Category Archives for "Cumulus Networks Blog"

Our docs: now open for your contributions!

You may have noticed our technical documentation has a new look and feel. The reason? We recently migrated to a new platform, Hugo, a really fast static site generator. All our written content is formatted in Markdown and the source code is stored in a public GitHub repository. When we merge a release branch into the master branch, the site automatically gets rebuilt, which takes about 5 minutes from provisioning to deploying the new build, so we can quickly update the site when we come across an issue.

What does this all mean for you? We encourage you to participate if you have the opportunity and desire — and we certainly welcome your pull requests! Feel free to update anything you see that is incorrect or that could be written more clearly. If your time is limited, you can always file a bug against the docs too.

We also accept your original content! If you have an automation solution or a unique Cumulus Linux deployment you’d like to share, feel free to write about it and we’ll host it in the Network Solutions section of the Cumulus Linux user guide. You can read our contributor guide for guidelines on Continue reading

The case for open standards: an M&A perspective

Very few organizations use IT equipment supplied by a single vendor. Where heterogeneous IT environments exist, interoperability is key to achieving maximum value from existing investments. Open networking is the most cost effective way to ensure interoperability between devices on a network.

Unless your organization was formed very recently, chances are that your organization’s IT has evolved over time. Even small hardware upgrades are disruptive to an organization’s operations, making network-wide “lift and shift” upgrades nearly unheard of.

While loyalty to a single vendor can persist through regular organic growth and upgrade cycles, organizations regularly undergo mergers and acquisitions (M&As). M&As almost always introduce some level of heterogeneity into a network, meaning that any organization of modest size is almost guaranteed to have to integrate IT from multiple vendors.

While every new type of device from every different vendor imposes operational management overhead, the impact of heterogeneous IT isn’t universal across device types. The level of automation within an organization for different device classes, as well as the ubiquity and ease of use of management abstraction layers, both play a role in determining the impact of heterogeneity.

The Impact of Standards

Consider, for a moment, the average x86 server. Each Continue reading

Cumulus content roundup: September 2019

And with that, September has come and gone. Did you miss some of the great content we published? In true Cumulus Networks fashion, we’ve made it easy for you to catch up on all the blog posts and articles we had to offer below so take a moment to settle in and then dive into all things open networking!

From Cumulus Networks:

How open standards help with defense in depth: Networking is a vital part of security, and of defense in depth in particular. So how would open standards help this approach to InfoSec? Read this blog to learn.

EVPN-PIM: BUM optimization using PIM-SM: Does “PIM” make you break out into hives? You’re not alone. In part one of a two part blog series we talk about using PIM-SM to optimize BUM flooding in a L2-VNI with single VTEPs.

EVPN-PIM: Anycast VTEPs: In part one we learned about EVPN-PIM. In this second part of the two-part blog series, we throw MLAG into the mix and break down the additional procedures needed for it.

News from the web:

The future of networks: switching to 100G: Pete Lumbis shares five tips on changing to 100G networking in the latest Continue reading

EVPN-PIM: Anycast VTEPs

This is the second of the two part EVPN-PIM blog series exploring the feature and network deployment choices. If you missed part one, learn about BUM optimization using PIM-SM here.

Anycast VTEPs

Servers in a data-center Clos are typically dual connected to a pair of Top-of-Rack switches for redundancy purposes. These TOR switches are set up as an MLAG (Multichassis Link Aggregation) pair, i.e. the server sees them as a single switch with two or more bonded links. Really there are two distinct switches with an ISL/peerlink between them syncing databases and pretending to be one.

The MLAG switches (L11, L12 in the sample setup) use a single VTEP IP address i.e. appear as an anycast-VTEP or virtual-VTEP.

Additional procedures involved in EVPN-PIM with anycast VTEPs are discussed in this blog.

EVPN-PIM in a MLAG setup vs. PIM-MLAG

Friend: “So you are working on PIM-MLAG?”
Me: “No, I am implementing EVPN-PIM in a MLAG setup”
Friend: “Yup, same difference”
Me: “No, it is not!”
Friend: “OK, OK, so you are implementing PIM-EVPN with MLAG?”
Me: “Yes!”
Friend: “i.e. PIM-MLAG?”
Me: “Well, now that you put it like that….……..NO, I AM NOT!! Continue reading

EVPN-PIM: BUM optimization using PIM-SM

Does “PIM” make you break out into hives? Toss and turn at night?! You are not alone. While PIM can present some interesting troubleshooting challenges, it serves a specific and simple purpose of optimizing flooding in an EVPN underlay.

