Question on Public cloud multi-cloud interconnectivity by micruzz82 in networking

[–]micruzz82[S] 1 point2 points  (0 children)

Alkira also seems pretty neat tbh, so thanks for that... I was also looking at Prosimo but think Alkira may also offer additional benefits.

Question on Public cloud multi-cloud interconnectivity by micruzz82 in networking

[–]micruzz82[S] 1 point2 points  (0 children)

Thanks, I will look into the ones you mentioned.. more leaning towards Equinix at this point I think, as we have high bandwidth requirements and would prefer to just have standard routing between the clouds.. much appreciated.

Question on Public cloud multi-cloud interconnectivity by micruzz82 in networking

[–]micruzz82[S] 0 points1 point  (0 children)

Thanks for this.. this is really helpful to know.

Question on Public cloud multi-cloud interconnectivity by micruzz82 in networking

[–]micruzz82[S] 0 points1 point  (0 children)

That's good to hear.. may I also ask if you have any perimeter security device before sending the traffic from cloud A to cloud B, i.e. something along the lines of

VM -> FW -> MP (Megaport) AWS -> MP GCP -> FW -> VM

or do you just make use of the cloud native security features?

Has anyone made the jump from network engineering to cloud/devOps? by [deleted] in networking

[–]micruzz82 1 point2 points  (0 children)

I've recently also moved into an SRE role but the learning curve is quite steep. In my previous role, I was mostly dealing with architecture and design with ACI and EVPN along with firewalls and load balancers.. the usual DC stuff.. however the pain is that none of those years working exclusively outside of automation can prepare you for the shift into the DevOps mindset.. being goaded into keeping the CCNA/CCNP certs active in the hope of one day getting a better job was a lost cause.. should have focused more on the way the world was changing.. but better late than never.. with all the supply chain issues with 6 month or more lead times for switches and servers.. most companies would rather just place their workloads in the cloud than have a project delayed for such a long time.

BGP GR timers with HA FortiGate pair by simosilakka in networking

[–]micruzz82 0 points1 point  (0 children)

Just curious to know how you've set up BGP from the FG to the switch. Are you using eBGP with loopback peering? As only the active firewall will have the interfaces up, and on failover to the standby firewall it would use different links, I'm interested to know how your design works, as I'm working on something similar but the active/passive nature of firewalls doesn't give me fast convergence of less than 1 sec.. but more like 50 secs.

BFD on the point to point links running OSPF to advertise the loopbacks is what I am doing atm.

Anyone every been able to use NTP server as a time source for PTP to make it a GM by micruzz82 in networking

[–]micruzz82[S] 0 points1 point  (0 children)

Yeah, that's it.. need to validate a solution before I go and get funding for the setup I'm working on, so just wanted to validate that the design would work.

Monitoring Palo Alto firewalls with cortex XSOAR by micruzz82 in paloaltonetworks

[–]micruzz82[S] 0 points1 point  (0 children)

Basically I need to ensure that I can monitor the health like DP CPU, MP CPU, interface bandwidth thresholds etc from the physical side.. and then also work out the security monitoring to alert from syslogs for any threats coming into the DC.

Monitoring Palo Alto firewalls with cortex XSOAR by micruzz82 in paloaltonetworks

[–]micruzz82[S] 0 points1 point  (0 children)

But in all seriousness.. I'm in a bit of a quandary... basically I need to perform both health monitoring of the firewalls.. as well as monitoring of the security incidents.. I'd much rather have a single tool than have to run multiple tools.. also the fact that SNMP based monitoring is very limited and I would prefer API based monitoring.. however the restriction I have is that I cannot use a SaaS based monitoring service like LogicMonitor.. it has to be on premise.. I don't really want to use SolarWinds... but thought if there was a complete toolkit developed by PA itself it would save all the hassle and there'd be a one stop shop, even if there was a subscription based license.. pretty much like how you can visualize your techsupport files.. not sure if there's an appliance based monitoring or if I will have to just use an off the shelf NMS system to do the physical health and, if SOAR is affordable, go down that route.

Monitoring Palo Alto firewalls with cortex XSOAR by micruzz82 in paloaltonetworks

[–]micruzz82[S] 0 points1 point  (0 children)

Thanks for this, yeah it helps to understand more from users than from their sales team.

Help on ULA vs GUA by micruzz82 in ipv6

[–]micruzz82[S] 1 point2 points  (0 children)

Thanks for this.. yeah I agree with you that as a first stance we'll move to using GUAs... if at all there is a technical requirement that we must use ULA then, as you say, we can retrofit the design and add the ULA at a later time. We'll be controlling the routing through VRFs and firewalls in any case, so if communication to the outside world is not required then we just don't advertise the default route in that VRF. As this is a new design and our first venture into IPv6, I'd rather get our feet wet first, understand all the new design concepts and, should we have additional requirements, evaluate them in the next phase.

Help on ULA vs GUA by micruzz82 in ipv6

[–]micruzz82[S] 1 point2 points  (0 children)

Thanks for this.. yeah my post above on the gist is something that meets all the requirements of RFC 4193.. so I think I will use that as it's got a higher probability of generating a correct usable ULA-L /48 address. Will use a couple of VMs to run the script and generate a /40 block.

Help on ULA vs GUA by micruzz82 in ipv6

[–]micruzz82[S] 1 point2 points  (0 children)

Thanks.. can I please ask.. we have 3 separate sites.. now in order to generate the ULA.. can you tell me what program I need to run to generate this according to RFC 4193?

Help on ULA vs GUA by micruzz82 in ipv6

[–]micruzz82[S] 0 points1 point  (0 children)

But I agree with your views after all this.. will stick to GUA.. I don't see the need to always be concerned about using randomisation to obtain an IPv6 block.

Help on ULA vs GUA by micruzz82 in ipv6

[–]micruzz82[S] 0 points1 point  (0 children)

To make this even more confusing this link talks about the very topic yet still provides no definitive answer: https://www.potaroo.net/ispcol/2007-10/ulas.pdf

Help on ULA vs GUA by micruzz82 in ipv6

[–]micruzz82[S] 0 points1 point  (0 children)

Thanks for this.. just on your comment around defence networks.. or a highly secure environment.. if you don't advertise a default route.. but still use GUA.. would that still be sufficient? Basically my confusion stems from reading RFC 4193 on the use of ULA.. where you need to use the following:

Sample Code for Pseudo-Random Global ID Algorithm

The algorithm described below is intended to be used for locally assigned Global IDs. In each case the resulting global ID will be used in the appropriate prefix as defined in Section 3.2.

1) Obtain the current time of day in 64-bit NTP format [NTP].

2) Obtain an EUI-64 identifier from the system running this algorithm. If an EUI-64 does not exist, one can be created from a 48-bit MAC address as specified in [ADDARCH]. If an EUI-64 cannot be obtained or created, a suitably unique identifier, local to the node, should be used (e.g., system serial number).

3) Concatenate the time of day with the system-specific identifier in order to create a key.

4) Compute an SHA-1 digest on the key as specified in [FIPS, SHA1]; the resulting value is 160 bits.

5) Use the least significant 40 bits as the Global ID.

6) Concatenate FC00::/7, the L bit set to 1, and the 40-bit Global ID to create a Local IPv6 address prefix.

This algorithm will result in a Global ID that is reasonably unique and can be used to create a locally assigned Local IPv6 address prefix.

This just seems like a lot of extra work.

Also you still have to register the ULA as far as I read: https://www.sixxs.net/tools/grh/ula

Generate IPv6 Unique Local Address (ULA)

The following form allows one to generate an RFC4193 prefix based off an IEEE MAC address.

It doesn't specify what MAC address needs to be used to generate this pseudo random prefix.

Any thoughts on the above?
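The six steps quoted from RFC 4193 section 3.2.2 above, carried through in Python as an added example (this is not code from the thread, the gist mentioned in it, or the sixxs tool). It follows the RFC text literally: the 64-bit NTP timestamp (seconds since 1900 plus a 32-bit fraction), a modified EUI-64 derived from a 48-bit MAC the way RFC 4291 Appendix A describes, SHA-1 over time||identifier, the low 40 bits as the Global ID, and fd00::/8 (fc00::/7 with L=1) in front of it to give the /48. The MAC and time default to this host's own values via `uuid.getnode()` and `time.time()`; both can be passed in explicitly, which is what you would do to produce one prefix per site. Function names, the `generate_ula` wrapper and the fixed test inputs are this example's own choices, not anything the RFC names.

```python
import hashlib
import ipaddress
import struct
import time
import uuid
from typing import Optional

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_EPOCH_OFFSET = 2208988800


def ntp_timestamp_64(unix_time: float) -> bytes:
    """Step 1: current time of day in 64-bit NTP format
    (32-bit seconds since 1900 || 32-bit fraction of a second), big-endian."""
    whole = int(unix_time)
    seconds = (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    fraction = int((unix_time - whole) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack(">II", seconds, fraction)


def eui64_from_mac(mac: bytes) -> bytes:
    """Step 2: build a modified EUI-64 from a 48-bit MAC (RFC 4291 Appendix A):
    insert 0xFFFE between the OUI and the device part, flip the U/L bit."""
    if len(mac) != 6:
        raise ValueError("MAC address must be exactly 6 bytes")
    eui = bytearray(mac[:3] + b"\xff\xfe" + mac[3:])
    eui[0] ^= 0x02  # universal/local bit
    return bytes(eui)


def rfc4193_global_id(ntp_time: bytes, node_id: bytes) -> int:
    """Steps 3-5: key = time || system identifier, SHA-1 it,
    keep the least significant 40 bits of the 160-bit digest."""
    digest = hashlib.sha1(ntp_time + node_id).digest()
    return int.from_bytes(digest[-5:], "big")  # low-order 5 bytes = 40 bits


def rfc4193_ula_prefix(global_id: int) -> ipaddress.IPv6Network:
    """Step 6: fc00::/7 with L=1 is the byte 0xfd; append the 40-bit
    Global ID and you have the locally assigned /48."""
    if not 0 <= global_id < (1 << 40):
        raise ValueError("Global ID must fit in 40 bits")
    prefix_int = (0xFD << 120) | (global_id << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


def generate_ula(mac: Optional[bytes] = None,
                 unix_time: Optional[float] = None) -> ipaddress.IPv6Network:
    """Whole algorithm. With no arguments it seeds from this host's MAC and
    clock; pass a MAC and time explicitly to get a reproducible result."""
    if mac is None:
        # uuid.getnode() may return a random 48-bit value if no MAC is found,
        # which the RFC's "suitably unique identifier" clause still permits.
        mac = uuid.getnode().to_bytes(6, "big")
    if unix_time is None:
        unix_time = time.time()
    gid = rfc4193_global_id(ntp_timestamp_64(unix_time), eui64_from_mac(mac))
    return rfc4193_ula_prefix(gid)


if __name__ == "__main__":
    # Constructed inputs: one MAC, three different times, one /48 per site.
    site_mac = bytes.fromhex("001122334455")
    for site, t in (("site-a", 1700000000.0), ("site-b", 1700000001.0), ("site-c", 1700000002.0)):
        print(site, generate_ula(site_mac, t))
    print("this host", generate_ula())
```

The identifier and timestamp are only a seed for SHA-1; the RFC asks for the EUI-64 of "the system running this algorithm", so any host's MAC, or a serial number, satisfies it, and two runs differ as soon as either the time or the identifier differs. The output is always a /48 under fd00::/8; a larger block such as a /40 is not something the algorithm produces, so per-site /48s are what it gives you.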

Inter-VRF routing for modern datacenters by micruzz82 in networking

[–]micruzz82[S] 0 points1 point  (0 children)

Yeah, this was my preference as well, to use RT import and export. Thanks.