Packets Analyzed

Common EAP Methods

2012-02-12T09:12:00.000-05:00

Challenge and Response methods

EAP-MD5: Uses MD5 based challenge and reponse for authentication
EAP-GTC: Generic Token and OTP authentication

Certifcate based methods

EAP-TLS: Uses X509v3 OKI certificates and TLS mechanism for authentication

Tunneling Methods

PEAP: Tunnels over EAP types in an encrypted tunned, much like web-based SSL
EAP FAST: Tunneling method designed to require no certificates for deployment

Note: This is not a comprehensive list.

802.1x Roles

2012-02-11T09:08:00.001-05:00

Role of the 802.1x Client Software

Supplicant is responsible for initiating on authenication sessions with the authenticator
Supplicant software can be included in the operating system or you can install a third party supplicant

Role of 802.1x Authenticator

The authenticator is refered to as the NAD (Network Access Device) such as a switch, WLAN controller, firewall, etc..
The supplicant is challenged by the authenicator, the supplicant enters credentials and the NAD passes credentitals to the authentication server. The authenticator also enforces policies on each 802.1x port.

Role of the 802.1x Authentication Server

Performs Authentication, Authorization and Accounting
Validates the authentication credentials of the supplicants that are forwarded by the NAD
Policy look-up based on the supplicant idenitiy and group affiliation and passes the policy to the NAD. This can be the for of DACL (Downloadable ACL) or VLAN assignment
An authentication server for Cisco can include Cisco ISE or Cisco ACS

Role of the Dirctory Server in 802.1x

Cisco ISE supports

local user database (does not scale)
Supports Active Directory
LDAP
RSA Tokens
RSA Secure ID
Certificate

BYOD

2012-02-04T09:12:00.000-05:00

BYOD (Bring Your Own Device) - There are security concerns when allowing employees, customers, and business partners to bring in there own device and plug it into the corporate network. Cisco has consolidated its ACS and NAC platform into a new product called ISE (Identity Services Engine). This new platform centralizes and simplifies the administration and empowers security groups the ability to make automated decisions. Have a look at the video below:

Terry: this one is for you as I am sure this challenge has come up many times.

Layer 2 Security Best Practices

2012-01-22T20:08:00.000-05:00

Here are a couple of recommendations from Cisco when it comes to securing layer 2

STP - Leverage Root Guard and BPDU Guard
Shutdown unused ports
Leverage DHCP snooping and DAI (Dynamic Arp Inspection)
Disable unneeded services
Use port security to restrict the number of MAC addresses that a port can learn
Limit management access to a layer 2 switch
Use SNMPv3
Do not use the native VLAN to send user data. Create a native VLAN and do not add any ports to it.

This was not mentioned but I would also add PVLAN (Private VLANs) and VACL's where appropriate.

CCIE Security.....

2012-01-16T17:35:00.003-05:00

Well I have started the long process of becoming a CCIE in security. I am going to start right from the beginning (CCNA Security---> CCNP Security---> CCIE Security Written ---> CCIE Lab) to ensure that no topics are left unturned. I am not sure that I learned my lesson from the R&S track but I have to renew by May of 2013 so Security made the most sense.

Anyone going down the same path?

Cisco UCS Blades Deploy 47% Faster versus HP

2012-01-16T17:31:00.000-05:00

A partner at Cisco shared this link with me showing the time differences between the deployment of blade servers. Cisco vs HP....imagine if you were deploying tens or hundreds of blades.

Fortinet - HA Master Selection

2011-12-13T21:25:00.000-05:00

Master Selection - High Availability with Fortinet

Master (also known as the Primary) is chosen based on the following

monitored port - (highest number of connected non failed monitored interfaces)
system up time (age) - (longest up-time)
unit priority - (default 128 - higher priority is selected as Master)
serial number - (highest serial number)

As soon as the FGCP protocol hits the first criteria that meets the requirement of the master selection process the rest of the evaluation process is no longer evaluated and the master node is selected.

