Junos Policy-Based VPNs – Part 1 of 4 – Security Policies
Policy-based VPNs are a pain most of the time, especially when compared to route-based VPNs. Many of the policy-based VPNs …
The post Junos Policy-Based VPNs – Part 1 of 4 – Security Policies appeared first on Fryguy's Blog.
SEC 1. Data plane and control plane protection in the networking (Nokia, Cisco and Mellanox/Cumulus) for IPv4.
Hello my friend,
This is the third article where we use the Mellanox SN 2010 running Cumulus Linux. And today we cover enormously important topic: network security. More precisely, we will speak about the data plane and the control plane protection. Cisco IOS XR and Nokia SR OS accompany us in this journey.
Thanks
Special thanks for Avi Alkobi from Mellanox and Pete Crocker and Attilla de Groot from Cumulus Networks for providing me the Mellanox switch and Cumulus license for the tests.
Disclaimer
This blogpost is the continuation of the previous one, where we have brought the Mellanox SN 2010 to the operational with Cumulus Linux 3.7.9 on board. If you want to learn the details about this process, you are welcomed to read that article.
Brief description
Each week you can find the news describing the security breaches. In the modern economy, where the Internet plays already a key role, all the connected businesses (and almost all businesses are connected) are on the risk caused by casual network scanning and brood force attacks. In addition to that, big companies and governments are quite often the attack targets for other companies, governments and criminals. Therefore, Continue reading
New Content: EVPN on Linux Hosts and External Azure Connectivity
Dinesh Dutt added another awesome chapter to the EVPN saga last week explaining how (and why) you could run VXLAN encapsulation with EVPN control plane on Linux hosts (TL&DR: think twice before doing it).
In the last part of current Azure Networking series I covered external VNet connectivity, including VNet peering, Internet access, Virtual Network Gateways, VPN connections, and ExpressRoute. The story continues on February 6th 2020 with Azure automation.
You’ll need Standard ipSpace.net Subscription to access both webinars.
Docker’s Success a Foundation for Its Struggles
“In a sense, Docker is almost a victim of its own success,” said 451 Research's Jay Lyman....
© SDxCentral, LLC. Use of this feed is limited to personal, non-commercial use and is governed by SDxCentral's Terms of Use (https://www.sdxcentral.com/legal/terms-of-service/). Publishing this feed for public or commercial use and/or misrepresentation by a third party is prohibited.
EVPN-VXLAN | Layer 3 Gateway | IRB | JUNOS
I often get asked about EVPN Layer 3 gateway options. And more specifically, what are the differences between IRB with Virtual Gateway Address (VGA) and IRB without VGA. There are many different options and configuration knobs available when configuring EVPN L3 gateway. But I’ve focused on the 3 most popular options that I see with my customers in EVPN-VXLAN environments in a centralised model. I’m also only providing the very basic configuration required.
Each IRB option can be considered an Anycast gateway solution seeing as duplicate IPs are used across all IRB gateways. However, there are some subtle, yet significant, differences between each option.
Regardless of the transport technology used, whether it be MPLS or VXLAN, a layer 3 gateway is required to route beyond a given segment.
This Week: Data Center Deployment with EVPN/VXLAN by Deepti Chandra provides in-depth analysis and examples of EVPN gateway scenarios. I highly recommend reading this book!
IRB Option 1
Duplicate IP | Unique MAC | No VGA
Duplicate IPs are configured on all gateway IRBs and unique MAC addresses are used (manually configured or IRB default). Virtual Gateway Address is not used.
EVPN provides the capability to automatically synchronise gateways Continue reading
It’s crowded in here!
We recently gave a presentation on Programming socket lookup with BPF at the Linux Plumbers Conference 2019 in Lisbon, Portugal. This blog post is a recap of the problem statement and proposed solution we presented.
Our edge servers are crowded. We run more than a dozen public facing services, leaving aside the all internal ones that do the work behind the scenes.
Quick Quiz #1: How many can you name? We blogged about them! Jump to answer.
These services are exposed on more than a million Anycast public IPv4 addresses partitioned into 100+ network prefixes.
To keep things uniform every Cloudflare edge server runs all services and responds to every Anycast address. This allows us to make efficient use of the hardware by load-balancing traffic between all machines. We have shared the details of Cloudflare edge architecture on the blog before.
Granted not all services work on all the addresses but rather on a subset of them, covering one or several network prefixes.
So how do you set up your network services to listen on hundreds of IP addresses without driving the network stack over the edge?
