It

thanks to inspiration from Robert Woźny, i’ve just launched two separate AS112 sites in Poland. that would never be possible without great folks at ATMAN: Sebastian Olejnik and Damian Nowacki …and at EPIX: Krzysztof Czuszek and Paweł Staszewski what is AS112 all about? as112 AS112 is world-wide project that sinkholes requests coming in from misbehaving or misconfigured DNS clients (which may be your home PC but also some enterprise-y workstation). they send queries looking for answers to questions like “what’s the name of 192.168.0.1?” and because that’s not contained as it should be on the local or company level, it goes all up to the root servers. the question itself may be valid, but as you can see, IP address comes from RFC 1918 space, and therefore - shouldn’t be even appearing in public internet space. either we close those queries at the local level, or they really don’t make much sense once you cross private<>public border. actually, malicious actor could be abusing such queries, responding them in a way that will open your network to attack. ...

Daniel Dib asked recently on Twitter about BGP convergence time for world wide operations. two hours he got in response from his friend seemed a bit too long. I did recently help to spin up new ASN with new IPv4 prefix (well, both came from second hand, but you get the point) and as far as I could tell, propagation took around 15 minutes maximum. so in the interest of self-education, I started digging. ...

WD was recently caught red-handed on trying to sell HDDs to NAS duties that use SMR technology without informing about it (and, actually, by actively trying to misled customers and then silence the whole situation). that ended up in lawsuit. while others were also caught trying to do similar things, they backed up immediately, while WD still tried to say that “white is black, you know, really”. ...

one of the interesting and rarely seen configuration options, is ability to have redundant IPv6 tunnel established from source address tracked by HSRP. if you’re limited by other side of communication - in this example Hurricane Electric - to have only one endpoint of tunnel on your side that’s right tool for task. the way this configuration would work, is that router active in HSRP pair will be the one on which tunnel will be active and forwarding. we’ll be demonstrating this on IPv6 over IPv4 example, but tunnel type doesn’t really matter. ...

recently during casual browsing of WLAN controller i spotted that sometimes users are having problems with receiving responses from DHCP server. i was suprised, as family doesn’t complain - and they’d do that immediately. well, so i went troubleshooting element by element. obviously, switches were primary suspect. why? everything was working, and those DHCP problems were very, very rare - that may mean drops on switch interfaces. Cisco QoS configuration on Catalyst and Nexus switches is far from easy. comparing this however to other vendors… there’s really nothing to compare. on one side you can do whatever you want, on the other side - you can shoot yourself in both foots, stomach and then in the head pretty quickly. just assume, that if you haven’t spent couple of weeks labbing QoS on real hardware - it’s area that you shouldn’t wander alone in unsupervised ;) in very simple terms, either use dedicated GUI for managing campus networks - Cisco DNA Center or stop at either enabling QoS globally (mls qos) or disabling it (no mls qos). ...

while I already mentioned couple of times on this blog, that handling dynamic routing on firewall is asking yourself for unexpected problems, sometimes it’s needed. as Cisco, we don’t normally recommend using ASA or FTD boxes as full table BGP routers. not because they can’t be used in this role, but because we don’t believe it’s a good networking and security practice. here’s example from my home lab testing lab cluster of two ASA 5516-X, running 9.13(1) and getting full BGP feed from my upstream ASR 1001-X router: ...

due to COVID-19 outbreak, we’ve been flooded with request to provide assistance with deploying secure connectivity for remote workers. in some organizations number of remote workers grown from 0 to 7000-10000 in week. some others are serving today over 30000, and here at Cisco, we’re working mostly out of home those days (over 100k people!). thanks to help from my fellow engineers and specialists, we were able to publish following guides, related to building and scaling out VPN headends - both hardware and virtual: ...

recently thanks to Robert Pająk i’ve had an opportunity to speak at fall edition of Akamai Affinity. as the request was to cover the networking side of innovation, i did my best. actually, that was not so recently - back in november last year, to be exact. but indeed quite recently we’ve released news about our 400Gbit/s switch and on the Cisco Live! at Barcelona we’ve demonstrated for the first time ACI evolution - ACI Anywhere. ACI evolves to bridge hardware and software worlds in more flexible ways, and its latest release enables the whole set of functions with pure software solutions (aka ‘cloud’). ...

…if everyone is trying to make your life harder. couple weeks ago I refreshed my private email server on FreeBSD. for some time spam levels were raising and I had to do something about it. old spamassassin was not handling it accurately enough anymore. enter spamd from OpenBSD. current postfix has built in greylisting server that’s working quite well. for my installation I tuned it a bit, by extending period of time that has to pass from last delivery attempt (to 1200 seconds, which is 20 minutes): ...

during one of the design discussions with one of our Customers, I had a chance to discuss a bit about using anycast to scale out delivery via CDN. unfortunately, as more ads served even on popular sites is malware or even miners for different cryptocoins it begs a question - how should you protect the site you’re maintaining? using reputable CDN is good first step. the other one, i didn’t know about (and it seems to be quite natural if you think about it) is to verify hash of the attached resources. this can give you powerful tool to verify and then take an action before page is loaded to verify images or for example JavaScript. ...