March 27, 2015

My Etherealmind

Musing: HP Networking Futures after deals with Aruba & H3C

HP Networking will acquire Aruba and is now selling a 51% stake in H3C to a Chinese venture capital firm. What could this mean for HP Networking customers? The sale of a controlling interest in H3C means that HP Networking has government support (blessing?) to sell products in China. The Chinese government has been […]


The post Musing: HP Networking Futures after deals with Aruba & H3C appeared first on EtherealMind.

by Greg Ferro at March 27, 2015 01:12 PM

Loopback Mountain

Quick Example: Elasticsearch Bulk Index API with Python

A quick example that shows how to use Elasticsearch bulk indexing from the Python client. This is dramatically faster than indexing documents one at a time in a loop with the index() method.

by noreply@blogger.com (Jay Swan) at March 27, 2015 02:17 AM

XKCD Comics

March 26, 2015

My Etherealmind

The End of WHOIS ?

The convergence trend on HTTPS protocol continues to gather momentum. This time it is the venerable WHOIS protocol that is poised to be replaced with RDAP over HTTP.


The post The End of WHOIS ? appeared first on EtherealMind.

by Greg Ferro at March 26, 2015 04:00 PM

Networking Now (Juniper Blog)

INFORMATION SHARING IS A TOOL TO ACHIEVING SHARED CYBER SITUATIONAL AWARENESS

There is a lot of focus these days in the US Congress and in the Administration on the topic of cyber information sharing. While it is important to elevate the dialogue about cybersecurity preparedness, protection, and resilience to a sustained national level, we must also not fall into the trap of thinking that the work is done by simply improving the exchange of cyber threat and vulnerability information.

by Bob Dix at March 26, 2015 12:00 PM

March 25, 2015

Peter's CCIE Musings and Rants
XKCD Comics

March 24, 2015

Networking Now (Juniper Blog)

Say goodbye to the network performance/security dilemma

Tired of security solutions that can’t keep up with the speed of your network—much less the speed of your business? Then you’ll love what Express Path has to offer.

by rajoon at March 24, 2015 09:45 PM

My Etherealmind

Commodity Manufacture is the Majority of Switch Products

How much of an Ethernet switch product is custom made by the vendor, and how much is commodity components selected and assembled into a closed vendor solution?


The post Commodity Manufacture is the Majority of Switch Products appeared first on EtherealMind.

by Greg Ferro at March 24, 2015 06:00 PM

Four Different Types of Ethernet & Whitebox Products

I drew up this diagram to explain how I see four different categories of Ethernet switches emerging into the market.


The post Four Different Types of Ethernet & Whitebox Products appeared first on EtherealMind.

by Greg Ferro at March 24, 2015 04:00 PM

The Networking Nerd

Does EMC Need A Network?


Network acquisitions are in the news once again. This time, the buyer is EMC. In a blog article from last week, EMC is reportedly mulling the purchase of either Brocade or Arista to add a networking component to its offerings. While Arista would be a good pickup for EMC to add a complete data center networking practice, one must ask oneself, “Does EMC Really Need A Network?”

Hardware? For What?

The “smart money” says that EMC needs a network offering to help complete their vBlock offering now that the EMC/Cisco divorce is in the final stages. EMC has accelerated those plans from the server side by offering EVO:RAIL as an option for VSPEX now. Yes, VSPEX isn’t a vBlock. But it’s a flexible architecture that will eventually supplant vBlock when the latter is finally put out to pasture once the relationship between Cisco and EMC is done.

EMC being the majority partner in VCE has incentive to continue offering the package to customers to make truckloads of cash. But long term, it makes more sense for EMC to start offering alternatives to a Cisco-only network. There have been many, many assurances that vBlock will not be going away any time soon (almost to the level of “the lady doth protest too much, methinks“). But to me, that just means that the successor to vBlock will be called something different, like nBlock or eBlock.

Regardless of what the next solution is called, it will still need networking components installed in order to facilitate communication between the components in the system. EMC has been looking at networking companies in the past, especially Juniper (again with much protesting to the contrary). It’s obvious they want to have a hardware solution to offer alongside Cisco for future converged systems. But do they really need to?

How About A BriteBlock?

EMC needs a network component. NSX is a great control system that EMC already owns (and is already considering for vBlocks), but as Joe Onisick (@JOnisick) is fond of pointing out, NSX doesn’t actually forward packets. So we still need something to fling bits back and forth. But why does it have to be something EMC owns?

Whitebox switching is making huge strides toward being a data center solution. Cumulus, Pluribus, and Big Switch have created stable platforms that offer several advantages over more traditional offerings, not the least of which is cost. The ability to customize the OS to a degree is also attractive to people that want to integrate with other systems.

Could you imagine running a Cumulus switch in a vBlock and having the network forwarding totally integrated with the management platform? Or how about running Big Switch’s Big Fabric as the backplane for vBlock? These solutions would work with minimal effort on the part of EMC and very little tuning required by the end user. Add in the lowered acquisition cost of the network hardware and you end up with a slightly healthier profit margin for EMC.

Is The Answer A FaceBlock?

The other solution is to use OpenCompute Project switches in a vBlock offering. OCP is gaining momentum, with Cumulus and Big Switch both making big contributions recently at the 2015 OCP Summit. Add in the buzz around the Wedge switch and new Six Pack chassis and you have the potential to have significant network performance for a relative pittance.

Wedge and Six Pack are not without their challenges. Even running Cumulus Linux or Open Network Linux from Big Switch, it’s going to take some time to integrate the network OS with the vBlock architecture. NSX can alleviate some of these challenges, but it’s more a matter of time than technology. EMC is actually very good at taking nascent technology from startups and integrating with their product lines. Doing the same with OCP networking would not be much different from their current R&D style.

Another advantage of using OCP networking comes from the effect that EMC would have on the project. By having a major vendor embrace OCP as the spine of its architecture, Facebook gains the advantages of reduced component costs and increased development. Even if EMC doesn’t release its developments back into the community, it will attract more developers to the project and magnify the work being done. This benefits EMC too, as every OCP addition flows back into its offerings as well.


Tom’s Take

We’re running out of big companies to buy other companies. Through consolidation and positioning, the mid-tier has grown to the point where they can’t easily be bought by anyone other than Cisco. Thanks to Aruba, HP is going to be busy with that integration until well after the company split. EMC is the last company out there that has the resources to buy someone as big as Arista or Brocade.

The question that the people at EMC need to ask themselves is: Do we really need hardware? Or can we make everything work without pulling out the checkbook? Cisco will always be an option for vBlock, just not necessarily the cheapest solution. EMC can find solutions to increase its margins, but it’s going to take some elbow grease and a few thinking caps to integrate whitebox or OCP-style offerings.

EMC does need a network. It just may not need to be one they own.



by networkingnerd at March 24, 2015 03:24 PM

Network Design and Architecture

Introduction to Network Design, Pre-CCDE Training

I am going to start an ONLINE Pre-CCDE preparation course in mid-April. I realized that many people are not ready to start CCDE study and don’t know what to study before attending a CCDE training or bootcamp. The course will cover network design principles and the theory of IGP, BGP, MPLS, VPNs, QoS, Multicast and… Read More »

The post Introduction to Network Design, Pre-CCDE Training appeared first on Network Design and Architecture.

by orhanergun at March 24, 2015 11:42 AM

Networking Quiz -2

In this networking quiz you have 5 questions. It is not basic, but also not too hard. It should take less than 10 minutes for an experienced engineer. If you want to learn the basics of NETWORK DESIGN, check my latest PRE-CCDE Training. You can enjoy more quizzes by clicking here. How was it?… Read More »

The post Networking Quiz -2 appeared first on Network Design and Architecture.

by orhanergun at March 24, 2015 11:42 AM

March 23, 2015

Bridging the gap between CCIE RS and SP

Packet Loss Recovery


Modern TCP stacks have become more efficient at dealing with latency by adding TCP Window Scaling and Selective Acknowledgements. However, TCP is still vulnerable to packet loss, and this has a drastic impact on network performance.

Why is Packet Loss important?

  • Loss has a severe impact on TCP performance: for example, TCP throughput over a 100 Mbps link is limited to 1 Mbps at 80 ms and 2% loss.
  • More businesses are connecting their offices via low cost VPN links. These typically have a 1% loss rate, which is 10 times higher than MPLS links.
  • SLAs provide a false sense of security. A 3+% loss for an hour a day means providers can still meet a very low monthly average loss rate SLA.
  • Packet loss is higher in emerging and developing countries: on average 2% or more.


Packet Loss Recovery

To counter the negative effects of loss on TCP throughput, Wanos provides packet loss recovery to assist in TCP Acceleration. Below are CIFS copy speed stats over various loss and delay profiles. The first control test indicates the standard TCP throughput under these conditions. The second test is with Wanos Packet Loss Recovery enabled and compression and deduplication disabled.

Packet Loss Recovery Performance


Packet Loss Recovery Demo

In the illustration below compression and deduplication have been disabled. The link has 50 ms latency and a 5% packet loss rate. TCP throughput on this link is below 1 Mbps. When Packet Loss Recovery is enabled, TCP Acceleration improves throughput up to 10x.
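As an added illustration (not part of the original post or the Wanos product), the loss-limited throughput ceilings quoted above can be reproduced with the Mathis approximation of steady-state TCP throughput, throughput ≈ C · MSS / (RTT · √p). The 1460-byte MSS and the constant C = 1 are assumptions; the RTT and loss figures are the ones given in the post, and the last function goes beyond the post by solving for the loss rate at which a link stops being loss-limited.

```python
import math

MSS_BYTES = 1460  # assumed: typical TCP segment size on Ethernet


def mathis_throughput_bps(rtt_s, loss, mss_bytes=MSS_BYTES, c=1.0):
    """Loss-limited steady-state TCP throughput in bits per second.

    Mathis et al. approximation: throughput <= (MSS / RTT) * (C / sqrt(p)).
    C is about 1.22 for strictly periodic loss; c=1.0 (assumed here) is the
    conservative rule-of-thumb figure and matches the post's 1 Mbps claim.
    """
    if loss <= 0:
        raise ValueError("loss must be positive; a lossless path is not loss-limited")
    return c * mss_bytes * 8 / (rtt_s * math.sqrt(loss))


def link_utilisation(link_bps, rtt_s, loss):
    """Fraction of a link a single loss-limited TCP flow can fill (capped at 1.0)."""
    return min(1.0, mathis_throughput_bps(rtt_s, loss) / link_bps)


def max_loss_for_full_link(link_bps, rtt_s, mss_bytes=MSS_BYTES, c=1.0):
    """Largest loss rate at which the Mathis ceiling still reaches the link rate.

    Solves link = c * MSS * 8 / (RTT * sqrt(p)) for p.
    """
    return (c * mss_bytes * 8 / (rtt_s * link_bps)) ** 2


# Profiles taken from the post: (label, RTT in seconds, loss fraction)
PROFILES = [
    ("post: 100 Mbps link, 80 ms, 2% loss", 0.080, 0.02),
    ("post: demo link, 50 ms, 5% loss", 0.050, 0.05),
    ("post: low-cost VPN, 1% loss (80 ms assumed)", 0.080, 0.01),
    ("post: MPLS, 0.1% loss (80 ms assumed)", 0.080, 0.001),
    ("post: SLA burst, 3% loss (80 ms assumed)", 0.080, 0.03),
]

if __name__ == "__main__":
    for label, rtt, loss in PROFILES:
        bps = mathis_throughput_bps(rtt, loss)
        share = link_utilisation(100e6, rtt, loss)
        print(f"{label:46s} {bps / 1e6:6.2f} Mbps  ({share:.1%} of 100 Mbps)")
    p = max_loss_for_full_link(100e6, 0.080)
    print(f"A 100 Mbps link at 80 ms RTT is loss-limited above p = {p:.2e}")
```

The 1% versus 0.1% comparison shows why the post's "10 times higher" loss rate matters: throughput scales with 1/√p, so ten times the loss costs a factor of about 3.2 in throughput, not 10.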

The post Packet Loss Recovery appeared first on Free WAN Optimization Software.

by Wanop at March 23, 2015 09:31 PM

Peter's CCIE Musings and Rants

Great Explanation of the SIP Diversion header

Hi Guys!

Found this blog post on the SIP Diversion header and had to share it; it's a really good explanation of exactly when it's used, and his reading of the RFC is most enlightening:
  • A change to the ultimate destination endpoint of a request. A change in the Request-URI of a request that was not caused by a routing decision. This is also sometimes called a deflection or redirection.
  • A diversion can occur when the “user” portion of the Request-URI is changed for a reason other than expansion or translation.
  • A diversion can occur when only the “host” portion of the Request-URI has changed if the change was due to a non-routing decision.

In other words, some sort of forward set on the users phone.


https://andrewjprokop.wordpress.com/2014/09/22/an-introduction-to-the-sip-diversion-header/

by peter_revill (noreply@blogger.com) at March 23, 2015 05:51 PM

Cisco Mediasense (Cheap and cheerful Call recording)

Hi Guys!

I recently had to install Cisco MediaSense to configure another feature. From everything I can tell, Cisco MediaSense is essentially a fairly rudimentary call recording solution. Cisco talks a lot about its open API, network-based architecture, etc., but for me it's really just a great way to get cheap recording.

To deploy it, all you need to do first is obtain the ISO and install it as a virtual machine, just like any other voice application.

It is licensed per concurrent recording. From what I can tell, the price per user hovers between $20 and $40, so for an organization with a T1 and a small call center it's pretty cost effective: around $400 to $500 (maybe a little more once maintenance is added) to record up to 24 sessions at a time.

There is another part number available for it:  MCP-10X-AUD-10PACK which includes 10 concurrent ports.

The configuration of MediaSense itself is extremely straightforward. When you first log in to the MediaSense server it will prompt you to configure a username/password for connectivity to AXL on CUCM.

Note: this SHOULD NOT and in fact CANNOT be your usual admin user. Resist the temptation to slack off and use your admin account; instead, create a new AXL user for this. That user will also require CM administration privileges.


Once this is done MediaSense is essentially configured! There is very little else you can configure, except for selecting which users can use the 'Search and Play' functionality.

You do this by navigating to Administration -> MediaSense API User Configuration.



The fact that they call this section MediaSense API User, along with the very limited functionality available to the user, makes Cisco's insistence that this is simply a device for COLLECTING the media, not for organizing/searching through it, even more obvious.

The GUI that is available to search through recordings can be found at the following URL:

https://:8440/mediasense/

You can log in with the user you defined as a MediaSense API user previously.


The GUI is pretty limited, as you can see, in terms of searching and organizing, but you can export the recordings, save them and even perform a live monitor by clicking on "Active Calls".

For the CUCM configuration, the first step is to configure a SIP trunk pointing to the IP address of the MediaSense server. This is straightforward, so the steps are not outlined below.

Once this is done, you need to create a route pattern and point a number to this SIP trunk.

Finally, you need to define a call recording profile under:
Device -> Device Settings -> Call Recording Profile

The settings for this are shown below; obviously, replace 9998 with the number you configured previously and pointed to the SIP trunk.



To configure a phone to use the call recording feature, you must first make sure the phone has Built-in Bridge enabled under the phone configuration; next, go to the phone's line and select the call recording profile:




For troubleshooting, I find it helpful to turn on the recording beeps so that you can tell the call is being recorded. This is found back under the phone device configuration:




So there you have it: cheap and cheerful call recording that might be all you need for certain situations.

I hope this helps someone out there!
by peter_revill (noreply@blogger.com) at March 23, 2015 11:55 AM

XKCD Comics

March 21, 2015

Bridging the gap between CCIE RS and SP

Router Mode – Out of Path

Wanos runs in bridge mode by default. In some cases it might not be possible to place a simple bridge appliance in-line or in-path. In this scenario, out-of-path deployment can be used by configuring the WAN optimizer in router mode or server mode.

In router mode only the physical wan0 interface is used. The primary IP address is used to indicate wan0 traffic. One or more secondary IP addresses are configured to indicate the lan0 networks. This implementation is designed to preserve IP visibility throughout the network: addresses are not translated or proxied, so clients, servers and network visibility tools see the original source and destination addresses.

Source based or policy based routing:

In the following diagram the data center WAN optimizer's primary and secondary addresses share a segment with the gateway router. Optimized traffic from the WAN is directed to the wan0 address 10.0.0.2. Traffic from the LAN that needs to be optimized is directed to the virtual LAN address 10.0.0.1. High availability with safe fail-over is possible by tracking the WAN accelerator address.

Policy Based Routing Out of Path

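What the gateway router side of the policy-based routing variant above could look like, as an added example in Cisco IOS syntax (not Wanos documentation and not configuration from the original post). The 10.0.0.1 and 10.0.0.2 addresses are the ones named in the post; the interface names, the local 192.168.10.0/24 and remote 192.168.20.0/24 subnets, and the 5-second probe interval are assumptions. The `track` object implements the fail-over the post describes: if the accelerator address stops answering, the `set ip next-hop verify-availability` clauses are skipped and traffic follows the normal routing table.

```cisco
! Assumed topology: Gi0/0 faces the LAN (192.168.10.0/24), Gi0/1 faces the WAN,
! and the router shares the 10.0.0.0/24 segment with the Wanos appliance
! (wan0 primary 10.0.0.2, virtual lan address 10.0.0.1, both from the post).

! Probe the accelerator's virtual LAN address so PBR can fail safe
ip sla 1
 icmp-echo 10.0.0.1
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability

! Only inter-site traffic is steered through the optimizer (subnets assumed)
ip access-list extended LAN-TO-REMOTE
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
ip access-list extended REMOTE-TO-LAN
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255

! LAN-originated traffic -> virtual lan address 10.0.0.1 (only while track 1 is up)
route-map TO-WANOP-LAN permit 10
 match ip address LAN-TO-REMOTE
 set ip next-hop verify-availability 10.0.0.1 10 track 1
route-map TO-WANOP-LAN permit 20
 ! no set clause: everything else, and all traffic when track 1 is down, is routed normally

! WAN-originated (optimized) traffic -> wan0 address 10.0.0.2
route-map TO-WANOP-WAN permit 10
 match ip address REMOTE-TO-LAN
 set ip next-hop verify-availability 10.0.0.2 10 track 1
route-map TO-WANOP-WAN permit 20

interface GigabitEthernet0/0
 description LAN (assumed)
 ip policy route-map TO-WANOP-LAN
interface GigabitEthernet0/1
 description WAN (assumed)
 ip policy route-map TO-WANOP-WAN
```

Because no interface in the 10.0.0.0/24 segment carries a policy map, traffic the appliance hands back to the router is not re-steered, which avoids a forwarding loop between the router and the optimizer.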

Simple routing:

In the following diagram the data center WAN optimizer's primary address shares a segment with the gateway router. Traffic from the WAN is directed to the wan0 address 10.0.0.2. Devices on the LAN have their default gateways set to the WAN accelerator's virtual LAN addresses 10.1.1.1 and 10.2.2.1. High availability is possible by configuring secondary routes.

Router mode Out of Path

The post Router Mode – Out of Path appeared first on Free WAN Optimization Software.

by Wanop at March 21, 2015 04:27 PM

March 20, 2015

Network Design and Architecture

Networking Basics – Test2

There are 12 networking questions below. Most of them are relatively basic networking questions. Although this post is about networking basics, click here to solve advanced networking tests. If you liked this test, you will like this one too. How was it? Leave your comment in the comment box.

The post Networking Basics – Test2 appeared first on Network Design and Architecture.

by orhanergun at March 20, 2015 12:59 PM

XKCD Comics

March 19, 2015

Network Design and Architecture

Campus Network Design Scenario

In this post I will give you a campus network design scenario and, as always, will wait for your answers. You need to specify what the mistakes are and recommend technical solutions to Superent, which is a fictitious company, and don’t forget to base your answers on customer requirements rather than industry… Read More »

The post Campus Network Design Scenario appeared first on Network Design and Architecture.

by orhanergun at March 19, 2015 07:58 PM

PACKETattack

Can You Still Get To The Top Climbing the Cisco Certification Ladder?

Should you go from the CCNA to the CCIE directly? Why or why not? Considering SDN, is going after the CCIE even a good idea? I opine.

by Ethan Banks at March 19, 2015 02:05 PM

Networking Now (Juniper Blog)

7,617 Tests Later, and Juniper’s Firewall Stops Threats Faster

How well does your IPS stack up? We decided to do some in-house testing to see how our firewall solutions measured up against some of our competitors in terms of detecting and stopping attacks. The results are something you may find interesting.

by bwoodberg at March 19, 2015 01:25 AM

March 18, 2015

Networking Now (Juniper Blog)
Network Design and Architecture

Networking Quiz

I prepared 14 networking questions for you. There are design and theory based questions. Some questions have only one answer, some have multiple. Each correct option is 4 points. This is a general networking quiz which includes many different questions. Check other networking quizzes here. How was your score? Did you… Read More »

The post Networking Quiz appeared first on Network Design and Architecture.

by orhanergun at March 18, 2015 06:37 PM

XKCD Comics

March 17, 2015

Networking Now (Juniper Blog)

How does Expedient outperform the competition? By offering innovative, affordable services like DRaaS built on Juniper vSRX

Colocation and hosting managed service providers (MSPs) are under extreme pressure these days. Commoditization has driven margins down, causing considerable jockeying for position as MSPs try to differentiate themselves in an increasingly saturated market.


by Mora Gozani at March 17, 2015 11:15 PM

Internetwork Expert Blog

CCIE Data Center Rack Rental Scheduling Changes

In an effort to give our CCIE Data Center Rack Rentals a fairer scheduler, we’ve implemented a new QoS policy for them as follows:

  • Users can have a maximum of 3 concurrent sessions scheduled
  • Sessions can be a maximum of 9 hours apiece
  • Maximum hours per month limit is now removed
  • Base sessions (Nexus 7K/5K) and add-ons (UCS/SAN & Nexus 2K/SAN) are now 8 tokens per hour

Note that these changes will only affect new session bookings, not any sessions that you already have reserved.

For those of you looking for more dedicated rack time, I would suggest looking into our CCIE Data Center Bootcamp, where students get 12 days of 24/7 access to all hardware platforms in our racks (Nexus 7K/5K/2K, MDS, & UCS).

Happy Labbing!

by Brian McGahan, CCIE #8593, CCDE #2013::13 at March 17, 2015 07:54 PM

The Networking Nerd

Insecurity Guards


Pick a random headline related to security today and you’ll see lots of exclamation points and dire warnings about the insecurity of something we thought was inviolate, such as Apple Pay or TLS. It’s enough to make you jump out of your skin and crawl into a dark hole somewhere, never to use electricity again. Until you read the article, that is. After going through a couple of paragraphs, you realize that a click-bait headline about a new technology actually underscores an age-old problem: people are the weakest link.

Engineered To Be Social

We can engineer security for protocols and systems until the cows come home. We can use ciphers so complicated that even Deep Thought couldn’t figure them out. We can create a system so secure that it could never be hacked. But in the end that system needs to be used by people. And people are where everything breaks down.

Take the most recent Apple Pay “exploit” in the news that’s been making all the headlines. The problem has nothing to do with Apple Pay itself, or the way the device interacts with the point-of-sale terminal. It has everything to do with enterprising crooks calling in to banks and impersonating users to get a live, breathing person on the other end of the phone to override security safeguards and break the system down. An hourly employee of the bank can put all the defense-in-depth research to naught in a matter of keystrokes.

It is the way it is because people are dumb, panicky, and dangerous. When confronted with situations that are outside their norm they tend to freeze up and do the wrong thing. Take this scene from Sneakers (which is an excellent movie you should go watch right now):

When I originally started writing this post, that scene stuck out in my mind as a brilliant way to illustrate how less-than-savory people get around high technology with simple solutions, like kicking in a door protected by a keypad. But then I watched the scene again and found an even better example of my point. Look how Robert Redford and River Phoenix work together to distract and eventually overwhelm the security guard. The guard knows that no one should be able to get through the gate without the right keycard. With a bit of distraction, some added stress, and an apparently helpless but irritated user, Redford is able to social engineer his way into the building with little effort. The movie is full of these kinds of scenes.

The point is not that Robert Redford can talk his way into a building. The point that should be illustrated is that people override security decisions every day. Writing down passwords. Ignoring security warnings. Clicking on believable but fake exploits. It’s done because it’s quicker or easier, or it’s done to get rid of a screaming customer on the other end of the phone. Policies are ignored and shortcuts are taken to make things easy. So how do we fix it?

Teach It, Don’t Tech It

The absolute last thing you should do when trying to fix these issues is to create another layer of technology to insulate the issue. That leads to two problems. The first is that people will begin to see the new solution as yet another problem and try to create shortcuts to work around it. The second, which is a more sinister issue, is that you’ve essentially told those people that they can’t understand why this is a problem, and you’ve decided to marginalize them instead of teaching them. They may not realize it, but you’ve silently placed them lower on the intelligence ladder than a few bytes of code.

People need to know why things are the way they are. If the policy says not to write down a password, tell people why that is. If the rules say you don’t override a lockout for a PIN or add a card to a person’s account without certain information then you need to tell people why you don’t do that. A policy or security feature without an explanation is merely an annoyance. One that will be circumvented. Making your users aware of the reason for a policy makes it something that’s hard to ignore. You’re more likely to get traction by treating your users like people, not automatons.


Tom’s Take

Kevin Mitnick (@KevinMitnick) wrote an entire book about social engineering and how easy it is to accomplish. As security systems become more complicated and much less simple to fool, the majority of miscreants aren’t going to spend hours upon hours trying to hack a handshake protocol or create hash collisions. Instead, they will attack the weakest link in the chain. That will almost undoubtedly be the users of the system. We have to make our users smart enough to know when people are trying to take advantage of them and close that loop. Or at least make that loop as difficult to breach as the rest of the system. That’s the only way to be sure that the security measures we put in place can be used to their fullest potential. Just make sure that everyone knows that Eddie Vedder doesn’t work in accounting.



by networkingnerd at March 17, 2015 03:06 AM