The boundary between server team and network team responsibilities has become “fuzzy”

Cisco address’s this issue by putting a switch that can be managed via the same methods common to other network devices inside the ESX cluster. This switch runs the same code that has become standard on Cisco’s Nexus series of Data Center switches – NX-OS.

Prior to adoption of virtualization, when there was a connectivity problem with a host it was quite common for the network team to verify functionality down to the switch port. The server team would do the same. This allowed for each team to focus on areas that met their core competancy. Once we moved from a real switch port, to a dumb bridge inside ESX, lots of finger pointing resulted.

Now, with a Nexus 1000V sitting virtually inside the ESX clusters, the boundary between network and systems teams has been re-estabilished. Now when there is a problem with a host inside an ESX cluster, the network team can use the same day to day troubleshooting tools available to them in other portions of the network to resolve issues faster, and with less finger pointing.

Security controls have been moved further away from the hosts then we would like

A best practice for applying security policy is to apply controls as close to the source as possible. Think of this analogy – Your kids are blasting Radio Disney from their computer. Which of the following do you do?

A. Turn down the speakers at the source

B. Distribute earplugs to all members or the household

Of course, the obvious action is to go to the source, and apply a control (turn down the volume, and tell the kids to clean their rooms). The same principle is valid on the networking side. The best practice is to apply security policies such as VLAN ACL’s and TrustSec policies directly to the switchports that host your switches. Before the Nexus 1000V this was impossible to do in ESX, and forced many environments to move security controls further up into the distribution layer. The side effect of this was that now the security stance from host to host inside ESX clusters was diminished.

The Nexus 1000V brings something called port policies to the table to address this. What these are is pre-configured application security descriptions that are available to you systems administrators to apply in a point and click fashion. Once these policies are applied to the virtualized host, they follow the host where ever it is moved in your virtual cluster.

Provisioning and integrating the networks of VMware ESX clusters with classic networks for most is challenging at best

I wrote an article in march about this specific issue in my post – Challenges integrating VMware into Cisco networks . The core of this issue is that in general that the network integration portions of VMware ESX clusters is not really designed to address server teams , or network teams. In fact, you need to be pretty savy with both portions to successfully integrate VMware clusters into your network. In the real world, you generally find people that are good at one or the other, not both.

By putting a Nexus 1000V in your VMware clusters, you know give the networking teams something they can understand without having to learn Linux, and how it handles bridges (key to understanding ESX networking). With a Cisco switch running virtually inside your clusters, network teams can follow standard core / distribution / access models with the access layer now residing inside the ESX clusters. The network teams can also leverage their existing LAN switching skills for integrating the virtual switches in the clusters with the existing Data Center switching fabrics.

With these roadblocks addressed, Cisco is moving to further the DC 3.0 vision

To realize the DC 3.0 vision, the network inside of VMware clusters had to be under control, and follow the same architectural guidelines that the rest of our network is subject to. With the Nexus 1000V this is now a reality. The next steps withing the DC 3.0 vision to are to extend virtualization and mobility throughout our storage fabrics, and to continue to extend virtualization to the network as a whole, as well as focusing on application virtualization and acceleration to truly realize the vision of cloud computing in the data center.

On the storage virtualization side, Cisco will be using a technology called FlexAttach to enable virtual and physical hosts to change locations in the datacenter without storage team intervention (more on this in a near future post). And on the application virtulization and acceleration side, expect Cisco to continue to enhance it’s existing Application Control Engine (ACE) and Wide Area Application Services (WAAS), and further integrate these into their virtualization offerings.

Want to learn more ?

Introduction to VN-Link network services – Cisco.com

Nexus 1000V overview – Cisco.com

VMware distributed vNetwork switch demo – VMware.com

Challenges integrating VMware into Cisco networks – colinmcnamara.com

Douglas Gourley speaking about how Cisco and VMware will drive Cloud Computing in the Data CenterSimilar Posts:

• Altor Virtual Network Security Analyzer (VNSA) integrated with Cisco’s Nexus 1000v for VMware
• Cisco Nexus 4000 Blade Switch
• Nexus 5020 – Consolidated 10 Gig Ethernet and 4 Gig Fibre Channel
• Where is Colin ? Passing the VCP exam (VMware Certified Professional)
• Simplifying your Data Center with Cisco’s Nexus 2000 Fabric Extender (FEX)
• Is your network ready for Cloud Computing with Virtual Infrastructure 4?

--Colin McNamara

Cisco releases Nexus 1000V virtual switch for VMware

He writes about “the VLAN leaking myth” and how it encourages clients to utilize physically separate network infrastructure in the DMZ’s. Now first things first, I wouldn’t call VLAN leaking a myth. At one time it was a very real and serious vulnerability that was exploited by overflowing the capacity of the switch you were attacking, and causing it to “downgrade” from switch to a hub. Once this happened you now had access to previously protected devices, as well as having the ability to sniff data as it passed through the shared hub backplane.

As he mentions though, this is 8 years ago. Most switches have evolved to the point where backplanes far exceed the traffic that could ever be injected into their switchports. Even beyond backplane enhancements there are many ways to further firm up your security stance – Virtual Device Contexts, not using Layer 3 SVI’s on a DMZ VLAN, utilizing PVLANs, using port security, virtual routing instances, and many more. Of course, there are still many other attack vectors that still remain, but can be mitigated by utilizing features built into the majority of enterprise switches available today.

I think the real question is not “are VLANs safe in a DMZ”. The important question is have you mitigated the probability of compromise (the actual threat) to levels that are acceptable to your business. This question remains whether you have a standalone switch or not. So many times we hear about risk risk and more risk. But risk alone is meaningless in a business context. What is important is combining risk with likelihood. For that I like to use a simple table to come up with the true threat.

For example, as I drive to Fry’s there is the risk of me dying due to a car crash. The impact of me dying is very high (risk) however the likelihood of an accident is low, and furthermore I reduce (mitigate) the latent risk (threat) by wearing my seat belt. So all in all the threat of me dying on my way to Fry’s is pretty darn low.

In a business context this may be that I have public facing web servers and network devices in my DMZ. The impact of them being compromised is that my public image may be tarnished for a short time, and my end users may lose productivity if they are not able to VPN into work, or access the Internet while on premise. I mitigate this risk by using firewalls and both host and network based Intrusion Prevention Systems as well as implementing best security practices on my network and systems devices. The latent risk (threat) remaining is at a level that is acceptable to the business leaders, so the system is allowed.

One question that I have seen coming up more often as we move towards fully virtualized data centers is centered around commingling of virtual infrastructure. There are some hard questions which challenge some practices that we have held true over the years.

• Should you allow sharing of physical memory on a host virtual machine between an internal and DMZ server?
• Should you allow virtual infrastructure from multiple security zones to share a storage array or cluster of arrays?
• Should you allow multiple virtual switches in different security zones commingling on the same ESX or Hyper-V cluster?
• Should you allow virtual firewall and load balancing instances protecting internal and external zones to reside on the same hardware?
• Should you allow virtual routing instances from multiple zones to share a physical infrastructure?

In the past world of standalone systems, the additional cost of providing a wholly separate infrastructure for DMZ environments was relatively low. Each system generally had internal disk, or at most direct attached storage. Network devices themselves were scaled down to support one chassis one function. This fit quite neatly into the Enterprise Composite Network model that was quite common from 1999-2003.

Now, many data centers have moved to the Service Oriented Network Architecture (SONA). In this model the cost of a virtualized data center is primarily focused on foundation elements such as the virtual storage and virtual fabrics, virtualized network, and virtual systems elements. The cost of providing additional virtualized services off these elements is low, however the cost of duplicating the physical infrastructure is quite high on both the capital and operational levels. This is forcing the technical and executive leadership at many companies to take a long hard look at the true threats they are facing in previously physically separate security zones such as DMZ’s, Financial and other secure zones. In the end, they are having to decide whether the threat remaining after their security controls is worth duplicating hundreds of thousands of dollars worth of infrastructure or not.

These are hard questions, with really no single good answer. My gut feel is that over the next few years we will continue the move towards the fully virtualized data center where components such as memory, PCI-X buses, storage and network devices are even further decentralized. This will make the cost of duplicating the infrastructure more and more significant, causing consolidated data center (or compute) fabrics to be the norm. At this point the discussion will move away from securing zones by creating separate infrastructure, to providing end to end security, starting integrated application level security, maybe with TrustSec or a dirivative, all the way down to securing the data at rest on disk. For the time being however, the best we can do is sit down and do an honest appraisel of our security stances, mitigate what we can, and do our best to design data center architectures that provide the flexibility of implementing whatever choice the technical and business leaders agree on.Similar Posts:

• Moving towards a Green Data Center – Truth behind the hype
• Cisco’s Cloud Computing Offering
• About Colin McNamara
• Vote for my VMworld presentation – #3221 Built to fail (shameless pandering)
• Simplifying remote site security with Cisco’s new video surveillance modules on the ISR
• Interesting TechWise TV episode on virtualization

--Colin McNamara

Measuring and mitigating risk involved with sharing virtual infrastructure between DMZ and Internal environments

I think Rick (5x CCIE) put it best in a company wide email earlier this afternoon  -

Please join me in congratulating Darrel in obtaining his Storage CCIE. There are only 24 double CCIES (RS/Storage) in the world, so he is probably about 1 of 15 or less in the world to hold all three.

