VXLAN Between a FortiGate and Proxmox, Part 2.5: A Security Aside

The thing that actually makes this interesting: The fun of this setup was never VXLAN for its own sake. It is that the FortiGate is the only router for every overlay segment, which means traffic I normally cannot see gets inspected like everything else. That sentence is the whole security story, so it is worth unpacking before anything else. A quick disclaimer up front, because it is the most common misconception: VXLAN is not a security feature. It does not encrypt anything, it does not authenticate anything, and an overlay is not inherently safer than a VLAN. What the overlay gives you is an architecture in which certain strong patterns become cheap and natural. The security comes from the patterns, not the encapsulation. The rest of this post is those patterns, then an honest list of what the overlay does not do for you. ...

June 25, 2026 · 10 min · 1957 words · Nate

VXLAN Performance on a FortiGate 70F: The Software Switching Tax

The setup, and the question: A while back I built an EVPN/VXLAN overlay between a FortiGate and a three-node Proxmox cluster. The overlay segments come out of Proxmox SDN (an EVPN zone with a handful of VNets), and the FortiGate plays anycast gateway for them. I wrote up the build itself in a separate post; this one is only about the thing I wanted to know once it was actually working: what does all that encapsulation cost me in throughput? ...

June 25, 2026 · 8 min · 1555 words · Nate

VXLAN Between a FortiGate and Proxmox, Part 2: EVPN

Recap, and the problem with where we left off: In part 1 I convinced a FortiGate and a Proxmox cluster to form a working VXLAN segment with nothing more than matching VNI, port, and a static list of peer addresses. That works, but it has a built-in tax: every VTEP has to list every other VTEP. Adding a host means editing the peer list on every existing box, and the only way a VTEP learns which MAC lives behind which remote VTEP is to flood unknown traffic everywhere and watch the replies. ...

June 23, 2026 · 13 min · 2621 words · Nate

VXLAN Between a FortiGate and Proxmox

Why VXLAN: I already run VLANs through my core switch to carve up the lab, and that works well enough. What I wanted to play with was decoupling a segment from the physical switch entirely. VXLAN does that by wrapping the guest’s Layer 2 frame inside a UDP packet (destination port 4789 by default) and shipping it to whatever VXLAN Tunnel Endpoint (VTEP) holds the other end. To a VM the bridge looks like any other bridge, but the “wire” underneath it is now an IP path I control instead of a switchport. ...

June 21, 2026 · 6 min · 1249 words · Nate

iDRAC Fan Control

Concept: Managing server fan speed is crucial for maintaining an optimal balance between cooling efficiency and noise levels, especially in environments where temperature control and acoustics are important. Dell servers, like many other enterprise-grade hardware, come equipped with Intelligent Platform Management Interface (IPMI) capabilities. With the help of ipmi-tools, we can access and control various hardware components of the server, including fan speed, remotely or locally, without needing direct access to the operating system. ...

September 25, 2024 · 3 min · 625 words · Nate

Creating Ubuntu Templates with Cloud-Init in Proxmox

Context: This project has been a culmination of a few projects coalescing together at the same time: I’ve been wanting to play with Cloud-Init in a local environment for a little while now, and I’ve been finding myself spinning up more and more VMs to test some networking automation. After a couple of nights of tweaking, I’ve found myself really enjoying the amount of time I saved compared to manually creating VMs, and I wanted to summarize my thoughts here. ...

April 9, 2024 · 2 min · 234 words · Nate

DDNS, ddclient and Cloudflare

Context: DDNS allows for the dynamic update of DNS entries and attributes - what a fitting name. This can be an extremely valuable resource for professionals and homelabbers who need to deal with dynamically assigned IP addresses in keeping things connected. I personally use Cloudflare as a DNS proxy for my various domains, which used to be managed by Google Domains until they sold that business to Squarespace; I’ve since been moving everything to Porkbun. ...

February 3, 2024 · 3 min · 572 words · Nate

Ansible & Network Engineers, Pt. I

I have been trying to gather my thoughts about using Ansible as a network engineer for a while now, but I’ve never found a good perspective to tell the story through. Even to begin to summarize how useful Ansible can be in a network setting can be a daunting task; my ongoing Obsidian web of notes seems to grow exponentially the more I explore. Intro and context: Since I have to start somewhere, I think that covering the basic framework of how I use Ansible, and some of the most common tasks that I have been able to automate and speed up over time. ...

January 13, 2024 · 2 min · 354 words · Nate

Playing With Obsidian

Towards the end of 2023 I decided to try learning markdown as a way to make my notetaking more efficient. Part of this effort was trying out the various markdown editors for Windows and Linux, and there are dozens of good ones. One of the most often recommended programs is Obsidian, which I have really grown to love over this time. Calling Obsidian a markdown editor is really underselling it; it is really a Personal Knowledge Management (PKM) system. Without diving too deep into a field I am still very new to myself, Obsidian allows you to link notes and knowledge together in customizable ways. ...

January 2, 2024 · 2 min · 257 words · Nate

Moving to Hugo

Over the last few months, I have been playing around with moving my website from Wordpress where it has lived in one form or another since around 2004. When I first installed it, I believe I was really just looking for some software to run on my newly hacked together LAMP server; I never imagined I would use it for so long. ...

January 1, 2024 · 2 min · 289 words · Nate