Where would you use these ?

You want  your custom application to be able to react, and act on network specific information. Integrating both at a very close level. Fundamentally your application can dynamically reconfigure your router in reaction to network events.

You want to remove common services such as AAA, Syslog, DHCP, etc, IVR apps, Unified communication apps all at the branch office in the ISR. If there is a failure, your router can dynamically reconfigure around that.

AXP architecture

Base Cisco Linux os, IOS CLI, Virtual Instances, C++, Perl, Java, OSGI, Bash. Fundementally this is very similar to a fedora core 4 systems doing paravirtualization.

API Fun – What can it do

1. You can query and change both the router and the network module
2. Leverage Embedded Event Manager (EEM) to trigger events on changes, and react to network events.
3. Network Packet monitoring .. Sniff, Sniff, Sniff

My Questions –

1. How do I automate network updates, similar to YUM?
2. Is Cisco using KVM for paravirtualization?

Similar Posts:

• Simplifying remote site security with Cisco’s new video surveillance modules on the ISR
• Cool new features in 12.4(15)T
• Will Cisco succede where Sun has failed?
• Is your network ready for Cloud Computing with Virtual Infrastructure 4?
• User experience testing – enhanced
• Cisco NX-OS 4.0 | Next Generation Internet Operating System

--Colin McNamara

Application Extension API notes – Cisco Live 2008

When I work with data center infrastructure I expect the following – clean, remotely manageable, secure devices that runs on the same power and similar cabling, and everything can have a 24×7x4 support contract for hardware replacement. For the most part, you get this when dealing with Cisco, HP, Sun and similar manufacturers.

More often then not (with a few very cool exceptions), when I run into video surveillance infrastructure the video management infrastructure runs on some random third tier manufactured server. It never fails that the video management software is on Windows (normally XP or win2k). I have even seen some systems where the vendor requires you to have a session open to run the software.

And then when you get to the encoders themselves, it never fails. You have two choices.

1. The Uber package that can run a Casino, Identify and track dust mites , and if you point it at space, determine if there is life on mars.
2. Individual dinky encoders that run one or two camera’s each. They have limited encoding choices, limited camera control, no remote management, and normally run on 110 volt system that require different power distribution then the 220 that is common in systems today.

Cisco’s answer to this mess

Cisco has released both a video management solution, as well as a video encoding solution in a network module form factor for the Integrated Services Router (ISR).

The first part of this system, the Video Management and Storage System (VMSS) module fills the following roles -

• Management of multiple video streams from one interface, including IP cameras, 3rd party encoders, and streams from Cisco’s video encoding module
• Streaming of live and archived footage through a web browser interface
• This one is pretty cool – The module can mount external storage via iSCSI. So, in addition to its 160 gig internal drive, you can mount a filer and utilize external storage to scale the system.
• “fast forward” to events, as well as notify security and other personnel through SMS and email

The second part of the system (the module on the left in the picture above) is the Analog Video Gateway Network Module (EV-IPVS-16A). It has a couple functions -

• It can take up to 16 analogue video inputs and encode them with MJPEG or MPEG4 codecs
• You can use the first two ports to output video to a external monitors
• If you are using MPEG4, it can be used as a motion detector (handy for fast forwarding to important events, or triggering alerts)
• It can control pan and tilt cameras. This is good for pointing the camera at the janitor unplugging your servers each night to vacuum
• You can configure analogue contacts as an alarm. This can be bound to a door switch, or even temperature and water level monitors in a remote data center. This one will be very handy.

The third part of this solution is Cisco’s Video Surveillance Operations Manager. It manages, archives, displays and distributes the content that was created and collected on the two previous modules. You would use this if you had many branches to aggregate, or needed to staff a video wall (e.g. casino gaming commission operations). Now, you can run each of these components individually. Buy run together as a whole, Cisco has an enterprise class security solution.

Want to learn more ?

Branch office security page on cisco.com http://www.cisco.com/en/US/products/ps9671/prod_module_series_home.html

Cisco’s product page for the Video Managment Module – http://www.cisco.com/en/US/prod/collateral/modules/ps9671/data_sheet_c78_462225.htmlSimilar Posts:

• Interesting TechWise TV episode on virtualization
• Measuring and mitigating risk involved with sharing virtual infrastructure between DMZ and Internal environments
• Cisco NX-OS 4.0 | Next Generation Internet Operating System
• Nexus 5020 – Consolidated 10 Gig Ethernet and 4 Gig Fibre Channel
• Cisco Nexus 5020 and 5010 FCOE video ordering guide
• About Colin McNamara

--Colin McNamara

Simplifying remote site security with Cisco’s new video surveillance modules on the ISR

1. Layer 2 Tunneling Protcol (V3) static and hairpin configuration example - my buddy Rick was nerding it out in the lab and sent a great configuration doc for L2TPv3 my way. L2TP(V3) is used to create a layer 2 psuedowire across layer 3 routed links. This is a great service provider tool that you can use in your own network, no MPLS needed .

2. SNIA Education – Fiber Channel Over Ethernet – There is a lot of buzz going around right now about Fiber Channel Over Ethernet (FCOE). There is also a lot of misunderstanding about the fundamentals of this architecture. This Storage Networking Industry Association (SNIA) does an outstanding job of covering FCOE at both at an architectural level, as well as going over low level messaging structures.

3. Trill (Rbridge) architecture – IETF internet draft – I think the last time I was this interested in an internet draft was when iSCSI was first being proposed in the IP Storage working group. Trill, in my opinion is basically a light weight version of MPLS / VPLS. It has as far as I can tell most of the advantages of this architecture, without some of the configuration and hardware requirement drawbacks. Fair warning, reading this document started a doc hunt that killed my Saturday.

