ipSpace.net Design Clinic
Home » Webinars » Networking Fundamentals » ipSpace.net Design Clinic
Last modified on 2023-03-15 (release notes)
ipSpace.net Design Clinic
1:48:40 March 2023 |
||
|
In March 2023, we discussed BGP routing between WAN edge firewalls and adjacent routers/switches, network device hardening, and connectivity between on-premises data centers and public clouds. |
||
| Hardening Network Devices | 23:20 | 2023-03-08 |
| Direct or VPN Access to a Public Cloud | 18:17 | 2023-03-08 |
1:07:03 BGP Routing with an Edge Firewall |
||
| Challenges and Design Considerations | 31:29 | 2023-03-08 |
| BGP Design Options | 35:34 | 2023-03-08 |
1:41:05 February 2023 |
||
|
In February 2023, we spent the whole session discussing the intricacies of IPv6 small site multihoming and zero-trust network architectures (ZTNA). |
||
1:03:26 Small Site IPv6 Multihoming |
||
| Easy IPv6 Multihoming Scenarios | 10:44 | 2023-03-15 |
| Small Site Multihoming Problem Statement | 14:19 | 2023-03-15 |
| Small Site Multihoming Reality | 13:59 | 2023-03-15 |
| Discussion of Supportable Solutions | 24:24 | 2023-03-15 |
| Site and Host Multihoming Blog Posts | ||
| Default Address Selection for IPv6 (RFC 6724) | ||
| IPv6 Unique Local Addresses (ULA) Made Useless | ||
| IPv6 Site connection to many Carriers (IETF draft) | ||
37:39 Zero-Trust Network Architecture |
||
| ZTNA Overview | 9:28 | 2023-03-15 |
| Microsegmentation in Zero-Trust World | 15:02 | 2023-03-15 |
| Zero-Trust Solutions | 13:09 | 2023-03-15 |
| Network Security Fallacies | ||
| Hiding Malicious Packets Behind LLC SNAP Header | ||
| Replacing Central Router with a Next-Generation Firewall? | ||
1:29:36 September 2022 |
||
|
September 2022 session focused on various aspects of using BGP in the global Internet, from BGP route servers to multihomed customer designs. We also discussed the viability of using GPON in enterprise campus networks, and the ways one could design a VXLAN-based data center interconnect between two bridged fabrics. |
||
| GPON in Campus Networks | 15:41 | 2022-11-02 |
| BGP Route Servers | 15:43 | 2022-11-02 |
| Redundant VXLAN-Based DCI | 11:06 | 2022-11-02 |
37:08 Redundant BGP-Based Internet Access |
||
| Overview of Design Options and Challenges | 10:20 | 2022-11-02 |
| Egress Traffic Engineering | 16:49 | 2022-11-02 |
| Ingress Traffic Engineering | 9:59 | 2022-11-02 |
| Redundant Data Center Internet Connectivity | 928K | 2016-04-18 |
| BGP Convergence Optimization | 268K | 2012-10-30 |
| Living with Small Forwarding Tables | ||
| Default Routes in BGP | ||
| Use BGP Default Route to Replace Static Routing | ||
| Multihoming to a Single ISP | ||
| SDN Router @ Spotify | ||
| SDN Internet Router Is in Production | ||
9:58 Securing Multi-Homed Customer BGP Configuration |
||
| Overview and Sample Designs | 9:58 | 2022-11-02 |
| BGP Operations and Security (RFC 7454) | ||
| Secure Router Templates (Team Cymru) | ||
| Deploying BGP Routing Security (Junos Day One Book) | ||
| The Bogon Reference (Team Cymru) | ||
1:23:07 June 2022 |
||
|
The June 2022 session focused on VXLAN and EVPN: can we use them as a DCI technology, can they replace MPLS/VPN, can we use them to build campus networks, and does it make sense to run them over SD-WAN? We also discussed data center WAN edge equipment selection, public cloud deployment tools, and typical public cloud deployment gotchas. |
||
| VXLAN and EVPN as DCI Technology | 20:54 | 2022-08-16 |
| Multi-Tenant Enterprise Core Network | 16:05 | 2022-08-16 |
| Running VXLAN over SD-WAN | 7:41 | 2022-08-16 |
| Selecting Data Center WAN Edge Equipment | 11:08 | 2022-08-16 |
| Tools for Enterprise Public Cloud Deployments | 7:54 | 2022-08-16 |
19:25 Ad-Hoc Questions |
||
| Using VXLAN with EVPN in Campus Networks | 6:26 | 2022-08-16 |
| Public Cloud Deployment Gotchas | 12:59 | 2022-08-16 |
