Roman Dodin#

Hey there! I'm Roman Dodin, a member of the SR Linux Product Management team at Nokia. Although I am much more often called a "containerlab guy" as I am one of the maintainers of the project.

Network automation, virtual networking labs and beautifully looking docs with reproducible examples are my passion. I am also a big fan of open source initiatives and community building.

September 12, 2024
2 min read

SR Linux container image for ARM64

I still remember the day when we announced general availability of the SR Linux container image that everyone could just docker pull and start building their dream labs:

🚨This is not a drill🚨
🥳This day has come and I'm delighted it has happened on my birthday.

🚀Nokia makes its Data Center NOS - SR Linux - available to everybody without any regwall, paywall, licwall or any other wall typical for a vendor

It is finally OUT! ->🧵 pic.twitter.com/GguERBHGzp
— Roman Dodin (@ntdvps) July 29, 2021

The availability of a free, lightweight and fast-to-boot containerized NOS served as a catalyst for the community to start building labs as code and use the image in the CI pipelines as it was easy and quick to run it on the free runners.
However, the container image was only available for x86_64 architecture, and as a result for a long time we were saying that running SR Linux on macOS, for instance, was a "no-go".

It was not only about macOS, though. The rise of ARM-based server systems also made it hard to say that SR Linux can run on any compute you might have in your possession. I would lie if I say that we had RaspberryPi in mind, but hey, people run all kinds of workloads on rPI, why not networking labs?

And, finally, the day has come! We are happy to announce that the SR Linux container image is now available as a preview for ARM64 architecture, and is ready to be used on any ARM64 system, including devices with Apple M chips.

The first preview release is distributed via the same ghcr.io/nokia registry, but as long as we are in the preview cycle, we will use a separate tag for it:

sudo docker pull ghcr.io/nokia/srlinux:24.7.2-arm-preview

There is a lot to be said as to how SR Linux labs powered by Containerlab can be run on ARM64 systems, and to make it more interactive, I recorded a video about it:

Put those performance cores to work, and lfl (let's *ucking lab)! 🚀

July 30, 2024
9 min read

Mirroring in SR Linux

Once in a while you need to take a closer look at the traffic that flows through your network. Be it for troubleshooting, monitoring, or security reasons, you need to be able to capture and analyze the packets.

Doing the packet capture in a virtual lab is a breeze - pick your favorite traffic dumping tool and point it to the virtual interface associated with your data port. But when you need to do the same in a physical network, things get a bit more complicated. Packets that are not destined to the management interface of your device are not visible to the CPU, and hence you can't capture it directly.

That is where the mirroring feature comes in. It allows you to copy the packets from a source interface to a mirror destination, where you would run your packet capture tool. By leveraging the ASIC capabilities, the mirroring feature is hardware-dependent, but luckily, SR Linux container image is built with mirroring support, so we can build a lab and play with mirroring in a close-to-real-world environment.

July 23, 2024
2 min read

Route Type 5 L3 EVPN Tutorial

Since the inception of our Data Center Fabric program in 2019 we have been focusing on EVPN-based deployments as the preferred choice for data centers of all sizes. And historically, EVPN has been associated with Layer 2 services, such as VPLS, VPWS, E-LAN. However, network engineers know it all too well that BGP can take it all, and over time EVPN grew to support inter-subnet routing, and subsequently, layer 3 VPNs.

Now you can deploy L3 VPN services with EVPN, both in and outside of the data center. Yes, a single control plane EVPN umbrella can cover all your needs, or at least most of them.

It was important for us to start with L2 EVPN basics and cover the EVPN origins first, but now more and more workloads ditching the arcane requirement to have layer 2 connectivity, and more and more data centers can be built with pure layer 3 services.

But Layer 3 EVPN services have many flavors... Some, such as RT5-only EVPN, are quite simple, while others offer more advanced features and require symmetric IRBs, SBDs, Interfacefull mode of operation, and ESI support. To ease in the L3 EVPN introduction we chose to start with the simplest form of L3 EVPN - RT5-only EVPN.

To introduce you to the concept of L3 EVPN we prepared a comprehensive tutorial - RT5-only L3 EVPN Tutorial - that covers gets you through a fun lab exercise where you will configure a small but representative multitenant L3 EVPN network:

You'll get exposed to many interesting concepts, such as:

eBGP Unnumbered underlay to support the overlay services
iBGP overlay with EVPN address family
RT5-only EVPN service configuration for L3 workloads
EVPN service with BGP PE-CE routing protocol to support clients with routing on the host

So, have your favorite drink ready, and let's have our first dive into the world of L3 EVPN!

