crimes tribunal, “it’s going to be for the entire island in anticipation that one day they’ll be able to extend it into mainland Cuba.” So perhaps the second submarine cable to serve the nation of Cuba might come via the Gitmo detention center.

Myanmar as a model for Cuba

If the Cuban government is truly committed to opening up greater access to the Internet for the Cuban people, its decision makers should carefully review the case study of Myanmar over the past three years. Like Cuba, Myanmar was considered one of the last green fields of telecom – countries with virtually no telecommunications infrastructure. But just as the transformative growth did not come from Myanmar’s state telecom MPT, ETECSA is unlikely to be leading the way in Cuba. This isn’t a knock on ETECSA; it’s just that legacy fixed-line incumbents are not equipped or manned for the task of rapid deployment of mobile infrastructure. Cuba needs outside help, but to get it Cuba would need to adopt a capitalist mentality.

Presently, Myanmar is experiencing an unparalleled explosion in the growth of Internet access due to the entrance of two private foreign mobile operators that won licenses in a competitive bidding process in 2013. See the AFP piece about what is happening in Myanmar in the clip below:

Despite Myanmar being one of the poorest countries in Asia, 15-year licenses went for $500 million and the winners had to pledge to build out infrastructure to cover 90% of the population in a country of 60 million people spread across the jungles of southeast Asia.

Why did entering Myanmar seem so attractive that over a dozen international mobile operators competed for these licenses? It likely had to do with the fact that Myanmar dispensed with the typical protectionist requirements that can stifle interest such as requiring domestic partners or putting caps on foreign ownership. Outside companies felt like they could come in and operate without being loaded down with requirements that might decrease their profit potential. The result is a rapid growth of Internet access that is having profound impacts on life in Myanmar from empowering women to connecting up libraries. For an example closer to home, Cuba might consider the example of Mexico, where President Peña Nieto’s telecom reforms have eliminated caps on foreign ownership in a bid to increase competition and reduce prices.


In the past two years, there have been some modest steps towards greater access to the Internet in Cuba. These have included the activation of the ALBA-1 submarine cable, opening of Internet access points, and the introduction of mobile Internet service. However, access to the Internet is still limited for a variety of reasons including price of service and outdated technology.

Cuba’s pledge to increase Internet access for their citizens is a very hopeful sign and appears to be a departure from its warning last year that the activation of ALBA-1 “will not mean that possibilities for access will automatically multiply.” We will have to wait and see what precisely this pledge entails to really understand its implications for the future. However, there is reason to believe that impressive growth being experienced currently in Myanmar could be replicated in Cuba – but it would require a capitalist approach for one of the world’s last remaining communist countries. In Cuba, such a mind shift would be … revolutionary.

The post What’s Next for Cuba? appeared first on Dyn Research.

by Doug Madory at December 18, 2014 11:29 AM


What does “scale out” vs. “scale up” mean?

When researching data center network architectures, you will find the terms “scale out” and — rather less frequently — “scale up” used. What do these terms mean? I’m going to discuss these terms in a networking sense. If you search, you’ll find that applications and storage also have concepts of scaling out vs. […]

by Ethan Banks at December 18, 2014 10:36 AM

Cisco IOS Hints and Tricks

Cisco BGP soft-reconfiguration and received-routes relation

A while ago I received the following question: “Why I’m not seeing the prefixes received from the BGP peer when using the show ip bgp neighbors x.x.x.x received-routes while the soft-reconfiguration inbound is not enabled?” Read more on Cisco BGP soft-reconfiguration and received-routes relation…


by Calin at December 18, 2014 09:48 AM

Packet Pushers Blog/Podcast

HTIRW: Standards Bodies

(yes, I know, it’s been a while… But it’s time to get back to this series) Up to this point in this series, we’ve been discussing the more technical aspects of how the Internet really works. Now I want to shift gears a little, and talk about some of the more political aspects — standards […]

Author information

Russ White

Principal Engineer at Ericsson

Russ White is a Network Architect who's scribbled a basket of books, penned a plethora of patents, written a raft of RFCs, taught a trencher of classes, and done a lot of other stuff you either already know about — or don't really care about. You can find Russ at 'net Work, the Internet Protocol Journal, and his author page on Amazon.

The post HTIRW: Standards Bodies appeared first on Packet Pushers Podcast and was written by Russ White.

by Russ White at December 18, 2014 08:00 AM

December 17, 2014


Is Juniper About To Kill Their Entire Security Line? It Seems Not.

This is a quick follow up to a post I made a bit ago about rumored changes to Juniper’s security portfolio. I left that article with one big question in my mind.  Is Juniper on the verge of shuttering their entire security portfolio, including the SRX firewall platform and Firefly Perimeter (vSRX)? The answer […]

by Ethan Banks at December 17, 2014 10:05 PM

What is a data center operating system (DCOS)?

I’ve become aware of a new industry term called the “Data Center Operating System” (DCOS). The big idea seems to be abstracting away individual elements of the data center, allowing compute nodes to get spun up on top of infrastructure building blocks, whether physical or cloud. In theory, you supply hardware or cloud […]

by Ethan Banks at December 17, 2014 09:48 PM

Packet Pushers Blog/Podcast

Show 217 – IETF, YANG Proliferation and the Lack of Cooperation and Co-ordination

This week we are talking about the IETF and its inability to cope with massive change in networking around SDN and NFV. For example, there are more than 70 drafts on NETCONF models for common networking tasks that often overlap or repeat the same work. What does this mean for standards development?

by Packet Pushers Podcast at December 17, 2014 05:12 PM

My Etherealmind

How Many Hosts In An VLAN or IP Subnet and Why ?

It is common to allocate /24 or /22 subnets to a single VLAN, but William writes to ask why, and whether it is related to broadcasts. What is the best subnet size for VLAN allocation and why? The answer isn't what you think.

The post How Many Hosts In An VLAN or IP Subnet and Why ? appeared first on EtherealMind.

by Greg Ferro at December 17, 2014 05:00 PM

XKCD Comics

Christmas Shipping Deadline

The US Christmas shipping deadline for the xkcd store is December 19th! If you want to get anyone xkcd Christmas presents, you should order by then.

The xkcd store features body slipcovers, secret passageway concealers, picture tape, and more!

December 17, 2014 12:00 AM

December 16, 2014

Internetwork Expert Blog

New CCIE RSv5 Workbook Labs & Enhancements

Foundation Lab 2 has now been added to the CCIE RSv5 Workbook.  This lab is great for working on your configuration speed and accuracy when combining multiple technologies together.  It also has a great redistribution section that I hope you’ll all enjoy ;)  More Full Scale, Troubleshooting, and Foundation labs are in progress and will be posted soon.  I’ll post another update about them when they are available.

In addition to this we’ve added some feature enhancements to the workbook in response to customer requests and feedback.  First, there is a new Table of Contents for the workbook that allows you to view all tasks, and to check off tasks that you’ve already completed.  This will help you track your progress as you’re going through the workbook.

You can additionally check off the progress of a task in the upper right hand portion of the individual lab page.

Multiple bookmarks are now supported, and will be added to a section under the Table of Contents.  When you open the workbook it will now also prompt you to load your latest bookmark.

Lastly, configuration solutions are now hidden by default when you open a lab.  This will help prevent “spoilers” in the config before you’ve had a chance to attempt the lab.  To see the solution configs, click the Expand button as seen below.

If you want to hide the configuration solution again you can click to collapse.

We’re always looking for additional ways to improve our products, so if you have any suggestions you can submit feedback through the workbook labs themselves, post on our Online Community, or feel free to send me an email directly at

Happy labbing!

by Brian McGahan, CCIE #8593, CCDE #2013::13 at December 16, 2014 09:54 PM


IPsec VPN Mikrotik to Linux

After writing the Mikrotik IPsec VPN article I got some questions about how Mikrotik will work with a Linux device to build an IPsec VPN. I did notice that the questions were more oriented towards a copy / paste solution, so I’ll provide one that is working. If you need more details about why the solution is like this, please let me know. Also don’t forget to customize the solution as you need. Read more on IPsec VPN Mikrotik to Linux…


by Calin at December 16, 2014 09:04 PM

Mikrotik IPsec VPN

If you did not hear yet about Mikrotik, I can’t say I blame you. It's not exactly something you’ll find in SOHO network shops next to brands like TP-Link, Linksys or Netgear. Mikrotik is a company in Latvia that produces network hardware under the name RouterBOARD. The devices are excellent and RouterOS supports an amazing number of features for a SOHO product. Read more on Mikrotik IPsec VPN…


by Calin at December 16, 2014 05:43 PM

My Etherealmind

Unreliable Multicast means Unreliable VMware VSAN

Howard Marks from Deep Storage and long-term curmudgeon sent Ethan & I the following email: As I continue to tilt at the VMware windmill I’m facing fanbois telling me that all you have to do is plug the EVO:RAIL in and turn it on.  This of course leaves out the fact that the little sucker still […]

The post Unreliable Multicast means Unreliable VMware VSAN appeared first on EtherealMind.

by Greg Ferro at December 16, 2014 01:22 PM

Cisco IOS Hints and Tricks

Just Published: Scaling Overlay Virtual Networking Videos

The edited videos for the Scaling Overlay Virtual Networking webinar are available on the Content site. Nuage Networks sponsored the webinar; the videos are thus publicly available (without registration).

by Ivan Pepelnjak at December 16, 2014 09:11 AM

The Networking Nerd

Cisco Just Killed The CLI


Gallons of virtual ink have been committed to virtual paper in the last few days with regards to Cisco’s lawsuit against Arista Networks.  Some of it is speculating on the posturing by both companies.  Other writers talk about the old market vs. the new market.  Still others look at SDN as a driver.

I didn’t just want to talk about the lawsuit.  Given that Arista has marketed EOS as a “better IOS than IOS” for a while now, I figured Cisco finally decided to bite back.  They are fiercely protective of IOS and they have to be because of the way the trademark laws in the US work.  If you don’t go after people that infringe you lose your standing to do so and invite others to do it as well.  Is Cisco’s timing suspect? One does have to wonder.  Is this about knocking out a competitor? It’s tough to say.  But one thing is sure to me.  Cisco has effectively killed the command line interface (CLI).

“Industry Standards”

EOS is certainly IOS-like.  While it does introduce some unique features (see the NFD3 video here), the command syntax is very much IOS.  That is purposeful.  There are two broad categories of CLIs in the market:

  • IOS-like – EOS, HP Procurve, Brocade, FTOS, etc
  • Not IOS-like – Junos, FortiOS, D-Link OS, etc

What’s funny is that the IOS-like interfaces have always been marketed as such.  Sure, there’s the famous “industry standard” CLI comment, followed by a wink and a nudge.  Everyone knows what OS is being discussed.  It is a plus point for both sides.

The non-Cisco vendors can sell to networking teams by saying that their CLI won’t change.  Everything will be just as easy to configure with just a few minor syntax changes.  Almost like speaking a different dialect of a language.  Cisco gains because more and more engineers become familiar with the IOS syntax.  Down the line, those engineers may choose to buy Cisco based on familiarity with the product.

If you don’t believe that being IOS-like is a strong selling point, take a look at PIX and Airespace.  The old PIX OS was transformed into something that looked a lot more like traditional IOS.  In ASA 8.2 they even changed the NAT code to look like IOS.  With Airespace it took a little longer to transform the alien CLI into something IOS-like.  They even lost functionality in doing so, simply to give networking teams an interface that is more friendly to them.  Cisco wants all their devices to run a CLI that is IOS-like.  Junos fans are probably snickering right now.

In calling out Arista for infringing on the “generic command line interface” in patent #7,047,526, Cisco has effectively said that they will start going after companies that copy the IOS interface too well.  This leaves companies in a bit of a conundrum.  How can you continue to produce an OS with an “industry standard” CLI and hope that you don’t become popular enough to get noticed by Cisco?  Granted, it seems that all network switching vendors are #2 in the market somehow.  But at what point does being a big enough #2 get the legal hammer brought to bear?  Do you have to be snarky in marketing messages? Attack the 800-pound gorilla enough that you anger them?  Or do you just have to have a wildly successful quarter?

Laid To REST

Instead, what will happen is a tough choice.  Either continue to produce the same CLI year after year and hope that you don’t get noticed, or overhaul the whole system.  Those that choose not to play Russian Roulette with the legal system have a further choice to make.  Should we create a new, non-infringing CLI from the ground up? Or scrap the whole idea of a CLI moving forward?  Both of those second choices are going to involve a lot of pain and effort.  One of them has a future.

Rewriting the CLI is a dead-end road.  By the time you’ve finished your Herculean task you’ll find the market has moved on to bigger and better things.  The SDN revolution is about making complex networks easier to program and manage.  Is that going to be accomplished via yet another syntax?  Or will it happen because of REST APIs and programming interfaces?  Given an equal amount of time and effort on both sides, the smart networking company will focus their efforts on scrapping the CLI and building programmability into their devices.  Sure, the 1.0 release is going to sting a little.  It’s going to require a controller and some rough interface conventions.  But building the seeds of a programmable system now means it will be growing while other CLIs are withering on the vine.

It won’t be easy.  It won’t be fun.  And it’s a risk to alienate your existing customer base.  But if your options are to get sued or spend all your effort on a project that will eventually go the way of the dodo your options don’t look all that appealing anyway.  If you’re going to have to go through the upheaval of rewriting something from the ground up, why not choose to do it with an eye to the future?

Tom’s Take

Cisco and Arista won’t be finished for a while.  There will probably be a settlement or a licensing agreement or some kind of capitulation on both sides in a few years’ time.  But by that point, the fallout from the legal action will have finally finished off the CLI for good.  There’s no sense in gambling that you won’t be the next target of a process server.  The solution will involve innovative thinking, blood, sweat, and tears on the part of your entire development team.  But in the end you’ll have a modern system that works with the new wave of the network.  If nothing else, you can stop relying on the “industry standard” ploy when selling your interface and start telling your customers that you are setting the new standard.


by networkingnerd at December 16, 2014 03:32 AM

December 15, 2014

Packet Pushers Blog/Podcast

Network Break 24

It’s time for the Network Break! Sit back, grab a coffee, and join us for an analysis of the latest IT news, vendor moves and new product announcements. We’ll separate the signal from the noise, or at least make some noise of our own.

by Packet Pushers Podcast at December 15, 2014 03:53 PM

Cisco IOS Hints and Tricks

Webinars in 2014, and a Quick Peek Into 2015

I promise engineers who renew their subscription 4-6 new webinars a year. It’s time to see whether I kept that promise in 2014.

TL&DR summary: it was a great year, but I still missed a few things.

Read more ...

by Ivan Pepelnjak at December 15, 2014 03:48 PM

My Etherealmind

Are SDN Controllers a Security Risk ?

No. When compared to the operation of existing networks, SDN is much more secure.

The post Are SDN Controllers a Security Risk ? appeared first on EtherealMind.

by Greg Ferro at December 15, 2014 01:32 PM

Packet Pushers Blog/Podcast

BGPSEC: Protections Offered

In my last post on the subject of BGPSEC, I explained the basic operation of the modifications to BGP itself. In this post, I’ll begin looking at some of the properties — both good and bad — of these extensions to BGP. To begin, we’ll look at the simple network illustrated here, and see what […]

Author information

Russ White

Principal Engineer at Ericsson

Russ White is a Network Architect who's scribbled a basket of books, penned a plethora of patents, written a raft of RFCs, taught a trencher of classes, and done a lot of other stuff you either already know about — or don't really care about. You can find Russ at 'net Work, the Internet Protocol Journal, and his author page on Amazon.

The post BGPSEC: Protections Offered appeared first on Packet Pushers Podcast and was written by Russ White.

by Russ White at December 15, 2014 08:00 AM


December 14, 2014

Peter's CCIE Musings and Rants

Cisco AXL Programming for fun and profit (Part 2) - Generating a class based on

Hi Guys!

Part 1 showed us the basics of AXL and gave a very brief overview of how it works. Now we are going to look at C# with Visual Studio and how we can use it to talk to AXL.

Full Disclosure: I am not 100 percent on all my programming, so I may use the wrong terminology at times. If you notice a mistake, please mention it in the comments.

We are going to use the AXL toolkit to generate a .cs file (a C# class) that includes built-in methods for all the AXL API calls available in the schema.

(Note: if you're using CUCM 10.5, I have uploaded the .cs file I generated for myself here. Feel free to use it, but be sure to read this blog post so you can see how to add the appropriate references.)

OK, probably the first thing you want to do is download the AXL Toolkit. It is found on the Plugins page in CUCM, under Applications:

Once you have downloaded it, unzip it to a directory you can easily remember.

Next, open the Visual Studio 2008 command prompt and cd to the directory where you unzipped the AXL toolkit, then go to the schema directory, then the directory for the particular version of CUCM you want your application to use.

Inside this directory you should see a file called AXLAPI.wsdl.

WSDL stands for Web Services Description Language and is used to describe the APIs available on a particular web service: things like what calls are available and what parameters are expected. Sound familiar? It sounds like our schema document. The main difference is that the WSDL is very much machine-readable, as you will see once we generate a C# class based on its contents.

OK, once you're in the directory, run this command:

wsdl.exe AXLAPI.wsdl axlsoap.xsd

This is a tool that comes with C#/.NET; it takes the AXL API description and converts it into a usable class. Lots of programming languages, like PHP, Java, etc., have tools that can read these WSDL files and generate appropriate code to interact with them.

Once you have run this command, a .cs file will be generated, but we need to modify a few aspects by hand.

Under your unzipped AXL toolkit, change to the directory client\DotNet. Inside you will find a readme.txt file that explains the changes we need to make to the .cs file before we use it in our project.

To quote the readme:

Create an ICertificatePolicy-derived class which will later be associated with our service. This class is a brute-force approach to policy and certificate management. This is necessary in AXL due to usage of HTTPS.

    public class BruteForcePolicy : System.Net.ICertificatePolicy
    {
        // Returns true for every server certificate, whatever the validation
        // problem was, so the client never checks that the HTTPS endpoint is
        // really the CUCM publisher. This is the readme's "brute-force" approach.
        public bool CheckValidationResult(System.Net.ServicePoint sp,
                System.Security.Cryptography.X509Certificates.X509Certificate cert,
                System.Net.WebRequest request, int problem)
        {
            return true;
        }
    }

To do the above, you could create a separate .cs file, or just add the class at the bottom of your AXLAPIService.cs file, which is what I did (incidentally, I am fairly sure you're not meant to do it this way; I am fairly certain you are meant to create a separate file per class. A real programmer setting me straight on this in the comments would be awesome.)

Next, you need to modify the constructor for the class itself (the constructor is what initialises the class for use in your project). Search for:

public AXLAPIService

in your .cs file, and change the method to read as such:

    public AXLAPIService(string ccmIp, string user, string password)
    {
        // Install the accept-everything certificate policy from above.
        System.Net.ServicePointManager.CertificatePolicy = new BruteForcePolicy();

        // AXL listens on the CUCM publisher's HTTPS port 8443 under /axl/.
        this.Url = "https://" + ccmIp + ":8443/axl/";
        this.Credentials = new System.Net.NetworkCredential(user, password);
    }

To fix issue C they give you a couple of options. I opt to use HTTP 1.0 as it's just plain easier, but if you are security conscious because this is going to a live environment etc., Option 3 might be your best bet.

This piece of code overrides the GetWebRequest method and implements its own version. Add this as a method in your class.

        protected override System.Net.WebRequest GetWebRequest(Uri uri)
        {
            // Take the request the generated proxy would have built and force
            // HTTP/1.0 on it before it is sent to CUCM.
            System.Net.HttpWebRequest request = base.GetWebRequest(uri) as System.Net.HttpWebRequest;
            request.ProtocolVersion = System.Net.HttpVersion.Version10;

            return request;
        }

Once this is done, save the file and create a new Windows Application in Visual Studio.

Open the Solution Explorer pane, right-click on the project and click "Add -> Existing Item".

Browse until you find the .cs file we edited earlier and add it to the project. If you now attempt to build the project, you will see lots of this error message:

"Error    5    The type or namespace name 'Services' does not exist in the namespace 'System.Web' (are you missing an assembly reference?)   "

We need to add this library as a reference. In the same right-click menu, click "Add reference", scroll until you see System.Web, add this to the project, then add

Your app should now build, but now we want to try to actually initiate our AXL connection.

Using the VS designer, add a button to the form and double-click it. This will take us to the OnClick event handler, where we will connect to AXL!

OK, let's use the code below:


            try
            {
                // Hard-coded for now: CUCM address, AXL user and password.
                AXLAPIService AXL = new AXLAPIService("", "axluser", "axlpassword");
            }
            catch (Exception AXLException)
            {
                // Show why the connection failed (wrong user/password, unreachable host, ...).
                MessageBox.Show(AXLException.Message);
            }

As you can see, I have hard-coded the AXL values for now; obviously go ahead and replace them with whatever values are appropriate for you. I have also placed this call in a try/catch statement since the user/password etc. might be incorrect.

If you can click the button without getting an error message (and because we have not threaded this application, it will take a while to respond), then you have successfully connected via AXL! Congratulations!

In Part 3 we will actually do something useful with it!

(Final note: depending on what version of the schema you are using, you might get the following error message when attempting to connect.)

As I could not work out how to fix this, and I suspect it's an issue in the WSDL file, I took out these methods and the appropriate objects since I don't expect I'll be updating softkeys with AXL any time soon. If this happens to you, you can download my .cs file here. :)

by peter_revill at December 14, 2014 08:09 PM

Cisco AXL Programming for fun and profit. (Part 1) - The basics of AXL calls and how to test.

Hi Guys!

So I have finally managed to figure out HOW to do something I have been wanting to do for ages: Interact with CUCM via AXL.

This will be a multi-part series, as several steps are involved. By the end of it I will have shown you how to make a (crappy) click-to-call application in C# with AXL!

AXL is a SOAP API that uses XML to let you perform requests on CUCM. You can do things like list phones, make calls, change voicemail pilots, run SQL commands, etc. All sorts of things! And because you can do this programmatically, you can write software to do things like always update a user's line text label or alerting name to match their LDAP configuration, or maybe use it to pull route lists, route patterns, etc. and generate documentation!

There are quite a few steps involved. Here is what you will need:

- Some sort of C# editor. I personally am using Visual Studio 2008. Yes, this is an old version, but the C# class I generated from the WSDL file (more on this later) did not seem to work with Visual Studio 2012, and I have seen a few forum posts complaining of this. So for now just know you need a C# editor of some description.

- CURL is helpful for testing. It's a command line application used for sending and receiving HTTP requests; we will use it to prove AXL is working. You might already have it on your Linux/Mac machine, and it's also available for Windows.

- A CUCM with an AXL-enabled application user. The user should have the following access role listed:

OK, before you break out the coding skills, the first thing you will want to do is test that AXL is actually working with this user. This is where CURL comes in, and in fact if you're not a C# programmer but you're desperate to get access to AXL, this is a fairly easy way to send requests to CUCM. You could even use it with Perl, etc.

So with that in mind, open a text editor and write the following:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="http://www.cisco.com/AXL/API/8.5">
   <soapenv:Header/>
   <soapenv:Body>
      <ns:executeSQLQuery sequence="?">
         <sql>Select name from device where tkclass = 1</sql>
      </ns:executeSQLQuery>
   </soapenv:Body>
</soapenv:Envelope>
Save this as whatever file name you like; in this example the file is called request.xml.

Next, we execute this request on the command line, replacing Administrator with your AXL user's username, request.xml with whatever you named the file, and of course the CUCM IP address:

 curl -k -u Administrator -H "Content-type: text/xml;" -H "SOAPAction: CUCM:DB ver=8.5" -d @request.xml https://[CCM-IP-ADDRESS]:8443/axl/

This is also a great way to test AXL if you're ever setting up something like Unity or ARC that requires AXL access.

OK, So AXL is ready to go! Let's talk more about AXL, XML and SOAP in general.

(Full disclosure: I am a network engineer with only a reasonable grasp on programming. I am positive there are plenty of things below that are just plain wrong. If you notice something, please point it out in the comments!)

The first part you probably noticed in the SOAP request is this:

<ns:executeSQLQuery sequence="?"> <sql>Select name from device where tkclass = 1</sql> </ns:executeSQLQuery>

If you were an HTML programmer, you might look at that and think: where do they get those particular elements from? The answer is the namespace, which is declared at the top of the SOAP envelope:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="http://www.cisco.com/AXL/API/8.5">

This namespace defines the tags you can use when sending your SOAP requests; these tags are essentially the API. Some API calls have mandatory elements/tags. For example,

<ns:executeSQLQuery sequence="?"></ns:executeSQLQuery>

must have the <sql> tag included so it knows what SQL command to execute!

This raises an obvious question: how do I know what tags are available?

The schema document available from Cisco can tell you this, and tells you what parameters are required, what parameters are returned, etc. The latest schema can be found here:

The schema and the parameters, just like the tables inside the CUCM database, will obviously change with each version. Confusingly, although your header may say version 8.5, you will have new tags that you can only use with the latest versions of CUCM. For the sake of learning, let's take a look at the runsql tag:
As you can see, this diagram shows the parameters required for the API call; the schema helps you realise what parameters you might need.

In our example, where we have just been using CURL, the AXL API will give us a response in XML format that looks something like this:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <ns:executeSQLQueryResponse xmlns:ns="http://www.cisco.com/AXL/API/8.5">
      <return>
        <row><name>Sample Device Template with TAG usage examples</name></row>
        <row><name>Auto-registration Template</name></row>
        <row><name>SEP0019D2C92685</name></row>
        <row><name>SEPAAABBBDDDCCC</name></row>
        <row><name>SEP08D09F9FE80D</name></row>
        <row><name>IPC_PREVILL</name></row>
        <row><name>ipc_test</name></row>
      </return>
    </ns:executeSQLQueryResponse>
  </soapenv:Body>
</soapenv:Envelope>



The response follows the same rules as the request you made: the namespace tells you what each of the elements means. Now that we have a brief introduction to AXL and a brief explanation of how to use CURL to get used to the idea of performing AXL calls, let's get started on Part 2.
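As an added example (not code from Peter's post), here is the same executeSQLQuery exchange done from Python instead of curl: one function builds the envelope shown above, one parses the rows out of the reply, and one posts the request over HTTPS while actually verifying the CUCM certificate, which the `curl -k` flag in the post skips. It assumes the AXL 8.5 namespace http://www.cisco.com/AXL/API/8.5 (matching the `ver=8.5` SOAPAction in the post) and the standard SOAP 1.1 envelope namespace; the sample replies, including the device names and the fault text, are constructed for the example and not taken from a real cluster.

```python
"""Build an AXL executeSQLQuery request and parse the reply, offline.

Added example (not code from the original post). It assumes the AXL 8.5
namespace http://www.cisco.com/AXL/API/8.5, matching the "ver=8.5" in the
post's curl SOAPAction header, and the standard SOAP 1.1 envelope namespace.
"""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
AXL_NS = "http://www.cisco.com/AXL/API/8.5"


def build_execute_sql_query(sql):
    """Return the serialised SOAP envelope for an AXL executeSQLQuery call.

    The statement goes in as element text, so ElementTree escapes <, > and &
    and the XML stays well-formed whatever the query contains. AXL will run
    the statement against the CUCM database, so only send queries you wrote.
    """
    ET.register_namespace("soapenv", SOAP_NS)
    ET.register_namespace("ns", AXL_NS)
    envelope = ET.Element("{%s}Envelope" % SOAP_NS)
    ET.SubElement(envelope, "{%s}Header" % SOAP_NS)
    body = ET.SubElement(envelope, "{%s}Body" % SOAP_NS)
    query = ET.SubElement(body, "{%s}executeSQLQuery" % AXL_NS, sequence="?")
    ET.SubElement(query, "sql").text = sql
    return ET.tostring(envelope, encoding="utf-8")


def parse_sql_query_response(xml_bytes):
    """Return the <row> elements of an executeSQLQueryResponse as dicts.

    A SOAP Fault (bad credentials, rejected SQL, ...) raises ValueError so a
    caller never mistakes an error reply for "the query returned no rows".
    """
    root = ET.fromstring(xml_bytes)
    fault = root.find(".//{%s}Fault" % SOAP_NS)
    if fault is not None:
        raise ValueError("AXL returned a SOAP fault: "
                         + fault.findtext("faultstring", default="(no faultstring)"))
    # <return> and <row> carry no namespace prefix in the reply shown above.
    return [{child.tag: (child.text or "") for child in row}
            for row in root.iter("row")]


def send_axl_request(ccm_host, user, password, envelope, cafile, timeout=30):
    """POST an envelope to https://<ccm_host>:8443/axl/ and return the reply.

    Unlike "curl -k", this verifies the CUCM certificate against the CA
    bundle in cafile, so credentials are not sent to an impostor host.
    Needs network access; the offline checks below do not call it.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    auth = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = urllib.request.Request(
        "https://%s:8443/axl/" % ccm_host, data=envelope, method="POST",
        headers={"Content-Type": "text/xml;", "SOAPAction": "CUCM:DB ver=8.5",
                 "Authorization": "Basic " + auth})
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read()


# Constructed sample replies shaped like the one in the post; the device
# names and the fault text are made up, not taken from a real cluster.
SAMPLE_RESPONSE = b"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body><ns:executeSQLQueryResponse xmlns:ns="http://www.cisco.com/AXL/API/8.5">
<return>
<row><name>Auto-registration Template</name></row>
<row><name>SEP000000000001</name></row>
<row><name>SEP000000000002</name></row>
</return></ns:executeSQLQueryResponse></soapenv:Body></soapenv:Envelope>"""

SAMPLE_FAULT = b"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body><soapenv:Fault><faultcode>soapenv:Client</faultcode>
<faultstring>Authentication failed</faultstring></soapenv:Fault></soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    print(build_execute_sql_query("Select name from device where tkclass = 1").decode())
    for row in parse_sql_query_response(SAMPLE_RESPONSE):
        print(row["name"])
```

To run it against a real cluster you would pass the envelope from `build_execute_sql_query` to `send_axl_request` with the CA certificate that signed the CUCM Tomcat certificate, then feed the bytes it returns to `parse_sql_query_response`.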

by peter_revill at December 14, 2014 07:01 PM

Cisco IOS Hints and Tricks

L2VPN over IPv6 with Snabb Switch on Software Gone Wild

Highly customizable high-speed virtual switch written in Lua sounds great, but is it really that easy to use? Simon Leinen was kind enough to get me in touch with Alex Gall, his colleague at Switch, who's working on an interesting project: implementing L2VPN over IPv6 with Snabb Switch.

Read more ...

by Ivan Pepelnjak at December 14, 2014 07:47 AM

December 12, 2014

Networking Now (Juniper Blog)

The Impending FIPS 140-2, Random Number Generator Crisis

In just over a year, your FIPS 140-2 cryptographic module may lose its certification

by bshelton at December 12, 2014 10:48 PM

My Etherealmind

The End of Fixed Voice

IP Telephony is an end stage market. Here is why.

The post The End of Fixed Voice appeared first on EtherealMind.

by Greg Ferro at December 12, 2014 06:00 PM

Internets of Interest – 12 December 2014

Collection of useful, relevant or just fun places on the Internets for 12 December 2014 and a bit commentary about what I've found interesting about them:

The post Internets of Interest – 12 December 2014 appeared first on EtherealMind.

by Greg Ferro at December 12, 2014 04:00 PM


December 11, 2014

Packet Pushers Blog/Podcast

Show 216 – HP & SDN In The Campus – Sponsored

At HP Discover Barcelona 2014, the Packet Pushers had the chance to chat with Heather Giovanni, Craig Mills, and Chris Young about the HP 5400R and SDN in the campus. HP has a full line of switches and routers that some know about, and some just haven’t yet explored. The 5400R is a multi-slot chassis offering an array of blade choices, including switch ports and an x86 blade running a hypervisor such as VMware’s vSphere. That allows the single 5400R chassis to be a branch-in-a-box solution, or a way to hang interesting network services right off of the chassis backplane.

The 5400R is also interesting in that HP is positioning it, in part, for software defined networking (SDN) in the campus. SDN in the campus doesn’t get much air time - SDN in the data center gets much more of the attention. But for enterprises, SDN in the campus represents some interesting opportunities. Starting with SDN in the campus, say between buildings or major network segments, is less risky than SDN in the data center. The “blast radius” if something goes wrong is a bit smaller. Data center issues tend to affect everyone, while segmented campus networks offer naturally isolated boundaries. The idea here is to start with SDN in the campus, sort out what works and what doesn’t work, and then start rolling out the winning SDN features into the data center as a known quantity.

There are several use-cases for SDN in the campus that have emerged.

  • Policy management. The word “policy” might be the next overused IT buzzword, right up there with “cloud.” But, the notion of policy is important. In a real world network engineering sense, policy is the idea of both knowing who is using the network and what they are allowed to do when connected. “Who” could mean a person, but could also mean an application. In the context of switching, an application that is used to define policy translates the wishes of a business into access lists, forwarding paths, and access controls. Therefore, policy is enforced for a traffic flow through the network because of the way the switch has been programmed to manage them. In HP’s case, this is done using OpenFlow.
  • Security. One obvious application of policy is security. How is this traffic behaving? Does this traffic match a particular pattern that suggests malware or other risky influence? Then direct those specific traffic flows to areas of the network where they can do no harm, or perhaps be examined in more detail.
  • Programmatic identity control. What is this device that’s connected to the network, and who is using it? Those are the big questions behind identity control. Knowing what a device is, what software that device is running, and who the user is accessing the network through that device is data that can drive what can be accessed on the network by traffic originating from that device.

A natural question that comes up in the mind of network engineers around SDN as related to policy is how, exactly, is the security enforced by a switch? We’ve talked a lot about OpenFlow on Packet Pushers over the last few years, so you might have heard that OF as originally deployed had a scaling problem. Many thought OF would be a replacement for traditional packet forwarding methods, replacing OSPF, BGP, spanning-tree, etc. The challenge comes in trying to manage network flows in hardware across a data center. If using TCAM to program specific flow entries, a common ASIC limitation was roughly 8K entries - not very many in a data center of any size. While several strategies exist to deal with this issue, HP’s solution is what they call hybrid SDN. The idea of hybrid SDN is to place a single OpenFlow entry at the top of the list that matches all flows, and instructs the switch to process the flow "normally." That is to say, forward the flow using the protocols networks have been using for years. Out of the gate, that’s the behavior of an HP switch running in OF mode. All traffic matches this global wildcard OF entry,
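To make the hybrid SDN idea concrete, here is an added toy flow table in Python (not code from the show or from any HP product) that behaves like an OpenFlow table: the highest-priority matching entry wins, and a lowest-priority wildcard entry hands everything else to the conventional forwarding pipeline. The two policy entries, the flagged source address and the TCAM budget are constructed illustrations of the policy and security use cases described above; the point it shows is that a whole campus policy costs a handful of TCAM entries rather than one entry per flow.

```python
"""Toy OpenFlow-style table showing the "hybrid SDN" pattern described above.

Added example, not code from the show or any HP product. Match fields,
actions, the packet shape and the TCAM budget are simplifications.
"""
from dataclasses import dataclass, field

TCAM_BUDGET = 8192  # rough per-ASIC flow-entry limit quoted in the show notes


@dataclass
class FlowEntry:
    priority: int
    action: str                                 # "NORMAL", "DROP" or "OUTPUT:<port>"
    match: dict = field(default_factory=dict)   # exact-match fields; missing = wildcard

    def matches(self, packet):
        # Every field named in the match must equal the packet's value; an
        # entry with no fields is a wildcard that matches every packet.
        return all(packet.get(k) == v for k, v in self.match.items())


class HybridFlowTable:
    """Highest-priority matching entry wins, as in an OpenFlow flow table."""

    def __init__(self):
        # The lowest-priority entry matches everything and hands the packet to
        # the conventional L2/L3 pipeline, so the switch keeps forwarding with
        # OSPF/BGP/spanning-tree while OpenFlow holds only the exceptions.
        self.entries = [FlowEntry(priority=0, action="NORMAL")]

    def add(self, entry):
        if len(self.entries) >= TCAM_BUDGET:
            raise RuntimeError("flow table full: %d entries" % TCAM_BUDGET)
        self.entries.append(entry)
        self.entries.sort(key=lambda e: e.priority, reverse=True)

    def lookup(self, packet):
        for entry in self.entries:
            if entry.matches(packet):
                return entry.action
        raise AssertionError("unreachable: the wildcard entry matches everything")


def build_campus_policy():
    """Two policy entries on top of the wildcard: a quarantine and a block."""
    table = HybridFlowTable()
    # Host flagged by the security tooling (constructed address): steer all of
    # its traffic to an inspection port instead of forwarding it normally.
    table.add(FlowEntry(priority=100, action="OUTPUT:inspect",
                        match={"src_ip": "10.20.30.40"}))
    # Telnet is not allowed anywhere on the campus: drop it.
    table.add(FlowEntry(priority=50, action="DROP",
                        match={"proto": "tcp", "dst_port": 23}))
    return table


if __name__ == "__main__":
    t = build_campus_policy()
    print(t.lookup({"src_ip": "10.20.30.1", "proto": "tcp", "dst_port": 443}))   # NORMAL
    print(t.lookup({"src_ip": "10.20.30.40", "proto": "tcp", "dst_port": 443}))  # OUTPUT:inspect
    print(t.lookup({"src_ip": "10.20.30.1", "proto": "tcp", "dst_port": 23}))    # DROP
    print(len(t.entries), "entries in use")                                      # 3
```

Because the flagged host's entry outranks the telnet block, a telnet flow from that host is steered to inspection rather than silently dropped, which is the ordering you usually want when a host is under investigation; swap the priorities if blocking should win.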

by Packet Pushers Podcast at December 11, 2014 04:30 PM

Cisco IOS Hints and Tricks

Facebook Next-Generation Fabric

Facebook published their next-generation data center architecture a few weeks ago, resulting in the expected “revolutionary approach to data center fabrics” echoes from the industry press and blogosphere.

In reality, they did a great engineering job using an interesting twist on pretty traditional multi-stage leaf-and-spine (or folded Clos) architecture.

Read more ...

by Ivan Pepelnjak at December 11, 2014 04:09 PM

Potaroo blog

The Resolvers We Use

The theme of a workshop held at the start of December 2014 in Hong Kong was the consideration of further scaling of the root server system, and the 1½-day workshop was scoped as a consideration of approaches beyond the default activity of adding further anycast instances of the existing 13 root server anycast constellations. This was a workshop operating on at least three levels. Firstly, there was the overt agenda of working through a number of proposed approaches that could improve the services provided by the DNS root service. The second was an unspoken agenda concerned with protecting the DNS from potential national measures that would “fragment” the DNS name space into a number of spaces, which includes, but is by no means limited to, the DNS blocking activities that occur at national levels. The third level, and an even less acknowledged agenda, is that there are various groups who want to claim a seat at the Root Server table.

December 11, 2014 03:15 AM

December 10, 2014

Packet Pushers Blog/Podcast

Community Podcast: 8xCCIE Neil Moore and Orhan Ergun – CCIE Preparation

Orhan Ergun and Neil Moore talk about CCIE preparation. Neil Moore has 8xCCIE, which makes him the first and only 8xCCIE in the world. Orhan Ergun has CCIE and CCDE, and they both share their experiences.

by Orhan Ergun at December 10, 2014 06:00 PM

4 Inevitable Questions When Joining a Monitoring Group, Pt.3

Leon Adato, Technical Product Marketing Manager with SolarWinds is our guest blogger today, with a sponsored post — the third in a four-part series on the topic of alerting. In the last two posts in this series, I described two of the four (ok, really five) questions that monitoring professionals are frequently asked: Why did […]

Author information

Sponsored Blog Posts

The Packet Pushers work with our vendors to present a limited number of sponsored blog posts to our community. This is one. If you're a vendor and think you have some blog content you'd like to sponsor, contact us via

The post 4 Inevitable Questions When Joining a Monitoring Group, Pt.3 appeared first on Packet Pushers Podcast and was written by Sponsored Blog Posts.

by Sponsored Blog Posts at December 10, 2014 04:30 PM

Cisco IOS Hints and Tricks

Performance Tests and Out-of-Box Performance

Simonp made a perfectly valid point in a comment to my latest OVS blog post:

Obviously the page you're referring to is a quick-and-dirty benchmark. If you wanted the optimal numbers, you would have to tune quite a few parameters just like for hardware benchmarks (sysctl kernel parameters, Jumbo frames, ...).

While he’s absolutely right, this is not the performance data a typical user should be looking for.

Read more ...

by Ivan Pepelnjak at December 10, 2014 09:39 AM

Networking Now (Juniper Blog)

December 2014 Microsoft Patch Tuesday Summary

It’s Microsoft Patch Tuesday! In the December edition there are 7 updates; three are marked "Critical" and four are rated "Important". A total of 25 vulnerabilities were fixed over 7 bulletins this month. One of the Critical updates, MS14-080, is an all-version Internet Explorer (IE 6 to 11) patch. This single update resolves 14 CVEs (Common Vulnerabilities and Exposures).


Here is a list of Security bulletins which were rolled out in today's Patch Tuesday release.

by atyagi at December 10, 2014 07:10 AM

Packet Pushers Blog/Podcast

RPKI: BGP Security Hampered by a Legal Agreement

Resource Public Key Infrastructure (RPKI) is a relatively new standard for establishing BGP route origination. I wrote a brief introductory article here. Apologies  for the self-promotion, but rather than rehash the basics here, I raise another issue that needs community attention: ARIN’s Relying Party Agreement (RPA: PDF link). Having said that, some basics are needed. […]

Author information

Andrew Gallo

Senior Information Systems Engineer

Andrew Gallo is a Washington, DC based Senior Information Systems Engineer and Network Architect, responsible for design and implementation of the enterprise network for a large university.

Areas of specialization include the University's wide area connections, including a 150 kilometer DWDM ring, designing a multicampus routing policy, and business continuity planning for two online datacenters.

Andrew started during the internet upswing of the mid to late 90s installing and terminating fiber. As his career progressed, he has had experience with technologies from FDDI to ATM, and all speeds of Ethernet, including a recent deployment of several metro area 100Gbps circuits.

Focusing not only on data networks, Andrew has experience in traditional TDM voice, VoIP, and real-time, unified collaboration technologies.

Areas of interest include optical transport, network virtualization and software defined networking, and network science and graph theory.

The post RPKI: BGP Security Hampered by a Legal Agreement appeared first on Packet Pushers Podcast and was written by Andrew Gallo.

by Andrew Gallo at December 10, 2014 01:15 AM


December 09, 2014

The Networking Nerd

Vendor Whitebox Switches – Better Together?


Whitebox switching has moved past the realm of original device manufacturers and has been taken up by traditional networking vendors. Andre Kindness (@AndreKindness) of Forrester recently posted that he fields several calls from his customers every day asking about a particular vendor’s approach to whitebox switching. But what do these vendor offerings look like? And can we predict how a given vendor will address the whitebox market?

Chocolate In My Peanut Butter

Dell was one of the first traditional networking vendors to announce a whitebox switch offering that decoupled the operating system from the switching hardware. Dell offered packages from Cumulus Linux and Big Switch Networks alongside their PowerConnect lineup. This makes sense when you consider that the operating system on the switch has never been the strong suit of Dell. The PowerConnect OS is not very popular with network engineers, being very dissimilar from more popular CLIs such as Cisco IOS and its look-alikes.  Their attempts to capitalize on the popularity of Force Ten OS (FTOS) and adapt it for use on PowerConnect switches have been difficult at best, due to the divide between the hardware architectures of the two platforms.

What Dell is very good at is offering hardware at a greatly reduced cost. By utilizing this strength, they can enter the whitebox market successfully by partnering with OS vendors to provide customer options. This also gives them time to adapt FTOS to more switches and attempt to drive acquisition costs down once the port of FTOS to PowerConnect is complete.

Peanut Butter In My Chocolate

What happens when a vendor sees software as their strength? You get an announcement like the one last week from Juniper Networks. Juniper has put a significant amount of time and effort into Junos. The FreeBSD base of the system gives it the adaptability that Cumulus enjoys. Since Juniper sees Junos as a huge advantage, their path to whitebox switching was to offer hardware that reduces the acquisition cost. Porting Junos to run on the OCP-based OCX1100 allows Juniper to use silicon that is more in line with merchant offering price points. The value to the customer comes from existing experience with Junos allowing for reduced learning time on the new platform.

So how will the rest of the market adopt whitebox switching offerings? HP will likely go the same route as Dell, as their software picture is murky with products split evenly between HP Procurve OS and 3Com/H3C Comware. HP has existing silicon manufacturing facilities that allow for economy of scale to reduce acquisition costs to the customer. Conversely, Brocade will likely leverage existing Vyatta development and investment in projects like OpenDaylight to standardize their whitebox offerings on software while offering OCP-style hardware platforms.

The 800-pound Whitebox Gorilla

And what of Cisco? Cisco has invested significant time and effort into both hardware and software. IOS is being renovated with API access and being ported into containers to broaden the platforms on which it can operate. The Cisco investment in custom silicon development is significant as well, with only the Nexus 3000 and 9000 series using merchant offerings from Broadcom. Their eventual whitebox offering could take any form.

Cisco feels very strongly about keeping IOS and its variants exclusive to Cisco hardware. Given that they sued Arista Networks late last week for patent infringement in EOS, it should be apparent how strongly they feel about IOS. That will be the impetus that pushes them to offer some limited custom silicon that is capable of running third-party operating systems. This allows Cisco to partner closely with one of those developers to ensure peak performance and tight integration with whatever hardware Cisco includes. They would likely offer this platform with a bundle of SmartNET support services, recouping the costs of producing the switch with some very high-margin services.

The possibility of porting IOS to an OCP-like reference platform is remote at best. A whitebox IOS offering would still carry a high price tag to reflect Cisco R&D and would be priced well above what customers would be willing to pay in total acquisition cost. It would also open the door for someone to “port” that version of IOS to run on platforms that it shouldn’t be running on. At the very least, it would expose Cisco in the market as having too high a price tag on their intellectual property in IOS and give competitors like Juniper and Big Switch ammunition to fight back.

Tom’s Take

When evaluating vendor whitebox offerings, be sure your assessment of their strengths matches theirs. Wide adoption of a given strategy will solidify that approach in the future. Be sure to give feedback to your local account teams and tell them the critical features you need to be supported. That will ensure the vendor has you in mind when the time comes to produce a whitebox offering. And remember that you always have the option of going your own way. Nothing says that you have to buy a solution with bundled services from traditional networking vendors. If you’re willing to fly without a safety net for a while, you can find some great deals on ODM switches and OSes to run on them.

by networkingnerd at December 09, 2014 04:04 PM

Cisco IOS Hints and Tricks