Network Dictionary - Knowledge Worker
February 29, 2008 by Greg Ferro · Leave a Comment
1. Term coined by Peter Drucker in the 1960s to describe the new class of workers who work on information about work. For example, lawyers and computer programmers.
Readily identified by smooth, clean, soft hands and the ability to take and make phone calls at any time of the day. Able to complain about the quality of the chair that they sit on without noticing the clean, freely ventilated office they are in with free coffee and clean toilets.
If you don’t understand that, then think of the guy outside who is digging those data cables into the ground in the middle of winter. Where is his coffee coming from?
Delete the X-Bluecoat-via Header on Your ProxySG
February 27, 2008 by Greg Ferro · 1 Comment
If you have noticed that your Blue Coat ProxySG inserts an HTTP header in every transaction, you might want to delete this to reduce information leakage to public networks.
Rant: F5 LTM and GTM Doesn’t Do External AAA Authorization
February 27, 2008 by Greg Ferro · 3 Comments
F5 BigIP LTM and GTM do not have any user authorisation capability for administration by Radius or TACACS. Can you believe that?
They have been producing F5 BigIP software for more than a decade and I cannot believe that customers have not been asking to provide external user authorisation. To compare, I have just been configuring APC Switched Rack Power Distribution bars, and they have Radius authorisation. How can a product costing tens of thousands not support this feature when a product worth a few hundred can?
Service Oriented !
My data centres are now being driven to Service Oriented Networking, and without AAA servers I cannot control security policy to my F5 devices. If I had only one or two of these, this might be OK, but the business needs are that I MUST have multiple units (and F5 BigIP does not support hypervirtualization or even paravirtualization, just a simple resource partition).
Authentication
The F5 does support authentication, however this means that you must still create the user account on the F5 and configure all the necessary group privileges for the user. Not a brilliant idea when you have around fifty operators in a 24/7 NOC and the staff turnover is high.
Conclusion
F5 seems to be concentrating on nifty features for Microsoft sys admins (Powershell, iControl), but missing out on fundamentals for networking. I hope someone is listening: external device authentication and authorisation is a mandatory requirement in modern networking, and the current method in BigIP is not good enough. I have talked about comparing the F5 and ACE here, minus 5 points to F5 for this.
Is the Cisco Nexus 7000 Needed Today - or Tomorrow ?
February 25, 2008 by Greg Ferro · 1 Comment
No doubt that the Cisco Nexus 7000 switch is a fine piece of technology. The performance and throughput are welcome, and it clearly offers some fine new capabilities such as virtualisation, ISSU, better OOB and so on. I am sure that everyone can perceive the positive messages; let’s face it, Cisco isn’t going to be shy in telling us about them.
However, let’s consider the issue from the perspective of the architect/designer and how Cisco has positioned this in the marketplace. From an architecture perspective, I will need to commit a substantial capex to the product and a much larger amount of resource cost to transition a network to use the product. Even if I am building new data centres (and thus have no legacy), changes to operating standards, procedures, management tools and other orchestration issues present substantial barriers to adoption.
Caring for Your Dynamips Install - Deleting Unwanted Files
February 24, 2008 by Greg Ferro · 2 Comments
Dynamips and dynagen are well behaved programs most of the time. Occasionally I am configuring a feature or two that causes IOS to crash (most recently I was configuring MPLS and redistribution on c2600 IOS which got really busted).
Then I noticed that my hard drive didn’t have a lot of free space….
Checking Connectivity on Your Blue Coat ProxySG
February 24, 2008 by Greg Ferro · Leave a Comment
A very simple tool in your ProxySG to check that you can access resources. It only works for HTTP but it provides a good check. I use this a lot in networks where ICMP has been disabled for security.
Network Dictionary - Fibrechannel
February 22, 2008 by Greg Ferro · 1 Comment
1. A low latency block oriented data transfer mechanism for storage centralization. Only used in Storage Area Networks.
2. A networking protocol designed by the server industry so they don’t have to communicate with networking people who know more than they do. Similar to Token Ring in its fervent belief and passion as a superior technical idea. Nobody cared about Token Ring either.
3. A storage network used by server teams so that they don’t have to understand Ethernet networking.
Single Internet Connection but HA Infrastructure - Using Bridging Instead of Routing
February 20, 2008 by Greg Ferro · 1 Comment
Introduction - The Design Constraint
The customer had decided to build a hosting platform, but could only arrange for a single internet connection to that site due to location. However, all other hardware was duplicated for high availability. After considering the options the following diagram was prepared showing the first pass at the design. This was the Internet Connection (100Mb Ethernet) connected to the router, then connected to a switch, which was interconnected by trunk to a second switch. The first layer of firewalls is then connected.
