netsim-tools Release 1.2.1: More MPLS and VRFs, Dell OS10, Cumulus 5.0 on Containerlab

I already mentioned the netsim-tools Easter Egg, here are the other cool features shipping in release 1.2.1:

• Dell OS10 on libvirt (including BGP, OSPFv2, OSPFv3 and VRF Lite) by Stefano Sasso
• VRFs, MPLS, and MPLS/VPN support on Mikrotik RouterOS and VyOS by Stefano Sasso
• Containerlab support for Cumulus 5.0 with NVUE including Simple VRF-Lite by Julien Dhaille

To upgrade netsim-tools, use pip3 install --upgrade netsim-tools; if you’re starting from scratch, read the installation instructions.

Network Digital Twins Work Best in PowerPoint

A friend of mine sent me the following question a few months ago:

I thought you might know the best way (currently) to create a digital clone of parts of a production network? The objective is to test changes against a test network as part of a CI/CD process. Ideally, there would be an automation that could replicate selected parts of a production network in a test network.

TL&DR: Sounds great, but you might be solving the wrong problem.

Everything Is Better with a GUI (even netsim-tools)

Some people think that everything is better with Bluetooth. They’re clearly wrong; according to the ancient wisdom of product managers working for networking vendors, everything is better with a GUI.

Now imagine adding network topology visualizer and GUI-based device access with in-browser SSH to an intent-based infrastructure-as-code virtual network function labbing tool. How’s that for a Bullshit Bingo winner¹?

Worth Reading: New Linux Command Line Tools

Julia Evans published a long list of new(ish) Linux command line tools. For example, did you ever want to have directory listing in nicely formatted JSON? How about ls -l | jc --ls | jq .?

Quite a few of these tools also work on Mac and can be installed with HomeBrew. Some are written in a scripting language, so you could (in theory) also use them on Windows (without WSL).

Video: Challenges of Managed SD-WAN Services

When I published a link to the Is MPLS/VPN Too Complex? blog post to LinkedIn, someone asked whether I’m skeptical about service provider SD-WAN services due to lack of skills, and Kristijan Taskovski quickly identified the root cause in his reply:

The argument of a lack of skill is only one that is perpetuated by businesses. It’s not perpetuated by engineers. People that are trained, honed, and knowledgeable are expensive. Expense is the number one enemy for a business.

That’s exactly why I think most managed SD-WAN services will be a dismal failure.

Telephone System Is a Bad Example of Hierarchical Addresses

Networking engineers proposing strict hierarchical addressing scheme as a solution to global BGP table explosion often cite the international telephone system numbering plan (E.164) as a perfect example of an addressing plan that uses hierarchy to minimize routing table sizes. Even more, widespread mobile roaming and local number portability indicate that we could solve IP mobility and multihoming if only insert-your-favorite-opinion-here.

AWS Automatic EC2 Instance Recovery

On March 30th 2022, AWS announced automatic recovery of EC2 instances. Does that mean that AWS got feature-parity with VMware High Availability, or that VMware got it right from the very start? No and No.

Automatic Instance Recover Is Not High Availability

Reading the AWS documentation (as opposed to the feature announcement) quickly reveals a caveat or two. The automatic recovery is performed if an instance becomes impaired because of an underlying hardware failure or a problem that requires AWS involvement to repair.

Keep Blogging, Some of Us Still Read

I stumbled upon a sad tweet a few days ago…

… and not surprisingly, a lot of people chimed in saying “don’t give up, we still prefer reading”. Unfortunately, it does seem like the amount of worthy content is constantly decreasing, and way too many quality blogs disappeared over the years, so I’ll try to lift the veil of depression a bit ;)

Creating VRF Lite Labs With netsim-tools

I always found VRF lab setups a chore. On top of the usual IPAM tasks you have to create VRFs, assign route targets and route distinguishers, do that on every PE-router in your lab… before you can start working on interesting things.

I tried to remove as much friction as I could with the netsim-tools VRF configuration module – let me walk you through a few simple examples¹ which will also serve to illustrate the VRF configuration differences between Cisco IOS and Arista EOS.

Worth Reading: Full-Stack Network Automation

Lívio Zanol Puppim published a series of blog posts describing a full-stack network automation, including GitOps with GitLab, handling secrets with Hashicorp Vault, using Ansible and AWX to run automation scripts, continuous integration with Gitlab CI Runner, and topped it off with a REST API and React-based user interface.

You might not want to use the exact same components, but it’s probably worthwhile going through his solution and explore the source code. He’s also looking for any comments or feedback you might have on how to improve what he did.

