Featured Post

Security control mapping - CIS CSC Top 20, NIST CSF, and NIST 800-53

I am working on a security project with a colleague, and instead of tackling one of the bigger standards we decided to create a road map and...

Tuesday, May 10, 2022

Network Field Day 28 - Recap and Review

  I had the opportunity to participate as a delegate at Network Field Day 28, and I wanted to share my experience.

What is Network Field Day?

Network Field Day is one of the Tech Field Day events put on by Gestalt IT where sponsoring vendors present to a panel of delegates.  Network Field Day is specifically focused on networking solutions, and there are other events including Security Field Day and Storage Field Day with content that aligns to the respective categories.

There are usually about twelve delegates per event, with each one being invite-only.  Each delegate is independent (not employed by a vendor, or an industry analyst), is active in the community through things like blogs, podcasts, social media, etc, and could be considered a subject matter expert on the event topic.

There's a lot of information on how TFD works at their "About" page - https://techfieldday.com/about/ I recommend checking out the infographic, and reading through the FAQ to get a better understanding of what the event is about.

Want to find out more about the presenters or delegates?  Want to watch the recorded sessions?  Go to the NFD28 page to get all that and more!

Vendor Presentations

The event spanned three days, with 9 presenters, with 13.5 hours of presentations and 4.5 hours of off-camera conversations.  Plus there were plenty of conversations with other delegates throughout the event.  That said, this isn't an exhaustive review of everything.  I'll be working on putting more detailed posts together soon.


Day 1


Juniper https://www.juniper.net/

Juniper had two 1.5 hour sessions, so there was a lot of information to cover.  There were a couple specific areas that they talked about extensively - Marvis and Apstra.

Marvis is Juniper's AI that is used to help improve network operations.  One of the use cases would be streamlined anomaly detection, even to the point of potentially predicting issues before they occur.  There was a lot of discussion around Full Stack AIOps, along with a demo.  Another use case they presented was around wireless performance.  By collecting wireless performance data Marvis can recommend adding or moving APs to improve coverage.

Apstra is a solution that allows network teams to build out templates for data center deployments.  The cool thing that Apstra does is it disassociates the template from the underlying devices.  A single template could be deployed against Juniper, Cisco, and Arista hardware (among others) without needing to make any changes.  It takes the concept of intent-based networking and applies it in a mostly vendor agnostic way.  One of the use cases that was easy to see was environments that are being forced to look to different hardware vendors due to supply chain shortages.

Monday, April 18, 2022

ThousandEyes Walkthrough Part 4.1 - SNMP Monitoring

With the lab environment built, and the agents installed and online, now it's time to start actually getting monitoring data through ThousandEyes!

If you haven't followed along with the previous posts in this series you can find the lab build here: https://mytechgnome.blogspot.com/2022/04/thousandeyes-walkthrough-part-2-lab.html and the agent installation here: https://mytechgnome.blogspot.com/2022/04/thousandeyes-walkthrough-part-3.html

This lab requires version 1.1 of the lab build.  Verify the lab you are using is 1.1 or newer.  If it's not, look at the CHANGELOG section near the bottom of the lab build post: https://mytechgnome.blogspot.com/2022/04/thousandeyes-walkthrough-part-2-lab.html

SNMP Configuration

The SNMP configuration will allow basic SNMP monitoring but is not intended to replace existing SNMP monitoring solutions.  Within ThousandEyes the value of SNMP monitoring is to provide more contextual data and visibility, and some capabilities to alert on different conditions.

  1. Open a web browser and navigate to https://www.thousandeyes.com/
  2. Log into your account
  3. Click the Hamburger icon in the top left
  4. Expand Devices
  5. Click on Device Settings
  6. There might be a Get Started with Devices splash screen, or it will take you directly to the Devices page.
    1. Splash screen -
      1. Click Start Discovery
    2. Devices Page
      1. Click Find New Devices
  7. On the right in the Basic Configuration enter the scan details
    1. In Targets enter the following subnet: 10.255.255.0/24
    2. In the Monitoring Agent drop-down select CS1-1

