Hedge 290: The Amoeba and the Mathematician

In this Hedge roundtable, Eyvonne, Tom, and Russ discuss The Amoeba and the Mathematician
 

 
download

Lab: Multilevel IS-IS Deployments

Like OSPF, IS-IS was designed when router memory was measured in megabytes and clock speeds in megahertz. Not surprisingly, it includes a scalability mechanism similar to OSPF areas. An IS-IS router could be a level-1 router (having in-area prefixes and a default route), a level-2 router (knowing just inter-area prefixes), or a level-1-2 router (equivalent to OSPF ABR).

Even though multilevel IS-IS is rarely used today, it always makes sense to understand how things work, and the Multilevel IS-IS Deployments lab exercise created by Dan Partelly gives you a perfect starting point.

Click here to start the lab in your browser using GitHub Codespaces (or set up your own lab infrastructure). After starting the lab environment, change the directory to advanced/1-multilevel and execute netlab up.

An In-Depth Look at Istio Ambient Mode with Calico

The Next Step Toward a Unified Kubernetes Platform: Istio Ambient Mode

Organizations are struggling with rising operational complexity, fragmented tools, and inconsistent security enforcement as Kubernetes becomes the foundation for modern application platforms. As a result of this complexity and fragmentation, platform teams are increasingly burdened by the need to stitch together separate solutions for networking, network security, and observability. This fragmentation also creates higher operating costs, security gaps, inefficient troubleshooting, and an elevated risk of outages in mission-critical environments. The challenge is even greater for companies running multiple Kubernetes distributions, as relying on each platform’s unique and often incompatible networking stack can lead to significant vendor lock-in and operational overhead.

The Tigera Unified Strategy: Addressing Fragmentation

Tigera’s unified platform strategy is designed to address these challenges by providing a single solution that brings together all the essential Kubernetes networking and security capabilities enterprises need, that includes Istio Ambient Mode, delivered consistently across every Kubernetes distribution.

Istio Ambient Mode brings sidecarless service-mesh functionality that includes authentication, authorization, encryption, L4/L7 traffic controls, and deep application-level (L7) observability directly into the unified Calico platform. By including Istio Ambient Mode with Calico and making it easy to install and manage with the Tigera Continue reading

IETF v6ops Working Group with Nick Buraglio

The first IPv6 specs were published in 1995, and yet 30 years later, we still have a pretty active IETF working group focused on “developing guidelines for the deployment and operation of new and existing IPv6 networks.” (taken from the old charter; they updated it in late October 2025). Why is it taking so long, and what problems are they trying to solve?

Nick Buraglio, one of the working group chairs, provided some answers in Episode 203 of the Software Gone Wild podcast.

Why AI Traffic Growth Demands Optical Network Automation Now

Demand for bandwidth continues to surge with increasing use of AI, high-definition video streaming, cloud and 5G mobile applications. In response, optical services need to become more dynamic and meet stricter service-level requirements. Consequently, metro-based networks owned by communications service providers (CSPs) and used for mobile transport, enterprise services or broadband access services face new demands relating to power, multiservice aggregation, security, AI integration and network slicing. Figure 1 shows a rich set of applications in a typical metro network. Figure 1 — A typical metro network supports a rich set of applications. As AI use grows, it will create a force multiplier that will drive significant traffic to transport networks. But the challenging throughput, latency and reliability requirements of AI workloads are already taking network scale and complexity to another level. CSPs are facing unprecedented pressure to deliver more, faster and better. Figure 2 shows the impact of AI traffic growth based on a recent Nokia Bell Labs study. This growth can range from 14% to 31%. Figure 2 — Traffic growth effects on CSP networks. CSPs’ access and aggregation network (orange) will bear the heaviest load, roughly 31% of the total AI traffic. CSPs’ metro network (pink) is Continue reading

Evergreen: The Big Ball of Mud

In 2007, Jeff Atwood published a legendary blog post summarizing a 1997 paper by Brian Foote and Joseph Yoder.

