Designing The Next Gen Parliament Precinct Network with John Capobianco – ZNDP 075

Parliament Precinct Network – A True Enterprise Network Design Use Case covering Campus, Wide Area Network, Data Center, Cloud, and Security.

This is a Design Use Case, a true Design Case Study!

I am joined by John Capobianco to give us a deep dive into this massive transformation from a legacy Nortel network into a world-class Cisco network, including a 50-building campus, 500 WAN sites, a DMZ perimeter with firewalls and security devices, active/active data centers, and a ton of new services like Wi-Fi and VoIP.

So stick around. Here we go!

Real, in-the-wild enterprise Network Design Use Cases and Network Design Case Studies are hard to come by. Because of this, my goal is to share and highlight as many of these gems as possible to help you become a better Network Engineer, Network Designer, and Network Architect.

In my opinion, one of the biggest issues with learning how to design networks, or becoming a world-class network designer, is that we are not given a diverse set of real-world network design examples. This is where these types of Zigbits Network Design Podcast episodes come in. These Network Design Case Studies are gold, my friend!

To help me today, my friend John Capobianco is joining me to share a whole bunch of insights and the design decisions he went through to create a World-Class Parliament Precinct Network.

John is a leading IT professional who has fallen in love with automation. John has over 20 years of experience in Network Engineering and Network Design, and is now leading the charge into Infrastructure as Code. He has built a next-gen network and totally overhauled the organization's existing digital footprint, which we are going to get into in a ton of detail in this episode, so stick around.

Here we go!

Today’s Guest

John Capobianco

John is an IT Integrator and Planner for the Canadian House of Commons (Canadian Parliament). He is a Senior Network Engineer and Network Designer with over 20 years of IT professional experience. He is also a recent author, having self-published his book Automate Your Network: Introducing the Modern Approach to Enterprise Network Management, a free physical copy of which I am giving away in the Zigbits 2021 February DevOps Giveaway. You can find all of the details about the current giveaway here.

I am truly honored to welcome John to the show today!

Here is how to stay connected with John!

You’ll Learn

  • Hear about a large real-world Enterprise-Wide Network Design Case Study that includes Campus, Wide Area Network, Data Center, Cloud, Security, and Automation, while adding new services like Wi-Fi and VoIP.
  • A case study of migrating from the worst possible network to a best-in-breed network
  • Hear how a nontraditional business leverages a true Next-Generation Cisco Network as a business enabler
  • Why getting your stakeholders on board is hypercritical
  • Leveraging a fusion router to allow/restrict traffic based on routing and not ACL restrictions
  • A full redesign of a flat legacy Nortel network into a World-Class Cisco Enterprise Network
  • Why your NAC solution should be treated as an infrastructure service, just like DNS, DHCP, NTP, and LDAP.
  • “If you picked up an analog phone, do you ever not hear a dial tone?” That’s the level of availability this World-Class Cisco Enterprise Parliament Precinct Network needed to have!
  • How adding a $30,000 stove as an IoT device became a real customer use case that this world-class network was able to facilitate and make successful

Resources

ZNDP 075: Designing the Next Gen Parliament Precinct Network with John Capobianco

Zig Zsiga: [0:00] Designing the Next Gen Parliament Precinct Network with John Capobianco, episode 75.

Welcome back, my friends, nerds, geeks, and Ziglets out there. We have another episode of the Zigbits Network Design Podcast, where zigabytes are faster than gigabytes. As always, we strive to provide real-world context around technology.

I'm Zig, I'm your host. As always, thank you all for coming back. Today we have an interesting show: we're going to do a kind of design-focused use case of the transition for a Parliament Precinct Network. John Capobianco is here to help me today to really highlight the transition that he went through for this Canadian Parliament network over the last few years. And I'm kind of rambling here, so John, how are you doing today? Let's just kind of kick it off, buddy.

John Capobianco: [0:51] I'm doing really great. I'm excited to be here. I've been following your podcast; you're doing really great stuff for the community, and I thought that after your last ones with Stuart there that I saw, maybe I'll just offer to see if you want to talk about what I've been up to. And you nailed it: so I joined the Canadian Parliament, not as a politician, I wasn't elected, but as part of NGPPN, or the Next Generation Parliamentary Precinct Network program, which was a multi-year, very big budget, very ambitious, very visionary, transformative approach to take an aging legacy Nortel network, and this is in 2013, if you can imagine that. I don't know when Nortel went bankrupt and the switch to Avaya and all that, but they were still running, you know, Nortel cores and Nortel BayStacks and a big flat layer 2 network.

Now, so our challenge was a couple of things, right. The Parliament wanted to digitize, and we've heard that from Cisco and Chuck talking about the digitization of functions and products, and, you know, we're not there to make money; we're not, you know, in the financial sector or the business end of things.

Zig Zsiga: [2:04] Yeah, you're not what I would call a traditional business, right? You're really there to provide a service, if you go.

John Capobianco: [2:11] Yeah, we're there to provide a service, and that's, you know, the ongoing democracy of our country, right, if we want to think really ambitious about it. So they wanted things like, and this is 2013, wireless, Surfaces, tablets, voice over IP, security enhancements, performance enhancements, logical separation. There was a lot on the laundry list, and it was semi-greenfield. We had a greenfield in that we could build net new, but at some point we had to integrate and onboard the existing network to start shifting traffic, right. And it goes from, you know, one building on the new Cisco network and everything else on the Nortel, and we gradually shift the balance to every building, and this is 50 buildings in our, you know, our MAN, our metropolitan area network, which is about 50 very interesting heritage buildings: the Centre Block, the West Block, the Sir John A. Macdonald Building, all these heritage limestone and stained glass and just immaculate buildings with rich heritage. Well, now we have to digitize them and overlay fiber and copper and wireless access points, right. It's very interesting even just from a layer one perspective.

