Author: Valter Popeskic

Some of my readers commented on my old article about reflexive access-list with issues in the configuration. I tried it in the lab again to be sure I didn’t make any mistake in the configuration example and here I’m sharing the lab and the config used.

About Reflexive Access Lists

Extended ACLs are a special kind of extended access-lists that have limited stateful behaviour technique implemented for TCP sessions. It is better to say that reflexive access-list is simulating stateful behaviour because it, by use of ‘established’ command, is allowing TCP packets that have the ‘ACK’ bit set but not the initial ‘SYN-only’ packet. In this way, we are effectively permitting only the packets that are part of an established session.

In my prior article, I showed how this works by enabling PING from PC1 in VLAN 10 to PC2 in VLAN 20 but not the other way.

I created the lab topology in GNS3:

I was planning for some time now to make a list of books I read recently, here’s the list

It should be something like a book reading suggestion list in order to maybe help you pick the right materials in your networking technology learning journey.

On the top are the books I used most while studying for my certs but also some of them are the books that I usually carry with me on my Kindle or PDF wherever I go. It is always a good idea to have those books on you so you can have a look at some details when you need them.

I already wrote about Control Plane Protection in one of my previous posts focused on Cisco device configuration. Here we will make the same thing on Juniper device, I was using Juniper SRX300 and Juniper SRX1500 devices in my lab.

CoPP ??

Control Plane Protection (CoPP) is a method of protecting processor unit, running services on your network device, against excessive flooding. Excessive flooding of traffic aimed towards your router/firewall processor, being that valid or malicious, is always undesirable and can also be dangerous.

A network device, which starts the receive more control traffic that his processor can process, will eventually experience control traffic packet drops and it will lead to some of the router functions to become unstable. Some of the most common control traffic generating services on a router are routing protocols with different update packets, Spanning Tree with BPDU packets, HSRP, CDP, ARP, and different management traffic services like SSH, SNMP, RADIUS etc.

Some of those control plane traffic types are more important than others but they all have in common the fact that they don’t normally use much bandwidth to function. Having that in mind, it is easy to conclude that the situation above with router processor at 100% because of control plane traffic is most surely caused by a DDoS attack towards your device.

More unusual is the situation when a neighboring device is experiencing some kind of malfunction which makes him send large amounts of control plane traffic out of his interfaces towards your device.

CoPP is the best way to avoid this kind of attacks or malfunctions to get in the way of your network device stability. CoPP is basically configuration of QoS inbound to your device control plane (CPU).

CoPP Best Practices

The way to configure CoPP in the most stable and effective way is to use guaranteed minimal available bandwidth for each control plane traffic type.

If you have a Juniper device that needs to be sent to RMA or you are just putting it to some other use on your network, you will probably want to completely clear the configuration on it.

There are different ways to do it for different purpose.

If you want to securely wipe all data from this device and make it completely like when you received it from the store then next command is the right one to use:

I know, this is not about networking but I received few great feedbacks to my posts about the matter so I decided to share with you the materials I used to write it. It’s not about networking, but it is about everything.

QUANTA?!

I was writing about quantum cryptography and quantum key distribution process few months ago (which are network related). When I started to write those articles I was not aware that it will take me more that two months to write something close to understandable about quantum world. As it came out, like many times before, I was in unknown unknowns with that part of physics. I needed to start from scratch and learn some basics about quantum physics so I could understand and finally write about the application of quantum theory to computer network encryption process.

I went through few very interesting and not to extensive books and articles which helped me to get the basic info about quantum physics. Quantum physics basically describes how everything in the universe works starting from small to huge things and stuff that can not be described as things like different energy states etc. Things work differently if you zoom inside atoms and the way stuff is working down there will blow your mind.