Tagged: Networking
47 posts · browse all tags
-
Ansible Deep Dive Part 1: What Ansible Is, and Why Agentless Still Wins
Kicking off a thirteen-part Ansible series. Part 1 covers what Ansible actually is, the push-based agentless model and why it still matters against Chef/Puppet/Salt, the control node/managed node mental model, installing Ansible, and your first ad-hoc command against a real inventory.
-
Ansible Deep Dive Part 2: Inventory — Static, Dynamic, and Everything In Between
Part 2 of the Ansible series: INI vs YAML inventory, groups and nested groups, host_vars/group_vars, patterns and limits, and moving to dynamic inventory plugins (AWS, and a network-specific example) once static files stop scaling.
-
The Three Planes: Management, Control, and Data — and Why Every SD-WAN Argument Comes Back to Them
A vendor-neutral primer on the management, control, and data planes — what each actually does, why management-vs-control is the distinction everyone blurs, and a three-question test you can run against any SD-WAN platform regardless of vendor.
-
Cilium: Kubernetes Networking and Security Built on eBPF
Cilium replaces iptables-based kube-proxy and overlay CNIs with eBPF programs on the kernel datapath. Connects back to namespaces, veth pairs, nftables, and eBPF/XDP, then covers identity-based network policy and Hubble observability.
-
Nmap and the Scripting Engine: A Network Engineer's Field Guide to NSE
Nmap's scan engine and NSE scripting framework are as useful for firewall change validation and inventory work as for security assessments. Covers scan types, timing, NSE categories, writing a custom script, and practical recipes for network engineers.
-
Local Internet Breakout in Practice: SD-WAN Zones, Rules, and a Multi-VRF Guest Wi-Fi Walkthrough
How SD-WAN zones, members, and performance-SLA rules actually decide where a session breaks out — and a full walkthrough of giving Guest Wi-Fi its own VRF, its own zone, and a local internet path that never touches the corporate tunnel.
-
Fortinet SD-WAN Hub Placement Part 1: The Traditional Model — Hubs in the DC
Why hubs traditionally sit in the DC, the job they actually do there, how they protect FMG/FAZ, and how BGP on loopback ties it together. Part 1 of a series that goes on to challenge the assumption that the hub belongs in the DC at all.
-
Fortinet SD-WAN Hub Placement Part 2: The MSSP Shift — When the Hub Becomes Customer-Centric
What changes when one FMG/FAZ pair manages many customers through ADOMs: the hub stops being "the DC's hub" and becomes a per-customer design decision, with its own routing domain, AS plan, and placement logic.
-
Fortinet SD-WAN Hub Placement Part 3: Cloud, SASE, and the Death of "The DC" as the Default
Closing out the hub-placement series: what changes about hub design when the destination is Azure, AWS, or GCP rather than a DC, and what changes again for customers migrating from a DC-centric WAN to a SASE-centric one.
-
From DSCP to Deep Packet Inspection: Why SD-WAN Application-Aware Routing Killed Traditional QoS
A deep technical comparison of legacy QoS (DSCP/CoS, static priority queues, box-by-box CLI) against SD-WAN Application-Aware Routing — plus a vendor-by-vendor breakdown of how Cisco Catalyst SD-WAN, Fortinet, Juniper Mist (128T), and VeloCloud actually identify and steer application traffic.
-
The Packet Never Lies: Advanced tcpdump Recipes for the Enterprise Engineer
Bitwise BPF masking, enterprise recipes for asymmetric routing and retransmission hunting, a safe SSH-to-Wireshark live-streaming setup that won't loop your own session, and a cross-vendor capture map spanning Debian, Cisco IOS, FortiOS, Junos, and VeloCloud.
-
The Ultimate FortiOS CLI Reference for the NSE 4 Exam – Part 1: System Health & Routing
Part 1 of a 3-part deep-dive CLI reference for the NSE 4 exam. Covers get system status, get system performance status, interface and NIC diagnostics, the routing table RIB vs FIB, ARP, and ping-options — with live output breakdowns and exam-pressure indicators for every command.
-
The Ultimate FortiOS CLI Reference for the NSE 4 Exam – Part 2: Session Table & Packet Flow
Part 2 of 3 in the NSE 4 CLI reference series. Deep-dives into FortiOS session table internals — filtering, reading, and clearing sessions — then covers the packet sniffer verbosity levels 1–6 and the full debug flow chain with line-by-line breakdown of successful vs. dropped traces.
-
The Ultimate FortiOS CLI Reference for the NSE 4 Exam – Part 3: VPN & HA
Part 3 of 3 in the NSE 4 CLI reference series. Covers IPsec VPN diagnostics (IKE gateway state, tunnel SAs, SPI counter discrepancies), SSL-VPN authentication traces, and HA cluster mechanics — election criteria, heartbeat state, and configuration synchronisation verification via checksum hashes.
-
BGP Route Dampening Part 1: The Flapping Problem, Exponential Decay, and Cisco Configuration
A deep dive into how BGP route dampening works: the 1990s internet instability that created it, the exponential decay algorithm behind it, every Cisco parameter explained, and a full configuration and verification reference.