[3:32] Having an east path and a west path and diverse fibers. I'm actually fortunate; my mind was blown when they introduced me to the cabling plant. There's cabling architects; I'm not in the cabling end of things. I basically say, you know, I need Gi1/1/1 on this switch fibered over to Gi1/1/1 on that switch, and the architects and the fiber people take care of it. But we blow our own fiber here at Parliament under the streets of Ottawa, yeah, so I got to see them do that, which was pretty neat.

Zig Zsiga: [4:01] So real quick, right, we kind of jumped right in, right, and this is great. Can you go a little bit about yourself, how long you've been in the industry, um, and, you know, where they can find you, kind of on the interwebs, I like to call it the interwebs, so, you know, where people can reach out to you and find you on the interwebs.

John Capobianco: [4:16] I made some assumptions that maybe people know who I am. Sorry, I'm not quite an internet celebrity yet, but that's a good point; I should back up and start again. So I graduated from a three-year computer programmer analyst program in Kingston, Ontario, in 2003.

Zig Zsiga: [4:32] So you're a computer programmer by trade then.

John Capobianco: [4:34] I'm a programmer by trade, and it's funny the way the dice roll. My placement, or my co-op in my last two years of the program, I actually ended up with the Ministry of Health's service desk as more of a systems officer doing client-server and network than programming. So when I graduated I had this diploma in programming with no real-world experience, or nothing on my resume that I've written code, and I have.

Zig Zsiga: [5:02] I had the same situation, man. Like, I have a degree in computer science and I have never been in a computer science role, no joke. Sorry, go ahead.

John Capobianco: [5:10] No, it's funny the way it worked out. So I did very well in the client-server world and I started to pursue certificates to shore up my lack of, you know, my programmer diploma and Windows client-server network stuff didn't really mesh, so I started down the path of A+, N+, XP certs, Windows certs, Cisco certs. So that's been kind of the 20-year journey for me. I spent seven years with a top 10 Canadian insurance company, started in their server farm actually, and then moved full-time to the networks in about 2008. So 2008 is when I got my CCNA, and I've maintained my CCNA this whole time. My cert journey is actually up on my webpage, so for my interwebs presence you can go to automateyournetwork.ca, all one word, dot C A, the Canadian domain. It's a bit of a blog; there's an About Me page. Anyone who's curious about someone like me who's now, 20 years later, a senior IT kind of person, I've done an About page with my cert history. A lot of people ask me on Twitter, and on Twitter it's john_capobianco.

[6:20] How do I get started, how do I get there, what do I do, what certs do I need? So I laid that path out for people to take a look at. My most recent cert was the CCNP Data Center. I'm CCNA, CCNP, CCDP, so a very design-heavy focus in my career. I just got the DP for data center just before March, when they redid the certifications. What a race against the clock that was, to get that last cert before they changed everything.

Zig Zsiga: [6:50] Yeah, and you got to take it; it's the last time you can take it, right, and it's going to go away, so.

John Capobianco: [6:54] That was a lot of pressure. So that kind of sets the stage for where I'm at. Again, I joined in 2013 because the House picked Cisco; Cisco won the RFP to provide the technology for this next generation network, and at Empire Life I had been Cisco, I designed and deployed the Cisco network there. So there's a good fit for me to progress and try to take on a bigger challenge in my career, which would be the Parliament network.

Zig Zsiga: [7:23] No, this is great, like seriously. That set the stage, and this is great. It's great to have you on the show, and everyone, all those links that John's already said, we'll have them in the show notes so you can easily connect with him and reach out with any direct questions you might have. And just to let everyone know, we're going to do two shows with John, so this is show number one and it's design use case focused, and then our follow-on show, it won't be right after this one, it'll be a couple weeks later, we're going to do one on automation and how John has actually fully automated the Parliament network. And if I said anything wrong, John, please correct that, please.

John Capobianco: [7:55] No, that's pretty good, pretty ambitious, but yeah, and it sounds unbelievable, but in that seven years we transitioned from a manual, classic CLI mode of build and deploy and maintain. Around 2017 we kind of switched to a fully automated approach, which we'll talk about, you know, down the road. But to get there we had to put together all the pieces of the network. So, you know, when I joined I had to acclimatize myself, you know, to the business. So when we say the Parliament of Canada, it's actually made up of subgroups. So there's the House of Commons, which is technically who I work for, and that's the members of Parliament, Prime Minister Justin Trudeau, the House side of things. Then there's the Senate of Canada, and they're also a tenant on the network. The Library of Parliament, with all of the research and development and the historical archives, is another tenant.

[8:57] The security apparatus, so the Parliament security team, the RCMP, and the different security officers, are another tenant. The multimedia tenants, so all of the tenants that do the television, televised broadcasting and webcasting, and, well, I say webcasting now, but when I joined it was just... And that's part of, when I say the digitization, one of the ambitious goals was, can we put our proceedings up on the internet, like C-SPAN, right?

[9:28] Stand up on the web for the Canadian proceedings. They couldn't do that on the old flat Nortel network. That was one of the list. So the business has, you know, when we're looking at this at the 10,000-foot view, we want wireless, right? They want wireless; that was one of the urgent things that they needed. They want voice over IP, they want enhanced security, and security was the big one in design. And obviously they wanted it to perform and be fast and be available and reliable, and, you know, five nines and all the rest of that stuff. So we kind of had to figure out what's in and what's out. We had a date that we wanted to bring the first building online, and, you know, what's in? Well, wireless is in, 802.1X is in, QoS is in, the layer 2/layer 3 boundary changes and the new speeds and new optics are in. Certain things didn't make the cut, right, because you're against the time and you have to weigh the risk versus reward. Something like, it's in place now, we've evolved, but for that first deployment, DHCP snooping, ARP inspection, that trilogy of security, it didn't make the cut, right. There were certain things that didn't make it in, but...

