Dynamic MAC Learning: Hardware or CPU Activity?

An ipSpace.net subscriber sent me a question along the lines of “does it matter that EVPN uses BGP to implement dynamic MAC learning whereas in traditional switching that’s done in hardware?” Before going into those details, I wanted to establish the baseline: is dynamic MAC learning really implemented in hardware?

Hardware-based switching solutions usually use a hash table to implement MAC address lookups. The above question should thus be rephrased as is it possible to update the MAC hash table in hardware without punting the packet to the CPU? One would expect high-end (expensive) hardware to be able do it, while low-cost hardware would depend on the CPU. It turns out the reality is way more complex than that.

Artificial intelligence helps solve networking problems

With the public release of ChatGPT and Microsoft’s $10-billion investment into OpenAI, artificial intelligence (AI) is quickly gaining mainstream acceptance. For enterprise networking professionals, this means there is a very real possibility that AI traffic will affect their networks in major ways, both positive and negative.As AI becomes a core feature in mission-critical software, how should network teams and networking professionals adjust to stay ahead of the trend?Andrew Coward, GM of Software Defined Networking at IBM, argues that the enterprise has already lost control of its networks. The shift to the cloud has left the traditional enterprise network stranded, and AI and automation are required if enterprises hope to regain control.To read this article in full, please click here

Building your personal Linux cheat sheets

Linux man pages can be overwhelming to people who are just learning how to work on the command line, but here we'll look at a way to quickly prepare a cheat sheet for a series of commands. These cheat sheets will tell new Linux users enough to get started and know what man page to read when they want to know more.To get started, we’ll take a look at series of commands that any Linux newbie would need to learn:alias cmp export less tail whereis apropos comm grep more tar who cat dd head passwd top whoami chmod df kill pwd unzip zip chown diff killall sort whatis Next, we use a series of commands that will provide short descriptions of these commands. These are help -d, whatis, and a man command that selects only the command description from the man pages.To read this article in full, please click here

Building your personal Linux cheat sheets

Linux man pages can be overwhelming to people who are just learning how to work on the command line, but here we'll look at a way to quickly prepare a cheat sheet for a series of commands. These cheat sheets will tell new Linux users enough to get started and know what man page to read when they want to know more.To get started, we’ll take a look at series of commands that any Linux newbie would need to learn:alias cmp export less tail whereis apropos comm grep more tar who cat dd head passwd top whoami chmod df kill pwd unzip zip chown diff killall sort whatis Next, we use a series of commands that will provide short descriptions of these commands. These are help -d, whatis, and a man command that selects only the command description from the man pages.To read this article in full, please click here

An Economic Perspective on Internet Centrality

IDC: Add used IT gear to the mix to stretch budgets, support sustainability

Reducing e-waste and extending the useful life of IT gear are top recycling drivers, according to an IDC survey.The most commonly cited motivation was to reduce e-waste, with more than half those surveyed in Latin America, Western Europe, and Asia-Pacific, citing it, and with US respondents falling just shy of 50%. The IDC Spotlight survey results of 540 respondents was conducted in February 2023 and written by IDC Research Vice President, Flexible Consumption and Financing Strategies for IT Infrastructure.To read this article in full, please click here

Kubernetes Security And Networking 4: Helpful Tips To Secure The API Server – Video

In the previous video, Michael Levan walked through some security essentials for protecting worker nodes in a Kubernetes cluster. In this video he focuses on essential protections for the API server. He looks at security benchmarks from CIS, using Kubescape for security scanning, and how to integrate the two. Michael Levan hosts the “Kubernetes Unpacked” […]

The post Kubernetes Security And Networking 4: Helpful Tips To Secure The API Server – Video appeared first on Packet Pushers.

Network Break 420: Cisco, HPE Buy Security Startups; Can We Finally Hold Vendors Responsible For Software Defects?