-
BGP Route Dampening Part 2: RFC 7454, BFD, and Where Dampening Still Belongs
Why the IETF now discourages global BGP route dampening, how Bidirectional Forwarding Detection interacts with it, what RFC 7454 actually says, and the specific modern scenarios where dampening remains the right answer.
-
SDWAN Resilience Part 1: Design and Assumptions
A multi-part deep dive into building a resilient Fortinet SD-WAN on a real, slightly unfashionable topology — HA FortiManager, dual hubs in active/standby, no DCI, and an independent DCE. Part 1 lays out the topology, the AS plan, and challenges the design choices up front.
-
SDWAN Resilience Part 2: BGP on Loopback
Why we peer BGP on loopbacks instead of tunnel-interface IPs, the FortiOS dynamic-IPsec config that makes it work, the spoke-side reciprocal config, and why hub-to-hub iBGP is the wrong answer in a no-DCI active/standby topology.
-
SDWAN Resilience Part 3: DC to DCE Routing — Static, OSPF, and BGP
The hub FortiGate has to glue the spoke overlay to the data-centre environment that hosts the services. Static, OSPF, and eBGP each work — but only two of them fail correctly when the DCE peering goes down on one DC and not the other.
-
SDWAN Resilience Part 4: BFD and Convergence Tuning
Default BGP timers detect failure in three minutes. That's unacceptable for active/standby SD-WAN. This post is the timer-math: DPD vs BFD on tunnels, BFD-for-BGP, holdtime ratios, the Graceful Restart trade-off, and what convergence numbers each combination actually delivers.
-
SDWAN Resilience Part 5: Performance SLAs and Service Steering
BGP and BFD catch every failure that takes a tunnel or session with it. They don't catch the failure where everything looks healthy at the network layer but the application is gone. That's the gap SD-WAN Performance SLAs fill — and the place where careful health-check design earns its keep.
-
SDWAN Resilience Part 6: Building It Right — Full DCI and Dual-Active ADVPN
The first five parts defended a topology with real constraints. This final post is the version without those constraints — Fortinet's reference design: full DCI, dual-active ADVPN, iBGP between hubs, symmetric routing, ECMP across both paths. The full shebang.
-
Designing an Arista SD-WAN Spoke with Enhanced HA, Dual DIA, and OSPF
Building a resilient Arista (formerly VeloCloud) SD-WAN spoke: two Edges in Enhanced HA, two DIA circuits wired the optimal way, a multi-VLAN LAN, OSPF for route exchange, and the caveats that bite in practice.
-
Adding Vendor Route-Table Parsers to route-compare, and Why the Work Lives on a Branch
A follow-up on the route-compare tool: I taught it to read raw show ip route, get router info routing-table all, show route, and show routing route output directly — no Excel cleanup step. The work lives on a branch rather than on main, and this is why.
-
Comparing Route Tables Between Two Sources: A Small Python Tool for Audits and Migrations
A self-contained Python utility that takes two Excel route lists, normalises every prefix through ipaddress, finds exact matches and overlaps, preserves invalid entries for audit, and writes a colour-coded Excel report plus CSVs. Includes install guide and full source.
-
NSE5 Exam Syllabus: Study Roadmap (Part 1 of 10)
Part 1 of a 10-part study series for the Fortinet NSE 5 / FCP FortiManager Administrator certification. Covers the exam logistics, the official curriculum grouped into topic buckets, and the roadmap for the rest of the series.
-
Resilient DNS at Home: Building an HA Pi-hole Pair on Raspberry Pi
A complete walkthrough for installing Pi-hole on a Raspberry Pi running current Raspbian, then turning a single box into a highly available pair using keepalived and Orbital Sync — with the config examples and show commands you'll actually use.
-
Building a FortiManager Lab on Proxmox — Part 3: Proxmox Networking, Linux Bridges, VLAN-Aware Bridges and SDN for the Lab
Part 3 of the FortiManager-on-Proxmox series. Designs the four-segment lab network, compares Linux bridges, VLAN-aware bridges and Proxmox SDN, walks through the /etc/network/interfaces shape, and explains why the lab bridges should never have an IP on the host.
-
FortiOS 7.6.6 SD-WAN: VRF1 Transport and Loopback Design
A refined VRF reference design for FortiOS 7.6.6 — transport in VRF 1, separate transport and management loopbacks, complete management-plane pinning, and NPU-VLINK guidance for inter-VRF acceleration.
-
MP-BGP and VRFs on FortiGate SD-WAN
A practical reference design using MP-BGP (VPNv4) and VRFs on FortiOS to keep management (VRF20), customer SD-WAN (VRF30), and Guest Wi-Fi DIA (VRF99) isolated end-to-end. Includes config, traffic flows, and the gotchas that bite people in production.
-
Building a Polished CLI Tool with Click and Rich: Packaging Network Automation for Other Humans
Turn a working network-automation script into a tool your colleagues will use — moving from argparse to Click, formatted output with Rich, environment-loaded secrets, and pip-installable packaging.
