Teneo !!!

Aaron’s blog on Networking, and Enterprise Technology

Category Archives: Technology

HP FlexNetwork Architecture

Today, Dave Donatelli, Executive VP for HP, announced HP’s FlexNetwork Architecture.

There is no doubt that HP has been gaining a lot of ground in their ProCurve sales for the enterprise.  Being that their price points are below Cisco’s, with the functionality one would expect in the enterprise, it’s no wonder people are considering HP when they did not before.

FlexNetwork is the all-inclusive term which encompasses 3 tiers of HP’s Networking Portfolio:

  • FlexFabric – Datacenter Networking
  • FlexCampus – Wired and Wireless networks in the Campus environment
  • FlexBranch – Branch Office products

FlexManagement applies to the whole FlexNetwork Architecture, as it covers the management of all of it.  Currently, it consists of the Intelligent Management Center, or IMC for short, which monitors and manages all your network devices: not just HP, but Cisco, Juniper, Dell, etc.  Currently, it manages 2600+ devices, and more than 3000 after Service Pack 1, to be released in June 2011.


Partial Internet Shutdown?

While no one can control the internet, you can certainly degrade it for many people.

We have a major technological hub in Sweden. Their internet provider (like many others in Sweden and Europe) uses Telia as its communications provider. Over the last couple of days, our outbound emails kept queueing up in our systems, and some websites wouldn’t work.

Come to find out, Cogent, a major communications company in the US and Europe, has actually depeered Telia from its AS routing, making it impossible for Nordic customers (as well as some in Europe, I would imagine) to access systems on Cogent’s network. Even alternate routing was turned off.

Apparently, this is because Cogent got ticked off over a contract dispute about the size and locations of certain internet pipes. They feel it was:

“…for the good of the internet.”

Also, coming from Jeff Henrikson, spokesperson for Cogent:

“Some traffic flow was impeded and some traffic was redirected further than it needed to go.”

“[Telia] wasn’t responding to requests to comply with the contract….[Cogent] wasn’t left with much alternative but to terminate the contract.”

Wow. Can you believe that? See the below links for more information:

http://www2.meltedcube.com/blog/web-internet-telecom/isp-quarrel-partitions-internet/
http://gigaom.com/2008/03/14/the-telia-cogent-spat-could-ruin-web-for-many/


Firefox vs IE memory usage

Being the Network Operations Manager, one of my duties is to decide on policies and standardization across the Desktop and Server infrastructure.  For the longest time, I’ve had to weigh and determine whether we should drop IE and move to Firefox.

Why the hard decisions?  Well, although Firefox is certainly more secure (and more productive to use in my opinion), the fact remains that many 3rd-party companies are still designing applications to the IE spec.  I won’t go into detail why that is wrong in around 100-different ways.  The fact is, we must keep IE.

However, I do encourage users to try Firefox, and use it if they can.  The only downside it has had was its huge memory usage.  The more tabs and windows you used, and the longer it sat, the more memory it would use.

Apparently, that has changed, according to some tests prominently displayed and explained on Pavlov.net’s blog.

They tested three different browsers: IE7, Firefox 2, and Firefox 3 beta.  The results were shocking to me.  Basically, they opened 30 webpages, each in its own window, and did that 11 times.  Each window that was opened closed the previous window.  At the end, the last window remained open, and they let the browser sit awhile.

Check out these results (blatantly taken from Pavlov’s site):

This shows that not only does Firefox 3 have BETTER memory management than its predecessor, but check out IE7!!  It didn’t even reclaim the used space of all those windows after sitting!!

This is proof in the pudding!  Not only does IE SUCK at CSS, but it also SUCKS at memory usage.  No wonder why Vista has such steep memory requirements!  It’s not for the eye-candy, or advanced graphics and tools.  It’s to keep browsing the internet!!!

Here’s the link to the article, in case you missed it above:

Firefox 3 Memory Usage « pavlov.net

Email as a File Transfer Medium?

It is getting out-of-hand. Users are treating email as a file-transfer medium. Even if the other person is sitting 3 desks down. Rather than saving their files to the network, they "feel" it’s easier to just attach it, and send it to the other person’s mailbox.

It’s getting worse. Nowadays, Marketing files are getting overwhelmingly (is that a word?) large. We are now using email to transfer Marketing campaigns, videos, and magazine layout files. Where did we go wrong? And don’t get me started on the oversized 5MB photos of someone’s mom’s birthday from those 7 megapixel cameras.

I’m guessing it’s because everyone is so used to using email, it just became second nature. Now, of course I’ve implemented the size-restriction policy. Most medium/large-sized businesses have. BUT, you can’t stop business processes either.  If they gotta have it, they gotta have it.

If Company A has a critical financial spreadsheet that Company B must have, and it is 25MB in size, do you just tell them they are out of luck? Unless you want to lose your job, you temporarily give them access.

Of course, you have the other alternative, which is to set up an FTP server. That way, you can give your users access to their own "folder", and drop files in there for the "outside" users. But, what if an outside user shouldn’t see another outside user’s data from the same internal user’s folder?

Now, you are back to heavy administration. You’ve alleviated the database size problem from email, and moved over to an administrative overhead of maintaining user accounts and permissions.

Really, the best option is to setup a web-enabled file transfer application. This type of application allows end-users to "upload" the files they want to transmit, and type in the recipient’s email address. An email is then submitted, on the user’s behalf, with a link to download the file. Now, you’ve moved from a push (synchronous) technology, to a pull (asynchronous) technology. AND, if the user doesn’t want it, you are not forced to use up the bandwidth.

A perfect solution. I haven’t found many products that do what I want, though. Either they are too expensive, or they don’t do what I want. So, I’m halfway thinking of just making our own web application. Jeez, it can’t be that hard?

Anyone have any suggestions on products they use, to alleviate using email to transfer files, but still use email to notify users of the files?


3750-metro frustrations. Worth it??

I am incredibly frustrated, and I’m hoping this post will save countless others from yelling out loud, after finding out you wasted money and hours of troubleshooting for no reason.

First off, a bit of history. Back in my historical posts, I mentioned my thoughts on the 3750-metro series switches. At first, I wasn’t all that impressed with the metro-series. I mean, it seems to be more for the service provider than for the customer. But, if Cisco recommends it for a customer, I should listen, right?

Well, Cisco sales reps are more interested in selling products, than in giving the best answers, and this is a perfect example. So, make sure to listen up, and pay attention.

In building our metro network, we have a fiber line, provided by AT&T. On the customer side, AT&T installed a Cisco switch to terminate the fiber and hand off copper. I then take the copper into my network. But, after connecting my 3750-metro interface (the ES port, for “Enhanced Services”), I never saw a link. Hmmm… did AT&T enable their interface? I asked…. yep. Do I need a cross-over, or did they build the cross-over into their patch panel? Nope. Straight-through. So, I must provide the cross-over
(And for those that will ask… no I do not trust the auto-sensing MDIX).

Still no luck.

Then, I asked AT&T the interface characteristics: (100Mbit – Full Duplex). Hmmmm…. shouldn’t be a problem. I’ll set my interface to that. What?? I can’t. It only accepts 1000? Let’s look at the docs:

[Image: caution-3750-warning]

Now, I consider myself a respectful and considerate human being (at times). However, I must say, when I realized that, I was glad I was in an isolated room with no one around. Because I yelled and cussed as I used to when I was a sailor in the Navy. At this point, I realized I have spent between $6k to $8k more than I needed to (I bought 2 metro switches, one for each side of the link), and I just wasted 3 to 4 hours of troubleshooting. I should have gone with my initial feelings about the 3750-metro.

So, what is the difference between the 3750 and the 3750-metro? From Cisco’s website:

Q. What is the difference between the Cisco Catalyst 3750 Metro Series and the Cisco Catalyst 3750 Series?

A. The Cisco Catalyst 3750 Metro Series is built for Metro Ethernet access in a customer location, enabling the delivery of more differentiated Metro Ethernet services. These switches feature bidirectional hierarchical QoS and Traffic Shaping, intelligent 802.1Q tunneling with class-of-service (CoS)
mutation, VLAN translation, MPLS, EoMPLS, and Hierarchical Virtual Private LAN Service (H-VPLS) support, and redundant AC or DC power. They are ideal for service providers seeking to deliver profitable business services, such as Layer 2, Layer 3, and MPLS VPNs, in a variety of bandwidths and with different SLAs. With flexible software options, the Cisco Catalyst 3750 Metro Series offers a cost-effective path for meeting current and future service requirements from service providers.

And what is this “ES Port” thing. What does it do for me?

Q. What are the Enhanced Services (ES) ports?

A. The Cisco Catalyst 3750 Metro Series includes two SFP-based ES ports. The ES ports support Metro Ethernet features that are vital for delivering profitable business services, such as Layers 2 and 3 and MPLS VPNs, in several bandwidths and with different SLAs. Supported features on the ES ports
include EoMPLS, MPLS, MPLS VPNs, bidirectional hierarchical QoS, intelligent 802.1Q tunneling (Q-in-Q) with CoS mutation, and VLAN ID translation.

So, to summarize, pretty much every enhancement the metro line offers is in the ES ports. Other than the redundant power supplies, this is a wash. The regular Cisco 3750 still has a powerful QoS engine, and the same IOS commands. Now, I’m sure there is more in the metro software image than the standard 3750, but without the ES ports, what’s the point??? The provider will provide the Q-in-Q tunneling, the hierarchical QoS, etc. What good does it do??

I’m still a little bitter, but by the time you post your comments, maybe I’ll feel better, and listen more. So feel free to let me know what you think. Right now, I’m disappointed, and frankly, quite pi$$ed, because I feel like I was taken advantage of.

My only advice is…. if you get the Cisco 3750-metro, please make sure the provider will hand off a 1000 Mbit (Gigabit) connection. Otherwise, you are sitting on an expensive 3750.

The only thing I can think of, is to place a media-converter in the middle, so I can use the 100Mbit ES interface. But, that just adds another point-of-failure, and this metro network was supposed to alleviate the failures… not add to them…..

((Sigh))

Cleveland – MAN (Datacenter relocation)

Well, I’m off to Cleveland this week. I’ll be bringing up our first MAN to a new co-located datacenter at Expedient.  We currently have one cabinet there, but are looking to get a second cabinet in a few more months, depending on how well it works out.

The only thing I do not like about the 3750-metro switches is that they don’t have a netflow export option.  Personally, I think they should.  Being a multi-layer switch, and intended to be on each side of a MAN, the netflow export would be perfect to analyze the traffic across the MAN link.

What do you all think?  Agree to disagree?

For me, it will be a learning experience.  This will be my first time using the Cisco 3750-metro series switches (I’ve used the 3750s before, but the metros allow more fine-grained control on QoS and packet shaping, though I lose the Gb interfaces).

I’ll need those QoS and packet-shaping skills, since we only have a 20M fiber link between the two locations, and we’ll be sending voice and video through it, on top of regular data traffic.

To be honest, I’m not that confident in my QoS knowledge.  Yes, I know the fundamentals (at least I think I do…. uh oh), but I’m always nervous I’ll forget one tiny little thing, which will cause disastrous results.  Ah well…. I feel that way every time I touch a keyboard key.

Wish me luck!


Powered by ScribeFire.

Cisco IOS – Order of Operations

So, for the first time, I had to NAT an IPSec tunnel for a vendor, due to overlapping networks.  I know the fundamentals, but have never actually done it.

First, define the vpn traffic…. check

Next, define the  nat traffic…. check

Map the traffic to the cryptomap….check

Create the access-list to filter the VPN Traffic…..no check…. ummm…. okay.. so here is where I needed some help.  Does the ACL get hit first, and THEN NAT?  If so, I’ll need to use the NAT address in the ACL.  But, what if NAT gets hit first?  Then I’ll have to use my private address in the ACL.

What to do?  Well, visit the irc chat room #cisco, that’s what.  They sent me to an incredible post which details the operations of both ingress and egress in a Cisco IOS system.

Very handy!  ….. <Aaron is printing>….
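As an added illustration (not from the original post, and not the IRC post referred to above), here is the IOS fragment that follows from the documented inside-to-outside order of operations: NAT is applied before the crypto map is consulted, so the crypto ACL has to match the translated addresses, not the real inside ones. All names, interfaces and addresses (local 10.1.1.0/24 presented as 192.168.100.0/24, vendor 172.20.0.0/24, peer 203.0.113.10) are assumed placeholder values, and the pre-shared key is a placeholder.

```cisco
! Added example, not the original post's configuration. All names and addresses are assumed.
! Local LAN 10.1.1.0/24 overlaps with the vendor's network, so it is presented to the vendor
! as 192.168.100.0/24 (host part preserved). The vendor's hosts are reached as 172.20.0.0/24.
!
! 1. Define the VPN traffic. On inside->outside, IOS runs NAT before the crypto check,
!    so this ACL must match the TRANSLATED source, not the real 10.1.1.0/24 addresses.
ip access-list extended VPN-TO-VENDOR
 permit ip 192.168.100.0 0.0.0.255 172.20.0.0 0.0.0.255
!
! 2. Define the NAT traffic: only packets headed for the vendor are translated, one-to-one,
!    keeping the host portion so 10.1.1.7 always appears as 192.168.100.7.
ip access-list extended NAT-TO-VENDOR
 permit ip 10.1.1.0 0.0.0.255 172.20.0.0 0.0.0.255
ip nat pool VENDOR-POOL 192.168.100.1 192.168.100.254 netmask 255.255.255.0 type match-host
ip nat inside source list NAT-TO-VENDOR pool VENDOR-POOL
!
! Keep the vendor traffic out of the general Internet PAT rule; otherwise it is overloaded
! onto the outside address and never matches VPN-TO-VENDOR.
ip access-list extended NAT-INTERNET
 deny   ip 10.1.1.0 0.0.0.255 172.20.0.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
ip nat inside source list NAT-INTERNET interface GigabitEthernet0/1 overload
!
! 3. Map the traffic to the crypto map (ISAKMP policy and transform set shown minimally).
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key PRESHARED-KEY-PLACEHOLDER address 203.0.113.10
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto map VENDOR 10 ipsec-isakmp
 description NATed tunnel to vendor (overlapping 10.1.1.0/24)
 set peer 203.0.113.10
 set transform-set ESP-AES-SHA
 match address VPN-TO-VENDOR
!
interface GigabitEthernet0/0
 description Inside
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description Outside
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 crypto map VENDOR
!
! Checks: 'show ip nat translations' should list 10.1.1.x -> 192.168.100.x entries for
! vendor-bound flows, and 'show crypto ipsec sa' should count encrypted packets for the
! 192.168.100.0/24 <-> 172.20.0.0/24 pair. If the crypto ACL were written with 10.1.1.0/24,
! the translated packets would never match it and would leave the outside interface in the clear.
```

Two caveats go with this: the dynamic pool only creates translations for sessions that the inside hosts initiate, so if the vendor must also open connections into 192.168.100.x, replace the pool with static one-to-one entries; and the deny in NAT-INTERNET matters as much as the crypto ACL, because a PAT rule that catches the vendor traffic first silently sends it unencrypted.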

Rightfax and Cisco integration using PRI

RightFax is a Captaris product that centralizes desktop faxing and electronic document delivery. I purchased RightFax to help my company integrate fax solutions, and to save on the maintenance and labor costs associated with manual faxing.

I purchased RightFax with a digital PRI Brooktrout board (specifically a TR1034+E4H+T1+1N). Now, this board also supports T.38. So, why did I choose to use the digital PRI? Well, up till now, I haven’t had a lot of luck using the T.38 protocol (probably due to my ignorance), and my users are starting to get very frustrated. So, for the time being, I chose to use PRI.

It took some soft massaging on both the Brooktrout, as well as on the Serial interface on my Cisco 3845, but I have it working. I will start with an overview of my design, before the implementation.

Here is the corresponding configuration on my Cisco 3845:
controller T1 0/0/0
  framing esf
  clock source internal
  linecode b8zs
  pri-group timeslots 1-4,24
  description RIGHTFAX
!
! Config Snipped
!
interface Serial0/0/0:23
  no ip address
  encapsulation hdlc
  isdn switch-type primary-dms100
  isdn protocol-emulate network
  isdn incoming-voice voice
  no cdp enable
!
! Config snipped
!
dial-peer voice 6799 pots
  destination-pattern 6799
  no digit-strip
  port 0/0/0:23

Okay, so here are some specifics:

CONTROLLER T1 0/0/0

  • clock source internal – I am receiving my clock source from one of my T1’s from the Telco side.  This command passes the clock source internally on the backplane, for this controller
  • pri-group timeslots 1-4,24 – I only have 4 channels licensed on the PRI card for RightFax.  Thus, I only want to allocate those channels.  Channel 24 is required for the D-channel.

INTERFACE SERIAL 0/0/0:23

  • isdn switch-type primary-dms100 – This will change based on your configuration.  I am only using it, since I’m using it on my other PRI’s from the telco.  Whatever you choose, you must make sure it’s matched on the Brooktrout card.
  • isdn protocol-emulate network – THIS IS INCREDIBLY IMPORTANT!!  Rightfax expects to be talking to the telco, not another device.

DIAL-PEER VOICE 6799 POTS

  • destination-pattern 6799 – This will change based on your dialplan.  I chose to use a specific number for testing.  Generally, you will create a pattern for your fax numbers.
  • no digit-strip – If you will be using DID numbers (you probably are), then you’ll need to send the number along to RightFax.  In order to do that, we need to send the digits on, so RightFax can use them to sort out the correct Fax mailbox.
  • port 0/0/0:23 – This just directs the call to the Serial interface for Rightfax.

That’s really it.  I kept the default configuration on the Brooktrout card, except for the ISDN config (Protocol Options under the Port A tab).  For the ISDN config, I just chose what I’ve configured here (i.e. B8ZS, DMS-100 switch, etc).  Oh, and you need to modify the max. DID digits.  By default, it is set to ‘0’, so I assumed that meant no limit.  No, that means 0 digits.  Change it. 🙂

Good LUCK!!!

It’s the Network. No it’s NOT!

Hasn’t everyone received this reason for practically every problem that exists in business? My computer won’t open Outlook…. It’s the Network! My system is running slow… It’s the Network! My chair won’t swivel… It’s the Network! It’s getting ridiculous.

Quite a frustrating incident today. One of our database servers was running incredibly slow. A user calls me up informing me about it. Upon looking at the server, their process was pegging the CPU at 100%.

I merely told them there wasn’t much I could do. The server is giving them everything it’s got (quoting Scotty, with a Scottish accent). I was then told, “Well, we do this every month, and it’s never done this before”. I merely said (paraphrasing, of course), “I don’t know what to tell you. Maybe you have more calculations, data, etc etc”.

I then realized, that this user was attempting to train me in the ways of Net-Fu, and why it is the Wireless network that was causing the slow down. I must have been trained well in the Net-Fu skills, as that was a VERY enlightening experience for me. What level of ascension allows CPU cycles to be affected by Wireless RF signals? I need more training………..


Cisco Policy Based Routing (PBR)

Okay, you may have noticed I have implemented a video conferencing system across the enterprise WAN. I had to do some network re-working, however, as the Watchguard Firebox does not play nicely with H.323 for internet-based traffic. However, I had a Pix Firewall that I had been meaning to implement.

Unfortunately, I cannot just remove the Firebox. It is doing web-blocking, SMTP proxying, and countless rules that would take time to rebuild on the Pix. I only wanted the Pix to firewall my H.323 gateway. So, I had to make sure both can play nice together.

Enter Policy-based Routing…..

Basically, I wanted my H.323 Gateway (say 172.16.1.25) to go through my Pix, but still allowing EVERYTHING ELSE (172.16.1.0/24) to go through the Watchguard Firewall. For now, anyway….. Here is a basic diagram:

[Diagram image]

From here, you can see the flow. Since my default router (172.16.1.1) is in the middle, it will be the “Traffic Cop”. It is here, that we will place a policy on how it will route the packets.

First, we need to identify the packets. We do this by creating an access-list:

default_router(config)# access-list 10 permit 172.16.1.25

Next, we build a routing map that uses the access-list. We will also throw in some precedence, for soft-QoS identification:

default_router(config)# route-map VideoConf permit 10
default_router(config-route-map)# match ip address 10
default_router(config-route-map)# set ip precedence priority
default_router(config-route-map)# set ip next-hop 172.16.1.3

Okay, in our routing map, we are doing three things:

1) We see if it matches our access-list numbered 10.

2) If it does, set the precedence bits to ‘priority’ (this is video, after all).

3) Route the packet to host 172.16.1.3 (that’s the PIX).

Once our map is complete, all we have to do is apply it to an interface. In our case, the packet is being received on the inside interface (FastEthernet 0/0).

default_router(config)# interface f0/0
default_router(config-if)# ip policy route-map VideoConf

Done! NOTE, you can only have one policy applied to an interface. This is where the ‘permit 10’ comes in, on the route-map definition. You can build multiple “groups” in a route map, each with its own sequence number. For example, a ‘route-map VideoConf permit 20’ entry adds a second group to the same map.

Now, all packets NOT matching the access-list will still fall-back to the default route going to 172.16.1.2. If the traffic matches access-list 10 (i.e. host 172.16.1.25), it will be applied to the route-map VideoConf, which says to route it to 172.16.1.3.

All you have to do, is make sure 172.16.1.3 can handle the traffic (for example, the proper NAT, access-lists, etc).

Good Luck! Next, I’ll post the PIX rules needed for Polycom to receive inbound calls, and make outbound calls.
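One thing the policy above does not do is notice when the PIX is down: a plain ‘set ip next-hop’ keeps steering 172.16.1.25 at 172.16.1.3 even if nothing answers there, so the video gateway is black-holed rather than falling back to the Firebox. As an added example (not from the original post), here is the same VideoConf map with next-hop tracking and the show commands used to confirm the policy is applied; the IP SLA and track numbers and the probe timing are assumed values.

```cisco
! Added example, not the original post's configuration. Builds on the VideoConf policy
! above; the IP SLA/track numbers (10) and the probe frequency are assumed values.
!
! Probe the PIX inside address from the inside interface every 5 seconds.
ip sla 10
 icmp-echo 172.16.1.3 source-interface FastEthernet0/0
 frequency 5
ip sla schedule 10 life forever start-time now
!
! Turn the probe into a tracked object the route-map can consult.
track 10 ip sla 10 reachability
!
! Same policy as before, but the next hop is only used while track 10 is up.
! Standard ACL 10 (permit 172.16.1.25) is the one already defined on the router.
route-map VideoConf permit 10
 match ip address 10
 set ip precedence priority
 set ip next-hop verify-availability 172.16.1.3 10 track 10
!
interface FastEthernet0/0
 ip policy route-map VideoConf
!
! While track 10 is down, packets from 172.16.1.25 are not policy-routed and follow
! the normal routing table (the default route via 172.16.1.2) instead of being dropped.
!
! Checks:
!   show ip policy              - confirms VideoConf is bound to FastEthernet0/0
!   show route-map VideoConf    - shows the match/set clauses and the policy-routed packet count
!   show track 10               - shows whether 172.16.1.3 is currently reachable
!   show ip sla statistics 10   - probe success/failure history
!   debug ip policy             - per-packet decisions; use briefly, it is chatty on a busy router
```

The PIX inside interface has to answer ICMP from the router for the probe to work; if it is configured to drop pings, the track stays down and the policy never engages, so verify the track state before trusting the failover.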

