Weird Junos IS-IS Metrics
As part of the netlab development process, I run almost 200 integration tests on more than 20 platforms (over a dozen operating systems), and the amount of weirdness I discover is unbelievable.
Today’s special: Junos is failing the IS-IS metrics test.
The test is trivial:
- The device under test is connected to two IS-IS routers (X1 and X2)
- It has a low metric configured on the link with X1 and a high metric configured on the link with X2
The validation process is equally trivial:
NB509: FCC to Raise Funds for Rip-and-Replace of Chinese Telco Gear; Billionaire Space Race Takes Off
Take a Network Break! We start with serious CVEs for Perl and Ivanti. On the news front, the FCC wants to license spectrum to raise money to help US telcos rip out Chinese network equipment–even though there’s no evidence Chinese equipment led to telco intrusions by Chinese attackers. Verizon boasts of 5.5Gbps download speeds on... Read more »netlab: Multi-Site VLANs
Imagine you want to create a simple multi-site network with netlab:
- The lab should have two sites (A and B).
- Each site has a layer-3 switch, a single VLAN (VLAN 100), and two hosts connected to that VLAN.
- As you don’t believe in the magic powers of stretched VLANs, you have a layer-3 (IPv4) link between sites.
Network diagram
From Python to Go 010. Dealing With Text Files. And Tiny Bit On Regexp.
Hello my friend,
So far the only way to provide user input to your Python and Go (Golang) applications we’ve shared with you in these blog series was the environment. Whilst it is a powerful way, which is heavily used especially in cloud native world, where we utilize Kubernetes, it is not the only way to provide user input. Today we’ll review another mechanism, which is text files.
Is Software Development Not Valuable Job Anymore?
Lately I’ve seen more and more posts on LinkedIn that AI is taking software development jobs away and/or making them less profitable. I’m myself use various AIs as code assistants, so I can see massive massive boost in productivity. At the same time, often AI generates code, which simply doesn’t work regardless the amount of iterations you try it with different prompts. Or it does generates working code, which is far less performance optimized that it can be. Therefore, I’m convinced that software engineers are here to stay for quite a bit. Moreover, network and IT infrastructure automation is a specific domain, which knowledge is even less acquirable by AI now due to lack of structured data for models training. Which means, you shall Continue reading
AI for Network Engineers: LSTM-Based RNN
Recap of the Operation of an LSTM Cell
The previous section introduced the construction and operation of a single Long Short-Term Memory (LSTM) cell. This section briefly discusses an LSTM-based Recurrent Neural Network (RNN). Before diving into the details, let’s recap how an individual LSTM cell operates with a theoretical, non-mathematical example.
Suppose we want our model to produce the sentence: “It was cloudy, but it is raining now.” The first part of it refers to the past, and one of the LSTM cells has stored the tense “was” in its internal cell state. However, the last portion of the sentence refers to the present. Naturally, we want the model to forget the previous tense “was” and update its state to reflect the current tense “is.”
The Forget Gate plays a role in discarding unnecessary information. In this case, the forget gate suppresses the word “was” by closing its gate (outputting 0). The Input Gate is responsible for providing a new candidate cell state, which in this example is the word “is.” The input gate is fully open (outputting 1) to allow the latest information to be introduced.
The Identification function computes the updated cell state by Continue reading
IP Addresses in 2024
Time for another annual roundup from the world of IP addresses. Let's see what has changed in the past 12 months in addressing the Internet and look at how IP address allocation information can inform us of the changing nature of the network itself.Palo Alto URL Filtering and SSL Decryption
In my previous blog posts (linked below), we looked at how to allow or block specific websites using URL filtering. In this post, we'll look into how to use URL filtering with SSL decryption for more granular control.
Palo Alto Allow Access To Certain URLs Matching A Blocked URL Category
If you use URL filtering on your Palo Alto firewalls, you may come across situations where a specific URL category is set to block, but you need to allow certain sites.
Suresh Vina
Palo Alto How to Block Specific URLs?
In this blog post, we’ll explore how to block specific sites using a Palo Alto firewall. There are two ways to achieve this, and we’ll cover both options.
