Scaling Overlay Networks: Scale-Out Control Plane
A week or so ago I described why a properly implemented hypervisor-based overlay virtual networking data plane is not a scalability challenge; even though the performance might decrease slightly as the total number of forwarding entries grow, modern implementations easily saturate 10GE server uplinks.
Scalability of the central controller or orchestration system is a totally different can of worms. As I explained in the Scaling Overlay Networks, the only approach that avoids single failure domain and guarantees scalability is scale-out control plane architecture.
A Quick Look at Cisco FabricPath
Cisco FabricPath is a proprietary protocol that uses ISIS to populate a “routing table” that is used for layer 2 forwarding.
Whether we like or not, there is often a need for layer 2 in the Datacenter for the following reasons:
- Some applications or protocols require to be layer 2 adjacent
- It allows for virtual machine/workload mobility
- Systems administrators are more familiar with switching than routing
A traditional network with layer 2 and Spanning Tree (STP) has a lot of limitations that makes it less than optimal for a Datacenter:
- Local problems have a network-wide impact
- The tree topology provides limited bandwidth
- The tree topology also introduces suboptimal paths
- MAC address tables don’t scale
In the traditional network, because STP is running, a tree topology is built. This works better for for flows that are North to South, meaning that traffic passes from the Access layer, up to Distribution, to the Core and then down to Distribution and to the Access layer again. This puts a lot of strain on Core interconnects and is not well suited for East-West traffic which is the name for server to server traffic.
A traditional Datacenter design will look something like this:
If we Continue reading
HP Buying Aruba?
Two things happened today. First, Twitter blew up at some point with rumors of HP in talks to buy Aruba. Second, my shares of Aruba stock shot up about 20%. I was disappointed with the first and pleased with the second. Of course, they were directly related.
In Case You Weren’t Aware…..
HP has had some issues over the past several years. Not so much issues with their technology, which has always been good, but more so with execution. The latest attempt to right the ship has been to split the company into two distinct entities. Trim the fat off of the corporate monster so to speak. Or, maybe a better way to put it is that HP wants to become less of an “all things to all customers” type of company, and more of a “some things to some customers” type of company. Some customers will be served by one of the two HP companies, and some customers will be served by the other, or both. This allows more focus in certain areas, and focus is never a bad thing.
Why Does It Matter If HP Buys Aruba?
Although this is all speculation, allow me to continue down this Continue reading
The Mobile Internet
It has been observed that the most profound technologies are those that disappear. They weave themselves into the fabric of everyday life until they are indistinguishable from it, and are notable only by their absence. So how should we regard the Internet? Is it like large scale electricity power generators: a technology feat that is quickly taken for granted and largely ignored? Are we increasingly seeing the Internet in terms of the applications and services that sit upon it and just ignoring how the underlying systems are constructed? To what extent is the mobile Internet driving this change in perception of the Internet as a technology we simply assume is always available, anytime and anywhere? What is happening in the mobile world?Enforce Web Policy with HTTP Strict Transport Security (HSTS)
HTTP Strict Transport Security (HSTS, RFC 6797) is a web security policy technology designed to help secure HTTPS web servers against downgrade attacks. HSTS is a powerful technology which is not yet widely adopted. CloudFlare aims to change this.
Downgrade attacks (also known as SSL stripping attacks) are a serious threat to web applications. This type of attack is a form of man-in-the-middle attack in which an attacker can redirect web browsers from a correctly configured HTTPS web server to an attacker controlled server. Once the attacker has successfully redirected a user, user data, including cookies, can be compromised. Unfortunately, this attack is outside the realm of pure SSL to prevent. This is why HSTS was created.
These attacks are very real: many major websites have been attacked through SSL stripping. They are a particularly powerful attack against otherwise well secured sites, as they bypass the protections of SSL.
HSTS headers consists of an HTTP header with several parameters -- including a configurable duration for client web browsers to cache and continue to enforce policy even if the site itself changes. Through CloudFlare, it is easy to configure on a per-domain basis with standard settings.
HSTS causes compliant browsers Continue reading
Initial Post with GitHub and Jekyll
Over the past several months, I’ve found myself holding back on writing posts simply because my blog platform does not support the ability to embed code or even change fonts to resemble code, CLI, or working on a terminal. Screen shots are good, but offering the ability to copy and paste is nice, plus it just looks cleaner. This is unacceptable.
Read More
Read More
Programmatic Access to CLI Devices with TextFSM
One of the harder things to do when it comes to network automation is work with the majority of the install base that exists out there. This is true even if we focus purely on data extraction, i.e. issuing show commands and getting the results in an automated fashion. The reason for this is that most devices do not support returning structured data in formats such as JSON or XML, and this often times makes automation a non-starter for network engineers.
Traditionally, SSH is used to connect to a network device, issue a command, and dump plain text results back to the user. This leaves the user with the task of parsing through raw text and probably working with a library built for working with regular expressions, e.g. re for Python. If you make it this far, you become an expert in using expressions like this: ([A-Z])w+. And that’s not even a hard one! Regex party, anyone? I’ll pass.
TextFSM to the Rescue
What if there was a way to simplify the process of getting structured data out of the raw text a network device responds with? As luck would have it, there is definitely a better way. Continue reading
Hyperglance: Visualising ALL of your IT infrastructure
In this modern world where the whole IT industry is pondering what the next steps, trends and operational requirements will be, one thing is sure, we’re in an era of collaboration and integration.
We’ve been through learning curves around converged network fabrics, traditional silo based approaches encroaching on each other and managerial headaches of rapidly deploying new enterprise and webscale applications. Cloud is now a domestic term and the IT industry seeks new cooler ways of delivering technology. Container popularity is rapidly rising and the ‘Internet of Things (IoT)’ is now becoming a real world thing as opposed to a ‘it will happen folks!’ statement.
Winding back to the opening statements, with a system comprised of physical tin, hypervisors, container providers, microservices, machine-to-machine communication, mobile end points, block and blob storage, even if this sat with one vendor it’s a complex set of mush. Throw in ten different vendors, a mashup of APIs and operational territory problems, we have a real problem.
I’m a human – not a machine!
All the recent Hollywood blockbusters focus on human efforts to generate realistic and complex AI (artificial intelligence), but how about humans trying to manage already complex systems? Every vendor and Continue reading
Share your Expertise – Become an INE Instructor!
Do you think you have what it takes to become a featured instructor at INE? We are looking for talented individuals to propose and execute new courses across multiple domains including: networking, programming, systems administration, and security. If you’re an expert in any of these domains, or related topics, then it’s time to share your knowledge with the world! Speak a language other than English? That’s great! We’re open to ideas for courses in different languages.
Click here for more information and to submit an application.
Not interested in becoming an instructor but have some ideas for content you’d like to see us cover? Drop us a line at [email protected].