Colin McNamara - CCIE 18233 , VCP, RHCE, GCIH, GEEK » HP

Cisco releases Nexus 1000V virtual switch for VMware

colinmcnamara — Tue, 16 Sep 2008 20:30:21 +0000

This afternoon Cisco released a new member of the Nexus family of switches, the Nexus 1000V. This is the first switch to take advantage of VMware opening up their ESX and ESXi platforms to for third party network device manufacturers. This switch directly address some pretty big pain points surrounding current virtualization implementations.

The boundary between server team and network team responsibilities has become “fuzzy”

Cisco address’s this issue by putting a switch that can be managed via the same methods common to other network devices inside the ESX cluster. This switch runs the same code that has become standard on Cisco’s Nexus series of Data Center switches – NX-OS.

Prior to adoption of virtualization, when there was a connectivity problem with a host it was quite common for the network team to verify functionality down to the switch port. The server team would do the same. This allowed for each team to focus on areas that met their core competancy. Once we moved from a real switch port, to a dumb bridge inside ESX, lots of finger pointing resulted.

Now, with a Nexus 1000V sitting virtually inside the ESX clusters, the boundary between network and systems teams has been re-estabilished. Now when there is a problem with a host inside an ESX cluster, the network team can use the same day to day troubleshooting tools available to them in other portions of the network to resolve issues faster, and with less finger pointing.

Security controls have been moved further away from the hosts then we would like

A best practice for applying security policy is to apply controls as close to the source as possible. Think of this analogy – Your kids are blasting Radio Disney from their computer. Which of the following do you do?

A. Turn down the speakers at the source

B. Distribute earplugs to all members or the household

Of course, the obvious action is to go to the source, and apply a control (turn down the volume, and tell the kids to clean their rooms). The same principle is valid on the networking side. The best practice is to apply security policies such as VLAN ACL’s and TrustSec policies directly to the switchports that host your switches. Before the Nexus 1000V this was impossible to do in ESX, and forced many environments to move security controls further up into the distribution layer. The side effect of this was that now the security stance from host to host inside ESX clusters was diminished.

The Nexus 1000V brings something called port policies to the table to address this. What these are is pre-configured application security descriptions that are available to you systems administrators to apply in a point and click fashion. Once these policies are applied to the virtualized host, they follow the host where ever it is moved in your virtual cluster.

Provisioning and integrating the networks of VMware ESX clusters with classic networks for most is challenging at best

I wrote an article in march about this specific issue in my post – Challenges integrating VMware into Cisco networks . The core of this issue is that in general that the network integration portions of VMware ESX clusters is not really designed to address server teams , or network teams. In fact, you need to be pretty savy with both portions to successfully integrate VMware clusters into your network. In the real world, you generally find people that are good at one or the other, not both.

By putting a Nexus 1000V in your VMware clusters, you know give the networking teams something they can understand without having to learn Linux, and how it handles bridges (key to understanding ESX networking). With a Cisco switch running virtually inside your clusters, network teams can follow standard core / distribution / access models with the access layer now residing inside the ESX clusters. The network teams can also leverage their existing LAN switching skills for integrating the virtual switches in the clusters with the existing Data Center switching fabrics.

With these roadblocks addressed, Cisco is moving to further the DC 3.0 vision

To realize the DC 3.0 vision, the network inside of VMware clusters had to be under control, and follow the same architectural guidelines that the rest of our network is subject to. With the Nexus 1000V this is now a reality. The next steps withing the DC 3.0 vision to are to extend virtualization and mobility throughout our storage fabrics, and to continue to extend virtualization to the network as a whole, as well as focusing on application virtualization and acceleration to truly realize the vision of cloud computing in the data center.

On the storage virtualization side, Cisco will be using a technology called FlexAttach to enable virtual and physical hosts to change locations in the datacenter without storage team intervention (more on this in a near future post). And on the application virtulization and acceleration side, expect Cisco to continue to enhance it’s existing Application Control Engine (ACE) and Wide Area Application Services (WAAS), and further integrate these into their virtualization offerings.

Want to learn more ?

Introduction to VN-Link network services – Cisco.com

Nexus 1000V overview – Cisco.com

VMware distributed vNetwork switch demo – VMware.com

Challenges integrating VMware into Cisco networks – colinmcnamara.com

Douglas Gourley speaking about how Cisco and VMware will drive Cloud Computing in the Data CenterSimilar Posts:

--Colin McNamara

Cisco releases Nexus 1000V virtual switch for VMware

Measuring and mitigating risk involved with sharing virtual infrastructure between DMZ and Internal environments

colinmcnamara — Tue, 09 Sep 2008 20:36:57 +0000

Ivan Pepelnjak over at IOS Hints and Tricks wrote a post about DMZ VLAN leaking that got me thinking.

He writes about “the VLAN leaking myth” and how it encourages clients to utilize physically separate network infrastructure in the DMZ’s. Now first things first, I wouldn’t call VLAN leaking a myth. At one time it was a very real and serious vulnerability that was exploited by overflowing the capacity of the switch you were attacking, and causing it to “downgrade” from switch to a hub. Once this happened you now had access to previously protected devices, as well as having the ability to sniff data as it passed through the shared hub backplane.

As he mentions though, this is 8 years ago. Most switches have evolved to the point where backplanes far exceed the traffic that could ever be injected into their switchports. Even beyond backplane enhancements there are many ways to further firm up your security stance – Virtual Device Contexts, not using Layer 3 SVI’s on a DMZ VLAN, utilizing PVLANs, using port security, virtual routing instances, and many more. Of course, there are still many other attack vectors that still remain, but can be mitigated by utilizing features built into the majority of enterprise switches available today.

I think the real question is not “are VLANs safe in a DMZ”. The important question is have you mitigated the probability of compromise (the actual threat) to levels that are acceptable to your business. This question remains whether you have a standalone switch or not. So many times we hear about risk risk and more risk. But risk alone is meaningless in a business context. What is important is combining risk with likelihood. For that I like to use a simple table to come up with the true threat.

For example, as I drive to Fry’s there is the risk of me dying due to a car crash. The impact of me dying is very high (risk) however the likelihood of an accident is low, and furthermore I reduce (mitigate) the latent risk (threat) by wearing my seat belt. So all in all the threat of me dying on my way to Fry’s is pretty darn low.

In a business context this may be that I have public facing web servers and network devices in my DMZ. The impact of them being compromised is that my public image may be tarnished for a short time, and my end users may lose productivity if they are not able to VPN into work, or access the Internet while on premise. I mitigate this risk by using firewalls and both host and network based Intrusion Prevention Systems as well as implementing best security practices on my network and systems devices. The latent risk (threat) remaining is at a level that is acceptable to the business leaders, so the system is allowed.

One question that I have seen coming up more often as we move towards fully virtualized data centers is centered around commingling of virtual infrastructure. There are some hard questions which challenge some practices that we have held true over the years.

Should you allow sharing of physical memory on a host virtual machine between an internal and DMZ server?
Should you allow virtual infrastructure from multiple security zones to share a storage array or cluster of arrays?
Should you allow multiple virtual switches in different security zones commingling on the same ESX or Hyper-V cluster?
Should you allow virtual firewall and load balancing instances protecting internal and external zones to reside on the same hardware?
Should you allow virtual routing instances from multiple zones to share a physical infrastructure?

In the past world of standalone systems, the additional cost of providing a wholly separate infrastructure for DMZ environments was relatively low. Each system generally had internal disk, or at most direct attached storage. Network devices themselves were scaled down to support one chassis one function. This fit quite neatly into the Enterprise Composite Network model that was quite common from 1999-2003.

Now, many data centers have moved to the Service Oriented Network Architecture (SONA). In this model the cost of a virtualized data center is primarily focused on foundation elements such as the virtual storage and virtual fabrics, virtualized network, and virtual systems elements. The cost of providing additional virtualized services off these elements is low, however the cost of duplicating the physical infrastructure is quite high on both the capital and operational levels. This is forcing the technical and executive leadership at many companies to take a long hard look at the true threats they are facing in previously physically separate security zones such as DMZ’s, Financial and other secure zones. In the end, they are having to decide whether the threat remaining after their security controls is worth duplicating hundreds of thousands of dollars worth of infrastructure or not.

These are hard questions, with really no single good answer. My gut feel is that over the next few years we will continue the move towards the fully virtualized data center where components such as memory, PCI-X buses, storage and network devices are even further decentralized. This will make the cost of duplicating the infrastructure more and more significant, causing consolidated data center (or compute) fabrics to be the norm. At this point the discussion will move away from securing zones by creating separate infrastructure, to providing end to end security, starting integrated application level security, maybe with TrustSec or a dirivative, all the way down to securing the data at rest on disk. For the time being however, the best we can do is sit down and do an honest appraisel of our security stances, mitigate what we can, and do our best to design data center architectures that provide the flexibility of implementing whatever choice the technical and business leaders agree on.Similar Posts:

--Colin McNamara

Measuring and mitigating risk involved with sharing virtual infrastructure between DMZ and Internal environments

Simplifying remote site security with Cisco’s new video surveillance modules on the ISR

colinmcnamara — Wed, 11 Jun 2008 00:31:13 +0000

One giant pain I have always faced when working with high security environments is dealing with surveillance systems. They are a necessary and required part of your security infrastructure. However they just never seem to integrate as well as your network, storage, or server devices.

When I work with data center infrastructure I expect the following – clean, remotely manageable, secure devices that runs on the same power and similar cabling, and everything can have a 24×7x4 support contract for hardware replacement. For the most part, you get this when dealing with Cisco, HP, Sun and similar manufacturers.

More often then not (with a few very cool exceptions), when I run into video surveillance infrastructure the video management infrastructure runs on some random third tier manufactured server. It never fails that the video management software is on Windows (normally XP or win2k). I have even seen some systems where the vendor requires you to have a session open to run the software.

And then when you get to the encoders themselves, it never fails. You have two choices.

The Uber package that can run a Casino, Identify and track dust mites , and if you point it at space, determine if there is life on mars.
Individual dinky encoders that run one or two camera’s each. They have limited encoding choices, limited camera control, no remote management, and normally run on 110 volt system that require different power distribution then the 220 that is common in systems today.

Cisco’s answer to this mess

Cisco has released both a video management solution, as well as a video encoding solution in a network module form factor for the Integrated Services Router (ISR).

The first part of this system, the Video Management and Storage System (VMSS) module fills the following roles -

Management of multiple video streams from one interface, including IP cameras, 3rd party encoders, and streams from Cisco’s video encoding module
Streaming of live and archived footage through a web browser interface
This one is pretty cool – The module can mount external storage via iSCSI. So, in addition to its 160 gig internal drive, you can mount a filer and utilize external storage to scale the system.
“fast forward” to events, as well as notify security and other personnel through SMS and email

The second part of the system (the module on the left in the picture above) is the Analog Video Gateway Network Module (EV-IPVS-16A). It has a couple functions -

It can take up to 16 analogue video inputs and encode them with MJPEG or MPEG4 codecs
You can use the first two ports to output video to a external monitors
If you are using MPEG4, it can be used as a motion detector (handy for fast forwarding to important events, or triggering alerts)
It can control pan and tilt cameras. This is good for pointing the camera at the janitor unplugging your servers each night to vacuum
You can configure analogue contacts as an alarm. This can be bound to a door switch, or even temperature and water level monitors in a remote data center. This one will be very handy.

The third part of this solution is Cisco’s Video Surveillance Operations Manager. It manages, archives, displays and distributes the content that was created and collected on the two previous modules. You would use this if you had many branches to aggregate, or needed to staff a video wall (e.g. casino gaming commission operations). Now, you can run each of these components individually. Buy run together as a whole, Cisco has an enterprise class security solution.

Want to learn more ?

Branch office security page on cisco.com http://www.cisco.com/en/US/products/ps9671/prod_module_series_home.html

Cisco’s product page for the Video Managment Module – http://www.cisco.com/en/US/prod/collateral/modules/ps9671/data_sheet_c78_462225.htmlSimilar Posts:

--Colin McNamara

Simplifying remote site security with Cisco’s new video surveillance modules on the ISR

Identity aware networking using Cisco TrustSec

colinmcnamara — Sun, 24 Feb 2008 07:13:07 +0000

With all the fanfare surrounding the recent Nexus 7000 release I think many people have missed a significant new development in Cisco’s security portfolio. That new development is Cisco TrustSec. TrustSec takes the classic notion of access control based source and destination ip:ports and replaces it with a role and resource based methodology that fits quite nicely with security requirements driven by information assurance groups. It also brings link security on certain platforms using the 802.1ae protocol that encrypts high speed links at line rate without taking a performance hit.