The right network design choices can eliminate some of the elements of complexity inherent to PIM while retaining efficiency. We will explore PIM-EVPN and its deployment choices in this two part blog.

Why use multicast VxLAN tunnels?

Head-end-replication

Overlay BUM (broadcast, unknown-unicast and intra-subnet unknown-multicast) traffic is vxlan-encapsulated and flooded to all VTEPs participating in an L2-VNI. One mechanism currently available for this is ingress-replication or HREP (head-end-replication).

In this mechanism, BUM traffic from a local server (say H11 on rack-1 in the sample network) is replicated as many times as the number of remote VTEPs, by the originating VTEP L11. It is then encapsulated with individual tunnel header DIPs L21, L31 and sent over the underlay.

The number of copies created by the ingress VTEP increases proportionately with the number of VTEPs associated with a L2-VNI and this can quickly become a scale problem. Consider a POD with 100 VTEPs; here the originating VTEP would need to create 99 Continue reading

How open standards help with defense in depth

If you ask an ordinary person about information security, they’ll probably talk to you about endpoints. Most people are aware of virus scanners for notebooks or PCs, and may have encountered some kind of mobile device management on a work-provided phone. These endpoint solutions naturally come to mind if someone mentions cyber security. However, this is backward from the way that infosec professionals think about the issue.

Someone who works in infosec will tell you that the endpoint should be the absolute last line of defense. If a virus scanner finds malware on your work notebook, the malware should have had to defeat a long list of other security precautions in order to get that far. This layered approach to security is known as defense in depth.

The term “defense in depth” originally was applied to military strategy. It described the practice of trying to slow an enemy down, disperse their attack, and cause casualties; rather than trying to stop their attack at a single, heavily fortified point. The enemy might breach the first layer of defenses, but would find additional layers beyond. While they struggled to advance, they could be surrounded and then counter-attacked.

Infosec in Depth

The information Continue reading

Cumulus content roundup: Summer 2019

Summer has flown by and you may have missed some of the great content that was published. Don’t worry, you can catch up on some of our favorite podcasts, blog posts, and articles below. So settle in and then dive into all things open networking!

From Cumulus Networks:

Customizing your network: Take a quick look at the types of automation available in Linux, from basic to dynamic, and how these automation capabilities help to enable data center-wide orchestration here.

Kernel of Truth podcast: Network monitoring: When it comes to network monitoring, have you run into a “switch that cried wolf?” Kernel of Truth host Brian O’Sullivan is joined by two new guests to the podcast, Justin Betz & Faye Ly, to chat more about networking monitoring here.

Best practices: MLAG backup IP: We cover the best ways to build a redundant backup IP link for multi-chassis link aggregation (MLAG).

Exploring Batfish with Cumulus – part one: With Batfish supporting Cumulus Networks this year, we show how it can fit into pipelines & replace or complement existing testing strategies in part one of a two-part series.

Kernel of Truth podcast: Innovation in the data center: Spiderman aka Rama Continue reading

Customizing your network

Open networking is based on open standards, interoperability, and open source software such as Linux. One of the things that has made Linux so ubiquitous is the unparalleled control it offers to users in terms of customization and building intelligence into the network. Much of this advantage comes in the form of the automation and orchestration possible with Linux-based networking.

First adopted by hobbyists, widespread use of Linux in production environments only started to take off in the mid-1990s in the supercomputing field, where organizations such as NASA started to replace their overly expensive hardware with clusters of inexpensive commodity computers running Linux. Today, Linux systems are used throughout computing.

Linux can be found in servers, clouds, and network equipment. Linux is ubiquitous in the embedded systems space, and is the operating system upon which virtually all modern supercomputers are built. Even Microsoft (which once derided Linux as “a cancer”) now champions Linux, building its own Linux distributions for its Azure cloud networking and making it possible to run Linux on top of Windows.

