On May 10th I had a chance to attend again ITNOG in Bologna. Even if ITNOG seems to be an event with focus on ISP I find it very educative for anyone working in the enterprise market. The boundaries between enterprise and ISP network are a common ground for negotiation about connections, routing, security, SLA. Sun Tzu advice it is a good strategy to know your enemy, I see no enemies on the other side of the CPE but the idea remains valid.
Network documentation and monitoring are topics that never lose interest to me. Over the years I worked with many products, Nedi, Observium, Librenms,, NetBox, Icinga, NetShot, Smokeping to name a few. Each product has its strengths and weaknesses that in some cases are nothing more than the aspects on which the manufacturer has decided to concentrate development more. NetShot has compliance tests easy to write and verify, Smokeping is easy to setup and focused on monitor network and services latency.
I really enjoy discussing network design and deploy details with colleagues, customers and fellow network engineer. I find these discussions challenging, stimulating. An open, sincere and collaborative discussion gives a chance to better understand the real needs, fears, doubts of other professionals and to validate knowledge, expose gaps and most of all I learn a lot. This is still valid when discussing Data Center design or simpler topics like how to cable switch stacks.
I’m pleased to announce that my blog has been selected as a finalist in the Most Entertaining category of the IT Blog Awards, hosted by Cisco This blog is a project that I have been carrying out for years in the (little) free time between a demanding job, the study and the family. I think it is important to dedicate time to the blog because it has allowed me to meet many awesome people, actively participate in the community and make my contribution to the ecosystem that has helped me at the beginning of my career.
I’ve been working on a data center migration from regular switches to a Cisco ACI fabric in the last couple of months. I can’t say that’s enough to be defined as an ACI expert but I’ll share here what I learned from the experience. The project started with a Network Centric approach for an one-to-one migration from the previous network. After the migration new VRFs are being created in App Centric mode with contracts.
Recertification is part of the life of all active CCIEs. The process used to be an option between passing a CCIE written exam, passing a lab or getting Emeritus after 10 years, losing all CCIE privileges. Beginning June 2017 Cisco introduced the Continuing Education Program as a new way to recertify expert level certifications. The CE program allows to collect credits when attending eligible Cisco events or training. With 100 credits you earn the recertification.
Every time I manage a change to a customer network I have a chance to taste the many shades of possible IT Operations maturity levels. I collected some best practices over the years about how to reduce risk and speed-up the change and testing process. I’ll share some in this post. Improvements and suggestions are welcome in the comments of the post or on my Twitter account.
Every time I manage a change to a customer network I have a chance to taste the many shades of possible IT Operations maturity levels. I collected some best practices over the years about how to reduce risk and speed-up the change and testing process. I’ll share some in this post. Improvements and suggestions are welcome in the comments of the post or on my Twitter account.
As most IT professionals I usually configure network devices in a lab environment before the actual installation at customer site. I try to limit the installation as much as possible to a simple box moving process, spending most of the change window in a previously defined validation process. In this particular case I deal with a data center core network that includes 8 Nexus 9k switches configured in 4 VPC pairs and a bunch of links between them.
My new post about Cisco Network Assurance Engine: From Download to Value in 60 Minutes (or less) has been published, read it on GestaltIT Tech Talks.
This story starts with a phone call at night. If you worked in IT long enough you know what it means. Customer’s HQ network is down and since the day before I’ve replaced a pair of data center switch in a remote site I’m somehow involved based on the well-known principle “last one who made changes is responsible”. I state that all the facts took place with my telephone support, without any remote access to the machines.
My new post about Aruba 8400 programmability has been published, read it on Aruba Blogs.
My new post about Configuration and Hardware Assurance in the Datacenter with Cisco Network Assurance Engine has been published, read it on GestaltIT Tech Talks.
My new post about bandwidth limit enforcement on access points has been published, read it on Aruba Blogs.
At Cisco Live Europe in Barcelona I had a chance to see Cisco Candid (Network Assurance Engine) in action. My new post about Network Security Policy and Compliance in the Data Center with Cisco Network Assurance Engine has been published, read it on GestaltIT Tech Talks. Full video of TFDx session at CLEUR:
A couple of days ago Cisco released a Security Advisory. No big deal so far, level was informational so I didn’t read it right away. Title is impressive: Cisco Best Practices to Harden Devices Against Cyber Attacks Targeting Network Infrastructure so i read it during a lunch break just to be aware of the contents. Management sessions to network devices provide the ability to view and collect information about a device and its operations.