    3. Under Credentials click "Create new credentials"
      1. In the Add New, Credentials pane enter a name, and for the community, string enter: TE
    4. If the Credentials don't auto-populate then click the dropdown and select the TE-SNMP that was just created
    5. Occasionally devices may not be picked up on the first discovery, but if the box is checked to "Save as a scheduled discovery" it will retry every hour
    6. Click Start Discovery
  8. Wait for the discovery process to complete - this might take a few minutes
    1. NOTE: There seems to be a bug in the UI where it displays a "No devices found" error, even though all the devices were discovered.
  9. Click back to the main section of the page and the Add Devices panel will disappear
  10. Click the Select All checkbox on the top left of the device list, then click Monitor at the bottom of the page.
  11. Wait a few minutes for the devices to show Green under the Last Contact column

SNMP Toplolgy

ThousandEyes includes a cool toplogy builder based on the data collected from the SNMP monitors.  It's able to determine device adjacency, but not necissarily the best placement for our interpretation.  The good news is the devices can be moved to better align to what we'd like to see.
  1. Hover over the menu icon in the top left, then under Devices click on Views
  2. The Device Views will show some metric data on the top, and the topology on the bottom
  3. Click on Edit Topology Layout
  4. Devices in the topology view can be moved (drag-and-drop) to better represent the actual topology. Click Done Editing when the device positions match the lab topology.
As usual, if there were any issues you can add a comment to this post, or reach me on Twitter @Ipswitch

Conclusion

The SNMP monitoring in ThousandEyes is now configured.  One important note here is that this is a lab build.  In a production environment steps should be taken to secure SNMP access.  Restricting access to SNMP via ACL is always a good idea, as well as using SNMP v3 for authentication and encryption.

Later in this series the SNMP configuration will be revisited.  When data is flowing on the lab network the SNMP views will be useful in getting more information on traffic flows.  The SNMP data can also be used to help troubleshoot issues and to create alarms depending on network conditions.

What's next

The next task is to define some scenarios to identify what needs to be monitored.  The scenarios will be generic but should be relatable for any IT professional out there.  After the scenarios are defined then the ThousandEyes tests can be built for each unique scenario.



Monday, April 11, 2022

ThousandEyes Walkthrough Part 3 - Enterprise and Endpoint Agent Installs

There are going to be a number of agent deployments in the lab that was covered in the previous post:
  • 4x Linux Enterprise Agent installs on the CML Ubuntu instances 
    • CS1-1, CS1-2, CS2-1, and CS2-2
  • 2x Docker Enterprise Agent container deployments on the Ubuntu Docker host
    • These two agents will be added to a cluster
  • 1x Raspberry Pi Enterprise agent (optional)  
  • 1x Windows Endpoint Agent install on the Windows VM

Prerequisites

The lab needs to be built out.  Details on that process can be found here: https://mytechgnome.blogspot.com/2022/03/thousandeyes-walkthrough-part-2-lab.html

Before we can start with the agent installs some ThousandEyes licenses are required.  It's possible you already have some ThousandEyes licenses.  Cisco has bundled Enterprise Agents with the purchase of DNA Advantage or Premier licensing on the Catalyst 9300 and 9400 switches.  

If existing licenses are unavailable a 15-day trial license can be requested here: https://www.thousandeyes.com/signup/

Additional hardware and software

As a side note - if you plan to work a lot with the Raspberry Pi I strongly recommend getting the USB 3 adapter.  It has a significant improvement in performance over the USB 2 adapters that are typically bundled with Raspberry Pi kits.  The SD cards recommended by ThousandEyes are because of the card performance.  Other cards can be used, but there may be a negative impact on performance.

Installs

Account Group Token

Before getting started with the installs it is important to get your Account Group Token.  This is an ID that is used to associate the agents to the correct account.  When deploying agents it will often require the token to be specified.

There's multiple ways to find the token, but I think the easiest is to just pull it from the Enterprise Agent deployment panel
  1. Open a web browser and navigate to https://www.thousandeyes.com/
  2. Log into your account
  3. Click the Hamburger icon in the top left
  4. Expand Cloud & Enterprise Agents
  5. Click Agent Settings
  6. Click the Add New Enterprise Agent button
  7. Click the eye button to show the token, or the copy button to store it on the clipboard
    1. In a production environment you would want to keep this token safe.  It provides devices access to your ThousandEyes account, so it should not be made public
  8. Store the token in a safe, convenient location.  It will be used to add agents to the ThousandEyes account throughout this process.

Linux Enterprise Agent install

  1. Open a web browser and navigate to https://www.thousandeyes.com/
  2. Log into your account
  3. Click the Hamburger icon in the top left
  4. Expand Cloud & Enterprise Agents
  5. Click Agent Settings
  6. Click the Add New Enterprise Agent button
  7. Click the option for Linux Package
  8. Copy the commands displayed
    1. curl -Os https://downloads.thousandeyes.com/agent/install_thousandeyes.sh
      chmod +x install_thousandeyes.sh
      sudo ./install_thousandeyes.sh -b <--Your Token goes here-->
  9. Perform the following steps for CS1-1. CS1-2, CS2-1, and CS2-2 in CML
    1. In CLM open the terminal session and log in
    2. Paste the commands into the terminal and press Enter
    3. It may take some time, but eventually there will be a prompt that say: 
      The default log path is /var/log. Do you want to change it [y/N]?
    4. Press Enter to accept the default log location
    5. It might take 10 minutes or it could be over an hour for the process to complete and the agent to come online.  When it returns to the user prompt the service should be started.
  10. When the installs are complete they should be listed in the ThousandEyes portal under Enterprise Agents
    1. If the agent status is yellow it likely means an agent update is required, and it should automatically update within a few minutes

Docker Enterprise Agent install

  1. Open a web browser and navigate to https://www.thousandeyes.com/
  2. Log into your account
  3. Click the Hamburger icon in the top left
  4. Expand Cloud & Enterprise Agents
  5. Click Agent Settings
  6. Click the Add New Enterprise Agent button
  7. Click the option for Docker
  8. Scroll down to the sections with the commands
  9. Copy the section to configure seccomp and apparmor profile
    1. curl -Os https://downloads.thousandeyes.com/bbot/configure_docker.sh
      chmod +x configure_docker.sh
      sudo ./configure_docker.sh
  10. Log in to the Ubuntu node that is the Docker host and paste in the commands:
    1. Add listening IPs for the Docker containers
      1. sudo ip add add 192.168.1.51 dev ens33
        sudo ip add add 192.168.1.52 dev ens33
    2. Pull the TE Docker image
      1. docker pull thousandeyes/enterprise-agent > /dev/null 2>&1
    3. Update these commands by putting in your ThousandEyes token and changing the IPs if needed, then run them to create two ThousandEyes agents.

    4. NOTE: These commands have been updated to include DNS and IP settings that aren't available on the ThousandEyes Enterprise Agent page. If you use the commands from ThousandEyes the DNS and Published ports will need to be updated.
      1. docker run
          --hostname='TE-Docker1' \
          --memory=2g \
          --memory-swap=2g \
          --detach=true \
          --tty=true \
          --shm-size=512M \
          -e TEAGENT_ACCOUNT_TOKEN=<--Your Token goes here--> \
          -e TEAGENT_INET=4 \
          -v '/etc/thousandeyes/TE-Docker1/te-agent':/var/lib/te-agent \
          -v '/etc/thousandeyes/TE-Docker1/te-browserbot':/var/lib/te-browserbot \
          -v '/etc/thousandeyes/TE-Docker1/log/':/var/log/agent \
          --cap-add=NET_ADMIN \
          --cap-add=SYS_ADMIN \
          --name 'TE-Docker1' \
          --restart=unless-stopped \
          --security-opt apparmor=docker_sandbox \
          --security-opt seccomp=/var/docker/configs/te-seccomp.json \
          --dns=10.133.100.10 \
          --dns-search=cml.lab \
          --publish=192.168.1.51:49152:49152/udp \
          --publish=192.168.1.51:49153:49153/udp \
          --publish=192.168.1.51:49153:49153/tcp \
          thousandeyes/enterprise-agent /sbin/my_init
      2. docker run
          --hostname='TE-Docker2' \
          --memory=2g \
          --memory-swap=2g \
          --detach=true \
          --tty=true \
          --shm-size=512M \
          -e TEAGENT_ACCOUNT_TOKEN=<--Your Token goes here--> \
          -e TEAGENT_INET=4 \
          -v '/etc/thousandeyes/TE-Docker2/te-agent':/var/lib/te-agent \
          -v '/etc/thousandeyes/TE-Docker2/te-browserbot':/var/lib/te-browserbot \
          -v '/etc/thousandeyes/TE-Docker2/log/':/var/log/agent \
          --cap-add=NET_ADMIN \
          --cap-add=SYS_ADMIN \
          --name 'TE-Docker2' \
          --restart=unless-stopped \
          --security-opt apparmor=docker_sandbox \
          --security-opt seccomp=/var/docker/configs/te-seccomp.json \
          --dns=10.133.100.10 \
          --dns-search=cml.lab \
          --publish=192.168.1.52:49152:49152/udp \
          --publish=192.168.1.52:49153:49153/udp \
          --publish=192.168.1.52:49153:49153/tcp \
          thousandeyes/enterprise-agent /sbin/my_init
          
