Routing


May. 29, 2022

Podcast: So, you need a 100G?

So, you need a 100G router or switch, but are deeply concerned about: cost, power draw, cooling issues, price, capabilities, money, availability and CapEx. The ever-increasing need for faster interfaces, and standardization in the WAN at 10G and 100G rather than 40G or 25G as an interface spec has dramatically increased the need for 100G hardware. With power consumption of most 100G platforms rising to ludicrous levels, and the accompanying cooling required to keep those platforms running smoothly keeping pace with the power draw, one may start to believe there is little hope for 100G for the small to medium size networks.

Jul. 20, 2020

Segment Routing: The Movie

As some may know, I have been head down in the segment routing game for almost two full years. As such, it has enabled me to get down into the gritty details of how SR - specifically SR-MPLS, and to a lesser extent the alternatives SRv6 and SRm6 - actually work in practice. Given that this is a fairly new technology, and that it is more service provider focused, there are limited resources available outside of the vendor documentation, and what is there tends to get drowned out by the hype around things like SD-WAN and other more marketed technologies.

Jun. 29, 2019

The BGP conundrum

BGP. It’s that magical protocol that runs the internet. For as much as BGP is a fundamental, critical, irreplaceable part of the core functioning of the internet, it is a protocol that has not aged well as far as security is concerned. See, BGP was born when the internet was really still an academic experiment. Handshakes and loose agreements were totally fine for connecting a new site. Then came the awakening.

Mar. 2, 2019

FreeRouter as a test environment

A few months ago Kevin Myers of IP Architechs introduced me to a really interesting project called FreeRouter. Being that I absolutely love alternative routing platforms and feature complete simulation environments, this really got me going. I tend to define “feature complete” in a routing platform as something that can do both IS-IS and MPLS. Given that there aren’t many platforms that do both correctly or within a reasonable budget, and offer simulation options, I was pretty excited.

Jun. 14, 2017

Updates, podcasts, and videos

Anyone that looks at this site with any regularity may have noticed that I have been pretty remiss in adding posts - for that I apologize, things have been busy. However, I have not been absent in the tech world…quite the opposite, in fact. I’ve been spending more and more time on podcasts and other forms of tech media which I have not provided links for here. So, to help expose that, here are a few of the other media resources I’ve been popping up in.

Oct. 3, 2016

Why I care about Segment Routing

Edit: Going against my normal “just get the content out there” methodology, I’ve been mulling over this blog post since July of 2016. Segment routing is such a beautifully elegant solution I have had trouble articulating that fact. WAN technologies are squarely within my wheelhouse, and this one fits in so well I was going over and over the post never really satisfied with it, continuing to find mistakes and decided to just get it out there.

May. 21, 2016

BGP RPKI – why aren't we using it more?

I was recently at a meeting where BGP RPKI was the topic du jour. While this has been a topic that I have visited on occasion over the last few years and something I wanted to spend significant time on, I have found that setting aside the time has been difficult and sparse, much like the deployment of BGP RPKI. In order to better understand the options available, it's important to break down the pieces and terminology involved; BGP is daunting enough to those unfamiliar with it, and adding PKI on top of that can be even more so.

Nov. 5, 2015

Building Interdomain SDN part 3

A few years ago I wrote some text on interdomain SDN. Years later, work is being done, smart people are thinking about it and building ways to make it a reality. Not being one to give up on an idea, I gave this presentation in May at ChiNOG on my take on what that architecture should be. I (we) propose that the use of existing protocols such as BGP FlowSpec will make this realistically deployable and maintainable given some simple, pluggable middleware.

Mar. 19, 2015

OpenDNS acquires BGPMon and the future of route monitoring

For those that run BGP networks, BGPmon is often a tool they turn to for some really unique and hard to find information. Remember back in February 2008 when Pakistan Telecom "blocked" YouTube? That one was a really, really public example of something that BGPmon caught. BGPmon has been around for a long, long time. Quietly watching prefixes. Silently noting changes and reporting them to the ones lucky enough to know of its existence.

Jan. 24, 2015

Network Field Day #9

In a few weeks I’ll have the opportunity to participate in another Network Field Day. I’ve been lucky enough to have the opportunity to attend in the past and have done some remote participation when possible, but like some of the other rare opportunities I have had in my career, NFD is fairly unique in that it is constantly evolving in both the information provided and the individuals involved. As the saying goes, variety is the spice of life.

Sep. 8, 2014

Why you don't need a firewall [how to secure an open perimeter network]

I admit that the title was meant to be inflammatory. However, there are use cases that aren’t terribly uncommon where an in-line security appliance is just not the correct tool for the job. Someone once told me “a firewall protects a network like a fuse protects an electrical circuit”, and it’s mostly a correct statement. Firewall vendors will probably argue this and enterprise folks may discount this as heresy and call for burning me at the stake.

