Author Archives: cbroccoli

On Grady Booch’s Podcast: Enterprise Architecture and Technical Architecture

I was just listening to a podcast from Grady Booch on the difference between enterprise architecture (EA) and technical architecture (TA) and it got me thinking. In the podcast he defined EA as “attending to the architecture of businesses that use technology” while TA “attends to architectures of software intensive systems which support that business.” He discusses the fact that the two subjects, except for sharing the word architecture, are separate and only slightly related. I don’t think this is entirely correct. I believe that TA is a subset of EA as shown in the following diagram, where Grady’s definition of TA maps to application architecture and technology architecture refers to the infrastructure components (semantics).

As he mentions, EA defines the overall context of how technology is to be used within an organization to support the business goals of that organization. It is developed through the understanding and definition of the business architecture, the IS architecture and the technology architecture, each giving and taking inputs from the others. Therefore, in my opinion, EA is not a discrete architecture one can develop; rather it is the sum of the other 4 domains.

He also mentions that it is not possible to extend the frameworks, notations and processes of one area to the other. Again, since in my definition EA is not an architecture in itself but the superset of the other 4 domains, this makes sense. This is, however, also true to some extent between the 4 domains. Each domain deals with different viewpoints and therefore needs to adopt the frameworks, notations and processes of its stakeholders. Using the notations and processes of software developers in a business context will obviously not work. However, each does use a common vocabulary (viewpoints, stakeholders, etc.) which allows them to relate to one another.

By the way, loved his quote at the beginning of the podcast: “The more I know, the more I know I need to know and the more I know I don’t know.”  Couldn’t be more true.

Automatic 6to4 Tunnels

To learn about and test the capabilities of site to site tunneling I built the following network, which consists of an IPv4 core (the Internet / legacy corporate network) and two IPv6 islands.  The goal here is to enable communications between the two IPv6 endpoints R7 and R8.

As an additional challenge, I built the core IPv4 network using ISIS as the routing protocol. I had never used ISIS before and with ISIS being the basis for TRILL, I thought that some first hand experience with it might come in handy. The ISIS configuration is based on a most excellent tutorial I stumbled across while doing research on FCoE and data center bridging (http://www.menog.net/menog-meetings/menog4/presentations/MENOG4-ISIS-Tutorial.pdf). I won’t go into the details here, so for the purposes of this entry the IPv4 network can just be considered a cloud.

In this first attempt I decided to try my hand at using an automatic 6to4 tunnel as described in: http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-tunnel_ps6441_TSD_Products_Configuration_Guide_Chapter.html.  The tunnel was built between R5 and R6.


One of the interesting things about automatic 6to4 tunnels is that as long as you have end to end IPv4 connectivity between the IPv4 interfaces on your tunnel endpoints, connectivity between the tunnel interfaces will work automatically due to the fact that the IPv4 address is encoded in the tunnel address (AC.10.C8.02 = 172.16.200.2).   Through this mechanism, the tunnel destinations are automatically derived.  If the IPv6 tunnel interfaces of the routers are the next hops in a routing table, then tunnels will be “built” on demand as traffic is routed towards the end destination.  The one essential command is a static route defining that the whole 2002::/16 network is reachable across the tunnel interface:

ipv6 route 2002::/16 Tunnel0

The challenge is configuring dynamic routing between the two networks so that the remote networks are known. Most dynamic routing protocols will not work across the tunnel interfaces, since a 6to4 tunnel is point-to-multipoint with no fixed destination and the IGPs rely on multicast hellos to find neighbors. The only one that should work is BGP, which runs over unicast TCP sessions. For this test, however, I configured static routes on each end. For example on R5:

ipv6 route FDC1:E1F2:425D:6::/64 2002:AC10:6402::1

The opposite route was added to R6.  I then redistributed this route into the local routing processes (OSPF in this case) and had connectivity between R7 and R8.

As mentioned, BGP will probably work fine if the other end of the tunnel is a service provider for the IPv6 Internet.  This would be a standard model for connecting and routing with service providers.    For enterprises, where both locations are internal offices (a data center and a branch office for example), BGP would not be the normal routing protocol chosen.  An alternative, since both ends of the tunnel are under the same administrative control, would be to run a totally different tunneling model such as DMVPN, which would allow for OSPF to be implemented as the site-to-site routing protocol.   The complete tunnel interface configurations on both ends are listed below.

For R5:

interface Tunnel0
 no ip address
 no ip redirects
 ipv6 address 2002:AC10:C802::1/64
 ipv6 ospf 100 area 0
 tunnel source Ethernet0/0
 tunnel mode ipv6ip 6to4
!
interface Ethernet0/0
 ip address 172.16.200.2 255.255.255.0

For R6:

interface Tunnel0
 no ip address
 no ip redirects
 ip ospf network non-broadcast
 ipv6 address 2002:AC10:6402::1/64
 ipv6 ospf 100 area 0
 tunnel source Ethernet0/0
 tunnel mode ipv6ip 6to4
!
interface Ethernet0/0
 ip address 172.16.100.2 255.255.255.0

The output from R8:

R8# ping ipv6 FDC1:E1F2:425D:6:CE08:13FF:FE40:0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FDC1:E1F2:425D:6:CE08:13FF:FE40:0, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max=180/219/312ms
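The address arithmetic behind the 2002::/16 route, as an added example that is not part of the original post: it derives R5's and R6's /48 prefixes from their IPv4 tunnel sources, recovers the IPv4 tunnel destination from a 2002:: next hop such as the one in the static route above, and applies the RFC 3964 source-consistency check a 6to4 endpoint should perform when it decapsulates a packet. Function names are mine; the addresses are the lab values from this post.

```python
# Added example (not from the original post): 6to4 address arithmetic (RFC 3056)
# and the decapsulation source check from RFC 3964, using the lab's R5/R6 values.
import ipaddress
from typing import Optional

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def sixto4_prefix(ipv4_source: str) -> ipaddress.IPv6Network:
    """The 2002:V4ADDR::/48 prefix a router owns by virtue of its IPv4 tunnel source.

    172.16.200.2 -> AC.10.C8.02 -> 2002:AC10:C802::/48 (R5 in the lab)."""
    v4 = int(ipaddress.IPv4Address(ipv4_source))
    # 2002 occupies bits 127..112, the 32-bit IPv4 address bits 111..80.
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def tunnel_destination(ipv6_next_hop: str) -> Optional[ipaddress.IPv4Address]:
    """IPv4 tunnel endpoint a 6to4 router derives from a 2002::/16 next hop.

    Returns None for native (non-6to4) addresses: the 2002::/16 static route
    never matches them, so there is no tunnel destination to derive."""
    v6 = ipaddress.IPv6Address(ipv6_next_hop)
    if v6 not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFF_FFFF)


def accept_decapsulated(outer_ipv4_src: str, inner_ipv6_src: str) -> bool:
    """RFC 3964 consistency check: a 6to4 source address must embed the IPv4
    address the encapsulating packet actually arrived from; anything else is
    spoofed or misrouted and is dropped. Assumes (as in the lab) that both
    tunnel ends are 6to4 routers, so every inner source must be in 2002::/16.
    Production decapsulators apply further address-sanity filtering on top."""
    embedded = tunnel_destination(inner_ipv6_src)
    return embedded is not None and embedded == ipaddress.IPv4Address(outer_ipv4_src)


if __name__ == "__main__":
    for router, src in (("R5", "172.16.200.2"), ("R6", "172.16.100.2")):
        print(router, src, "->", sixto4_prefix(src))
    # Static route on R5: FDC1:E1F2:425D:6::/64 via 2002:AC10:6402::1
    print("R5 tunnel destination:", tunnel_destination("2002:AC10:6402::1"))
    print("R6 accepts packet from R5:",
          accept_decapsulated("172.16.200.2", "2002:AC10:C802::1"))
```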


Check Point on VBox

Following up on the last post, I reinstalled Check Point SPLAT as planned.   The installation again worked without any issues.    This time I installed 1G of RAM and 64G of disk from the start.  I used the basic RedHat profile offered by VBox.  So far everything seems to be working fine.  I have installed policies a couple of times and the firewall is generating log entries as expected.  I only have the management interface active since I wanted to install pure IPv6 on the others…  I expect that shouldn’t make a difference.

Finally, I left the firewall running overnight to see what happens when the PC goes into standby mode and VBox pauses the firewall system. In the morning I woke the PC (moved the mouse) and then connected with SmartDashboard to the firewall. Everything is working as if nothing happened, with Tracker still active and logging away.

Next step…  get Check Point to give me a FW-1/IPv6 license!