Networking

IPv6 is not really new. According to Google, 10% of all users that access Google, do this over an IPv6 connection (Source). My blog is also accessible over IPv6 since its start in January 2014 (and since January 2016 only over HTTPS - thanks to Let’s Encrypt!).

When I talk with customers about IPv6, I often hear things like “Oh, we had to disable it. Too much problems!” or “We had to disable it. With IPv6 enabled, we had connectivity problems.". Sometimes it went wrong. Especially in this cases, where IPv6 was only unbind from the network adapter. That’s the wrong way to “disable” IPv6.

Disclaimer: Thanks to ALE Deutschland GmbH, the german subsidiary of Alcatel-Lucent Enterprise, for loaning me two OmniSwitch 6450 switches.

Who’s Alcatel-Lucent Enterprise?

I’m quite sure that you know Alcatel-Lucent, a leading vendor for telecommunication and networking equipment. But do you know Alcatel-Lucent Enterprise (ALE)? In April 2015, Nokia placed an offer to buy Alcatel-Lucent for ~ 15 billion euro. Six months before, in October 2014, Alcatel-Lucent sold his enterprise business to China Huaxin. Since october 2014, ALE offers communication, cloud and networking solutions for business of all sizes. More than 2700 employees in 100 countries and 2900 partners serve solutions for more than 830000 customers worldwide. ALE offers solutions for unified communications and collaboration, which benefit from intelligent and converged networks. Solutions that scale from the local office to the cloud. Unified communication and collaboration solutions include business telephony solutions (e.g. voice, video and conferencing across the enterprise), mobility solutions (e.g. wired and wireless voice and unified communications across the enterprise and across devices) and collaboration solutions (e.g. cloud or on-premises web conferencing).

In January 2014 I wrote a blog post about network flooding because of Windows NLB clusters in unicast mode. Yesterday, Windows NLB, HP switches and I met again.

After moving a customers core network from HP 5400zl switches to two IRF stacks with HP 7506 switches, multiple Windows NLB clusters stopped working. Because the Windows NLB used multicast operation mode, it was instantly clear that the switches were the problem.

The explanation is easy: By default, a Comware based switch does not learn multicast MAC addresses. And because of this, the switch does not add them to the ARP table. And you can’t add static multicast MAC address entries. You have to disable the ARP entry check.

Last week, my colleague Claudia and I have ported a HP ProVision configuration to HP Comware. Unexpectedly, it wasn’t routing or VLANs or OSPF that caused headaches, it was a Wake-on-LAN (WoL). Depending on the used tool, the magic packet (which wakes up the computer) is a broadcast (255.255.255.255) or a subnet-directed broadcast (e.g. 192.168.200.255). So it was important to know what tool the customer used.

This is how HP ProVision implements subnet-directed broadcasts:

Building networks in the cloud is sometimes hard to understand. A common mistake is to believe that all VMs can talk to another, regardless of the owner, and that all VMs are available over the internet.

Some basics about Cloud Service Endpoints and Virtual Networks

When we talk about Microsoft Azure, a Cloud Service Endpoint is the easiest way to access one or multiple VMs. A Cloud Service contains resources, like VMs, and it’s acting as a communication and security boundary. All VMs that use the same Cloud Service get their IPs via DHCP and share the same private IP address range. The VMs can communicate directly to each other. To access these VMs over the internet, a Cloud Service Endpoint is used. Each Cloud Service has a internet addressable virtual IP address assigned. And that’s the Cloud Service Endpoint. With PAT, ports for RDP or PowerShell are forwarded to the VMs by default. If you deploy a webserver and an application server, both can be provisioned to the same Cloud Service and therefore, they share the same Cloud Service Endpoint. But you can only forward http traffic to the webserver. Therefore only the webserver is available over the internet, not the application server.

This tweet from @JuniperCertify has caught my attention:

Later that day, I got an e-mail from Juniper with the same announcement. Juniper has launched its Design Certification Track inside the Juniper Networks Certification Program (JNCP) and the Juniper Networks Certified Design Associate (JNCDA) is the first available certification.

The new Design Certification Track

A picture says more than a thousands words (… I found this in the blog post “Juniper Networks New Network Design Curriculum and Certifications” on the Juniper “My Certification Journey” blog):

In my last blog post I have highlighted how HAProxy can be used to distribute client connections to two or more servers with Exchange 2013 CAS role. But there is another common use case for load balancers in a Exchange environment: SMTP. Let’s take a look at this drawing:

The inbound SMTP connections are distributed to two Mail Transfer Agents (often a cluster of appliances, like Cisco IronPort or Symantec Messaging Gateway) and the MTAs forward the e-mails to the Exchange servers. Sometimes the e-mails are not directly forwarded to the Exchange servers, but to mail security appliances instead (like Zertificon Z1 SecureMail Gateway). After the e-mails have been processed by the mail security appliances, they are forwarded to the Exchange backend. Such setups are quite common. If a load balancer isn’t used, the MX records often point to the public IP address of a specific MTA. In this case, two or more MX records have to be set to ensure that e-mails can be received, even if a MTA fails.

The next step is to connect the Synology DS414slim to my lab network. I use two HP 1910 Switches in my lab, a 8 Port and a 24 Port model. The Synology DS414slim has two 1 GbE ports, which can configured in different ways. I wanted to use both ports actively, to I decided to create a bond.

Create a bond

Browse to the admin website and go to Control Panel > Network > Network Interfaces and select “Create”. Then select “Create Bond”.

This tweet from @JuniperNetworks has really inspired me yesterday. I liked Junipers Firefly Perimeter (vSRX) from the first day. I like the idea behind this product (yes, I like everything that can be run as a VM…). But yesterday Juniper has go one better.

Introducing the vMX – the industry's only carrier class virtualized router: http://t.co/2lgXaQ1cjh #networkunlocked pic.twitter.com/V8zWvpRXoA

— HPE Networking (@HPE_Networking) November 6, 2014

Juniper Networks announced yesterday a virtualized and carrier-grade version of their MX Series 3D router. The Juniper Networks vMX is a virtual MX Series 3D Universal Edge Router and it’s optimized to run on x86 hardware. Juniper vMX can run on all major Hypervisors, including VMware ESXi and KVM. It was also mentioned, that vMX can be run in Docker containers or on bare-metal.

The Juniper Networks Certification Program (JNCP) consists of different tracks, which enable you to demonstrate your skills with Juniper products and technologies in the areas most pertinent to your job function and experience. There are three main areas:

• Junos
• Support
• Product and Technology

The Junos area consists of three tracks:

• Service Provider Routing and Switching
• Enterprise Routing and Switching
• Junos Security

The “Service Provider Routing and Switching” track focuses on service provider and telecommunication (M-, MX-Series, Routing with OSPF, BGP, MPLS etc.), the “Enterprise Routing and Switching” on enterprise routing and switching in LAN and WAN (EX-Series, MX-Series, Spanning-Tree, VLANs, Routing etc.) and the “Junos Security” track is focused on the Juniper Security products (SRX-Series, Routing, Firewall, VPN etc.). All three tracks have the Juniper Networks Certified Associate - Junos (JNCIA-Junos) as a prerequisite. This is an entry-level certification and it covers the following objectives: