Heavy Networking

Today is a wide-ranging Future of Networking episode with a pair of special guests: Dave Temkin, VP of Networks at Netflix; and Steve Chalmers, a former Distinguished Architect at HP and an independent consultant. We discuss a broad range of topics and ideas, including how the public Internet is changing, edge computing, the challenges of recruiting the next generation of engineers, Gen Z fabrics, addressing BGP route leak issues, and more. Sponsor: Tufin Tufin has pioneered a policy-based approach to network security management using automation and analytics. You can make network changes in minutes instead of days, reliably and securely. Tufin. The Security Policy Company. Find out more at tufin.com. Sponsor: ITProTV Get over in-depth technical training from ITProTV. ITProTV offers online instruction in CompTIA, Cisco, VMWare, Microsoft and more. You can stream courses live and on demand on your favorite device. Sign up at itpro.tv/packet and save 25%. Use the code PACKET25 when you check out. Show Links: Steve Chalmers on LinkedIn Dave Temkin on LinkedIn BGP filtering study resources – NANOG MANRS Implementation Guide – Online Version – manrs.org Gen-Z – Wikipedia Computer Industry Alliance Revolutionizing Data Access – Gen-Z Consortium 3D XPoint – Wikipedia

Today’s Heavy Networking explores how to select a higher-ed program for your computer science education, including what to look for and what to run away from. How much is worth spending on education? Where do professional certifications fit into a degree program? How can you tell if the program you’re considering is outdated? If your university has a job placement program, is that a big deal? What if you want to study networking specifically? Is that even a thing? My guest is Aaron Francis, a Systems Engineer at Cisco and IT instructor. We discuss: * The essential elements of a computer science degree * How a CS degree differs from degrees in Information Science or IT Administration * Specializations within CS degrees, such as networking * How to measure educational costs and returns, community college vs. 4-year instutions, and so on * Getting a job after graduation * Whether to get certifications concurrently with your degree Sponsor: ExtraHop ExtraHop is the enterprise cyber analytics company delivering performance and security from the inside out. ExtraHop offers complete visibility with machine learning to help you make quick, confident decisions about your IT environment. Explore the ExtraHop Performance Platform at extrahop.com/packetpushers. Show Links: Aaron Francis on LinkedIn Aaron’s Blog on LinkedIn

You know your frame from your packet. You can explain how bridging tables are populated. Ethernet is your friend from as far back as 100 meg half duplex regularly plagued your life. Wireless? Not so much. This is a second podcast in a crash course series explaining wireless networking to people who are really good at wired networks. My guest is Chris Reed, lead network engineer at BEI Networks. Today, we dive into beacons, probes, SSIDs, roaming, and the ugly reality of band steering. If you’d like to hear the first entry in this series, check out episode 440. Show Links: Chris Reed on Twitter Clear To Send Podcast Episode 123 – Design Principles of Stadium Wi-Fi Clear To Send Podcast Episode 127 – Stadium WiFi Implementation SSID Overhead Calculator – Revolution Wi-Fi Wi-Fi Roaming Analysis Part 2 – Roaming Variations – Revolution Wi-Fi Heavy Networking 440: A Wireless Deployment Crash Course – Packet Pushers

Deep packet analysis at line rate is a complex claim. What do we mean when we say, “Deep”? Assuming we mean layer 7 payloads…which protocols? Some of them? All of them? What if the packet is encrypted? What if we’re a dual-stacked IPv4 and IPv6 network? And what do we mean when we say, “Line rate”? We’re at speeds of 400Gbps now. So, which lines are we talking, and how many of them? By the way, if we’re analyzing packets at line rate, where are we keeping them? Do we have to build a massive storage array? None of these problems are new, and the more data we put on the network, the more challenging line rate deep packet inspection becomes. Today we take a stab at it with our sponsor ExtraHop. Our guest is Mike Ernst, VP of Sales Engineering at ExtraHop. Mike has promised to put his engineering hat on today and keep his inner salesperson in the background. We discuss: * Commercial tools vs. Wireshark * The packet capture architecture required to get “every packet and transaction” * ExtraHop’s appliance family * How ExtraHop gets packets from the public cloud * Real-time analysis vs. investigating stored packets * Differences among flow data, telemetry, and full packet capture * How ExtraHop deals with encrypted traffic * Why an agent is required to decrypt TLS 1.3 traffic Show Links: ExtraHop ExtraHop.com/packetpushers Follow ExtraHop on Twitter

DNS, DHCP, and IPAM. That’s DDI. DDI systems work together to maintain sanity for your IP naming and addressing schemes. If your idea of DDI tracking is a spreadsheet you update when you think of it, you’re not doing it all that well. And if you are trying to move into network automation, you’re really going to struggle trying to use a manual spreadsheet as a data source. Our sponsor today is BlueCat Networks. BlueCat is a DDI platform that can help you get control of your IP addressing world, and is automation-friendly. In fact, BlueCat is announcing integrations with Cisco DNA and ACI, adding yet more functionality to the automation these systems already bring you. Joining us today to talk about BlueCat Networks and automation is CTO Andrew Wertkin. We discuss: * BlueCat’s IPAM, DNS, and DHCP (DDI) platform * Why and how DNS and IP addressing ties into enterprise automation * How BlueCat works with third-party operational tools via APIs * The role of IP infrastructure management in public cloud * How operations and security teams can leverage DNS * New integrations with Cisco DNA and ACI * More Show Links: BlueCat Networks BlueCat Networks on Twitter BlueCat Networks Blog

Today’s Heavy Networking looks at sources of network truth. Specifically, with NetBox. What is NetBox? To quote netbox.readthedocs.io: “NetBox is an open source web application designed to help manage and document computer networks. Initially conceived by the network engineering team at DigitalOcean, NetBox was developed specifically to address the needs of network and infrastructure engineers.” NetBox is growing in popularity among networkers. Here to talk to us about why NetBox is so great is John Anderson. He’s a network automation engineer at NetworkToCode, and a NetBox contributor. We discuss: * What NetBox is – IPAM and DCIM (Data Center Infrastructure Management) software * What NetBox is not – a network management system, a network discovery tool, or DNS/DHCP server * How to deploy NetBox * How you model the intended state of your network and import data to it * The kinds of information it can contain and what you can do with it * Its support for IPv6 * More Sponsor: Open Systems In the crowded SD-WAN market, don’t overlook Open Systems. Open Systems brings security, automation and expert management to let you focus on other aspects of your network. Get visibility, flexibility and control combined with performance, simplicity and security with SD-WAN from Open Systems. To find out more, go to www.open-systems.com/packetpushers. Sponsor: Tufin Tufin has pioneered a policy-based approach to network security management using automation and analytics. As a result, you can make network changes in minutes instead of days, reliably and securely. Tufin. The Security Policy Company. Find out more at tufin.com. Show Links: NetBox John Anderson on GitHub NetworkToCode

Today’s Heavy Networking was recorded at Gluware Intent 19, a live event in New York City sponsored by Gluware. The Packet Pushers dive into network automation, learn about Gluware’s capability to bring automation into brownfield environments and derive business intent from existing networks, and explore real-world use cases from customers Merck and Terracon. Our guests are Jeff Gray, CEO of Gluware; Michael Haugh, VP of Product Management at Gluware; Jamie Hughes, Infrastructure Architect at Terracon; and Salvatore Rannazzisi, Associate Director, Merck. We discuss: * What Gluware means by intelligent network automation * The concept of intent engineering and how Gluware derives intent from your existing networks and configurations * How Gluware differs from standalone tools such as Ansible * Working with multi-vendor networks * Real-world use cases from Merck and Terracon on configuration management, OS upgrades, and more * The technical and human challenges of automating an enterprise network * Lessons learned on bringing automation into production Show Links: Gluware Packet Pushers Gluware Intent 19 Live Stream – YouTube

Today’s Heavy Networking is all about VyOS, an open-source OS for routing that’s based on Debian GNU/Linux. VyOS “provides a free routing platform that competes directly with other commercially available solutions from well-known vendors. Because VyOS is run on standard amd64, i586 and ARM systems, it is able to be used as a router and firewall platform for cloud deployments.” Here to catch us up on VyOS is Yuriy Andamasov, the project coordinator. We discuss: * VyOS’s origins (it’s a fork of Vyatta Core) * Primary features, including routing, firewalling, NAT, QoS, VPN and more * Routing protocols supported, including FRR * Where it’s being deployed * Use cases Sponsor: ExtraHop ExtraHop is the enterprise cyber analytics company delivering performance and security from the inside out. ExtraHop offers complete visibility with machine learning to help you make quick, confident decisions about your IT environment. Explore the ExtraHop Performance Platform at extrahop.com/packetpushers. Sponsor: INE If you’re looking for training, consider INE.com. INE is a training resource for networking and a whole lot more. Visit ine.com/packetpushers to get a free 3-day trial. INE–experts at making you an expert. Show Links: VyOS VyOS blog VyOS docs VyOS Appliance – GNS3 VyOS Project 2019 – March Update – VyOS.io

