Our presentation to UKNOF in September 2020
In two very long nights of maintenance we acheived:
- Full table BGP on VyOS converge time in seconds
- Routing on MikroTiks converges near-instantly
- BCP38 (customers cannot spoof source address)
- IRR filtering* (only accept where route/route6 object)
- RPKI (will not accept invalid routes from P/T)
- Templated configuration (repeatable, automated) Single source of truth (the docs become the config)
Marek discusses how his company Faelix uses MikroTik hardware and RouterOS at their network edges to route over 600k IPv4 and 30k IPv6 routes. While there were some initial issues, MikroTik has proven reliable and cost-effective. Marek then explains how Faelix implements firewalling with zero filter rules through a multi-step process. They use fail2ban to block brute force attacks, AMQP to share block lists across routers, and destination NAT misbehaving traffic. Most importantly, they leverage the "/ip route rule" feature to route blocked traffic to a separate routing table for easy isolation without complex firewall rules.
Full table BGP on VyOS converge time in seconds
Routing on MikroTiks converges near-instantly
BCP38 (customers cannot spoof source address)
IRR filtering (only accept where route/route6 object)
RPKI (will not accept invalid routes from P/T)
Templated configuration (repeatable, automated)
Single source of truth (the docs become the config)
VyOS SaltStack YAML Netbox BGP OSPF FRR RPKI IRR XDP
bgpq3 UTRS RTBH NetFlow
RIPE NCC Update 2019-10-02
The document summarizes APNIC's deployment of IPv6 services, including their initial allocation and address planning, DNS deployment on dual stack servers, web, FTP, mail, load balancing, internal LAN/WiFi, and VPN services. It discusses lessons learned around testing IPv6 functionality before adding AAAA records, using low TTLs initially, ensuring reverse DNS works, and expanding monitoring to cover IPv6 connectivity and services. IPv6 services are now also offered on cloud platforms.
Things I wish I had known about IPv6 before I startedFaelix Ltd
The document discusses things the author wishes they had known about IPv6 before starting to implement it for their small provider network. It covers IPv6 justification in terms of IPv4 address scarcity and rising costs, advice on IPv6 addressing plans and transition technologies, and gotchas like IPv6 neighbor discovery exhaustion issues. The author advocates for embracing IPv6 to avoid expensive IPv4 solutions and make the most of the large IPv6 allocations provided.
WebRTC in Telefonica with TU and Tuenti
TU and Tuenti are exploring using WebRTC for their voice services. This would allow for calling across multiple devices using the same account. They are investigating using their existing XMPP/chat infrastructure for signaling and WebRTC standards like ICE, SRTP, and DTLS for media negotiation and security. Challenges include handling the cellular network leg and avoiding issues like "splash ringing" during call setup across devices on different networks.
VMware expert Motonori Shindo presented on L2 over L3 encapsulation protocols like VXLAN, NVGRE, STT, and Geneve. He explained how each protocol works including header formats and provided ecosystem updates. He believes Geneve has potential as it allows for extensibility through options fields while leveraging NIC offloading, but that VXLAN is already widely adopted. Critics argue its goals could be achieved through other means.
Marek discusses how his company Faelix uses MikroTik hardware and RouterOS at their network edges to route over 600k IPv4 and 30k IPv6 routes. While there were some initial issues, MikroTik has proven reliable and cost-effective. Marek then explains how Faelix implements firewalling with zero filter rules through a multi-step process. They use fail2ban to block brute force attacks, AMQP to share block lists across routers, and destination NAT misbehaving traffic. Most importantly, they leverage the "/ip route rule" feature to route blocked traffic to a separate routing table for easy isolation without complex firewall rules.
Full table BGP on VyOS converge time in seconds
Routing on MikroTiks converges near-instantly
BCP38 (customers cannot spoof source address)
IRR filtering (only accept where route/route6 object)
RPKI (will not accept invalid routes from P/T)
Templated configuration (repeatable, automated)
Single source of truth (the docs become the config)
VyOS SaltStack YAML Netbox BGP OSPF FRR RPKI IRR XDP
bgpq3 UTRS RTBH NetFlow
RIPE NCC Update 2019-10-02
The document summarizes APNIC's deployment of IPv6 services, including their initial allocation and address planning, DNS deployment on dual stack servers, web, FTP, mail, load balancing, internal LAN/WiFi, and VPN services. It discusses lessons learned around testing IPv6 functionality before adding AAAA records, using low TTLs initially, ensuring reverse DNS works, and expanding monitoring to cover IPv6 connectivity and services. IPv6 services are now also offered on cloud platforms.
Things I wish I had known about IPv6 before I startedFaelix Ltd
The document discusses things the author wishes they had known about IPv6 before starting to implement it for their small provider network. It covers IPv6 justification in terms of IPv4 address scarcity and rising costs, advice on IPv6 addressing plans and transition technologies, and gotchas like IPv6 neighbor discovery exhaustion issues. The author advocates for embracing IPv6 to avoid expensive IPv4 solutions and make the most of the large IPv6 allocations provided.
