Tech Brief Video Series – VXLAN

Hello, I have created a “VXLAN Tech Brief” Series. Kindly click on the links to view the videos. I’m trying out a few video styles.

VXLAN A – VXLAN – Virtualization & VM Mobility ->

“The traditional physical world consists of single-server application deployments, where one application is installed on one physical server. This era proved an inefficient use of server hardware, as one-application-per-server deployments never fully utilized resources such as RAM and CPU. Then along came server virtualization and the hypervisor. Server virtualization provides the ability to carve a physical server into multiple hosts, known as Virtual Machines (VMs). Each VM runs its own independent operating system and application on an abstraction layer over the physical host’s hardware – CPU, RAM, and NIC. The server’s hardware is shared among multiple VMs.”

VXLAN B – VXLAN – Dynamic MAC Learning ->

“Initially, Ethernet started with a thick coax cable – a single cable was used to connect all workstations together. It was later replaced by twisted-pair cabling – unshielded twisted pair (UTP) and shielded twisted pair (STP) – in the late 1990s and 2000s. On Ethernet networks, each host has a unique MAC address for identification. Devices with multiple NICs require multiple MAC addresses, one per NIC. So how do you talk to a group of hosts and ensure that all other hosts don’t receive the traffic?

Broadcast and multicast communication. Multicast involves sending to a group of receivers in a single stream, whereas broadcast involves sending to all receivers. Multicast is similar to broadcast in the sense that it sends to a group of machines; however, multicast sends to SOME MAC addresses while broadcast sends to ALL MAC addresses. All hosts receive broadcast traffic whether they like it or not. When a host sends a frame to the broadcast MAC address (FF:FF:FF:FF:FF:FF), it is delivered to every station on the wire. Every broadcast a host receives requires processing, so it’s a good idea to keep broadcasts to a minimum on your network.”

VXLAN C – VXLAN – Introducing Overlay Networking ->

“Essentially, an overlay places either Layer 2 or Layer 3 over a Layer 3 core. The Layer 3 core is known as the underlay. This removes many of the drawbacks and scaling issues we had with traditional Layer 2 connectivity, which uses VLANs. The multi-tenant nature of overlays is designed to get away from these L2 challenges, allowing you to build networks at a much larger scale. We have both Layer 2 and Layer 3 overlays. Layer 2 overlays emulate a Layer 2 network and map Layer 2 frames into an IP underlay. If you are emulating a Layer 2 network, you have to somehow emulate Layer 2 flooding behavior. That is the bread and butter of how Layer 2 networks work, and it doesn’t change just because you decide to create a Layer 2 overlay.”

VXLAN D – VXLAN – Introducing VXLAN ->

“The VLAN tag field defined in IEEE 802.1Q has 12 bits for host identification, supporting a maximum of only 4094 VLANs. It’s common these days to have multi-tiered application deployments where every tier requires its own segment, and with literally thousands of multi-tier application segments, 4094 will surely run out. Then along came Virtual Extensible LAN (VXLAN). VXLAN uses a 24-bit network segment ID, called the VXLAN Network Identifier (VNI), for identification. This is much larger than the 12 bits used for traditional VLAN identification.”

VXLAN E – VXLAN – VXLAN Operations ->

“Finding the destination VTEP. The big decision is how you discover the destination VTEP IP address: the destination VTEP IP needs to be mapped to the destination end-host MAC address. The mechanism used to do this affects the scalability and functionality of the VXLAN domain. We need some kind of control plane element. The control plane element of VXLAN can be deployed as a flood-and-learn mechanism, which is not a real control plane; as an actual control plane (one that does not flood and learn); or even via an orchestration tool for VTEP-to-IP mapping. Many vendors implement this differently.”
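The VNI header format from VXLAN D and the flood-and-learn VTEP mapping from VXLAN E, as an added example that is not code from the original videos: it packs and parses the 8-byte VXLAN header (RFC 7348) and keeps a data-plane-learned (VNI, MAC) to VTEP IP table. Frames, MACs and VTEP IPs below are constructed sample values.

```python
import struct

VXLAN_UDP_PORT = 4789            # IANA-assigned UDP port for VXLAN (RFC 7348)
VXLAN_FLAG_I = 0x08              # "I" bit: the VNI field is valid
VNI_MAX = (1 << 24) - 1          # 24-bit VNI: 16,777,215 possible segments
VLAN_MAX = 4094                  # 12-bit 802.1Q VID minus reserved 0 and 4095
BROADCAST_MAC = bytes.fromhex("ffffffffffff")


def vxlan_encap(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the 8-byte VXLAN header: flags(1) rsvd(3) VNI(3) rsvd(1)."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError("VNI must fit in 24 bits")
    header = struct.pack("!B3s3sB", VXLAN_FLAG_I, b"\x00" * 3,
                         vni.to_bytes(3, "big"), 0)
    return header + inner_frame


def vxlan_decap(payload: bytes):
    """Return (vni, inner Ethernet frame); reject headers without the I bit."""
    if len(payload) < 8 + 14:
        raise ValueError("truncated VXLAN packet")
    flags, _, vni_bytes, _ = struct.unpack("!B3s3sB", payload[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    return int.from_bytes(vni_bytes, "big"), payload[8:]


class FloodAndLearnVtep:
    """Data-plane learning only: (VNI, inner source MAC) -> remote VTEP IP.
    No control plane; anything not yet learned is flooded to every VTEP."""

    def __init__(self):
        self.mac_to_vtep = {}

    def receive(self, src_vtep_ip: str, payload: bytes) -> int:
        """Decapsulate and learn the sender; returns the VNI seen."""
        vni, frame = vxlan_decap(payload)
        src_mac = frame[6:12]
        self.mac_to_vtep[(vni, src_mac)] = src_vtep_ip
        return vni

    def next_hop(self, vni: int, dst_mac: bytes) -> str:
        """Known MAC -> unicast to its VTEP; broadcast or unknown -> flood."""
        if dst_mac == BROADCAST_MAC:
            return "flood"
        return self.mac_to_vtep.get((vni, dst_mac), "flood")


def constructed_frame(dst_mac: bytes, src_mac: bytes) -> bytes:
    """Constructed sample inner frame: Ethernet header, IPv4 ethertype, padding."""
    return dst_mac + src_mac + b"\x08\x00" + b"\x00" * 20
```

The table is keyed per VNI, so the same MAC seen in another segment is still unknown there, which is exactly the flooding behaviour a proper control plane such as EVPN removes.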

VXLAN F – VXLAN – VXLAN Phases ->

“VXLAN went through a number of phases in how the remote VTEP IP information is obtained. Initially, it started with a flood-and-learn process and finally moved to the use of a proper control plane – EVPN. EVPN is a pretty good control plane, as the previous methods rely on data-plane flood-and-learn behavior that hinders the scalability of VXLAN domains.”

More videos to come!

Additional VXLAN information can be found in the following:


Tech Brief Video Series – Cloud Security

Hello, I have created a “Cloud Security Tech Brief” Series. Kindly click on the links to view the videos. I’m trying out a couple of video styles.

Cloud Security A – Cloud Security – Cloud Pyramid ->

“Clouds operate under different service models – Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). These service models expose different abstraction layers to the consumer and, as a result, impose different security requirements on the consumer. Public cloud providers are not a single type, and a generic evaluation of security cannot be generalized across all of them. In the case of Infrastructure as a Service, the computing resource provided is specifically virtualized hardware. Examples include Rackspace, Amazon Web Services (AWS), Microsoft Azure and Google Compute Engine (GCE).”

Cloud Security B – Cloud Security – CloudBleed ->

“The following security incidents – CodeSpace, Ashley Madison, the iCloud leak and Leak Pass – were at the application layer and not the fault of the cloud provider’s infrastructure. The exception is Cloudbleed, a bug that affected a popular CDN provider’s reverse proxies/edge nodes. This security bug was definitely a cloud vulnerability, and the CDN provider’s infrastructure was at fault. The Cloudbleed bug was a RAM leak that caused the CDN’s reverse proxy servers to run past the end of a buffer and return memory containing private information during HTTP requests.”

Cloud Security C – Cloud Security – Hypervisor Vulnerabilities ->

“The cloud is a technology that combines resources such as CPU, hard disk drives, network interface cards and bandwidth, and places them into a virtualization pool for consumers to use as required. Virtualization and orchestration are key components of the cloud. The virtualization side of things is carried out by what is known as the hypervisor, and it is the abstraction layer created by the hypervisor that allows the system’s physical resources to be shared.”

Cloud Security D – Cloud Security – Secure Web Gateway ->

“The increase in zero-day attacks, automated botnet spreading and malicious threats hiding in SSL traffic has resulted in a web security model that is broken. One precaution you can take is to implement a Secure Web Gateway (SWG), either cloud-based or as an on-premises device. A Secure Web Gateway is a security solution that filters unwanted traffic and enforces a range of security policies. SWGs are implemented as an on-premises hardware or virtual appliance or as a cloud-based service. They may also be deployed in a hybrid mode that combines on-premises appliances with cloud-based services.”

Cloud Security E – Cloud Security – Introducing Tokenization ->

“We have a number of ways to secure data, and tokenization is one of them. Others include encryption with either provider-managed keys or customer bring-your-own-key (BYOK), and there are also different forms of application-layer encryption. Tokenization is a way to keep data secure while making online payment easier. It involves replacing, for example, credit card numbers with a surrogate number or “token”, and then either centralizing or outsourcing the card data to a third party. The transaction gets passed to a third-party payment service provider, then to the acquiring bank that provides the merchant account, and finally to the issuing bank to supply the actual CC or DC. The issuing bank could be, for example, VISA, which then responds with payment confirmation. Thus, understanding the need for a secure merchant payment account provider such as Easy Pay Direct (visit EPD here) is important for safe and efficient financial transactions. The prudent way to go about this would be to invest in an efficient high-risk merchant account company: a trusted merchant account provider who can assist business owners with payment optimization and work to reduce or eliminate the possibility of fraud. More about online payment security (PCI compliance) can be found at TokenEx.”

More videos to come!

Additional Cloud Security information can be found at the following:


Explainer Video Type 1 – CorsaTechnologies

If you asked a company network security officer exactly how a CORSA Red Armor NSE worked, there’s a chance they would say they have no idea. Indeed, this new piece of technology can be hard to understand if you don’t already have one. That’s why I was chosen to help explain it. Kindly click on the link to view a newly created Explainer Video Type 1 for Corsa Technologies. I do everything from script creation to video production, so nothing is outsourced. Here is the link to the video –

The graphics are simple enough to be watched at lower definitions but please watch at 1080p for best results. You might need to copy and paste the links.
Explainer videos are great for people who want to learn a new skill or technology but need visual help to understand what they are doing and how best to do it. Sites such as Explainly can help businesses and individuals understand how to improve their video production using new techniques developed within the media industry. Some businesses find that these types of videos help them reach their customers and explain the purpose of their business through a quickly consumable form of media. You can see an example of this in Whiteboard Animated Explainer Videos and similar types of content.

Animation has come a long way since its beginnings, and learning how best to animate can prove beneficial to the exposure of your business. Standard video production effects like the Premiere Pro pan and zoom can be used with animation, so there’s no need to animate additional frames. This saves time in the long run while making minimal impact on the production quality of the video.

I’ve made many explainer videos in my series called Technology Brief. Give them a watch and see how simple animation can make a complex technology easier to explain.
My YouTube Channel can be found here –


Nominum Security Report

I had the pleasure to contribute to Nominum’s Security Report. Kindly click on the link to register and download – Matt Conran with Nominum

“Nominum Data Science just released a new Data Science and Security report that investigates the largest threats affecting organizations and individuals, including ransomware, DDoS, mobile device malware, IoT-based attacks and more. Below is an excerpt:

October 21, 2016, was a day many security professionals will remember. Internet users around the world couldn’t access their favorite sites like Twitter, PayPal, The New York Times, Box, Netflix, and Spotify, to name a few. The culprit: a massive Distributed Denial of Service (DDoS) attack against a managed Domain Name System (DNS) provider not well-known outside technology circles. We were quickly reminded how critical the DNS is to the internet as well as its vulnerability. Many theorize that this attack was merely a Proof of Concept, with far bigger attacks to come.”




NS1 – Adding Intelligence to the Internet

I recently completed a two-part guest post for DNS-based company NS1. It discusses Internet challenges and introduces NS1’s traffic management solution – Pulsar. Part 1, kindly click – Matt Conran with NS1 and Part 2, kindly click – Matt Conran with NS1 Traffic Management.

Application and service delivery over the public Internet is subject to a variety of network performance challenges. This is because the Internet is composed of different fabrics, connection points, and management entities, all of which are dynamic, creating unpredictable traffic paths and unreliable conditions. While there is an inherent lack of visibility into end-to-end performance metrics, for the most part the Internet just works, and packets eventually get to their final destination. In this post, we’ll discuss key challenges affecting application performance and examine the birth of new technologies, multi-CDN designs and how they affect DNS. Finally, we’ll look at Pulsar, our real-time telemetry engine developed specifically for overcoming many performance challenges by adding intelligence at the DNS lookup stage.




Midokura – Distributed Design

I recently completed a two-part guest post for Midokura; part 1 is found at this link: Midokura Matt Conran and part 2 is found at this link: Midokura Matt Conran. They have an interesting architecture based on an overlay model, and the entire solution is completely distributed, which brings many benefits discussed in the post. It clashes with the traditional networking mindset, especially when it comes to storing network state and state retrieval. All the topology maps and network state are held in different databases (ZooKeeper and Cassandra), redundantly situated in the network.

Part 1 introduces the Midokura concepts, traffic flow details and how complexity moves to the edge architecture. Part 2 introduces the distributed database and physical/underlay networking. I would very much appreciate some feedback.





Smarter Networks: Nuage Networks & SD-WAN

This is a two-part post – Part 1 (this post) introduces the challenges of the traditional WAN and Part 2 describes Nuage Networks’ SD-WAN solution.


It’s a 24/7 connected world, and traffic diversity is putting the Wide Area Network (WAN) edge to the test. Today’s applications should not be hindered by underlying network issues or a poorly designed WAN. The business requires designers to find a better way to manage the WAN by adding intelligence with improved flow management, visibility, and control. The WAN’s role has changed, from providing basic inter-site connectivity to adapting via technology to meet the demands of the business applications. It must proactively manage flows over all available paths, regardless of transport type. Today’s networks should be driven by business requirements, and the business should dictate the direction of flows, not the limitations of a routing protocol.

The building blocks of the WAN have remained stagnant while the application environment has shifted dynamically. Sure, speeds and feeds have increased, but the same architectural choices that were best practice 10 or 15 years ago are still being applied, and this is hindering rapid business evolution. How will the traditional WAN edge keep up with new application requirements?

Nuage Networks’ SD-WAN solution challenges this space and overcomes existing WAN limitations by bringing intelligence to routing at the application level. Now, policy decisions are made by a central platform that has full WAN and data center visibility. A transport-agnostic WAN optimizes the network and the decisions you make about it. In the eyes of Nuage, “every packet counts” and mission-critical applications are always available on protected premium paths.


Routing Protocols at the WAN Edge  

Routing protocols assist in forwarding decisions for traffic based on destination, with decisions made on a hop-by-hop basis. This limits the number of paths the application traffic can take. Paths are further limited by loop-prevention rules – routing protocols will not take a path that could potentially result in a forwarding loop. Couple this with the traditional forwarding paradigms of primitive WAN designs and the result is a network that is unable to match today’s application requirements. We need to find more granular ways to forward traffic.

There has always been a problem with complex routing for the WAN. BGP supports best path and ECMP to provide some options for path selection, and solutions like Dynamic Multipoint VPN (DMVPN) operate with multiple control planes that are hard to design and operate. It’s painful to configure QoS policies on a per-link basis and to design WAN solutions that incorporate multiple failure scenarios. The WAN is the most complex module of any network, yet so important, as it acts as the gateway to other networks such as the branch LAN and data center.


BGP: Best Path & Failover Only  

At the network edge where there are two possible exit paths, it is often desirable to choose a path based on a unique business characteristic. For example, use a link with a history of jitter for web traffic, or use only premium links for mission-critical applications. The granularity of exit path selection should be flexible and based on business and application requirements. Criteria for exit points should be application-independent, allowing end-to-end network segmentation.



BGP is an external policy-based protocol commonly used to control path selection. BGP peers with other BGP routers to exchange Network Layer Reachability Information (NLRI). Its flexible policy-orientated approach and outbound traffic engineering offer tailored control for that slice of the network. It offers more control than an Interior Gateway Protocol (IGP) and reduces network complexity in large networks. All of these factors have made BGP the de facto WAN edge routing protocol.

However, the path attributes used to influence BGP do not take into consideration any specifically tailored characteristics, such as unique metrics, transit performance, or transit brownouts. By default, when BGP receives multiple paths to the same destination, it runs the best-path algorithm to decide which path to install in the IP routing table; generally, this selection comes down to AS-Path. AS-Path is not an efficient measure of end-to-end transit: it misses the shape of the network, which can result in selecting a long path or a path experiencing packet loss.

Traditional WANs route down one path and by default have no awareness of what’s happening at the application level (packet loss, jitter, retransmissions). There have been many attempts to enhance the WAN’s behavior. For example, SLA steering based on enhanced object tracking polls a metric such as Round Trip Time (RTT). These methods are popular and widely implemented, but failover events occur only on a configurable metric, and all these extra configuration parameters make the WAN more complex, acting as band-aids for a network that is under increasing pressure.
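The argument in the two paragraphs above, as an added example that is not the post's or Nuage Networks' code: a subset of the BGP decision process (local-pref, AS-Path length, origin, MED) run over constructed exit paths carrying hypothetical measured RTT and loss, next to an SLA-aware selection that uses those measurements first and BGP's ordering only as the tie-break.

```python
from dataclasses import dataclass

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}   # lower is preferred


@dataclass
class ExitPath:
    """One WAN exit candidate. Field names are this example's own."""
    name: str
    as_path: list
    local_pref: int = 100
    origin: str = "igp"
    med: int = 0
    # Measured transit characteristics that BGP never looks at
    # (constructed sample telemetry, e.g. from RTT/loss probing).
    rtt_ms: float = 0.0
    loss_pct: float = 0.0


def bgp_best_path(paths: list) -> ExitPath:
    """Simplified BGP best-path order: highest local-pref, shortest AS-Path,
    lowest origin rank, lowest MED. Note that rtt_ms and loss_pct play no part."""
    if not paths:
        raise ValueError("no candidate paths")
    return min(paths, key=lambda p: (-p.local_pref, len(p.as_path),
                                     ORIGIN_RANK[p.origin], p.med))


def sla_best_path(paths: list, max_loss_pct: float, max_rtt_ms: float) -> ExitPath:
    """Drop paths outside the SLA first; only then apply BGP's ordering.
    If every path is out of SLA, fall back to plain BGP rather than black-hole."""
    healthy = [p for p in paths
               if p.loss_pct <= max_loss_pct and p.rtt_ms <= max_rtt_ms]
    return bgp_best_path(healthy or paths)


def constructed_exits() -> list:
    """Constructed sample: the shorter AS-Path is the lossier, slower transit."""
    return [
        ExitPath("short_aspath_lossy", as_path=[65010], rtt_ms=180.0, loss_pct=5.0),
        ExitPath("long_aspath_clean", as_path=[65020, 65030], rtt_ms=35.0, loss_pct=0.1),
    ]
```

With these inputs BGP installs the one-hop but lossy path, while the SLA-aware choice picks the longer AS-Path with clean transit; that gap is what the post attributes to AS-Path missing the shape of the network.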

“This post is sponsored by Nuage Networks. All thoughts and opinions expressed are the author’s.”