What was one of the most common questions in our SR Linux discord in 2023?
EVPN? YANG? Streaming Telemetry? Programmability? Scaling DC workloads?
No. VLANs 😅
This buddy hurt you good in your early days, right? With global VLANs, trunks, and forgotten add? Your understanding of VLANs provisioning might get clouded by the industry-standard way of doing things, which may result in a lot of confusion when you start working with SR Linux.
Get yourself comfy, we are about to have a deep dive into VLANs on SR Linux.
Terrapin is a prefix truncation attack targeting the SSH protocol. More precisely, Terrapin breaks the integrity of SSH's secure channel.
Pretty scary stuff, innit? Any Network Engineer/Admin understands the importance of SSH in their daily work. It's the most common way to access network devices, and it's the most secure way to do so. Is it now?
On December 18th 2023, a group of researchers from the Ruhr University Bochum publicly disclosed a new attack (CVE-2023-48795: General Protocol Flaw) on SSH protocol, called Terrapin. Targeting the very best SSH Binary Packet Protocol researchers proved that an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it.
But what does it mean to us, Network Engineers? Do we need to rush the vendors patching the SSH servers in their NOSes? Let's figure it out.
SR Linux supports a number of user authentication methods, including local authentication, TACACS+, and RADIUS. In this post, we will look at how to configure RADIUS authentication and authorization on SR Linux. As you may have already guessed, we will have a lab environment to play with sporting the FreeRADIUS server and a single-node SR Linux lab. Let's get started!
Show commands are the bread and butter of any network engineer. They are used to view the current configuration and state of the network element and are often a key tool used in troubleshooting.
Naturally, there are many show commands available on the SR Linux platform ranging from the basic commands to display environmental information to more advanced commands to display the state of the network element and its protocols. And since the SR Linux is a relatively new Network OS we wanted to make sure you can easily find the show commands you need by providing a growing list most useful show commands cataloged by topic.
Please welcome the new SR Linux Show Commands page that gets you on the fast track to finding the show commands you need.
Countless times I've been in a situation where I needed to share my terminal with someone or being asked to connect to someone's device instead.
Either I exhausted my networking foo and needed help from a colleague, or I was the one who was asked to help. In both cases, the problem was the same - how to quickly, securely1 and effortlessly share the terminal with someone else.
The problem is not new and there are many options on the table. From installing a VPN software and sharing the credentials, through zero-trust solutions like teleport, to using a simple SSH tunnel. All of these solutions are great, but they require some setup and configuration. And sometimes you just want to share your terminal with someone without going through the hassle of setting up a VPN or a zero-trust solution.
The sshx.io open-source service that just popped out offers a simple solution to this problem.
Install the multi-arch lightweight2sshx binary on your machine
Run sshx
Share the URL with someone
Enjoy collaborative terminal in a responsive web UI with a multi panel canvas
I felt an immediate urge to try it out with SR Linux. And it worked like a charm!
Containerlab already made it possible to quickly launch labs on demand with just a few commands. You would need to clone a repository with the lab and then call containerlab deploy to start the lab.
Simple enough, but quite often you want to run this simple SR Linux lab to test something quickly using a very basic topology. At times like this it is cumbersome to find and clone the repository and then call deploy command. Can we make it even more simple? Yes, we can!
It's taken much longer than we anticipated and wanted (Big co problems...) but we're finally here, SR Linux GPT release day!
Given the excitement surrounding generative AI, especially after the public release of OpenAI's ChatGPT, it's no surprise that everyone has been exploring the potential value of integrating generative AI into their products and applications. We're no exception. It's an ongoing journey for us, and we're thrilled to start unveiling some of our findings!
The SR Linux Command Line Interface (CLI) stands out as one of the most advanced and user-friendly CLI systems I've encountered. It breaks away from the conventional "industry standard" and introduces several innovative concepts that greatly enhance the ease of configuring and managing the network operating system. Among these innovations are "CLI wildcards and ranges," which, once mastered, can significantly improve your overall experience and efficiency.
The idea of using wildcards and ranges is not novel, as some CLI systems already include support for them. Nevertheless, SR Linux takes the concept of ranges and wildcards one step further, and in this post, we will explore how to harness their power effectively.
In the era of applications, it is easy to forget about the underlying infrastructure that interconnects them. However, the network is still the foundation of any application as it provides the connectivity and services that applications rely on.
The most popular container orchestration system - Kubernetes - is no exception to this rule where infrastructure is essential for several reasons:
DC fabric: Almost every k8s cluster leverages a DC fabric underneath to interconnect worker nodes.
Communication Between Services: Kubernetes applications are often composed of multiple microservices that need to communicate with each other. A well-designed network infrastructure ensures reliable and efficient communication between these services, contributing to overall application performance.
Load Balancing: Kubernetes distributes incoming traffic across multiple instances of an application for improved availability and responsiveness. A robust network setup provides load balancing capabilities, preventing overload on specific instances and maintaining a smooth user experience.
Scalability and Resilience: Kubernetes is renowned for scaling applications up or down based on demand. A resilient network infrastructure supports this scalability by efficiently routing traffic and maintaining service availability even during high traffic periods.
Getting familiar with all these features is vital for any network engineer working with a fabric supporting a k8s cluster. Wouldn't it be great to have a way to get into all of this without the need of a physical lab?
In this blog post we will dive into a lab topology that serves as a virtual environment to test the integration of a Kubernetes cluster with an IP fabric. The emulated fabric topology consists of a SR Linux-based Clos fabric with the Kubernetes cluster nodes connected to it. The k8s cluster features a MetalLB load-balancer that unlocks the capability of announcing deployed services to the IP fabric.
Throughout the lab, we will explore the way k8s services are announced to the IP fabric, and how L3 EVPN service with Anycast Gateway can be leveraged to create a simple and efficient overlay network for external users of the k8s services.
As for the tooling used to bring up the lab we will use Minikube to deploy a personal virtual k8s cluster and Containerlab will handle the IP fabric emulation and the connection between both environments.
Today, I'm sharing another piece of my experience from the NANOG88 conference where I had the privilege of presenting a tutorial featuring pyGNMI, a powerful tool for diagnosing network issues. During my talk, I used pyGNMI to visualize EVPN Layer2 and Layer 3 domains, sorting them by switch or network instance. I also added a special feature that detects discrepancies in the settings between different switches using the same EVPN domain – a great way to catch typos in your BGP/VXLAN settings.
Note
The script demonstrates how to use pyGNMI to retrieve BGP EVPN information from a list of routers. It then formats the data for easy viewing. For real world use cases, you would likely wrap pyGNMI with Nornir and leverage Nornir's inventory and task management capabilities, like shown here.
For this demonstration, I leveraged containerlab and Nokia SR Linux to build a VXLAN-EVPN Fabric, replicating a typical configuration I often use in my Kubernetes labs. I incorporated eBGP for underlay communication, and the topology I utilized comprised two spines, two leaf switches, and a border leaf.
In this blog post we are going to dive into the details of the script, discovering how it works and what it is capable of. If you want to try it out yourself, you can find the source code in the pygnmi-srl-nanog88 repo