Ohio LinuxFest 2010

August 31st, 2010 Jeremy L. Gaddis No comments
The eighth annual Ohio LinuxFest will be held on September 10-12, 2010 at the Greater Columbus Convention Center in downtown Columbus, Ohio. Hosting authoritative speakers and a large expo, the Ohio LinuxFest welcomes all Free and Open Source Software professionals, enthusiasts, and everyone interested in learning more about Free and Open Source Software.

I’ve attended the Ohio LinuxFest numerous times and it has always been a top-notch event. Unfortunately, I won’t be able to attend this year as I already have plans for that Saturday. If I didn’t, though, I would. I’d probably also register for the OLFU Classes on Friday, just to sit in the IPv6 Essentials and Deployment Strategies session in the morning and the Data Centers: Planning, Expanding, Managing session in the afternoon ($350 seems a bit steep, though).

For what it’s worth, I have never failed to have a good time at this event. They have moved the date up from when it originally was, however, which is somewhat disappointing. The Ohio LinuxFest used to coincide with the Columbus Oktoberfest which was held just a few blocks away (it has since moved to a new venue, it seems). My girlfriend (at the time) wasn’t a geek at all, but she would go with me to the “dorkfest” (her word, not mine). We’d spend the day at the LinuxFest (well, she usually went shopping) and spend the evenings at Oktoberfest or a nearby bar. On the last day, before returning home, we’d spend time at the Columbus Zoo or divert south, swing by the Great American Ball Park, and catch a Cincinnati Reds game.

In short, you can make a weekend of it and bring your family along as well.

If you just want to check out the regular presentations, you can do that by signing up for the free “Enthusiast Package”. For just $65, however, you can sign up for the “Supporter Package” and support the Ohio LinuxFest. That $65 gets you a cool t-shirt and lunch on Saturday and you get a warm, fuzzy feeling knowing that you helped support the event (registration link).

One final note: Mark Krenz, of Twitter @climagic fame, will be presenting a session on Friday entitled “Command Line Magic: 25 Commands You Can Do Right Now”. Mark is a Linux System Administrator who works right down the road from me and was, for a few years, the fearless leader of our local Linux Users Group. Oh, and I just remembered, he still has a few of my Cisco switches… =)



    Installing pfSense on a Nokia IP120 firewall

    August 30th, 2010 Jeremy L. Gaddis 7 comments

    I was recently toying with an old Nokia IP120 firewall and discovered that pfSense would run quite well on this old hardware.

    pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution.

    The Nokia IP120 is a firewall/VPN security platform, wrapped up in a nice little desktop package. It’s been EoL/EoS for several years, but it would still make a perfect candidate for running pfSense.

    The IP120 has a 266 MHz CPU, 128 MB of RAM, 3×10/100 NICs, and this particular unit had a 10GB HDD. Those specs are nothing by today’s standards, but it has plenty of horsepower to push some packets around.

    A few weeks ago, I used a LiveCD to install pfSense 1.2.3, by taking out the HDD and putting it in an old laptop I had sitting around. It worked great, except I noticed that it wouldn’t reboot properly. When going through the reboot process, it got to “Rebooting…” and just hung. I could power cycle it and it would be fine, but that just wouldn’t work for me.

    I ran into Jim Pingle, co-author of “pfSense: The Definitive Guide” and one of the guys working on pfSense, on IRC. He encouraged me to do an online update to the 2.0 beta series to see if that would fix it. I went ahead with the upgrade, but I got nothing on the console of the IP120 after it rebooted. Presumably, the “embedded” kernel wasn’t installed and since the IP120 has no VGA built-in… well, you get it.

    Fast forward to a day or two ago, when I decided to try it again. I took the 10GB HDD and put it back in the laptop, and began downloading the latest pfSense 2.0 snapshot to another server I have here at home:

    $ fetch http://snapshots.pfsense.org/FreeBSD/RELENG_8_1/i386/...
    pfSense-2.0-BETA4-4g-20100828-0039-nanobsd.img  100% of  107 MB  285 kBps 00m00s

    Next, I put a Gentoo LiveCD I had laying around into the laptop, plugged the laptop into my wired network, and booted Gentoo with a few extra parameters:

    boot: gentoo nox dosshd passwd=gentoo42

    This told it to not start the X Window System, do start up the SSH daemon, and to set the root password to “gentoo42”.

    Once it was up and running, I needed to know what IP address it had acquired from my DHCP server:

    livecd root # ifconfig eth0 | grep Bcast
              inet addr:203.0.113.143  Bcast:203.0.113.255  Mask:255.255.255.0

    Okay, so the laptop was using the IP address 203.0.113.143. Duly noted.

    Now, I could go back to my primary workstation and do the rest from there. First, I had to SSH into the laptop, however:

    $ ssh root@203.0.113.143
    The authenticity of host '203.0.113.143 (203.0.113.143)' can't be established.
    RSA key fingerprint is cf:e1:e0:74:64:e8:92:7f:da:6d:5f:30:26:96:f5:48.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '203.0.113.143' (RSA) to the list of known hosts.
    Password:
    Welcome to the Gentoo Linux LiveCD!
    
    ...

    Once SSH’d into the laptop, I needed to transfer the pfSense 2.0 beta image over to the laptop and write it to the 10GB HDD. I decided just to do it all in one fell swoop, since I’m a lazy bastard.

    On the laptop, I started up a netcat listener:

    livecd ~ # nc -l -p 4242 | gzip -dc | dd of=/dev/hda

    Next, I went over to my FreeBSD server and started dumping the pfSense disk image out over the wire:

    $ dd if=pfSense-2.0-BETA4-4g-20100828-0039-nanobsd.img.gz | nc 203.0.113.143 4242
    220658+1 records in
    220658+1 records out
    112977011 bytes transferred in 652.244121 secs (173213 bytes/sec)

    As you can see, it took almost 11 minutes to complete. This is because the laptop was receiving the data over TCP, decompressing it, then writing it out to the hard drive. The bottleneck in this case was definitely the old 10 GB HDD. Once that finished, I went back over to the laptop side and killed the netcat listener.

    livecd ~ # nc -l -p 4242 | gzip -dc | dd of=/dev/hda
    7827687+0 records in
    7827687+0 records out
    4007775744 bytes (4.0 GB) copied, 698.246 seconds, 5.7 MB/s
    dd: closing input file `standard input': Bad file descriptor
    livecd ~ #
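The transfer above, as added example code that is not part of the original post: the sender and receiver halves of the dd/netcat pipeline as shell functions that also run offline against ordinary files, plus a checksum of the written image (which the post does not do) and the arithmetic behind dd's "records in/out" lines. All function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: the "dd | nc" sender and the
# "nc -l | gzip -dc | dd" receiver rebuilt as functions that also work against
# ordinary files, with two checks the post did not do. All function names here
# are assumed names for this example.
set -eu

# Sender side, as in the post: stream the gzipped image unchanged.
# (The post piped this into "nc 203.0.113.143 4242".)
send_image() {
  dd if="$1" 2>/dev/null
}

# Receiver side, as in the post: decompress on the fly and write to the target.
# The target was /dev/hda in the post; here it can be any writable path.
# Caveat: "nc -l" accepts a connection from any host that can reach the port
# and writes whatever arrives straight to the disk, so run it only on a
# trusted segment and verify the result afterwards (verify_written below).
receive_image() {
  gzip -dc | dd of="$1" 2>/dev/null
}

# SHA-256 of stdin, with a fallback for systems without GNU coreutils.
sha256_stdin() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum | cut -d' ' -f1
  else
    shasum -a 256 | cut -d' ' -f1
  fi
}

# Confirm the bytes on the target equal the decompressed image. A raw disk is
# larger than the image, so only the first image-length bytes are hashed.
# Prints "ok" or "mismatch" (and fails) so a caller can act on it.
verify_written() {
  image_gz=$1
  target=$2
  size=$(gzip -dc "$image_gz" | wc -c | tr -d ' ')
  want=$(gzip -dc "$image_gz" | sha256_stdin)
  have=$(head -c "$size" "$target" | sha256_stdin)
  if [ "$want" = "$have" ]; then
    echo ok
  else
    echo mismatch
    return 1
  fi
}

# The "N+M records" figure dd prints for a byte count at its default 512-byte
# block size: N full blocks, plus M=1 when a partial block remains. The post's
# 112977011 compressed bytes give 220658+1; its 4007775744 written bytes give
# 7827687+0, i.e. the 4g nanobsd image is an exact multiple of 512 bytes.
dd_records() {
  size=$1
  echo "$((size / 512))+$(( (size % 512) > 0 ? 1 : 0 ))"
}
```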

    pfSense was installed on the HDD at this point. I shut down the laptop, transferred the HDD back into the IP120, hooked its serial port up to my console server, connected to it, powered up the IP120 and watched it boot up and begin the “first time setup” process:

    1  pfSense
    2  pfSense
    
    F6 PXE
    Boot:  1
    /boot.config: -h
    Consoles: serial port
    BIOS drive C: is disk0
    BIOS 639kB/130048kB available memory
    
    FreeBSD/i386 bootstrap loader, Revision 1.1
    (sullrich@FreeBSD_8.0_pfSense_2.0-snaps.pfsense.org, Sat Aug 28 00:11:26 EDT 2010)
    Loading /boot/defaults/loader.conf
    /boot/kernel/kernel text=0x859d8c data=0x3c73d4+0x818e0 \
    /
    Hit [Enter] to boot immediately, or any other key for command prompt.
    Booting [/boot/kernel/kernel]...
    Copyright (c) 1992-2010 The FreeBSD Project.
    Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
            The Regents of the University of California. All rights reserved.
    FreeBSD is a registered trademark of The FreeBSD Foundation.
    FreeBSD 8.1-RELEASE #0: Sat Aug 28 00:39:10 EDT 2010
        sullrich@FreeBSD_8.0_pfSense_2.0-snaps.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_wrap.8.i386 i386
    Timecounter "i8254" frequency 1193182 Hz quality 0
    CPU: Geode(TM) Integrated Processor by National Semi (266.68-MHz 586-class CPU)
      Origin = "Geode by NSC"  Id = 0x540  Family = 5  Model = 4  Stepping = 0
      Features=0x808131
    real memory  = 138936320 (132 MB)
    avail memory = 113254400 (108 MB)
    wlan: mac acl policy registered
    ipw_bss: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/.
    ipw_bss: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
    module_register_init: MOD_LOAD (ipw_bss_fw, 0xc06f5f30, 0) error 1
    ipw_ibss: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/.
    ipw_ibss: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
    module_register_init: MOD_LOAD (ipw_ibss_fw, 0xc06f5fd0, 0) error 1
    ipw_monitor: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/.
    ipw_monitor: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
    module_register_init: MOD_LOAD (ipw_monitor_fw, 0xc06f6070, 0) error 1
    wpi: You need to read the LICENSE file in /usr/share/doc/legal/intel_wpi/.
    wpi: If you agree with the license, set legal.intel_wpi.license_ack=1 in /boot/loader.conf.
    module_register_init: MOD_LOAD (wpi_fw, 0xc0852810, 0) error 1
    ACPI Error: A valid RSDP was not found (20100331/tbxfroot-309)
    ACPI: Table initialisation failed: AE_NOT_FOUND
    ACPI: Try disabling either ACPI or apic support.
    cryptosoft0:  on motherboard
    padlock0: No ACE support.
    pcib0:  pcibus 0 on motherboard
    pir0:  on motherboard
    pci0:  on pcib0
    fxp0:  port 0x8000-0x803f mem 0x80000000-0x80000fff,0x80100000-0x8011ffff irq 11 at device 14.0 on pci0
    miibus0:  on fxp0
    inphy0:  PHY 1 on miibus0
    inphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
    fxp0: [ITHREAD]
    fxp1:  port 0x8400-0x843f mem 0x80200000-0x80200fff,0x80300000-0x8031ffff irq 10 at device 15.0 on pci0
    miibus1:  on fxp1
    inphy1:  PHY 1 on miibus1
    inphy1:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
    fxp1: [ITHREAD]
    fxp2:  port 0x8800-0x883f mem 0x80400000-0x80400fff,0x80500000-0x8051ffff irq 5 at device 16.0 on pci0
    miibus2:  on fxp2
    inphy2:  PHY 1 on miibus2
    inphy2:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
    fxp2: [ITHREAD]
    isab0:  at device 18.0 on pci0
    isa0:  on isab0
    pci0:  at device 18.1 (no driver attached)
    atapci0:  port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xfc00-0xfc0f at device 18.2 on pci0
    ata0:  on atapci0
    ata0: [ITHREAD]
    ata1:  on atapci0
    ata1: [ITHREAD]
    pci0:  at device 18.3 (no driver attached)
    cpu0 on motherboard
    unknown:  can't assign resources (memory)
    unknown:  can't assign resources (port)
    atrtc0:  at port 0x70-0x7f irq 8 pnpid PNP0b00 on isa0
    uart0: <16550 or compatible> at port 0x3f8-0x3ff irq 4 flags 0x10 pnpid PNP0501 on isa0
    uart0: [FILTER]
    uart0: console (9600,n,8,1)
    uart1: <16550 or compatible> at port 0x2f8-0x2ff irq 3 pnpid PNP0501 on isa0
    uart1: [FILTER]
    orm0:  at iomem 0xe8000-0xebfff,0xec000-0xeffff pnpid ORM0000 on isa0
    ppc0: parallel port not found.
    unknown:  can't assign resources (memory)
    unknown:  can't assign resources (port)
    driver bug: Unable to set devclass (devname: (null))
    Timecounters tick every 10.000 msec
    IPsec: Initialized Security Association Processing.
    ad0: 9590MB  at ata0-master PIO4
    GEOM: ad0s1: geometry does not match label (16h,63s != 15h,63s).
    GEOM: ad0s2: geometry does not match label (16h,63s != 15h,63s).
    Trying to mount root from ufs:/dev/ufs/pfsense0
    Mounting filesystems...
    Setting up embedded specific environment... done.
    
         ___
     ___/ f \
    / p \___/ Sense
    \___/   \
        \___/
    
    Welcome to pfSense 2.0-BETA4  ...
    
    Creating symlinks......done.
    Launching the init system... done.
    Initializing................................ done.
    Starting device manager (devd)...done.
    Loading configuration......done.
    
    Network interface mismatch -- Running interface assignment option.
    
    Valid interfaces are:
    
    fxp0  00:a0:8e:21:83:85   (down)        Intel 82559ER Embedded 10/100 Ethernet
    fxp1  00:a0:8e:21:83:86   (down)        Intel 82559ER Embedded 10/100 Ethernet
    fxp2  00:a0:8e:21:83:87   (down)        Intel 82559ER Embedded 10/100 Ethernet
    
    Do you want to set up VLANs first? 
    
    If you are not going to use VLANs, or only for optional interfaces, you should
    say no here and use the webConfigurator to configure VLANs later, if required.
    
    Do you want to set up VLANs now [y|n]?

    I wasn’t real confident that the 2.0 beta was going to properly reboot the Nokia due to the ACPI errors shown during boot-up:

    ACPI Error: A valid RSDP was not found (20100331/tbxfroot-309)
    ACPI: Table initialisation failed: AE_NOT_FOUND
    ACPI: Try disabling either ACPI or apic support.

    I was going to have to go through the setup process before I could try though. For brevity’s sake, I’ve left out that part. Let’s continue on just past that:

    Writing configuration...done.
    Updating configuration......Loading new configuration...done.
    Cleaning backup cache...done.
    Setting up extended sysctls...done.
    Setting timezone...done.
    Starting Secure Shell Services...done.
    Setting up polling defaults...done.
    Setting up interfaces microcode...done.
    route: writing to routing socket: File exists
    Configuring LAGG interfaces...done.
    Configuring VLAN interfaces...done.
    Configuring QinQ interfaces...done.
    Configurifxp2: link state changed to UP
    ng WAN interface...done.
    Configuring LAN interface...done.
    Syncing OpenVPN settings...done.
    Starting syslog...done.
    Configuring firewall......done.
    Starting PFLOG...done.
    Setting up gateway monitors...done.
    Synchronizing user settings...done.
    Starting webConfigurator...Creating SSL Certificate... done.
    Configuring CRON...done.
    Starting OpenNTP time client...done.
    Starting DHCP service...done.
    Starting DNS forwarder...done.
    Configuring firewall......done.
    Generating RRD graphs...done.
    Starting CRON... done.
    Executing rc.d items...
     Starting /usr/local/etc/rc.d/*.sh...done.
    Bootup complete
    
    FreeBSD/i386 (pfSense.localdomain) (console)
    
    *** Welcome to pfSense 2.0-BETA4-nanobsd (i386) on pfSense ***
    
      WAN (wan)                 -> fxp2       -> 203.0.113.143 (DHCP)
      LAN (lan)                 -> fxp0       -> 192.168.1.1
      OPT1 (opt1)               -> fxp1       -> NONE 
    
     pfSense console setup
    ***************************
     0)  Logout (SSH only)
     1)  Assign Interfaces
     2)  Set interface(s) IP address
     3)  Reset webConfigurator password
     4)  Reset to factory defaults
     5)  Reboot system
     6)  Halt system
     7)  Ping host
     8)  Shell
     9)  PFtop
    10)  Filter Logs
    11)  Restart webConfigurator
    12)  pfSense Developer Shell
    13)  Upgrade from console
    14)  Enable Secure Shell (sshd)
    
    Enter an option:

    The moment of truth was here. I told it to reboot and waited…

    Enter an option: 5
    
    pfSense will reboot. This may take one minute.
    
    Do you want to proceed [y|n]? y
    
    pfSense is rebooting now.
    
    *** FINAL System shutdown message from root@pfSense.localdomain ***
    System going down IMMEDIATELY                                                  
    
    pfSense is now shutting down ...
    
    Waiting (max 60 seconds) for system process `vnlru' to stop...done
    Waiting (max 60 seconds) for system process `bufdaemon' to stop...done
    Waiting (max 60 seconds) for system process `syncer' to stop...
    Syncing disks, vnodes remaining...0 done
    All buffers synced.
    Uptime: 8m26s
    Rebooting...

    …and waited. And waited. Unfortunately, the IP120 never actually rebooted. Jim Pingle gave me a few more things to try, but ultimately nothing worked. As before, I can power cycle it and it comes back up just fine, but I’d like the ability to reboot it remotely if the need arises. At this point, that’s pretty much a show-stopper for me. I’ve considered loading JunOS on it but since both pfSense and JunOS are based on FreeBSD, I’m not confident it will reboot correctly under JunOS either.

    Regardless, it was a fun experiment. I’m debating getting a Nokia IP330 off of eBay, as I don’t think it is affected by the same bug (from what I’ve read). They’re cheap enough and it has the added advantage that I can mount it in my rack. Thanks again to Jim for his assistance.



    ProCurve 5406zl Issue Rears Its Head Again

    August 30th, 2010 Jeremy L. Gaddis 4 comments

    Monday morning. 7am. Reading e-mail. I get the “new mail” notification from Outlook and glance down in the bottom right corner of the screen to look at the preview.

    The e-mail is from RANCID, and I can see from the preview that a change has been made to a core switch at one particular location.

    “That’s weird,” I think to myself. I click on the preview to open the e-mail:

    I’ve not included the whole message, but basically the output shows that every line of the running configuration was effectively removed. For those of you who don’t run RANCID — you should be (see “Installing RANCID on Ubuntu 10.04 LTS”) — allow me to give a simplified explanation.

    RANCID has logged into this switch, an HP ProCurve 5406zl, and issued the “show run” command. The switch happily returns the running configuration to RANCID. RANCID compares it with the last running configuration and alerts us (via e-mail) to any differences between the two in UNIX diff format.

    In a nutshell, the switch is screwed up. Again.

    I’ve seen this once before, on 29/Jun/2010 actually. Same exact switch. At the time, I didn’t think much of it. I honestly thought it was just a fluke and RANCID had messed up. I was very wrong, though.

    Eight hours later, in the early afternoon, I got an e-mail asking about a particular issue and logged into the device to check the access-lists. I issued the “show access-list config” command and the switch immediately rebooted. That’s sort of a problem.

    I opened a case w/ ProCurve support, providing the following information:

    I just had a production ProCurve 5406zl running K.13.71 spontaneously reboot.  I
    had logged in via SSH and executed the "show access-list config" command
    and my terminal locked up.  A quick visual check showed that the device was 
    reloading.  The following was present in the logs: 
     
    M 06/29/10 18:24:41 sys: 'PPC Program exception 0x700: esf=0x0820f410' 
    I 06/29/10 18:26:41 00061 system: ----------------------------------------------
    I 06/29/10 18:26:41 00063 system: System went down:  06/29/10 18:24:41 
    I 06/29/10 18:26:41 00064 system: PPC Program exception 0x700: esf=0x0820f410 
     
    Upon reload, the following was displayed on the console: 
     
    System went down:  06/29/10 18:24:41 
    Saved crash information: 
    PPC Program exception 0x700: esf=0x0820f410 
    addr=0x0badbad0 ip=0x00000000 Task='tSvcWorkQ' tid=0xab9bc60 
    fp=0x00008150 sp=0x0820f4d0 lr=0x009f20d4 
     
    After reload, the device appears to be functioning normally.

    HP responded:

    Research indicates that the replacement of the Management Module is advisable for this particular crash.

    They sent me a new management module and CompactFlash card, which I swapped out a few days later. No issues had been observed on this device until now.

    As a precaution, I’ve let everyone know not to even log into this device. Fortunately, we have spare chassis and I can grab a new management module and CF card out of one of them and get it swapped out — hopefully tonight, before the switch craps itself again.

    I have a feeling this is going to be a great week. =)



    HP Networking Tech Day – Part 3

    August 29th, 2010 Jeremy L. Gaddis No comments

    Note: This is Part 3 of a three-part series. Also see Part 1 and Part 2.

    S-series Overview

    Day 2 of HP Networking Tech Day started out with Gary Kinghorn and Aman Garg presenting the S-series. The S-series includes the TippingPoint Intrusion Prevention System and Core Controller. TippingPoint “secures 30+% of the Fortune 1000”.

    HP defined three priorities with the IPS product:

    • In-line Network Uptime (redundant power supplies, “fail open”, active/active, active/passive, etc.),
    • In-line Performance (high inspected throughput w/ low latency), and
    • In-line Filter Accuracy (“Vulnerability Filter”)

    They claim that the S5100N can handle up to 5 Gbps of inspected throughput with < 80μs latency. With the Core Controller platform, that increases to up to 16 Gbps of inspected throughput with < 110μs latency.

    TippingPoint’s vulnerability filter acts like a virtual software patch, eliminating false positives.

    They also have the S1200N IPS module for the A7500 platform. Each of these modules can handle up to 1.3 Gbps of inspected throughput and you can throw up to 10 of them into a single chassis (scalability, high-availability, etc.).

    Next up, DVLabs was introduced:

    TippingPoint DVLabs is a premier research organization for vulnerability analysis and discovery, ensuring TippingPoint customers have the best preemptive protection for vulnerabilities and zero day issues. Our team consists of industry recognized security researchers that apply their cutting-edge engineering, reverse engineering and analysis talents in our daily operations. The by-product of these efforts fuels the creation of vulnerability filters that are automatically delivered to our customers’ intrusion prevention systems through the Digital Vaccine® service.

    For 2009 Microsoft vulnerabilities, TippingPoint claims that “146/163 covered” with an average response time of -26 days. Yes, minus 26 days. I didn’t ask, but presumably that means they had coverage 26 days before the vulnerabilities were publicly announced/fixed.

    This is likely due to the Zero Day Initiative, “a program for rewarding security researchers for responsibly disclosing vulnerabilities”. Basically, there’s over 1,000 independent security researchers that they have bought 0-day vulnerabilities from. They then integrate these into the TippingPoint IPS products to protect their customers. In 2009, TippingPoint claims 116 “vulnerability discoveries” including those from their 30+ dedicated researchers and the independent researchers that they buy 0-days from.

    It was mentioned that Cisco only has one person working full-time researching security vulnerabilities.

    Unified Communication & Collaboration

    Next up was Manfred Arndt to talk about UC&C.

    Manfred talked about the evolution and transformation that has taken place in telephony over the last few decades up to the present. Personally, I’m not too interested in Unified Communications (UC) or Voice-over-IP (VoIP). I rarely use my office phone, as the only calls and voicemails I receive on it are from sales people (who I typically despise, if you’ll remember). I have no less than five phone numbers at present, yet the only phone I ever use is my BlackBerry. I really abhor voicemail, as well, so I had it turned off probably a year or so ago.

    Greg Ferro (@etherealmind) thinks that IP Telephony is dead.

    Anyway, I’m much more interested/concerned with the network side of things. VoIP introduced some new challenges for us network folks, things like ensuring available bandwidth, Quality-of-Service (QoS), Power-over-Ethernet (PoE). As Manfred pointed out, “the network is the foundation.”

    He discussed “some UC reality checks”:

    • UC is not a point product — it is a vision and strategy
    • You can’t just drop a few servers onto your existing TDM network
    • No single vendor can provide a complete end-to-end UC solution

    That last one seems debatable to me, but I’m not a VoIP/UC guy so I can’t be sure. I’d love to get some input from others on that.

    HP doesn’t really provide a VoIP/UC solution of their own, but rather works with other vendors to integrate their technology, with HP providing the networking, server, and storage infrastructure (typically with Microsoft UC&C solutions). HP really touts their interoperability (as I mentioned in a previous article), claiming there are “many successful HP Networking edge deployments with Cisco at the core and running Cisco VoIP”. If I didn’t mention it before, they’ve also created interoperability guides dealing with integrating Cisco & HP networking gear.

    In particular, Cambridge University was mentioned, who deployed 17,000 Cisco IP phones over an HP network with Cisco at the core (PDF).

    “Microsoft is HP’s primary UC&C partner”, while “Avaya-Nortel, Alcatel-Lucent, and Polycom are HP strategic UC&C partners”.

    Various vendors have either already released or are working on ONE Services modules (for the E-series line-up, see yesterday’s post) that put UC&C functionality directly into the switch chassis.

    HP network gear supports all major VoIP related standards, including PoE/PoE+, LLDP-MED, 802.1X, IGMP, and QoS (802.1p/DSCP).

    Solutions Test Center Tour

    After a short break, we ventured over to the Solutions Test Center where Ken Taggard gave us a tour.

    During the tour, we were asked not to take any photos, which is understandable but unfortunate. I’m not sure I can adequately convey the amount of network gear that was present — row after row after row of racks. Most of the gear was from the E-series line, but there was also A-series gear, Ixia/Agilent traffic generators and test gear, some Cisco 6500 and Nexus switches, and I even spotted one lonely old Cisco 7500 still in the rack.

    The Solutions Test Center is where HP can build large-scale deployments to test and emulate damn near any scenario you can imagine, apparently. I was impressed; total nerdgasm.

    I did, at one point, ask to take a picture. It was just a poster and they weren’t sure what my intentions were, so I was allowed:

    Nothing major, of course. I just giggled when I saw that in their scenario they were using a /24 for a point-to-point link. Most of us would never even consider wasting IP address space like that in production. I’m sure they wouldn’t either, but they do have a “Class A” (15/8) allocated to them, so it’s entirely possible. =)

    HPN Go-to-Market

    After the tour, Jay Mellman gave us some insights into HP’s market strategies. Once again, everyone was open and honest and there was little “fluff”. Jay openly acknowledged that HP “will never be as big as Cisco”. Most of us already know this, but it’s nice to hear it from them.

    Jay mentioned that in FY11 HP will be launching a new Partner Program, with implementation beginning November 1st. As part of the revamping, they’ll have a “Converged Infrastructure Elite” track, consisting of approximately 100 partners.

    HP is on “the path towards $10 billion”, as Jay described it. They openly admit that it’s possibly unattainable, but I can’t bash them for setting their sights high. They’ll be quite happy even if they don’t reach that mark. They do have a number of strategies for getting there, however.

    One of their key priorities is to focus initially on the most likely customers. This would be your average enterprise customer who is “disillusioned with vendor X” — in other words, Cisco. I think we all know of companies who were shocked to learn that Cisco has 65%+ profit margins (and reportedly higher than that in certain areas). HP wants to reach out to those customers. Makes sense.

    Another priority is to begin attacking key Cisco strongholds in certain vertical markets. I can’t recall now if Jay mentioned specifics, but I would imagine education, health care, etc.

    Final Thoughts

    So, what were my overall thoughts?

    I’ve been exposed to HP’s networking products for several years now and went into this with my own preconceived opinions (which aren’t always favorable). I did my best to keep an open mind, however. HP didn’t really sway my opinion one way or the other. My opinions of a product are developed after using that product (it would’ve been nice to get some hands-on with the A-series!). With regard to the E-series line (the products that I am most familiar with), my opinion hasn’t changed. I’ve long said that I think HP’s networking products are great at layer 2. Would I recommend ripping out the Cisco core and immediately replacing it with A-series products? Without using the products and gaining first-hand experience, there’s no way I could do that.

    My honest opinion is that HP has great plans and strategies and, perhaps more importantly, the ability to execute them. They don’t seem to have much interest in the carrier/service provider market, but instead intend to focus on the SMB and Enterprise markets. That seems like a good idea to me. In this economy, there are a lot of organizations trying to be fiscally conservative, and if they can get an equivalent product with a much lower capital expenditure, then there is money to be made for HP. The H3C and TippingPoint acquisitions have really filled a gaping hole in HP’s product lines as well, I think.

    Finally, I want to thank HP for holding this event and inviting me to attend. I did find it very informative and beneficial, and my hope is that those at HP did too. Thanks again to those HP/H3C/TippingPoint employees who took the time out of their schedules to spend with us. It was a pleasure meeting all of you.

    Even the sales and marketing drones. =)



    HP Networking Tech Day – Part 2

    August 28th, 2010 Jeremy L. Gaddis 1 comment

    Note: This is Part 2 of a three-part series. Also see Part 1 and Part 3.

    Emerging Network Standards

    Continuing on, Paul Congdon was up once again, this time to discuss vSwitches, Virtual Ethernet Bridge (VEB), and Virtual Ethernet Port Aggregation (VEPA), and give us a live demonstration.

    Note: If you’re like me and new to this storage/virtual I/O thing, you might want to read this technology brief (PDF).

    I’m not sure what the original purposes of VEB/VEPA were (maybe I wasn’t paying attention at that moment), but the biggest benefits seem to be added visibility into what is happening between servers in a virtualized environment. When Paul was discussing how VEB/VEPA worked, the first thoughts I had were with regard to security. In a typical virtualized environment, when two VMs on the same physical host are communicating with one another, that VM-to-VM traffic is forwarded by the software vSwitch and never actually hits the physical switch.

    VEB provides “limited visibility and policy enforcement” while VEPA provides “full visibility and policy enforcement”:

    Both are implemented on the server. The major difference (as far as I can tell — remember, this is new to me!) is that VEBs forward traffic in the server, while VEPAs actually dump the VM traffic out on the wire where it hits the physical network. Out of the two, it seems to me that VEPA would be much preferred, simply because of the ability to see the VM-to-VM traffic and act upon it where necessary (think rate-limiting, filtering, compliance, etc.). If you had the choice between VEB and VEPA, I’m not sure why you would choose VEB but, then again, I don’t really know much about this stuff. It seems that VEB would be a bit faster but with SR-IOV NICs and high-end, low-latency switches, this becomes less of an issue.

    Remember that VEPA dumps the traffic on the physical network? My first thought, when considering traffic between two VMs on the same physical host, was “how is it going to get back to the other VM?” When a frame enters a switch, it will not be forwarded if both the source MAC address and destination MAC address were learned on the same interface — it will be silently dropped. About the time I was contemplating this, Dr. Congdon mentioned “hairpinning”.

    Hairpinning involves the use of a “reflective relay” on the physical switch which, in a nutshell, allows it to forward a frame back out the same interface on which it arrived. The frame then hits the server NIC and re-enters the virtualized environment where it is forwarded on to its destination (another VM). According to Paul, most switches can be software upgraded to support hairpin mode. I asked if any of the E-series switches would be getting this feature, but never really got a straight answer.

    Paul did an excellent job of explaining the technologies, but he went one step further and followed that up with a live demonstration, which was a tremendous help in solidifying my understanding.

    Paul started out with the NIC in VEB mode. He fired up a CLI ping tool on each VM; each instance was pinging the others. By watching, it was apparent that the VM-to-VM traffic was never hitting the A6120 switch. He then ran a shell script which, as far as I can tell, simply flipped a VEB/VEPA bit (on the NIC), which caused the traffic to be dumped on the wire where it hits the switch.

    There were three basic ACLs set up on the switch, none of which were actually applied. Once we could see the traffic hitting the switch, he enabled and disabled the ACLs. By watching the output of the ping application, we could verify that the ACLs were actually in effect and filtering traffic. To me, this was damn cool and I’m looking forward to when I can make use of these features.
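To make the forwarding behaviour behind the demo concrete, here is an added toy model (my own illustration, not HP's code or Paul's script) of a learning switch with a per-port reflective-relay flag and a MAC-pair ACL, and a host whose NIC is in VEB or VEPA mode; the class, port numbers and MAC labels are all constructed for the example.

```python
"""Toy model of the VEB vs. VEPA forwarding paths described in the demo above.

Constructed example, not HP or IEEE code: a learning switch with a per-port
"reflective relay" (hairpin) flag and a MAC-pair ACL, plus a host whose NIC
is in VEB or VEPA mode. All names, port numbers and MACs are made up.
"""
from dataclasses import dataclass, field


@dataclass
class Switch:
    ports: set                                       # physical port numbers
    hairpin_ports: set = field(default_factory=set)  # ports in reflective-relay mode
    acl: set = field(default_factory=set)            # blocked (src_mac, dst_mac) pairs
    fdb: dict = field(default_factory=dict)          # learned MAC -> port
    seen: list = field(default_factory=list)         # every frame that hit the switch

    def forward(self, in_port, src, dst):
        """Return the set of egress ports for one frame (empty set = dropped)."""
        self.seen.append((in_port, src, dst))
        self.fdb[src] = in_port                      # source-address learning
        if (src, dst) in self.acl:
            return set()                             # visible on the wire, so the ACL can act
        learned = self.fdb.get(dst)
        out = {learned} if learned is not None else set(self.ports)  # known dst vs. flood
        if in_port not in self.hairpin_ports:
            out.discard(in_port)   # classic 802.1D rule: never send a frame back out its ingress port
        return out


def vm_to_vm(nic_mode, switch, uplink, src, dst):
    """Deliver a frame between two VMs on the same host; report which path it took."""
    if nic_mode == "VEB":
        return "vswitch-local"     # switched in software; the physical switch never sees it
    # VEPA: the NIC pushes every VM frame out the uplink to the adjacent switch
    egress = switch.forward(uplink, src, dst)
    return "hairpin-delivered" if uplink in egress else "lost"


def run_demo():
    """Replays the demo: VEB, then VEPA without and with hairpin, then with an ACL applied."""
    sw = Switch(ports={1, 2, 3})
    results = [vm_to_vm("VEB", sw, 1, "vm-a", "vm-b")]
    results.append(vm_to_vm("VEPA", sw, 1, "vm-a", "vm-b"))   # switch has no hairpin mode yet
    sw.hairpin_ports.add(1)                                    # the "software upgrade" to hairpin mode
    results.append(vm_to_vm("VEPA", sw, 1, "vm-b", "vm-a"))
    sw.acl.add(("vm-a", "vm-b"))                               # apply an ACL to VM-to-VM traffic
    results.append(vm_to_vm("VEPA", sw, 1, "vm-a", "vm-b"))
    return results, len(sw.seen)                               # frames the switch actually saw


if __name__ == "__main__":
    print(run_demo())  # (['vswitch-local', 'lost', 'hairpin-delivered', 'lost'], 3)
```

The second result shows the problem Paul raised: without reflective relay the switch forwards the VEPA frame anywhere except back to the port it arrived on, so the destination VM on the same host never receives it.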

    Last, there’s a whitepaper that Paul wrote on VEB/VEPA benchmarking that is supposed to be released September 6th.

    E- and V-series Overview

    Mike Verdugo and Mark Hilton were up next, to give us an overview of the E- and V-series line. With regard to HP Networking, this is where most of my knowledge lies, as I am intimately familiar with the modular and fixed series switches in the E-series line.

    The modular switches in the E-series line are the E4200vl, E5400zl, and E8200zl. The E4200vl switches are your basic layer 2 edge switches. The E5400zl adds common layer 3 functionality (OSPF, VRRP, PIM, etc.). The E8200zl is basically the same, with redundancy added (dual management modules, etc.). All three of these products run the same software (and, thus, the same bugs).

    Here’s their slide about the E-series modular switches:

    The E-series fixed configuration switches are divided up into three areas: layer 2 only, lite layer 3, and full layer 3. The differences between them are highlighted here:

    They briefly touched on the E-series wireless, which are, if I’m not mistaken, mostly (all?) products that were acquired by HP’s purchase of Colubris a few years ago. This gave HP a wireless solution which featured centralized management (via the controllers). Yes, they had that before with the wireless services modules, but those sucked. The acquisition of Colubris gave them a viable wireless solution.

    One key wireless product that HP talked about was the MSM317 Access Device, pictured here:

    From the product page:

    HP ProCurve MSM317 Access Device integrates wired and wireless connectivity into a small unit that can be quickly and discretely installed in a standard wall outlet box. It provides four Ethernet ports, a 2.4 GHz wireless access point, and a pass-through RJ-45 connection to support a range of service and user connectivity options.

    They talked specifically about how a hotel chain (Marriott, if memory serves) needed to roll out wireless access through their hotels, but a number of factors were complicating that. They were able to install the MSM317s and gained the ability to provide both wired and wireless network access. The access points operate in a “mesh” (my assumption is just an ESS) and if one happens to go down, the idea is that a client will automatically connect to an adjacent/nearby access point and not lose network access. In our environment, I could definitely see utilizing these (except that we’ve already made the decision to replace our existing HP wireless infrastructure with Meru Wireless gear).

    The V-series consists of a number of low-end managed and unmanaged switches, wireless access points, and wireless routers, which I’m not going to spend any time writing about.

    Next, we discussed AllianceONE (FAQ) and a handful of available products.

    AllianceONE gives you the framework, tools and resources you need to have a successful collaborative relationship with HP. Building on a standards-based architecture across Microsoft® Windows®, Linux, HP-UX and NonStop, we can deliver leading solutions that seamlessly fit within the current data center or across the enterprise, while helping clients prepare for the future.

    The ONE Services zl Module (available on the 5400zl & 8200zl chassis) is an add-on module sporting a Core 2 Duo CPU, 8GB of main memory, 4GB of flash memory, and up to two hard drives. The modules have 2x10Gbps Ethernet connections to the backplane and can run in transparent mode. There are currently a number of products built on top of this, including the HP Threat Management Services module (I demo’d one of these when they first came out and wasn’t impressed), and third-party products from inMon (Traffic Sentinel), Fortigate (UTM), and — coming soon — Microsoft (Survivable Branch Office Gateway) and Avaya (SBC). In addition, a Riverbed WAN acceleration module is coming sometime around October.

    We were told that we could expect more product announcements in the E-series line in the future and that, in the next six months, there were “significant offerings” coming in the 5400zl product. I’m particularly interested in this, as I have a lot of 5400s deployed. I’m just hoping they’ll get the K.15.x software tested, tuned, stable and as bug-free as possible in the near future. There are some features that I want that are only available in the K.15.x train, but at this point it is waaaaay too “beta” for me.

    “Shake and Bake” Lab Tour

    Next up, we were taken on a tour of the “Shake and Bake” lab (officially called the HP Roseville Hardware Test Center) by Mike Avery. This is where HP subjects its products to a number of physical and environmental tests, hence the name. We got to hear about some of the tests that they do, but didn’t get to see any in action (which was a slight disappointment).

    Competitive Discussion

    We ended Day 1 at the HP campus with a “competitive discussion” or, as Greg Ferro put it, “a rather splendid vendor bitchfest.” =)

    In this session, everyone present openly discussed the current market and HP’s competition. We discussed HP’s certification program, which I’ve written about recently. One thing I said is that it would be in HP’s best interests to increase their number of HP Certified Professionals and one great way to do that would be to subsidize the cost of the certification exams. Juniper saw tremendous growth when they began offering free test vouchers as part of their Fast Track Program (which yours truly took advantage of, to earn the JNCIA-ER certification), and HP would be wise to do something similar. They acknowledged that they are working on their education program and that a “very large investment is being made” in that regard.

    I did ask if HP would be extending their lifetime warranty to products in the A-series line-up, but I already knew the answer. HP has “no intention of doing that”.

    Dinner

    After the Competitive Discussion, we left and returned to our hotel. Shortly afterwards, we met back up in the lobby and headed to Paul Martin’s American Bistro for dinner and drinks. As might be expected, the atmosphere was very relaxed and we all got to “mingle”. I got the opportunity to talk with Dom Wilde one-on-one regarding the A-series line.

    A bit later, we moved inside and continued our “chatter” where I learned a few interesting things. HP apparently has intramural sports and Paul Congdon is on one of the softball teams, though his team lost Monday’s game. Also, Jennifer Lake, TippingPoint PR Manager, runs way too much. I was nearly exhausted after hearing her talk about running marathons.

    We made our way back to the hotel once again, where a few of us stopped for a drink before heading off to bed to prepare for Day 2.