Automation and programmability is not a new topic for me. Having studied Information Technology in High School I’ve always coded somehow, never making it my primary focus but always using it as a tool to make my life easier. I remember a script I did in Pascal to create a menu to load custom maps for Doom II instead of using the CLI. It would be great to find it again but it’s very unlikely because I trashed so many PCs and hard drives since, well, at least I hadn’t bitcoins stored there!
For a Network Engineer living and working on the field has some challenges that are not common in office environments. I have a set of tools, hardware and software, that I bought or built over the years that allow me to accomplish my job in more effective way. I used to carry a small Access Point to provide connectivity inside a datacenter or campus when the rack is located in odd places (you know what I mean).
We live in a time of intent, automation, orchestration and a lot of wonderful tools that promise to make the life of network engineers easier. Sometimes reality is simpler and maybe less fascinating, real problems need to be solved quickly with small budget. The specific case I discuss here is a medium network, around a hundred devices. The problem is to create an inventory of all the devices, backup configurations and verify all the boxes have the correct syslog, ntp and timezone configuration.
My new post about Floating Networks has been published, read it on Aruba Blogs.
In the previous post of this AirPiConsole series (part1, part2) I used Autossh to create a reverse tunnel from the device to a cloud VPS to permit remote access. The VPS I use is cheap but unreliable so the tunnel was down most of the time so I started looking for a better alternative. The solution came from the Packet Pushers podcast episode PQ134 about ZeroTier. What is ZeroTier?
My new post about Colorless Switches and Mac-Auth has been published, read it on Aruba Blogs.
The future of CLI and how Network Engineers will interact with devices is a topic being discussed quite often: "I'll give you my CLI when you pry it from my cold, dead fingers" - said no #CCIE ever, they're busy automating their networks with Python to save time for more creative activities. Just a few of them suffer the "CLI Stockholm Syndrome"https://t.co/jHkB4LQk5T pic.twitter.com/j8CDgCIBpA — Gian Paolo (@gp_ifconfig) December 6, 2017 Andrew Lerner wrote on November 2016:
Quite often cable management is something that starts well when a new IDF is deployed and then gets messier over time. Cable p0rn channel on reddit shows plenty of example of how cabling should look like. I usually don’t do cabling and I’m not good at it either so I’ll not post my home lab setup ;-) Unpatchable? The real problem with poor cable management arises when a new box must be connected and all switch ports are already patched.
I read a lot of discussions about complexity in networking and IT today that include a large amount of FUD. Topics range from “we’ll all lose our jobs because abstraction” to “you can’t fix complexity” to “welcome robot overlords” ;-) Complexity is something that may be easy to move, even easier and to increment, hard to remove. For a clear definition of complexity read Navigating Network Complexity by Jeff Tantsura and Russ White.
White boxes and their impact on enterprise networking is a hot topic today, with many point of views. The last update from Dave Temkin, VP of Network Architecture ad Netflix, put more gasoline on the flames: **Update April 2018: the original tweet was deleted, the message was: Super proud of my team - today they removed the last “big expensive router” from our network; no more Cisco ASR or Juniper MX.
When a customer calls with a problem or request I often see a chance to investigate a technology, learn something new or apply random skills to find a creative solution. This time is about an ASA, customer noticed too much traffic on the Internet facing interface. Syslog, Netflow, bandwidth monitoring and any other useful tools are totally missing, only the old good CLI to help. The MVP We can get a list of all active connections from ASA with
In episode 13 of the Network Collective podcast around minute 26 Jordan Martin asks: Aren’t we all just following a trend? The discussion topic is how to mentor juniors in a learning path to grow their skills and be experts eventually. The question can be translated as: Are we creating fake (IT) news/trends or is it just (excessive) nerd enthusiasm? Bloggers, events, news Tech professional read every day about some new technologies promising to change the way we work, live and play.
This week I’ve attended the Network Automation Seminar organized by Reiss Romoli. The speaker was the great Ivan Pepelnjiak! I was happy to meet Ivan again after NFD16. At the event I joined old and new friends: Andrea, Nicola, Paolo and Tiziano. Are these networkers or programmers? ;) @ioshints @adainese @nmodena @ReissRomoli @Paolo_Lucente #networking pic.twitter.com/RwjX6h2Mng — Gian Paolo (@gp_ifconfig) October 19, 2017 Content is king In two days Ivan presented tools, solutions, concepts and a lot of use cases of network automation.
Day two of NFD16 started with Apstra and their intent-based networking system. Intent concept is not as broad as SDN but still vendors have different views of this meaning. According to Apstra an intent is “the definition of the expected outcome”. The sum of the intents of a network is the source of truth. Read Sasha Ratkovic blog post about the definition of Intent Based Networking. The checklist he suggest can be very useful to compare different solutions and spot intent washing strategies.
