D2DO256: Alkira’s Universal Transit: Simplifying Hybrid & Multi-Cloud Networks (Sponsored)

We are firmly entrenched in a hybrid cloud world, from on-prem data centers to multiple cloud platforms to branch and remote offices, not to mention wandering end users connecting via VPN. While the network is the common substrate among all these locations, every cloud provider has its own network implementation. Managing, monitoring and securing all... Read more »

Exploring Internet traffic shifts and cyber attacks during the 2024 US election

Elections are not just a matter of casting ballots. They depend on citizens being able to register to vote and accessing information about candidates and the election process, which in turn depend on the strength and security of the Internet. Despite the risks posed by potential cyberattacks aimed to disrupt democracy, Cloudflare did not observe any significant disruptions to campaigns or local government websites from cyberattack.

Tuesday, November 5, 2024 was Election Day in the United States. It not only decided the next president and vice president but also included elections for the US Senate, House of Representatives, state governorships, and state legislatures. Results confirm that Republican Donald Trump won the presidential election.

In this blog post, we examine online attacks against election-related sites — some of which were notable but none were disruptive — and how initial election results impacted Internet traffic across the US at both national and state levels, with increases in traffic as much as 15% nationwide. We’ll also explore email phishing trends and general DNS data around news interest, the candidates, and election-related activity.

We’ve been tracking 2024 elections globally through our blog and election report on Cloudflare Radar, covering some of the more Continue reading

Using a BGP Route Server in an Internet Exchange Point

A BGP route server is like a BGP route reflector but for EBGP sessions. In its simplest implementation, it receives BGP updates over EBGP sessions and propagates them over other EBGP sessions without inserting its own AS number in the AS path (more details).

BGP route servers are commonly used on Internet Exchange Points (IXPs), and that’s what you can practice in the BGP Route Server in an Internet Exchange Point lab exercise.

Click here to start the lab in your browser using GitHub Codespaces (or set up your own lab infrastructure). After starting the lab environment, change the directory to session/5-routeserver and execute netlab up.

Palo Alto High Traffic Latency Troubleshooting

Palo Alto High Traffic Latency Troubleshooting

We all know that firewalls are limited by hardware resources. Larger devices support higher throughput, while smaller ones may not perform as well. When experiencing slow traffic or latency issues on a firewall, we typically check resource usage and session counts to see if we are reaching these limits. If we are, that often concludes our troubleshooting. But what if we aren't hitting these limits and still experience traffic slowness? In this blog post, we'll explore a few methods to troubleshoot high latency issues on Palo Alto firewalls.

Please note that this troubleshooting is applicable when the dataplane CPU and session count are well below the limit, but you are still experiencing some form of latency issues or random packet loss. If this issue sounds familiar, please continue reading.

Packet Descriptors (on-chip)

If you find yourself in a situation where resource usage is well under the limit but you are still experiencing high latency, the next step is to identify sessions that consume too much of the on-chip packet descriptor.

You can run the following command on any hardware-based firewall model (not a VM-Series firewall) to identify, for each slot and dataplane, the on-chip packet descriptor percentage used, the top Continue reading

You Are Paying The Clouds To Build Better AI Than They Will Rent You

Think of it as the ultimate offload model.

One of the geniuses of the cloud – perhaps the central genius – is that a big company that would have a large IT budget, perhaps on the order of hundreds of millions of dollars per year, and that has a certain amount of expertise creates a much, much larger IT organization with billions of dollars – and with AI now tens of billions of dollars – in investments and rents out the vast majority of that capacity to third parties, who essentially allow that original cloud builder to get their own IT operations for close to free.

You Are Paying The Clouds To Build Better AI Than They Will Rent You was written by Timothy Prickett Morgan at The Next Platform.

Joining ISE to Active Directory

Most ISE deployments use a join to Active Directory to be able to query AD groups, perform user lookups, etc. In this post, I’ll join my ISE lab server to AD. First I’m going to create two OUs in my AD, one for users and one for computers. Why not use the default ones? They are containers, not OUs, which means you can’t apply GPOs to them. Additionally, it makes for cleaner separation from the built-in accounts and allows for applying policies that won’t affect them. I’m creating two OUs:

  • iselab users.
  • iselab computers.

This is done by going to Active Directory Users and Computers, then right clicking the AD domain and selecting New -> Organizational Unit:

Give the OU a name and then click OK:

Repeat for the computers OU. You should now be able to see the OUs:

I’m going to create a user named Bob that I’ll be using to test login later. Right click the users OU and then select New -> User:

Enter the name and logon name:

Click Next. Enter a password for the user. As this is a lab, I won’t require that the user changes the password and the Continue reading

Running Routing Protocols over Tunnels

James got confused by a statement made by Hannes Gredler in his IS-IS book:

Things behave really badly if the total IGP cost over the tunnel undermines the total topologies’ cost. What happens next is that the tunnel “wraps” around itself, ultimately causing a meltdown of the entire network.

Let’s unpack that, starting with “Why would you need a tunnel?”

NB502: AWS Revenue Growth Lags Cloud Competitors; Microsoft Entra ID Forces MFA

Take a Network Break! This week we discuss Google adding traffic shaping to its cross-cloud interconnect, Aviatrix bringing hybrid cloud transit to its cloud networking service, and Microsoft forcing MFA for Entra ID customers. Microsoft CEO Satya Nadella forgoes $5 million in incentive pay for Microsoft security lapses, Extreme Networks adds new features to its... Read more »

netlab 1.9.2: STP, LAG, Cisco IOL, Edgeshark

While I was busy fixing bugs in the netlab release 1.9.2, other contributors added exciting new features:

Other new features include:

From Python To Go 001. Get Started.

Dear friend,

As mentioned in previous blogpost, I’ve kicked the new series of blog posts related to Go (Golang programming language) and how to pick that up. Originally my idea was just to explain some concepts, pretty much I’ve done back in past with Code eXpress (CEX) for Python. But then I’ve thought through it further and decided to write a side-by-side guide with Python and Go together, exactly as I’ve done before with multi vendor network automation, when started writing about Nokia SR OS and Cisco IOS XR back in 2016.

Do I Need Both Python And Go?

In our opinion, yes, you do need both. Each of these programming languages shines in some areas more than another. And both of them are applicable to network and infrastructure automation. As such, we recommend to study both, but to start with Python as it is easier and at this stage is wider used than Go. So we encourage you to start with our Network Automation Trainings:

We offer the following training programs in network automation for you:

HN756: Alkira Enhances Its Multi-Cloud Networking With ZTNA and Security (Sponsored)

Alkira provides a Multi-Cloud Networking Service (MCNS) that lets you connect public cloud and on-prem locations using a cloud-delivered, as-a-service approach. But Alkira offers more than just multi-cloud connectivity. On today’s sponsored episode of Heavy Networking, we dig into Alkira’s full set of offerings, which include networking, visibility, governance, and security controls such as firewalls... Read more »

TNO007: Good Foundations Are Key To Leveraging AI for Network Operations

In this episode of Total Network Operations the conversation focuses on the impact and implementation of AI on network operations. Host Scott Robohn is joined by guest Michael Wynston to discuss the foundational requirements for AI implementation, such as well-documented processes, version control, and lab testing. Michael also talks about the need for lifelong learning... Read more »