bgp blackholing is back

BGP Blackholing is back - with small steps (‘better done than perfect’). go ahead and visit the current project page with “quick howto”. happy blackholing!

February 28, 2022 · Łukasz Bromirski

nice peak info in BGP summary view

nice addition to recent IOS-XE images is the info in BGP view when the peak number of prefixes was received: rtr-edge#sh bgp ipv4 unicast summary [...] 6807 received paths for inbound soft reconfiguration BGP activity 1126906/107856 prefixes, 1337822/171863 paths, scan interval 60 secs 878960 networks peaked at 15:02:09 Jan 29 2022 CET (22:53:01.065 ago) [...] rtr-edge#sh bgp ipv6 unicast summary [...] BGP using 102467162 total bytes of memory BGP activity 1126898/107856 prefixes, 1337806/171843 paths, scan interval 60 secs 140720 networks peaked at 05:46:19 Jan 29 2022 CET (1d08h ago) [....

February 3, 2022 · Łukasz Bromirski

ctrl-break the new (old) way

one of the very old tricks, that’s even documented is how to simulate ctrl-break on newer PCs to break into ROMMON during router/switch boot. instead of fighting with SecureCRT on MacOS, I just used it recently. basically, you: disconnect terminal from the device turn device off set terminal to 1200 (yes, you read this right), 8N1 and no flow control turn device on press SPACE for 10-15 seconds (basically, until your terminal drops out some unreadable characters) reconfig terminal to 9600 8N1 and you should be in ROMMON yes, I’m old....

January 20, 2022 · Łukasz Bromirski

two-stage commit config for NX-OS

if you’re not accustomed to reading release notes for your favorite platform (Nexus NX-OS in this case), probably you already overlooked that starting with 10.1(2) there’s 2-stage commit system, known from IOS XR. what does that mean, really? that doing changes over CLI, directly in the parser, you can edit/add/remove whole blocks of configuration before committing them to running/actual configuration. so in case when you edit interface IP addressing (always touchy moment, specially for devices you’re 300km away for example) the session could look like this:...

July 15, 2021 · Łukasz Bromirski

working rss

as I get old, seems I’m missing obvious signals. my logs were screaming about it, friends made touchy comments… and nothing. after moving to hugo, despite the fact it has built-in RSS feed support, I somehow missed that completely. fortunately, it’s enough to add template to your page definition and… it works. and that’s about it. that’s all. RSS works now. hurray.

May 6, 2021 · Łukasz Bromirski

freebsd rebuild

one of the most common, but at the same time easiest problems to solve, when you’re working with FreeBSD system installed on too small disk is rebuilding the system. in my specific case, it was very old i386 system initially installed around release 6 on a 20GB HDD. at around release 11 I ran out of tricks to pull and still make it, so had to finally add a disk. fortunately, just before that, the machine was moved from physical box to virtual machine....

February 4, 2021 · Łukasz Bromirski

connecting switches

after I decided to save you and myself from spying eyes of Google Analytics, I don’t really look at my blog web statistics. just glancing over logs shows you’re reading - and that’s about all if you ask me. I noticed however, that for some mysterious reason (the doc is almost two decades old!), my very old article about connecting the switches together still gets downloaded like 30-50 times a month (I’m counting only non-bot downloads), and sometimes even more often....

January 22, 2021 · Łukasz Bromirski

freebsd and git

FreeBSD just migrated to git, and while handbook is being updated, you can do the migration yourself. first of all, move original src directory (if you’re synchronizing over SVN) away, along with customized kernel config file. for my deployments I do: mv /usr/src /usr/src.old then, let’s install git - it’s not (yet) installed by default: pkg install git last, but not least, you need to invoke git to clone the source repository....

January 20, 2021 · Łukasz Bromirski

load sharing, part one

if you happen to have more than one internet connection and they have different usable bandwidths - which is no longer a rarity today - it becomes interesting element in network design. how would you use these links optimally? i have to admit, that i was provoked to sit down and write down this series of post by Marcin Ślęczek post on ccie.pl forum. Marcin is CEO of networkers.pl but by heart, he’s network engineer and sometimes fights with interesting problems....

