01-14-2010 02:48 PM - edited 01-21-2010 09:55 AM
Description and topics:
In this session the authors are available to talk about designing and operating a network for high availability. Do you have questions about the book? Do you have questions about HA provisioning for your particular network? Write in and ask the experts!
1/21/10 11am PST, Junos Live Text Chat with the authors of Junos High Availability
Join us right here on J-Net on January 21st for a Junos live chat with the authors of the Junos High Availability book, James Sonderegger, Senad Palislamovic and Kieran Milne. Come ask questions about how to move away from default settings and achieve five, six and even seven nines of availability in your network. The authors are experts and wrote the book to help you modify existing networks, not greenfield designs.
What’s more, you’ll have a chance to win one of five Junos High Availability books (details below). Just make sure you’re registered for J-Net as you’ll need that to be eligible to win.
How To Attend:
The Live Chat URL is:
1. Make sure you are a registered J-Net member. You will not be able to participate in the chat event nor participate in the contest if you are not registered. To register for a J-Net account, simply click on the "register" link on the upper right hand side of the screen, follow the registration steps to receive a J-Net login. After you have received a confirmation email from Juniper Networks, make sure you come back to J-Net and sign in to create your J-Net username.
2. The JUNOS Live Chat URL will be posted on this thread on 1/21/10. It will also be available on J-Net's home page under the "Live Chat" category. Simply sign in to J-Net (by entering your user name and password on the upper right hand side of the screen) and join the live chat.
Please feel free to submit your chat questions ahead of time by sending an email to firstname.lastname@example.org or by replying to this thread. The chat transcript will be available to J-Net members after the event for those who are unable to attend.
Details on Promotional Give Away:
We're having a JUNOS Live Chat series on J-Net and to thank you for attending, we are giving away five (5) Junos High Availability books. Here's what you need to do to enter the drawing for these books:
1. If you haven't joined J-Net, register for a free account.
2. To be eligible for the Junos High Availability books, by 5pm Pacific time the day of the live chat, email the following information to email@example.com
- Your J-Net username
- Your full name and mailing address.
- The answer to the question we ask during the live chat.
That's it! So jump in, add your voice, share your knowledge, and have some fun.
* Prizes include five Junos High Availability books. No purchase necessary. Must be 18 years or older to be eligible to win the prize(s). Void where prohibited by law. Winner(s) will be selected via random drawing. Promotion ends at 11:59pm PST on January 21, 2010. Limit one entry per person. To be entered into the prize drawing, you must have a valid J-Net account. Winners will be notified by January 31, 2010.
About the Presenters:
James Sonderegger (JNCIE-M #130, JNCIS-FWV, JNCIS-ER, and Juniper Certified Instructor) holds an MS in IT management and manages the Americas Division of Juniper Networks' Training Delivery organization. James spent five years as an Engineer in Residence for federal customers and has been in the networking industry for the past 13 years. His former employers include The Analysis Corporation (TAC), Ericsson IP Infrastructure, and Automated Data Processing. James is a coauthor of Juniper Networks Reference Guide: Routing, Configuration, and Architecture (Addison-Wesley). When not serving the greater glory of the routed packet, James works as a percussionist in several bands in the Washington, D.C. area.
Senad Palislamovic (JNCIE-M #145 and JNCIS-E) is a systems engineer at Juniper Networks, where he spends time designing and implementing MPLS-enabled networks for global service providers. Prior to this, Senad worked at Professional Services, where he consulted, designed, and implemented MPLS-enabled NGEN services for ASPs and financial institutions, specializing in highly available solutions, and at Juniper JTAC, where he troubleshot M/T Series routers. Before Juniper, Senad held various network positions at Weber State University, Utah, designing and implementing scalable network solutions. He holds a double BS in telecommunications and IS&T from Weber State University and has over 13 years of networking experience. Senad contributed to the tech editing of MPLS-Enabled Applications, 2nd Edition (Wiley & Sons). He lives in New York City with his wife, Samera.
