Network technologies and trends

December 4, 2015  6:21 AM

Palo Alto Networks Firewall Interface Types –  Virtual Wire Sub interface

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
Administrator, Ethernet, Firewalls, HA, Interface, Internet, LAYER3, Loopback, Palo Alto Networks, Switch, tunnel, VLAN

In past few posts we were talking more about what is Virtual wire? and how it can be implemented. Lets talk briefly about the Virtual wire sub interfaces in this post.

Palo Alto in V-Wire Subineterface

Virtual Wire Sub interfaces are quite useful when one needs to manage traffic in a multi-tenant  network setup. It does offer lot of flexibilities in enforcing distinct policies especially when multi-tenant network are in place. Once can easily separate and classify traffic into different zones by using either VLAN tags  or VLAN tags in conjunction with IP Classifiers.  Yet one more deployment flexibility offered by Palo Alto Networks firewalls.

November 30, 2015  6:30 AM

How to configure Palo Alto Firewall in Virtual Wire mode?

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
Administrator, Ethernet, Firewalls, HA, Interface, LAYER3, Loopback, Palo Alto Networks, tunnel, VLAN

Configuring Palo Alto Firewall in Virtual Wire mode is quite easy, in this post using below topology I am going to demonstrate how to configure a Palo Alto Networks Firewall in Virtual Wire or V-Wire mode.

Palo Alto in V-wire mode

You could see from the above topology , we have a laptop with an IP Address in  VLAN 20 placed in the trust zone trying to access an internet in the untrust zone.  The laptop is configured with a default gateway which happens to the IP address of our Internet Router and this is in untrust zone  and belongs to VLAN 1.

We have a Palo Alto Firewall with two interfaces connected to a Cisco Switch. One interface ,ethernet 1/2 connected to interface G1/0/2 in a Cisco  Switch , configured as a part of V-Wire with VLAN 20 and this belongs to trust zone.

Where as the Palo Alto Firewall interface ethernet 1/1 is connected to Cisco Switch interface G1/0/1 and is configured as part of V-Wire with Vlan 1 and this belongs to Untrust Zone

Now lets configure the same and see how traffic flows

Step 1 – Configure Cisco Switch for trust zone interfaces with VLAN 20

interface gigabitEthernet 1/0/2


switchport access vlan 20

spanning-tree portfast

no shut

interface gigabitEthernet 1/0/3


switchport access vlan 20

spanning-tree portfast

no shut

Step 2 – Configure Cisco Switch for Untrust Zone Interfaces with VLAN 1

interface gigabitEthernet 1/0/1


switchport access vlan 1

no shut

interface gigabitEthernet 1/0/4


switchport access vlan 1

no shut

Step 3 –  Configure Virtual Wire called Test-V-Wire by clicking

Network >Virtual Wire

You can use any name you want ,

Step 3

In our case  we will name Test-V-Wire and interfaces ethernet 1/1 and ethernet 1/2 part of Interface1 and Interface 2

Step 3-B

Step 4 – Lets configure two zones names Untrust and Trust and assign ethernet 1/1 to be part of untrust zone and ethernet 1/2 to be part of trust zone.

Step 4 -A – Configure Trust Zone

Network> Zone>Add

Step 4

Give the name Trust, select Type to be Virtual Wire and add the interface ethernet 1/2 to be part of Trust Zone as demonstrated below

Step 4-B

Step 4-C

Step 4 -B – Configure UnTrust Zone

Network> Zone>Add

Step 4-D

Step 5 – Create a Security Policy to allow access from trust zone to untrust zone ( This can be configured as per your requirements with security profiles, URL filtering etc)


Step 5

Give the name to your Security Policy ( V-Wire-Policy)

Step 5-b

Add Source Zone ( Trust)

Step 5-C

Add Destination Zone ( Untrust)

Step 5-D

Allow the access, you can also configure Application policy and Service/URL Category if needed . In our case we are allowing all kind of traffic

Step 5-E

The final Security Policy should look like this

Step 5-F

You can also monitor the traffic passing through the V-Wire, you can see from the below snapshot I am accessing Skype, pinging the default gateway (Vlan1) from my laptop (Vlan 20) and my traffic is passing from Trust zone to Untrust zone by using the Rule V-Wire-Policy which we created



This is really a great feature from Palo Alto and the Virtual Wire can implemented easily without any modifications to existing network Design.

