Using the typical default router configurations, it can take minutes between a failure of an inter-AS link and the convergence of BGP routes. You can fine-tune that behavior with BGP timers and BFD (and still get pwned by Graceful Restart). While you can’t influence link failures, you could drain the traffic from a link before starting maintenance operations on it, and it would be a shame not to do that considering there’s a standard way to do that – the GRACEFUL_SHUTDOWN BGP community defined in RFC 8326. That’s what you’ll practice in the next BGP lab exercise.
One reason the OSI model isnメt all that useful anymore is because it assumes things about networks that are no longer true, such as the existence of a clear set of protocols neatly layered one atop another. We just donメt build networks this way any longer.
In 1984, Sun was famous for declaring, “The Network is the Computer.” Forty years later we are seeing this cycle come true again with the advent of AI. The collective nature of AI training models relies on a lossless, highly-available network to seamlessly connect every GPU in the cluster to one another and enable peak performance. Networks also connect trained AI models to end users and other systems in the data center such as storage, allowing the system to become more than the sum of its parts. As a result, data centers are evolving into new AI Centers where the networks become the epicenter of AI management.
Tom Limoncelli wrote another must-read masterpiece: sometimes you’ll save time if you make two trips instead of one.
The same lesson applies to network design: cramming too many features into a single device will inevitably result in complex, hard-to-understand configurations and weird bugs. Sometimes, it’s cheaper to split the required functionality across multiple devices.
Tom Limoncelli wrote another must-read masterpiece: sometimes you’ll save time if you make two trips instead of one.
The same lesson applies to network design: cramming too many features into a single device will inevitably result in complex, hard-to-understand configurations and weird bugs. Sometimes, it’s cheaper to split the required functionality across multiple devices.
23andMe is a popular genetics testing company, which was valued at $6B in 2021. Unfortunately, there was a massive data breach in December 2023, which caused a steep decline in the company’s value and trust, plummeting the company to a penny stock. While this breach was not directly related to Kubernetes, the same risks apply to containers running in your Kubernetes environments. If your containerized applications do not have the right egress access controls defined, chances of data exfiltration are much higher.
A typical modus operandi for threat actors is to look for vulnerabilities or misconfiguration in the environment and workloads, install malicious pods through privilege escalation techniques, and then exploit this unsecured pod to exfiltrate data.
An easy reconnaissance technique by just scanning the cluster network for public-facing workloads will be a first starting point for most attackers. Privilege escalation occurs mostly due to inconsistent or incorrect RBAC policies in Kubernetes through which unauthorized users can gain root privileges. Vulnerabilities in container images as part of the supply chain are also another attack path. All of these techniques will ultimately land on an exposed pod with a remote code Continue reading
You’ve just finished building a 1,000 router fabric using a proper underlay and overlay. You’ve thought of everything, including doing it all with a single SKU, carefully choosing transceivers, using only the best optical cables, and running all the software through a rigorous testing cycle. Time to relax? Perhaps—or perhaps not.
Three new posts this week:
coupon code for first six months for free: BEAG2DRUP0TORNSKUT
The recent IBGP Full Mesh Between EVPN Leaf Switches blog post generated an interesting discussion on LinkedIn focused on whether we need route reflectors (in small fabrics) and whether they do more harm than good. Here are some of the highlights of that discussion, together with a running commentary.
The recent IBGP Full Mesh Between EVPN Leaf Switches blog post generated an interesting discussion on LinkedIn focused on whether we need route reflectors (in small fabrics) and whether they do more harm than good. Here are some of the highlights of that discussion, together with a running commentary.
Yes, you read that right. My Network Lab is indeed a text file (YAML file to be more specific). I can share the file with anyone, put it into version control, and never worry about re-creating the lab manually. No more clicking through the GUI and connecting interfaces. How is that even possible? You must be thinking this is clickbait right? Well, I'm talking about using Containerlab to create and manage your network topologies and labs.
I started my networking journey with Packet Tracer, then moved on to GNS3. Most of the time, I've used EVE-NG and some Cisco CML. EVE-NG is a great tool, and I still use it for building complex, large topologies with Cisco ISE, multiple firewalls, Active Directory, etc. But when it comes to labbing up pure networking protocols like BGP, OSPF, STP, or even simple IP routing, I needed something very simple that is easy to deploy and manage.
That's when I came across Containerlab which is a Lab-as-a-code tool that helps you set up and manage your network labs easily. Instead of dealing with complex setups and configurations, containerlab simplifies everything for you. Containerlab provides a command-line interface (CLI) that Continue reading
Many network automation solutions generate device configurations from a data model and deploy those configurations. Last week, we focused on “how do we know the device data model is correct?” This time, we’ll take a step further and ask ourselves, “how do we know the device configurations work as expected?”
There are four (increasingly complex) questions our tests should answer: