EVPN Deepdive Route Types 2 and 3

In my last post on Configuring EVPN, we setup EVPN but configured no services. In this post we will configure a basic L2 service so we can dive into the different EVPN route types. This post will cover route type 2 and 3 together as you will commonly see these together. This post will cover:

  • Discovery of VTEPs.
  • How to map a VLAN to a VNI.
  • Automatic generation of RD and RT.
  • Advertising MAC- and optionally IP address (route type 2).
  • Ingress replication with dynamic discovery of VTEPs (route type 3).

The topology we will use for this post is shown below:

Before diving into configuration, let’s discuss something that is often overlooked, VTEP discovery.

VTEP discovery

Without EVPN, VXLAN uses flood and learn behavior for discovery of VTEPs. This means that any host sending VXLAN frames would be considered a trusted VTEP in the network. This is obviously not great from a security perspective. When using EVPN, adding VTEPs is based on BGP messages. A VTEP will learn about other VTEPs based on these BGP updates. It’s not a specific route type, but rather any type of EVPN message. This makes it more difficult to add a rogue Continue reading

Modern Network Troubleshooting

I’ve reformatted and rebuilt my network troubleshooting live training for 2023, and am teaching it on the 26th of January (in three weeks). You can register at Safari Books Online. From the site:

The first way to troubleshoot faster is to not troubleshoot at all, or to build resilient networks. The first section of this class considers the nature of resilience, and how design tradeoffs result in different levels of resilience. The class then moves into a theoretical understanding of failures, how network resilience is measured, and how the Mean Time to Repair (MTTR) relates to human and machine-driven factors. One of these factors is the unintended consequences arising from abstractions, covered in the next section of the class.

The class then moves into troubleshooting proper, examining the half-split formal troubleshooting method and how it can be combined with more intuitive methods. This section also examines how network models can be used to guide the troubleshooting process. The class then covers two examples of troubleshooting reachability problems in a small network, and considers using ChaptGPT and other LLMs in the troubleshooting process. A third, more complex example is then covered in a data center fabric.

A short section on proving Continue reading

VRF Without Route Target – Will the Route Be Exported?

Yesterday I posted a tricky question to Twitter. If you have a working VPNv4 environment and create a VRF with only a Route Distinguisher (RD) but without Route Targets (RT), will the route be exported? The answer may surprise you! The configuration supplied in the question was similar to the one below:

vrf definition QUIZ
 rd 198.51.100.1:100 
 !
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet2
 vrf forwarding QUIZ
 ip address 203.0.113.1 255.255.255.0
!
router bgp 65000
 !
 address-family ipv4 vrf QUIZ
  network 203.0.113.0

Notice how this VRF has a RD but no RT. Will this router, PE1, advertise the route into VPNv4? Most would say no, but the answer is yes. Let’s first check that we see the route locally on PE1 in VRF QUIZ:

PE1#show bgp vpnv4 uni vrf QUIZ 203.0.113.0
BGP routing table entry for 198.51.100.1:100:203.0.113.0/24, version 4
Paths: (1 available, best #1, table QUIZ)
  Advertised to update-groups:
     1         
  Refresh Epoch 1
  Local
    0.0.0.0 (via vrf QUIZ) from 0.0.0.0 (198.51.100.1)
      Origin IGP, metric 0, localpref 100, weight 32768, valid, sourced, local, best
      mpls  Continue reading

Back On Track in 2024

It’s time to look back at my year that was and figure out where this little train jumped off the rails. I’ll be the first to admit that I ran out of steam chugging along toward the end of the year. My writing output was way down for reasons I still can’t quite figure out. Everything has felt like a much bigger task to accomplish throughout the year. To that end, let’s look at what I wanted to do and how it came out:

  • Keeping Track of Things: I did a little bit better with this one, aside from my post schedule. I tried to track things much more and understand deadlines and such. I didn’t always succeed like I wanted to but at least I made the effort.
  • Creating Evergreen Content: This one was probably a miss. I didn’t create nearly as much content this year as I have in years past. What little I did create sometimes felt unfocused and less impactful. Part of that has to do with the overall move away from written content to something more video and audio focused. However, even my other content like Tomversations was significantly reduced this year. I will Continue reading

