0

EVPN Route Type 5

In a previous post, EVPN Deepdive Route Types 2 and 3, I covered route types 2 and 3. In this post I’ll cover route type 5 which is used for advertising IP prefixes. This route type is covered in RFC 9136.

There are two main use cases for advertising IP prefixes in EVPN route type 5:

• Advertising external prefixes into the VXLAN network.
• Advertising prefixes for connectivity towards silent hosts.

The first scenario is pretty obvious. There are other places in the network, such as remote offices via a WAN, partners and external parties, as well as the internet. To route towards these destinations, a route type is needed and this is route type 5. Remember, route type 2 only provides host routing which poses the following problems for external connectivity:

• Advertising everything as /32 and /128 would be highly inefficient.
• It requires an EVPN speaker to generate the RT2 and the external prefixes are originated from non-EVPN speakers.
• It would not be possible to advertise a default route.
• Without RT5, external connectivity would have to be advertised from another protocol than EVPN.

The last bullet may be worth expanding a bit on. If the external prefixes aren’t advertised Continue reading

0

TSMC Is A Bellwether For IT, But It Is Not The Weather Of All IT

There is no question that Taiwan Semiconductor Manufacturing Co is one of the best bellwethers of the IT industry. …

TSMC Is A Bellwether For IT, But It Is Not The Weather Of All IT was written by Timothy Prickett Morgan at The Next Platform.

0

Tech Bytes: Palo Alto Networks Optimizes Dynamic Content And User Experience With App Acceleration (Sponsored)

Today on the Tech Bytes podcast we talk about accelerating dynamic content to improve application performance and the user experience. The increase of remote and hybrid workers, and more applications being delivered from the cloud, can complicate IT’s efforts to measure and improve application performance. Today’s sponsor, Palo Alto Networks, shares its approach to accelerating... Read more »

0

NB463: Cisco Buys eBPF Startup For Cloud-Native Networking; Garter Forecasts $5 Trillion In IT Spending

This week’s Network Break examines why Cisco bought eBPF startup Isovalent (hint: it’s about cloud-native networking), why Broadcom is cranking up pressure on VMware resellers and customers (hint: it’s about money), and why Google Cloud is sort of dropping fees for customers who want to exit the cloud (hint: it’s about getting out ahead of... Read more »

0

Juniper Acquisition by HPE – What Might it Mean for Enterprise Customers?

Significant overlap between HPE and Juniper network portfolios may force some customers to reevaluate their hardware and software options.

0

Expect Datacenters To Get Denser, Hotter, And Smarter

The datacenter industry today looks very different than it did a decade ago. …

Expect Datacenters To Get Denser, Hotter, And Smarter was written by Tobias Mann at The Next Platform.

0

Using SSH with the Pulumi Docker Provider

In August 2023, Pulumi released a version of the Docker provider that supported SSH-based connections to a Docker daemon. I’ve written about using SSH with Docker before (see here), and I sometimes use AWS-based “Docker build hosts” with my M-series Macs to make it easier/simpler (and sometimes faster) to build x86_64-based Docker images. Naturally, I’m using an SSH connection in those cases. Until this past weekend, however, I hadn’t really made the time to look deeper into how to use SSH with the Pulumi Docker provider. In this post, I’ll share some details that (unfortunately) haven’t yet made it into the documentation about using SSH with the Pulumi Docker provider.

First, let’s talk about some prerequisites to making this work.

1. You’ll need Docker installed locally. I fairly certain this is only the docker CLI (much in the same way the Pulumi Kubernetes provider requires kubectl to be installed locally), but I haven’t verified this for certain yet. I tested this from a Linux system running Docker 24.0.7; I think the earliest version that is supported is 18.09.
2. You’ll need Docker installed on the remote SSH host (obviously). I used Flatcar Container Linux (stable channel) on AWS.
3. Continue reading

0

Q4 2023 Internet disruption summary

Cloudflare’s network spans more than 310 cities in over 120 countries, where we interconnect with over 13,000 network providers in order to provide a broad range of services to millions of customers. The breadth of both our network and our customer base provides us with a unique perspective on Internet resilience, enabling us to observe the impact of Internet disruptions.

