Posts

Running ASA on Firepower 2100: An End-to-End Guide

This process shows you step by step how to run the beloved ASA appliance on a Firepower 2100 series chassis out of the box. Note that no special hardware (SSD, etc.) is needed on the Firepower 2100 series devices to support this configuration.

A quick housekeeping aside: To anyone who reads this article and believes that one is giving up security by replacing FTD with ASA, I strongly contend that you're probably wrong about that. Also, if from reading this it sounds as though I'm being harsh toward Cisco and their Firepower product team's top-level decision making, it's only because it actually is that terrible. </sarcastic rant>

On that note, let's get started!

Concepts and Key Terms

Cisco's Firepower isn't actually a product in and of itself but rather a suite of products and subcomponents. For those uninitiated with the breakdown, it's important to understand what those components are for this procedure. FXOS (Firepower eXtensible OS) - More or…

GCP Network Design: The Basics

This is a write up on best practice networking basics for Google Cloud Platform with what I've learned over the last year while working on a large company migration to the cloud from AWS. I hope that it comes in handy for anyone new to designing networking in and to Google Cloud, or those who may just be generally interested in the details of the networking architecture stitching their projects together.

Overview

The Google Cloud Platform (the AWS-like division of the larger "Google Cloud", hereon referred to as just 'GCP') organizational resource layout is generally like this:

Created cloud resources live in a VPC, which are part of a project, which are organized in folders or subfolders.

The flow is... Create a folder for each BU or department in your organization. From there, create a project for nearly everything else. This includes creating a dedicated project for the shared VPC to exist in. Nearly every different use case pretty much gets its own proj…

Putting Virtual Networking into the Fast Lane

Here's a write up on some of the dirty details that I've learned over the last year or so while building an NFV (network function virtualization) platform with the goal of virtualizing edge devices at scale. If you've ever wondered how to get usable, scalable performance out of virtualized networking drivers and appliances in production then hopefully you'll find this useful.

While deploying specialized, purpose built network hardware might still make sense to many organizations who require a certain level of scale and performance (read: layer 2-3), I'd like to explore for a moment the possibilities which stem from the proliferation of x86-based cloud platforms, namely: virtual network appliances and their capability to eliminate the rapidly less-sexy sound of network appliances being unwieldy racked & stacked in your edge cabs.

What must system owners consider before making a transition to virtual appliances for services such as firewall security, VPN and loa…

What is SD-WAN and will it Replace MPLS?

I've noticed quite a lot of confusion in the networking realm over the last few years, even by experienced networking professionals, as to what exactly SD-WAN is and for what use cases one may consider using it for. Well, here's my take on hopefully clearing some things up.

First things first...
How SD-WAN compares to traditional MPLS L3VPN

They're both managed VPN services; it's mostly a difference of who's performing the encapsulation and doing the management. SD-WAN offers true CE-to-CE flow encryption, whereas MPLS isn't encrypted at all and performs encap/decap on the upstream PE routers for each site. SD-WAN needs this encryption since it relies on the Internet to be its backbone, whereas MPLS is contained in a service provider's VRF.

Bottom line: Carriers are maddeningly slow and expensive, and the SD-WAN market wouldn't have been created at all if it weren't to give a giant middle finger to that.
SD-WAN technology isn't standardized;…

Let's Build a Datacenter Network

It's quite common to hear of companies these days planning to migrate some or all of their infrastructure into third-party cloud providers such as AWS. However, for some organizations it still makes good sense to build physical, on-premises data centers to either augment that cloud workload presence or supplement it entirely. Today I'm going to pretend I'm working for one of those companies and come up with a network design to build out, just to get the juices flowing.

Be forewarned: brief this article is not, but I have glossed over a few details here and there for some brevity. Really, I wanted to illustrate some of the decisions that go into the process for those unaccustomed or otherwise curious.
The Challenge

Let's say a startup has hired me to design a data center network for their existing co-lo space that will be used to host all of their services. All that I've been given so far are four 42RU, dual-power cabinets in the datacenter cage, and two upstream I…