Networking

HP Comware and Windows NLB cluster in multicast mode

In January 2014 I wrote a blog post about network flooding because of Windows NLB clusters in unicast mode. Yesterday, Windows NLB, HP switches and I met again.

After moving a customer's core network from HP 5400zl switches to two IRF stacks with HP 7506 switches, multiple Windows NLB clusters stopped working. Because the Windows NLB clusters used multicast operation mode, it was instantly clear that the switches were the problem.

The explanation is easy: By default, a Comware-based switch does not learn multicast MAC addresses. Because of this, the switch does not add them to the ARP table, and you can't add static multicast MAC address entries either. You have to disable the ARP entry check.

HP Comware: Forwarding subnet-directed broadcasts for Wake-on-LAN

Last week, my colleague Claudia and I ported an HP ProVision configuration to HP Comware. Unexpectedly, it wasn't routing or VLANs or OSPF that caused headaches, it was Wake-on-LAN (WoL). Depending on the tool used, the magic packet (which wakes up the computer) is a broadcast (255.255.255.255) or a subnet-directed broadcast (e.g. 192.168.200.255). So it was important to know which tool the customer used.

This is how HP ProVision implements subnet-directed broadcasts:

Juniper launches Design Certification Track

This tweet from @JuniperCertify has caught my attention:

Later that day, I got an e-mail from Juniper with the same announcement. Juniper has launched its Design Certification Track inside the Juniper Networks Certification Program (JNCP) and the Juniper Networks Certified Design Associate (JNCDA) is the first available certification.

The new Design Certification Track

A picture says more than a thousand words (… I found this in the blog post "Juniper Networks New Network Design Curriculum and Certifications" on the Juniper "My Certification Journey" blog):

Juniper publishes vMX

This tweet from @JuniperNetworks really inspired me yesterday. I have liked Juniper's Firefly Perimeter (vSRX) from the first day. I like the idea behind this product (yes, I like everything that can be run as a VM…). But yesterday Juniper went one better.

Juniper Networks announced yesterday a virtualized and carrier-grade version of their MX Series 3D router. The Juniper Networks vMX is a virtual MX Series 3D Universal Edge Router and it's optimized to run on x86 hardware. Juniper vMX can run on all major hypervisors, including VMware ESXi and KVM. It was also mentioned that vMX can be run in Docker containers or on bare metal.

Exam experience JNCIA-Junos

The Juniper Networks Certification Program (JNCP) consists of different tracks, which enable you to demonstrate your skills with Juniper products and technologies in the areas most pertinent to your job function and experience. There are three main areas:

  • Junos
  • Support
  • Product and Technology

The Junos area consists of three tracks:

  • Service Provider Routing and Switching
  • Enterprise Routing and Switching
  • Junos Security

The "Service Provider Routing and Switching" track focuses on service provider and telecommunication networks (M- and MX-Series, routing with OSPF, BGP, MPLS etc.), the "Enterprise Routing and Switching" track on enterprise routing and switching in LAN and WAN (EX-Series, MX-Series, Spanning Tree, VLANs, routing etc.), and the "Junos Security" track on the Juniper security products (SRX-Series, routing, firewall, VPN etc.). All three tracks have the Juniper Networks Certified Associate - Junos (JNCIA-Junos) as a prerequisite. This is an entry-level certification and it covers the following objectives:

STOP c00002e2 after changing SCSI Controller to PVSCSI

Today I changed the SCSI controller type for the Windows VMs in my lab from LSI SAS to PVSCSI. Because the VMs were installed with LSI SAS, I used the procedure described in VMware KB1010398 (Configuring disks to use VMware Paravirtual SCSI (PVSCSI) adapters) to change the SCSI controller type. The main problem is that Windows doesn't have a driver for the PVSCSI controller installed. You can force the installation of the driver using this procedure (taken from KB1010398):

My lab network design

Inspired by Chris Wahl's blog post "Building a New Network Design for the Lab", I want to describe what my lab network design looks like.

The requirements

My lab is separated from my home network, and it's focused on the needs of a lab. A detailed overview of my lab can be found here. My lab is a lab, and therefore I divided it into a lab part and an infrastructure part. The infrastructure part of my lab consists of devices that are needed to provide basic infrastructure and management. The other part is my playground.

Creating an HP IRF stack with HP 5820-24XG-SFP+ Switches

The development of the Intelligent Resilient Framework (IRF) goes back to H3C, a joint venture between Huawei and 3Com. With the acquisition of 3Com by HP, IRF-capable products were integrated into the HP Networking product portfolio.

What is IRF?

IRF is a software-based solution to connect multiple switches together and create a single logical switching device. The idea behind IRF is to create a logical device with one control plane and multiple data planes. This simplifies management and sometimes eliminates the need for techniques like (R/M)STP, XRRP/VRRP/HSRP or similar to create layer 2 or layer 3 redundancy for cases like a switch failure; whether it does depends on the requirements of the network design. The master switch in an IRF stack updates the forwarding and routing tables for all devices in the stack. If it fails, another switch in the stack is elected master. The switches are connected with multiple high-speed links (10 GbE in most cases, some entry-level switches allow 1 GbE) and use a daisy-chain or ring topology. If a switch fails, even if it's the master of the stack, the stack continues to operate. The time for a failover is < 50ms (Source). There is another advantage: Because the stack acts like a single switch, you can use switch-assisted teaming or trunking between IRF stacks or between servers and IRF stacks.

Juniper SRX: Using CoS to manage bandwidth

Sometimes it's necessary to limit specific traffic in terms of bandwidth. Today I'd like to show you how to manage bandwidth limits using QoS and firewall policies. Especially if you have only limited bandwidth, e.g. a DSL connection, it can be useful to manage the bandwidth used by specific hosts or protocols. I use a really simple setup to show you how you can manage bandwidth using CoS on a Juniper SRX.

Sophos UTM Home Edition license expired

Sophos offers a free license of their UTM firewall for private use. The product was originally developed by Astaro and since those days I have used it at home. After the merger with Sophos I switched to the new Sophos UTM 9, still using my old license. I use it to separate my test VLAN from my normal VLAN, and I use it as a proxy with antivirus scanning for all my devices (iPhone, iPad, laptop etc.), but the UTM can do a lot more than this. This morning I wanted to read my Twitter timeline on my iPhone but I got no connection over WLAN. After disabling the proxy it worked fine. I took a look at the admin interface of my UTM and what did I see? An expired license. WTF?!