
Category Archives for "Cumulus Networks Blog"

Cumulus content roundup: October 2019

What could be scarier than non-scalable networking systems, outdated solutions and slow deployment time? Nothing. Luckily for you, there’s none of that in this month’s content roundup.

We kept busy with a very exciting announcement (hint: it has to do with campus networks) and we think you’ll be excited about it too. Read October’s content roundup to catch up with all the latest Cumulus news, releases, and what’s to come. Happy reading!

From Cumulus Networks:

The ease and importance of scaling in the enterprise: Out with the old and in with the new. Check out this blog by Finn Turner to find out how flexible, scalable network technologies are helping organizations smoothly take their network to the next level.

Securing open source: a brief look at dependency management: Ready to dive into dependency management? This post will cover three categories of dependency management, and which one is the right fit for your project.

How inspiration from your data center can modernize your campus network: While we originally designed Cumulus Linux for data center networking, we’ve now entered into the campus network. Not sure what that entails? Read this informative post by Scott Ciccone to find out about all Continue reading

The ease and importance of scaling in the enterprise

Networks are growing, and growing fast. As enterprises adopt IoT and mobile clients, VPN technologies, virtual machines (VMs), and massively distributed compute and storage, the number of devices—as well as the amount of data being transported over their networks—is rising at an explosive rate. It’s becoming apparent that traditional, manual ways of provisioning don’t scale. Something new needs to be used, and for that, we look toward hyperscalers; companies like Google, Amazon and Microsoft, who’ve been dealing with huge networks almost since the very beginning.

The traditional approach to IT operations has been focused on one server or container at a time. Any attempt at management at scale frequently comes with being locked into a single vendor’s infrastructure and technologies. Unfortunately, today’s enterprises are finding that even the expensive, proprietary management solutions provided by the vendors who have long supported traditional IT practices simply cannot scale, especially when you consider the rapid growth of containerization and VMs that enterprises are now dealing with.

In this blog post, I’ll take a look at how an organization can use open, scalable network technologies—those first created or adopted by the aforementioned hyperscalers—to reduce growing pains. These issues are increasingly relevant as new Continue reading

Securing open source: a brief look at dependency management

Taking full advantage of all that IT automation and orchestration have to offer frequently involves combining IT infrastructure automation with in-house application development. To this end, open source software is often used to speed development. Unfortunately, incorporating third-party software into your application means incorporating that third-party software’s vulnerabilities, too.

Scanning for, identifying, and patching open source dependencies in an application’s codebase is known as dependency management, and it’s increasingly considered a critical part of modern development. A recent report found that 60% of open source programs audited had a vulnerability that’s already been patched. With 96% of all code using open source libraries, this is a problem that impacts everyone.

There are many dependency management products available; too many to list in a single blog post. That said, we’ll look at some examples of well-known dependency management products that fall into three broad categories: free, open source software; commercial software with a free tier; and commercial software without a free tier.

Some dependency management products rely on open source vulnerability lists (the most famous of which is supplied by the National Institute of Standards and Technology [NIST]). Some products are commercial, and use closed databases (often in combination with the Continue reading

How inspiration from your data center can modernize your campus network

Campus networks are undergoing a rapid evolution as they draw inspiration from their data center peers from both a technology and cost perspective. At the forefront of this evolution is open networking, led by innovation and cost efficiencies that apply equally across data center and campus networks.

Interestingly, Cumulus Linux was originally intended for data center networking, but without a doubt, we’re seeing the lines between data center and campus blurring with campus standing to benefit significantly, and it’s about time. It’s the data center that has historically benefited from innovation, especially in compute and storage. The data center network, however, seemed to lag for more than a decade until our founders set out in 2010 to develop a fundamentally different approach to the data center with Cumulus Networks.

Cumulus Networks introduced an open, modern and innovative network operating system called Cumulus Linux. Cumulus Linux was originally designed to emulate the network architecture of the web-scale giants, including Google, Amazon, Apple, Microsoft and Facebook, allowing you to automate, customize and scale your data center network like no other, and for the first time bringing this capability to the masses.

Cumulus Networks is building the modern data center network for applications Continue reading

Our docs: now open for your contributions!

