0

Adding a Syslog Server to a netlab Lab Topology

netlab does not support a Syslog server (yet), but it’s really easy to add one to your lab topology, primarily thanks to the Rsyslog team publishing a ready-to-run container. Let’s do it ;)

Adding a Syslog Server

Rsyslog is an open-source implementation of a Syslog server (with many bells and whistles, most of which we won’t use) that can (among other things) log incoming messages to a file. Even better (for our use case), the Rsyslog team regularly publishes Rsyslog containers; we’ll use the rsyslog/rsyslog-collector container because it can “receive logs via UDP, TCP, and optionally RELP, and can send them to storage backends or files.”

0

A Unified ARP Table (and how to get one when you don’t have one)

How to get one when you don't have one and what happens when its gone! There is so much propaganda out there today (and I am not even referring to politics), it feels good to go back to fundamentals. Few things are more foundational to networking than Address Resolution Protocol (ARP). It is inconceivable to READ MORE

The post A Unified ARP Table (and how to get one when you don’t have one) appeared first on The Gratuitous Arp.

0

Network Labs on a Budget

"Can you suggest some specs for a server for my network labs?" is probably the question I get asked the most. People reach out all the time asking for recommendations. The thing is, I never really know their exact situation or what they’re trying to do in their lab. So, I usually just share what I have and what worked best for me, and let them decide what fits their setup.

In this post, I’ll go over the cheapest way to build your own network lab without spending too much.

What We Will Cover?

• Buying a used mini PC
• Proxmox as the hypervisor (optional)
• Linux as a VM
• Containerlab/Netlab, EVE-NG, Cisco CML
• Proxmox Backup Server (optional)
• Simplest Option for Absolute Beginners

TL;DR

You don’t need expensive hardware to build a solid network lab. A used mini PC with decent specs is more than enough to run tools like Proxmox, Continue reading

0

The strange webserver hot potato — sending file descriptors

I’ve previously mentioned my io-uring webserver tarweb. I’ve now added another interesting aspect to it.

As you may or may not be aware, on Linux it’s possible to send a file descriptor from one process to another over a unix domain socket. That’s actually pretty magic if you think about it.

You can also send unix credentials and SELinux security contexts, but that’s a story for another day.

My goal

I want to run some domains using my webserver “tarweb”. But not all. And I want to host them on a single IP address, on the normal HTTPS port 443.

Simple, right? Just use nginx’s proxy_pass?

Ah, but I don’t want nginx to stay in the path. After SNI (read: “browser saying which domain it wants”) has been identified I want the TCP connection to go directly from the browser to the correct backend.

I’m sure somewhere on the internet there’s already an SNI router that does this, but all the ones I found stay in line with the request path, adding a hop.

Why?

A few reasons:

1. Having all bytes bounce on the SNI router triples the number of total file descriptors for the connection. (one on the backend, Continue reading

0

Contributing to NTC templates

This guide is the steps I follow when adding or updating NTC templates. Contributing to a project in Github is still a learning curve for me, the days of learning CLI by repetition seem long gone so when using or contributing to any of these NetOps type tools I have to keep guides as it is a bit of a struggle to remember with so many new and alien things to know and the sporadic nature that I use them.

0

What’s New in Calico v3.31: eBPF, NFTables, and More

We’re excited to announce the release of Calico v3.31,   which brings a wave of new features and improvements.

For a quick look, here are the key updates and improvements in this release:

• Calico NFTables Dataplane is now Generally Available
• Calico eBPF Dataplane Enhancements
  • Simplified installation: new template defaults to eBPF, automatically disables kube-proxy via kubeProxyManagement field, and adds bpfNetworkBootstrap for auto API endpoint detection.
  • Configurable cgroupv2 path: support for immutable OSes (e.g., Talos).
  • >>Learn More: See how Calico v3.31 makes eBPF installation frictionless and simplifies setup in our Zero-Trust with Zero-Friction eBPF in Calico v3.31 blog
• Calico Whisker (Observability Stack)
  • Improved UI and performance in Calico v3.31.
  • New policy trace categories: Enforced vs Pending.
  • Lower memory use, IPv6 fixes, and more efficient flow streaming.
• Networking & QoS
  • New bandwidth and packet rate QoS controls across all dataplanes.
  • DiffServ (DSCP) support: prioritize traffic by marking packets (e.g., EF for VoIP).
  • Introduces new QoSPolicy API for declarative traffic control.
• Encapsulation & Routing
  • Tech Preview: Felix now handles encapsulation routes (IP-in-IP, no-encap) directly — no BIRD required!
• NAT Control
  • New natOutgoingExclusions config for granular NAT management.
  • Choose between Continue reading

