Juniper QFX10k | EVPN-VXLAN | IRB Routing | BGP

IRB Routing over EVPN-VXLAN on Juniper QFX10K is now officially supported by Juniper! EVPN master Tom Dwyer informed me that support had been added. A quick check on the VXLAN Constraints page confirms the same. Although, note that IS-IS is still not yet officially supported.

So, what’s the use case? Let’s say there’s a vSRX, hosted in a blade chassis environment, which requires dynamic route updates from the core network. The blade chassis is connected to an EVPN-VXLAN fabric via multi-homed layer 2 uplinks utilising EVPN ESI. In order to establish a BGP peering with the core network, the vSRX must peer with the SPINE devices via the EVPN-VXLAN fabric. 

Overview

This article explains how to establish an EBGP peering between a QFX10K IRB interface and a vSRX in an EVPN-VXLAN environment. The vSRX is hosted in an ESXi hypervisor, which is connected via LEAF1 and LEAF2. A /29 network is used on VNI300 and an EBGP peering is established between SPINE1 & vSRX1 and between SPINE2 & vSRX1. A default route is advertised by both QFX10K SPINEs towards vSRX1. 

QFX10k-IRB-ROUTING-2

 

Device Details:

SPINE – QFX10K  – 17.3R3
LEAF – QFX5110  – 17.3R3
vSRX – 15. Continue reading

It’s a Wrap – Highlights from the DockerCon 2019 Keynote Sessions

If you missed DockerCon in San Francisco this year or were unable to watch the livestream, no need to worry – we have you covered. You can catch all the demos, get the latest announcements and find out what is next for the Docker ecosystem by watching the replay sessions on demand.

Day 1: Docker Enterprise 3.0, Customer Innovation Awards, Robots and More

On Tuesday,  we kicked off the first day of DockerCon with product announcements, demos and customer guest speakers. During the session, we presented Docker Enterprise 3.0, the only desktop-to-cloud enterprise container platform enabling organizations to build and share any application and securely run them anywhere – from hybrid cloud to the edge. Additionally, we announced this year’s winners of the Customer Innovation awards, featuring Carnival, Citizens Bank, Liberty Mutual, Lindsay Corporation and Nationwide.

On-stage, the Docker team also demonstrated  Docker Applications, Docker Kubernetes Service (DKS) and new features and capabilities in Docker Desktop Enterprise – all designed to accelerate the application development and deployment pipeline. They keynote closed with a demonstration from R.O.S.I.E, the robot built by two Liberty Mutual engineers using Docker.

 To learn first hand everything featured Continue reading

Heavy Networking 447: Building A Networking Career Outside The Big City

Today's Heavy Networking is a roundtable show where we talk with engineers about the challenges of building a networking career when you don't live in a big city. We talk about how to find jobs, get training, advance your skills, and build community. Our guests are Phil Gervasi, Ryan Booth, and Eric Stover.

The post Heavy Networking 447: Building A Networking Career Outside The Big City appeared first on Packet Pushers.

Weekend Reads 050219

To say that Kubernetes provides no security features would be wrong. Kubernetes provides some functionality designed to help secure a containerized application. But it would be equally wrong to call Kubernetes a container security tool. Kubernetes’s ability to secure containers is strictly limited. —Sonya Koptyev

There is no denying the impact of the European Union General Data Protection Regulation (GDPR), which went into effect on May 25, 2018. We were all witness — or victim — to the flurry of updated privacy policy emails and cookie consent banners that descended upon us. It was such a zeitgeist moment that “we’ve updated our privacy policy” became a punchline. —Daniel Barber

One of the fascinating parts of my job is seeing how different groups in email have radically disparate points of view. A current example is how much value senders put on spamtraps compared to ISPs and filtering companies —Laura Atkins

I loosely define capability decay as things that happen when security teams go backwards, and the specific ways — the decay modes — in which this may happen (this is my inner physicist speaking). —Hinne Hettema

On April 12 the FCC issued a new Notice for Proposed Rulemaking in Docket 19-71 Continue reading

Cisco’s Catalyst for Change

You’ve probably heard by now of the big launch of Cisco’s new 802.11ax (neé Wi-Fi 6) portfolio of devices. Cisco did a special roundtable with a group of influencers from the community called Just The Tech. Here’s a video from that event covering the APs that were released, the 9120:

Fred always does a great job of explaining the technical bits behind the APs. But one thing that caught my eye here is the name of the AP – Catalyst. Cisco has been using Aironet for their AP line since they purchased Aironet Wireless Communications back in 1999. The name was practically synonymous with wireless technologies for many people in the industry that worked exclusively with Cisco technologies.

