Creating a single pane of glass for your multi-cloud Kubernetes workloads with Cloudflare

(This is a crosspost of a blog post originally published on Google Cloud blog)

One of the great things about container technology is that it delivers the same experience and functionality across different platforms. This frees you as a developer from having to rewrite or update your application to deploy it on a new cloud provider—or lets you run it across multiple cloud providers. With a containerized application running on multiple clouds, you can avoid lock-in, run your application on the cloud for which it’s best suited, and lower your overall costs.

If you’re using Kubernetes, you probably manage traffic to clusters and services across multiple nodes using internal load-balancing services, which is the most common and practical approach. But if you’re running an application on multiple clouds, it can be hard to distribute traffic intelligently among them. In this blog post, we show you how to use Cloudflare Load Balancer in conjunction with Kubernetes so you can start to achieve the benefits of a multi-cloud configuration.

To continue reading follow the Google Cloud blog here or if you are ready to get started we created a guide on how to deploy an application using Kubernetes on GCP and AWS

The Cost of Cybercrime

Most people paying attention would expect that the cost of cybercrime has gone up in recent years. But a new report has put a number on it: Worldwide cybercrime costs an estimated $600 billion USD a year.

That’s up from $500 billion USD in 2014, the last time security vendor McAfee and think tank the Center for Strategic and International Studies released a similar study. The new estimate amounts to 0.8 percent of global GDP, up from 0.7 percent in 2014.

“Cybercrime is relentless, undiminished, and unlikely to stop,” writes report author James Lewis, senior vice president at CSIS. “It is just too easy and too rewarding, and the chances of being caught and punished are perceived as being too low.”

Lewis points to poorly-protected IoT devices as a particular problem. Insecure IoT devices “provide new, easy approaches to steal personal information or gain access to valuable data or networks,” he writes. They also power botnets that can create massive denial-of-service attacks.

Among the other reasons for the growth in the cost of cybercrime:

  • Cybercriminals are embracing new attack technologies.
  • Many new Internet users come from countries with weak cybersecurity.
  • Online crime is becoming easier through cybercrime-as-a-service

IDG Contributor Network: It’s time to start thinking differently about IoT

A steady churn of stunningly useless consumer devices has turned IoT into a running joke in the tech community. Worse yet, some applications have gone beyond the silly and into the realm of scary – like internet-connected teddy bears that record your kids (and skimp on security). But there’s a whole other side to IoT. Far removed from the world of consumer gadgetry, IoT is being used behind the scenes to solve real problems and create real value across a wide variety of applications and industries.

EVPN with MPLS Data Plane in Data Centers

Mr. Anonymous (my most loyal reader and commentator) sent me this question as a comment to one of my blog posts:

Is there any use case of running EVPN (or PBB EVPN) in DC with MPLS Data Plane, most vendors seem to be only implementing NVO to my understanding.

Sure there is: you already have MPLS control plane and want to leverage the investment.

Kathmandu, Nepal is data center 123

We said that we would head to the mountains for Cloudflare’s 123rd data center, and mountains feature prominently as we talk about Kathmandu, Nepal, home of our newest deployment and our 42nd data center in Asia!

Five and three quarter key facts to get started:

  • Nepal is home to the highest mountain in the world.
  • Kathmandu has more UNESCO heritage sites in its immediate area than any other capital!
  • The Nepalese flag isn’t a rectangle. It’s not even close!
  • Nepal has never been conquered or ruled by another country.
  • Kathmandu, Nepal is where Cloudflare has placed its 123rd data center.
  • Nepal’s timezone is 5 hours 45 minutes ahead of GMT.

Mountains

The mountainous nation of Nepal is home to Mount Everest, the highest mountain in the world, known in Nepali as Sagarmāthā. Most of us learn that at school; however, there are plenty of other mountains located in Nepal. Here are the ones above 8,000 meters (extracted from the full list) to get you started:

  • Mount Everest at 8,848 meters
  • Kanchenjunga at 8,586 meters
  • Lhotse at 8,516 meters
  • Makalu at 8,463 meters
  • Cho Oyu at 8,201 meters
  • Dhaulagiri I at 8,167 meters
  • Manaslu at 8,156 meters
  • Annapurna I at 8,091 meters

Viewing Cisco Proximity with SpectrumView

I wanted to share a quick trick for troubleshooting Cisco Proximity. For those that haven’t stumbled onto this particular technology, Proximity is a feature in Spark Connected and Traditional Cisco Video Endpoints that provides a pairing channel for screen sharing. Specifically, the codec announces its presence and connection information via a 22 kHz audio stream. The client device then uses that connection information to make a connection over the network and share the screen with the codec. Since 22 kHz is beyond what the human ear can hear, there is a need for some other tool to check for its presence.

The tool I use to check for the pairing channel's presence is SpectrumView, which is available in the Apple App Store.

SpectrumView

There are a couple of options that need to be manually configured before the tool displays the higher frequency used for the pairing process:

  • Recording – Audio Sampling Rate 48000
  • Display – This may be necessary to adjust if you don’t see anything. I typically set mine to about 15dB

With the proper settings and within range of a Proximity-enabled device, some output should be visible just above 20 kHz.

BrandPost: DIY Not the Best Approach to SD-WAN

Wide area networks (WANs) were not designed for the load that most enterprises need them to handle today. Demand for data across the distributed enterprise is growing exponentially; virtually all enterprises are using cloud technology in some form; and the Internet of Things is growing, expanding the scope of networks far beyond servers, PCs, tablets and smartphones. So, it shouldn’t be a surprise that many are eagerly turning to software-defined WANs (SD-WANs) to deal with those growing needs.

