5 host network configurations for MLAG

Host network configurations for Multi-Chassis Link Aggregation (MLAG, also referred to as dual-attach or ‘high availability’) can vary from host OS to host OS, even amongst Linux distributions. The most robust and widely recommended method is to use the Link Aggregation Control Protocol (LACP), which most host operating systems support natively. Host bonds or bonding can refer to a variety of bonding methods, but for the purpose of this article it refers to LACP bonds. The terms etherchannel, link aggregation group (LAG), NIC teaming, port-channel and bond are used interchangeably to refer to LACP depending on the vendor’s nomenclature. For the sake of simplicity, we will just call it bonds or bonding. This post will take you through the steps for host network configurations for MLAG across five different operating systems.

Why LACP? LACP is an IEEE standard that has been available since 2000, known as 802.3ad. This makes for a highly interoperable, standards-based approach to bonding that works across many network vendors and host operating systems. LACP is superior to static configuration (also referred to as bond-mode ON) because a control protocol keeps the bond active. This means failover is predictable and automatic. It also helps when a layer 1 issue occurs in which one side of a connection still thinks the link is up: LACP brings the logical link down anyway. Static configuration is also prone to being misconfigured on the first try, because the only mechanism it has to detect whether the bond is configured correctly is the physical state of the interface. That is not helpful when you are connected to the wrong switch or to a media converter. With that in mind, let’s discuss the host network configurations for MLAG.

In this post we will cover multiple host operating systems:

  • Debian Linux
  • Ubuntu Linux
  • Red Hat Enterprise Linux (RHEL) and CentOS
  • Windows Server 2016
  • VMware vSphere

This reference diagram will work for all configuration examples – just imagine the host OS has been installed on server01.

Debian Linux

Debian Linux uses ifupdown for flat-file configuration. This configuration will also work on Cumulus Linux since the newer ifupdown2 is also backwards compatible with ifupdown. Look at a comparison of ifupdown vs ifupdown2 to learn more. It is possible (and recommended) to install ifupdown2 on both Debian and Ubuntu.

Debian Configuration (7.0 wheezy and 8.0 jessie and later)
##########################
# /etc/network/interfaces
auto lacpbond
iface lacpbond inet static
address 192.168.1.101/24
bond-slaves uplink1 uplink2
# 802.3ad is LACP; miimon polls link state every 100 ms; lacp-rate 1 = fast (an LACPDU every second)
bond-mode 802.3ad
bond-miimon 100
bond-lacp-rate 1
bond-min-links 1
bond-xmit-hash-policy layer3+4

auto lacpbond.100
iface lacpbond.100 inet static
address 192.168.100.101/24

auto lacpbond.101
iface lacpbond.101 inet static
address 192.168.101.101/24

auto lacpbond.102
iface lacpbond.102 inet static
address 192.168.102.101/24

Ubuntu Linux

Ubuntu is similar to Debian except that the slave interfaces must be configured as type “inet manual” and assigned to their respective bond using the “bond-master” keyword.

# /etc/network/interfaces
auto uplink1
iface uplink1 inet manual
bond-master lacpbond

auto uplink2
iface uplink2 inet manual
bond-master lacpbond

auto lacpbond
iface lacpbond inet static
address 192.168.1.101/24
bond-mode 802.3ad
bond-miimon 100
bond-lacp-rate 1
# the slaves attach themselves via bond-master above, so none are listed here
bond-slaves none

auto lacpbond.100
iface lacpbond.100 inet static
address 192.168.100.101/24

auto lacpbond.101
iface lacpbond.101 inet static
address 192.168.101.101/24

auto lacpbond.102
iface lacpbond.102 inet static
address 192.168.102.101/24

Red Hat Enterprise Linux (RHEL) and CentOS

RHEL and CentOS offer several ways to configure networking: nmtui (NetworkManager Text User Interface), nmcli (NetworkManager Command Line Tool), ifcfg flat files on the Linux CLI, and even a GUI (GNOME). nmtui and the GUI are not really options for data centers, as they are made for human point-and-click interaction and do not work with automation. The nmcli method is automatable; however, nmcli returns the same result when a command is run twice in a row, so its return codes give automation no way to tell whether anything changed. For example, Ansible would report “changed” every time a playbook is run, whether or not it actually changed something. This makes nmcli difficult to use in CI/CD (Continuous Integration / Continuous Delivery).

Cumulus Networks highly recommends using the standard CLI method by breaking the configuration files into separate ifcfg files. This method is common, battle hardened, easy to automate from a variety of tools, and well documented.

First, configure the physical links. On this example server the physical links are named uplink1 and uplink2.

/etc/sysconfig/network-scripts/ifcfg-uplink1

DEVICE=uplink1
NAME=lacpbond-slave
TYPE=Ethernet
BOOTPROTO=none
ONBOOT=yes
MASTER=lacpbond
SLAVE=yes

/etc/sysconfig/network-scripts/ifcfg-uplink2

DEVICE=uplink2
NAME=lacpbond-slave
TYPE=Ethernet
BOOTPROTO=none
ONBOOT=yes
MASTER=lacpbond
SLAVE=yes

Next, configure the bond logical interface:

/etc/sysconfig/network-scripts/ifcfg-lacpbond

DEVICE=lacpbond
NAME=lacpbond
TYPE=Bond
BONDING_MASTER=yes
ONBOOT=yes
BOOTPROTO=none
BONDING_OPTS="mode=4 miimon=100 lacp_rate=1 xmit_hash_policy=layer3+4"

Then, configure the tagged interfaces (for each VLAN). Each of these will again be a separate file.

/etc/sysconfig/network-scripts/ifcfg-lacpbond.100

DEVICE=lacpbond.100
IPADDR=192.168.100.101
PREFIX=24
ONBOOT=yes
BOOTPROTO=none
VLAN=yes

This would continue for however many VLANs you desired to configure.
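The stanzas above, and the “Why LACP?” argument earlier, rely on LACP telling the host whether each uplink really negotiated into one LAG with the MLAG pair; the kernel exposes that in /proc/net/bonding/lacpbond. Here is an added example, not code from the original post or from Cumulus, that parses that report and flags the failure modes a static bond would hide; the sample reports are constructed, and the bond name, interface names and MAC addresses are assumptions.

```python
import re
# LACP partner port-state bits (IEEE 802.3ad); the bonding driver prints the raw integer.
SYNC, COLLECTING, DISTRIBUTING, DEFAULTED, EXPIRED = 0x08, 0x10, 0x20, 0x40, 0x80
FORWARDING = SYNC | COLLECTING | DISTRIBUTING
def _kv(block):
    """'Key: value' lines to a dict (indented keys allowed, lines without a colon skipped)."""
    return dict(re.findall(r"^[ \t]*([^:\n]+?):[ \t]*(.*?)[ \t]*$", block, re.M))

def parse_bond(report):
    """Bond-level fields plus one dict per slave, each carrying its partner's LACPDU fields."""
    head, *chunks = report.split("Slave Interface:")
    bond = {**_kv(head), "slaves": []}
    for chunk in chunks:
        name, body = chunk.split("\n", 1)
        actor, partner = body.split("details partner lacp pdu:")
        bond["slaves"].append({**_kv(actor), "name": name.strip(), "partner": _kv(partner)})
    return bond

def check_lacp(report, expected_uplinks):
    """Return the problems found; an empty list means every uplink forwards in one LAG."""
    bond, problems, partner_ids, active = parse_bond(report), [], set(), 0
    if "802.3ad" not in bond.get("Bonding Mode", ""):
        problems.append("bond is not in 802.3ad (LACP) mode")
    for s in bond["slaves"]:
        state = int(s["partner"].get("port state", "0"))
        if s.get("MII Status") != "up" or state & (DEFAULTED | EXPIRED) or (state & FORWARDING) != FORWARDING:
            # Link down, or no fresh LACPDUs from the far end: this uplink carries no traffic.
            problems.append(f"{s['name']}: not negotiated (MII {s.get('MII Status')}, partner state {state})")
        elif s.get("Aggregator ID") != bond.get("Aggregator ID"):
            # Negotiated, but parked in a standby aggregator: it joined a different LAG.
            problems.append(f"{s['name']}: aggregator {s.get('Aggregator ID')} is not the active one")
        else:
            active += 1
            partner_ids.add(s["partner"].get("system mac address"))
    if len(partner_ids) > 1:  # an MLAG pair must present one shared system ID
        problems.append("uplinks see different partner system IDs: " + ", ".join(sorted(partner_ids)))
    if active < expected_uplinks:
        problems.append(f"only {active} of {expected_uplinks} uplinks carry traffic")
    return problems
def _slave(name, agg, partner_mac, partner_state):  # builds one constructed slave block
    return (f"Slave Interface: {name}\nMII Status: up\nAggregator ID: {agg}\n"
            "details actor lacp pdu:\n    system mac address: 00:11:22:33:44:55\n    port state: 63\n"
            f"details partner lacp pdu:\n    system mac address: {partner_mac}\n    port state: {partner_state}\n")
_HEAD = ("Bonding Mode: IEEE 802.3ad Dynamic link aggregation\nMII Status: up\n802.3ad info\n"
         "LACP rate: fast\nMin links: 1\nActive Aggregator Info:\n\tAggregator ID: 1\n\tNumber of ports: 2\n\n")
# Constructed sample: both uplinks negotiated with the MLAG pair's shared system ID (assumed MAC).
HEALTHY = _HEAD + _slave("uplink1", 1, "44:38:39:ff:00:01", 63) + _slave("uplink2", 1, "44:38:39:ff:00:01", 63)
# Constructed sample: uplink2 is up at layer 1 but gets no LACPDUs (partner 'defaulted'), so the driver parks it in aggregator 2.
SPLIT = _HEAD + _slave("uplink1", 1, "44:38:39:ff:00:01", 63) + _slave("uplink2", 2, "00:00:00:00:00:00", 69)
```

On a host, run check_lacp(open('/proc/net/bonding/lacpbond').read(), 2); a non-empty list is worth alerting on before the second uplink is needed for failover.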

Windows Server 2016

Windows Server 2016 can be configured with the Windows GUI or with PowerShell. For this document, we will only cover PowerShell.

PS C:\> New-NetLbfoTeam Team1 uplink1,uplink2 -TeamingMode LACP -LoadBalancingAlgorithm TransportPorts

TransportPorts, as described by Microsoft, is also called Address Hash in their GUI. This mode creates a hash over the TCP/UDP ports and the source and destination IP addresses, so it will match the hash on the ToR (Top of Rack) switch.

VMware vSphere 6.+

VMware requires the vSphere Distributed Switch on vSphere 5.1, 5.5 or 6.0. This can be configured in two ways through the vSphere Web Client.

Interested in learning even more about LACP and host network configurations for MLAG? Then you should check out our 3 part blog series on LACP! This series covers design choices, how MLAG interacts with the host, and the sharing state between host and upstream network. Head over to our blog if you’d like to become an LACP scholar.

The post 5 host network configurations for MLAG appeared first on Cumulus Networks Blog.

Read more here: Cumulus Networks

60% off Logitech G105 Gaming Keyboard – Deal Alert

The G105 gaming keyboard from Logitech features dual-level LED backlighting, fully programmable G-keys for single actions and macros, and anti-ghosting capabilities. Program 3 macros per key — configure up to 18 unique functions per game. Program single keystrokes, complex macros or intricate Lua scripts. Record new macros on the fly while you’re in the game. The G105 Logitech gaming keyboard is built for serious gaming, and its typical list price of $59.99 has been reduced 60% to $23.99. See this deal on Amazon.


Read more here: IT news – Hardware Systems

Amazon Macie automates cloud data protection with machine learning

Amazon offers a number of excellent tools to help enterprises keep their data and applications safe in the cloud. Last year, Amazon unveiled Amazon Inspector, its host-based application vulnerability assessment tool that monitors what is installed and configured on each virtual instance. This year, it’s Amazon Macie, a security service designed to automatically discover and protect sensitive data stored in AWS.

As organizations move more of their data to Amazon’s various cloud offerings, security teams have the unenviable task of continuously tracking the data to identify, classify and protect sensitive pieces of information such as personally identifiable information (PII), personal health information (PHI), regulatory documents, API keys, secret key material and intellectual property.


Read more here: IT news – Security

Booking a Taxi for Faketoken

The Trojan-Banker.AndroidOS.Faketoken malware has been known for more than a year. Over that time it has worked its way up from a primitive Trojan intercepting mTAN codes to an encrypter. The authors of its newer modifications continue to upgrade the malware, and its geographical spread is growing. Some of these modifications contain overlay mechanisms for about 2,000 financial apps. In one of the newest versions, we also detected a mechanism for attacking apps for booking taxis and paying traffic tickets issued by the Main Directorate for Road Traffic Safety.

Not so long ago, thanks to our colleagues from a large Russian bank, we detected a new Trojan sample, Faketoken.q, which contained a number of curious features.

Infection

We have not yet managed to reconstruct the entire chain of events leading to infection, but the application icon suggests that the malware sneaks onto smartphones through bulk SMS messages with a prompt to download some pictures.

The malware icon

The structure of the malware

The mobile Trojan that we examined consists of two parts. The first part is an obfuscated dropper (verdict: Trojan-Banker.AndroidOS.Fyec.az): files like this are usually obfuscated on the server side in order to resist detection. At first glance, it may seem that its code is gibberish:

However, this code works quite well. It decrypts and launches the second part of the malware. This is standard practice these days, whereas unpacked Trojans are very rare.

The second part of the malware, a file with a .dat extension, contains the malware’s main features. The data is encrypted:

By decrypting the data, it is possible to obtain a rather legible code:

After the Trojan initiates, it hides its shortcut icon and starts to monitor all of the calls and whichever apps the user launches. Upon receiving a call from (or making a call to) a certain phone number, the malware begins to record the conversation and sends it to evildoers shortly after the conversation ends.

The code for recording a conversation

The authors of Faketoken.q kept the overlay features and simplified them considerably. So, the Trojan is capable of overlaying several banking and miscellaneous applications, such as Android Pay, Google Play Store, and apps for paying traffic tickets and booking flights, hotel rooms, and taxis.

Faketoken.q monitors active apps and, as soon as the user launches a specific one, it substitutes its UI with a fake one, prompting the victim to enter his or her bank card data. The substitution happens instantaneously, and the colors of the fake UI correspond to those of the original launched app.

It should be noted that all of the apps attacked by this malware sample support linking bank cards in order to make payments. Moreover, the terms of some apps make it mandatory to link a bank card in order to use the service. As millions of Android users have these applications installed, the damage caused by Faketoken can be significant.

However, the following question may arise: what do fraudsters do in order to process a payment if they have to enter an SMS code sent by the bank? Evildoers successfully accomplish this by stealing incoming SMS messages and forwarding them to command-and-control servers.

We are inclined to believe that the version that we got our hands on is still unfinished, as screen overlays contain formatting artifacts, which make it easy for a victim to identify it as fake:

The screen overlays for the UI of a taxi-booking app

As screen overlays are a documented feature widely used in a large number of apps (window managers, messengers, etc.), protecting yourself against such fake overlays is quite complicated, a fact that is exploited by evildoers.

To date we have not registered a large number of attacks with this Faketoken sample, and we are inclined to believe that it is one of its test versions. Judging by the list of attacked applications, the Russian UI of the overlays, and the Russian language in the code, Faketoken.q is focused on attacking users from Russia and CIS countries.

Precautions

In order to avoid falling victim to Faketoken and apps similar to it, we strongly discourage the installation of third-party software on your Android device. A mobile security solution like Kaspersky Mobile Antivirus: Web Security & AppLock would be quite helpful too.

MD5

CF401E5D21DE36FF583B416FA06231D5

Read more here: Securelist