N4N028: The Wide World of WANs
We wanted to do an episode on SD-WAN, but realized we needed to set the stage for how wide-area networking developed. That’s why today’s episode is a history lesson of the Wide Area Network (WAN). We talk about how WANs emerged, public and private WANs, how WANs connect to LANs and data centers, the care... Read more »Dear ArubaCX, VXLAN VNI Has 24 Bits
I thought I’ve seen it all, but the networking vendors (and their lack of testing) never cease to amaze me. Today’s special: ArubaCX software VXLAN implementation.
We decided it’s a good idea to rewrite the VXLAN integration tests to use one target device and one FRR container to test inter-vendor VXLAN interoperability. After all, what could possibly go wrong with a simple encapsulation format that could be described on a single page?
Everything worked fine (as expected), except for the ArubaCX VM (running release Virtual.10.15.1005, build ID AOS-CX:Virtual.10.15.1005:9d92f5caa6b6:202502181604), which failed every single test.
HW053: Ubiquiti in the Enterprise
Ubiquiti is known primarily for wireless equipment for residential and small business use, but it can be a player in the enterprise world. On today’s show, we talk with Darrell DeRosia, Sr. Director, Network & Infrastructure Services with the Memphis Grizzlies, about how he provides that connectivity for the FedExForum, home to the Memphis Grizzlies... Read more »D2DO273: Azure VNets Don’t Exist
Cloud networks aren’t like traditional data center networks, so applying a traditional network design to the cloud probably isn’t the best idea. On today’s Day Two Cloud, guest Aidan Finn guides us through significant differences between Microsoft Azure networking and on-prem data center networks. For instance, subnets don’t segment hosts, network security groups do; every... Read more »Worth Reading: Practical Advice for Engineers
Sean Goedecke published an interesting compilation of practical advice for engineers. Not surprisingly, they include things like “focus on fundamentals” and “spend your working time doing things that are valuable to the company and your career” (OMG, does that really have to be said?).
Bonus point: a link to an article by Patrick McKenzie (of the Bits About Money fame) explaining why you SHOULD NOT call yourself a programmer (there goes the everyone should be a programmer gospel 😜).
Understanding Shortest Path First
Link state protocols like OSPF and IS-IS use the Shortest Path First (SPF) algorithm developed by Edsger Dijkstra. Edsger was a Dutch computer scientist, programmer, software engineer, mathematician, and science essayist. He wanted to solve the problem of finding the shortest distance between two cities such as Rotterdam and Groningen. The solution came to him when sitting in a café and the rest is history. SPF is used in many applications, such as GPS, but also in routing protocols, which I’ll cover today.
To explain SPF, I’ll be working with the following topology:
Note that SPF only works with a weighted graph where we have positive weights. I’m using symmetrical costs, although you could have different costs in each direction. Before running SPF, we need to build our Link State Database (LSDB) and I’ll be using IS-IS in my lab for this purpose. Based on the topology above, we can build a table showing the cost between the nodes:
This triplet of information consists of originating node, neighbor node, and cost. It can also be represented as [R1, R2, 2], [R1, R3, 8], [R2, R1, 2], [R2, R3, 5], [R2, R4, 6], [R3, R1, 8], [R3, R2, 5], [R3, R4, Continue reading
BGP handling bug causes widespread internet routing instability
BGP handling bug causes widespread internet routing instability
At 7AM (UTC) on Wednesday May 20th 2025 a BGP message was propagated that triggered surprising (to many) behaviours with two major B
PP064: How Aviatrix Tackles Multi-Cloud Security Challenges (Sponsored)
Aviatrix is a cloud network security company that helps you secure connectivity to and among public and private clouds. On today’s Packet Protector, sponsored by Aviatrix, we get details on how Aviatrix works, and dive into a new feature called the Secure Network Supervisor Agent. This tool uses AI to help you monitor and troubleshoot... Read more »NB528: IP Fabric Adds Firewall Rule Simulation; Extreme Networks Debuts Agentic AI in Platform ONE
Take a Network Break! We begin with a Red Alert for critical vulnerabilities Kubernetes Gardener. Up next, a threat actor has been squatting on unused CNAME records to distribute malware and spam, and IP Fabric rolls out a new firewall rule simulation capability to let administrators test the effect of firewall rules on traffic patterns.... Read more »ChatGPT Strikes Again: IS-IS on Unnumbered Interfaces 🤦♂️
In the last few days, I decided to check out how much better ChatGPT has gotten in the last year or two. I tried to be positive and was rewarded with some surprisingly good results. I even figured out I can use it to summarize my blog posts using prompts like this one:
Using solely the information from blog.ipspace.net, what can you tell me about running ospf over unnumbered interfaces
And then I asked it about unnumbered interfaces and IS-IS, and it all went sideways:
Why we need a unified approach to Kubernetes environments
Today, organizations struggle managing disparate technologies for their Kubernetes networking and network security needs. Leveraging multiple technologies for networking and security for in-cluster, ingress, egress, and traffic across clusters creates challenges, including operational complexities and increased costs. For example, to manage ingress traffic for Kubernetes clusters, users cobble together multiple solutions from different providers such as ingress controllers or gateways and load balancers for routing traffic, as well as Web Application Firewalls (WAFs) for enhanced security.