Second part of Tech Field Day NFD16 day 1 continues with Arista. Getting ready for @AristaNetworks #NFD16 pic.twitter.com/SCWXVGsR2l — Gian Paolo (@gp_ifconfig) September 13, 2017 Arista’s presentation included 400G (hist: it’s fast!), EOS programmability, Network Automation and Telemetry, Routing Architecture Transformations. All video recording are in the youtube channel of TechFielDay. EOS Programmability Ken Duda (Founder, CTO, and Senior VP of Software Engineering) did a great session about EOS programmability explaining the reason of some technical choices and the available options.
First day at Tech Field Day NFD16, I’m quite excited to be here among fellow network engineers to share our views on products and technologies. I’m planning to post my takeaways for each vendor with variable lengths based on my knowledge and interest of the specific product. Today’s first presenter is Veriflow. Let’s see what Continuous Network Verification is and how it can help to make networks more robust and secure.
Welcome back to AirPiConsole blog post, this is part two. If you read part one and followed the configuration steps you should now have a fully working Raspberry Pi Zero W connected to your WiFi network. You should also be able to connect via Bluetooth to get a console connection without knowing the IP address of the Raspi. Now it’s time to move on and start to actually connect to the serial ports.
As a network engineer I spend a lot of time with my laptop connected via serial cable to various devices. Physical serial connection is needed for initial device setup and sometimes per customer’s security policy I can’t access the network, so I can only use out-of-band management. I also configure many devices at staging lab that I call the “Theory room” because you know, in theory everything works ;-)
I’m happy to announce I’ll join a great team of professionals for 3 days of pure networking awesomeness in Silicon Valley: Great news: I'm a #NFD16 delegate! https://t.co/WuziopJtKc Can't wait to join such a great team of professionals! — Gian Paolo (@gp_ifconfig) August 11, 2017 NFD16 is part of Tech Field Day events where vendors and professionals meet to share and discuss about the IT world, products, trends and future.
Summertime usually means a busy period for Network Engineers, customers are on holidays and we have the opportunity to performs all the changes that impact network connectivity. For me this usually means core switch replacement. Today I was moving a configuration from an HP8200 to a Cisco 4500, taking care of all the details of ports, trunks, vlans. From this: to this: When a task is manual, boring, repetitive and error-prone my automation skills came to help.
My interview was published today on Networkcareer.net, the latest project from Daniel Dib and Kim Pedersen. It’s available online HERE.
Ansible has been around for I while but I didn’t had a chance to play with it so far. Now the time has come: I manage enough IOS devices with homogeneous configurations in multiple sites without Cisco Prime. Any change is a pain, it’s time to automate all the things! My environment I run Ansible inside Bash on Windows, I don’t see any issue or difference than running in an actual Linux box or docker/vagrant/whatever and it permits a better integration with the tools I already use.
Last week I had the opportunity to attend a “Cisco Meraki Masters” session at Meraki HQ in San Francisco. Meraki Masters is a program that sits on top of CMNA to give partners a deeper view of the Meraki product line, vision and roadmap. Merakify a.k.a. “Don’t spend your time doing work a well-trained monkey could do.” Meraki has a strong focus on the “merakification” of the products. Merakification means that all the repetitive tasks a network administrator performs almost on daily basis are now included in the Meraki Dashboard.
The problem I manage many networks and quite often I work at customer site. For every site I need and IP address, gateway, Wi-Fi network, sometimes proxy, a printer and many other unique network settings. Change IP address on Windows is a process that takes too much time and many clicks. The automation I used to use netsh scripts to do that but it was hard to maintain. The OED solution: NETSETMAN
This post is part of a series about Docker, including: Docker Introduction Docker: Install software inside a container Docker Volumes Today we’ll see Docker networking with a very specific target in mind: bridge container to the host network. This isn’t supposed to be the way of work of containers: a container should be created to run a single application so container networking, from the point of view of a Network Engineer, is essentialy a Port Address Translation with a firewall exception.
Quick tool: PingInfoView _PingInfoView is a small utility that allows you to easily ping multiple host names and IP addresses, and watch the result in one table. It automatically ping to all hosts every number of seconds that you specify, and displays the number of succeed and failed pings, as well as the average ping time._ OS: Windows License: freeware ###How I use it I find it particularly useful during network migrations to check if all the hosts are available before and after.
