East West Segmentation With ACI


dome-664000_640East/west segmentation is required in the data center to protect backend networks from each other. Segmentation is often implemented using ACLs between VLANS on your core switch. The ACLS are maintained by network or security engineers but define the flows permitted between hosts or host classes. Continue reading

Thoughts on leaving Amazon

Hi All,

I left Amazon in late 2015 to become an independent contractor. I took a contract working for a small managed service provider, which was closer to my home and offered a more family friendly schedule. It wasn’t an easy decision to make. I knew that I was going to miss some really cool colleagues, some fascinating nerdy discussions and a very tough, but massively effective thought-system.

The network I’m currently working on is tiny when compared to Amazon’s but most networks are. I’m back to figuring out the messy work of taking over projects in the deployment stage and trying to squeeze advanced features out of enterprise hardware. I’m working within a different set of constraints. Continue reading

Redistribution of named and tagged static routes

Redistribute named and Tagged Static routesI always name my IOS static routes as a best practise. However I hit a syntax issue last week when I tried to combine the named static with a tag, then redistributing that tagged static route into OSPF. If you have issues redistributing a ‘named and tagged static’ then this may be the post for you.

The simplified config snippet below is configured on SW1 (cisco 3750X). This config will match all static routes tagged with ‘200’ and redistribute them into OSPF. I could have avoided this whole issue if I used a prefix list to match the routes, but I think tag-and-match is a more efficient and less-error prone approach.

Continue reading

Basic network change control process

Make your own change controlScenario: You are an engineer who runs a managed network on behalf of a customer. Your manager has asked you to create a change control process. Your customer and your manager will measure you only by the uptime or outages they experience, and don’t care what your process looks like.

I’ve discussed why we need change control in a previous post. Knowing this, what sort of process would you create? I this post I provide a high-level template and some tips. Continue reading

Network change – who is in control?

Network Change

Nothing sparks engineering debate quite as much as ‘network change control’. It’s one of those topics we love to hate. We feel buried by useless bureaucracy. We ask, ‘Why can’t our managers just trust us, instead of weighing us down with meaningless process and red tape’?

Comfort Zone


This may be a controversial perspective but I think we’ve gotten exactly what we deserve. We endure heavyweight change control procedures because when we make network changes we break stuff. We break stuff in truly spectacular ways, in ways we could never have predicted. We hit weird bugs, asymmetric configuration, faulty hardware, poor process, or we just have a brain fart/fat-finger/etc.

Continue reading

VTY ACLs don’t block HTTP/S access

A VTY ACL doesn't control https accessI was doing some testing on a 3750X and saw that the http and http services were enabled. I knew that you could apply an ACL to restrict HTTP access, but had assumed that the HTTP security was an optional extra on top of the VTY ACL.

I tested this … and found out I was wrong. Although http(s) uses the same inband access path as SSH, web admin is not restricted in any way by VTY ACLS.
This will be quite obvious to some readers but it wasn’t for me, so I’ll assume at least one other person on the interwebz had the same issue.

Continue reading