WebRTC in Telefonica with TU and Tuenti
TU and Tuenti are exploring using WebRTC for their voice services. This would allow for calling across multiple devices using the same account. They are investigating using their existing XMPP/chat infrastructure for signaling and WebRTC standards like ICE, SRTP, and DTLS for media negotiation and security. Challenges include handling the cellular network leg and avoiding issues like "splash ringing" during call setup across devices on different networks.
VMware expert Motonori Shindo presented on L2 over L3 encapsulation protocols like VXLAN, NVGRE, STT, and Geneve. He explained how each protocol works including header formats and provided ecosystem updates. He believes Geneve has potential as it allows for extensibility through options fields while leveraging NIC offloading, but that VXLAN is already widely adopted. Critics argue its goals could be achieved through other means.
Linux offers an extensive selection of programmable and configurable networking components from traditional bridges, encryption, to container optimized layer 2/3 devices, link aggregation, tunneling, several classification and filtering languages all the way up to full SDN components. This talk will provide an overview of many Linux networking components covering the Linux bridge, IPVLAN, MACVLAN, MACVTAP, Bonding/Team, OVS, classification & queueing, tunnel types, hidden routing tricks, IPSec, VTI, VRF and many others.
This document contains configuration details for setting up an ACI Multi-Pod topology including IPN switches, APIC clusters, POD fabrics, access policies, and BGP route reflectors. It provides instructions on configuring the network topology with leaf-spine switches connected across multiple PODs, configuring the APICs with fabric profiles and settings, and setting policies for switch, interface, and fabric configurations.
Romana v2.0 is networking software that allows Kubernetes clusters running in EC2 VPCs to achieve native VPC networking without using overlays. It uses topology aware IPAM to assign pod IPs from different address ranges based on their subnet location. Romana routers maintain routes between these prefix groups and advertise them to the VPC route table. This enables large, multi-AZ Kubernetes clusters to leverage all available VPC routes while supporting features like network policy and inter-availability zone connectivity without an overlay network. A preview release of Romana v2.0 is expected on July 31st.
This document provides instructions on configuring a router on a stick topology. It describes configuring a switch port as a trunk, and then creating subinterfaces on the router's physical interface that correspond to each VLAN. It shows assigning IP addresses to the subinterfaces to act as the default gateway for each VLAN subnet. Finally, it describes configuring PCs with IP addresses in the correct subnets and default gateways, and confirms connectivity between the VLANs via ping tests through the router.
The document describes the configuration of a multi-pod ACI topology with IPN connectivity. It includes steps to configure the APIC clusters, fabric pods, EVPN connectivity between pods, IPN VLANs and subnets, OSPF routing in the IPN, and interface policies for IPN traffic. The goal is to establish IP network connectivity between remote pods using ACI spine switches as IPN routers.
Cisco CCNA Training/Exam Tips that are helpful for your Certification Exam!
To be Cisco Certified please Check out:
http://asmed.com/information-technology-it/
This document discusses Kubernetes networking using Open vSwitch and OpenFlow. It provides an overview of Open vSwitch and Kubernetes, explains how containers are networked using Docker and Kubernetes, and how the Container Network Interface (CNI) can be used with Open vSwitch to provide networking. It then covers the networking models and lifecycles of packets between pods on the same node and different nodes.
OpenStack DVR (Distributed Virtual Router) allows L3 routing functions to be distributed across compute nodes by creating router namespaces on each compute node. This avoids bottlenecks and single points of failure at network nodes. DVR supports east-west inter-subnet routing, SNAT for external access without floating IPs, and floating IPs associated with internal VMs for direct external access. Traffic flows are encapsulated in VXLAN/GRE tunnels between compute nodes and routed appropriately within each node's router namespace.
The document discusses the configuration of VLANs on switches and subinterfaces on routers to support both IPv4 and IPv6 routing. VLANs allow logical separation of IP networks on a single physical switch. Subinterfaces on routers assign unique IP addresses, subnets, and VLAN associations to support multiple logical networks on a single physical interface. Example configurations are provided for switches to assign ports to VLANs 10, 20 and 30 and for routers to configure subinterfaces with IPv4 and IPv6 addresses for VLANs 10, 20, 30 using RIP and RIPng routing protocols.
How to Configure NetFlow v5 & v9 on Cisco RoutersSolarWinds
This document provides instructions for configuring NetFlow versions 5 and 9 on Cisco routers to monitor network traffic. It explains that NetFlow collects IP traffic data, what versions 5 and 9 are, and how to configure each version on a router by specifying the collector server, export port, and interfaces. It also describes how to verify the NetFlow export and how tools like SolarWinds NetFlow Traffic Analyzer analyze exported data to provide network usage insights.
