Cisco 851 and 871 bridge between LAN and WAN interfaces during boot process
Our security experts have replicated the behavior and reported it to Cisco PSIRT. Fortunately it's a known vulnerability, documented as CSCsd60259 (release note is available on CCO to registered users) and fixed with a ROMMON upgrade.
New routers are shipped with new ROMMON version, so you shouldn't be seeing this behavior on brand new boxes … but one cannot help but wonder why such a nasty behavior was not documented as a field notice/security advisory.
RTBH links (and thanks for the acronym :)
The search results produced a few very interesting links, among them a well-structured presentation on RTBH that refers to a paper describing how you can detect remote DoS attacks with the backscatter analysis (assuming the attackers are randomly spoofing source IP addresses).
How do you know you're an SP-geek
- You're creating a multi-AS BGP test lab on Sunday evening;
- The core AS is running 12.2SRC code;
- You insert a P-router in the core network ... because every large network has P-routers;
- You create BGP session templates instead of configuring two parameters of a few IBGP neighbors;
- You configure MPLS in the core network instead of using BGP on all routers ... because it saves you a few BGP sessions ... and that's the way things should be done anyway;
- When configuring OSPF, you define inter-AS links as passive interfaces ... not because you're running OSPF in the other AS but for security reasons :)
- ... add your comment here ...
Please Comment: Is Asymmetric Routing Harmful?
We've always been trying to minimize asymmetric routing, in both design and implementation phase, as it impacts a number of IP services/features, including:
- Network Address Translation;
- Content-based Access Control (CBAC);
- Reflexive access lists;
- Redundant firewalls (at least until recently);
- IP Multicast;
In some scenarios, asymmetric routing can impact delay/jitter and consequently the perceived quality of service.
However, asymmetric routing is a reality within the Internet (it's close to impossible to guarantee symmetric routing even for multi-homed end users) and it might even help in some scenarios (low-speed/low-delay upstream link with high-speed/high-delay downstream link).
What's your opinion? Is asymmetric routing harmful? Should we strive to avoid it ... or do you just accept it as one of facts of life?
The “fallback global” VRF option does not exist in Cisco IOS
I'm reading your book MPLS and VPN Architecturesand I've found the ip vrf forwarding name fallback global command in the “Additional Lookup in the Global Routing Table” section. I can only find this command in Junos, but not in IOS.
… and he was right. When we were writing the book, we described several features that were still in development as it looked like they would be in the production code by the time the book was published. Many of them made it into the public IOS releases (for example, the Carrier's Carrier architecture), but some of them (like this command) simply vanished from the surface.
However, it looks like the engineers that switched from Cisco to Juniper took the concept with them and implemented it in JunOS, so JunOS has this feature but IOS doesn't.
This article is part of You've asked for it series.
A bug in the IOS “section” filter
Web Citation Archive
Labor day
The Impact of tx-ring-limit
Setting the size of the hardware output queue in Cisco IOS with the (then undocumented) tx-ring-limit (formerly known as tx-limit) has been a big deal when I was developing the first version of the QoS course that eventually became the initial release of the Implementing Cisco Quality of Service training.
However, while it's intuitively clear that the longer hardware queue affects the QoS, years passed before I finally took the time to measure the actual impact.
Display operational IPv6 interfaces
PE-A#show ipv6 interface brief | section up
Serial1/0 [up/up]
unassigned
Serial1/1 [up/up]
FE80::C800:CFF:FEA7:0
Loopback0 [up/up]
unassigned
The definition of the associated follow-up lines depends on the printout. Usually the indented lines are assumed to belong to a section, but you might be surprised.
What Is CLNS?
According to the results of my recent Do you use CLNS poll, around 10% of my readers use CLNS in their network, while 36% of them wonder what that acronym stands for.

Let's start with the acronyms. CLNS (Connection-Less Network Service) in combination with CLNP (Connection-Less Network Protocol) is the ISO (International Standards Organization) equivalent to IP.
MAC addresses on VLAN interfaces
Almost-Dynamic Routing over ADSL Interfaces
Recently I had to implement Internet access using ADSL as the primary link and ISDN as the backup link. Obviously the most versatile solution would use the techniques described in my Small Site Multi-homing articles, but the peculiarities of Cisco IOS implementation of the ADSL technology resulted in a much simpler solution.
IOS implementation of PPPoE links uses dialer interfaces. However, the “dialing” on these interfaces is activated as soon as the underlying PPPoE session is active (before the first interesting packet is routed to the interface). When the simulated dial-out occurs, the router starts PPP negotiations including the IPCP handshake, which usually results in an IP address assigned to the dialer interface. Net result: if the dialer interface has an IP address, the PPPoE session is obviously active (and vice versa).
Hot air party
However, what really prompted me to start writing this post was the "wisdom" spread by industry journalists. Network world was still moderate; the gentleman at LinuxWorld had some strong opinions. It would be OK if they would stop at bashing the new module (and questioning the value-for-price is always fair), but of course it's more fun being all over the place, evangelizing the beauties of PC-based open-source routers and the demise of traditional router vendors. While there's (yet again) nothing wrong with open-source, let's bring a bit of the history into the picture:
- 15 years ago, someone had a great idea to install WAN cards and routing software into PC servers. The journalists greeted that idea as the downfall of dedicated routers. Guess what ... it flopped and the router market continued to grow.
- Cheap Layer-3 switches have been greeted as the next router killer. We still have routers and switches in our networks.
- People have been using Linux as their home firewalls for years ... and it hasn't really impacted the low-end router market; SOHO users are still preferring to buy Linksys (or whatever other cheap low-end brand) over configuring firewall on Linux.
- Public-domain BGP implementations have been around for as long as I can remember and they are not bad. Some people with very low budget use them for route servers ... but Cisco and Juniper are still selling high-end boxes.
In the real world of networks that have more than a few routers, if you have enough budget to buy yourself a good night's sleep, you usually install dedicated routing hardware ... but I guess this is not the sort of story that would sell the industry journals.
Interesting posts
A few interesting posts found on the Internet: