Design: Cisco Firewall Services Module Virtualization Design Traps
November 18, 2008 by Greg Ferro · Leave a Comment
The Cisco Firewall Services Module (FWSM) has a design limitation based on its ability to discriminate packet forwarding between multiple contexts. It also applies to ASA/PIX software. Let's review this.
IP Addressing for HA Links for ASA/FWSM/ACE Etc- Poll
November 6, 2008 by Greg Ferro · 3 Comments
What IP addressing do you use for the sync / failover / HA links between your highly available devices?
The Difference Between Network Managers and Server Managers - Pictorial
October 3, 2008 by Greg Ferro · 1 Comment
As I am preparing the presentation to management on the proposed Cloud Computing infrastructure as a result of the consultation, I have put together the following pictorial representation of the perceived scope of the data centre for Network and Server Managers.
Blessay: Cloud Computing Not “Essential Service”, More Like “Public Transport”
September 24, 2008 by Greg Ferro · Leave a Comment
Cloud Computing is generating a lot of smoke, but it is hard to find flammable material that makes it “hot”. Cloud Computing is unlikely to become an Essential Service, but will be more like Public Transport - cheap, mass capability, limited function and “acceptable” for some.
The Difference Between Network and Server Engineers - Pictorial
September 18, 2008 by Greg Ferro · 10 Comments
I have been planning cloud computing systems recently, and had many long discussions with different teams. I have prepared the following diagram to show the perceptual difference between how each team perceives the data centre.
TCP SYN Cookies - DDoS Defence
September 12, 2008 by Greg Ferro · 1 Comment
A TCP SYN Cookie is typically used in DDoS engines and load balancers to create another level of protocol security against Denial of Service attacks. Let's take a quick dive through the technology.
Enterprise Cloud Computing - Build Your Own With Cisco VFrame - Why Wait?
August 21, 2008 by Greg Ferro · 17 Comments
I can see some value in external Cloud Computing, but why not just build your own with Cisco? Take a bunch of leftover machines and that old storage system, get a demo version and make your own.
Autonegotiation on Ethernet - It Works, It Should Be Mandatory!
July 15, 2008 by Greg Ferro · 22 Comments
EVERYONE - Autosensing on Ethernet works just fine, and all manufacturers recommend using autosensing. Why aren't you!
Let's look at how it works and why you should be using it.
IOS: Open Source Lab DNS and IP Addressing
June 2, 2008 by Greg Ferro · 1 Comment
A number of Cisco Bloggers have talked about making labs available for others to use. However, part of what will be needed is some conventions to make these labs work for the largest number of people.
Following Ivan Pepelnjak's posting on Private Domain Names, and an earlier posting that I made on Reserved IP Address for Testing, I believe we have the perfect combination of DNS and IP addresses for building live test environments that will work for Open Source lab scenarios.
IOS: Reverse SSH Console Access
May 29, 2008 by Greg Ferro · 5 Comments
I recently needed to secure the reverse console access using a Cisco IOS router. Now for many years we have been doing this over telnet and the configuration has been straightforward. But configuring it to support SSH instead of telnet is a little bit different, awkward in fact.
Review of ActivIdentity ActivID 4Tress AAA and 2 Factor Tokens
April 9, 2008 by Greg Ferro · 3 Comments
In a recent project I was required to use ActivIdentity ActivID for two factor authentication. This post is about my overall experience with the product and its poor approach to HA. While ActivID does work fine, and its tokens look nice and it works OK, this is not a product for any small or medium company, and it requires a lot of IT resources to make it work.
Blue Coat ProxySG VIP and Cisco Switches Need Multicast Enabled
March 30, 2008 by Greg Ferro · 2 Comments
You have a pair of shiny new ProxySG boxen that you want to set up in active / standby for high availability. You configure it up and everything seems to work, and then it doesn't, or other equipment on the same network experiences random problems.
What you have is a multicast problem with your Ethernet switches, most likely your Cisco switches. How to understand and solve the problem after the jump.
Where Are All the Features for Nexus? Or Is It Just Me?
