
Mildly Interesting Things

  • Linux Dynamic Memory in Hyper-V 2012 R2

    Dynamic Memory Works with Linux Hyper-V in Server 2012 R2; sorta.

    I'm a big fan of Hyper-V for small businesses and enterprises. With great features like Replica and the easy Hyper-V Manager, it's a real cinch for a small organization or lab work. The newest Linux kernels have some built-in Hyper-V guest services support, including dynamic memory for guests, with a few caveats. It even works in 2012 (non-R2) with some installations, so I think it's more of something that is supported in the newer Linux kernels than any special change on the Windows side. It seems to be changing a bit as newer kernels are released for CentOS and Ubuntu, but it's not a perfect science and I have it turned off for most guests at the moment.

    If you had the Hyper-V packages installed via yum or apt-get, those are no longer needed and can be removed if your kernel is reasonably up to date in CentOS or Ubuntu 13. I think it works in the latest Ubuntu 12 kernel, but I haven't messed with that in a while, so I need to check back on that.

    There seem to be several problems. The first is that after the guest has been running for some time, the system load reported in the Linux guest will be 1.00 instead of 0.00 when the guest is idle. This is more of a cosmetic problem, but it could affect services that are set to suspend when the system load is up, and it also messes with the SNMP reporting. It's a minor thing, but an annoyance.

    The second problem is that memory will not exceed the startup memory. For example, if your VM is set to start with 1024M and has dynamic memory enabled, it will never exceed 1024M. This is not true for Windows guests, which will expand up to the maximum set in the dynamic memory area (as available). It will reduce the memory and grow it back if needed, so setting it larger for startup is fine because it will prune it.

    The third problem is that the memory buffer does not work well. I'm not sure if this is because it reacts too late, or what, but my Linux-based DNS server shrank down to 192MB of RAM when it really needed about twice that to function well. Increasing the buffer works to make it more aggressive in assigning RAM, and I have found that this is worth increasing for Windows hosts as well. It tends to prune a bit too much.

    Finally, I've had a few crashes where the Linux kernel panics about not enough memory. I'm not sure if increasing the memory buffer will help this, but for the moment I have most of the Linux guests back on static memory assignment. If your application is very stable in memory usage, such as my DNS server, it seems to work fine. If it has sudden surges of memory demand, it seems not ready for prime time. This is my experience so far; your mileage may vary. Hit me on Twitter or Google+ if you want to talk about it.

    Written on Monday, 20 January 2014 09:40 in Technology
  • SIP Packets Should Trump RTP Packets

    Is signalling more important than the media it enables?

    I like to shape traffic

    I feel like there is a disconnect between the importance of control messages and the priority they are given on the internet. VoIP RTP and other media streams that need real-time treatment (ToS / DSCP EF / IP precedence 5) make sense to prioritize; I'm happy to drop an FTP or HTTP packet before a voice packet. Where I think there is a disconnect is on the signalling side, such as ICMP or SIP, and I worry this will carry over into next-generation signalling like WebRTC.

    ICMP was used by some for DoS (denial of service) attacks or for remotely mapping a network for security vulnerabilities, so many people started to block ICMP wholesale. What many people don't realize is that ICMP is used for more than just ping. Possibly the most important use that gets blocked is path MTU discovery, which depends on the ICMP 'fragmentation needed' message (type 3, code 4) getting back to the sender. You may love jumbo frames on your home or federal network, but some paths may not even pass 1500 bytes, let alone 9000.

    Without ICMP, routers in the path cannot notify the endpoints that a packet is too large for the transmission path. This matters even more with IPv6, because IPv6 routers never fragment packets in transit; only the sender may fragment. The design relies on an ICMPv6 'Packet Too Big' message (type 2), after which the originator is supposed to retransmit with smaller packets. Block that message and large transfers simply stall.

    The other application where I see problems with signalling is SIP, especially the 180 Ringing message, which is a continuation of the signalling problem from the SS7 / ISUP network when the alerting (ACM) message is dropped. Provisional responses like 180 are not acknowledged (unless reliable provisional responses, PRACK per RFC 3262, have been negotiated), so if one is dropped you find yourself in a situation where the call is proceeding, but the user gets dead air because the local switch or device was never told the far end is 'ringing'.

    Either ICMP or SIP packet drops mean a stalled or abandoned connection, and for this reason I have wondered whether signalling shouldn't be more important than media. It is a small part of the entire flow, and properly establishing or tearing down the connection seems much more critical than the flow itself.

    This is one reason I try to shape signalling traffic rather than police it. If media is late there's no point, it's too late; but if you delay signalling a little (rather than drop it) to maintain data rates, you're going to end up with a more reliable flow.

    The best example of why you should shape rather than police or drop ICMP is when you are using an IP SLA to track reachability and float a static route. If the probes go out with default DSCP and your network gets congested, you're going to start dropping those pings and your router will erroneously flap that route.

    In any case, I've given up on ICMP for a reliable SLA. Using an NTP or DNS probe for reachability is more likely to succeed and less likely to be blocked by any provider or firewall application.

    Now that DNS has entered the conversation, it may be the best example of all. Google figured out how important DNS was to the user experience when they built DNS prefetching into Chrome, and users magically enjoyed faster results when they clicked a link. Since a dropped DNS query may take a few seconds to time out before the resolver retries, boosting it above default priority seems a worthwhile cause.
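As an added example (not configuration from the original post), here is IOS MQC and IP SLA configuration that applies the ideas above: signalling (DSCP CS3 and SIP) gets a guaranteed-bandwidth queue, where congestion delays it rather than dropping it, while voice media sits in the strict-priority queue that is policed under congestion; the ICMP probe is sent with ToS 96 (DSCP CS3) so it shares the signalling queue, and a DNS probe drives the tracked default route. The interface name, the next hop 192.0.2.1, the probe target 203.0.113.1, the name server 198.51.100.53 and the host name are assumed placeholders.

```cisco
! Added example, not configuration from the original post.
! Interface, next hop, probe target, name server and host name are placeholders.
!
! Signalling gets its own CBWFQ queue: excess is queued, never policed.
! 'match protocol sip' needs NBAR; drop that line if the platform lacks it.
class-map match-any SIGNALLING
 match ip dscp cs3
 match protocol sip
class-map match-all VOICE
 match ip dscp ef
!
! VOICE is strict priority and is rate-limited under congestion (late media is useless).
! SIGNALLING has a bandwidth guarantee only, so it is delayed rather than dropped.
policy-map WAN-OUT
 class VOICE
  priority percent 20
 class SIGNALLING
  bandwidth percent 5
 class class-default
  fair-queue
!
interface GigabitEthernet0/0
 service-policy output WAN-OUT
!
! Reachability probe marked ToS 96 (DSCP CS3) so it rides in the SIGNALLING queue
! instead of class-default, which is the first to drop when the link fills.
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 tos 96
 frequency 10
ip sla schedule 1 life forever start-time now
!
! DNS probe, as the post suggests: far less likely to be filtered upstream than ICMP.
ip sla 2
 dns www.example.com name-server 198.51.100.53
 frequency 30
ip sla schedule 2 life forever start-time now
!
! Float the default route on the DNS probe rather than on ping.
track 1 ip sla 2 reachability
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 1
```

Confirm the classification with `show policy-map interface GigabitEthernet0/0` (the SIGNALLING class counters should climb while the probe runs) and the probe health with `show ip sla statistics`. If you want true shaping of the signalling class instead of a bandwidth guarantee, replace `bandwidth percent 5` with `shape average` and a rate; either way the point is that no `police` statement ever touches signalling.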

    You might be right, I may be crazy, but since signalling is such a small, yet important, part of our application experience, I think we should reconsider how we prioritize and queue those packets. I'll rant about DSCP and my annoyance with common all-or-nothing priorities another day.

    Written on Saturday, 14 September 2013 15:48 in Technology
  • Cisco IOS Network Object Groups make for a safer ACL

    Make your Cisco IPv4 Access Lists Easier and Safer

    Secure your Network More Easily

    As anyone who has spent a lot of time with ACLs knows, as they grow they become harder to read, edit, and troubleshoot. Cisco IOS has a nice solution for this in 12.4(20)T and later: object groups that define sets of networks or services and are referenced by name from an extended ACL. Network administrators then only need to edit a small area (the object group) to add or delete hosts, blocks, or services. Because every member of a group is matched by a single permit or deny entry that already sits in the correct position in the extended ACL, it greatly simplifies the task and reduces the chance of inserting a rule in the wrong place (such as at the end).

    Let's look at the final ACL first. Note that there are no IP addresses or ports defined in this access list at all, even though it is an extended ACL.

    ip access-list extended TrustedOutSelf 
     remark I am a list of lists 
     remark these are type 'network' 
     permit ip object-group Operations any 
     permit ip object-group Branch any 
     remark BGP group is a type 'service' 
     permit object-group BGPtcp179 object-group TunnelIPs any

    The list above refers to the object definitions below (the TunnelIPs group used on the BGP line is not shown):

    object-group network Operations 
     description COS IPs 
     host 10.160.42.5 
     192.168.52.0 255.255.252.0 
     10.14.12.0 255.255.255.0 

    object-group service BGPtcp179 
     description match BGP tcp 179/179 
     tcp eq bgp 

    object-group network Branch 
     description PrivateTunnelBlocks 
     10.252.0.0 255.255.0.0

    So 'network' object groups are built much like a standard access list, but without any permit or deny. The permit/deny and the source/destination roles are defined in the actual extended ACL. Not shown here is the ability to nest object groups of the same type with group-object.

    Why would you want to nest? Imagine an object group called 'Company'. Inside Company you may want to maintain a few different lists such as 'Accounting', 'Executive', and 'Operations'. This makes it very simple to add a network to one of the subgroups. Any object group can be referenced by other object groups, so while 'Company' might hold 'Executive' and 'Operations', an 'OSS' group would contain 'Operations' but not 'Executive'.

    The BGP entry is of type 'service'. A service group carries the protocol and port match and takes the place of the protocol keyword in the ACL entry; the source and destination are then given as either network object groups or plain host/network entries. Rather than

    permit tcp host x.x.x.x eq 179 host y.y.y.y eq 179 
    we have 
    permit object-group BGPtcp179 host x.x.x.x host y.y.y.y

    One caveat: 'tcp eq bgp' in a service group matches only the destination port 179. Since a BGP peer normally uses an ephemeral source port that is usually what you want, but if you really need to constrain both ends, as the first line above does, the service group entry is 'tcp source eq bgp eq bgp'.
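Putting the nesting and service-group ideas from the last few paragraphs together, here is an added example that is not from the original post: two leaf groups, two parents that share one of them, a service group holding the ports, and an ACL that contains only roles and order. All group names, hosts and prefixes are assumed.

```cisco
! Added example, not configuration from the original post. Names and addresses are assumed.
! Leaf groups: the only places an operator needs to edit day to day.
object-group network Executive
 description Executive floor
 10.1.1.0 255.255.255.0
object-group network Operations
 description NOC workstations and jump host
 host 10.160.42.5
 10.14.12.0 255.255.255.0
!
! Nested groups: Company sees both leaves, OSS-Admins sees only Operations.
! Adding a prefix to Operations updates every ACL that references either parent.
object-group network Company
 description everyone inside
 group-object Executive
 group-object Operations
object-group network OSS-Admins
 description who may manage the OSS servers
 group-object Operations
!
! Service group: protocol and port live here, not on the ACL line.
object-group service MGMT
 description ssh and snmp to the OSS
 tcp eq 22
 udp eq snmp
!
! The ACL holds only roles and ordering; no addresses or ports to get wrong.
ip access-list extended OSS-IN
 remark only Operations may manage the OSS host
 permit object-group MGMT object-group OSS-Admins host 10.250.1.10
 remark everyone inside may ping, nothing else gets in
 permit icmp object-group Company any echo
 deny ip any any log
```

`show object-group` lists each group with its members (nested groups appear as group-object lines), and `show ip access-lists OSS-IN` shows per-line hit counts so you can confirm management sessions are landing on the MGMT line rather than the final deny. Because the ACL references the groups by name, an address change in Operations never requires touching the ACL or re-sequencing its entries.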

    This feature works with plain extended ACLs, the classic IOS Firewall (CBAC) and Zone-Based Firewall. A limitation remains that you cannot remark individual lines or (as far as I know) edit the order of remark entries in the extended ACL. You can put a description in the object group, however, and the mere fact that members are split into separate groups helps keep some useful command-line documentation.

    This sort of ruleset is compatible with Cisco Configuration Professional, and you should be able to edit the rule names and remarks from that GUI tool or an equivalent. I have not tried it with the Express version that runs off the router.

    I also cannot speak to any differences in performance, but I saw no difference on the 1812 and 2821 I tested on, IOS 15.1T and 12.4T respectively. Both appear to stay in the CEF path without any interference from GRE tunnelling or qos pre-classify, even with IPsec DMVPN.

    While ZBF does some inspection of IPv6 up to a certain layer, object-group does not appear to support IPv6, at least as of 15.1(4)T: IPv6 addresses or prefixes cannot be entered in an object-group, and ipv6 access-list has no 'object-group' keyword. For more information, see Object Groups for ACLs.

    Written on Saturday, 14 September 2013 14:48 in Technology
  • iPad Slow Charging

    TIP: Slow iPad Charge? A Simple Fix with Cable Upgrade can Charge your iPad or iPhone 30% Faster

    UPDATE: The same is true for new iPad, iPad 2, iPhone 4S

    Some people have noticed that the iPad will not charge, or seems to take forever to charge, on some aftermarket cables, especially if they are longer than the standard charge-and-sync cable. In fact I have seen this on standard-length cables, where the iPad battery drops even though I have it plugged into the charger it came with and it says it is charging.

    The main reason for this is pretty simple. USB charges at around 5 volts, and if you expect over 1 amp (5 watts) through the standard cable, that cable had better not be very long, because the size / gauge / AWG / diameter of the wires is too small. By specification, USB 2.0 cables may use wire with an AWG as high (thin) as 28. The result is that during the high-current charge phase (usually the first 50%) you are potentially losing 30% charge efficiency with the stock cable, based on my multimeter tests. Not very green, and very annoying that Apple cheaped out by a few pennies on this.

    First, a table of solid-core wire AWG for power transmission (most USB cables use stranded wire for flexibility). It shows common iPhone and iPad charging methods; for the nerds, the values are approximate and meant to carry the concept. Length is the length of the cable, but the AWG accounts for the true round trip (both conductors). A smaller AWG number means a thicker wire. Data from the PowerStream calculator.

    Charger       Current / Power   3 ft AWG   6 ft AWG   10 ft AWG   Approx. voltage drop (V)
    PC USB        0.5 A / 2.5 W     28         26         24          0.4
    iPhone 3GS    1.0 A / 5.0 W     26         24         22          0.5
    iPad          2.1 A / 10 W      22         20         18          0.5
    Written on Wednesday, 06 March 2013 14:54 in Technology
  • Glass Filters and Digital Cameras

    There are a host of techniques such as HDR or tone mapping to improve the display of your images on computer monitors and in some cases on prints. Something that is often overlooked is the use of glass filters. For a long time I used a polarizing filter ( CPL type ) to cut reflections and help improve some of my images. I don't always want the reflections cut, however, such as in the attached/linked photo.

    Color filters are an obvious choice in BW photography, but in color photography you don't want to skew the color too much; or so I thought. I realized that I preferred amber colored lenses on my sunglasses here in Florida because of all the blue light. I decided to try similar filters for my digital camera. In this case a B+W 77mm 'Skylight' 1A filter for my Canon 60D with 17-55mm USM IS and 10-22mm.

    The results were very exciting and make me want to try more aggressive filters for color photography. By cutting some of the (dominant) blue light, I can capture more of the light I want without blowing out (over-exposing) areas of the photo. I can expose longer, pulling more shadows or elusive colors.

    I will say the multi-coated filters help a lot during the day, or any time shooting into light sources. It helps reduce lens flare and I believe it improves contrast a bit too.

    Written on Saturday, 23 February 2013 14:27 in Photography

Welcome!

I am a South Florida Technology Professional specializing in technology integration and strategy with over 20 years of Linux and Internet experience. Cisco guest author and CCNP. CCIE written done, lab is next! My Technical CV  

Connect

I'm active on many social networks, here's an easy list at about.me/john.spade