Despite the challenges it brings, deploying disparate technologies has been a “necessary evil” for organizations to get all the capabilities needed for holistic Kubernetes networking. Here, we’ll explore challenges this proliferation of tooling introduces, and provide actionable tips for today’s platform and security teams to overcome these issues.
Challenges Managing Multiple Technologies
The fragmented approach to networking and network security in Kubernetes leads to challenges and inefficiencies, including:
- Operational overhead: Each technology comes with its own learning curve, setup, configuration, integration, and maintenance requirements. This leads to a challenging user experience.
- Increased costs: Licensing and operational costs accumulate as more tools are deployed.
- Scaling challenges: As clusters grow or spread across diverse environments, ensuring consistent and secure networking becomes harder.
- Security gaps: Disjointed solutions Continue reading
Repost: On the Advantages of XML
Continuing the discussion started by my Breaking APIs or Data Models Is a Cardinal Sin and Screen Scraping in 2025 blog posts, Dr. Tony Przygienda left another thoughtful comment worth reposting as a publicly visible blog post:
Having read your newest rant around my rant ;-} I can attest that you hit the nail on the very head in basically all you say:
- XML output big? yeah.
- JSON squishy syntax? yeah.
- SSH prioritization? You didn’t live it until you had a customer where a runaway python script generated 800+ XML netconf sessions pumping data ;-)
What is an EVPN Type 5 Route for (EVPN/VXLAN)
For EVPN/VXLAN, Type 5 routes are used for two purposes: Internally and Externally
Internally it’s used to communicate which VTEPs have a given subnet instantiated on it.
Here’s an example of the output of the command show ip bgp route-type ip-prefix ipv4 on an Arista cEOS spine running EVPN/VXLAN.
It’s showing you that 10.1.10.0/24 (VLAN 10/VNI 10010) is only available on leaf1 and leaf2 (10.1.255.1-2) and 10.1.20.0/24 (VLAN 20/VNI 10020) is only available on leaf3 and leaf4 (10.1.255.3-4). It’s eBGP so each leaf has its own ASN (you see in the path field). The next hop shows the VTEP IP (10.1.254.1-4). I checked on the spine as the spine receives all the EVPN routes from the leafs and propagates them as a route server. The spines don’t install any of these routes, they just propagates them.
Network Next Hop Metric LocPref Weight Path
* > RD: 10.1.255.1:10000 ip-prefix 10.1.10.0/24
10.1.254.1 - 100 0 65101 i
* > RD: 10.1.255.2:10000 ip-prefix 10.1.10.0/24
10.1.254.2 - 100 0 65102 i
Continue reading
Packet Classification for High Speed Packet Processing
“We are drowning in information but starved for knowledge.” - John NaisbittHN782: Netris Meets Your Network Automation Challenges in AI Data Centers (Sponsored)
Netris is tackling the issue of automating multi-tenancy in an AI data center. Netris has your answer to this challenge, and it’s a solution certified to work with NVIDIA. We’re going to get into the nuts and bolts of Netris network automation with Alex Saroyan, CEO and co-founder of Netris. Along the way, we will... Read more »TNO030: The Backbone of AI: Data Center Ops in the Age of Explosive Growth (Sponsored)
Data Center construction has reached an incredible pace over the last few years with implications on NetOps and operations of all kinds. Today we with talk with sponsor Siemon regarding the state of data centers, past, present and future. We explore legacy data centers and how they are evolving to work in today’s environments. We... Read more »Cloudflare named in 2025 Gartner® Magic Quadrant™ for Security Service Edge
For the third consecutive year, Gartner has named Cloudflare in the Gartner® Magic Quadrant™ for Security Service Edge (SSE) report. This analyst evaluation helps security and network leaders make informed choices about their long-term partners in digital transformation. We are excited to share that Cloudflare is one of only nine vendors recognized in this year’s report. You can read more about our position in the report here.
What’s more exciting is that we’re just getting started. Since 2018, starting with our Zero Trust Network Access (ZTNA) service Cloudflare Access, we’ve continued to push the boundaries of how quickly we can build and deliver a mature SSE platform. In that time, we’ve released multiple products each year, delivering hundreds of features across our platform. That’s not possible without our customers. Today, tens of thousands of customers have chosen to connect and protect their people, devices, applications, networks, and data with Cloudflare. They tell us our platform is faster and easier to deploy and provides a more consistent and reliable user experience, all on a more agile architecture for longer term modernization. We’ve made a commitment to those customers to continue to deliver innovative solutions with the velocity and resilience Continue reading
Video: netlab Introduction by Ethan Banks
Ethan Banks created an excellent introductory Netlab - Automate Your Network Labs With YAML! video showing how easy it is to start and configure a container- or VM-based lab, and explaining the basic netlab commands you need to get started.
Thanks a million!
P.S.: If you’ve done something similar and I haven’t noticed it, please send me the link.