The AWS Cloud Development Kit (CDK) is an "open source software development framework to define your cloud application resources using familiar programming languages". When CDK launched in 2019, I remember reading the announcement and thinking, "Ok, AWS wants their own Terraform-esque tool. No surprise given how popular Terraform is." Months later, my friend and colleague Matt M. was telling me how he was using CDK in a project he was working on and how crazy cool it was. I finally decided to...| packetmischief.ca
I have a cron job that renews an SSL certificate from Let's Encrypt, and then restarts the smtpd daemon so that the new certificate is picked up. This all works fine--as proven by both the presence of a new, valid cert on disk, and smtpd successfully restarting--but cron never sends an email with the output of the job. What gives?| packetmischief.ca
This is a running list of unusual data found in the Domain Name System. Typically, DNS stores name-to-IP (for example, foo.example.net -> 192.0.2.123) and IP-to-name mappings (i.e., the inverse). But, the DNS is arguably the biggest, most distributed key/value store on the planet, making it a great place to stash all kinds of simple data.| packetmischief.ca
AWS Serverless Application Model (SAM) is a framework for building serverless applications on AWS. One of the components of SAM is a template specification. SAM templates would look and feel familiar to anyone who has used AWS CloudFormation to define their infrastructure as code, however they are not completely interchangeable. There are multiple reasons why you might want to convert from SAM to native CloudFormation: You want to deploy the app using CloudFormation StackSets. SAM uses the AW...| packetmischief.ca
I was recently playing around with the Traffic Mirroring feature in AWS. As a network geek, this is right up my alley because as some colleagues and I used to say, "the wire never lies!". Being able to pick packets off the wire for detailed inspection has saved the day many a time. Until Traffic Mirroring came along, it wasn't possible to do that in an Amazon VPC. Below are my notes and considerations for using this feature.| packetmischief.ca
Consider for a moment that you have an application running on a server that needs to push some data out to multiple consumers and that every consumer needs the same copy of the data at the same time. The canonical example is live video. Live audio and stock market data are also common examples. At the re:Invent conference in 2019, AWS announced support for multicast routing in AWS Virtual Private Cloud (VPC). This blog post will provide a walkthrough of configuring and verifying multicast rou...| packetmischief.ca
Often in my career I have to make an estimate about the so-called "level of effort" (LoE) to do a thing. What's the LoE for me to do a demo for this customer? What's the LoE for me to help respond to this RFP? What's the LoE for me to participate in this conference? The critical metric by which I usually have to measure the LoE is time. People, equipment, venue, materials, and location are rarely ever a limiting factor. Time is always the limiting factor because no matter the circumstance, yo...| packetmischief.ca
I've been asking myself an uncomfortable question lately: "Can IT certifications become a liability? Have I reached a point where my IT certifications have become a liability to me?"| packetmischief.ca
Given that my technical background is largely in the networking space (exhibit A, exhibit B, exhibit C (CIE)), one of the first things I tried to wrap my head around when being introduced to AWS is how networking works in the AWS cloud. What I attempted to do was build a mental model by relating cloud networking constructs such as Virtual Private Cloud (VPC), subnets, and routing tables to on-prem, physical networking constructs. This worked pretty well but I did get tripped up at times because...| packetmischief.ca
So, you've created a compute instance (i.e., a virtual machine) on Amazon EC2. Next question: does the instance require access to and/or from the Internet? Protip: just because you created the instance in the public cloud, i.e. the cloud that you get to over the Internet, it doesn't mean that your instances all need to sit on the Internet. They can have direct inbound and outbound Internet access, no Internet access, or something in between (which I'll explain). The basic building block for net...| packetmischief.ca
Continuing on with the theme of previous cheat sheet articles, this article will help decode the format for Amazon Web Services' Elastic Compute Cloud (EC2) instance types.| packetmischief.ca
Ok, you've just launched an Amazon EC2 instance (i.e., a virtual machine) and you're ready to login and get to work. Just one teeeensy problem though... you have no idea how to actually connect to the instance! This post will walk through how to log into brand new Linux/BSD and Windows instances (the steps are slightly different for different OS families).| packetmischief.ca
An introduction to Amazon EC2 credentials: When you assign an Identity and Access Management (IAM) role to an Amazon Elastic Compute Cloud (EC2) instance, the short-term credentials for the role are made available via a web service known as the Instance Metadata Service (IMDS). The IMDS provides an HTTP endpoint for retrieving instance metadata such as the instance IP address, AWS Region the instance is running in, the Amazon Machine Image used to launch the instance, and the access key, secre...| packetmischief.ca