Brocade Certification

2011-12-09T22:13:00.001-05:00

I know its been awhile and I am looking forward to posting again. I most recently have been asked to look deeper into Brocade so I looked up their certification path and was surprised to find the following

Data Center Enhanced Ethernet

2011-10-30T17:55:00.000-04:00

Data Center Enhanced Ethernet (NGDC - Next Generation Data Centers)

Priority Based Flow Control (802.1Qbb) - Supports storage traffic and provides CoS flow control
CoS Based BW Management (802.1Qaz) - CoS based enhanced transmission, grouping of classes into "service lanes"
Backward Congestion Notification (BCN/QCN - 802.1Qau)- end to end congestion management for L2 network
Data Center Bridging Capacity Exchange Protocol (DCBXP - 802.1AB) - Auto-negotiation for enhanced Ethernet capabilities (switch to nic)

Availabilty

2011-09-11T22:36:00.000-04:00

I have heard some engineers and administrators claim that their systems are available 100% of the time. I wanted to ensure that there is a clear understanding on what 100% availability means. Up-time does not equal availability; you can have a system that is up but the services may not be available. You also need to consider maintenance windows as this impacts your overall availability. If you do not have the ability to do maintenance without impacting the services that you are providing then your overall availability percentages take a hit. Other things that may impact your ability of achieving 100% availability includes environmental's such as power, cooling, etc and other services that are required to provide access to the very services that you are providing such as internet connectivity, WAN, LAN, SAN, etc....

Below is a chart showing the availability percentages and the expected downtime per year based on these percentages.

So.....are you really providing 100% availability?

vSphere 5.0 High Availability vs Previous Versions of VMware

2011-09-10T18:13:00.000-04:00

This post is a follow up to a previous post "Virtualization-Vmware-Clusters and Blade Servers" where we discussed limitations with HA in previous versions of VMware.

In vSphere 5.0 the concept of 5 primary/secondary hosts has been eliminated and the concept of master/slave exists. A single host is the master and all other hosts are slaves, if the master fails then an election process is kicked off and a new master is elected.

This eliminates issues in previous versions of VMware where the primary/secondary concept existed and we needed to consider

Number of hosts in a cluster
Managing the role of the host
Number of consecutive host failures
Placement of hosts across blade chassis and stretched clusters
Partition scenarios likely to occur in stretched cluster environment

By the way Dave thanks for the link

You Never Know When You Need......

2011-09-05T20:03:00.000-04:00

Cisco Borderless Network Architecture

2011-09-05T19:24:00.000-04:00

Cisco's borderless networks provides secure, seamless, and reliable connectivity to anyone, anywhere, anytime to anything. Borderless network architecture is a technical architecture that allows organizations to realize these benefits.

Virtualization - VMware Clusters and Blade Servers

2011-08-22T19:39:00.000-04:00

Blade chassis help further consolidate the data-center footprint and provide an excellent platform to run virtualization; this further consolidates the data-center footprint. I have noticed on a variety of installations the failure to ensure proper placement of the primary nodes when installing a VMware cluster on blade chassis technology. Primary placement is critical to ensure the availability of VMs in the event of a blade chassis failure. There are 5 primary nodes per cluster and these are selected as the nodes are added to the cluster. Primary nodes holds all cluster settings and node states and this is replicated to all primaries. Secondary nodes do not become primary nodes if a primary node were to fail. Heartbeats are sent from primary to primary nodes and from secondary to primary nodes. If a primary node fails and is not removed then no secondaries become primaries, but if a failed primary node is removed from the cluster than a secondary node becomes a primary node - the selection of which secondary node becomes a primary node is random further complicating the balancing of primary nodes. The diagram below shows 3 blade chassis's running in RACK A leveraging VMware, the diagram below shows the problems that happen when improper placement of the primary nodes is not followed. In the case below the blade chassis's are HP C7000 series. The installation of ESX is completed in the order of the blade server slots assigned by the blade chassis and all 5 primary nodes end up on one blade chassis (the installation includes adding the nodes to the cluster). The issues identified in the diagram.

To ensure that a blade chassis failure does not impact your ESX cluster ensure that you stagger the installation (installation includes adding the node to the cluster) across the blade chassis's (HP has a split back-plane which adds additional levels of resiliency). The installation process shown in the diagram below

As you can see this ensures that a blade chassis failure will not impact your ESX cluster. Blade technology and virtualization provides alot of opportunities for the business and with proper planning and execution you can ensure that the business realizes these benefits. There is no way to change the primary node placement without the removal of nodes from the cluster and strategically placing the nodes back into the cluster - this includes VMware 4.X and under.

Update: vSphere 5.0 uses the concept of master/slave and you can read more about it here

Virtualization - Zero Impact Maintenance

2011-08-21T19:48:00.001-04:00

Leveraging Virtualization to provide zero impact maintenance during production hours.