Suresh Vina
Why Do We Need SSL Decryption?
Previously, we saw how to block sites like facebook.com or cnn.com, or allow specific websites blocked by a URL Filtering profile. However, these methods fall short when more granular access is required. Most website traffic today is encrypted with HTTPS, meaning the firewall cannot inspect what's happening within those sessions.
Without SSL decryption, the Palo Alto firewall (or any NGFW) relies on the SNI or CN of the certificate Continue reading
Palo Alto How to Block Specific URLs?
When working with Next-Generation Firewalls (NGFWs), you may come across situations where you need to block specific websites. In this blog post, we'll explore how to block specific sites using a Palo Alto firewall. There are two ways to achieve this, and we'll cover both options.
Palo Alto Allow Access To Certain URLs Matching A Blocked URL Category
If you use URL filtering on your Palo Alto firewalls, you may come across situations where a specific URL category is set to block, but you need to allow certain sites.
Suresh Vina
A Quick Recap on URL Filtering
This blog post assumes you have some familiarity with URL filtering. In a typical setup, you create a URL Filtering profile, configure the categories to allow or block, and attach this profile to your security policies.
Depending on your security requirements, you might block entire categories such as gambling, terrorism, or proxy sites. However, there are times when you only need to block specific sites rather than an entire category.
In this blog post, we'll use cnn.com and samsung.com as examples (no hard feelings toward them, these were just the first sites that came to mind, haha 🙂).
💡
Please Continue reading
New IPv6 Documentation Prefix
After three and a half years of haggling (the IETF draft that became the RFC was written in May 2021; the original discussions go back to 2013), Nick Buraglio & co managed to persuade pontificators bikeshedding in the v6ops working group that we might need an IPv6 documentation prefix larger than the existing 2001:db8::/32.
With the new documentation prefix (3fff::/20) (defined in RFC 9637), there’s absolutely no excuse to use public IPv6 address space in examples anymore.
HN763: You Too Can Say ‘Yes’ to Packet Analysis
Packet capture and packet analysis is incredibly useful for problem-solving and troubleshooting. Analyzing packets is also a difficult skill to master. With the incredible array of network troubleshooting tools at our disposal, including emerging networking models for artificial intelligence, do we still need to fuss around with Wireshark in 2025? Our guest Chris Greer says... Read more »
Hedge 254: Should you /64?
One of the big questions about IPv6 is: “Should you use /64’s for subnets?” Tom Coffeen joins Eyvonne Sharp, Rick Graziani, and Russ as we discuss the various questions surrounding IPv6 addressing, planning, waste, and … should you /64?
TNO012: From Hardware to Cloud: Evolving Roles for Network Operators
Cloud networking is still networking, but there are differences. In this special collaboration episode between the Total Network Operations and Cloud Gambit podcasts, Scott Robohn, Eyvonne Sharp, and William Collins dive into the contrasts between traditional and cloud networking, and how network engineers raised on hardware and the CLI can flourish in cloudy environments. In... Read more »Palo Alto Allow Access To Certain URLs Matching A Blocked URL Category
If you use URL filtering on your Palo Alto firewalls, you may come across situations where a specific URL category is set to block, but you need to allow certain sites. For example, you might block the 'social networking' category but still want to allow access to Facebook. Similarly, you may block 'newly registered domains,' but need immediate access to a site categorized as such. While you can request Palo Alto to re-categorize the site, sometimes you need a quicker solution.
In this blog post, we'll look at how to allow access to specific URLs that match a blocked URL category. There are two ways to achieve this, and I’ll cover both.
A Quick Recap on URL Filtering
This blog post assumes you have some familiarity with URL filtering. In a typical setup, you create a URL Filtering profile, configure the categories to allow or block, and attach this profile to your security policies. For instance, if you block the 'proxy-avoidance' category and try to access a site like expressvpn.com, the traffic will be blocked.