November 29, 2015  11:18 AM

Evolving technologies will be part of all CCIE and CCDE Written exams

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
CCIE, Cisco, Cisco Press, cloud, Internet of Things, Network, Network programmability, NFV

Cisco has announced a major revamp for their CCIE  and CCDE written exams, starting July 26,2016 Cisco will include a new section titled “Evolving Technologies”. Except CCIE Data Center all other CCIE Lab exams remains intact. So those who will be appearing for CCIE and CCDE  written exam after July 26,2016 should master the following  Evolving technologies domain

  1. Cloud

1.1: Compare and contrast Cloud deployment models

  • Infrastructure, platform, and software services (XaaS)
  • Performance and reliability
  • Security and privacy
  • Scalability and interoperability

1.2: Describe Cloud implementations and operations

  • Automation and orchestration
  • Workload mobility
  • Troubleshooting and management
  • OpenStack components
  1. Network Programmability

2.1: Describe functional elements of network programmability (SDN) and how they interact

  • Controllers
  • APIs
  • Scripting
  • Agents
  • Northbound vs. Southbound protocols

2.2: Describe aspects of virtualization and automation in network environments

  • DevOps methodologies, tools and workflows
  • Network/application function virtualization (NFV, AFV)
  • Service function chaining
  • Performance, availability, and scaling considerations
  1. Internet of Things

3.1: Describe architectural framework and deployment considerations for Internet of Things (IoT)

  • Performance, reliability and scalability
  • Mobility
  • Security and privacy
  • Standards and compliance
  • Migration
  • Environmental impacts on the network

Looking at the new topics, one can assume how important technologies like cloud, network programmability, Internet of things are. And these topics covers 10% of the total score. Cisco is ensuring that  evolving technology does play a vital role in coming days.  The new recalibrated  exam topics shown below are something which candidates need to focus on.

Written Exam Topics Used for

Testing BEFORE July 25, 2016

Written Exam Topics Used for Testing On

July 25, 2016 and Beyond

CCIE Routing and Switching Existing exam topics version 5.0 Recalibrated exam topics version 5.1
CCIE Wireless Existing exam topics version 3.0 Recalibrated exam topics version 3.1
CCIE Security Existing exam topics version 4.0 Recalibrated exam topics version 4.1
CCIE Service Provider Existing exam topics version 4.0 Recalibrated exam topics version 4.1
CCIE Collaboration Existing exam topics version 1.0 Recalibrated exam topics version 1.1
CCDE Existing exam topics version 2.0 Recalibrated exam topics version 2.1
CCIE Data Center Existing written exam 350-080 and its corresponding exam topics will be available for candidates who are scheduled to take the test BEFORE July 25, 2016. The new unified exam topics version 2.0 will be used for the new written exam (400-151) and lab exam and is recommended for candidates scheduled to take the test on July 25, 2016 or beyond.

I believe it’s a welcome move from Cisco and I could see Cisco wants to capitalize the market by ensuring the new CCIEs are aware of these new evolving technologies at least at some extent. Also I expect Cisco Press will come out with the appropriate study guides and titles.

November 28, 2015  3:22 PM

Cisco releases VIRL 1.0.0

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
Cisco, Java, Jitter, Latency, link, OpenStack, OpenVPN, TCP

Yesterday I received an email from Cisco VIRL about their new release of VIRL 1.0.0

Hello VIRL Family! Happy Thanksgiving (if you’re celebrating!)

