TVIX +404% in 12 Trading Days

Covid-19 has caused panic in the stock market and TVIX is rocking. I almost feel bad about making money during this financial meltdown.

Posted in Uncategorized | Leave a comment

DMVPN with BGP & OSPF

While working on some older CCNP labs recently, I needed to get rid of the Frame Relay used in the various labs, since it's no longer in use and is not supported in EVE-NG. I originally connected everything via a generic cloud and used Ethernet interfaces, since that is the only interface type EVE-NG will support to the cloud. While this worked okay, I did not like the direct connectivity I was seeing between the routers, as it made the DMVPN tunnel I was building seem pointless.

Then I decided to use eBGP as the underlay for the DMVPN overlay. I chose a very simple implementation where the hub and spokes all connect to the same "ISP". This keeps the scenario simple, since the ISP just originates each site's /24 into BGP from a static route to Null0 and hands the other sites' prefixes back to each peer.

Now I'm using DMVPN in place of Frame Relay for all of my labs and it's working great. I had never worked with DMVPN before, so this was a great lab. Originally it was just a simple OSPF lab that "morphed" into something far more interesting. I'll post the configuration snippets below in case you are curious.

ISP-SINGLE-REDISTRIBUTED –> allowas-in (for multiple ISPs)

router bgp 1
 bgp log-neighbor-changes
 neighbor 11.11.11.1 remote-as 11
 neighbor 22.22.22.1 remote-as 22
 neighbor 44.44.44.1 remote-as 44
 network 11.11.11.0 mask 255.255.255.0
 network 22.22.22.0 mask 255.255.255.0
 network 44.44.44.0 mask 255.255.255.0
end

ip route 11.11.11.0 255.255.255.0 Null0
ip route 22.22.22.0 255.255.255.0 Null0
ip route 44.44.44.0 255.255.255.0 Null0

interface Serial1/0
 ip address 11.11.11.2 255.255.255.252
 serial restart-delay 0

interface Serial1/2
 ip address 22.22.22.2 255.255.255.252
 serial restart-delay 0

interface Serial1/3
 ip address 44.44.44.2 255.255.255.252
 serial restart-delay 0
end

BGP#sh ip bgp
     Network          Next Hop            Metric LocPrf Weight Path
 *>   11.11.11.0/24    0.0.0.0                  0         32768 i
 *>   22.22.22.0/24    0.0.0.0                  0         32768 i
 *>   44.44.44.0/24    0.0.0.0                  0         32768 i

DMVPN-HUB

interface Serial1/0
 ip address 11.11.11.1 255.255.255.252
 serial restart-delay 0

router bgp 11
 bgp log-neighbor-changes
 distribute-list 10 in
 network 11.11.11.0 mask 255.255.255.0
 neighbor 11.11.11.2 remote-as 1
end

access-list 10 deny   11.11.11.0
access-list 10 permit any

R1#sh ip bgp
     Network          Next Hop            Metric LocPrf Weight Path
 *>   22.22.22.0/24    11.11.11.2               0             0 1 i
 *>   44.44.44.0/24    11.11.11.2               0             0 1 i

Hub#sh ip route bgp
Gateway of last resort is not set
      22.0.0.0/30 is subnetted, 1 subnets
B        22.22.22.0 [20/0] via 11.11.11.2, 00:00:40
      44.0.0.0/30 is subnetted, 1 subnets
B        44.44.44.0 [20/0] via 11.11.11.2, 00:00:40

interface Tunnel1
 ip address 10.1.110.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 ip ospf network point-to-multipoint
 ip ospf cost 64
 tunnel source 11.11.11.1
 tunnel mode gre multipoint
end

HUB#sh dmvpn | i 1
        T1 - Route Installed, T2 - Nexthop-override
Interface: Tunnel1, IPv4 NHRP Details 
     1 22.22.22.1           10.1.110.2    UP 01:02:32     D
     1 44.44.44.1           10.1.110.4    UP 01:02:40     D

router ospf 1
 router-id 10.1.1.1
 area 24 stub no-summary
 redistribute static subnets
 network 10.1.110.0 0.0.0.255 area 24
 network 10.1.116.0 0.0.0.255 area 0
 neighbor 10.1.110.2 cost 10

HUB#sh ip ospf nei
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.6.6.6          0   FULL/  -        00:00:33    10.1.116.6      Serial1/1
10.4.4.4          0   FULL/  -        00:01:56    10.1.110.4      Tunnel1
10.2.2.2          0   FULL/  -        00:01:36    10.1.110.2      Tunnel1

Spoke #1

interface Serial1/2
 ip address 22.22.22.1 255.255.255.252
 serial restart-delay 0
end

router bgp 22
 bgp log-neighbor-changes
 distribute-list 10 in
 network 22.22.22.0 mask 255.255.255.0
 neighbor 22.22.22.2 remote-as 1
end

access-list 10 deny   22.22.22.0
access-list 10 permit any

R2#sh ip bgp
     Network          Next Hop            Metric LocPrf Weight Path
 *>   11.11.11.0/24    22.22.22.2               0             0 1 i
 *>   44.44.44.0/24    22.22.22.2               0             0 1 i

Spoke1#sh ip route bgp
Gateway of last resort is 10.1.110.1 to network 0.0.0.0
      11.0.0.0/30 is subnetted, 1 subnets
B        11.11.11.0 [20/0] via 22.22.22.2, 00:00:40
      44.0.0.0/30 is subnetted, 1 subnets
B        44.44.44.0 [20/0] via 22.22.22.2, 00:00:40

interface Tunnel1
 ip address 10.1.110.2 255.255.255.0
 no ip redirects
 ip nhrp map 10.1.110.1 11.11.11.1
 ip nhrp map multicast 11.11.11.1
 ip nhrp map 10.1.110.4 44.44.44.1
 ip nhrp map multicast 44.44.44.1
 ip nhrp network-id 10
 ip nhrp nhs 10.1.110.1
 ip nhrp nhs 10.1.110.4
 ip ospf network point-to-multipoint
 ip ospf cost 64
 tunnel source 22.22.22.1
 tunnel mode gre multipoint
end

Spoke1#sh dmvpn | i 1
        T1 - Route Installed, T2 - Nexthop-override
Interface: Tunnel1, IPv4 NHRP Details 
     1 11.11.11.1           10.1.110.1    UP 01:02:23     S
     1 44.44.44.1           10.1.110.4    UP 00:16:21     S

router ospf 1
 router-id 10.2.2.2
 area 24 stub
 network 10.1.110.0 0.0.0.255 area 24
 network 172.30.24.0 0.0.0.255 area 24
 distribute-list 10 in
end

Spoke1#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.1.1          0   FULL/  -        00:01:53    10.1.110.1      Tunnel1
10.4.4.4          1   FULL/DR         00:00:39    172.30.24.4     Ethernet0/0

Spoke #2

interface Serial1/3
 ip address 44.44.44.1 255.255.255.252
 serial restart-delay 0
end

router bgp 44
 bgp log-neighbor-changes
 distribute-list 10 in
 network 44.44.44.0 mask 255.255.255.0
 neighbor 44.44.44.2 remote-as 1
end

access-list 10 deny   44.44.44.0
access-list 10 permit any

R4#sh ip bgp
     Network          Next Hop            Metric LocPrf Weight Path
 *>   11.11.11.0/24    44.44.44.2               0             0 1 i
 *>   22.22.22.0/24    44.44.44.2               0             0 1 i

Spoke2#sh ip route bgp
Gateway of last resort is 10.1.110.1 to network 0.0.0.0
      11.0.0.0/30 is subnetted, 1 subnets
B        11.11.11.0 [20/0] via 44.44.44.2, 00:00:40
      22.0.0.0/30 is subnetted, 1 subnets
B        22.22.22.0 [20/0] via 44.44.44.2, 00:00:40

interface Tunnel1
 ip address 10.1.110.4 255.255.255.0
 no ip redirects
 ip nhrp map 10.1.110.1 11.11.11.1
 ip nhrp map multicast 11.11.11.1
 ip nhrp map 10.1.110.2 22.22.22.1
 ip nhrp map multicast 22.22.22.1
 ip nhrp network-id 10
 ip nhrp nhs 10.1.110.1
 ip nhrp nhs 10.1.110.2
 ip ospf network point-to-multipoint
 ip ospf cost 64
 tunnel source 44.44.44.1
 tunnel mode gre multipoint
end

Spoke2#sh dmvpn | i 1
        T1 - Route Installed, T2 - Nexthop-override
Interface: Tunnel1, IPv4 NHRP Details 
     1 11.11.11.1           10.1.110.1    UP 00:12:38     S
     1 22.22.22.1           10.1.110.2    UP 00:12:38     S

router ospf 1
 router-id 10.4.4.4
 area 24 stub
 network 10.1.110.0 0.0.0.255 area 24
 network 172.30.24.0 0.0.0.255 area 24
end

Spoke2#sh ip ospf nei
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.1.1          0   FULL/  -        00:01:53    10.1.110.1      Tunnel1
10.2.2.2          1   FULL/BDR        00:00:36    172.30.24.2     Ethernet0/0
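One thing worth checking before these stanzas leave the lab: none of the three Tunnel1 interfaces carries `tunnel protection ipsec profile` or `ip nhrp authentication`, so the overlay is plain mGRE across the "ISP", and any host that can reach a hub's NBMA address can send it NHRP registrations. The script below is an added example (not part of the original post) that parses the Tunnel1 stanzas as posted, checks that the NHRP network-id agrees across devices and that every `ip nhrp nhs` has a static map pointing at another device's tunnel source, and flags the two missing safeguards. The `HARDENED_HUB` stanza, the key `LABKEY1` and the profile name `DMVPN-PROF` are hypothetical; the IPsec profile itself (IKE policy, transform set) is not shown.

```python
"""Lint the Tunnel1 stanzas from this post. Added example, not from the original post."""
import re

# Tunnel1 stanzas copied from the post; OSPF and 'no ip redirects' lines dropped (not relevant here).
CONFIGS = {
    "hub": """interface Tunnel1
 ip address 10.1.110.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 tunnel source 11.11.11.1
 tunnel mode gre multipoint
end""",
    "spoke1": """interface Tunnel1
 ip address 10.1.110.2 255.255.255.0
 ip nhrp map 10.1.110.1 11.11.11.1
 ip nhrp map multicast 11.11.11.1
 ip nhrp map 10.1.110.4 44.44.44.1
 ip nhrp map multicast 44.44.44.1
 ip nhrp network-id 10
 ip nhrp nhs 10.1.110.1
 ip nhrp nhs 10.1.110.4
 tunnel source 22.22.22.1
 tunnel mode gre multipoint
end""",
    "spoke2": """interface Tunnel1
 ip address 10.1.110.4 255.255.255.0
 ip nhrp map 10.1.110.1 11.11.11.1
 ip nhrp map multicast 11.11.11.1
 ip nhrp map 10.1.110.2 22.22.22.1
 ip nhrp map multicast 22.22.22.1
 ip nhrp network-id 10
 ip nhrp nhs 10.1.110.1
 ip nhrp nhs 10.1.110.2
 tunnel source 44.44.44.1
 tunnel mode gre multipoint
end""",
}

# Hypothetical hardened hub: key and profile names are made up, and the IPsec
# profile 'DMVPN-PROF' would have to be defined elsewhere in the running config.
HARDENED_HUB = """interface Tunnel1
 ip address 10.1.110.1 255.255.255.0
 ip nhrp authentication LABKEY1
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 tunnel source 11.11.11.1
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
end"""

FIELDS = {  # single-valued settings: key -> regex with one capture group
    "address": r"ip address (\S+)",
    "network_id": r"ip nhrp network-id (\d+)",
    "auth": r"ip nhrp authentication (\S+)",
    "source": r"tunnel source (\S+)",
    "mode": r"tunnel mode (.+)",
    "protection": r"tunnel protection ipsec profile (\S+)",
}


def parse_tunnel(text):
    """Pull the settings the checks need out of one IOS tunnel stanza."""
    t = {"maps": {}, "nhs": []}  # maps: overlay (NHS) address -> NBMA address
    for line in (l.strip() for l in text.splitlines()):
        if re.match(r"ip nhrp map multicast ", line):
            continue  # multicast-only mapping, not an NHS mapping
        if m := re.match(r"ip nhrp map (\S+) (\S+)", line):
            t["maps"][m[1]] = m[2]
        elif m := re.match(r"ip nhrp nhs (\S+)", line):
            t["nhs"].append(m[1])
        else:
            for key, pat in FIELDS.items():
                if m := re.match(pat, line):
                    t[key] = m[1]
    return t


def lint(configs):
    """Return (device, code, detail) findings for a set of tunnel stanzas."""
    devs = {name: parse_tunnel(text) for name, text in configs.items()}
    findings = []
    ids = {t.get("network_id") for t in devs.values()}
    if len(ids) > 1:  # NHRP registration only succeeds within one network-id
        findings.append(("*", "network-id-mismatch", sorted(map(str, ids))))
    by_nbma = {t.get("source"): t.get("address") for t in devs.values()}  # NBMA -> overlay
    for name, t in devs.items():
        if not t.get("auth"):
            findings.append((name, "no-nhrp-authentication", "anyone reaching the NBMA address can register"))
        if not t.get("protection"):
            findings.append((name, "no-ipsec", "mGRE without tunnel protection is cleartext over the underlay"))
        for nhs in t["nhs"]:
            nbma = t["maps"].get(nhs)
            if nbma is None:
                findings.append((name, "nhs-without-static-map", nhs))
            elif by_nbma.get(nbma) != nhs:
                findings.append((name, "nhs-map-inconsistent", f"{nhs} -> {nbma}"))
    return findings
```

`lint(CONFIGS)` on the posted stanzas returns six findings, two per device (`no-nhrp-authentication` and `no-ipsec`), and no NHRP consistency findings, which matches the `show dmvpn` output above where every peer is UP. `lint({"hub": HARDENED_HUB})` returns nothing. Deleting one `ip nhrp map` line for a configured NHS produces `nhs-without-static-map`, the kind of mistake that is easy to make when a spoke lists a second spoke as an NHS the way Spoke #1 and Spoke #2 do here.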

When I get some extra time I'll add two more ISP routers so that each site is connecting to a different instance of AS 1. Then I'll use iBGP within AS 1 to forward the routes accordingly and verify that the tunnel can still be built through various hops, as opposed to all meeting on the same AS 1 router. This method is a better approximation of a real-world scenario.

Another option would be to use eBGP and have each site use a different ISP, then make the different autonomous systems talk to each other to form the tunnel. That is another very likely real-world scenario and one of the main reasons for using DMVPN.

Posted in bgp, dmvpn, Networks, ospf | Leave a comment

CCNP Enterprise (Routing and Switching)

Happy to say that I passed my CCNP re-certification after letting it expire in 2016. It felt good getting back in the lab and running through various routing and switching problems. I used EVE-NG to study with, it’s simply amazing software.

Posted in Uncategorized | Leave a comment

Site Reliability Engineering: How Google Runs Production Systems

If you support systems at scale then you must read the Google SRE book! Do yourself and your team a favor by making sure you don't repeat the mistakes in this book! This should be required reading for all managers and front-line engineers.

Posted in Books | Leave a comment

Chromecast WPA-EAP from guest WiFi

You may have recently seen the article about the FBI recommending that all IoT devices be placed onto their own networks for security purposes. The reason is that security in IoT devices has been notoriously bad and, in some cases, non-existent.

That got me thinking about the Chromecast that was sitting on my LAN and looking for solutions to make it more secure. The unfortunate thing about the Chromecast is that it does not support WPA-EAP (WPA-Enterprise) security, only WPA-PSK. Lucky for me, I also have an "Ultra" version which supports 4K and has an Ethernet port; without this Ethernet port I would be forced to dumb down my WiFi to make the Chromecast work.

What I found out, through much trial and error, is that the Chromecast uses mDNS to find the various network components needed to make the necessary connectivity. All of my attempts were failing because the mDNS was not propagating across broadcast domains. The missing piece was Avahi, available as a package in pfSense, which forwards mDNS requests across broadcast domains.

Once this package was in place, the Chromecast was able to configure itself correctly in the wired DMZ portion of my network. Moreover, with the mDNS being forwarded across selected broadcast domains, WiFi clients are able to stream to the IoT device while using the much more secure WPA-EAP, which the Chromecast's wireless NIC does not support (it only does WPA-PSK).

This solution has the added benefit of allowing clients on the Guest WiFi (WPA-EAP, VLAN 99) to cast to the IoT device sitting in the DMZ. All of this is accomplished without enabling "Guest Mode" on the Chromecast and without having to drop down to a less secure version of WiFi security. Moreover, I found that I now have the ability to cast content from my Plex server, connected over VPN, via LAN, DMZ, or the Guest WiFi.

Therefore I've essentially set up my IoT device to work securely from four different networks while isolating it in a DMZ network, with a little trial and error. Of course there are lots of firewall rules to make it all happen; if you want to know more, head to the Home Lab section for the configuration specifics and some examples.
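For anyone wiring up the same thing, here is an added example (not from the post, Avahi or Google) that shows what the reflector actually has to carry between VLANs: a Python script that builds the mDNS PTR query a caster sends for `_googlecast._tcp.local`, decodes a reply of the kind a Chromecast returns (PTR to the service instance, SRV with the cast port and hostname, A record with the address), and can send the query on a live segment. mDNS goes to 224.0.0.251 port 5353 with an IP TTL of 255 and is link-local, which is why it never crosses a VLAN boundary on its own. The sample response, the instance name, the hostname and the address 10.99.0.20 are constructed for the example.

```python
"""mDNS (RFC 6762) query/response encoding for Chromecast discovery.
Added example, not from the original post, Avahi or Google."""
import socket
import struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353   # link-local multicast; never routed
CAST_SERVICE = "_googlecast._tcp.local"
TYPE_A, TYPE_PTR, TYPE_SRV, CLASS_IN = 1, 12, 33, 1


def encode_name(name):
    """DNS wire format: length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def build_query(name=CAST_SERVICE, unicast_response=False):
    """One-question mDNS query: ID 0, no flags. The QU bit (top bit of QCLASS)
    asks responders to answer by unicast to the sender instead of to the group."""
    qclass = CLASS_IN | (0x8000 if unicast_response else 0)
    return struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", TYPE_PTR, qclass)


def decode_name(buf, off):
    """Read a (possibly compressed) name; return it and the offset just after it."""
    labels, end = [], None
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            end = end if end is not None else off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode())
        off += length
    return ".".join(labels), (end if end is not None else off)


def build_response(records):
    """Constructed reply: QR|AA flags, no question, one RR per (name, type, ttl, rdata)."""
    out = struct.pack("!HHHHHH", 0, 0x8400, 0, len(records), 0, 0)
    for name, rtype, ttl, rdata in records:
        if rtype == TYPE_PTR:
            rd = encode_name(rdata)
        elif rtype == TYPE_SRV:  # rdata = (port, target); priority and weight 0
            rd = struct.pack("!HHH", 0, 0, rdata[0]) + encode_name(rdata[1])
        elif rtype == TYPE_A:
            rd = socket.inet_aton(rdata)
        else:
            rd = rdata
        out += encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rd)) + rd
    return out


def parse_response(buf):
    """Return every RR in the packet as (name, type, ttl, rdata), decoding PTR, SRV and A."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):  # skip the question section
        _, off = decode_name(buf, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(buf, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        start, off = off, off + rdlen
        rdata = buf[start:off]
        if rtype == TYPE_PTR:
            rdata = decode_name(buf, start)[0]
        elif rtype == TYPE_SRV:
            rdata = (struct.unpack("!H", rdata[4:6])[0], decode_name(buf, start + 6)[0])
        elif rtype == TYPE_A:
            rdata = socket.inet_ntoa(rdata)
        records.append((name, rtype, ttl, rdata))
    return records


# Constructed sample of what a Chromecast answers; instance name, host and address are made up.
INSTANCE = "Chromecast-Ultra-abc123." + CAST_SERVICE
SAMPLE_RESPONSE = build_response([
    (CAST_SERVICE, TYPE_PTR, 4500, INSTANCE),
    (INSTANCE, TYPE_SRV, 120, (8009, "abc123.local")),
    ("abc123.local", TYPE_A, 120, "10.99.0.20"),
])


def probe(timeout=2.0):
    """Send the query to the mDNS group and collect replies for `timeout` seconds.
    Only devices on this segment answer unless a reflector relays the packets."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)
    sock.settimeout(timeout)
    sock.sendto(build_query(unicast_response=True), (MDNS_GROUP, MDNS_PORT))
    seen = []
    try:
        while True:
            data, _ = sock.recvfrom(9000)
            seen.extend(parse_response(data))
    except socket.timeout:
        pass
    return seen
```

`probe()` returns whatever answers on the VLAN you run it from, so running it from the Guest or LAN side before and after enabling the reflector is a quick way to confirm the DMZ Chromecast is visible. Keep in mind the reflector only relays discovery: the casting session itself is unicast TCP from the client to the address and port in the SRV/A records, and that traffic still needs explicit firewall rules between the VLANs.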

Posted in IoT, Security | Leave a comment

Delegated Credentials: Improving the security of TLS certificates

This is worthy of a share if you are interested in TLS. Facebook, Cloudflare, and Mozilla are working together within the IETF on delegated credentials, an extension to TLS 1.3 that lets a server terminate connections with a short-lived key signed by the certificate's own key, so the long-lived private key does not have to be deployed to every edge server. Facebook Engineering gives a great overview in the article below.

Posted in Security | Leave a comment

Tutanota: Secure email, calendar and contact list

Today I upgraded my email provider to Tutanota. They provide encrypted email hosted on servers in Germany. In addition to the encrypted inbox, you can easily send end-to-end encrypted emails to users of other services like Gmail. Fellow Tutanota users have their emails automatically encrypted end-to-end with no effort at all on their part, as it's built into the service by default.

I opted for the premium service, was able to set this up using my own domain name, and was provided 5 email aliases. The price was very reasonable and it was a HUGE security improvement over the crappy email service my hosting provider was giving me. I highly encourage everyone to check out this open source email service that focuses on privacy and security, and ditch your Gmail account that scans your emails to deliver ads!

Posted in Security | Leave a comment

Site Back Online

The website is back online after a small hiatus. I'm pretty sure my old WordPress instance had been hacked, so I nuked the entire site and left it dormant for a while. Now I'm starting to rebuild it to highlight some of the things I'm interested in.

It's a work in progress, so bookmark the site and check back if you like, but it will probably be hacked again since my hosting provider is so bad at security. I'll need to look into alternatives after reading an article about how easy it is to hack their console site.

Posted in Uncategorized | Leave a comment