trueneutral
https://www.trueneutral.eu/
2021-11-25T05:00:00+00:00

On software versions and the brittleness of tools
2021-11-25T05:00:00+00:00 | red | tag:www.trueneutral.eu,2021-11-25:2021/brittle-tools.html
<p>I happened to stumble into a troubleshooting session where one person was trying to set up a container based development environment in order to do some work with Python 2.7 and Ansible. It was very stubbornly not working, and, while discussing various avenues of investigation (is it the Ansible version, the virtual environment, is poetry doing something etc.), I also decided to ask why - more specifically "Why Python 2.7?". The resulting discussion and tweets are the main catalyst for this post.</p>

A Usable And Good Looking Automation Environment On Windows
2021-06-06T05:00:00+01:00 | red | tag:www.trueneutral.eu,2021-06-06:2021/win-proper-env.html
<p>About seven years later, I think it's high time for an update to one of the most useful (judging by views and search traffic) articles on this blog: <a href="https://www.trueneutral.eu/2014/win-proper-term.html">A Usable And Good Looking Shell On Windows</a>. Things have improved massively in Windows 10 with the introduction of WSL (Windows Subsystem for Linux), the Windows Terminal, and VSCode Remote integrations.</p>

Ansible's truthy booleans
2019-10-31T05:00:00+00:00 | red | tag:www.trueneutral.eu,2019-10-31:2019/ansible-truthy-filter.html
<p>It all started with a question about Ansible - someone was getting a False when they were expecting a True after converting a variable using the <code>bool</code> filter.
The solution to that particular problem was fairly easily found, but one additional detail caused me to go down the proverbial rabbit hole.</p>

The tyranny of the enterprise laptop
2019-04-10T05:00:00+01:00 | red | tag:www.trueneutral.eu,2019-04-10:2019/tyranny-enterprise-laptop.html
<p>Every (networking related) event or conference out there has at least some talk about automation - with the audience divided into people who are <strong>politely interested</strong>, because they have been doing it for years... and the others who never wrote one line of code in their life, watching with <strong>desperation in their eyes</strong> yet another presentation they don't really understand heralding the end of their careers as they know it. There's a lot of FUD (fear, uncertainty and doubt) out there and it's driven by the "expert tech journalist" mouthpieces and non-stop marketing machines, but as with all things the noise has an effect on people. And not a beneficial one. <strong>So as a network admin, operator, engineer, architect, what are you to do?</strong></p>

iNOG at three and a half
2019-02-20T05:00:00+00:00 | red | tag:www.trueneutral.eu,2019-02-20:2019/inog-2019.html
<p>The last time I wrote about iNOG here was 3 (<strong>!</strong>) years ago. Time flies when you're having fun, huh. Back then, our community was 6 months old and we had absolutely no idea what an amazing ride it would end up being.</p>

Backing up configs to git with ansible
2019-02-15T05:00:00+00:00 | red | tag:www.trueneutral.eu,2019-02-15:2019/ansible-cfg-git.html
<p>Taking regular snapshots of device configuration is something everyone hopefully does, but having them in a version control system as text files provides all the benefits of a full revision history.
Depending on the front-end you might even get good looking diffs, and all that for very little effort!</p>

Stories from the Quantum Hackathon, RIPE77 & RONOG5
2018-11-21T05:00:00+00:00 | red | tag:www.trueneutral.eu,2018-11-21:2018/ripe77-quantum-ro5.html
<p>The middle of October saw a flurry of fun tech events, all concentrated in the span of a week and a half. It all started in Amsterdam with the <strong><a href="https://labs.ripe.net/Members/becha/join-the-quantum-internet-hackathon-2018">RIPE+QuTech Quantum Internet Hackathon</a></strong> for a weekend full of... errr uncertainty (at least for me, read on and you'll find out why), leading into five full days of wonderful <strong><a href="https://ripe77.ripe.net/archives/">RIPE77 meeting</a></strong> and culminating with a short trip to Bucharest for the fifth yearly <strong><a href="https://www.ronog.ro/">RONOG meeting</a></strong>!</p>

A recap of RIPE76
2018-05-30T05:00:00+01:00 | red | tag:www.trueneutral.eu,2018-05-30:2018/ripe76.html
<p>It's May 2018, on the south coast of France. Several hundred people are converging (heh) on Marseille for a <strong><a href="https://ripe76.ripe.net/">week-long event</a></strong>, filled with tech talks, policy, discussions about the future (and past) of the Internet, questions and comments and statements, <a href="https://twitter.com/JobSnijders/status/994872393117196290">cheese</a> and a lot of socializing with like-minded people. Below you will find my record and impressions of this trip, together with a few photos and links to other write-ups.</p>

A tiny flask WebApp blueprint
2018-02-26T05:00:00+00:00 | red | tag:www.trueneutral.eu,2018-02-26:2018/tiny-flask.html
<p>Python scripts are great for getting stuff done (especially repetitive tasks or pulling and aggregating information).
In some cases it makes a lot of sense to put a minimal graphical interface on top so that others can enjoy the results of said scripts without having to bother with all the details of actually running them.</p>

