Lab: Dual-Stack IS-IS Routing

Contrary to the OSPF world, where we have to use two completely different routing protocols to route IPv4 and IPv6 (unless you believe in the IPv4 address family in OSPFv3), IS-IS provided multi-protocol support from the very early days of its embracement by IETF. Adding IPv6 support was only a matter of a few extra TLVs, but even there, IETF gave us two incompatible ways of making IPv6 work with IS-IS.

Want to know more? You’ll find the details in the Dual-Stack (IPv4+IPv6) IS-IS Routing lab exercise.

IPv6 Support for Multiple Routers and Multiple Interfaces

Fernando Gont published an Individual Internet Draft (meaning it hasn’t been adopted by any IETF WG yet) describing the Problem Statement about IPv6 Support for Multiple Routers and Multiple Interfaces. It’s so nice to see someone finally acknowledging the full scope of the problem and describing it succinctly. However, I cannot help but point out that:

• I was ranting about that problem in 2009 (15 years ago) and did a summary of older rants in 2015.
• It was evident to everyone but the religious zealots that the only solution we have at the moment is either NAT (because stuff simply does not work otherwise) or host-based solutions that never got implemented (apart from a few rare cases of multipath TCP).

Anyway, Fernando wraps up his draft with:

EVPN Designs: EVPN IBGP over IPv4 EBGP

We’ll conclude the EVPN designs saga with the “most creative” design promoted by some networking vendors: running an IBGP session (carrying EVPN address family) between loopbacks advertised with EBGP IPv4 address family.

There’s just a tiny gotcha in the above Works Best in PowerPoint diagram. IBGP assumes the BGP neighbors are in the same autonomous system while EBGP assumes they are in different autonomous systems. The usual way out of that OMG, I painted myself into a corner situation is to use BGP local AS functionality on the underlay EBGP session:

Dynamic BGP Peers

You might have an environment where a route reflector (or a route server) has dozens or hundreds of BGP peers. Configuring them by hand is a nightmare; you should either build a decent automation platform or use dynamic BGP neighbors – a feature you can practice in the next lab exercise.

Click here to start the lab in your browser using GitHub Codespaces (or set up your own lab infrastructure). After starting the lab environment, change the directory to session/9-dynamic and execute netlab up.

Public Videos: Enterprise MPLS/VPN

Over a decade ago, I created a webinar describing enterprise MPLS/VPN use cases. Surprisingly, some networking engineers still find it useful in the wonderful new world of SD-WAN duct tape, and starting today, you can access it without an ipSpace.net account.

Lab: Using IS-IS Metrics

It’s time for another “the vendor IS-IS defaults are all wrong” blog post. Wide IS-IS metrics were standardized in RFC 3784 in June 2004, yet most vendors still use the ancient narrow metrics as the default setting.

Want to know more? The Using IS-IS Metrics lab exercise provides all the gory details.

Latency Numbers Every Programmer Should Know

One of the key arguments against stretched clusters (and similar stupidities) I used in my Disaster Recovery Myths presentation was the SSD read latency versus cross-site round-trip time.

Thanks to Networking Notes, I found a great infographic I can use in my next presentation (bonus points: it also works great in a terminal when fetched with curl) and a site that checks the latency of your web site from various vantage points.

Using a BGP Route Server in an Internet Exchange Point

A BGP route server is like a BGP route reflector but for EBGP sessions. In its simplest implementation, it receives BGP updates over EBGP sessions and propagates them over other EBGP sessions without inserting its own AS number in the AS path (more details).

BGP route servers are commonly used on Internet Exchange Points (IXPs), and that’s what you can practice in the BGP Route Server in an Internet Exchange Point lab exercise.

Click here to start the lab in your browser using GitHub Codespaces (or set up your own lab infrastructure). After starting the lab environment, change the directory to session/5-routeserver and execute netlab up.

Running Routing Protocols over Tunnels

James got confused by a statement made by Hannes Gredler in his IS-IS book:

Things behave really badly if the total IGP cost over the tunnel undermines the total topologies’ cost. What happens next is that the tunnel “wraps” around itself, ultimately causing a meltdown of the entire network.

Let’s unpack that, starting with “Why would you need a tunnel?”

netlab 1.9.2: STP, LAG, Cisco IOL, Edgeshark

While I was busy fixing bugs in the netlab release 1.9.2, other contributors added exciting new features:

• Jeroen van Bemmel added the spanning tree and link aggregation configuration modules, initially implemented on Arista EOS, Cumulus Linux, and FRR.
• Dan Partelly added the netlab exec command that can execute the same command on a set of network devices, support for Edgeshark, and support for Cisco IOS on Linux (IOL) and Cisco IOS layer-2 image on Linux (IOLL2), the latter after a heroic uphill battle with ancient software (part 1, part 2).