BGP EVPN Part-I: Challenges in Traditional Switched Datacenter Networks

Inefficient Link Utilization

The default Layer 2 Control Plane protocol in Cisco NX-OS is a Rapid Per-VLAN Spanning Tree Plus (Rapid PVST+), which runs 802.1w standard Rapid Spanning Tree Protocol (RSTP) instance per VLAN. Rapid PVST+ builds a VLAN-specific, loop-free Layer 2 data path from the STP root switch to all non-root switches. Spanning Tree Protocol, no matter which mode we use, allows only one active path at a time and blocks all redundant links. One general solution for activating all Inter-switch links is placing an STP root switch for odd and even VLANs into different switches. However, STP allows only a VLAN-based traffic load balancing.


CPU and Memory Usage

After building a loop-free data path, switches running Rapid PVST+ monitor the state of the network by using Spanning Tree instance-based Bridge Protocol Data Units (BPDU). By default, each switch sends instance-based BPDU messages from their designated port in two-second intervals. If we have 2000 VLANs, all switches must process 2000 BPDUs. To reduce CPU and Memory consumption caused by BPDU processing, we can use Multiple Spanning Tree – MSTP (802.1s), where VLANs are associated with Instances. For example, we can attach VLANs 1-999 to one instance and Continue reading

Goodbye, ipSpace.net Subscription

I ran the first webinar as an independent author almost exactly fourteen years ago1, with the first ticket sold just before New Year’s Eve. I kept focusing on individual webinars until someone asked me, “Would it be possible to buy access to everything you did?” His question effectively created the ipSpace.net subscription, with the first one sold in late 2010 (I still have the email that triggered the whole process).

Read more …

Goodbye, ipSpace.net Subscription

I ran the first webinar as an independent author almost exactly fourteen years ago1, with the first ticket sold just before New Year’s Eve. I kept focusing on individual webinars until someone asked me, “Would it be possible to buy access to everything you did?” His question effectively created the ipSpace.net subscription, with the first one sold in late 2010 (I still have the email that triggered the whole process).

Read more …

Apollo 11 notes

I was re-reading the Apollo 11 mission reports, as one does, and decided to take some notes along the way.

If you’re interested in these things, I also highly recommend curiousmarc’s series on the Apollo comms hardware.

Notes

First time I’ve seen the word “doff”. Can’t wait to use it in daily conversation.

The rocket equation is a beast. The LM descent stage had 8’210kg of propellant. The ascent stage only 2’365kg.
– Volume 1, Page 50

In total 10’849kg out of 15’061 (72%) of the LM was propellant. (excluding the astronauts themselves)

The LM flown on Apollo 10 did not have the landing program in its computer. To prevent the temptation to land?
– Volume 1, Page 62

Armstrong’s parents were “Mr. and Mrs. Stephen Armstrong”. Michael Collins’ mother is mentioned, but her name is also lost to history, as she’s referred to as “Mrs. James L. Collins”. Only Buzz Aldrin’s mother is named (and what a name!), as Marion Moon Aldrin.

All three were born in 1930, making them turn 39 in 1969.
– Volume 1, Page 76-78

“High speed” data mode is 2400bps, divided into 240 bit blocks.
– Volume 1, Page 93

Aside from the Continue reading

Configuring EVPN on NX-OS

In this post we will configure EVPN on NX-OS. We will reuse the VXLAN topology from my previous post. The following will describe the setup in this post:

  • VXLAN topology with OSPF as the IGP in the underlay using unnumbered links.
  • EVPN in the overlay using iBGP.
  • Spines acting as route reflectors.
  • Separate loopbacks for IGP, BGP, and NVE.
  • Ingress replication based on EVPN.
  • Enhancements such as anycast gateway, ARP suppression, etc., will be covered in future posts.

The BGP topology is shown below:

I will cover all the details of configuring EVPN and establishing the BGP sessions. We will then cover the actual exchange of routes in detail in separate posts in the future.

