
Please Respond: Survey on Interconnection Agreements

Marco Canini is working on another IXP-related research project and would like to get your feedback on inter-AS interconnection agreements, or as he said in an email he sent me:

As academics, it would be extremely valuable for us to receive feedback from network operators in the industry.

It’s fantastic to see researchers who want to base their work on real-life experience (as opposed to ideas that result in great-looking YouTube videos but fail miserably when faced with reality), so if you’re working for an ISP please take a few minutes and fill out this survey.

What Exactly Should My MAC Address Be?

Looks like I’m becoming the gateway-of-last-resort for people encountering totally weird Nexus OS bugs. Here’s another beauty…

I'm involved in a Nexus 9500 (NX-OS) migration project, and one bug recently caused vPC-connected Catalyst switches to err-disable (STP channel-misconfig) their port-channel members (CSCvg05807), effectively shutting down the network for our campus during what was supposed to be a "non-disruptive" ISSU upgrade.

Weird, right? Wait, there’s more…

Video: Avaya [now Extreme] Data Center Solutions

I haven’t done an update on what Avaya was doing in the data center space for years, so I asked my good friend Roger Lapuh to do a short presentation on:

  • Avaya’s data center switches and their Shortest Path Bridging (SPB) fabric;
  • SPB fabric features;
  • Interesting use cases enabled by SPB fabric.

The videos are now available to everyone with a valid ipSpace.net account – the easiest way to get it is a trial subscription.

Data Center BGP: Autonomous Systems and AS Numbers

Two weeks ago we discussed whether it makes sense to use BGP as the routing protocol in a data center fabric. Today we’ll tackle three additional design challenges:

  • Should you use IBGP or EBGP?
  • When should you run BGP on the spine switches?
  • Should every leaf switch have a different AS number or should they share the same AS number?

Create IP Multicast Tree Graphs from Operational Data

A while ago I created an Ansible playbook that creates network diagrams from LLDP information. Ben Roberts, a student in my Building Network Automation Solutions online course, used those ideas to create an awesome solution: he’s graphing multicast trees.

Here’s how he described his solution:

Moving Complexity to Application Layer?

One of my readers sent me this question:

One thing that I notice is you mentioned moving the complexity to the upper layer. I was wondering why browsers don't support multiple IP addresses for a single site – when a browser receives more than one IP address in a DNS response, it could try to perform TCP SYN to the first address, and if it fails it will move to the other address. This way we don't need an anycast solution for DR site.

Of course I pointed out an old blog post ;), and we all know that Happy Eyeballs works this way.

First Speakers in the Spring 2018 Automation Online Course

For the first two sessions of the Building Network Automation Solutions online course I got awesome guest speakers, and it seems we’ll have another fantastic lineup in the Spring 2018 course:

Most network automation solutions focus on device configuration based on user request – service creation or change of data model describing the network. Another very important but often ignored aspect is automatic response to external events, and that’s what David Gee will describe in his presentation.

New Content: Debugging Ansible Playbooks and Jinja2 Templates

Here’s a quote from one of my friends who spent years working with Ansible playbooks:

Debugging Ansible is one of the most terrible experiences one can endure…

It’s not THAT bad, particularly if you have a good debugging toolbox. I described mine in the Debugging Ansible Playbooks part of the Ansible for Networking Engineers online course.

Please note that the Building Network Automation Solutions online course includes all material from the Ansible online course.

Automate Remote Site Hardware Refresh Process

Every time we finish the Building Network Automation Solutions online course I ask the attendees to share their success stories with me. Stan Strijakov was quick to reply:

I have yet to complete the rest of the course and assignments, but the whole package was a tremendous help for me to get our Ansible running. We now deploy whole WAN sites within an hour.

Of course I wanted to know more and he sent me a detailed description of what they’re doing:

Simplifying ipSpace.net Products

When I started my ipSpace.net project life was simple: I had a few webinars, and you could register for the live sessions. After a while I started adding recordings, subscriptions, bundles, roadmaps (and tracks), books… and a few years later workshops and online courses.

As you can imagine, the whole thing became a hard-to-navigate mess. Right now you can buy almost 70 different products on ipSpace.net. Time for a cleanup.

How Did NETCONF Start on Software Gone Wild

A long while ago Marcel Wiget sent me an interesting email along the lines of “I think you should do a Software Gone Wild podcast with Phil Shafer, the granddaddy of NETCONF”.

Not surprisingly, as we started discovering the history behind NETCONF we quickly figured out that all the API and automation hype being touted these days is nothing new – some engineers have been doing that stuff for almost 20 years.

Automate End-to-End Latency Measurements

Here’s another idea from the Building Network Automation Solutions online course: Ruben Tripiana decided to implement a latency measurement tool. His playbook takes a list of managed devices from Ansible inventory, generates a set of unique device pairs, measures latency between them, and produces a summary report (see also his description of the project).

BGP as a Better IGP? When and Where?

A while ago I helped a large enterprise redesign their data center fabric. They did a wonderful job optimizing their infrastructure, so all they really needed were two switches in each location.

Some vendors couldn’t fathom that. One of them proposed to build a “future-proof” (and twice as expensive) leaf-and-spine fabric with two leaves and two spines. On top of that they proposed to use EBGP as the only routing protocol because draft-lapukhov-bgp-routing-large-dc – a clear case of missing the customer’s needs.

Security or Convenience, That’s the Question

One of my readers was so delighted that something finally happened after I wrote about an NX-OS bug that he sent me a pointer to another one that has been pending for a long while, and is now officially terminated as FAD (Functions-as-Designed… even documented in the Further Problem Description).

Here’s what he wrote (slightly reworded)…

It’s Bash Scripts All the Way Down (more on CLI versus API)

Netfortius made an interesting comment to my Ansible playbook as a bash script blog post:

Ivan - aren't we now moving the "CLI"[-like] approach, upstream (the one we are just trying to depart, via the more structured and robust approach of RESTAPI).