You may have noticed our technical documentation has a new look and feel. The reason? We recently migrated to a new platform, Hugo, a really fast static site generator. All our written content is formatted in Markdown and the source code is stored in a public GitHub repository. When we merge a release branch into the master branch, the site automatically gets rebuilt, which takes about 5 minutes from provisioning to deploying the new build, so we can quickly update the site when we come across an issue.

What does this all mean for you? We encourage you to participate if you have the opportunity and desire — and we certainly welcome your pull requests! Feel free to update anything you see that is incorrect or that could be written more clearly. If your time is limited, you can always file a bug against the docs too.

We also accept your original content! If you have an automation solution or a unique Cumulus Linux deployment you’d like to share, feel free to write about it and we’ll host it in the Network Solutions section of the Cumulus Linux user guide. You can read our contributor guide for guidelines on Continue reading

The case for open standards: an M&A perspective

Very few organizations use IT equipment supplied by a single vendor. Where heterogeneous IT environments exist, interoperability is key to achieving maximum value from existing investments. Open networking is the most cost effective way to ensure interoperability between devices on a network.

Unless your organization was formed very recently, chances are that your organization’s IT has evolved over time. Even small hardware upgrades are disruptive to an organization’s operations, making network-wide “lift and shift” upgrades nearly unheard of.

While loyalty to a single vendor can persist through regular organic growth and upgrade cycles, organizations regularly undergo mergers and acquisitions (M&As). M&As almost always introduce some level of heterogeneity into a network, meaning that any organization of modest size is almost guaranteed to have to integrate IT from multiple vendors.

While every new type of device from every different vendor imposes operational management overhead, the impact of heterogeneous IT isn’t universal across device types. The level of automation within an organization for different device classes, as well as the ubiquity and ease of use of management abstraction layers, both play a role in determining the impact of heterogeneity.

The Impact of Standards

Consider, for a moment, the average x86 server. Each Continue reading

Cumulus content roundup: September 2019

And with that, September has come and gone. Did you miss some of the great content we published? In true Cumulus Networks fashion, we’ve made it easy for you to catch up on all the blog posts and articles we had to offer below so take a moment to settle in and then dive into all things open networking!

From Cumulus Networks:

How open standards help with defense in depth: Networking is a vital part of security, and of defense in depth in particular. So how would open standards help this approach to InfoSec? Read this blog to learn.

EVPN-PIM: BUM optimization using PIM-SM: Does “PIM” make you break out into hives? You’re not alone. In part one of a two-part blog series we talk about using PIM-SM to optimize BUM flooding in an L2-VNI with single VTEPs.

EVPN-PIM: Anycast VTEPs: In part one we learned about EVPN-PIM. In this second part of the two-part blog series we throw MLAG into the mix and break down the additional procedures needed for it.


News from the web:

The future of networks: switching to 100G: Pete Lumbis shares five tips on changing to 100G networking in the latest Continue reading

EVPN-PIM: Anycast VTEPs

This is the second of the two part EVPN-PIM blog series exploring the feature and network deployment choices. If you missed part one, learn about BUM optimization using PIM-SM here.

Anycast VTEPs

Servers in a data-center Clos are typically dual connected to a pair of Top-of-Rack switches for redundancy purposes. These TOR switches are set up as an MLAG (Multichassis Link Aggregation) pair, i.e. the server sees them as a single switch with two or more bonded links. Really there are two distinct switches with an ISL/peerlink between them syncing databases and pretending to be one.

The MLAG switches (L11, L12 in the sample setup) use a single VTEP IP address, i.e. they appear as an anycast-VTEP or virtual-VTEP.

Additional procedures involved in EVPN-PIM with anycast VTEPs are discussed in this blog.

EVPN-PIM in an MLAG setup vs. PIM-MLAG

Friend: “So you are working on PIM-MLAG?”
Me: “No, I am implementing EVPN-PIM in a MLAG setup”
Friend: “Yup, same difference”
Me: “No, it is not!”
Friend: “OK, OK, so you are implementing PIM-EVPN with MLAG?”
Me: “Yes!”
Friend: “i.e. PIM-MLAG?”
Me: “Well, now that you put it like that….……..NO, I AM NOT!! Continue reading

EVPN-PIM: BUM optimization using PIM-SM

Does “PIM” make you break out into hives? Toss and turn at night?! You are not alone. While PIM can present some interesting troubleshooting challenges, it serves a specific and simple purpose of optimizing flooding in an EVPN underlay.

