Calico at KubeCon + CloudNativeCon NA 2022
Tigera is back at KubeCon + CloudNativeCon NA 2022! We’re excited to be back in person and meet new and familiar faces—and we have a lot of exciting Calico updates to share with you.
KubeCon + CloudNativeCon is action-packed as usual, kicking off the week with co-located events. We will be onsite at two co-located events: eBPF Day and Cloud Native SecurityCon. At the main event, KubeCon + CloudNativeCon, we will have a booth that you can visit for cool swag and deep dives with our experts. We will also be teaming up with AWS to bring you a fun party that you won’t want to miss!
Interested in attending? Curious about the party? Want to win some prizes? Read this blog post to find out what we have in store for KubeCon + CloudNativeCon NA 2022.
eBPF Day – October 24
eBPF Day is a vendor-neutral conference that explores the transformational technology that is eBPF, and its impact on the future of cloud native. This event is co-located with KubeCon + CloudNativeCon.
As a speaker at the event, our resident eBPF expert, Tomas Hruby, will demonstrate how to inspect and troubleshoot the eBPF mode of Calico Open Source during Continue reading
Network Break 402: Ex Uber Exec Guilty Of Breach Coverup; Startup Promotes Decentralized Cellular Networks
This week's Network Break podcast discusses new security capabilities from Aryaka, a Cisco/Microsoft partnership, the guilty verdict for Uber's former CSO, a startup tackling decentralized cell networks, and more tech news.Network Break 402: Ex Uber Exec Guilty Of Breach Coverup; Startup Promotes Decentralized Cellular Networks
This week's Network Break podcast discusses new security capabilities from Aryaka, a Cisco/Microsoft partnership, the guilty verdict for Uber's former CSO, a startup tackling decentralized cell networks, and more tech news.
The post Network Break 402: Ex Uber Exec Guilty Of Breach Coverup; Startup Promotes Decentralized Cellular Networks appeared first on Packet Pushers.
The Network Utility
With network-as-a-service, IT can concentrate on defining policy, not building the network.Direct Connect — Part 1
< MEDIUM: https://raaki-88.medium.com/direct-connect-part-1-dc3e9369933 >
AWS Advanced Networking Prep and General focus
Notion — https://meteor-honeycup-16b.notion.site/Direct-Connect-a61557d18e784e778b4500197168454c
What is the Direct Connect product trying to solve?
We have seen IPSEC Site-to-Site VPN, a nice extension to that is Direct Connect offering. In IPSEC VPN, we connected to AWS VPC securely over the internet, in Direct Connect we have a cable termination onto our Data Center premises which directly connects to AWS Infrastructure and no internet service providers are needed for this to happen.
Advantages:
- Bypasses Internet and thereby secure
- Low Latency to AWS services
- Consistent Performance with up to speeds of 1/10/100 and support for jumbo frames > 9k
What are my building blocks?
- We basically start with a Connection, pretty much self-explanatory
- A Connection has the below requirements
Ref: https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html
Functional Building Block?
Ref:https://docs.aws.amazon.com/directconnect/latest/UserGuide/WorkingWithVirtualInterfaces.html
So, once we have a connection setup, everything revolves around VIF — Virtual Interface.
Direct Connect can be divided into two parts
a. Public VIF — we are speaking about public IP addresses routable on the internet.
- Enables access to Amazon public service Continue reading
AWS Advanced Networking — IPSEC Vpn with BGP (FRR and Docker)
< MEDIUM: https://raaki-88.medium.com/aws-advanced-networking-ipsec-vpn-with-bgp-frr-and-docker-ae29a3ec6d85 >
The previous post covered IPSEC Vpn implementation with Static Routing and also had some points about IPSEC Vpn Implementation, this post aims at building IPSEC Vpn with Dynamic routing offered by VGW which is BGP.
Article on FRR, Docker — https://towardsaws.com/configuring-bgp-and-open-source-frr-docker-on-aws-advanced-networking-d21fd0d76b33
We will re-use the same concept and will start a BGP route exchange over IPSEC VPN.
https://meteor-honeycup-16b.notion.site/Site-2-Site-VPN-BGP-FRR-Docker-d818267a1041401481554e6f30764dfb — Notes and Topology
Lab Video — https://youtu.be/PmLkHRAMfMU
Few points to note:
- BGP ASN support is both for 2-byte and 4-byte
- ASN Range is from 64512–65534
- BGP Peering will happen over Tunnel endpoints with address 169.254.x.y/z which amazon usually initiates by default
- If you are extending the strong-swan use case, you need to have a configuration reference for the static tunnel as there is no dynamic configuration generated for Strong-swan/Open-swan use case
- In static and dynamic routings, VGW Route propagation needs to be done.
- I have observed that left-subnet and right-subnet should be 0/0 in AWS for communicating BGP-TCP messages for session establishment.
- This needs to be tested further and there is no BGP authentication that the user can define, as the user won’t have any control Continue reading
IPSEC VPN Site-to-Site — How to and notes for Advanced Networking Certification
https://meteor-honeycup-16b.notion.site/Site-to-Site-VPN-144441a6ac0b4e39a514adc67a8348d5 — This will be updated frequently and has the entire notes on the topics
Lab / Part 1— https://meteor-honeycup-16b.notion.site/Part-1-Building-Customer-VPN-Server-and-a-Client-688eed381f2849dfbe02f5eed740a573
Part 1 — https://youtu.be/h8zFEkVXV24
Lab / Part 2 — https://meteor-honeycup-16b.notion.site/Part-2-Setting-up-VGW-on-AWS-9055cd53a0174f51bd064bb2e3c1f3ac
Part 2 — https://youtu.be/PxJ04myIGJs
Lab / Part 3. — https://meteor-honeycup-16b.notion.site/Part-3-Configuring-Routing-and-verifying-Connectivity-0f2d03eae3474bb897a0f897c927786a
Part 3 — https://youtu.be/mf-Qymz-_Hg
Intro
- VPN — Virtual Private Network, often used to communicate securely over untrusted networks like the internet.