We are very happy to announce the release of VIRL 1.0.0 – a major upgrade release packed full of new features! 🙂

The VIRL team really surprised their customers with the release of new version especially when we are not expecting any major release from them.  The new  VIRL release 1.0.0 has some major changes , as Cisco VIRL is moving from Openstack Icehouse to Openstack Kilo. Those who have previous release of VIRL cannot upgrade to the new version. They must have received an email from Cisco with the download link for the new version as Cisco is also stoping the support for VIRL 0.9.293 on 25 December 2015.

The new release contains the following version

  • Openstack Kilo
  • VM Maestro 1.2.4 Build Dev-363
  • AutoNetkit 0.20.9/0.20.22
  • Live Network Collection Engine 0.7.20

Platform reference model VMs included in the new release

  • IOSv – 15.5(3)M image
  • IOSvL2 – 15.2.4055 DSGS image
  • IOSXRv – 5.3.2 image
  • CSR1000v – 3.16 XE-based image
  • NX-OSv 7.2.0.D1.1(121)
  • ASAv 9.5.1
  • Ubuntu 14.4.2 Cloud-init

Linux Container images included in the new release

  • Ubuntu 14.4.2 LXC
  • iPerf LXC
  • Routem LXC
  • Ostinato LXC

Some of the new features which grabbed my attention are as follows

  • OpenVPN –  allows users to connect from their laptop to their VIRL server.
  • Link Latency, jitter and packet-loss controls – Users can now set latency, packet loss and jitter directly on the link.
  • Static TCP port allocation controls – Users can now specify the tcp port numbers they wish to when connecting to the console, auxiliary or monitor port of a particular node in their simulation.
  • Web Editor – User can run an ALPA release of topology design tool which can be run within a web-browser.
  • VM Maestro Java Runtime Environment bundled – Users don’t need to install the java to use VM Maestro
  • VM Maestro active canvas

One can also capture  a packet in the newly released VIRL. More details can be accessed from the VIRL community portal.

November 26, 2015  4:41 AM

Palo Alto Networks Firewall Interface Types –  Virtual Wire

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
Administrator, Decryption, Ethernet, Firewalls, HA, Interface, LAYER3, Loopback, NAT, Palo Alto Networks, Security policy, tunnel, VLAN

We all know Palo Alto Network Firewalls offers quite flexibility deployment options, one can also deploy Palo Alto Networks in Virtual Wire or V-Wire mode. This is the beauty of Palo Alto Networks Firewalls , the flexibility it offers cannot be matched by some of the leading firewall vendors. Though other vendors offers the same feature  better known as transparent firewalls.

Virtual Wire mode can be deployed by pairing a set of two physical interfaces into a single set and in V-Wire mode one does not needs to assign either an IP Address or a mac address.  Virtual Wire is also referred to as a “Bump in the Wire” of “Transparent In-Line”. By default certain Palo Alto Networks Firewalls comes with preconfigure Virtual Wire mode and Ethernet ports 1 and 2 are part of that default V-Wire.

Palo Alto V-Wire Mode

These kinds of deployment comes very handy, especially when one does not wants to do any kind of  switching or routing  and simply wants to plug and play with the Palo Alto Networks firewall.  The biggest value Palo Alto Networks offers in Virtual Wire mode is, it supports features like App-ID, decryption , Content-ID , User-ID and NAT by using all these features one can certainly inspect the traffic passing through Virtual Wire and can apply the security policy. In upcoming  post lets configure a Palo Alto Firewall in Virtual -Wire Mode and see how it works.

November 23, 2015  5:24 AM

How to configure Palo Alto Firewall in TAP Mode

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
Administrator, Applications, Ethernet, Firewalls, HA, Interface, LAYER3, Loopback, Palo Alto Networks, tunnel, VLAN

In one my recent post we discussed what is TAP mode in Palo Alto Networks Firewall and the flexibility it offers when it comes to deployment.