The right network design choices can eliminate some of the elements of complexity inherent to PIM while retaining efficiency. We will explore PIM-EVPN and its deployment choices in this two-part blog.

Why use multicast VxLAN tunnels?

Head-end-replication

Overlay BUM (broadcast, unknown-unicast and intra-subnet unknown-multicast) traffic is VXLAN-encapsulated and flooded to all VTEPs participating in an L2-VNI. One mechanism currently available for this is ingress-replication or HREP (head-end-replication).

In this mechanism, BUM traffic from a local server (say H11 on rack-1 in the sample network) is replicated by the originating VTEP L11 as many times as there are remote VTEPs. Each copy is then encapsulated with an individual tunnel header DIP (L21, L31) and sent over the underlay.

The number of copies created by the ingress VTEP increases proportionately with the number of VTEPs associated with an L2-VNI, and this can quickly become a scale problem. Consider a POD with 100 VTEPs; here the originating VTEP would need to create 99 Continue reading

How open standards help with defense in depth

If you ask an ordinary person about information security, they’ll probably talk to you about endpoints. Most people are aware of virus scanners for notebooks or PCs, and may have encountered some kind of mobile device management on a work-provided phone. These endpoint solutions naturally come to mind if someone mentions cyber security. However, this is backward from the way that infosec professionals think about the issue.

Someone who works in infosec will tell you that the endpoint should be the absolute last line of defense. If a virus scanner finds malware on your work notebook, the malware should have had to defeat a long list of other security precautions in order to get that far. This layered approach to security is known as defense in depth.

The term “defense in depth” originally was applied to military strategy. It described the practice of trying to slow an enemy down, disperse their attack, and cause casualties; rather than trying to stop their attack at a single, heavily fortified point. The enemy might breach the first layer of defenses, but would find additional layers beyond. While they struggled to advance, they could be surrounded and then counter-attacked.

Infosec in Depth

The information Continue reading

Cumulus content roundup: Summer 2019

Summer has flown by and you may have missed some of the great content that was published. Don’t worry, you can catch up on some of our favorite podcasts, blog posts, and articles below. So settle in and then dive into all things open networking!

From Cumulus Networks:

Customizing your network: Take a quick look at the types of automation available in Linux, from basic to dynamic, and how these automation capabilities help to enable data center-wide orchestration here.

Kernel of Truth podcast: Network monitoring: When it comes to network monitoring, have you run into a “switch that cried wolf?” Kernel of Truth host Brian O’Sullivan is joined by two new guests to the podcast, Justin Betz & Faye Ly, to chat more about network monitoring here.

Best practices: MLAG backup IP: We cover the best ways to build a redundant backup IP link for multi-chassis link aggregation (MLAG).

Exploring Batfish with Cumulus – part one: With Batfish supporting Cumulus Networks this year, we show how it can fit into pipelines & replace or complement existing testing strategies in part one of a two-part series.

Kernel of Truth podcast: Innovation in the data center: Spiderman aka Rama Continue reading

Customizing your network

Open networking is based on open standards, interoperability, and open source software such as Linux. One of the things that has made Linux so ubiquitous is the unparalleled control it offers to users in terms of customization and building intelligence into the network. Much of this advantage comes in the form of the automation and orchestration possible with Linux-based networking.

First adopted by hobbyists, widespread use of Linux in production environments only started to take off in the mid-1990s in the supercomputing field, where organizations such as NASA started to replace their overly expensive hardware with clusters of inexpensive commodity computers running Linux. Today, Linux systems are used throughout computing.

Linux can be found in servers, clouds, and network equipment. Linux is ubiquitous in the embedded systems space, and is the operating system upon which virtually all modern supercomputers are built. Even Microsoft (which once derided Linux as “a cancer”) now champions Linux, building its own Linux distributions for its Azure cloud networking and making it possible to run Linux on top of Windows.

