Arista-20 Years of Growth and Innovation
Today marks the 20th anniversary of Arista!
Over that time, our company has grown from nothing to #1 in Data Center Ethernet, a highly profitable $100+ billion S&P 500 company doing $6+ billion in annual revenue.
Public Videos: PCI DSS for Networking Engineers
Michele Chubirka (currently at Google) kindly allowed me to make her PCI DSS for Networking Engineers webinar public (available without registration or login).
The webinar covers an older version of PCI DSS (version 3.0; the current version is 4.0.1), but as fundamentals never change, you might still find it useful.
Global Protect Internal Host Detection & Internal Gateways – Lessons Learnt
I already had Palo Alto GlobalProtect VPN configured with an external gateway and portal, allowing me to connect back to my home network when I'm outside. Even when I'm inside my internal network, I can still connect to the VPN. However, I wanted to use the Internal Host Detection feature of GlobalProtect VPN, so that if I'm on my internal network and try to connect, it won't connect to the external gateway. Throughout the configurations, I learned a few lessons. Let’s dive in.
If you're completely new to GlobalProtect VPN, please check out my introductory blog post linked below.
Palo Alto Global Protect VPN Configuration Example
In this blog post, we will cover how to configure Palo Alto Global Protect VPN. We’ll go through setting up the portal, gateway, authentication profile, IP pools, split-tunnel, security policy, NAT policy and other necessary components.
Suresh Vina
Please note that this setup was tested on PAN-OS 10.2.9-h1 and the GlobalProtect macOS client version 6.2.4.
What is Internal Host Detection?
If you're already in your office or internal network, there's no need to connect to the VPN, what’s the point, right? This is especially relevant if you're using an Continue reading
Building a Simple HTTP Source for Firewall EDL
Recently, I wanted to add a list of domains to the Palo Alto DNS policy to block them from resolving. However, I soon realized that I couldn't just add a list of domains directly to the firewall, I needed to use an External Dynamic List (EDL). Palo Alto and I believe other firewalls as well, require a simple HTTP URL that hosts a list of domains or IP addresses. While there are amazing EDL projects available, in this blog post, we'll explore the simplest way to deploy an EDL.
Python HTTP Server
Python's HTTP server module lets you create a basic web server using just a single command. This server can serve files from a directory over the network, making it an excellent tool for quick testing and file sharing without the complexity of setting up a full-fledged web server.
All you need to do is create a list of domains, save it as a text file, and run python -m http.server 8085 from the directory where the file is saved. You can use any port, but remember that a lower number of ports like 80 require admin privileges. Once the server is running, navigate to http://IP_ADDRESS:8085/domains.txt in Continue reading
IPB162: IPv6 Basics: Address Provisioning
IPv6 address provisioning is the topic of this latest installment of the IPv6 Basics series. The hosts focus on Stateless Address Auto Configuration (SLAAC) and Dynamic Host Configuration Protocol for IPv6 (DHCPv6). The differences between SLAAC and DHCPv6 are explained, including their use cases, the complexities of address management, and the importance of understanding... Read more »The story of web framework Hono, from the creator of Hono
Hono is a fast, lightweight web framework that runs anywhere JavaScript does, built with Web Standards. Of course, it runs on Cloudflare Workers.
It was three years ago, in December 2021. At that time, I wanted to create applications for Cloudflare Workers, but the code became verbose without using a framework, and couldn't find a framework that suited my needs. Itty-router was very nice but too simple. Worktop and Sunder did the same things I wanted to do, but their APIs weren't quite to my liking. I was also interested in creating a router — a program that determines which action is executed based on the HTTP method and URL path of the Request — made of a Trie tree structure because it’s fast. So, I started building a web framework with a Trie tree-based router.
“While trying to create my applications, I ended up creating my framework for them.” — a classic example of yak shaving. However, Hono is now used by many developers, including Cloudflare, which uses Hono in core products. So, this journey into the depths of yak shaving was ultimately meaningful.
Hono truly runs anywhere — not just on Cloudflare Continue reading
Comparing IP and CLNP: Finding Adjacent Nodes
Now that we know a bit more about addresses in a networking stack (read the whole series) and why CLNP uses node addresses while TCP/IP uses interface addresses, let’s see how they solve common addressing problems like finding adjacent nodes.
Let’s start with the elephant in the room: how do you know whether you can reach a host you want to communicate with directly? In the following diagram, how does A know whether B is sitting next to it?
Adding ADCS Role to ISE Lab Domain Controller
This post describes how to install Active Directory Certificate Services (ADCS) onto a domain controller. It’s for labbing purposes which means I’m going to run this all on a single server instead of a more realistic setup with offline root, issuing CA, and possibly intermediate CA. Don’t use this post for anything designed to go into production!
To add the ADCS role. Go to Server Manager, click Add roles and features. Click Next until you get to Server Roles. Select Active Directory Certificate Series:
Click Add Features. Click Next. Click Next. Then a warning is displayed that it’s not possible to change the computer name or domain settings:
Click Next. Select Certification Authority and Certification Authority Web Enrollment:
Selecting Certification Authority Web Enrollment will install IIS and a small web site will be built to provide certificate services.
Click Add Features. Click Next. Click Next. Select Restart the destination server automatically if required:
Click Install. The installation starts:
When the installation has finished, click Close. Click AD CS in Server Manager. Click More… where it says Configuration required for Active Directory Certificate Services:
Click Configure Active Directory Certificate Services on the destination server:
Select an Continue reading
D2DO253: Breaking Into Tech: Job Hunting Realities for Recent Graduates
Job hunting is never easy and on today’s Day Two Cloud, Katrina Janeczko shares her journey from college to her current role at Comcast. Katrina discusses the challenges of job hunting, the relevance of her education, and the impact of AI tools on her learning process. She also talks about the importance of networking, mentorship,... Read more »HW038: From Coax to Fiber: Wi-Fi Evolution in Multiple Dwelling Units (MDUs)
Todd Thorpe is today’s guest on Heavy Wireless joining host Keith Parsons to explain the evolution of Wi-Fi technology in Multiple Dwelling Units (MDUs) like apartments and condos. Todd, with over 20 years of MDU experience, discusses the industry’s transformation from early coax cable services to modern managed Wi-Fi solutions. The challenges of retrofitting older... Read more »NAN076: Innovating Healthcare IT: Automating NetOps at RUSH University Medical Center (Sponsored)
Uzair Khan from RUSH University Medical Center is today’s guest on the Network Automation Nerds podcast. Uzair discusses the complexities of healthcare technology and the critical role of automation in enhancing operational efficiency and patient safety. He provides examples of how Itential’s automation and orchestration products have given his teams the tools they need to... Read more »MUST READ: Egress Peer Engineering
Dmytro Shypovalov wrote a great series of detailed posts on Egress Peer Engineering:
- Poor Man’s Traffic Engineering
- Egress Peer Engineering: Basics
- Egress Peer Engineering: Building Blocks
Have fun!
PP035: What IT Should Know About Securing Industrial Systems
Industrial Control Systems (ICS) and Operational Technology (OT) used to stand apart from traditional IT. But those worlds are converging, and IT pros, including infosec teams and network engineers, need to become familiar with the operational challenges and quirks of ICS/OT systems. On today’s Packet Protector, guest Mike Holcomb demystifies ICS and OT for IT... Read more »Meta and Arista Build AI at Scale
We are excited to share that Meta has deployed the Arista 7700R4 Distributed Etherlink Switch (DES) for its latest Ethernet-based AI cluster. It's useful to reflect on how we arrived at this point and the strength of the partnership with Meta.
Analysis of the EPYC 145% performance gain in Cloudflare Gen 12 servers
Cloudflare's network spans more than 330 cities in over 120 countries, serving over 60 million HTTP requests per second and 39 million DNS queries per second on average. These numbers will continue to grow, and at an accelerating pace, as will Cloudflare’s infrastructure to support them. While we can continue to scale out by deploying more servers, it is also paramount for us to develop and deploy more performant and more efficient servers.
At the heart of each server is the processor (central processing unit, or CPU). Even though many aspects of a server rack can be redesigned to improve the cost to serve a request, CPU remains the biggest lever, as it is typically the primary compute resource in a server, and the primary enabler of new technologies.
Cloudflare’s 12th Generation server with AMD EPYC 9684-X (codenamed Genoa-X) is 145% more performant and 63% more efficient. These are big numbers, but where do the performance gains come from? Cloudflare’s hardware system engineering team did a sensitivity analysis on three variants of 4th generation AMD EPYC processor to understand the contributing factors.
For the 4th generation AMD EPYC Processors, AMD offers three architectural variants:
mainstream classic Zen 4 cores, codenamed Continue reading
Meter sets the bar for Network-as-a-Service
TLDR; Keep your eye on Meter, a Network-as-a-Service company with a vision so far in the future that it seems nearly impossible, yet they are actively...
The post Meter sets the bar for Network-as-a-Service appeared first on /overlaid.
Protect against identity-based attacks by sharing Cloudflare user risk scores with Okta
Cloudflare One, our secure access service edge (SASE) platform, is introducing a new integration with Okta, the identity and access management (IAM) vendor, to share risk indicators in real-time and simplify how organizations can dynamically manage their security posture in response to changes across their environments.
For many organizations, it is becoming increasingly challenging and inefficient to adapt to risks across their growing attack surface. In particular, security teams struggle with multiple siloed tools that fail to share risk data effectively with each other, leading to excessive manual effort to extract signals from the noise. To address this complexity, Cloudflare launched risk posture management capabilities earlier this year to make it easier for organizations to accomplish three key jobs on one platform:
Evaluating risk posed by people by using first-party user entity and behavior analytics (UEBA) models
Exchanging risk telemetry with best-in-class security tools, and
Enforcing risk controls based on those dynamic first- and third-party risk scores.
Today’s announcement builds on these capabilities (particularly job #2) and our partnership with Okta by enabling organizations to share Cloudflare’s real-time user risk scores with Okta, which can then automatically enforce policies based on that user’s risk. In this way, organizations can adapt Continue reading