One API to rule them all, and in the ether(net) bind them

While some APIs are more open than others, and some APIs are better documented than others (god bless ’em), APIs prevail. From basic network infrastructure elements to all the complex applications flowing across them, just about everything we deal with today in IT has an API. Pretty sure even that new fridge @netmanchris bought has an API. ūüėČ

The sheer quantity and diversity among these APIs presents network engineers, who are just starting to get a handle on automation, with the additional challenge of wrangling umpteen different versions of APIs into cohesive, scalable, and maintainable processes that don’t make them hate their lives on a daily basis.

So what better to way to corral your herd of APIs than with another API?¬† To quote @scottm32768 in this grand networking quest, “One API to rule them all, and in the ether(net) bind them.”

Or to put it another way:

As an orchestrator of orchestrators, that’s where Itential comes in.¬† Their architecture takes modern API and abstraction focused principles, and leverages them toward solving this problem of API overload. All while providing a platform which itself is API accessible and automation ready.

Using adapters that consume and abstract the various input APIs of your multi vendor network, Itential provides a platform that allows you to build for various systems all in one place.¬† Sounds suspiciously like that single pain, err pane, of glass we’ve all been promised for years. So what’s going on under the hood?

Itential’s adapters are reaching into disparate systems, consolidating the data, and then normalizing it into a JSON schema.¬† The broker layer above the adapter layer performs the real magic by transforming the desired state configuration changes you want into the what each system needs to be told to do to make it happen.

Need to change a VLAN across a multi vendor environment?¬† No problem.¬† Need to validate similar configuration elements across multiple systems, each with the data accessible in a different format? No problem. Use Itential’s Automation Studio and Configuration Manager to design your workflows and manage your configuration changes. Then let Itential’s broker layer translate, while its adapter layer makes it happen.

What if you’re further along than most in the automation game and are sitting on a repository of your own network automation scripts? One, you get a cookie. Two, Itential allows you to bring those into the platform as well using their Automation Gateway.

The Automation Gateway also serves in cases where the vendor of your choice isn’t on the adapter list yet, but you still want some level of centralized automation.

If this commander of API armies, this chieftain of your automation islands, peaks your interest, I recommend checking out Itential’s fantastic Networking Field Day 21 video here that details the platform architecture along with an excellent demo (demo starts at 14 min mark). Also, be sure to check out their developer tool website, which has lots of great links and FAQs, and their additional NFD21 videos as well.

 

Disclaimer: While Networking Field Day, which is sponsored by the companies that present, was very generous to invite me to the fantastic NFD21 event and I am very grateful for it, my opinions are totally my own, as all redheads are far too stubborn to have it any other way.

Published 10/20/2019

 

Network Change Validation Meets Supersized Network Emulation

Large scale networks means large scale configuration and change management testing. Or at least it should.

But device expense, power costs, and space limitations mean full scale physical network labs don’t happen. We, the engineers, get to roll-out complex network changes based on limited tests and what we hope is a well thought out, bulletproof rollback plan. We often risk significant loss of revenue for the company and significant loss of sleep for ourselves if changes go poorly.

This is not just a big shops problem either.¬† Even – or perhaps especially, small to medium enterprises lack full scale physical labs to simulate changes.¬† I’ve known one engineer that used to have a Nexus 5K on his desk (I’m looking at you @that1guy_15), but most of us are lucky to have a few pieces of equipment to cobble together to give us the general gist of the impact of a potential network change.

With the cloud eating everything, it’s about time that it started giving back to engineers – and that is what Tesuto seeks to do.¬† Tesuto leverages cloud to perform large scale emulation of networks, while allowing engineers to leverage modern automation tools and testing along the way.

Tesuto spins up emulation devices in Google Cloud or Digital Ocean, with support coming soon for Azure, AWS, and private cloud as well.  These spun-up devices have full L2 connectivity with each other and are running the actual vendor images, giving engineers emulations that can accurate reflect control plane functionality for configuration and change testing at the scale your network demands.

It’s worth noting that if you want to test ASIC specific functionality or throughput testing, this is not the platform for those types of tests. Emulations are ideal for control plane and connectivity testing, such as making BGP routing changes and seeing what neighbor relationships you hosed up, but not so ideal for how many packets per second a device can spit out.

