BGP Nuts - The Crazy Metric Story

Recently ran into an interesting BGP behavior. In order to convey the issue, I have oversimplified the design.

R2 (AS 100) has a network host 22.22.22.22/32 which is trying to reach R7 (AS 200) attached network host 77.77.77.77/32. 

As you can see, between AS 100 & AS 200 we have multiple exit points for the purpose of redundancy. However the interesting twist here is that those BGP next hops are learned from different IGPs.

54.0.0.5 <- Learned from EIGRP

63.0.0.6 <- Learned from OSPF

Given the scenario, what you think about which BGP route and next hop would make into the routing table ?

Well...most likely the answer would be BGP next hop learned from EIGRP because (Assuming... 1. " no auto-summary " is now default for EIGRP (resulting into same Prefix Length for route) , 2. EIGRP AD is 90 compare to OSPF Intra Area route which has AD 110. So based on theory how Router Process this information, the EIGRP learned Next hop (54.0.0.5) should be the one picked up by BGP Best Path Selection Algorithm and should be picked up as the best route over OSPF learned Next Hop (63.0.0.6)

All good ? ... Let's look at the BGP RIB to find it out and How IGP next hops are processed based on standard BGP Next Hop Processing approach that we know from standard BGP theory. Also let's run a quick traceroute towards 77.77.77.77 sourcing from 22.22.22.22 on R2

Now sure if you expected that...right ? :)

From BGP RIB standpoint we can clearly see that BGP route that's making into routing table & FIB essentially is the one that has OSPF learned BGP next hop.

Here is what our OSPF database looks like

Let's do a basic failover test by shutting down interface g6/0 on R3 

So things works fine and as expected here, so let's "un-shut" the interface in order to dig deeper into the behavior ( a little unexpected one)

So why this behavior ?...Well this is where BGP plays a little dumb. It actually ends up comparing METRICs across two IGPs since it doesn't have view of EIGRP Topology Table and OSPF Link State Database. Now if you go back and check IGP metrics for next hops learned from EIGRP vs. OSPF, The metric for EIGRP route is pretty high (in numeric ) as 3072 vs. OSPF route as 2 (Refer to first CLI screenshot in the post)

Now what if we make the OSPF metric look bigger than EIGRP by manually increasing OSPF cost to see if that would allow R2 to install EIGRP learned route as best route

And Yes it works as expected this time too :)

Now for fun let's make the metrics look same by again changing the OSPF cost manually

Well that works too as expected. Now interesting question here is - Since IGP metrics learned from OSPF and EIGRP look same, can we turn ON " i-BGP Multipath " and achieve load balancing.

Let's try that 

Well that works well too and as expected.

One of the problem incase you haven't noticed yet with this design is - Assume the path through OSPF has many more hops added before you reach to the OSPF learned BGP ASN exit point. Since OSPF cost metrics are much lower value compare to EIGRP, You will end up taking sub-optimal path from R2's standpoint in this case which may not be desired behavior. Alternatively You can replace EIGRP with IS-IS and you will by default still end up following OSPF learned BGP next since in most IOS version 10 is the default IS-IS metric for each interface hop. Obviously in practice you should try to run Single IGP across AS 100 here to avoid such issues though M&A scearios are always interesting and challenging. :)

Try this with " DMZ Link-BW " for Unequal Cost Multi-Path and I am pretty sure it will be fun. BGP AIGP NLRI is another interesting bit if you care depending upon the design. 

And of course, the above mentioned logic doesn't apply to following design where we have single exit point being reachable through both IGPs

To learn some more around BGP anomalies and somewhat un-predictable behavior:

BGP Wedgies

BGP Anomalies 

And if You want to master BGP from Design Standpoint, I would highly recommend " BGP Zero to Hero Design Masterclass " from my friend Orhan Ergun

HTH...

A Network Artist

The Mythical "Networking Expert" Unicorn - Part 1

" Expertise is a Myth " - Yes you read that right !!!

Recently there were couple of different posts/threads going on over Linkedin where people were asking a very common question that most people in Networking/Technology industry struggle to answer and in most cases it only causes the them anxiety - " Since there are just too many new Technologies & Solutions those have surfaced in last couple of years, how do I stay relevant moving forward and what should I focus on? "

While the easiest answer you always hear from people would be " It depends" and they are probably right (Let's keep it for another post as it's not really as hard as a problem if you apply some science to it, "Yes there are proven methods" and you don't necessarily need to completely depend upon "what your gut tells you" which is what I guess 99% in real world would people rely upon, if you ever doubt that - Please be my guest to show me how you plan your career decisions in terms of a structured approach you follow to make those decisions).

Perhaps the 5 Ws is a good place to start.

Now on the same linkedin thread, many people suggested to follow T-Shaped skill set which essentially says - Be an Expert in few selective areas while continue to me a generalist in rest of areas.

Sounds plain, simple & logical - isn't it ?

But that leads us to another interesting question which is "How do I know if I am an Expert in a certain area?" - Since in general no one tells us how to gauge our expertise or perhaps the real question is "Does Expertise exists for real ?"

Here is what Wikipedia says -  "An expert is somebody who has a broad and deep competence in terms of knowledge, skill and experience through practice and education in a particular field."

Now as you can see, while those are some good statements and sensible ones too, they still don't tells us ways to measure expertise correctly. So still what we are struggling with is quantification of our Expertise persona.

Now obviously it just can't be unsolvable problem. But answer essentially lies in "How far you want to go on a quest to find these answers?" since it has its roots in Psychology, Critical thinking and many other places including:

- What's you motivation to be seen as an Expert ? Ever thought about it?

   In general it has it's roots spread across - Emotional Reasons, Psychological

   reasons, Social reasons, Financial reasons and so forth.

- Are you really trying to solve the real problem or just trying to address

   that in the realm of your own area of experience/expertise ?

- And in real world in order to do what I just mentioned above, you got 

   to step out of your comfort zone, So are you willing to do that?

- Since every environment has its own set of nuances involved including 

   its own set of constraints, one solution won't meet everyone's needs.

- Are you good at interacting with people or you are just comfortable 

   talking to Network devices and consider yourself as an introvert? 

- Are you keen to learn but more importantly put in practice lot of those 

   non-technical but essential skills which you would actually need to first  

    understand the problem landscape correctly?

- Are you keen to do actual hard-work to gather data points and validate 

   your understanding and hypothesis on a given topic or problem a

   statement? - Trust me, this is where 99% people usually fail as in most 

   cases they have lot of hypothesis and solutions which only they think 

   makes sense with no validation and Data to prove their point. And in

   many cases the data in question is too generic.

- Are you keen to constantly challenge yourself for good? (Since at times 

   it's a restless & never ending process - Though many enjoy that 

   pain being nerd)

- How do you find balance between Life, Work and Passion (Do you have 

   a method/approach to apply?)

- Do you have plans or just aspirations? (In my personal view aspirations 

   are 1000 kg a $ and plans are expensive)

- Are you another victim of Dunning Kruger effect or Big fish little pond 

   effect ?

- Are you in love with Problem or in love with Solutions? Unless a problem

    is very well defined, it can't really be solved or else your solution in 

    most cases would be just another duct tape which will fix something        

    temporarily but increase complexity by large margin.

- Are you open to listen and learn from other or you are the smartest 

   person in the room that knows the answers always? The most complex

   set of problems are solved best collectively rather than by just throwing

   your point of views into the equation.

- And last but not least - Are you willing to fail many times before you 

  succeed or even partially succeed? 

So as long as you have answers to those questions, that's a pretty good place to get started. :) , and if not - Keep continuing to play giant pretending game by projecting yourself as an Expert. :) ... since many people still love illusions or perhaps enjoy living under the rock.

Further stuff to go through: (Make sure you watch them few times)

https://www.youtube.com/watch?v=Hd_ptbiPoXM

https://youtu.be/g25jcvtjZjA

HTH...

A Network Artist

Do You Really Need VxLAN in a Modern Data Center ?

