60 posts tagged with "networking"
Running Suricata as more than a noisy alert firehose. IDS versus inline IPS modes, AF_PACKET and NFQUEUE deployment, ruleset management with suricata-update, and the threading and tuning that keep it from becoming the bottleneck.
A two-peer WireGuard tunnel is trivial; a full mesh of dozens of nodes is a different problem. The n-squared key challenge, AllowedIPs as a routing table, keepalives for NAT, and running a dynamic routing protocol over the mesh instead of static routes.
Proxmox SDN turns scattered Linux bridges and hand-managed VLANs into a declarative, cluster-wide network model. Zones, VNets, and subnets explained, plus an EVPN zone that gives VMs routed overlays across nodes.
Cloud gives you LoadBalancer Services for free; bare metal does not. MetalLB in BGP mode advertises Service IPs to your routers for real ECMP load balancing — how to configure the pools, peers, and advertisements, and why BGP mode beats L2.
Cilium replaces the kube-proxy iptables mess with an eBPF dataplane, adds identity-based network policy up to L7, and gives you Hubble for flow visibility. How it works and how to reason about policy that follows pods, not IPs.
XDP runs your code in the driver, before the kernel builds an sk_buff — the fastest place to touch a packet in Linux. What XDP is, a working drop program, how to load it and inspect maps, and where it fits versus iptables and DPDK.
The Linux tc subsystem is powerful and famously cryptic. Qdiscs, classes, and filters demystified, an HTB hierarchy that actually shares bandwidth, fq_codel to kill bufferbloat, and ingress policing with IFB.
Treat network config like code: review in merge requests, validate offline with Batfish, push with a diff gate, and roll back on failure. A GitLab pipeline that turns "SSH in and paste" into a reviewable, reversible process.
Network access control on the wired enterprise edge. 802.1X with MAB fallback, dynamic VLAN assignment from RADIUS, and the fail-open design that keeps the office working when the RADIUS server is unreachable.
SNMP polls; gNMI streams. How model-driven telemetry with gNMI subscriptions, gnmic, and OpenConfig paths replaces the poll-and-pray loop, and how to land the data in Prometheus without writing a collector.
A source of truth only earns the name when config is generated from it, not typed beside it. Modeling your network in NetBox, pulling it with pynetbox, and using it as a dynamic inventory so the database and the devices cannot drift.
When Ansible YAML stops scaling, Python automation takes over. How Nornir handles inventory and concurrency, NAPALM abstracts vendor CLIs, and the two combine into config push with diffs and rollback.
Two upstreams, real control over traffic. Outbound steering with local-preference, inbound steering with AS-path prepend, MED, and provider communities, and why inbound is always the harder half.
The four MANRS actions turned into real config. Building prefix filters with bgpq4, enforcing AS-path sanity, deploying BCP38 anti-spoofing with uRPF, and keeping your PeeringDB and IRR records honest.
How an internet exchange route server actually works, and how to build one with BIRD 2. Transparent AS_PATH, per-client filtering, RPKI validation, and the BGP communities members use to control who they peer with.
Inter-subnet routing in EVPN-VXLAN fabrics comes in two flavors that behave very differently at scale. How asymmetric and symmetric IRB forward, why VNI sprawl matters, and which one to standardize on.
Standards-based all-active multihoming in EVPN-VXLAN fabrics. How ESI, Type-1 and Type-4 routes, aliasing, and split-horizon work on Junos QFX, and what to check when a link fails.
Build a VXLAN BGP EVPN fabric on Nexus from scratch. Covers the OSPF underlay, BGP EVPN overlay, NVE configuration, distributed anycast gateway, and the verification commands that prove it actually forwards.
Operate Nexus spine/leaf fabrics without surprises. Covers vPC operational checks, port-channel hygiene, OSPF/BGP underlay verification, and failure drills before go-live.
Build a production-ready IOS-XE edge router. Covers secure management, IP SLA tracking for real failover, logging configuration, and common mistakes that break production.
Design maintainable Junos routing policies. Covers policy-statement structure, community naming, prefix-lists, and safe defaults that prevent routing disasters.
Understand BGP FlowSpec for traffic filtering. Covers FlowSpec rules, BGP distribution, rate limiting, and why FlowSpec enables network-wide filtering from a single point.
Configure VXLAN on VyOS for datacenter overlays. Covers VXLAN concepts, static and multicast modes, head-end replication, MTU, and why VXLAN enables scalable Layer 2 networks.
Configure GRE, IPIP, and SIT tunnels on VyOS. Covers tunnel types, MTU considerations, keepalives, GRE keys, and why simple tunnels solve simple problems.
Understand EVPN architecture and concepts. Covers EVPN route types, MAC/IP learning via BGP, multi-homing, VXLAN integration, and why EVPN is the future of overlay networking.
Understand VPLS concepts and configuration. Covers virtual switch model, BGP signaling, pseudowires, MAC learning, and why VPLS provides multipoint L2 connectivity.
Configure MPLS L3VPN on VyOS. Covers VPNv4 address family, route distinguishers, route targets, PE-CE routing, and why L3VPN provides scalable multi-tenant connectivity.
Configure BGP Labeled Unicast on VyOS. Covers label distribution via BGP, inter-AS MPLS, seamless MPLS concepts, and why BGP-LU replaces LDP in modern designs.
