Collection of useful, relevant or just fun places on the Internets for %dateend% and a bit commentary about what I've found interesting about them:

Advertise here with BSA

The post Internets of Interest – 27 July 2014 appeared first on EtherealMind.

Maxim Gelin sent me an interesting question:

Can you please explain to me, why is STP supposed to be evil? What's wrong with STP?

STP’s fundamental problem is that it’s a fail-close, not a fail-open protocol.

Read more ...

Kirk Byers has been doing network automation work for quite a while now. I've been following his Pynet mailing list, where he teaches list members in a series of structured lessons how to code in Python, harnessing the scripting language's power for network automation. I met Kirk at Cisco Live US, and we got to chat for a few minutes. He agreed to come on the show anyway. Kirk discusses network automation with the Packet Pushers, drawing on his experience with Python and Ansible. We also discuss how network automation techniques relate to the larger world of software defined networking. Discussion What do we mean by "network automation"? Is network automation SDN? Python. What is it? (We're brief here, because Packet Pushers did show 176 with more information about Python.) Use-cases for network automation, such as information gathering and network device configuration. How an overlay/underlay networking model will facilitate network automation. Ivan Pepelnjak discussed this to a certain extent recently in this blog post. How white box switching could facilitate network automation (since it is Linux). How Ansible can be used for network device configuration. Links Ansible is Simple IT Automation Kirk Byers (kirkbyers) on Twitter Python for Network Engineers Unit testing - Wikipedia, the free encyclopedia

In modern network architecture, most designs are redundant, often all the way through. Hosts uplink to two different ToR switches. Those ToR switches usually have two uplinks to a distribution layer or potentially more uplinks in leaf-spine designs. Spine switches uplink to a pair of core switches. Physical firewalls are deployed as clusters. […]

In the last few posts on this topic, we’ve talked about the various bits and parts of the DNS system, from who pays to how it works to DNS tools. This time, we’re going to finish off DNS in this (probably record breaking for Packet Pushers) series, and talk about some various aspects of DNS […]

Author information

The post HTIRW: DNS Security appeared first on Packet Pushers Podcast and was written by Russ White.

http://www.netcraftsmen.net/blogs/entry/retrieving-music-on-hold-moh-files-from-cucm.html

This is one of a multi-part series on the Ethernet switching landscape I wrote to support a 2-hour presentation I made at Interop Las Vegas 2014. Part 1 of this written series appeared on NetworkComputing.com. Search for the rest of this series. One of the more specialized featured that appears in a limited […]

This is one of a multi-part series on the Ethernet switching landscape I wrote to support a 2-hour presentation I made at Interop Las Vegas 2014. Part 1 of this written series appeared on NetworkComputing.com. Search for the rest of this series. Ethernet switches have been a focal point of software defined networking. […]

Folks, this is a first for me on this blog – a guest post. In this case, I was interviewed by TechnologyAdvice’s Clark Buckner about my involvement with Interop. Since I’m a big fan of Interop as a vendor-neutral conference designed to bring together all the IT silos, it was an easy interview […]

Yesterday, I was briefed by the good folks at D-Link about their managed Ethernet switches. If you’re like I was, you think of D-Link purely as a consumer-grade line of switches aimed at home users. Reality is that D-Link also has managed switches that are worth evaluating for the small-to-medium sized enterprise. Why? […]

On 16-July-2014, I attended a webinar hosted by Curt Brune of Cumulus Networks on ONIE. This post is a distillation of some key points from that webinar. What is the Open Network Install Environment (ONIE)? Conceptually, ONIE (pronounced oh-nee) is a network OS installer used by several whitebox switching vendors to load a network […]

Someone recently sent me this scenario:

Our CIO has recently told us that he wants to get rid of MPLS because it is too costly and is leaning towards big Internet lines running IPSEC VPNs to connect the whole of Africa.

He was obviously shopping around for free advice (my friend Jeremy Stretch posted his answers to exactly the same set of questions not so long ago); here are the responses I wrote to his questions:

Read more ...

Thanks to all of you that helped me raise money for New Hampshire’s Mount Washington Observatory through the annual “Seek The Peak” hike to Mt. Washington’s summit. I completed the hike on Saturday. If you’d like to read about that hike and see a pile o’ pictures, go to my family’s hiking blog. […]

At APNIC Labs we’ve been working on developing a new approach to navigating through some of our data sets the describe aspects of IPv6 deployment, the use of DNSSEC and some measurements relating to the current state of BGP.

