Tim Shotton on LinkedIn: Cisco SDA L2VNI.. What is it and why is it needed? 💭 As we move away… (2024)

A trip to Liverpool on Saturday turned out to be the world’s saddest Easter egg hunt for me.. Spotting Baltic Broadband / Matt Wilson fixed wireless access solutions across the city 😂This just goes to show the power of branding I guess, once you’ve seen the red ‘Baltic Broadband’ sticker on a Ubiquiti Nanobeam once, you don’t stop seeing it! 😅Some really cool connectivity solutions coming from these guys 🤓

27

3 Comments

Been a busy one this week 😮💨Started off migrating perimeter services over from some legacy core Nexus 7710s onto some new Catalyst 9500-32Cs for a customer. A mid-week date day with the wife to celebrate our 2nd wedding anniversary and wrapped it up by migrating some ACI L3outs (and upping them from 40G too 100G) to the 9500s along with some failvover testing to ensure those new core switches behave how we expect them to during failure scenarios!Some multi-domain SDA/ACI/WLAN macro-segmentation testing to look forward to next week ahead of migrating a patient bedside monitoring system into SDA in the coming weeks. Now to carve some time out of the weekend back to working my way through Narbik Kocharians CCIE lab workbook!Happy Friday Folks 🥳

62

6 Comments

How do you migrate a hospital network from old to new?Just like teaching my toddler how to make me a flat white, really f*cking carefully. Some interesting stats you may not have thought about before.. The 9s of availability. What does this 99.999% uptime actually mean?99% = 3d 14h 56m 18s downtime per year 99.9% = 8h 41m 38s downtime per year 99.99% = 52m 9.8s downtime per year99.999% = 5m 13s downtime per yearWhen planning migrations to move to a new network, it is important that the network stays as available as possible throughout the project.This can be achieved using various methods depending on the network. In most cases where entirely new kit has been purchased and the environment allows, it is possible to stand up a new core, SDA fabric and ACI fabric in parallel to the legacy network and devices will be migrated over. This causes potential issues where layer 2 networks are being migrated to layer 3 routed designs.. How do you maintain that layer 2 extension for the period of migrations? In the SDA campus, we want to use as big of a data pool as possible for ordinary endpoints to migrate into but this isn’t always possible for some subnets. There may be devices that have static IP addresses and it is too costly to pay the 3rd party supplier to re-address these so the subnet has to move into the fabric (Other reasons also exist). Once the gateway is moved into the SDA fabric and becomes an anycast gateway it can’t coexist in the legacy environment. We need to extend layer 2 back into the legacy network so all devices on the layer 2 segment can still communicate with the gateway and the devices inside the fabric until all have been migrated.. To overcome this, we make use of a dedicated layer 2 border which will hand layer 2 off to the legacy network. These pools will require layer 2 flooding within the SDA fabric during the migration period to facilitate BUM traffic. The layer 2 border will be removed once all migrations are complete and layer 2 flooding will be switched off in these fixed subnet pools.A similar technique is used in ACI. We create L2outs which are effectively a trunk between a border leaf switch and the legacy network. This allows the layer 2 domain to be extended to the legacy environment as we migrate servers into the fabric. Bridge domains are created (Think of this as a VLAN) and enabled for flooding within the BD to allow BUM traffic to extend to the legacy network from endpoints within the fabric. Gateways are migrated into the fabric by enabling the bridge domain for layer 3 and L3outs are selected to route this traffic out of the fabric. The L2outs are removed once all servers have been migrated.Using these techniques allows us to migrate endpoints to the new network as seamlessly as possible maintaining that network availability across the hospital. There’s a lot to consider and a lot of gotchas waiting for you to add that little bit of extra stress to a change 🤣

37

I’ve seen my LinkedIn network grow a fair bit in the past few weeks and as I now scroll my feed, it’s amazing to see the amount of knowledge out there amongst the network engineering community. I’ve not been one to focus on the ‘other’ type of networking before, often siloing myself into a hole, but I am starting to see the power of just interacting more with others for sure. Really enjoying connecting with others, and hopefully surrounding myself with as much knowledge as I can will pay off with my own development! Happy Thursday✌🏻