4. Cisco’s Security Response to Sebastian Muniz’s IOS rootkit – Security is a very important aspect of network design. Sebastian’s IOS rootkit demonstration is going to force some customers who in the past have been “OK” with having older, possibly vulnerable IOS versions floating around to update their operational practices and start keeping their routers and switches operating systems as often as they do their servers. Thankfully, Cisco has been embracing technologies such as kernel virtual machines, in service software upgrades and more to lesson or remove the impacts of software upgrades.

5. Turning Wounded Warriors into Network Ninja’s – As a former Marine (well, always a Marine, formerly employed by the USMC) this program goes straight to the heart. Cisco is partnering with Naval Medical Center San Diego (NMCSD, or Balboa Naval Hospital for us locals) to provide technical training to Marines and Sailors who have recieved service ending wounds in Afghanastan and Iraq.Similar Posts:

• Fibre Channel over Ethernet is taking off
• Cisco Live 2010 Schedule
• Cisco NX-OS 4.0 | Next Generation Internet Operating System
• Zone based IOS firewalls
• Nexus 5020 – Consolidated 10 Gig Ethernet and 4 Gig Fibre Channel
• Cisco is using Linux virtualization and 40 core CPU’s for its next generation routers

--Colin McNamara

Link Round Up – L2TPv3 FCOE Trill Wounded Warriors

IOS-XE is takes the best elements out of Internet Operating System (IOS) which has its roots in a closet at Stanford, and combines them with the most successful open source technology ever – Linux. Cisco is leveraging Linux virtualization technologies such as Kernel Based Virtual Machines to protect against operating system failures as well as to allow for In Service Software Upgrades (ISSU).

To really appreciate this, we first have to dive down into the overall architectural changes of the ASR1000. The largest change that Cisco has made was to implement separate forwarding and control planes. In the past, Cisco routers would have the processes responsible for forwarding traffic, and the processes responsible for configuring the router running on the same root operating system. The side effect of this is that if you want to upgrade the root operating system of your router, you are going to have interrupt the traffic flowing through it to do so, or have a physically separate route processor to take over while you rebooted. This is a big headache operationally, and effectively forced engineers to design in separate physical chassis to meet high uptime requirements.

What Cisco has done to address this, was to mirror changes made in their storage and carrier routing portfolios. Both of those product lines utilize the operating system to push commands into advanced processors that exist on the line cards themselves. The ASICS on the line cards are designed to work in a distributed fashion, so that production traffic never goes into up into the router processor (or sup engine). This in effect ensures that the control and forwarding planes can exist as independent elements.

If you look at the graphic above, you will notice 3 main zones. The upper zone is what we would normally describe as the control plane. This is where the higher level functions such as your routing processes, ssh daemons, snmp daemons, and shells live. In short, if you you configure or read something, you are going to do it here. The only time traffic flows through this plane is when you are doing a thing called process switching. keep in mind this is a rare occurrence and usually occurs because of an oversight in your network designs.

By separating the control and forwarding planes, this allows Cisco to basically run a management station on the router, that programs chip sets in the line cards on the fly. This in my opinion is where the true power of this architecture comes through. By separating the two functions the software engineers are free to utilize powerful open source technologies such as Kernel-based Virtual Machines, and the Linux kernel, while letting the integrated circuit engineers design blazing fast chips which allow full functionality at line rate.

What benefits should we receive from a virtualized control plane? First, in larger routing and switching chassis (including the top end of the ASR1000 line) you normally have physically redundant route processors (RP)/ supervisory engines(SUP). The operating systems on these RP’s synchronize many things, including configuration, process state, routing tables, security associations and much more. The primary reason for this, is if you have a failure in the active RP, you can failover to the standby RP without interrupting traffic flows.They also can be used to streamline the software upgrade process by only upgrading one RP at a time, and then gracefully transferring traffic to it. Once proper operation is verified, the backup RP can be brought up to the same code revision.In any production environment this is highly desirable, and helps immensely in the battle for five nines.

The ASR1000 takes the redundant RP concept seen in high end chassis, and allows you to implement redundant upgrades, as well as protection against software failure, with only one physical route processor. This is done by utilizing Linux kernel virtualization. Instead of running the control plane directly on the production hardware, a small kernel is inserted. Booting from that are two copies of IOS-XE. These run independently, and synchronize state and configurations just as if you had two physically separate route processors. What this means in operational English, is that where in the past, you would have to either have two devices, or a larger device with redundant RP’s to upgrade without disruption, you can now have that same ease of maintenance, in a much smaller (and at the end of the day, less total cost) package.

Below this is the forwarding plane.It plugs into to a high speed interconnected fabric which all line cards and RP’s are redundantly connected to. In the diagram above, this is the bottom level. Items in this plane include buffer memory, Cisco Express Forwarding (CEF) ASICS, and now the new QuantumFlow processor. This is normally where you would find your DCEF enabled line cards, fibre channel and Nexus7000 line cards, as well as the modules for the ASR1000 routers. When properly utilized, traffic should be relatively isolated to this tier, and function independently from the control plane.

The shining star of the ASR1000’s forwarding plane is a group of chips that is referred to as QuantumFlow. The QuantumFlow architecture itself merges Cisco’s strength in integrated circuit design, with its strengths in IOS software design. In the past, Cisco would design ASICS’s for specific functions, and then write commands down into them. This has worked very well, until they point that a new feature came out that couldn’t leverage the fixed configuration of an older ASIC. Your choice at that point was generally to process switch for that feature (which is slower, and honestly bad form), or upgrade your cards to the newer ASIC design. The QuantumFlow chipset approaches this problem from a new angle. The first chip in the set (Popeye) is designed to be field programmable in C, as well as no fixed internal pipelines. This combined with utilizing 40 cores running between 900 and 1200 megahertz allows the programmers to utilize parallel processing techniques to utilize an immense amount of processing power in real time.