NX-OSv 9000 Automation (3)
2018-02-05T05:00:00+00:00 | red | tag:www.trueneutral.eu,2018-02-05:2018/nxosv-3.html
<p>I've been documenting my quest to make building and destroying a local lab using NXOSv 9000 as painless as possible in <strong><a href="https://www.trueneutral.eu/2017/nxosv-1.html">part 1</a></strong> and <strong><a href="https://www.trueneutral.eu/2017/nxosv-2.html">part 2</a></strong>. This post is pretty much the <strong>TL;DR</strong> of the series, as in the meantime I figured out the best way to run multiple instances of this image through Vagrant. So here's what I've been using for the past half year together with a few Ansible playbooks to perform some basic but very necessary tasks.</p>

Docker overlays on Cisco ACI
2018-01-04T05:00:00+00:00 | red | tag:www.trueneutral.eu,2018-01-04:2018/docker-overlay-aci.html
<p>I started the new year troubleshooting Docker Overlay network traffic pushed through a Cisco ACI fabric that was not working despite physical connectivity and contracts being in place. Or so we thought...
as VXLAN encapsulated packets (used by Docker overlays) do not follow the usual expected pattern.</p>

Notes: Docker Networking
2017-12-07T05:00:00+00:00 | red | tag:www.trueneutral.eu,2017-11-27:2017/docker-networking.html
<p>I've been having a lot of fun recently with <strong><a href="https://www.docker.com/what-docker">Docker containers</a></strong>, from packaging and running my own Python scripts, to building the <strong><a href="https://github.com/inognet/pocketinternet">Pocket Internet</a></strong> proof of concept at the recent RIPE Hackathon and, finally, designing a solution for integrating a multi-datacentre, multi-environment <strong>Docker Swarm</strong> with a <strong>Cisco ACI</strong> fabric and the rest of the network for one of my customers. Below you will find my notes accumulated from going through official documentation, blog posts and experimentation in the lab.</p>

NX-OSv 9000 Automation (2)
2017-06-23T05:00:00+01:00 | red | tag:www.trueneutral.eu,2017-06-23:2017/nxosv-2.html
<p>In <strong><a href="https://www.trueneutral.eu/2017/nxosv-1.html">part one</a></strong> of this series we looked at starting up a couple of Nexus9000v machines using a tool called <code>vagrant</code>. It went OK, but we had some unfinished business. In this post we'll look at how I try to address the MAC address issues and run my first <code>ansible</code> playbook against this lab.</p>

NX-OSv 9000 Automation (1)
2017-05-31T05:00:00+01:00 | red | tag:www.trueneutral.eu,2017-05-31:2017/nxosv-1.html
<p>A recent tweet caught my eye: a new version of NX-OSv was available, together with instructions on setting it up in <strong><a href="https://www.vagrantup.com/">vagrant</a></strong>.
Very good timing too, as I'm building automation (a bit of orchestration and a lot of validation) for a couple projects including for both the 7K and the 9K flavours of NX-API and could really use a decent machine-local lab.</p>

Response: CCDE May 2017 Cancellation
2017-05-14T05:00:00+01:00 | red | tag:www.trueneutral.eu,2017-05-14:2017/ccde-integrity.html
<p>The CCDE (Cisco Certified Design Expert) practical exam scheduled for May 11th 2017 has been cancelled globally. This is a heads-up for <strong><a href="http://packetpushers.net/ccde-integrity-transparency-trust/">the article I've written on Packet Pushers</a></strong> about integrity, transparency and trust (with a call to action for Cisco) in the context of last week's events.</p>

NetEngCode Hack at Facebook (1)
2017-04-23T05:00:00+01:00 | red | tag:www.trueneutral.eu,2017-04-23:2017/netengcodehack-1.html
<p>Today I attended my first ever hack, set up by our good friends in the neteng team in Facebook Dublin. And it was great geeky fun, very well organized, 10/10 will hack again!</p>

MACsec performance
2017-03-23T05:00:00+00:00 | red | tag:www.trueneutral.eu,2017-03-23:2017/macsec-perf.html
<p>In a previous post I wrote about what raw <strong><a href="https://www.trueneutral.eu/2016/ssl-performance.html">SSL Performance</a></strong> looks like on a server, briefly mentioning network level encryption methods. I thought I'd post a brief note on some implications of using MACsec after watching a rather informative <strong><a href="https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=89130&backBtn=true">Cisco Live session</a></strong> on the topic.</p>

Python and Git on Windows
2017-03-17T05:00:00+00:00 | red | tag:www.trueneutral.eu,2017-03-17:2017/python-git-win.html
<p>I do most of my development under Linux so I have <code>python</code> out of the box and <code>git</code> is only an <code>apt install</code> away.
But recently a colleague needed to generate configs based on templates built by yours truly (Jinja2 syntax) so I pointed him at <strong><a href="https://github.com/cmsirbu/gencfg">my gencfg script on GitHub</a></strong>. What I realized only later was that he only had a Windows machine and no idea how to create an environment to fetch repositories, install dependencies and run python scripts. Let's fix that.</p>

DMVPN-over-Mobile Blues
2017-02-11T05:00:00+00:00 | red | tag:www.trueneutral.eu,2017-02-11:2017/dmvpn-mobile-blues.html
<p>It all started a while ago with a log message found on the hub of a large DMVPN/IPSEC deployment over mobile Internet connections. Given the increasing number of deployments that use the Internet as a cheaper, faster WAN for either primary or backup, I thought it would be useful to document the problems and the two main solutions.</p>

