Using VASI to exchange IGP routes between VRF’s
I attended the packet pushers party on Friday 17th and managed to have some of my questions answered during what was a great show. My current project is to provide L3 services into one of our sites where the incumbent … Continue reading
My certification journey (J-Net)
This blog has also been published to the Juniper J-Net community portal
In 2005, when I was 18 years old, I finished high school I already knew what I wanted to do. I wanted to start a career in IT! The only thing I didn’t know was in what direction I wanted to go. So, I did a little bit of everything. The first important decision I took was to only finish high school and start working without going to university. I figured that, with enough dedication and focus, 4-5 years of work experience added with the right technical certifications would get me further in the IT world than a degree would get me. After 6 years I think I can say that it definitely worked for me!
Servers and Programming
I started with passing exams and getting my MCSE on Windows 2003. I had a few small companies where I was managing all IT systems. The largest one was my dad’s company where I was managing 4 servers, 10 workstation and 20 mobile devices (yes even in 2006 we had a custom developed Windows Mobile 5 application and all engineers were carrying smartphones). I was co-developing the custom Continue reading
Op script : all in one command
I've scheduled to write a post regarding Junos load balancing but I must carry out more tests before writing it. So I decided to post my code of a troubleshooting 'op' script which allows to display in one command all protocols related information of...Op script : all in one command
I've scheduled to write a post regarding Junos load balancing but I must carry out more tests before writing it. So I decided to post my code of a troubleshooting 'op' script which allows to display in one command all protocols related information of...Common EAP Methods
Challenge and Response methods
- EAP-MD5: Uses MD5 based challenge and reponse for authentication
- EAP-GTC: Generic Token and OTP authentication
Certifcate based methods
- EAP-TLS: Uses X509v3 OKI certificates and TLS mechanism for authentication
Tunneling Methods
- PEAP: Tunnels over EAP types in an encrypted tunned, much like web-based SSL
- EAP FAST: Tunneling method designed to require no certificates for deployment
Note: This is not a comprehensive list.
802.1x Roles
Role of the 802.1x Client Software
- Supplicant is responsible for initiating on authenication sessions with the authenticator
- Supplicant software can be included in the operating system or you can install a third party supplicant
Role of 802.1x Authenticator
- The authenticator is refered to as the NAD (Network Access Device) such as a switch, WLAN controller, firewall, etc..
- The supplicant is challenged by the authenicator, the supplicant enters credentials and the NAD passes credentitals to the authentication server. The authenticator also enforces policies on each 802.1x port.
Role of the 802.1x Authentication Server
- Performs Authentication, Authorization and Accounting
- Validates the authentication credentials of the supplicants that are forwarded by the NAD
- Policy look-up based on the supplicant idenitiy and group affiliation and passes the policy to the NAD. This can be the for of DACL (Downloadable ACL) or VLAN assignment
- An authentication server for Cisco can include Cisco ISE or Cisco ACS
Role of the Dirctory Server in 802.1x
- Cisco ISE supports
- local user database (does not scale)
- Supports Active Directory
- LDAP
- RSA Tokens
- RSA Secure ID
- Certificate
Omnigraffle Stencil for Cisco Nexus
I am a MAC user and I have been looking but could not find a OmniGraffle Stencil with the Cisco Nexus icons, so I ended making one. I have also submitted the stencil to Graffletopia.com Feel free to download it and from Graffletopia or Mediashare:Cisco Nexus Hardware.gstencil.zipFiled under: General info
Cisco ISE and ip http server
We're all hardcore network engineers here right? We all sling packets using nothing but the CLI on our gear? We've all got the “CLI OR DIE” bumper sticker? OK. We're all on the same page then. So, when you're configuring Cisco Identity Services Engine (ISE) and the documentation says it's mandatory to enable “ip http server” on your switches in order to do central web authentication (CWA) (ie, the captive portal for authenticating users on guest devices) that probably makes you uncomfortable right?
