Cisco Nexus 7000 upgrade to 8Gb

When upgrading a Nexus 7000 to NX-OS version 5.2 (using more than 1 VDC) or to NX-OS v6+, Cisco claims the need to upgrade the system memory to 8Gb. Note I have run on v5.2 using only 4Gb per SUP using 2 VDCs and it has worked just fine, but I should mention that the […]

Symmetric and Asymmetric Algorithms – Basic Differences

Symmetric uses only one key for both encryption and decryption. Sender and receiver share the same shared secret to transfer data securely. Algorithms include DES, 3DES, AES, IDEA, RC2/4/5/6, and Blowfish. Also referred to as "secret key" encryption.

DES - 56bit keys
3DES - 112bit and 168bit keys
AES - 128bit, 192bit, and 256bit keys
IDEA (International Data Encryption Alogrithm) - 128bit keys
RC2 - 40bit and 64bit keys
RC4 - 1bit to 256bit keys
RC5 - 0bit to 2040bit keys
RC6 - 128bit, 192bit, and 256bit keys
Blowfish - 32bit to 448bit keys

Asymmetric uses one key for encryption and another key for decryption referred to as public key infrastructure encryption. Key lengths generally ranging from 512 to 4096bits.

Example of asymmetric encryption RSA,EIGamal, Eliptical Curves, and Diffie Hellman

My certification journey (J-Net)

This blog has also been published to the Juniper J-Net community portal

In 2005, when I was 18 years old, I finished high school I already knew what I wanted to do. I wanted to start a career in IT! The only thing I didn’t know was in what direction I wanted to go. So, I did a little bit of everything. The first important decision I took was to only finish high school and start working without going to university. I figured that, with enough dedication and focus, 4-5 years of work experience added with the right technical certifications would get me further in the IT world than a degree would get me. After 6 years I think I can say that it definitely worked for me!


Servers and Programming

I started with passing exams and getting my MCSE on Windows 2003. I had a few small companies where I was managing all IT systems. The largest one was my dad’s company where I was managing 4 servers, 10 workstation and 20 mobile devices (yes even in 2006 we had a custom developed Windows Mobile 5 application and all engineers were carrying smartphones). I was co-developing the custom Continue reading

Op script : all in one command

I've scheduled to write a post regarding Junos load balancing but I must carry out more tests before writing it. So I decided to post my code of a troubleshooting 'op' script which allows to display in one command all protocols related information of...

Common EAP Methods

Challenge and Response methods

  • EAP-MD5: Uses MD5 based challenge and reponse for authentication
  •  EAP-GTC: Generic Token and OTP authentication

Certifcate based methods

  • EAP-TLS: Uses X509v3 OKI certificates and TLS mechanism for authentication

Tunneling Methods

  • PEAP: Tunnels over EAP types in an encrypted tunned, much like web-based SSL
  • EAP FAST: Tunneling method designed to require no certificates for deployment
Note: This is not a comprehensive list.

802.1x Roles

Role of the 802.1x Client Software

  • Supplicant is responsible for initiating on authenication sessions with the authenticator
  • Supplicant software can be included in the operating system or you can install a third party supplicant

Role of 802.1x Authenticator

  • The authenticator is refered to as the NAD (Network Access Device) such as a switch, WLAN controller, firewall, etc..
  • The supplicant is challenged by the authenicator, the supplicant enters credentials and the NAD passes credentitals to the authentication server. The authenticator also enforces policies on each 802.1x port.

Role of the 802.1x Authentication Server

  • Performs Authentication, Authorization and Accounting
  • Validates the authentication credentials of the supplicants that are forwarded by the NAD
  • Policy look-up based on the supplicant idenitiy and group affiliation and passes the policy to the NAD. This can be the for of DACL (Downloadable ACL) or VLAN assignment
  • An authentication server for Cisco can include Cisco ISE or Cisco ACS

Role of the Dirctory Server in 802.1x

  • Cisco ISE supports 
    • local user database (does not scale)
    • Supports Active Directory
    • LDAP
    • RSA Tokens
    • RSA Secure ID
    • Certificate

Omnigraffle Stencil for Cisco Nexus

I am a MAC user and I have been looking but could not find a OmniGraffle Stencil with the Cisco Nexus icons, so I ended making one. I have also submitted the stencil to Feel free to download it and from Graffletopia or Mediashare:Cisco Nexus Hardware.gstencil.zipFiled under: General info


BYOD (Bring Your Own Device) - There are security concerns when allowing employees, customers, and business partners to bring in there own device and plug it into the corporate network. Cisco has consolidated its ACS and NAC platform into a new product called ISE (Identity Services Engine). This new platform centralizes and simplifies the administration and empowers security groups the ability to make automated decisions. Have a look at the video below:

Terry: this one is for you as I am sure this challenge has come up many times.