To put things into perspective, remember when you got your first multi core laptop or desktop. You were able to say watch a DVD, as well as compile code at this same time, while continuing to have a responsive workstation. Now imagine what you could do with a 40 core processor. This is the kind of power that we are talking about. Now imagine, that not only is your workstation immensely powerful, but you could also offload common jobs such as running daily builds, or encoding videos to another machine (or in this case processor.

In the ASR1000 this processor is called Spinach (yellow are in the graphic above). And of course just like the cartoon, Popeye’s potential really comes to light when combined with Spinach. Spinach is a separate chip, that is used a a traffic manager. This chip handles queueing and quality of service, ensuring that the proper packets arrive at the proper time, as well as interconnecting with cryptographic offload engines so it can equally apply services to encrypted flows.

At the end of the day, the most important question is not how fast something is, or how cool it is. The question is what can it do for me? By leveraging this new architecture the ASR1000 is now able to do line rate inspection of traffic using Network Based Application Recognition (NBAR), Support 128,000 queues for deep quality of service, secure and encrypt data using zone based firewalls and embedded crypto engines, segregate traffic using MPLS, integrate advanced voice and video functionality, as well as providing fulling Netflow v9 support for all of the above. It provides all of these services in an always on solution utilizing Linux virtualization, as well as leveraging an flexible chip set architecture that allows for field programmable improvements in the future.

My hope is that after reading this article that you are in a better to understand how Cisco is leveraging open source technology and integrated circuit designs to improve the foundation of the internet. In upcoming articles I will be discussing design scenarios utilizing this features in this product, as well as highlighting other areas where Cisco is embracing both open source technology, as well as open architectures that can properly leverage projects such as Linux, Ntop, Wireshark and more. If this article has you interested in learning more about some of the technologies mentioned today, then I encourage you to check out some of the links below, or shoot me and email to be highlighted in a future readers questions article.

Learn more about Linux Kernel-based Virtual Machines

Learn more about Cisco’s ASR1000

Learn more about Cisco QuantumFlowSimilar Posts:

• Cisco NX-OS 4.0 | Next Generation Internet Operating System
• Application Extension API notes – Cisco Live 2008
• Arista Networks – Their approach to cloud networking
• Zone based IOS firewalls
• Simplifying remote site security with Cisco’s new video surveillance modules on the ISR
• Altor Virtual Network Security Analyzer (VNSA) integrated with Cisco’s Nexus 1000v for VMware

--Colin McNamara

Cisco is using Linux virtualization and 40 core CPU’s for its next generation routers

One feature that is new, and frankly extremely exciting is Virtual Device Contexts. Each virtual device runs with its own process, vs the use of tagged differentiators in technologies such as VRF-Lite. This provides for paravirtualized management instances, and clear lines of delineation for both software and hardware for a resource that can be shared between different groups within an enterprise.

Chassis that run NX-OS will support In Service Software Upgrades (NSSU) to allow operations groups to upgrade operating systems with zero downtime. This is accomplished through a combination of modular software architecture, and the decoupling for the control and forwarding planes.

One of my favorite features in SAN-OS is the embedded is fabric analyser. This is a tool that can sniff management traffic without having to plug in a sniffer, or provision a span port. You can dump in real time to a tcpdump like interface in the command line, output to a local file, or map to the ip of a wireshark instance that layer 3 access to the management port. Cisco again has taken the best of SAN-OS and bundled it with NX-OS. You will be able to remotely span management traffic without having to set up rspan, or trudge down to the datacenter to set up a sniffer.

Now, your router can call home right now so that is not a totally new feature. Smart Call Home was released recently into IOS. But that still doesn’t stop it from being a great feature. This allows you to configure NX-OS powered devices to mail an xml formatted troubleshooting email to TAC, and / or your support staff. This has been proven to drop the average time to resolution from 16-30 hours to 6 hours.

Now the drum roll…… All IP routing features are VRF aware. This has been a point of contention with me for a while. As Cisco and the market in general has embraced virtualization as an answer to pressing business concerns of leveraging shared infrastructure, while retaining security controls segregating disparate environments technologies such as MPLS and VRF within the datacenter have become more and more prevalent. That is great, however it never fails that the feature you need at that moment always seems to be coming out in the NEXT IOS release. With Cisco NX-OS 4.0 this is no longer a question.

Now, if I was a CIO and I was reading about all these new technologies that Cisco was pushing with NX-OS, I would frankly be cautious, and rightfully so. The thing is, most of these features are not new, they have been in use, and in production under the most stringent uptime conditions in the world – storage networking. They have been tried and tested on Cisco’s MDS line of storage networking switches. So get comfortable, get educated, but most importantly get on board for DataCenter 3.0.Similar Posts:

• Cisco is using Linux virtualization and 40 core CPU’s for its next generation routers
• The emergence of MDS features in Cisco’s datacenter networking equipment
• New features in VMware 3.1
• Link Round Up – L2TPv3 FCOE Trill Wounded Warriors
• About Colin McNamara
• Arista Networks – Their approach to cloud networking

--Colin McNamara

Cisco NX-OS 4.0 | Next Generation Internet Operating System

CERTIFICATIONS / ACCREDITATIONS HELD

CCIE – Cisco Systems Internetwork Expert #18233

VCP – VMware Certified Professional

CDCUCSS – Cisco Data Center Unified Computing Support Specialist

VSP – VMware Sales Professional

VTSP – VMware Technical Sales Professional

TSS – Cisco Technical Solutions Specialist, Data Center

GCIH – GIAC Certified Incident Handler

CCVP – Cisco Certified Voice Professional

CSNSSS – Cisco Storage Networking Solutions Support Specialist

CSNSDS – Cisco Storage Network Solutions Design Specialist

CADCNSS – Cisco Advanced Data Center Networking Infrastructure Support Specialist