Cisco TrustSec starts at the edge by negotiating a secure link if both hosts support it (802.1ae). This is similar to wireless encryption schemes, where a secure handshake is established and the L2 path become impervious to sniffing. This is user configurable, and to my knowledge the asics available to support line rate encryption are currently only on the Nexus 7000 blades.

The next step is to start 802.1x negotiations. For the people not familiar with 802.1x, it is a way of passing username / password information from your computer up into the network infrastructure. Once this is completed, the switch can not only utilise tools like NAC to place you into the appropriate quarantine, or access vlans, but it also know knows your identity.

Now the “network” is aware of your identity, a new level of granular security control can be deployed across your infrastructure. These security policies can map into “user x can connect to webserver y” instead of being restricted by ip and port. This allows you to utilize true roles based administration similar to what you use in your Windows and Unix file systems, but now you can do this across the network.

How is this done ? I like to think of this as a mix between dscp and mpls tags. Which in a nutshell means that when traffic enters the network it is tagged with a small amount of additional “identity: information which is retained as it traverses the network. This information can be used to augment or completely replace your current ACL based security controls in a way that enables you to more effectively comply with complex regulatory environments such as PCI, SOX, GLBA and HPPA.

Over the past few years we have learned how to leverage intelligence in the the network by utilizing tools like QOS, MPLS VPN’s, and many others. Expect to add Cisco TrustSec to your quiver of tricks to address the ever growing compliance needs faced by today’s network designers.

Learn more about Cisco TrustSecSimilar Posts:

--Colin McNamara

Identity aware networking using Cisco TrustSec

Moving towards a Green Data Center – Truth behind the hype

colinmcnamara — Fri, 22 Feb 2008 21:53:56 +0000

Eplus, Cisco, Hewlett Packard and PG&E held a luncheon this last Friday focused on Green Data Center. I’ll be the first to admit that at first I thought “green” Data Center initiatives were just political and corporate marketing initiatives. I thought they saw Al Gore give some rocking presentation and decided it would be great to market their products as “green” while continuing to spew toxins and club baby seals in their manufacturing plants.

I was wrong, the Green Data Center is not about saving baby seals, it is about saving cold hard cash. Saving the world is just a nice side benefit.

That being said, saving cold hard cash is a very important discussion item in any IT Operations group as they are normally seen as a cost center. For them, a penny saved is literally a penny earned. Not only can you save money by not paying for power, but PG&E will actually has a budget to pay you NOT to use their power. Most people here this and get a puzzled look on their face. “why would the power company, who makes money on power, not want me to buy it from them?” The answer is that Californians use more power then PG&E can produce at peak times. When they have to buy it from another state it can cost them 10 times or more then they charge us. This is the reason why PG&E will pay you to use less. Each penny they give to the consumer for saving a watt, saves them 4 pennies (80% return on investment).

Great, PG&E saves money by giving it to me. How do I get this cash? Well there are a couple ways to get this.

Incentives for new buying new energy efficient servers
Rebates for moving to virtualized servers
Rebates and incentives for moving to thin client desktop systems
Audit teams for cooling and power if your Data Center is 10,000 square feet or more
Incentives for airflow control systems
Incentives for high efficiency UPS and power distribution systems
Technical services for cooling system evaluation (PG&E funded)

That is a pretty comprehensive list of how to get money from the power company, but you can save even more money buy not using the power in the first place. Not unsurprisingly this starts with the server.

First thing you can do, is virtualize, virtualize, and virtualize some more. For most people this means VMware. For others this may mean Xen, or Microsofts virtualization product. Whatever flavor you chose, the key message is to consolidate from many servers to few. A server sitting “idle” still pulls 50% of its max current. Now, howe many servers do you have that are just sitting there? My guess is a large amount. By virtualizing these servers, you allow them to be stacked onto high performance server that can be run at a higher utilization. This lowers the over all power utilization for your DataCenter. Another side benefit is that ever watt that you remove from a server, you get another watt removed from your cooling.

These same virtualization techniques can also be applied to your network devices, which account for 6 to 12 percent of your datacenters power draw.

Ask yourself a few questions

” Do I need 4 different firewall clusters?”. It is likely that these are leftovers from organic growth, and that you could consolidate them into virtual firewalls on a more efficient chassis (ASA comes to mind).
” Do I need to maintain physically separate infrastructure?”. There are technologies like MPLS, VFR-Lite, Virtual Switching and more that allow you to consolidate onto a shared network infrastructure, taking a service provider approach to providing transport in your network.
” Am I running old inefficient gear?”. Power supplies have increased in efficiency over the last few years. There may be a good return on investment for you to upgrade.
” Can I consolidate into larger chassis?”. Ask the question, which is more efficient – a closet full of 3560’s or a 4507? There is efficiency in scaling out.

I hope that reading this has caused you to ask some questions, and maybe look at the larger impact of your network operations on both the ecosystem and your operational expenses. With these questions in hand, you might want to talk to PG&E and your Cisco / HP parter about going “Green” in the data center.Similar Posts:

--Colin McNamara

Moving towards a Green Data Center – Truth behind the hype

Usability features in Cisco’s Nexus 7000

colinmcnamara — Fri, 08 Feb 2008 07:57:31 +0000

Douglas Gourlay, Sr Director, Marketing and Product Management for Cisco’s Data Center Business Unit and writer of Cisco’s Data Center Blog commented on my celebrity sighting post (me and the nexus 7000). He asked two questions regarding my post about the Nexus 7000, and I feel that it best serves everyone to answer them here.

What useability enhancements do you feel are the most beneficial?