Aug. 12, 2014

Aging hardware, IPv6 and the growing route table

I’ve blathered on about BGP forever. Say what you will about the venerable protocol, it runs the interwebs, is reliable, extendable and well documented. I’ve also espoused ad nauseam about IPv6, so none of this [admitted] rant should really be a surprise coming from me. As of 8/12/2014, according to the CIDR Report (and many mailing lists), the default-free global IPv4 routing table has reached 512k routes. This is a milestone from many perspectives, but more importantly, it solidifies the fact that there is a great deal of equipment in critical points in the internet that is out of date and cannot perform as intended in its current configuration or function.

Jun. 7, 2014

NIX4NetEng #2 IPv4/6 address investigation tools – whois + dig

I don’t care what your vendor alignment of choice is, Cisco, Juniper, Brocade, Alcatel... it doesn’t matter. At one point or another you’re going to need to bird dog an address to see where it’s coming from, who owns it, what its DNS name is or what path you’re taking to get to it. We’ve already talked about BGP tools, they’re a great choice for checking routes across the internet. Hunting down addresses is an interesting one, though, as address management and lookups can bleed into other aspects of networking like path selection, latency, jitter and many other things.

Apr. 20, 2014

Blending the Network; Pluribus ServerSwitch

I firmly believe that blending disciplines is the way of the future in IT. I’ve rambled about it here at other venues and I’m vocal (some would probably say brash) about it on the twitters. Be it Networking and System, Systems and Security, Programming and Networking, most of us that have been around any length of time already do it but now it’s happening out in the open and “DevOps”, a form of the hybrid IT worker, has seemingly become the BOTD (Buzzword of the day).

Mar. 20, 2014

BGP tools; troubleshooting and monitoring external routing in a nutshell

Time to rewind from the new and shiny and get back to the roots of networking. BGP is one of those odd protocols that is foundational to the functioning of the internet but yet somewhat hard to get experience with. Say what you will about this venerable protocol, it’s been here a while and it is not going anywhere any time soon. I’ve been doing BGP since around late 1999, and I completely fell into it by accident, having only the Cisco Internet Routing Architectures book (which I literally read cover to cover) and the Ulysses Black Routing Protocols book and whatever I could find on a random search engine to guide me, and that was only after having to learn on the CLI for the first 6-7 months.

Feb. 26, 2014

Tail-F NCS: upsetting network management…in a good way.

“Hopefully there are some things here that will make you really upset in a very good way” is how Carl Moberg of Swedish-based company tail-f opened up to the crowd at Networking Field Day 7 on Feb 19, 2014. Tail-f is a sleeper, I had actually never heard of them before NFD7, but they’ve got a very unique product in NCS and in my opinion it can change the way existing and future networks are managed.

Sep. 1, 2013

Inline-jflow on MX series Juniper

One of the things that I’ve always lamented about using non-Cisco hardware is the lack of true 1:1 netflow support. Say what you will about jflow, cflow, sflow….there is no substitute for netflow, with sflow being the exception to that since it is a protocol that inherently supports ipv6 and can transport far more than simple network information if configured in certain ways on certain devices. On newer MX series Juniper routers the game has changed.

Aug. 7, 2013

Fixing the dreaded "error: could not open configuration database (juniper.data+)" problem.

Working on some MX series routers recently I encountered a problem I’d never seen before, essentially preventing the configuration from being committed:

buraglio@rtr# commit check
re0:
error: could not open configuration database (juniper.data+)

This is a very annoying problem and is terribly inconvenient, as you can probably imagine. So, my first instinct was to drop down to the shell and start hacking at it UNIX style.

buraglio@rtr> start shell

From there I wanted to see the file system and check out the stats of what it thinks we have.

Jun. 16, 2013

Debugging Brocade MLX/XMR ip_rx CPU issues

I recently had the need to debug a runaway ip_rx process on an older Brocade MLX. For anyone that has had to do any type of low level debugging on the Brocade (Foundry) platform, you know that there are many somewhat deep level diagnostics that are possible. The debug (like Cisco debug) is a bit lacking, but the dm, LP and MP commands are very useful (and a tad scary).

Jun. 7, 2013

MPLS Bootstrap

I’ve been doing a lot of MPLS in the last 45 or so days (which is one of the reasons I have been absentee in the OpenFlow world lately). Having had almost no real world MPLS experience aside from a handful of pseudo-wires and a very small LDP signaled network, I had to spend some time reading, hacking at routers and essentially learning. In doing so, I found a few things.

May. 19, 2013

MPLS PseudoWire (VLL) between JunOS and Brocade MLX/XMR

I love to be the “uncola” of networking sites. I like interop and I don’t do a lot with Cisco because I don’t have access to much of their gear anymore. So, that being the case, I had a need to bring up a l2circuit (in JunOS speak), or VLL (in Brocade speak) between an MX480 and an MLX. Since they are very different platforms, I had to do some digging and playing around to get it to work.

Mar. 28, 2013

A missing link in small MPLS, 10G devices.

Lately I’ve been lamenting the fact that there seems to be a lack of options in a very specific product level. Let's say you have a network that looks like this: Right away you’re limited since you need MPLS and more than two 10G interfaces. Even more so if you require full support for IPv6 and ISIS. If budget is of any concern, you’re in real trouble. For many, Cisco pricing and SmartNet is potentially going to exclude anything reasonable from them.

Mar. 9, 2013

Building a Bridge Domain on MX series JunOS

I started working on Juniper equipment around 2002. At my employer, we had an M40 with the serial number 256. We did Layer3 only. I had no idea if the Juniper even did layer2. It certainly wasn’t a layer3 switch like a 6500 like I was used to. It was like a deliciously robust version of any Layer 3 router I’d worked on previously. Over the years Juniper has added a switching line utilizing their FreeBSD based OS, JunOS.

Mar. 6, 2013

Network Field Day 5 – Participate Remotely

Last year, Networking Field Day was something that I’d heard of but wasn’t really aware of what it really was. I occasionally looked at Twitter and saw the hash tags but did not know much about how it was set up or what it was about. In fact, I actually thought it was supposed to be like the HAM radio field day stuff where you go out and build out an emergency network on the fly.

Mar. 2, 2013

Tuning BGP installed IPv6 routes

I’ve recently run into a situation where there was no longer enough space in the FIB to handle both the full IPv4 global table and the full IPv6 global table. We prefer to run a default-free network within this particular SP network, but in this case, until a hardware refresh can happen, we’ll need to adjust that. Given what we knew about the size of both tables, it made more sense to take a default IPv6 route from one transit provider and filter the rest.

Feb. 4, 2013

Identify and remedy problem IKE and eventd processes on Juniper SRX

Recently we encountered a very strange behavior on an SRX 5800 cluster. The cluster, which is in active/active mode, started dropping OSPF adjacencies to its neighboring routing equipment, in this case, Juniper MX480 and Brocade/Foundry MLX8. Strange behavior indeed, since for us, these had been rock solid for around 2 years and we’d never seen this odd behavior before. Honestly, we started looking at the routers first since this was something the SRX had never done before.

Nov. 25, 2012

Using a Brocade MLXe as a replicator to an IDS

Have you ever needed to replicate a lot of data transparently to an IDS without the use of a rack of optical taps? Not enough budget for a Gigamon or cPacket? Have a spare MLXe laying around? You’re in luck, we were in that boat too. Let me first preface this by saying that this would be fairly trivial using OpenFlow / SDN. That being said, we didn’t have the time to set that up, so this is what we came up with.

Nov. 14, 2012

VDXrancid contrib scripts

For the Supercomputing 2012 show, as in years past, I was “the guy who installed and maintained RANCID” as part of my duties for the SCinet routing team. If you don’t know about RANCID for change management and config backup, check the link. It’s free and works on a huge amount of gear. Every year there is a new and interesting platform; this year it was Juniper QFabric and Brocade VDX.

Nov. 6, 2012

Juniper EX 4200 ARP / NDP problem; or things I'd like to see in a TAC

Recently we’ve run into an odd issue while routing on an EX4200 series. These little JunOS boxes are a nice alternative for an entry level building router, they support L2/L3 functionality, a PVST+-ish protocol and, with advanced licensing, IPv6, ISIS and BGP. They have multi 10G interface options and come in a pluggable fiber option. We use them all over for light layer 3. They can also be stacked via stacking cables and fiber, which is very handy and makes them extremely versatile but not really applicable for the purpose of this entry.

Oct. 27, 2012

Juniper to IOS conversion chart

Moving to JunOS from IOS can be a daunting task. It’s a completely different command structure and the config, by default, looks like a programming language. I was fortunate enough to have gotten in on using JunOS very early in my career, 1/3 in, to be exact (as of this writing). Not to mention that when I got started, IOS wasn’t the only game in town. Remember Xylan? Gandalf? OpenRoute?

Oct. 27, 2012

Host based sflow, or, sflow for more than just network traffic

I’m an awful sysadmin. Running services permanently isn’t really my forte, I tend to lean more on the “I’ll get this proof of concept all working, prove that it works or doesn’t, then roll it on for polishing by someone else” kinda guy. That final 15% is something I’m constantly working to refine and better myself at accomplishing. I’m decent at debugging network services, and can be handy in a “oh crap, it’s down!

