VXLAN: BGP EVPN with Cumulus Quagga
VXLAN is an overlay network to encapsulate Ethernet traffic over an existing (highly available and scalable, possibly the Internet) IP network while accomodating a very large number of tenants. It is defined in RFC 7348. For an uncut introduction on its use with Linux, have a look at my “VXLAN & Linux” post.
In the above example, we have hypervisors hosting a virtual machines from different tenants. Each virtual machine is given access to a tenant-specific virtual Ethernet segment. Users are expecting classic Ethernet segments: no MAC restrictions1, total control over the IP addressing scheme they use and availability of multicast.
In a large VXLAN deployment, two aspects need attention:
- discovery of other endpoints (VTEPs) sharing the same VXLAN segments, and
- avoidance of BUM frames (broadcast, unknown unicast and multicast) as they have to be forwarded to all VTEPs.
A typical solution for the first point is using multicast. For the second point, this is source-address learning.
Introduction to BGP EVPN
BGP EVPN (RFC 7432 and draft-ietf-bess-evpn-overlay for its application with VXLAN Continue reading
VXLAN & Linux
VXLAN is an overlay network to carry Ethernet traffic over an existing (highly available and scalable) IP network while accommodating a very large number of tenants. It is defined in RFC 7348.
Starting from Linux 3.12, the VXLAN implementation is quite complete as both multicast and unicast are supported as well as IPv6 and IPv4. Let’s explore the various methods to configure it.
To illustrate our examples, we use the following setup:
- an underlay IP network (highly available and scalable, possibly the Internet),
- three Linux bridges acting as VXLAN tunnel endpoints (VTEP),
- four servers believing they share a common Ethernet segment.
A VXLAN tunnel extends the individual Ethernet segments accross the
three bridges, providing a unique (virtual) Ethernet segment. From one
host (e.g. H1), we can reach directly all the other hosts in the
virtual segment:
$ ping -c10 -w1 -t1 ff02::1%eth0 PING ff02::1%eth0(ff02::1%eth0) 56 data bytes 64 bytes from fe80::5254:33ff:fe00:8%eth0: icmp_seq=1 ttl=64 time=0.016 ms 64 bytes from fe80::5254:33ff:fe00:b%eth0: icmp_seq=1 ttl=64 time=4.98 ms (DUP!) 64 bytes from fe80::5254:33ff:fe00:9%eth0: icmp_seq=1 ttl=64 time=4.99 ms (DUP!) 64 bytes from fe80::5254:33ff:fe00:a%eth0: icmp_seq=1 ttl=64 time=4.99 ms (DUP!) --- ff02::1%eth0 ping statistics --- 1 packets transmitted, 1 received, +3 duplicates, Continue reading
Full Stack Journey 005: Patrick Kelso
Episode #5 of the Full Stack Journey Podcast features Patrick Kelso, an independent consultant who works in the UNIX/virtualization/cloud space.
Full Stack Journey 005: Patrick Kelso
Episode #5 of the Full Stack Journey Podcast features Patrick Kelso, an independent consultant who works in the UNIX/virtualization/cloud space.
The post Full Stack Journey 005: Patrick Kelso appeared first on Packet Pushers.
Introducing the new Cloudflare Community Forum
Cloudflare’s community of users is vast. With more than 6 million domains registered, our users come in all shapes and sizes and are located all over the world. They can also frequently be found hanging out all around the web, from social media platforms, to Q&A sites, to any number of personal interest forums. Cloudflare users have questions to ask and an awful lot of expertise to share.
It’s with that in mind that we wanted to give Cloudflare users a more centralized location to gather, and to discuss all things Cloudflare. So we have launched a new Cloudflare Community at community.cloudflare.com.
Who is this community for?
It's for anyone and everyone who uses Cloudflare. Whether you are adding your first domain and don’t know what a name server is, or you are managing 1,000s of domains via API, or you are somewhere in between. In the Cloudflare Community you will be able to find tips, tricks, troubleshooting guidance, and recommendations.
We also think this will be a great way to get feedback from users on what’s working for them, what isn’t, and ways that we can make Cloudflare better. There will even be opportunities to Continue reading
Value Constrains Us. At Least, It Should.
A friend of mine asked me, “How do you manage the billions of chat messages, chat apps, social media, etc.? I’m becoming so inefficient it isn’t funny.”
TL;DR
The short answer is that I don’t manage them. I mostly ignore them. I don’t view most of these apps, especially social media, as something to be kept up with. I declared permanent amnesty (some would say bankruptcy) some time ago. I have a different viewpoint on these tools than I once did.
See also the post I wrote on Cal Newport’s book, Deep Work in May 2016.
I limit active participation.
I only take part in a few services, and I’m not consistently active on any of them. Despite however many followers I might have on a given platform, the world doesn’t care what I have to say on those services so much that my contributions especially matter. Therefore, stepping back isn’t harming anyone, nor is it disappointing someone that I’m not saying something or participating in every conversation that I might. No one notices.
Conversely, I don’t pay attention to everything everyone else is saying on all the platforms where things are being said. The Internet allows everyone to talk Continue reading
9 reasons why the death of the security appliance is inevitable
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.
Organizations are used to appliances being the workhorse of their protection needs. There are appliances for everything from firewalls, to Intrusion Detection Systems, Web Security Gateways, Email Security Gateways, Web Application Firewalls, and Advanced Threat Protection.
But as crucial as security appliances are today, they are eventually going to die out as they get increasingly less effective, requiring detection to be pushed to the machines that need protection. Here are the nine reasons why:
To read this article in full or to leave a comment, please click here
9 reasons why the death of the security appliance is inevitable
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.
Organizations are used to appliances being the workhorse of their protection needs. There are appliances for everything from firewalls, to Intrusion Detection Systems, Web Security Gateways, Email Security Gateways, Web Application Firewalls, and Advanced Threat Protection.
But as crucial as security appliances are today, they are eventually going to die out as they get increasingly less effective, requiring detection to be pushed to the machines that need protection. Here are the nine reasons why:
To read this article in full or to leave a comment, please click here
9 reasons why the death of the security appliance is inevitable
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.
Organizations are used to appliances being the workhorse of their protection needs. There are appliances for everything from firewalls, to Intrusion Detection Systems, Web Security Gateways, Email Security Gateways, Web Application Firewalls, and Advanced Threat Protection.
But as crucial as security appliances are today, they are eventually going to die out as they get increasingly less effective, requiring detection to be pushed to the machines that need protection. Here are the nine reasons why:
Worth Reading: A trillion edge graph on a single node
The post Worth Reading: A trillion edge graph on a single node appeared first on rule 11 reader.