Wednesday, November 04, 2009

Multicast test client

Microsoft provides a tool for testing multicast support in your network.


Monday, October 12, 2009

What is an ISP looking glass

Many ISPs provide something they call a looking glass.

a mirror; usually a ladies' dressing mirror
Source: Google

That is not what an ISP has. An ISP's looking glass is something that lets you look into their internal network from the outside.

A Looking Glass is a piece of software running as a CGI on an ISP's webserver that allows external users to get a look at routing and network behavior within their network. The software is usually a Perl script that resides in the CGI bin of a web server. The script executes shell commands, accesses a remote router, performs either a ping, trace, or one of several show commands allowing a view of the IP and BGP route tables. The CGI then returns the information as a web page.

Looking Glasses are most commonly used for verifying routing between providers, and for verifying that routes are propagating correctly across the Internet.

Source: InetDaemon


Saturday, May 23, 2009

Global Load balancing solutions

As I have received some questions about GLB I will try to answer some of them here.


What is Global Load Balancing?

Global load balancing is a concept where several data centers answer for one web site.

In its simplest form you can create a GLB by using DNS to point to the IP address of your different web sites. This way you can share the load between your data centers.

But often you want more. Today most modern GLB solutions can give you more:

  • Direct you to the closest data center (based on IP addresses). (Speed.)
  • Make sure the data center is up and running before sending clients there. (Always up.)

And probably more as well.

Most global load balancers, if not all, use DNS to direct traffic. The GLB is basically a DNS server that inspects the incoming request (at least the address it came from and the health of each site) and makes a decision before returning an answer, usually with a short TTL so a failed site drops out of caches quickly.

There is a page that argues why GLB does not work. I do not agree with everything on that page, but you will have to make up your own mind.
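The decision described above, in miniature, as an added example (not code from the original post or from any vendor named below): a GLB's DNS front end picks the closest healthy data center for a query, falls back to any healthy one, and hands out every VIP only when all health checks fail. The data center names, VIPs, "near" prefixes and the health table are constructed for the demo; a real GLB would fill the health table from its own probes. Note the caveat in the docstring: the source address the GLB sees is normally the client's recursive resolver, not the client, which is the main argument of the "GLB does not work" camp.

```python
"""Added example: the decision a DNS-based GLB makes for a query for www.
Not code from the original post or from any vendor; all data is constructed."""
import ipaddress

# Constructed inventory: each data center publishes one VIP for the web site
# and a list of prefixes the GLB treats as "close" to it.
DATACENTERS = {
    "eu": {"vip": "192.0.2.10", "near": ["192.0.2.0/24", "198.51.100.0/24"]},
    "us": {"vip": "203.0.113.10", "near": ["203.0.113.0/24"]},
}


def glb_answer(querier_ip, health, default="eu", ttl=30):
    """Return (list_of_vips, ttl) that the GLB's DNS front end hands back.

    health maps data center name -> True/False, the result of the GLB's own
    probes (a real GLB would ping, TCP-connect or HTTP-GET the VIPs).
    querier_ip is the source of the DNS query.  In practice that is the
    client's recursive resolver, not the client, which is why "closest data
    center by IP address" can be wrong for clients behind a distant resolver.
    The TTL is kept short so a failed data center drops out of caches quickly.
    """
    querier = ipaddress.ip_address(querier_ip)
    healthy = [dc for dc, up in health.items() if up]
    if not healthy:
        # Nothing passed its health check: return every VIP rather than
        # nothing, so the client can at least try them in order.
        return [dc["vip"] for dc in DATACENTERS.values()], ttl
    # Prefer a healthy data center whose prefixes cover the querier.
    for dc in healthy:
        if any(querier in ipaddress.ip_network(p) for p in DATACENTERS[dc]["near"]):
            return [DATACENTERS[dc]["vip"]], ttl
    # No geographic match: the default data center if it is up, else any up one.
    chosen = default if default in healthy else healthy[0]
    return [DATACENTERS[chosen]["vip"]], ttl
```

Run `glb_answer("198.51.100.7", {"eu": True, "us": True})` to see the European VIP come back; flip `"eu"` to `False` and the same querier is sent to the US instead.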

What GLB is not

With GLB you only get the solution to distribute traffic between your data centers. You still have to solve database replication, how to maintain your files in sync and so forth.

Who are the players?

I have done some research and found these vendors. I have not tried any of the solutions, only read the product documentation. I am sure there are other players, but they are sometimes hard to find.

Player and comment:

F5 Big-IP GTM: The most expensive solution I have found. I have used F5 products before and they usually work well. You can only buy this as an appliance. You can choose to buy it as a GTM only or as a local traffic manager (load balancer) with GTM on top.

Zeus ZXTM GLB: You can buy this as an appliance or as a VMware image. Promises good performance, supports active-active data centers and lets you make rules on how to route traffic.

Coyotepoint Envoy: Envoy is an add-on to their local load balancer appliance. That is, you need to buy everything from them. With Envoy you can create policies for traffic management.


Friday, January 16, 2009

DNS directed lookups - pros and cons

When you have to do directed name lookups you have several options: conditional forwarders, stub zones and secondary zones. Which should you choose? It is not easy, as the pros and cons are hard to find. But look no further, you are now reading the definitive source.

Before I go into the pros and cons, bear in mind that not all environments are equal. For this discussion there are only two types of WAN connection between sites. A network that is firewalled can in many circumstances look like a LAN-to-LAN VPN connection; the same restrictions apply.

Connection     Configuration
LAN-LAN VPN    The remote site is connected to the main site using a VPN over the Internet. The remote site only has access to the parts of your network that the IPsec policy allows.
Leased line    The remote site shares the entire IP network with the main network and can access all internal resources.

Stub zones

Microsoft added support for stub zones a few years ago. With a stub zone you configure where to load the stub (the zone's SOA, NS and glue records) from, and from that point all queries for the zone are iterative.

Why:
  • Does not require zone transfers to work.
  • Easy to integrate into an existing network, as it scales and changes with the network.
  • The stub zone can be stored in Active Directory and loaded automatically on all domain controllers.

Why not:
  • If the stub zone fails to load (the server cannot obtain the NS and SOA records) names in the zone are resolved from the Internet instead. If the zone is part of a split DNS, the public information is then cached instead of the private information.
  • Queries are iterative; the DNS server attempts to query the zone's DNS servers by itself to get the answer. If the zone has delegated subzones, our DNS server also needs to talk to the servers for those.
  • Changes to information within DNS propagate more slowly, as the server caches all answers (negative answers too).
  • You have to reconfigure the zone properties for most changes on the other DNS server.

Secondary zone

A secondary zone keeps a copy of the entire zone on disk or in memory at all times.

Why:
  • Faster updates (potentially), as your DNS server can be notified of any change to the original zone. (If not, the zone is refreshed based on the values in the SOA record.)
  • The server does not have to query any other server to get the answer. (Except when you have delegated subzones.)
  • If the zone expires (the server fails to refresh it within the configured time) the server only sends back negative answers. It will not ask other DNS servers for an answer, so there is no chance of cache poisoning.

Why not:
  • You need zone transfers (AXFR/IXFR), and those are usually blocked on DNS servers.
  • If the zone has many records, you consume memory, disk and network resources.
  • You have to reconfigure the zone properties for most changes on the other DNS server.

Conditional forwarders

A conditional forwarder sends (by default) a recursive query directly to the configured server(s) and returns the answer.

Why:
  • Queries are unconditionally forwarded to the forwarder(s).
  • Answers are cached.
  • Reduces the number of queries, as they are recursive. (Good if you have a slow WAN.)

Why not:
  • Has to be configured manually on all name servers.
  • You have to reconfigure the zone properties for all changes on the other DNS server.


DNS and directed lookups explained

With Microsoft DNS Server you roughly have three ways to force lookup to specific servers. They are:

  • Stub zones
  • Secondary zones
  • Conditional forwarding

In any environment with split DNS, non-public zones or .local domains, you need to plan how lookups for zones held by other DNS servers are handled.

In this article you can read about the differences between these types.


Stub zones

When you configure a stub zone you only tell the DNS server where to fetch the zone's delegation records: the SOA and NS records and, where needed, the glue A/AAAA records for the name servers. You type in one or more IP addresses of DNS servers to fetch these records from. Further resolution of names in the zone is done using those records.

The local DNS server uses them as hints and continues recursion (iterative queries to the zone's name servers) as normal. You cannot control which of those DNS servers will be queried.

Secondary zones

A secondary zone contains a copy of the entire zone and can give authoritative answers. The entire content of the zone is downloaded from your DNS Servers (you have to specify where to download the zone from) and stored in a local file.

Conditional forwarders

This is also known as a forward delegation. When you configure a conditional forwarder you simply say that for all queries within a domain, ask this IP address (or these IP addresses).

All queries are recursive with a conditional forwarder.
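The behaviour of the three mechanisms, and the two failure modes listed in the pros and cons of the previous post (a stub zone that could not load falls back to ordinary Internet resolution and caches the public answer; an expired secondary zone answers negatively and asks nobody), as a toy model in Python. This is an added example and not code from the original posts or from Microsoft's DNS server; the zone name, addresses, the "private versus public" records and the forwarder's no-fallback behaviour are assumptions of the model.

```python
"""Added example, not from the original posts: a toy model of a Microsoft DNS
server resolving a split-DNS name through a stub zone, a secondary zone and a
conditional forwarder.  Zone names, addresses and the forwarder's no-fallback
behaviour are assumptions of the model."""

ZONE = "corp.example.com."
NAME = "intranet." + ZONE
# Constructed split-DNS data: the private view behind the VPN versus what
# the public Internet serves for the same name.
PRIVATE_RECORDS = {NAME: "10.10.0.5"}
PUBLIC_RECORDS = {NAME: "203.0.113.5"}
internet_queries = []          # every query that went out to the Internet


class PrivateMaster:
    """The DNS server on the far side of the WAN that owns the private view."""

    def __init__(self, reachable=True):
        self.reachable = reachable

    def soa(self):
        """Stub zone load: fetch SOA/NS/glue from the master."""
        if not self.reachable:
            raise TimeoutError("master unreachable")
        return ("ns1." + ZONE, "10.10.0.2")

    def query(self, name):
        if not self.reachable:
            raise TimeoutError("master unreachable")
        return PRIVATE_RECORDS.get(name)

    def transfer(self):
        """AXFR, which only works if the firewall permits zone transfers."""
        if not self.reachable:
            raise TimeoutError("zone transfer blocked")
        return dict(PRIVATE_RECORDS)


def internet_resolve(name):
    """Normal recursion via the root hints: whatever the public zone says."""
    internet_queries.append(name)
    return PUBLIC_RECORDS.get(name)


class LocalDnsServer:
    def __init__(self, mode, master):
        self.mode, self.master, self.cache = mode, master, {}
        self.zone_loaded, self.zone_copy = False, None
        try:
            if mode == "stub":
                master.soa()
                self.zone_loaded = True
            elif mode == "secondary":
                self.zone_copy = master.transfer()
                self.zone_loaded = True
        except TimeoutError:
            self.zone_loaded = False     # the zone failed to load

    def expire(self):
        """The secondary copy passed the SOA expire timer without a refresh."""
        self.zone_copy, self.zone_loaded = None, False

    def resolve(self, name):
        if self.mode == "secondary":
            # Authoritative local copy.  Expired or never loaded means a
            # negative answer; it never asks anyone else (so it cannot be
            # poisoned, but it also cannot be right).
            return self.zone_copy.get(name) if self.zone_loaded else None
        if name in self.cache:
            return self.cache[name]      # positive and negative answers are cached
        if self.mode == "stub":
            # Loaded: iterate to the zone's own NS.  Not loaded: the name is
            # treated like any other and resolved from the Internet.
            answer = self.master.query(name) if self.zone_loaded else internet_resolve(name)
        elif self.mode == "forwarder":
            try:
                answer = self.master.query(name)    # recursive query to the forwarder
            except TimeoutError:
                answer = None   # modelled as SERVFAIL; no fallback in this model
        else:
            raise ValueError("unknown mode " + self.mode)
        self.cache[name] = answer
        return answer
```

The case to try first is `LocalDnsServer("stub", PrivateMaster(reachable=False)).resolve(NAME)`: it returns the public 203.0.113.5, and because that answer is cached the server keeps returning it even after the master becomes reachable again. The same outage against a secondary zone returns nothing, and nothing leaves for the Internet.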


Thursday, January 08, 2009

CEF and unequal traffic sharing

Today I stumbled across a Cisco switch where layer 3 CEF switching resulted in an unequal sharing of the outgoing load. The incoming traffic comes from a Fortigate router, which handles load sharing differently.

First I looked into the routing table and verified that I have two active routes to the destination.

Switch#sho ip ro 192.168.1.1
Routing entry for 192.168.1.0/24
  Known via "ospf 1", distance 110, metric 10, type extern 2, forward metric 1
  Last update from 10.47.1.1 on Vlan3800, 2w2d ago
  Routing Descriptor Blocks:
  * 172.30.254.249, from 10.47.1.1, 2w2d ago, via Vlan3800
      Route metric is 10, traffic share count is 1
    172.30.254.241, from 10.48.1.1, 2w2d ago, via Vlan200
      Route metric is 10, traffic share count is 1

I then looked into CEF.

Switch#sho ip cef 192.168.1.1 internal
192.168.1.0/24, epoch 1, RIB, refcount 6, per-destination sharing

The destination here is 192.168.1.0/24, and it seems Cisco sends everything for that destination out of only one interface. Investigating further I found the command below, which confirms this. (Run it several times!)

Switch#sho ip cef exact-route 10.0.0.1 192.168.1.1
10.0.0.1 -> 192.168.1.1 => IP adj out of Vlan3800, addr 10.47.1.1

I went looking on the Internet and found a great resource on Cisco and CEF on Cisco IOS hints and tricks.

Unfortunately, I did not find a solution that helped me.
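A model of what "per-destination sharing" means, added here as an example (not code from the original post and not Cisco's actual hash): CEF picks the path per (source, destination) pair, so traffic between one pair of addresses always takes one path, and the split only evens out once there are many distinct pairs. That is exactly the situation when everything arrives from one upstream router or NAT address. The path names reuse the next hops from the output above; the addresses and flow lists are constructed.

```python
"""Added example, not from the original post: a model of CEF per-destination
load sharing.  Real CEF hashes differently; the property shown is the one
that matters, namely that the path is fixed per (source, destination) pair."""
import hashlib
import ipaddress
from collections import Counter


def path_for(src, dst, paths):
    """Pick the outgoing path for one flow: a deterministic hash of (src, dst)."""
    key = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    digest = hashlib.sha256(key).digest()
    return paths[int.from_bytes(digest[:4], "big") % len(paths)]


def share(flows, paths):
    """Count how many flows land on each path."""
    return Counter(path_for(s, d, paths) for s, d in flows)


# The two equal-cost next hops from the routing table above.
PATHS = ["Vlan3800 via 172.30.254.249", "Vlan200 via 172.30.254.241"]

# Case 1 (constructed): one upstream source, e.g. a router that hides everything
# behind one address, talking to one server.  Every packet follows one path,
# however many packets there are.
single = [("10.0.0.1", "192.168.1.1")] * 1000

# Case 2 (constructed): a thousand distinct sources to hosts in the same /24.
many = [(f"10.0.{i // 256}.{i % 256}", f"192.168.1.{i % 254 + 1}") for i in range(1000)]
```

`share(single, PATHS)` has one key with a count of 1000; `share(many, PATHS)` has both keys with roughly 500 each. IOS can be told to balance per packet (`ip load-sharing per-packet` on the interface) at the cost of packet reordering, which is usually a worse trade than the uneven split.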


Tuesday, January 06, 2009

IPv6 prefixes explained

IPv6 addresses are hard to read. Prefixes are also new for us. In this article I will show common prefixes and how to use them.

IPv6 addresses

There are many ways to express an IPv6 address. For example, the addresses below are all valid and equivalent:

2001:0db8:0000:0000:0000:0000:1428:57ab
2001:0db8:0000:0000:0000::1428:57ab
2001:0db8:0:0:0:0:1428:57ab
2001:0db8:0:0::1428:57ab
2001:0db8::1428:57ab
2001:db8::1428:57ab

The important lesson here is that IPv6 addresses are long and complex. Leading zeros within a group may be dropped, and one run of consecutive all-zero groups may be replaced with two colons (::), but only once per address, otherwise the reader could not tell how many groups each run stands for.

Prefixes

You can specify a prefix on an IPv6 address. Prefixes have the syntax /bits, like 2001:db8::/32. In practice you mostly meet prefixes in routing and address planning, as the networks that hosts sit on are expected to be /64.

Each colon-separated group in an IPv6 address represents 16 bits (four hex digits), giving a total of 8 groups. A prefix of /32 is thus the first two groups.

IP      2001 : 0db8 : 0000 : 0000 : 0000 : 0000 : 1428 : 57ab
Prefix  /16    /32    /48    /64    /80    /96    /112   /128
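The same points checked with Python's ipaddress module, as an added example that is not part of the original post: all six spellings above parse to one address, a /bits prefix keeps the first bits of the address and zeroes the rest, and a /64 splits an address into the network and the 64-bit interface identifier. The addresses are the documentation addresses the post already uses.

```python
"""Added example, not from the original post: IPv6 spellings and prefixes
with the standard library's ipaddress module."""
import ipaddress

# The six equivalent spellings from the post.
SPELLINGS = [
    "2001:0db8:0000:0000:0000:0000:1428:57ab",
    "2001:0db8:0000:0000:0000::1428:57ab",
    "2001:0db8:0:0:0:0:1428:57ab",
    "2001:0db8:0:0::1428:57ab",
    "2001:0db8::1428:57ab",
    "2001:db8::1428:57ab",
]


def all_equivalent(spellings):
    """True if every spelling parses to the same 128-bit address."""
    return len({ipaddress.IPv6Address(s) for s in spellings}) == 1


def canonical(address):
    """(compressed, exploded) forms of an address, for logs and comparisons."""
    a = ipaddress.IPv6Address(address)
    return a.compressed, a.exploded


def prefix_of(address, bits):
    """The /bits network containing the address: host bits zeroed."""
    return str(ipaddress.IPv6Network(f"{address}/{bits}", strict=False))


def groups_covered(bits):
    """(whole 16-bit groups fixed by a /bits prefix, leftover bits in the next group)."""
    return divmod(bits, 16)


def split_64(address):
    """Split an address into its /64 network and the 64-bit interface identifier."""
    net = ipaddress.IPv6Network(f"{address}/64", strict=False)
    iid = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    return str(net), f"{iid:016x}"
```

`prefix_of("2001:db8::1428:57ab", 112)` gives 2001:db8::1428:0/112, showing the /112 column of the table: the first seven groups are kept and the last is zeroed.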

Sources

Wikipedia's article on IPv6 is used as the main source.


Monday, January 05, 2009

HP GbE2c Ethernet Blade Switch User Guide

The user guide (documentation) for this switch is dated May 2006.


VLAN tagging on GbE2c

The HP GbE2c Ethernet Blade Switch for HP c-Class BladeSystem can sometimes be hard to configure correctly.

Here is how to configure a port in trunk (Cisco term) or tagged mode, so that it carries several VLANs over one link.

First we change port 5 to allow it to send and receive tagged VLAN frames.

/cfg/port
Enter port (1-24): 5
>> Port 5# tag
Current VLAN tag support: disabled
Enter new VLAN tag support [d/e]: e

Remember to verify that the VLANs you need are enabled on the switch. Below you see VLAN 1 and 107 defined on this switch.

>> System# /info/l2/vlan
VLAN  Name          Status  Ports
1     Default VLAN  ena     4 5 11-13 17 18 20 21 23 24
107   VLAN 107      ena     9 21

If you need more VLANs you have to type in the commands listed below. Here I create VLAN 142.

/cfg/l2/vlan
Enter VLAN number: (1-4095) 142
ena
Current status: disabled
New status: enabled

The PVID (port VLAN ID) of the port is 1. That is the VLAN whose frames travel untagged on the port, so make sure it is the VLAN you expect before you enable tagging.

You are now ready to add VLANs to the port. Repeat this for every VLAN that you want to carry over the port.

/cfg/l2/vlan 142
add 5

Before you finish, remember to apply and then save the changes. You apply them to make them active, and you save them so they persist across reboots of the switch. Apply first: save writes the running configuration, so saving before applying would miss the changes you just made.

apply
save


Monday, October 20, 2008

Packet cheat sheets

These are good, easy-to-read sheets showing how different protocols are built. There are sheets for IPsec, IPv6, spanning-tree protocol (STP) and some others.


Thursday, December 06, 2007

Shr Dispute in Cisco switches

I did some tests on some Cisco switches the other day and came across an error I had not seen before. When I looked into a port's spanning tree, I found the port was blocking with the message Dispute Shr. I had not seen this message before and could not find anything when I tried to Google it.

nede#sho span int g0/1

Mst Instance  Role  Sts  Cost     Prio.Nbr  Type
------------  ----  ---  -------  --------  -----------
MST0          Desg  BLK  2000000  128.1     Dispute Shr

So I had to investigate this. Luckily for me Cisco has very good documentation. In an article discussing something else I found the answer I was looking for.

A dispute flag appears when a designated port receives inferior designated information until the port returns to the forwarding state or ceases to be designated.

Shr simply indicates that the port type is "shared": the switch assumes a shared medium because the link is running at half duplex. So the dispute is the real problem (the neighbour is sending inferior BPDUs on a link we think we are designated on), and the half-duplex link is worth fixing too.


Friday, August 03, 2007

Vista wireless and lag

Have you noticed that Vista on wireless often loses its connection to the Internet (and the corporate network)? This is often seen with games and real-time applications like VoIP products.

Windows Vista does not work with the optimal wireless settings. Some of these settings cause 1.5 second dropouts with many wireless cards, appearing every 30-60 seconds. These dropouts are much hated in the gaming community and by users of voice over IP applications or other real-time protocols.

Here you can find a solution for your problem.


Tuesday, March 20, 2007

WAN optimization with Riverbed

Today I had a chance to work with a product for WAN optimization for the first time. I ran a live demo at a customer's site.

+ It works. At least if your network traffic is predictable and repetitive. Most networks are, as clients tend to do much the same things.
- It is too expensive for most customers. It is really hard to justify the cost and, more importantly, the return on investment.

Acceleration of SSL traffic

Riverbed promised to support SSL in version 4 of their software. I can't wait to try this one out. It only requires you to install your private key on the box inside your datacenter. Bear in mind what that means: the appliance decrypts the SSL sessions and holds a copy of the server's private key, so it has to be protected and audited like the server itself.

Steelhead appliances now accelerate encrypted (SSL) traffic, using all of Riverbed's algorithms to deliver LAN-like performance for those key business applications.

Of course this won't work for external web sites as you don't have access to private keys. But for intranet applications this is cool!

Exchange 2007

Exchange 2007 supports encrypted MAPI connections. Not many details about this are known at this point.

Based on our testing, we've found that the encrypted connections that appear by default in an Exchange 2007 environment with Outlook 2007 clients are a proprietary "MAPI encryption", not SSL.

Impression

Riverbed Steelhead appliances are easy to set up and work without much effort. Just make sure the traffic is unencrypted and leave the rest to Riverbed.

RiOS 4.0

I will do a new lab with RiOS 4.0 when it is released and do tests on Exchange, Sharepoint and web traffic. All SSL encrypted. If you are curious about this, please leave me a note.