Take a Network Break! We begin with some FU on what constitutes on-prem and off-prem, and then dive into news. Cisco and T-Mobile are partnering on 5G gateways, Cisco Webex is getting installed as a feature(?) in Mercedes E-Class cars, and Cisco is buying multi-cloud security startup Valtix. Valtix offers firewalling, IPS, a cloud Web […]

The post Network Break 420: Cisco, HPE Buy Security Startups; Can We Finally Hold Vendors Responsible For Software Defects? appeared first on Packet Pushers.

Network Break 420: Cisco, HPE Buy Security Startups; Can We Finally Hold Vendors Responsible For Software Defects?

Royal Caribbean adopts Zero Trust on land and sea

The name Royal Caribbean conjures up images of luxury cruise ships, top-notch entertainment, fine dining, sandy beaches, breathtaking sunsets, tall tropical beverages.“Our mission is to create fabulous vacations with great experiences and great memories for our crew and our guests,” says John Maya, vice president of operational excellence at Miami-based Royal Caribbean Group.Beyond the glitz and glamour, however, Royal Caribbean has the same internal systems as any company in the travel/hospitality industry – corporate offices, sales, marketing, reservations, call centers, baggage handling, etc.Maya describes his IT infrastructure as hybrid cloud, with some resources hosted on Amazon AWS and Microsoft Azure, but also some core systems, such as the mission critical reservations application, running on an IBM AS-400 server in an Equinix data center in Virginia.To read this article in full, please click here

Royal Caribbean adopts Zero Trust on land and sea

The name Royal Caribbean conjures up images of luxury cruise ships, top-notch entertainment, fine dining, sandy beaches, breathtaking sunsets, tall tropical beverages.“Our mission is to create fabulous vacations with great experiences and great memories for our crew and our guests,” says John Maya, vice president of operational excellence at Miami-based Royal Caribbean Group.Beyond the glitz and glamour, however, Royal Caribbean has the same internal systems as any company in the travel/hospitality industry – corporate offices, sales, marketing, reservations, call centers, baggage handling, etc.Maya describes his IT infrastructure as hybrid cloud, with some resources hosted on Amazon AWS and Microsoft Azure, but also some core systems, such as the mission critical reservations application, running on an IBM AS-400 server in an Equinix data center in Virginia.To read this article in full, please click here

Five Things You Need for Today’s Network Monitoring

By extending into environments such as the cloud, SD-WAN, and applications, today's network monitoring platforms are turning into powerful solution that can improve the overall operations IT environment. Let's drill down into the top five needs for networking monitoring.

The post Five Things You Need for Today’s Network Monitoring appeared first on Packet Pushers.

What is Multicloud?

An organization takes a multicloud approach when it uses cloud services from more than one provider. That might seem obvious from the name—it's multiple clouds, after all—but the reasons for choosing a multicloud approach can be as varied as the cloud platforms themselves.Because "cloud" has become such a broad and all-encompassing category, a multicloud environment might include, say, Microsoft 365 SaaS for productivity apps, Google Drive for storage, and Amazon AWS for compute services.On the other hand, organizations might have a reason to turn to multiple cloud providers for the same function or purpose. And public cloud services are so cheap and easy to get started with that large organizations (or organizations that don't have tight centralized control over IT) might find themselves in a multicloud situation without ever intending to.To read this article in full, please click here

DDoS detection and remediation with Akvorado and Flowspec

Akvorado collects sFlow and IPFIX flows, stores them in a ClickHouse database, and presents them in a web console. Although it lacks built-in DDoS detection, it’s possible to create one by crafting custom ClickHouse queries.

DDoS detection​

Let’s assume we want to detect DDoS targeting our customers. As an example, we consider a DDoS attack as a collection of flows over one minute targeting a single customer IP address, from a single source port and matching one of these conditions:

• an average bandwidth of 1 Gbps,
• an average bandwidth of 200 Mbps when the protocol is UDP,
• more than 20 source IP addresses and an average bandwidth of 100 Mbps, or
• more than 10 source countries and an average bandwidth of 100 Mbps.

