Cold ACE ?

Ever seen an ACE in standby cold state? This means the standby ACE has not been able to synchronize properly with the active ACE. It usually happen when the standby ACE is missing some certificates, keys or script files referrenced by the active ACE. This usually happen after an RMA. In that state, the ACE won’t be able to perform a stateful failover and all the sessions would be lost should a failover occur. [Read more]

Playing with BGP Local-AS

In some situation you might have to change the BGP AS number used by a router. When the router peers with several other routers it is not always easy to change all the peering at the same time… Luckily you may do it one by one with the “local-as” neighbor command under bgp process.

This small article shows the different options of local-as command and their impact on the received and advertised routes. [Read more]

BGP between ScreenOS and IOS

There are some times where using static routing on firewalls is simply not scalable… As long as the routing is inside a trusted network, I do not see any reason to avoid dynamic routing. Juniper devices (Junos and ScreenOS) can even use virtual routers to split the routing domain into several domains. In the example here below, we will only show how to build a BGP peering between a ScreenOS cluster and two Cisco routers.

[Read more]

ACE Stickyness

Load-balancers like ACE are used – as their name says – to balance traffic among several servers able to serve the same content. The easiest case is to load-balance web static content. In that particular case, when a client get a page composed of several objects (e.g. style sheets, images) it does not really matter which server is providing the different objects because each server has a local copy of the same content. So if the server farm is composed of four servers, it does not matter if server 1 is providing the html code, server 2 some images, server 3 the style sheet and server 4 nothing… It is completely transparent to the end user.

[Read more]

HA Load-balancing with IP Anycast

Nowadays, having a load-balancer in datacenters is more and more crucial not only to assure an easy scalability but also to assure high availability (HA). If properly configured, the load-balancer will be able to detect a failed application server, will remove it from its resource pool and will eventually reassign clients to other available servers. [Read more]

Zone-based IOS firewall

Starting with IOS 12.4(6)T Cisco introduced the Zone-Based Policy Firewall in all the IOS with an advanced feature set. This new configuration model allows the router’s administrator to define security zones, assign interfaces to zones, apply security policies between zones as he would have done on a Juniper firewall or on a Cisco ASA.

With CBAC stateful inspection was done on interface level. Now with zone-based firewalls, the inspection is done based on zone pairs (source and destination zones).

Here is an over-simplified exemple [Read more]

Dynamic Multipoint VPN – Dual hub

In a previous article, I exposed how to setup a basic DMVPN network with one hub router in a central location and several spoke routers negotiating a dynamically built IPSec protected GRE tunnel. I also explained the central site should be secured by deploying two hub routers… Here is one solution among others using DMVPN and OSPF. (Should you need another solution you can always contact our professional services)
[Read more]

ACE software upgrade

Cisco Application Control Engine Module (ACE) load-balancers are designed to work in standalone mode or in cluster mode. When running in standalone mode, software upgrade has obviously a great impact on the traffic going through the load-balancer. All the sessions will be dropped and no new session will be accepted until the ACE restarts with the new image (up to 8 minutes). [Read more]

Dynamic Multipoint VPN

Ever wonder how to provision several hundreds of VPNs from remote offices with dynamic IP to a central site with minimal configuration? Cisco offer an elegant  solution called Dynamic Multipoint VPN. With DMVPN the central site does not need to know the remote site IP in advance, it will learn it via NHRP protocol when the remote router will come up.

[Read more]

Cisco certified

All our consultants are Cisco certified.

Here what Cisco says about certifications:

Cisco Certified Network Professional validates knowledge and skills required to install, configure and troubleshoot converged local and wide area networks. With a Cisco certification, a network professional demonstrates the knowledge and skills required to manage the routers and switches that form the network core, as well as edge applications that integrate voice, wireless, and security into the network.