Blog Posts in November 2012
Imagine you have a typical 2-tier data center network (because 3-tier is so last millennium): layer-2 top-of-rack switches redundantly connected to a pair of core switches running MLAG (to get around spanning tree limitations) and IP forwarding between VLANs.
Next thing you know, a rep from your favorite vendor comes along and says: “did you know you could connect all ToR switches into a virtual fabric and manage them as a single entity?” Is that a good idea?
When an IPv4/IPv6 host wants to send a packet to another host, it has to answer the following simple questions:
- Can I reach the destination IP address directly (is the destination on the same LAN/subnet)?
- If not, who will help me forward the packet (who is the first-hop router)?
In IPv4 world, the host can get all the information it needs through DHCP. In IPv6 world, things are way more complex (but also way more correct if you’re a theoretician).
Hamid sent me the following question:
I have already memorized (bad idea, BTW) that a loop can occur if FD < RD. Could you please tell me how a loop could occur assuming FD < RD and we ignore the feasibility condition.
I’ll use a simple three-router network (see the following diagram) to illustrate why EIGRP cannot figure out whether an alternate more expensive path could lead to a loop or not.
In the introductory part of the IPv6 security webinar, Eric Vyncke explained how the huge IPv6 subnet sizes won’t stop a determined attacker, but will make the task of network or security engineers trying to take host inventory much harder.
I’m constantly getting questions about the intricate interworking of various flags present in IPv6 Router Advertisement messages. Here’s a (hopefully comprehensive) summary taken primarily from RFC 4861.
In a comment to the Firewalls in a Small Private Cloud blog post I wrote “VXLAN is _NOT_ a viable inter-DC solution” and Jason wasn’t exactly happy with my blanket response. I hope Jason got a detailed answer in the VXLAN Technical Deep Dive webinar, here’s a somewhat shorter explanation.
In the Clos Fabrics Explained webinar I focused on the Clos fabrics principles of operation and design options, and Brad Hedlund who graciously agreed to be my guest explained how you can use Dell Force10 switches to build them. In this video he’s describing a simple leaf-and-spine topology with 40GE uplinks.
An incredible amount of IPv6 deployment documents has been published as IETF drafts recently, amongst them:
- Operational security considerations for IPv6 networks
- Design guidelines for IPv6 networks
- Stateless IP/ICMP Translation in IPv6 Data Centre Environments (aka IPv6-only data centers)
- Enterprise IPv6 Deployment Guidelines
Enjoy ... and don’t forget to join the v6ops mailing list ;)
And many of physical firewalls can be virtualized. One physical firewall can have multiple virtual firewalls inside. They all have their own routing table, rule base and management interface.
He’s absolutely right, but there’s a huge difference between security contexts (to use the ASA terminology) and firewalls running in VMs.
I’m exposed to an incredible variety of topics in my ExpertExpress engagements, but there are always a few recurring themes, one of them being “we’re experiencing long convergence times and high packet loss after our primary Internet link fails.” Almost always the root cause turns out to be full Internet routing table being received on inadequate hardware.
The murky details of IPv6 implementations never crop up till you start deploying it (or, as Randy Bush recently wrote: “it is cheering to see that the ipv6 ivory tower still stands despite years of attack by reality”).
Here’s another one: in theory the prefixes delegated through DHCPv6 should be static and
permanently assigned to the customers .
Based on readers’ comments and recent discussions with fellow packet pushers, it seems the marketing departments and industry press managed to thoroughly muddy the virtualized security waters. Trying to fix that, here’s my attempt at virtual firewall taxonomy.
Jernej Horvat sent me the following question:
I know DHCPv6-based prefix delegation should be as stable as possible, so I plan to include the delegated prefix in my RADIUS database. However, for legacy reasons each username can have up to four concurrent PPPoE sessions. How will that work with DHCPv6 IA_PD?
Short answer: worst case, DHCPv6 prefix delegation will be royally broken.
Similar to Data Center and DMVPN trilogy, I bundled the core IPv6 webinars into IPv6 trilogy. Following the great example set by Douglas Adams, the trilogy has four webinars (the real reason: it’s not likely someone would need both Enterprise and Service Provider introductory webinar).
We’re building a private cloud and I'm pushing for keeping east/west traffic inside the cloud. What are your opinions on the pros/cons of keeping east/west traffic in the cloud vs. letting it exit for security/routing?
Short answer: it depends.
Thomas wanted to check whether the IP traffic is actually delivered to a remote site and sent me the following question:
I would like to know whether the packets I sent from site A to site B have been received. I don't want to create test traffic using ip sla, I would like to know that the production traffic has been delivered. I could use ACL counters but I'm running a full mesh of tens of sites. Ipanema does this very well, but I'm surprised that this doesn’t exist on Cisco IOS.
Short answer: that’s not how Internet works.