BGP Labs: Graceful Shutdown
Using the typical default router configurations, it can take minutes between a failure of an inter-AS link and the convergence of BGP routes. You can fine-tune that behavior with BGP timers and BFD (and still get pwned by Graceful Restart). While you can’t influence link failures, you could drain the traffic from a link before starting maintenance operations on it, and it would be a shame not to do that considering there’s a standard way to do that – the GRACEFUL_SHUTDOWN BGP community defined in RFC 8326. That’s what you’ll practice in the next BGP lab exercise.
On the ‘net: Modeling Tunnels
One reason the OSI model isnメt all that useful anymore is because it assumes things about networks that are no longer true, such as the existence of a clear set of protocols neatly layered one atop another. We just donメt build networks this way any longer.
The New Era of AI Centers
In 1984, Sun was famous for declaring, “The Network is the Computer.” Forty years later we are seeing this cycle come true again with the advent of AI. The collective nature of AI training models relies on a lossless, highly-available network to seamlessly connect every GPU in the cluster to one another and enable peak performance. Networks also connect trained AI models to end users and other systems in the data center such as storage, allowing the system to become more than the sum of its parts. As a result, data centers are evolving into new AI Centers where the networks become the epicenter of AI management.
Must Read: Make Two Trips
Tom Limoncelli wrote another must-read masterpiece: sometimes you’ll save time if you make two trips instead of one.
The same lesson applies to network design: cramming too many features into a single device will inevitably result in complex, hard-to-understand configurations and weird bugs. Sometimes, it’s cheaper to split the required functionality across multiple devices.
Must Read: Make Two Trips
Tom Limoncelli wrote another must-read masterpiece: sometimes you’ll save time if you make two trips instead of one.
The same lesson applies to network design: cramming too many features into a single device will inevitably result in complex, hard-to-understand configurations and weird bugs. Sometimes, it’s cheaper to split the required functionality across multiple devices.
Container Security: Protect your data with Calico Egress Access Controls
23andMe is a popular genetics testing company, which was valued at $6B in 2021. Unfortunately, there was a massive data breach in December 2023, which caused a steep decline in the company’s value and trust, plummeting the company to a penny stock. While this breach was not directly related to Kubernetes, the same risks apply to containers running in your Kubernetes environments. If your containerized applications do not have the right egress access controls defined, chances of data exfiltration are much higher.
The basics
A typical modus operandi for threat actors is to look for vulnerabilities or misconfiguration in the environment and workloads, install malicious pods through privilege escalation techniques, and then exploit this unsecured pod to exfiltrate data.
An easy reconnaissance technique by just scanning the cluster network for public-facing workloads will be a first starting point for most attackers. Privilege escalation occurs mostly due to inconsistent or incorrect RBAC policies in Kubernetes through which unauthorized users can gain root privileges. Vulnerabilities in container images as part of the supply chain are also another attack path. All of these techniques will ultimately land on an exposed pod with a remote code Continue reading
PP016: Tabletop Security Exercises: D&D for Grown-ups
Tabletop security exercises can help organizations game out their response to a security incident. From the technical and business considerations to legal and PR implications, a tabletop exercise, like Dungeons and Dragons, lets you play-test attack and defense scenarios. Johna Till Johnson, CEO of Nemertes consulting firm and co-host of the Heavy Strategy podcast, joins... Read more »HW028: Highlights from Wi-Fi World Congress USA
A cardboard box with a circuit printed on it that harvests just enough power to activate a radio and have it chirp something out a short distance: that’s just one of the cool products and 802.11 standards that stood out at this year’s Wi-Fi World Congress USA. Drew Lentz joins the show to recap the... Read more »On the ‘net: Grey Failures and the Law of Large Numbers
You’ve just finished building a 1,000 router fabric using a proper underlay and overlay. You’ve thought of everything, including doing it all with a single SKU, carefully choosing transceivers, using only the best optical cables, and running all the software through a rigorous testing cycle. Time to relax? Perhaps—or perhaps not.