What is everyone’s vote what is next in his career?  And, NO, you don’t have a say, Darrel

A) Service Provider

B) VOICE

C) CCDE

Thanks,

Rick Davis

ePlus, Senior Network Engineer

CCIE – Storage, Voice, Security, Service Provider, Routing and Switching (#5672)

Great job Darrel, everyone is really proud of you. and our apologies in advance to the wife for stealing you for choices A, B or C. (My vote is for C)

–Colin

Similar Posts:

• Updated CCIE numbers
• Cisco Certified Design Expert – CCDE – officially released by Cisco
• Passed CCDE written and Recertified my CCIE – Killed two birds with one stone
• About Colin McNamara
• CCIE Party 2008 Recap – Cisco Live Networkers 2008
• Are you a kick ass engineer looking to grow?

--Colin McNamara

Darrel Hinshaw – New Triple CCIE [Storage]!!!!!!!

In that spirit, my schedule is listed below. If you are in the area, it would be great if you would stop by and say hello.
“6/23/08″ “11:00 AM”"Certification Exam  –  Certification Exam”
“6/23/08″ “1:30 PM”"BRKCCT-1001  –  Contact Center Welcome Session: Focusing on the Experience”
“6/23/08″ “5:00 PM”"WoS Reception 1  –  Welcome Reception in World of Solutions”
“6/24/08″ “8:00 AM”"certification focus group  –  certification focus group”
“6/24/08″ “9:00 AM”"BRKITI-1031  –  Cisco Data Center 3.0 Strategy and Business Impact”
“6/24/08″ “10:00 AM”"GENKEY-1001  –  Keynote and Welcome Address with John Chambers”
“6/24/08″ “12:00 PM”"ITIPCS-1015  –  NetQoS: Getting the Most from Cisco WAN / Application Acceleration Technologies”
“6/24/08″ “1:00 PM”"BRKDEV-1221  –  Applying Cisco’s Nexus Operating System (NX-OS) and DCNM APIs to Emerging Data Center Infrastructure”
“6/24/08″ “2:00 PM”"BRKDEV-1001  –  Cisco Application eXtension Platform”
“6/24/08″ “3:00 PM”"GENSSN-1001  –  Super Session: The Power of Collaboration Panel”
“6/24/08″ “4:00 PM”"BRKSEC-3007  –  Solving Security Challenges with Embedded Event Manager”
“6/24/08″ “7:00 PM”"BRKAGG-2001  –  Multiservice Edge Architectures and Solutions for Service Providers”
“6/25/08″ “6:00 PM”"CCIE Appriciation  –  CCIE Appreciation part – Nascar Grill”
“6/25/08″ “9:00 AM”"BRKDEV-1111  –  Location Based Services using Cisco Location API”
“6/25/08″ “10:00 AM”"GENKEY-1002  –  Cisco Technology Keynote with Padmasree Warrior”
“6/25/08″ “12:00 PM”"ITIPCS-1019  –  Fluke Networks: General Parts Uses Embedded IOS Technologies to Successfully Manage Inventory at Retail Locations:
“6/25/08″ “1:00 PM”"BRKDEV-1051  –  ANA Technical Session and Demo”
“6/25/08″ “3:00 PM”"GENSSN-1002  –  Super Session: The Data Center–Evolution and Transformation:”
“6/25/08″ “4:00 PM”"BRKDEV-1131  –  Customer Voice Portal Application Development”
“6/25/08″ “8:00 PM”"Customer Event  –  Customer Appreciation Event”
“6/26/08″ “9:00 AM”"BRKITI-1034  –  Realize Business Goals through Network Architecture Solutions”
“6/26/08″ “10:00 AM”"GENKEY-1003  –  Closing Keynote Address and Guest Speaker, Ben Stein, Actor/Writer/Columnist”
“6/26/08″ “1:00 PM”"BRKCCIE-3003  –  CCDE: The Cisco Certified Design Expert”
“6/26/08″ “3:00 PM”"BRKDEV-1171  –  Managing  Network Performance using the New IOS Data Collection Services”
“6/26/08″ “4:00 PM”"BRKDEV-1181  –  Configuration and Provisioning using IOS  XML API”Similar Posts:

• Cisco Live 2009 – Networkers class schedule
• Cisco Certified Architect – Board examination above the CCIE and CCDE
• It’s on like Donkey Kong – CCDE practical registration is open
• Where is Colin ? Passing the VCP exam (VMware Certified Professional)
• About Colin McNamara
• Cisco Certified Design Expert – CCDE – officially released by Cisco

--Colin McNamara

I’ll be at Cisco Live 2008 (networkers) in Orlando all week

When I work with data center infrastructure I expect the following – clean, remotely manageable, secure devices that runs on the same power and similar cabling, and everything can have a 24x7x4 support contract for hardware replacement. For the most part, you get this when dealing with Cisco, HP, Sun and similar manufacturers.

More often then not (with a few very cool exceptions), when I run into video surveillance infrastructure the video management infrastructure runs on some random third tier manufactured server. It never fails that the video management software is on Windows (normally XP or win2k). I have even seen some systems where the vendor requires you to have a session open to run the software.

And then when you get to the encoders themselves, it never fails. You have two choices.

1. The Uber package that can run a Casino, Identify and track dust mites , and if you point it at space, determine if there is life on mars.
2. Individual dinky encoders that run one or two camera’s each. They have limited encoding choices, limited camera control, no remote management, and normally run on 110 volt system that require different power distribution then the 220 that is common in systems today.

Cisco’s answer to this mess

Cisco has released both a video management solution, as well as a video encoding solution in a network module form factor for the Integrated Services Router (ISR).

The first part of this system, the Video Management and Storage System (VMSS) module fills the following roles -

• Management of multiple video streams from one interface, including IP cameras, 3rd party encoders, and streams from Cisco’s video encoding module
• Streaming of live and archived footage through a web browser interface
• This one is pretty cool – The module can mount external storage via iSCSI. So, in addition to its 160 gig internal drive, you can mount a filer and utilize external storage to scale the system.
• “fast forward” to events, as well as notify security and other personnel through SMS and email

The second part of the system (the module on the left in the picture above) is the Analog Video Gateway Network Module (EV-IPVS-16A). It has a couple functions -

• It can take up to 16 analogue video inputs and encode them with MJPEG or MPEG4 codecs
• You can use the first two ports to output video to a external monitors
• If you are using MPEG4, it can be used as a motion detector (handy for fast forwarding to important events, or triggering alerts)
• It can control pan and tilt cameras. This is good for pointing the camera at the janitor unplugging your servers each night to vacuum
• You can configure analogue contacts as an alarm. This can be bound to a door switch, or even temperature and water level monitors in a remote data center. This one will be very handy.

The third part of this solution is Cisco’s Video Surveillance Operations Manager. It manages, archives, displays and distributes the content that was created and collected on the two previous modules. You would use this if you had many branches to aggregate, or needed to staff a video wall (e.g. casino gaming commission operations). Now, you can run each of these components individually. Buy run together as a whole, Cisco has an enterprise class security solution.

Want to learn more ?

Branch office security page on cisco.com http://www.cisco.com/en/US/products/ps9671/prod_module_series_home.html

Cisco’s product page for the Video Managment Module – http://www.cisco.com/en/US/prod/collateral/modules/ps9671/data_sheet_c78_462225.htmlSimilar Posts:

• Interesting TechWise TV episode on virtualization
• About Colin McNamara
• Measuring and mitigating risk involved with sharing virtual infrastructure between DMZ and Internal environments
• Nexus 5020 – Consolidated 10 Gig Ethernet and 4 Gig Fibre Channel
• Cisco Nexus 5020 and 5010 FCOE video ordering guide
• Cisco NX-OS 4.0 | Next Generation Internet Operating System

--Colin McNamara

Simplifying remote site security with Cisco’s new video surveillance modules on the ISR

1. Layer 2 Tunneling Protcol (V3) static and hairpin configuration example - my buddy Rick was nerding it out in the lab and sent a great configuration doc for L2TPv3 my way. L2TP(V3) is used to create a layer 2 psuedowire across layer 3 routed links. This is a great service provider tool that you can use in your own network, no MPLS needed .

2. SNIA Education – Fiber Channel Over Ethernet – There is a lot of buzz going around right now about Fiber Channel Over Ethernet (FCOE). There is also a lot of misunderstanding about the fundamentals of this architecture. This Storage Networking Industry Association (SNIA) does an outstanding job of covering FCOE at both at an architectural level, as well as going over low level messaging structures.

3. Trill (Rbridge) architecture – IETF internet draft – I think the last time I was this interested in an internet draft was when iSCSI was first being proposed in the IP Storage working group. Trill, in my opinion is basically a light weight version of MPLS / VPLS. It has as far as I can tell most of the advantages of this architecture, without some of the configuration and hardware requirement drawbacks. Fair warning, reading this document started a doc hunt that killed my Saturday.

4. Cisco’s Security Response to Sebastian Muniz’s IOS rootkit – Security is a very important aspect of network design. Sebastian’s IOS rootkit demonstration is going to force some customers who in the past have been “OK” with having older, possibly vulnerable IOS versions floating around to update their operational practices and start keeping their routers and switches operating systems as often as they do their servers. Thankfully, Cisco has been embracing technologies such as kernel virtual machines, in service software upgrades and more to lesson or remove the impacts of software upgrades.

5. Turning Wounded Warriors into Network Ninja’s – As a former Marine (well, always a Marine, formerly employed by the USMC) this program goes straight to the heart. Cisco is partnering with Naval Medical Center San Diego (NMCSD, or Balboa Naval Hospital for us locals) to provide technical training to Marines and Sailors who have recieved service ending wounds in Afghanastan and Iraq.Similar Posts:

• Fibre Channel over Ethernet is taking off
• Cisco NX-OS 4.0 | Next Generation Internet Operating System
• Zone based IOS firewalls
• Nexus 5020 – Consolidated 10 Gig Ethernet and 4 Gig Fibre Channel
• Cisco is using Linux virtualization and 40 core CPU’s for its next generation routers
• Cisco Nexus 7000 DataCenter switch released – Welcome to DataCenter 3.0

--Colin McNamara

Link Round Up – L2TPv3 FCOE Trill Wounded Warriors

Please join me in thanking Jayshree for all the positive contributions she has given to Cisco and the industry, and wishing her the best in her future endeavors.

Similar Posts:

• John McCool chosen as Jayshree Ullal’s replacement to lead Cisco’s Data Center Switching and Services Group (DSSG)
• Jayshree Ullal takes the helm of Arista Networks
• CCIE Party 2008 Recap – Cisco Live Networkers 2008
• Cisco Nexus 4000 Blade Switch
• BIG Cisco – VMware announcement – 1:30 Pacific time
• Cisco releases Nexus 1000V virtual switch for VMware

--Colin McNamara

Thanks and farewell to Jayshree Ullal

Legal implications of a breach

Losing control of personal data means means more then just replacing a tape in your backup rotation. Laws vary from state to state, however generally you are required to contact the identity holders who were breached, as well as fund some sort of remediation. This has huge implications on consumer confidence, and at the end of the day stock price of your company. In some cases, such as ChoicePoint a company can be completely decimated by a breach.

Data protection regulations

There are an ever increasing number of regulations that concern the control of sensitive data. These can vary from laws focused on patient data, to financial data, to personal identification data. The most most well known laws are HIPPA, GLBA, and Sarbanes Oxley (SOX). Past that there are laws that pop up every day at the state and municipality level that further increase the requirements and expense of dealing with a breach. In short, it is becoming an expensive and in some cases criminal offense to lose control of your sensitive.

What you can do to protect your backup tapes

First things first, putting a lock on that Iron Mountain box is just not good enough. You must assume that no matter what, a determined attacker will get physical access to your tapes. So many times companies thing that just because their data format is unique or proprietary that an attacker won’t be able to access it. The cold reality is that any format can be read, and yours is not that special.

The only way to be assured that your data is safe is to encrypt it with a complex cipher. In short, you need to treat your data the same way on tape as you would if it was sitting on a public ftp site (with anonymous access enabled). Luckily Cisco has a technology that allows you to encrypt and decrypt your data coming on and off tape. This technology is storage media encryption.

Cisco Storage Media Encryption (SME)

Cisco’s Storage Media Encryption (SME) technology allows for the seamless encryption of your data flows on and off your backup tapes using AES256 standard encryption. Whether you have VSANS segregating your data, a core / edge architecture, or Virtual Tape Libraries (VTL), you can use SME to protect your data at rest, removing the possibility of an attacker getting access to your critical data.

Storage Media Encryption works by leveraging a multifunction chipset available in the 18/4 module that comes default with the 9222i and is an option for the 9500 series director class SAN switches. Chipset has a couple functions, including line rate encryption of iSCSI and FCIP data streams at gigabit speeds, as well as line rate encryption of data as it streams your tape or virtual tape library’s (VTL).

Want to learn more ?

SAN and NAS, Oreilly Press – In the classic Oreilly style by W. Curtis Preston, this book is a great starting place to understanding the fundamentals of San and Nas architectures that many people are likely to face.

Storage Media Encryption for Cisco MDS SAN Switches – http://www.cisco.com/en/US/products/ps8502/index.html . Cisco has lumped together a couple good data sheets here, though I may have to write a future article taking a deap dive on what really drives SME.Similar Posts:

• Identity aware networking using Cisco TrustSec
• Cisco Nexus 7000 DataCenter switch released – Welcome to DataCenter 3.0
• My CCIE Storage Shopping List
• Cisco is using Linux virtualization and 40 core CPU’s for its next generation routers
• Why was Storage Networking my first CCIE? And What did I do to prepare?
• How to succede in 2007 – By Tim O’Reilly

--Colin McNamara

Encrypting your backup tapes with Cisco Storage Media Encryption (SME)

In the past couple years, VMware has changed from a product hidden in development and testing environments to a full fledged enterprise computing platform. It brings many benefits to the companies that implement it, however with those benefits come changes to the access layer of your data center. Your access layer is no longer a top of rack Cisco switch, or end of row aggregation chassis. It is now a virtual bridge that exists logically within your VMware ESX server.

This causes an interesting question to come up in many customers – Who is responsible for the configuration and maintenance of this Vswitch? At first glance most groups reference the port on the last Cisco switch as the division of responsibility between network operations and systems operations. This has worked well in the past for a three main reasons.

First, it divided responsibilities based on technical skillset. For example a network engineer understands spanning tree, trunking, routing protocols, firewalling. While a systems engineer understands file systems, databases and Linux and Windows operating systems.

Second, it provided for a interconnection point where standardized configurations could be applied by an operational group, versus complicated configurations that could impact overall network designs and require an architectural board review.

Third it provided for a clean hand off for troubleshooting. Both network and systems operations could agree on layer 2-4 functionality in an area that provided for detailed debugging on both sides.

Lack of a defined access layer

VMware ESX throws a wrench in this model. We no longer have this well defined edge at the access layer. The access layer now exists virtually inside a server. More specifically, it is a logical devices running in a Linux server. This presents a challenge because it requires cross over knowledge. Whoever is responsible for this integration has to be fluent in Linux systems administration , and also fluent in network design and operations. Frankly this is a rare skill set to come across, as it requires and engineer who has attained high proficiency in both systems and network engineering.

I see this fuzzy line of demarcation often as a failing point for many VMware integrations. Many times I see network operations teams not involved in ESX cluster design because its a “server” , and systems operations teams generally don’t have the networking skills necessary to design and implement an fully functional system.. The solution to this problem is education and collaboration.

The need for collaborative design sessions

The single most powerful element in a successful VMware integration is the creation of strong design documents. These are created by holding planning sessions where both your systems and networking leads hash out a strong design that takes both short and long term virtualization and network goals into account. Also, many times when people hear the word design, they think it is a high level Visio and a bill of materials. That is a just a fraction of the effort required. A proper design should cover everything from a 10,000 foot overview Visio down to protocol flow diagrams and configuration examples. By created a detailed design like this it is likely to bring up common issues such as 10 gig aggregation, trunking, VMotion security, layer two adjacency and layer 7 network service delivery on a white board instead of a production environment.

To create this detailed design, both your Network and Systems leads have to understand this product. VMware recognizes this is critical to successful implementation (and to further sales of their product) an offers the VMware Certified Professional certification. If you have the resources, I would recommend sending both your network and systems leads to this training at the same time. Having them attend training together allows them to leverage each others strengths and bring up questions specific to their network and their goals.

A real world example of this is the company I work for, Eplus. Last April forty of us, all senior engineers attended VMware Certified Professional training at the same time. The class was mixed up so there was an even distribution of CCIE’s, Systems Experts, and Storage Experts. Needless to say this presented our instructors with some extremely challenging questions, but more importantly it set the stage and created a venue for collaboration between these different practices within our own company.

Real world benefits

A great example of this model’s success this occurred last month. Rick and I were sitting in the engineering side of our Sunnyvale office, catching up on email after giving presentations at Cisco that morning and afternoon. In the bullpen behind us, one of the Microsoft architects was engrossed in a troubleshooting call with a large customer on the other line. It turns out a large systems vendor (who shall remain nameless) had been trying for a week to integrate the first ESX cluster into this network and just could not get the networking portion to work correctly. Our account manager received the call from a the customer, and asked the technical teams to step in to see if we could help out in any way.

The systems engineers were able to isolate the problem down to the network interconnections, but needed to bring in networking resources to resolve the problem. Rick and I were waved over and were given an overview of the problem and introduced us to the customer the far side of the call. We asked a few questions about the physical and logical architecture of their network and created a diagram of their network on the whiteboard. With this we were able to ask them to execute commands continuously isolating the problem domain until we found and resolved the issue.

Seven minutes had passed from the point Rick and I were waved over to the point the customer had a working installation. This allowed the customer to focus on moving their business forward instead of fixing a failed implementation. Three of us on the call had attended VMware Certified Professional training together. We had spent at a minimum 50 hours each creating a baseline of understanding in class, as well as many discussions in engineering meetings. The solution came in seven minutes not because of any one teams individual strengths, but because of collaboration. The systems engineers were able to isolate the problem domain very specifically. And as network engineers trained on VMware were able to quickly understand and digest the issues, and tie it together with our larger understanding of networks as a whole. Only at that point, when the team was able to leverage each others strengths were we able to address the problem so quickly.

There will come a point in the next few years where this fuzzy boundary between the “network” and the “server” is established again. My call is that this will coincide with Cisco finishing development of their Vswitch that will reside inside the ESX server. This switch will require both Cisco and VMware improve their design and integration guides for ESX which are both frankly lacking substance. Until those detailed architecture, integration and troubleshooting guides exist the key to successful ESX cluster implementation will be a strong cross trained systems and network teams that are collaborating on the next level of virtual network design in your enterprise.

Want to learn more?

Cisco – Integrating Virtual Machines Into Cisco Data Center Architecture

This is Cisco’s main design guide regarding the integration of virtual machines. You can use it as a decent high level overview if you are a network engineer who is curious how VMware ESX, or Xen servers for that matter will fit into your network.