Before performing maintenance on the physical node in question you need to migrate the VM over to another physical node. This step is non-disruptive to the production environment and the VM continues to provide services.

The migration happens fairly quickly with zero impact. You have to ability to migrate VM's either hot or cold but typically your VM's are running in production environment and cannot tolerate down time; therefore most administrators migrate them hot.

Now it is time to set the node into maintenance mode to ensure that VMs do not migrate over during the maintenance window. Technologies leveraging VMware's vMotion have the ability to migrate VM's dynamically as well as administrators have the ability to migrate VMs as required. Maintenance mode ensures that a migration does not happen during maintenance.

Once the maintenance is complete remove the physical node from maintenance mode. Manually migrate VM's back to the node if desired or allow technologies such as DRS (Distributed Resource Allocation) to determine the outcome.

Once the migration is complete the virtual infrastructure is running in the same state prior to the maintenance window. Virtualization allowed the administrator to perform maintenance during production hours reducing overtime costs and providing zero impact services to the customer.

Note: You can have multiple physical hosts in a cluster providing high levels of resiliency.

FCoE - Convergance

2011-08-20T12:55:00.002-04:00

FCoE (Fibre Channel over Ethernet) allows companies to further converge their infrastructure reducing the complexity and costs.

Reduction in Cables and Switches
Reduction in Interface Cards
Reduction in Power and Cooling

FCoE runs on your data network and removes the need to have a separate Fibre channel infrastructure. FcoE is not routable and will not extend across routed IP networks. FCoE runs on top of Ethernet and enhancements to Ethernet were required in order to prevent frame loss (PFC). The new enhancements to Ethernet are referred to as Lossless Ethernet.

Priority Flow Control (802.1Qbb)

Additional enhancements to Ethernet may include (dependent on the vendor)

Bandwidth Management (802.1Qaz)
Congestion Management (802.1Qau)
Shortest Path Bridging (802.1aq)

Servers leverage CNA (Converged Network Adapter) with contains both the NIC (Network Interface Card) and HBA (Host Bus Adapter). CNAs have 1 or more ports.

Note: The diagram below is NOT meant to show redundancy.

Introduction to QFabric

2011-08-11T06:31:00.000-04:00

NX-OS VEM Physical and Virtual Ports

2011-07-31T12:00:00.001-04:00

VEM (Virtual Ethernet Module)

VSM (Virtual Supervisor Module)

Nexus 1000v supports the following

-2 VSMs (High Availability)

-64 VEMs

-512 Active VLANs

-2048 Ports (Eth + vEth)

-256 Port Channels

VEM supports the following

-216 Ports (vETH

-32 Physical NICs

-8 Port Channels

NX-OS Fibre Channel Module

2011-07-30T12:00:00.000-04:00

The Nexus 5000 can run in two modes

Fabric Mode - The Nexus 5000 switch module runs as a typical switch in a fibre channel network.

NPV (N-Port Virtualization) Mode - Does not operate as a typical FC switch. Operates like a NPIV enabled host within a fabric.

NX-OS FCoE Ports

2011-07-29T12:00:00.000-04:00

Nexus 5000 Feature that needs to be licensed.

FCoE (Fibre Channel over Ethernet) - is leveraged to further unify I/O. FCoE allows fibre channel to operate over ethernet by encapsulating Fibre Channel into ethernet.

FCoE Ports

Virutal N_Port (VN_Port) - Node ports which exist on hosts or storage arrays and connect to a FC fabric. Operates over Ethernet links.

Virtual F_Port (VF_Port) - Switch or director ports that connct to node ports. Operates over Ethernet links.

Virtual E_Port (VE_Port) - Expansion port that is used to inter-connect two FC switches together. When two swithes are connected they form an ISL (interswitch link) Operates over Ethernet links.

NX-OS Virtual SPAN

2011-07-28T12:00:00.001-04:00

Virtual SPAN empowers a network administrator to SPAN more than 1 VLAN and enables the network administrator the ability to selectively chose which VLAN goes to what destination SPAN port. Example: A network administrator wants to SPAN a trunk port with VLAN 10, 20, and 30 but wants to send VLAN 10 to SPAN port ethernet 1/1, send VLAN 20 to SPAN port ethernet 1/2. and send VLAN 30 to SPAN port ethernet 1/3. Virtual SPAN enables that flexibility. This also helps reduce the number of SPAN sessions required.

