Someone recently sent me this scenario:
Our CIO has recently told us that he wants to get rid of MPLS because it is too costly and is leaning towards big Internet lines running IPSEC VPNs to connect the whole of Africa.
He was obviously shopping around for free advice (my friend Jeremy Stretch posted his answers to exactly the same set of questions not so long ago); here are the responses I wrote to his questions:
INE is offering a $500 off special for a 1 year All Access Pass for our blog readers here. To get the special, just click on the INE banner to the left and it will take you to the sign up site for the discount. Not sure how long they will keep the discount going, so keep that in mind.
Summer is the perfect time for campfire stories – here’s one about using the wrong tool for the job.
A long time ago in an IT organization far, far away, Artificial Intelligence (AI) was the coolest kid on the block.
This is an exciting year for me. I joined Juniper Networks and my first week, I submitted a lab proposal representing Juniper for the VMworld 2014 Hands-on Lab. Weeks later, it was approved and two weeks ago, I finalized the lab and document. I am so incredibly excited that for the first time ever, Juniper Networks is represented in the VMworld Hands-on Lab.
What will be covered in the lab you ask? The lab of course covers some, but not all, of our Security virtualized products. If you would like a complete listing of these products, please review my previous blog post.
The Hands-on Lab for 2014 is HOL-PRT-1472: Juniper Virtual Security for the Enterprise and Service Provider Environment. It covers Juniper Junos Space with Security Director and Virtual Director, Firefly Perimeter, and DDoS Secure. The agenda for the lab is:
Juniper Virtual Security for the Enterprise and Service Provider Environment
Juniper Junos Space 101
Introduction to Space
Introduction to Virtual Director
Introduction to Security Director
Managing Your Physical and Virtual Infrastructure with Juniper Junos Space
Use Cases for Juniper Junos Space and Firefly Perimeter
Deploying Firefly Perimeter
Virtual Director – Greater Detail
Security Director – Greater Detail
Why Juniper for Your Physical and Virtual Infrastructure
Juniper DDoS Secure
Why Juniper DDoS Secure
Introduction to Juniper DDoS Secure
Introduction to Juniper DDoS Secure UI
Configuration of Testing Environment
Low and Slow Attack
If you are interested in taking the lab, the hours are:
I look forward to seeing you there! Make sure you stop by and say hi!!!
Big Switch Networks (BSN) launches Version 4.0 of Big Cloud Fabric for hardware-centric SDN data centre fabric. The Data Centre Fabric solution clearly shows the maturity gained from 5 years of shipping products while adding innovation in switch hardware through Switch Light operating system. At the same time, they have completed the transition from platform to product. A product that really has what you need in a hardware-centric SDN platform and addresses nearly all of the issues the competitors have not addressed. And it is shipping now.
The post Big Switch Networks Launches Mature Hardware-Centric Data Centre SDN Solution appeared first on EtherealMind.
The recent violence in Iraq and the government’s actions to block social media and other Internet services have put a spotlight on the Iraqi Internet. However, an overlooked but important dynamic in understanding the current Iraqi Internet is the central role Kurdish ISPs play in connecting the entire country to the global Internet.
In the past five years, the Internet of Iraq has gone from about 50 networks (routed prefixes) to over 600. And what is most noteworthy is that the growth has not occurred as a result of increased connectivity from the submarine cable landing at Al Faw, as would be expected in a typical environment. Instead the dominant players in the Iraqi wholesale market are two Kurdish ISPs that connect to the global Internet through Turkey and Iran: Newroz and IQ Networks.
Help from the Kurds
The Iraqi Kurdistan region contains four main cities: Erbil, Duhok, Zakho and Sulaymaniyah. Newroz covers the first three, while IQ Networks provides service in the last. However, it would be incorrect to simply classify these providers as city-level retail ISPs. They also carry significant amounts of traffic for the rest of the country.
From the relative peace and stability of Kurdistan, Newroz and IQ Networks sell transit to Iraqi ISPs in the biggest markets — those in the middle and south of Iraq. Central Iraq ISPs, such as Earthlink, ScopeSky, and FastIraq, obtain transit from the Kurdish providers by connecting in the northern Iraqi cities of Mosul and Kirkuk.
Five years of Iraqi Internet growth
The graph below illustrates the overall growth of the Iraqi Internet over the last five and a half years. The total count of Iraqi networks (routed prefixes) is depicted in purple, and the networks transited by either Newroz (blue), IQ Networks (green) or both (yellow) are overlaid as a stacked plot in the foreground. At last count, 73% of Iraqi networks are routed through these two providers. And if you count unique IP addresses, these two Kurdish providers transit 86% of all Iraqi IP address space.
The remaining networks are either routed through Jordan (e.g. Earthlink to Damamax), various satellite service providers, smaller direct connections to Turkey or submarine cable connectivity at the Al Faw cable landing (most notably ITC service to GTT). Below are recorded remarks by Prime Minister Nouri al-Maliki at the opening ceremony of ITC fiber service during which he said, “fiber optic cables have paved the way in revolutionizing the world of communications and this will now be witnessed in Iraq.”
The following graph is similar to the previous one, but limited to just 2014 to more clearly illustrate recent changes. You can see a discontinuity in June as militants destroyed an interconnection point in Mosul, impacting Internet traffic transited by Newroz from central Iraq. Most notably Earthlink lost its service from Newroz and Damamax in this incident.
Low Risk of Disconnection
In 2012, Jim Cowie classified Iraq as “low risk of disconnection” in his blog post Could it happen in your country?. The conclusion was that due to the diversity of external transit sources (submarine cable, satellite, and terrestrial via Turkey, Iran and Jordan), it would be difficult to completely disconnect Iraq from the global Internet. It may be cold comfort for those Iraqis who were (and still are) impacted by the recent blackouts, but this back-of-the-envelope analysis was proven correct by recent events.
In fact, it is the latest attempted shutdowns (including the failed attempt last fall during a pricing dispute) that prove, perhaps surprising to some, how resilient the Internet of Iraq is. And that resiliency is primarily due to Kurdish transit.
The race to make things just a little bit faster in the networking world has heated up in recent weeks thanks to the formation of the 25Gig Ethernet Consortium. Arista Networks, along with Mellanox, Google, Microsoft, and Broadcom, has decided that 40Gig Ethernet is too expensive for most data center applications. Instead, they’re offering up an alternative in the 25Gig range.
This podcast with Greg Ferro (@EtherealMind) and Andrew Conry-Murray (@Interop_Andrew) does a great job of breaking down the technical details and the reasoning behind 25Gig Ethernet. In short, the current 10Gig connection is made of four multiplexed 2.5Gig lanes. To get to 25Gig, all you need to do is overclock those lanes a little. That’s not unprecedented, as 40Gig Ethernet accomplishes this by overclocking them to 10Gig, albeit with different optics. Aside from a technical merit badge, one has to ask “Why?”
As always, money is the factor here. The 25Gig Consortium is betting that you don’t like paying a lot of money for your 40Gig optics. They want to offer an alternative that is faster than 10Gig but cheaper than the next standard step up. By giving you a cheaper option for things like uplinks, you gain money to spend on things. Probably on more switches, but that’s beside the point right now.
The other thing to keep in mind, as mentioned on the Coffee Break podcast, is that the cable runs for these 25Gig connectors will likely be much shorter. Short term that won’t mean much. There aren’t as many long-haul connections inside of a data center as one might think. A short hop to the top-of-rack (ToR) switch, then another hop to the end-of-row (EoR) or core switch. That’s really about it. One of the arguments against 40/100Gig is that it was designed for carriers for long-haul purposes. 25G can give you 60% of the speed of that link at a much lower cost. You aren’t paying for functionality you likely won’t use.
Is this a good move? That depends. There aren’t any 25Gig cards for servers right now, so the obvious use for these connectors will be uplinks. Uplinks that can only be used by switches that share 25Gig (and later 50Gig) connections. As of today, that means you’re using Arista, Dell, or Brocade. And that’s when the optics and switches actually start shipping. I assume that existing switching lines will be able to retrofit with firmware upgrades to support the links, but that’s anyone’s guess right now.
If Mellanox and Broadcom do eventually start shipping cards to upgrade existing server hardware to 25Gig then you’ll have to ask yourself if you want to pursue the upgrade costs to drive that little extra bit of speed out of the servers. Are you pushing the 10Gig links in your servers today? Are they the limiting factor in your data center? And will upgrading your servers to support twice the bandwidth per network connection help alleviate your bottlenecks? Or will they just move to the uplinks on the switches? It’s a quandary that you have to investigate. And that takes time and effort.
The very first thing I ever tweeted (4 years ago):
We’ve come a long way from ratified standards to deployment of 40Gig and 100Gig. Uplinks in crowded data centers are going to 40Gig. I’ve seen a 100Gig optic in the wild running a research network. It’s interesting to see that there is now a push to get to a marginally faster connection method with 25Gig. It reminds me of all the competing 100Mbit standards back in the day. Every standard was close but not quite the same. I feel that 25Gig will get some adoption in the market. So now we’ll have to choose from 10Gig, 40Gig, or something in between to connect servers and uplinks. It will either get sent to the standards body for ratification or die on the vine with no adoption at all. Time will tell.
There are many algorithms that can be used for flow-based hashing to provide the best load balancing over multiple IP or Ethernet connections, but I recently learned that Cuckoo Hashing is the preferred method.
The post Response: Improving Flow Based Hashing on ECMP with Cuckoo hashing appeared first on EtherealMind.
The CCIE Routing & Switching Advanced Technologies Class v5 resumes Wednesday, July 23rd at 8:00 AM PDT (15:00 UTC) at live.ine.com, where we will be discussing MPLS Layer 3 VPN. In the meantime, you will find the streaming and download playlists have been updated and now include over 63 hours of content.
We have some other great news as well. The CCIE R&S v5 Rack Control panel has been released with the built-in telnet, loading and saving configs and one click device configurations and reset requests. Also, new content will be posted this week to the workbook, including all new troubleshooting labs.
My Trident 2 Chipset and Nexus 9500 blog post must have hit a raw nerve or two – Bruce Davie dedicated a whole paragraph in his Physical Networks in Virtualized Networking World blog post to tell everyone how the whole thing is a non-issue and how everything’s good in the NSX land.
It’s always fun digging into more details to figure out what’s really going on behind the scenes; let’s do it.
Here is a block diagram showing the functional areas in private & public cloud that I use when working with clients. I'm often explaining the full picture of cloud building especially in relation to how the network can be orchestrated to fully accelerate the cloud process. I hope you find it useful.
When I published the Data Center Design Case Studies book almost exactly a month ago, three chapters were still missing – but that was the only way to stop the procrastination and ensure I’ll write them (I’m trying to stick to published deadlines ;).
The first one of the missing chapters is already finished and available to subscribers and everyone who bought the book or the Designing Private Cloud Infrastructure webinar (you’ll also get a mailing on Sunday to remind you to download the fresh copy of the PDF).
The Amazon Kindle version will be updated in a few days.
The Joint Information Environment requires new solutions.
Today organizations need to be prepared for a number of different types of DDoS attacks on their networks. Juniper Networks announced several new enhancements that allow its DDoS Secure solution to help the network better defend itself by using routers as enforcement points.
What can you do if you have a small team of networking engineers responsible for four ever-growing data centers (with several hundred network devices in each of them)? There’s only one answer: you try to survive by automating as much as you can.
In the fourth episode of Software Gone Wild podcast David Barosso from Spotify explains how they use network automation to cope with the ever-growing installed base without increasing the size of the networking team.
INE is reducing the cost of our live, instructor-led bootcamps by $1,000 each. Our new pricing model will still include access to our workbooks and ATC video courses with the purchase, but will separate out the Lab Exam Voucher and access to our All Access Pass as optional add-ons, to provide you with more flexible options for both your learning style and your budget. If you would like the existing complete, bundled solution, you have until Aug 1 to make a bootcamp purchase.
See this advert for more details.
Look forward to seeing you in a bootcamp soon!
Juniper Networks has the ingredients and lineage to remain one of the top three players in network security, according to a report by Jeff Wilson, principal analyst with Infonetics Research. See what he had to say after attending Juniper's annual Industry Analyst Event.
I’ve been working on Mellanox S-Series switches lately in a largish network with several hundred 10GbE server ports. On the whole, the product has performed beyond my cynically low expectations and the product has good capabilities overall but the command line interface (CLI) is a really poor user experience. How about this gem for configuring […]
As I was reading this article describing examples of certain healthcare practitioners using data mining and analytics of patients’ lifestyles (e.g. foods they eat, activity levels, where they live, etc.) to help predict their risk factor for ailments, I started to draw a parallel to the state of the network. I was thinking about how security analytics of a network may help predict the onset of a data breach. The common goal in both cases, human and network, is to maintain a certain level of health – call it an “equilibrium” state, one that doesn’t require immediate intervention or repair.
Inspired by the table shared in the article describing what certain collected data about a patient could indicate about his/her health habits, I came up with a table containing types of network state which could be indicators of a potential data exploit/breach.
State of Network
Weak password for an online account
This could allow an attacker to uncover the password (by using automated tools), gain access to user data (name, address, phone #, bank account/credit card data) and perform unauthorized transactions (e.g., purchase of a product/service or withdrawal of money from a bank account) on the user’s behalf.
Multiple unsuccessful attempts to search for usernames and passwords via Web browser exploitation techniques
This could result in a data breach.
Improper isolation of HR records, financial, medical, credit/debit card, or other PII data within Enterprise data center/private cloud network
This could inadvertently allow an insider (e.g. employee) access to the network for obtaining and selling data on black market for profit.
Excessive communication requests to a Web server or other resource, slowing it down considerably or rendering it unavailable
This could indicate someone is trying to gain access to the server for malicious intent.
No application layer protection at Enterprise edge
This could allow a hacker to launch an application-layer attack and access data for further exploitation.
Enterprise and service providers would benefit greatly from self-monitoring and constantly improving the health of networks, to minimize the possibility of a data breach.
One of the ways to do this is via technology, including application-aware, next generation firewalls, and strong SIEM solutions and network security management solutions (for firewall management), which provide visibility, analyze network security posture, and alert administrators about unusual network activity.
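Two of the indicators in the table above, repeated unsuccessful login attempts and excessive requests against a web server, are the kind of thing a SIEM would alert on. As an added example that is not part of the original post, the following Python script runs simple sliding-window detection logic over constructed sample log lines. The syslog-like line formats, the thresholds (5 failures in 60 seconds, 100 requests in 60 seconds) and the IP addresses are all assumptions chosen for the illustration.

```python
"""Sliding-window detection of two table indicators over constructed log lines.

Added example, not code from the original post. The log formats, thresholds and
addresses below are assumptions made for the illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (format is an assumption, loosely sshd-like).
# 198.51.100.7 fails five times in seven seconds; 203.0.113.9 fails twice, far apart.
AUTH_LOG = """\
2014-07-21T10:00:01 sshd: Failed password for alice from 198.51.100.7
2014-07-21T10:00:03 sshd: Failed password for alice from 198.51.100.7
2014-07-21T10:00:05 sshd: Failed password for bob from 198.51.100.7
2014-07-21T10:00:06 sshd: Failed password for carol from 198.51.100.7
2014-07-21T10:00:08 sshd: Failed password for dave from 198.51.100.7
2014-07-21T10:00:09 sshd: Accepted password for dave from 198.51.100.7
2014-07-21T10:05:00 sshd: Failed password for alice from 203.0.113.9
2014-07-21T11:30:00 sshd: Failed password for alice from 203.0.113.9
"""

# Constructed sample web access log: 192.0.2.50 sends 120 requests in one minute
# (two per second), while 198.51.100.20 sends three ordinary requests.
ACCESS_LOG = "\n".join(
    [f"2014-07-21T12:00:{i // 2:02d} 192.0.2.50 GET /search 200" for i in range(120)]
    + [
        "2014-07-21T12:00:10 198.51.100.20 GET / 200",
        "2014-07-21T12:00:12 198.51.100.20 GET /about 200",
        "2014-07-21T12:03:40 198.51.100.20 GET /contact 200",
    ]
) + "\n"

AUTH_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
ACCESS_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def max_in_window(times, window):
    """Largest number of events that fall inside any window of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end in range(len(times)):
        # Slide the window start forward until it spans at most `window`.
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def failed_login_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: peak failures in window} for sources at or above threshold."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts, outcome, _user, src = m.groups()
        if outcome == "Failed":
            failures[src].append(datetime.fromisoformat(ts))
    flagged = {}
    for src, times in failures.items():
        peak = max_in_window(times, window)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def excessive_requests(log_text, threshold=100, window=timedelta(seconds=60)):
    """Return {client_ip: peak requests in window} for clients at or above threshold."""
    requests = defaultdict(list)
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts, client, _method, _path, _status = m.groups()
        requests[client].append(datetime.fromisoformat(ts))
    flagged = {}
    for client, times in requests.items():
        peak = max_in_window(times, window)
        if peak >= threshold:
            flagged[client] = peak
    return flagged


def alerts(auth_log=AUTH_LOG, access_log=ACCESS_LOG):
    """Human-readable alert lines, the kind a SIEM rule would raise."""
    out = []
    for src, n in failed_login_bursts(auth_log).items():
        out.append(f"auth: {n} failed logins within 60s from {src}")
    for client, n in excessive_requests(access_log).items():
        out.append(f"web: {n} requests within 60s from {client}")
    return out


if __name__ == "__main__":
    for line in alerts():
        print(line)
```

Both detectors share the same sliding-window counter, so tuning is a matter of picking a threshold and window per indicator; a production rule would also whitelist known scanners and load balancers and correlate the source address across both logs, which this illustration leaves out.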
In addition, humans themselves should be held accountable for security. For one, it is imperative that the IT security team is proactively monitoring the network security posture, carefully balancing access to certain network resources, applications and data with control over the same. In addition, trust plays a big role in maintaining security and privacy, so it is ultimately the responsibility of individuals (business owners and employees) to not exploit data for personal gain.
Someone left the following comment on one of my blog posts:
There is a paradigm shift that I don’t think most application developers understand. In a traditional enterprise model, the network is built around the application requirements, now we are saying the application has to build around the network.
I would say there’s no paradigm shift – developers of well-performing applications were always aware of laws of physics.
BGP in the data center? And MPLS? Are you insane? Well, maybe, yes. But then again, I’ve been known to do a lot of crazy things in my time. Isn’t MPLS a core and edge service provider technology, while VXLAN is an enterprise data center technology? But let’s begin with this idea that technologies are […]