Bryan would love to get hands-on SDN experience and sent me this question:
I was recently playing around with Arista vEOS to learn some Arista CLI as well as how it operates with an SDN controller. I was wondering if you know of other free products that are available to help people learn.
Let’s try to do another what-is-out-there survey.
Read more ...Today is September 27, 2015. It's a rare Super Blood Moon. And it's also CloudFlare's birthday. CloudFlare launched 5 years ago today. It was a Monday. While Michelle, Lee, and I had high expectations, we would never have imagined what's happened since then.
In the last five years we've stopped 7 trillion cyber attacks, saved more than 94,116 years worth of time, and served 99.4 trillion requests — nearly half of those in the last 6 months. You can learn more from this timeline of the last five years.
Every year we like to celebrate our birthday by giving something seemingly impossible back to our users. Two years ago we enabled on our Automatic IPv6 Gateway, allowing our users to support IPv6 without having to update their own servers. Last year we made Universal SSL support available to all our customers, even those on our free plan. And this year, we announced the expansion across Mainland China, building the first truly global performance and security platform.
We celebrated in San Francisco last week with CloudFlare's first Internet Summit Continue reading
We put a lot of energy into new projects. We argue about the design, we plan the cutover, we execute it…and then we move on. But decommissioning the old system is critical part of any project. It’s not over until you’ve switched off the old system.
Years ago I was involved in the buildout of a new network. The new network was a thing of beauty. A clear design, the best equipment, redundant everything. It was replacing a legacy network, one that had grown organically.
The new network was built out. Late one night the key services were cut over, and things were looking good. Everyone was happy, and we had a big party to celebrate. The project group disbanded, and everyone moved on to other things. Since the project was closed out, funding & resources stopped. Success, right?
Except…the old equipment was still running. A handful of applications were left on the old network. Some annoying services used undocumented links between the networks. Even worse, disused WAN links were still in place, and still being billed for.
The problem was that the project was officially ‘over.’ Who’s responsible for finishing off that last bit of cleanup?
I’ve seen similar things in Continue reading
HP makes more negative headlines, IPv4 dries up, and AWS' outage becomes a learning opportunity.
If AWS provides its own load balancing, what happens to F5?
This Week On The Internet looks at an AI Barbie, the effect of mobile devices on young kids, how to fight surveillance, and funny cooking advice.
The post Skynet Barbie, Tablet Babysitters: This Week On The Internet appeared first on Packet Pushers.
interface FastEthernet4
ip address dhcp
no shutdown
Sep 25 19:48:23.316: DHCP: Received a BOOTREP pkt
Sep 25 19:48:23.316: DHCP: Scan: Message type: DHCP Offer
...
Sep 25 19:48:23.316: DHCP: Scan: DNS Name Server Option: 192.168.100.4
lab-C881#ping google.com
Translating "google.com"...domain server (192.168.100.4) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 205.158.11.53, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
lab-C881#show hosts summary
Default domain is fragmentationneeded.net
Name/address lookup uses domain service
Name servers are 192.168.100.4
Cache entries: 5
Cache prune timeout: 50
lab-C881#
I ran into an “exciting” bug yesterday. It was seen in a 4500-X VSS pair running 3.7.0 code. When there has been a switchover meaning that the secondary switch became active, there’s a risk that information is not properly synced between the switches. What we were seeing was that this VSS pair was “eating” the packets, essentially black holing them. Any multicast that came into the VSS pair would not be properly forwarded even though the Outgoing Interface List (OIL) had been properly built. Everything else looked normal, PIM neighbors were active, OILs were good (except no S,G), routing was there, RPF check was passing and so on.