The ASA logging gives you lots of great info but it tends to have loads of info coming up all at once. I tend to do a trick where I know the IP address I am looking for, so I constantly type:

show log | inc

then I try and generate the traffic and capture the entry in the log.

However, someone else has a great way to disable specific logs

http://tekcert.com/blog/2014/07/23/how-disable-useless-logs-cisco-asa?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Tekcert+%28tekcert.com%29


Great stuff!

INE is offering a $500 off special for a 1 year All Access Pass for our blog readers here. To get the special just click on the INE banner to the left and it will take you to the sign up site for the discount. Not sure how long they will keep the discount going so keep that in mind

Summer is the perfect time for campfire stories – here’s one about using the wrong tool for the job.

A Long time ago in an IT organization far, far away Artificial Intelligence (AI) was the coolest kid on the block.

Read more ...

This is an exciting year for me. I joined Juniper Networks and my first week, I submitted a lab proposal representing Juniper for the VMworld 2014 Hands-on Lab.  Weeks later, it was approved and two weeks ago, I finalized the lab and document.  I am so incredibly excited that for the first time ever, Juniper Networks is represented in the VMworld Hands-on Lab.

What will be covered in the lab you ask? The lab of course covers some, but not all, of our Security virtualized products.  If you would like a complete listing of these products, please review my previous blog post.

 

 

 

 

 

 

 

 

 

 

 

The Hands-on lab for 2014 is lab

 

HOL-PRT-1472 : Juniper Virtual Security for the Enterprise and Service Provider Environment

 

covers Juniper Junos Space with Security Director and Virtual Director, Firefly Perimeter, and DDoS Secure.  The agenda for the lab is:

 

 

 

HOL-PRT-1472

Juniper Virtual Security for the Enterprise and Service Provider Environment

 

Lab Overview

 

Juniper Junos Space 101

            Introduction to Space

            Introduction to Virtual Director

            Introduction to Security Director

 

Managing Your Physical and Virtual Infrastructure with Juniper Junos Space

            Use Cases for Juniper Junos Space and Firefly Perimeter

            Deploying Firefly Perimeter

            Virtual Director – Greater Detail

            Security Director – Greater Detail

            Why Juniper for Your Physical and Virtual Infrastructure

 

Juniper DDoS Secure

            Why Juniper DDoS Secure

            Introduction to Juniper DDoS Secure

            Introduction to Juniper DDoS Secure UI

            Configuration of Testing Environment

            Low and Slow Attack

 

If you are interested in taking the lab, the hours are:

 

• Sunday, August 24: 9:00 am – 7:00 pm
• Monday, August 25: 10:30 am – 7:00 pm
• Tuesday, August 26: 10:30 am – 6:00 pm
• Wednesday, August 27: 8:00 am – 5:00 pm
• Thursday, August 28: 8:00 am – 3:00 pm

 

Information on the Hands-on Labs

 

I look forward to seeing you there! Make sure you stop by and say hi!!!

Big Switch Networks (BSN) launches Version 4.0 of Big Cloud Fabric for hardware-centric SDN data centre fabric. The Data Centre Fabric solution clearly shows the maturity gained from 5 years of shipping products while adding innovation in switch hardware through Switch Light operating system. At the same time, they have completed the transition from platform to product. A product that really has what you need in a hardware-centric SDN platform and addresses nearly all of the issues the competitors have not addressed. And it is shipping now.

Advertise here with BSA

The post Big Switch Networks Launches Mature Hardware-Centric Data Centre SDN Solution appeared first on EtherealMind.

Last month I was asked to speak about Next Generation Networks at Indonesian Network Operators Group (IDNOG) forum. Whenever I speak about this subject with my customers, I usually use top down approach: started by talking about the business drivers and requirements, NGN architecture, to high level and low level design, before going deep into details to each supporting technology.

This time I decided to take a different approach. Instead, I tried to demonstrate how to build a new SP network from bottom to up. The objective is to show how the network can be transitioned from the simple one that offers a single service, to the one that carry multiple services and become resilient Next Generation Networks. I don't know if the message was received by the attendees, but I run out my 30 minutes time so I continued that effort by conducting the webex session few weeks ago.


The presentation I made for that session inspires me to write down about the six phases of network evolution below. And the phase will end up with the one thing that has become hot topic these days: Software Defined Network (SDN).

Phase 1: It begins with connectivity
When we build the network from ground up, the first and most important thing to focus is all about connectivity. Site A can connect to site B. User can access the server. This means we need to build the physical topology, enable layer 2 and L3 routing protocols (IGP, BGP) to provide connectivity. And it is common to deliver only single service (Internet/data) on global routing table.

