Tuesday, August 9, 2016

Opengear and the Evolution and Consolidation of Network Devices

Opengear at Tech Field Day Extra 2016


I recently attended Cisco Live 2016 in Las Vegas and was invited to attend Tech Field Day Extra as a delegate. The first presenter was Opengear, a maker of console access servers and remote management gateways. They describe their products as "next generation Smart Solutions for managing and protecting critical IT and communications infrastructure."



While the term "next generation" is frequently overused, I can't argue with Opengear. Opengear extends the functionality of a console access server into a more complete out-of-band management solution. First, the Opengear presentation made me reevaluate what I should look for in an a console access server. What should it do? What shouldn't it do, and what roles should be held by separate devices?

Read more »
Posted by No comments:
Labels: , , , , ,

Friday, February 5, 2016

Configuring ERSPAN on Cisco Routers and Switches

In two recent posts, I covered SPAN, for mirroring traffic to a port on a local switch, and RSPAN, for mirroring traffic across a VLAN to a port on a remote switch.  What if we want to mirror traffic traffic to a destination across a L3 link?  Cisco provides the ability to do this natively with a feature called ERSPAN, or encapsulated RSPAN.  However, this feature is only available on higher end platforms such as Catalyst 6500 and 6800 series switches, 7600 series routers, ASR1000, and CSR1000v (this is not a complete list).

ERSPAN

Like SPAN and RSPAN, configuring ERSPAN is pretty straightforward.  ERSPAN simply requires L3 connectivity between source and destination devices.  The ERSPAN monitor session then builds a GRE tunnel that transports mirrored frames from the source port to the destination port.

Basic ERSPAN configuration is as follows:
! Source switch
monitor session SESSION-NUMBER type erspan-source 
 source-interface INTERFACE(S)|VLAN(S) {TX|RX|BOTH}
 no shutdown
 destination
  erspan-id ERSPAN-ID
  ip address DESTINATION-IP
  origin ip address ORIGIN-IP

! Destination switch
monitor session SESSION-NUMBER type erspan-destination
 destination-interface INTERFACE(S)
 no shutdown
 source
  erspan-id ERSPAN-ID
  ip address SOURCE-IP
    It is important to note that when configuring the destination switch "source IP," you should select the source IP on the destination switch itself - the GRE tunnel endpoint.  Source IP does not refer to the GRE tunnel origin IP address.  Therefore, the "ip address" command should match on the source and destination.

    Below is a basic ERSPAN config to mirror data from R1 interface g3 to R3 interface g3.  I created this topology using VIRL using CSR1000V routers for R1 and R3.


    Read more »
    Posted by 3 comments:
    Labels: , , , , , , , , , , , ,

    Saturday, January 30, 2016

    Configuring RSPAN on Cisco Catalyst Switches

    I recently wrote a post on configuring port mirroring (SPAN) on Cisco Catalyst switches.  SPAN (switched port analyzer) allows you to mirror traffic from a source or multiple sources on a switch to a destination interface or interfaces on the same switch.  RSPAN (remote SPAN) takes this a step further and allows you to mirror traffic to an interface on a remote switch or switches.

    RSPAN


    RSPAN configuration is relatively simple and builds upon existing SPAN functionality and configuration syntax.
    • Create an RSPAN VLAN on the source switch, destination switch, and all switches in the transit path.
    • Take traffic from a specified source on switch A, and mirror it to an RSPAN VLAN.  
    • Then, on switch B, use traffic from this VLAN as the source and mirror it to a physical interface

    As shown below, traffic mirrored from the switch on the right to the switch on the left can traverse other switches as long as there is end to end L2 connectivity between them (ie. the RSPAN VLAN exists on all switches).



    Basic RSPAN configuration is as follows:
    Read more »
    Posted by 2 comments:
    Labels: , , , , , , , , , , ,

    Thursday, January 28, 2016

    Configuring Port Mirroring (SPAN) on Cisco Catalyst Switches

    So you have a network issue.  Or perhaps you don't, but you need to help find the root cause of a performance issue and conclusively show that it's not network related.  In either case, packet analysis is your friend.