During previous quarters, we tracked a number of government directed Internet shutdowns in Iraq, intended to prevent cheating on academic exams. We expected to do so again during the fourth quarter, but there turned out to be no need to, as discussed below. While we didn’t see that set of expected shutdowns, we did observe a number of other Internet outages and disruptions due to a number of commonly seen causes, including fiber/cable issues, power outages, extreme weather, infrastructure maintenance, general technical problems, cyberattacks, and unfortunately, military action. As we have noted in the past, this post is intended as a summary overview of observed disruptions, and is not an exhaustive or complete list of issues that have occurred during the quarter.

Government directed

Iraq

In a slight departure from the usual subject of Continue reading

0

How To Get Over The Memory Wall

SPONSORED: MemCon 2024 is billed as a one stop shop for emerging technologies in the memory and storage domain, and a hub for efficient data movement and management. …

How To Get Over The Memory Wall was written by David Gordon at The Next Platform.

0

Simulate a Silent Host in a VXLAN Network

I’m working on a blog post explaining route type 5 in EVPN. To demonstrate a scenario with a silent host, I want to simulate this behavior. Normally, hosts can be quite chatty and ARP for their GW, for example. In this post I will show how arptables on Linux can be used to simulate a silent host.

Currently the leaf switch has an ARP entry for the host:

Leaf4# show ip arp vrf Tenant1

Flags: * - Adjacencies learnt on non-active FHRP router
       + - Adjacencies synced via CFSoE
       # - Adjacencies Throttled for Glean
       CP - Added via L2RIB, Control plane Adjacencies
       PS - Added via L2RIB, Peer Sync
       RO - Re-Originated Peer Sync Entry
       D - Static Adjacencies attached to down interface

IP ARP Table for context Tenant1
Total number of entries: 1
Address         Age       MAC Address     Interface       Flags
198.51.100.44   00:15:20  0050.56ad.7d68  Vlan10           

It is possible to ping the host from the leaf switch:

Leaf4# ping 198.51.100.44 vrf Tenant1
PING 198.51.100.44 (198.51.100.44): 56 data bytes
64 bytes from 198.51.100.44: icmp_seq=0 ttl=63 time=1.355 ms
64 bytes from 198.51.100.44:  Continue reading

0

Secure Access Service Edge (SASE) Boosts Your Company Cybersecurity

Many enterprises view SASE as the right technology to provide their increasingly distributed workforce with access to corporate resources in a way that protects users, data, and the company.

0

Why The New England Patriots Tapped Cisco to Modernize Its Stadium Network

Cisco revamped Gillette Stadium’s network infrastructure focusing on the delivery of stellar video and fan experiences while meeting the Wi-Fi needs of retailers, security services, and more.

0

HN717: Network Source(s) Of Truth – A Roundtable Discussion

On today’s episode, we discuss networking sources of truth. That’s right, sources of truth, because you’re likely to have more than one depending on your environment and your point of view. On LinkedIn, Ethan quoted someone at the AutoCon0 conference who essentially said that the network itself shouldn’t be used as a source of truth.... Read more »

0

Weekend Reads 011924

Pressure to resolve incidents quickly that often comes from peers, leadership, and members of affected teams only adds to the chaos of incident management, causing more human errors. Coordinating incidents such as this through the process of having an Incident Commander role has shown more controllable outcomes for organizations around the world.

The Kimsuky Group, believed to be a North Korea-based advanced persistent threat (APT) group active since 2013, struck again several times this year.

QUIC supports connection migration, allowing the client to migrate an established QUIC connection from one path to the other. QUIC’s path validation mechanism can be used to attack the peer and make it consume an unbounded amount of memory.

The NVM Express consortium has updated its specifications by adding a Computational Storage Feature, creating a standardized way for applications to talk to storage devices that include some processing capability.

Post Office chief exec Nick Read left British politicians shocked with his evidence before a Parliamentary committee yesterday after he admitted he could not say when the public body at the center of the historic miscarriage of justice knew when its system was at fault.