As I explained several times, I don’t know where the “we must get rid of CLI” ideas are coming from; the “CLI is the root of all evil” mantra is just hype generated by startups selling alternative approaches (the best part: one of them was actually demonstrating their product using CLI).

Worth Reading: Designing Container Networking

Diane Patton (Cumulus Networks) published a short overview of container networking design options, from traditional MLAG to running Quagga on a Docker host.

If you want to learn more about individual designs described in that blog post, watch the Leaf-and-Spine Fabric Architectures and Docker Networking webinars, or join one of the data center online courses.

Let’s Pretend We Run Distributed Storage over a Thick Yellow Cable

One of my friends wanted to design a nice-and-easy layer-3 leaf-and-spine fabric for a new data center, and got blindsided by a hyperconverged vendor. Here’s what he wrote:

We wanted to have a spine/leaf L3 topology for an NSX deployment but can’t do that because the Nutanix servers require L2 between their nodes so they can be in the same cluster.

I wanted to check his claims, but Nutanix doesn’t publish their documentation (I would consider that a red flag), so I’m assuming he’s right until someone proves otherwise (note: a whitepaper is not proof of anything ;).

Feedback: Ansible for Networking Engineers

Got this feedback on my Ansible for Networking Engineers webinar:

This webinar is very comprehensive compared to any other Ansible webinars available out there. Ivan does a great job of mapping and using real-life examples which are directly related to daily tasks.

The Ansible online course is even better: it includes support, additional hands-on exercises, sample playbooks, case studies, and lab instructions.

However, Ansible is just a tool that shouldn’t be missing from your toolbox. If you need a bigger picture, consider the Building Network Automation Solutions online course (and register ASAP to save $700 with the Enthusiast ticket).

Why Does It Take So Long to Upgrade Network Devices?

One of my readers sent me a question about his favorite annoyance:

During my long practice, I’ve never seen an Enterprise successfully managing the network device software upgrade/patching cycles. It seems like nothing changed in the last 20 years - despite technical progress, it still takes years (not months) to refresh software in your network.

There are two aspects to this:

Optimize Data Center Infrastructure: Build an Optimized Fabric

I published the last part of my Optimize Data Center Infrastructure series: build an optimized data center fabric.

To learn more about data center fabric designs, check the new online course or enroll in the Spring 2018 session of the Building Next-Generation Data Center course.

Pluribus Networks… 2 Years Later

I first met Pluribus Networks 2.5 years ago during their Networking Field Day 9 presentation, which turned controversial enough that I was advised not to wear the same sweater during NFD16 to avoid jinxing another presentation (I also admit to being a bit biased in those days based on marketing deja-moo from a Pluribus sales guy I’d been exposed to during a customer engagement).

Pluribus NFD16 presentations were better; here’s what I got from them:

Run Well-Designed Experiments to Learn Faster

I know that everyone learns in a slightly different way. Let me share the approach that usually works well for me when a tough topic I’m trying to master includes a practical (hands-on) component: running controlled experiments.

Sounds arcane and purely academic? How about a simple example?

A week ago I talked about this same concept in the Building Network Automation Solutions online course. The video is already online and you get immediate access to it (and the rest of the course) when you register for the next live session.

Another Reason to Run Linux on Your Data Center Switches

Arista’s OpenFlow implementation doesn’t support TLS encryption. Usually that’s not a big deal, as there aren’t that many customers using OpenFlow anyway, and those that do hopefully do it over a well-protected management network.

However, lack of OpenFlow TLS encryption might become an RFP showstopper… not because the customer would really need it but because the customer is in CYA mode (we don’t know what this feature is or why we’d use it, but it might be handy in a decade, so we must have it now) or because someone wants to eliminate certain vendors based on some obscure missing feature.

New Dates for the Building Network Automation Solutions Online Course

We’re slowly wrapping up the autumn 2017 Building Network Automation Solutions online course, so it’s time to schedule the next one. It will start on February 13th and you can already register (and save $700 over the regular price as long as there are Enthusiast tickets left).

Do note that you get access to all course content (including the recordings of autumn 2017 sessions) the moment you register for the course. You can also start building your lab and working on hands-on exercises way before the course starts.

Things that cannot go wrong

Found this Douglas Adams quote in The Signal and the Noise (a must-read book):

The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair.

I’ll leave to your imagination how this relates to stretched VLANs, ACI, NSX, VSAN, SD-WAN and a few other technologies.

Separate Data from Code [Video]

After explaining the challenges of data center fabric deployments, Dinesh Dutt focused on a very important topic I cover in Week#3 of the Building Network Automation Solutions online course: how do you separate data (the data model describing the data center fabric) from code (Ansible playbooks and device configurations)?

Create a VLAN Map from Network Operational Data

It’s always great to see students enrolled in the Building Network Automation Solutions online course using ideas from my sample playbooks to implement a wonderful solution that solves a real-life problem.

James McCutcheon did exactly that: he took my LLDP-to-Graph playbook and used it to graph VLANs stretching across multiple switches (and provided a good description of his solution).

DMVPN or Firewall-Based VPNs?

One of my readers sent me this question:

I'm having an internal debate whether to use firewall-based VPNs or DMVPN to connect several sites if our MPLS connection goes down. How would you handle it? Do you have specific courses answering this question?

As always, the correct answer is it depends, in this case on:

The Three Paths of Enterprise IT

Everyone knows that Service Providers and Enterprise networks diverged decades ago. More precisely, organizations that offer network connectivity as their core business usually (but not always) behave differently from organizations that use networking to support their core business.

Obviously, there are grey areas: from people claiming to be service providers who can’t get their act together, to departments (or whole organizations) who run enterprise networks that look a lot like traditional service provider networks because they’re effectively an internal service provider.

Where Does Automation Fit into Enterprise IT?