BFD on Individual EtherChannel Members
2017-02-01T05:00:00+00:00 | red | tag:www.trueneutral.eu,2017-02-01:2017/bfd-etherchannel.html
<p>I was recently watching <strong><a href="https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=90789&backBtn=true">BRKDCT-2333 - Data Center Network Failure Detection</a></strong> and, after going through the usual suspects - L1 (carrier loss, link signaling), L2 (LACP, UDLD, CFM/Link-OAM), L3 (protocol keepalives, BFD) - the presenter talks about BFD over EtherChannel. But not only for node protection (see below), but for link protection as well, running micro-BFD sessions on each individual EtherChannel member.
After understanding how it is done, I started wondering <strong>what's the point (tangible benefit) of using this feature</strong>?</p>

Defining an improved WAN
2017-02-01T05:00:00+00:00 | red | tag:www.trueneutral.eu,2016-11-02:2016/improved-wan.html
<p>In the past couple of years I've had quite a bit of exposure to customers with large WANs in various industries (many non-IT centric) - with xDSL and DMVPN/FlexVPN playing a big role alongside simpler things like fibre based L3VPN and Internet access. I'm going to stay away from SD-anything because they are often vague marketing loaded terms, but that doesn't stop me from asking: <strong>what would an improved WAN offering look like?</strong> By <em>improved</em> I mean that it solves some of the challenges we're facing today (technical, user experience, cost, deployment etc.) or makes a big impact on customer experience.</p>

Response: Riot Games and the Internet
2016-10-03T05:00:00+01:00 | red | tag:www.trueneutral.eu,2016-10-03:2016/response-riot-fix-internet.html
<p>Our last <strong><a href="https://inog.net">iNOG</a></strong> meeting was hosted by Riot Games (was a blast, check out the <strong><a href="https://www.youtube.com/watch?v=fS_q7o98JKI">recording here</a></strong>) - and as part of getting to know them I found out that they have a pretty interesting <strong><a href="https://engineering.riotgames.com">engineering blog</a></strong> out there with long, well written posts.
Only yesterday I managed to read through their network oriented posts and I can recommend <strong><a href="https://engineering.riotgames.com/news/fixing-internet-real-time-applications-part-i">Fixing the Internet ...</a></strong></p>

SSL Performance
2016-09-26T05:00:00+01:00 | red | tag:www.trueneutral.eu,2016-09-26:2016/ssl-performance.html
<p>In a recent discussion with fellow network engineers about encryption in a DC network, I made an observation that in some cases it might be better to simply enforce end-to-end encryption directly between applications rather than in the underlying infrastructure (MACsec, IPSEC etc.). Looking at MACsec for example, as crypto is done by the ASIC, the general opinion was that it must be faster than doing it on a server CPU. But having no real data or comparison of that, I decided to dig a bit deeper.</p>

Automation, one step at a time (1)
2016-03-24T05:00:00+00:00 | red | tag:www.trueneutral.eu,2016-03-24:2016/automation-one-step-1.html
<p>Not long ago I did a short demo at the sixth <strong><a href="https://inog.net">iNOG</a></strong> meeting, which saw around one hundred netengs get together at Facebook's Dublin HQ for an amazing evening. The point of the demo was to show people how easy it is to write a bit of code to quickly generate device configuration from a template.</p>

iNOG in 2015
2016-01-12T05:00:00+00:00 | red | tag:www.trueneutral.eu,2016-01-12:2016/inog-2015.html
<p>I did plan to write about this during the break, I swear, but somehow all that good food and drink back home got in the way of... well, words.
We did end the year with a bang here at the <strong><a href="https://inog.net">Ireland Network Operators Group</a></strong> and I wanted to share how our community grew <strong><a href="https://www.trueneutral.eu/2015/introducing-inog.html">from 5</a></strong> to 130 in about 6 months.</p>

WILTW: Better encryption & bad 4G modems (6)
2015-12-09T05:00:00+00:00 | red | tag:www.trueneutral.eu,2015-12-09:2015/wiltw-6.html
<p><strong>WILTW</strong> (What I Learned This Week) is a (hopefully) never-ending series of mini-posts, once a week, until the end of time. Terms and holidays apply.</p>

RIPE71 (3)
2015-11-24T05:00:00+00:00 | red | tag:www.trueneutral.eu,2015-11-24:2015/ripe71-3.html
<p>Well what do you know, the week has ended and we're all back to our normal lives. There are a few things worth mentioning from day four of the meeting, apart from the usual chatting with interesting people and the scrumptious dinner at the Palace of the Parliament.</p>
<p>We've been very busy here at <strong><a href="https://ripe71.ripe.net/">RIPE71</a></strong>, as you might ...</p>

RIPE71 (2)
2015-11-24T05:00:00+00:00 | red | tag:www.trueneutral.eu,2015-11-18:2015/ripe71-2.html
<p>Two days and a big pile of notes later, it's time to write about what happened Tuesday and Wednesday here at <strong><a href="https://ripe71.ripe.net/">RIPE71</a></strong>. There's no replacement for actually being here (and getting to talk to so many smart people) but if you couldn't make it then all talks are recorded and <strong><a href="https://ripe71.ripe.net/archives/">made available online</a></strong>, together with the slides ...</p>

RIPE71 (1)
2015-11-19T05:00:00+00:00 | red | tag:www.trueneutral.eu,2015-11-16:2015/ripe71-1.html
<p>Today saw the start (with bells and whistles and awkward dancing) of the <strong><a href="https://ripe71.ripe.net/">71st RIPE meeting</a></strong> in my home town of Bucureşti! There's no better way to attend what's my first full meeting (only been for a day to RIPE69), so I do hope that I will be forgiven for posing as a newcomer.</p>
<p>I really love the ...</p>

