Archive

Category Archives for "Networking"

Thoughts on the Collapsed Spine

One of the designs I’ve been encountering a lot of recently is a “collapsed spine” data center network, as shown in the illustration below.

In this design, and B are spine routers, while C-F are top of rack switches. The terminology is important here, because C-F are just switches—they don’t route packets. When G sends a packet to H, the packet is switched by C to A, which then routes the packet towards F, which then switches the packet towards H. C and F do not perform an IP lookup, just a MAC address lookup. A and B are responsible for setting the correct next hop MAC address to forward packets through F to H.
What are the positive aspects of this design? Primarily that all processing is handled on the two spine routers—the top of rack switches don’t need to keep any sort of routing table, nor do any IP lookups. This means you can use very inexpensive devices for your ToR. In brownfield deployments, so long as the existing ToR devices can switch based on MAC addresses, existing hardware can be used.

This design also centralizes almost all aspects of network configuration and management on the spine routers. Continue reading

AWS Networking – Part V: Create Subnet Using AWS Console

When we have created a new VPC, we can start adding subnets to it. We are going to create two subnets. Subnet 10.10.0.0/24 is a Public Subnet in Availability Zone eu-west2c, where we later add an Internet GW. Subnet 10.10.0.0/24 is a Private Subnet in Availability Zone eu-west2a that will use a NAT GW for uni-directional Internet access.


Figure 1-18: VPC Route Table: Routes.

Continue reading

AWS Networking – Part IV: Create VPC Using the AWZ CloudFormation

The focus of this section is to show how we can create a VPC using AWS CloudFormation service. Figure 1-12 shows our example AWS CloudFormation Templates. Its first section, AWSTemplateFormatVersion, specifies the template language format. At the time of writing, 2010-09-09 is the latest and only valid version. We can use the Description section to describe our template. Note that it must follow the AWSTemplateFormatVersion Section. AWSTemplateFormation-Version and Description are optional sections. The Resourcessection specifies the actual AWS resources and their properties. Each AWS resource is identified with a logical name. I have given the logical name NwktVPC for our example VPC. We can use resource-specific logical names for defining dependencies between resources. For example, when adding the AWS::EC2::Subnet resource to our template, we assign the VpcId value by calling it from the AWS::EC2::VPC resource using !REF intrinsinc function. I will explain the process in the Subnet section later. The resources and their properties are defined under logical names. The Resources section is the only required section in AWS CloudFormation-Template. AWS CloudFormation Templates are identified by using Stack Names in AWS Cloud Formation. Our example Stack Name is MyNetworkStack.


Figure 1-12: AWS CloudFormation: VPC.

Continue reading

Another SD-WAN Security SNAFU: SQL Injections in Cisco SD-WAN Admin Interface

Christoph Jaggi sent me a link to an interesting article describing security vulnerabilities pentesters found in Cisco SD-WAN admin/management code.

I’m positive the bugs have been fixed in the meantime, but what riled me most was the root cause: Little Bobby Tables (aka SQL injection) dropped by. Come on, it’s 2021, SD-WAN is supposed to be about building secure replacements for MPLS/VPN networks, and they couldn’t get someone who could write SQL-injection-safe code (the top web application security risk)?

Another SD-WAN Security SNAFU: SQL Injections in Cisco SD-WAN Admin Interface

Christoph Jaggi sent me a link to an interesting article describing security vulnerabilities pentesters found in Cisco SD-WAN admin/management code.

I’m positive the bugs have been fixed in the meantime, but what riled me most was the root cause: Little Bobby Tables (aka SQL injection) dropped by. Come on, it’s 2021, SD-WAN is supposed to be about building secure replacements for MPLS/VPN networks, and they couldn’t get someone who could write SQL-injection-safe code (the top web application security risk)?