So why not use GNS3, which offers device emulation as well?¬† Resource scale, ease of use, Rapid Initialization*, and the ability to tie into modern automation configuration and testing tools such as Ansible, NAPALM, etc…, are just a few reasons why cloudifying your network emulations with Tesuto starts to make sense.

Personally, I found the interface to be pretty intuitive, creating a few routers from different vendors, connecting them, and logging into the Tesuto provided jumpbox was quick and painless. Uploading licensed images for some vendors is required, so be prepared to BYOI (bring your own image).

The ability to run built in NAPALM validation tests takes a bit more finesse and experience, as does integrating Tesuto into your automated change management pipeline if you have one. With a bit of additional work, though, you can create your own validation tests, you are not limited to the built in tests or to NAPALM.

Tesuto brings a ton of additional features to network emulation, as you can see from the chart below. I recommend watching both NFD21 presentations, especially this demo in which a lot of questions you don’t even know you have yet are answered.

*Tesutos’s Rapid Initialization is a feature which significantly decreases boot time of the devices after first power on, so that MX router that takes 25 mins to boot the first time in an emulation takes only 5 mins on future boots.¬†

 

Disclaimer: While Networking Field Day, which is sponsored by the companies that present, was very generous to invite me to the fantastic NFD21 event and I am very grateful for it, my opinions are totally my own, as all redheads are far too stubborn to have it any other way.

Published 10/13/2019

Arrcus: An Application of Modern OEM Principles for Whitebox Switches

What’s a pirate’s favorite switching platform?

Arr-cus.¬† ūüėā

And before I make a joke about networking ship-sets (too late), I’ll move onto what Arrcus is and why you should be checking them out!

Arrcus manufactures white box switches running ArcOS, their latest generation of switches leveraging the Jericho-2 chipset.

Touting a microservices architecture, multi-tenancy at scale, and open integration across multiple ODM vendors, ArcOS offers up a hardware agnostic platform that finds it home in data center fabrics, large scale peering/edge deployments, and cloud deployments.

With support for OpenConfig and YANG, Arrcus intends for users to leverage APIs for operations and management in modern fashion, no slumming it with old school CLI (although there is one should you choose to use it).

With claims of up to 100 million (that’s 100 meeeeellion) BGP paths and carrier grade class hardware, the OS also provides streamed telemetry data for multiple purposes, including monitoring device health and workload mobility. Arrcus also takes advantage of streaming telemetry in BGP route validation, comparing real time data with RPKI lookups and sending notifications to operators of potentially hijacked routes.

Support for BGP-LSVR is also part of the ArcOS platform. Which if you don’t live in carrier land, you might have just said “huh?” (because that’s what I said as well).¬† BGP-LSVR is a IETF draft standard for augmenting BGP with Shortest Path Dijkstra algorithm behavior in an attempt to handle massively scaled out data centers and sneak around IGP flooding scale limitations.¬† I know what you’re thinking:

But BGP-LSVR has the advantage of the underlay and overlay both being BGP, as well as improved convergence times. And possibly dinosaurs wreaking havoc on humanity, but we’ll save that for the sequel.

For more Arrcus goodness, I recommend watching the Network Field Day 21 Arrcus videos, especially the demo presentation below.¬† I’ve also included some handy dandy research links for both Arrcus and BGP-LSVR if you’d like to learn more about either or both!

Arrcus Switching and Routing Demos from Gestalt IT

Link State Vector Routing as the Transport Underlay, by Keyur Patel, Founder & CTO

PacketPushers Blog New Network OS From Startup Arrcus Targets Whitebox Switching And Routing

PacketPushers Priority Queue Episode 160

PacketPushers Heavy Networking Episode 471

Networking Startup Arrcus Raises $30M, Unveils Enhanced OS To Compete With Cisco, Arista

ArcRR‚ĄĘ: The Arrcus Route Reflector

Arrcus Videos and Podcasts

 

Disclaimer: While Networking Field Day, which is sponsored by the companies that present, was very generous to invite me to the fantastic NFD21 event and I am very grateful for it, my opinions are totally my own, as all redheads are far too stubborn to have it any other way.

Published 10/07/2019

Cisco Live 2019 – A Whirlwind of Networking Goodness

Cisco Live 2019 came and went in a whirlwind of fantastic meetups, excellent sessions, and genuinely nerdy networking conversations.

