Blog Posts in January 2018
Got an interesting set of questions from one of my readers. He started with:
I really like networks but I don't know if I am doing enough for this community. Most of my work is involved with technologies which are already discovered by people and I am not really satisfied with it.
Well, first you want to decide whether you want to be (primarily) a researcher (focusing on discovering new stuff), an engineer (mostly figuring out how to build useful things by using existing stuff), or an administrator (configuring stuff).
Regardless of how much I write about (the ridiculousness of using) stretched VLANs, I keep getting questions along the same lines. This time it’s:
What type of applications require L2 Extension and L3 extension?
I don’t think I’ve seen anyone use L3 extension (after all, isn’t that what Internet is all about), so let’s focus on the first one.
Stretched VLANs (or L2 extensions) are used to solve a number of unrelated problems, because once a vendor sold you a hammer everything starts looking like a nail, and once you get used to replacing everything with nails, you want to use them in all possible environments, including public and hybrid clouds.
It took years after NETCONF RFCs were published before IETF standardized YANG. It took another half-decade before they could agree on how to enable or disable an interface, set interface description, or read interface counters. A few more years passed by, and finally some vendors implemented some of the IETF or OpenConfig YANG data models (with one notable exception).
Now that we have the standardized structure, it’s easy to build automated multi-vendor networks, right? Not so fast…
Found this great quote in Algorithms to Live By: The Computer Science of Human Decisions - a must-read for all nerds:
Depend upon it there comes a time when for every addition of knowledge you forget something that you knew before. It is of the highest importance, therefore, not to have useless facts elbowing out the useful ones.
Now you know why you should focus on how things work instead of memorizing commands ;)
After describing the basics of internal data center switch architectures, JR Rivers focused on the crux of the problem the vendors copiously exploit to create a confusopoly: is it better to use big- or small-buffer switches?
You’ll need at least free ipSpace.net subscription to watch the video.
EVPN is one of the major reasons we’re seeing BGP used in small- and mid-sized data center fabrics. In theory, EVPN is just a BGP address family and shouldn’t have an impact on your BGP design. In practice, suboptimal implementations might invalidate that assumption.
I've described a few EVPN-related BGP gotchas in BGP in EVPN-Based Data Center Fabrics, a section of Using BGP in Data Center Leaf-and-Spine Fabrics article.
Alex raised a number of valid points in his comments to this blog post. While they don't fundamentally change my view on the subject, they do warrant a more nuanced description. Expect an updated version of this part of the article when I return from Cisco Live Europe
J Metz published a great article describing six hard truths not taught in school. As all good things should come in 7-tuples, here’s another one I was told ages ago when I was a young hotshot full of myself:
Professions were created for a reason – they enable people to do the work they’re qualified to do.
Needless to say, it took me decades to fully understand its implications.
I thought that 2017 would be a year of the cloud, but that was not to be – I was too busy creating network automation and data center content.
While I have stock homework assignments prepared for every module of the Building Network Automation Solutions online course I always encourage the students to pick a challenge from their production network and solve it during the course.
Pavel Rovnov decided to focus on consistency of network management parameters (NTP, SNMP, SSH and syslog configuration) across Extreme and Cumulus switches, Fortinet firewalls and several distributions of Linux.
Linux operating system is used as the foundation for numerous network operating systems including Arista EOS and Cumulus Linux. It provides most networking constructs we grew familiar with including interfaces, VLANs, routing tables, VRFs and contexts, but they behave slightly differently from what we’re used to.
In Software Gone Wild Episode 86 Roopa Prabhu and David Ahern explained the fundamentals of packet forwarding on Linux, and the differences between Linux and more traditional network operating systems.
2017 was one of the busiest years since I started the ipSpace.net project.
It started with an Ansible for Networking Engineers session covering advanced Ansible topics and network device configurations. Further sessions of that same webinar throughout 2017 added roles, includes, extending Ansible with dynamic inventory, custom modules and filters, and using NAPALM with Ansible.
One of the first things I did when I started my deep-dive into network automation topics was to figure what tools people use to automate stuff and (on a pretty high level) what each one of these tools do.
You often hear about Ansible, Chef and Puppet when talking about network automation tools, with Salt becoming more popular, and CFEngine being occasionally mentioned. However, most network automation engineers prefer Ansible. Here are a few reasons.
Most engineers talking about network automation focus on configuration management: keeping track of configuration changes, generating device configurations from data models and templates, and deploying configuration changes.
There’s another extremely important aspect of network automation that’s oft forgotten: automatic response to internal or external events. You could wait for self-driving networks to see it implemented, or learn how to do it yourself.
One of my readers sent me this question:
Do you have any thoughts on this meltdown HPTI thing? How does a hardware issue/feature become a software vulnerability? Hasn't there always been an appropriate level of separation between kernel and user space?
There’s always been privilege-level separation between kernel and user space, but not the address space separation - kernel has been permanently mapped into the high-end addresses of user space (but not visible from the user-space code on systems that had decent virtual memory management hardware) since the days of OS/360, CP/M and VAX/VMS (RSX-11M was an exception since it ran on 16-bit CPU architecture and its designers wanted to support programs up to 64K byte in size).
Elisa Jasinska covered several IPAMs in her overview of open-source network automation tools, and we had Jeremy Stretch talking about NetBox in the Building Network Automation Solutions online course, but if you’re looking for a really robust easy-to-implement solution, check out this document from 1998 (deployment experience, including a large-scale one).
One of my readers sent me an interestingly sad story as a response to my importance of fundamentals rant. Here it is… enjoy ;)
2017-01-14: Updated with a different viewpoint
2018 has barely started and we’re already crazily busy:
- The update session of Network Automation Use Cases webinar on January 16th will talk about intent-based networking and data models;
- A week later (January 23rd) it’s back to basics: how do you select an optimal VPN service.
The last week of January is Cisco Live Europe week. I’ll be there as part of the Tech Field Day Extra event – drop by or send me an email if you’ll be in Barcelona during that week.
Level3 had a pretty bad bad-hair-day just a day before Pete Lumbis talked about Continuous Integration on the Building Network Automation Solutions online course (yes, it was a great lead-in for Pete).
According to messages circulating on mailing lists it was all caused by a fumbled configuration attempt. My wild guess: someone deleting the wrong route map, causing routes that should have been tagged with no-export escape into the wider Internet.
It’s interesting how the same pundits who loudly complain about the complexities of BGP (and how it will be dead any time soon and replaced by an SDN miracle) also praise the beauties of intent-based networking… without realizing that the hated BGP route selection process represents one of the first failures of intent-based approach to networking.
Let’s start with some definitions. There are two ways to get a job done by someone else:
One of my readers sent me a polite email a while ago saying “your site is becoming like $majorVendor’s web site – every corner looks completely different based on when you made it”
Source: Wikimedia Commons
The worst part is that he was right, so I spent the last two weeks as a website janitor, mopping up broken markup, fixing CSS cracks, polishing old texts…