WILTW: IOS images, clipboards and bad code (5)
2015-11-01T05:00:00+00:00 | red | tag:www.trueneutral.eu,2015-11-01:2015/wiltw-5.html
<p><strong>WILTW</strong> (What I Learned This Week) is a (hopefully) never-ending series of mini-posts, once a week, until the end of time. Terms and holidays apply.</p>
<h3>Messing with IOS images</h3>
<p>Very <strong><a href="http://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices">interesting article</a></strong> on the evolution of attacks on devices running Cisco IOS. In short, these are the things they found in the wild:</p>
<ul>
<li>two incidents that modified the IOS image ...</li></ul>

Cisco IOS SCP and integrity checking
2015-10-26T05:00:00+00:00 | red | tag:www.trueneutral.eu,2015-10-26:2015/ios-scp-server.html
<p>Getting files onto a router from various servers (TFTP, FTP, SCP) is pretty well understood and the most common way of doing it. But what if you're stuck with no servers, no connectivity and a wonderful corporate laptop with a firewall that you can't convince to allow TFTP?</p>
<p>Well, one solution is to use the SSH server on ...</p>

Why should I care about fragmentation? (2)
2015-10-15T05:00:00+01:00 | red | tag:www.trueneutral.eu,2015-10-15:2015/care-about-fragmentation-2.html
<p>I actually wanted to write this article the first time as an answer to the question in the title (posted by one of my readers), but I ended up with a long <strong><a href="https://www.trueneutral.eu/2015/care-about-fragmentation-1.html">part 1</a></strong> which talks about why fragmentation is undesirable and some problems you might run into while it is present.</p>
<p>There's a real story coming below ...</p>

Musing: Single room
2015-10-10T05:00:00+01:00 | red | tag:www.trueneutral.eu,2015-10-10:2015/single-room.html
<p>As I was reading from <strong>Ursula Le Guin</strong>'s <strong>The Dispossessed</strong> novel (quoted below), an author that is quickly becoming one of my all time favorites, a train of thought formed that I thought worth sharing: is this what it feels like when your mind hesitantly but inevitably moves from a myriad of distractions into the calm of focused dedication ...</p>

WILTW: UKNOF, Sony and Computing in Ro (4)
2015-10-02T05:00:00+01:00 | red | tag:www.trueneutral.eu,2015-10-02:2015/wiltw-4.html
<p><strong>WILTW</strong> (What I Learned This Week) is a (hopefully) never-ending series of mini-posts, once a week, until the end of time. Terms and holidays apply.</p>
<h3>UKNOF32</h3>
<p>A couple of weeks ago I attended my second UKNOF meeting, this time located in Sheffield over 2 days (you can read about my first experience in <strong><a href="https://www.trueneutral.eu/2015/uknof-30.html">London at UKNOF30 here</a></strong>).</p>
<p>It was an ...</p>

Netinstall of Raspbian Jessie on Raspberry PI 2
2015-09-22T05:00:00+01:00 | red | tag:www.trueneutral.eu,2015-09-22:2015/raspbian-jessie-netinst.html
<p>I've been using a Raspberry PI Model B as a mini-server for some time now and when the new RasPi was announced I was surely going to upgrade it. That moment is here, but there's one aspect I've always wanted to improve on: the official Raspbian image that you can download is not really fit for a server - it has all sorts of stuff installed (I actually managed to run out of space on my SD a few times) and it's still running Debian 7 (Wheezy).</p>

Introducing iNOG
2015-09-14T05:00:00+01:00 | red | tag:www.trueneutral.eu,2015-09-14:2015/introducing-inog.html
<p>Up until about a month ago, there was no larger community of network operators / engineers in Ireland. Some gather together at other events, such as the INEX meetings or at UKNOF, but obviously these have limited coverage. All this and a short discussion on Twitter resulted in a few of us deciding it was high time we created a group ...</p>

Why should I care about fragmentation? (1)
2015-09-09T05:00:00+01:00 | red | tag:www.trueneutral.eu,2015-09-09:2015/care-about-fragmentation-1.html
<p>A while ago I wrote a few articles on how to interpret fragmented packets in Wireshark (<strong><a href="https://www.trueneutral.eu/2015/wireshark-frags-1.html">part 1</a></strong> and <strong><a href="https://www.trueneutral.eu/2015/wireshark-frags-2.html">part 2</a></strong>). It took the fact that fragmentation exists for granted, so a reader asked me on LinkedIn: <strong>why should I care about fragmentation?</strong></p>
<p>Some engineers are quite lucky and never had to troubleshoot MTU and fragmentation issues, perhaps due to ...</p>

WILTW: The NFD10 edition (3)
2015-08-27T05:00:00+01:00 | red | tag:www.trueneutral.eu,2015-08-27:2015/wiltw-3.html
<p><strong>WILTW</strong> (What I Learned This Week) is a (hopefully) never-ending series of mini-posts, once a week, until the end of time. Terms and holidays apply.</p>
<p>Network Field Day is awesome. That is all.</p>
<p>OK, I should probably say more, shouldn't I? NFD is an event where a bunch of <del>very lucky</del> worthy NetEngs jump from vendor to vendor in ...</p>

