Category Archives: Networking

Transit Gateway and Direct Connect

After studying for the Advanced Networking exam, I pondered a question about global backbones. There is a need for common understanding, so let’s take a step back. Transit Gateway was a service introduced at re:Invent 2018. Transit Gateway (TGW) puts a router between VPCs and other networking services. The transit gateway works by placing attachments in each VPC using ENIs. If you’re lost before proceeding, watch the re:Invent video. That TGW uses attachments is fundamental to the VPC architecture, as a VPC doesn’t process traffic whose source or destination is outside the VPC. So the attachment ENI becomes part of the VPC, and I now have an attachment in the VPC through a subnet. So instead of terminating my Direct Connect Gateway (DXGW) on a VGW in a VPC, it’s terminated on a TGW. A quick whiteboard of this architecture:
Transit Gateway

This becomes challenging when building a global network, because the European network would look like this, assuming I had three POPs in one Europe region:
Transit Gateway with multiple POPs

Still better than Direct Connect Gateways to the VPCs. But there is a limitation: Transit Gateways that are peered don’t dynamically exchange routes. This works great if you summarize routes by region, for example if the US were all 10.50.0.0/12 and Europe all 10.100.0.0/12. What doesn’t work is when I have unsummarized routes. But I digress; route summarization doesn’t matter to the question. So here is a quick view of our whiteboard architecture of the Europe and US regions:
Transit Gateway with multiple POPs

The question is: if there were dynamic routing, could I use the AWS backbone to haul traffic around the world without having to build my own global network, as the two TGWs would exchange my prefixes from the exchange or POP locations?
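Since peered TGWs only carry the routes you add statically, the per-region summaries above are what actually gets programmed into each TGW route table. The following script is an added example, not code from the post or from AWS: it takes the two summaries from the post plus a constructed list of VPC CIDRs per region, checks that each VPC actually sits under its region’s summary (a VPC outside it is unreachable from the peer region), checks that the summaries are aligned prefixes and don’t overlap, and lists the static route each TGW needs toward the other region. The attachment ids are placeholders.

```python
"""Sanity-check regional route summaries for peered Transit Gateways.

Added example, not the post's own code. Assumes two regions (us, eu) whose
VPC CIDRs (constructed below) should each sit under one regional summary.
Because peered TGWs do not exchange routes dynamically, each TGW needs a
static route for the *other* region's summary pointing at the peering
attachment; a VPC outside its region's summary is unreachable from the
other region.
"""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed sample data: the summaries from the post plus hypothetical VPCs.
REGION_SUMMARIES: Dict[str, str] = {
    "us": "10.50.0.0/12",
    "eu": "10.100.0.0/12",
}
VPC_CIDRS: Dict[str, List[str]] = {
    "us": ["10.50.0.0/16", "10.51.0.0/16", "10.60.0.0/16"],
    "eu": ["10.100.0.0/16", "10.101.0.0/16", "10.112.0.0/16"],
}


def normalize_summary(cidr: str) -> Tuple[IPv4Network, bool]:
    """Return the aligned supernet and whether the text had host bits set.

    A static route needs a properly aligned prefix: 10.50.0.0/12 really
    denotes 10.48.0.0/12, and 10.100.0.0/12 really denotes 10.96.0.0/12.
    """
    net = ip_network(cidr, strict=False)
    written = ip_address(cidr.split("/")[0])
    return net, written != net.network_address


def stray_vpcs(region: str) -> List[str]:
    """VPC CIDRs not covered by their region's summary route."""
    summary, _ = normalize_summary(REGION_SUMMARIES[region])
    return [c for c in VPC_CIDRS[region] if not ip_network(c).subnet_of(summary)]


def summaries_overlap() -> bool:
    """Overlapping summaries would make the static routes ambiguous."""
    nets = [normalize_summary(s)[0] for s in REGION_SUMMARIES.values()]
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def static_routes(local: str) -> List[Dict[str, str]]:
    """Static routes the local TGW route table needs toward each peer region.

    The attachment id is a placeholder; the real id comes from the peering
    attachment created between the two TGWs.
    """
    routes = []
    for remote, summary in REGION_SUMMARIES.items():
        if remote == local:
            continue
        net, _ = normalize_summary(summary)
        routes.append({
            "destination": str(net),
            "attachment": f"tgw-attach-PLACEHOLDER-{local}-to-{remote}",
        })
    return routes


if __name__ == "__main__":
    for region, summary in REGION_SUMMARIES.items():
        net, fixed = normalize_summary(summary)
        flag = " (host bits were set)" if fixed else ""
        print(f"{region}: summary {summary} -> {net}{flag}")
        print(f"  VPCs outside summary: {stray_vpcs(region) or 'none'}")
        print(f"  static routes needed: {static_routes(region)}")
    print("summaries overlap:", summaries_overlap())
```

Running it flags 10.112.0.0/16 as outside the Europe summary (10.100.0.0/12 is really 10.96.0.0/12, which ends at 10.111.255.255), which is exactly the kind of unsummarized route the post says breaks with peered TGWs. The emitted destination/attachment pairs are what you would feed to the TGW route table, for example with aws ec2 create-transit-gateway-route.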


Passed the AWS Certified Advanced Networking – Specialty Exam

I needed to recertify the Advanced Networking Specialty. Technically it expired on 6/20. So I decided to focus on the Professional, as it would include Networking and Security topics. I need to recertify the Security Specialty later this month.

I took the AWS Advanced Networking Specialty on Tuesday and passed.

I took this exam with Pearson VUE. The exam opens 30 minutes early to get checked in. The process was the same as with PSI, only there wasn’t a long wait. Personally, the interface in PSI is a little nicer than Pearson VUE. Otherwise, the experience of taking the exam is the same, as it’s from the comfort of home.

I’m not going to talk about the exam, as that would violate the NDA. There are three observations. First, the exam requires deep AWS networking knowledge. Make sure you get in the console and get hands-on. The exam, as advertised, requires deep understanding and experience, which can only come through practical hands-on experience. The second observation I would make is that the exam requires knowledge of services touched by networking, which is why the acloud.guru course recommends associate-level certification. The last comment: this exam has the most poorly written questions and answers of the certification exams I’ve taken. The questions and answers lack the clarity found on the other exams.

I took the exam in about 90 minutes, which is half the allocated time. There were enough questions where I struggled to know the correct answer that I had no sense during the exam of whether I would pass or fail.

Now the parts I can talk about, which is my preparation for the exam. In studying, I noticed the number of new networking-specific services, including Transit Gateway, announced at re:Invent 2018, and Firewall Manager, introduced April 2018, to name a few. The changes in networking services like AWS Shield, VPC Flow Logs and WAF between studying back in 2018 and studying three years later are incredible. That is probably the reason these certifications have to be renewed every three years. The first time I took the exam, I put about 50 hours of preparation into studying for it. This time I put maybe 16 hours into studying.

I watched about 80% of the acloud.guru course. I did watch most of it at 1.75x speed. I would slow down if I didn’t understand a topic or wanted more. I also read many whitepapers and FAQs and watched YouTube videos (at 2x), linked below.

Resources:


Provide 10Gbps and 40 Gbps Ports But Less Throughput

A longtime issue with networking vendors is providing ports at one speed and throughput at another. I remember dealing with it back in 2005 with the first generation of Cisco ASAs, which primarily replaced the PIX Firewall. Those firewalls provided 1Gbps ports, but the throughput the ASA could handle was about half that bandwidth.

Some marketing genius created the term wire speed and throughput.

If you’re curious about this, look at the Cisco Firepower NGFW firewalls. The 4100 series has 40Gbps interfaces, but depending on the model, throughput is between 10Gbps and 24Gbps with FW+AVC+IPS turned on.

I have referenced several Cisco devices, but it’s not an issue specific to Cisco. Take a look at Palo Alto Networks firewalls, specifically the PA-52XX, which has four 40Gbps ports but can support between 9Gbps and 30Gbps of throughput with full threat protection on.

The technology exists, so why aren’t networking vendors able to provide wire-speed throughput between ports, even with full inspection of traffic turned on? I would very much like to know your thoughts on this topic; please leave a comment.


Cisco Press CCNP Route Books not aligned with CCNP Route Exam Blueprint

To my disappointment, having completely read the CCNP Routing and Switching ROUTE 300-101 Official Cert Guide and the Implementing Cisco IP Routing (ROUTE) Foundation Learning Guide (CCNP ROUTE 300-101) for the CCNP Route exam, I found these books are not aligned with the exam blueprint.

Looking at the exam blueprint, topics like CHAPv2 and Frame Relay are still covered but are not used as much. CHAPv2 is not mentioned in either book. Secondly, technologies like IPsec VPN and MPLS get little coverage in the books but are prevalent in deployments today. Additionally, there are no real configuration examples for DMVPN.

Cisco Press claims these are the official certification guides for the exams, so it gives me great concern that the exam blueprint and the official certification guide are not in sync. Wendell Odom (https://www.certskills.com/), who wrote a number of the original certification guides, always did a great job of matching the book to the exam blueprint and providing exercises to reinforce learning. He is no longer the author of the CCNP certification guides, as Wendell focuses on CCNA Routing and Switching.

The last time I went through CCNP certification I used the Cisco Press Exam Certification Guides and the Sybex CCNP books, which included exercises. Sybex no longer publishes CCNP books.

Before taking the test, I think I’ll find a lab workbook and execute the exercises on VIRL.


Exhaustion of IPv4 and IPv6

IPv4 exhaustion is technology’s version of Chicken Little and the sky is falling. The sky has been falling on this for 20+ years, as we have been warned since the late 1990s that IPv4 is running out. Then IoT, including the smart home, was supposed to strain the IPv4 space. I don’t know about you, but I don’t want my refrigerator and smart thermostat on the internet.

However, every time I go into AWS, I can generate an IPv4 address. Home ISPs are still handing out static IPv4 addresses if you are willing to pay a monthly fee. Enterprise ISPs will hand you a /28 or /29 block without too much effort. Sure, lots of companies (AWS, Google, Microsoft) have properties on IPv6. But it’s not widely adopted. The original RFC on IPv6 was published in December of 1995.

I believe the lack of adoption is due to the complexity of the address. If my refrigerator’s IPv4 address is 192.168.0.33, its IPv6 address is 2001:AAB4:0000:0000:0000:0000:1010:FE01, which could be shortened to 2001:AAB4::1010:FE01. Imagine calling that in to tech support, or being tech support taking that call. Why didn’t the inventors of IPv6 add octets to the existing IP address? For instance, the address 192.168.0.33.5.101.49 would have been so much more elegant and easier to understand. I think it will take another 15-20 years before IPv6 is widely adopted and another 50 years before IPv4 is no longer routed within networks.


Anycast

IPv6 implemented Anycast for many benefits. The premise behind Anycast is that multiple nodes can share the same address, and the network routes traffic to the nearest interface holding that Anycast address.

There is a lot of information on it for the Internet as it relates to IPv6. Start with a deep dive into RFC 4291 - IP Version 6 Addressing Architecture. Also, there is a document in the Cisco IPv6 Configuration Guide.

The more interesting item, which was a technical interview topic this week, was the extension into IPv4. The basic premise is that BGP can advertise the same prefix from multiple sites in different geographic regions, and because of how Internet routing works, traffic to that address is routed to the closest site based on the BGP path.

However, this presents two issues. If the BGP path disappears, the traffic ends up at another node, which presents state issues, as the new node has no record of existing sessions. The other issue is with BGP itself, as it routes based on path length. So depending on how the upstream ISP is peered and routed, a node that is physically closer may not be in the preferred path, which adds latency.
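Both issues fall out of the fact that BGP’s default best-path comparison looks at AS-path length and never at distance. The toy model below is an added example, not code from the post: three constructed sites announce the same prefix, the client’s upstream sees one AS path per site, and the model picks the shortest path, then withdraws paths one at a time to show a long-lived session being moved to a node that has never seen it. AS numbers, paths and distances are all made up.

```python
"""Toy model of IPv4 Anycast site selection under BGP path-length routing.

Added example, not the post's own code. The sites, AS paths and distances
are constructed; the model keeps only BGP's AS-path-length comparison and
ignores local preference, MED and other attributes.
"""
from typing import Dict, Iterable, List, Optional

# Constructed: three sites announce the same prefix from AS 65000. The client's
# upstream (AS 64501) learns one AS path per site. distance_km is the physical
# distance from the client to the site.
SITES: Dict[str, dict] = {
    "site-a": {"as_path": [64501, 64510, 64520, 65000], "distance_km": 300},
    "site-b": {"as_path": [64501, 64530, 65000], "distance_km": 4200},
    "site-c": {"as_path": [64501, 64540, 64550, 65000], "distance_km": 900},
}


def best_site(sites: Dict[str, dict], withdrawn: Iterable[str] = ()) -> Optional[str]:
    """Shortest AS path wins; ties are broken by name for determinism.

    Physical distance never enters the decision, which is the latency issue.
    """
    gone = set(withdrawn)
    candidates = {n: s for n, s in sites.items() if n not in gone}
    if not candidates:
        return None
    return min(candidates, key=lambda n: (len(candidates[n]["as_path"]), n))


def nearest_site(sites: Dict[str, dict]) -> str:
    """The site a geography-aware choice would pick."""
    return min(sites, key=lambda n: sites[n]["distance_km"])


def simulate(sites: Dict[str, dict], withdrawals: List[str]) -> dict:
    """Run one long-lived session while paths are withdrawn one at a time.

    Each withdrawal re-runs path selection; when the packets land on a
    different site, that site has no record of the session (state issue).
    """
    withdrawn: List[str] = []
    landed = [best_site(sites)]
    state_breaks = 0
    for w in withdrawals:
        withdrawn.append(w)
        now = best_site(sites, withdrawn)
        if now is not None and now != landed[-1]:
            state_breaks += 1
        landed.append(now)
    near = nearest_site(sites)
    return {
        "landed": landed,
        "state_breaks": state_breaks,
        "nearest": near,
        "extra_km": sites[landed[0]]["distance_km"] - sites[near]["distance_km"],
    }


if __name__ == "__main__":
    print(simulate(SITES, ["site-b", "site-a"]))
```

With these inputs the client is steered to site-b, 3,900 km farther away than site-a, purely because its AS path is one hop shorter; each withdrawal then moves the session to a site that has never seen it. In practice operators shape this with communities, prepending and careful peering, and keep per-session state out of the anycast layer or make it recoverable elsewhere.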

One of the use cases for this is DDoS mitigation, which is deployed for the root name servers and also by CDN providers. Several RFCs discuss Anycast as a possible DDoS mitigation technique:

RFC 7094 - Architectural Considerations of IP Anycast

RFC 4786 - Operation of Anycast Services

Cloudflare (a CDN provider) discusses their Anycast solution: What is Anycast.

Finally, I’m a big advocate of conference papers, maybe because of my Master’s degree, or because 20 years ago, if you wanted to learn something, it was either from a book or from conference proceedings. In researching this blog article, I came across a well-written research paper from 2015 on the topic of DDoS mitigation with Anycast: Characterizing IPv4 Anycast Adoption and Deployment. It’s definitely worth a read, especially for how Anycast has been deployed to protect the root DNS servers and CDNs.