We’re only a few weeks into 2024, and violations of people’s Continue reading

0

BGP EVPN Part III: BGP EVPN Local Learning Fundamentals

Multi-Protocol BGP (MP-BGP) is a BGP-4 extension that enables BGP speakers to encode Network Layer Reachability Information (NLRI) of various address types, such as IPv4/6, VPNv4, and MAC addresses, into BGP Update messages. MP-BGP features an MP_REACH_NLRI Path-Attribute (PA), which utilizes an Address Family Identifier (AFI) to describe service categories. Subsequent Address Family Identifier (SAFI), in turn, defines the solution used for providing the service. For example, L2VPN (AFI 25) is a primary category for Layer-2 VPN services, and the Ethernet Virtual Private Network (EVPN: SAFI 70) provides the service. Another L2VPN service is Virtual Private LAN Service (VPLS: SAFI 65). The main differences between these two L2VPN services are that only EVPN supports active/active multihoming, has a control-plane-based MAC address learning mechanism, and operates over an IP-routed infrastructure.

EVPN utilizes various Route Types (EVPN RT) to describe the Network Layer Reachability Information (NLRI) associated with Unicast, BUM (Broadcast, Unknown unicast, and Multicast) traffic, as well as ESI Multihoming. The following sections explain how EVPN RT 2 (MAC Advertisement Route) is employed to distribute MAC and IP address information of Tenant Systems enabling the expansion of VLAN over routed infrastructure. 

The Tenant System refers to a host, virtual machine, Continue reading

0

Hedge 209: User Interface Stupidity

User interface design is notoriously bad for networking gear–but why, and what can we do about it? Frank Seesink joins Tom and Russ to talk about user interface stupidity.

download

0

Technology Short Take 173

Welcome to Technology Short Take #173! After a lull in links to share last time around, it looks like things have rebounded and folks are in full swing writing new content for me to share with you. I think I have a decent round-up of links for you; hopefully you can find something useful here. Enjoy!

Networking

• This article on running WireGuard in Docker may prove useful if that’s an approach I decide to adopt for my AWS lab infrastructure.
• Natalie Marek educates readers on VPC endpoints.
• Russ White laments some of the issues facing network engineering.

Servers/Hardware

• Alex Ellis provides some details on his workflow for booting Raspberry Pi 5 from NVMe.
• Tom Hummel finds himself veering back into a hardware-based home lab (instead of a cloud-based lab).

Security

• Rory McCune shares some information about a change in kubeadm version 1.29 pertaining to administrative credentials.
• Quintessence Anx of SPIRL shares some guidance on how to construct SPIFFE IDs.
• A set of vulnerabilities in the open source reference implementation of the UEFI specification has been uncovered. The flaws, referred to as PixieFail, specifically affect the PXE network boot process. BleepingComputer has more details.

Cloud Computing/Cloud Management

• Dean has published Continue reading

0

BGP Labs: Work with FRR and Cumulus Linux

FRR or (pre-NVUE) Cumulus Linux are the best bets if you want to run BGP labs in a resource-constrained environment like your laptop or a small public cloud instance. However, they both behave a bit differently from what one might expect from a networking device, including:

• Interfaces are created through standard Linux tools;
• You have to start the FRR management CLI from the Linux shell;
• If you need a routing daemon (for example, the BGP daemon), you must enable it in the FRR configuration file and restart FRR.

A new lab exercise covers these intricate details and will help you get fluent in configuring BGP on FRR or Cumulus Linux virtual machines or containers.

0

BGP Labs: Work with FRR and Cumulus Linux

FRR or (pre-NVUE) Cumulus Linux are the best bets if you want to run BGP labs in a resource-constrained environment like your laptop or a small public cloud instance. However, they both behave a bit differently from what one might expect from a networking device, including:

• Interfaces are created through standard Linux tools;
• You have to start the FRR management CLI from the Linux shell;
• If you need a routing daemon (for example, the BGP daemon), you must enable it in the FRR configuration file and restart FRR.

A new lab exercise covers these intricate details and will help you get fluent in configuring BGP on FRR or Cumulus Linux virtual machines or containers.

0

Taming Network Complexity with Digital Twins

Digital twins can help manage and troubleshoot complex networks by providing an accurate replica of the network's configuration and state.