A separate, IP enabled, Management Interface. This has been a long time coming. The out of band management interface is very similar to a Ilo card in the HP world. it is effectively a supercharged console server that happens to site on the backplane of the sup engine. I am sure whoever pushed this feature through is going to get flowers one day from a Tech who DIDN’T lock himself out because the management interface was effectively a separate system.
Finally, a functionally USB Interface that I can transfer IOS (well, now NX-OS) images through. Everyone has a USB key nowadays, even my Grandmother has one, it will make life so much easier when I can have a 4 gig key with me that has most IOS / NX-OS versions and my common configs and just pop them right in.
The integrated Cabling system is CLEAN. I love that it forces you to reserve the appropriate space for cabling, and that there finally is the possibility to avoid the flying spaghetti train wreck we see so often in Data Centers.
Front to back Cooling. The cooling design is well thought out. I liked the fact that it draws from directly above the front floor and exits rear top.. This should help out in raised floor data centers that have a large temperature gradient as you move to the top of the rack. It also negates problem of having multiple 6500 chassis side to side and having warm air blowing from the exhaust of one 6500 to the intake of another 6500.
Fan Slots are now placed where it is IMPOSSIBLE to cover with cables. I would say 7 out of 10 times when I walk into a new customers Data Center I find that there are cables run directly over the fan tray with no slack. That is not a failure in design per say, but it could have been avoided. With the Nexus 7000 fan trays in the back the problem is solved before it is created.
Power supplies are in the back . FAR away from the data cabling. It never fails that 20 amp circuits get uncomfortably close to copper cabling. By moving the power supplies to the back side of the chassis, this becomes a mute point and we remove any shadow of a doubt about EM interference causing craziness in our cabling.
This one sounds really mundane, but a quick heads up grouping of status lights. In the past these were normally in a position where you had to squat down to see them, or they are obscured by cables. Buy putting them on the front of the cable tray assembly it ensures these will always be visible.

What can we focus on now to make it a better platform?

One thing that worried me a little was the placement of the compact flash cards in the supervisory module. For those how haven’t it up close look at this picture of the chassis and look for the Grey cover midway up the sup modules in the center slots. Behind them are two flash cards, one for system partition extension, and one to dump log files into. Having these cards available are great features however I could see an operational process of security rotating out the log partitions, or more likely and engineer pulling the flash card after dumping some data for analysis to it, and then pulling the wrong card by accident. Having a simple strap (like the screw downs for power supply plugs) or something similar would go along way towards mitigating that risk.
Continue with the spirit of innovation that has defined Cisco over the years. Cisco has consistently came out with or acquired and integrated many great products that directly address the needs of the market place into the product line (MARS, ASA, AireSpace, TelePresence, MDS, ACE, Etc) but frankly the last GAME CHANGING product that set the industry on its heals and forced everyone to rethink how we utilize technology to accelerate business as a whole was the acquisition of Selsius and the introduction of VOIP as an enterprise class product to the world. I remember having the hair stand up on my arms from the excitement of going up against Avaya and Nortel back then and fighting that uphill battle, educating customers and peers about this “new thing called VOIP and how CallManager (now Unified Communications Manager) is your ticket towards productivity.
When we talk about the Virtual DataCenter, I/O Virtualization (FCOE) and VFrame Automation it is not just another incremental improvement of existing technology. It is a paradigm shift, a leap ahead, a GAME CHANGER. I get the same chills that I did when VOIP was new because I know that those are technologies that will force us to rethink how we approach computing and data systems. These technologies are to the Data Center what IP telephony was to the PBX, and Cisco is the only company with technologies and engineering know how in all the verticals necessary to pull this off.

Resume – Colin McNamara, CCIE #18233

colinmcnamara — Sun, 06 Jan 2008 17:24:24 +0000

Colin McNamara, CCIE #18233 – (858) 927-4515 – colin@2cups.com

CERTIFICATIONS / ACCREDITATIONS HELD

CCIE – Cisco Systems Internetwork Expert #18233

VCP – VMware Certified Professional

CDCUCSS – Cisco Data Center Unified Computing Support Specialist

VSP – VMware Sales Professional

VTSP – VMware Technical Sales Professional

TSS – Cisco Technical Solutions Specialist, Data Center

GCIH – GIAC Certified Incident Handler

CCVP – Cisco Certified Voice Professional

CSNSSS – Cisco Storage Networking Solutions Support Specialist

CSNSDS – Cisco Storage Network Solutions Design Specialist

CADCNSS – Cisco Advanced Data Center Networking Infrastructure Support Specialist

CCIE Storage Networking

RHCE – Redhat Certified Engineer #804006368822511

RHCT – Redhat Certified Technician #804006368822511

EMCPA – EMC Proven Professional Associate – Information Storage and Management

NSCA – Netscaler Certified Administrator #2005072

NACE – Network Appliance Certified Expert #12912

NACP – Network Appliance Certified Professional #12017 – Data Protection

NACP – Network Appliance Certified Professional #11985 – Storage Area Network

NACP – Network Appliance Certified Professional #12911 – High Availability

Retired Certifications -

Cisco Qualified Specialist – IP Telephony Support

Cisco Qualified Specialist – IP Telephony Design

Cisco Qualified Specialist – IP Telephony Operations

Cisco Wireless LAN Design Specialist

Cisco Wireless LAN Support Specialist

TECHNICAL PROFICIENCY

PROTOCOL PROFICIENCY

EIGRP, OSPF, RIP, BGP, MPLS, Spanning Tree, Rapid Spanning Tree, ATM, RTP, SIP, H.323, LWAPP, RADIUS, TACACS+, Ethernet, Fibre Channel, ISCSI, FCIP, FCP, FSPF, NDMP 802.11a, 802.11b, 802.11g, RBE, ISDN, SNMP

Virtualization Platforms

VMware ESX, Kernel Virtual Machine, Xen

VOICE and VOICE OVER IP

CallManager, Unity, ICS7750, PBX Trunking, SRST, Active Directory Integration, Extended Services, Call Detail Recording, Automated Attendant, Extension, Mobility, Asterisk, Callware and VSR VM.

HARDWARE

Cisco Unified Computing System (UCS) 6100, 2100, 5100, Nexus 7000, Nexus 5000, Nexus 2000 and Nexus 1000v switches, Catalyst 1900-6509 switches, 1600-7500 series routers, Cisco PIX firewalls, Cisco Load Balancers, Cisco MDS , F5 Load Balancers, Netscreen / Juniper Firewalls, Cisco VPN3000 VPN concentrators, Cisco ASA Adaptive Security Appliances, Nortel Contivity VPN Concentrators, Aironet Access Points and Bridges, Airespace LWAPP concentrators. 3com TotalConnect racks, Ascend dial concentrators, Netscaler Load balancers, SSL accelerators, SSL VPN concentrators. Brocade Silkworm, HP Eva Storage

NETWORK MANAGEMENT

Nagios, Cacti, NTOP, IPswitch What’s Up Gold, BIG Brother, Spectrum Network Management, Kiwi Syslog,, MRTG , HP OpenView, Cisco Secure Intrusion Detection system, Cisco Network Based Application Recognition, Snort IDS, Netscreen Firewall Manager, Unified Compute System Manager

OPERATING SYSTEMS

Redhat, Suse and Ubuntu Linux, Windows 2000, Windows 2003, Windows 2008, Windows XP, NT4.0, BSD, Solaris, OSX

BUSINESS ENVIRONMENTS

Consulting, Valued Added Reseller, Large Enterprise, Startup, Banking, Service Provider, Software Development, Manufacturing, Military

EMPLOYMENT

1/07 – Present, ePlus Technology

Consulting Systems Engineer – Data Center

Accelerate Data Center sales, design and implement network, storage, and systems solutions for ePlus west coast customers.

Accomplishments

Developed and deployed go to market strategy for Cisco’s Unified Computing System resulting in significant competitive advantage in the western united states.

Increased Data Center revenues year over year in a the worst economy in a century.

Changed regional sales focus from technology silo’s to solutions based selling covering network, systems, storage and applications under one umbrella.
Established a trend of Advanced Technology account wins.
Accelerated ePlus’s southern California sales by providing high end engineering support.
Increased sales for ePlus’s northern California office by overlaying and training field sales.
Integrated MPLS service provider designs into cutting edge Enterprise Solutions.
Filled PM and lead network engineer roles for large publicly traded company data center migrations.
Created modular Cisco design / quote format and menu based hardware and services options to address rapidly changing customer needs.

9/05 – 1/07 ID Analytics

Lead Network Engineer

Lead team of four engineers, Define network and application integration architecture for large SaaS analytics deployment, Leverage networking technology to increase security and availability, and decrease development and product deployment timelines

Accomplishments

Led team of engineers responsible for all Production and Back Office systems in 2 offices and 3 datacenters
Designed and Implemented ID Analytics Phase2 datacenter, processing 1.2-1.8 million financial transactions daily.
Designed and Implemented Contents Switching and SSL offloading solution, enabled non-disruptive scaling of core products
Integrated ID Analytics product with the largest card processors in the world – Equifax, Visa, TransUnion, etc.
Designed and integrated centralized Fiber Channel and ISCSI SAN solution, increasing application speed and decreasing production database refresh times from 4 weeks to 1 week.
Managed and maintained over 130 terabytes of storage
Created lights out server imaging and deployment solution for remote datacenters
Deployed and integrated monitoring solutions utilizing open source technology
Created user emulation probes for real time application monitoring and trending of production systems
Worked with development and Analytics to create structured Development and QA environments
Spearheaded project to change Analytics / Informatics environment from “unix for workgroups” to high performance computing environment (HPC)
Provide structured documentation to US Government and Corporate auditors
Utilized project management skills for international rollouts

2/04 – 8/2005 Openwave Systems
Senior Network Engineer, Strategic Design and Integration Group
Provide technical leadership, Define network architecture, Establish standards and technical vision. Responsible for researching, developing, and architecting technical solutions to business needs.

Accomplishments

Designed Openwave’s new Pacific Datacenter Networks, with 900 production, and 2000 development servers.
Designed Openwave’s Pacific Shores Campus Networks, and Showcase Datacenter.
Responsible for hardware acquisition budget of 1.7 million dollars
Established ISCSI IP based SAN infrastructure with DR components in 4 major datacenters worldwide
Promoted from the ranks, moving from running our VOIP phone systems, to Network team lead, to Senior Network Engineer in the Strategic Design and Integration team.
Active and engaged member of multiple boards covering design review, change control, and security
Negotiated with Cisco and SBC regarding datacenter purchases saving $906,000 off list price.
Renegotiated Cisco support saving Openwave nearly $600,000 over our three year term
Established improved data center controls, allowing Openwave to pass Sarbanes Oxley (SOX) audits
Wrote and ran multiple RFP, RFQ, and RFI’s
Utilized project management skills for international rollouts
Managed, Piloted, and Installed new wireless systems for our Customer Briefing Center
Responsible for 6 VOIP clusters around the world
Recipient of multiple awards recognizing dedication and quality work.
Attended continuing training for security management (CISSP)

2/03 – 1/04 USMC Reservist activated in support of Operation Enduring Freedom
Information Services Coordinator
Implement and maintain Tactical Data Networks, Provide consulting services to hosting units. Maintain Microsoft Exchange servers in both tactical and garrison environments. Perform security audits and remediation. Train support personnel.

Accomplishments

Performed Disaster recovery of routed ATM LANE environment for Marine Corps Air Station Yuma enabling over 3000 users to resume work (awarded the Navy and Marine Corps Achievement Medal for that event)
Performed security audit and created a security and performance remediation plan for MCAS Yuma
Provided project management and security audit skills to 3^rd Marine Air Wing Yuma server support teams, managed server security audit, security remediation, and SMS rollout.
Designed and implemented Nagios network monitoring system at Marine Corps Air Station Yuma.
Implemented Norton Antivirus server for MWSS 473
Provided training on to data teams from MWSS 473, MCAS Yuma Station IT, and 3^rd Marine Air Wing Yuma server teams.

12/02 – 2/04 2 Cups Solutions, Pleasanton , Ca
Principal Consultant
Founded 2 Cups Solutions to provide cutting edge Voice, Data, Wireless and Security services to clients in the San Francisco bay and Fresno areas.

Accomplishments

Implemented WAN failover solution at two City of Hayward fire stations.
Implemented email and web solution for Express Mobile Notary.
Developed and implemented business plan focusing on State and Local Government contracts.

2/02 – 12/02 ExtraTeam, Pleasanton , Ca
Senior Systems Engineer
Design, Installation, Configuration and Maintenance of network systems consisting of Cisco CallManager, Unity, Cisco Secure ACS, LEAP secured wireless, Aironet, Cisco routers and switches, PIX firewalls, and VPN3000 concentrators. Integrating all systems with Active Directory. Performed VOIP feasibility studies. Managed the entire business cycle including sales, design, installation, training and maintenance.