Phase 2: Converged network and multi-services
Then comes the next requirement to use the same network to deliver multiple services. MPLS is definitely the protocol of choice by industry to provide overlay in the network, even other tunneling protocols can still be used as long as the objective is achieved. The network now must be able to provide L3VPN and L2VPN services over MPLS, High speed Internet, voice over IP, IPTV for both multicast stream and unicast video on demand, even mobile services and multimedia. Convergence happens in access layer too: one IP MPLS network to carry different types of last-mile access networks technology.

Phase 3: Scalability
When we have big number of users accessing multiple services, especially for Service Provider, scalability factor becomes important. Nowadays we use IGP routing protocol only to connect between SP routers while the customer networks are carried using BGP. IGP must be fine tuned and link-state protocol area design must be done properly to make it scalable. BGP RR design becomes crucial when the number of BGP speakers is high. Multiple BGP AS must be able to work between each other to carry the services seamlessly. Even the design of every part of the network need to be unified and consistent in order to make it easier to scale up.

Phase 4: Services level differentiation
QoS will kick in when there is congestion in the network. When there is no congestion, QoS is applied to limit the service in order to differentiate service level provided to end user. QoS implementation in Service Provider network is obviously different with Enterprise network. In SP it's common to share network infrastructure that spread across the nation connected with WAN links, with potential of network congestion, to serve big number of users trying to access multiple services. QoS makes sense to be applied to prioritize certain type of traffic, or to charge the customer differently depending on the agreed service level. In Enterprise network such as LAN campus network or data center, it is already considered low latency network with sufficient bandwidth pipe hence the QoS implementation focus is most likely on the WAN link.


Phase 5: High availability and resiliency
The target for HA and resiliency in the network depends on how much we can tolerate services unavailability. Some customers can afford network downtime for days while others can only tolerate fraction of seconds. Some applications can continue to work, or to resume immediately, when it gets disconnected for more than few seconds while some others can show serious disruption when the network is down within miliseconds. So we need to look at high availability and resiliency from end to end perspective. Physical topology redundancy is good but may not be enough. Link down or network node down detection becomes crucial. IGP can be fined tune to react below 500 ms. Hardware availability combined with NSF, NSR and GR may be able to provide 0 packet drop during route-processor failover. BGP fast convergence is done in forwarding plane, even in control plane it still relies on IGP convergence. Multicast streams can be active-active and in parallel using path diversity to provide always-on IPTV service. MPLS TE and IP FRR may be used to achieve sub-50 ms while waiting for the IGP to fully converged, in exchange of more complexity in the network. And infrastructure security is another factor to consider to ensure network availability.

Phase 6: Manageability, agility and efficiency
"Simplicity is the prerequisite for reliability". In order to provide reliable services it should be simple enough to run the network. Some believe if network management works as expected we won't even talk much about SDN. The fact that the network today has become very complex to manage, even with various management tools available in the market, makes many of us are looking for the solution that seems to be promised by SDN. We still need to run lots of management protocol like SNMP and RMON. We still need to secure management channel through SSH or other encrypted channel. But now we want the network to be agile to adopt to the changes that come from lots of new applications. We need to be able to provision new services quicker. We are talking more and more about automation and network programmability. We want the network to be efficient. We want to hide all the complexity that happens in the network to make it efficient for the operator to run and manage it. And SDN may be able to do so by providing the abstraction to provide the simplicity to run the network.



In the end, with the amount of complexity built up when the network transforms from one phase to the other as above, it's clear why SDN looks promising. It's easier now to understand why people believe SDN is the answer.
Because it's simply the part of the network evolution.

The recent violence in Iraq and the government’s actions to block social media and other Internet services have put a spotlight on the Iraqi Internet. However, an overlooked but important dynamic in understanding the current Iraqi Internet is the central role Kurdish ISPs play in connecting the entire country to the global Internet.

In the past five years, the Internet of Iraq has gone from about 50 networks (routed prefixes) to over 600. And what is most noteworthy this that the growth has not occurred as a result of increased connectivity from the submarine cable landing at Al Faw, as would be expected in a typical environment. Instead the dominant players in the Iraqi wholesale market are two Kurdish ISPs that connect to the global Internet through Turkey and Iran: Newroz and IQ Networks.

Help from the Kurds

The Iraqi Kurdistan region contains four main cities: Erbil, Duhok, Zakho and Sulaymaniyah. Newroz covers the first three, while IQ Networks provides service in the last. However, it would be incorrect to simply classify these providers as city-level retail ISPs. They also carry significant amounts of traffic for the rest of the country.

