SlideShare a Scribd company logo

Netmcr 40 - Salt + Netbox + Vyos = Network Automation + Routing Security

Faelix Ltd
Faelix Ltd

Full table BGP on VyOS converge time in seconds Routing on MikroTiks converges near-instantly BCP38 (customers cannot spoof source address) IRR filtering (only accept where route/route6 object) RPKI (will not accept invalid routes from P/T) Templated configuration (repeatable, automated) Single source of truth (the docs become the config) VyOS SaltStack YAML Netbox
 BGP OSPF FRR RPKI IRR XDP
 bgpq3 UTRS RTBH NetFlow RIPE NCC Update 2019-10-02

Technology
1 of 54
Download to read offline
SALT + NETBOX + VYOS = NETWORK AUTOMATION
 + ROUTING SECURITY MAREK ISALSKI — FAELIX https://faelix.link/netmcr40
VyOS SaltStack YAML Netbox
 BGP OSPF FRR RPKI IRR XDP
 bgpq3 UTRS RTBH NetFlow MAREK ISALSKI — FAELIX https://faelix.link/netmcr40
Who? Marek and Lou and Laura A bunch of @NetworkMoose Giants: FRR, Routinator 3000, VyOS+contributors, Linux, netfilter/iptables, Salt+contributors, RIPE+RIRs, Team Cymru, DigitalOcean+Netbox-contributors…
Where? This story all took place in: Reynolds House (Equinix MA2) Williams House (Equinix MA1)
Why? DFZ
Why? RIPE NCC Update 2019-10-02 Today we allocated the last of our contiguous /22 IPv4 address blocks. We still have approximately one million addresses available, in the form of
 /23s and /24s, and we will continue making /22- equivalent allocations made up of these smaller blocks. Once we can no longer allocate the equivalent of a /22, we will announce that we have reached run-out. We expect this to occur in November 2019. +4000routesby 2020
Why? 1M routes in 200 days
Why? DFZ
Why?
Why?
How? DFZ
OSPF Area 0 How? DFZ 800k routes800k routes default! default!
HARDWARE
How? 4x 10G SFP+ ports (must not be RJ45, cannot be QSFP+ with SFP+ breakout) At least 2x 1G RJ45 ports Low CPU power draw Prefer GHz over cores (single-thread performance) ~16 Gb RAM Ideally 1U Ideally dual PSU and IPMI
How? SM Chassis: Front I/O, Redundant 400W PSUs SM X11SCM-F (2x RJ45 Intel® I210-AT + OOB/IPMI) Xeon E3-1265Lv5 (4c/8t, 2.9GHz, 45W) 16GB DDR4 2666 ECC, 2x 240Gb SSDs Intel X710-DA4 (4x SFP+ NIC)
How?
How?
SOFTWARE
VyOS Linux FRR (Quagga fork) for routing protocols iproute2, iptables, ipset, etc VyOS 1.3: XDP (eXpress Data Path) Like DPDK / FDIO / VPP (but less tap/vif mess) 20Mpps per CPU core…!
SaltStack Big investment in Salt @faelix Use it for bare metal (virtualisation clusters) Use it for our ISP services and NFVs Use it for full-/part-managed customer VPSs …why not use it for routers? VyOS includes salt-minion (agent)
Introducing: hphr "Halophile Router" (salt-loving) Uses Netbox for single source-of-truth Uses SLS (YAML) for anything not possible in Netbox Generates a VyOS router configuration file Loads, compares, commits, saves to config.boot OSS release coming soon: github.com/faelix/hphr
Addressing
Connections
Sub-Interfaces
OSPF, BGP, etc?
Netbox ≈ "physical infra" Using SaltStack's "pillar" in two ways: Netbox for DCIM / IPAM SLS (YAML-syntax) files for OSPF, BGP, etc
Peering/Transit Interface
P/T Interface: BCP38 bgpq3
P/T Interface: NetFlow
BGP Peering bgpq3
BGP Peering
BGP Peering RPKI via RTRR
BGP Upstream
BGP Upstream RPKI via RTRR
RPKI Routinator 3000
GOTCHAS
BGP C/P Protection bgpd state -> unresponsive : no response yet to ping sent 90 seconds ago
BGP C/P Protection /usr/lib/frr/watchfrr.sh restart bgpd
BGP C/P Protection 847177 bgp routes removed from the rib bgpd restarting, we're gonna be ok?!
[NARRATOR VOICE] THEY WERE NOT "OK"
bly$ show ip bgp summary % BGP instance not found
 bly$
Architecture of VyOS protocols { bgp 41495 { ……… } } router bgp 41495 ………"VyOS" /config/config.boot FRR running-config https://phabricator.vyos.net/ T1514
So: Reboot the Router https://phabricator.vyos.net/T1514 FRR's running-config not "refreshable" if a daemon crashes Can only reboot router to make VyOS send new running-config Rebooting a router is annoying, but we're in a maintenance window, the other router is ok, so we're gonna be ok.
[NARRATOR VOICE] THEY WERE NOT "OK"
FRR Converges BGP Fast Router booted up Began configuring itself Brought interfaces up Brought BGP instance up Cogent transit session established Peering sessions on LINX established …then VyOS applied prefix-lists and route-maps :-(
FRR Converges BGP Fast Router booted up Began configuring itself Brought interfaces up Brought BGP instance up Cogent transit session established Peering sessions on LINX established …then VyOS applied prefix-lists and route-maps :-(
ANNOUNCING 800K ROUTES TO LINX MAN (BY ACCIDENT) T1698 + T1148 + T944 BUGS! Achievement
 Unlocked :(
FRR Impedance Mismatch 
 router bgp 41495 neighbor 195.66.244.6 remote-as 6939 neighbor 195.66.244.6 soft-reconfiguration inbound neighbor 195.66.244.6 maximum-prefix 200000 neighbor 195.66.244.6 prefix-list hphr-DFZ-IPv4 in neighbor 195.66.244.6 prefix-list auto-AS-FAELIX out neighbor 195.66.244.6 route-map AS6939-LINX-in-IPv4 in neighbor 195.66.244.6 route-map TRANSIT-out-IPv4 out neighbor shutdown no shutdown
FRR Impedance Mismatch "Since FRR lacks a command for creating peers in down state, no other workaround is possible." Bug: T1148 router bgp 41495 neighbor 195.66.244.6 remote-as 6939 neighbor 195.66.244.6 soft-reconfiguration inbound neighbor 195.66.244.6 maximum-prefix 200000 neighbor 195.66.244.6 prefix-list hphr-DFZ-IPv4 in neighbor 195.66.244.6 prefix-list auto-AS-FAELIX out neighbor 195.66.244.6 route-map AS6939-LINX-in-IPv4 in neighbor 195.66.244.6 route-map TRANSIT-out-IPv4 out
BGP C/P Protection added to hphr
THIS STORY ISN'T OVER…
XXXTODO Add features to FRR, provide VyOS workarounds, or make Salt states for router reboot maintenance Nerf watchfrr, and make it possible for VyOS to refresh config into FRR's daemons Fragility of VyOS firewalling when replaced with barebones iptables from hphr NIC parameter and bare metal router sysctl tuning XDP in VyOS 1.3
What We Achieved Two very long nights of maintenance (both overran) Full table BGP on VyOS converge time in seconds Routing on MikroTiks converges near-instantly BCP38 (customers cannot spoof source address) IRR filtering (only accept where route/route6 object) RPKI (will not accept invalid routes from P/T) Templated configuration (repeatable, automated) Single source of truth (the docs become the config)
BEER TIME FOR MAREK, QUESTION TIME FOR LOU E: marek @ faelix . net T: @maznu E: lou @ faelix . net T: @gremlinlou

