Subscribe to IOSHints feed
Internetworking perspectives by Ivan Pepelnjak
Updated: 11 hours 6 min ago

Stupidities of Switch Programming (written in June 2013)

May 21, 2015 - 10:25am

In June 2013 I wrote a rant that got stuck in my Evernote Blog Posts notebook for almost two years. Sadly, not much has changed since I wrote it, so I decided to publish it as-is.

In the meantime, the only vendor that’s working on making generic network deployments simpler seems to be Cumulus Networks (most other vendors went down the path of building proprietary fabrics, be it ACI, DFA, IRF, QFabric, Virtual Chassis or proprietary OpenFlow extensions).

Arista used to be in the same camp (I loved all the nifty little features they were rolling out to make ops simpler), but it seems they lost their mojo after the IPO.

Read more ...

Do We Need NAC and 802.1x?

May 20, 2015 - 1:48am

Another question I got in my Inbox:

What is your opinion on NAC and 802.1x for wired networks? Is there a better way to solve user access control at layer 2? Or is this a poor man's way to avoid network segmentation and internal network firewalls.

Unless you can trust all users (fat chance) or run a network with no access control (unlikely, unless you’re a coffee shop), you need to authenticate the users anyway.

Read more ...

Scaling OpenStack Security Groups

May 19, 2015 - 1:45am

Security groups (or Endpoint Groups if you’re a Cisco ACI fan) are a nice traffic policy abstraction: instead of dealing with subnets and ACLs, define groups of hosts and the rules of traffic control between them… and let the orchestration system deal with IP addresses and TCP/UDP port numbers.

Read more ...

On I-Shaped and T-Shaped Skills

May 18, 2015 - 12:03am

Several of the conversations I had at the recent RIPE70 meeting were focused on career advice (usually along the lines of “which technology should I focus on next”) and inevitably we ended up discussing the benefits of T-shaped skills versus I-shaped skills… and I couldn’t resist drawing a few graphs illustrating them.

Read more ...

Build Your Development or Lab Environment with Ravello Systems

May 15, 2015 - 1:14am

When preparing for my Simplifying Application Workload Migration workshop (coming in webinar format in autumn) I tried to find a solution that would allow me to recreate existing enterprise virtual network infrastructure in a cloud environment. Soon I stumbled upon Ravello Systems, remembered hearing about them on a podcast, and got in touch with them to figure out whether they could help me solve that challenge.

It turned you might use Ravello Systems’ solution to implement disaster recovery, but I got way more excited about the possibility to use their solution for labs or testing. To learn more about that, listen to Episode 32 of Software Gone Wild.

Listen to the podcast

Reinventing CLNS with L3-only Forwarding

May 13, 2015 - 12:37am

Hank left a lovely comment on my Rearchitecting L3-Only Networks blog post:

What you describe is literally intra-area routing in CLNS.

He’s absolutely right (and I admitted as much during my IPv6 Microsegmentation presentations @ Troopers 15).

Read more ...

Presentation & Video: Quo Vadis, SDN?

May 12, 2015 - 2:50am

From the automation perspective, the RIPE conference is a dream come true – 30 seconds after you upload your presentation, it appears on the RIPE web site, it’s automatically updated on the podium computer, and the video recording of your talk is published before you even manage to get off the podium – so you can already watch my “SDN - 4 years later (aka Quo Vadis, SDN?)” presentation if you missed it yesterday.

Watch the presentation

Do We Need Network Programmability?

May 10, 2015 - 10:20pm

Jsicuran left this comment on my You Must Understand the Fundamentals to Be Successful blog post:

I just went through some Cisco webinar where they were showcasing the use of NX-OS API and Python to add a VLAN. I do some Python myself and have used that API for some simple DevOps-like uses, but for the most part if you are an enterprise and use Prime DCIM to add VLANs, why should you go through the coding process?

It obviously depends on where you are in your IT automation journey.

Read more ...

OpenStack Got Full IPv6 Support

May 10, 2015 - 12:32pm

Great news for everyone trying to deploy IPv6 in OpenStack: the Kilo release has full support for IPv6 in the tenant networks, including SLAAC, stateless and stateful DHCPv6. For more details, read an extensive blog post by Shannon McFarland.

OpenFlow in HP Campus Solutions on Software Gone Wild

May 8, 2015 - 12:29am

When I finished my SDN workshop @ Interop Las Vegas (including a chapter on OpenFlow limitations), some attendees started wondering whether they should even consider OpenFlow in their SDN deployments. My answer: don’t blame the tool if people use it incorrectly.

Two days later, I discovered HP is one of those companies that knows how to use that tool.

Read more ...

ARP Processing in Layer-3-Only Networks

May 6, 2015 - 10:09pm

John Jackson wrote an interesting comment on my Rearchitecting L3-Only Networks blog post:

What the host has configured for its default gateway doesn't really matter, correct? Because the default gateway in traditional L2 access networks really isn't about the gateway's IP address, but the gateway's MAC address. The destination IP address in the packet header is always the end destination IP address, never the default gateway.

He totally got the idea, however there are a few minor details to consider.

Read more ...

Video: End-to-End High Availability in Dual Stack Networks

May 5, 2015 - 10:34pm

One of the topics I discussed in the IPv6 High Availability webinar is the problem of dual-stack deployments – what do you do when the end-to-end path for one of the protocol stacks breaks down. Happy eyeballs is one of the solutions, as is IPv6-only data center (Facebook is moving in that direction really fast). For more details, watch the short End-to-End High Availability in Dual Stack Networks demo video.

Watch the video

Dinesh Dutt from Cumulus Networks on Data Center Fabrics Webinar

May 4, 2015 - 9:56pm

Occasionally I’d invite a vendor speaker (usually working for an interesting startup) to present in my Data Center Fabrics webinar series. Dan Backman from Plexxi was talking about affinity networking in 2013, and in the May 2015 update session we’ll have Dinesh Dutt from Cumulus Networks talking about their software platform, architectures you can build with whitebox (or britebox) switches running Cumulus Linux, exciting network automation options, and cool new features they’re constantly adding to their software.

Click to register

Replacing Central Router with a Next-Generation Firewall?

May 3, 2015 - 11:14pm

One of my readers sent me this question:

After reading this blog post and a lot of blog posts about zero trust mode versus security zones, what do you think about replacing L3 Data Center core switches by High Speed Next Generation Firewalls?

Long story short: just because someone writes about an idea doesn’t mean it makes sense. Some things are better left in PowerPoint.

Read more ...

On Theory and Practice

May 2, 2015 - 11:10am

I recently read a must-read blog post by Russ White in which he argued that you need to understand both theory and practice (see also Knowledge or Recipes and my other certification rants) and got a painful flashback of a discussion I had with a corner-cutting SE (fortunately he was an exception) almost two decades ago when I was teaching my Advanced OSPF course at Cisco.

Read more ...

ALF: Application Layer Fixup

May 1, 2015 - 6:37am

I was talking about “application-layer gateways” on firewalls and NAT boxes with a fellow engineer, and we came to an interesting conclusion: in most cases they are not gateways; they don’t add any significant functionality apart for payload fixups for those broken applications that think carrying network endpoint information in application packets is a good idea (I’m looking at you, SIP and FTP). These things should thus be called Application Layer Fixups or ALFs ;)

PF_RING Deep Dive with Luca Deri on Software Gone Wild

April 30, 2015 - 5:49am

Whenever software switching nerds get together and start discussing the challenges of high-speed x86-based switching, someone inevitably mentions PF_RING, an open-source library that gives you blazingly fast packet processing performance on a Linux server.

I started recording a podcast with Luca Deri, the author of PF_RING, but we diverted into discussing ntopng, Luca’s network monitoring software. We quickly fixed that and recorded another podcast – this time, it’s all about PF_RING, and we discussed these topics:

Read more ...

Going Back to the Mainframes?

April 29, 2015 - 6:35am

25 years ago when I started my networking career, mainframes were all the rage, and we were doing some crazy stuff with small distributed systems that quickly adapted to topology changes, and survived link, port, and node failures. We called them routers.

Yes, we were crazy and weird, but our stuff worked. We won and we built the Internet, proving that we can build networks bigger than any mainframe-based solution could ever hope to be.

Read more ...

How Do I Start My IPv6 Addressing Plan?

April 28, 2015 - 6:19am

One of my readers was reading the Preparing an IPv6 Addressing Plan document on RIPE web site, and found that the document proposes two approaches to IPv6 addressing: encode location in high-order bits and subnet type in low-order bits (the traditional approach) or encode subnet type in high-order bits and location in low-order bits (totally counter intuitive to most networking engineers). His obvious question was: “Is anyone using type-first addressing in production network?”

Terastream project seems to be using service-first format; if you’re doing something similar, please leave a comment!

Read more ...

On SDN Controllers, Interconnectedness and Failure Domains

April 27, 2015 - 4:57am

A long long time ago Colin Dixon wrote the following tweet in response to my Controller Cluster Is a Single Failure Domain blog post:

He’s obviously right, but I wasn’t talking about interconnected domains, but failure domains (yeah, I know, you could argue they are the same, but do read on).

Read more ...