VMware – Virtual networking Concepts

This VMware document goes between high level overviews and detailed descriptions. It is a decent resource for a network engineer, and provides an overview of ESX network features, however it misses the target for providing configuration examples.

Blog of Scott Lowe – Technical Lead for Virtualization at Eplus Technology

Scott is an engineer that works with me at Eplus Technology. He is based out of the east coast and covers servers, storage and virtualization. His blog is chock full of good of information. A recent post of interest was how to enable Cisco Discovery Protocol (CDP) on VMware ESX server network interface cards.Similar Posts:

• Cisco releases Nexus 1000V virtual switch for VMware
• Arista Networks – Their approach to cloud networking
• Cisco Certified Design Expert – CCDE – officially released by Cisco
• Cisco NX-OS 4.0 | Next Generation Internet Operating System
• Resume – Colin McNamara, CCIE #18233
• New features in VMware 3.1

--Colin McNamara

Challenges integrating VMware into Cisco networks

IOS-XE is takes the best elements out of Internet Operating System (IOS) which has its roots in a closet at Stanford, and combines them with the most successful open source technology ever – Linux. Cisco is leveraging Linux virtualization technologies such as Kernel Based Virtual Machines to protect against operating system failures as well as to allow for In Service Software Upgrades (ISSU).

To really appreciate this, we first have to dive down into the overall architectural changes of the ASR1000. The largest change that Cisco has made was to implement separate forwarding and control planes. In the past, Cisco routers would have the processes responsible for forwarding traffic, and the processes responsible for configuring the router running on the same root operating system. The side effect of this is that if you want to upgrade the root operating system of your router, you are going to have interrupt the traffic flowing through it to do so, or have a physically separate route processor to take over while you rebooted. This is a big headache operationally, and effectively forced engineers to design in separate physical chassis to meet high uptime requirements.

What Cisco has done to address this, was to mirror changes made in their storage and carrier routing portfolios. Both of those product lines utilize the operating system to push commands into advanced processors that exist on the line cards themselves. The ASICS on the line cards are designed to work in a distributed fashion, so that production traffic never goes into up into the router processor (or sup engine). This in effect ensures that the control and forwarding planes can exist as independent elements.

If you look at the graphic above, you will notice 3 main zones. The upper zone is what we would normally describe as the control plane. This is where the higher level functions such as your routing processes, ssh daemons, snmp daemons, and shells live. In short, if you you configure or read something, you are going to do it here. The only time traffic flows through this plane is when you are doing a thing called process switching. keep in mind this is a rare occurrence and usually occurs because of an oversight in your network designs.

By separating the control and forwarding planes, this allows Cisco to basically run a management station on the router, that programs chip sets in the line cards on the fly. This in my opinion is where the true power of this architecture comes through. By separating the two functions the software engineers are free to utilize powerful open source technologies such as Kernel-based Virtual Machines, and the Linux kernel, while letting the integrated circuit engineers design blazing fast chips which allow full functionality at line rate.

What benefits should we receive from a virtualized control plane? First, in larger routing and switching chassis (including the top end of the ASR1000 line) you normally have physically redundant route processors (RP)/ supervisory engines(SUP). The operating systems on these RP’s synchronize many things, including configuration, process state, routing tables, security associations and much more. The primary reason for this, is if you have a failure in the active RP, you can failover to the standby RP without interrupting traffic flows.They also can be used to streamline the software upgrade process by only upgrading one RP at a time, and then gracefully transferring traffic to it. Once proper operation is verified, the backup RP can be brought up to the same code revision.In any production environment this is highly desirable, and helps immensely in the battle for five nines.

The ASR1000 takes the redundant RP concept seen in high end chassis, and allows you to implement redundant upgrades, as well as protection against software failure, with only one physical route processor. This is done by utilizing Linux kernel virtualization. Instead of running the control plane directly on the production hardware, a small kernel is inserted. Booting from that are two copies of IOS-XE. These run independently, and synchronize state and configurations just as if you had two physically separate route processors. What this means in operational English, is that where in the past, you would have to either have two devices, or a larger device with redundant RP’s to upgrade without disruption, you can now have that same ease of maintenance, in a much smaller (and at the end of the day, less total cost) package.

Below this is the forwarding plane.It plugs into to a high speed interconnected fabric which all line cards and RP’s are redundantly connected to. In the diagram above, this is the bottom level. Items in this plane include buffer memory, Cisco Express Forwarding (CEF) ASICS, and now the new QuantumFlow processor. This is normally where you would find your DCEF enabled line cards, fibre channel and Nexus7000 line cards, as well as the modules for the ASR1000 routers. When properly utilized, traffic should be relatively isolated to this tier, and function independently from the control plane.

The shining star of the ASR1000′s forwarding plane is a group of chips that is referred to as QuantumFlow. The QuantumFlow architecture itself merges Cisco’s strength in integrated circuit design, with its strengths in IOS software design. In the past, Cisco would design ASICS’s for specific functions, and then write commands down into them. This has worked very well, until they point that a new feature came out that couldn’t leverage the fixed configuration of an older ASIC. Your choice at that point was generally to process switch for that feature (which is slower, and honestly bad form), or upgrade your cards to the newer ASIC design. The QuantumFlow chipset approaches this problem from a new angle. The first chip in the set (Popeye) is designed to be field programmable in C, as well as no fixed internal pipelines. This combined with utilizing 40 cores running between 900 and 1200 megahertz allows the programmers to utilize parallel processing techniques to utilize an immense amount of processing power in real time.

To put things into perspective, remember when you got your first multi core laptop or desktop. You were able to say watch a DVD, as well as compile code at this same time, while continuing to have a responsive workstation. Now imagine what you could do with a 40 core processor. This is the kind of power that we are talking about. Now imagine, that not only is your workstation immensely powerful, but you could also offload common jobs such as running daily builds, or encoding videos to another machine (or in this case processor.

In the ASR1000 this processor is called Spinach (yellow are in the graphic above). And of course just like the cartoon, Popeye’s potential really comes to light when combined with Spinach. Spinach is a separate chip, that is used a a traffic manager. This chip handles queueing and quality of service, ensuring that the proper packets arrive at the proper time, as well as interconnecting with cryptographic offload engines so it can equally apply services to encrypted flows.

At the end of the day, the most important question is not how fast something is, or how cool it is. The question is what can it do for me? By leveraging this new architecture the ASR1000 is now able to do line rate inspection of traffic using Network Based Application Recognition (NBAR), Support 128,000 queues for deep quality of service, secure and encrypt data using zone based firewalls and embedded crypto engines, segregate traffic using MPLS, integrate advanced voice and video functionality, as well as providing fulling Netflow v9 support for all of the above. It provides all of these services in an always on solution utilizing Linux virtualization, as well as leveraging an flexible chip set architecture that allows for field programmable improvements in the future.

My hope is that after reading this article that you are in a better to understand how Cisco is leveraging open source technology and integrated circuit designs to improve the foundation of the internet. In upcoming articles I will be discussing design scenarios utilizing this features in this product, as well as highlighting other areas where Cisco is embracing both open source technology, as well as open architectures that can properly leverage projects such as Linux, Ntop, Wireshark and more. If this article has you interested in learning more about some of the technologies mentioned today, then I encourage you to check out some of the links below, or shoot me and email to be highlighted in a future readers questions article.

Learn more about Linux Kernel-based Virtual Machines

Learn more about Cisco’s ASR1000

Learn more about Cisco QuantumFlowSimilar Posts:

• Cisco NX-OS 4.0 | Next Generation Internet Operating System
• Application Extension API notes – Cisco Live 2008
• Zone based IOS firewalls
• Arista Networks – Their approach to cloud networking
• Simplifying remote site security with Cisco’s new video surveillance modules on the ISR
• Altor Virtual Network Security Analyzer (VNSA) integrated with Cisco’s Nexus 1000v for VMware

--Colin McNamara

Cisco is using Linux virtualization and 40 core CPU’s for its next generation routers

Cisco TrustSec starts at the edge by negotiating a secure link if both hosts support it (802.1ae). This is similar to wireless encryption schemes, where a secure handshake is established and the L2 path become impervious to sniffing. This is user configurable, and to my knowledge the asics available to support line rate encryption are currently only on the Nexus 7000 blades.

The next step is to start 802.1x negotiations. For the people not familiar with 802.1x, it is a way of passing username / password information from your computer up into the network infrastructure. Once this is completed, the switch can not only utilise tools like NAC to place you into the appropriate quarantine, or access vlans, but it also know knows your identity.

Now the “network” is aware of your identity, a new level of granular security control can be deployed across your infrastructure. These security policies can map into “user x can connect to webserver y” instead of being restricted by ip and port. This allows you to utilize true roles based administration similar to what you use in your Windows and Unix file systems, but now you can do this across the network.

How is this done ? I like to think of this as a mix between dscp and mpls tags. Which in a nutshell means that when traffic enters the network it is tagged with a small amount of additional “identity: information which is retained as it traverses the network. This information can be used to augment or completely replace your current ACL based security controls in a way that enables you to more effectively comply with complex regulatory environments such as PCI, SOX, GLBA and HPPA.

Over the past few years we have learned how to leverage intelligence in the the network by utilizing tools like QOS, MPLS VPN’s, and many others. Expect to add Cisco TrustSec to your quiver of tricks to address the ever growing compliance needs faced by today’s network designers.

