bgp blackholing is back

BGP Blackholing is back - with small steps (‘better done than perfect’). go ahead and visit the current project page with “quick howto”. happy blackholing!

February 28, 2022 · Łukasz Bromirski

nice peak info in BGP summary view

nice addition to recent IOS-XE images is the info in BGP view when the peak number of prefixes was received: rtr-edge#sh bgp ipv4 unicast summary [...] 6807 received paths for inbound soft reconfiguration BGP activity 1126906/107856 prefixes, 1337822/171863 paths, scan interval 60 secs 878960 networks peaked at 15:02:09 Jan 29 2022 CET (22:53:01.065 ago) [...] rtr-edge#sh bgp ipv6 unicast summary [...] BGP using 102467162 total bytes of memory BGP activity 1126898/107856 prefixes, 1337806/171843 paths, scan interval 60 secs 140720 networks peaked at 05:46:19 Jan 29 2022 CET (1d08h ago) [....

February 3, 2022 · Łukasz Bromirski

ctrl-break the new (old) way

one of the very old tricks, that’s even documented is how to simulate ctrl-break on newer PCs to break into ROMMON during router/switch boot. instead of fighting with SecureCRT on MacOS, I just used it recently. basically, you: disconnect terminal from the device turn device off set terminal to 1200 (yes, you read this right), 8N1 and no flow control turn device on press SPACE for 10-15 seconds (basically, until your terminal drops out some unreadable characters) reconfig terminal to 9600 8N1 and you should be in ROMMON yes, I’m old....

January 20, 2022 · Łukasz Bromirski

two-stage commit config for NX-OS

if you’re not accustomed to reading release notes for your favorite platform (Nexus NX-OS in this case), probably you already overlooked that starting with 10.1(2) there’s 2-stage commit system, known from IOS XR. what does that mean, really? that doing changes over CLI, directly in the parser, you can edit/add/remove whole blocks of configuration before committing them to running/actual configuration. so in case when you edit interface IP addressing (always touchy moment, specially for devices you’re 300km away for example) the session could look like this:...

July 15, 2021 · Łukasz Bromirski

rozmowa KONtrolowana

I was invited by Adam Lange and Adam Haertle to share my story in “rozmowa KONtrolowana” podcast (in Polish). I’d like to thank both of them and of course all of participants for invitation, leading it, questions and nice way to spend time in familiar, geeky environment :) now - just view/listen to it your favorite format :)

May 16, 2021 · Łukasz Bromirski

ipv6 for the rescue

one of the benefits of having (and master) IPv6 is the fact, that it’s completely separate protocol from IPv4. please take a moment to think about it now. take special care about completely separate protocol. in case of doubt, read this again but slower. you can also make smart face or write it down and use next time you’re on some kind of C-level panel. practical effects on practical example this just happened, couple of hours ago....

April 15, 2021 · Łukasz Bromirski

load sharing, part one

if you happen to have more than one internet connection and they have different usable bandwidths - which is no longer a rarity today - it becomes interesting element in network design. how would you use these links optimally? i have to admit, that i was provoked to sit down and write down this series of post by Marcin Ślęczek post on ccie.pl forum. Marcin is CEO of networkers.pl but by heart, he’s network engineer and sometimes fights with interesting problems....

January 7, 2021 · Łukasz Bromirski

technology is just a tool

…but tools have to be used responsibly. first of all, short disclaimer - I’d like to make it perfectly clear before we go into this long piece, that I’m a: …big fan of discussing merits of technology and technology overall. I love technology. I believe having opportunity to create networks, solutions that really connect people and give us chance to exchange information is something I could do for the rest of my life, with full focus and commitment....

December 28, 2020 · Łukasz Bromirski

FRRouting, OpenBGPd and BIRD

as you may have read recently I was playing with open source routing protocol packages again. from pure CLI familiarity reasons, I kept myself to FRRouting, which is evolution of Quagga, which itself is evolution of Zebra. and Zebra syntax and CLI is based on Cisco IOS. FRRouting thanks to Job Snijders for correcting me on the name - it’s no longer OpenFRR, it’s FRRouting. sorry! :) unfortunately, while it worked very well for my home network (FRRouting that is), when deploying in AS112 I hit some unexpected behaviors quite quickly after starting the project....

