I am facing a strange problem with the Firepower Management Center 4000 (FMC), formerly known as FireSIGHT Management Center. Cisco recently released software version 6.1 for the FMC. With 6.1 the 10 Gig interfaces have become available. The 10 Gig ports were present in the hardware, but you couldn't use them with the previous software releases.
Regarding connections to Firepower devices and logging, the 10 Gig interface works as expected. When it comes to the management web GUI it shows strange behaviour. You can connect to the IP address that you have configured on the 10 Gig interface, but every time you try to enter the interface config tab in the FMC web GUI, it reboots. That works without any issues on the 1 Gig interface.
My workaround is to use the 1 Gig interface for the web GUI and the 10 Gig interface for peering with the Firepower devices. Sadly, at the moment there is no LACP or EtherChannel available on the FMC. That would help to connect the FMC with more redundancy.
Sadly I couldn't join the Avaya ATF Europe event this year, which took place in Dublin from the 10th to the 13th of May 2016. Thanks to the Networking Infrastructure Forum member OfWolfAndMan, who provided me with the presentations from the ATF event. Many thanks for that. Avaya has come up with some interesting news; here are some points that looked interesting to me.
Avaya has introduced the ERS4900 device family, which is the successor to the ERS4800 devices. Like in the VSP family, the ERS4900 will share the same software code with the ERS5900 series. That makes sense to me: instead of developing multiple BOSS images you have a shared code base. That model has worked out great in the VSP family and also gives the nice benefit of feature parity from a code standpoint.
The VSP7200 is now available as a licensed 24-port version. You get the 48-port hardware of the VSP7200, limited to 24 ports. To me that looks like the replacement for the VSP7000, which should have been named ERS7000 because it was running the BOSS image. It also had the limitation that you couldn't run L3 routing and SPB in parallel. The only caveat that I see here is that with the VSP7200 you lose the stacking capability.
On the software side, the two new exciting features for me are DVR (Distributed Virtual Routing) and port mirroring for the SPB fabric. DVR brings the capability to run L3 distributed across multiple access switches in an SPB fabric. With that you can go full L3 on the top-of-rack switches and eliminate the need for packets to be sent to a centralized L3 gateway. It addresses the first-hop redundancy and the L3 load balancing problem at the same time. So traffic that needs to be routed between two devices connected to the same access switch can now be routed locally on that switch.
Port mirroring across the fabric is the other new feature that caught my attention. Port mirroring was often a problem on traditional networks. With the capability to send the mirrored port traffic to an I-SID in the SPB fabric, you can transport it to any access port in the fabric. That brings a lot of flexibility. It is also possible to send multiple port mirrors to one I-SID or to have multiple receivers. That gives you everything you would like to have in a TAP network. Because SPB brings native multicast support, this is something that can run in the background and fits natively into the fabric.
If you want to know more about it, listen to the Network Broadcast Storm Podcast Episode 06, in which we had a nice conversation about DVR and port mirroring for SPB fabrics with Roger Lapuh from Avaya.
I was really fascinated by the Big Switch Networks presentation from Rob Sherwood at Networking Field Day 11. It was fantastic in many different ways. First, Rob is a great presenter who can show even very complex content in an easy to understand way and still keep the presentation entertaining. In the past I have seen a lot of presentations that overused SDN as a major buzzword on every second slide. I didn't like that hype. Here at Big Switch it was the opposite. Rob Sherwood was one of the early pioneers of SDN and was actively involved in the development of SDN technologies. He didn't even mention the word SDN. He showed a practical use case that runs SDN technology in the background. I am more interested in what we can do with a technology than in talking about a technology just for the sake of it.

The use case presented here is a TAP or monitoring network. To protect a datacenter it is very common to use a set of tools, or tool farm, with a variety of different technologies like flow analyzers, IDS, IPS, etc. All of them need a copy of the actual traffic that is going across the links of your datacenter. With only one tool you could get away with a standard SPAN/monitoring port, but when you are using multiple tools and would like to see the traffic on different links, e.g. inside and outside of your firewall, you need an extra dedicated TAP network that can deliver the different monitored sources to your tool farm. If you have deployed that, you know "where to find the rainbow in your network". In the past that was done with special hardware or TAPs. The approach of the Big Switch Monitoring Fabric is to use standard whitebox switches for that, with the Big Switch software on top. With the software based approach you get a much more flexible TAP network that can be programmed via an API and is capable of event-triggered monitoring. That wouldn't be possible with switches alone. Big Switch introduced a new component which they call the Service Node.
It is an x86 based server that uses DPDK in the background to do all the magic that cannot be processed by a switch. The Big Monitoring Fabric is the first product that uses the Service Node, but I expect that in the future all the really exciting new stuff from Big Switch will be done with some kind of x86 servers that have more flexibility from a software capability standpoint.
The Network Autobahn View
Building TAP networks has always been a very difficult, static and expensive task in the past. I like the new approach of the Big Monitoring Fabric to address that task. It adds plenty of choices. For me the most exciting thing here is that SDN shows its potential for new real-world products. I expect we will see more of that in the future. The other point here is that Big Switch has understood how modern, more community based marketing works. All of the Big Switch major releases have been announced at a Networking Field Day event. You have to address your message to the right audience.