Fear not. It's not as bad as it sounds. I'll explain why.
NX-OS Virtual PortChannels and Best Practices
Port-Channels, are a way of aggregating physical links together so that you can load balance traffic over each link to increase bandwidth, and create more redundancy. You might commonly see this configured between two switches, as shown below: Each link works together to form a logical, loop-free interface. These are relatively commonplace, and in this scenario highly useful because it prohibits spanning tree from blocking one of these ports, allowing the switch to utilize each link.NX-OS Virtual PortChannels and Best Practices
Port-Channels, are a way of aggregating physical links together so that you can load balance traffic over each link to increase bandwidth, and create more redundancy. You might commonly see this configured between two switches, as shown below: Each link works together to form a logical, loop-free interface. These are relatively commonplace, and in this scenario highly useful because it prohibits spanning tree from blocking one of these ports, allowing the switch to utilize each link.VRFs and Shared Services Cheating with Junos
The shared services area of the network is meant to provide common services — such as DNS, DHCP, and Internet access — to multiple logical networks/VRFs/customers. Cisco publishes a validated design for shared services that describes the use of multiple virtual firewalls and routers to provide connectivity between the shared services module and the VRFs in the network. I'm going to describe a method of collapsing the shared services firewalls and virtual routers into a single instance running on a single box using some of the features found in Juniper's Junos platform.
BYOD
BYOD (Bring Your Own Device) - There are security concerns when allowing employees, customers, and business partners to bring in there own device and plug it into the corporate network. Cisco has consolidated its ACS and NAC platform into a new product called ISE (Identity Services Engine). This new platform centralizes and simplifies the administration and empowers security groups the ability to make automated decisions. Have a look at the video below:Terry: this one is for you as I am sure this challenge has come up many times.
Additional Interface Statistics
Sometimes you may need to have some additional interface statistics, for example the amount of packets per range of sizes. You can use netflow to collect some stats like these. But if you don't have netflow on all your router interfaces or for troubleshooting...Additional Interface Statistics
Sometimes you may need to have some additional interface statistics, for example the amount of packets per range of sizes. You can use netflow to collect some stats like these. But if you don't have netflow on all your router interfaces or for troubleshooting...Some Out-of-Box NetApp Tweak Suggestions
It’s interesting to me to see the differences in infrastructure products as it pertains to out of the box, or default configuration. Take for instance, the relationship between a firewall and a switch. Your average firewall is configured “closed”, meaning that if you want to allow anything, you have to explicitly allow that certain type of traffic. If you do not, it is not allowed. A switch, on the other hand, is configured to be functional above all, out of the box.Some Out-of-Box NetApp Tweak Suggestions
It’s interesting to me to see the differences in infrastructure products as it pertains to out of the box, or default configuration. Take for instance, the relationship between a firewall and a switch. Your average firewall is configured “closed”, meaning that if you want to allow anything, you have to explicitly allow that certain type of traffic. If you do not, it is not allowed. A switch, on the other hand, is configured to be functional above all, out of the box.MX960 and E-SCB: Full Power
The aim of this post is to provide the detailed procedure for upgrading the Switch Control Boards (SCB) of an MX960 chassis in order to overcome some limitations of the old SCB that are : - Unable to use the full load of the 16x10GE card and to keep fabric...Cisco and their inconsistencies
Cisco is known for the inconsistencies between platforms and different IOS versions. I came across another that was rather annoying. Now between linecards. Trying to configuring the following standard sub-interface Ethernet AToM tunnel on a Cisco 7606 with a ES+ linecard: Yields the following misleading error… This is enough to annoy you for some time. […]
Calculating IPv4 Summary Prefixes
Given a list of IPv4 prefixes of the same length, how do you find the summary address (or addresses) for them? This post describes a method and uses some worked examples to illustrate. The post draws deeply from the CCIE … Continue reading