Understand MPLS fundamentals on VyOS. Covers label switching, LDP configuration, penultimate hop popping, MPLS forwarding, and why MPLS is still relevant for service provider networks.
Configure BGP route dampening on VyOS. Covers dampening parameters, penalty calculation, route suppression, reuse thresholds, and why dampening prevents unstable routes from destabilizing your network.
Configure route leaking between VRFs on VyOS. Covers import/export policies, selective leaking, shared services, and why route leaking provides controlled cross-VRF connectivity.
Master BGP communities on VyOS. Covers standard, extended, and large communities, common use cases, community-based filtering, and why communities are the language networks speak.
A practical guide to automating network infrastructure using Ansible. Real examples from production environments including device configuration, backup strategies, and compliance checking.
Configure OSPF and BGP graceful restart on VyOS. Covers GR mechanics, helper mode, restart timers, and why graceful restart prevents traffic loss during maintenance.
Implement BFD on VyOS for sub-second failure detection. Covers BFD timers, integration with BGP and OSPF, multihop BFD, and why routing protocol keepalives are too slow.
Debug policy-based routing on VyOS. Covers rule evaluation order, mark verification, table inspection, common misconfigurations, and why PBR debugging needs systematic verification.
Debug ARP and IPv6 ND issues on VyOS. Covers ARP table analysis, stale entries, duplicate IP detection, proxy ARP, neighbor discovery, and why Layer 2 problems look like Layer 3 failures.
Master packet capture on VyOS for troubleshooting. Covers tcpdump filters, capture strategies, decoding protocols, saving and analyzing captures, and why packets never lie.
Master VyOS connection tracking internals. Covers conntrack tables, tuning limits, timeout configuration, debugging full tables, and why conntrack is the invisible stateful firewall engine.
Master TCP MSS clamping on VyOS for tunnels and PPPoE. Covers MSS vs MTU, clamping configuration, troubleshooting fragmentation, and why MSS clamping fixes problems MTU changes cannot.
Master network path diagnostics on VyOS. Covers MTR interpretation, traceroute variants, PMTUD troubleshooting, detecting packet loss patterns, and why ping alone is never enough.
Configure VyOS user management properly. Covers local user creation, SSH key authentication, privilege levels, password policies, and why root password should be disabled.
Master VyOS upgrades without downtime or disasters. Covers image management, rollback procedures, pre-upgrade testing, migration paths, and why upgrades need a playbook, not improvisation.
Build maintainable VyOS configurations with consistent naming, strategic comments, firewall groups, and policy structure. Learn standards that make configs readable years later.
Master VyOS configuration sessions for team environments. Covers session isolation, concurrent editing, merge strategies, and why sessions prevent "who changed what" mysteries.
Master VyOS commit-confirm to prevent remote lockouts. Covers automatic rollback, confirmation workflow, timeout tuning, and why every remote change should use confirm.
Practical VyOS automation with Git, templates, and safe deployment practices. Covers config backup strategies, Jinja2 templates, Ansible integration, rollback procedures, and why automation reduces errors only if you have rules of the game.
Honest guide to VyOS high availability using VRRP and conntrack sync. Covers failover configuration, state synchronization, what actually fails over and what doesn't, testing procedures, and why HA is a set of failure scenarios, not a checkbox.
Using VRF on VyOS for network isolation that goes beyond VLANs. Covers VRF creation, inter-VRF routing, route leaking, firewalling between VRFs, and maintaining a clear mental model of your segmentation.
BGP fundamentals on VyOS using FRR. Covers eBGP/iBGP setup, prefix-lists, route-maps, communities, max-prefix protection, and why BGP without filtering is an incident waiting to happen.
Practical OSPF configuration on VyOS. Covers areas, passive interfaces, authentication, MTU issues, and the small details that cause OSPF adjacencies to fail silently.
Practical traffic shaping and QoS configuration on VyOS. Covers queue disciplines, traffic prioritization, fighting bufferbloat, and understanding where the actual bottleneck is.
Configuring reliable multi-WAN failover on VyOS with proper health checking. Covers dual ISP setup, weighted load balancing, SLA monitoring, and why failover without tracking is false confidence.
Configuring reliable IPsec site-to-site VPNs on VyOS. Covers IKEv2 setup, NAT traversal, dead peer detection, rekeying, and systematic debugging when things go wrong.
Complete WireGuard setup on VyOS covering site-to-site tunnels, mobile clients, kill switches, split vs full tunnel, and the two things that make WireGuard stable: MTU and routing policy.
How to route specific traffic through different gateways on VyOS. Covers routing by source, destination, domain, and application with real-world examples like split-tunnel VPN.
Practical IPv6 configuration on VyOS for home networks. Covers Router Advertisements, DHCPv6, stateless vs stateful addressing, firewall rules, and debugging ND/RA issues.
A practical guide to setting up VyOS from scratch. Covers WAN/LAN configuration, NAT, DHCP, DNS forwarding, and basic firewall rules with validation at every step.
Reliable IP address management for Proxmox VMs. Covers DHCP strategies, MAC-to-IP mapping, router integrations, inventory collection, and why IP addresses are data that must be collected automatically.
Proxmox networking fundamentals and common pitfalls. Covers Linux bridges, VLAN configuration, bonding modes, network isolation, and why 99% of virtualization network problems are inconsistent Layer 2.