quick note for those spending weekends on labbing - if you want to log info (from Syslog for example), and the management interface is in separate VRF (very good idea), you need to configure VRF in two, or even three (if you count VRF definition itself) different places. if you forget one, it won’t work. so, first of all, create management VRF definition: ! vrf definition MGMNT rd 444:444 ! optional, but just to keep the numbering across VRFs !...
since first tuning of FreeBSD TCP/IP stack somewhere in 4.x, I’m typically fiddling with the /etc/sysctl.conf contents from time to time. you know, just to tune stuff. in the meantime, a lot of things has changed in FreeBSD TCP/IP stack, including introduction of modularity. however, MacOS X that is based on FreeBSD is much more conservative and some options are not available. therefore, on my MacOS systems I use following /etc/sysctl....
as I’m installing FreeBSD boxes and VMs left and right, I typically do some initial setup before doing anything else. while some use cases call for additional ports to be installed (like bird or routinator), there’s pretty standard “intro”. first, make sure the packages themselves are up to date: sed -i '' s/quarterly/latest/g /etc/pkg/FreeBSD.conf pkg upgrade this will trigger initial pkg install. then, it’s my personal minimum set of packages:...
if you have to pack a lot of things, using sheer power of modern multi-core/multi-threaded CPUs may come handy. unless… the tools you’re using are not enabling that by default, and you suffer running everything on one core/thread. as I spend most of my time recently with FreeBSD and MacOS the tools I typically use are command line. therefore, for every gzip - consider using pigz. and for bzip2 - consider using pbzip2....
nice addition to recent IOS-XE images is the info in BGP view when the peak number of prefixes was received: rtr-edge#sh bgp ipv4 unicast summary [...] 6807 received paths for inbound soft reconfiguration BGP activity 1126906/107856 prefixes, 1337822/171863 paths, scan interval 60 secs 878960 networks peaked at 15:02:09 Jan 29 2022 CET (22:53:01.065 ago) [...] rtr-edge#sh bgp ipv6 unicast summary [...] BGP using 102467162 total bytes of memory BGP activity 1126898/107856 prefixes, 1337806/171843 paths, scan interval 60 secs 140720 networks peaked at 05:46:19 Jan 29 2022 CET (1d08h ago) [....
one of the very old tricks, that’s even documented is how to simulate ctrl-break on newer PCs to break into ROMMON during router/switch boot. instead of fighting with SecureCRT on MacOS, I just used it recently. basically, you: disconnect terminal from the device turn device off set terminal to 1200 (yes, you read this right), 8N1 and no flow control turn device on press SPACE for 10-15 seconds (basically, until your terminal drops out some unreadable characters) reconfig terminal to 9600 8N1 and you should be in ROMMON yes, I’m old....
if you’re not accustomed to reading release notes for your favorite platform (Nexus NX-OS in this case), probably you already overlooked that starting with 10.1(2) there’s 2-stage commit system, known from IOS XR. what does that mean, really? that doing changes over CLI, directly in the parser, you can edit/add/remove whole blocks of configuration before committing them to running/actual configuration. so in case when you edit interface IP addressing (always touchy moment, specially for devices you’re 300km away for example) the session could look like this:...
I was invited by Adam Lange and Adam Haertle to share my story in “rozmowa KONtrolowana” podcast (in Polish). I’d like to thank both of them and of course all of participants for invitation, leading it, questions and nice way to spend time in familiar, geeky environment :) now - just view/listen to it your favorite format :)
as I get old, seems I’m missing obvious signals. my logs were screaming about it, friends made touchy comments… and nothing. after moving to hugo, despite the fact it has built-in RSS feed support, I somehow missed that completely. fortunately, it’s enough to add template to your page definition and… it works. and that’s about it. that’s all. RSS works now. hurray.
if you, like me, just love corporations that blatantly lie in your eyes about “protecting your privacy”, you’re ready to spend some time to make their lives as hard as possible. one of the new ideas is Google FLoC - Federated Learning of Cohorts. great concept, that apparently was to “increase privacy”, but instead actually decreases it even more. first of all, stop using Chrome. use Brave or Firefox - and make sure that security and privacy settings are properly configured (one of the key is DoH, which may be enabled by default and that actually overrides your configured DNS servers)....
one of the benefits of having (and master) IPv6 is the fact, that it’s completely separate protocol from IPv4. please take a moment to think about it now. take special care about completely separate protocol. in case of doubt, read this again but slower. you can also make smart face or write it down and use next time you’re on some kind of C-level panel. practical effects on practical example this just happened, couple of hours ago....
if you happen to have more than one internet connection and they have different usable bandwidths - which is no longer a rarity today - it becomes interesting element in network design. how would you use these links optimally? i have to admit, that i was provoked to sit down and write down this series of post by Marcin Ślęczek post on ccie.pl forum. Marcin is CEO of networkers.pl but by heart, he’s network engineer and sometimes fights with interesting problems....
Raspberry Pi 4 that comes originally without any case, or can be bought with original case, can bring you headaches. it’s absolute great and genius computer (never ask me how many I own… ;) ) in version four has really very fast CPU - Broadcom BCM2711. it contains four ARM Cortex A72 cores clocked with up to 1.5GHz and dedicated GPU complex. problems people all around internet report problems however with overheating of this little beast, and what’s more - problems with getting stable 4k 60Hz video output (just remember, there are two video outputs, but 60Hz is only achievable on the socket next to USB-C power supply)....