CCIE Storage Networking

RHCE – Redhat Certified Engineer #804006368822511

RHCT – Redhat Certified Technician #804006368822511

EMCPA – EMC Proven Professional Associate – Information Storage and Management

NSCA – Netscaler Certified Administrator #2005072

NACE – Network Appliance Certified Expert #12912

NACP – Network Appliance Certified Professional #12017 – Data Protection

NACP – Network Appliance Certified Professional #11985 – Storage Area Network

NACP – Network Appliance Certified Professional #12911 – High Availability

Retired Certifications -

Cisco Qualified Specialist – IP Telephony Support

Cisco Qualified Specialist – IP Telephony Design

Cisco Qualified Specialist – IP Telephony Operations

Cisco Wireless LAN Design Specialist

Cisco Wireless LAN Support Specialist

TECHNICAL PROFICIENCY

PROTOCOL PROFICIENCY

EIGRP, OSPF, RIP, BGP, MPLS,  Spanning Tree, Rapid Spanning Tree, ATM, RTP, SIP, H.323, LWAPP, RADIUS, TACACS+, Ethernet, Fibre Channel, ISCSI, FCIP, FCP, FSPF, NDMP 802.11a, 802.11b, 802.11g, RBE, ISDN, SNMP

Virtualization Platforms

VMware ESX, Kernel Virtual Machine, Xen

VOICE and VOICE OVER IP

CallManager, Unity, ICS7750, PBX Trunking, SRST, Active Directory Integration, Extended Services, Call Detail Recording, Automated Attendant, Extension, Mobility, Asterisk, Callware and VSR VM.

HARDWARE

Cisco Unified Computing System (UCS) 6100, 2100, 5100, Nexus 7000, Nexus 5000, Nexus 2000 and Nexus 1000v switches, Catalyst 1900-6509 switches, 1600-7500 series routers, Cisco PIX firewalls, Cisco Load Balancers, Cisco MDS , F5 Load Balancers, Netscreen / Juniper Firewalls, Cisco VPN3000 VPN concentrators, Cisco ASA Adaptive Security Appliances, Nortel Contivity VPN Concentrators, Aironet Access Points and Bridges, Airespace LWAPP concentrators. 3com TotalConnect racks, Ascend dial concentrators, Netscaler Load balancers, SSL accelerators, SSL VPN concentrators. Brocade Silkworm, HP Eva Storage

NETWORK MANAGEMENT

Nagios, Cacti, NTOP, IPswitch What’s Up Gold, BIG Brother, Spectrum Network Management, Kiwi Syslog,, MRTG , HP OpenView, Cisco Secure Intrusion Detection system, Cisco Network Based Application Recognition, Snort IDS, Netscreen Firewall Manager, Unified Compute System Manager

OPERATING SYSTEMS

Redhat, Suse and Ubuntu Linux, Windows 2000, Windows 2003, Windows 2008, Windows XP, NT4.0, BSD, Solaris, OSX

BUSINESS ENVIRONMENTS

Consulting, Valued Added Reseller, Large Enterprise, Startup, Banking, Service Provider, Software Development, Manufacturing, Military

EMPLOYMENT

1/07 – Present, ePlus Technology

Consulting Systems Engineer – Data Center

Accelerate Data Center sales, design and implement network, storage, and systems solutions for ePlus west coast customers.

Accomplishments

• Developed and deployed go to market strategy for Cisco’s Unified Computing System resulting in significant competitive advantage in the western united states.

• Increased Data Center revenues year over year in a the worst economy in a century.

• Changed regional sales focus from technology silo’s to solutions based selling covering network, systems, storage and applications under one umbrella.

• Established a trend of Advanced Technology account wins.

• Accelerated ePlus’s southern California sales by providing high end engineering support.

• Increased sales for ePlus’s northern California office by overlaying and training field sales.

• Integrated MPLS service provider designs into cutting edge Enterprise Solutions.

• Filled PM and lead network engineer roles for large publicly traded company data center migrations.

• Created modular Cisco design / quote format and menu based hardware and services options to address rapidly changing customer needs.

9/05 – 1/07 ID Analytics

Lead Network Engineer

Lead team of four engineers, Define network and application integration architecture for large SaaS analytics deployment, Leverage networking technology to increase security and availability, and decrease development and product deployment timelines

Accomplishments

• Led team of engineers responsible for all Production and Back Office systems in 2 offices and 3 datacenters

• Designed and Implemented ID Analytics Phase2 datacenter, processing 1.2-1.8 million financial transactions daily.

• Designed and Implemented Contents Switching and SSL offloading solution, enabled non-disruptive scaling of core products

• Integrated ID Analytics product with the largest card processors in the world – Equifax, Visa, TransUnion, etc.

• Designed and integrated centralized Fiber Channel and ISCSI SAN solution, increasing application speed and decreasing production database refresh times from 4 weeks to 1 week.

• Managed and maintained over 130 terabytes of storage

• Created lights out server imaging and deployment solution for remote datacenters

• Deployed and integrated monitoring solutions utilizing open source technology

• Created user emulation probes for real time application monitoring and trending of production systems

• Worked with development and Analytics to create structured Development and QA environments

• Spearheaded project to change Analytics / Informatics environment from “unix for workgroups” to high performance computing environment (HPC)

• Provide structured documentation to US Government and Corporate auditors

• Utilized project management skills for international rollouts

2/04 – 8/2005 Openwave Systems
Senior Network Engineer, Strategic Design and Integration Group
Provide technical leadership, Define network architecture, Establish standards and technical vision. Responsible for researching, developing, and architecting technical solutions to business needs.

Accomplishments

• Designed Openwave’s new Pacific Datacenter Networks, with 900 production, and 2000 development servers.

• Designed Openwave’s Pacific Shores Campus Networks, and Showcase Datacenter.