January 7, 2021 · Łukasz Bromirski

Raspberry Pi 4 and its cooling

Raspberry Pi 4 that comes originally without any case, or can be bought with original case, can bring you headaches. it’s absolute great and genius computer (never ask me how many I own… ;) ) in version four has really very fast CPU - Broadcom BCM2711. it contains four ARM Cortex A72 cores clocked with up to 1.5GHz and dedicated GPU complex. problems people all around internet report problems however with overheating of this little beast, and what’s more - problems with getting stable 4k 60Hz video output (just remember, there are two video outputs, but 60Hz is only achievable on the socket next to USB-C power supply)....

December 30, 2020 · Łukasz Bromirski

technology is just a tool

…but tools have to be used responsibly. first of all, short disclaimer - I’d like to make it perfectly clear before we go into this long piece, that I’m a: …big fan of discussing merits of technology and technology overall. I love technology. I believe having opportunity to create networks, solutions that really connect people and give us chance to exchange information is something I could do for the rest of my life, with full focus and commitment....

December 28, 2020 · Łukasz Bromirski

FRRouting, OpenBGPd and BIRD

as you may have read recently I was playing with open source routing protocol packages again. from pure CLI familiarity reasons, I kept myself to FRRouting, which is evolution of Quagga, which itself is evolution of Zebra. and Zebra syntax and CLI is based on Cisco IOS. FRRouting thanks to Job Snijders for correcting me on the name - it’s no longer OpenFRR, it’s FRRouting. sorry! :) unfortunately, while it worked very well for my home network (FRRouting that is), when deploying in AS112 I hit some unexpected behaviors quite quickly after starting the project....

October 22, 2020 · Łukasz Bromirski

bgp in the lab #3

after last blog on sharing full bgp feed for IPv4, I got a number of interesting questions. given many of you were asking to have also IPv6 available, I decided to extend the project to cover that as well. disclaimer you’re doing this ON YOUR OWN. i’m not responsible for anything on your end and service itself. so if it crashes your router, makes all traffic to follow different paths, or essentially anything that you can’t control - you’re completely on your own....

October 7, 2020 · Łukasz Bromirski

world wide convergence of BGP

Daniel Dib asked recently on Twitter about BGP convergence time for world wide operations. two hours he got in response from his friend seemed a bit too long. I did recently help to spin up new ASN with new IPv4 prefix (well, both came from second hand, but you get the point) and as far as I could tell, propagation took around 15 minutes maximum. so in the interest of self-education, I started digging....

September 24, 2020 · Łukasz Bromirski

redundant IPv6 tunnel from HE with HSRP

one of the interesting and rarely seen configuration options, is ability to have redundant IPv6 tunnel established from source address tracked by HSRP. if you’re limited by other side of communication - in this example Hurricane Electric - to have only one endpoint of tunnel on your side that’s right tool for task. the way this configuration would work, is that router active in HSRP pair will be the one on which tunnel will be active and forwarding....

August 31, 2020 · Łukasz Bromirski

ISC DHCP, FreeBSD and VMWare ESXi

recently during casual browsing of WLAN controller i spotted that sometimes users are having problems with receiving responses from DHCP server. i was suprised, as family doesn’t complain - and they’d do that immediately. well, so i went troubleshooting element by element. obviously, switches were primary suspect. why? everything was working, and those DHCP problems were very, very rare - that may mean drops on switch interfaces. Cisco QoS configuration on Catalyst and Nexus switches is far from easy....

August 29, 2020 · Łukasz Bromirski

bgp in the lab #2

update this project is still on, but at different IP. please refer to this updated description. old post below recent thread on nanog@ list got me back to old project that i was thinking about long time ago. and here it is - i just launched free-of-charge, load-your-router-with-full-live-bgp-feed service :) if you’re interested in joining the free project, disregard the information below and jump directly to latest version here disclaimer you’re doing this ON YOUR OWN....

