Game of Threats with Cisco AMP #NFDx

At Cisco Live Jonny Noble presented a session at the Tech Field Day Extra event.
It covered Umbrella and AMP for Endpoints from Cisco's Security group.

I will focus here on the updates to AMP for Endpoints and what has changed in
the product. AMP for Endpoints has been around for quite some time and was in the
past mainly focused on file protection and EDR use cases. Cisco has put a lot of development into the product and is moving it forward quickly.
From a more niche product it has now grown into a fully featured endpoint protection solution that also covers classic anti-virus endpoint protection. Besides that, Cisco has built one-to-one signatures, fuzzy fingerprinting, machine learning, rootkit scanning and sandboxing capabilities into AMP for Endpoints.
The management component is mainly deployed as a cloud solution. Cisco also offers an on-prem variant for those customers that do not want to go to the cloud.
On the OS side they natively support Windows, macOS, Linux (RHEL/CentOS) and Android.
Cisco has now added an integration for Apple's iOS-based iPhone devices with a new client called Clarity. I will take a deeper look at what is possible with this client and how deeply it is integrated into Apple's mobile device OS.

There are a lot of endpoint protection / AV products on the market; what is unique to Cisco AMP for Endpoints is the integration with the other AMP solutions.
This integration is from my point of view one of the key differentiators. Cisco has also integrated AMP into Meraki MX, Firepower, WSA, ESA and Threat Grid.
A good example is a retrospective event and how you can investigate it. When
a file is downloaded to a client PC in a corporate network, it can pass multiple devices that are running AMP, like the web proxy / WSA or a Firepower-based NGFW. Maybe on the first day AMP was not able to detect that this file was malicious. The moment the automated threat feeds have been updated, it can detect this malicious file. Based on the logs, the management console will mark the hash of this file and present it as a retrospective event. Now you are able to see where this file has shown up in your environment. After AMP is aware that this file is malicious it will start blocking it. With the file trajectory it is now easy to pinpoint where the file has shown up in your infrastructure and to track its potential lateral movement.
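To make the retrospective-event idea concrete, here is a small added example (my own illustration, not Cisco code and not the AMP console's actual logic) that replays a constructed sighting log against a threat feed before and after an update. The device names, hosts, timestamps and the `HASH-A-placeholder` / `HASH-B-placeholder` values are all constructed placeholders; the point is that a hash which was "allowed" yesterday becomes a retrospective event today, and the stored sightings give you the trajectory and the list of hosts to clean up.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    ts: str       # when the file was seen (ISO 8601, constructed)
    device: str   # AMP-integrated device that reported it (WSA, NGFW, endpoint connector)
    host: str     # endpoint the file reached or was destined for
    sha256: str   # file hash as reported; placeholder values below, not real IoCs
    action: str   # disposition at the time of the sighting

# Constructed sample log: one file travels proxy -> NGFW -> endpoint and is
# later seen on a second endpoint; an unrelated file is seen once at the proxy.
OBSERVATIONS = [
    Observation("2018-02-01T09:12:00", "wsa-proxy",    "pc-17", "HASH-A-placeholder", "allowed"),
    Observation("2018-02-01T09:13:05", "fp-ngfw",      "pc-17", "HASH-A-placeholder", "allowed"),
    Observation("2018-02-01T09:14:30", "amp-endpoint", "pc-17", "HASH-A-placeholder", "allowed"),
    Observation("2018-02-01T14:02:11", "amp-endpoint", "pc-23", "HASH-A-placeholder", "allowed"),
    Observation("2018-02-01T10:00:00", "wsa-proxy",    "pc-04", "HASH-B-placeholder", "allowed"),
]

def retrospective_events(observations, feed_before, feed_after):
    """Hashes that the updated feed flags as malicious, the old feed did not,
    and that were actually seen in the environment: the retrospective events."""
    seen = {o.sha256 for o in observations}
    return sorted((set(feed_after) - set(feed_before)) & seen)

def file_trajectory(observations, sha256):
    """Chronological (timestamp, device, host) sightings for one hash."""
    hits = sorted((o for o in observations if o.sha256 == sha256), key=lambda o: o.ts)
    return [(o.ts, o.device, o.host) for o in hits]

def hosts_reached(observations, sha256):
    """Endpoints that ever had the file: the scope of the cleanup."""
    return sorted({o.host for o in observations if o.sha256 == sha256})

def disposition(sha256, feed_after):
    """What the updated feed says to do from now on with this hash."""
    return "block" if sha256 in feed_after else "allow"

if __name__ == "__main__":
    before, after = set(), {"HASH-A-placeholder"}   # feed update adds HASH-A
    for h in retrospective_events(OBSERVATIONS, before, after):
        print("retrospective event for", h, "-> now", disposition(h, after))
        for ts, dev, host in file_trajectory(OBSERVATIONS, h):
            print("  ", ts, dev, host)
        print("  hosts reached:", hosts_reached(OBSERVATIONS, h))
```

The useful property is that the log of sightings is kept even for files that were allowed at the time; without that history a feed update could only block future downloads, not tell you which hosts already have the file.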

For more details check out the recorded Session:

Cisco Cloud Protect: A Quick Dive Into Cisco Cloud Security with Jonny Noble



How to fit an Elephant into a small car to transport it over the Networkautobahn #NFD17

On Networking Field Day 17 VeloCloud by VMware presented at the VMware HQ.

After the VMware acquisition, the VeloCloud team put together an interesting overview of their SD-WAN solution and the features and capabilities it has.

I will focus on one point that to me is especially interesting:

“The Elephant flow problem”


All SD-WAN vendors can use multiple WAN uplinks to load balance traffic across these connections. But in most cases that is only per-session load balancing. It works fine when we have a lot of sessions that can simply be distributed across multiple links.
It becomes more difficult when it comes to "elephant flows". A typical example is backup traffic or large file transfers. I have seen more than once that a backup wasn't finished overnight, and the next morning, when the first users showed up, everything was terribly slow and the WAN uplink was still at 100% utilization.
In the past we normally solved the problem with more bandwidth. If you have just one big pipe, your heavy elephant can run faster across a big road with more lanes. When you have multiple WAN uplinks there are some challenges that need to be addressed.
I will use the Autobahn as a comparison to describe the problem. It helps your heavy transport vehicle to have more lanes on the Autobahn. But if you have only three roads to transport one big load, you need to disassemble it into multiple smaller packets that can then be loaded into smaller trucks and transported to the destination.

Now comes the challenging part. Before the packet can be sent out of the LAN interface it needs to be reassembled.

Out-of-order packets: some packets will not arrive in the right order, so they need to be buffered until all parts have arrived before they can be reassembled.

Packet loss: some of the packets may need to be retransmitted.

Track the link quality: during the whole process the link characteristics may change regarding latency and throughput.

Packet size: on internet uplinks the maximum MTU can be smaller than on a private WAN. Because of the IPsec encryption and additional internal headers, the maximum payload that can be forwarded also needs to be reduced. VeloCloud also has a feature that addresses this problem and can provide a virtual MSS (Maximum Segment Size) for TCP packets.
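As an added illustration of the three problems above (fragmenting to the smallest uplink MTU minus tunnel overhead, buffering out-of-order fragments, and retransmitting only what was lost), here is a small simulation I wrote; it is not VeloCloud's code and says nothing about how their Edge implements this. The `IPSEC_OVERHEAD` figure, the link MTU and the payload are constructed values, and the round-robin spreading over links is the simplest possible per-packet scheme, not the vendor's algorithm.

```python
import random

IPSEC_OVERHEAD = 73   # assumed per-packet tunnel/header overhead in bytes (constructed figure)

def fragment(payload: bytes, link_mtu: int, overhead: int = IPSEC_OVERHEAD):
    """Split one large flow payload into numbered fragments that each fit the
    smallest uplink MTU once the tunnel overhead is taken off."""
    chunk = link_mtu - overhead
    if chunk <= 0:
        raise ValueError("MTU too small for tunnel overhead")
    pieces = [payload[i:i + chunk] for i in range(0, len(payload), chunk)]
    total = len(pieces)
    return [(seq, total, data) for seq, data in enumerate(pieces)]

def spread_over_links(fragments, link_count: int):
    """Round-robin the fragments over the uplinks: per-packet, not per-session,
    which is what lets one elephant flow use several links at once."""
    per_link = [[] for _ in range(link_count)]
    for frag in fragments:
        per_link[frag[0] % link_count].append(frag)
    return per_link

class Reassembler:
    """Receiving side: buffers fragments until every sequence number of the
    flow is present, then hands back the original payload."""
    def __init__(self):
        self.buffer = {}
        self.total = None

    def receive(self, seq, total, data):
        if self.total is None:
            self.total = total
        self.buffer[seq] = data
        if len(self.buffer) == self.total:
            return b"".join(self.buffer[i] for i in range(self.total))
        return None   # still waiting on out-of-order or lost fragments

    def missing(self):
        """Sequence numbers not yet received: exactly what must be retransmitted."""
        if self.total is None:
            return set()
        return set(range(self.total)) - set(self.buffer)

def simulate(payload, link_mtu, link_count, drop_seq=None, seed=0):
    """Send over several links with shuffled arrival order (links differ in
    latency), optionally lose one fragment, retransmit only the missing ones,
    and return (reassembled payload, set of fragments that had to be resent)."""
    frags = fragment(payload, link_mtu)
    arrivals = [f for link in spread_over_links(frags, link_count) for f in link]
    random.Random(seed).shuffle(arrivals)
    rx = Reassembler()
    result = None
    for seq, total, data in arrivals:
        if seq == drop_seq:
            continue  # packet loss on one uplink
        result = rx.receive(seq, total, data)
    lost = rx.missing()
    for seq in sorted(lost):
        result = rx.receive(*frags[seq])   # retransmission of the lost piece only
    return result, lost

if __name__ == "__main__":
    sample = bytes(range(256)) * 10      # constructed 2560-byte "elephant" payload
    out, lost = simulate(sample, link_mtu=500, link_count=3, drop_seq=4)
    print("fragments resent:", sorted(lost), "| payload intact:", out == sample)
```

The buffer in `Reassembler` is the cost the post describes: every fragment of the flow is held in memory until the last one arrives, so a slow or lossy uplink directly translates into buffer occupancy and CPU on the receiving edge.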

The Networkautobahn View

An amazing feature. The elephant flow problem was not solved by L2 link aggregation in the LAN or L3 routing in the WAN. One flow was forwarded only over one link and that was all we got. Getting it right is quite challenging and maybe one of the reasons why it wasn't available sooner.

I can still remember some Netscreen devices that melted down when they had to do packet dis/reassembly over IPsec tunnels. The CPU was at 100% load and you had nearly no throughput.

Getting jumbo frames transferred across WAN links also makes me excited. That is particularly interesting if you want to run NSX across your SD-WAN infrastructure.

I would like to see that in action and am also curious about how much impact it will have on the CPU of the VeloCloud Edge devices.


NFD18 and Tech Field Day Extra Cisco Live Europe 2018

This year will start for me with two amazing events; I will attend as a delegate the

Networking Field Day 18 and Tech Field Day Extra at Cisco Live Europe 2018 events.

So watch out for the event tags #NFD17 and #CLEUR18.

I will try to share all the interesting stuff that is presented at both events.

In case you would like to meet up at Cisco Live, drop me a message on Twitter @networkautobahn.

Looking forward to these two exciting events.

Networking Field Day 17


Tech Field Day Extra at Cisco Live Europe 2018




Tech Field Day Extra at Cisco Live Europe 2017

I will attend as a delegate the Tech Field Day Extra at Cisco Live Europe 2017 event.

Cisco Live Europe is this year from the 20th to the 24th of February 2017 in Berlin.

Besides all the exciting new tech at the #CLEUR event I am also looking forward to meeting up with all the delegates and the Tech Field Day crew.

Tech Field Day Extra at Cisco Live Europe 2017 delegates:

Ethan Banks @ECBanks
Gabriele Gerbino @GabrieleGerbino
Ivan Pepelnjak @IOSHints
Jasper Bongertz @PacketJay
Max Mortillaro @DarkkAvenger
Peter Paul Engelen @PPJM_Engelen


If you would like to meet up, please reach out to me at the event.
Very happy to see you all in my home town Berlin.



The Soundtrack of Networking

If you are on a long road trip to the next data center to fix some networking problems, you need the right soundtrack.

The Soundtrack of Networking:

Number 1: My favorite Net Thing, the maximum amount of possible network acronyms in one song.



Number 2: You down with BGP? Some network protocols are celebrated like rock stars.



Number 3: The Spanning Tree Song. The song is performed by Radia Perlman (piano), the author of Spanning Tree, and her daughter Dawn Perlner (voice).



Number 4: The day the routers died... my Cisco shares are completely worthless.

What is your favorite networking song? Leave a comment and let us know.


Firepower Management Center 4k SW 6.1 10Gig Interface Problem

I am facing a strange problem with the Firepower Management Center 4000 (FMC), formerly known as FireSIGHT Management Center. Cisco recently released SW code 6.1 for the FMC. With SW 6.1 the 10 Gig interfaces have become available. The 10 Gig ports have been there in hardware, but you couldn't use them with the previous software releases.

Regarding connections to Firepower devices and logging, the 10 Gig interface works as expected. When it comes to the management web GUI it shows strange behaviour. You can connect to the IP address that you have configured on the 10 Gig interface, but every time you try to enter the interface config tab of the FMC web GUI, it reboots. That works without any issues on the 1 Gig interface.

My workaround is to use the 1 Gig interface for the web GUI and the 10 Gig interface for peering with Firepower devices. Sadly there is at the moment no LACP or EtherChannel available on the FMC. That would help to connect the FMC with more redundancy.


Avaya ATF Updates

Sadly I couldn't join the Avaya ATF Europe event this year, which took place in Dublin from the 10th to the 13th of May 2016. Thanks to the networking infrastructure forum member OfWolfAndMan, who provided me with the presentations of the ATF event. Many thanks for that. Avaya has come up with some interesting news; here are some points that looked interesting to me.


Avaya has introduced the ERS4900 device family, which is the successor to the ERS4800 devices. Like in the VSP family, the ERS4900 will share the same software code with the ERS5900 series. That makes sense to me: instead of developing multiple BOSS images you have a shared code base. That model has worked out great in the VSP family and also gives the nice benefit of feature parity from a code standpoint.

The VSP7200 is now available as a licensed 24-port version. You get the 48-port hardware of the VSP7200 limited to 24 ports. To me that looks like the replacement for the VSP7000, which should have been named ERS7000 because it was running the BOSS image. It also had the limitation that you couldn't run L3 routing and SPB in parallel. The only caveat that I see here is that with the VSP7200 you lose the stacking capability.



On the software side the two new exciting features for me are DVR (Distributed Virtual Routing) and port mirroring for the SPB fabric. DVR brings the capability to run L3 distributed across multiple access switches in an SPB fabric. With that you can go full L3 on the top-of-rack switches and eliminate the need for packets to be sent to a centralized L3 gateway. It addresses the first-hop redundancy and the L3 load balancing problem at the same time. So traffic that needs to be routed between two devices connected to the same access switch can now be routed locally on that device.

Port mirroring across the fabric is the other new feature that caught my attention. On traditional networks port mirroring was often a problem. With the capability to send the mirrored port traffic to an I-SID in the SPB fabric you can transport it to any access port in the fabric. That brings a lot of flexibility. It is also possible to send multiple port mirrors to one I-SID or to have multiple receivers. That gives you everything you would want in a TAP network. Because SPB brings native multicast support, this is something that can run in the background and fits natively into the fabric.

If you want to know more about it, listen to the Network Broadcast Storm Podcast Episode 06, in which we had a nice conversation about DVR and port mirroring for SPB fabrics with Roger Lapuh from Avaya.



Next Generation of Port Monitoring using SDN by Big Switch Networks Big Monitoring Fabric

I was really fascinated by the Big Switch Networks presentation from Rob Sherwood at Networking Field Day 11. It was fantastic in many different ways. First, Rob is a great presenter who can show even very complex content in an easy to understand way and also keep the presentation entertaining. In the past I have seen a lot of presentations that overused SDN as a major buzzword on every second slide. I didn't like that hype. Here at Big Switch it was the opposite. Rob Sherwood was one of the early pioneers of SDN and was actively involved in the development of SDN technologies. He didn't even mention the word SDN. He showed a practical use case that runs SDN technology in the background. I am more interested in what we can do with a technology instead of talking about a technology just for the sake of it.

The use case that was presented here is a TAP or monitoring network. To protect a data center it is very common to use a set of tools, or tool farm, with a variety of different technologies like flow analyzers, IDS, IPS, etc. All of them need a copy of the actual traffic that is going across the links of your data center. With only one tool you could get away with a standard SPAN/monitoring port, but when you are using multiple tools and would like to see the traffic on different links, e.g. inside and outside of your firewall, you need an extra dedicated TAP network that can deliver the different monitored sources to your tool farm. If you have deployed that, you know "where to find the rainbow in your network". In the past that was done with special hardware or TAPs. The approach of the Big Switch Monitoring Fabric is to use standard whitebox switches for that with the Big Switch software on top. With the software-based approach you get a much more flexible TAP network that can be programmed via API and is capable of event-triggered monitoring. That wouldn't be possible with only switches.

Big Switch introduced a new component which they call the Service Node. It is an x86-based server that uses DPDK in the background to do all the magic that cannot be processed by a switch. The Big Monitoring Fabric is the first product that uses the Service Node, but I expect that in the future all the really exciting new stuff from Big Switch will be done with some kind of x86 servers, which have more flexibility from a software capability standpoint.

The Networkautobahn View

Building TAP networks was always a very difficult, static and expensive task in the past. I like the new approach of the Big Monitoring Fabric to address the task. It adds plenty of choices. For me the most exciting thing here is that SDN shows its potential for new real-world products. I expect we will see more of that in the future. The other point here is that Big Switch has understood how modern, more community-based marketing works. All of the Big Switch major releases have been announced at a Networking Field Day event. You have to address your message to the right audience.
