March 27, 2017

ipSpace.net Blog (Ivan Pepelnjak)

Cisco and Apple Agree: QoS Marking Is an Application Problem

The last presentation during the Tech Field Day Extra @ Cisco Live Europe event was a Cisco-Apple Partnership presentation, and we expected an hour of corporate marketese.

Can’t tell you how pleasantly surprised we were when Jerome Henry started his very technical presentation explaining the wireless goodies you get when using iOS with IOS.

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at March 27, 2017 06:26 AM

In Search of Tech

Configuring Microsoft NPS for Aerohive 802.1X Authentication

This post is a starting point for anyone who wants to use 802.1X authentication with Aerohive APs and Microsoft NPS. I will provide configuration screenshots for both of Aerohive’s management platforms and for NPS running on Microsoft Windows 2008 Server. It is not intended to be an exhaustive guide, but it should be a decent starting point. Every implementation will be different in some respect, and some of these steps may not be the exact manner in which you configure Microsoft NPS. The steps for Aerohive may also differ depending on what you are trying to accomplish. I’ll make sure to note my particular scenario when appropriate.

Versions Used:

HiveManager Classic/HM6/HMOL – 6.8r7a

HiveManager NG – 11.19.99.0 (March 2017)

Microsoft Windows 2008 Server

Assumptions:

  1. Basic understanding of navigation within the HiveManager Classic and/or NG interface.
  2. No RADIUS objects or user profiles for 802.1X authentication have been configured within HiveManager Classic or NG. If you have already configured some of them, just skip the steps that cover the creation of those objects.
  3. Microsoft NPS is installed and a server certificate for the NPS machine has been issued and installed.

Scenario

Company XYZ wants to authenticate Active Directory users on a single 802.1X enabled SSID. They want to be able to treat corporate users and contractors with different security policies, QoS, time of day restrictions, etc. This will involve placing the two different types of users in separate user profiles to control access and end user experience. If a corporate user connects, that user will be placed into VLAN 202 after membership in the corporate users group in Active Directory has been verified. If a contractor user connects, that user will be placed into VLAN 203 after membership in the contractor user group in Active Directory has been verified.

Note: To skip down to the HiveManager NG configuration section, click here.

HiveManager Classic Configuration

1. From within the Network Policy Guided Configuration, the first step is to add an 802.1X SSID. If you have not already created one, click on “Choose” and then click on “New”:

2. Another screen will open up to configure this new SSID. Name it whatever you want and select which bands it will be broadcast on. Next, ensure the “WPA/WPA2 802.1X (Enterprise)” button is selected and then click on “Save”.

3. You will be returned to the main configuration screen for the network policy and it will look something like this:

4. Now that the SSID is shown, you will need to select the RADIUS server to use. This will be the “AAA Client Settings” object that is found under the Configuration/Advanced Configuration/Authentication section within HiveManager. Since no RADIUS server is defined, you need to click on the “<RADIUS Settings>” segment and choose “New”.

5. Type in the name of this RADIUS object and give it a description if you want. You will need to create an IP address or domain name object and assign it to the “IP Address/Domain Name” field. I tend to favor using IP addresses over host names, but do whatever you prefer. You will also need to enter a shared secret that will need to match what is configured on the NPS side.

6. Click on “Apply” and it should look like this:

7. Click “Save” and it will return you to the main configuration screen for the network policy. It probably looks like this:

8. Since we want to place corporate users in VLAN 202 and contractor users in VLAN 203, we need to add a user profile for each of those VLANs and ensure the RADIUS attributes configured in NPS match the correct user profile. We’ll need to select a default user profile, and then select the user profiles for our corporate and contractor users. The default profile isn’t going to be used, but I created a restricted profile that has no access and goes into a dummy VLAN. Click on “Add/Remove” under the “User Profile” section. Next, choose your default user profile, then select the “Authentication” tab on the left and select the user profiles you want to assign authenticated users into. If those profiles do not exist, you can create them by clicking on the “New” button. I like to match the attribute value to the VLAN in user profiles. If you don’t do this, just make sure you use the attribute value in the NPS configuration and not the VLAN ID. There is a way to use the actual VLAN ID instead of the attribute value, but it involves using a different RADIUS attribute. In NG, this issue does not exist from a configuration perspective. Once the profiles have been selected, click on “Save” and you should see something like this:

9. Basic 802.1X setup is now complete for HiveManager Classic. Push the configuration changes to the appropriate APs. Next, we will need to configure Microsoft NPS. Click here to move to that section.

HiveManager NG Configuration

NG has an option that HiveManager Classic does not. You can step through the entire process of configuring an external RADIUS server by using the “Guided Configuration” method. On the far right side of every screen within the NG interface, there is a button that looks like this:

When you click on it, another screen appears with a list of all the guided configuration tasks available, and one of them is to create an external RADIUS server.

Here is how you do it without the guided configuration:

1. Within the “Network Policy” configuration, after you have named the policy and selected whether it will be wireless, wired, or both, click “Next”. At the “Wireless Settings” tab, click the “Add” button and choose “All other SSIDs (standard)”.

2. Select “Enterprise” for authentication type after naming the SSID.

3. Next, you will need to define the RADIUS server, but before that, you will need to define a RADIUS server group. Click on the plus sign next to “Default RADIUS Server Group”. Name the group and then select “Add” and “External RADIUS Server”.

4. Give the RADIUS server a name and description (optional) and then click the plus sign next to the “IP Address/Host Name” field.

5. Give the object a name and type in the IP address of the RADIUS server. Click “Save”.

6. With the RADIUS server IP defined, the last thing you need to do is type in the shared secret that will match what we will configure shortly in NPS. Once that is entered, click “Save”.

7. Now that the RADIUS server is configured, you should see a screen similar to this one:

8. Click on “Save” and it should take you back to the main SSID configuration screen.

9. Scroll down the screen a bit and you will see the “User Access Settings” section, which is where you will add various user profiles that will get applied based on RADIUS attributes that are returned. You will need to check the box that says: “Apply a different user profile to various clients and user groups.” This will allow you to put a user into the correct profile based on what is returned by the RADIUS server.

10. I already had a user profile with no real access defined, so I chose that as the default. I still need to create a user profile for the corporate and contractor users, and that is done by simply clicking the “Add” button and setting a profile name and VLAN. If the VLAN each user profile will be assigned to does not exist, you will need to create the VLAN object by clicking on the plus sign next to the “Connect to VLAN” field. Here are the profiles for the corporate user and the contractor user. There are plenty of things you can set within the user profile, but those specific items will not be covered in this post.

11. Once those profiles have been created, the screen should display something like this:

12. The next step is to add assignment rules so that the RADIUS attributes are used to put the user into the appropriate user profile. Click the plus sign under “Assignment Rules” for the first user profile (CorporateUsers in my case), and then click the plus sign on the following screen, which will look like this:

13. Select “RADIUS Attribute” and then put the VLAN number in the “Attribute Values” section.

14. Click “OK” and then do the same for any other user profiles you want to match up with the RADIUS response. It should look similar to this when you are done:

15. Click “Save”. Basic 802.1X setup is now complete for HiveManager NG. Push the configuration changes to the appropriate APs by stepping through the other screens in the network policy or via the Monitor tab. Next, we will need to configure Microsoft NPS. Click here to move to that section.

Microsoft NPS Configuration

1. Open up the NPS console and expand the “RADIUS Clients and Servers” folder.

2. Right click on “RADIUS Clients” and select “New”. The following window should appear:

3. Fill in the fields as shown below with a “Friendly name” and the IP address(es) of the AP(s) that will be functioning as the authenticator for wireless clients. You can use an entire range as shown below, or you can use individual IP addresses and create multiple “RADIUS Client” objects. Make sure the shared secret matches what was configured in HiveManager. Once that is done, click on “OK”.

4. Now it should look something like this:

5. Next, expand the “Policies” section on the far left side, right click on “Connection Request Policies” and select “New”. We don’t need to get too specific in this section. We just want to ensure that our 802.1X authentication requests get processed locally.

6. Name the policy whatever you want and click “Next”.

7. The next screen is where you will need to specify a condition. Click “Add”.

8. When the next screen appears, you have several options to choose from. I just selected “NAS Port Type”, but you can choose whatever method you want. More complex environments might go a different route than this. Select the condition you want to use and click “Add”.

9. For the condition I chose (NAS Port Type), I just selected “Wireless – IEEE 802.11”. Make your choice and click “OK”.

10. You should see your condition in the “Specify Conditions” screen. Click “Next”.

11. Click “Next” at this screen. Just accept the defaults.

12. Click “Next” at this screen as well. The defaults are fine. We’ll handle the EAP type in the next section dealing with network policy. However, note that you can override the network policy settings and choose a different EAP type if you were fairly granular in how you set up this connection request policy.

13. Click “Next” at this screen as well. The defaults are fine, but again, you can use this to get far more granular in how you respond to authentication requests.

14. At this final screen, just click “Finish”.

Now you should see your Connection Request Policy that was just created.

The last portion of the NPS configuration is the creation of the network policy. For this example, I will be creating two of them: one for the corporate users and one for the contractor users. Your environment may be completely different. For example, in educational organizations, I normally see this broken up into students and staff/faculty.

15. Select the “Network Policies” folder on the far left side of the screen. You should see a screen similar to this:

16. Right click on the “Network Policies” folder and select “New”. When the new window opens up, give the policy a name and click “Next”. Remember that you will be making multiple policies, so the name should reflect the group of users it will apply to, unless you are just using one user profile on the Aerohive side.

17. The next screen is going to be the “Specify Conditions” screen. This is where we will define which Active Directory group a user needs to be a member of for this policy to apply. Click the “Add” button.

18. In the “Select condition” window, choose “User Groups” and click “Add”.

19. When the “User Groups” window appears, click “Add Groups”.

20. Type in the name of the Active Directory group that this policy should authenticate. In my example, I typed in “corporate” and hit the “Check Names” button. It automatically chose the “CorporateUsers” group I had created on a previous occasion. Once the proper group is displayed, click “OK”.

21. It will take you back to the “User Groups” window, but the correct group should be shown. Click “OK”.

22. Now you should be looking at the “Specify Conditions” portion of the “New Network Policy” configuration with your Active Directory group shown. Click “Next”.

23. When the “Specify Access Permission” window appears, you can take the default “Access granted” and click “Next”. Note that you can permit or deny access, so with a wide range of Active Directory groups, you could allow a larger group of users with one network policy, but deny a smaller subset using a different group and network policy and placing the deny entry above the permit entry.

Here is where it might get a little confusing if you are unfamiliar with EAP types. If you don’t know much about EAP, here is a starting point. Basically, with NPS, you are going to configure PEAP using MSCHAP v2 or use the EAP-TLS method, which involves client-side certificates. This example is going to use the easier PEAP with MSCHAP v2 method. Other than generating client-side certificates, there is not much difference in configuring NPS to work with EAP-TLS compared to the method I will illustrate below.

The following window should appear:

24. Click the “Add” button and select “Microsoft: Protected EAP (PEAP)” as the EAP type to use. Click “OK”. The screen should look like this:

25. Select “Microsoft: Protected EAP (PEAP)” in the “EAP Types” window and click on “Edit”. Ensure that the only entry in the “Eap Types” window is “Secured password (EAP-MSCHAP v2)”. You may have to click the “Add” button and select it. You may also have to select other entries and click “Remove” to get down to the single option. You should also see the certificate with your NPS server name selected in the “Certificate issued” field at the top of the window. If there is not one, you will need to generate one and start the “Network Policy” configuration over from the start. Click on “OK”.

26. When the “Configure Authentication Methods” window appears, uncheck everything in the “Less secure authentication methods:” section at the bottom of the window and then click “Next”.

27. At the next screen titled “Configure Constraints”, you can keep the defaults and click on “Next”. If you want to get more granular with how the client sessions are treated, there are some options here to do that.

28. The “Configure Settings” window will appear next. This is where we are going to finally define which user profile to put the corporate (in this example) users into. Two attributes should already be present for “Framed-Protocol” and “Service-Type”. You can delete both of these attributes by selecting them and clicking on “Remove”. They won’t be needed.

29. Now we are going to add the three attributes needed. Ensure “Standard” is selected under “RADIUS Attributes” and click the “Add” button. Select “802.1x” for the “Access type” and select “Tunnel-Medium-Type” under the “Attributes” section and click “Add”.

30. When the “Attribute Information” window appears, click “Add”.

31. Select “Others” and then select “IP (IP version 4)” and click on “OK”.

32. Click “OK” when the following “Attribute Information” screen appears:

33. You should see the “Add Standard RADIUS Attribute” screen now. Select “802.1x” for the “Access type” if it is not already selected, select “Tunnel-Pvt-Group-ID” under the “Attributes” section and click “Add”.

34. Click “Add” when the following window appears:

35. Since this policy is for the corporate users, we are going to enter “202” for the attribute value as a string. Type in the value and click on “OK”.

36. Now your screen should display the “RADIUS Standard” attribute with a value of “202”. Click “OK”.

37. You should see the “Add Standard RADIUS Attribute” screen once again. Select “802.1x” for the “Access type” if it is not already selected, select “Tunnel-Type” under the “Attributes” section and click “Add”. When the following screen appears, click “Add”:

38. Select “Generic Route Encapsulation” under the “Commonly used for Dial-Up or VPN” section and click “OK”.

39. When the following screen appears, click “OK”:

40. You should be looking at the “Configure Settings” screen with the three RADIUS attributes you configured. Click “Next”.

41. At the “Completing New Network Policy” screen, click “Finish”. You should now be taken back to the “Network Policies” screen in the main NPS window. The “Corporate Users” policy is at the bottom of the list. We want to move it to the top, so right click on the “Corporate Users” policy and select “Move Up”. Repeat until it is in the first position.

42. Next, we need to create our policy for the contractor users, but we will use a shortcut to save time. Right click on the “Corporate Users” policy and select “Duplicate Policy”.

43. When the “Copy of Corporate Users” policy appears, right click on it and select “Properties”.

44. Change the name of the policy to whatever you want it to say. For this example, I will change it to “Contractor Users”. Then, click on the “Conditions” tab at the top.

45. Select the “User Groups” condition and click on “Edit”.

46. Change the user group to whatever it should be. In this example, the group is changed to “ContractorUsers”. Once the proper group is displayed, click on the “Settings” tab.

47. On the “Settings” tab, select the “Tunnel-Pvt-Group-ID” in the “Attributes” section and click on “Edit”.

48. Edit the attribute by selecting it and clicking on “Edit”. Change it to whatever value is needed. In this example, it is changing from a value of “202” to “203”. Click on “OK” when the updated value is displayed.

49. Once that is done, you should be returned to the “Settings” screen. If everything looks right, click on “OK”.

50. You will be returned to the “Network Policies” screen in the main NPS window. Reorder the cloned policy and put it in the second position. It should look like this:
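The three attributes configured in steps 29 through 39 (Tunnel-Medium-Type = IP, Tunnel-Pvt-Group-ID = “202”/“203”, Tunnel-Type = GRE) travel in the RADIUS Access-Accept as RFC 2868 tagged attributes, and the AP matches the Tunnel-Pvt-Group-ID string against the attribute value of its user profiles. The script below is an added example written for this post, not Aerohive or Microsoft code: it encodes those attributes exactly as NPS would send them, parses them back with the length checks a RADIUS client needs, and selects a user profile. The PROFILES table, the dummy VLAN 999 for the restricted default profile, and the matching rule (group ID counts only when the same-tagged Tunnel-Type is GRE and Tunnel-Medium-Type is IPv4) are assumptions of this example; the “real VLAN ID” alternative mentioned in step 8 is not modelled.

```python
"""Encode, decode and match the RADIUS tunnel attributes used for Aerohive
user-profile assignment (added example, not Aerohive or Microsoft code)."""
import struct

# Attribute type codes from RFC 2868 (RADIUS tunnel attributes)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

# Values chosen in the NPS network policy above
TUNNEL_TYPE_GRE = 10     # "Generic Route Encapsulation" in the NPS picker
TUNNEL_MEDIUM_IPV4 = 1   # "IP (IP version 4)"

# Aerohive user profiles keyed by their attribute value (the post matches the
# attribute value to the VLAN number). VLAN 999 is a constructed dummy VLAN
# for the restricted default profile.
PROFILES = {
    "202": {"name": "CorporateUsers", "vlan": 202},
    "203": {"name": "ContractorUsers", "vlan": 203},
}
DEFAULT_PROFILE = {"name": "Restricted", "vlan": 999}


def encode_tagged_int(attr_type, value, tag=0):
    """RFC 2868 tagged integer: Type, Length (6), Tag, 3-byte big-endian value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, text, tag=0):
    """RFC 2868 tagged string: Type, Length, Tag, then the string bytes."""
    data = text.encode("utf-8")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    if len(data) + 3 > 255:
        raise ValueError("attribute too long")
    return struct.pack("!BBB", attr_type, len(data) + 3, tag) + data


def build_access_accept_attrs(group_id):
    """The three attributes the NPS policy returns for a matched user."""
    return (encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_GRE)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IPV4)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, group_id))


def parse_attrs(blob):
    """Walk the Type/Length/Value list; returns (type, tag, value) tuples.

    The Length octet is validated before use so a malformed attribute can
    neither run the parser past the buffer nor stall it on a zero length.
    """
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        value = blob[i + 2:i + length]
        i += length
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged integer must be 4 octets")
            attrs.append((attr_type, value[0], int.from_bytes(value[1:], "big")))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first octet above 0x1F is part of the string, not a tag
            if value and value[0] <= 0x1F:
                tag, text = value[0], value[1:]
            else:
                tag, text = 0, value
            attrs.append((attr_type, tag, text.decode("utf-8", "replace")))
        else:
            attrs.append((attr_type, None, bytes(value)))
    return attrs


def select_user_profile(attrs, profiles=PROFILES, default=DEFAULT_PROFILE):
    """Pick the profile whose attribute value equals Tunnel-Private-Group-ID.

    Simplified rule (this example's assumption, not Aerohive's documented
    logic): the group ID counts only when the same-tagged Tunnel-Type is GRE
    and Tunnel-Medium-Type is IPv4, which is exactly what the NPS policy sends.
    Anything else lands in the restricted default profile.
    """
    tunnel_type = {tag: v for t, tag, v in attrs if t == TUNNEL_TYPE}
    medium = {tag: v for t, tag, v in attrs if t == TUNNEL_MEDIUM_TYPE}
    for t, tag, group_id in attrs:
        if t != TUNNEL_PRIVATE_GROUP_ID:
            continue
        if (tunnel_type.get(tag) == TUNNEL_TYPE_GRE
                and medium.get(tag) == TUNNEL_MEDIUM_IPV4
                and group_id in profiles):
            return profiles[group_id]
    return default


if __name__ == "__main__":
    for gid in ("202", "203", "555"):
        wire = build_access_accept_attrs(gid)
        print(gid, wire.hex(), "->", select_user_profile(parse_attrs(wire)))
```

Running it prints the 18-byte attribute list for each group ID and the profile it resolves to; “555” has no matching profile and falls back to the restricted default, which is the behaviour you want when a policy returns an attribute value that was never defined on the Aerohive side.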

 

That’s all there is to it. You should be able to connect to the SSID and authenticate with Active Directory credentials. If you get a request to trust the certificate after typing in your username and password, don’t be too alarmed. Unless your certificate was issued by a certificate authority that your device trusts, that is going to happen. However, once you trust the certificate, that warning will go away. For example, here is what is displayed on my iPhone after successfully authenticating with a username and password for the first time:

One final note with regards to troubleshooting. If you run into authentication issues, make sure to look at what is being reported in the NPS log. You can find it under the “Custom Views/Server Roles” within Event Viewer.

If you see any sort of access denied message, it is most likely an NPS configuration issue. If you don’t see any entry after authenticating (good or bad), it is probably an Aerohive configuration issue. Additionally, if you do see access granted entries but the client still will not connect, make sure to check for MAC filtering or other firewall policies on the Aerohive side. They tend to show up as “incorrect username or password” errors on the device, even though that was not the problem. Ask me how I know. 🙂
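The triage rule of thumb above can be applied mechanically to the NPS events. The script below is an added example, not part of the post: it parses a constructed dump that mirrors the fields of the NPS “access granted” (event ID 6272) and “access denied” (event ID 6273) Security log entries, then applies the post’s three rules (denied means NPS configuration, no entry means the request never reached NPS, granted but not connected means Aerohive-side filtering). The event IDs and reason codes are Microsoft’s, but the hint text is paraphrased, the log layout is constructed rather than a verbatim Event Viewer dump, and the `client_connected` flag is assumed to come from the Aerohive client monitor.

```python
"""Triage 802.1X failures from NPS event records using the rule of thumb in
the post (added example; the log layout is constructed, not a verbatim
Windows Event Viewer dump)."""
import re
from dataclasses import dataclass

# Event IDs NPS writes to the Security log (Windows Server 2008 and later)
NPS_ACCESS_GRANTED = 6272
NPS_ACCESS_DENIED = 6273

# A few of Microsoft's NPS reason codes, paraphrased and mapped to the NPS
# configuration step in this post that usually explains them
REASON_HINTS = {
    16: "credentials mismatch: user name or password wrong, or user not found",
    48: "no network policy matched: check the User Groups condition and policy order",
    49: "no connection request policy matched: check the NAS Port Type condition",
    66: "authentication method not enabled on the matched network policy: "
        "check PEAP / EAP-MSCHAP v2 and the 'less secure' methods",
}


@dataclass
class NpsEvent:
    event_id: int
    account: str
    reason_code: int = 0
    policy: str = ""


FIELD_RE = re.compile(
    r"^\s*(Event ID|Account Name|Reason Code|Network Policy Name):[ \t]*(.*?)[ \t]*$",
    re.MULTILINE)


def parse_events(text):
    """Split the dump into blank-line-separated records and keep the fields
    the triage needs (constructed layout mirroring the 6272/6273 messages)."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(FIELD_RE.findall(block))
        if "Event ID" not in fields:
            continue
        events.append(NpsEvent(
            event_id=int(fields["Event ID"]),
            account=fields.get("Account Name", ""),
            reason_code=int(fields.get("Reason Code") or 0),
            policy=fields.get("Network Policy Name", ""),
        ))
    return events


def triage(events, account, client_connected):
    """Return (category, advice) for one account, following the post:
    denied -> NPS config; no event -> request never reached NPS, so look at
    the Aerohive RADIUS object; granted but not connected -> Aerohive-side
    MAC filter or firewall policy."""
    mine = [e for e in events if e.account.lower() == account.lower()]
    if not mine:
        return ("aerohive-radius", "no NPS event for this account: the request never "
                "reached NPS; check the RADIUS server IP, the shared secret and "
                "whether the policy was pushed to the APs")
    last = mine[-1]   # records are in log order, so the last is the newest attempt
    if last.event_id == NPS_ACCESS_DENIED:
        hint = REASON_HINTS.get(last.reason_code, f"reason code {last.reason_code}")
        return ("nps-config", f"NPS denied access: {hint}")
    if last.event_id == NPS_ACCESS_GRANTED and not client_connected:
        return ("aerohive-filter", f"NPS granted access via policy '{last.policy}' "
                "but the client still did not connect: check MAC filtering and "
                "firewall policies in the user profile on the Aerohive side (the "
                "device may still report an incorrect user name or password)")
    if last.event_id == NPS_ACCESS_GRANTED:
        return ("ok", f"authenticated via policy '{last.policy}' and connected")
    return ("unknown", f"unhandled event ID {last.event_id}")


# Constructed sample records for the scenario in this post
SAMPLE_LOG = """\
Event ID: 6273
Account Name: XYZ\\jdoe
Reason Code: 48

Event ID: 6272
Account Name: XYZ\\asmith
Network Policy Name: Corporate Users

Event ID: 6272
Account Name: XYZ\\bwong
Network Policy Name: Contractor Users
"""

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for acct, connected in (("XYZ\\jdoe", False), ("XYZ\\asmith", True),
                            ("XYZ\\bwong", False), ("XYZ\\nobody", False)):
        print(acct, triage(evs, acct, connected))
```

Reason code 48 for jdoe points straight at the network policy conditions or ordering (steps 17 to 22 and 41), while bwong, who was granted access under the contractor policy but never associated, is the case the post warns about: the device blames the password even though the block is an Aerohive-side MAC filter or firewall rule.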

Conclusion

Hopefully this will help with the configuration of Aerohive APs and NPS. I need to reiterate that I am not an expert when it comes to Microsoft NPS. If you run into problems, feel free to leave a comment or ping me on Twitter (@matthewnorwood). I’ll try to help out if at all possible.

by Matthew Norwood at March 27, 2017 12:55 AM


March 26, 2017

ipSpace.net Blog (Ivan Pepelnjak)

Update: Virtual Switches in vSphere Environment

Just FYI: a week after I wrote this (don't forget to go through the comments), VMware made it official:

…we’ve found that VMware’s native virtual switch implementation has become the de facto standard for greater than 99% of vSphere customers today. … Moving forward, VMware will have a single virtual switch strategy that focuses on two sets of native virtual switch offerings – VMware vSphere® Standard Switch and vSphere Distributed Switch™ for VMware vSphere, and the Open virtual switch (OVS).

by Ivan Pepelnjak (noreply@blogger.com) at March 26, 2017 10:04 AM

Running vSphere on Cisco ACI? Think Twice…

When Cisco ACI was launched it promised to do everything you need (plus much more, and in a multi-hypervisor environment). It quickly became obvious that you can’t do all that on ToR switches, and need control of the virtual switch (the real network edge) to get the job done.

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at March 26, 2017 10:00 AM

March 25, 2017

My Etherealmind

Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability

Serious and easily exploited flaws in older Cisco IOS software. Commonly used, but old, switches used for Campus and SME Data Centres. Serious problem.

Thoughts:

  • Demonstrates how older Cisco devices are fundamentally insecure.
  • Cisco wasn’t focussed on security back then. They were happy if it even worked properly.
  • Cisco was slow to adopt SSH in IOS because customers weren’t asking for it. Microsoft should shoulder a lot of blame for not including an SSH client, and that slowed operational adoption [1].
  • Cisco has responded promptly and professionally to offer a fix.
  • Customers should replace most of this kit, not fix it. You can expect many more security flaws in these NOSes because security was a minor design issue for Cisco at that time.

The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors:

  • The failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device, and
  • The incorrect processing of malformed CMP-specific Telnet options.

Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability : https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp


[1] Seriously, getting PuTTY installed in many enterprises was a major problem.

The post Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability appeared first on EtherealMind.

by Greg Ferro at March 25, 2017 04:00 PM

Google takes Symantec to the woodshed for mis-issuing 30,000 HTTPS certs [updated] | Ars Technica

It’s become clear that the only way to improve the security of certificate authorities is to follow through on threats. Symantec has been delinquent since 2012 in securing its processes and software. We have seen multiple instances of certificates falsely issued for domains (including Google’s domain). As the owner of the Chrome browser, Google has decided that Symantec is no longer fit to be considered a root authority for TLS (SSL) certificates.

Effective immediately, Chrome plans to stop recognizing the extended validation status of all certificates issued by Symantec-owned certificate authorities, Ryan Sleevi, a software engineer on the Google Chrome team, said Thursday in an online forum. Extended validation certificates are supposed to provide enhanced assurances of a site’s authenticity by showing the name of the validated domain name holder in the address bar. Under the move announced by Sleevi, Chrome will immediately stop displaying that information for a period of at least a year. In effect, the certificates will be downgraded to less-secure domain-validated certificates.

This is necessary. Politically this is a sound move. Taking down a major US-based company following the removal of Chinese and Eastern European CA root certificates sends a message of fairness and balance. The repeat offences by Symantec suggest that it has systemic problems that it hasn’t been able to fix. That’s a top-down problem, not a bottom-up one.

Given that Symantec is a major supplier to enterprises for a wide range of supposedly secure products, this means a lot of work. Symantec’s record and reputation on producing secure software is quite poor.

Google takes Symantec to the woodshed for mis-issuing 30,000 HTTPS certs [updated] | Ars Technica : https://arstechnica.com/security/2017/03/google-takes-symantec-to-the-woodshed-for-mis-issuing-30000-https-certs/

The post Google takes Symantec to the woodshed for mis-issuing 30,000 HTTPS certs [updated] | Ars Technica appeared first on EtherealMind.

by Greg Ferro at March 25, 2017 03:03 PM

March 24, 2017

The Networking Nerd

Do Network Professionals Need To Be Programmers?

With the advent of software defined networking (SDN) and the move to incorporate automation, orchestration, and extensive programmability into modern network design, it could easily be argued that programming is a must-have skill. Many networking professionals are asking themselves if it’s time to pick up Python, Ruby or some other language to create programs in the network. But is it a necessity?

Interfaces In Your Faces

The move toward using API interfaces is one of the more striking aspects of SDN that has been picked up quickly. Instead of forcing information to be input via CLI or collected from the network by scraping the same CLI, APIs have unlocked more power than we ever imagined. RESTful APIs have given nascent programmers the ability to query devices and push configurations without the need to learn cumbersome syntax. The ability to grab this information and feed it to a network management system and analytics platform has extended the capabilities of the systems that support these architectures.

The syntaxes that power these new APIs aren’t the copyrighted CLIs that networking professionals spend their waking hours memorizing in excruciating detail. JUNOS and Cisco’s “standard” CLI are as much relics of the past as CatOS. At least, that’s the refrain that comes from both sides of the discussion. The traditional networking professionals hold tight to the access methods they have experience with and can tune like a fine instrument. More progressive networkers argue that standardizing around programming languages is the way to go. Why learn a proprietary access method when Python can do it for you?

Who is right here? Is there a middle ground? Is the issue really about programming? Is the prattle from programming proponents posturing about potential pitfalls in the perfect positioning of professional progress? Or are anti-programmers arguing against attacks, aghast at an area absent archetypical architecture?

Who You Gonna Call?

One clue in this discussion comes from the world of the smartphone. The very first devices that could be called “smartphones” were really very dumb. They were computing devices with strict user interfaces designed to mimic phone functions. Only when the device potential was recognized did phone manufacturers start to realize that things other than address books and phone dialers could be created. Even the initial plans for application development weren’t straightforward. It took time for smartphone developers to understand how to create smartphone apps.

Today, it’s difficult to imagine using a phone without social media, augmented reality, and other important applications. But do you need to be a programmer to use a phone with all these functions? There is a huge market for smartphone apps and a ton of courses that can teach someone how to write apps in very little time. People can create simple apps in their spare time or dedicate themselves to making something truly spectacular. However, users of these phones don’t need to have any specific programming knowledge. Operators can just use their devices and install applications as needed without the requirement to learn Swift, Java or Objective-C.

That doesn’t mean that programming isn’t important to the mobile device community. It does mean that programming isn’t a requirement for all mobile device users. Programming is something that can be used to extend the device and provide additional functionality. But no one in an AT&T or Verizon store is going to give an average user a programming test before they sell them the phone.

This, to me, is the argument for network programmability in a nutshell. Network operators aren’t going to learn programming. They don’t need to. Programmers can create software that gathers information and provides interfaces to make configuration changes. But the rank-and-file administrator isn’t going to need to pull out a Java manual to do their job. Instead, they can leverage the experience and intelligence of people that do know how to program in order to extend their network functionality.


Tom’s Take

It seems like this should be a fairly open-and-shut case, but there is a bit of debate yet left to have on the subject. I’m going to be moderating a discussion between Truman Boyes of Bloomberg and Vijay Gill of Salesforce around this topic on April 25th. Will they agree that networking professionals don’t need to be programmers? Will we find a middle ground? Or is there some aspect to this discussion that will surprise us all? I’ll make sure to keep you updated!


by networkingnerd at March 24, 2017 05:10 PM

Ethan Banks on Technology

It’s Personal

<soapbox>

One of the odd things about my job is that I often get to meet people I or someone in my company has written or podcasted about. That might be via a direct mention or an indirect one. For example, my company might cover a product and offer some commentary on it–indirect. We might mention a specific company in a positive or negative light, depending on our opinion–indirect. We might mention specific people if there is a good reason to do so–direct.

Meeting people we’ve talked about, directly or not, brings a poignant perspective to creating content for a wide audience. It’s personal. Somebody made a decision to create the product that way. Some group of humans worked on that standard. Real people decided on that process.

Is it appropriate to cast those people in a negative light and share that opinion with an audience? Sometimes…yes, at times even crucially necessary, if unfortunate. Sometimes…maybe not. Sometimes it’s okay to shut up. To show restraint. To chain the snark monster.

Stirring the pot can be fun. Yelling into a righteous megaphone about where the nasty thing hurt you feels empowering. But it’s only half of the equation. It’s the half that you see. You had a bad experience. You went through this time of stress because of this thing. You’re cynical as an outsider looking in who can’t imagine why something turned out badly from your point of view.

The other half of the equation is the rest of the story–the people involved in creating the thing you don’t like.

Do you create content that you make available to the general public? Think about your creation before hitting publish. Again, I’m not suggesting people and products are beyond criticism. Far from it. But make sure that what you’ve said is accurate, fair, balanced, defensible, and considers a broad spectrum of viewpoints.

If you don’t make certain of these elements but publish anyway, you’ve strayed into the realm of narcissism. You’re keen to get your opinion out there and gain some attention from your audience, but not so keen to do the homework required to come to a responsibly informed point of view.

There are real people involved. You might meet them someday.

</soapbox>


Ethan Banks writes & podcasts about IT, new media, and personal tech.

by Ethan Banks at March 24, 2017 02:37 PM

Networking Now (Juniper Blog)

Could Smart-City malware be spread via motorways and highways?


In recent years we have seen news reports of wildflowers and weeds being 'spread' by the wind-tunnel effect of cars on our motorways and highways. Is there a potential for malware to spread between smart cities in the same way?

by lpitt at March 24, 2017 09:00 AM

XKCD Comics

March 23, 2017

Network Design and Architecture

CCDE Real Labs/Scenarios

I think it is time to write, otherwise people will lose their money for nothing. Today I got a WhatsApp message from someone who says 'I can't join your Onsite CCDE training, is there a way to buy REAL scenarios Online'. I didn't understand initially. I thought someone was asking whether I […]

The post CCDE Real Labs/Scenarios appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

by Orhan Ergun at March 23, 2017 05:56 PM

ipSpace.net Blog (Ivan Pepelnjak)

Updated: User Authentication in Ansible Network Modules

Ansible network modules (at least in the way they’re implemented in Ansible releases 2.1 and 2.2) were one of the more confusing aspects of my Building Network Automation Solutions online course (and based on what I’m seeing on various chat sites we weren’t the only ones).

I wrote an in-depth explanation of how you’re supposed to be using them a while ago and now updated it with user authentication information.

by Ivan Pepelnjak (noreply@blogger.com) at March 23, 2017 07:24 AM

March 22, 2017

Network Design and Architecture

Is MPLS mandatory for Traffic Engineering?

Is MPLS mandatory for Traffic Engineering? What is Traffic Engineering in the first place? Wikipedia defines traffic engineering as below. "Internet traffic engineering is defined as that aspect of Internet network engineering dealing with the issue of performance evaluation and performance optimization of operational IP networks." So we are […]

The post Is MPLS mandatory for Traffic Engineering? appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

by Orhan Ergun at March 22, 2017 06:06 PM

What is VPWS, VLL, EoMPLS

What is VPWS, VLL, EoMPLS? Actually all are the same thing. VPWS stands for Virtual Private Wire Service, VLL stands for Virtual Leased Line and EoMPLS stands for Ethernet over MPLS. All are MPLS Layer 2 VPN services, and the terms are used to define a point-to-point Layer 2 circuit. In […]

The post What is VPWS, VLL, EoMPLS appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

by Orhan Ergun at March 22, 2017 05:25 PM

ipSpace.net Blog (Ivan Pepelnjak)

Why Do We Need Session Stickiness in Load Balancing?

One of the engineers watching my Data Center 3.0 webinar asked me why we need session stickiness in load balancing, what its impact is on load balancer performance, and whether we could get rid of it. Here’s the whole story from the networking perspective.

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at March 22, 2017 04:40 PM

My Etherealmind

Video: Software Secures the World

Martin Casado doesn't have a proper job since he left VMware. This gives him time to think deeply about the future of IT security as part of his role of wasting investors' money at A16Z and considering where the next advances or futures will be. This video makes a lot of sense to me.

Once upon a time, we thought of security measures as being built like a wall around a medieval city. Then, as threats grew in complexity, we began to think of it more like securing a city or nation-state. Finally, security grew alike to aerial warfare — mobile, quick, wide-ranging. Each of these new modes for thinking about security represented a major misalignment between the security threats that had evolved and our strategies/tactics for dealing with them.
Now we are once again at another such major misalignment — thanks largely to the cloud and new complexity — requiring both a shift in how we think about and respond to threats. But we also have security “overload” given the vast size of our systems and scale of notifications.
How do security threats develop? How should CEOs and CSOs think of planning for them? What role will AI and automation play? a16z general partner Martin Casado covers all this and more, from the perspective of someone who has experienced first-hand not just witnessed these shifts.

Video (Vimeo): https://player.vimeo.com/video/201359131

The post Video: Software Secures the World appeared first on EtherealMind.

by Greg Ferro at March 22, 2017 03:03 PM


March 21, 2017

ipSpace.net Blog (Ivan Pepelnjak)

Two Switches Saga: Now in Text Format

Remember the All You Need Are Two Switches saga? Several readers told me they'd like to have it in text (article) format, so I found a transcription service and started editing what they produced and publishing it. The first two installments are already online.

On a related topic: we'll discuss the viability of this approach at the April DIGS event in Zurich, Switzerland.

by Ivan Pepelnjak (noreply@blogger.com) at March 21, 2017 08:01 AM

March 20, 2017

Network Design and Architecture

ARP, ARP Inspection, ARP Types and Deployment Considerations

Layer 2 security – ARP and ARP Inspection. Introduction. This article is the second of our layer 2 attacks identification and mitigation techniques series, which will be a part of a bigger series discussing Security Infrastructure. Dynamic ARP Inspection relies on the DHCP snooping technology explained in the previous article. It's strongly recommended to […]

The post ARP, ARP Inspection, ARP Types and Deployment Considerations appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

by Ahmed Eldeeb at March 20, 2017 06:46 PM

Internetwork Expert Blog

INE’s CCIE Security v5 Content Updates

With the CCIE SCv5 blueprint now being live, we’re in the process of updating our Security product line in order to meet the new exam requirements. First of all, the following products will be released:

  1. Advanced Technologies Class
  2. Workbook

Advanced Technologies Class

The Advanced Technologies Class will run live online, starting 1st of May.  This course series is now available for preorder here, and the full schedule is shown on the product page.  The live course is also open to any All Access Pass subscriber.  Given the current blueprint, which includes pretty much all Cisco Security products, most probably this will be the biggest video series we have ever released so far across all CCIE tracks; expect more than 150 hours of CCIE level training.  First and most important, we’re going to deep dive into all core technologies:

  • ASA Firewall
  • IOS Firewall
  • FirePOWER
  • FirePOWER Threat Defense
  • FMC
  • WSA
  • ESA
  • AMP
  • IPsec VPN’s (IKEv1 and IKEv2)
  • SSL VPN’s
  • TrustSec
  • ISE
  • ACS

At the same time we’ll cover all the remaining topics (small but many), including technologies which will be tested mainly in the written exam (like CWS, SMA or Lancope). Oh….of course we’ll also cover in detail interesting topics like APIC-EM.

For the Evolving Technologies section, which is tested only in the written exam but it’s common across all CCIE tracks, we’ll be releasing a common and separate video series which will be attached to all ATC’s.  We’ll be announcing a timeline soon for it.

The CCIE Security v5 Advanced Technologies Class is now available to preorder here: link.  Preordering allows you to participate in the live classes as we’re recording them, and also allows you to download them shortly after they’re recorded.

So, see you in class :)

Workbook

There will be a single unified workbook, containing:

  • Technology Labs (aimed to learn technologies)
  • Troubleshooting Labs (aimed to simulate the troubleshooting section of the lab exam)
  • Diagnostic Labs (aimed to simulate the diagnostic section of the lab exam)
  • Configuration Labs (aimed to simulate the configuration section of the lab exam)
  • Mock Labs (aimed to simulate the entire lab exam)

A timeline for the workbook will be announced soon, here on our blog.

Rack Rentals

By the end of this month, we’ll have the Security racks upgraded to meet the new blueprint requirements. Expect an upcoming blog post with details on the rack build and rentals.

by Cristian Matei, CCIEx2 #23684 at March 20, 2017 02:51 PM

Networking Now (Juniper Blog)

Juniper Networks Security Issues & Predictions (for 2017)


Recent focus in cybersecurity has been on how to remain ahead of advanced attacks. Whilst this is important, 2016 proved that many organisations had missed fundamental security controls, with ransomware seeping through email gateways, weak passwords in use on critical systems, users able to access data, files and systems across their internal networks, out of date security software, poor patch management controls, low use of encryption with data being stored in clear text – the list goes on and on. Why?

This series of articles will go into detail on network issues and predictions which we see on the horizon for the coming year. Please read on for a high-level overview of what you can look forward to...

by lpitt at March 20, 2017 10:32 AM

The first connected car could be taken for ransom

In my last blog, I discussed how a supply chain attack could affect the business – and brand – of a global company. This week, we're going to take this a level down and consider something else which I believe could be a threat – the intelligence that is being built into our cars.

by lpitt at March 20, 2017 09:00 AM

ipSpace.net Blog (Ivan Pepelnjak)

Why Didn’t We Have Leaf-and-Spine Fabrics a Decade Ago?

One of my readers watched my Leaf-and-Spine Fabric Architectures webinar and had a follow-up question:

You mentioned that the 3-tier architecture was dictated primarily by port count and throughput limits. I can understand that port density was a problem, but can you elaborate on why the throughput is also a limitation? Do you mean that a core switch like the 6500 is also not suitable for building a 2-tier network in terms of throughput?

As always, the short answer is it depends, in this case on your access port count and bandwidth requirements.

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at March 20, 2017 06:50 AM


March 17, 2017

FirstDigest

F5 BIG-IP Plugin with Firefox 52 workaround

It’s not news anymore that Mozilla is stopping support for NPAPI (Netscape Plugin API). With the release of Firefox 52 version, I believe that only Flash plugin is enabled by default. I’ll skip the discussion about NPAPI plugins and Mozilla’s


by Calin at March 17, 2017 11:19 PM

Network Design and Architecture

33% discount until 1st of April 2017 on all CCDE Products !

33% Discount – Limited seats! On all CCDE Products. It is only valid until 1st of April 2017. 33% OFF on the products below: CCDE In-Depth – New CCDE Workbook; Live/Instructor-Led Online CCDE Training; Self Paced CCDE Training (Lifetime Access). Discount is valid for both Online […]

The post 33% discount until 1st of April 2017 on all CCDE Products ! appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

by Orhan Ergun at March 17, 2017 03:09 PM

Router Jockey

Networking Field Day 15 – A new delegate emerges

Yet again I find myself honored, and questioning their selection methods, by being selected for a Networking Field Day event. Networking Field Day 15 kicks off April 6th and 7th in San Jose, California. Each and every Tech Field Day event is always an amazing opportunity to engage with vendors and industry peers. But trust me, I'm using the term peer rather loosely… While we may work in the same industry, many of these folks are way smarter than me! It seems the delegate list for NFD15 is certainly no exception to that rule! While I've met and become friends with roughly 75% of the "team", I get to meet a couple of new faces, which is always exciting. At least one of these faces I've spent hours talking to on Skype, but never actually met in person. I'm looking at you Nicolas. ;)

Networking Field Day Vendors

I took a look at the vendor list for this as soon as I heard they needed another delegate. Looking at the current line-up I got pretty excited; everything seems rather relevant to things I want to see! Looks like we're going to see presentations from Gigamon, which specializes in the network tap and visibility market. I actually met with them back during NFD2 and it will be great to hear what they've been up to recently. IP Infusion is a white box networking company that I haven't had the chance to look too deeply at, but I'm really interested to hear more about their solutions. As for TeloIP, they have been on my list of SD-WAN companies to look at. My current 9-5 is looking to build repeatability and redundancy into our current WAN solution. Last, but certainly not least, is VMware; if you don't know about their virtualization offerings you might be literally living in a cave. Seriously. I couldn't ask for a better group of companies to hear from, and I'm really excited to hear what's new with each of them. Honestly, I wish we could get this kicked off tomorrow!

See you guys in Silicon Valley, Networking Field Day 15 is just 2.5 weeks away and counting!

Remember, all Tech Field Day events are streamed live over the Internets to allow everyone to join in on the conversation. We all also monitor Twitter rather closely, so join in using the #NFD15 hashtag: throw some questions at us and we'll make sure your voice is heard! Also, please be sure to read my TFD Disclaimer if you have any other questions about the event.

The post Networking Field Day 15 – A new delegate emerges appeared first on Router Jockey.

by Tony Mattke at March 17, 2017 02:02 PM

ipSpace.net Blog (Ivan Pepelnjak)

TCP in the Data Center and Beyond on Software Gone Wild

In autumn 2016 I embarked on a quest to figure out how TCP really works and whether big buffers in data center switches make sense. One of the obvious stops on this journey was a chat with Thomas Graf, Linux Core Team member and a founding member of the Cilium project.

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at March 17, 2017 07:39 AM


March 16, 2017

Network Design and Architecture

Layer 2 security – DHCP Details, DHCP Snooping

Layer 2 security – DHCP Details, DHCP Snooping. Introduction. This article is the first of a series explaining layer 2 attacks identification and mitigation techniques, which will be a part of a bigger series discussing Security Infrastructure. We will be discussing the most common attacks and how to mitigate them; but more important, […]

The post Layer 2 security – DHCP Details, DHCP Snooping appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

by Ahmed Eldeeb at March 16, 2017 10:20 PM

My Etherealmind

Human Infrastructure And Always Planning to Quit and Move On

I did a video for "Speak With A Geek" with David Sparks, in which I talk about approaching your career in a similar fashion to approaching your technology. Your value to the business is determined by how good you are as a piece of human infrastructure.

When you show you can do it for yourself, the people in charge will see that and want to invest in you to bump you up to the next level of productivity. Human infrastructure is no different than physical technical infrastructure, argued Ferro. You purchase a small infrastructure and then you scale it up, spending more money on it, make it bigger, more valuable, and able to do more. That’s no different in how you invest in yourself.

No matter how good your situation is, Ferro advised to “always have one eye on the door.” There is always a better opportunity even when you think yours is the best. For that reason, keep your skills and resume polished at all times and be available for what’s next.

Video (YouTube): https://www.youtube.com/embed/xkTeYP9EY0g

The post Human Infrastructure And Always Planning to Quit and Move On appeared first on EtherealMind.

by Greg Ferro at March 16, 2017 08:53 AM

March 15, 2017

ipSpace.net Blog (Ivan Pepelnjak)

To YANG or Not to YANG, That’s the Question

Yannis sent me an interesting challenge after reading my short “this is how I wasted my time” update:

We are very much committed to automation and use Ansible to create configuration and provision our SP and data center network. One of our principles is that we rely solely on data available in external resources (databases and REST endpoints), and avoid fetching information/views from the network because that would create a loop.

You can almost feel a however coming in just a few seconds, right?

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at March 15, 2017 06:48 PM

Network Design and Architecture

Fast Convergence and the Fast Reroute – Definitions/Design Considerations in IP and MPLS

Fast Convergence and the Fast Reroute. Network reliability is an important design aspect for deployability of time- and loss-sensitive applications. When a link, node or SRLG failure occurs in a routed network, there is inevitably a period of disruption to the delivery of traffic until the network reconverges on the new topology. Fast reaction is essential […]

The post Fast Convergence and the Fast Reroute – Definitions/Design Considerations in IP and MPLS appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

by Orhan Ergun at March 15, 2017 05:19 PM

ShortestPathFirst

Understanding the Federal Government’s Rapid Adoption of Cloud

One of the biggest trends in the IT industry at the moment is enterprise adoption of the public cloud. It’s obvious that it’s been accelerating over the recent years, but perhaps more importantly, Federal agencies are beginning to take a serious look at the cloud in an effort to reform IT and to achieve greater agility …

by Stefan Fouant at March 15, 2017 01:04 PM

Security to the Core | Arbor Networks Security

Acronym: M is for Malware

A malware researcher known as Antelox recently tweeted about an unknown malware sample that caught our eye. Upon further investigation, it is a modular malware known as Acronym and could possibly be associated with the Win32/Potao malware family and the Operation Potao Express campaign. This […]

by Dennis Schwarz at March 15, 2017 01:00 PM


March 14, 2017

My Etherealmind

Video: “…You can either be a farmer, or join a politically motivated global hacking collective” – YouTube

Funny and insightful. Maybe.

Jake Davis, former Anonymous and LulzSec hacker, shares his hacker journey while exploring just what makes hackers tick…


“…You can either be a farmer, or join a politically motivated global hacking collective” – YouTube : https://www.youtube.com/watch?v=E0h_pNv1a98&app=desktop

The post Video: “…You can either be a farmer, or join a politically motivated global hacking collective” – YouTube appeared first on EtherealMind.

by Greg Ferro at March 14, 2017 07:56 PM

Network Design and Architecture

OSPF Best Practices

OSPF Best Practices. Understanding and using best practices is very important, though it may not be feasible in all networks due to budget, political or other technical constraints. In this post I will explain the best practices on OSPF networks. These best practices come from my real life design and deployment experience, […]

The post OSPF Best Practices appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

by Orhan Ergun at March 14, 2017 06:03 PM

ipSpace.net Blog (Ivan Pepelnjak)

CloudScale ASICs on Software Gone Wild

Last year Cisco launched a new series of Nexus 9000 switches with table sizes that didn’t match any of the known merchant silicon ASICs. It was obvious they had to be using their own silicon – the CloudScale ASIC. Lukas Krattiger was kind enough to describe some of the details last November, resulting in Episode 73 of Software Gone Wild.

For even more details, watch the Cisco Nexus 9000 Architecture Cisco Live presentation.

by Ivan Pepelnjak (noreply@blogger.com) at March 14, 2017 06:53 AM

SDN Use Cases: Featured Webinar in March 2017

The featured webinar in March 2017 is the SDN Use Cases webinar, describing over a dozen different real-life SDN use cases. The featured videos cover four of them: a data center fabric by Plexxi, microsegmentation (including VMware NSX), an SDN-based Internet edge router built by David Barroso, and Fibbing, an OSPF-based traffic engineering approach developed at the University of Louvain.

To view the videos, log into my.ipspace.net, select the webinar from the first page, and watch the videos marked with a star.

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at March 14, 2017 06:21 AM

March 13, 2017

The Networking Nerd

There Won’t Be A CCIE: SDN. Here’s Why

There’s a lot of work that’s been done recently to bring the CCIE up to modern network standards. Yusuf and his team are working hard to incorporate new concepts into the written exam. Candidates are broadening their horizons and picking up new ideas as they learn about industry stalwarts like OSPF and spanning tree. But the biggest challenge out there is incorporating the ideas behind software defined networking (SDN) into the exam. I don’t believe that this will ever happen. Here’s why.

Take This Broken Network

If you look at the CCIE and what it’s really testing, the exam is really about troubleshooting and existing network integration. The CCIE introduces and tests on concepts like link aggregation, routing protocol redistribution, and network service implementation. These are things that professionals are expected to do when they walk in the door, either as a consultant or as someone advising on the incorporation of a new network.

The CCIE doesn't deal with the design of a network from the ground up. It doesn't task someone with coming up with the implementation of a greenfield network from scratch. The CCIE exam, especially the lab component, only tests a candidate on their ability to work on something that already exists. That's been one of the biggest criticisms of the CCIE for a very long time. Since the knowledge level of a CCIE is at the highest level, they are often drafted to design networks rather than implementing them.

That's the reason why the CCDE was created. CCDEs create networks from nothing. Their coursework focuses on taking requirements and making a network out of them. That's why their practical exam focuses less on command lines and more on product knowledge and implementation details. The CCDE is where people that build networks prove they know their trade.

The Road You Must Design For

When you look at the concepts behind SDN, it’s not really built for troubleshooting and implementation without thought. Yes, automation does help implementation. Orchestration helps new devices configure themselves on the fly. API access allows us to pull all kinds of useful information out of the network for the purposes of troubleshooting and management. But each and every one of these things is not in the domain of the CCIE.

Can SDN solve the thorny issues behind redistributing EIGRP into OSPF? How about creating Multiple Spanning Tree instances for odd numbered VLANs? Will SDN finally help me figure out how to implement Frame Relay Traffic Shaping without screwing up the QoS policies? The answer to almost every one of these questions is no.

SDN's major advantages can only be realized with forethought and guidelines. Orchestration and automation make sense when implemented in pods or with new greenfield deployments. Once they have been tested and proven, these concepts can be spread across the entire network and used to ease design woes.

Does it make more sense to start using Ansible and Jinja at the beginning? Or halfway through a deployment? Would you prefer to create Python scripts to poll against APIs after you’ve implemented a different network monitoring system (NMS)? Or would it make more sense to do it right from the start?

CCIEs may see SDN in practice as they start using things like APIC-EM to roll out policies in the network, but CCDEs are the real SDN gatekeepers. They alone can make the decisions to incorporate these ideas from the very beginning to leverage capabilities to ease deployment and make troubleshooting easier. Even though CCIEs won't see SDN, they will reap the benefits from it being baked in to everything they do.


Tom’s Take

Rather than asking when the CCIE is going to get SDN-ified, a better question would be "Should the CCIE worry?" The answer, as explained above, is no. SDN isn't something that a CCIE needs to study for. CCDEs, on the other hand, will be hugely impacted by SDN and it will make a big difference to them in the long run. Rather than forcing CCIEs into a niche role that they aren't necessarily suited for, we should instead let them do what they do best. We should incorporate SDN concepts into the CCDE, let CCDEs do what they do best, and make the network a better place for CCIEs. Everyone will be better off in the long run.


by networkingnerd at March 13, 2017 10:57 PM

ipSpace.net Blog (Ivan Pepelnjak)

Worth Reading: Building an OpenStack Private Cloud

It’s uncommon to find an organization that succeeds in building a private OpenStack-based cloud. It’s extremely rare to find one that documented and published the whole process like Paddy Power Betfair did with their OpenStack Reference Architecture whitepaper.

I was delighted to see they decided to do a lot of things I've been preaching for ages in blog posts, webinars, and lately in my Next Generation Data Center online course.

Highlights include:

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at March 13, 2017 06:22 AM


March 12, 2017

Network Design and Architecture

CCDE Training in Turkey (Turkiyede CCDE Egitimi)

This will be the first post I share in Turkish. I'm excited. But I'm even more excited about giving CCDE training in Turkey and in Turkish. My followers know that I have been giving Cisco CCDE training for more than 2 years and hundreds of people from all over the world have attended my trainings. Mostly Online/Live, but also Onsite in the USA, Dubai, Africa, Qatar and Europe […]

The post CCDE Training in Turkey (Turkiyede CCDE Egitimi) appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

by Orhan Ergun at March 12, 2017 11:35 AM

MPLS Layer 3 VPN Deployment

MPLS Layer 3 VPN Deployment. In this post I will explain MPLS Layer 3 VPN deployment by providing a case study. This deployment will mainly be for a greenfield environment where you deploy network nodes and protocols from scratch. This post doesn't cover migration from legacy transport mechanisms such as ATM and Frame Relay migration as […]

The post MPLS Layer 3 VPN Deployment appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

by Orhan Ergun at March 12, 2017 10:36 AM

March 11, 2017

Network Design and Architecture

MPLS Transport Profile (MPLS-TP) Basic Explanation and Key Points

MPLS Transport Profile (MPLS-TP). Multi-Protocol Label Switching Transport Profile (MPLS-TP) is a new technology developed jointly by the ITU-T and the IETF. The key motivation is to add OAM functionality to MPLS in order to monitor each packet and thus enable MPLS-TP to operate as a transport network protocol. Motivations for MPLS Transport Profile […]

The post MPLS Transport Profile (MPLS-TP) Basic Explanation and Key Points appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

by Orhan Ergun at March 11, 2017 02:34 PM

Quality of Service Best Practices

Quality of Service Best Practices. What is best practice? Below is a Wikipedia definition of best practice. This applies to education as well. A best practice is a method or technique that has been generally accepted as superior to any alternatives because it produces results that are superior to those achieved by other […]

The post Quality of Service Best Practices appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

by Orhan Ergun at March 11, 2017 01:12 PM

March 10, 2017

ipSpace.net Blog (Ivan Pepelnjak)

Video: Out-of-Band SDN Management Network

One of the challenges of designing a controller-based solution is the transport network used to exchange information between controller and controlled devices. Can you do that in-band or is it better to have an out-of-band network (built with traditional components)? Terry Slattery explained some of the pros and cons in the Monitoring SDN Networks webinar.

by Ivan Pepelnjak (noreply@blogger.com) at March 10, 2017 10:17 AM