Passwords suffer from an inherent risk: whoever possesses the password inherits the privileges granted by that password. If the possessor is the intended person, then all is good. Otherwise, all is not so good because it means an unintended person has access to the system the password is guarding.| packetmischief.ca
I'd be lying if I said that since starting my new job at Amazon Web Services (AWS), I wasn't looking forward to writing about all the new things I was going to learn. Obviously there's the technology and services that make up the platform itself. But there's also the architectural best practices, the design patterns, and answers to questions like "how does moving to the cloud improve my performance/security/reliability?" Admittedly, I have a lot to learn.| packetmischief.ca
About the Site: Hi! I'm Joel Knight and this is my personal home on the web. I use this site as a platform for expressing my ideas, knowledge, and experiences related to whatever geeky topics I may be interested in. The opinions and information expressed on this site are mine and not necessarily those of my employers, past or present. About Joel: I am an IT professional with interests in IP networks, cloud infrastructure, open source projects, Unix operating systems, privacy, crypto, cyber secu...| packetmischief.ca
No Warranties: This website is provided "as is" without any representations or warranties, express or implied. The Owner makes no representations or warranties in relation to this website or the information and materials provided on this website. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this website's information is solely at reader's own risk. Limitations of Liability: The Owner will not be liable...| packetmischief.ca
The architecture of the infrastructure-as-code (IaC) tooling you use will determine the level to which your IaC definitions are exposed to bit rot. This is a maxim I have arrived at after working with multiple IaC tool sets, both professionally and personally, over the last few years. In this blog post, I will explain how I arrived at this maxim by describing three architectural patterns for IaC tools, each with differing levels of risk for bit rot.| packetmischief.ca
The AWS CLI is a tool set that lets you manage your AWS resources. The CLI comes in two versions which, at the time of this writing, are developed concurrently: version 1 and version 2. Internally, the AWS CLIv1 and v2 are quite different. Version 2 pulls in AWS libraries--libraries which are used across the AWS SDK ecosystem--rather than reinventing the wheel when it comes to common tasks, such as talking to Amazon S3. Running AWS CLIv2 on your operating system of choice requires building an...| packetmischief.ca
"Software is eating the world." Have truer words ever been spoken other than these words by Marc Andreessen? I've recently been immersed in a number of home automation projects (lights, heating/cooling, presence detection, and more). I was reflecting on what made all of these automations possible: the drastic increase in the amount of software present in the home. As I was reflecting on this, I realized how different my house is in this respect compared to the house I grew up in. Now, I'm not...| packetmischief.ca
You have: A Roomba vacuum. (I was working with an i-series when I wrote this. Maybe this applies to other models as well.) A firewall or router between your Roomba and your mobile device. (Maybe the two are on different wifi networks as would be the case if you have a network set aside for IoT devices.) An iRobot app that gets stuck at Verify password when setting up the Roomba.| packetmischief.ca
A colleague of mine recently quipped, "'The perimeter' in AWS is actually defined by Identity and Access Management (IAM)." After some reflection, I think my colleague is spot on.| packetmischief.ca
This site is privately owned and operated and has no corporate or commercial interests. This site may use third-party agents to gather and report on metrics related to visitors to the site. You should consult the respective privacy policies of these third-party agents for more detailed information on their practices as well as for instructions about how to opt-out of certain practices. Articles on this site may include embedded content (e.| packetmischief.ca
This is a retelling of a presentation I gave at work. In it, I describe a mechanism I've started using to raise the quality of artifacts I check into version control.| packetmischief.ca
I've written before about how I use MediaWiki for taking notes and as one of my study tools. This has worked well for many years. But a problem started to develop: while I wrote my technical notes in MediaWiki, I wrote my day-to-day notes (books I want to read, notes from podcasts I listen to, and even my weekly planner) in Notion. This meant I had to use different apps for reading/writing in each tool, remember two different markup languages, and couldn't (cleanly) link pieces of content bet...| packetmischief.ca
This article was originally posted on the Amazon Web Services Security Blog. AWS CloudFormation is a service that lets you create a collection of related Amazon Web Services and third-party resources and provision them in an orderly and predictable fashion. A typical access control pattern is to delegate permissions for users to interact with CloudFormation and remove or limit their permissions to provision resources directly. You can grant the AWS CloudFormation service permission to create ...| packetmischief.ca
