Network Mémos

Wednesday, January 25, 2023

IT/OT Convergence - Not only a technical challenge!

The convergence of IT (Information Technology) and OT (Operational Technology) can present several challenges:

Management: in most of the company, IT and OT systems were managed by different teams, with different skills and expertise. It can be difficult to ensure that the two teams are being managed effectively and that the IT and OT engineers are working together effectively.
Compliance and regulation: IT and OT have different compliance and regulatory requirements. It can be difficult to ensure that both systems are meeting all relevant standards.
Understanding and process: both teams are talking different languages and have different expectations. There is long a learning curve to take in consideration if you start this journe. IT must understand OT and the other way around. This understanding must not be limited to technical aspects. The process must also be taken in consideration. For example, ITIL processes are not well known by most of the OT Teams.

For the reasons listed above, it's important to build a strong governance. You should have a dedicated team in charge of the convergence process, with clear roles and responsibilities and the right level of expertise in IT and OT.

And maybe the most important. A trust must be created between both teams.

Thursday, January 5, 2023

How to use the Ansible Vault ?

If your are using a clear password in your YAML file, you can encrypt the file via Ansible-vault.

How to encrypt the credentials ?

#ansible-vault encrypt MyCredentials.yml

New Vault password: <Enter the password and stored in a safe place>
Confirm New Vault password: <Enter the same password>
Encryption successful

How to view the encrypted credentials ?

#ansible-vault view MyCredentials.yml

Vault password: <Enter the password previously chosen>

How to change data in your file (for example your credentials) ?

decrypt the file MyCredentials.yml

User@Ansible-Host:~/> ansible-vault decrypt MyCredentials.yml
Vault password: <known_key>
Decryption successful

Edit the file with your preferred editor (vim/nano) by changing the data.

Then encrypt the file again

User@Ansible-Host:~/> ansible-vault encrypt MyCredentials.yml
New Vault password: <known_key>
Confirm New Vault password: <known_key>
Encryption successful

2023 - New Posts - I'm back

After a big pause, I have decided to share again my experience. I will publish more articles on several topics and no more just the network. The following areas will be covered:

IT/OT Convergence. For this specific area, I would like to cover the technical challenges but also the organization changes which brings this convergence.
IoT 4.0 and cybersecurity.
Advanced firewalling.
Ansible and Automation.

Friday, June 10, 2016

BGP Conditional Advertisement

This BGP feature is able to filter a subnet advertisement based on a certain match (AS-PATH, subnet in the routing table...). In our example below, we can image that AS100 is an ISP1 and AS200 is an ISP2. In most of the case, we monitor only the status of the interface which is directly connected. But in our case, we will monitor the presence of the subnet 20.20.20.0/24 which is advertised by the ISP1.
By default, we only advertise the subnet 50.50.50.0/24 to ISP1 and if the subnet 20.20.20.0/24 disappears, we announce it also to ISP2. We can typically use this feature when ISP2 is more expensive than ISP1.

Configuration:

R1:
interface Loopback50
ip address 50.50.50.50 255.255.255.0
!
interface Ethernet0/0
ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/1
ip address 192.168.150.1 255.255.255.0
!
router bgp 50
network 50.50.50.0 mask 255.255.255.0
neighbor 192.168.50.2 remote-as 100
neighbor 192.168.150.3 remote-as 200
neighbor 192.168.150.3 advertise-map NOT_ANNOUNCE_R3 non-exist-map ADVERTISE
!
ip prefix-list LO20 seq 5 permit 20.20.20.0/24
!
ip prefix-list LO50 seq 5 permit 50.50.50.0/24
!
route-map NOT_ANNOUNCE_R3 permit 10
match ip address prefix-list LO50
!
route-map ADVERTISE permit 10
match ip address prefix-list LO20
R2:
interface Loopback20
ip address 20.20.20.20 255.255.255.0
!
interface Ethernet0/0
ip address 192.168.50.2 255.255.255.0
!
interface Ethernet0/1
ip address 192.168.100.2 255.255.255.0
!
router bgp 100
network 20.20.20.0 mask 255.255.255.0
neighbor 192.168.50.1 remote-as 50
neighbor 192.168.100.3 remote-as 200
R3:
interface Ethernet0/0
ip address 192.168.100.3 255.255.255.0
!
interface Ethernet0/1
ip address 192.168.200.3 255.255.255.0
!
interface Ethernet0/2
ip address 192.168.150.3 255.255.255.0
!
router bgp 200
neighbor 192.168.100.2 remote-as 100
neighbor 192.168.150.1 remote-as 50

Initial behavior:

R3 sees subnet 50.50.50.0/24 only from R3
R3#sho ip bgp
Network Next Hop Metric LocPrf Weight Path
* 20.20.20.0/24 192.168.150.1 0 50 100 i
*> 192.168.100.2 0 0 100 i
*> 50.50.50.0/24 192.168.100.2 0 100 50 i
We can check that R1 is not advertising the subnet to R3:
R1#sho ip bgp neighbors 192.168.150.3 advertised-routes
Network Next Hop Metric LocPrf Weight Path
*> 20.20.20.0/24 192.168.50.2 0 0 100 i
R1#sho ip bgp neighbors 192.168.50.2 advertised-routes
Network Next Hop Metric LocPrf Weight Path
*> 50.50.50.0/24 0.0.0.0 0 32768 i
R1#sho ip bgp neighbors 192.168.150.3 | in Conditio
Condition-map ADVERTISE, Advertise-map NOT_ANNOUNCE_R3, status: Withdraw

Now the subnet 20.20.20.0/24 is removed from the routing table:

R2#int lo20
shut

We can check that R1 is now advertising the subnet to R3:
R1#sho ip bgp neighbors 192.168.150.3 | in Conditio
Condition-map ADVERTISE, Advertise-map NOT_ANNOUNCE_R3, status: Advertise
R1#sho ip bgp neighbors 192.168.150.3 advertised-routes
Network Next Hop Metric LocPrf Weight Path
*> 50.50.50.0/24 0.0.0.0 0 32768 i

R3#sho ip bgp
BGP table version is 18, local router ID is 192.168.200.3
*> 50.50.50.0/24 192.168.150.1 0 0 50 i
* 192.168.100.2 0 100 50 i

Monday, May 9, 2016

Simple regular expression Cisco CLI (AND)

This small memo explains just how to use a show command pipe command to get a AND regular expression. For example :
show interface status | inculde textA AND textB

In order to perform this action, you can use this expression:
show interfaces status | in textA.*textB

Example, show all interface Gi1/2/ which are connected:
show interfaces status | in Gi1/2/.*connected

Monday, March 14, 2016

BGP MED routing decision - Always-compare-med

MED (Multi-Exit Discriminator) is used to influence routing decision. By default, a router which receives MED attribute from neighbors, only compares it if they are coming from the same AS. As you can see in the diagram below:

R3 send to R4 a MED of 50 for subnet 172.16.1.0/24
R2 send to R5 a MED of 100 for subnet 172.16.1.0/24
The lowest MED is the preferred path

In a first step, the configuration below has been applied:

R1:

interface Loopback1

ip address 172.16.1.1 255.255.255.0

router bgp 50

bgp log-neighbor-changes

network 172.16.1.0 mask 255.255.255.0

neighbor 10.1.1.2 remote-as 100

neighbor 10.1.3.3 remote-as 200

R2:

router bgp 100

bgp log-neighbor-changes

neighbor 10.1.1.1 remote-as 50

neighbor 10.1.2.3 remote-as 200

neighbor 10.1.4.4 remote-as 300

neighbor 10.1.4.4 route-map MED out

access-list 1 permit 172.16.1.0 0.0.0.255

route-map MED permit 10

match ip address 1

set metric 100

route-map MED permit 20

R3:

router bgp 200

bgp log-neighbor-changes

neighbor 10.1.2.2 remote-as 100

neighbor 10.1.3.1 remote-as 50

neighbor 10.1.5.4 remote-as 300

neighbor 10.1.5.4 route-map MED out

access-list 1 permit 172.16.1.0 0.0.0.255

route-map MED permit 10

match ip address 1

set metric 50

route-map MED permit 20

R4:

router bgp 300

bgp log-neighbor-changes

neighbor 10.1.4.2 remote-as 100

neighbor 10.1.5.3 remote-as 200

MED is seen in R4 but R4 set R2 has next-hop. R4 doesn't compare MED because information is coming from 2 different ASs. R2 is used due to the fact that he has the lowest Router-id 10.1.4.2.

R4#sho ip bgp 172.16.1.0

BGP routing table entry for 172.16.1.0/24, version 2

Paths: (2 available, best #1, table default)

Advertised to update-groups:

Refresh Epoch 1

100 50

10.1.4.2 from 10.1.4.2 (10.1.4.2)

Origin IGP, metric 100, localpref 100, valid, external, best

Refresh Epoch 1

200 50

10.1.5.3 from 10.1.5.3 (10.1.5.3)

Origin IGP, metric 50, localpref 100, valid, external

Now, we add the command 'bgp always-compare-med' on R4:

R4:

router bgp 300

bgp always-compare-med

As you can, R4 has now choosen R3 for the next-hop. MED is used:

R4#sho ip bgp 172.16.1.0

BGP routing table entry for 172.16.1.0/24, version 2

Paths: (2 available, best #1, table default)

Advertised to update-groups:

Refresh Epoch 1

200 50

10.1.5.3 from 10.1.5.3 (10.1.5.3)

Origin IGP, metric 50, localpref 100, valid, external, best

Refresh Epoch 1

100 50

10.1.4.2 from 10.1.4.2 (10.1.4.2)

Origin IGP, metric 100, localpref 100, valid, external

Tuesday, March 8, 2016

Enable or disable ECN (Explicit Congestion Notification) on Windows

The TCP protocol can detect network congestion with different mechanisms:

packets loss
timeouts
duplicate acknowledgments

In order to avoid this behavior on a saturated link, TCP ECN can be enable (on by default on Windows 2012 server). TCP ECN are generated by the network in order to signal to the receiver that the network component is close to drop packets. The receiver can notify the sender to slow down the traffic rate. This mechanisms can react faster than the traditional TCP timeout or DUP ack.

You can use the following command to enable it on Windows:
C:\Windows\system32>netsh int tcp set global ecncapability=enabled
Ok.
Verify:
C:\Windows\system32>netsh int tcp show global
Querying active state...

TCP Global Parameters
----------------------------------------------
Receive-Side Scaling State : enabled
Chimney Offload State : automatic
NetDMA State : enabled
Direct Cache Acess (DCA) : disabled
Receive Window Auto-Tuning Level : normal
Add-On Congestion Control Provider : none
ECN Capability : enabled
RFC 1323 Timestamps : disabled
Disable:
C:\Windows\system32>netsh int tcp set global ecncapability=disabled
Ok.