Data Center Fabric Designs: Size Matters
The “should we use the same vendor for fabric spines and leaves?” discussion triggered the expected counterexamples. Here’s one:
I actually have worked with a few orgs that mix vendors at both spine and leaf layer. Can’t take names but they run fairly large streaming services. To me it seems like a play to avoid vendor lock-in, drive price points down and be in front of supply chain issues.
As always, one has to keep two things in mind:
Data Center Fabric Designs: Size Matters
The “should we use the same vendor for fabric spines and leaves?” discussion triggered the expected counterexamples. Here’s one:
I actually have worked with a few orgs that mix vendors at both spine and leaf layer. Can’t take names but they run fairly large streaming services. To me it seems like a play to avoid vendor lock-in, drive price points down and be in front of supply chain issues.
As always, one has to keep two things in mind:
NAN057: Nile Incorporates Network Automation from the Ground Up (Sponsored)
What if you could eliminate the burdens of networking without losing your control and visibility of the network? That’s the idea behind Nile. With Nile co-managing the network, you don’t have to spend all your time chasing down tickets, running patches, and dealing with CLI syntax. Instead you get to focus on higher level tasks... Read more »BGP AS Numbers for a Private MPLS/VPN Backbone
One of my readers was building a private MPLS/VPN backbone and wondered whether they should use their public AS number or a private AS number for the backbone. Usually, it doesn’t matter; the deciding point was the way they want to connect to the public Internet:
We also plan to peer with multiple external ISPs to advertise our public IP space not directly from our PE routers but from dedicated Internet Routers, adding a firewall between our PEs and external Internet routers.
They could either run BGP between the PE routers, firewall, and WAN routers (see BGP as High-Availability Protocol for more details) or run BGP across a bump-in-the-wire firewall:
BGP AS Numbers for a Private MPLS/VPN Backbone
One of my readers was building a private MPLS/VPN backbone and wondered whether they should use their public AS number or a private AS number for the backbone. Usually, it doesn’t matter; the deciding point was the way they want to connect to the public Internet:
We also plan to peer with multiple external ISPs to advertise our public IP space not directly from our PE routers but from dedicated Internet Routers, adding a firewall between our PEs and external Internet routers.
They could either run BGP between the PE routers, firewall, and WAN routers (see BGP as High-Availability Protocol for more details) or run BGP across a bump-in-the-wire firewall:
Adding IPv6-only to DNS and Truncation in UDP
We repeat the measurements of the behaviour of the DNS when processing truncated UDP responses, but this time we've constrained the measurement so that only IPv6-capable DNS resolvers are being measured. Does this make the results better or worse?Adding IPv6-only to DNS and Truncation in UDP
We repeat the measurements of the behaviour of the DNS when processing truncated UDP responses, but this time we've constrained the measurement so that only IPv6-capable DNS resolvers are being measured. Does this make the results better or worse?PP005: Red, Blue, Purple: Choosing the Right Teams for Security Testing and Defense
According to Bryson Bort, you can build higher metaphorical fences, electrify them, and have sharks with laser beams prowling the moat, but attackers are still going to get through the security perimeter. That’s why the priority of any IT team should be to identify anomalies and anticipate attack logic. To do this, organizations need to... Read more »How to Mitigate Shadow AI Security Risks by Implementing the Right Policies
Security has become even more paramount in every organization with growing popularity in AI created by a new phenomenon of ‘Shadow AI’ applications that need to be vetted against security policies.Adding TS’s IP Address to MAC-VRF (L2RIB) and IP-VRF (L3RIB)
In the previous chapter, we discussed how a VTEP learns the local TS's MAC address and the process through which the MAC address is programmed into BGP tables. An example VTEP device was configured with a Layer 2 VLAN and an EVPN Instance without deploying a VRF Context or VLAN routing interface. This chapter introduces, at a theoretical level, how the VTEP device, besides the TS's MAC address, learns the TS's IP address information after we have configured the VRF Context and routing interface for our example VLAN.
Figure 1-3: MAC-VRF Tenant System’s IP Address Propagation.