• Responsible for hardware acquisition budget of 1.7 million dollars

• Established ISCSI IP based SAN infrastructure with DR components in 4 major datacenters worldwide

• Promoted from the ranks, moving from running our VOIP phone systems, to Network team lead, to Senior Network Engineer in the Strategic Design and Integration team.

• Active and engaged member of multiple boards covering design review, change control, and security

• Negotiated with Cisco and SBC regarding datacenter purchases saving $906,000 off list price.

• Renegotiated Cisco support saving Openwave nearly $600,000 over our three year term

• Established improved data center controls, allowing Openwave to pass Sarbanes Oxley (SOX) audits

• Wrote and ran multiple RFP, RFQ, and RFI’s

• Utilized project management skills for international rollouts

• Managed, Piloted, and Installed new wireless systems for our Customer Briefing Center

• Responsible for 6 VOIP clusters around the world

• Recipient of multiple awards recognizing dedication and quality work.

• Attended continuing training for security management (CISSP)

2/03 – 1/04 USMC Reservist activated in support of Operation Enduring Freedom
Information Services Coordinator
Implement and maintain Tactical Data Networks, Provide consulting services to hosting units. Maintain Microsoft Exchange servers in both tactical and garrison environments. Perform security audits and remediation. Train support personnel.

Accomplishments

• Performed Disaster recovery of routed ATM LANE environment for Marine Corps Air Station Yuma enabling over 3000 users to resume work (awarded the Navy and Marine Corps Achievement Medal for that event)

• Performed security audit and created a security and performance remediation plan for MCAS Yuma

• Provided project management and security audit skills to 3^rd Marine Air Wing Yuma server support teams, managed server security audit, security remediation, and SMS rollout.

• Designed and implemented Nagios network monitoring system at Marine Corps Air Station Yuma.

• Implemented Norton Antivirus server for MWSS 473

• Provided training on to data teams from MWSS 473, MCAS Yuma Station IT, and 3^rd Marine Air Wing Yuma server teams.

12/02 – 2/04 2 Cups Solutions, Pleasanton , Ca
Principal Consultant
Founded 2 Cups Solutions to provide cutting edge Voice, Data, Wireless and Security services to clients in the San Francisco bay and Fresno areas.

Accomplishments

• Implemented WAN failover solution at two City of Hayward fire stations.

• Implemented email and web solution for Express Mobile Notary.

• Developed and implemented business plan focusing on State and Local Government contracts.

2/02 – 12/02 ExtraTeam, Pleasanton , Ca
Senior Systems Engineer
Design, Installation, Configuration and Maintenance of network systems consisting of Cisco CallManager, Unity, Cisco Secure ACS, LEAP secured wireless, Aironet, Cisco routers and switches, PIX firewalls, and VPN3000 concentrators. Integrating all systems with Active Directory. Performed VOIP feasibility studies. Managed the entire business cycle including sales, design, installation, training and maintenance.

Accomplishments

• Integrated CallManager voice system with Active Directory

• Recovered a failed CallManager implementation at Phase 2 Strategies (PR firm for Logitech). Implemented CallManager with up to date hardware and software, upgraded Unity up to reasonably current levels. Brought up remote office in Phoenix utilizing SRST.

• Implemented City wide wireless network integrated with active directory for the City of Hayward

• Implemented VPN Concentrators in conjunction with multiple levels of firewalls for City of Hayward and Hayward PD to meet CLETS requirements.

• Implemented network configuration management system responsible for the city of Hayward.

• Implemented new wan for Livermore Pleasanton Fire department moving fire stations from isdn to T1 and Gigabit fiber lines in conjunction with moving the location for the network core.

• Designed and implemented IPSEC based wan for Universal life resources, allowing nationwide secure remote office connectivity while minimizing wan connection costs.

• Designed CallManager based VOIP system for a 27 site school district

• Provided emergency support to Fire and Police agencies across the bay area

• Performed security remediation for a large bay area company

• Participated in large switched network cutover from 7500 to a 6509 with flex-wan modules for Stanislaus County.

• Achieved technical certifications for ExtraTeam to become certified under both the Wireless and IP Telephony revised specifications.

7/01 – 2/02 Infobond Inc. Burlingame , Ca
Network Engineer

Responsible for engineering duties in a leadership role. Integrated legacy PBX’s using VOIP technology. Used Quality of service to ensure VOIP service levels. Support legacy voice over IP and voice over Frame Relay technologies. Upgrade from legacy voice integrations to state of the art VOIP integrations. Create project plans and act on them.

Accomplishments

• Cut over evergreen lines shipping terminal from legacy 3com equipment to VOIP enabled Cisco routers and switches. Accomplished all work during Union stand downs.

• Contracted to Openwave, Inc. to run Remote Access while the engineer was on leave. Ran Remote Access for 5 weeks, resolving DSL RLAN issues and IPSec issues, while reducing trouble ticket backload to manageable levels. Assisted other engineers when needed.

• Implemented Cisco 6509’s to replace aging core network of a Benchmark Capital (bay area investment firm).

• Diagnosed and resolved VOIP issues that were stopping call center rollouts for Embarcadero Systems (a large bay area shipping company).

03/00 – 7/01 Knapp Publishing Corporation, San Ramon, Ca
Network Systems Administrator

Responsible for day-to-day operations of e-commerce data center, and wide area networks Performed DNS changes for both internal and external networks. Designed, piloted, and implemented network changes. Installation configuration and maintenance of NT, and Windows 2k file, print, and web servers

Accomplishments

• Improved service levels from 90% to 99.99%, enhanced security and increased bandwidth were benefits derived from implementing a state-of-the-art web hosting data center

• Implemented a network monitoring system to document, report, and notify of network status.

• Designed and implemented ISDN failover of Frame-Relay Network.

• Designed, piloted, and implemented network changes.

