Networking & Security

MPLS works on top of an underlying IGP. It may be OSPF or IS-IS, but whichever we choose, we are still dependent on the IGP path calculation. Of course we may manipulate path costs and provide traffic engineering that way, but MPLS has its own mechanism.

A simple Modular Policy Framework and application inspection let us, for example, inspect FTP connections. When we use passive mode we need, besides port 21 open as the control channel, a random port as the data channel. Thanks to MPF and traffic inspection the ASA knows the number of this random port and the entire…

Cisco has recently made a small step to improve the ASA and implemented logical tunnels, which means we got route-based VPN! Really? Did we? Not so fast. Yes, we got route-based VPN, but we still have to add routes manually.

Generic Routing Encapsulation lets us build point-to-point tunnels. There are 2 kinds of tunnels: GRE over IPsec and IPsec over GRE. Both work in tunnel mode by default but, as we will see in a while, they work in completely different ways.

One of the biggest issues we may encounter during redistribution is a routing loop. Whereas suboptimal routing causes latency and network inefficiency, a routing loop keeps packets circulating until the TTL value decreases to 0, which not only affects network efficiency but also means that some part of the network will be…

A ‘BGP community’ is additional information (an attribute) attached to prefixes that are advertised to BGP neighbors. Based on this information a BGP neighbor can decide what to do with the received prefix. For example we may manipulate attributes, filter routes, etc.

If you use VRFs, sometimes you may want to use something called “route leaking”. Route leaking consists of importing and exporting prefixes between VRFs or between a VRF and the global routing table. In this article I’ll show you how to implement route leaking in 5 different ways.

NAT and ACLs are among the first things configured right after deploying a new ASA or router on the edge. They behave differently on each platform, and knowing which feature is processed before the other in a particular direction can save us a lot of time and nerves.

A Dual Cloud DMVPN failover solution is the most reliable way to maintain reachability in any failure case. If one of the routers fails we still have the other one; if one of the ISP links dies we have the second one. In the scenario I assumed there are only 2 Hubs and 2 Spokes but…

NAT on the ASA differs from NAT on IOS routers in terms of configuration. At first glance it may seem very confusing, but as we will see in a while, the crucial thing is understanding where each type of NAT takes place; then the configuration is easy.

Regarding fault tolerance, the ASA provides 2 solutions: Active/Standby and Active/Active. Whereas Active/Standby is simple to use, Active/Active provides not only redundancy but load sharing as well. On the other hand, it requires a more expensive license. Anyway, in this article we will compare them and see how to configure each.

Multiple Context mode on the ASA provides the highest level of virtualization: within one single chassis we get 2 virtual firewalls, each with separate data and control planes. The idea is similar to VRF, but in Multiple Context mode we may share one interface between 2 contexts, which makes it more sophisticated.

ACLs can filter traffic at layers 3 and 4. Usually that is enough, but sometimes we need to subject the traffic to more granular inspection before we reject any host. Then filtering with access lists will not work and the Modular Policy Framework has to be used. But as you will see for yourself, MPF can do…

There are 3 authentication methods within IKEv1 and IKEv2. So we have pre-shared keys, rsa-enc and rsa-sign. Each of them provides a different level of security. In this article we will focus on the RSA-based methods and lab them out.

Nowadays, when access layer switches have 1GB ports, increasing the number of upstream links to the distribution layer is necessary. Let’s have a look at the EtherChannel feature, the way we may achieve that, and how to configure it at layer 2 and 3.