The document describes the basic BGP configuration of routers R1, R2, and ISPs Airtel, Reliance, and Vodafone. It defines the interfaces of each router and ISP with IP addresses. It also outlines the BGP configuration of each entity with AS numbers, neighbor definitions, and network advertisements. Troubleshooting commands like show ip route, show ip bgp summary, and show ip bgp neighbor are listed.
Best Current Operational Practices - Dos, Don’ts and lessons learnedMaximilan Wilhelm
Max und Falk versammeln knapp 42 Jahre Erfahrung in der Netzwerk- und Open-Source Praxis. In diesem Vortrag stellen sie schmerzhafte Erfahrungen vor und leiten daraus Best Practices für den Netzwerkbetrieb ab. Zusätzlich werden Best Community Practices vorgestellt und der ein oder andere Schwank aus den Anfangszeiten des Internet in Deutschland erzählt.
This document provides an overview of Network Address Translation (NAT) including:
- Why NAT is used to connect networks with private IP addresses to the Internet and during network mergers.
- NAT implementation considerations such as advantages of address conservation and flexibility but disadvantages of delays and incompatible applications.
- Common NAT configurations like dynamic NAT, dynamic NAT with overloading, and static NAT.
The document discusses the evolution of Cisco's ACI fabric and policy domains from ACI 1.0 to 3.0. It defines key ACI terminology and describes ACI MultiPod, which connects multiple pods within a fabric. ACI MultiPod supports configurations with up to 12 pods and 400 leaf switches. It also discusses ACI MultiSite, which extends ACI policies and networking across multiple availability zones or data centers using an Inter-Site Network.
This document discusses various tools used for web conferencing and live streaming including WIT53, Ustream, IPtalk Broadcaster, CamTwist, and Tiarra. It provides information on how to connect these tools via different devices and software configurations like ngIRCd to allow sharing video and audio over IRC in different encodings. Specific instructions are given for connecting CamTwist and Tiarra using UTF8 encoding through IRC and ngIRCd.
Dynamische Routingprotokolle Aufzucht und Pflege - OSPFMaximilan Wilhelm
Herzlichen Glückwunsch! Sie dürfen ein Netzwerk mit mehr als 2 Routern administrieren. Dieser Vortrag erläutert, warum statisches Routing keine Lösung ist und schneller als einem lieb ist zum Problem werden kann. Als Einführung in dynamisches Routing und OSPF, erklärt dieser Vortrag wie sich Router gegenseitig finden, Routen austauschen, was eine Area ist und wie die Link-State Datenbank funktioniert.
OSPF wird praktisch am Beispiel des Bird Internet Routing Daemons und in Zusammenspiel mit klassischen Herstellern gezeigt.
Krzysztof Mazepa - IOS XR - IP Fast ConvergencePROIDEA
This document discusses mechanisms for fast convergence on Cisco IOS-XR platforms like the CRS-1 and 12000 XR routers that allow service providers to achieve sub-second convergence, including IGP fast convergence, IP over DWDM proactive protection, BGP local convergence upon PE-CE link failure, and BGP prefix independent convergence. It provides examples of where these mechanisms should be deployed and evaluates their performance through case studies and test results.
You may have hoped to retire before IPv6 became a reality, but unfortunately the IPv4 address exhaustion came too fast. For the rest of us, we’re going to bite off a small piece of the 15-year old IPv6 pie and talk about how to get started!
• Address format refresher
• IPv4 and IPv6 protocol comparison
• IPv6 neighbor discovery and auto-configuration
• Current migration and coexistence strategies
• ICMPv6, DHCPv6, and DNSv6
• How to get started at home
6th floorsharingsession ep 1 - networking - arp v 1.0A Achyar Nur
Protocol that allows dynamic distribution of the information needed to build tables to translate an address A in protocol P’s address space into a 48.bit Ethernet address. (RFC826)
ARP Terminology, How ARP works, and etc
The document discusses service provider networks and frame relay. It provides instructions on building a frame relay network with hub and spoke routers using dynamic and static frame relay mappings. It also covers configurations for loopback interfaces, RIP routing protocol, and route redistribution between protocols to share routes.
From KubeCon to ContainerDays, eBPF is trendy in the Cloud Native world. What is eBPF, and why is it revolutionary, and what can it bring to you specifically?
Through concrete examples applied to observability, networking, and security, this talk will explain the principles of eBPF and its concrete advantages to connect and secure Cloud Native applications.
This talk will explain what is eBPF, why it is revolutionary is several fields, give examples of tools using eBPF and what they gain from it, and open up to the future of that technology.
Linux offers an extensive selection of programmable and configurable networking components from traditional bridges, encryption, to container optimized layer 2/3 devices, link aggregation, tunneling, several classification and filtering languages all the way up to full SDN components. This talk will provide an overview of many Linux networking components covering the Linux bridge, IPVLAN, MACVLAN, MACVTAP, Bonding/Team, OVS, classification & queueing, tunnel types, hidden routing tricks, IPSec, VTI, VRF and many others.