0

HN802: Unifying Networking and Security with Fortinet SASE: Architecture, Reality, and Lessons Learned (Sponsored)

The architecture and tech stack of a Secure Access Service Edge (SASE) solution will influence how the service performs, the robustness of its security controls, and the complexity of its operations. Sponsor Fortinet joins Heavy Networking to make the case that a unified offering, which integrates SD-WAN and SSE from a single vendor, provides a... Read more »

0

Worth Reading 102425

I get the sense that hosting a ccTLD today is challenging, not because of the technical stack, but due to Distributed Denial-of-Service (DDoS) concerns

In times of major change–whether in IT or the economy–organizations should take a fresh look at their sourcing strategy. Companies outsourcing key functions need to re-examine the reasoning and scrutinize the results.

Another multivendor development group, the Ultra Accelerator Link (UALink) consortium, recently published its first specification aimed at delivering an open standard interconnect for AI clusters.

The company conducted a nationwide survey of 3,790 people that asked about real-world experiences and expectations around home WiFi performance. I think every ISP I know could have predicted the gist of the responses, but I think ISPs might be surprised at the percentage of people who are unhappy with WiFi.

DNS was not originally designed with security in mind, making it easy for common threats such as DNS spoofing and man-in-the-middle attacks to reroute unsuspecting users to malicious sites, often without detection.

0

Hedge 285: Post Quantum Crypto

Is quantum really an immediate and dangerous threat to current cryptography systems, or are we pushing to hastily adopt new technologies we won’t necessarily need for a few more years? Should we allow the quantum pie to bake a few more years before slicing a piece and digging in? George Michaelson joins Russ and Tom to discuss.

download

0

TNO047: Advice From Both Sides of the Network Aisle

Senad Palislamovic has held many roles in his time, from engineer to network operator to sales engineer and back again. He’s been around long enough to see trends come and go. Senad visits Total Network Operations to share some of his observations on network automation, AI for NetOps, and the quality of network data. Senad... Read more »

0

DEEP Is Still a Must-Attend Boutique Conference

I love well-organized small conferences, so it wasn’t hard to persuade me to have another talk at the DEEP Conference in Zadar, Croatia. This time, I talked about the role of digital twins in disaster recovery/avoidance testing. You might know my take on networking digital twins; after that, I only had enough time to focus on bandwidth and latency matter, and this is how you emulate limited bandwidth and add latency bit.

0

How To Deploy a Local AI via Docker

If you’re tired of worrying about your AI queries or the data you share within them being used to either train large language models (LLMs) or to create a profile of you, there are always local AI options you can use. I’ve actually reached the point where the only AI I use is local. For me, it’s not just about the privacy and security, but also the toll AI takes on the energy grids and the environment. If I can do my part to prevent an all-out collapse, you bet I’m going to do it. Most often, I deploy local AI directly on my machine. There are, however, some instances where I want to quickly deploy a local AI to a remote server (either within my LAN or a server beyond it). When that need arises, I have two choices: Install a local AI service in the same way I install it on my desktop. Containerize it. The benefit of containerizing it is that the locally installed AI is sandboxed from the rest of the system, giving me even more privacy. Also, if I want to stop the locally installed AI, I can do so with a quick and easy Continue reading

0

IPB186: An Inside Look at RFC 9872 for Discovering v6 Prefixes

RFC 9872 makes recommendations for NAT64 prefix discovery for hosts supporting v4-to-v6 translation. Co-host Nick Buralgio is a co-author of this RFC, so we’re taking the opportunity to talk about it in detail. We discuss the problems RFC 9872 is addressing and why a new RFC was needed for operational guidance, not necessarily defining a... Read more »

0

Breaking the ‘Shared-Nothing’ Bottleneck: A NoSQL Paradigm

While there is no single storage architecture model that fits all NoSQL databases, the often recommended approach is a distributed, shared-nothing architecture using local storage (often flash-based) at each node. At the storage hardware level, direct-attached storage (DAS) would be an example of shared-nothing architecture. This model provides the desired high performance, low latency, fault tolerance and availability that business-critical NoSQL databases like Cassandra and MongoDB require. While DAS offers significant advantages, it’s counterproductive to today’s data center climate of reduced CapEx, OpEx and sustainability initiatives. At the same time, critical data services inherent in a shared networked storage system, such as storage area networks (SANs), are missing in DAS. However, with today’s SAN solutions, you can have your cake and eat it, too: efficiency, data services, resilience and yes, high performance and low latency, too. Modernizing your data platform to a SAN model, using a supplier with a disaggregated, software-defined architecture, can deliver the performance and fault tolerance your NoSQL database requires without compromising efficiency. Why Shared-Nothing Is Common for NoSQL DAS is a prevalent model for performance-sensitive workloads, like NoSQL databases, because historically local flash, especially