Worth Reading: The AI Illusion

Russ White’s Weekend Reads are full of gems, including a recent pointer to the AI Illusion – State-of-the-Art Chatbots Aren’t What They Seem article. It starts with “Artificial intelligence is an oxymoron. Despite all the incredible things computers can do, they are still not intelligent in any meaningful sense of the word.” and it only gets better.

While the article focuses on natural language processing (GPT-3 model), I see no reason why we should expect better performance from AI in networking (see also: AI/ML in Networking – The Good, the Bad, and the Ugly).

Video: IPv6 Trust Model

After discussing the basics of IPv6 security in the hands-on part of IPv6 security webinar webinar, Christopher Werny focused on the IPv6 trust model (aka “we’re all brothers and sisters on link-local").

Next Hops of BGP Routes Reflected by Arista EOS

Imagine a suboptimal design in which:

• A BGP route reflector also servers as an AS edge (PE) router¹;
• You want to use next-hop-self on AS edge routers.

Being exposed to Cisco IOS for decades, I considered that to be a no-brainer. After all, section 10 of RFC 4456 is pretty specific:

In addition, when a RR reflects a route, it SHOULD NOT modify the following path attributes: NEXT_HOP, AS_PATH, LOCAL_PREF, and MED.

Arista EOS is different – a route reflector happily modifies NEXT_HOP on reflected routes (but then, did you notice the “SHOULD NOT” wording?²)

Opinion: Do You Care about MPLS in 2022?

One of my readers asked for my opinion about this question…

… and I promised something longer than 280 characters.

BGP Labeled Unicast Interoperability Challenges

Jeff Tantsura left me tantalizing hint after reading the BGP Labeled Unicast on Cisco IOS blog post:

Read carefully “Relationship between SAFI-4 and SAFI-1 Routes” section in RFC 8277

The start of that section doesn’t look promising (and it gets worse):

It is possible that a BGP speaker will receive both a SAFI-1¹ route for prefix P and a SAFI-4² route for prefix P. Different implementations treat this situation in different ways.

Now for the details:

netsim-tools, MPLS Edition

netsim-tools release 1.2.0 adds full-blown MPLS and MPLS/VPN support:

• VRF definitions and layer-3 VRFs
• VRF-aware OSPF, IS-IS and BGP
• Traditional MPLS with LDP (SR-MPLS was already available)
• BGP Labeled Unicast
• MPLS/VPN: VPNv4 and VPNv6 address family support

It’s never been easier to build full-blown MPLS/VPN labs ;)… if you’re OK with using Cisco IOS or Arista EOS. Please feel free to submit a PR to add support for other platforms.

You might want to start with the VRF tutorial to see how simple it is to define VRFs, and follow the installation guide to set up your lab – if you’re semi-fluent in Linux (and don’t care about data plane quirks), the easiest option would be to run Arista cEOS.

Worth Reading: Higher Levels of Address Aggregation

Every now and then someone tells me how much better the global Internet would be if only we were using recursive layers (RINA) and hierarchical addresses. I always answer “that’s a business problem, not a technical one, and you cannot solve business problems by throwing technology at them”, but of course that has never persuaded anyone who hasn’t been running a large-enough business for long enough.

Geoff Huston is doing a much better job in the March 2022 ISP Column – read the Higher Levels of Address Aggregation, and if you still need more technical details, there’s 30+ pages of RFC 4984.

Worth Reading: Career Advice I’d Give to Younger Me

You MUST read the next masterpiece coming from Ethan Banks: Career Advice I’d Give To 20, 30 and 40-Something Year Old Me. I found this bit particularly relevant:

Your life is at least half over. Stop wasting time doing things other people think is important.

If only Ethan would have told me that wisdom ten years ago.

Video: Combining Data-Link- and Network Layer Addresses

The previous videos in the How Networks Really Work webinar described some interesting details of data-link layer addresses and network layer addresses. Now for the final bit: how do we map an adjacent network address into a per-interface data link layer address?

If you answered ARP (or ND if you happen to be of IPv6 persuasion) you’re absolutely right… but is that the only way? Watch the Combining Data-Link- and Network Addresses video to find out.

Is MPLS/VPN Too Complex?

Henk Smit made the following claim in one of his comments:

I think BGP-MPLS-VPNs are over-complicated. And you don’t get enough return for that extra complexity.

TL&DR: He’s right (and I just violated Betteridge’s law of headlines)

The history of how we got to the current morass might be interesting for engineers who want to look behind the curtain, so here we go…