One of my readers coming from the system development area asked a fundamental question about the role of automation in enterprise IT (somewhat paraphrased):

[In system development] we automate typical tasks from the pre-defined task repository, so I would like to understand broader context as the automation (I guess) is just a part of the change we want to do in the system. Someone needs to decide what to do, someone needs to accept the change and finally the automation is used.

Of course he’s absolutely right.

Worth Reading: Contrarian View on NAT

I love reading well-argued contrarian views, and Geoff Huston’s Opinion in Defense of NAT is definitely worth the time it will take you to read it.

TL&DR: Geoff argues that with all the wastage going on in IPv6 land (most bizarre: let’s give a /48 to every residential subscriber) the number of bits available for IPv6 endpoint addressing gets close to what we can squeeze out of IPv4 NAT.

Lab Requirements for Ansible for Networking Engineers Online Course

One of the undergraduate students attending my Ansible for Networking Engineers online course got to the point where he wanted to start hands-on work and sent me a list of questions:

Do I have to buy a VIRL license to use your Ansible course materials? Or is VIRL in any Github repository? Is there a way to use your files in a free tool like GNS3?

Let’s go through them one by one:

Ethernet History on Software Gone Wild

During Cisco Live Berlin 2017 Peter Jones (chair of several IEEE task forces) and I went on a journey through 40 years of Ethernet history (and Token Bus and a few other choice technologies).

The sound quality is what you could expect from something recorded on a show floor with pigeons flying around, but I hope you’ll still enjoy our chat.

Create Network Diagram from LLDP Neighbor Information

One of the sample Ansible playbooks I published to help the attendees of my Building Network Automation Solutions course get started collects LLDP neighbor information on all managed devices and converts that information into a network diagram.

Here’s the graph I got from it when I ran it on my 6-node OSPF network (the Inter-AS VIRL topology from this repository). Please note I spent zero time tweaking the graph description (it shows).

CLI or API… Again (and Again and Again…)

Got this comment on one of my blog posts:

When looking at some of the CLIs just front-ending RESTAPIs, I wonder if "survival" of CLI isn't just in the eyes of the beholder.

It made me really sad because I wrote about this exact topic several times… obviously in vain. Or as one of my network automation friends said when I asked him to look at the draft of this blog post:

[Video] Data Center Fabric Validation

Validating the expected network behavior is (according to the intent-driven pundits) a fundamental difference that makes intent-driven products more than glorified orchestration systems.

Guess what: smart people knew that for ages and validated their deployments even when using simple tools like Ansible playbooks.

Dinesh Dutt explained how he validates data center fabric deployment during the Network Automation Use Cases webinar; I’m doing something similar in my OSPF deployment playbooks (described in detail in the Ansible online course).

Another DMVPN Routing Question

One of my readers sent me an interesting DMVPN routing question. He has a design with a single DMVPN tunnel with two hubs (a primary and a backup hub), running BGP between hubs and spokes and IBGP session between hubs over a dedicated inter-hub link (he doesn’t want the hub-to-hub traffic to go over DMVPN).

Here's (approximately) what he's trying to do:

Upgrading Virtual Appliances

In every SDDC workshop I tried to persuade the audience that virtual appliances (particularly per-application instances of virtual appliances) are the way to go. I usually got questions along the lines of “who will manage and audit all these instances?”, but once someone asked “and how will we upgrade them?”

Short answer: you won’t.

New Webinar: QoS Fundamentals (and Other Events)

I listened to Ethan Banks’ presentation on lessons learned running active-active data centers years ago at Interop, and liked it so much that I asked him to talk about the same topic during the Building Next-Generation Data Center course.

Not surprisingly, Ethan did a stellar job, and when I heard he was working on the QoS part of an upcoming book, I asked him whether he’d be willing to do a webinar on QoS.

[Video] Building a Pure Layer-3 Data Center with Cumulus Linux

One of the design scenarios we covered in the Leaf-and-Spine Fabric Architectures webinar is a pure layer-3 data center, and in the “how do I do this” part of that section Dinesh Dutt talked about the details you need to know to get this idea implemented on Cumulus Linux.

We covered a half-dozen design scenarios in that webinar; for an even wider picture check out the new Designing and Building Data Center Fabrics online course.

Turn Your Ansible Playbook into a Bash Command

In one of the previous blog posts I described the playbook I use to collect SSH keys from network devices. As I use it quite often, it became tedious to write ansible-playbook path-to-playbook every time I wanted to run the collection process.

Ansible playbooks are YAML documents, and YAML documents use # to start comments, so I thought “what if I’d use a YAML comment to add a shebang and turn my YAML document into a script?”

TL&DR: It works. Now for the longer story…

Update: Brocade Data Center Switches

Second vendor in this year’s series of data center switching updates: Brocade.

Not much has happened on this front since last year’s update. There was a maintenance release of Brocade NOS, and they launched the SLX series of switches, but those are so new that the software documentation hasn’t yet made it to the usual place (the document library for individual switch models); it’s here.

In any case, the updated videos (including edited 2016 content which describes IP Fabric in great detail) are online. You can access them if you bought the webinar recording in the past or if you have an active ipSpace.net subscription.

Solving the Problem in the Right Place

Sometimes I have this weird feeling that I’m the only loony in town desperately preaching against the stupidities heaped upon infrastructure, so it’s really nice when I find a fellow lost soul. This is what another senior networking engineer sent me:

I'm belonging to a small group of people who are thinking that the source of the problem are the apps and the associated business/security rules: their nature, their complexity, their lifecycle...

Sounds familiar (I probably wrote a few blog posts on this topic in the past), and it only got better.

Networking Trends Discussion with Andrew Lerner and Simon Richard: Part 2

In June 2017, we concluded the Building Next Generation Data Center online course with a roundtable discussion with Andrew Lerner, Research Vice President, Networking, and Simon Richard, Research Director, Data Center Networking @ Gartner.

