Routing and Switching


Inexpensive 802.1x Solutions

Many enterprises in the DoD and US Federal Government are struggling with how to implement inexpensive 802.1x solutions for their wired LANs.  Especially in the DoD, there are specific regulations that require the use of 802.1x on the Unclassified Networks (NIPRNet) and Classified Networks (SIPRNet).  For your reference, those requirements are called Security and Technical […]


DNS: Back to Basics for Network Engineers

Speaking with quite a few network engineers in the last few months, I was shocked by the lack of real understanding of the Domain Naming System (DNS).  It shocked me because it is the singular application functionality that is entirely network-based.  Meaning that DNS is the foundation of the Internet, and from their perspective, should […]


Authentication for OSPFv3 Address Family support in IOS-XE? Think again

Bottom line up front: Cisco has a broken implementation of OSPFv3 authentication. This story begins like many do with network engineers trying to do their best in implementing IPv6 after a thorough and exhaustive engineering exercise.  Cisco’s Aggregation Services Router (ASR) routing platform running IOS-XE, starting with version 3.1.0 until the most recent  3.09.02 S, […]


Yubikey and Windows Domain 2-Factor Authentication

Picking up where we left off last, I was showing you the awesome usefulness, security and affordability of Yubikey (Yubico’s 2-Factor authentication token) and using it for 2-factor authentication on network devices.  Well, I’d like to go another step forward: 2-Factor authentication for Windows computers to a Windows Active Directory environment.  If your enterprise deployment […]


Nexus vPC Peer-Link Interface Options

A colleague brought up a very important issue in regards to vPC survivability.  There are Nexus vPC Peer-Link interface options.  Take a look at the below diagrams.  As you can see, we have a big problem here with survivability that can often be overlooked: if the one single vPC layer-3 peer-link interface goes down for […]


Nexus 7000 IPv6 Configuration Pitfalls

I have recently started working in a datacenter configuring quite a few Nexus 7000 series switches to act mainly as datacenter access switches – mainly making use of the popular features of Virtual Device Contexts (VDCs) and Virtual Port-Channels (vPCs).  Well, IPv6 is a key part of the network environment. So for the last week, […]


Cisco IPv6 IOS Hardening – DoD Style

***Updated on 14 May 2014 – regarding NET-IPv6-022, See below*** Thousands of network engineers in the DoD out there looking at implementing IPv6 now have to address a few Security and Technical Implementation Guidance (STIG) items that they used to just annotate as “Not Applicable – NA.”  Now, IPv6 security is important.  If you are […]


Why 802.1x is Not Enough: How to Implement SeND – Part 2

Last month I presented the case as to why 802.1x authentication is not enough for local network (wired or wireless) security (go back here to read).  In this post I will present an alternative: IPv6 Secure Neighbor Discovery (SeND).  If you have an IPv6 enterprise, small IPv6 deployment, or a little IPv6 lab then pay […]


Why 802.1x is Not Enough: Use IPv6 SeND – Part 1

There’s been much debate in the IPv6 community regarding the abysmal support or IPv6 Secure Neighbour Discovery (SeND).  To get you up to speed on what IPv6 Secure Neighbour Discovery is think IPv6 + 802.1x-like + ARP security + PKI environment.  Later in this blog I’ll show you how to set up an IPv6 SeND […]


SDN, Open Flow and Cisco ONE: A First Look

Software Defined Networking (SDN) is the new buzzword in IT today.  It has become synonymous with things like cloud, cyber security, CDN, and yes even IPv6.  The curious thing is that they are all inter-related.  Open Flow, which is a specification of the Open Network Foundation, has defined this new phenomenon as something that, “enables […]


World IPv6 Launch: One Week Out

One week ago today (6 June 2012), the Internet Society (ISOC) led the charge on a voluntary initiative called World IPv6 Launch.  Participating in this event were: five home router vendors, 77 Internet Service Providers, and 3,013 websites.  By signing up as a website or ISP, you were committing to enabling IPv6 on your network […]


IPv6 RA Guard Implementation Advice

Bravo to Fernando Gont for getting out a great Internet Draft (soon-to-be RFC) on the Implementation Advice on IPv6 Router Advertisement (RA) Guard.  This has been one of the open, gaping wounds in the side of IPv6 enterprise deployment for years.  In fact, many of us in the IPv6 and IPv6 security fields love to […]


Create a Dynamips/Dynagen lab with just a Laptop & a Switch

It’s actually just as easy as that.  If you are looking to create a fully functional router and/or server lab used for training classes or a configuration test lab, and looking to do it with the smallest footprint ever, then read on! The Laptop I started off trying to find a laptop that would work […]