-
iptables to nftables: Migrating Production Firewalls Without Downtime
A working engineer's guide to moving from iptables to nftables on production Linux firewalls — the mental model shift, where iptables-translate misleads you, atomic ruleset swaps, and a clean rollback strategy that means a bad migration costs you seconds, not your weekend.
-
Linux Networking from the Ground Up: Network Namespaces, veth Pairs, and Building a Multi-Router Lab on One Host
Build a real multi-router BGP and OSPF lab on a single Linux box using network namespaces, veth pairs, and FRRouting — no VMs, no containers, no GNS3. A practical walk-through of the primitives that GNS3, Docker, and Kubernetes are quietly using under the hood.
-
NAPALM vs Netmiko: Vendor-Agnostic Config vs Raw CLI, and When You Want Both
A practical comparison of NAPALM and Netmiko for network automation — where Netmiko's raw CLI access is the right answer, where NAPALM's compare/replace/rollback abstraction earns its keep, and the hybrid pattern that most production tooling actually settles on.
-
Netmiko in Practice: From a Show-Command Script to a Repeatable Audit Tool
A working network engineer's guide to Netmiko — starting from a small repo of mine that runs show commands across a JSON inventory, and extending it into something you can use as a real audit tool with structured output, concurrency, secure credentials, and a sane dry-run for config changes.
-
Network Emulation with NETEM: Simulating Latency, Loss, Jitter, and Bandwidth Constraints for Realistic Lab Testing
A practical guide to using Linux's NETEM qdisc to bend networks to your will — adding latency, loss, jitter, duplication, reordering, and bandwidth caps so you can test how applications and protocols actually behave when the network is anything other than perfect.
-
Nornir for Network Engineers: Running Automation Across an Inventory at Scale
A practical introduction to Nornir for engineers whose Netmiko script has grown too big — inventory plugins, structured tasks, parallelism, filtering by site or role, and integrating Netmiko, NAPALM, and pyATS as connection plugins. The framework you reach for once one box has become a hundred.
-
Parsing show Command Output: TextFSM, Genie, and TTP for Structured Data
A practical comparison of the three main ways to turn Cisco show output into structured Python data — TextFSM with NTC Templates, Genie/pyATS, and TTP — with worked examples and rules of thumb for picking the right one.
-
Route Leaking Between VRFs on Cisco IOS: From BGP First Principles to Advanced Manipulation
A practical end-to-end walkthrough of route leaking between VRFs on Cisco IOS — starting with the BGP and VRF fundamentals you need to actually understand what's happening, the static and MP-BGP options for the leak itself, and the route-map machinery that lets you control exactly what crosses.
-
tcpdump Deep Dive: BPF Filters, Capture Rotation, and Cross-Mapping to FortiGate's diagnose sniffer packet
A practical, command-heavy guide to getting real value out of tcpdump — precise BPF filters, production-grade ring-buffer captures, and a side-by-side mapping to FortiGate's diagnose sniffer packet so you can switch between the two without losing your place.
-
NSE4 Exam Syllabus: Study Roadmap (Part 1 of 10)
Part 1 of a study series for the Fortinet NSE 4 / FCP FortiGate Administrator certification. Covers exam logistics, the official 16-lesson curriculum grouped into topic buckets, and the roadmap for the rest of the series.
-
NSE4 Part 10: High Availability
Part 10 — the final post in the NSE4 study series. Covers FGCP, active-passive vs active-active, heartbeat and monitor interfaces, session synchronisation, failover behaviour, and the diagnostic output you'll be asked to interpret.
-
NSE4 Part 2: Initial Configuration & the Security Fabric
Part 2 of the NSE4 study series — covers the day-one FortiGate configuration (interfaces, operation modes, admin access, DHCP, FortiGuard) and how the Security Fabric stitches multiple FortiGates and Fortinet products together.
-
NSE4 Part 3: Firewall Policies & NAT
Part 3 of the NSE4 study series — firewall policy structure, lookup order, NGFW modes, central vs policy NAT, source NAT pools, virtual IPs, and the session helpers behind protocol fixups.
-
NSE4 Part 8: IPsec VPN
Part 8 of the NSE4 study series — IKEv1 vs IKEv2, route-based vs policy-based, site-to-site and dial-up, NAT traversal, dead peer detection, and the two diagnostic commands that separate a Phase 1 problem from a Phase 2 problem.
-
NSE4 Part 9: Routing & SD-WAN
Part 9 of the NSE4 study series — static and policy routing, distance vs priority, RPF, OSPF and BGP basics, and how SD-WAN turns a pile of WAN links into a single steered zone with performance SLAs.
-
Route Leaking Between VRFs on FortiGate: Why It's Trickier Than You Think
VRF route leaking is a daily reality in any multi-tenant or shared-services network design. On FortiGate it's harder to find — and harder to get right — than the equivalent on Cisco or Juniper. Here's how to do it, why it's easy to miss, and the practical pitfalls.