VXLAN terminology and what it means

What is some of the terminology used in VXLAN?

VNI/VNID: Virtual Network Identifier or VXLAN Network Identifier

Layer2 VNI carried in VXLAN bridged packets. VNI is configured per VLAN.

Layer3 VNI carried in VXLAN routed packets across VTEPs. One L3 VNI per tenant (VRF). Note: Tenant, VRF, and L3VNI are sometimes used interchangeably.

VTEP: VXLAN Tunnel End Point

Performs VXLAN encapsulation/decapsulation

NVE: Network Virtualization Edge

Logical representation of the VTEP

VXLAN Gateway

Device that forwards traffic between VXLANs

It could be both Layer 2 and Layer 3 forwarding.

Anycast Gateway

All VTEPs are configured with the same IP and MAC on a host facing SVI

Underlay Network: Provides the transport for VXLAN

VXLAN can use OSPF, IS-IS, EIGRP, BGP, or multicast routing

China proposes replacement to TCP/IP

China’s “New IP” proposal to replace TCP/IP has a built in “shut up command” for censorship

 

The Chinese government and the Chinese telecommunications companies under its control, such as Huawei, are proposing a “New IP” addressing system for the internet to replace TCP/IP. The New IP system includes top-down checks and balances and such features as a “shut up command” that would allow a central controller to stop packets from being received or sent by a target “New IP address.” The China-led proposal was first unveiled at the International Telecommunications Union (ITU) meeting in September 2019.

Learning, Certifications and the WISP

One of the most asked questions which comes up in the xISP world is “How do I learn this stuff?”. Depending on who you ask, this could be a lengthy answer or a simple one-sentence answer. Before we answer the question, let’s dive into why the answer is complicated.

In many enterprise environments, there is usually a pretty standard deployment of networking hardware. Typically this is from a certain vendor. There are many factors involved in why this is. The first is the Total Cost of Ownership (TCO). It almost always costs less to support one product than to support multiples. Things like staff training are usually a big factor. If you are running Cisco, it’s cheaper to train and keep updated on just Cisco rather than Cisco and another vendor.

Another factor involved is the economies of scale.  Buying all your gear from a certain vendor allows you to leverage buying power. Quantity discounts in other words.  You can commit to buying a product over time or all at once.

So, to answer this question in simple terms: if your network runs Mikrotik, go to a Mikrotik training course. If you run Ubiquiti, go to a Ubiquiti training class.

Now that the simple question has been answered, let’s move on to the complicated, and typically the real world answer and scenario.  Many of our xISP clients have gear from several vendors deployed.  They may have several different kinds of Wireless systems, a switch solution, a router solution, and different pieces in-between.  So where does a person start?

I recommend the following path. You can tweak this a little based on your learning style, skill level, and the gear you want to learn.

1. Start with the Cisco Certified Network Associate (CCNA) certification in Routing and Switching (R&S). There are a ton of ways to study for this certification. There are bootcamps (not a huge fan of these for learning), iPhone and Android apps (again these are more focused on getting the cert), online, books, and even YouTube videos. Through the process of studying for this certification, you will learn many things that will carry over to any vendor: things like subnetting, differences between broadcast and collision domains, and even some IPv6 in the newest tracks. During the course of studying you will learn, and then reinforce that through practice tests and such. Don’t necessarily focus on the goal of passing the test; focus on the content of the material. I used to work with a guy who went into every test with the goal of passing at 100%. This meant he had to know the material. CompTIA is a side path to the Cisco CCNA. For reasons explained later, CompTIA Network+ doesn’t necessarily work into my plan, especially when it comes to #3. I would recommend CompTIA if you have never taken a certification test before.

2. Once you have the CCNA under your belt, take a course in a vendor you will be working the most with. At the end of this article, I am going to add links to some of the popular vendor certifications and then 3rd party folks who teach classes. One of the advantages of a 3rd party teacher is they are able to apply this to your real-world needs. If you are running Mikrotik, take a class in that. Let the certification be a by-product of that class.

3. Once you have #1 and #2 under your belt, go back to Cisco for their Cisco Certified Design Associate (CCDA). This is a very crucial step that those on a learning path overlook. Think of your networking knowledge as if your end goal is to be able to build a house. Steps one and two have given you general knowledge; you can now use tools and do some basic configuration. But you can’t build a house without knowing what is involved in designing foundations, what materials you need to use, how to compact the soil, etc. Network design is no different. These are not things you can read in a manual on how to use the tool. They also are not tool-specific. Some of the things in the Cisco CCDA will be specific to Cisco, but overall it is a general learning track. Just follow my philosophy in relationship to #1. Focus on the material.

Once you have all of this under your belt, look into pulling in pieces of other knowledge. Understanding what is going on is key to your success. If you understand what goes on with an IP packet, learning tools like Wireshark will be easier. As you progress, let things grow organically from this point. Adding equipment in from a vendor? Update your knowledge or press the new vendor for training options. Branch out into some other areas, such as security, to add to your overall understanding.

WISP Based Training Folks
These companies and individuals provide WISP based training. Some of it is vendor focused. Some are not.  My advice is to ask questions. See if they are a fit for what your goals are.
Connectivity Engineer
Butch Evans
Dennis Burgess
Rick Frey
Steve Discher
Baltic Networks

Vendor Certification Pages
Ubiquiti
Mikrotik
Cisco
Juniper
CWNA
CompTIA

If you provide training let me know and I will add you to this list.

The problem with routing registries

Anyone who has followed me, or for whom I have done IP work, knows I am a fan of Internet Routing Registries (IRR). However, there is a glaring issue with these registries. I will use the example I ran into today.

A downstream client of a WISP client bought 67.158.57.0/24 off the open market about a year ago.  They finally have things in place where they are looking to announce this IP space to the world.  I helped them set up BGP to my client ISP and sent out the normal LOAs to the upstream providers.  I received this back from Hurricane Electric.

The IRR entry for this prefix does not list 14333.
https://www.radb.net/query?keywords=67.158.57.0%2F24
Please update IRR and let me know. I can add this to your prefix filter.

And a subsequent follow-up message:

I can add this prefix to your filter, based on the LOA. However the reason we require IRR entries for prefixes is because our peers only accept our re-announcements if there are correct IRR entries authorizing the announcement. 

Can you confirm what the source ASN will be for this announcement?
If a customer of yours is going to re-announce this to you, and that ASN is listed on:
https://www.radb.net/query?keywords=67.158.57.0%2F24
Then this will work. However if you plan to announce this sourced from your ASN 14333, this will not be picked up past our network.

This highlights one of the glaring issues with registries.  There are no checks and balances when it comes to stale data in registries. The same is true with access lists in provider routers.

What I am guessing happened is when the /20 block was carved up and sold, its information was never removed from the routing registry. Since this is RADb and it does not talk directly with ARIN, we have some inconsistencies going on.

The following RFC illustrates many of the issues folks run into.
https://tools.ietf.org/html/rfc7682
From the summary of the document

As discussed above, many of the problems that have traditionally stifled IRR deployment have, themselves, become historical. However, there are still real operational considerations that limit IRR usage from realizing its full effectiveness.

To further complicate this Hurricane Electric is referencing data in RADb, which is a paid registry.

So what am I going to have to do? In order to make this right, I will have to reach out to RADb and have them edit the registry to start with. Since neither this customer nor the ISP is a member of RADb, it will take time.
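The origin check described in the Hurricane Electric replies can be reproduced locally before an LOA goes out. The following is an added example, not code from the original post: it parses whois-style RPSL route objects and reports whether the announcing ASN is listed for the prefix, and which leftover objects name a different origin. The registry text, the covering /20 and the origins AS64500/AS64501 (documentation ASNs) are constructed sample data.

```python
import ipaddress

# Constructed registry output: a leftover covering /20 object and a /24 object
# that still names an earlier origin. Not real registry data.
SAMPLE_IRR = """\
route:      67.158.48.0/20
descr:      constructed example, previous holder of the /20
origin:     AS64500
source:     RADB

route:      67.158.57.0/24
descr:      constructed example, object left behind after the sale
origin:     AS64501
source:     RADB
"""

def parse_route_objects(text):
    """Split RPSL text into blank-line separated objects; keep route/route6 ones."""
    objects = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if line.startswith(("%", "#")) or ":" not in line:
                continue  # whois comments and lines without an attribute name
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), value.strip())
        prefix = attrs.get("route") or attrs.get("route6")
        if prefix and "origin" in attrs:
            objects.append({
                "prefix": ipaddress.ip_network(prefix, strict=False),
                "origin": int(attrs["origin"].upper().replace("AS", "", 1)),
                "source": attrs.get("source", "?"),
            })
    return objects

def check_announcement(text, prefix, origin_asn):
    """Report whether an exact route object lists origin_asn, plus objects naming other origins."""
    want = ipaddress.ip_network(prefix)
    exact, covering = [], []
    for obj in parse_route_objects(text):
        if obj["prefix"].version != want.version:
            continue
        if obj["prefix"] == want:
            exact.append(obj)
        elif want.subnet_of(obj["prefix"]):
            covering.append(obj)
    authorized = any(o["origin"] == origin_asn for o in exact)
    # Exact or covering objects with another origin are candidates for registry cleanup.
    conflicting = [o for o in exact + covering if o["origin"] != origin_asn]
    return {"authorized": authorized, "conflicting": conflicting}

if __name__ == "__main__":
    result = check_announcement(SAMPLE_IRR, "67.158.57.0/24", 14333)
    print("authorized:", result["authorized"])
    for o in result["conflicting"]:
        print(f"  other origin: {o['prefix']} AS{o['origin']} ({o['source']})")
```
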

Quick home VPN using Mikrotik and an existing router

I had a situation today where we had an office worker needing to work from home. This user had a houseful of devices and a router managed by the Fiber to the home provider. This user had devices attached to the wifi on the provider router and such. Normally I would want to replace this router, but it would be an undertaking.

For this setup, we used a Mikrotik mAP lite.
https://www.ispsupplies.com/MikroTik-RBmAPL-2nD

My quick solution was to have the user install the Mikrotik mAP as an ethernet device off of the provider’s router.  We then established a VPN tunnel from this device to the ISP’s network they work for.

 

We then added routes in the Mikrotik to the 3 networks they needed to access across the L2TP tunnel. This user runs the Dude and Winbox. Once the tunnel was established we had two issues to overcome.

1. You have to add a nat rule in order for traffic behind the Mikrotik to reach the devices on the other side of the tunnel.  I simply added a nat rule that looks like this:

# masquerade LAN traffic leaving through any PPP (L2TP) interface
/ip firewall nat
add action=masquerade chain=srcnat out-interface=all-ppp src-address=192.168.88.0/24

We could have done this in a few different ways, but remember this was a quick setup.

2. I needed the laptop they were working on to be able to route the three prefixes to the Mikrotik, thus going out the VPN. In our setup, the laptop only has 2 default gateways. It does not know any other routing info.

I created a batch script with the following in it. In short, you add the text below into a Notepad file and save it with the extension of .bat.

route ADD 10.2.0.0 MASK 255.255.0.0 192.168.88.1
route ADD 10.3.0.0 MASK 255.255.0.0 192.168.88.1
route ADD 10.4.0.0 MASK 255.255.0.0 192.168.88.1

If you need help on creating a batch script:
https://www.howtogeek.com/263177/how-to-write-a-batch-script-on-windows/

Once I had the file, which I simply saved into the Dude folder on the desktop, I created a shortcut on the desktop.  You will want to right-click on the shortcut and do the following.

It is important to note you are only able to do this on a shortcut in Windows, not the actual file itself. No idea why. The script is important because this user brings the laptop back and forth. I did not want to create persistent routes on the computer because the office network is different. If you do not do persistent routes, they will be gone after a reboot. This way the user double-clicks on the script shortcut when they log in to the computer and before firing up the Dude.

There are many other ways to accomplish this.  This was one of the quickest and less-impacting to the user and fewer things to support. One of the downsides to this setup is the user maintains two physical connections to two physical routers.  In this instance, the user could hardwire into the Mikrotik and maintain a wireless connection to the FIOS router.

If given more time, you could have the laptop wired into the Mikrotik at your desk and have the wireless on the Mikrotik become a wireless client back to the FIOS router. This would make the setup a little more mobile.


Ultimate DD-WRT router guide

An interesting post about DD-WRT crossed my inbox awhile back.  Like most interesting things I saved it to look at later.

Custom firmware, such as DD-WRT makes the process easier, and provides you with a lot of additional options as well; thereby turning a standard $100 router into a super router that is suitable for any home or office.

With this DD-WRT router guide you’ll be increasing your wireless range, data transfer rates, creating NAS solutions, setting up a VPN Service, and so much more in no time at all. Some of these, you can even implement without having DD-WRT.

Don’t have the time to read all of this today? I’d recommend at least reading the introduction so you can find out what this “DD-WRT” business is all about.

https://proprivacy.com/vpn/guides/dd-wrt

VXLAN and why you should care as a service provider

As some of you may have heard, Mikrotik has added in some VXLAN support in the latest RouterOS7 beta. What is VXLAN and how would service providers use it? Let’s start out with some broad information about VXLAN.

Where does TRILL and VXLAN fit in to your network strategy?

The always interesting RFC read
https://tools.ietf.org/html/rfc7348

This document describes Virtual eXtensible Local Area Network (VXLAN), which is used to address the need for overlay networks within virtualized data centers accommodating multiple tenants. The scheme and the related protocols can be used in networks for cloud service providers and enterprise data centers.

Boil it down for me. What is VXLAN?
In short, VXLAN allows you to create a layer2 network on top of a layer3 network. It allows you to bind separate layer2 domains and make them look like one. If you are thinking this looks like a GRE tunnel, you are correct, except the layer2 domains are still separate with tunnels. VXLAN is mainly touted as a way to interconnect data centers. If you are having to use spanning-tree, then VXLAN is an answer.

Okay, but why not use tunnels or MPLS?
VXLAN allows you to accomplish what GRE does without having to change the network design. By using VXLAN you are also able to have standalone layer2 domains that talk to each other. With the tunnel approach, you have to do a lot of manual configuration.

Is this just a data center thing?
VXLAN was designed to solve many of the edge computing and hyper-scale computing issues. Imagine having compute nodes in different parts of a data center or even in different data centers.  You want all of those nodes on the same VLAN.  With GRE you could extend that VLAN, but with VXLAN you can have two standalone layer2 VLANs that are merged together. VXLAN also solves the 4096 VLAN issue.  This is important in hyper-scale cloud computing.

VXLAN benefits in a nutshell

  • Increases layer2 segments to 16 million
  • Centralized control
  • Standards-based
  • Scalable

VXLAN downsides in a nutshell

  • Multicast must be available
  • More overhead added to the layer2 packet
  • No built-in encryption
  • Slow adoption of IPv6 support by open source

What about the service provider? How can I use this?
In a service-provider network, you have things like broadcast issues. Basically, bridging is bad. Your layer2 networks need to be contained. Imagine you are a service provider who is providing LTE services. You may have an LTE VLAN on your network. Historically you would have to extend your VLAN across the network in order to do management and access your LTE core. Now you have this large broadcast domain across your entire network. Or worse yet, you have tunnels to other cities or locations you don’t have physically connected to your network. Now you have tunnels as part of your LTE VLAN. MTU issues and other things are now a part of your life.

With VXLAN each LTE node can have its own layer2 VLAN but still talk to the others. This prevents the broadcast storms which can occur.

Another use for VXLAN is to allow managed service providers to deploy large-scale networks beyond the 4000 limit of VLANs. You could literally deploy thousands of layer2 segments to tenants.

Why should I or should I not care about VXLAN as a service provider?
If you just have a couple of layer2 networks to extend across your network VXLAN is not for you. However, VXLAN does allow for multipath routing and other protocols to be extended to remote networks.

VXLAN adds 50+ bytes of overhead to the layer2 frame. In many service provider networks, this is not an issue due to MTU being raised for MPLS, etc. IP multicast must be extended across the entire network. MAC addresses are used in creating a distribution network across all of the routed layer2 domains.
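The 16 million segment figure, the 50 bytes of overhead and the lack of built-in encryption all follow from the RFC 7348 header layout. The following is an added example, not code from the original post: it packs and parses the 8-byte VXLAN header, sums the encapsulation overhead for an IPv4 underlay with no outer VLAN tag, and shows that the VNI and inner frame are readable as-is by anything on the underlay path. The VNI value and inner frame bytes are constructed.

```python
import struct

VXLAN_UDP_PORT = 4789      # IANA-assigned destination port (RFC 7348)
FLAG_VNI_VALID = 0x08      # the "I" flag; must be set for the VNI to be valid
MAX_VNI = (1 << 24) - 1    # 24-bit field, so 16,777,216 possible segments

# Bytes added in front of the original layer2 frame (IPv4 underlay, untagged).
OVERHEAD = {"outer_ethernet": 14, "outer_ipv4": 20, "outer_udp": 8, "vxlan": 8}
INNER_ETHERNET = 14        # the original frame's own Ethernet header

def build_vxlan_header(vni):
    """Pack the header: flags(8) reserved(24) VNI(24) reserved(8), network byte order."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    return struct.pack("!II", FLAG_VNI_VALID << 24, vni << 8)

def parse_vxlan_header(payload):
    """Parse a UDP payload; return (vni, inner_frame) or raise on a malformed header."""
    if len(payload) < 8:
        raise ValueError("truncated VXLAN header")
    word1, word2 = struct.unpack("!II", payload[:8])
    if not (word1 >> 24) & FLAG_VNI_VALID:
        raise ValueError("I flag not set, VNI is not valid")
    # Reserved bits are ignored on receipt, as the RFC requires.
    return word2 >> 8, payload[8:]

def encap_overhead():
    """Total bytes VXLAN adds to each layer2 frame on the wire."""
    return sum(OVERHEAD.values())

def underlay_ip_mtu(inner_ip_mtu=1500):
    """IP MTU the underlay needs so an inner IP packet of this size is not fragmented."""
    return (inner_ip_mtu + INNER_ETHERNET + OVERHEAD["vxlan"]
            + OVERHEAD["outer_udp"] + OVERHEAD["outer_ipv4"])

if __name__ == "__main__":
    inner = bytes.fromhex("ffffffffffff0200000000010806") + b"constructed"
    udp_payload = build_vxlan_header(5000) + inner
    vni, frame = parse_vxlan_header(udp_payload)
    # No encryption: the tenant segment ID and the frame come back in cleartext.
    print(f"VNI {vni}, inner frame {frame.hex()}")
    print(f"overhead {encap_overhead()} bytes, underlay IP MTU {underlay_ip_mtu()}")
```

Because the inner frame is carried in cleartext, confidentiality on an untrusted underlay has to come from a separate layer such as IPsec or MACsec, which adds its own overhead on top of these figures.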

Large service providers have started looking at segment routing to solve many of the issues I talk about. This is causing them to gravitate toward EVPN. EVPN allows for BGP for the control plane and MPLS for the data plane. More on this coming soon.

In closing, VXLAN is an ultra-cool technology and has use cases for service providers.  Other methods also exist to solve these issues in the service provider world. For those of you looking to learn all you can, I will be posting a list of links for my Patreon folks.