Cisco ACE: Insert Client IP Address

Source-NAT (also referred to as one-armed mode) is a common way of implementing load balancers into a network. It has several advantages over routed-mode (where the load balancer is the default gateway of the servers), most importantly that the load balancer doesn’t need to be Layer 2 adjacent/on the same subnet as the servers. As long as the SNAT IP address of the load balancer has bi-directional communication with the IP address of the servers, the load balancer can be anywhere. A different subnet, a different data center, even a different continent.

However, one drawback is that with Source NAT the client’s IP address is obscured. The server’s logs will show only the IP address of the SNAT address(es).

There is a way to remedy that if the traffic is HTTP/HTTPS, and that’s by having the load balancer insert the true source IP address into the HTTP request header from the client. You can do it with the ACE by putting it into the load balance policy-map.

policy-map type loadbalance http first-match VIP1_L7_POLICY
  class class-default
     serverfarm FARM1
     insert-http x-forwarded-for header-value "$is"

But that alone is not enough. There are two extra steps you need to take.

The first step is you need to tell the web server to log the X-Forwarded-For header. For Apache, it’s a configuration file change. For IIS, you need to run an ISAPI filter in IIS.

The other thing you need to do is fix the ACE’s attention span. You see, by default the ACE has a short attention span. The HTTP protocol allows you to make multiple HTTP requests on a single TCP connection. By default, the ACE will only evaluate/manipulate the first HTTP request in a TCP connection.

So your log files will look like this:

1.1.1.1 "GET /lb/archive/10-2002/index.htm"
- "GET /lb/archive/10-2003/index.html"
- "GET /lb/archive/05-2004/0100.html HTTP/1.1"
2.2.2.2 "GET /lb/archive/10-2007/0010.html"
- "GET /lb/archive/index.php"
- "GET /lb/archive/09-2002/0001.html"

The “-” indicates Apache couldn’t find the header, because the ACE didn’t insert it. The ACE did add the first source IP address, but every request after it in the same TCP connection was ignored.

Why does the ACE do this? It’s less work for one, only evaluating/manipulating the first request in a connection. Since browsers will make dozens or even hundreds of requests over a single connection, this would be a significant saving of resources. After all, most of the time when L7 configurations are used, it’s for cookie-based persistence. If that’s the case, all the requests in the same TCP connection are going to contain the same cookies anyway.

How do you fix it? By using a very ill-named feature called persistence-rebalance. This gives the ACE a longer attention span, telling the ACE to look at every HTTP request in the TCP connection.

First, create an HTTP parameter-map.

parameter-map type http HTTP_LONG_ATTENTION_SPAN
  persistence-rebalance

Then apply the parameter-map to the VIP in the multi-match policy map.

policy-map multi-match VIPsOnInterface
  class VIP1
    loadbalance vip inservice
    loadbalance policy VIP1_L7_POLICY
    appl-parameter http advanced-options HTTP_LONG_ATTENTION_SPAN

With that in place, the IP address will show up in all of the log entries.

1.1.1.1 "GET /lb/archive/10-2002/index.htm"
2.2.2.2 "GET /lb/archive/10-2003/index.html"
1.1.1.1 "GET /lb/archive/05-2004/0100.html HTTP/1.1"
2.2.2.2 "GET /lb/archive/10-2007/0010.html"
1.1.1.1 "GET /lb/archive/index.php"
2.2.2.2 "GET /lb/archive/09-2002/0001.html"

But remember, configuring the ACE (or load balancer in general) isn’t the only step you need to perform. You also need to tell the web service (Apache, Nginx, IIS) to use the header as well. None of them automatically use the X-Forwarded-For header.
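As an added illustration (not ACE or Apache code, and not from the original post), here is a small Python model of the behaviour above: a load balancer that inserts X-Forwarded-For on only the first request of a keep-alive connection unless persistence-rebalance is on, and an Apache-style log that prints "-" when the header is missing. The SNAT address, hostname and request stream are constructed; the logger additionally honours the header only when the TCP peer is the SNAT address, a check worth adding on the web server side so a client that reaches the server directly cannot write its own value into the log.

```python
import re

# Assumed SNAT address the load balancer sources its server-side connections from
# (constructed value, not from the original post).
SNAT_ADDR = "10.0.0.5"


def split_requests(stream: bytes) -> list:
    """Split a keep-alive TCP stream into individual header-only HTTP requests."""
    parts = stream.split(b"\r\n\r\n")
    return [p + b"\r\n\r\n" for p in parts if p.strip()]


def insert_xff(request: bytes, client_ip: str) -> bytes:
    """Add X-Forwarded-For after the request line, the effect of
    `insert-http x-forwarded-for header-value "$is"` on the ACE."""
    request_line, sep, rest = request.partition(b"\r\n")
    return request_line + sep + f"X-Forwarded-For: {client_ip}\r\n".encode() + rest


def load_balancer(stream: bytes, client_ip: str, persistence_rebalance: bool) -> bytes:
    """Default ACE behaviour: only the first request on the connection is
    inspected and rewritten. With persistence-rebalance every request is."""
    out = []
    for index, req in enumerate(split_requests(stream)):
        if index == 0 or persistence_rebalance:
            req = insert_xff(req, client_ip)
        out.append(req)
    return b"".join(out)


def access_log(stream: bytes, peer_ip: str) -> list:
    """One log line per request, in the style of the post's samples: the
    X-Forwarded-For value (or '-' when absent, as Apache's %{X-Forwarded-For}i
    prints) followed by the quoted request line. The header is only trusted
    when the TCP peer is the load balancer's SNAT address; anything else is
    logged by its real peer address so a self-supplied header cannot spoof it."""
    lines = []
    for req in split_requests(stream):
        request_line = req.split(b"\r\n", 1)[0].decode("ascii", "replace")
        match = re.search(rb"(?im)^X-Forwarded-For:[ \t]*([^\r\n]+)", req)
        if peer_ip != SNAT_ADDR:
            src = peer_ip
        elif match:
            src = match.group(1).decode("ascii", "replace").strip()
        else:
            src = "-"
        lines.append(f'{src} "{request_line}"')
    return lines


# Constructed keep-alive stream: three GETs from one client on one TCP connection.
CLIENT_STREAM = (
    b"GET /lb/archive/10-2002/index.htm HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
    b"GET /lb/archive/10-2003/index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
    b"GET /lb/archive/05-2004/0100.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
)


def demo(persistence_rebalance: bool) -> list:
    """Run the constructed stream through the load balancer and log it."""
    forwarded = load_balancer(CLIENT_STREAM, "1.1.1.1", persistence_rebalance)
    return access_log(forwarded, SNAT_ADDR)


if __name__ == "__main__":
    print("Without persistence-rebalance:")
    print("\n".join(demo(False)))
    print("With persistence-rebalance:")
    print("\n".join(demo(True)))
```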

I don’t know if they’ll try to trick you with this in the CCIE Lab, but it’s something to keep in mind for the CCIE and for implementations.

CCIE Data Center: It’s Official

My twitter mentions were blowing up like a Michael Bay movie about the news that the CCIE Data Center certification was officially-officially announced at Cisco Live! in Melbourne this week. We’ve been teased with it for years, such as thinking we were getting it at Cisco Live last year, but our hopes were dashed. Even when a PDF was found on the Virtual Live site, we were still a little apprehensive. Now we finally have full on confirmation.

Timeline? Written beta tests will be available in May, and apparently any passing grades there will allow you to take the lab. The CCIE DC Lab will be available September.

I’ll be taking the beta written the first day I possibly can, and likely will take the lab shortly after it’s available.

The equipment/subject list was what we expected from the PDF found at the Cisco Virtual Live website.

Let’s take a look at the equipment list, shall we?

Cisco Catalyst Switch 3750

Hilariously enough, this is the one device in the entire list of devices that I can’t ever remember having logged into. I’ve got Cat 6K experience, but not the 3750s. I’ll have to figure out what I need to know on these guys.

Cisco 2511 Terminal Server

Well, duh. Plenty of experience here, although I could stand to brush up on it. I wonder if they’ll make us set it up, or if it’s transparent to the infrastructure.

MDS 9222i

Interesting choice, instead of an MDS 9500. I’m studying for the CCIE Storage anyway, so this should be good. I don’t see mention of FICON, which is good. Because screw FICON.

Nexus 7009, 5548, 2232 FEX

I’ve taught Nexus before, and I’m still cert’d to do so, I just haven’t in a while. Fortunately, it doesn’t appear that any routing protocols are included in the subject list. I don’t deal with routing on a day-to-day basis, so it’s tough to get practice on them. My old nemesis is listed though, multicast (and IGMP). FabricPath and OTV are fairly new to me, but I should be able to get up and running on them quickly, especially since FabricPath is TRILL-ish.

Nexus 1000v

I’ve taught Nexus 1000v (DCUCI). Could always use more practice, but I’m good there.

Cisco UCS B-Series, Cisco ACE 4710 Appliance

UCS? ACE? Why Cisco, I thought you’d never ask.

I’ve been teaching ACE for the past 4 years, and I’ve done lab and course development for it. I’ve been teaching UCS almost weekly for the past 2 years, and I’ve also done course and lab development for it. So I’m totally prep’d for this, both written and lab.

I may not even need to study for the UCS and ACE sections. (ed: Bold statement there, buddy.)

Dual Attached JBODs

Need some lab practice on this with the MDS.

Not For Your Laundry Room

One thing is certain, you’re not going to build your own home lab on this. The equipment list is fairly cash intensive, so it’ll be interesting to see how the rental racks get priced out. As soon as I possibly can, I’d love to start teaching CCIE DC boot camps.

Tony’s Take

Now that it’s all official, I’m stoked. This is the CCIE I’ve always dreamed of. A R&S CCIE wouldn’t really help my day-to-day work, and there are lots of aspects of a R&S that don’t really interest me. Everything about the CCIE DC (except the 3750s perhaps) interests me. Data center was a pretty big gap in Cisco’s certification track (there were a couple of specialization certifications but they don’t have much cachet).

You’ll be seeing a lot of posts from me in regards to my prep for the tests and the lab. Perhaps I’ll put together an ACE workbook. Should be fun.

CCIE Data Center: It’s On Like Donkey Kong

My colleague Mike Crane pointed me to a PDF, and it looks like the CCIE Data Center certification is on, and it’s going to be announced at Cisco Live Australia this month.

This is how I looked when I saw the PDF on CCIE DC

If you go to the Ciscolive Virtual Session catalog (you can sign up to the site for free) and take a look at BRKCRT-1612, it lists the topics covered in the blueprint as:

  • Cisco Nexus 7000, 5000, 2000, 1000v
  • Cisco ACE 4710 (and presumably the GSS)
  • Cisco MDS
  • UCS
  • Catalyst 3750 (really?)

Pretty much what we expected, although there’s no WAAS (which surprised me). The ACE portion also surprised me, as I’d wondered if Cisco was really committed to the ACE. If it’s going to be in the CCIE DC track, they’re locked in to the ACE line for years.

But yeah, I’m so into this. The only CCIE track before DC that was even remotely relevant to what I do was Storage. If I went for the R&S it would represent maybe 20% of what I do, with 80% being fairly extraneous. DC is right up my alley.

Initial Thoughts on Apple’s New Initiative

When I heard about Apple’s new education initiative, I got excited. For one, it’s Apple. And yes, I’m a fanboy. So, like… Squeeeeeeee.

Tony, you have a problem

But it’s not algebra or geography books geared towards primary education that excites me (although that’s pretty cool), it’s how it could revolutionize IT ebooks.

Right now the primary market for technical books is print books. There are technical eBooks available on a variety of eBook platforms, but for the most part, technical books are a print business, with eBooks as an afterthought.

This approach has worked since the tech industry began, but it does have its limitations.

For one, tech books usually have a percentage of their content that’s out of date by the time it reaches the shelves. Technical books can take over a year to get from outline to ending up on the shelves, and naturally the fast-paced industry moves out from under the book. And doing an update or corrections to a book is a major effort. If it’s C programming, it’s probably not too much of an issue. But a book on FCoE or VXLAN? There’s bound to be lots of changes and corrections within the span of a year.

What do you mean my book on cell phones isn’t current?

Also, eBooks right now are mostly just electronic versions of the paper books (ed: duh). The electronic format could do a whole lot more than just words on a page, as shown by Apple in their presentation. With a fully interactive eBook, there could be animations (really awesome for networking flows), interactive quizzes (and huge test banks, not just 10 questions per chapter).

And right now eBooks seem to be an afterthought. Not all physical titles are available in eBook format (hint, several important and influential Fibre Channel books), and the ones that are can seem like a rush job. In my preparation for the CCIE Storage written test, I picked up this ebook on the Kindle platform: CCIE Network Storage. The ebook version was riddled with formatting errors which made it sometimes difficult to follow. Also, it looks like they’ve even taken it off Kindle.

Right now my favorite eBook format is the Kindle. Despite being an Apple fanboy, Kindle has the largest library of technical books, by far. And Kindle’s reader and cloud storage make managing your library stupid easy. Apple also makes it easier, although the platform is limited to Apple devices, and the tech library doesn’t seem to be as comprehensive. All of this is in stark contrast to Adobe’s shitty eBook platform, which seems to want to destroy eBooks.

The Controversy

So the controversy is in Apple’s EULA. If you create an iBook with the iBook Author, that “Work” must be distributed through the Apple iBook store if you charge a fee for it. The tricky part is how Apple defines the term “Work”. Right now it’s a bit ambiguous. Some claim that the term “Work” defines the totality of the book. Others (like the Ars article) say “Work” only defines the output of the iBook Author program (PDF of Apple’s proprietary eBook format).

So if I write a book, and create an eBook version of it with Apple’s iBook Author (which looks like it creates amazingly interactive ebooks), can I take the material from the book and make a (probably less interactive) Kindle version of the book?

Tony’s Take

Whether you like Apple or not, you have to admit this certainly ups the game. It’s high time eBooks took center stage for technical eBooks, instead of being an afterthought.

Right now the networking and data center landscape is changing fast, and we need new and better ways to cram new knowledge into our brainbags. A good interactive ebook, riddled with animations, audio, and large test banks would certainly go a long way to help. I don’t really care if it’s Apple or Amazon that provide that format. But right now, it looks like Apple is the only one saddling up.

Is The Pearson VUE Testing Center Network Collapsing?

Since my day job is teaching, I need to do a lot of certification tests. There are periods of time when I seem to live in a Pearson VUE testing center. However, in the past three months I’ve noticed the number of testing centers has dropped significantly. There used to be three in the Portland metro area, but about three months ago that number went down to zero. One came back, but there aren’t any open testing dates until March now.

Which is a problem, because I need to do my VCP5 certification before Feb 29th, 2012, otherwise in order to get the VCP5 certification I’ll have to take a course (I’m a current VCP4 holder).

I brought this up on Twitter a few months ago, and a few people responded they had issues as well recently with no local testing centers.

So I wonder, is the Pearson VUE testing network collapsing? Or is it just Portland, Oregon?

My dream of a VCP5 is collapsing

Dare To Be Stupid

I was fortunate to be a guest again on the Packet Pusher’s Podcast recently, and one of the topics was an audience question regarding how to keep up with all that’s going on in the networking world. The group as a whole came up with some great insights, but I thought this would also make a great blog post.

Depending on your point of view, it can either be an exciting time or a terrifying time to be in data center networking. Here’s a small list of all the new stuff that you’re likely going to have to be familiar with: LISP, OTV, SPB, Fabric Path, TRILL, FCoE, FCoTR, BSP, IPv6, IS-IS, VXLAN, NVGRE, NPV, NPIV, EVB, as well as technologies that have been around for a little while but are much more prominent in a networker’s life such as iSCSI and Fibre Channel. And that’s just the data center. With campus and enterprise networking, you’ve got VOIP, unified communications, MPLS, VPLS, metro Ethernet, and more.

*BSP: The Bullshit Protocol. Used to see if you’re paying attention.

So how do you keep up with all this? I’ll admit, it can be a bit overwhelming. But the answer comes from the timeless wisdom of Weird Al Yankovic: Dare to be stupid.

One of the greatest mistakes I see people making in IT is that they stop learning. This is a common folly, and it never ends well. I know this because this is a mistake I’ve made big time. Let’s take the wayback machine to the late ’90s, early 2000s.

This was a period in my career where I thought I was hot shit. In the late 90s and early 2000s, I was an expert in load balancing, and everyone who wanted to know information about load balancing came to me. I was Mr. Load Balancer.

We all have an inner one of these

But there were huge, huge gaps in my knowledge. Gaps in networking, gaps in system administration, and gaps in my HTTP knowledge. During the heyday of the First Great Internet Bubble, technical talent was a scarce and precious resource, and anyone with experience and skills did very, very well. It made for a great living, but the downside was that it made it very easy to ignore skills gaps, and ignore those gaps I did. I thought that because I was hot shit, that I didn’t need to spend too much time learning. I didn’t dare be stupid.

But it caught up with me. I did a telephone interview with a load balancing vendor, and I got ripped to shreds. They found the gaping holes in my knowledge easily, and it was quite a humbling experience. Initially I was angry, and I thought they were being overly pedantic (something I still dislike). But it wasn’t the IP header overhead of an unladen swallow that I didn’t know, it was core concepts that I didn’t know.

It took a while, but my ego healed enough to realize I had a problem: I had to get my shit together. They were right to rip me to shreds (they were nice about it, but having large areas of ignorance in an area you thought you knew well is fairly unpleasant).

Moral of the story? Don’t rest on your laurels, and dare to be stupid. Otherwise, it will be your undoing. And if you’ve been too chicken to be stupid, it’s not too late. I eventually got my shit together. When I started my track to become a Cisco Certified Systems Instructor (CCSI), I confronted those huge gaps head on, and it was humbling. On my first attempt at the CCNA, I failed so badly that I thought John Chambers was going to get a phone call. I thought I was good at networking, but I couldn’t even do proper subnetting. (Like most sysadmins, if it wasn’t a class C subnet, 255.255.255.0, I was completely lost.)

What the fuck does 255.255.255.224 mean?

Eventually I learned subnetting, networking, and filled in the gaps. And I know what 255.255.255.224 means. So always be learning. And a trick I’ve used to continually learn is to learn something not related to computers. You’d be amazed at the insights you can get from learning a completely unrelated skill. For instance, in the past 5 years I’ve learned how to scuba dive, fly a plane, and ballroom dance. Each one of those gave me incredible insights into how I learn. Keep at it.

The Magic Words

The three magic words in IT are also among the most painful to say: “I don’t know”. That’s especially true for me, an IT instructor. I’m supposed to know the answer, but I don’t always do. So saying “I don’t know” is quite painful.

In IT, knowledge is our currency, and ignorance is poverty. So it’s really tough to admit ignorance. But it’s important to fight that urge, and say the words “I don’t know”.

Even with that motto, part of me still cringes when those words escape my lips. I have a confession to make: During the most recent podcast I was on, Ethan asked me if I knew about vPC with the Nexus 2000 FEX. My response was “It’s been so long since I taught Nexus 7000”. That was basically me being too much of a chicken shit to say “I have no frakkin’ clue.”

Don’t Be An Asshole

Have you ever worked with someone who made you feel small? Where they seem to take delight in showing you how you fucked up? Do they take delight in highlighting your ignorance? Someone who enjoys a good gotcha?

Fuck those people.

Also, stay away from them. Avoid them like the plague. They create environments that are not conducive to learning. Learning is filling in the gaps of knowledge, and it’s tougher to do that when you don’t feel safe to admit you don’t know the answer.

I used to work with a guy like that back in 1998. I was a green Unix administrator whippersnapper, and there was a senior admin who used his powers for evil. He would lord his knowledge over us lesser experienced people. It was a hostile environment for growing. It backfires on them, however, since they stop growing too. They’ll be stuck at their skill level, because they’ll avoid areas where they aren’t the smartest person in the room. They don’t dare to be stupid.

And for Kirk’s sake, don’t be one of those people. Don’t be an asshole, be a teacher. If someone has a lesser level of knowledge on a subject, don’t berate them, don’t lord it over them, help them understand. Want to know how well you know a subject? Explain it to someone who isn’t familiar. You’ll figure out a topic much more comprehensively that way. That’s one of the secrets of blogging, you learn more about a subject simply by writing about it and organizing your thoughts on it (and coming up with clever pictures and captions).

Pull A Superman 2

I’m fortunate enough to have been invited to be a delegate for Network Field Day 2. If you’re not familiar with Network Field Day, it’s a networking-oriented offshoot of Tech Field Day, the brain child of Stephen Foskett, storage expert extraordinaire (check out his great talk on iSCSI and FCoE). If you want to keep up with the future of IT developments, whether it’s storage, networking, or virtualization, pay attention to Tech Field Day and its offshoots. The companies that present (for the most part) aren’t pitching old ideas, they’re pitching what’s next. (For instance, Fsck It! We’ll Do It All in SSDs!)

When I take a look at the other delegates for the upcoming Network Field Day 2, I can only come to one conclusion: I’m not worthy.

Ivan Pepelnjak, Greg Ferro, Ethan Banks, Tom Hollingsworth, Brandon Carrol (along with my fellow former condescending Unix administrator Mrs Y.): these are some of the smartest, most experienced people in networking. And they love to share. I’m not at their level, and I’m likely going to embarrass myself. But I’m going anyway, because it’s a great opportunity to soak up as much knowledge from them as I can. I’m even preparing my own Superman 2 chamber, where I can steal their powers and abilities. And I’m doing it by daring to be stupid.

Surround yourself with people who know more than you, and like sharing that knowledge. You’ll naturally soak up their power.

So if you want to increase your kung fu, learn all the things, and bring out your inner “fuck yea”, then dare to be stupid.

The CCIE Datacenter Plan

On the CCIE Data Center (or Centre, if you speak the Queen’s English) front:

The rumor had been that Cisco was going to announce a new CCIE Data Center track, possibly replacing the CCIE SAN track. That didn’t quite happen.

I took a look at the PDF (BRKCCIE-1001_c2_Rev_2.pdf) of the CCIE update presentation (you can take a look yourself for free by going to the Cisco Live 2011 site). They gave a quick overview of the CCIE tracks, an expanded intro to the CCIE SAN track, and mentioned that CCIE SAN will likely be updated in the future with data center subjects like ACE, WAAS, DC switching technologies (QoS, vPC), UCS, etc.

The most promising part of the presentation was the schedule, which showed them referring to the CCIE DC/SAN.

Back, and to the left. Back, and to the left.

So a bit of a buzzkill. I was hoping they’d go full bore with a CCIE DC track. It seems it might not be out for a while, perhaps a year before it’s actually updated to be SAN/DC. Tom Hollingsworth of Networking Nerds thinks it’s 12-18 months out.

So here’s my plan. I’m going to finish up my CCNP (ROUTE and TSHOOT to go), and then go for the existing CCIE SAN. That’s probably going to take a year before I’m ready to take the lab. If the CCIE data center track isn’t announced by then, I’ll just take the lab.

They did announce a few details as to what they will likely add to the track:

* ACE
* WAAS
* Cisco UCS

Which is awesome, because I’ve been teaching and consulting with ACE for 3 years now, and teaching Cisco UCS for a year and a half. I got those down pat. About 3 years ago I got TTT (train-the-trainer) for Cisco WAAS, and I think I’m cert’d, but never ended up teaching it. I’m familiar with it, but it’d take some refamiliarization.

Eventually, I’d love to give bootcamps for CCIE DC (CCSI after all).

CCIE Data Center?

The CCIE certification from Cisco is widely considered to be one of the best, toughest certifications to get.

Generally obtaining this certification requires months, if not years of preparation, abandoning free time (and in some cases, hope). You hear of CCIE widows/widowers. It has a high failure rate the first attempt, and some (really smart people too) take several attempts.

I haven’t seriously considered getting a CCIE, despite working a lot in the Cisco realm (I’m a Cisco Certified Systems Instructor). And it’s not because of the insane prep and soul crushing defeats. I mean, something difficult and insane? Sign me up. (I enjoy insane goals, like running marathons and training to be an aerobatic pilot.)

The problem is relevance. Right now there are six different CCIE tracks: CCIE Route & Switch, CCIE Storage, CCIE Service Provider, CCIE Security, CCIE Wireless, and CCIE Voice. The vast majority are CCIE R&S. CCIE Wireless has less than 50 at last count.

Not one of them would dramatically increase my skills in areas that I typically work in. I deal with switching, a bit of spanning-tree, virtualization, and storage (some FC, more FCoE, and iSCSI). Things I never deal with, ever: ATM, voice, metro Ethernet, routing protocols (although IS-IS may be a new skill I need to pick up).

This will require intense study. Right after I check Twitter.

For a year or so now however, there’s been a rumor that a CCIE Data Center is coming. It would likely involve MDS/storage, FCoE, Nexus switching, UCS, even some load balancing and WAAS.

So I’m hoping it gets released soon. I would be all over that shit.