On today’s Heavy Networking our topic is Web application firewalls (WAFs). Which, in the traditional sense, are neither web applications nor firewalls. So what are these strange creatures? If my company doesn’t have one, should I go to the pet store and get one? Will they bite me if I’m not careful? What does a web application firewall eat? Helping us understand how to feed and care for our very own web application firewall is Scott Hogg, who you might know from the IPv6 Buzz podcast, part of the Packet Pushers podcast network. We discuss: * How a WAF differs from typical firewalls * The security problems WAFs try to solve (protecting vulnerable Web apps) * How WAFs are deployed * The architecture of a typical WAF * Operational challenges * How attackers bypass WAFs * The role of WAFs in cloud applications * More Sponsor: ITProTV Get over 65 hours of free technical training from ITProTV. ITProTV offers online instruction in CompTIA, Cisco, VMWare, Microsoft and more. You can stream courses live and on demand on your favorite device. Sign up for a free membership at itpro.tv/packet-pushers and try it with no obligation. Sponsor: Cumulus Networks If you’re future-proofing your network, why go with legacy infrastructure? Cumulus Networks offers networking software for the open, modern data center, giving you the option to choose the new way every time. Find out more at cumulusnetworks.com/modernize. Show Links: Scott Hogg on Twitter Hexabuild IPv6 Buzz Podcast Scott’s Network World author page Scott’s Infoblox author page Web Application Firewalls and IPv6, Scott Hogg – Network World The Open Web Application Security Project (OWASP) The Web Application Security Consortium (WASC) Web Application Firewall Evaluation Criteria (WAFEC) WAF Criteria – ICSA Labs (PDF)

In today’s sponsored Heavy Networking episode, Juniper Networks’ Contrail SD-WAN is on the agenda. We get a detailed look at how Contrail SD-WAN operates, examine key security features and capabilities, and explore new options including Contrail SD-WAN as a cloud service managed by Juniper. We also examine Juniper’s competing differentiators, including scale, a focus on app Quality of Experience (QoE), the ability to customize the solution, and how Contrail SD-WAN can extend into the branch LAN and Wi-Fi networks for management and security. Our guest is Tony Sarathchandra, Director of Product Management at Juniper. We discuss: * How Juniper’s SRX and NFX fit into the solution * The role of Contrail Service Orchestration * Investment protection in the solution * Juniper’s ability to scale to more than 10,000 endpoints with a single SD-WAN controller * Built-in security features and the ability to integrate third-party security software and services * Juniper’s new cloud-hosted solution * Integration with Mist APs and the Mist Cloud for operational visibility in the branch * More Show Links: Contrail SD-WAN – Juniper Networks Contrail SD-WAN: 15 Features In 15 Minutes – Juniper Networks via YouTube Contrail Juniper SD-WAN Solution – EANTC (report) Contrail Service Orchestration (CSO) Deployment Guide – Juniper Networks (PDF)

Building a networking career is challenging under the best of circumstances. Between keeping the packets flowing and lights on, there are certifications to pursue, problems to troubleshoot, and emerging technologies to grok. Those challenges can be compounded by your location. If you live in a small city or outside a major population hub, jobs may be scarce. Mentors and colleagues might be hard to come by. Opportunities to get your hands on new or different technologies and equipment could be limited. We’ve assembled a roundtable of engineers to talk about the challenges of developing a networking career and growing your expertise outside of the bright lights of the big city. Our guests are Phil Gervasi, Ryan Booth, and Eric Stover. We discuss: * How to cope with limited job options * How to make travel or telecommuting work for you * Where to find mentors, training, and community * How community engagement can get you that new opportunity * Potential upsides, including better quality of life, lower cost of living, and opportunities to wear many hats Sponsor: ExtraHop ExtraHop is the enterprise cyber analytics company delivering performance and security from the inside out. ExtraHop offers complete visibility with machine learning to help you make quick, confident decisions about your IT environment. Explore the ExtraHop Performance Platform at extrahop.com/packetpushers. Sponsor: ITProTV Get over 65 hours of free technical training from ITProTV. ITProTV offers online instruction in CompTIA, Cisco, VMWare, Microsoft and more. You can stream courses live and on demand on your favorite device. Sign up for a free membership at itpro.tv/packet-pushers and try it with no obligation. Show Links: Phil Gervasi on Twitter Networkphil – Phil Gervasi’s blog Ryan Booth on Twitter Moving Ones and Zeros – Ryan Booth’s blog Eric Stover on Twitter FF:FF:FF:FF:FF:FF – Eric Stover’s blog

Today on Heavy Networking, we welcome Open Systems, a new SD-WAN sponsor to the show. Open Systems is among the new breed of SD-WAN solutions emphasizing integrated security and SD-WAN as a service. We’re going to talk about what the Open Systems solution is all about, so that you walk away knowing why they should be part of your upcoming SD-WAN proof of concept. Our guest is Moritz Mann, Head of Product Management at Open Systems. We discuss: * Open Systems’ origins as an MSP and security provider * Its SD-WAN-as-a-service approach * The company’s architecture, including a controller, intelligent edge devices, and the overlay * Security capabilities, including a next-gen firewall, a Web gateway, and monitoring * The service’s threat-hunting capabilities * How Open Systems differentiates itself through customer service and security * Its support for routing protocols To see Open Systems for yourself, request a free assessment at https://www.open-systems.com/packetpushers. You can also get an Open Systems beanie and download a Gartner report on the economics of SD-WAN. Show Links: Open Systems Open Systems on Twitter Open Systems on LinkedIn Moritz Mann on LinkedIn

Today’s Heavy Networking introduces Nornir, an automation framework written in Python. Nornir provides a system to manage inventory and data, and provides glue code to tool such as Netmiko and Napalm. We chat with three Nornir developers to explain to us what the heck a framework is, what I’m supposed to do with the Nornir framework, and how Nornir fits in with my other automation tools like Ansible, among other things. Our guests today are David Barroso, a Principal Engineer at Fastly; Kirk Byers, Founder of Twin Bridges Technology; and Dmitry Figol, a Systems Engineer at Cisco. All three guests help maintain Nornir. We discuss: * What the Nornir name means * Nornir’s capabilities * The difference between a framework and a library * What problems it helps solve * How it works with Netmiko and Napalm * How it compares to Ansible * Installation and Nornir basics Sponsor: ITProTV Get over 65 hours of free technical training from ITProTV. ITProTV offers online instruction in CompTIA, Cisco, VMWare, Microsoft and more. You can stream courses live and on demand on your favorite device. Sign up for a free membership at itpro.tv/packet-pushers and try it with no obligation. Sponsor: Cumulus Networks Cumulus Linux allows you to affordably build and efficiently operate your network like the world’s largest data center operators, unlocking vertical network stacks. Combined with Cumulus NetQ, an operational management tool, organizations can take advantage of deeper analytics and advanced telemetry to increase visibility across the network and reduce mean time to resolution. Find out more at cumulusnetworks.com/epicpushers. Show Links: Nornir

Today’s sponsored Heavy Networking episode is a two-part conversation about SD-WAN and security; namely, how SD-WAN vendor Silver Peak has partnered with Zscaler, which operates a cloud-based security service, to give customers more options to inspect their WAN traffic without having to backhaul to a data center. In part one, we talk with Nuffield Health, a U.K.-based healthcare company to get a real-world perspective on how this Silver Peak and Zscaler partnership works in production. We discuss the business drivers for cloud-based security inspection, which traffic gets sent to Zscaler, whether the scanning affects performance, and why Silver Peak’s service chaining and app ID capabilities were key. Our guest is Dan Morgan, IT Infrastructure & Services Director at Nuffield. In part two, we go deeper into the networking and operational impacts of using Silver Peak and Zscaler together, including how the two systems handle encryption, potential latency impacts, where and how incident response happens, and day-to-day management. Our guests for this section are Damon Ennis, SVP of Products at Silver Peak; and Steve House, Vice President of Product Management at Zscaler. Show Links: SD-WAN Demo – Silver Peak Silver Peak on Twitter

Today’s Heavy Networking is the result of a listener request. We discuss the differences between network architects and network engineers. What’s different about each role? Where is the overlap? If you are an architect and find yourself doing engineering, is that a bad thing? Should an engineer aspire to be an architect? Are architects so out of touch with reality that engineers rightfully hate them? If an architect and an engineer pass each other in the hall, does the engineer have to kiss the architect’s ring every time, or just the first time? To answer these questions, we’ve gathered guests who’ve held both roles in their careers (as has your host). Our guests are Robin Gilijamse, IT Infrastructure Architect; Oli Elliott, Network Architect at the University of Bristol; and Tom Ammon, Sr. Network Architect at a regional service provider in the United States. We talk about: * The definitions of an engineer and an architect * The path to becoming an architect * The perspective of tactics vs. strategy * Whether you have to give up hand-on networking * Why architects have to get more deeply involved with business requirements and nurture personal relationships * Advice for folks new to the architect role Sponsor: INE If you’re looking for training, consider INE.com. INE is a training resource for networking and a whole lot more. Visit ine.com/packetpushers to get a free 3-day trial. INE–experts at making you an expert. Sponsor: Open Systems Open Systems brings security, automation, and expert management to SD-WAN. Get visibility, flexibility, and control combined with performance, simplicity and security with SD-WAN from Open Systems. To find out more, go to Open-systems.com/packetpushers and get a free beanie and a Gartner report on the economics of SD-WAN. Show Links: Robin Gilijamse’s blog “Interesting Traffic” Tom Ammon’s blog