Blog Posts in January 2014
The layer-3-only Hyper-V Network Virtualization forwarding model implemented in Windows Server 2012 R2 thoroughly confuses engineers used to dealing with traditional layer-2 subnets connected via layer-3 switches.
As always, it helps to take a few steps back, focus on the principles, and the “unexpected” behavior becomes crystal clear.
2014-02-05: HNV routing details updated based on feedback from Praveen Balasubramanian. Thank you!
If you want to implement overlay virtual networking with VMware products today, you have two options: use vCNS 5.5 or NSX for vSphere… and I would be hard pressed to choose one or the other.
When I started blogging in 2006, I had no idea that I’d still be doing it 8 years later… and I never dreamed of writing my 2000th post (this one, according to my blogging platform).
A virtual cake I got from my lovely daughter ;)
As always, Enno exceeded my wildest expectations, and offered me a full-day SDN workshop during this year’s conference – an offer I simply couldn’t refuse.
SDN, security, IPv6, Heidelberg, fantastic presenters and audience, great organizers – it can’t get any better … all you have to do is register.
From the IPv6 Trivia department: can a host with a ULA address reach a service with a global IPv6 address? Can a host with only a link-local address reach a service with a global IPv6 address? The answer to both questions might be Yes (but you'd better know what scopes and zones are if you want to figure it out).
Just in case you've missed it: the ultimate explanation of DevOps, NetOps and other automation ideas.
You know how hard it is to get the network traffic statistics: interface counters are too coarse, NetFlow records are too granular, sFlow is sampling… life is hard for network monitoring Goldilocks.
In the Network Monitoring video (part of Real-Life OpenFlow Use Cases webinar) I explained an interesting alternative: you could get (hardware permitting) traffic counters with every OpenFlow flow entry, resulting in any granularity you need.
Almost three years ago the OpenFlow/SDN hype exploded and the Open Networking Foundation started promoting the concept of physically separate control and data planes. Let’s see how far its founding members got in the meantime:
Chris Wahl claimed in one of his recent blog posts that vSphere doesn't need LAG band-aids. He's absolutely right – vSphere’s loop prevention logic alleviates the need for STP-blocked links, allowing you to use full server uplink bandwidth without the complexity of link aggregation. Now let’s consider the networking perspective.
More news from the IPv6 is not like IPv4 department: there's no DF bit in IPv6, so you have to use slightly different troubleshooting tricks to figure out the path MTU size (and they depend on the operating system). More in a detailed blog post by my good friend Matjaž Straus.
The first part of the Real-life OpenFlow Use Cases webinar focused on controller design and implementation choices that can significantly impact the scalability of an OpenFlow solution:
- Proactive versus reactive flow setup;
- Hop-by-hop versus path-based forwarding;
- State explosion with OpenFlow 1.0;
You could tell we had great fun with these topics: we spent more than half an hour on five slides.
When the Open Networking Foundation claimed ownership of Software-Defined Networking, they defined it as separation of control and data plane:
[SDN is] The physical separation of the network control plane from the forwarding plane, and where a control plane controls several devices.
Does this definition make sense or is it too limiting? Is there more to SDN? Would a broader scope make more sense?
During my ExpertExpress engagements with engineers building multi-tenant cloud infrastructure I often get questions along the lines of “How do I integrate my public IaaS cloud with my MPLS/VPN WAN?” Here are a few ideas.
My recommendation to use ULA addresses for internal communications within organizations that don’t have their own provider-independent address space resulted in the following comment:
[…] Having ULA for internal company communication and global IPv6 addresses for communication with the Internet will cause lots of issues with application guys since now application has to bind to specific IPv6 address for internal communications and another IPv6 address to go to the Internet.
Numerous aspects of IPv6 may still be broken, but fortunately this is not one of them.
Software-Defined Networking is clearly a tautological term – after all, software defined networking device behavior ever since we stopped using Token Ring MAUs and unmanaged hubs. The Open Networking Foundation claims it owns the definition of the term (which makes approximately as much sense as someone claiming they own the definition of red-colored clouds), but I was always wondering who coined the term in the first place.
Gordon sent me a whole list of NSX gateway questions:
- Do you need a virtual gateway for each VXLAN segment or can a gateway be the entry/exit point across multiple VXLAN segments?
- Can you set up multiple gateways and specify which VXLAN segments use each gateway?
- Can you cluster gateways together (Active/Active) or do you set them up as Active/Standby?
The answers obviously depend on whether you’re deploying NSX for multiple hypervisors or NSX for vSphere. Let’s start with the former.
Every time someone wonders about the viability of unicast reverse path forwarding (uRPF) as a source address validation technique at the edge of an ISP network, someone else inevitably claims it can’t possibly work due to asymmetrical routing issues. Is the situation really so black-and-white?
Ed Horley wrote another great post arguing you don’t need Unique Local Addresses in an IPv6 network … and I couldn’t figure out what the problem was until I got the underlying context: it seems many engineers try to transplant their IPv4 mentality into the IPv6 world and see ULAs as a nice replacement for RFC1918 with NAT66 or NPT66 on the private network edge. No wonder Ed argues against that.
A few days ago I described how most OpenFlow data center fabric solutions use an out-of-band control plane (separate control-plane network). Can we do something similar when running an OpenFlow switch (example: Open vSwitch) in a hypervisor host?
TL&DR answer: Sure we can. Does it make sense? It depends.
Someone left the following comment on one of my blog posts a few days ago:
IPv6 to a network engineer is like Communism to a Marxist. It would come in such a distant future that it would be in a form we can barely picture accurately. […] So my money is on NAT444, at least in the US.
Meanwhile on planet Earth (in 2014):