For years now I've had a light switch that can be programmed to turn itself on/off on a schedule. The switch is programmed with the date, time, time zone, and lat/long and then you can create a schedule such as, "turn the lights on at sunset". It works pretty well except when 1/ daylight savings time starts or stops (the schedule doesn't adjust itself) or 2/ the power goes out (bye, bye all programming). This slight annoyance coupled with my desire for a project I could geek out on led me t...| packetmischief.ca
This article was originally posted on the Amazon Web Services Architecture blog. In a recent customer engagement, Quantiphi, Inc., a member of the Amazon Web Services Partner Network, built a solution capable of pre-processing tens of millions of PDF documents before sending them for inference by a machine learning (ML) model. While the customer's use case--and hence the ML model--was very specific to their needs, the pipeline that does the pre-processing of documents is reusable for a wide a...| packetmischief.ca
I recently used AWS DataSync as part of a lab I was building. These are my notes for using DataSync to replicate an Amazon Elastic File System (EFS) share from one region to another. AWS DataSync is a managed service that enables replication of data between AWS services and from on-prem to AWS. It automates the scheduling of transfer activities, validates copied data, and uses a purpose-built network protocol and multi-threaded architecture to achieve very high efficiency on the wire. The use...| packetmischief.ca
There can be times when you're working on the AWS Cloud where you need to grant limited access to your account to a third-party. For example: a contractor or a specialist needs to perform some work on your behalf; you're having AWS Professional Services or a partner from the Amazon Partner Network do some work in your account; you're conducting a pilot with AWS and you want your friendly neighborhood Solutions Architect to review something. In each of these cases you likely want to grant the per...| packetmischief.ca
Here's a simple scenario: you have some Virtual Machines (VMs) in your on-premises environment, likely in VMware vSphere or Microsoft Hyper-V. You want to either fully migrate some or all of those VMs to the AWS Cloud or you want to copy a gold image to the AWS Cloud so you can launch compute instances from that image. Simple enough. Now, how do you do it? Can you just export an OVA of the VM, copy it up, and then boot it? Can you somehow import the VMDK files that hold the VM's virtual drive...| packetmischief.ca
Following on the heels of my previous post, Five Functional Facts about AWS Identity and Access Management, I wanted to dive into a separate, yet related way of enforcing access policies in AWS: Service Control Policies (SCPs). SCPs and IAM policies look very similar—both being JSON documents with the same sort of syntax—and it would be easy to mistake one for the other. However, they are used in different contexts and for different purposes. In this post, I'll explain the context where S...| packetmischief.ca
There are roughly a GAJILLION articles, blogs, and documents out there that explain how to set up Amazon CloudFront to work with WordPress. Most of them are wrong in one or more ways.| packetmischief.ca
This post is part of an open-ended series I'm writing where I take a specific protocol, app, or whatever-I-feel-like and focus on five functional aspects of that thing in order to expose some of how that thing really works. The topic in this post is the AWS Identity and Access Management (IAM) service. The IAM service holds a unique position within AWS: it doesn't get the attention that the machine learning or AI services get, and doesn't come to mind when buzzwords like "serverless" or "cont...| packetmischief.ca
In a previous post, I reviewed what a public subnet and Internet Gateway (IGW) are and that they allowed outbound and inbound connectivity to instances (i.e., virtual machines) running in the AWS cloud. If you're the least bit security conscious, your reaction might be, "No way! I can't have my instances sitting right on the Internet without any protection". Fear not, reader. This post will explain the mechanisms that the Amazon Virtual Private Cloud (VPC) affords you to protect your instances.| packetmischief.ca
For a long while now I've been brainstorming how I could leverage the API that's present in the Cisco Spark collaboration platform to create a bot. There are lots of goofy and fun examples of bots (e.g., Gifbot) that I might be able to draw inspiration from, but I wanted to create something that would provide high value to myself and anyone else that chooses to download and use it. The idea finally hit me after I started using Zabbix for system monitoring. Since Zabbix also has a feature-rich AP...| packetmischief.ca
Continuing in a tradition I started early this year where I take a look back at the year that just passed, I've again been very fortunate to have had an amazing year, both in my professional and personal lives. Writing this post is my way of forcing myself to stop and take notice of what I was involved in (something I'm not very good at letting myself do in the moment) and also give readers a chance to see the "me" behind the scenes. Let's go through the list!| packetmischief.ca
