BaseballPCHiker
Jan 16, 2006



I think Tufin will do something like that but it's been a while since I've dealt with that software. Might want to look into it though.


tortilla_chip
Jun 13, 2007

k-partite

https://github.com/google/capirca

Kazinsal
Dec 13, 2011







By chunking through several hundred dollars a month in cloud vCPUs.

They tend to also have some pretty hilariously abysmal license tiers that correspond to lower vCPU requirements for lower throughput, but nobody is going to buy a license for a cloud based 10 Mbps firewall.

Thanks Ants
May 21, 2004

Bless You Ants, Blants



Meraki's virtual MX doesn't do anything other than provide a way to build a VPN tunnel between a Meraki network and Azure, the license costs a shitload, and you still consume compute resource costs.

It's also trash and only exists because the IPsec support on MX boxes is so incredibly lovely. It would be cheaper to buy a Fortigate box to manage your VPN tunnels and then just sit it next to any Meraki stuff you have, and throw some static routes in each box.

BurgerQuest
Mar 17, 2009



We have quite a few Forti/Meraki deployments for similar reasons. Works well enough with VDOMs so stakeholders can self manage. Trunks back into the Meraki wifi as VLANs/SSID.

Methanar
Sep 26, 2013
ASK ME ABOUT NOT TIPPING DELIVERY DRIVERS, OR ABOUT MY DIET OF CANNED BABY CORN AND CHICKEN NUGGETS

Are there any tools around specifically for debugging vxlans? I've been having some serious network problems lately and one of the big issues I'm facing is I basically don't know how to deal with vxlans. TCPdump is a nightmare for this, as far as the 1990s style I've been trying to use it, and hasn't been working well because what I naively expect traffic to be like isn't what it actually is on the wire.

tortilla_chip
Jun 13, 2007

k-partite

If you've got the pcap with the fully encapsulated packet you could just rip headers off at the right offset to get normal IP/ethernet traffic.
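The offset-stripping approach described in that reply, as an added example (not code from the poster): it hand-builds a constructed Ethernet/IPv4/UDP/VXLAN frame with a constructed inner frame, then walks the outer headers using the IHL and UDP length fields rather than fixed offsets, validates the outer IP checksum and the VXLAN I flag, and returns the VNI plus the bare inner Ethernet frame. The inner summariser also copes with an 802.1Q-tagged inner frame, which is the case fixed offsets usually get wrong. Addresses, MACs and the VNI are made-up sample values.

```python
import struct
import ipaddress

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN port (RFC 7348)
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
IPPROTO_UDP = 17


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over an IPv4 header (returns 0 for a valid header)."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def decapsulate_vxlan(frame: bytes):
    """Walk outer Ethernet -> IPv4 -> UDP/4789 -> VXLAN; return (vni, inner_frame).

    Raises ValueError when the frame is not a well-formed VXLAN encapsulation so a
    caller can tell "not VXLAN" apart from a parser bug.
    """
    if len(frame) < 14 + 20 + 8 + 8:
        raise ValueError("frame too short for Ethernet/IPv4/UDP/VXLAN")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer EtherType is not IPv4")
    ihl = (frame[14] & 0x0F) * 4              # honour IP options instead of assuming 20
    if len(frame) < 14 + ihl + 16:
        raise ValueError("frame too short for the declared IHL")
    outer_ip = frame[14:14 + ihl]
    if ipv4_checksum(outer_ip) != 0:
        raise ValueError("outer IPv4 header checksum mismatch")
    if outer_ip[9] != IPPROTO_UDP:
        raise ValueError("outer IPv4 protocol is not UDP")
    udp_off = 14 + ihl
    _sport, dport, udp_len, _csum = struct.unpack("!HHHH", frame[udp_off:udp_off + 8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port is not 4789")
    vx_off = udp_off + 8
    flags_word, vni_word = struct.unpack("!II", frame[vx_off:vx_off + 8])
    if not (flags_word >> 24) & 0x08:         # the I (valid VNI) flag must be set
        raise ValueError("VXLAN I flag not set")
    vni = vni_word >> 8                        # VNI is the upper 24 bits of the second word
    inner = frame[vx_off + 8:udp_off + udp_len]   # bound by UDP length, not buffer length
    return vni, inner


def describe_inner(inner: bytes) -> dict:
    """Summarise the decapsulated Ethernet frame; handles an optional 802.1Q tag."""
    info = {"dst_mac": mac_str(inner[0:6]), "src_mac": mac_str(inner[6:12]), "vlan": None}
    ethertype = struct.unpack("!H", inner[12:14])[0]
    offset = 14
    if ethertype == ETHERTYPE_VLAN:            # tagged inner frame: 4 extra bytes
        info["vlan"] = struct.unpack("!H", inner[14:16])[0] & 0x0FFF
        ethertype = struct.unpack("!H", inner[16:18])[0]
        offset = 18
    info["ethertype"] = ethertype
    if ethertype == ETHERTYPE_IPV4:
        ip = inner[offset:]
        info["proto"] = ip[9]
        info["src_ip"] = str(ipaddress.IPv4Address(ip[12:16]))
        info["dst_ip"] = str(ipaddress.IPv4Address(ip[16:20]))
    return info


# --- builders used only to construct the sample frame below ---
def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_ethernet(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    return (bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
            + struct.pack("!H", ethertype) + payload)


def build_vxlan_frame(vni: int, inner_frame: bytes) -> bytes:
    vxlan_hdr = struct.pack("!II", 0x08 << 24, vni << 8)
    udp_payload = vxlan_hdr + inner_frame
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(udp_payload), 0) + udp_payload
    ip = build_ipv4("192.0.2.10", "192.0.2.20", IPPROTO_UDP, udp)   # constructed VTEP addresses
    return build_ethernet("52:54:00:00:00:02", "52:54:00:00:00:01", ETHERTYPE_IPV4, ip)


# Constructed sample: a tenant ICMP-ish frame (proto 1) tunnelled on VNI 42.
INNER_FRAME = build_ethernet("02:00:00:00:00:02", "02:00:00:00:00:01", ETHERTYPE_IPV4,
                             build_ipv4("10.1.0.5", "10.1.0.9", 1, b"ping"))
SAMPLE_FRAME = build_vxlan_frame(42, INNER_FRAME)

if __name__ == "__main__":
    vni, inner = decapsulate_vxlan(SAMPLE_FRAME)
    print("VNI", vni, describe_inner(inner))
```

To apply this to a real capture, feed each packet's bytes (from a pcap reader of your choice) to `decapsulate_vxlan()` and write the returned inner frames to a new pcap; the result is plain Ethernet/IP traffic that any tool already decodes. Wireshark dissects UDP/4789 as VXLAN on its own, so decapsulating by hand mainly pays off when you want to filter or aggregate on inner fields at scale.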

ate shit on live tv
Feb 15, 2004



Speaking of VXLAN, am I right in trying to do anything I can to just get rid of layer2 rather than trying to throw more network complexity at solving a problem that shouldn't exist anymore in 2021?

Why do we need to preserve IP addresses when migrating VMs? I work for a modern software company. We use middleware applications that fully understand layer3, DNS and don't need layer2 adjacency. Hell most of them run in docker containers. Our application ingests data on a local machine, and sends it to a DNS defined dynamic endpoint. Yet our datacenter is full of vlans spanned across hundreds of switches with network sizes ranging from /22 to /19! The environment is stable, and the applications that run on all those vlans are well-behaved so we don't have issues, but our deployment process uses MaaS and expects different applications to be put into different vlans.

Anyway, I don't see any reason for VXLAN except to try to preserve bad server side programming.

Methanar
Sep 26, 2013
ASK ME ABOUT NOT TIPPING DELIVERY DRIVERS, OR ABOUT MY DIET OF CANNED BABY CORN AND CHICKEN NUGGETS

ate poo poo on live tv posted:


Anyway, I don't see any reason for VXLAN except to try to preserve bad server side programming.

vxlan is mostly bad, yeah.

https://docs.cilium.io/en/v1.9/concepts/networking/routing/

The only reason I'm using vxlan is because it completely abstracts away the underlay network. I could and should be just leveraging the aws SDN since everything is all fully routed anyway. But that's slightly difficult for a few reasons.

1) Limitations on how many IPs you can have per ENI. This is irritating to deal with for a few reasons.
2) It's slightly more portable for when we start doing k8s on bare metal, or in GCP like we thought we might.
3) We already started with vxlans and it's a big deal to change.

ate poo poo on live tv posted:

Why do we need to preserve IP addresses when migrating VMs? I work for a modern software company. We use middleware applications that fully understand layer3, DNS and don't need layer2 adjacency. Hell most of them run in docker containers. Our application ingests data on a local machine, and sends it to a DNS defined dynamic endpoint. Yet our datacenter is full of vlans spanned across hundreds of switches with network sizes ranging from /22 to /19! The environment is stable, and the applications that run on all those vlans are well-behaved so we don't have issues, but our deployment process uses MaaS and expects different applications to be put into different vlans.

What's the need to even migrate a VM here? What's the difference between migrating a VM and creating a new one in your case?

ate shit on live tv
Feb 15, 2004



Methanar posted:


What's the need to even migrate a VM here? What's the difference between migrating a VM and creating a new one in your case?



I think it's because somewhere there exists an ip->customer mapping that is defined on turn-up.

Pile Of Garbage
May 28, 2007





Methanar posted:

1) Limitations on how many IPs you can have per ENI. This is irritating to deal with for a few reasons

Interested to know why this is an issue if you don't mind indulging me. When I've deployed stuff in the past if I need another IP in the VPC I just add another ENI. If I need the EC2 instance to handle traffic not specifically for it then I disable source/destination check on the relevant ENI.


Methanar
Sep 26, 2013
ASK ME ABOUT NOT TIPPING DELIVERY DRIVERS, OR ABOUT MY DIET OF CANNED BABY CORN AND CHICKEN NUGGETS

Pile Of Garbage posted:

Interested to know why this is an issue if you don't mind indulging me. When I've deployed stuff in the past if I need another IP in the VPC I just add another ENI. If I need the EC2 instance to handle traffic not specifically for it then I disable source/destination check on the relevant ENI.

If you're not using vxlans, you're programming in pod IPs directly to an ENI on a host with the expectation that the pod cidrs are all fully routed in the underlay already.

I can't remember the exact details of the issue regarding IPs/ENI but a year and a half ago when this was a discussion point it was an issue. We typically use c5.9xls today, so maybe there was a concern that we might limit ourselves to 30 pods per host, which in some cases might be an issue.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#AvailableIpPerENI
