Friday, February 8, 2019

Introduction to F5 ASM Attack Signature Sets

--> Attack signatures are the rules and patterns that identify attacks in a request to a web application.

--> Attack signatures are the basis of the negative security model in ASM.

--> Whenever ASM receives a request for the web application, it checks the request against the attack signatures enabled on the security policy.

--> If the request matches an attack signature, ASM triggers a violation; depending on the enforcement mode, the request is then either blocked (Blocking Mode) or not blocked (Transparent Mode).

--> Attack signatures work by buffering and holding the different parts of an HTTP request for inspection.

--> Attack signatures in ASM are of two types:

i) System Defined Attack Signatures: These are the signatures created by F5 and added to the attack signature pool.

ii) User Defined Attack Signatures: These are the signatures created by the Administrator and added to the attack signature pool.

--> Individual signatures cannot be applied to a security policy; an attack signature set is assigned to the security policy instead.

--> An attack signature set is a group of individual attack signatures.

--> By default, the Generic Attack Signature Set is applied to a new security policy.

--> The ASM module comes with more than 2000 predefined attack signatures.

--> These signatures can be updated using either the manual method or the automatic method.

--> In the automatic method, the BIG IP system downloads the update file itself, using its own self IP address.

--> In the manual method, the BIG IP administrator needs to download the update file from downloads.f5.com.

--> An attack signature update both updates the existing attack signature sets and adds new signature sets to ASM.




--> Prior to version 13, updated and newly added attack signatures were placed into the staging state.

--> From version 13 onwards, we can select which attack signatures are placed in the staging state.
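As an added illustration (my own Python, not F5 code and not part of this post), the model below shows how the points above fit together: a policy is assigned a signature set rather than individual signatures, every buffered part of the request (URI, headers, parameters, body) is checked against every signature in the assigned sets, a match always raises a violation, and whether the request is actually blocked depends on the policy mode and on whether the matching signature is still in staging (a staged signature is logged but not enforced). The signature IDs, patterns, policy names and sample requests are all constructed for the example and are not real F5 signatures.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Set, Tuple


@dataclass(frozen=True)
class Signature:
    """One attack signature: an id and a pattern evaluated against request parts."""
    sig_id: int
    name: str
    regex: str
    system_defined: bool = True  # False for administrator-created (user-defined) signatures

    def matches(self, value: str) -> bool:
        return re.search(self.regex, value, re.IGNORECASE) is not None


@dataclass(frozen=True)
class SignatureSet:
    """A named group of signatures; sets, not single signatures, are assigned to a policy."""
    name: str
    signatures: Tuple[Signature, ...]


@dataclass
class SecurityPolicy:
    name: str
    blocking: bool                                  # True = Blocking mode, False = Transparent mode
    signature_sets: List[SignatureSet]
    staged: Set[int] = field(default_factory=set)  # ids of signatures still in staging


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: Dict[str, str]
    params: Dict[str, str]
    body: str = ""

    def parts(self) -> Iterator[Tuple[str, str]]:
        """The buffered request parts that signatures are evaluated against."""
        yield "uri", self.uri
        for name, value in self.headers.items():
            yield f"header:{name}", value
        for name, value in self.params.items():
            yield f"param:{name}", value
        if self.body:
            yield "body", self.body


@dataclass(frozen=True)
class Violation:
    sig_id: int
    name: str
    part: str
    enforced: bool  # False while the signature is in staging: logged, never blocks


def inspect(policy: SecurityPolicy, request: HttpRequest) -> Tuple[List[Violation], bool]:
    """Evaluate every signature in the policy's sets against every request part.

    Returns (violations, blocked). Each match raises a violation; the request is
    blocked only in Blocking mode and only if at least one matching signature
    is enforced (i.e. not in staging).
    """
    violations: List[Violation] = []
    for sig_set in policy.signature_sets:
        for sig in sig_set.signatures:
            for part, value in request.parts():
                if sig.matches(value):
                    violations.append(Violation(sig.sig_id, sig.name, part,
                                                enforced=sig.sig_id not in policy.staged))
    blocked = policy.blocking and any(v.enforced for v in violations)
    return violations, blocked


# --- constructed sample data: ids and patterns are illustrative, not real F5 signatures ---
GENERIC_SET = SignatureSet("Generic Detection Signatures", (
    Signature(200000001, "XSS script tag in parameter", r"<\s*script"),
    Signature(200000002, "SQL injection UNION SELECT", r"union\s+select"),
    Signature(200000003, "Path traversal ../", r"\.\./"),
))

BLOCKING_POLICY = SecurityPolicy("shop-policy", blocking=True,
                                 signature_sets=[GENERIC_SET], staged={200000003})
TRANSPARENT_POLICY = SecurityPolicy("shop-policy-transparent", blocking=False,
                                    signature_sets=[GENERIC_SET], staged={200000003})

COMMON_HEADERS = {"Host": "shop.example.test", "User-Agent": "constructed-client/1.0"}
CLEAN_REQUEST = HttpRequest("GET", "/search", COMMON_HEADERS, {"q": "blue shoes"})
XSS_REQUEST = HttpRequest("GET", "/search", COMMON_HEADERS, {"q": "<script>alert(1)</script>"})
TRAVERSAL_REQUEST = HttpRequest("GET", "/download", COMMON_HEADERS, {"file": "../../etc/passwd"})

if __name__ == "__main__":
    for policy in (BLOCKING_POLICY, TRANSPARENT_POLICY):
        for req in (CLEAN_REQUEST, XSS_REQUEST, TRAVERSAL_REQUEST):
            violations, blocked = inspect(policy, req)
            print(f"{policy.name}: {req.params} -> blocked={blocked}, "
                  f"violations={[(v.sig_id, v.part, v.enforced) for v in violations]}")
```

Running the block shows the three outcomes the post distinguishes: the script-tag request is blocked under the blocking policy and only logged under the transparent one, while the traversal request raises a violation under both policies but is never blocked, because its signature is still in staging.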

--> In order to update attack signatures automatically, BIG IP ASM needs access to the following servers:

1) callhome.f5.com

2) activate.f5.com

--> To receive the latest security announcements and attack signature update notices, subscribe to the F5 Security Alerts mailing list (https://interact.f5.com/F5-Preference-Center.html).

Ref: F5.com

Md.Kareemoddin

CCIE # 54759

Tuesday, January 22, 2019

What are the different types of vPC?

Single Sided vPC

--> In single-sided vPC, access devices are connected to Nexus 7K series switches using a single vPC domain.

--> The access device attached to the vPC domain can be any device, such as a Layer 2 switch, rack-mount server, blade server, firewall, load balancer or Network Attached Storage (NAS) device.

--> The only requirement for an access device to connect to a vPC is support for port channels (link aggregation).



--> The following port-channel modes are supported by the Nexus 7K for vPC:

1) LACP

2) Static

--> It is recommended to use LACP when forming a vPC with access devices.



Double-Sided vPC

--> In double-sided vPC, access devices are connected to Nexus 5K series switches using one vPC domain, and these 5K series switches are in turn connected to Nexus 7K switches in a second vPC domain, which provides the L2/L3 default gateway.

--> The vPC domain at the bottom provides active/active connectivity from endpoint devices to the network access layer.

--> The vPC domain at the top provides active/active FHRP at the L2/L3 boundary in the aggregation layer.

--> Double-sided vPC provides higher bandwidth in the network than single-sided vPC.



Multilayer vPC

--> A dedicated vPC layer (adjacent to the aggregation layer, which also runs vPC) is used to interconnect the two data centers.

--> Another design interconnects the vPC aggregation layers of the two data centers directly, without a dedicated vPC layer for the DCI.

--> vPC as a DCI technology is intended to interconnect at most two data centers.

--> Use vPC to interconnect a maximum of 2 data centers. Use OTV when more than 2 data centers need to be interconnected.


Ref: Cisco.com

Md.Kareemoddin

CCIE # 54759

Sunday, January 20, 2019

How to configure a single-attached device in vPC

Option 1:

--> Connect the device to a vPC-attached access switch.

--> No configuration is required in the vPC domain.

--> Provides minimal downtime in case of a peer-link failure.

--> The drawback of this setup is that an additional switch has to be managed, which creates administrative overhead.



Option 2:

--> Connect the device to one of the vPC peers (primary or secondary) using a non-vPC VLAN.

--> A non-vPC VLAN is a VLAN that is not part of any vPC and is not carried on the vPC peer-link.

--> A dedicated port-channel must be created between the vPC peers to forward this non-vPC VLAN traffic.

--> The access device can be connected to either the primary or the secondary peer device.

--> It does not matter which, because the dedicated port-channel guarantees a backup path if the vPC peer-link fails.

--> The drawback of this setup is that an additional port-channel between the vPC peers has to be managed.



Option 3:

--> Connect the device to the vPC primary or secondary peer using a vPC VLAN.

--> A vPC VLAN is a VLAN that is allowed on the vPC peer-link.

--> There is no need to create a dedicated port-channel between the vPC peers, because the peer-link is used for traffic forwarding.

--> The drawback of this connectivity is that when the peer-link goes down, the access devices connected to the secondary peer lose connectivity.

--> Such devices are called orphan devices, and the ports on the Nexus 7K peer to which they connect are called orphan ports.

--> It is recommended to connect single-attached devices to the vPC primary peer so that a peer-link failure does not affect their connectivity.


Ref: Cisco vPC design guide

Md.Kareemoddin

CCIE # 54759


Thursday, January 17, 2019

Understanding vPC Components

--> vPC is a virtualization technology that presents two Cisco Nexus 7000 or 5000 Series switches as a single virtual node to downstream devices.

--> The downstream device can be a switch, server, or any other networking device that supports link aggregation.

--> vPC architecture contains the following components:

1) vPC Member

--> This is also called a vPC peer device.

--> It can be a Nexus 5000 or Nexus 7000 Series Switch.

2) vPC Domain

--> vPC Domain contains two vPC Peer devices.

--> A maximum of two peer devices can be part of the same vPC domain.

--> The domain ID must be the same on both peer devices.

--> When vPC is deployed at two layers (as in double-sided vPC), the vPC domain identifiers must be different at each layer, because the domain ID is used as part of the LACP protocol.


3) vPC member Port

--> This is one of the ports that forms the vPC.

--> The member ports of the port-channel connect to both of the upstream Nexus 5000/7000 switches.

4) Orphan Port

--> A port that belongs to a single-attached device.

--> More precisely, a port on a vPC peer device (primary or secondary) that is connected to a single-attached device and carries a vPC VLAN.

--> If the port carries a non-vPC VLAN, it is no longer defined as an orphan port.

--> When connecting a single-attached access device to the vPC domain using a vPC VLAN, always connect it to the vPC primary peer device.

--> The reason is that when the vPC peer-link fails, any single-attached device connected to the secondary peer device (and using a vPC VLAN) becomes completely isolated from the rest of the network.



5) vPC peer-link 

--> This link is used to synchronize state between the vPC peer devices.

--> It must be a 10-Gigabit Ethernet link.

--> The vPC peer-link is an L2 trunk carrying the vPC VLANs.

--> The Cisco Fabric Services (CFS) protocol is used to synchronize state information between the vPC peers.

--> The vPC peer-link can be formed only between the same family of modules (for example F3-F3 or M3-M3).

6) vPC peer-keepalive link 

--> The keepalive link between the vPC peer devices; it is used to monitor the liveness of the peer device.

--> It is recommended to use a 1 Gbps link for the vPC peer-keepalive link.

--> The vPC peer-keepalive link must be configured before the vPC peer-link.

--> The vPC peer-keepalive uses UDP port 3200 to check reachability between the vPC peers.

--> It is recommended to use a separate VLAN interface in a dedicated VRF for the peer-keepalive link.

--> The vPC peer-keepalive only requires IP reachability (the two vPC peers can use addresses in different subnets for the peer-keepalive).

--> By default, the vPC peer-keepalive uses the management VRF to check reachability between the peers.

7) vPC VLAN 

--> A VLAN carried over the vPC peer-link and used to communicate via vPC with a third device.


--> A vPC VLAN is simply a VLAN that is allowed on the peer-link.

8) non-vPC VLAN

--> A non-vPC VLAN is a VLAN that is not part of any vPC and is not carried on the vPC peer-link.


9) Cisco Fabric Services (CFS)


--> CFS is the protocol used between the vPC peers to share and synchronize state.

--> The Cisco Fabric Services (CFS) protocol performs the following functions:

i) Configuration validation and comparison (consistency check)

ii) Synchronization of MAC addresses for vPC member ports

iii) vPC member port status advertisement

iv) Spanning Tree Protocol management

v) Synchronization of HSRP and IGMP snooping

--> Cisco Fabric Services is enabled by default when the vPC feature is turned on.

--> There is no specific Cisco Fabric Services configuration to implement.


10) vPC System-Mac and vPC Local System-Mac

--> Once the vPC domain is configured, both vPC peers are assigned the same MAC address, known as the vPC system-MAC.

--> vPC system-mac = 00:23:04:ee:be:<vpc domain-id in hexadecimal>

--> The vPC system-mac value can also be configured manually with the system-mac command inside the vPC domain configuration.

--> The vPC local system-mac is owned by each peer device individually, so it is unique per device; it is derived from the system or VDC MAC address.

--> The vPC system-mac is used only with vPC-attached access devices, while the vPC local system-mac is used with single-attached devices.
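As an added example (my own Python, not Cisco code and not part of this post), the functions below derive the vPC system-MAC from the domain ID exactly as the formula above states, and then apply the rule from the vPC Domain section that the domain ID must differ between layers in a double-sided design because it feeds the LACP system ID: two vPC layers that would end up with the same system-MAC (derived or manually set) are reported as a conflict. The layer names and domain IDs are constructed; the carry into the fifth octet for domain IDs above 255 is my assumption, since the post only spells out the last-octet form.

```python
from typing import Dict, List, Optional, Tuple

# 00:23:04:ee:be:00 -- the Cisco-reserved base from which the vPC system-MAC
# is derived by appending the domain ID in hexadecimal.
VPC_SYSTEM_MAC_BASE = 0x002304EEBE00
VPC_DOMAIN_ID_MIN, VPC_DOMAIN_ID_MAX = 1, 1000  # NX-OS accepts vPC domain IDs 1-1000


def format_mac(value: int) -> str:
    """Render a 48-bit integer as a colon-separated lowercase MAC string."""
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def vpc_system_mac(domain_id: int) -> str:
    """Derive the auto-generated vPC system-MAC for a domain ID.

    For IDs up to 255 this is literally 00:23:04:ee:be:<id in hex>, as the
    post states. For larger IDs the addition carries into the fifth octet;
    that carry behaviour is an assumption of this example, not from the post.
    """
    if not VPC_DOMAIN_ID_MIN <= domain_id <= VPC_DOMAIN_ID_MAX:
        raise ValueError(
            f"vPC domain ID {domain_id} outside {VPC_DOMAIN_ID_MIN}-{VPC_DOMAIN_ID_MAX}")
    return format_mac(VPC_SYSTEM_MAC_BASE + domain_id)


def effective_system_mac(domain_id: int, manual_system_mac: Optional[str] = None) -> str:
    """The system-MAC a vPC domain actually uses: the manually configured
    'system-mac' value if one was set, otherwise the derived value."""
    if manual_system_mac is not None:
        return manual_system_mac.lower()
    return vpc_system_mac(domain_id)


def find_system_mac_conflicts(
        layers: Dict[str, Tuple[int, Optional[str]]]) -> List[Tuple[str, str, str]]:
    """Given {layer name: (domain id, manual system-mac or None)}, return every
    pair of vPC layers that would share a system-MAC, and therefore an LACP
    system ID -- the situation the 'domain IDs must differ between layers'
    rule exists to prevent. Each conflict is (first layer, second layer, mac)."""
    seen: Dict[str, str] = {}
    conflicts: List[Tuple[str, str, str]] = []
    for layer, (domain_id, manual) in layers.items():
        mac = effective_system_mac(domain_id, manual)
        if mac in seen:
            conflicts.append((seen[mac], layer, mac))
        else:
            seen[mac] = layer
    return conflicts


if __name__ == "__main__":
    # Constructed double-sided vPC design: access layer on Nexus 5K, aggregation on Nexus 7K.
    bad_design = {"access-5k": (10, None), "aggregation-7k": (10, None)}
    good_design = {"access-5k": (10, None), "aggregation-7k": (20, None)}
    print("domain 10 ->", vpc_system_mac(10))
    print("conflicts in bad design:", find_system_mac_conflicts(bad_design))
    print("conflicts in good design:", find_system_mac_conflicts(good_design))
```

The conflict check takes the manually configured system-mac into account because a design review that only compares domain IDs would miss two layers that were given different IDs but the same hand-set system-mac.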

Ref: Cisco.com

Md.Kareemoddin

CCIE # 54759

Friday, January 11, 2019

What are the different Types of Cisco SFP Modules for 10Gbps Speed?

Cisco 10GBASE-T SFP

--> Uses a copper cable to connect between two devices.

--> Supports distance up to 100 meters.

--> Maximum data rate supported up to 10 Gbps.

--> Uses CAT 6A Cable.




Cisco 10GBASE-CX SFP

--> Uses an InfiniBand-type copper cable to connect between two devices.

--> It is a cost-effective connection within racks and across adjacent racks.

--> Maximum data rate supported up to 10 Gbps.

--> This cable is suitable for distances up to 15 meters.



Cisco 10GBase-ZR 

--> Uses Single Mode fiber to connect between two devices.

--> Supports distance up to 80 Kilometers.

--> Maximum data rate supported up to 10 Gbps.

--> Uses Dual LC link.



Cisco 10GBASE-ER

--> Uses Single Mode fiber to connect between two devices.

--> Supports distance up to 40 Kilometers.

--> Maximum data rate supported up to 10 Gbps.

--> Uses Dual LC link.



Cisco 10GBASE-LR

--> Uses Single Mode fiber to connect between two devices.

--> Supports distance up to 10 Kilometers.

--> Maximum data rate supported up to 10 Gbps.

--> Uses Dual LC link.




Cisco 10GBASE-LX4

--> Uses Multi Mode fiber to connect between two devices.

--> Supports distance up to 10 Kilometers.

--> Maximum data rate supported up to 10 Gbps.

--> Uses Dual LC link.


Cisco 10GBASE-LRM

--> Uses both Single and Multi-Mode fiber to connect between two devices.

--> Supports distance up to 300 meters.

--> Maximum data rate supported up to 10 Gbps.

--> Uses Dual LC link.

Cisco 10GBASE-SR

--> Uses Multi-Mode fiber to connect between two devices.

--> Supports distance up to 400 meters.

--> Maximum data rate supported up to 10 Gbps.

--> Uses Dual LC link.




Ref: Cisco.com

Md.Kareemoddin

CCIE # 54759

What are the different Types of Cisco SFP Modules for 1000 Mbps Speed?

Cisco 1000BASE-T SFP

--> Uses a copper cable to connect between two devices.

--> Supports distance up to 100 meters.

--> Maximum data rate supported up to 1000 Mbps.

--> Uses CAT 5 Cable.


Cisco 1000BASE-TX SFP

--> Uses a copper cable to connect between two devices.

--> Supports distance up to 100 meters.

--> Maximum data rate supported up to 1000 Mbps.

--> Uses CAT 6 Cable.



Cisco 1000BASE-CX SFP

--> Uses a Twinax cable to connect between two devices.

--> It is a cost-effective connection within racks and across adjacent racks.

--> Twinax cable is suitable for distances up to 5 meters.

Cisco 1000BASE-ZX GBIC

--> Uses Single Mode fiber to connect between two devices.

--> Supports distance up to 70 Kilometers.

--> Maximum data rate supported up to 1000 Mbps.

--> Uses Dual LC link.

Cisco 1000BASE-BX10 GBIC

--> Uses Single Mode fiber to connect between two devices.

--> Supports distance up to 10 Kilometers.

--> Maximum data rate supported up to 1000 Mbps.

--> Uses Single LC link.

Cisco 1000BASE-LX10

--> Uses Single Mode fiber to connect between two devices.

--> Supports distance up to 10 Kilometers.

--> Maximum data rate supported up to 1000 Mbps.

--> Uses Dual LC link.

Cisco 1000BASE-LX

--> Uses Multi-Mode fiber to connect between two devices.

--> Supports distance up to 550 meters.

--> Maximum data rate supported up to 1000 Mbps.

--> Uses Dual LC link.



Cisco 1000BASE-SX

--> Uses Multi-Mode fiber to connect between two devices.

--> Supports distance up to 500 meters.

--> Maximum data rate supported up to 1000 Mbps.

--> Uses Dual LC link.

Ref: Cisco.com

Md.Kareemoddin

CCIE # 54759







Saturday, December 29, 2018

Introduction to vCMP in F5

--> vCMP stands for Virtualized Clustered Multiprocessing.

--> vCMP is an F5 hypervisor that allows you to divide one powerful physical F5 device into multiple independent virtual F5 devices.

--> vCMP allocates CPU, memory, and storage for every logical or virtual BIG IP device.

--> The number of BIG IP instances that can be created depends on the configuration of the F5 hardware chassis.

--> vCMP uses a built-in flexible resource allocation feature.

--> With flexible resource allocation, a different amount of resources can be allocated to each BIG IP virtual instance according to its requirements.




--> vCMP provides resources to each virtual instance in the form of cores.

--> Each core represents a portion of CPU and memory.

--> vCMP is not supported on all BIG IP devices.

--> vCMP is supported on some VIPRION chassis and BIG IP appliances, such as:

i) VIPRION B2100, B4200, B4300, B4340N

ii) BIG IP 5200v, 7200v,10200v



--> vCMP has the following components:

i) vCMP host

--> This is the hypervisor that allows you to create and configure BIG IP instances.

--> These instances are known as vCMP guests.

--> The vCMP host allocates CPU and memory to every guest.

ii) vCMP Guest

--> A vCMP guest is a BIG IP instance created on the vCMP host.

--> Each vCMP guest is provisioned with BIG IP modules such as LTM, GTM, ASM and APM to process traffic.

--> Every guest has its own self IP address, management IP address and list of virtual servers.

--> Every guest acts as a separate BIG IP device, without any knowledge of the other BIG IP instances present on the vCMP host.

--> Each guest can be further divided using route domains and partitions.

--> Each guest can run a different BIG IP version and different modules from the other guests on the vCMP host.

iii) Virtual Disk

--> A virtual disk is the storage area for a vCMP guest on the vCMP host.

--> Each virtual disk is stored as an image file with the .img extension.

--> If a vCMP guest is allocated to two slots of the vCMP host, the system creates and assigns two virtual disks to the guest.

iv) Cores

--> A core is the portion of CPU and system memory allocated to a guest.

--> The amount of CPU and system memory that a core contains depends on the hardware platform.

--> The CPUs in a core remain idle if the core is not assigned to any guest.

Note: Two types of administrators come into the picture when vCMP is used.

i) vCMP host Admin: 

--> Creates guests and assigns resources to them.

ii) vCMP guest Admin:

--> Provisions the BIG IP modules within the guest.

Ref: F5.com

Md.Kareemoddin

CCIE # 54759