Cisco Live session content was top notch. Jasper Bongertz’s¬†Wireshark talk blew the audience away with useful packet capture and troubleshooting tips, and Denise Fishburne’s Network Detective presentation captivated the audience with methodical troubleshooting processes and issue isolation techniques. Both sessions are a must watch for network engineers. Seriously, you will thank me (send coffee) and more importantly you should definitely thank them for giving so much to the community!

Tech Field Day captured a ton of great content this year as well.¬† I especially recommend this NetBeez presentation highlighting the exciting ways their monitoring solution is fighting the good fight by helping to prove it’s not the network. Their new integration with Cat9K switches is also covered and definitely worth checking out.

This year also featured the distribution of Amy’s Army of Angry Routers. Angry routers were given, angry routers were received, and a new site header came to be.

Cisco Live 2019 was also especially memorable in the recognition that this very blog received! As Cisco 2018 IT Blog Award winner for Most Entertaining, yours truly had her big screen moment! I couldn’t be more thankful for each of you who took the time to vote! Thanks for reading along, laughing along, and sharing along with my adventures, snark, and bits of wisdom. You all rock, and obviously have the best taste.

 

And finally, my favorite part of every Cisco Live wrap up, the photo gallery! So many long time friends, so many new friends.  The networking community is genuinely the best and you all make it that way.

Published 06/23/2019

“Thirteen hundred APs, no open support tickets” – achieving quality in wireless networks

“Thirteen hundred APs, no open support tickets,” Sudheer Matta, VP of Products for Mist Systems,¬†boldly stated during his MFD3 presentation.¬† At the time, he was referencing one of their largest customers specifically, but the company’s desire to prevent bugs, create high quality customer experiences, and resolve issues quickly were principles that permeated the discussions with Mobility Field Day¬†delegates.

Mist leverages several key components in order to pull off their customer focused reliability, visibility, and proactive troubleshooting of the wireless network.

Cloud-based micro-services architecture.  This modern approach to building systems is part and parcel of what many cloud companies have been doing with their software architecture over the last few years.  Instantiating distributed services and leveraging APIs between these services is foundational to providing the kind of resiliency and redundancy cloud makes possible and Mist credits this architecture with how they are able to push out new features, fixes, and services weekly without causing any data plane outages for customers.

In his presentation, Sudheer shares an impressive case of how Mist was able to do a complete restore for a customer that had deleted their entire controller infrastructure. All the controllers and services were back online in less than 2 hrs with no access point reboots or data plane outages, a feat Sudheer also credits to Mist’s distributed architectural approach.

Analytics. These days collecting data is table stakes, the real advancement is in building better algorithms that provide useful information to customers. Mist calls these, “actionable insights” and they are more than just increasing the noise floor with more alerts. Mist believes their actionable insights are so dead on that they’ve announced proactive anomaly detection, meaning the system will open a ticket on your behalf when an issue is detected.

And the analytics don’t stop with just ticket opening – MARVIS (Mist’s AI) is getting several feature enhancements focused on improving the troubleshooting process, reducing analysis time, and improving RRM.

A culture of attention to detail. After watching¬†Mist’s¬†MDF3 presentations, I would describe their business model as “just good enough is not good enough for us.”

Besides a distributed architecture designed to minimized the number of bugs and the impact of those bugs that do make it into the system, issues are expected to be resolved quickly and not allowed to fester or be ignored.  A clear emphasis is placed on quality and usability of the system, from the architecture to the user experience.

Mist is also listening both to its customer base as well as wireless engineers. An improved adapter bracket, the transparency with firmware version issues, the coming soon red and green buttons, and the constant tuning of the virtual assistant were just a few indicators from the presentations that customer experience and usability not only matter, but are at the top of the priority list.

For more Mist goodness, be sure to check out these posts:

@badger-fi¬†–¬†Mom’s love Mist

@rowelldionicio¬†–¬†Demistifying Wi-Fi Issues

@Drew_CM –¬†Mist Enhances Machine Learning Capabilities To Improve WLAN Performance, Troubleshooting

@theitrebel РMDF Day 1 Recap

Disclaimer: While Mobility Field Day, which is sponsored by the companies that present, was very generous to invite me to the fantastic MDF3 event and I am very grateful for it, my opinions are totally my own, as all redheads are far too stubborn to have it any other way.

