IP NAT is a very common configuration. One of the challenges that sometimes surfaces is the need for internal hosts to connect to the public address of a locally hosted server. Anyone who has tried to configure something like the following has likely faced this issue.
In this example, the top of the diagram represents the outside (Internet, ISP, or External Server), the left represents the DMZ area, and the bottom represents the inside. The goal is to enable dynamic port address translation for internal hosts and static port address translation for the host or hosts found in the DMZ area.
This configuration is fairly straightforward and typically covered in the CCNA curriculum. This includes identifying each interface as inside or outside and configuring the appropriate nat statements.
The Sourcefire NGIPS/NGFW solution is a way to quickly get some interesting information about traffic on a network. One of the things I like about the solution is that actionable information is almost immediately available after deployment.
There are five deployment modes for a Sourcefire Firepower appliance:
Passive and inline modes are the two deployment options for the Virtual versions of the Firepower appliances. Inline mode provides significant advantages over simple passive monitoring. Inline mode allows the appliance to block offending traffic or communications that violates the configured policy. Following the installation guide is straightforward and should allow a security engineer to quickly get this solution up and running.
At this point in the PacketU subnetting series, we have worked through the following–
This article takes the concept of subnetting to the next step. Today we are going to look at the concepts required to subnet a Class C network. As we reflect on the Classful IP rules, we recall that a Class C network has the following characteristics–
- First octet begins with binary 110…..
- The first Octet will be in the range of 192 to 223
- The first three (three leftmost) octets represent a Network
- The last octet (rightmost) Octet represents a Host on a network
We also know that this single IP network can be further subdivided into multiple, but smaller, networks. This process is known as subnetting.
Continuing with the syntax used in previous articles, we might represent a Class C Network as follows– Continue reading
I just wanted to take a quick moment to share a site Dan DeBusschere has created. This site is a list of very useful config snippets, information and links. Most of the content is focused on Datacenter and UCS. If you support this type of environment, check it out.
Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.
Today was a bittersweet day for me. It was my final day working with a great group of people at a prominent community bank. I have nothing but good things to say about the people, the organization, and the interesting projects I’ve been involved in. I’ll miss everyone a lot and plan to stay in touch.
Tomorrow I begin a new role as a Systems Engineer at Cisco Systems. I will be working with the SLED (public sector) sales team in Kentucky and West Virginia. In this role I hope to broaden my knowledge of networking components and spend time helping customers better position their technology infrastructures.
What this means for me–
I will be aggressively learning the Cisco Product lines, including areas that I previously had less exposure to. I will take advantage of the resources I have and marry my vision of the changing network industry to the components Cisco positions into higher education environments. My intentions include better understanding the roadmap and technical details as they pertain to the integration path from traditional networking to software defined approaches.
But what about…
Today’s podcast spotlight goes to Software Gone Wild. This is a newer podcast hosted by our friend Ivan Pepelnjak. The topics are focused on the growing pains the networking industry is experiencing and various forms of automation that are attempting to solve them. This includes various aspects of SDN, NFV and how others are using technology to deliver bigger/better/faster solutions.
Recent episodes include Network Automation @ Spotify and The F-Script with my good friend John Herbert.
Disclaimer: I have no affiliation with the Software Gone Wild podcast or any organization linked to, represented in or derived from content found in this article. This article represents my own opinions and may not be that of my employer.
At some point, Network engineers will likely face some type of issue with MTU or maximum transmittable unit. Their first experience with this may be an eye opening and time consuming effort. After resolving the issue, those with a thirst for knowledge will take the necessary time to understand the issue.
MTU problems are most often seen when Path MTU Discovery, or PMTUD, fails to function. This is the process by which one end host determines the largest possible packet size to another station on the network. Symptoms of this type of issue include two devices having proven reachability, but applications fail to work in a way that indicates a network issue. Some applications may even crash or hang the system.
Symptoms of PMTUD Failure
- Hosts may be able to ping one another
- Service/Port may prove accessible using telnet
- Severe and persistent application issues
- Partial page loads
- Either host appearing to hang
I wanted to take a few minutes to share a scenario that some seem to struggle with. This scenario is a routing issue that sometimes occurs when an interior routing protocol allows routes to leak back through a tunnel. To demonstrate this, I’ve built a lab with three routers. R1 and R3 are participating in EIGRP and have a GRE tunnel configured directly between them.
I’ve often stated how simple subnetting really is. While each individual concept is rather simple, it is the combination that make the holistic process challenging. If we, as humans, could look at the process more like computers and network devices, subnetting would be a much simpler process. In short, some knowledge of binary is an important requirement prior to sharing more complex subnetting examples.
This article will demonstrate the process of converting binary to and from the more familiar decimal numbering system. This will establish the necessary baseline knowledge required to understand when applying subnet masks to IP addresses. The first question we need to answer is–
What is Binary?
Binary, also known as base-2, is a numbering system in which each position only has two possible values. We often represent one possible value as zero and the other possible value as one. Alternatively, it could be represented many other ways including: positive and negative voltage, black and white colors, voltage and no voltage present, or null and not null. This simplicity in representation is what makes the system so advantageous for a computer’s limited discreet capabilities. Continue reading
I know many have been [not so patiently] waiting for the arrival of a Cisco virtual lab. Although I haven’t heard any official release date for VIRL or CML, there is a small scale virtual router lab available today. This lab is the All-in-One Virtual Machine made available on the Cisco DevNet site.
While not a comprehensive lab, it is a quick and easy way to get some real command line experience or test smaller layer 3 challenges. This VM includes 3 routers with a total of 10 routed interfaces in use. There is no access to layer 2, so the topology can only be manipulated by shutting down interfaces on the routers.
Using the DevNet All-in-One Virtual Machine
Posted in Blogroll, CCNA, Certification, General, Network, Rant, Technology
Tagged career, ccna, ccna security, certification, cisco, network
I have a lot of discussions with vendors, peers and other friends in the business. One of the things that I find challenging is the nuances with the language of technology. Our conversations include things like traffic flow, NAT, SDN, Cloud and many of the other industry buzzwords. Our use of terminology often has different meanings to different people (and in different contexts).
While I don’t fully subscribe to the, There is no bad question philosophy, I believe questions should be asked liberally. The only questions I hate to hear are from those trying to prove their [superior] knowledge. Beyond that, individual research can help with the learning process. However, everyone should have the confidence to ask those questions necessary to grasp the conversation at hand. More than likely others will benefit from the clarification as well.
Posted in Rant
Tagged career, rant
I’ve been reading articles by Jeremy Stretch for several years now. His site, PacketLife.net, may be best know for the useful cheat sheets that cover everything from IGP routing protocols to Wireshark Display filters. This site doesn’t end with cheat sheets. It also has many useful articles about all things networking. So if you’re looking for a site to add to you feedreader, check it out.
Disclaimer–I continually get requests for a list of the blogs, podcasts and people I follow to “keep up” in this industry. As a result, I decided to start publishing some of the blogs I regularly read. Links to other content from PacketU or affiliated social channels should not be thought of as a universal endorsement or indication of independence or neutrality for a given external site. Readers should assess ALL applicable content before proceeding with actions that could adversely affect their environment.