when china wants to lead

it’s interesting to see the proposal submitted to the ITU by two “freedom stars” of authoritarian China - Huawei and China Telecom. on the surface the proposal clearly speaks about future societal needs and the development of new, improved technologies that - in the process - would make current IP obsolete. it’s easy to see, however, that first of all the proposal contains a lot of old ideas that are already implemented (LISP, mobile IP and IPv6 itself, just to name a few). in addition, it puts a lot of emphasis on “security” - with authentication of users being the central idea. all while touting “decentralization” and “strong trust relationships”. while the technical merits of the proposal itself are weak and often misguided (look for yourself - proposal is here and the IETF answer here), I can’t help but wonder: how can companies that are known for being engaged in stealing intellectual property and hijacking internet traffic be at the same time the ones proposing such changes? just to make a point maybe? ...

April 16, 2020 · Łukasz Bromirski

bored waiting for scp to complete?

if you, like me, get bored immediately after you execute copy scp x y, you’ll likely be happy to know that we’re introducing changes in the TCP/IP stack responsible for SCP operations. in NX-OS, beginning in 9.3(1), while copying using scp you can add use-kstack, like this:

nxos-switch#copy scp://192.168.0.1/nxos.bin bootflash: use-kstack

in IOS-XE, starting from 17.2(1), it’s possible to achieve a similar speed-up effect by globally enabling ip ssh bulk-mode. the same copy operation should speed up 4-5x. ...

March 26, 2020 · Łukasz Bromirski

ASA and full BGP table(s)

while I’ve already mentioned a couple of times on this blog that handling dynamic routing on a firewall is asking for unexpected problems, sometimes it’s needed. as Cisco, we don’t normally recommend using ASA or FTD boxes as full table BGP routers. not because they can’t be used in this role, but because we don’t believe it’s a good networking and security practice. here’s an example from my home lab, testing a lab cluster of two ASA 5516-X, running 9.13(1) and getting a full BGP feed from my upstream ASR 1001-X router: ...

March 21, 2020 · Łukasz Bromirski

scaling VPNs for remote workers

due to the COVID-19 outbreak, we’ve been flooded with requests to provide assistance with deploying secure connectivity for remote workers. in some organizations the number of remote workers has grown from 0 to 7000-10000 in a week. some others are serving over 30000 today, and here at Cisco, we’re working mostly from home these days (over 100k people!). thanks to help from my fellow engineers and specialists, we were able to publish the following guides, related to building and scaling out VPN headends - both hardware and virtual: ...

March 21, 2020 · Łukasz Bromirski

changing lanes

after the last 13 years spent at Cisco Systems Poland, working in the “field”, I decided it’s prime time for something new. something that can challenge me and give back that sense of new adventure. having the opportunity to spend all that time with great people, learning a lot and experiencing even more, was great fun. i went through the full country chain - from “simple” Systems Engineer, to Architecture Lead, Systems Engineer Manager, then Regional Sales Manager (driving 2/3rds of country business operations) and finally Country Systems Engineer Manager and CTO. those thirteen years bring together the best moments (like the ability to see your interns grow into SEs and then develop in different roles, or meeting Customers and Partners at countless conferences and events, including Cisco Forum and Cisco Connect) and some of the most challenging and stressful in my life as well. living with the weight of your decisions and learning from your own errors, taking ownership of having those hard 1:1 discussions… and ultimately also having to let some people go was really a steep learning curve (and opportunity) i won’t ever forget. some day i may share some of my observations - it’s still too early, I believe. ...

October 6, 2019 · Łukasz Bromirski

april musings

the last couple of weeks were quite hectic. I’m working on rebuilding the BGP blackholing infrastructure (yes, that’s the old site, along with an old, expired certificate), along with some extras (like AS112 and RPKI services). the job is like 40% done, with scripts completely rewritten in Python, and the ‘only’ part missing being infra (virtualized and not-so-much) and the WWW portal. at the same time, I committed a long time ago to a new project with failure post-mortem analysis on our netdesign.zone, which by itself waits for a refresh of the underlying infrastructure (this may also end up migrating to Hugo from WordPress). ...

April 8, 2019 · Łukasz Bromirski

site migration (again)

as it’s easy to notice, I did a site migration. instead of moving to WordPress however (which was the original plan), i decided to follow a more ambitious path, and deploy the Hugo platform, supported by Go… and static page generation (yeah!). Hugo itself supports i18n, so it provides the most important functionality. it doesn’t hurt that this solution also frees me from continuous tinkering in PHP and SQL :)

February 14, 2019 · Łukasz Bromirski

SDN Affinity

recently, thanks to Robert Pająk, i’ve had an opportunity to speak at the fall edition of Akamai Affinity. as the request was to cover the networking side of innovation, i did my best. actually, that was not so recently - back in november last year, to be exact. but indeed quite recently we’ve released news about our 400Gbit/s switch, and at Cisco Live! in Barcelona we’ve demonstrated for the first time the ACI evolution - ACI Anywhere. ACI evolves to bridge hardware and software worlds in more flexible ways, and its latest release enables the whole set of functions with pure software solutions (aka ‘cloud’). ...

February 1, 2019 · Łukasz Bromirski

it's not always that everything goes well ...

…and in particular, often goes very badly. not only in life in general, but also in the IT world :) you probably have dozens of stories to tell, if not hundreds. someone configured the port badly, everything worked until it stopped … and when it stopped, it dragged the whole network down with it. big time. whole data center. why do we make the same mistakes all the time? automation slightly improves the situation, but sometimes it may dramatically speed up things going bad. I have already written about the ‘black box’ method - we do not use it in IT. yes, we met during various ‘fuckup nights’ type of events (kudos to Bartek Górczyński, who, using his extensive experience of many drama cases in IT, spoke bluntly and openly), but for ‘hard’ infrastructure - there is not much, and if there is, it is treated as an example rather than a ready recipe for what conclusions to draw. Andrzej Gab and Robert Woźny started to organize such a cycle at PLNOG. ...

December 30, 2018 · Łukasz Bromirski

boost license in ISR 4000 routers

ISR 4000s have the capability to “license” throughput. the solution was built this way with a clear goal in mind. previously it was hard to estimate how a given router would perform under some random set of features. CPU-driven routers by themselves have a lot of challenges to address, so measuring performance and then sticking to it with each and every new software release was simply unrealistic. we published “kpps” numbers, but then got heat from our Customers when performance was lower with each and every enabled service. with ISR 4000 we decided to go a different route - the router is “good” for up to a specific bandwidth - with all services enabled. that means it can go faster, but initially we limited this capability. ...

December 10, 2018 · Łukasz Bromirski