26 Jan

Apple App Transport Security (ATS) and ASA self-signed SSL certificate

Apple cares about users' privacy and security quite well. Of course it's a matter of opinion, but Apple puts a strong focus on encryption and peer authentication. In 2015 Apple introduced App Transport Security (ATS) as part of their Network Framework. With every release they put more and more responsibility on developers and content operators to provide proper traffic encryption, proper certificate signing and chain, etc. That means that if an application tries to connect to an HTTP server that does not support the latest TLSv1.2, the connection should fail.

There is no doubt that ATS is good for end users and that's the right direction every corporation should follow. But switching to TLSv1.2 is not something that can be done just like that; obtaining a signed certificate is an expensive option, especially for development environments or if you are writing apps just to test something or for fun. Self-signed certificates are the solution for such cases, but there are a few problems that we can encounter.


16 Jun

MPLS workshop #1 – Basic MPLS Core configuration

This is the first post in a series where I'll be presenting various aspects of MPLS networks, starting from the basics and moving forward to more advanced topics. We'll be using the following topology:

As you can see we have two P routers, three PE routers and four CE routers, and one of the PE routers will also act as a BGP route reflector. Different MPLS L3VPN networks use different CE-PE protocols. Every router has a Loopback0 interface configured with address 10.0.0.x/32, where x is the router number. Subnets on links between routers are addressed in the scheme known from CCIE workbooks: the third octet shows which routers the link connects and the fourth octet represents the router number. So if we are talking about the link between R4 and R5, the address on R4's E0/1 interface is 10.0.45.4/24 and on R5's E0/1 interface 10.0.45.5/24.

06 Apr

DHCPv6 service

On IOS routers you can disable the built-in DHCP server by issuing the command

no service dhcp

You would expect that it disables the whole DHCP service, no matter which protocol it serves. Well, you are wrong. It disables only the IPv4 DHCP service, leaving the IPv6 one still running. Therefore the following configuration

ipv6 dhcp pool IPv6
 dns-server FC00:2::D911:220A
!
interface GigabitEthernet0/0
 ipv6 address FC00:3::1/64
 ipv6 nd other-config-flag
 ipv6 dhcp server IPv6

will still work, and the built-in DHCP server will assign DNS information to requesting IPv6 hosts.
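A small config audit for exactly this pitfall, added here as an example and not part of the original post: it parses a constructed IOS config that contains "no service dhcp" and reports every interface that is still bound to an IPv6 DHCP pool via "ipv6 dhcp server". The sample config and the function names are assumptions for the example.

```python
import re

# Constructed sample IOS config (not from a real device): the operator
# issued "no service dhcp" but an IPv6 DHCP pool is still bound to Gi0/0.
SAMPLE_CONFIG = """\
no service dhcp
!
ipv6 dhcp pool IPv6
 dns-server FC00:2::D911:220A
!
interface GigabitEthernet0/0
 ipv6 address FC00:3::1/64
 ipv6 nd other-config-flag
 ipv6 dhcp server IPv6
!
interface GigabitEthernet0/1
 ipv6 address FC00:4::1/64
"""

def parse_sections(config):
    """Split an IOS config into (header, [indented sub-lines]) blocks.
    Top-level lines (no leading space) open a block; indented lines belong to it."""
    sections, header, body = [], None, []
    for line in config.splitlines():
        if line.startswith(" "):
            body.append(line.strip())
        else:
            if header is not None:
                sections.append((header, body))
            header, body = line.strip(), []
    if header is not None:
        sections.append((header, body))
    return sections

def audit_dhcpv6(config):
    """Return (interface, pool) pairs that still serve DHCPv6 although
    'no service dhcp' is present; an empty list if IPv4 DHCP was never disabled."""
    sections = parse_sections(config)
    ipv4_disabled = any(h == "no service dhcp" for h, _ in sections)
    # Only pools that actually exist can hand out configuration.
    pools = {h.split()[-1] for h, _ in sections if h.startswith("ipv6 dhcp pool ")}
    findings = []
    for header, body in sections:
        if not header.startswith("interface "):
            continue
        for line in body:
            m = re.match(r"ipv6 dhcp server (\S+)", line)
            if m and m.group(1) in pools:
                findings.append((header.split(None, 1)[1], m.group(1)))
    return findings if ipv4_disabled else []
```

Each reported interface keeps answering DHCPv6 requests until its "ipv6 dhcp server" line is negated; "no service dhcp" alone does not touch it.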