To demonstrate this, I'll set the 'proxy-avoidance' category to block. This means that if I try to access expressvpn.com, it will be blocked. Continue reading
XtendISE Key Features – Simplifying Cisco ISE Management
XtendISE is a user-friendly web application integrated with Cisco ISE and designed to simplify daily tasks and common challenges related to 802.1X without requiring extensive training on Cisco ISE. XtendISE helps manage MAC addresses, troubleshoot 802.1X authentication issues, and simplify the management of switch 802.1X configurations. It also validates configurations to ensure they are set up correctly and as intended.
We covered the basics of XtendISE in a previous article linked below. In this blog post, we will explore in detail three key features that XtendISE offers.
- MAC address management
- Enhanced Troubleshooting Capabilities
- Configuration and Auditing of the network access devices
How XtendISE Helps with 802.1X Management in ISE?
XtendISE is a simple web application connected to your Cisco ISE, which helps with everyday routine tasks and common challenges related to 802.1X without the need to train everyone in Cisco ISE.
Suresh Vina
💡
Disclaimer - XtendISE sponsors my blog, and this is a sponsored post. However, I had the final say on the content and personally liked their product.
Mac Address Management
Typically, when a device doesn’t support 802.1X, we collect its MAC address and add it to a specific group in Continue reading
netlab 1.9.3: MLAG, Static Routes, Node Cloning
netlab release 1.9.3 brings these new features:
- Multi-chassis Link Aggregation (MLAG) on Arista EOS, Aruba CX, Cumulus NVUE, and Dell OS10
- VRF and VLAN groups
- Additional OSPF interface parameters (hello and dead timers, cleartext passwords, and DR priority) implemented on Arista EOS, Aruba CX, Cisco IOS/IOS-XE, Cisco Nexus OS, Cumulus Linux, Dell OS10, and FRRouting
- Static routes with direct or indirect next hops implemented on Arista EOS, Cisco IOS/IOS-XE, FRRouting, and Linux
- Node cloning plugin for users who want to build detailed digital twins of their networks.
- Consistent selection of default address pools based on the number of nodes attached to a link (this could change addressing in multi-provider topologies)
- Support for vjunos-router and Cisco NSO tool.
Other new features include:
N4N008: What Is a Default Gateway?
Today’s topic is the default gateway, essential for routing traffic between networks. We explain its purpose, configuration, and the consequences of incorrect settings. Using home networks as an example, Ethan and Holly illustrate how default gateways enable devices to communicate with external networks. The discussion also covers routing tables, subnet masks, and the differences between... Read more »Configuring IP Addresses Won’t Make You an Expert
A friend of mine recently wrote a nice post explaining how netlab helped him set up a large network topology in a reasonably short timeframe. As expected, his post attracted a wide variety of comments, from “netlab is a gamechanger” (thank you 😎) to “I prefer traditional labs.” Instead of writing a bunch of replies into a walled-garden ecosystem, I decided to address some of those concerns in a public place.
Let’s start with:
How Calico Network Threat Detection Works
In today’s cloud-native environments, network security is more complex than ever, with Kubernetes and containerized workloads introducing unique challenges. Traditional tools struggle to monitor and secure these dynamic, interconnected systems, leaving organizations vulnerable to advanced threats, such as lateral movement, zero-day exploits, ransomware, data exfiltration, and more.
Network threat detection identifies malicious or suspicious activity within network traffic by using rules and analyzing patterns, behaviors, and anomalies. It enables organizations to spot attacks early, respond quickly, and mitigate risks before they escalate. Tools like Calico are specifically designed to address these challenges in Kubernetes, offering visibility, detection, and automated responses to protect workloads from known and emerging threats.
Calico delivers advanced network threat detection for Kubernetes environments, leveraging a variety of techniques to ensure comprehensive protection. Here are the key features of Calico’s network threat detection.
Behavior-based detection
Calico uses machine learning algorithms to establish a baseline of normal network behavior and detect anomalies such as port scans, IP (Internet Protocol) sweeps, and domain generation algorithms (DGA), which are commonly used by malware to evade detection and maintain communication with command and control (C2) servers.
Calico’s anomaly detection capability evaluates traffic flows using machine learning to identify the baseline behavior Continue reading