…but tools have to be used responsibly. first of all, short disclaimer - I’d like to make it perfectly clear before we go into this long piece, that I’m a: …big fan of discussing merits of technology and technology overall. I love technology. I believe having opportunity to create networks, solutions that really connect people and give us chance to exchange information is something I could do for the rest of my life, with full focus and commitment....
as you may have read recently I was playing with open source routing protocol packages again. from pure CLI familiarity reasons, I kept myself to FRRouting, which is evolution of Quagga, which itself is evolution of Zebra. and Zebra syntax and CLI is based on Cisco IOS. FRRouting thanks to Job Snijders for correcting me on the name - it’s no longer OpenFRR, it’s FRRouting. sorry! :) unfortunately, while it worked very well for my home network (FRRouting that is), when deploying in AS112 I hit some unexpected behaviors quite quickly after starting the project....
ARM announced recently 64-bit Cortex CPU. it’s very interesting, as not only it can run real time operating systems, but 64 bit architecture enables it to address more than 4GB. it also has optional memory protection unit, which means it will be able to run software requiring it - like Linux for example. and by the way - it’s worth to mention polish real-time operating system that’s already on the market for last couple of years with significant success - Phoenix RTOS....
thanks to inspiration from Robert Woźny, i’ve just launched two separate AS112 sites in Poland. that would never be possible without great folks at ATMAN: Sebastian Olejnik and Damian Nowacki …and at EPIX: Krzysztof Czuszek and Paweł Staszewski what is AS112 all about? as112 AS112 is world-wide project that sinkholes requests coming in from misbehaving or misconfigured DNS clients (which may be your home PC but also some enterprise-y workstation). they send queries looking for answers to questions like “what’s the name of 192....
Daniel Dib asked recently on Twitter about BGP convergence time for world wide operations. two hours he got in response from his friend seemed a bit too long. I did recently help to spin up new ASN with new IPv4 prefix (well, both came from second hand, but you get the point) and as far as I could tell, propagation took around 15 minutes maximum. so in the interest of self-education, I started digging....
WD was recently caught red-handed on trying to sell HDDs to NAS duties that use SMR technology without informing about it (and, actually, by actively trying to misled customers and then silence the whole situation). that ended up in lawsuit. while others were also caught trying to do similar things, they backed up immediately, while WD still tried to say that “white is black, you know, really”. technology is amazing. i already wrote about it some time ago....
one of the interesting and rarely seen configuration options, is ability to have redundant IPv6 tunnel established from source address tracked by HSRP. if you’re limited by other side of communication - in this example Hurricane Electric - to have only one endpoint of tunnel on your side that’s right tool for task. the way this configuration would work, is that router active in HSRP pair will be the one on which tunnel will be active and forwarding....
recently during casual browsing of WLAN controller i spotted that sometimes users are having problems with receiving responses from DHCP server. i was suprised, as family doesn’t complain - and they’d do that immediately. well, so i went troubleshooting element by element. obviously, switches were primary suspect. why? everything was working, and those DHCP problems were very, very rare - that may mean drops on switch interfaces. Cisco QoS configuration on Catalyst and Nexus switches is far from easy....
while I already mentioned couple of times on this blog, that handling dynamic routing on firewall is asking yourself for unexpected problems, sometimes it’s needed. as Cisco, we don’t normally recommend using ASA or FTD boxes as full table BGP routers. not because they can’t be used in this role, but because we don’t believe it’s a good networking and security practice. here’s example from my home lab testing lab cluster of two ASA 5516-X, running 9....
due to COVID-19 outbreak, we’ve been flooded with request to provide assistance with deploying secure connectivity for remote workers. in some organizations number of remote workers grown from 0 to 7000-10000 in week. some others are serving today over 30000, and here at Cisco, we’re working mostly out of home those days (over 100k people!). thanks to help from my fellow engineers and specialists, we were able to publish following guides, related to building and scaling out VPN headends - both hardware and virtual:...
recently thanks to Robert Pająk i’ve had an opportunity to speak at fall edition of Akamai Affinity. as the request was to cover the networking side of innovation, i did my best. actually, that was not so recently - back in november last year, to be exact. but indeed quite recently we’ve released news about our 400Gbit/s switch and on the Cisco Live! at Barcelona we’ve demonstrated for the first time ACI evolution - ACI Anywhere....
…if everyone is trying to make your life harder. couple weeks ago I refreshed my private email server on FreeBSD. for some time spam levels were raising and I had to do something about it. old spamassassin was not handling it accurately enough anymore. enter spamd from OpenBSD. current postfix has built in greylisting server that’s working quite well. for my installation I tuned it a bit, by extending period of time that has to pass from last delivery attempt (to 1200 seconds, which is 20 minutes):...
during one of the design discussions with one of our Customers, I had a chance to discuss a bit about using anycast to scale out delivery via CDN. unfortunately, as more ads served even on popular sites is malware or even miners for different cryptocoins it begs a question - how should you protect the site you’re maintaining? using reputable CDN is good first step. the other one, i didn’t know about (and it seems to be quite natural if you think about it) is to verify hash of the attached resources....
have you thought recently how oversubscribed are acronyms you’re using daily if you’re in IT? i just spent the whole day listening about VPC, but not vPC or VPC - but about Virtual Private Cloud in AWS services. not about virtual Private Channel or Virtual Path Connection and neither about Virtual Packet Core. and i have to admit, i liked it. i’ve spent whole day on a Mirek Burnejkos training dedicated to clouds....
during the last 30 years, processor speeds has increased from millions of cycles to billions - multiplied by multi-core and special mechanisms that increase the efficiency of working with ‘boring’ cores. Pentium 66 processor from 1993 contained 3.2 million transistors, which is anyway quite a value, considering they are packed into a space comparable to that of four dices - and contains one main unit. available today Xeon E5-2699v4 has 22 cores operating at nominal frequency 2....