This document contains configuration details for setting up an ACI Multi-Pod topology including IPN switches, APIC clusters, POD fabrics, access policies, and BGP route reflectors. It provides instructions on configuring the network topology with leaf-spine switches connected across multiple PODs, configuring the APICs with fabric profiles and settings, and setting policies for switch, interface, and fabric configurations.
Romana v2.0 is networking software that allows Kubernetes clusters running in EC2 VPCs to achieve native VPC networking without using overlays. It uses topology aware IPAM to assign pod IPs from different address ranges based on their subnet location. Romana routers maintain routes between these prefix groups and advertise them to the VPC route table. This enables large, multi-AZ Kubernetes clusters to leverage all available VPC routes while supporting features like network policy and inter-availability zone connectivity without an overlay network. A preview release of Romana v2.0 is expected on July 31st.
This document provides instructions on configuring a router on a stick topology. It describes configuring a switch port as a trunk, and then creating subinterfaces on the router's physical interface that correspond to each VLAN. It shows assigning IP addresses to the subinterfaces to act as the default gateway for each VLAN subnet. Finally, it describes configuring PCs with IP addresses in the correct subnets and default gateways, and confirms connectivity between the VLANs via ping tests through the router.
The document describes the configuration of a multi-pod ACI topology with IPN connectivity. It includes steps to configure the APIC clusters, fabric pods, EVPN connectivity between pods, IPN VLANs and subnets, OSPF routing in the IPN, and interface policies for IPN traffic. The goal is to establish IP network connectivity between remote pods using ACI spine switches as IPN routers.
Cisco CCNA Training/Exam Tips that are helpful for your Certification Exam!
To be Cisco Certified please Check out:
http://asmed.com/information-technology-it/
This document discusses Kubernetes networking using Open vSwitch and OpenFlow. It provides an overview of Open vSwitch and Kubernetes, explains how containers are networked using Docker and Kubernetes, and how the Container Network Interface (CNI) can be used with Open vSwitch to provide networking. It then covers the networking models and lifecycles of packets between pods on the same node and different nodes.
OpenStack DVR (Distributed Virtual Router) allows L3 routing functions to be distributed across compute nodes by creating router namespaces on each compute node. This avoids bottlenecks and single points of failure at network nodes. DVR supports east-west inter-subnet routing, SNAT for external access without floating IPs, and floating IPs associated with internal VMs for direct external access. Traffic flows are encapsulated in VXLAN/GRE tunnels between compute nodes and routed appropriately within each node's router namespace.
The document discusses the configuration of VLANs on switches and subinterfaces on routers to support both IPv4 and IPv6 routing. VLANs allow logical separation of IP networks on a single physical switch. Subinterfaces on routers assign unique IP addresses, subnets, and VLAN associations to support multiple logical networks on a single physical interface. Example configurations are provided for switches to assign ports to VLANs 10, 20 and 30 and for routers to configure subinterfaces with IPv4 and IPv6 addresses for VLANs 10, 20, 30 using RIP and RIPng routing protocols.
How to Configure NetFlow v5 & v9 on Cisco RoutersSolarWinds
This document provides instructions for configuring NetFlow versions 5 and 9 on Cisco routers to monitor network traffic. It explains that NetFlow collects IP traffic data, what versions 5 and 9 are, and how to configure each version on a router by specifying the collector server, export port, and interfaces. It also describes how to verify the NetFlow export and how tools like SolarWinds NetFlow Traffic Analyzer analyze exported data to provide network usage insights.
The document describes the basic BGP configuration of routers R1, R2, and ISPs Airtel, Reliance, and Vodafone. It defines the interfaces of each router and ISP with IP addresses. It also outlines the BGP configuration of each entity with AS numbers, neighbor definitions, and network advertisements. Troubleshooting commands like show ip route, show ip bgp summary, and show ip bgp neighbor are listed.
Best Current Operational Practices - Dos, Don’ts and lessons learnedMaximilan Wilhelm
Max und Falk versammeln knapp 42 Jahre Erfahrung in der Netzwerk- und Open-Source Praxis. In diesem Vortrag stellen sie schmerzhafte Erfahrungen vor und leiten daraus Best Practices für den Netzwerkbetrieb ab. Zusätzlich werden Best Community Practices vorgestellt und der ein oder andere Schwank aus den Anfangszeiten des Internet in Deutschland erzählt.
This document provides an overview of Network Address Translation (NAT) including:
- Why NAT is used to connect networks with private IP addresses to the Internet and during network mergers.
- NAT implementation considerations such as advantages of address conservation and flexibility but disadvantages of delays and incompatible applications.
- Common NAT configurations like dynamic NAT, dynamic NAT with overloading, and static NAT.