• Replaced NT servers with Linux based servers, integrated with the Windows network

01/98 – 03/00 DKA Computers Inc. Clovis, Ca
Manager Information Services (01/99 – 03/00 )

Ran day to day operations of a central valley ISP. Worked with systems manufacturing to bundle client software with all new PC’s. Partnered with local ISP’s to provide access numbers across the valley.

Accomplishments

• Managed web development, and professional services

• Moved web hosting from IIS to APACHE based servers, drastically increasing site availability

• Produced a forms based web application to configure custom systems online.

• Designed and implemented an IPSec based WAN connecting 3 stores point of sales systems.

• Managed corporate office and data center relocation project.

Senior PC Service Technician (01/98 – 01/99)

Provide on call service. Staff PC help desk. Provide direct customer systems support while maximizing company revenues. Configured all servers ordered from manufacturing.

Accomplishments

• Responsible for all day to day service activities for a 13 million dollar company. Management of 4 team members. Directly responsible for customer satisfaction

• Implemented hard drive imaging system, decreasing both warranty costs and turnaround time

• Installed and configured SCO Unix reservation system for National Park service, Kings Canyon

• Designed, implemented inventory tracking database, reducing required stock on hand by $40,000

MILITARY

1996 – 2004 UNITED STATES MARINE CORPS RESERVE
Have held U.S. Government security clearance – Secret

EDUCATION

Ongoing professional education

Sans CISSP + Track

University of Oklahoma extension – Fire Science

Cisco Networking Academy

Similar Posts:

• What does it take to pass the CCIE exam?
• Cisco Certified Design Expert – CCDE – officially released by Cisco
• About Colin McNamara
• I’ll be at Cisco Live 2008 (networkers) in Orlando all week
• Where is Colin ? Passing the VCP exam (VMware Certified Professional)
• Challenges integrating VMware into Cisco networks

--Colin McNamara

Resume – Colin McNamara, CCIE #18233

”

By Ivan Pepelnjak

John S. Pumphrey recently asked an interesting question: “Can the router send an e-mail when an interface goes down?” The enterprisey solution is obvious: deploy a high-end EMS to collect SNMP traps and use its API to write a custom module that would use a MQ interface to alert the operator. Fortunately, Event Manager applets in Cisco IOS provide action mail command (available in 12.3(14)T and 12.4) that can send an e-mail to a SMTP server straight from the router.

There are two ways you can detect that an interface went down with EEM: either you track the interface status with a track object and start an EEM applet when the track object changes state or you catch the syslog messages reporting that the interface line protocol changed state to down. The second approach is obviously more generic, as a single applet can act on multiple interfaces.

event manager applet MailOnIfDown event syslog occurs 1 →    pattern "LINEPROTO-5-UPDOWN.*to down" →    period 1

Notes:

• If you want to limit the applet to serial interfaces only, you could change the pattern to LINEPROTO-5-UPDOWN.*Serial.*to down.
• The → continuation character is used to indicate that a single configuration line has been split to increase readability.

The action mail command specifies the mail server’s address (use a hostname and DNS lookup or ip host configuration command to make the EEM applet more generic), from and to address, message subject and body. In each of these fields, you can use EEM environment variables that you can define with the event manager environment configuration command. Each EEM event also defines a few environment variables that you can use (see the table of EEM system-defined variables on CCO). For example, you can define the e-mail recipient in the router’s configuration and use the _syslog_msg variable to include the syslog message in the e-mail body:

event manager environment _ifDown_rcpt admin@lab.com!event manager applet MailOnIfDown event syslog occurs 1 →    pattern "LINEPROTO-5-UPDOWN.*to down" →    period 1 action 1.0 mail server "mail-gw" →    to "$_ifDown_rcpt" from "R1@lab.com" →    subject "Interface down on R1" →    body "$_syslog_msg"

You can make the applet even more generic with the help of action info type routername command, which stores the current router’s name into the $_info_routername environment variable:

event manager environment _ifDown_rcpt admin@lab.com!event manager applet MailOnIfDown event syslog occurs 1 →    pattern "LINEPROTO-5-UPDOWN.*to down" →    period 1 action 1.0 info type routername action 2.0 mail server "mail-gw" →    to "$_ifDown_rcpt" from "$_info_routername@lab.com" →    subject "Interface down on $_info_routername" →    body "$_syslog_msg"

"

Colin McNamara
CCIE #18233

http://www.2cups.com

“The difficult we do immediately, the impossible just takes a little longer.”Similar Posts:

• Zone based IOS firewalls
• What should I do this thanksgiving break?
• Cool new features in 12.2(33)SXH
• Application Extension API notes – Cisco Live 2008
• Interesting TechWise TV episode on virtualization
• Why GoDaddy Linux Virtual Dedicated Hosting Sucks & How to Fix It

--Colin McNamara

Routers can email you when they go down

Cisco has finally included zone based firewalling in the IOS firewall feature set. The configuration guide can be found here -

Zone Based Firewall Design and Configuration Guide

The things that really got me interested are -

1. It is VRF aware (works well with network virtualization strategies)
2. No more CBAC’s
3. Policing built into firewalling classes
4. Content inspection including HTTP,P2P, and Instant Messenger

I think the biggest plus for this release is that IOS firewalls are finally following the general trend of zone based firewalling. By moving this way, configuration errors resulting in lax controls are likely to be minimized.

Excerpts from the documentation -

Cisco IOS Software Release 12.4(6)T introduced a new configuration model for the Cisco IOS Firewall feature set. This new configuration model offers intuitive policies for multiple-interface routers, increased granularity of firewall policy application, and a default deny-all policy that prohibits traffic between firewall zones until an explicit policy is applied to allow desirable traffic.