Kieran Milne (JNCIE-M #380, JNCIS-ER, JNCIA-WX, JNCIA-EX, JNCIA-E, JNCI, CCNA, Nortel NCTS) is a training developer and technical trainer within the Education Services department at Juniper Networks. With more than 10 years of experience in the networking industry, Kieran has taught all over the world, in both corporate and college settings. Before joining Juniper Networks, Kieran spent time at Nortel Networks and Alcatel. He is co-author of the forthcoming book, JUNOS Networking Essentials (O'Reilly), and contributes to exam development for the Juniper Networks Technical Certification Program. Kieran lives and works out of Canada.
01-22-2010 11:48 AM
Thanks everyone for attending the live chat. Below is the chat transcript from the live event.
Transcript for Chat: 'Junos Live Chat', Thu Jan 21 10:51:39 PST 2010
ac: Welcome to the Junos Live Chat, please make sure you are logged into J-Net if you'd like to ask a question.
ac: Welcome to the live chat, please feel free to send in your question. Remember you have to be logged into J-Net to submit a question.
ac: To get things started, here's a question that came in via email prior to the chat: Q: For a book about high availability there seems to be a lot of coverage of protocols. Why? Answer: It's true, HA is often thought of in terms of redundancy and uptime of a specific network device, but there are many facets to high availability. For example, a router stacked with redundant components really provides no value (or perhaps is wasted value!) if a link or neighboring node goes down and the routing protocol (be it layer 2 or 3, or MPLS, etc.) takes several seconds to detect and route around the failure. HA is as much about dealing with a device failure as it is about dealing with network failures. So yes we did cover a fair bit on routing protocols in the book, but we did it with a specific eye toward HA.
sfouant: are we waiting, or should we just "jump right in" and start asking questions?
ac: To sfouant Jump right in!
ac: Here's another question that came in via email : Q: You talk about using a firewall to deal with DoS attacks... isn't that a simplistic solution to the problem? Answer: Absolutely. Given the choice you definitely want to have something more appropriate, something more purpose-built around security and attack detection/prevention ... SRX series, ISG series, IDP series devices, etc. The idea in discussing firewalls as a DoS tool was to emphasize not overlooking all your options. Even if you 'just' have a Junos router, you still have many good options to protect it and maintain HA.
ac: the authors of the Junos High Availability book, James Sonderegger, Senad Palislamovic and Kieran Milne are standing by to answer your questions
ac: Another question from email: Q: Stateless firewalls seem so simplistic and 'old school' compared to newer stateful and flow-based technologies. Why did it get coverage in this book? Answer: Well for one thing, we had a page-count cap. Stateful and flow-based solutions absolutely have a role to play with regard to HA, but they were simply too large a can of worms to open here. But the rest of the answer is that the 'old' and 'simple' stateless firewalls can still provide serious benefit. They of course filter packets, but they can also be a great HA tool - firewall filters are the basis for sampling, port mirroring, policing (rate-limiting), class of service markings, filter-based forwarding (traffic redirection). All these features ultimately lead back to protecting the device and the network. And so it was logical to cover stateless firewalls from an HA perspective.
sfouant: A question, in your opinion, which are the preferable architectures - those that employ dual planes, i.e. router A and router B each supporting one place, or those architectures employing the use of Highly redundant single nodes?
McVooDoo: To sfouant That is part of the focus of chapter 1. It really boils down to cost vs benefit. If we are trying to protect a small revenue stream then redundant component architectures are adequate. If we are trying to protect a much larger revenue stream then redundant system architectures...geographically separated...may be more appropriate.
sfouant: RE: the fw question above - stateless firewalls definitely have their place and are considered a first line of defense for removing the cruft, especially in DDoS scenarios, in fact, stateful firewalls can fall over when their state tables are exhausted during a DDoS... stateless FWs still have their place
sfouant: with regards to ISSU, basically we upgrade the secondary RE, then use GRES to switch mastership and upgrade the remaining RE. This works well, however, in my experience, there is still several seconds of downtime when the microkernel code is downloaded to the PFE. Is there any way to avoid this behavior so that there is truly no down-time whatsoever?