March 20, 2008 by Greg Ferro · 2 Comments
I wrote this in response to Omar Sultan at Cisco on ‘Why you want this switch?’
I was looking at the NX-OS Feature Navigator today and NX-OS looks (currently) like a substantially feature-free platform - check out the NX-OS Feature Navigator and consider what is not listed there.
A couple of other things that strike me as odd:
- NX-OS has a primary marketing message that is based on technologies that do not yet exist (FCoE) or technology that only a few companies care much about (10GB Ethernet), or intangible elements like their new switching fabric
- Waxing lyrical about your ‘lights out sub-system’ smacks of desperation because there are not any other features to talk about.
- NX-OS remains an unknown.
- I still believe that NX-OS has been released to put a footprint in the space and slow down venture capital investments. You never know, they might have produced a product that could eat Cisco’s lunch.
Omar and Doug have a role in promoting the Nexus 7000. Let's make sure that we don't go overboard with the markitecture. I would appreciate it if they could quiet down the marketing so I can get some work done here. If another person comes up to me and asks whether I have seen the Nexus 7000 I am going to hit them with RITA.
As a long time veteran of many product releases, market announcements, platform announcements I remain deeply cynical. In some movie, a pretending person once said, “show me the money”. That’s what I want.
Postscript
I wrote more about the Nexus 7000 in a previous posting considering whether it is suitable for use today or tomorrow.
Is the Cisco Nexus 7000 Needed Today - or Tomorrow?
February 25, 2008 by Greg Ferro · 1 Comment
No doubt the Cisco Nexus 7000 switch is a fine piece of technology. The performance and throughput are welcome, and it clearly offers some fine new capabilities such as virtualisation, ISSU, better OOB and so on. I am sure that everyone can perceive the positive messages; let's face it, Cisco isn't going to be shy in telling us about them.
However, let's consider the issue from the perspective of the architect/designer and how Cisco has positioned this in the marketplace. From an architecture perspective, I will need to commit a substantial capex to the product and a much larger amount of resource cost to transition a network to use the product. Even if I am building new data centres (and thus have no legacy), changes to operating standards, procedures, management tools and other orchestration issues present substantial barriers to adoption.
Single Internet Connection but HA Infrastructure - Using Bridging Instead of Routing
February 20, 2008 by Greg Ferro · 1 Comment
Introduction - The Design Constraint
The customer had decided to build a hosting platform, but could only arrange for a single internet connection to that site due to location. However, all other hardware was duplicated for high availability. After considering the options the following diagram was prepared showing the first pass at the design. This was the Internet Connection (100Mb Ethernet) connected to the router, then connected to a switch, which was interconnected by trunk to a second switch. The first layer of firewalls is then connected.
In this design, the router and the first switch are single points of failure, as shown on the diagram.
Performance of Blue Coat BCAAA Agent for Authentication
February 11, 2008 by Greg Ferro · Leave a Comment
A common question in the Blue Coat forums is about the server specification for the BCAAA and how many users can be supported. While I am not sure about the performance that Blue Coat recommends, I can tell you my experiences.
Reserved IP Address Range for Testing - RFC 2544
February 5, 2008 by Greg Ferro · 1 Comment
I have been looking at a multi-host data centre, using MPLS to securely share certain resources, and considering the architecture considerations for Network Management.
Let's define the problem. Network Management is software and servers that collect data from my network equipment and present it to me in some useful form. Add to this some documentation and process support tools such as a wiki that holds documentation, or a service such as a helpdesk package.
The servers have to have IP addresses, but what addresses to allocate? If I use something from the RFC 1918 addressing then it is possible that a given VRF might need to use that range. I don't need the hassle of buying and maintaining routable addresses (although for a very large data centre this would be easy enough to do).
So I spent some time researching the RFCs and found this little gem.
The Poor Man’s IOS Traffic Generator
January 18, 2008 by Greg Ferro · 1 Comment
This is a feature that I used to use years ago, but had forgotten about. For some reason, I remembered it today and it is still as useful as it ever was. Read on…