Network Break 390: New Juniper Access Switch; Intel To Hike Prices
This week's Network Break podcast discusses new switch hardware from Juniper, the underwhelming outage response by Canadian ISP Rogers, and why SASE growth is exploding. Intel is said to be raising prices across a variety of chips, a security researcher has demonstrated a replay attack that can open and start Honda vehicles, and more.Announcing VMware HCX 4.4
VMware HCX continues to evolve with the release of HCX 4.4 which includes several key enhancements in multiple different areas. These enhancements are going to address new requirements, stabilize the current feature set and provide additional security. This blog aims to highlight the major changes in HCX 4.4.
Transport AnalyticsFollowing the release of HCX 4.1, the HCX team undertook an effort to better understand how various aspects of a network underlay (including bandwidth, packet loss and latency conditions) affect migration outcomes. We called this effort the Network Underlay Characterization for HCX. During the 4.2 release, the characterization exercise enabled us to officially support services over VPN/SD-WAN, along with the Network Underlay minimum requirements to support any underlay agnostically. We also published detailed tech paper (See Network Underlay Requirements and HCX Performance Outcomes). This document guides the reader through the characterization exercise (manually using command line tooling). HCX 4.4 adds Transport Analytics the HCX, allowing the user to execute performance baselining for the HCX service transport on-demand and visualizes transport performance in real-time and as time-series graphs. This enables the migration administrator to understand the network underlay conditions reflected in the transport and plan Continue reading |
A story about AF_XDP, network namespaces and a cookie
A crash in a development version of flowtrackd (the daemon that powers our Advanced TCP Protection) highlighted the fact that libxdp (and specifically the AF_XDP part) was not Linux network namespace aware.
This blogpost describes the debugging journey to find the bug, as well as a fix.
flowtrackd is a volumetric denial of service defense mechanism that sits in the Magic Transit customer’s data path and protects the network from complex randomized TCP floods. It does so by challenging TCP connection establishments and by verifying that TCP packets make sense in an ongoing flow.
It uses the Linux kernel AF_XDP feature to transfer packets from a network device in kernel space to a memory buffer in user space without going through the network stack. We use most of the helper functions of the C libbpf with the Rust bindings to interact with AF_XDP.
In our setup, both the ingress and the egress network interfaces are in different network namespaces. When a packet is determined to be valid (after a challenge or under some thresholds), it is forwarded to the second network interface.
For the rest of this post the network setup will be the following:
e.g. eyeball packets Continue reading
Automation 15. The Good, The Bad and the Ugly of Model-Driven Network Automation Featuring Cisco, Nokia, and OpenConfig YANG
Hello my friend,
All of us (definitely me, at least) are always thrilled hearing news from network vendors on their implementation of model-driven interfaces for network management. Having spent years automating network devices in a text-based paradigm (i.e., from CLI-based automation to full fledged configuration rendering with a replacement), I’m a firm believer that model-driven approach based on YANG modules and protocols such as GNMI, NETCONF, and RESTCONF, is a proper way to go. Recently we disclosed the development we are doing in terms of network topology visualization with DANT. And today we’d like to share lessons learned based on that experience.
We planned to write this blogpost for a few weeks if not months, but due to various reasons it was delayed. We are delighted to finally post it, so that you can get some useful ideas how you can build your own CI/CD pipeline with GitHub, probably the most popular platform for collaborative software development.
2
3
4
5
retrieval system, or transmitted in any form or by any
means, electronic, mechanical or photocopying, recording,
or otherwise, for commercial purposes without the
prior permission Continue reading
Configuring BGP and open-source FRR docker on AWS — Advanced Networking
What is FRR? a. License based AWS internal routing platform b. Only supports static routing and IPSEC vpn c. Open-source internet routing protocol suite for *nix platforms d. Support BGP along with ISIS,OSPF networking protocols Answer is at the end of the post, feel free to skip it, I just did not want to make a spoiler residing just below the question
Before I write anything on implementation, I can vouch for FRR stability. It’s an open source internet routing protocol suite and used by many organisations on bare-metal and cloud instances as well, its very stable and
Simply put, FRR can make your bare metal or a cloud instance a routing platform to connect various networks together. The reason why we explore this is that this setup builds onto other posts on how AWS interacts with various routing platforms hosted from on-premises and to show the possibility if someone is considering FRR as an alternative.
Setup is extremely simple but there is one caveat which consumed almost a day for me to figure out and at last it was an answer to a known problem. FRR builds on Quagga which provided Continue reading
Traffic Mirroring- Interesting one — AWS Advanced Networking
MEDIUM: <https://raaki-88.medium.com/traffic-mirroring-interesting-one-aws-advanced-networking-a7e41027c75>
What is Traffic Mirroring ? a. Used for Content Inspection,Threat Monitoring,Troubleshooting b. Can only be implemented with a Load Balancer c. Needs Elastic Fabric Adapter d. Flow logs capture mirrored traffic Answer is at the end of the post, feel free to skip it, I just did not want to make a spoiler residing just below the question
Traffic Mirroring is an awesome concept which can now be implemented with an AWS VPC. You can mirror the traffic and send packets to a EC2 instance or specific appliances for further processing.
- Used for Content Inspection, Threat Monitoring and Troubleshooting.
- An interesting as aspect is Packet-Format
*So when a packet gets mirrored it gets VXLAN encapsulated, end host/appliance should be able to decapsulate VXLAN header( we will see a PCAP ).
* Two encapsulations – outer GENEVE(from LB if used) and inner VX-LAN
- Connectivity options are good — Inter-region using Transit-VPC or VPC-peering, other post describing Transit VPC — https://towardsaws.com/transit-vpc-aws-advanced-networking-44ca09b80905
- 4 Things for Implementation
* Source (which should be monitored — Network Interface)
*Target (Destination of mirrored Traffic)
*Filter (What traffic types should be Continue reading
Getting Your CIO to Say Yes to Automation: Gluware LiveStream June 28, 2022 (3/7) – Video
Network engineers need to make a business case to get an automation project off the ground, and it needs to describe the benefits and value in language that non-techincal executives can understand. This video offers tips and a simple blueprint to help engineers make the case to CIOs. Host Drew Conry-Murray from the Packet Pushers […]
The post Getting Your CIO to Say Yes to Automation: Gluware LiveStream June 28, 2022 (3/7) – Video appeared first on Packet Pushers.
The Best Outcome Of Automation? Visibility
This post originally appeared on the Packet Pushers’ now-defunct Ignition site on October 28, 2019. I was recently asked a question about the best business outcome of automation. My immediate thought was improved speed of operations by mechanizing operational tasks, like automated software upgrades, creating VLANs, updating ACLs or routing, and so forth. This […]
The post The Best Outcome Of Automation? Visibility appeared first on Packet Pushers.
Friday Mobility Field Day Thoughts
I’m finishing up Mobility Field Day 7 this week and there’s been some exciting discussion here around a lot of technology. I think my favorite, and something I’m going to talk about more, is the continuing battle between 5G and Wi-Fi. However, there’s a lot going on that I figured I’d bring up to whet your appetite for the videos.
- What is mission critical? When you think about all the devices that are in your organization that absolutely must work every time what does that look like? And what are you prepared to do to make them work every time? If it’s a safety switch or some other kind of thing that prevents loss of life are you prepared to spend huge amounts of money to make it never fail?
- Operations teams don’t need easier systems. They need systems that remove complexity. The difference in those two things is subtle but important. Easier means that things are simplified to the point of almost being unusable. Think Apple Airport or even some Meraki devices. Whereas reduced complexity means that you’ve made the up front configuration easy but enabled the ability to configure other features in different places. Maybe that’s by giving Continue reading
Advizex: Automating Security Audits & Remediation with Gluware: LiveStream June 28, 2022 (2/7) – Video
Advizex, a reseller and Gluware customer, discusses how it uses Gluware for security audits and remediation with its clients. This includes network and device discovery, addressing configuration drift, and managing multiple vendors using the Gluware platform. Packet Pushers host Greg Ferro is joined by Michael Burns, Network Architect at Advizex to discuss real-world use cases. […]
The post Advizex: Automating Security Audits & Remediation with Gluware: LiveStream June 28, 2022 (2/7) – Video appeared first on Packet Pushers.
Ansible For Network Automation Lesson 6: Ansible Vault And Loops – Video
In this lesson on using Ansible for network automation, Josh VanDeraa looks at how to get started with Ansible Vault, re-using tasks in multiple playbooks with include_tasks, and leveraging loops in your playbooks. Josh has created a GitHub repo to store additional material, including links and documentation: https://github.com/jvanderaa/AnsibleForNetworkAutomation You can subscribe to the Packet Pushers’ […]
The post Ansible For Network Automation Lesson 6: Ansible Vault And Loops – Video appeared first on Packet Pushers.
Heavy Networking 638: Don’t Block DNS Over TCP
DNS is our subject on today's Heavy Networking. More specifically, DNS transport over TCP. We talk with John Kristoff, one of the forces behind RFC9210, which covers the operational requirements for DNS transport over TCP. This is not an esoteric document covering a tiny, nuanced DNS use case. Instead this doc will likely affect most of you listening, whether you’re a network operator or a name server operator. We talk with John about the implications of this RFC.
The post Heavy Networking 638: Don’t Block DNS Over TCP appeared first on Packet Pushers.
Heavy Networking 638: Don’t Block DNS Over TCP
DNS is our subject on today's Heavy Networking. More specifically, DNS transport over TCP. We talk with John Kristoff, one of the forces behind RFC9210, which covers the operational requirements for DNS transport over TCP. This is not an esoteric document covering a tiny, nuanced DNS use case. Instead this doc will likely affect most of you listening, whether you’re a network operator or a name server operator. We talk with John about the implications of this RFC.Setting Up Public-Private Keys For SSH Authentication
This post originally appeared on the Packet Pushers’ Ignition site on February 18, 2020. The more pedantic in the tech community argue about the merits of public-private key authentication vs. simple password authentication when logging into an SSH host. I have no strong opinion regarding your security posture when using one vs. the other. […]
The post Setting Up Public-Private Keys For SSH Authentication appeared first on Packet Pushers.
Working in public — our docs-as-code approach
Docs-as-code is an approach to writing and publishing documentation with the same tools and processes developers use to create code. This philosophy has become more popular in recent years, especially in tech companies. Automatic link checking is part of this process, which ensures that writer's changes are sound and safe to deploy. By setting the stage with a docs-as-code approach, technical writers can focus on what they do best: ensure that our readers get useful and accurate information that is easy to find, and our documentation speaks a single language.
Besides following a docs-as-code approach, at Cloudflare we handle our documentation changes in public, in our cloudflare-docs GitHub repository. Having our documentation open to external contributions has helped us improve our documentation over time — our community is great at finding issues! While we need to review these contributions and ensure that they fit our style guide and content strategy, the contributions provided by the Cloudflare community have been instrumental in making our documentation better every day. While Cloudflare helps build a better Internet, our community helps build better documentation.
Docs-as-code at Cloudflare
At Cloudflare, we follow a docs-as-code approach to create and publish product documentation in Developer Docs.
Such Continue reading