Archive

Category Archives for "Networking"

Hedge 125: Brooks Westbrook and DC Fabric Design

DC fabric design is more of an art than a science—a lot of factors come into play, such as future growth, lifecycle management, security, and costs. How can network engineers balance these various factors—how do they even know what questions to ask? Brooks Westbrook joins Tom Ammon and Russ White to discuss three- and five-stage DC fabric design, OPEX, CAPEX, and other topics on this episode of the Hedge.

OSPF Load Balancing

OSPF Load Balancing means placing multiple next-hops into the Routing and Forwarding table for a given IP destination prefix. In this post, we will look at OSPF Load Balancing, OSPF Load Sharing, OSPF ECMP, and OSPF UCMP, where we should use it, where we shouldn’t use it, and what can be dangerous if we have OSPF Load Balancing.

OSPF Equal Cost Load Balancing – OSPF ECMP

What is OSPF Equal Cost Load Balancing? Let’s have a look at the below topology and try to understand.

OSPF ECMP

In the above topology, the 192.168.0.0/24 network is connected to Router D.

As a link-state routing protocol, OSPF routers in the network would know that the 192.168.0.0/24 subnet is connected to Router D.

And they would run SPF/Dijkstra algorithm to calculate the shortest path to this destination.

In the above topology, Interface costs are shown.

When we look at Router A to the 192.168.0.0/24 subnet, we have two paths: A-B-D and A-C-D.

Each path’s total cost is 10+10 = 20.

Thus, Router A can do load balancing for that destination prefix.

When OSPF has two paths, we don’t need to Continue reading

How To Use Grep + Regex To Match Non-200 HTTP Status Codes In Apache Server Logs

When parsing Apache web server logs on Linux, I find it interesting to monitor access requests resulting in HTTP status codes other than 200s. An HTTP status code in the 200s means the request was successful, and hey–that’s boring.

I want to see the requests that my dear Apache instance is upset about. So the question becomes…how do I filter the logs to show me every entry that doesn’t have a status code in the 200s?

Let’s back our way into this. We’ll start with the answer, then explain how we got there.

The Answer

This CLI incantation will get the job done.

sudo grep -E '\" [1345][01235][0-9] [[:digit:]]{1,8} \"' /var/log/apache2/access.log

If you’d like to watch the log entries scroll by in real time, try this.

sudo tail -f /var/log/apache2/access.log | grep -E '\" [1345][01235][0-9] [[:digit:]]{1,8} \"'

Comprehending The Regex

Let’s focus on the regular expression (regex) grep is using to find the matches. In plain English, the grep utility is using an extended -E regex to display all lines in the file /var/log/apache2/access.log matching the regex.

The regex portion of the command is as follows.

'\" [1345][01235][0-9] [[:digit:]]{1,8} \"'

The regex is enclosed in single quotes Continue reading

BGP AS Path Prepending

BGP AS Path Prepending, or BGP prepend, is a common technique for manipulating incoming paths. When we want to engineer the traffic coming from another BGP AS to our BGP AS, BGP AS prepending is one of the most common mechanisms. There are also cases where BGP AS Prepend doesn’t work and shouldn’t be used, and in this post, we will look at them too by using the below topology.

bgp as path prepending

In the above topology, we have two BGP Autonomous Systems. AS 200 is Customer BGP AS, and AS 100 is Provider BGP AS.

As a customer, AS 200 wants AS 100 to send the traffic over the left path as the Primary path and the right path as a backup path, as depicted in the above topology.

BGP AS Path Prepend

When we want to have Primary and Backup Paths as depicted in the above topology, the BGP AS Path Prepending technique is used to influence upstream BGP Autonomous Systems’ decision.

BGP Prepend means adding our BGP AS to the AS-path multiple times. In the above topology, 10.0.10.0/24 network’s BGP AS 200 is advertised with 3 AS prepend. By default when the prefix is advertised to Continue reading

7 emerging network jobs that could boost your career

The relatively stable world of enterprise networking has undergone quite a bit of upheaval over the past few years. As a result, networking professionals with traditional job titles have assumed new responsibilities, and entirely new job titles have emerged.

Key trends reshaping the jobs of network professionals include increased adoption of cloud services; the push for more automation of business processes; and the rise of technologies such as software-defined networking (SDN), SD-WAN, Internet of Things (IoT), secure access service edge (SASE), Zero Trust Network Access (ZTNA) and edge computing.

Device Management From The Ground Up: Part 6 – Working In ROMMON

This post originally appeared on the Packet Pushers’ Ignition site on April 16, 2021. If you work with network devices long enough, you will eventually encounter a device that is not working as expected. The phone calls from on-site personnel take the same general shape: Yes, the building has no connectivity; Yes, the router is […]

The post Device Management From The Ground Up: Part 6 – Working In ROMMON appeared first on Packet Pushers.

EIGRP vs OSPF 11 Important Differences between them!

In this post, we will compare EIGRP and OSPF. We will look at some of the important aspects when we compare EIGRP vs OSPF. Scalability, standardization, working on different topologies, and many other aspects will be compared in this most detailed comparison blog post on the Internet.

EIGRP vs OSPF

We prepared the above comparison chart for the EIGRP vs OSPF comparison. We will look at some of those important comparison criteria from a design point of view.

EIGRP vs OSPF Scalability

OSPF supports two layers of hierarchy: OSPF Backbone areas and OSPF Non-backbone areas. EIGRP, on the other hand, supports as many as you want. You can summarize EIGRP prefixes at every hop. This capability provides a scale advantage to EIGRP. In EIGRP, for example, we don’t need an ABR node for summarization.