So, is the name change something we should be concerned about?

A Rose Is a Rose Is An AP

Cisco moving toward a unified naming convention for their edge solutions makes a lot of sense. Ten years ago, wireless was still primarily 802.11g-based with 802.11n still a few months away from being proposed and ratified. Connectivity hadn’t quite yet reached the ubiquitous levels of wireless that we see today. The iPhone was only about to be on its third Continue reading

Stuff The Internet Says On Scalability For May 3rd, 2019

Wake up! It's HighScalability time:

 

Event horizon? Nope. It's a close up of a security hologram. Makes one think.

 

Do you like this sort of Stuff? I'd greatly appreciate your support on Patreon. I wrote Explain the Cloud Like I'm 10 for people who need to understand the cloud. And who doesn't these days? On Amazon it has 45 mostly 5 star reviews (105 on Goodreads). They'll learn a lot and hold you in awe.

 

Number Stuff:

  • $1 trillion: Microsoft is the most valuable company in the world (for now)
  • 20%: global enterprises will have deployed serverless computing technologies by 2020
  • 390 million: paid Apple subscriptions, revenue from the services business climbed from $9.9 billion to $11.5 billion, services now account for “one-third” of the company’s gross profits
  • 1011: CubeStat missions
  • $326 billion: USA farm expenses in 2017
  • 61%: increase in average cyber attack losses from $229,000 last year to $369,000 this, a figure exceeding $700,000 for large firms versus just $162,000 in 2018.
  • $550: can yield 20x profit on the sale of compromised login credentials

Quotable Stuff:

eBPF can’t count?!

eBPF can't count?!
Grant mechanical calculating machine, public domain image
eBPF can't count?!

It is unlikely we can tell you anything new about the extended Berkeley Packet Filter, eBPF for short, if you've read all the great man pages, docs, guides, and some of our blogs out there.

But we can tell you a war story, and who doesn't like those? This one is about how eBPF lost its ability to count for a while1.

They say in our Austin, Texas office that all good stories start with "y'all ain't gonna believe this… tale." This one though, starts with a post to Linux netdev mailing list from Marek Majkowski after what I heard was a long night:

eBPF can't count?!

Marek's findings were quite shocking - if you subtract two 64-bit timestamps in eBPF, the result is garbage. But only when running as an unprivileged user. From root all works fine. Huh.

If you've seen Marek's presentation from the Netdev 0x13 conference, you know that we are using BPF socket filters as one of the defenses against simple, volumetric DoS attacks. So potentially getting your packet count wrong could be a Bad Thing™, and affect legitimate traffic.

Let's try to reproduce this bug with Continue reading

Technology Short Take 113

Welcome to Technology Short Take #113! I hope the collection of links and articles I’ve gathered for you contains something useful for you. I think I have a pretty balanced collection this time around; there’s a little bit of something for almost everyone. Who says you can’t please everyone all the time?

Networking

  • Via the Kubernetes blog, Box announced it has open sourced a project called kube-iptables-tailer, which turns packet drops from iptables into Kubernetes events that can be logged for easier troubleshooting. The GitHub repository for the project is here.
  • Via BlueCat Networks, John Capobianco shares his network automation journey. In part 1, John discusses the frameworks/tooling and the goals for his network automation efforts; in part 2, John digs into getting started with Ansible and the initial impact of his efforts.
  • Diógenes Rettori has a comparison of Istio and Linkerd as solutions for service mesh. Personally, I could’ve done without the little product advertisement at the end, but that’s just me.
  • Here’s a good article on packets-per-second limits in EC2.

Servers/Hardware

Security

10 Hot IoT security startups to watch

The internet of things is growing at breakneck pace and may end up representing a bigger economic shift in networking than the internet itself did, making security threats associated with the IoT a major concern.This worry is reflected by investments being made in startups that focus on stopping threats to the IoT, the industrial IoT (IIoT) and the operational technology (OT) surrounding them.To read this article in full, please click here(Insider Story)

1 1,250 1,251 1,252 1,253 1,254 3,848