Nearly all firewall features implemented prior to Cisco IOS Software Release 12.4(6)T are supported in the new zone-based policy inspection interface; supported features are as follows:

•Stateful packet inspection

•Application inspection

–HTTP

–Post Office Protocol (POP3), Internet Mail Access Protocol (IMAP), Simple Mail Transfer Protocol/Enhanced Simple Mail Transfer Protocol (SMTP/ESMTP)

–Sun RPC

•VRF-aware Cisco IOS Firewall

•URL filtering

•Denial-of-service (DoS) mitigation

Zone-based policy firewall generally improves Cisco IOS performance for most firewall inspection activities.

The only Cisco IOS Firewall features that are not supported in zone-based policy firewall in Cisco IOS Software Release 12.4(6)T are as follows:

•Authentication proxy

•Stateful firewall failover

•Unified firewall MIB

Zone-based policy firewall completely changes the way you configure a Cisco IOS Firewall.

The first major change to the firewall configuration is the introduction of zone-based configuration. Cisco IOS Firewall is the first Cisco IOS Software threat defense feature to implement a zone configuration model. Other features might adopt the zone model over time. The classical Cisco IOS Firewall stateful inspection/context-based access control (CBAC) interface-based configuration model employing the ip inspect command set will be maintained for a period of time, but few, if any, new features will be configurable with the classical command-line interface (CLI). Zone-policy firewall does not use the stateful inspection/CBAC commands. The two configuration models can be used concurrently on routers but not combined on interfaces; an interface cannot be configured as a security zone member as well as being configured for ip inspect simultaneously.

Zones establish the security borders of your network. A zone defines a boundary where traffic is subjected to policy restrictions as it crosses to another region of your network. Zone-Policy Firewall’s default policy between zones is to deny all. If no policy is explicitly configured, all traffic moving between zones is blocked. This is a significant departure from stateful inspection’s model, in which traffic was implicitly allowed unless it was explicitly blocked with an access control list (ACL).

The second major change is the introduction of a new configuration policy language known as CPL. Users familiar with the Cisco IOS Software Modular quality-of-service (QoS) CLI (MQC) might recognize the format being similar to QoS’s use of class maps to specify which traffic will be affected by the action applied in a policy map.

Colin McNamara
Copyright ©2008 | Colin McNamara | CCIE 18233 | All Rights Reserved”Similar Posts:

• Cisco is using Linux virtualization and 40 core CPU’s for its next generation routers
• Cool new features in 12.4(15)T
• Routers can email you when they go down
• Identity aware networking using Cisco TrustSec
• Measuring and mitigating risk involved with sharing virtual infrastructure between DMZ and Internal environments
• Cisco NX-OS 4.0 | Next Generation Internet Operating System

--Colin McNamara

Zone based IOS firewalls

Link – http://www.cisco.com/application/pdf/en/us/guest/products/ps8258/c1161/cdccont_0900aecd80679ce3.pdf

From Cisco’s site -

Cisco IOS Software Release 12.4T integrates a portfolio of new capabilities, including security, voice, and wireless, with powerful hardware support to deliver advanced services for enterprise and access customers. It will be issued as a series of regularly scheduled individual releases, which Cisco will ultimately consolidate to form the next major release.

Release 12.4(15)T, the sixth release of the 12.4T family, streamlines the Cisco IOS Software upgrade process, provides sub-second link failure detection and faster convergence, delivers next-generation Layer 2-7 flexible packet classification, enhances intrusion protection and SSL VPN capabilities, and provides support for the new Cisco 7201 Router, amongst other features.

Like all releases in the 12.4T family, Release 12.4(15)T integrates innovations that span multiple technology areas, including Cisco IOS Security, Voice, Cisco IOS Infrastructure, Access, High Availability, Management Instrumentation, Quality of Service, IP Multicast, Broadband, IP Routing, and IP Services. Release 12.4(15)T delivers these integrated technologies on the broadest range of hardware in the industry, including the Cisco Integrated Services Routers, Cisco 7200 Series, and Cisco 7301 Router.
Copyright ©2008 | Colin McNamara | CCIE 18233 | All Rights Reserved”

Colin McNamara
CCIE #18233

http://www.2cups.com

“The difficult we do immediately, the impossible just takes a little longer.”Similar Posts:

• The emergence of MDS features in Cisco’s datacenter networking equipment
• About Colin McNamara
• Application Extension API notes – Cisco Live 2008
• Simplifying remote site security with Cisco’s new video surveillance modules on the ISR
• New features in VMware 3.1
• Darrel Hinshaw – New Triple CCIE [Storage]!!!!!!!

--Colin McNamara

Cool new features in 12.4(15)T

Lets just start this out by saying, darn.. this is going to be expensive.
Now that that is out of the way, lets get started. Cisco publishes the hardware that is in the Storage lab.

Here is the hardware summary -

• Cisco Routers
• Cisco Catalyst Switches
• Cisco Secure Access Control System
• MDS 9506*
• MDS 9216*
• Port Analyzer Adapter
• JBOD
• RAID storage
• HBA
• 3rd Party Fibre Channel Switch

My guess is that this equals a basic routed network with a CS-ACS server on the backend.
It looks like there is also at least 1 pc with an HBA connected into one MDS. The one big question I have is on the connected storage.
My guess is that Cisco’s JBOD reference = Fibre Channel connected storage, and the RAID array mentioned is connected to at least one server.
If my guess is right then there is the 9506 and 9216 – (note, no I in the name) and a third party switch.

So lets start the shopping list.

1. Cisco Routers
I have those coming out of the yinyang, no need to purchase anymore for this lab.

2. Cisco Catalyst Switches
Mine are a little old, but I don’t expect a storage exam to have anything challenging in the switching arena. No need to upgrade there.

3. Cisco Secure Access Control System
Thankfully Cisco provides VAR’s with NFR binders. ACS will be loaded on HMB-SERVER1 in a vmware image. No expenditure needed.