I have a Palo Alto Networks Firewall 3050 connected to a Cisco Catalyst 2960 Switch and I am using the following topology to demonstrate TAP configuration. As you can see the Laptop is connected to Cisco switch on port no G1/0/8 and the Palo Alto Firewall is connected to Cisco Switch port G1/0/1 . We will configure a SPAN in Cisco Switch and our source will be G1/0/8 ( Laptop) and the  destination will be G1/0/1 ( Connected to Palo Alto Firewall). Basically we will monitor all the traffic from the host Laptop towards Internet. You can also configure RSPAN the principle remains the same.

Palo Alto Firewall Tap mode

Step 1

Lets configure SPAN in  Cisco Catalyst Switch using following CLI commands


monitor session 1 source interface gigabitEthernet 1/0/8 both

monitor session 1 destination interface gigabitEthernet 1/0/5

Cisco Siwtch SPAN

Step 2

Configure  Ethernet 1/5 as TAP mode by  going to Network -> Interface -> ethernet1/5 -> Interface Type  and select Tap

Screen Shot 2015-11-23 at 7.36.26 AM

Step 3

Assign a Security Zone to ethernet 1/5 as with out this we cannot create Security Rule to monitor the traffic

Network-> Zone->Add

Screen Shot 2015-11-23 at 7.41.48 AM

Name : Name of the zone you want  -> Type : Should be TAP and add ethernet 1/5 to be part of new Zone you are creating as shown

Screen Shot 2015-11-23 at 7.43.44 AM

Step 4

Create a Security policy so that we can monitor the traffic in the logs tab and can also see the details in ACC tab, without configuring the Security Policy one cannot monitor the traffic spanning through the Palo Alto Network Firewall in TAP mode. Ensure that the rule is at the top and both the source zone and destination zone are same as demonstrated below

Policies -> Security -> Add

Screen Shot 2015-11-23 at 7.51.08 AM

You can use any name you want

Screen Shot 2015-11-23 at 7.54.08 AM

Add Source Zone – In our case its TAP_ZONE

Screen Shot 2015-11-23 at 7.53.11 AM

Add Destination Zone – In our case its TAP_ZONE

Screen Shot 2015-11-23 at 7.53.21 AM

Allow the traffic and click ok and commit to save the policy

Screen Shot 2015-11-23 at 7.53.39 AM

You final policy should be like this

Screen Shot 2015-11-23 at 8.00.36 AM

One can now see what kind of traffic is passing through the Palo Alto Network Firewall in TAP mode

Monitor -> Logs -> Traffic

Screen Shot 2015-11-23 at 8.02.14 AM

Also one see more details like the risk level and what application are accessed  in Application Command Center (ACC)

Screen Shot 2015-11-23 at 8.05.54 AM


So far I have never experience such a granular report offered by any firewalls. This kinds of value added features obliviously makes Palo Alto Networks Firewall a leader in Next Generation Firewall.

November 22, 2015  6:52 AM

Cisco Certification Tracking Tool is not working

Yasir Irfan Yasir Irfan Profile: Yasir Irfan

Cisco Certification Tracking Tool is not working since almost a week , looks a like some major compromise happened with this portal.  Once you login to any of the tracking sites you will some of these errors

Screen Shot 2015-11-22 at 9.37.05 AM

Screen Shot 2015-11-22 at 9.36.37 AM

Screen Shot 2015-11-22 at 10.06.05 AM

Cisco also published a blog about this outage, well its quite unfortunate that an unauthorized third party placed malware on their Credential Manager System, which supports this Cisco Certifications Tracking System. Until this issue is fixed no one can verify Cisco Certifications.

I hope Cisco will fix this and have a permanent fix for this issue.

November 21, 2015  8:27 AM

A review of CCDE Study Guide by Marwan Al-shawi

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
BGP, Cisco, Cisco certifications, Cisco Press, EIGRP, Network design, Networking, OSPF, Protocols, VPN

Since I received the “CCDE Study Guide” from Jamie Shoup till date, I simply couldn’t able resist reading such a wonder book from Marwan Al-shawi.  I believe it was a great initiative from Marwan Al-shawi to write this book. Since I read this book from cover to cover I believe it’s the right time for me to write a complete review of this book.

CCDE book

As mentioned in my initial review , Marwan did a great job in penning down this title, he has gone an extra mile to come out with this title. The topics are organised well and he addressed almost all the topics of CCDE blue print at very high level. The “CCDE Study Guide” is divided into 6 parts with following chapters

Part I Business-Driven Strategic Network Design

  • Chapter 1 Network Design Requirements: Analysis and Design Principles

Part II Next Generation – Converged Enterprise Network Architectures

  • Chapter 2 Enterprise Layer 2 and Layer 3 Design
  • Chapter 3 Enterprise Campus Architecture Design
  • Chapter 4 Enterprise Edge Architecture Design

Part III Service Provider Networks Design and Architectures

  • Chapter 5 Service Provider Network Architecture Design
  • Chapter 6 Service Provider MPLS VPN Services Design
  • Chapter 7 Multi-AS Service Provider Network Design

Part IV Data Center Networks Design

  • Chapter 8 Data Center Network Design

Part V High Availability

  • Chapter 9 Network High-Availability Design

Part VI Other Network Technologies and Services

  • Chapter 10 Design of Other Network Technologies and Services

I enjoyed reading almost all the topics, yet got bored on the topics which I don’t have much exposure. The book is addressed at very high level. In order to enjoy this book one should posses good understanding of the concepts be it MPLS, MPLS TE, MPLS VPN or as simple as of Layer 2 Network Design. Marwan is no where attempting you to understand topics from grasp level. I can understand Marwan must have gone through tons of technical resources to come with such a wonderful title. His experience and knowledge  is quite visible in the content he developed.

Few things which I really liked in this title are

  • The design scenarios presented are quite useful and there are plenty of them
  • The design goals one should consider
  • The business driven factors
  • Enormous  amount of Diagrams which complement the text.
  • The seamless flow of topics
  • Design related Questions
  • Further Reading Section

Its also good to see this title now part Safari Online, those who have Safari subscription can enjoy reading this book even for enhancing their design principles.

This title would have added extra value if the following things were considered

  • A small design challenge at the end of each chapter based on exam pattern
  • Typos
  • Hyperlinking  all the reference materials ( few hyperlinks are there)

Over all a must read book not only for those who are perusing CCDE but also for those who are involved in Designing complex networks. Also I would like to thank  Marwan Al-shawi  for coming out with such a great book as its quite helpful to me.

November 19, 2015  6:44 AM

CCIE Data Center Version 2 is coming

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
CCIE, Cisco, Cisco Press, VXLAN


With the introduction of ACI, Nexus 9k and many other SDN components I was expecting Cisco will soon announce the new version of CCIE Data Center.

As anticipated Cisco announced the revision of CCIE Data Center from Version 1.0 to 2.0, to be a CCIE Data Center v2.0, Cisco will be testing the candidate’s knowledge and capabilities on the latest skill and technologies which are broadly classified into six domains.

CCIE Data Center v1.0

CCIE Data Center v.20

    1. Cisco Data Center Architecture
    2. Cisco Data Center Infrastructure-Cisco NX-OS
    3. Cisco Storage Networking
    4. Cisco Data Center Virtualization
    5. Cisco Unified Computing System
    6. Cisco Application Networking Services
  1. Cisco Data Center L2/L3 Technologies
  2. Cisco Data Center Network Services
  3. Data Center Storage Networking and Compute
  4. Data Center Automation and Orchestration
  5. Data Center Fabric Infrastructure
  6. Evolving Technologies

When you compare Domain topics of CCIE Data Center v1.0 and Data Center v2.0 form above shown table one could notice Cisco is introducing  more technology centric topics, the interesting catch here is Evolving Technologies . One could certainly experience below technical topics like in CCIE Data Center v2.0 exams

