Configuration of BGP afi/safi L2VPN EVPN and NVE Tunnel Interface
Overlay Network Routing: MP-BGP L2VPN/EVPN
EVPN Fabric Data Plane – MP-BGP
Instead of being a protocol, EVPN is a solution that utilizes the Multi-Protocol Border Gateway Protocol (MP-BGP) for its control plane in an overlay network. Besides, EVPN employs Virtual eXtensible Local Area Network (VXLAN) encapsulation for the data plane of the overlay network.
Multi-Protocol BGP (MP-BGP) is an extension of BGP-4 that allows BGP speakers to encode Network Layer Reachability Information (NLRI) of various address types, including IPv4/6, VPNv4, and MAC addresses, into BGP Update messages. The MP_REACH_NLRI path attribute (PA) carried within MP-BGP update messages includes Address Family Identifier (AFI) and Subsequent Address Family Identifier (SAFI) attributes. The combination of AFI and SAFI determines the semantics of the carried Network Layer Reachability Information (NLRI). For example, AFI-25 (L2VPN) with SAFI-70 (EVPN) defines an MP-BGP-based L2VPN solution, which extends a broadcast domain in a multipoint manner over a routed IPv4 infrastructure using an Ethernet VPN (EVPN) solution.
BGP EVPN Route Types (BGP RT) carried in BGP update messages describe the advertised EVPN NLRIs (Network Layer Reachability Information) type. Besides publishing IP Prefix information with IP Prefix Route (EVPN RT 5), BGP EVPN uses MAC Advertisement Route (EVPN RT 2) Continue reading
BGP Labs: EBGP Sessions over IPv6 LLA Interfaces
If you insist on building your network with EBGP as a better IGP, make sure your implementation supports running IPv4 and IPv6 address families over EBGP sessions established between IPv6 link-local addresses (the functionality lovingly called unnumbered EBGP sessions).
Want to practice that neat trick? Check out the EBGP Sessions over IPv6 LLA Interfaces lab exercise.
BGP Labs: EBGP Sessions over IPv6 LLA Interfaces
If you insist on building your network with EBGP as a better IGP, make sure your implementation supports running IPv4 and IPv6 address families over EBGP sessions established between IPv6 link-local addresses (the functionality lovingly called unnumbered EBGP sessions).
Want to practice that neat trick? Check out the EBGP Sessions over IPv6 LLA Interfaces lab exercise.
NAN062: The Team Behind Nautobot (Part 1)
Today we chat with the maintainers of Nautobot, the open source network source of truth and network automation platform. Jason Edelman, Ken Celenza, John Anderson explain how their day jobs at professional services company, Network to Code, informs their work on Nautobot. They walk us through Nautobot’s core, out-of-the-box capabilities as well as the extensibility... Read more »Fat Pipe Transition Notification – May 2024
Hey, everyone. Ethan here with a behind-the-scenes administrative request. Several thousand of you subscribe to the Packet Pushers’ Fat Pipe. In the Fat Pipe, we’ve been stuffing every single podcast we produce. The problem is that we produce way too many shows–one almost every weekday–for the average podcast client to absorb them all. We can... Read more »3 observability best practices for improved security in cloud-native applications
Why is observability important for better security?
Observability, especially in the context of cloud-native applications, is important for several reasons. First and foremost is security. By design, cloud-native applications rely on multiple, dynamic, distributed, and highly ephemeral components or microservices, with each microservice operating and scaling independently to deliver the application functionality. In this type of microservices-based architecture, observability and metrics provide security insights that enable teams to identify and mitigate zero-day threats through the detection of anomalies in microservices metrics, such as traffic flow, process calls, syscalls, and more. Using machine learning (ML) and heuristic analysis, security teams can identify abnormal behavior and issue alerts.
Observability also enables security teams to visualize the blast radius in the event of a breach. Using this information, teams can apply mitigating controls, such as security policy updates, to isolate the breached microservice and thereby limit exposure.
And finally, observability helps DevOps teams maintain the quality of service by identifying service failure and performance hotspots, and conducting a detailed investigation with capabilities such as packet capture and distributed tracing.
Observability challenges
DevOps and SRE teams today are being overwhelmed by an enormous amount of data from multiple, disparate systems that monitor infrastructure and Continue reading
Managing Multiple Python Versions with pyenv
In my Python journey, I've always stuck to just one version of Python at a time. I happily used Python 3.9 for quite a while, then switched to Python 3.10 without any issues. Everything was perfect until recently when I tried installing a Python application using pip, but no matter what I did, the installation kept failing. I couldn't fix the issue even after hours of Googling.
That's when I finally decided to check the documentation (which I should have done from the start), and there it was, this application requires a minimum Python version of 3.8 and was only tested on versions 3.8 and 3.9. That made me think, maybe I should have installed it using Python 3.9, but how? I'm no expert in Linux or Unix systems, and I worried that reinstalling Python 3.9 could mess up other projects I'd built on 3.10.
So, I started exploring how to manage multiple Python versions on the same machine, and that's when I stumbled upon a tool called 'pyenv'. This seemed like the perfect solution to my problem, so I decided to learn more about it.
Python For Network Engineers Continue reading
Cisco vPC in VXLAN/EVPN Network – Part 2 – Configuring vPC
When building leaf and spine networks, leafs connect to spines, but leafs don’t connect to leafs, and spines don’t connect to spines. There are exceptions to this and vPC is one of those exceptions. The leafs that are going to be part of the same vPC need to connect to each other. There are two ways of achieving this:
- Physical interfaces.
- Fabric peering.
We will first use physical interfaces and then later remove that and use fabric peering. Now, my lab is virtual so take physical with a grain of salt, but they will be dedicated interfaces. The following will be required to configure vPC:
- Enable vPC.