    At times, it can be convenient (and effective) to capture directly on an affected server or host.  However, you may not always be able to access the affected device.  Even you can, capturing from the affected device is not always the best option due to TCP segmentation offload, checksum offload, and a number of other factors.  (These are outside of the scope of this post, but Kary over at packetbomb.com has a ton of great content on packet analysis including why you shouldn't capture on a host.  See here.)

    A network tap is the best solution when absolute precision is required.  However, this can be impractical and is often overkill.  This is where port mirroring comes into play.  Cisco gear provides a number of ways to mirror traffic from a specified source (or sources) and get frames from point A to point B for analysis. 



    Read more »
    Posted by No comments:
    Labels: , , , , , , , , , , ,

    Wednesday, April 8, 2015

    vMotion Fails - Failed to connect to remote host. Network unreachable.

    When migrating a VM using vMotion, the migration may stall at 14% and eventually fail with the following error:

    Migration [xxxx:xxxx] failed to connect to remote host <x.x.x.x> from host <y.y.y.y>: Network unreachable.

    Usually this is a pretty straightforward fix: correct whatever network issue is preventing communication between the vmkernel ports.  However, I recently encountered an issue where the network was configured properly, traffic was flowing, and vMotion still failed.

    Everything with the multi-NIC vMotion config checked out:
    • Two separate VMkernel ports on the relevant vSwitch with IPs on the same subnet.
    • One vmnic active and one standby for each VMkernel port.
    • Active/standby adapters on the second VMkernel port were the inverse of the first.
    • vMotion enabled on the vMotion VMkernel ports.
    • 9000 MTU on each vSwitch and VMkernel port
    • 9000 MTU on the relevant switch and switchports.
    • Relevant switchports tagged for the appropriate VLAN.



    (The configuration is pretty straightforward, as outlined in the VMware KB: kb.vmware.com/kb/2007467)

    Read more »
    Posted by No comments:
    Labels: , , , , , , ,

    Tuesday, March 31, 2015

    ASA Remote Access User Prevent SSH Access

    When configuring a remote access VPN on an ASA, there are times when an external authentication server (RADIUS, TACACS+, etc) is not available.  In this case, the local AAA database can be used:
    asa01(config)# username vpnuser password p@ssw0rd privilege 0
asa01(config)# username vpnuser attributes
asa01(config-username)# service-type remote-access
asa01(config-username)# exit
asa01(config)#
    You might think that specifying privilege 0 and service-type remote access as shown above would be enough to prevent this user from logging in through SSH.  However, this may not be the case.  Let's look at the following example:
    asa01# sh run user vpnuser
username vpnuser password jpCK6VfivhvBp0Pn encrypted privilege 0
username vpnuser attributes
 service-type remote-access
asa01# sh run aaa
aaa authentication ssh console LOCAL
aaa authorization exec LOCAL
asa01#
    With this configuration, it is still possible for "vpnuser" to log in through SSH:
    vpnuser@asa01's password:
login as: vpnuser
vpnuser@asa01's password:
Type help or '?' for a list of available commands.
asa01>
    This is possible because the above configuration only specifies AAA authentication, not authorization.  Therefore the local user account's password is checked against the local database, but no check is performed to determine whether or not this local user is authorized for EXEC shell access.  This behavior can be changed by enabling management authorization with the following command:
    asa01(config)# aaa authorization exec LOCAL
asa01(config)#
    Now if we attempt to log in with this same account, the login will fail:
    login as: vpnuser
vpnuser@asa01's password:
Access denied
vpnuser@asa01's password:

    The ASA configuration guide goes into more detail about this feature here:
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/admin_management.html#86134
    Posted by No comments:
    Labels: , , , , , ,

    Saturday, January 10, 2015

    Choosing an ExtremeXOS Software Release

    When updating ExtremeXOS, it is important to choose your software release carefully.  The newest builds may contain new features that are not yet stable.  I learned this the hard way.  The Extreme support portal currently does not label their software builds with anything that indicates what is a stable build and what is may contain new unstable features.



    Read more »
    Posted by No comments:
    Labels: , , , ,
    Subscribe to: Posts (Atom)