If you're an IT professional and you have at least a minimal awareness of what Cisco is doing in the market and you don't live under a rock, you would've heard about the major launch that took place in June: "The network. Intuitive." The anchor solution to this launch is Cisco's Software Defined Access (SDA) in which the campus network becomes automated, highly secure, and highly scalable. The launch of SDA is what's called a "Tier 1" launch where Cisco's corporate marketing muscle is fully e...| packetmischief.ca
I want to draw some attention to a new document I've written titled "Troubleshooting Cisco Network Elements with the USE Method". In it, I explain how I've taken a model for troubleshooting a complex system--the USE Method, by Brendan Gregg--and applied it to Cisco network devices. By applying the USE Method, a network engineer can perform methodical troubleshooting of a network element in order to determine why the NE is not performing/acting/functioning as it should.| packetmischief.ca
The USE Method is a model for troubleshooting a system that is in distress when you don't know exactly what the nature of the problem is. For example, if users within a specific part of your network are complaining of slowness, disconnects and poor application performance, you can probably isolate your troubleshooting to 2-3 switches or routers. However, since the problem description is so vague (we all love the "it's slow!| packetmischief.ca
In response to my article about what would cause a directly connected route to be overridden, Matt Love (@showflogi) made a good observation: Good stuff - LPM rule can be a useful tool if you want to manipulate paths without mucking with metrics, esp if using multiple protocols — Matt Love (@thatmattlove) July 13, 2017 What Matt is saying is that longest prefix match (LPM) is a mechanism that can be used to steer traffic around the network in order to meet a technical or business need. This...| packetmischief.ca
I ran into this situation on a recent project and thought it would make an excellent question on an exam. It could be worded something like this: What is the behavior of a router or Layer 3 switch when a dynamic route is learned that partially overlaps with a directly connected network? The router reboots; The network reboots; That's um-possible; None of the above| packetmischief.ca
Well, I got to tick a big item off my list of goals last week. I successfully delivered a presentation at Cisco Live! in front of a large group of people. It didn't kill me and I didn't trip over anything and embarrass myself so no matter what, I have those two points to feel good about :-) [Image: Me starting my presentation] All joking aside, it actually went a whole lot better than that.| packetmischief.ca
On Jun 21, the OpenVPN team released an update for the 2.3.x and 2.4.x branches that resolved some newly discovered security vulnerabilities. The OpenVPN team recommends that users "upgrade to OpenVPN 2.4.3 or 2.3.17 as soon as possible". OpenBSD 6.0--which was released Sep 1 2016 and is still receiving security updates to the base system as per OpenBSD's policy--shipped with a package for OpenVPN 2.3.11. Below you will find a patch and instructions for using the ports system to upgrade to vers...| packetmischief.ca
Well, it looks like another major item will get struck from my bucket list this year. I've been accepted to present at Cisco Live in Las Vegas this summer! 👊 This session is designed to walk through an enterprise network and look at how EIGRP can be engineered with purpose to best suit the needs of the different areas of the network. I will focus a lot on stability and scaling EIGRP and will show the audience how, where, and when to leverage common EIGRP features such as summarization, fas...| packetmischief.ca
It's funny, in my experience, OSPF is the most widely used interior gateway protocol because it "just works" and it's an IETF standard which means it inter-ops between different vendors and platforms. However, if you really start to look at how OSPF works, you realize it's actually a highly complex protocol. So on the one hand you get a protocol that likely works across your whole environment, regardless of vendor/platform, but on the other you're implementing a lot of complexity in your cont...| packetmischief.ca
Cacti is a "complete network graphing solution" according to their website. It has also been a thorn in my side for a long time. See what I did there? Thorn... because it's a cactus... never mind. When Cacti is in a steady state--when I could get it to a steady state--it was good. Not great, because there was a lot of effort to get it into what I consider "steady state", but good. The rest of the time... thorny. There are five major things that have driven me up the wall. In no particular order:| packetmischief.ca
I had just lost the RAID array that hosts my ESXi data store. I didn't yet know that's what had happened, but with some investigation, some embarrassment, and a bit of swearing, I would find out that an oversight on my part three years ago would lead to this happening.| packetmischief.ca
This past June when I was in North Carolina at Cisco's CPOC lab, I learned that there was a chance--albeit a slim one, but a chance nonetheless--that a position would be opening up on the CPOC team in the fall. By that point I had been to CPOC three times and knew many of the engineers who worked there. I spoke to them to get their feedback, met with the newly-hired manager of the team, and just generally did all the things I thought I should be doing to take advantage of my time being face to ...| packetmischief.ca