Published 10/7/2018

 

Intro into Fortinet WLAN configuration

Simple, secure, sensible – Koroush Saraf, Fortiner VP of Product Management, emphasized these words in his recent MFD3 presentations. While any vendor can claim their products share these attributes, it’s usually the complexity of workflow that reveals the betrayal of one or all of these characteristics. Watching this Mobility Field Day demo, however, the simplicity of setting up a basic Fortinet WLAN SSID, applying security policies, and even setting up automation for quarantining an infected machine boiled down to just a few steps.

Step one:  Create your SSID.

In Fortinet world, creating an SSID creates a virtual interface.  At first, this seems like a strange construct to be involved in a WLAN setup process, but later in the process, the logic and flexibility of having this virtual interface becomes apparent.

To create your basic SSID, navigate to WiFi & Switch Controller, click on SSID, click Add New.¬† You can select if this SSID will be a Tunnel, Bridge, or Mesh SSID, as well as configure parameters such as IP address, DHCP server options, Default Gateway, DNS servers, etc…

Keep in mind that to avoid clutter, the GUI presents the essential and the most commonly used options for configuration. Some more advanced configuration may not be seen in the GUI but available via CLI.

Step 2: Attach or create an AP Profile.

The FortiAP Profile is where things like radio bands, transmit power, channel and channel width, etc… are configured and controlled in a manner that can be applied to multiple APs.

To create a new AP profile, navigate to WiFi & Switch Controller, and click on FortiAP Profiles, click Add New. 

To attach an already created AP Profile to an AP, navigate to WiFi & Switch Controller, click Managed FortiAPs, select your AP, and apply the appropriate profile to the AP. This screen is also where you would configure AP specific options that would not apply to all APs using the profile selected. Note, this assumes you have already setup your basic controller parameters so that APs can be automatically discovered.  For more information, see the documentation cited at the end of this post.

Step 3: Create interface policies.

This step brings together the SSID virtual interface created and the security policies that need to be applied to the SSID.  The virtual interface allows for the straight-forward application of security policies such as allowed/denied ports and protocols, along with UTM features and application restrictions.

For engineers that have configured Fortigate firewalls, this part of the process will feel the most familiar since it’s leverages the same process of policy creation used to create traditional firewall rules.¬†

Bonus step: Configuring an automation alert for compromised clients.

Now that you have your SSID and AP online, you can head over to Automation and quickly setup workflow for what should happen when the Fortigate sees a compromised host. You can see from the screen shot below that not only can the host be quarantined automagically, but an email could be sent to inform those taking the calls from the angry virus-spreading-machine owners that these machines have been blocked.Note this type of automation can apply not just to WLAN clients, it is a feature that can be used globally for all detected endpoints.

To see this demo in action, check out this MFD presentation in which Fortinet makes a compelling case for the idea that the lives of IT engineers shouldn’t be made so difficult all the time. Now if only all IT vendors thought this way…

And for even more Forti-content, check out these posts from fellow delegates:

Lee BadmanClarity and Confusion- Fortinet and Arista at Mobility Field Day 3

Scott LesterForti What

Jim PalmerA Story of Three Companies

 

 

Note: This post is based on the basic setup and topolgy given in the video presentation, for more advanced configuration information, please check out Fortinet’s documentation that can be found here. Also, Fortinet has an pretty awesome demo site here which allows you to log in and look around in pretty much any Fortinet product you’d like to see.

Disclaimer: While Mobility Field Day, which is sponsored by the companies that present, was very generous to invite me to the fantastic MDF3 event and I am very grateful for it, my opinions are totally my own, as all redheads are far too stubborn to have it any other way.

Published 9/30/2018

Cisco Live 2018 – Geek Camp Returns

It’s hard to believe it’s been nearly a month since Cisco Live 2018! The amazing week at Geek Camp was filled with fantastic sessions,¬†Tech Field Day goodness, and lots of great conversations with incredibly talented people.¬† Engineering Deathmatch¬†had a great lineup, and even launched a new quiz show that was super fun to watch. I am eagerly waiting the posting of those videos.¬†(hint, hint @samplefive).

Seeing long time friends, meeting new folks, and networking with the engineers in the trenches makes Cisco Live an extraordinary experience every year.  I am constantly impressed by a community of people willing to share, mentor, and embrace one another Рfiguratively and sometimes quite literally, in an effort to educate, help, and support one another in this incredible field. You all know who you are, and you all are phenomenal.