The document discusses the evolution of Cisco's ACI fabric and policy domains from ACI 1.0 to 3.0. It defines key ACI terminology and describes ACI MultiPod, which connects multiple pods within a fabric. ACI MultiPod supports configurations with up to 12 pods and 400 leaf switches. It also discusses ACI MultiSite, which extends ACI policies and networking across multiple availability zones or data centers using an Inter-Site Network.
This document discusses various tools used for web conferencing and live streaming including WIT53, Ustream, IPtalk Broadcaster, CamTwist, and Tiarra. It provides information on how to connect these tools via different devices and software configurations like ngIRCd to allow sharing video and audio over IRC in different encodings. Specific instructions are given for connecting CamTwist and Tiarra using UTF8 encoding through IRC and ngIRCd.
Dynamische Routingprotokolle Aufzucht und Pflege - OSPFMaximilan Wilhelm
Herzlichen Glückwunsch! Sie dürfen ein Netzwerk mit mehr als 2 Routern administrieren. Dieser Vortrag erläutert, warum statisches Routing keine Lösung ist und schneller als einem lieb ist zum Problem werden kann. Als Einführung in dynamisches Routing und OSPF, erklärt dieser Vortrag wie sich Router gegenseitig finden, Routen austauschen, was eine Area ist und wie die Link-State Datenbank funktioniert.
OSPF wird praktisch am Beispiel des Bird Internet Routing Daemons und in Zusammenspiel mit klassischen Herstellern gezeigt.
Krzysztof Mazepa - IOS XR - IP Fast ConvergencePROIDEA
This document discusses mechanisms for fast convergence on Cisco IOS-XR platforms like the CRS-1 and 12000 XR routers that allow service providers to achieve sub-second convergence, including IGP fast convergence, IP over DWDM proactive protection, BGP local convergence upon PE-CE link failure, and BGP prefix independent convergence. It provides examples of where these mechanisms should be deployed and evaluates their performance through case studies and test results.
You may have hoped to retire before IPv6 became a reality, but unfortunately the IPv4 address exhaustion came too fast. For the rest of us, we’re going to bite off a small piece of the 15-year old IPv6 pie and talk about how to get started!
• Address format refresher
• IPv4 and IPv6 protocol comparison
• IPv6 neighbor discovery and auto-configuration
• Current migration and coexistence strategies
• ICMPv6, DHCPv6, and DNSv6
• How to get started at home
6th floorsharingsession ep 1 - networking - arp v 1.0A Achyar Nur
Protocol that allows dynamic distribution of the information needed to build tables to translate an address A in protocol P’s address space into a 48.bit Ethernet address. (RFC826)
ARP Terminology, How ARP works, and etc
The document discusses service provider networks and frame relay. It provides instructions on building a frame relay network with hub and spoke routers using dynamic and static frame relay mappings. It also covers configurations for loopback interfaces, RIP routing protocol, and route redistribution between protocols to share routes.
From KubeCon to ContainerDays, eBPF is trendy in the Cloud Native world. What is eBPF, and why is it revolutionary, and what can it bring to you specifically?
Through concrete examples applied to observability, networking, and security, this talk will explain the principles of eBPF and its concrete advantages to connect and secure Cloud Native applications.
This talk will explain what is eBPF, why it is revolutionary is several fields, give examples of tools using eBPF and what they gain from it, and open up to the future of that technology.
Cloud Traffic Engineer – Google Espresso Project by Shaowen MaMyNOG
The document discusses using an SDN controller and BGP EPE to enable inter-domain traffic engineering. The solution uses the controller to calculate optimal paths, push MPLS labels to ingress routers, and dynamically steer traffic to peering links. This allows automatic optimization for congestion and latency while simplifying ASBRs to only label switching with no IP lookup or policies. Telemetry from the network is also used for analytics and machine learning to enable predictive and adaptive traffic engineering across domains.
BGP is a popular routing protocol used in the Data Center (DC). But as the protocol that powers the Internet, it also comes armed with a lot of sophistication that scares many who think a CCIE or CCNA is required to even understand it.
Watch this presentation and learn:
*How BGP fits in the DC with specific use cases
*How to configure and manage BGP traditionally and via new methods
The Cisco Catalyst 3560-CX series WS-3560CX-12PD-S is a fanless, compact Ethernet switch with 12 Gigabit Ethernet ports and 2 Gigabit uplink ports plus 2 10G SFP+ uplinks. It provides 240W of PoE+ power and has a forwarding bandwidth of 34Gbps. The switch has a quiet, fanless design to provide flexible mounting options in space-constrained areas.
This document discusses setting up a redundant LAN network. It describes what a LAN network is and the importance of network redundancy. It then provides details on various methods for implementing redundancy, including creating VPNs, using redundancy protocols like HSRP and VRRP, basic routing, MPLS routing, access lists, NAT/PAT, and configuring redundant LAN connections. The document includes configuration examples and concludes that the project was a valuable learning experience for understanding real-world networking operations.
Now more than ever, today’s businesses require reliable network connectivity and access to corporate resources. Connections to and from business units, vendors and SOHOs are all equally important to keep the continuity when needed. Business runs all day, every day and even in off hours. Most companies run operations around the clock, seven days a week so it’s important to realize that to keep a solid business continuity strategy, redundancy technologies should be considered and/or implemented.
So, we need to keep things up and available all the time. This is sometimes referred to five nines (99.999) uptime. The small percentage of downtime is accounted for unforeseen incidents, or ‘scheduled maintenance’ and usually set to take place during times of least impact, like in the middle of the night, or on holiday weekends if planned. If this is not a part of your systems and network architecture it should be considered if you want to keep a high level of availability. Because things break and unforeseen events do take place, we need to evaluate the need for creating an architecture that is ‘highly available’, or up as much as possible, with failures foreseen ahead of time and the only downtime, is to do planned maintenance.
The document provides details about the Cisco Nexus 3172TQ-XL switch, including its specifications, features, ports, memory, dimensions, standards compliance, and supported protocols. It is a 1 RU switch with 48 10GBASE-T ports, 6 QSFP+ ports, 8GB of RAM, and dual-core 2.5GHz CPUs. It supports technologies like Ethernet, IP routing, VLANs, Spanning Tree, and more.
The Cisco Nexus 3172TQ-32T is a 1 RU switch with 32 10GBASE-T ports and 6 QSFP+ ports, with a switching capacity of 1.4 Tbps and forwarding rate of up to 1 bpps. It has 4 GB of memory, 2 power supplies, and dimensions of 4.4 x 43.9 x 50.5 cm. To enable the remaining 16 10GBASE-T ports, a 16-port upgrade license must be installed.
The WS-C4500X-16SFP+ is a Cisco Catalyst 4500-X Series fixed aggregation switch with 16 1G or 10G Ethernet ports. It delivers scalability, network virtualization, and integrated services for space-constrained campus network environments. The switch has a switching capacity of up to 800Gbps, 4GB of onboard memory, and supports features including IPv4/IPv6 routing, VLANs, QoS, ACLs, and high availability. It measures 4.4 x 43.8 x 53.3 cm and weighs 16.29kg. Optional modules include 8-port 10GE uplink and redundant power supplies.
The document discusses IPv6 addressing, software versions, and topology issues for campus networks. It recommends using a /48 address block and sequentially assigning the remaining 16 bits for subnets. Router software like JUNOS 5.1 and IOS 12.2T and later provide line-rate IPv6 support. Topology designs include layer 2 and 3 campus options with IPv6 routers and dual-stack hosts. The document also covers DNS, equipment needs, and a lack of IPv6 traffic on networks.
The Pug is a breed of dog with a wrinkly, short-muzzled face, and curled tail. The breed has a fine, glossy coat that comes in a variety of colours, most often fawn or black, and a compact square body with well-developed muscles.
Pugs were brought from China to Europe in the sixteenth century and were popularized in Western Europe by the House of Orange of the Netherlands, and the House of Stuart.In the United Kingdom, in the nineteenth century, Queen Victoria developed a passion for pugs which she passed on to other members of the Royal family. Pugs are known for being sociable and gentle companion dogs.[3] The breed remains popular into the twenty-first century, with some famous celebrity owners. A pug was judged Best in Show at the World Dog Show in 2004.
Donald J. Trump For President, Inc. –– Why Now?
On November 8, 2016, the American People delivered a historic victory and took our country back. This victory was the result of a Movement to put America first, to save the American economy, and to make America once again a shining city on the hill. But our Movement cannot stop now - we still have much work to do.
This is why our Campaign Committee, Donald J. Trump for President, Inc., is still here.
We will provide a beacon for this historic Movement as our lights continue to shine brightly for you - the hardworking patriots who have paid the price for our freedom. While Washington flourished, our American jobs were shipped overseas, our families struggled, and our factories closed - that all ended on January 20, 2017.
This Campaign will be a voice for all Americans, in every city near and far, who support a more prosperous, safe and strong America. That’s why our Campaign cannot stop now - our Movement is just getting started.
Together, we will Make America Great Again!
Cisco usNIC: how it works, how it is used in Open MPIJeff Squyres
The document discusses Cisco's usNIC (Cisco Userspace NIC) and Cisco's entry into the server market through its UCS (Cisco Unified Computing System) servers. It provides details on Cisco's 1U and 2U Intel-based servers, which provide low-latency 10 and 40Gb Ethernet connectivity. The document also summarizes how Cisco has achieved the #2 market share position in the blade server market due to customers' demand for data center innovation and Cisco UCS's record-setting performance benchmarks.