  • EVPN
  • LISP
  • Policy Driven Fabric (ACI)

Following are the some of the key hardware changes in the CCIE Data Center v.2.0 blueprint

  • APIC Cluster
  • Nexus 9300
  • Nexus 7000 w/ F3 Module
  • Nexus 5600
  • Nexus 2300 Fabric Extender
  • UCS 4300 M-Series Servers

I believe Cisco took a strategic decision to announce the new version of CCIE Data Center exam as this will empower them to capitalise the huge SDN market share, its been a general tendency of the customers to adopt the SDN solutions based on the availability of technical resources. I hope Cisco will certainly add value to their CCIE certifications and ensure strict guidelines are followed when it comes to delivery of the exam and also make their exams more realistic.

Those who are preparing for the CCIE Data Center v1.0 exam don’t need to panic as they have time until July 2, 2016.

  • Last day to test for the v1.0 written – July 22, 2016
  • First day to test for the v2.0 written – July 25, 2016
  • Last day to test for the v1.0 lab – July 22, 2016
  • First day to test for the v2.0 lab – July 25, 2016

Screen Shot 2015-11-19 at 9.36.59 AM

One more change one is going to experience in CCIE Data Center v2.0 lab is the introduction of Diagnostic module which lasts for 60 minutes and focuses on the skills required to properly diagnose network issues, without having device access. The main objective of the Diagnostic module is to assess the skills required to properly diagnose network issues. These skills include:

  • ·  Analyze
  • ·  Correlate

– Discerning multiple sources of documentation (in example e-mail threads, network topology diagrams, console outputs, logs, and even traffic captures.)

In the Diagnostic module, candidates need to make choices between pre-defined options to indicate:

  • ·  What is the root cause of an issue
  • ·  Where is the issue located in the diagram
  • ·  What is the critical piece of information allows us the identify the root cause
  • ·  What piece of information is missing to be able to identify the root cause

However the Configuration and Troubleshooting module follows the same pattern of  CCIE Data Center v1.0 , basically it consists of one topology  where the candidate has to complete the given tasks in 7hours of time.

Since the introduction of Diagnostic module in CCIE R&S v 5.0  Cisco is keep on adding this module every new version of CCIE exams be it CCIE Service Provider or CCIE Data Center.

I wish all the CCIE Data Center aspirers a best of luck and I am pretty sure soon training materials will be out by Cisco Press and INE as they seems to be pioneers when it comes to CCIE Study Materials.

November 16, 2015  7:39 PM

Palo Alto Networks Firewall Interface Types – Tap Mode

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
Ethernet, Firewalls, Interface, Palo Alto Networks, Switch

As discussed in one my post, we all know Palo Alto Networks Firewall allows us to implement in many modes, one such mode is TAP Mode. Now you all might be wondering what is a TAP mode?

TAP Mode is basically used to monitor the traffic passing through the firewall, basically a TAP Mode interface can be easily used for

  • POC of Palo Alto Network Firewalls
  • To monitor passively all the traffic passing across a network using SPAN or mirror port

Palo Alto Tap Mode

One can easily configure SPAN/RSPAN in his/ her network Switch and pass the traffic thought the Palo Alto Firewall to monitor the traffic, by doing so one can have a complete visibility of the network and Palo Alto Networks really comes with a some great reports as well. This kind of monitoring can be done in TAP mode only, it reads all the spanned traffic and there will be a visibility in Palo Alto Network Firewall ACC tab.

To place a Palo Alto Networks Firewall one doesn’t  need to do any changes to their existing network design also in TAP Mode the traffic will not blocked or any URL filtering can be enabled. It’s a really a cool feature from Palo Alto Networks Firewall , in my next post lets see how a Palo Alto Networks can be configured in TAP mode. One nice little feature Palo Alto Network Firewall supports is, it  can process the encrypted SPAN traffic.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: