
End to end virtual network security with the Cisco Nexus VSG

So I’ve been spending a lot of time in our lab with the Cisco Nexus Virtual Security Gateway. I have come to the conclusion that it rocks! Finally, the virtual infrastructure is no longer treated as a second class citizen when it comes to securing network traffic between virtual machines. We are at a point now with the Cisco VSG that we can have robust Cisco infrastructure, including security, from the upstream physical network to the virtual network.

The Cisco Nexus VSG builds upon the Nexus 1000v distributed virtual switch and communicates with the Virtual Ethernet Modules in the Nexus 1000v to provide a very robust security policy engine that can perform granular filtering and matching on a number of parameters. For example:

  • Network (ip address, port number, etc.)
  • VM (VM Name, Installed OS Name, Cluster, Host, Zone)

Yep, that’s right, I said VM. Since the Cisco VSG integrates with the vSphere APIs and vCenter, you can filter on items like a virtual machine name or partial name, installed OS, cluster, etc. This is very powerful. I no longer have to rely on network and IP rules alone to filter traffic between virtual machines. This is a more intelligent approach to filtering that really highlights the synergies that Cisco and VMware have established. Best of all, once it is set up, everything is managed from a single Cisco Virtual Network Management Center (VNMC) instance. This web-based management tool lets you manage multiple Virtual Security Gateway instances. Let’s look at a simple example of how easy it is to perform traffic filtering in the virtual infrastructure with the Cisco VSG.

Topology and Components:

  • vSphere 4.1 Enterprise Plus Host Servers
  • Cisco VNMC VM
  • Cisco Nexus 1000v Infrastructure
  • Cisco VSG Infrastructure
  • tenanta-srv1 VM
  • tenanta-srv2 VM
  • tenantb-srv1 VM
  • tenantb-srv2 VM

The goal of this configuration is to allow the following communication flows:

  • tenanta-srv1 and tenanta-srv2 should communicate
  • tenantb-srv1 and tenantb-srv2 should communicate
  • The Tenant A servers (tenanta-srv1 and tenanta-srv2) should not be able to communicate with the Tenant B servers (tenantb-srv1 and tenantb-srv2)
  • Anyone else should be able to communicate with both the Tenant A and Tenant B servers
  • There is a further caveat that the Tenant A and Tenant B servers are both on the same subnet (don’t worry, these servers belong to the same company)

Below are the network settings:

  • tenanta-srv1 VM – 10.91.41.200
  • tenanta-srv2 VM – 10.91.41.201
  • tenantb-srv1 VM – 10.91.41.202
  • tenantb-srv2 VM – 10.91.41.203
  • a client with another ip address

Here are the general steps for setting up this scenario once the Cisco VSG infrastructure is in place:

  • Create a tenant
  • Assign the VSG to the tenant
  • Create a zone each for the Tenant A and Tenant B servers (these zones match VMs with names that contain “tenanta” and “tenantb” respectively)
  • Create a firewall policy for the VSG
  • Create a policy set that includes the policy
  • Bind the policy set to the VSG
  • Bind the tenant to a port-profile so that any VM that is on that port-profile is filtered with the policy rules

Below are the screenshots of the results after the VSG was configured.

These are the only rules that are required for the communication flows.

Here is what the port-profile looks like on the Nexus 1000v. Notice the org and vn-service entries. This means that this port profile is VSG aware.

The ICMP traffic from the Tenant A Servers.

The ICMP traffic from the Tenant B Servers (same result as the Tenant A servers. Only one is shown here.)

Finally the results from the external client

As you can see, we achieved our goal with just three filtering rules. Also, we were able to leverage VM name filtering instead of IP filtering which allowed us to filter on the same subnet without resorting to naming each IP address or different port numbers. Very cool! The Cisco VSG is capable of many complex configurations combining both networking categories (ip, port number, etc.) and VM categories. This was just a quick example of what can be done. As always, if you have any questions or would like to see a live demo feel free to contact me.
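As an added example (not the author's configuration and not Cisco's code), here is a small Python model of the name-based zones and ordered rules this post describes, checked against the communication goals listed above. The rule set itself and the external client's address 10.91.40.50 are assumptions, since the author's three rules appear only in the screenshots.

```python
# Constructed model of the zone-and-rule evaluation this post describes. It is
# not Cisco's code: VNMC/VSG rule syntax differs, and connection state is ignored.
from dataclasses import dataclass
from typing import Optional, Set

@dataclass(frozen=True)
class Endpoint:
    """A VM carries its vCenter name; an external client has no name."""
    ip: str
    vm_name: Optional[str] = None

# Zones match a substring of the VM name, as the post's zones do. The IP address
# plays no part, which is why all four VMs can share 10.91.41.0/24.
ZONES = {
    "zone-tenant-a": lambda ep: ep.vm_name is not None and "tenanta" in ep.vm_name.lower(),
    "zone-tenant-b": lambda ep: ep.vm_name is not None and "tenantb" in ep.vm_name.lower(),
}

def zones_of(ep: Endpoint) -> Set[str]:
    return {name for name, matches in ZONES.items() if matches(ep)}

# (source zone, destination zone, action); None matches any endpoint and the
# first matching rule wins. One rule set that yields the flows the post lists;
# the author's own three rules appear only in a screenshot (assumption).
POLICY = [
    ("zone-tenant-a", "zone-tenant-b", "deny"),
    ("zone-tenant-b", "zone-tenant-a", "deny"),
    (None, None, "permit"),
]

def evaluate(src: Endpoint, dst: Endpoint, policy=POLICY) -> str:
    """Return the action applied to the first packet of a flow from src to dst."""
    src_zones, dst_zones = zones_of(src), zones_of(dst)
    for src_zone, dst_zone, action in policy:
        if src_zone is not None and src_zone not in src_zones:
            continue
        if dst_zone is not None and dst_zone not in dst_zones:
            continue
        return action
    return "deny"  # implicit deny when no rule matches

# Inventory from the names and addresses the post lists; the external client's
# address is constructed.
TENANTA_SRV1 = Endpoint("10.91.41.200", "tenanta-srv1")
TENANTA_SRV2 = Endpoint("10.91.41.201", "tenanta-srv2")
TENANTB_SRV1 = Endpoint("10.91.41.202", "tenantb-srv1")
TENANTB_SRV2 = Endpoint("10.91.41.203", "tenantb-srv2")
CLIENT = Endpoint("10.91.40.50")

def goals_met() -> bool:
    """Check every communication goal the post states against the policy."""
    return all([
        evaluate(TENANTA_SRV1, TENANTA_SRV2) == "permit",
        evaluate(TENANTB_SRV1, TENANTB_SRV2) == "permit",
        evaluate(TENANTA_SRV1, TENANTB_SRV1) == "deny",
        evaluate(TENANTB_SRV2, TENANTA_SRV2) == "deny",
        evaluate(CLIENT, TENANTA_SRV1) == "permit",
        evaluate(CLIENT, TENANTB_SRV2) == "permit",
    ])

if __name__ == "__main__":
    print("all goals met:", goals_met())
    # A VM outside both name patterns lands in no zone and is permitted to talk
    # to either tenant: name-based zones are only as strong as naming discipline.
    print(evaluate(Endpoint("10.91.41.204", "misnamed-srv"), TENANTB_SRV1))
```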

SIP – Are you ready?

If you haven’t heard yet, there’s a new kid on the block as it relates to connecting dial tone to your phone switch. Nearly all of the traditional service providers (and even some new ones) have come up with some sort of SIP offering for PSTN connectivity. However, seeing as the technology is still in an embryonic stage when compared to its ISDN forefathers, each service provider seems to have their own little tweaks to SIP delivery.

Now, not every PBX or phone switch out there is ready to support SIP dial tone…which, in my opinion, should be the second thing you investigate. The first and most important question to ask is “What does SIP offer to my company that traditional TDM based dial tone does not?”

To illustrate this important point, let’s go back a few years – the birth of VoIP. Back in those days, a little more than a decade ago now, Cisco led the charge in converging TDM based voice technologies onto packetized, often IP driven, data networks. In doing so, we all became ever so aware of some of the risks and, more importantly, the risk mitigation techniques that needed to be employed to make the conversion plausible. While we got the benefit of toll bypass, we picked up the responsibility of assuring an even level of service to RTP streams across our wide area network – quality of service (QoS). While we assumed all the advantages of a single PBX instance for an entire enterprise, we acquired the responsibility for providing local call processing for a remote site when a network failure occurs.
Some had to learn these lessons through hard knocks. So, my question is to you, how will you learn from history and avoid being doomed to repeat it? I have a few suggestions…

  1. Start with a solid business case (or lack thereof) for a SIP rollout. From my position, I see two strong cases:

    a. Cost Savings – I have a few clients who have multiple remote sites that require PRIs for functional reasons, but may not have the usage requirements to support 23 bearer channels. A regional bank is probably the best illustration of this. While a bank branch may need DID, DNIS, addressable CLID functionality, they typically will have fewer than 3 or 4 concurrent calls during any period of the work day. So in this case, if we can bring those 3 or 4 talk paths onto a data circuit and relieve the cost of the PRI loop, we can save some money.

    b. Disaster Recovery – This is a big one. When you have a site or a remote PBX go down, you have few options to get those numbers re-routed to another site and avoid the “All circuits are busy” message being played repeatedly to your customers. At best, you can call your service provider and request an emergency call forward on a few numbers which typically gets put in place within a few hours – just in time for your circuit to come back online…wash, rinse, repeat. With SIP, most carriers allow for backup IP addressing for where a call is delivered to your network. This gives us the flexibility to offer at least one other point of entry to the network for those numbers…without having to call a soul.

  2. TEST, TEST, TEST and then TEST some more. Seeing as most of these service offerings come from providers who are already offering you data services today, it stands to reason that you could have a few test numbers lit up and use those to test. Some key items you will want to watch out for – voice quality, DTMF exchange (call into an IVR), call forwarding and outbound CLID preservation. Once you think everything is working fine, port a few DIDs for a few users. Nothing says you need to cut an entire site or even a heavily used number the first time.
  3. Pick a good partner. SIP cutovers don’t always go as smoothly as you might like. You’ll want to have a partner who has done a number of these cuts before and is adamant about having a solid reversion plan. If you’re having trouble finding one, give me a call…I should have a recommendation or two.

CJ’s Thumbs Up Foundation: Helping Make Every Day A Bonus

TBL Networks is proud to present guest blogger Rachel Reynolds, Executive Director at CJSTUF.

Sickle cell disease is a life threatening genetic disorder that causes chronic pain, delayed growth, ulcers, jaundice, and other medical issues. Ongoing treatments are necessary and can range from dialysis, blood transfusions, medical management through steroids and pain medications, and (when possible) bone marrow transplants. While symptoms and treatment can vary across patients, it is a disease that requires lifelong management and frequent medical care.

 

The Price Family knows the reality of Sickle Cell disease only too well. Thirteen year old Nile (one of a set of triplets) has battled the disease since birth. Last year, Nile was fortunate to receive a bone marrow transplant that has cured his sickle cell disease and placed him in remission; however, he still faces chronic health challenges on a daily basis. His four-year-old sister Olivia also has the disease.

The Price family has struggled to balance their days between hospital visits and a “normal” life. They have faced the emotional, physical, and financial challenges that this disease brings to every family it impacts. Thanks to CJSTUF, the family was able to receive two Financial Assistance Grants in 2010: one for Nile and one for Olivia. The funds helped the family with their ongoing medical and household expenses.

This is just one example of how CJ’s Thumbs Up Foundation helps families of children with chronic and life-threatening illnesses. We serve families where children face cancer, cystic fibrosis, leukemia, and other debilitating illnesses that require constant care. Our mission is not to find a cure or to solve all of a family’s financial problems. We make an unbearable situation a little more bearable. We do this by providing financial support to families in need served by Children’s Hospital of Richmond. In our first year as a 501(c)3 (2010), we provided almost $13,000 in support to over 30 families through our financial assistance grants, vouchers for healthy meals, and other tangible support.

As a young organization in the Richmond area, we are grateful to individuals and businesses such as TBL Networks for their generous support. With the help of donors and volunteers, we can continue to provide support to families in the Richmond area and, hopefully, expand our services to cover more families around the state and even across the country.

If you would like to know more about our organization, visit our website for information on how to get involved.  You can also follow us on Twitter and Facebook or hook into our blog for the latest updates.

–Rachel Reynolds
Executive Director, CJSTUF
rachel@cjstuf.org

 

TBL Networks 2nd Annual Virtual Golf Tournament

Techumanity is an ideal that we embrace at TBL Networks.  We often discuss this concept in terms of how technology can be used to make us more human.  Other times, we use it as a justification to play golf and raise money for a great cause.

On Friday, March 11, TBL Networks hosted our 2nd Annual Virtual Open Golf Tournament. Whereas a traditional golf tournament in March would be at the mercy of the elements, a few Nintendo Wii Systems allowed us to convert the confines of TBL Headquarters into a climate-controlled TPC Blue Monster. Using Cisco WebEx, we generated a live leader board so players could keep track of the scores. In addition, participants received the chance to check the onsite technology, including our Cisco TelePresence 1100 rooms.

This year, TBL Networks received the privilege to benefit a great organization in CJ’s Thumbs Up Foundation, better known as CJSTUF.  CJSTUF’s mission is to provide financial assistance to families of children with chronic and life-threatening illness.   CJSTUF embraces techumanity by using their blog, FaceBook and Twitter pages to raise awareness and funds for their mission.

We would like to thank everyone who came out to our event and contributed to our cause. Thanks to our corporate partners Cisco, VMware and EMC for helping make our day possible. Special thanks to our local sponsors Bogeys Sports Park, Chick-fil-A Parham Rd, FSU and the Richmond Flying Squirrels. With their help, we were able to raise $2,275 for CJSTUF.

To learn about CJSTUF, check out their website, and stay tuned to the TBL Networks Blog Home, where we will be providing more information about this great organization in coming weeks.

The iPad is VDI Ready!

This has been a very cool couple of weeks for the VDI landscape with VMware View. The View client for the iPad that was first seen in a demo at VMworld US in 2010 is finally here. Now I know what may have taken them so long.

VMware View 4.6 was also released in the past couple of weeks. With version 4.6 came the ability to use the PCoIP protocol on the VMware View Security Server that sits in your DMZ. This eliminates the need to set up a VPN for the endpoint device to access a desktop pool using the PCoIP protocol from outside your firewall.

I can now see where this functionality would be absolutely necessary to access a View desktop from the iPad. Super-mobile VDI is really cool, but it would have been a drag to only access your desktops over RDP. Also, having to set up a VPN connection from your iPad would go against the ease of use that the iPad offers.

Below is a video demo of the new iPad client. Among some of the coolest features are the virtual laptop track pad and the touch gestures built into the client to take advantage of the iPad functionality.

http://www.youtube.com/watch?v=ldECHtfDyjs

And also some use cases in the field. This one is for Children’s Hospital Central California. I think this is a great use of the technology.

http://www.youtube.com/watch?v=aU0nF_FM–s&feature=related

If you have any questions or would like more information, please contact me. Also, if you would like to see the View Client for iPad in person, we can schedule a demo for you with our VMware View Lab running on our Cisco UCS blade infrastructure.

Techumanity Makes Us More Human

TBL prides itself on designing solutions for our clients that allow their employees to connect to each other in ways that improve the quality and speed of interaction. Business isn’t just conducted over the phone and e-mail anymore. As technology infiltrates our lives as consumers, we see the benefits it has on our personal interactions, and naturally begin to integrate it into our work lives. Instant Messaging and Text Messaging are two such examples that are now common in most workplace environments. Ten years ago it would have been difficult to find many occurrences of either for business, but we were all seeing the benefits of IM’ing and texting to stay in touch with our friends and family.

Today, we have moved beyond IM at home, and Skype is the predominant way we keep in touch with loved ones. And not just on the PC – every cell phone commercial on television boasts the ability to video call across the network. Yes, video is nothing new to the enterprise – we are all familiar with rolling cart video conferencing, or even the newer immersive room video systems, but video isn’t pervasive at the desk… yet. Solutions are just being introduced that are pushing video to every user on every device, and not just for live interaction. Any message that needs to be delivered is enhanced by video. Portals for video sharing, a corporate YouTube, now allow the publishing of content in a controlled, authenticated, and searchable way that is suitable for corporations. Video will soon be a part of daily interactions in the workplace.

I was recently introduced to a woman who studies the use of technology by society. Amber Case refers to herself as a Cyborg Anthropologist. While a traditional anthropologist studies the tools ancient civilizations used to extend the physical self, Amber philosophizes on how modern man uses technology as tools to extend the mental self. We teleport ourselves around the world in an instant with global communications networks, can interact with acquaintances even when they are not online, and store a lifetime worth of memories on a device in the palm of our hand. It is technology that allows us to do this, but humanity that urges us to want to. If technology didn’t allow us to improve the way we interact with other humans, we wouldn’t use it. At TBL, we coined the phrase techumanity to describe the way technology allows people to connect in ways that are more human.

Amber gets techumanity, and we think it is pretty cool.

Sean Crookston Awarded VCAP-DCA

TBL Networks’ Solutions Engineer Sean Crookston recently attained the title of VMware Certified Advanced Professional in Datacenter Administration (VCAP-DCA). Sean is only the 47th person worldwide to achieve this elite virtualization certification.

The VMware Certified Advanced Professional 4 – Datacenter Administration (VCAP4-DCA) is designed for Administrators, Consultants and Technical Support Engineers who are capable of working with large and more complex virtualized environments and who can demonstrate technical leadership with VMware vSphere technologies.

Sean put together many hours of study and research to reach this achievement.  Sean has documented much of this work on his website – www.seancrookston.com.

Congratulations to Sean Crookston, VCAP-DCA #47.

Follow Sean Crookston on Twitter at www.twitter.com/seancrookston

Follow TBL Networks on Twitter at www.twitter.com/tblnetworks

What I Learned – EMC VNX and The Green Hornet

Virtualization. Storage. Seth Rogen? You might not associate movie theaters and superheroes with Unified Storage, but for one day, TBL Networks found a way to bring them together. On February 17th, TBL Networks’ Harley Stagner and EMC’s Steve Woods provided an exclusive presentation on the new EMC VNX series of storage solutions at Movieland at Boulevard Square. Following the presentation, the attendees watched a private screening of The Green Hornet.

Here are a few things that I learned from the EMC VNX/Green Hornet event.

– The VNX series is the new mid-tier storage platform built for the demanding virtualized data center. It has a fully redundant, multi-controller design that scales and scales.

– Just because you have a giant bucket of popcorn, you are not obligated to eat the entire bucket.

– Even if you ask nicely, Steve and Harley will not add select scenes from Black Swan to their presentation.

– The VNXe series has a series of best practice wizards so you can configure your storage with just a few clicks.

– I am a sucker for any technology that comes with a wizard.

– Movieland is not planning to screen The Cannonball Run as part of their MOVIES & MIMOSAS® series.

– The VNX series provides the broadest range of unified storage platforms in the industry.

Thanks to everyone who came out to hear Harley and Steve and to watch the movie. Special thanks to the team at Movieland for providing a great facility and experience.

Solving the Virtual Desktop Puzzle Part 3

In this series we’ve already looked at virtual desktop storage efficiency with “linked clones” and user profile management options. In this post we will discuss another piece of the desktop image that can potentially be offloaded to the network. The applications.

Remember that in a virtual desktop environment one of our goals is to make the “gold” master image as vanilla as possible. We do this by offloading unique components of the desktop off of the image and onto the network. VMware has a way to virtualize your applications so that they can be offloaded onto a network share. This means that the applications can be streamed to the user when they log in to their desktop. So, the desktop becomes disposable and the user gets the appropriate applications when they log into any virtual desktop. So how can we do this?

We do this with a VMware product called ThinApp. It even comes bundled with the VMware View Bundled licensing. ThinApp allows us to package an application as a single executable file. All of the DLLs and bits that the application requires at runtime are packaged in this single executable file. So, nothing actually gets installed on the desktop in order to run the application. Once the application is packaged it can run from the desktop hard drive, an external hard drive, a CD, a DVD, and even from the network. Basically, if you have an operating system and a place to store the packaged ThinApp’ed application, you can run it.

If you run the packaged application from the network, then each user can have the application streamed to their virtual desktop instance when they log in. There is also the added benefit of the packaged applications running on the appropriate storage tier if we are running a tiered storage solution. So, we’ve taken care of the user profiles and applications to make the desktop image as vanilla as possible. Our user profiles and our applications can be centrally managed along with our desktops. We can now treat multiple desktops as a single pooled unit. No more Microsoft patch Tuesday woes, no more uncontrolled virus or spyware outbreaks, and fewer user desk side trips.