May. 4, 2020
One of the most common questions I hear from small and even medium sized ISPs is “why should I run my own DNS resolver(s)?” The perception that DNS is hard, complicated, or even unnecessary is often cited as a reason to just farm it out to one of the “free” anycast resolver services available across the internet. Now, there are many reasons to be wary of DNS, both from the professional and the consumer side - it is a huge treasure trove of personal information about behavior, and is easily monetized by entities large enough to consume and process it.
Jan. 27, 2020
I was originally going to be inflammatory and title this “Details don’t matter”, but at the last minute I walked it back. This topic is consistently a pile of hot garbage. Why? Many reasons. Because technical people are, in general, extremely detail focused, and often binary minded (right/wrong, black/white, yes/no, 1/0). Because of this, a great many times we as technical people can hyper-focus on the details, especially when change is on the table.
Jul. 29, 2019
Small to medium ISPs are an interesting phenomenon. Early in my career I was pretty heavily involved in that space, so much of my current thought processes and methodologies are heavily informed by that experience. Something that never ceases to amaze me today is that the practice of scripting and “automating” things seems to have become somewhat of a lost art, or at the very least it is not part of an initial deployment plan.
May. 29, 2019
Years ago I wrote about building a secure network in a box. Over a weekend I decided to revisit this concept thanks to a colleague at work wanting to do something similar. It got me thinking “a lot has changed since I last did this” and it felt like time to revisit it. Well, disappointment wasn’t in the cards because it’s easier, smarter, and more flexible now than it was back then.
Apr. 29, 2019
There is no shortage of network telemetry data that can be collected, recorded, graphed, and stored for cross reference and triage. Not one to be underestimated, latency data can be incredibly powerful when leveraged for baseline and deviation notification. As I have alluded to in the past, there are many tools in this space. I have written about a few of them in detail and touched on others in passing. Regardless of the tool, the data is powerful and the instrumentation they provide will only serve to make your network more robust and easier to work on.
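The baseline-and-deviation idea above in working form, as an added example that is not code from the post or from any of the tools it mentions: a rolling median and median absolute deviation (MAD) over a constructed series of round-trip times, with samples outside the band reported. The RTT series, the window size and the threshold are all assumptions chosen for illustration.

```python
"""Baseline-and-deviation alerting on latency samples.  Added example with a
constructed series of round-trip times; it is not code from the post.  The
detector uses a rolling median and median absolute deviation (MAD) so a single
spike does not drag the baseline along with it."""
from statistics import median

# Constructed RTT series (ms): a steady ~12 ms path with one spike at index 12.
SAMPLE_RTT_MS = [
    12.1, 11.9, 12.3, 12.0, 11.8, 12.2, 12.1, 12.4, 11.9, 12.0,
    12.2, 12.1, 48.7, 12.0, 12.3, 11.9, 12.1, 12.2, 12.0, 12.1,
    12.2, 12.0, 11.9, 12.1, 12.3, 12.0, 12.2, 12.1, 12.0, 12.2,
]


def mad(values, center):
    """Median absolute deviation around `center`; robust where stdev is not."""
    return median(abs(v - center) for v in values)


def detect_latency_deviations(samples_ms, window=10, threshold=4.0, floor_ms=0.5):
    """Return [(index, value_ms, baseline_ms)] for samples above the baseline band.

    The baseline for sample i is the median of the `window` samples before it and
    the band is `threshold` MADs wide.  `floor_ms` caps how tight the band can get,
    so a perfectly flat history does not turn ordinary jitter into alerts.  Because
    the window is the raw history, a sustained shift stops alerting once it fills
    the window; that is deliberate (the new level becomes the baseline)."""
    alerts = []
    for i in range(window, len(samples_ms)):
        history = samples_ms[i - window:i]
        baseline = median(history)
        band = threshold * max(mad(history, baseline), floor_ms)
        if samples_ms[i] > baseline + band:
            alerts.append((i, samples_ms[i], baseline))
    return alerts


if __name__ == "__main__":
    for idx, value, base in detect_latency_deviations(SAMPLE_RTT_MS):
        print(f"sample {idx}: {value:.1f} ms vs baseline {base:.1f} ms")
```

The median/MAD pair is used instead of mean/stdev on purpose: one 48 ms outlier in a 10-sample window barely moves the median, so the spike is reported once and does not widen the band for the samples that follow it.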
Mar. 31, 2019
Over the last few days there has been a huge amount of FUD and panic surrounding two as-yet-to-be-published CVEs (found here and here) related to Mikrotik’s IPv6 implementation. It is my opinion that this entire process has been poorly handled, and that the community involved tends to be fairly sensitive to issues such as this, and the cloak and dagger nature of the two issues has only exacerbated it. Mikrotik, as a company, is well known for being terse in their responses and tight lipped with their internal workings and dealings with these kinds of issues.
Nov. 5, 2018
Remember OpenFlow? It was the media and marketing darling for the better part of 5 years as “the machine” conflated OpenFlow with SDN and SDN with - almost literally - everything. “Still Does Nothing” was a common phrase uttered around those of us that had run large scale, complex networks for a long time. Quietly, and mostly out of the fickle media and blogosphere eye, a scrappy little SDN project called faucet has been diligently plugging away, making easy to use, production quality, well documented, and very stable code that runs OpenFlow networks quite happily in production and at scale.
Nov. 1, 2018
As an often-security-engineer and an individual that has been working on large networks for quite a while, dealing with DDoS, or the threat of DDoS, is a well traveled path. Recently I was invited to discuss some of the basics of DDoS mitigation on the Network Collective Podcast. This was a really fun and insightful chat with a wealth of great information for engineers and operators of any skill level.
Oct. 18, 2018
Recently, the venerable Ivan Pepelnjak published a very insightful article about automation becoming such a popular topic that was spawned by an email from one of his readers. I found this article to be spot on, and wanted to add a bit of my own opinion into the automation pie, as I have been spending a lot of time on automation as it relates to existing networks as well as SDN based environments.
Sep. 1, 2018
IPv6 has been a crusade of mine for well over a decade. Whether it is teaching IPv6 workshops, offering advice to new users, answering questions, or evangelizing it ad nauseam, it is an important topic to me. The ISP world holds a special place in my heart since a good deal of my early experience came from building or assisting regional ISPs. Recently I had a fun opportunity to talk about deploying IPv6 on The Brothers WISP podcast.
Jun. 11, 2018
I’ve been very vocal about the misinterpretation of NAT for many, many years. Since its inception, NAT has been slowly perverted into what many now believe to be a security mechanism. While I do see a reasonable use of IP masquerading in a larger security strategy, this is not the original intent (or implementation) of NAT. What most network engineers call “NAT” is actually one to many network port address translation - or taking one public address and “hiding” a number of private (likely RFC1918) addresses “behind” it, using ports to translate traffic and keeping the state of those connections.
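The one-to-many port translation just described, as an added example that is not the author’s code: a minimal NAPT table where an outbound flow creates state and an inbound packet is rewritten only when it matches that state. The addresses are constructed from the RFC 5737 documentation ranges, and the per-5-tuple mapping (one public port per inside flow) is one assumed behaviour among the several that real devices implement.

```python
"""One-to-many NAPT in miniature: an outbound flow creates state, and an
inbound packet is translated only when it matches that state.  Added
illustration with constructed addresses, not the author's code; the mapping is
per-5-tuple, which is one of several behaviours real devices implement."""
from dataclasses import dataclass, replace
from itertools import count


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Napt:
    """Hide many inside (RFC 1918) addresses behind one public address."""

    def __init__(self, public_ip, first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self._ports = count(first_port)
        self._last_port = last_port
        # inside flow 5-tuple -> public source port handed out for it
        self._out = {}
        # (proto, public port, outside ip, outside port) -> (inside ip, inside port)
        self._in = {}

    def translate_outbound(self, pkt):
        """Rewrite an inside->outside packet, creating state on first sight."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self._out.get(key)
        if port is None:
            port = next(self._ports)
            if port > self._last_port:
                raise RuntimeError("public port pool exhausted")
            self._out[key] = port
            self._in[(pkt.proto, port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def translate_inbound(self, pkt):
        """Rewrite an outside->inside packet, or return None (drop) when no state matches.
        The drop comes from the state table, not from the address rewriting itself."""
        inside = self._in.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            return None
        return replace(pkt, dst_ip=inside[0], dst_port=inside[1])


def demo():
    """Constructed scenario: one outbound connection, its reply, and an unsolicited probe."""
    nat = Napt("198.51.100.1")
    out = nat.translate_outbound(Packet("192.168.1.10", 51000, "203.0.113.5", 443))
    reply = nat.translate_inbound(Packet("203.0.113.5", 443, "198.51.100.1", out.src_port))
    probe = nat.translate_inbound(Packet("203.0.113.5", 443, "198.51.100.1", 2048))
    return out, reply, probe


if __name__ == "__main__":
    for label, pkt in zip(("outbound", "reply", "unsolicited"), demo()):
        print(f"{label:11s} {pkt if pkt is not None else 'dropped: no matching state'}")
```

Note where the unsolicited packet is dropped: it falls out of `translate_inbound` because nothing in the state table matches, which is exactly the behaviour a stateful filter provides with or without any address rewriting.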
May. 4, 2018
It’s no secret that RF technologies and what I like to call “specialty networking” are two of my favorite things in the networking space. Put them together and it is like chocolate and peanut butter! Now, some may not consider Field Area Networking (FAN) to be “unconventional”, but it certainly falls well outside of the space of what is typically traditional enterprise networking. That said, Cisco’s FAN briefing at Network Field Day 17 really got me excited and thinking about the alternatives for the IoT space.
Feb. 19, 2018
Build vs. buy is an often lamented and always hotly debated question in all aspects of IT, however, if one is able to truly look at all angles the answer is typically straightforward and can be rooted in one simple strategy: don’t reinvent the wheel.
Feb. 10, 2018
In the tradition of my NIX4NetEng series I’m going to dive deep into the world of strategy, and specifically into the strategy of how we look at and operate our networks, the data they generate and the analytics that are available (and often overlooked) in how networks are managed both long term and day-to-day. So, in the spirit of visibility, let’s think about how typical networks are monitored. My guess is that you either already know, or will soon realize that visibility and testing across disparate networks is hard.
Dec. 7, 2017
I have my +100 hat of irreverence on today so it’s time for a soapbox post. Having recently read several posts and articles on what seems to be the never-ending cavalcade of assertions that “networking people will be out of jobs and you’d better learn to be a programmer” - or more succinctly put: the “dramatic changes in IT networking”. To this I respond simply:
Jun. 14, 2017
Anyone that looks at this site with any regularity may have noticed that I have been pretty remiss in adding posts - for that I apologize, things have been busy. However, I have not been absent in the tech world…quite the opposite, in fact. I’ve been spending more and more time on podcasts and other forms of tech media which I have not provided links for here. So, to help expose that, here are a few of the other media resources I’ve been popping up in.
Mar. 25, 2017
Taking politics and putting them aside, what the new administration has been attempting to change with regard to internet privacy is something we should all be informed about. Whether you have a tin foil hat or don’t care, “knowing is half the battle”. The other half is doing - which I will also lend some brief insight to (sorta). What’s changing? Nothing yet (as of the time of this writing). What will likely change?
Mar. 20, 2017
In the last few years I have moved all of my virtualization to proxmox and docker. Seeing as I like to look at packets because I am a closet security guy, and being as I have been working off-and-on on a security project in recent times, I wanted to be able to span a port not only from a hardware switch, but also within my software switches. I had been using linux bridge, which I am not a fan of, so when I started down this path I did not look hard to find a way to do so under that platform.
Feb. 27, 2016
The sixth [and arguably very overdue] installment of my NIX4NetEng series, this began as an overly complex diatribe about DNS. As it evolved, I realized that DNS is so complex and far reaching that it could never be contained in one meager post. DNS is a powerful tool. It has existed for so long that many that have never had the responsibility of running an authoritative or recursive resolver may take for granted the extensive reach of a tool so ingrained in the fabric of the internet that it is frequently overlooked, much like a utility such as electricity or running water.
Nov. 5, 2015
A few years ago I wrote some text on interdomain SDN. Years later, work is being done, smart people are thinking about it and building ways to make it a reality. Not being one to give up on an idea, I gave this presentation in May at ChiNOG on what my take on that architecture should be. I (we) propose that the use of existing protocols such as BGP FlowSpec will make this realistically deployable and maintainable given some simple, pluggable middleware.
Jul. 6, 2015
Back in February of this year (2015) I was introduced to Solarwinds when they presented to us at Networking Field Day 9. Until then I knew of SolarWinds products but only at a cursory level; I had never really seen or used their stuff since it was mostly focused on environments that were either smaller or outside of the networking world that I generally operate in. However, I am a[n insufferable] network monitoring “aficionado” so when the opportunity to play around with it arose, I happily took it.
Jun. 20, 2015
I recently had a need to test OpenFlow on the Brocade ICX 7450 for a fairly good sized, high visibility project. The basic goal is pretty simple, Layer 2 path provisioning. Straightforward and fairly well supported in OpenFlow, even from the early days. To do this, the idea was to use a turnkey platform, that way there is one throat to choke if there are issues. I landed on the Brocade Vyatta controller (which is essentially ODL), and the ICX.
Mar. 15, 2015
At Networking Field Day 9 there was a great deal of discussion regarding monitoring, modeling, and maintaining networks, as would be expected at an event with such a focus. Luckily for us, an interesting product that comes from a company that I was unfamiliar with called NetBeez gave an inspired presentation. Now, NetBeez got my attention for a few reasons. First off, NetBeez is doing some really great things in the field of network monitoring.
Feb. 20, 2015
When NEC began talking about SDN at Network Field Day 9, I was not sure what to expect. I knew they had been heavily involved with OpenFlow since the early days, and many years ago I was able to get my hands on their early OpenFlow controller and was immediately frustrated by its cryptic nature and frankly, poor documentation. Their switches were fine and were heavily utilized in early OpenFlow deployments. I knew they had decent support and were squarely on board the SDN train.
Jan. 24, 2015
In a few weeks I’ll have the opportunity to participate in another Network Field Day. I’ve been lucky enough to have the opportunity to attend in the past and have done some remote participation when possible, but like some of the other rare opportunities I have had in my career, NFD is fairly unique in that it is constantly evolving in both the information provided and the individuals involved. As the saying goes, variety is the spice of life.
Dec. 21, 2014
Sometimes in networking and security it becomes necessary to do lookups of location data on IP addresses and prefixes. On my Mac I use homebrew to manage packages, but most of these tools are available with the typical apt, yum and port package management systems. For this post, I’m going to shift gears and show the install on my mac:
Once this installed we need to do a simple update:
This really doesn’t yield any output, but I tend to do it pretty much every time I am using the tool so I know I have up to date information.
Oct. 15, 2014
With the recent release of the POODLE SSLv3 vulnerability, folks are scrambling around trying to figure out what runs what and where. Running a handful of things that do SSL, I was obligated, both personally and professionally, to figure out an easy way to drill down and figure out what does what and then fix the vulnerable services. When there are a lot of devices, this can seem like a daunting task, and it is if you’re trying to do it manually.
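One way to find what still accepts SSLv3 across a lot of hosts without depending on whatever the local OpenSSL build happens to support, as an added example that is not code from the post: send a raw SSLv3 ClientHello and classify the first record that comes back. The server responses at the bottom are constructed byte strings, not captures, and the `scan`/`probe` functions are assumptions about how a practitioner would drive this; nothing here is reachable offline. It checks only the SSLv3 handshake this post is about, not the later TLS padding variants of the attack.

```python
"""Probe for servers that still accept SSLv3 by sending a raw SSLv3 ClientHello
and classifying the first record returned.  Added example, not the post's code.
EXAMPLE responses are constructed byte strings, not captures."""
import os
import socket
import struct

SSLV3_VERSION = b"\x03\x00"
# Cipher suites an SSLv3-era server would recognise (IANA values).
SSLV3_CIPHER_SUITES = [0x002F, 0x000A, 0x0005, 0x0004]


def build_sslv3_client_hello(cipher_suites=SSLV3_CIPHER_SUITES):
    """Record layer (type 0x16, version 3.0) wrapping a ClientHello with no extensions."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (SSLV3_VERSION + os.urandom(32) + b"\x00"          # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                                     # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type ClientHello, 24-bit length
    return b"\x16" + SSLV3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server sent back to an SSLv3 ClientHello."""
    if not data:
        return "closed"            # hung up without an alert; common on hardened stacks
    if len(data) < 5:
        return "unknown"
    content_type, _major, _minor, _length = struct.unpack("!BBBH", data[:5])
    if content_type == 0x15:       # Alert record: the handshake was refused
        return "sslv3_rejected"
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:   # ServerHello
        # server_version sits right after the 4-byte handshake header
        return "sslv3_accepted" if data[9:11] == SSLV3_VERSION else "sslv3_rejected"
    return "unknown"


def probe(host, port=443, timeout=5.0):
    """Connect, send the hello, classify whatever comes back (assumed helper)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_sslv3_client_hello())
            return classify_response(s.recv(4096))
    except OSError:
        return "no_response"


def scan(targets, port=443):
    """{host: classification} for a list of hosts; run from a box that can reach them."""
    return {host: probe(host, port) for host in targets}


# Constructed responses for offline checking of classify_response().
EXAMPLE_SERVER_HELLO_SSLV3 = (
    b"\x16\x03\x00\x00\x2a"          # record: handshake, SSLv3, 42 bytes follow
    + b"\x02\x00\x00\x26"            # ServerHello, 38-byte body
    + b"\x03\x00" + bytes(32)        # server_version 3.0, random
    + b"\x00"                        # empty session id
    + b"\x00\x2f" + b"\x00"          # chosen suite, null compression
)
EXAMPLE_SERVER_HELLO_TLS12 = EXAMPLE_SERVER_HELLO_SSLV3.replace(b"\x03\x00", b"\x03\x03")
EXAMPLE_ALERT_HANDSHAKE_FAILURE = b"\x15\x03\x00\x00\x02\x02\x28"  # fatal, handshake_failure(40)

if __name__ == "__main__":
    for label, blob in (("sslv3 hello", EXAMPLE_SERVER_HELLO_SSLV3),
                        ("alert", EXAMPLE_ALERT_HANDSHAKE_FAILURE),
                        ("closed", b"")):
        print(f"{label:12s} -> {classify_response(blob)}")
```

Treat "closed" and "no_response" as "not confirmed" rather than "fixed": a load balancer, a rate limiter or a host that is simply down produce the same result, so those entries want a second look rather than a green check mark.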
Oct. 10, 2014
I was wanting to do a few quick mock-ups with Open vSwitch and OpenDaylight and wanted to use CentOS since I have templates for it that I replicate. Just like with the debian stuff I had been doing, I wasn’t able to find any in some quick searches. I stumbled upon this site, which had a great how-to for building them, so I just used that. Seeing as the debian packages actually got downloaded a lot, I figured I’d post these RPMs as well.
Sep. 22, 2014
I was recently granted access to the beta BigSwitch Networks lab site, a purpose built classroom in the cloud focused on teaching the BigSwitch SDN environment. I had seen some of the BSN offerings in the past and always held them in high regard, but I was thoroughly impressed with both the completeness of the lab and how polished the controller environment was. At the time of this writing, the lab consists of 3 modules: Building cloud fabric, monitoring fabric and dynamic provisioning of monitoring fabric.
Sep. 15, 2014
I know, I know, I’m always saying that you don’t need a firewall. That’s mostly to get your attention to push my agenda of sane security architecture; I do actually believe that firewalls are appropriate in a great many use cases and I’ve managed them big and small ranging from Juniper SRX 5800 clusters to tiny purpose built BSD distros on custom hardware. I even managed Checkpoint and gauntlet firewalls back in the 1990s.
Sep. 8, 2014
I admit that the title was meant to be inflammatory. However, there are use cases that aren’t terribly uncommon where an in-line security appliance is just not the correct tool for the job. Someone once told me “a firewall protects a network like a fuse protects an electrical circuit”, and it’s mostly a correct statement. Firewall vendors will probably argue this and enterprise folks may discount this as heresy and call for burning me at the stake.
Aug. 12, 2014
I’ve blathered on about BGP forever. Say what you will about the venerable protocol, it runs the interwebs, is reliable, extendable and well documented. I’ve also espoused ad nauseam about IPv6, so none of this [admitted] rant should really be a surprise coming from me. As of 8/12/2014, according to the CIDR report (and many mailing lists), the default free global ipv4 routing table has reached 512k routes. This is a milestone from many perspectives, but more importantly, it solidifies the fact that there is a great deal of equipment in critical points in the internet that is out of date and cannot perform as intended in its current configuration or function.
Jul. 26, 2014
IP addressing and subnetting is a common interview subject. I assert that memorizing these things is useful for learning the concepts but ultimately futile in that it is time consuming and an inefficient use of engineering time when tools can be utilized to accomplish the same goals in less time with fewer errors. Honestly, I gave up doing this kind of work manually around 10 years ago and have never regretted it, and in actuality, I’d probably struggle to do it at this point because it’s a repetitive process better suited to code.
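What "letting code do it" looks like, as an added example that is not the author’s code: the standard library’s `ipaddress` module answering the usual interview questions, carving a supernet into variably sized subnets from a list of host counts (largest first, so nothing is wasted on alignment), and summarizing a list of prefixes. The supernet and the host-count requests are constructed for illustration.

```python
"""Subnet arithmetic with the standard library instead of by hand.  Added
example, not the author's code; the requests in the demo are constructed."""
import ipaddress
import math


def subnet_facts(cidr):
    """The numbers usually asked for, for an IPv4 or IPv6 prefix (host bits allowed)."""
    net = ipaddress.ip_network(cidr, strict=False)
    facts = {
        "network": str(net.network_address),
        "prefixlen": net.prefixlen,
        "netmask": str(net.netmask),
        "num_addresses": net.num_addresses,
    }
    if net.version == 4:
        facts["broadcast"] = str(net.broadcast_address)
        if net.prefixlen >= 31:                # RFC 3021 point-to-point: every address usable
            facts["usable_hosts"] = net.num_addresses
        else:
            facts["usable_hosts"] = net.num_addresses - 2
            facts["first_host"] = str(net.network_address + 1)
            facts["last_host"] = str(net.broadcast_address - 1)
    return facts


def prefix_for_hosts(hosts, version=4):
    """Longest prefix that still fits `hosts` usable addresses.

    IPv4 burns the network and broadcast addresses, IPv6 has no broadcast."""
    needed = hosts + 2 if version == 4 else hosts
    bits = max(1, math.ceil(math.log2(needed)))
    return (32 if version == 4 else 128) - bits


def allocate_subnets(supernet, requests):
    """VLSM allocation: {name: network} for (name, hosts) requests, largest first.

    Keeping a sorted free pool and always taking the lowest block that fits keeps the
    allocations contiguous and the leftovers summarizable."""
    supernet = ipaddress.ip_network(supernet)
    pool = [supernet]                           # free blocks, sorted by address
    plan = {}
    for name, hosts in sorted(requests, key=lambda r: r[1], reverse=True):
        want = prefix_for_hosts(hosts, supernet.version)
        for i, block in enumerate(pool):
            if block.prefixlen <= want:
                chosen = next(block.subnets(new_prefix=want))
                # hand the rest of the block back to the pool (empty if chosen == block)
                pool[i:i + 1] = sorted(block.address_exclude(chosen))
                plan[name] = chosen
                break
        else:
            raise ValueError(f"{supernet} cannot fit {name} (needs /{want})")
    return plan


def summarize(prefixes):
    """Collapse adjacent and overlapping prefixes into the smallest list that covers them."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in prefixes))


if __name__ == "__main__":
    print(subnet_facts("192.0.2.10/28"))
    # Constructed requirements for the demo.
    for name, net in allocate_subnets("10.0.0.0/24",
                                      [("eng", 100), ("sales", 50), ("mgmt", 10), ("p2p", 2)]).items():
        print(f"{name:6s} {net}")
    print([str(n) for n in summarize(["192.0.2.0/25", "192.0.2.128/25", "192.0.3.0/24"])])
```

`prefix_for_hosts` is deliberately conservative about /31s (two hosts still get a /30); if your gear supports RFC 3021 on point-to-point links, special-case `hosts == 2` to return a /31.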
Jun. 23, 2014
With the recent announcement of Cisco Systems’ intent to purchase tail-f, proponents of a multi-vendor environment are waiting with bated breath to see how the networking giant will deal with support of competitor hardware and CLIs. YANG is here to stay, there is no doubt about that. As is NETCONF. Both of these are good things for the industry as a whole, having a standard way to communicate with network hardware [that isn’t openflow] is necessary and immeasurably useful.
Jun. 7, 2014
I don’t care what your vendor alignment of choice is, Cisco, Juniper, Brocade, Alcatel….it doesn’t matter. At one point or another you’re going to need to bird dog an address to see where it’s coming from, who owns it, what its DNS name is or what path you’re taking to get to it. We’ve already talked about BGP tools, they’re a great choice for checking routes across the internet. Hunting down addresses is an interesting one, though, as address management and lookups can bleed into other aspects of networking like path selection, latency, jitter and many other things.
May. 17, 2014
Many regular internet users are extremely upset about the recent proposed changes the FCC has opened for comments about the delivery and provisioning of internet services. Watch this video if you’re unaware of the high emotions it has evoked:
Apr. 30, 2014
Many network engineers are also tasked with maintaining systems that provide network services, those things that make the network easier to use such as DNS and DHCP or management systems that perform useful things like monitor the network, collect flow data or bestow access to the equipment by acting as bastion or jump hosts. In many instances, robust and high availability services run on UNIX, Linux or BSD systems for stability and reliability, so those that manage these systems need to be well versed system admins as well as whatever their other job functions are.
Apr. 20, 2014
I firmly believe that blending disciplines is the way of the future in IT. I’ve rambled about it here and at other venues and I’m vocal (some would probably say brash) about it on the twitters. Be it Networking and Systems, Systems and Security, Programming and Networking, most of us that have been around any length of time already do it but now it’s happening out in the open and “DevOps”, a form of the hybrid IT worker, has seemingly become the BOTD (Buzzword of the day).
Mar. 20, 2014
Time to rewind from the new and shiny and get back to the roots of networking. BGP is one of those odd protocols that is foundational to the functioning of the internet but yet somewhat hard to get experience with. Say what you will about this venerable protocol, it’s been here a while and it is not going anywhere any time soon. I’ve been doing BGP since around late 1999, and I completely fell into it by accident, having only the Cisco Internet Routing Architectures book (which I literally read cover to cover) and the Ulysses Black Routing Protocols book and whatever I could find on a random search engine to guide me, and that was only after having to learn on the CLI for the first 6-7 months.
Mar. 10, 2014
I recently had the displeasure of dealing with a series of failed disks in my newly created ZFS based NAS. I had cobbled together roughly 12TB of disk space and jammed them into an old PC, stretching the limits of the platform when I decided to go with ZFS. I broke all of the rules, underpowered, single core PC, only a handful of GIG of non-ECC RAM, etc. I’m sure storage guys are having a coronary after reading that, but it works for me and has minimal issues since I just need relatively redundant bulk storage and it doesn’t need to be fast (the ethernet connection is only 100M).
Feb. 26, 2014
“Hopefully there are some things here that will make you really upset in a very good way” is how Carl Moberg of Swedish based company tail-f opened up to the crowd at Networking Field Day 7 on Feb 19, 2014. Tail-f is a sleeper, I had actually never heard of them before NFD7, but they’ve got a very unique product in NCS and in my opinion it can change the way existing and future networks are managed. Right now.
Feb. 10, 2014
A while ago I got an email asking me to participate in Network Field Day 7. I was very happy and humbled to get asked again since I wasn’t able to attend NFD5 or NFD6 for various reasons outside of my control (although I did try to participate with NFD5 remotely). If you’re unfamiliar with the tech field day series, you should spend a little time and learn about the value it brings. There are archived video feeds of previous conferences and live feed and social media outlets for current field days.
Jan. 11, 2014
I am an absolutely huge fan of statistical and instrumentation data, especially when it comes to traffic analysis, visualization and baselining. I’ve rambled on about the importance of it at every opportunity. As a result of that, I have been doing work with netflow and netflow-like data for a fairly long time. My first collector was the OSU Flow tools based stuff back around 13 years ago. From there I played with all kinds of netflow tools, both commercial and open source, finally settling most of my focus on nfdump and nfsen.
Jan. 4, 2014
The buzz as of late around the security and networking communities has been about the NSA and their catalog of spy tools. I’ve spent time in my career thinking about and doing infosec and I did a brief stint working for the FBI in a project called NCDIR. I like to think that I can provide at least a peripherally competent commentary about it [take it with a grain of salt].
Dec. 7, 2013
About a year ago I did a brief review of the “new Sonicwall”, specifically a smaller branch office device that was said to have all of the features of the larger devices. I proposed that it had some significant limitations (much to the disagreement of a great deal of folks). However, I stand by my statements. If you ignore the fact that firewalls often cause more problems than they solve, that NAT is a nightmarish kludge (and not a security mechanism), and will likely be phased out for better options eventually, the SonicOS I tested was pretty limited as far as what I believe should be features.
Nov. 29, 2013
As part of a larger fun project I’m working on (OVS for the ALIX platform; more to come on that once I have it 100% working), I have been playing a lot with OVS. It’s a great platform, and as others have mentioned, it’s as close to an SDN reference data plane implementation as we have. I’d be surprised if many if not all commercial implementations of OpenFlow aren’t based on OVS.
Nov. 9, 2013
My personal background in computing (specifically networking) is atypical. I have a bachelors in visual arts and only took a handful of computing classes in my relatively long tenure in college. However, I did learn one valuable lesson that has served me pretty well over the 15 or so years I have been doing networking and I’d bet money any good network engineer that has more than 10 years of experience will nod their head at this and agree.
Sep. 21, 2013
Let me be clear, when I say “single vendor” I’m talking about being “single vendor” in what you work on, not necessarily what you install (although one basically forces the other) and what I really mean is multilingual. I’ll explain after a brief history of why I am the way I am. I’m idealistic but I’m also realistic. I generally propose solutions that I think are best even if it is non-standard or out of current comfort level along with an alternative or two.
Sep. 1, 2013
One of the things that I’ve always lamented about using non-Cisco hardware is the lack of true 1:1 netflow support. Say what you will about jflow, cflow, sflow….there is no substitute for netflow, with sflow being the exception to that since it is a protocol that inherently supports ipv6 and can transport far more than simple network information if configured in certain ways on certain devices. On newer MX series Juniper routers the game has changed.
Aug. 7, 2013
Working on some MX series routers recently I encountered a problem I’d never seen before, essentially preventing the configuration from being committed:
This is a very annoying problem and is terribly inconvenient as you can probably imagine. So, my first instinct is to drop down to the shell and start hacking at it UNIX style.
From there I wanted to see the file system and check out the stats of what it thinks we have.
Aug. 5, 2013
I have been learning and using IPv6 for quite a while, even before I worked in research and education, back in the ISP days. I thought I should learn it because, frankly, I figured we’d all be converted to it by now, already whole hog using it like it was the layer 3 addressing mechanism that it is. Flashback: My first IPv6 access was via a tunnel to HE a long, long time ago and before that I was reading what I could about it.
Jul. 25, 2013
In many environments, the move to virtualization is a path well traveled. My home and lab networks are no exception to this and I’m sure nearly everyone who reads these pages has at least been exposed to it in one way or another. I have played with nearly all of the virtualization platforms and am firmly in the camp that there will be a large segment of networking that will move to a virtualized platform especially in the data center and campus segments.
Jul. 5, 2013
I had the need to build a FlowVisor instance under CentOS. Since nearly all of the docs I could find were for debian, I threw this together. I utilized this GENI doc and the github docs as a simple reference. This is the quick and dirty method I used: Install the prerequisites:
Create my standard directories:
Navigate, add user and install
Here is the relevant output I saw:
Start the controller:
Output from controller starting:
Jul. 3, 2013
I want to preface this by saying that I have not seen or worked on the cumulus networks system yet. This is a stream of consciousness post on my thoughts and opinions based on what I’ve read publicly. Recently a new network player has emerged on the scene with a very simple, straightforward idea. Take linux and put it on a switch. While this isn’t exactly new (see Juniper and FreeBSD, Arista with Linux, Force10 with NetBSD or the plethora of other vendors using an opensource OS as the underpinnings of their NOS), the angle that cumulus networks is taking is a bit more….
Jun. 30, 2013
One of my biggest complaints about VMware is that it is an enterprise application. It has historically catered to the masses, which I completely understand, but those of us that aren’t a fortune 500 company are figuratively and operationally shoved into a corner and forced to find hackish ways of doing things to work around the enterprise nature. One really, really good example of this is OS dependency. I hated architecture dependencies back in the old days (x86, SPARC, PPC) and I absolutely despise things that are OS platform dependent now.
Jun. 22, 2013
As much as I like to think I automate everything, I’m pretty bad at writing code to make my life easier since it tends to take me longer to write the code and it tends to make me a bit grumpy (this is something I’m fixing by learning as much code dev as I can during my limited spare time). However, I like to think I can be fairly smart about working around my limited programming skills (think boba fett rather than jedi) by using the tools available to common folk.
Jun. 16, 2013
I recently had the need to debug a runaway ip_rx process on an older Brocade MLX. For anyone that has had to do any type of low level debugging on the Brocade (Foundry) platform, you know that there are many somewhat deep level diagnostics that are possible. The debug (like cisco debug) is a bit lacking, but the dm, LP and MP commands are very useful (and a tad scary). Regardless, I’ve had to utilize them a lot in the last few years so my aversion to using them has been pretty much completely callused over.
Jun. 7, 2013
I’ve been doing a lot of MPLS in the last 45 or so days (which is one of the reasons I have been absentee in the OpenFlow world lately). Having had almost no real world MPLS experience aside from a handful of pseudo-wires and a very small LDP signaled network, I had to spend some time reading, hacking at routers and essentially learning. In doing so, I found a few things.
May. 19, 2013
I love to be the “uncola” of networking sites. I like interop and I don’t do a lot with Cisco because I don’t have access to much of their gear anymore. So, that being the case, I had a need to bring up a l2circuit (in JunOS speak), or VLL (in Brocade speak) between an MX480 and an MLX. Since they are very different platforms, I had to do some digging and playing around to get it to work.
May. 17, 2013
There has been some recent chatter on the IPv6 Ops mailing list about the feature matrix. Sadly, I’ve let this sort of wither on the vine for a while in favor of OpenFlow and SDN. At the end of the day, though, as a whole we actually need IPv6 more than SDN and OpenFlow at this moment in time, so I’m resurrecting it. It is available here. A few additions have been made and there is now a “last edited” cell so folks can tell if the data is stale or not.
May. 3, 2013
Jon Langemak has a great write up on building the OpenDaylight controller under CentOS. Since I’ll have to do this a bunch of times, I thought I’d take what he so generously put online and build a very rudimentary script for deploying ODC under CentOS. The prerequisites are that you already have an account and ssh key at the OpenDaylight GIT repo and that you disable SELinux. Here is the script:
Once up and running, it’s pretty trivial to point something like an HP switch at the controller.
Apr. 27, 2013
Let me preface this post by saying that I am absolutely not an enterprise IT or systems guy, take everything that I write here on out with that as a side dish. I’m also very, very cheap. That said, one of the things I really like about KVM is the ability to easily view the console of a guest system using free, non-windows software like VNC. However, much like everything in life, there are reasons to do one thing or another.
Apr. 25, 2013
I had been working, off and on, on a how-to for building the daylight openflow controller under CentOS. Most openflow docs and dev are done under ubuntu or debian, and while those are both fantastic alternatives, there are a huge number of folks that will want or need to use RHEL or CentOS. So, seeing as that is the case, having someone be mindful of that is important. When I saw the write up by Jon Langemak, I scrapped my attempt at a how-to since his was so much better.
Apr. 18, 2013
OpenFlow is, of course, a hot buzzword. It’s the newest, and in my opinion, the most innovative thing to hit data networking since dynamic routing. The ability to programmatically, systematically and potentially dynamically control traffic at the flow level through a network is innovative, exciting and terrifying [to many network engineers and architects] at the same time. Allowing applications to touch the network and change its behavior is something that many engineers are not terribly comfortable with.
Apr. 8, 2013
The SDN world is abuzz with the announcement that the OpenDaylight controller came from stealth mode today. Why is this important? Well, SDN and OpenFlow are fractured. It is Mac vs. PC, Beta vs VHS, Coke vs. Pepsi all over again……multiplied by 100x and with a handful of players. Vendor zealots and brand loyalists will nearly always side with their camp. Heck, even I have some biases of personal preference. But at the end of the day, the greater good is always most important.
Mar. 28, 2013
Lately I’ve been lamenting the fact that there seems to be a lack of options in a very specific product level. Let’s say you have a network that looks like this: Right away you’re limited since you need MPLS and more than 2 10G interfaces. Even more so if you require full support for IPv6 and ISIS. If budget is of any concern, you’re in real trouble. For many, Cisco pricing and smartnet is potentially going to exclude anything reasonable from them.
Mar. 23, 2013
This week there was a lot of buzz about SDN (as usual). There was a Light Reading thread that I commented on and a fantastic read by Brent Salisbury about being the steamroller and not the road that got me thinking about OpenFlow and SDN in a way I had not before. <soapbox> All that is old is new again. I remember when internal networks were small and routing protocols were taboo in many internal environments.
Mar. 18, 2013
OK, maybe they’re not totally dead, but they’re being demoted. To the mail room. During the course of my career I’ve always had at least some responsibility for firewall and security devices. In those ~15 years, how these boxes are built and function has shifted. From the perspective of my career, there were IOS ACLs (yes, I know, not a firewall), there were the IOS firewall versions and there were software packages such as Gauntlet and Checkpoint.
Mar. 9, 2013
I started working on Juniper equipment around 2002. At my employer, we had an M40 with the serial number 256. We did Layer 3 only. I had no idea if the Juniper even did Layer 2. It certainly wasn’t a Layer 3 switch like the 6500 I was used to. It was like a deliciously robust version of any Layer 3 router I’d worked on previously. Over the years Juniper has added a switching line utilizing their FreeBSD-based OS, JunOS.
Mar. 6, 2013
Last year, Networking Field Day was something that I’d heard of but wasn’t really aware of what it really was. I occasionally looked at Twitter and saw the hashtags but did not know much about how it was set up or what it was about. In fact, I actually thought it was supposed to be like the ham radio field day stuff where you go out and build out an emergency network on the fly.
Mar. 2, 2013
I’ve recently run into a situation where there was no longer enough space in the FIB to handle both the full IPv4 global table and the full IPv6 global table. We prefer to run a default-free network within this particular SP network, but in this case, until a hardware refresh can happen, we’ll need to adjust that. Given what we knew about the size of both tables, it made more sense to take a default IPv6 route from one transit provider and filter the rest.
Mar. 1, 2013
I am a network engineer by profession, but with the proliferation of SDN and OpenFlow, I have had to spend a lot of time re-learning a lot of system admin skills that I’d shelved years ago. Now, I’ve been a virtualization user forever. From VMware (Fusion, ESX) and VirtualBox to Parallels, I’ve used them at least in testing if not in production environments. I’d not really spent any mentionable amount of time with Xen, QEMU or KVM, but some projects I was working on suggested it for the virtualization mechanism, so I figured I’d try to pick it up.
Feb. 20, 2013
Recently SI6 released the IPv6 Toolkit 1.3. This release is on the heels of this IETF draft on IPv6 host scanning. It was long thought that scanning an IPv6 network was impossible. The address space was too large and reliably ascertaining the hosts from it would be too time consuming to even attempt. However, as Dr. Hans Zarkov says in the 1980 classic cult film of my youth, Flash Gordon, “You can’t beat the human spirit!”
Feb. 15, 2013
It’s no secret that I’m a fan of the model Arista Networks is using to make gear and provide innovative services and products. In my opinion, they’re changing the landscape of campus and data center networking gear. I’m always a fan of the little guy trying to change the world and this falls under that category. For those that don’t know, Arista Networks is a “hardware” networking company that is using merchant silicon wrapped in their custom Linux-based operating system (which is very much like IOS).
Feb. 4, 2013
A bit of back history: I came from BSD land. I was a FreeBSD user from way back in the 1990s. BSD land is a land of secure boxes and very high uptimes. It’s also a land of arguably clunky package support, a lot of compiling by hand and, these days, not nearly as encompassing package and network tuning support. I decided to move to Linux a while ago, reluctantly, and chose Debian as my flavor of choice.
Feb. 4, 2013
Recently we encountered a very strange behavior on an SRX 5800 cluster. The cluster, which is in active/active mode, started dropping OSPF adjacencies to its neighboring routing equipment, in this case a Juniper MX480 and a Brocade/Foundry MLX8. Strange behavior indeed, since for us these had been rock solid for around 2 years and we’d never seen this odd behavior before. Honestly, we started looking at the routers first since this was something the SRX had never done before.
Jan. 31, 2013
Starting from a base CentOS system with nothing configured, and referencing the CentOS wiki, here is how I like to set up a headless VirtualBox environment: Disable SELinux. It’s overly cumbersome and is enabled by default in CentOS. I like to permanently disable it even though the default is permissive. I ride the edge, I know.
Jan. 24, 2013
If you are running a network and aren’t using RANCID, you should give it a serious look. RANCID is a cross-platform configuration management toolkit for backing up router configurations and certain environmental and hardware information into version control. It’s been around for as long as I can remember and supports nearly every platform I can think of, including a few modules that I cobbled together myself. There are a few nice web-based front ends for CVS and SVN; I prefer to use ViewVC because I have a lot of experience with it. However, there may be cases where a web server isn’t a good option, is unavailable or is just too much work.
Jan. 22, 2013
There has been a lot of buzz about the service provider model, net neutrality and tiered access for consumers in the past few years. Just this week Google has been accused of paying Orange (more likely Orange is forcing Google) for handling its traffic. This is a VERY slippery slope that teeters on the edge of what we all want to avoid as consumers or content creators. This recent story has sparked something I’ve been thinking about for a very long time.
Jan. 10, 2013
I’ve been lamenting about the SDN WAN options for a while now. Having SDN/OpenFlow in a data center or campus is relatively well documented and already widely deployed. Google has been doing SDN across their private WAN in production. These pieces are easy. What isn’t easy is the ability to plumb SDN across many domains that are under disparate control. This part is hard. What is lacking is a fundamental framework, or set of primitives to build from.
Jan. 9, 2013
I have a bunch of Apple wireless gear at my house. It’s inexpensive, feature rich and easy to maintain. However, with the update to Mountain Lion a while ago, the ability to install the older AirPort Utility stopped. This is annoying since I have what Apple now considers “advanced” features like IPv6 at my home, and essentially all my gear here is a lab (except for the Plex server =). I’ve been spending a lot of time on Cacti lately, and I wanted to test out the syslog plugin…
Jan. 4, 2013
It’s always annoying to me, being a convert from *BSD to Linux, that tools like dig and host aren’t in the minimal base install. I realise that this makes me somewhat of a hypocrite, as I prefer an additive system rather than a subtractive base OS. Nevertheless, I’m continually surprised that “host” isn’t available after installing a minimal CentOS system without adding an additional package. So, since I always forget, here is a quick blog post to remind me and any other converts how to install those tools:
Jan. 2, 2013
After reading Stephen Foskett’s post “How Will Cisco Recover From The Consumer Strategy Blunder?”, it got me thinking. It’s a very different world than when Cisco got started all those years ago. I don’t have any brand loyalty to Cisco; I learned on Cisco gear 14-15 years ago for the most part, but I try to keep the mentality of “the right tool for the job”, which means constantly surveying the market for new and interesting ways to do things.
Jan. 1, 2013
I am very happy and flattered that this site actually proves to be useful to folks. It was always my intention to use this as a platform to try to give back a bit, to help with any data I may have run across that was interesting, useful, or obscure. I utilize sites like etherialmind.com, packetpushers.net, evilrouters.net, networkstatic.net and ioshints more than I can even measure. I wanted to try to contribute as much as I could to pay it back.
Dec. 20, 2012
I have a love-hate feeling about “predictions” about the upcoming year, especially tech predictions. I don’t like media sensationalism of any kind, and a lot of the tech predictions are just that: sensational, extreme talk to draw in readers or viewers. I’m choosing to go down a more subtle path. These are things I’ve thought about lately but will likely forget in the upcoming year, unless they actually happen, in which case I’d likely do an “ah, I remember thinking that may happen” gesture.
Dec. 15, 2012
Securing SSH is a form of art. It’s often debated, much like blocking all ICMP packets (which I normally disagree with). If you need good proof, read these posts by Bob Plankers. There is a camp that likes to promote moving to a non-standard port. There is a faction that likes to block it completely except from a handful of hosts. Then there are those that like to leave it open altogether.
Dec. 13, 2012
IPv6 is coming. Like SDN, we can’t ignore it. Are you ready? Are your apps ready? I’ll wager the answer is no. Mine aren’t. I’ve been working on IPv6 for about 11 years, from the early days of tunnels to full native IPv6 at home and at work. In teaching the IPv6 workshop for Internet2, one of the things that I always suggest is to have a dual-stacked host and an IPv6-only host available for testing.
Dec. 10, 2012
Plexxi is an interesting product that has recently emerged in the data center space. While data center, fabric and cloud are all the rage in the buzzword world of data networking, this one caught my attention because it was something unique that I’d not seen before. Their TOR boxes have a few interesting additions to them, the first of which is a WDM port on the back. Now, I’m not really a stranger to the WDM world.
Dec. 8, 2012
I recently had the opportunity to work with the much-anticipated Brocade VDX “Ethernet Fabric” platform. I do admit that I’m intrigued by this product. I’d seen it work multiple times in demos and it worked so well and looked so easy that we actively tried to throw curve balls at the demo organizer to prove it wasn’t canned. It succeeded. The hardware hashing across the vLAGs is very slick. The VMware vSwitch integration worked well and was handy.
Dec. 7, 2012
~12 years ago I had a drinking buddy that worked with me at the regional ISP. We had a lot in common; he had been an icon back in the Didjits era of punk rock in Champaign-Urbana and we had briefly been in a terrible band together. He introduced me to a dude that to this day I just knew as “Ravi Sonicwall”. He had apparently been recruited from the U of I, written a lot of the low-level pieces of the original SonicWall and retired to enjoy life and buy beers (he actually scolded me at a bar for buying him a beer, saying “when I’m in town, I buy the beers”).
Dec. 2, 2012
For a long time I ran a blog called tech.buraglio.com that was a self-hosted WordPress site. After having kids and getting a bit busier at work, I decided to move everything that I had been hosting (images, scripts, hacks, blogs and DNS) to “the cloud”. I managed to do this for everything but my primary DNS resolver, which I had always intended to keep, and one WordPress blog that I hosted for someone else.
Nov. 27, 2012
There has been a flurry of discussion on SDN in the WAN lately, specifically why and how. Brent Salisbury laid out a few use cases here. The why seems pretty straightforward. I do believe it will happen; however, the how is the interesting part. Admittedly, I’m a tad of a greenhorn in the SDN space: I’ve made it work in a lab, I participate as much as I can in the working groups and I attempt (poorly) to keep up.
Nov. 25, 2012
Have you ever needed to replicate a lot of data transparently to an IDS without the use of a rack of optical taps? Not enough budget for a Gigamon or cPacket? Have a spare MLXe laying around? You’re in luck; we were in that boat too. Let me first preface this by saying that this would be fairly trivial using OpenFlow / SDN. That being said, we didn’t have the time to set that up, so this is what we came up with.
Nov. 24, 2012
Recently, there was a thread over at Packet Pushers about what folks use for their daily workflow. I quickly realized that my setup is pretty simple (as I like it) and relies on a large amount of terminal-based tools, which makes sense since I have been a UNIX (or UNIX-based) OS user since my migration from the original MacOS back in the 1990s. Anyway, since I wrote most of this up already, I thought I’d post it here: Environment and Editing: Editor: VIM via Terminal.
Nov. 14, 2012
For the Supercomputing 2012 show, as in years past, I was “the guy who installed and maintained RANCID” as part of my duties for the SCinet routing team. If you don’t know about RANCID for change management and config backup, check the link. It’s free and works on a huge amount of gear. Every year there is a new and interesting platform; this year it was Juniper QFabric and Brocade VDX. The Juniper QFabric just worked with the existing jrancid pieces.
Nov. 9, 2012
Every year there is an international conference for High Performance Computing, or HPC as it is often called. This is a bit of a niche in that it’s something that many enterprises and researchers need but don’t do themselves, and so many don’t have a grasp of what all is involved. It’s a specialized, potentially expensive and very different environment, as well as mindset, than the general sysadmin or network engineer will ever see.
Nov. 6, 2012
Recently we’ve run into an odd issue while routing on an EX4200 series. These little JunOS boxes are a nice alternative for an entry-level building router; they support L2/L3 functionality, a PVST+-ish protocol and, with advanced licensing, IPv6, ISIS and BGP. They have multiple 10G interface options and come in a pluggable fiber option. We use them all over for light Layer 3. They can also be stacked via stacking cables and fiber, which is very handy and makes them extremely versatile, but that is not really applicable for the purpose of this entry.
Nov. 5, 2012
If I had my perfect world where I lived in a gumdrop house with lollipop trees and everything smelled like butterfly kisses, here is what I would like to see in WAN networking gear. I can build a list for LAN and edge gear as well. It’s not a golden rocket ship I’m looking for. OK, maybe it is.
Oct. 31, 2012
As I sit here thinking about whether this site is worth my time, some words that someone said to me recently ring true. “Take from things you’re doing every day” is what Brent Salisbury of networkstatic.net said to me. He was right… And it was why I originally started this site, in a way. The original goal was to make a site I could take notes on and possibly help out someone trying to solve the same issues as me or look at something from the same perspective I had.
Oct. 27, 2012
Moving to JunOS from IOS can be a daunting task. It’s a completely different command structure and the config, by default, looks like a programming language. I was fortunate enough to have gotten in on using JunOS very early in my career, 1/3 in to be exact (as of this writing). Not to mention that when I got started, IOS wasn’t the only game in town. Remember Xylan? Gandalf? OpenRoute?
Oct. 27, 2012
I’m an awful sysadmin. Running services permanently isn’t really my forte; I tend to lean more toward the “I’ll get this proof of concept all working, prove that it works or doesn’t, then roll it on for polishing by someone else” kinda guy. That final 15% is something I’m constantly working to refine and better myself at accomplishing. I’m decent at debugging network services, and can be handy in an “oh crap, it’s down!
Oct. 19, 2012
Let me save you some time… Microflow Policing on the Catalyst 6500 / Sup2TXL doesn’t yet work. Inbound it “kinda works”. You can configure it and it applies as a service policy, but even though outbound is “supported in hardware on the Supervisor2TXL”, there is no software support for it in either 15.0SY or 12.2(50)SY. It took me a month to suss this out… Yes, I should have suspected. I don’t work on Cisco every day; I have Juniper MX, Brocade MLX and a multitude of other platforms to work on daily, so it took a bit.
Oct. 18, 2012
I’ve been doing research, carrier and service provider networking for a long time. My first real service provider experience was beta testing DSL for GTE back in the 1990s; I prototyped and proposed a CLEC for an employer in 1998 and went to work for the only ISP in the area rolling its own DSL over ATM in early 2000. Everything seems to come full circle, though, given enough time.
May. 22, 2012
Data centers are one of the hot things in networking tech right now. Combine SDN, cloud and the buzzword of the day, mix with data center and serve over ice. I end up doing a lot with data centers for whatever reason. This, however, is something I found interesting. “DCTCP is an enhancement to the TCP congestion control algorithm for data center networks. It leverages Explicit Congestion Notification (ECN), a feature which is increasingly becoming available in modern data center switches.
Apr. 27, 2012
Let’s just say, for instance, that you have an MX series router somewhere on your network. Let’s also say that said router is carved into more than just the main logical system. For the sake of this writing, let’s say that your eBGP sessions are in the default logical system and your IGP is in another logical system, let’s call it “internal”. JunOS has some wonderful mechanisms for keeping things running: one is called NSR (Non-Stop Routing), the other is called ISSU (In Service Software Upgrade).
Nov. 6, 2011
I’ve been looking at iMessage from time to time as my schedule permits; for some reason that I can’t really explain I’m fixated on it. So, just like I did with FaceTime, I started doing network sniffing to see just what it’s doing. The results were not terribly unexpected.
iPhone.buraglio.com.53140 > st11p01st-courier143-bz.push.apple.com.5223: Flags [R], cksum 0x5ec8 (correct), seq 4109691913, win 0, length 0
14:07:51.665485 IP (tos 0x20, ttl 49, id 11699, offset 0, flags [DF], proto TCP (6), length 64, bad cksum 0 (->8fc7)!
Nov. 1, 2011
I’ve had a co-located server in one way or another for the last 11 years. From hosting a bare metal box at the ISP I worked for for a while, to sharing a bare metal box at a colo provider, to switching to a VPS service, I’ve always had an “offsite box”. I just wanted to post a quick “these guys are great” comment to my current VPS provider, ARP Networks. Not only do they have native IPv6, they also don’t oversell their VPS hosts and have unparalleled customer service and reliability.
Oct. 22, 2011
Recently I was poking around Mail.app, setting up my new machine. I like to keep redundant copies of everything, email being no exception. I have backups of all of my email dating back to 1998, for the most part. It has come in handy from time to time and I like it for reference reasons. It’s a small amount of actual data as far as space goes, and it’s easy to do.
Oct. 15, 2011
I had very high hopes for iMessage. With the release of iOS 5, one of the big new features was iMessage, the ability to do BlackBerry Messenger style messaging on an iOS device. I had really hoped that this would be something like wifisms or the DeskSMS app for Android. At the very least I was hoping for iChat integration with iMessage. This didn’t happen. Don’t get me wrong, iMessage is still really cool.
Oct. 4, 2011
I have recently enabled Duo Security for many of my personal services, and I can’t recommend them enough. Personal two-factor authentication is very useful and really powerful. It works on my iPhone and I have yet to run into any real issues… except for one. I can’t use automation to scp or sftp anything anymore and keep my two-factor auth working in a way I’m comfortable with. Enter FTPS. FTP is a terrible, yet immensely useful protocol.
Oct. 4, 2011
It’s no secret or ground-breaking area to do black hole routing. ISPs and NSPs have been doing it forever to allow for a very low cost, very scriptable and very effective way to wholesale block a Layer 3 address. However, it can seem like a bit of a black box to anyone who has never done it. I recently did some work spinning this up in a good-sized network where it didn’t currently exist, and remembered how monumentally useful (and simple) it actually is.
Sep. 7, 2011
Google has introduced a very powerful set of Python-based command line (CLI) tools called GoogleCL. This post was made using GoogleCL from my Mac. I highly recommend checking it out if you like to automate or script stuff.
Jul. 30, 2011
I’m not a fan of IPv6 privacy addressing. I understand the logic behind it, I really do: obfuscate the LLADDR (MAC address) of the host in question. But I really don’t see the realistic purpose. If someone wanted to use my MAC address, what good would that really get them, unless they’re on the same Layer 2 segment? More importantly, if they’re on the same Layer 2 segment, they have my MAC address anyway.
Jul. 26, 2011
It looks like MacOS 10.7 (Lion) has fully functioning DHCPv6. It’s about time. [Screenshots: Before, After, pfSense setup] Using Internet Systems Consortium DHCP Server 4.2.1-P1 as the server (on my pfSense box) I am able to get not only a privacy address (via stateless autoconfigure) but also a normal EUI-64 address as well as an IPv6 address via DHCPv6.
Jul. 18, 2011
If anyone is interested in the talks I participated in at Joint Techs in Fairbanks, AK, they are now on the Internet2 site: IPv6 feature support; IPv6 campus panel discussion. They’re apparently not embeddable, but can be watched from the Joint Techs site.
Jun. 30, 2011
I did some minor tweaking to the Alcatel-Lucent RANCID scripts and some modifications to make RANCID work under my pfSense environment (originally m0n0rancid code from John Skopis). Since I don’t really do much dev work and am not interested in maintaining a box to be an SVN server for the public, I threw it up onto Google Code. I’ll be adding a brief how-to on making RANCID work with pfSense as soon as I get some time.
Jun. 20, 2011
I’ve been a *BSD user since around 1997, when I installed NetBSD on a Mac SE/30 that I got for free. I was always intrigued with alternative operating systems like BeOS, *BSD, Plan 9 and Linux, so it made sense that I’d poke around with different systems. I’d gone back and forth from OpenBSD to FreeBSD but eventually settled on FreeBSD as my OS of choice. I ran it as a desktop before MacOS X came out and was generally happy with it.
Apr. 12, 2011
I found most of this on a web page somewhere that I can’t seem to find again. Below are some common useful JunOS tidbits regarding routing tables and interface types/names: JunOS CLI supports the basic grep command (like | include) so any show commands can be grepped. I believe the grep command implies the -i flag for case insensitivity. The routing table is presented in such a way as to group types of routes.
Mar. 16, 2011
I’ve been doing a lot of IPv6 stuff lately, and one of the things I didn’t find (and kinda just wanted to put one together for my own benefit) is a matrix of features I thought were important to have on the IPv6 side for common network hardware. Below is a work in progress of what I have so far, which will automatically publish changes from this spreadsheet. Please email me if you’re interested in adding to this or correcting anything I may be incorrect on.
Feb. 7, 2011
We are putting a few new SRX 3600 clusters into production soon, and we’ve had them for about 6 months in boxes. This presented a fairly significant issue, one that I didn’t think about until it smacked me in the face. The code on these boxes was old. Very old. JunOS 9.2 old. No problem, let’s just upgrade them to 10.4R something. Wrong. The code that shipped on these boxes was so old, and we waited so long to upgrade them, that I was unable to upgrade them straight to anything modern.
Feb. 4, 2011
I was recently helping my brother-in-law out with the new Seagate FreeAgent GoFlex Desk 3 TB USB 3.0 External Hard Drive he had purchased to do Time Machine backups on his Mac. I personally have the 2 TB version and have been pretty happy with it, save for one small incident that I think was my fault that required some basic data recovery. Since the drive comes in a file system that is not HFS+ Journaled, it needed to be reformatted to support Time Machine backups.
Jan. 7, 2011
Regardless of the fact that there is now a good ISSU-like service for the SRX (named Low-Impact Cluster Upgrade, LICU for short), if you’re upgrading your Active/Active cluster from something that isn’t 10.4, or if you just aren’t comfortable with how baked LICU actually is, you’ll need to know how to move the JunOS code around. This is easy if you have physical access to both nodes, but for those that have.
Dec. 29, 2010
I recently needed to upgrade a few MX480 routers and decided that it would be a good opportunity to get some experience with Juniper’s in-service software upgrade. I’d read a bit about it but I’d not had the chance to really use it. It’s pretty straightforward and it does what it claims. The following are my notes from rolling through this on my test lab MX480. A few things are necessary to get going with ISSU; first and foremost, you need to have a box with two routing engines.
Dec. 23, 2010
[Screenshot] A quick screen grab from here.
Dec. 6, 2010
At the 2010 Supercomputing conference this year, one of my tasks was to get RANCID working on the Alcatel-Lucent 77xx series. For some this may have been a simple task, but for me, a self-taught and inefficient programmer, it was something that took some time. The Alcatel-Lucent boxes were good performers, but their CLI is pretty awful. The prompt changes based on having unsaved configuration items, and can contain things like an asterisk.
Oct. 20, 2010
After enabling IPv6 flow-based processing, we decided to get rolling with making our IPv6 path congruent with everything else (IPv4 unicast and multicast). With all of the other things we had going on, we thought this would be low-hanging fruit that would be easily plucked from the routing tree. Well, a minor oversight on our part caught us by surprise. According to this handy dandy matrix for JunOS 10.
Oct. 17, 2010
We’ve been working toward a more simplified model for our network path, and in doing so, we desired a congruent path for IPv6, IPv4 Multicast and IPv4 Unicast. However, this is actually pretty hard when dealing with the link speeds, amounts of traffic and flows that we do, in conjunction with Firewall… and IDP/IPS… Lots of research, reading and testing was done. The Juniper SRX series has full support for 90% of this, with IPv6 IDP coming in Q2 of 2011.
Oct. 13, 2010
Cross-posted from my personal blog since it’s a technical subject. That is the million dollar question on many phone geeks’ minds. The iPhone is really a love it or hate it kind of device, much like Apple stuff in general. Android, on the other hand, is still new enough that some folks are still ignoring it. Well, I wanted to know which worked better for me, and so I set out to test them both.
Sep. 16, 2010
One of our plans is to consolidate as many of the egress traffic paths as possible. To facilitate this, we had to do some things like buy carrier-grade equipment. Enter the SRX 5800. No one really does IPS/IDP+Firewall quite like the SRX. After extensive research and exhaustive hands-on testing with quite a bit of equipment, that is what we settled on. Even the IBM “technical evangelist” guy that came to talk to us said “No one really does it like they do” when referring to Juniper and 10G firewall/IPS.
Sep. 6, 2010
I know this is documented elsewhere, but this was a pain for me, so I wanted to take some notes. I have several Snow Leopard (MacOS 10.6) Macs and a Netgear DNS-323. I want to mount the drive using NFS, as any good UNIX admin would. Unlike older versions of the Mac OS, NFS mounts are now handled under the Disk Utility application (which seems odd to me, but whatever). So, to make this work right I had to do the following: First, I had to make sure that the NFS add-on was installed on the DNS-323.
Sep. 3, 2010
I knew a tool like this had to exist, but I had never needed to look in the past. While debugging an RA problem, I came upon the need to view IPv6 router advertisements. How can one do this? tcpdump? Yeah, I guess that could work. It’s almost like using a bulldozer when a wheelbarrow is all you need, though. I could use ndpmon, I suppose, but that, too, seems like overkill.
Sep. 2, 2010
IDP signatures need to be updated often. On the SRX platform, there is also the notion of a “detector”. This also needs to be updated on a regular basis, it seems. Over the past few weeks, we’ve needed to update the IDP signatures and detector on our SRX 5800 cluster several times, and the results have normally been fine. Updating the IDP signatures has never been that big of a problem (see postings about updating stuff on cluster nodes).
Sep. 1, 2010
I’m not the greatest at AAA on Cisco’s IOS. I always have to think about how to order things, and to test fallback (which you should do anyway). One of the caveats that I always overlook, no matter how many times I set this up, is that Cisco IOS software attempts authentication with the next listed authentication method only when there is no response from the previous method. If authentication fails at any point in this cycle—meaning that the security server or local username database responds by denying the user access—the authentication process stops and no other authentication methods are attempted*.
Aug. 31, 2010
I have had the opportunity to work pretty extensively on the Juniper SRX firewall/IDS platform over the last few months. In doing so, I’ve found many “gotchas” the hard way. Here are a few that I’ve found so far: Clustering is a beast in and of itself. I think it needs a bit more polishing, but it could be that we just need to refine our design. On the SRX 650 it works, but you must be on the right code version (I got it to work under 9.