Voodoo Networks

My Airport Travel Tips

June 16th, 2010

After reading a brief list of tips and tricks for traveling through airports on Lifehacker.com the other day, I came up with a few tips of my own. Probably nothing new, but here are my tips for traveling these days:

1) Wear a shirt with a pocket. After checking in, place your ID and your boarding pass / ticket in that pocket so it’s right to hand for going through security. Much easier than digging through pants pockets. And it keeps the boarding pass neater too.

2) While checking in, or before getting in the security line, everything else you are carrying in your pockets (plus your watch) goes into a zipped pocket on your carryon. Make sure that getting your laptop(s) out for security won’t cause your wallet / phone / watch / etc to fall out.

3) Wear slip on shoes.

4) Once past the ID check, grab 2 tubs. One for your laptop (most airports require a separate tub for your laptop), and one for your shoes / belt / jacket / toiletries.

5) Try not to get too annoyed by the people who have done none of the above and are trying to figure out what to do next. Being annoyed only ruins your trip.

6) Speaking from experience: don’t put anything valuable into the x-ray machine until you are sure that you can walk through the metal detector without delay (I lost a laptop that way once: the guy in front of me buzzed repeatedly, and his partner was long gone with my PC by the time I made it through).

7) Best order for putting tubs through the x-ray machine is clothing, laptop, carry-on bag. That way you can be well into getting your belt and shoes on before your laptop and carry-on show up. Carry-on bags always take longer to look at going through the x-ray.

As for actually being on the plane, I like to leave my wallet in the carry-on, after I put my ID back in it. Much better than sitting on it for hours in the world’s most uncomfortable chairs.

I do tend to keep a credit card out now for drinks / snacks / wifi payment. I like to use a greendot prepaid card for that purpose. Then it’s not a big deal if I lose it somewhere - I’m out a few bucks, but no worries about my real accounts.

In my carry-on I keep my netbook in a neoprene sleeve. In the sleeve (inside it or in its pocket) I keep the stuff that I want on the flight: netbook, pen, Moleskine, candy bar, mints. I carry that sleeve, along with my noise reducing headset, onto the plane out of my carry-on. The carry-on goes into the luggage compartment, the rest fits into the seat pocket. Takes all of 5 seconds to get situated.

Getting into a good routine that fits what is expected or needed when traveling makes it so much easier to get through airports and flights. I don’t rack up the miles that I used to, but I still fly every 10 days or so, and having a good solid plan and habits makes the whole thing go much easier.

Securing switch ports

August 2nd, 2009

One of the projects that I’m currently working on is a large network that is in place strictly as the backbone for an IP-based security system. This network is a fairly typical two layer network, with a core in the small datacenter that we are building, and distribution switches out in smaller locations around the perimeter of the secured area.

One of the issues that arose during the selling of the project was securing the network itself (it’s sad that we brought it up, but then again most physical security types have very little understanding of networks, so it’s not that unusual). Within the datacenter I’m not as concerned about the physical security of the networking devices, but at the outside edges I am.

My concern is not so much the switches themselves (though we do a lot of security configuration on them as well), but rather on the lack of security of the cabling and endpoints connected to the switches at each location.

Each of these locations has a number of IP based security cameras, access control devices, access points, relay controllers, etc, plugged into a switch. While the theory is that we’d notice anyone doing something nefarious to these devices, or the cable that connects them to the switch, we wanted to make sure that nothing could get onto the network that shouldn’t be there. Or at least have a higher comfort level that it couldn’t happen unnoticed.

So how do you make sure that nobody swaps a laptop for the camera on the end of the cable, or drops a hub in between the camera and the switch so that they can add their own devices to the network?

In our case, since we are using Cisco switches for the project, instead of the usual junk that security companies put in place for most IP networks, we are able to take advantage of the Cisco Port Security feature.

Basically, what port security does is keep track of the MAC addresses seen on a switchport, and if an address shows up that shouldn’t, or more addresses than the port is allowed, the port is turned off. Granted, that is a very basic explanation, but you get the point.

There are some limitations as to what kind of port you can apply port security to, but as they don’t apply to the ports that I’m looking at I’m not going to get into those here. Suffice it to say that it’s mostly an issue of SPAN destination ports, EtherChannel members, ports left in dynamic (DTP) mode and, on older IOS releases, trunks.

The basic configuration of port security on a switchport is very simple:

Ciscoswitch(config-if)# switchport port-security

That enables port security on the switchport you are configuring. In its default mode, port security allows 1 MAC address, which is the first one that shows up on the port, and shuts the port down if there is a violation. Note that the address is learned dynamically, so it is not kept across a reload of the switch.

In our case, we are being a bit more specific:

Ciscoswitch(config-if)# switchport mode access
Ciscoswitch(config-if)# switchport port-security
Ciscoswitch(config-if)# switchport port-security maximum 1
Ciscoswitch(config-if)# switchport port-security mac-address 1111.2222.3333
Ciscoswitch(config-if)# switchport port-security violation shutdown

What we have added there is a limit of one MAC address on the port at a time (so a hub or a spliced-in machine raises a violation) and a static entry so that only the device with MAC address 1111.2222.3333 is accepted on that port. One caveat: a MAC address is not a secret. It is usually printed on the camera’s label, and anyone who clones it onto a laptop will pass this check, so port security raises the bar and makes tampering visible rather than making it impossible.

Any violation of that rule shuts the port down (it goes into the err-disabled state and stays there until someone clears it) and sends an SNMP trap to the operations center, alerting the staff there to the problem. The trap isn’t on by default: port-security traps have to be enabled and a trap receiver configured on the switch.
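With a few hundred cameras and door controllers on the perimeter, nobody types that interface config by hand. Below is an added example (my own script, not part of the original post or anything Cisco ships) that builds the per-port stanzas above from a device inventory, emits the global commands that turn on the port-security trap, and picks the violation message out of the switch’s syslog so the operations center knows which port tripped and which MAC it expected. The interface names, MAC addresses, trap receiver, community string and log lines are all constructed for the example; the log format follows the standard IOS PSECURE_VIOLATION message.

```python
"""Added example (not the blog's own code): build Cisco port-security config for
an edge switch from a device inventory, and pull port-security violations out of
the switch's syslog so the operations centre sees port, offender and expected MAC."""
import re

# Constructed sample inventory for one edge switch. Interface names and MACs are
# hypothetical; the MACs are written the way different vendors print them on the label.
INVENTORY = {
    "GigabitEthernet1/0/1": "00:11:22:33:44:55",   # IP camera
    "GigabitEthernet1/0/2": "0011.2233.4466",      # door controller
    "GigabitEthernet1/0/3": "00-11-22-33-44-77",   # access point
}

# Constructed syslog lines in the format IOS uses for a port-security violation
# and the err-disable that follows it (timestamps and MACs are made up).
SAMPLE_SYSLOG = [
    "Aug  2 03:14:15.123: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, "
    "changed state to up",
    "Aug  2 03:20:41.007: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
    "occurred, caused by MAC address 0011.2233.4499 on port GigabitEthernet1/0/2.",
    "Aug  2 03:20:41.010: %PM-4-ERR_DISABLE: psecure-violation error detected on "
    "Gi1/0/2, putting Gi1/0/2 in err-disable state",
]

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9A-Fa-f.]+) on port (?P<port>\S+?)\.?$"
)


def to_cisco_mac(mac: str) -> str:
    """Normalise colon, dash or dotted notation to IOS's hhhh.hhhh.hhhh form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def port_security_stanza(interface: str, mac: str) -> str:
    """Interface config that pins exactly one statically defined MAC to the port."""
    return "\n".join([
        f"interface {interface}",
        " switchport mode access",              # port security is refused on DTP dynamic ports
        " switchport port-security",
        " switchport port-security maximum 1",  # a hub's second MAC is a violation
        f" switchport port-security mac-address {to_cisco_mac(mac)}",
        " switchport port-security violation shutdown",  # the default, stated explicitly
    ])


def build_config(inventory: dict, trap_host: str = "10.0.0.5",
                 community: str = "opscenter") -> str:
    """Whole config fragment: trap destination (assumed values) plus every port."""
    lines = [
        f"snmp-server host {trap_host} version 2c {community} port-security",
        "snmp-server enable traps port-security",
    ]
    for interface, mac in sorted(inventory.items()):
        lines.append("!")
        lines.append(port_security_stanza(interface, mac))
    return "\n".join(lines) + "\n"


def parse_violations(log_lines, inventory: dict) -> list:
    """One record per violation: the port, the MAC that appeared on it, and the
    MAC the inventory says belongs there (None if the port is not in the inventory)."""
    hits = []
    for line in log_lines:
        m = VIOLATION_RE.search(line)
        if not m:
            continue
        port = m.group("port")
        expected = inventory.get(port)
        hits.append({
            "port": port,
            "offender": to_cisco_mac(m.group("mac")),
            "expected": to_cisco_mac(expected) if expected else None,
        })
    return hits


if __name__ == "__main__":
    print(build_config(INVENTORY))
    for v in parse_violations(SAMPLE_SYSLOG, INVENTORY):
        print(f"VIOLATION {v['port']}: saw {v['offender']}, expected {v['expected']}")
```

Once a port has tripped with the shutdown violation mode it sits in err-disabled until you clear it with shutdown followed by no shutdown on the interface, which is the behaviour you want on a perimeter: someone has to go look before the port comes back. If you prefer the learned address to survive a reload without typing it in, switchport port-security mac-address sticky writes the learned MAC into the running config; show port-security interface shows the current state and the last source address seen on the port.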

So that is how we make sure that no devices are added to or changed on the edge switches of the network.

Well, that’s most of it actually, I’ll be covering the second part of this next.

I’m back….

July 31st, 2009

Wow - that was a long time away from posting.

I’d like to say that I have a good excuse, but other than a couple of pretty busy months, I don’t really have a good one.

But now that I’m back and posting again, expect to see regular updates, answers to questions and general commentary.

It’s good to be back.

Took a bit of time yesterday to run up to Long Beach and walk around the Energy Management Conference exhibit hall. I would have liked to attend the conference sessions, or perhaps speak at the conference, but I didn’t realize that I’d be around for it. Oh well, maybe next year.

Anyway, there were quite a few interesting concepts and ideas out there for not only monitoring power usage, but also for reducing power usage and power spending. Daylight tracking sunlights, ice based cooling systems (makes ice during the night with lower cost power, then uses the ice during the day instead of running A/C compressors), that sort of thing.

Also in attendance at the show were a few consultants who do power profiling of your business and buildings. I like the idea of that, and truthfully never really thought of doing it as a business (at least until yesterday) but being in the IT field, with a solid background in building systems, I think that Voodoo may start offering a service along those lines. Though I’d rather just do the work to fix the problems that other auditors find. And help people make better choices from the early stages of a project.

As usual though, the exhibitors that interested me the most were the control systems guys. Slowly but surely they are moving away from weird proprietary control schemes to straight IP based controls. I can’t wait until they all get to the point where IP is the control scheme, and you don’t need proprietary software to control the systems. They are so close to that now (at least some of them) that I’m excited for what I will see coming in the next year. I think that someone will finally get there. And as soon as they do I’m ready to start deploying it.

Though that does bring up the issue of security on converged networks. Something that we’ll get to shortly.

Other peoples networks

June 11th, 2009

Inspired by working onsite at a contract in Los Angeles this week.

I’ve worked on a lot of other peoples networks. And while it can be entertaining, it’s rarely fun. Usually you are expected to jump in and fix the random problem that they are having within minutes, which is never a reality (except in the case of very obvious things like the power cord being unplugged).

Thankfully I’m not dealing with that this week, though I am having some fun with trying to figure out why certain things have been done, and more importantly, why things haven’t been done.

For example, the company that I’m onsite at has 2 large internet connections, one each to different carriers. What you normally would do with that - and I’m sure that was the intention here - is apply for an Autonomous System (AS) number, apply for a block of provider-independent IP addresses from ARIN, then set up those two connections to be redundant to each other, both inbound and outbound, by announcing your address range from your AS over BGP to both carriers.

Simple, right?

Well, actually it’s not all that simple, but it’s a pretty straightforward thing to do. In fact it’s pretty much the default configuration for large networks connected to two or more ISP’s.

Well, things aren’t quite set up like that here. They have the big Internet connections. They have an AS number. And they qualified for and got a /24 (what used to be called a class C) from ARIN. But then things sort of fell apart. They attempted to set up the dual homing, and their internet went down. So they rolled back off of that to having two separate internet connections with all of their inbound traffic coming in one, and all of their outbound traffic going out the other. There is some failover, but only for web browsing - if the connection that their external servers are on goes down, their customers have no way to reach them over the secondary line.

So now I’ve mentioned this and been asked to fix it.

Which is where the fun really starts.

It’s really not that bad to make a change like this, just time consuming. You have to make a lot of phone calls to both carriers, change the way your routers are configured, add translations for the new addresses to your firewalls, and then wait until the new announcement propagates across the Internet. Once your new IP addresses are reachable from everywhere, you update the DNS entries for your servers. Then, when that change propagates, you go back and fix the translations on your firewall and stop using the ISP-supplied addresses that you have been using up to this point.

That is a bit simplified, but it covers the basics. Like I said, it’s not complicated, just time consuming. But if something does go wrong it can be even more time consuming to fix.

I’m in the process of writing up the detailed plan of how I’m going to make the changes to get this running correctly. Hopefully all goes smoothly.

And hopefully when their normal network admin gets back from vacation he’s not too confused by what I’ve done…

What’s on your network?

June 5th, 2009

I think that I’ve mentioned this before, but if I haven’t, here you go:

The team at Voodoo Networks, in addition to doing local office network and consulting work here in the Seattle area, also does a lot of work around the world designing and building out large networks. The reason that we are contacted about those networks isn’t due to our competence with smaller, computer centric networks, rather it has a lot to do with our expertise in building out networks that can handle not only computer data, but other systems as well. And handle them very well.

Now when I explain that to people, I frequently end up repeating a list of the kinds of things that exist on what have traditionally been computer networks up to this point. I’ll start with the computer-related items and go from there:

  • Computers
  • Servers
  • Printers
  • Network Attached Storage
  • Voice over IP Telephone systems
  • Video over IP Conferencing systems
  • Video over IP Television
  • Video on Demand systems
  • Background music systems
  • Overhead paging systems
  • CCTV and camera control systems
  • Streaming Audio Systems
  • Home Entertainment Systems
  • Home Control Systems
  • Heating and Cooling Control systems
  • Power Generation Controllers
  • UPS Controllers
  • Temperature and Humidity sensors (internal)
  • Weather Stations (sensor systems for local weather monitoring)
  • Motion sensors
  • Occupancy Sensors
  • Lighting controls (residential & office)
  • Lighting controls (outdoor & common area)
  • Water control systems (fountains)
  • Water Flow Sensors (residential & commercial)
  • Parking space sensors
  • Parking control systems
  • Vehicle identification systems
  • Access control readers
  • Access control locks and barriers
  • Location Tracking Systems
  • RFID Systems
  • Fire and Life Safety systems (not always as these are heavily regulated)
  • Building automation systems
  • Theater control systems (not home - real auditorium / theaters)
  • Leak sensors
  • Air quality sensors

Off the top of my head, that’s pretty much what I remember right now. I may update it later if any more come to me, but this is a pretty decent list even if it’s not 100% complete.

So what does this have to do with IT consulting? Well, all of these systems are things that are either delivered, monitored, controlled or viewed over what used to be a data network. And they all have very different requirements for bandwidth, latency and redundancy. From a network design perspective, these are some of the things that we think about constantly when working on networks to make sure that we compensate in the network design for anything that may be added to the network at a later date.

Many times the people that we are working with are far more concerned about the end points of these networks - the computers, security cameras, the entertainment systems, etc. While we understand that (the shiny bits are often the most fun and interesting), we really stress that the design of a network core that can handle the stresses placed upon it now and in the foreseeable future is the key to any successful implementation, not worrying about exactly which shiny end point we are going to be using.

One quick example. Recently we were working on a project in Dubai that was just beginning construction planning. The marketing people, the sales people and the guys that were going to run this huge complex were constantly asking about what TV we were selecting for the different types of units, what handheld controllers we wanted to use and what kinds of technology the eventual residents and tenants would have.

Well, given that we were over 3 years away from actually installing any of those end points, the constant struggle we faced was explaining that we could only give them ideas, but consumer technology in particular changes so quickly that guessing what we’d be deploying in 3+ years was impossible. Last I heard from them, they finally started to realize what we were talking about when Pioneer bowed out of the TV business while they were the leader in the high end market. But no matter what TV (or any other device they eventually select), they can rest assured that the core network design that we worked on for them would have withstood the test of time, because it was designed with the needs of the network in mind, not specific devices.

And that is the moral of the story. Don’t design, or let someone else design, your networks unless you are thinking long term. If you aren’t then you will be spending money again and again to keep your networks up, running and useful over the coming years.

What is a firewall?

June 3rd, 2009

There are lots of things that scare people about the Internet. Nigerian scammers, hackers, LOLCats. You know, the usual stuff.

While there is no perfect defense from any of those, especially the lolcats, implementing a firewall on your internet connection is a big step in the right direction.

A firewall is, in its most basic form, something that stops network traffic from going where it shouldn’t. Think of it as a combination filtering and direction control system. Firewalls are available as software for a single computer, or as a combination hardware and software device for networks.

The most common firewall, at least for smaller companies, is a hardware based firewall that is built into your Internet router. It is generally set up to allow all traffic from the internal network (inside your company) out to the Internet, and block all traffic from the Internet that is trying to get into your company’s network. It does this by looking at where each packet comes from and where it is going, deciding whether that traffic is allowed, and either passing it or dropping it. It also keeps a table of the connections it has allowed out, so that replies can get back to the computer on the inside that asked for them; an inbound packet that doesn’t match one of those connections is dropped.

These firewalls also give you the ability to allow traffic from the Internet to come in to your network. Why would you want to do that? Well, if your email server is in your office, or your webserver is, then you’d need to tell the firewall to allow the appropriate traffic from the Internet in to those servers, and only that traffic. If you aren’t sure whether you need to do that, or are sure you do but don’t feel comfortable doing so, please contact a professional to do the work for you. It’s pretty straightforward, and shouldn’t take long at all in a small office setting.
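To make the “keeps track of what it let out” part concrete, here is an added example (my own toy model, not the post’s code and not a real packet filter) that applies the three rules described above to a constructed sequence of packets: inside-to-outside traffic goes out and is remembered, replies to remembered connections come back in, the two server ports we deliberately opened are reachable, and everything else from the Internet is dropped. The office network, server addresses and packet sequence are all hypothetical; the outside addresses come from the documentation ranges.

```python
"""Added example (not the blog's own code): a toy stateful firewall showing why an
outbound web request's reply gets back in while an unsolicited inbound packet to
the same workstation does not. A model of the decision logic only."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical office network and the two servers deliberately exposed to the Internet.
INSIDE = ip_network("192.168.1.0/24")
INBOUND_ALLOW = {
    ("192.168.1.10", 25),   # mail server, SMTP
    ("192.168.1.20", 80),   # web server, HTTP
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFirewall:
    def __init__(self, inside, inbound_allow):
        self.inside = inside
        self.inbound_allow = set(inbound_allow)
        self.flows = set()   # 5-tuples of connections we have already let out

    def _is_inside(self, ip: str) -> bool:
        return ip_address(ip) in self.inside

    def decide(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        # 1. Anything originating inside goes out, and the connection is remembered.
        if self._is_inside(p.src) and not self._is_inside(p.dst):
            self.flows.add(key)
            return "ALLOW"
        # 2. Inbound packets get through only if they answer a remembered connection ...
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        if reverse in self.flows:
            return "ALLOW"
        # 3. ... or are aimed at a server port we opened on purpose.
        if (p.dst, p.dport) in self.inbound_allow:
            return "ALLOW"
        # 4. Everything else arriving from the Internet is dropped.
        return "DROP"


def run(packets, inside=INSIDE, inbound_allow=INBOUND_ALLOW) -> list:
    """Feed packets through one firewall instance in order; return the verdicts."""
    fw = StatefulFirewall(inside, inbound_allow)
    return [fw.decide(p) for p in packets]


# Constructed packet sequence (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges).
SAMPLE_PACKETS = [
    Packet("192.168.1.50", 40000, "198.51.100.7", 443),  # workstation browsing out
    Packet("198.51.100.7", 443, "192.168.1.50", 40000),  # the web site's reply
    Packet("203.0.113.9", 443, "192.168.1.50", 40000),   # stranger aiming at the same port
    Packet("203.0.113.9", 51234, "192.168.1.10", 25),    # mail being delivered to us
    Packet("203.0.113.9", 51235, "192.168.1.10", 22),    # SSH attempt at the mail server
]
# run(SAMPLE_PACKETS) -> ["ALLOW", "ALLOW", "DROP", "ALLOW", "DROP"]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_PACKETS, run(SAMPLE_PACKETS)):
        print(f"{verdict:5} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

The third packet is the point of the exercise: it is addressed to exactly the port the workstation is using, but it comes from a host the workstation never talked to, so there is no matching entry in the table and it is dropped. A real firewall tracks TCP state and ages entries out rather than keeping a set forever, but the decision it makes is the same one.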

Firewalls are also available as software for your computer. Both Windows and OS X have built in firewalls that can be used to allow traffic from your network to get to your computer, or can be used to stop your computer from communicating with the network.

There are also 3rd party software packages from companies like McAfee or Symantec that you can install on your computer. Be aware of the issues that can come up if you install one of these packages while the native Windows firewall is also running - lots of very weird issues can come from having both of them active at the same time.

A firewall won’t protect you from bad decisions made online, like sending your bank account info to Nigeria, or browsing LOL Cats, but it will definitely help to prevent unauthorized access into your network from the Internet. And given how capable even very small, low cost firewalls are these days, there is no reason that you shouldn’t have one between your systems and the Internet.

Network Cable Management

June 2nd, 2009

A constant issue for everyone who has anything to do with the IT world is management of wire. There are thousands of images out there of the nightmare that server room or network closet wiring can become.

Here are a couple of my favorites:

Now the first one is entertaining because anyone who has worked in a large datacenter has thought about doing just that. Especially when it’s 3 o’clock in the morning and you don’t feel like routing any more cables.

On the other hand, the second image is one that most people who’ve been in a small business IT closet are familiar with. It’s a small rack, holding a switch and a patch panel (that’s the plate with all of the jacks in it for plugging in network cables - the other end of the cables on the back of the patch panel end up in the walls or floor or at desks out in the work area), with some really messy cable connections between them.

Both of these images show extremely bad cable management, just on different scales. But they both suffer from the same problems. Difficulty in determining which cable goes where. Poor bend radius for the network cables that can cause network issues. Weight of the cable being supported in full by the connector. And so on.

Cable management isn’t on most peoples minds when they think about IT, but good cable management can reduce costs, troubleshooting time and network issues. So it’s something that we take seriously.

Over the past 15 years I’ve worked with untold numbers of networks, starting with Coax, going on to Token Ring and FDDI, and now working with Cat 6 Ethernet and Fiber. And over the same amount of time I’ve used almost every cable management platform on the market. And while most of them look very nice for a while, they tend to degrade into a mess, usually because they are designed to hide the mess, not control it.

Which brings us to a recommendation, and an example of what we currently are using (and will likely use for a long time to come) - Neat-Patch.

About 7 years ago, when I was in the process of starting up a division of a Fortune 1000 company that deployed wired and wireless infrastructure around the US, I happened upon Neat-Patch. They were kind enough to come down and give us a demonstration of the product in one of our closets and quite frankly we were all blown away. While I’m not sure that the division started using them (I left that organization and went back into my full time IT position) I have used them since on several occasions and the product never fails to amaze me.

Designed to actually manage your network patch cables, rather than just hide the mess, the Neat-Patch system truly does make it easier to add, change and remove network drops. It also reduces troubleshooting time and headaches, and because of the engineering in the product keeps the network cables running to specifications.

Here is a quick shot of the Neat-Patch solution in action:

That image shows the full network wiring layout for 96 computers. Pretty isn’t it?

Overall it’s a great product, and one that I’d like to see everyone using. On the other hand, if everyone was using it, then it could reduce the amount of troubleshooting business that we get, but I still think that it would be worth it.

Update: I understand that Neat-Patch is prepping for a product video showing management around a Cisco 6509 Switch. Having managed dozens of those beasts, and their nasty idea of cable management, I can’t wait to see their video.

Starting out with a short answer to a question I was asked at lunch the other day:

If you are moving into a new office space, should you install Ethernet cabling or just run everything over a wireless network?

Well, as one of my engineers told me years ago, wired is the future of wireless. And I agree for the most part.

Before anyone jumps down our throats about that answer, let me provide a bit of background. We are, deep down, a networking company. Sure, we do servers, desktops and other systems. But the core of our expertise was originally networking. Big fat networks that spanned the globe, running very high uptimes and supporting tens of thousands of users. As part of that background, we were involved in starting what has become known as connected real estate. There is a large network equipment company that you may have heard of that has taken that and run with it. We know that they did because we invited them to be part of the first network of that type that we built, and they liked the idea so much they even filmed promo videos there.

Those networks weren’t just wired. There was plenty of wireless in them too - on the edge as well as backup interconnections between buildings. We also wired up about 60 shopping malls, a ferry run, a petro chemical plant or two and several financial and government buildings. And they all had a wireless component. A big wireless component. Overall we deployed thousands of individual Access Points, covering millions upon millions of square feet of space.

So if we have all of this background in wireless, then why would I suggest wired?

Because, for new installations, nothing beats the flexibility of putting in a wired network. If you don’t have to worry about ripping out walls, or carpet, or any other kind of structural mods, then by all means go with a wired network.

Wired networks are faster than wireless, more secure and far more flexible. You can use them for desktops, printers, CCTV systems, VoIP systems and a lot more. Many of those “extra” components that go on the network run power over ethernet, so you don’t even have to run a power line to things like phones, cctv cameras or security devices. Just an ethernet cable.

On the other hand, if you are putting a network into a building that you can’t or don’t want to run wires in, for whatever reason (cost, difficulty, historic buildings, etc) then by all means go wireless. Just make sure that your wireless network is selected, installed and configured correctly, or you’ll have nothing but issues with it. We’ll cover that in an upcoming post.

So, the answer to the question is wired. Unless it’s wireless.

Hope that helps you out.

Coming Soon:

May 27th, 2009

Welcome to the Voodoo Networks blog.

We’ve been up for a while, but no posts. Too busy doing other work. But that is changing now. While this is just a notice to let you know that there is actually something coming, we also want to let you know what kinds of things to expect in the near future from us.

So in no particular order, here you go:

Answers to questions about networking or computer systems.

Wired and wireless network design and troubleshooting tips.

Green computing information.

Short reviews of systems or components.

How to articles on network systems and monitoring.

That’s what we are thinking about right now, but we are completely open to other content ideas. Just let us know, either via comments in the blog, email info@voodoonetworks.com or on Twitter (http://www.twitter.com/voodoonetworks).

Watch this space for updates.

Copyright © Voodoo Networks. All rights reserved.