The document describes plans for implementing and verifying an eBGP solution:
1. Determine resources and create an implementation plan to configure eBGP routing between autonomous systems.
2. Create a verification plan to verify the eBGP solution is working properly using show and debug commands.
3. Document the results of implementing and verifying the eBGP configuration.
This document describes a technique called simple virtual aggregation that can save router memory by suppressing more specific routes in the Routing Information Base (RIB) and Forwarding Information Base (FIB) if they have the same next hop as the default route. It monitors the default route in the BGP table and suppresses installation of specific routes with the same next hop, reducing the number of routes in RIB/FIB. Testing on a Cisco 3825 router showed this reduced the memory used by BGP and RIB/FIB from 230MB to 73MB. The technique is based on an IETF draft and can help smaller routers avoid running out of data plane memory due to many internet routes.
How we found a firewall vendor bug using Teleport as a bastion jump hostFaelix Ltd
Teleport is an SSH system which we’ve fallen in love with. There are some great security features, of course:
- two factor authentication right out of the box
- acts as ssh certificate authority issuing short-lived credentials
- commercial options for role-based access control
But the features which we find most compelling are the ones you can’t get as easily with the likes of OpenSSH:
- session recording which can be used for audit or to refer back to from troubleshooting tickets
- session sharing so that our customers or junior staff can learn-by-doing, just like having dual controls on a car
- NAT-piercing to help manage devices within customer networks that do not have direct Internet connectivity
We have been using Teleport on a number of projects and with several customers:
- a remote probe deployment to debug a strange, intermittent connectivity problem (given as a talk at UKNOF 40 in conjunction with David Farrar of Exa Networks)
- training sessions with customers’ technical staff to show them a slightly unusual systems administration request — and the resulting session recording is an excellent reference for next time their staff encounter a similar request for changes
- paralleling pair programming we have been able to “observe” or “navigate” while junior staff “drive” the console to perform systems or network adminstration for the first time
I’ve evangelised Teleport because I feel its use fits with our philosophy of openness. Teleport could complement the knowledge sharing that goes on within network operations teams, and help senior staff work out the playbooks and improve operational procedures for their junior staff. At least one service provider was inspired by my longer Teleport presentation at NetMcr and set their junior staff the background task of moving all out-of-band access to their POP infrastructure to Teleport. I hope that their use of this tool empowers their junior engineers to take on more work, while satisfying any regulatory or audit requirements that security staff worry about.
The Story of CVE-2018-19299 - finding and reporting bugs in Mikrotik RouterOS v6Faelix Ltd
During some research which found CVE-2018-19298 (MikroTik IPv6 Neighbor Discovery Protocol exhaustion), I uncovered a larger problem with MikroTik RouterOS’s handling of IPv6 packets. This led to CVE-2018-19299 vulnerability in RouterOS which allowed for remote, unauthenticated denial of service.
Keeping your rack cool with one "/IP route rule"Faelix Ltd
This document discusses how Faelix, an ISP, uses MikroTik hardware and RouterOS at their provider edge to route over 600k IPv4 routes and 30k IPv6 routes. They initially migrated from Quagga and BIRD on Linux servers to MikroTik due to its energy efficiency and affordable hardware. While there were some bugs experienced, MikroTik has proven reliable overall. The document then explains how Faelix is able to firewall traffic with zero filter rules using a single "/ip route rule" to mark and route traffic to a separate routing table based on address lists from fail2ban and AMQP. This allows blocking of attacking traffic at the provider edge across multiple data centers in a
Marek Isalski, Faelix.net Ltd, describes the MikroTik range of routers and their applications, gives a pros and cons summary, and recommendations for budget provider edge deployment.
Discover the benefits of outsourcing SEO to Indiadavidjhones387
"Discover the benefits of outsourcing SEO to India! From cost-effective services and expert professionals to round-the-clock work advantages, learn how your business can achieve digital success with Indian SEO solutions.
Ready to Unlock the Power of Blockchain!Toptal Tech
Imagine a world where data flows freely, yet remains secure. A world where trust is built into the fabric of every transaction. This is the promise of blockchain, a revolutionary technology poised to reshape our digital landscape.
Toptal Tech is at the forefront of this innovation, connecting you with the brightest minds in blockchain development. Together, we can unlock the potential of this transformative technology, building a future of transparency, security, and endless possibilities.
Gen Z and the marketplaces - let's translate their needsLaura Szabó
The product workshop focused on exploring the requirements of Generation Z in relation to marketplace dynamics. We delved into their specific needs, examined the specifics in their shopping preferences, and analyzed their preferred methods for accessing information and making purchases within a marketplace. Through the study of real-life cases , we tried to gain valuable insights into enhancing the marketplace experience for Generation Z.
The workshop was held on the DMA Conference in Vienna June 2024.
Instagram has become one of the most popular social media platforms, allowing people to share photos, videos, and stories with their followers. Sometimes, though, you might want to view someone's story without them knowing.