In the second half of our discussion (first half is here) we focused on these topics:

Update: Arista Data Center Switches

In the past 5+ years I ran at least one Data Center Fabrics Update webinar per year to cover new hardware and software launched by data center switching vendors.

The rate of product and feature launches in the data center switching market is slowing down, so I decided to insert the information on new hardware and software features launched in 2017 directly into the merged videos describing the progress various vendors made in recent years.

First in line: Arista EOS. You can access the videos if you bought the webinar recording in the past or if you have an active ipSpace.net subscription.

Reducing the Number of Transported Routes

One of my friends sent me this design challenge:

Assume you’re migrating from another WAN transport technology to MPLS. The existing network has 3000 routes but the MPLS carrier is limiting you to 1000 routes. How could you solve this with MPLS?

Personally, I think MPLS is a red herring.

A better question would be “how do you reduce the number of routes transported across your WAN network” or “how do you reduce the routing interaction with your MPLS service providers” (particularly intriguing if you use more than one of them).

As always, there are several options and it’s impossible to recommend the best one:

  • Readdressing is usually out of the question (or at least too messy to try). It might also break numerous firewall rules and other hard-coded stuff… unless you automated everything, but then it wouldn’t be hard to readdress, would it?
  • The usual answer would be to summarize the routes. The usual challenge is that you might not be able to do it (because of random addressing). Furthermore, summarization is a lossy compression, and loss of forwarding information might result in black holes.
  • RFC 1925 states that there’s nothing that cannot be solved with another layer of abstraction. In this case, we could use any one or more of a half-dozen overlay technologies (IPsec, GRE, VXLAN, DMVPN, LISP…), or use an overlay technology sprinkled with unicorn dust (aka SD-WAN). The beauty of CE-to-CE tunnels is that they totally eliminate the need for PE-CE routing, and (when combined with VRFs) create independent routing domains, so you can use multiple SPs without the associated hassle.
  • Finally, you could go for a really exotic solution like Carrier’s Carrier (using additional MPLS labels as the data-plane abstraction mechanism).

Having an interesting design challenge? Check out ExpertExpress – also included in Professional Subscription.

Are You Solving the Right Problem?

With all the intent-based hype (and the previous SDN-will-rule-the-world-hype) you’d think that the network is the ultimate ossified roadblock on the path to agile nirvana.

You’d be totally wrong (and you’d deserve it – never trust a vendor peddling a product).

Here’s an amazing discovery I made when I was still running on-site SDN and network automation workshops.

Upcoming Webinars and Events

Here’s the list of webinars and events planned for October and November 2017:

Hint: you get access to all live webinar sessions, and 170 hours of downloadable videos, with an ipSpace.net subscription.

my.ipSpace.net outage: fixing broken libraries

An update of Perl libraries broke a number of my scripts (don't ask). Here's the current status:

  • Fixed: credit card processing. It was impossible to buy products from ipSpace.net with credit cards (the credit card form didn't appear at all)
  • Fixed: Google+ login
  • Unrelated and fixed: blog search

Anything else not working? Please write a comment or send me an email. Thank you!

Collect SSH Keys with Ansible

Here’s a common scenario I’m encountering on Ansible-related forums:

Q: I cannot connect to network devices with my Ansible network modules. I keep getting these weird error messages…

Me: Are you sure you have the device SSH keys in known_hosts file?

Q: How did you know?

Coming Full Circle on IPv6 Address Length

In The Future of Networking with Fred Baker, Fred mentioned an interesting IPv6 deployment scenario: give a /64 prefix to every server to support container deployment, and run routing protocols between servers and ToR switches to advertise the /64 prefix to the data center fabric, preferably using link-local addresses.

Let’s recap:

Self-Driving Networks with Kireeti Kompella

A while ago I got a kind email from Kireeti Kompella, CTO @ Juniper Networks, saying “A colleague sent me an email of yours regarding SDN, the trough of disillusionment, and the rise of automation. Here's a more dramatic view: the Self-Driving Network -- one whose operation is totally automated.”

Even though Software Gone Wild podcast focuses on practical ideas that you could deploy relatively soon in your network, we decided to make an exception and talk about (as one of my friends described it) a unicorn driving a flying DeLorean with a flux capacitor.

Are VXLAN-Based Large Layer-2 Domains Safer?

One of my readers was wondering about the stability and scalability of large layer-2 domains implemented with VXLAN. He wrote:

If common BUM traffic (e.g. ARP) is being handled/localized by the network (e.g. NSX or ACI), and if we are managing what traffic hosts can send with micro-segmentation style filtering blocking broadcast/multicast, are large layer-2 domains still a recipe for disaster?

There are three major (fundamental) problems with large L2 domains:

Start Your Network Automation Journey by Mastering Fundamentals

If you’re a long-time reader of my blog you probably know that I believe in learning the fundamentals before trying to do anything else (like the Google-and-Paste spaghetti-wall approach), so you can imagine my delight when I got this feedback from an engineer watching the (free) Network Programmability 101 webinar:

I was expecting a technical webinar, so I was a little bit disappointed at first with a “meta” webinar, but as I got through I was more than happy; learning such a meta sphere or getting to know other mindsets is very useful for me. The webinar pushed me to think outside of my little world and to open my mind.

That's exactly what I'm trying to achieve with the high-level webinars. So glad to hear it worked ;))

Improving BGP Convergence without Tweaking BGP Timers

One of the perks of my online courses is the lifetime access to the course Slack team, and you’d be amazed by the variety of questions asked there. Not so long ago I got one on BGP timers:

The BGP timers I’m using in my network are 5 and 15 seconds, and I am not sure if it's a good practice to reduce them even more.

You should always ask yourself this set of questions before tweaking a nerd knob:

Upcoming Events and Webinars

You might have noticed that the “upcoming webinars” blog widget is gone; instead, I’ll write a blog post every two weeks or so to keep you updated on upcoming webinars and other events.

