VIRL versus Junosphere

I’ve been using Junosphere a lot recently, and it’s a great tool – quick and easy creation of topologies without the need to go to a physical lab to try things out. Takes the guesswork out of a lot of things, which is a real bonus. There are obviously a few things you can’t do in a virtual environment that would be possible in a real one (e.g. QoS, MTU greater than 2000 bytes, MS-MIC in an MX), but it caters for 80% of what you need.

I always thought that it put Juniper leagues ahead of Cisco because you can buy credits to use the system right on the front page. Cisco were late to the party with something called VIRL – Virtual Internet Routing Lab.  They were late, but rumour had it that a lot of developers moved from Juniper to Cisco to bring VIRL about.  However Junosphere always had the edge for the networking student (as we all remain, whether we are JNCIE or not) because of its accessibility – with VIRL you had to be a Cisco customer and gain access through your account manager.  I’ll stick with GNS3 thanks!

That appears to have changed now, and you can get access to VIRL ‘personal edition’ for $199 per year.  Now we’re talking.  Since it runs on Openstack, you can run up other third-party VMs alongside NXOS, IOS and IOS-XE.  Network Inferno has a nice guide on integrating Juniper’s vSRX (formerly Firefly) into VIRL, which looks pretty comprehensive, although I’ve not tried it yet.

I think need to get a copy of this – only problem is it needs me to get a new quad-core laptop with the virtualization extensions in the BIOS to replace my cranky old Lenovo.  Ho hum!

HSRP disaster

I’ve got a customer that has lots of VLANs on a pair of 6509s, each with an HSRP gateway that is in group 0. They also have a Firewall Services Module (FWSM) in there, operating in transparent mode – but I *think* this might be irrelevant.

What happened recently was that some goon put a server in the server VLAN with the IP address of the HSRP gateway. What seemed to happen was that the HSRP failed over – for ALL the VLANs, not just the one the server was in.

Is this normal, do you think? If all standbys use the same group number, do they all need to fail over if there’s a problem?

Odd thing was that the logs show one VLAN’s HSRP saying that (once the failover had happened) the active HSRP master had a different IP address from the one configured – the IP address was from another VLAN. Almost as though there was some leakage between VLANs at layer-2 maybe – the common virtual MAC address might have been recognised as being the other partner in the HSRP pair maybe?

Would welcome any thoughts.

We’re considering different HSRP groups, and maybe ARP inspection/ACLs to protect the gateway, but can’t make ARP ACLs work right now.

Multicast frustration.

Ugh!   Just been doing some testing with PIM sparse mode and run up against what is probably a code issue.

The situation – two routers connected together over ethernet.  R1 has ‘ip igmp join-group 230.0.0.1’ on its ethernet interface – this makes it a listener for that group.   R2 is a PIM bootstrap router (BSR) and rendezvous point (RP).   Now, I should be able to ping 230.0.0.1 from R2 and receive a response, but I wasn’t getting anything. Read the rest of this entry »

IP SLA-dependent static routing

Just for reference really: I needed to have a static route whose presence depended on the IP reachability of a host. If the host wasn’t there, the static route should disappear, and default routing take over. Read the rest of this entry »

vlan.dat location in Dynamips

Well – just began my CCIE SP study in earnest today – after almost a year of procrastination!

I got a dedicated Ubuntu box, and run Dynamips there.  GNS3 is running on my Mac, leaving the dedicated machine doing the hard work.

Read the rest of this entry »

Cisco launches the ASR 9000

Interesting news from Cisco this morning: they’ve just launched the new ASR 9000 – an aggregation services router aimed at providing scalable video delivery, increased mobile backhaul capacity and carrier ethernet services at the edge.

Read the rest of this entry »

Trunking and sub-interfaces on the same switchport

For some reason, I never knew that you could trunk and use a sub-interface on the same port of a Catalyst 6500, so I’m recording it here for personal reference.

What I wanted to achieve was to connect two 7600 routers over an Ethernet pseudowire (E-Line, EoMPLS circuit, AToM circuit, Martini circuit – whatever it’s called these days).   The reason I needed to do so was that the interveninig 6500 routers were only getting a default route via BGP from the 7600s. Read the rest of this entry »

Configuration lock in IOS

Just read a really nice guide to exclusive configuration mode access in IOS, written by Joe Harris.

Its a useful way of stopping other people pulling the rug from under your feet (while you’re busy scratching your head about some route-map or other).

Really simple policy-routing in IOS

For some reason (and for quite a long time) policy routing seemed a bit of a scary subject.  I’ve noticed other people don’t like it very much either, but it is actually not all that bad. Read the rest of this entry »

MTU setting differences between 7600 and ME3750

Just for personal reference really:

The ME3750 has several ways of setting the MTU: Read the rest of this entry »