30

Testing, 1, 2, 3 ‼️As the great Jeremy Cioara once said, two is one, and one is none when it comes to network resilience.Before we can enter any new kit into production, we have to be sure it will behave as expected and ensure that is configured correctly. How do we do this? Test, test and test.One of the most fascinating things I found as I got into network engineering was fault tolerance and convergence. That fascination grew more as I progressed through topics.. HSRP, nice.. OSPF, okay cool.. EIGRP, wow that was quick.. BGP.. Ermmm, feels like things have been down for a while.. Oh wait, this thing called BFD exists, boom, that’s quick.. Hospitals require as close to an always-on network as possible and that is achieved within the campus in several ways. Using Cisco SDA, we are able to make use of anycast gateways within the fabric, no need for FHRP here! From each fabric edge switch, we use a minimum of 2 uplinks to separate intermediate switches and through the use of ECMP using IS-IS along with BFD, we achieve sub-second failover should we lose an uplink or an uplinking switch. Moving up to the Fabric Border layer, these utilise BGP to handoff prefixes to the network external to the fabric. By design, BGP is a slow protocol to converge. As an exterior gateway protocol, BGP wants to be sure the network is stable rather than converging as quickly as possible. A link flap within an OSPF area causes an SPF calculation across the entire area.. You wouldn’t want that to happen across the internet right?! The internet is never really converged.. Within the campus however, we want quick convergence here, so we utilise BFD across every BGP peer to ensure a link going down or losing a switch will result in once again, a sub-second failover.. It is imperitive that failover scenarios are tested thoroughly and tested against various different failure causes. This is key to knowing the network will behave as predicted and give you re-assurance that your network will keep running smoothly in the event of maybe even a whole DC room outage as the other room will keep you going! There are other areas where the “two is one and one is none” phrase comes in..- 2 DC rooms, not one- 2 power feeds, not one- 2 power supplies, not one- 2 geographically separate fibre runs between DCs, not one - 2 ISPs using different circuits, not oneI think you get the drift? Obviously, achieving resilience is always a balance between cost and risk.. While a small branch might not need full redundancy, a hospital absolutely does. This is the importance of correct network design and finding the right solution for the business’ needs.

350

15 Comments

Make network engineering cool again! 🤓That’s a pretty common sentence I keep seeing in LinkedIn posts recently and it got me thinking, what made me think network engineering was a cool career? I think a lot of network engineers end up in this career accidentally and I am no different.. Back when I was a break/fix field engineer, I one day volunteered to help with an office move which happened to involve some repatching in a comms room.. I’d never been in one before and as soon as I entered I remember being mesmerised by all of the green flashing LEDs and thought THIS IS COOL. After a closer look at the switches I found the Cisco logo, did some research, immediately started studying for my CCNA (that same night) and the rest is history! A visit to one of our customer data centres a few weeks back brought this super simple ‘cool’ feeling back as I entered while the lights were off.. I couldn’t help but take a picture 😅Something so simple set off a chain reaction to lead me to a career that I didn’t even know existed! I know college courses offer networking as a part of computer studies these days but I can’t help thinking every school should include a visit to one of their comms rooms as part of ICT lessons and a brief introduction at least, to the world of networking.. After all, all the ‘cooler’ IT careers all require the same thing to work.. A network! I’m always so intrigued to hear how everyone else ended up on this path 🤔

48

Failure to Launch 🫣Since I started studying networking, from my first CCENT exam to my most recent ENARSI exam, my biggest challenge has been getting started…I believe many learners face this issue. However, I've recently become better at minimizing distractions and overcoming procrastination. A key takeaway from reading "Atomic Habits" is that it's easier to make distractions more effortful to engage with than to rely on sheer self-control to resist them.Here are some strategies that work for me:- Notifications: Off- Phone: In another room- Music: MinimalistWhen I apply these methods, I'm always amazed at how deeply I can focus on my studies or work.And of course, I'm using my Pomodoro break to write this post, not procrastinating, I promise!

84

6 Comments

As the networking landscape is evolving rapidly, it’s becoming increasingly more apparent that the network engineer role as we once knew is changing to be more of a solutions engineer.. No longer can the sole focus of our role be just routing & switching, we need much more awareness of the whole solution stack.. So this weekend I have been delving into ISE more than I have done before and looking at the micro segmentation abilities of SDA rather than just the macro segmentation that I am used to configuring previously.So far in my lab, I have integrated ISE into Catalyst Center and configured dot1x to authenticate my clients onto the network and configured GBAC to use the SGT matrix in Catalyst Center and I can see the matrix update in ISE. On the agenda today is to get TrustSec working and ensuring the clients are receiving the correct SGT and policy is assigned and then test connectivity between endpoints!

31