August 5, 2020 · Łukasz Bromirski

my home network #2

last post in the series about my home lab resulted in a number of interesting emails in my inbox. i have to admit that i really appreciate words of praise. as well as those with constructive, critical feedback :) so after short description what is connected where and how (see link above), let’s focus now on services. first and foremost - remember it’s “always DNS” ;) so let’s tackle that....

July 27, 2020 · Łukasz Bromirski

ASA and full BGP table(s)

while I already mentioned couple of times on this blog, that handling dynamic routing on firewall is asking yourself for unexpected problems, sometimes it’s needed. as Cisco, we don’t normally recommend using ASA or FTD boxes as full table BGP routers. not because they can’t be used in this role, but because we don’t believe it’s a good networking and security practice. here’s example from my home lab testing lab cluster of two ASA 5516-X, running 9....

March 21, 2020 · Łukasz Bromirski

my home network #1

as you can easily guess, i’m networking geek. my home network was thus built with hacking, not with ‘smallest footprint possible’ in mind. it’s great if you can test your “great” ideas before recommending them to anyone, and of course getting feel of new features is also a plus in this case. so, my first assumption was it has to be fast - fiber. both floors are connected with fiber network, that’s aggregated near front door, in the cloakroom....

April 22, 2018 · Łukasz Bromirski

you can't get enough space and speed

my 256GB SSD drive in MacPro 2013 started to fill up recently. i went on short googling to see how to extend it without relying on NAS of course. and i get nice offer. it seems that good people in the internet found a way to interface typical NVMe disk drives with the socket Apple uses. and so i became user of 1TB Samsung SSD drive. that upgrade gave me also speed bump - on encrypted drive transfers shoot up from 500MBbs (reading) and 380MBbs (writing) to 1....

March 12, 2018 · Łukasz Bromirski

it's hard to be a spammer

…if everyone is trying to make your life harder. couple weeks ago I refreshed my private email server on FreeBSD. for some time spam levels were raising and I had to do something about it. old spamassassin was not handling it accurately enough anymore. enter spamd from OpenBSD. current postfix has built in greylisting server that’s working quite well. for my installation I tuned it a bit, by extending period of time that has to pass from last delivery attempt (to 1200 seconds, which is 20 minutes):...

March 5, 2018 · Łukasz Bromirski

freenas and lsi

my old poor LSI 9211-8i RAID card, that was powering my cache NAS server, decided to die. my spare 9261-8i, to my complete suprise, was halting FreeNAS at the boot… and i was not able initially to troubleshoot the problem. it was dropping mysterious timeout errors: mfi0: COMMAND 0xfffffe000150dc08 TIMEOUT AFTER 59 SECONDS mfi0: COMMAND 0xfffffe000150dc90 TIMEOUT AFTER 59 SECONDS mfi0: COMMAND 0xfffffe000150dc18 TIMEOUT AFTER 59 SECONDS run_interrupt_driven_hooks: still waiting after 60 seconds for xpt_config my google-fu immediately shown me some potential solutions, but they were totally random nad kind of voodoo-magic (‘disable Firewire controller!...

April 17, 2017 · Łukasz Bromirski

please clock me timely!

during the last 30 years, processor speeds has increased from millions of cycles to billions - multiplied by multi-core and special mechanisms that increase the efficiency of working with ‘boring’ cores. Pentium 66 processor from 1993 contained 3.2 million transistors, which is anyway quite a value, considering they are packed into a space comparable to that of four dices - and contains one main unit. available today Xeon E5-2699v4 has 22 cores operating at nominal frequency 2....

