Networking

My lab network design

Inspired by Chris Wahl's blog post "Building a New Network Design for the Lab", I want to describe what my lab network design looks like.

The requirements

My lab is separated from my home network, and it's focused on the needs of a lab. A detailed overview of my lab can be found here. My lab is a lab, and therefore I divided it into a lab part and an infrastructure part. The infrastructure part of my lab consists of devices that are needed to provide basic infrastructure and management. The other part is my playground.

Trouble due to changed vDS default security policy

A customer contacted me because he had trouble moving a VM between two clusters. The hosts in the source cluster used vNetwork Standard Switches (vSS), the hosts in the destination cluster a vNetwork Distributed Switch (vDS). Because of this, a host in the destination cluster had an additional vSS with the same port groups that were used in the source cluster. This configuration allowed the customer to do vMotion without shared storage between the two clusters. The setup worked fine until the customer moved a specific VM to the new cluster and switched the port group of the VM from the vSS to the vDS: the VM lost its connection to the network. A switch back to the vSS restored network connectivity for the VM. While troubleshooting this issue I noticed that the port was blocked due to an L2 security violation.

Creating an HP IRF stack with HP 5820-24XG-SFP+ Switches

The development of the Intelligent Resilient Framework (IRF) goes back to H3C, a joint venture between Huawei and 3Com. With the acquisition of 3Com by HP, IRF-capable products were integrated into the HP Networking product portfolio.

What is IRF?

IRF is a software-based solution to connect multiple switches together and create a logical switching device. The idea behind IRF is to create a logical device with one control plane and multiple data planes. This simplifies the management and sometimes eliminates the need for techniques like (R/M)STP, XRRP/VRRP/HSRP or similar to create layer 2 or layer 3 redundancy for cases like a switch failure. This depends on the requirements of the network design. The master switch in an IRF stack updates the forwarding and routing tables for all devices in the stack. If it fails, another switch in the stack is elected. The switches are connected with multiple high-speed links (10 GbE in most cases, some entry-level switches allow 1 GbE) and use a daisy chain or ring topology. If a switch fails, even if it's the master of the stack, the stack continues to operate. The time for a failover is < 50ms (Source). There is another advantage: because the stack acts like a single switch, you can use switch-assisted teaming or trunking between IRF stacks or between servers and IRF stacks.

Juniper SRX: Using CoS to manage bandwidth

Sometimes it's necessary to limit specific traffic in terms of bandwidth. Today I'd like to show you how to manage bandwidth limits using QoS and firewall policies. Especially if you have only limited bandwidth, e.g. a DSL connection, it can be useful to manage the bandwidth used by specific hosts or protocols. I use a really simple setup to show you how you can manage bandwidth using CoS on a Juniper SRX.

Sophos UTM Home Edition license expired

Sophos offers a free license of their UTM firewall for private use. The product was originally developed by Astaro, and since those days I have used it at home. After the merger with Sophos I switched to the new Sophos UTM 9, still using my old license. I use it to separate my test VLAN from my normal VLAN, and I use it as a proxy with antivirus scanning for all my devices (iPhone, iPad, laptop etc.), but the UTM can do a lot more than this. This morning I wanted to read my Twitter timeline on my iPhone, but I got no connection over WLAN. After disabling the proxy it worked fine. I took a look at the admin interface of my UTM and what did I see? An expired license. WTF?!

Trouble with Broadcom NetXtreme II and VMware ESXi

I faced a really nasty problem today. I have four HP ProLiant DL360 G6 in my lab. This server type has two 1 GbE NICs with the Broadcom NetXtreme II BCM5709 chip onboard, which are usually claimed by the bnx2 driver. While applying a host profile to three of the hosts, one host reported an error. Supposedly the host didn't have a vmnic0, and because of this the host profile couldn't be applied. Okay, quick check in the vSphere Web Client: only three NICs. The C# client showed the same result. Now it got interesting:

Configuration management with Juniper Junos

One strength of Juniper Junos is its config file management. The concept of different configurations is nothing special. For example, Cisco uses two configuration files to reflect the current configuration in RAM (running configuration) and the configuration used on startup (startup configuration). HP is doing the same on their networking gear. If you are new to Juniper Junos, the concept of an active configuration and a candidate configuration, which holds the current changes but isn't active, may confuse you.

Enable CDP on VMware vSS

The Cisco Discovery Protocol (CDP) is used to discover and advertise the identity and capabilities of a network component to other network components. CDP is a proprietary protocol developed by Cisco, so it's mostly used on Cisco switches and routers. The Link Layer Discovery Protocol (LLDP) is a vendor-neutral discovery protocol, which is used e.g. by Hewlett-Packard. With CDP or LLDP you can easily get an overview of a network topology. You can quickly check, e.g., which switches are connected to an uplink. Both protocols use Ethernet multicast to advertise and receive information. CDP uses the address 01:00:0C:CC:CC:CC, LLDP 01:80:C2:00:00:0E.

HP Data Protector: Backup of DMZ servers

Sometimes it's necessary to back up systems that are behind a firewall. A good example of this are servers in a DMZ. When using HP Data Protector there are some things to know and consider before you can back up systems behind a firewall. Let's start with some basics.

The components

Cell Manager: The Cell Manager (CM) is the backup server itself. It controls the whole environment and stores the licenses, clients, media, devices, backup specifications etc.

Juniper Firefly Perimeter

I'm a big fan of Juniper Networks! I work mainly with the SSG (ScreenOS) and SRX (Junos) series. The Juniper SRX is a network security solution which can be positioned in the data center or at the branch. You will surely agree that virtualization and cloud computing changed a lot from the network perspective. This demands security solutions that are not bound to hardware boundaries. Juniper Firefly Perimeter addresses these demands.

What is Juniper Firefly Perimeter?

Juniper Firefly Perimeter is an SRX Services Gateway delivered in the form of a virtual appliance. You can compare it with the HP VSR1000 Virtual Services Router or the Cisco Cloud Services Router 1000V. Firefly Perimeter is available for VMware vSphere 5.x and Linux KVM. Microsoft Hyper-V is currently not supported. When you take a look at the datasheet you will notice that Firefly Perimeter can do all the cool things that you expect from this kind of virtual appliance: from simple routing, routing protocols (RIP, OSPF, BGP, IS-IS…), MPLS, VPN, stateful/stateless firewall and network attack detection to a lot of management features and many more.