More Information |
||
| VXLAN-to-VXLAN Bridging in DCI Environments | ||
| Data Center Switching ASICs Tradeoffs | ||
| Hardware Differences between Routers and Switches | ||
1:16:58 April 2022 |
||
|
In April 2022 we discussed Carrier Ethernet and Content Deliver Network (CDN) basics and revisited application deployment challenges in multi-cloud environments. Ad-hoc topics included DNS and DHCP in data centers, and scale-out DMZ infrastructure in public clouds. |
||
| Carrier Ethernet Basics | 10:00 | 2022-05-30 |
| Building Carrier Ethernet Networks | 18:16 | 2022-05-30 |
| Content Delivery Networks | 11:18 | 2022-05-30 |
| Running Applications in Multi-Cloud Environment | 19:31 | 2022-05-30 |
| Networking Engineers in Multi-Cloud World | 11:08 | 2022-05-30 |
6:45 Ad-Hoc Questions |
||
| Using DHCP and DNS in Data Centers | 2:43 | 2022-05-30 |
| Scale-Out Cloud DMZ | 4:02 | 2022-05-30 |
More Information |
||
| Packet Fabric | ||
| Could We Build an IXP on Top of VXLAN Infrastructure? | ||
| IS-IS in Avaya’s SPB Fabric: One Protocol to Bind Them All | ||
| Shortest Path Bridging (SPB) and Avaya Fabric | ||
1:19:31 March 2022 |
||
|
March 2022 session focused on data center leaf-and-spine fabrics. Topics included inter-VRF route leaking, storage integration, migration to a new fabric, ECMP monitoring, and deployment of VXLAN/EVPN in small data centers. We also continued the WAN encryption discussion with an overview of Data Center Interconnect encryption options. |
||
| Inter-VRF Route Leaking | 17:30 | 2022-04-02 |
| Integrating Storage in Leaf-and-Spine Fabrics | 22:32 | 2022-04-02 |
| Data Center Interconnect Encryption | 16:40 | 2022-04-02 |
| Migrating to a Leaf-and-Spine Fabric | 6:33 | 2022-04-02 |
| Monitoring ECMP Behavior in Leaf-and-Spine Fabric | 12:42 | 2022-04-02 |
3:34 Ad-Hoc Questions |
||
| VXLAN and EVPN in Small Data Center | 3:34 | 2022-04-02 |
Further Reading |
||
| An Update on Router Buffering | ||
A fantastic article describing numerous aspects of network buffering, from TCP behavior and congestion control to application requirements and buffer sizing recommendations |
||
| Move Fast, Unbreak Things - NANOG NetNorad presentation by Petr Lakuphov | ||
| Facebook OpenNetNorad tool | ||
| Facebook UdpPinger | ||
| Google Backbone Monitoring, Localizing Packet Loss in a Large Complex Network | ||
| VXLAN Ping and Traceroute with Lukas Krattiger | ||
1:38:07 January 2022 |
||
|
In January 2022 session we discussed Enterprise WAN design (focusing mostly on routing protocol and transport technology selection), encrypted multi-cloud connectivity, and multi-tenant public cloud networking. |
||
| Encrypted Public Cloud Connectivity | 20:21 | 2022-03-01 |
| Multi-Tenant Public Cloud Networking | 8:51 | 2022-03-01 |
55:07 Enterprise WAN Design |
||
| Routing Protocol Selection | 22:30 | 2022-03-01 |
| Routing Protocol Q-A | 6:58 | 2022-03-01 |
| Adapting Your Design to Transport Technologies | 10:56 | 2022-03-01 |
| Multi-Layer Transport | 14:43 | 2022-03-01 |
13:48 Ad-Hoc Topics |
||
| Impact of Transit Gateway on Application Performance | 4:59 | 2022-03-01 |
| Using Public Cloud as SD-WAN | 5:29 | 2022-03-01 |
| MACsec over Carrier Ethernet Networks | 3:20 | 2022-03-01 |
More Information |
||
| IOS Classic versus IOS XE OSPF Behavior | ||
| Open-Source DMVPN Alternatives | ||
| Integrating DMVPN-based Internet VPN with MPLS/VPN WAN | ||
| BGP Routing in DMVPN Access Network | ||
| Critical Vulnerabilities in AWS | ||
| Azure's Terrible Security Posture | ||
1:32:23 December 2021 |
||
|
December 2021 session was focused on VRFs -- we started with Multi-VRF designs and continued with "should one run Internet services in a VRF" (and why would we do that). We also tackled the endless dilemma: should servers connected to multiple leaf switches use link aggregation (+ LACP) or individual links? |