0

N4N041: Switched Virtual Interface (SVI) and Integrated Routing and Bridging (IRB)

If you’ve ever wondered what the difference is between a Switched Virtual Interface (SVI) and Integrated Routing and Bridging (IRB), today’s show is for you! Ethan Banks and Holly Metlitzky start with some history and the basics of communication between layer 2 and layer 3 and then explain how the concepts of SVI and IRB... Read more »

0

Lab: Drain Traffic From an IS-IS Node Before Starting Maintenance

Here’s a cool feature every routing protocol should have: a flag that tells everyone a node is going down, giving them time to adjust their routing tables before disrupting traffic flow.

OSPF never had such a feature; common implementations set the cost of all interfaces to a very high value to emulate it. BGP got it (the Graceful BGP Session Shutdown) almost 30 years after it was created. IS-IS had the overload bit from day one, and it’s just what an IS-IS router needs to tell everyone else they should stop using it for transit traffic. You can try it out in the Drain Traffic Before Node Maintenance lab exercise.

Click here to start the lab in your browser using GitHub Codespaces (or set up your own lab infrastructure). After starting the lab environment, change the directory to feature/5-drain and execute netlab up.

0

Posts from the Past, October 2025

Every now and then, I publish one of these “Posts from the Past” articles that looks back on content I’ve created and posted over the life of this site. This year marks 20 years of content—I can hardly believe it! Don’t worry, though; you won’t have to go through 20 years of past posts. Here is a selection of posts from mid- to late October over the last decade or so. I hope you find something useful, informative, or at least entertaining!

October 2024

Last year I shared information on how to use Pulumi to stand up an Amazon Elastic Kubernetes Service (EKS) cluster with Bottlerocket OS on the Kubernetes nodes—without using any higher-level Pulumi components.

October 2022

In 2022, after getting irritated with what I felt was a poor user experience when accessing Azure Kubernetes Service (AKS) clusters created with Pulumi, I published this post on how to change the Kubeconfig file for a more streamlined user experience.

October 2021

Cluster API is the name of the game for multiple posts in October 2021. First I wrote this article on kustomize transformer configurations for Cluster API v1beta1 (so that you can use kustomize to manipulate Cluster API manifests), Continue reading

0

D2DO285: The Death of IaC Has Been Greatly Exaggerated

While declaring the death of Infrastructure as Code (IaC) or Terraform may get you clicks on LinkedIn, IaC is alive and kicking. On today’s Day Two DevOps we talk about why IaC still matters. Guest Malcolm Matalka argues that IaC provides the tools and a model for managing infrastructure across its lifecycle in a structured... Read more »

0

Public Videos: Graph Algorithms in Networks (Part 1)

The first half of the Graph Algorithms in Networks webinar by Rachel Traylor is now available without a valid ipSpace.net account; it discusses algorithms dealing with trees, paths, and finding centers of graphs. Enjoy!

0

When to Use BGP, VXLAN, or IP-in-IP: A Practical Guide for Kubernetes Networking

When deploying a Kubernetes cluster, a critical architectural decision is how pods on different nodes communicate. The choice of networking mode directly impacts performance, scalability, and operational overhead. Selecting the wrong mode for your environment can lead to persistent performance issues, troubleshooting complexity, and scalability bottlenecks.

The core problem is that pod IPs are virtual. The underlying physical or cloud network has no native awareness of how to route traffic to a pod’s IP address, like 10.244.1.5 It only knows how to route traffic between the nodes themselves. This gap is precisely what the Container Network Interface (CNI) must bridge.

The CNI employs two primary methods to solve this problem:

1. Overlay Networking (Encapsulation): This method wraps a pod’s packet inside another packet that the underlying network understands. The outer packet is addressed between nodes, effectively creating a tunnel. VXLAN and IP-in-IP are common encapsulation protocols.
2. Underlay Networking (Routing): This method teaches the network fabric itself how to route traffic directly to pods. It uses a routing protocol like BGP to advertise pod IP routes to the physical Continue reading