Recommended

"SRv6の現状と展望" ENOG53@上越
"SRv6の現状と展望" ENOG53@上越"SRv6の現状と展望" ENOG53@上越
"SRv6の現状と展望" ENOG53@上越Kentaro Ebisawa
 
VPP事始め
VPP事始めVPP事始め
VPP事始めnpsg
 
NETCONFとYANGの話
NETCONFとYANGの話NETCONFとYANGの話
NETCONFとYANGの話Masakazu Asama
 
DPDKによる高速コンテナネットワーキング
DPDKによる高速コンテナネットワーキングDPDKによる高速コンテナネットワーキング
DPDKによる高速コンテナネットワーキングTomoya Hibi
 
Service Function Chaining with SRv6
Service Function Chaining with SRv6Service Function Chaining with SRv6
Service Function Chaining with SRv6Ahmed AbdelSalam
 
無料で仮想Junos環境を手元に作ろう
無料で仮想Junos環境を手元に作ろう無料で仮想Junos環境を手元に作ろう
無料で仮想Junos環境を手元に作ろうakira6592
 
Multi Chassis LAG for Cloud builders
Multi Chassis LAG for Cloud buildersMulti Chassis LAG for Cloud builders
Multi Chassis LAG for Cloud buildersJuniper Networks (日本)
 
IPv4/IPv6 移行・共存技術の動向
IPv4/IPv6 移行・共存技術の動向IPv4/IPv6 移行・共存技術の動向
IPv4/IPv6 移行・共存技術の動向Yuya Rin
 

Recommended

"SRv6の現状と展望" ENOG53@上越
"SRv6の現状と展望" ENOG53@上越"SRv6の現状と展望" ENOG53@上越
"SRv6の現状と展望" ENOG53@上越Kentaro Ebisawa
 
VPP事始め
VPP事始めVPP事始め
VPP事始めnpsg
 
NETCONFとYANGの話
NETCONFとYANGの話NETCONFとYANGの話
NETCONFとYANGの話Masakazu Asama
 
DPDKによる高速コンテナネットワーキング
DPDKによる高速コンテナネットワーキングDPDKによる高速コンテナネットワーキング
DPDKによる高速コンテナネットワーキングTomoya Hibi
 
Service Function Chaining with SRv6
Service Function Chaining with SRv6Service Function Chaining with SRv6
Service Function Chaining with SRv6Ahmed AbdelSalam
 
無料で仮想Junos環境を手元に作ろう
無料で仮想Junos環境を手元に作ろう無料で仮想Junos環境を手元に作ろう
無料で仮想Junos環境を手元に作ろうakira6592
 
Multi Chassis LAG for Cloud builders
Multi Chassis LAG for Cloud buildersMulti Chassis LAG for Cloud builders
Multi Chassis LAG for Cloud buildersJuniper Networks (日本)
 
IPv4/IPv6 移行・共存技術の動向
IPv4/IPv6 移行・共存技術の動向IPv4/IPv6 移行・共存技術の動向
IPv4/IPv6 移行・共存技術の動向Yuya Rin
 
3GPP 5G NSA introduction 2(EN-DC RRC Timer)
3GPP 5G NSA introduction 2(EN-DC RRC Timer)3GPP 5G NSA introduction 2(EN-DC RRC Timer)
3GPP 5G NSA introduction 2(EN-DC RRC Timer)Ryuichi Yasunaga
 