Linux offers organizations numerous ways to automate devices and workloads. This includes task scheduling, scripting, automation, and policy management. Because Linux is used widely in so Continue reading

Best practices: MLAG backup IP

Recently there was a conversation in the Cumulus community (details in the debriefing below) about the best way to build a redundant backup IP link for multi-chassis link aggregation (MLAG). Like all good consulting-led blogs, we have a healthy dose of pragmatism that goes with our recommendations and this technology is no different. But if you’re looking for the short answer, let’s just say: it depends.

The MLAG backup IP feature goes by many names in the industry. In Cisco-land you might call this the “peer keepalive link,” in Arista-ville you might call this the “peer-address heartbeat” and in Dell VLTs it is known as the “backup destination.” No matter what you call it, the functionality offered is nearly the same.

What does it do?

Before we get into the meat of the recommendation, let’s talk about what the backup IP is designed to do. The backup IP link provides an additional value for MLAG to monitor, so a switch knows if its peer is reachable. Most implementations use this backup IP link solely as a heartbeat, meaning that it is not used to synchronize MAC addresses between the two MLAG peers. This is also the case with Cumulus Continue reading

Exploring Batfish with Cumulus – Part 2

In Part 1 of our look into navigating Batfish with Cumulus, we explored how to get started with communicating with the pybatfish SDK, as well as getting some basic actionable topology information back. With the introduction out of the way, we’re going to take a look at some of the more advanced use cases when it comes to parsing the information we get back in response to our queries. Finally, we’re going to reference an existing CI/CD pipeline, where templates are used to dynamically generate switch configuration files, and see exactly where and how Batfish can fit in and aid in our efforts to dynamically test changes.

For a look under the covers, the examples mentioned in this series of posts are tracked in https://gitlab.com/permitanyany/cldemo2.

Enforcing Policy

As you may remember, in Part 1 we gathered the expected BGP status of all our sessions via the bgpSessionStatus query and added some simple logic to tell us when any of those sessions would report back as anything but “Established”. Building on that type of policy expectation, we’re going to add a few more rules that we want to enforce in our topology.

For example:

Kernel of Truth season 2 episode 12: Innovation in the data center

Subscribe to Kernel of Truth on iTunes, Google Play, Spotify, Cast Box and Stitcher!

Click here for our previous episode.

In this podcast we have an in-depth conversation about the different types and levels of innovation in the data center and where we see it going. Spiderman aka Rama Darbha and host Brian O’Sullivan are joined by a new guest to the podcast, VP of Marketing Ami Badani. They share that while innovation in the data center doesn’t appear sexy, outside of network engineers, in reality there has been a huge paradigm shift in the way data centers have been built and operated over the last 3 years. So what does that mean? How is automation involved in this conversation? Listen here to find out.

Guest Bios

Brian O’Sullivan: Brian currently heads Product Management for Cumulus Linux. For 15 or so years he’s held software Product Management positions at Juniper Networks as well as other smaller companies. Once he saw the change that was happening in the networking space, he decided to join Cumulus Networks to be a part of the open networking innovation. When not working, Brian is a voracious reader and has held a variety of jobs, including Continue reading

Exploring Batfish with Cumulus – part one

The topic of testing in continuous integration pipelines is something we at Cumulus discuss almost daily, whether it’s internally or with customers. While our approach mainly centers around doing this type of testing in a virtual simulated environment, the moment I heard about a project called Batfish taking a different approach to testing, it had my attention. Better yet, once Batfish announced initial support for Cumulus earlier this year, there were no excuses left to not start digging in and understanding how it can fit into pipelines and replace or complement existing testing strategies.

The Batfish Approach To Testing

While there are various testing frameworks out there that help in building and organizing an approach to testing changes, the ugly truth is that the majority of this process occurs after a change has actually been pushed to a device. Techniques like linting provide some level of aid in the mostly empty pre-change testing area, but the control and data plane validation checks are forced to occur after a change has been pushed, when it’s generally “too late”. Even though there’s no argument that some testing is better than none, the pre-change test area is desperate for any type of visibility Continue reading

Kernel of Truth season 2 episode 11: Network monitoring

Don’t let your switch be the one who called wolf! Network monitoring is a hot topic here at Cumulus Networks and to talk about it more, host Brian O’Sullivan is joined by two new guests to the podcast Justin Betz and Faye Ly. They sit down to chat about the evolution of monitoring, the challenges in achieving robust monitoring and visibility, and what does it even mean to have “good network monitoring and visibility?” Listen, learn and hopefully enjoy!