It started as a thread on Linkedin yesterday when someone posted a sort of glimpse of his free Cisco ACI training on linkedin. Later a Network Architect joined the conversation thread by asking the Original poster "Would you prefer ACI or BGP EVPN VxLAN based standard fabric ?". Of course the Architect suggested he would prefer BGP EVPN VxLAN fabric (That's mouthful man :) )

As usual out of my curiosity (without being a DCN expert - Yes I only worked on 3 ACI projects and Zero Cisco Nexus 9K BGP EVPN VxLAN fabric (VTS) so far), I asked this self proclaimed Network Architect another question...very basic in my view:

In modern Data Center context, Where in VxLAN actually plays an important role. Or is it just another snowflake in Networking realm in order to keep your App guys happy since you are not good at Saying " NO " and push them to build better Apps those works well on L3 vs. Sure guys, I can help you with L2 stretches for your App Clusters and for those totally broken old legacy Apps which only works on L2 best.

The point being:

1. Most modern App works well on L3 in conjunction with DNS
2. From Cloud Native Apps perspective, L2 shouldn't happen to begin with
3. vMotion works well on L3 since 6.x release
4. Inter DC Cluster using L2 are well known bad design practices (Some people tried it with even firewalls and failed miserably)
5. At least in my personal view, Most Enterprises still run MLAG or vPC thingy for server redundancy compare to perfect world (Original Hyperscaler ideas) where you either run Routing with Servers and VxLAN boundary starts from Hypervisor layer to avoid broken MLAG and STP implementations
6. Let's agree on L3 based transport is much better compare to L2
7. Perhaps we have seen enough DC meltdowns in past due to broken L2 and broadcast loops by now ?
8. Did you ever notice that most Hyperscalers DCs don't run VxLAN in their DC fabrics (Pick your favorite one) - https://engineering.linkedin.com/blog/2016/03/project-altair--the-evolution-of-linkedins-data-center-network
9. Perhaps there are good reasons someone like AWS and AZURE don't let you run VxLAN between your On Prem DC and Virtual DC they host (VMware on AWS is a corner case and rather a joint GTM thingy)
10. How many of your Use Case requirements are persistent vs. temp in nature ( Migration and Maintenance were always temp requirements in my view at least)
11. What value Bridging over L3 really has today to begin with
12. Shouldn't we rather focus on solving real problems instead of pretending 
13. Don't forget you can't have unlimited VxLANs in real world like most vendor slides tell you otherwise
14. Focus on your failure domains/blast radius and create a strategy to mitigate that - Which doesn't seems easy in VxLAN environment and more so in Controller based Clos Fabric (Single Plainer) running VxLAN
15. And since Overlays such as VxLAN seems to be the new norm in Enterprise DCs, Make sure you are familiar with some of well known Overlay Problems besides challenges such as Visibility, Security and so forth
16. Make sure you fully understand the VxLAN convergence process with EVPN added while understanding your dependencies on Physical Topology, Underlay Convergence and other nuances
17. Make sure you understand Leaky Abstractions & Grey Failures very well in context of VxLAN deployment
18. Understand some myths about Clos Fabric that your favorite vendor otherwise won't tell you - Part 1, Part 2, Part 3 & Fact Check

And of course I am totally ignoring:

• Level of complexity VxLAN and EVPN brings into Design...You either got to read through few books to become an SME or your must be Genius
• NSX over ACI never took off ... sort of
• Most VxLAN implementations are still vendor specific and ACI runs modified VxLAN header
• VxLAN & EVPN across multi vendors in Single environment... Good luck (Though things have improved a bit over time)
• MPLS & SR in DCN Fabric...Perhaps needs a separate discussion
• I am not aware of any strong one to one mapping in context of Overlay and Underlay correlation for simplified Day 2 and operations
• VxLAN vs Geneve (What NSX-T uses now) vs STT vs NvGRE (Assuming you love MS) vs Dove....Needs separate discussion
• This is not a scalability discussion but more around to find real world use cases for VxLAN
• MS Fabric today (Not Originally) does run VxLAN since 2015. Spoke to few MS friends, seems like Bing was Broken from APP designs perspective so they had to do it in order to Keep Business and App guys happy....BTW who runs Bing anyway :)
• If you are running HW VTEP with MLAG for servers. Perhaps you got to relook into your design and define what purpose VxLAN really serves
• We still got plenty of other HW and SW in DC context that don't understand VxLAN and more importantly have no HW acceleration
• Role of VxLAN offload on NIC, DPDK, SR-IOV and other stuff....perhaps needs a separate discussion
• HW and SW VTEP Integration and how broken those are...let's keep it for another day
• IPv6 DC/IPv6 Only DC and VxLAN v6... Perhaps need another thread
• Control Plane, Data Plane & Policy Plane Security in Context of VxLAN - Requires a separate discussion
• VxLAN Control Plane, Data Plane & Policy Plane in Multi DC, Multi Cloud and Active-Active DC - Needs separate discussion
• Control Plane & Data Plane Optimization in VxLAN Context - Broadcast Suppression, Conversational MAC address Learning,  BUM traffic (Watch out for those details in given implementation

So question remains - What value really VxLAN brings in the context of modern DC. (Please don't tell me scale, let's keep it as a topic of debate for another day) ?

Further Readings:

https://cumulusnetworks.com/lp/bgp-ebook/

https://cumulusnetworks.com/lp/evpn-data-center-oreilly/ 

https://blog.ipspace.net/2020/05/need-vxlan-transport.html

https://rule11.tech/simpler-is-better-right/

https://cumulusnetworks.com/blog/evpn-host/

https://cumulusnetworks.com/blog/evpn-underlay-routing-protocol/

https://cumulusnetworks.com/blog/evpn-pim-part-one/

https://cumulusnetworks.com/blog/evpn-pim-anycast-vteps/

https://cumulusnetworks.com/blog/vxlan-designs-part-1/

https://cumulusnetworks.com/blog/vxlan-designs-part-2/

https://cumulusnetworks.com/blog/asymmetric-vs-symmetric-model/

https://cumulusnetworks.com/blog/microsegmentation/

https://www.cisco.com/c/en/us/products/collateral/switches/nexus-7000-series-switches/white-paper-c11-735015.html

https://www.cisco.com/c/en/us/products/collateral/switches/nexus-9000-series-switches/white-paper-c11-739942.html

https://youtu.be/Oo7FnQxavmA

https://blog.ipspace.net/2018/09/vxlan-broadcast-domain-size-limitations.html

https://blog.ipspace.net/2019/02/loop-avoidance-in-vxlan-networks.html

https://blog.ipspace.net/2018/10/vxlan-and-evpn-on-hypervisor-hosts.html

http://www.yellow-bricks.com/2019/03/14/how-to-test-failure-scenarios/

https://www.linkedin.com/pulse/should-you-use-vxlan-data-center-definitely-how-why-think-starr/

HTH...
A Network Artist

Why You Shouldn't Bother About Having An Inbuilt LTE Interface In Your SD-WAN Device

Very often I have seen Clients and Network Engineers being very much concerned about having inbuilt LTE/4G interface into their SD-WAN device. Here is my take on why it shouldn't matter or perhaps should be one of those things you should avoid. Because:

1. They can hook external LTE Modem to SD-WAN device using ethernet hand-off. More importantly external LTE device can offer Dual SIM in Active Standby design from two different provider and even Active-Active setup.
2. External LTE connectivity provider can offer their service on MRC (Monthly Recurring Charges) model.
3. Most enterprises usually have partner/promotion plans from Mobile operators those can be leveraged.
4. Makes deployment easy and consistent in Global Scenario. You don't need to chase several Telcos and keep track of usage etc.
5. They offer few basic SD-WAN capabilities from their box natively.
6. They offer external Antenna connectivity as well. Most DC floors running SD-WAN device with inbuilt LTE interface are likely to face Signal coverage issues sitting behind thick walls.
7. Moving to 5G seamlessly becomes easy as you don't own HW and nor dependency on SD-WAN device itself
8. Management interface/EMS to monitor, manage and troubleshoot Mobile connectivity centrally and central help desk model
9. With inbuilt LTE interface you always need to verify Band and other compatibilities for given HW and SW version. External LTE interface through ethernet handoff takes that pain away and lower that risk.

Further Readings:

https://www.sd-wan-experts.com/blog/sd-wan-buyer-alert-the-hidden-costs-of-4g-lte/

HTH...

A Network Artist