EIGRP vs OSPF in Full Mesh, Ring and Hub and Spoke Topologies

A full mesh may require a lot of logical connections. OSPF with the Mesh-group feature can scale, but it can be a scaling problem for EIGRP networks. Given that in real-life networks EIGRP is usually used in Hub and Spoke topologies, expecting EIGRP to run on Full-mesh topologies is not Continue reading

BGP vs OSPF 10 Important differences between them!

In this post, we will compare BGP and OSPF. We will look at some of the important aspects when we compare BGP vs OSPF. Although OSPF is used as an IGP and BGP is used mainly as an External routing protocol, we will compare them from many different design aspects. BGP can also be used as an Internal IGP protocol, and we will take that into consideration as well.

BGP vs OSPF

We prepared the above comparison chart for the BGP vs OSPF comparison. We will look at some of those important comparison criteria from a design point of view.

BGP vs OSPF Scalability

One of the biggest reasons we choose BGP, not OSPF, is Scalability. BGP is used as a Global Internet routing protocol and as of 2022, the Global routing table size for IPv4 unicast prefixes is around 900 000. So we carry almost a million prefixes over BGP on the Internet.

So, we can say BGP has proven scalability. OSPF usually can carry only a couple of thousand prefixes; this is one of the reasons OSPF is used as an Internal dynamic routing protocol, not over the Internet.

BGP vs OSPF in Full Mesh, Ring and Hub and Continue reading

PIPEFAIL: How a missing shell option slowed Cloudflare down

At Cloudflare, we’re used to being the fastest in the world. However, for approximately 30 minutes last December, Cloudflare was slow. Between 20:10 and 20:40 UTC on December 16, web requests served by Cloudflare were artificially delayed by up to five seconds before being processed. This post tells the story of how a missing shell option called “pipefail” slowed Cloudflare down.

Background

Before we can tell this story, we need to introduce you to some of its characters.

Cloudflare’s Front Line protects millions of users from some of the largest attacks ever recorded. This protection is orchestrated by a sidecar service called dosd, which analyzes traffic and looks for attacks. When dosd detects an attack, it provides Front Line with a list of attack fingerprints that describe how Front Line can match and block the attack traffic.

Instances of dosd run on every Cloudflare server, and they communicate with each other using a peer-to-peer mesh to identify malicious traffic patterns. This decentralized design allows dosd to perform analysis with much higher fidelity than is possible with a centralized system, but its scale also imposes some strict performance requirements. To meet these requirements, we need to provide dosd with very Continue reading

Cisco BGP Weight Attribute 3 Things you must know!

BGP Weight Attribute is used in Cisco routers. In this post, with the below topology, we will look at why the BGP weight attribute is used, why BGP weight shouldn’t be used, and the advantages and disadvantages of the BGP weight attribute.

Cisco BGP Weight Attribute

Let’s first define what the BGP Weight attribute is. BGP selects the best path based on the BGP path attributes. Weight is considered a very important tie-breaker in BGP’s best-path selection.

When there are two paths to any BGP destination prefix, the BGP Weight attribute is compared before BGP Local Preference and many other BGP Path attributes.

Since this is not a post about BGP’s best path selection, and assuming you already know the process, please note that the Weight attribute is compared even before BGP Local Preference.

But, let’s have a look at the below topology to understand it better.

bgp weight attribute

In the above topology, we want to use the left path for the prefixes in AS1, thus we have a higher BGP Local preference value.

As the BGP Local preference value is exchanged internally between all IBGP neighbors, both left and right routers in AS65000 use the left exit point, which is Local Pref 100, to reach the Continue reading

Microsoft launches Azure VMs powered by new Ampere Altra Arm-based chips

Microsoft has announced the public preview of its new Azure virtual machines powered by the Arm-based Ampere Altra server processors.

The VM series includes the general-purpose Dpsv5 and memory-optimized Epsv5 virtual machines, which Microsoft claims can deliver up to 50% better price-performance than comparable IBM x86-based VMs.

The new VMs have been specifically engineered to efficiently run scale-out workloads, web servers, application servers, open-source databases, cloud-native and rich .NET applications, Java applications, gaming servers, and media servers.

BGP Interview Questions

BGP Interview questions and answers are shared here. In this post, we will look at some of the important BGP questions that are asked in the Interviews and some of the certification exams. You can consider this as a BGP Quiz and test your BGP knowledge.

Which of the below options are reasons to run IBGP? (Choose Two)

A. It is used for the reachability between PE devices in the MPLS network

B. It is used to carry EBGP prefixes inside an Autonomous System

C. It is used with Route Reflectors for the scalability reason in large scale networks

D. It is used to prevent failures outside your network from impacting your internal network operation

Answer: One of the correct answers to this question is to carry EBGP prefixes inside an Autonomous System. IGP is used for the reachability between PE devices in an MPLS network. Option C is valid but not the correct answer, because the question is asking about the reasons, not the best practices.

Option D is one of the correct answers as well because, with IBGP, the internal network is protected from outside failures by separating the local failure domains.
That’s why; the answers to Continue reading

BGP Labeled Unicast Interoperability Challenges

Jeff Tantsura left me a tantalizing hint after reading the BGP Labeled Unicast on Cisco IOS blog post:

Read carefully “Relationship between SAFI-4 and SAFI-1 Routes” section in RFC 8277

The start of that section doesn’t look promising (and it gets worse):

It is possible that a BGP speaker will receive both a SAFI-1 route for prefix P and a SAFI-4 route for prefix P. Different implementations treat this situation in different ways.

Now for the details: