Stackable Data Center Switches? Do the Math!

Imagine you have a typical 2-tier data center network (because 3-tier is so last millennium): layer-2 top-of-rack switches redundantly connected to a pair of core switches running MLAG (to get around spanning tree limitations) and IP forwarding between VLANs.

Next thing you know, a rep from your favorite vendor comes along and says: “did you know you could connect all ToR switches into a virtual fabric and manage them as a single entity?” Is that a good idea?

IPv6 On-Link Determination – What Is It And Why Do We Need It?

When an IPv4/IPv6 host wants to send a packet to another host, it has to answer the following simple questions:

  • Can I reach the destination IP address directly (is the destination on the same LAN/subnet)?
  • If not, who will help me forward the packet (who is the first-hop router)?

In the IPv4 world, the host can get all the information it needs through DHCP. In the IPv6 world, things are way more complex (but also way more correct if you’re a theoretician).

EIGRP Loop Prevention Logic

Hamid sent me the following question:

I have already memorized (bad idea, BTW) that a loop can occur if FD < RD. Could you please tell me how a loop could occur assuming FD < RD and we ignore the feasibility condition?

I’ll use a simple three-router network (see the following diagram) to illustrate why EIGRP cannot figure out whether an alternate more expensive path could lead to a loop or not.

VXLAN is not a Data Center Interconnect technology

In a comment to the Firewalls in a Small Private Cloud blog post I wrote “VXLAN is _NOT_ a viable inter-DC solution”, and Jason wasn’t exactly happy with my blanket response. I hope Jason got a detailed answer in the VXLAN Technical Deep Dive webinar; here’s a somewhat shorter explanation.

Building Leaf-and-Spine Fabrics with Dell Force10 Switches

In the Clos Fabrics Explained webinar I focused on the principles of operation and design options of Clos fabrics, and Brad Hedlund, who graciously agreed to be my guest, explained how you can use Dell Force10 switches to build them. In this video he describes a simple leaf-and-spine topology with 40GE uplinks.

IPv6 deployment IETF drafts

An incredible number of IPv6 deployment documents have been published as IETF drafts recently, amongst them:

Enjoy ... and don’t forget to join the v6ops mailing list ;)

What Exactly Are Virtual Firewalls?

Kaage added a great comment to my Virtual Firewall Taxonomy post:

And many physical firewalls can be virtualized. One physical firewall can have multiple virtual firewalls inside. They all have their own routing table, rule base and management interface.

He’s absolutely right, but there’s a huge difference between security contexts (to use the ASA terminology) and firewalls running in VMs.

BGP Convergence Optimization

I’m exposed to an incredible variety of topics in my ExpertExpress engagements, but there are always a few recurring themes, one of them being “we’re experiencing long convergence times and high packet loss after our primary Internet link fails.” Almost always the root cause turns out to be the full Internet routing table being received on inadequate hardware.

More real-life DHCPv6 Prefix Delegation gotchas

The murky details of IPv6 implementations never crop up until you start deploying it (or, as Randy Bush recently wrote: “it is cheering to see that the ipv6 ivory tower still stands despite years of attack by reality”).

Here’s another one: in theory the prefixes delegated through DHCPv6 should be static and permanently assigned to the customers for long periods of time.

DHCPv6 Prefix Delegation, RADIUS and Shared Usernames

Jernej Horvat sent me the following question:

I know DHCPv6-based prefix delegation should be as stable as possible, so I plan to include the delegated prefix in my RADIUS database. However, for legacy reasons each username can have up to four concurrent PPPoE sessions. How will that work with DHCPv6 IA_PD?

Short answer: worst case, DHCPv6 prefix delegation will be royally broken.

Firewalls in a Small Private Cloud

Mrs. Y, the network security princess, sent me an interesting design challenge:

We’re building a private cloud and I'm pushing for keeping east/west traffic inside the cloud. What are your opinions on the pros/cons of keeping east/west traffic in the cloud vs. letting it exit for security/routing?

Short answer: it depends.

IP packet delivery confirmation

Thomas wanted to check whether IP traffic is actually delivered to a remote site and sent me the following question:

I would like to know whether the packets I sent from site A to site B have been received. I don't want to create test traffic using ip sla, I would like to know that the production traffic has been delivered. I could use ACL counters but I'm running a full mesh of tens of sites. Ipanema does this very well, but I'm surprised that this doesn’t exist on Cisco IOS.

Short answer: that’s not how the Internet works.