I have divided Figure 1-3 into three sections. The section on the top left, Integrated Routing and Bridging - IRB illustrates the components required for intra-tenant routing and their interdependencies. By configuring a Virtual Routing and Forwarding Context (VRF Context), we create a closed routing environment with a per-tenant IP-VRF L3 Routing Information Base (L3RIB). Within the VRF Context, we define the Layer 3 Virtual Network Identifier (L3VNI) along with the Route Distinguisher (RD) and Route Target (RT) values. The RD of the VRF Context enables the use of overlapping IP addresses across different tenants. Based on the RT value of the VRF Context, Continue reading
10 Steps to Choosing the Best SD-WAN Provider for Your Company
When evaluating SD-WAN providers, proceed with caution.OSPF Summarization and Split Areas
In the Do We Still Need OSPF Areas and Summarization? I wrote this somewhat cryptic remark:
The routers advertising a summarized prefix should be connected by a path going exclusively through the part of the network with more specific prefixes. GRE tunnel also satisfies that criteria; the proof is left as an exercise for the reader.
One of my readers asked for a lengthier explanation, so here we go. Imagine a network with two areas doing inter-area summarization on /24 boundary:
OSPF Summarization and Split Areas
In the Do We Still Need OSPF Areas and Summarization? I wrote this somewhat cryptic remark:
The routers advertising a summarized prefix should be connected by a path going exclusively through the part of the network with more specific prefixes. GRE tunnel also satisfies that criteria; the proof is left as an exercise for the reader.
One of my readers asked for a lengthier explanation, so here we go. Imagine a network with two areas doing inter-area summarization on /24 boundary:
Tech Bytes: Cisco ThousandEyes Deepens Visibility for Remote Workforce Management (Sponsored)
SecOps, NetOps, and help desks need integrated data, increased context, and the ability to quickly understand interdependencies in order to take on the complex tasks facing them. That’s why ThousandEyes is now integrated with Cisco Secure Access, Cisco’s SSE solution. Tune in to learn about ThousandEyes’ deeper visibility, system process metrics, streamlined test setup, and... Read more »User Discomfort As A Security Function
If you grew up in the 80s watching movies like me, you’ll remember Wargames. I could spend hours lauding this movie but for the purpose of this post I want to call out the sequence at the beginning when the two airmen are trying to operate the nuclear missile launch computer. It requires the use of two keys, one each in the possession of one of the airmen. They must be inserted into two different locks located more than ten feet from each other. The reason is that launching the missile requires two people to agree to do something at the same time. The two key scene appears in a number of movies as a way to show that so much power needs to have controls.
However, one thing I wanted to talk about in this post is the notion that those controls need to be visible to be effective. The two key solution is pretty visible. You carry a key with you but you can also see the locks that are situated apart from each other. There is a bit of challenge in getting the keys into the locks and turning them simultaneously. That not only shows that the Continue reading
NB 469: Arista Debuts Network Observability Service; Startups Aim To Break Nvidia’s AI Chip Grip
This week we discuss a new network observability offering from Arista that integrates network telemetry with application data, why startups such as Groq and Taalas think they can break Nvidia’s grip on the AI chip market, and how Microsoft is hedging its LLM bets. Amazon goes nuclear with the purchase of a reactor-powered data center... Read more »What is Network-as-a-Service (NaaS)? A Complete Guide
Network-as-a-Service (NaaS) offers a flexible, cost-effective, and efficient way for businesses to manage their networking needs. Here is an overview to guide your selection and use of NaaS.Security Week 2024 wrap up
The next 12 months have the potential to reshape the global political landscape with elections occurring in more than 80 nations, in 2024, while new technologies, such as AI, capture our imagination and pose new security challenges.
Against this backdrop, the role of CISOs has never been more important. Grant Bourzikas, Cloudflare’s Chief Security Officer, shared his views on what the biggest challenges currently facing the security industry are in the Security Week opening blog.
Over the past week, we announced a number of new products and features that align with what we believe are the most crucial challenges for CISOs around the globe. We released features that span Cloudflare’s product portfolio, ranging from application security to securing employees and cloud infrastructure. We have also published a few stories on how we take a Customer Zero approach to using Cloudflare services to manage security at Cloudflare.
We hope you find these stories interesting and are excited by the new Cloudflare products. In case you missed any of these announcements, here is a recap of Security Week:
Responding to opportunity and risk from AI
| Title | Excerpt |
|---|---|
| Cloudflare announces Firewall for AI | Cloudflare announced the development of Firewall for AI, Continue reading |