Learn more about Cisco TrustSecSimilar Posts:

• Cisco Nexus 7000 DataCenter switch released – Welcome to DataCenter 3.0
• Encrypting your backup tapes with Cisco Storage Media Encryption (SME)
• Altor Virtual Network Security Analyzer (VNSA) integrated with Cisco’s Nexus 1000v for VMware
• Cisco releases Nexus 1000V virtual switch for VMware
• Zone based IOS firewalls
• Cisco Nexus 4000 Blade Switch

--Colin McNamara

Identity aware networking using Cisco TrustSec

What useability enhancements do you feel are the most beneficial?

1. A separate, IP enabled, Management Interface. This has been a long time coming. The out of band management interface is very similar to a Ilo card in the HP world. it is effectively a supercharged console server that happens to site on the backplane of the sup engine. I am sure whoever pushed this feature through is going to get flowers one day from a Tech who DIDN’T lock himself out because the management interface was effectively a separate system.
2. Finally, a functionally USB Interface that I can transfer IOS (well, now NX-OS) images through. Everyone has a USB key nowadays, even my Grandmother has one, it will make life so much easier when I can have a 4 gig key with me that has most IOS / NX-OS  versions and my common configs and just pop them right in.
3. The integrated Cabling system is CLEAN. I love that it forces you to reserve the appropriate space for cabling, and that there finally is the possibility to avoid the flying spaghetti train wreck we see so often in Data Centers.
4. Front to back Cooling. The cooling design is well thought out. I liked the fact that it draws from directly above the front floor and exits rear top.. This should help out in raised floor data centers that have a large temperature gradient as you move to the top of the rack. It also negates problem of having multiple 6500 chassis side to side and having warm air blowing from the exhaust of one 6500 to the intake of another 6500.
5. Fan Slots are now placed where it is IMPOSSIBLE to cover with cables. I would say 7 out of 10 times when I walk into a new customers Data Center I find that there are cables run directly over the fan tray with no slack. That is not a failure in design per say, but it could have been avoided. With the Nexus 7000 fan trays in the back the problem is solved before it is created.
6. Power supplies are in the back . FAR away from the data cabling. It never fails that 20 amp circuits get uncomfortably close to copper cabling. By moving the power supplies to the back side of the chassis, this becomes a mute point and we remove any shadow of a doubt about EM interference causing craziness in our cabling.
7. This one sounds really mundane, but a quick heads up grouping of status lights. In the past these were normally in a position where you had to squat down to see them, or they are obscured by cables. Buy putting them on the front of the cable tray assembly it ensures these will always be visible.

What can we focus on now to make it a better platform?

1. One thing that worried me a little was the placement of the compact flash cards in the supervisory module. For those how haven’t it up close look at this picture of the chassis  and look for the Grey cover midway up the sup modules in the center slots. Behind them are two flash cards, one for system partition extension, and one to dump log files into. Having these cards available are great features however I could see an operational process of security rotating out the log partitions, or more likely and engineer pulling the flash card after dumping some data for analysis to it, and then pulling the wrong card by accident. Having a simple strap (like the screw downs for power supply plugs) or something similar would go along way towards mitigating that risk.
2. Continue with the spirit of innovation that has defined Cisco over the years. Cisco has consistently came out with or acquired and integrated many great products that directly address the needs of the market place into the product line (MARS, ASA, AireSpace, TelePresence, MDS, ACE, Etc) but frankly the last GAME CHANGING product that set the industry on its heals and forced everyone to rethink how we utilize technology to accelerate business as a whole was the acquisition of Selsius and the introduction of VOIP as an enterprise class product to the world. I remember having the hair stand up on my arms from the excitement of going up against Avaya and Nortel back then and fighting that uphill battle, educating customers and peers about this “new thing called VOIP and how CallManager (now Unified Communications Manager) is your ticket towards productivity.

   When we talk about the Virtual DataCenter, I/O Virtualization (FCOE) and VFrame Automation it is not just another incremental improvement of existing technology. It is a paradigm shift, a leap ahead, a GAME CHANGER. I get the same chills that I did when VOIP was new because I know that those are technologies that will force us to rethink how we approach computing and data systems. These technologies are to the Data Center what IP telephony was to the PBX, and Cisco is the only company with technologies and engineering know how in all the verticals necessary to pull this off.

Similar Posts:

• Cisco Nexus 7000 DataCenter switch released – Welcome to DataCenter 3.0
• Simplifying your Data Center with Cisco’s Nexus 2000 Fabric Extender (FEX)
• Nexus 5020 – Consolidated 10 Gig Ethernet and 4 Gig Fibre Channel
• Simplifying remote site security with Cisco’s new video surveillance modules on the ISR
• Moving towards a Green Data Center – Truth behind the hype
• Interesting TechWise TV episode on virtualization

--Colin McNamara

Usability features in Cisco’s Nexus 7000

One feature that is new, and frankly extremely exciting is Virtual Device Contexts. Each virtual device runs with its own process, vs the use of tagged differentiators in technologies such as VRF-Lite. This provides for paravirtualized management instances, and clear lines of delineation for both software and hardware for a resource that can be shared between different groups within an enterprise.

Chassis that run NX-OS will support In Service Software Upgrades (NSSU) to allow operations groups to upgrade operating systems with zero downtime. This is accomplished through a combination of modular software architecture, and the decoupling for the control and forwarding planes.

One of my favorite features in SAN-OS is the embedded is fabric analyser. This is a tool that can sniff management traffic without having to plug in a sniffer, or provision a span port. You can dump in real time to a tcpdump like interface in the command line, output to a local file, or map to the ip of a wireshark instance that layer 3 access to the management port. Cisco again has taken the best of SAN-OS and bundled it with NX-OS. You will be able to remotely span management traffic without having to set up rspan, or trudge down to the datacenter to set up a sniffer.

Now, your router can call home right now so that is not a totally new feature. Smart Call Home was released recently into IOS. But that still doesn’t stop it from being a great feature. This allows you to configure NX-OS powered devices to mail an xml formatted troubleshooting email to TAC, and / or your support staff. This has been proven to drop the average time to resolution from 16-30 hours to 6 hours.

Now the drum roll…… All IP routing features are VRF aware. This has been a point of contention with me for a while. As Cisco and the market in general has embraced virtualization as an answer to pressing business concerns of leveraging shared infrastructure, while retaining security controls segregating disparate environments technologies such as MPLS and VRF within the datacenter have become more and more prevalent. That is great, however it never fails that the feature you need at that moment always seems to be coming out in the NEXT IOS release. With Cisco NX-OS 4.0 this is no longer a question.

Now, if I was a CIO and I was reading about all these new technologies that Cisco was pushing with NX-OS, I would frankly be cautious, and rightfully so. The thing is, most of these features are not new, they have been in use, and in production under the most stringent uptime conditions in the world – storage networking. They have been tried and tested on Cisco’s MDS line of storage networking switches. So get comfortable, get educated, but most importantly get on board for DataCenter 3.0.Similar Posts:

• The emergence of MDS features in Cisco’s datacenter networking equipment
• Cisco is using Linux virtualization and 40 core CPU’s for its next generation routers
• New features in VMware 3.1
• Link Round Up – L2TPv3 FCOE Trill Wounded Warriors
• Arista Networks – Their approach to cloud networking
• About Colin McNamara

--Colin McNamara

Cisco NX-OS 4.0 | Next Generation Internet Operating System

For the engineering perspective on this, the CCDE is equivalent  to the CCIE. However, the CCDE is focused on design and architecture rather then implementation. Where the CCIE (R&S, Voice, Security, Service Provider, Storage) is focused on implementation, the CCDE is focused more on the pre-sales design and architecture efforts. I am personally looking forward to the lab being released, as it provides a certification to validate the skill set needed to be an sales engineer on Enterprise accounts, or to be a network architect at an Enterprise corporation.

It is funny how small a world it is. Eplus (the company I work for) CEO – Phil Norton was quoted on Cisco’s press release -

“Certifications provide a stamp of approval that validates the quality of our organization’s employees,” said Phil Norton, chairman, CEO and president of ePlus. “The CCDE isn’t about operations; it’s about recognizing the value of network designers and honoring their core skills that provide a real value to our business and our customers.”

My gut feel when I first got invited to the CCDE beta program was that this will become a requirement for the Channel. I think Phil’s statement cements that gut feel into a reality. Obtaining a CCDE will become similar to the CCIE – a check box that you must attain to work with the top VAR’s out there. This makes me extremely grateful that I was lucky enough to be invited into the beta group to be allowed first crack at this gem of a certification.Similar Posts:

• It’s on like Donkey Kong – CCDE practical registration is open
• CCDE Practical – Beta candidate deadline August 1 2008
• Cisco Certified Architect – Board examination above the CCIE and CCDE
• Are you a kick ass engineer looking to grow?
• Challenges integrating VMware into Cisco networks
• About Colin McNamara

--Colin McNamara

Cisco Certified Design Expert – CCDE – officially released by Cisco

CERTIFICATIONS / ACCREDITATIONS HELD

• CCIE – Cisco Systems Internetwork Expert #18233
• VCP – VMware Certified Professional
• CDCUCSS – Cisco Data Center Unified Computing Support Specialist
• VSP – VMware Sales Professional
• VTSP – VMware Technical Sales Professional
• TSS – Cisco Technical Solutions Specialist, Data Center
• GCIH – GIAC Certified Incident Handler
• CCVP – Cisco Certified Voice Professional
• CSNSSS – Cisco Storage Networking Solutions Support Specialist
• CSNSDS – Cisco Storage Network Solutions Design Specialist
• CADCNSS – Cisco Advanced Data Center Networking Infrastructure Support Specialist
• CCIE Storage Networking
• RHCE v4/5 – Redhat Certified Engineer #804006368822511
• RHCT v4/5 – Redhat Certified Technician #804006368822511
• EMCPA – EMC Proven Professional Associate – Information Storage and Management
• NSCA – Netscaler Certified Administrator #2005072
• NACE – Network Appliance Certified Expert #12912
• NACP – Network Appliance Certified Professional #12017 – Data Protection
• NACP – Network Appliance Certified Professional #11985 – Storage Area Network
• NACP – Network Appliance Certified Professional #12911 – High Availability

