Confederations By its true definition, a confederation is an organization which consists of a number of parties or groups united in an alliance or league. But what is a BGP confederation? BGP Confederation A BGP confederation is an alternative to route reflectors, used to reduce the number of BGP peerings within a single AS. …
What is ORF? Outbound Route Filtering (ORF) is a Cisco proprietary feature that prevents the unnecessary exchange of routes that are subject to inbound filtering. This, in turn, minimizes bandwidth across the links and reduces CPU cycles on the router during the processing of the neighbor UPDATE. ORF works by the router transmitting its inbound filters …
BGP Path Selection Process BGP exchanges routes (prefixes) between BGP peers. Each of these announcements from a peer for a prefix is called a path. [1] The routes within these UPDATE messages are stored within the BGP table and kept separate from the Routing Information Base (RIB). The BGP process then selects the “best” path from …
Introduction When the BGP routing policy is amended, the BGP neighbor session must be reset in order for the changes to take effect. Of course, in a production environment, performing a hard reset (i.e. clear ip bgp …) isn’t something that is recommended. Within this article, we will look at the various options available …
Introduction Reverse path forwarding (RPF) is a technique used in modern routers to ensure loop-free forwarding of multicast packets in multicast routing and to help prevent IP address spoofing in unicast routing. [1] Within this article, we will look at multicast RPF, why it is needed and how it …
BGP Messages Within BGP (as per RFC 1771) there are four BGP message types. They are: OPEN – Used to open a BGP communication session between peers. This is the first message sent by each side once the 3WHS (TCP three-way handshake) is complete, and can be thought of as a HELLO. Only once each side has confirmed …
Introduction Within this article, we will look at the basic commands used within Cisco IOS to configure OSPF. Basic Configuration To initially configure OSPF, at a minimum, you must configure three things – process ID, router ID, and the network. Process ID – Defines the OSPF process ID that OSPF will run under. This is …
Introduction In order for OSPF-enabled routers to exchange information, they must form an adjacency (relationship) with their neighbor. Within this article, we will look at the process and the various steps involved (Figure 1). Requirements Before the OSPF router even starts to try to form an adjacency, OSPF must know/determine the following: Router ID – The …
Introduction IGMP (Internet Group Management Protocol) is a Layer 3 protocol (IP protocol number 2) and is a key component (Figure 1) of IP multicast. The role of IGMP is to notify a local multicast router when a host wants to receive multicast traffic for a specific group. Figure 1 – Summary of Multicast Components. There are 3 versions …
Introduction Within this article we will look at how to interact with a networking device (Cisco CSR) using the NETCONF protocol. To do so, we will use the Python module ncclient. What is NETCONF First of all, what is NETCONF? NETCONF (NETwork CONFiguration) is a protocol defined by the IETF to “install, manipulate, and …
Introduction Following on from our previous article around NETCONF and YANG, we will look at the RESTCONF protocol. As per RFC 8040 (RESTCONF Protocol), the IETF describes RESTCONF as “an HTTP-based protocol that provides a programmatic interface for accessing data defined in YANG, using the datastore concepts defined in the Network Configuration Protocol (NETCONF).” Protocol …
TL;DR NETCONF/YANG provides a standardized way to programmatically update and modify the configuration of a network device. To break this down further: YANG is the modelling language that describes the configuration changes, whereas NETCONF is the protocol that applies the changes to the relevant datastore (i.e. running, saved, etc.) on the device. Introduction Let us start …
Introduction Within this tutorial we will use NETCONF and YANG to configure an interface on a Cisco CSR router using a combination of Python and the Bash CLI. Furthermore, we will use 2 main tools – Pyang and Pyangbind. Before we start, let’s have a quick overview of what these tools do. Pyang is a YANG …
Introduction NFV is a term that has been around for a few years now. As vendors and the open source communities look to drive the adoption of NFV, a wave of new acronyms and buzzwords is spreading through the industry. Within this article we will look into the various NFV components (such as standards, platforms, …
Interface to Network Security Functions (I2NSF) is a working group within the IETF formed to define a set of interfaces and data models for monitoring and managing network security functions hosted across multiple sites. I2NSF states: Network security functions (NSFs) are provided and consumed in increasingly diverse environments. Users of NSFs could consume network security …