||
| Multi-VRF Designs | 25:47 | 2022-01-18 |
| Internet in a VRF | 25:17 | 2022-01-18 |
| Multi-Homed Servers | 34:06 | 2022-01-18 |
7:13 Ad-Hoc Topics |
||
| VXLAN and EVPN on Linux Hosts | 7:13 | 2022-01-18 |
1:28:31 November 2021 |
||
|
Topics of November 2021 session included leaf-and-spine fabrics outside of data centers, migrating application stacks into public clouds, and the differences between point-to-point and VLAN interfaces. We also continued the brownfield microsegmentation discussion from the September 2021 session. |
||
| Leaf-and-Spine Fabrics Outside of Data Centers | 22:59 | 2021-12-27 |
| Migrating Application Stacks into Public Clouds | 16:36 | 2021-12-27 |
| Point-to-Point versus VLAN Interfaces | 12:17 | 2021-12-27 |
36:39 Short Questions |
||
| Unified Multi-Domain Policy | 12:37 | 2021-12-27 |
| Scaling VMware Private Cloud | 4:16 | 2021-12-27 |
| Brownfield Microsegmentation | 19:46 | 2021-12-27 |
Further Reading |
||
| Could We Build an IXP on Top of VXLAN Infrastructure? | ||
| Automation Win: Recreating Cisco ACI Tenants in Public Cloud | ||
| Building an IXP with VXLAN and EVPN | ||
1:25:55 October 2021 |
||
|
The session was focused on subnets and IPv6 (with a whiff of microsegmentation). We discussed the optimal subnet sizes, first steps in IPv6 deployments, IPv6 address plans and prefix delegation, and scale-out data center firewalls. |
||
| Subnet Sizing | 25:11 | 2021-11-27 |
| First Steps in IPv6 Deployments | 29:08 | 2021-11-27 |
| Scalable Data Center Firewalls | 15:34 | 2021-11-27 |
| IPv6 Addressing Plans and Prefix Delegation | 16:02 | 2021-11-27 |
Additional Information - Subnet Sizing |
||
| Subnet sizing and heterogeneous subnets | ||
| ARP Problems in EVPN | ||
Additional Information - IPv6 Deployments |
||
| Preparing an IPv6 Address Plan | ||
| Analyzing Dual Stack Behavior and IPv6 Quality (Geoff Huston, 2012) | ||
| Best Current Practice: IPv6 Prefix Assignment for End-users (RIPE 690) | ||
| Happy Eyeballs (RFC 8305) | ||
| Happy Eyeballs – Happiness Defined by Your Perspective | ||
| Why Does DHCPv6 Matter? | ||
| Do We Need Multiple Global IPv6 Addresses Per Interface (RFC 7934) | ||
| IPv6 Neighbor Discovery exhaustion attack and IPv6 subnet sizes | ||
| IPv6 Prefixes Longer Than /64 Might Be Harmful | ||
| Are Unnumbered Interfaces Harmful? | ||
Additional Information - Scalable Data Center Security |
||
| I Don’t Need no Stinking Firewall ... or Do I? | ||
| Replacing the Central Firewall | ||
| Replacing Central Router with a Next-Generation Firewall? | ||
| Combine Physical and Virtual Appliances in a Private Cloud | ||
| Firewalls in a Small Private Cloud | ||
| Considerations for Host-based Firewalls (Part 1) | ||
| Considerations for Host-based Firewalls (Part 2) | ||
| Using Flow Tracking to Build Firewall Rulesets... and Halting Problem | ||
| Fixing Firewall Ruleset Problem For Good | ||
| Illumio Core Architecture | ||
1:33:41 September 2021 |
||
|
In September 2021 we discussed microsegmentation (and lack of good solutions) in campus networks, how to provide IP transport to third-party suppliers across an enterprise backbone, and when and where one would use software- or hardware-based overlay virtual networks. Ad-hoc topics included routing in public clouds, SR-IOV, eBPF, SoNIC and IPv6-only deployments. |
||
| Microsegmentation in Campus Networks | 27:17 | 2021-10-01 |
| IP Transport Across Enterprise IP Backbone | 25:57 | 2021-10-01 |
| Overlay Virtual Networking Implementation Options | 17:11 | 2021-10-01 |
23:16 Ad-Hoc Topics |
||
| Subnet Routing in AWS VPC | 4:25 | 2021-10-01 |
| SR-IOV Resource Limitations | 2:06 | 2021-10-01 |
| eBPF Overview | 8:18 | 2021-10-01 |
| SoNIC on Whitebox Switches | 2:40 | 2021-10-01 |
| IPv6-only Deployments | 5:47 | 2021-10-01 |
Networking Fundamentals