Here’s what’s coming in September and October 2017:

NFD16 First Impressions

Getting bored sitting at San Jose airport waiting for Vagrant to update guest additions in my Ubuntu VM (first item on my to-do list: prepare final version of material for next week’s Docker workshop), so here are my very first impressions of Networking Field Day 16 presentations we’ve seen in the last three days.

As always, there were great presentations, good presentations, … and a few that are best forgotten. I won’t mention those.

Open-Source Networking Textbook

A month ago I told you how Dr. Olivier Bonaventure starts his networking course with IPv6. But there’s more: the full textbook for the undergraduate course (Computer Networking: Principles, Protocols and Practice) is open-sourced and available (in source form) on GitHub.

You might wonder why I’m so enthusiastic, so let me tell you another story…

Featured webinar: Ansible for Networking Engineers

The featured webinar in September 2017 is the Ansible for Networking Engineers webinar, and in the featured videos you'll learn what Jinja2 is and how you can use it to generate network device configurations with Ansible.

If you already have a trial subscription, log into my.ipspace.net, select the Ansible webinar from the first page, and watch the videos marked with a star. To start your trial subscription, register here.

New theme on blog.ipspace.net

You might have noticed that my blog looks a bit different than it did a few hours ago thanks to fantastic work by Nils & Mathias from Strandrover.Agency (and a bit of homegrown Blogger template hacking). We tested all the functionality we could think of; if we missed something, please write a comment (comments still work ;).

When reporting a problem, please tell me what browser (and browser version) you're using and whether you're using a web proxy (like Cisco Web Security Appliance).

Networking Trends Discussion with Andrew Lerner and Simon Richard

In June 2017, we concluded the Building Next Generation Data Center online course with a roundtable discussion with Andrew Lerner, Research Vice President, Networking, and Simon Richard, Research Director, Data Center Networking @ Gartner.

During the first 45 minutes, we covered a lot of topics including:


New in Ansible for Networking Engineers Online Course

Plenty of new stuff was added to the Ansible for Networking Engineers online course and webinar since the last update.

Fun things first: I needed adjustable check mode behavior and change tracking in some playbooks, and documented these features in two new videos (online course and webinar).


Intent-Based Hype

It all started with a realistic response I got to my automation and orchestration blog post (here’s a unicorn-driving-a-DeLorean one in case you missed it):

Maybe you could also add the "intent-based network" which is also not so far from orchestration?

It got me thinking. The way I understand intent-based whatever, it’s an approach where I tell a system what I want it to do, not how to do it.


New: Metro- and Carrier Ethernet Encryptors Market Overview

My friend Christoph Jaggi published new versions of his Metro- and Carrier Ethernet Encryptor documents:

  • Technology introduction, including an overview of encryption mechanisms, Carrier Ethernet connectivity models, typical deployments, and key management challenges.
  • Market overview, including standards, control- and data plane considerations, key- and system management, and network integration.

Enjoy!


Automation Tools in Building Network Automation Solutions Online Course

A network engineer interested in attending the Building Network Automation Solutions online course sent me this question:

Does the course cover only Ansible, or does it also cover other automation tools like Python?

The course focuses on how you’d build a network automation solution. Selecting the best tool for the job is obviously one of the major challenges, and so one of the self-study modules describes various automation tools and where you could use them to build a full-blown solution.


Challenges of Data Center Fabric Deployments [Video]

One of the use cases we covered in Network Automation Use Cases webinar is a fully-automated data center fabric deployment. Dinesh Dutt (Cumulus Networks) started this section with an overview of challenges you might face in data center fabric deployments.

If you want to automate your fabric with Ansible, enroll in the Ansible for Networking Engineers course, or attend the Building Network Automation Solutions course if you want to get a broader view.


Interesting Idea: Architecture Review Working Group

John Allspaw wrote an interesting blog post describing how he dealt with requests to introduce new technologies or design patterns. While he’s writing from the software development perspective, the ideas apply equally well to network architecture, so go and read what he has to say (and how he defines what engineering method is).


Upgrade Network Device Software with Ansible Playbook

One of the engineers going through my Ansible for Networking Engineers online course sent me this question:

In the Introduction section, you mention a use case of upgrading software. Do you have an example playbook?

Unfortunately, I don’t. Upgrading software is one of those things that’s almost impossible to simulate in a virtual lab.


The Cost of Networking Hardware (and Disaggregation)

Eyvonne Sharp wrote an interesting blog post describing the challenges Cisco might have integrating Viptela acquisition, particularly the fact that Viptela has a software solution running on low-cost hardware.

Guess what… Cisco IOS also runs on low-cost hardware, it’s just that Cisco routers are sold as a software+hardware bundle masquerading as expensive hardware.


Feedback: Network Automation 101

Some networking practitioners start their network automation journey with the Python or Ansible dilemma. Engineers and architects usually want to understand the bigger picture first, and figure out the potential showstoppers and roadblocks. One of them left this feedback on the Network Automation 101 webinar:

A must-have overview of fundamental Network Automation concepts. I wouldn't face an automation project without understanding these concepts first.

Teach IPv6 First and Automate the Deployment

In mid-July dr. Olivier Bonaventure (one of the unsung networking heroes who’s always trying to address real-life problems instead of inventing unicorn solutions in search of a problem) sent an email to v6ops mailing list describing how they teach networking.

Short summary for differently-attentive:


Feedback: Open Networking for Large-Scale Networks

Got this feedback from a network architect attending the Open Networking for Large-Scale Networks webinar:

I used the webinar when preparing for a meeting/discussion with a NOS SW-vendor. In the meeting, my knowledge was completely up-to-speed & I was on the level with the vendor in the discussion! :-)

Obviously, Russ White and Shawn Zandi did a great job based on their real-life hands-on experience (they use whitebox switches @ LinkedIn).