VXLAN BGP EVPN: Technology Building Blocks
VXLAN BGP EVPN: Technology Building BlocksVXLAN BGP EVPN: Technology Building Blocks
VXLAN BGP EVPN: Technology Building BlocksAPNIC
 
JANOG43 Forefront of SRv6, Open Source Implementations
JANOG43 Forefront of SRv6, Open Source ImplementationsJANOG43 Forefront of SRv6, Open Source Implementations
JANOG43 Forefront of SRv6, Open Source ImplementationsKentaro Ebisawa
 
Telecom Infra Projectの取り組み -光伝送におけるハードとソフトの分離-
Telecom Infra Projectの取り組み -光伝送におけるハードとソフトの分離-Telecom Infra Projectの取り組み -光伝送におけるハードとソフトの分離-
Telecom Infra Projectの取り組み -光伝送におけるハードとソフトの分離-HidekiNishizawa
 
netfilter and iptables
netfilter and iptablesnetfilter and iptables
netfilter and iptablesKernel TLV
 
Dockerと外部ルータを連携させる仕組みを作ってみた
Dockerと外部ルータを連携させる仕組みを作ってみたDockerと外部ルータを連携させる仕組みを作ってみた
Dockerと外部ルータを連携させる仕組みを作ってみたnpsg
 
MENOG-Segment Routing Introduction
MENOG-Segment Routing IntroductionMENOG-Segment Routing Introduction
MENOG-Segment Routing IntroductionRasoul Mesghali, CCIE RS
 
OVN 設定サンプル | OVN config example 2015/12/27
OVN 設定サンプル | OVN config example 2015/12/27OVN 設定サンプル | OVN config example 2015/12/27
OVN 設定サンプル | OVN config example 2015/12/27Kentaro Ebisawa
 
ONIC-Japan-2019-OVN public
ONIC-Japan-2019-OVN publicONIC-Japan-2019-OVN public
ONIC-Japan-2019-OVN publicManabu Ori
 
Replacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with CiliumReplacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with CiliumMichal Rostecki
 
VXLAN and FRRouting
VXLAN and FRRoutingVXLAN and FRRouting
VXLAN and FRRoutingFaisal Reza
 
VLANs in the Linux Kernel
VLANs in the Linux KernelVLANs in the Linux Kernel
VLANs in the Linux KernelKernel TLV
 
データセンターネットワークでのPrometheus活用事例
データセンターネットワークでのPrometheus活用事例データセンターネットワークでのPrometheus活用事例
データセンターネットワークでのPrometheus活用事例Yahoo!デベロッパーネットワーク
 
NFVアプリケーションをOpenStack上で動かす為に - OpenStack最新情報セミナー 2017年7月
NFVアプリケーションをOpenStack上で動かす為に - OpenStack最新情報セミナー 2017年7月NFVアプリケーションをOpenStack上で動かす為に - OpenStack最新情報セミナー 2017年7月
NFVアプリケーションをOpenStack上で動かす為に - OpenStack最新情報セミナー 2017年7月VirtualTech Japan Inc.
 
Juniper mpls best practice part 1
Juniper mpls best practice part 1Juniper mpls best practice part 1
Juniper mpls best practice part 1Febrian ‎
 
EVPN for Cloud Builders
EVPN for Cloud BuildersEVPN for Cloud Builders
EVPN for Cloud BuildersJuniper Networks (日本)
 
OFI libfabric Tutorial
OFI libfabric TutorialOFI libfabric Tutorial
OFI libfabric Tutorialdgoodell
 
Barry Hesk: Cisco Unified Communications Manager training deck 1
Barry Hesk: Cisco Unified Communications Manager training deck 1Barry Hesk: Cisco Unified Communications Manager training deck 1
Barry Hesk: Cisco Unified Communications Manager training deck 1Barry Hesk
 
Implementing IPv6 Segment Routing in the Linux kernel
Implementing IPv6 Segment Routing in the Linux kernelImplementing IPv6 Segment Routing in the Linux kernel
Implementing IPv6 Segment Routing in the Linux kernelOlivier Bonaventure
 
FlexEのご紹介 - JANOG 39.5 発表資料
FlexEのご紹介 - JANOG 39.5 発表資料FlexEのご紹介 - JANOG 39.5 発表資料
FlexEのご紹介 - JANOG 39.5 発表資料Juniper Networks (日本)
 
VYOS & RPKI at the BGP as edge
VYOS & RPKI at the BGP as edgeVYOS & RPKI at the BGP as edge
VYOS & RPKI at the BGP as edgeFaelix Ltd
 
Implementing an IPv6 Enabled Environment for a Public Cloud Tenant
Implementing an IPv6 Enabled Environment for a Public Cloud TenantImplementing an IPv6 Enabled Environment for a Public Cloud Tenant
Implementing an IPv6 Enabled Environment for a Public Cloud TenantShixiong Shang
 

More Related Content

What's hot

3GPP 5G NSA introduction 2(EN-DC RRC Timer)
3GPP 5G NSA introduction 2(EN-DC RRC Timer)3GPP 5G NSA introduction 2(EN-DC RRC Timer)
3GPP 5G NSA introduction 2(EN-DC RRC Timer)Ryuichi Yasunaga
 
VXLAN BGP EVPN: Technology Building Blocks
VXLAN BGP EVPN: Technology Building BlocksVXLAN BGP EVPN: Technology Building Blocks
VXLAN BGP EVPN: Technology Building BlocksAPNIC
 
