Today's Heavy Networking goes deep on Network Access Control (NAC) for wired and wireless networks. Our guest is Arne Bier, a Senior Consulting Engineer and CCIE. We hit a bunch of topics including MAC authentication bypass, client certificates, EAP methods, and more. We also discuss reasons why NAC is worth deploying despite the effort.
Opening night of Web Summit 2021, at the Altice Arena in Lisbon, Portugal. Photo by Sam Barnes/Web Summit
Global in-person events were back in a big way at the start of November (1-4) in Lisbon, Portugal, with Web Summit 2021 gathering more than 42,000 attendees from 128 countries. I was there to discover Internet trends and meet interesting people. What I saw was the contagious excitement of people from all corners of the world coming together for what seemed like a type of normality in a time when the Internet “is almost as important as having water”, according to Sonia Jorge from the World Wide Web Foundation.
Here’s some of what I heard in the halls.
With a lot happening on a screen, the lockdowns throughout the pandemic showed us a glimpse of what the metaverse could be, just without VR or AR headsets. Think about the way many were able to use virtual tools to work all day, learn, collaborate, order food, supplies, and communicate with friends and family — all from their homes.
While many had this experience, many others were unable to, with some talks at the event focusing on the digital divide and how “Internet access
In this Linux tip, learn how to use the free command. It doesn't mean a command that you are not paying for, but one that tells you how much memory – physical and swap – is being used on your Linux system including how much is "free" and how much is available.
Here’s one of the secrets to AWS’s unprecedented scale and financial success: they quickly figured out that some services are not worth delivering. Most everyone else believes in building snowflake single-customer solutions to solve imaginary problems, effectively losing money while doing so.
In a previous post I showed you how to configure a port mirror in Proxmox. In that post, I used a bit of a dirty hack (bash scripts and crontab) to ensure the port mirror is activated if the host or the VM reboots. Luckily for me, I have some really smart colleagues who mentioned
Snippet from internal presentation about UDP inner workings in Spectrum. Who said UDP is simple!
Historically Cloudflare's core competency was operating an HTTP reverse proxy. We've spent significant effort optimizing traditional HTTP/1.1 and HTTP/2 servers running on top of TCP. Recently though, we started operating big scale stateful UDP services.
Stateful UDP gains popularity for a number of reasons:
— QUIC is a new transport protocol based on UDP, it powers HTTP/3. We see the adoption accelerating.
— We operate WARP — our Wireguard protocol based tunneling service — which uses UDP under the hood.
Although UDP is simple in principle, there is a lot of domain knowledge needed to run things at scale. In this blog post we'll cover the basics: all you need to know about UDP servers to get started.
Connected vs unconnected
How do you "accept" connections on a UDP server? If you are using unconnected sockets, you generally don't.
But let's start with the basics. UDP sockets can be "connected" (or "established") or "unconnected". Connected sockets have a full 4-tuple associated {source ip, source port, destination ip, destination port}, unconnected
A friend of mine sent me a link to a lengthy convoluted document describing the 17-step procedure (with the last step having 10 micro-steps) to follow if you want to run NSX manager on top of N-VDS, or as they call it: Deploy a Fully Collapsed vSphere Cluster NSX-T on Hosts Running N-VDS Switches1.
You might not be familiar with vSphere networking and the way NSX-T uses that (in which case I can highly recommend vSphere and NSX webinars), so here’s a CliffsNotes version of it: you want to put the management component of NSX-T on top of the virtual switch it’s managing, and make it accessible only through that virtual switch. What could possibly go wrong?
No part of this blogpost could be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical or photocopying, recording, or otherwise, for commercial purposes without the prior permission of the author.
Network Automation Is So Popular These Days… Shall I Do Something Different?
Network Automation is indeed getting more and more popular. There are a few reasons for that: on the one hand, networks are getting more complex with all the fancy SDx technologies (SDN, SD-WAN, SDA, etc.); on the other hand, new services have to be delivered quicker and quicker. Doing the things manually
Flexible infrastructure choices and application architectures are changing the way that modern enterprises run their distributed environments (see Figure 1). Enterprises have become application-centric, investing significant effort and resources in continuous delivery goals and DevOps practices in order to automate routine IT and operations tasks.
Hardware-based application delivery controllers (ADCs) have been the staple of application delivery in data centers for the last two decades. However, these legacy load balancing solutions aren’t keeping up with the changes in modern, dynamic capacity and automation needs. Legacy hardware-based ADCs have become inflexible in the face of changing requirements, delaying application rollouts and causing overspending and overprovisioning in many cases. Most enterprises experience the “do more with less but faster” challenges shown in Figure 2 when it comes to rolling out new applications or updates, which can often take weeks.
With aggressive continuous delivery goals and ever-greater customer expectations, businesses are pushing back against delays due to hardware provisioning and manual configurations of ADCs that slow time to market for application deployments and updates.
Figure 1: Computing today: Evolving app architectures and infrastructure heterogeneity.
Figure 2: Legacy hardware-based load balancing solutions are not keeping up with the modern pace of business.
When we analyzed the financial reports coming out of hyperconverged platform maker Nutanix thirteen weeks ago, we lamented the fact that while Nutanix defined a new market and is one of the leaders in that market, it has been unable to expand its market fast enough to become a profitable company even after being in the field for more than a decade. …
The enterprise rush to embrace multicloud and hybrid cloud has not slowed over the past several years and, indeed, has only accelerated during the COVID-19 pandemic as organizations rushed to leverage cloud services to adapt to their suddenly highly distributed IT environments, with most of their employees working remotely. …
It's always better to catch misconfigurations and security issues earlier in your pipeline rather than later. That's especially true for cloud services where a simple configuration error can expose sensitive assets to the entire Internet. On today's Day Two Cloud podcast we discuss how to incorporate security checks into your Infrastructure-as-Code (IaC) workflows. Our guest is Christophe Tafani-Dereeper, a cloud security engineer.
I got into an interesting debate after I published the Anycast Works Just Fine with MPLS/LDP blog post, and after a while it turned out we have a slightly different understanding of what anycast means. Time to fall back to a Wikipedia definition:
Anycast is a network addressing and routing methodology in which a single destination IP address is shared by devices (generally servers) in multiple locations. Routers direct packets addressed to this destination to the location nearest the sender, using their normal decision-making algorithms, typically the lowest number of BGP network hops.
Based on that definition, any transport technology that allows the same IP address or prefix to be announced from several locations supports anycast. To make it a bit more challenging, I would add “and if there are multiple paths to the anycast destination that could be used for multipath forwarding1, they should all be used”.
It is refreshing to find instances in the IT sector where competing groups with their own agendas work together for the common good and the improvement of systems everywhere. …