  11. When the installs are complete they should be listed in the ThousandEyes portal under Enterprise Agents
    1. If the agent status is yellow it likely means an agent update is required, and it should automatically update within a few minutes

Docker Enterprise Agent configuration

There are two configuration tasks that will be performed on the Docker agents.  The IP setting in ThousandEyes will be updated to use the host IPs that are tied to the Docker agents instead of the private Docker IPs, and the two agents will be added to a ThousandEyes Cluster.
  1. Open a web browser and navigate to https://www.thousandeyes.com/
  2. Log into your account
  3. Click the Hamburger icon in the top left
  4. Expand Cloud & Enterprise Agents
  5. Click Agent Settings
  6. Click on the Agent
  7. In the right panel click on Advanced Settings
  8. Updated the IP address with the address assigned to that instance
  9. Click the Save Changes button on the bottom right
  10. Repeat this process for the other container agent
  11. At the Enterprise Agents page select both Docker agents
  12. Click the Edit button
  13. Select Edit Cluster
  14. On the right select Add to a new cluster
    1. In the name field type Docker
  15. Click Save Changes
    1. It will give a confirmation screen, click Save Changes again
  16. The agent icon will be updated to include the cluster icon, and under the Cluster tab it will display the new cluster
Wondering why those changes were made?  

The first change to the IP address was because ThousandEyes learns the IP address of the agent from its local configuration.  Docker, by default, creates a bridged network that uses NAT to communicate with the rest of the network.  That means the addresses Docker assigns to containers aren't accessible on the network.  The additional IPs were added to the Ubuntu host to allow static NAT entries to be created in Docker (the Publish lines), which redirect traffic to sent to those IPs to the correct agent.  Since there are two containers using the same ports, we need two IP addresses to uniquely address each instance.  The change that was made to the agent settings in ThousandEyes forces other agents to use the routed 192.168.1.0/24 LAN network instead of the unrouted 172.17.0.0/16 Docker network.  This is only needed because we are going to build inbound tests into those agents.  If this was only outbound then it wouldn't matter.

As for the creation of the cluster, this was done for high availability.  Granted, in this scenario both instances are running on the same Docker host which defeats the purpose.  However, it still illustrates how to configure the cluster.  The purpose of the cluster is exactly what would be expected.  Both agents share a name, and are treated as a single agent.  If a test is assigned to a cluster then either instance could run it.  In addition to high availability, this also can provide some load balancing between the agents, and it can simplify test creation.  Instead of managing tests to multiple instances in one location we can use the cluster agent to distribute those tests.

Raspberry Pi Enterprise Agent install

  1. Open a web browser and navigate to https://www.thousandeyes.com/
  2. Log into your account
  3. Click the Hamburger icon in the top left
  4. Expand Cloud & Enterprise Agents
  5. Click Agent Settings
  6. Click the Add New Enterprise Agent button
  7. The pane on the right should open the the Appliance tab, under Physical Appliance Installer find the Raspberry Pi 4, and to the right of that click Download - IMG
  8. Wait for the download to complete.  It's nearly a 1GB file, so it might take a few minutes.
  9. Connect the SD card to the computer that will be doing the imaging
    1. This process erases the entire card.  Make sure you are using a blank card, or you have any valuable data on the card backed up elsewhere.
  10. Launch the Raspberry Pi Imager
  11. Under Operating System click Choose OS
  12. Scroll down to the bottom of the list and click Use custom
  13. Browse to the location of the downloaded image, select it, and click Open
  14. Under Storage click on Choose Storage (or Choose Stor...)
  15. Select the SD card in the window that pops up
    1. If the SD card does not show up try reseating the card
  16. Click Write
  17. Continuing this process will erase all data on the SD card, if that's acceptable click Yes
  18. A progress bar will be displayed, and after a few minutes the image copy should complete successfully.  Click continue and close the Raspberry Pi Imager software
  19. Remove the SD card from the imaging PC and insert it in the Raspberry Pi.  
  20. Boot the Raspberry Pi
    1. You'll want a monitor connected to find the IP assigned, though this could also be done by looking at DHCP leases, scanning the network, or trying name resolution for the default hostname: tepi
    2. Make sure there's a network cable plugged in and connected to the LAN (the ThousandEyes agent doesn't support wireless connections)
  21. When the Pi finishes booting find the IP address displayed on the screen
  22. Use a web browser to connect to the IP of the Pi agent (using the name might work - https://tepi/)
  23. Likely the browser will display a security warning because the certificate is untrusted.  Go through the steps required to accept the security risk and access the site.
  24. At the login page enter the default credentials: admin / welcome
    1. After logging in there may be an error message that briefly appears in the lower right stating the Account Group Token needs to be set.  This will be resolved shortly, and the error can be ignored for now.
  25. The first page will prompt to change the password.  Enter the current password and create a new one, then click Change Password
    1. After the password change is saved click the Continue button at the bottom of the page
  26. The next page prompts for the Account Group Token.  Enter the token value that was collected earlier in this post and then click Continue
    1. Even though there is a button to enable Browserbot here, the Raspberry Pi agent does not support it.  Leave that field set to No.  You can decide if you want to leave the crash reports enabled.
  27. The agent will go through a check-in process and provide diagnostic data.  If everything looks good you can click Complete

  28. That completes the required agent set up.  It will then bring you to the network configuration page.  Scroll down to the DNS section, switch the Current DNS Resolver to Override and enter the IP 10.133.100.10 in the Primary DNS box
    1. For the purposes of this lab none of the other settings need to be changed.  A static IP can be configured and/or the hostname could be changed if desired
  29. The agent should now be listed in the ThousandEyes portal under Enterprise Agent
    1. If the agent status is yellow it likely means an agent update is required, and it should automatically update within a few minutes
That completes the Enterprise Agent installations for the lab.

Windows Endpoint Agent install

  1. Start the Windows VM and log in
  2. Open a web browser and navigate to https://www.thousandeyes.com/
  3. Log into your account
  4. Click the Hamburger icon in the top left
  5. Expand the Endpoint Agents section
  6. Click on Agent Settings
  7. Either a splash screen with a Download button will appear, or there will be a button to Add New Endpoint Agent.  Click the button that shows up - both bring up the same pane
    1. Splash screen - 
    2. Add Endpoint Agent Button
  8. Leave the Endpoint Agent radio button selected and click the button Download - Windows MSI
    1. The Mac installation isn't being covered here, but there's instructions on how to install it here: https://docs.thousandeyes.com/product-documentation/global-vantage-points/endpoint-agents/installing
  9. There will be two options for the processor architecture, select the x64 Windows MSI 
  10. When the download completes run the MSI
  11. The installation is a typical MSI package, so I'm not going to include screenshots for every step
    1. Click Next to start the install
    2. Read the EULA and if you agree to the terms check the box to accept and click Next
    3. Click on the TCP Network Tests Support and select "Will be installed on local hard drive"
    4. Do the same for at least one browser extension.  Edge is the default browser on Windows 10, but if you want to install and use Chrome then get Chrome installed before continuing the Endpoint Agent installation.  Click Next when you have the browser selected.
    5. Click Install
    6. If there us a UAC prompt for the install, click yes to continue
    7. Click Finish
  12. It might take a few minutes for the agent to check in, but eventually you should see the agent listed under Endpoint Agents in the portal
    1.  

Conclusion

This was the first post actually working with ThousandEyes, and hopefully it illustrates how powerful this tool is.  As part of the lab there are four different types of agents installed, but there's many more available:
  • Bare metal install (Intel NUC or other hardware)
  • OVA (VMware ESX, Workstation, and Player, Microsoft Hyper-V Oracle VirtualBox)
  • Application hosting on Cisco platforms (Catalyst 9300 and 9400, Nexus 9300 and 9500, Catalyst 8000, ISR, ASR)
  • AWS CloudFormation Template
  • Mac OS Endpoint Agents
  • Pulse Endpoint Agents for external entities
In addition to the breadth of agents available, the deployment can easily be automated.  I've written a script that wrote the Raspberry Pi image to an SD card, then mounted it and applied customizations.  The MSI package can be used with the plethora of Windows software deployment tools, or a link can be given to end users to install on their own.  With DNA Center the image can be pushed to Catalyst switches in bulk.  The Docker images can be build with Docker files.  If that's not enough, there's also all the automation tools - Ansible, Terraform...

Getting ThousandEyes deployed throughout an environment can be done with ease.

What's next?

That completes the agent installation.  The next installment in this series will cover some test scenarios, and walk through getting monitoring configured and tests created.