Cloudflare engineers have had to ask themselves this question Continue reading
You cannot cURL under pressure
You cannot cURL under pressure
cURL. The wonderful HTTP plumbing tool that powers both a lot of command line debugging and bash scripts, but also exists as a strong foundation in our applications in the form of libcurl.
Editing Files in a Docker Container
This is the quick and easy way I learned to edit some files within a Docker container. Professional DevOps engineers might be doing it in a different way, this is the network engineers way of doing things 
-Rakesh
Must read: Shades of Lock-in
Gregor Hohpe published an excellent series on Martin Fowler’s web site focusing on various aspects of lock-in. If nothing else, you SHOULD read the shades of lock-in part, and combine it with my thoughts on lock-in in data center networking.
What’s it like to come out as LGBTQIA+ at work?
Today is the 31st Anniversary of National Coming Out Day. I wanted to highlight the importance of this day, share coming out resources, and publish some stories of what it's like to come out in the workplace.
About National Coming Out Day
Thirty-one years ago, on the anniversary of the National March on Washington for Lesbian and Gay Rights, we first observed National Coming Out Day as a reminder that one of our most basic tools is the power of coming out. One out of every two Americans has someone close to them who is gay or lesbian. For transgender people, that number is only one in 10.
Coming out - whether it is as lesbian, gay, bisexual, transgender or queer - STILL MATTERS. When people know someone who is LGBTQ, they are far more likely to support equality under the law. Beyond that, our stories can be powerful to each other.
Each year on October 11th, National Coming Out Day continues to promote a safe world for LGBTQ individuals to live truthfully and openly. Every person who speaks up changes more hearts and minds, and creates new advocates for equality.
For more on coming out, visit HRC's Coming Out Continue reading
Tarek Kamel: A Loss to the Internet Community
It was indeed very sad news yesterday that Tarek Kamel passed away. Despite his suffering and illness, no one expected death could be that close. Just last week I was chatting with friends in common about his persistence in planning to attend the upcoming ICANN meeting in Montreal, with permission from his doctors. That was Tarek Kamel: always forward looking and a real fighter for what he believed in.
Tarek’s death moved not only his family and friends, but a wider group, especially in the Internet community. Let me share why.
Who is He in a Nutshell?
Tarek Kamel had a Ph.D. in electrical engineering and information technology from the Technical University of Munich. From 1992 to 1999, he was the manager of Egypt’s Communications and Networking Department at the Cabinet Information and Decision Support Centre (IDSC/RITSEC). During this period, he established Egypt’s first connection to the Internet, steered the introduction of commercial Internet services in Egypt, and co-founded the Internet Society of Egypt (the Egyptian Chapter).
Kamel joined the Ministry of Communications and Information Technology at its formation in October 1999, where he was appointed senior advisor to the minister. Then he served as the minister of communications and information Continue reading
Heavy Networking 477: Segment Routing Boot Camp With Juniper Networks (Sponsored)
Today on Heavy Networking we go deep on segment routing, a way to encode into a packet the path it should take through the network. Guest Ron Bonica, Distinguished Engineer at Juniper Networks, offers a detailed look at how segment routing works; discusses use cases; explores the differences among SR-MPLS, SRv6, and SRv6+; and more. Juniper is our sponsor for today's show.
The post Heavy Networking 477: Segment Routing Boot Camp With Juniper Networks (Sponsored) appeared first on Packet Pushers.
Colt Rolls ADVA Ensemble Into Latest uCPE Line
Colt launched a new line of uCPE appliances powered by ADVA's Ensemble software platform in a bid...
© SDxCentral, LLC. Use of this feed is limited to personal, non-commercial use and is governed by SDxCentral's Terms of Use (https://www.sdxcentral.com/legal/terms-of-service/). Publishing this feed for public or commercial use and/or misrepresentation by a third party is prohibited.
Ericsson Eyes $700B 5G Growth Opportunity for Service Providers
The vendor warns that revenues from currently available services, namely mobile broadband services,...
© SDxCentral, LLC. Use of this feed is limited to personal, non-commercial use and is governed by SDxCentral's Terms of Use (https://www.sdxcentral.com/legal/terms-of-service/). Publishing this feed for public or commercial use and/or misrepresentation by a third party is prohibited.
SAP CEO Bill McDermott Clocks Out
In a statement, SAP explained that McDermott “decided not to renew his contract.” The company...
© SDxCentral, LLC. Use of this feed is limited to personal, non-commercial use and is governed by SDxCentral's Terms of Use (https://www.sdxcentral.com/legal/terms-of-service/). Publishing this feed for public or commercial use and/or misrepresentation by a third party is prohibited.