Net Neutrality (Again and Again and Again)

Net neutrality is one of those topics that should never have existed, but of course it inevitably erupts every so often, so here we go…

Not so long ago Robert Graham published his anti-net-neutrality arguments which are (no surprise) not much different from what I wrote when I still cared about this argument (here, here, here and here). While I agree with his overall perspective, I completely disagree with his view of Comcast’s initial response to network congestion.


RFC8200: IPv6 Is an Internet Standard

You wouldn’t believe it – after almost 22 years (yeah, it’s been that long since RFC 1883 was published), IPv6 became an Internet standard (RFC8200/STD86). No wonder some people claim IETF moves at glacial speed ;)

Speaking of IPv6, IETF and glacial speeds – there’s been a hilarious thread before Prague IETF meeting heatedly arguing whether the default WLAN SSID should be IPv6-only (+NAT64). Definitely worth reading (for the entertainment value) over a beer or two.


RFC 8196: IS-IS Autoconfiguration

Finally a group of engineers figured out it’s a good idea to make things less complex instead of heaping layers of complexity on top of already-complex kludges.

RFC 8196 specifies default values and extensions to IS-IS that make it a true plug-and-play routing protocol. I wonder when we’ll see it implemented now that everyone is obsessed with intent-based hype.


(Not-so-very) Early Network Automation

If you’re not old enough to know otherwise, you’d think (based on recent hype) that we discovered network automation a few years ago. Not true. One of my readers sent me a link to excellent Managing IP Networks with Free Software presentation from NANOG26 (October 2002).

I found the presentation awesome, nothing new, and extremely sad… all at the same time.


IPv6 Link-Local Addresses and VLAN Interfaces

One of my readers sent me an email that’s easiest paraphrased into: “Why can’t I have a different IPv6 link-local address (LLA) on every access port connected to a VLAN interface?”

There’s probably nothing stopping someone from implementing such an approach, but it would go against the usual understanding of how bridging and routing interact in L2+L3 switches.


Q&A: Building Network Automation Solutions Online Course

I got tons of questions about the upcoming Building Network Automation Solutions online course. It always starts with the same one:

Is access to the self-study material granted upon enrollment?

Absolutely. You also get access to everything we did in January, and the new self-paced Ansible for Networking Engineers online course.


Automation or Orchestration?

Have you ever wondered what the difference between automation and orchestration is?

Wikipedia defines automation as use of various control systems for operating equipment. The definition I prefer (because it’s easier to understand in network automation environment) is elimination of well-defined repeatable manual tasks – the emphasis being on well-defined and repeatable.


Swimlanes, Read-Write Transactions and Session State

Another question from someone watching my Designing Active-Active and Disaster Recovery Data Centers webinar (you know, the one where I tell people how to avoid the world-spanning-layer-2 madness):

In the video about parallel application stacks (swimlanes) you mentioned that one of the options for using the R/W database in Datacenter A if the user traffic landed in Datacenter B in which the replica of the database is read-only was to redirect the user browser with the purpose that the follow up HTTP POST land in Datacenter A.

Here’s the diagram he’s referring to:


New in Ansible for Networking Engineers

Here’s the list of materials (and other changes) I added to the Ansible for Networking Engineers webinar and online course in June 2017.

The first thing you’ll notice is the brand-new user interface with collapsible sections, making it easier to grasp the big picture (the change was badly needed – the webinar is already almost 12 hours long).


How Do I Start Automating Network Device Configurations in an Existing Network?

I get a “how do I get started with network automation” question every other week, and when I wrote a lengthy reply to one about configuration templating of existing snowflake network on networktocode Slack channel I decided it’s time to turn my replies into a blog post.


Sample Network Automation Ansible Playbooks

I developed over a dozen different Ansible-based network automation solutions in the last two years for my network automation workshops and online course, and always published them on GitHub… but never built an index, or explained what they do, and why I decided to do things that way.

With the new my.ipSpace.net functionality I added for online courses I got the hooks I needed to make the first part happen:


Asymmetrical Traffic Flows and Complexity

One of my readers sent me a list of questions on asymmetrical traffic flows in IP networks, particularly in heavily meshed environments (where it’s really hard to ensure both directions use the same path) and in combination with stateful devices (firewalls in particular) in the forwarding path.

Unfortunately, there’s no silver bullet (and the more I think about this problem, the more I feel it’s not worth solving).


Moving to Summer Schedule

The inevitable summer decline of visitors has started, so I'm switching (like every summer) to a lower publishing frequency. Given my current focus (here and here) expect one network automation post and one other in-depth post every week… and maybe an occasional this-is-worth-reading link.

Working in the summer office ;)

Take some time off, enjoy the vacations, and I hope to meet you in the September online course ;)


Monitoring SDN Networks: Featured Webinar in June 2016

Monitoring SDN Networks is the featured webinar of June 2017, and in the featured video Terry Slattery (CCIE#1026) talks about network analysis of SDN.

If you’re a trial subscriber, log into my.ipspace.net, select the webinar from the first page, and watch the video marked with a star… and if you’d like to try the ipSpace.net subscription, register here.

Trial subscribers can also use this month's featured webinar discount to get a 25% discount (and get closer to the full subscription).


First Speakers in Autumn Network Automation Course

Today I can tell you who the first speakers in the autumn 2017 network automation online course will be.

Sounds promising? Why don’t you register before we run out of early-bird tickets?


Want to Learn Something New? Learn Git!

If you'd come to me as a networking engineer and say “there's one new thing I want to learn that's outside of my $dayjob”, I'd probably say “invest some serious time into learning Git (beyond memorizing the quick recipes) if you haven’t done that already”.

Full disclosure: not so long ago I tried to avoid Git as much as possible… and then it suddenly clicked ;)


Packet Fabric on Software Gone Wild

Imagine a service provider that allows you to provision a 100GE point-to-point circuit between any two of their POPs through a web site and delivers it in seconds (assuming you’ve already solved the physical connectivity problem). That’s the whole idea of SDN, right? Only not that many providers have got there yet.


New: Ansible for Networking Engineers Online Course

Long story short: I’m launching Ansible for Networking Engineers self-paced course today. It’s already online and you can start whenever you wish.

Now for the details…

Isn’t there already an Ansible for Networking Engineers webinar? Yes.

So what’s the difference? Glad you asked ;)


Leaf-and-Spine Fabrics: Implicit or Explicit Complexity?

During Shawn Zandi’s presentation describing large-scale leaf-and-spine fabrics I got into an interesting conversation with an attendee that claimed it might be simpler to replace parts of a large fabric with large chassis switches (largest boxes offered by multiple vendors support up to 576 40GE or even 100GE ports).

As always, you have to decide between implicit and explicit complexity.


Self-Study Exercises Added to Ansible for Networking Engineers Webinar

Last week I published self-study exercises for the YAML and Jinja2 modules in the Ansible for Networking Engineers webinars, and a long list of review questions for the Using Ansible and Ansible Deeper Dive sections.

I also reformatted the webinar materials page. Hope you’ll find the new format easier to read than the old one (it’s hard to squeeze over 70 videos and links on a single page ;).

Oh, and you do know you get the Ansible webinar (and over 50 other webinars) with an ipSpace.net subscription, right?


Where Do You Want to Move the Complexity?

Michael Klose left an interesting remark on my Regional Internet Exits in Large DMVPN Deployment blog post saying…

Would BGP communities work? Each regional Internet Exit announces the default route with a Region Community and all spokes only import the default route for their specific region community.

That approach would definitely work. However, you have to decide where to move the complexity.


Cisco ACI, VMware NSX and Programmability

One of my readers sent me a lengthy email describing his NSX-versus-ACI views. He started with [slightly reworded]:

What I want to do is to create customer templates to speed up deployment of application environments, as it takes too long at the moment to set up a new application environment.

That’s what we all want. How you get there is the interesting part.


Webinars in First Half of 2017

The first half of 2017 is almost gone, so it’s time to check how far I got with the plans I made in January.

Delivered:


Is Anyone Using Open Daylight?

A while ago I sent out an email to my SDN and network automation mailing list (join here) asking whether anyone uses Open Daylight in anything close to a production environment (because I haven’t ever seen one).

Among many responses saying “not here” I got a polite email from a VP of Marketing working for a company that sells OpenDaylight-related services, listing tons of customer deployments (no surprise there).


Start Using OpenConfig with NAPALM on Software Gone Wild

OpenConfig sounds like a great idea, but unfortunately only a few vendors support it, and it doesn’t run on all their platforms, and you need the latest-and-greatest software release. Not exactly a set of conditions that would encourage widespread adoption.

Things might change with the OpenConfig data models supported in NAPALM. Imagine you could parse router configurations or show printouts into OpenConfig data structures, or use OpenConfig to configure Cisco IOS routers running decade-old software.


Use Your Networking Knowledge to Design Automation Solution

I’m getting plenty of emails from not-so-very-young networking engineers trying to make career transitions. I got this one from a CCIE in his mid-40s:

Would you think the SDN and Data Center paths would be suitable for a long standing engineer?

Absolutely. It's just networking, although it's sometimes disguised a bit.

This article was initially sent to my Network Automation mailing list.


Webinars This Week

The spring craziness is still in full swing – we’ll have three webinars this week (a first) and I was so busy I didn’t even have time to write about them. Let’s fix that.

Data Center Updates on Monday is the second part of server virtualization, virtual machines and containers update to Data Center 3.0 webinar. We covered virtual machines in the last session (April 25th), this time we’ll talk about containers.

David Barroso (now at Fastly) will talk about NAPALM in Ansible on Tuesday.


Let's build a small network automation solution!

Do you have the feeling that you should know more about network automation, but don't know where to start? I was facing that same problem in 2015, and then started exploring Ansible (plus YAML, Jinja2, Git, Puppet…), creating small playbooks, and finally came to a point where I said "now I know that you can have a small solution solving an actual problem ready in a few weeks even if you know absolutely nothing today".


Regional Internet Exits in Large DMVPN Deployment

One of my readers wanted to implement a large DMVPN cloud with regional Internet exit points:

We need to deploy regional Internet exits and I’d like to centralize them. Each location with a local Internet exit will be in a region and that location will advertise a default route into the DMVPN domain to only those spokes in that particular region.

He wasn’t particularly happy with the idea of deploying access and core DMVPN clouds:


Few Secrets of Successful Learning: Focus, Small Chunks, and Sleep

One of my readers sent me a few questions about the leaf-and-spine fabric architectures webinar because (in his own words)

We have some projects 100% matching these contents and this extra feedback would be really useful, not just from consultants and manufacturers.

When I explained the details he followed up with:

Now, I expect in one or two weeks to find some days to be able to follow this webinar in a profitable way, not just between phone calls and emails.

That’s not how it works.


Network Testing on Software Gone Wild

Network automation and orchestration is a great idea… but how do you verify that what your automation script wants to do won’t break the network? In Episode 78 of Software Gone Wild we discussed the intricacies of testing network automation solutions with Kristian Larsson (developer of Terastream orchestration software) and David Barroso of NAPALM and SDN Internet Router fame.


Failure Is Inevitable – Deal with It!

Last week a large European financial institution had a bad hair day. My friend Christoph Jaggi asked for my opinion, and I decided not to focus on the specific problem (that’s what post-mortems are for) but to point out something that’s often forgotten: don’t believe your system won’t fail, be prepared to deal with the failure.


Have to choose between VMware NSX and Cisco ACI? You’re Not Alone

I keep getting questions along the lines of “should I go with VMware NSX or should I deploy Cisco ACI” every single week, and as you know it’s hard to answer anything but it depends without spending hours on the topic.

That’s exactly what we plan to do in Zurich next Tuesday (May 16th) in a DIGS workshop that will run in parallel with the Data Center & Cloud Day (part of the SIGS Technology Conference).


