Monday, August 15, 2022

Troubleshooting Old School

I was in town running some errands when this local business calls me and asks if I can help out. Something is going on within his network and some of the VoIP phones are not coming online. It has been 2 days and the IT support company that usually supports him has not answered any of his calls or emails.

He said that he didn't want to ask me earlier because he thought I only worked on huge, complicated networks and this was 'beneath me'. I chuckled and told him a large network is basically the same as a small network, just more of the same stuff duplicated. I explained that it doesn't matter to me how many devices are on them; the troubleshooting methodology is pretty well the same.

I have never worked on this network, nor do they have any documentation - yeah real shocker. Of course, I don't drive around with my laptop, cable tester, and tools, so I started troubleshooting 'old school'.

I took a VoIP phone that didn't work and moved it to the closet where the VoIP gateway was located and plugged it in. Odd, it seems like it couldn't get an IP address or register with the gateway.

I disconnected all the wires from the switch that was HANGING by its ethernet cables (something else to fix) and only left the VoIP gateways connected. Bingo, the phone was online.

Then I simply plugged the cables back in, one by one, and tested all 10 phones to be certain they all worked until I found the suspect cable. When I asked where the mystery cable went, he said "That's the telecom cabinet, the IT support company has that key".

I then asked if he knew of anything in the telecom closet that required network connectivity like an IoT device, camera, or alarm system, or if there was any cabling in the office that terminated there. He replied, "Pretty sure there isn't".

We left the mystery cable unplugged, he put a call into the IT service company that has a key to that room and we checked everything that requires network connectivity and all worked well.

Hope he figures out what is in that telecom closet ;) Regardless of who provides support, you have access to all rooms on your premises. And please "DOCUMENT AND LABEL!!!"



Tuesday, August 9, 2022

Is the SPAN port a scalable technology – No! Why?

 

Throughout the ages of Ethernet, SysAdmins have made frequent use of SPAN ports configured permanently, or on-demand, on switches and routers in the troubleshooting path. SPANs virtually guarantee that every packet passing through a switch port is mirrored to another port, which easily replicates every frame and delivers a complete copy for offline analysis. But how scalable is this approach for new and future speeds in the Gigabit family?


Since the introduction of 10 Gigabit Ethernet over 20 years ago, the outlook has gradually but drastically changed:

  • More security and monitoring tools now need access to the same traffic 24/7 - but the switch has limitations on the number of ports that can be defined as SPAN destinations

  • More switch ports now need to be monitored - but the switch has limitations on the number of ports that can be defined as SPAN sources

  • The switch gives a low priority to SPAN ports - so packets will not make it through the SPAN port at the busiest times

  • Some tools want access to specific traffic - but the switch cannot apply any packet filtering to the SPAN port

  • Some tools want access to different traffic at different times - but the switch cannot be easily reconfigured to accommodate these changes


All of which means SPAN ports simply cannot be relied upon for security monitoring and compliance applications in service provider and enterprise data centers, or anywhere else.


Now, as environments transition to 25, 50, and 100 Gigabit Ethernet, it is even more challenging, if not impossible, for core switches to mirror all required full-duplex traffic at a full-time rate, in real time, which effectively prohibits the use of SPAN for security purposes.


“The switch treats SPAN data with a lower priority than regular port-to-port traffic”, according to Cisco's White Paper on SPAN Port Usability. “In other words, if any resource under load must choose between passing normal traffic and SPAN data, the SPAN loses and the mirrored frames are arbitrarily discarded.” Now that users are aware that the SPAN port randomly drops traffic under specific load conditions, what measures should companies apply to prevent packets from dropping and losing visibility? The optimum approach, according to Cisco, is to “make decisions based on the traffic levels of the configuration and when in doubt to use the SPAN port only for relatively low-throughput situations”.
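One way to check whether a capture taken from a SPAN port has lost frames, shown as an added example that is not part of the original post: an ACK for bytes that never appear in the trace means the receiver got the segment but the mirror did not. The record layout, endpoints and sample trace are constructed, and sequence wraparound and SACK are ignored as a simplifying assumption.

```python
# Added example: spot capture-side loss in a trace taken from a SPAN port.
# Records are (time, src, dst, seq, ack, payload_len) with relative sequence
# numbers; sequence wraparound and SACK are ignored (assumption).

def find_capture_gaps(packets):
    """Return (time, flow, missing_bytes) for ACKs covering unseen data."""
    highest_seen = {}  # (sender, receiver) -> highest seq + len captured
    gaps = []
    for ts, src, dst, seq, ack, length in packets:
        if length:
            flow = (src, dst)
            highest_seen[flow] = max(highest_seen.get(flow, 0), seq + length)
        # This packet's ACK refers to data flowing the other way.
        reverse = (dst, src)
        if reverse in highest_seen and ack > highest_seen[reverse]:
            gaps.append((ts, reverse, ack - highest_seen[reverse]))
            highest_seen[reverse] = ack  # resynchronise after the hole
    return gaps

def missing_bytes(gaps):
    """Total number of bytes that were ACKed but never captured."""
    return sum(size for _, _, size in gaps)

A, B = "10.0.0.5:51000", "10.0.0.9:443"  # constructed endpoints
SAMPLE = [  # constructed trace
    (0.001, A, B, 1, 1, 100),
    (0.002, B, A, 1, 101, 0),
    (0.003, A, B, 101, 1, 1460),
    # segment seq=1561 len=1460 was on the wire but is absent from the mirror
    (0.005, B, A, 1, 3021, 0),
    (0.006, A, B, 3021, 1, 500),
    (0.007, B, A, 1, 3521, 0),
]

if __name__ == "__main__":
    for ts, (sender, receiver), size in find_capture_gaps(SAMPLE):
        print(f"{ts:.3f}s: {size} bytes from {sender} to {receiver} "
              "ACKed but never captured")
```

A segment lost on the network itself would show up as a retransmission rather than an ACK for unseen data, which is why this pattern points at the capture path.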


Another scalability issue for SPAN ports is the restriction on monitoring tools in terms of both type and number. Even on capable switches, frequently only two SPAN ports can be configured. While the majority of networks might consider this sufficient, they are likely to run into a situation where no SPAN ports are available. Meanwhile, the number of security monitoring tools continues to increase. Each of these tools is typically used by multiple teams involved in network operations or security, with changes engineered at different frequencies and visibility into multiple but related network segments.


Unlike the SPAN, TAPs (Test Access Points) can guarantee the copy of all the packets to be submitted to the appliance without the possibility of oversubscription or packet loss. Network Critical's SmartNA Network TAP range is unique to the market as each TAP has been built by us from the ground up, supporting 1G/10G/40G/100G and 400G. This allows for a more tailored device that suits your needs, which makes for an ideal TAP for any purpose, be it monitoring, security, or performance. The SmartNA TAPs are also able to aggregate, filter, slice, mask, strip, and more to help you get the information you need to perform your best. This cutting-edge technology is scalable to over 200 ports of 10/25/40 and 50G. Saving rack space and supporting all speeds protects your network against obsolescence.


For more information, contact the Network Critical expert team at www.networkcritical.com/contact-us


Thursday, August 4, 2022

Blast From the Past.. Big Game Hunting

This was one of my rants about the dilemma analysts face when they buy a tool and can't find any errors. This is over 10 years old, and it is funny how this issue still exists.

https://youtu.be/S-HctjOJznQ

Tuesday, August 2, 2022

The Key to Strong Network Infrastructure

 

Developing your network architecture is similar to constructing a building. Start with the foundation and work your way up. The foundation of your network is, of course, visibility. First, you need to access all the traffic flowing through the network. The emphasis will be on network TAPs as the fundamental component in this discussion because they are independent of network switches and can observe all data moving across the links. All of the traffic on those links in both directions will be available after the TAPs have been installed in the network links. Notice that introducing TAPs won't affect the availability or dependability of the network. TAPs consequently become the cornerstone for visibility.


Although this bottom-up plan sounds obvious, oftentimes the plan starts on the top floor of the building. The network architects and planners frequently have the higher-level applications offered by the network tools on their minds. Without much consideration for how they will be connected to the network, the tools are budgeted for and purchased. When this occurs, networks frequently follow a rabbit-hole-like evolution where one purchase corrects or improves an operation from a prior purchase. All of the tools are functional, though perhaps not as effectively or cheaply as they could be. Starting with the end in mind is crucial, but it's also critical to consider how the changes will impact the network ecosystem.


One of the fundamental tasks of network management is monitoring. The manager can observe what is happening and look for potential bottlenecks and areas where traffic might be improved. For instance, a bandwidth issue is frequently an application performance issue. There are specialized tools to assist in locating and fixing these problems. Information security and network protection are also crucial challenges. Threats are not only ongoing, but they are also constantly changing. It is clear that maintaining and safeguarding networks takes some strategy and a blueprint before choosing particular technologies.


A smart place to start is by planning TAP connectivity to links. Network TAPs can have numerous ports and won't slow down or disturb the network. Not all ports need to be active at deployment time. As a result, framing your visibility approach has become much simpler with a TAP basis. Traffic monitoring tools can provide crucial information once ports are installed, allowing additional decision-making. Now that connectivity, monitoring, and effective traffic allocation to prospective instruments are in place, other elements of the plan can be constructed. Upgrading applications, compliance, performance, and security tools will take less time and cause minimal network disruption.


A visibility foundation is the key to a strong and larger network strategy and defense against malicious attacks. For the network to operate efficiently, daily analytics and management require a comprehensive visibility approach. While there are many specialized tools required to understand and protect network traffic, they can be deployed efficiently with the proper foundation. For more information, ask the experts at Network Critical.

Thursday, July 28, 2022

Packet Pub Quiz Video Answer - Proper TCP SYN Response

The first thing I want to do is thank everyone who came out to the virtual pub quiz events at www.coreitpros.com/quiz.


I thought it would be helpful to pick some questions, explain the answers and possibly show you a few tips or tricks along the way. The statement in the quiz was “The appropriate response to a TCP SYN is ____” and the correct answer is SYN ACK.


I think the word “appropriate” may have thrown some people off. When I say appropriate I mean a successful connection because the connection request might fail.


In this video I will show you how to prove or disprove the answer.
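A way to check the quiz answer against captured TCP headers, shown as an added example that is not from the original post or video: it decodes the flags of a SYN and of its reply and confirms that a successful reply is a SYN-ACK acknowledging the client's sequence number plus one, while a refused request comes back as a reset. The helper names, ports and sequence numbers are constructed for illustration.

```python
import struct

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10  # TCP flag bits

def make_tcp(sport, dport, seq, ack, flags):
    """Build a 20-byte TCP header (constructed test data, checksum left 0)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | flags, 64240, 0, 0)

def parse_tcp(header):
    """Decode ports, sequence/ack numbers and flags from a TCP header."""
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", header[:14])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF}

def classify_reply(syn_bytes, reply_bytes):
    """Classify the reply to an initial SYN: syn-ack, refused, or other."""
    syn, reply = parse_tcp(syn_bytes), parse_tcp(reply_bytes)
    if syn["flags"] & (SYN | ACK) != SYN:
        raise ValueError("first header is not an initial SYN")
    # The reply must come back on the mirrored port pair.
    if (reply["sport"], reply["dport"]) != (syn["dport"], syn["sport"]):
        return "unrelated"
    # A SYN consumes one sequence number, so the reply acknowledges seq + 1.
    expected_ack = (syn["seq"] + 1) & 0xFFFFFFFF
    acks_syn = bool(reply["flags"] & ACK) and reply["ack"] == expected_ack
    if reply["flags"] & RST:
        return "refused"
    if reply["flags"] & SYN and acks_syn:
        return "syn-ack"
    return "unexpected"

# Constructed headers: one client SYN and three possible replies.
CLIENT_SYN = make_tcp(51000, 443, 1000, 0, SYN)
GOOD_REPLY = make_tcp(443, 51000, 7000, 1001, SYN | ACK)
CLOSED_PORT = make_tcp(443, 51000, 0, 1001, RST | ACK)
WRONG_ACK = make_tcp(443, 51000, 7000, 5, SYN | ACK)

if __name__ == "__main__":
    for name, pkt in [("good", GOOD_REPLY), ("closed", CLOSED_PORT),
                      ("wrong ack", WRONG_ACK)]:
        print(name, "->", classify_reply(CLIENT_SYN, pkt))
```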


