Ivan Pepelnjak
Author Archives: Ivan Pepelnjak
- Home → Author's archive:
Ivan Pepelnjak
Last Week on ipSpace.net (2019W14)
Last Thursday I started another experiment: a series of live webinar sessions focused on business aspects of networking technologies. The first session expanded on the idea of three paths of enterprise IT. It covered the commoditization of IT and networking in particular, vendor landscape, various attempts at segmenting customers, and potential long-term Enterprise IT paths. Recording is already online and currently available with standard subscription.
Although the attendance was lower than usual, attendees thoroughly enjoyed it – one of them sent me this: “the value of ipSpace.net is that you cut through the BS”. Mission accomplished ;)
Worth Reading: Email Event Horizon
If you're at least vaguely familiar with modern black hole theories, you'll totally enjoy the concept of email event horizon.
Why Is MPLS Segment Routing Better than LDP?
A while ago I made a statement along the lines of “MPLS segment routing is the best thing that happened to MPLS control plane in a decade”. Obviously some MPLS-focused engineers disagree with that and a few years ago I decided to write a lengthy blog post explaining the differences between using MPLS SR with IGP (or BGP) versus more traditional IGP+LDP approach.
Obviously, I wasn’t making any progress on that front, so the only way forward was to record a short video on the topic which didn’t work well either because the end-result was a set of three videos (available with free or paid ipSpace.net subscription).
Ansible Networking: From Science Fair Project toward Mature Product
When I started working with Ansible networking modules they had a distinct science fair feel: everything was in flux, every new version of Ansible would break my playbooks, modules would disappear from one release to next, documentation was sketchy and describing the latest development code not a shipped release.
In the meantime, code, documentation, and release/deprecation management improved dramatically:
Read more ...Don’t Sugarcoat the Challenges You Have
Last year I got into somewhat-heated discussion with a few engineers who followed the advice to run IBGP EVPN address family on top of an EBGP underlay.
My main argument was simple: this is not how BGP was designed and how it’s commonly used, and twisting it this way requires schizophrenic BGP routing process which introduces unnecessary complexity (even though it looks simple in Junos configuration) and might confuse people who have to run the network after the brilliant designer is gone.
Read more ...Automatic Clean-and-Updated Firewall Ruleset
This is a guest blog post by Andrea Dainese, senior network and security architect, and author of UNetLab (now EVE-NG) and Route Reflector Labs. These days you’ll find him busy automating Cisco ACI deployments.
Following the Ivan’s post about Firewall Ruleset Automation, I decided to take a step forward: can we always have up-to-date and clean firewall policies without stale rules?
The problem
We usually configure and manage firewalls using a process like this:
Read more ...Upcoming Events and Webinars
In April 2019 we’re starting a new cloud security saga with Matthias Luft. The first webinar in this series will focus on the basics, subsequent live sessions spread through the rest of 2019 will cover individual technologies.
Another series we’re starting is Business Aspects of Networking, opening on April 4th with Three Paths of Enterprise IT.
We’ll also continue the math-in-networking series, this time focused on reliability functions and advanced reliability topics.
From CCNA to SDN: Interview with David Bombal
A few weeks ago, I had an interesting video chat with David Bombal in which we covered a wide variety of topics including
- What would you do if you started networking today?
- How do you increase the value of your knowledge?
- Networking hasn’t changed in the last 40 years and whatever you learn about networking will still be valid 20 years from now;
- Why should I learn and implement network automation?
- When should I start learning about network automation?
Note: David posted the whole list of topics with timestamps in the pinned comment under the video.
Automating NSX-T
An attendee of our Building Network Automation Solutions online course decided to automate his NSX-T environment and sent me this question:
I will be working on NSX-T quite a lot these days and I was wondering how could I automate my workflow (lab + production) to produce a certain consistency in my work.
I’ve seen that VMware relies a lot on PowerShell and I’ve haven’t invested a lot in that yet … and I would like to get more skills and become more proficient using Python right now.
Always select the most convenient tool for the job, and regardless of personal preferences PowerShell seems to be the one to use in this case.
Read more ...Stateful Firewalls: When You Get to a Fork in the Road, Take It
If you’ve been in networking long enough you’d probably noticed an interesting pattern:
- Some topic is hotly debated;
- No agreement is ever reached even though the issue is an important one;
- The debate dies after participants diverge enough to stop caring about the other group.
I was reminded of this pattern when I was explaining the traffic filtering measures available in private and public clouds during the Designing Infrastructure for Private Clouds workshop.