Oct. 19, 2012

MicroFlow policing on Cisco Sup2T

Let me save you some time... Microflow Policing on the Catalyst 6500 / Sup2TXL doesn’t yet work. Inbound it “kinda works”. You can configure it and it applies as a service policy, but even though outbound is “supported in hardware on the Supervisor2TXL”, there is no software support for it in either 15.0SY or 12.2(50)SY. It took me a month to suss this out. Yes, I should have suspected. I don't work on Cisco every day, I have Juniper MX, Brocade MLX and a multitude of other platforms to work on daily, so it took a bit.

Oct. 18, 2012

A tale of two ISPs…

I’ve been doing research, carrier and service provider networking for a long time. My first real service provider experience was beta testing DSL for GTE back in the 1990s; I prototyped and proposed a CLEC for an employer in 1998 and went to work for the only ISP in the area rolling its own DSL over ATM in early 2000. Everything seems to come full circle, though, given enough time.

Apr. 27, 2012

NSR and ISSU on Juniper MX series with logical routers.

Let's just say, for instance, that you have an MX series router somewhere on your network. Let's also say that said router is carved into more than just the main logical system. For the sake of this writing, let's say that your eBGP sessions are in the default logical system and your IGP is in another logical system, let's call it “internal”. JunOS has some wonderful mechanisms for keeping things running: one is called NSR (Non Stop Routing), the other is called ISSU (In Service Software Upgrade).

Oct. 4, 2011

Black Hole routing

It’s no secret or ground-breaking area to do black hole routing. ISPs and NSPs have been doing it forever to allow for a very low cost, very scriptable and very effective way to wholesale block a layer 3 address. However, it can seem like a bit of a black box to anyone who has never done it. I recently did some work spinning this up in a good-sized network where it didn’t currently exist, and remembered how monumentally useful (and simple) it actually is.

Jun. 30, 2011

alurancid and pfrancid

I did some minor tweaking to the Alcatel Lucent RANCID scripts and some modifications to make RANCID work under my pfSense environment (originally m0n0rancid code from John Skopis). Since I don’t really do much dev work and am not interested in maintaining a box to be an SVN server for the public, I threw it up onto Google Code. I’ll be adding a brief how-to on making RANCID work with pfSense as soon as I get some time.

Apr. 12, 2011

Juniper interface type naming convention

I found most of this on a web page somewhere that I can’t seem to find again. Below are some common useful JunOS tidbits regarding routing tables and interface types/names: the JunOS CLI supports the basic grep command (like | include) so any show command can be grepped. I believe the grep command implies the -i flag for case insensitivity. The routing table is presented in such a way as to group types of routes.

Dec. 29, 2010

JunOS ISSU

I recently needed to upgrade a few MX480 routers and decided that it would be a good opportunity to get some experience with Juniper’s in service software upgrade. I’d read a bit about it but I’d not had the chance to really use it. It’s pretty straightforward and it does what it claims. The following are my notes from rolling through this on my test lab MX480. A few things are necessary to get going with ISSU, first and foremost, you need to have a box with two routing engines.

Dec. 6, 2010

Alcatel Lucent RANCID scripts

At the 2010 Supercomputing conference this year, one of my tasks was to get RANCID working on the Alcatel Lucent 77xx series. For some this may have been a simple task, but for me, a self taught and inefficient programmer, it was something that took some time. The Alcatel Lucent boxes were good performers, but their CLI is pretty awful. The prompt changes based on having unsaved configuration items, and can contain things like an asterisk.

Oct. 17, 2010

Multicast through Juniper SRX 5800

We’ve been working toward a more simplified model for our network path, and in doing so, we desired a congruent path for IPv6, IPv4 Multicast and IPv4 Unicast. However, this is actually pretty hard when dealing with the link speeds, amounts of traffic and flows that we do, in conjunction with a firewall... and IDP/IPS... Lots of research, reading and testing was done. The Juniper SRX series has full support for 90% of this, with IPv6 IDP coming in Q2 of 2011.

Sep. 1, 2010

RADIUS and AAA on IOS

I’m not the greatest at AAA on Cisco’s IOS. I always have to think about how to order things, and to test fallback (which you should do anyway). One of the caveats that I always overlook, no matter how many times I set this up, is that Cisco IOS software attempts authentication with the next listed authentication method only when there is no response from the previous method. If authentication fails at any point in this cycle—meaning that the security server or local username database responds by denying the user access—the authentication process stops and no other authentication methods are attempted*.