Archive for the ‘Network Design’ Category

Policy-Based Routing on IOS-XE Causes GRE Tunnel to drop

June 25th, 2018

I wanted to use PBR on our DMVPN tunnels to set the next-hop address to a Layer 3 switch on the LAN.  We set it up and it seemed to work fine.  Then it was noticed that if a site went down even briefly and the tunnel dropped, the tunnel would never re-establish itself (the tunnel interface remained line up/protocol down).  We recreated the problem in our lab and it consistently failed.  We moved the tunnel to an IOS router and that wasn’t affected.

It eventually emerged that PBR is handled differently on IOS-XE and IOS routers.

The problem occurs when a route-map is attached to an interface with only a “set” operation and no “match” (when no match is specified there is an implicit “match any any”), or when a “match any any” is used explicitly.

Secure Hashing Algorithms SHA-1 and SHA-2

May 15th, 2015

First published by the National Security Agency (NSA) in 1993, the Secure Hashing Algorithm (SHA) is used by certification authorities such as Verisign and Thawte to sign certificates and Certificate Revocation Lists. SHA is used to generate a fixed-length hash value (fingerprint) from a file or message.

This is the SHA-1 hash fingerprint from the bbc.co.uk website:

root@raspberrypi:/# echo | openssl s_client -connect bbc.co.uk:443 2>/dev/null | openssl x509 -fingerprint -noout
SHA1 Fingerprint=EA:D2:F2:79:18:A0:CD:2B:10:3B:12:01:CF:B1:9E:CC:AF:0F:28:0C

SHA versions:

  • SHA-0: obsolete
  • SHA-1: currently the most widely implemented
  • SHA-2: stronger than SHA-1 due to the longer hash (SHA-224, SHA-256, SHA-384 and SHA-512)

As part of their SHA-2 migration plan, Microsoft, Google, and Mozilla have announced that they will stop trusting SHA-1 certificates. Google began phasing out trust in SHA-1 certificates in November 2014.

F5 BIG-IP: Monitoring TCP Applications

April 4th, 2014

LTM has built-in application health monitor templates for many TCP-based application protocols (FTP, HTTP, HTTPS, IMAP, LDAP, MSSQL, NNTP, POP3, RADIUS, RTSP, RPC, SASP, SIP, SMB, SMTP, SOAP).

If you need to monitor an application which depends on an upper-layer protocol for which there is no built-in monitor template, LTM provides a number of options to build a monitor based on the underlying transport-layer protocol, TCP.

Installing a Signed X.509 SSL Certificate into ASA via the CLI

March 11th, 2014

Having already generated the RSA key pair on the ASA (with “crypto key generate rsa mod 2048”), created a trustpoint for the VPN users, generated an SSL certificate and CSR, and received the signed X.509 certificate together with the CA and intermediate SSL certificates, the certificate and CA certificates then need to be installed on the Cisco ASA.  This procedure describes the method using the CLI.

Cisco ASA – Comparison of NAT Configuration Scenarios

October 18th, 2013

This aide-mémoire describes and compares NAT configuration scenarios (Identity NAT, NAT Exemption/Identity NAT) and also compares the syntax between ASA version 8.4.2 and earlier versions.  There are some considerable differences in the syntax, and some of the better-known commands have been deprecated.

Long Fat Pipes: TCP WSCALE, TCP SACK and Time Stamp Options

October 14th, 2013

Long Fat Pipes
High-capacity packet satellite channels are LFNs (delay 4 x 35,800 km = 470 ms RTT), and modern terrestrial long-haul fibre-optic paths also fall into the LFN class. There are three fundamental performance problems with current TCP over LFNs:

• Window Size Limit (2^16, i.e. max 65k bytes) – Remedy: TCP option “Window scale”
• Recovery from Segment Losses – Remedy: TCP option “selective acknowledgement”
• Round-Trip Measurement – Remedy: TCP option “Time stamp”

Understanding HTTP Pipelining and Connection Jumping

August 10th, 2013

Browsers can set up two or more TCP connections to an HTTP server to facilitate parallel downloads. As the browser parses the Web page it becomes aware of which objects it needs to download.

Rather than send the requests in series over a single connection, the requests are sent over parallel connections to download the Web page faster. Another technique used by browsers to improve performance is “HTTP pipelining”.

IPv6 – Making sense out of an IPv6 Address

May 9th, 2013

Courtesy of Keith Barker

Useful Riverbed SteelHead Wireshark Filters

June 16th, 2012

Useful Wireshark filters

To find inner channel splice setups: rvbd.sport.setup.type eq 0x1

With Riverbed Wireshark 1.8.2 you can use a new feature to find all inner channel traffic for a conversation. For instance, use the inner channel splice setup filter rvbd.sport.setup.type eq 0x1 to display all splice setups, or identify the connection by some other method.

When you have identified the splice connection you are interested in, right-click on the connection in Wireshark and choose the ‘Find the inner channel’ option to locate the entire inner channel connection. You can also right-click on any part of an optimised connection to obtain the same result.

Virtual Routing and Forwarding (VRF)

December 28th, 2011

Two videos which explain VRF configuration and troubleshooting. The first is an excellent overview and the second a practical demonstration of VRF configuration:

  1. Ivan Pepelnjak – Introduction to Virtual Routing and Forwarding (VRF) tables
  2. Keith Barker – Cisco VRF and troubleshooting