Linux offers organizations numerous ways to automate devices and workloads. This includes task scheduling, scripting, automation, and policy management. Because Linux is used widely in so Continue reading

Best practices: MLAG backup IP

Recently there was a conversation in the Cumulus community (details in the debriefing below) about the best way to build a redundant backup IP link for multi-chassis link aggregation (MLAG). Like all good consulting-led blogs, we have a healthy dose of pragmatism that goes with our recommendations and this technology is no different. But if you’re looking for the short answer, let’s just say: it depends.

The MLAG backup IP feature goes by many names in the industry. In Cisco-land you might call this the “peer keepalive link,” in Arista-ville you might call this the “peer-address heartbeat” and in Dell VLTs it is known as the “backup destination.” No matter what you call it, the functionality offered is nearly the same.

What does it do?

Before we get into the meat of the recommendation, let’s talk about what the backup IP is designed to do. The backup IP link provides an additional value for MLAG to monitor, so a switch knows if its peer is reachable. Most implementations use this backup IP link solely as a heartbeat, meaning that it is not used to synchronize MAC addresses between the two MLAG peers. This is also the case with Cumulus Continue reading

Exploring Batfish with Cumulus – Part 2

In Part 1 of our look into navigating Batfish with Cumulus, we explored how to get started with communicating with the pybatfish SDK, as well as getting some basic actionable topology information back. With the introduction out of the way, we’re going to take a look at some of the more advanced use cases when it comes to parsing the information we get back in response to our queries. Finally, we’re going to reference an existing CI/CD pipeline, where templates are used to dynamically generate switch configuration files, and see exactly where and how Batfish can fit in and aid in our efforts to dynamically test changes.

For a look under the covers, the examples mentioned in this series of posts are tracked in https://gitlab.com/permitanyany/cldemo2

Enforcing Policy

As you may remember, in Part 1 we gathered the expected BGP status of all our sessions via the bgpSessionStatus query and added some simple logic to tell us when any of those sessions would report back as anything but “Established”. Building on that type of policy expectation, we’re going to add a few more rules that we want to enforce in our topology.

For example:

Kernel of Truth season 2 episode 12: Innovation in the data center

Subscribe to Kernel of Truth on iTunes, Google Play, Spotify, Cast Box and Stitcher!

Click here for our previous episode.

In this podcast we have an in-depth conversation about the different types and levels of innovation in the data center and where we see it going. Spiderman aka Rama Darbha and host Brian O’Sullivan are joined by a new guest to the podcast, VP of Marketing Ami Badani. They share that while innovation in the data center doesn’t appear sexy to anyone outside of network engineers, in reality there has been a huge paradigm shift in the way data centers have been built and operated over the last 3 years. So what does that mean? How is automation involved in this conversation? Listen here to find out.

Guest Bios

Brian O’Sullivan: Brian currently heads Product Management for Cumulus Linux. For 15 or so years he’s held software Product Management positions at Juniper Networks as well as other smaller companies. Once he saw the change that was happening in the networking space, he decided to join Cumulus Networks to be a part of the open networking innovation. When not working, Brian is a voracious reader and has held a variety of jobs, including Continue reading

Exploring Batfish with Cumulus – part one

The topic of testing in continuous integration pipelines is something we at Cumulus discuss almost daily, whether it’s internally or with customers. While our approach mainly centers around doing this type of testing in a virtual simulated environment, the moment I heard about a project called Batfish taking a different approach to testing, it had my attention. Better yet, once Batfish announced initial support for Cumulus earlier this year, there were no excuses left to not start digging in and understanding how it can fit into pipelines and replace or complement existing testing strategies.

The Batfish Approach To Testing

While there are various testing frameworks out there that help in building and organizing an approach to testing changes, the ugly truth is that the majority of this process occurs after a change has actually been pushed to a device. Techniques like linting provide some level of aid in the mostly empty pre-change testing area, but the control and data plane validation checks are forced to occur after a change has been pushed, when it’s generally “too late”. Even though there’s no argument that some testing is better than none, the pre-change test area is desperate for any type of visibility Continue reading

Kernel of Truth season 2 episode 11: Network monitoring

Subscribe to Kernel of Truth on iTunes, Google Play, Spotify, Cast Box and Stitcher!

Click here for our previous episode.