OpenDaylight is an SDN controller provided by the Linux Foundation. In this article we will show you the steps required to perform a simple installation on Ubuntu. Install Binaries $ sudo apt-get update $ sudo apt-get install software-properties-common $ sudo apt-get install maven git unzip Install Java 1.8 $ sudo add-apt-repository ppa:webupd8team/java $ …
What is OpenFlow? OpenFlow is a protocol, released by the ONF, that allows the remote modification of a network switch’s forwarding table. In other words, the control plane is decoupled from the forwarding plane, enabling network controllers to define the flow of traffic between switches with far greater flexibility than standard routing or forwarding protocols. Figure 1. …
Introduction First of all, what is a route leak? A route leak is the propagation of routing announcement(s) beyond their intended scope – RFC 7908. Within this article we will look at 2 methods of route leaking within an MPLS environment – static routes and route maps. To demonstrate both methods we will look at 2 …
Introduction Within this article we will walk through the various steps required to configure MPLS. NOTE This article does not look to explain the various terms and concepts of MPLS; for details around these please see Getting to Know MPLS. Overview Within our example we will have 2 customers, COSTA and STARBUCKS, each customer consisting …
Introduction Cisco Express Forwarding (CEF) is a packet-switching technique used within Cisco routers. The main purpose of CEF is to optimize the forwarding of packets and increase the packet switching speed. History Prior to CEF there were 2 methods for packet switching – Process-Switching and Fast-Switching. Process-Switching The first method, process-switching, is the oldest and …
Issue Starting in BIG-IP 11.5.0, you can associate multiple SSL certificate/key pair types with a single SSL profile. This configuration allows the virtual server to accept SSL connections from clients supporting newer cryptographic algorithms (such as ECC), while continuing to accept connections from clients supporting traditional algorithms[1]. However, with this new feature you cannot …
In order to adjust the MSS of your traffic on a vRouter (also known as MSS clamping), a policy route is defined. Once the policy route is created, it is assigned to the outside interface. MSS clamping is typically used for IPSEC-based traffic to ensure that traffic does not exceed the MTU of …
Within this article we will show you how to create an IPSEC site-to-site VPN from a Vyatta vRouter into the AWS cloud. Due to the nature of AWS VPNs (explained further on), a tunnel-based VPN will be created. The main difference with a route-based VPN is that a tunnel interface (VTI) …
Issues with Layer 2 across DCs Ideally, data centers do not share fate, but extending L2 creates a common broadcast domain across the 2 data centers; now we are sharing fate. Traffic patterns become sub-optimal: where does the default gateway live? In the local DC, or the remote one? Traffic goes to the load balancer and then to the pool member, but the pool member lives …
EtherChannel is a port link aggregation technology or port-channel architecture used primarily on Cisco switches. It allows grouping of several physical Ethernet links to create one logical Ethernet link for the purpose of providing fault tolerance and high-speed links between switches, routers and servers[1]. All member ports within the bundle must have the same physical settings …
Port Aggregation Protocol (PAgP) is a Cisco proprietary standard that allows multiple physical interfaces to be aggregated into one logical link. Each logical link can contain up to 8 physical members. All member ports within the bundle must have the same physical settings such as port type, speed and duplex. Modes Within PAgP there are 2 modes …
LACP (Link Aggregation Control Protocol) is an open standards protocol (IEEE 802.3ad) that allows multiple physical interfaces to be aggregated into one logical link. Each logical link can contain up to 8 physical members. All member ports within the bundle must have the same physical settings such as port type, speed and duplex. Modes Within LACP there …
The VLAN database is used to store VLAN data, such as the VLAN ID, name and MTU. The default location of the VLAN database is the local vlan.dat file, which is stored in non-volatile memory. Modify VLANDB Location In order to change where the VLAN information is stored, the following command …
Uni-Directional Link Detection (UDLD) detects links where either the transmit or receive path has failed. It is used to monitor fibre-optic or twisted-pair cabling for unidirectional links. UDLD uses periodic hello packets and the concept of echoes to ensure neighbors are receiving the UDLD hellos. It supports 2 modes of operation: Normal – Port is placed …
Unlike CDP, LLDP is a non-Cisco-proprietary discovery protocol. LLDP is disabled by default.
Global: R1(config)# lldp run
Timer/Holdtime: lldp timer 5 / lldp holdtime 15
Show: R1(config)# do show lldp neigh
Issue When remote authentication is configured, it is not possible (out of the box) to configure local user accounts other than the default admin and root accounts provided. This is also stated within the TMOS Management Guide for BIG-IP Systems, which says: “Excluding the admin account, the entire set of standard user accounts that you …
Now let’s consider the following scenario. The client has multiple domains. Traffic is going to all domains on HTTP. However, these domains are under a single virtual server and each domain requires a separate health check. In order to achieve this configuration, port aliasing is used. What is port aliasing, you may ask? Within the ADX various …
In order to interact with the F5 via Python, the best option available is bigsuds. This is a Python module that allows you to interact with the F5 iControl API via a set of Python classes. Typically you will find all the methods you need to interact with your F5 without issues. However, there …
Introduction Within this article we will show you the steps needed to configure cookie persistence (insert) based on URI, i.e. cookie persistence is only performed for a single URI. Cookie Insert When cookie insert persistence is configured, the load balancer selects a server to send the traffic to. The server ID of the server is …
If you want to perform any form of packet analysis/reporting there is really only one program to use. Yep, you guessed it, Wireshark. However, as Wireshark is a GUI-based program, it raises the question: how do you build a packet analysis report via the command line? Within this article we will show you 2 …
Problem You may observe both devices within an F5 HA pair going into standby-standby when: VLAN Failsafe is enabled on a segment; Route Domains are configured; there is no server present on the given segment; the F5 version is lower than 11.2.0. Reason The reason for this is based around bug ID 388270 and also …
Within this article we will look at a simple network design and the various caveats and considerations involved. Initial Design The initial design (shown below) is simple – a pair of network devices (in this instance Cisco ASAs) connected to a pair of Nexus 3k switches. Each firewall is connected to both switches via the …
Issue When updating the parent profile on a client SSL profile, the cert-key-chain settings are inherited from the new parent profile, even though the cert-key-chain is explicitly configured within the child profile. Consider the following: you have a client SSL profile ‘CLIENTSSL’ with the cert, key and chain configured, along with a parent profile set …
What is AAM? BIG-IP’s AAM (Application Acceleration Manager) is a set of modules used to optimize web traffic. The modules include: Web Optimization; WAN Optimization; Profiles – this includes profiles used to deploy various optimization techniques such as SPDY, HTTP compression, OneConnect etc.; Bandwidth Controller; Rate Shaping. Core vs Full AAM comes in …
The other day I was reading about the benefits and new features within HTTP 2.0. One of the key features of HTTP 2.0 is the ability to interleave (i.e. multiplex) multiple requests and responses across a single TCP connection, resulting in domain sharding being considered counterproductive. However, based on how domain sharding and HTTP pipelining can …
ovs-vsctl – utility to manage configuration state in ovsdb-server: bridge management, port management, controller management, failure mode management. ovs-appctl – send commands to ovs-vswitchd. ovs-dpctl – tool to manage datapaths in the kernel directly. Direct management is only really required when there is no ovs-vswitchd; mostly useful for inspecting kernel …
What is AFM? Introduced within 11.3, AFM (Advanced Firewall Manager) is a licensed module for the BIG-IP appliance that provides stateful firewalling along with reporting and DoS protection. Within this article we will look at AFM’s key components and also how it processes traffic. Contexts A context defines the scope of a firewall rule. …
Wireshark provides the ability to calculate the amount of time between packets. This data can then be used within the IO graphing tool of Wireshark to create a visual representation that can be used when troubleshooting networking issues. Within this article we will show you how to create the TCP delta column, the TCP preferences …
Introduction Caching is one of the key optimisation methods in HTTP. It can reduce both network overhead and page load times, resulting in an improved experience for the client. Within this article we will look at the various headers and options available in both HTTP 1.0 and HTTP 1.1. HTTP 1.0 The caching mechanism within HTTP …
Within this article we will show you the commands to show the status of the serial cable, i.e. whether it is connected, without the need to physically check the device. Commands The following commands show the status that the failover daemon detects on the serial cable from its failover peer. Version Command 10.x b failover …
Issue You may observe GTM monitors failing with a message of ‘state: timeout’ within the log messages. On further investigation you find that though the GTM is trying to build the connection (i.e. sending the SYN), there is no response (SYN-ACK) from the destination, resulting in the probe attempt failing. Reason The reason for this …
In order to mitigate the POODLE vulnerability on the Brocade ADX, SSLv3 must be disabled. However, this can only be achieved via code release 12.4s, which disables SSLv3 completely. All code versions prior to this have no method or option to disable the SSLv3 protocol. HealthChecks On the ADX there are 2 …
Within this article we will provide you with the steps to upgrade an F5 LTM v10 box to v11. New Device Upgrade Below are the steps if you are going to be upgrading your v10 configuration onto a new device. These steps presume that you already have v11 running on your new device. Verify your …
This cookbook is a collection of iRule tips, hints and solutions that I have discovered and found whilst writing and designing iRules across the years. Contents How do I split a URL and assign the parts to separate variables? How do I perform DNS lookups? What is the easiest way to rewrite the uri …