Zig Zsiga: [10:38] There's always a cutting phase, right? You have to have a deadline, right, and you have to make that deadline. The building's going to be operational at some point and you have to be ready for the operational date, so.

John Capobianco: [10:48] Yeah, so from the design point of view there were a couple things. It's funny, when I went through my CCNP, CCDP, you kind of, like, it's not IE, I realize that, but when I joined the House one of the new technologies that they were talking about, our vendors and our partners, there was, it wasn't just me in this room designing this network. There was, you know, a big room full of a lot of stakeholders from across the business, from the internet service provider, from the vendor, from our VAR, lots and lots of minds collaborating to come up with the recipe of success for a large-scale modern network, right. There's a lot of things to consider. So my input, or what I wanted to help change, was one, the flatness of the network, right? This big layer 2 /16 network, let's break that down into a layer 2/layer 3 boundary, yeah.

Zig Zsiga: [11:38] So is it one /16 network across the entire organization or network structure? Wow.

John Capobianco: [11:44] More or less, more or less, or a few different /16s, again on Nortel BayStacks without spanning tree.

Zig Zsiga: [11:52] Wow.

John Capobianco: [11:53] That's the nail, that's the day, that's the footprint that I arrived in: no wireless, no voice over IP, yeah.

Zig Zsiga: [12:01] It's all one broadcast storm. There's no fault isolation, there's no layer 3 fault boundaries, no kind of modularity, and there's an inadequate, there's a broadcast there, it's going everywhere, right. That's just basic, you know, broadcast fundamental theory, so.

John Capobianco: [12:20] And no IP address gives you any sort of logical relevance as to where it is on the network or what it is, right? It's just an IP of 16,000 IPs or something, record is one me, right. So again, to the layer 2/layer 3 boundary, we pushed it to the building distribution layer. So we followed this, let's go, so again we started with the Cisco Validated Designs and, you know, two-core data center. So we have two physical data centers on the premise. I'm fortunate that they're actually physically connected, so it's just a logical stretch, so it's one logical data center. So we picked VSS technology for the core, so a nice pair of solid 6500 cores that acted as the fundamental core of the network, pure layer 3 if possible, and then we had our layer 3 boundary per building, so a pair of 4500s at the top of each stack of access switches per building, and...

[13:18] What was new to me, I started talking about my certifications, VRFs were new to me, and I thought to myself, how can I get to CCNP, CCDP and never even read about this or know about this VRF technology? It must be an IEEE thing, or maybe it's new, or maybe in the March 2020 refresh, maybe VRFs are now part of the curriculum. But to me I was like, holy cow, like I had a real shock of imposter syndrome on, like, the first week at the job, because I started talking about segregating in the VRFs and I went home and told my wife, like, I don't even know what a VRF is, what am I going to do, maybe I'm in above my head, right. So I had to do some real quick learning, and it's actually pretty simple, Cisco's implementation of VRF. So if you're listening and are like me and didn't know what a VRF was: at layer 2 we have the virtual segregation in VLANs, right, the broadcast domain. If you move up a layer, layer 2 to layer 3, a virtual route forwarder, or VRF, is similar to a VLAN but it's for the routing table. So a single router, a 4500, a physical router, has a global routing table, the GRT, that you're used to. If you do show ip route or something, that's from the global routing table.

[14:39] I mentioned our tenants earlier: the House, the Senate, the Library, the MMS, the security zones, etc. We wanted to separate those at layer 3 and use a firewall, a central firewall, to control the flow of zone-to-zone traffic or tenant-to-tenant traffic. Now, without VRFs I would need to put an access list at the top of every building distribution switch to separate and deny and permit zone to zone, because it's one big shared routing.

[15:11] We wanted to avoid that. So a VRF lets you contain the routing table per tenant in a virtual router. So if I go into the global routing table and I do show ip route,

[15:25] I don't see the routes from my House of Commons tenant. I have to do show ip route vrf, you know, tenant one or whatever, to see their routing table. Which means they don't know how to get to each other at the building; they have to go into the data center and be permitted at a firewall to communicate with each other. We have a nice central point of control. This premise helped drive our design, to be honest with you, because we needed, we wanted nice summarizable spaces for these tenants that then I could cut into building chunks that I could summarize at the building. So my OSPF, which is the routing protocol we chose, partly out of necessity, because I had to integrate, route with Nortel, and I can't use EIGRP for that, and we didn't want to do static routes, right, so kind of by de facto we go OSPF, which is fine, I don't mind OSPF. I would have liked EIGRP, but that's just personal preference. So anyway, we have a nice big, big summary that we can say this represents the whole, and then per building that summary gets broken into smaller, you know, we subnet it into smaller summaries, and then each floor gets a /24. Now I have a nice logical view, yeah.

[16:42] So now I can say, I don't know, 10.10.something, I know right away that's my building one. Okay, 10.10.10.6, okay, that's the sixth floor on building one for tenant one. Okay, it's 10.20.6, okay, that's tenant two on building one, floor two, or whatever. So it becomes like a Rolodex, these IPs, and people think it's magic. They throw an IP at me today and I go, yeah, you want to go to this, you know, the Sir John A. Macdonald Building on the 4th floor, that's where that access point is. How did you know that? Well, the IP address is logically mapped to the topology of the network, right.

Zig Zsiga: [17:17] It's called designing, you know, like there was a plan ahead of time and now it makes it easy to figure things out like that. And this is perfect, right, you have a set identifier for different buildings, different floors, and it doesn't mean that you're doing any static identification of those IP addresses to a computer. You're literally just saying, hey, this subnet is for that floor. I know that 10.10.5.3 /24 is building 144, you just know.

