Analysis of the EPYC 145% performance gain in Cloudflare Gen 12 servers

Cloudflare's network spans more than 330 cities in over 120 countries, serving over 60 million HTTP requests per second and 39 million DNS queries per second on average. These numbers will continue to grow, and at an accelerating pace, as will Cloudflare’s infrastructure to support them. While we can continue to scale out by deploying more servers, it is also paramount for us to develop and deploy more performant and more efficient servers.

At the heart of each server is the processor (central processing unit, or CPU). Even though many aspects of a server rack can be redesigned to improve the cost to serve a request, CPU remains the biggest lever, as it is typically the primary compute resource in a server, and the primary enabler of new technologies.

Cloudflare’s 12th Generation server with AMD EPYC 9684-X (codenamed Genoa-X) is 145% more performant and 63% more efficient. These are big numbers, but where do the performance gains come from? Cloudflare’s hardware system engineering team did a sensitivity analysis on three variants of 4th generation AMD EPYC processor to understand the contributing factors.

For the 4th generation AMD EPYC Processors, AMD offers three architectural variants: 

  1. mainstream classic Zen 4 cores, codenamed Continue reading

Protect against identity-based attacks by sharing Cloudflare user risk scores with Okta

Cloudflare One, our secure access service edge (SASE) platform, is introducing a new integration with Okta, the identity and access management (IAM) vendor, to share risk indicators in real-time and simplify how organizations can dynamically manage their security posture in response to changes across their environments.

For many organizations, it is becoming increasingly challenging and inefficient to adapt to risks across their growing attack surface. In particular, security teams struggle with multiple siloed tools that fail to share risk data effectively with each other, leading to excessive manual effort to extract signals from the noise. To address this complexity, Cloudflare launched risk posture management capabilities earlier this year to make it easier for organizations to accomplish three key jobs on one platform:

  1. Evaluating risk posed by people by using first-party user entity and behavior analytics (UEBA) models

  2. Exchanging risk telemetry with best-in-class security tools, and

  3. Enforcing risk controls based on those dynamic first- and third-party risk scores.

Today’s announcement builds on these capabilities (particularly job #2) and our partnership with Okta by enabling organizations to share Cloudflare’s real-time user risk scores with Okta, which can then automatically enforce policies based on that user’s risk. In this way, organizations can adapt Continue reading

NB499: Juniper Extending AI Umbrella to Security; Should We Regulate AI or AI Outcomes?

Take a Network Break! This week we cover a new Juniper announcement and discuss how the company is bringing its security portfolio under its AI umbrella, Aryaka adding CASB to its SASE menu, and whether the FTC’s prescriptive security requirements for Marriott will actually lead to better security. Cisco invests in a GPU-as-a-Service startup, stealthy... Read more »

Adding DHCP Role to ISE Lab Domain Controller

In the previous post, Setting up Active Directory for ISE Lab, we enabled Active Directory Domain Services. The DNS role was also added automatically as part of this process. In this post, we’ll add DHCP to the server.

Go to Server Manager, click Add roles and features. Click Next until you get to Server Roles. Select DHCP Server. This will display a window asking if required services should be installed:

Click Add Features. Click Next until getting to the Confirmation screen. Select Restart the destination server automatically if required. Since this is a lab, it’s OK to restart.

Select Yes. Then Click Install. The installation starts:

After the installation finishes, click Close.

The DHCP role has been added:

Let’s configure two DHCP scopes, one for employees and one for guests. Open the DHCP app, then expand the server and then IPv4. Right click on IPv4 and select New Scope…

This launches the New Scope Wizard:

Give the scope a name and a description:

Click Next. Then configure starting IP, ending IP, and the subnet mask:

Click Next. I’m not adding any exclusions so clicking Next again. Then configure the lease duration, I’m setting it to 1 day instead of Continue reading

HN753: Getting to Know Cisco’s Network Service Orchestrator (NSO)

On today’s episode, guest James Henderson joins the Packet Pushers to discuss Cisco’s Network Service Orchestrator (NSO). NSO’s role in network automation, its declarative management approach, and the challenges it presents are some of the things James shares with the hosts. They also cover operational requirements, deployment challenges, and performance considerations, in addition to discussing... Read more »

OCP Global Summit 2024

AI networking is a popular topic at the up coming OCP Global Summit in San Jose, California, with an entire morning on Wednesday October 16 devoted to the subject.
Of particular interest is the talk, Leveraging open technologies to monitor packet drops in AI cluster fabrics, by Aldrin Isaac, eBay, describing the challenge, AI clusters operate most efficiently over lossless networks for optimum job completion times which can be significantly impacted by dropped packets. Although networks can be designed to minimize packet loss by choosing the right network topology, optimizing network devices and protocols, an effective monitoring and troubleshooting network performance tool is still required. Such tool should capture packet drops, raise notifications and identify various drop reasons and pin point where the drops caused congestions. In turn, it allows the governing management application to tune configurations of relevant infrastructure components, including switches, NICs and GPU servers.

The talk will share the results and best practices of a TAM (Telemetry and Monitoring) solution being prepared for deployment at eBay. It leverages OCP’s SAI and open sFlow drop notification technologies as part of eBay’s ongoing initiatives to adopt open networking hardware and community SONiC for its data centers.

The sFlow Continue reading

AI for Network Engineers: Backpropagation Algorithm

 Introduction 


This chapter introduces the training model of a neural network based on the Backpropagation algorithm. The goal is to provide a clear and solid understanding of the process without delving deeply into the mathematical formulas, while still explaining the fundamental operations of the involved functions. The chapter also briefly explains why, and in which phases the training job generates traffic to the network, and why lossless packet transport is required. The Backpropagation algorithm is composed of two phases: the Forward pass (computation phase) and the Backward pass (adjustment and communication phase).

In the Forward pass, neurons in the first hidden layer calculate the weighted sum of input parameters received from the input layer, which is then passed to the neuron's activation function. Note that neurons in the input layer are not computational units; they simply pass the input variables to the connected neurons in the first hidden layer. The output from the activation function of a neuron is then used as input for the connected neurons in the next layer. The result of the activation function in the output layer represents the model's prediction, which is compared to the expected value (ground truth) using the error function. The output Continue reading

How Do You Get Experience in IT?

A question I often get is, how do you get experience in IT? For people trying to break into this industry, what can they do to gain experience? How can they showcase that experience to a potential employer even if they are applying for their first job? Breaking into a new industry can be the most difficult thing, you lack experience and most of all you probably lack a network. Here are my thoughts on how you can gain that experience.

University studies

The ROI on university studies will vary depending on if you live in a country like me where studies are financed by tax and there is no tuition, or in a country where it can be very costly. That’s not the argument here, university studies can give some things that is difficult to achieve in any other way. I did three years at a university and here’s why I think it’s really valuable.

Time – Having two or three years of dedicated studies is a luxury you won’t have at any other point in your career. You have a full-time job and trying to learn a new discipline on top of that is going to be much Continue reading

Using BGP NO_EXPORT Community to Filter Transit Routes

In previous BGP policy lab exercises, we covered several mechanisms you can use to ensure your autonomous system is not leaking transit routes (because bad things happen when you do, particularly when your upstream ISP is clueless).

As you probably know by now, there’s always more than one way to get something done with BGP. Today, we’ll explore how you can use the NO_EXPORT community to filter transit routes.

Click here to start the lab in your browser using GitHub Codespaces (or set up your own lab infrastructure). After starting the lab environment, change the directory to policy/d-no-export and execute netlab up.

Weekend Reads 101324


A study by the US General Services Administration (GSA) has revealed that five remote identity verification (RiDV) technologies are unreliable, inconsistent, and marred by bias across different demographic groups.


This time, he included a PoC that caused the ChatGPT app for macOS to send a verbatim copy of all user input and ChatGPT output to a server of his choice.


In the quest to revolutionize medicine, our bodies are becoming living laboratories. By 2030, itメs estimated that bioprinting could address up to 20% of the organ transplant waiting list globally.


Consider this: For every 1,000 human users in your organization, you likely have 10,000 non-human connections or credentials. Some estimates suggest the ratio could be as high as 45-to-1.


The U.S. Department of Justice (DOJ) is considering recommending a federal judge to force Google to sell parts of its business in a bid to eliminate its alleged monopoly on online search, according to a court filing Tuesday.


A US jury has found that employment practices at Cognizant constitute discriminatory conduct toward non-Indian workers in a case that originated in 2013 and claimed the tech giant favored H-1B visa holders from India over local workers.


Consumers are victims of online Continue reading

How to Protect GlobalProtect Portal from Brute Force Attacks?

How to Protect GlobalProtect Portal from Brute Force Attacks?

As soon as you configure GlobalProtect and go to the monitor tab, you will see hundreds or even thousands of attempts on your firewall's public IP on port 443. While protecting your portal with MFA generally mitigates major concerns, it’s still wise to implement as many security measures as possible. In this blog post, we will look at some simple ways to protect your GlobalProtect deployment.

We will look at the following methods.

  1. Disable GlobalProtect Portal
  2. Block access from malicious IPs (EDL)
  3. Security policy based on geo IPs
  4. Blacklist IPs using a Vulnerability Profile
💡
Even though you can take these security measures, it is highly recommended to use 2FA with GlobalProtect VPN, which provides a higher level of security.

Understanding Intrazone Policy

Before we proceed, just a quick note on how Intrazone policy works. By default, the firewall comes with two predefined security rules at the very bottom. The Interzone rule denies traffic between two zones that are not matched by a specific policy above.

How to Protect GlobalProtect Portal from Brute Force Attacks?

However, the default intrazone action is to allow, so traffic within the same zone is allowed by default. If someone initiates traffic from the WAN zone to Palo Alto’s public interface in Continue reading

TNO005: Making Networking Cool Again with Meter (Sponsored)

Meter CEO Anil Varanasi joins Scott Robohn on this sponsored episode of Total Network Operations to talk about Meter’s vision for networking and network operations. In this podcast, recorded the day before Meter’s first public MeterUp event, Anil and Scott discuss Meter’s approach to building new networking equipment, vertical integration of their hardware and software,... Read more »

Memos – Amazing Open Source, Self-hosted Notes App

Memos - Amazing Open Source, Self-hosted Notes App

I've tried many note-taking apps like Evernote, OneNote, and Apple Notes, but none really satisfied me, if I'm being honest. I've always wanted something simple, without any over-complication, and either free or cost-effective. Although, I have to admit, at the moment, I'm using an app called 'Bear Notes,' which costs around £2 per month, and I love the app. It's so minimalist and very user-friendly, but it doesn't have a web GUI or an app for Windows. I'm an Apple user, so it's not a big issue.

That being said, I recently stumbled upon another great self-hosted note-taking app called 'Memos' I just couldn't believe that I didn't know about this until very recently. It's so minimalist and has a Twitter-like feed where you can just chuck on any note, links, or even attachments.

Memos - Amazing Open Source, Self-hosted Notes App
https://www.usememos.com/

Memos Installation

If you already have Docker installed, the installation will take just a few seconds. You can use either docker run or docker-compose.

docker run -d \
  --init \
  --name memos \
  --publish 5230:5230 \
  --volume ~/.memos/:/var/opt/memos \
  neosmemo/memos:stable
services:
  memos:
    image: neosmemo/memos:stable
    container_name: memos
    volumes:
      - ~/.memos/:/var/opt/memos
    ports:
      - 5230:5230

In the Docker configuration for Continue reading

1 8 9 10 11 12 3,697