Bird on Bird, Episode 4 of BGP Perf testing

1st Post Comparing Open Source BGP Stacks 2nd Post Followup Measuring BGP Stacks Performance 3rd Post Comparing Open Source BGP stacks with internet routes After the last post, I thought the this post would be either adding interesting BGP policy. But that’s tricky. It’s going to take some rethinking about...

Looking at your Linux system’s network interface with ethtool

The ethtool utility on Linux allows you to view and change some of your network-driver and interface-card settings, especially for wired devices. These include their speed, whether the interface uses auto-negotiation, and whether it runs in half- or full-duplex mode. Ethtool also provides an easy way to view or troubleshoot your network interface.More than likely, ethtool is already available on your Linux system. However, to check, you can use one or both of these commands:$ which ethtool /usr/sbin/ethtool $ sudo ethtool —version ethtool version 5.13 To get a sense of how this utility can control settings, run a command like the one below. The -h means “help”. You’ll likely find yourself looking at 10 pages or so of syntax like what is shown here.To read this article in full, please click here

Looking at your Linux system’s network interface with ethtool

The ethtool utility on Linux allows you to view and change some of your network-driver and interface-card settings, especially for wired devices. These include their speed, whether the interface uses auto-negotiation, and whether it runs in half- or full-duplex mode. Ethtool also provides an easy way to view or troubleshoot your network interface.More than likely, ethtool is already available on your Linux system. However, to check, you can use one or both of these commands:$ which ethtool /usr/sbin/ethtool $ sudo ethtool —version ethtool version 5.13 To get a sense of how this utility can control settings, run a command like the one below. The -h means “help”. You’ll likely find yourself looking at 10 pages or so of syntax like what is shown here.To read this article in full, please click here

Tape backup as a defense vs. ransomware

Tape is definitely not the best choice for primary recovery, but it does have features that make it a credible option for restoring systems and data that have fallen victim to ransomware without having to pay the ransom.The cloud has many more upsides than tape as a recovery tool in general, but there are circumstances where tape should be seriously considerd, and ransomware recovery is one of them.How to choose the best NVMe storage array When cloud’s not good enough Using the cloud for ransomware recovery—or not—has become somewhat of a religious discussion in many circles. Choosing the cloud offers many positive things, including cost, speed, and immediate availability—all great advantages when responding to a ransomware attack.To read this article in full, please click here

Tape backup as a defense vs. ransomware

Tape is definitely not the best choice for primary recovery, but it does have features that make it a credible option for restoring systems and data that have fallen victim to ransomware without having to pay the ransom.The cloud has many more upsides than tape as a recovery tool in general, but there are circumstances where tape should be seriously considerd, and ransomware recovery is one of them.How to choose the best NVMe storage array When cloud’s not good enough Using the cloud for ransomware recovery—or not—has become somewhat of a religious discussion in many circles. Choosing the cloud offers many positive things, including cost, speed, and immediate availability—all great advantages when responding to a ransomware attack.To read this article in full, please click here

Tape backup as a defense vs. ransomware

Tape is definitely not the best choice for primary recovery, but it does have features that make it a credible option for restoring systems and data that have fallen victim to ransomware without having to pay the ransom.The cloud has many more upsides than tape as a recovery tool in general, but there are circumstances where tape should be seriously considerd, and ransomware recovery is one of them.How to choose the best NVMe storage array When cloud’s not good enough Using the cloud for ransomware recovery—or not—has become somewhat of a religious discussion in many circles. Choosing the cloud offers many positive things, including cost, speed, and immediate availability—all great advantages when responding to a ransomware attack.To read this article in full, please click here

Tech Bytes: Operationalizing EVPN For Data Center Networks With Nokia (Sponsored)

On today’s Tech Bytes podcast, sponsored by Nokia, we dive into data center networking and EVPN. Nokia’s SR-Linux operating system can help you build a data center fabric with EVPN, and in this episode we’re going to discuss how Nokia operationalizes that protocol.

The post Tech Bytes: Operationalizing EVPN For Data Center Networks With Nokia (Sponsored) appeared first on Packet Pushers.

Arrcus Brings Network Automation and API Accessibility to the Edge

Arrcus, a well-funded edge network software startup that is working to make a name for itself in the expanding multicloud arena. But even as enterprise adoption of multicloud and hybrid cloud strategies continues to rise, he sees the future being at the network and compute edge. “Everybody talks about how you can get benefits from large pools of centralized capacity in the public cloud,” said Ayyar, whose was announced as chairman and CEO on Sept. 15. “What I feel very, very confident about is that this action is almost passé in terms of the clouds, and it’s moving a lot more into the edge. The pendulum is swinging from consolidated and large data centers doing everything to highly distributed and disaggregated infrastructures doing things that are point of consumption, point of sale, Continue reading

Network Break 351: Juniper’s Wired Campus Fabric Challenges Cisco; More Azure Holes Revealed

Today's Network Break podcast discusses Juniper's new wired campus effort and how it leverages Mist Cloud for to help automate its campus fabric, a new set of Azure vulnerabilities, robust SD-WAN growth with the biggest players reaping most of the rewards, free space optics for hard-to-wire regions, and more tech news.

The post Network Break 351: Juniper’s Wired Campus Fabric Challenges Cisco; More Azure Holes Revealed appeared first on Packet Pushers.

Containernet

Containernet is a fork of the Mininet network emulator that uses Docker containers as hosts in emulated network topologies.

Multipass describes how build a Mininet testbed that provides real-time traffic visbility using sFlow-RT. This article adapts the testbed for Containernet.

multipass launch --name=containernet bionic
multipass exec containernet -- sudo apt update
multipass exec containernet -- sudo apt -y install ansible git aptitude default-jre
multipass exec containernet -- git clone https://github.com/containernet/containernet.git
multipass exec containernet -- sudo ansible-playbook -i "localhost," -c local containernet/ansible/install.yml
multipass exec containernet -- sudo /bin/sh -c "cd containernet; make develop"
multipass exec containernet -- wget https://inmon.com/products/sFlow-RT/sflow-rt.tar.gz
multipass exec containernet -- tar -xzf sflow-rt.tar.gz
multipass exec containernet -- ./sflow-rt/get-app.sh sflow-rt mininet-dashboard

Run the above commands in a terminal to create the Containernet virtual machine. 

multipass list

List the virtual machines

Name                    State             IPv4             Image
primary Stopped -- Ubuntu 20.04 LTS
containernet Running 192.168.64.12 Ubuntu 18.04 LTS
172.17.0.1

Find the IP address of the mininet virtual machine we just created (192.168.64.12).

multipass exec containernet -- ./sflow-rt/start.sh

Start sFlow-RT. Use a web browser to connect to the VM and Continue reading

How to customize your HTTP DDoS protection settings

How to customize your HTTP DDoS protection settings
How to customize your HTTP DDoS protection settings

We’re excited to announce the availability of the HTTP DDoS Managed Ruleset. This new feature allows Cloudflare customers to independently tailor their HTTP DDoS protection settings. Whether you’re on the Free plan or the Enterprise plan, you can now tweak and optimize the settings directly from within the Cloudflare dashboard or via API.

We expect that in most cases, Cloudflare customers won't need to customize any settings. Our mission is to make DDoS disruptions a thing of the past, with no customer overhead. To achieve this mission we’re constantly investing in our automated detection and mitigation systems. In some rare cases, there is a need to make some configuration changes, and so now, Cloudflare customers can customize those protection mechanisms independently. The next evolutionary step is to make those settings learn and auto-tune themselves for our customers, based on their unique traffic patterns. Zero-touch DDoS protection at scale.

Unmetered DDoS Protection

Back in 2017, we announced that we will never kick a customer off of our network because they face large attacks, even if they are not paying us at all (i.e., using the Free plan). Furthermore, we committed to never charge a customer for DDoS attack traffic Continue reading