Ensuring Resilient Connectivity During the Holiday Rush
As you prepare for the holiday rush, here are a few ways to improve your resilience, mitigate the impact of potential outages, and ensure customers have optimal e-retail experiences.netlab: IRB with Anycast Gateways
netlab release 1.4 added support for static anycast gateways and VRRP. Today we’ll use that functionality to add anycast gateways to the VLAN trunk lab:
Lab topology
We’ll start with the VLAN trunk lab topology and make the following changes:
- We’ll rearrange the node list to make sure the switches get the lowest possible node ID:
nodes: [ s1, s2, h1, h2, h3, h4 ]
- The switches have to use the new gateway module:
groups:
switches:
members: [ s1, s2 ]
module: [ vlan, gateway ]
device: eos
- We have to enable first-hop gateway on VLAN links:
vlans:
red:
gateway: True
blue:
gateway: True
- The default FHRP protocol is anycast (we could also use VRRP), and the default shared IP address is the last IP address in the subnet. We’ll use the first IP address in the subnet:
gateway.id: 1
After starting the lab you’ll notice the change in node identifiers and interface IP addresses. Without the anycast gateway, netlab assigns node ID 1 (and loopback IP address 10.0.0.1) to S1. Now that the node ID 1 is reserved, S1 gets loopback address 10.0.0.2.
The only other change on the Continue reading
netlab: IRB with Anycast Gateways
netlab release 1.4 added support for static anycast gateways and VRRP. Today we’ll use that functionality to add anycast gateways to the VLAN trunk lab:
Lab topology
We’ll start with the VLAN trunk lab topology and make the following changes:
Looking at Centrality in the DNS
Many aspects of the digital environment are dominated by a small clique of extremely large enterprises. Meta and Twitter may be teetering at the moment, but we have Google, Apple, Microsoft and Amazon who are still strongly dominant in their respective markets. Looking further afield, what about our common infrastructure services that everyone is forced to rely upon? How's the Domain Name System faring? Is the DNS also falling under the influence of these digital hypergiants? Or is the DNS still highly distributed and resisting the trends of centralization? Lets take a look at some DNS data to see if we can answer this question.Mastodon – Part 1 – Installing
About this series
I have seen companies achieve great successes in the space of consumer internet and entertainment industry. I’ve been feeling less enthusiastic about the stronghold that these corporations have over my digital presence. I am the first to admit that using “free” services is convenient, but these companies are sometimes taking away my autonomy and exerting control over society. To each their own of course, but for me it’s time to take back a little bit of responsibility for my online social presence, away from centrally hosted services and to privately operated ones.
This series details my findings starting a micro blogging website, which uses a new set of super interesting open interconnect protocols to share media (text, pictures, videos, etc) between producers and their followers, using an open source project called Mastodon.
Introduction
Similar to how blogging is the act of publishing updates to a website, microblogging is the act of publishing small updates to a stream of updates on your profile. You can publish text posts and optionally attach media such as pictures, audio, video, or polls. Mastodon lets you follow friends and discover new ones. It doesn’t do this in a centralized way, however.
Groups Continue reading
Worth Reading: Resolverless DNS
Geoff Huston published a lengthy article (as always) describing talks from recent OARC meeting, including resolver-less DNS and DNSSEC deployment risks.
Definitely worth reading if you’re at least vaguely interested in the technology that supposedly causes all network-related outages (unless it’s BGP, of course)
Worth Reading: Resolverless DNS
Geoff Huston published a lengthy article (as always) describing talks from recent OARC meeting, including resolver-less DNS and DNSSEC deployment risks.
Definitely worth reading if you’re at least vaguely interested in the technology that supposedly causes all network-related outages (unless it’s BGP, of course)
Worth Reading: Another Hugo-Based Blog
Bruno Wollmann migrated his blog post to Hugo/GitHub/CloudFlare (the exact toolchain I’m using for one of my personal web sites) and described his choices and improved user- and author experience.
As I keep telling you, always make sure you own your content. There’s absolutely no reason to publish stuff you spent hours researching and creating on legacy platforms like WordPress, third-party walled gardens like LinkedIn, or “free services” obsessed with gathering visitors' personal data like Medium.
Worth Reading: Another Hugo-Based Blog
Bruno Wollmann migrated his blog post to Hugo/GitHub/CloudFlare (the exact toolchain I’m using for one of my personal web sites) and described his choices and improved user- and author experience.
As I keep telling you, always make sure you own your content. There’s absolutely no reason to publish stuff you spent hours researching and creating on legacy platforms like WordPress, third-party walled gardens like LinkedIn, or “free services” obsessed with gathering visitors’ personal data like Medium.
Troubleshooting EVPN with Arista EOS (Control Plane Edition)
“It’s all fun and games until you can’t ping your default gateway.”
While EVPN/VXLAN brings a number of benefits when compared to a more traditional Core/Aggregation/Access layer style network with only VLANs and SVIs, it is different enough that you’ll need to learn some new troubleshooting techniques. It’s not all that different than what you’ve probably done before, but it is different enough to warrant a blog post.
This article is on how to troubleshoot EVPN/VXLAN on Arista EOS switches, and the command line commands will reflect that. However, as EVPN/VXLAN are a collection of IETF standards, the overall technique will translate to any EVPN/VXLAN platform.
The scenario this article is going to explore is endpoint to endpoint connectivity, though it can also be easily modified for endpoint to network connectivity. It doesn’t matter if the host is on the same VXLAN segment or a different one.
The primary strategy will be to verify the control plane. EVPN/VXLAN has a control plane, a data plane, an overlay and an underlay. Generally, I’ve found that most issues occur on the control plane. The control plane process looks like this:
- MAC address is learned on the ingress leaf VLAN
- MAC learning Continue reading
ICYMI: Developer Week 2022 announcements
Developer Week 2022 has come to a close. Over the last week we’ve shared with you 31 posts on what you can build on Cloudflare and our vision and roadmap on where we’re headed. We shared product announcements, customer and partner stories, and provided technical deep dives. In case you missed any of the posts here’s a handy recap.
Product and feature announcements
| Announcement | Summary |
|---|---|
| Welcome to the Supercloud (and Developer Week 2022) | Our vision of the cloud -- a model of cloud computing that promises to make developers highly productive at scaling from one to Internet-scale in the most flexible, efficient, and economical way. |
| Build applications of any size on Cloudflare with the Queues open beta | Build performant and resilient distributed applications with Queues. Available to all developers with a paid Workers plan. |
| Migrate from S3 easily with the R2 Super Slurper | A tool to easily and efficiently move objects from your existing storage provider to R2. |
| Get started with Cloudflare Workers with ready-made templates | See what’s possible with Workers and get building faster with these starter templates. |
| Reduce origin load, save on cloud egress fees, and maximize cache hits with Cache Reserve | Cache Reserve is graduating to open Continue reading |
Heavy Networking 656: Embedding Zero Trust Into Applications
On today's Heavy Networking we look at the idea of embedding zero trust into applications. The way we do cyber security these days has failed in significant ways. What if we could extend the AAA or RBAC model to all applications? Better yet, what if we take the RBAC model, make authentication more robust than username & password, assess endpoint security posture constantly, and evaluate each request individually up at layer 7 for all applications? Guest Galeal Zino has opinions on what embedded zero trust looks like. We discuss.
The post Heavy Networking 656: Embedding Zero Trust Into Applications appeared first on Packet Pushers.