Starting out, the following globals and features need to be configured:

Next, let’s configure BGP on the spines with the following settings:

Then let’s configure BGP on the leafs:

The devices will now advertise that they have AFI L2VPN and SAFI EVPN:

The BGP sessions are now up:

Leaf1# show bgp l2vpn evpn sum
BGP summary information for VRF default, address family L2VPN EVPN
BGP router identifier 192.0.2.3, local AS number 65000
BGP table version is 4, L2VPN EVPN config peers  Continue reading

Tigera Closes Out 2023 with Significant Momentum for Calico as Demand for Container Security Accelerates

As 2023 comes to a close, we’re happy to report that we’ve had a successful year full of powerful product advancements and notable third-party recognition.

Key product enhancements

  • Plug-and-play Runtime Threat Defense Combines signature and behavior-based threat detection to protect against both known and zero-day threats. Calico Runtime Threat Defense provides preconfigured threat detectors to detect most common MITRE attack techniques for container and network-based attacks.
  • Security Score and Recommended Actions Provides an unparalleled view of security risks, enabling enterprises to identify, prioritize and mitigate them swiftly.
  • Streamlined autoscaling with Windows HostProcess Container – Simplifies Kubernetes operations while saving time and resources.
  • IPv6 support for eBPF – Empowers enterprises to enhance the performance and scalability of their applications, ensuring they meet the demands of modern workloads.
  • Calico cluster mesh for VxLAN – Offers a scalable solution for multi-cluster deployments, enabling multi-cluster pod-to-pod connectivity and enhancing security and visibility.

With these new enhancements, Calico is the industry’s most complete solution for securing and observing Kubernetes environments.

User feedback

Calico Open Source users represent a robust sample of IT professionals from across industries and use cases. We polled these users to better understand their needs and compiled the insights into Continue reading

The Terrapin Attack: A New Threat to SSH Integrity

This new vulnerability, Terrapin, breaks the integrity of SSH’s secure channel. Yes, that’s just as bad as it sounds. Anyone who does anything on the cloud or programming uses Secure Shell (SSH). So any vulnerability is bad news. Guess what? I’ve got some bad news. Researchers at Ruhr University have found a  significant vulnerability in the SSH cryptographic network protocol, which they’ve labeled CVE-2023-48795: General Protocol Flaw; CVE-2023-46446: Rogue Session Attack in AsyncSSH poses a serious threat to internet security. Terrapin enables attackers to compromise the integrity of SSH connections, which are widely used for secure access to network services. The Terrapin attack targets the SSH protocol by manipulating prefix sequence numbers during the handshake process. This manipulation enables attackers to remove messages sent by the client or server at the beginning of the secure channel without detection. The attack can lead to using less secure client authentication algorithms and deactivation-specific countermeasures against keystroke timing attacks in OpenSSH 9.5. Terrapin is a Man-in-the-Middle The good news — yes, there is good news — is that while the Terrapin attack Continue reading

Introduction to EVPN In VXLAN Networks

In previous posts I described VXLAN using flood and learn behavior using multicast or ingress replication. The drawback to flood and learn is that frames need to be flooded/replicated for the VTEPs to learn of each other and for learning what MAC addresses are available through each VTEP. This isn’t very efficient. Isn’t there a better way of learning this information? This is where Ethernet VPN (EVPN) comes into play. What is it? As you know, BGP can carry all sorts of information and EVPN is just BGP with support to carry information about VTEPs, MAC addresses, IP addresses, VRFs, and some other stuff. What does EVPN provide us?

  • Ability to discover VTEPs.
  • Messaging of MAC prefixes and IP prefixes.
  • Reduced amount of flooding.
  • Optionally ARP suppression.

Note that the use of EVPN doesn’t entirely remove the need for flooding using multicast or ingress replication. Hosts still need to use ARP/ND to find the MAC address of each other, although ARP suppression could potentially help with that. There may also be protocols such as DHCP that leverage broadcast for some messages. In addition, there may be silent hosts in the fabric where VTEP is not aware that the host is Continue reading

1 135 136 137 138 139 3,793