McVooDoo: To sfouant Sorry to answer a question with a question but what platforms have you worked with. From what I have seen ISSU mastership switch should be sub-second
sfouant: M120s I saw approx. 7 seconds downtime, and BGP peering sessions were rebooted, this was probably running 9.2
McVooDoo: To sfouant That is an interesting result. BGP session should definitely not reboot because the TCP relationship would not reset. My testing was with M320 and I believe Senad tested with T640. I haven't worked with the M120 but am definitely surprised by this result.
ac: Question via email: Q: Most of the books on HA talk about MTBF calculations as the primary idea behind HA; however, your book does not even mention it, let alone help us calculate it. A - We took a different approach; make it more practical to the end user - you. The goal was to give you all the tools to build your network as highly available as possible; design it properly; turning all HA knobs where applicable; and running it in HA mode with JUNOS available scripting tools. Our idea is that most of the operators will find this more useful than spending time calculating MTBF. Have you?
KTM: Hi everyone. As we worked on this book, we would get questions from folks about where the idea for this book came from, how it was born, etc. James was really the lead on this book... James can you give some context, and then Senad and I can give some context around how we came onto the project.
spuluka: It's hard to tell from just the table of contents on-line, but I'm wondering if you deal with design considerations in site-to-site VPN networks. We run about 100 sites to a datacenter services across internet VPN tunnels. Some sites have dual internet for redundancy and the data center is planning on dual firewalls. Do you address VPN networking considerations in designing for HA?
senad: To spuluka I am not sure if you are talking about IPsec VPN tunnels or MPLS L3VPN VPNs. However, the concepts should be applicable for both in terms of end-to-end connectivity. We don't have a specific chapter addressing site-to-site VPN tunnels, but the entire book provides enough information for optimal site to site design. Chapter 1 talks about architectural methodology; and Chapter 4 and Chapter 11 talk about actual implementation; protocol selection; system availability etc.
ac: Thanks guys for sending in your questions. Please stand by while the authors type in their replies
smorris: Does the book take things from a theory perspective, or does it actually step through case-study kind of implementations?
KTM: To smorris Hey smorris, it's a mix of both. We spent some time on a certain amount of theory where we felt it was appropriate to do so (though we never started from ground zero). We also spent a fair bit of time taking the ideas and concepts and illustrating with scenarios and examples, etc.
sfouant: so HOW should it work, so I have a better understanding... PFE microkernel is updated and total downtime is only on the order of milliseconds?
McVooDoo: To sfouant Take a look at chapter 7 page 161 for the mechanics. From what I and the other authors experienced, your mileage may vary, failover time should be on the order of 500 millisec.
McVooDoo: The book was derived from an idea Chris Hellberg proposed a few years ago. I had also put together an outline for HA networks specific to state and federal govs and we sort of combined the two.
ac: Question via email: Q: Your book includes configs, best practices, and gotchas for gear from your biggest competitor. What message are you sending when you write about products from those guys? Are you encouraging people to buy non-Juniper hardware? Answer: Juniper has been making best-in class products for a little over a decade but many nets are older than that so naturally they will have some legacy products from other vendors. I was just trying to write from a reality perspective, i.e. there are very few single-vendor nets in the world today. We felt that this would make the book more useful to more people.
KTM: To follow James' (McVooDoo) comments about how this book got started, I actually came fairly late to the game, to replace another author. I contributed a handful of chapters.
sfouant: what are your thoughts in terms of protection mechanisms for MPLS, do the authors advocate FRR, Link/Node Protection, Secondary Standby paths, or a combination of the above?
senad: To sfouant sfouant; This is a loaded question so the answer is: it depends. FRR would be an ideal solution but it suffers the scalability problem as it creates end-to-end protection, plus it is not implemented by all vendors. Link/Node protection is a more scalable and widely implemented protection mechanism; interoperable as well. The only problem is tail-end (last PE) redundancy and LSP termination which is solved through the new concept of local-repair. The entire concept was publicly addressed during the MPLS 2009 conference in DC last year.
ac: Thanks for sending in all the great questions. Keep them coming! We'll post the "secret question" for the book giveaway in 5 minutes
jtb: Unfortunately I was a bit late and missed part of this session, but I would like to say a few words. I had a chance to look at the book for a few minutes (waiting on the queue for reading) and I really like the book's idea - it's not only about redundant hardware, we have more and more complex protocols, design and some extra features like Junoscript too. Just hope the book is not too small to cover all the topics :-) And having multivendor examples is great (a must) for many of us.