Retired Certifications

• Cisco Qualified Specialist – IP Telephony Support
• Cisco Qualified Specialist – IP Telephony Design
• Cisco Qualified Specialist – IP Telephony Operations
• Cisco Wireless LAN Design Specialist
• Cisco Wireless LAN Support Specialist

PROTOCOL PROFICIENCY

EIGRP, OSPF, RIP, BGP, MPLS,  Spanning Tree, Rapid Spanning Tree, VPC, VSS, VDC, TRILL, Fabric Path, OTV ATM, RTP, SIP, H.323, LWAPP, RADIUS, TACACS+, Ethernet, Fibre Channel, iSCSI, NFS FCIP, FCP, FSPF, NDMP 802.11a, 802.11b, 802.11g, RBE, ISDN, SNMP

Virtualization , Parallel and High Performance Compute Platforms

VMware ESX, Kernel Virtual Machine, Xen, Platform LSF, Sun Grid Engine, Hadoop

VOICE and VOICE OVER IP

CallManager, Unity, ICS7750, PBX Trunking, SRST, Active Directory Integration, Extended Services, Call Detail Recording, Automated Attendant, Extension, Mobility, Asterisk, Callware and VSR VM.

HARDWARE

Cisco Unified Computing System (UCS) 6100, 2100, 5100, Nexus 7000, Nexus 5000, Nexus 2000 and Nexus 1000v switches, Catalyst 1900-6509 switches, 1600-7500 series routers, Cisco PIX firewalls, Cisco Load Balancers, Cisco

MDS , F5 Load Balancers, Netscreen / Juniper Firewalls, Cisco VPN3000 VPN concentrators, Cisco ASA Adaptive Security Appliances, Nortel Contivity VPN Concentrators,  Aironet Access Points and Bridges, Airespace LWAPP

concentrators. 3com TotalConnect racks, Ascend dial concentrators, Netscaler Load balancers, SSL accelerators, SSL VPN concentrators. Brocade Silkworm, HP Eva Storage

NETWORK MANAGEMENT

Nagios, Cacti, NTOP, IPswitch What’s Up Gold, BIG Brother, Spectrum Network Management, Kiwi Syslog,, MRTG , HP OpenView, Cisco Secure Intrusion Detection system,

Cisco Network Based Application Recognition, Snort IDS, Netscreen Firewall Manager, Unified Compute System Manager

OPERATING SYSTEMS

Redhat, Suse and Ubuntu Linux, Windows 2000, Windows 2003, Windows 2008, Windows XP, NT4.0, BSD, Solaris, OSX

BUSINESS ENVIRONMENTS

Consulting, Valued Added Reseller, Large Enterprise, Startup, Banking, Service Provider, Software Development, Manufacturing, Military

EMPLOYMENT

6/11 -  Present , Nexus IS

Director, Data Center Practice

Responsible for got to market strategy for Nexus IS, a national Cisco DVAR.

Accomplishments

• TBD

1/07 – 6/11, ePlus Technology

Consulting Systems Engineer – Data Center (10/08 – 6/11)

Transformed ePlus western region from a #3 and #2 ranked voice and campus partner to the #1 ranked Data Center partner in Northern California

Accomplishments

• Changed regional sales focus from technology silo’s to solutions based selling covering network, systems, storage and applications under one umbrella
• Developed and deployed go to market strategy for Cisco’s Unified Computing System resulting in significant competitive advantage in the western United States.
• Deployed the first Nexus 7000/5000/2000 architecture into production securing competitive advantage across multiple verticals.

• Increased Data Center revenues year over year in the worst economy in a century.
• Attracted and retained top industry talent.
• Leveraged unique technology positioning to win multiple key global clients.
• Partnered with business units inside of Cisco, resulting in key product enhancements as well as increased revenue for both ePlus and Cisco.
• Passed multiple certifications resulting in ePlus being able to sell and install EMC Vblock.

1/07 – 6/11, ePlus Technology

Senior Systems Engineer (1/07 – 10/08)

Accelerate Technical Sales, design and implement network, storage, voice and systems solutions for ePlus Southern California customers.

Accomplishments

• Changed regional sales focus from technology silo’s to solutions based selling covering network, systems, storage and applications under one umbrella.
• Established a trend of Advanced Technology account wins.
• Accelerated ePlus’s southern California sales by providing high-end engineering support.
• Integrated MPLS service provider designs into cutting edge Enterprise and Casino Gaming solutions.
• Filled PM and lead network engineer roles for large publicly traded company data center migrations.
• Created modular Cisco design / quote format and menu based hardware and services options to address rapidly changing customer needs.

9/05 – 1/07 ID Analytics

Lead Network Engineer

Lead team of four engineers, Define network and application integration architecture for large SaaS (financial cloud) analytics deployment , Leverage networking technology to increase security and availability, and decrease development and product deployment timelines

Accomplishments

• Led team of engineers responsible for all Production and Back Office systems in 2 offices and 3 datacenters
• Designed and Implemented ID Analytics Phase2 datacenter, processing 1.8 million financial transactions daily.
• Designed and Implemented Contents Switching and SSL offloading solution, enabled non-disruptive scaling of core products
• Integrated ID Analytics product with the largest card processors in the world – Equifax, Visa, TransUnion, etc.
• Designed and integrated centralized Fiber Channel and ISCSI SAN solution, increasing application speed and decreasing production database refresh times from 4 weeks to 1 week.
• Managed and maintained over 130 terabytes of storage
• Created lights out server imaging and deployment solution for remote datacenters
• Deployed and integrated monitoring solutions utilizing open source technology
• Created user emulation probes for real time application monitoring and trending of production systems
• Worked with development and Analytics to create structured Development and QA environments
• Spearheaded project to change Analytics / Informatics environment from “unix for workgroups” to high performance computing environment (HPC)
• Provide structured documentation to US Government and Corporate auditors
• Utilized project management skills for international rollouts

2/04 – 8/2005 Openwave Systems
Senior Network Engineer, Strategic Design and Integration Group
Provide technical leadership, Define network architecture, Establish standards and technical vision. Responsible for researching, developing, and architecting technical solutions to business needs.

Accomplishments

• Designed Openwave’s new Pacific Datacenter Networks, with 900 production, and 2000 development servers.
• Designed Openwave’s Pacific Shores Campus Networks, and Showcase Datacenter.
• Responsible for hardware acquisition budget of 1.7 million dollars
• Established ISCSI IP based SAN infrastructure with DR components in 4 major datacenters worldwide
• Promoted from the ranks, moving from running our VOIP phone systems, to Network team lead, to Senior Network Engineer in the Strategic Design and Integration team.
• Active and engaged member of multiple boards covering design review, change control, and security
• Negotiated with Cisco and SBC regarding datacenter purchases saving $906,000 off list price.
• Renegotiated Cisco support saving Openwave nearly $600,000 over our three year term
• Established improved data center controls, allowing Openwave to pass Sarbanes Oxley (SOX) audits
• Wrote and ran multiple RFP, RFQ, and RFI’s
• Utilized project management skills for international rollouts
• Managed, Piloted, and Installed new wireless systems for our Customer Briefing Center
• Responsible for 6 VOIP clusters around the world
• Recipient of multiple awards recognizing dedication and quality work.
• Attended continuing training for security management (CISSP)

2/03 – 1/04 USMC Reservist activated in support of Operation Enduring Freedom
Information Services Coordinator
Implement and maintain Tactical Data Networks, Provide consulting services to hosting units. Maintain Microsoft Exchange servers in both tactical and garrison environments. Perform security audits and remediation. Train support personnel.

Accomplishments

• Performed Disaster recovery of routed ATM LANE environment for Marine Corps Air Station Yuma enabling over 3000 users to resume work (awarded the Navy and Marine Corps Achievement Medal for that event)
• Performed security audit and created a security and performance remediation plan for MCAS Yuma
• Provided project management and security audit skills to 3^rd Marine Air Wing Yuma server support teams, managed server security audit, security remediation, and SMS rollout.
• Designed and implemented Nagios network monitoring system at Marine Corps Air Station Yuma.
• Implemented Norton Antivirus server for MWSS 473
• Provided training on to data teams from MWSS 473, MCAS Yuma Station IT, and 3^rd Marine Air Wing Yuma server teams.

12/02 – 2/04 2 Cups Solutions, Pleasanton , Ca
Principal Consultant
Founded 2 Cups Solutions to provide cutting edge Voice, Data, Wireless and Security services to clients in the San Francisco bay and Fresno areas.

Accomplishments

• Implemented WAN failover solution at two City of Hayward fire stations.
• Implemented email and web solution for Express Mobile Notary.
• Developed and implemented business plan focusing on State and Local Government contracts.

2/02 – 12/02 ExtraTeam, Pleasanton , Ca
Senior Systems Engineer
Design, Installation, Configuration and Maintenance of network systems consisting of Cisco CallManager, Unity, Cisco Secure ACS, LEAP secured wireless, Aironet, Cisco routers and switches, PIX firewalls, and VPN3000 concentrators. Integrating all systems with Active Directory. Performed VOIP feasibility studies. Managed the entire business cycle including sales, design, installation, training and maintenance.