SD-WANs reflected the ongoing movement to software-defined IT assets and increasing reliance on virtualization to make those assets available where and when needed. But few organizations have the fortitude—or budget—to rip and replace core pieces of their existing infrastructure, such as MPLS, which provides Class of Service prioritization and Quality of Service management.

BrandPost: Sorting Through SD-WAN Options

Most enterprises rely on a combination of MPLS and IPsec to implement virtual private networks (VPNs) across the organization’s wide area network (WAN). But the emergence of mobile devices and cloud-based applications, along with enormous growth in data volumes, has them scrambling for more flexible, more cost-effective options. Many expect software-defined network (SDN) technologies, and in particular SD-WANs, to provide the solution, but sorting through all the options can be a challenge.

Backed by venture capital, SD-WAN appliance vendors have been popping up all over the place. But appliance-based point solutions represent somewhat of a do-it-yourself scenario, and it’s important to understand whether they’ll inhibit or enhance what an enterprise can gain from SD-WAN deployment.

Understanding IPv6 – The 7 Part Blog Series and the 28 minute CHI-NOG Snippet

New to IPv6 or know someone who is? Below you will find my 7-part blog series of lessons learned during my IPv6 journey and how I now teach IPv6 to others newer to it. Prefer YouTube instead? At the end you will find the very rapid-paced, 28-minute presentation I did of this for CHI-NOG in 2016.

  • Understanding IPv6: The Journey Begins (Part 1 of 7)
  • Understanding IPv6: Link-Local ‘Magic’ (Part 2 of 7)
  • Understanding IPv6: A Sniffer Full Of 3s (Part 3 of 7)
  • Understanding IPv6: What Is Solicited-Node Multicast? (Part 4 of 7)
  • Understanding IPv6: Prepping For Solicited-Node Multicast (Part 5 of 7)
  • Understanding IPv6: The Ping Before Solicited-Node Multicast (Part 6 of 7)
  • Understanding IPv6: Solicited-Node Multicast In Action (Part 7 of 7)

JUNIPER QFX10K | EVPN-VXLAN | MAC LEARNING VERIFICATION | SINGLE-HOMED ENDPOINT

This article is all about EVPN-VXLAN and Juniper QFX technology. I’ve been working with this tech quite a lot over the past few months and figured it would be useful to share some of my experiences. This particular article is probably going to be released in 2 or 3 parts and is focused specifically on the MAC learning process and how to verify behaviour. The first post focuses on a single-homed endpoint connected to the fabric via a single leaf switch. The second part will look at a multihomed endpoint connected via two leaf switches that are utilising the EVPN multihoming feature. And, lastly, the third part will focus on Layer 3 Virtual Gateway at the QFX10k Spine switches. The setup I’m using is based on Juniper vQFX for spine and leaf functions with a vSRX acting as a VR device. I also have a Linux host that is connected to a single leaf switch.

Overview

When verifying and troubleshooting EVPN-VXLAN it can become pretty difficult to figure out exactly how the control plane and data plane are programmed and how to verify behaviours. You’ll find yourself looking at various elements such as the MAC table, EVPN database, EVPN routing

Understanding IPv6: Solicited-Node Multicast In Action (Part 7 of 7)

The last few blogs in my series on IPv6 have focused on solicited-node multicast, which provides the functionality for Neighbor Discovery in IPv6 addressing. We ended the last blog with a cliffhanger, asking, “In IPv6, how do we find the Layer 2 MAC address associated with a Layer 3 IPv6 address?”

Time to put the pieces together

In this series of blogs, I have laid out all the varying puzzle pieces needed to answer this question. Let’s start putting those puzzle pieces together.

In this blog, we learned that, if a device has an IPv6 global address of 2001:DB8::AB:1/64, then, according to RFC 4291, it must also “compute and join” the IPv6 solicited-node multicast address FF02::1:FFAB:1.

By the same logic, that means the node associated with the IPv6 address of 2001:DB8::AB:2 must “compute and join” the IPv6 solicited-node multicast address FF02::1:FFAB:2.

So our first puzzle piece gets us to here:

But so what? How does that get us any closer to getting the DMAC associated with Router B’s IPv6 global unicast address? All it did was give us a multicast address that this IPv6 unicast address must join.

Let’s add another piece of the puzzle. From this

Understanding IPv6: The Ping Before Solicited-Node Multicast (Part 6 of 7)

In a previous blog, we looked at the basics of IPv6 solicited-node multicast. Going back to our Router A and Router B environment, if we sniff the wire while pinging from Router A’s IPv6 address to Router B’s IPv6 address, what will we see? Spoilers! Suffice it to say we will see some IPv6 solicited-node multicast very much in action.

Ping in IPv4

Before we jump into IPv6, let’s first do an IPv4 ping from Router A to Router B. When we sniff the wire we can review the mechanisms of how IPv4 does all of this on the wire.

When ping 10.10.10.2 is entered on Router A, the router knows it is being asked to build an ICMP echo request message and put it “out on the wire” with a destination IP address of 10.10.10.2. But in order to make the request “ready” to put out on the wire to get to 10.10.10.2, Router A needs more than simply the destination IPv4 address.

For the purposes of this post, we will look at four things the router needs before sending the ICMP echo request out on the wire. These