From the relative peace and stability of Kurdistan, Newroz and IQ Networks sell transit to Iraqi ISPs in the biggest markets — those in the middle and south of Iraq. Central Iraq ISPs, such as Earthlink, ScopeSky, and FastIraq, attain transit from the Kurdish providers by connecting in northern Iraqi cities of Mosul and Kirkuk.

Five years Iraqi Internet growth

The graph below illustrates the overall growth of the Iraqi Internet over the last five and a half years. The total count of Iraqi networks (routed prefixes) is depicted in purple and the networks transited by either Newroz (blue), IQ Networks (green) or both (yellow) are overlaid as a stacked plot in the forefront. At last count, 73% of Iraq networks are routed through these two providers. And if you count unique IP addresses, these two Kurdish providers transit 86% of all Iraqi IP address space.

The remaining networks are either routed through Jordan (e.g. Earthlink to Damamax), various satellite service providers, smaller direct connections to Turkey or submarine cable connectivity at the Al Faw cable landing (most notably ITC service to GTT). Below are recorded remarks by Prime Minister Nouri al-Maliki at the opening ceremony of ITC fiber service during which he said, “fiber optic cables have paved the way in revolutionizing the world of communications and this will now be witnessed in Iraq.”

The following graph is similar to the previous one, but limited to just 2014 to more clearly illustrate recent changes. You can see a discontinuity in June as militants destroyed an interconnection point in Mosul, impacting Internet traffic transited by Newroz from central Iraq. Most notably Earthlink lost its service from Newroz and Damamax in this incident.

Low Risk of Disconnection

In 2012, Jim Cowie classified Iraq as “low risk of disconnection” in his blog post Could it happen in your country?. The conclusion was that due to the diversity of external transit sources (submarine cable, satellite, and terrestrial via Turkey, Iran and Jordan), it would be difficult to completely disconnect the Iraq from the global Internet. It may be cold comfort for those Iraqis who were (and still are) impacted by the recent blackouts, but this back-of-the-envelope analysis was proven correct by recent events.

In fact, it is the latest attempted shutdowns (including the failed attempt last fall during a pricing dispute) that prove, perhaps surprising to some, how resilient the Internet of Iraq is. And that resiliency is primarily due to Kurdish transit.

The post Kurdish ISPs enable growth of Iraqi Internet appeared first on Renesys.

The race to make things just a little bit faster in the networking world has heated up in recent weeks thanks to the formation of the 25Gig Ethernet Consortium.  Arista Networks, along with Mellanox, Google, Microsoft, and Broadcom, has decided that 40Gig Ethernet is too expensive for most data center applications.  Instead, they’re offering up an alternative in the 25Gig range.

This podcast with Greg Ferro (@EtherealMind) and Andrew Conry-Murray (@Interop_Andrew) does a great job of breaking down the technical details on the reasoning behind 25Gig Ethernet.  In short, the current 10Gig connection is made of four multiplexed 2.5Gig connections.  To get to 25Gig, all you need to do is over clock those connections a little.  That’s not unprecedented, as 40Gig Ethernet accomplishes this by over clocking them to 10Gig, albeit with different optics.  Aside from a technical merit badge, one has to ask themselves “Why?”

High Hopes

As always, money is the factor here.  The 25Gig Consortium is betting that you don’t like paying a lot of money for your 40Gig optics.  They want to offer an alternative that is faster than 10Gig but cheaper than the next standard step up.  By giving you a cheaper option for things like uplinks, you gain money to spend on things.  Probably on more switches, but that’s beside the point right now.

The other thing to keep in mind, as mentioned on the Coffee Break podcast, is that the cable runs for these 25Gig connectors will likely be much shorter.  Short term that won’t mean much.  There aren’t as many long-haul connections inside of a data center as one might thing.  A short hop to the top-of-rack (ToR) switch, then another different hop to the end-of-row (EoR) or core switch.  That’s really about it.  One of the arguments against 40/100Gig is that it was designed for carriers for long-haul purposes.  25G can give you 60% of the speed of that link at a much lower cost.  You aren’t paying for functionality you likely won’t use.

Heavy Metal

Is this a good move?  That depends.  There aren’t any 25Gig cards for servers right now, so the obvious use for these connectors will be uplinks.  Uplinks that can only be used by switches that share 25Gig (and later 50Gig) connections.  As of today, that means you’re using Arista, Dell, or Brocade.  And that’s when the optics and switches actually start shipping.  I assume that existing switching lines will be able to retrofit with firmware upgrades to support the links, but that’s anyone’s guess right now.

If Mellanox and Broadcom do eventually start shipping cards to upgrade existing server hardware to 25Gig then you’ll have to ask yourself if you want to pursue the upgrade costs to drive that little extra bit of speed out of the servers.  Are you pushing the 10Gig links in your servers today?  Are they the limiting factor in your data center?  And will upgrading your servers to support twice the bandwidth per network connection help alleviate your bottlenecks? Or will they just move to the uplinks on the switches?  It’s a quandary that you have to investigate.  And that takes time and effort.

---

 

Tom’s Take

The very first thing I ever tweeted (4 years ago):

40GB and 100GB Ethernet ratified: http://bit.ly/9WeKiI Probably over Cat 6 cable with a distance of 3 inches.—
Tom Hollingsworth (@networkingnerd) June 21, 2010

We’ve come a long way from ratified standards to deployment of 40Gig and 100Gig.  Uplinks in crowded data centers are going to 40Gig.  I’ve seen a 100Gig optic in the wild running a research network.  It’s interesting to see that there is now a push to get to a marginally faster connection method with 25Gig.  It reminds me of all the competing 100Mbit standards back in the day.  Every standard was close but not quite the same.  I feel that 25Gig will get some adoption in the market.  So now we’ll have to choose from 10Gig, 40Gig, or something in between to connect servers and uplinks.  It will either get sent to the standards body for ratification or die on the vine with no adoption at all.  Time will tell.

 

Repeat guest and friend of the Packet Pushers Ron Fuller chats with Greg Ferro and Ethan Banks about the latest updates to both the hardware and software in the ever-growing and capable Cisco Nexus product line. We get a thorough update in this show, hitting lots and lots of highlights. Discussion What's new with the Nexus 7K product line? New hardware in the form of the 7706, 7710, 7718 chassis. New F3 line cards. Additions to the Nexus 6K line with the 6004X chassis, featuring all removable LEMs. NX-OS continues to mature. The 6.2 code train now has "long lived" releases for customers who wish to standardize on specific builds. The Nexus Validation Testing program continues to grow in scope. New software services include Remote Integration of Services Engines (RISE) and Intelligent Traffic Director (ITD). The Nexus 5K line gets new models in the 5672 and 56128 which feature line rate L3 forwarding. What is Dynamic Fabric Automation, and how has customer adoption been? Links Cisco Nexus 7700 Data Sheet Cisco Nexus I/O Modules Data Sheets (including the F3 modules) Cisco Remote Integrated Service Engine Cisco/Citrix RISE-related White Paper Cisco Nexus 7000 NX-OS 6.2 Release Notes

There are many algorithms that can be used to for flow-based hashing to provide the best load balancing method over multiple IP or Ethernet connections but I recently learned that Cuckoo Hashing the preferred method.

Advertise here with BSA

The post Response: Improving Flow Based Hashing on ECMP with Cuckoo hashing appeared first on EtherealMind.

The CCIE Routing & Switching Advanced Technologies Class v5 resumes Wednesday, July 23rd at 8:00 AM PDT (15:00 UTC) at live.ine.com, where we will be discussing MPLS Layer 3 VPN. In the meantime, you will find the streaming and download playlists have been updated and now includes over 63 hours of content.

We have some other great news as well. The CCIE R&S v5 Rack Control panel has been released with the built-in telnet, loading and saving configs and one click device configurations and reset requests. Also, new content will be posted this week to the workbook, including all new troubleshooting labs.

---

My Trident 2 Chipset and Nexus 9500 blog post must have hit a raw nerve or two – Bruce Davie dedicated a whole paragraph in his Physical Networks in Virtualized Networking World blog post to tell everyone how the whole thing is a non-issue and how everything’s good in the NSX land.

It’s always fun digging into more details to figure out what’s really going on behind the scenes; let’s do it.

Read more ...

Here is a block diagram showing the functional areas in private & public cloud that I use when working with clients. I'm often explaining the full picture of cloud building especially in relation to how the network can be orchestrated to fully accelerate the cloud process. I hope you find it useful.

Advertise here with BSA

The post My Private Cloud Block Architecture Diagram appeared first on EtherealMind.

When I published the Data Center Design Case Studies book almost exactly a month ago, three chapters were still missing – but that was the only way to stop the procrastination and ensure I’ll write them (I’m trying to stick to published deadlines ;).

The first one of the missing chapters is already finished and available to subscribersand everyone who bought the book or Designing Private Cloud Infrastructure webinar (you’ll also get a mailing on Sunday to remind you to download the fresh copy of the PDF).

The Amazon Kindle version will be updated in a few days.