Together with Michael McNamara I started a podcast project called the Network Broadcast Storm. In the show we will discuss a variety of topics from the sysadmin's daily life and whatever sounds interesting to us. The motto for the show is "Where it's always the network's fault!" We are targeting 30 minutes in length for each show and try to record in a bi-weekly format. The original idea came up 4 years ago in the Network Infrastructure Forum that was crafted by Mike. We had already recorded a test show and set up the website when real life crossed our plans for the podcast project. At Networking Field Day 11 I had the chance to meet up with Mike in Silicon Valley, and we decided together to give the project a relaunch. The show will be mostly in a roundtable discussion style: a bunch of engineers discussing, or occasionally ranting about, their daily work life and news from the networking industry.
I would like to thank my friend Torsten here for composing the intro and outro for the podcast together with me. Hopefully you like the sound, too. If you would like to get in contact, send us a message to firstname.lastname@example.org or via Twitter @tnbspodcast. We would love to hear your feedback.
I struggle a lot of the time to find the right balance between planning and fast deployment. In IT you often have very ambitious projects that have to be finished ASAP. I cannot recall how many times I have heard the words "as soon as possible" in a project meeting. Most of the time the IT people have to finish their work first, so that the rest of the company or organisation can start to use the IT infrastructure. No matter if it is a new datacenter, office location or technology, there will be some planning involved. Some tasks can be automated, but the automation infrastructure needs planning as well. In Germany we say this is the point where the cat bites its own tail. It is time consuming to do solid planning. So it happens that something half-baked is brought to production. Here I have seen many outages. People have to fire-fight and do overtime in these situations to create a workaround, which then obviously becomes the permanent solution. Years later somebody will ask: who planned this... Or sometimes everything worked as planned, but the plan was shit. There must be the right balance between planning and deployment. Set yourself some standards that you always have in your workflow, like documentation, security hardening, sticking to standards, monitoring etc.
And sometimes you spend a lot of time making something work with the tools that you know, and find out after the project is finished that there is a better tool or solution out there. The other tool or solution would have saved a lot of work-hours and budget, but you weren't aware of it at that point in time. When the only tool in your toolbox is a hammer, everything becomes a nail. So it looks more time consuming to spend more time on research and building up a new solution, but in the long run this looks to me like the better option. It is harder to accomplish something that replaces the old workflow and way of thinking, for sure. But it is a great feeling when the new solution is up and running and you can achieve with one click a task that before took hours, days or weeks. That is the essence of why all the new technologies like cloud, SDN and fabrics have changed IT so dramatically recently.
Cisco has introduced the new Firepower 4100 device family at Cisco Live. Besides a new hardware platform, the really interesting development is going on in the background. First a short brief of the new 4100 appliances: they come out in 3 different versions at the start, and a 4th model will be added in the 2nd half of 2016. It is a 1RU appliance that can do up to 20GB/s firewall throughput with L7 FW, AVC and IPS enabled (4100 NGFW datasheet).
The really interesting point here is that you can run the unified image on it. In the past we had a hardware box that ran the ASA code, and on top of that the FirePOWER as an additional instance. I always simplified that in my mind like a VM running on a server, with the FirePOWER living in that VM. To scale that model up you needed additional processing power. For example, in the 5585-X models you had 2 devices inside one chassis. On one part the ASA code was running and on the other the FirePOWER. That means from a packet flow perspective the packet was processed and inspected two times: first by the ASA based code/hardware, and when that was finished it was passed to the FirePOWER engine to be inspected and processed again. That changes now with the unified image approach. The functions and features of the ASA have been ported to the FirePOWER code, so there is no need to run 2 images any more. Finally we have an integration of the L4 stateful inspection and L7 content based policies. At the moment some of the VPN features are missing; hopefully we will see these functions added in one of the future releases.
To leverage the new unified FirePOWER 6.x image approach, there is also a management solution available. Instead of dealing with Cisco Security Manager or Prime Security Manager for the stateful inspection L4 rules and the FireSIGHT Manager for the L7 content aware policies, this is also unified in the "Cisco Firepower Management Center". It looks very much like the previous FireSIGHT interface and has some additional functions. I like that you now see all policies in one place regardless of the type of policy. Firepower Threat Defense for ISR and Advanced Malware Protection (AMP) can be managed from here as well.
The Network Autobahn View
It was a long way, but finally Cisco has integrated the FirePOWER NGFW and Snort based IDS/IPS service with a stateful inspection firewall. That tight integration and a central policy choke point make a lot of sense. Combined with the centralized management and logging, this makes a great solution. In the past, handling ASA "ACL" based rules and NGFW L7 content based policies together was always difficult. I got the impression at Cisco Live that the new combined image is the future and the old ASA will fade away completely. A stateful inspection firewall is pretty much the security model of the late 90s, and I think even the term "Next Generation Firewall" is outdated. Deep packet inspection has become the only way to do security, and port numbers are pretty much irrelevant. I am looking forward to the next FirePOWER releases, which hopefully also bring the VPN features to the unified image.