I haven't ever written a "year in review" type of post before. Sure, I do a post to summarize how the blog has done over the year but I've never done a personal look back. Last night--New Year's Eve--I was thinking about everything that I was involved in during 2016 and I realized "I should write this down! I was involved in or a participant of some amazing things last year!" So here we go. In an effort to show a more personal side and not just my geeky side, here is my personal 2016 year in rev...| packetmischief.ca
Happy New Year! I just realized the other day that this blog turned 5 years old in 2016. It's been a lot of fun and has paid me back for my time in terms of building my brand and being a means to explore and learn new topics. I have plans to put more focus on my writing in 2017 and reduce the friction between starting with a blank page and hitting that "Publish" button. Anyways! Here's a look back at 2016 on packetmischief.ca.| packetmischief.ca
Sixth Generation Intel NUC: I recently decided it would be fun to upgrade the hardware on my main OpenBSD machine at home (because, you know, geek). These Intel NUC machines are pretty interesting. They are pretty powerful, support a decent amount of RAM, certain models support internal storage, and they are very low power and low noise. Perfect for a machine that is a shell/email/development box.| packetmischief.ca
So... I'm a little embarrassed to admit this but I only very recently found out that there are significant differences in how Virtual Port Channels (vPC) behave on the Nexus 5k vs the Nexus 7k when it comes to forming routing adjacencies over the vPC. Take the title literally! I've read the vPC Best Practice whitepaper and have often referred others to it and also referred back to it myself from time to time. What I failed to realize is that I should've been taking the title of this paper more...| packetmischief.ca
Whether it's Dropbox, LinkedIn, MySpace, PlayStation, or whatever the latest breach happens to be, it's almost inevitable that you will be caught up in one of these breaches and have your username, password and possibly other information exposed in a data dump. Here's how to respond when that happens.| packetmischief.ca
There's a lot of information on the intertoobs about getting ssh-agent "working" in OS X and even more articles about when and how the stock behavior of ssh-agent changed (mostly with respect to how ssh-agent interacted with the Keychain). This article doesn't cover or care about any of that. This article is concerned with: Enabling ssh-agent in such a way that I can "ssh-add" in one terminal window and that same agent (and the loaded keys) is available in all of my other terminal windows. En...| packetmischief.ca
At Cisco's GSX conference at the start of FY17, the DevNet team made a programming scavenger hunt by posting daily challenges that required using things like containers, Python, and RESTful APIs in Cisco software in order to solve puzzles. In order to submit an answer, the team created an API that contestants had to use (in effect creating another challenge that contestants had to solve). This post contains the artifacts I created while solving some of the challenges.| packetmischief.ca
I'm a big fan of Let's Encrypt (free, widely trusted SSL certificates) but not a big fan of most of the client software available for requesting and renewing certificates. Unlike a typical certificate authority, Let's Encrypt doesn't have a webui for requesting/renewing certs; everything is driven via an automated process that is run between a Let's Encrypt software client and the Let's Encrypt web service. Since the protocols that Let's Encrypt uses are standards-based, there are many open s...| packetmischief.ca
I got an interesting email from Ying Lu who had read my posts on LSM: I am curious about the Ethernet DA and codepoint used for multicast MPLS. Previously, I understand that: Ethernet DA is unicast MAC of nexthop of each replication leg. codepoint is 0x8847 However, looking at RFC5332, I am not so sure... Quote: "Ethernet is an example of a multipoint-to-multipoint data link. Ethertype 0x8847 is used whenever a unicast ethernet frame carries an MPLS packet.| packetmischief.ca
NSF and GR are two features in Layer 3 network elements (NEs) that allow two adjacent elements to work together when one of them undergoes a control plane switchover or control plane restart. The benefit is that when a control plane switchover/restart occurs, the impact to network traffic is kept to a minimum and in most cases, to zero.| packetmischief.ca
Presenter: Paul Lysander, Technical Marketing Engineer, Cisco| packetmischief.ca
Presented by: Russ White, LinkedIn| packetmischief.ca
Presenter: Fred Niehaus, Technical Marketing Engineer, Cisco Wireless Networking Group| packetmischief.ca
Presented by: David Prall, Communications Architect, Cisco For reference, David is the "father of IWAN". This session was not what I was expecting. I was expecting design and architecture, but it was all about features in IOS and IOS-XE (e.g., FHRPs, routing protocol timers, PfRv3, BFD). I guess I need to pay more attention to the session code (RST == routing; ARC == architecture).| packetmischief.ca