Just a quick post since I speak with many network engineers and I notice some confusion about this topic. Are all 4 pairs of an Cat5e cable used? The answer is.. it depends. For gigabit speed 1000T all four pairs are used. If 100TX speed is enough we can of course split the cable and double the connections without pulling more cables: In my specific case I’ve used a single cable drop in the garage to connect a humidity/temperature to a 1wire bus sensor while allowing a future connection of an Ethernet device.
Log analysis is important to both troubleshoot and understand network devices behavior. Tail/less/grep are great tools that can help to filter and search hundreds or thousands lines of logs. If you prefer a GUI there are a couple of alternatives that can fit well. For windows users only Log Expert is a great choice with many features but it is not developed since 2012. Log Expert is a Windows tail program (a GUI replacement for the Unix tail command).
A few days ago a customer called worried by the flow control counters increasing on his Cisco 4510 switch, he just sent me this asking for an explanation: CORE_4510#show interfaces flowcontrol Port Send FlowControl Receive FlowControl RxPause TxPause admin oper admin oper --------- -------- -------- -------- -------- ------- ------- Gi1/1 on on desired on 28972 107274064 Gi1/2 on on desired on 9494 111534 Gi1/3 on on desired on 32580 1406178 Gi1/4 on on desired on 1278 84112 .
Last week I passed PW0-105 exam and obtained the CWNA certification: I work with wireless network since 2005, I began installing some SoHo APs and in the last few years I designed and deployed many bigger networks, some of which are challenging high density environments. I read manyCisco documents about wifi design and in this year’s Cisco Live I attended many session related to wifi. After passing CCNA-W I didn’t felt confident enough, I know how to design, install and troubleshoot a wireless network but I wanted to have a deeper knowledge of the technologies involved ant how the protocols work.
Networking is awesome but some tasks may be quite boring and repetitive. For new campus network installations a lot of time is used just to put a basic initial configuration template on switches. Each vendor has its proprietary method to distribute configs automagically but sometimes the effort to setup the system is simply too much. A common practice is to prepare a template in a test environment then copy it changing the IP address, hostname and a few other parameters.
This means two things: I’m CCIE for over one year now I need to prepare again the written exam The last day to test the v4 edition is June 3, 2014, I’ve passed that exam twice so I expect a little effort to pass it again.
Ten years ago I’ve passed my first Cisco exam: CCNA! What was supposed to be just a marginal skill for a junior systems engineer became both my job and my passion. Ten years and 21 Cisco exams later (and a bunch of other vendors), with 2 labs in Brussels, 1 FAIL and 1 PASS, I’m still excited about networking and I hope the next ten year will be as valuable and inspired.
IPv6 is the evolution that everybody know must be done one day but not today. Unike the Millenniun Bug that had a clear deadline, IPv6 adoption is a topic that I often discuss with clients but nobody is really willing to do it, even in a test environment. I studied IPv6 in many Cisco certifications but since they’re focused on the infrastructure side of the network, I plan to do some labs myself in the next months.
Questo post e’ dedicato ai networkers iscritti al CUG di AreaNetworking.it per condividere la mia esperienza del Cisco Live! 2013 a Londra. Ho visto diversi messaggi in ML e dato che la risposta sarebbe un po’ lunga e magari puo’ interessare a piu’ persone ho deciso di scrivere direttamente un post qui. Ho avuto il piacere di partecipare al Live! 2013 a Londra e salvo imprevisti a Gennaio parteciperò anche a quello di Milano.
Huawei network devices are becoming more and more popular in European market lately. It all started with 3G adapters, then mobiles, and now I see routers and switches deployed in many locations. For a project I’ll deploy in the next few weeks I had the opportunity to attend an Huawei training. Huawei provides a fast-track for people already certified with other vendors, three training courses are condensed in just one week but it works if you don’t want to hear for the 100th time how STP works ;)
I noticed that not everybody knows how to download Cisco certs PDF files or order additional printed copies. Just open this link, login with your Cisco credentials and enter the menu “Certification Fulfillment”. An additional CCIE plaque costs 150USD, paper certs cost 15USD. HTH
NTP client / server with authentication SERVER CONFIG ntp authentication-key 1 md5 0802657D2A36 7 ntp master 5 CLIENT CONFIG ntp authentication-key 1 md5 1531223F2705 7 ntp authenticate ntp trusted-key 1 ntp server 10.0.12.1 key 1 Notes: the client authenticates the time source, server must have the key.