October 22, 2020 · Łukasz Bromirski

bgp in the lab #3

after last blog on sharing full bgp feed for IPv4, I got a number of interesting questions. given many of you were asking to have also IPv6 available, I decided to extend the project to cover that as well. disclaimer you’re doing this ON YOUR OWN. i’m not responsible for anything on your end and service itself. so if it crashes your router, makes all traffic to follow different paths, or essentially anything that you can’t control - you’re completely on your own....

October 7, 2020 · Łukasz Bromirski

AS112

thanks to inspiration from Robert Woźny, i’ve just launched two separate AS112 sites in Poland. that would never be possible without great folks at ATMAN: Sebastian Olejnik and Damian Nowacki …and at EPIX: Krzysztof Czuszek and Paweł Staszewski what is AS112 all about? as112 AS112 is world-wide project that sinkholes requests coming in from misbehaving or misconfigured DNS clients (which may be your home PC but also some enterprise-y workstation). they send queries looking for answers to questions like “what’s the name of 192....

September 29, 2020 · Łukasz Bromirski

PLNOG #25

starting from tomorrow, we’re launching another edition of PLNOG conference. as usually, I’d like to invite you to join us. I’ll be delivering session about Segment Routing with Piotr Jabłoński during second day of the conference, at 4:15pm. as Segment Routing was already covered couple of times, we’ll focus on practical deployment guide in existing networks. I’ll be also demoing some of the aspects we’ll cover live during the session....

September 27, 2020 · Łukasz Bromirski

redundant IPv6 tunnel from HE with HSRP

one of the interesting and rarely seen configuration options, is ability to have redundant IPv6 tunnel established from source address tracked by HSRP. if you’re limited by other side of communication - in this example Hurricane Electric - to have only one endpoint of tunnel on your side that’s right tool for task. the way this configuration would work, is that router active in HSRP pair will be the one on which tunnel will be active and forwarding....

August 31, 2020 · Łukasz Bromirski

ISC DHCP, FreeBSD and VMWare ESXi

recently during casual browsing of WLAN controller i spotted that sometimes users are having problems with receiving responses from DHCP server. i was suprised, as family doesn’t complain - and they’d do that immediately. well, so i went troubleshooting element by element. obviously, switches were primary suspect. why? everything was working, and those DHCP problems were very, very rare - that may mean drops on switch interfaces. Cisco QoS configuration on Catalyst and Nexus switches is far from easy....

August 29, 2020 · Łukasz Bromirski

bgp in the lab #2

update this project is still on, but at different IP. please refer to this updated description. old post below recent thread on nanog@ list got me back to old project that i was thinking about long time ago. and here it is - i just launched free-of-charge, load-your-router-with-full-live-bgp-feed service :) if you’re interested in joining the free project, disregard the information below and jump directly to latest version here disclaimer you’re doing this ON YOUR OWN....

August 5, 2020 · Łukasz Bromirski

ASA and full BGP table(s)

while I already mentioned couple of times on this blog, that handling dynamic routing on firewall is asking yourself for unexpected problems, sometimes it’s needed. as Cisco, we don’t normally recommend using ASA or FTD boxes as full table BGP routers. not because they can’t be used in this role, but because we don’t believe it’s a good networking and security practice. here’s example from my home lab testing lab cluster of two ASA 5516-X, running 9....

March 21, 2020 · Łukasz Bromirski

scaling VPNs for remote workers

due to COVID-19 outbreak, we’ve been flooded with request to provide assistance with deploying secure connectivity for remote workers. in some organizations number of remote workers grown from 0 to 7000-10000 in week. some others are serving today over 30000, and here at Cisco, we’re working mostly out of home those days (over 100k people!). thanks to help from my fellow engineers and specialists, we were able to publish following guides, related to building and scaling out VPN headends - both hardware and virtual:...

March 21, 2020 · Łukasz Bromirski

SDN Affinity

recently thanks to Robert Pająk i’ve had an opportunity to speak at fall edition of Akamai Affinity. as the request was to cover the networking side of innovation, i did my best. actually, that was not so recently - back in november last year, to be exact. but indeed quite recently we’ve released news about our 400Gbit/s switch and on the Cisco Live! at Barcelona we’ve demonstrated for the first time ACI evolution - ACI Anywhere....

February 1, 2019 · Łukasz Bromirski

PLNOG #20

plnog, plnog and… it’s gone. twentieth edition - how the time flies… from the beginning we knew it may be hard, but we can make it. ’let’s target 60 people!’ was the second decision after we agreed to ‘do this’ and create PLNOG. 124 of you showed up. i don’t really remember all of the things that happened that day. and that was only 10 years ago! i remember only the fact, that we couldn’t fit you in one of the Cracows Wawel room that Andrzejs team was able to secure for this experiment....