Don’t let your switch be the one that cried wolf! Network monitoring is a hot topic here at Cumulus Networks, and to talk about it more, host Brian O’Sullivan is joined by two new guests to the podcast, Justin Betz and Faye Ly. They sit down to chat about the evolution of monitoring, the challenges in achieving robust monitoring and visibility, and what it even means to have “good network monitoring and visibility.” Listen, learn and hopefully enjoy!

Guest Bios

Brian O’Sullivan: Brian currently heads Product Management for Cumulus Linux. For 15 or so years he’s held software Product Management positions at Juniper Networks as well as other smaller companies. Once he saw the change that was happening in the networking space, he decided to join Cumulus Networks to be a part of the open networking innovation. When not working, Brian is a voracious reader and has held a variety of jobs, including bartending in three countries and working as an extra in a German soap opera. You can find him on Twitter at @bosullivan00.

Faye Continue reading

Campus design feature set-up : Part 6

I’ve been going through how to set up the CL 3.7.5 campus feature: Multi-Domain Authentication in a 6-part blog series and I’m happy to say we’ve made it to the last one.

If you’ve stuck with me through this series, you’ll know that in blogs 1-5 we had guides for Wired 802.1x using Aruba ClearPass, Wired MAC Authentication using Aruba ClearPass, Multi-Domain Authentication using Aruba ClearPass, Wired 802.1x using Cisco ISE and Wired MAC Authentication using Cisco ISE.

Now that we’re at the end of the road, this final guide will enable Multi-Domain Authentication in Cumulus Linux 3.7.5+ using Cisco ISE (Identity Services Engine) 2.4, Patch 8.

Keep in mind that this step-by-step guide assumes that you have already performed an initial setup of Cisco ISE and read part four and part five of this blog series.

Over the past year, Cumulus Networks has made a concerted effort to expand the breadth and scope of the campus features within Cumulus Linux. Hot off the press in 3.7.5 is one of those features, Multi-Domain Authentication (MDA).

Classically, MDA allows for a Voice VLAN and Data VLAN to be configured Continue reading

Kernel of Truth season 2 episode 10: Practical open networking

Subscribe to Kernel of Truth on iTunes, Google Play, Spotify, Cast Box and Stitcher!

Click here for our previous episode.

But wait, there’s more! If you keep up with our podcast you may have noticed the previous episode where we talked about what open networking is, so why are we chatting about it again? Last time we talked about having open APIs and having the demarcation point between components, but in this podcast we’re extending the conversation to show how everyone can take advantage of open networking in a wider, practical sense. Guests Rama Darbha and Roopa Prabhu join host Brian to share their thoughts, experiences and expertise on the subject. Listen, enjoy, and feel free to comment here or on our social media channels if you have any questions or thoughts to add.

Guest Bios

Brian O’Sullivan: Brian currently heads Product Management for Cumulus Linux. For 15 or so years he’s held software Product Management positions at Juniper Networks as well as other smaller companies. Once he saw the change that was happening in the networking space, he decided to join Cumulus Networks to be a part of the open networking innovation. When not working, Brian is Continue reading

Campus design feature set-up : Part 5

In this blog series, we’ve been on a journey of sorts. We’ve shown you all the different ways to set up the CL 3.7.5 campus feature: Multi-Domain Authentication in this 6-part series and guess what? We’re getting into the home stretch!

In blogs 1-4 we had guides for Wired 802.1x using Aruba ClearPass, Wired MAC Authentication using Aruba ClearPass, Multi-Domain Authentication using Aruba ClearPass and Wired 802.1x using Cisco ISE. After this blog, we’ll just have one more, covering Multi-Domain Authentication using Cisco ISE. But we’re not here to talk about those now.

In this fifth guide, I’ll be sharing how to enable Wired MAC Authentication in Cumulus Linux 3.7.5+ using Cisco ISE (Identity Services Engine) 2.4, Patch 8.

Keep in mind that this step-by-step guide assumes that you have already performed an initial setup of Cisco ISE.

Cisco ISE Configuration:

1. Add a Cumulus Switch group to Cisco ISE:

First, we are going to add a Network Device Group to Cisco ISE:

Administration > Network Resources > Network Device Groups. Click the “+Add” button.

Make sure to set the “Parent Group” to “All Device Types.” The result will look Continue reading