John Capobianco: [17:45] Right, and then it scales horizontally. Okay, the third octet is for, that's the fourth floor in a building, and then my second octet is the identifier for the building. My fourth octet represents the end host, right. It's classic CIDR design; it's what they taught you in school, and if you apply it correctly, like, in the back of my mind you're always wondering, is this going to scale, is this going to scale, right? In 5 years do I need to throw this out, design it out and start again? Do I need to go to IPv6, do I need to go to MPLS, like, you know what I mean? That question of scale is always there on the fringe, but seven years later we've yet to have to re-IP a block or a building or a floor. It's scaled up to 50 buildings on the campus. You mentioned the scale earlier in our discussion about the wide area network, so I'm kind of jumping all over, but it really, that was my reality for the first five years, was a chaotic firehose of demand from this shiny new...

Zig Zsiga: [18:46] Well, there's a couple things that I would like to ask, right, so, because I kind of like, you kind of do that for a little bit and get a good understanding, jump around a bit, so. And I lost my train of thought, because that's what happens with me, so I'll ask another question because I have it, right. So, um, you know, we talked about the tenants. You had, about learning VRFs, you know, for you and I, we had a pre-kind-of talk before we started recording, and one of those was like, you know, when we started in IT there really wasn't YouTube, like we had to learn these things on our own, right, we had to figure it out. And so for VRFs, did you have to figure it out yourself?

John Capobianco: [19:20] More or less, had to figure it out myself. What I leaned on was the Cisco Live...

Zig Zsiga: [19:28] Yeah.

John Capobianco: [19:29] The Cisco Live breakout sessions and the Cisco Live, I'm losing my train of, my words here, that they're on demand.

Zig Zsiga: [19:36] The Cisco Live On-Demand catalog.

John Capobianco: [19:38] I went to the Cisco Live On-Demand catalog and I found a few breakout sessions that talked about EVN, Easy Virtual Networking, which is a technology you use for the VRFs to automatically set up things like sub-interfaces on trunk ports that trunk the VRFs like you trunk VLANs. So I did a lot of learning through the Cisco on-demand portals. One of the ISP engineers that was loaned to us, who kind of tabled the VRF idea, he coached me a little bit, but there was a lot of, and also cisco.com, there was a very good PDF just about VRF technology and how to implement it. So I had to do a lot of learning and self-discovery, and very quickly, because that was our design, that was our approach, and that's how we were going to, in combination with other technologies, secure the network and provide isolation for the tenants.

Zig Zsiga: [20:31] You know, it's good. So, I mean, and just so people understand, maybe they don't, and if they do then great, but, you know, like John said, to get from one VRF to another VRF you have to have some sort of technology or device that's meant to do that. So if you have the VRFs on one specific device, in most cases you cannot leak routes between those VRFs. Now, on some devices you can leak between the VRFs, so we have to do like static leaking, or you run BGP to leak between the VRFs with like route targets and route distinguishers, so it's not like you're running MPLS, but you're kind of running MPLS, but not really, if that makes any sense. Or you have some sort of fusion device like a fusion router, in which case I think your firewall's acting as a kind of fusion router, is that correct?

John Capobianco: [21:16] So it's a good point. So we have a fusion router in the very center; we call it the transit router, and that's kind of like the central core where all VRFs... But to get to the transit they have to pass through a firewall. So our design is kind of like the old "high to low is good to go, and low to high you must deny." Traffic is allowed to leave a tenant, meaning they're allowed to exit their VRF through their firewall context, so we've got a context, a context per tenant, and they're allowed to leave that zone into transit to either go north, I call it north, out through our DMZ out to the internet, or itself, or east-west into another tenant for some reason. So some tenants, our security tenant, need sometimes to go into other tenants. So to come into a tenant, to enter a firewall, you need a permit. It's denied by default, so we allow everything to leave a zone into transit, but if it's coming into a zone it needs to be implicitly...

Zig Zsiga: [22:22] Nice, so you're denying it by default and you have to allow it specifically. So that's on the firewall side of things, and then that fusion router, you also have to allow the routes to leak between the different VRFs.

John Capobianco: [22:32] Yes, at the fusion we then, we like inject our default route down from transit and things like that, and certain zones that don't have, like our security apparatus, and when I say security apparatus I mean IP cameras on floors and video recorders and door swipes and things like that. The network at the House, it's funny, when we talked about demand earlier, security had big demands. They wanted IP-based cameras, they wanted IP-based door swipes, they wanted IP-based recording systems, where now we had to shore up our QoS model to guarantee that traffic, so it was all intermingled and entered. Our network is...

Zig Zsiga: [23:09] Sorry, you didn't have that beforehand; it was an old Nortel network. You didn't have QoS, you didn't have voice or video traffic on the network, right? And so, I mean, I want to make that clear, like there's a lot of things that we've already talked about that you've already done right here. You've redesigned it into blocks, let's say, into modular blocks. It makes sense from a layer 3; you've designed it so it can scale, right? So you had one building, now you're at 50 buildings, and your OSPF architecture, your subnetting schemes, can scale to that level. You're also doing VRF within this environment, VRF architecture designs for the tenants, and that scales. I mean, this is scaling up to 450, 500 sites, right, you know, 500 WAN sites.

John Capobianco: [23:55] Yeah, so the WAN was another. So we tackled the campus and then we tackled the wide area network, which prior to us was a leased system, which had all kinds of problems, right. 450, so why are there so many WAN sites? Let me address that from a business perspective. Members of, so the members of Parliament, yeah, each member of Parliament has a geographic, they call it their riding, and these are the riding offices, or their constituency offices, is what we call them technically. So it's like your local senator or your local member of Congress or whatever, right, they have a local footprint in your neighborhood or in your community. These are those offices for the members of Parliament across the country, and every member is by law allowed to have up to three offices per geographic area, because some of our space is like, what if you go way up north, a member of Parliament covers hundreds and hundreds of kilometers or miles of geographic area up north. So they need three, they need three offices to do their business, right, and be in these different communities. So we had to...