JANOG43 Forefront of SRv6, Open Source Implementations
JANOG43 Forefront of SRv6, Open Source ImplementationsJANOG43 Forefront of SRv6, Open Source Implementations
JANOG43 Forefront of SRv6, Open Source ImplementationsKentaro Ebisawa
 
Telecom Infra Projectの取り組み -光伝送におけるハードとソフトの分離-
Telecom Infra Projectの取り組み -光伝送におけるハードとソフトの分離-Telecom Infra Projectの取り組み -光伝送におけるハードとソフトの分離-
Telecom Infra Projectの取り組み -光伝送におけるハードとソフトの分離-HidekiNishizawa
 
netfilter and iptables
netfilter and iptablesnetfilter and iptables
netfilter and iptablesKernel TLV
 
Dockerと外部ルータを連携させる仕組みを作ってみた
Dockerと外部ルータを連携させる仕組みを作ってみたDockerと外部ルータを連携させる仕組みを作ってみた
Dockerと外部ルータを連携させる仕組みを作ってみたnpsg
 
OVN 設定サンプル | OVN config example 2015/12/27
OVN 設定サンプル | OVN config example 2015/12/27OVN 設定サンプル | OVN config example 2015/12/27
OVN 設定サンプル | OVN config example 2015/12/27Kentaro Ebisawa
 
ONIC-Japan-2019-OVN public
ONIC-Japan-2019-OVN publicONIC-Japan-2019-OVN public
ONIC-Japan-2019-OVN publicManabu Ori
 
Replacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with CiliumReplacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with CiliumMichal Rostecki
 
VXLAN and FRRouting
VXLAN and FRRoutingVXLAN and FRRouting
VXLAN and FRRoutingFaisal Reza
 
VLANs in the Linux Kernel
VLANs in the Linux KernelVLANs in the Linux Kernel
VLANs in the Linux KernelKernel TLV
 
NFVアプリケーションをOpenStack上で動かす為に - OpenStack最新情報セミナー 2017年7月
NFVアプリケーションをOpenStack上で動かす為に - OpenStack最新情報セミナー 2017年7月NFVアプリケーションをOpenStack上で動かす為に - OpenStack最新情報セミナー 2017年7月
NFVアプリケーションをOpenStack上で動かす為に - OpenStack最新情報セミナー 2017年7月VirtualTech Japan Inc.
 
Juniper mpls best practice part 1
Juniper mpls best practice part 1Juniper mpls best practice part 1
Juniper mpls best practice part 1Febrian ‎
 
OFI libfabric Tutorial
OFI libfabric TutorialOFI libfabric Tutorial
OFI libfabric Tutorialdgoodell
 
Barry Hesk: Cisco Unified Communications Manager training deck 1
Barry Hesk: Cisco Unified Communications Manager training deck 1Barry Hesk: Cisco Unified Communications Manager training deck 1
Barry Hesk: Cisco Unified Communications Manager training deck 1Barry Hesk
 
Implementing IPv6 Segment Routing in the Linux kernel
Implementing IPv6 Segment Routing in the Linux kernelImplementing IPv6 Segment Routing in the Linux kernel
Implementing IPv6 Segment Routing in the Linux kernelOlivier Bonaventure
 

What's hot (20)

3GPP 5G NSA introduction 2(EN-DC RRC Timer)
3GPP 5G NSA introduction 2(EN-DC RRC Timer)3GPP 5G NSA introduction 2(EN-DC RRC Timer)
3GPP 5G NSA introduction 2(EN-DC RRC Timer)
 
VXLAN BGP EVPN: Technology Building Blocks
VXLAN BGP EVPN: Technology Building BlocksVXLAN BGP EVPN: Technology Building Blocks
VXLAN BGP EVPN: Technology Building Blocks
 
JANOG43 Forefront of SRv6, Open Source Implementations
JANOG43 Forefront of SRv6, Open Source ImplementationsJANOG43 Forefront of SRv6, Open Source Implementations
JANOG43 Forefront of SRv6, Open Source Implementations
 
Telecom Infra Projectの取り組み -光伝送におけるハードとソフトの分離-
Telecom Infra Projectの取り組み -光伝送におけるハードとソフトの分離-Telecom Infra Projectの取り組み -光伝送におけるハードとソフトの分離-
Telecom Infra Projectの取り組み -光伝送におけるハードとソフトの分離-
 
netfilter and iptables
netfilter and iptablesnetfilter and iptables
netfilter and iptables
 
Dockerと外部ルータを連携させる仕組みを作ってみた
Dockerと外部ルータを連携させる仕組みを作ってみたDockerと外部ルータを連携させる仕組みを作ってみた
Dockerと外部ルータを連携させる仕組みを作ってみた
 
MENOG-Segment Routing Introduction
MENOG-Segment Routing IntroductionMENOG-Segment Routing Introduction
MENOG-Segment Routing Introduction
 
OVN 設定サンプル | OVN config example 2015/12/27
OVN 設定サンプル | OVN config example 2015/12/27OVN 設定サンプル | OVN config example 2015/12/27
OVN 設定サンプル | OVN config example 2015/12/27
 
ONIC-Japan-2019-OVN public
ONIC-Japan-2019-OVN publicONIC-Japan-2019-OVN public
ONIC-Japan-2019-OVN public
 
Replacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with CiliumReplacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with Cilium
 
VXLAN and FRRouting
VXLAN and FRRoutingVXLAN and FRRouting
VXLAN and FRRouting
 
VLANs in the Linux Kernel
VLANs in the Linux KernelVLANs in the Linux Kernel
VLANs in the Linux Kernel
 
