network Archives - NETRAVNEN BLOGGING

EVPN Learning Ressources – WIP

RFC’s
- Drafts
YouTube
- Playlists
Routing Daemons
Linux Hypervisors
Commercial Vendors
Blog Posts
Side notes
- VXLAN Packet
- PBB Packet Format

RFC’s

Drafts

YouTube

Revisiting BGP Data Center Design – 2023-08-31
EVPN multi-homing: an open alternative to MLAG (Nokia TechTalks) – 2023-05-15
EVPN Route Types (Nokia TechTalks) – 2023-05-15
EVPN Multi-homing in 10 (Nokia TechTalks) – 2023-04-12
EVPN Route Types in 10 (Nokia TechTalks) – 2023-04-12
Using Gateways for SRv6 and MPLS Interworking (Nokia) – 2022-04-21
Seamless Data Center Interconnect options using EVPN & various tunnel stitching {NANOG} – 2022-10-26
EVPN Deep Dive – All EVPN Route Types explained by Orhan Ergun and Toni Pasanen – 2020-04-28
Understanding ASICs for Network Engineers (Pete Lumbis) {NANOG} – 2020-02-21
SONiC: Open Source NOS in Data Center {NANOG} – 2019-11-05
Understanding ASICs For Network Engineers (Pete Lumbis) {Packet Pushers} – 2019-06-17

Playlists

Intro To EVPN With Tony Bourke – 2021-06-26
EVPN MPLS on Cisco IOS-XE and Cisco IOS-XR – 2023-05-11
Between 0x2 Nerds – Several EVPN episodes (Podcast format)

Routing Daemons

Linux Hypervisors

Proxmox Docs: SDN

Commercial Vendors

Blog Posts

Side notes

Bird2 does not (yet) have EVPN SAFI support on the ROADMAP
MikroTik RouterOS has no support. Unknown if it will ever be implemented.
IANA – Address Family Numbers (AFI’s)
IANA – Subsequent Address Family Identifiers (SAFI) Parameters

VXLAN Packet

PBB Packet Format

LibreNMS Alerts

An overview of LibreNMS alerts used to monitor different anomalies.

RPKI Session down – JUNOS

Trigger alert if we logged a RPKI session has gone down within the last 1 hour. Match based on syslog events from device. (Device > log > syslog)

syslog.msg LIKE '%RPD_RV_SESSIONDOWN%'
AND syslog.timestamp >= macros.past_60m
AND macros.device_up = 1

Broadcast packets exceeds threshold – JUNOS

Trigger alert if more than 300 broadcast pkt/s on 10/25/100 GbE interfaces. ifAlias (interface description on the network device) needs to begin with “PEERING”.

ports_statistics.ifInBroadcastPkts_rate > 300
AND ports.ifAlias LIKE 'PEERING%'
AND macros.device_up = 1
AND (
  ports.ifName LIKE 'et-%'
  OR ports.ifName LIKE 'xe-%'
)

How-to VPN: Private Internet Access (PIA) and MikroTik Router

⚠ Information in this post is outdated since the launch of PIA’s ‘Next-Gen’ VPN network in 2020, sunsetting the then-existing set-up ⚠

First create a vpn profile to use when creating l2tp/pptp connections
to privateinternetaccess.

/ppp profile add change-tcp-mss=yes \
comment="PIA VPN" \
dns-server=209.222.18.222,209.222.18.218 \
name=privateinternetaccess only-one=no \
use-compression=no use-encryption=required \
use-ipv6=no use-mpls=no use-upnp=no

Create the l2tp interface

/interface l2tp-client add \
comment="PIA VPN Netherlands" \
connect-to=nl.privateinternetaccess.com \
disabled=no name=pia-de-l2tp \
profile=privateinternetaccess \
user=[l2tp-username] \
password=[l2tp-password]

[l2tp-username] Your PIA username for l2tp/pptp/socks connections beginning with ‘x’ (not ‘p’!)
[l2tp-password] Your PIA password for l2tp/pptp/socks connections

Create a firewall mangle rule to mark IPv4 traffic we want to
go through the VPN.

/ip firewall mangle add \
action=mark-routing \
chain=prerouting \
comment="PIA VPN Netherlands" \
new-routing-mark="PPTP RM" \
passthrough=yes \
src-address=[ip-range-to-forward-through-vpn]

[ip-range-to-forward-through-vpn]

Fx. 192.168.1.0/24 or 192.168.1.2-192.168.1.254

Create the NAT rule and tell it to use the VPN interface.

