Network technologies and trends


December 20, 2015  4:49 AM

How to capture packets in Cisco VIRL?

Yasir Irfan
Cisco, Packet capture, Packet Sniffing, router, SSH, Telnet, Wireshark

With the introduction of Cisco VIRL 1.0.0, capturing traffic has become much simpler. One can now click a link directly on a device and start a packet capture. In this post let's see how we can capture traffic in Cisco VIRL and analyse it.

Step 1: Log in to the VIRL server from your web browser; you should see the screen below. Click User Workspace Management (UWM).

[Screenshot: VIRL traffic capture 1]

Step 2: Log in to the UWM portal using the default credentials

Username: umwadmin

Password: password

[Screenshot: VIRL traffic capture 2]

Step 3: Select Overview, look for the active simulations and click the simulation on which you want to do the packet capture.

[Screenshot: VIRL traffic capture 4]

Step 4: Select the node and interface on which you want to do the packet capture and click the eye-shaped icon, as shown below.

[Screenshot: VIRL traffic capture 5]

Step 5: Select Offline Capture, apply any filter needed and click Create. In my case I am capturing all the traffic, so no filters are applied.

[Screenshot: VIRL traffic capture 6]

Step 6: Download the captured data and analyze it using Wireshark.

[Screenshot: VIRL traffic capture 7]

Below is the Wireshark snapshot of the packet capture I did.

[Screenshot: Wireshark view of the VIRL packet capture]

The new Cisco VIRL 1.0.0 really offers some cool packet capturing features, and they are very easy to use.
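Wireshark is the usual tool for step 6, but the downloaded file can also be summarised from a script, which is handy when you want a quick protocol and talker breakdown of many captures. The parser below is an added example, not part of the original post or of VIRL; it assumes the capture is in classic libpcap format with Ethernet framing (pcapng is rejected), and the sample capture it builds is constructed data using the laptop and gateway addresses from the V-Wire post on this page.

```python
import socket
import struct
from collections import Counter

ETH_IPV4 = 0x0800
IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def parse_pcap(data):
    """Yield (timestamp, frame_bytes) for every record in a classic libpcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:  # link type 1 = Ethernet
        raise ValueError("expected an Ethernet capture")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len

def summarise(data):
    """Count IPv4 transport protocols and (src, dst) talker pairs in the capture."""
    protos, talkers = Counter(), Counter()
    for _ts, frame in parse_pcap(data):
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
            protos["non-IPv4"] += 1
            continue
        src = socket.inet_ntoa(frame[26:30])  # IPv4 header starts at byte 14
        dst = socket.inet_ntoa(frame[30:34])
        protos[IP_PROTO_NAMES.get(frame[23], "proto %d" % frame[23])] += 1
        talkers[(src, dst)] += 1
    return protos, talkers

def _ipv4_frame(src, dst, proto, payload):
    """Build a minimal Ethernet + IPv4 frame (constructed data, checksum left at 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip + payload

def sample_capture():
    """Constructed pcap: a ping and a TCP exchange between the laptop and its gateway."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = [_ipv4_frame("192.168.1.156", "192.168.1.1", 1, b"\x08\x00" + b"\x00" * 6),
              _ipv4_frame("192.168.1.156", "192.168.1.1", 6, b"\x00" * 20),
              _ipv4_frame("192.168.1.1", "192.168.1.156", 6, b"\x00" * 20)]
    out = bytearray(header)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1450000000 + i, 0, len(f), len(f)) + f
    return bytes(out)
```

For a real download, call summarise(open("capture.pcap", "rb").read()) and print the two counters.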

December 18, 2015  6:34 PM

How to configure Cisco VIRL – VMMaestro to use external telnet and SSH Client?

Yasir Irfan
router, SSH, Telnet

Cisco VIRL comes with an internal SSH and Telnet client which is quite good and opens all SSH and Telnet sessions within the VMMaestro GUI, but if someone wants to use SecureCRT on their Mac as an external client, the change can easily be configured in VIRL VMMaestro.

[Screenshot: VMMaestro preferences 1]

Terminal > Cisco Terminal

Step 1: Change the title format to: %s

Step 2: Select: Use external terminal applications

Step 3: Fill in the fields shown below

Telnet command:

/Applications/SecureCRT.app/contents/MacOS/SecureCRT

Telnet arguments:

/T /N %t /TELNET %h %p

SSH Command:

/Applications/SecureCRT.app/contents/MacOS/SecureCRT

SSH arguments:

/T /N %t /TELNET %h %p

[Screenshot: VMMaestro preferences 2]

By making these minor changes you can use SecureCRT to SSH or Telnet to VIRL devices.

[Screenshot: Telnet session to a VIRL device from SecureCRT]


December 16, 2015  9:01 AM

What is Palo Alto Virtual Router?

Yasir Irfan
Administrator, Ethernet, Firewalls, HA, Interface, Layer 2, LAYER3, Loopback, Palo Alto Networks, tunnel, VLAN

When it comes to routing traffic between different networks one needs a router. Palo Alto Networks firewalls are capable of routing traffic between networks. Palo Alto uses the concept of "virtual routers" to route traffic, be it static or dynamic routing. A virtual router uses virtualized or partitioned routing tables to do the routing job. Palo Alto firewalls use virtual routers to obtain routes and use the best route to populate the routing table.

[Figure: Virtual Router]

Palo Alto Networks firewalls support dynamic routing protocols like RIP v2, OSPF (OSPFv2 and OSPFv3) and BGP v4. The firewall comes with a virtual router named default which can be used for routing, provided the Layer 3 interfaces or VLANs are part of that default virtual router. One can also create a new virtual router, name it according to organizational standards and use it for both static and dynamic routing.


December 11, 2015  3:48 PM

Palo Alto Networks Firewalls – Management Profile

Yasir Irfan
Administrator, Ethernet, Firewalls, HA, Interface, Layer 2, LAYER3, Loopback, Palo Alto Networks, tunnel, VLAN

Palo Alto Networks firewalls come with a dedicated out-of-band management (MGT) interface which is used to manage the firewall. By default SSH, HTTPS and ping are enabled on it. Apart from the dedicated out-of-band management interface, one can use any Layer 3 interface for management of the firewall.


In order to manage the firewall using a Layer 3 interface one must enable a management profile. To configure the management profile, follow the steps below:

Network > Network Profiles > Interface Mgmt > Add

[Screenshot: Management profile]

Configure the management profile by giving it a name you like and selecting the services you want to permit, along with the source IP addresses allowed to use them if you want to restrict access.


Assign the management profile to any Layer 3 interface from which you want to manage the Palo Alto Networks firewall, as shown below.

Network > Interfaces > Ethernet > ethernet1/1 > Advanced > Management Profile


A management profile is a quite good option, which comes in handy when you want to allow management functions on any Layer 3 interface.


December 7, 2015  5:17 AM

Palo Alto Networks Firewall Interface Types – Layer 2

Yasir Irfan
Administrator, Ethernet, Firewalls, HA, Interface, Layer 2, LAYER3, Loopback, Palo Alto Networks, Spanning Tree Protocol, STP, tunnel, VLAN

Like any other firewall, the Palo Alto Networks firewall can be deployed in Layer 2 mode. In a Layer 2 deployment, the firewall provides switching between two or more networks. In Layer 2 deployment mode, a VLAN object must be assigned to each interface, and additional Layer 2 sub-interfaces must be assigned to the group of interfaces. The firewall performs VLAN tag switching when Layer 2 sub-interfaces are attached to a common VLAN object.

[Figure: Palo Alto Layer 2 deployment mode]

Palo Alto Networks firewall Layer 2 interfaces are only capable of supporting 802.1Q trunks; however, they do not support any spanning tree protocol (STP), nor do they participate in the spanning tree process. The firewall simply forwards the BPDUs it receives from the peer switch.


December 4, 2015  6:21 AM

Palo Alto Networks Firewall Interface Types –  Virtual Wire Sub interface

Yasir Irfan
Administrator, Ethernet, Firewalls, HA, Interface, Internet, LAYER3, Loopback, Palo Alto Networks, Switch, tunnel, VLAN

In the past few posts we talked about what a Virtual Wire is and how it can be implemented. Let's talk briefly about Virtual Wire sub-interfaces in this post.

[Figure: Palo Alto V-Wire sub-interface]

Virtual Wire sub-interfaces are quite useful when one needs to manage traffic in a multi-tenant network setup. They offer a lot of flexibility in enforcing distinct policies, especially when multi-tenant networks are in place. One can easily separate and classify traffic into different zones by using either VLAN tags alone or VLAN tags in conjunction with IP classifiers. Yet one more deployment flexibility offered by Palo Alto Networks firewalls.


November 30, 2015  6:30 AM

How to configure Palo Alto Firewall in Virtual Wire mode?

Yasir Irfan
Administrator, Ethernet, Firewalls, HA, Interface, LAYER3, Loopback, Palo Alto Networks, tunnel, VLAN

Configuring a Palo Alto firewall in Virtual Wire mode is quite easy. In this post, using the topology below, I am going to demonstrate how to configure a Palo Alto Networks firewall in Virtual Wire or V-Wire mode.

[Figure: Palo Alto in V-Wire mode]

As you can see from the above topology, we have a laptop with IP address 192.168.1.156 in VLAN 20, placed in the trust zone, trying to access the Internet in the untrust zone. The laptop is configured with a default gateway of 192.168.1.1, which happens to be the IP address of our Internet router; this is in the untrust zone and belongs to VLAN 1.

We have a Palo Alto firewall with two interfaces connected to a Cisco switch. One interface, ethernet1/2, is connected to interface G1/0/2 on the Cisco switch, is configured as part of the V-Wire with VLAN 20 and belongs to the trust zone.

The Palo Alto firewall interface ethernet1/1 is connected to Cisco switch interface G1/0/1, is configured as part of the V-Wire with VLAN 1 and belongs to the untrust zone.

Now let's configure the same and see how traffic flows.

Step 1 – Configure the Cisco switch trust zone interfaces with VLAN 20

interface gigabitEthernet 1/0/2
 description CONNECTED-TO-PALOALTO-TRUST-INTERFACE
 switchport access vlan 20
 spanning-tree portfast
 no shut

interface gigabitEthernet 1/0/3
 description CONNECTED-TO-LAPTOP
 switchport access vlan 20
 spanning-tree portfast
 no shut

Step 2 – Configure the Cisco switch untrust zone interfaces with VLAN 1

interface gigabitEthernet 1/0/1
 description CONNECTED-TO-INTERNET-ROUTER
 switchport access vlan 1
 no shut

interface gigabitEthernet 1/0/4
 description CONNECTED-TO-PALOALTO-UNTRUST-INTERFACE
 switchport access vlan 1
 no shut

Step 3 – Configure a Virtual Wire called Test-V-Wire by going to

Network > Virtual Wire

You can use any name you want.

[Screenshot: Step 3]

In our case we will name it Test-V-Wire and make interfaces ethernet1/1 and ethernet1/2 Interface 1 and Interface 2.

[Screenshot: Step 3-B]

Step 4 – Let's configure two zones named Untrust and Trust, and assign ethernet1/1 to the untrust zone and ethernet1/2 to the trust zone.

Step 4-A – Configure the Trust zone

Network > Zone > Add

[Screenshot: Step 4]

Give the name Trust, select the type Virtual Wire and add the interface ethernet1/2 to the Trust zone, as shown below.

[Screenshot: Step 4-B]

[Screenshot: Step 4-C]

Step 4-B – Configure the Untrust zone

Network > Zone > Add

[Screenshot: Step 4-D]

Step 5 – Create a security policy to allow access from the trust zone to the untrust zone (this can be configured as per your requirements with security profiles, URL filtering etc.)

Policies > Security > Add

[Screenshot: Step 5]

Give a name to your security policy (V-Wire-Policy)

[Screenshot: Step 5-B]

Add the source zone (Trust)

[Screenshot: Step 5-C]

Add the destination zone (Untrust)

[Screenshot: Step 5-D]

Allow the access; you can also configure an application policy and Service/URL Category if needed. In our case we are allowing all kinds of traffic.

[Screenshot: Step 5-E]

The final security policy should look like this:

[Screenshot: Step 5-F]

You can also monitor the traffic passing through the V-Wire. You can see from the snapshot below that I am accessing Skype and pinging the default gateway (VLAN 1) from my laptop (VLAN 20), and my traffic is passing from the Trust zone to the Untrust zone using the rule V-Wire-Policy which we created.

Monitor > Traffic

[Screenshot: Monitor]

This is really a great feature from Palo Alto, and Virtual Wire can be implemented easily without any modification to the existing network design.
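The whole design relies on the switch keeping VLAN 20 and VLAN 1 apart so that the firewall's V-Wire pair is the only path between the laptop and the router; a port accidentally left as a trunk, or both firewall ports landing in the same VLAN, would let traffic skip the firewall and the V-Wire-Policy rule entirely. The check below is an added example, not code from the original post or from Palo Alto Networks: it parses the access-switch configuration from Steps 1 and 2 (embedded here as a constructed copy) and reports which ports sit on each side of the V-Wire, assuming the hypothetical port names gigabitEthernet 1/0/2 (trust side) and 1/0/4 (untrust side) for the firewall.

```python
import re
# Constructed copy of the access-switch configuration shown in Steps 1 and 2.
SWITCH_CONFIG = """\
interface gigabitEthernet 1/0/1
 description CONNECTED-TO-INTERNET-ROUTER
 switchport access vlan 1
interface gigabitEthernet 1/0/2
 description CONNECTED-TO-PALOALTO-TRUST-INTERFACE
 switchport access vlan 20
 spanning-tree portfast
interface gigabitEthernet 1/0/3
 description CONNECTED-TO-LAPTOP
 switchport access vlan 20
 spanning-tree portfast
interface gigabitEthernet 1/0/4
 description CONNECTED-TO-PALOALTO-UNTRUST-INTERFACE
 switchport access vlan 1
"""

def parse_interfaces(config):
    """Return {interface: {"description": str, "vlan": int, "trunk": bool}}.
    IOS access ports sit in VLAN 1 unless 'switchport access vlan' says otherwise."""
    ports, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface ") and not raw.startswith(" "):
            cur = line[len("interface "):]
            ports[cur] = {"description": "", "vlan": 1, "trunk": False}
        elif cur is None or not line:
            continue
        elif line.startswith("description "):
            ports[cur]["description"] = line[len("description "):]
        elif re.match(r"switchport access vlan \d+$", line):
            ports[cur]["vlan"] = int(line.rsplit(None, 1)[1])
        elif line.startswith("switchport mode trunk"):
            ports[cur]["trunk"] = True
    return ports

def check_vwire_isolation(ports, trust_port, untrust_port):
    """Classify every other port by V-Wire side and flag anything that would let
    traffic reach the router's VLAN without crossing the firewall."""
    trust_vlan, untrust_vlan = ports[trust_port]["vlan"], ports[untrust_port]["vlan"]
    report = {"trust_side": [], "untrust_side": [], "findings": []}
    if trust_vlan == untrust_vlan:
        report["findings"].append("firewall V-Wire ports share VLAN %d: the firewall is bypassed" % trust_vlan)
    for name, port in ports.items():
        if name in (trust_port, untrust_port):
            continue
        if port["trunk"]:
            report["findings"].append("%s is a trunk and can carry both VLANs" % name)
        elif port["vlan"] == trust_vlan:
            report["trust_side"].append(name)
        elif port["vlan"] == untrust_vlan:
            report["untrust_side"].append(name)
    return report
```

An empty findings list with the laptop port on the trust side and the router port on the untrust side matches the topology in the post; anything else is worth fixing before committing the firewall policy.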


November 29, 2015  11:18 AM

Evolving technologies will be part of all CCIE and CCDE Written exams

Yasir Irfan
CCIE, Cisco, Cisco Press, cloud, Internet of Things, Network, Network programmability, NFV

Cisco has announced a major revamp of their CCIE and CCDE written exams. Starting July 26, 2016, Cisco will include a new section titled "Evolving Technologies". Except for CCIE Data Center, all other CCIE lab exams remain intact. So those who will be appearing for a CCIE or CCDE written exam after July 26, 2016 should master the following Evolving Technologies domains:

  1. Cloud

1.1: Compare and contrast Cloud deployment models

  • Infrastructure, platform, and software services (XaaS)
  • Performance and reliability
  • Security and privacy
  • Scalability and interoperability

1.2: Describe Cloud implementations and operations

  • Automation and orchestration
  • Workload mobility
  • Troubleshooting and management
  • OpenStack components

  2. Network Programmability

2.1: Describe functional elements of network programmability (SDN) and how they interact

  • Controllers
  • APIs
  • Scripting
  • Agents
  • Northbound vs. Southbound protocols

2.2: Describe aspects of virtualization and automation in network environments

  • DevOps methodologies, tools and workflows
  • Network/application function virtualization (NFV, AFV)
  • Service function chaining
  • Performance, availability, and scaling considerations

  3. Internet of Things

3.1: Describe architectural framework and deployment considerations for Internet of Things (IoT)

  • Performance, reliability and scalability
  • Mobility
  • Security and privacy
  • Standards and compliance
  • Migration
  • Environmental impacts on the network

Looking at the new topics, one can see how important technologies like cloud, network programmability and the Internet of Things have become. These topics cover 10% of the total score. Cisco is ensuring that evolving technologies play a vital role in the coming days. The recalibrated exam topics shown below are what candidates need to focus on.

Exam                         Written exam topics used for testing      Written exam topics used for testing
                             BEFORE July 25, 2016                      on July 25, 2016 and beyond
CCIE Routing and Switching   Existing exam topics version 5.0          Recalibrated exam topics version 5.1
CCIE Wireless                Existing exam topics version 3.0          Recalibrated exam topics version 3.1
CCIE Security                Existing exam topics version 4.0          Recalibrated exam topics version 4.1
CCIE Service Provider        Existing exam topics version 4.0          Recalibrated exam topics version 4.1
CCIE Collaboration           Existing exam topics version 1.0          Recalibrated exam topics version 1.1
CCDE                         Existing exam topics version 2.0          Recalibrated exam topics version 2.1

CCIE Data Center: the existing written exam 350-080 and its corresponding exam topics will be available for candidates who are scheduled to take the test BEFORE July 25, 2016. The new unified exam topics version 2.0 will be used for the new written exam (400-151) and lab exam and is recommended for candidates scheduled to take the test on July 25, 2016 or beyond.

I believe it's a welcome move from Cisco, and I can see Cisco wants to capitalize on the market by ensuring the new CCIEs are aware of these new evolving technologies, at least to some extent. Also I expect Cisco Press will come out with the appropriate study guides and titles.


November 28, 2015  3:22 PM

Cisco releases VIRL 1.0.0

Yasir Irfan
Cisco, Java, Jitter, Latency, link, OpenStack, OpenVPN, TCP

Yesterday I received an email from Cisco VIRL about their new release, VIRL 1.0.0:

Hello VIRL Family! Happy Thanksgiving (if you’re celebrating!)

We are very happy to announce the release of VIRL 1.0.0 – a major upgrade release packed full of new features! :)

The VIRL team really surprised their customers with the release of a new version, especially when we were not expecting any major release from them. The new VIRL release 1.0.0 has some major changes, as Cisco VIRL is moving from OpenStack Icehouse to OpenStack Kilo. Those who have a previous release of VIRL cannot upgrade to the new version. They must have received an email from Cisco with the download link for the new version, as Cisco is also stopping support for VIRL 0.9.293 on 25 December 2015.

The new release contains the following component versions:

  • OpenStack Kilo
  • VM Maestro 1.2.4 Build Dev-363
  • AutoNetkit 0.20.9/0.20.22
  • Live Network Collection Engine 0.7.20
  • VIRL_CORE 0.10.21.7

Platform reference model VMs included in the new release:

  • IOSv – 15.5(3)M image
  • IOSvL2 – 15.2.4055 DSGS image
  • IOSXRv – 5.3.2 image
  • CSR1000v – 3.16 XE-based image
  • NX-OSv 7.2.0.D1.1(121)
  • ASAv 9.5.1
  • Ubuntu 14.4.2 Cloud-init

Linux container images included in the new release:

  • Ubuntu 14.4.2 LXC
  • iPerf LXC
  • Routem LXC
  • Ostinato LXC

Some of the new features which grabbed my attention are as follows:

  • OpenVPN – allows users to connect from their laptop to their VIRL server.
  • Link latency, jitter and packet-loss controls – users can now set latency, packet loss and jitter directly on a link.
  • Static TCP port allocation controls – users can now specify the TCP port numbers they wish to use when connecting to the console, auxiliary or monitor port of a particular node in their simulation.
  • Web Editor – users can run an alpha release of the topology design tool within a web browser.
  • VM Maestro Java Runtime Environment bundled – users don't need to install Java to use VM Maestro.
  • VM Maestro active canvas

One can also capture packets in the newly released VIRL. More details can be accessed from the VIRL community portal.


November 26, 2015  4:41 AM

Palo Alto Networks Firewall Interface Types –  Virtual Wire

Yasir Irfan
Administrator, Decryption, Ethernet, Firewalls, HA, Interface, LAYER3, Loopback, NAT, Palo Alto Networks, Security policy, tunnel, VLAN

We all know Palo Alto Networks firewalls offer quite flexible deployment options; one can also deploy a Palo Alto Networks firewall in Virtual Wire or V-Wire mode. This is the beauty of Palo Alto Networks firewalls: the flexibility they offer cannot be matched by some of the leading firewall vendors, though other vendors do offer the same feature, better known as a transparent firewall.

Virtual Wire mode is deployed by pairing two physical interfaces into a single set; in V-Wire mode one does not need to assign either an IP address or a MAC address. Virtual Wire is also referred to as a "Bump in the Wire" or "Transparent In-Line". By default certain Palo Alto Networks firewalls come with a preconfigured Virtual Wire, and Ethernet ports 1 and 2 are part of that default V-Wire.

[Figure: Palo Alto V-Wire mode]

These kinds of deployments come in very handy, especially when one does not want to do any kind of switching or routing and simply wants to plug and play with the Palo Alto Networks firewall. The biggest value Palo Alto Networks offers in Virtual Wire mode is that it supports features like App-ID, decryption, Content-ID, User-ID and NAT; using all these features one can certainly inspect the traffic passing through the Virtual Wire and apply security policy to it. In an upcoming post let's configure a Palo Alto firewall in Virtual Wire mode and see how it works.

