February 18, 2013
Have you ever wanted to do a transparent failover with Juniper SRX cluster firewalls? When redundancy group 0 switches from one box to the other, the route-engine has to be restarted and all the dynamic routing protocols have to be restarted. Usually this means a huge impact on the traffic… [Read more]
June 6, 2012
Tonight, 6th of June at midnight, one year after World IPv6 Day, major Internet service providers (ISPs), home networking equipment manufacturers, and web companies around the world are coming together to permanently enable IPv6 for their products and services for the World IPv6 Launch.
This Time It is For Real! Happy IPv6!
May 19, 2012
In some situations you might have to change the BGP AS number used by a router. When the router peers with several other routers, it is not always easy to change all the peerings at the same time… Luckily you may do it one by one with the “local-as” neighbor command under the BGP process.
This small article shows the different options of the local-as command and their impact on the received and advertised routes. [Read more]
October 26, 2011
There are times when using static routing on firewalls is simply not scalable… As long as the routing is inside a trusted network, I do not see any reason to avoid dynamic routing. Juniper devices (Junos and ScreenOS) can even use virtual routers to split the routing domain into several domains. In the example below, we will only show how to build a BGP peering between a ScreenOS cluster and two Cisco routers.
April 23, 2011
Our website is IPv6 enabled and is registered to take part in World IPv6 Day. During that day major websites will offer their content over IPv6 for a 24-hour “test flight”.
You can test your IPv6 connectivity by checking the logo above…
On our side, we’re ensuring this website is still IPv6 reachable via the IPv6 Forum certification program:
February 21, 2011
Starting with IOS 12.4(6)T, Cisco introduced the Zone-Based Policy Firewall in all IOS images with an advanced feature set. This new configuration model allows the router’s administrator to define security zones, assign interfaces to zones, and apply security policies between zones, as they would on a Juniper firewall or on a Cisco ASA.
With CBAC, stateful inspection was done at the interface level. Now, with zone-based firewalls, the inspection is done based on zone pairs (source and destination zones).
Here is an over-simplified example [Read more]
May 16, 2010
Thanks to companies like Hurricane Electric or SixXS, it is very easy to connect to the IPv6 Internet backbone even if your ISP does not provide native access to IPv6. Those companies provide free access to their tunnel brokers. A tunnel broker is a dual-homed router connected to the IPv4 Internet backbone on one side and to the IPv6 backbone on the other side. The concept is quite simple: you have access to the IPv4 world and you want to access the IPv6 world. You just need to build a 6in4 tunnel from your DSL router, from your PC, or from whatever IPv4/IPv6-capable device you want, to the tunnel broker on the IPv4 side, and you’ll encapsulate your IPv6 traffic into that tunnel. The broker will decapsulate your IPv6 packets and send them to the IPv6 Internet backbone. The tunnel broker will also advertise your IPv6 range to the backbone in order to allow the traffic to flow back to your 6in4 tunnel. [Read more]
March 6, 2010
In a previous article, I explained how to set up a basic DMVPN network with one hub router in a central location and several spoke routers negotiating a dynamically built IPsec-protected GRE tunnel. I also explained that the central site should be secured by deploying two hub routers… Here is one solution among others using DMVPN and OSPF. (Should you need another solution, you can always contact our professional services.)
February 10, 2010
Cisco Application Control Engine Module (ACE) load-balancers are designed to work in standalone mode or in cluster mode. When running in standalone mode, a software upgrade obviously has a great impact on the traffic going through the load-balancer. All the sessions will be dropped and no new session will be accepted until the ACE restarts with the new image (up to 8 minutes). [Read more]
September 22, 2009
Ever wonder how to provision several hundred VPNs from remote offices with dynamic IPs to a central site with minimal configuration? Cisco offers an elegant solution called Dynamic Multipoint VPN. With DMVPN the central site does not need to know the remote site IP in advance; it will learn it via the NHRP protocol when the remote router comes up.