Author Archives: ddib

Unnumbered Links In OSPF

This post is going to be a real deep dive! First, I want to send my sincere thanks to the maestro Peter Palúch and the guru Ivan Pepelnjak for helping me research this topic. Ivan wrote a couple of great posts on unnumbered links:

In VXLAN fabrics, it is quite common to build the underlay using unnumbered links. The concept is not new. In the past, unnumbered links were mainly used on point-to-point serial links with encapsulations such as the Point-to-Point Protocol (PPP). There was a time before variable-length subnet masks when addressing interfaces could be very wasteful, and using unnumbered links reduced the need for addresses. It was generally not allowed on multi-access interfaces such as Ethernet, though, even though we often use Ethernet for point-to-point links.

What benefits do unnumbered links provide in today’s networks? There are a few:

  • Reduce the number of IP addresses needed to address links.
  • Less unique configuration for each device.
  • Fewer lines of configuration.

Let’s dive deeper into each of these:

Reduced need for IP addresses – While these may be private IP addresses, it still Continue reading

Building a VXLAN Lab Using Nexus9000v

As I dive into the world of VXLAN, I will need a lab, as that is the best way to deepen the learning process and to get hands-on experience with a protocol. I will be building a Cisco Nexus9000v lab in VMware ESX, but the same images can be used in CML, EVE-NG, GNS3, etc. The lab is based on the following topology:

The specific platform I’ll use is the Nexus9300v which has the following requirements:

  • 1 vCPU (2 recommended).
  • 10 GB of RAM (12 GB recommended).

Note that there is also a Nexus9500v image which is a 16-slot modular chassis. As I have no need for multiple slots, and it requires more CPUs, I will not be using this image.

The specific image I am using is nexus9300v64.10.2.5.M.ova, which is NX-OS version 10.2.5.

Deploying the OVA can take some time but is otherwise straightforward. Refer to my post on caveats for more details.

I have mapped the different NICs to different port groups:

The mgmt0 interface is mapped to my management network so that I can SSH to the devices. I have also created specific port groups for the interconnections between leaf Continue reading

Caveats When Deploying Nexus9000v

As I’m building a VXLAN lab based on Nexus9000v, I ran into some caveats while deploying. Some are specific to ESX (vSphere), while others also apply to other platforms.

The boot process for Nexus9000v is a bit special. It requires using a serial console to access the switch prompt and from there booting the NX-OS image. There are a few steps to enable this in vCenter. For the VM that was deployed using the OVA, edit the settings of the VM and go to Virtual Hardware -> Serial port 1:

Use the following settings:

  • Use Network.
  • Direction – Server.
  • Port URI – telnet://<portnumber>.

Note that when selecting a port number, it must be a port above 1024.

Next, under VM Options, go to Advanced and select Edit Configuration…

Click Add Configuration Params and add the following entry:

efi.serialconsole.enabled with a value of TRUE:

The host firewall also needs to allow this connection. This is done by going to Configure -> System -> Firewall:

Make sure that VM serial port is enabled.

Then power on the VM, which will boot to the loader prompt. Boot the image stored on bootflash:

Loader Version 5.9.3.94

loader  Continue reading

Introduction to VXLAN

In the previous post, we looked at some of the challenges with L2-based networks. Now let’s start diving into what VXLAN is and what it can provide. First, let’s talk about overlays.

Overlays

Overlays are not new. We have had overlays for many years. The most well known ones are probably GRE and MPLS. In general, overlays are used to create a level of indirection that extends network capabilities. For example, MPLS L3 VPNs provided some of these capabilities to IP networks:

  • Segmentation.
  • Overlapping IPs.
  • Custom topologies.
  • Scaling.
  • Multihoming.

With overlays, intelligence is often pushed to the edge of the network while intermediate devices can be “dumb”. This can reduce costs as not all devices need the advanced features. How does an overlay work? To create the indirection, the original frame or packet needs to be encapsulated. Depending on the type of overlay, the frame or packet could get encapsulated into another frame or packet. The transport between the overlay nodes is called the underlay. This is the network that transports packets between the nodes. For VXLAN, this is a layer 3 network.

Because overlays encapsulate frames or packets, the size of the frame or packet will increase. To compensate Continue reading

VXLAN/EVPN – What Are the Challenges in L2-based Networks?

Before diving into a new technology, it is always useful to understand the previous generation of technology, what its limitations were, and how the new technology intends to overcome them. In this post, let’s look at what some of the challenges were with L2-based networks and how VXLAN/EVPN can overcome them. Before starting, I want to balance the messaging a bit on the bad reputation that STP gets:

  • Radia Perlman did an excellent job with what was available at that time.
  • A lot of the bad reputation comes from a misunderstanding of the protocol.
  • STP-based networks can run just fine but they are often misconfigured (related to the point above).
  • Many issues come from misbehaving end user devices where protection mechanisms have not been implemented (see the point above).
  • It’s natural for technologies to evolve as more compute becomes available and we gain experience.

Keep in mind that the original 802.1D standard was published in 1990. This was long before the internet was generally available and before our networks were as critical to us as they are today. At that time we didn’t measure outages in seconds or even minutes. That said, let’s look at the limitations of a traditional L2 network.

Convergence – In Continue reading

Python – Using the IP Address Module to Calculate IPs

I’m currently preparing for a network rollout and the preparation includes assigning subnets to the sites. There are subnets needed for management, wired users, wireless users, guests, and so on. Once subnets have been assigned, for some of the subnets, DHCP scopes need to be created. The team managing the server has requested that information on the subnets, gateway, and what IP the scope begins and ends with be provided as a CSV file. This will allow for easily importing the scopes into the server.

For my scenario, I have the information in a spreadsheet and I’m accessing the information using the openpyxl project. I am then using the ipaddress library to take the prefix from the spreadsheet and performing various calculations. Why use Python for this?

  • Writing CSV is time consuming for humans.
  • Although I’m quite good at performing calculations, I’m not better than a computer.
  • Using code means consistent output that is less error prone.

The goal is to create a line of CSV that looks like this:

VLAN 100 User,192.0.2.64,255.255.255.192,192.0.2.65,192.0.2.75,192.0.2.126,US0100 NY,example.com,

This line consists of:
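The calculation behind that CSV line, as an added Python example that is not the code from the original post: it uses the standard library ipaddress module the post mentions. Two things are assumptions not stated on the page: the DHCP scope is taken to start ten addresses after the gateway (the post shows .65 as gateway and .75 as scope start) and to run to the last usable host, and the site and domain fields are simply passed through from the spreadsheet.

```python
"""Build DHCP scope rows from a prefix with the ipaddress module.

Added example. The offset of the first lease from the gateway is an
assumption derived from the sample line (.65 gateway, .75 scope start).
"""
import csv
import io
import ipaddress

SCOPE_OFFSET = 10  # assumption: first lease is 10 addresses after the gateway


def dhcp_scope_row(name, prefix, site, domain, scope_offset=SCOPE_OFFSET):
    """Return the CSV fields for one subnet.

    Fields: name, network, netmask, gateway, scope start, scope end,
    site, domain and a trailing empty column (as in the target format).
    """
    # strict=True rejects a prefix with host bits set (e.g. 192.0.2.70/26),
    # which would otherwise silently produce a row for the wrong network.
    net = ipaddress.ip_network(prefix, strict=True)
    if not isinstance(net, ipaddress.IPv4Network):
        raise TypeError("DHCPv4 scopes need an IPv4 prefix")
    usable = net.num_addresses - 2  # minus network and broadcast address
    # Need a gateway, the gap up to the offset, and at least one lease.
    if net.prefixlen >= 31 or usable < scope_offset + 2:
        raise ValueError(f"{prefix} is too small for a scope at offset {scope_offset}")
    gateway = net.network_address + 1        # first usable address
    scope_start = gateway + scope_offset
    scope_end = net.broadcast_address - 1    # last usable address
    return [
        name,
        str(net.network_address),
        str(net.netmask),
        str(gateway),
        str(scope_start),
        str(scope_end),
        site,
        domain,
        "",
    ]


def to_csv_line(row):
    """Serialize one row with the csv module so quoting is handled correctly."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerow(row)
    return buf.getvalue().rstrip("\n")


if __name__ == "__main__":
    # Constructed input matching the line shown in the post.
    row = dhcp_scope_row("VLAN 100 User", "192.0.2.64/26", "US0100 NY", "example.com")
    print(to_csv_line(row))
```

Feeding the prefixes read with openpyxl through dhcp_scope_row and writing the rows with csv.writer gives the server team the file format they asked for, and a typo in the spreadsheet (host bits set, or a subnet too small for the scope) fails loudly instead of producing a wrong scope.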

OSPF Convergence In a Hub and Spoke Topology

My dear friend Micheline Murphy posted an excellent question on OSPF in a Hub and Spoke topology at the Cisco Learning Network. The scenario is a Hub and Spoke topology with two Hub routers that are ABRs belonging to area 100 and area 200. SP-101 and SP-102 belong to area 100. SP-201 and SP-202 belong to area 200. The topology is shown below:

The OSPF areas are shown below:

Some facts about the setup and intent of this post:

  • All routers are Catalyst8000v running IOS-XE 17.6.3.
  • Hub routers are connected to area 0 where the prefix 198.51.100.0/24 is being advertised.
  • Each spoke advertises a /28 from 192.0.2.0/24.
  • All interfaces are point to point as the purpose is not to simulate a NBMA topology.
  • The intent is to verify what happens in a failure scenario, but the lab first shows the stable topology.

The expectation is that in a stable topology each Spoke will have two ECMP routes, one via each Hub, to the other spokes. The router SP-202 will be used to demonstrate. First let’s verify that everything is working as expected. SP-202 is a router in area 200:

SP-202#show ip ospf 1
  Continue reading

Catalyst SD-WAN – Introduction to Configuration Groups

One of the challenges with Catalyst SD-WAN is managing templates. Depending on how successful you are in standardizing your deployment, you risk ending up with many device templates. This is amplified if you have several platforms, as each platform requires its own set of device templates. Feature templates, while reusable, offer no concept of grouping feature templates, which means that there is a lot of work involved in building a new device template. To overcome some of these challenges, Cisco introduced Configuration Groups starting with 20.8, with 20.11 currently having the most features implemented. This is also often referred to as UX 2.0 in some presentations. Let’s take a look at Configuration Groups by looking at the building blocks.

  • Configuration Group – Logical grouping of features or configuration that is applied to devices. Similar to a device template but it can be applied to different models.
  • Feature Profile – Building block of configurations that can be reused across different Configuration Groups. Example feature profiles are Transport Profile, System Profile, Service Profile.
  • Feature – The Feature Profile consists of features. The individual capability to be shared across Configuration Groups such as service Continue reading

Catalyst SD-WAN – Bootstrapping a Catalyst8000v Using a File on Bootflash

Yesterday I showed how to bootstrap a Catalyst8000v from the CLI. Today, I will show how to put a file on bootflash which includes the configuration but also the root certificate and the certificate of the device. This is a somewhat more streamlined process and can also be useful if you don’t know what CLI commands to use, as vManage will generate the configuration for you.

Starting out, we have a freshly booted router that is in autonomous mode (non-SD-WAN):

Router#sh ver | i operating
Router operating mode: Autonomous

To generate the bootstrap configuration, the process is to first go through the regular process of attaching a device to a template. Go to Configuration -> Templates and select Attach Devices:

Select the correct device:

Fill in the information needed:

Click Update to reflect the edits:

Then click Next:

Click Configure Devices and vManage will try to push the config but the device is offline:

Once this is done, vManage has all the information it needs to generate the bootstrap. Go to Configuration -> Devices and select the correct device and then Generate Bootstrap Configuration:

Then vManage will display the following window. Choose Cloud-Init and have the box selected Continue reading

Catalyst SD-WAN – Bootstrapping a Catalyst8000v in a Virtual Lab

I’m rebuilding my Catalyst SD-WAN lab and thought I would give some quick pointers on how to bootstrap a Catalyst 8000v in your virtual lab. When the router first boots up, it will be in autonomous mode (non-SD-WAN mode):

Router#show version | i operating
Router operating mode: Autonomous

Configure the router to be in controller mode which will cause it to reboot:

Router#controller-mode enable
Enabling controller mode will erase the nvram filesystem, remove all configuration files, and reload the box! 
Ensure the BOOT variable points to a valid image 
Continue? [confirm]
% Warning: Bootstrap config file needed for Day-0 boot is missing
Do you want to abort? (yes/[no]): no

To bootstrap the router, the following is needed:

  • System IP
  • Site ID
  • Organization name
  • vBond name/IP
  • IP address of tunnel interface (if not using DHCP)
  • Tunnel interface name
  • DNS server (if using name resolution)
  • On-premises root cert (if using your own certificates)
  • Certificate

First, verify that the router is now in controller mode:

Router#show version | i operating
Router operating mode: Controller-Managed

Create a small bootstrap configuration with all the required parameters. Mine is below (some information redacted):

config-transaction
system
system-ip x.x.x.x
site-id xxxxxxxxxx
organization-name "sd-wan-lab-daniel"
vbond 192. Continue reading

Building a WAN Impairment Device in Linux on VMware vSphere

In some scenarios it is really useful to be able to simulate a WAN in regards to latency, jitter, and packet loss, especially for those of us that work with SD-WAN and want to test our policies in a controlled environment. In this post I will describe how I built a WAN impairment device in Linux for a VMware vSphere environment and how I can simulate different conditions.

My SD-WAN lab is built on VMware vSphere using Catalyst SD-WAN with Catalyst8000v as virtual routers and on-premises controllers. The goal with the WAN impairment device is to be able to manipulate each internet connection to a router individually. That way I can simulate that a particular connection or router is having issues while other connections/routers are not. I don’t want to impose the same conditions on all connections/devices simultaneously. To do this, I have built a physical topology that looks like this:

All devices are connected to a management network that I can access via a VPN. This way I have “out of band” access to all devices and can use SSH to configure my routers with a bootstrap configuration. To avoid having to create many unique VLANs in the vSwitch, Continue reading

Microsoft AZ-700 completed

I just passed the Microsoft AZ-700 exam, Designing and Implementing Microsoft Azure Networking Solutions, which means I am now certified in the two major clouds (AWS and Azure) when it comes to networking. As always after an exam, I write a summary of my experience with it and the resources I used. This is that post.

What is AZ-700?

This exam is for those that want to get certified on the networking component of Azure. Microsoft describes the exam in the following manner:

Candidates for this exam should have subject matter expertise in planning, implementing, and maintaining Azure networking solutions, including hybrid networking, connectivity, routing, security, and private access to Azure services

The breakdown of major topics and their percentage is the following:

  • Design, implement, and manage hybrid networking (10-15%)
  • Design and implement core networking infrastructure (20-25%)
  • Design and implement routing (25-30%)
  • Secure and monitor networks (15-20%)
  • Design and implement Private access to Azure Services (10-15%)

There is a more detailed breakdown available as well. Always go through the exam blueprint before studying for a certification.

How to study for AZ-700

My goal when studying for this exam was to build a proficiency working with networking in Azure. That Continue reading

Is VLAN 1 Special in Cisco Networks?

I got asked why we change from VLAN 1 to another VLAN in Cisco networks. What is bad with the default setup? Is VLAN 1 really magical in a Cisco network?

When Cisco ships a Catalyst switch to you, there is no configuration provided. This means that all the ports will be access ports and the only VLAN that exists is VLAN 1. Now, we’ve all seen networks that keep it like this. Everything is one big flat network and the only VLAN in use is VLAN 1. If this is a bad configuration depends on several factors, including the size of the network, but let’s take a look at some of the drawbacks to maintaining this configuration:

  • No segmentation – There is no segmentation. Every user can access every other user and anything else in the VLAN such as infrastructure, servers, IoT type devices, and so on
  • Default access – The user gets access simply by connecting their PC to the switch which may not be the desired outcome
  • Management access – Related to the first bullet point, if the switch has a management IP in VLAN 1, the user may be able to access and login to the Continue reading

Internet Edge IP SLA Deep Dive

It is a common design to have an Internet Edge router connected to two different internet service providers to protect against the failure of an ISP bringing the office down. The topology may look something like this:

Internet Edge HA scenario

The two ISPs are used in an active/standby fashion using static routes. This is normally implemented by using two default routes where one of the routes is a floating static route. It will look something like this:

ip route 0.0.0.0 0.0.0.0 203.0.113.1 name PRIMARY
ip route 0.0.0.0 0.0.0.0 203.0.113.9 200 name SECONDARY

With this configuration, if the interface to ISP1 goes down, the floating static route which has an administrative distance (AD) of 200 will be installed and traffic will flow via ISP2. The drawback to this configuration is that it only works if the physical interface goes down. What happens if ISP1’s CPE has the interface towards the customer up but the interface towards the ISP Core goes down? What happens if there is a failure in another part of the ISP’s network? What if all interfaces are up but Continue reading

Modifying Maximum Throughput of Catalyst8000v

The Catalyst8000v is Cisco’s virtual version of the Catalyst 8000 platform. It is the go-to platform and a replacement for previous products such as CSR1000v, vEdge cloud, and ISRV. When installing a Catalyst8000v, it comes with a built-in shaper setting the maximum throughput to 10 Mbit/s, as can be seen below:

R1#show platform hardware throughput level 
The current throughput level is 10000 kb/s

This is most likely enough to perform labbing but obviously not enough to run production workloads. You may be familiar with Smart Licensing on Cisco. Previously, licensing was enforced and it wasn’t possible to modify throughput without first applying a license to a device. In releases 17.3.2 and later, Cisco started implementing Smart Licensing Using Policy which essentially means that most of the licenses are trust-based and you only have to report your usage. There are exceptions, such as export-controlled licenses like HSEC which is for high speed crypto, anything above 250 Mbit/s of crypto. To modify the maximum throughput of Catalyst8000v, follow these steps:

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#platform hardware throughput level MB ?
  100    Mbps
  1000   Mbps
  10000  Mbps
  15     Mbps
  25     Mbps
  250    Mbps
  2500    Continue reading

Modifying Administrative Distance of Specific BGP Route

In one of the Discords that I’m in there was a user with a complex network consisting of a mix of DMVPN, BGP over MPLS VPN circuits, and SD-WAN. For some prefixes, the path via the private MPLS is preferred, for others, the SD-WAN path. Now, if a prefix is available in two different protocols, BGP vs Overlay Management Protocol (OMP), there is nothing we can do in BGP or OMP to modify which one gets installed into the Routing Information Base (RIB). This is no different than if EIGRP and OSPF were competing to install a prefix into the RIB, the protocol with the lower Administrative Distance (AD) would have its route installed.

The default AD values used on a Cisco device for these protocols are:

  • eBGP – 20
  • iBGP – 200
  • OMP – 251

Based on the AD, OMP will always lose out. It is of course possible to change the AD of BGP, but that would affect all prefixes and we would lose the ability to have some prefixes preferred via BGP and others via OMP. I had never changed the AD of a specific BGP prefix before, so I turned to Twitter to see Continue reading
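To make the selection problem concrete, here is an added Python model of RIB installation by administrative distance; it is not code from the original post or from any Cisco product. The default ADs are the three the post lists (eBGP 20, iBGP 200, OMP 251). The per-prefix override mimics what a route-source distance statement with a prefix match does: it changes the AD of one protocol only for the prefixes that match, so a global AD change and a per-prefix change can be compared side by side. The candidate routes and next hops are constructed for the example.

```python
"""Model of RIB route selection by administrative distance (added example).

Protocol names and default ADs are taken from the post. Everything else
(candidate routes, override semantics) is constructed for illustration.
"""
from ipaddress import ip_network

DEFAULT_AD = {"ebgp": 20, "ibgp": 200, "omp": 251}


def effective_ad(protocol, prefix, overrides):
    """AD of `protocol` for `prefix`: first matching override wins, else the default.

    overrides: iterable of (protocol, match_prefix, ad). A route matches when
    it falls inside match_prefix, so "0.0.0.0/0" acts like a global change.
    """
    for proto, match_prefix, ad in overrides:
        if proto == protocol and ip_network(prefix).subnet_of(ip_network(match_prefix)):
            return ad
    return DEFAULT_AD[protocol]


def select_rib(candidates, overrides=()):
    """candidates: iterable of (prefix, protocol, next_hop).

    Returns {prefix: (protocol, next_hop, ad)} with the lowest-AD candidate
    installed per prefix. Ties keep the first candidate seen; real routers
    apply further tie-breakers that are not modelled here.
    """
    rib = {}
    for prefix, protocol, next_hop in candidates:
        ad = effective_ad(protocol, prefix, overrides)
        current = rib.get(prefix)
        if current is None or ad < current[2]:
            rib[prefix] = (protocol, next_hop, ad)
    return rib


# Constructed candidates: every prefix is learned both over the MPLS BGP
# session and from OMP. Next hops are documentation addresses.
CANDIDATES = [
    ("10.1.0.0/24", "ebgp", "192.0.2.1"),
    ("10.1.0.0/24", "omp", "203.0.113.1"),
    ("10.2.0.0/24", "ebgp", "192.0.2.1"),
    ("10.2.0.0/24", "omp", "203.0.113.1"),
]

# Raising eBGP's AD above OMP's (251) only for 10.2.0.0/24 moves that one
# prefix to the SD-WAN path while 10.1.0.0/24 stays on MPLS.
PER_PREFIX = [("ebgp", "10.2.0.0/24", 252)]

# The same change applied to all prefixes: now every prefix flips to OMP,
# which is the problem the post describes with changing BGP's AD globally.
GLOBAL = [("ebgp", "0.0.0.0/0", 252)]


if __name__ == "__main__":
    for label, overrides in (("default", ()), ("per-prefix", PER_PREFIX), ("global", GLOBAL)):
        print(label)
        for prefix, (proto, nh, ad) in sorted(select_rib(CANDIDATES, overrides).items()):
            print(f"  {prefix} via {proto} {nh} (AD {ad})")
```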

Using Python to Calculate Cisco SD-WAN Tunnel Numbers – Part 2

In the first post I shared with you my code to calculate tunnel numbers in Cisco SD-WAN. I’m a beginner in Python so I thought it would be a great learning experience to have someone experienced in Python, such as Rodrigo, take a look at the code and come up with improvements. As I like to share knowledge, I’m taking this journey with you all. Let’s get started!

You may recall that I had a function to calculate the tunnel number. It looked like this:

def calculate_tunnel_number(interface_name:str) -> int:
    <SNIP>
    return total_score

Rodrigo’s comment was that the function name is excellent, as it is clear what the function does. However, my return statement returns total_score, which does not make clear what is being returned. It would be better to return tunnel_number, which is what the function is calculating.

The next comment is that when splitting things and it is known how many pieces you have, it is better to unpack them, that is, assign the unwanted piece to a throwaway variable rather than using indexing. My code looked something like this:

interface_number = split_interface(interface_name)[1]

It would be better to do something like this:

_, interface_number = split_interface(interface_name)

The first variable, a Continue reading

Using Python to Calculate Cisco SD-WAN Tunnel Numbers – Part 1

When using Cisco SD-WAN on IOS-XE, it uses tunnel interfaces to configure parameters of the implementation. There is a mapping between what interface the tunnel is sourcing from and the name of the tunnel interface. For example, if the tunnel source is GigabitEthernet0, the tunnel interface is Tunnel0, if the tunnel source is GigabitEthernet0.100, the tunnel interface is Tunnel100000. When provisioning a router and not using Zero Touch Provisioning (ZTP), you build a small bootstrap configuration that configures mandatory parameters such as Site ID, System IP, Organization Name, but also a tunnel interface to be able to connect to the controllers. It is possible to create this configuration in vManage, and hence find out the tunnel interface name, but I thought it would be interesting to do this with code and not be dependent on vManage.

In this post, I will describe the code I used and what my logic was when creating different parts of the code. In this first post I will use the code that I came up with. In the second part, my friend Rodrigo, who runs an excellent Python blog, analyzed my code and came up with improvements, which I will describe in that Continue reading
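An added Python example serving both parts above (it is not the author's code, and the tunnel-number rule itself is not implemented here because the excerpts only show two mappings, GigabitEthernet0 to Tunnel0 and GigabitEthernet0.100 to Tunnel100000): a split_interface that always returns exactly two pieces, so callers can unpack with a throwaway variable as Part 2 suggests, plus a parser that breaks the numeric part into slot/port indices and an optional subinterface. The interface-name grammar used by the regular expression is an assumption covering the IOS-XE names seen on this page.

```python
"""Split and parse IOS-XE interface names (added example).

The grammar is an assumption: a type made of letters and hyphens, followed
by slash-separated digits and an optional .subinterface.
"""
import re
from typing import List, Optional, Tuple

_IFACE_RE = re.compile(r"^(?P<type>[A-Za-z-]+)(?P<number>\d+(?:/\d+)*(?:\.\d+)?)$")


def split_interface(interface_name: str) -> Tuple[str, str]:
    """Split 'GigabitEthernet0/0/1.100' into ('GigabitEthernet', '0/0/1.100').

    Always returns exactly two items, which is what makes unpacking safe:
    a caller that writes `_, number = split_interface(name)` cannot quietly
    read the wrong element the way an index like [1] can.
    """
    match = _IFACE_RE.match(interface_name.strip())
    if match is None:
        raise ValueError(f"not an interface name: {interface_name!r}")
    return match.group("type"), match.group("number")


def parse_interface_number(number: str) -> Tuple[List[int], Optional[int]]:
    """Turn '0/0/1.100' into ([0, 0, 1], 100); no subinterface gives None."""
    base, _, sub = number.partition(".")
    indices = [int(part) for part in base.split("/")]
    return indices, (int(sub) if sub else None)


def describe(interface_name: str) -> dict:
    """Structured view of an interface name, using unpacking throughout."""
    _, number = split_interface(interface_name)
    indices, subinterface = parse_interface_number(number)
    return {"indices": indices, "subinterface": subinterface}


if __name__ == "__main__":
    for name in ("GigabitEthernet0", "GigabitEthernet0.100", "GigabitEthernet0/0/1.100"):
        print(name, describe(name))
```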

Viewing a Certificate Using OpenSSL

I have started taking Ed Harmoush’s Practical TLS course to learn more about TLS and certificates. When learning about TLS, you want to inspect different certificates to see the various fields and see how different organizations use certificates differently. As always, Linux comes with a great set of tools to work with certificates in the form of OpenSSL. In this post, I will show how to download a certificate and discuss some of the fields that are present in the certificate.

To get the certificate, we will use openssl with s_client and connect to a web site. I’m using twitter.com in this example:

openssl s_client -connect twitter.com:443
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Twitter, Inc.", CN = twitter.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = San Francisco, O = "Twitter, Inc.", CN = twitter.com
   i:C = US, O =  Continue reading
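The depth/verify lines that s_client prints before the chain summary are worth reading programmatically when you inspect many servers. The following added Python example (not from the course or the original post) parses that trace into one entry per chain element and checks that every element verified and that the depths run 0..n without a gap. The passing sample is constructed from the lines shown above; the failing sample is constructed to show what a self-signed certificate looks like in the same output.

```python
"""Parse the verification trace printed by `openssl s_client` (added example).

Both sample traces are constructed: SAMPLE reproduces the lines shown on the
page, BAD shows the shape of a failing step ("verify error:num=NN:text").
"""
import re

_DEPTH_RE = re.compile(r"^depth=(\d+) (.*)$")
_VERIFY_RE = re.compile(r"^verify (?:return|error):(.*)$")

SAMPLE = """\
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Twitter, Inc.", CN = twitter.com
verify return:1
---
"""

BAD = """\
CONNECTED(00000003)
depth=0 CN = selfsigned.example
verify error:num=18:self-signed certificate
verify return:1
---
"""


def parse_verify_trace(text):
    """Return a list of {depth, subject, ok, note}, one per chain element.

    s_client prints the depth line first, then "verify error:..." if the
    callback rejected the certificate, then "verify return:N". Only the
    first verify line after a depth line decides the outcome.
    """
    entries = []
    pending = None
    for line in text.splitlines():
        m = _DEPTH_RE.match(line)
        if m:
            pending = {"depth": int(m.group(1)), "subject": m.group(2), "ok": None, "note": ""}
            entries.append(pending)
            continue
        m = _VERIFY_RE.match(line)
        if m and pending is not None:
            value = m.group(1).strip()
            pending["ok"] = value == "1"
            pending["note"] = "" if pending["ok"] else value
            pending = None  # ignore the trailing "verify return:1" after an error
            continue
        if line.startswith("---"):
            break  # end of the verification trace
    return entries


def chain_is_trusted(entries):
    """True only if every element verified and depths run 0..n without gaps."""
    if not entries:
        return False
    depths = sorted(e["depth"] for e in entries)
    return all(e["ok"] for e in entries) and depths == list(range(len(entries)))


if __name__ == "__main__":
    for trace in (SAMPLE, BAD):
        parsed = parse_verify_trace(trace)
        print(chain_is_trusted(parsed), [(e["depth"], e["note"]) for e in parsed])
```

Note that "verify return:1" only means the callback let the handshake continue; after a "verify error" line s_client still prints it, which is why the parser records the error and not the return code that follows.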

My Journey to Getting AWS Certified Advanced Networking – Specialty Certified

Last week I took and passed the AWS Certified Advanced Networking – Specialty exam on my first attempt. In this post I will describe the study materials that I used and talk about my experience of taking this test.

What type of skills does this exam test? This is a quote from AWS:

Earning AWS Certified Advanced Networking – Specialty validates expertise in designing and maintaining network architecture for the breadth of AWS services.

The key here I think is “for breadth of AWS services”. It’s not enough to only understand general networking in AWS, you need to understand how to do networking for different AWS services such as S3, WorkSpaces, Lambda, storage gateway, and so on. There is no actual prerequisite to take the exam but it definitely doesn’t hurt if you already have the Solutions Architect Associate (this was previously a prereq) as it will help you in understanding what services are available.

The following is also listed as recommendations for who should take this exam:

  • Professional experience using AWS technology, AWS security best practices, AWS storage options and their underlying consistency models, and AWS networking nuances and how they relate to the integration of AWS services.
  • Knowledge Continue reading