Additional Interface Statistics

Sometimes you may need to have some additional interface statistics, for example the amount of packets per range of sizes. You can use netflow to collect some stats like these. But if you don't have netflow on all your router interfaces or for troubleshooting...

MX960 and E-SCB: Full Power

The aim of this post is to provide the detailed procedure for upgrading the Switch Control Boards (SCB) of an MX960 chassis in order to overcome some limitations of the old SCB that are : - Unable to use the full load of the 16x10GE card and to keep fabric...

Cisco and their inconsistencies

Cisco is known for the inconsistencies between platforms and different IOS versions. I came across another that was rather annoying. Now between linecards. Trying to configuring the following standard sub-interface Ethernet AToM tunnel on a Cisco 7606 with a ES+ linecard: Yields the following misleading error… This is enough to annoy you for some time. […]

Future residential INET users, I’m so sorry

I never believed IPv6 will be NAT free, but as idealist I hoped there is good chance there will be mostly only 1:1 NAT and each and every connection will get own routable network, /56 or so, residential DSL, mobile data, everything

Unfortunately that ship has sailed, it's almost certain majority of residential/non-business products will only contain single directly connected network, since we (as a community, I don't want to put all the blame to IPv6 kooks) failed produce feasible technical way to do it and spent too much time arguing on irrelevant matters. I'm reviewing two ways to provide INET access on DSL, no PPPoX, as it's not done in my corner of the world, and show why it's not practical to provide the end customer routable network

Statically configure per customer interface

At DSLAM (or other access device) customer would be placed in unique virtual-circuit (Q, QinQ...) all would terminated on unique L3 logical interface in PE router. Interface would have static /64 ipv6 address and ipv6/56 network routed to say ::c/64. IPv4 could continue to be shared subnet via 'unnumbered' interface.

This is by far my favorite way of doing residential IPv6 it, it supports customer Continue reading

Log only protocol events

Sometimes it may be very useful to monitor only protocol and link events especialy during maintenance windows. Hereafter, I monitor : - Link UP/DOWN - ISIS adj UP/DOWN - OSPF neighbor UP/DOWN - LDP neighbor/session UP/DOWN - MPLS LSP UP/DOWN - RSVP neighbor...

Next Subjects

I've planned to write posts during the next weeks regarding these subjects: - Enhanced-SCB's detailed migration procedure on MX960: get the full power of your MX and your 3D cards. - Understanding Hashing / Load-balancing on MX: for ichip/TRIO based cards....


Hello, I've opened this blog to share my passion for networking and especially networking on Junos platform. I provide technical information only based on my experience, my tests in Lab and the public documentations. I'm a french guy and my english is...

Its time we retire Authentication Header (AH) from the IPsec Suite!

Folks who think Authentication Header (AH) is a manna from heavens need to read the Bible again. Thankfully you dont find too many such folks these days. But there are still some who thank Him everyday for blessing their lives with AH. I dread getting stuck with such people in the elevators — actually, i dont think i would like getting stuck with anybody in an elevator, but these are definitely the worst kind to get stuck with.

So lets start from the beginning.

IPsec, for reasons that nobody cares to remember now, decided to come out with two protocols – Encapsulating Security Payload (ESP) and AH, as part of the core architecture. ESP did pretty much what AH did, with the addition of providing encryption services. While both provided data integrity protection, AH went a step further and also secured a few fields from the IP header for you.

There are bigots, and i unfortunately met one a few days ago, who like to argue that AH provides greater security than ESP since AH covers the IP header as well. They parrot this since that’s what most textbooks and wannabe CCIE blogs and websites say. Lets see if securing the IP header Continue reading

How does Openflow and SDN help Virtualization/Cloud

Introduction to Software Defined Networking and OpenFlow

Often time I hear the term Openflow and Software Defined Networking Networking used in many different context which range from solving something simple and useful to literally solving the world hunger problem (or fixing the world economy for that matter). I often get asked to explain the various aspects of how Openflow is changing our lives. So here goes a explanation of the religion called Openflow (and Software Defined Networking) and various ways its manifesting itself in our day to day life. Again its too much to write in one article so I will make it a series of 3 articles. This one focuses on the protocol itself. The 2nd article will focus on how people are trying to develop it and some end user perspective that I have accumulated in last year or so. The last article in series will discuss the challenges and what are we doing to help.

Value Proposition

The basic piece of Openflow is nothing more than a wire protocol that allows a piece of code to talk to another piece of code. The idea is that for a typical network equipment, instead of logging in and configuring Continue reading