Accomplishments

• Integrated CallManager voice system with Active Directory
• Recovered a failed CallManager implementation at Phase 2 Strategies (PR firm for Logitech). Implemented CallManager with up to date hardware and software, upgraded Unity up to reasonably current levels. Brought up remote office in Phoenix utilizing SRST.
• Implemented City wide wireless network integrated with active directory for the City of Hayward
• Implemented VPN Concentrators in conjunction with multiple levels of firewalls for City of Hayward and Hayward PD to meet CLETS requirements.
• Implemented network configuration management system responsible for the city of Hayward.
• Implemented new wan for Livermore Pleasanton Fire department moving fire stations from isdn to T1 and Gigabit fiber lines in conjunction with moving the location for the network core.
• Designed and implemented IPSEC based wan for Universal life resources, allowing nationwide secure remote office connectivity while minimizing wan connection costs.
• Designed CallManager based VOIP system for a 27 site school district
• Provided emergency support to Fire and Police agencies across the bay area
• Performed security remediation for a large bay area company
• Participated in large switched network cutover from 7500 to a 6509 with flex-wan modules for Stanislaus County.
• Achieved technical certifications for ExtraTeam to become certified under both the Wireless and IP Telephony revised specifications.

7/01 – 2/02 Infobond Inc. Burlingame , Ca
Network Engineer

Responsible for engineering duties in a leadership role. Integrated legacy PBX’s using VOIP technology. Used Quality of service to ensure VOIP service levels. Support legacy voice over IP and voice over Frame Relay technologies. Upgrade from legacy voice integrations to state of the art VOIP integrations. Create project plans and act on them.

Accomplishments

• Cut over evergreen lines shipping terminal from legacy 3com equipment to VOIP enabled Cisco routers and switches. Accomplished all work during Union stand downs.
• Contracted to Openwave, Inc. to run Remote Access while the engineer was on leave. Ran Remote Access for 5 weeks, resolving DSL RLAN issues and IPSec issues, while reducing trouble ticket backload to manageable levels. Assisted other engineers when needed.
• Implemented Cisco 6509’s to replace aging core network of a Benchmark Capital (bay area investment firm).
• Diagnosed and resolved VOIP issues that were stopping call center rollouts for Embarcadero Systems (a large bay area shipping company).

03/00 – 7/01 Knapp Publishing Corporation, San Ramon, Ca
Network Systems Administrator

Responsible for day-to-day operations of e-commerce data center, and wide area networks Performed DNS changes for both internal and external networks. Designed, piloted, and implemented network changes. Installation configuration and maintenance of NT, and Windows 2k file, print, and web servers

Accomplishments

• Improved service levels from 90% to 99.99%, enhanced security and increased bandwidth were benefits derived from implementing a state-of-the-art web hosting data center
• Implemented a network monitoring system to document, report, and notify of network status.
• Designed and implemented ISDN failover of Frame-Relay Network.
• Designed, piloted, and implemented network changes.
• Replaced NT servers with Linux based servers, integrated with the Windows network

01/98 – 03/00 DKA Computers Inc. Clovis, Ca
Manager Information Services (01/99 – 03/00 )

Ran day to day operations of a large valley ISP. Worked with systems manufacturing to bundle client software with all new PC’s. Partnered with local ISP’s to provide access numbers across the valley.

Accomplishments

• Managed web development, and professional services
• Moved web hosting from IIS on Windows NT to APACHE on Linux based servers, drastically increasing site availability
• Produced a forms based web application to configure custom systems online.
• Designed and implemented an IPSec based WAN connecting 3 stores point of sales systems.
• Managed corporate office and data center relocation project.

Senior PC Service Technician (01/98 – 01/99)

Provide on call service. Staff PC help desk. Provide direct customer systems support while maximizing company revenues. Configured all servers ordered from manufacturing.

Accomplishments

• Responsible for all day to day service activities for a 13 million dollar company. Management of 4 team members. Directly responsible for customer satisfaction
• Implemented hard drive imaging system, decreasing both warranty costs and turnaround time
• Installed and configured SCO Unix reservation system for National Park service, Kings Canyon
• Deploy Citrix Winframe Systems, Windows NT 4.0 Systems
• Designed, implemented inventory tracking database, reducing required stock on hand by $40,000

MILITARY

1996 – 2004 UNITED STATES MARINE CORPS RESERVE
Have held U.S. Government security clearance – Secret

EDUCATION

Ongoing professional education

Sans CISSP + Track

University of Oklahoma extension – Fire Science

Cisco Networking AcademySimilar Posts:

• What does it take to pass the CCIE exam?
• I’ll be at Cisco Live 2008 (networkers) in Orlando all week
• About Colin McNamara
• Cisco Certified Design Expert – CCDE – officially released by Cisco
• Challenges integrating VMware into Cisco networks
• Darrel Hinshaw – New Triple CCIE [Storage]!!!!!!!

--Colin McNamara

Resume – Colin McNamara, CCIE #18233

Colin is best known for providing designs that incorporate disparate technologies under a shared virtualized infrastructure. He is a proponent of both network virtualization and the utilization of service provider technologies inside enterprise networks to support the security delivery of Voice, Video, Storage and Real Time Application traffic over shared network infrastructure.

He resides in the San Ramon (San Francisco Bay Area) , California with his Wife and two kids. And is active in multiple boards and organizations, including -

• Cisco Partner Technology Advisory Board
• Consortium of Internet Technology Experts

He can be contacted via information found on his CCIE Resume page . by contacting him via Linkedin or at colin@2cups.com

Similar Posts:

• Colin has left ePlus Technology
• Cool new features in 12.4(15)T
• Are you a kick ass engineer looking to grow?
• Resume – Colin McNamara, CCIE #18233
• I’ll be at Cisco Live 2008 (networkers) in Orlando all week
• Cisco NX-OS 4.0 | Next Generation Internet Operating System

--Colin McNamara

About Colin McNamara

Though CCIEs are members of an exclusive group, they can be found in countries on every continent. Use the map and tables below to discover your peers around the world.

Americas EMEA Pacific Rim Africa Asia Cana Europe Middle East Pacific Islands South America United States

Total of Worldwide CCIEs:		15658 (last updated 11.14.2007)
Total of Routing and Switching CCIEs:		14329
Total of Security CCIEs:		1207
Total of Service Provider CCIEs:		650
Total of Storage Networking CCIEs:		99
Total of Voice CCIEs:		601

Multiple Certifications:

Copyright ©2008 | Colin McNamara | CCIE 18233 | All Rights Reserved”

Colin McNamara
CCIE #18233

http://www.2cups.com

“The difficult we do immediately, the impossible just takes a little longer.”Similar Posts:

• Darrel Hinshaw – New Triple CCIE [Storage]!!!!!!!
• What does it take to pass the CCIE exam?
• About Colin McNamara
• Cool new features in 12.4(15)T
• And it begins again – On the road to my CCIE in Storage
• Passed CCDE written and Recertified my CCIE – Killed two birds with one stone

--Colin McNamara

Updated CCIE numbers

Cisco has finally included zone based firewalling in the IOS firewall feature set. The configuration guide can be found here -

Zone Based Firewall Design and Configuration Guide

The things that really got me interested are -

1. It is VRF aware (works well with network virtualization strategies)
2. No more CBAC’s
3. Policing built into firewalling classes
4. Content inspection including HTTP,P2P, and Instant Messenger

I think the biggest plus for this release is that IOS firewalls are finally following the general trend of zone based firewalling. By moving this way, configuration errors resulting in lax controls are likely to be minimized.

Excerpts from the documentation -

Cisco IOS Software Release 12.4(6)T introduced a new configuration model for the Cisco IOS Firewall feature set. This new configuration model offers intuitive policies for multiple-interface routers, increased granularity of firewall policy application, and a default deny-all policy that prohibits traffic between firewall zones until an explicit policy is applied to allow desirable traffic.

Nearly all firewall features implemented prior to Cisco IOS Software Release 12.4(6)T are supported in the new zone-based policy inspection interface; supported features are as follows:

•Stateful packet inspection

•Application inspection

–HTTP

–Post Office Protocol (POP3), Internet Mail Access Protocol (IMAP), Simple Mail Transfer Protocol/Enhanced Simple Mail Transfer Protocol (SMTP/ESMTP)

–Sun RPC

•VRF-aware Cisco IOS Firewall

•URL filtering

•Denial-of-service (DoS) mitigation

Zone-based policy firewall generally improves Cisco IOS performance for most firewall inspection activities.

The only Cisco IOS Firewall features that are not supported in zone-based policy firewall in Cisco IOS Software Release 12.4(6)T are as follows:

•Authentication proxy

•Stateful firewall failover

•Unified firewall MIB

Zone-based policy firewall completely changes the way you configure a Cisco IOS Firewall.

The first major change to the firewall configuration is the introduction of zone-based configuration. Cisco IOS Firewall is the first Cisco IOS Software threat defense feature to implement a zone configuration model. Other features might adopt the zone model over time. The classical Cisco IOS Firewall stateful inspection/context-based access control (CBAC) interface-based configuration model employing the ip inspect command set will be maintained for a period of time, but few, if any, new features will be configurable with the classical command-line interface (CLI). Zone-policy firewall does not use the stateful inspection/CBAC commands. The two configuration models can be used concurrently on routers but not combined on interfaces; an interface cannot be configured as a security zone member as well as being configured for ip inspect simultaneously.

