Category Archives for "Networking"

EVPN with MPLS Data Plane in Data Centers

Mr. Anonymous (my most loyal reader and commentator) sent me this question as a comment to one of my blog posts:

Is there any use case of running EVPN (or PBB EVPN) in DC with MPLS Data Plane? Most vendors seem to be only implementing NVO, to my understanding.

Sure there is: you already have MPLS control plane and want to leverage the investment.

Kathmandu, Nepal is data center 123

We said that we would head to the mountains for Cloudflare’s 123rd data center, and mountains feature prominently as we talk about Kathmandu, Nepal, home of our newest deployment and our 42nd data center in Asia!

Five and three quarter key facts to get started:

  • Nepal is home to the highest mountain in the world.
  • Kathmandu has more UNESCO heritage sites in its immediate area than any other capital!
  • The Nepalese flag isn’t a rectangle. It’s not even close!
  • Nepal has never been conquered or ruled by another country.
  • Kathmandu, Nepal is where Cloudflare has placed its 123rd data center.
  • Nepal’s timezone is 5 hours 45 minutes ahead of GMT.

Mountains

The mountainous nation of Nepal is home to Mount Everest, the highest mountain in the world, known in Nepali as Sagarmāthā. Most of us learn that at school; however, there are plenty of other mountains located in Nepal. Here are the ones above 8,000 meters (extracted from the full list) to get you started:

  • Mount Everest at 8,848 meters
  • Kanchenjunga at 8,586 meters
  • Lhotse at 8,516 meters
  • Makalu at 8,463 meters
  • Cho Oyu at 8,201 meters
  • Dhaulagiri I at 8,167 meters
  • Manaslu at 8,156 meters
  • Annapurna I at 8,091 meters

Viewing Cisco Proximity with SpectrumView

I wanted to share a quick trick for troubleshooting Cisco Proximity. For those who haven’t stumbled onto this particular technology, Proximity is a feature in Spark Connected and Traditional Cisco Video Endpoints that provides a pairing channel for screen sharing. Specifically, the codec announces its presence and connection information via a 22 kHz audio stream. The client device then uses that connection information to make a connection over the network and share the screen with the codec. Since 22 kHz is beyond what the human ear can hear, some other tool is needed to check for its presence.

The tool I use to check for the presence of the pairing channel is SpectrumView, which is available in the Apple App Store.

SpectrumView

There are a couple of options that need to be manually configured before the tool displays the higher frequency used for the pairing process:

  • Recording – Audio Sampling Rate 48000
  • Display – This may need adjusting if you don’t see anything. I typically set mine to about 15 dB

With the proper settings and within range of a Proximity-enabled device, some output should be visible just above 20 kHz.

Disclaimer: This article includes the independent thoughts, opinions, commentary or technical

BrandPost: DIY Not the Best Approach to SD-WAN

Wide area networks (WANs) were not designed for the load that most enterprises need them to handle today. Demand for data across the distributed enterprise is growing exponentially; virtually all enterprises are using cloud technology in some form; and the Internet of Things is growing, expanding the scope of networks far beyond servers, PCs, tablets and smartphones. So, it shouldn’t be a surprise that many are eagerly turning to software-defined WANs (SD-WANs) to deal with those growing needs.

SD-WANs reflected the ongoing movement to software-defined IT assets and increasing reliance on virtualization to make those assets available where and when needed. But few organizations have the fortitude—or budget—to rip and replace core pieces of their existing infrastructure, such as MPLS, which provides Class of Service prioritization and Quality of Service management.

BrandPost: Sorting Through SD-WAN Options

Most enterprises rely on a combination of MPLS and IPsec to implement virtual private networks (VPNs) across the organization’s wide area network (WAN). But the emergence of mobile devices and cloud-based applications, along with enormous growth in data volumes, has them scrambling for more flexible, more cost-effective options. Many expect software-defined network (SDN) technologies, and in particular SD-WANs, to provide the solution, but sorting through all the options can be a challenge.