4. MDS 9506*
Holy smokes, this is a lot of money. I have seen them on ebay for $8,000. This includes both sup modules. I would need to buy a line card, which I see going for about 1k. so $9000

5. MDS 9216
Still bad, but not horrible. I just saw one on ebay for $5500. Depending on lab requirements it may be smart just to get to 9216’s. so $5500

6. Port Analyzer Adapter
Best I can find is $2000 refurbished. I have a feeling practicing using this, and seeing the ethereal dumps is going to be integral to success. worst case this is 2k, best case beg or borrow $2000

7. JBOD
Normally you are looking at 2-4k for one of these. My strategy is to find an old Netapp shelf, and low level format it. I found one on ebay that ends in 22 hours for $89. Sounds good to me.

8. RAID storage
I am going with my guess that this is just to facilitate data transfers between storage and host. My tactic is to use the existing storage inside one of my servers. $0

9. HBA
Interesting – Only one HBA .This can be up to $2000 to buy new. Luckily ebay is my friend. I found a qlogic 2340 card for $50. My kind of deal

10. 3rd party Fibre Channel Switch
Luckily Brocade resells to everyone and their mother. IBM, Dell, HP, Compaq, ETC. I have found some Silkworm 2800’s for as low as $50 on ebay.
I do have my eye on a 3800 that is going for $24 right now (I hope it stays low).

So how much is the damage?

$16,700

Holy smokes I could sell my truck just to buy the lab gear.

–Colin
Copyright ©2008 | Colin McNamara | CCIE 18233 | All Rights Reserved”

Colin McNamara
CCIE #18233

http://www.2cups.com

“The difficult we do immediately, the impossible just takes a little longer.”Similar Posts:

• Update on the Cisco / Nuova connection
• Why was Storage Networking my first CCIE? And What did I do to prepare?
• Cisco Nexus 5020 and 5010 FCOE video ordering guide
• CCIE Party 2008 Recap – Cisco Live Networkers 2008
• Cisco Nexus 4000 Blade Switch
• Fibre Channel over Ethernet is taking off

--Colin McNamara

My CCIE Storage Shopping List

This is great information to have, however when you have a multi tiered application it becomes harder to get a true status of your application stack. Luckily most new applications nowadays incorporate a HTTP interfaces.
However, this interface responding to a http get request generally does not indicate full application functionality. To get that level of information out you usually need to present some authentication to the web app, execute a click through, etc.

Now this has always presented a problem for me. I can check the availability of each level of the application stack. What I can’t do is verify that the application is truly working properly. This puts a major blind spot in my monitoring strategies. Luckily I just came across a very cool application. This sweet application is webinject – http://www.webinject.org/
It can be configured to graph application performance to mrtg, or output to nagios network monitor. Below is some information about this project.

What is WebInject?
WebInject is a free tool for automated testing of web applications and services. It can be used to test individual system components that have HTTP interfaces (JSP, ASP, CGI, PHP, Servlets, HTML Forms, etc), and can be used as a test harness to create a suite of [HTTP level] automated functional, acceptance, and regression tests. A test harness, also referred to as a test driver or a test framework, allows you to run many test cases and collect/report your results. WebInject offers real-time results display and may also be used for monitoring system response times.
WebInject can be used as a complete test framework that is controlled by the WebInject User Interface (GUI). Optionally, it can be used as a standalone test runner (text/console application) which can be integrated and called from other test frameworks or applications.

Programming Language and Platforms
WebInject uses an XML API (interface) for defining and loading test cases. You can use WebInject without ever seeing it’s internal implementation (no scripting or programming necessary to use it).
WebInject is written in Perl and can run on any platform that a Perl interpreter can be installed on (MS Windows, GNU/Linux, BSD, Solaris, MAC OS, and many more). Currently, binary executables of WebInject are only available for MS Windows. If you would like to run on other platforms, you must have a Perl interpreter and run it from the Perl source code.

Test Cases
Test cases are written in XML files, using XML elements and attributes, and passed to the WebInject engine for execution against the application/service under test. This abstracts the internals of WebInject’s implementation away from the non-technical tester, while using an open architecture [written in Perl] for those that require more customization or modifications.

Results/Reporting
Result reports are generated in HTML (for viewing) and XML (for tranformation by external programs). These detailed results include pass/fail status, errors, response times, etc. Results are also displayed in a window on the User Interface if you are running the WebInject GUI, and are sent to the STDOUT channel if you are running the WebInject Engine as a standalone (console) application.

Service-Level Monitoring
HTTP response times can be collected and monitored in real-time during test execution. Timer statistics are calculated and displayed in a monitor window during runtime. When used along with gnuplot (a plotting utility), a response time graph is generated and updated in real-time as the test runs. This is used to verify responses from the web application or web service under test are within an acceptable range (to meet your SLA or quality of service criteria). This also enables WebInject to be run as a performance probe for application/service monitoring.
WebInject can also be integrated as a plugin for external monitoring systems. In this case, it is used in console mode as an intelligent test agent that returns status and response times to your external program.
For real-time monitoring of your web applications or web services, WebInject is able to run in a mode that makes it compatible with Nagios. Nagios is an open source host, service, and network monitoring program.
For graphical trending of web service-levels over a long period of time, WebInject is able to run in a mode that makes it compatible with MRTG. MRTG (Multi Router Traffic Grapher) is an open source tool for collecting, storing, and graphing time-series data.

–Colin
Copyright ©2008 | Colin McNamara | CCIE 18233 | All Rights Reserved”

Colin McNamara
CCIE #18233

http://www.2cups.com

“The difficult we do immediately, the impossible just takes a little longer.”Similar Posts:

• What should I do this thanksgiving break?
• Application Extension API notes – Cisco Live 2008
• Why GoDaddy Linux Virtual Dedicated Hosting Sucks & How to Fix It
• Is your network ready for Cloud Computing with Virtual Infrastructure 4?
• New Buzzword Enterprise Service Bus
• RSS feeds – an intranet aggregation solution?

--Colin McNamara

User experience testing – enhanced