[25:04] Bring your own ISP is what we wanted to do, so that the members could go out and shop around for their ISP based on their local budget and their local community offerings, pick the ISP of choice, copper, fiber, DSL, whatever they could get, and then we would drop-ship a bundle of hardware, which is, you know, a head-end firewall and then the switching behind it, and it was all pre-labeled. We put nice stickers on where the wire goes into and made it as easy to assemble as possible, and then we have the head-end VPN back on-prem. So this was another massive, it's funny...

[25:46] When we kind of proposed this, to say we can give you on-prem-like access, they never had that before. They had different portals and VPNs and different, different clunky technologies. We can actually extend the precinct so that it was just like they're sitting in their office through, it'll be called the Hill, because there's a hill where Parliament is, their Hill office. Out in Saskatoon or Halifax or Regina or wherever they were sitting, they have full email, full intranet, they're authenticated, you know, I mean, like a true on...

Zig Zsiga: [26:17] It's seamless to them, right, it's really just seamless. It's like they're actually physically on the Hill, as you called it, no matter where they are, right. It's just seamless to them.

John Capobianco: [26:27] Yeah, and because of the technology we have, we have the ability to extend even wireless. So in their, in their constituency offices, now they can use mobility and portability and laptops and not be shackled by physical wiring. Some of their offices might be in a strip mall somewhere, right, like we don't know. It's truly the Wild West. We have no authority or control over the beyond-prem solution that the member has, right. They might lease a strip mall office space, or they might have a, I don't know, a home converted to an office. It could be anything. So we had to, you know, that was a massive win for our, you know, for our technology and for our business, was to offer them an on-prem-like experience, just like on-prem, when we offered them wireless. They wanted to move up to what were called paperless committees. So if you can imagine, before wireless, right, everything was paper and pen, or save to a local file and transfer it around, like just a nightmare, right. With mobility and with wireless and tablets, those things kind of converged, the tablet boom and the wireless implementation here, where now the official Parliament business is done on tablets and done on mobility, and they've gone paperless: paperless committees, paperless onboarding. They showed me, actually, we did this kind of as a bit of a

[27:49] shock value demonstration: here are the four binders of paper that a new member, when they got elected in, used to get. Here's all of your financial requirements, here's your legal obligations, here's the rules of the Parliament, right, like if you can imagine all the...

Zig Zsiga: [28:05] Secure beginning runbook, but it happens to be four binders long. I got you.

John Capobianco: [28:09] Right, now we give them a tablet, and that tablet has portals and links, and click, and everything they need is digital, and we did that almost over...

Zig Zsiga: [28:16] Wow, that is such a, that's such a difference in experience, like overnight, not overnight, but, you know, I mean, like that's just a difference in experience. The impact of that alone is huge.

John Capobianco: [28:26] Yeah, it really is, and, you know, it has real value to the members of Parliament, like the acceleration and just, just how much, I don't know, it's revolutionary stuff, right. That's why I love being able to implement this technology. Yeah, you know, I'm not making big bonuses or, you know what I mean, like there's no financial incentive other than, you know, a good salary and a good pension and a great place to work. When I walk through these heritage buildings and I see wireless access points and I see members using tablets and using their VoIP phone and all of that, that was just a dream, you know, seven years ago, five years ago, kind of thing, right.

Zig Zsiga: [29:08] Yeah, I think that's an extremely impactful overall situation, right? I mean, so you... Maybe I'm wrong, John, so you just always chime in and let me know, "Hey Zig, you're wrong," that's perfectly fine, that's cool. But I'm taking some liberties here in some of the things I'm saying, because I just think this is how you are. Because, like, I'm the type of person that if I'm working on something and I'm working for a cause or business, I have to agree with what I'm doing, and I have to be vested in it. It sounds like you're vested in it and you're really passionate about what you've done here, with really, I think, not just the scalability, because the network is scalable, right? From a technical perspective it works and it's scalable, but it's more than just the network itself being scalable: you've actually made the business flexible.

Like, the business is now becoming a nice business, right? Again, this Parliament network, they're not there to make money, right? That's not their goal; they are providing that service. But the fact that they can be flexible, and you're reducing the time they have to do certain things, like that whole onboarding process. I mean, four binders. Can you imagine how long that takes, to go through four binders of requirements and policies? I mean, that's not the fun stuff either, I'm sure, for them to go through. Like, that's the stuff that they need to, like, eat some sort of snacks while they're going through. At least that's me. I'd be, like, M&M's or something, right? Like, every page. So.

John Capobianco: [30:30] And you assume that they want to start and make an impact. They've been voted in by their, you know what I mean, people have voted for them and put them into power. They want to start exercising that new power and changing the laws or putting forward bills. They don't want to be... break three months before they even know how the Parliament works, because they've had to slog through binders and training and blah blah blah. Now there's videos and portals and tablets that we give them. It's incredible.

And, like, I, you know, we live in the West, where the democracy and freedom and accessibility and all of these great things about our culture and our society... You know, I have a small hand in offering those services. Like I had mentioned, the multimedia, moving this... it's called ParlVU, so Parliament View. People can now go to a website and stream any of the pre-recorded... that's new, they didn't have that. Our democracy didn't have that just a few years ago, right? Our new web...

Zig Zsiga: [31:28] So is that multicast? Are you doing multicast?

John Capobianco: [31:31] We do multicast and broadcast, yeah. We do a lot; almost everything is digital, the multimedia. Now, I help them with their networking, their switching and routing. I'm not super deep into the protocols they're using, but some of the technology that they record and broadcast and simulcast and translate things with, because we have both languages, so we have English and French, everything has to be translated, it's all done through digital feeds.