Reading that blog post (or the original paper), the inevitable conclusion is that we haven’t made much progress in the last 20 years. Even worse, almost every single pathological architecture described in that blog post applies quite well to real-life organically grown networks.

netlab 25.12: Cisco IOS/XR Configuration Modules, More VXLAN Goodies

netlab release 25.12 (25.12.02 to be exact – I had a few PEBCAK moments) was published last Friday. Here are the highlights:

• Significantly improved Cisco IOS/XR support. With the netlab release 25.12, you can configure VLANs, VRFs, static routes, route redistribution, OSPF default routes, BGP confederations, and BGP local-as
• VXLAN-over-IPv6 on Arista EOS
• VXLAN with ingress replication on Cisco Catalyst 8000v
• The shutdown link/interface attribute can be used to start labs with interfaces turned off
• Large BGP community lists, implemented on Arista EOS, FRR, and Junos. You can use standard- or large community lists in routing policies
• The netlab validate command will reread validation tests from a modified lab topology file every time you run it. It can also read validation tests from a separate file.

Best of the Hedge: Hedge 6 on DoH (Part 2)

In this episode of the Hedge, Geoff Huston joins Tom Ammon and Russ White to finish the discussion on the ideas behind DNS over HTTPS (DoH), and to consider the implications of its widespread adoption. Is it time to bow to our new overlords?
 
This is part two of a two part series. This is a “best of the Hedge” repost.
 

 
download

Lab: More Complex VXLAN Deployment Scenario

In the first VXLAN lab, we covered the very basics. Now it’s time for a few essential concepts (before introducing the EVPN control plane or integrated routing and bridging):

• Each VXLAN segment could have a different set of VTEPs (used to build the BUM flooding list)
• While the VXLAN Network Identifier (VNI) must be unique across the participating VTEPs, you could map different VLAN IDs into a single VNI (allowing you to merge two VLAN segments over VXLAN)
• Neither VXLAN VNI nor VLAN ID has to be globally unique (but it helps to make them unique to remain sane)

Technical Writing: Lower Your Expectations

Sean Goedecke published an excellent set of recommendations for good technical writing, including:

• Keep it short
• Try to make your point in the first sentence
• Details matter less than you think.

Based on some emails I received in the past (and the lack of response to the lengthy emails I sent), we should apply the same rules to emails (and all other forms of technical communication).

Worth Watching: AI/ML Data Center Design

What could be better than watching 0x02 Jeffs discuss networking? How about having Petr Lapukhov of the RFC 7938 fame as a guest discussing AI/ML Data Center Design?

Note: Petr disappeared into the information black hole called Facebook over a decade ago, so I wondered how they allowed him to chat on a podcast for hours. It turns out he moved to NVIDIA, which might influence the podcast content a bit, but I’m pretty sure Petr is still Petr ;)

AI Meets Kubernetes Security: Tigera CEO Reveals What Comes Next for Platform Teams

Kubernetes adoption is growing rapidly, but so are complexity and security risks.

Platform teams are tasked with keeping clusters secure and observable while navigating a skills gap. At KubeCon + CloudNativeCon North America, The New Stack spoke with Ratan Tipirneni, President and CEO of Tigera, about the future of Kubernetes security, AI-driven operations, and emerging trends in enterprise networking. The highlights from that discussion are summarized below.

Portions of this article are adapted from a recorded interview between The New Stack’s Heather Joslin and Tigera CEO Ratan Tipirneni. You can watch the full conversation on The New Stack’s YouTube channel. Watch the full interview here

How Can Teams Better Manage the Kubernetes Blast Radius and Skills Gap?

Tipirneni emphasizes the importance of controlling risk in Kubernetes clusters. “You want to be able to microsegment your workloads so that if you do come under an attack, you can actually limit the blast radius,” he says.

Egress traffic is another area of concern. According to Tipirneni, identifying what leaves the cluster is critical for security and compliance. Platform engineers are often navigating complex configurations without decades of Continue reading

AWS, Google Build a Multicloud Bridge

Addressing a long-standing perceived roadblock in enabling systems to span multiple cloud services, Amazon Web Services and Google Cloud have jointly developed a standard for customers to easily bridge their cloud deployments with Layer 3 connectivity. The idea, according to both companies, is to make it easy for their customers with cloud operations in both clouds to network them together in a private network, reducing the burden of maintaining multicloud connectivity, and perhaps even dispelling fears of cloud lock-in. Such easy connectivity may even spur customers to create more multicloud applications, theConnection Coordinator API specification is built on OpenAPI 3.0 customized for easily provisioning dedicated bandwidth between two cloud providers. The two cloud giants want other cloud providers to use the API as well. AWS implemented the spec in Google Cloud’s Cross-Cloud Interconnect. Both companies pledge to “engage in continuous monitoring to proactively detect and resolve issues,” according to the AWS website. The private lines between Google and AWS will be built on

Multi-Pod EVPN Troubleshooting (Part 3)

Last week, we fixed the mismatched route targets in our sample multi-pod EVPN fabric. With that fixed, every PE device should see every other PE device as a remote VTEP for ingress replication purposes. We got that to work on Site-A (AS 65001), but not on Site-B (AS 65002); let’s see what else is broken.

