BGP between ScreenOS and IOS
October 26, 2011
There are times when using static routing on firewalls is simply not scalable… As long as the routing is inside a trusted network, I do not see any reason to avoid dynamic routing. Juniper devices (Junos and ScreenOS) can even use virtual routers to split the routing domain into several domains. In the example below, we will only show how to build a BGP peering between a ScreenOS cluster and two Cisco routers.
Zone-based IOS firewall
February 21, 2011
Starting with IOS 12.4(6)T, Cisco introduced the Zone-Based Policy Firewall in all the IOS with an advanced feature set. This new configuration model allows the router’s administrator to define security zones, assign interfaces to zones, and apply security policies between zones, as he would have done on a Juniper firewall or on a Cisco ASA.
With CBAC, stateful inspection was done at the interface level. Now, with zone-based firewalls, the inspection is done based on zone pairs (source and destination zones).
Here is an over-simplified example [Read more]
Dynamic DNS
October 19, 2010
If you host your own domain name server and want to securely and dynamically update some DNS entries, here is a small howto.
Here, in a nutshell, is what we are going to do:
- Create a secret key to securely update the DNS zone
- Configure a dynamic (sub) zone in your DNS server
- Create a script to update a DNS entry
Dynamic Multipoint VPN – Dual hub
March 6, 2010
In a previous article, I explained how to set up a basic DMVPN network with one hub router in a central location and several spoke routers negotiating a dynamically built IPSec-protected GRE tunnel. I also explained that the central site should be secured by deploying two hub routers… Here is one solution among others using DMVPN and OSPF. (Should you need another solution, you can always contact our professional services.)
[Read more]
ClamXav differential update
November 29, 2009
ClamXav is a free virus checker for Mac OS X. It uses the tried, tested and very popular ClamAV open source antivirus engine as a back end.
The default install of ClamXav does not enable the automatic virus definition update. When a user enables those automatic updates, a ‘good old cron job’ is created for that user. Three minor concerns [Read more]
Dynamic Multipoint VPN
September 22, 2009
Ever wonder how to provision several hundred VPNs from remote offices with dynamic IP addresses to a central site with minimal configuration? Cisco offers an elegant solution called Dynamic Multipoint VPN. With DMVPN, the central site does not need to know the remote site IP in advance; it learns it via NHRP when the remote router comes up.
IPv6 Firewall with Linux
September 17, 2009
More and more server hosting providers have configured IPv6 on their networks, and most of their Linux-based servers come with a basic IPv6 configuration. Even if IPv6 is not used, it is there and wide open, as the netfilter/iptables default policy is ACCEPT. [Read more]
J-Partner Consultant
April 24, 2009
exp-NETWORKS is proud to announce it has become a J-Partner Consultant. This partnership with Juniper is a guarantee that you can count on exp-Networks expertise on Juniper products.
Here is what Juniper says about J-Partner Consultant:
Consultants play a critical role [Read more]
Cisco certified
April 24, 2009
All our consultants are Cisco certified.
Here is what Cisco says about certifications:
Cisco Certified Network Professional validates knowledge and skills required to install, configure and troubleshoot converged local and wide area networks. With a Cisco certification, a network professional demonstrates the knowledge and skills required to manage the routers and switches that form the network core, as well as edge applications that integrate voice, wireless, and security into the network.