The dscp mutation map is a per-port configuration that permits to modify the dscp field of a packet. The mutation map works for EGRESS traffic only We trust the documentation but it’s event better to verify it. The topology si simple: PC1 11.0.0.1 –> G1/0/1 C3750-24 G1/0/24 –> G1/0/24 C3750-48 G1/0/1 –> PC2 11.0.0.2 running wireshark First step: turn on QOS on both switches with the command mls qos Then on C3750-24 port G1/0/1 we set COS to 5:
Private VLAN configuration: vlan 300 private-vlan primary private-vlan association 301-302 ! vlan 301 private-vlan isolated ! vlan 302 private-vlan community Port configuration: interface GigabitEthernet1/0/1 switchport private-vlan host-association 300 301 switchport mode private-vlan host What about the SVI? interface Vlan300 ip address 11.0.0.48 255.255.255.0 private-vlan mapping ? WORD Secondary VLAN IDs of the private VLAN SVI interface mapping add Add a VLAN to private VLAN list remove Remove a VLAN from private VLAN list If we add a private-vlan mapping to the SVI it works like a promicuous port for all the secondary vlans mapped, reachable by both isolated and community ports:
Netflow quick notes for basic config. NETFLOW EXPORT Send NetFlow data to a collector: From? (source) Where? (destination, port) How? (udp, sctp, backup) Version? (1,5,9) SAMPLING / FILTERING Not all traffic is evaluated to generate NetFlow statistics. Sampling (one packet each N) of filtering (sampling only on a class of traffic). applied to interface applied to policy map (with optional filter) “filter” is applied with “match” in the class map and netflow-samples in policy-map AGGREGATION CACHE Aggregate flows based on some criteria.
Your Route to Cisco Career Success by Kevin Wallace A free ebook from Amazon/Kindle about the strategy to prepare for a brilliant career in networking. UPDATE: the book was free just for a limited amount of time (I got the link from Twitter).
This week I’m attending an HP training in Milan The course topics aren’t as challenging as I’ve expected but I had the opportunity to test focus on some interoperability problems that may occur in mixed environments, especially with Cisco and non-Cisco devices, like PVST. For this post we use 2 switches, a Cisco and a non Cisco (HP in this case), the topology is simple: CISCO port g1/0/3 --> HP port 13 On the Cisco switch we enable PVST:
Inspired by the Packet Pushers Podcast I setup my personal IPv6 tunnel to TunnelBroker.net. Registration is free and the configuration is straightforward. The first step is the registration and setup of a tunnel to our IPv4 address. Second step the configuration of the tunnel on our side. The webiste includes many examples of tunnel configuration, in my case Cisco IOS: configure terminal interface Tunnel6 description Hurricane Electric IPv6 Tunnel Broker no ip address ipv6 enable ipv6 address 2001:470:99:15::2/64 tunnel source 1.
You can either do a planned, careful migration, or you can do it in a panic, and you should know full well that panicking is more expensive. Martin Levy, director of IPv6 strategy for Hurricane Electric
Remember: voice Vlan is not automatically created when applied to a port. You must create it!
Number 8 is the one I mention when I see a network project made with PowerPoint that looks simple with all those clouds and arrows: (8) It is more complicated than you think. Link to all the 12 truths HERE
Quite often when a network configuration includes authentication or 802.1x on network devices Radius is the protocol of choice. NtRadPing is a free utility to test a Radius server. The usage is simple: insert the IP address of the radius server, the secret, user name and password of the user to test. Remember to add the IP of the PC as NAS on the Radius server to allow request to be processed and answered.
HP allows Cisco certified people to achieve it’s MASE/ASE certs using Fast Track: While HP certifications aren’t as popular as Cisco’s they can be a way to learn a different platform and increase career opportunities. The official cert guide is available on Amazon.
A quick note about tcp small servers. DOC-CD says: The TCP small servers consist of three services: Discard (port 9), Echo (port 7), and Chargen (port 19). If we do a portscan to a router before and after enabling tcp-small-server with the command: R(config)#service tcp-small-servers We can see that these ports are opened: Starting nmap V. 3.00 ( www.insecure.org/nmap/ ) Interesting ports on (10.1.0.254): Port State Service 7/tcp open echo 9/tcp open discard 13/tcp open daytime 19/tcp open chargen The DOC-CD misses port 13 corresponding to Daytime Protocol.
Thou shalt above all, maintain the integrity of the network. Thou shalt have a long term strategic direction. Thou shalt always opt for quality before expediency. Thou shalt meet the requirements, exceed the expectations and anticipate the needs of users. Thou shalt benefit from a successful implementation by careful project planning. Thou shalt provide reliability, availability and serviceability. Thou shalt maintain detailed, timely and accurate documentation. Thou shalt commit to continuous training.