More than 70 percent of Internet traffic passes through Data Center Alley in Loudoun County. Ashburn, Virginia has the largest data center footprint in the world, which makes it a sensible place to lease or colocate your data center. Almost all cloud providers (Azure, Amazon AWS, Google, Office 365, etc.) have a presence in these data centers, so being colocated locally lets you take advantage of direct connect services to any of them. Ashburn Consulting can help you design a hybrid cloud and on-premises architecture for your future infrastructure.
Category: data center
ICMP Security
This is a draft guide to handling ICMP securely.
Guide Analysis to Handling ICMP protocol
Summary:
This guide is an attempt to help answer common questions related to handling the ICMP protocol in a secure and effective manner. Comments and feedback are always welcome. This article is meant to cover the major areas in which there may be questions on how to handle ICMP and what specifically to allow in each particular condition, which also allows for effective risk mitigation. If you need specifics on the ICMP codes within each ICMP type, please refer to the reference URLs below.
Major ICMP Protocol Types:
– 0: Echo Reply
– 3: Destination Unreachable
– 4: Source Quench
– 5: Redirect (change a route)
– 8: Echo Request
– 9: Router Advertisement
– 10: Router Solicitation
– 11: Time Exceeded for a Datagram
– 12: Parameter Problem on a Datagram
– 13: Timestamp Request
– 14: Timestamp Reply
– 17: Address Mask Request
– 18: Address Mask Reply
Areas of Effect:
Perimeter
Outbound: Echo Reply (0), Echo Request (8) (For Troubleshooting)
Deny: All types except Time Exceeded (11) and Destination Unreachable (Type 3, Code 4) from a limited set of external testing devices.
Interior (Corporate Network)
Internal Deny: Should be handled on a case by case basis; however, when permissible, squelch Redirect (5), Router Advertisement (9), Router Solicitation (10), Timestamp Request (13), Timestamp Reply (14), Address Mask Request (17), and Address Mask Reply (18). These ICMP message types have been superseded by DHCP and NTP, so there is little reason to allow them.
Internal Allow: Echo Reply (0), Destination Unreachable (3 Code 4), Echo Request (8), Time Exceeded (11)
Remote Access & Site to Site VPN
VPN Allow: Echo Reply (0), Destination Unreachable (3, Code 4), and Echo Request (8).
VPN Deny: Everything Else
Intranet to Intranet / Partner to Partner
Intranet to Intranet Allow: Echo Reply (0), Destination Unreachable (3 Code 4), Echo Request (8), Time Exceeded (11)
Intranet to Intranet Deny: Everything Else
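The zone policies above, expressed as a packet check. This is an added example and not part of the original guide: a small Python filter that parses the ICMPv4 header, verifies the checksum, and applies the allow list of one zone. The zone names and the `from_tester` flag for the perimeter exception are my own assumptions.

```python
import struct

# Per-zone allow lists taken from the guide above: (type, code) pairs, where a
# code of None means any code. Anything not listed is denied.
ALLOW = {
    "perimeter_outbound": {(0, None), (8, None)},
    "perimeter_inbound": set(),                     # see decide(): tester exception
    "interior": {(0, None), (3, 4), (8, None), (11, None)},
    "vpn": {(0, None), (3, 4), (8, None)},
    "intranet": {(0, None), (3, 4), (8, None), (11, None)},
}
# Inbound at the perimeter, only Time Exceeded and Fragmentation Needed, and only
# from the limited set of external testing devices (assumed flag: from_tester).
PERIMETER_TESTER_ALLOW = {(3, 4), (11, None)}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp(packet: bytes):
    """Return (type, code, checksum_ok) for an ICMPv4 message (8-byte header)."""
    if len(packet) < 8:
        raise ValueError("runt ICMP message: %d bytes" % len(packet))
    icmp_type, code = struct.unpack("!BB", packet[:2])
    # A message carrying a correct checksum sums to zero when re-checksummed.
    return icmp_type, code, icmp_checksum(packet) == 0

def decide(zone: str, packet: bytes, from_tester: bool = False) -> str:
    """Apply the guide's policy for one zone to a raw ICMP message."""
    icmp_type, code, ok = parse_icmp(packet)
    if not ok:
        return "deny"                               # malformed: never forward
    allowed = set(ALLOW[zone])
    if zone == "perimeter_inbound" and from_tester:
        allowed |= PERIMETER_TESTER_ALLOW
    if (icmp_type, None) in allowed or (icmp_type, code) in allowed:
        return "allow"
    return "deny"

def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Construct a minimal ICMPv4 message with a valid checksum (test input)."""
    msg = struct.pack("!BBHI", icmp_type, code, 0, 0) + payload
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]
```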
References:
PMTU
http://www.tcpipguide.com/free/t_IPDatagramSizetheMaximumTransmissionUnitMTUandFrag-4.htm
ICMP
http://www.tcpipguide.com/free/t_ICMPv4TimestampRequestandTimestampReplyMessages-3.htm
University of Syracuse ICMP Lecture Notes
Layer 2 Tracing for (6500, 7609, 4500) Cisco Switches
On a 6509, 7609 or any chassis-based Cisco switch, to determine which physical port in a Port-channel/EtherChannel the switch selects for a given source and destination pair, run the following commands:
Note: Doesn’t apply to Nexus switches.
First enter console for switch:
Switch# remote login switch
Trying Switch ...
Entering CONSOLE for Switch
Then enter the following command:
Switch-SP# test etherchannel load-balance interface port-channel 1 ip 10.1.1.1 10.1.1.2
Computed RBH: 0x6
Would select Gi2/1 of Po1
Based on the hash computation, the switch forwards traffic for this source/destination pair out port Gi2/1.
This is a useful check when a particular member port appears to be dropping packets between a given source and destination pair.
Unmanned Aircraft Drone Technology Showcase
Here’s a short video presentation of wireless, GPS, and auto-pilot technology in drones by a local Metro Washington DC enthusiast. Video shot by: Amante Bustamante