Saving Web Pages into Markdown files
2015-08-21T05:00:00+01:00 | red | tag:www.trueneutral.eu,2015-08-21:2015/html-to-markdown.html
<p>Some time ago I organized and migrated my notes into one big repository of text files (and images where really necessary), all of them version controlled by <strong><a href="http://git-scm.com/">git</a></strong> and lightly formatted by <strong><a href="http://daringfireball.net/projects/markdown/">Markdown</a></strong>. I wrote about the setup and the reasoning behind it in the <strong><a href="https://www.trueneutral.eu/2014/note-taking-unchained.html">Note Taking Unchained</a></strong> article and today I'm going to expand on working with Markdown a bit.</p>

WILTW: TwinAx, Traceroutes and ROMMON (2)
2015-08-14T05:00:00+01:00 | red | tag:www.trueneutral.eu,2015-08-14:2015/wiltw-2.html
<p><strong>WILTW</strong> (What I Learned This Week) is a (hopefully) never-ending series of mini-posts, once a week, until the end of time. Terms and holidays apply.</p>
<h3>TwinAx cables</h3>
<p>It's 10G over coaxial cable, for very short distances. And by that I mean up to 5m (passive) and 10m (active). Good enough in server-to-switch scenarios or switch-to-switch when they're close ...</p>

Notes: CCDE Written materials
2019-01-02T05:00:00+00:00 | red | tag:www.trueneutral.eu,2015-08-07:2015/ccde-written-mats.html
<p>Studying for the CCDE is no simple task. It requires a different state of mind than the CCIE and the materials are all over the place. Awesome people like Elaine Lopes, Russ White and Orhan Ergun are working hard to improve the visibility and availability of resources - but that doesn't change the fact that there's a lot to ...</p>

WILTW: Facebook, IPv6 and Virtual Labs (1)
2015-08-01T05:00:00+01:00 | red | tag:www.trueneutral.eu,2015-08-01:2015/wiltw-1.html
<p><strong>WILTW</strong> (What I Learned This Week) is a (hopefully) never-ending series of mini-posts, once a week, until the end of time. Terms and holidays apply.</p>
<h3>Facebook and IPv6</h3>
<p>To start off, I listened to <strong><a href="https://www.youtube.com/watch?v=An7s25FSK0U">this presentation</a></strong> where Paul Saab of Face::b00c (cute) discusses their IPv6 strategy. It is a video, but the recording is of his face without any ...</p>

IP Fragmentation in Wireshark (2)
2015-07-23T05:00:00+01:00 | red | tag:www.trueneutral.eu,2015-07-23:2015/wireshark-frags-2.html
<p>I promised some (potentially amusing) examples from real life after our previous session that was focused on understanding how Wireshark presents fragmented packets. If you read <strong><a href="https://www.trueneutral.eu/2015/wireshark-frags-1.html">part 1</a></strong>, then you should be prepared for what comes below. If you didn't, please go ahead and read through it, as it has quite a bit of useful information. Don't worry, I'll wait for you.</p>

Keep it simple (1)
2015-07-13T05:00:00+01:00 | red | tag:www.trueneutral.eu,2015-07-13:2015/keep-it-simple-1.html
<p>I'm a big fan of simplicity and I do my best to ensure things are straightforward and easy to understand and support when I design them. Therefore I have to sometimes stop that part of me that really enjoyed CCIE labs or <strong><a href="https://www.trueneutral.eu/2014/musing-resist-that-temptation.html">the other that is tempted</a></strong> by any shiny new thing found online or in a vendor presentation ...</p>

Notes: Google's Software-defined WAN and DC
2015-07-05T05:00:00+01:00 | red | tag:www.trueneutral.eu,2015-07-05:2015/google-dc-infra.html
<p>About a year ago, Google's Amin Vahdat <strong><a href="http://www.youtube.com/watch?v=n4gOZrUwWmc">presented their SDN solution</a></strong>, namely the <strong><a href="http://googlecloudplatform.blogspot.ie/2014/04/enter-andromeda-zone-google-cloud-platforms-latest-networking-stack.html">Andromeda incarnation</a></strong>.
As you'll see in this year's presentation, it's one in a long list of things they've done in this space, therefore quite interesting.</p>
<p>So Amin again jumped on the stage at <strong><a href="http://opennetsummit.org/conference/">ONS</a></strong> and gave an even more <strong><a href="https://www.youtube.com/watch?v=FaAZAII2x0w">interesting presentation</a></strong> about ...</p>

A conflict of OSPF LinkState IDs
2014-06-23T05:00:00+01:00 | red | tag:www.trueneutral.eu,2015-06-23:2015/ospf-conflicting-lsid.html
<p>Soon you'll begin to think I have something against OSPF, after the previous 3-part series on how to break transit areas (start with <strong><a href="https://www.trueneutral.eu/2014/ospf-capability-transit-1.html">The dark side of OSPF transit capability (1)</a></strong> if you haven't read it). This post looks at another OSPF problem, one that started from trying to understand the following log message: <strong>%OSPF-4-CONFLICTING_LSAID: LSA origination prevented by existing LSA with same LSID but a different mask</strong>.</p>

Sharing and Subscribing
2015-06-18T00:00:00+01:00 | red | tag:www.trueneutral.eu,2015-06-18:2015/sharing-and-subscribing.html
<p>I've always been quite minimalistic when designing this website, so as to keep any distractions to a minimum: you're here to <strong>read the articles</strong>, not to swim in a sea of banners, ads and other ill placed pictures. Fear not, I'm still holding true to those principles, but I felt that it was time to improve the experience ...</p>

