Migrating a Data Center Fabric to VXLAN
Darko Petrovic made an excellent remark on one of my LinkedIn posts:
The majority of the networks running now in the Enterprise are on traditional VLANs, and the migration paths are limited. Really limited. How will a business transition from traditional to whatever is next?
The only sane choice I found so far in the data center environment (and I know it has been embraced by many organizations facing that conundrum) is to build a parallel fabric (preferably when the organization is doing a server refresh) and connect the new fabric with the old one with a layer-3 link (in the ideal world) or an MLAG link bundle.
Debian Installation on Raspberry Pi
This guide demonstrates how to install Debian 12 (bookworm), also known as "bookworm," on a […]
The post Debian Installation on Raspberry Pi first appeared on Brezular's Blog.
Palo Alto Object and Policy Cleanup with pan-os-php
Hi all, welcome back to yet another Palo Alto Automation post. If you work with firewalls, you know that one of the most time-consuming tasks is decommissioning a single resource or an entire subnet from the firewall (aka removing all the references related to the resource). Let's imagine you have thousands of address objects and several hundred security policies. Now, suppose we decommissioned a server and our task is to remove any references we may have in the firewall. It could be an address object, a member in an address group, or a reference in a security policy. Removing this manually would take a lot of time, so in this blog post, let's look at a very simple way of cleaning this up using pan-os-php.
The Problem with the Manual Approach
Here is the problem with the manual approach. Let’s say we are trying to decommission the IP address 10.10.10.25. Let's say we have an address object created for this server, and it has been referenced in a few address groups and several security policies. If you try to remove the address object first, the firewall will complain because the object is being referenced elsewhere. So, you Continue reading
NB489: Shareholders Sue CrowdStrike; Intel to Fire 15,000 Employees
Take a Network Break! This week we discuss a proposed class action lawsuit against CrowdStrike, while Delta investigates options to seek damages from CrowdStrike and Microsoft. Microsoft Azure goes down after a DDoS defense error, campus switch sales are forecast to drop significantly in 2024, and DigiCert warns customers that an error it made will... Read more »Understanding-BGP-Route-Reflector-Mysteries
It’s been while I was away from tech blog writing , this week end I powered on my EVE-NG based lab running on Dell R820 Edge Server and explored some mysteries behind BGP Route Reflector. Please read through it on my Github (https://github.com/kashif-nawaz/Understanding-BGP-Route-Reflector-Mysteries)
Review: Gowin 1U 2x25G (Alder Lake – N305)
Introduction
Last month, I took a good look at the Gowin R86S based on Jasper Lake (N6005) CPU [ref], which is a really neat little 10G (and, if you fiddle with it a little bit, 25G!) router that runs off of USB-C power and can be rack mounted if you print a bracket. Check out my findings in this [article].
David from Gowin reached out and asked me if I was willing to also take a look their Alder Lake (N305) CPU, which comes in a 19” rack mountable chassis, running off of 110V/220V AC mains power, but also with 2x25G ConnectX-4 network card. Why not! For critical readers: David sent me this machine, but made no attempt to influence this article.
Hardware Specs
There are a few differences between this 19” model and the compact mini-pc R86S. The most obvious difference is the form factor. The R86S is super compact, not inherently rack mountable, although I 3D printed a bracket for it. Looking inside, the motherboard is mostly obscured bya large cooling block with fins that are flush with the top plate. There are 5 copper ports in the front: 2x Intel i226-V (these Continue reading
Global Protect Authentication Cookies and Prevent Multiple MFA Prompts
In this blog post, let's look at a common scenario where users face two MFA prompts when trying to connect to Global Protect VPN. Typically, this happens because MFA has been set up for both the portal and the gateway.
When a user connects to GP, the user first logs into the portal and completes the MFA, then, they automatically attempt to connect to the gateway, which triggers another prompt. We'll look at how to prevent two MFA prompts using authentication cookies, so the user only needs to complete the MFA once.
Global Protect Cookie Authentication
Cookie authentication simplifies the authentication process for users because they will no longer be required to log in to both the portal and the gateway in succession or complete multiple MFAs to authenticate to each. This improves the user experience by minimizing the number of times the users enter credentials.
To keep things simple, when a user logs into Global Protect, we can configure it to generate a 'cookie.' This cookie allows the user to re-authenticate automatically without having to re-enter their credentials or go through MFA again. It's similar to how web browsers remember your login details for websites; once Continue reading
Hacking Terraform
In a previous blog post, I talked about how Terraform's native capabilities don't fully cover comprehensive IP address management, which can make network configurations a bit tricky.
In this post, I’m going to dive into a practical approach for handling IP addresses in Terraform. I'll show you how to leverage an external data source and use a Python script to process IP address operations, then integrate the results back into Terraform.
Introduction to External Data Source
In Terraform, a data source allows you to retrieve information from external systems or services, which you can then use in your configurations. Unlike resources, which are used to manage the lifecycle of infrastructure components, data sources are read-only. They provide a way to fetch data that you might need when setting up or configuring your infrastructure. This is especially useful when you want to incorporate existing information without directly managing the components within your Terraform scripts.
A simple data source in Terraform looks like this:
data "external" "ip" {
id = "ip"
}Sample External Data Source
A lot of providers provide external data sources to interact with their systems and get configuration state. A data source in Terraform can range from a Continue reading
HN743: Leveraging AI for Network Automation at Scale (Sponsored)
AI is making its way into network automation. Maybe the thought of a hallucinating ChatGPT getting its six-fingered hands on your network makes you want to run the other way. But the story of AI for IT operations is more nuanced than the hot takes we get about the confidently dumb results that Large Language... Read more »The Hedge 237: What’s Wrong with Vendors?
Looking at changes in the market in the last ten years, it certainly seems like vendors work less toward innovation and more towards locking customers in to revenue streams. Chris Emerick, Dave Taht, and Russ White decided it’s time to talk about. What’s wrong with vendors? And since everything can’t be wrong with vendors, where are they doing the right thing?
download
A recent spate of Internet disruptions
Cloudflare Radar is constantly monitoring the Internet for widespread disruptions. In mid-July, we published our Q2 2024 Internet Disruption Summary, and here we examine several recent noteworthy disruptions detected in the first month of Q3, including traffic anomalies observed in Bangladesh, Syria, Pakistan, and Venezuela.
Bangladesh
Violent student protests in Bangladesh against quotas in government jobs and rising unemployment rates led the government to order the nationwide shutdown of mobile Internet connectivity on July 18, reportedly to “ensure the security of citizens.” This government-directed shutdown ultimately became a near-complete Internet outage for the country, as broadband networks were taken offline as well. At a country level, Internet traffic in Bangladesh dropped to near zero just before 21:00 local time (15:00 UTC). Announced IP address space from the country dropped to near zero at that time as well, meaning that nearly every network in the country was disconnected from the Internet.
However, ahead of this nationwide shutdown, we observed outages across several Bangladeshi network providers, perhaps foreshadowing what was to come. At AS24389 (Grameenphone), a complete Internet outage started at 01:30 local time on July 18 (19:30 UTC on July 17), with a total loss of both Internet Continue reading
A recent spate of Internet disruptions
Cloudflare Radar is constantly monitoring the Internet for widespread disruptions. In mid-July, we published our Q2 2024 Internet Disruption Summary, and here we examine recent several noteworthy disruptions detected in the first month of Q3, including traffic anomalies observed in Bangladesh, Syria, Pakistan, and Venezuela.
Bangladesh
Violent student protests in Bangladesh against quotas in government jobs and rising unemployment rates led the government to order the nationwide shutdown of mobile Internet connectivity on July 18, reportedly to “ensure the security of citizens.” This government-directed shutdown ultimately became a near-complete Internet outage for the country, as broadband networks were taken offline as well. At a country level, Internet traffic in Bangladesh dropped to near zero just before 21:00 local time (15:00 UTC). Announced IP address space from the country dropped to near zero at that time as well, meaning that nearly every network in the country was disconnected from the Internet.
However, ahead of this nationwide shutdown, we observed outages across several Bangladeshi network providers, perhaps foreshadowing what was to come. At AS24389 (Grameenphone), a complete Internet outage started at 01:30 local time on July 18 (19:30 UTC on July 17), with a total loss of both Internet Continue reading
Fat Pipe Transition Notification – August 2024
Hey, everyone. Ethan here with a behind-the-scenes administrative request. Several thousand of you subscribe to the Packet Pushers’ Fat Pipe. In the Fat Pipe, we’ve been stuffing every single podcast we produce. The problem is that we produce way too many shows–one almost every weekday–for the average podcast client to absorb them all. We can... Read more »Bytes from IETF 120 – A few Routing Topics
There was, as usual, a lot of work in the area of Inter-Domain Routing at IETF 120. There were a few routing-related topics that at IETF 120 that caught my attention.Bytes from IETF 120 – Deep Space IP
It has been an enduring fascination to see how we could use packet networking in the context of digital communications in space. Why can't we just use the IP protocol suite and declare success? The tricky issue with space is that it is really very big!Bytes from IETF 120 – DNS Topics
As usual, the recent IETF meeting contained a large set of topics related to the Domain Name Systems and its operation. Here's a quick rundown on some DNS topics that caught my eye.Bytes from IETF 120 – BBR 1,2,3
On the topic of TCP performance optimisation I’d like to dwell on one particular presentation from the ACM/IRTF Applied Networking Research Workshop held at IETF 120, "BBRv3 in the public Internet: a boon or a bane?"NAN069: Lessons On the Journey From NOC to Aerospace Networking
Today, Lexie Cooper shares her journey from a NOC environment to networking engineering in the aerospace industry. Along the way, the discussion makes stops at the importance of medium skills, and the role of humor and relatability in attracting and educating younger professionals in networking. Finally, Lexie relates her challenges when working on the New... Read more »Interesting: Crafting Endless AS Paths in BGP
Vincent Bernat documented a quirk I hope you’ll never see outside of a CCIE lab: combining BGP confederations with AS-override can generate endless AS paths.
I agree entirely with his conclusions (avoid both features). However, I still think that replacing an AS within the confederation part of an AS path (which should belong to a single well-managed AS) is not exactly the most brilliant idea I’ve seen.