Guest Bios

Brian O’Sullivan: Brian currently heads Product Management for Cumulus Linux. For 15 or so years he’s held software Product Management positions at Juniper Networks as well as other smaller companies. Once he saw the change that was happening in the networking space, he decided to join Cumulus Networks to be a part of the open networking innovation. When not working, Brian is a voracious reader and has held a variety of jobs, including bartending in three countries and working as an extra in a German soap opera. You can find him on Twitter at @bosullivan00.

Faye Continue reading

Campus design feature set-up: Part 6

I’ve been going through how to set up the CL 3.7.5 campus feature: Multi-Domain Authentication in a 6-part blog series and I’m happy to say we’ve made it to the last one.

If you’ve stuck with me through this series, you’d know that in blogs 1-5 we had guides for Wired 802.1x using Aruba ClearPass, Wired MAC Authentication using Aruba ClearPass, Multi-Domain Authentication using Aruba ClearPass, Wired 802.1x using Cisco ISE and Wired MAC Authentication using Cisco ISE.

Now that we’re at the end of the road, this final guide will enable Multi-Domain Authentication in Cumulus Linux 3.7.5+ using Cisco ISE (Identity Services Engine) 2.4, Patch 8.

Keep in mind that this step-by-step guide assumes that you have already performed an initial setup of Cisco ISE and read part four and part five of this blog series.

Over the past year, Cumulus Networks has made a concerted effort to expand the breadth and scope of the campus features within Cumulus Linux. Hot off the press in 3.7.5 is one of those features, Multi-Domain Authentication (MDA).

Classically, MDA allows for a Voice VLAN and Data VLAN to be configured Continue reading

Kernel of Truth season 2 episode 10: Practical open networking

But wait, there’s more! If you keep up with our podcast you may have noticed the previous episode where we talk about what open networking was, so why are we chatting about it again? Last time we talked about having open APIs and having the demarcation point between components, but in this podcast we’re extending the conversation out to show how everyone can take advantage of open networking in a wider, practical sense. Guests Rama Darbha and Roopa Prabhu join host Brian to share their thoughts, experiences and expertise on the subject. Listen, enjoy, and feel free to comment away here or on our social media channels if you have any questions or thoughts to add.

Guest Bios

Brian O’Sullivan: Brian currently heads Product Management for Cumulus Linux. For 15 or so years he’s held software Product Management positions at Juniper Networks as well as other smaller companies. Once he saw the change that was happening in the networking space, he decided to join Cumulus Networks to be a part of the open networking innovation. When not working, Brian is Continue reading

Campus design feature set-up: Part 5

In this blog series, we’ve been on a journey of sorts. We’ve shown you all the different ways to set up the CL 3.7.5 campus feature: Multi-Domain Authentication in this 6-part series and guess what? We’re getting into the home stretch!

In blogs 1-4 we had guides for Wired 802.1x using Aruba ClearPass, Wired MAC Authentication using Aruba ClearPass, Multi-Domain Authentication using Aruba ClearPass and Wired 802.1x using Cisco ISE. After this blog, we’ll just have one more, covering Multi-Domain Authentication using Cisco ISE. But we’re not here to talk about those now.

In this fifth guide, I’ll be sharing how to enable Wired MAC Authentication in Cumulus Linux 3.7.5+ using Cisco ISE (Identity Services Engine) 2.4, Patch 8.

Keep in mind that this step-by-step guide assumes that you have already performed an initial setup of Cisco ISE.

Cisco ISE Configuration:

1. Add a Cumulus Switch group to Cisco ISE:

First, we are going to add a Network Device Group to Cisco ISE:

Administration > Network Resources > Network Device Groups. Click the “+Add” button.