PSA: Dual-Stack connectivity and VPNs
2015-06-07T00:00:00+01:00 | red | tag:www.trueneutral.eu,2015-06-07:2015/dual-stack-vpns-1.html
<p>I remember a time when all you had at home was IPv4. It was a simpler time, of private local addresses and a spot of NAT behind a public IP coming from your ISP.</p>
<p>But if you're lucky and your ISP decided IPv6 is not something you just ignore and hope it goes away, then perhaps you have <strong>Dual ...</strong></p>

My big box didn't save my network!
2015-05-26T00:00:00+01:00 | red | tag:www.trueneutral.eu,2015-05-26:2015/big-box.html
<p>It all started one morning with a few questions from my colleagues about a VSS deployment, in the context of a major failure that took place the day before. But the biggest question came from the customer: why did it fail when we invested so much money into making it bulletproof?</p>
<p><strong>Why indeed.</strong></p>
<p>For a bit of history, this customer ...</p>

Rant: Company laptops
2015-05-20T00:00:00+01:00 | red | tag:www.trueneutral.eu,2015-05-20:2015/company-laptops.html
<p>A few weeks ago I was casually reading <strong><a href="https://www.reddit.com/r/linux/">r/linux</a></strong> and I bumped into the AMA (Ask Me Anything) thread of this <strong><a href="https://kernel.org/">kernel.org</a></strong> sysadmin called <strong><a href="https://www.reddit.com/r/linux/comments/2xqn12/im_part_of_the_sysadmin_team_behind_kernelorg_and/">Konstantin Ryabitsev</a></strong>.</p>
<p>Somewhere deep down he's asked what he works on and he replies with this gem - I wanted to quote it because it's amazing how spot on it is (also makes ...</p>

PSA: How to distrust a root certificate
2014-05-11T00:00:00+01:00 | red | tag:www.trueneutral.eu,2015-05-11:2015/distrust-root-cert.html
<p>Let's say something prompted you to no longer trust a certain Certificate Authority (CA) and you wanted to make sure your OS stops trusting certificates issued by them as well. You could say it was linked to a recent Internet blunder, but I couldn't possibly comment.</p>
<p><strong>Before going further, be mindful of the changes you make, as they ...</strong></p>

Update. Squirrel!
2015-04-03T00:00:00+01:00 | red | tag:www.trueneutral.eu,2015-04-03:2015/update-squirrel-1.html
<p>Maybe you've been wondering whether this continuous period of silence has been a sign that my enthusiasm for writing has dwindled. <strong>Fear not</strong>, I'm still here and my to-write list is ever growing.</p>
<p>I've recently moved to Ireland (Dublin is a fantastic city) and jumped into a consultancy role. As I get settled over the next weeks ...</p>

UKNOF the 30th
2015-01-29T00:00:00+00:00 | red | tag:www.trueneutral.eu,2015-01-29:2015/uknof-30.html
<p>So UKNOF, we meet at last. On the 22nd of January I went to the 30th meeting of (mostly) UK based network operators. It was held in London in a very nice building (etc Venues Bishopgate) and it had 290 registered attendees, apparently being the biggest one yet.</p>
<p>More stats you say? I'm not sure how many actually attended ...</p>

IP Fragmentation in Wireshark (1)
2015-01-20T00:00:00+00:00 | red | tag:www.trueneutral.eu,2015-01-20:2015/wireshark-frags-1.html
<p>Fragmentation. It's what happens when a big packet spawns a lot of smaller baby packets because the MTU is not big enough, be it anywhere in transit (IPv4) or only at the source (IPv6). It also might cause engineers to lose their sanity while troubleshooting weird problems.</p>