/ip firewall nat add \
action=masquerade chain=srcnat \
comment="PIA VPN Netherlands" \
out-interface=pia-de-l2tp

Create a corresponding default route to match the previous NAT
rule. Which only get used when IPv4 traffic has been marked with
‘PPTP RM’.

/ip route add \
comment="PIA VPN Netherlands" \
disabled=yes distance=1 \
gateway=pia-de-l2tp routing-mark="PPTP RM"

Now you should see traffic from clients in the IPv4 range
of [ip-range-to-forward-through-vpn] go through the VPN.

NB: If you want to use another country apart from Netherlands. Check out Private Internet Access list of locations here: PIA VPN Tunnel Network

“Switching” to IP fabrics – Namex Bits

At the beginning of 2021, Namex IXP has started the rollout of its next-generation peering platform, the active infrastructure which is at the core of its network interconnection facility. This new platform relies on an IP fabric design with VXLAN as the overlay network and BGP EVPN as the control plane protocol. The development of this project started back in March 2020 and saw Mellanox and Cumulus Networks (both parts of NVIDIA corporation now) as major technological partners.

Before diving into the details, a brief historical note may help to understand the drivers and motivations behind such technical choices.

More at “Switching” to IP fabrics – Namex Bits – https://blog.namex.it/2021/04/switching-to-ip-fabrics/

WireGuard on pfSense

Netgate has “just” published their first blog post, describing official WireGuard support in the latest development snapshot of pfSense 2.5.0.

As a network engineer, routing enthusiast, technical supporter, and DN42 participant. Hearing about the upcoming WireGuard support for pfSense has me very excited due to the ease of use. And simplistic configuration. Making it – in my opinion – the most attractive VPN solution for P2P-mesh VPN network(s) and Road Warrior access on-the-go. Plus the support for WireGuard is close to ubiquitously supported on *most* major platforms via direct development support (& 3rd party software solutions).

Netgate mentioning – in their blog post – they have been a sponsor for the development needed to get WireGuard supported on FreeBSD has me thankful, even thou I am not a paying customer of theirs (i.e. a prosumer #wfh).

pfSense not having WireGuard support. When OPNsense introduced WireGuard (& ZeroTier) support months ago. Have had me seriously consider over the Christmas period to switching my prosumer firewall solution to OPNsense. Just for the VPN support of WireGuard & ZeroTier alone. Now, however… I am convinced to stick with pfSense for more years to come. And excitedly looking forward to the next stable release that will very hopefully include the recently announced WireGuard support. (/^▽^)/

Summary by Phoronix:
https://www.phoronix.com/scan.php?page=news_item&px=WireGuard-pfSense-Introduced
Netgate blog post:
https://www.netgate.com/blog/wireguard-for-pfsense-software.html
Latest Docs:
https://docs.netgate.com/pfsense/en/latest/vpn/wireguard/index.html
WireGuard commits to pfSense repo:
https://github.com/pfsense/pfsense/search?q=wireguard&type=commits

Working with TC on Linux systems – dasblinkenlichten

With that out of the way – I wanted to spend some time in this post talking about the command line tool found on Linux systems called tc. We’ve talked about tc before when we discussed creating some network/traffic simulated topologies and it worked awesome for that use case. If you recall from that earlier post tc is short for Traffic Control and allows users to configure qdiscs. A qdisc is short for Queuing Discipline. I like to think of it as manipulating the Linux kernels packet scheduler.

Working with TC on Linux systems

Increasing Port Density in Data Centers | Network Computing

Demands for connectivity in the data center are rising, especially in hyperscale data centers where 1728- or 3456-fiber cables are becoming more popular. Connecting such high-fiber-count cables to servers and switches is the key challenge because there’s only so much rack space available. Fiber patch panels are at the center of this challenge. To address this issue, the industry is increasing port density in patch panels to accommodate the ongoing thirst for bandwidth.

Source: Increasing Port Density in Data Centers | Network Computing

Hands-on with Intel Co-Packaged Optics and Silicon Photonics Switch – ServeTheHomeVideo

Hands-on with Intel Co-Packaged Optics and Silicon Photonics Switch

Watch this video on YouTube.

We get some hands-on time in the Intel lab with their new switch. Based on the recently acquired Intel Barefoot Tofino 2 switch ASIC, we see the world’s first (publicly shown like this) working set of switches using both silicon photonics as well as co-packaged optics. We also explain why pluggable optics will be going away in future generations of network switches as they will consume too much power in the 51.2Tbps generation of switches.

Tag: network