Accomplishments

Integrated CallManager voice system with Active Directory
Recovered a failed CallManager implementation at Phase 2 Strategies (PR firm for Logitech). Implemented CallManager with up to date hardware and software, upgraded Unity up to reasonably current levels. Brought up remote office in Phoenix utilizing SRST.
Implemented City wide wireless network integrated with active directory for the City of Hayward
Implemented VPN Concentrators in conjunction with multiple levels of firewalls for City of Hayward and Hayward PD to meet CLETS requirements.
Implemented network configuration management system responsible for the city of Hayward.
Implemented new wan for Livermore Pleasanton Fire department moving fire stations from isdn to T1 and Gigabit fiber lines in conjunction with moving the location for the network core.
Designed and implemented IPSEC based wan for Universal life resources, allowing nationwide secure remote office connectivity while minimizing wan connection costs.
Designed CallManager based VOIP system for a 27 site school district
Provided emergency support to Fire and Police agencies across the bay area
Performed security remediation for a large bay area company
Participated in large switched network cutover from 7500 to a 6509 with flex-wan modules for Stanislaus County.
Achieved technical certifications for ExtraTeam to become certified under both the Wireless and IP Telephony revised specifications.

7/01 – 2/02 Infobond Inc. Burlingame , Ca
Network Engineer

Responsible for engineering duties in a leadership role. Integrated legacy PBX’s using VOIP technology. Used Quality of service to ensure VOIP service levels. Support legacy voice over IP and voice over Frame Relay technologies. Upgrade from legacy voice integrations to state of the art VOIP integrations. Create project plans and act on them.

Accomplishments

Cut over evergreen lines shipping terminal from legacy 3com equipment to VOIP enabled Cisco routers and switches. Accomplished all work during Union stand downs.
Contracted to Openwave, Inc. to run Remote Access while the engineer was on leave. Ran Remote Access for 5 weeks, resolving DSL RLAN issues and IPSec issues, while reducing trouble ticket backload to manageable levels. Assisted other engineers when needed.
Implemented Cisco 6509’s to replace aging core network of a Benchmark Capital (bay area investment firm).
Diagnosed and resolved VOIP issues that were stopping call center rollouts for Embarcadero Systems (a large bay area shipping company).

03/00 – 7/01 Knapp Publishing Corporation, San Ramon, Ca
Network Systems Administrator

Responsible for day-to-day operations of e-commerce data center, and wide area networks Performed DNS changes for both internal and external networks. Designed, piloted, and implemented network changes. Installation configuration and maintenance of NT, and Windows 2k file, print, and web servers

Accomplishments

Improved service levels from 90% to 99.99%, enhanced security and increased bandwidth were benefits derived from implementing a state-of-the-art web hosting data center
Implemented a network monitoring system to document, report, and notify of network status.
Designed and implemented ISDN failover of Frame-Relay Network.
Designed, piloted, and implemented network changes.
Replaced NT servers with Linux based servers, integrated with the Windows network

01/98 – 03/00 DKA Computers Inc. Clovis, Ca
Manager Information Services (01/99 – 03/00 )

Ran day to day operations of a central valley ISP. Worked with systems manufacturing to bundle client software with all new PC’s. Partnered with local ISP’s to provide access numbers across the valley.

Accomplishments

Managed web development, and professional services
Moved web hosting from IIS to APACHE based servers, drastically increasing site availability
Produced a forms based web application to configure custom systems online.
Designed and implemented an IPSec based WAN connecting 3 stores point of sales systems.
Managed corporate office and data center relocation project.

Senior PC Service Technician (01/98 – 01/99)

Provide on call service. Staff PC help desk. Provide direct customer systems support while maximizing company revenues. Configured all servers ordered from manufacturing.

Accomplishments

Responsible for all day to day service activities for a 13 million dollar company. Management of 4 team members. Directly responsible for customer satisfaction

Implemented hard drive imaging system, decreasing both warranty costs and turnaround time
Installed and configured SCO Unix reservation system for National Park service, Kings Canyon
Designed, implemented inventory tracking database, reducing required stock on hand by $40,000

MILITARY

1996 – 2004 UNITED STATES MARINE CORPS RESERVE
Have held U.S. Government security clearance – Secret

EDUCATION

Ongoing professional education

Sans CISSP + Track

University of Oklahoma extension – Fire Science

Cisco Networking Academy

Similar Posts:

--Colin McNamara

Resume – Colin McNamara, CCIE #18233

created a new map of ashley’s site

colinmcnamara — Tue, 30 Nov 1999 00:00:00 +0000

I have been learning many of the guidelines of being a good site for Google lately. Man has it been an eye opener. As part of that eye opening, I updated some pages on the wifes site. I found this cool tool called a sitemap tool that creates a list of all pages in XML .. handy huh?

http://www.ashleymcnamara.com/index2.php

http://www.ashleymcnamara.com/articles/2007/05/19/mama-rocks/

--Colin McNamara

created a new map of ashley’s site

Tour of Ashley’s new site !

colinmcnamara — Fri, 04 Jan 2008 01:35:00 +0000

Ashley got a new site from blu-domain a couple weeks ago and it is finally live.
let me take you on a tour -

Here is the flash version of her site

Here is the HTML beginning of her site

Direct to the HTML version

Her about page titled your San Diego Photographer

Her maternity portfolio, featuring some great shots of San Diego moms

Her baby portfolio feature babies in San Diego

Her children portfolio

Her frequently asked questions

Her price sheet

Ashley’s Charity Work

Her client proofing, where her clients can preview all their images

One that I really like is a place where you can check her schedule

And last but not least, a place where you can contact her

http://www.2cups.com

“The difficult we do immediately, the impossible just takes a little longer.”Similar Posts:

--Colin McNamara

Tour of Ashley’s new site !

What does it take to pass the CCIE exam?

colinmcnamara — Tue, 30 Nov 1999 00:00:00 +0000

What does it take to pass the CCIE exam?

For those who haven’t heard yet, I passed my CCIE Lab on June 14th. Now I can officially put CCIE #18233 after my name.

Anyone who has been down the same path understands how long of a road this is.
I started down this path in the spring of 1999 as the 432nd student ever in Cisco’s Networking Academy (which I promptly dropped out of to move to the bay area). I grew my networking skills all the way to passing my CCIE Written in 2001. I attempted my Route Switch lab in 2002, however I got called away to war for a year. Being away from it all for a year really cramped my style technically. In that time many of my certs expired, and I lost much of the momentum I had built of the past half decade.