Presented by Muhammad A Imam, Sr Manager Technical Marketing Engineering| packetmischief.ca
Presenters: Lewis Hickman, Consulting Systems Engineer; Jennifer Valentine, Systems Engineer| packetmischief.ca
Presenter: Steven Heinsius, Product Manager, Enterprise Networking Group I'm hoping the title of this session could also be "7 Ways to not be a TOTAL Wireless Noob" since that's more my level. 😁| packetmischief.ca
Presenters: Rick Irons-Mclean, Oil & Gas and Energy Architecture Lead; Jason Greengrass, IoT Solution Architect| packetmischief.ca
I know it's cliché and I know I'm biased because I have an @cisco.com email address, but I've truthfully never seen anything like CPOC before. And the customers I've worked with at CPOC haven't either. It's extremely gratifying to take something you built "on paper" and prove that it works; to take it to the next level and work those final kinks out that the paper design just didn't account for. Anyways, on to the point of this post. When I was building the topology for the customer, I kept ...| packetmischief.ca
This post is the last one I'm planning in this series on Label Switched Multicast (LSM). The questions & answers below are meant to expand on topics from the previous posts or address topics that weren't mentioned in the previous posts at all. If you're not familiar with LSM yet then this Q&A likely won't make much sense to you and I recommend you go back and read through the previous posts. Please post a comment if one of the answers isn't clear or you have additional questions!| packetmischief.ca
I wanted to jot down some quick notes relating to running a virtual Firepower sensor on ESXi and how to validate that all the settings are correct for getting traffic from the physical network down into the sensor. Firepower is the name of Cisco's (formerly Sourcefire's) so-called Next-Gen IPS. The IPS comes in many form-factors, including beefy physical appliances, integrated into the ASA firewall, and as a discrete virtual machine. Since the virtual machine (likely) does not sit in-line of ...| packetmischief.ca
This post is going to follow a multicast packet as it moves through a sample MPLS network using Label Switched Multicast (LSM). I'll show how the packet moves through the network by looking at the forwarding tables on different routers and also by doing some packet captures. This post is part of a series I'm writing on LSM and if you're not already familiar with LSM, I recommend you go back and read the previous posts. After reading this post you will be able to precisely describe how LSM for...| packetmischief.ca
In the previous post (Label Switched Multicast - An Introduction) in this series on Label Switched Multicast (LSM) I introduced the concepts behind LSM and draft-rosen, the two most popular methods for transporting multicast traffic through MPLS Layer 3 VPNs. In this article I will talk through the configuration of LSM on the PE and P routers and get to the point where two CEs are successfully passing multicast traffic via the MPLS network. All of the configuration examples will be relevant to...| packetmischief.ca
There are two common methods for transporting multicast packets within an MPLS-based Layer 3 VPN: Generic Routing Encapsulation (GRE) with Protocol Independent Multicast (PIM) (also known as "draft-rosen"), and Label Switched Multicast (LSM). There's also a third method which uses Resource Reservation Protocol-Traffic Engineering (RSVP-TE) but I'm not going to get into that one. In this first post in a series on LSM, I'll describe how draft-rosen works, how LSM works, and then compare and contrast ...| packetmischief.ca
Happy New Year! As is my tradition, here are the 2015 blog statistics as compared to 2014. I'm pretty excited that once again readership and overall reach of this blog has increased by double digits. I'm looking forward to growing these numbers and creating challenging and interesting new content in 2016.| packetmischief.ca
The idea for this post came from someone I was working with recently. Thanks Fan (and Carson, and Shree) :-) In-Service Software Upgrade (ISSU) is a method of upgrading software on a switch without interrupting the flow of traffic through the switch. The conditions for successfully completing an ISSU are usually pretty strict and if you don't comply, the hitless upgrade can all of a sudden become impacting. The conditions for ISSU on the Nexus 5000 are pretty well documented (cisco.com link) ...| packetmischief.ca
In this post I'm going to look at the characteristics of OSPF and EIGRP when used in a Dynamic Multipoint VPN (DMVPN). I will do my best not to play favorites and instead stick to the facts (yes, I do have a preference :-). To that end I will back everything up with data from my lab. The focus areas of the comparison will be: Scalability of the hub router's control plane Overall control plane stability Traffic engineering This post won't go into any background on how DMVPN works. If you're no...| packetmischief.ca
Design For How People Learn, by Julie Dirksen (ISBN 978-0321768438) I saw the title for this book roll across my Twitter feed — can't remember from whom, sorry — from someone who had a blog and was advocating for other bloggers to check this book out. When I read the abstract for the book, I immediately added it to my reading list. "Whether it's giving a presentation, writing documentation, or creating a website or blog, we need and want to share our knowledge with other people. But if you...
