tag:blogger.com,1999:blog-16287437627484490412024-03-17T08:04:58.104+00:00
The Systems Engineer organized chaos
Notes about various (technical) topics and encountered or solved puzzles from engineering, devops or networking disciplines.
Anonymoushttp://www.blogger.com/profile/07819763839528988809noreply@blogger.comBlogger375125
tag:blogger.com,1999:blog-1628743762748449041.post-18275706361383717442015-01-04T16:15:00.003+00:002015-01-19T08:11:10.466+00:00
mysql cheat sheet
<span style="font-size: large;">How to grant access to any user from one network only in MySQL</span><br />
<br />
<pre class="brush:text;">
$ mysql -p
(root@localhost@localhost) 03:49:13 [mysql]> grant all on *.* to ''@'192.168.10.%';
$ service mysql reload
</pre>
<br />
<br />
Please note the empty user name in the syntax above: it creates an <b>anonymous</b> account, which MySQL uses for any user name connecting from that network that has no more specific row of its own. Combined with ALL on *.* that is full server access for anybody on 192.168.10.0/24, so treat it as a lab shortcut; for anything else create a named account with a password and limit the grant to the schema it needs.<br />
For these changes to be effective I needed to reload MySQL.
<br />
<br />
<br />
Surprisingly, these two commands don't do what you might expect. The <b>User</b> column has no wildcard semantics, so '%' or '*' there is a literal user name that only a client calling itself '%' or '*' could ever match. Only the Host column is a pattern; 'any user' is spelled as the empty user name.
<br />
<pre class="brush:text;">
(root@localhost@localhost) 03:49:13 [mysql]> grant all on *.* to '%'@'192.168.10.%';
(root@localhost@localhost) 03:49:13 [mysql]> grant all on *.* to '*'@'192.168.10.%';
</pre>
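To make the matching rules concrete, here is an added example (not from the post) that simulates how MySQL chooses the user-table row for a connecting client: rows are sorted most-specific Host first, then named users before the blank user, and the first row whose Host pattern matches and whose User is either the client's name or blank wins. The rows are the ones from the <b>select * from user</b> output below plus two hypothetical rows, 'root'@'%' and '%'@'192.168.10.%', added to show the two gotchas: a client calling itself root from 192.168.10.x lands on the anonymous account rather than on 'root'@'%', and the '%' user row only matches a client literally named '%'. The sort key is a simplification of the server's, but it reproduces the documented ordering for these rows.

```python
"""Simulate MySQL's user-table matching for a connecting client.

Added example, not part of the post.  Rows marked 'from the post' are the
ones in the `select * from user` output; the two marked 'hypothetical' are
added to show the gotchas.  The specificity key is a simplification of the
server's sort, but it yields the documented ordering for these rows.
"""
import re

# (Host, User) rows as they would sit in mysql.user.
USER_TABLE = [
    ("localhost", "root"),              # from the post
    ("OL63x64.example.com", "root"),    # from the post
    ("127.0.0.1", "root"),              # from the post
    ("::1", "root"),                    # from the post
    ("192.168.10.%", ""),               # from the post: anonymous user for the /24
    ("192.168.10.%", "%"),              # hypothetical: a user literally named '%'
    ("%", "root"),                      # hypothetical: root allowed from anywhere
]


def host_matches(pattern, client_host):
    """Host values are SQL LIKE patterns: '%' is any run of characters, '_' one.
    Host names are compared case-insensitively."""
    parts = []
    for ch in pattern.lower():
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.fullmatch("".join(parts), client_host.lower()) is not None


def specificity(row):
    """Sort key: literal hosts first, then patterns whose first wildcard comes
    later; within the same host, named users before the blank (anonymous) one."""
    host, user = row
    wild = [i for i, ch in enumerate(host) if ch in "%_"]
    if wild:
        host_key = (1, -wild[0])
    else:
        host_key = (0, -len(host))
    return host_key + (1 if user == "" else 0,)


def match_account(user_table, client_user, client_host):
    """Return the (Host, User) row MySQL would authenticate the client against,
    or None if no row matches (access denied before any password is checked)."""
    for host, user in sorted(user_table, key=specificity):
        if host_matches(host, client_host) and user in ("", client_user):
            return (host, user)
    return None


if __name__ == "__main__":
    for client in [("root", "localhost"), ("root", "192.168.10.5"),
                   ("alice", "192.168.10.5"), ("%", "192.168.10.5"),
                   ("root", "10.0.0.7"), ("alice", "10.0.0.7")]:
        print("%-6s from %-14s -> %s" % (client[0], client[1],
                                         match_account(USER_TABLE, *client)))
```

The run shows the consequence of the post's grant: both root and alice connecting from 192.168.10.5 are authenticated against the anonymous row and its password, root from anywhere else falls through to the hypothetical 'root'@'%', and alice from outside the subnet is denied.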
<br />
This is how you can check the current grants. Note that changes made with GRANT (or CREATE USER, REVOKE and the other account-management statements) take effect immediately; FLUSH PRIVILEGES, or a server reload, is only needed after editing the grant tables directly with INSERT, UPDATE or DELETE.
<br />
<pre class="brush:text;">
(root@localhost@localhost) 03:51:30 [mysql]> select * from user;
+---------------------+------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+----------
| Host | User | Password | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | Reference
+---------------------+------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+----------
| localhost | root | *2447D497B9A6A15F2776055CB2D1E9F86758182F | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y
| OL63x64.example.com | root | *DCAB8B850144B862687D44957E317DE424E12923 | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y
| 127.0.0.1 | root | *DCAB8B850144B862687D44957E317DE424E12923 | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y
| ::1 | root | *DCAB8B850144B862687D44957E317DE424E12923 | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y
| 192.168.10.% | | *2447D497B9A6A15F2776055CB2D1E9F86758182F | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | N | Y
+---------------------+------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+----------
5 rows in set (0.00 sec)
or
[root@OL63x64 log]# pt-show-grants --password=rrr
-- Grants dumped by pt-show-grants
-- Dumped from server Localhost via UNIX socket, MySQL 5.6.12-enterprise-commercial-advanced at 2015-01-04 15:55:27
-- Grants for ''@'192.168.10.%'
GRANT ALL PRIVILEGES ON *.* TO ''@'192.168.10.%' IDENTIFIED BY PASSWORD '*2447D497B9A6A15F2776055CB2D1E9F86758182F';
-- Grants for 'root'@'127.0.0.1'
GRANT ALL PRIVILEGES ON *.* TO 'root'@'127.0.0.1' IDENTIFIED BY PASSWORD '*DCAB8B850144B862687D44957E317DE424E12923' WITH GRANT OPTION;
-- Grants for 'root'@'::1'
GRANT ALL PRIVILEGES ON *.* TO 'root'@'::1' IDENTIFIED BY PASSWORD '*DCAB8B850144B862687D44957E317DE424E12923' WITH GRANT OPTION;
-- Grants for 'root'@'OL63x64.example.com'
GRANT ALL PRIVILEGES ON *.* TO 'root'@'ol63x64.example.com' IDENTIFIED BY PASSWORD '*DCAB8B850144B862687D44957E317DE424E12923' WITH GRANT OPTION;
-- Grants for 'root'@'localhost'
GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY PASSWORD '*2447D497B9A6A15F2776055CB2D1E9F86758182F' WITH GRANT OPTION;
GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION;
</pre>
Note that calling pt-show-grants with --password on the command line exposes the password to every local user through ps and leaves it in the shell history; use --ask-pass, or put the credentials in a [client] section of a file passed with --defaults-file, instead.<br />
<br />
<span style="font-size: large;">References</span><br />
<a href="http://dev.mysql.com/doc/refman/5.6/en/default-privileges.html">http://dev.mysql.com/doc/refman/5.6/en/default-privileges.html</a><br />
<br />
<span style="font-size: large;">Show mysqld server and mysql client options</span><br />
<br />
Server options, showing the compiled-in defaults plus whatever option files it reads:<br />
<pre class="brush:text;">
mysqld --verbose --help
</pre>
Server options ignoring the settings in any option files:<br />
<pre class="brush:text;">
mysqld --no-defaults --verbose --help
</pre>
Options of the running server:<br />
<pre class="brush:text;">
mysqladmin variables
</pre>
Options parsed from the option file(s):<br />
<pre class="brush:text;">
mysqld --print-defaults
mysqld would have been started with the following arguments:
--datadir=/var/lib/mysql --socket=/var/lib/mysql/mysql.sock --user=mysql --symbolic-links=0
</pre>
Anonymoushttp://www.blogger.com/profile/07819763839528988809noreply@blogger.com0
tag:blogger.com,1999:blog-1628743762748449041.post-24661176504684183692014-09-01T17:04:00.002+01:002014-09-01T17:04:27.190+01:00
How to automatically rotate the root password on cloud server
<span style="font-size: large;">Description</span><br />
<br />
I need to create a public cloud server and use it as a bastion in a secure way.<br />
I hate the Java/JavaScript console that you have to use when something doesn't work with your cloud.<br />
I want to keep the root user enabled. As leaving password authentication enabled for root is a security risk, we need to mitigate this.<br />
By default the login method is going to be RSA public key.<br />
<br />
The reason I want to keep the root user enabled is that you can easily reset its password using the <a href="https://mycloud.rackspace.com/">https://mycloud.rackspace.com/ </a>portal. Otherwise the root user should be practically unavailable.<br />
<br />
We could leave it enabled, but there is always a risk that somebody with enough time may want to try to hack us.<br />
<br />
<span style="font-size: large;">Problem </span><br />
<br />
How to set up root password rotation using cron in Linux.<br />
<br />
<span style="font-size: large;">Solution</span><br />
<pre class="brush:text;">
# crontab -l
# for debugging
# */10 * * * * echo root:$(/usr/bin/makepasswd --chars 15) | /usr/bin/tee /tmp/test.txt | /usr/sbin/chpasswd
*/10 * * * * echo root:$(/usr/bin/makepasswd --chars 15) | /usr/sbin/chpasswd
</pre>
<br />
This mitigates online password guessing against root while still letting us reset the root password over the portal and log in over a regular SSH session. Two caveats before relying on it: the one-liner fails open, because if makepasswd is missing or exits without output the command substitution expands to nothing and chpasswd is handed the line root: with an empty password, which it may well accept, so check that the generated string is non-empty before piping it into chpasswd; and cron runs with a minimal PATH, which is why every binary above is given as an absolute path, so keep it that way.<br />
<br />
We don't care what the new root password is, if I need it I'll reset it on the myrack portal.<br />
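As an added example, not the post's own cron line, here is the same rotation written as a small script that fails closed: the password comes from the OS CSPRNG, an empty or malformed value is an error rather than a silent empty password, and the secret reaches chpasswd over stdin so it never shows up in ps. It assumes a Linux host with shadow-utils' chpasswd at /usr/sbin/chpasswd and Python 3.6 or newer; the crontab line in the docstring is an illustration of how it would replace the one-liner.

```python
"""Rotate a local account's password to a random value.

Added example, not the post's cron line.  Assumptions: Linux with shadow-utils'
chpasswd at /usr/sbin/chpasswd and Python 3.6+ (for the secrets module).
Run from root's crontab in place of the one-liner, for example:
    */10 * * * * /usr/local/sbin/rotate_root_pw.py root
"""
import secrets
import string
import subprocess
import sys

ALPHABET = string.ascii_letters + string.digits   # 62 symbols, ~5.95 bits each
MIN_LENGTH = 15                                   # same length as makepasswd --chars 15


def generate_password(length=MIN_LENGTH):
    """Random password drawn from the OS CSPRNG; refuse lengths below the minimum."""
    if length < MIN_LENGTH:
        raise ValueError("password length %d below minimum %d" % (length, MIN_LENGTH))
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def chpasswd_line(user, password):
    """Build the `user:password` line chpasswd reads from stdin.

    This is the check the shell one-liner lacks: when the generator fails and
    yields nothing, the one-liner feeds chpasswd `root:` and the account ends
    up with an empty password.  Here an empty or malformed value raises, so
    the rotation fails closed and the previous password stays in place.
    """
    if not user or not password:
        raise ValueError("refusing to set an empty password for %r" % user)
    if any(ch in "\r\n:" for ch in user + password):
        raise ValueError("user or password contains a separator character")
    return "%s:%s\n" % (user, password)


def rotate(user="root", chpasswd="/usr/sbin/chpasswd"):
    """Set a fresh random password.  The secret travels over stdin, never argv,
    so it is not visible to other users through `ps`."""
    line = chpasswd_line(user, generate_password())
    subprocess.run([chpasswd], input=line.encode(), check=True)
    import syslog  # Unix only; log that a rotation happened, never the value
    syslog.syslog(syslog.LOG_AUTH | syslog.LOG_NOTICE, "rotated password for %s" % user)


if __name__ == "__main__":
    rotate(sys.argv[1] if len(sys.argv) > 1 else "root")
```

Because check=True is set, a non-zero exit from chpasswd (PAM rejecting the value, a locked account) turns into an exception and a non-zero exit status that cron will report, instead of being swallowed like the pipeline's exit code is.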
<br />
Anonymoushttp://www.blogger.com/profile/07819763839528988809noreply@blogger.com3
tag:blogger.com,1999:blog-1628743762748449041.post-73985749506024190922014-05-27T18:47:00.002+01:002014-05-27T18:50:11.866+01:00
How to use F5 Wireshark Plugin for LTM troubleshooting
In this post we are going to look at how to use the F5 Wireshark plugin to troubleshoot networking issues on BIG-IP LTM.<br />
<ul>
<li>Download and install the plugin in your Wireshark</li>
</ul>
<div>
The full instructions are here: <a href="https://devcentral.f5.com/wiki/advdesignconfig.F5WiresharkPlugin.ashx">F5 Wireshark Plugin</a>. In essence you need to copy the f5ethtrailer.dll file into C:\Program Files (x86)\wireshark\wireshark16\WiresharkPortable\ and restart Wireshark.<br />
<br />
Once you restart wireshark go to menu Help - About Wireshark, Plugins tab. You should be able to see the plugin listed there if properly installed.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixYekptsx6oxxGTjydOL7rE_YeQDN_1PYL1mim7ziULWPS7c6WFabWnHqfMqHHcbm2OkQFTQbZPokK3JDJbgOAf8QhqkbEanv06PDuLdDB0CNg84LbNNu3a8vrDo6t7-9tgqkps2ucpI0/s1600/plugin-verification.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixYekptsx6oxxGTjydOL7rE_YeQDN_1PYL1mim7ziULWPS7c6WFabWnHqfMqHHcbm2OkQFTQbZPokK3JDJbgOAf8QhqkbEanv06PDuLdDB0CNg84LbNNu3a8vrDo6t7-9tgqkps2ucpI0/s1600/plugin-verification.png" /></a></div>
<div>
<br /></div>
<div>
<ul>
<li>The plugin is useful only if you take a capture on LTM with 'noise' information.</li>
</ul>
<div>
The noise is internal information that TMM attaches to and maintains for every packet as it is processed. To get a capture with noise these are the minimal options you need to specify:<br />
<b><br /></b>
<b>tcpdump -w /var/tmp/capture.pcap -s0 -i _interface_:nnn</b><br />
<br />
where the _interface_ can be:</div>
</div>
<ul><ul>
<li>1.1 - an example of a physical interface</li>
<li>dmz_vlan - the name you gave to your VLAN when you created it</li>
<li>0.0 - the equivalent of the 'any' interface, meaning capture on all interfaces and all VLANs</li>
</ul>
</ul>
<div>
My favourite syntax is usually something like this:<br />
<br />
<b>tcpdump -s0 -nn -w /var/tmp/test1-$(date +%s).pcap -i 0.0:nnn '(host _ip_ and port _port_ ) or arp or not ip' </b><br />
<br />
Because -s0 keeps full payloads, the resulting pcap contains whatever cleartext the virtual server carries (credentials, session cookies) as well as the internal TMM metadata, so treat the file as sensitive and delete it from /var/tmp once you have copied it off the box.</div>
<ul>
<li>Open the capture in wireshark as normal</li>
</ul>
<div>
Once you open it you will notice an additional section in the packet details.<br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQ7F3syr06T8OXnJGHvkm0HCyRc_uQEYrSjr7tQpZUuVvmn1XgnSn4KHBAwLcVnZ2seMZtfhsoOM34pRurKpcrwA413aFp3cTNlgFiRVFIOOy8ZeOrTTrdg0TGSmAptWldFMZNKdyGw6U/s1600/details.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQ7F3syr06T8OXnJGHvkm0HCyRc_uQEYrSjr7tQpZUuVvmn1XgnSn4KHBAwLcVnZ2seMZtfhsoOM34pRurKpcrwA413aFp3cTNlgFiRVFIOOy8ZeOrTTrdg0TGSmAptWldFMZNKdyGw6U/s1600/details.png" height="90" width="400" /></a></div>
<div>
<ul>
<li>The most useful part of this plugin is that you can quickly and easily find the client-side and server-side traffic in the capture (this can be challenging when you have multiple TCP streams and a OneConnect profile):</li>
<ul>
<li>Find a single packet of the flow you are interested in (search for the VIP or the client IP, for example).</li>
<li>Find the <b>"Flow ID"</b> in the F5 Ethernet trailer (see the picture above for an example).</li>
<li>Right-click the Flow ID field and select "Prepare as Filter".</li>
<li>The Filter box (on top) will be pre-populated with the syntax for you.</li>
<li>Copy the hex value, delete the <b>'.flowid == hex'</b> part and start typing '.' (dot).</li>
<li>It will immediately give you a list of possible options; select <b>anyflowid</b> and paste the hex value back as it was originally. Example:</li>
</ul>
</ul>
</div>
<div>
<span style="font-family: Courier New, Courier, monospace;">The original filter : <b>f5ethtrailer.flowid == 0x0d2e6dc0</b></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">Filter after modifications : <b>f5ethtrailer.anyflowid == 0x0d2e6dc0</b></span></div>
<ul><ul>
<li>Press Apply button</li>
</ul>
</ul>
<div>
This filter is going to find both the client-side and server-side flows for you. You can then analyse them packet by packet to find out how and why LTM load balanced the connection to one or another pool member.<br />
<br /></div>
<span style="font-size: large;">References </span><br />
<br />
<a href="https://devcentral.f5.com/wiki/advdesignconfig.F5WiresharkPlugin.ashx">https://devcentral.f5.com/wiki/advdesignconfig.F5WiresharkPlugin.ashx</a><br />
<a href="https://devcentral.f5.com/questions/tcpdump-with-multiple-pool-members">https://devcentral.f5.com/questions/tcpdump-with-multiple-pool-members</a><br />
<a href="http://support.f5.com/kb/en-us/solutions/public/13000/600/sol13637.html">SOL13637: Capturing internal TMM information with tcpdump</a><br />
<br />
Anonymoushttp://www.blogger.com/profile/07819763839528988809noreply@blogger.com1
tag:blogger.com,1999:blog-1628743762748449041.post-45131912852464911672014-05-21T01:56:00.002+01:002014-05-21T01:58:23.408+01:00
Simple MySQL and SQL exercises
<span style="font-size: large;">How to create a sample MySQL database and user</span><br />
<br />
You can download an example database SQL file from here: <a href="http://www.mysqltutorial.org/mysql-sample-database.aspx">http://www.mysqltutorial.org/mysql-sample-database.aspx</a>. After unzipping you should find the following file:<br />
<pre class="brush:text;">
rado2@ubuntu12-04:~$ ls -la mysqlsampledatabase.sql
-rw-rw-r-- 1 rado2 rado2 190711 May 23 2013 mysqlsampledatabase.sql
</pre>
<pre class="brush:text;">
rado2@ubuntu12-04:~$ more mysqlsampledatabase.sql
/*
http://www.mysqltutorial.org
*/
CREATE DATABASE /*!32312 IF NOT EXISTS*/`classicmodels` /*!40100 DEFAULT CHARACTER SET latin1 */;
USE `classicmodels`;
/*Table structure for table `customers` */
DROP TABLE IF EXISTS `customers`;
CREATE TABLE `customers` (
`customerNumber` int(11) NOT NULL,
`customerName` varchar(50) NOT NULL,
`contactLastName` varchar(50) NOT NULL,
`contactFirstName` varchar(50) NOT NULL,
....
</pre>
<br />
We don't want to use the root user to manipulate our database records. To create a separate user you can run these commands. Note that, as written, the account has no password and the same global privileges as root, so it is only acceptable on a throw-away lab box; anywhere else add IDENTIFIED BY and restrict the grant to the sample schema with ON classicmodels.*, which still covers the CREATE DATABASE and USE statements in the dump:<br />
<pre class="brush:text;">
$ mysql -u root -p
mysql> use information_schema;
mysql> CREATE USER 'rado2'@'localhost';
mysql> GRANT ALL PRIVILEGES ON *.* TO 'rado2'@'localhost';
mysql> select * from USER_PRIVILEGES ;
</pre>
<br />
To import and inspect the database we can use these commands:<br />
<pre class="brush:text;">
$ mysql -u rado2 < mysqlsampledatabase.sql
$ mysql -u rado2
mysql> show databases;
mysql> show tables;
+-------------------------+
| Tables_in_classicmodels |
+-------------------------+
| customers |
| employees |
| offices |
| orderdetails |
| orders |
| payments |
| productlines |
| products |
+-------------------------+
8 rows in set (0.00 sec)
mysql> select * from employees LIMIT 5;
+----------------+-----------+-----------+-----------+---------------------------------+------------+-----------+----------------------+
| employeeNumber | lastName | firstName | extension | email | officeCode | reportsTo | jobTitle |
+----------------+-----------+-----------+-----------+---------------------------------+------------+-----------+----------------------+
| 1002 | Murphy | Diane | x5800 | dmurphy@classicmodelcars.com | 1 | NULL | President |
| 1056 | Patterson | Mary | x4611 | mpatterso@classicmodelcars.com | 1 | 1002 | VP Sales |
| 1076 | Firrelli | Jeff | x9273 | jfirrelli@classicmodelcars.com | 1 | 1002 | VP Marketing |
| 1088 | Patterson | William | x4871 | wpatterson@classicmodelcars.com | 6 | 1056 | Sales Manager (APAC) |
| 1102 | Bondur | Gerard | x5408 | gbondur@classicmodelcars.com | 4 | 1056 | Sale Manager (EMEA) |
+----------------+-----------+-----------+-----------+---------------------------------+------------+-----------+----------------------+
mysql> select * from offices LIMIT 5;
+------------+---------------+-----------------+--------------------------+--------------+------------+---------+------------+-----------+
| officeCode | city | phone | addressLine1 | addressLine2 | state | country | postalCode | territory |
+------------+---------------+-----------------+--------------------------+--------------+------------+---------+------------+-----------+
| 1 | San Francisco | +1 650 219 4782 | 100 Market Street | Suite 300 | CA | USA | 94080 | NA |
| 2 | Boston | +1 215 837 0825 | 1550 Court Place | Suite 102 | MA | USA | 02107 | NA |
| 3 | NYC | +1 212 555 3000 | 523 East 53rd Street | apt. 5A | NY | USA | 10022 | NA |
| 4 | Paris | +33 14 723 4404 | 43 Rue Jouffroy D'abbans | NULL | NULL | France | 75017 | EMEA |
| 5 | Tokyo | +81 33 224 5000 | 4-1 Kioicho | NULL | Chiyoda-Ku | Japan | 102-8578 | Japan |
+------------+---------------+-----------------+--------------------------+--------------+------------+---------+------------+-----------+
mysql> show COLUMNS FROM employees;
+----------------+--------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+----------------+--------------+------+-----+---------+-------+
| employeeNumber | int(11) | NO | PRI | NULL | |
| lastName | varchar(50) | NO | | NULL | |
| firstName | varchar(50) | NO | | NULL | |
| extension | varchar(10) | NO | | NULL | |
| email | varchar(100) | NO | | NULL | |
| officeCode | varchar(10) | NO | MUL | NULL | |
| reportsTo | int(11) | YES | MUL | NULL | |
| jobTitle | varchar(50) | NO | | NULL | |
+----------------+--------------+------+-----+---------+-------+
mysql> show COLUMNS FROM offices ;
+--------------+-------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+--------------+-------------+------+-----+---------+-------+
| officeCode | varchar(10) | NO | PRI | NULL | |
| city | varchar(50) | NO | | NULL | |
| phone | varchar(50) | NO | | NULL | |
| addressLine1 | varchar(50) | NO | | NULL | |
| addressLine2 | varchar(50) | YES | | NULL | |
| state | varchar(50) | YES | | NULL | |
| country | varchar(50) | NO | | NULL | |
| postalCode | varchar(15) | NO | | NULL | |
| territory | varchar(10) | NO | | NULL | |
+--------------+-------------+------+-----+---------+-------+
9 rows in set (0.00 sec)
</pre>
<br />
<span style="font-size: large;">Exercise 1: select all employees from offices in USA only</span><br />
<pre class="brush:text;">
mysql> SELECT * FROM employees as e, offices as o where e.officeCode = o.officeCode and o.country='USA';
+----------------+-----------+-----------+-----------+---------------------------------+------------+-----------+--------------------+------------+---------------+-----------------+----------------------+--------------+-------+---------+------------+-----------+
| employeeNumber | lastName | firstName | extension | email | officeCode | reportsTo | jobTitle | officeCode | city | phone | addressLine1 | addressLine2 | state | country | postalCode | territory |
+----------------+-----------+-----------+-----------+---------------------------------+------------+-----------+--------------------+------------+---------------+-----------------+----------------------+--------------+-------+---------+------------+-----------+
| 1002 | Murphy | Diane | x5800 | dmurphy@classicmodelcars.com | 1 | NULL | President | 1 | San Francisco | +1 650 219 4782 | 100 Market Street | Suite 300 | CA | USA | 94080 | NA |
| 1056 | Patterson | Mary | x4611 | mpatterso@classicmodelcars.com | 1 | 1002 | VP Sales | 1 | San Francisco | +1 650 219 4782 | 100 Market Street | Suite 300 | CA | USA | 94080 | NA |
| 1076 | Firrelli | Jeff | x9273 | jfirrelli@classicmodelcars.com | 1 | 1002 | VP Marketing | 1 | San Francisco | +1 650 219 4782 | 100 Market Street | Suite 300 | CA | USA | 94080 | NA |
| 1143 | Bow | Anthony | x5428 | abow@classicmodelcars.com | 1 | 1056 | Sales Manager (NA) | 1 | San Francisco | +1 650 219 4782 | 100 Market Street | Suite 300 | CA | USA | 94080 | NA |
| 1165 | Jennings | Leslie | x3291 | ljennings@classicmodelcars.com | 1 | 1143 | Sales Rep | 1 | San Francisco | +1 650 219 4782 | 100 Market Street | Suite 300 | CA | USA | 94080 | NA |
| 1166 | Thompson | Leslie | x4065 | lthompson@classicmodelcars.com | 1 | 1143 | Sales Rep | 1 | San Francisco | +1 650 219 4782 | 100 Market Street | Suite 300 | CA | USA | 94080 | NA |
| 1188 | Firrelli | Julie | x2173 | jfirrelli@classicmodelcars.com | 2 | 1143 | Sales Rep | 2 | Boston | +1 215 837 0825 | 1550 Court Place | Suite 102 | MA | USA | 02107 | NA |
| 1216 | Patterson | Steve | x4334 | spatterson@classicmodelcars.com | 2 | 1143 | Sales Rep | 2 | Boston | +1 215 837 0825 | 1550 Court Place | Suite 102 | MA | USA | 02107 | NA |
| 1286 | Tseng | Foon Yue | x2248 | ftseng@classicmodelcars.com | 3 | 1143 | Sales Rep | 3 | NYC | +1 212 555 3000 | 523 East 53rd Street | apt. 5A | NY | USA | 10022 | NA |
| 1323 | Vanauf | George | x4102 | gvanauf@classicmodelcars.com | 3 | 1143 | Sales Rep | 3 | NYC | +1 212 555 3000 | 523 East 53rd Street | apt. 5A | NY | USA | 10022 | NA |
+----------------+-----------+-----------+-----------+---------------------------------+------------+-----------+--------------------+------------+---------------+-----------------+----------------------+--------------+-------+---------+------------+-----------+
10 rows in set (0.00 sec)
</pre>
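As an added example (not part of the post, and not run against the MySQL server above) here is the same exercise written with explicit JOIN syntax against an in-memory SQLite copy of the two tables, populated with the rows shown earlier and trimmed to the columns the query uses. It also shows why the country filter must be a bound parameter: the unsafe variant builds the same statement with string formatting, and a value such as USA' OR '1'='1 rewrites the WHERE clause and returns every employee, including the Paris one.

```python
"""Exercise 1 with an explicit JOIN and a bound parameter, against an
in-memory SQLite copy of the sample schema.

Added example, not from the post.  The rows below are constructed from the
`offices` and `employees` output shown above, trimmed to the columns the
query needs.
"""
import sqlite3

OFFICES = [                      # (officeCode, city, country)
    ("1", "San Francisco", "USA"),
    ("2", "Boston", "USA"),
    ("3", "NYC", "USA"),
    ("4", "Paris", "France"),
    ("5", "Tokyo", "Japan"),
]
EMPLOYEES = [                    # (employeeNumber, lastName, officeCode)
    (1002, "Murphy", "1"), (1056, "Patterson", "1"), (1076, "Firrelli", "1"),
    (1143, "Bow", "1"), (1165, "Jennings", "1"), (1166, "Thompson", "1"),
    (1188, "Firrelli", "2"), (1216, "Patterson", "2"),
    (1286, "Tseng", "3"), (1323, "Vanauf", "3"),
    (1102, "Bondur", "4"),       # Paris: must not appear in the USA result
]


def build_db():
    """Create and populate both tables in a fresh in-memory database."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE offices (
            officeCode TEXT PRIMARY KEY,
            city       TEXT NOT NULL,
            country    TEXT NOT NULL);
        CREATE TABLE employees (
            employeeNumber INTEGER PRIMARY KEY,
            lastName       TEXT NOT NULL,
            officeCode     TEXT NOT NULL REFERENCES offices(officeCode));
    """)
    con.executemany("INSERT INTO offices VALUES (?, ?, ?)", OFFICES)
    con.executemany("INSERT INTO employees VALUES (?, ?, ?)", EMPLOYEES)
    con.commit()
    return con


def employees_in_country(con, country):
    """The right way: '?' is a placeholder and the driver binds the value, so
    whatever `country` contains is compared as data, never parsed as SQL."""
    sql = """
        SELECT e.employeeNumber, e.lastName, o.city
        FROM employees AS e
        JOIN offices AS o ON o.officeCode = e.officeCode
        WHERE o.country = ?
        ORDER BY e.employeeNumber
    """
    return con.execute(sql, (country,)).fetchall()


def employees_in_country_unsafe(con, country):
    """The wrong way: the value is pasted into the statement text, so an input
    like  USA' OR '1'='1  becomes part of the WHERE clause."""
    sql = """
        SELECT e.employeeNumber, e.lastName, o.city
        FROM employees AS e
        JOIN offices AS o ON o.officeCode = e.officeCode
        WHERE o.country = '%s'
        ORDER BY e.employeeNumber
    """ % country
    return con.execute(sql).fetchall()


if __name__ == "__main__":
    db = build_db()
    for number, name, city in employees_in_country(db, "USA"):
        print(number, name, city)
    probe = "USA' OR '1'='1"
    print("safe  :", len(employees_in_country(db, probe)), "rows")
    print("unsafe:", len(employees_in_country_unsafe(db, probe)), "rows")
```

The explicit JOIN ... ON form expresses the same condition as the comma-join in the post, but keeps the join predicate separate from the filter, which is what makes the injected OR in the unsafe variant so obvious to spot.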
<br />
<span style="font-size: large;">References </span><br />
<br />
<a href="http://www.mysqltutorial.org/mysql-sample-database.aspx">http://www.mysqltutorial.org/mysql-sample-database.aspx</a><br />
<a href="http://en.wikipedia.org/wiki/Join_%28SQL%29">http://en.wikipedia.org/wiki/Join_%28SQL%29</a><br />
<a href="https://answers.yahoo.com/question/index?qid=20080520200936AAmD1Mt">https://answers.yahoo.com/question/index?qid=20080520200936AAmD1Mt</a><br />
<a href="http://www.cyberciti.biz/tips/mysql-auto-completion-for-database-table-names.html">http://www.cyberciti.biz/tips/mysql-auto-completion-for-database-table-names.html</a><br />
<br />
Anonymoushttp://www.blogger.com/profile/07819763839528988809noreply@blogger.com0
tag:blogger.com,1999:blog-1628743762748449041.post-88186336889027129892014-05-20T23:44:00.004+01:002014-05-20T23:58:24.153+01:00
What is the difference between XenServer vs Xen vs XCP vs XAPI
It wasn't clear to me at first what the differences are between XenServer, Xen and XCP. To make it even more confusing, the documentation in many places referred to XAPI and its importance in managing the hypervisors.<br />
<br />
To understand what XAPI is and how it can be used please take a look at this demo I wrote: <a href="http://rtomaszewski.blogspot.co.uk/2014/05/how-to-install-ipython-on-xenserver-and.html">How to install ipython on XenServer and test XAPI</a>. As we can see, XAPI is an elegant layer on top of the hypervisor itself that exposes more advanced API operations for controlling and managing the life cycle of the VMs and of the hypervisor.<br />
<br />
In a very simplistic way you can think of Xen as a 'hypervisor kernel'. The kernel itself may be difficult to use, so we need some management software bundled with it.<br />
<br />
It is similar to comparing the Linux kernel with a distribution. The kernel is hard to use on its own; we need more user-friendly tools, and this is where the GNU toolchain comes into play.<br />
<br />
Once we understand this it is easy to understand this FAQ: <a href="http://wiki.xen.org/wiki/Xen_Common_Problems#What.27s_the_difference_between_Xen_hypervisor_.28from_xen.org.29_and_Citrix_XenServer_or_XCP.3F">What's the difference between Xen hypervisor (from xen.org) and Citrix XenServer or XCP?</a><br />
<br />
If you understood what the last link is about, take a look at these for more advanced comparisons:<br />
<ul>
<li><a href="http://wiki.xen.org/wiki/Xen_/_XCP_/_XCP_on_Linux_Overview">http://wiki.xen.org/wiki/Xen_/_XCP_/_XCP_on_Linux_Overview</a></li>
<li><a href="http://wiki.xen.org/wiki/XCP/XenServer_Feature_Matrix">http://wiki.xen.org/wiki/XCP/XenServer_Feature_Matrix</a></li>
<li><a href="http://wiki.xen.org/wiki/Choice_of_Toolstacks">http://wiki.xen.org/wiki/Choice_of_Toolstacks</a></li>
</ul>
<div>
Here is an example showing the differences between the XenServer and Xen management cli:</div>
<div>
<ul>
<li>xe - <a href="http://docs.vmd.citrix.com/XenServer/6.2.0/1.0/en_gb/reference.html#id978473">http://docs.vmd.citrix.com/XenServer/6.2.0/1.0/en_gb/reference.html#id978473</a></li>
<li>xm - <a href="http://krypted.com/ubuntu/some-basic-xen-commands/">http://krypted.com/ubuntu/some-basic-xen-commands/</a></li>
</ul>
</div>
Anonymoushttp://www.blogger.com/profile/07819763839528988809noreply@blogger.com0
tag:blogger.com,1999:blog-1628743762748449041.post-72260914707243407192014-05-20T23:33:00.001+01:002014-05-20T23:34:50.888+01:00
How to install ipython on XenServer and test XAPI
We've used the more user-friendly shell for interacting with Python before: <a href="http://rtomaszewski.blogspot.co.uk/2013/04/how-to-paste-into-python-interpreter.html">ipython</a>. The example below first shows how to install and enable the EPEL repository so that ipython can be installed. Next we are going to write a simple XAPI demo program.<br />
<br />
<span style="font-size: large;">Install ipython</span><br />
<ul>
<li><b>Find the distro your XenServer is based on</b></li>
</ul>
<pre class="brush:text;">
cat /etc/issue.net
CentOS release 5.7 (Final)
Kernel \r on an \m
</pre>
<ul>
<li><b>Check the enabled repositories</b></li>
</ul>
<pre class="brush:text;">
yum repolist
</pre>
<ul>
<li><b>From EPEL install the release rpm that adds the new repository to yum</b></li>
</ul>
<div>
# http://fedoraproject.org/wiki/EPEL<br />
# http://www.mirrorservice.org/sites/dl.fedoraproject.org/pub/epel/5/i386/repoview/epel-release.html</div>
<pre class="brush:text;">
rpm --force -i http://www.mirrorservice.org/sites/dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
</pre>
Note that rpm will install a package fetched over plain HTTP even when it cannot verify its signature, so import the EPEL GPG key and run rpm --checksig on the downloaded file first; keep in mind as well that adding third-party packages to dom0 is generally unsupported on XenServer, so do this on a lab host.<br />
<ul>
<li><b>Update the repo info</b></li>
</ul>
<pre class="brush:text;">
yum list
yum list | grep ipython
</pre>
<ul>
<li><b>Install ipython</b></li>
</ul>
<pre class="brush:text;">
yum install ipython.noarch
</pre>
<ul>
<li><b>Start and verify that ipython is working fine</b></li>
</ul>
<pre class="brush:text;">
ipython

In [3]: import sys
In [4]: sys.version
Out[4]: '2.4.3 (#1, Sep 21 2011, 20:06:00) \n[GCC 4.1.2 20080704 (Red Hat 4.1.2-51)]'
</pre>
<span style="font-size: large;">Xapi example using ipython</span><br />
<br />
<script src="https://gist.github.com/rtomaszewski/31b0b70d063cd4c74fde.js"></script>
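The gist above is the post's own demo. As an added illustration that is not from the gist or from the XenServer SDK samples, here is a small script that logs in over XAPI, pulls every VM record in one round trip and filters out templates, snapshots and the control domain, which is the first thing most XAPI scripts have to do before touching "all VMs". The host URL, credentials and the record dictionaries in the test are assumptions; the XenAPI module is assumed to be importable (it ships in dom0 and with the SDK). The pure real_vms filter runs without a XenServer, and the code avoids Python 2.5+ syntax so it also runs on dom0's Python 2.4 shown above.

```python
"""List the real VMs on a XenServer host over XAPI.

Added example, not the post's gist.  Assumes the XenAPI Python module that
ships in dom0 and with the XenServer SDK, plus a host URL and credentials
you supply.  Kept free of Python 2.5+ syntax so it also runs on dom0's
Python 2.4 shown above (and on Python 3 from a workstation).
"""
import getpass
import sys


def real_vms(records):
    """Reduce VM.get_all_records() output to sorted (name_label, power_state).

    XAPI's VM class also holds templates, snapshots and the control domain
    (dom0); anything that starts, stops or exports "all VMs" must skip those.
    """
    out = []
    for rec in records.values():
        if rec.get("is_a_template") or rec.get("is_a_snapshot") \
                or rec.get("is_control_domain"):
            continue
        out.append((rec["name_label"], rec["power_state"]))
    out.sort()
    return out


def list_vms(url, user, password):
    """Log in, fetch every VM record in one round trip, always log out."""
    import XenAPI   # assumption: importable on this machine
    if url is None:
        session = XenAPI.xapi_local()      # inside dom0: local socket
    else:
        session = XenAPI.Session(url)      # remote: "https://xenserver.example"
    session.xenapi.login_with_password(user, password)
    try:
        return real_vms(session.xenapi.VM.get_all_records())
    finally:
        session.xenapi.session.logout()


if __name__ == "__main__":
    # usage: python list_vms.py https://xenserver.example root
    # (prompts for the password instead of taking it on the command line;
    #  with no arguments it talks to the local xapi from inside dom0)
    if len(sys.argv) == 3:
        vms = list_vms(sys.argv[1], sys.argv[2], getpass.getpass("XAPI password: "))
    else:
        vms = list_vms(None, "root", "")
    for name, state in vms:
        print("%-40s %s" % (name, state))
```

Fetching get_all_records once and filtering locally is also the cheaper pattern: a loop of VM.get_record per reference costs one XML-RPC round trip per VM.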
<span style="font-size: large;">References </span><br />
<br />
XAPI:<br />
<a href="http://blogs.citrix.com/2011/05/18/so-what-is-xenserver-xapi/">http://blogs.citrix.com/2011/05/18/so-what-is-xenserver-xapi/</a><br />
<a href="http://docs.vmd.citrix.com/XenServer/6.2.0/1.0/en_gb/sdk.html#language_bindings-python">http://docs.vmd.citrix.com/XenServer/6.2.0/1.0/en_gb/sdk.html#language_bindings-python</a><br />
<br />
Packages:<br />
<a href="http://xmodulo.com/2012/05/how-to-install-additional-packages-in.html">http://xmodulo.com/2012/05/how-to-install-additional-packages-in.html</a><br />
<a href="http://thomas-cokelaer.info/blog/2012/01/installing-repositories-under-centos-6-2-to-get-ipython-r-and-other-packages/">http://thomas-cokelaer.info/blog/2012/01/installing-repositories-under-centos-6-2-to-get-ipython-r-and-other-packages/</a><br />
<a href="http://fedoraproject.org/wiki/EPEL#How_can_I_use_these_extra_packages.3F">http://fedoraproject.org/wiki/EPEL#How_can_I_use_these_extra_packages.3F</a><br />
<br />
<br />
Anonymoushttp://www.blogger.com/profile/07819763839528988809noreply@blogger.com0
tag:blogger.com,1999:blog-1628743762748449041.post-5207267598665598192014-05-19T22:35:00.001+01:002014-05-19T22:36:02.396+01:00
Create a VM on an isolated network
For experimenting and testing we want to have a VM that is attached to an isolated network.<br />
Part 1) of the script below:<br />
<ul>
<li>Takes a clone of an existing VM</li>
<li>Creates a new private network</li>
<li>Creates a new interface on that network and attaches it to our VM</li>
</ul>
Next, in part 2), we statically configure the IP 192.168.32.1 on this new interface.<br />
<br />
<script src="https://gist.github.com/rtomaszewski/834a6790bd287e8d4c40.js"></script>
<span style="font-size: large;">References </span><br />
<br />
<a href="http://blogs.citrix.com/2013/03/18/virtual-hypervisor/">http://blogs.citrix.com/2013/03/18/virtual-hypervisor/</a><br />
<a href="https://wiki.debian.org/NetworkConfiguration">https://wiki.debian.org/NetworkConfiguration</a><br />
<a href="http://docs.vmd.citrix.com/XenServer/4.0.1/reference/ch03s02.html">http://docs.vmd.citrix.com/XenServer/4.0.1/reference/ch03s02.html</a>Anonymoushttp://www.blogger.com/profile/07819763839528988809noreply@blogger.com0tag:blogger.com,1999:blog-1628743762748449041.post-68571424177033179472014-05-17T23:58:00.000+01:002014-05-18T00:34:29.902+01:00Using xe how to boot a VM in XenServerAfter we have <a href="http://rtomaszewski.blogspot.co.uk/2014/05/install-xenserver-from-usb-over-ikvm-on.html">installed XenServer</a> there is a time to spin up an VM to test. Below are is a litle script that create a VM (code is based on: <a href="http://wiki.xen.org/wiki/Installing_Linux_on_Kronos">http://wiki.xen.org/wiki/Installing_Linux_on_Kronos</a> ).<br />
<br />
<script src="https://gist.github.com/rtomaszewski/d0faea99eaf90895d8fd.js"></script>
This creates and starts the VM. You then need to connect over the console and follow the installer's questions. We don't need any media or ISO files; the installer will automatically download all the necessary files.<br />
<br />
Once your VM is created you can shut it down and export it to an XVA image. Later we can restore the VM by simply importing it back, and we can use the XVA file to create further VMs for testing.<br />
<br />
<script src="https://gist.github.com/rtomaszewski/2f56a09403ed0dfa69bf.js"></script>
<span style="font-size: large;">References</span><br />
<br />
<a href="http://wiki.xen.org/wiki/Installing_Linux_on_Kronos">http://wiki.xen.org/wiki/Installing_Linux_on_Kronos</a><br />
<a href="http://krypted.com/tag/list_domains/">http://krypted.com/tag/list_domains</a><br />
<br />
Docs on Citrix site:<br />
<br />
<a href="http://docs.vmd.citrix.com/XenServer/6.2.0/1.0/en_gb/">http://docs.vmd.citrix.com/XenServer/6.2.0/1.0/en_gb/</a><br />
<br />
<a href="http://support.citrix.com/article/CTX137836">XenServer 6.2.0 Technical FAQ</a><br />
<a href="http://support.citrix.com/article/CTX137826">XenServer 6.2.0 Release Notes</a><br />
<a href="http://support.citrix.com/search?searchQuery=*&lang=en&sort=date_desc&prod=XenServer&pver=XenServer+6.2.0&ct=Product+Documentation">XenServer Product Documentation</a><br />
<br />
Anonymoushttp://www.blogger.com/profile/07819763839528988809noreply@blogger.com0
tag:blogger.com,1999:blog-1628743762748449041.post-693763587518580892014-05-17T20:52:00.003+01:002014-05-17T20:54:21.618+01:00
Linux Bash cheat sheet
I've spent some time googling for bash shortcuts using phrases like: bash readline shortcut, copy and paste text to bash clipboard, etc. I always forget how to do this, especially when I don't work on Linux for a while.<br />
<br />
Below is a list of my favourite (hard to remember) bash shortcuts and tricks I like to use.<br />
<div>
<br /></div>
<span style="font-size: large;">Bash shortcuts</span><br />
<br />
Ctrl + w Cut the Word before the cursor to the clipboard<br />
Ctrl + y Paste the last thing to be cut (yank)<br />
Alt + r Cancel the changes and put back the line as it was in the history (revert).<br />
<div>
<br /></div>
<span style="font-size: large;">Bash tricks to speed up typing </span><br />
<ul>
<li>How to copy the last command </li>
<li>How to copy and paste the last command output</li>
</ul>
This one is my favourite because it allows me to refer to a previous command's output without having to copy and paste it with the mouse.<br />
<br />
# readline function<br />
shell-expand-line (M-C-e)<br />
<br />
Beyond saving typing, this is a useful safety habit: the substitution is expanded in place before you press Enter, so you see exactly which arguments a command such as rm or chmod is about to receive and can still edit or abandon the line.<br />
<br />
<b>Example 1:</b><br />
$ myvar="/etc/passwd"<br />
$ echo $myvar<br />
$ ls $(echo $myvar) <br />
<br />
Before pressing Enter, press M-C-e (Alt+Ctrl+e) and the line turns into<br />
<br />
ls /etc/passwd<br />
<div>
<br /></div>
<div>
<b>Example 2:</b></div>
$ ls -l /etc/passwd<br />
<div>
$ echo !!</div>
<div>
<br /></div>
Before pressing Enter, press M-C-e and the line turns into<br />
<br />
echo ls -l /etc/passwd<br />
<div>
<br /></div>
<div>
<b>Example 3:</b></div>
<br />
$ ls -l /etc/passwd<br />
<div>
$ echo $(!!)</div>
<div>
<br /></div>
Before you press Enter, press M-C-e and the line turns into<br />
<br />
echo -rw-r--r-- 1 root root 1399 May 17 02:19 /etc/passwd<br />
<br />
Note that shell-expand-line really performs the expansion: the command inside $(...) is executed the moment you press M-C-e, not when you press Enter. Check what the substituted command does before expanding a line whose command has side effects.<br />
<span style="font-size: large;">References </span><br />
<br />
<a href="http://ss64.com/bash/syntax-keyboard.html">http://ss64.com/bash/syntax-keyboard.html</a><br />
<a href="http://superuser.com/questions/304519/how-to-copy-the-results-from-a-grep-command-to-the-bash-clipboard">http://superuser.com/questions/304519/how-to-copy-the-results-from-a-grep-command-to-the-bash-clipboard</a><br />
<a href="http://superuser.com/questions/421463/why-does-ctrl-v-notpaste-in-bash-linux-shell">http://superuser.com/questions/421463/why-does-ctrl-v-notpaste-in-bash-linux-shell</a><br />
<a href="http://unix.stackexchange.com/questions/15850/how-to-use-keyboard-instead-of-mouse-middle-click-for-copy-paste">http://unix.stackexchange.com/questions/15850/how-to-use-keyboard-instead-of-mouse-middle-click-for-copy-paste</a><br />
<a href="http://stackoverflow.com/questions/749544/pipe-to-from-clipboard">http://stackoverflow.com/questions/749544/pipe-to-from-clipboard</a><br />
<a href="https://wiki.archlinux.org/index.php/Keyboard_Shortcuts">https://wiki.archlinux.org/index.php/Keyboard_Shortcuts</a><br />
<a href="http://rtomaszewski.blogspot.co.uk/2013/06/linux-and-bash-cheat-sheet.html">http://rtomaszewski.blogspot.co.uk/2013/06/linux-and-bash-cheat-sheet.html</a><br />
<br />
<br />
<br />Anonymoushttp://www.blogger.com/profile/07819763839528988809noreply@blogger.com0tag:blogger.com,1999:blog-1628743762748449041.post-24061227619161340792014-05-17T00:54:00.001+01:002014-05-17T02:03:55.561+01:00XenServer installation over iKVM and redirected ISO CD-ROM option in JViewerI've had a problem using my <a href="http://rtomaszewski.blogspot.co.uk/2014/05/how-to-install-xenserver-on-vmware.html">XenServer on VMware Workstation</a>. I needed to install it on my dedicated server instead. Some of my notes:<br />
<ul>
<li>Enabled iKVM on the server: <a href="http://rtomaszewski.blogspot.co.uk/2013/04/how-to-enable-ipmi-settings-in-bios-on.html">How to enable IPMI settings in BIOS on Tyan S8225 motherboard</a>.</li>
<li>In BIOS make sure you have enabled the VGA graphic output and disabled the graphics output on the PCI-X bus (as per the link above).</li>
<li>The XenServer installer did not recognize my disk behind the AHCI controller, so I had to switch the controller to the regular 'Native IDE' mode in BIOS (see screenshots below).</li>
<li>Lower the Java security level in Windows (search for 'Configure Java' in the Start menu) so that the JViewer applet is allowed to run; put it back once the installation is done, since the setting applies to every applet you open afterwards.</li>
<li>Mount the ISO image from JViewer (the Java iKVM client from ASUS), restart the server and follow the installation instructions :)</li>
<li><b><i>At the beginning of the installation you will see that the phase 'Loading /install.img' takes a very long time. Don't panic, watch the network card stats and wait for the installer to start</i></b>. Because the whole image is pulled over the network from the redirected ISO, it can take up to 10 minutes.</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdKgg7tTvxBegtdVAg5MrZUj2BHfZx03enLABOmrp_Zb7akyIJTwQAT9fHZkeXLkHPpwbJb16xSxPHWOsZ4WZDiYx9J6e8OauYTdvPZboS5Ewm9gJH_UPxTjltXaiRrjtyJMwDnaggmzU/s1600/ikvm-hdd1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdKgg7tTvxBegtdVAg5MrZUj2BHfZx03enLABOmrp_Zb7akyIJTwQAT9fHZkeXLkHPpwbJb16xSxPHWOsZ4WZDiYx9J6e8OauYTdvPZboS5Ewm9gJH_UPxTjltXaiRrjtyJMwDnaggmzU/s1600/ikvm-hdd1.png" height="261" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjvo8YVoHmWwxmrN1Ys_si6ZSRSU0gLi-7BcUKzdk_LLYqmutSG8PhI0soqY6l9_qHF0-cn0EAdi70CtnFrBOTSCgK0K0HQw1LjPbNKbbyiyyU9bUmgedcY4l_ESgqoTEt40S2qaEyo_s/s1600/ikvm-hdd2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjvo8YVoHmWwxmrN1Ys_si6ZSRSU0gLi-7BcUKzdk_LLYqmutSG8PhI0soqY6l9_qHF0-cn0EAdi70CtnFrBOTSCgK0K0HQw1LjPbNKbbyiyyU9bUmgedcY4l_ESgqoTEt40S2qaEyo_s/s1600/ikvm-hdd2.png" height="261" width="320" /></a></div>
<div>
<br /></div>
<span style="font-size: large;">References</span><br />
<br />
<a href="http://www.davethijssen.nl/2013/07/install-citrix-xenserver-62-from-usb.html">http://www.davethijssen.nl/2013/07/install-citrix-xenserver-62-from-usb.html</a><br />
<br />Anonymoushttp://www.blogger.com/profile/07819763839528988809noreply@blogger.com0tag:blogger.com,1999:blog-1628743762748449041.post-10275561892834417342014-05-14T23:38:00.002+01:002014-05-17T00:54:31.785+01:00How to install XenServer on VMware Workstation in Windows<span style="font-size: large;">How to install XenServer 6.2 on VMware Workstation 8</span><br />
<br />
<b>Note: 17 May 2014:</b><br />
<b>The installation was fine and XenServer boots fine in the VM. Unfortunately it hangs regularly and I couldn't find out what causes it. I've installed XenServer on hardware instead: <a href="http://rtomaszewski.blogspot.co.uk/2014/05/install-xenserver-from-usb-over-ikvm-on.html">here</a>.</b><br />
<br />
It is possible to install a <a href="http://en.wikipedia.org/wiki/Hypervisor">Type 1 hypervisor</a> like XenServer inside a virtualized environment like <a href="http://en.wikipedia.org/wiki/VMware_Workstation">VMware Workstation</a> by using <a href="http://rtomaszewski.blogspot.co.uk/2014/01/nested-virtualization-support-on.html">nested virtualization</a>. It may look shocking at first because this is the software stack we are going to create:<br />
<ul>
<li>Regular operating system, I'm using Windows 7</li>
<li>Install the (Type 2) hypervisor VMware Workstation in Windows</li>
<li>Create a VM within VMware Workstation</li>
<li>Install XenServer within that VM</li>
<li>Boot the VM and run the (Type 1) hypervisor XenServer</li>
</ul>
<span style="font-size: large;">Installation</span><span style="font-size: large;"> steps</span><br />
<ul>
<li>Create a new VM and choose guest OS: VMware ESX, version: VMware ESXi 5 (my config for the VM can be found here: <a href="https://gist.github.com/rtomaszewski/7589f0735fa7df356823">vmware-workstation-xenserver.conf</a>)</li>
<li>Download XenServer-6.2.0-install-cd.iso</li>
<li>Configure the VM to boot from the ISO above</li>
<li>Boot the VM and follow the installation instructions</li>
<li>The installer reboots the VM at the end</li>
<li>Before it boots again, power off the VM and detach the ISO file</li>
<li>Boot the VM and enjoy your XenServer</li>
<li>You may want to install XenServer-6.2.0-XenCenter.msi to manage your XenServer graphically, or use the CLI over SSH</li>
</ul>
<span style="font-size: large;"> XenServer 6.2 doesn't boot after installation on VMware Workstation 8</span><br />
<br />
You may run into the following issues when attempting the installation procedure above.<br />
<br />
<div>
<ul>
<li><b>Wrong VM guest type. I saw this initially when I tried to use type: Other, version: Other 64-bit.</b></li>
</ul>
<div>
BUG: recent printk recursion!</div>
</div>
<div>
clocksource/1: Time went backwards</div>
<div>
PCI: Bar 13: no parent found for of bridge</div>
<div>
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkzppr9JjtEPOyM5dQknZgBTsInnCjLn1S2I_8ilas_sG5oLSFz0CE1JZ2oFWdv_W8XCOf6vCcp2ZeJZxeA3BZoTz2-yVlnCbvRlwVvZqKxN6xFcL-KCC9FqvMR77wVGEB5q-5hataVAg/s1600/xenserver-boot-error.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkzppr9JjtEPOyM5dQknZgBTsInnCjLn1S2I_8ilas_sG5oLSFz0CE1JZ2oFWdv_W8XCOf6vCcp2ZeJZxeA3BZoTz2-yVlnCbvRlwVvZqKxN6xFcL-KCC9FqvMR77wVGEB5q-5hataVAg/s1600/xenserver-boot-error.png" height="206" width="320" /></a></div>
<br />
<ul>
<li><b>You can boot the VM and select 'safe' in the Xen boot loader. Unfortunately XenServer then reports I/O errors.</b></li>
</ul>
<div>
ata2.01: qc timeout (cmd 0xa0)</div>
<div>
ata2.01: TEST_UNIT_READY failed (err_mask=0x4)</div>
<div>
Unhandled error code</div>
<div>
Result: hostbyte=DID_OK driverbyte=DRIVER_TIMEOUT</div>
<div>
end_request: I/O error, dev sda, sector 0</div>
<div>
buffer I/O error on device sda, logical block 0</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJXfOerKzBfDdITmi8rw9PgBbT7uzaEzO-6QYZ77oOzTy5WMPG0vSwDvdS60gIUq_GiXHuWo22Tp7mUB42V2VxnKr2pJNx0oa2xA2NPitMEXPiaj8Rsk6r6EV2FTFJhThIqjYf2VWGCTI/s1600/xenserver-boot-safe-io-error.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJXfOerKzBfDdITmi8rw9PgBbT7uzaEzO-6QYZ77oOzTy5WMPG0vSwDvdS60gIUq_GiXHuWo22Tp7mUB42V2VxnKr2pJNx0oa2xA2NPitMEXPiaj8Rsk6r6EV2FTFJhThIqjYf2VWGCTI/s1600/xenserver-boot-safe-io-error.png" height="179" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjh8CaQcj9BN02ksNhwxWGGY9MeQL3bsrAUOmxHG8q_Ra7MNKAWkR3Ig8WTfRoIjtvk4QIOolskD_GZ5gBovgmfE508F8_FS1Gliwi1IKkhH2YejKMw0wyQIlfVw8OvOG2W5C8JzE2aIDU/s1600/xenserver-boot-safe.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjh8CaQcj9BN02ksNhwxWGGY9MeQL3bsrAUOmxHG8q_Ra7MNKAWkR3Ig8WTfRoIjtvk4QIOolskD_GZ5gBovgmfE508F8_FS1Gliwi1IKkhH2YejKMw0wyQIlfVw8OvOG2W5C8JzE2aIDU/s1600/xenserver-boot-safe.png" height="184" width="320" /></a></div>
<div>
<br /></div>
<br />
<span style="font-size: large;">References</span><br />
<br />
<a href="http://bjtechnews.org/2013/07/01/how-to-install-citrix-xenserver-6-2-0-on-vmware-workstation-9-0/">http://bjtechnews.org/2013/07/01/how-to-install-citrix-xenserver-6-2-0-on-vmware-workstation-9-0/</a><br />
<a href="http://discussions.citrix.com/topic/329733-xenserver-freeze-on-reboot/">http://discussions.citrix.com/topic/329733-xenserver-freeze-on-reboot/</a><br />
<a href="http://discussions.citrix.com/topic/324048-virtual-machines-in-xenserver-6-on-wmware-workstation/">http://discussions.citrix.com/topic/324048-virtual-machines-in-xenserver-6-on-wmware-workstation/</a><br />
<a href="http://www.vi-tips.com/2011/10/how-to-run-xenserver-60-on-vsphere-5.html">http://www.vi-tips.com/2011/10/how-to-run-xenserver-60-on-vsphere-5.html</a><br />
<a href="http://vstorage.wordpress.com/2010/06/06/running-xenserver-5-6-on-vmware-workstation/">http://vstorage.wordpress.com/2010/06/06/running-xenserver-5-6-on-vmware-workstation/</a><br />
<br />
<br />Anonymoushttp://www.blogger.com/profile/07819763839528988809noreply@blogger.com0tag:blogger.com,1999:blog-1628743762748449041.post-35107472173812352932014-04-27T22:00:00.000+01:002014-06-08T20:16:25.138+01:00Overlay technologies in data centerEveryone speaks about SDN and the benefits it brings when deploying cloud or enterprise infrastructures. But do we actually know or have any understanding of what this SDN is all about? If you want to be fluent in the language of virtual networking and network overlays in modern data centers you need to understand at least the following concepts:<br />
<ul>
<li><a href="http://etherealmind.com/northbound-api-southbound-api-eastnorth-lan-navigation-in-an-openflow-world-and-an-sdn-compass/">SDN controller (Northbound and Southbound API)</a> (an example controller could be <a href="http://rtomaszewski.blogspot.co.uk/2014/01/openstack-neutron-architecture.html">VMware NVP/NSX</a> or <a href="http://www.opendaylight.org/">OpenDaylight</a>; a list of vendor-specific <a href="http://www.sdncentral.com/comprehensive-list-of-sdn-apis/">Northbound APIs</a>)</li>
<li><a href="http://rtomaszewski.blogspot.co.uk/2013/02/what-is-openflow.html">Openflow</a> as Southbound API (example <a href="http://rtomaszewski.blogspot.co.uk/2013/05/how-is-single-openflow-flow-defined-on.html">flow in Open vSwitch</a>)</li>
<li><a href="http://en.wikipedia.org/wiki/Network_Functions_Virtualization">Network Functions Virtualization</a></li>
<li><a href="http://etherealmind.com/introduction-to-how-overlay-networking-and-tunnel-fabrics-work/">Overlay and tunnels concept</a> for cloud network inside data center (example protocols are <a href="http://rtomaszewski.blogspot.co.uk/2013/05/how-does-vxlan-protocol-work.html">VXLAN </a>and <a href="http://rtomaszewski.blogspot.co.uk/2012/11/introduction-into-tunneling-protocols.html">STT</a>)</li>
</ul>
In the remainder of the post we will concentrate solely on existing overlay technologies. This information was extracted from the Cisco document: <a href="http://www.cisco.com/c/en/us/products/collateral/switches/nexus-9000-series-switches/white-paper-c11-730116.html">Cisco Nexus 9000 Series Switches - Data Center Overlay Technologies</a>.<br />
<br />
<span style="font-size: large;">Network-Based Overlay Networks</span><br />
<ol>
<li>IEEE 802.1ad Provider Bridging or IEEE 802.1q Tunneling also known as IEEE 802.1QinQ or simply Q-in-Q</li>
<li>IEEE 802.1ah Provider Backbone Bridges (PBB) or Mac-in-Mac Tunnels</li>
<li>Cisco FabricPath allows multipath networking at Layer 2</li>
<li>TRILL - IETF Transparent Interconnection of Lots of Links is a Layer 2 multipathing technology</li>
<li>Shortest-Path Bridging (SPB) is defined in IEEE 802.1aq and is targeted as a replacement for Spanning Tree Protocol (example <a href="http://rtomaszewski.blogspot.co.uk/2014/04/how-does-switch-fabric-network-work.html">info</a> based on Avaya documentation)</li>
<li>Cisco Overlay Transport Virtualization (OTV) is a Layer 2-over-Layer 3 encapsulation "MAC-in-IP" technology</li>
<li>The Cisco Location/Identifier Separation Protocol (LISP) is currently defined as a Layer 3 overlay scheme over a Layer 3 network</li>
<li>Multiprotocol Label Switching (MPLS)</li>
<li>Virtual Private LAN Service (VPLS) a Layer 2 tunneling protocols</li>
<li>Virtual Private Routed Network (VPRN) also known as BGP/MPLS or IP-VPN provides IP VPN services</li>
</ol>
<span style="font-size: large;">Host-Based Overlay Networks</span><br />
<ol>
<li>Virtual Extensible LAN (VXLAN) is a Layer 2 overlay scheme over a Layer 3 network that uses IP/UDP encapsulation</li>
<li>Network Virtualization Using Generic Routing Encapsulation (NVGRE) allows creation of virtual Layer 2 topologies on top of a physical Layer 3 network</li>
<li>Stateless transport tunneling (STT) is an overlay encapsulation scheme over Layer 3 networks that uses a TCP-like header</li>
</ol>
Anonymoushttp://www.blogger.com/profile/07819763839528988809noreply@blogger.com0tag:blogger.com,1999:blog-1628743762748449041.post-10798156954193552532014-04-27T17:28:00.000+01:002014-04-27T17:57:42.133+01:00You can use bash shell instead of Cisco CLI on Nexus SwitchesEveryone who works on Linux and understands how to use Bash efficiently hates working with the limited <a href="http://www.cisco.com/c/en/us/support/ios-nx-os-software/ios-15-0s/tsd-products-support-series-home.html">Cisco IOS CLI</a>. The design objectives behind this CLI haven't changed for the last 20 years or so, and for many people it obviously lacks plenty of the features expected from a modern shell.<br />
<br />
But the evolution, or even revolution, that SDN is bringing to networking is changing this static network configuration landscape. The new generation of network devices like the <a href="http://rtomaszewski.blogspot.co.uk/2013/04/cisco-nexus-nx-os-operating-systems-has.html">Cisco Nexus platform</a> is going to support in <a href="http://www.cisco.com/c/en/us/products/collateral/switches/nexus-9000-series-switches/white-paper-c11-729492.html">Cisco NX-OS</a>:<br />
<ul>
<li>Bash shell</li>
<li>Python shell </li>
<li>API access</li>
<li>Linux containers for custom applications</li>
</ul>
For those who still don't believe it, you can read about it here:<br />
<ul>
<li><a href="http://www.cisco.com/c/en/us/products/switches/nexus-9000-series-switches/index.html">http://www.cisco.com/c/en/us/products/switches/nexus-9000-series-switches/index.html</a></li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyedYl9fnUbrmrVtVRpwSQEEt9At_XgQpao6rkeF1yPKSZw9CRSId6lKDPUOfS9uYXoqhsOVFRxUul05Qh_wGk7pZDpgEshdI8zucAlSblqh5SLd_lCkA9KmOm7UfHjZwaaKashpSPamg/s1600/nexus-shell.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyedYl9fnUbrmrVtVRpwSQEEt9At_XgQpao6rkeF1yPKSZw9CRSId6lKDPUOfS9uYXoqhsOVFRxUul05Qh_wGk7pZDpgEshdI8zucAlSblqh5SLd_lCkA9KmOm7UfHjZwaaKashpSPamg/s1600/nexus-shell.png" height="74" width="320" /></a></div>
<ul>
<li><a href="http://www.cisco.com/c/en/us/products/switches/nexus-9516-switch/index.html">http://www.cisco.com/c/en/us/products/switches/nexus-9516-switch/index.html</a></li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggHbeQuNRM0lO4bTT5dJ5rF9oS9_QR83mvRyNgzHN2o6b1pEijEsoNmcEA9Q5SFf5IYPSWSloX8FBxBs6aYKUymZljmnk4prPQytZoDSszW96t7Pe73K5zdETc1qoGbermW4ccwiy8NKw/s1600/nexus-api.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggHbeQuNRM0lO4bTT5dJ5rF9oS9_QR83mvRyNgzHN2o6b1pEijEsoNmcEA9Q5SFf5IYPSWSloX8FBxBs6aYKUymZljmnk4prPQytZoDSszW96t7Pe73K5zdETc1qoGbermW4ccwiy8NKw/s1600/nexus-api.png" height="113" width="320" /></a></div>
<ul>
<li><a href="http://www.cisco.com/c/en/us/products/collateral/switches/nexus-9000-series-switches/datasheet-c78-729405.html">http://www.cisco.com/c/en/us/products/collateral/switches/nexus-9000-series-switches/datasheet-c78-729405.html</a></li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjG8m5fFcVXNVRoyepDBkkknVpxjo9pT5NKyMxbYeitL7IhbiLI5dhj76bQKtdFodVIqV9TOffxwGLK5-FBWJMtZeTid2_EZUUpLEE6cr3T1X9Ck5boYPVUZQCo5u4ddkQ2kunkHG2hASc/s1600/nexus-shell-features.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjG8m5fFcVXNVRoyepDBkkknVpxjo9pT5NKyMxbYeitL7IhbiLI5dhj76bQKtdFodVIqV9TOffxwGLK5-FBWJMtZeTid2_EZUUpLEE6cr3T1X9Ck5boYPVUZQCo5u4ddkQ2kunkHG2hASc/s1600/nexus-shell-features.png" height="118" width="320" /></a></div>
<br />
<span style="font-size: large;">References </span><br />
<br />
<a href="http://www.cisco.com/c/en/us/products/switches/nexus-9000-series-switches/white-paper-listing.html">http://www.cisco.com/c/en/us/products/switches/nexus-9000-series-switches/white-paper-listing.html</a><br />
<a href="http://rtomaszewski.blogspot.co.uk/search/label/sdn">http://rtomaszewski.blogspot.co.uk/search/label/sdn</a><br />
<a href="http://rtomaszewski.blogspot.co.uk/2013/09/cisco-cheat-sheet.html">http://rtomaszewski.blogspot.co.uk/2013/09/cisco-cheat-sheet.html</a><br />
<br />Anonymoushttp://www.blogger.com/profile/07819763839528988809noreply@blogger.com0tag:blogger.com,1999:blog-1628743762748449041.post-91832506022621224612014-04-13T23:48:00.000+01:002014-04-13T23:57:25.574+01:00Description and demonstration of the Heartbleed bug in OpenSSLThere are tons of posts on the Internet about the new bug in OpenSSL. I'm not going to repeat what others wrote but rather give a small demonstration.<br />
<br />
<span style="font-size: large;">Heartbeat packet description in SSL protocol suite</span><br />
<br />
This excellent blog post walks through the OpenSSL code and shows exactly where the bug was hidden: <a href="http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html">Diagnosis of the OpenSSL Heartbleed Bug</a>.<br />
<br />
If you want to learn more about how a potential exploit is built you can read and watch this: <a href="http://security.stackexchange.com/questions/55116/how-exactly-does-the-openssl-tls-heartbeat-heartbleed-exploit-work">http://security.stackexchange.com/questions/55116/how-exactly-does-the-openssl-tls-heartbeat-heartbleed-exploit-work</a><br />
<br />
Working proof-of-concept code can be found here:<br />
<a href="http://www.garage4hackers.com/entry.php?b=2551">http://www.garage4hackers.com/entry.php?b=2551</a><br />
<a href="http://nakedsecurity.sophos.com/2014/04/08/anatomy-of-a-data-leak-bug-openssl-heartbleed/">http://nakedsecurity.sophos.com/2014/04/08/anatomy-of-a-data-leak-bug-openssl-heartbleed/</a><br />
<br />
<span style="font-size: large;">Demonstration</span><br />
<br />
How do I know if my site is vulnerable?<br />
<br />
There are potentially many different ways to test whether a site is vulnerable. As two extreme examples, (a) we could write a simple SSL client and try to send a heartbeat packet (not so trivial, it requires some knowledge of the SSL protocol itself), or (b) use one of the sites on the Internet that do the testing for us. I would definitely avoid (b): such a site can store the URL you provided and try to exploit you later.<br />
<br />
A simpler and more elegant solution can be built with the openssl command-line client instead. With a single command you can test whether a server advertises the heartbeat extension at all. Keep in mind that this only tells you the bug is reachable; next you have to find out whether the OpenSSL version the server runs is one of the vulnerable ones (1.0.1 up to and including 1.0.1f), because a server that advertises heartbeat but runs a fixed build is not affected.<br />
<pre class="brush:text; highlight: [1,8,96,97];">
$ openssl s_client -connect www.cloudflarechallenge.com:443 -tlsextdebug
CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
0001 - <SPACES/NULS>
TLS server extension "EC point formats" (id=11), len=4
0000 - 03 00 01 02 ....
TLS server extension "session ticket" (id=35), len=0
TLS server extension "heartbeat" (id=15), len=1
0000 - 01 .
depth=4 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=Free SSL/CN=cloudflarechallenge.com
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=EssentialSSL CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=EssentialSSL CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
3 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
4 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFLTCCBBWgAwIBAgIQSkGkHc+NJGGLqUs9YZlcxDANBgkqhkiG9w0BAQUFADBy
MQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD
VQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDEYMBYGA1UE
AxMPRXNzZW50aWFsU1NMIENBMB4XDTE0MDQxMDAwMDAwMFoXDTE0MDcwOTIzNTk1
OVowWDEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMREwDwYDVQQL
EwhGcmVlIFNTTDEgMB4GA1UEAxMXY2xvdWRmbGFyZWNoYWxsZW5nZS5jb20wggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCbQBaRWcPHl945y10L3tm2C+13
bm4oqaGMIekvJyYTF7VGJFKX+EYgvt/wWD+qJTO1Wbm5dknVQbt3PP7061M2H6/b
sG3M+xTfKK8d6/AAHWZMy0/ps+5cGPOzFFwL3JVwEFakoExGc3jT6S9RlhU5q4I+
q8Qd+jpHL7uKeklipCb8VIznRmtGKYI7H01kjyW8gwXYOrWKlKCHOIcR32LIxHfd
fv72QjT2kGupne3TmXAY+6cEL12ZqS2HCYpGBa8QQaZ7/dggc1X5OJL1yrQP8Le9
/faCOBHn0A4yzNp873BVMQ+7T+7k2PCSs7qAfB0TdvdfQFiPPFaTODDtPWClAgMB
AAGjggHXMIIB0zAfBgNVHSMEGDAWgBTay+qtWwhdzP/8JlTOSeVVxjj0+DAdBgNV
HQ4EFgQUbqyvF2sHtsjg5i82wBON35elvNQwDgYDVR0PAQH/BAQDAgWgMAwGA1Ud
EwEB/wQCMAAwNAYDVR0lBC0wKwYIKwYBBQUHAwEGCCsGAQUFBwMCBgorBgEEAYI3
CgMDBglghkgBhvhCBAEwTwYDVR0gBEgwRjA6BgsrBgEEAbIxAQICBzArMCkGCCsG
AQUFBwIBFh1odHRwczovL3NlY3VyZS5jb21vZG8uY29tL0NQUzAIBgZngQwBAgEw
OwYDVR0fBDQwMjAwoC6gLIYqaHR0cDovL2NybC5jb21vZG9jYS5jb20vRXNzZW50
aWFsU1NMQ0EuY3JsMG4GCCsGAQUFBwEBBGIwYDA4BggrBgEFBQcwAoYsaHR0cDov
L2NydC5jb21vZG9jYS5jb20vRXNzZW50aWFsU1NMQ0FfMi5jcnQwJAYIKwYBBQUH
MAGGGGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTA/BgNVHREEODA2ghdjbG91ZGZs
YXJlY2hhbGxlbmdlLmNvbYIbd3d3LmNsb3VkZmxhcmVjaGFsbGVuZ2UuY29tMA0G
CSqGSIb3DQEBBQUAA4IBAQBlN1564xpz0f0EnCh5dKOjo6uk+kbLzEhkfaGd5Ydi
4diFQ9VYx3+Le1JCB/bDHMVUfwlqTpV0Eq8DZIWTO5wnP9BlRDiljVe7+y/jkQ/b
/B88kmBr2jjR9Aet1l8hOrqJycw6Ack6F+5hd/lYIvZ/0YH+h/qu9/Z6ii6rcUCd
UWERSKiTFsbM8PRmG/Cwb4Jm52N8ev6mcVYmxeBYIPmf51HBHEakN13oQcubCAjd
V9/8CugEMrl56lUpt7BYZMET2h4NyCDrfTlbFcDqQC+YBr5dLDOvLpe7T7Dv+r1P
wYJ+R0A4JC0F2RdUeIBWC5CycJcTx4h7ZSlNeWtFrZgJ
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=Free SSL/CN=cloudflarechallenge.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=EssentialSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 6784 bytes and written 376 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID: EF16DB45C3D67F69A480645C5267C4FDC44F41FD4CF4911194E986FC21E72F62
Session-ID-ctx:
Master-Key: 9DF3223AAF1520D6437E643E83E4AD5B1A590776F375B7ED082E024F3EC9EB43617A0D1F7715DF299EA483F905095465
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 600 (seconds)
TLS session ticket:
0000 - c5 00 41 79 f6 38 12 30-bf 5f 85 54 f7 93 09 1c ..Ay.8.0._.T....
0010 - c1 60 e2 23 ca 90 8f 17-0c 4a 9f db cc 40 0e ea .`.#.....J...@..
0020 - 55 b0 f8 49 f1 7e b0 4e-78 0f 36 4a 58 3a 60 e2 U..I.~.Nx.6JX:`.
0030 - b4 2b 22 a2 49 e8 c5 42-d0 00 ad a6 ec 49 b3 4d .+".I..B.....I.M
0040 - 28 b1 c3 ad 03 c6 53 de-a3 e7 ec c8 aa ed 5e 97 (.....S.......^.
0050 - 75 12 5e 9f 5f eb cf a9-4a ab b7 85 bf cd e0 12 u.^._...J.......
0060 - 2c ec 0b 05 4f cf ac 16-e9 65 40 1b a8 60 dc 3a ,...O....e@..`.:
0070 - 99 a0 cf 7a 65 0b 4c 74-a5 fc a5 16 11 48 e2 94 ...ze.Lt.....H..
0080 - 19 0e 17 a8 03 d0 d0 4b-a4 14 7e 49 05 75 36 65 .......K..~I.u6e
0090 - d4 70 63 fa a7 92 5a 14-63 97 00 cf 6b 5b 45 36 .pc...Z.c...k[E6
Start Time: 1397426832
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
GET /heartbleed HTTP/1.1
Host: www.cloudflarechallenge.com
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 13 Apr 2014 22:02:32 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Strict-Transport-Security: max-age=86400
f61
<!doctype html>
<html>
<head>
<title>Heartbleed Challenge</title>
</pre>
<br />
From the output we can see that:<br />
<ul>
<li>We connect to the server</li>
<li>Many packets are exchanged between the client (our openssl command-line tool) and the web server; the packet types and formats are defined in the relevant RFC documents for SSL/TLS</li>
<li>The option <a href="http://www.openssl.org/docs/apps/s_client.html">tlsextdebug</a> instructs openssl to print out the TLS extensions the server supports</li>
<li>We can immediately see whether the heartbeat extension is supported by our web server (the line TLS server extension "heartbeat" (id=15) above); what we have to do next is check whether the OpenSSL version the server runs is vulnerable or not</li>
<li>It is important to note that regardless of whether the web server supports the heartbeat extension or not, you as a client can send any legitimate HTTP request (the GET above); the whole problem is that if your client sends a deliberately malicious heartbeat packet, the server's response can reveal a lot more memory content than it should</li>
</ul>
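Added example, not code from the original post: a small POSIX shell helper that turns the check above into two reusable functions, one that inspects openssl s_client -tlsextdebug output for the heartbeat extension line (id=15), and one that classifies an upstream OpenSSL version string against the affected range 1.0.1 to 1.0.1f. The probe_host wrapper with its host and port arguments is a placeholder for a live check; the two sample outputs embedded in the block are constructed, not captured from any server, and the version check knows nothing about distribution packages that backport the fix under an old version number, so treat its answer as a hint and confirm against the package changelog.<br />

```shell
#!/bin/sh
# Added example (not from the original post): Heartbleed triage helpers built
# around the same `openssl s_client -tlsextdebug` output shown above.
# Only a server that BOTH advertises the heartbeat extension AND runs upstream
# OpenSSL 1.0.1 to 1.0.1f is affected. 1.0.1g, the 1.0.0 branch and 0.9.8 are
# not. Distro packages backport the fix under the old version string, so the
# version check is a hint, not proof.

# Return 0 if s_client output on stdin contains the heartbeat extension line.
advertises_heartbeat() {
    grep -q 'TLS server extension "heartbeat" (id=15)'
}

# Return 0 if an upstream OpenSSL version string falls in the affected range
# (1.0.1 with no letter, or 1.0.1a .. 1.0.1f, with or without a -suffix).
openssl_version_affected() {
    case "$1" in
        1.0.1 | 1.0.1-* | 1.0.1[a-f] | 1.0.1[a-f]-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Probe a live host (needs network; not exercised by the offline demo below).
# Host and port are placeholders. s_client exits once stdin (/dev/null) hits
# EOF, so the command returns as soon as the handshake is complete.
probe_host() {
    host="$1"; port="${2:-443}"
    if openssl s_client -connect "$host:$port" -tlsextdebug </dev/null 2>/dev/null \
        | advertises_heartbeat; then
        echo "$host:$port advertises heartbeat; now check its OpenSSL version"
        return 0
    fi
    echo "$host:$port does not advertise heartbeat; Heartbleed is not reachable"
    return 1
}

# Constructed samples of the extension block printed by -tlsextdebug (not real captures).
SAMPLE_WITH_HEARTBEAT='CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "heartbeat" (id=15), len=1
0000 - 01                                                .'
SAMPLE_WITHOUT_HEARTBEAT='CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "session ticket" (id=35), len=0'

# Offline demonstration against the constructed samples and a few version strings.
demo() {
    printf '%s\n' "$SAMPLE_WITH_HEARTBEAT" | advertises_heartbeat && echo "sample 1: heartbeat advertised"
    printf '%s\n' "$SAMPLE_WITHOUT_HEARTBEAT" | advertises_heartbeat || echo "sample 2: no heartbeat extension"
    for v in 1.0.1e 1.0.1f 1.0.1g 1.0.0l 0.9.8y; do
        if openssl_version_affected "$v"; then echo "$v: affected"; else echo "$v: not affected"; fi
    done
}
```

Run demo for the offline walk-through, or probe_host www.example.com 443 against a host you are authorized to test. The extension check is deliberately the only thing sent over the wire: no heartbeat request is ever transmitted, so the helper cannot leak anything from the target.<br />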
<span style="font-size: large;">References</span><br />
<br />
<a href="http://www.openssl.org/docs/apps/s_client.html">http://www.openssl.org/docs/apps/s_client.html</a><br />
<a href="http://www.theregister.co.uk/2014/04/09/heartbleed_explained/">http://www.theregister.co.uk/2014/04/09/heartbleed_explained/</a><br />
<a href="https://www.cloudflarechallenge.com/heartbleed">https://www.cloudflarechallenge.com/heartbleed</a><br />
<br />
<br />Anonymoushttp://www.blogger.com/profile/07819763839528988809noreply@blogger.com0tag:blogger.com,1999:blog-1628743762748449041.post-36267883533319479592014-04-08T01:54:00.004+01:002014-06-08T20:10:27.079+01:00Can I use Shortest Path Bridging hardware to build my SDN networkRecently I've come across a document that compares a number of existing network overlays in SDN architectures: <a href="https://www.avaya.com/usa/documents/the_2013_guide_to_network_virtualization_and_sdn.pdf">The 2013 Guide to Network Virtualization and SDN</a>.<br />
<br />
What is new and interesting is the solution from Avaya. Instead of using VXLAN, STT or GRE like the other vendors, they use <a href="http://www.quickiwiki.com/en/IEEE_802.1aq">SPB</a> (we wrote about this in <a href="http://rtomaszewski.blogspot.co.uk/2014/04/how-does-switch-fabric-network-work.html">How does switch fabric network work</a>) to build their SDN solution.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDtGGUL6De34aMRHyFrHcaEECTeD8ryxN1zx-hVJcEWIQLy_eq110884wFJD2KbGfvrYBToId0Q92fiu168I4U0T_NqWJVR5E_KAsymY0eKrZuBPZZ2ha4rZryiG6-n-rYh8nquhDqW2A/s1600/sdn-overlay-networks.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDtGGUL6De34aMRHyFrHcaEECTeD8ryxN1zx-hVJcEWIQLy_eq110884wFJD2KbGfvrYBToId0Q92fiu168I4U0T_NqWJVR5E_KAsymY0eKrZuBPZZ2ha4rZryiG6-n-rYh8nquhDqW2A/s1600/sdn-overlay-networks.png" height="312" width="400" /></a></div>
Anonymoushttp://www.blogger.com/profile/07819763839528988809noreply@blogger.com0tag:blogger.com,1999:blog-1628743762748449041.post-64889804025506468622014-04-08T01:42:00.004+01:002014-04-08T14:17:55.140+01:00How does switch fabric network workA network engineer can list a number of issues you can potentially run into when using the STP protocol in your switched network. Over the years the network industry has created successor protocols like RSTP and MSTP. Both are improvements and offer much better convergence times and respond much more quickly to switch topology changes. One of the major disadvantages of networks that rely on STP is that they don't support multipathing. It means that once the network topology converges there will be blocked paths between switches, elected and managed by STP. These often redundant links can't be used because of the loop risk.<br />
<br />
But there are better solutions on the market today for designing layer 2 Ethernet networks (more scalable, with higher throughput and with active link redundancy, for example). The two most popular are based on the <a href="http://en.wikipedia.org/wiki/IEEE_802.1aq">SPB</a> and <a href="http://en.wikipedia.org/wiki/TRILL_%28computing%29">TRILL</a> protocols. Both of them are used as a foundation in <a href="http://searchsdn.techtarget.com/definition/network-fabric">switch fabric</a> products. To better understand both of them, the pictures below provide a side-by-side comparison. This was taken from the Avaya document: <a href="http://www.avaya.com/uk/resource/assets/whitepapers/SPB-TRILL_Compare_Contrast-DN4634.pdf">Compare and Contrast SPB and TRILL</a>.<br />
<br />
Avaya is an SPB promoter, so the comparison is a bit weighted towards SPB, but nevertheless it gives some insight into both protocols.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQRzKn499PgYXVzetlhxbZxdcrdigngmyOPHUPROQP4dGkYjd6EWiCpWiPhDNpkIz8mR2oryMishJI3i6njDCV6Eb9EfNIyCEXpxskzW8Limw3brxLRdNkMqOkeNRNP7L2r3f_AOKb7jg/s1600/trill-spb-table1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQRzKn499PgYXVzetlhxbZxdcrdigngmyOPHUPROQP4dGkYjd6EWiCpWiPhDNpkIz8mR2oryMishJI3i6njDCV6Eb9EfNIyCEXpxskzW8Limw3brxLRdNkMqOkeNRNP7L2r3f_AOKb7jg/s1600/trill-spb-table1.png" height="193" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzShtDaxPtwmatl0MwEXQX-c9IS-34onFNqmcoLMYhEPh_hxN63xJuCpB2BOkYIyPgRPsu28_6-LbAdNwsEnXs8u-foQkHyXsbjcx3h4mXLYSNT4vnVY4ysgtuuj5iS2L2GgtSWj2HhJE/s1600/trill-spb-table2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzShtDaxPtwmatl0MwEXQX-c9IS-34onFNqmcoLMYhEPh_hxN63xJuCpB2BOkYIyPgRPsu28_6-LbAdNwsEnXs8u-foQkHyXsbjcx3h4mXLYSNT4vnVY4ysgtuuj5iS2L2GgtSWj2HhJE/s1600/trill-spb-table2.png" height="320" width="320" /></a></div>
<br />
<span style="font-size: large;">References </span><br />
<br />
<a href="http://cciethebeginning.wordpress.com/2008/11/20/differences-between-stp-and-rstp/">http://cciethebeginning.wordpress.com/2008/11/20/differences-between-stp-and-rstp/</a><br />
<a href="http://etherealmind.com/spb-attention/">http://etherealmind.com/spb-attention/</a><br />
<a href="http://en.wikipedia.org/wiki/IEEE_802.1aq">http://en.wikipedia.org/wiki/IEEE_802.1aq</a><br />
<a href="http://en.wikipedia.org/wiki/TRILL_%28computing%29">http://en.wikipedia.org/wiki/TRILL_(computing)</a><br />
<a href="http://www.avaya.com/uk/resource/assets/whitepapers/SPB-TRILL_Compare_Contrast-DN4634.pdf">http://www.avaya.com/uk/resource/assets/whitepapers/SPB-TRILL_Compare_Contrast-DN4634.pdf</a><br />
<a href="http://nanog.org/meetings/nanog50/presentations/Monday/NANOG50.Talk63.NANOG50_TRILL-SPB-Debate-Roisman.pdf">http://nanog.org/meetings/nanog50/presentations/Monday/NANOG50.Talk63.NANOG50_TRILL-SPB-Debate-Roisman.pdf</a><br />
<a href="http://www.ebrahma.com/2012/06/trill-vs-spb-similarities-differences/">http://www.ebrahma.com/2012/06/trill-vs-spb-similarities-differences/</a><br />
<a href="http://wikibon.org/wiki/v/Network_Fabrics,_L2_Multipath_and_L3">http://wikibon.org/wiki/v/Network_Fabrics,_L2_Multipath_and_L3</a><br />
<br />Anonymoushttp://www.blogger.com/profile/07819763839528988809noreply@blogger.com0tag:blogger.com,1999:blog-1628743762748449041.post-64366503491556074342014-03-31T11:53:00.002+01:002014-06-16T18:01:57.692+01:00How to list numbers next to ACL rules on Cisco<span style="font-size: large;">How to list numbers next to the ACL rules on Cisco </span><br />
On the ASA, <span style="font-family: Courier New, Courier, monospace;">show access-list</span> prints every ACE with its position as <span style="font-family: Courier New, Courier, monospace;">line N</span> and its hit counter, and lists the per-member expansion of each object-group rule as indented lines underneath it. The <span style="font-family: Courier New, Courier, monospace;">| exclude \ \</span> filter (a regex of two escaped spaces) drops those indented expansion lines, so only the numbered top-level rules remain. The <span style="font-family: Courier New, Courier, monospace;">(hitcnt=0)</span> entries are the ones worth a second look: they have never matched since the counters were last cleared, so they are either dead rules or shadowed by a rule above them.<br />
<pre class="brush:text;">sh access-list outside-acl | e \ \
access-list 101; 86 elements; name hash: 0xe7d586b5
access-list 101 line 1 extended permit ip object-group WHITELIST-IPS any 0xc4d2a54e
access-list 101 line 2 extended permit icmp any any object-group ICMP-ALLOWED (hitcnt=576916) 0x994c9516
access-list 101 line 3 extended deny ip any host 192.168.199.254 (hitcnt=31708) 0x8e8cc2a6
access-list 101 line 5 remark !*!*!*!*!*!*!*!*!*!
access-list 101 line 6 remark RULES CONTROLLED BY AUTOMATION
access-list 101 line 7 remark !*!*!*!*!*!*!*!*!*!
access-list 101 line 8 extended permit ip host 1.1.1.1 host 10.179.72.125 (hitcnt=0) 0xa9809ff7
access-list 101 line 9 extended permit ip any host 10.179.72.125 (hitcnt=0) 0xa9809ff7
</pre>
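The filtered listing above is easy to post-process. The following Python is an added example, not code from the post: it parses the output into records, then pulls out the rules an ACL review cares about, the never-hit ACEs and the permits that allow any IP protocol from any source. The sample input is the post's own output reproduced as a string; the rule-selection criteria are this example's choice.

```python
import re

# Added example, not from the post: parse the filtered "sh access-list"
# output into records and pull out the rules an audit cares about.
# SAMPLE is the post's own output, reproduced here as test input.
SAMPLE = """access-list 101; 86 elements; name hash: 0xe7d586b5
access-list 101 line 1 extended permit ip object-group WHITELIST-IPS any 0xc4d2a54e
access-list 101 line 2 extended permit icmp any any object-group ICMP-ALLOWED (hitcnt=576916) 0x994c9516
access-list 101 line 3 extended deny ip any host 192.168.199.254 (hitcnt=31708) 0x8e8cc2a6
access-list 101 line 5 remark !*!*!*!*!*!*!*!*!*!
access-list 101 line 6 remark RULES CONTROLLED BY AUTOMATION
access-list 101 line 7 remark !*!*!*!*!*!*!*!*!*!
access-list 101 line 8 extended permit ip host 1.1.1.1 host 10.179.72.125 (hitcnt=0) 0xa9809ff7
access-list 101 line 9 extended permit ip any host 10.179.72.125 (hitcnt=0) 0xa9809ff7
"""

# One ACE per line: "access-list <name> line <n> extended|remark <body> [(hitcnt=N)] [0xhash]".
# Lines the ASA indents are the per-member expansion of an object-group rule.
ACE_RE = re.compile(
    r"^(?P<indent>\s*)access-list (?P<acl>\S+) line (?P<line>\d+) "
    r"(?P<kind>extended|remark) ?(?P<body>.*?)"
    r"(?: \(hitcnt=(?P<hits>\d+)\))?(?: (?P<hash>0x[0-9a-f]{8}))?$"
)


def parse_access_list(text):
    """Return the top-level ACEs in order; the header and indented expansion lines are skipped."""
    rules = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw)
        if not m or m.group("indent"):
            continue
        body = m.group("body")
        rules.append({
            "acl": m.group("acl"),
            "line": int(m.group("line")),
            "kind": m.group("kind"),
            "action": body.split()[0] if m.group("kind") == "extended" else None,
            "body": body,
            # None when the ASA prints no counter (object-group parents, remarks)
            "hits": int(m.group("hits")) if m.group("hits") is not None else None,
            "hash": m.group("hash"),
        })
    return rules


def unused_rules(rules):
    """ACEs with an explicit hitcnt=0: never matched since the counters were cleared.
    Candidates for removal, or evidence that a rule above them shadows them."""
    return [r for r in rules if r["kind"] == "extended" and r["hits"] == 0]


def broad_permits(rules):
    """permit rules for any IP protocol from any source: the ones to justify first."""
    out = []
    for r in rules:
        tokens = r["body"].split()
        if r["action"] == "permit" and len(tokens) > 2 and tokens[1] == "ip" and tokens[2] == "any":
            out.append(r)
    return out


if __name__ == "__main__":
    parsed = parse_access_list(SAMPLE)
    for r in unused_rules(parsed):
        print(f"never hit: {r['acl']} line {r['line']}: {r['body']}")
    for r in broad_permits(parsed):
        print(f"broad permit: {r['acl']} line {r['line']}: {r['body']}")
```

Feed it the saved output of the filtered command; the regex only understands the top-level line format, which is exactly what the exclude filter leaves behind.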
Anonymoushttp://www.blogger.com/profile/07819763839528988809noreply@blogger.com0tag:blogger.com,1999:blog-1628743762748449041.post-35006776649114553382014-03-30T20:31:00.004+01:002014-03-30T20:39:42.019+01:00How to automatically prefill command on the Linux bashBash is one of the most widely used Linux shells. It offers a great number of features: spawning and controlling processes, redirecting streams, running scripts and a flexible way of controlling the edit line.<br />
<br />
<span style="font-size: large;">Problem </span><br />
<br />
How to automatically pre-populate a command on the shell after prompt.<br />
<br />
<span style="font-size: large;">Solution description</span><br />
<br />
Every process has three default streams: stdin, stdout and stderr. The shell reads what you type from stdin, which is connected to the terminal. If we can push characters into the terminal's input queue, the shell reads them exactly as if they had been typed, and the command appears at the prompt ready to be edited or run.<br />
<br />
<span style="font-size: large;">Reference implementation</span><br />
<br />
The original script can be found here: <a href="https://github.com/rtomaszewski/experiments/blob/master/type-command.c">https://github.com/rtomaszewski/experiments/blob/master/type-command.c</a><br />
<br />
<script src="https://gist.github.com/rtomaszewski/9878103.js"></script>
<span style="font-size: large;">Demonstration</span>
<br />
<ul>
<li><b>Compile first the program</b></li>
</ul>
<pre class="brush:text;">gcc -o type-command type-command.c</pre>
<ul>
<li><b>Run for the first time</b></li>
</ul>
<pre class="brush:text;"># ./type-command
type-command: the variable TYPE_CMD_ENABLED is not set, set it to 'no' to suppress this message; set the TYPE_CMD_TYPE for the command to type
Example: export TYPE_CMD_ENABLED=yes; export TYPE_CMD_TYPE=date</pre>
<ul>
<li><b>Export the variable to controls if the program should try to type a command or not</b></li>
</ul>
<pre class="brush:text;"># export TYPE_CMD_ENABLED=yes
# ./type-command
#</pre>
<ul>
<li><b>Specify the command that you wish to be typed</b></li>
</ul>
<pre class="brush:text;"># export TYPE_CMD_ENABLED=yes; export TYPE_CMD_TYPE=date
# ./type-command
# date
Sun Mar 30 19:27:55 UTC 2014>
</pre>
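The post's type-command.c is linked above rather than reproduced on this page. The following Python is an added example, not the author's code: it does the same job with the TIOCSTI ioctl, which is also what writevt.c from the references uses to push bytes into a terminal's input queue. The environment variable names follow the post; the refusal to inject a line break and the exit codes are this example's own choices.

```python
import fcntl
import os
import sys
import termios

# Added example (not the post's type-command.c): prefill the shell prompt by
# queueing bytes on the controlling terminal with the TIOCSTI ioctl.
# Linux value as a fallback in case the termios module lacks the constant.
TIOCSTI = getattr(termios, "TIOCSTI", 0x5412)


def plan_typed_command(enabled, cmd, max_len=256):
    """Decide what to type from the two environment values.

    Returns (command, None) when typing is wanted, (None, None) when it is
    disabled, and (None, reason) when enabled but unusable: empty, too long,
    or containing a line break. We only prefill; the user must press Enter,
    otherwise an injected newline would run the command unattended.
    """
    if enabled != "yes":
        return None, None
    if not cmd:
        return None, "TYPE_CMD_TYPE is not set"
    if "\n" in cmd or "\r" in cmd:
        return None, "refusing to inject a line break"
    if len(cmd.encode()) > max_len:
        return None, "command too long"
    return cmd, None


def inject_keystrokes(fd, text):
    """Queue text as input on the tty behind fd, one byte per TIOCSTI call.

    Raises OSError: EIO when the kernel refuses TIOCSTI (Linux 6.2+ with
    dev.tty.legacy_tiocsti=0 and no CAP_SYS_ADMIN), EPERM when fd is a tty
    other than our controlling one, ENOTTY/EBADF when fd is not a terminal.
    Returns the number of bytes queued.
    """
    data = text.encode()
    for i in range(len(data)):
        fcntl.ioctl(fd, TIOCSTI, data[i:i + 1])
    return len(data)


def main():
    cmd, error = plan_typed_command(os.environ.get("TYPE_CMD_ENABLED"),
                                    os.environ.get("TYPE_CMD_TYPE"))
    if error:
        print(f"type-command: {error}", file=sys.stderr)
        return 2
    if cmd is None:
        if "TYPE_CMD_ENABLED" not in os.environ:
            print("type-command: set TYPE_CMD_ENABLED=yes and TYPE_CMD_TYPE=<command>",
                  file=sys.stderr)
        return 0
    fd = os.open("/dev/tty", os.O_RDWR)   # the controlling terminal of this shell
    try:
        inject_keystrokes(fd, cmd)
    except OSError as exc:
        print(f"type-command: TIOCSTI failed: {exc}", file=sys.stderr)
        return 1
    finally:
        os.close(fd)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it from an interactive shell with the two variables exported, as in the demonstration above, and the command appears at the next prompt. The security angle is why this ioctl is worth knowing: any process that can open a tty can type into whatever is reading that tty, which is how a <span style="font-family: Courier New, Courier, monospace;">su</span> to a less privileged user, a sandbox or a container that shares its parent's terminal can push commands back into the parent shell. Because of that, Linux 6.2 made the call refusable: with CONFIG_LEGACY_TIOCSTI unset or <span style="font-family: Courier New, Courier, monospace;">sysctl dev.tty.legacy_tiocsti=0</span> it fails with EIO unless the caller has CAP_SYS_ADMIN, so on a current kernel check that sysctl before blaming the script.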
<br />
<span style="font-size: large;">References</span>
<br />
<br />
<a href="http://stackoverflow.com/questions/10866005/bash-how-to-prefill-command-line-input">http://stackoverflow.com/questions/10866005/bash-how-to-prefill-command-line-input</a><br />
<a href="http://stackoverflow.com/questions/11198603/inject-keystroke-to-different-process-using-bash">http://stackoverflow.com/questions/11198603/inject-keystroke-to-different-process-using-bash</a><br />
<a href="http://unix.stackexchange.com/questions/48103/construct-a-command-by-putting-a-string-into-a-tty">http://unix.stackexchange.com/questions/48103/construct-a-command-by-putting-a-string-into-a-tty</a><br />
<br />
<a href="http://fossies.org/linux/misc/old/console-tools-0.3.3.tar.gz%3at/console-tools-0.3.3/vttools/writevt.c">http://fossies.org/linux/misc/old/console-tools-0.3.3.tar.gz%3at/console-tools-0.3.3/vttools/writevt.c</a><br />
<br />
<a href="http://man7.org/linux/man-pages/man4/tty_ioctl.4.html">http://man7.org/linux/man-pages/man4/tty_ioctl.4.html</a><br />
<a href="http://man7.org/linux/man-pages/man3/tcflush.3.html">http://man7.org/linux/man-pages/man3/tcflush.3.html</a><br />
<a href="http://www.tldp.org/LDP/lpg/node143.html">http://www.tldp.org/LDP/lpg/node143.html</a><br />
<br />Anonymoushttp://www.blogger.com/profile/07819763839528988809noreply@blogger.com0tag:blogger.com,1999:blog-1628743762748449041.post-37255813562353709062014-03-29T21:54:00.002+00:002014-04-10T23:20:17.273+01:00How to create a sequence of replace commands to change your file<span style="font-size: large;">Use existing plugin: RegReplace</span><br />
<br />
We could write a custom plugin using the <a href="http://rtomaszewski.blogspot.co.uk/2014/03/how-to-write-plugin-for-sublime-editor.html">Sublime API</a>, or use a plugin that already promises this functionality: <a href="https://github.com/facelessuser/RegReplace">https://github.com/facelessuser/RegReplace</a><br />
<br />
<span style="font-size: large;">Demonstration</span><br />
<br />
We have the following structured but inconsistently formatted data that we would like to adjust so it is easier to read and work with.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirk4-bXRZDxtpCby20UPM0N-i7_D8agfhHXHLhxpOhncZS-fJ40acOMEtbBaQiFYyFdIZWwsn7ohXyOMiWvu3fjiEFPzJpkPNV82r0wIcis667ki9m4rOHbdTPD_xXE9e3KkL3EmzTSeU/s1600/transactions.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirk4-bXRZDxtpCby20UPM0N-i7_D8agfhHXHLhxpOhncZS-fJ40acOMEtbBaQiFYyFdIZWwsn7ohXyOMiWvu3fjiEFPzJpkPNV82r0wIcis667ki9m4rOHbdTPD_xXE9e3KkL3EmzTSeU/s1600/transactions.png" height="160" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSOdEUz3C09rZqAYwTyCjm9yEMYq0irk7jiVsmA3-ldreOEZSrUygP4B8QvaSXvfUnl-8w053cwp-vcbDQzksLXtG0-U1R3UP7XubJbvmw72qQhtKy9C-6sjv0PXV-AMZsMpRKZiMfZAs/s1600/orders.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSOdEUz3C09rZqAYwTyCjm9yEMYq0irk7jiVsmA3-ldreOEZSrUygP4B8QvaSXvfUnl-8w053cwp-vcbDQzksLXtG0-U1R3UP7XubJbvmw72qQhtKy9C-6sjv0PXV-AMZsMpRKZiMfZAs/s1600/orders.png" height="144" width="320" /></a></div>
<br />
To reformat the text we can use the above plugin and define a series of regexes that match and modify the text.<br />
<ul>
<li><b>Install the RegReplace plugin.</b></li>
<li><b>Create a <u>reg_replace.sublime-settings</u> file in your Sublime2\Data\Packages\User\ directory and define the regex commands we want to use.</b></li>
</ul>
<pre class="brush:text;">{
"replacements": {
// add the .<digit> when it is missing
"ig_order_add_dot_digit": {
"find": "([0-9][0-9]) at",
"replace": "\\1.0 at"
// "greedy": true,
// "case": false
},
"ig_order_add_dot_digit2": {
"find": "([0-9][0-9]) *- ",
"replace": "\\1.0 - ",
"greedy": true
},
"ig_order_fix_spaces": {
"find": "/(201[0-9]) *",
"replace": "/\\1 "
},
"ig_order_fix_spaces2": {
"find": "- - - ",
"replace": "- - - "
},
"ig_order_change_android_str": {
"find": "AndroidApp",
"replace": "AndrAp"
},
"ig_order_remove_str": {
"find": "/s ",
"replace": " ",
"greedy": true
},
"ig_order_fix_header": {
"find": "(Date) *(Time) *(Activity) *(Market) *(Period) *(Channel) *(Currency) *(Size) *(Level) *(Stop) *(Type) *(Limit) *(Result)",
"replace": "Date Time Activity Market Period Channel Cur Size Level Stop Type Limit Result",
"greedy": true
},
"ig_transactions_fix_header": {
"find": "(Type) *(Date) *(Ref) *(Market) *(Period) *(Opening) *(Ccy) *(Size) *(Closing) *(P/L)",
"replace": "Type Date Ref Market Period Opening Ccy Size Closing P/L",
"greedy": true
},
"ig_transactions_add_dot_digit": {
"find": "([0-9][0-9]) +£",
"replace": "\\1.0 £"
},
"ig_transactions_add_dot_digit2": {
"find": "(£ +.*\\..* +)([0-9]+) +",
"replace": "\\1\\2.0 "
},
"ig_transactions_fix_plus_minus_sign": {
"find": "([0-9]+\\.[0-9]+ +[0-9]+\\.[0-9]+ +)([0-9]+\\.[0-9]+)",
"replace": "\\1 \\2"
}
}
}</pre>
<ul>
<li><b>Define the final chained command to run and associate a keyboard shortcut with it in the <u>Default (Windows).sublime-keymap</u> file</b></li>
</ul>
<pre class="brush:text;">[
{
"keys": ["alt+ctrl+t"],
"command": "reg_replace",
"args": {"replacements": [
// orders
"ig_order_add_dot_digit",
"ig_order_add_dot_digit2",
"ig_order_fix_spaces",
"ig_order_fix_spaces2",
"ig_order_change_android_str",
"ig_order_remove_str",
"ig_order_fix_header",
// transactions
"ig_transactions_fix_header",
"ig_transactions_add_dot_digit",
"ig_transactions_add_dot_digit2",
"ig_transactions_fix_plus_minus_sign"
], "find_only": true}
}
]</pre>
<ul>
<li><b>When you activate the chained regex command it first shows which parts of the file are going to be changed</b></li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjm2iIyuopv1FshOEDbvvhBZ5MFzQHH1K3CQBTkuRb-08FM2ERWP-XF5ykTXGRjb8iUQnaY3OyHSBRBzptI3B6v8Angz6muu0C4wN2CuST-vbICJRqLE9NCpCmSZpRNQFUqZrd_xg1aeuw/s1600/regex-active.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjm2iIyuopv1FshOEDbvvhBZ5MFzQHH1K3CQBTkuRb-08FM2ERWP-XF5ykTXGRjb8iUQnaY3OyHSBRBzptI3B6v8Angz6muu0C4wN2CuST-vbICJRqLE9NCpCmSZpRNQFUqZrd_xg1aeuw/s1600/regex-active.png" height="129" width="320" /></a></div>
<ul>
<li><b>Accept the "yes" option at the bottom and reformat the file</b></li>
</ul>
Anonymoushttp://www.blogger.com/profile/07819763839528988809noreply@blogger.com0tag:blogger.com,1999:blog-1628743762748449041.post-52220170553524618992014-03-29T21:31:00.001+00:002014-03-29T21:31:08.356+00:00How to write a plugin for Sublime editorBelow is a list of links to the Sublime API and Sublime commands documentation, for when you want to write a custom plugin.<br />
<br />
<span style="font-size: large;">Sublime API</span><br />
<br />
<a href="https://www.sublimetext.com/docs/api-reference">https://www.sublimetext.com/docs/api-reference</a><br />
<a href="https://www.sublimetext.com/docs/2/api_reference.html">https://www.sublimetext.com/docs/2/api_reference.html</a><br />
<br />
<span style="font-size: large;">Commands </span><br />
<br />
<a href="http://sublimetext.info/docs/en/core/commands.html">http://sublimetext.info/docs/en/core/commands.html</a><br />
<a href="http://www.sublimetext.com/docs/commands">http://www.sublimetext.com/docs/commands</a><br />
<br />
<span style="font-size: large;">Debug best practices </span><br />
<br />
Once you follow the steps below, everything you do in the editor will be logged to the console.<br />
<ul>
<li><b>Open Sublime console: Ctrl+~</b></li>
<li><b>Enable verbose and debug within the editor</b></li>
</ul>
<pre class="brush:text">sublime.log_commands(True)
sublime.log_input(True)</pre>
<ul>
<li><b>Example commands to try on the console </b></li>
</ul>
<pre class="brush:text">view.run_command("goto_line", {"line": 7})
view.window().run_command("show_minimap", {"key": True})
</pre>
<br />
<br />
<br />Anonymoushttp://www.blogger.com/profile/07819763839528988809noreply@blogger.com0tag:blogger.com,1999:blog-1628743762748449041.post-52517621790780994122014-03-14T22:21:00.000+00:002014-03-18T13:14:41.852+00:00Interface redundancy on the host with TCP MultipathTCP and UDP protocols are used exchange data between hosts. They have been used for a decade or longer and are very well documented how they work.<br />
<br />
Everyone knows the problem: when the active link on your server goes down, all your TCP sessions die with it. Say your server has two active interfaces. By default there is no way to move a TCP session over to the other interface; the second link can't be used automatically as a fallback.<br />
<br />
There are a couple of reasons why this can't work; the simplest is that the other link uses a different IP address. Even if the Linux kernel started sending the TCP segments out of the new interface, sourced from its IP address, the remote side would not recognise them: a TCP connection is identified by one source and one destination address and port pair, and the remote end expects segments from one and only one source IP.<br />
<br />
<span style="font-size: large;">Problem</span><br />
<br />
How to provide link-level redundancy on the server so that a TCP session stays alive even if one interface fails.<br />
<br />
<span style="font-size: large;">Analysis and solution demonstration</span><br />
<br />
The problem can be seen as the more generic issue of how to implement <a href="http://en.wikipedia.org/wiki/Multihoming">multihoming</a> or link redundancy. There are a couple of working solutions out there. The simplest example:<br />
<ul>
<li>Link bonding (link aggregation) on the server; requires support and proper configuration on both the switch and the server</li>
</ul>
We will look at another one: <a href="http://multipath-tcp.org/">Multipath TCP</a>. What is nice about it is that it is transparent to your application. It virtualises the connection: the application sees a single TCP session, while the kernel spreads it over several subflows, one per path, and keeps it alive as long as at least one path is up. One caveat for security people: because the subflows can take different routes, a firewall or IDS that sees only one of them sees only part of the stream, so a middlebox that does payload inspection either needs to understand MPTCP or MPTCP should be disabled where that box sits.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/02nBaaIoFWU?feature=player_embedded' frameborder='0'></iframe></div>
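The demonstration above used the out-of-tree multipath-tcp.org kernel of 2014. Since Linux 5.6 the upstream kernel ships its own MPTCP implementation, selected per socket with the protocol number IPPROTO_MPTCP (262) and switched globally with the net.mptcp.enabled sysctl. The following Python is an added example, not code from the post or from multipath-tcp.org: it checks the sysctl, opens an MPTCP socket when the kernel offers one and falls back to plain TCP otherwise, so an application can opt in without breaking on hosts that lack it.

```python
import errno
import socket

# Added example, not from the post. Upstream Linux (5.6+) protocol number;
# the socket module exposes it on recent Python versions, older ones get the
# literal value.
IPPROTO_MPTCP = getattr(socket, "IPPROTO_MPTCP", 262)


def kernel_mptcp_enabled(path="/proc/sys/net/mptcp/enabled"):
    """True/False from net.mptcp.enabled, None when the kernel has no MPTCP at all."""
    try:
        with open(path) as f:
            return f.read().strip() == "1"
    except OSError:
        return None


def mptcp_socket(family=socket.AF_INET):
    """Return (sock, is_mptcp): an MPTCP socket when available, else plain TCP.

    EPROTONOSUPPORT means the kernel was built without MPTCP, ENOPROTOOPT
    means it is present but net.mptcp.enabled is 0; anything else is a real
    error and is re-raised. A connection made on the MPTCP socket still
    degrades to ordinary TCP if the peer ignores the MP_CAPABLE option.
    """
    try:
        return socket.socket(family, socket.SOCK_STREAM, IPPROTO_MPTCP), True
    except OSError as exc:
        if exc.errno not in (errno.EPROTONOSUPPORT, errno.ENOPROTOOPT, errno.EINVAL):
            raise
        return socket.socket(family, socket.SOCK_STREAM), False


def probe():
    """Open and close a socket, reporting what this host offers."""
    sock, is_mptcp = mptcp_socket()
    try:
        return {
            "kernel_enabled": kernel_mptcp_enabled(),
            "is_mptcp": is_mptcp,
            "proto": sock.proto,   # 262 for MPTCP, 0 or 6 for the TCP fallback
        }
    finally:
        sock.close()


if __name__ == "__main__":
    print(probe())
```

On a host where the probe reports is_mptcp True, a connect() on that socket to an MPTCP-capable peer negotiates the extra subflows for you, one per local address, and <span style="font-family: Courier New, Courier, monospace;">ss -M</span> lists the resulting MPTCP sockets; if the peer is plain TCP the connection still works, just without the redundancy.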
<br />
<span style="font-size: large;">References </span><br />
<br />
<a href="http://multipath-tcp.org/">http://multipath-tcp.org/</a><br />
<a href="http://queue.acm.org/detail.cfm?id=2591369">Decoupled from IP, TCP is at last able to support multihomed hosts</a><br />
<a href="https://devcentral.f5.com/articles/multipath-tcp-mptcp">https://devcentral.f5.com/articles/multipath-tcp-mptcp</a><br />
<a href="https://devcentral.f5.com/articles/the-evolution-of-tcp">https://devcentral.f5.com/articles/the-evolution-of-tcp</a><br />
<br />
<br />Anonymoushttp://www.blogger.com/profile/07819763839528988809noreply@blogger.com0tag:blogger.com,1999:blog-1628743762748449041.post-56366441813168623152014-03-08T23:54:00.003+00:002014-03-08T23:54:40.292+00:00How to build a high performance network appliance like routers using commodity hardware and off the shelf componentsYou can assemble a server from off the shelf components that will be able to sent and receive traffic in multi Gigabit speed. Here is an example of an <a href="http://www.newegg.com/Product/Product.aspx?Item=N82E16833106075">10Gps net card from Intel</a>.<br />
<br />
But can we turn this server into a high performance network appliance? Or do we still need dedicated hardware such as ASICs, FPGAs, low latency RAM and TCAM in network devices so they can switch and forward packets efficiently at wire speed?<br />
<br />
<span style="font-size: large;">Router </span><span style="font-size: large;">hardware design plan</span><br />
<br />
Looking at this presentation from 2012, <a href="https://ripe64.ripe.net/presentations/18-ripe-64-router-architecture-challenges.pdf">https://ripe64.ripe.net/presentations/18-ripe-64-router-architecture-challenges.pdf</a>, you would think so. These would be the obvious reasons (screenshots taken from the presentation):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUnU8v7Iv0rwuSKGqRZdzLV64ymUOmmSjR_4wuKByHw-2zpKPzs9tN19jpel6TsrRGOfVs3J8TlPAwjoaaWdG08ODyZ0oWqywkETO6KsmjZagdw1Tb1TcMer20IrTavkS7Dv9qzXQqFVM/s1600/asic.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUnU8v7Iv0rwuSKGqRZdzLV64ymUOmmSjR_4wuKByHw-2zpKPzs9tN19jpel6TsrRGOfVs3J8TlPAwjoaaWdG08ODyZ0oWqywkETO6KsmjZagdw1Tb1TcMer20IrTavkS7Dv9qzXQqFVM/s1600/asic.png" height="241" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi25u1xe5BWHelmwV7Owdbsuo8EIsUEX95NgbCOBr4ccL7jLf8speo61jjYzziWxwXgfOg__KezjsdzzRWOZRgNi7-I5LogclL4-CsCN-y28goEBDo_-lCY2aIAoyd0eIpLs48cTn_tXHM/s1600/memory-latency.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi25u1xe5BWHelmwV7Owdbsuo8EIsUEX95NgbCOBr4ccL7jLf8speo61jjYzziWxwXgfOg__KezjsdzzRWOZRgNi7-I5LogclL4-CsCN-y28goEBDo_-lCY2aIAoyd0eIpLs48cTn_tXHM/s1600/memory-latency.png" height="240" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioNZ9fwIdL-xpEU96H75WaqC50aIQ5IGGjyt1fnv-tgZgIQewAVibnWEMJGbSypfFSiN_oniDEafiNf6ShXnnaRXCVgqIbbRP8bvdNoSr7p450rAzAa9Qb8Q_nS9dpfM3HJI1N8vCzzew/s1600/ram-technologies.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioNZ9fwIdL-xpEU96H75WaqC50aIQ5IGGjyt1fnv-tgZgIQewAVibnWEMJGbSypfFSiN_oniDEafiNf6ShXnnaRXCVgqIbbRP8bvdNoSr7p450rAzAa9Qb8Q_nS9dpfM3HJI1N8vCzzew/s1600/ram-technologies.png" height="241" width="320" /></a></div>
<br />
<br />
<span style="font-size: large;">Network processing unit (NPU) and new hardware design</span><br />
<br />
The key points listed above still hold. But the next generation of network appliances will rather be built with the help of multicore, general purpose <a href="http://en.wikipedia.org/wiki/Network_Processing_Unit">NPUs</a>, using the power of parallel processing, than with expensive, purpose-designed ASICs. With the right software (OS, often Linux, plus drivers, firmware, SDK and API libraries) you can turn a conventional x86 server with a modern PCIe bus into a high performance, low latency, high speed network appliance.<br />
<br />
<a href="http://www.datacenterknowledge.com/archives/2014/03/06/netronome-network-cards-accelerate-sdn-and-nfv-designs/">Netronome Network Cards Accelerate SDN and NFV Designs</a><br />
100 Gbps <a href="http://www.netronome.com/product/flownics/">FlowNIC-6xxx network card</a><br />
<a href="http://www.netronome.com/hardware-reference-designs/">Hardware reference designs for FlowProcessor NPU chips</a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihNg9VzA2WPlOZkJCqhGrSrnDpgnWYXOEYneRRoOEb4REIYC9qJH5u9ysmytsedbuzV5EaTyWg0HuvO3H0rFGwRukbbRHJGGAv8pooBuDKhUqLmNWcrV5P6PMtO3p1IKVXy3S-bwJs3cU/s1600/network-appliance-flowProcessor-nfp-netronome.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihNg9VzA2WPlOZkJCqhGrSrnDpgnWYXOEYneRRoOEb4REIYC9qJH5u9ysmytsedbuzV5EaTyWg0HuvO3H0rFGwRukbbRHJGGAv8pooBuDKhUqLmNWcrV5P6PMtO3p1IKVXy3S-bwJs3cU/s1600/network-appliance-flowProcessor-nfp-netronome.jpg" height="224" width="640" /></a></div>
<br />
<br />Anonymoushttp://www.blogger.com/profile/07819763839528988809noreply@blogger.com0tag:blogger.com,1999:blog-1628743762748449041.post-51570967845874605112014-03-02T17:10:00.000+00:002014-03-02T17:17:21.855+00:00How to do URL based load balancing on F5 There are many load balancers out there. Some of them offer a great flexibility to control the traffic by allowing a user to upload a custom script that implement the load balancing algorithm to solve a particular problem.<br />
<br />
<span style="font-size: large;">Problem</span><br />
<br />
How to do HTTP URL based load balancing on F5.<br />
<br />
<span style="font-size: large;">Solution and demonstration</span><br />
<br />
This is an <a href="https://devcentral.f5.com/irules">iRule</a> script that inspects the URI of the HTTP GET request to decide which pool to load balance it to: <a href="https://github.com/rtomaszewski/f5/blob/master/lb-based-on-url.tcl">https://github.com/rtomaszewski/f5/blob/master/lb-based-on-url.tcl</a>.<br />
<br />
Create default pool<br />
<br />
<script src="https://gist.github.com/rtomaszewski/9309342.js"></script>
Create VIP<br />
<br />
<script src="https://gist.github.com/rtomaszewski/9309386.js"></script>
Create custom pools <br />
<script src="https://gist.github.com/rtomaszewski/9309412.js"></script>
<br />
<span style="font-size: large;">Testing</span><br />
<br />
To verify that our iRule is working properly we can enable debugging by setting the iRule variable DEBUG to 1.<br />
<br />
Next we can simulate traffic<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">curl -v http://vip/</span><br />
<span style="font-family: Courier New, Courier, monospace;">curl -v http://vip/url1</span><br />
<span style="font-family: Courier New, Courier, monospace;">curl -v http://vip/url2</span><br />
<span style="font-family: Courier New, Courier, monospace;">curl -v http://vip/url3</span><br />
<br />
And watch the logs on the lb.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">tail -f /var/log/ltm</span><br />
<br />
<pre>
<span style="font-family: Courier New, Courier, monospace;">Mar 2 15:49:37 local/tmm1 info tmm1[5232]: Rule rule-url-lb-vip-80 <HTTP_REQUEST>: '11.22.33.44': HTTP::uri eq /
Mar 2 15:49:37 local/tmm1 info tmm1[5232]: Rule rule-url-lb-vip-80 <HTTP_REQUEST>: '11.22.33.44': sent traffic to pool pool-vip-80
Mar 2 15:49:37 local/tmm info tmm[5231]: Rule rule-url-lb-vip-80 <HTTP_REQUEST>: '11.22.33.44': HTTP::uri eq /url1
Mar 2 15:49:37 local/tmm info tmm[5231]: Rule rule-url-lb-vip-80 <HTTP_REQUEST>: '11.22.33.44': sent traffic to pool pool-vip-80-url1
Mar 2 15:49:37 local/tmm1 info tmm1[5232]: Rule rule-url-lb-vip-80 <HTTP_REQUEST>: '11.22.33.44': HTTP::uri eq /url2
Mar 2 15:49:37 local/tmm1 info tmm1[5232]: Rule rule-url-lb-vip-80 <HTTP_REQUEST>: '11.22.33.44': sent traffic to pool pool-vip-80-url2
Mar 2 15:49:37 local/tmm1 info tmm1[5232]: Rule rule-url-lb-vip-80 <HTTP_REQUEST>: '11.22.33.44': HTTP::uri eq /url3
Mar 2 15:49:37 local/tmm1 info tmm1[5232]: Rule rule-url-lb-vip-80 <HTTP_REQUEST>: '11.22.33.44': sent traffic to pool pool-vip-80-url3
</span>
</pre>
<br />
<br />
<span style="font-size: large;">Reference</span><br />
<br />
<a href="https://devcentral.f5.com/wiki/iRules.HomePage.ashx">https://devcentral.f5.com/wiki/iRules.HomePage.ashx</a><br />
<br />Anonymoushttp://www.blogger.com/profile/07819763839528988809noreply@blogger.com0tag:blogger.com,1999:blog-1628743762748449041.post-57862491395912926512014-02-24T19:15:00.003+00:002014-03-30T15:22:03.048+01:00Dirty trick how to analysis ASA performance based on interface overruns and underruns<br />
There are a number of <a href="http://www.satisnet.co.uk/blog/palo-alto-networks-strengthens-its-leadership-position-in-the-latest-gartner-magic-quadrant-for-enterprise-network-firewalls/">firewall vendors</a> on the market you can choose from (other links to the Gartner magic quadrant for firewalls <a href="http://www.silicon.hu/sites/default/files/files/Gartner_FW_2011.pdf">here</a> and <a href="http://www.itogether.co.uk/wp-content/uploads/2011/12/gartner-magic-quadrant-2011.pdf">here</a>). Every vendor has a product line ranging from low to high end firewalls. An example product list for Cisco ASA can be seen here: <a href="http://www.cisco.com/c/en/us/products/security/asa-5500-series-next-generation-firewalls/models-comparison.html#~tab-b">http://www.cisco.com/c/en/us/products/security/asa-5500-series-next-generation-firewalls/models-comparison.html#~tab-b</a><br />
<br />
<span style="font-size: large;">Problem</span><br />
<br />
I can see underruns and overruns in my firewall's interface stats, and the counters keep increasing.<br />
<br />
<span style="font-size: large;">Solution</span><br />
<br />
This is rather a dirty trick; your monitoring system should be graphing the interface stats for you. But if, like me, you have no visibility into interface statistics of the kind Zenoss, Cacti, Zabbix or another monitoring system would give you, you may need to check them by hand. What the counters mean: an overrun is counted when frames arrive faster than the firewall can drain the interface's receive buffers, so those frames are dropped on input; an underrun is the transmit-side equivalent. A counter that keeps climbing tells you the box is losing packets under load, whether that load is legitimate traffic or a flood.<br />
<ul>
<li>We need to first start collecting data so we can look at it later.</li>
</ul>
Run the commands below at least once a day and save the output in a file: 1.txt, 2.txt, etc.<br />
<br />
<pre class="brush:text">sh clock
sh int</pre>
<ul>
<li>After some time you should have a collection of files </li>
</ul>
<pre class="brush:text">$ ls -1 *.txt
1.txt
2.txt
3.txt
4.1.txt
4.2.txt
5.1.txt
6.1.txt
8.txt
</pre>
<br />
<div>
An example output file can be seen here: <a href="https://github.com/rtomaszewski/experiments/blob/master/asa-interfaces-example.txt">https://github.com/rtomaszewski/experiments/blob/master/asa-interfaces-example.txt</a></div>
<div>
<ul>
<li>Download the script <a href="https://github.com/rtomaszewski/experiments/blob/master/asa-interfaces.sh">asa-interfaces.sh</a> and run it </li>
</ul>
</div>
<pre class="brush:text">bash asa-interfaces.sh
</pre>
<br />
Based on the files you collected it generates stats for every interface (the timestamp is in the last column). Example output:<br />
<br />
<pre class="brush:text">Interface GigabitEthernet0/0 "outside", is up, line protocol is up
  31 input errors, 0 CRC, 0 frame, 31 overrun, 0 ignored, 0 abort 07:48:45.631 cst Wed Feb 12 2014
  31 input errors, 0 CRC, 0 frame, 31 overrun, 0 ignored, 0 abort 05:38:08.573 cst Thu Feb 13 2014
  31 input errors, 0 CRC, 0 frame, 31 overrun, 0 ignored, 0 abort 03:37:26.853 cst Fri Feb 14 2014
  94 input errors, 0 CRC, 0 frame, 94 overrun, 0 ignored, 0 abort 03:52:52.523 cst Wed Feb 19 2014
  94 input errors, 0 CRC, 0 frame, 94 overrun, 0 ignored, 0 abort 10:03:08.799 cst Wed Feb 19 2014
  94 input errors, 0 CRC, 0 frame, 94 overrun, 0 ignored, 0 abort 06:11:22.244 cst Thu Feb 20 2014
  104 input errors, 0 CRC, 0 frame, 104 overrun, 0 ignored, 0 abort 08:35:21.315 cst Sun Feb 23 2014
  104 input errors, 0 CRC, 0 frame, 104 overrun, 0 ignored, 0 abort 08:22:57.704 cst Mon Feb 24 2014
Interface GigabitEthernet0/1 "dmz", is up, line protocol is up
  719 input errors, 0 CRC, 0 frame, 719 overrun, 0 ignored, 0 abort 07:48:45.631 cst Wed Feb 12 2014
  719 input errors, 0 CRC, 0 frame, 719 overrun, 0 ignored, 0 abort 05:38:08.573 cst Thu Feb 13 2014
  734 input errors, 0 CRC, 0 frame, 734 overrun, 0 ignored, 0 abort 03:37:26.853 cst Fri Feb 14 2014
  1502 input errors, 0 CRC, 0 frame, 1502 overrun, 0 ignored, 0 abort 03:52:52.523 cst Wed Feb 19 2014
  1794 input errors, 0 CRC, 0 frame, 1794 overrun, 0 ignored, 0 abort 10:03:08.799 cst Wed Feb 19 2014
  1881 input errors, 0 CRC, 0 frame, 1881 overrun, 0 ignored, 0 abort 06:11:22.244 cst Thu Feb 20 2014
  1921 input errors, 0 CRC, 0 frame, 1921 overrun, 0 ignored, 0 abort 08:35:21.315 cst Sun Feb 23 2014
  1971 input errors, 0 CRC, 0 frame, 1971 overrun, 0 ignored, 0 abort 08:22:57.704 cst Mon Feb 24 2014
Interface GigabitEthernet0/2 "myapp1", is up, line protocol is up
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 07:48:45.631 cst Wed Feb 12 2014
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 05:38:08.573 cst Thu Feb 13 2014
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 03:37:26.853 cst Fri Feb 14 2014
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 03:52:52.523 cst Wed Feb 19 2014
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 10:03:08.799 cst Wed Feb 19 2014
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 06:11:22.244 cst Thu Feb 20 2014
  1 input errors, 0 CRC, 0 frame, 1 overrun, 0 ignored, 0 abort 08:35:21.315 cst Sun Feb 23 2014
  1 input errors, 0 CRC, 0 frame, 1 overrun, 0 ignored, 0 abort 08:22:57.704 cst Mon Feb 24 2014
Interface GigabitEthernet0/3 "state-failover", is up, line protocol is up
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 07:48:45.631 cst Wed Feb 12 2014
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 05:38:08.573 cst Thu Feb 13 2014
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 03:37:26.853 cst Fri Feb 14 2014
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 03:52:52.523 cst Wed Feb 19 2014
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 10:03:08.799 cst Wed Feb 19 2014
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 06:11:22.244 cst Thu Feb 20 2014
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 08:35:21.315 cst Sun Feb 23 2014
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 08:22:57.704 cst Mon Feb 24 2014
</pre>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Interface Management0/0 "lan-failover", is up, line protocol is up</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 07:48:45.631 cst Wed Feb 12 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 05:38:08.573 cst Thu Feb 13 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 03:37:26.853 cst Fri Feb 14 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 03:52:52.523 cst Wed Feb 19 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 10:03:08.799 cst Wed Feb 19 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 06:11:22.244 cst Thu Feb 20 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 08:35:21.315 cst Sun Feb 23 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 08:22:57.704 cst Mon Feb 24 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Interface GigabitEthernet1/0 "inside", is up, line protocol is up</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 364 input errors, 0 CRC, 0 frame, 364 overrun, 0 ignored, 0 abort 07:48:45.631 cst Wed Feb 12 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 382 input errors, 0 CRC, 0 frame, 382 overrun, 0 ignored, 0 abort 05:38:08.573 cst Thu Feb 13 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 392 input errors, 0 CRC, 0 frame, 392 overrun, 0 ignored, 0 abort 03:37:26.853 cst Fri Feb 14 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 444 input errors, 0 CRC, 0 frame, 444 overrun, 0 ignored, 0 abort 03:52:52.523 cst Wed Feb 19 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 444 input errors, 0 CRC, 0 frame, 444 overrun, 0 ignored, 0 abort 10:03:08.799 cst Wed Feb 19 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 468 input errors, 0 CRC, 0 frame, 468 overrun, 0 ignored, 0 abort 06:11:22.244 cst Thu Feb 20 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 707 input errors, 0 CRC, 0 frame, 707 overrun, 0 ignored, 0 abort 08:35:21.315 cst Sun Feb 23 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 756 input errors, 0 CRC, 0 frame, 756 overrun, 0 ignored, 0 abort 08:22:57.704 cst Mon Feb 24 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Interface GigabitEthernet1/1 "app2", is up, line protocol is up</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 640 input errors, 0 CRC, 0 frame, 640 overrun, 0 ignored, 0 abort 07:48:45.631 cst Wed Feb 12 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 658 input errors, 0 CRC, 0 frame, 658 overrun, 0 ignored, 0 abort 05:38:08.573 cst Thu Feb 13 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 683 input errors, 0 CRC, 0 frame, 683 overrun, 0 ignored, 0 abort 03:37:26.853 cst Fri Feb 14 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 797 input errors, 0 CRC, 0 frame, 797 overrun, 0 ignored, 0 abort 03:52:52.523 cst Wed Feb 19 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 811 input errors, 0 CRC, 0 frame, 811 overrun, 0 ignored, 0 abort 10:03:08.799 cst Wed Feb 19 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 863 input errors, 0 CRC, 0 frame, 863 overrun, 0 ignored, 0 abort 06:11:22.244 cst Thu Feb 20 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 984 input errors, 0 CRC, 0 frame, 984 overrun, 0 ignored, 0 abort 08:35:21.315 cst Sun Feb 23 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 1052 input errors, 0 CRC, 0 frame, 1052 overrun, 0 ignored, 0 abort 08:22:57.704 cst Mon Feb 24 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Interface GigabitEthernet1/2 "", is administratively down, line protocol is down</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 07:48:45.631 cst Wed Feb 12 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 05:38:08.573 cst Thu Feb 13 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 03:37:26.853 cst Fri Feb 14 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 03:52:52.523 cst Wed Feb 19 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 10:03:08.799 cst Wed Feb 19 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 06:11:22.244 cst Thu Feb 20 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 08:35:21.315 cst Sun Feb 23 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 08:22:57.704 cst Mon Feb 24 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Interface GigabitEthernet0/0 "outside", is up, line protocol is up</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 646983182 packets output, 473597063148 bytes, 0 underruns 07:48:45.631 cst Wed Feb 12 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 700155558 packets output, 509814505730 bytes, 0 underruns 05:38:08.573 cst Thu Feb 13 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 753341661 packets output, 546026853810 bytes, 0 underruns 03:37:26.853 cst Fri Feb 14 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 1025937535 packets output, 734304301602 bytes, 0 underruns 03:52:52.523 cst Wed Feb 19 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 1054530605 packets output, 761409276094 bytes, 0 underruns 10:03:08.799 cst Wed Feb 19 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 1105491616 packets output, 798565630885 bytes, 0 underruns 06:11:22.244 cst Thu Feb 20 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 1264871240 packets output, 907739984962 bytes, 0 underruns 08:35:21.315 cst Sun Feb 23 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 1315876113 packets output, 943680519398 bytes, 0 underruns 08:22:57.704 cst Mon Feb 24 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Interface GigabitEthernet0/1 "dmz", is up, line protocol is up</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 985243431 packets output, 309823858329 bytes, 459 underruns 07:48:45.631 cst Wed Feb 12 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 1070533450 packets output, 336205856058 bytes, 459 underruns 05:38:08.573 cst Thu Feb 13 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 1159894277 packets output, 366047579951 bytes, 483 underruns 03:37:26.853 cst Fri Feb 14 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 1596471490 packets output, 500836893219 bytes, 483 underruns 03:52:52.523 cst Wed Feb 19 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 1635530484 packets output, 511489408071 bytes, 483 underruns 10:03:08.799 cst Wed Feb 19 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 1722164227 packets output, 536769375853 bytes, 483 underruns 06:11:22.244 cst Thu Feb 20 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 2032554621 packets output, 636075162304 bytes, 2831 underruns 08:35:21.315 cst Sun Feb 23 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 2174454722 packets output, 688313076839 bytes, 2831 underruns 08:22:57.704 cst Mon Feb 24 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Interface GigabitEthernet0/2 "myapp1", is up, line protocol is up</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 1968362 packets output, 524301440 bytes, 0 underruns 07:48:45.631 cst Wed Feb 12 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 1987058 packets output, 526612914 bytes, 0 underruns 05:38:08.573 cst Thu Feb 13 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 2005883 packets output, 528940672 bytes, 0 underruns 03:37:26.853 cst Fri Feb 14 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 4036852 packets output, 3167775775 bytes, 2831 underruns 03:52:52.523 cst Wed Feb 19 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 13676338 packets output, 15853359823 bytes, 2831 underruns 10:03:08.799 cst Wed Feb 19 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 23861856 packets output, 16649050850 bytes, 3052 underruns 06:11:22.244 cst Thu Feb 20 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 66743830 packets output, 20187731129 bytes, 5941 underruns 08:35:21.315 cst Sun Feb 23 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 80290600 packets output, 21286340673 bytes, 6860 underruns 08:22:57.704 cst Mon Feb 24 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Interface GigabitEthernet0/3 "state-failover", is up, line protocol is up</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 16582048 packets output, 17699836232 bytes, 0 underruns 07:48:45.631 cst Wed Feb 12 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 17971640 packets output, 19234649922 bytes, 0 underruns 05:38:08.573 cst Thu Feb 13 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 19380417 packets output, 20791969660 bytes, 0 underruns 03:37:26.853 cst Fri Feb 14 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 26970739 packets output, 29162172960 bytes, 0 underruns 03:52:52.523 cst Wed Feb 19 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 27259841 packets output, 29471830004 bytes, 0 underruns 10:03:08.799 cst Wed Feb 19 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 29612954 packets output, 32141440890 bytes, 0 underruns 06:11:22.244 cst Thu Feb 20 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 39077736 packets output, 42912691094 bytes, 0 underruns 08:35:21.315 cst Sun Feb 23 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 42074827 packets output, 46322035220 bytes, 0 underruns 08:22:57.704 cst Mon Feb 24 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Interface Management0/0 "lan-failover", is up, line protocol is up</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 1863787 packets output, 265441230 bytes, 0 underruns 07:48:45.631 cst Wed Feb 12 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 1977505 packets output, 281732398 bytes, 0 underruns 05:38:08.573 cst Thu Feb 13 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 2091970 packets output, 298145244 bytes, 0 underruns 03:37:26.853 cst Fri Feb 14 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 2718733 packets output, 387975068 bytes, 0 underruns 03:52:52.523 cst Wed Feb 19 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 2750523 packets output, 392530668 bytes, 0 underruns 10:03:08.799 cst Wed Feb 19 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 2855417 packets output, 407567752 bytes, 0 underruns 06:11:22.244 cst Thu Feb 20 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 3242848 packets output, 463113612 bytes, 0 underruns 08:35:21.315 cst Sun Feb 23 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 3366749 packets output, 480878922 bytes, 0 underruns 08:22:57.704 cst Mon Feb 24 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Interface GigabitEthernet1/0 "inside", is up, line protocol is up</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 229534738 packets output, 55157234973 bytes, 0 underruns 07:48:45.631 cst Wed Feb 12 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 249682890 packets output, 59948227086 bytes, 0 underruns 05:38:08.573 cst Thu Feb 13 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 272763726 packets output, 66350185657 bytes, 0 underruns 03:37:26.853 cst Fri Feb 14 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 378020447 packets output, 91307448807 bytes, 0 underruns 03:52:52.523 cst Wed Feb 19 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 384704374 packets output, 93165635304 bytes, 0 underruns 10:03:08.799 cst Wed Feb 19 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 402556578 packets output, 97469565455 bytes, 0 underruns 06:11:22.244 cst Thu Feb 20 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 492798902 packets output, 119550853698 bytes, 0 underruns 08:35:21.315 cst Sun Feb 23 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 564346002 packets output, 137603523999 bytes, 0 underruns 08:22:57.704 cst Mon Feb 24 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Interface GigabitEthernet1/1 "app2", is up, line protocol is up</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 142287604 packets output, 56966204294 bytes, 0 underruns 07:48:45.631 cst Wed Feb 12 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 154809474 packets output, 62049309926 bytes, 0 underruns 05:38:08.573 cst Thu Feb 13 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 167733332 packets output, 67152657884 bytes, 0 underruns 03:37:26.853 cst Fri Feb 14 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 231962627 packets output, 93689642614 bytes, 0 underruns 03:52:52.523 cst Wed Feb 19 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 235640974 packets output, 95384548398 bytes, 0 underruns 10:03:08.799 cst Wed Feb 19 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 249769631 packets output, 103735197461 bytes, 0 underruns 06:11:22.244 cst Thu Feb 20 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 290301462 packets output, 119748550482 bytes, 0 underruns 08:35:21.315 cst Sun Feb 23 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 303003248 packets output, 125098088305 bytes, 0 underruns 08:22:57.704 cst Mon Feb 24 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Interface GigabitEthernet1/2 "", is administratively down, line protocol is down</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0 packets output, 0 bytes, 0 underruns 07:48:45.631 cst Wed Feb 12 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0 packets output, 0 bytes, 0 underruns 05:38:08.573 cst Thu Feb 13 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0 packets output, 0 bytes, 0 underruns 03:37:26.853 cst Fri Feb 14 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0 packets output, 0 bytes, 0 underruns 03:52:52.523 cst Wed Feb 19 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0 packets output, 0 bytes, 0 underruns 10:03:08.799 cst Wed Feb 19 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0 packets output, 0 bytes, 0 underruns 06:11:22.244 cst Thu Feb 20 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0 packets output, 0 bytes, 0 underruns 08:35:21.315 cst Sun Feb 23 2014</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0 packets output, 0 bytes, 0 underruns 08:22:57.704 cst Mon Feb 24 2014</span><br />
<div>
<br /></div>
Once you have the data in front of you, you can easily see how the stats change over a longer period of time, such as a week.<br />
<br />
In my case we suspected that the firewall had hit its capacity limit, but further investigation confirmed that the device is doing well and no upgrade is necessary.<br />
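As an added example (not the post's own script), a small Python parser for the snapshot layout above: it groups the timestamped counter lines per interface, merges the input-error and packets-output blocks of the same interface by timestamp, and reports which interfaces' overrun/underrun counters grew between consecutive snapshots. The sample lines are taken from the output above; the function names are my own.<br />

```python
"""Parse per-day ASA 'show interface' counter snapshots and compute how each
counter grew between consecutive collections.

Added example, not the post's own script.  Input layout: an 'Interface ...'
header followed by one counter line per snapshot, each suffixed with the ASA
clock at collection time (HH:MM:SS.mmm <tz> <DOW> <Mon> <D> <YYYY>).
"""
import re
from datetime import datetime

# Sample taken from the post's output (three snapshots of two interfaces); the
# 'inside' interface appears twice, as in the post, once per counter block.
SAMPLE = """\
Interface GigabitEthernet0/1 "dmz", is up, line protocol is up
 985243431 packets output, 309823858329 bytes, 459 underruns 07:48:45.631 cst Wed Feb 12 2014
 1070533450 packets output, 336205856058 bytes, 459 underruns 05:38:08.573 cst Thu Feb 13 2014
 1159894277 packets output, 366047579951 bytes, 483 underruns 03:37:26.853 cst Fri Feb 14 2014
Interface GigabitEthernet1/0 "inside", is up, line protocol is up
 364 input errors, 0 CRC, 0 frame, 364 overrun, 0 ignored, 0 abort 07:48:45.631 cst Wed Feb 12 2014
 382 input errors, 0 CRC, 0 frame, 382 overrun, 0 ignored, 0 abort 05:38:08.573 cst Thu Feb 13 2014
 392 input errors, 0 CRC, 0 frame, 392 overrun, 0 ignored, 0 abort 03:37:26.853 cst Fri Feb 14 2014
Interface GigabitEthernet1/0 "inside", is up, line protocol is up
 229534738 packets output, 55157234973 bytes, 0 underruns 07:48:45.631 cst Wed Feb 12 2014
 249682890 packets output, 59948227086 bytes, 0 underruns 05:38:08.573 cst Thu Feb 13 2014
 272763726 packets output, 66350185657 bytes, 0 underruns 03:37:26.853 cst Fri Feb 14 2014
"""

HEADER_RE = re.compile(r'^Interface (\S+) "([^"]*)", is (.+?), line protocol is (\w+)$')
# Trailing ASA clock; the time zone token (cst) is not needed for deltas.
STAMP_RE = re.compile(r'(\d{2}:\d{2}:\d{2}\.\d{3}) \S+ (\w{3} \w{3} \d{1,2} \d{4})$')
# "<value> <counter name>" pairs, e.g. "459 underruns", "364 input errors"
FIELD_RE = re.compile(r'(\d+) ([A-Za-z][A-Za-z ]*)')


def parse_snapshots(text):
    """Return {interface: [(timestamp, {counter: value}), ...]} sorted by time.
    Counter lines of the same interface and timestamp (the input-errors block
    and the packets-output block) are merged into one snapshot."""
    by_time = {}                      # iface -> {timestamp: {counter: value}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = HEADER_RE.match(line)
        if head:
            current = head.group(1)   # e.g. GigabitEthernet0/1
            by_time.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"counter line before any Interface header: {line!r}")
        stamp = STAMP_RE.search(line)
        if not stamp:
            raise ValueError(f"no timestamp on counter line: {line!r}")
        when = datetime.strptime(f"{stamp.group(1)} {stamp.group(2)}",
                                 "%H:%M:%S.%f %a %b %d %Y")
        counters = {name.strip(): int(value)
                    for value, name in FIELD_RE.findall(line[:stamp.start()])}
        by_time[current].setdefault(when, {}).update(counters)
    return {iface: sorted(stamps.items()) for iface, stamps in by_time.items()}


def deltas(series):
    """Growth of every counter between consecutive snapshots of one interface.
    A counter that went down is assumed to have been reset (reload or clear),
    so its new value is taken as the growth since the reset."""
    out = []
    for (t0, c0), (t1, c1) in zip(series, series[1:]):
        growth = {}
        for name, v1 in c1.items():
            v0 = c0.get(name)
            if v0 is not None:
                growth[name] = v1 - v0 if v1 >= v0 else v1
        out.append((t0, t1, growth))
    return out


def rate_per_second(series, name):
    """Average growth per second of one counter over each interval."""
    return [(t1, g[name] / (t1 - t0).total_seconds())
            for t0, t1, g in deltas(series) if name in g]


def growing_error_counters(snapshots, names=("overrun", "underruns")):
    """Interfaces whose drop counters rose, with the growth per interval so a
    burst on one day stands out from a steady trickle."""
    report = {}
    for iface, series in snapshots.items():
        for t0, t1, g in deltas(series):
            for name in names:
                if g.get(name, 0) > 0:
                    report.setdefault(iface, []).append((name, t0, t1, g[name]))
    return report


if __name__ == "__main__":
    for iface, events in growing_error_counters(parse_snapshots(SAMPLE)).items():
        for name, t0, t1, growth in events:
            print(f"{iface}: {name} +{growth} between {t0:%a %d %b %H:%M} and {t1:%a %d %b %H:%M}")
```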
<br />
<span style="font-size: large;">References </span><br />
<br />
<a href="http://www.gossamer-threads.com/lists/cisco/nsp/152428">http://www.gossamer-threads.com/lists/cisco/nsp/152428</a><br />
<a href="http://ccna2ccnp.blogspot.co.uk/2012/12/ciscoasa-oversubcription-maximizing.html">http://ccna2ccnp.blogspot.co.uk/2012/12/ciscoasa-oversubcription-maximizing.html</a><br />
<a href="http://www.cisco.com/en/US/docs/internetworking/troubleshooting/guide/tr1904.html">http://www.cisco.com/en/US/docs/internetworking/troubleshooting/guide/tr1904.html</a><br />
<a href="http://en.wikipedia.org/wiki/Buffer_underrun">http://en.wikipedia.org/wiki/Buffer_underrun</a><br />
<a href="http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115985-asa-overrun-product-tech-note-00.html">http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115985-asa-overrun-product-tech-note-00.html</a><br />
<br />
Posted by Anonymous (http://www.blogger.com/profile/07819763839528988809)<br />
<br />
<br />
<span style="font-size: large;">How to design a network for Openstack or cloud deployment</span><br />
Published 2014-02-23, updated 2014-03-08<br />
<br />
Designing a network is a topic in itself and there is no way we can cover all of it in this single post. Cisco has its own certification path, <a href="https://learningnetwork.cisco.com/community/certifications/ccde">CCDE</a>, for those who want to know more.<br />
<br />
<span style="font-size: large;">Cisco design and implementation guide - old best practices</span><br />
<br />
In a very simplistic view, back in the old days a network used to be designed similar to the picture below (although it is hard to say when the new era started ;)). Every big network had to have<b> a core, distribution (sometimes called aggregation) and access layer</b>. The network was engineered mainly for <b>North to South</b> traffic in the data center, or in other words to help <b>get data into and out of the data center</b>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhimpoAUJEzpKRwX0N4e6JqvtS_ThEj3FoGtIf_A5yWxnzQSMXbQay-z3NGwj7rnsAw3JnMjg35EXAMjZ94aGUdL75G6KYEBnIP46InAeegFOxZ4Xdwc6TYmOjw_aSbqg3g3KlCeX77Qoc/s1600/Core_Dist_Access.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhimpoAUJEzpKRwX0N4e6JqvtS_ThEj3FoGtIf_A5yWxnzQSMXbQay-z3NGwj7rnsAw3JnMjg35EXAMjZ94aGUdL75G6KYEBnIP46InAeegFOxZ4Xdwc6TYmOjw_aSbqg3g3KlCeX77Qoc/s1600/Core_Dist_Access.jpg" height="234" width="320" /></a></div>
<br />
<span style="font-size: large;">New cloud friendly data center design best practice</span><br />
<br />
With the advent and popularization of new networking devices that support layer 2 routing, commonly known as <a href="http://searchsdn.techtarget.com/definition/network-fabric">network fabrics</a> (more info about <a href="http://www.networkworld.com/community/blog/clos-networks-%E2%80%93-what%E2%80%99s-old-new-again">TRILL and fabric</a>), the network design in data centers has shifted. The way we design networks today is to maximize <b>East to West</b> traffic instead of North to South (the old design above). The purpose of the new network is to <b>let the servers exchange data more efficiently</b> within the rack or data center.<br />
<br />
They say that a picture is worth more than a thousand words. To help us visualize how a new data center network/cloud network is designed, these demonstration pictures (taken from the Cisco document <a href="http://www.cisco.com/c/dam/en/us/td/docs/solutions/Enterprise/Data_Center/MSDC/1-0/MSDC_AAG_1.pdf">Cisco Massively Scalable Data Center</a>) will shed some more light on it. Please note that we no longer use the core, distribution or access keywords but instead <b>spine, leaf or superspine</b> to describe the different network layers :).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTyi7XSs-iRw17pGLgJ5QpyNnXatqgcXSZd8eHw3QvTSMefwOot5Mw_iFeK2yiUHllj4SupX2WGQ32aetWOJm2yCGdrRUW9m2tE8OnWWFjwWXq5KhK1So01XiMl6-_7d88-91C8gizZmI/s1600/design-dc-topology1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTyi7XSs-iRw17pGLgJ5QpyNnXatqgcXSZd8eHw3QvTSMefwOot5Mw_iFeK2yiUHllj4SupX2WGQ32aetWOJm2yCGdrRUW9m2tE8OnWWFjwWXq5KhK1So01XiMl6-_7d88-91C8gizZmI/s1600/design-dc-topology1.png" height="215" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5wRjLTXvit2niZIZkA0E3-G2qW4OtpHqpHN4gamZw5ee2FMqhRH4jcH3sD4QKCdlJZ2qTCFSkkA2gvEjjAZ1MVmvnCFfeW5O4IbKV17BA-R9V9L4gqUdZsTZW5L62pD-wgq9qZLItclU/s1600/design-dc-topology-superspine.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5wRjLTXvit2niZIZkA0E3-G2qW4OtpHqpHN4gamZw5ee2FMqhRH4jcH3sD4QKCdlJZ2qTCFSkkA2gvEjjAZ1MVmvnCFfeW5O4IbKV17BA-R9V9L4gqUdZsTZW5L62pD-wgq9qZLItclU/s1600/design-dc-topology-superspine.png" height="255" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKjidUaPZdjst7tH-VJzsyqBUfdOBZ97x8BrGRwEQcSfaYA2EoAkat4wxNgrWs5CePanYLU9Q69p7Z6wufzPZ2EHMNHa4obC-9GUWWKvE_zTjezVCmXwLYTGQbUvvrFKTCYaxSX_sO5J8/s1600/design-dc-topology-superspine-tor.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKjidUaPZdjst7tH-VJzsyqBUfdOBZ97x8BrGRwEQcSfaYA2EoAkat4wxNgrWs5CePanYLU9Q69p7Z6wufzPZ2EHMNHa4obC-9GUWWKvE_zTjezVCmXwLYTGQbUvvrFKTCYaxSX_sO5J8/s1600/design-dc-topology-superspine-tor.png" height="266" width="400" /></a></div>