Rule 11 Academy Update 052724
Three new posts this week:
coupon code for first six months for free: BEAG2DRUP0TORNSKUT
Heavy Strategy: Failure and Resilience
Welcome to a crossover episode with the Heavy Strategy podcast! Firing the wrong person, mistakenly rebooting core switches in a massive network, not passing the CCIE exam– today we talk all about failure. For this conversation, we’re joined by fellow Packet Pushers Kyler Middleton and Ned Bellavance, hosts of the Day Two Cloud podcast. We... Read more »HS073: Failure and Resilience
Firing the wrong person, mistakenly rebooting core switches in a massive network, not passing the CCIE exam– today we talk all about failure. For this conversation, we’re joined by fellow Packet Pushers Kyler Middleton and Ned Bellavance, hosts of the Day Two Cloud podcast. We swap stories, discuss response and prevention, and talk about accountability,... Read more »
BGP Route Reflectors Considered Harmful
The recent IBGP Full Mesh Between EVPN Leaf Switches blog post generated an interesting discussion on LinkedIn focused on whether we need route reflectors (in small fabrics) and whether they do more harm than good. Here are some of the highlights of that discussion, together with a running commentary.
Please note that we’re talking about BGP route reflectors in reasonably small data center fabrics. Large service provider networks with millions of customer VPN routes are a completely different story. As always, what you read in a random blog post might not apply to your network design. YMMV.
BGP Route Reflectors Considered Harmful
The recent IBGP Full Mesh Between EVPN Leaf Switches blog post generated an interesting discussion on LinkedIn focused on whether we need route reflectors (in small fabrics) and whether they do more harm than good. Here are some of the highlights of that discussion, together with a running commentary.
Please note that we’re talking about BGP route reflectors in reasonably small data center fabrics. Large service provider networks with millions of customer VPN routes are a completely different story. As always, what you read in a random blog post might not apply to your network design. YMMV.
Calling Time on DNSSEC
Through the lack of clear signals of general adoption of DNSSEC over three decades, then is it time to acknowledge that DNSSEC is just not going anywhere? Is it time to call it a day for DNSSEC and just move on?NB480: New Dell Switch Targets Ethernet AI Fabrics; Nvidia Net Income Leaps 628%
Take a Network Break! Lots of hardware news in today’s episode. We start with a new data center Ethernet switch from Dell designed to accelerate workloads on AI Ethernet fabrics. Public cloud networking startup Alkira raises $100 million in funding. Broadcom announces a 400G NIC that targets AI workloads, and Allegro Packets announces a 400G... Read more »Reclaiming IPv4 Class E’s 240.0.0.0/4
Reclaiming IPv4 Class E’s 240.0.0.0/4
A video recording of
My Network Lab is a Text File
Yes, you read that right. My Network Lab is indeed a text file (YAML file to be more specific). I can share the file with anyone, put it into version control, and never worry about re-creating the lab manually. No more clicking through the GUI and connecting interfaces. How is that even possible? You must be thinking this is clickbait right? Well, I'm talking about using Containerlab to create and manage your network topologies and labs.
My Life Before Containerlab
I started my networking journey with Packet Tracer, then moved on to GNS3. Most of the time, I've used EVE-NG and some Cisco CML. EVE-NG is a great tool, and I still use it for building complex, large topologies with Cisco ISE, multiple firewalls, Active Directory, etc. But when it comes to labbing up pure networking protocols like BGP, OSPF, STP, or even simple IP routing, I needed something very simple that is easy to deploy and manage.
That's when I came across Containerlab which is a Lab-as-a-code tool that helps you set up and manage your network labs easily. Instead of dealing with complex setups and configurations, containerlab simplifies everything for you. Containerlab provides a command-line interface (CLI) that Continue reading
Testing Device Configuration Templates
Many network automation solutions generate device configurations from a data model and deploy those configurations. Last week, we focused on “how do we know the device data model is correct?” This time, we’ll take a step further and ask ourselves, “how do we know the device configurations work as expected?”
There are four (increasingly complex) questions our tests should answer: