Network technologies and trends


February 8, 2016  1:04 PM

What is Palo Alto Networks App ID?

Yasir Irfan
application, DNS, firewall, Gartner, IPS

Every vendor has its own way of treating an application. Most traditional firewalls identify applications mainly by port number. For example, a traditional firewall treats DNS as the port 53 application, and a rule is configured in the firewall to allow port 53 for DNS traffic. Suppose an evasive application like BitTorrent attempts to use port 53 for P2P file sharing. The traditional firewall cannot stop such an evasive application unless an external IPS appliance is involved.

PA App1

However, Palo Alto Networks Next Generation Firewalls treat an application in a different way. First of all, Palo Alto defines an application as

"a specific program or feature that can be detected, monitored and blocked if required"

This approach towards applications is what makes them outstanding, and hence they are the leaders when it comes to Next Generation Firewalls. To date they are the leaders even in the Gartner Magic Quadrant.

Because they adopt multiple tactics to classify an application, Palo Alto Networks Next Generation Firewalls, when configured to allow only DNS as an application, are in a position to block all kinds of traffic on port 53 except DNS.

PA App2

Palo Alto Networks Next Generation Firewalls have complete visibility of the traffic flow and pattern, hence they are very effective as a Next Generation Firewall.
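The difference between a port-based rule and an application-based rule on port 53, as an added Python example (not code from the original post, and not how Palo Alto Networks implements App-ID). It assumes a simplified check that only accepts a well-formed single-question DNS query; the function names and both sample payloads are constructed for illustration.

```python
import struct

def looks_like_dns_query(payload: bytes) -> bool:
    """True only if payload parses as a single-question standard DNS query."""
    if len(payload) < 12:                       # fixed DNS header is 12 bytes
        return False
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    if flags >> 15 or (flags >> 11) & 0xF:      # QR must be 0 (query), opcode 0
        return False
    if (qd, an, ns) != (1, 0, 0):               # one question, no answers
        return False
    pos, name_len = 12, 0
    while True:                                 # walk the QNAME labels
        if pos >= len(payload):
            return False
        length = payload[pos]
        pos += 1
        if length == 0:                         # root label ends the name
            break
        name_len += length + 1
        if length > 63 or name_len > 254 or pos + length > len(payload):
            return False
        pos += length
    if len(payload) < pos + 4:                  # QTYPE and QCLASS must follow
        return False
    _qtype, qclass = struct.unpack("!2H", payload[pos:pos + 4])
    if qclass not in (1, 3, 255):               # IN, CH, ANY
        return False
    # Trailing bytes are only acceptable when additional records (EDNS) are declared.
    return ar > 0 or len(payload) == pos + 4

def port_based_verdict(dst_port: int) -> str:
    """Traditional rule: anything addressed to port 53 is 'DNS'."""
    return "allow" if dst_port == 53 else "deny"

def app_based_verdict(dst_port: int, payload: bytes) -> str:
    """Application rule: port 53 traffic must also look like DNS."""
    return "allow" if dst_port == 53 and looks_like_dns_query(payload) else "deny"

def build_query(name: str) -> bytes:
    """Build a constructed A/IN query used as sample input."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

DNS_SAMPLE = build_query("example.com")                    # constructed sample
NON_DNS_SAMPLE = b"\x13BitTorrent protocol" + bytes(48)    # constructed non-DNS payload

if __name__ == "__main__":
    for label, data in (("dns", DNS_SAMPLE), ("non-dns", NON_DNS_SAMPLE)):
        print(label, port_based_verdict(53), app_based_verdict(53, data))
```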

February 5, 2016  10:51 AM

Cisco intends to acquire Jasper Technologies

Yasir Irfan
Cisco, cloud, Internet of Things, iot, SaaS, Software as a Service

The era of technology is evolving and trends are moving towards a connected world; be it humans, machines, automobiles or household appliances, people are making efforts to connect them. This is how the term “Internet of Things” (IoT) emerged. I could see Cisco is quite serious in this direction and is making great progress.

With the intent of acquiring Jasper Technologies, Inc., a startup company based in Santa Clara which delivers cloud-based IoT service platforms, Cisco is further enhancing its stake in the IoT segment. It’s the commitment, delivery and acquisitions that made Cisco stronger in many technology domains. I believe this acquisition will make Cisco pioneers in the IoT segment.

“I am excited about the opportunity for Cisco and Jasper to accelerate how customers recognize the value of the Internet of Things,” said Chuck Robbins, Cisco Chief Executive Officer. “Together, we can enable service providers, enterprises and the broader ecosystem to connect, automate, manage, and analyze billions of connected things, across any network, creating new revenue streams and opportunities.”

“IoT has become a business imperative across the globe. Enterprises in every industry need integrated solutions that give them complete visibility and control over their connected services, while also being simple to implement, manage and scale,” said Jahangir Mohammed, Jasper Chief Executive Officer. “By coming together, Jasper and Cisco will help mobile operators and enterprises accelerate their IoT success.”

Cisco is planning to close this acquisition by the third fiscal quarter of 2016, and the current CEO of Jasper Technologies, Jahangir Mohammed, will run the new IoT Software Business unit.


February 1, 2016  6:37 AM

Oracle to stop Java browser plug-in

Yasir Irfan
ACS, ASDM, Cisco, Java, Network security appliances, Oracle

Oracle recently announced its decision to stop its Java browser plug-in; this is a great move from Oracle. Their next Java Development Kit, “JDK 9”, will be shipped without a browser plug-in.

These days most browsers have stopped supporting the Oracle Java plug-in for obvious reasons, like the vulnerabilities and threats found. I wish companies like Cisco and Blue Coat would stop using Java browser plug-ins for their products, especially for ASDM, ACS and Blue Coat Proxy SG.

Often those who are in Network Operations have to install many versions of Java to manage many security appliances. I am quite hopeful this new announcement from Oracle will redefine the GUI management of Network Security Appliances.


January 31, 2016  5:26 AM

What are Address Objects in Palo Alto Networks Next Generation Firewall?

Yasir Irfan
Administrator, application, Default route, Ethernet, Firewalls, FQDN, HA, Interface, IP range, IPv4, IPv6, Layer 2, LAYER3, Loopback, objects, Palo Alto Networks, Security policy, Services, Static route, tunnel, URL, Users, VLAN

Like all other firewalls, Palo Alto Networks Firewalls support Address Objects. These Address Objects are basically named objects which can be configured on a Palo Alto Networks Firewall. An address object can include an IPv4 or IPv6 address or an FQDN. The address can be configured as one of the following:

  • Single IP address
  • IP Range
  • FQDN

An Address object can be reused as a source or destination address across all the security policy rules. Palo Alto Networks Firewalls also come with a very handy tags feature; this simple feature makes a firewall administrator's life easier, as he/she can easily distinguish tagged objects by adding a colour to the tag.

To add an Address Object:

Step 1 – Select Objects > Addresses, and click Add

Adding Object

Step 2 – Enter a Name and a Description for the address object.

Address Object Step 2

Step 3 – Select Type: IP Netmask, IP range or FQDN

Address Object Step 3

You can also select a Tag; this is optional. Click OK to save the Address object. One can apply address objects to the security policies as shown below

Address Object Step 5

Object Group is not a new feature, but it comes in handy for day-to-day firewall administration.


January 27, 2016  6:00 AM

How to configure OSPF Totally Stubby Area in Cisco Routers- Series 2?

Yasir Irfan
Cisco, Cisco IOS, Cisco Routers, IP Routing, Loopback, OSPF, OSPF protocol, Routing, Routing Table

In my previous post we studied the topology and saw how Type 3, Type 4 and Type 5 LSA routes are installed in a non-zero Area. Now let's configure Area 5 as a Totally Stubby Area and see what impact it will have.

In order to configure a Totally Stubby Area, one should use the following Cisco IOS commands on the ABR under the OSPF process

router ospf 1
 area x stub no-summary

And on the non-ABR routers of the Totally Stubby Area, use the following Cisco IOS commands

router ospf 1
 area x stub

In our case we need to configure Area 5 as a Totally Stubby Area by using the below Cisco IOS command on router R2, which happens to be the ABR

R2 OSPF Totally Stubby

And in R3 Router

R3 Totally Stub

Now we have successfully configured Area 5 as a Totally Stubby Area. We can see that R2 is learning the R4 loopback networks 10.0.1.0, 10.0.2.0, 10.0.3.0 & 10.0.4.0 as Type 5 LSAs (OSPF external type 2 routes) and the R1-R4 link network 192.168.14.0 as a Type 3 LSA (inter-area route); R2 will remove these routes and replace them with a default route towards R3.

R2 -R4 routers

R3 can now only see a default route, and if we check the OSPF database there are no more specific inter-area routes.

R3 Totally Stubby

R3 OSPF Data base TS

Also, we cannot see the R4 loopback interface network 10.0.1.0 in the routing table; however, it's there in the CEF table

R3 Cef table

And we ping the loopback 1 interface IP 10.0.1.1 of R4

R3 -R4 ping

Totally Stubby Area is a great feature which helps in reducing the OSPF database size, and it also reduces the CPU utilization of a router.


January 26, 2016  5:16 AM

How to configure OSPF Totally Stubby Area in Cisco Routers- Series 1?

Yasir Irfan
areas of use, Cisco, Cisco Routers, Loopback, OSPF, OSPF protocol

In this series of posts let's configure an OSPF Totally Stubby Area, but before proceeding further let's summarise the below topology

OSPF Totally Stubby Area

  1. Two OSPF Areas, Area 0 and Area 5
  2. R1, R2 and R4 are part of Area 0 and OSPF is configured on the directly connected links on each router (R1-R2 link, R1-R4 link)
  3. R4 has four loopback interfaces: loopback 1 (10.0.1.1), loopback 2 (10.0.2.2), loopback 3 (10.0.3.3) and loopback 4 (10.0.4.4); these loopback interface networks are redistributed into OSPF
  4. R2-R3 are part of Area 5; R2 happens to be an ABR
  5. OSPF Area 5 is configured on the interfaces connected between R2-R3.

Currently Area 5 is a normal area and has not been configured as a totally stubby area. R2 installs the R4 loopback interface networks as Type 5 LSAs and forwards the same to Area 5.

We can see from the below snapshot that R2 received the R4 loopback networks as Type 5 LSAs and the routes are installed as Type 2 External OSPF routes; we can also see that the network of the interface connecting R1-R4 is advertised as a Type 3 LSA

R2 - R4 route

R2 - type 5

R3 sees the R4 loopback interface networks as Type 5 LSAs and the R1-R4 and R1-R2 link networks 192.168.14.0/29 and 192.168.12.0/29 as Type 3 LSAs

R3 LSA table

In the next post let's see what impact configuring Area 5 as an OSPF Totally Stubby Area will have.


January 25, 2016  4:45 AM

What is OSPF Totally Stubby Area?

Yasir Irfan
Cisco IOS, Default route, IOS commands, OSPF, router

OSPF Totally Stubby Area basically filters out information from the OSPF database purely based on LSA type. An ABR in a Totally Stubby Area prevents Type 3, Type 4 and Type 5 LSAs from being flooded into the Totally Stubby Area. It replaces all these LSA types with a default route. Basically, the Totally Stubby Area applies the concept of a Stub Area and, in addition, removes Type 3 LSAs.

OSPF Totally Stubby Area

From the above scenario, the ABR R2 will simply strip off Type 5, Type 3 and Type 4 LSAs and just forward a default route to R3. In order to configure a Totally Stubby Area, one needs to use the Cisco IOS command "area x stub no-summary" on the ABR router and the Cisco IOS command "area x stub" under the OSPF process on the other Totally Stubby Area routers, where x is the area number. Now you might be wondering why the IOS commands are different on an ABR and on the other routers which are part of the Totally Stubby Area: the no-summary keyword tells the ABR not to inject Type 3 LSAs, which represent the inter-area routes. In an upcoming post let's see how to configure a Totally Stubby Area.


January 24, 2016  5:33 AM

How to configure Stub Area in OSPF – Series 2?

Yasir Irfan
Cisco, Cisco IOS, Dynamic Routing, IP routing protocols, Loopback, OSPF, OSPF protocol, Routing

In my previous post we studied the topology and saw how Type 5 LSA routes are installed in a non-zero Area. Now let's configure Area 5 as a stub area.

It's very easy to configure a stub area: by entering the Cisco IOS command "area X stub" under the OSPF process one can enable a stub area, where X is the area number.

In our case we need to configure Area 5 as a stub area by using the below Cisco IOS commands on routers R2 and R3

router ospf 1
 area 5 stub

R2 Stub

R3 Stub

Now let's examine how the R4 loopback interface networks are installed on router R3

R3 -R4 Routes

We can see there are no specific routes for the R4 loopback interfaces; networks 10.0.1.0, 10.0.2.0, 10.0.3.0 and 10.0.4.0 are replaced by a default route.

We cannot see a specific route for the R4 loopback interface 1, as it's not in the routing table; however, when we examine the CEF table we discover that the next hop for the network 10.0.1.0 is 192.168.23.3, which happens to be the R2 interface connecting to R3, and the network is reachable.

R3 CEF

R3-R4 Reachability

By configuring a Stub Area, all the external routes (Type 5 LSAs) are replaced by a default route; the greatest advantage is that the routing table and the OSPF database are reduced to a smaller size.


January 24, 2016  5:28 AM

How to configure Stub Area in OSPF – Series 1?

Yasir Irfan
Loopback, LSA, OSPF, Routing protocols

In this series of posts let's configure an OSPF Stub Area, but before proceeding further let's summarize the below topology

OSPF Topology

  1. Two OSPF Areas, Area 0 and Area 5
  2. R1, R2 and R4 are part of Area 0 and OSPF is configured on the directly connected links on each router (R1-R2 link, R1-R4 link)
  3. R4 has four loopback interfaces: loopback 1 (10.0.1.1), loopback 2 (10.0.2.2), loopback 3 (10.0.3.3) and loopback 4 (10.0.4.4); these loopback interface networks are redistributed into OSPF
  4. R2-R3 are part of Area 5; R2 happens to be an ABR
  5. OSPF Area 5 is configured on the interfaces connected between R2-R3.

Currently Area 5 is a normal area and has not been configured as a stub area. R2 installs the R4 loopback interface networks as Type 5 LSAs and forwards the same to Area 5.

We can see from the below snapshot that R2 received the R4 loopback networks as Type 5 LSAs and the routes are installed as Type 2 External OSPF routes

OSPF - R2

OSPF - R2-2

R3 installs the R4 loopback networks as Type 2 External OSPF routes, and they are received as Type 5 LSAs

R3 -E2 routes

R3 -Type 5

In the next post let's see what will happen when we configure Area 5 as a Stub Area.


January 22, 2016  9:41 PM

What is OSPF Stub Area?

Yasir Irfan
Default route, IOS commands, LSA, OSPF, OSPF protocol, router

We all know OSPF is one of the most widely used IGP protocols; OSPF happens to be the most scalable IGP protocol. OSPF also happens to be one of the more complex protocols, as it deals with various concepts and terminologies. One such topic where people get confused is OSPF Area types.

I will try to simplify them and present them in easy language. I am not going to reinvent the wheel, as one can find plenty of resources for OSPF.

What is an OSPF Stub Area?

OSPF Stub Area basically filters out information from the OSPF database purely based on LSA type. An ABR in a Stub Area prevents Type 5 LSAs from being flooded into the Stub Area; it removes the Type 5 LSAs and replaces them with a default route, which is a Type 3 LSA. To simplify, the ABR creates a default route using a Type 3 LSA, listing 0.0.0.0 with a subnet mask of 0.0.0.0, and floods it into the stub area. By using the Stub Area feature one can reduce the CPU utilization of a router.

OSPF Stub Area

From the above scenario we can see that Type 3 LSAs are exchanged between Area 0 and Area 5; however, when a Type 5 LSA reaches R2, which is an ABR, it will strip the External LSAs (Type 5 LSAs) and replace them with a default route towards router R3.

OSPF Stub Area is configured on Cisco routers using the IOS commands

router ospf 1
 area 5 stub

In the upcoming post let's see how to configure an OSPF stub area on Cisco routers; we will build a sample topology using Cisco VIRL.
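The LSA filtering described in the Stub Area and Totally Stubby Area posts above, as an added Python model (not from the original posts and not router code). The LSA list is constructed from the topology in these posts, the class and function names are hypothetical, and the model also drops Type 4 LSAs for a stub area, which is standard OSPF behaviour that the stub post does not mention.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LSA:
    lsa_type: int   # 3 = summary, 4 = ASBR summary, 5 = AS external
    target: str     # prefix, or the ASBR's name for a Type 4 LSA

DEFAULT = LSA(3, "0.0.0.0/0")   # default route injected by the ABR as a Type 3 LSA

# What ABR R2 can offer to Area 5 (constructed from the topology in these posts).
OFFERED_BY_R2 = [
    LSA(3, "192.168.12.0/29"), LSA(3, "192.168.14.0/29"),   # Area 0 links
    LSA(4, "R4"),                                           # R4 redistributes
    LSA(5, "10.0.1.0"), LSA(5, "10.0.2.0"),                 # R4 loopbacks
    LSA(5, "10.0.3.0"), LSA(5, "10.0.4.0"),
]

# LSA types the ABR refuses to flood into Area 5, per area type.
BLOCKED = {
    "normal": set(),
    "stub": {4, 5},               # area 5 stub
    "totally-stubby": {3, 4, 5},  # area 5 stub no-summary on the ABR
}

def flood_into_area(offered, area_type):
    """Return the Type 3/4/5 LSAs R3 ends up with for the given area type."""
    blocked = BLOCKED[area_type]
    lsdb = [lsa for lsa in offered if lsa.lsa_type not in blocked]
    if blocked:                   # any kind of stub area gets the default route
        lsdb.append(DEFAULT)
    return lsdb

def routes_seen_by_r3(lsdb):
    """Render the OSPF routes R3 would install, using IOS-style route codes."""
    code = {3: "O IA", 5: "O E2"}  # Type 4 LSAs do not produce a route entry
    return [f"{'O*IA' if lsa == DEFAULT else code[lsa.lsa_type]} {lsa.target}"
            for lsa in lsdb if lsa.lsa_type in code]

if __name__ == "__main__":
    for area_type in BLOCKED:
        print(area_type, routes_seen_by_r3(flood_into_area(OFFERED_BY_R2, area_type)))
```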