Other new features include:

Worth Reading: Creating a Tech Blog

Would you like to start a tech blog but don’t know how to do it? Ethan Banks put together a phenomenal how-to guide in his Developing Content & Gathering Research For Your Tech Blog article.

Oh, and please use Hugo (or similar) and use walled gardens like LinkedIn solely to post summaries and links to your content. You want to be in control and retain ownership of your work, right?

DEEP: a Boutique Security Conference

Last week, I had the privilege of discussing Disaster Recovery Myths at the DEEP Conference. I also took the opportunity to attend several other presentations covering topics such as eBPF, open-source supply pipelines, tips for bug bounty hunters, and SSE.

TL&DR: I loved the experience ;)

EVPN Designs: EVPN EBGP over IPv4 EBGP

In the previous blog posts, we explored three fundamental EVPN designs: we don’t need EVPN, IBGP EVPN AF over IGP-advertised loopbacks (the way EVPN was designed to be used) and EBGP-only EVPN (running the EVPN AF in parallel with the IPv4 AF).

Now we’re entering Wonderland: the somewhat unusual¹ things vendors do to make their existing stuff work while also pretending to look cool². We’ll start with EBGP-over-EBGP, and to understand why someone would want to do something like that, we have to go back to the basics.

netlab: How do I Specify VLAN Interface Parameters

Similarly to how it handles VRFs, netlab automatically creates VLANs on a lab device if the device uses them on any access- or trunk link or if the VLAN is mentioned in the node vlans dictionary.

If the VLAN is an IRB VLAN (which can be modified globally or per node with the VLAN mode parameter), netlab also creates the VLAN (or SVI, or BVI) interface. But how do you specify the parameters of the VLAN interface?

Public Videos: Active-Active and DR Data Centers

I had a Disaster Recovery Myths and Reality talk at the DEEP conference yesterday. The presentation is already online, but unfortunately, not everyone made it to Zadar (your loss, but I get it).

To counteract that, I made the first part of the Designing Active-Active and Disaster Recovery Data Centers webinar public. Hope you’ll like it.

How Does Netlab Deal with Server Reboots?

Now and then, someone asks how netlab deals with reboots (or power failures or crashes) of the server it’s running on.

TL&DR: It doesn’t. However…

netlab is a CLI command that acts as an umbrella orchestration layer for Vagrant and Containerlab. It does not run as a cron job, init script, or service and thus cannot be invoked when a server is booted.

Per-Prefix and Per-VRF MPLS/VPN and EVPN Labels/VNIs

Long long time ago¹, in an ancient town far far away², an old-school networking Jeddi³ was driving us toward a convent⁴ where we had an SDN workshop⁵. While we were stuck in the morning traffic jam, an enthusiastic engineer sitting beside me wanted to know my opinion about per-prefix and per-VRF MPLS/VPN label allocation.

At that time, I had lived in a comfortable Cisco IOS bubble for way too long, so my answer was along the lines of “Say what???” Nicola Modena⁶ quickly expanded my horizons, and I said, “Gee, I have to write a blog post about that!” As you can see, it took me over a decade.

Lab: Configure IS-IS on Point-to-Point Links

From a very high-level perspective, OSPF and IS-IS are quite similar. Both were created in the Stone Age of networking, and both differentiate between multi-access LAN segments and point-to-point serial interfaces. Unfortunately, that approach no longer works in the Ethernet Everywhere world where most of the point-to-point links look like LAN segments, so we always have to change the default settings to make an IGP work better.

That’s what you’ll do in today’s lab exercise, which also explains the behind-the-scenes differences between point-to-point and multi-access links and the intricate world of three-way handshake.

NOG.HR: A NOG Meeting Worth Attending

I never know what to expect when I’m invited to speak at a regional (or in-country) Network Operator Group (NOG) meeting. Sometimes, it turns out to be a large conference (PLNOG and ITNOG come to mind); other times, it’s just a few people gathered around free donuts and coffee¹. Last week’s Croatian NOG (NOG.HR) meeting was in the Goldilocks zone between the extremes: plenty of interested networking engineers, but not large enough to be overpowering.

Also, it was such a nice experience ;)

Public Videos: PCI DSS for Networking Engineers

Michele Chubirka (currently at Google) kindly allowed me to make her PCI DSS for Networking Engineers webinar public (available without registration or login).

The webinar covers an older version of PCI DSS (version 3.0; the current version is 4.0.1), but as fundamentals never change, you might still find it useful.