January 16, 2017

Network Design and Architecture

Keeping the Cisco CCDE exam secure !

One of the most important things about the CCDE exam is security. We all think that it is secure, that it cannot be cheated. There is no CCDE dump. We all believe that. The CCDE exam has been around for more than 8 years and there are still fewer than 400 people in the world. It seems […]

The post Keeping the Cisco CCDE exam secure ! appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

by Orhan Ergun at January 16, 2017 08:08 AM

ipSpace.net Blog (Ivan Pepelnjak)

Worth Reading: the Mythical Man-Month

I was discussing a totally unrelated topic with Terry Slattery when he mentioned a quote from the Mythical Man-Month. It got me curious, I started exploring and found out I can get the book as part of my Safari subscription.

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at January 16, 2017 07:39 AM


January 15, 2017

My Etherealmind

Arris in bid for Brocade network unit: sources | Reuters

Arris wants to buy the Ruckus wireless business.

Arris is looking to buy Brocade’s network edge business, which is the most valuable of the assets being sold, according to the sources. Arris is not in talks to buy other parts of the business being divested by Brocade that include data centers, switching and software, the sources added.

Apparently talks to buy other parts of the business in whole or part are not working out.

Broadcom had divided up Brocade’s divestiture into three pieces after an earlier deal to sell the whole business to a private equity firm fell apart late last year, according to the sources. A private equity firm could still step up to buy all three pieces, the people said.

Arris in bid for Brocade network unit: sources | Reuters

The post Arris in bid for Brocade network unit: sources | Reuters appeared first on EtherealMind.

by Greg Ferro at January 15, 2017 03:36 PM

Response: Codec 2 700C | Rowetel

Acceptable quality open source voice codec in 700 bps

My endeavor to produce a digital voice mode that competes with SSB continues. For a big chunk of 2016 I took a break from this work as I was gainfully employed on a commercial HF modem project. However since December I have once again been working on a 700 bit/s codec. The goal is voice quality roughly the same as the current 1300 bit/s mode. This can then be mated with the coherent PSK modem, and possibly the 4FSK modem for trials over HF channels.

Codec 2 700C | Rowetel

The post Response: Codec 2 700C | Rowetel appeared first on EtherealMind.

by Greg Ferro at January 15, 2017 03:33 PM

Response: Site Reliability Engineering – Medium

Four rules for SRE:

  1. Always Know When It’s Broken
  2. Avoid Global Changes
  3. Moving Traffic Is Faster Than Fixing
  4. Make Your Mitigations Normal

Good rules; I can’t argue with these as a starting point. The devil is in the detail of all of them, and Enterprise IT does none of them.

Site Reliability Engineering – Medium:

The post Response: Site Reliability Engineering – Medium appeared first on EtherealMind.

by Greg Ferro at January 15, 2017 02:21 AM

January 14, 2017

Ethan Banks on Technology

Ubiquiti EdgeRouter Lite ERLite-3 Board Detail

I ran a Ubiquiti Edge Router Lite as my home firewall for a couple of years. The box had a nice GUI with CLI option, and had no problem keeping up with my > 100Mbps Internet connection. The box died after a lengthy power failure that drained the large UPS buffering electrons in my basement equipment rack.

I’m not sure what happened to the ERLite-3, but it’s as dead as the bird in the Python parrot sketch. The firewall appears to boot. The lights come on, etc. However, the box passes no traffic and responds to no ARP requests. I can get no serial console output from it. I even tried a full factory reset, to no effect.

Until its early death, the little firewall had a trouble-free two year run. For $99 spent according to my Amazon order history, I don’t feel too badly about the loss.

Before throwing it in the bin, I decided to open it up and take a look at the mainboard. Here’s a notated picture for you. Enjoy.


UPDATES

  1. My thanks to @williamhulley for correcting the first version of this diagram.
  2. @Brownout suggests that the firewall might have bricked due to a problem with the USB key. “Usually it’s the USB key, there’s a procedure on the forums to reinstall EdgeOS on a new one.”

I exercised my google-fu based on Brownout’s input, and came up with this link, “EdgeMax rescue kit (now you can reinstall EdgeOS from scratch).” Seems promising if you want to try to rescue your ERLite!

by Ethan Banks at January 14, 2017 08:05 PM

Network Design and Architecture

Packet loss with Fast Reroute

Do we still lose packets with fast reroute? One of my students asked me this question, and I would like to share the answer with everyone. Before we discuss whether or not we lose packets with fast reroute mechanisms, let’s remember what fast reroute is. It is pertinent to know […]

The post Packet loss with Fast Reroute appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

by Orhan Ergun at January 14, 2017 10:25 AM

January 13, 2017

Ethan Banks on Technology

Stumbling And Fumbling Into Video Blogging

I’m used to writing and to podcasting. I know what the content creation and publication process looks like for written and audio media. The increasing popularity of video has had me and my business partner scratching our heads, wondering how we can best leverage the medium. Or if we even should.

And so, we’ve begun our video adventure the way we’ve always done things. Just go for it. Try it. Hit publish. It won’t be perfect, but that’s okay. Learn and improve.

My first video was a good bit of work, taking roughly eight hours to write, shoot, produce, and publish a ten minute video covering some tech industry news. That’s not scalable, but it was a learning experience. Here was my process.

Write

I get press releases from dozens of marketers and public relations firms, usually several per day. I chose some that I thought folks might be interested in. And then I wrote copy. I know from past projects that many written words translate to many spoken minutes. You have to keep copy tight if you’re writing to a time limit.

I managed to do that, writing just under a thousand words of copy. I did ad lib a bit, but overall, I didn’t stray far from the copy. In fact, you can watch the video and track the words here if you want to see just how close I kept it.

There’s a point of reference for you. A thousand words of copy plus a bit of ad-lib resulted in ten minutes of video.

Shoot

I shot with a green screen background I’ve rigged up in my office. It’s not great, but it is good enough. In the actual shoot, the screen was hanging with no tension. I’m adding clips to give the screen a stretch so that there will be a flatter result that will light more evenly. I need more clips. If you see the right top clip, you see the wrinkle formed. More clips will help.

The point of the green screen is to allow me to insert whatever background I want to in its place. This is easily accomplished with Final Cut Pro X, my video editing tool.

I shot in 4K at 30fps using an iPhone 6S+. I’m only going to publish in 1080p, but shooting in 4K means I can crop, use the highest res graphics possible, etc. and minimize loss of image quality when rendering to 1080p.

I use the same principle when recording audio. I usually record podcasts at 48kHz/24-bit mono for what will ultimately be a 64Kbps mono MP3 when distributed – more bits to work with in editing means plug-ins have more zeros and ones to act on, and presumably makes for a better end result.

I don’t have a good lighting solution yet. For this shoot, I lit my face with a diffused LED panel lamp with a mix of cold and warm LEDs. The light was mounted straight ahead of me. The nature of my office means that I also have a strong side light coming from the south-facing window during the day. In the video, this ended up casting a shadow on the left side of the video behind my head. It looked a little strange. You can see the side-lighting in the green screen shot above as well.

In any case, I need more lighting in the right places to fill shadow behind me. My office is small, so I’m looking into how I can get this done without filling what little floor space I have with box lights, etc. But, box lights might be where I end up anyway.

Another issue in the video is that I’m looking off-camera to read copy. That leaves the video feeling disconnected. However, there are many teleprompter solutions available. Teleprompters like the ones I’m researching use beamsplitter glass. This special glass acts as a mirror for the teleprompter text, while at the same time allowing the camera to shoot you, but not see the text.

Thus, with the right teleprompter, I can read my copy while looking straight into the camera. I’ve done some video work in the past for a large media company using a teleprompter. I know it would work well for me.

Image from Caddie Buddy, one of the teleprompter solutions I’m looking into. Great reviews and a low price. Of course, I need a tablet…

Produce

I produced the video with Apple’s Final Cut Pro X running on a loaded iMac Retina 5K model with 32GB of RAM and an Intel Core i7 running at 4 GHz. Sounds like a beast of a machine, eh? Sigh. Not so much. I wish I had more cores, or maybe a Mac Pro. Video rendering (the part you do when you’re done editing the video) takes a long time.

I won’t go into the specifics of FCPX here. If you care about that, go to YouTube and search. The sheer volume of FCPX instructional videos borders on profligate. I will summarize the tools I used, however.

  • Titles for lower thirds, plus a date in the upper left hand corner.
  • Several transforms to move my headshot off-center, to size and place graphics, etc.
  • Video animation with compositing opacity so that graphics would fade in and out instead of suddenly appearing and disappearing.
  • Chroma keying to make the green screen disappear.
  • Secondary audio track inserted, with primary audio track muted. I used the audio from the lapel mic you see in the shot instead of the audio captured by the iPhone.

Another thing I didn’t do that I wish I had done was use a visual flag to signal each segment. That meant I had to go through the entire video carefully to insert the graphics and lower thirds in the right spot.

This was my first project using a Contour ShuttleXpress, a USB rotary dial that makes getting to just the right spot in the video much easier. I use it with my left hand and a trackpad with my right.

Much of my time spent in editing the video was in simply figuring out how to get around in FCPX. For example, if you’ve never done chroma keying, you have to watch a video that explains it to you. It’s not hard, but you won’t figure it out just by clicking around if you’re a video editing n00b.

I found this to be a pattern with every FCPX tool — the first time out will take a while. For instance, using transforms drove me a little nuts, because I couldn’t grok how to get the handles to appear consistently on the object I was manipulating. Then I figured out to click on the Transform tool itself when the handles weren’t showing up, and I stopped losing minutes fumbling around in confusion.

The last thing I did when done stumbling and fumbling with FCPX was to add a brief top and tail. Both were the same video clip — a pre-rendered video my business partner made with Apple Motion.

Final rendering takes an enormous amount of time. Every added effect, every title, every graphic, etc. all has to be turned into video frames. FCPX renders in the background constantly with spare CPU cycles, but even so, the final render took dozens of minutes with my iMac cooling fans whirring away.

Publish

First time out, I rendered from FCPX directly into YouTube. Once FCPX is authorized to use your account, you can set YouTube as a sharing target.

I learned a couple of important things about YouTube.

  1. YouTube is going to render in its own way what you upload. This takes a while. You aren’t simply “uploading a video to YouTube.” The process is more involved.
  2. While YouTube is working on your video, the video will only be available at 360p. This is a brief, temporary situation.

The 360p issue was a surprise. I reacted by deleting what I thought were 360p renders, assuming I’d done something wrong that resulted in 360p, and not 1080p. But, the only mistake I made was not waiting long enough. After just a few minutes, the video was available in a variety of resolutions up to 1080p.

However, since I didn’t know about this “360p at first” issue, I deleted my first video. Then I re-rendered the video locally at 1080p, watched it to be sure it was what I expected, and then uploaded that to YouTube, only to have the same 360p result. I executed some google-fu, discovered my blunder, waited, and then the glory of 1080p washed over me.

The next time…

  • I need to sort out a teleprompter. I have a plan.
  • I need to improve lighting. I have a plan here as well.
  • I will flag the end of segments with a piece of colored construction paper, then edit those bits out.
  • Video editing & publication will go much faster. I learned a lot during the initial round of n00bery.

by Ethan Banks at January 13, 2017 05:44 PM

Network Design and Architecture

Is LISP (Locator Identity Separation Protocol) Dead?

Today, there are many networking technologies which haven’t been widely deployed. Among them are Internet Multicast and IPv6, although these two protocols have many benefits. But probably people are asking the correct question: do we really need a new protocol? Or can we solve our problem with the existing mechanisms deployed on our […]

The post Is LISP (Locator Identity Separation Protocol) Dead? appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

by Orhan Ergun at January 13, 2017 04:56 PM

ipSpace.net Blog (Ivan Pepelnjak)

VXLAN Ping and Traceroute

From the moment Cisco and VMware announced VXLAN, some networking engineers complained that they'd lose visibility into the end-to-end path. It took a long while, but finally the troubleshooting tools started appearing in VXLAN environments: the NVO3 working group defined a Fault Management framework for overlay networks, and Cisco implemented at least parts of it in recent Nexus OS releases.

You'll find more details in Software Gone Wild Episode 69 recorded with Lukas Krattiger in November 2016 (you can also watch VXLAN Technical Deep Dive webinar to learn more about VXLAN).

by Ivan Pepelnjak (noreply@blogger.com) at January 13, 2017 11:58 AM

My Etherealmind

Response: Introducing Open/R — a new modular routing platform | Engineering Blog | Facebook Code | Facebook

Although this post is from May 2016, Petr Lapukhov at Facebook outlines a method to replace routing protocols with a message bus to enable real network applications.

I’m doubtful that wider networking market would adopt something that doesn’t have BGP in the solution but Facebook has the resources to develop something like this and prove that it works. That could change perceptions. In any case, thought provoking reading.

Introducing Open/R — a new modular routing platform | Engineering Blog | Facebook Code | Facebook: “The Open/R software enables rapid prototyping and deployment of new applications to the network much more frequently than the industry’s standard development process. To create an interoperable standard, the industry’s process is often lengthy due to code being built independently by multiple vendors and then slowly deployed to their customer networks. Furthermore, every vendor has to accommodate for the demands of numerous customers — complicating the development process and requiring features that are not always useful universally.”

The post Response: Introducing Open/R — a new modular routing platform | Engineering Blog | Facebook Code | Facebook appeared first on EtherealMind.

by Greg Ferro at January 13, 2017 10:11 AM

Response: Coming soon with Cumulus Linux 3.2: EVPN

I am increasingly coming to the view that BGP-EVPN is a big deal. Neither vendors nor customers can imagine their networks without a 30 year old routing protocol, so this is the half-pregnant, half-arsed solution that seems likely to gain widespread adoption.

You can mangle BGP configuration with an application and call it SDN. Heck, IXPs have been doing that for a decade, so it’s not new.

Welcome to networking, where “it’s not new” is the byline for SDN.

Coming soon with Cumulus Linux 3.2: EVPN – Cumulus Networks Blog: “Can you summarize the benefits of deploying EVPN?

Cumulus EVPN provides many benefits to a data center, including:

Controller-less VXLAN: No controller is needed with EVPN, as it enables VTEP peer discovery through BGP.
Scale and Robustness: EVPN uses the standard BGP routing protocol for the control plane. BGP is a mature well-known protocol that powers the internet. For data centers that already run BGP, this involves just adding another address-family.
Fast convergence/mobility: The BGP EVPN address family includes features to track host moves across the datacenter, allowing for very fast convergence.
Multi-vendor interoperable: Since EVPN is a standard, it will be interoperable with other vendors that adhere to the standard.
Support for Active/Active VxLAN: Cumulus EVPN supports host redundancy to switch pairs with an MLAG configuration.
Multi-tenancy: Cumulus EVPN supports VXLAN tunnel separation”

The post Response: Coming soon with Cumulus Linux 3.2: EVPN appeared first on EtherealMind.

by Greg Ferro at January 13, 2017 10:08 AM


January 12, 2017

My Etherealmind

Video: Business Tech News for January 11, 2017

https://www.youtube.com/watch?v=poIBwW1gI3E

Arista, NetBeez, Viptela, Silver Peak, Velocloud, ETSI, Extreme Networks are included in today’s press release round up.

Packet Pushers Youtube Channel – https://www.youtube.com/channel/UC7vAUu1TQAwzuq8wajJw4kA

The post Video: Business Tech News for January 11, 2017 appeared first on EtherealMind.

by Greg Ferro at January 12, 2017 10:28 PM

The Networking Nerd

Culling The Community


By now, you may have seen some bit of drama in the VMUG community around the apparent policy change that disqualified some VMUG leaders based on their employer. Eric Shanks (@Eric_Shanks) did a great job of covering it on his blog, as did Matt Crape (@MattThatITGuy) with his post. While the VMUG situation has its own unique aspects, the question for me boils down to something simple: how do you remove people from an external community?

Babies And Bathwater

Removing unauthorized people from a community is nothing new under the sun. I was a Cisco Champion once upon a time. During the program’s second year I participated in briefings and events with the rest of the group, including my good friend Amy Arnold (@AmyEngineer). When the time came to reapply to the program for Year 3, I declined to apply again for my own reasons. Amy, however, was told that she couldn’t reapply. She and several other folks in the program were being disqualified for “reasons”. It actually took us a while to figure out why, and the answer still wasn’t 100% clear. To this day the best we can figure out is that there is some kind of conflict between anyone working with the public sector or government and the terms and conditions of the Champions program.

The lack of communication about the rules was the biggest issue by far with the whole transition. People don’t like being excluded. They especially don’t like being excluded from a group they were previously a member of. It takes time and careful explanation to help them understand why they are no longer able to be a part of a community. Hiding behind vague statements and pointing to rule sections doesn’t really help.

In the case of the VMUG issue above, the answer as to why the dismissed leaders were disqualified still isn’t clear. At least, it isn’t clear according to the official rules. There is still some debate as to the real reasoning behind everything, as the comments on Matt’s blog indicate. However, the community has unofficially settled on the reasoning being that those leaders were employed by someone that VMware, who is more-than-loosely affiliated with VMUG, has deemed a direct competitor.

I’m no stranger to watching companies go from friends to frenemies to competitors in the blink of an eye. VMware and Cisco. VMware and Scale Computing. Cisco and HP. All of these transitions took two aligned companies and put them on opposite sides of the firing line. And in a lot of cases, the shift in messaging was swift. Last week they were both great partners. The next week shifted to “We have always been at war with Eurasia.” Which didn’t bode well for people that were caught in the middle.

Correcting The Position

How do you correctly go about affecting changes in membership? How can you realistically make things work when a rule change suddenly excludes people? It’s not an easy path, but here are some helpful hints:

  • COMMUNICATION! – Above all else, it is absolutely critical to communicate at every step of the process. Don’t leave people guessing as to your reasoning. If you are contemplating a rule change, let everyone know. If you are looking to enforce a rule that was previously not enforced, warn everyone well in advance. Don’t let people come up with their own theories. Don’t make people write blogs asking for clarification on a situation.
  • If a person is being excluded because of a rule change, give them a bit of a grace period to exit on their own terms. If that person is a community leader, they will need time to transition a new person into their role. If that person is a well-liked member of the community, give them a chance to say goodbye instead of being forced out. That grace period doesn’t need to be months long. Usually by the next official meeting or briefing time is enough. Giving someone the chance to say goodbye is much better than telling everyone they left. It provides closure and gives everyone a chance to discuss what the next steps will be.
  • If a rule change is in order that excludes members of the community, weigh it carefully. Ask yourself what you are gaining from it. Is it a legal reason? Does it need to be made to comply with some kind of regulation? Those are valid reasons and should be communicated with enough warning. People will understand. But if the reasoning behind your rule change is spite or retaliation for something, carefully consider your next steps. Realize that every rank-and-file member of the community has their own opinions and vision. Just because Evil CEO made your CEO mad doesn’t mean that his Local SE has the same feelings. And it absolutely doesn’t mean that Local SE is going to subvert your community for their own ends. These are the kinds of decisions that divide people at the expense of keeping your community free of “influences”.

It can’t be said enough that you need to talk to the community before you even begin debating action. There are no community organizations that blindly follow orders from on high. These are places where thinking people interact and share. And if they are suddenly told how things are going to be without any discussion or debate, you can better believe they are going to try and get to the bottom of it. Whether you want them to or not.


Tom’s Take

Kicking people out of something is never easy. Tech Field Day has rules about delegates being employed by presenting vendors. More than once I’ve had conversations with people about being disqualified from being a delegate. Most of them understand why that’s the case beforehand because our policy is straightforward. But if it’s ever changed, you can better believe that we’re going to let everyone know well in advance.

Communities run on communication. Discussion, debate, and ultimately acceptance are all driven by knowing what’s happening at all times. If you make rules under the cloak of secrecy for reasons which aren’t readily apparent, you risk alienating more than just the people you’re looking to exclude.


by networkingnerd at January 12, 2017 06:02 PM

Network Design and Architecture

Introduction to VPN (Virtual Private Network)

Let’s start with the definition. A VPN is a logical network created over shared physical infrastructure. The shared infrastructure can be private, such as the MPLS VPN of a Service Provider, or public, such as the Internet. There are many concepts to understand VPN in detail, but in this […]

The post Introduction to VPN (Virtual Private Network) appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

by Orhan Ergun at January 12, 2017 05:42 PM

My Etherealmind

Response: Japan researchers warn of fingerprint theft from ‘peace’ sign

Another one from the “biometrics are not useful for authentication” dumpster:

The NII researchers were able to copy fingerprints based on photos taken by a digital camera three metres (nine feet) away from the subject.

Japan researchers warn of fingerprint theft from ‘peace’ sign : http://phys.org/news/2017-01-japan-fingerprint-theft-peace.html

The post Response: Japan researchers warn of fingerprint theft from ‘peace’ sign appeared first on EtherealMind.

by Greg Ferro at January 12, 2017 12:00 PM

ipSpace.net Blog (Ivan Pepelnjak)

Parsing Printouts with Ansible Regular Expression Filters

Ansible is great at capturing and using JSON-formatted data returned by REST API (or any other script or method it can invoke), but unfortunately some of us still have to deal with network devices that cannot even spell structured data or REST.

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at January 12, 2017 06:28 AM

January 11, 2017

My Etherealmind

Response: Engineers know how to party! Start your own celebration with Mellanox Ethernet solutions – YouTube

I approve of this positive, supportive and realistic representation of network engineers.

Engineers know how to party! Start your own celebration with Mellanox Ethernet solutions – YouTube

The post Response: Engineers know how to party! Start your own celebration with Mellanox Ethernet solutions – YouTube appeared first on EtherealMind.

by Greg Ferro at January 11, 2017 10:11 PM

Network Design and Architecture

Orhan Ergun 2017 CCDE Training Agenda

If you have any questions or comments, please don’t hesitate to ask in the comment box below. 2016 & 2017 CCDE TRAINING AGENDA: Bootcamp Type […]

The post Orhan Ergun 2017 CCDE Training Agenda appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

by Orhan Ergun at January 11, 2017 08:01 PM

ipSpace.net Blog (Ivan Pepelnjak)

Introduction to Docker: Featured Video of January 2017

The featured webinar in January 2017 is the Introduction to Docker webinar, and in the featured video Matt Oswalt explains the basic Docker tasks. Other videos in this webinar cover Docker images, volumes, networking, and Docker Compose and Swarm.

To view the featured video, log into my.ipspace.net, select the webinar from the first page, and watch the video marked with a star.

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at January 11, 2017 07:23 AM


January 10, 2017

My Etherealmind

Dictionary: optic boom

optic boom

A flash produced when electrons move faster than light, akin to the boom of supersonic jets. Breaking the “light barrier” sounds like sci-fi, but physicists say it can happen in graphene sheets. The discovery could spark development of optical circuits a million times faster than silicon chips.

Link: The 21 Best New Words of 2016 | WIRED https://www.wired.com/2016j/12/21-best-new-words-2016/

The post Dictionary: optic boom appeared first on EtherealMind.

by Greg Ferro at January 10, 2017 11:33 AM

ipSpace.net Blog (Ivan Pepelnjak)

Device Configurations Are Not a Good Source of Truth

One of my subscribers sent me this question after watching the second part of Network Automation Tools webinar (or maybe it was Elisa Jasinska's presentation in the Data Center course):

Elisa mentions that for a given piece of data, there should be “one source of truth”. It gets a bit muddled when you have an IPAM tool and Git source control simultaneously. It is not hard to imagine scenarios where these get out of sync especially if you consider multi-operator scenarios.

Confused? He provided a simple scenario:

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at January 10, 2017 06:21 AM

January 09, 2017

Potaroo blog

A Postscript to the Leap Second

The inexorable progress of time clocked past the New Year and at 23:59:60 on the 31st December 2016 UTC the leap second claimed another victim. This time Cloudflare described how the Leap Second caused some DNS failures in Cloudflare’s infrastructure. What's going on here? It should not have been a surprise, yet we still see failing systems.

January 09, 2017 10:00 PM

Ethan Banks on Technology

After Two Years, Do I Find Self-Employment Worthwhile?

In March 2015, I started working for myself exclusively. That is to say, I went from working for someone else full-time while also operating my own company full-time to working strictly for my own company. How am I feeling after nearly two years of self-employment?

Fulfillment

Working for myself has proven to be fulfilling. I like the correlations to be found among opportunity, effort, risk, reward, and failure. I can weigh all of those things, make a decision of how to proceed, and benefit (or suffer) directly in accordance with my decisions. That is fulfilling to me.

Suffering, by the way, isn’t a bad thing. We could all stand to do a bit more of it today, so that we do a bit less of it tomorrow.

Process

I am free of silly processes that cripple my ability to get things done, not that I believe process is inherently bad. With my own company, I still have to define processes, but I can keep them both streamlined and fluid. I’m also free to let the people that work with me define their own processes, with me providing only the input required to achieve the desired result.

Balance

When working for other employers as an IT professional, I labored long hours, well beyond the normative forty. I was often part of a 24×7 on-call rotation for which I was typically not compensated. Depending on the employer, I was required to be reachable at any time no matter where I was, i.e. lunch, family vacation, a trip to the mountains, etc. For some employers, I was even required to carry a tetherable phone and laptop on backpacking trips — just in case. Some employers were more caring and considerate in this regard, allowing IT staff to truly disconnect from the office. Most were not.

The nature of IT operations work is that production-impacting projects are to be done outside of regular business hours. I do not miss these sorts of projects. Hovering over a laptop, pasting in pre-built configuration changes while sitting on the floor of a droning, freezing data center at 2am is never a good time.

My wife was always supportive of my late night projects and on-call disruptions to our personal lives, but it wore on her. She covered for me at social events or with the kids when required, and never complained about the long hours I was frequently gone. But still.

After twenty years of that lifestyle, I’ve found a much better balance between work and my personal life working for myself. My schedule is more predictable now. I can break away from the office without the nagging fear of being called or having to lug a laptop everywhere I go. I can take a day off whenever I need to. Yes, I find myself at airports more often due to my work, but that’s predictable now. I usually know months ahead of time where I’m going and can plan accordingly.

Balance is important. It’s taken me almost two years to get to the point that I can sleep consistently. I no longer dream about some crisis or other at work that might demand my attention. I haven’t been awakened by a manager asking me to take a look at an issue for a long time now. I no longer obsessively monitor infrastructure status screens, seeking dead canaries.

These days, when I’m at work, I do my work. Yes, I have a schedule. I have deadlines — lots of them, in fact. I have meetings. I have a busy calendar. But when I leave for the day, I’m done. As a company owner, I could obsess and fret over any number of details, but I’ve found that I’m much more effective when I take time each day to step away. Working for myself allows me to maintain that balance.

Complexity

Running a company, even a small one, is complex. I have employees and contractors. I have a business partner to make joint decisions with. I have customers. I have city, county, state, and federal governments that collect taxes from my company, me, or both. I have cash flow to monitor. I have payrolls to fulfill. I have insurances that require periodic review. I have bills to pay. All of this comes in addition to doing my work as a content creator.

While I farm as much of this back office operational work out to other companies as possible and automate where I can, it’s still ultimately my responsibility as a business owner to make sure all goes well.

But, returning to the point about fulfillment, I don’t mind the extraneous work. I’ve become increasingly efficient at it over the last two years. As the people that support our back office learn our company better, they, too, have become more efficient. The complexity of running a small business has gotten easier over the last couple of years — not harder.

Stress

There is a manageable amount of stress in my life as a small business owner, related to the complexity itemized above. I can summarize my stress points thusly.

  • Taxation is complex. I lack the legal expertise to comprehend what is required of me and my business. To relieve this stress, I retain a tax accountant at a reputable accounting firm.
  • Payroll is similarly complex. To relieve this stress, I have farmed out payroll to a company that specializes in paying not just my employees, but also the various groups that take deductions from the paychecks of my employees. They also handle the quarterly filing and reporting related to payroll.
  • Cash flow is a jagged line, not a straight one. To cope with this stress, I maintain a larger than ideal cash balance in business accounts. This irons out the lumpiness of accounts receivable.
  • Forgetting deliverables bothers me. To reduce the stress of deliverable fulfillment, all contracts live in a job tracking system. We also have a weekly meeting to be sure all obligations to our customers are being met. With this system, very little falls through the cracks.
  • Losing track of leads also bothers me. Sales cycles can be long, and we’ve learned to be persistent to keep up with inbound queries. Conversion takes time. Keeping track of sales conversations using a leads database has relieved the stress of keeping the sales pipeline full.

In summary, putting systems in place is critical to reducing the stress of running a small business.

Beyond the systems themselves are the people operating those systems. For example, the Project Manager position is the hub around which my small company revolves. As a company owner focused on content creation, I lack the time required to properly manage projects. I rely heavily on my project manager to make sure we’re on track. Thankfully, she’s gifted in this role.

Reward

I’m glad I didn’t move to self-employment in the hopes of getting rich, because I am not on a fast track to wealth. That said, the paycheck is fine, the net outcome being similar to what I was earning as a network architect. Plus, I own part of my company. That could be worth something someday.

Might I go back to working for someone else?

Yes, perhaps, but that’s not a situation I’m looking for right now. Even so, working for someone else once again is not a scenario I dread, either. If I need to do that someday, I will be just fine. But I find the fulfillment, balance, and reward of working for myself outweighing the stress and complexity. At least on most days.

There’s a key element to all of this, though. That is that the business I’m in makes financial sense. We are able to pay the bills without worrying from week to week whether or not we can keep the lights on. That’s at the root of why self-employment is working out for me. If I was constantly anxious about whether or not we’d land sufficient business, I don’t believe my psyche would tolerate it. I’d de-stress by going to work for someone else so that I didn’t have to be concerned as much with a paycheck.

However, as it happens, we don’t have that challenge. If you’re thinking about taking the self-employment plunge, that’s a big consideration you’ll need to reflect upon seriously. How well can you tolerate lumpy cash flow and long sales cycles while your business is ramping up?

In my case, business ramped up for over 5 years as a side project. Only then was it de-risked enough for my personal tolerance levels. That slow ramp-up scenario is different from taking a headfirst plunge into unproven waters.

by Ethan Banks at January 09, 2017 09:42 PM

My Etherealmind

Response: Proposed server purchase for GitLab.com | GitLab

Gitlab is talking about heading into the private cloud after successfully building a cloud-ready application. The savings are substantial for a small, technology-rich company:

The cloud hosting for GitLab.com excluding GitLab CI is currently costing us about $200k per month. The capital needed for going to metal would be less than we pay for 1 quarter of hosting. The hosting facility costs look to be less than $10k per month. If you spread the capital costs over 2.5 years (10 quarters) it is 10x cheaper to host your own. (My emphasis)

This sounds about right, but I don’t think this factors in head count for operating the physical infrastructure. Let’s say that two extra FTEs at $15K per month are required; this is still one third the cost of AWS. The reality is that $2.4MM is a substantial yearly budget for IT infrastructure, and for an application that is already cloud-ready it would go a very long way.

For a small company that is focussed on technology, adding more headcount is good for capacity. In a team of ten people, adding 2 headcount increases diversity of thinking, ideas and approaches and can be important to spreading out the workload, e.g. the on-call rotation is much improved with 12 people in the rota.

Factors that I thought significant:

  • Application fits into a single rack (it’s a small company)
  • Company is focussed on a single customer solution which they own end-to-end.
  • Strong technical leadership has insights into the problems of owning infrastructure and is thinking ahead on minimising that.
  • Making some good decisions to keep the physical infrastructure simple, plain and easy to handle.

I’ve said many times, public cloud isn’t cheap. This doesn’t make it the right or wrong solution, but cheap is not a reason to go to the cloud when operating at any sort of scale. (Mind you, a startup with less than five people will always be better off using public cloud.) There isn’t a right answer, just use cases for when it works and when it doesn’t.

Proposed server purchase for GitLab.com | GitLab:

The post Response: Proposed server purchase for GitLab.com | GitLab appeared first on EtherealMind.

by Greg Ferro at January 09, 2017 09:36 PM

Dyn Research (Was Renesys Blog)

Iran Leaks Censorship via BGP Hijacks


Last week, we reported via Twitter that the Iranian state telecom TIC hijacked address space containing a number of pornographic websites.  The relevant BGP announcement was likely intended to stay within the borders of Iran, but had leaked out of the country in a manner reminiscent of Pakistan’s block of Youtube via BGP hijack in 2008.  Over the weekend, TIC performed BGP hijacks of additional IP address space hosting adult content as well as IP addresses associated with Apple’s iTunes service.


In addition, in 2015 on this blog we reported that a new DNS root server instance in Tehran was being leaked outside Iran, a situation that was quickly rectified at that time.  Despite the fact that the Tehran K-root is intended to only be accessible within Iran, as we will see below, it is currently being accessed by one of the largest US telecommunications companies.

Iranian BGP-based Censorship

Last week, Iranian state telecom announced a BGP hijack of address space (99.192.226.0/24) hosting numerous pornographic websites.  This was likely intended to stay within Iran, but like Pakistan’s BGP hijack of Youtube in 2008, it was inadvertently leaked out of the country, preventing internet users in many countries from being able to visit these sites.  In his coverage of this incident, Russell Brandom of The Verge wrote arguably the most memorable opening sentence in tech journalism this year (so far).

We alerted the hosting operation and they were able to regain control of the address space back from the Iranians. They began announcing the same /24 and then were able to get Omantel to stop announcing the route to the outside world.  In the graphic below, we can see the timeline of the announcement of this route, which was a more-specific hijack of 99.192.128.0/17.  TIC announced the route using a private ASN AS65050, and as Stéphane Bortzmeyer astutely pointed out, some peers saw this as being originated by AS12880 (TIC) itself, probably because it is the practice of some organizations to strip private ASNs from the AS path.  Hence, in the diagram below the hijack is represented by both origins AS12880 and AS65050.  Soon after AS27589 began announcing this same route, Omantel stopped announcing it to the outside world.  This all happened within an hour of our notification to them.
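The two details in this timeline that matter for anyone watching their own address space are the more-specific announcement (a /24 carved out of 99.192.128.0/17) and the private origin ASN that some peers strip, which makes the same hijack look as if AS12880 originated it. The following toy monitor, added here as an illustration and not Dyn's tooling, checks a stream of BGP updates for both. The covering prefix and the ASNs 12880, 65050 and 27589 come from the post; AS27589 is assumed to be the legitimate origin, since its announcement is what displaced the hijack. The peer ASNs are RFC 5398 documentation ASNs standing in for the real neighbours, and the updates themselves are constructed.

```python
"""Added example: a toy route-origin monitor for the hijack pattern in the
post above. Not Dyn's code. 99.192.128.0/17 and AS12880/AS65050/AS27589 are
taken from the post (AS27589 assumed to be the rightful origin); peer ASNs
are documentation ASNs (RFC 5398) and every update below is constructed.
"""
import ipaddress

# Private ASN ranges (RFC 6996). Some networks strip these from the AS path
# before re-announcing, so a route originated by a private ASN can show up
# elsewhere as if it came from the last public ASN before it.
PRIVATE_ASN_RANGES = (range(64512, 65535), range(4200000000, 4294967295))


def is_private_asn(asn: int) -> bool:
    return any(asn in r for r in PRIVATE_ASN_RANGES)


def origins(as_path):
    """Return (raw_origin, public_origin): the path's last ASN, and the last
    ASN that would survive private-ASN stripping."""
    public = [a for a in as_path if not is_private_asn(a)]
    return as_path[-1], (public[-1] if public else None)


def check_update(update, monitored):
    """Compare one announcement with the monitored prefixes.
    `monitored` maps a covering prefix to the set of ASNs allowed to originate
    it or anything inside it. Returns an alert dict, or None if uninteresting."""
    announced = ipaddress.ip_network(update["prefix"])
    for cover, allowed in monitored.items():
        cover_net = ipaddress.ip_network(cover)
        if announced.version != cover_net.version:
            continue
        if (announced.network_address not in cover_net
                or announced.prefixlen < cover_net.prefixlen):
            continue  # not inside the monitored block
        raw, public = origins(update["as_path"])
        if raw in allowed:
            return None  # the rightful origin announcing (part of) its own space
        return {
            "prefix": str(announced),
            "kind": "exact" if announced == cover_net else "more-specific",
            "origin": raw,
            "seen_as": public,  # origin as recorded by peers that strip private ASNs
            "reason": "private-ASN origin" if is_private_asn(raw) else "unexpected origin",
            "via": update["peer"],
        }
    return None


def scan(updates, monitored):
    """Run every update through check_update and keep the alerts."""
    return [a for a in (check_update(u, monitored) for u in updates) if a]


MONITORED = {"99.192.128.0/17": {27589}}

# Constructed updates modelled on the timeline described in the post.
SAMPLE_UPDATES = [
    # The leaking upstream (AS64496 standing in for Omantel) passes on the
    # hijacked /24 with the private ASN still in the path.
    {"peer": 64496, "prefix": "99.192.226.0/24", "as_path": [64496, 12880, 65050]},
    # A peer that strips private ASNs (AS64497) records AS12880 as the origin.
    {"peer": 64497, "prefix": "99.192.226.0/24", "as_path": [64497, 64496, 12880]},
    # The covering /17 from its rightful origin is normal.
    {"peer": 64498, "prefix": "99.192.128.0/17", "as_path": [64498, 27589]},
    # The victim's counter-announcement of the same /24 is also legitimate.
    {"peer": 64498, "prefix": "99.192.226.0/24", "as_path": [64498, 27589]},
    # A /32 outside any monitored block is ignored by this monitor.
    {"peer": 64496, "prefix": "17.110.232.45/32", "as_path": [64496, 12880, 65050]},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_UPDATES, MONITORED):
        print(alert)
```

Run against the sample, the monitor raises two alerts for the /24: one with a private origin whose stripped form is AS12880, one where AS12880 itself appears as the origin. Reporting both the raw and the stripped origin is the point; a monitor that keys only on the origin ASN it happens to see will count the same hijack as two different events depending on which peer's view it reads.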


It is interesting that the more-specific BGP hijack wasn’t more widely adopted.  Omantel never announced it to its transit providers (including Level 3, Telia and Hurricane Electric) and only to some of its settlement-free peers (including some at AMSIX).  It is hard to know for certain whether this was due to filters in place by many of Omantel’s upstreams, or, more likely, it was just being announced to the peers based on something in its routing policy.

Using a looking glass inside Iran, it was clear that the hijacked route was still visible inside the country after Omantel stopped passing it on to the outside world.

On Saturday, TIC was back at it again, this time announcing BGP hijacks of the address space hosting www.sex.com (among numerous other adult content websites).  Below are screenshots from Dyn’s Internet Intelligence showing the propagation of this BGP hijack.

In addition, TIC announced BGP hijacks for 20 individual IPs associated with Apple’s iTunes service.  These too were carried by Omantel to the outside world, albeit with a smaller footprint due to the fact that BGP routes for /32’s typically don’t propagate very far.


17.110.232.45/32
17.110.232.46/32
17.110.234.27/32
17.110.234.28/32
17.154.66.154/32
17.154.66.155/32
17.154.66.156/32
17.154.66.73/32
17.154.66.74/32
17.154.66.75/32
17.154.66.79/32
17.173.66.101/32
17.173.66.102/32
17.173.66.103/32
17.173.66.104/32
17.173.66.179/32
17.173.66.180/32
17.173.66.181/32
17.250.237.37/32
17.250.237.7/32


Again, below are screenshots from Dyn’s Internet Intelligence analyzing these BGP hijacks:

This second round of BGP hijacks from TIC lasted a little less than 3 hours, but lends credence to the conclusion that the state telecom of Iran is exploring the use of BGP as a means of enforcing internet censorship of, at least, pornographic material.  In addition, TIC performed a more-specific BGP hijack on 22 December 2016 of a Server Stack address range (illustrated below), which also hosts adult content.  The hijack lasted less than 10 minutes.


[Figure: more-specific BGP hijack of 141.0.174.0/24]
In the past month, similar hijacks were performed against other individual IP addresses including:

209.190.4.58/32   XLHost.com Inc Columbus US
209.190.5.58/32   eNET Inc. Columbus US
99.192.226.224/32 Gotys Productions Inc. Miami US
104.107.156.61/32 Akamai International, BV Amsterdam NL

99.192.226.224 is an IP in the /24 that was hijacked last week and is associated with www.pichunter.com, an adult content website.  209.190.4.58 is a U.S.-based IP address hosting the website of an Iranian telecommunications company (http://novinmehr.com, http://nepox.com).  The relevance of the other two IP addresses is unclear.

More leaks of K-root instance in Tehran

In 2015 on this blog, we reported on the establishment of the first Iranian root server of the global DNS system.  The objective of this root server was to provide faster query response times to internet users in Iran. Despite the fact that this instance of K-root was intended to only be visible from within Iran, we observed that it had leaked to telecommunications companies in India. (Shortly afterward, K-root’s operator RIPE published a responding blog post to further describe the operation of the Tehran root server.)

The Tehran K-root is being leaked again.  Presently U.S. telecommunications firm Cogent (often featured on the annual Baker’s Dozen blog post about trends among the largest transit providers in the world) is accepting the BGP route of the Tehran instance of K-root — suggesting a non-trivial number of their root queries are currently being answered by Iran.

Below is a traceroute measurement performed from Cogent’s looking glass utility showing a measurement to 193.0.14.0/24 (K-root) from Washington D.C.  It is ultimately directed to Rostelecom (state telecom of Russia) in Moscow before traveling to Delta Telecom (85.132.90.186) in Baku, Azerbaijan and on to IPM in Iran.

Below is a visualization of measurements to K-root from one of our measurement servers located in Ashburn, VA, utilizing Cogent transit.  Over time, the measurements shift from the US-based K-root in Miami to one hosted in Russia (accessed via Rascom), then to one hosted in Kazakhstan before finally settling on the K-root in Tehran.


Conclusions

What are the implications of sending queries to a root server in Tehran?  Well, there is the performance hit of having to send DNS queries thousands of miles away to Tehran.  But all-in-all root server latency has a small impact on overall performance — these queries only occur during a cache miss and there are 13 root server IPs that one might be directed to at any given time.  As far as security implications, the root server has visibility into the DNS queries being made to it, so there would be some ability to monitor the web pages being visited.

As we have stated many times on this blog, the underlying protocols of the internet still rely primarily on trust.  Given Iran’s track record for internet censorship (which includes DNS tampering), it is reasonable to be concerned about a repeat of the 2010 incident when a BGP leak of I-root caused internet users outside of China to experience the censorship of China’s Great Firewall.

The post Iran Leaks Censorship via BGP Hijacks appeared first on Dyn Research.

by Doug Madory at January 09, 2017 09:18 PM

My Etherealmind

Response: The Orphaned Internet – Taking Over 120K Domains via a DNS Vulnerability in AWS, Google Cloud, Rackspace and Digital Ocean | The Hacker Blog

So obvious but I’m checking my unused domains to make sure they have no nameservers configured

The root of this vulnerability occurs when a managed DNS provider allows someone to add a domain to their account without any verification of ownership of the domain name itself. This is actually an incredibly common flow and is used in cloud services such as AWS, Google Cloud, Rackspace and of course, Digital Ocean. The issue occurs when a domain name is used with one of these cloud services and the zone is later deleted without also changing the domain’s nameservers. This means that the domain is still fully set up for use in the cloud service but has no account with a zone file to control it. In many cloud providers this means that anyone can create a DNS zone for that domain and take full control over the domain. This allows an attacker to take full control over the domain to set up a website, issue SSL/TLS certificates, host email, etc. Worse yet, after combining the results from the various providers affected by this problem over 120,000 domains were vulnerable (likely many more).

The Orphaned Internet – Taking Over 120K Domains via a DNS Vulnerability in AWS, Google Cloud, Rackspace and Digital Ocean | The Hacker Blog : https://thehackerblog.com/the-orphaned-internet-taking-over-120k-domains-via-a-dns-vulnerability-in-aws-google-cloud-rackspace-and-digital-ocean/index.html
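The check the quoted post implies is simple to automate: for each domain you own, look at what the registry delegates it to, and if the nameservers belong to a self-service managed DNS provider, ask those servers for the zone. A provider that no longer hosts the zone will typically answer REFUSED (or SERVFAIL), and that combination is the orphaned state. The script below, added here as an illustration rather than code from The Hacker Blog or any provider, implements that classification. The nameserver-name fragments used to recognise each provider are assumptions, and the registry data and query replies are a constructed table so the example runs offline; the "no-delegation" verdict corresponds to the state the response above is checking for.

```python
"""Added example: classifying a domain's delegation to catch the orphaned
state described in the quoted post. Not code from The Hacker Blog or any
DNS provider. Provider nameserver markers are assumptions; registry data
and SOA replies are a constructed sample so the check runs offline.
"""

# Fragments assumed to identify the managed providers the post names.
# (Assumption: confirm against each provider's current nameserver naming.)
PROVIDER_NS_MARKERS = {
    "awsdns-": "AWS Route 53",
    ".googledomains.com": "Google Cloud DNS",
    ".stabletransit.com": "Rackspace Cloud DNS",
    ".digitalocean.com": "DigitalOcean DNS",
}

# Constructed sample: what the registry delegates each domain to, and the
# rcode each listed nameserver returns when asked for the zone's SOA.
SAMPLE_DELEGATIONS = {
    "old-project.example": ["ns-1.awsdns-10.com.", "ns-2.awsdns-20.net."],
    "live-site.example": ["ns-cloud-a1.googledomains.com.", "ns-cloud-a2.googledomains.com."],
    "parked.example": [],
    "self-hosted.example": ["ns1.self-hosted.example."],
}
SAMPLE_SOA_REPLIES = {
    ("old-project.example", "ns-1.awsdns-10.com."): "REFUSED",
    ("old-project.example", "ns-2.awsdns-20.net."): "REFUSED",
    ("live-site.example", "ns-cloud-a1.googledomains.com."): "NOERROR",
    ("live-site.example", "ns-cloud-a2.googledomains.com."): "NOERROR",
    ("self-hosted.example", "ns1.self-hosted.example."): "NOERROR",
}

DANGLING_RCODES = {"REFUSED", "SERVFAIL"}


def provider_for(ns_name: str):
    """Map a nameserver hostname to a managed provider, or None."""
    lower = ns_name.lower()
    for marker, provider in PROVIDER_NS_MARKERS.items():
        if marker in lower:
            return provider
    return None


def sample_probe(domain: str, ns_name: str) -> str:
    """Stand-in for sending an SOA query for `domain` to `ns_name`.
    A real probe would return the rcode from the nameserver's reply."""
    return SAMPLE_SOA_REPLIES.get((domain, ns_name), "TIMEOUT")


def assess_domain(domain: str, nameservers, probe):
    """Classify one delegation.
    `probe(domain, ns)` returns the rcode that nameserver gives for the SOA.
    Verdicts: no-delegation, healthy, orphaned (managed provider refuses the
    zone, so anyone with an account there could recreate it), or broken."""
    if not nameservers:
        return {"domain": domain, "verdict": "no-delegation", "providers": [], "dangling": []}
    providers = sorted({p for p in map(provider_for, nameservers) if p})
    rcodes = {ns: probe(domain, ns) for ns in nameservers}
    dangling = [ns for ns, rc in rcodes.items() if rc in DANGLING_RCODES]
    unreachable = [ns for ns, rc in rcodes.items() if rc not in DANGLING_RCODES | {"NOERROR"}]
    if dangling and any(provider_for(ns) for ns in dangling):
        verdict = "orphaned"
    elif dangling or unreachable:
        verdict = "broken"
    else:
        verdict = "healthy"
    return {"domain": domain, "verdict": verdict, "providers": providers, "dangling": dangling}


def audit(delegations, probe):
    """Assess every domain in `delegations` ({domain: [nameservers]})."""
    return {d: assess_domain(d, ns, probe) for d, ns in delegations.items()}


if __name__ == "__main__":
    for report in audit(SAMPLE_DELEGATIONS, sample_probe).values():
        print(report)
```

To run this for real, replace `sample_probe` with a function that resolves each nameserver and sends it an SOA query for the domain (dnspython's `dns.query.udp` is one way), and feed `audit` the NS records obtained from the parent zone rather than from the provider. Only "orphaned" needs urgent action; "broken" is worth a look but is not the self-service takeover case the post describes.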

The post Response: The Orphaned Internet – Taking Over 120K Domains via a DNS Vulnerability in AWS, Google Cloud, Rackspace and Digital Ocean | The Hacker Blog appeared first on EtherealMind.

by Greg Ferro at January 09, 2017 08:16 PM

Network Design and Architecture

I discussed some IP Mobility solutions including LISP

A couple of days ago I discussed some IP Mobility solutions, including LISP (Locator Identity Separation Protocol), with the CCDE students. Basically, all IP Mobility solutions work in a similar way. The new location of the host address needs to be learned either via the routing system or via an authoritative server. Host information is called the identity, and it can be the MAC […]

The post I discussed some IP Mobility solutions including LISP appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

by Orhan Ergun at January 09, 2017 04:11 PM

ipSpace.net Blog (Ivan Pepelnjak)

Plans for 2017

With January 6th the Christmas/New Year holidays are over even for most European countries, so it’s time to restart my blog and set some goals for 2017.

Webinars

2015 was year of SDN, 2016 was year of network automation, and 2017 is shaping up to be the year of the cloud.

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at January 09, 2017 07:19 AM

In Search of Tech

Aerohive’s Private Pre-Shared Key Technology

A fairly common question I get asked when talking to people about Aerohive Networks is “what makes us different?” In other words, why should they choose Aerohive to replace their existing wireless vendor? It is a fair question. After all, plenty of vendors sell APs that can serve the most basic wireless needs. All of the vendors I compete with do a lot of the same things when it comes to general wireless.

One of the things I like to talk to potential customers about is Aerohive’s Private Pre-Shared Key (PPSK) technology. For some organizations, PPSK is not something they are interested in. Maybe they already have a pretty solid 802.1X implementation and don’t have a need for WPA2 Personal (pre-shared key) security on their wireless network. That’s perfectly fine in my book. I have other things I can always talk about with regard to an Aerohive solution. For quite a few organizations though, they see the advantage of PPSK over standard pre-shared key implementations and jump right in to using it. I wanted to briefly discuss what PPSK is and how it can be utilized with an Aerohive solution. No configuration screenshots or long demonstration videos. Just a basic overview.

Some Potential Issues With Standard PSK (WPA2 Personal)

1. The key is the same for all devices connecting to the SSID/WLAN. This means that if the key is compromised, anyone can connect to the wireless network. There are some additional things one could employ like MAC filtering (which isn’t very hard to defeat), but the one thing you will have a hard time doing is preventing someone from eavesdropping on a session, capturing the 4-way handshake, and then decrypting the traffic for that session. See the following:

[Figure: psk-noppsk]

2. If you fire someone, or have to change the key for any other reason, you have to change the key on all the devices that connect to that SSID/WLAN.

3. Identity is hard to determine since every device is using the same key. You could keep a running list of MAC addresses and use that to determine who a given device belongs to, but that creates an administrative burden and MAC spoofing is relatively easy to do.

Why Not Use 802.1X?

Without getting too far down into the weeds, 802.1X (WPA2 Enterprise) is more secure than pre-shared key (WPA2 Personal). The issue of key compromise is taken care of through the use of dynamic encryption keys for almost every EAP type that would be used in the authentication process, and these keys are unknown to the user of the wireless client authenticating with 802.1X. Additionally, identity is going to be very easy to determine when devices authenticate with 802.1X.

The logical thought would be that every device should authenticate with 802.1X and not use the WPA2 Personal method. However, this doesn’t always occur for a number of reasons.

1. 802.1X is not the easiest thing to implement. If you are a seasoned wireless or security professional, you might disagree with that, but the IT world is not always overflowing with people that know how to set up authentication back ends using RADIUS, certificates, directory services, etc.

2. Not all devices support 802.1X. While it is getting harder to find laptops, tablets, and smart phones that don’t support 802.1X, there are literally millions (probably billions by now) of devices that don’t have 802.1X capabilities. The Internet of Things comes to mind. I have quite a few of these “dumb” devices in my home that only support WPA2 Personal and “no authentication” for their connection method.

PPSK To The Rescue!

Aerohive’s Private Pre-Shared Key technology bridges the gap between the standard PSK implementation and 802.1X.

1. You still use pre-shared keys to access the network, but under a single SSID/WLAN, you can have a bunch of different keys. Each device, or group of devices, can have its own unique key. Whether you need ten keys, a thousand keys, or more, they can all exist under a single SSID/WLAN. See the following:

[Figure: psk-ppsk]
2. If someone gets fired or their key gets compromised, you can simply invalidate that key and not have to change the key on all devices using the same SSID/WLAN since they are using a different key. Of course, when it comes to key compromise, you would have to know that it was compromised. There are some additional things you can do on the Aerohive side to limit the damage of a key that is compromised without you knowing about it, but I will tackle that in another post.

3. Identity is tied to the key being used, so you WILL know who is connecting to the network based on the uniqueness of their key in the same way that certificates and usernames and passwords are used to determine identity with 802.1X. It just requires less complexity than an 802.1X setup.
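The three points above follow from one property of the WPA2-Personal handshake: the client never sends its key, it only proves it holds the key by signing message 2 of the 4-way handshake with a PTK derived from that key and both nonces. Nothing stops an AP from trying several candidate keys against that signature, which is what lets many keys share one SSID and what ties identity to the key. The model below, added here for illustration and not Aerohive's code (it makes no claim about how Aerohive actually implements PPSK), walks through a join, an identification and a revocation. The SSID, key table, MAC addresses, nonces and the simplified EAPOL-Key body are constructed.

```python
"""Added example: how one SSID can carry many pre-shared keys and still tell
devices apart. Toy model of the WPA2-Personal 4-way handshake written for
this post; not Aerohive's code and not a claim about its implementation.
SSID, key names, MAC addresses, nonces and the EAPOL body layout are
constructed for illustration.
"""
import hashlib
import hmac

SSID = b"corp-ppsk"  # constructed SSID


def pmk_from_psk(psk: str, ssid: bytes) -> bytes:
    """WPA2-Personal: 256-bit PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096)."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid, 4096, 32)


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-384 for CCMP: KCK(16) | KEK(16) | TK(16) from the PMK,
    both MAC addresses and both nonces (sorted so either side gets the same PTK)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(3):
        out += hmac.new(pmk, b"Pairwise key expansion" + b"\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:48]


def key_mic(kck: bytes, eapol_body: bytes) -> bytes:
    """WPA2 key MIC: HMAC-SHA1 over the EAPOL-Key frame (MIC field zeroed), truncated to 128 bits."""
    return hmac.new(kck, eapol_body, hashlib.sha1).digest()[:16]


def station_message2(psk: str, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """What a client does: derive the PTK from its own key and sign message 2."""
    ptk = derive_ptk(pmk_from_psk(psk, SSID), aa, spa, anonce, snonce)
    body = b"\x02\x03" + snonce  # constructed stand-in for the EAPOL-Key body (type, info, SNonce)
    return body, key_mic(ptk[:16], body)


def identify_key(key_table: dict, aa: bytes, spa: bytes, anonce: bytes, body: bytes, mic: bytes):
    """What a multi-key AP can do: under one SSID, try each active key until
    one validates the MIC on message 2. The owner of the matching key is the
    device identity. A key removed from the table no longer validates, so
    revoking one user leaves every other key untouched."""
    snonce = body[2:]
    for owner, psk in key_table.items():
        ptk = derive_ptk(pmk_from_psk(psk, SSID), aa, spa, anonce, snonce)
        if hmac.compare_digest(key_mic(ptk[:16], body), mic):
            return owner
    return None


# Constructed values for the walk-through.
AP_MAC = bytes.fromhex("020000000a01")
ANONCE = hashlib.sha256(b"anonce-sample").digest()
KEY_TABLE = {
    "alice-laptop": "correct-horse-battery-staple",
    "lobby-printer": "printer-key-4f9a",
    "bob-phone": "bob-key-7c2d",
}


def demo():
    """Two joins, then Bob's key is revoked; returns what the AP concluded each time."""
    results = {}
    sta = bytes.fromhex("020000000b01")
    snonce = hashlib.sha256(b"snonce-alice").digest()
    body, mic = station_message2(KEY_TABLE["alice-laptop"], AP_MAC, sta, ANONCE, snonce)
    results["alice"] = identify_key(KEY_TABLE, AP_MAC, sta, ANONCE, body, mic)

    sta = bytes.fromhex("020000000b02")
    snonce = hashlib.sha256(b"snonce-bob").digest()
    body, mic = station_message2(KEY_TABLE["bob-phone"], AP_MAC, sta, ANONCE, snonce)
    results["bob_before_revoke"] = identify_key(KEY_TABLE, AP_MAC, sta, ANONCE, body, mic)
    active = {k: v for k, v in KEY_TABLE.items() if k != "bob-phone"}
    results["bob_after_revoke"] = identify_key(active, AP_MAC, sta, ANONCE, body, mic)
    return results


if __name__ == "__main__":
    print(demo())
```

The same derivation also shows why point 1 under the standard PSK section holds: the PTK depends only on the PSK, the two MAC addresses and the two nonces, all of which anyone holding the key can observe in the handshake. Per-device keys do not change that, but they shrink the set of sessions a single key exposes to the devices that share it, and they turn a key leak into a one-row revocation instead of a network-wide re-key.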

Closing Thoughts

Like I said from the start of this post, PPSK is not something that every organization uses. For those with solid 802.1X implementations, they generally prefer to use that over PPSK. Other organizations have actually moved off of 802.1X and rolled out PPSK across their entire network. If nothing else, PPSK is another tool that Aerohive provides as something to differentiate themselves from other wireless vendors. The standard advice we give organizations is that with Aerohive, you can have your 802.1X SSID, your open guest network (if you so desire), and a catch-all PPSK SSID for anything that would connect with a pre-shared key.

In full disclosure, Ruckus Wireless has similar technology they call Dynamic PSK. I don’t have any deep insight into how Ruckus Wireless’ DPSK solution compares to Aerohive. I can only tell you how Aerohive functions, and in my next post, I am going to talk about what you can do once you determine that device identity from PPSK, or even 802.1X for that matter. In short, based on identity, you can assign different firewall policies, QoS settings, and other things, but I will leave that for the next post. While I do tend to talk about PPSK a lot in pre-sales discussions, it really just sets the stage for what can be done after the authentication happens. That’s where it really gets interesting!

by Matthew Norwood at January 09, 2017 06:57 AM

XKCD Comics

January 08, 2017

Network Design and Architecture

2017 CCDE Exam Dates

The 2017 CCDE Exam dates have been announced. There are four CCDE exams every year. More precisely, there are four CCDE Practical/Lab exams every year. There is no such limitation for the CCDE Written exam. You can take the CCDE Written exam at any time in any Pearson VUE center; it is not limited to four times a year. CCDE Practical […]

The post 2017 CCDE Exam Dates appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

by Orhan Ergun at January 08, 2017 06:08 PM

Is Cisco CCDE exam harder than CCIE ?

Is the Cisco CCDE exam harder than the CCIE exam? This is one of the most commonly asked questions from CCDE candidates. The short answer is no. But you should know the differences between the CCIE and the CCDE as well. The CCDE exam is scenario based. You have four scenarios, which are called the Lab or Practical […]

The post Is Cisco CCDE exam harder than CCIE ? appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

by Orhan Ergun at January 08, 2017 04:49 PM

My Etherealmind

Musing: Norton Core Router | Introducing the Future of WiFi.

We set out to change WiFi forever. Our uncompromising vision: a wireless router that secures your digital life, while delivering the highest level of performance. The result is Norton Core. Core uses advanced machine learning and Symantec’s global intelligence network to defend your home WiFi—and every device connected to it—against malware, viruses, hackers and much more.

Powerful, secure WiFi is now a thing.

  1. We know that Norton produces sub-standard, low quality, deeply insecure anti-virus & malware desktop software. How good do you think this is?
  2. Want to bet that no one cares and the branding plus a lot of marketing dollars will make it successful?
  3. Attempting to be a full security suite in a single box. Oh, and WiFi.
  4. Enterprise-grade security features can now be offered to retail customers – (Enterprise comes last)
  5. Uses cloud for intelligence and threat analysis to power the security engine. Reuse of existing technology means it’s cheap and profitable.
  6. MIMO is hard, beam forming is really hard. I’m doubtful that Norton could get this right the first time (or at all).
  7. Lots of effort has been spent to make it look nice. Which is nice.
  8. It’s probably better than nothing (which is what you really have today) so maybe it’s not a bad idea.
  9. Subscription services are going to eat away at your household budgeting.

Norton Core Router | Introducing the Future of WiFi.

The post Musing: Norton Core Router | Introducing the Future of WiFi. appeared first on EtherealMind.

by Greg Ferro at January 08, 2017 02:43 PM

Response: XenDesktop and XenApp Interoperability with VMware NSX

Citrix and NSX integration to build departmental isolation between VDI desktops.

In this blog, I am going to focus on XenDesktop, NetScaler and NSX interoperability. I will discuss a field use case, see how to implement that in VMware NSX for XenDesktop and then look at a few micro-segmentation deployment scenarios, to showcase how XenDesktop and NetScaler in conjunction with NSX provides a compelling deployment model.

The ability to isolate and control desktops represents a major security and integrity enhancement. Using a Netscaler provides a single point of access into the data centre and can be integrated into the NSX overlay.

Adding NetScaler in this deployment would simplify the set up and allow the users of all the airlines (or tenants) access the same landing URL and still have complete isolation from each other’s data and resources.

Observation: NSX is an automation tool for connectivity between end points and offers isolation/segmentation as a service. Added to NetScaler, we get orchestration to produce greater business benefits because XenDesktop & NSX become a unified service.

No specific provisioning to make this happen. That’s an SDN outcome.

XenDesktop and XenApp Interoperability with VMware NSX | Citrix Blogs

The post Response: XenDesktop and XenApp Interoperability with VMware NSX appeared first on EtherealMind.

by Greg Ferro at January 08, 2017 01:03 PM

January 07, 2017

Ethan Banks on Technology

How To Wade Through 100s Of Articles Weekly

The writing masses in addition to professional media generate tons of articles each week. What’s the best way to keep up? My strategy is multi-pronged.

TL;DR.

Filter quickly and mercilessly. Read only the most interesting articles.

  1. Know why you read. Ignore content that doesn’t align with your personal consumption goals.
  2. Ignore content with clickbait titles. These articles are purposely designed to drive traffic, generating salable ad impressions. Most of the time, they are content-free and safely ignored.
  3. Have no fear of declaring amnesty. Missing out doesn’t matter.
  4. Read it now; you probably won’t read it later. Don’t let articles pile up for when you have a better time.
  5. Use tools effectively. You can get through content more quickly and share or save the best stuff easily.

Know why you read.

Keeping up with technology is a big part of my business. Therefore, I subscribe to feeds about emerging tech from news organizations, independent tech writers, and technology vendors. From these sources, I monitor trends and hype, picking out what strikes me as useful or at least thought-provoking for IT practitioners. Articles that match these criteria inspire articles of my own as well as podcast scripts, and spawn research projects. My overarching goal is to bring to the attention of readers and listeners technology that might impact their life.

When articles, in my estimation, don’t match this goal, I delete them from my feed unread. I feel no obligation to read everything. I filter mercilessly by title. Vendor blogs tend to be spammy, emphasizing quantity over quality, pushing product agendas while adding no value to the reader. Some tech writers go into niches that are too narrow for my tastes. News sites cover topics that I often don’t find all that interesting or newsworthy. I estimate that I read between 5% and 10% of articles that hit my feeds.

Your personal goals will likely be different from mine, but know what those goals are. When you do, they will define which feeds to pay attention to, and which articles in those feeds are worth your time.

Ignore content with clickbait titles.

Every platform and author wants your attention, or at least your clicks to generate ad impressions. However, most professional writers with a daily quota don’t have enough to say to keep you coming back simply due to the overwhelming quality of their every word. To make up for the deficit in content usefulness, some writers and editors resort to clickbait titles.

Clickbait titles go after your baser nature through titillation or by sensationalizing a topic. If you feel perversely tempted to click on a link even though the title promises a content Twinkie, it’s clickbait. “Top X” articles, aka listicles, are also often time-wasters. (Yes, I’ve written them.)

Avoid these wastes of your time. There are ever more of them to be found, especially in vendor blogs and from old media organizations.

Declare article amnesty without fear of missing out.

Sometimes, real life takes over, and you don’t have time to read your feeds. That’s fine. Declare article amnesty by marking everything as read and starting over. If there’s anything so good that you might regret missing it, you’ll hear about it later from other people that tweet it or tell you about it. Fear of missing out is a pointless phobia in a world where it is impossible to keep up. You will miss out. Accept it.

In the spirit of hearing about content from other people and shameless self-promotion, we Packet Pushers offer the free Link Propagation newsletter covering the IT industry broadly. Greg, Drew and I “drink from the firehose so you can sip from a coffee cup.”

Read interesting content now.

I have learned over time that bookmarking an article to read it later means the article doesn’t get read. In analyzing myself to determine why I resist reading a piece immediately, I’ve determined that I’m worried I’ll spend too much time trying to “get it,” whatever it is.

This comes from reading lots of tech articles over the years where content occasionally gets into theory, deep science, or some arcane corner of the world I’m unfamiliar with, requiring careful focus. “Oooh, that title sounds provocative…but deep,” I’ll think, “so I better save it for a better time when I can really focus and wrestle it to the ground.”

Well…no. For me, this almost never works out, because “a better time” is mythological. If I’m spending time right now to read, then right now is the best time to go after that bit of meat and get chewing. Remember that the goal is NOT to get through your feed. The goal is to digest something new that furthers your goals — the reason you’re reading to begin with.

Therefore, prioritize reading right now. I’ve often found that the more I force myself to do this, the easier it becomes to absorb content, even meatier topics. It’s also true that article titles which seem initially intimidating often head content that isn’t all that difficult to get a hold of, assuming the writer can express themselves well.

Use tools effectively.

My system for reading starts with RSS. If a site doesn’t have an RSS feed, I don’t follow it, at least not closely. I might catch an interesting piece on Twitter or Reddit and click through, but the first thing I do when ending up at a new, interesting site is add it to my RSS aggregator.

Ah. The aggregator. I use Feedly, and pay for the Pro upgrade. Feedly Pro lets me…

  • Subscribe to more than 100 feeds, which I require.
  • Integrate with IFTTT, Zapier, and Buffer, all of which I use.
  • Backup to Dropbox, which I do.
  • Many other things which are less important to me, but might interest you.

Within Feedly, I organize my feeds into four main categories.

  1. Fodder. In this group, I keep mostly news media feeds that I’ll use for research, writing, or podcasting. These tend to be the most active feeds I follow as they are populated by professional journalists who do little but file articles all day. Therefore, I’m selective about which media feeds make the cut. Each feed covers a unique aspect of the tech industry, so that I minimize duplicate content. I cull feeds if the quality becomes too poor. 17 busy feeds.
  2. Fun. Believe it or not, sometimes I read recreationally. 39 not-so-busy feeds.
  3. Humans. This category contains independent writers, or at least writers producing content from an independent perspective, even if they happen to be employed by technology vendors. I name each feed according to the actual human writing the content, which makes the content far more personal to me. Most of these folks are friends or people I’ve interviewed. This is the least busy category, as independent writers tend to have paying jobs that occupy most of their time. However, this is what makes their content among the best technology reading on the web. 71 sparse feeds.
  4. Spin Zone. These articles are official vendor blogs or open source project announcement feeds. These tend to be awful, written by marketers whose chief aim is gaming Google search results. In addition, they are sometimes busy feeds, covering technical minutiae of interest only to a select few. However, useful product announcements or thoughtful engineering articles make it through the cruft from time to time. 22 busy feeds.

It’s possible to over-organize your feeds. Don’t fall into this trap, or you’ll find yourself wasting a lot of time moving feeds into categories, deciding which category to sift through at any given time, etc. I’ve made that mistake. Keep it simple. Don’t invent work for yourself.

I use Feedly mostly on my phone. I can quickly swipe away uninteresting articles, which is most of them. If I happen to be using Feedly on a big screen in a browser, I will do the same weeding by clicking the X to dismiss the content that doesn’t match my reasons for reading.

Winning content is read. I will read in their entirety articles that are genuinely interesting to me. Optionally, I will tag and/or share those interesting articles.

Tagging an article in Feedly is called “saving to a board.” These tags can be acted upon in IFTTT or Zapier. For example, I have an IFTTT recipe that posts articles with a specific tag into a Slack channel for me. This is an efficient way to keep track of the most interesting articles I’ve seen recently and share them with others in my Slack teams. We often build podcast scripts and newsletters in this way.

My other major use for Feedly tags (boards) is when I’m researching for a whitepaper, book, or presentation. Presentations, etc. are usually temporary projects that last a few months or a year. Therefore, these tags come and go. When the project is done and the articles all referenced, I’ll delete the tag to keep my Feedly interface as uncluttered as possible.

For sharing, I use Buffer, which pushes my shared articles to Twitter on a schedule. There are many ways to get content into Buffer, but I use the tight integration with Feedly the most.

Outside of Feedly, I mentioned that Twitter and Reddit are a part of my content discovery process. Twitter rarely offers articles, but it sometimes does. The Twitter timeline is so noisy that it’s easy to miss articles that someone might be sharing. If I get lucky, I get lucky, but frankly, hours and days go by in between my checks of Twitter. My odds of catching all of the interesting content shared on Twitter aren’t high.

Reddit is still a new tool for me. I monitor several subreddits for interesting content, but most of it is for personal entertainment and not serious research. The quality is all over the place on Reddit. Moderators are usually not that active, and the articles shared are all too often clickbait, content-free, or spammy. Interestingly, I discovered today that if you feed reddit.com/r/subreddit into Feedly, you can monitor the subreddit with RSS. I am going to see if that is a more efficient way to go through subreddits than using the Reddit app on my phone.

A parting thought.

To keep up with dozens or hundreds of feeds, reading needs to be part of your daily routine. For the feeds I monitor, there is an average of roughly 125 articles per weekday. The weekends slow down a bit, as do holidays. But if you don’t keep up, you’ll be overwhelmed with articles. I usually read first thing in the morning and late at night, taking me anywhere from 1 to 3 hours total each day — usually closer to 1.

As I said, there’s no harm in declaring amnesty. Fear of missing out is pointless. Almost nothing on the Internet is going to change your life. However, if you’re declaring amnesty all the time, you’re oversubscribed. If you’re in that situation, pick the best feeds and forget the rest. You want your reading to be profitable — not a burden.

by Ethan Banks at January 07, 2017 02:36 AM

January 06, 2017

The Data Center Overlords

Why We Wear Seat Belts On Airplanes

This post is inspired by Matt Simmons‘ fantastic post on why we still have ashtrays on airplanes, despite smoking being banned over a decade ago. This time, I’m going to cover seat belts on airplanes. I’ve often heard people balking at the practice for being somewhat arbitrary and useless, much like balking at turning off electronic devices before takeoff. But while some rules in commercial aviation are a bit arbitrary, there is a very good reason for seat belts.


In addition to being a very, very frequent flier (I just hit 1 million miles on United), I’m also a licensed fixed wing pilot and skydiving instructor. Part of the training of any new skydiver is what we call the “pilot briefing”. And as part of that briefing we talk about the FAA rules for seat belts: They should be on for taxi, take-off, and landing. That’s true for commercial flights as well.

Some people balk at the idea of seat belts on commercial airliners. After all, if you fly into the side of a mountain, a seat belt isn’t going to help much. But they’re still important.


Your Seat Belt Is For Me, My Seat Belt Is For You

In a car, the primary purpose of a seat belt is to protect you from being ejected, and to keep you in one place so the car around you (and airbags) can absorb the force of a collision. Another purpose, one that is often overlooked, is to keep you from smashing the ever loving shit out of someone who did wear their seat belt.

In skydiving, we have a term that encompasses the kinetic and potential energy contained within the leathery sacks of water and bones known as humans: meat missiles. Unsecured cargo, including meat missiles, can bounce around the inside of airplanes if there’s a rough landing or turbulence. With all that energy and mass, we can do a lot of damage. That’s why flight attendants and pilots punctuate their “fasten your seat belt” speech with “for your safety and the safety of those around you”.

A lot of people don’t realize that if you don’t wear a seat belt, you’re endangering those around you as much as, or more so, than yourself. Your seat belt doesn’t do much good if a meat missile smashes into you. Check out the GIF below:

[GIF embedded from imgur.com]

In the GIF, there’s some sort of impact and as a result the unsecured woman on the left smashes into the secured woman on the right. It’s hard to tell how badly they were hurt, though it could have been a lot worse having two heads smash into each other. The side airbag doesn’t do much good if one solid head hits another solid head. Had the woman on the left had her seat belt on, it’s likely their injuries would have been far less severe.

While incidents in commercial aviation are far rarer than in cars, there can be rough landings and turbulence, both expected and unexpected, and even planes colliding while taxiing. Those events can cause enough movement to send meat missiles flying, hence the importance of seat belts.

Commercial aviation is probably the safest method of travel, certainly safer than driving. But there is a good reason why we wear seat belts on airplanes. So buckle up, chumps.


by tonybourke at January 06, 2017 06:57 PM

My Etherealmind

Posit: Private Cloud Has Less Lock-In

Posit: A private cloud has less lock-in than a public cloud because realistic, practical alternatives exist and migration is possible

  • Moving between public cloud services is practically impossible.
  • It may never be possible.
  • Your business process is hostage to a third party and completely outside of your control from a timeline, cost and change view.
  • Consider: your business is under threat and cutting costs is imperative. Your cloud provider is forcing a migration to an updated service and you have a fixed time period to complete the upgrade process. You must spend to maintain service. Control is lost.
  • Loss of control is a lock-in.

In a private cloud, you have some greater degree of control over these issues. It’s a tradeoff.

Addendum: 20170106-17:30

  1. Take, for example, the collapse of public clouds by VMware, Cisco, HPE, Verizon etc. All of these are forcing your business to undertake an activity outside of your control.
  2. Amazon is quite ruthless about forcing customers to fit its technology. Machines are force rebooted, products are deprecated and discontinued regularly.
  3. Azure is forcing upgrades on its SQL products at a rapid pace, often beyond what customers are able to handle (they don’t have the resources to change their systems).


The post Posit: Private Cloud Has Less Lock-In appeared first on EtherealMind.

by Greg Ferro at January 06, 2017 04:11 PM

PacketLife.net Blog

Three Months with Google Fiber

I'm one of the lucky few to benefit from Google Fiber's recent expansion into new regions (before they nixed the whole thing). I've had the service for three months now and figured I should write up my experience with it thus far.

The Installation

Google Fiber announced that it would be expanding to the Raleigh-Durham metro area, known locally as "The Triangle", in January 2015. It's been a long game of hurry-up-and-wait since then, watching crews laying fiber all over town without hearing a peep from Google regarding availability. But in the fall of 2016, people were finally able to start signing up for service. Here's how my installation went.

September 3

Google Fiber registration opens! I sign up for service and pay a paltry $10 deposit, which gets credited toward my first bill. Over the next couple weeks, various utilities swing by to mark their lines in the ground. (Here's the color code for utility markings in the US, if you're curious.)

September 24

Google's contractor arrives on site to lay fiber from the curb to my house and to many of my neighbors' houses. Surprisingly, they cut my trench by hand, possibly due to the steep incline of my side yard.


The outside installers ran a single pair of fiber to a box mounted on the side of my house, with the remainder of the installation to be completed by the indoor tech. (As with Verizon FiOS, only one strand is needed for service.)

September 27

I receive a notification to schedule my installation. Of course, I pick the first available slot: 9:40am on October 3.


by Jeremy Stretch at January 06, 2017 02:40 PM

XKCD Comics

January 05, 2017

The Networking Nerd

Blogging By The Refrigerator’s Light

Blogging isn’t starting off to a good 2017 so far. Ev Williams announced that Medium is cutting back and trying to find new ways to engage readers. The platform of blogging is scaling back as clickbait headlines and other new forms of media capture the collective attention for the next six seconds. How does that all relate to the humble tech blogger?

Mindshare, Not Eyeshare

One of the reasons why things have gotten so crazy is the drive for page views. Clickbait headlines serve the singular purpose of getting someone to click on an article to register a page view. Ever clicked on some Top Ten article only to find that it’s actually a series of 10 pages in a slideshow format? Page views. I’ve even gone so far as to see an article of top 7 somethings broken down into 33(!) pages, each with 19 ads and about 14 words.

Writers competing for eyeballs are always going to lose in the end. Because the attention span of the average human doesn’t dally long enough to make a difference. Think of yourself in a crowded room. Your eyes dart back and forth and all around trying to find something in the crowd. You may not even know what you’re looking for. But you’ll know it when you see it. Your attention wanders as you scan through the crowd.

Blogging, on the other hand, is like finding a good conversation in the crowd. It engages the mind. It causes deeper thinking and engagement that leads to lasting results. The best blog posts don’t have thousands of views in the first week followed by little to nothing for the rest of eternity. They have active commenters. They have response pieces. They have page views and search results that get traffic years after publication.

The 3am Ah Ha Moments

Good blogs shouldn’t just be about “going viral”. Good blogs should have something called Fridge Brilliance. Simply put, the best blogs hit you out of the blue a day after you read it standing in front of your fridge door. BANG. Now you get it! You run off to see how it applies to what you’re doing or even to give your perspective on things.

The mark of a truly successful blog is creating something that lasts and is memorable in the minds of readers. Even if all you’re really known for is “that one post” or a series of great articles, you’ve made an impression. And, as I’ve said before, you can never tell which post is going to hit it big. So the key is to keep writing what you write and making sure you’re engaging your audience at a deeper level than their corneas.

That’s not to say that you can’t have fun with blog posts now and then or post silly things here and there. But if you really want to be known as an authoritative source of content, you have to stay consistent. One of the things that Dave Henry (@DaveMHenry) saw in his 2016 wrap-up was that his most viewed posts were all about product announcements. Those tend to get lots of headlines, but for an independent blog it’s just as much about the perspective the writer lends as it is for the news itself. That’s how you can continue to engage people beyond the eyeball and into the brain.


Tom’s Take


I’ve noticed that people still like to write. They want to share thoughts. But they pick the wrong platforms. They want eyeballs instead of minds. They don’t want deep thoughts. They just want an audience. That’s the wrong way to look at it. You want engagement. You want disagreement and argument and 4,000 word response posts about why you’re completely wrong. Because that’s how you know you’ve hooked the reader. You’re a splinter in their mind that won’t go away. That’s the real draw. Keep your page views. I’d rather have memories and fridge brilliance instead.


by networkingnerd at January 05, 2017 04:32 PM

My Etherealmind

Response: Cisco iWAN costs : networking

Doing an initial look into the cost of deploying a Cisco iWAN to see how it stacks up against Viptela or another SDWAN provider. Does anyone know what components or licensing is required for this? I’m lost. I see it requires a Cisco APIC-EM to be setup, but then how does the licensing for this work?

Interesting, the breadth of vendor discussion – Cisco iWAN, Meraki, Viptela, Cloudgenix, Talari, APIC-EM, Glueware etc.

Comments like the following:

“Anything but iwan unless you prefer a complicated mess of technologies that predate the tube television.”

“APIC-EM is a hot mess. I would not recommend using it at this time for anything more than seeing what a mess it is. I recommend you look at something like Glue Networks Gluware for your orchestration tool over APIC-EM. In the WAAS space we picked Riverbed over Cisco WAAS because it would have required replacing our current routers with a new model in the middle of our lifecycle management. In our case, Viptela and Cisco were about the same cost, with maybe a slight advantage to Cisco”

“There are several drawbacks to Viptela. They tout it as a router replacement, but it’s definitely not. It can only do rudimentary NAT, not even a basic port forward without a lot of trickery. It has no concept of a native VLAN. Poor documentation. It’s expensive. At a per endpoint level, Viptela was almost $1k higher than a similar Cisco solution. Their hub-end routers were less expensive though, and they also have a pretty slick CLI template based orchestrator.”

Cisco iWAN costs : networking: “https://www.reddit.com/r/networking/comments/5jhzx0/cisco_iwan_costs/”

The post Response: Cisco iWAN costs : networking appeared first on EtherealMind.

by Greg Ferro at January 05, 2017 03:13 PM

Response: Vendor Frustrations on Subscription Pricing

The pain of software subscriptions is only just beginning. In this case, $vendor is being sneaky about unchallenged price increases.

MrFogg97 – Network Ramblings: Vendor Frustrations: “Today I sit here, last day of vacation. Skimming through work email just so it doesn’t overflow. (I am pretty bad at the disconnection part). I have received 2 emails from vendor $. Basically telling me that my renewal is about 60 days past and wondering am I going to renew. Oh and they have graciously allowed me to continue to use the product. Along with this was a quote for 3 years for the product.”

The post Response: Vendor Frustrations on Subscription Pricing appeared first on EtherealMind.

by Greg Ferro at January 05, 2017 03:00 PM

Musing: Average Life Span on S&P Index

On average, your big corporate employer won’t be around in ten years.


Plan your career accordingly.

  • When the boss says “people are our most important asset” it’s not about you particularly.
  • Don’t transfer responsibility for your life and career to someone else.
  • Don’t trust your employer to be on your side. They can be, but the company comes first, profits second… and several steps later it’s you.

Source: https://twitter.com/CBinsights/status/808861430908850176

The post Musing: Average Life Span on S&P Index appeared first on EtherealMind.

by Greg Ferro at January 05, 2017 11:56 AM

January 04, 2017

XKCD Comics

January 03, 2017

My Etherealmind

Now its a Microblog

The transition to Packet Pushers is complete.  My long-form technical and analytical writing is published there.

Etherealmind will become a “microblog”:

  1. I want to share links, thoughts, references, and observations that I collect from reading and research.
  2. Posts with just a few sentences and a link to the source.
  3. It’s not practical to publish to Twitter, Facebook, LinkedIn etc. individually. Nor do I want to; I own this content.

The RSS feed is changed to full content.

The post Now its a Microblog appeared first on EtherealMind.

by Greg Ferro at January 03, 2017 07:32 PM