Network Technology and thoughts

Source: Internet
Author: User
Single-ended port aggregation and loops
Port aggregation is designed to provide load sharing or redundant backup on an Ethernet link. It is in fundamental conflict with the other redundancy solution, the physical loop plus STP, because aggregation offers not only redundancy but also load sharing, whereas traditional Ethernet on its own cannot achieve multi-path load balancing at all. Therefore, when deploying port aggregation on Ethernet, note that it is best to disable the conflicting solution. In other words, if you enable port aggregation on a device, the peer device must be configured for aggregation as well, so that no loop forms; when only one side is aggregated, the resulting loop shows up as MAC flapping alarms, which is how it is detected.
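The detection the paragraph mentions, as an added example that is not part of the original post: a MAC learning table that raises an alarm when one MAC keeps moving between ports within a time window. The event stream is constructed to mimic what the non-aggregated side sees when only the peer bundles its links.

```python
"""Detect MAC flapping in a stream of source-MAC learning events.

Added example. The events are constructed: host 00:11:22:33:44:55 sits behind
a single-ended bundle, so the bundled peer hashes its frames over two links and
this switch learns the same MAC alternately on Gi0/1 and Gi0/2.
"""
from collections import defaultdict, deque

FLAP_THRESHOLD = 3       # port changes inside the window that count as flapping
WINDOW_SECONDS = 10.0


def detect_mac_flaps(events, threshold=FLAP_THRESHOLD, window=WINDOW_SECONDS):
    """events: iterable of (time_s, vlan, mac, ingress_port) learning events.
    Returns one (mac, vlan, ports) alarm per flapping MAC."""
    table = {}                   # (vlan, mac) -> port it was last learned on
    moves = defaultdict(deque)   # (vlan, mac) -> recent (time, from, to) port changes
    alarmed, alarms = set(), []
    for t, vlan, mac, port in events:
        key = (vlan, mac.lower())
        prev = table.get(key)
        table[key] = port
        if prev is None or prev == port:
            continue             # first learn, or stable on the same port
        q = moves[key]
        q.append((t, prev, port))
        while q and t - q[0][0] > window:
            q.popleft()          # forget moves that fell out of the window
        if len(q) >= threshold and key not in alarmed:
            alarmed.add(key)
            ports = sorted({p for _, a, b in q for p in (a, b)})
            alarms.append((key[1], vlan, tuple(ports)))
    return alarms


# Constructed sample: the flapping host, plus a host on an access port that
# moves once (a re-plugged laptop), which must not trigger an alarm.
SAMPLE_EVENTS = [
    (0.0, 10, "00:11:22:33:44:55", "Gi0/1"),
    (0.5, 10, "00:11:22:33:44:55", "Gi0/2"),
    (1.0, 10, "00:11:22:33:44:55", "Gi0/1"),
    (1.5, 10, "00:11:22:33:44:55", "Gi0/2"),
    (0.2, 20, "aa:bb:cc:dd:ee:01", "Gi0/5"),
    (30.0, 20, "aa:bb:cc:dd:ee:01", "Gi0/6"),
]

if __name__ == "__main__":
    for mac, vlan, ports in detect_mac_flaps(SAMPLE_EVENTS):
        print(f"MAC flapping: {mac} vlan {vlan} between {' and '.join(ports)}")
```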


Transmission Network and IP Network
At school or at work almost all of us encounter IP networks, from sockets down to NIC driver optimization. We may have heard of Frame Relay, ATM and X.25, and some of us have sat through Cisco training on them, but we have only heard of them and never handled them ourselves. In fact, an IP network is only an addressing network. The technology that really carries the data sits below the IP layer, that is, the WAN technologies mentioned above. In general, the topology of a core network is a large ring with a self-healing function, and the encapsulation on it can use various technologies, but almost never IP directly, because IP forwarding is not real switching: it requires additional computation, namely route lookup and address resolution. Core network switching is real switching: a simple mapping lookup tells you which port the data must leave through, which is the strength of technologies such as ATM and MPLS, so we are used to calling them link-layer technologies that encapsulate IP datagrams. But are they really link-layer technologies? If the layer above them is IP, they are. If the layer above them is the transport layer, they can just as well be seen as network-layer technologies! Nor are these WAN technologies really transmission technologies; they are only encapsulations. The transmission technology is tied to the medium, such as SDH and SONET on optical fiber and SDH on copper. Yet SDH can carry IP packets directly, because it has its own framing mechanism. Isn't it messy?
To really understand the network hierarchy, I think we can use the tun/tap model of OpenVPN as an analogy: treat OpenVPN as the physical layer, and then tap is the link layer; if tun can only carry IP datagrams, then OpenVPN is a physical layer that also provides the frame encapsulation function.

Ambiguity and competition between computing and transmission
The network is getting slower because core network transmission resources are very precious in a cloud environment, all users have to share that precious resource, and user traffic types are diverse... it is an indisputable fact that expanding the network infrastructure must be put on the agenda. On the other hand, there are more and more kinds of terminals and their processing capability keeps growing, which generates more and more traffic and exposes the insufficient transmission capacity of the underlying network!
Can the processor be combined with the network to flatten the peaks and fill the troughs? Yes! Many network acceleration solutions follow an idea similar to rsync on Linux: design clever algorithms so that as little data as possible is transmitted, sending a small amount of control information instead, which is somewhat in the spirit of a compression algorithm. The core of such acceleration is to map complex, bandwidth-hungry data encodings onto simple indexes. The indexes are transmitted first, before the data, and then a dynamic algorithm decides whether to transmit data or indexes. An example:
Data: Wang Di sometimes goes to the noodle shop, that is, not every day and not every noon; however, this does not mean that he sometimes eats a bowl of ramen at the noodle shop, and it is not certain that all his meals are ramen!
Index: noodle shop-1; every time-2... (encoding digits is much easier than encoding Chinese characters!!)
Where possible, what is transmitted is 1 or 2 instead of the codes for noodle shop, Wang Di, noon and so on. In the end the pressure on the network is offloaded onto the CPU's computing, searching and inserting... This example does not show the matching rules or how a miss is handled.
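The two parts the example above leaves out, the matching rule and the handling of a miss, as an added example that is not from the original post. Both ends start from the same seed dictionary; a known token goes on the wire as an index, an unknown token goes as a literal and both ends learn it. The wire format and the byte cost model are assumptions.

```python
"""Index-based transmission with miss handling.

Added example. SEED and MESSAGE are constructed; the wire format is an
assumption: each unit is ("I", index) for a hit or ("L", token) for a miss.
"""


class IndexChannel:
    """One end of the link. Both ends apply identical dictionary updates,
    so an index always means the same token on both sides."""

    def __init__(self, seed_tokens):
        self.index = {}      # token -> small integer
        self.tokens = []     # integer -> token
        for tok in seed_tokens:
            self._learn(tok)

    def _learn(self, tok):
        self.index[tok] = len(self.tokens)
        self.tokens.append(tok)

    def encode(self, text):
        units = []
        for tok in text.split():
            if tok in self.index:            # hit: the index replaces the token
                units.append(("I", self.index[tok]))
            else:                            # miss: send the literal and learn it
                units.append(("L", tok))
                self._learn(tok)
        return units

    def decode(self, units):
        words = []
        for kind, val in units:
            if kind == "I":
                words.append(self.tokens[val])
            else:
                words.append(val)
                self._learn(val)             # mirror the sender's dictionary update
        return " ".join(words)


def wire_bytes(units):
    """Rough cost model: 1 byte per index, len(token) + 1 bytes per literal."""
    return sum(1 if kind == "I" else len(val) + 1 for kind, val in units)


SEED = ["noodle", "shop", "every", "time", "ramen", "Wang", "Di"]
MESSAGE = ("Wang Di sometimes goes to the noodle shop and eats ramen at noon "
           "Wang Di sometimes goes to the noodle shop at noon")

if __name__ == "__main__":
    sender, receiver = IndexChannel(SEED), IndexChannel(SEED)
    units = sender.encode(MESSAGE)
    assert receiver.decode(units) == MESSAGE
    print(wire_bytes(units), "bytes on the wire instead of", len(MESSAGE))
```

The second sentence of the message costs only one byte per word because every token missed in the first sentence has been learned by then.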

SSL and software UI
It is said that SSL VPN needs no client to be installed, yet it does need a client, namely the browser; because most browsers implement SSL as a standard built-in feature, it only looks as though no client is needed. I am not criticizing SSL. On the contrary, SSL VPN is popular precisely because browsers are increasingly replacing other clients. This means most data can be operated on in the browser, and most (if not all) applications can be implemented on the Web.
People pay more and more attention to the data itself rather than to the means and interfaces for operating on it. In the past almost every software client had a skinning function; I myself once used Java 1.4.2 to write an irregularly shaped window without calling any native method and did not go to bed for several nights, but nobody notices such things anymore, and basically every operation can be completed in a well-organized browser. People no longer have high demands on the shape of a software UI; they put such demands on hardware instead, and now there is even the Internet of Things. A very dazzling watch or an irregularly shaped player is far better than a simulated amazing watch displayed on a monitor; the irregular player is more attractive!

Ethernet Routing
Ethernet is not a routed network. On the way from source to destination, its frame header is the lowest usable layer; you cannot use any rich "header" fields of the physical layer, and the Ethernet frame header does not have many fields, so it is simple. In fact, a routing mechanism similar to IP routing could be fully implemented on MAC addresses. But it would end up harder to manage than IP routing, because, as you know, the IP address mask/prefix is enormously useful, whereas MAC addresses are completely irregular: route aggregation and subnetting are impossible, and every route entry is a fully specific host route. Imagine how hard it would be to support better active routing in an address space like Ethernet's. The difficulty is not what people think, namely that it would increase the complexity of Ethernet; rather, the Ethernet address space was never meant for routing and addressing. Each MAC address is assigned on the basis of global uniqueness, not according to a designed network topology.
A routed Ethernet would have to be designed. Multipath load-balanced forwarding and dynamic shortest-path forwarding are urgently needed on Ethernet, and passive STP cannot provide them; on the contrary, because STP exists, some backup paths that could carry traffic are killed off as the culprits of loops. So can't STP be smart enough to identify traffic details?

Load balancing/virtualization and IP addresses
If the previous section showed that MAC addresses are unsuitable for routing, then a new address space and a new encapsulation header must be designed. That is another way of saying that MAC addresses are inferior to IP addresses, although the IP address is hardly much better itself. Why? Don't many routing protocols work well on existing IP networks? The fact is that before load balancing and virtual machines were introduced, backup technology worked very well, because the IP address itself is designed to locate and address the world's single unique IP node wherever it is; load balancing and virtualization, however, have broken this definition of a unique global identifier. With load balancing, what appears logically is one IP node, but what physically participates in addressing is several IP nodes. You have to consider which IP node the data will be sent to, which means the layers have been separated, and the IP protocol does not support this extra layer; technically, intranet NAT, Linux ipvs and the like have solved this problem in time. Virtual machine technology shows the unreasonableness of IP addressing from another angle. We often clone virtual machines in a LAN, but after cloning we usually have to modify their IP addresses, otherwise the addresses conflict. In fact one virtual machine is just like another; the reason there are several is that I want either a load balancing function or a backup function while presenting only one IP address externally, that is, the role and the location of an IP node can be separated. VPN + NAT can in fact meet this requirement. For example, backup centers in both Beijing and Shanghai can use 192.168.1.13 as the role address (if you do not use a private address you do not even need NAT), and the VPN encapsulation policy decides where the data is routed.
Encapsulation can in fact solve every addressing problem, but it is not elegant. The requirement above calls for another protocol, LISP, which provides a dual IP addressing structure. Looked at carefully, it resembles IPsec, except that the inner data is not encrypted: the inner IP header indicates the role, and the outer IP header is responsible for addressing. It is not called a VPN because it is more standardized.

MPLS is faster than IP
MPLS is deployed in carrier-grade networks and is called a switching network or a layer 2.5 network. It is faster than pure IP because the route lookup process takes a long time to compute, whereas looking up and swapping labels is fast. MPLS uses the routes generated by the dynamic routing protocol together with the Label Distribution Protocol to build a label switching table: instead of generating a mapping when the data actually arrives, the mapping is generated before the data arrives, so that it can be used directly when the data is forwarded, and label-based switching is in addition highly efficient. MPLS is in fact not a new concept. The longest prefix match rule of standard IP routing is only the most primitive fallback; many implementations are more efficient, for example Cisco's CEF, and even Linux can use the interfaces provided by Netfilter to implement CEF-like technology. The difference between MPLS and these is that MPLS is a standard protocol, not merely an optimization. The difference between a standard and an optimization is that although the standard MPLS protocol may not optimize the switching network as aggressively as CEF does, a standard can give rise to many other optimizations, which most devices can support directly.
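The contrast the paragraph draws, as an added example that is not from the original post: a per-packet longest prefix match beside a label forwarding table built from the same routes before any traffic arrives. The route table, labels and ports are constructed, and LDP label binding is simulated by assigning each prefix (FEC) a label up front.

```python
"""Longest-prefix match on every packet versus a label switching table built
before traffic arrives. Added example, not from the post; the route table,
labels and next hops are constructed, and LDP label binding is simulated by
giving each prefix (FEC) a label up front."""
import ipaddress

# Constructed routing table as the dynamic routing protocol would leave it.
ROUTES = {
    "10.0.0.0/8": "eth1",
    "10.1.0.0/16": "eth2",
    "10.1.2.0/24": "eth3",
    "192.168.0.0/16": "eth4",
}
_NETS = [(ipaddress.ip_network(p), p) for p in ROUTES]


def lpm_lookup(dst):
    """Plain IP forwarding: scan every prefix and keep the longest match.
    The cost grows with the table and is paid for every single packet."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for net, prefix in _NETS:
        if addr in net and net.prefixlen > best_len:
            best, best_len = prefix, net.prefixlen
    return best


def build_lfib(routes, first_label=100):
    """Bind a label to each FEC and derive the label forwarding table from
    the routes already computed; this runs once, not per packet."""
    fec_to_label = {prefix: first_label + i for i, prefix in enumerate(routes)}
    # (outgoing port, label swapped in); one label space for all hops, for brevity
    lfib = {label: (routes[prefix], label + 1000) for prefix, label in fec_to_label.items()}
    return fec_to_label, lfib


def ingress_label(dst, fec_to_label):
    """The ingress LER does the one route lookup and pushes the FEC's label."""
    return fec_to_label.get(lpm_lookup(dst))


def label_switch(label, lfib):
    """A core LSR does a single exact-match lookup: no route computation."""
    return lfib[label]


if __name__ == "__main__":
    fec_to_label, lfib = build_lfib(ROUTES)
    label = ingress_label("10.1.2.7", fec_to_label)
    print("push", label, "then the core swaps to", label_switch(label, lfib))
```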

Encapsulation or Encapsulation
Does encapsulation break the seven-layer OSI model? Many people say yes, but it is not absolute! Standard encapsulation is the lower layer encapsulating the upper layer, but an upper layer encapsulating a lower layer does not mean the OSI model is broken; remember that this encapsulation is not at the logical level. For example, a VPN may encapsulate Ethernet frames in IP, but that IP is at the addressing level while the Ethernet frame is at the payload level of the VPN. In short, encapsulation is a truly good design; it can solve almost any problem in a network. Based on this idea, more and more protocols have been designed: first GRE and VPNs, then MPLS, LISP and so on. They solve security problems, compatibility problems, or performance and scalability problems. Conversely, protocols not designed around encapsulation, such as STP, are not that scalable, though again not absolutely: routing protocols are not encapsulation based, yet they work very well, especially those independent of the carried protocol, such as IS-IS.

Cache ideas and lisp
When the CPU reads data it first tries the cache; if the line misses, the request goes out on the bus. The same idea exists in networking, especially once the Internet of Things (IoT) is rolled out and fast data forwarding becomes the most fundamental requirement; the biggest bottleneck of fast forwarding is route lookup and policy routing computation, and as the number of nodes grows, the number of route entries on core devices grows and lookup slows down. Compare LISP: a LISP device stores some mapping entries for direct data forwarding, and behind all LISP devices is a BGP network that is queried when no entry is hit. This layering is designed because LISP separates a node's role from its location, so even if two roles are in the same network segment their actual locations may be thousands of miles apart. A LISP route entry is a mapping from role to location/next hop, and it no longer supports aggregation; without aggregation the number of route entries grows enormously, so the routing entries of a LISP device are simply degraded to a cache: only a few entries are kept for fast forwarding, and every packet that misses is sent uniformly to a BGP neighbor, which completes the slow route lookup and then returns a cache update.
The essence of LISP is that it decouples many factors that used to be coupled, such as role and location, fully specific route entry matching, and route lookup computation. A LISP device is only responsible for finding entries, sending missed packets to its BGP neighbor and receiving route entries; slow operations such as route computation are done by dedicated devices. Is it different from VPN encapsulation? On the data plane there is no big difference, but in design thinking there is.
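The cache behaviour described in this section, as an added example that is not from the original post: a small map cache in front of a slow mapping system, with a miss punted to the resolver, the reply installed, and the role (EID) packet wrapped in a location (RLOC) header. The prefixes, RLOCs and resolver are constructed stand-ins; the real Map-Request/Map-Reply wire format is not modelled.

```python
"""LISP-style map cache: a hit is forwarded, a miss is punted to the mapping
system, the reply is installed, and the EID (role) packet is then wrapped in
an RLOC (location) header. Added example, not from the post; the prefixes,
RLOCs and resolver are constructed stand-ins, no real Map-Request/Map-Reply."""
import ipaddress
from collections import OrderedDict

# Constructed mapping system: the authoritative EID-prefix -> RLOC table held
# by the "BGP neighbor" that performs the slow lookup.
MAPPING_SYSTEM = {
    "10.1.0.0/16": "203.0.113.10",    # role prefix homed at the Beijing site
    "10.2.0.0/16": "198.51.100.20",   # role prefix homed at the Shanghai site
}

class MapResolver:
    def __init__(self, table):
        self.table = [(ipaddress.ip_network(p), r) for p, r in table.items()]
    def resolve(self, eid):
        addr = ipaddress.ip_address(eid)
        for net, rloc in self.table:
            if addr in net:
                return str(net), rloc
        return None

class LispRouter:
    """Ingress tunnel router: a small LRU map cache in front of the resolver."""
    def __init__(self, resolver, capacity=1):
        self.resolver, self.capacity = resolver, capacity
        self.cache = OrderedDict()              # eid-prefix -> rloc in LRU order
        self.hits = self.misses = 0
    def lookup(self, eid):
        addr = ipaddress.ip_address(eid)
        for prefix, rloc in self.cache.items():
            if addr in ipaddress.ip_network(prefix):
                self.cache.move_to_end(prefix)  # fast path: cache hit
                self.hits += 1
                return rloc
        self.misses += 1
        entry = self.resolver.resolve(eid)      # slow path: punt to the mapping system
        if entry is None:
            return None
        prefix, rloc = entry
        self.cache[prefix] = rloc               # install the returned mapping
        if len(self.cache) > self.capacity:
            self.cache.popitem(last=False)      # evict the least recently used entry
        return rloc
    def forward(self, src_eid, dst_eid, my_rloc="192.0.2.1"):
        """Outer header carries locations, inner header carries roles."""
        rloc = self.lookup(dst_eid)
        return None if rloc is None else {"outer": (my_rloc, rloc), "inner": (src_eid, dst_eid)}
```

With capacity 1 the example also shows the cost of a cache that is too small: alternating traffic between the two sites misses on every direction change.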

VPN control granularity
IPsec control granularity is very coarse, because the IP protocol itself only provides a hop-by-hop transmission service and makes no assumptions about any upper-layer protocol. So if you want to use an IP-layer VPN to control the application layer, you have to call on external help from access-list extensions. Even so, an ACL may not help you much, since it can only control at the granularity of the five-tuple. The Linux iptables string match may be of some help, but deep parsing is too hard, and the recently launched iptables L7 match is not as effective as hoped. So the external help is basically ineffective, and therefore controlling application-layer services with an IP-layer VPN is ineffective. The best approach is to use access control at the application layer to implement VPN network access. Remember, this is the age in which the following two technologies compete: A. the firewall policy at the network layer can control SSH logon; B. the sshd configuration file can also control SSH logon!

Crossover between network administrators and System Administrators
Programmers create value on the Internet, system administrators try to spread that value, and network staff are indispensable to spreading it. Entering the virtualization era, network administrators and system administrators will cross over. For example, network administrators no longer just finish the wiring but also configure port policies, and because ports in the virtualization era may themselves be virtual, the network administrator has to "intrude" into the system administrator's territory and configure things in the virtualization management layer. So the network administrator has to go along with it.