Pure L3 EVPN fabrics in the wild?

We shout out to the community to share their experiences with pure L3 EVPN fabrics. Have you deployed one? What were the challenges? What were the benefits?

Here is a linkedin post with some pretty interesting comments on the topic by Pavel Lunin from Scaleway.

July 4, 2024
1 min read

SR Linux labs in GitHub Codespaces

The best labs are the labs that you can run anywhere, anytime, with a single click and preferrably for free.

The public SR Linux container image made labs easy to run on any machine with Docker. How about we also rule out the requirement to have a machine? Let us introduce you to GitHub Codespaces.

February 25, 2024
1 min read

Filtering fields in the SR Linux CLI

CLI is still king when you start managing the network's and perform all those day2+ operations.

Network troubleshooting, in particular, is one of the tasks where having a performant, intuitive, and flexible CLI is a game changer.

In this video, we explore SR Linux's CLI feature that allows you to filter the fields and order them the way the operator needs.

CLI is dead
Long live CLI

January 16, 2024
16 min read

VLANs on SR Linux

Discussions: ·

What was one of the most common questions in our SR Linux discord in 2023?

EVPN? YANG? Streaming Telemetry? Programmability? Scaling DC workloads?

No. VLANs 😅

This buddy hurt you good in your early days, right? With global VLANs, trunks, and forgotten add? Your understanding of VLANs provisioning might get clouded by the industry-standard way of doing things, which may result in a lot of confusion when you start working with SR Linux.

Get yourself comfy, we are about to have a deep dive into VLANs on SR Linux.

cisco-man

January 6, 2024
10 min read

SSH Terrapin Attack and Network Operating Systems

Discussions: ·

Terrapin is a prefix truncation attack targeting the SSH protocol. More precisely, Terrapin breaks the integrity of SSH's secure channel.

Pretty scary stuff, innit? Any Network Engineer/Admin understands the importance of SSH in their daily work. It's the most common way to access network devices, and it's the most secure way to do so. Is it now?

On December 18^th 2023, a group of researchers from the Ruhr University Bochum publicly disclosed a new attack (CVE-2023-48795: General Protocol Flaw) on SSH protocol, called Terrapin. Targeting the very best SSH Binary Packet Protocol researchers proved that an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it.

But what does it mean to us, Network Engineers? Do we need to rush the vendors patching the SSH servers in their NOSes? Let's figure it out.

January 4, 2024
9 min read

User Authentication and Authorization with RADIUS on SR Linux

SR Linux supports a number of user authentication methods, including local authentication, TACACS+, and RADIUS. In this post, we will look at how to configure RADIUS authentication and authorization on SR Linux. As you may have already guessed, we will have a lab environment to play with sporting the FreeRADIUS server and a single-node SR Linux lab. Let's get started!

November 7, 2023
2 min read

Countless times I've been in a situation where I needed to share my terminal with someone or being asked to connect to someone's device instead.

Either I exhausted my networking foo and needed help from a colleague, or I was the one who was asked to help. In both cases, the problem was the same - how to quickly, securely¹ and effortlessly share the terminal with someone else.

The problem is not new and there are many options on the table. From installing a VPN software and sharing the credentials, through zero-trust solutions like teleport, to using a simple SSH tunnel. All of these solutions are great, but they require some setup and configuration. And sometimes you just want to share your terminal with someone without going through the hassle of setting up a VPN or a zero-trust solution.

The sshx.io open-source service that just popped out offers a simple solution to this problem.

Install the multi-arch lightweight² sshx binary on your machine
Run sshx
Share the URL with someone
Enjoy collaborative terminal in a responsive web UI with a multi panel canvas

I felt an immediate urge to try it out with SR Linux. And it worked like a charm!

October 24, 2023
7 min read

Instant SR Linux Labs

Containerlab already made it possible to quickly launch labs on demand with just a few commands. You would need to clone a repository with the lab and then call containerlab deploy to start the lab.

Simple enough, but quite often you want to run this simple SR Linux lab to test something quickly using a very basic topology. At times like this it is cumbersome to find and clone the repository and then call deploy command. Can we make it even more simple? Yes, we can!