Latest Posts

Thursday, November 15, 2018

Cisco Announced Advanced Security Features on SDWAN Edge Devices

Networks Baseline
-- By Pankaj Verma

Cisco's SD-WAN solution was rated highly by customers and service providers as one of the more secure SD-WAN solutions on the market compared to the other players. From the start it offered end-to-end segmentation and two-factor authentication, with support for high-density, large-scale deployments.

With the new security features now included, Cisco SD-WAN security is substantially enhanced. The latest features introduced include an enterprise application-aware firewall, an intrusion prevention system (IPS), URL filtering and DNS-layer security through Cisco Umbrella.

No, these advanced security features are not intended to replace the dedicated security solutions; those are still required depending on the data traffic, and customers already have them deployed at DC/DR/colocation sites. The purpose here is to secure small remote branch locations with a single-box solution that meets both the connectivity and the security requirement.

Now all central locations, remote sites, users and devices are protected by a suite of security functions.


SD-WAN, which is primarily routing, is based on SDN principles: services are abstracted from the hardware and centralized to reduce complexity. Cisco SD-WAN follows this model. The routers forward traffic, while the other critical functions such as routing, device configuration and policy configuration are centralized and managed by the controllers.

In line with IBN and SD-WAN principles, Cisco removes a great deal of complexity when implementing the new security features on SD-WAN edge devices: they need only a few inputs in a simple UI.

All the new advanced security features are configured from a single pane of glass (vManage, the NMS for the Cisco SD-WAN solution).

The enterprise landscape is evolving, and ease of management, scalability, improved uptime, IT cost reduction and end-to-end security are the key asks from enterprises. In short, customers want strong security, best-of-breed routing capabilities and ease of management together.

With the announcement of the advanced security features, Cisco has secured a strong position in the SD-WAN field, addressing all the challenges stated above: maximum uptime and optimal routing through the overlay network architecture; security through end-to-end VPN segments, two-factor authentication and the newly announced security features; and the vManage UI to configure, monitor, manage and troubleshoot the complete WAN.



Gartner recently released Magic Quadrants for IPS, firewalls and edge routing, and all of these reports placed Cisco in the Leaders quadrant. Taken together, if these technologies are the functionality customers require to address the challenges of the evolving landscape, Cisco is strongly positioned as the only vendor that appears in the Leaders section of all of these quadrants.

Last year Cisco announced the Intent-Based Networking (IBN) approach, which simplifies network deployment based on the intents keyed in by users. These intents are rendered into configuration and pushed to the end devices. Both switching and routing now follow the IBN approach.

All the new security features are provisioned, managed and troubleshot through a single window. More is yet to come on how these multiple security solutions are used in various use cases at the remote branch.

Monday, November 12, 2018

Introduction to Next Generation Routing : SDWAN

ılılılı RouteXP ılılılı ılılılı
-- Written by Pankaj Verma

More than 50% of enterprises are now evaluating SD-WAN vendors, as they want to transition to the next generation of routing: SD-WAN. Let's talk about SD-WAN in general here, with more to follow in future posts.

Why should I care about SD-WAN?
Legacy network topologies are becoming more complex and expensive to implement and secure every day. Yesterday's networks cannot meet the agility requirements of today's enterprises.

Trends like multi-cloud data centers, IoT and mobility are putting strain on the branch network.
To address these challenges, an overlay network is required that is transport independent (it should run over any media, i.e. MPLS, Internet, point-to-point, 4G) and that provides automation to save the IT time spent on day-to-day repetitive tasks.

What does SD-WAN do for an enterprise?
Reduction of cost: legacy networks run on expensive hardware that requires considerable time for configuration and troubleshooting. In addition, these networks require stable transport media to the data center. SD-WAN reduces cost because Internet links (commodity media) can be used securely for enterprise applications, and a single pane of glass to manage the network reduces the time needed to troubleshoot and maintain it.

Fig 1.1- Next Generation Routing

Reduction of complexity: legacy networks work in a distributed way, where every router must be configured with local routing and security policies. This adds complexity whenever a network-wide change is required, as each router maintains two kinds of routing: ISP reachability and the enterprise-wide routing configuration.

Small changes become a project for the IT team to make sure everything goes smoothly. With SD-WAN, the network is maintained as one entity: policies are defined centrally and deployed network-wide, and a true SD-WAN solution introduces a fabric, which is an overlay network.

Increased control over the network: legacy networks that run on carrier circuits depend on the carrier for even small changes, i.e. introducing a new subnet, monitoring and network design. Enterprises have little control over the network. SD-WAN gives this routing control back to the IT team, with more visibility into the network.

Reduced time to market: legacy networks that run on dedicated provider circuits depend on the carrier to install a new site, and the non-feasibility of a link at some locations can increase the time to market. SD-WAN, being transport and media independent, does not depend on any particular circuit and can operate over any available media, i.e. Internet, 3G/4G, greatly reducing the time to market.

What should I expect from an SD-WAN solution?
An SD-WAN solution should be software defined and not hardware centric. It should scale to thousands of remote locations and reduce cost.

An SD-WAN solution should be centrally managed and able to perform network-wide changes quickly. It should be equipped with a powerful GUI that captures the intent from IT and pushes the network configuration to the devices.

An SD-WAN solution should be transport and carrier independent and work with whatever media is available at a given location, thus reducing the time to bring up a new site.

An SD-WAN solution should be flexible enough to meet enterprise needs: components should be available virtualized or appliance-based, and management should be available on-premises or in the cloud (public [SaaS/IaaS] or private), because one size does not fit all 😊.

Last but not least, it should ensure security of both the data plane and the control plane. Yes, you got it right: when we talk about a clear separation of control and data planes, the communication between the routers (data plane) and between the routers and the controllers (control plane) should be secured. I know this raises the next question: how is the authenticity of the routers established and maintained?

I hope you find this article informative and that it equips you to make an informed decision when choosing your technology partner for the next-generation routing journey!


Sunday, November 11, 2018

Introduction to IP access lists

Today I am going to talk about access lists. In general, an access control list (ACL) is a list of permissions attached to an object: it specifies which users or system processes are granted access to the object and which operations are allowed on it. On a Cisco router, an IP access list is an ordered list of rules, each of which either permits or denies traffic that matches its conditions. The first matching rule wins, and traffic that matches no rule is dropped by an implicit deny at the end of every list.

Types of Access Lists
There are two categories of access lists: numbered and named.

Fig 1.1- IP access Lists
Numbered Access Lists:-
Numbered access lists are broken down into several ranges, each dedicated to a specific protocol:

1-99 IP standard access list
100-199 IP extended access list
200-299 Protocol type-code access list
300-399 DECnet access list
400-499 XNS standard access list
500-599 XNS extended access list
600-699 Appletalk access list
700-799 48-bit MAC address access list
800-899 IPX standard access list
900-999 IPX extended access list
1000-1099 IPX SAP access list
1100-1199 Extended 48-bit MAC address access list
1200-1299 IPX summary address access list
1300-1999 IP standard access list (expanded range)
2000-2699 IP extended access list

Named Access Lists:-
Named access lists provide a bit more flexibility. Descriptive names can be used to identify your access lists, and individual lines can be removed from a named access list without deleting the whole list. Like numbered lists, new entries are appended at the bottom unless a sequence number is given (on IOS releases that support access list entry sequence numbering).

There are two common types of named access lists:
IP standard named access lists
IP extended named access lists
Standard IP Access List

Standard IP access lists match only on the source host or network address, so they should be placed as close to the destination as possible: placed near the source, they would block that source from reaching every destination beyond the interface, not just the one intended.

Router(config)# access-list 10 deny 172.18.0.0 0.0.255.255
Router(config)# access-list 10 permit any

(The addresses are just an example.) The wildcard mask 0.0.255.255 is the inverse of a /16 netmask: 0 bits must match the address given and 1 bits are ignored, so the first line covers every host in 172.18.0.0/16.

To apply an access list, configure an access-group on the interface, in the inbound or outbound direction. Here we take interface serial 0 as the reference:

Router(config)# int s0
Router(config-if)# ip access-group 10 in

To view all IP access lists configured on the router (with per-line match counters):
Router# show ip access-lists

To view what interface an access-list is configured on:

Router# show ip interface
Router# show running-config

Extended IP Access List

access-list [100-199] [permit | deny] [protocol] [source address] [wildcard mask] [destination address] [wildcard mask] [operator [port]] [log]
Router(config)# access-list 101 permit tcp 172.18.0.0 0.0.255.255 host 172.16.10.10 eq 80
Router(config)# access-list 101 deny ip 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255
Router(config)# access-list 101 permit ip any any

The above IP addresses are taken only as examples and do not correspond to any real environment.

The first line allows the 172.18.x.x network to reach only TCP port 80 on the web server 172.16.10.10. The second line blocks 172.18.x.x from reaching anything else in the 172.16.x.x network. The third line allows 172.18.x.x (and everyone else) to reach anything else. That third line matters: every IOS access list ends with an implicit deny, so without the final permit ip any any all traffic not matched by the first two lines would be dropped.
To apply this access list, we would configure the following

Router(config)# int e0
Router(config-if)# ip access-group 101 in

Extended IP Access List Port Operators
In the preceding example, we identified TCP port 80 on a specific host using the following syntax:

Router(config)# access-list 101 permit tcp 172.18.0.0 0.0.255.255 host 172.16.10.10 eq 80

We accomplished this using the operator eq, short for equals: we identify host 172.16.10.10 with a port that equals 80. The operator applies to the address it follows, so placed after the source address it matches source ports, and placed after the destination address, as here, it matches destination ports. Several other operators are available for port numbers:
eq       Matches a specific port
gt       Matches all ports greater than the port specified
lt       Matches all ports less than the port specified
neq      Matches all ports except the port specified
range    Matches a specific inclusive range of ports (two port numbers follow)

ICMP Access List
ICMP has no ports; a ping is an ICMP echo request (type 8), which IOS names echo, and the answer is echo-reply. To filter specific ICMP message types, use an extended IP access list. On Router B, we would configure:

Router(config)# access-list 102 deny icmp 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255 echo
Router(config)# access-list 102 permit icmp 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255
Router(config)# access-list 102 permit ip any any

The first line blocks only ICMP echo requests (pings) from 172.18.x.x to 172.16.x.x. The second line allows all other ICMP traffic between those networks, including echo-reply, so hosts in 172.16.x.x can still ping out to 172.18.x.x and receive their replies. The third line allows all other IP traffic.

To apply this access list, configure the following on the interface:

Router(config)# int e0

Router(config-if)# ip access-group 102 in
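As an added, runnable model of the standard list, the extended list, the port operators and the ICMP list above (this is example code written for this page, not the post's own configuration and not Cisco software): a small Python evaluator that parses the three access-list lines from this post exactly as typed (prompt removed), applies the wildcard masks, the port operators and the ICMP type name, and walks each list in order with the implicit deny at the end. The packets it is fed are constructed test values, and the Packet, parse_entry, build and evaluate names are this example's own.

```python
"""Toy model of Cisco IOS numbered IP access lists (added example, not Cisco code)."""
from ipaddress import IPv4Address
from typing import NamedTuple, Optional

ANY = ("0.0.0.0", "255.255.255.255")   # 'any': base 0.0.0.0 with every bit a don't-care


class Packet(NamedTuple):
    """Constructed test packet: only the header fields an IP access list can look at."""
    src: str
    dst: str
    proto: str                          # "tcp", "udp" or "icmp"
    dport: Optional[int] = None         # destination port for tcp/udp
    icmp_type: Optional[str] = None     # IOS name of the ICMP type, e.g. "echo"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: 0 bit = must match, 1 bit = don't care (inverse of a netmask).
    0.0.255.255 covers a /16, 0.0.0.0 ('host') one address, 255.255.255.255 ('any') all."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


def _take_addr(tokens: list) -> tuple:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' from the front of the token list."""
    if tokens[0] == "any":
        tokens.pop(0)
        return ANY
    if tokens[0] == "host":
        tokens.pop(0)
        return tokens.pop(0), "0.0.0.0"
    return tokens.pop(0), tokens.pop(0)


def parse_entry(line: str) -> dict:
    """Parse one 'access-list N permit|deny ...' line (without the Router(config)# prompt)."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    number = int(t[1])
    rule = {"action": t[2], "proto": "ip", "dst": ANY, "op": None, "icmp_type": None}
    rest = t[3:]
    if 1 <= number <= 99 or 1300 <= number <= 1999:     # standard list: source address only
        rule["src"] = _take_addr(rest)
        return rule
    rule["proto"] = rest.pop(0)                         # extended: protocol, source, destination
    rule["src"] = _take_addr(rest)
    rule["dst"] = _take_addr(rest)
    if rest and rest[0] in ("eq", "gt", "lt", "neq", "range"):   # destination-port operator
        op = rest.pop(0)
        rule["op"] = (op, [int(rest.pop(0)) for _ in range(2 if op == "range" else 1)])
    elif rest and rest[0] != "log":                     # otherwise an ICMP type name such as 'echo'
        rule["icmp_type"] = rest.pop(0)
    return rule


def port_ok(op: str, ports: list, port: Optional[int]) -> bool:
    if port is None:                                    # rule names a port, packet has none
        return False
    lo = ports[0]
    return {"eq": port == lo, "gt": port > lo, "lt": port < lo, "neq": port != lo,
            "range": lo <= port <= ports[-1]}[op]       # range is inclusive at both ends


def matches(rule: dict, p: Packet) -> bool:
    if rule["proto"] not in ("ip", p.proto):            # 'ip' matches every IP protocol
        return False
    if not (wildcard_match(p.src, *rule["src"]) and wildcard_match(p.dst, *rule["dst"])):
        return False
    if rule["icmp_type"] is not None and p.icmp_type != rule["icmp_type"]:
        return False
    return rule["op"] is None or port_ok(*rule["op"], p.dport)


def evaluate(acl: list, p: Packet) -> str:
    """First matching line decides; no match means the implicit deny IOS never displays."""
    for rule in acl:
        if matches(rule, p):
            return rule["action"]
    return "deny"


def build(lines: list) -> list:
    return [parse_entry(line) for line in lines]


# The three lists from the post, exactly as typed (prompt removed).
ACL_10 = build(["access-list 10 deny 172.18.0.0 0.0.255.255",
                "access-list 10 permit any"])
ACL_101 = build(["access-list 101 permit tcp 172.18.0.0 0.0.255.255 host 172.16.10.10 eq 80",
                 "access-list 101 deny ip 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255",
                 "access-list 101 permit ip any any"])
ACL_102 = build(["access-list 102 deny icmp 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255 echo",
                 "access-list 102 permit icmp 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255",
                 "access-list 102 permit ip any any"])

if __name__ == "__main__":
    web = Packet("172.18.5.5", "172.16.10.10", "tcp", dport=80)
    ssh = Packet("172.18.5.5", "172.16.10.10", "tcp", dport=22)
    ping = Packet("172.18.5.5", "172.16.20.20", "icmp", icmp_type="echo")
    for name, acl, pkt in (("10", ACL_10, web), ("101", ACL_101, web),
                           ("101", ACL_101, ssh), ("102", ACL_102, ping)):
        print(f"ACL {name}: {pkt.src} -> {pkt.dst} {pkt.proto}: {evaluate(acl, pkt)}")
    # Two classic mistakes: a list with no permit line drops everything it does not name,
    # and a 'permit any' typed first shadows every line appended after it.
    print(evaluate(build(["access-list 30 deny 172.18.0.0 0.0.255.255"]),
                   Packet("10.0.0.1", "10.0.0.2", "tcp", 22)))
    print(evaluate(build(["access-list 40 permit any", "access-list 40 deny 172.18.0.0 0.0.255.255"]),
                   Packet("172.18.1.1", "10.0.0.2", "tcp", 443)))
```

Running it shows list 10 denying the 172.18.x.x source outright, list 101 permitting only TCP/80 to the web server from that network while dropping SSH to it, and list 102 dropping the echo request. The two prints at the end are the checks worth keeping in mind when writing real lists: a list whose lines are all deny drops every packet it does not name (the implicit deny), and because IOS appends new lines at the bottom, a permit any typed first makes any deny added later unreachable.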
