Networking

My take on Amazon Network Switches

There has been a rumour floating around lately that Amazon is going to introduce Ethernet switches. A move like this by Amazon would eventually challenge manufacturers like Cisco Systems. I came across a video from Packet Pushers in which Greg Ferro talks about the possibilities and the avenues Amazon could take to venture into the switching, or even the wider networking, arena.

As Greg stated, Amazon, or in this case AWS, already runs its own network on its own hardware and software. This is because it cannot keep its profit margin while relying on another vendor. In the long run it is cheaper to run on hardware and software you design, manufacture and manage yourself. Furthermore, it would be near impossible to run the biggest cloud architecture in the world with the network on another vendor's equipment. They most likely run their underlying network as a fabric controlled by software-defined networking (SDN) such as OpenFlow, and run the rest of the architecture virtualized and controlled by the AWS console.

Assigning /31 prefix address to interfaces

When it comes to subnetting, most people usually stop at /30. This gives them a netmask of 255.255.255.252, resulting in two usable IP addresses along with one network and one broadcast address.

The /31 prefix was introduced in RFC 3021, which defines its use on point-to-point links. A point-to-point interface does not need a broadcast address, so there is no real need to assign a /30 prefix. On a /31 segment, both addresses are interpreted as host addresses.

The main advantage of using a /31 prefix is that it limits the number of addresses consumed by each segment. Therefore, a company running multiple point-to-point links on public IP addresses can save half of the address space those links would otherwise use.

Ubiquiti EdgeRouter Tunnelbroker IPv6 Configuration

This post will cover the IPv6 configuration on a Ubiquiti EdgeRouter ERPoE-5 running firmware version 1.9.1. I will be going through the whole process of setting up IPv6 connectivity using a Hurricane Electric 6in4 tunnel.

I will not be using the real IP addresses; however, the reader should be able to follow along and substitute their own configuration.

This is a home network, therefore a lot of aspects are not considered in the design!

Overview

  • There are three VLANs: Main (1), Guest (2) and Automation (3).
  • Since there is no native IPv6 support from my ISP, I am using a 6in4 Tunnel to get IPv6 working.
  • The EdgeRouter is the public facing device connected to a vDSL Modem via eth0.
  • The Ethernet interfaces eth1, eth2, eth3, eth4 are bridged via bridge interface br0.
  • Bridge interface br0 has the RFC 1918 address 192.168.1.124 assigned on VLAN 1, which is also used as the management IP.

Part 1

In this part, I will be covering the tunnel creation. You need to head to Hurricane Electric (HE) at https://www.tunnelbroker.net and get yourself an IPv6 tunnel. I have used a /48 routed prefix for my configuration, which you can see below.

Best Practice Access Control List Firewall Rules

When it comes to firewall rules, there are a number of things I follow as best practice. To start with, make sure you have all the necessary information in place before writing your firewall rules.

Ask yourself the following questions. If you don't have the answers, go back to the drawing board and gather all the necessary information.

  • Do you have all the ports and protocols the rules need to permit?
  • Do you have all the IP/Subnet information?

Make the ACLs short and sweet

It is always a best practice to avoid using IP addresses in ACLs.

  • Make sure that the ACLs are intuitive to anyone who is not familiar with your network.
  • You should be able to understand how the firewalling is done by reading the ACLs.
Remove or Move Interface from VSAN Database

This will guide you through adding and removing interfaces from the VSAN database. Even though I have tested this on a Cisco MDS 9124, the process is virtually the same on the Cisco Nexus platforms, with a slight difference in interface names.

The command show vsan membership will tell you which VSAN an interface is a member of. Interfaces are usually in VSAN 1, the default, and can be moved to another VSAN with the following commands.

vsan database
vsan 100 interface fc1/1

If you want to remove an interface from a particular VSAN, you need to move it back to VSAN 1.

How to flash Cisco Autonomous Access Point to Lightweight

The following method converts a Cisco Aironet Autonomous Access Point into Lightweight mode by flashing the code. I have tested this on the c1252 model, but the same method should work as long as the model is supported by Cisco.

Download the recovery image and place it on the TFTP server.
c1250-rcvk9w8-tar.152-4.JB6.tar

Remove the trailing .tar from the image filename; it should look like the following.
c1250-rcvk9w8-tar.152-4.JB6

Set the laptop IP address as follows.
IP Address: 10.0.0.5
Subnet Mask: 255.255.248.0
Default Gateway: 10.0.0.10

Juniper SRX Config on PlusNet / FTTC / BT Infinity

The following JunOS configuration has been tested on PlusNet Fibre broadband with an external BT Openreach modem. This setup should work with other VDSL/FTTC providers, since they use the same underlying BT infrastructure.

  • The configuration has been tested on an SRX210H running JunOS 11.4R9.4 and 12.1X44-D35.5
  • The BT Openreach modem connects to interface fe-0/0/7 on the SRX

Set the underlying interface encapsulation to PPP over Ethernet.

set interfaces fe-0/0/7 unit 0 encapsulation ppp-over-ether

Set the PPP options with CHAP as the authentication method.

If your ISP happens to use PAP authentication instead, reflect that in the ppp-options below.

set interfaces pp0 unit 0 ppp-options chap default-chap-secret YOUR-PASSWORD
set interfaces pp0 unit 0 ppp-options chap local-name YOUR-USERNAME
set interfaces pp0 unit 0 ppp-options chap no-rfc2486
set interfaces pp0 unit 0 ppp-options chap passive
Border Gateway Protocol (BGP) as SDN Backbone

Border Gateway Protocol (BGP) is the core of the Internet, and yet its versatility is hardly utilised by the majority of the networking community within the data centre. BGP is widely used by service providers, and also in conjunction with MPLS. With the introduction of Software-Defined Networking (SDN), the whole concept of networking will change dramatically in the coming years; some could say it has already changed, and I agree. We will hardly be managing devices individually, as it becomes impractical to manage hundreds or even thousands of devices in a data centre architecture.

Why Border Gateway Protocol?

I will try to justify my view that BGP is the perfect candidate for an SDN backbone. Other protocols will still tick some of the boxes, but they won't be able to tick every box the way BGP does.

Versatility

I can't think of another protocol that is versatile enough to handle the control plane and data plane separately, yet communicates between the two efficiently. After all, SDN is all about separating the control plane from the data plane.

Unable to Capture Wireshark on Linux

This is a common issue with Wireshark on Linux caused by a permissions problem: capturing needs privileges that a normal user does not have. You may also get the following error when trying to start a capture:

You didn't specify an interface on which to capture packets.

This can be fixed with the following commands, which allow members of the wireshark group to capture without running Wireshark as root.

sudo dpkg-reconfigure wireshark-common
sudo usermod -a -G wireshark $USER

Then reboot, or log out and back in with the following command, so the new group membership takes effect.

gnome-session-quit --logout --no-prompt