Monday, February 28, 2011

Juniper Stratus Debuts as QFabric

For the last three years, Juniper has said it was working on Project Stratus, a new data center fabric for cloud computing designed to reduce network layers and complexity. Today, Juniper took the wraps off Stratus, which will be productized as "QFabric." The QFabric effort involved $100 million of investment and resulted in over 125 filed patents.

Juniper CEO Kevin Johnson explained during a QFabric launch event that in traditional network architectures, each layer of a network requires some processing before a packet is transported. The QFabric approach is different.

"We process once and we transport to any," Johnson said. "By doing that what we're able to provide are significant benefits in the areas of scalability, speed and performance."

Pradeep Sindhu, founder and CTO of Juniper noted that QFabric involves silicon, systems and software in order to collapse network layers. From a network topology perspective, Sindhu noted that QFabric enables a network to look like a single flat switch that can then be more easily managed and provisioned.
"QFabric looks like a single large flat logical switch and a single switch that has industry standard interfaces," Sindhu said. "What the single large switch enables is full resource pooling as well as partitioning of resources for organizational purposes."

David Yen, an executive vice president at Juniper, explained that QFabric enables an any-to-any non-blocking architecture that has a one hop capability from any resource to any other resource on the network. Yen noted that with QFabric, cross data center latency can be as low as 3.71 microseconds. He added that, since QFabric is essentially a single switch, it can be managed as such, requiring less overall administration.
QFabric is a competitive approach to other efforts to flatten network architectures. Earlier this week, Avaya threw its hat in the ring with the 802.1aq Shortest Path Bridging standard. Rival networking vendor Cisco has been supporting the TRILL (Transparent Interconnection of Lots of Links) standard as part of its FabricPath technology.

Yen noted that QFabric does not use Shortest Path Bridging or TRILL. Yen said those technologies add complexity.

"Cisco's standards-based architectural approach combining unified computing, a unified fabric, and unified network services provides a stronger foundation than fragmented point-product approaches," John McCool, senior vice president and GM, data center, switching and services group at Cisco, said in a statement emailed to InternetNews.com.

The QFabric solution involves three core components. The QFabric node is the outer layer and it contains the logic to forward packets from one node to another. Nodes also form the distributed control plane for QFabric. The QFabric Interconnect is the mechanism which allows packets to flow from the ingress to the egress point on the switch. Finally there is the Director component which is what enables QFabric to be viewed and managed as a single switch.

"QFabric allows all the compute and storage resources in the data center to be tied together into a single system," Yen said.

The first QFabric product that Juniper is shipping is the QFX3500, a 64 port 10 GbE switch that also has Fibre Channel capabilities. Yen said the QFX will ship in the third quarter of 2011.

[Video] Inflection Point In the Data Center - Pradeep Sindhu, founder and CTO of Juniper Networks, discusses the inflection points in the data center and the potential of QFabric.

Cisco Drops Cloud E-Mail Service

 
Cisco Systems announced it has ended its Web-based e-mail service, Cisco Mail, after struggling for 13 months in the enterprise market.

"The product has been well received, but we've since learned that customers have come to view their e-mail as a mature and commoditized tool versus a long-term differentiated element of their collaboration strategy," wrote Debra Chrapaty, SVP and GM of Cisco's Collaboration Software Group, in a blog post. "We've also heard that customers are eager to embrace emerging collaboration tools such as social software and video."

Cisco introduced Cisco Mail in November 2009 to give its enterprise base the option of outsourcing e-mail hosting responsibilities. But it suffered from the steady growth of another cloud-based enterprise service launched two years earlier, Google Apps. Google Apps bundles e-mail, calendaring, and other productivity tools, along with 25GB of storage per employee, for $50 per user per year. In recent months Google secured Virgin America and the U.S. General Services Administration as clients.

In October, enterprise software leader Microsoft unveiled its own cloud computing bundle, Microsoft Office 365, which integrates Microsoft Office, SharePoint Online, Exchange Online, and Lync Online.
A Gartner analyst said Cisco invested $250 million in its first hosted e-mail product.

"Cisco's failure, after investing US$250 million, demonstrates the challenge of penetrating a mature market, and the difficulty in delivering a complex and demanding cloud-based application service," Matthew Cain, vice president and lead e-mail analyst at Gartner, wrote in a research note obtained by PCWorld.

Saturday, February 26, 2011

Top 10 cloud computing providers of 2011


#10 Joyent

Joyent kept a spot in the top 10 by releasing its platform software and forming a partnership with Dell to sell pre-configured cloud infrastructure packages.

It's a nice way to push the model -- use the Joyent service, or build your own if you like the technology but not the public option. This may be the direction the market is headed, as more and more businesses want to adopt cloud computing within their infrastructure.
http://www.joyent.com/

#9 Microsoft

Microsoft is on a bit of a downward spiral. While the software giant has made a song and dance about its Azure cloud service, claiming 31,000 companies are customers, we’ve yet to see any significant traction among enterprise IT developers. Web companies, mobile companies, tech and social networking firms use it, sure, but so far there’s no standout among traditional enterprises.

Meanwhile, Microsoft’s cloud business is in turmoil, as Steve Ballmer has purged many of the company's key leaders. Software architect Ray Ozzie is out. Bob Muglia and Amitabh Srivastava from Server and Tools (and Azure) have left. Dave Thompson (Office Online, Office 365) is gone.

Now at the helm is veteran Satya Nadella, who ran Microsoft’s unremarkable ERP and CRM efforts. These people didn’t fail -- they built everything Microsoft can legitimately call "cloud" -- but they’ve been cut loose before their work had a chance to prove itself.
http://www.microsoft.com/en-us/cloud/default.aspx

#8 Bluelock

Our first new entrant on the list, BlueLock is a small-scale provider that's been a key testbed for VMware's vCloud Express. It even pioneered a tool to help customers get out of their ESX bubbles and mix in vCloud resources, something VMware hadn't been able to do. BlueLock's Indiana facilities should soon become a major local employer, as it's now a key VMware/VCE provider and likely to see continued growth.
http://www.bluelock.com/


#7 Google

Google App Engine has won lots of business among Web, gaming and mobile companies -- much like Microsoft Azure -- but similarly has yet to make any impact among enterprise developers. We talked to the GAE team recently and they are working on adding features, including an SLA and a hosted SQL service that Google hopes will attract the enterprise developer audience.

The company is also reportedly hiring 6,000 warm bodies in 2011, most likely to supply that crucial enterprise support Google has so notably lacked. Can’t win the cloud with foosball and beanbags, kids; put your big-boy clothes on and get ready for real customers. The race is on with Microsoft!
http://code.google.com/appengine/


#6 Rackspace

Even though Rackspace fell in the ranks from last year's list, it's still the number two cloud provider after Amazon in terms of revenue. It might even be coming close in terms of its user base, a remarkable feat.

But aside from the feel-good soft launch of OpenStack last year, it's still business as usual. The company hasn't made any major renovations to the service, something that may change as Rackspace absorbs cloud management technology firm Cloudkick.
http://www.rackspace.com/cloud/

#5 CSC

Our second new entrant on the list is CSC. The IT integrator and service provider has cooked up an interesting private cloud service called BizCloud. The company will wheel VCE -- the giant cloud-in-a-box system from VMware, Cisco and EMC -- into your IT shop. Ten weeks later, it will be integrated into all your messy, legacy IT systems, turning on Infrastructure as a Service. CSC then manages your hardware; for extra capacity, you can hook into a public cloud service, also running on VCE.

CSC points to the trend of enterprises looking for practical ways to use (and get to) cloud computing; the company also performs massive-scale integrations with Google Apps and other Software as a Service players. As a bridge to the cloud for many enterprises, CSC is on the front lines and on our top 10 list.
http://www.csc.com/cloud


#4 Salesforce.com

Salesforce.com maintains a spot in the top five, thanks to its acquisition of Heroku. The company singlehandedly forced its way into the Platform as a Service market with this buy, and it will give them legs to hit customers not interested in the patented "Salesforce.com maximum lock-in" feature offered on Force.com and their CRM platform.

The Software as a Service market is rapidly coalescing into a mature, well-defined space; props to Salesforce.com for grabbing on to something that keeps it relevant going forward.
http://www.salesforce.com/

#3 IBM

New to the list is IBM with its Smart Business Test and Development Cloud. While Big Blue might be lugging a hundred years of IT baggage, it has finally launched Infrastructure as a Service, although initially just for test and development purposes.

Despite its convoluted, muddled strategy in the cloud market, the Test and Dev service is winning enterprise business, which after all is IBM’s meat and potatoes. IBM reportedly earned $30 million in cloud revenue last year; few others have the scale of the enterprise user base to ramp up that fast.
http://www.ibm.com/ibm/cloud/


#2 Verizon/Terremark

Charging into the number two position on our list is Verizon. The telco giant had previously built its own cloud; high-quality stuff but with a commensurate price. The Four Seasons of cloud, if you will: snooty service, small menu, long waits for a reservation and eye-watering bill. It was a test run, and apparently Verizon decided it needed some expertise instead of re-inventing the wheel.

Verizon then bought Terremark, much as you or I would buy a coffee and a bagel. Not only is Terremark one of the premier Tier 1 hosters in the world, it's also a cloud supplier to the coveted enterprise market, effectively moving Verizon into the top ranks.

Bigger than almost any competitor and with all the pipe in the world (literally), Verizon could be the King Kong of cloud. We’ll see if they can make it work or if Terremark Cloud is doomed for post-acquisition mishandling.
http://www.verizonbusiness.com/Medium/solutions/cloud_services/

#1 Amazon

For the second year in a row, the king of cloud is still Amazon Web Services. No other company has come close to the cloud-based innovation AWS provides.

Even Eli Lilly taking some of its business elsewhere ended up doing AWS a favor. Since that debacle over SLAs, Amazon has stepped up its support and now offers a premium "white glove" service that routes your call to the nearest engineering specialist.
http://aws.amazon.com/


#Honorable Mention - NephoScale

NephoScale is a cloud startup that’s going old school by building out its own data center and selling on demand, like Amazon Web Services or Rackspace. That’s a gutsy move when Amazon is profitable enough to cut prices on a whim. Let us know how it works out, guys.

http://www.nephoscale.com/ 

CCIE Notes - ISIS


Intermediate System (IS) is the terminology used to describe a router.

IS-IS does not use IP addresses to identify each IS.  Rather, OSI CLNS addressing is used.

Fundamentally, IS-IS does not run over IP.  Rather, IS-IS uses its own Layer 3 headers and is carried directly over the data link layer.

CLNS (Connectionless Network Service) is a network layer protocol like IP.  CLNS history comes from the 1980s, when it was still unclear whether IP or CLNS would become the de facto internetwork protocol.
In the 1980s it was common for networks to carry both OSI CLNS and IP application traffic.  Therefore, IS-IS was enhanced to be a single routing protocol that could support CLNS and IP concurrently (Integrated IS-IS).  IS-IS is open, flexible, extensible, and scalable.

Because IS-IS is not tied to IP, it can easily be used for non-IP applications, such as Layer 2 routing implementations, for example Cisco OTV and Cisco FabricPath.
CLNS addressing as the IS-IS router uses it is called the NET (Network Entity Title).  A NET is an NSAP whose last byte, the selector (NSEL), is 00:

AREA (everything before the last 7 bytes) : SYSTEM ID  (6 bytes) : NSEL (1 byte)
Example:   49.1111.1000.1000.0001.00
AREA = 49.1111
SYSTEM ID = 1000.1000.0001
NSEL = 00

The SYSTEM ID must be unique within an AREA (and, for Level 2 routers, across the whole Level 2 domain); in practice keep it unique across the entire network.
The NSEL identifies the upper-layer process the NSAP addresses.  To address the IS-IS routing process on the router itself the NSEL is 00, which is what makes the address a NET rather than a general NSAP.  The NSEL is analogous to the protocol number field in the IP header.

Two routers in the same AREA are considered intra-area and will form an L1 (Level 1) adjacency.

Two routers in the same AREA will form only a Level 2 adjacency if either side's interface is explicitly configured for Level 2 only.

Two routers in different AREAs are considered inter-area and will form an L2 (Level 2) adjacency.

Two routers in different AREAs cannot form a Level 1 adjacency.

By default, two Cisco IOS routers in the same AREA will form both L1 and L2 adjacencies, unless their interfaces are configured otherwise:

interface serial 1/0
isis circuit-type {level-1 | level-1-2 | level-2-only}
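The NET layout and the adjacency rules above are easy to get wrong by hand, so here is an added example (not Cisco code and not part of the original notes) that parses a NET into area, system ID and NSEL, rejects a NET whose selector is not 00, and decides which adjacency two routers can form given their IOS circuit types. The loopback-to-system-ID mapping (10.1.1.1 becomes 0100.0100.1001) is a common operator convention, not a protocol rule; everything else follows the notes.

```python
"""Parse IS-IS NETs and work out what adjacency two routers can form.

Added example for this page (not Cisco code). It models the NET format and
the L1/L2 adjacency rules from the notes above; the circuit-type names are
the Cisco IOS keywords and the loopback-to-system-ID mapping is a common
convention, not a protocol requirement.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Net:
    area: str       # AFI plus area ID, e.g. '49.1111'
    system_id: str  # 6 bytes, e.g. '1000.1000.0001'
    nsel: str       # selector byte, '00' for a router's own NET


def _dotted(hexdigits, group=4):
    return ".".join(hexdigits[i:i + group] for i in range(0, len(hexdigits), group))


def parse_net(net):
    """'49.1111.1000.1000.0001.00' -> Net('49.1111', '1000.1000.0001', '00')."""
    digits = net.replace(".", "")
    try:
        int(digits, 16)
    except ValueError:
        raise ValueError(f"NET is not hex: {net}") from None
    # An NSAP is 8..20 bytes: area (1..13) + system ID (6) + NSEL (1).
    if len(digits) % 2 or not 16 <= len(digits) <= 40:
        raise ValueError(f"NET has a bad length: {net}")
    nsel, sysid, area = digits[-2:], digits[-14:-2], digits[:-14]
    if nsel != "00":
        raise ValueError(f"a router NET must end in selector 00, got {nsel}")
    area_text = area[:2] + ("." + _dotted(area[2:]) if len(area) > 2 else "")
    return Net(area_text, _dotted(sysid), nsel)


def sysid_from_ipv4(addr):
    """Common convention: zero-pad each octet to 3 digits, '10.1.1.1' -> '0100.0100.1001'."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return _dotted("".join(f"{o:03d}" for o in octets))


# Cisco IOS 'isis circuit-type' keywords and the levels each allows.
_LEVELS = {"level-1": {1}, "level-1-2": {1, 2}, "level-2-only": {2}}


def adjacency_level(net_a, net_b, circuit_a="level-1-2", circuit_b="level-1-2"):
    """Return 'L1', 'L2', 'L1L2', or None if no adjacency can form."""
    a, b = parse_net(net_a), parse_net(net_b)
    if a.system_id == b.system_id:
        raise ValueError(f"duplicate system ID {a.system_id}")
    common = _LEVELS[circuit_a] & _LEVELS[circuit_b]
    formed = []
    if 1 in common and a.area == b.area:   # L1 only forms inside one area
        formed.append("L1")
    if 2 in common:                         # L2 forms across areas as well
        formed.append("L2")
    return "".join(formed) or None


if __name__ == "__main__":
    r1 = "49.1111.1000.1000.0001.00"
    r2 = "49.2222.1000.1000.0002.00"
    print(parse_net(r1))
    print(adjacency_level(r1, r2))              # different areas: L2
    print(adjacency_level(r1, r2, "level-1"))   # L1-only router across areas: None
```

Run it against your own NETs before bringing up a new area: a duplicate system ID or a stray non-zero selector is caught here rather than on the wire.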

Unlike OSPF, the HELLO and HOLD timers do not need to match for neighbors to form.  Each IS-IS router declares its own HOLD time to its neighbors in its hellos (on IOS the hold time is the hello interval multiplied by the hello multiplier).

Much like OSPF, a designated router is elected on broadcast networks, called the DIS.  The DIS acts as the pseudonode, just as the DR does in OSPF.  Two differences worth remembering: there is no backup DIS, and the election is preemptive, so a router with a higher priority (or, on a tie, the higher interface MAC address) takes over as soon as it appears on the segment.

When IS routers exchange topology database information four types of packets are used:

Level 1 link state packets (LSP) – describe link state detail and information

Level 2 link state packets (LSP)

Complete sequence number packets (CSNP) – describe a summary of the link states in the database

Similar to OSPF DD (database descriptor) packets

Partial sequence number packets (PSNP) – describe partial data base, or used to request LSPs

IS-IS supports several different metric values per link, Default metric, Expense metric, Delay metric, Error metric.

IP routing only uses the Default metric.

The other metrics are not commonly implemented.

IS-IS wide metrics replace the 6-bit narrow default metric (0 to 63 per link, 1023 per path) with a 24-bit link metric carried in the extended IS reachability (TLV 22) and extended IP reachability (TLV 135) TLVs:
router isis
metric-style wide

Wide metrics are required when using route tags, which are carried as a sub-TLV of the extended IP reachability TLV.

Wide metrics are required for MPLS traffic engineering over IS-IS, since the TE parameters are also sub-TLVs of TLV 22.

Configuring some routers with wide metrics while others still use narrow metrics will break the network: a narrow-only router ignores TLV 22/135 and a wide-only router ignores the old TLVs, so each side loses the other's reachability information.

To make the transition to wide metrics you can use 'metric-style transition', which makes an IS-IS router send and accept both wide and narrow metrics, presuming the configured metrics are within the narrow range.

router isis
metric-style transition

The default metric for an interface in Cisco IOS is 10.  The metric can be changed with the interface level command:

interface serial 1/0
isis metric <value> [level-1 | level-2]

IS-IS provides the means to create logical flooding boundaries by breaking the network into one level 2 routing domain and multiple level 1 routing domains.

The one Level 2 routing domain could be analogous to OSPF Area 0

The multiple Level 1 routing domains could be analogous to other OSPF Areas

L1/L2 border routers will advertise all reachable IP destinations from their Level 1 domain into the Level 2 domain with a single Level 2 summary LSP describing the IP networks, much like an OSPF ABR and Type 3 LSAs.

L1/L2 border routers will hide the topology detail of their Level 1 domain from the Level 2 domain (not flooding all of the Level 1 LSP information), much like an OSPF ABR.

L1/L2 border routers will not, by default, advertise into the Level 1 domain the IP destinations they learned from Level 2.
A router with both L1 & L2 adjacencies does not automatically make it an L1/L2 border.

Only when an IS router has an adjacency with another IS router that advertises an area different from its own does it act as an L1/L2 border, for example:

49.1111.1000.1000.0001.00  <—–>  49.2222.1000.1000.0002.00

The L1/L2 border router will set the “attached bit” in its LSP and flood that into the L1 domain.  The “attached bit” indicates it is connected to Level 2 and is an L1/L2 border.

If the Level 1 router receives a packet for a destination it cannot match with its own L1 topology information, it will look in its database for a router with the “attached bit” and send the packet to that router.

The L1/L2 border router does not generate or advertise a default route in the Level 1 area.

The Level 1 router upon seeing an LSP in its database with the “attached bit” will create a default route in its own IP routing table pointing to the L1/L2 border router.

Level 1 routers have no topology or IP reachability information outside of their area, which can sometimes lead to suboptimal routing for packets exiting the Level 1 area.

The L1/L2 border can be configured to “leak” specific IP reachability information (routes) into the Level 1 area to avoid suboptimal routing:
router isis
redistribute isis ip level-2 into level-1 distribute-list 100
access-list 100 permit ip 10.10.10.0 0.0.0.255 any

Each IS router periodically re-floods (refreshes) its own LSPs; on Cisco IOS the default refresh interval is 15 minutes (900 seconds) and the default LSP lifetime is 20 minutes (1200 seconds).  In a large IS-IS network this is another good reason for area segmentation, as Level 1 LSPs are only flooded within their area.

In a large IS-IS network, you can also reduce the amount of LSP flooding traffic by increasing the LSP refresh interval, and increasing the LSP max age (lifetime).

router isis
lsp-refresh-interval (seconds, 1 to 65535)
max-lsp-lifetime (seconds, 1 to 65535)

Note: Be sure to set the LSP max lifetime to something higher than the LSP refresh interval

IS-IS over NBMA networks (Frame Relay)

One simple approach is to use point-to-point subinterfaces per DLCI.  Can waste IP address space in large nets.

Another approach is to use the physical Frame Relay interface in a point-to-multipoint topology.

Cisco routers have IP inverse ARP for Frame Relay on by default – which helps for OSPF, but not IS-IS, since IS-IS uses CLNS, not IP.

To form IS-IS neighbors on NBMA point-to-multipoint networks (Frame Relay) you need to use frame relay map statements for CLNS.

interface serial 1/0
encapsulation frame-relay
frame-relay map clns 101 broadcast

Another best practice on NBMA point-to-multipoint topologies with IS-IS is to make the Hub router the DIS (designated router) and force the spoke routers to never become the DIS.  On an NBMA or broadcast network all IS-IS routers need to exchange LSPs with the DIS, and in an NBMA network the spokes usually do not have direct connectivity to each other, so it's important that the Hub router always be elected the DIS.  The IOS interface priority ranges from 0 to 127 (default 64); note that, unlike OSPF, a priority of 0 does not remove a router from the election, it only makes it the least preferred candidate.

hub-router# interface serial 1/0
isis priority 125
spoke-router# interface serial 1/0
isis priority 0

You can use the command 'show clns interface' to verify which router is the DIS on a given network/interface.

The DIS is identified not by the CLNS selector byte but by the pseudonode ID, the one-byte field that follows the system ID in an LSP ID (system-ID.pseudonode-ID-fragment).  A router's own LSP uses pseudonode ID 00, so values 01 through FF (255 of them) are left for the pseudonodes of the broadcast segments on which this router has been elected DIS.
An IS-IS router can therefore be the DIS on no more than 255 different broadcast networks.

Thursday, February 24, 2011

Juniper Introduces QFabric to Challenge Cisco in Data Centers

Juniper Networks Inc., the second-largest maker of networking gear, introduced the first in a new family of data-center products, stepping up competition with larger rival Cisco Systems Inc.

The initial component will connect servers to a network and will cost $34,000, the Sunnyvale, California-based company said. It’s part of a project that Juniper has poured more than $100 million into in the past three years.

Juniper, which has built most of its business on selling gear to phone and Internet-service providers, is going after Cisco in the market for corporate data centers. The new QFabric products require less networking equipment, run more quickly and provide more value than rival products, the company said.

“Juniper’s heritage is one of innovating and disrupting the competition,” Chief Executive Officer Kevin Johnson said in an interview. “What customers are looking for is new ways to solve the problems of these massive data centers and in ways that are faster and more cost-effective.”

Juniper will begin selling the additional products in the QFabric suite in the third quarter. The company’s shares have risen 15 percent this year following the release of new security, routing and switching products, which direct the flow of Internet traffic.

Customer Tests

The company is testing the QFabric products with financial-services companies, health-care customers and education firms. NYSE Euronext, which has seen a steady surge in trading as the market gets more fragmented and new securities such as derivatives are introduced, turned to Juniper to help it keep up with the demands on its network.

“All of the large major companies have good offerings,” said Andrew Bach, a senior vice president at NYSE Euronext. “When you put together the combination of the architectural vision, competitive pricing and the overall support model, that’s what brought us to Juniper.”

Cisco said in a statement that its products are widely deployed in data centers and that customers have chosen to vote with their wallets.

Juniper will host an event in San Francisco tomorrow with partners to unveil the QFabric products.

Wednesday, February 23, 2011

CCNA Made Easy - Router Commands Overview


Here you will learn about router commands, configurations, privileged mode commands, routing protocols, Cisco labs and network configurations. There are hundreds of basic and advanced level commands on a router. It is not easy to remember all of them, but some are used frequently and can be remembered with some practice. I have provided a list of the most commonly used commands grouped by feature and usage.

You will find here some basic terminology of a router.

Routing: Routing is the process of moving data (packets) through an internetwork. Routing performs two basic tasks: define the paths for a packet, and then forward the packets along the defined paths. Routing can also be defined as the communication between two or more logically and physically separate networks, and this communication (packet transfer) is carried out by a router.

First of all you should remember the keyboard shortcuts of a router.

Keyboard Shortcuts
CTRL-N - show next command
CTRL-P - show previous command
SHIFT-CTRL-6 – Break

Configuring the Router

You will be able to learn the basic commands for configuring a router.
sh running-config - details the running configuration file (RAM)
sh startup-config - displays the configuration stored in NVRAM
setup - Will start the the automatic setup; the same as when you first boot the router
config t - use to execute configuration commands from the terminal
config mem - executes configuration commands stored in NVRAM; copies startup-config to running-config
config net - used to retrieve configuration info from a TFTP server
copy running-config startup-config - copies the running config (RAM) to NVRAM; equivalent to "write memory" on IOS before version 11
copy startup-config running-config - copies from non-volatile (NVRAM) to current running config (RAM)
boot system flash <put file filename here> - tells router which IOS file in flash to boot from
boot system tftp - tells router which IOS file on the tftp server to boot from
boot system rom - tell router to boot from ROM at next boot
copy flash tftp - Copies flash to tftp server
copy tftp flash - Restores flash from tftp server
copy run tftp - Copies the current running-config to tftp server
copy tftp run - Restores the running-config from tftp server

General Commands

Here is a list of the general commands. These are the basic level commands and most commonly used
no shutdown - (enables the interface)
reload - restarts the router
sh ver - Cisco IOS version, uptime of router, how the router started, where system was loaded from, the interfaces the POST found, and the configuration register
sh clock - shows date and time on router
sh history - shows the history of your commands
sh debug - shows all debugging that is currently enabled
no debug all - turns off all debugging
sh users - shows users connected to router
sh protocols - shows which protocols are configured
banner motd # Your customized message here # - Set/change banner
hostname <give router name> - use to configure the hostname of the router
clear counters - clear interface counters

Privileged Mode commands of a router

Learn how to work in the privileged mode of a router.
enable - get to privileged mode
disable - get to user mode
enable password <give password here> - sets privileged mode password (stored in cleartext, or reversibly obfuscated as type 7 under service password-encryption)
enable secret <give password here> - sets privileged mode password as a salted hash (type 5); when both are configured the secret is the one that is used
Setting Passwords on router

Here you will be able to learn how to set the password on a router.
enable secret <give password here> - set hashed password for privileged access; always prefer this
enable password <give password here> - set password for privileged access (only needed when there is no enable secret, i.e. on older software). Note that 'service password-encryption' only applies the reversible type 7 encoding, so it hides the value from someone glancing at the screen but not from anyone who can read the configuration
Setting the password for console access:
(config)#line console 0
(config-line)#login
(config-line)#password <put password here>
Set password for virtual terminal (telnet) access (a password must be set, otherwise the router refuses telnet logins):
(config)#line vty 0 4
(config-line)#login
(config-line)#password <put password here>
Telnet carries this password across the network in cleartext; where the IOS image supports it, generate an RSA key and restrict the lines with (config-line)#transport input ssh, and prefer 'login local' with per-user accounts over a shared line password.
Set password for auxiliary (modem) access:
(config)#line aux 0
(config-line)#login
(config-line)#password <put password here>
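To show why 'enable password' and line passwords protected only by type 7 encoding are not secrets, here is an added example (not Cisco code and not part of the original page) that decodes the type 7 scheme, which is a fixed-key XOR that has been public for years, and audits a constructed running-config for cleartext or type 7 passwords and telnet-enabled vty lines. The sample config, including the placeholder 'enable secret' hash, is constructed for the example; the decoding key and the '0822455D0A16' test string are the well-known ones.

```python
"""Audit a Cisco IOS running-config for weak password storage.

Added example for this page, not Cisco code. Type 7 'encryption', which
'service password-encryption' applies to 'enable password' and line passwords,
is a fixed-key XOR; decoding it is a well-known procedure and is shown here to
make the point that only 'enable secret' (a salted hash) protects the
privileged-mode password. The sample config at the bottom is constructed.
"""
import re

# Public fixed key used by the IOS type 7 scheme.
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded):
    """'0822455D0A16' -> 'cisco'. The first two digits are the key offset."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError(f"malformed type 7 string: {encoded}")
    seed = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])
    plain = bytes(c ^ _XLAT[(seed + i) % len(_XLAT)] for i, c in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plain, seed=8):
    """Inverse of type7_decode, for round-trip checks (IOS picks a small seed)."""
    data = plain.encode("ascii")
    body = bytes(c ^ _XLAT[(seed + i) % len(_XLAT)] for i, c in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


_PASSWORD = re.compile(r"^(enable password|password)(?: (\d+))? (\S+)$")
_TRANSPORT = re.compile(r"^transport input (all|.*\btelnet\b)")


def audit_config(config_text):
    """Return (line, finding) pairs for every weak credential setting found."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = _PASSWORD.match(line)
        if m:
            _, ptype, value = m.groups()
            if ptype == "7":
                findings.append((line, f"type 7 is reversible; recovered {type7_decode(value)!r}"))
            elif ptype in (None, "0"):
                findings.append((line, "stored in cleartext"))
            continue  # 'enable secret 5 ...' never matches _PASSWORD and is left alone
        if _TRANSPORT.match(line):
            findings.append((line, "telnet carries the line password in cleartext; use 'transport input ssh'"))
    return findings


# Constructed sample running-config (the secret hash is a placeholder, not a real hash).
SAMPLE_CONFIG = """\
hostname R1
enable password 7 0822455D0A16
enable secret 5 $1$salt$placeholderhashvalue
line con 0
 password cisco123
 login
line vty 0 4
 password 7 0822455D0A16
 login
 transport input telnet
"""

if __name__ == "__main__":
    for line, finding in audit_config(SAMPLE_CONFIG):
        print(f"{line!r}: {finding}")
```

Point it at a saved 'sh running-config' and every type 7 string comes back as the original password; that is the whole argument for 'enable secret' and for treating configuration backups as credentials.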

Router Processes & Statistics

By these command you can see the statistics and different processes of the router.
sh processes - shows active processes running on router
sh process cpu - shows cpu statistics
sh mem - shows memory statistics
sh flash - describes the flash memory and displays the size of files and the amount of free flash memory
sh buffers - displays statistics for router buffer pools; shows the size of the Small, Middle, Big, Very Big, Large and Huge Buffers
sh stacks - shows reason for last reboot, monitors the stack use of processes and interrupts routines

IP Commands

Here is a list of the IP Commands
Configure IP on an interface:
int serial 0
ip address 157.89.1.3 255.255.0.0
int eth 0
ip address 208.1.1.4 255.255.255.0

Other IP Commands:

sh ip route - view ip routing table
ip route <remote_network> <mask> <next_hop> [administrative_distance] - configure a static IP route
ip route 0.0.0.0 0.0.0.0 <put gateway of the last resort here> - sets default gateway
ip classless - use with static routing to allow packets destined for unrecognized subnets to use the best possible route
sh arp - view arp cache; shows MAC address of connected routers
ip address 2.2.2.2 255.255.255.0 secondary - configure a 2nd ip address on an interface
sh ip protocol
CDP Commands (Cisco Discovery Protocol uses layer 2 multicast over a SNAP-capable link to send data). CDP advertises the device's hostname, platform, IOS version and IP addresses to every neighbor on the segment, so disable it on interfaces facing untrusted networks:
sh cdp neighbor - shows directly connected neighbors
sh cdp int - shows which interfaces are running CDP
sh cdp int eth 0/0 - show CDP info for specific interface
sh cdp entry <cdp neighbor here> - shows CDP neighbor detail
cdp timer 120 - change how often CDP info is sent (default cdp timer is 60)
cdp holdtime 240 - how long to wait before removing a CDP neighbor (default CDP holdtime is 180)
sh cdp run - shows if CDP turned on
no cdp run - turns off CDP for entire router (global config)
no cdp enable - turns off CDP on specific interface

IPX Commands

Enable IPX on router:
ipx routing
Configure IPX + IPX-RIP on an int:
int ser 0
ipx network 4A

Other Commands:

sh ipx route - shows IPX routing table
sh ipx int e0 - shows ipx address on int
sh ipx servers - shows SAP table
sh ipx traffic - view traffic statistics
debug ipx routing activity - debugs IPX RIP packets
debug ipx sap - debugs SAP packets

Routing Protocols

RIP, IGRP and OSPF are routing protocols; here is a list of the commands for working with RIP and IGRP.
Configure RIP:
router rip
network 157.89.0.0
network 208.1.1.0
Other RIP Commands:
debug ip rip - view RIP debugging info
Configure IGRP:
router igrp 200
network 157.89.0.0
network 208.1.1.0
Other IGRP Commands:
debug ip igrp events - view IGRP debugging info
debug ip igrp transactions - view IGRP debugging info
Access Lists
Here is a list of the Access list command of a router.
sh ip int ser 0 - use to view which IP access lists are applied to which int
sh ipx int ser 0 - use to view which IPX access lists are applied to which int
sh appletalk int ser 0 - use to view which AppleTalk access lists are applied to which int
View access lists:
sh access-lists
sh ip access-lists
sh ipx access-lists
sh appletalk access-lists
Apply standard IP access list to int eth 0:
access-list 1 deny 200.1.1.0 0.0.0.255
access-list 1 permit any
int eth 0
ip access-group 1 in
Apply Extended IP access list to int eth 0:
access-list 100 deny tcp host 1.1.1.1 host 2.2.2.2 eq 23
access-list 100 deny tcp 3.3.3.0 0.0.0.255 any eq 80
int eth 0
ip access-group 100 out
Note that every access list ends with an implicit 'deny any'. As written, list 100 contains no permit entry, so once applied it drops all outbound IP traffic on eth 0, not just the telnet and HTTP flows named; add 'access-list 100 permit ip any any' as the last entry to block only those flows.
Apply Standard IPX access list to int eth 0:
access-list 800 deny 7a 8000
access-list 800 permit -1
int eth 0
ipx access-group 800 out
Apply Extended IPX access list (filtering SAP) to int eth 0:
access-list 900 deny sap any 3378 -1
access-list 900 permit sap any all -1
int eth 0
ipx access-group 900 out
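Because access lists are matched top-down with an implicit deny at the end, it is worth checking a list against sample packets before applying it. The following is an added example (not Cisco code and not part of the original page) that parses the standard and extended IP access-list syntax used above, evaluates packets with first-match semantics and the implicit deny, and shows that list 100 as written blocks everything while a list with a trailing 'permit ip any any' blocks only the named flows. The access-list text and packet addresses are constructed; IPX lists are not modelled.

```python
"""Evaluate Cisco-style numbered IP access lists against sample packets.

Added example for this page, not Cisco code. It parses the standard (1-99)
and extended (100-199) entry syntax shown above, applies first-match
semantics, and models the implicit 'deny any' at the end of every list. The
ACL text and packets below are constructed.
"""
import ipaddress


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'; return ((net, mask), used)."""
    if tokens[0] == "any":
        return (0, 0), 1
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0xFFFFFFFF), 2
    # In a Cisco wildcard a 1 bit means "don't care", so the match mask is its inverse.
    mask = ~_ip(tokens[1]) & 0xFFFFFFFF
    return (_ip(tokens[0]) & mask, mask), 2


def parse_acls(config_text):
    """Return {acl_number: [entry, ...]} in configuration order."""
    acls = {}
    for line in config_text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        num, action, rest = int(tok[1]), tok[2], tok[3:]
        entry = {"action": action, "proto": "ip", "src": (0, 0), "dst": (0, 0), "dport": None}
        if 1 <= num <= 99:                       # standard: source address only
            entry["src"], _ = _parse_addr(rest)
        elif 100 <= num <= 199:                  # extended: proto src dst [eq port]
            entry["proto"], rest = rest[0], rest[1:]
            entry["src"], used = _parse_addr(rest)
            rest = rest[used:]
            entry["dst"], used = _parse_addr(rest)
            rest = rest[used:]
            if rest[:1] == ["eq"]:
                entry["dport"] = int(rest[1])
        else:
            continue                             # IPX / SAP lists are not modelled
        acls.setdefault(num, []).append(entry)
    return acls


def _matches(spec, addr):
    net, mask = spec
    return (_ip(addr) & mask) == net


def evaluate(entries, src, dst, proto="ip", dport=None):
    """First matching entry wins; falling off the end is the implicit deny."""
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if not (_matches(e["src"], src) and _matches(e["dst"], dst)):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"]
    return "deny"


def has_permit(entries):
    """A list with no permit entry blocks everything once applied."""
    return any(e["action"] == "permit" for e in entries)


# Constructed: the two lists from the page, plus list 101 with the missing permit added.
SAMPLE_ACLS = """\
access-list 1 deny 200.1.1.0 0.0.0.255
access-list 1 permit any
access-list 100 deny tcp host 1.1.1.1 host 2.2.2.2 eq 23
access-list 100 deny tcp 3.3.3.0 0.0.0.255 any eq 80
access-list 101 deny tcp host 1.1.1.1 host 2.2.2.2 eq 23
access-list 101 deny tcp 3.3.3.0 0.0.0.255 any eq 80
access-list 101 permit ip any any
"""

if __name__ == "__main__":
    acls = parse_acls(SAMPLE_ACLS)
    print(evaluate(acls[100], "5.5.5.5", "6.6.6.6", "tcp", 443))   # deny (implicit)
    print(evaluate(acls[101], "5.5.5.5", "6.6.6.6", "tcp", 443))   # permit
```

The has_permit check is the one-line review to run over any list before 'ip access-group': a list that never permits anything is almost always a mistake rather than an intended blackhole.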

WAN Configurations Commands

Networking over WAN is the main functionality of a router. The most common use of a router is for the WAN connectivity. Here is a list of the commands for the different methods of the WAN connectivity.

PPP Configuration

Point to point protocol is a method for the WAN connectivity and you will find here some commands of PPP.
encapsulation ppp
ppp authentication <chap or pap here>
ppp chap hostname <put router name here>
ppp pap sent-username <put user name here>
sh int ser 0 - use to view encapsulation on the interface

Frame-Relay Configuration

One of the methods for the WAN connectivity is the Frame Relay. Find here some basic commands for the WAN connectivity through Frame Relay.
encapsulation frame-relay ietf - use IETF when setting up a frame-relay network between a Cisco router and a non-Cisco router
frame-relay lmi-type ansi - LMI types are Cisco, ANSI, Q933A; Cisco is the default; LMI type is auto-sensed in IOS v11.2 and up
frame-relay map ip 3.3.3.3 100 broadcast - if inverse ARP won't work, map Other IP to Your DLCI # (local)
keepalive 10 - use to set the keepalive interval
sh int ser 0 - use to show DLCI, LMI, and encapsulation info
sh frame-relay pvc - shows the configured DLCIs; shows PVC traffic stats
sh frame-relay map - shows route maps
sh frame-relay lmi - shows LMI info

Miscellaneous Commands

Last but not least, here is a list of some miscellaneous and useful commands:
sh controller t1 - shows status of T1 lines
sh controller serial 1 - use to determine if DCE or DTE device
(config-if)#clock rate 64000 - set clock on DCE (bits per second); 64000 bps matches the 64 kilobit bandwidth below
(config-if)#bandwidth 64 - set bandwidth (kilobits)

Server Virtualization and the Path to Enlightenment

The pace of change in the data center is brisk to say the least.  One of the most significant drivers of change is the broad adoption of server virtualization, which is designed to allow multiple applications to independently co-exist on the same physical server.  There have been many different approaches to server virtualization in the past:  “envelopes” in MVS (zOS); Mainframe Domain Facility from Amdahl; Dynamic System Domains and Containers from Sun; and so forth.  Today, the preferred solution is to use hypervisors to encapsulate applications and their operating system instances inside a virtual machine (VM).

It may seem like hypervisors such as VMware’s ESX have sprung out of nowhere.  In fact, the hypervisor has been more than 45 years in the making and can be traced back to a 1964 R&D project at IBM’s Cambridge research facility running on a modified IBM 360-40 mainframe.  Initially known as CP-40 and later as VM/CMS, it was eventually released as IBM’s first fully supported hypervisor in 1972 under the name VM/370.  Although it remained in the shadow of MVS, VM/370 proved to be the O/S that customers would not let IBM kill off. Today, it is known as z/VM and runs on IBM’s z-series mainframes.

The “modern” history of hypervisors began when Mendel Rosenblum, an associate professor at Stanford, and a few of his students created a hypervisor on x86 servers as a graduate project.  Mendel then teamed up with his wife Diane Greene to start VMware.  In the beginning, the significant overhead required to run the hypervisor limited its use to test and development environments. This changed when the boys from Cambridge University invented para-virtualization and open-sourced Xen.  Combined with the hardware support that Intel and AMD baked into their processors, the required system overhead dropped to under 10% and the hypervisor exploded into the production world.

Today there is a wealth of hypervisors to choose from: ESXi, Hyper-V, Xen and KVM on x86 servers, plus a set specific to various UNIX boxes and mainframes.  Today, thanks to the ubiquity of hypervisors, almost all companies have implemented some form of server virtualization.

At my previous employer, I was a VMware customer and had the opportunity to interact with a number of their customers.  What I noticed is that most businesses embrace server virtualization in three stages, what I call “the path to enlightenment.”  In the first stage, IT is seeking to tame server sprawl through server consolidation.  When a server runs a single application, average utilization of that physical server is generally 5%-8%.  Using VMs to isolate the applications from each other, multiple applications can co-exist on a single server, increasing hardware utilization to 25%-35% (or more if you are good or lucky).  This made it possible to actually reduce the number of servers, bucking the trends of the last several decades.  Stage one: Consolidation – saving capital costs.

During this initial stage, virtualized server pools are generally small and configurations are static, with VM migration limited to once or twice per year to facilitate maintenance.  The security model is simplistic with a very limited number of VLANs and zones implemented within the server pool.  For the most part, the virtualized applications are limited to non-critical apps.  In this first phase, the legacy data center network proves to be adequate.

At some point during the first stage, IT realizes there is a greater benefit than CAPEX savings – agility.  It begins when IT discovers that provisioning new virtual “servers” to meet the needs of the business groups can now be performed in hours rather than the weeks or months typically required for new physical servers.  Suddenly IT is a hero – they are exceeding their “customers’” expectations.  Now the business can move faster and IT can be more responsive.  New capabilities come on line in less time.  Resources can be added quickly to respond to changes in demand, while applications that did not work out can be taken off-line and the resources easily reallocated.  Stage 2: Agility – for the infrastructure and the business.

Finally, as VMs become more dynamic, there is a third stage of enlightenment – resilience.  The ability to pick up and move an application safely and dynamically can also be used to build a more resilient infrastructure without having to resort to complex HA (high availability) clusters; now, HA can be delivered to all applications in the data center.  Stage 3: Resilience – keeping the business running.

As customers move into the second and third stages, the pools of virtualized servers grow in size, and they find that a single, larger resource pool is both more efficient and more agile than multiple smaller pools.  The environment becomes more dynamic, with VM migration becoming commonplace in order to facilitate workload balancing and resilience.  Many or even most of the applications become virtualized, including the critical apps.  It is at this stage we start to see big Oracle databases being virtualized — not because they will share the server with other apps but because they can now be easily moved to another server.  And finally, because of the number of applications, there needs to be a more sophisticated security model.  The number of VLANs and security zones implemented within the server pools grows dramatically.

It is at the point when customers move from the consolidation stage to the agility and resiliency stages that they have an epiphany.  The legacy hierarchical network embedded in their data center is the single greatest impediment to achieving the promise of the virtualized data center.  And that, my friends, will be the subject of my next posting.

Tuesday, February 22, 2011

JUNOS Command Completion

The JUNOS command completion feature saves you lots of time and energy, and it provides syntax checking as you type. Gone are the days when you type a command on a line and after you press Enter the command is either invalid or not supported on that version of software. Any error or ambiguity will be detected early, and the router/switch will present a list of valid completions for the current command.

You can disable command completion on a per-login basis by modifying the CLI environment with an operational mode set cli command:

juniper@R1> set cli ?
Possible completions:
complete-on-space Set whether typing space completes current word

But a good reason to do so has not yet been noted.

You can invoke command completion by using either the space bar or the Tab key. Note that the Tab key also completes user-assigned variables such as interface names, IP addresses, firewall filters, and filenames.
Note: The most confusing thing about command completion is when to use space and when to use Tab. The space bar is used until a variable is reached, at which point the Tab key is used to auto-complete the user variable, for example the filter name TEST_JUNOS-FILTER.

Juniper Networks expands Junos Pulse Mobile Security Software to new devices and customers


Juniper Networks unveiled an expansion of the Junos Pulse Mobile Security Suite, a comprehensive security software suite that protects mobile devices and defends customers - and their sensitive information - while at work, at play or both, and includes mobile device management capabilities.

In addition, Junos Pulse Mobile Security Suite APIs - which allow service providers open programmatic customization of the Junos Pulse solution - will be available soon.

These new offerings and enhancements underscore Juniper's continued commitment to delivering security and secure connectivity in a fast transforming mobile landscape.

Juniper first introduced the Junos Pulse Mobile Security Suite in October 2010 and has since seen rapid adoption of the solution from BullGuard, Culpeper County, Cyberian, IBM, Velux, Wright-Patt and Terra. The latest version of Junos Pulse Mobile Security Suite extends mobile device management support for Apple iOS devices, enabling configuration, provisioning, management and policy enforcement. Enterprises deploying iPads and iPhones can enable secure device connectivity to the network and corporate applications with the enforcement of corporate security profiles on the device. The management and policy enforcement capabilities within the Junos Pulse Mobile Security Suite ensure users set passwords according to corporate guidelines, use the appropriate VPN, and block applications that could expose the device to security risks.

Apple iPhone and iPad users can also track a lost or stolen device with GPS locator and remotely lock and wipe it free of content.

Junos Pulse Mobile Security Suite APIs enable service providers and Juniper's own Professional Services to co-brand the Junos Pulse end user interface and integrate the Junos Pulse Mobile Security Suite management console into a service provider's billing and provisioning systems. This allows service providers a turnkey way to roll out new solutions for hosted mobile security offerings that drive incremental revenue while delivering peace of mind to customers who are at risk from malicious security threats and device loss or theft.

"BullGuard is in the business of making Internet security simple. This partnership with Juniper Networks offers us a chance to extend the same solutions our customers have enjoyed on their desktops and laptops to their mobile device," said Søren Ravn, CEO at BullGuard Internet Security. "We have been providing Junos Pulse Mobile Security Suite technology in our BullGuard Mobile Security 10 to our customers since December 2010, and it has been very well received by consumers and stakeholders, who have responded enthusiastically."

"We're seeing increasing demand for Junos Pulse and the Junos Pulse Mobile Security Suite as consumers and businesses realize the necessity of securing their mobile work, lifestyle, and day-to-day life," said Sanjay Beri, vice president and general manager, Junos Pulse Business Unit, Juniper Networks. "The name of the game is open flexibility. The Mobile Security Suite expands our reach in the mobility market into new client operating systems, and mobile security and connectivity capabilities while our API platform introduces new opportunities, particularly for service providers and enterprises looking to add value-based security services and differentiation for their customers."

Availability

The latest version of the Junos Pulse Mobile Security Suite and Junos Pulse Mobile Security Suite APIs will be available in Q2 2011.

Monday, February 21, 2011

Juniper Networks enables Saudi Arabia Ministry of Communications and IT to deliver comprehensive, unified e-government program


Juniper Networks announced that the Kingdom of Saudi Arabia's Ministry of Communications and Information Technology (MCIT) is building a high-performance network and data center infrastructure using switching, routing and security solutions from Juniper Networks.

MCIT has selected Juniper to create the infrastructure as a platform for the Kingdom's country-wide e-Government project called "Yesser", which will enable many other government departments to interact with each other and citizens online.

By integrating numerous information and communication technologies, Saudi Arabia's e-Government program is expected to significantly increase the Kingdom's return on investment (ROI) in its networks, providing faster, easier-to-use services and transactions for government organizations and their commercial and constituent clients.

MCIT is responsible for the deployment and management of IT and network-based services across the Kingdom, including broadcast, digital and telephony activities. As part of its mission, MCIT is focusing on the integration of services that affect as many citizens as possible and help to support the Kingdom of Saudi Arabia's continued socio-economic development.

"Our e-Government initiative is designed to raise the productivity and efficiency of the public sector in Saudi Arabia and further improve the quality of life and value we can deliver to our citizens," said Ahmad Y. Alkhiary, assistant director general, Ministry of Communications and Information Technology, Kingdom of Saudi Arabia. "By introducing services through electronic transactions, we can utilize information technology to its best advantage and also control costs. The Juniper Networks solution for MCIT will reduce the cost and complexity of our data center network, delivering a dynamic, flexible and automated solution without sacrificing performance."

The MCIT e-Government program will leverage Juniper Networks EX4200 Series Ethernet Switches with virtual chassis fabric technology to provide high availability for MCIT's hosting services at the data center and among its agencies. Juniper Networks J Series Services Routers will be installed as a branch deployment to standardize service delivery and provide stability and efficiency for all agencies and the central site. Additionally, Juniper Networks M Series Multiservice Edge Routers will provide advanced routing with carrier-class reliability for the high-performance network.

Juniper Networks Network and Security Manager and STRM Series Security Threat Response Manager solutions will also be used in the e-Government program for centralized configuration and threat, compliance and log management to maximize end-to-end network security and performance. Juniper Networks SSG Series Secure Services Gateways and ISG Series Integrated Security Gateways will provide complete protection against all types of internal, external, current and emerging network- and application-layer attacks. Juniper Networks SA Series SSL VPN Appliances provide remote users secure access to corporate resources from any Web browser.

Juniper's routing and switching platforms run on Junos® software, Juniper's single-source operating system, enabling MCIT to seamlessly and cost-effectively deploy and accelerate its next-generation network services and improve reliability and performance of the network.

"MCIT understands the strategic importance of the network and the tremendous long-term value in leveraging it to improve employee productivity, optimize the user experience while simplifying the network to minimize the total cost of operations and raise customer satisfaction through high-quality online services," said Andy Ingram, vice president of product marketing and business development, Fabric and Switching Technologies, Juniper Networks. "Juniper's solutions are helping the Saudi Arabian government and its residents through this ambitious e-Government program, creating an innovative and operationally efficient network environment."

Juniper's local partner on the MCIT deployment is Mobily, a specialized provider in mobile telecom services nationwide.

Comparison of Juniper JUNOS vs. Cisco IOS

Take a look at the JUNOS operating system, which is what really differentiates Juniper Networks from Cisco’s IOS.

Here we summarize the reasons why some of our technical engineers chose JUNOS for our own network.

Modular vs Monolithic OS: JUNOS is a true modular operating system. Each JUNOS process runs in its own protected memory space, so if a daemon encounters a problem, it can be restarted independently. When these types of events occur in monolithic OS environments, the outcome is usually a full system crash.

Single Train Software: JUNOS single train software runs all Juniper routing, switching and security products. With a single cohesive operating system, Juniper releases quarterly updates, making updates a planned event. Compare that to what people are saying about managing Cisco’s IOS versions!

OPEX Summary:
  1. With a single release train, education costs and new feature implementation times are significantly reduced.
  2. The stability of the JUNOS platform dramatically reduces down time.
  3. The logical design and consistency of the JUNOS CLI reduces configuration time.
  4. Configuration change mechanisms are designed to “human proof” the network from disasters.
  5. Administrators can safely make configuration or policy changes remotely, without worrying about losing connectivity.
A recent study conducted by Lake Partners Strategy Consultants concluded that organizations experienced the following time savings:
  • Troubleshooting 54%
  • Upgrades and Planned Events 23%
  • Duration of Unplanned Events 30%
  • Frequency of Unplanned Events 24%
So, in a side by side comparison between Cisco’s IOS and Juniper’s JUNOS, it was no contest. This is the reason most of the technical team prefers Juniper.

The Cisco Nexus or the Juniper EX Series?

About Juniper’s EX8200:

Overview: Juniper has been in backbone and provider networks for over 11 years. The EX8200 is the flagship of Juniper’s EX series line of switches. With a full product portfolio all running one JUNOS operating system version, Juniper gives customers a simplified network from the WAN to the core and right on down to the wireless network.

The Good: Lower price points, less power consumption, one operating system, very reasonable maintenance and support costs with better overall performance than Cisco’s Nexus.

The Bad: It’s not Cisco. If you are not familiar with JUNOS, it will require learning a new operating system.

About Cisco’s Nexus 7000:

Overview: The Nexus 7000 series is Cisco’s newest core and datacenter switch offering. Announced in January 2009, it is designed to consolidate IP, storage and inter-process communication (IPC). The Nexus uses the new and unproven NX-OS operating system.

The Good: It is Cisco – With 80% market share, it’s safe to assume you can leverage Nexus features while easily integrating the NX-OS into your environment.

The Bad: You’ll pay a hefty price tag for it. Its overall performance is lower and its power consumption is higher than Juniper’s EX8200 series. The Nexus 7000 uses Cisco’s NX-OS operating system, increasing the product’s complexity and raising operating costs.

Conclusion: New operating systems aside, we took a hard look at the performance specs and, in the end, it was no contest. We chose Juniper. The bottom line was better performance with lower overall operating costs.

“There has been a lot of hype around the Cisco Nexus. What’s driving this is the unprecedented demand for bandwidth and network managers on a quest to find a solution. Since Nexus runs NX-OS, IT will be introducing a new operating system into their environment. If you are going to introduce a new operating system anyway, this is a great opportunity for data centers to leverage Juniper’s flagship EX8200 and the JUNOS operating system.”

Sunday, February 20, 2011

Cisco's Demonstration Plans for Mobile World Congress 2011

Cisco will give demonstrations in three areas at Mobile World Congress 2011:

- Mobile Experience
- Transforming Mobile internet infrastructure
- Mobile Cloud and Mobile Data centers

Concepts of Private VLANs

Private VLANs are best suited to service provider networks, which can isolate customers within a shared VLAN rather than assigning a new VLAN to every customer. Keep in mind that two of the major issues faced by service providers were:
  • If every client was assigned a new VLAN, they would only be able to support 4096 clients :) Not a smart business move.
  • Each of those VLANs would also need its own subnet, so our already depleted IPv4 space would be further wasted just to pass traffic between clients.
The concept of a private VLAN is very basic: take a VLAN and subdivide it into many VLANs. Each private VLAN consists of ONE primary VLAN and many secondary VLANs.  There are two types of secondary VLANs: isolated or community. You can assign many community VLANs to a primary VLAN, but only ONE isolated VLAN can be assigned to each primary VLAN.

Private VLAN Ports:

Private VLAN ports can be divided into three types:

Promiscuous Port

  • A promiscuous port belongs to the primary VLAN.
  • A promiscuous port can communicate with all ports that belong to a secondary VLAN (isolated or community), as long as they are associated with the same primary VLAN.

Isolated Port

  • An isolated port is a host port that belongs to an isolated secondary VLAN.
  • The host ports that belong to an isolated VLAN can NOT communicate with other ports in the isolated VLAN.
  • Isolated ports can ONLY communicate with the promiscuous ports.

Community Port

  • Community ports belong to a community secondary VLAN.
  • Community ports can communicate with ports in the same community VLAN along with the promiscuous ports.
  • Community ports can NOT communicate with ports in other community VLANs.
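The three port rules above can be written down as a small reachability check. The Python below is an added example, not from the original post; VLAN numbers, port names and roles are constructed for illustration. It also enforces the one-isolated-VLAN-per-primary constraint stated earlier and rejects a host port whose secondary VLAN is not associated with its primary.

```python
"""Model the private VLAN forwarding rules described above.

Added example, not part of the original post. VLAN numbers, port names and
roles are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class PrivateVlan:
    """One primary VLAN with its secondary VLANs."""
    primary: int
    isolated: Optional[int] = None                      # at most ONE isolated VLAN per primary
    community: List[int] = field(default_factory=list)  # any number of community VLANs

    def add_secondary(self, vlan: int, kind: str) -> None:
        if kind == "isolated":
            if self.isolated is not None:
                raise ValueError(f"primary {self.primary} already has isolated VLAN {self.isolated}")
            self.isolated = vlan
        elif kind == "community":
            self.community.append(vlan)
        else:
            raise ValueError(f"unknown secondary VLAN type {kind!r}")


@dataclass(frozen=True)
class Port:
    name: str
    role: str                        # "promiscuous", "isolated" or "community"
    primary: int                     # primary VLAN the port is associated with
    secondary: Optional[int] = None  # host ports only; promiscuous ports have none


def check_port(port: Port, pvlans: Dict[int, PrivateVlan]) -> None:
    """Reject ports whose secondary VLAN is not associated with their primary."""
    pv = pvlans[port.primary]
    if port.role == "promiscuous":
        ok = port.secondary is None
    elif port.role == "isolated":
        ok = port.secondary == pv.isolated
    elif port.role == "community":
        ok = port.secondary in pv.community
    else:
        ok = False
    if not ok:
        raise ValueError(f"port {port.name}: bad private VLAN association")


def can_talk(a: Port, b: Port, pvlans: Dict[int, PrivateVlan]) -> bool:
    """Return True if Layer 2 forwarding between ports a and b is allowed."""
    check_port(a, pvlans)
    check_port(b, pvlans)
    if a.primary != b.primary:
        return False                      # different primaries: ordinary VLAN separation
    if "promiscuous" in (a.role, b.role):
        return True                       # promiscuous ports reach every port in the primary
    if "isolated" in (a.role, b.role):
        return False                      # isolated ports reach ONLY promiscuous ports
    return a.secondary == b.secondary     # community ports reach their own community only


def reachability(ports: List[Port], pvlans: Dict[int, PrivateVlan]) -> Dict[Tuple[str, str], bool]:
    """Full pairwise matrix, keyed by (source name, destination name)."""
    return {(a.name, b.name): can_talk(a, b, pvlans) for a in ports for b in ports if a is not b}


# Constructed topology: primary 100 with isolated 101 and communities 102 and 103.
PVLANS = {100: PrivateVlan(100)}
PVLANS[100].add_secondary(101, "isolated")
PVLANS[100].add_secondary(102, "community")
PVLANS[100].add_secondary(103, "community")

PORTS = [
    Port("uplink-router", "promiscuous", 100),
    Port("cust-a1", "isolated", 100, 101),
    Port("cust-a2", "isolated", 100, 101),
    Port("cust-b1", "community", 100, 102),
    Port("cust-b2", "community", 100, 102),
    Port("cust-c1", "community", 100, 103),
]

if __name__ == "__main__":
    for (src, dst), ok in sorted(reachability(PORTS, PVLANS).items()):
        print(f"{src:>14} -> {dst:<14} {'allowed' if ok else 'blocked'}")
```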

Dealing with Major Incidents

We know that the primary goal of the incident management process is to restore normal service operations as quickly as possible and to minimize any adverse impact on business operations. This will ensure the highest levels of service quality and availability are delivered to the user community, guaranteeing that the business is receiving value and facilitating the outcomes it wants to achieve.

The value this process produces for the business is in the ability to:
  • detect and resolve incidents quickly, resulting in higher availability of IT services.
  • align IT activities to real time business priorities and dynamically allocate resources as necessary.
  • identify potential improvements to services, through the analysis of incident trends.
So it sounds like we have everything covered as long as we handle all incidents in the same consistent and proceduralized manner. Well not so fast. What happens when we have an incident that affects a major business process and in turn creates a major impact to the business?

For these types of situations we need to have a separate procedure, with shorter escalation time scales and greater urgency in responding to “Major Incidents”. First we must agree on a definition of just what constitutes a major incident and how it will be integrated into the overall incident prioritization system.

Note: Many organizations that I have corresponded with confuse this separate process with problem management. A major incident may increase in impact to the business thus increasing in the priority it needs to be addressed by the ITSM processes but it still remains an incident and never becomes a problem.

Where necessary, the major incident procedure should include the formation of a separate and dynamic major incident team (under the leadership of the incident manager) to concentrate their efforts on the particular incident alone and ensure that adequate resources are engaged and solely focused on providing a swift resolution to the impact at hand. Problem management can be involved if the underlying cause needs to be discovered at the same time, but the incident manager must ensure that restoration of services and root cause analysis are kept separate and that impact reduction is the priority.

Saturday, February 19, 2011

Cisco, Juniper mobilize in Barcelona

Cisco's on the MOVE; Juniper spreads Falcon wings


Lost amid the scrutiny of Cisco's Q2 financials and the upheaval it exposed were significant product announcements by the company and rival Juniper at the Mobile World Congress conference in Barcelona this week. At the show, Cisco announced MOVE - which stands for Monetization, Optimization, Videoscape Experience - a framework to optimize mobile video traffic, reduce carriers' costs and enhance users' wireless experience.

MOVE's components include Mobile Videoscape, enhancements to Cisco's ASR 5000 LTE gateway (from the Starent acquisition) and Unified Computing System to enable linkage to the new Videoscape Internet TV platform; a new WiFi access point for service providers; and software for its edge routers to add intelligence for mobile applications.

Meanwhile, Juniper launched MobileNext, the embodiment of its year-plus-old Project Falcon Evolved Packet Core effort. MobileNext is software for Juniper's MX 3D series routers designed to enable non-interrupted delivery of high-definition voice and video to users over 2G/3G and LTE mobile networks. The software includes deep packet inspection, traffic direction, network address translation, firewall, video optimization, MPLS and application load balancing features as well, according to Juniper.

Juniper worked with Openwave Systems for the video optimization and application load balancing pieces of MobileNext.

MobileNext software allows the MX 3D to function as a broadband gateway, an authentication and management control plane for 2G/3G and LTE mobile packet cores, and as a policy manager for subscriber management systems. 

Both companies are preparing themselves and their customers for the explosion in mobile traffic and applications. MobileNext supports up to eight million sessions, which some analysts peg as high-capacity. Cisco is expecting mobile data traffic to grow at a 92% CAGR between 2010 and 2015, with mobile video making up 66% of all mobile data traffic by 2015.

eBook - Cisco IOS Performance Routing

Performance Routing is an extension of the Optimized Edge Routing (OER) technology and many of the
commands and command modes still use the OER naming conventions. All of the original OER features
are incorporated into the Performance Routing technology and are still listed here under the original
feature name.

Below is the link for downloading the Cisco file on PfR.

Friday, February 18, 2011

Juniper Debuts Virtual Security Firewall Gateway

As enterprises move to virtual servers, there is a corresponding need and demand for virtual machine (VM) security. To help meet that need, Juniper Networks (NYSE:JNPR) this week announced a new virtual security solution called the vGW Virtual Gateway.
 
The vGW builds on technology that Juniper gained when it acquired Altor Networks for $95 million in December. The vGW expands on the Altor technology and now integrates with the Juniper's SRX security gateway to provide security policy, management and enforcement across both virtual and physical infrastructure.
 
"The vGW is software that sits on the server and then communicates with the SRX," Peter Lunk, director of product marketing, Security Business Unit at Juniper Networks told InternetNews.com. "The SRX sends security zone information to the vGW which then puts virtual machines into secure zones."
 
Lunk added that the vGW helps to create a communications path between virtual and physical security. The initial vGW release is specifically targeted at VMware environments, though Lunk did not rule out the future possibility of Juniper enabling Citrix's Xen technology or Microsoft's Hyper-V.

The idea of VM security is not a new one and is already being offered by multiple vendors including Sourcefire, IBM and VMware. VMware's vShield helps to provide firewall-type zone capabilities for virtual machines. Lunk noted that Juniper is a VMware partner and does not see the vGW solution as overlapping with it. Rather, in Lunk's view, the vGW provides an additional layer of depth and scalability for virtual security.
 
The ability to send security information from the SRX to the vGW is something that Lunk said was now being built into the SRX's Junos operating system. Junos is also the same core system sitting in Juniper's EX switches and MX routers. That said, Lunk was unclear about whether or not security zone information for VMs would extend to other components of Juniper's networking portfolio.
 
"That's an interesting direction that we could take, but it's not something that we're announcing today," Lunk said.
 
While virtualization can sometimes be a challenge for application performance, Lunk also noted that the vGW has a negligible impact on a virtual server's performance.

"By building this into the hypervisor. we're able to see some performance improvements," Lunk said. "I think what has held back virtual security is people are doing virtualization to improve utilization, but if you then have to turn on compute intensive security that defeats the purpose."

Juniper's vGW Virtual Gateway Offers VM Security


The networking giant unveils a virtual security firewall gateway.

Virtualization can be a great way for enterprises to reduce costs and avoid so-called server sprawl, but this new generation of virtual machines (VMs) requires security just as their physical counterparts do. Enter Juniper Networks (NYSE:JNPR), which this week announced a new virtual security solution called the vGW Virtual Gateway.
 
The vGW builds on technology that Juniper gained when it acquired Altor Networks for $95 million in December. The vGW expands on the Altor technology and now integrates with the Juniper's SRX security gateway to provide security policy, management and enforcement across both virtual and physical infrastructure.
 
"The vGW is software that sits on the server and then communicates with the SRX," Peter Lunk, director of product marketing at Juniper's Security Business Unit, told InternetNews.com. "The SRX sends security zone information to the vGW which then puts virtual machines into secure zones."
 
The idea of VM security isn't new, with multiple vendors including Sourcefire, IBM and VMware in play, but Juniper said it's bringing additional layers of depth and scalability to virtual security. Also, while virtualization can sometimes be a challenge for application performance, Lunk said the vGW has a negligible impact on a virtual server's performance.

Juniper aims to ease and speed configuration of virtual gateways

Juniper Networks is introducing a virtual security gateway that integrates with its physical security gateway so customers need not configure their security zones twice when working in a mixed physical-virtual environment.

Building on its December purchase of Altor Networks, Juniper is announcing at the RSA Conference this week that the latest version of the Altor security software -- now called Juniper VGW (stands for virtual gateway) -- can align its policies with those of Juniper's SRX appliances.

With the new VGW upgrade, the software can import from SRXes the security zone structure and policies, making sure the zones in each are identical and easing configuration.

Security zones separate users into groups and restrict their access to only those resources allocated to the group. With VGW and the new software, these zones remain intact if the resources migrate into the virtual environment or from physical server to physical server within the virtual environment. Security policies follow each virtual machine, and each virtual machine is identified with a unique identifier that stays with it throughout its lifetime.

Groups are assigned by an administrator as SRX zones.

Juniper says it envisions that both SRXes and VGWs will be deployed in data centers where SRXes will impose zones among groups of machines within the center and VGWs will impose smaller zones within those larger ones. The company says a similar model could be used by cloud service providers to separate customer resources from each other via SRXes and creating security zones within each customer's cloud environment.

VGW also supports imposing intrusion prevention on specific flows it monitors by mirroring them to the AppSecure IPS software within SRXes, the company says.

Juniper is also announcing that VGW fills a blind spot in its security threat response management (STRM) platform, which gathers and analyzes syslog and NetFlow data to flag possible trouble. Before, STRM had no view into events inside virtual environments, but VGW will provide that data.

VGW is available now. Pricing starts at about $4,000 per virtual host.

Thursday, February 17, 2011

Juniper up next with cloud switches

Juniper's data center announcement next week is expected to include switches based on new silicon that allows them to establish a flat fabric for cloud computing.

Sources say Juniper will unveil its Stratus line of data center and cloud switches on Feb. 23. Juniper announced its Stratus project two years ago as a flat, low-latency, lossless switching fabric for high-performance computing environments for enterprises and service providers.

The Stratus line will include 10-Gigabit Ethernet top-of-rack and core switches, sources say, as well as Juniper's entry into 40 Gigabit Ethernet. Inter-switch links between the top-of-rack and core switches will be 40G Ethernet, they say.

The top-of-rack switches could ship this month, while the core switches are expected to ship late this year.

Juniper declined to comment for this story.

With Stratus, Juniper is looking to essentially deconstruct three-tier data center switching architectures into two, and eventually one. This is intended to increase performance and reduce operational time and cost by eliminating the need to deploy and manage additional products.

Sources say the Stratus switches will support a common control plane and a virtual data plane across Layer 2 switches. While physically dispersed, each switch port will function as if it is one virtual hop away from any other port.

The switches will also feature port-level virtual Layer 2/3 services that can migrate with workloads, sources say. This is similar to the virtual machine service profile mapping feature Cisco and Brocade already support, or announced support for, on their respective Nexus and VDX data center switches.

"If you think about Juniper's Virtual Chassis, I believe it extends these capabilities across a fabric," one source said. "The added benefit is L3 services, especially for security."

Virtual Chassis allows several fixed-configuration Juniper EX switches to be combined into a single logical switch for increased scale and density, and to reduce a three-tier switching architecture into two tiers. Juniper has disclosed plans to extend this capability across more EX switches and MX routers.

Upgrading JUNOS

So how do you upgrade the JUNOS version on your device? With Cisco IOS it's pretty easy: copy the old IOS to your tftp server, copy a new IOS image on, and restart your box.

JUNOS doesn't use tftp, though, only regular ftp. You can either copy the images from within JUNOS itself, or run an FTP server on the JUNOS box and ftp to it from your PC. I prefer the latter.

To run an FTP server on your router, make sure you've configured an interface with an IP address that is reachable. Then add the following:
 
> configure
# set system services ftp
# commit

Make sure you actually have a user configured that can upload files. If it's a temporary user, just do the following:

# set system login user ftpuser class super-user authentication plain-text-password

On your PC, open a command window and change to the directory containing your images. Then ftp into your JUNOS box:

C:\>ftp 10.4.10.10
Connected to 10.4.10.10.
220  FTP server (Version 6.00LS) ready.
User (10.4.10.10:(none)): ftpuser
331 Password required for ftpuser.
Password:
230 User ftpuser logged in.
ftp> bin
200 Type set to I.
ftp> cd /var/tmp
250 CWD command successful.
ftp> put jinstall-8.1R3.3-domestic-signed.tgz
200 PORT command successful.
150 Opening BINARY mode data connection for 'jinstall-8.1R3.3-domestic-signed.tgz'.
226 Transfer complete.
ftp: 93793459 bytes sent in 25.81Seconds 3634.42Kbytes/sec.
ftp> bye

Now get back to the juniper.

> request system software add /var/tmp/jinstall-8.1R3.3-domestic-signed.tgz

This will take a while to finish. Once complete, type the following:

> request system reboot

JUNOS should reboot twice in total; it does this automatically. Once it comes back you'll be on your new version:

root@% cli
root> show version
Model: olive
JUNOS Base OS boot [8.1R3.3]
JUNOS Base OS Software Suite [8.1R3.3]
JUNOS Kernel Software Suite [8.1R3.3]
JUNOS Crypto Software Suite [8.1R3.3]
JUNOS Packet Forwarding Engine Support (M/T Common) [8.1R3.3]
JUNOS Packet Forwarding Engine Support (M20/M40) [8.1R3.3]
JUNOS Online Documentation [8.1R3.3]
JUNOS Routing Software Suite [8.1R3.3]

Once done, remember to remove your ftpuser account and the FTP service itself.
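As an added example (not part of the original post), a small audit script for the cleanup step above: it scans a configuration in `display set` form for the FTP service and the temporary upload account, and maps each leftover to the matching `delete` command. The sample configuration is constructed here; the hostname and address are taken from the session above, the password hash is a placeholder.

```python
import re
from typing import List, Tuple

# Constructed sample (not from the post): `show configuration | display set` output of a box
# that completed the upgrade but where the temporary account and FTP service were left behind.
SAMPLE_CONFIG = """\
set system host-name olive
set system services ssh
set system services ftp
set system login user admin class super-user authentication encrypted-password "<hash-placeholder>"
set system login user ftpuser class super-user authentication encrypted-password "<hash-placeholder>"
set interfaces em0 unit 0 family inet address 10.4.10.10/24
"""

# Matches the login statement and captures the account name and its login class.
_LOGIN_RE = re.compile(r"^set system login user (\S+) class (\S+)")

def audit_upgrade_leftovers(config_set_text: str,
                            temp_users: Tuple[str, ...] = ("ftpuser",)) -> List[Tuple[str, str]]:
    """Return (config path, reason) pairs for statements the how-to says to remove once the
    upgrade is done: the FTP service (cleartext logins and transfers) and any temporary account."""
    leftovers: List[Tuple[str, str]] = []
    lines = [ln.strip() for ln in config_set_text.splitlines() if ln.strip()]
    if "set system services ftp" in lines:
        leftovers.append(("system services ftp",
                          "FTP service still enabled: cleartext credentials and image transfer"))
    for line in lines:
        m = _LOGIN_RE.match(line)
        if m and m.group(1) in temp_users:
            leftovers.append((f"system login user {m.group(1)}",
                              f"temporary upload account still present (class {m.group(2)})"))
    return leftovers

def cleanup_commands(leftovers: List[Tuple[str, str]]) -> List[str]:
    """Junos `delete` is the inverse of `set`, so each leftover maps to one configuration-mode
    command; a trailing `commit` is added only when there is something to remove."""
    commands = [f"delete {path}" for path, _reason in leftovers]
    return commands + ["commit"] if commands else []

if __name__ == "__main__":
    found = audit_upgrade_leftovers(SAMPLE_CONFIG)
    for path, reason in found:
        print(f"{path}: {reason}")
    print("\n".join(cleanup_commands(found)))
```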

Understanding JUNOS Release Numbers

Many people are sometimes confused about the JUNOS release numbers, so I thought I would share what I have learned.

What does 10.1r1 mean:
10 = 2010, i.e. the year of release
.1 = the Quarter 1 feature release; each quarter adds new features
r1 = the release/patch/hotfix level of the 10.1 release

Starting in 2010, Junos releases are numbered according to a year.quarter convention.
What about 10.1s6?
S releases are service-level releases, most often with a higher number than the last r. The main difference is that they are not supported by NSM and are generally not supported for very long; they are released faster than normal to fix critical bugs. It is almost always best to migrate to a stable r once one is available. These special releases are published outside the normal release cycle and are generally only available by contacting Juniper support (JTAC).
You can't compare 10.0 and 10.1: they are different releases and each will get its own "r" updates for up to a year. 10.1r1 may contain bugs that were fixed in 10.0r3 and won't be fixed in 10.1 until r2 or r3.

The higher the r, in theory, the more stable the release. I have heard from some sources that anything less than an r3 really isn't considered reliable. So you may be better off with a 10.0r3 than a 10.1r1, for example, unless you need a feature only found in 10.1 releases.

There are extended end-of-life releases. Special versions will be marked as EEOL, which means that instead of a year's support for new r releases they will have more like three years. 10.4 will be the next EEOL release and I believe, moving forward, the fourth-quarter release will always be the EEOL release.

Make sure you request a Product Incident Report (Cisco calls this a bug scrub) for your target version. This will outline any known issues with the version you intend to use, and will help you determine whether your target version will not just "work", but allow continued service on your equipment with the services and protocols you are running.
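As an added example (my code, not from the post), a parser that decodes a release string into the fields explained above and applies the post's rules: year.quarter only applies from 10.x on (the 8.1R3.3 string from the upgrade post gets no calendar year), r levels only rank within one train, S never ranks against R, and the "nothing below r3" rule of thumb becomes an inventory check. The reliability threshold and the EEOL rule are taken from the post's stated heuristics, not from Juniper documentation.

```python
import re
from dataclasses import dataclass
from typing import Optional

# major.minor, then R (standard) or S (service) plus a level, with an optional ".spin" (e.g. 8.1R3.3)
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)([RrSs])(\d+)(?:\.(\d+))?$")

@dataclass(frozen=True)
class JunosRelease:
    major: int
    minor: int
    kind: str    # "R" = standard release, "S" = service release (JTAC-only, short-lived)
    level: int   # the r/s number: patch level within the train
    spin: int    # trailing ".n" build spin, 0 when absent

    @property
    def train(self) -> str:
        """10.0 and 10.1 are separate trains that each get their own r updates."""
        return f"{self.major}.{self.minor}"

    @property
    def calendar_year(self) -> Optional[int]:
        """year.quarter numbering applies from 2010 (major 10) on; older trains get None."""
        return 2000 + self.major if self.major >= 10 else None

    @property
    def is_eeol_train(self) -> bool:
        """Post's rule (assumption): from 10.4 on, the fourth-quarter release is the EEOL release."""
        return self.major >= 10 and self.minor == 4

def parse_release(text: str) -> JunosRelease:
    m = _RELEASE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Junos release string: {text!r}")
    major, minor, kind, level, spin = m.groups()
    return JunosRelease(int(major), int(minor), kind.upper(), int(level), int(spin or 0))

def patch_level_is_newer(candidate: str, baseline: str) -> bool:
    """True when both are the same kind on the same train and candidate has the higher level.
    Refuses to rank across trains or S against R: the post says neither comparison is meaningful."""
    c, b = parse_release(candidate), parse_release(baseline)
    if c.train != b.train:
        raise ValueError(f"{c.train} and {b.train} are different trains; r levels are not comparable")
    if c.kind != b.kind:
        raise ValueError("service (S) and standard (R) levels are not on one scale")
    return (c.level, c.spin) > (b.level, b.spin)

def meets_reliability_bar(text: str, min_level: int = 3) -> bool:
    """Inventory check for the 'nothing below r3' rule of thumb; S releases never pass."""
    r = parse_release(text)
    return r.kind == "R" and r.level >= min_level
```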

I believe this article now clarifies the confusion around Junos release numbers.

Wednesday, February 16, 2011

Juniper announces open mobile core for 2G/3G, LTE

Juniper Networks has announced MobileNext, its first open mobile core for 2G/3G and LTE networks, designed to enable mobile operators to profit from the increase in mobile data traffic from smartphones and other mobile devices.

The system is based on the Juniper Networks MX 3D Universal Edge Router and Junos software platform.

MobileNext is designed to scale mobile sessions, session set-up rates and forwarding capacity, and to deliver high-definition voice and video across 3G and LTE for an uninterrupted user experience, while integrating a portfolio of in-line IP services.

These in-line services include Deep Packet Inspection, Traffic Direct for Internet offload, Carrier Grade NAT, Firewall, Video Optimisation, MPLS, and Application Load Balancing.

MobileNext features three key elements for 2G/3G and LTE mobile packet cores: MobileNext Broadband Gateway, MobileNext Control Gateway and MobileNext Policy Manager.

The MobileNext Broadband Gateway provides GGSN and PDN/Serving Gateway functions in one platform, delivering scale and performance with uncompromised in-line IP services, and enables service creation with the Junos SDK so operators can build profitable data services.

The MobileNext Control Gateway provides SGSN and MME functions for 2G/3G and LTE mobile packet cores and is designed to deliver control plane functions for mobile networks including user authentication and mobility management.

The MobileNext Policy Manager is designed to integrate with subscriber management systems; Juniper is integrating with some of the industry's leading subscriber management systems to offer mobile operators choice and flexibility in content and network control, charging, and monetising new applications.

"Mobile operators are under pressure to scale bandwidth, offer new services and drive profitability," said Mike Iandolo, general manager and vice president of Mobile Business Unit at Juniper Networks. "With MobileNext, Juniper is providing a solution that delivers high-definition experience, investment protection and stronger economics. Our unique solution offers a programmable platform for operators to customize innovation that monetises rich media data services."
MobileNext is also designed to offer integration of new applications through the Junos SDK to help mobile operators accelerate service innovation.

Juniper worked with Openwave Systems to deliver video optimisation and application load balancing for mobile operators to build IP services and expedite time to revenue.

"The data tsunami coming from smartphones and other mobile devices will continue to increase, fuelled by more powerful devices and a shift from 3G to 4G/LTE," said Phil Solis, research director, Mobile Networks at ABI Research. "Through its open Junos SDK, Juniper's MobileNext delivers the service creation and service velocity operators need in the smartphone era, and the consolidation of best-in-class services in a single platform can reduce operators' total cost of ownership up to 56%."
MobileNext Broadband Gateway, Control Gateway, and Policy Manager will be available in mid-2011.
IP services including Deep Packet Inspection, Traffic Direct for internet off-load, Carrier Grade NAT/Firewall, MPLS and Mobile Video Optimization are available now.

WiMAX Operators Draft Global Roaming Agreements

Sixteen WiMAX operators from across the globe met this week to draft roaming agreements between their networks. The meeting occurred at the first WiMAX Forum Global Operator Summit, which was hosted in Taipei.

"The WiMAX Forum Global Operator Summit was created to specifically address overcoming both business and consumer perceptions that data roaming is expensive, and to explore ways to help operators grow revenue," said Ron Resnick, president and chairman of the WiMAX Forum. "WiMAX has an established ecosystem with nearly 600 deployments around the world. The opportunity for operators to offer their customers roaming is there, and it is an excellent way for operators to add another viable revenue stream and earn returns on their 4G network investments."

What's So Scary About APT?

The latest security buzzword is APT: Advanced Persistent Threat. Is APT important and should we be concerned? I’m afraid the answer to both these questions is “yes.” But knowledge is power. If we understand APT, we can learn how to protect against it.

Previously, most external threats to commercial enterprises came from hackers and criminals. These threats are generally opportunistic and unoriginal. Everyone’s money is equal so criminals and hackers focus on the softest targets. If one defender is more secure than average, these attackers focus elsewhere. And the tools they use are nothing special, just prebuilt exploits that they bought on the Internet. This is similar to home security. You don’t need perfect security. If your security is clearly better than your neighbor’s, the thieves will go to his house. And their burglary tools will come from the hardware store: crowbars and screwdrivers.

APT is different. With APT, the attacker is highly skilled, well funded, and operating with a long-term, focused objective in mind. That's why it's called an Advanced Persistent Threat. Recent examples include GhostNet, ShadowNet, and Operation Aurora. In all these cases, someone targeted particular organizations and used sophisticated techniques to infect and infiltrate their systems. The attackers didn't break anything. They lay low and extracted as much information as they could without setting off alarms.

APT is more like a jewel thief or an art heist than a house theft. The attacker selects a specific target, evaluates its defenses, and employs special tools to commit the crime. In the cyber realm, the tools are custom-built, often exploiting unreported vulnerabilities for which no patch or signature is available.
Nobody knows who's behind the recent spike in APT attacks, but suspicions rest on military or intelligence forces. Their motivations are similarly obscure. Are they just gathering intelligence, or planting booby traps and back doors that they can exploit later? Unclear.

What does this mean? For those of us in information security, our entire threat landscape has changed. APT attacks are no longer clever tricks that only happen in the movies or at the Black Hat conference. They’re now a real danger for our enterprises. Who would have thought that Google would be targeted by APT attackers? If they are a target, who is immune?

The good news is that we have some good defenses against APT attacks. Behavior-based intrusion detection systems excel at detecting previously unknown attacks. Data leakage prevention systems can sniff out large-scale data exfiltration. Security incident and event management systems can correlate log messages to detect problems. And insider threat detection techniques can detect stealthy attacks in general.

Most important, we must all be on our guard. The threat landscape has changed. APT is no longer theoretical. It’s real and it could affect any of us. Keep a close eye out for anomalies. Put in place multiple layers of defense. And don’t ignore clues that point to a stealthy, persistent, and sophisticated infiltration at your organization. It’s not impossible. In fact, it’s quite likely.