Backed by venture capital, SD-WAN appliance vendors have been popping up all over the place. But appliance-based point solutions represent somewhat of a do-it-yourself scenario, and it’s important to understand whether they’ll inhibit or enhance what an enterprise can gain from SD-WAN deployment.

Understanding IPv6 – The 7 Part Blog Series and the 28 minute CHI-NOG Snippet

New to IPv6 or know someone who is? Below you will find my 7-part blog series on the lessons I learned during my IPv6 journey and how I now teach IPv6 to others newer to it. Prefer a YouTube video instead? At the end you will find the very rapid-paced 28-minute presentation of this that I did for CHI-NOG in 2016.

  • Understanding IPv6: The Journey Begins (Part 1 of 7)
  • Understanding IPv6: Link-Local ‘Magic’ (Part 2 of 7)
  • Understanding IPv6: A Sniffer Full Of 3s (Part 3 of 7)
  • Understanding IPv6: What Is Solicited-Node Multicast? (Part 4 of 7)
  • Understanding IPv6: Prepping For Solicited-Node Multicast (Part 5 of 7)
  • Understanding IPv6: The Ping Before Solicited-Node Multicast (Part 6 of 7)
  • Understanding IPv6: Solicited-Node Multicast In Action (Part 7 of 7)

JUNIPER QFX10K | EVPN-VXLAN | MAC LEARNING VERIFICATION | SINGLE-HOMED ENDPOINT

This article is all about EVPN-VXLAN and Juniper QFX technology. I’ve been working with this tech quite a lot over the past few months and figured it would be useful to share some of my experiences. This particular article is probably going to be released in 2 or 3 parts and is focused specifically on the MAC learning process and how to verify behaviour. The first post focuses on a single-homed endpoint connected to the fabric via a single leaf switch. The second part will look at a multihomed endpoint connected via two leaf switches that are utilising the EVPN multihoming feature. And, lastly, the third part will focus on Layer 3 Virtual Gateway at the QFX10k Spine switches. The setup I’m using is based on Juniper vQFX for spine and leaf functions with a vSRX acting as a VR device. I also have a Linux host that is connected to a single leaf switch.

Overview

When verifying and troubleshooting EVPN-VXLAN it can become pretty difficult to figure out exactly how the control plane and data plane are programmed and how to verify behaviours. You’ll find yourself looking at various elements such as the MAC table, EVPN database, EVPN routing

Understanding IPv6: Solicited-Node Multicast In Action (Part 7 of 7)

The last few blogs in my series on IPv6 have focused on solicited-node multicast, which provides the functionality for Neighbor Discovery in IPv6 addressing. We ended the last blog with a cliffhanger, asking, “In IPv6, how do we find the Layer 2 MAC address associated with a Layer 3 IPv6 address?”

Time to put the pieces together
In this series of blogs, I have laid out all the varying puzzle pieces needed to answer this question. Let’s start putting those puzzle pieces together.

In this blog, we learned that, if a device has an IPv6 global address of 2001:DB8::AB:1/64, then, according to RFC 4291, it must also “compute and join” the IPv6 solicited-node multicast address FF02::1:FFAB:1.

By the same logic, that means the node associated with the IPv6 address of 2001:DB8::AB:2 must “compute and join” the IPv6 solicited-node multicast address FF02::1:FFAB:2.

So our first puzzle piece gets us to here:

But so what? How does that get us any closer to getting the DMAC associated with Router B’s IPv6 global unicast address? All it did was give us a multicast address that this IPv6 unicast address must join.

Let’s add another piece of the puzzle. From this

Understanding IPv6: The Ping Before Solicited-Node Multicast (Part 6 of 7)

In a previous blog, we looked at the basics of IPv6 solicited-node multicast. Going back to our Router A and Router B environment, if we sniff the wire while pinging from Router A’s IPv6 address to Router B’s IPv6 address, what will we see? Spoilers! Suffice it to say we will see some IPv6 solicited-node multicast very much in action.