データセンターネットワークでのPrometheus活用事例
データセンターネットワークでのPrometheus活用事例データセンターネットワークでのPrometheus活用事例
データセンターネットワークでのPrometheus活用事例
 
NFVアプリケーションをOpenStack上で動かす為に - OpenStack最新情報セミナー 2017年7月
NFVアプリケーションをOpenStack上で動かす為に - OpenStack最新情報セミナー 2017年7月NFVアプリケーションをOpenStack上で動かす為に - OpenStack最新情報セミナー 2017年7月
NFVアプリケーションをOpenStack上で動かす為に - OpenStack最新情報セミナー 2017年7月
 
Juniper mpls best practice part 1
Juniper mpls best practice part 1Juniper mpls best practice part 1
Juniper mpls best practice part 1
 
EVPN for Cloud Builders
EVPN for Cloud BuildersEVPN for Cloud Builders
EVPN for Cloud Builders
 
OFI libfabric Tutorial
OFI libfabric TutorialOFI libfabric Tutorial
OFI libfabric Tutorial
 
Barry Hesk: Cisco Unified Communications Manager training deck 1
Barry Hesk: Cisco Unified Communications Manager training deck 1Barry Hesk: Cisco Unified Communications Manager training deck 1
Barry Hesk: Cisco Unified Communications Manager training deck 1
 
Implementing IPv6 Segment Routing in the Linux kernel
Implementing IPv6 Segment Routing in the Linux kernelImplementing IPv6 Segment Routing in the Linux kernel
Implementing IPv6 Segment Routing in the Linux kernel
 
FlexEのご紹介 - JANOG 39.5 発表資料
FlexEのご紹介 - JANOG 39.5 発表資料FlexEのご紹介 - JANOG 39.5 発表資料
FlexEのご紹介 - JANOG 39.5 発表資料
 

Similar to Netmcr 40 - Salt + Netbox + Vyos = Network Automation + Routing Security

VYOS & RPKI at the BGP as edge
VYOS & RPKI at the BGP as edgeVYOS & RPKI at the BGP as edge
VYOS & RPKI at the BGP as edgeFaelix Ltd
 
Implementing an IPv6 Enabled Environment for a Public Cloud Tenant
Implementing an IPv6 Enabled Environment for a Public Cloud TenantImplementing an IPv6 Enabled Environment for a Public Cloud Tenant
Implementing an IPv6 Enabled Environment for a Public Cloud TenantShixiong Shang
 
Hardware accelerated switching with Linux @ SWLUG Talks May 2014
Hardware accelerated switching with Linux @ SWLUG Talks May 2014Hardware accelerated switching with Linux @ SWLUG Talks May 2014
Hardware accelerated switching with Linux @ SWLUG Talks May 2014Nat Morris
 
VyOS Users Meeting #2, VyOSのVXLANの話
VyOS Users Meeting #2, VyOSのVXLANの話VyOS Users Meeting #2, VyOSのVXLANの話
VyOS Users Meeting #2, VyOSのVXLANの話upaa
 
PhNOG 2019: RPKI Deployment Update
PhNOG 2019: RPKI Deployment UpdatePhNOG 2019: RPKI Deployment Update
PhNOG 2019: RPKI Deployment UpdateAPNIC
 
SRv6-TOI-rev3i-EXTERNAL.pdf
SRv6-TOI-rev3i-EXTERNAL.pdfSRv6-TOI-rev3i-EXTERNAL.pdf
SRv6-TOI-rev3i-EXTERNAL.pdfYunLiu75
 
Dynamische Routingprotokolle Aufzucht und Pflege - OSPF
Dynamische Routingprotokolle Aufzucht und Pflege - OSPFDynamische Routingprotokolle Aufzucht und Pflege - OSPF
Dynamische Routingprotokolle Aufzucht und Pflege - OSPFMaximilan Wilhelm
 
NZNOG 2020 - Getting IPv6 Private Addressing Right
NZNOG 2020 - Getting IPv6 Private Addressing RightNZNOG 2020 - Getting IPv6 Private Addressing Right
NZNOG 2020 - Getting IPv6 Private Addressing RightMark Smith
 
Operational Issues inIPv6 --from vendors' point of view--
Operational Issues inIPv6 --from vendors' point of view--Operational Issues inIPv6 --from vendors' point of view--
Operational Issues inIPv6 --from vendors' point of view--Shinsuke SUZUKI
 
Deeper dive in Docker Overlay Networks
Deeper dive in Docker Overlay NetworksDeeper dive in Docker Overlay Networks
Deeper dive in Docker Overlay NetworksLaurent Bernaille
 
Osnug meetup-tungsten fabric - overview.pptx
Osnug meetup-tungsten fabric - overview.pptxOsnug meetup-tungsten fabric - overview.pptx
Osnug meetup-tungsten fabric - overview.pptxM.Qasim Arham
 
OpenNebulaConf2018 - Scalable L2 overlay networks with routed VXLAN / BGP EVP...
OpenNebulaConf2018 - Scalable L2 overlay networks with routed VXLAN / BGP EVP...OpenNebulaConf2018 - Scalable L2 overlay networks with routed VXLAN / BGP EVP...
OpenNebulaConf2018 - Scalable L2 overlay networks with routed VXLAN / BGP EVP...OpenNebula Project
 
Cloud Traffic Engineer – Google Espresso Project by Shaowen Ma
Cloud Traffic Engineer – Google Espresso Project by Shaowen MaCloud Traffic Engineer – Google Espresso Project by Shaowen Ma
Cloud Traffic Engineer – Google Espresso Project by Shaowen MaMyNOG
 
