Blog Posts in April 2015
PF_RING Deep Dive with Luca Deri on Software Gone Wild
Whenever software switching nerds get together and start discussing the challenges of high-speed x86-based switching, someone inevitably mentions PF_RING, an open-source library that gives you blazingly fast packet processing performance on a Linux server.
I started recording a podcast with Luca Deri, the author of PF_RING, but we diverted into discussing ntopng, Luca’s network monitoring software. We quickly fixed that and recorded another podcast – this time, it’s all about PF_RING, and we discussed these topics:
Going Back to the Mainframes?
25 years ago when I started my networking career, mainframes were all the rage, and we were doing some crazy stuff with small distributed systems that quickly adapted to topology changes, and survived link, port, and node failures. We called them routers.
Yes, we were crazy and weird, but our stuff worked. We won and we built the Internet, proving that we can build networks bigger than any mainframe-based solution could ever hope to be.
How Do I Start My IPv6 Addressing Plan?
One of my readers was reading the Preparing an IPv6 Addressing Plan document on the RIPE web site, and found that the document proposes two approaches to IPv6 addressing: encode location in high-order bits and subnet type in low-order bits (the traditional approach) or encode subnet type in high-order bits and location in low-order bits (totally counterintuitive to most networking engineers). His obvious question was: “Is anyone using type-first addressing in a production network?”
The Terastream project seems to be using a service-first format; if you’re doing something similar, please leave a comment!
On SDN Controllers, Interconnectedness and Failure Domains
A long long time ago Colin Dixon wrote the following tweet in response to my Controller Cluster Is a Single Failure Domain blog post:
He’s obviously right, but I wasn’t talking about interconnected domains, but failure domains (yeah, I know, you could argue they are the same, but do read on).
OMG, VXLAN Encapsulation Has No Security!
Every now and then someone actually looks at the VXLAN packet format and eventually figures out that VXLAN encapsulation doesn’t provide any intrinsic security.
TL&DR Summary: That’s old news, the sky is not falling, and deploying VXLAN won’t make your network less secure than traditional VLAN- or MPLS-based networks.
Hardware Gateways in Overlay Virtual Networks
Whenever I’m running an SDDC workshop or doing on-site SDN/SDDC-related consulting, the question of hardware gateways between overlay virtual networks and the physical world inevitably pops up.
My usual answer: You have to understand (A) what type of gateway you need, (B) what performance you need and (C) what form factor will give you that performance. For more details, watch the Hardware Gateways video from the Scaling Overlay Virtual Networks webinar.
Rearchitecting L3-Only Networks
One of the responses I got on my “What is Layer-2” post was
Ivan, are you saying to use L3 switches everywhere with /31 on the switch ports and the servers/workstation?
While that solution would work (and I know a few people who are using it with reasonable success), it’s nothing more than creative use of existing routing paradigms; we need something better.
NSONE – Data-Driven DNS on Software Gone Wild
DNS is a crucial component in modern scale-out application architectures, so when Alex Vayl and Kris Beevers from NSONE contacted me just as I was starting to work on my Active-Active Data Centers presentation, I was more than interested to hear what their solution can do.
The result: Episode 29 of Software Gone Wild in which we discussed a number of topics including:
How Do I Get Started with SDN and Virtualization?
Here’s a short question I got from one of my readers:
I am a CCIE in SP/DC & working as Technical Architect in US. I follow your website but I don’t know where to start for SDN/Virtualization/Openstack…
I guess he’s not alone, so here’s a long list of resources I put together in the last 5+ years.
Before I get started: you’ll find links to most of these resources on ipSpace.net SDN Resources page.
Design Challenge: Multiple Data Centers Connected with Slow Links
One of my readers sent me this question:
What is best practice to get a copy of the VM image from DC1 to DC2 for DR when you have subrate (155 Mbps in my case) Metro Ethernet services between DC1 and DC2?
The slow link between the data centers effectively rules out any ideas of live VM migration; to figure out what you should be doing, you have to focus on business needs.