Ping in IPv4

Before we jump into IPv6, let’s first do an IPv4 ping from Router A to Router B. When we sniff the wire we can review the mechanisms of how IPv4 does all of this on the wire.

When ping 10.10.10.2 is entered on Router A, the router knows it is being asked to build an ICMP echo request message and put it “out on the wire” with a destination IP address of 10.10.10.2. But in order to make the request “ready” to put out on the wire to get to 10.10.10.2, Router A needs more than simply the destination IPv4 address.

For the purposes of this post, we will look at four things the router needs before sending the ICMP echo request out on the wire. These

BrandPost: Delivering Best-in-Class Education Technology Without Breaking the Bank

Digital technology is driving fundamental changes in the educational process. As digital devices and the internet become an integral part of students’ lives, schools are finding they must support new learning solutions. Digital learning is a new constant in the school day.

New digital solutions and technologies such as virtual/augmented reality, digital whiteboards, distance learning, personalized learning, artificial intelligence, and gamification are creating new demands on schools’ IT capabilities and infrastructure. And as these and other exciting new technologies come into regular use, many schools find they need to upgrade their server room into an “always-on,” flexible, and cost-efficient data center designed to support 21st century learning.

Understanding IPv6: Prepping For Solicited-Node Multicast (Part 5 of 7)

Solicited-node multicast: I stumbled and tripped a bunch over this one in the beginning.  Well, that isn’t 100% true. Admittedly, at first, I really just ignored it, which really got in the way of my understanding some of the fundamentals of Neighbor Discovery Protocol (NDP).

But before we jump into solicited-node multicast, let’s review link-local scope multicast addresses.

Multicast is all around you
Multicast is all around your current IPv4 network. You might not think so if you haven’t enabled IP multicast routing and PIM, but it’s there. Pretty much everywhere you turn, it’s there.

Let’s return to our RouterA/RouterB environment. But let’s have IPv4 only running right now, like probably a lot of your routers in your environment.

Show IP interface
This is often an overlooked command, which is a shame because there is a great deal of very useful information that is given in the output. For now, we’re going to focus on the line “multicast reserved groups joined” and ignore all the other lines.

See? Lots and lots of multicast! To be specific, lots of “Local Network Control Block (224.0.0.0 – 224.0.0.255 (224.0.0/24)),” according to the Internet

Which data center intrusion prevention systems are worth the investment? NSS Labs tests 5 DCIPS products

Performance is critical when evaluating data center intrusion-prevention systems (DCIPS), which face significantly higher traffic volumes than traditional IPSes.

A typical IPS is deployed at the corporate network perimeter to protect end-user activity, while a DCIPS sits inline, inside the data center perimeter, to protect data-center servers and the applications that run on them. That requires a DCIPS to keep pace with traffic from potentially hundreds of thousands of users who are accessing large applications in a server farm, says NSS Labs, which recently tested five DCIPS products in the areas of security, performance and total cost of ownership.

Understanding IPv6: What Is Solicited-Node Multicast? (Part 4 of 7)

IPv6 solicited-node multicast sometimes seems to confuse those new to IPv6 in the beginning. I think this is because it seems so foreign and new. In this post, we will explore exactly what IPv6’s solicited-node multicast is and the rules for creating such an address, as told to us by RFC 4291.

However, before we start on what’s new and different, let’s look at what solicited-node multicast has in common with IPv4 and IPv6 constructs that we already know.

In this blog post, we looked at IPv6 link-local scope multicast addresses. One of the examples was FF02::A. This address is for all devices on a wire that want to “talk” EIGRP with one another.

Focusing specifically on FF02::A and how routers join it, we can see and say three things:

  • Local: FF02::A is local to the wire.
  • Join: Each device “joins” FF02::A by just “deciding to listen” to the IPv6 link-local scope multicast address FF02::A. Then, by extension, it listens to the corresponding MAC address for that multicast IPv6 address (33:33:00:00:00:0A).
  • Common interest: As we can see, these varying groups have something in common that they would all like to hear about. For FF02::A, the common interest — the “connection”