February 8, 2017 · Łukasz Bromirski

FreeNAS and Samba - curious case of MacOS

FreeNAS is special edition of tuned-up FreeBSD, with GUI available over WWW to enable easy setup and maintenance. i had to migrate recently my old Synology 1815+ thanks to well known Intel SNAFU with Atom CPUs. interestingly enough, even Synology own service department declined to RMA the NAS, without even discussing the situation. so i managed to setup quickly 12x 3.5" bay server. i had five 3.5" 8TB HDDs from Synology that i wanted to rescue data from....

January 6, 2017 · Łukasz Bromirski

doing recert

every two (or three, depending how desperate you are) years, in life of every CCIE and CCDE there is this looming deadline called ‘recertification’. panic is usually short lived and ends with ‘push’ - succesful recertification. in variable styles and techniques, but successful nonetheless. i had opportunity recently to execute this dance. and wise words people say, that if you loose daily connection with networking gear and technologies, you very quickly loose and forget expert level skills....

October 3, 2015 · Łukasz Bromirski

this is how it should work

weekend at countryside kind of suprised me… :) so, Cisco 887VAGW+7-E-K9, a little configuration and here we are. ! chat-script gsm "" "AT!SCACT=1,1" TIMEOUT 15 "OK" ! interface Cellular0 ip address negotiated ip nat outside ip virtual-reassembly in encapsulation slip load-interval 30 dialer in-band dialer idle-timeout 300 dialer string gsm dialer-group 1 async mode interactive ! ip nat translation timeout 60 ip route 0.0.0.0 0.0.0.0 Cellular0 ! dialer-list 1 protocol ip permit !...

May 24, 2015 · Łukasz Bromirski

use keys, not passwords

it’s subject old as world (password-protected world, that is). i had to do some of cleanup on my devices and i hit a problem with 4096 bit keys. so, just as a reference that may be helpful somewhere for someone - you import keys to Cisco IOS without any special problems: router#conf t Enter configuration commands, one per line. End with CNTL/Z. router(config)#ip ssh pubkey-chain router(conf-ssh-pubkey)#username TEST router(conf-ssh-pubkey-user)#key-string router(conf-ssh-pubkey-data)#AAAAB3NzaC1yc2EAAAADAQABAAACAQDCiLBaopUwsFb9YJNhGqVYqBajlrH S/zwD6/yR6N8VcRzrpqMMNCFXe1q5GMGM[...]ANWInd9GHBjTzbJWVwavxy1ooQewii8ErofZuv1l/SXSdXLzfL p0zMoZ0L+BNPS0j4XBS0N3t8Vl8oVixqIeG2BNTCNaDDt6hx2Q== lukasz@bromirski....

April 1, 2015 · Łukasz Bromirski

because you can't just have one CPU...

…workstation requires two! ;) i had some time over Christmas to finally build myself following beast: Asus Z9PE-D8 WS (BIOS 5304, original 3304 had some interesting bugs Xeon E5 2660 (Sandy Bridge EP/EX) - 16 cores, 32 HT Corsair H80i for CPU cooling 64GB RAMu (8x 8GB DDR3 1600 ECC) OWC 480GB PCIe - has two 240GB blades in RAID0 Corsair Obsidian 900D 2x Seagate 4TB HDD [6x Samsung 2TB] LSI 9261-8i to drive those mechanical disks in RAID5 Creative SB ZX AMD Radeon 7970 connected to three Dell U2412 monitors Intel x520 NIC connected to Catalyst 2960S and to other workstation - Xeon 5670, 48GB RAMu, OWC 240GB as boot and two 2TB RAID0 disks as RAID0 for ESXi 5....

February 1, 2014 · Łukasz Bromirski

vmware - again

you spend a lot of time preparing OVA to save time in future and enable cloning. then, during importing to remote ESXi you get following error message: Failed to deploy OVF package: The task was canceled by a user.. i didnt’ cancel anything! it’s frustrating, and it seems its a small problem on import format side, not on user side. OVA is simple ZIP file that can be unpacked, so you should do so....

November 10, 2013 · Łukasz Bromirski