0

Direct Connect — Part 1

< MEDIUM: https://raaki-88.medium.com/direct-connect-part-1-dc3e9369933 >

AWS Advanced Networking Prep and General focus

Notion — https://meteor-honeycup-16b.notion.site/Direct-Connect-a61557d18e784e778b4500197168454c

What is the Direct Connect product trying to solve?

We have seen IPSEC Site-to-Site VPN, a nice extension to that is Direct Connect offering. In IPSEC VPN, we connected to AWS VPC securely over the internet, in Direct Connect we have a cable termination onto our Data Center premises which directly connects to AWS Infrastructure and no internet service providers are needed for this to happen.

Advantages:

• Bypasses Internet and thereby secure
• Low Latency to AWS services
• Consistent Performance with up to speeds of 1/10/100 and support for jumbo frames > 9k

What are my building blocks?

• We basically start with a Connection, pretty much self-explanatory
• A Connection has the below requirements

Functional Building Block?

Ref:https://docs.aws.amazon.com/directconnect/latest/UserGuide/WorkingWithVirtualInterfaces.html

So, once we have a connection setup, everything revolves around VIF — Virtual Interface.

Direct Connect can be divided into two parts

a. Public VIF — we are speaking about public IP addresses routable on the internet.

• Enables access to Amazon public service Continue reading

0

AWS Advanced Networking — IPSEC Vpn with BGP (FRR and Docker)

< MEDIUM: https://raaki-88.medium.com/aws-advanced-networking-ipsec-vpn-with-bgp-frr-and-docker-ae29a3ec6d85 >

The previous post covered IPSEC Vpn implementation with Static Routing and also had some points about IPSEC Vpn Implementation, this post aims at building IPSEC Vpn with Dynamic routing offered by VGW which is BGP.

https://towardsaws.com/ipsec-vpn-site-to-site-how-to-and-notes-for-advanced-networking-certification-35f936b16316

Article on FRR, Docker — https://towardsaws.com/configuring-bgp-and-open-source-frr-docker-on-aws-advanced-networking-d21fd0d76b33

We will re-use the same concept and will start a BGP route exchange over IPSEC VPN.

https://meteor-honeycup-16b.notion.site/Site-2-Site-VPN-BGP-FRR-Docker-d818267a1041401481554e6f30764dfb — Notes and Topology

Lab Video — https://youtu.be/PmLkHRAMfMU

Few points to note:

• BGP ASN support is both for 2-byte and 4-byte
• ASN Range is from 64512–65534
• BGP Peering will happen over Tunnel endpoints with address 169.254.x.y/z which amazon usually initiates by default
• If you are extending the strong-swan use case, you need to have a configuration reference for the static tunnel as there is no dynamic configuration generated for Strong-swan/Open-swan use case
• In static and dynamic routings, VGW Route propagation needs to be done.
• I have observed that left-subnet and right-subnet should be 0/0 in AWS for communicating BGP-TCP messages for session establishment.
• This needs to be tested further and there is no BGP authentication that the user can define, as the user won’t have any control Continue reading

0

IPSEC VPN Site-to-Site — How to and notes for Advanced Networking Certification

< MEDIUM:https://towardsaws.com/ipsec-vpn-site-to-site-how-to-and-notes-for-advanced-networking-certification-35f936b16316 >

https://meteor-honeycup-16b.notion.site/Site-to-Site-VPN-144441a6ac0b4e39a514adc67a8348d5 — This will be updated frequently and has the entire notes on the topics

Lab / Part 1— https://meteor-honeycup-16b.notion.site/Part-1-Building-Customer-VPN-Server-and-a-Client-688eed381f2849dfbe02f5eed740a573

Part 1 — https://youtu.be/h8zFEkVXV24

Lab / Part 2 — https://meteor-honeycup-16b.notion.site/Part-2-Setting-up-VGW-on-AWS-9055cd53a0174f51bd064bb2e3c1f3ac

Part 2 — https://youtu.be/PxJ04myIGJs

Lab / Part 3. — https://meteor-honeycup-16b.notion.site/Part-3-Configuring-Routing-and-verifying-Connectivity-0f2d03eae3474bb897a0f897c927786a

Part 3 — https://youtu.be/mf-Qymz-_Hg

Intro

• VPN — Virtual Private Network, often used to communicate securely over untrusted networks like the internet.
• IPSEC is the protocol which is used for securing the data. Some other tunnelling protocols and frameworks are GRE, DMVPN, Wireguard etc
• Two types of VPNs — Site-to-Site other is Client-to-site /Remote Access VPN, this lab will be a site-to-site VPN.
• Site-to-Site, as the name suggests usually connects two sites and a Site is typically referred to as a group of devices in a Data-Center. Site-to-Site will enable two sites separated from the internet to communicate privately and securely over the internet.