- Enable LACP.
- Create vPC domain.
- Create a VRF for the vPC peer keepalive.
- Configure the interface for vPC peer keepalive.
- Configure the vPC peer keepalive.
- Configure the vPC peer link interfaces.
- Configure the vPC peer link.
This is shown below:
The vPC is now up:
Leaf1# show vpc
Legend:
(*) - local vPC is down, forwarding via vPC peer-link
vPC domain id : 1
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status : success
Per-vlan consistency status : success
Type-2 consistency status : success
Continue reading
Testing Pi-hole Development Version 6
Pi-hole, the network-wide ad-blocking solution, has recently undergone significant updates, introducing a range of new […]
The post Testing Pi-hole Development Version 6 first appeared on Brezular's Blog.
PP012: Planning for a Post Quantum Cryptography World
The classical encryption algorithms that currently undergird our IT infrastructure will be broken once there’s a powerful and stable enough quantum computer to do the job. Quantum-resistant algorithms are being developed by NIST, but implementation and deployment of these algorithms still have to be addressed. So what does all this mean for busy IT and... Read more »HW026: Wireless Training and Certifications for IoT
With the rapid growth of IoT across enterprise and industrial spaces, now is a good time to check in on the wireless training and certification landscape beyond Wi-Fi. Today, Tom Carpenter, the Director of Education for the Certified Wireless Network Professionals joins us to give a lay of the land. He explains how the protocols... Read more »
Repost: The Real LISP Mobility Use Case
Béla Várkonyi is working on an interesting challenge: building ground-to-airplane(s) networks providing multilink mobility. Due to its relative simplicity, he claims LISP works much better than BGP in that environment.
In some newer routers BGP would not be such a big bottleneck, but you need a lot of knob turning in BGP to get it right, while in LISP it is quite simple.
If you have many thousands concurrent airplanes with multi-link and max. 16 subnets with different routing policies on each, and the radio links are going up and down, then you have a large number of mobility events.
Repost: The Real LISP Mobility Use Case
Béla Várkonyi is working on an interesting challenge: building ground-to-airplane(s) networks providing multilink mobility. Due to its relative simplicity, he claims LISP works much better than BGP in that environment.
In some newer routers BGP would not be such a big bottleneck, but you need a lot of knob turning in BGP to get it right, while in LISP it is quite simple.
If you have many thousands concurrent airplanes with multi-link and max. 16 subnets with different routing policies on each, and the radio links are going up and down, then you have a large number of mobility events.
History of Networking: Updated Links
Someone told me some (or many?) of the links are broken to the History of Networking recordings. I went through the S3 bucket and renamed all the files so there are no spaces (because S3 buckets don’t always work right with spaces), and then checked them all to make certain they work. Along the way I found three or four episodes that were recorded and not on the HoN page, so I added them.
Check out the corrected listing here.
I think I have one more recording that was never edited and published; I will probably put it in the Hedge stream in the next month or two just so it’s out there.
Tech Bytes: Using ZTNA for VPN Consolidation, Protecting Dev Access with SSE (Sponsored)
Zero Trust Network Access, or ZTNA, is a core element of a Security Service Edge because it enables secure remote access to on-prem and cloud-based applications. On today’s episode, sponsored by HPE Aruba Networking, we dig into ZTNA from HPE’s perspective and hear customer stories on how it’s being used for third-party access, VPN consolidation,... Read more »NB476: IBM Buys HashiCorp; Running Data Centers With Vegetable Oil?
Take a Network Break! We welcome guest commentator Kyler Middleton of Day Two Cloud to discuss the IBM/HashiCorp deal, then pivot to new Wi-Fi 7 APs from HPE Aruba Networking, and discuss why a data center builder in Ireland is constructing a power generation plant alongside the generator–and powering it partly with vegetable oil. Noncompete... Read more »Q1 2024 Internet disruption summary
This post is also available in 日本語, 한국어, Deutsch, Français, Español.
Cloudflare’s network spans more than 310 cities in over 120 countries, where we interconnect with over 13,000 network providers in order to provide a broad range of services to millions of customers. The breadth of both our network and our customer base provides us with a unique perspective on Internet resilience, enabling us to observe the impact of Internet disruptions. Thanks to recently released Cloudflare Radar functionality, this quarter we have started to explore the impact from a routing perspective, as well as a traffic perspective, at both a network and location level.
The first quarter of 2024 kicked off with quite a few Internet disruptions. Damage to both terrestrial and submarine cables caused problems in a number of locations, while military action related to ongoing geopolitical conflicts impacted connectivity in other areas. Governments in several African countries, as well as Pakistan, ordered Internet shutdowns, focusing heavily on mobile connectivity. Malicious actors known as Anonymous Sudan claimed responsibility for cyberattacks that disrupted Internet connectivity in Israel and Bahrain. Maintenance and power outages forced users offline, resulting in observed drops in traffic. And in Continue reading
netlab: Global and Node VRFs
When designing the netlab VRF configuration module, I tried to make it as flexible as possible while using the minimum number of awkward nerd knobs. As is often the case1, the results could be hard to grasp, so let’s walk through the various scenarios of using global and node VRFs.
netlab allows you to define a VRF in the lab topology vrfs dictionary (global VRF) or in a node vrfs dictionary (node VRF). In most cases, you’d define a few global VRFs and move on.
netlab: Global and Node VRFs
When designing the netlab VRF configuration module, I tried to make it as flexible as possible while using the minimum number of awkward nerd knobs. As is often the case1, the results could be hard to grasp, so let’s walk through the various scenarios of using global and node VRFs.
netlab allows you to define a VRF in the lab topology vrfs dictionary (global VRF) or in a node vrfs dictionary (node VRF). In most cases, you’d define a few global VRFs and move on.