Example Nexus 7000:

Trunk Port that you want to monitor

(config)#interface ethernet 1/10

(config-if)#switchport

(config-if)#switchport mode trunk

(config-if)#switchport trunk allowed vlan 10,20,30

(config-if)#no shut

Create a SPAN Monitor Port for the Analyzer1 (must be a trunk when leveraging virtual SPAN)

(config)#interface ethernet 1/1

(config-if)#switchport

(config-if)#switchport monitor

(config-if)#switchport mode trunk

(config-if)#switchport trunk allowed vlan 10

Create a SPAN Monitor Port for the Analyzer2 (must be a trunk when leveraging virtual SPAN)

(config)#interface ethernet 1/2

(config-if)#switchport

(config-if)#switchport monitor

(config-if)#switchport mode trunk

(config-if)#switchport trunk allowed vlan 20

Create a SPAN Monitor Port for the Analyzer3 (must be a trunk when leveraging virtual SPAN)

(config)#interface ethernet 1/3

(config-if)#switchport

(config-if)#switchport monitor

(config-if)#switchport mode trunk

(config-if)#switchport trunk allowed vlan 30

If the system is an IDS/IPS it may required the ability to learn the MAC address of the device. Include the following

(config-if)#switchport monitor ingress learning

Configure Monitor Session

(config)#monitor session 1

(config-monitor)#source interface 1/10

(config-monitor)#destination interface ethernet 1/1,ethernet 1/2,ethernet 1/3

(config-monitor)#description SPANNING SESSION 1

(config-monitor)#no shut

You must no shut the monitor session

NX-OS SPAN

2011-07-27T12:00:00.002-04:00

Nexus 7000/5000 SPAN Sessions

SPAN Session Limit - 18

Nexus 1000V

SPAN Session Limit (SPAN and ERSPAN) - 64

Nexus 5000 SPAN Sessions

Can SPAN Ethernet,Fibre Channel,PortChannel,SAN PortChannel,VLAN,VSAN (Virtual Storage Area Network)

Nexus 7000 Example:

Create a SPAN Monitor Port for the Analyzer

(config)#interface ethernet 1/1

(config-if)#switchport

(config-if)#switchport monitor

If the system is an IDS/IPS it may required the ability to learn the MAC address of the device. Include the following

(config-if)#switchport monitor ingress learning

Configure Monitor Session

(config)#monitor session 1

(config-monitor)#source vlan 10 rx

(config-monitor)#source vlan 20 both

(config-monitor)#source vlan 30 tx

(config-monitor)#destination interface ethernet 1/1

(config-monitor)#description SPANNING SESSION 1

(config-monitor)#no shut

You must no shut the monitor session

NX-OS ISSU

2011-07-26T06:00:00.003-04:00

ISSU (In-Service Software Update) - Provides the ability to upgrade software without disrupting operations. The system performs the following steps to ensure a non disruptive upgrade:

Active and Standby Supervisors and all line cards BIOS's are upgraded
Standby Supervisor is upgraded and rebooted
Once the Standby Supervisor comes online with the upgraded version of NX-OS a stateful switchover is performed. All control plane traffic is now running on the former Standby Supervisor which is now the Active Supervisor.
The new Standby Supervisor (former Active Supervisor) is now upgraded.
Upgrade is performed on the Line Cards on are a time and then reloaded. The reload is non disruptive and is only performed on the CPU, no data plane components are impacted.
CMP (Connectivity Management Processor) on both Supervisors are upgraded.

NX-OS Stateful Switchover

2011-07-25T06:00:00.006-04:00

Having redundant supervisors and a software architecture like NX-OS provides the ability to switchover to the redundant supervisor. Common reasons to fail-over include:

-ISSU (In Service Software Update)

-System Manager Initiated

-User Initiated

To manually switchover perform the following:

#system switchover

NX-OS 1000V Installation

2011-07-24T19:36:00.003-04:00

Nexus 1000V can be installed within VMware using two methods

-Manual Installation

-Nexus 1000V Installer

When using an ISO image use the following settings for the VM

VMType: Other 64-bit Linux

1 Processor

2GB RAM

3 NICs

Minimum 3GB SCSI Disk

LSILogic adapter

Reserve 2 GB RAM for the VM

Configure VM Network adapters and attach ISO, power on

You can use and OVA/OVF (Open Virtualization Appliance/Open Virtualization Format) file to perform the install

Note: There is a Nexus 1000V plug-in that needs to be registered into VMware Virtual Center