Site-to-Site

• Think along the lines of two boundary devices which encrypt and decrypt LAN traffic
• Design Redundancy and Scalability along these lines for these two end-points
• It is important to note that you can have VPN to access any services within Continue reading

0

Cumulus Linux NVUE: an Incomplete Data Model

A few weeks ago I described how Cumulus Linux tried to put lipstick on a pig reduce the Linux data plane configuration pains with Network Command Line Utility. NCLU is a thin shim that takes CLI arguments, translates them into FRR or ifupdown configuration syntax, and updates the configuration files (similar to what Ansible is doing with something_config modules).

Obviously that wasn’t good enough. Cumulus Linux 4.4 introduced NVIDIA User Experience¹ – a full-blown configuration engine with its own data model and REST API².

0

Cumulus Linux NVUE: an Incomplete Data Model

A few weeks ago I described how Cumulus Linux tried to put lipstick on a pig reduce the Linux data plane configuration pains with Network Command Line Utility. NCLU is a thin shim that takes CLI arguments, translates them into FRR or ifupdown configuration syntax, and updates the configuration files (similar to what Ansible is doing with something_config modules).

Obviously that wasn’t good enough. Cumulus Linux 4.4 introduced NVIDIA User Experience¹ – a full-blown configuration engine with its own data model and REST API².

0

Troubleshooting VXLAN MTU issues with SR Linux

Giving your network engineers a fighting chance with the industry’s most truly open NOS

A recent blog reminds us that VXLAN overlay networks can be tricky to troubleshoot, as a typical encapsulation header adds 50 bytes per packet and RFC7348 simply assumes that the network is configured to support such larger payloads. And unlike most other IP packets, typical VTEPs will simply discard frames that are too large — without informing the sender.

Tailored troubleshooting commands in Linux

A common VXLAN underlay network is an IP fabric with IPv4 VTEPs at the leaves, using multiple spines with ECMP for redundancy and capacity. In Netlab such a topology might look like this:

netlab up -d srlinux -p clab vxlan-bridging-leaf-spine.yml

To troubleshoot suspected MTU issues in this context — say when a ping from h1 to h2 fails — one would verify the MTU on all paths between the VXLAN VTEPs l1/l2, i.e. l1->s1->l2 and l1->s2->l2. To simplify this task on SR Linux, we can add a custom /tools command for traceroute:

/tools vxlan-traceroute mac-vrf vlan1000

As can be seen from the above screenshot, this custom vxlan-traceroute command takes a Continue reading

0

Why Do We Accept Bad Wireless Clients?

We recorded a fun roundtable discussion last week during Mobility Field Day that talked about the challenges that wireless architects face in their daily lives. It’s about an hour but it’s packed with great discussions about hard things we deal with:

One of the surprises for me is that all the conversations came back to how terrible wireless clients can be. The discussion kept coming back to how hard it is to find quality clients and how we adjust our expectations for the bad ones.

Driven to Madness

Did you know that 70% of Windows crashes are caused by third-party drivers? That’s Microsoft’s own research saying it. That doesn’t mean that Windows is any better or more stable with their OS design compared to Linux or MacOS. However, I’ve fiddled with drivers on Linux and I can tell you how horrible that experience can be¹. Windows is quite tolerant of hardware that wouldn’t work anywhere else. As long as the manufacturer provides a driver you’re going to get something that works most of the time.

Apply that logic to a wireless networking card. You can buy just about anything and install it on your system and it will mostly Continue reading

0

Data Storage IT Careers Evolve with the Cloud

Here’s what data storage pros need to know in a hybrid cloud environment and why a business perspective is more important than ever.

0

Assembly within! BPF tail calls on x86 and ARM

Early on when we learn to program, we get introduced to the concept of recursion. And that it is handy for computing, among other things, sequences defined in terms of recurrences. Such as the famous Fibonnaci numbers - Fn = Fn-1 + Fn-2.

Later on, perhaps when diving into multithreaded programming, we come to terms with the fact that the stack space for call frames is finite. And that there is an “okay” way and a “cool” way to calculate the Fibonacci numbers using recursion:

// fib_okay.c

#include <stdint.h>

uint64_t fib(uint64_t n)
{
        if (n == 0 || n == 1)
                return 1;

        return fib(n - 1) + fib(n - 2);
}

Listing 1. An okay Fibonacci number generator implementation

// fib_cool.c

#include <stdint.h>

static uint64_t fib_tail(uint64_t n, uint64_t a, uint64_t b)
{
    if (n == 0)
        return a;
    if (n == 1)
        return b;

    return fib_tail(n - 1, b, a + b);
}

uint64_t fib(uint64_t n)
{
    return fib_tail(n, 1, 1);
}

Listing 2. A better version of the same

If we take a look at the machine code the compiler produces, the “cool” variant translates to a nice and tight sequence of instructions:

⚠ Continue reading

0

How SASE might improve worker productivity and make CFOs happy

What justifies network spending?  Two things, according to CIOs.The first is the money to maintain the infrastructure that was justified by projects in the past. The other is money for new projects, and they must deliver benefits large enough to meet the CFO’s target return on investment.The top business justification for any new tech project is productivity improvement. My data says that only about two-thirds of workers in jobs that could be empowered by network improvement have actually been given optimal access to information. In some job classifications, only 40% of workers have been empowered. Mobile workers, ones who regularly operate away from offices, are often empowered only part of the time.To read this article in full, please click here

0

netlab Release 1.3.2: Mikrotik RouterOS 7, Additional EVPN Platforms

The star of the netlab release 1.3.2 is Mikrotik RouterOS version 7. Stefano Sasso did a fantastic job adding support for VLANs, VRFs, OSPFv2, OSPFv3, BGP, MPLS, and MPLS/VPN, plus the libvirt box-building recipe.

Jeroen van Bemmel contributed another major PR¹ adding VLANs, VRFs, VXLAN, EVPN, and OSPFv3 to Nokia SR OS.

Other platform improvements include:

0

netlab Release 1.3.2: Mikrotik RouterOS 7, Additional EVPN Platforms

The star of the netlab release 1.3.2 is Mikrotik RouterOS version 7. Stefano Sasso did a fantastic job adding support for VLANs, VRFs, OSPFv2, OSPFv3, BGP, MPLS, and MPLS/VPN, plus the libvirt box-building recipe.

Jeroen van Bemmel contributed another major PR¹ adding VLANs, VRFs, VXLAN, EVPN, and OSPFv3 to Nokia SR OS.

Other platform improvements include:

0

SRIOV VF Plumbing into K8s PODs

https://github.com/kashif-nawaz/SRIOV-VF-Plumbing-into-K8s-PODs

0

Juniper CN2 DPDK vRouter Bringup

How to bring Juniper Cloud Native CN2 DPDK vRouter

https://github.com/kashif-nawaz/Juniper-CN2-DPDK-vRouter-Bringup

0

Hedge: October Update

What’s going on with the Hedge? What am I teaching this coming month? Listen to this short update to find out all the news.

download

0

Weekend Reads 100722

Meta Platforms Inc. Chief Executive Officer Mark Zuckerberg outlined sweeping plans to reorganize teams and reduce headcount for the first time ever, calling an end to an era of rapid growth at the social media giant.

A food delivery drone operated by Alphabet subsidiary Wing landed on overhead power lines in Brisbane, Australia, and caught fire. As a result, the network was shut down by energy firm Energex to respond to the incident, leaving thousands without power.

If you know about DNS, you’ve probably heard of the Time-to-Live (TTL) field. But mistakes with TTL are more common than you might think. Here we look at the quirks of DNS record sets, parent/child domains and how to avoid TTL problems.

While some have given up on Moore’s Law, Intel CEO Pat Gelsinger clearly hasn’t. “For decades now, I’ve been in the debate: is Moore’s Law dead? And the answer is no,” he said, during his keynote at the Intel Innovation event this week.

In this post, we will demonstrate how malicious actors can force UDP DNS answers to fragment so they can inject forged DNS data into DNS resolver caches and highlight what percentage of servers are at risk.

We identify Continue reading

0

Worth Reading: VXLAN Drops Large Packets

Ian Nightingale published an interesting story of connectivity problems he had in a VXLAN-based campus network. TL&DR: it’s always the MTU (unless it’s DNS or BGP).

The really fun part: even though large L2 segments might have magical properties (according to vendor fluff), there’s no host-to-network communication in transparent bridging, so there’s absolutely no way that the ingress VTEP could tell the host that the packet is too big. In a layer-3 network you have at least a fighting chance…

For more details, watch the Switching, Routing and Bridging part of How Networks Really Work webinar (most of it available with Free Subscription).

0

Worth Reading: VXLAN Drops Large Packets

Ian Nightingale published an interesting story of connectivity problems he had in a VXLAN-based campus network. TL&DR: it’s always the MTU (unless it’s DNS or BGP).

The really fun part: even though large L2 segments might have magical properties (according to vendor fluff), there’s no host-to-network communication in transparent bridging, so there’s absolutely no way that the ingress VTEP could tell the host that the packet is too big. In a layer-3 network you have at least a fighting chance…

For more details, watch the Switching, Routing and Bridging part of How Networks Really Work webinar (most of it available with Free Subscription).

0

Heavy Networking 650: Whether And How To Adopt Whitebox Switches

On today’s Heavy Networking podcast, Kevin Myers joins us for a whitebox conversation. Kevin helps Internet Service Providers build their networks, and has noticed increased adoption of whitebox switches. Why? Are the problems whitebox solves for these ISPs the same you might have at your company? Should you consider whitebox instead of Cisco, Juniper, or Arista? Maybe…and maybe not.

The post Heavy Networking 650: Whether And How To Adopt Whitebox Switches appeared first on Packet Pushers.

0

Heavy Networking 650: Whether And How To Adopt Whitebox Switches

On today’s Heavy Networking podcast, Kevin Myers joins us for a whitebox conversation. Kevin helps Internet Service Providers build their networks, and has noticed increased adoption of whitebox switches. Why? Are the problems whitebox solves for these ISPs the same you might have at your company? Should you consider whitebox instead of Cisco, Juniper, or Arista? Maybe…and maybe not.