Since I got back to the real world I had focused on work to the detriment of my certifications. I really did some great things, however I really neglected my resume.
In July of 2006 I had worked 2038 hours that year (for those not mathematically inclined, that is a full work year, in 1/2 a year) . At that point I decided it was time to stop neglecting my certifications. At that point I dedicated 8 hours each saturday, along with two nights a week to studies. By December of that year I had Certified on a few of the technologies that I had tons of experience in.

I managed to get my RHCE, Cisco Storage Support and Design Specialist, update my old IP Telephony specialist certifications to CCVP, get my Netapp Certified Administrator, and pass my CCIE Written for storage networking all by the end of the year. This spring I finished my Netapp Certified Expert and scheduled my Storage lab for early summer.

Anyone who knows me well knows how closely I track my time. That time tracking extends to my training. I tracked my training (reading, lab practice, testing, etc) just like any other part of my professional life. I spent around 150 hours studying for my Design, Support specialist certs, along with reading the recommended books of the CCIE reading list, and around 300 hours preparing for my lab exam. That is 300 hours configuring every possible combination and permutation of technology that could be setup, and then refining my speed in configuring those technologies until i got to the point where speed as well as brains would be an advantage in the lab.

So now that I have my CCIE, whats next? Well, oddly enough.. I am thinking of getting my second CCIE cert. In my office I will be the Jr guy by only having a single CCIE (on of our guys has all five). I also need to take my VMware certified professional cert, and probably get my HP Master Accredited Storage Engineer. I guess I am just a glutton for punishment.

--Colin McNamara

What does it take to pass the CCIE exam?

The difference between a consultant and a partner

colinmcnamara — Sat, 09 Dec 2006 21:17:00 +0000

A shepherd was herding his flock in a remote pasture when suddenly a brand-new BMW drives up in a cloud of dust. The driver, a young man in an Armani suit, Gucci shoes, Ray Ban sunglasses and YSL tie, leans out the window and asks the shepherd: “If I tell you exactly how many sheep you have in your flock, will you give me one?”

The shepherd looks at the man, obviously a yuppie, then looks at his peacefully grazing flock and calmly answers: “Sure. Why not?” The yuppie parks his car, whips out his Dell notebook computer,connects it to his AT&T cell phone, surfs to a NASA page on the internet, where he calls up a GPS satellite navigation system to get an exact fix on his location which he then feeds to another NASA satellite that scans the area in an ultra-high-resolution photo.

The young man then opens the digital photo in Adobe Photoshop and exports it to an image processing facility in Hamburg, Germany. Within seconds, he receives an email on his Palm Pilot that the image has been processed and the data stored. He then accesses a MS-SQL database through an ODBC connected Excel spreadsheet with hundreds of complex formulas. He uploads all of this data via an email on his Blackberry and, after a few minutes, receives a response. Finally, he prints out a full-color, 150-page report on his hi-tech, miniaturized HP LaserJet printer and finally turns to the shepherd and says:

“You have exactly 1586 sheep.”

“That’s right. Well, I guess you can take one of my sheep.”, says the shepherd. He watches the young man select one of the animals and looks on amused as the young man stuffs it into the trunk of his car. Then the shepherd says to the young man: “Hey, if I can tell you exactly what your business is, will you give me back my sheep? ” The young man thinks about it for a second and then says:“Okay, why not?”

“You’re a consultant.” says the shepherd.

“Wow! That’s correct,” says the yuppie, “but how did you guess that?”

“No guessing required”, answered the shepherd.

“You showed up here even though nobody called you; you want to get paid for an answer I already knew, to a question I never asked; and you don’t know crap about my business… Now give me back my dog.”

http://www.2cups.com

“The difficult we do immediately, the impossible just takes a little longer.”Similar Posts:

--Colin McNamara

The difference between a consultant and a partner

My CCIE Storage Shopping List

colinmcnamara — Thu, 07 Dec 2006 04:54:00 +0000

My CCIE Storage Shopping List

Lets just start this out by saying, darn.. this is going to be expensive.
Now that that is out of the way, lets get started. Cisco publishes the hardware that is in the Storage lab.

Here is the hardware summary -

Cisco Routers
Cisco Catalyst Switches
Cisco Secure Access Control System
MDS 9506*
MDS 9216*
Port Analyzer Adapter
JBOD
RAID storage
HBA
3rd Party Fibre Channel Switch

My guess is that this equals a basic routed network with a CS-ACS server on the backend.
It looks like there is also at least 1 pc with an HBA connected into one MDS. The one big question I have is on the connected storage.
My guess is that Cisco’s JBOD reference = Fibre Channel connected storage, and the RAID array mentioned is connected to at least one server.
If my guess is right then there is the 9506 and 9216 – (note, no I in the name) and a third party switch.

So lets start the shopping list.

1. Cisco Routers
I have those coming out of the yinyang, no need to purchase anymore for this lab.

2. Cisco Catalyst Switches
Mine are a little old, but I don’t expect a storage exam to have anything challenging in the switching arena. No need to upgrade there.

3. Cisco Secure Access Control System
Thankfully Cisco provides VAR’s with NFR binders. ACS will be loaded on HMB-SERVER1 in a vmware image. No expenditure needed.

4. MDS 9506*
Holy smokes, this is a lot of money. I have seen them on ebay for $8,000. This includes both sup modules. I would need to buy a line card, which I see going for about 1k. so $9000

5. MDS 9216
Still bad, but not horrible. I just saw one on ebay for $5500. Depending on lab requirements it may be smart just to get to 9216’s. so $5500

6. Port Analyzer Adapter
Best I can find is $2000 refurbished. I have a feeling practicing using this, and seeing the ethereal dumps is going to be integral to success. worst case this is 2k, best case beg or borrow $2000

7. JBOD
Normally you are looking at 2-4k for one of these. My strategy is to find an old Netapp shelf, and low level format it. I found one on ebay that ends in 22 hours for $89. Sounds good to me.

8. RAID storage
I am going with my guess that this is just to facilitate data transfers between storage and host. My tactic is to use the existing storage inside one of my servers. $0

9. HBA
Interesting – Only one HBA .This can be up to $2000 to buy new. Luckily ebay is my friend. I found a qlogic 2340 card for $50. My kind of deal

10. 3rd party Fibre Channel Switch
Luckily Brocade resells to everyone and their mother. IBM, Dell, HP, Compaq, ETC. I have found some Silkworm 2800’s for as low as $50 on ebay.
I do have my eye on a 3800 that is going for $24 right now (I hope it stays low).