IXP Route Servers with RPKI and IXP Manager
IXP Route Servers with RPKI and IXP ManagerIXP Route Servers with RPKI and IXP Manager
IXP Route Servers with RPKI and IXP ManagerAPNIC
 
Ipv6 deployment at the university of warwick - networkshop44
Ipv6 deployment at the university of warwick - networkshop44Ipv6 deployment at the university of warwick - networkshop44
Ipv6 deployment at the university of warwick - networkshop44Jisc
 

Similar to Netmcr 40 - Salt + Netbox + Vyos = Network Automation + Routing Security (20)

VYOS & RPKI at the BGP as edge
VYOS & RPKI at the BGP as edgeVYOS & RPKI at the BGP as edge
VYOS & RPKI at the BGP as edge
 
Implementing an IPv6 Enabled Environment for a Public Cloud Tenant
Implementing an IPv6 Enabled Environment for a Public Cloud TenantImplementing an IPv6 Enabled Environment for a Public Cloud Tenant
Implementing an IPv6 Enabled Environment for a Public Cloud Tenant
 
Practice Lab CSC
Practice Lab CSCPractice Lab CSC
Practice Lab CSC
 
Hardware accelerated switching with Linux @ SWLUG Talks May 2014
Hardware accelerated switching with Linux @ SWLUG Talks May 2014Hardware accelerated switching with Linux @ SWLUG Talks May 2014
Hardware accelerated switching with Linux @ SWLUG Talks May 2014
 
Remote peering
Remote peeringRemote peering
Remote peering
 
VyOS Users Meeting #2, VyOSのVXLANの話
VyOS Users Meeting #2, VyOSのVXLANの話VyOS Users Meeting #2, VyOSのVXLANの話
VyOS Users Meeting #2, VyOSのVXLANの話
 
PhNOG 2019: RPKI Deployment Update
PhNOG 2019: RPKI Deployment UpdatePhNOG 2019: RPKI Deployment Update
PhNOG 2019: RPKI Deployment Update
 
SRv6-TOI-rev3i-EXTERNAL.pdf
SRv6-TOI-rev3i-EXTERNAL.pdfSRv6-TOI-rev3i-EXTERNAL.pdf
SRv6-TOI-rev3i-EXTERNAL.pdf
 
Dynamische Routingprotokolle Aufzucht und Pflege - OSPF
Dynamische Routingprotokolle Aufzucht und Pflege - OSPFDynamische Routingprotokolle Aufzucht und Pflege - OSPF
Dynamische Routingprotokolle Aufzucht und Pflege - OSPF
 
NZNOG 2020 - Getting IPv6 Private Addressing Right
NZNOG 2020 - Getting IPv6 Private Addressing RightNZNOG 2020 - Getting IPv6 Private Addressing Right
NZNOG 2020 - Getting IPv6 Private Addressing Right
 
FD.io - The Universal Dataplane
FD.io - The Universal DataplaneFD.io - The Universal Dataplane
FD.io - The Universal Dataplane
 
Operational Issues inIPv6 --from vendors' point of view--
Operational Issues inIPv6 --from vendors' point of view--Operational Issues inIPv6 --from vendors' point of view--
Operational Issues inIPv6 --from vendors' point of view--
 
Deeper dive in Docker Overlay Networks
Deeper dive in Docker Overlay NetworksDeeper dive in Docker Overlay Networks
Deeper dive in Docker Overlay Networks
 
IPV6 IPv6 Routing Lab By Rob Hamm
IPV6 IPv6 Routing Lab By Rob HammIPV6 IPv6 Routing Lab By Rob Hamm
IPV6 IPv6 Routing Lab By Rob Hamm
 
Osnug meetup-tungsten fabric - overview.pptx
Osnug meetup-tungsten fabric - overview.pptxOsnug meetup-tungsten fabric - overview.pptx
Osnug meetup-tungsten fabric - overview.pptx
 
Ipv6
Ipv6Ipv6
Ipv6
 
OpenNebulaConf2018 - Scalable L2 overlay networks with routed VXLAN / BGP EVP...
OpenNebulaConf2018 - Scalable L2 overlay networks with routed VXLAN / BGP EVP...OpenNebulaConf2018 - Scalable L2 overlay networks with routed VXLAN / BGP EVP...
OpenNebulaConf2018 - Scalable L2 overlay networks with routed VXLAN / BGP EVP...
 
Cloud Traffic Engineer – Google Espresso Project by Shaowen Ma
Cloud Traffic Engineer – Google Espresso Project by Shaowen MaCloud Traffic Engineer – Google Espresso Project by Shaowen Ma
Cloud Traffic Engineer – Google Espresso Project by Shaowen Ma
 
IXP Route Servers with RPKI and IXP Manager
IXP Route Servers with RPKI and IXP ManagerIXP Route Servers with RPKI and IXP Manager
IXP Route Servers with RPKI and IXP Manager
 
Ipv6 deployment at the university of warwick - networkshop44
Ipv6 deployment at the university of warwick - networkshop44Ipv6 deployment at the university of warwick - networkshop44
Ipv6 deployment at the university of warwick - networkshop44
 

More from Faelix Ltd

Net mcr 2021 05 handout
Net mcr 2021 05 handoutNet mcr 2021 05 handout
Net mcr 2021 05 handoutFaelix Ltd
 
L2TP 101 ON-RAMP TO CONSUMING WHOLESALE BROADBAND SERVICES
L2TP 101 ON-RAMP TO CONSUMING WHOLESALE BROADBAND SERVICESL2TP 101 ON-RAMP TO CONSUMING WHOLESALE BROADBAND SERVICES
L2TP 101 ON-RAMP TO CONSUMING WHOLESALE BROADBAND SERVICESFaelix Ltd
 