Read more ...Automation Solution: Create Network Diagram from BGP Data in Nornir
Chris Crook decided to work on a pretty typical problem for his second hands-on assignment in the Building Network Automation Solutions online course: create a network diagram from adjacency data.
He decided to rely on BGP adjacencies (I would usually use LLDP) and added an interesting twist: instead of Ansible he used Nornir with NAPALM.
Read more ...Last Week on ipSpace.net (2019W12)
Spring started for real, so it was time for some early-spring cleaning and I managed to complete two webinars during last week:
- We covered the gory details of LISP and layer-2 data center interconnects on Tuesday;
- The third Ansible for Networking Engineers update session on Thursday covered network device configuration management (merge, fetch, compare, replace, rollback and save) and declarative configuration modules.
Both webinars are part of standard ipSpace.net subscription
Must Read: BGP Show and Tell
If you’re a BGP newbie, you’ll love this BGP Show and Tell series from Denise Fishburne. Enjoy!
Multipath TCP on Software Gone Wild
I mentioned Multipath TCP (MP-TCP) numerous times in the past but I never managed to get beyond “this is the thing that might solve some TCP multihoming challenges” We fixed this omission in Episode 100 of Software Gone Wild with Christoph Paasch (software engineer @ Apple) and Mat Martineau from Open Source Technology Center @ Intel.
Read more ...Creating Automation Source-of-Truth from Device Configurations
Remember the previous blog post in this sequence in which I explained the need for single source-of-truth used in your network automation solution? No? Please read it first ;)
Ready for the next step? Assuming your sole source-of-truth is the actual device configuration, is there a magic mechanism we can use to transform it into something we could use in network automation?
TL&DR: No.
Read more ...Lock-In and SD-WAN: a Match Made in Heaven
This blog post was initially sent to subscribers of my SDN and Network Automation mailing list. Subscribe here.
I made a statement along these lines in an SD-WAN blog post and related email sent to our SDN and Network Automation mailing list:
The architecture of most SD-WAN products is thus much cleaner and easier to configure than traditional hybrid networks. However, do keep in mind that most of them use proprietary protocols, resulting in a perfect lock-in.
While reading that one of my readers sent me a nice email with an interesting question:
Read more ...Automating Cisco ACI Environment with Python and Ansible
This is a guest blog post by Dave Crown, Lead Data Center Engineer at the State of Delaware. He can be found automating things when he's not in meetings or fighting technical debt.
Over the course of the last year or so, I’ve been working on building a solution to deploy and manage Cisco’s ACI using Ansible and Git, with Python to spackle in cracks. The goal I started with was to take the plain-text description of our network from a Git server, pull in any requirements, and use the solution to configure the fabric, and lastly, update our IPAM, Netbox. All this without using the GUI or CLI to make changes. Most importantly, I want to run it with a simple invocation so that others can run it and it could be moved into Ansible Tower when ready.
Read more ...Last Week on ipSpace.net (2019W11)
TL&DR: We ran two workshops in Zurich last week – a quick peek into using Ansible for network automation and updated Building Private Cloud Infrastructure. You can access workshop materials with any paid ipSpace.net subscription.
Now for the fun part…
Read more ...Feedback: Data Center Interconnects Webinar
I got great feedback about the first part of Data Center Interconnects webinar from one of ipSpace.net subscribers:
I had no specific expectation when I started watching the material and I must have watched it 6 times by now.
Your webinar covered just the right level of detail to educate myself or refresh my knowledge on the technologies and relevant options for today’s market choices
The information provided is powerful and avoids useless discussions which vendors and PowerPoint pitches. Once you ask the right question it’s easy to get an idea of the vendor readiness
In the first live session we covered the easy cases: design considerations, and layer-3 interconnect with path separation (multiple routing domains). The real fun will start in the second live session on March 19th when we’ll dive into stretched VLANs and long-distance vMotion ideas.
You can attend the live session with any paid ipSpace.net subscription – details here.
Using Screen Scraping in Network Automation
The first time I encountered screen scraping was in mid-1990. All business applications were running on IBM mainframes those days, and IBM used proprietary terminal system (remember 3270) that was almost impossible to interact with, so some people got the “bright” idea of emulating that screen, scraping information off the emulated screen and copying it into HTML pages… thus webifying their ancient apps.
Guess what – we’re still doing the very same thing in network automation as Andrea Dainese succinctly explained in the latest addition to his Automation for Cisco NetDevOps article.