FRRouting (Linux) with pure IS-IS, the only way it currently (10.3) works is to copy the loopback IPv4 address to the interfaces that you need to do IPv4 routing on. The OpenFabric (IS-IS “extension” draft) does support true unnumbered interfaces and routes IPv6.
Let’s unpack this. There are (at least) four reasons a router needs an address associated with an interface1:
Calico provides a unified platform for all your Kubernetes networking, network security, and observability requirements. From ingress/egress management and east-west policy enforcement to multi-cluster connectivity, Calico delivers comprehensive capabilities. It is distribution-agnostic, preventing vendor lock-in and offering a consistent experience across popular Kubernetes distributions and managed services. Calico eliminates silos, providing seamless networking and observability for containers, VMs, and bare metal servers, and extends effortlessly to multi-cluster environments, in the cloud, on-premises, and at the edge.
Improved observability to visualize and troubleshoot workload communication with Calico Whisker and the Goldmane API.
Kubernetes Network Policies are critical for preventing ransomware, achieving microsegmentation to isolate sensitive assets for compliance, and thwarting attacks from malicious actors. However, implementing them effectively can be challenging due to the complexity of identifying, testing, and rapidly updating policies to meet evolving threats. Calico Open Source 3.30 introduces staged policies to enable teams to audit and validate policies before they are enforced, reducing the risk of misconfigured policies and improving security and compliance.
The ability to manage Kubernetes ingress traffic with Calico Ingress Gateway, a 100% upstream, enterprise-ready implementation Continue reading
In this blog, I’ll walk you through the design, development, and lessons learned while building a multi-agent AI customer support assistant using the LangChain framework and related AI tools. 🎮💬 🎯 Motivation: Why Build This? At KGeN, a game aggregation platform connecting publishers and gamers, our primary users are gamers and clan chiefs (micro-community leaders). … Continue reading 🤖 AI Customer Support using an Agentic Framework→
The Internet relies on the Border Gateway Protocol (BGP) to exchange IP address reachability information. This information outlines the path a sender or router can use to reach a specific destination. These paths, conveyed in BGP messages, are sequences of Autonomous System Numbers (ASNs), with each ASN representing an organization that operates its own segment of Internet infrastructure.
Throughout this blog post, we'll use the terms "BGP routes" or simply "routes" to refer to these paths. In essence, BGP functions by enabling autonomous systems to exchange routes to IP address blocks (“IP prefixes”), allowing different entities across the Internet to construct their routing tables.
When network operators debug reachability issues or assess a resource's global reach, BGP routes are often the first thing they examine. Therefore, it’s critical to have an up-to-date view of the routes toward the IP prefixes of interest. Some networks provide tools called "looking glasses" — public routing information services offering data directly from their own BGP routers. These allow external operators to examine routes from that specific network's perspective. Furthermore, services like bgp.tools, bgp.he.net, RouteViews, or the NLNOG RING looking glass offer aggregated, looking glass-like lookup capabilities, drawing Continue reading
Damien Garros, CEO and co-founder of OpsMill is with us once again for today’s podcast. Since we last spoke with Damien, OpsMill has emerged from stealth mode and is making progress as one of the leaders in network source of truth in the field. Today, we’ll talk through the progress Infrahub has made and get... Read more »
On April 12th, SR Linux failed one of the netlab integration tests. We keep adding functionality to these tests as we discover edge cases we didn’t test before, so sometimes a device that passed the test before might fail the modified version.
Wireless security takes center stage in this episode of Packet Protector. Jennifer Minella and guests discuss “secure by default” efforts by WLAN vendors; the current state of PSK, SAE, and WPA3; NAC and zero trust; more WLAN vendors adding AI to their products (or at least their messaging); and more. Jennifer is joined by Jonathan... Read more »
For much of the two-plus years since ChatGPT hit the market and kicked off the generative AI frenzy, the market tilted toward well-resourced hyperscalers like Google, Amazon Web Services, and Microsoft as well as Tier 2 cloud service providers, with powerful – and expensive – accelerators and massive large language models like Meta’s Llama with 405 billion parameters. …
⚠️ WARNING ⚠️ This blog post contains graphic depictions of probability. Reader discretion is advised.
Measuring performance is tricky. You have to think about accuracy and precision. Are your sampling rates high enough? Could they be too high?? How much metadata does each recording need??? Even after all that, all you have is raw data. Eventually for all this raw performance information to be useful, it has to be aggregated and communicated. Whether it's in the form of a dashboard, customer report, or a paged alert, performance measurements are only useful if someone can see and understand them.