March 26, 2018 · Łukasz Bromirski

we're getting older...

NASA spent recently a lot of effort (and i suspect - money) to find Fortran proficient developer to rewrite code working still on Voyager. ideal candidate was found finally at NASA. this begs a question - how much you can do in Fortran having 64kB of RAM and less than 3W of power? it’s completely different task than our typical computers, not to mention bad practices they learn to junior developers due to abundance of hardware resources....

January 13, 2017 · Łukasz Bromirski

OpenSSH 7

OpenSSH 7 among other things discontinued older key exchange protocols for Diffie-Hellmans group 1 (diffie-hellman-group1-sha1). we already know that it can be compromised by executing attack known as Logjam. that’s all good and nice, until you try to connect to such device using newly upgraded SSH. if your device doesn’t support DH group 1 key exchange, you need to upgrade software. if you already have software capable of doing so, it needs to be configured on the box....

October 3, 2016 · Łukasz Bromirski

this is how it should work

weekend at countryside kind of suprised me… :) so, Cisco 887VAGW+7-E-K9, a little configuration and here we are. ! chat-script gsm "" "AT!SCACT=1,1" TIMEOUT 15 "OK" ! interface Cellular0 ip address negotiated ip nat outside ip virtual-reassembly in encapsulation slip load-interval 30 dialer in-band dialer idle-timeout 300 dialer string gsm dialer-group 1 async mode interactive ! ip nat translation timeout 60 ip route 0.0.0.0 0.0.0.0 Cellular0 ! dialer-list 1 protocol ip permit !...

May 24, 2015 · Łukasz Bromirski

daily "top" for spam and malware

it’s interesting to take a look. and then a second look - as a lot of well known networks and hosts appear on those maps: SenderBase malware SenderBase spam and for general SenderBase reports, biggest threat intelligence network go here: SenderBase

May 13, 2015 · Łukasz Bromirski

ietf and new ideas

while looking through recent IETF meeting notes i found interesting idea - splitting OSPF area zero without incurring outage. it’s very interesting idea for flawless, in-service migrations. on the other side, another OSPF concept that I was afraid somebody will bring up is… enabling FlowSpec capabilities. oh my… also, overlay networking effort is gaining grounds, with architectural choices as well as security. it’s interesting how much longer it will take....

January 8, 2015 · Łukasz Bromirski

interesting data..

…on the performance of virtualized network stack different cloud providers. plus - couple of slides and some speculations about how AWS is built.

November 24, 2014 · Łukasz Bromirski

AOL still gets a lot money from...

…people using dialup connections. those poor people stay need them to take advantage of restricted Internet services provided by AOL. a year ago at that time, still around 2.6 million of US citizens were connecting to internet that way. …and you think that your 1Mbps upstream link is not enough? ;P

August 8, 2014 · Łukasz Bromirski

standards...

…or who needs them anyway today? there’s interesting article written down by one of Google employees, that perfectly describes how ineffective today standard bodies are, and how less and less influence they have on the market. cisco decided to spearhead new solutions without waiting for multi-year discussions, true to the ‘good description and working code’ motto. if we wouldn’t be doing that, there would be no PVLANs, FabricPath (TRILL) but also protocols like LDP or HSRP/VRRP/GLBP....

May 22, 2014 · Łukasz Bromirski

ASA 9.2(1)

…supports BGP and it’s already out. do you like BGP on your firewalls? i don’t. should we have the tool in hand, just in case? well, sometimes it’s handy. but going back again - do you like BGP on your firewalls? ;)

April 27, 2014 · Łukasz Bromirski

ipv6... once again in bad spotlight

all memory and CPU related features in IPv6 world is major challenge even for modern hardware. unfortunately this is emphasized with lack of best practices followed by developers writing code. i just noticed there’s Microsoft Windows problem with IPv6 RA. it seems that actual problem is not limited only to RA, but actually - to the whole networking stack when working with link-local addresses. under Microsoft Windows code is allocating memory pretty recklessly....

April 1, 2014 · Łukasz Bromirski

CCDE bootcamp

it will be unique opportunity in Poland and in this part of Europe. with group of my dear friends and design masters - Piotr Jabłoński, Sebastian Pasternacki and Piotr Matusiak i’ll be delivering bootcamp-type of training for CCDE. we’re starting on 5th of may - and you can find more details here.

February 28, 2014 · Łukasz Bromirski