OMG, VXLAN Encapsulation Has No Security!

Every now and then someone actually looks at the VXLAN packet format and eventually figures out that VXLAN encapsulation doesn’t provide any intrinsic security.

TL&DR Summary: That’s old news, the sky is not falling, and deploying VXLAN won’t make your network less secure than traditional VLAN- or MPLS-based networks.

Hardware Gateways in Overlay Virtual Networks

Whenever I’m running an SDDC workshop or doing on-site SDN/SDDC-related consulting, the question of hardware gateways between overlay virtual networks and physical world inevitably pops up.

My usual answer: You have to understand (A) what type of gateway you need, (B) what performance you need and (C) what form factor will give you that performance. For more details, watch the Hardware Gateways video from Scaling Overlay Virtual Networks webinar

Great News: My Workshops Are Available from NIL Data Communications

In the last few months I ran into a sweet problem: dozens of organizations would like to have on-site SDN, SDDC or IPv6 workshop. Obviously I had to turn many of them down, and my calendar is almost full till early November.

A week ago I also found a solution: my friends at NIL Data Communications will start offering the same workshops with their instructors.

Rearchitecting L3-Only Networks

One of the responses I got on my “What is Layer-2” post was

Ivan, are you saying to use L3 switches everywhere with /31 on the switch ports and the servers/workstation?

While that solution would work (and I know a few people who are using it with reasonable success), it’s nothing more than creative use of existing routing paradigms; we need something better.

Update 2015-04-22 14:30Z - Added a link to Cumulus Linux Redistribute Neighbor feature.

When Did SDN Really Start?

You might remember my blog post claiming we had a system with SDN-like properties more than 20 years ago.

It turns out SDN is older than that – Rob Faulds found an old ComputerWorld ad from 1989 promoting AT&T SDN service, and it seems SDN was in operation as early as 1985.

NSONE – Data-Driven DNS on Software Gone Wild

DNS is a crucial component in modern scale-out application architectures, so when Alex Vayl and Kris Beevers from NSONE contacted me just as I was starting to work on my Active-Active Data Centers presentation, I was more than interested to hear what their solution can do.

The result: Episode 29 of Software Gone Wild in which we discussed a number of topics including:

How Do I Get Started with SDN and Virtualization?

Here’s a short question I got from one of my readers:

I am a CCIE in SP/DC & working as Technical Architect in US. I follow your website but I don’t know where to start for SDN/Virtualization/Openstack…

I guess he’s not alone, so here’s a long list of resources I put together in the last 5+ years.

Before I get started: you’ll find links to most of these resources on ipSpace.net SDN Resources page.

Design Challenge: Multiple Data Centers Connected with Slow Links

One of my readers sent me this question:

What is best practice to get a copy of the VM image from DC1 to DC2 for DR when you have subrate (155 Mbps in my case) Metro Ethernet services between DC1 and DC2?

The slow link between the data centers effectively rules out any ideas of live VM migration; to figure out what you should be doing, you have to focus on business needs.

Video: IPv6 Microsegmentation

The video of my Troopers 15 IPv6 Microsegmentation presentation has been published on YouTube. As with the Automating Network Security video, it’s hard to read the slides; you might want to look at the slide deck on my public content web site.

You’ll find more about this topic, including tested Cisco IOS configurations, in IPv6 Microsegmentation webinar.

There’s a Difference between Scaling and Not Being Stupid

I was listening to one of the HP SDN Packet Pushers podcasts in which Greg made an interesting comment along the lines of “people say that OpenFlow doesn’t scale, but what HP does with its IMC is it verifies the amount of TCAM in the switches, checks whether it can install new flows, and throws an alert if it runs out of TCAM.

Are your ESXi uplinks saturated?

Iwan Rahabok sent me a link to a nice vRealize setup he put together to measure maximum utilization across all uplinks of a VMware host. Pretty handy when the virtualization people start deploying servers with two 10GE uplinks with all sorts of traffic haphazardly assigned to one or both of them.

Oh, if the previous paragraph sounds like Latin, and you should know a bit about vSphere/ESXi, take a hefty dose of my vSphere 6 webinar ;)

ntopng Deep Dive with Luca Deri on Software Gone Wild

PF_RING is a great open-source project that enables extremely fast packet processing on x86 servers, so I was more than delighted when Paolo Lucente of the pmacct fame introduced me to Luca Deri, the author of PF_RING.

When we started chatting, we couldn’t resist mentioning ntopng, another open-source project Luca is working on.

More Layer-2 Misconceptions

My “What Is Layer-2 and Why Do You Need It?blog post generated numerous replies, including this one:

Pretend you are a device receiving a stream of bits. After you receive some inter-frame spacing bits, whatever comes next is the 2nd layer; whether that is Ethernet, native IP, CLNS/CLNP, whatever.

Not exactly. IP (or CLNS or CLNP) is always a layer-3 protocol regardless of where in the frame it happens to be, and some layer-2 protocols have no header (apart from inter-frame spacing and start-of-frame indicator).

New Webinar: vSphere 6 Networking Deep Dive

The VMware Networking Deep Dive webinar was getting pretty old and outdated, but I always managed to get an excuse to postpone its refresh – first it was lack of new features in vSphere releases, then bad timing (doesn’t make sense to do a refresh in June with new release coming out in August), then lack of documentation (vSphere 6 was announced in August 2014; the documentation appeared in March 2015).

Article: Is NFV Relevant for Enterprise Networks?

Network Computing recently published my “Yes, NFV Is Important For The Enterprise” article. Short summary: NFV is (like BGP and MPLS) yet another technology that is considered applicable only to service provider networks but makes great sense in some enterprise contexts.

I’ll talk about enterprise aspects of NFV at Interop Las Vegas, and describe some NFV technical details and typical use cases in an upcoming webinar.

IPv6 is 20 years old

An interesting message appeared on v6ops mailing list a few days ago: the first interconnect between independent IPv6 implementations was established 20 years ago. No wonder some youngsters who don't know any better treat this venerable protocol like a modem and ignore it in favor of IPv4 ;)