2011-07-26

Bricking it

Well, I have the first proper training course for the new FireBricks starting tomorrow. Two day course.

It is a tricky topic as you end up spending your time explaining basic IP routing if you are not careful (and that is a separate course).

The way the new FB2700 and FB2500 work is a tad different to the older FB105 FireBricks, which is not surprising as we re-wrote the whole thing from scratch. This makes the training course slightly more complex. If someone knows the FB105 we have to cover all the differences, but if they don't we can explain the new system from scratch.

The main difference is the underlying routing logic. The FB105 made routing very much tied in to the session tracking logic at a low level. The session tracking was the routing cache. So the basic logic for establishing a session also defined the routing. It meant the routing rules were a list of rules (match the first you find) defining where the packets were to go, and that stuck for the session.

The new system is not that far off in some ways as there is a session based routing override, but at its heart the new FireBricks use conventional routing logic. This means you decide where a packet goes based on the target IP address and the current route you have (most specific applies). This is different to the 105, which worked from a rule list rather than a most specific route, and made its decision per session rather than per packet. The new routing is based on static routes, profiles, BGP and all sorts, and can change per packet - like normal routers.

However the new FireBricks have a trick up their sleeve - they have per-session logic to allow or deny the session, obviously, but that can also set a new gateway for routing for the session. This works using a route override table checked at session set-up just like the 105 and kept for the whole session. Unlike the 105, instead of saying directly where the packet goes, it says so indirectly by giving a new target IP for routing purposes. This allows routing based on protocol and source IP just like the 105, but as the target is itself just an IP it allows the target to be subject to routing rules as they change in real time. The end result is a lot more flexible, especially when looking at fall-back type arrangements where you want routing to change on the fly for an established session.
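To make the difference concrete, here is a small model of the two ideas above: a conventional most-specific-prefix routing table (IPv4 and IPv6 in one table), plus a session override table that is checked once at session set-up and pins a gateway IP rather than an egress. This is an added illustration written for this post, not FireBrick code; the class names, interface labels and addresses are all constructed. The point it shows is that when the route covering the pinned gateway disappears, the established session's egress follows the routing table, which a 105-style "route fixed per session" design could not do.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: object   # ipaddress.IPv4Network or IPv6Network
    via: str         # constructed egress label (interface / next hop)


class RoutingTable:
    """Conventional routing: the most specific matching prefix wins.
    IPv4 and IPv6 prefixes share one table; version must match to be a candidate."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, via):
        self.routes.append(Route(ipaddress.ip_network(prefix), via))

    def remove(self, prefix):
        net = ipaddress.ip_network(prefix)
        self.routes = [r for r in self.routes if r.prefix != net]

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        best = None
        for r in self.routes:
            if ip.version == r.prefix.version and ip in r.prefix:
                if best is None or r.prefix.prefixlen > best.prefix.prefixlen:
                    best = r
        return best.via if best else None


@dataclass
class OverrideRule:
    gateway: str                      # new target IP that routing is then done on
    protocol: Optional[str] = None    # None = any protocol
    source: Optional[object] = None   # ip_network, or None = any source


@dataclass
class Session:
    protocol: str
    src: str
    dst: str
    gateway: Optional[str] = None     # decided at set-up, kept for the session


class Brick:
    """Hypothetical model of the session-override-then-route behaviour."""

    def __init__(self, table):
        self.table = table
        self.overrides = []

    def add_override(self, gateway, protocol=None, source=None):
        src = ipaddress.ip_network(source) if source else None
        self.overrides.append(OverrideRule(gateway, protocol, src))

    def new_session(self, protocol, src, dst):
        """Session set-up: first matching override rule pins a gateway IP."""
        s = Session(protocol, src, dst)
        for rule in self.overrides:
            if rule.protocol and rule.protocol != protocol:
                continue
            if rule.source and ipaddress.ip_address(src) not in rule.source:
                continue
            s.gateway = rule.gateway
            break
        return s

    def forward(self, session):
        """Per packet: route on the pinned gateway if any, else on the destination.
        The lookup is repeated every packet, so it tracks routing changes."""
        return self.table.lookup(session.gateway or session.dst)


def run_demo():
    # Constructed topology: default via wan1, a backup link wan2 reachable
    # through 198.51.100.0/24, and UDP from the LAN steered via that backup.
    table = RoutingTable()
    table.add("0.0.0.0/0", "wan1")
    table.add("10.0.0.0/8", "lan")
    table.add("198.51.100.0/24", "wan2")
    table.add("::/0", "wan1-v6")
    brick = Brick(table)
    brick.add_override("198.51.100.1", protocol="udp", source="10.0.0.0/8")

    tcp = brick.new_session("tcp", "10.1.1.1", "203.0.113.5")
    udp = brick.new_session("udp", "10.1.1.1", "203.0.113.5")
    v6 = brick.new_session("tcp", "2001:db8::1", "2001:db8:1::5")
    result = {
        "tcp_before": brick.forward(tcp),
        "udp_before": brick.forward(udp),
        "v6": brick.forward(v6),
    }
    # Backup link goes away: its route is withdrawn, the session's gateway is not.
    table.remove("198.51.100.0/24")
    result["tcp_after_wan2_down"] = brick.forward(tcp)
    result["udp_after_wan2_down"] = brick.forward(udp)
    return result


if __name__ == "__main__":
    for key, via in run_demo().items():
        print(f"{key}: {via}")
```

The UDP session is set up with gateway 198.51.100.1 and initially leaves via wan2; once the /24 covering that gateway is withdrawn, the same session falls to the default route and leaves via wan1 without the session itself being touched. The TCP session, which matched no override, routes on its destination throughout.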

Of course, that is not the only change - but it is probably the deepest change to try and explain. We have a totally new web user interface, and a new style of config that is all in XML (with web based editing tools). One of the biggest changes is that IPv6 is fully supported and pretty seamless. Basically, almost anywhere you can put an IP address you can put either IPv4 or IPv6. At present DHCP settings are an exception but even that will probably change. We even do the new VRRP3 so IPv4 and IPv6 are just interchangeable in VRRP settings.

The new FireBricks then have a load of new features like L2TP and BGP, but they are not too hard to explain.

Should be a fun course.

Next month we are considering doing a one-day course on this for end users rather than dealers, and I would be interested to hear if anyone wants to go on that. No idea on course pricing yet - catch me on irc.

5 comments:

  1. Sorry, doesn't sound very interesting to me lol. Now if it was a holiday that is totally different lol. Hope you're ok and not working too hard xxxxx
  2. Hard day's work today doing day one, but I think it went well.
  3. at least 1 from my organisation would be interested in such an end user course
    Steve
  4. Course went well...

    Comment from their boss was "The chaps have come back raving about the new firebricks. Well done!"

    They found a load of cosmetic improvements which I have spent all morning on, and embarrassingly a couple of bugs I am working on.
  5. Adrian,
    As one of the 'chaps' that was on the course I can confirm that it went really well. We've been looking forward to the new range of FireBricks for so long; and so having been using them for the last few months, and having had so much interest from customers wanting to buy them, it was superb to get the training.

    As always the interesting bits are the juicy bits that can't be written about on the roadmap and behind the scenes stuff. Suffice to say the future looks even better.

    I'm sorry if we gave you a hard time with ideas and improvements/bugs. To be fair - you gave us a hard time with such a packed agenda and so much covered! :-)