- IPSEC is the protocol which is used for securing the data. Some other tunnelling protocols and frameworks are GRE, DMVPN, Wireguard etc
- Two types of VPNs — Site-to-Site other is Client-to-site /Remote Access VPN, this lab will be a site-to-site VPN.
- Site-to-Site, as the name suggests usually connects two sites and a Site is typically referred to as a group of devices in a Data-Center. Site-to-Site will enable two sites separated from the internet to communicate privately and securely over the internet.
Site-to-Site
- Think along the lines of two boundary devices which encrypt and decrypt LAN traffic
- Design Redundancy and Scalability along these lines for these two end-points
- It is important to note that you can have VPN to access any services within Continue reading
Cumulus Linux NVUE: an Incomplete Data Model
A few weeks ago I described how Cumulus Linux tried to put lipstick on a pig reduce the Linux data plane configuration pains with Network Command Line Utility. NCLU is a thin shim that takes CLI arguments, translates them into FRR or ifupdown configuration syntax, and updates the configuration files (similar to what Ansible is doing with something_config modules).
Obviously that wasn’t good enough. Cumulus Linux 4.4 introduced NVIDIA User Experience1 – a full-blown configuration engine with its own data model and REST API2.
Troubleshooting VXLAN MTU issues with SR Linux
Giving your network engineers a fighting chance with the industry’s most truly open NOS
A recent blog reminds us that VXLAN overlay networks can be tricky to troubleshoot, as a typical encapsulation header adds 50 bytes per packet and RFC7348 simply assumes that the network is configured to support such larger payloads. And unlike most other IP packets, typical VTEPs will simply discard frames that are too large — without informing the sender.
Tailored troubleshooting commands in Linux
A common VXLAN underlay network is an IP fabric with IPv4 VTEPs at the leaves, using multiple spines with ECMP for redundancy and capacity. In Netlab such a topology might look like this:
netlab up -d srlinux -p clab vxlan-bridging-leaf-spine.yml
To troubleshoot suspected MTU issues in this context — say when a ping from h1 to h2 fails — one would verify the MTU on all paths between the VXLAN VTEPs l1/l2, i.e. l1->s1->l2 and l1->s2->l2. To simplify this task on SR Linux, we can add a custom /tools command for traceroute:
/tools vxlan-traceroute mac-vrf vlan1000
As can be seen from the above screenshot, this custom vxlan-traceroute command takes a Continue reading
Why Do We Accept Bad Wireless Clients?
We recorded a fun roundtable discussion last week during Mobility Field Day that talked about the challenges that wireless architects face in their daily lives. It’s about an hour but it’s packed with great discussions about hard things we deal with:
One of the surprises for me is that all the conversations came back to how terrible wireless clients can be. The discussion kept coming back to how hard it is to find quality clients and how we adjust our expectations for the bad ones.
Driven to Madness
Did you know that 70% of Windows crashes are caused by third-party drivers? That’s Microsoft’s own research saying it. That doesn’t mean that Windows is any better or more stable with their OS design compared to Linux or MacOS. However, I’ve fiddled with drivers on Linux and I can tell you how horrible that experience can be1. Windows is quite tolerant of hardware that wouldn’t work anywhere else. As long as the manufacturer provides a driver you’re going to get something that works most of the time.
Apply that logic to a wireless networking card. You can buy just about anything and install it on your system and it will mostly Continue reading
Data Storage IT Careers Evolve with the Cloud
Here’s what data storage pros need to know in a hybrid cloud environment and why a business perspective is more important than ever.Assembly within! BPF tail calls on x86 and ARM
Early on when we learn to program, we get introduced to the concept of recursion. And that it is handy for computing, among other things, sequences defined in terms of recurrences. Such as the famous Fibonnaci numbers - Fn = Fn-1 + Fn-2.
Later on, perhaps when diving into multithreaded programming, we come to terms with the fact that the stack space for call frames is finite. And that there is an “okay” way and a “cool” way to calculate the Fibonacci numbers using recursion:
// fib_okay.c
#include <stdint.h>
uint64_t fib(uint64_t n)
{
if (n == 0 || n == 1)
return 1;
return fib(n - 1) + fib(n - 2);
}
Listing 1. An okay Fibonacci number generator implementation
// fib_cool.c
#include <stdint.h>
static uint64_t fib_tail(uint64_t n, uint64_t a, uint64_t b)
{
if (n == 0)
return a;
if (n == 1)
return b;
return fib_tail(n - 1, b, a + b);
}
uint64_t fib(uint64_t n)
{
return fib_tail(n, 1, 1);
}
Listing 2. A better version of the same
If we take a look at the machine code the compiler produces, the “cool” variant translates to a nice and tight sequence of instructions:
netlab Release 1.3.2: Mikrotik RouterOS 7, Additional EVPN Platforms
The star of the netlab release 1.3.2 is Mikrotik RouterOS version 7. Stefano Sasso did a fantastic job adding support for VLANs, VRFs, OSPFv2, OSPFv3, BGP, MPLS, and MPLS/VPN, plus the libvirt box-building recipe.
Jeroen van Bemmel contributed another major PR1 adding VLANs, VRFs, VXLAN, EVPN, and OSPFv3 to Nokia SR OS.
Other platform improvements include:
Juniper CN2 DPDK vRouter Bringup
How to bring Juniper Cloud Native CN2 DPDK vRouter
https://github.com/kashif-nawaz/Juniper-CN2-DPDK-vRouter-Bringup