Jan. 11, 2025
Cloudflare offers a powerful tunneling service that allows a host on a private network to expose a service while retaining protection from Cloudflare’s powerful CDN tools. At the time of this post that service is a legacy-IP-first service, but with one minor tweak it can operate with IPv6-only hosts. This means one can provision an IPv6-only host but provide a dual-stacked service. If that sounds powerful, that’s because it is.
Jan. 3, 2025
An often overlooked dimension of data collection is flow data from hosts. This is not a new concept; there have been tools built for this for a very long time. In many cases, and especially over the last 8-10 years, many system engineers have gravitated toward tooling like Grafana and Prometheus. While these are fine tools and, if done well, provide an excellent view of host health, they aren’t really a full picture of host behavior.
Dec. 21, 2024
One of the reasons for lack of blog post publishing is that my attention has been focused fairly heavily on working within the IETF. Toward the beginning of the COVID pandemic, the US Government published a new initiative - M-21-07, which requires the migration of all federally owned systems to IPv6-only. What does “IPv6-only” mean, you may ask. Well, that’s kinda nebulous. People define it in varying levels of extremism, I’ve chosen to define it as “a device that can operate without the use of IPv4 configured”.
Aug. 25, 2023
Over the last few years I have pulled back from the social networks and refocused in a way that has allowed for more time not doing tech. Overall this has been an extremely healthy choice that has only strengthened my desire to learn new things, experience different ways of thinking, and expand my overall vision past technical endeavors. This has led to some enlightening thoughts surrounding how not hyper-focusing on one thing is, in reality, a very good thing overall, and contrary to what social media may imply, will only serve your overall well-being, which in turn can fuel passion toward things that can actually be beneficial career-wise.
Jul. 14, 2023
Over the last year there has been a slow hum, quietly building around the notion of building what has been called an “IPv6-mostly” network. What does this term mean? How do we do it? Why bother? Well, let me attempt to answer those questions. First, what is IPv6-mostly? Thankfully, it is pretty much what it sounds like - a network segment (i.e. a LAN segment) that is mostly IPv6, and only legacy IPv4 where it has to be.
May. 9, 2023
Once again I was fortunate enough to be invited to talk with the experts on IPv6 Buzz about everything IPv6 and my experience with attending IETF 116. You can check out the episode here. Discussion mostly centers on multihoming IPv6, but we run the spectrum of addressing, documentation, and all of the fun topics! Give it a listen here or in your favorite podcatcher. https://feeds.packetpushers.net/link/19801/16106092/IPv6_Buzz_125_Unique_Local_Addressing_ULA_And_Other_IPv6_Topics_At_IETF_116.mp3
May. 9, 2023
I will preface this with what I always say: do not implement this without IPv6 unless you literally have no other choice. IPv6 will allow for a significant resource offload because most eyeball services (Netflix, YouTube, Google, Facebook, etc.) will prefer IPv6, thus removing your requirement for more IPv4 NAT state and overload / port utilization. Because I found no simple how-to for using NETMAP for CGN on a Mikrotik, here is one.
Mar. 23, 2023
“Multihoming IPv6 is a pathway to many things some consider to be ……unnatural.” ―Darth Sidious, maybe. The current state of usability for multihoming IPv6 is fairly limited, and not terribly supportable. That said, it is doable, if you have the fortitude and hardware / software to make it happen. In this episode of MODEM, we get super nerdy about the current state of multihoming IPv6 and all of the gory details and exposed limitations.
Nov. 4, 2022
IPv6 unique local addressing has been a popular topic over the years. From its humble beginnings, replacing site-local, to the surge of interest within service providers, enterprise, and casual users due to the wealth of content now available on IPv6 and the prevalence of availability within major consumer ISPs, it has become quite a polarizing topic in the technical communities that are diving head first into the modern, current networking protocol - IPv6.
May. 29, 2022
So, you need a 100G router or switch, but are deeply concerned about:
Cost
Power draw
Cooling issues
Price
Capabilities
Money
Availability
CapEX
The ever-increasing need for faster interfaces, and standardization in the WAN at 10G and 100G rather than 40G or 25G as an interface spec, has dramatically increased the need for 100G hardware. With power consumption of most 100G platforms rising to ludicrous levels, and the accompanying cooling required to keep those platforms running smoothly keeping pace with the power draw, one may start to believe there is little hope for 100G for the small to medium size networks.
Apr. 9, 2022
The future called and it wants more IPv4 space. As much as I am a staunch proponent of IPv6, I get the need for more IPv4. Cloud providers, enterprises, ISPs, they all need it to stave off the CG-NAT as long as possible. Well, some friends came up with a pretty straightforward way to get it - or, according to some, “completely break the internet”. We recorded this episode with Dave Taht (who you may remember from our podcast on bufferbloat) and Seth David Schoen about some new drafts they wrote for the Unicast Use of the Formerly Reserved 240/4, 127.
Apr. 9, 2022
Well there has been a lot of hubbub about IPv6 unique local addressing lately. You know, that address space defined by RFC 4193? The one that most folks think of as “RFC1918 for IPv6” (It’s not that)? Well, we recorded a podcast with Ed Horley over at modem.show to talk about it. Interested in how ULA is different than GUA (globally unique addressing)? Wanna understand what is broken about it (the list is significant)?
Feb. 10, 2021
IPv6 has been a hotly contested technology for as long as I can remember. It has always been “a few years out”, or something “no one is asking for”, depending on who is asked. In reality, and like most things, the truth lies somewhere in the middle. IPv6 has been slow to appear for certain demographics of networking, but a long standing pillar in others. It just so happens that IPv6 is not being asked for because when deployed correctly most users just don’t notice that it is there - and that’s by design.
Jan. 21, 2021
Back in January of 2016 a vain attempt was made to do a networking podcast called “non-blocking”. One episode was recorded - an informative conversation with Peter Phaal of sFlow / inMon. It was really fun to do, and was met as a reasonable freshman endeavor. In the making, however, there were a few things that were made painfully obvious:
Scheduling a podcast is difficult. Getting the right people available at the same time is often a herculean endeavor in and of itself.
Jan. 4, 2021
I have been sitting on this post for quite some time. This is a long and personal story with some technical bits for those looking to solve the same problem I was. It was a long, complicated, frustrating journey of sad realization about the state of IPv6 for everyday users and those with business class connections over consumer-focused last mile networks. It is well documented and annoyingly understood that I am a vocal proponent of IPv6.
Jan. 2, 2021
2 Jan 2021 seems like as good a time as any to start thinking about change. Change is inevitable. The only constant is change. Adapt or die. There are any number of stereotypical and cheesy mantras that can be chanted over a beating drum whilst sitting around a fire. However, saying them and coping with change are very different beasts. As I have written in the not so distant past, most change invokes an inherent fear of failure and aversion to risk.
Aug. 3, 2020
It is all too common that smaller shops do not have the resources for a proper test lab. Even with the cost of grey market hardware, and the ease of virtualization, the gap is definitely there - be it time, financial limits, manpower, or even a general malaise toward even asking for something which may get denied. This presents a problem for multiple reasons:
Changes are not staged in a safe environment first - i.
Jul. 20, 2020
As some may know, I have been head down in the segment routing game for almost two full years. As such, it has enabled me to get down into the gritty details of how SR - specifically SR-MPLS, and to a lesser extent the alternatives SRv6 and SRm6 - actually works in practice. Given that this is a fairly new technology, and that it is more service provider focused, there are limited resources available outside of the vendor documentation, and what is there tends to get drowned out by the hype around things like SD-WAN and other more marketed technologies.
May. 4, 2020
One of the most common questions I hear from small and even medium sized ISPs is “why should I run my own DNS resolver(s)?” The perception that DNS is hard, complicated, or even unnecessary is often cited as a reason to just farm it out to one of the “free” anycast resolver services available across the internet. Now, there are many reasons to be wary of DNS, both from the professional and the consumer side - it is a huge treasure trove of personal information about behavior, and is easily monetized by entities large enough to consume and process it.
Mar. 5, 2020
Today more than ever, networking has fundamental similarities. The days of routing IPX/SPX, AppleTalk, Banyan Vines or provisioning ATM and Frame Relay links are moving into the past. Most networks are now based on ethernet*. Most run at least IPv4 as a routed protocol. They leverage similar connectivity techniques such as an interior gateway protocol, a layer2 mechanism such as VLANs or VPLS, and an identifiable border (e.g. an autonomous system).
Jan. 27, 2020
I was originally going to be inflammatory and title this “Details don’t matter”, but at the last minute I walked it back. This topic is consistently a pile of hot garbage. Why? Many reasons. Because technical people are, in general, extremely detail focused, and often binary minded (right/wrong, black/white, yes/no, 1/0). Because of this, a great many times we as technical people can hyper-focus on the details, especially when change is on the table.
Jan. 17, 2020
VPNs are a critically useful tool for gaining access to resources that cannot be exposed to the public internet for many different reasons, either policy or technical. VPNs can, however, be painful to install, difficult to troubleshoot, and in many cases (e.g. one time triage, single use instances) complete overkill. Providing encrypted access to this gooey center has never been easier, though, thanks to the ease of sshuttle. sshuttle has some very usable capabilities.
Jan. 12, 2020
For those that may not be familiar, The Brothers WISP is a last mile wireless and Mikrotik focused podcast (although they cover far, far more than just that). Recently, I had the pleasure of sitting down with them again, this time one on one with Greg, the mastermind behind all of it (or as I like to call him - “The velvet fog” due to his really smooth and polished podcast delivery).
Dec. 21, 2019
Segment Routing. The technology that will likely cement itself (or already has, depending on who you ask) as the next evolution of carrier networks. Three years ago I was asked to participate in a very deep round table put together by the Tech Field Day crew and the only topic on the table was Segment Routing. Needless to say, I was enamored by the advantages that the raw technology provided, and thus far that enthusiasm has not diminished.
Sep. 8, 2019
Flow data is a critical piece of understanding how your network works and what it is actively doing. It also provides a great baseline and capacity planning tool. However, some of the more feature rich NetFlow and/or sFlow collectors can be quite daunting in their cost and/or complexity to install. ElastiFlow is a great alternative for flow analytics and is built on the well traveled and robust Elastic Stack, meaning its back end is well documented, well supported, and scales exceptionally well.
Jul. 29, 2019
Small to medium ISPs are an interesting phenomenon. Early in my career I was pretty heavily involved in that space, so much of my current thought processes and methodologies are heavily informed by that experience. Something that never ceases to amaze me today is that the practice of scripting and “automating” things seems to have become somewhat of a lost art, or at the very least it is not part of an initial deployment plan.
Jun. 29, 2019
BGP. It’s that magical protocol that runs the internet. For as much as BGP is a fundamental, critical, irreplaceable part of the core functioning of the internet, it is a protocol that has not aged well as far as security is concerned. See, BGP was born when the internet was really still an academic experiment. Handshakes and loose agreements were totally fine for connecting a new site.
Then came the awakening.
May. 29, 2019
Years ago I wrote about building a secure network in a box. Over a weekend I decided to revisit this concept thanks to a colleague at work wanting to do something similar. It got me thinking “a lot has changed since I last did this” and it felt like time to revisit it. Well, disappointment wasn’t in the cards because it’s easier, smarter, and more flexible now than it was back then.
Apr. 29, 2019
There is no shortage of network telemetry data that can be collected, recorded, graphed, and stored for cross reference and triage. Not one to be underestimated, latency can be incredibly powerful when leveraged for baseline and deviation notification. As I have alluded to in the past, there are many tools in this space. I have written about a few of them in detail and touched on others in passing. Regardless of the tool, the data is powerful and the instrumentation they provide will only serve to make your network more robust and easier to work on.
Mar. 31, 2019
Over the last few days there has been a huge amount of FUD and panic surrounding two as-yet-to-be-published CVEs (found here and here) related to Mikrotik’s IPv6 implementation. It is my opinion that this entire process has been poorly handled, that the community involved tends to be fairly sensitive to issues such as this, and that the cloak and dagger nature of the two issues has only exacerbated it. Mikrotik, as a company, is well known for being terse in their responses and tight lipped with their internal workings and dealings with these kinds of issues.
Mar. 2, 2019
A few months ago Kevin Myers of IP ArchiTechs introduced me to a really interesting project called FreeRouter. Being that I absolutely love alternative routing platforms and feature complete simulation environments, this really got me going. I tend to define “feature complete” in a routing platform as something that can do both IS-IS and MPLS. Given that there aren’t many platforms that do both correctly or within a reasonable budget, and offer simulation options, I was pretty excited.
Dec. 10, 2018
In recent years, the nature of privacy on the internet has become a very important topic amongst those concerned with the now lack of net neutrality. The de-facto mechanism for dealing with privacy has been to "SSL all the things", which I am very much in favor of. What many do not realize, though, is that simply using SSL for the traffic that transits a given ISP still leaves a wealth of thick, rich, delicious personal data still easily available to your ISP to harvest, sell, and do with as they please.
Nov. 5, 2018
Remember OpenFlow? It was the media and marketing darling for the better part of 5 years as “the machine” conflated OpenFlow with SDN and SDN with - almost literally - everything. “Still Does Nothing” was a common phrase uttered around those of us that had run large scale, complex networks for a long time. Quietly, and mostly out of the fickle media and blogosphere eye, a scrappy little SDN project called faucet has been diligently plugging away, making easy to use, production quality, well documented, and very stable code that runs OpenFlow networks quite happily in production and at scale.
Nov. 1, 2018
As an often-security-engineer and an individual that has been working on large networks for quite a while, dealing with DDoS, or the threat of DDoS is a well traveled path. Recently I was invited to discuss some of the basics of DDoS mitigation on the Network Collective Podcast. This was a really fun and insightful chat with a wealth of great information for engineers and operators of any skill level. Ep38 - DDoS Mitigation from Network Collective on Vimeo.
Oct. 18, 2018
Recently, the venerable Ivan Pepelnjak published a very insightful article about automation becoming such a popular topic, spawned by an email from one of his readers. I found this article to be spot on, and wanted to add a bit of my own opinion into the automation pie, as I have been spending a lot of time on automation as it relates to existing networks as well as SDN based environments.
Sep. 1, 2018
IPv6 has been a crusade of mine for well over a decade. Whether it is teaching IPv6 workshops, offering advice to new users, answering questions, or evangelizing it ad nauseam, it is an important topic to me. The ISP world holds a special place in my heart since a good deal of my early experience came from building or assisting regional ISPs. Recently I had a fun opportunity to talk about deploying IPv6 on The Brothers WISP podcast.
Jul. 16, 2018
As a follow up to my last post, I wanted to dive a little deeper into the world of address translation and to suss out some of the more compelling details. As I’ve said on many occasions, it pains me to see NAT referenced as a security mechanism. That said, where PNAT can be beneficial is in an overall privacy strategy; however, even that is comparatively low value and, given the current state of global IPv4 allocations, arguably a detriment to usability. We’ll get to that, but before we do, it is important to understand what “NAT” as we call it today actually is, and to do that we need to explain all of the types of address translation (yes, there are several).
Jun. 11, 2018
I’ve been very vocal about the misinterpretation of NAT for many, many years. Since its inception, NAT has been slowly perverted into what many now believe to be a security mechanism. While I do see a reasonable use of IP masquerading in a larger security strategy, this is not the original intent (or implementation) of NAT. What most network engineers call “NAT” is actually one-to-many network port address translation - or taking one public address and “hiding” a number of private (likely RFC1918) addresses “behind” it, using ports to translate traffic and keeping the state of those connections.
May. 4, 2018
It’s no secret that RF technologies and what I like to call “specialty networking” are two of my favorite things in the networking space. Put them together and it is like chocolate and peanut butter! Now, some may not consider Field Area Networking (FAN) to be “unconventional”, but it certainly falls well outside of the space of what is typically traditional enterprise networking. That said, Cisco’s FAN briefing at Network Field Day 17 really got me excited and thinking about the alternatives for the IoT space.
Feb. 19, 2018
Build vs. buy is an often lamented and always hotly debated question in all aspects of IT, however, if one is able to truly look at all angles the answer is typically straightforward and can be rooted in one simple strategy: don’t reinvent the wheel.
Don’t reinvent the wheel
Too many times we as an industry don’t do our homework - we are all guilty of it - and we reinvent a wheel.
Feb. 10, 2018
In the tradition of my NIX4NetEng series I’m going to dive deep into the world of strategy, and specifically into the strategy of how we look at and operate our networks, the data they generate and the analytics that are available (and often overlooked) in how networks are managed both long term and day-to-day. So, in the spirit of visibility, let’s think about how typical networks are monitored. My guess is that you either already know, or will soon realize, that visibility and testing across disparate networks is hard.
Dec. 18, 2017
You have one, right? Even if your entire strategy is “collect some flow data”, there is absolutely NO reason not to have a netflow implementation, and frankly, it will save you time and money over time if you make the effort to do it. I love network data and analytics and I have waxed poetic about how important they are at every opportunity. There are a myriad of options for analytics and flow data.
Dec. 7, 2017
I have my +100 hat of irreverence on today so it’s time for a soapbox post. Having recently read several posts and articles on what seems to be the never-ending cavalcade of assertions that “networking people will be out of jobs and you’d better learn to be a programmer” - or more succinctly put: the “dramatic changes in IT networking”. To this I respond simply: The scorched earth, “there’s a hole in the boat, we’re all going to die!
Oct. 3, 2017
Configuration management is a critical part of successfully and efficiently running any network. From the early days of networking there have been options for doing configuration backup. Several projects have been around for literally decades, enabling the backup of a myriad of critical network devices and providing historical archives. Many of these projects and platforms require a reasonable amount of unix experience and perhaps some development skills. I’m going to give a quick synopsis of my three favorites; these are all very different in execution but provide the same types of services - configuration backup, diff, and archive (and not much else).
Jun. 14, 2017
Anyone that looks at this site with any regularity may have noticed that I have been pretty remiss in adding posts - for that I apologize, things have been busy. However, I have not been absent in the tech world…quite the opposite, in fact. I’ve been spending more and more time on podcasts and other forms of tech media which I have not provided links for here. So, to help expose that, here are a few of the other media resources I’ve been popping up in.
Mar. 25, 2017
Taking politics and putting them aside, what the new administration has been attempting to change with regard to internet privacy is something we should all be informed about. Whether you have a tin foil hat or don’t care, “knowing is half the battle”. The other half is doing - which I will also lend some brief insight to (sorta). What’s changing? Nothing yet (as of the time of this writing). What will likely change?
Mar. 20, 2017
In the last few years I have moved all of my virtualization to Proxmox and Docker. Seeing as I like to look at packets because I am a closet security guy, and being as I have been working off-and-on on a security project in recent times, I wanted to be able to span a port not only from a hardware switch, but also within my software switches. I had been using Linux bridge, which I am not a fan of, so when I started down this path I did not look hard to find a way to do so under that platform.
Oct. 3, 2016
Edit: Going against my normal “just get the content out there” methodology, I’ve been mulling over this blog post since July of 2016. Segment routing is such a beautifully elegant solution I have had trouble articulating that fact. WAN technologies are squarely within my wheelhouse, and this one fits in so well I was going over and over the post never really satisfied with it, continuing to find mistakes and decided to just get it out there.
May. 21, 2016
I was recently at a meeting where BGP RPKI was the topic du jour. While this has been a topic that I have visited on occasion over the last few years and something I wanted to spend significant time on, I have found that setting aside the time has been difficult and sparse, much like the deployment of BGP RPKI. In order to better understand the options available, it's important to break down the pieces and terminology involved; BGP is daunting enough to those unfamiliar with it and adding PKI on top of that can be even more so.
Feb. 27, 2016
The sixth [and arguably very overdue] installment of my NIX4NetEng series, this began as an overly complex diatribe about DNS. As it evolved, I realized that DNS is so complex and far reaching that it could never be contained in one meager post. DNS is a powerful tool. It has existed for so long that many that have never had the responsibility of running an authoritative or recursive resolver may take for granted the extensive reach of a tool so ingrained in the fabric of the internet that it is frequently overlooked, much like a utility such as electricity or running water.
Jan. 18, 2016
I'm way overdue for a soapbox session -- I found this one in my drafts and thought it was something I needed to put out there. It's already dated in terminology but that actually helps make the point - it's hard to keep up. Let's throw this out there: social media can be exhausting. Do not misunderstand me, it’s a great tool for communication, obtaining and disseminating information as well as standard goofing around.
Nov. 5, 2015
A few years ago I wrote some text on interdomain SDN. Years later, work is being done, smart people are thinking about it and building ways to make it a reality. Not being one to give up on an idea, I gave this presentation in May at ChiNOG on my take on what that architecture should be. I (we) propose that the use of existing protocols such as BGP FlowSpec will make this realistically deployable and maintainable given some simple, pluggable middleware.
Jul. 6, 2015
Back in February of this year (2015) I was introduced to Solarwinds when they presented to us at Networking Field day 9. Until then I knew of SolarWinds products but only at a cursory level; I had never really seen or used their stuff since it was mostly focused on environments that were either smaller or outside of the networking world that I generally operate in. However, I am a[n insufferable] network monitoring “aficionado” so when the opportunity to play around with it arose, I happily took it.
Jun. 20, 2015
I recently had a need to test OpenFlow on the brocade ICX 7450 for a fairly good sized, high visibility project. The basic goal is pretty simple, Layer2 path provisioning. Straightforward and fairly well supported in OpenFlow, even from the early days. To do this, the idea was to use a turnkey platform, that way there is one throat to choke if there are issues. I landed on the Brocade Vyatta controller (which is essentially ODL), and the ICX.
May. 16, 2015
There are a vast number of entities that offer the seemingly ubiquitous “cloud”. “SaaS”, “IaaS”, “BLAHaaS”, buzzword compliance is truly a sought after thing by marketing folks. With the proliferation of virtualization, containers and other “time slicing” of hardware by software the chatter can quickly become noise. As technical professionals and the warm bodies with the responsibility for actually making things work and keeping them running, the onus is on us to be able to decipher the useful from the fluff.
Mar. 28, 2015
Since Network Field Day 9, I have spent more and more time mentally grinding on what Brocade is doing. I have been a pretty vocal critic of the foundry hardware and software platform since my first experience with it years and years ago. I found it to be lacking in completed features, Layer 3 functionality and general stability.
This is one reason that anyone reading this should take pause and think about the background this post is sourcing from and how much of a shift it is.
Mar. 19, 2015
For those that run BGP networks, BGPmon is often a tool they turn to for some really unique and hard to find information. Remember back in February 2008 when Pakistan Telecom "blocked" Youtube? That one was a really, really public example of something that BGPMon caught. BGPmon has been around for a long, long time. Quietly watching prefixes. Silently noting changes and reporting them to the ones lucky enough to know of its existence.
Mar. 15, 2015
At Networking Field day 9 there was a great deal of discussion regarding monitoring, modeling, and maintaining networks, as would be expected at an event with such a focus. Luckily for us, an interesting product that comes from a company that I was unfamiliar with called NetBeez gave an inspired presentation. Now, NetBeez got my attention for a few reasons. First off, NetBeez is doing some really great things in the field of network monitoring.
Feb. 20, 2015
When NEC began talking about SDN at Network Field Day 9, I was not sure what to expect. I knew they had been heavily involved with openflow since the early days, and many years ago I was able to get my hands on their early OpenFlow controller and was immediately frustrated by its cryptic nature and frankly, poor documentation. Their switches were fine and were heavily utilized in early OpenFlow deployments.
Jan. 28, 2015
BigSwitch is making waves again, this time with its Big Cloud Fabric product update. I was lucky enough to get a bit of a preview of what was coming and was pleasantly surprised by the new features, finding them functionally useful for operators, security folks and management alike. Not only is the fabric fit to operate at hyper scale proportions, they've paid close attention to making such operations even easier.
Jan. 24, 2015
In a few weeks I’ll have the opportunity to participate in another Network Field Day. I’ve been lucky enough to have the opportunity to attend in the past and have done some remote participation when possible, but like some of the other rare opportunities I have had in my career, NFD is fairly unique in that it is constantly evolving in both the information provided and the individuals involved. As the saying goes, variety is the spice of life.
Jan. 19, 2015
VMWare is a powerful tool, and monitoring is a critical service. How does one monitor such an integral piece of infrastructure, and what do they monitor it with? There are powerful commercial ways of monitoring VMware, however, for those with existing SNMP based systems in place, specifically cacti, there are options. To that end, I'll set aside my strong distaste for SNMP [yet again], because those are for a larger, less useful series of posts.
Dec. 21, 2014
Sometimes in networking and security it becomes necessary to do lookups of location data on IP addresses and prefixes. On my Mac I use homebrew to manage packages, but most of these tools are available with the typical apt, yum and port package management systems. For this post, I’m going to shift gears and show the install on my mac:
sliver:~ buraglio$ brew install geoip
==> Downloading https://downloads.sf.net/project/machomebrew/Bottles/geoip-1.6.3.mavericks.bottle.tar.gz
######################################################################## 100.0%
==> Pouring geoip-1.
Oct. 15, 2014
With the recent release of the POODLE SSLv3 vulnerability, folks are scrambling around trying to figure out what runs what and where. Running a handful of things that do SSL, I was obligated, both personally and professionally, to figure out an easy way to drill down and figure out what does what and then fix the vulnerable services. When there are a lot of devices, this can seem like a daunting task, and it is if you’re trying to do it manually.
Oct. 10, 2014
I was wanting to do a few quick mock-ups with OpenvSwitch and OpenDayLight and wanted to use CentOS since I have templates for it that I replicate. Just like with the Debian stuff I had been doing, I wasn’t able to find any in some quick searches. I stumbled upon This site, which had a great how-to for building them, so I just used that. Seeing as the Debian packages actually got downloaded a lot, I figured I’d post these RPMs as well.
Sep. 22, 2014
I was recently granted access to the beta BigSwitch Networks lab site, a purpose built classroom in the cloud focused on teaching the BigSwitch SDN environment. I had seen some of the BSN offerings in the past and always held them in high regard, but I was thoroughly impressed with both the completeness of the lab and how polished the controller environment was. At the time of this writing, the lab consists of 3 modules: Building cloud fabric, monitoring fabric and dynamic provisioning of monitoring fabric.
Sep. 15, 2014
I know, I know, I’m always saying that you don’t need a firewall. That’s mostly to get your attention to push my agenda of sane security architecture, I do actually believe that firewalls are appropriate in a great many use cases and I’ve managed them big and small ranging from Juniper SRX 5800 clusters to tiny purpose built BSD distros on custom hardware. I even managed Checkpoint and gauntlet firewall back in the 1990s.
Sep. 8, 2014
I admit that the title was meant to be inflammatory. However, there are use cases that aren’t terribly uncommon where an in-line security appliance is just not the correct tool for the job. Someone once told me “a firewall protects a network like a fuse protects an electrical circuit”, and it’s mostly a correct statement. Firewall vendors will probably argue this and enterprise folks may discount this as heresy and call for burning me at the stake.
Aug. 12, 2014
I’ve blathered on about BGP forever. Say what you will about the venerable protocol, it runs the interwebs, is reliable, extendable and well documented. I’ve also espoused ad nauseam about IPv6, so none of this [admitted] rant should really be a surprise coming from me. As of 8/12/2014, according to the CIDR report (and many mailing lists), the default free global IPv4 routing table has reached 512k routes. This is a milestone from many perspectives, but more importantly, it solidifies the fact that there is a great deal of equipment in critical points in the internet that is out of date and cannot perform as intended in its current configuration or function.
Jul. 26, 2014
IP addressing and subnetting is a common interview subject. I assert that memorizing these things is useful for learning the concepts but ultimately futile in that it is time consuming and inefficient use of engineering time when tools can be utilized to accomplish the same goals in less time with fewer errors. Honestly, I gave up doing this kind of work manually around 10 years ago and have never regretted it, and in actuality, I’d probably struggle to do it at this point because it’s a repetitive process better suited by code.
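As an added example of doing exactly that work with code rather than by hand (this is not from the original post), the functions below use Python’s standard ipaddress module to answer the usual interview questions: network, broadcast, mask, wildcard, usable host range, splitting a block into equal subnets, spotting overlapping prefixes in a list, and aggregating adjacent ones. The function names are my own; the /31 handling follows RFC 3021, and IPv6 blocks get no broadcast entry.

```python
import ipaddress
from itertools import combinations


def subnet_report(cidr):
    """Summarise a prefix: the numbers people are asked to derive by hand in interviews."""
    net = ipaddress.ip_network(cidr, strict=False)   # strict=False accepts a host address
    if net.version == 4 and net.prefixlen < 31:
        usable = net.num_addresses - 2               # network and broadcast are reserved
        first_host = net.network_address + 1
        last_host = net.broadcast_address - 1
    else:
        usable = net.num_addresses                   # /31 and /32 (RFC 3021), and IPv6
        first_host = net.network_address
        last_host = net.broadcast_address            # last address of the block
    report = {
        "network": str(net.network_address),
        "prefixlen": net.prefixlen,
        "netmask": str(net.netmask),
        "wildcard": str(net.hostmask),               # the ACL-style inverse mask
        "first_host": str(first_host),
        "last_host": str(last_host),
        "usable_hosts": usable,
    }
    if net.version == 4:
        report["broadcast"] = str(net.broadcast_address)
    return report


def split(cidr, new_prefix):
    """Carve a block into equal subnets of the given prefix length."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


def find_overlaps(cidrs):
    """Return every pair of prefixes in the list that overlap (same address family only)."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [(str(a), str(b)) for a, b in combinations(nets, 2)
            if a.version == b.version and a.overlaps(b)]


def aggregate(cidrs):
    """Collapse adjacent or contained prefixes into the smallest covering set."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    # collapse_addresses refuses mixed families, so collapse each family on its own
    return ([str(n) for n in ipaddress.collapse_addresses(v4)]
            + [str(n) for n in ipaddress.collapse_addresses(v6)])


if __name__ == "__main__":
    for key, value in subnet_report("192.0.2.77/26").items():
        print(f"{key:>13}: {value}")
    print(split("192.0.2.0/24", 26))
    print(find_overlaps(["10.0.0.0/8", "10.1.0.0/16", "192.0.2.0/24"]))
    print(aggregate(["192.0.2.0/25", "192.0.2.128/25"]))
```

find_overlaps is the one worth keeping around: feeding it the prefixes you are about to announce or filter catches the duplicated or nested blocks that a by-hand calculation quietly misses.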
Jun. 23, 2014
With the recent announcement of Cisco Systems’ intent to purchase tail-f, proponents of a multi-vendor environment are waiting with bated breath to see how the networking giant will deal with support of competitor hardware and CLIs. YANG is here to stay, there is no doubt about that. As is NETCONF. Both of these are good things for the industry as a whole; having a standard way to communicate with network hardware [that isn’t OpenFlow] is necessary and immeasurably useful.
Jun. 7, 2014
I don’t care what your vendor alignment of choice is, Cisco, Juniper, Brocade, Alcatel….it doesn’t matter. At one point or another you’re going to need to bird dog an address to see where it’s coming from, who owns it, what its DNS name is or what path you’re taking to get to it. We’ve already talked about BGP tools, they’re a great choice for checking routes across the internet. Hunting down addresses is an interesting one, though, as address management and lookups can bleed into other aspects of networking like path selection, latency, jitter and many other things.
May. 17, 2014
Many regular internet users are extremely upset about the recent proposed changes the FCC has opened for comments about the delivery and provisioning of internet services. Watch this video if you’re unaware of the high emotions it has evoked: While these are proposed rules and are not in any way finalized, there is real concern that they may become law. Where this is problematic is that it opens up the possibility of some real misuse, abuse or simple misunderstanding of needs and services.
Apr. 30, 2014
Many network engineers are also tasked with maintaining systems that provide network services, those things that make the network easier to use such as DNS and DHCP or management systems that perform useful things like monitor the network, collect flow data or bestow access to the equipment by acting as bastion or jump hosts. In many instances, robust and high availability services run on UNIX, Linux or BSD systems for stability and reliability, so those that manage these systems need to be well versed system admins as well as whatever their other job functions are.
Apr. 20, 2014
I firmly believe that blending disciplines is the way of the future in IT. I’ve rambled about it here at other venues and I’m vocal (some would probably say brash) about it on the twitters. Be it Networking and System, Systems and Security, Programming and Networking, most of us that have been around any length of time already do it but now it’s happening out in the open and “DevOps”, a form of the hybrid IT worker, has seemingly become the BOTD (Buzzword of the day).
Mar. 20, 2014
Time to rewind from the new and shiny and get back to the roots of networking. BGP is one of those odd protocols that is foundational to the functioning of the internet but yet somewhat hard to get experience with. Say what you will about this venerable protocol, it’s been here a while and it is not going anywhere any time soon. I’ve been doing BGP since around late 1999, and I completely fell into it by accident, having only the Cisco Internet Routing Architectures book (which I literally read cover to cover) and the Ulysses Black Routing Protocols book and whatever I could find on a random search engine to guide me, and that was only after having to learn on the CLI for the first 6-7 months.
Mar. 10, 2014
I recently had the displeasure of dealing with a series of failed disks in my newly created ZFS based NAS. I had cobbled together roughly 12TB of disk space and jammed them into an old PC, stretching the limits of the platform when I decided to go with ZFS. I broke all of the rules: underpowered, single core PC, only a handful of gigabytes of non-ECC RAM, etc. I’m sure storage guys are having a coronary after reading that, but it works for me and has minimal issues since I just need relatively redundant bulk storage and it doesn’t need to be fast (the ethernet connection is only 100M).
Feb. 26, 2014
“Hopefully there are some things here that will make you really upset in a very good way” is how Carl Moberg of Swedish-based company tail-f opened up to the crowd at Networking Field Day 7 on Feb 19, 2014. Tail-f is a sleeper, I had actually never heard of them before NFD7, but they’ve got a very unique product in NCS and in my opinion it can change the way existing and future networks are managed.
Feb. 10, 2014
A while ago I got an email asking me to participate in Network Field Day 7. I was very happy and humbled to get asked again since I wasn’t able to attend NFD5 or NFD6 for various reasons outside of my control (although I did try to participate with NFD5 remotely). If you’re unfamiliar with the tech field day series, you should spend a little time and learn about the value it brings.
Jan. 11, 2014
I am an absolutely huge fan of statistical and instrumentation data, especially when it comes to traffic analysis, visualization and baselining. I’ve rambled on about the importance of it at every opportunity. As a result of that, I have been doing work with netflow and netflow-like data for a fairly long time. My first collector was the OSU Flow tools based stuff back around 13 years ago. From there I played with all kinds of netflow tools, both commercial and open source, finally settling most of my focus on nfdump and nfsen.
Jan. 4, 2014
The buzz as of late around the security and networking communities has been about the NSA and their catalog, or spy toolkit. I’ve spent time in my career thinking about and doing infosec and I did a brief stint working for the FBI in a project called NCDIR. I like to think that I can provide at least a peripherally competent commentary about it [take it with a grain of salt].
Dec. 7, 2013
About a year ago I did a brief review of the “new Sonicwall”, specifically a smaller branch office device that was said to have all of the features of the larger devices. I proposed that it had some significant limitations (much to the disagreement of a great deal of folks). However, I stand by my statements. If you ignore the fact that firewalls often cause more problems than they solve, that NAT is a nightmarish kludge (and not a security mechanism), and will likely be phased out for better options eventually, the SonicOS I tested was pretty limited as far as what I believe should be features.
Nov. 29, 2013
As part of a larger fun project I’m working on (OVS for the ALIX platform; more to come on that once I have it 100% working), I have been playing a lot with OVS. It’s a great platform, and as others have mentioned, it’s as close to an SDN reference data plane implementation as we have. I’d be surprised if many if not all commercial implementations of OpenFlow aren’t based on OVS.
Nov. 9, 2013
My personal background in computing (specifically networking) is atypical. I have a bachelors in visual arts and only took a handful of computing classes in my relatively long tenure in college. However, I did learn one valuable lesson that has served me pretty well over the 15 or so years I have been doing networking and I’d bet money any good network engineer that has more than 10 years of experience will nod their head at this and agree.
Sep. 21, 2013
Let me be clear, when I say “single vendor” I’m talking about being “single vendor” in what you work on, not necessarily what you install (although one basically forces the other) and what I really mean is multilingual. I’ll explain after a brief history of why I am the way I am. I’m idealistic but I’m also realistic. I generally propose solutions that I think are best even if it is non-standard or out of current comfort level along with an alternative or two.
Sep. 1, 2013
One of the things that I’ve always lamented about using non-Cisco hardware is the lack of true 1:1 netflow support. Say what you will about jflow, cflow, sflow….there is no substitute for netflow, with sflow being the exception to that since it is a protocol that inherently supports ipv6 and can transport far more than simple network information if configured in certain ways on certain devices. On newer MX series Juniper routers the game has changed.
Aug. 7, 2013
Working on some MX series routers recently I encountered a problem I’d never seen before, essentially preventing the configuration from being committed: buraglio@rtr# commit check re0: error: could not open configuration database (juniper.data+) This is a very annoying problem and is terribly inconvenient as you can probably imagine. So, my first instinct was to drop down to the shell and start hacking at it UNIX style. buraglio@rtr> start shell From there I wanted to see the file system and check out the stats of what it thinks we have.
Aug. 5, 2013
I have been learning and using IPv6 for a quite a while, even before I worked in research and education, back in the ISP days. I thought I should learn it because, frankly, I figured we’d all be converted to it by now, already whole hog using it like it was the layer 3 addressing mechanism that it is. Flashback: My first IPv6 access was via a tunnel to HE a long, long time ago and before that I was reading what I could about it.
Jul. 25, 2013
In many environments, the move to virtualization is a path well traveled. My home and lab networks are no exception to this and I’m sure nearly everyone who reads these pages has at least been exposed to it in one way or another. I have played with nearly all of the virtualization platforms and am firmly in the camp that there will be a large segment of networking that will move to a virtualized platform especially in the data center and campus segments.
Jul. 5, 2013
I had the need to build a FlowVisor instance under CentOS. Since nearly all of the docs I could find were for debian, I threw this together. I utilized this GENI doc and the github docs as a simple reference. This is the quick and dirty method I used: Install the prerequisites: sudo yum -y install ant eclipse java-1.6.0-openjdk.x86_64 git sudo yum -y groupinstall “Development Tools” Create my standard directories: mkdir /services cd /services git clone git://github.
Jul. 3, 2013
I want to preface this by saying that I have not seen or worked on the Cumulus Networks system yet. This is a stream of consciousness post on my thoughts and opinions based on what I’ve read publicly. Recently a new network player has emerged on the scene with a very simple, straightforward idea. Take Linux and put it on a switch. While this isn’t exactly new (see Juniper and FreeBSD, Arista with Linux, Force10 with NetBSD or the plethora of other vendors using an opensource OS as the underpinnings of their NOS), the angle that Cumulus Networks is taking is a bit more….
Jun. 30, 2013
One of my biggest complaints about VMware is that it is an enterprise application. It has historically catered to the masses, which I completely understand, but those of us that aren’t a fortune 500 company are figuratively and operationally shoved into a corner and forced to find hackish ways of doing things to work around the enterprise nature. One really, really good example of this is OS dependency. I hated architecture dependencies back in the old days (x86, SPARC, PPC) and I absolutely despise things that are OS platform dependent now.
Jun. 22, 2013
As much as I like to think I automate everything, I’m pretty bad at writing code to make my life easier since it tends to take me longer to write the code and it tends to make me a bit grumpy (this is something I’m fixing by learning as much code dev as I can during my limited spare time). However, I like to think I can be fairly smart about working around my limited programming skills (think Boba Fett rather than Jedi) by using the tools available to common folk.
Jun. 16, 2013
I recently had the need to debug a runaway ip_rx process on an older Brocade MLX. For anyone that has had to do any type of low level debugging on the Brocade (Foundry) platform, you know that there are many somewhat deep level diagnostics that are possible. The debug (like Cisco debug) is a bit lacking, but the dm, LP and MP commands are very useful (and a tad scary).
Jun. 7, 2013
I’ve been doing a lot of MPLS in the last 45 or so days (which is one of the reasons I have been absentee in the OpenFlow world lately). Having had almost no real world MPLS experience aside from a handful of pseudo-wires and a very small LDP signaled network, I had to spend some time reading, hacking at routers and essentially learning. In doing so, I found a few things.
May. 19, 2013
I love to be the “uncola” of networking sites. I like interop and I don’t do a lot with Cisco because I don’t have access to much of their gear anymore. So, that being the case, I had a need to bring up a l2circuit (in JunOS speak), or VLL (in Brocade speak) between an MX480 and an MLX. Since they are very different platforms, I had to do some digging and playing around to get it to work.
May. 17, 2013
There has been some recent chatter on the IPv6 Ops mailing list about the feature matrix. Sadly, I’ve let this sort of wither on the vine for a while in favor of OpenFlow and SDN. At the end of the day, though, as a whole we actually need IPv6 more than SDN and OpenFlow at this moment in time, so I’m resurrecting it. It is available here. A few additions have been made and there is now a “last edited” cell so folks can tell if the data is stale or not.
May. 3, 2013
Jon Langemak has a great write up on building the OpenDaylight controller under CentOS. Since I’ll have to do this a bunch of times, I thought I’d take what he so generously put online and build a very rudimentary script for deploying ODC under CentOS. The prerequisites are that you already have an account and ssh key at the OpenDaylight Git repo and that you disable SELinux. Here is the script: #!
Apr. 27, 2013
Let me preface this post by saying that I am absolutely not an enterprise IT or systems guy, take everything that I write here on out with that as a side dish. I’m also very, very cheap. That said, one of the things I really like about KVM is the ability to easily view the console of a guest system using free, non-windows software like VNC. However, much like everything in life, there are reasons to do one thing or another.
Apr. 25, 2013
I had been working, off and on, on a how-to for building the daylight openflow controller under CentOS. Most openflow docs and dev are done under ubuntu or debian, and while those are both fantastic alternatives, there are a huge number of folks that will want or need to use RHEL or CentOS. So, seeing as that is the case, having someone be mindful of that is important. When I saw the write up by Jon Langemak, I scrapped my attempt at a how-to since his was so much better.
Apr. 18, 2013
OpenFlow is, of course, a hot buzzword. It’s the newest, and in my opinion, the most innovative thing to hit data networking since dynamic routing. The ability to programmatically, systematically and potentially dynamically control traffic at the flow level through a network is innovative, exciting and terrifying [to many network engineers and architects] at the same time. Allowing applications to touch the network change behavior is something that many engineers are not terribly comfortable with.
Apr. 8, 2013
The SDN world is abuzz with the announcement that the OpenDaylight controller came from stealth mode today. Why is this important? Well, SDN and OpenFlow are fractured. It is Mac vs. PC, Beta vs VHS, Coke vs. Pepsi all over again……multiplied by 100x and with a handful of players. Vendor zealots and brand loyalists will nearly always side with their camp. Heck, even I have some biases of personal preference.
Mar. 28, 2013
Lately I’ve been lamenting the fact that there seems to be a lack of options in a very specific product level. Lets say you have a network that looks like this: Right Away you’re limited since you need MPLS and more than 2 10G interfaces. Even more so if you require full support for IPv6 and ISIS. If budget is of any concern, you’re in real trouble. For many, Cisco pricing and smartnet is potentially going to exclude anything reasonable from them.
Mar. 23, 2013
This week there was a lot of buzz about SDN (as usual). There was a Light Reading thread that I commented on and a fantastic read by Brent Salisbury about being the steamroller and not the road that got me thinking about OpenFlow and SDN in a way I had not before. <soapbox> All that is old is new again. I remember when internal networks were small and routing protocols were taboo in many internal environments.
Mar. 18, 2013
OK, maybe they’re not totally dead, but they’re being demoted. To the mail room. During the course of my career I’ve always had at least some responsibility for firewall and security devices. In those ~15 years, how these boxes are built and function has shifted. From the perspective of my career, there were IOS ACLs (yes, I know, not a firewall), there was the IOS firewall versions and there were software packages such as gauntlet, checkpoint.
Mar. 9, 2013
I started working on Juniper equipment around 2002. At my employer, we had an M40 with the serial number 256. We did Layer3 only. I had no idea if the Juniper even did layer2. It certainly wasn’t a layer3 switch like a 6500 like I was used to. It was like a deliciously robust version of any Layer 3 router I’d worked on previously. Over the years Juniper has added a switching line utilizing their FreeBSD based OS, JunOS.
Mar. 6, 2013
Last year, Networking Field Day was something that I’d heard of but wasn’t really aware of what it really was. I occasionally looked at Twitter and saw the hash tags but did not know much about how it was set up or what it was about. In fact, I actually thought it was supposed to be like the HAM radio field day stuff where you go out and build out an emergency network on the fly.
Mar. 2, 2013
I’ve recently run into a situation where there was no longer enough space in the FIB to handle both the full IPv4 global table and the full IPv6 global table. We prefer to run a default-free network within this particular SP network, but in this case, until a hardware refresh can happen, we’ll need to adjust that. Given what we knew about the size of both tables, it made more sense to take a default IPv6 route from one transit provider and filter the rest.
Mar. 1, 2013
I am a network engineer by profession, but with the proliferation of SDN and OpenFlow, I have had to spend a lot of time re-learning a lot of system admin skills that I’d shelved years ago. Now, I’ve been a virtualization user forever. From VMware (Fusion, ESX), VirtualBox, to Parallels, I’ve used them at least in testing if not in production environments. I’d not really spent any mentionable amount of time with XEN, qEMU or KVM, but some projects I was working on suggested it for the virtualization mechanism, so I figured I’d try to pick it up.
Feb. 20, 2013
Recently SI6 released the IPv6 Toolkit 1.3 This release is on the heels of this IETF draft on IPv6 host scanning. It was long thought that scanning an IPv6 network was impossible. The address space was too large and reliably ascertaining the hosts from it would be too time consuming to even attempt. However, as Dr. Hans Zarkov says in the 1980 classic cult film of my youth, Flash Gordon, “You can’t beat the human spirit!
Feb. 15, 2013
It’s no secret that I’m a fan of the model Arista Networks is using to make gear and provide innovative services and products. In my opinion, they’re changing the landscape of campus and data center networking gear. I’m always a fan of the little guy trying to change the world and this falls under that category. For those that don’t know, Arista Networks is a “hardware” networking company that is using merchant silicon wrapped in their custom linux based operating system (which is very much like IOS).
Feb. 4, 2013
A bit of back history: I came from BSD land. I was a FreeBSD user from way back in the 1990s. BSD land is a land of secure boxes and very high uptimes. It’s also a land of arguably clunky package support, a lot of compiling by hand and these days, not nearly as encompassing package and network tuning support. I decided to move to Linux a while ago, reluctantly, and chose Debian as my flavor of choice.
Feb. 4, 2013
Recently we encountered a very strange behavior on an SRX 5800 cluster. The cluster, which is in active/active mode, started dropping OSPF adjacencies to it’s neighboring routing equipment, in this case, Juniper MX480 and Brocade/Foundry MLX8. Strange behavior indeed, since for us, these had been rock solid for around 2 years and we’d never seen this odd behavior before. Honestly, we started looking at the routers first since this was something the SRX has never done before.
Jan. 31, 2013
Starting from a base CentOS system with nothing configured, and referencing the CentOS wiki, here is how I like to set up a headless VirtualBox environment: Disable SELinux. It’s overly cumbersome and is enabled by default in CentOS. I like to permanently disable it rather than just set it to permissive. I ride the edge, I know. (Permissive mode still records what the policy would have denied in the audit log without blocking anything, so it is the safer middle ground if you want to know what you are giving up.) vi /etc/selinux/config and change SELINUX=enforcing to SELINUX=disabled. Then reboot. Using the methodology I originally found here, I like to install the epel repo using this method: cat <<EOM >/etc/yum.
Jan. 24, 2013
If you are running a network and aren’t using RANCID, you should give it a serious look. RANCID is a cross platform configuration management toolkit for backing up router configurations and certain environmental and hardware information into version control. It’s been around for as long as I can remember and supports nearly every platform I can think of, including a few modules that I cobbled together myself. There are a few nice web based front ends for CVS and SVN; I prefer to use ViewVC because I have a lot of experience with it, however, there may be cases where a web server isn’t a good option, unavailable or just too much work.
Jan. 22, 2013
There has been a lot of buzz about the service provider model, net neutrality and tiered access for consumers in the past few years. Just this week Google has been accused of paying Orange (more likely Orange is forcing google) for handling its traffic. This is a VERY slippery slope that teeters on the edge of what we all want to avoid as consumers or content creators. This recent story has sparked something I’ve been thinking about for a very long time.
Jan. 10, 2013
I’ve been lamenting about the SDN WAN options for a while now. Having SDN/OpenFlow in a data center or campus is relatively well documented and already widely deployed. Google has been doing SDN across their private WAN in production. These pieces are easy. What isn’t easy is the ability to plumb SDN across many domains that are under disparate control. This part is hard. What is lacking is a fundamental framework, or set of primitives to build from.
Jan. 9, 2013
I have a bunch of Apple wireless gear at my house. It’s inexpensive, feature rich and easy to maintain. However, with the update to mountain lion a while ago, the ability to install the older Airport Utility stopped. This is annoying since I have what apple now considers “advanced” features like IPv6 at my home and essentially all my gear here is a lab (except for the plex server =) I’ve been spending a lot of time on cacti lately, and I wanted to test out the syslog plugin….
Jan. 4, 2013
It’s always annoying to me, being a convert from *BSD to Linux, that tools like dig and host aren’t in the minimal base install. I realise that this makes me somewhat of a hypocrite, as I prefer an additive system rather than a subtractive base OS. Nevertheless, I’m continually surprised that “host” isn’t available after installing a minimal CentOS system without adding an additional package. So, since I always forget, here is a quick blog post to remind me and any other converts how to install those tools: yum -y install bind-utils That’s it.
Jan. 2, 2013
After reading Stephen Foskett’s post “How Will Cisco Recover From The Consumer Strategy Blunder?”, it got me thinking. It’s a very different world than when Cisco got started all those years ago. I don’t have any brand loyalty to Cisco, I learned on Cisco gear 14-15 years ago for the most part, but I try to keep the mentality of “the right tool for the job”, which means constantly surveying the market for new and interesting ways to do things.
Jan. 1, 2013
I am very happy and flattered that this site actually proves to be useful to folks. It was always my intention to use this as a platform to try to give back a bit, to help with any data I may have run across that was interesting, useful, or obscure. I utilize sites like etherialmind.com, packetpushers.net, evilrouters.net, networkstatic.net and ioshints more than I can even measure. I wanted to try to contribute as much as I could to pay it back.
Dec. 20, 2012
I have a love-hate feeling about “predictions” about the upcoming year, especially tech predictions. I don’t like media sensationalism of any kind, and a lot of the tech predictions are just that, sensational, extreme talk to draw in readers or viewers. I’m choosing to go down a more subtle path, these are things I’ve thought about lately but will likely forget in the upcoming year, unless they actually happen, in which case I’d likely do an “ah, I remember thinking that may happen” gesture.
Dec. 15, 2012
Securing SSH is a form of art. It’s often debated, much like blocking all ICMP packets (which I normally disagree with). If you need good proof, read these posts by Bob Plankers. There is a camp that likes to promote moving to a non-standard port. There is a faction that likes to block it completely except from a handful of hosts. Then there are those that like to leave it open all together.
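Whichever camp you are in, the settings that actually decide how an sshd can be abused live in sshd_config, and two details trip people up when auditing one: sshd honours the first occurrence of a directive, not the last, and anything under a Match block only applies to connections that match. The following is an added example (not from the original post) that parses a config with those rules and reports the weak settings; the list of directives to flag and the sample config are my own and should be tuned to your baseline. The port check is deliberately only informational, since moving the port is obscurity rather than a control.

```python
import re

# Directive -> (values to flag, recommendation). Keys are lower-cased because sshd
# keywords are case-insensitive. Constructed policy for this example.
WEAK_SETTINGS = {
    "permitrootlogin": ({"yes"}, "no (or prohibit-password if root must log in with a key)"),
    "passwordauthentication": ({"yes"}, "no, and use keys"),
    "permitemptypasswords": ({"yes"}, "no"),
    "x11forwarding": ({"yes"}, "no"),
    "protocol": ({"1", "1,2", "2,1"}, "2"),
}
# Directives whose compiled-in default is weak, so leaving them unset is itself a finding.
WEAK_IF_ABSENT = {
    "passwordauthentication": "defaults to yes; set it to no explicitly",
}

# "Keyword value" or "Keyword=value", per sshd_config(5).
_DIRECTIVE = re.compile(r"^\s*(\w+)(?:\s*=\s*|\s+)(.*?)\s*$")


def parse_sshd_config(text):
    """Return (global_settings, match_blocks), keeping the FIRST value per keyword."""
    global_settings, match_blocks = {}, []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):       # comments are whole lines only
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            current = {"criteria": value, "settings": {}}
            match_blocks.append(current)
            continue
        target = global_settings if current is None else current["settings"]
        target.setdefault(key, value)               # first occurrence wins, as in sshd
    return global_settings, match_blocks


def audit_sshd_config(text):
    """Return a list of (directive, value, recommendation) findings."""
    global_settings, match_blocks = parse_sshd_config(text)
    findings = []
    for key, (bad, fix) in WEAK_SETTINGS.items():
        if key in global_settings and global_settings[key].lower() in bad:
            findings.append((key, global_settings[key], fix))
    for key, note in WEAK_IF_ABSENT.items():
        if key not in global_settings:
            findings.append((key, "<unset>", note))
    port = global_settings.get("port", "22")
    if port != "22":
        findings.append(("port", port,
                         "info: a non-standard port hides nothing from a scanner; "
                         "pair it with key-only auth and a source allow-list"))
    for block in match_blocks:
        for key, value in block["settings"].items():
            if key in WEAK_SETTINGS and value.lower() in WEAK_SETTINGS[key][0]:
                findings.append((f"match {block['criteria']}: {key}", value, WEAK_SETTINGS[key][1]))
    return findings


# Constructed sample; the second PermitRootLogin line is ignored by sshd because the
# first value wins, which is exactly the kind of thing an eyeball audit misses.
SAMPLE_CONFIG = """\
Port 2222
Protocol 2
PermitRootLogin yes
PermitRootLogin no
X11Forwarding no
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for directive, value, fix in audit_sshd_config(text):
        print(f"{directive}: {value} -> {fix}")
```

Run it against /etc/ssh/sshd_config on the host, or use `sshd -T` output as the input to see the effective values after defaults are applied; the latter also confirms whether the first-wins rule bit you.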
Dec. 13, 2012
IPv6 is coming. Like SDN, we can’t ignore it. Are you ready? Are your apps ready? I’ll wager the answer is no. Mine aren’t. I’ve been working on IPv6 for about 11 years, from early days of tunnels to full native IPv6 at home and at work. In teaching the IPv6 workshop for internet2, one of the things that I always suggest is to have a dual stacked host and an IPv6 only host available for testing.
Dec. 10, 2012
Plexxi is an interesting product that has recently emerged in the data center space. While data center, fabric and cloud are all the rage in the buzzword world of data networking, this one caught my attention because it was something unique that I’d not seen before. Their TOR boxes have a few interesting additions to them, the first of which is a WDM port on the back. Now, I’m not really a stranger to the WDM world.
Dec. 8, 2012
I recently had the opportunity to work with the much-anticipated Brocade VDX “Ethernet Fabric” platform. I do admit that I’m intrigued by this product. I’d seen it work multiple times in demos and it worked so well and looked so easy that we actively tried to throw curve balls at the demo organizer to prove it wasn’t canned. It succeeded. The hardware hashing across the VLAGs is very slick. The VMware VSwitch integration worked well and was handy.
Dec. 7, 2012
~12 years ago I had a drinking buddy that worked with me at the regional ISP. We had a lot in common, he had been an icon back in the didjits era of punk rock in Champaign Urbana and we had briefly been in a terrible band together. He introduced me to a dude that to this day I just knew as “Ravi Sonicwall”. He had apparently been recruited from the U of I, written a lot of the low level pieces of the original sonicwall and retired to enjoy life and buy beers (he actually scolded me at a bar for buying him a beer saying “when I’m in town, I buy the beers”).
Dec. 2, 2012
For a long time I ran a blog called tech.buraglio.com that was a self hosted wordpress site. After having kids and getting a bit busier at work, I decided to move everything that I had been hosting (images, scripts, hacks, blogs and DNS) to “the cloud”. I managed to do this for everything but my primary DNS resolver, which I had always intended to keep, and one wordpress blog that I hosted for someone else.
Nov. 27, 2012
There has been a flurry of discussion on SDN in the WAN lately, specifically, why and how. Brent Salisbury laid out a few use cases here. The why seems pretty straightforward. I do believe it will happen, however, the how is the interesting part. Admittedly, I’m a tad of a greenhorn in the SDN space, I’ve made it work in a lab, I participate as much as I can in the working groups and I attempt (poorly) to keep up.
Nov. 25, 2012
Have you ever needed to replicate a lot of data transparently to an IDS without the use of a rack of optical taps? Not enough budget for a Gigamon or cPacket? Have a spare MLXe laying around? You’re in luck, we were in that boat too. Let me first preface this by saying that this would be fairly trivial using OpenFlow / SDN. That being said, we didn’t have the time to set that up, so this is what we came up with.
Nov. 24, 2012
Recently, there was a thread over at Packet Pushers about what folks use for their daily workflow. I quickly realized that my setup is pretty simple (as I like it) and relied on a large amount of terminal based tools, which makes sense since I have been a UNIX (or UNIX based) OS user since my migration from the original MacOS back in the 1990s. Anyway, Since I wrote most of this up already, I thought I’d post it here:
Nov. 14, 2012
For the Supercomputing 2012 show, as in years past, I was “the guy who installed and maintained RANCID” as part of my duties for the SCinet routing team. If you don’t know about RANCID for change management and config back up, check the link. It’s free and works on a huge amount of gear. Every year there is a new and interesting platform, this year it was Juniper QFabric and Brocade VDX.
Nov. 9, 2012
Every year there is an international conference for High Performance Computing, or HPC as it is often called. This is a bit of a niche in that it’s something that many enterprises and researchers need but don’t do themselves, and so many don’t have a grasp as to what all is involved. It’s a specialized, potentially expensive and very different environment as well as mindset than the general sysadmin or network engineer will ever see.
Nov. 6, 2012
Recently we’ve run into an odd issue while routing on an EX4200 series. These little JunOS boxes are a nice alternative for an entry level building router, they support L2/L3 functionality, a PVST+-ish protocol and, with advanced licensing, IPv6, ISIS and BGP. They have multi 10G interface options and come in a pluggable fiber option. We use them all over for light layer 3. They can also be stacked via stacking cables and fiber, which is very handy and makes them extremely versatile but not really applicable for the purpose of this entry.
Nov. 5, 2012
If I had my perfect world where I lived in a gumdrop house with lollypop trees and everything smelled like butterfly kisses, here is what I would like to see in WAN networking gear. I can build a list for LAN and edge gear as well. It’s not a golden rocket ship I’m looking for. OK, maybe it is. Full MPLS support. Full IPv6 support, all the features, not just pieces.
Oct. 31, 2012
As I sit here thinking if this site is worth my time, some words that someone said to me recently ring true. “Take from things you’re doing every day” is what Brent Salisbury of networkstatic.net said to me. He was right.
…And it was why I originally started this site, in a way. The original goal was to make a site I could take notes on and possibly help out someone trying to solve the same issues as me or look at something from the same perspective I had.
Oct. 27, 2012
Moving to JunOS from IOS can be a daunting task. It’s a completely different command structure and the config, by default, looks like a programming language. I was fortunate enough to have gotten in on using JunOS very early in my career, 1/3 in to be exact (as of this writing). Not to mention that when I got started, IOS wasn’t the only game in town. Remember Xylan? Gandalf? OpenRoute?
Oct. 27, 2012
I’m an awful sysadmin. Running services permanently isn’t really my forte, I tend to lean more on the “I’ll get this proof of concept all working, prove that it works or doesn’t, then roll it on for polishing by someone else” kinda guy. That final 15% is something I’m constantly working to refine and better myself at accomplishing. I’m decent at debugging network services, and can be handy in a “oh crap, it’s down!
Oct. 19, 2012
Let me save you some time… Microflow Policing on the Catalyst 6500 / Sup2TXL doesn’t yet work. Inbound it “kinda works”. You can configure it and it applies as a service policy, but even though outbound is “supported in hardware on the Supervisor2TXL”, there is no software support for it in either the 15.0SY or 12.2(50)SY. It took me a month to suss this out…
Yes, I should have suspected. I don’t work on Cisco every day, I have Juniper MX, Brocade MLX and a multitude of other platforms to work on daily, so it took a bit.
Oct. 18, 2012
I’ve been doing research, carrier and service provider networking for a long time. My first real service provider experience was beta testing DSL for GTE back in the 1990s, I prototyped and proposed a CLEC for an employer in 1998 and went to work for the only ISP in the area rolling its own DSL over ATM in early 2000. Everything seems to come full circle, though, given enough time.
May. 22, 2012
Data centers are one of the hot things in networking tech right now. Combine SDN, cloud, buzzword of the day, mix with data center and serve over ice. I end up doing a lot with data centers for whatever reason. This, however, is something I found interesting. “DCTCP is an enhancement to the TCP congestion control algorithm for data center networks. It leverages Explicit Congestion Notification (ECN), a feature which is increasingly becoming available in modern data center switches.
Apr. 27, 2012
Let’s just say, for instance, that you have an MX series router somewhere on your network. Let’s also say that said router is carved into more than just the main logical system. For the sake of this writing, let’s say that your eBGP sessions are in the default logical system and your IGP is in a separate logical system, let’s call it “internal”.
JunOS has some wonderful mechanisms for keeping things running, one is called NSR (Non Stop Routing), the other is called ISSU (In Service Software Upgrade).
Nov. 6, 2011
I’ve been looking at iMessage from time to time as my schedule permits, for some reason that I can’t really explain I’m fixated on it. So, just like I did with FaceTime, I started doing network sniffing to see just what it’s doing. The results were not terribly unexpected.
iPhone.buraglio.com.53140 > st11p01st-courier143-bz.push.apple.com.5223: Flags [R], cksum 0x5ec8 (correct), seq 4109691913, win 0, length 0
14:07:51.665485 IP (tos 0x20, ttl 49, id 11699, offset 0, flags [DF], proto TCP (6), length 64, bad cksum 0 (->8fc7)!
Nov. 1, 2011
I’ve had a co-located server in one way or another for the last 11 years. From hosting a bare metal box at the ISP I worked for for a while, to sharing a bare metal box at a colo provider to switching to a VPS service, I’ve always had an “offsite box”. I just wanted to post a quick “these guys are great” comment to my current VPS provider, ARP Networks.
Oct. 22, 2011
Recently I was poking around Mail.app, setting up my new machine. I like to keep redundant copies of everything, email being no exception. I have backups of all of my email dating back to 1998, for the most part. It has come in handy from time to time and I like it for reference reasons. It’s a small amount of actual data as far as space goes, and it’s easy to do.
Oct. 15, 2011
I had very high hopes for iMessage. With the release of iOS 5, one of the big new features was iMessage, the ability to do Blackberry messenger style messaging on an iOS device. I had really hoped that this would be something like wifisms or the DeskSMS app for Android. At the very least I was hoping for iChat integration with iMessage.
This didn’t happen.
Don’t get me wrong, iMessage is still really cool.
Oct. 4, 2011
I have recently enabled Duo Security for many of my personal services, and I can’t recommend them enough. Personal two factor authentication is very useful and really powerful. It works on my iPhone and I have yet to run into any real issues… except for one. I can’t use automation to scp or sftp anything anymore and keep my two factor auth working in a way I’m comfortable with. Enter ftps. FTP is a terrible, yet immensely useful protocol.
Oct. 4, 2011
It’s no secret or ground breaking area to do black hole routing. ISPs and NSPs have been doing it forever to allow for a very low cost, very scriptable and very effective way to wholesale block a layer 3 address. However, it can seem like a bit of a black box to anyone who has never done it. I recently did some work spinning this up in a good sized network where it didn’t currently exist, and remembered how monumentally useful (and simple) it actually is.
Sep. 7, 2011
Google has introduced a very powerful set of python based command line (CLI) tools called GoogleCL. This post was made using GoogleCL from my Mac. I highly recommend checking it out if you like to automate or script stuff.
Aug. 6, 2011
I've recently decided that even though I love the BSD style MacPorts system, it can be too clunky to maintain and doesn't handle dependencies as well as I'd like (much like the actual BSD ports collection). So, in doing a little looking I found that Fink is still out of date, but Homebrew is very simple and also really elegant comparatively speaking. Since Homebrew doesn't work well with other package systems installed, and I'd like to know what I had installed since this system has been in use for 2+ years, I do a list and send it to a txt file: touch ~/Documents/installed.
Jul. 30, 2011
I’m not a fan of IPv6 privacy addressing. I understand the logic behind it, I really do, obfuscate the LLADDR (MAC address) of the host in question, but I really don’t see the realistic purpose. If someone wanted to use my MAC address, what good would that really get them, unless they’re on the same layer 2 segment? More importantly, if they’re on the same layer 2 segment, they have my MAC address anyway.
Jul. 26, 2011
It looks like MacOS 10.7 (Lion) has fully functioning DHCPv6. It’s about time.
Before:
After:
pfSense setup:
Using Internet Systems Consortium DHCP Server 4.2.1-P1 as the server (on my pfSense box) I am able to get not only a privacy address (via stateless autoconfigure) but also a normal EUI-64 address as well as an IPv6 address via dhcpv6.
I didn’t do anything except use the “Automatic” setting in the network control panel, so out of the box OSX 10.
Jul. 18, 2011
If anyone is interested in the talks I participated in at Joint Techs in Fairbanks, AK, they are now on the internet2 sites. IPv6 feature support
IPv6 campus panel discussion
They’re apparently not embeddable, but can be watched from the Joint Techs site.
Jun. 30, 2011
I did some minor tweaking to the Alcatel Lucent RANCID scripts and some modifications to make RANCID work under my pfSense environment (originally m0n0rancid code from John Skopis). Since I don’t really do much dev work and am not interested in maintaining a box to be an SVN server for the public, I threw it up onto Google Code. I’ll be adding a brief how-to on making RANCID work with pfSense as soon as I get some time.
Jun. 20, 2011
I’ve been a *BSD user since around 1997, when I installed NetBSD on a Mac SE/30 that I got for free. I was always intrigued with alternative operating systems like BeOS, *BSD, Plan9 and Linux so it made sense that I’d poke around with different systems. I’d gone back and forth from OpenBSD to FreeBSD but eventually settled on FreeBSD as my OS of choice. I ran it as a desktop before MacOS X came out and was generally happy with it.
Apr. 12, 2011
I found most of this on a web page somewhere that I can’t seem to find again. Below are some common useful JunOS tidbits regarding routing tables and interface types/names:
JunOS CLI supports the basic grep command (like | include) so any show commands can be grepped. I believe the grep command implies the -i flag for case insensitivity.
The routing table is presented in such a way to group types of routes.
Mar. 16, 2011
I’ve been doing a lot of IPv6 stuff lately, and one of the things I didn’t find (and kinda just wanted to put one together for my own benefit) is a matrix of features I thought were important to have on the IPv6 side for common network hardware. Below is a work in progress of what I have so far, which will automatically publish changes from this spreadsheet. Please email me if you’re interested in adding to this or correcting anything I may be incorrect on.
Feb. 18, 2011
I have huge iPhoto and iTunes catalogs. This can present a problem for both loading the applications and for backup. I have learned to deal with the Application load times, but backups are very important to me.
I'd gone through the iPhoto backup process and restore more than once, and I didn't like the fact that I didn't have an offsite backup, so I paid for a flickr pro account ($24/yr, supports iPhoto export and RAW format).
Feb. 7, 2011
We are putting a few new SRX 3600 clusters into production soon, and we’ve had them for about 6 months in boxes. This presented a fairly significant issue, one that I didn’t think about until it smacked me in the face. The code on these boxes was old. Very old. JunOS 9.2 old. No problem, let’s just upgrade them to 10.4R something. Wrong.
The code that shipped on these boxes was so old, and we waited so long to upgrade them, that I was unable to upgrade them straight to anything modern.
Feb. 4, 2011
I was recently helping my brother-in-law out with the new Seagate FreeAgent GoFlex Desk 3 TB USB 3.0 External Hard Drive he had purchased to do Time Machine backups on his Mac. I personally have the 2T version and have been pretty happy with it, save for one small incident that I think was my fault that required some basic data recovery.
Since the drive comes in a file system that is not HFS+ Journaled, it needed to be reformatted to support time machine backups.
Jan. 7, 2011
Regardless of the fact that there is now a good ISSU-like service for the SRX (named Low-Impact Cluster Upgrade; LICU for short), if you’re upgrading your Active/Active cluster from something that isn’t 10.4, or if you just aren’t comfortable with how baked LICU actually is, you’ll need to know how to move the junos code around. This is easy if you have physical access to both nodes, but for those that have.
Dec. 29, 2010
I recently needed to upgrade a few MX480 routers and decided that it would be a good opportunity to get some experience with Juniper’s in service software upgrade.
I’d read a bit about it but I’d not had the chance to really use it. It’s pretty straightforward and it does what it claims. The following are my notes from rolling through this on my test lab MX480.
A few things are necessary to get going with ISSU, first and foremost, you need to have a box with two routing engines.
Dec. 23, 2010
A quick screen grab from here
Dec. 6, 2010
At the 2010 Supercomputing conference this year, one of my tasks was to get RANCID working on the Alcatel Lucent 77xx series. For some this may have been a simple task, but for me, a self taught and inefficient programmer, it was something that took some time. The Alcatel Lucent boxes were good performers, but their CLI is pretty awful. The prompt changes based on having unsaved configuration items, and can contain things like an asterisk.
Oct. 20, 2010
After enabling the IPv6 Flow based processing, we decided to get rolling with making our IPv6 path congruent with everything else (IPv4 unicast and multicast). With all of the other things we had going on, we thought this would be a low hanging fruit that would be easily plucked from the routing tree. Well, a minor oversight on our part caught us by surprise. According to this handy dandy matrix for JunOS 10.
Oct. 17, 2010
We’ve been working toward a more simplified model for our network path, and in doing so, we desired a congruent path for IPv6, IPv4 Multicast and IPv4 Unicast.
However, this is actually pretty hard when dealing with the link speeds, amounts of traffic and flows that we do, in conjunction with Firewall… and IDP/IPS…
Lots of research, reading and testing was done.
Juniper SRX series has full support for 90% of this, with IPv6 IDP coming in Q2 of 2011.
Oct. 13, 2010
Cross posted from my personal blog since it’s a technical subject
That is the million dollar question on many phone geeks minds. The iPhone is really a love it or hate it kind of device, much like Apple stuff in general. Android, on the other hand, is still new enough that some folks are still ignoring it. Well, I wanted to know which worked better for me, and so I set out to test them both.
Sep. 16, 2010
One of our plans is to consolidate as many of the egress traffic paths as possible. To facilitate this, we had to do some things like buy carrier grade equipment. Enter the SRX 5800. No one really does IPS/IDP+Firewall quite like the SRX. After extensive research and exhaustive hands on testing with quite a bit of equipment, that is what we settled on. Even the IBM “technical evangelist” guy that came to talk to us said “No one really does it like they do” when referring to Juniper and 10G firewall/IPS.
Sep. 6, 2010
I know this is documented elsewhere, but this was a pain for me, so I wanted to take some notes. I have several Snow Leopard (MacOS 10.6) Macs and a Netgear DNS-323. I want to mount the drive using NFS, as any good UNIX admin would. Unlike older versions of the Mac OS, NFS mounts are now handled under the Disk Utility application (which seems odd to me, but whatever). So, to make this work right I had to do the following:
Sep. 3, 2010
I knew a tool like this had to exist, but I had never needed to look in the past. While debugging an RA problem, I came upon the need to view IPv6 router advertisements. How can one do this? tcpdump? Yeah, I guess that could work. It’s almost like using a bulldozer when a wheelbarrow is all you need, though. I could use ndpmon, I suppose, but that, too, seems like overkill.
Sep. 2, 2010
IDP signatures need to be updated often. On the SRX platform, there is also the notion of a “detector”. This also needs to be updated on a regular basis, it seems. Over the past few weeks, we’ve needed to update the IDP signatures and detector on our SRX 5800 cluster several times, and the results have normally been fine. Updating the IDP signatures has never been that big of a problem (see postings about updating stuff on cluster nodes).
Sep. 1, 2010
I’m not the greatest at AAA on Cisco’s IOS. I always have to think about how to order things, and to test fallback (which you should do anyway). One of the caveats that I always overlook, no matter how many times I set this up, is that Cisco IOS software attempts authentication with the next listed authentication method only when there is no response from the previous method. If authentication fails at any point in this cycle—meaning that the security server or local username database responds by denying the user access—the authentication process stops and no other authentication methods are attempted*.
Aug. 31, 2010
I have had the opportunity to work pretty extensively on the Juniper SRX firewall/IDS platform over the last few months. In doing so, I’ve found many “gotchas” the hard way. Here are a few that I’ve found so far:
Clustering is a beast in and of itself. I think it needs a bit more polishing, but it could be that we just need to refine our design.
On the SRX 650 it works, but you must be on the right code version (I got it to work under 9.