McVooDoo: To jtb Thanks for the high praise and we are glad you are enjoying it!
ac: Question from email: You guys dedicated 3 chapters in the book to JUNOS upgrades but you didn't recommend any specific releases of JUNOS. Why? Answer: Naming a specific revision of JUNOS would have automatically dated the book and we didn't want people to think that the ideas were only appropriate for a specific point in time. The 'Right' release for your network really depends on your circumstances. Chapter 6, page 132, goes through what we would consider for identifying the 'Right' release for a given network.
ac: Here's the contest detail: We're having a JUNOS Live Chat series on J-Net and to thank you for attending, we are giving away five (5) Junos High Availability books. Here's what you need to do to enter the drawing for these books: 1. If you haven't joined J-Net, register for a free account. 2. To be eligible for the Junos High Availability books, by 5pm Pacific time the day of the live chat, email the following information to firstname.lastname@example.org - Your J-Net username - Your full name and mailing address. - The answer to the question we ask during the live chat. * Prizes include five Junos High Availability books. No purchase necessary. Must be 18 years or older to be eligible to win the prize(s). Void where prohibited by law. Winner(s) will be selected via random drawing. Promotion ends at 11:59pm PST on January 21, 2010. Limit one entry per person. To be entered into the prize drawing, you must have a valid J-Net account. Winners will be notified by January 31, 2010.
ac: Here comes the secret question to send in for the book giveaway:
ac: The secret question for the book giveaway drawing is: 'Does the book take things from a theory perspective, or does it actually step through case-study kind of implementations?'
ac: Another question via email: Your book mentions JCS 1200 as an ideal route reflector solution for a large scalable network; particularly in L3VPN, VPLS and multicast-enabled L3VPNs? I was under the impression that enabling multicast is done through a Rosen-based MVPN solution that does not require BGP? Isn't PIM/GRE sufficient? A - Rosen based MVPN implementation is an obsolete technology that has been shut down through IETF; meaning; it will never become a standard. The BGP solution driven by large providers, based on 'draft-ietf-l3vpn-mvpn-considerations-05', is going to be standardized as the most scalable solution as it allows you to create a multicast topology driven by unicast L3VPN. Advantages of NGEN MVPN are numerous and an entire book could be written about it. However, due to lack of time I can just mention a couple of them: - NGEN breaks the virtual-model of Rosen based MVPN - Ability to build a multicast topology based on receivers; not any-to-any - Less control traffic overhead - More control in traffic direction - Follows the L3VPN Unicast model
ac: Thanks everyone for attending! We will wrap this up in 2 minutes, last call for any questions you may have for the authors
McVooDoo: To sfouant Hi sfouant, On your earlier question, JNPR has a white paper on data center design that is available through this link: http://www.juniper.net/us/en/solutions/service-provider/data-center/
sfouant: Thanks a lot guys for this, I am really looking forward to reading your book!
McVooDoo: To sfouant Thanks for keeping the session interesting!! We appreciate the questions.
senad: Note to everyone. We will have a TV session with the HA authors discussing certain technologies and the book writing experience; to be available on this forum some time in February / March..... So stay tuned
ac: While we answer the few questions remaining in the queue, I'd like to tell everyone that the transcript of this chat will be posted on the Junos board in 24 hours
jtb: If you would like to write a follow up book, what other topics would you consider worth discussing ?
KTM: To jtb Hi jtb - hmmm that's a broad question. I can tell you that [begin shameless plug] there will be a book coming out later this year that is targeted towards topics for the updated/new JNCIA exam. I have always felt we don't always do a thorough job of covering networking essentials and more intro-level topics, and so I am involved in a project along those lines.
smorris: Should be a great book to read! Thanks for the chat!
ac: Thank you everyone for attending, stay tuned in the Junos board for announcements re: the next live chat as well as the next Junos Connect video program. Thanks again for coming!!
senad: To sfouant np... have a good day..
senad: To sfouant thanks for attending the session
ac: Thanks all for attending. Don't forget to email the secret question to J-Net@juniper.net to enter the book giveaway drawing. Once again the secret question for the book giveaway drawing is: 'Does the book take things from a theory perspective, or does it actually step through case-study kind of implementations?'
ac: Have a good day everyone