And it's gone. Bonus: RIPE69
2015-01-04T00:00:00+00:00 | red | tag:www.trueneutral.eu,2015-01-04:2015/and-its-gone-plus-ripe69.html
<p>I'm not a big fan of retrospective or "year in review" posts, but I still wanted to <strong>thank you all</strong> for reading my ramblings since I started in June last year.</p>
<p>Well, I can't help myself - here's <strong>ONE</strong> statistic, the top three posts of 2014:</p>
<ol>
<li><strong><a href="https://www.trueneutral.eu/2014/leaky-redistribution-1.html">Leaky Redistribution (1)</a></strong></li>
<li><strong><a href="https://www.trueneutral.eu/2014/ospf-capability-transit-1.html">The dark side of OSPF transit capability (1)</a></strong></li>
<li><strong><a href="https://www.trueneutral.eu/2014/512-magic-number.html">512 ...</a></strong></li></ol>Xperia Z3C Blues2014-12-01T00:00:00+00:002014-12-01T00:00:00+00:00redtag:www.trueneutral.eu,2014-12-01:2014/xperia-z3c-blues.html<p>Quite recently I found myself the new owner of a <strong><a href="http://www.sonymobile.com/gb/products/phones/xperia-z3-compact/">Sony Xperia Z3 Compact</a></strong> smartphone. This comes after a year of using another Sony phone, the Z1. I love the Z1 - it's fast, smooth and has a great camera. The only downside to it was its size and sharp corners: it's a bit too big for my pocket ...</p>Checking the Nexus FIB2014-11-12T00:00:00+00:002014-11-12T00:00:00+00:00redtag:www.trueneutral.eu,2014-11-12:2014/nexus-fib.html<p>I don't know about you, but I like my <code>show ip cef</code> and <code>show adjacency detail</code> commands. They give you a bit more information and are rather useful when <code>show ip route</code> and <code>show ip arp</code> are not really enough. But what happens when you jump on a device that doesn't have CEF?</p>
<p>It just happens that I ...</p>Notes: UK IPv6 Council (1)2014-10-23T00:00:00+01:002014-10-23T00:00:00+01:00redtag:www.trueneutral.eu,2014-10-23:2014/uk-ipv6-council-1.html<p>Last week saw the first proper meeting of the <strong><a href="http://www.ipv6.org.uk">UK IPv6 council</a></strong>, an initiative started earlier this year by a few people who want to improve the current situation. What this situation actually is you get to find out below, because I was there and <strong>this is what I think</strong>.</p>
<p>The event agenda is listed in full <strong><a href="http://www.ipv6.org.uk/?page_id=39">here</a></strong> and the ...</p>IPv6, addressing plans and you2014-10-14T00:00:00+01:002014-10-14T00:00:00+01:00redtag:www.trueneutral.eu,2014-10-14:2014/ipv6-addressing-plan.html<p>It's no secret that everyone <strong>just loves</strong> IP address management. Especially when it's done out of a spreadsheet or when some people think it's necessary and some think it's optional. The history of IPv4 is rather painful and it's not going to be used as a positive example anytime soon - unless we make an even ...</p>Note taking unchained2014-10-05T00:00:00+01:002014-10-05T00:00:00+01:00redtag:www.trueneutral.eu,2014-10-05:2014/note-taking-unchained.html<p>I've lost count of all the various ways I kept notes about things. And by that I mean (mostly) digital notes - I'm not a big fan of doing this on paper (hard to search, impossible to change and simply a waste of a precious resource). Historically, the problem had been that things ended up in emails sent to myself, text files, word documents, spreadsheets etc. Nothing that was easy to index, search through and back up.</p>512 is the magic number2014-09-28T00:00:00+01:002014-09-28T00:00:00+01:00redtag:www.trueneutral.eu,2014-09-28:2014/512-magic-number.html<p>There are some things not many network engineers think about in their day to day activities, and watching FIB limits is one of them. But they have that nasty way of telling you that you either have outdated hardware or you're using the wrong device in the wrong place by crashing or black-holing traffic when you least expect it ...</p>TCP bug in FreeBSD2014-09-21T00:00:00+01:002014-09-21T00:00:00+01:00redtag:www.trueneutral.eu,2014-09-21:2014/freebsd-tcp.html<p>A recent vulnerability found in the <strong>FreeBSD TCP/IP stack</strong> caught my eye due to its relative simplicity (both in exploiting it and avoiding it). 
It references CVE-2004-0230 (yep, 2004) with a slight twist: instead of using RST packets, it uses SYN packets for the same end-result: a connection reset.</p>
<p>Let's say you have an established TCP connection between ...</p>Leaky Redistribution (2)2014-09-10T00:00:00+01:002014-09-10T00:00:00+01:00redtag:www.trueneutral.eu,2014-09-10:2014/leaky-redistribution-2.html<p>In <strong><a href="https://www.trueneutral.eu/2014/leaky-redistribution-1.html">part 1</a></strong> we had a look at some redistribution scenarios and what happens when equal-cost multi-pathing is involved. The problem we look at in this post is what gave the series its title and it builds on the previous setup by adding VRFs and MPBGP to the mix.</p>Leaky Redistribution (1)2014-09-01T00:00:00+01:002014-09-01T00:00:00+01:00redtag:www.trueneutral.eu,2014-09-01:2014/leaky-redistribution-1.html<p>It's a well known fact that <strong>RR (Route Redistribution) is a complicated topic</strong> (putting it mildly), and all of you studying for expert level certifications or running old and complicated networks know what I'm talking about. Don't worry, I won't go into a crazy corner-case scenario, this is based on something that happened in a production network.</p>Cisco Service Provider Tech Huddle2014-10-14T00:00:00+01:002014-10-14T00:00:00+01:00redtag:www.trueneutral.eu,2014-08-11:2014/cisco-sp-tech-huddle-1.html<p>A couple of months ago I attended an event organized by <strong>Cisco</strong> called a Tech Huddle. It was a full day of presentations, in this case of products and technologies of the <strong>service provider</strong> variety. Mostly.</p>