So how much is the damage?

$16,700

Holy smokes I could sell my truck just to buy the lab gear.

http://www.2cups.com

“The difficult we do immediately, the impossible just takes a little longer.”Similar Posts:

--Colin McNamara

My CCIE Storage Shopping List

I found a great tutorial on PHP + MySQL+Flash integration

colinmcnamara — Fri, 10 Nov 2006 18:29:00 +0000

I found a great tutorial on PHP + MySQL+Flash integration

Going through bludomain’s source code really got my interest going on the possibilities for dynamic flash content generation. Some Google searches brought up this tutorial – http://www.creativecow.net/articles/brimelow_lee/php_mysql/php_mysql_flash.html

Colin McNamara

http://www.2cups.com

“The difficult we do immediately, the impossible just takes a little longer.”Similar Posts:

--Colin McNamara

I found a great tutorial on PHP + MySQL+Flash integration

PHP / MySQL / FLASH website integration

colinmcnamara — Thu, 09 Nov 2006 21:27:00 +0000

First I have to say, check out the new Ashley McNamara Photography website at http://www.ashleymcnamara.com/

We had it designed by Bludomain.com. At first I was a little reticent about using them, but now I am very happy about the move. The interface for maintaining gallery’s is superior to how I was doing them before. In the past Ashley would bug me to update her pictures, and I would bug her to provide them in for proper format. Now she just logs onto a web interface and uploads her pictures, updates her content, and whaam.. the site is updated. All this happens without one honey do this. I say that is worth its price in gold

Once I saw this “seamless” interface I had to figure out how they are doing it. After a little pocking around their source code I found out that they were using PHP to pull information out of a MySQL database, and use that for dynamic content insertion into a flash template. From what I can tell, the first thing that happens is the base flash template loads. Each button shape is hard coded in flash, and an actionscript is bound to each button.
This actionscript runs a PHP web application that logs into a local MySQL database, selects from a table, creates an array, then runs a for loop to populate each submenu for items in each drop down.

The net net of this is that you can have a few default templates, and just populate unique configuration options a MySQL db. This simplifies the whole content management issue while still providing the Content Protection that flash gives you.

http://www.2cups.com

“The difficult we do immediately, the impossible just takes a little longer.”Similar Posts:

--Colin McNamara

PHP / MySQL / FLASH website integration

User experience testing – enhanced

colinmcnamara — Wed, 29 Jun 2005 02:37:00 +0000

Good afternoon,
Everyone who knows me, knows that I have special spot in my heart for user experience testing. My personal favorite platform is Nagios, formerly Netsaint. It’s a linux based monitoring system located at http://www.nagios.com . I have set it up at pretty much everywhere I have worked. Like many monitoring systems, Nagios uses a plugin based architecture for its service checks. These plugins classically either connect to the TCP port that a service runs on, or does basic protocol validation.. e.g. issue a http get, and pattern match the response string.

This is great information to have, however when you have a multi tiered application it becomes harder to get a true status of your application stack. Luckily most new applications nowadays incorporate a HTTP interfaces.
However, this interface responding to a http get request generally does not indicate full application functionality. To get that level of information out you usually need to present some authentication to the web app, execute a click through, etc.

Now this has always presented a problem for me. I can check the availability of each level of the application stack. What I can’t do is verify that the application is truly working properly. This puts a major blind spot in my monitoring strategies. Luckily I just came across a very cool application. This sweet application is webinject – http://www.webinject.org/
It can be configured to graph application performance to mrtg, or output to nagios network monitor. Below is some information about this project.

What is WebInject?
WebInject is a free tool for automated testing of web applications and services. It can be used to test individual system components that have HTTP interfaces (JSP, ASP, CGI, PHP, Servlets, HTML Forms, etc), and can be used as a test harness to create a suite of [HTTP level] automated functional, acceptance, and regression tests. A test harness, also referred to as a test driver or a test framework, allows you to run many test cases and collect/report your results. WebInject offers real-time results display and may also be used for monitoring system response times.
WebInject can be used as a complete test framework that is controlled by the WebInject User Interface (GUI). Optionally, it can be used as a standalone test runner (text/console application) which can be integrated and called from other test frameworks or applications.

Programming Language and Platforms
WebInject uses an XML API (interface) for defining and loading test cases. You can use WebInject without ever seeing it’s internal implementation (no scripting or programming necessary to use it).
WebInject is written in Perl and can run on any platform that a Perl interpreter can be installed on (MS Windows, GNU/Linux, BSD, Solaris, MAC OS, and many more). Currently, binary executables of WebInject are only available for MS Windows. If you would like to run on other platforms, you must have a Perl interpreter and run it from the Perl source code.

Test Cases
Test cases are written in XML files, using XML elements and attributes, and passed to the WebInject engine for execution against the application/service under test. This abstracts the internals of WebInject’s implementation away from the non-technical tester, while using an open architecture [written in Perl] for those that require more customization or modifications.

Results/Reporting
Result reports are generated in HTML (for viewing) and XML (for tranformation by external programs). These detailed results include pass/fail status, errors, response times, etc. Results are also displayed in a window on the User Interface if you are running the WebInject GUI, and are sent to the STDOUT channel if you are running the WebInject Engine as a standalone (console) application.

Service-Level Monitoring
HTTP response times can be collected and monitored in real-time during test execution. Timer statistics are calculated and displayed in a monitor window during runtime. When used along with gnuplot (a plotting utility), a response time graph is generated and updated in real-time as the test runs. This is used to verify responses from the web application or web service under test are within an acceptable range (to meet your SLA or quality of service criteria). This also enables WebInject to be run as a performance probe for application/service monitoring.
WebInject can also be integrated as a plugin for external monitoring systems. In this case, it is used in console mode as an intelligent test agent that returns status and response times to your external program.
For real-time monitoring of your web applications or web services, WebInject is able to run in a mode that makes it compatible with Nagios. Nagios is an open source host, service, and network monitoring program.
For graphical trending of web service-levels over a long period of time, WebInject is able to run in a mode that makes it compatible with MRTG. MRTG (Multi Router Traffic Grapher) is an open source tool for collecting, storing, and graphing time-series data.

http://www.2cups.com

“The difficult we do immediately, the impossible just takes a little longer.”Similar Posts:

--Colin McNamara

User experience testing – enhanced