4. Who?
Marek and Lou and Laura
A bunch of @NetworkMoose
Giants:
FRR, Routinator 3000, VyOS+contributors, Linux,
netfilter/iptables, Salt+contributors, RIPE+RIRs,
Team Cymru, DigitalOcean+Netbox-contributors…
5. The Story So Far…
2019-04: UKNOF43 MikroTik IPv6 routing vuln talk
Hinted about AS41495's future plans
7. The Story So Far…
2019-04: UKNOF43 MikroTik IPv6 routing vuln talk
Hinted about AS41495's future plans
2019-10: NetMcr40 post-migration tech talk
Mentioned shortcomings and follow-on actions
2020-04: UKNOF46 talk on operational experience
…postponed till next time?
8. The Story So Far…
2019-04: UKNOF43 MikroTik IPv6 routing vuln talk
Hinted about AS41495's future plans
2019-10: NetMcr40 post-migration tech talk
Mentioned shortcomings and follow-on actions
2020-04: UKNOF46 talk on operational experience
…postponed till next time?
no time like the present!
9. Where?
This story all took place in:
Reynolds House (Equinix MA2)
Williams House (Equinix MA1)
…and then "laps of honour" in:
AQL DC2
Telehouse West and North
Interxion LON2
12. Why?
RIPE NCC Update 2019-10-02
Today we allocated the last of our contiguous /22
IPv4 address blocks. We still have approximately
one million addresses available, in the form of
/23s and /24s, and we will continue making /22-
equivalent allocations made up of these smaller
blocks. Once we can no longer allocate the
equivalent of a /22, we will announce that we have
reached run-out. We expect this to occur in
November 2019.
21. How?
4x 10G SFP+ ports (must not be RJ45, cannot be
QSFP+ with SFP+ breakout)
At least 2x 1G RJ45 ports
Low CPU power draw
Prefer GHz over cores (single-thread performance)
~16 Gb RAM
Ideally 1U
Ideally dual PSU and IPMI
27. VyOS
Linux
FRR (Quagga fork) for routing protocols
iproute2, iptables, ipset, etc
VyOS 1.3: planned XDP (eXpress Data Path) support
Like DPDK / FDIO / VPP (but less tap/vif mess)
Up towards 20Mpps per CPU core…!
28. SaltStack
Big investment in Salt @faelix
Use it for bare metal (virtualisation clusters)
Use it for our ISP services and NFVs
Use it for full-/part-managed customer VPSs
…why not use it for routers?
VyOS includes salt-minion (agent)
29. Introducing: hphr
"Halophile Router" (salt-loving)
Uses Netbox for single source-of-truth
Uses SLS (YAML) for anything not possible in Netbox
Generates a VyOS router configuration file
Loads, compares, commits, saves to config.boot
Released open-source: github.com/faelix/hphr
40. BCP38 Implementation
Throws away entire VyOS firewall stack
Native commands are off-limits fragility
Currently using iptables
Will transition to nft it's the future, offload, etc
Eventually move this into XDP
Along with routing decision more PPS
69. So: Reboot the Router
https://phabricator.vyos.net/T1514
FRR's running-config not "refreshable" if a
daemon crashes, can only reboot router to make
VyOS send new running-config
or: delete protocols bgp 41495, commit,
load /config/config.boot, commit
Rebooting a router is annoying, but we're in a
maintenance window, the other router is ok, so we're
gonna be ok.
73. FRR Converges BGP Fast
Router booted up
Began configuring itself
Brought interfaces up
Brought BGP instance up
Cogent transit session established
Peering sessions on LINX established
…then …?
74. FRR Converges BGP Fast
Router booted up
Began configuring itself
Brought interfaces up
Brought BGP instance up
Cogent transit session established
Peering sessions on LINX established
…then VyOS applied prefix-lists and route-maps
75. FRR Converges BGP Fast
Router booted up
Began configuring itself
Brought interfaces up
Brought BGP instance up
Cogent transit session established
Peering sessions on LINX established
…then VyOS applied prefix-lists and route-maps :-(
76. FRR Converges BGP Fast
Router booted up
Began configuring itself
Brought interfaces up
Brought BGP instance up
Cogent transit session established
Peering sessions on LINX established
…then VyOS applied prefix-lists and route-maps :-(
99. XXXTODO
Add features to FRR, provide VyOS workarounds, or
make Salt states for router reboot maintenance
Speed-up VyOS' prefix-list insertion into FRR T2425
VyOS to refresh config into FRR's daemons T2175
Fragility of VyOS firewalling when replaced with
barebones iptables from hphr
NIC parameter and bare metal router sysctl tuning
XDP (hopefully we get time to follow on from @atoonk)
100. What We Achieved
Two very long nights of maintenance (plus London)
Full table BGP on VyOS converge time in seconds
Routing on MikroTiks converges near-instantly
BCP38 (customers cannot spoof source address)
IRR filtering* (only accept where route/route6 object)
RPKI (will not accept invalid routes from P/T)
Templated configuration (repeatable, automated)
Single source of truth (the docs become the config)
101. VYOS & RPKI
AT THE
BGP AS EDGE
E: marek @ faelix . net
T: @maznu
E: lou @ faelix . net
T: @gremlinlou