<p>I recently revisited the slides and my notes from the day, and <strong>this is what I think</strong> about them (disclaimer: I was invited to ...</p>The dark side of OSPF transit capability (3)2014-08-03T00:00:00+01:002014-08-03T00:00:00+01:00redtag:www.trueneutral.eu,2014-08-03:2014/ospf-capability-transit-3.html<p>Here we are, the long awaited (or so I like to believe) finale of the series! You are now a veteran when it comes to OSPF transit areas, but there's still one tiny detail nagging you: <strong>ABRs are not allowed to summarize backbone prefixes nor filter them in any way when advertising them into the transit area</strong>. Before we dive in though, in case you're not familiar with the series take a look at <strong><a href="https://www.trueneutral.eu/2014/ospf-capability-transit-1.html">part 1</a></strong> and <strong><a href="https://www.trueneutral.eu/2014/ospf-capability-transit-2.html">part 2</a></strong>.</p>Musing: Resist that temptation2014-07-24T00:00:00+01:002014-07-24T00:00:00+01:00redtag:www.trueneutral.eu,2014-07-24:2014/musing-resist-that-temptation.html<p>Ivan Pepelnjak published an article called <strong><a href="http://blog.ipspace.net/2014/07/campfire-story-using-wrong-tool-for-job.html">Campfire story: Using the wrong tool for the job</a></strong> and it instantly got me thinking about something I've been discussing with my colleagues for the past few weeks, endlessly racking our brains trying to solve a scaling problem in our network.</p>
<p>Among other vendors, we had a few meetings with <strong><a href="http://www.arista.com/">Arista</a></strong> and I ...</p>The dark side of OSPF transit capability (2)2014-08-03T00:00:00+01:002014-08-03T00:00:00+01:00redtag:www.trueneutral.eu,2014-07-20:2014/ospf-capability-transit-2.html<p>Last week I wrote <strong><a href="https://www.trueneutral.eu/2014/ospf-capability-transit-1.html">part 1</a></strong> of this series on how to do <strong>nasty</strong> things to OSPF's transit areas. This time we'll jump right in with two more examples, so I'd suggest starting with <strong><a href="https://www.trueneutral.eu/2014/ospf-capability-transit-1.html">part 1</a></strong> if you haven't read it.</p>The dark side of OSPF transit capability (1)2014-08-03T00:00:00+01:002014-08-03T00:00:00+01:00redtag:www.trueneutral.eu,2014-07-12:2014/ospf-capability-transit-1.html<p>There are lots of write-ups about this feature and the ones I looked at are fairly good at explaining what it does (with examples). <em>That's not a very promising way to start your own article</em>, you might say. Hear me out though: <strong>I'm here to show you what it prevents from happening</strong> with the aid of a few pretty pictures. It took me a couple of years (during my CCIE studies) before I managed to actually properly understand and <strong>remember for more than 2 hours</strong> what this does and why it is so important to leave it enabled.</p>A usable and good looking shell on Windows2014-07-08T00:00:00+01:002014-07-08T00:00:00+01:00redtag:www.trueneutral.eu,2014-07-06:2014/win-proper-term.html<p>I've been a long-time <strong>Linux</strong> user... and because of that I've gotten used to having certain shell functionality on all of the computers I work on. 
That essentially means finding a usable solution that works on <em>Windows</em>.</p>Prefix filtering when exporting from a VRF2014-07-08T00:00:00+01:002014-07-08T00:00:00+01:00redtag:www.trueneutral.eu,2014-06-22:2014/ios-vrf-export.html<p>Recently, I had to solve a rather simple problem: on a Cisco PE, I had to prevent a certain prefix from being advertised into the L3VPN associated with its VRF.</p>
<p><em>Well, if it's that simple, why do you need to talk about it?</em> - I hear you asking. Well, it's because in a production network it's never as ...</p>It's alive! What, again?2014-07-12T00:00:00+01:002014-07-12T00:00:00+01:00redtag:www.trueneutral.eu,2014-06-21:2014/its-alive.html<p>Well, yes, <strong>again</strong>. Technically, it's <strong>the second time</strong> you could ask the question as this is the <strong>third</strong> <small>(hence <code>v3</code> down at the bottom, in the highly unlikely scenario it was a question you had)</small> incarnation of my web publishing efforts.</p>
<h3>The history lesson</h3>
<p>The first time it was a joint effort with a friend: a blog called <strong>net ...</strong></p>Step 3 in the BGP best-path selection process2014-06-28T00:00:00+01:002014-06-28T00:00:00+01:00redtag:www.trueneutral.eu,2011-06-07:2011/bgp-best-path-step-3.html<p>This is a short look at the third step in the BGP best-path selection process, which started from reading the explanation in the <code>CCIE Routing and Switching Certification Guide</code> text:</p>
<ul>
<li>it first states that it prefers <em>"Locally injected routes - Pick the route injected into BGP locally; (using the network command, redistribution, or route summarization)."</em></li>
<li>but then it also says <em>"Choose ...</em></li></ul>BGP Backdoor Routes2014-06-28T00:00:00+01:002014-06-28T00:00:00+01:00redtag:www.trueneutral.eu,2011-06-01:2011/bgp-backdoor.html<p>This short article looks at the behavior of the BGP Backdoor Route feature. Although this has been explained, both in books and in other articles on the net, I would like to make a few points that I feel are not covered properly. Skip to the end if you are already familiar with the feature, as the first part provides a quick refresher.</p>Troubleshooting a weird TCP handshake2014-06-28T00:00:00+01:002014-06-28T00:00:00+01:00redtag:www.trueneutral.eu,2011-05-16:2011/tcp-nat-tshoot.html<p>This is a troubleshooting scenario based on an issue that happened in a production network, <strong>namely getting a RST as the third packet in the 3-way handshake</strong>. The flow of this article is as follows: <strong>first</strong>, we will look at the topology and how the problem manifested itself, <strong>then</strong> dig deeper and find out the issue. <strong>Lastly</strong>, we will configure a similar topology in order to recreate what happened.</p>Troubleshooting HSRP (with preemption)2014-06-28T00:00:00+01:002014-06-28T00:00:00+01:00redtag:www.trueneutral.eu,2011-04-01:2011/hsrp-tshoot.html<p>In this article we are going to look at how HSRP behaves in two scenarios which are based on what happened to a colleague of mine in the live network. Basic knowledge of how HSRP functions is needed in order to understand what happens here.</p>