It turns out that there is a bug called CSCus13479 which requires CCO login to view. The bug is active when Portchannels are used and PIM is run over them. To see if an interface is misbehaving, use the following command:
hrn3-4500x-vss-01#sh platfo hardware rxvlan-map-table vl 200 <<< Ingress port Executing the command on VSS member switch role = VSS Active, id = 1 Vlan 200: l2LookupId: 200 srcMissIgnored: 0 ipv4UnicastEn: 1 ipv4MulticastEn: 1 <<<<< ipv6UnicastEn: 0 ipv6MulticastEn: 0 mplsUnicastEn: 0 mplsMulticastEn: 0 privateVlanMode: Normal ipv4UcastRpfMode: None ipv6UcastRpfMode: None routingTableId: 1 rpSet: 0 flcIpLookupKeyType: IpForUcastAndMcast flcOtherL3LookupKeyTypeIndex: 0 vlanFlcKeyCtrlTableIndex: 0 vlanFlcCtrl: 0 Executing the command on VSS member switch role = VSS Standby, id = 2 Vlan 200: l2LookupId: 200 srcMissIgnored: 0 ipv4UnicastEn: 1 ipv4MulticastEn: 0 <<<<< ipv6UnicastEn: 0 ipv6MulticastEn: 0 mplsUnicastEn: 0 mplsMulticastEn: 0 privateVlanMode: Normal ipv4UcastRpfMode: None ipv6UcastRpfMode: None routingTableId: 1 rpSet: 0 flcIpLookupKeyType: IpForUcastAndMcast flcOtherL3LookupKeyTypeIndex: 0 vlanFlcKeyCtrlTableIndex: 0 vlanFlcCtrl: 0
From the output you can see that "ipv4MulticastEn" is set to 1 on one switch and 0 to the other one. The state has not been properly synched or somehow misprogrammed which leads to this issue with black holing multicast. It was not an easy one to catch so I hope this post might help someone.
This also shows that there are always drawbacks to clustering so weigh the risk of running in systems in clusters and having bugs affecting both devices as opposed to running them stand alone. There's always a tradeoff between complexity, topologies and how a network can be designed depending on your choice.
Details of that Series A funding remain elusive, however.
CloudFlare servers are constantly being targeted by DDoS'es. We see everything from attempted DNS reflection attacks to L7 HTTP floods involving large botnets.
Recently an unusual flood caught our attention. A site reliability engineer on call noticed a large number of HTTP requests being issued against one of our customers.
Here is one of the requests:
POST /js/404.js HTTP/1.1
Host: www.victim.com
Connection: keep-alive
Content-Length: 426
Origin: http://attacksite.com
User-Agent: Mozilla/5.0 (Linux; U; Android 4.4.4; zh-cn; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/42.0.0.0 Mobile Safari/537.36 XiaoMi/MiuiBrowser/2.1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://attacksite.com/html/part/86.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,en-US;q=0.8
id=datadatadasssssssssssssssssssssssssssssssssssssssssssassssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssadatadata
We received millions of similar requests, clearly suggesting a flood. Let's take a deeper look at this request.
First, let's note that the headers look legitimate. We often see floods issued by Python or Ruby scripts, with weird Accept-Language or User-Agent headers. But this one doesn't look like it. This request is a proper request issued by a real browser.
Next, notice the request is a POST and contains an Origin header — it was issued by an Ajax (XHR) cross Continue reading
Earlier this week, my colleague Bob Noel wrote a blog post on converged networking. As industry buzz surrounding hyperconvergance gets louder and louder, it is important to take into account the network that underpins these hyperconverged systems of tomorrow. Here at Plexxi we know that the network has to be more dynamic, innovative and agile to deliver on the promise of hyperconverged infrastructure and we’re thrilled to be a part of the conversation and the solution. Take a look at Bob’s blog post to learn more about our converged networks and why the network is so important for successful converged deployments.
Below please find a few of our top picks for our favorite news articles of the week. Enjoy!
CBR: What does hyper-converged infrastructure mean for the future of enterprise application delivery?
By Gary Newe
Hyper-convergence is an extension of a converged infrastructure, where compute, server, storage, networking resources and software are pooled together on commodity hardware. They are usually systems from separate companies but designed to work very well together. The benefits of this include massively simplified management, which makes things faster, more agile and more efficient. It’s one of the foundations of virtualisation, but hyper-convergence allows for even Continue reading
VXLAN is an encapsulation protocol you can use for network virtualization. We'll discuss VXLAN use cases, pros and cons, and design considerations.
The post Show 256 – Design & Build 6 – VXLAN Use Cases appeared first on Packet Pushers.