In this design, the router and the first switch are single points of failure as shown on the diagram.

Cisco ASA and IOS Command Tip - Test Aaa-Server
February 18, 2008 by Greg Ferro · Leave a Comment
I have been working on a VPN setup that loads the Group Policy from a CiscoSecure ACS server. During the process I discovered the test aaa-server command. It’s a very handy tool when you are doing this kind of stuff.
Read on…..
Network Dictionary - Backhoe Attenuation
February 15, 2008 by Greg Ferro · Leave a Comment
Backhoe Attenuation - term used to describe the loss of signal (attenuation) of your copper or fibre cable by a backhoe digging your cable out of the ground.
Failure is usually severe as the entire cable will need to be replaced.
Installing Tun Tap Driver on Leopard
February 13, 2008 by Greg Ferro · 4 Comments
First, I read about what TunTap is at Wikipedia and VTUN Sourceforge. From what I read, TunTap was written for the VTUN project to specifically encapsulate Ethernet packets (TAP driver), whereas the TUN driver encapsulated IP packets. The driver is used by other popular software so it looks like it is here to stay. It is implemented as part of the Linux Kernel.
Go here Tun TAP driver for MAC OS X and download the installer package for Leopard.
Extract the package using Stuffit Expander (free app, google for it), and this will create a pkg file. This is a self-installing script package, so use Finder to run it. It will ask for your password so as to gain root privileges to install the Tun and Tap drivers into your dev directory.
Network Tools, Craftsmen and Why My Mac Is a Good Hammer
February 12, 2008 by Greg Ferro · Leave a Comment
My brother is intensely interested in tools, especially handtools for woodworking. He likes to go to markets and buy old tools. It seems a strange type of hobby, so I finally asked him why?
It turns out that many of these hammers, chisels, and planes were actually HANDMADE by those tradesmen from 50 or more years ago, often when they were apprentices. And many hammers and chisels were customised by that person to fit their exact way of working: short handles, long heads, cutting blades at odd angles.
It strikes me I am part of a time-honoured tradition by making my own tools. My laptop is my own handmade hammer and chisel set, and I choose Mac as the raw material.
Performance of Blue Coat BCAAA Agent for Authentication
February 11, 2008 by Greg Ferro · Leave a Comment
A common question in the Blue Coat forums is about the server specification for the BCAAA and how many users can be supported. While I am not sure about the performance that Blue Coat recommends, I can tell you my experiences.
Loading Policy Configuration in the Local File
February 10, 2008 by Greg Ferro · 4 Comments
A common question in the Blue Coat forums is “how do I load this config snippet into configuration?” The question most often comes from people who are new to SGOS and have been using the Virtual Policy Manager. This quick note shows you how to load a config snippet that removes the X-Bluecoat-Via header.
Network Dictionary - Reassuringly Expensive
February 8, 2008 by Greg Ferro · 1 Comment
Reassuringly expensive
1. Terminology used by sales representative to refer to high level of quality and overall excellence in this product, as in “it wasn’t built on the cheap”. Sometimes even meant honestly.
2. Term that refers to the eye watering cost of the product or solution, often for the benefit of the manufacturer or reseller.
3. For very large companies, a mandatory requirement for any IT project, as anything cheap is inherently and obviously valueless.
Network Dictionary - Firewall
February 7, 2008 by Greg Ferro · Leave a Comment
1. A network device to permit and / or control authorised access to / from a network.
3. A router that doesn’t work.
Introducing the Network Dictionary
February 7, 2008 by Greg Ferro · Leave a Comment
In this technically surreal, mystical world of Networking, we are often fabricating new words, coining new terms or adapting old language to new requirements. Our profession is not the first to do this, but our language is our own. How many people can conduct a 15 minute conversation without a single coherent sentence? Can you count how many TLA and ETLA you can eject in a single breath?
These terms, these expressions of our unique and singular profession, should be documented and treasured for future generations. Hackers have the jargon file, we should have a similar record of our kultcha.
I have started to collect the terms that I use on a regular basis, and expound their meaning. I hope to collect their actual and colloquial meaning and perhaps offer some insight into use and definition.
In the weeks to come, I will post words that are part of the Networking World. I hope you like them.
SOCKS Clients That Are Available for Your Blue Coat ProxySG - Update
February 6, 2008 by Greg Ferro · 3 Comments
A short list of SOCKS Clients that I have used or know of
Note that many programs have their own SOCKS client built in, many FTP clients such as Filezilla, WS FTP, Firefox and so on have built in support. You really need a client when you have an application that must use a proxy server, but the application does not have proxy support.