Video: IPv6 Microsegmentation
The video of my Troopers 15 IPv6 Microsegmentation presentation has been published on YouTube. As with the Automating Network Security video, it’s hard to read the slides; you might want to look at the slide deck on my public content web site.
You’ll find more about this topic, including tested Cisco IOS configurations, in the IPv6 Microsegmentation webinar.
There’s a Difference between Scaling and Not Being Stupid
I was listening to one of the HP SDN Packet Pushers podcasts in which Greg made an interesting comment along the lines of “people say that OpenFlow doesn’t scale, but what HP does with its IMC is it verifies the amount of TCAM in the switches, checks whether it can install new flows, and throws an alert if it runs out of TCAM.”
Are your ESXi uplinks saturated?
Iwan Rahabok sent me a link to a nice vRealize setup he put together to measure maximum utilization across all uplinks of a VMware host. Pretty handy when the virtualization people start deploying servers with two 10GE uplinks with all sorts of traffic haphazardly assigned to one or both of them.
Oh, if the previous paragraph sounds like Latin, and you should know a bit about vSphere/ESXi, take a hefty dose of my vSphere 6 webinar ;)
ntopng Deep Dive with Luca Deri on Software Gone Wild
PF_RING is a great open-source project that enables extremely fast packet processing on x86 servers, so I was more than delighted when Paolo Lucente of the pmacct fame introduced me to Luca Deri, the author of PF_RING.
When we started chatting, we couldn’t resist mentioning ntopng, another open-source project Luca is working on.
More Layer-2 Misconceptions
My “What Is Layer-2 and Why Do You Need It?” blog post generated numerous replies, including this one:
Pretend you are a device receiving a stream of bits. After you receive some inter-frame spacing bits, whatever comes next is the 2nd layer; whether that is Ethernet, native IP, CLNS/CLNP, whatever.
Not exactly. IP (or CLNS or CLNP) is always a layer-3 protocol regardless of where in the frame it happens to be, and some layer-2 protocols have no header (apart from inter-frame spacing and start-of-frame indicator).
New Webinar: vSphere 6 Networking Deep Dive
The VMware Networking Deep Dive webinar was getting pretty old and outdated, but I always managed to get an excuse to postpone its refresh – first it was lack of new features in vSphere releases, then bad timing (doesn’t make sense to do a refresh in June with new release coming out in August), then lack of documentation (vSphere 6 was announced in August 2014; the documentation appeared in March 2015).
Article: Is NFV Relevant for Enterprise Networks?
Network Computing recently published my “Yes, NFV Is Important For The Enterprise” article. Short summary: NFV is (like BGP and MPLS) yet another technology that is considered applicable only to service provider networks but makes great sense in some enterprise contexts.
I’ll talk about enterprise aspects of NFV at Interop Las Vegas, and describe some NFV technical details and typical use cases in an upcoming webinar.
IPv6 is 20 years old
Video: IPv6 Myths and Reality
I have been talking and writing about IPv6 myths for years, but like any good myth they tend to be pretty robust. Unfortunately, as I explained in the IPv6 Myths and Reality part of the IPv6 High Availability Strategies webinar, the reality seems pretty bleak: all we got are longer addresses, half-baked protocols, unsolved challenges, and heaps of confusion.
What Is Layer-2 and Why Do We Need It?
I’m constantly ranting against large layer-2 domains; recently going as far as saying “we don’t really need all that stuff.” Unfortunately, the IP+Ethernet mentality is so deeply ingrained in every networking engineer’s mind that we rarely ever stop to question its validity.
Let’s fix that and start with the fundamental question: What is Layer-2?
Arista EOS Available on Whitebox Switches
A few months ago Gigamon did the right thing: they figured out that their true value lies not in the hardware boxes, but in the software running on them, and decided to start offering their GigaVUE-OS on whitebox switches.
So far, Arista is the only other networking vendor that figured out it doesn't make sense to resist the tide - Arista EOS is now available on Open Compute Networking whitebox switches.
Update 2015-04-02: If you followed the links in this blog post, you probably figured out that it’s an April Fools’ one. However, that’s not the end of the story…