Zones establish the security borders of your network. A zone defines a boundary where traffic is subjected to policy restrictions as it crosses to another region of your network. Zone-Policy Firewall’s default policy between zones is to deny all. If no policy is explicitly configured, all traffic moving between zones is blocked. This is a significant departure from stateful inspection’s model, in which traffic was implicitly allowed unless it was explicitly blocked with an access control list (ACL).

The second major change is the introduction of a new configuration policy language known as CPL. Users familiar with the Cisco IOS Software Modular quality-of-service (QoS) CLI (MQC) might recognize the format being similar to QoS’s use of class maps to specify which traffic will be affected by the action applied in a policy map.

Colin McNamara
Copyright ©2008 | Colin McNamara | CCIE 18233 | All Rights Reserved”Similar Posts:

• Cisco is using Linux virtualization and 40 core CPU’s for its next generation routers
• Cool new features in 12.4(15)T
• Identity aware networking using Cisco TrustSec
• Routers can email you when they go down
• Measuring and mitigating risk involved with sharing virtual infrastructure between DMZ and Internal environments
• Cisco NX-OS 4.0 | Next Generation Internet Operating System

--Colin McNamara

Zone based IOS firewalls

* Solid State Drive (SSD) boot support
As initially discovered last month, VMware will make available a special version of ESX Server (mentioned with terms like ESX Lite and Embedded ESX) for OEM vendors, to be installed into bootable Solid State storage devices (flash drives, etc.). This option will allow creation of ESX Server hardware appliances for easy jumpstart, granting smaller form-factors and improved reliability.
Dell, IBM and possibly other vendors will offer this option at announcement time in Q3 2007.
* DMotion
Unofficially introduced with ESX Server 3.0.1, in its first version DMotion is a special VMotion operation only capable of moving running virtual machines from an ESX Server 2.5.x host to a new ESX Server 3.x., without shared SAN LUN mandatory requirement.
In ESX Server 3.1 this capability will be extended, allowing hot migration of running virtual machines between ESX 3.1 hosts through the Ethernet cable.
* Patch management system for host and virtual machines (Update Manager 1.0)
ESX Server 3.1 will finally introduce an automated patch management system called Update Manager. This solution will be able to update both host itself and virtual machines (both Microsoft Windows and Red Hat Enterprise Linux).
Update Manager will look for available updates from Shavlik Technologies website (a possible acquisition after IPO), and will allow VI administrators to decide which patches to deliver to virtual machines.
Before applying them, Update Manager will take a snapshot and will even rollback automatically if something goes wrong.

(this product was originally codenamed VM Integrity and its developement started more than one year ago, when virtualization.info discovered it in June 2006)
* VMware Consolidate Backup (VCB) and VMware Converter 4.0 integration
VirtualCenter 2.1 will now allow restoring VCB images with an integrated version of VMware Converter, which reaches 4.0 release number.
* Server consolidation advisor
VirtualCenter 2.1 will expose a server consolidation assistant able to analyze which physical machines should be converted in virtual ones, and where to move existing VMs among available hosts.
(note that with this feature VMware is further extending competition with PlateSpin, covering both features with PowerRecon and PowerConvert)
* Guest OS disaster recovery capability
VirtualCenter 2.1 will be able to recognize a failure inside a virtual machine and restart it through VMware HA module.
* Support for VMware Server 2.0
VirtualCenter 2.1 will be finally able to seamless manage both ESX Server and VMware Server 2.0 hosts.
* Lockdown Mode
ESX Server 3.1 will expose a new security feature to completely disable local administrative account after a VirtualCenter 2.1 takes remote control.
* Power saving capability (Distributed Power Management)
VirtualCenter 2.1 will introduce a new resources utilization analysis feature, able to verify when a physical host can be powered off, VMotion-ing its virtual machines on other hosts without impacting performances.
* Support for Cisco Discovery Protocol (CDP)
VirtualCenter 2.1 will be able to recognize and use CDP to discover physical and virtual network topologies.
It stays unconfirmed if ESX Server 3.1 will already expose new virtual network architecture, allowing 3rd party virtual switches, as it will be announced by Cisco CEO at VMworld 2007.
* Support for 10Gbit Ethernet network cards
* Support for TCP/IP Offload Engine (TOE) network cards
* Support for network load balancing algorithms
* Support for 200 hosts and 2000 virtual machines
* Support for 128GB RAM per host and for 64GB RAM per virtual machine
* Support for SATA storage devices
* Support for N_Port ID Virtualization (NPIV)
* Support for VCB over iSCSI SANs
* Support for IPv6 in virtual networking
* Support for Para-virtualization guest OSes

Copyright ©2008 | Colin McNamara | CCIE 18233 | All Rights Reserved”

Colin McNamara
CCIE #18233

http://www.2cups.com

“The difficult we do immediately, the impossible just takes a little longer.”Similar Posts:

• Cisco releases Nexus 1000V virtual switch for VMware
• Is your network ready for Cloud Computing with Virtual Infrastructure 4?
• Cisco EMC and VMware partneship VCE VBlocks Acadia and the Partner Ecosystem
• Interesting TechWise TV episode on virtualization
• Cool new features in 12.2(33)SXH
• VMworld 2009 Schedule

--Colin McNamara

New features in VMware 3.1

Link – http://www.cisco.com/application/pdf/en/us/guest/products/ps8258/c1161/cdccont_0900aecd80679ce3.pdf

From Cisco’s site -

Cisco IOS Software Release 12.4T integrates a portfolio of new capabilities, including security, voice, and wireless, with powerful hardware support to deliver advanced services for enterprise and access customers. It will be issued as a series of regularly scheduled individual releases, which Cisco will ultimately consolidate to form the next major release.

Release 12.4(15)T, the sixth release of the 12.4T family, streamlines the Cisco IOS Software upgrade process, provides sub-second link failure detection and faster convergence, delivers next-generation Layer 2-7 flexible packet classification, enhances intrusion protection and SSL VPN capabilities, and provides support for the new Cisco 7201 Router, amongst other features.

Like all releases in the 12.4T family, Release 12.4(15)T integrates innovations that span multiple technology areas, including Cisco IOS Security, Voice, Cisco IOS Infrastructure, Access, High Availability, Management Instrumentation, Quality of Service, IP Multicast, Broadband, IP Routing, and IP Services. Release 12.4(15)T delivers these integrated technologies on the broadest range of hardware in the industry, including the Cisco Integrated Services Routers, Cisco 7200 Series, and Cisco 7301 Router.
Copyright ©2008 | Colin McNamara | CCIE 18233 | All Rights Reserved”

Colin McNamara
CCIE #18233

http://www.2cups.com

“The difficult we do immediately, the impossible just takes a little longer.”Similar Posts:

• The emergence of MDS features in Cisco’s datacenter networking equipment
• About Colin McNamara
• Application Extension API notes – Cisco Live 2008
• Simplifying remote site security with Cisco’s new video surveillance modules on the ISR
• Darrel Hinshaw – New Triple CCIE [Storage]!!!!!!!
• New features in VMware 3.1

--Colin McNamara

Cool new features in 12.4(15)T

Security Threat Mitigation and Response: Understanding Cisco Security MARS
by Dale Tesch, Greg Abelar
Publisher: Cisco Press
Pub Date: September 28, 2006
Print ISBN-10: 1-58705-260-1
Print ISBN-13: 978-1-58705-260-6
Pages: 408

This book had so much potential to be a great. Sadly it turned out to be an overgrown technical manual. The author does try to lighten things up by interspersing real world technical details throughout the book, however he could have just written a “hacks” style book with that material and been much better off.

This book is organized into four major divisions. The first, Security threat identification and response challenge reviews basic security theory and response. A network engineer breaking into security may find this interesting. Anyone else can just skip over this chapter.

I actually found the second, CS-MARS theory and operation to be the most useful. The author laid out a pretty good flowchart of the designing process used to process alerts. He also hinted out the back end architecture supporting the device.

The third section, CS-MARS operation was just blatantly lifted from the users guide. The only difference is that the online users guide is organized a little more clearly. I recommend skipping this chapter and going straight to the on-line documentation, you will be much happier.

The fourth section, CS-MARS in action had great potential, however the author just stuck in some really salesy usage scenarios. I can’t reinforce this enough – This needs to be updated. I have been to customer talks where users presented how the MARS box has made their life easier in many ways. The stories presented here do a disservice to the product, and do not highlight the core differentiators that this product offers.

Would I recommend this book? Yes and No. I would recommend that entry level engineers with no security experience, and business users pick this up. Other then that, log onto CCO and just read through the docs. You will learn more in less time. And as a plus, you will have $50 sitting in your wallet still.

Colin McNamara
Copyright ©2008 | Colin McNamara | CCIE 18233 | All Rights Reserved”

Colin McNamara
CCIE #18233

http://www.2cups.com

“The difficult we do immediately, the impossible just takes a little longer.”

Similar Posts:

• RSS feeds – an intranet aggregation solution?
• Measuring and mitigating risk involved with sharing virtual infrastructure between DMZ and Internal environments
• Simplifying remote site security with Cisco’s new video surveillance modules on the ISR
• What should I do this thanksgiving break?
• Cool new features in 12.4(15)T
• Altor Virtual Network Security Analyzer (VNSA) integrated with Cisco’s Nexus 1000v for VMware

--Colin McNamara

Book Review – Security Threat Mitigation and Response: Understanding Cisco Security MARS