Make sure to set the “Parent Group” to “All Device Types.” The result will look Continue reading

Kernel of Truth season 2 episode 9: Open Networking in 2019

We had a couple of weeks off but we’re back in action, bringing to you a podcast about what makes up open networking in 2019. We took a different approach than normal this time and have guests both from sales & engineering here to discuss the different things they’re seeing from their respective “worlds” with the hopes of bridging the gap between the two of them for you. Joining host Brian is Andreas la Quiante, calling in from Germany no less, and representing the “sales” side of the conversation. On the engineering side, we have some folks you might recognize from previous podcasts: Roopa Prabhu and David Ahern. With that intro out of the way, now is the time to sit down, relax and listen to their conversation here. We hope you enjoy it!

Guest Bios

Brian O’Sullivan: Brian currently heads Product Management for Cumulus Linux. For 15 or so years he’s held software Product Management positions at Juniper Networks as well as other smaller companies. Once he saw the change that was happening in the networking space, he decided Continue reading

Validation vibes: How we’ve won the praise of customers and employees alike

The success of a company is often defined by two key factors: how your customers feel about you and how your employees feel about you. We’re excited to share that recently we’ve had some great validation by both!

Customer validation

We’re very honored to work with a variety of innovative companies that are breaking the status quo with open networking principles in data centers designed to scale. All of our customers have realized the need for an open, modern data center and are looking to build infrastructure with purpose. From web-scale giants to visionary enterprises, we give them all the ability to build something “EPIC.”

This was recently highlighted when for the second year in a row, our customers have rallied around our vision for the future of data center networking and recognized us as “The Best Data Center Networking 2019” with their reviews through Gartner Peer Insights.

As Gartner puts it, “The Gartner Peer Insights Customers’ Choice is a recognition of vendors in this market by verified end-user professionals, taking into account both the number of reviews and the overall user ratings.” To ensure fair evaluation, Gartner maintains rigorous criteria for recognizing vendors with Continue reading

Cumulus content roundup: May

May is well in the books and summer seems to be in full swing with recent heatwaves across the country. Since we know life can get pretty busy and you may have missed some of May’s great content, we’ve rounded up some of our favorite podcasts, blog posts, and articles for you here. So settle in, hopefully, stay cool, and get ready for all things open networking!

From Cumulus Networks:

Minipack Highlight Video from OCP Summit: Listen to Brian O’Sullivan & Michael Lane, VP of Business Development at Edgecore Networks, discuss the recently launched Minipack, an open, modular switch.

Kernel of Truth season 2 episode 7: Certifications: Listen as we discuss the value of certifications, if any, what works for certifications and what doesn’t, who should be taking certifications and more!

Installing Cumulus packages on air-gapped equipment: Check out this excerpt to help you get additional packages into an air-gapped environment for the install where you don’t have a repo or mirror available to pull from.

ngrok on Cumulus Linux: If you have a good idea of what ngrok is and what it does, here are step-by-step instructions for turning up ngrok ssh services on Cumulus Linux.

The Continue reading

Campus design feature set-up: Part 4

In case you’ve missed the first three blogs, I’ve been showing you how to set up the CL 3.7.5 campus feature: Multi-Domain Authentication. This is a 6-part blog series and we’re officially past the half-way point.

In blogs 1-3 we covered Wired 802.1x using Aruba ClearPass, Wired MAC Authentication using Aruba ClearPass, and Multi-Domain Authentication using Aruba ClearPass. We’ll also have guides for Wired 802.1x using Cisco ISE, Wired MAC Authentication using Cisco ISE, and Multi-Domain Authentication using Cisco ISE. So yes, we’ve got all the bases covered.

In this fourth guide, I’ll be sharing how to enable wired 802.1X authentication in Cumulus Linux 3.7.5+ using Cisco ISE (Identity Services Engine) 2.4 Patch 8.

Keep in mind that this step-by-step guide assumes that you have already performed an initial setup of Cisco ISE.

Cisco ISE Configuration:

1. Add a Cumulus Switch group to Cisco ISE:

First, we are going to add a Network Device Group to Cisco ISE:

Administration > Network Resources > Network Device Groups. Click the “+Add” button.

Make sure to set the “Parent Group” to “All Device Types.” The result will look like the following:

2. Adding Continue reading