Note: This is the fifth blog post in the Multi-Pod EVPN series. If you stumbled upon it, start with the design overview and troubleshooting overview posts. More importantly, familiarize yourself with the topology we’ll be using; it’s described in the Multi-Pod EVPN Troubleshooting: Fixing Next Hops.

Ready? Let’s go. Here’s our network topology:

Computer Network Design Complexity and Tradeoffs Training

I’m teaching a “one off” special event class over on O’Reilly’s platform (via Pearson) this coming Friday, the 5th of December. From the Description:

Join networking engineer and infrastructure expert Russ White for this exclusive, one-time event exploring the critical role of tradeoffs in network design. We’ll begin by unpacking how complexity shapes the decisions architects and designers must make, and how tradeoffs are often an unavoidable part of navigating that complexity. Through real-world examples, you’ll learn how different network design choices impact overall system complexity, and how to approach these decisions with greater clarity and confidence. We’ll wrap up with an in-depth discussion of unintended consequences—how they arise, how to anticipate them, and how they relate to designing in complex, adaptive environments.

As always, if you register for the course you can watch later.

Register here.

netlab as the Universal Configuration Translator

Dan Partelly, a heavy netlab user (and an active contributor), sent me this interesting perspective on how one might want to use netlab without ever building a lab with it. All I added was a bit of AI-assisted editing; my comments are on a grey background.

In all podcasts and interviews I listened to, netlab was referred to as a “lab management solution”. But this is misleading. It’s also a translator, due to its ability to abstract devices, and can easily generate perfectly usable configs for devices or technologies you have never worked on.

Fun Reading: From XML to LLMs

In his latest blog post (Systems design 3: LLMs and the semantic revolution), Avery Pennarun claims that LLMs might solve the problem we consistently failed to solve on a large scale for the last 60 (or so) years – the automated B2B data exchange.

You might agree with him or not (for example, an accountant or two might get upset with hallucinated invoice items), but his articles are always a fun read.

KubeCon NA 2025: Three Core Kubernetes Trends and a Calico Feature You Should Use Now

The Tigera team recently returned from KubeCon + CloudNativeCon North America and CalicoCon 2025 in Atlanta, Georgia. It was great, as always, to attend these events, feel the energy of our community, and hold in-depth discussions at the booth and in our dedicated sessions that revealed specific, critical shifts shaping the future of cloud-native platforms.
We pulled together observations from our Tigera engineers and product experts in attendance to identify three key trends that are directly influencing how organizations manage Kubernetes today.

Trend 1: Kubernetes is Central to AI Workload Orchestration

A frequent and significant topic of conversation was the role of Kubernetes in supporting Artificial Intelligence and Machine Learning (AI/ML) infrastructure.
The consensus is clear: Kubernetes is becoming the standard orchestration layer for these specialized workloads. This requires careful consideration of networking and security policies tailored to high-demand environments. Observations from the Tigera team indicated a consistent focus on positioning Kubernetes as the essential orchestration layer for AI workloads. This trend underscores the need for robust, high-performance CNI solutions designed for the future of specialized computing.

Trend 2: Growth in Edge Deployments Increases Complexity

Conversations pointed to a growing and tangible expansion of Kubernetes beyond central data centers and Continue reading

Best of the Hedge: Episode 5 on DoH (Part 1)

In this episode of the Hedge, Geoff Huston joins Tom Ammon and Russ White to discuss the ideas behind DNS over HTTPS (DoH), and to consider the implications of its widespread adoption. Is it time to bow to our new overlords?

download

Lab: IS-IS Route Redistribution

Route redistribution into IS-IS seems even easier than its OSPFv2/OSPFv3 counterparts. There are no additional LSAs/LSPs; the redistributed prefixes are included in the router LSP. Things get much more interesting once you start looking into the gory details and exploring how different implementations use (or do not) the various metric bits and TLVs.

You’ll find more details (and the opportunity to explore the LSP database contents in a safe environment) in the IS-IS Route Redistribution lab exercise.

Click here to start the lab in your browser using GitHub Codespaces (or set up your own lab infrastructure). After starting the lab environment, change the directory to feature/7-redistribute and execute netlab up.