
OSI MODEL

Layer 2 – Data Link: specifications for delivering data across a uniform medium; provides the functional & procedural means to transfer data between network entities

Data Link Functions:

  • PHYSICAL ADDRESSING: formats the signal into data frames, organizing the bits into:
    • Frame Headers: contain the hardware destination & source address
    • Payload: contains the actual data/information being transmitted
  • ERROR DETECTION: detection of transmission errors that may occur in the physical layer
  • ACCESS ARBITRATION: endeavors to arbitrate between parties contending for access to a medium; in the event of contention, specifies how devices detect & recover from such collisions, and may provide mechanisms to reduce or prevent them
  • UPPER LAYER PROTOCOL IDENTIFICATION: data-link frames do not cross the boundaries of a local network, thus inter-networking and global addressing require higher-layer functions. The protocols used to fulfill these functions must be identified.

Data Link Technologies/Protocols

  • L2 Devices – Bridges, Switches, Wireless AP, Network Interface Cards (NIC)
  • L2 LAN Protocols – 802.3 Ethernet, 802.11 Wireless,
  • L2 ISP Protocols – PPP, PPTP, L2TP, Frame Relay, Q.921 (ISDN), ESF (T1)

Data Link Framework

Composed of 2 Sub-Layers

  1. LLC [Logical Link Control] 802.2; done in software
    • Flow Control & Regulation of data transfer rate
    • Error Detection [via FCS: Frame Check Sequence]
    • Identification Of Layer 3 Protocol [via Protocol Field in Header: DSAP/SNAP]
    • Encapsulation/Decapsulation
  2. MAC [Media Access Control]; done in hardware
    • Hardware Addressing
    • Media Contention

Ethernet Layer 2 Functions

Addressing – defines ID for each network node

Ethernet = MAC address = 48 bits long

Ethernet MAC Addresses – burned into the network device's EEPROM
NOTE: 48 bits are represented as a 12-digit hex ID
Ex) 0000.0015.E1FF
Decimal: 248 = Hex: F8 – (F is in the 16's column, and 8 is in the 1's column)
Decimal: 17 = Hex: 11

Cisco Notation – 0000.0000.FFFF
Standard Notation – 00:00:00:00:FF:FF

XX: represents 8 bits/1 byte – 0 to 255

010C.5C00.F544

(First 24 bits) OUI [Organizationally Unique Identifier] – Manufacturer ID assigned by IEEE
(Last 24 bits) Interface ID – Unique ID for that device

:. 16 million Manufacturers, each with 16 million unique device ID’s

Error Detection – determines if data successfully transmitted across the physical medium

Ethernet = FCS[Frame Check Sequence]

4-byte Data-Link trailer – essentially, an algorithm is run over the frame's contents before transmission, and the receiver runs the same algorithm and compares its result with the transmitted value :. if they are the same -> no errors occurred

/!\NOT Error -Recovery-

Identification Of Encapsulated Data – identifies Layer 3 protocol that encapsulated the data

Ethernet = 802.2 LLC [Logical Link Control] sub-headers

i.e. determines whether the data is an IPX packet meant for a Novell system, or an IP packet meant for a Windows system

Arbitration – determines when it is appropriate to use physical medium; how to avoid and/or recover from frame collisions

Ethernet = CSMA/CD[Carrier Sense Multiple Access/Collision Detection]

Media access mechanism in which a device that is ready to transmit first checks the channel for a carrier; if no carrier is sensed, the device may transmit.

Collisions: if 2 devices transmit at once -> a collision occurs

  • this collision delays retransmission from those devices for random length of time
  • more systems on network = slower network; 2X Systems -> 10X # of collisions

:. collisions limit the # of systems

[around 40% of bandwidth utilization performance peaks then drops due to collisions]

Collision Detection Process
  1. collision is detected [i.e. voltage is over acceptable range]
  2. jam signal propagates & notifies all devices on network
  3. all devices stop transmitting
  4. set random timers before resending

802.3 Ethernet Frame

Ethernet II = Xerox Ethernet developed by Bob Metcalfe

*also called DIX [DEC Intel Xerox] Ethernet

Field   Preamble   Destination MAC   Source MAC   Type      Data   FCS
Size    8 bytes    6 bytes           6 bytes      2 bytes   MTU    4 bytes

IEEE 802.3 Ethernet

Field   Preamble   SD       Dest MAC   Source MAC   Length    DSAP     SSAP     Control     Data   FCS
Size    7 bytes    1 byte   6 bytes    6 bytes      2 bytes   1 byte   1 byte   1-2 bytes   MTU    4 bytes

IEEE 802.3 Ethernet w/ SNAP Header

Field   Preamble   SD       Dest MAC   Source MAC   Length    DSAP     SSAP     Control     SNAP      Data   FCS
Size    7 bytes    1 byte   6 bytes    6 bytes      2 bytes   1 byte   1 byte   1-2 bytes   5 bytes   MTU    4 bytes

MTU[Maximum Transmission Unit] – 64 to 1518 bytes

defines max Layer 3 packet size that can be sent over a specific medium

802.2 LLC Sub-headers

SSAP[Source Service Access Point] – IEEE defined “type” field that identifies the Layer 3 protocol that originated Data

DSAP[Destination Service Access Point] – IEEE defined “type” field that identifies the Layer 3 protocol to send the Data to

SNAP[Sub-Network Access Protocol] – later developed by IEEE to accommodate additional protocols; i.e. extension to DSAP

Control – notifies what type of packet is encapsulated in frame :. reduces cross-protocol broadcasts [i.e. identifies what -fields- will follow]

NOTE: DSAP value of AA & Control value of 03 signifies to use SNAP to identify protocol

/!\TCP/IP requires SNAP

Preamble – a 64-bit (8-byte) field generated by the LAN interface card that contains a synchronization pattern consisting of alternating ones and zeros and ending with two consecutive ones, which allows devices on the network to easily detect a new incoming frame. After synchronization is established, the preamble is used to locate the first bit of the packet.

SFD [Start Frame Delimiter] – the 8-bit (1-byte) value marking the end of the Preamble of an Ethernet frame, designed to break the alternating pattern and signal the start of the actual frame. It has the value 10101011.

Both the Preamble and the SFD assist a NIC's adjustment to slight speed variations between frames.
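To make the frame layouts and the DSAP/Control rule above concrete, here is an added example (my own code, not from the original notes). It builds and decodes Ethernet II, 802.3 LLC and 802.3 LLC/SNAP frames, tells a Type from a Length by the 0x0600 threshold, verifies the 4-byte FCS with CRC-32, and handles MAC addresses in both Cisco and standard notation. The addresses and frames it works on are constructed sample values; two assumptions are marked in comments: the FCS bytes are packed least-significant byte first, and the LLC Control field is the 1-byte (U-frame) form.

```python
import zlib
from dataclasses import dataclass
from typing import Optional, Tuple

ETHERTYPE_MIN = 0x0600   # Type/Length >= 0x0600 means Ethernet II "Type"; below it, an 802.3 "Length"
SNAP_SAP = 0xAA          # DSAP/SSAP value AA with Control 03 signals "use SNAP to identify the protocol"
UI_CONTROL = 0x03        # assumption: 1-byte LLC Control (unnumbered information); 802.2 allows 1-2 bytes


def parse_mac(text: str) -> bytes:
    """Accept Cisco (0000.0015.E1FF) or standard (00:00:00:15:E1:FF) notation -> 6 raw bytes."""
    digits = text.replace(":", "").replace(".", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"MAC must be 12 hex digits: {text!r}")
    return bytes.fromhex(digits)


def format_mac(raw: bytes, cisco: bool = False) -> str:
    """6 raw bytes -> 00:00:00:15:E1:FF, or 0000.0015.E1FF when cisco=True."""
    h, step = raw.hex().upper(), (4 if cisco else 2)
    return ("." if cisco else ":").join(h[i:i + step] for i in range(0, 12, step))


def split_mac(raw: bytes) -> Tuple[str, str]:
    """First 24 bits = OUI (IEEE-assigned manufacturer ID), last 24 bits = interface ID."""
    return raw[:3].hex().upper(), raw[3:].hex().upper()


def fcs(body: bytes) -> bytes:
    """Frame Check Sequence: CRC-32 over destination MAC through end of data.
    Assumption: packed little-endian, i.e. the order the CRC bytes appear on the wire/in a capture."""
    return zlib.crc32(body).to_bytes(4, "little")


def build_ethernet_ii(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    body = dst + src + ethertype.to_bytes(2, "big") + payload
    return body + fcs(body)


def build_8023(dst: bytes, src: bytes, payload: bytes, dsap: int = 0, ssap: int = 0,
               snap_type: Optional[int] = None) -> bytes:
    """802.3 frame with an 802.2 LLC header; snap_type adds the 5-byte SNAP extension (OUI 000000 + type)."""
    if snap_type is not None:
        llc = bytes([SNAP_SAP, SNAP_SAP, UI_CONTROL, 0, 0, 0]) + snap_type.to_bytes(2, "big")
    else:
        llc = bytes([dsap, ssap, UI_CONTROL])
    data = llc + payload
    body = dst + src + len(data).to_bytes(2, "big") + data
    return body + fcs(body)


@dataclass
class Frame:
    dst: str
    src: str
    src_oui: str
    encapsulation: str          # "Ethernet II", "802.3 LLC" or "802.3 LLC/SNAP"
    ethertype: Optional[int]
    dsap: Optional[int]
    ssap: Optional[int]
    payload: bytes
    fcs_ok: bool                # FCS only *detects* corruption; nothing here recovers from it


def decode(frame: bytes) -> Frame:
    if len(frame) < 18:
        raise ValueError("runt: shorter than a 14-byte header plus 4-byte FCS")
    body, trailer = frame[:-4], frame[-4:]
    ok = fcs(body) == trailer
    dst, src = body[:6], body[6:12]
    common = (format_mac(dst), format_mac(src), split_mac(src)[0])
    type_or_len = int.from_bytes(body[12:14], "big")
    rest = body[14:]
    if type_or_len >= ETHERTYPE_MIN:                       # Ethernet II: Type identifies Layer 3 directly
        return Frame(*common, "Ethernet II", type_or_len, None, None, rest, ok)
    data = rest[:type_or_len]                              # 802.3: Length, then the LLC sub-header
    if len(data) < 3:
        raise ValueError("truncated LLC header")
    dsap, ssap, control = data[0], data[1], data[2]
    if dsap == SNAP_SAP and ssap == SNAP_SAP and control == UI_CONTROL and len(data) >= 8:
        return Frame(*common, "802.3 LLC/SNAP", int.from_bytes(data[6:8], "big"), dsap, ssap, data[8:], ok)
    return Frame(*common, "802.3 LLC", None, dsap, ssap, data[3:], ok)


if __name__ == "__main__":
    # constructed sample addresses (the ones used in the notes above) and payloads
    dst, src = parse_mac("0000.0015.E1FF"), parse_mac("01:0C:5C:00:F5:44")
    for f in (build_ethernet_ii(dst, src, 0x0800, b"\x45" + b"\x00" * 19),
              build_8023(dst, src, b"\xAA" * 10, snap_type=0x0800),
              build_8023(dst, src, b"\x01" * 10, dsap=0xE0, ssap=0xE0)):
        print(decode(f))
```

The decoder reports `fcs_ok` rather than raising, so a caller can count or log corrupted frames; flipping a single payload bit in any of the sample frames is enough to make the check fail.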


Sigh. You know, these past 5 or so years, I’ve been meandering around so many different aspects of IT…such a huge array of infrastructure technologies, all in order to meet the demands placed on me out in the battlefield. Either being the primary infrastructure architect, designing & operating a data center, and now finally as director of IT at my current job, I’ve needed to be highly competent in multiple disciplines in order to keep my head afloat in the tirade of shit-storms that incessantly barrage every network I’ve managed.

And let me tell you, it has NOT been easy. My list of certs is just ridiculous, but honestly these came out of an effort to simply understand…TRULY understand…all these various, complex technologies.

I was never fortunate enough to have guidance. While I certainly had colleagues in the field, they were in the same position I was– lacking a deep enough, master-level of understanding.

I desperately wanted a mentor, but after numerous failed attempts from IRC and 2600, my impatience finally won out. So throwing my arms up in frustration, I simply resigned myself to the DIY state of mind; left the world of ATI vs Nvidia T&L anisotropy Direct 3D super-mega online PC gaming behind…and took the first real step of my IT career to find those answers on my own.

I certified myself in various disciplines from active directory to information security to service provider networks to virtualization, and yes, it certainly paid off. If I had to, I could run a company’s entire IT department myself (assuming they kept me pumped full of intravenous amphetamines, since nothing interferes with productivity quite like “biology”). I was adaptable enough to work in multiple spaces from collocated data centers, service providers, and of course good old fashioned enterprise.

“Jack of all trades.” Master of some.

And by the way, by “ridiculous” list of certs, I mean freaking RIDICULOUS:

  • TippingPoint Certified Security Expert #2370
  • Information Systems Security (INFOSEC) Professional, NSTISSI 4011
  • VMware Certified Professional vSphere 5
  • Cisco Certified Network Associate (CCNA)
  • Cisco Certified Network Associate: Voice (CCNA: VOICE)
  • Cisco Certified Network Associate: Security (CCNA: SECURITY)
  • Cisco Certified Network Professional (CCNP)
  • Cisco SMB Engineer
  • Cisco SMB Account Manager
  • Microsoft Certified Systems Administrator 2000
  • Microsoft Certified Systems Administrator 2003 / Security
  • Microsoft Certified Technology Specialist: Windows Server 2008 R2, Server Virtualization
  • CompTIA A+ Certification
  • CompTIA Network+ Certification
  • CompTIA iNet+ Certification
  • CompTIA Security+ Certification

Again, all because I was sick and tired of being blind; no experience and certainly no one around who could offer any guidance:

“Hey is a Pentium Pro or Pentium MMX better?” No one knew, so thus came the A+

“Hey how do you control Active Directory replication between forests?” No one knew, so thus came the MCSA

“Hey, whats the difference between SRR and WRR queuing on the 3550’s vs the 3560’s?” No one knew, thus came 75% of my CCIP, which I would have completed if the butt-faces @ Cisco Learning hadn’t decommissioned the cert when I was 3/4 of the way through!

End.rant()

You get the idea. But now the time has come to stop spreading myself so wide, and to focus now on my core competency: networking.

The time has come for this jedi to step up and fight for his CCIE.

No more netapp, no more juniper, no more Microsoft: the path I have chosen is the only one that is right for me. I’m sorry Brocade; I’m sorry ISC2. EMC, you’ll just have to wait in line with all your friends.

I want that CCIE and those who oppose me will be cut down into bite-size pieces and fed to my mutant, ill-tempered sea bass.

So, now that I’ve made my decision, how do I proceed? I’ve decided to fork out $500 for a starter study package. It is a lot of money, but it won’t kill me. I was going to do all of this 100% on my own; download PDFs from Cisco, buy a bunch of books off Amazon. But no, that path is too unfocused. I’ve attempted that before, and you end up burning half your energy searching through multiple sources of documentation, and even at times finding the information self-conflicting, if not confusing.

This time, I am going to seek the guidance I’ve been denied in the past; it’s finally available and certainly within reach. If I am to do this most monstrous of achievements, it’s time to change old habits and old ways of thinking.

Now then, the first step is the reality check: where am I at in respect to the CCIE requirements?

  • Layer 2 technologies. I’m fairly strong here; certainly in Ethernet, but I also have had a good amount of experience with PPP. I’ve optimized data center cores, so I’ve setup MST a few times, usually though RPVST has been sufficient in the field. Frame Relay on the other hand, not so recent. Last time I configured a frame relay circuit was probably 2006. I’ll give myself 7/10.
  • Implement IPv4. Not too bad here either. Of course I’m sure there is a ridiculous amount of minutia surrounding OSPF and EIGRP, but I’m solid on the fundamentals. Same with BGP; I’ve worked in service provider environments, so I have had practical experience in the real-world. In fact I also took & passed the former CCIP’s BGP exam, so focus on the minutia and more exotic configs. PFR on the other hand, completely ignorant. In fact I had never even heard of this until today. I’ll give myself 8/10.
  • Implement IPv6. Oh god this is the most ANNOYING one. Certainly studied it for my CCNP, but never used in real-world setting, and extremely rusty. Not to mention I personally don’t buy into this “we’re all switching to IPv6 because the world is ending” drama. Maybe if you’re Verizon or AT&T, but I seriously doubt any enterprises or data centers making use of RFC1918 addresses will have a need. Sigh, probably 2/10.
  • Implement MPLS Layer 3 VPN. Did study a little bit of the theory for CCNP, and I can’t speak reasonably intelligently about LDP, LFIB, etc. but unfortunately this was the 1/4 that I didn’t take for the CCIP. I have done a single implementation of this at a data center core to separate customer networks, but I’m sure I have a long way to go in terms of practical implementation. Here I’m a 3/10.
  • Implement IP Multicast. Again, some theory from CCNP, and about 3 real-world implementations for VoIP music on hold & paging. However when I look at a show mroute, I feel the neural synapses in my brain being sucked up into space as I stare dumbfounded at terminal outputs. Because I know the basic steps to setup sparse mode and dense mode, I’d say 5/10.
  • Implement IOS Security. Here I’m ready to rock. I got my CCNA-Security and just loved learning about all the inherent security features on routers & switches. Only because I’m unfamiliar with the new v5 of IOS IPS signatures (back in my day we just had 128MB.SDF and 256MB.SDF) and because I’ve never implemented 802.1x at the switch level, I’m giving myself a 8/10.
  • Implement Network Services. Another strong section. I’ve setup SNMP, NTP, DHCP, and HSRP many times. WCCP not so much, so we’ll go with another 8/10.
  • Implement QoS. I did take the QoS exam, and I have implemented this many times for VoIP implementations. So configuring the policies and working with NBAR, I’m pretty solid. However, the queuing specifics of catalyst switches is something I’m rusty on. Let’s be honest, on 10/100 switches QoS isn’t a life or death thing (certainly not like it is on the WAN side) and usually autoqos voip trust is sufficient. Plus QoS for Frame Relay is a topic here, so I’ll give myself 6/10.
  • Troubleshoot a Network. Oh god. How can I even guess? I’ve certainly been doing this for a while, but this is the CCIE exam. God knows what crazy bullshit they’ll throw in front of me. Plus, when I’m troubleshooting a network, I have the luxury of dual 21” monitors, with all my templates at my disposal on the desktop, as well as all my favorite tools (nmap, tcpdump, etc.) I’ll stay on the conservative side and give myself a 6/10 here.
  • Optimize a Network. I think this section should be renamed to “monitor” a network. Well, I’ve worked with SNMP, FTP/TFTP, HTTP/HTTPS, NetFlow, and syslogging. I’ve setup my share of SPAN/RSPANs for IPS devices. Never really used RMON, and no clue what EEM is. And again, I have dual 21” monitors and historical reports on my solarwinds server to really study & monitor traffic patterns. In the CCIE I’ll have what…90 seconds maybe, to quickly read through several pages of text/CLI outputs on a 15” monitor. I think I’ll give myself another 6/10.

So there it is. Now how shall I conquer this mountain?

STAGE 1: “ROUTING” AND “SWITCHING”

My tentative battle plan is to focus on Layer 2 and IPv4 routing first, advancing my skills on these as much as possible; after all it is CCIE “Routing & Switching.” After that I’m going to skip over IPv6, which I plan on saving for last, since I feel that is by far my weakest topic, and move onto Multicast. Since Multicast is dependent on existing routing & switching to function, this seems like a natural progression, esp since I’ll need to understand it better in the context of Ethernet and IPv4. Because these topics define the foundation of “Routing & Switching” I will probably focus on these 3 areas exclusively until I can comfortably perform any of their respective “foundation-level” labs.

The concern here is getting “rusty” on these topics if I migrate away to ancillary topics too soon. I’m sure this will happen to a certain extent, but to minimize it as much as possible, I want to reach a state of total comprehension, so any refreshing is just that…refreshing, not relearning.

STAGE 2: SERVICE-PROVIDER CROSSOVER

Next I will focus on MPLS and QoS. These orbit a little closer than the remaining topics, and given their importance to the sister track “Service Provider”, I would say this is a good focal point for stage 2 of my CCIE journey.

STAGE 3: TROUBLESHOOTING PART 1

Between everything so far, it’s time to focus on troubleshooting these core milestones, not only as unique technologies, but how they interoperate with each other. And even at this stage, the focus is enormous: OSPF, EIGRP, BGP, Route-Maps, Redistribution, Frame-Relay, Spanning-Tree, PIM-DM, PIM-SM, MPLS, WRED, NBAR, Queuing, Policing, IGMPv2/v3, and THEN troubleshooting the interop between them. This is the core of the CCIE exam. If we were building a person, this is the heart, mind, muscle, and bone of that body.

STAGE 4: ANCILLARY SERVICES

Services, Security & Optimization. In terms of the test, I see these as tasks that will complicate or interfere with a properly working network. So now that I have the intermediate fundamentals down, I can now explore making it work in a more efficient and secure manner.

STAGE 5: TROUBLESHOOTING PART 2

Adding in a single NAT statement, much less IPSec, DAI, DHCP Snooping and ZBFW can bring that happy network to its knees. Clearly troubleshooting complexity increases exponentially. Being able to identify the culprit as a misconfiguration; or is it instead the normal operation of a security mechanism? Understanding the behavior of these competing technologies will be the next major undertaking.

STAGE 6: IPv6 & TROUBLESHOOTING PART 3

This is where I’ll probably want to drive my car off the freeway and end the misery. Honestly I hate IPv6. Did you have to build it using 128 bit hex addresses IEEE? Really? Did you really have to do that?

“Hey Glen, can you ping the router for me?”

“Sure, what’s the IP?”

“fe80::1198:fdcd:381f:25c9”

“….what?”

I mean really. Why not build off of IPX/SPX? Simply a DECIMAL network number to the card’s MAC address? How much freakin easier would it be?

Sigh.

Well, that is the battle plan for now. Will it change? Maybe…probably. I’m sure I’ll need to adapt. And god forbid Cisco updates the exam AGAIN while I’m in the middle of studying for it!

Anyway, I’ll keep you updated and document my progress here. Time is a bit tight, but I’m aiming for 1, possibly 2 posts a month.

Til then my padawans, give my best to your wife…and my kid

😉

Ok padawans, this is something that I’ve wanted to cover for quite a while, but with the plethora of obligations monopolizing the jedi’s time, I was out of commission for some months. But fear not! Your jedi is back in the saddle and ready to bring it!

COMBAT PREPARATION

Notice to the audience: this article assumes the reader understands basic networking concepts such as CIDR notation, legacy class A/B/C vs VLSM, and how to subnet both class B and class C networks. If I say to you, “what is the most efficient subnet mask to support 400 hosts while allowing the most possible networks/subnets”, you should know off the top of your head that 255.255.254.0 (or a /23 if you prefer) will meet this requirement. In fact you should know it can scale to 510 hosts, and the moment you get that 511th host, you will need to change masks to 255.255.252.0 (or /22), in which case you can scale up to 1022 hosts.

I’ve pasted a chart below to act as a refresher:

CIDR   Host Addresses        Subnet Mask
/19    8192 (8190 usable)    255.255.224.0
/20    4096 (4094 usable)    255.255.240.0
/21    2048 (2046 usable)    255.255.248.0
/22    1024 (1022 usable)    255.255.252.0
/23    512 (510 usable)      255.255.254.0
/24    256 (254 usable)      255.255.255.0
/25    128 (126 usable)      255.255.255.128
/26    64 (62 usable)        255.255.255.192
/27    32 (30 usable)        255.255.255.224
/28    16 (14 usable)        255.255.255.240
/29    8 (6 usable)          255.255.255.248
/30    4 (2 usable)          255.255.255.252
/31    2 (P2P only)          255.255.255.254


/!\ BATTLE TIP: /31 mask can, in fact, be used, as per RFC 3021

This feature has been supported since IOS 12.2T, BUT be aware it is designed to be used on point-to-point links. Let’s think about what you lose going from a /30 to a /31: the network address and the broadcast address. If you’re using a point-to-point link or non-broadcast media, those addresses are wasted. So /31 will work best on serial links running something like PPP or HDLC, or Frame Relay. They can be used on Ethernet, but since Ethernet is a broadcast-based medium, I don’t recommend it.
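As an added check for the subnetting refresher (my own example, not from the original post): given a host count, the function below returns the longest prefix that still fits, applies the RFC 3021 /31 rule only when the caller states the link is point-to-point, and regenerates the rows of the chart above from the prefix length alone so the chart can be verified rather than memorized.

```python
import ipaddress
from typing import List, Tuple


def prefix_for_hosts(hosts: int, point_to_point: bool = False) -> Tuple[int, str, int]:
    """Longest prefix (smallest subnet) whose usable host count still covers `hosts`.

    Returns (prefix length, dotted mask, usable hosts). Usable = 2^(32 - prefix) - 2 because the
    network and broadcast addresses are reserved; on a point-to-point link RFC 3021 lets a /31
    carry its two endpoints without those two addresses.
    """
    if hosts < 1:
        raise ValueError("a subnet needs at least one host")
    if point_to_point and hosts <= 2:
        return 31, "255.255.255.254", 2
    for prefix in range(30, 0, -1):          # /30 is the smallest broadcast-capable subnet
        usable = 2 ** (32 - prefix) - 2
        if usable >= hosts:
            mask = str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)
            return prefix, mask, usable
    raise ValueError("no single IPv4 prefix holds that many hosts")


def chart(first: int = 19, last: int = 30) -> List[Tuple[int, int, int, str]]:
    """Regenerate the refresher chart rows as (prefix, addresses, usable, mask)."""
    rows = []
    for prefix in range(first, last + 1):
        net = ipaddress.IPv4Network(f"0.0.0.0/{prefix}")
        rows.append((prefix, net.num_addresses, net.num_addresses - 2, str(net.netmask)))
    return rows


if __name__ == "__main__":
    for n in (400, 510, 511, 1022, 1023):
        print(n, "hosts ->", prefix_for_hosts(n))
    print("2 hosts, point-to-point ->", prefix_for_hosts(2, point_to_point=True))
    for row in chart():
        print("/%d  %d (%d usable)  %s" % row)
```

The /31 case is deliberately opt-in: a caller that does not say the link is point-to-point gets a /30 for two hosts, which matches the recommendation above for broadcast media.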

So, why do I feel this is important? You’re a Level 5 Network Ninja, CCNA in your hand, burning for the blood of your enemies (or just the AT&T account rep that terminated service due to a small “glitch” in their billing system). You’ve learned every detail of subnetting; you can subdivide a Class C in your sleep, ready to engage…

But, unfortunately, while the various network exams may cover the minute details of protocols and configuration parameters, typically the design aspect…the ~why~ …is left to you to discover through a painful process of trial and error (i.e. fix, rinse, repeat). Specifically in this case, the ability to assess an enterprise’s infrastructure and come up with an IP addressing scheme that is easy to manage, easy to route, and consistent across the entire domain.

Think for a minute. You have a college campus or an international retail network, all interconnecting with several global data centers, with multiple classes of traffic, larger sites that contain dozens of IDF’s aggregating via fiber to an MDF with 2 or more service providers, each of which tie into BGP clouds that you control. Oh and let’s not forget…all of this needs to be monitored and secured. How do you tackle this challenge?

Well, first and foremost, you need a consistent method to simplify the administration of the network, and to do that, you need a system that makes all of your network devices as easy as possible to identify, locate, and manage. One of the most critical ways you do this is with your IP addressing scheme:

  • You should be able to look at an IP address and know what it is and where it is.
  • You should use as few lines as possible to control access to and from specific networks.
  • You should use as few entries as possible to build a concise, efficient routing table to any destination throughout your enterprise.

Sure, if you have a couple branch offices and 100 users …that’s cake. But what about when you have 100 SITES, with voice & video traffic, PCI requirements, multiple 100+TB SAN/NAS devices mirroring across your private WAN that need to be collapsed onto the same core? Or even worse, what if you are the provider with different customer networks that all need to be segregated from each other?

So…rather than repeat the inadequate techniques practiced by all those non-jedi enfeeblings, spewing forth the same generic & over generalized “tips & tricks” …I instead am going to go over a specific case study. One that is based in the real world, and mirrors different aspects of networks I’ve engineered in the past. We will proceed in this exercise making design choices and explaining them as we go.

For that is how you must learn young padawan. You must observe live combat, watching the jedi’s tactics as he battles the forces of darkness, and eventually come to understand the techniques employed, use them, and make them your own. Every thrust and parry; every defensive stance and offensive strike, and above all, to preempt your enemy as he adapts to your fighting style.

To do any less is to overindulge the pedantic at the expense of the practical. And while I strongly believe in knowing your theory, theory alone will not determine the victor in combat.

Balance young Skywalker

CASE STUDY – CISCO JEDI, LLC

The company we will be using is Cisco Jedi, LLC, a US-based retail company with corporate offices in Los Angeles, Chicago, and New York, as well as 2 co-located data centers (one local to HQ in Los Angeles, and the other functioning as a DR site in Scottsdale). Additionally, they have their own retail chain of 400+ stores across the US & Canada, with plans to expand another 80 stores, including expanding into the EU and South America, by the end of 2015.

Cisco Jedi Network


CORE NETWORK

All sites are interconnected by a private MPLS cloud through Verizon, running BGP to redistribute each site’s private networks. They connect over 100mb Ethernet loops that are rate limited down accordingly at each site. The Los Angeles branch is using a Cisco 2821 and is rate-limited down to 50mb/s, while the New York and Chicago branch offices are using somewhat newer 1921’s but are rate-limited down to 20mb/s. Both data centers are running at the full 100mb/s and connect through a Cisco 3845.

Corporate HQ in Los Angeles is divided between 2 main sites: Site A and Site B. Both connect to each other by a point to point Cisco 1410 wireless bridge running at 54mb/s over 802.11g. Site B is the warehouse & distribution center which sits approximately 100 meters from Site A, the corporate office containing HR, Operations, Finance, Production, Marketing, and Design departments.

NOTE: Site B (the warehouse) is NOT directly connected to the MPLS network, but rather accesses internal applications & services through its wireless P2P bridge. Conversely, Site A (HQ) is not directly connected to the internet, but rather connects through the warehouse, traversing the wireless bridge as well.

This is your network.

/!\BATTLE TIP: There is no small number of considerations as you examine this network. Your mind should look at this topology and attempt to understand the design choices & the challenges surrounding them. For instance, the latency between the two main corporate sites over the wireless bridge, esp considering whether they have IP phones in the warehouse. You should ask yourself, why was it setup this way? Why not an internet connection and/or MPLS connection at both locations? The two culprits that should immediately come to mind are ISP availability and money. Also, take note of the retail sites. These are templatized setups in which all of the stores’ internet access goes through a centralized choke point. Again, analyze why. This being a retail company with PCI requirements, this allows easy control & restriction of traffic in or out of the retail network. Clearly internet access is needed (otherwise it wouldn’t be provided), more than likely for some type of cloud-hosted application, be it for document collaboration, payroll, or email.

The end goal of this IP scheme is to provide us with a consistent structure that in some way simplifies the massive administrative burden of managing a network. Below I will present the solution, and work backwards to explain these design decisions.

GLOBAL ADDRESSING SCHEME

Because of the large number of retail sites that need to be on the network, I’ve elected to take our addressing scheme from the 10.0.0.0/8 supernet addressing space, and will adhere to the following format:

10 . <Site ID> . <VLAN##> . X

 

SITE ID    GEOGRAPHIC LOCATION
10         Los Angeles Corp & Warehouse
12         Chicago Branch
14         New York Branch
200        Los Angeles Data Center
220        Scottsdale Data Center
100-110    Retail Sites**
255        MPLS/BGP Core


Each site can be summarized to a 10.##.0.0/16 address. For example, any device located in the NY branch will be somewhere in the 10.14.0.0/16 network. Anything in the Scottsdale data center will be in 10.220.0.0/16.

Store sites require a little more consideration: since there are more than 254 of them, we cannot simply map the Site ID to the second octet. Furthermore, each store will need far fewer devices than any of the corporate locations. My recommendation is to assign each store its own /24 class C subnet. However, in doing so, you still need to be able to take the Store # (assigned by operations) and correlate it to a network address. Speaking from experience, it’s highly desirable for all the stores’ subnets to be adjacent to each other to allow for easier route summarization & access control list management. The list below defines the addressing template we will use for the retail environment:

STORE             SUBNET
Store 1-199       10.100.(1-199).x
Store 200-399     10.102.(0-199).x
Store 400-599     10.104.(0-199).x
Store 600-799     10.106.(0-199).x
Store 800-999     10.108.(0-199).x
Store 1000-1199   10.110.(0-199).x


Examples)

Store 22      10.100.22.x/24
Store 122     10.100.122.x/24
Store 222     10.102.22.x/24
Store 522     10.104.122.x/24
Store 1222    10.112.22.x/24

LOS ANGELES CORPORATE VLANS

VLAN   FUNCTION                    NETWORK            HOSTS
8      Standard Corp Users         10.##.8.0/22       1022
16     Design/Graphics             10.##.16.0/24      254
24     Finance/Credit              10.##.24.0/24      254
32     Voice                       10.##.32.0/22      1022
40     Video/Presence              10.##.40.0/22      1022
48     Wireless: Corp              10.##.48.0/22      1022
64     Warehouse User              10.##.64.0/22      1022
72     Wireless: Warehouse         10.##.72.0/22      1022
80     Warehouse Sorting Systems   10.##.80.0/24      254
88     Guest [Internet Only]       10.##.88.0/22      1022
100    Servers                     10.##.100.0/22     1022
104    ESX/vMotion                 10.##.104.0/24     254
108    Storage                     10.##.108.0/24     254
200    Mgmt/ILO/Monitoring         10.##.200.0/22     1022
8XX    DMZ                         172.22.XX.0/16     255 Class C subnets
999    MPLS/BGP**                  10.255.##.0/16     65535 BGP loopbacks

**See MPLS/Core Section Below

DATACENTER VLANS

VLAN   FUNCTION                    NETWORK            HOSTS
100    Servers                     10.##.100.0/22     1022
104    ESX/vMotion                 10.##.104.0/24     254
108    Storage                     10.##.108.0/24     254
200    Mgmt/ILO/Monitoring         10.##.200.0/22     1022
8XX    DMZ                         172.22.XX.0/16     255 Class C subnets
999    MPLS/BGP**                  10.255.##.0/16     65535 BGP loopbacks

**See MPLS/Core Section Below

BRANCH VLANS

VLAN   FUNCTION                    NETWORK            HOSTS
8      Standard Corp Users         10.##.8.0/22       1022
16     Design/Graphics             10.##.16.0/24      254
24     Finance/Credit              10.##.24.0/24      254
32     Voice                       10.##.32.0/22      1022
40     Video/Presence              10.##.40.0/22      1022
48     Wireless: Corp              10.##.48.0/22      1022
88     Guest [Internet Only]       10.##.88.0/22      1022
100    Servers                     10.##.100.0/22     1022
200    Mgmt/ILO/Monitoring         10.##.200.0/22     1022
999    MPLS/BGP**                  10.255.##.0/16     65535 BGP loopbacks

**See MPLS/Core Section Below

COMPREHENDING THE BATTLE PLAN

By now it should be apparent that this company operates with two main paradigms: the corporate environment and the retail environment. They both have somewhat similar needs, however each has its own challenges and requirements.

RETAIL NETWORK

Let’s start with the Retail network. We need something easy, and something that scales: the company is already at 400 stores, and given their expansion plans, you should be prepared to grow to 1000+ over the next 5 years. Furthermore, to control routing updates, ACLs, NAT statements, etc., it’s best if these addresses are contiguous so the entire retail space can be easily summarized. Again, each store will be given its own /24 subnet for such things as registers, wireless devices, management stations, printers, IP phones, etc.

/!\A NOTE ON EFFICIENCY

This is why subnetting is so critical. I had given a similar exercise to one of my employees, and below is the scheme he came up with.

10.100.(1-99).x   = Store 1-99 data       10.100.(101-199).x = Store 1-99 voice
10.101.(0-99).x   = Store 100-199 data    10.101.(100-199).x = Store 100-199 voice
10.102.(0-99).x   = Store 200-299 data    10.102.(100-199).x = Store 200-299 voice
10.103.(0-99).x   = Store 300-399 data    10.103.(100-199).x = Store 300-399 voice


Note it’s not necessarily “wrong.” It certainly takes into account separating voice traffic, and overall not a bad solution. However, using TWO class C’s for one retail location; ask yourself the question, do you really think a store will need even 254 devices (much less 510)?

Also consider that this is a retail company, whose network must be governed (partially at least) by PCI compliance. Translated: your POS registers need to be on a separate VLAN. Add to that the PCI requirements for quarterly wireless scanning, and the fact that the entire earth is using iPads for everything from credit card scans to open heart surgery, and you might as well come to grips with the fact that each retail site will need to be segmented across several VLANs. In light of these considerations, below is the template for subnetting each store’s /24:

VLAN #    FUNCTION    SUBNET          GATEWAY     HOST RANGE
VLAN 10   POS         X.X.X.0/26      X.X.X.1     .2 – .62
VLAN 20   WIRELESS    X.X.X.64/26     X.X.X.65    .66 – .126
VLAN 30   VOIP        X.X.X.128/26    X.X.X.129   .130 – .190
VLAN 40   CORPORATE   X.X.X.192/26    X.X.X.193   .194 – .254


This design will accommodate 62 POS registers, 62 wireless devices, 62 devices on the internal corporate network, and 62 devices on the VoIP network, all within a single /24.

So at the end of this setup we’ve set the stage for several things:

  1. We can summarize the entire address space with a single ACL statement: 10.100.X.X/12. For instance, if the internet connection at the Scottsdale data center fails, it is a simple matter of modifying a single entry to reroute traffic for all retail locations out of the Los Angeles data center. In fact, a clever admin could have IP SLA set up and/or floating static routes to automatically handle that failover.
  2. We’ve allowed each store to be easily summarized to a /24, and effectively used its space in an easily templatized manner.
  3. Because we have several VLANs at each store, we can treat respective traffic differently. We can prevent the POS subnet from accessing other stores on the MPLS cloud, while allowing the VoIP and Corporate subnets to not suffer this restriction. We can police & prioritize traffic relatively easily based on a device’s VLAN membership.
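As an added example (not code from the original post), the following Python script uses the standard library’s ipaddress module to carve a store’s /24 into the four /26 VLAN subnets of the template above and to check that a run of store /24s is covered by one aligned summary prefix. The store-number-to-/24 mapping is my assumption, since the post does not state one; note also that ipaddress snaps 10.100.0.0/12 to its aligned network, 10.96.0.0/12.

```python
import ipaddress

# Template from the post: VLAN, function, offset of the /26 inside the store /24.
STORE_TEMPLATE = [
    (10, "POS", 0),
    (20, "WIRELESS", 64),
    (30, "VOIP", 128),
    (40, "CORPORATE", 192),
]

RETAIL_BASE = ipaddress.ip_network("10.100.0.0/24")


def store_subnet(store):
    """Assumed mapping (the post does not spell one out): store N takes the N-th
    /24 above 10.100.0.0/24, so store 1 -> 10.100.1.0/24, store 300 -> 10.101.44.0/24."""
    if store < 1:
        raise ValueError("store numbers start at 1")
    start = RETAIL_BASE.network_address + store * 256
    return ipaddress.ip_network(f"{start}/24")


def carve_store(store_net):
    """Split one store /24 into the four /26 VLAN subnets of the template.
    Returns rows of (vlan, function, subnet, gateway, first_host, last_host)."""
    store_net = ipaddress.ip_network(str(store_net))
    if store_net.prefixlen != 24:
        raise ValueError("the template assumes exactly one /24 per store")
    rows = []
    for vlan, function, offset in STORE_TEMPLATE:
        net = ipaddress.ip_network(f"{store_net.network_address + offset}/26")
        hosts = list(net.hosts())  # the 62 usable addresses; the first one is the gateway
        rows.append((vlan, function, net, hosts[0], hosts[1], hosts[-1]))
    return rows


def summary_for(store_nets, prefixlen):
    """The single aligned prefix of the given length that contains every store /24,
    or None if they do not all fit. The /12 that holds 10.100.0.0 is 10.96.0.0/12."""
    first = store_nets[0].supernet(new_prefix=prefixlen)
    return first if all(n.subnet_of(first) for n in store_nets) else None


def stores_remaining(summary):
    """How many /24s lie between RETAIL_BASE and the end of the summary prefix."""
    span = int(summary.broadcast_address) - int(RETAIL_BASE.network_address) + 1
    return span // 256


if __name__ == "__main__":
    print("VLAN  FUNCTION   SUBNET              GATEWAY         HOST RANGE")
    for vlan, function, net, gw, lo, hi in carve_store(store_subnet(22)):
        print(f"{vlan:<5} {function:<10} {str(net):<19} {str(gw):<15} {lo} - {hi}")
    stores = [store_subnet(n) for n in range(1, 1001)]
    summary = summary_for(stores, 12)
    print(f"stores 1-1000 summarize to {summary}; room for {stores_remaining(summary)} /24s")
```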


DATA CENTERS

Next, let’s look at infrastructure VLANs: server, vMotion, storage, and management. Again, consistent and easily recognizable. If you see 10.220.100.18 in a syslog or event entry somewhere, you instantly know that this IP belongs to a server located in the Scottsdale data center. The separation of these functions allows you to treat each VLAN differently. Specifically:

  • Storage & vMotion traffic should never go across the WAN
  • IP based storage traffic can experience increased performance by using 9KB jumbo frames, especially if 10Gb is not yet installed and you must milk every ounce of speed that you can.
  • The management VLAN needs to function as a privileged network for the purpose of troubleshooting & diagnostics, and as such should not be subject to the same access lists and firewall rules as production networks. Furthermore, since this would also be used for monitoring, heavy amounts of SNMP and NetFlow are required. These can be isolated, and if necessary prioritized down so as not to interfere with network traffic that is business critical.


CORPORATE & BRANCH OFFICES

Lots of subnets here! As with the retail network, separation of these different VLANs allows different prioritizing and security filtering. And again, the management network is given more privileged access for the purpose of troubleshooting.

You should observe a few deliberate design choices right off the bat:

First, there is a correlation between the VLAN # and the third octet of the subnet. While this is not required, when dealing with a network this large, having consistency greatly simplifies the administration and maintenance.

Second, subnets and VLANs are aligned on the mask boundary: 4, 8, 16, etc. This allows for maximum agility. The design department right now is only using a standard class C mask. What if, for some insane reason, they hire another 100 designers? Or decide that every designer needs an additional workstation? Well, we have the space available. Simply go to your DHCP server and update the mask; you have plenty of room to grow. The same is true if you need to insert or subdivide a larger address space into a group of smaller subnets.

/!\SECRET TACTIC: There is a second reason for doing this, however it is far less known. Modern layer 3 devices are moving away from the classic RIB/FIB framework, and now compile their entries into specialized TCAM tables, each with an associated VMR (Value Mask Result). Thus, rather than robbing CPU cycles to perform a sequential lookup, parsing down multiple tables one entry at a time, these TCAM tables compare a packet to all their entries in parallel! However, like everything else in networking, they live in a binary universe. As a result, entries that can be easily written on binary borders increase the efficiency with which those entries are compiled into the TCAM tables. Much the same way summarization increases efficiency for the routing engine, TCAM tables aggregate entries for multiple scanning engines (routing, ACL, NAT, QoS, etc.). Consequently, having fewer entries means a smaller TCAM, which in turn means faster lookups. Thus it behooves us to utilize prefix alignment as we design our addressing space.
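An added example (not the post’s own code) of what mask-boundary alignment buys: the Python below, using the standard ipaddress module, reports how far a VLAN subnet can grow by changing only its mask, and counts how many prefix entries a set of /24s costs after aggregation. The VLAN numbers and subnets in the sample allocation are constructed for the example.

```python
import ipaddress

# Constructed allocation for the example: VLAN number -> current subnet.
# VLAN 16 and 20 sit on /22 boundaries, VLAN 32 on a /19 boundary.
ALLOCATED = {
    16: "10.10.16.0/24",   # Design
    20: "10.10.20.0/24",   # Finance
    32: "10.10.32.0/24",   # Engineering
}


def growth_limit(subnet, allocated):
    """Shortest prefix length the subnet can reach by changing only its mask.
    Each wider block must keep the same network address (so the gateway and the
    existing hosts do not move) and must not overlap any other allocated subnet.
    Once either condition fails, every wider block fails too, so we stop."""
    subnet = ipaddress.ip_network(str(subnet))
    others = [ipaddress.ip_network(str(n)) for n in allocated]
    others = [n for n in others if n != subnet]
    best = subnet.prefixlen
    for new_prefix in range(subnet.prefixlen - 1, 0, -1):
        wider = subnet.supernet(new_prefix=new_prefix)
        if wider.network_address != subnet.network_address:
            break  # not aligned: a wider mask would renumber the network
        if any(wider.overlaps(o) for o in others):
            break  # a neighbour already lives inside the wider block
        best = new_prefix
    return best


def entry_count(subnets):
    """Number of prefixes left after aggregation, i.e. how many lookup entries
    (routes, ACL lines, TCAM rows) a set of contiguous subnets costs."""
    nets = [ipaddress.ip_network(str(s)) for s in subnets]
    return len(list(ipaddress.collapse_addresses(nets)))


if __name__ == "__main__":
    for vlan, net in ALLOCATED.items():
        print(f"VLAN {vlan}: {net} can grow to /{growth_limit(net, ALLOCATED.values())}")
    aligned = [f"10.10.{n}.0/24" for n in range(16, 20)]   # 16-19: one /22
    shifted = [f"10.10.{n}.0/24" for n in range(17, 21)]   # 17-20: three entries
    print("entries for 16-19:", entry_count(aligned), " for 17-20:", entry_count(shifted))
```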

MPLS/BGP CORE

As I’m sure you remember from your CCNA, best practices recommend using a loopback interface as the source/destination for all your routing updates. I’m not going to elaborate on the pros & cons of doing so in this article, but let’s assume for now you’re going to employ this best practice. That being the case, each site’s MPLS router will have a single /32 address in this range, as per below:

SITE LOOPBACK IP
10 10.255.0.10/32
12 10.255.0.12/32
14 10.255.0.14/32
200 10.255.0.200/32
220 10.255.0.220/32
Store 22 10.255.100.22/32
Store 122 10.255.100.122/32
Store 222 10.255.102.22/32
Store 522 10.255.104.122/32


DMZ

Anything that is publicly accessible will go in this range. However, rather than a single dumping ground, it’s probably more prudent to subdivide it as necessary. With this range we can have 255 distinct class C subnets, which should be more than adequate. To keep management as simple as possible, we can correlate the VLAN with the subnet.

Ex)

Email               VLAN 808 – 172.22.8.X/24

eCommerce    VLAN 820 – 172.22.20.X/24

CLAIMING VICTORY

As you can see, having the design laid out before you allows for more thorough comprehension of how to tackle such a daunting task. Not all networks are the same, and there is no one plug & play solution. Take this exercise and experiment with it; modify it to fit your existing network.

The hope is that by understanding the methods you can take this process of analysis, compare it to whatever infrastructure is laid before you, and still meet the objectives that are desirable from all networks:

  • Scalable – a network that can grow with your business without the need to be completely restructured
  • Flexible – a network that is agile enough to adapt to changes in the business, as well as the infrastructure
  • Manageable – a consistent, transparent network that is no more complex than it needs to be

As I said earlier in this article, I’ve wanted to write on this topic for some time. I spent a good hour googling for relevant articles; and while I found some decent tutorials on TCP/IP in general, I found nothing that would help an up & coming jr. network administrator design an address space for a large enterprise-class network.

I hope this has been helpful in your fight against the forces of darkness (and incompetence).

Thanks for reading!

Jedi…out

The Rockstar Within

Posted: February 19, 2013 in Battle Scars & Rants

There are two types of leaders in this world, be it finance or football, cyberpunk or cyber war.

1) Those that are motivated by fear, that move at a cautious pace, and whose number one goal is not to interrupt the status quo.

2) And the second type, visionaries; those that are driven by opportunity & change.

The failure I see in most organizations is too much of one and not enough of the other. Too much blind idealism and you end up with a dozen half-completed projects, with poor or non-existent interop, constantly crashing and frustrating both their user base and their support staff. Too much fear, and you’re running your enterprise on a couple hundred power hungry 4U Windows NT PowerEdge 6800s, all using local storage. (Don’t laugh, they still exist!)

As IT leaders, you are rock stars. Period. And your user base = your fan base.

Play out of key, miss a gig, get arrested for a dead hooker in the trunk of your car, and suddenly –that- is what you’re known for. Not the 5 albums that went triple platinum. Not the singles still being played on the radio. Not all the charities and functions you’ve donated your money, and even more valuable, your TIME to.

You are now just your latest failure.

Unfair? Duh! Just be glad you’re not a stock broker: an entire mass psychology machine that makes & breaks hundreds of millions, quite literally, overnight.

Our job as IT is now evolving beyond just connecting laptops and iPads; beyond email servers & firewall filters. We are the ones companies go to when they can’t figure something out.

Something, anything. When did IT become responsible for power & airflow? But go ahead, tell your boss “Uh, sorry my MCSE and Bachelors in Business Administration, yeah they didn’t cover that.”

We exist because, whatever it is, from big data and private clouds to smartphones on steroids…we figure it out. We ingest technology, deconstruct complex systems, untangle the abstract, and make it real, and usable, and ultimately, profitable. (Although there are many arguments to be had on whether flexible, feature-rich business intelligence directly correlates to strategic profitability, or whether it’s just a commodity we can take for granted…to which I say “Shut up foo! And don’t quote me no damn ‘IT Doesn’t Matter’ bullsh!t”)

IT matters and it matters most. I don’t care if you sell socks or send satellites to the moon, IT is your right hand. We’re the armor a soldier wears into battle. We’re the tools your sales team needs to close that deal. We’re the bouncers protecting your night club. We’re the gas in your car and the condoms in the bedroom drawer.

It’s quarter end, and you need to run a report showing gross sales, hardware depreciation, operation hours, support hours, manufacturing & distribution resources, power used & consumed in the manufacturing process, cardboard used in the packaging, ink used to make it pretty…

25 years ago, what would you do? You’d call up Agnus and Betty, have them pull your file cabinet down, get every scrap of paper, and over the course of 2-4 weeks, you’d have your report.

Business leaders now have that in real time.

Take a step back and ponder with the jedi, REAL TIME.

Would ANY of that be possible without IT? Would you be able to pull out your iPhone, VPN to your corporate LAN, pull up your doc portal, download your latest accounting spreadsheet and have it in your hot little hands all before the plane taxis for takeoff?

Of course not.

Duh again.

But your CFO isn’t thinking about this. He’s thinking he’s paying $200/sq foot for your 10Gb core switch and your Cisco UCS, but in the end, wasn’t VDI his boss’s idea?

Ok, so what do we do about this? How do we get money for our projects and show we have value? That we’re not just some necessary evil to shove into the basement and reach out to when email is down?

More to the point, how do we advertise our potential to be strategic for the business?

YOU! Get off your butt, out of your chair, abandon the cube, evacuate the data center, exodus the IT bubble and create your market.

Learn your business. Learn the names of managers and directors that head the various departments. Ask about their pain points, listen to their ambitions, understand their problems and help to fix them. In smaller companies, you may have a direct line of communication to C-level execs. If so, great, but it is not essential. Start with middle management. Advocate not only for yourself, but for your department…your profession.

And let me tell you, these problems will not be easy or simple. The solutions will not be apparent. They will absolutely involve skills you don’t yet have, technologies you’re unfamiliar with, and parts of the business itself that you were previously unexposed to.

It will take hundreds of hours of research and analysis.

But now you’re more than the guy they call when they want a new laptop. You’re now ingratiating yourself into your environment, showing value and literally creating your own demand.

You’re converting a user base into a fan base.

Let me tell you, do this 2 or 3 times…if you didn’t know your CFO before, you will now.

And for the record, you don’t need to be a CIO or VP to be an IT leader. Your mental prowess, your ability to understand the business and architect relevant, applicable solutions, and to communicate this to the departments around you…THAT is what makes you an IT leader.

Literally creating your own position.

FINAL THOUGHTS

I’m not known for my subtlety or euphemistic explanations. So, what if you go through with this exercise several times, expand your horizons, improve the business processes of 2 or more departments, and at the end of 2 years, find yourself getting no notice or appreciation? Well first give yourself a minute to vent (kick the wall, punch a server), and after a couple deep breaths, take it for the learning experience it was. What you’ve learned, what you’ve accomplished…no one can take that away from you. So go update your resume (maybe grab a cert or 2 in the process), and put yourself back on the market.

It’s time to move on. Your skills and intelligence are being wasted in your current position; so step out into the unknown and find a place that will fully utilize your potential.

You’ll have a dozen calls in the first 3 weeks.

– Jedi….out

“The network is protected by a firewall; isn’t a firewall enough?”

While a firewall is a critical component of a secured network infrastructure, it only examines individual packets in isolation. The benefit of an IPS/IDS is that it can scrutinize the comprehensive behavior of a network attack spread out over dozens, even hundreds, of individual packets.

A real world comparison would be the security guard at the entrance to a building. The guard checks each person’s ID before allowing or denying access to the building. This guard would certainly be effective against a majority of villains; however, imagine a scenario where a team of attackers legitimately enter the building, all at different times, and then coordinate their attack once safely inside.

The guard at the front door would be completely ineffective against this type of attack. What’s required to defend against such tactics is a second security guard who monitors the video feeds of multiple security cameras placed at key locations throughout the building. In the scenario above, these seemingly legitimate persons are now seen exhibiting suspicious behavior; for example, all of them taking the service elevator and rendezvousing just outside the datacenter in the basement.

The point being that while a firewall is a critical layer in a defensive architecture, it is simply not designed to detect more complex attacks.

IPS VS IDS

Short for Intrusion Prevention System and Intrusion Detection System, respectively. At a high level, what differentiates the two is how they’re implemented in a network.

Intrusion Detection’s primary function is to alert on suspicious activity. It does not sit in the path of inbound/outbound traffic like a firewall, but rather is placed to the side, where traffic that traverses the network’s core is replicated out of a “span port” and fed to the IDS. The main disadvantage of this model is that if suspicious activity is detected, it cannot be effectively prevented. The best a deployment such as this can do is respond with TCP resets for any malicious connections. However, this is not an efficient mechanism, and an IDS unit can quickly become overwhelmed. Furthermore, the replication of all traffic to the “span port” places a significant burden on core switch resources.

Intrusion Prevention, on the other hand, is effective at both detecting and blocking network attacks. The primary difference is that an IPS sits inline, directly in the path of traffic entering and leaving the protected network. Because of this, malicious traffic can be dropped before entering the network’s perimeter, and because it sits inline, there is no need to burden core switches with the task of replicating “span port” traffic. Additionally, it can still function as an IDS by sending alerts only, without acting on any traffic it inspects.

IMPLEMENTING

Implementing an IPS is not an arbitrary task. Because of the complexity of the analysis, it’s important to first establish a baselining period, to properly differentiate attack traffic from legitimate traffic. This essentially involves a period of monitoring & adjustment, during which the number of “false positives” can be minimized.

A false positive is the misidentification of legitimate network sessions as attack traffic. It’s easy to see how disruptive this could be for a production network: the IPS blocking communication that is critical for business applications to run.

That is the reason for this preliminary monitoring phase; alerts generated by the IPS unit must be carefully examined and signature actions adjusted accordingly.

WHAT TO SCAN FOR?

From a high level you have to identify potential threats and correlate them to applicable vulnerabilities.

A threat is essentially a network attack. Viruses, Denial Of Service, SQL Injections are all examples of threats.

A vulnerability is a point of weakness that allows a particular attack to succeed. Protocols such as TCP and HTTP have multiple vulnerabilities. Operating Systems like Linux and Windows also have vulnerabilities. Some of these vulnerabilities can be mitigated with security updates or specific configuration settings, but the reality is not all of them can be fixed. These vulnerabilities are sometimes inherent to the technology and a fix isn’t always feasible.

The correlation of vulnerability to threat is a critical step in implementing an effective IPS solution. For example, is it necessarily a point of concern that your logs show a high amount of attacks that target HTTP and IIS? Well, that depends; if you’re running Postfix on a Linux server, then those attacks clearly aren’t as relevant.
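An added example (not from the original post) of the baselining and correlation steps in code: a small Python tuning pass that classifies IPS alerts against an asset inventory and signature metadata, separating hits that cannot succeed on the targeted host from hits that can, and flagging the noise a known internal baseline scanner generates. The alert layout, addresses, signature ids and inventory are all constructed for the example and do not represent any vendor’s log format.

```python
import re
from collections import Counter

# Constructed sample alerts in a simplified key=value layout (not a real vendor
# format). Timestamps, signature ids (sid) and addresses are all invented.
SAMPLE_ALERTS = """\
2013-02-19T10:01:02 sid=2001 name=IIS_UNICODE_TRAVERSAL src=203.0.113.7 dst=10.220.101.10
2013-02-19T10:01:09 sid=2001 name=IIS_UNICODE_TRAVERSAL src=198.51.100.4 dst=10.220.101.30
2013-02-19T10:02:41 sid=2001 name=IIS_UNICODE_TRAVERSAL src=198.51.100.4 dst=10.220.101.20
2013-02-19T10:05:00 sid=2002 name=HTTP_SQLI_UNION src=10.220.100.18 dst=10.220.101.20
2013-02-19T10:05:03 sid=2002 name=HTTP_SQLI_UNION src=10.220.100.18 dst=10.220.101.30
2013-02-19T10:07:15 sid=2003 name=SMTP_VRFY_PROBE src=203.0.113.7 dst=10.220.101.10
2013-02-19T10:09:30 sid=2004 name=SMB_NULL_SESSION src=203.0.113.7 dst=10.220.101.10
2013-02-19T10:09:31 sid=2004 name=SMB_NULL_SESSION src=203.0.113.7 dst=10.220.101.99
"""

# Constructed inventory of protected hosts: what each one actually runs.
ASSETS = {
    "10.220.101.10": {"os": "linux", "services": {"smtp", "postfix"}},
    "10.220.101.20": {"os": "windows", "services": {"http", "iis"}},
    "10.220.101.30": {"os": "linux", "services": {"http", "apache"}},
}

# Constructed signature metadata: which service the attack needs on the target.
SIGNATURES = {2001: {"iis"}, 2002: {"http"}, 2003: {"smtp"}, 2004: {"smb"}}

# Constructed: the internal vulnerability scanner that runs during the baseline.
BASELINE_SOURCES = {"10.220.100.18"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sid=(?P<sid>\d+) name=(?P<name>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


def parse_alerts(text):
    """Parse the key=value alert lines; lines in any other layout are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["sid"] = int(rec["sid"])
        alerts.append(rec)
    return alerts


def classify(alert):
    """Correlate one alert with the asset it targeted."""
    if alert["src"] in BASELINE_SOURCES:
        return "baseline-noise"        # our own scanner tripping the signature
    asset = ASSETS.get(alert["dst"])
    if asset is None:
        return "unknown-asset"         # inventory gap: cannot judge relevance
    needed = SIGNATURES.get(alert["sid"], set())
    if needed and not (needed & asset["services"]):
        return "not-applicable"        # e.g. an IIS exploit aimed at a Postfix box
    return "relevant"


def tuning_report(alerts):
    """Per signature: how its hits classify, and the action the baseline suggests."""
    per_sig = {}
    for a in alerts:
        per_sig.setdefault(a["sid"], Counter())[classify(a)] += 1
    report = {}
    for sid, counts in sorted(per_sig.items()):
        total = sum(counts.values())
        if counts["relevant"]:
            action = "drop"            # at least one hit could succeed: keep blocking
        elif counts["baseline-noise"] == total:
            action = "exclude-source"  # only our scanner fires it: exempt the scanner
        elif counts["not-applicable"] == total:
            action = "alert-only"      # never applicable here: keep visibility, stop blocking
        else:
            action = "review"          # mixed with unknown assets: fix the inventory first
        report[sid] = {"counts": dict(counts), "action": action}
    return report


if __name__ == "__main__":
    for sid, entry in tuning_report(parse_alerts(SAMPLE_ALERTS)).items():
        print(sid, entry["action"], entry["counts"])
```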

FINAL THOUGHTS

Again, because of the nature of network security, implementing an IPS is not a “plug & play” solution. Technology evolves, threats evolve; you don’t simply lock the front door to your house and never return, naively assuming all will be well. The same is true for networks. Once the IPS is properly set up, it must be monitored on a daily basis to ensure not only that it is effectively securing the customer’s network, but that it is operating correctly and not prohibiting legitimate business applications from running.

ISR’s IOS firewall vs ASA

Posted: September 23, 2010 in Network Security

In the IT industry, some of the most common debates among technology professionals are Mac vs PC, Linux vs Everything, Nvidia vs ATI, Intel vs AMD, and ASA firewall vs IOS’s firewall.

Other than money, the decision for the most part depends on the engineer’s philosophy. Some prefer to have a single device do their routing and their security, while others prefer to have dedicated security devices. This reasoning, however, does not really determine what the “best” solution for your network is.

Since IOS 12.4(9)T, IOS routers support Zone-Based firewalls, as opposed to the previous CBAC, which worked with deny-all ACLs in which CBAC opened temporary holes based on inspection rules. Because of this, the ~features~ offered by the IOS are just as rich as those offered by the ASA. One difference is that the IOS router starts out by allowing all traffic [on your untrusted interfaces], whereas the ASA starts by denying all traffic. Consequently you have to configure the actual hardening of your IOS router yourself. I will say the ASA typically offers faster performance, but that’s partially because the ASA is sort of a one-trick pony and not doing any dynamic routing.

One advantage of the ASA is that it can operate in Transparent mode, in which the firewall essentially acts as a Layer 2 bridge and is not seen as a router hop in the network path. This simplifies deployment, since there are no routing patterns to adjust and no complicated NAT configurations to set up. It also obfuscates the firewall’s presence.

The 800 series routers offer 3G cards, and as such typically make for better branch office solutions than an ASA 5505. This incorporation of 3G cards offers better fault tolerance if your main connection fails, and to date there are no ASA models that have integrated 3G. Both allow for High Availability clusters; however, this only addresses the failure of the device itself, not the loss of service provider connectivity. [Which is something we all know: 90% of the time, the problem is with the ISP, not the device.]

When deploying for large corporate networks, with multiple sites that are networked together, I think one of the main things to consider is the complexity of the VPN features desired. The ASA’s feature set is relatively limited in this respect. If you want to leverage more advanced features like DMVPN or GET VPN, an IOS router is your only option. Of course, by default the ASA performs a little faster on VPN tunnels, but if you need a boost to VPN performance, you can install one of the AIM-VPN boards and get a significant increase in the number of IPSec tunnels and/or SSL sessions. For example, on an 1841 the datasheet says about 800 tunnels and on a 2800 about 1500 tunnels. More info here:

http://www.cisco.com/en/US/partner/prod/collateral/routers/ps5853/data_sheet_vpn_aim_for_18128003800routers_ps5853_Products_Data_Sheet.html

If you’re looking for IPS, either platform will serve your needs: IOS routers have IPS AIM and IPS NME add-on boards, and these will dramatically increase inspection performance over just using the router’s resources. I believe the stats show the AIM @ 45 Mb/s and the NME @ 75 Mb/s w/ about 3000 signatures. If you’re setting up a branch office or smaller office, yet you want the advanced analysis offered by IPS, then the IOS Router is the less expensive solution. For an ASA you must purchase an AIP module to do Intrusion Detection/Prevention; however, an IOS router with the Advanced IP Services image can make use of the software-based IPS built into the image. The number of simultaneous inspections that can be performed depends on the DRAM installed in the router. For 128MB you use the 128MB.SDF signature file, which supports 300+ signatures. For 256MB, you use the 256MB.SDF signature file, which supports 500+ signatures. Now this is a far cry from the thousands of signatures offered by the AIM or AIP hardware, but it does offer a bit more intelligence than a standard firewall.

http://www.cisco.com/en/US/partner/prod/collateral/routers/ps5853/ps5875/product_data_sheet0900aecd806c4e2a_ps2641_Products_Data_Sheet.html

http://www.cisco.com/en/US/prod/collateral/routers/ps5853/ps5875/prod_presentation0900aecd806ccf26.pdf

SO IN CONCLUSION.

If you’re looking for an appliance to just do traffic inspection, predominantly for a web DMZ or publicly accessible network, probably the ASA is your best bet. If however you have a highly decentralized -internal- network where branch offices frequently talk to each other, then you would benefit from something like DMVPN, thus your deployment would be greatly simplified using something like a 2800 running IPSec SSO w/ the AIM-VPN card.

As a matter of personal preference, I find myself moving away from the philosophy of this specialized device for routing and this specialized device for security. I prefer to simplify my deployments, and believe me w/ NAT, VPNs, Firewall, IPS, having an ASA sitting behind your border router…it can add a significant amount of complexity to your design…and ultimately, your troubleshooting.

So what is our topic for today? Cisco S.M.A.R.T. Designs.

As CCNAs or SMB Engineers, you probably understand how to implement Cisco’s various technologies & solutions. Whether researching from old textbooks or online documentation, things such as creating an IOS firewall that blocks a certain URL or P2P app, or assigning 20% of an interface’s bandwidth to a priority traffic class…these individual tasks are either already known to us or easily researched. All day long we can create extensions and voicemail inboxes and auto-attendants and call routing. In our sleep we can add wireless APs with restricted guest VLANs [for those naughty downloads everyone denies knowing -anything- about].

But there are some things that this knowledge does not offer us, and just because we understand the individual processes doesn’t necessarily equate to understanding all of these individual configurations interoperating in a single fluid organism. [I.e. I understand she’s hot, I understand how I want to “configure” her, but do I understand all the steps involved in making her say “yes”? Hmm?]

Securing a single office’s perimeter network is a fairly straightforward endeavor.

Securing a multi-site network with converged voice and data traffic across both wired and wireless mediums…another matter entirely. I’m sure we all remember our first experience configuring VoIP over wireless. [Incidentally, my first time I mistakenly added a preconfigured 3550 running in VTP Server Mode to an existing network, spent HOURS troubleshooting the ASA, until I finally realized, wow, why is there now only VLAN 1?]

In a nutshell, the problem we’re looking at is network design, which goes beyond just individually configuring a collection of network devices. We must now ask ourselves more than just “how do we configure this one task?” and more importantly, we must understand WHY.

“Why is the only real source of power, without it you are powerless”

-Merovingian, The Matrix Reloaded

You don’t want to be powerless with our customers, do you? I thought not. So…why do we need so many VLANs for a wireless network? Why do I need a guest VLAN? Why are we creating so many classes of network traffic? Why are we using SSL VPNs instead of IPSec?

Well, you have a few choices on how to deal with the dilemma of power:

1. You could spend countless hours googling the night away, accelerating yourself into a minor stroke.

2. You could spend 9-12 months studying to become a Cisco Certified Design Professional.

3. You could read a 50 page document that answers these questions, point-blank, targeted directly at Cisco’s SMB product line, and further elaborated with specific examples that are appropriate for an array of scenarios.

Considering I’m rapidly approaching my 40’s and have ambitions of actually –enjoying- a girlfriend’s company [crazy notion I realize], the choice for me is obvious: download the SmartDesign documents and enjoy one of the rare moments in life when, yes, I can actually have INSTANT gratification.

See for yourself what SMART Designs guides have to offer:

http://www.cisco.com/cisco/web/solutions/small_business/programs_promotions/smart_design.html

Noteworthy Downloads

  • Small Business Pro Foundation 1.1 – Design Guide (Network Foundation)
  • Secure Network Foundation 2.5 – Design Guide
  • Smart Business Communications System 2.0 – Design Guide
  • Wireless LAN 2.0 – Design Guide

Welcome Padawans

Posted: April 8, 2010 in Battle Scars & Rants

…to the Cisco Jedi’s blog.

On this most glorious of Internet diatribes, shall you be privy to the rants, ravings, incessant monologues, and other such technology-focused editorials where I choose to expound on everything from authentication to VoIP to wireless to QoS. Moments of the jedi’s most embarrassing blunders and flawless victories of absolute brilliance.

And yes, I usually refer to myself in the 3rd person. My ego demands its own identity 🙂 …but who in IT is any different? We all know that it is truly us, the benevolent wireless warriors and network ninjas, that keep the world running.

Introductions

*Bows cordially*

I am the CTO/President of Katana InfoTech, a SoCal-based technology solutions consulting firm, focused on small & medium businesses.

I have been in the IT industry since 1999, when I first worked for a recording studio in Hollywood. I set up a real-time mp3 encoder for voice actors’ lines to be transmitted over an ISDN connection to branch studios in NY, Canada, or any other 3rd party with an internet connection and an mp3 converter. I networked their Macintosh Pro Tools systems together, set up an audio file server, and organized their backup. Tragically, not what I went to college for; my bachelors is in audio engineering. However, the demands of that industry called for someone to recognize the lack of efficiency, aggressively research technology solutions, and be adaptable enough to change roles as the job needed.

I was 22 years old at the time and I drastically increased their efficiency.

  • Since then I’ve worked in numerous capacities in IT ranging from phone support, to system administration, to network engineering, to information security
  • I’ve taught classes for Geek Squad techs, Merchant Marines, and AT&T employees
  • I’ve brought several startups from an abstract concept of what they ~think~ they want, to fully functioning, highly available information infrastructures
  • I’ve written corporate security policies, as well as organized incident responses to security breaches & handled all system forensics for said incidents.

The forces of darkness do not stand a chance on my network

-Jeremy NeeDLE – Administrator, Jedi, Diabolical Genius