The network has become ever-present, right? So every phone, every wireless access point, every device. It goes beyond printers, right? Goes beyond printers and workstations. Now our security apparatus...

It's funny, the things you have to think about, right? If I need to take a building offline for some... let's say I can't do an ISSU upgrade on a stack, on a pair of 4500s. Say it's a major upgrade and I need to take the building down. Well, now I have to possibly get security, physical security guards, to come on during that change window, because all of the bubble cameras are going to be offline for a couple of minutes while the switch reboots. Then, I mean, like...

Zig Zsiga: [32:38] Yeah, there's this...

John Capobianco: [32:39] Generations, yeah, yeah. Real...

Zig Zsiga: [32:41] Well, this goes even further, right? The network is now becoming not just a requirement but almost like an unstated requirement. Like, if the network is not up, we can't function.

John Capobianco: [32:51] Right. One of the... it sticks out in my mind. When we moved to voice, a very senior member who had a lot of apprehension about moving to voice over IP, he picked up a plain old telephone, a POTS phone. He held it up and held the dial tone in my ear. He said, "You hear that?" I said, "Yeah." He said, "When have you ever picked up a landline and never heard a dial tone? Has that ever happened to you in your entire life?" And I thought about it for a minute. I thought, I don't know, I don't think I've ever picked up a phone and it not have a dial tone. And he said, "Well, that's what we need from the network." Right? The network needs to be always giving a dial tone. If you're putting all the phones on it, can you maintain that level of availability, like Bell Canada can provide for plain old telephone?

That's a lot of pressure, right?

Zig Zsiga: [33:37] It is. It's huge pressure.

John Capobianco: [33:38] Keep it up, right?

Zig Zsiga: [33:40] You're talking more than five nines there. You're talking all-the-time up, and having redundancy and resiliency and reliability, and it goes more than just a simple, you know, five-second failover. You mean you can't have an outage, really.

John Capobianco: [33:55] It's incredible. And when we talk about IoT, I mention this because it's one of my fun stories, one of the neat things I've got to do with the House of Commons: the food production. So food production for all the meals and all of the banquets, right? We have a very large food production, just like we have a very large IT shop, the Parliament has a food production.

The cook, the head chef, approached IT because he bought a smart stove and needed to get it onto the network. And we were like, "What? You just went out and bought one of these things? You didn't get any..." No, no, he's got this, whatever, $30,000 stove and he needs it on the wired network to get to the internet.

So we worked with him and we came up with an IoT policy. It kind of forced our hand to be ready for IoT. We'd already done a little bit of IoT with the security cameras apparatus, things like that, so it wasn't brand new, but it was such a neat use case where, on his tablet, he can set the temperature of his burners, he knows how long things have been in the oven, he knows when things are coming out, he can download recipes and smart-install recipe timers and things like that to the stove. Like a full high-end integrated cloud-based stove, if you can imagine.

Zig Zsiga: [35:11] It's like an automatic stove, like you can just script it, pretty much, and that's going to go into our next show. But I'm just saying, like, that's what it is. Like, he got a stove that he can literally tell what to do, or script it, and walk away and not even be there, right?

John Capobianco: [35:25] Yeah, and he gets alerts to the phone, and that's all over the... and it's all over the network. So it's pretty neat, the stuff that's coming, yeah.

Zig Zsiga: [35:33] I'm just amazed. I mean, I don't know, it's been... I've been doing this for 20 years, just about 20 years, and I'm still amazed at the transition from when I started to now. I mean, I remember 20 years ago when there wasn't a network, when most places it was all, like, standalone pieces, PCs, like Compaq this or HP that, and it was like, you know, this... honestly, they're hunks of junk now, right? Like, they were just these huge things where you had to go and physically install everything. I don't know if you remember any of that stuff, right? Like...

John Capobianco: [36:01] Oh yeah. So here's my personal connection to the past, if people want to know how far we've come, and this is real, this is a real story. In 2002, when I was kind of struggling as a college student trying to get my way into the... into the industry, I took on a volunteer position at the Kingston Marine Museum. That is a very small little museum that's about marine life in Kingston, so boats and ships and icebreakers and whatever.

They had a coax network, still, in 2002. So I had, you know, like, reflectors and absorbers and vampire taps and BNC connectors on the back of all their PCs. So they gave me a $45 budget to go over to Staples and buy an 8-port wireless switch. And I did, you know, I bought a spool of CAT5 and a crimper, and I made my own cables for them, and I ripped out their coax and I replaced it with CAT5 and wireless. That's in 2002.

You hear coax and you think the '70s, right? Like, you think it was, you know, 50 years ago they were doing it. It wasn't that long ago that people just transitioned from coax to copper, or CAT5 I should say, right?

Zig Zsiga: [37:15] Yeah, I mean, I saw some pretty... networks. Like, I don't know if anyone remembers 50... I mean, those are interesting networks too. We don't have those really that much anymore, but when I... it might have been the 2000 to 2004 time frame when I saw my last 53 network, or frame relay even, like, even IP-based frame relay stuff, I mean. Man, we're going back in history now, right? Like, this is historical stuff, but it's such a huge transition from then to now. And this wasn't scripted; as always, it's just an idea or thought in my head. So, but, John...

John Capobianco: [37:51] What's really neat, I think, from that dumb era, like, to today, with... I'll just throw in another technology. Like, we secured the network with 802.1X. I mentioned that as one of the technologies. We have a certificate-based thing here. It's like a passport system, where if you plug a device into any port, and we have 50 buildings' worth, so 60 or 70,000 interfaces, you plug the device into any one of those interfaces and you do not have a House-issued certificate, you get black-holed. It does not let you on any network, you get shut down, more or less, and we get alarms.