Here is the SQL query to detect such attacks over the last 5 minutes:

SELECT *
FROM (
  SELECT
    toStartOfMinute(TimeReceived) AS TimeReceived,
    DstAddr,
    SrcPort,
    dictGetOrDefault('protocols', 'name', Proto, '???') AS Proto,
    SUM(((((Bytes * SamplingRate) * 8) / 1000) / 1000) / 1000) / 60 AS Gbps,
    uniq(SrcAddr) AS sources,
    uniq Continue reading

netlab: Change Stub Networks into Loopbacks

One of the least-documented limitations of virtual networking labs is the number of network interfaces a virtual machine could have. vSphere supports up to 10 interfaces per VM, the default setting for vagrant-libvirt is eight, and I couldn’t find the exact numbers for KVM. Many vendors claim their KVM limit is around 25; I was able to bring up a Nexus 9300v device with 40 adapters.

Anyway, a dozen interfaces should be good enough if you’re building a proof-of-concept fabric, but it might get a bit tight if you want to emulate plenty of edge subnets.

netlab: Change Stub Networks into Loopbacks

One of the least-documented limitations of virtual networking labs is the number of network interfaces a virtual machine could have. vSphere supports up to 10 interfaces per VM, the default setting for vagrant-libvirt is eight, and I couldn’t find the exact numbers for KVM. Many vendors claim their KVM limit is around 25; I was able to bring up a Nexus 9300v device with 40 adapters.

Anyway, a dozen interfaces should be good enough if you’re building a proof-of-concept fabric, but it might get a bit tight if you want to emulate plenty of edge subnets.

Why Application Security is Critical to Network Security

Controversial Reads 030423

Privacy campaigners say such systems could be used as tools of oppression. In Moscow, Vyborov and countless others now face that oppression on a daily basis.

The general problem statement for technological standards is how to avoid the power imbalance of a single source for essential goods and services; in other words, standards are a line of defense against concentration risk. Interoperability is the goal, and multiple suppliers is the proof.

In this episode, they focus particularly on how social media has become a place where predators will search and highlight childrenâ€s vulnerabilities — which so many young people share online.

Tech policy, however, has its own set of “culture war issues” including net neutrality and encryption that largely serve as a distraction from the real issues at stake. Victims of child porn are now caught in the fray.

A major escalation in official online censorship regimes is progressing rapidly in Brazil, with implications for everyone in the democratic world. Under Brazil’s new government headed by President Lula da Silva, the country is poised to become the first in the democratic world to implement a law censoring and banning “fake news and disinformation” online, and then punishing those deemed Continue reading

Gravity Model

Motivation

I recently read Google’s latest sigcomm paper: Jupiter Evolving on their Datacenter fabric evolution. It is an excellent paper with tons of good information, and the depth and width show what an engineering thought process should look like. The central theme talks about the challenges faced with deploying and scaling Clos fabrics and how they have evolved by replacing the spine layer with OCS that allows the blocks to be directly connected, calling it Direct connect topology.

If you look closely, the Direct Connect topology resembles Dragonfly+, where you have directly connected blocks.

The paper has many interesting topics, including Traffic and Topology Engineering and Traffic aware routing. One of the most exciting parts to me, which will be understandably missing, is the formulation of Traffic engineering problems as Optimization problems. I would love to see some pseudo-real-world code examples made publicly available.

However, one thing that surprised me the most was from a Traffic characteristics perspective, a Gravity model best described Google’s Inter-Block traffic. When I studied Gravity Model, I thought this was such a simplistic model that I would never see that in real life, but it turns out I was wrong, and it still has practical Continue reading

Datacenter System Makers Leary But Not Weary

The central banks of the world, led by the European Central Bank and the US Federal Reserve, want to curb inflation and they are willing to cause a small recession or at least get very close to one to shock us all into controlling the acquisitive habits we developed during the lockdowns of the early years of the coronavirus pandemic. …

Datacenter System Makers Leary But Not Weary was written by Timothy Prickett Morgan at The Next Platform.