May 18, 2012

Cisco IOS Hints and Tricks

OpenFlow @ Google: Brilliant, but not revolutionary

Google unveiled some details of its new internal network at Open Networking Summit in April and predictably the industry press and OpenFlow pundits exploded with the “this is the end of the networking as we know it” glee. Unfortunately I haven’t seen a single serious technical analysis of what it is they’re actually doing and how different their new network is from what we have today.

by Ivan Pepelnjak (noreply@blogger.com) at May 18, 2012 10:21 PM

Internetwork Expert Blog

CCNA Wireless 5-Day Bootcamp Begins Monday

Don’t forget that on Monday, May 21, INE begins our 5-Day CCNA Wireless course.
If you haven’t signed up yet, there’s still time to do so here.

The course will be streamed live, online here.

Look forward to seeing everyone on Monday.

by Mark Snow, CCIE #14073 at May 18, 2012 07:14 PM

Packet Pushers Blog/Podcast

Another Teaser From the Packet Pushers

We hinted at something coming from the Packet Pushers in an earlier post. Well, here’s another hint… Wookieepedia shares with us the following: The prophecy of the Chosen One was an ancient Jedi legend that foretold the coming of a being who would restore balance to the Force. The idea of balance of the Force, a central tenet of the Jedi [...]

by packetpushers@gmail.com at May 18, 2012 04:00 AM

May 17, 2012

My Etherealmind

OSX: SmartSleep App Review

Quick review of one of my favourite system tools for the Mac - SmartSleep


by Greg Ferro at May 17, 2012 08:57 PM

The Data Center Overlords

Cisco ACE: Insert Client IP Address

Source-NAT (also referred to as one-armed mode) is a common way of implementing load balancers into a network. It has several advantages over routed-mode (where the load balancer is the default gateway of the servers), most importantly that the load balancer doesn’t need to be Layer 2 adjacent/on the same subnet as the servers.  As [...]

by tonybourke at May 17, 2012 04:45 PM

Packet Pushers Blog/Podcast

Interop 2012 Round-Up

I usually attend one or two trade shows per year, with Cisco Networkers/Live being the primary focus. That mostly has to do with being a largely Cisco shop, and my own predilections as much as with my general lack of time and a desire to maximize what I do have. Other shows and events I [...]

by packetpushers@gmail.com at May 17, 2012 01:15 PM

Network Complexity Bites Back

Let me tell you a story. The cell phone service at my house stinks. On a good day, if I walk out on the porch and lean against the rail, I can get one bar of signal. If it’s raining and the middle of the summer, where the trees have a good covering of leaves, [...]

by packetpushers@gmail.com at May 17, 2012 12:48 PM

Internetwork Expert Blog

Call Control Discovery via Service Advertisement Framework – Part 3 of 6

Continuing on in our series on CCD, today we’ll look at the 3rd video (the shortest) in that series (video #55) from our current 62-hour CCNP Voice v8 bootcamp.

  • CCD via SAF :: Overview (29m)
  • CCD via SAF :: CUCM Inter-Cluster Call Routing (1h 32m)
  • CCD via SAF :: CUCM Call Routing with PSTN Failover (29m)
  • CCD via SAF :: CUCM Call Routing during SRST Fallback (48m)
  • CCD via SAF :: CUCM to CME Call Routing (54m)
  • CCD via SAF :: Inter-Cluster RSVP via SIP Preconditions (21m)

by Mark Snow, CCIE #14073 at May 17, 2012 08:00 AM

    CCIE R&S – PfR/OER Video Available Soon

    It’s 8:30pm here in Bellevue, WA and I just finished the PfR/OER section of the 10 Day R&S CCIE Bootcamp that was broadcast live online. The session started at 9:30am this morning with a break for lunch and we ended up with roughly 10 hours of video. We had over 5000 unique IP addresses connect during the session and at the peak we were pushing nearly 80GB with our content provider. If you didn’t attend the live session, the recording will be available at the end of this week or first part of next week. I covered everything from basic PfR/OER configurations using static routes and BGP to very advanced PfR/OER configurations using PBR with GRE tunnels. This should be what everyone needs to help them prepare for the CCIE lab and fully understand PfR/OER.

    I’ll post an update once the video is available. Additionally I’ll publish the diagrams, initial configurations and some lab scenarios with final configuration so you can follow along with the video.

    Lastly I’ll ensure that this video is made available to our customers free of charge. Unlike some vendors who want to nickel and dime you to death by charging you for material that should be included in their main products, I’m going to ensure if you’re an INE customer you get access to the video free of charge.

    by Brian Dennis, CCIE #2210 at May 17, 2012 03:46 AM

    May 16, 2012

    Renesys Blog

    The Pirate Bay Still Afloat

    The popular torrent site The Pirate Bay (TPB) suffered a widespread outage today as reported by several media outlets: BBC, TorrentFreak, PC Magazine, ZDNet, The Huffington Post and many others.

    To understand why The Pirate Bay disappeared, we'll look at them from a routing perspective, noting that without widely accepted routes to their IP space, they will lack global connectivity. TPB operates an autonomous system, AS 51040, which has two Internet service providers, namely, ROBTEX (AS 48285) and Serious Tubes Networks (AS 50066). TPB also has several peers, the most prominent of which is Hurricane Electric (AS 6939). To provide their services, The Pirate Bay originates two IP networks or prefixes: 194.14.56.0/24 (Pirate Networks) and 194.71.107.0/24 (The Pirate Bay). The 194.14.56.0/24 prefix appears to be TPB's core network, while 194.71.107.0/24 appears to host TPB's main domains, such as piratebay.net, piratebay.org, thepiratebay.com etc.

    May 16, 2012 10:08 PM

    My Etherealmind

    Sponsored: Brocade Virtual Symposium – Storage Convergence

    Continuing the series from the Brocade Virtual Symposium. In a special video session that was sponsored by Brocade, we got Chip Copper in the room with Stephen Foskett to talk about storage convergence. Over the last few years, I've been very critical of Ethernet storage protocols like [FCoE](http://etherealmind.com/tag/fcoe/) and the fact that storage protocols are unlikely to work well. There are a few times here where Chip was able to give me answers and a different viewpoint that gave me a different take on the solutions.


    by Greg Ferro at May 16, 2012 07:29 PM

    The Networking Nerd

    Cisco Live 2012 – The Place To Be Social

    With less than a month to go until Cisco Live 2012 in San Diego, we’re learning more and more about the festivities every day.  From the closing keynote speakers to the Customer Appreciation Event (CAE) band, it’s shaping up to be a very exciting event.  One area that I’m particularly excited to learn more about is the social side of things.  Last year was the best Cisco Live event I’ve ever attended, due in large part to all the people that I interacted with from Twitter and other social media sites.  We spent so much time hanging out together outside the registration desk that our group of tables was nicknamed “Tom’s Corner”.  I still blush a little bit when I think of that moniker.  It was wonderful having a place for everyone to come and sit down for a bit and just hang out or discuss sessions or speakers.  Even if we did have to fight for table space or chairs from time to time, I feel that having a place set aside for everyone to meet is a wonderful idea.  For Cisco Live 2012, the great folks at Cisco that are behind social media realize that too.  That leads to a couple of exciting new opportunities this year.

    Social Media Lounge

    The first thing that I’m excited about is a specific area set aside in the World of Solutions (WoS) for social media!  I always hear about “blogger lounges” and other such places at other vendor events or trade shows.  Cisco must have heard about them too, because we’re going to have our own spot at Cisco Live.  Much like the NetVet Lounge or the Cisco Certified Lounge, social media will finally have a hangout to call our own.  Based on some information that I’ve seen, it’s going to be a nice place to congregate and relax.  Couches galore, TVs all around, and even perhaps some entertainment options like an XBox or two.  This will also be the place where Cisco’s social media team will likely be hanging out as well, so if you want to interact with them then this is the place to be.  I’m already planning on moving myself in the second the WoS opens up.  I wonder if they’ll let me hang a banner…?

    CAE Tweetup

    Since last year’s CAE Tweetup was such a rousing success, there’s going to be another one this year.  I’m excited for all the same reasons that I’m thrilled about the social media lounge.  The CAE Tweetup is going to be even better though.  I’ll give you a hint why:

    That’s where we’re going to be!  Originally, the Western Metal Supply Company building was going to be torn down when Petco Park was being built in 2004.  Since it was such a historic piece of San Diego, the park designers found a way to incorporate it into the actual architecture of the park.  The Western Metal Building has now been converted into a section of luxury suites with balconies and even a viewing terrace on the roof.  During the CAE, one of those suites will house the Tweetup.  It’s going to be a great time for sure.  I’ll post more info about the CAE once my Cisco Live moles feed me more information.

    Other Tweetups

    Since the WoS (and social media lounge) will only be open from Monday evening to Thursday afternoon, there’s been discussion of what to do about meeting up with people around those hours.  It’s always great to get in and hang out with everyone on the first day, especially since many of us don’t get to see each other unless we run into one another at Cisco Live.  Since I’m arriving around lunchtime on Sunday, June 10, I was talking to the Cisco Live folks about having an impromptu tweetup that afternoon, say around 3 p.m. or so.  The event schedule for Sunday looks fairly light, so having a tweetup around that time would give us all a chance to stop by and say hello before wandering off to parts unknown.  There’s still not a firm place nailed down for the meeting, so once again I’ll be relying on my Bothan spies to get me the information as soon as possible.

    Another idea being kicked around is a farewell tweetup sometime on Thursday.  The closing keynote runs from 2:00 to 3:00, but afterwards there are going to be many people that either don’t have sessions or just want to hang out one last time.  What would be a good time to have this last Twitter party of Cisco Live?  Last year we all hung out at Tom’s Corner until they came and took our tables away before heading off to dinner.  This year, I was thinking we could use the final meetup to take an awesome picture next to the Cisco Live sign like this one from last year:

    The Cisco Live 2011 Twitter Army

    There were a few folks that couldn’t make it to the photo session last year for various reasons.  This year, I figured if we got it all planned ahead of time no one would be left out. If you have any good ideas for the Thursday tweetup, either time or location, leave me a comment.  I’ll be sure to forward it on to the Cisco Live folks and make your voice heard.

    Tom’s Take

    Social media is a wonderful and powerful thing.  As you can see, Cisco is putting a lot of extra effort into social media and its participants this year.  From having our own lounge in the WoS to having a luxury box at the CAE, there’s no denying that it’s going to be a great time.  If you haven’t already, make sure you’re on the Cisco Live 2012 Twitter List.  That way, we can all link up easier and put names and faces to Twitter handles.  You should also log into your Cisco Live account and be sure your Twitter handle is there so it can be printed on your badge.  Let’s face it, most of us are more familiar by our handles and avatars than we are by our given names.  Hopefully, that will change with all the amazing opportunities that Cisco has given us to hang out together at Cisco Live 2012.  I can’t wait!


    by networkingnerd at May 16, 2012 03:44 PM

    CCIE Journey

    The INE 2012 Scholarship

    INE’s scholarship is back again.

    Through the years Brian Dennis, CCIE #2210 (Routing & Switching, ISP Dial, Security, Service Provider, Voice) and Brian McGahan, CCIE #8593 (Routing & Switching, Service Provider, Security) have been devoted to revolutionizing the way CCIE Lab training is approached. Since 2004 their vision of success for CCIEs has changed the market and helped shape where it stands today. From inventing new ways to tackle technologies, to their famous CCIE Lab Workbooks, and now the highly sought after 10-Day Bootcamp, “The Brians” and INE continue to help networking professionals around the world achieve their own CCIE certification.

    As part of Brian Dennis’ and Brian McGahan’s ongoing commitment to the CCIE community, INE is pleased to announce the INE 2012 Scholarship.

    For CCIE Routing & Switching applicants, we will be choosing a scholarship recipient per region (Africa, Asia, Canada, Europe, Middle East, North America (US/Mexico), Oceanic (Australia) and South America) from the applicant pool. For those interested in CCIE Voice Training, we will be choosing two recipients from around the world. INE is providing a total of 10 CCIE Training Scholarships valued at $120,000!

    by CCIE Journey at May 16, 2012 02:21 PM

    Cisco IOS Hints and Tricks

    Are Fixed Switches More Efficient Than Chassis Ones?

    Brad Hedlund did an excellent analysis of fixed versus chassis-based switches in his Interop presentation and concluded that fixed switches offer higher port density and lower per-port power consumption than chassis-based ones. That’s true when comparing individual products, but let’s ask a different question: how much does it take to implement a 384-port non-blocking fabric (equivalent to Arista’s 7508 switch) with fixed switches?

    by Ivan Pepelnjak (noreply@blogger.com) at May 16, 2012 08:28 AM

    In Search of Tech

    Setting Up Partners For Failure?

    A short post, but this has been on my mind for a few months.

    People who work for resellers and vendors typically have access to competitor information. This is usually a comparison or contrast against whomever the vendor sees as their competition. Sometimes it is generic in nature, and other times it is tailored to specific competitors.

    For example, if you were an EMC partner, you might get to see what EMC’s views are regarding NetApp, HP, IBM, Hitachi, Dell, and other storage vendors. They give you this information so that if you have to go and sell against these other vendors, you can emphasize all the benefits of your vendor of choice, and bring up all the negative things about the competition. If you happen to work for a vendor, you probably have access to even more information about the competition as vendors trust partners to a certain extent, but they aren’t going to give them everything as it relates to their competition.

    There are a lot of people out there who don’t really care for the competitive information. They see it as marketing nonsense and don’t waste their time reading it. I tend to read a fair amount of this stuff since my company partners with so many different vendors. I do this because I like to be prepared when it comes time to discuss the pros and cons of various vendors. I will never think of everything on my own, so I can leverage this type of information and gain a bit more insight into the various vendor products.

    The Problem

    As I read through this stuff, I find myself wondering if vendors aren’t setting partners up for failure. Two issues I have noticed are:

    1. Vendors do not admit their own shortcomings in the competitor info documents. I realize you only want to emphasize the good points, but eventually someone will bring up a deficiency and your salespeople won’t know how to answer it unless they have an engineer with them, or they REALLY know the product they are pitching. Some of the competitor info will mention what to respond with if the other side brings up any “perceived” weaknesses, but it is usually some vague statement attacking a “straw man” and not really dealing with the initial claim.

    2.  Some of the information regarding other competitors is just plain wrong. I was recently combing through a particular vendor’s competitive analysis documents on one of their competitors, and the points raised in opposition to the other vendor were incorrect. I don’t mean that they embellished a little. I meant that they were factually incorrect. They were wrong enough to where even a semi-competent customer would be able to shoot down the claims made in the competitive info document as false.

    Closing Thoughts

    Competitive info can be useful provided it is realistic and somewhat sincere. Filling people up with outright lies or generic marketing messages will eventually get them in trouble. Someone is bound to call them on it, and when they don’t know how to respond, they end up looking like an idiot.

    What are your thoughts on competitive information?

    by Matthew Norwood at May 16, 2012 07:26 AM

    May 14, 2012

    Cioara's Cisco Blog

    Book Review: MPLS Fundamentals from Cisco Press


    If you are in the market for a good MPLS resource, check out the Cisco Press book MPLS Fundamentals: A Comprehensive Introduction to MPLS Theory and Practice. I've nearly finished reading this over the past few weeks and it's definitely a great place to start if you have never really worked with MPLS.

    Of course, everyone is still waiting for an MPLS CBT Nugget from Jeremy.  However, until something like that is created - if you need to know more about the technology this is a great resource.


    by Adam at May 14, 2012 04:35 PM

    Networking Now (Juniper Blog)

    Quick Facts about vGW Antivirus and IDS

    When it comes to vGW antivirus and IDS, we get a lot of questions about performance, signatures, and whether traffic has to be sent to an external device for inspection.

    With vGW, both the IDS and antivirus engine signatures are housed on the vGW Security VM (SVM). The packets are not sent to an external location for processing on the antivirus engine.

    vGW antivirus also comes in two flavors: 1) an on-access scan and 2) an on-demand scan. Think of on-access as real time with a micro agent loaded in each VM, but with the signature repository residing on the SVM.  If, for instance, a user tries to save an infected file to their VDI VM, the vGW on-access scan will intercept and quarantine the file. The on-demand option is more like point-in-time or offline antivirus. It uses a micro snapshot, scans the offline VMDK file, and then recommits the snapshot. This way, you can optionally schedule your VM scans during maintenance windows or off-peak hours to ensure that virus scanning does not negatively impact business-critical traffic.

    Finally, the IDS engine is not inline and, therefore, firewall performance is not directly affected and the maximum throughput on any ESX/ESX(i) host in the environment is approximately 2 Gbps. The IDS processing is done on the SVM with stats rolled up for reporting to the Security Design management center. This processing can also be exported using packet mirroring or spanning to an external engine. Please note that this is only IDS and not an IPS option.

    For more information please contact Cloud Security Sales.

    by eomalley at May 14, 2012 04:00 PM

    Cisco IOS Hints and Tricks

    Virtual Networks: the Skype Analogy

    I usually use the “Nicira is Skype of virtual networking” analogy when describing the differences between Nicira’s NVP and traditional VLAN-based implementations. Cade Metz liked it so much he used it in his What Is a Virtual Network? It’s Not What You Think It Is article, so I guess a blog post is long overdue.

    Before going into more details, you might want to browse through my Cloud Networking Scalability presentation (or watch its recording) – the crucial slide is this one:

    by Ivan Pepelnjak (noreply@blogger.com) at May 14, 2012 08:01 AM

    The Networking Nerd

    So Long To The CCIP

    The Cisco Certified Internetwork Professional (CCIP) certification has always been the goal of those network professionals that wanted to march to the beat of a different drummer.  People like me that concentrate on the enterprise/campus side of things revel in our use of OSPF and EIGRP.  We live and die by IOS and get cold sweats at night when someone mentions IS-IS.  The ideal CCIP candidate, on the other hand, loves all of this service provider oriented talk.  They want to spend all their time talking about ingress QoS policies.  They cackle with glee when the subject of MPLS-TE comes up.  They think users are just a myth that exists on the other side of the mythical CPE Wall.

    The problem, though, is that the CCIP hasn’t really been focused on the service provider arena for a while now.  While the other professional level exams have received overhauls in the recent past, no one touched the CCIP.  When the CCVP and CCSP became the CCNP: Voice and CCNP: Security, no one wanted to make the CCNP: Internetwork.  The coursework for the CCIP has always relied heavily on other tracks to exist.  QoS is a big part of the SP world, so the QoS exam was borrowed from the voice track.  Routing is another huge part, so the old Building Cisco Scalable Internetworks (BSCI) test was repurposed as well.  The only pure CCIP exams were over BGP and MPLS.  You could even take a composite exam if you were feeling up to the challenge of getting your teeth kicked in for twice as long.  However, the routing exam has caused some consternation.  When I originally studied for my CCNP three years ago, the BSCI book was a handbook of enterprise and service provider routing.  It contained a lot of information about every routing protocol.  While it focused on OSPF and EIGRP, there was a touch of BGP and IS-IS as well.  It served as the foundation for the CCNP, CCDP, and the CCIP.  This made sense with Cisco’s foundation being the router.  However, when Cisco changed the tests and courseware for the CCNP with their latest refresh, the new ROUTE test was a shell of its former self.  Based on the blueprint (login required), it still tests on OSPF, EIGRP, and BGP somewhat.  It even throws in IPv6 routing as well, which is a sorely needed topic.  However, there’s no IS-IS.  None. Nada. Zilch.  How’s that supposed to help the SP engineer that might use IS-IS all the time and never see EIGRP?  Something needed to be done.  And every passing day that the CCIP relied upon tests that didn’t fulfill the criteria of the people being certified was a day that it passed closer to irrelevance.

    Thankfully, Cisco decided in May 2012 to overhaul the entire CCIP track.  Now known as the CCNP: Service Provider, it finally focuses on the things that service provider network professionals will be doing.  The four new tests are specific to the SP track.  There are no overlapping tests.  The prerequisite for the CCNP: SP is the CCNA: SP, which is two SP-specific tests of its own.  Cisco has finally figured out that most SP engineers exist in a world all their own with very little in common with enterprise/campus folks.  A quick glance at Mirek Burnejko’s excellent IT Certification Master page for the CCNP:SP shows that the SPROUTE test will focus on IS-IS, OSPFv2 and v3, and BGP.  No EIGRP to be found.  It also tests these topics on IOS-XR and IOS-XE, the new flavors of IOS that run on the equipment that would be found in an SP environment.  If you’d like to see more about the ins and outs of IOS-XR, check out Jeff Fry’s (@fryguy_pa) IOS-XR posts.  The SPADVROUTE test focuses on BGP and multicast, the two odd ducks of routing.  This means that you can spend your time reading Jeff Doyle’s Routing TCP/IP Volume 2 and take a test basically over that whole book.  The SPCORE covers QoS and MPLS functionality such as MPLS-TE.  That’s where I’d expect to see the TE stuff, since it’s usually configured in the network core and not on the edges.  The SPEDGE test covers MPLS VPNs, as well as VPN technologies in general.  I like that Cisco chose to split the core and edge pieces of the CCNP: SP, as there are people that may spend their entire careers working on P routers and never see a piece of CPE equipment.  Conversely, there are those that want to stay as far away from the core as possible and would prefer to make the PE router their device of choice.

    The CCNP: SP is available today at any Prometric/VUE testing center.  You can find out more about the certification from Cisco’s website or by visiting Mirek’s site above.

    Tom’s Take

    Cisco has done a great job of breaking the CCIP up into bite-sized chunks that have clearly defined topic boundaries.  I can choose to focus on interior routing without worrying about multicast.  I can focus on MPLS VPN without thinking too much about MPLS-TE.  I can focus on the important parts one at a time.  The new CCNP: SP also addresses the shortcomings I’ve seen with the old CCIP test.  By giving the SP track a dedicated testing platform all by itself, Cisco no longer has to worry that test changes in one area will carry over to a separate track and cause confusion and delay.  As well, with the new branding and focus on the service provider arena, Cisco has shown that it has not forsaken those that want to spend their time working behind the scenes at ISPs.


    by networkingnerd at May 14, 2012 03:37 AM

    May 13, 2012

    Internetwork Expert Blog

    INE R&S CCIE Product and Rack Updates – May 2012

    R&S CCIE Training Video Updates:
    As most of you already know we’ve totally redone nearly all of the R&S CCIE training videos over the past year. I’ve removed for sale the vast majority of what I will call for lack of a better term, sub-par, R&S CCIE videos that were done in the past by some of our former instructors. After being gone for nearly two years and coming back a year ago I reviewed the quality of the videos in question and the feedback from our customers and decided that these videos were not up to the traditional standard of INE’s products and services. We will continue to add more R&S CCIE videos in the future but they will only be done by Brian McGahan or myself.

    R&S CCIE Workbook Updates:
    We are in the process of testing out a few options to move the workbooks away from a traditional MS Word document format for authoring and PDF for the final product release. This legacy format makes it hard to make even the smallest change without becoming a major project. We are looking into switching over to a web based format (i.e. wikipedia style) that will allow for a faster updating process and better overall reader experience. We will still offer the PDFs for offline viewing and printing but the latest version will always be available through your members site account. By moving it to the web you will be able to optimize and customize your flow through the products. My personal goal is to move away from a separate product model (R&S Vol I, Vol II, ATC Videos, Mock Labs, etc, etc, etc) to a single all encompassing product (workbook and videos) by the end of 2012.

    New Troubleshooting labs for Volume II are going to be in beta starting in June with final release by the end of June. We’re updating the configuration labs after the TS labs are released. The new Volume III will be released starting this week. I’m working on some changes to the Volume I workbook and hoping to start releasing them next month also.

    R&S CCIE Rack Updates:
    We’re currently using the Cisco 360 topology for my live bootcamps and will start to rent out the racks to customers in June when I’m not running a live bootcamp. The topology is identical using all ISRs (1841, 2811, 3825) and four 3560s but the material is 100% INE’s. Additionally the traditional INE R&S topology will be updated to remove the 2600XMs and consolidate the backbone routers starting in June. Not much will change other than the Serial interfaces on R1 and R2 from S0/0 and S0/1 to S0/0/0 and S0/1/0. All R&S rack rentals will also move to a 3 hour rental block as opposed to the standard 6 hour block. This will allow for more flexible starting and ending times.

    R&S CCIE Troubleshooting Bootcamp and Racks:
    I’m running the first R&S CCIE Troubleshooting bootcamp the following week here in Bellevue. We have 14 dedicated Troubleshooting racks each using 27 1841s, 1 2811 (FRS) and 4 3550s. You will be able to rent these racks in June in 3 hour blocks and access the same lab material that is used in the Troubleshooting live bootcamp. We will also be beta testing instantaneous grading for them in late June/early July.

    Lastly I would like to once again extend the invitation out to any former student who attended an INE bootcamp that wasn’t taught by me to reseat one of my bootcamps. Contact Jeremy Brown at jbrown@ine.com or myself directly.

    by Brian Dennis, CCIE #2210 at May 13, 2012 09:09 PM

    My Etherealmind

    How TRILL (and SPB) Can Reduce STP Risk and Mitigate Impact

    In this post, I'm looking at network designs with ECMP cores using TRILL or SPB. I'm realising that STP is equally improved in terms of risk and performance by reducing the STP domain size, which leads to better stability, reduced risk and impact mitigation.


    by Greg Ferro at May 13, 2012 06:08 PM

    Internets of Interest for 13th May 2012

    Collection of useful, relevant or just fun places on the Internets for 13th May 2012 and a bit of commentary about what I’ve found interesting about them: Searching for an SDN Definition: What Is Software-Defined Networking? – Network Computing – Mike Fratto at NetworkComputing.com : I’m using VMware as an example, but there are and [...]


    by bookmarks at May 13, 2012 04:54 PM

    Potaroo blog

    Bemused Eyeballs

    How do you create a really robust service on the Internet? How can we maximise speed, responsiveness, and resiliency? How can we set up an application service environment in today's network that can still deliver service quality and performance, even in the most adverse of conditions? And how can we engineer applications that will operate robustly in the face of the anticipated widespread deployment of Carrier Grade NATs (CGNs) as the Internet lumbers into a rather painful phase of a depleted IPv4 free pool and continuing growth pressures? Yes, IPv6 is the answer, but between here and there are a few challenges. And one of these is the way applications behave in a dual stack environment.

    May 13, 2012 03:18 PM

    May 12, 2012

    Peter's CCIE Musings and Rants

    Why I don't fear for work in I.T. Due to the "cloud"


    Hi Guys

    It is very very rare that I do a "social commentary" post, I am and forever will be an Engineer (SP), but the ability to make a living doing what I love (Engineering, be it networking, storage, servers, whatever) or rather, the possibility that something might make jobs harder to find always worries me, hence I want to spend a bit of time talking about "The Cloud."


    With this in mind I would like to quickly talk about the fear mongering around "cloud" services. The word itself is enough to make many people roll their eyes, and I couldn't agree more: the term itself is just a marketing buzzword, and the concept behind it (that is, services or infrastructure over a network) has been going on for ages. If anyone ever asks me to define cloud, I normally point them in the direction of Xbox Live as a suitable example of a "cloud service".

    Anyway, if the FUD is to be believed, more cloud services will lead to the end of your job in IT, all to be outsourced to the "cloud", which, using the economics of scale, can cover every possible computing situation you could ever need with a total of four employees: A CEO to "align our services with your business needs and quantify the cloud as an ROI investment", a Sales guy, a super cheap but very bad "engineer" to look after it all and a janitor to clean up the mess.

    (Ugh, Excuse me I just threw up a tiny bit, Is it any wonder I love engineers who perform tangible services, they BUILD things, rather than MBA types who talk about "quantifying" things)

    Let me help you put this fear to rest guys using a simple example of history, IT has been struggling with scale since day 1. Here are some examples of scale in IT:

    Storage:
    We didn't have enough disk space and our disks were not reliable enough, so we invented RAID.
    RAID was good for a time, but not efficient and not as scalable, so we invented SANs. Still, disks were not fast enough, so we created SSDs.

    Computing:
    Our CPUs and memory are obviously constantly expanding. We have actually reached (or are close to reaching) the limit of how fast we can clock CPUs, so to scale we added more cores. We still couldn't get enough and we wanted to ensure we used it more efficiently, so we invented virtualization. We STILL needed more scale! So we invented blade chassis to increase computing density.

    Internet:
    The Damn internet itself was invented so researchers could pool resources!


    Are you seeing a trend here? Scale. 


    Cloud is just a natural progression of that scale, and as we build more "cloud" services, all that will happen is that the demand will increase.

    Look back at some of the marketing material for some of the technologies above; they are all advertised with a mantra quite similar to that of "cloud":


    • Do more with less!
    • Reduce your operating expenses!
    • Spend less time maintaining Systems!
    • Reduce capital expenditure!
    And, to be fair, each technology HAS accomplished those goals, but only for a short period of time, then suddenly people want MORE computing, MORE resources, and we have to scale up and scale out AGAIN! (The main method of achieving scale that we are fond of in IT it seems is abstraction, abstraction leads to scale)



    Please trust me when I say your IT Jobs are not going anywhere, the demand for IT will never ever cease, the demand for more and more computing will simply not stop, there will never be a time when we turn to each other and say "yep, that's JUST ABOUT enough computing resources for us! Let's call it a day."

    In conclusion, I think that when you realize that the cloud is just a natural progression to help us address scale because there is just SO MUCH DEMAND for IT resources, it is easy to see that IT has a bright future, and hey if I am wrong and we are all going to be replaced by the massive self-maintaining, self-programming (yep, didn't even MENTION the fact that obviously this stuff all still needs to be programmed ;)), self-cleaning and self-healing benevolent cloud at least us network engineering guys will be the last to go, after all you gotta be able to connect to the "cloud" somehow ;).





    by peter_revill (noreply@blogger.com) at May 12, 2012 01:25 AM

    May 11, 2012

    Cisco IOS Hints and Tricks

    Transparent Bridging (aka L2 Switching) Scalability Issues

    Stephen Hauser sent me an interesting question after the Data Center fabric webinar I did with Abner Germanow from Juniper:

    A common theme in your talks is that L2 does not scale. Do you mean that Transparent (Learning) Bridging does not scale due to its flooding? Or is there something else that does not scale?

    As is oft the case, I’m not precise enough in my statements, so let’s fix that first:

    Read more ...

    by Ivan Pepelnjak (noreply@blogger.com) at May 11, 2012 08:14 AM

    Packet Pushers Blog/Podcast

    Understanding Brocade’s ISLs and ECMP Just a Wee Bit More

    In the Brocade Virtual Symposium hosted by Packet Pushers and Tech Field Day, Part 3: Multi-Path vs. Multi-Chassis shows us an interesting case of using ECMP and VCS with different size ISL links. Ivan Pepelnjak asks a question. If Brocade is using ECMP as dictated by TRILL, will there be underutilised bandwidth as each of the links have [...]

    by packetpushers@gmail.com at May 11, 2012 03:28 AM

    Show 102 – A Layer of Indirection: Is MPLS Tunneling?

    Greg Ferro and Ethan Banks dive into a deep, dark hole of nerdery with Ivan Pepelnjak, Marko Milivojevic, and Petr Lapukov to see if we can decide whether or not MPLS is tunneling. We plumb the depths of packet and frame formatting, compare and contrast various technologies, toss different scenarios around, contradict one another, and throw buckets of cold water all over the place. In the end, we think we have an answer. So put the kids to bed, cram in your earbuds, and visualize the virtual whiteboard. Close your eyes...focus...there it is! All that's missing is the smell of dry erase markers. What We Talk About In the witty opening banter, we find out Greg is an Interop judge, Petr works on something called "Bing", and Marko is teaching the first CCIE ever a thing or two. Oh, and who WAS the first CCIE anyway? Hint - not our friend Terry. Not quite. From here, the show gets serious, and includes the following topics: Foundations: circuits vs. connections vs connectionless. How is a tunnel different from a virtual circuit? How do we say that a circuit has "state"? We could think of a tunnel as "a layer of forwarding indirection". The tricky business of distinguishing between the OSI model (classical layering) vs. what we normally consider tunnels. Now wait a minute...could MPLS be considered NAT in a certain sense? So...maybe a tunnel is tunnel when you see the same protocol twice in the header. Redefining a tunnel as "a layer of frozen interaction". MPLS is not exactly L2 or L3. It's a total layering violation. How do CRC checks impact our definition of tunneling? Isn't it time for a new networking model? Once we've hammered through all of that, we loop back around to review why we had the chat. The question comes back up - why are we reinventing the wheel in data center networking? Couldn't an MPLS application be written to do many of the same things the explosion of overlay protocols are doing? Or would we have scalability problems?

    by packetpushers@gmail.com at May 11, 2012 02:00 AM

    PacketLife.net Blog

    How Much Can Go Wrong with a Cross-Connect?

    In data centers, customers are interconnected with carriers and other customers using dedicated physical connections called cross-connects. These can be just about any type of medium, however most cross-connects run inside a single building are copper or fiber Ethernet. In the simplest of cases, a cross-connect can be a single CAT 5e or 6 cable running from a patch panel in one cage to a patch panel in another cage. Very little can go wrong, or so one might think.

    I ordered two such Gigabit Ethernet cross-connects recently. Two lines of CAT 6 cable from a cage leased by company to a customer's cabinet down the hall. Simple. One of the cross-connects came up fine, as usual. The other did not.

    This was odd, because the data center tech who installs the cross-connect is responsible for certifying its operation before making it available to the customer. I check it out with my Fluke and see that pairs 3/6 and 4/5 are crossed. No big deal, probably just needs an end re-terminated. I disconnect the patch cables from the panels at either end of the cross-connect so a tech can re-terminate it, open a trouble ticket with the data center, and go on about my day.

    The next day, I get an email confirmation that ticket with the data center has been closed. Awesome. I go to plug the cables back in thinking the issue has been resolved. Same problem as before; a short on 3/6 and 4/5. Annoyed, I call up the data center help desk and ask what's up.

    Continue reading · 15 comments

    by Jeremy Stretch at May 11, 2012 01:12 AM

    Internetwork Expert Blog

    IOS XR Teaser – BGP as PE to CE for MPLS L3VPN

    Update: Congrats to Mark, our winner of 100 rack rental tokens for the first correct answer, that XR2 is missing a BGP router-id.  In regular IOS, a router-id is chosen based on the highest Loopback interface.  If there is no Loopback interface the highest IP address of all up/up interfaces is chosen.  In the case of IOS XR however, the router-id will not be chosen from a physical link.  It will only be chosen from the highest Loopback interface, or from the manual router-id command.  Per the Cisco documentation:

    BGP Router Identifier

    For BGP sessions between neighbors to be established, BGP must be assigned a router ID. The router ID is sent to BGP peers in the OPEN message when a BGP session is established.

    BGP attempts to obtain a router ID in the following ways (in order of preference):

    • By means of the address configured using the bgp router-id command in router configuration mode.
    • By using the highest IPv4 address on a loopback interface in the system if the router is booted with saved loopback address configuration.
    • By using the primary IPv4 address of the first loopback address that gets configured if there are not any in the saved configuration.

    If none of these methods for obtaining a router ID succeeds, BGP does not have a router ID and cannot establish any peering sessions with BGP neighbors. In such an instance, an error message is entered in the system log, and the show bgp summary command displays a router ID of 0.0.0.0.

    After BGP has obtained a router ID, it continues to use it even if a better router ID becomes available. This usage avoids unnecessary flapping for all BGP sessions. However, if the router ID currently in use becomes invalid (because the interface goes down or its configuration is changed), BGP selects a new router ID (using the rules described) and all established peering sessions are reset.

    Since XR2 in this case does not have a Loopback configured, the BGP process cannot initialize.  The kicker with this problem is that the documentation states that when this problem occurs you should see that “an error message is entered in the system log”, however in this case a Syslog was not generated about the error.  At least this is the last time this problem will bite me ;)

     


    Today while working on additional content for our CCIE Service Provider Version 3.0 Lab Workbook I had one of those epic brain fart moments. What started off as work on (what I thought was) a fairly simple design ended up as a 2-hour troubleshooting rabbit hole of rolling back config snippets one by one, debugging, and basically overall misery that can be perfectly summed up by this GIF of a guy smashing his head against his keyboard. :)

    The scenario in question was a BGP peering between two IOS XR routers.  One was the PE of an MPLS L3VPN network and one was the CE.  As I’ve done this config literally hundreds of times in the past I could not for the life of me figure out why the BGP peering would not establish.  The relevant snippet of the topology diagram is as follows:

    Since this scenario caused me so much pleasure I am offering 100 tokens good for CCIE Service Provider Version 3.0 Rack Rentals - or any of our other Routing & Switching rack rentals & mock labs, Security rack rentals, or Voice rack rentals – to whoever the first person is that can tell me why did these neighbors not establish a BGP peering.  The relevant outputs needed to troubleshoot the problem can be found below.  I still haven’t decided whether I’m going to leave this problem in the workbook or not since it’s such a mean one :)  Good luck!

     

     

    RP/0/0/CPU0:XR1#show run
    Fri May 11 00:34:38.563 UTC
    Building configuration...
    !! IOS XR Configuration 3.9.1
    !! Last configuration change at Fri May 11 00:32:50 2012 by xr1
    !
    hostname XR1
    username xr1
     group root-lr
     password 7 13061E010803
    !
    vrf ABC
     address-family ipv4 unicast
      import route-target
       26:65001
      !
      export route-target
       26:65001
      !
     !
    !
    line console
     exec-timeout 0 0
    !
    ipv4 access-list PE_ROUTERS
     10 permit ipv4 host 1.1.1.1 any
     20 permit ipv4 host 2.2.2.2 any
     30 permit ipv4 host 5.5.5.5 any
     40 permit ipv4 host 19.19.19.19 any
    !
    interface Loopback0
     ipv4 address 19.19.19.19 255.255.255.255
    !
    interface GigabitEthernet0/1/0/0
     ipv4 address 172.19.10.19 255.255.255.0
    !
    interface GigabitEthernet0/1/0/1
     ipv4 address 26.3.19.19 255.255.255.0
    !
    interface POS0/6/0/0
     vrf ABC
     ipv4 address 10.19.20.19 255.255.255.0
    !
    route-policy PASS
      pass
    end-policy
    !
    router isis 1
     is-type level-2-only
     net 49.0001.0000.0000.0019.00
     address-family ipv4 unicast
      mpls ldp auto-config
     !
     interface Loopback0
      passive
      address-family ipv4 unicast
      !
     !
     interface GigabitEthernet0/1/0/1
      point-to-point
      hello-password hmac-md5 encrypted 022527722E
      address-family ipv4 unicast
      !
     !
    !
    router bgp 26
     address-family ipv4 unicast
     !
     ! address-family ipv4 unicast
     address-family vpnv4 unicast
     !
     neighbor-group PE_ROUTERS
      remote-as 26
      update-source Loopback0
      address-family vpnv4 unicast
      !
     !
     neighbor 1.1.1.1
      use neighbor-group PE_ROUTERS
     !
     neighbor 2.2.2.2
      use neighbor-group PE_ROUTERS
     !
     neighbor 5.5.5.5
      use neighbor-group PE_ROUTERS
     !
     vrf ABC
      rd 26:65001
      address-family ipv4 unicast
      !
      neighbor 10.19.20.20
       remote-as 65001
       address-family ipv4 unicast
        route-policy PASS in
        route-policy PASS out
        as-override
       !
      !
     !
    !
    mpls ldp
     label
      allocate for PE_ROUTERS
     !
    !
    end
    
    RP/0/0/CPU0:XR1#
    RP/0/3/CPU0:XR2#show run 
    Fri May 11 00:35:04.932 UTC
    Building configuration...
    !! IOS XR Configuration 3.9.1
    !! Last configuration change at Fri May 11 00:30:30 2012 by xr2
    !
    hostname XR2
    logging console debugging
    username xr2
     group root-lr
     password 7 00071A150754
    !
    cdp
    line console
     exec-timeout 0 0
    !
    interface GigabitEthernet0/4/0/0
     ipv4 address 10.20.20.20 255.255.255.0
     ipv6 address 2001:10:20:20::20/64
    !
    interface POS0/7/0/0
     ipv4 address 10.19.20.20 255.255.255.0
     ipv6 address 2001:10:19:20::20/64
    !
    route-policy PASS
      pass
    end-policy
    !
    router bgp 65001
     address-family ipv4 unicast
     !
     neighbor 10.19.20.19
      remote-as 26
      address-family ipv4 unicast
       route-policy PASS in
       route-policy PASS out
      !
     !
    !
    end
    
    RP/0/3/CPU0:XR2#
    RP/0/0/CPU0:XR1#show bgp vrf ABC ipv4 unicast summary 
    Fri May 11 00:34:29.712 UTC
    BGP VRF ABC, state: Active
    BGP Route Distinguisher: 26:65001
    VRF ID: 0x60000002
    BGP router identifier 19.19.19.19, local AS number 26
    BGP table state: Active
    Table ID: 0xe0000002
    BGP main routing table version 1
    
    BGP is operating in STANDALONE mode.
    
    Process       RcvTblVer   bRIB/RIB   LabelVer  ImportVer  SendTblVer  StandbyVer
    Speaker               1          1          1          1           1           1
    
    Neighbor        Spk    AS MsgRcvd MsgSent   TblVer  InQ OutQ  Up/Down  St/PfxRcd
    10.19.20.20       0 65001       2       7        0    0    0 00:03:59 Idle
    
    
    RP/0/3/CPU0:XR2#show bgp ipv4 unicast summary
    Fri May 11 00:35:02.278 UTC
    BGP router identifier 0.0.0.0, local AS number 65001
    BGP generic scan interval 60 secs
    BGP table state: Active
    Table ID: 0xe0000000
    BGP main routing table version 1
    BGP scan interval 60 secs
    
    BGP is operating in STANDALONE mode.
    
    Process       RcvTblVer   bRIB/RIB   LabelVer  ImportVer  SendTblVer  StandbyVer
    Speaker               1          1          1          1           1           1
    
    Neighbor        Spk    AS MsgRcvd MsgSent   TblVer  InQ OutQ  Up/Down  St/PfxRcd
    10.19.20.19       0    26       2       2        0    0    0 00:04:31 Active
    
    
    RP/0/0/CPU0:XR1#show bgp vrf ABC ipv4 unicast neighbors 
    Fri May 11 00:34:18.708 UTC
    
    BGP neighbor is 10.19.20.20, vrf ABC
     Remote AS 65001, local AS 26, external link
     Remote router ID 0.0.0.0
      BGP state = Idle
      Last read 00:00:00, Last read before reset 00:04:10
      Hold time is 180, keepalive interval is 60 seconds
      Configured hold time: 180, keepalive: 60, min acceptable hold time: 3
      Last write 00:00:15, attempted 53, written 53
      Second last write 00:01:01, attempted 53, written 53
      Last write before reset 00:04:10, attempted 72, written 72
      Second last write before reset 00:04:15, attempted 53, written 53
      Last write pulse rcvd  May 11 00:34:02.927 last full not set pulse count 9
      Last write pulse rcvd before reset 00:04:10
      Socket not armed for io, not armed for read, not armed for write
      Last write thread event before reset 00:04:10, second last 00:04:10
      Last KA expiry before reset 00:00:00, second last 00:00:00
      Last KA error before reset 00:00:00, KA not sent 00:00:00
      Last KA start before reset 00:00:00, second last 00:00:00
      Precedence: internet
      Enforcing first AS is enabled
      Received 2 messages, 0 notifications, 0 in queue
      Sent 7 messages, 0 notifications, 0 in queue
      Minimum time between advertisement runs is 0 secs
    
     For Address Family: IPv4 Unicast
      BGP neighbor version 0
      Update group: 0.2
      Route refresh request: received 0, sent 0
      Policy for incoming advertisements is PASS
      Policy for outgoing advertisements is PASS
      0 accepted prefixes, 0 are bestpaths
      Cumulative no. of prefixes denied: 0.
      Prefix advertised 0, suppressed 0, withdrawn 0
      Maximum prefixes allowed 524288
      Threshold for warning message 75%, restart interval 0 min
      AS override is set
      An EoR was not received during read-only mode
      Last ack version 0, Last synced ack version 0
      Outstanding version objects: current 0, max 0
    
      Connections established 1; dropped 1
      Local host: 10.19.20.19, Local port: 19432
      Foreign host: 10.19.20.20, Foreign port: 179
      Last reset 00:00:15, due to Peer closing down the session
      Peer reset reason: Remote closed the session (Connection timed out)
      Time since last notification sent to neighbor: 00:02:11
      Error Code: administrative shutdown
      Notification data sent:
        None
    RP/0/3/CPU0:XR2#show bgp ipv4 unicast neighbors 
    Fri May 11 00:34:58.427 UTC
    
    BGP neighbor is 10.19.20.19
     Remote AS 26, local AS 65001, external link
     Remote router ID 0.0.0.0
      BGP state = Active
      Last read 00:00:00, Last read before reset 00:04:50
      Hold time is 180, keepalive interval is 60 seconds
      Configured hold time: 180, keepalive: 60, min acceptable hold time: 3
      Last write 00:04:50, attempted 19, written 19
      Second last write 00:04:50, attempted 53, written 53
      Last write before reset 00:04:50, attempted 19, written 19
      Second last write before reset 00:04:50, attempted 53, written 53
      Last write pulse rcvd  May 11 00:30:08.305 last full not set pulse count 4
      Last write pulse rcvd before reset 00:04:50
      Socket not armed for io, not armed for read, not armed for write
      Last write thread event before reset 00:04:50, second last 00:04:50
      Last KA expiry before reset 00:00:00, second last 00:00:00
      Last KA error before reset 00:00:00, KA not sent 00:00:00
      Last KA start before reset 00:04:50, second last 00:00:00
      Precedence: internet
      Enforcing first AS is enabled
      Received 2 messages, 0 notifications, 0 in queue
      Sent 2 messages, 0 notifications, 0 in queue
      Minimum time between advertisement runs is 30 secs
    
     For Address Family: IPv4 Unicast
      BGP neighbor version 0
      Update group: 0.2
      Route refresh request: received 0, sent 0
      Policy for incoming advertisements is PASS
      Policy for outgoing advertisements is PASS
      0 accepted prefixes, 0 are bestpaths
      Cumulative no. of prefixes denied: 0.
      Prefix advertised 0, suppressed 0, withdrawn 0
      Maximum prefixes allowed 524288
      Threshold for warning message 75%, restart interval 0 min
      An EoR was not received during read-only mode
      Last ack version 0, Last synced ack version 0
      Outstanding version objects: current 0, max 0
    
      Connections established 1; dropped 1
      Local host: 10.19.20.20, Local port: 60056
      Foreign host: 10.19.20.19, Foreign port: 179
      Last reset 00:02:27, due to Interface flap
      Time since last notification sent to neighbor: 00:05:07
      Error Code: administrative reset
      Notification data sent:
        None
    
    

    by Brian McGahan, CCIE #8593 at May 11, 2012 01:10 AM
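The router ID selection order quoted from the Cisco documentation in the post above can be checked offline against a saved configuration. The following Python is an added example, not code from the post or from Cisco: the trimmed XR1/XR2 configs are constructed from the listings above, the function names are hypothetical, and it assumes any Loopback with an IPv4 address is a candidate. It models only the first two rules, because the third depends on the order in which loopbacks are configured at run time.

```python
import ipaddress
import re

# Constructed samples: trimmed copies of the XR1 and XR2 listings in the post.
XR1_CONFIG = """\
hostname XR1
!
interface Loopback0
 ipv4 address 19.19.19.19 255.255.255.255
!
interface POS0/6/0/0
 vrf ABC
 ipv4 address 10.19.20.19 255.255.255.0
!
router bgp 26
 address-family ipv4 unicast
 !
 vrf ABC
  rd 26:65001
  neighbor 10.19.20.20
   remote-as 65001
  !
 !
!
end
"""

XR2_CONFIG = """\
hostname XR2
!
interface GigabitEthernet0/4/0/0
 ipv4 address 10.20.20.20 255.255.255.0
!
interface POS0/7/0/0
 ipv4 address 10.19.20.20 255.255.255.0
!
router bgp 65001
 address-family ipv4 unicast
 !
 neighbor 10.19.20.19
  remote-as 26
 !
!
end
"""

IPV4_LINE = re.compile(r" ipv4 address (\d+(?:\.\d+){3})(?:/\d+| \S+)")


def top_level_blocks(config):
    """Map each unindented config line to the indented lines beneath it."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue  # blank lines, separators and "!!" banner comments
        if line[0] != " ":
            current = blocks.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.rstrip())
    return blocks


def predict_router_id(config):
    """Return (router_id or None, reason) for a saved IOS XR configuration."""
    blocks = top_level_blocks(config)
    bgp = [body for head, body in blocks.items()
           if re.fullmatch(r"router bgp \S+", head)]
    if not bgp:
        raise ValueError("no 'router bgp' block in configuration")

    # Rule 1: explicit command at the global BGP level (one space of indent,
    # so a router-id set under a VRF is not mistaken for the global one).
    for line in bgp[0]:
        m = re.fullmatch(r" bgp router-id (\S+)", line)
        if m:
            return str(ipaddress.IPv4Address(m.group(1))), "bgp router-id command"

    # Rule 2: highest primary IPv4 address on a loopback in the saved config.
    # Physical interfaces are never considered, which is what catches XR2.
    loopbacks = []
    for head, body in blocks.items():
        if re.fullmatch(r"interface Loopback\d+", head):
            for line in body:
                m = IPV4_LINE.fullmatch(line)
                if m:
                    loopbacks.append(ipaddress.IPv4Address(m.group(1)))
    if loopbacks:
        return str(max(loopbacks)), "highest loopback address"

    return None, "no router ID: BGP reports 0.0.0.0 and cannot peer"


if __name__ == "__main__":
    for name, cfg in (("XR1", XR1_CONFIG), ("XR2", XR2_CONFIG)):
        print(name, predict_router_id(cfg))
```

Because the post reports that no syslog message was generated for this condition, a pre-deployment check of this kind is one way to surface it before the session fails to establish.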

    XKCD Comics

    May 10, 2012

    Peter's CCIE Musings and Rants

    How to recover an ASA where the flash has died or you have replaced the flash


    I had an ASA flash die today, it was an unfortunate experience that I recommend avoiding!

    Anyway, try as I might, I could not find any directions on how to recover from this situation, so I thought I would put in vivid detail what worked for me so it can help others out there.

    First, if your flash has died, the ASA won't boot, you need to console into the ASA and wait for the following prompt:


    Cisco Systems ROMMON Version (1.0(11)2) #0: Thu Jan 26 10:43:08 PST 2006

    Platform ASA5520

    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.

    Press ESC to break the boot process and you will be in ROMMON:

    rommon #1> 

    You need to set a bunch of variables so that the ASA can download the image over your management interface, so plug in a laptop, run up a TFTP server and put the image in a directory accessible from the TFTP server.

    rommon #>  ADDRESS=192.168.50.1
    rommon #>   SERVER=192.168.50.2
    rommon #>   GATEWAY=0.0.0.0
    rommon #>   IMAGE=asa804-k8.bin


    In my case I did not need a gateway but in your case you might, you can also specify what port it should use by setting some other variables, to get a list of variables type help but for most situations the above will be enough.

    Next type tftpdnld to start the download process:


    rommon #4> tftp
    ROMMON Variable Settings:

    tftp asa804-k8.bin@192.168.50.2
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    The image will then boot, but this is not the end of your adventure, you will be booted into the ASA:
    and see something like this:

    Insufficient flash space available for this request:
      Size info: request:32 free:0  delta:32
    open or write(ffsdev/2/write/32) failed
    Could not initialize system files in flash.
    Type help or '?' for a list of available commands. 


    This is saying it can't see the flash, so go ahead and enter enable mode and we will format the flash.

     
    ciscoasa> en
    Password:



    ciscoasa# format disk0:
    WARNING: Saving activation key file failed. Proceed with operation? [confirm]

    Format operation may take a while. Continue? [confirm]

    Format operation will destroy all data in "disk0:".  Continue? [confirm]
    Initializing partition - done!
    mkdosfs 2.11 (12 Mar 2005)

    System tables written to disk

    Format of disk0 complete
    ciscoasa# fsck disk0:
    dosfsck 2.11, 12 Mar 2005, FAT32, LFN
    /dev/hda1: 2 files, 2/62934 clusters

    fsck of disk0: complete
    ciscoasa# dir

    Directory of disk0:/

    No files in directory

    257777664 bytes total (257769472 bytes free)
    ciscoasa#  



    Now that you can actually see the disk0, you need to reconfigure the management interface AGAIN:

    interface Management0/0
     nameif management
     security-level 0
     ip address 192.168.50.1 255.255.255.0
    ciscoasa# ping 192.168.50.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.50.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms



    You can now copy the image again over tftp using the usual copy tftp flash command:
    ciscoasa# copy ftp flash

    Address or name of remote host [192.168.50.2]?

    Source filename [asa804-k8.bin]?

    Destination filename [asa804-k8.bin]?

    Accessing ftp://192.168.50.2/asa804-k8.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


    You can now write the mem and reload!

    You may have to retrieve your activation key though for your ASA













    by peter_revill (noreply@blogger.com) at May 10, 2012 10:03 PM

    Networking Now (Juniper Blog)

    Juniper Supports Open Source Cloud Computing

    As the current movement toward open source virtualization (in other words, “no-pay” virtualization platform) is gaining more momentum, so are projects like OpenStack. Founded in July 2010 by Rackspace and NASA, OpenStack is an open source cloud computing platform project and community that currently has more than 165 companies, including two recent joiners, IBM and Red Hat. It has three core projects—Compute, Object Storage, and Image Service—with many more in the incubation hopper and, per a recent NetworkWorld article, also ranks as one of the top 10 most powerful IaaS companies.

     

    The beauty of open source is that there is no vendor lock-in and, well, it’s cheaper—which are two things that are important to customers and, by extension, to Juniper. When it comes to the cloud, Juniper’s objective is to provide the best possible and most cost-effective security for its customers—whatever their choice of platform may be. OpenStack supports multiple hypervisors and Juniper’s vGW Virtual Gateway, which currently supports VMware and has short-term planned support for other hypervisors like KVM, Hyper-V, and Xen. So if organizations continue to rally behind OpenStack and the efforts of its growing number of active developers and cloud technologists to create a massively scalable cloud offering, they can count on Juniper to provide security that meets their needs for versatility as well as high-performance, multi-layered defenses, and compliance.

    by eomalley at May 10, 2012 04:00 PM

    Cioara's Cisco Blog

    TwitterChat this Morning - 9am PST

    My first Cisco Live 2012 is this morning (5/10/12) at 9am PST: TwitterChat!

    Feel free to join #CLUS and hang between 9am - 10am. CBTNuggets will be continuing the fun from 10am - 11am at #CBTchat.

    See you soon!

    Jeremy


    by Jeremy at May 10, 2012 03:23 PM

    Cisco IOS Hints and Tricks

    Brocade VCS Fabric

    Just prior to Networking Field Day, the merry band of geeks sat down with Chip Copper, Brocade’s Solutioneer (a job title almost as good as Packet Herder) to discuss the intricate details of VCS Fabric. The videos are well worth watching – the technical details are interesting, but above all, Chip is a fantastic storyteller.

    Read more ...

    by Ivan Pepelnjak (noreply@blogger.com) at May 10, 2012 08:17 AM

    Packet Pushers Blog/Podcast

    Does TRILL Stand a Chance at Wide Adoption?

    TRILL (TRansparent Interconnect of Lots of Links) is considered by some to be the heir-apparent to spanning-tree’s throne. After all, Radia Perlman was the force behind STP, and her name heads the list of authors for RFC 6325, the base TRILL protocol specification. For that reason alone, it seems a natural progression to move from [...]

    by packetpushers@gmail.com at May 10, 2012 07:00 AM

    Peter's CCIE Musings and Rants

    iSCSI Qualified Name (iQN) naming format, how to pick


    Hi Guys!

    This might be dead obvious to some of you out there, but for me just starting in the world of storage (Currently studying for my EMC VNX Storage certification :)), some of this was less than obvious, I wanted to quickly talk about iSCSI.

    In iSCSI, your initiator and target (your host and the storage your host is trying to talk to) have names. These names are called iSCSI Qualified Names (IQN) and have a particular format. I never really understood how the format was meant to work, and although Wikipedia kind of shows you, I think a more layman's definition would be helpful :)

    So an IQN has the following format:

    iqn.date.yourdomainname-in-reverse:storage-identifier

    So the start of the IQN must start with IQN, this is required. Next you enter a date and a domain name. This is where I was confused: what domain name do I use?

    You can use any domain name that belongs to your organization, even a domain name that has expired or does not resolve to anything. The date part of the above string is where you specify a date (in format of YYYY-MM) on which you owned that domain name, so let's say I had the domain name ccierants.com on the 5th month of 2011, my format would be

    iqn.2011-05.com.ccierants

    Again, the domain does NOT have to resolve, and I don't even have to own it anymore, I just have to have owned it on that date. I am not sure what the rules around internal domain names would be (maybe you've never registered a domain, which seems quite odd, but let's hypothetically say that is the case) but I assume it is generally frowned upon.

    That is the start of my IQN. Then the identifier after the : (shown as storage identifier in my little bit above) can be anything that makes sense to you as an organization: it could be a serial number, an asset number or any other storage identifier.

    so the total string is:

    iqn.2011-05.com.ccierants:emc-vnx-prod-01

    for example :)




    I hope this clears things up for someone, I actually found this out thanks to an EMC Book, it seems quite obvious now but for me it was something I did not fully know :).




    by peter_revill (noreply@blogger.com) at May 10, 2012 07:50 AM
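The naming format walked through in the post above, as a parser and builder. This Python is an added example, not code from the post or from EMC: the function names are hypothetical, it accepts only the lowercase form used in the post's examples, and it treats the part after the colon as optional, as RFC 3720 allows.

```python
import re

# iqn.YYYY-MM.reversed.domain[:identifier], lowercase only (a choice of
# this example, matching the names shown in the post).
_IQN = re.compile(
    r"iqn\.(?P<year>\d{4})-(?P<month>\d{2})"
    r"\.(?P<authority>[a-z0-9-]+(?:\.[a-z0-9-]+)+)"
    r"(?::(?P<ident>\S+))?"
)


def parse_iqn(name):
    """Split an IQN into ownership date, forward-order domain and identifier."""
    m = _IQN.fullmatch(name)
    if m is None:
        raise ValueError(
            f"not in iqn.YYYY-MM.reversed.domain[:identifier] form: {name!r}")
    if not 1 <= int(m["month"]) <= 12:
        raise ValueError(f"month out of range in {name!r}")
    # The naming authority is stored reversed (com.ccierants); turn it back
    # into the domain that was owned on the stated date (ccierants.com).
    domain = ".".join(reversed(m["authority"].split(".")))
    return {
        "owned": f"{m['year']}-{m['month']}",
        "domain": domain,
        "identifier": m["ident"],  # None when no ":identifier" is present
    }


def build_iqn(domain, year, month, identifier=None):
    """Build an IQN from a forward-order domain and the date it was owned."""
    reversed_domain = ".".join(reversed(domain.lower().rstrip(".").split(".")))
    name = f"iqn.{year:04d}-{month:02d}.{reversed_domain}"
    if identifier:
        name += f":{identifier}"
    parse_iqn(name)  # reject anything the parser would not accept
    return name


if __name__ == "__main__":
    iqn = build_iqn("ccierants.com", 2011, 5, "emc-vnx-prod-01")
    print(iqn)
    print(parse_iqn(iqn))
```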

    May 09, 2012

    My Etherealmind

    Internets of Interest for 9th May 2012

      Collection of useful, relevant or just fun places on the Internets for 9th May 2012 and a bit of commentary about what I’ve found interesting about them: Advantages of Using SVTI Based VPNs | PacketU – Paul Stewart gives a great example on SVTI. (I’m still learning here). Starting in version 12.3T (which is some [...]


    by bookmarks at May 09, 2012 09:35 PM

    Response: Big Switch Networks – The Value of Openness

    Omar Baldonado talks about the value of openness for SDN & OpenFlow My takeaway from that panel and the other speakers is that we’ve arrived here at this point in the industry because of the openness of software-defined networking. Many of the components of SDN already existed as the audience pointed out, but it is [...]


    by Greg Ferro at May 09, 2012 08:31 PM

    Does SDN Represent the Evolution of Network Management ? Yes but No It Doesn’t

    SDN/OpenFlow is about Network Management, at least, in part. But the rich tools for software control don't exist. I also don't think that today's management _platforms_ (such as Tivoli, OpenView and BMC) are suitable for network orchestration in the future.


    by Greg Ferro at May 09, 2012 06:29 PM

    Networking Now (Juniper Blog)

    Building Trust In Mobility A Look at Juniper Networks First Trusted Mobility Index

    Today, Juniper Networks released its Trusted Mobility Index, a global survey of more than 4,000 mobile device users and IT decision-makers, which benchmarks current levels of trust in mobile technologies as well as examines how trends in mobile security and reliability influence attitudes and behaviors.

     

    While there is a great deal of research into increasing mobile security and privacy threats – including Juniper’s own threat research conducted by its Mobile Threat Center – little attention has been given to understanding people’s current attitudes and confidence in their mobile experiences.

     

     

    by danielvhoffman at May 09, 2012 03:14 PM

    The Networking Nerd

    Switchport Voice VLAN – What Does It Do?

    One of the more tedious parts of any phone system deployment is configuring the access layer switches to support said phones.  The configuration in and of itself isn’t complicated, but every port that may receive a phone needs to be setup correctly.  In Cisco parlance, this is accomplished with the switchport voice vlan <ID> command.  I’ve typed that into the CLI a thousand times and never really knew what it did besides “make the phones work”.  After a little research, I finally found some answers.  I thought I’d share them with you.

    In the old days, before the Catalyst 2950, configuring a switch port for use by a phone involved creating an explicit 802.1q trunk.  This made sense from the perspective that it allowed traffic from multiple VLANs to pass on a single link.  It also allowed the 802.1p priority bits for Quality of Service (QoS) tagging to be sent with the frames.  The downside is that it was very difficult for phone mobility.  You either needed to provision every phone-facing switchport in your organization to be an 802.1q trunk or you had to leave the phones where they were.  While the latter is usually the case in most of my deployments, the mobility provided by the ability to plug a phone in anywhere in the network and not worry about extra configuration is key to some clients.  Thankfully, Cisco fixed this starting in the 2950 with a little concept known as the Auxiliary VLAN.

    The Auxiliary VLAN (AUX VLAN) is a specialized VLAN that sits beside a regular access VLAN configured on a switch (sometimes called a “normal” VLAN).  The purpose of the AUX VLAN is to allow IP phones to transmit their payloads along with the untagged data coming from a PC that might be plugged into a switchport on the back of the phone.  The AUX VLAN allows these two devices to transmit on the same port without the need to use an explicit trunk on the link.  In addition, since the port is not configured explicitly as an 802.1q trunk, extraneous VLANs will not be flooded over the port.  In essence, the port becomes a two VLAN trunk.  All the phone traffic is tagged with the ID of the AUX VLAN and the PC traffic is untagged.  Curiously, according to this document, the traffic in the AUX VLAN must also carry a Class of Service (CoS) of 5 along with the AUX VLAN ID.  Otherwise, the traffic is dropped.  So how does the phone get the ID of the AUX VLAN so it can start sending the traffic?  Ah, that’s where CDP comes in.

    Cisco Discovery Protocol (CDP) is very crucial in the operation of a Cisco IP phone.  It not only provides the AUX (Voice) VLAN ID for the phone to begin sending traffic on the AUX VLAN, it also allows the phone to automatically negotiate power settings.  This allows the phone to use less than the maximum 15.4 watts of power under the 802.3af PoE standard.  If you disable CDP on the port facing the phone/PC you will likely start pulling your hair out.  Even though the phone might have already assigned itself in the Voice VLAN, removing CDP from the switchport in question causes it to forget where to find the voice VLAN.  You’ll need to re-enable CDP and reboot the phone.  You could also statically configure an 802.1q trunk to fix the issue, but where’s the fun in that?

    One other curious note is that I’ve always been told that the connection between the phone and the switch when switchport voice vlan is configured is a “special 802.1q trunk”.  Not that I’ve ever been able to see that configuration, as show interface trunk seems to think that the port isn’t trunking and show interface switchport says that it’s an access port.  The key is in Cisco’s documentation.  The correct term for a port with switchport voice vlan configured is a “multi-VLAN access port”.  The distinction between the two is that only the two VLANs (voice and access) configured on the switchport will be accepted on the link.  If you were to do something silly like, oh I don’t know, plug another switch into the back of the phone and configure an access port on that switch to be in a different VLAN than the voice or PC access VLAN, traffic will not pass through the phone port to the switch.  Once again, that’s because this isn’t a real trunk.  The switch will only accept tagged frames from the Voice (AUX) VLAN.


    Tom’s Take

    I hope this was a little more insight into what the magical command switchport voice vlan does on a switch.  I’m often asked by people new to voice why this must be configured each time.  Before I blindly regurgitated lines like “special 802.1q trunk” and “do it or it won’t work.”  Now I have a very interesting story to tell and threaten people with if they don’t do it.


    by networkingnerd at May 09, 2012 01:29 PM

    Networking Now (Juniper Blog)

    The Rise and Risks of Mobile Spyware

    The total amount of known mobile malware has risen dramatically. From 2010 to 2011, Juniper Networks Mobile Threat Center identified a 155 percent increase in threats to mobile devices. However, no other category of mobile security threats is growing as quickly as Spyware.

     

    In fact, in the first three months of 2012, Spyware targeting mobile devices has doubled. To put this in perspective, Juniper has discovered nearly the same amount of Spyware from January to March of 2012 as we have in the last eight years combined.

    by danielvhoffman at May 09, 2012 11:50 AM

    Cisco IOS Hints and Tricks

    NHRP Rate Limiting can hurt your DMVPN network

    NHRP-based interface state control is a fantastic feature that you can use for faster convergence of very large DMVPN networks (as explained in the DMVPN Designs webinar, you can also use it to solve some interesting backup scenarios). We tested it in a network with over 1000 spokes (using ASR1K as the hub router) using very short registration timeouts, and the CPU utilization of the NHRP process rarely exceeded a few percents.

    Read more ...

    by Ivan Pepelnjak (noreply@blogger.com) at May 09, 2012 09:06 AM

    Packet Pushers Blog/Podcast

    POLL: CCIE Data Center – Who’s In?

    I have one primary question for the Packet Pusher’s community regarding the newly announced CCIE Data Center track: Who’s in? The beta CCIE Data Center written tests are available (mine is scheduled for a week from now), schedule at a PearsonVUE near you (they’ve gotten a bit better in Portland, btw). Non-beta written tests and [...]

    by packetpushers@gmail.com at May 09, 2012 07:00 AM

    XKCD Comics

    May 08, 2012

    My Etherealmind

    Response: Intel- New Switch and More Software Defined Networking

    Intel talks about their Fulcrum silicon (FM6000) fully supporting OpenFlow. If one of the bigger merchant silicon vendors is shipping OpenFlow ready silicon, then I would expect new products to arrive in the next few months. I believe Intel is demoing this at Interop. We’ve also contributed our Barcelona 10GbE TOR switch reference platform [...]


    by Greg Ferro at May 08, 2012 09:11 PM

    Response: Time for HP to Show Its SDN Hand

    Brad Casemore makes the case that HP is not telling us enough about its OpenFlow technology. HP has been a major contributor to several initiatives, including QoS code for OpenFlow v1.1 and the first vendor to offer OpenFlow support on its network switches. Yet, HP is not necessarily getting the recognition it deserves for these [...]


    by Greg Ferro at May 08, 2012 09:07 PM

    In Search of Tech

    What I Am Looking For At Interop

    I’m returning to Las Vegas for Interop. I was fortunate enough to attend last year on behalf of HP and Ivy Worldwide. I am returning again as a guest of HP and Ivy Worldwide. I should point out that HP has never asked me for anything other than an opinion. They sent me to the Las Vegas and New York Interop shows last year, but the New York show is much smaller than the Las Vegas one.

    A stark difference in my Interop Las Vegas experience last year and my Interop experience this year is my relationship to these vendors. Last July, I left my corporate IT job and went to work for a reseller. I LOVE talking to vendors, and being in the reseller space allows me a different kind of relationship with vendors. It is more of a collaborative type relationship and less of a buyer/seller relationship that you see in the corporate IT side.

    For the bulk of the conference, I will be on the expo floor. That’s the place I want to be as much as possible. While the pens and t-shirts are very plentiful, I am not really there for that. However, if they are giving away electronics in a LEGITIMATE drawing, I will not turn that down. I just have to figure out which ones are legitimate and which ones are steered towards potential customers (i.e. rigged drawings). I’m there to absorb as much of the vendor’s solutions and company secrets as possible. Okay, so I don’t get a whole lot of company secrets, but I keep hoping someone in a vendor booth will slip up and tell me something they shouldn’t. ;)

    Here’s some random thoughts around some of the vendors I want to talk to. I’ll indicate if my company is a partner with them as we partner with a lot of companies.

    Aerohive (Partner) – They don’t have a booth, but they are here. Their Bonjour gateway seems to have attracted a fair amount of attention and they just released the BR200 device for remote offices/mobile employees. I’m curious to see what might be coming from them in the near future.

    Alcatel-Lucent – I don’t ever run into them in the enterprise space. I am curious as to how they are doing in that market. If I recall correctly, they tried to sell their enterprise line and focus on the SP market, but that fell through. They re-brand their wireless from Aruba, so I probably am not going to ask much about that.

    Arista – I love this company. They do one thing and do it well. I am curious to see if they have any announcements around 40 and 100gig. I know they will be supporting it, but not sure to what extent and when. Listening to various Arista people talk during the Gestalt IT Network Field Day 3, I get the feeling they will continue to innovate and dominate the low latency switching market.

    Avaya – I had a nice long chat with one of their engineers at their booth at last year’s show in Las Vegas. I am interested to see how well their switching line is doing. They also have a wireless line that I didn’t get to look at last year. That intrigues me. Finally, they came out with their own UC tablet like the Cisco Cius. I am sure they will have their Flare tablet on display.

    Barracuda Networks (Partner) – As a Barracuda partner, I have a different view of them now. I heard a presentation on their Next Gen firewall last year, but the presentation didn’t sell the features of the NG firewall that I was able to see during my partner dealings with Barracuda. It really is a neat firewall that came via an acquisition and was not developed in house. I think that is where people have an issue. They think it is a feature-lite firewall like some of their other products when compared to their much more expensive competitors. They also dabble in the UC and video surveillance market. Odd considering they got their start doing anti-spam work. They also have a storage replication product that I am interested in seeing demonstrated.

    BlueCoat (Partner) – I really just want to see if/when full combination of content filtering/WAN optimization will happen. Maybe it shouldn’t happen. Maybe it should. I used Packeteer products in a previous job and liked them.  Most of my questions to BlueCoat are really around differentiating themselves from Riverbed.

    Brocade (Partner) – It turns out that Brocade does not have a booth on the expo floor, but they will be sharing part of the NEC booth. We are doing a fair amount with Brocade, so I am just interested in a general conversation with them. I’ve put forth my theory that they will buy a firewall vendor in the coming years if they don’t get acquired and taken private. I’ve discussed this with multiple Brocade employees, but that’s just complete speculation on my part and cannot be validated by anyone I have talked to. I also wonder about their relationship with Motorola since they re-brand their wireless gear. Would Brocade ever buy that part of Motorola? At the risk of sounding too “conspiracy theory”, I will end my comments on Brocade here. ;)

    Cisco (Partner) – I have tons of questions for Cisco. I want to see the 3600 AP up close and personal. I would also like to know if they have the module that is rumored to be coming. I’ve heard about it on the No Strings Attached podcast and pictures of the AP indicate that future capability. As a partner, I might know a little more than I am letting on, but that wouldn’t be very professional if I blabbed about every little thing now would it? ;) There are some other wireless things I would like to chat about. Some of the other things I would like to see and talk about are WAAS, Nexus 3000 series, ASA CX, UC ver 9 enhancements, ACE 30 update and potential for a Nexus 7000 module.

    Citrix (Partner) – My company has someone covering the Citrix Summit / Citrix Synergy conference in San Francisco, and that person is far more versed in Citrix than I am. My interest in Citrix begins and ends with the NetScaler as it relates to load balancing and SSL VPN connectivity.

    Dell (Partner) – Obviously, the big thing for me with Dell is the Force10 gear. I’m interested to see how they are rolling the Force10 gear into their lineup and what that means for the other vendors (i.e. Brocade) that they re-branded. I’d also like to talk to them about Aruba wireless that they re-brand as PowerConnect W-Series. I wonder if Dell would consider buying Aruba. They seem to be buying everyone else lately. SonicWall will have a booth at Interop as well, so naturally I am interested to see how that integration with Dell is going.

    ExtraHop Networks (Partner) – What’s not to like about this NPM/APM vendor started by ex-F5 people? They are entirely agentless and can be up and running in a matter of minutes. They also just released a new Citrix module, so I would like to talk with them about that. Other solutions require software agents for the type of information they are pulling off the network with a simple packet capture.

    Extreme Networks – I remember last year’s Las Vegas show where they showed the Black Diamond X8 switch in a smoke filled booth. 192 ports of 40GbE at line rate. A monster switch. I am curious how they are selling and who is using that kind of  throughput.

    Ekahau – They will be located with the MetaGeek booth on the expo floor. I had the privilege of seeing this Finnish company present at the last Gestalt IT Wireless Field Day event back in January. I’ve been using their Site Survey tool lately, and have also been able to use their Android-based Mobile Survey utility.

    F5 Networks (Partner) – I haven’t seen the Viprion line in person yet. I am hoping they have some at their booth. They are always good to talk to since they seem to be expanding beyond the load-balancing function they are so well known for.

    Gigamon – This orange colored company is hard to miss. I have talked to them before, but I am interested about what life would be like as a Gigamon partner. With all the monitoring that is required in data centers these days, their name comes up more and more in discussions amongst other engineers.

    HP (Partner) – Since HP is bringing me to Interop, I get a fair amount of access to their people. I have several questions around their firewall solutions, the collapse of switching lines on the ProCurve side, as well as the future of their voice platform they inherited from 3Com. Then, there’s the wireless solution, which I assume will be simplified in the coming years just like their switching lines. I also want to see how their publishing venture has been received. Finally, I would like to see if there are going to be any changes to the AllianceOne program, which I happen to think is a good idea for them.

    Huawei – I talked to this newcomer to the US market at Interop NYC last October. They have a full line of everything from switches to telepresence video conferencing suites. I am interested to see how their growth in the US market is going.

    Juniper Networks (Partner) – Of course, QFabric will be on display. It’s hard to miss that impressive hardware. I’ll take better pictures this year than last. I’m also keen on seeing anything new they have coming up. I believe a fair amount of their focus has been on the security market lately.

    MetaGeek – I have had the pleasure of seeing MetaGeek at the Gestalt IT Wireless Field Days for two years in a row. Their new EyePA product is simply amazing and I look forward to seeing the looks on people’s faces when they see it demonstrated for them.

    NEC – I need someone to sell me on OpenFlow in the Enterprise. I see the applications for it in the SP market. I just don’t see it in the Enterprise. If anyone can show me where it fits, it will probably be NEC.

    ShoreTel – I am not a voice person, but I do like to have a basic understanding of who the key players are. I am always looking for a solution that could possibly rival Cisco and Avaya as they seem to dominate the voice deployments I come across in enterprise networks. I spoke with ShoreTel last year and have seen them around for a number of years.

    SonicWALL (Partner – Sort of.) – Dell recently acquired SonicWALL, so I would expect to see a lot more of them in the near future. As a Dell partner, my interest is really centered around how to position them in the enterprise space. I used to work for a SonicWALL partner and we sold quite a few of their boxes in the SMB arena. Although my SonicWALL cert is long expired, I am curious to see how much progress they have made since I dealt with them last.

    Vyatta – This company has been around for a number of years running routing software on commodity hardware. I have never used their software and have not come across many companies that do. Having said that, I do know there are a fair amount of people that are big fans of Vyatta. I’d be interested to find out from them about large real world deployments.

    Xirrus – There’s really one big question I have for Xirrus, and it has to do with 802.11n MIMO. They have directional antennas in their arrays, so I want to understand how they can associate multiple antennas with a single client. I have no doubt they have thought about this, so I am sure they can answer that question.

    There’s a lot more vendors at Interop. See the full list here:

    http://www.interop.com/lasvegas/2012/exhibitor-list/

    If you happen to read this before Thursday, May 10th 2012, let me know if there are any questions you would like me to ask a vendor or vendors. I’m more than willing to do that. Just drop me a comment at the end of this post and I will do my best to get it answered while I am here.

    by Matthew Norwood at May 08, 2012 06:26 PM

    Networking Now (Juniper Blog)

    May 2012 Microsoft Patch Tuesday Summary


     

    Welcome to another edition of patch Tuesday summary blog.  Last month’s patch Tuesday involved patching 11 vulnerabilities over 6 bulletins, while this month we are patching 23 vulnerabilities over 7 bulletins.

     

    Here is a list of the vulnerabilities fixed in today’s patches:

    by aicasiano at May 08, 2012 06:05 PM

    Security and "The Internet of things"

    The much bandied "Internet of things" or the more geeky M2M conjure up a vision of a myriad of connected devices all talking to each other, exchanging data in real time. Just for a moment overlay that with the security lens and you will start to see what is a seemingly intractable problem - how do you secure these billions of devices?

    by Ashwin at May 08, 2012 04:24 PM

    Packet Pushers Blog/Podcast

    RFC 1998 Implementation Example: BGP Community Attribute in Multi-Home Routing

    A couple of days ago, I had a really interesting discussion about using BGP communities to influence inbound traffic by modifying ISP’s LOCAL_PREF on advertised prefixes in multi-homed environments. There are many Internet Service Providers that support this, including, for example, Level3 (as visible on this link). Taking into consideration that BGP communities are basically prefix [...]

    by packetpushers@gmail.com at May 08, 2012 07:00 AM