Virtual Networks: What Users Think They Need

At the very beginning of the Cloud Computing Networking webinar I described typical enterprise IaaS user (application developer) requirements. As always, there’s a “slight” gap between what the users think they need, what they actually need, and how it gets implemented (aka How Projects Really Work).

Complex Routing in Hyper-V Network Virtualization

The layer-3-only Hyper-V Network Virtualization forwarding model implemented in Windows Server 2012 R2 thoroughly confuses engineers used to deal with traditional layer-2 subnets connected via layer-3 switches.

As always, it helps to take a few steps back, focus on the principles, and the “unexpected” behavior becomes crystal clear.

2014-02-05: HNV routing details updated based on feedback from Praveen Balasubramanian. Thank you!

VMware Virtual Network: Stuck Between the Past and the Future

If you want to implement overlay virtual networking with VMware products today, you have two options: use vCNS 5.5 or NSX for vSphere… and I would be hard pressed to choose one or the other.

Post #2000

When I started blogging in 2006, I had no idea that I’d still be doing it 8 years later… and I never dreamed of writing my 2000th post (this one, according to my blogging platform).


A virtual cake I got from my lovely daughter ;)

Visit my SDN Workshop @ Troopers 2014

Enno Rey (the mastermind behind the Troopers conference) and myself got a cunning plan during one of the Troopers 2013 dinners – we’d have an SDN & Security presentation at Troopers 2014.

As always, Enno exceeded my wildest expectations and offered me a full-day SDN workshop slot during this year’s conference – an offer I simply couldn’t refuse.

SDN, security, IPv6, Heidelberg, fantastic presenters and audience, great organizers – it can’t get any better … all you have to do is register.

IPv6 reachability between ULA and GUA endpoints

From the IPv6 Trivia department: can a host with an ULA address reach a service with a global IPv6 address? Can a host with only a link-local address reach a service with a global IPv6 address? The answer to both questions might be Yes (but you better know what scopes and zones are if you want to figure it out).

Automation Explained

Just in case you've missed it: the ultimate explanation of DevOps, NetOps and other automation ideas.


Source: xkcd.com

Network Monitoring with OpenFlow

You know how hard it is to get the network traffic statistics: interface counters are too coarse, NetFlow records are too granular, sFlow is sampling… life is hard for network monitoring Goldilocks.

In the Network Monitoring video (part of Real-Life OpenFlow Use Cases webinar) I explained an interesting alternative: you could get (hardware permitting) traffic counters with every OpenFlow flow entry, resulting in any granularity you need.
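To make the "counters with every flow entry" idea concrete, here is an added example (not code from the post or from the webinar) that reads the per-entry counters an Open vSwitch reports via `ovs-ofctl dump-flows`, keys them by match fields, and turns two successive polls into per-flow bit rates. The sample output below is constructed (documentation-style addresses, invented counter values) and only mimics the shape of real `dump-flows` output; the entry granularity (one 5-tuple, one /24 aggregate, one catch-all) is exactly what the paragraph means by "any granularity you need". One edge case is handled: an entry that was deleted and re-installed between polls (idle/hard timeout, controller churn) has counters that restarted, which a naive delta would report as negative traffic.

```python
import re

# Constructed `ovs-ofctl dump-flows br0` output from two polls 10 s apart.
# Shape mirrors the real tool; every number is invented for the example.
POLL_1 = """\
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=120.5s, table=0, n_packets=1500, n_bytes=225000, idle_age=2, priority=200,tcp,nw_src=10.0.1.5,nw_dst=10.0.2.8,tp_dst=443 actions=output:2
 cookie=0x0, duration=120.5s, table=0, n_packets=8000, n_bytes=9600000, idle_age=0, priority=100,ip,nw_src=10.0.1.0/24 actions=output:2
 cookie=0x0, duration=120.5s, table=0, n_packets=30, n_bytes=2400, idle_age=10, priority=0 actions=NORMAL
"""
POLL_2 = """\
NXST_FLOW reply (xid=0x5):
 cookie=0x0, duration=130.5s, table=0, n_packets=1700, n_bytes=255000, idle_age=0, priority=200,tcp,nw_src=10.0.1.5,nw_dst=10.0.2.8,tp_dst=443 actions=output:2
 cookie=0x0, duration=130.5s, table=0, n_packets=9000, n_bytes=10800000, idle_age=0, priority=100,ip,nw_src=10.0.1.0/24 actions=output:2
 cookie=0x0, duration=3.1s, table=0, n_packets=5, n_bytes=400, idle_age=1, priority=0 actions=NORMAL
"""


def parse_flows(text):
    """Parse dump-flows output into {(priority, match): counters}.

    Priority plus match fields identify a flow entry; the n_packets and
    n_bytes counters are cumulative since that entry was installed
    (duration tells you when that was)."""
    flows = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("cookie="):
            continue                           # reply header line
        head, _, actions = line.partition(" actions=")
        fields, match = {}, "any"              # "any": no match fields at all
        for tok in head.split(", "):
            key, _, val = tok.partition("=")
            if key == "priority":
                # match fields follow the priority, separated by bare commas
                prio, _, rest = val.partition(",")
                fields["priority"] = int(prio)
                if rest:
                    match = rest
            else:
                fields[key] = val
        flows[(fields["priority"], match)] = {
            "packets": int(fields["n_packets"]),
            "bytes": int(fields["n_bytes"]),
            "duration": float(fields["duration"].rstrip("s")),
            "actions": actions,
        }
    return flows


def rates(old, new):
    """Per-entry bit rate between two polls.

    If an entry's duration went backwards it was re-installed in between,
    so its counters restarted: treat the new absolute values as the delta
    instead of subtracting the stale ones."""
    out = {}
    for key, cur in new.items():
        prev = old.get(key)
        if prev is None or cur["duration"] < prev["duration"]:
            dbytes, dt = cur["bytes"], cur["duration"]
        else:
            dbytes = cur["bytes"] - prev["bytes"]
            dt = cur["duration"] - prev["duration"]
        out[key] = dbytes * 8 / dt if dt > 0 else 0.0
    return out


def top_talkers(text, n=2):
    """Entries with the most bytes since installation, highest first."""
    flows = parse_flows(text)
    return sorted(flows, key=lambda k: flows[k]["bytes"], reverse=True)[:n]


if __name__ == "__main__":
    for key, bps in sorted(rates(parse_flows(POLL_1), parse_flows(POLL_2)).items(),
                           key=lambda kv: -kv[1]):
        print(f"{bps / 1e6:9.3f} Mbit/s  priority={key[0]} {key[1]}")
```

The granularity you get is the granularity of the entries you install: the 5-tuple entry gives you one TCP session, the /24 entry gives you a whole subnet, and anything not covered falls into the catch-all. Polling is what turns the cumulative counters into rates, so the poll interval bounds how quickly you can see a change.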

Redundant Server-to-Network Connectivity

Load-based teaming and other methods of VM-to-uplink pinning used by VMware and other hypervisor vendors might be the best approach in traditional VLAN-based virtual networks. The situation changes drastically in the overlay virtual networking environment where the hypervisor sends all traffic from a single IP address, making multi-chassis link aggregation (MLAG) the best solution.

For more details, read the Redundant Server-to-Network Connectivity Expert Express case study or register for the Building a Small Private Cloud webinar.

PA, PI or ULA IPv6 Address Space? It depends

Having “do we need ULA” blogologs with Ed Horley is great … and the best part of them is that we’re both right (aka: It Depends). OK, let’s try to quantify that last part.

Control and Data Plane Separation – Three Years Later

Almost three years ago the OpenFlow/SDN hype exploded and the Open Networking Foundation started promoting the concept of physically separate control and data planes. Let’s see how far its founding members got in the meantime:

vSphere Does Not Need LAG Bandaids – the Network Does

Chris Wahl claimed in one of his recent blog posts that vSphere doesn't need LAG band-aids. He's absolutely right - vSphere's loop prevention logic alleviates the need for STP-blocked links, allowing you to use full server uplink bandwidth without the complexity of link aggregation. Now let’s consider the networking perspective.

IPv6 pings and path MTU discovery

More news from the IPv6 is not like IPv4 department: there's no DF bit in IPv6, so you have to use slightly different troubleshooting tricks to figure out the path MTU size (and they depend on the operating system). More in a detailed blog post by my good friend Matjaž Straus.

Controller Implementation Choices Affecting OpenFlow Scalability

The first part of the Real-life OpenFlow Use Cases webinar focused on controller design and implementation choices that can significantly impact the scalability of an OpenFlow solution:

You could tell we had great fun with these topics: we spent more than half an hour on five slides.

What Exactly Is SDN (And Does It Make Sense)?

When Open Networking Foundation claimed ownership of Software-Defined Networking, they defined it as separation of control and data plane:

[SDN is] The physical separation of the network control plane from the forwarding plane, and where a control plane controls several devices.

Does this definition make sense or is it too limiting? Is there more to SDN? Would a broader scope make more sense?

Interfacing Overlay Virtual Networks with MPLS/VPN WAN

During my ExpertExpress engagements with engineers building multi-tenant cloud infrastructure I often get questions along the lines of “How do I integrate my public IaaS cloud with my MPLS/VPN WAN?” Here are a few ideas.

Source IPv6 Address Selection Saves the Day

My recommendation to use ULA addresses for internal communications within organizations that don’t have their own provider-independent address space resulted in the following comment:

[…] Having ULA for internal company communication and global IPv6 addresses for communication with the Internet will cause lots of issues with application guys since now application has to bind to specific IPv6 address for internal communications and another IPv6 address to go to the Internet.

Numerous aspects of IPv6 may still be broken, but fortunately this is not one of them.
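Why the application does not have to bind to anything: the host's default source address selection (RFC 6724) picks a ULA source for a ULA destination and a global source for a global destination on its own. The added example below (mine, not code from the post) implements the subset of RFC 6724 that decides those cases, Rules 1, 2, 6 and 8, over a constructed host with one link-local, one ULA and one global address from the documentation prefixes; Rules 3–5 and 7 need per-address state (deprecated/temporary flags, outgoing interface) that a bare address list does not carry, so they are omitted. It also serves the "IPv6 reachability between ULA and GUA endpoints" entry above: `classify()` separates addresses by prefix, while `scope()` shows that for address selection a ULA has the same global scope as a GUA, which is why nothing at the scope level stops a ULA host from talking to a global service; only the routing has to be there.

```python
import functools
import ipaddress

# Default policy table from RFC 6724 Section 2.1 as (prefix, label);
# only the label column is needed for Rule 6.
_POLICY = [(ipaddress.IPv6Network(p), lab) for p, lab in [
    ("::1/128", 0), ("::/0", 1), ("::ffff:0:0/96", 4), ("2002::/16", 2),
    ("2001::/32", 5), ("fc00::/7", 13), ("::/96", 3), ("fec0::/10", 11),
    ("3ffe::/16", 12),
]]


def classify(addr):
    """Address kind by prefix (RFC 4291 link-local, RFC 4193 ULA, RFC 4291 GUA)."""
    a = ipaddress.IPv6Address(addr)
    if a in ipaddress.IPv6Network("fe80::/10"):
        return "link-local"
    if a in ipaddress.IPv6Network("fc00::/7"):
        return "unique-local"
    if a in ipaddress.IPv6Network("2000::/3"):
        return "global-unicast"
    return "other"


def scope(a):
    """Scope value as compared by RFC 6724 Rule 2.

    ULAs are global scope (RFC 6724 Section 3.1); the prefix, not the
    scope, is what makes them "local". A link-local address is only
    unambiguous together with a zone index (fe80::1%eth0), which this
    simplification ignores."""
    if a.is_link_local or a.is_loopback:
        return 0x2
    if a.is_site_local:                  # deprecated fec0::/10
        return 0x5
    return 0xe


def label(a):
    """Policy-table label of the longest matching prefix."""
    _, lab = max(((n, l) for n, l in _POLICY if a in n),
                 key=lambda t: t[0].prefixlen)
    return lab


def common_prefix_len(a, b):
    return 128 - (int(a) ^ int(b)).bit_length()


def _compare(sa, sb, d):
    """Negative if SA is preferred over SB as the source for destination D."""
    if sa == d:                          # Rule 1: prefer same address
        return -1
    if sb == d:
        return 1
    if scope(sa) < scope(sb):            # Rule 2: prefer appropriate scope
        return 1 if scope(sa) < scope(d) else -1
    if scope(sb) < scope(sa):
        return -1 if scope(sb) < scope(d) else 1
    la, lb, ld = label(sa), label(sb), label(d)
    if la == ld and lb != ld:            # Rule 6: prefer matching label
        return -1
    if lb == ld and la != ld:
        return 1
    # Rule 8: prefer the source sharing the longest prefix with D
    return common_prefix_len(sb, d) - common_prefix_len(sa, d)


def select_source(candidates, destination):
    """Source address the host would pick for `destination` from the
    addresses configured on it, with the application bound to nothing."""
    d = ipaddress.IPv6Address(destination)
    cands = [ipaddress.IPv6Address(c) for c in candidates]
    best = min(cands, key=functools.cmp_to_key(lambda a, b: _compare(a, b, d)))
    return str(best)


if __name__ == "__main__":
    # Constructed host: one address of each kind, documentation prefixes only.
    host = ["fe80::1", "fd00:1::10", "2001:db8:1::10"]
    for dst in ["fd00:1::1", "2001:db8:2::1", "fe80::2"]:
        print(f"{dst:16} ({classify(dst):14}) -> source {select_source(host, dst)}")
```

The interesting failure mode is not in the rules but in their inputs: a host that has a ULA but no route to the ULA destination, or a link-local-only host talking to a global service, still gets a source address chosen; whether the packet arrives is then a routing and zone question, which is the point the reachability entry makes.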

How Did Software Defined Networking Start?

Software-Defined Networking is clearly a tautological term – after all, software defined networking device behavior ever since we stopped using Token Ring MAUs and unmanaged hubs. Open Networking Foundation claims it owns the definition of the term (which makes approximately as much sense as someone claiming they own the definition of red-colored clouds), but I was always wondering who coined the term in the first place.

VMware NSX Gateway Questions

Gordon sent me a whole list of NSX gateway questions:

  • Do you need a virtual gateway for each VXLAN segment or can a gateway be the entry/exit point across multiple VXLAN segments?
  • Can you setup multiple gateways and specify which VXLAN segments use each gateway?
  • Can you cluster gateways together (Active/Active) or do you set them up as Active/Standby?

The answers obviously depend on whether you’re deploying NSX for multiple hypervisors or NSX for vSphere. Let’s start with the former.

Does uRPF Make Sense in Internet Service Provider Networks?

Every time someone wonders about the viability of unicast reverse path forwarding (uRPF) as source address validation technique at the edge of an ISP network, someone else inevitably claims it can’t possibly work due to asymmetrical routing issues. Is the situation really so black-and-white?
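The asymmetric-routing objection is about strict mode only, and the difference is mechanical enough to show in code. The added example below (mine, not from the post) models a constructed ISP edge router with a routing table and runs the two uRPF checks over constructed packets: strict mode requires the best route back to the source to leave through the ingress interface (any ECMP next hop counts), loose mode only requires that some route to the source exists. Interface names, prefixes (documentation ranges) and packets are all invented; the rule that a default route does not validate a source unless explicitly allowed is modelled on common vendor behaviour and is an assumption you should check against your platform's defaults.

```python
import ipaddress


class RoutingTable:
    """Longest-prefix-match table: prefix -> set of egress interfaces.
    More than one interface on a prefix models an ECMP route."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), set(ifcs)) for p, ifcs in routes]

    def lookup(self, addr):
        a = ipaddress.ip_address(addr)
        matches = [(n, i) for n, i in self.routes if a in n]
        return max(matches, key=lambda t: t[0].prefixlen) if matches else None


def urpf_check(table, src, ingress, mode, allow_default=False):
    """True if a packet from `src` arriving on `ingress` passes uRPF.

    strict: the best route to the source must point back out `ingress`
            (one of the ECMP next hops is enough).
    loose:  any route to the source is enough, whatever interface it uses.
    A default route only counts when allow_default is set (assumption
    about vendor defaults; see the lead-in)."""
    route = table.lookup(src)
    if route is None:
        return False
    prefix, egress = route
    if prefix.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    if mode == "strict":
        return ingress in egress
    raise ValueError(f"unknown uRPF mode: {mode}")


def filter_packets(table, packets, policy):
    """Apply a per-interface policy ({ifc: "strict" | "loose" | None}) to
    (src, ingress) tuples and return the packets that get dropped."""
    dropped = []
    for src, ingress in packets:
        mode = policy.get(ingress)
        if mode and not urpf_check(table, src, ingress, mode):
            dropped.append((src, ingress))
    return dropped


# Constructed edge router: Gi1 single-homed customer, Gi2 peering, Gi3 transit.
TABLE = RoutingTable([
    ("192.0.2.0/24", ["Gi1"]),            # our customer's prefix
    ("203.0.113.0/24", ["Gi2"]),          # a multihomed customer: best path via the peer
    ("198.51.100.0/24", ["Gi2", "Gi3"]),  # ECMP over peer and transit
    ("0.0.0.0/0", ["Gi3"]),
])

# Constructed packets as (source address, ingress interface).
PACKETS = [
    ("192.0.2.7", "Gi1"),      # legitimate customer traffic
    ("203.0.113.5", "Gi1"),    # asymmetric: source is routable, just not via Gi1
    ("10.1.1.1", "Gi1"),       # spoofed: only the default route covers it
    ("198.51.100.9", "Gi3"),   # ECMP: transit is one of the best paths
    ("192.0.2.7", "Gi2"),      # our customer's address arriving from a peer
]

# Strict on the single-homed customer port, loose towards peers and transit.
POLICY = {"Gi1": "strict", "Gi2": "loose", "Gi3": "loose"}


if __name__ == "__main__":
    for pkt in PACKETS:
        verdicts = {m: urpf_check(TABLE, *pkt, m) for m in ("strict", "loose")}
        print(pkt, {m: "pass" if ok else "DROP" for m, ok in verdicts.items()})
    print("dropped under POLICY:", filter_packets(TABLE, PACKETS, POLICY))
```

The last packet is the one to look at when deciding whether loose mode is good enough on a peering interface: the source is a prefix this router owns, so loose mode accepts it from anywhere, and only strict mode (or an explicit ingress ACL) would catch it.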

I Say ULA, You Hear NAT

Ed Horley wrote another great post arguing you don’t need Unique Local Addresses in an IPv6 network … and I couldn’t figure out what the problem was until I got the underlying context: it seems many engineers try to transplant their IPv4 mentality into IPv6 world and see ULAs as a nice replacement for RFC1918 with NAT66 or NPT66 on the private network edge. No wonder Ed argues against that.

Is Open vSwitch Control Plane In-Band or Out-of-Band?

A few days ago I described how most OpenFlow data center fabric solutions use out-of-band control plane (separate control-plane network). Can we do something similar when running OpenFlow switch (example: Open vSwitch) in a hypervisor host?

TL&DR answer: Sure we can. Does it make sense? It depends.

IPv6 Deployment: Religion and Reality

Someone left the following comment on one of my blog posts a few days ago:

IPv6 to a network engineer is like Communism to a Marxist. It would come in such a distant future that it would be in a form we can barely picture accurately. […] So my money is on NAT444, at least in the US.

Meanwhile on planet Earth…