The oft-requested and long awaited arrival of TACACS+ support in Cisco's Identity Services Engine (ISE) is finally here starting in version 2.0. I've been able to play with this feature in the lab and wanted to blog about it so that existing ISE and ACS (Cisco's Access Control Server, the long-time de facto TACACS+ server) users know what to expect. Below are five facts about how TACACS+ works in ISE 2.0.
I will be presenting at the Cisco Connect Canada tour in Edmonton and Calgary on November 3rd and 5th, respectively. My presentation is about that three letter acronym that everyone loves to hate: SDN :-) I will talk about SDN in general terms and describe what it really means; what we're really doing in the network when we say that it's "software defined". No unicorns or fairy tales here, just engineering. Next I'll talk about three areas where Cisco is introducing programmability into its d...
At the time that I'm writing this I've been working at Cisco for just over 3 years as a Systems Engineer. Prior to that I worked for multiple Cisco customers and was heavily involved in Cisco technologies. I know what a monster cisco.com is and how hard it can be to find what you're looking for. Since starting at Cisco, the amount of time I've spent on cisco.com has shot up dramatically. Add to that studying for my CCIE and it goes up even more. In fact, cisco.com is probably the number 1 or ...
As I've written about previously (The Importance of BGP NEXT_HOP in L3VPNs), the BGP NEXT_HOP attribute is key to ensuring end-to-end connectivity in an MPLS L3VPN. In the other article, I examine the different forwarding behavior of the network based on which of the egress PE's IP addresses is used as the NEXT_HOP. In this article I'll look at the subnet mask that's associated with the NEXT_HOP and the differences in forwarding behavior when the mask is configured to different values. There ...
I've been doing a lot of reading and video watching on securing industrial control and automation systems (ICAS) (sometimes referred to as SCADA systems) so this POI has a few links related to that and ends with a link to an editorial piece about privacy and why privacy matters to us all.
In an MPLS network with L3VPNs, it's very easy for the NEXT_HOP attribute of a VPN route to look absolutely correct but be very wrong at the same time. In a vanilla IP network, the NEXT_HOP can point to any IP address that gets the packets moving in the right direction towards the ultimate destination. In an MPLS network, the NEXT_HOP must get the packets moving in the right direction but it must also point to the exact right address in order for traffic to successfully reach the destination.
It's been a while since I've done a POI so here we go. The Mystery of Duqu 2.0: a sophisticated cyberespionage actor returns https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/ Kaspersky Lab found this new variant of the Duqu malware in their own network. They wrote a paper based on their analysis of this new malware. It fascinates me how sophisticated these software packages are and how much effort the threat actors put into them. ...
Presenter: Arkadiy Shapiro, Manager Technical Marketing (Nexus 2000 - 7000) @ArkadiyShapiro
"You could say I'm obsessed with BFD" -Arkadiy
Fast failure detection is the key to fast convergence.
Presenter: Eric Kostlan, Technical Marketing Engineer, Cisco Security Technologies Group
"Above all, Snort is a community" -Eric
Snort stats: over 4 million downloads; nearly 500,000 registered users. Snort was created in 1998 (!!). Sourcefire founded in 2001.
Presenters: Dave Zacks, Distinguished Engineer; Peter Zones, Principal Engineer
History has been: 10x performance increase at 3x the cost. 40Gb broke that model -> 100Gb PHYs were very expensive; industry needed/wanted an intermediate step.
Presenter: Eric Howard, Technical Marketing Engineer
"Why aren't we stopping all the malware???"
Presenter: Chuck Stickney, Cisco SE
Handful of OT folks in the room; majority IT.
Convergence benefits: simplification (common protocols); reduced cost; pervasive enablement of features and services.
Presenter: Markus Harbek, CCIE, CCDE
Who knows what SDN stands for? Still Don't kNow. Still Does Nothing. Schnitzel Dinner Night.
Presenter: Craig Williams (@security_craig) - Sr Technical Leader / Security Outreach Manager, Cisco TALOS
"I'm from Talos. We love to stop bad guys."
Talos by the numbers: 1.1 million incoming malware samples per day; 1.5 billion SenderBase reputation queries per day. Talos has a serious amount of data. For serious.
A friend of mine recently had a solar panel system installed on his acreage. Besides being interesting because of the renewable/green aspect of the project, the system itself—from SolarEdge—is actually highly digital. A mobile app is used for commissioning the system. SolarEdge operates a cloud service which collects telemetry from the system and reports various performance metrics in a user-friendly dashboard. The inverters can connect to the IP network and provide a means to collect tel...
In a throwback to the problems I dealt with using AirPlay across VLANs, I recently jumped through similar hoops for Sonos speakers. There are many forum and blog posts out there that describe (or attempt to describe) how to make this work, however all of the ones I read suffered from one or both of these problems: Their instructions had errors (e.g., reversing the upstream and downstream interfaces when talking about multicast). They don't have a diagram of traffic flow! Every network engineer ...
For the past few months I've been involved in a case study project with some colleagues at Cisco where we've been researching what the most relevant software skills are that Cisco's pre-sales engineers could benefit from. We're all freaking experts at Outlook of course (that's a joke) but we were interested in the areas of programming, automation, orchestration, databases, analytics, and so on. The end goal of the project was to identify what those relevant skills are, have a plan to identi...
I spent a long time creating my first Spark bot, Zpark. The first commit was in August and the first release was posted in January. So, six months elapsed time. It's also over-engineered. I mean, all it does is post messages back and forth between a back-end system and some Spark spaces and I ended up with something so complex that I had to draw a damn block diagram in the user guide to give people a fighting chance at comprehending how it works. Its internals could've been much simpler. But ...
Cisco Encrypted Traffic Analytics (ETA) sounds just a little bit like magic the first time you hear about it. Cisco is basically proposing that when you turn on ETA, your network can (magically!) detect malicious traffic (i.e., malware, trojans, ransomware, etc.) inside encrypted flows. Further, Cisco proposes that ETA can differentiate legitimate encrypted traffic from malicious encrypted traffic. Uhmm, how? The immediate mental model that springs to mind is that of a web proxy that intercepts ...
Didn't I just write the 2016 statistics post like... last week? Another year has flown by and with it another year of attempting to prioritize my writing. I'll be honest, I'm not optimistic about what I'm going to find when I compare 2017 to 2016. It was a year filled with a lot of change and opportunity so I'll use that as my excuse as to why I didn't write as much or as often as I had planned. I was thinking though: every year I set a goal of writing more posts than the previous year, but t...
For the benefit of readers who haven't worked with Flask or don't know what Flask is, it's a so-called microframework for writing web-based applications in Python. Basically, the framework takes care of all the obvious tasks that are needed to run a web app. Things like talking HTTP to clients, routing incoming requests to the appropriate handler in the app, and formatting output to send back to the client in response to their request. When you use a framework like this, you as the developer ...
This post has been sitting in the "drafts" folder for a while now. Clearly, since it's August and is therefore a little late to be deciding on a plan that is supposed to carry through all 12 months of 2017. Regardless, I think it's still worth sharing how I've attempted to increase the frequency of my blogging. My basic goal for 2017 is: Create more content in 12 months than I ever have before in order to a) significantly build up the depth and breadth of knowledge on my blog, b) increase my ...
Mohamed Anwar asked the following question on my post "4 Types of Port Channels and When They're Used". "I need a clarification, where if a member link fails, what will happen to the traffic already sent over that link? Is there any mechanism to notify the upper layer about the loss and ask it to resend? How will this link failure be handled for data traffic and control traffic?" — Mohamed Anwar I think his questions are really important because he hits on two really key aspects of a fai...