Every place has to be certified, and we have this kind of software-defined network now, right? You plug something in, it's got to talk to ISE, and ISE has to say, "Yeah, you can come on the network, and here is the network you're allowed to come onto." So that's how we enforce those VRFs, because I think it was maybe a natural step that I missed when I kind of drifted off of the VRF discussion: how do you ensure that a laptop or a Surface or whatever gets plugged in ends up in the correct zone? We use certificates, or worst case maybe a MAC address, or MAC address bypass, but really 99% of us are certs.

So that security apparatus is very important in our design. And we just actually had an external review of our ISE, and Cisco gave it, you know, a five-star review.

Zig Zsiga: [39:11] Is...

John Capobianco: [39:12] It's as important as the core to us, and people don't really think of ISE as that. Without ISE to certify who can get where, you know, things break down pretty quickly and you're into fail-open mode, right?

Zig Zsiga: [39:26] Also, I look at ISE, and I would say I would even bring it up to a higher level. I look at any network access control, that's what ISE is, right? Any network access control solution or capability, it's an infrastructure-critical capability. If you're rolling it out and it's fully rolled out how it should be, I mean, it is a requirement to be up all the time. I mean, you're literally relying on it to know what's on your network and authorize it. Authenticate it first, re-authenticate it first, then authorize it, and authorization is going to dictate what you can access, right? And it's not what you want to access, it's only what you need to be accessing. And I want to be clear, it's not just user-to-user access or user-to-application or user-to-resource, it's also device-to-device access. So those IP cameras that we talked about, those security cameras, like, what can they access? You can literally lock them down so they can only access what they should be accessing. And, you know, maybe they don't need to go to the internet, for example. That's something I'd probably say: they don't need to go to the internet, so they don't get to go to the internet, you know, and they can go to the server or whatever, wherever that is, and that's it.

Is that a good example?

John Capobianco: [40:34] It's become part of the fabric, like DHCP, DNS. Now NAC is up there, because it's so key and it's so critical to our infrastructure.

Zig Zsiga: [40:43] It is, it really is. I mean, it's an infrastructure component: DNS, DHCP, time and NTP even. Like, if you're using some sort of authentication, what I would say, single point of truth, an LDAP server of some sort. And, you know, most people use Active Directory, but that's a vendor solution, right? So I always try to bring it back up: LDAP is that capability. So you're using some sort of LDAP server, that's critical, right? No one can log in if they don't have an... if LDAP is not working. This is the same thing for NAC now. NAC has to be highly available, up all the time. Do you need a failure situation if it's offline, right? That's a fail-open. But then if you're failing open, what's going to happen, right? This is now you're allowing everyone on the network, or you're not allowing anyone on the network if you're failing closed. There's some key implications there.

John Capobianco: [41:30] Right, yeah, it's been a real challenge to roll that out and to try to think of every permutation of device and certificates, and, you know, like we have... and then you get the weird edge cases, like we have the Microsoft Surface Hubs. To put a certificate on one of those hubs, you need Intune, and then you start going down the rabbit hole and you find that now I have four dependencies to get this one device on the network, because it needs a cert, but to get a cert I need a third manager or an MDM of some kind, right? So yeah, it's not as simple as it used to be, right? I don't believe networks... I think as the capability grows, it's not just about getting faster, right? It's getting more intelligent, it's getting more efficient, and really secure, right?

We're going to move, likely in our next iteration, to more of a fabric, DNA, micro-segmentation approach, still using ISE and Security Group Tags and different mechanisms, but that's likely the next iteration of our network: to move to the SD-Access fabric type approach.

Zig Zsiga: [42:39] Yeah, that's going to shift your environment to a different architecture all over again, probably. You know, I mean, there's some concepts within that fabric approach that would sell that. The terms I use are software-defined LAN, so software-defined local area network, or software-defined campus, or campus fabric, or something along those lines, right? To be vendor-agnostic. But, you know, any of those solutions, I mean, again, it changes that paradigm.

And I have these demystifying-the-role series as well on this podcast: demystifying the network engineer, network designer, whatever role. Well, really, we're also demystifying here the network. Again, the network is constantly shifting with all these new capabilities.

It's actually pretty interesting how the shift has happened, and I kind of equate it to that paradigm shift that happened years ago where we went from central kind of server environments, where, like, mainframe... well, you have these mainframes, they're huge, and that's how you connect everything, to the edge kind of push, where everything went to the edge, and then things kind of went back to the central side of things. It's like this pendulum... pendulum... a pendulum. Can't talk, can't say the right word, but you know what I mean.

John Capobianco: [43:47] Yeah, no, it's funny you say that. I've had the same... we're on the exact same wavelength, because I used to teach for a little bit, and I've tried to mention to my students that, you know, today the flavor of the industry might be client-server; tomorrow it might swing back to mainframe. Like, if you look at cloud, you know, the big mainframe in the cloud, really.

Zig Zsiga: [44:06] Yes, exactly.

John Capobianco: [44:07] Decentralized... central compute and storage in another space. Now cloud might switch back to fog, back to the edge, and it goes back to client-server. So it's funny how it swings back and forth like that. I also think the general trend of making classic CLI-based operations, I think more and more are becoming software- or programmatically driven, so you can program that central controller in ACI, or program the DNA, or program your SD-WAN. And I'm fortunate, and you're fortunate, being computer programmers by trade, or by industry, or by education I should say. I feel lucky now, 20 years later, I feel like I'm coming home again, because the shift is to programmatic approaches, be it with Salt, Chef, Puppet, Ansible, Nornir, your own Python, even these controllers. You can send API calls with your JSON body to an APIC controller or something, and then it pushes the config to the fabric. I think, you know, the industry's come full circle. It's right back to my programming days, and I get to use tools like Ansible and JSON and YAML. And it's a lot of... the capabilities that are becoming available to network engineers are going through a revolution right now.