Things I wish I had known about IPv6 before I started
Things I wish I had known about IPv6 before I startedThings I wish I had known about IPv6 before I started
Things I wish I had known about IPv6 before I startedFaelix Ltd
 
Bastion jump hosts with Teleport
Bastion jump hosts with TeleportBastion jump hosts with Teleport
Bastion jump hosts with TeleportFaelix Ltd
 
How we found a firewall vendor bug using Teleport as a bastion jump host
How we found a firewall vendor bug using Teleport as a bastion jump hostHow we found a firewall vendor bug using Teleport as a bastion jump host
How we found a firewall vendor bug using Teleport as a bastion jump hostFaelix Ltd
 
The Story of CVE-2018-19299 - finding and reporting bugs in Mikrotik RouterOS v6
The Story of CVE-2018-19299 - finding and reporting bugs in Mikrotik RouterOS v6The Story of CVE-2018-19299 - finding and reporting bugs in Mikrotik RouterOS v6
The Story of CVE-2018-19299 - finding and reporting bugs in Mikrotik RouterOS v6Faelix Ltd
 
Keeping your rack cool with one "/IP route rule"
Keeping your rack cool with one "/IP route rule"Keeping your rack cool with one "/IP route rule"
Keeping your rack cool with one "/IP route rule"Faelix Ltd
 
MikroTik & RouterOS
MikroTik & RouterOSMikroTik & RouterOS
MikroTik & RouterOSFaelix Ltd
 
SDN, CMDB, NMS ...CRM! How we're putting the customer at the centre of our ne...
SDN, CMDB, NMS ...CRM! How we're putting the customer at the centre of our ne...SDN, CMDB, NMS ...CRM! How we're putting the customer at the centre of our ne...
SDN, CMDB, NMS ...CRM! How we're putting the customer at the centre of our ne...Faelix Ltd
 

More from Faelix Ltd (9)

Net mcr 2021 05 handout
Net mcr 2021 05 handoutNet mcr 2021 05 handout
Net mcr 2021 05 handout
 
L2TP 101 ON-RAMP TO CONSUMING WHOLESALE BROADBAND SERVICES
L2TP 101 ON-RAMP TO CONSUMING WHOLESALE BROADBAND SERVICESL2TP 101 ON-RAMP TO CONSUMING WHOLESALE BROADBAND SERVICES
L2TP 101 ON-RAMP TO CONSUMING WHOLESALE BROADBAND SERVICES
 
Things I wish I had known about IPv6 before I started
Things I wish I had known about IPv6 before I startedThings I wish I had known about IPv6 before I started
Things I wish I had known about IPv6 before I started
 
Bastion jump hosts with Teleport
Bastion jump hosts with TeleportBastion jump hosts with Teleport
Bastion jump hosts with Teleport
 
How we found a firewall vendor bug using Teleport as a bastion jump host
How we found a firewall vendor bug using Teleport as a bastion jump hostHow we found a firewall vendor bug using Teleport as a bastion jump host
How we found a firewall vendor bug using Teleport as a bastion jump host
 
The Story of CVE-2018-19299 - finding and reporting bugs in Mikrotik RouterOS v6
The Story of CVE-2018-19299 - finding and reporting bugs in Mikrotik RouterOS v6The Story of CVE-2018-19299 - finding and reporting bugs in Mikrotik RouterOS v6
The Story of CVE-2018-19299 - finding and reporting bugs in Mikrotik RouterOS v6
 
Keeping your rack cool with one "/IP route rule"
Keeping your rack cool with one "/IP route rule"Keeping your rack cool with one "/IP route rule"
Keeping your rack cool with one "/IP route rule"
 
MikroTik & RouterOS
MikroTik & RouterOSMikroTik & RouterOS
MikroTik & RouterOS
 
SDN, CMDB, NMS ...CRM! How we're putting the customer at the centre of our ne...
SDN, CMDB, NMS ...CRM! How we're putting the customer at the centre of our ne...SDN, CMDB, NMS ...CRM! How we're putting the customer at the centre of our ne...
SDN, CMDB, NMS ...CRM! How we're putting the customer at the centre of our ne...
 

Recently uploaded

Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 

Recently uploaded (20)

Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 

Netmcr 40 - Salt + Netbox + Vyos = Network Automation + Routing Security

  • 1. SALT + NETBOX + VYOS = NETWORK AUTOMATION
 + ROUTING SECURITY MAREK ISALSKI — FAELIX https://faelix.link/netmcr40
  • 2. VyOS SaltStack YAML Netbox
 BGP OSPF FRR RPKI IRR XDP
 bgpq3 UTRS RTBH NetFlow MAREK ISALSKI — FAELIX https://faelix.link/netmcr40
  • 3. Who? Marek and Lou and Laura A bunch of @NetworkMoose Giants: FRR, Routinator 3000, VyOS+contributors, Linux, netfilter/iptables, Salt+contributors, RIPE+RIRs, Team Cymru, DigitalOcean+Netbox-contributors…
  • 4. Where? This story all took place in: Reynolds House (Equinix MA2) Williams House (Equinix MA1)
  • 6. Why? RIPE NCC Update 2019-10-02 Today we allocated the last of our contiguous /22 IPv4 address blocks. We still have approximately one million addresses available, in the form of
 /23s and /24s, and we will continue making /22- equivalent allocations made up of these smaller blocks. Once we can no longer allocate the equivalent of a /22, we will announce that we have reached run-out. We expect this to occur in November 2019. +4000routesby 2020
  • 7. Why? 1M routes in 200 days
  • 10. Why?
  • 12. OSPF Area 0 How? DFZ 800k routes800k routes default! default!
  • 14. How? 4x 10G SFP+ ports (must not be RJ45, cannot be QSFP+ with SFP+ breakout) At least 2x 1G RJ45 ports Low CPU power draw Prefer GHz over cores (single-thread performance) ~16 Gb RAM Ideally 1U Ideally dual PSU and IPMI
  • 15. How? SM Chassis: Front I/O, Redundant 400W PSUs SM X11SCM-F (2x RJ45 Intel® I210-AT + OOB/IPMI) Xeon E3-1265Lv5 (4c/8t, 2.9GHz, 45W) 16GB DDR4 2666 ECC, 2x 240Gb SSDs Intel X710-DA4 (4x SFP+ NIC)
  • 16. How?
  • 17. How?
  • 19. VyOS Linux FRR (Quagga fork) for routing protocols iproute2, iptables, ipset, etc VyOS 1.3: XDP (eXpress Data Path) Like DPDK / FDIO / VPP (but less tap/vif mess) 20Mpps per CPU core…!
  • 20. SaltStack Big investment in Salt @faelix Use it for bare metal (virtualisation clusters) Use it for our ISP services and NFVs Use it for full-/part-managed customer VPSs …why not use it for routers? VyOS includes salt-minion (agent)
  • 21. Introducing: hphr "Halophile Router" (salt-loving) Uses Netbox for single source-of-truth Uses SLS (YAML) for anything not possible in Netbox Generates a VyOS router configuration file Loads, compares, commits, saves to config.boot OSS release coming soon: github.com/faelix/hphr
  • 26. Netbox ≈ "physical infra" Using SaltStack's "pillar" in two ways: Netbox for DCIM / IPAM SLS (YAML-syntax) files for OSPF, BGP, etc
  • 37. BGP C/P Protection bgpd state -> unresponsive : no response yet to ping sent 90 seconds ago
  • 39. BGP C/P Protection 847177 bgp routes removed from the rib bgpd restarting, we're gonna be ok?!
  • 41. bly$ show ip bgp summary % BGP instance not found
 bly$
  • 42. Architecture of VyOS protocols { bgp 41495 { ……… } } router bgp 41495 ………"VyOS" /config/config.boot FRR running-config https://phabricator.vyos.net/ T1514
  • 43. So: Reboot the Router https://phabricator.vyos.net/T1514 FRR's running-config not "refreshable" if a daemon crashes Can only reboot router to make VyOS send new running-config Rebooting a router is annoying, but we're in a maintenance window, the other router is ok, so we're gonna be ok.
  • 45. FRR Converges BGP Fast Router booted up Began configuring itself Brought interfaces up Brought BGP instance up Cogent transit session established Peering sessions on LINX established …then VyOS applied prefix-lists and route-maps :-(
  • 46. FRR Converges BGP Fast Router booted up Began configuring itself Brought interfaces up Brought BGP instance up Cogent transit session established Peering sessions on LINX established …then VyOS applied prefix-lists and route-maps :-(
  • 47. ANNOUNCING 800K ROUTES TO LINX MAN (BY ACCIDENT) T1698 + T1148 + T944 BUGS! Achievement
 Unlocked :(
  • 48. FRR Impedance Mismatch 
 router bgp 41495 neighbor 195.66.244.6 remote-as 6939 neighbor 195.66.244.6 soft-reconfiguration inbound neighbor 195.66.244.6 maximum-prefix 200000 neighbor 195.66.244.6 prefix-list hphr-DFZ-IPv4 in neighbor 195.66.244.6 prefix-list auto-AS-FAELIX out neighbor 195.66.244.6 route-map AS6939-LINX-in-IPv4 in neighbor 195.66.244.6 route-map TRANSIT-out-IPv4 out neighbor shutdown no shutdown
  • 49. FRR Impedance Mismatch "Since FRR lacks a command for creating peers in down state, no other workaround is possible." Bug: T1148 router bgp 41495 neighbor 195.66.244.6 remote-as 6939 neighbor 195.66.244.6 soft-reconfiguration inbound neighbor 195.66.244.6 maximum-prefix 200000 neighbor 195.66.244.6 prefix-list hphr-DFZ-IPv4 in neighbor 195.66.244.6 prefix-list auto-AS-FAELIX out neighbor 195.66.244.6 route-map AS6939-LINX-in-IPv4 in neighbor 195.66.244.6 route-map TRANSIT-out-IPv4 out
  • 51. THIS STORY ISN'T OVER…
  • 52. XXXTODO Add features to FRR, provide VyOS workarounds, or make Salt states for router reboot maintenance Nerf watchfrr, and make it possible for VyOS to refresh config into FRR's daemons Fragility of VyOS firewalling when replaced with barebones iptables from hphr NIC parameter and bare metal router sysctl tuning XDP in VyOS 1.3
  • 53. What We Achieved Two very long nights of maintenance (both overran) Full table BGP on VyOS converge time in seconds Routing on MikroTiks converges near-instantly BCP38 (customers cannot spoof source address) IRR filtering (only accept where route/route6 object) RPKI (will not accept invalid routes from P/T) Templated configuration (repeatable, automated) Single source of truth (the docs become the config)
  • 54. BEER TIME FOR MAREK, QUESTION TIME FOR LOU E: marek @ faelix . net T: @maznu E: lou @ faelix . net T: @gremlinlou