Follow-up: Nexus-OS Dropping Configuration Commands

Not long after I published the let’s drop some configuration commands rant I got a very nice email from Nicolas Delecroix, Technical Marketing Engineer in Cisco INSBU, effectively saying “Would you have time for a short WebEx call to discuss the root cause of the problem and what we did to fix it?”

Of course I agreed and here’s what they told me:


What is VxRail?

One of my readers was considering Dell/EMC hyperconverged solutions and sent me this question:

Just wondering if you have a chance to check out VxRail.

I read the data sheet and spec sheet, but have never seen anyone using it (any real-life experience highly welcome – please write a comment).


Salt and SaltStack on Software Gone Wild

Ansible, Puppet, Chef, Git, GitLab… the list of tools you can supposedly use to automate your network is endless, and there’s a new kid on the block every few months.

In Episode 77 of Software Gone Wild we explored Salt, its internal architecture, and how you can use it with Mircea Ulinic, a happy Salt user/contributor working for Cloudflare, and Seth House, developer @ SaltStack, the company behind Salt.


Update: VMware NSX in Redundant L3-only Data Center Fabric

Short update for those that read the original blog post: it turns out that the answer to the question “Is it possible to run VMware NSX on redundantly-connected hosts in a pure L3 data center fabric?” is still NO.

VTEPs from different ESXi hosts can be in different subnets, but while a single ESXi host might have multiple VTEPs, the only supported way to use them is to put them in the same subnet. I removed the original blog post.

A huge thank you to everyone who pushed me with their comments and emails to find the correct answer.


Mini-RSA in Zurich, NSX, ACI, Automation…

I’ll be doing several on-site workshops in the next two months. Here’s a brief summary of where you could meet me in person.

A bit of manual geolocation first: if you’re from Europe, check out the first few entries, if you’re from US, there’s important information for you at the bottom, and if you don’t want to travel Europe or US, there’s an online course starting in September ;)


Figure Out What the Customer Really Needs

One of the toughest challenges you can face as a networking engineer is trying to understand what the customer really needs (as opposed to what they think they’re telling you they want).

For example, the server team comes to you saying “we need 5 VLANs between these 3 data centers”. What do you do?


Programmable ASICs on Software Gone Wild

During Cisco Live Europe 2017 (where I got thanks to the Tech Field Day crew kindly inviting me) I had a nice chat with Peter Jones, principal engineer @ Cisco Systems. We started with a totally tangential discussion on why startups fail, and quickly got back to flexible hardware and why one would want to have it in a switch.


Leaf-and-Spine Fabrics: Featured Webinar in April 2017

I recently finished editing the videos from the Leaf-and-Spine Designs update to the Leaf-and-Spine Fabrics webinar, so it wasn’t hard to select the featured webinar for April 2017. The featured videos now include BGP in the Data Center by Dinesh Dutt, SPB Deep Dive by Roger Lapuh, and VXLAN with EVPN control plane by Lukas Krattiger.


Worth Reading: Legacy software and Evolution

In case you’re wondering why we’re stuck with old stuff like TCP, IPv4, OSPF, and a few other bits and pieces that were invented decades ago when we could be using the glitzy controller-based software-defined whatever, read the blog post by Martin Sustrik. He talks about software, but we’re facing the same challenges in networking.


Network Automation Is Much More than Configuration Management

Most network automation presentations you can find on the Internet focus on configuration management, either to provision new boxes, or to provision new services, so it’s easy to assume that network automation is really a fancy new term for consistent device configuration management.

However, as I explained in the Network Automation 101 webinar, there’s so much more you can do, and today I’d like to share a real-life example from Jaakko Rautanen, an alumnus of my Building Network Automation Solutions online course.


Let’s Drop Some Random Commands, Shall We?

One of my readers sent me a link to CCO documentation containing this gem:

Beginning with Cisco NX-OS Release 7.0(3)I2(1), Cisco Nexus 9000 Series switches handle the CLI configuration actions in a different way than before the introduction of NX-API and DME. The NX-API and DME architecture introduces a delay in the communication between Cisco Nexus 9000 Series switches and the end host terminal sessions, for example SSH terminal sessions.

So far so good. We can probably tolerate some delay. However, the next sentence is a killer…

2017-05-08: The behavior is caused by an old bug in Linux TTY driver. Fixed NX-OS versions are planned to be shipped in late May 2017. More details here.

2017-04-05: The wonderful information disappeared from Cisco's documentation within 24 hours with no explanation whatsoever. However, I expected that and took a snapshot of that page before publishing the blog post ;)


NETCONF on Cisco Campus Switches on Software Gone Wild

During Cisco Live Europe (huge thanks to Tech Field Day crew for bringing me there) I had a chat with Jeff McLaughlin about NETCONF support on Cisco IOS XE, in particular on the campus switches.

We started with the obvious question “why would someone want to have NETCONF on a campus switch”, continued with “why would you use NETCONF and not REST API”, and diverted into “who loves regular expressions”. Teasing aside, we discussed:


Railroads and Cars: a Fairy Tale

Imagine a Flatworld in which railways are the main means of transportation. They were using horses and pigeons in the past, and experimenting with underwater airplanes, but railways won because they were cheaper than anything else (for whatever reason, price always wins over quality or convenience in that world).

As always, there were multiple railroad tracks and trains manufacturers, and everyone tried to use all sorts of interesting tricks to force the customers to buy tracks and trains from the same vendor. Different track gauges and heptagonal wheels that worked best with grooved rails were the usual tricks.


Securing Network Automation: Troopers 17 Presentation

Niki Vonderwell kindly invited me to Troopers 2017 and I decided to talk about security and reliability aspects of network automation.

The presentation is available on my web site, and I’ll post the link to the video when they upload it. An extended version of the presentation will eventually become part of Network Automation Use Cases webinar.