This post is a collection of things I've learned working on customer performance escalations within Cloudflare and analyzing existing tools (both internal and commercial) that we use when evaluating our own performance. A lot of this information also comes from Gil Tene's talk, How NOT to Measure Latency. You should definitely watch that too (but maybe after reading this, so you don't spoil the ending). I was surprised by my own blind spots and which assumptions turned out to be wrong, even though they seemed "obviously true" at the start. I expect I am not alone in these regards. For that Continue reading
This will be probably last visualization example for a while because I stopped working with network visualizations for some time now. But I wanted to finish publishing some last examples … Read More
How far ahead should you plan, and what things belong in your strategic plan? Conventional wisdom holds that a 3-year planning horizon is “about right”–but in a period of rapid technical and geopolitical change (such as we’re arguably in right now) does that go too far out, particularly when agile methodologies recommend shorter action plans... Read more »
You could always implement a bridged segment with a set of links connecting edge nodes to a VLAN-capable device. For example, you could use the following topology to connect two Linux hosts through a bridge running Arista EOS:
There are many reasons why Nvidia is the hardware juggernaut of the AI revolution, and one of them, without question, is the NVLink memory sharing port that started out on its “Pascal” P100 GOU accelerators way back in 2016. …
Take a Network Break! Guest co-host Tom Hollingsworth steps in for Johna Johnson. We start with Google patching a significant Chrome vulnerability and de-elevating Chrome running with admin rights when it launches on Windows. On the news front, we discuss a report, unconfirmed as of recording time, that Arista is acquiring VeloCloud, then discuss Broadcom... Read more »
IPv4 addresses have become a costly commodity, driven by their growing scarcity. With the original pool of 4.3 billion addresses long exhausted, organizations must now rely on the secondary market to acquire them. Over the years, prices have surged, often exceeding $30–$50 USD per address, with costs varying based on block size and demand. Given the scarcity, these prices are only going to rise, particularly for businesses that haven’t transitioned to IPv6. This rising cost and limited availability have made efficient IP address management more critical than ever. In response, we’ve evolved how we handle BYOIP (Bring Your Own IP) prefixes to give customers greater flexibility.
Historically, when customers onboarded a BYOIP prefix, they were required to assign it to a single service, binding all IP addresses within that prefix to one service before it was advertised. Once set, the prefix's destination was fixed — to direct traffic exclusively to that service. If a customer wanted to use a different service, they had to onboard a new prefix or go through the cumbersome process of offboarding and re-onboarding the existing one.
As a step towards addressing this limitation, we’ve introduced a new level of flexibility: customers can Continue reading
AI is no longer on the horizon. It’s part of how people and products work today. And as AI finds its way into more business applications and processes, it can create new risks. On today’s Tech Bytes, sponsored by Palo Alto Networks, we talk about how Palo Alto Networks is addressing those risks so that... Read more »
I was considering an AI add-on that would have access to the netlab documentation and help you figure out how to use it for a few years, but never got around to implementing it (and surprisingly, with all the AI hype out there, there were no volunteers submitting pull requests). A few weeks ago, someone suggested adding an MCP server as an interface to ipSpace.net content, but the discussion quickly devolved into vague ideas.
However, as ChatGPT now has access to the live Internet, I decided to try out whether it can get the job done with a bit of prompting.
TL&DR: After a hiccup, it worked surprisingly well.
I’ve worked with Cisco, Arista, and Juniper switches most of my life, but when I first started using UniFi switches in my homelab, I found myself a bit confused. The way VLANs are configured on UniFi switches is slightly different from what I was used to. In this post, I’ll go through how to configure VLANs on UniFi switches, specifically focusing on the USW-Pro-Max-16 and USW-Lite-8 models.
Quick Recap on VLANs
VLAN stands for Virtual LAN, and it's a way to logically segment a network, even if all devices are connected to the same physical switch. Different vendors use slightly different terms when it comes to VLAN port types. For example, Cisco calls them access and trunk ports, while others might refer to them as untagged and tagged ports.
An untagged (or access) port is typically used to connect end devices like PCs or printers. These devices have no awareness of VLANs, they just send regular Ethernet frames. When the switch receives a frame on an access port, it tags it with the VLAN configured for that port before forwarding it internally or out via a trunk port.
Tagged (or trunk) ports are used between switches or to other Continue reading