Zig Zsiga: [45:35] They really are. And I think a good point to make, like, so my degree plan, right, obviously computer science, but I didn't learn Python. I think I didn't... this is anyone, like, C and Lisp and some older programming languages that some people still use. I did learn C++ and Java as well. But, like, I don't know Python. I actually went to go look at the DevNet Associate blueprint a couple weeks ago and I was like, yeah, I don't know Python. Okay, I don't know it, I'm going to have to go learn it. I don't know, I mean, I know programming, but...

John Capobianco: [46:07] You're like a brother from another mother, because I did, you know, C++ and Java and even the old COBOL, CICS, JCL stuff, and Visual Basic. I never touched Python either, so I'm... I'm wrapping up, I'm learning a little bit. One new Cisco tool that's free that's gotten me excited about Python is called pyATS, the Python automatic testing solution that's free from Cisco. So basically how it works, real quick, since I've thrown it out there: you can do a show command, like show ip interface brief, and there's a Genie parser, also free from Cisco, that gives you JSON back from the command. And then with pyATS you can write tests, pass/fail tests, against that JSON data. So something like OSPF neighbors, pyATS can automatically tell me if I've lost a neighbor based on the JSON it gets back. But that's a little bit of a preview of our next discussion, where I can get into... Today was a lot of fun and I had a really good time discussing the PPN with you, but the next discussion, about automation, is going to really blow people away.

Zig Zsiga: [47:18] Yeah, I'm really excited about the next discussion, because, I mean, I'm kind of new to the hotel... I mean, I've always done automation, like, I always try to automate everything I can, but I have not jumped into Ansible as much as I showed in Python. So, real quick, I want to just articulate and summarize everything. Like, we talked about a lot today.

Honestly, this specific design use case that you have, John, I mean, we would... in almost every single area that you could think of, maybe full automation, we talked about, and it's not service provider heavy, right? But, like, from an enterprise perspective, we talked about security, we talked about WAN, we talked about LAN, we talked about data center, we talked about, like, VoIP and video, I mean, multicast. Like, we talked about a whole bunch of things in the last, like, hour, or however long it is. So this is truly an awesome use case, and I really appreciate your time going through it. It sounds like a lot of fun for you to go through. It sounds like it took about four years to go from beginning to end. I think it's 2013 to 2017, right?

John Capobianco: [48:16] That's about right, now.

Zig Zsiga: [48:17] Yeah. So, man, this is awesome, this is great stuff. I appreciate it, for sure.

Now, just to kind of wrap up, you know, where can everyone find you if they want to continue the conversation? They like what they're hearing, they want to ask you some questions. Where can they find you on the interwebs, one more time?

John Capobianco: [48:35] Yeah, so one more time, you can find me... I'm very responsive on Twitter, I love Twitter. If you've got a meme for me, I'd love you to share it with me. So it's john_capobianco, my last name, on Twitter, easy to find. I also just launched automateyournetwork.ca, all one word, as a hub for blogs and my ideas, my posts. So I have a couple posts on there about my toolkit that I use and where you get started with automation, so you might want to check out the web page. And I'm also on LinkedIn, and I'd be happy to connect with you professionally on LinkedIn as well. Zig, I had a really good time today, man, thanks for inviting me. And I hope, so anybody who may be, you know, if you follow your certification path and if you do your training and your homework and work real hard, you can build a network at the scale that I've built and have success with it. So I don't want anyone to be intimidated and say, "Holy cow, what have I gotten myself into, if I want to be a network engineer?" But those... good point: wireless, security, voice, multicast, video, Internet of Things, NAC, DNS, DHCP. All of these amazing things, it's a big jigsaw puzzle, and you get to piece it together, and at the other end you have users that are consuming those services, and you could change the world.

Zig Zsiga: [49:50] Yeah, seriously. I mean, it's a true enterprise. We talked about it, it's a true enterprise architecture here. This is a true enterprise network, end to end, and that's really what I want to emphasize here. And the last thing, John, like, I think you've recently written a book, right?

John Capobianco: [50:04] Yeah, so I wrote a book called Automate Your Network: Introducing the Modern Approach to Enterprise Network Management. I know it's a mouthful, but I self-published it on Amazon in March of 2019. There's an e-book and a paperback. And if you do pick up the book, again, reach out to me on Twitter if you have any questions or comments. I'm always open to help.

The next discussion I have with Zig, we're going to really explore network automation and my approach to it, and where I started and where I have kind of found myself today, and what I've learned. I really like to help people become network automation engineers, because it really is going to change your life and make things a lot easier. All this stuff I've talked about, it's hard, it's complicated stuff, and if you can make it easier, which you can through automation... they should rename automation, because network simplification is really what it is all about. So I'm really excited to talk to Zig again, and thanks for having me today.

Zig Zsiga: [51:01] Yes. I'll kind of wrap up the show, bud. Thanks, John, again, I appreciate it, I appreciate your time. Real quick, just to let everyone know, I'm actually going to go ahead and give away one of John's books. If you want to be a part of that giveaway process, you go to zigbits.tech/automateyournetwork, all one word, no spaces, no dashes: zigbits.tech/automateyournetwork. Sign up there for that giveaway and you'll get more information on it. The plan is to give it away in February sometime, after our second episode. Just sign up if you want it; if you don't want it, no worries. All of John's links and comments that he's given will be in the show notes. Today's show notes will be zigbits.tech/75, again, that's 75. I appreciate you. If you have any questions, comments, concerns, you can email me at zig at zigbits dot... You can also find us on the socials: that's zig_zsiga on Twitter, or just zsiga somewhere else, that's Twitter, Facebook and LinkedIn, or you can find Zigbits as well on all three of those. And until next time, bye for now.
