Author Archives: Paul Stewart, CCIE 26009 (Security)

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.

ASA Pro Tip — A Better Prompt

The Cisco ASA FW has a simple and robust failover mechanism. It works so well that sometimes an administrator may not realize that the load has moved from the primary device to the secondary device. When connecting to the IP … Continue reading

Posted in Uncategorized | 2 Comments

ASA Active/Standby with BDI/BVI

I see a lot of ASA designs and they are typically flanked with switches. One of the reasons for this is that the failover requirements typically dictate that the devices to be layer 2 adjacent in each security zone. There … Continue reading

Posted in Uncategorized | 4 Comments

Quickly Adding an NMS to VIRL

I’ve spent the last few days experimenting with APIC-EM and the path trace capabilities. My lab environment is currently leveraging VIRL (Virtual Internet Routing LAB). Since it wasn’t obvious how to integrate APIC-EM with the lab platform, I wanted to … Continue reading

Posted in Uncategorized | Leave a comment

A Broken Process Placing Consumers at Risk

Below is a chat session I had with Pearson Vue several months ago as I attempted to schedule a recertification exam. Apparently, I have two accounts with them and that prevents next day test scheduling. To put it mildly, I don’t … Continue reading

Posted in Uncategorized | Leave a comment

APIC-EM Path Trace Examples – Overlay Networks

Since seeing the APIC-EM Path Trace demo for the first time and seeing how it represents CAPWAP, I’ve been curious how well it deals with other types of overlay/underlay networking. This article is a brief synopsis of that testing and provides … Continue reading

Posted in Uncategorized | 1 Comment

Voice Gateway and Voice VRF – Caveats

Many networks leverage what is known as a VRF. These are used for traffic isolation and create separate routing instances within a router. It is important that vrf awareness is confirmed for any service (DHCP, Voice GW, etc) being locally … Continue reading

Posted in Uncategorized | Leave a comment

ACL Trace in APIC EM

I wanted to take just a moment to share the output of an APIC-EM ACL Trace (option in Path Trace). For this example, I have built out the topology below. The applicable configuration for CSR1000v-2 is as follows–

Posted in Uncategorized | Leave a comment

FLAT Networks in VIRL Require Promiscuous Mode

So I’m sure this is in the documentation somewhere. But for anyone else out there who is getting inconsistent results with FLAT interfaces in VIRL, Promiscuous Mode support in ESXi seems to be a requirement. Definitely something to check…

Posted in Uncategorized | Leave a comment

Connecting VIRL to the Outside World

I’ve been leveraging VIRL for some time to build and test self-contained labs. I’ve always known that there was some ability to connect to the world outside of this environment. Recently, I decided to configure this functionality and I wanted … Continue reading

Posted in Uncategorized | 3 Comments

Hairpinning traffic through ASA with State Bypass

Several years ago I wrote an article about the Woes of Using an ASA as a Default Gateway. I have received a lot of feedback about this post and recently had a request for an update around ASA > 8.3. … Continue reading

Posted in Uncategorized | 3 Comments

Creating a Firepower Peer to Peer Dashboard

Peer to peer applications are a significant challenge for policy enforcement solutions. Any flows that slip through as an undetermined application type may allow the file sharing app to function. The first key to addressing this challenge is simple visibility … Continue reading

Posted in Uncategorized | Tagged | Leave a comment

Firepower Access Control Policies

The Firepower ecosystem is a powerful NGIPS/NGFW solution. At that heart of the configuration construct is what is known as the Access Control Policy. Comparing this to something familiar is possible by thinking about the much simpler filtering feature in the … Continue reading

Posted in Uncategorized | Tagged | 1 Comment