<?xml version="1.0" encoding="UTF-8" standalone="no"?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><rss xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" version="2.0"><channel><title>Show IP Protocols</title><description>Build Your Dream Internet with Li-Ji Hong (洪李吉)</description><managingEditor>noreply@blogger.com (Li-Ji Hong)</managingEditor><pubDate>Sun, 5 Apr 2026 18:22:49 +0800</pubDate><generator>Blogger http://www.blogger.com</generator><openSearch:totalResults xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/">182</openSearch:totalResults><openSearch:startIndex xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/">1</openSearch:startIndex><openSearch:itemsPerPage xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/">25</openSearch:itemsPerPage><link>https://showipprotocols.blogspot.com/</link><language>en-us</language><itunes:explicit>no</itunes:explicit><copyright>This work by LI-JI HONG is licensed under a Creative Commons Attribution 3.0 Unported License.</copyright><itunes:image href="https://2.bp.blogspot.com/-bJm7V72DY64/WNsXe7AqF9I/AAAAAAAG3b4/53ZVwrrVQnkkbHLJx6cljzajBN5uqnjagCLcB/s1600/sip-logo-1-1400x1400.png"/><itunes:keywords>Internet,Cisco</itunes:keywords><itunes:summary>Audio version of Blog "Show IP Protocols".</itunes:summary><itunes:subtitle>Build Dream Internet</itunes:subtitle><itunes:category text="Education"><itunes:category text="Training"/></itunes:category><itunes:category text="Technology"/><itunes:author>Li-Ji Hong (洪李吉)</itunes:author><itunes:owner><itunes:email>hongliji@gmail.com</itunes:email><itunes:name>Li-Ji Hong (洪李吉)</itunes:name></itunes:owner><xhtml:meta content="noindex" name="robots" xmlns:xhtml="http://www.w3.org/1999/xhtml"/><item><title>What can we do after “US bans new foreign-made routers”?</title><link>https://showipprotocols.blogspot.com/2026/04/after-us-foreign-router-ban.html</link><pubDate>Sun, 5 Apr 2026 18:16:00 +0800</pubDate><guid 
isPermaLink="false">tag:blogger.com,1999:blog-6616815944293602407.post-6848043291864450923</guid><description>&lt;p&gt;On March 23, 2026, Federal Communications Commission (FCC) of the United States announced, “Covered List to Include Foreign-Made Consumer Routers, Prohibiting Approval of New Models”. When a product is in Covered List, it means FCC will not inspect that product. That is, no permission at all from FCC for us to import, sell, or use that product inside the United States. Effectively, the United States bans that product. That is why most press said, “US bans foreign-made routers.”&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;blockquote&gt;&lt;a href="https://docs.fcc.gov/public/attachments/DOC-420034A1.pdf" target="_blank"&gt;FACT SHEET: FCC Updates Covered List to Include Foreign-Made Consumer Routers, Prohibiting Approval of New Models&lt;/a&gt;&lt;/blockquote&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;It looked frightening when I first read it. The impacts are not immediate, however.&lt;/p&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqpe4LQSJPihwwm5Cb1LcuHvsAkmj0s-j7v2BfOyEZfB39vQn5EGKZp-s5brGWsEZDGpX1x2udez2q6n0qvIFEn_2Vv7i_qh_97x-o-SBaZt9318vpP17245TTFT9NAHTxCf8vrHgjQ5kNwT6-2W55JoOMobWX4XOoHkuIYbq3ZCmygTtEe6ng9pWLLQw/s4032/IMG_3136.jpg" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="3024" data-original-width="4032" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqpe4LQSJPihwwm5Cb1LcuHvsAkmj0s-j7v2BfOyEZfB39vQn5EGKZp-s5brGWsEZDGpX1x2udez2q6n0qvIFEn_2Vv7i_qh_97x-o-SBaZt9318vpP17245TTFT9NAHTxCf8vrHgjQ5kNwT6-2W55JoOMobWX4XOoHkuIYbq3ZCmygTtEe6ng9pWLLQw/w640-h480/IMG_3136.jpg" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: 
center;"&gt;&lt;a href="https://maps.app.goo.gl/zwLJ62yc6AuVHXFg6" target="_blank"&gt;Jianshan Hill Observation Deck (尖山觀景平台)&lt;/a&gt;&lt;br /&gt;overlooking Taipei City, New Taipei City, and Tamsui River of Taiwan.&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;span&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;/span&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;h3 style="text-align: left;"&gt;Only for new models&lt;/h3&gt;&lt;p&gt;This new policy only applies to new models of foreign-made routers. For any existing models already approved by FCC, we can still legally import, sell, or use them inside the United States.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;blockquote&gt;New devices on the Covered List, such as foreign-made consumer-grade routers, are prohibited from receiving FCC authorization and are therefore prohibited from being imported for use or sale in the U.S. This update to the Covered List does not prohibit the import, sale, or use of any existing device models the FCC previously authorized.&lt;/blockquote&gt;In addition, FCC also added exceptions to foreign-made routers on this new policy: if Department of War (DoW) or Department of Homeland Security (DHS) approves your foreign-made routers, they are exempt from the Covered List. FCC will inspect them as before and give permission for us to import, sell, or use them if they are qualified.&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;blockquote&gt;Producers of consumer-grade routers that receive Conditional Approval from DoW or DHS can continue to receive FCC equipment authorizations. Interested applicants are encouraged to submit applications to conditional-approvals@fcc.gov.&lt;/blockquote&gt;&lt;p&gt;&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;My suggestions for foreign manufacturers&lt;/h3&gt;&lt;p&gt;Impacts are NOT on consumers. Impacts are on foreign manufacturers. I have two suggestions for foreign manufacturers.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;1. 
Contact and arrange new product lines for approval by DoW or DHS.&lt;/h3&gt;&lt;p&gt;According to the same announcement: contact "conditional-approvals@fcc.gov". Although FCC did not provide further details, this is still a viable option.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;2. Migrate your manufacturing facilities into the United States.&lt;/h3&gt;&lt;p&gt;This new policy only applies to “foreign made” routers. That is, any routers manufactured inside the United States are exempt from this new policy.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;h1 style="text-align: left;"&gt;One more thing…&lt;/h1&gt;&lt;p&gt;The United States raised security standards to protect her own security. I understand and I respect it.&lt;/p&gt;&lt;p&gt;This new policy only applies to “consumer routers.” Higher-end routers such as Cisco’s enterprise-grade routers are not among them. The United States has already set significantly stricter requirements for enterprise-grade routers, including NDAA compliance.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqpe4LQSJPihwwm5Cb1LcuHvsAkmj0s-j7v2BfOyEZfB39vQn5EGKZp-s5brGWsEZDGpX1x2udez2q6n0qvIFEn_2Vv7i_qh_97x-o-SBaZt9318vpP17245TTFT9NAHTxCf8vrHgjQ5kNwT6-2W55JoOMobWX4XOoHkuIYbq3ZCmygTtEe6ng9pWLLQw/s72-w640-h480-c/IMG_3136.jpg" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><georss:featurename xmlns:georss="http://www.georss.org/georss">Wanhua District, Taipei City, Taiwan</georss:featurename><georss:point xmlns:georss="http://www.georss.org/georss">25.0262857 121.4970294</georss:point><georss:box xmlns:georss="http://www.georss.org/georss">-3.2839481361788465 86.3407794 53.336519536178841 156.6532794</georss:box><author>hongliji@gmail.com (Li-Ji Hong (洪李吉))</author></item><item><title> BGP 
Millionaire</title><link>https://showipprotocols.blogspot.com/2025/05/bgp-millionaire.html</link><category>BGP</category><pubDate>Sun, 4 May 2025 13:50:00 +0800</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6616815944293602407.post-5166247166182234227</guid><description>&lt;p&gt;【 BGP Millionaire】&lt;/p&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiS0nfzpYzBHbZwtJmVKN99QnHSW-G1AgWYN8etl9HXtZ8TKpbtBxFGaPvBNlkQz_uYbTYt4qE2CxhGyb5egTuE94xyh1Yoxa06Dgt3l8Fkutz8uKP7Vyts8-KUeWTzmscXIdNn6-q0n445MkxtL9B2tw4D83uJRDrz5nd3i_vdHRUhDYldRwhtQheDXXo/s613/bgp-plot-feb-apr2025-mark.png" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="466" data-original-width="613" height="486" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiS0nfzpYzBHbZwtJmVKN99QnHSW-G1AgWYN8etl9HXtZ8TKpbtBxFGaPvBNlkQz_uYbTYt4qE2CxhGyb5egTuE94xyh1Yoxa06Dgt3l8Fkutz8uKP7Vyts8-KUeWTzmscXIdNn6-q0n445MkxtL9B2tw4D83uJRDrz5nd3i_vdHRUhDYldRwhtQheDXXo/w640-h486/bgp-plot-feb-apr2025-mark.png" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;I used &lt;a href="https://www.cidr-report.org/cgi-bin/plota?file=%2fvar%2fdata%2fbgp%2fas2.0%2fbgp%2dactive%2etxt&amp;amp;descr=Active%20BGP%20entries%20%28FIB%29&amp;amp;ylabel=Active%20BGP%20entries%20%28FIB%29&amp;amp;with=step" target="_blank"&gt;this tool&lt;/a&gt; to generate this plot.&lt;br /&gt;Plot Range: 01-Feb-2025 0001 to 30-Apr-2025 0030.&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;p&gt;Recently I observed and noticed that, global IPv4 BGP table size has already grown over 1 million entries, around February to April time in this year, 
2025.&lt;/p&gt;&lt;p&gt;&lt;span&gt;&lt;/span&gt;&lt;/p&gt;&lt;a name='more'&gt;&lt;/a&gt;I want to clarify this first. By the number “one million” I mean exactly the number “1,000,000”. I understand most people are more familiar with another number, “1,024*1,024=1,048,576”, as “1 Mega” of something. We do not have that many BGP entries yet. I believe that within weeks the global IPv4 BGP table size will also surpass this “1 Mega” number.&lt;p&gt;&lt;/p&gt;&lt;p&gt;Will this event also trigger BGP packet forwarding problems like those in 2014? I did a little research, and I found that service providers’ routers in recent years have capacity for far more than one million entries in the hardware packet forwarding information base (FIB). That is, we need not worry about any incidents at all. We can safely celebrate this “one million” day.&lt;/p&gt;&lt;p&gt;To all TCP/IP networkers, we are all Millionaires today.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;h2 style="text-align: left;"&gt;One more thing…&lt;/h2&gt;&lt;p&gt;How about the number of BGP entries for global IPv6? 
The global BGP table size for IPv6 is around 220,000, as of May 4, 2025.&lt;/p&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJUEXCCzg05mC-csNHXo-jUe5RqA_5JhVLnPUXcsiCOGVa3V7Mn3R4bxBaI8eCdzRUGpAp5kAh6IHc8wgr8gU2ZU2oxEb8LdQmdhSbw-cblIKi5V-Ly0rGg0DLJc6O7cFMbctT7WlP1gmMpIEKP3QsXkbGVhmyICiooFVWQU-Wqia2GnTnXz_8O4YIsvM/s615/ipv6-bgp-plot-y2025may4-mark.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="465" data-original-width="615" height="484" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJUEXCCzg05mC-csNHXo-jUe5RqA_5JhVLnPUXcsiCOGVa3V7Mn3R4bxBaI8eCdzRUGpAp5kAh6IHc8wgr8gU2ZU2oxEb8LdQmdhSbw-cblIKi5V-Ly0rGg0DLJc6O7cFMbctT7WlP1gmMpIEKP3QsXkbGVhmyICiooFVWQU-Wqia2GnTnXz_8O4YIsvM/w640-h484/ipv6-bgp-plot-y2025may4-mark.png" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;I used &lt;a href="https://www.cidr-report.org/cgi-bin/plota?file=%%2fvar%%2fdata%%2fbgp%%2fv6%%2fas2.0%%2fbgp%%2dactive%%2etxt&amp;amp;descr=Active%%20BGP%%20entries%%20%%28FIB%%29&amp;amp;ylabel=Active%%20BGP%%20entries%%20%%28FIB%%29&amp;amp;with=step" target="_blank"&gt;this tool&lt;/a&gt; to generate this plot.&lt;br /&gt;Plot Range: 01-Feb-2025 0001 to 04-May-2025 0004&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" 
url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiS0nfzpYzBHbZwtJmVKN99QnHSW-G1AgWYN8etl9HXtZ8TKpbtBxFGaPvBNlkQz_uYbTYt4qE2CxhGyb5egTuE94xyh1Yoxa06Dgt3l8Fkutz8uKP7Vyts8-KUeWTzmscXIdNn6-q0n445MkxtL9B2tw4D83uJRDrz5nd3i_vdHRUhDYldRwhtQheDXXo/s72-w640-h486-c/bgp-plot-feb-apr2025-mark.png" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><georss:featurename xmlns:georss="http://www.georss.org/georss">Wanhua District, Taipei City, Taiwan 108</georss:featurename><georss:point xmlns:georss="http://www.georss.org/georss">25.0262857 121.4970294</georss:point><georss:box xmlns:georss="http://www.georss.org/georss">-3.2839481361788465 86.3407794 53.336519536178841 156.6532794</georss:box><author>hongliji@gmail.com (Li-Ji Hong (洪李吉))</author></item><item><title> How do we fix a broken submarine fiber cable?</title><link>https://showipprotocols.blogspot.com/2025/01/how-do-we-fix-broken-submarine-fiber.html</link><category>Fiber Optics</category><pubDate>Sat, 11 Jan 2025 08:02:00 +0800</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6616815944293602407.post-3713668200556879862</guid><description>&lt;p&gt;A submarine cable cutting incident happened recently at the &lt;a href="https://en.wikipedia.org/wiki/2024_Baltic_Sea_submarine_cable_disruptions" target="_blank"&gt;Baltic Sea&lt;/a&gt;. 
Another similar incident also happened &lt;a href="https://www.ft.com/content/be994bfb-7299-4334-829d-230dddbc7e25" target="_blank"&gt;north of Taiwan.&lt;/a&gt;&amp;nbsp;&lt;/p&gt;&lt;div class="video-container"&gt;&lt;iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen="" frameborder="0" height="315" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube.com/embed/halaamAFcRU?si=oEmTIURyE-lq41_X" title="YouTube video player" width="560"&gt;&lt;/iframe&gt;&lt;/div&gt;&lt;p&gt;I wanted to know more about how to repair a broken submarine fiber cable. I did my research on the Internet. I summarize my findings and list the key repair steps below.&lt;/p&gt;&lt;p&gt;1.&lt;span style="white-space: pre;"&gt;	&lt;/span&gt;The submarine cable was working.&lt;/p&gt;&lt;p&gt;Initially, the working submarine cable was below the sea water and above the seabed. The submarine cable follows and fits the terrain of the seabed.&lt;/p&gt;&lt;p&gt;2.&lt;span style="white-space: pre;"&gt;	&lt;/span&gt;A fault happens.&lt;/p&gt;&lt;p&gt;Examples of faults are punctured insulation, fiber core breaks, and cable cuts.&lt;/p&gt;&lt;p&gt;Faults could be caused by natural factors, such as the aging of the cable itself, earthquakes, falling rocks, and shark bites. Faults could also be caused by human factors, such as dragging fishing nets, anchor strikes, and malicious sabotage.&lt;/p&gt;&lt;span&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;/span&gt;&lt;p&gt;3.&lt;span style="white-space: pre;"&gt;	&lt;/span&gt;Use OTDR to pinpoint faulty segments. Send the repair ship to Location A.&lt;/p&gt;&lt;p&gt;An Optical Time-domain Reflectometer (OTDR) is a device that measures the distance from the fiber ends to the fiber core breaks. It emits laser beams and measures the travel time of their reflections. With this distance estimate, we can locate the faulty segments on the fiber route map. 
Now we know the faults are between Location A and Location B. We can send the repair ship to Location A.&lt;/p&gt;&lt;p&gt;4.&lt;span style="white-space: pre;"&gt;	&lt;/span&gt;Cut the cable at End A.&lt;/p&gt;&lt;p&gt;Because in the next step we will float End A of this cable to the surface of the sea water, we must cut the cable.&lt;/p&gt;&lt;p&gt;To find the cable and an appropriate spot to cut the cable under the sea water, we can make use of special towed grabbing devices, or undersea robots.&lt;/p&gt;&lt;p&gt;It might surprise you. We do not do undersea repairs of a broken cable. We simply cut the problematic segment away and replace it with spare cable. We do all the splicing at the surface on the repair ship.&lt;/p&gt;&lt;p&gt;5.&lt;span style="white-space: pre;"&gt;	&lt;/span&gt;Attach a buoy to mark and float End A.&lt;/p&gt;&lt;p&gt;Now, we can attach a buoy to float End A to the surface. It also marks the location of End A at the surface so the repair ship can go back to grab End A later.&lt;/p&gt;&lt;p&gt;6.&lt;span style="white-space: pre;"&gt;	&lt;/span&gt;Send the repair ship to Location B. Grab End B onto the repair ship.&lt;/p&gt;&lt;p&gt;The repair ship can now travel to Location B. Using the same approach as at Location A, the repair ship can also find End B and float it to the repair ship.&lt;/p&gt;&lt;p&gt;We can now grab End B of the cable onto the repair ship.&lt;/p&gt;&lt;p&gt;7.&lt;span style="white-space: pre;"&gt;	&lt;/span&gt;Splice End B to the spare new cable.&lt;/p&gt;&lt;p&gt;We can now splice End B of the cable to spare cable rolls. To splice fiber cables, we usually deploy special splicing and insulation kits to ease fusion operations on fiber cores aboard the rocking repair ship.&lt;/p&gt;&lt;p&gt;8.&lt;span style="white-space: pre;"&gt;	&lt;/span&gt;Lay the newly spliced cable all the way to Location A.&lt;/p&gt;&lt;p&gt;After the splicing, the repair ship can now gradually lay the newly spliced cable back down to the seabed. 
Repeat this process all the way back to Location A at the buoy.&lt;/p&gt;&lt;p&gt;9.&lt;span style="white-space: pre;"&gt;	&lt;/span&gt;Splice End A to the newly spliced cable.&lt;/p&gt;&lt;p&gt;At Location A, we can find the floated End A of the cable easily because of the buoy. Grab End A onto the repair ship and again splice End A to the newly spliced cable.&lt;/p&gt;&lt;p&gt;After this step, the connectivity of the cable is restored. We can now also restore the cable back to its original location on the seabed.&lt;/p&gt;&lt;p&gt;10.&lt;span style="white-space: pre;"&gt;	&lt;/span&gt;Release the cable down to the seabed.&lt;/p&gt;&lt;p&gt;We can now release the repaired cable from the repair ship and drop it down to its original place on the seabed. We might make cable adjustments when necessary.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;h2 style="text-align: left;"&gt;One more thing…&lt;/h2&gt;&lt;p&gt;We need specialized repair ships before we can do any repairs of the broken cable. However, few such repair ships are standing by around the globe. Even when the repair ship can travel at a high speed of thirty knots, which is unlikely, it still cannot reach sixty kilometers per hour. It would take days or even weeks just for one repair ship to arrive at the faulty location.&lt;/p&gt;&lt;p&gt;As network operators, we must always have redundant paths and backup cables when we design a submarine fiber cable system.&lt;/p&gt;&lt;p&gt;Next, we also know that each splice adds attenuation to the signal passing through the fiber. After enough repair and splicing operations on the fiber cable, the whole fiber cable becomes unusable, and that is the end of its life. That is, any deployed submarine fiber cable has a limited lifetime. 
We must be prepared to replace the whole fiber cable when it reaches the end of its lifetime.&lt;/p&gt;&lt;p&gt;Last but not least, should the broken submarine fiber cable incident be the result of human sabotage, I have two recommendations:&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;ol style="text-align: left;"&gt;&lt;li&gt;Add more repair ships near the troublesome area. This will reduce our waiting time for the repair ship to arrive.&lt;/li&gt;&lt;li&gt;Add patrolling guard ships along the submarine cable route. Normally, merchant ships should never be stationary and anchored in the middle of the sea. If they are, they are suspected of intentional sabotage.&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;div class="flashcard"&gt;
    &lt;div class="front" onclick="gtag('event', 'PostFlashcardFrontClick');"&gt;
      &lt;p&gt;What do we use to measure the distance to the fiber core breaks?&lt;br /&gt;&lt;br /&gt;Click to show the answer.&lt;/p&gt;
    &lt;/div&gt;
    &lt;div class="back" onclick="gtag('event', 'PostFlashcardBackClick');"&gt;
      &lt;p&gt;"Optical Time-domain Reflectometer (OTDR)"&lt;/p&gt;
    &lt;/div&gt;
&lt;/div&gt;</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://img.youtube.com/vi/halaamAFcRU/default.jpg" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>hongliji@gmail.com (Li-Ji Hong (洪李吉))</author></item><item><title>BGP AS-Path Filtering, Demonstration</title><link>https://showipprotocols.blogspot.com/2025/01/bgp-as-path-filtering-demonstration.html</link><category>BGP</category><pubDate>Sun, 5 Jan 2025 20:19:00 +0800</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6616815944293602407.post-962981019932675321</guid><description>&lt;p&gt;How many of you are working with BGP in your daily job? Let me know in the comments below this post.&lt;/p&gt;&lt;p&gt;I also created a live demonstration about filtering based on BGP AS-Path with Regular Expressions. I hope it is helpful to you.&lt;/p&gt;&lt;div class="video-container"&gt;&lt;iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen="" frameborder="0" height="315" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube.com/embed/ZhNPdVH52DE?si=NfKrqTKOfY0bKUBD" title="YouTube video player" width="560"&gt;&lt;/iframe&gt;&lt;/div&gt;
&lt;a name='more'&gt;&lt;/a&gt;
&lt;div class="flashcard"&gt;
    &lt;div class="front" onclick="gtag('event', 'PostFlashcardFrontClick');"&gt;
      &lt;p&gt;What is the main command demonstrated in this video?&lt;br/&gt;&lt;br/&gt;Click to show the answer.&lt;/p&gt;
    &lt;/div&gt;
    &lt;div class="back"  onclick="gtag('event', 'PostFlashcardBackClick');"&gt;
      &lt;p&gt;"show ip bgp regexp ..."&lt;/p&gt;
    &lt;/div&gt;
&lt;/div&gt;</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://img.youtube.com/vi/ZhNPdVH52DE/default.jpg" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>hongliji@gmail.com (Li-Ji Hong (洪李吉))</author></item><item><title>Cisco IOS Live demo: Filtering with Regex</title><link>https://showipprotocols.blogspot.com/2024/12/cisco-ios-live-demo-filtering-with-regex.html</link><category>IOS</category><pubDate>Tue, 31 Dec 2024 16:22:00 +0800</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6616815944293602407.post-8843794537637214364</guid><description>&lt;div&gt;&lt;br /&gt;&lt;/div&gt;I share my technique about how I use Regular Expression (regex) to filter out show commands' output.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;How do you like this video? Let me know at the comments area of this post, or on YouTube.&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;div class="video-container"&gt;&lt;iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen="" frameborder="0" height="315" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube.com/embed/d65zAsQni-k?si=taBhtYyUGhDEW8J3" title="YouTube video player" width="560"&gt;&lt;/iframe&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;
&lt;a name='more'&gt;&lt;/a&gt;
&lt;div class="flashcard"&gt;
    &lt;div class="front" onclick="gtag('event', 'PostFlashcardFrontClick');"&gt;
      &lt;p&gt;What is the main command demonstrated in this video?&lt;br/&gt;&lt;br/&gt;Click to show the answer.&lt;/p&gt;
    &lt;/div&gt;
    &lt;div class="back"  onclick="gtag('event', 'PostFlashcardBackClick');"&gt;
      &lt;p&gt;"show interfaces | include ..."&lt;/p&gt;
    &lt;/div&gt;
&lt;/div&gt;</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://img.youtube.com/vi/d65zAsQni-k/default.jpg" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>hongliji@gmail.com (Li-Ji Hong (洪李吉))</author></item><item><title>Cool Immersive Cooling</title><link>https://showipprotocols.blogspot.com/2024/06/cool-immersive-cooling.html</link><category>Data Center</category><pubDate>Wed, 5 Jun 2024 13:47:00 +0800</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6616815944293602407.post-2773088610559189396</guid><description>&lt;p&gt;&lt;/p&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-Rle-xa5Nsr3xo7qcJmxmrlQAP_rBzj9B-PFn-x3b-FVBbeD3MORVUuDSLGkNMemJuAYMZM_4Dp5xQ2ETRvm1t-6qt0YsyJ8H4OwNABMcTfIwtrRAZkBPd2rbdROc2dkXggZxUfnOjcEtxVL7ETYgKWQ2oajZxvqguE2zgzKlr2cl-KG9Uu0WtPyeqXM/s720/ueVWzwnBFmljZxbo.mp4_snapshot_00.00_%5B2024.06.05_13.41.57%5D.jpg" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" data-original-height="720" data-original-width="720" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-Rle-xa5Nsr3xo7qcJmxmrlQAP_rBzj9B-PFn-x3b-FVBbeD3MORVUuDSLGkNMemJuAYMZM_4Dp5xQ2ETRvm1t-6qt0YsyJ8H4OwNABMcTfIwtrRAZkBPd2rbdROc2dkXggZxUfnOjcEtxVL7ETYgKWQ2oajZxvqguE2zgzKlr2cl-KG9Uu0WtPyeqXM/w200-h200/ueVWzwnBFmljZxbo.mp4_snapshot_00.00_%5B2024.06.05_13.41.57%5D.jpg" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;p&gt;I was so amazed about this cooling technology. It is new to me.&lt;/p&gt;&lt;p&gt;Thinking about liquid cooling for servers and networking devices, coming into my mind are tightly sealed water pipes around the circuit boards. This is different. 
The circuit board and everything else are simply immersed in liquid.&lt;/p&gt;&lt;p&gt;&lt;a href="https://x.com/CiscoSP360/status/1797747657663754535" target="_blank"&gt;Cisco Service Provider Tweet&lt;/a&gt;&lt;/p&gt;&lt;span&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;/span&gt;&lt;p&gt;The cooling liquid looks like water to me. However, I know the simple physics that water is electrically conductive. Even a drop of water on a running circuit will surely short-circuit everything and burn them all. Is there any new coating technology over the metal so circuit boards nowadays can be waterproof?&lt;/p&gt;&lt;p&gt;After watching this video, I now know the key is the liquid itself.&lt;/p&gt;&lt;div class="video-container"&gt;&lt;iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen="" frameborder="0" height="315" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube.com/embed/PvmMs6mU0NU?si=H3GEtq9uf1iNxONw" title="YouTube video player" width="560"&gt;&lt;/iframe&gt;&lt;/div&gt;&lt;p&gt;&lt;a href="https://youtu.be/PvmMs6mU0NU?si=-NgiEM5AbHxdu_kE"&gt;https://youtu.be/PvmMs6mU0NU?si=-NgiEM5AbHxdu_kE&lt;/a&gt;&lt;/p&gt;&lt;p&gt;That liquid is a product named “ElectroCool Dielectric Coolant” by “Engineered Fluids.” It is not conductive up to tens of kilovolts with kiloamperes. When we pour this liquid onto a running circuit board, it is as if a “denser air” is filling in and replacing the original natural air. 
All the magic is in the liquid itself.&lt;/p&gt;&lt;p&gt;Although I do not have confirmation from Cisco, I do believe the liquid used in the Cisco Live demo video should be exactly “ElectroCool Dielectric Coolant,” or at least a similar product from other vendors.&lt;/p&gt;&lt;p&gt;I can see benefits of this “cool” liquid coolant:&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;ol style="text-align: left;"&gt;&lt;li&gt;It is as transparent as air, not conductive, and has better capacity for heat dissipation.&lt;/li&gt;&lt;li&gt;This technology makes less fan noise. It makes noisy data centers quiet.&lt;/li&gt;&lt;li&gt;This liquid is not toxic, according to the demo.&lt;/li&gt;&lt;li&gt;Easier to deploy. It is much easier than installing sealed water pipes around circuit boards.&lt;/li&gt;&lt;li&gt;Fiber optics still work under this liquid. Refraction is not a problem.&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;&lt;/p&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;h1 style="text-align: left;"&gt;One more thing…&lt;/h1&gt;&lt;p&gt;I also have a couple of doubts about deploying this technology.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;ol style="text-align: left;"&gt;&lt;li&gt;Is this liquid corrosive, so that circuitry would stop working given enough time? 
What about rotating fans?&lt;/li&gt;&lt;li&gt;Will this liquid easily vaporize itself so we must refill the liquid frequently?&lt;/li&gt;&lt;li&gt;When this coolant contacts plain water, such as firewater, condensed water drops, or rain waters, what would happen?&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;It is an interesting new cooling technology for me to observe on.&lt;/p&gt;</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-Rle-xa5Nsr3xo7qcJmxmrlQAP_rBzj9B-PFn-x3b-FVBbeD3MORVUuDSLGkNMemJuAYMZM_4Dp5xQ2ETRvm1t-6qt0YsyJ8H4OwNABMcTfIwtrRAZkBPd2rbdROc2dkXggZxUfnOjcEtxVL7ETYgKWQ2oajZxvqguE2zgzKlr2cl-KG9Uu0WtPyeqXM/s72-w200-h200-c/ueVWzwnBFmljZxbo.mp4_snapshot_00.00_%5B2024.06.05_13.41.57%5D.jpg" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><georss:featurename xmlns:georss="http://www.georss.org/georss">Wanhua District, Taipei City, Taiwan 108</georss:featurename><georss:point xmlns:georss="http://www.georss.org/georss">25.0262857 121.4970294</georss:point><georss:box xmlns:georss="http://www.georss.org/georss">-3.2839481361788465 86.3407794 53.336519536178841 156.6532794</georss:box><author>hongliji@gmail.com (Li-Ji Hong (洪李吉))</author></item><item><title>Breaking 100K Entries is the Global IPv6 BGP Table</title><link>https://showipprotocols.blogspot.com/2020/12/ipv6-bgp-over-100k.html</link><category>BGP</category><category>IPv6</category><pubDate>Sun, 6 Dec 2020 10:01:00 +0800</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6616815944293602407.post-7263434070742648542</guid><description>&lt;p&gt;&lt;/p&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBbWA0WhG5VNokeI3XYcuQLrbhSMK-BSdP1spPVFl-t0uHwhuaz4ZlD1eSL-MLA8dC4dAgcgG2PmSiaM3SHdYMjQmY4Tp9mvbFMFqrXEAzcI3bcjS_GyvGuTenMEplJjwqe6oqGagllyc/s4608/20201127_143724.jpg" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" data-original-height="3456" data-original-width="4608" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBbWA0WhG5VNokeI3XYcuQLrbhSMK-BSdP1spPVFl-t0uHwhuaz4ZlD1eSL-MLA8dC4dAgcgG2PmSiaM3SHdYMjQmY4Tp9mvbFMFqrXEAzcI3bcjS_GyvGuTenMEplJjwqe6oqGagllyc/w200-h150/20201127_143724.jpg" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;This year, 2020, around November I started to see the global IPv6 BGP Table is getting more than 100K entries. Although the number is going above and under 100K from time to time, starting from the end of November I can safely say it is breaking 100K entries right now.&lt;p&gt;&lt;/p&gt;&lt;p&gt;This is an interesting milestone for IPv6. That means a massive majority of people are using IPv6 today. I want to note down this moment. 
And I want to share 3 of my own observations about the IPv6 BGP table.&lt;/p&gt;&lt;span&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;/span&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgik_xhUuWdBWv_kOXIMYiQzZQ9MQ85SO2bjgQ8nj7fqmdGvADHyPPCtGfnPuUBcaSJMx30wZNcfwovZuUZ2eMdI51oR6tCl-wZpxoQYdW2uUnZwKKZ13xOEOrAY7c2ii3fD3h6vTE9JZI/s1920/0003.jpg" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="1080" data-original-width="1920" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgik_xhUuWdBWv_kOXIMYiQzZQ9MQ85SO2bjgQ8nj7fqmdGvADHyPPCtGfnPuUBcaSJMx30wZNcfwovZuUZ2eMdI51oR6tCl-wZpxoQYdW2uUnZwKKZ13xOEOrAY7c2ii3fD3h6vTE9JZI/w640-h360/0003.jpg" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Source:&amp;nbsp;&lt;a href="https://twitter.com/bgp6_table/status/1330964625127583744/photo/1" target="_blank"&gt;https://twitter.com/bgp6_table/status/1330964625127583744/photo/1&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Number of IPv6 BGP entries is going up and down&lt;/h3&gt;&lt;p&gt;Internet is a collection of distributed, self-managed networks. No single authority can dictate how the BGP configuration should be done on all different networks. Each of the network administrators could choose when and how to add or remove BGP entries in different occasions.&lt;/p&gt;&lt;p&gt;It is natural for BGP table to grow and shrink from time to time.&lt;/p&gt;&lt;p&gt;For example, network administrators might decide to remove assigned but not used yet networks from BGP configurations. 
By this action, the number of BGP entries could go down.&lt;/p&gt;&lt;p&gt;Another example, to achieve load spreading, administrators might break their own IPv6 prefixes into smaller ones and advertise them to different BGP neighbors. By this action, the number of BGP entries could go up.&lt;/p&gt;&lt;p&gt;And of course, upon expanding networks with more prefixes, or dying companies returning prefixes to Internet Regional Registries, the BGP table would grow or shrink accordingly.&lt;/p&gt;&lt;p&gt;Configuration errors could also result in fluctuations of the total number of BGP entries.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEii94NOW3Smhcd_LmIsB2xNxcQ24sS1iV5t5rH8LZWIrvEirSHadT_wf2_ylaEfTtwrCd50foWeTp7tu4jIo5swwNsdp3DLmn_Xue3kkMWrqV5gSjd7tjecuP0zsC86Y_kwdeiyve7eCbY/s1920/0007.jpg" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="1080" data-original-width="1920" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEii94NOW3Smhcd_LmIsB2xNxcQ24sS1iV5t5rH8LZWIrvEirSHadT_wf2_ylaEfTtwrCd50foWeTp7tu4jIo5swwNsdp3DLmn_Xue3kkMWrqV5gSjd7tjecuP0zsC86Y_kwdeiyve7eCbY/w640-h360/0007.jpg" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Source:&amp;nbsp;&lt;a href="https://www.cidr-report.org/v6/as2.0/" target="_blank"&gt;IPv6 CIDR Report for 30 Nov 20&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;p&gt;&lt;/p&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;h3 style="text-align: left;"&gt;Projection of 100K time is pretty accurate&lt;/h3&gt;&lt;p&gt;I have read web pages by APNIC and RIPE projecting the total number of IPv6 BGP entries. 
They all projected the time of 100K is around the second half of year 2020.&amp;nbsp;&lt;/p&gt;&lt;p&gt;They are pretty accurate in my opinion.&lt;/p&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiylwZYnddAOT2a1wRQzzbuBppvcA2Eg_3uVNRoAU0GX8ir06qe5LQPQA4np0OYuC3BbE2AjPewDG2EkSJPXOK_A5Xa8VQ_HG1q5KH7j5_huC60IUtHhq07ar5wizKP5wvAvkKEWOT9bDM/s1920/0011.jpg" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="1080" data-original-width="1920" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiylwZYnddAOT2a1wRQzzbuBppvcA2Eg_3uVNRoAU0GX8ir06qe5LQPQA4np0OYuC3BbE2AjPewDG2EkSJPXOK_A5Xa8VQ_HG1q5KH7j5_huC60IUtHhq07ar5wizKP5wvAvkKEWOT9bDM/w640-h360/0011.jpg" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Source:&amp;nbsp;APNIC, &lt;a href="https://blog.apnic.net/wp-content/uploads/2020/01/bgpfig29-v6-bgp-active-day.png" target="_blank"&gt;"BGP in 2019 - The BGP Table"&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrzOKDS_-IKWQ1XNLSNGr_QNO9eAranhNOSlmZRA8efOvNbUeM4n1C_2KWtFUWZpuygr7IJHxubizg6uNjMOd-Wy4ya3HvmVxC2c754PSMH32USecvOu7eJGgUX3co0dW8XIeDLOJ_lxo/s1920/0014.jpg" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="1080" data-original-width="1920" height="360" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrzOKDS_-IKWQ1XNLSNGr_QNO9eAranhNOSlmZRA8efOvNbUeM4n1C_2KWtFUWZpuygr7IJHxubizg6uNjMOd-Wy4ya3HvmVxC2c754PSMH32USecvOu7eJGgUX3co0dW8XIeDLOJ_lxo/w640-h360/0014.jpg" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Source:&amp;nbsp;RIPE, &lt;a href="https://labs.ripe.net/Members/gih/bgp-in-2016" target="_blank"&gt;"BGP in 2016"&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;IPv6 BGP table is growing much faster than IPv4&lt;/h3&gt;&lt;p&gt;For IPv6 BGP: Last year, 2019, around October, I observed IPv6 BGP table is around 80K in size. After around 1 year now, it is over 100K. That is, the growth rate in this interval is 25% (=20/80).&lt;/p&gt;&lt;p&gt;For IPv4 BGP: same interval as above, October 2019, I observed IPv4 BGP table is around 800K in size. After the same 1 year up to now, it is over 850K in size. That is, the growth rate in this interval is 6.25% (=50/800)&lt;/p&gt;&lt;p&gt;My conclusion is: the growth rate of IPv6 is much higher than that of IPv4, in this interval.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;h2 style="text-align: left;"&gt;One more thing…&lt;/h2&gt;&lt;p&gt;Many people are also interested in estimates of router memory consumption to hold the whole global BGP table. For IPv6, unfortunately, I cannot find good firsthand samples about the number of entries versus the memory size consumed. I now try to estimate the memory consumption by samples of IPv4.&lt;/p&gt;&lt;p&gt;For single IP address, IPv4 is 32 bits, and IPv6 is 128 bits. One IPv6 address is 4 times the size of one IPv4 address. 
Because essentially BGP entry fields are IP addresses, here I roughly assume IPv6 BGP table should not take more than 4 times the memory consumption of IPv4 BGP table of the same number of entries.&lt;/p&gt;&lt;p&gt;I already wrote about this before: &lt;a href="https://showipprotocols.blogspot.com/2009/08/bgp-memory-requirement-estimation.html" target="_blank"&gt;every 100K IPv4 BGP entries could take no more than 80 Megabytes of memory.&lt;/a&gt; Therefore, my estimate for the same 100K entries of IPv6 BGP table, should not take more than 320 Megabytes of memory.&lt;/p&gt;&lt;p&gt;Do you have firsthand numbers of IPv6 BGP memory consumption? How wrong is my estimate ? I would like to hear from you in the comment section below.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjW09ZYRJKuxAXIos649NLbiPtuZU5Jk0ZsrYus5rJkykOVS8-aA4ESp-UkEkWVy5U00SslfOzuYWVZDrr6MGJCMdWloagx1zI4Y83WLmhJ7ysTZnxvhbg32PTl_o81PpVbCMSVLCNGQic/s4608/20201127_143724.jpg" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="3456" data-original-width="4608" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjW09ZYRJKuxAXIos649NLbiPtuZU5Jk0ZsrYus5rJkykOVS8-aA4ESp-UkEkWVy5U00SslfOzuYWVZDrr6MGJCMdWloagx1zI4Y83WLmhJ7ysTZnxvhbg32PTl_o81PpVbCMSVLCNGQic/w640-h480/20201127_143724.jpg" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Overlooking from the top floor of &lt;a href="https://goo.gl/maps/G5Vk4BiCJY6v31No9" target="_blank"&gt;Dragon and Tiger Pagodas (龍虎塔)&lt;/a&gt;&lt;br /&gt;Zuoying District, Kaohsiung City, Taiwan&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;p&gt;I am Li-Ji Hong. 
This is my blog “Show IP Protocols”. See you next time!&lt;/p&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;</description><enclosure length="0" type="audio/mpeg" url="https://archive.org/download/hongliji-sip-p-20201206/hongliji-sip-p-20201206.mp3"/><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBbWA0WhG5VNokeI3XYcuQLrbhSMK-BSdP1spPVFl-t0uHwhuaz4ZlD1eSL-MLA8dC4dAgcgG2PmSiaM3SHdYMjQmY4Tp9mvbFMFqrXEAzcI3bcjS_GyvGuTenMEplJjwqe6oqGagllyc/s72-w200-h150-c/20201127_143724.jpg" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><georss:featurename xmlns:georss="http://www.georss.org/georss">Wanhua District, Taipei City, Taiwan 108</georss:featurename><georss:point xmlns:georss="http://www.georss.org/georss">25.0262857 121.4970294</georss:point><georss:box xmlns:georss="http://www.georss.org/georss">-3.2839481361788465 86.3407794 53.336519536178841 156.6532794</georss:box><author>hongliji@gmail.com (Li-Ji Hong (洪李吉))</author><itunes:explicit>no</itunes:explicit><itunes:subtitle>This year, 2020, around November I started to see the global IPv6 BGP Table is getting more than 100K entries. Although the number is going above and under 100K from time to time, starting from the end of November I can safely say it is breaking 100K entries right now. This is an interesting milestone for IPv6. That means a massive majority of people are using IPv6 today. I want to note down this moment. And I want to share 3 of my own observations about the IPv6 BGP table.Source:&amp;nbsp;https://twitter.com/bgp6_table/status/1330964625127583744/photo/1 Number of IPv6 BGP entries is going up and down Internet is a collection of distributed, self-managed networks. No single authority can dictate how the BGP configuration should be done on all different networks. Each of the network administrators could choose when and how to add or remove BGP entries in different occasions. 
It is natural for BGP table to grow and shrink from time to time. For example, network administrators might decide to remove assigned but not used yet networks from BGP configurations. By this action, the number of BGP entries could go down. Another example, to achieve load spreading, administrators might break their own IPv6 prefixes into smaller ones and advertise them to different BGP neighbors. By this action, the number of BGP entries could go up. And of course, upon expanding networks with more prefixes, or dying companies returning prefixes to Internet Regional Registries, the BGP table would grow or shrink accordingly. Configuration errors could also result in fluctuations of the total number of BGP entries. Source:&amp;nbsp;IPv6 CIDR Report for 30 Nov 20 Projection of 100K time is pretty accurate I have read web pages by APNIC and RIPE projecting the total number of IPv6 BGP entries. They all projected the time of 100K is around the second half of year 2020.&amp;nbsp; They are pretty accurate in my opinion.Source:&amp;nbsp;APNIC, "BGP in 2019 - The BGP Table" Source:&amp;nbsp;RIPE, "BGP in 2016" IPv6 BGP table is growing much faster than IPv4 For IPv6 BGP: Last year, 2019, around October, I observed IPv6 BGP table is around 80K in size. After around 1 year now, it is over 100K. That is, the growth rate in this interval is 25% (=20/80). For IPv4 BGP: same interval as above, October 2019, I observed IPv4 BGP table is around 800K in size. After the same 1 year up to now, it is over 850K in size. That is, the growth rate in this interval is 6.25% (=50/800) My conclusion is: the growth rate of IPv6 is much higher than that of IPv4, in this interval. One more thing… Many people are also interested in estimates of router memory consumption to hold the whole global BGP table. For IPv6, unfortunately, I cannot find good firsthand samples about the number of entries versus the memory size consumed. I now try to estimate the memory consumption by samples of IPv4. 
For single IP address, IPv4 is 32 bits, and IPv6 is 128 bits. One IPv6 address is 4 times the size of one IPv4 address. Because essentially BGP entry fields are IP addresses, here I roughly assume IPv6 BGP table should not take more than 4 times the memory consumption of IPv4 BGP table of the same number of entries. I already wrote about this before: every 100K IPv4 BGP entries could take no more than 80 Megabytes of memory. Therefore, my estimate for the same 100K entries of IPv6 BGP table, should not take more than 320 Megabytes of memory. Do you have firsthand numbers of IPv6 BGP memory consumption? How wrong is my estimate ? I would like to hear from you in the comment section below. Overlooking from the top floor of Dragon and Tiger Pagodas (龍虎塔) Zuoying District, Kaohsiung City, Taiwan I am Li-Ji Hong. This is my blog “Show IP Protocols”. See you next time!</itunes:subtitle><itunes:author>Li-Ji Hong (洪李吉)</itunes:author><itunes:summary>This year, 2020, around November I started to see the global IPv6 BGP Table is getting more than 100K entries. Although the number is going above and under 100K from time to time, starting from the end of November I can safely say it is breaking 100K entries right now. This is an interesting milestone for IPv6. That means a massive majority of people are using IPv6 today. I want to note down this moment. And I want to share 3 of my own observations about the IPv6 BGP table.Source:&amp;nbsp;https://twitter.com/bgp6_table/status/1330964625127583744/photo/1 Number of IPv6 BGP entries is going up and down Internet is a collection of distributed, self-managed networks. No single authority can dictate how the BGP configuration should be done on all different networks. Each of the network administrators could choose when and how to add or remove BGP entries in different occasions. It is natural for BGP table to grow and shrink from time to time. 
For example, network administrators might decide to remove assigned but not used yet networks from BGP configurations. By this action, the number of BGP entries could go down. Another example, to achieve load spreading, administrators might break their own IPv6 prefixes into smaller ones and advertise them to different BGP neighbors. By this action, the number of BGP entries could go up. And of course, upon expanding networks with more prefixes, or dying companies returning prefixes to Internet Regional Registries, the BGP table would grow or shrink accordingly. Configuration errors could also result in fluctuations of the total number of BGP entries. Source:&amp;nbsp;IPv6 CIDR Report for 30 Nov 20 Projection of 100K time is pretty accurate I have read web pages by APNIC and RIPE projecting the total number of IPv6 BGP entries. They all projected the time of 100K is around the second half of year 2020.&amp;nbsp; They are pretty accurate in my opinion.Source:&amp;nbsp;APNIC, "BGP in 2019 - The BGP Table" Source:&amp;nbsp;RIPE, "BGP in 2016" IPv6 BGP table is growing much faster than IPv4 For IPv6 BGP: Last year, 2019, around October, I observed IPv6 BGP table is around 80K in size. After around 1 year now, it is over 100K. That is, the growth rate in this interval is 25% (=20/80). For IPv4 BGP: same interval as above, October 2019, I observed IPv4 BGP table is around 800K in size. After the same 1 year up to now, it is over 850K in size. That is, the growth rate in this interval is 6.25% (=50/800) My conclusion is: the growth rate of IPv6 is much higher than that of IPv4, in this interval. One more thing… Many people are also interested in estimates of router memory consumption to hold the whole global BGP table. For IPv6, unfortunately, I cannot find good firsthand samples about the number of entries versus the memory size consumed. I now try to estimate the memory consumption by samples of IPv4. For single IP address, IPv4 is 32 bits, and IPv6 is 128 bits. 
One IPv6 address is 4 times the size of one IPv4 address. Because essentially BGP entry fields are IP addresses, here I roughly assume IPv6 BGP table should not take more than 4 times the memory consumption of IPv4 BGP table of the same number of entries. I already wrote about this before: every 100K IPv4 BGP entries could take no more than 80 Megabytes of memory. Therefore, my estimate for the same 100K entries of IPv6 BGP table, should not take more than 320 Megabytes of memory. Do you have firsthand numbers of IPv6 BGP memory consumption? How wrong is my estimate ? I would like to hear from you in the comment section below. Overlooking from the top floor of Dragon and Tiger Pagodas (龍虎塔) Zuoying District, Kaohsiung City, Taiwan I am Li-Ji Hong. This is my blog “Show IP Protocols”. See you next time!</itunes:summary><itunes:keywords>Internet,Cisco</itunes:keywords></item><item><title>Three possible scenarios of Software Defined Networking (SDN)</title><link>https://showipprotocols.blogspot.com/2019/12/three-possible-scenarios-sdn.html</link><category>Data Center</category><category>SDN</category><pubDate>Sun, 8 Dec 2019 02:14:00 +0800</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6616815944293602407.post-7986805280374000744</guid><description>&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7mOmNpsvYJAIf9z0HWus81vHcyb9kPZ4utqrM7fEzXUUxEbJJhirkJav3cK8Yp87oTeS5DyJr_OuA-YpXaiZ1EmQaCeWLLxlUMEjV_e_ua_vEL9rhrCNVi671IzX5MibqTy-Oxh_7RUs/s1600/table.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" data-original-height="720" data-original-width="1280" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7mOmNpsvYJAIf9z0HWus81vHcyb9kPZ4utqrM7fEzXUUxEbJJhirkJav3cK8Yp87oTeS5DyJr_OuA-YpXaiZ1EmQaCeWLLxlUMEjV_e_ua_vEL9rhrCNVi671IzX5MibqTy-Oxh_7RUs/s320/table.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
Software-defined networking (SDN) is an approach to creating a centrally controlled, programmable packet network. Any protocol that takes the same approach can be considered SDN as well.&lt;br /&gt;
&lt;br /&gt;
Among open protocols, one popular standard is “OpenFlow”, which the central controllers use to talk to all managed networking devices. The Open Networking Foundation (ONF) defines the OpenFlow protocol.&lt;br /&gt;
&lt;br /&gt;
In fact, vendors have also developed proprietary protocols to implement this same approach. For example, Cisco’s ACI is a proprietary SDN solution.&lt;br /&gt;
&lt;br /&gt;
Here I summarize the 3 most probable scenarios when we deploy SDN.&lt;br /&gt;
&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;
&lt;h3&gt;
Scenario 1: Open protocol, open multiple vendors&lt;/h3&gt;
&lt;br /&gt;
Since the OpenFlow protocol from ONF is open, any vendor can develop interoperable software and hardware products. For enterprise customers, the first natural approach is to buy from multiple networking vendors.&lt;br /&gt;
&lt;br /&gt;
For example, controllers from vendor A, some switches from vendor B, some routers from vendor C, and so on and so forth.&lt;br /&gt;
&lt;br /&gt;
The most obvious benefit of this scenario is lower buying cost. Enterprises can buy any compatible networking product from whichever vendor in the market offers the lowest price. White-brand or no-brand vendors have opportunities to compete on price against existing networking vendors.&lt;br /&gt;
&lt;br /&gt;
However, only the buying cost is lower. We also must consider other costs to build and maintain a working network. Integration of software and hardware itself is a heavy project.&lt;br /&gt;
&lt;br /&gt;
When we already have a team capable of hardware and software integration, we can work comfortably with this approach. If we simply don’t have such a “Tiger Team”, or we are just about to create a team from scratch, this scenario could be difficult and costly. It could cancel out all the benefits of lower buying cost.&lt;br /&gt;
&lt;br /&gt;
&lt;h3&gt;
Scenario 2: Open protocol, one major vendor&lt;/h3&gt;
&lt;br /&gt;
Some vendors are capable of providing all components for OpenFlow. For example, Cisco. In this scenario, we basically buy controllers and network devices from a single major vendor. For less important areas, we buy some from other vendors in the market.&lt;br /&gt;
&lt;br /&gt;
In this approach, we might have higher buying costs. Because we now have a major vendor, we can gain better support from that major vendor. We can also achieve lower integration cost because our team has fewer combinations of products to experiment and integrate with. We don’t need a huge team like in the previous scenario.&lt;br /&gt;
&lt;br /&gt;
I am more familiar with Cisco. Let me summarize what Cisco can provide for OpenFlow.&lt;br /&gt;
&lt;br /&gt;
“Cisco Open SDN Controller” is an OpenFlow protocol controller. The software is a commercial distribution of OpenDaylight, from the OpenDaylight open source project. It is packaged in a virtual machine format.&lt;br /&gt;
&lt;br /&gt;
In addition, Cisco’s Nexus 3000 and 9000 family switches can run “Cisco OpenFlow Agent” inside to become OpenFlow switches so they can be controlled by standard OpenFlow controllers.&lt;br /&gt;
&lt;br /&gt;
We can deploy OpenFlow by simply selecting all components from Cisco. Because the OpenFlow protocol is open, we also have the flexibility to add non-Cisco but OpenFlow-compatible devices.&lt;br /&gt;
&lt;br /&gt;
&lt;h3&gt;
Scenario 3: Closed protocol, one vendor&lt;/h3&gt;
&lt;br /&gt;
Some vendors can provide all the features and benefits of a “centrally controlled programmable packet network” with a proprietary protocol. For example, again, Cisco.&lt;br /&gt;
&lt;br /&gt;
Cisco’s Application Centric Infrastructure (ACI) is Cisco’s proprietary SDN solution. With Cisco’s ACI, we can achieve even more than with OpenFlow, such as:&lt;br /&gt;
&lt;br /&gt;
&lt;ul&gt;
&lt;li&gt;Device management&lt;/li&gt;
&lt;li&gt;Better integration with non-networking devices such as Layer 7 switches and stateful firewalls&lt;/li&gt;
&lt;li&gt;Better programmer-friendly abstraction instead of VLANs and subnets.&lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;
In this scenario, we have the highest buying cost and we are locked into a single vendor. However, we have the lowest integration cost and we now have full support from that single vendor. We only need an even smaller support team and can concentrate all resources on using the network instead of experimenting with interoperability among vendors.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEis4BaBf4PQLxNHNWUdZnkPeLNyiIb3aNc06Tel2RUGRhyvbUCTV89mqy1OrKkV2sMDhNeCnubHE3r-7tvasegsxf1-SqZ-fmZwHpvyTCv3_sBSvNbWGzM488yRcb9MuNdOu1H474zypao/s1600/table.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="720" data-original-width="1280" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEis4BaBf4PQLxNHNWUdZnkPeLNyiIb3aNc06Tel2RUGRhyvbUCTV89mqy1OrKkV2sMDhNeCnubHE3r-7tvasegsxf1-SqZ-fmZwHpvyTCv3_sBSvNbWGzM488yRcb9MuNdOu1H474zypao/s640/table.jpg" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;h3&gt;
One more thing…&lt;/h3&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;/div&gt;
&lt;br /&gt;
&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtTuX_QNhVxr4w-1BZIJLQ3UFvGmo_CaebTGaiNMXYPWV2j9_XLQP6NGrVRrL72EzD0fuim1spybaYFa7DZO-_B3DTG-toCNeiJ7eMhkXVBaxjePCs3dC6GqEG8vYN4wLJ9S8qhKZUb-U/s1600/20191202_124907.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="900" data-original-width="1600" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtTuX_QNhVxr4w-1BZIJLQ3UFvGmo_CaebTGaiNMXYPWV2j9_XLQP6NGrVRrL72EzD0fuim1spybaYFa7DZO-_B3DTG-toCNeiJ7eMhkXVBaxjePCs3dC6GqEG8vYN4wLJ9S8qhKZUb-U/s640/20191202_124907.jpg" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Winter flowers near Taoyuan High Speed Rail Station.&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEYuxL9-_pUVQDgxxK1ky8SmInw7HhRPP_DQekUVVhnXOISU3tVqdenro_sQYwB3EF52LQsAxPHQ6_rTZWJ0KqxozSnFPpwIUu7_utMP6LbHLkUV-NZZnD1pZS48r_dlvQG_xg0HOD5ng/s1600/20191202_124958.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="900" data-original-width="1600" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEYuxL9-_pUVQDgxxK1ky8SmInw7HhRPP_DQekUVVhnXOISU3tVqdenro_sQYwB3EF52LQsAxPHQ6_rTZWJ0KqxozSnFPpwIUu7_utMP6LbHLkUV-NZZnD1pZS48r_dlvQG_xg0HOD5ng/s320/20191202_124958.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;/div&gt;
&lt;br /&gt;
SDN is a promising approach for next-generation networking. A programmable network is indeed the foundation for network automation.&lt;br /&gt;
&lt;br /&gt;
On the other hand, I don’t think it fits well for all types and sizes of customers. Let me talk more about who needs SDN in the coming posts.&lt;br /&gt;
&lt;br /&gt;
I am Li-Ji Hong. This is my blog “Show IP Protocols”. See you next time!</description><enclosure length="0" type="audio/mpeg" url="https://archive.org/download/hongliji-sip-p-20191208/hongliji-sip-p-20191208.mp3"/><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7mOmNpsvYJAIf9z0HWus81vHcyb9kPZ4utqrM7fEzXUUxEbJJhirkJav3cK8Yp87oTeS5DyJr_OuA-YpXaiZ1EmQaCeWLLxlUMEjV_e_ua_vEL9rhrCNVi671IzX5MibqTy-Oxh_7RUs/s72-c/table.jpg" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><georss:featurename xmlns:georss="http://www.georss.org/georss">Wanhua District, Taipei City, Taiwan 108</georss:featurename><georss:point xmlns:georss="http://www.georss.org/georss">25.0262857 121.49702939999997</georss:point><georss:box xmlns:georss="http://www.georss.org/georss">24.9687357 121.41634839999998 25.083835699999998 121.57771039999997</georss:box><author>hongliji@gmail.com (Li-Ji Hong (洪李吉))</author><itunes:explicit>no</itunes:explicit><itunes:subtitle>Software-defined networking (SDN) is an approach to create a centrally controlled programmable packet network. Any protocols with the same approach could be considered as SDN as well. For open protocols, we have one popular standard protocol “OpenFlow” talking among the central controllers to all managed networking devices. Open Network Foundation (ONF) defines OpenFlow protocol. In fact, vendors also have developed proprietary protocols to implement this same approach. For example, Cisco’s ACI is a proprietary SDN solution. Here I summarize 3 most probable scenarios when we deploy SDN. Scenario 1: Open protocol, open multiple vendors Since OpenFlow protocol from ONF is open, any vendors can develop inter-operable software and hardware products. For enterprise customers, the first natural approach is to buy from multiple networking venders. 
For example, controllers from vendor A, some switches from vendor B, some routers from vendor C, and so on and so forth. The most obvious benefit of this scenario is lower buying cost. Enterprises can buy any compatible networking products from any vendors in the market with the lowest price. White-brand, or no-brand vendors have opportunities to compete on price against existing networking vendors. However, only the buying cost is lower. We also must consider other costs to build and maintain a working network. Integration of software and hardware itself is a heavy project. When we already have a capable team of hardware and software integration, we can work comfortably with this approach. If we simply don’t have such a “Tiger Team”, or we are just about to create a team from scratch, this scenario could be difficult and costly. It could cancel out all benefits of lower buying cost. Scenario 2: Open protocol, one major vendor Some vendors are capable to provide all components for OpenFlow. For example, Cisco. In this scenario, basically we buy controllers and network devices from single major vendor. For less important areas, we buy some from other venders in the market. In this approach, we might have higher buying costs. Because we now have a major vender, we can gain better support from that major vendor. We can also achieve less integration cost because our team have fewer combinations of products to experiment and integrate with. We don’t need a huge team like previous scenario. I am more familiar with Cisco. Let me summarize what Cisco can provide for OpenFlow. “Cisco Open SDN Controller” is OpenFlow protocol controller. The software is a commercial distribution of OpenDaylight by OpenDaylight open source project. This software is packaged as a virtual machine format. In addition, Cisco’s Nexus 3000 and 9000 family switches can run “Cisco OpenFlow Agent” inside to become OpenFlow switches so they can be controlled by standard OpenFlow controllers. 
We can deploy OpenFlow by simply selecting all components from Cisco. Because OpenFlow protocol is open, we also have the flexibility to add non-Cisco but OpenFlow compatible devices. Scenario 3: Close protocol, one vendor Some vendor can provide all features and benefits of “centrally controlled programmable packet network”, with proprietary protocol. For example, again, Cisco. Cisco’s Application Centric Infrastructure (ACI) is Cisco’s proprietary SDN solution. With Cisco’s ACI, we can achieve even more than OpenFlow such as: Device management Better integration with non-networking devices such as Layer 7 switches and stateful firewalls Better programmer-friendly abstraction instead of VLANs and subnets. In this scenario, we have the highest buying cost and we are locked into single vendor. However, we have the lowest integration cost and we now have full support from that single vendor. We only need an even smaller support team and concentrate all resources on using the network instead of experimenting interoperability among vendors. One more thing… Winter flowers near Taoyuan High Speed Rail Station. SDN is a promising approach for next generation networking. Programmable network indeed is the foundation for network automation. On the other hand, I don’t think it fits well for all types and sizes of customers. Let me talk more about who needs SDN in the coming posts. I am Li-Ji Hong. This is my blog “Show IP Protocols”. See you next time!</itunes:subtitle><itunes:author>Li-Ji Hong (洪李吉)</itunes:author><itunes:summary>Software-defined networking (SDN) is an approach to create a centrally controlled programmable packet network. Any protocols with the same approach could be considered as SDN as well. For open protocols, we have one popular standard protocol “OpenFlow” talking among the central controllers to all managed networking devices. Open Network Foundation (ONF) defines OpenFlow protocol. 
In fact, vendors also have developed proprietary protocols to implement this same approach. For example, Cisco’s ACI is a proprietary SDN solution. Here I summarize 3 most probable scenarios when we deploy SDN. Scenario 1: Open protocol, open multiple vendors Since OpenFlow protocol from ONF is open, any vendors can develop inter-operable software and hardware products. For enterprise customers, the first natural approach is to buy from multiple networking venders. For example, controllers from vendor A, some switches from vendor B, some routers from vendor C, and so on and so forth. The most obvious benefit of this scenario is lower buying cost. Enterprises can buy any compatible networking products from any vendors in the market with the lowest price. White-brand, or no-brand vendors have opportunities to compete on price against existing networking vendors. However, only the buying cost is lower. We also must consider other costs to build and maintain a working network. Integration of software and hardware itself is a heavy project. When we already have a capable team of hardware and software integration, we can work comfortably with this approach. If we simply don’t have such a “Tiger Team”, or we are just about to create a team from scratch, this scenario could be difficult and costly. It could cancel out all benefits of lower buying cost. Scenario 2: Open protocol, one major vendor Some vendors are capable to provide all components for OpenFlow. For example, Cisco. In this scenario, basically we buy controllers and network devices from single major vendor. For less important areas, we buy some from other venders in the market. In this approach, we might have higher buying costs. Because we now have a major vender, we can gain better support from that major vendor. We can also achieve less integration cost because our team have fewer combinations of products to experiment and integrate with. We don’t need a huge team like previous scenario. 
I am more familiar with Cisco. Let me summarize what Cisco can provide for OpenFlow. “Cisco Open SDN Controller” is OpenFlow protocol controller. The software is a commercial distribution of OpenDaylight by OpenDaylight open source project. This software is packaged as a virtual machine format. In addition, Cisco’s Nexus 3000 and 9000 family switches can run “Cisco OpenFlow Agent” inside to become OpenFlow switches so they can be controlled by standard OpenFlow controllers. We can deploy OpenFlow by simply selecting all components from Cisco. Because OpenFlow protocol is open, we also have the flexibility to add non-Cisco but OpenFlow compatible devices. Scenario 3: Close protocol, one vendor Some vendor can provide all features and benefits of “centrally controlled programmable packet network”, with proprietary protocol. For example, again, Cisco. Cisco’s Application Centric Infrastructure (ACI) is Cisco’s proprietary SDN solution. With Cisco’s ACI, we can achieve even more than OpenFlow such as: Device management Better integration with non-networking devices such as Layer 7 switches and stateful firewalls Better programmer-friendly abstraction instead of VLANs and subnets. In this scenario, we have the highest buying cost and we are locked into single vendor. However, we have the lowest integration cost and we now have full support from that single vendor. We only need an even smaller support team and concentrate all resources on using the network instead of experimenting interoperability among vendors. One more thing… Winter flowers near Taoyuan High Speed Rail Station. SDN is a promising approach for next generation networking. Programmable network indeed is the foundation for network automation. On the other hand, I don’t think it fits well for all types and sizes of customers. Let me talk more about who needs SDN in the coming posts. I am Li-Ji Hong. This is my blog “Show IP Protocols”. 
See you next time!</itunes:summary><itunes:keywords>Internet,Cisco</itunes:keywords></item><item><title>Where do we use Cisco Wildcard Masks?</title><link>https://showipprotocols.blogspot.com/2019/11/where-do-we-use-wildcard-masks.html</link><category>CCNA</category><pubDate>Mon, 18 Nov 2019 18:52:00 +0800</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6616815944293602407.post-7837547876255862006</guid><description>&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8uzAhQLNYeH_85qwcxpuKnJgb_hjW1GVvx1snXtXNPtS1t0AwOddLu3ybjmcFHJiQYqMAinmzPS0e5Cy3-AsBKobrOEkj86VPbatpw-qDIb8xW7pPz445-mYokYOnn0K2MjvjE6ure3g/s1600/wc-excel.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" data-original-height="341" data-original-width="1055" height="103" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8uzAhQLNYeH_85qwcxpuKnJgb_hjW1GVvx1snXtXNPtS1t0AwOddLu3ybjmcFHJiQYqMAinmzPS0e5Cy3-AsBKobrOEkj86VPbatpw-qDIb8xW7pPz445-mYokYOnn0K2MjvjE6ure3g/s320/wc-excel.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
People might still be interested in Cisco Wildcard Masks. I try to summarize interesting information about Wildcard Masks in this post.&lt;br /&gt;
&lt;br /&gt;
&lt;h3&gt;
Use Case 1: IPv4 Access Control Lists on Cisco IOS, IOS XE, and IOS XR&lt;/h3&gt;
&lt;br /&gt;
Wildcard masks let us select subsets of IPv4 addresses.&lt;br /&gt;
&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;
When we define the source or destination IPv4 addresses that an Access Control List (ACL) entry should match, we use a Wildcard Mask. Here is an example for Cisco IOS and IOS XE.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: Courier New, Courier, monospace;"&gt;ip access-list extended ACL-NAME&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: Courier New, Courier, monospace;"&gt;&amp;nbsp;deny tcp 172.16.9.0 0.0.0.255 172.16.0.0 0.0.255.255 eq 22&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: Courier New, Courier, monospace;"&gt;&amp;nbsp;permit ip any any&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Here is an equivalent ACL example for Cisco IOS XR.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: Courier New, Courier, monospace;"&gt;ipv4 access-list ACL-NAME&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: Courier New, Courier, monospace;"&gt;&amp;nbsp;deny tcp 172.16.9.0 0.0.0.255 172.16.0.0 0.0.255.255 eq 22&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: Courier New, Courier, monospace;"&gt;&amp;nbsp;permit ip any any&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
All Cisco IOS XR Access Control Lists are “extended, and named” in Cisco IOS’s sense, so we don’t need the “&lt;span style="font-family: Courier New, Courier, monospace;"&gt;extended&lt;/span&gt;” keyword in IOS XR commands.&lt;br /&gt;
&lt;br /&gt;
&lt;h3&gt;
Use Case 2: Selecting interfaces to start Routing Protocols on Cisco IOS, and IOS XE&lt;/h3&gt;
&lt;br /&gt;
The “network” commands for OSPFv2 and EIGRP select the interfaces on which to start OSPF or EIGRP, based on the interfaces’ IPv4 addresses. For example:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: Courier New, Courier, monospace;"&gt;router eigrp 99&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: Courier New, Courier, monospace;"&gt;&amp;nbsp;network 192.168.199.0 0.0.0.255&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: Courier New, Courier, monospace;"&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style="font-family: Courier New, Courier, monospace;"&gt;router ospf 1&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: Courier New, Courier, monospace;"&gt;&amp;nbsp;network 192.168.201.0 0.0.0.255 area 0&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Here, all interfaces with IPv4 addresses covered by “&lt;span style="font-family: Courier New, Courier, monospace;"&gt;192.168.199.0 0.0.0.255&lt;/span&gt;” would be enabled with EIGRP AS 99, and all interfaces with IPv4 addresses covered by “&lt;span style="font-family: Courier New, Courier, monospace;"&gt;192.168.201.0 0.0.0.255&lt;/span&gt;” would be enabled with OSPF and assigned to area 0.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Just in case you need some help visualizing Wildcard Masks, you can download an Excel Spreadsheet Wildcard Mask Calculator in this post:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;blockquote class="tr_bq"&gt;
&lt;a href="https://showipprotocols.blogspot.com/2019/11/revised-covering-subnet-calculator.html" target="_blank"&gt;&lt;span style="font-size: large;"&gt;Revised post: Covering Subnet Calculator to understand more about Wildcard Mask&lt;/span&gt;&lt;/a&gt;&lt;/blockquote&gt;
&lt;br /&gt;
&lt;br /&gt;
That's all for use cases. We simply don't use Wildcard Masks in any other scenarios.&lt;br /&gt;
&lt;br /&gt;
&lt;h3&gt;
NX-OS, ASA, and IPv6 do not have Wildcard Masks&lt;/h3&gt;
&lt;br /&gt;
If you are lucky enough to work on Cisco NX-OS or Cisco ASA alone, you don’t need Wildcard Masks because they are not supported at all on these operating systems.&lt;br /&gt;
&lt;br /&gt;
Or, if you work in an IPv6-only world without IPv4, you don’t need Wildcard Masks at all, because no IPv6 command on any of Cisco’s operating systems uses Wildcard Masks.&lt;br /&gt;
&lt;br /&gt;
&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmkEBru-J_YX3OeG4pH92MFH8fo8fzMEX90N8IquGOPl1CZFxwZWjIofcrg9Q1IDFH_fv7hP2ovHJhufJIWXzV_KFxoGXHhwvCsVXPxgg583tQFhSPyNP8dNiuQpfagj9-rtnHnVh_S7c/s1600/20191117_171849.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="900" data-original-width="1600" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmkEBru-J_YX3OeG4pH92MFH8fo8fzMEX90N8IquGOPl1CZFxwZWjIofcrg9Q1IDFH_fv7hP2ovHJhufJIWXzV_KFxoGXHhwvCsVXPxgg583tQFhSPyNP8dNiuQpfagj9-rtnHnVh_S7c/s640/20191117_171849.jpg" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Tamsui River (淡水河) Estuary after sunset.&lt;br /&gt;Tamsui District, New Taipei City, Taiwan.&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;br /&gt;
&lt;h3&gt;
One more thing…&lt;/h3&gt;
&lt;br /&gt;
I always say that we can simply assume a Cisco IOS Wildcard Mask is derived by mapping 1s to 0s and 0s to 1s of the equivalent subnet mask in binary notation. This brings up a question: why do we need Wildcard Masks in the first place? Why not just reuse IP subnet masks instead of creating new objects like Wildcard Masks?&lt;br /&gt;
&lt;br /&gt;
I don’t have any official information source. In my opinion, “flexibility” might be the cause.&lt;br /&gt;
&lt;br /&gt;
I try to imagine two possible cases. We only want to select IP subnets with “even-number 3rd digits”, or we want to select any hosts ending with the number “77”. Here are single-line Wildcard Masks to select them.&lt;br /&gt;
&lt;br /&gt;
Single-line Wildcard Mask “&lt;span style="font-family: Courier New, Courier, monospace;"&gt;192.168.0.0 0.0.254.255&lt;/span&gt;” selects IP subnets &lt;span style="font-family: Courier New, Courier, monospace;"&gt;192.168.0.0/24, 192.168.2.0/24, 192.168.4.0/24 … 192.168.254.0/24&lt;/span&gt;.&lt;br /&gt;
&lt;br /&gt;
Single-line Wildcard Mask “&lt;span style="font-family: Courier New, Courier, monospace;"&gt;192.168.0.77 0.0.255.0&lt;/span&gt;” selects &lt;span style="font-family: Courier New, Courier, monospace;"&gt;192.168.0.77, 192.168.1.77, 192.168.2.77 … 192.168.255.77&lt;/span&gt;.&lt;br /&gt;
&lt;br /&gt;
Subnet masks are not flexible. All subnet masks must begin with contiguous “1”s, and the rest of the digits must be “0”s. It is complex to combine many subnet masks to define the identical selections for the above two imaginary examples.&lt;br /&gt;
&lt;br /&gt;
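As an added example (not part of the original post and not Cisco code), the Python sketch below tests addresses against a base and Wildcard Mask, where “0” bits must match and “1” bits are ignored, and expands the two imaginary selections above into the ordinary subnets needed to express the same thing. The function names are made up for this example, and the bit tests are written with OR, XOR and shifts only.&lt;br /&gt;

```python
import ipaddress


def to_int(dotted):
    """Convert a dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def matches(address, base, wildcard):
    """True when address agrees with base on every bit where wildcard is 0."""
    w = to_int(wildcard)
    # OR-ing with the wildcard forces every "don't care" bit to 1 on both
    # sides, so only the "must match" bits can still make the values differ.
    return (to_int(address) | w) == (to_int(base) | w)


def is_contiguous(wildcard):
    """True when the wildcard is the bit-inverse of a valid subnet mask."""
    # An inverted subnet mask is a run of 0s followed by a run of 1s,
    # so adding 1 to it always yields a single set bit.
    return bin(to_int(wildcard) + 1).count("1") == 1


def expand_to_cidrs(base, wildcard, limit=4096):
    """List the CIDR prefixes that together equal one base/wildcard pair.

    The trailing run of 1 bits becomes the host part of every prefix.
    Each remaining 1 bit doubles the number of prefixes required.
    """
    w = to_int(wildcard)
    fixed = (to_int(base) | w) ^ w  # base with all "don't care" bits cleared
    host_bits = 0
    while host_bits != 32 and (w >> host_bits) % 2 == 1:
        host_bits += 1
    free = [i for i in range(host_bits, 32) if (w >> i) % 2 == 1]
    if 2 ** len(free) > limit:
        raise ValueError("wildcard expands to more prefixes than the limit")
    prefixes = []
    for n in range(2 ** len(free)):
        value = fixed
        for j, pos in enumerate(free):
            if (n >> j) % 2 == 1:
                value += 2 ** pos  # set this "don't care" bit for this prefix
        prefixes.append(ipaddress.IPv4Network((value, 32 - host_bits)))
    return prefixes


if __name__ == "__main__":
    # Base/wildcard pairs taken from the post.
    samples = [
        ("172.16.9.0", "0.0.0.255"),
        ("192.168.0.0", "0.0.254.255"),
        ("192.168.0.77", "0.0.255.0"),
    ]
    for base, wildcard in samples:
        nets = expand_to_cidrs(base, wildcard)
        kind = "contiguous" if is_contiguous(wildcard) else "non-contiguous"
        print(f"{base} {wildcard} ({kind}): {len(nets)} prefix(es), "
              f"first {nets[0]}, last {nets[-1]}")
```

When reviewing an ACL, a non-contiguous mask is worth flagging: one line can stand for hundreds of scattered prefixes that a subnet-based review would never list.&lt;br /&gt;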
Please don’t get me wrong! I don’t like Wildcard Masks, either. I always avoid Wildcard Masks when managing a network. I do Wildcard Masks only when taking exams. These two imaginary examples are rare in practical networks. Most administrators I know of always group endpoints with IP subnets, instead of in a confusing even-odd way.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Maybe I will create another post to tell you how I avoid Wildcard Masks!&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
I am Li-Ji Hong. And this is my blog “Show IP Protocols”. See you next time!</description><enclosure length="0" type="audio/mpeg" url="https://archive.org/download/hongliji-sip-p-20191118/hongliji-sip-p-20191118.mp3"/><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8uzAhQLNYeH_85qwcxpuKnJgb_hjW1GVvx1snXtXNPtS1t0AwOddLu3ybjmcFHJiQYqMAinmzPS0e5Cy3-AsBKobrOEkj86VPbatpw-qDIb8xW7pPz445-mYokYOnn0K2MjvjE6ure3g/s72-c/wc-excel.jpg" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><georss:featurename xmlns:georss="http://www.georss.org/georss">Wanhua District, Taipei City, Taiwan 108</georss:featurename><georss:point xmlns:georss="http://www.georss.org/georss">25.0262857 121.49702939999997</georss:point><georss:box xmlns:georss="http://www.georss.org/georss">24.9687357 121.41634839999998 25.083835699999998 121.57771039999997</georss:box><author>hongliji@gmail.com (Li-Ji Hong (洪李吉))</author><itunes:explicit>no</itunes:explicit><itunes:subtitle>People might still be interested in about Cisco Wildcard Masks. I try to summarize interesting information about Wildcard Masks in this post. Use Case 1: IPv4 Access Control Lists on Cisco IOS, IOS XE, and IOS XR Wildcard masks are for us to select only subsets of IPv4 addresses. When we define selected source or destination IPv4 addresses for an Access Control List (ACL), we use Wildcard Mask. Here is an example for Cisco IOS and IOS XE. ip access-list extended ACL-NAME &amp;nbsp;deny tcp 172.16.9.0 0.0.0.255 172.16.0.0 0.0.255.255 eq 22 &amp;nbsp;permit ip any any Here is an equivalent ACL example for Cisco IOS XR. ipv4 access-list ACL-NAME &amp;nbsp;deny tcp 172.16.9.0 0.0.0.255 172.16.0.0 0.0.255.255 eq 22 &amp;nbsp;permit ip any any All Cisco IOS XR Access Control Lists are “extended, and named” in Cisco IOS’s sense. And we don’t need “extended” keyword in IOS XR commands. 
Use Case 2: Selecting interfaces to start Routing Protocols on Cisco IOS, and IOS XE The “network” commands for OSPFv2 and EIGRP are to select interfaces to start OSPF or EIGRP by interfaces’ IPv4 addresses. For example: router eigrp 99 &amp;nbsp;network 192.168.199.0 0.0.0.255 router ospf 1 &amp;nbsp;network 192.168.201.0 0.0.0.255 area 0 Here, all interfaces with IPv4 addresses covered by “192.168.199.0 0.0.0.255” would be enabled with EIGRP AS 99, and all interfaces with IPv4 addresses covered by “192.168.201.0 0.0.0.255“ would be enabled with OSPF and assigned to area 0. Just in case you need some help about visualizing Wildcard Masks, you can download an Excel Spreadsheet Wildcard Mask Calculator in this post: Revised post: Covering Subnet Calculator to understand more about Wildcard Mask That's all for use cases. We simply don't use Wildcard Masks, in any other scenarios. NX-OS, ASA, and IPv6 we do not have Wildcard Masks If you are lucky enough to work on Cisco NX-OS, Cisco ASA alone, you don’t need Wildcard Masks because they are not supported at all on these operating systems. Or, if you work in IPv6-only world without IPv4, you don’t need Wildcard Masks at all because all IPv6 commands of any Cisco’s operating systems do not use Wildcard Masks at all. Tamsui River (淡水河) Estuary after sunset. Tamsui District, New Taipei City, Taiwan. One more thing… I always say that we can simply assume Cisco IOS Wildcard Mask are derived by mapping 1s to 0s and 0s to 1s of equivalent subnet mask in binary notation. This brings up a question: why do we need Wildcard Mask at the first place? Why not just reuse IP subnet masks instead of creating new objects like Wildcard Masks? I don’t have any official information source. In my opinion, “flexibility” might be the cause. I try to imagine two possible cases. We only want to select IP subnets with “even-number 3rd digits”, or, we want to select any hosts end with number “77”. 
Here are single line Wildcard Masks to select them out. Single line Wildcard Mask “192.168.0.0 0.0.254.255” selects IP subnets 192.168.0.0/24, 192.168.2.0/24. 192.168.4.0/24 … 192.168.254.0/24. Single line Wildcard Mask “192.168.0.77 0.0.255.0” selects 192.168.0.77, 192.168.1.77, 192.168.2.77 … 192.168.255.77. Subnet masks are not flexible. All subnet masks must begin with contiguous “1”s, and rest of the digits must be “0”s, it is complex to combine many more subnet masks to define the identical selections for above two imaginary examples. Please don’t get me wrong! I don’t like Wildcard Masks, either. I always avoid Wildcard Masks when managing a network. I do Wildcard Masks only when taking exams. These two imaginary examples are rare in practical networks. Most administrators I know of always group endpoints with IP subnets, instead of confusing even-odd way. Maybe I will create another post to tell you how I avoid Wildcard Masks! I am Li-Ji Hong. And this is my blog “Show IP Protocols”. See you next time!</itunes:subtitle><itunes:author>Li-Ji Hong (洪李吉)</itunes:author><itunes:summary>People might still be interested in about Cisco Wildcard Masks. I try to summarize interesting information about Wildcard Masks in this post. Use Case 1: IPv4 Access Control Lists on Cisco IOS, IOS XE, and IOS XR Wildcard masks are for us to select only subsets of IPv4 addresses. When we define selected source or destination IPv4 addresses for an Access Control List (ACL), we use Wildcard Mask. Here is an example for Cisco IOS and IOS XE. ip access-list extended ACL-NAME &amp;nbsp;deny tcp 172.16.9.0 0.0.0.255 172.16.0.0 0.0.255.255 eq 22 &amp;nbsp;permit ip any any Here is an equivalent ACL example for Cisco IOS XR. ipv4 access-list ACL-NAME &amp;nbsp;deny tcp 172.16.9.0 0.0.0.255 172.16.0.0 0.0.255.255 eq 22 &amp;nbsp;permit ip any any All Cisco IOS XR Access Control Lists are “extended, and named” in Cisco IOS’s sense. And we don’t need “extended” keyword in IOS XR commands. 
Use Case 2: Selecting interfaces to start Routing Protocols on Cisco IOS, and IOS XE The “network” commands for OSPFv2 and EIGRP are to select interfaces to start OSPF or EIGRP by interfaces’ IPv4 addresses. For example: router eigrp 99 &amp;nbsp;network 192.168.199.0 0.0.0.255 router ospf 1 &amp;nbsp;network 192.168.201.0 0.0.0.255 area 0 Here, all interfaces with IPv4 addresses covered by “192.168.199.0 0.0.0.255” would be enabled with EIGRP AS 99, and all interfaces with IPv4 addresses covered by “192.168.201.0 0.0.0.255“ would be enabled with OSPF and assigned to area 0. Just in case you need some help about visualizing Wildcard Masks, you can download an Excel Spreadsheet Wildcard Mask Calculator in this post: Revised post: Covering Subnet Calculator to understand more about Wildcard Mask That's all for use cases. We simply don't use Wildcard Masks, in any other scenarios. NX-OS, ASA, and IPv6 we do not have Wildcard Masks If you are lucky enough to work on Cisco NX-OS, Cisco ASA alone, you don’t need Wildcard Masks because they are not supported at all on these operating systems. Or, if you work in IPv6-only world without IPv4, you don’t need Wildcard Masks at all because all IPv6 commands of any Cisco’s operating systems do not use Wildcard Masks at all. Tamsui River (淡水河) Estuary after sunset. Tamsui District, New Taipei City, Taiwan. One more thing… I always say that we can simply assume Cisco IOS Wildcard Mask are derived by mapping 1s to 0s and 0s to 1s of equivalent subnet mask in binary notation. This brings up a question: why do we need Wildcard Mask at the first place? Why not just reuse IP subnet masks instead of creating new objects like Wildcard Masks? I don’t have any official information source. In my opinion, “flexibility” might be the cause. I try to imagine two possible cases. We only want to select IP subnets with “even-number 3rd digits”, or, we want to select any hosts end with number “77”. 
Here are single line Wildcard Masks to select them out. Single line Wildcard Mask “192.168.0.0 0.0.254.255” selects IP subnets 192.168.0.0/24, 192.168.2.0/24. 192.168.4.0/24 … 192.168.254.0/24. Single line Wildcard Mask “192.168.0.77 0.0.255.0” selects 192.168.0.77, 192.168.1.77, 192.168.2.77 … 192.168.255.77. Subnet masks are not flexible. All subnet masks must begin with contiguous “1”s, and rest of the digits must be “0”s, it is complex to combine many more subnet masks to define the identical selections for above two imaginary examples. Please don’t get me wrong! I don’t like Wildcard Masks, either. I always avoid Wildcard Masks when managing a network. I do Wildcard Masks only when taking exams. These two imaginary examples are rare in practical networks. Most administrators I know of always group endpoints with IP subnets, instead of confusing even-odd way. Maybe I will create another post to tell you how I avoid Wildcard Masks! I am Li-Ji Hong. And this is my blog “Show IP Protocols”. See you next time!</itunes:summary><itunes:keywords>Internet,Cisco</itunes:keywords></item><item><title>Revised post: Covering Subnet Calculator to understand more about Wildcard Mask</title><link>https://showipprotocols.blogspot.com/2019/11/revised-covering-subnet-calculator.html</link><category>CCNA</category><pubDate>Tue, 5 Nov 2019 18:05:00 +0800</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6616815944293602407.post-2228079924861874701</guid><description>&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhe1R-KnfcKEDoqRBVBSd5v5oUQ8x-iCR5Et48C00UtfAj3L6W_1_Pwm_TfEInNEOYj_KQsAgEbrLmVNygwTn6tWQE_ymCE8bcQSu5rmahhtfpntvR66W0efMl4OVjPG72LPZZA77q54wM/s1600/try2.mp4_snapshot_00.05_%255B2019.11.05_17.27.31%255D.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" data-original-height="720" data-original-width="1280" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhe1R-KnfcKEDoqRBVBSd5v5oUQ8x-iCR5Et48C00UtfAj3L6W_1_Pwm_TfEInNEOYj_KQsAgEbrLmVNygwTn6tWQE_ymCE8bcQSu5rmahhtfpntvR66W0efMl4OVjPG72LPZZA77q54wM/s320/try2.mp4_snapshot_00.05_%255B2019.11.05_17.27.31%255D.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
This tool is an update to my previous post:&lt;br /&gt;
&lt;blockquote class="tr_bq"&gt;
&lt;a href="https://showipprotocols.blogspot.com/2013/11/cisco-ios-ipv4-wildcard-mask.html" target="_blank"&gt;Simple visual tool to calculate Cisco IOS Wildcard Mask&lt;/a&gt;&lt;/blockquote&gt;
&lt;br /&gt;
&lt;h3&gt;
Notes for Cisco IOS Wildcard Mask&lt;/h3&gt;
&lt;br /&gt;
You can simply assume a Cisco IOS Wildcard Mask is derived by mapping 1s to 0s and 0s to 1s of the equivalent subnet mask in binary notation.&lt;br /&gt;
&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;
By definition, “0” bits in a wildcard mask denote the bits that must match the base prefix, and “1” bits denote the bits you simply don’t care about.&lt;br /&gt;
&lt;br /&gt;
All subnet masks must begin with contiguous “1”s, and the rest of the digits must be “0”. Wildcard masks, on the other hand, have no such requirement. That is the major difference between a subnet mask and a wildcard mask.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipUEgjU7BkMcDP1uMDqscSqcZXlgDX7SlLptLo6tHm9nMgRmEZLwzOxrB3NJvrSNcEdjgB11FtNfzGeOmFjbYDiIdEeBEa7X-MC9FPYMmuHYOmBObzaN4Bi-9QeubZ0WhPhZET113J6j8/s1600/try2.mp4_snapshot_01.23_%255B2019.11.05_17.32.02%255D.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="720" data-original-width="1280" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipUEgjU7BkMcDP1uMDqscSqcZXlgDX7SlLptLo6tHm9nMgRmEZLwzOxrB3NJvrSNcEdjgB11FtNfzGeOmFjbYDiIdEeBEa7X-MC9FPYMmuHYOmBObzaN4Bi-9QeubZ0WhPhZET113J6j8/s640/try2.mp4_snapshot_01.23_%255B2019.11.05_17.32.02%255D.jpg" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;h3&gt;
Updates&lt;/h3&gt;
&lt;br /&gt;
I changed my flow of using this Excel file. You simply input the “Starting IPv4 Address” and the number of contiguous hosts you desire to cover with a single IPv4 subnet, and then this Excel file calculates everything else for you.&lt;br /&gt;
&lt;br /&gt;
&lt;h3&gt;
Getting this Excel file&lt;/h3&gt;
&lt;br /&gt;
The original Excel file is here. You need Microsoft Excel or LibreOffice Calc to open and play with this file.&lt;br /&gt;
&lt;br /&gt;
&lt;blockquote class="tr_bq"&gt;
&lt;a href="https://drive.google.com/file/d/1lq3l20Ez-p_zuPacmkKMK1lpugwgfZzf/view?usp=sharing" target="_blank"&gt;&lt;span style="font-size: large;"&gt;“ipv4-covering-first-last.xlsx”&lt;/span&gt;&lt;/a&gt;&lt;/blockquote&gt;
&lt;br /&gt;
If you are familiar with Google Docs, you can also “&lt;a href="https://docs.google.com/spreadsheets/d/e/2PACX-1vTAzvYnZrmhegwfJydyDIAWaJFiHDmKxpsm4XJ1Xw3pUs5tQT07J3rV3hR8vNlmdy7SScmGJSqNRQ2A/pubhtml" target="_blank"&gt;Use this template&lt;/a&gt;” or &lt;a href="https://docs.google.com/spreadsheets/d/e/2PACX-1vTAzvYnZrmhegwfJydyDIAWaJFiHDmKxpsm4XJ1Xw3pUs5tQT07J3rV3hR8vNlmdy7SScmGJSqNRQ2A/pubhtml" target="_blank"&gt;save this file&lt;/a&gt; to Google Drive for viewing and playing.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;div class="video-container"&gt;
&lt;iframe src="https://docs.google.com/spreadsheets/d/e/2PACX-1vTAzvYnZrmhegwfJydyDIAWaJFiHDmKxpsm4XJ1Xw3pUs5tQT07J3rV3hR8vNlmdy7SScmGJSqNRQ2A/pubhtml?widget=true&amp;amp;headers=false"&gt;&lt;/iframe&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;h3&gt;
One more thing…&lt;/h3&gt;
&lt;br /&gt;
I also created a demonstration video using this Calculator on YouTube.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="video-container"&gt;
&lt;iframe allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="" frameborder="0" height="480" src="https://www.youtube.com/embed/4VTtfArkwxM" width="853"&gt;&lt;/iframe&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;br /&gt;
I am Li-Ji Hong. And this is my blog “Show IP Protocols”. See you next time!&lt;br /&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
</description><enclosure length="0" type="audio/mpeg" url="https://archive.org/download/hongliji-sip-p-20191105/hongliji-sip-p-20191105.mp3"/><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhe1R-KnfcKEDoqRBVBSd5v5oUQ8x-iCR5Et48C00UtfAj3L6W_1_Pwm_TfEInNEOYj_KQsAgEbrLmVNygwTn6tWQE_ymCE8bcQSu5rmahhtfpntvR66W0efMl4OVjPG72LPZZA77q54wM/s72-c/try2.mp4_snapshot_00.05_%255B2019.11.05_17.27.31%255D.jpg" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><georss:featurename xmlns:georss="http://www.georss.org/georss">Wanhua District, Taipei City, Taiwan 108</georss:featurename><georss:point xmlns:georss="http://www.georss.org/georss">25.0262857 121.49702939999997</georss:point><georss:box xmlns:georss="http://www.georss.org/georss">24.9687357 121.41634839999998 25.083835699999998 121.57771039999997</georss:box><author>hongliji@gmail.com (Li-Ji Hong (洪李吉))</author><itunes:explicit>no</itunes:explicit><itunes:subtitle>This tool is an update to my previous post: Simple visual tool to calculate Cisco IOS Wildcard Mask Notes for Cisco IOS Wildcard Mask You can simply assume Cisco IOS Wildcard Mask are derived by mapping 1s to 0s and 0s to 1s of equivalent subnet mask in binary notation. By definition, “0” bits in a wildcard mask denote the bits you must match the base prefix, and “1” bits denote the bits you simply don’t care. All subnet masks must begin with contiguous “1”s, and rest of the digits must be “0”. On the other hand, no such requirements are for wildcard masks. That is the major difference between subnet mask and wildcard mask. Updates I changed my flow of using this Excel file. You simply input “Starting IPv4 Address”, and the number of contiguous hosts you desire to cover with a single IPv4 subnet, and then this Excel file calculate everything else for you. Getting this Excel file Original Excel file is here. 
You need Microsoft Excel software or LibreOffice Calc to open and play with this file. “ipv4-covering-first-last.xlsx” If you are familiar with Google Docs, you can also “Use this template” or save this file to Google Drive for viewing and playing. One more thing… I also created a demonstration video using this Calculator on YouTube. I am Li-Ji Hong. And this is my blog “Show IP Protocols”. See you next time!</itunes:subtitle><itunes:author>Li-Ji Hong (洪李吉)</itunes:author><itunes:summary>This tool is an update to my previous post: Simple visual tool to calculate Cisco IOS Wildcard Mask Notes for Cisco IOS Wildcard Mask You can simply assume Cisco IOS Wildcard Mask are derived by mapping 1s to 0s and 0s to 1s of equivalent subnet mask in binary notation. By definition, “0” bits in a wildcard mask denote the bits you must match the base prefix, and “1” bits denote the bits you simply don’t care. All subnet masks must begin with contiguous “1”s, and rest of the digits must be “0”. On the other hand, no such requirements are for wildcard masks. That is the major difference between subnet mask and wildcard mask. Updates I changed my flow of using this Excel file. You simply input “Starting IPv4 Address”, and the number of contiguous hosts you desire to cover with a single IPv4 subnet, and then this Excel file calculate everything else for you. Getting this Excel file Original Excel file is here. You need Microsoft Excel software or LibreOffice Calc to open and play with this file. “ipv4-covering-first-last.xlsx” If you are familiar with Google Docs, you can also “Use this template” or save this file to Google Drive for viewing and playing. One more thing… I also created a demonstration video using this Calculator on YouTube. I am Li-Ji Hong. And this is my blog “Show IP Protocols”. 
See you next time!</itunes:summary><itunes:keywords>Internet,Cisco</itunes:keywords></item><item><title>Global BGP IPv4 table is around 800K in size</title><link>https://showipprotocols.blogspot.com/2019/11/global-bgp-ipv4-table-800k.html</link><category>BGP</category><pubDate>Sun, 3 Nov 2019 14:32:00 +0800</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6616815944293602407.post-4655413839530714132</guid><description>&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7jQjucNEFbiuZoVSMIO8tUMZHf4mPto4f1t1-GMCbYKPPrHihiQ_aZSYz0z_H3zE7d1pm637hHEhXJ8EQJelXNeFQMdfziKfQTRMFI876JgGgWea06C2nFxLOPE_Fu_XCrm5UTB3fHOk/s1600/20190821_170817.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" data-original-height="900" data-original-width="1600" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7jQjucNEFbiuZoVSMIO8tUMZHf4mPto4f1t1-GMCbYKPPrHihiQ_aZSYz0z_H3zE7d1pm637hHEhXJ8EQJelXNeFQMdfziKfQTRMFI876JgGgWea06C2nFxLOPE_Fu_XCrm5UTB3fHOk/s320/20190821_170817.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
This week the global BGP IPv4 table is &lt;a href="https://www.cidr-report.org/as2.0/" target="_blank"&gt;around 800,000 entries in size&lt;/a&gt;. I bring this up just to give you a heads-up and say “Wow”. I don’t want to make you worry about the number. This is not my intention.&lt;br /&gt;
&lt;br /&gt;
I still remember the “good old days” when I installed a BGP router (Cisco 3660) with 256 Megabytes of DRAM memory in the year 2001. At that time, the BGP table was below 150,000 entries, so that router worked well.&lt;br /&gt;
&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFCSTXtvLlgE8_uBU5VnwcxCx0vYSYAWvYwrqB5E9b7i_70fhjNIM3WXFH7CQKo4MMK9PdaxgocgGERvEaRcsTkLXrJ42m5C7lm5KR9OhzxmndDuDALCkVypnE1ccbzyTx2zORQ6h7PMA/s1600/bgp-800k-nov-2019.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="281" data-original-width="1125" height="158" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFCSTXtvLlgE8_uBU5VnwcxCx0vYSYAWvYwrqB5E9b7i_70fhjNIM3WXFH7CQKo4MMK9PdaxgocgGERvEaRcsTkLXrJ42m5C7lm5KR9OhzxmndDuDALCkVypnE1ccbzyTx2zORQ6h7PMA/s640/bgp-800k-nov-2019.jpg" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Screen capture of &lt;a href="https://www.cidr-report.org/as2.0/" target="_blank"&gt;CIDR REPORT website on November 3, 2019&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;br /&gt;
The size of router DRAM is not a problem today for most BGP administrators. I wrote &lt;a href="https://showipprotocols.blogspot.com/2009/08/bgp-memory-requirement-estimation.html" target="_blank"&gt;a post about BGP memory consumption&lt;/a&gt; with this rough estimate: every 100K BGP entries from a single peer require 80 Megabytes of DRAM.&lt;br /&gt;
&lt;br /&gt;
In other words, to store 800,000 entries today, we need around 800 Megabytes (that is, 0.8 Gigabytes) of DRAM for the BGP protocol. This is a piece of cake for today’s router hardware.&lt;br /&gt;
&lt;br /&gt;
Even an old &lt;a href="https://www.cisco.com/c/en/us/products/collateral/routers/asr-1000-series-aggregation-services-routers/data_sheet_c78-441072.html" target="_blank"&gt;Cisco ASR 1000 RP1 router&lt;/a&gt; with 4 Gigabytes of DRAM supports “up to 1,000,000 IPv4 routes”. No need to worry about 800K BGP entries.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7jQjucNEFbiuZoVSMIO8tUMZHf4mPto4f1t1-GMCbYKPPrHihiQ_aZSYz0z_H3zE7d1pm637hHEhXJ8EQJelXNeFQMdfziKfQTRMFI876JgGgWea06C2nFxLOPE_Fu_XCrm5UTB3fHOk/s1600/20190821_170817.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="900" data-original-width="1600" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7jQjucNEFbiuZoVSMIO8tUMZHf4mPto4f1t1-GMCbYKPPrHihiQ_aZSYz0z_H3zE7d1pm637hHEhXJ8EQJelXNeFQMdfziKfQTRMFI876JgGgWea06C2nFxLOPE_Fu_XCrm5UTB3fHOk/s640/20190821_170817.jpg" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Taipei City view over &lt;a href="https://en.wikipedia.org/wiki/Taipei_Main_Station" target="_blank"&gt;Taipei Main Station (台北車站)&lt;/a&gt;.&lt;br /&gt;
August 21, 2019&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;h3&gt;
One more thing…&lt;/h3&gt;
&lt;br /&gt;
I just want to remind you of one thing when you are planning BGP Route Reflectors. Memory size could be an issue because you must multiply the above estimates by the number of BGP peers.&lt;br /&gt;
&lt;br /&gt;
Again, with a Cisco ASR 1000 RP1 router with 4 Gigabytes of DRAM, BGP Route Reflector scalability is “up to 5,000,000 IPv4 routes”. If you are planning a route reflector on this model with more than 5 BGP peers, you must examine the table size more carefully.&lt;br /&gt;
&lt;br /&gt;
And by the way, the IPv6 global BGP table size is &lt;a href="http://www.cidr-report.org/v6/as2.0/" target="_blank"&gt;around 80K&lt;/a&gt; this week. The IPv6 table is still not that huge compared to IPv4 today.&lt;br /&gt;
&lt;br /&gt;
I am Li-Ji Hong. This is my blog “Show IP Protocols”. See you next time!&lt;br /&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
</description><enclosure length="0" type="audio/mpeg" url="https://archive.org/download/hongliji-sip-p-20191103/hongliji-sip-p-20191103.mp3"/><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7jQjucNEFbiuZoVSMIO8tUMZHf4mPto4f1t1-GMCbYKPPrHihiQ_aZSYz0z_H3zE7d1pm637hHEhXJ8EQJelXNeFQMdfziKfQTRMFI876JgGgWea06C2nFxLOPE_Fu_XCrm5UTB3fHOk/s72-c/20190821_170817.jpg" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><georss:featurename xmlns:georss="http://www.georss.org/georss">Wanhua District, Taipei City, Taiwan 108</georss:featurename><georss:point xmlns:georss="http://www.georss.org/georss">25.0262857 121.49702939999997</georss:point><georss:box xmlns:georss="http://www.georss.org/georss">24.9687357 121.41634839999998 25.083835699999998 121.57771039999997</georss:box><author>hongliji@gmail.com (Li-Ji Hong (洪李吉))</author><itunes:explicit>no</itunes:explicit><itunes:subtitle>This week the global BGP IPv4 table is around 800,000 entries in size. I bring this up just to give you a head-up and say a “Wow”. I don’t want to make you worry about the number. This is not my intention. I still remember the “old good time” when I had installed a BGP router (Cisco 3660) with 256 Megabytes of DRAM memory in year 2001. At that time, the BGP table is below 150,000 entries so that router worked well. Screen capture of CIDR REPORT website on November 3, 2019 The size of router DRAM memory is not a problem today for most of BGP administrators. I had created a post about BGP memory consumption and had this rough estimate: every 100K BGP entries from a single peer requires 80 Megabytes of DRAM. In other words, to store 800,000 entries today, we simply need around 800 Megabytes (that is 0.8 Gigabytes) DRAM for BGP protocol. This is simply a piece of cake for today’s router hardware. 
Even an old Cisco ASR 1000 RP1 router with 4 Gigabytes DRAM supports “up to 1,000,000 IPv4 routes”. No worry on 800K BGP entries. Taipei City view over Taipei Main Station (台北車站). August 21, 2019 One more thing… I just want to remind you when you are planning for BGP Route Reflectors. The memory size could be an issue because you must multiply the above estimates to the number of BGP protocol peers. Again, with Cisco ASR 1000 RP1 router with 4 Gigabytes DRAM, BGP Route Reflector scalability is “up to 5,000,000 IPv4 routes”. If you are planning a route reflector using this model to have more than 5 BGP peers, you must examine the table size more carefully. And by the way, IPv6 global BGP table size is around 80K this week. IPv6 table size is still not that huge compared to IPv4 today. I am Li-Ji Hong. This is my blog “Show IP Protocols”. See you next time!</itunes:subtitle><itunes:author>Li-Ji Hong (洪李吉)</itunes:author><itunes:summary>This week the global BGP IPv4 table is around 800,000 entries in size. I bring this up just to give you a head-up and say a “Wow”. I don’t want to make you worry about the number. This is not my intention. I still remember the “old good time” when I had installed a BGP router (Cisco 3660) with 256 Megabytes of DRAM memory in year 2001. At that time, the BGP table is below 150,000 entries so that router worked well. Screen capture of CIDR REPORT website on November 3, 2019 The size of router DRAM memory is not a problem today for most of BGP administrators. I had created a post about BGP memory consumption and had this rough estimate: every 100K BGP entries from a single peer requires 80 Megabytes of DRAM. In other words, to store 800,000 entries today, we simply need around 800 Megabytes (that is 0.8 Gigabytes) DRAM for BGP protocol. This is simply a piece of cake for today’s router hardware. Even an old Cisco ASR 1000 RP1 router with 4 Gigabytes DRAM supports “up to 1,000,000 IPv4 routes”. No worry on 800K BGP entries. 
Taipei City view over Taipei Main Station (台北車站). August 21, 2019 One more thing… I just want to remind you when you are planning for BGP Route Reflectors. The memory size could be an issue because you must multiply the above estimates to the number of BGP protocol peers. Again, with Cisco ASR 1000 RP1 router with 4 Gigabytes DRAM, BGP Route Reflector scalability is “up to 5,000,000 IPv4 routes”. If you are planning a route reflector using this model to have more than 5 BGP peers, you must examine the table size more carefully. And by the way, IPv6 global BGP table size is around 80K this week. IPv6 table size is still not that huge compared to IPv4 today. I am Li-Ji Hong. This is my blog “Show IP Protocols”. See you next time!</itunes:summary><itunes:keywords>Internet,Cisco</itunes:keywords></item><item><title>Scanning active IPv4 addresses is difficult? Simpler than you think</title><link>https://showipprotocols.blogspot.com/2019/10/powershell-one-liner-pingsweep.html</link><category>PowerShell</category><category>Security</category><pubDate>Sun, 20 Oct 2019 23:07:00 +0800</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6616815944293602407.post-5471956281871239288</guid><description>&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwmilJTplgGdPvNGvF3UuOjb6Aq9YF18hR-wZe48JxaGp_pUqSS80x4SvtDbjScJzbi1ruHUoyG0hLKyj9cHJVKd2bbfGLWcFMyy8rXbWuxtfWx9QiEA6rGvrwHHrGaQovhrkVrmP9XHY/s1600/20190825_172115.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" data-original-height="900" data-original-width="1600" height="179" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwmilJTplgGdPvNGvF3UuOjb6Aq9YF18hR-wZe48JxaGp_pUqSS80x4SvtDbjScJzbi1ruHUoyG0hLKyj9cHJVKd2bbfGLWcFMyy8rXbWuxtfWx9QiEA6rGvrwHHrGaQovhrkVrmP9XHY/s320/20190825_172115.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
It is always a best practice to keep full track of all IP address assignments inside our local area network. From time to time, it might also be a good idea for security purposes to check whether we have any hidden nodes inside our network.&lt;br /&gt;
&lt;br /&gt;
To discover any node with active IP addresses inside our network, we might imagine that we must acquire powerful tools such as Cisco Prime Infrastructure before we can achieve anything. In fact, it might be much easier than you have expected. Let me show you how.&lt;br /&gt;
&lt;br /&gt;
All you must have is a Windows 10 PC. I think that should be easy.&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;
&lt;h4&gt;
Step 1: Start a PowerShell window with normal user privilege&lt;/h4&gt;
&lt;br /&gt;
Press “Windows Logo Key ❖ + R”; in the popup dialog, type “powershell” and press the Enter key to start a new PowerShell window.&lt;br /&gt;
&lt;br /&gt;
&lt;h4&gt;
Step 2: Type in or copy/paste this one-liner, and press Enter key to run&lt;/h4&gt;
&lt;br /&gt;
Here is a PowerShell one-liner I tested on my computer.&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: &amp;quot;courier new&amp;quot; , &amp;quot;courier&amp;quot; , monospace;"&gt;$ipv4prefix=$(ipconfig | where {$_ -match 'IPv4.+\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.)' } | out-null; $Matches[1]); 0..255 | %{"$ipv4prefix$_"}| % {"$($_): $(Test-Connection -count 1 -quiet -ComputerName $($_))"}&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
In case the variable “$ipv4prefix” is not parsed correctly, or you simply want to scan another network with a different IPv4 prefix, you can assign that string manually. For example, if your IP address range is “192.168.1.X”, you can set the “$ipv4prefix” variable to “&lt;span style="background-color: yellow;"&gt;192.168.1&lt;u&gt;.&lt;/u&gt;&lt;/span&gt;”. Be careful: the string must end with a dot. The modified one-liner becomes:&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: &amp;quot;courier new&amp;quot; , &amp;quot;courier&amp;quot; , monospace;"&gt;$ipv4prefix="192.168.1."; 0..255 | %{"$ipv4prefix$_"}| % {"$($_): $(Test-Connection -count 1 -quiet -ComputerName $($_))"} &lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;courier new&amp;quot; , &amp;quot;courier&amp;quot; , monospace;"&gt;&lt;br /&gt;&lt;/span&gt;
&lt;h4&gt;
Step 3: Wait about 5 minutes for the scan to finish, then capture your PowerShell window&lt;/h4&gt;
&lt;br /&gt;
The output should look something like this:&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: &amp;quot;courier new&amp;quot; , &amp;quot;courier&amp;quot; , monospace;"&gt;192.168.1.0: False&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;courier new&amp;quot; , &amp;quot;courier&amp;quot; , monospace;"&gt;192.168.1.1: True&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;courier new&amp;quot; , &amp;quot;courier&amp;quot; , monospace;"&gt;192.168.1.2: False&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;courier new&amp;quot; , &amp;quot;courier&amp;quot; , monospace;"&gt;192.168.1.3: False&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;courier new&amp;quot; , &amp;quot;courier&amp;quot; , monospace;"&gt;192.168.1.4: False&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;courier new&amp;quot; , &amp;quot;courier&amp;quot; , monospace;"&gt;192.168.1.5: True&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;courier new&amp;quot; , &amp;quot;courier&amp;quot; , monospace;"&gt;…&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
Lines with a “True” result are active IP addresses inside your network. The rest of the IP addresses did not respond.&lt;br /&gt;
&lt;br /&gt;
If you want to print only the active ones, you can append the filter “&lt;span style="font-family: &amp;quot;courier new&amp;quot; , &amp;quot;courier&amp;quot; , monospace;"&gt;| Select-String True&lt;/span&gt;” to the end of the previous one-liners. For example:&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: &amp;quot;courier new&amp;quot; , &amp;quot;courier&amp;quot; , monospace;"&gt;$ipv4prefix=$(ipconfig | where {$_ -match 'IPv4.+\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.)' } | out-null; $Matches[1]); 0..255 | %{"$ipv4prefix$_"}| % {"$($_): $(Test-Connection -count 1 -quiet -ComputerName $($_))"} | Select-String True&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;courier new&amp;quot; , &amp;quot;courier&amp;quot; , monospace;"&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style="font-family: &amp;quot;courier new&amp;quot; , &amp;quot;courier&amp;quot; , monospace;"&gt;&lt;br /&gt;&lt;/span&gt;
The output should be like this:&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: &amp;quot;courier new&amp;quot; , &amp;quot;courier&amp;quot; , monospace;"&gt;192.168.1.1: True&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;courier new&amp;quot; , &amp;quot;courier&amp;quot; , monospace;"&gt;192.168.1.5: True&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;courier new&amp;quot; , &amp;quot;courier&amp;quot; , monospace;"&gt;…&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;courier new&amp;quot; , &amp;quot;courier&amp;quot; , monospace;"&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style="font-family: &amp;quot;courier new&amp;quot; , &amp;quot;courier&amp;quot; , monospace;"&gt;&lt;br /&gt;&lt;/span&gt;
&lt;br /&gt;
&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwmilJTplgGdPvNGvF3UuOjb6Aq9YF18hR-wZe48JxaGp_pUqSS80x4SvtDbjScJzbi1ruHUoyG0hLKyj9cHJVKd2bbfGLWcFMyy8rXbWuxtfWx9QiEA6rGvrwHHrGaQovhrkVrmP9XHY/s1600/20190825_172115.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="900" data-original-width="1600" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwmilJTplgGdPvNGvF3UuOjb6Aq9YF18hR-wZe48JxaGp_pUqSS80x4SvtDbjScJzbi1ruHUoyG0hLKyj9cHJVKd2bbfGLWcFMyy8rXbWuxtfWx9QiEA6rGvrwHHrGaQovhrkVrmP9XHY/s640/20190825_172115.jpg" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Playground inside Central Culture Park (中央藝文公園、華山大草原)&lt;br /&gt;
Taipei City, Taiwan&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;br /&gt;
&lt;div class="video-container"&gt;
&lt;iframe allowfullscreen="" frameborder="0" height="450" src="https://www.google.com/maps/embed?pb=!1m14!1m8!1m3!1d3039.517648601159!2d121.52525971265929!3d25.047102062924104!3m2!1i1024!2i768!4f13.1!3m3!1m2!1s0x0%3A0xddf0559d94496ed0!2sCentral%20Art%20Park!5e0!3m2!1sen!2stw!4v1571583390015!5m2!1sen!2stw" style="border: 0;" width="600"&gt;&lt;/iframe&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;h3&gt;
One more thing…&lt;/h3&gt;
&lt;br /&gt;
In this post I showed you how easily you can explore your network with just your Windows 10 PC. You can imagine that with a Linux desktop we can do even more powerful discovery than this. Here is a one-liner for Bash together with the standard tool “awk”:&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: &amp;quot;courier new&amp;quot; , &amp;quot;courier&amp;quot; , monospace;"&gt;ipv4prefix="192.168.1."; for i in `seq 1 255`; do ping -c 1 ${ipv4prefix}$i | tr \\n ' ' | awk '/1 received/ {print $2}'; done&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
Now you have no excuse to say, “I cannot do any network exploration until I have Cisco Prime Infrastructure.” You can start network discovery right now after reading this post.&lt;br /&gt;
&lt;br /&gt;
And now you know how easily malicious hackers can find your public IP addresses and create trouble for you if your public-facing network devices are vulnerable, just as in this incident.&lt;br /&gt;
&lt;br /&gt;
&lt;blockquote class="tr_bq"&gt;
&lt;a href="https://showipprotocols.blogspot.com/2018/07/bank-lost-million-dollars-because-of-outdated-routers.html" target="_blank"&gt;Show IP Protocols: Bank lost 1 million US Dollars because of outdated routers&lt;/a&gt;&lt;/blockquote&gt;
&lt;br /&gt;
I am Li-Ji Hong. This is my blog “Show IP Protocols”. See you next time!</description><enclosure length="0" type="audio/mpeg" url="https://archive.org/download/hongliji-sip-p-20191020/hongliji-sip-p-20191020.mp3"/><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwmilJTplgGdPvNGvF3UuOjb6Aq9YF18hR-wZe48JxaGp_pUqSS80x4SvtDbjScJzbi1ruHUoyG0hLKyj9cHJVKd2bbfGLWcFMyy8rXbWuxtfWx9QiEA6rGvrwHHrGaQovhrkVrmP9XHY/s72-c/20190825_172115.jpg" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><georss:featurename xmlns:georss="http://www.georss.org/georss">Wanhua District, Taipei City, Taiwan 108</georss:featurename><georss:point xmlns:georss="http://www.georss.org/georss">25.0262857 121.49702939999997</georss:point><georss:box xmlns:georss="http://www.georss.org/georss">24.9687357 121.41634839999998 25.083835699999998 121.57771039999997</georss:box><author>hongliji@gmail.com (Li-Ji Hong (洪李吉))</author><itunes:explicit>no</itunes:explicit><itunes:subtitle>It is always a best practice to keep full track of all IP address assignments inside our local area network. From time to time, it might also be a good idea for security purposes to check whether we have any hidden nodes inside our network. To discover any node with active IP addresses inside our network, we might imagine that we must acquire powerful tools such as Cisco Prime Infrastructure before we can achieve anything. In fact, it might be much easier than you have expected. Let me show you how. All you must have is a Windows 10 PC. I think that should be easy. Step 1: Start a PowerShell window with normal user privilege Type “Windows Logo Key ❖ + R”, in the popup dialog, type “powershell”, and press Enter key to start a new PowerShell window. Step 2: Type in or copy/paste this one-liner, and press Enter key to run Here is a PowerShell one-liner I tested on my computer. 
$ipv4prefix=$(ipconfig | where {$_ -match 'IPv4.+\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.)' } | out-null; $Matches[1]); 0..255 | %{"$ipv4prefix$_"}| % {"$($_): $(Test-Connection -count 1 -quiet -ComputerName $($_))"} Just in case the variable “$ipv4prefix” is not parsed correctly, or you simply want to scan other networks in different IPv4 prefix, you can manually assign that string. For example, your IP address range is in “192.168.1.X”, you can assign “$ipv4prefix” variable with “192.168.1.”. Please be careful, we need a dot at the end of string. The modified one-liner now becomes like this: $ipv4prefix="192.168.1."; 0..255 | %{"$ipv4prefix$_"}| % {"$($_): $(Test-Connection -count 1 -quiet -ComputerName $($_))"} Step 3: Wait for about 5 minutes to finish the scanning and capture your PowerShell window screen. The output should be something like this screen: 192.168.1.0: False 192.168.1.1: True 192.168.1.2: False 192.168.1.3: False 192.168.1.4: False 192.168.1.5: True … Those lines with “True” result are active IP addresses inside your network. The rest of IP addresses are not responding at all. If you want to print out only active ones, you can attach filters at the end of previous one-liners with “| Select-String True”. For example: $ipv4prefix=$(ipconfig | where {$_ -match 'IPv4.+\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.)' } | out-null; $Matches[1]); 0..255 | %{"$ipv4prefix$_"}| % {"$($_): $(Test-Connection -count 1 -quiet -ComputerName $($_))"} | Select-String True The output should be like this: 192.168.1.1: True 192.168.1.5: True … Playground inside Central Culture Park (中央藝文公園、華山大草原) Taipei City, Taiwan One more thing… In this post I just showed you how easily you can explore your network with simply your Windows 10 PC. You can now imagine that with a Linux desktop we can do even more powerful discovery than this. 
Here is a one-liner for BASH together with standard tool “awk”: ipv4prefix="192.168.1."; for i in `seq 1 255`; do ping -c 1 ${ipv4prefix}$i | tr \\n ' ' | awk '/1 received/ {print $2}'; done Now you have no excuses to say, I cannot do any network exploration until I have Cisco Prime Infrastructure. You can start network discovery right now after reading my post here. And now you know how easily malicious hackers can find your public IP addresses, and create trouble for you if your public-facing network devices are vulnerable, just like this incident. Show IP Protocols: Bank lost 1 million US Dollars because of outdated routers I am Li-Ji Hong. This is my blog “Show IP Protocols”. See you next time!</itunes:subtitle><itunes:author>Li-Ji Hong (洪李吉)</itunes:author><itunes:summary>It is always a best practice to keep full track of all IP address assignments inside our local area network. From time to time, it might also be a good idea for security purposes to check whether we have any hidden nodes inside our network. To discover any node with active IP addresses inside our network, we might imagine that we must acquire powerful tools such as Cisco Prime Infrastructure before we can achieve anything. In fact, it might be much easier than you have expected. Let me show you how. All you must have is a Windows 10 PC. I think that should be easy. Step 1: Start a PowerShell window with normal user privilege Type “Windows Logo Key ❖ + R”, in the popup dialog, type “powershell”, and press Enter key to start a new PowerShell window. Step 2: Type in or copy/paste this one-liner, and press Enter key to run Here is a PowerShell one-liner I tested on my computer. 
$ipv4prefix=$(ipconfig | where {$_ -match 'IPv4.+\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.)' } | out-null; $Matches[1]); 0..255 | %{"$ipv4prefix$_"}| % {"$($_): $(Test-Connection -count 1 -quiet -ComputerName $($_))"} Just in case the variable “$ipv4prefix” is not parsed correctly, or you simply want to scan other networks in different IPv4 prefix, you can manually assign that string. For example, your IP address range is in “192.168.1.X”, you can assign “$ipv4prefix” variable with “192.168.1.”. Please be careful, we need a dot at the end of string. The modified one-liner now becomes like this: $ipv4prefix="192.168.1."; 0..255 | %{"$ipv4prefix$_"}| % {"$($_): $(Test-Connection -count 1 -quiet -ComputerName $($_))"} Step 3: Wait for about 5 minutes to finish the scanning and capture your PowerShell window screen. The output should be something like this screen: 192.168.1.0: False 192.168.1.1: True 192.168.1.2: False 192.168.1.3: False 192.168.1.4: False 192.168.1.5: True … Those lines with “True” result are active IP addresses inside your network. The rest of IP addresses are not responding at all. If you want to print out only active ones, you can attach filters at the end of previous one-liners with “| Select-String True”. For example: $ipv4prefix=$(ipconfig | where {$_ -match 'IPv4.+\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.)' } | out-null; $Matches[1]); 0..255 | %{"$ipv4prefix$_"}| % {"$($_): $(Test-Connection -count 1 -quiet -ComputerName $($_))"} | Select-String True The output should be like this: 192.168.1.1: True 192.168.1.5: True … Playground inside Central Culture Park (中央藝文公園、華山大草原) Taipei City, Taiwan One more thing… In this post I just showed you how easily you can explore your network with simply your Windows 10 PC. You can now imagine that with a Linux desktop we can do even more powerful discovery than this. 
Here is a one-liner for BASH together with standard tool “awk”: ipv4prefix="192.168.1."; for i in `seq 1 255`; do ping -c 1 ${ipv4prefix}$i | tr \\n ' ' | awk '/1 received/ {print $2}'; done Now you have no excuses to say, I cannot do any network exploration until I have Cisco Prime Infrastructure. You can start network discovery right now after reading my post here. And now you know how easily malicious hackers can find your public IP addresses, and create trouble for you if your public-facing network devices are vulnerable, just like this incident. Show IP Protocols: Bank lost 1 million US Dollars because of outdated routers I am Li-Ji Hong. This is my blog “Show IP Protocols”. See you next time!</itunes:summary><itunes:keywords>Internet,Cisco</itunes:keywords></item><item><title>CCNA 2020, My summary of changes</title><link>https://showipprotocols.blogspot.com/2019/06/ccna-2020-my-summary-of-changes.html</link><category>CCNA</category><pubDate>Thu, 27 Jun 2019 18:12:00 +0800</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6616815944293602407.post-6983155353734890968</guid><description>&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijt4tXX1azfcsCGVs1mn5XMbgXCExQuM_WEoXNlSzqlN6G1Q6pntmgkoScrMlYePE7vmoQqWAxPhGzP5uXFr7Uu5_Te1NXXjuHx0kzDVp9yJzbVZy0Qp-GcxDf5gwrBPOzoop4mzZZAcA/s1600/20190625_091044.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" data-original-height="900" data-original-width="1600" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijt4tXX1azfcsCGVs1mn5XMbgXCExQuM_WEoXNlSzqlN6G1Q6pntmgkoScrMlYePE7vmoQqWAxPhGzP5uXFr7Uu5_Te1NXXjuHx0kzDVp9yJzbVZy0Qp-GcxDf5gwrBPOzoop4mzZZAcA/s320/20190625_091044.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
Cisco recently announced major changes to its certification programs, and they will all take effect on February 24, 2020. In this post, I am giving you my quick summary of the CCNA changes alone.&lt;br /&gt;
&lt;br /&gt;
&lt;h3&gt;
CCNA Exam Changes (200-301)&lt;/h3&gt;
&lt;br /&gt;
The official new exam name for CCNA 2020 is “Cisco Certified Network Associate v2.0 (CCNA 200-301)”. I know it is quite confusing since the CCNA exams have already changed a couple of times in recent years. I will call this 2020 CCNA by its exam code “200-301” instead.&lt;br /&gt;
&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
Compared to the current single 200-125 exam, the new 200-301 will test more topics and questions, such as Wireless LAN, Automation and Programming. The exam time is also increased. In short, the new CCNA exam will be more challenging to prepare for than the current exams.&lt;br /&gt;
&lt;br /&gt;
The good news is that, from today, we still have around 8 months before February 24, 2020 to take the current single 200-125 exam.&lt;br /&gt;
&lt;br /&gt;
If you are in the middle of CCNA preparation, I recommend that you keep going, which is also what Cisco recommends. Eight months should be enough for you, whether you plan to dedicate days to classroom training, take online training, or use self-study kits to prepare for the exam.&lt;br /&gt;
&lt;br /&gt;
Let’s move on to impacts.&lt;br /&gt;
&lt;br /&gt;
&lt;h3&gt;
Impacts to CCENT holders&lt;/h3&gt;
&lt;br /&gt;
If you plan to achieve CCNA by passing 2 exams in 2 stages, the 2020 changes could impact you the most. This is because the CCENT certification itself will also be gone after February 24, 2020! Your CCENT passing status cannot be recertified after February 24.&lt;br /&gt;
&lt;br /&gt;
To acquire your CCNA, you must pass both ICND1 (100-105) and ICND2 (200-105) within 8 months from today. Otherwise, you can only restart your whole CCNA certification process after February 24.&lt;br /&gt;
&lt;br /&gt;
&lt;h3&gt;
Impacts to specialized CCNA, e.g. CCNA Wireless&lt;/h3&gt;
&lt;br /&gt;
Specialized CCNA certifications, such as CCNA Wireless, will all be gone after February 24! They will all become a single certification: CCNA. There will be no more individual specialized CCNAs. Here is the list of “specialized CCNA” certifications that I know will be gone:&lt;br /&gt;
&lt;br /&gt;
&lt;ul&gt;
&lt;li&gt;CCNA Cloud&lt;/li&gt;
&lt;li&gt;CCNA Collaboration&lt;/li&gt;
&lt;li&gt;CCNA Cyber Ops&lt;/li&gt;
&lt;li&gt;CCNA Data Center&lt;/li&gt;
&lt;li&gt;CCDA&lt;/li&gt;
&lt;li&gt;CCNA Industrial&lt;/li&gt;
&lt;li&gt;CCNA Routing and Switching&lt;/li&gt;
&lt;li&gt;CCNA Security&lt;/li&gt;
&lt;li&gt;CCNA Service Provider&lt;/li&gt;
&lt;li&gt;CCNA Wireless&lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;
&lt;br /&gt;
Wait a minute, what about my passing status of these above certifications?&lt;br /&gt;
&lt;br /&gt;
In fact, Cisco will send you a new CCNA certificate if you are still a valid specialized CCNA holder on February 24. Since you have put extra effort into a specialized CCNA, Cisco will recognize it and count it as credits. These credits will count toward your future CCNA recertification. I will say more about CCNA recertification in the next topic.&lt;br /&gt;
&lt;br /&gt;
In short, if you already hold a specialized CCNA certificate, you still preserve your extra effort over plain CCNA. If you are in the middle of taking a specialized CCNA exam, then unless your exam costs are sponsored or you are required to take it anyway, I recommend waiting until February 24.&lt;br /&gt;
&lt;br /&gt;
I want to clarify that Cisco did also announce new Cisco Certified Specialist (or CCS for short) certifications. However, do not confuse them with specialized CCNA. Your specialized CCNA exam passing status will not help you acquire the new CCS certifications. Although the tested topics might overlap with your specialized CCNA, you still must take the new CCS exams after February 24 to acquire your new CCS certification.&lt;br /&gt;
&lt;br /&gt;
&lt;h3&gt;
Impacts on CCNA Recertification&lt;/h3&gt;
&lt;br /&gt;
After February 24, you have more paths to recertify your CCNA. Originally, you could only retake the same CCNA exam every 3 years to recertify. After February 24, you have more options. You can take any training classes that Cisco recognizes with credits. If you acquire more than 30 credits every 3 years, you recertify your CCNA without taking any exams.&lt;br /&gt;
&lt;br /&gt;
Although up to this moment, I don’t find any “credit” assignment rules to training classes yet. I believe Cisco would announce them soon.&lt;br /&gt;
&lt;br /&gt;
In my opinion, this is a more flexible approach because many people have completed many major training classes, and they just don’t have the time to pass the exams.&lt;br /&gt;
&lt;br /&gt;
&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijt4tXX1azfcsCGVs1mn5XMbgXCExQuM_WEoXNlSzqlN6G1Q6pntmgkoScrMlYePE7vmoQqWAxPhGzP5uXFr7Uu5_Te1NXXjuHx0kzDVp9yJzbVZy0Qp-GcxDf5gwrBPOzoop4mzZZAcA/s1600/20190625_091044.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="900" data-original-width="1600" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijt4tXX1azfcsCGVs1mn5XMbgXCExQuM_WEoXNlSzqlN6G1Q6pntmgkoScrMlYePE7vmoQqWAxPhGzP5uXFr7Uu5_Te1NXXjuHx0kzDVp9yJzbVZy0Qp-GcxDf5gwrBPOzoop4mzZZAcA/s640/20190625_091044.jpg" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;&lt;a href="https://goo.gl/maps/t24Us31nxPUPNKKF8" target="_blank"&gt;Shimen Red House (西門紅樓)&lt;/a&gt;&lt;br /&gt;
Taipei City, Taiwan&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;br /&gt;
&lt;h3&gt;
One more thing…&lt;/h3&gt;
&lt;br /&gt;
I like the new changes to CCNA certification. Although it will be more difficult to prepare for the new exams, adding topics such as Automation and Programming is great because this is the trend for TCP/IP networking. I will talk more about automation and programming in future posts.&lt;br /&gt;
&lt;br /&gt;
In addition to CCNA, Cisco also announced major changes to CCNP and CCIE, and they all take place on February 24, 2020. If you want to know more about the CCNP and CCIE certification changes, please let me know by leaving your questions below.&lt;br /&gt;
&lt;br /&gt;
This is my blog “Show IP Protocols”. I am Li-Ji Hong! Stay tuned!&lt;br /&gt;
&lt;div&gt;
&lt;br /&gt;
Links on Cisco.com:&lt;br /&gt;
&lt;a href="https://learningnetwork.cisco.com/community/certifications/ccna-cert/ccna-exam/exam-topics" target="_blank"&gt;Cisco Certified Network Associate (200-301)&lt;/a&gt;&lt;br /&gt;
&lt;a href="https://learningnetwork.cisco.com/thread/134625" target="_blank"&gt;New CCNA exam goes live on February 24, 2020&lt;/a&gt;&lt;/div&gt;
</description><enclosure length="0" type="audio/mpeg" url="https://archive.org/download/hongliji-sip-p-20190627/hongliji-sip-p-20190627.mp3"/><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijt4tXX1azfcsCGVs1mn5XMbgXCExQuM_WEoXNlSzqlN6G1Q6pntmgkoScrMlYePE7vmoQqWAxPhGzP5uXFr7Uu5_Te1NXXjuHx0kzDVp9yJzbVZy0Qp-GcxDf5gwrBPOzoop4mzZZAcA/s72-c/20190625_091044.jpg" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">3</thr:total><georss:featurename xmlns:georss="http://www.georss.org/georss">Wanhua District, Taipei City, Taiwan 108</georss:featurename><georss:point xmlns:georss="http://www.georss.org/georss">25.0262857 121.49702939999997</georss:point><georss:box xmlns:georss="http://www.georss.org/georss">24.9687357 121.41634839999998 25.083835699999998 121.57771039999997</georss:box><author>hongliji@gmail.com (Li-Ji Hong (洪李吉))</author><itunes:explicit>no</itunes:explicit><itunes:subtitle>Cisco recently announced major changes of certification programs and they all will take place on February 24, 2020. In this post, I am giving you my quick summary on CCNA alone. CCNA Exam Changes (200-301) The official new exam name for CCNA 2020 is “Cisco Certified Network Associate v2.0 (CCNA 200-301)”. I know it is quite confusing since CCNA exams has already been changed for a couple of times in recent years. I will call this 2020 CCNA by its exam code “200-301” instead. Compared to current single 200-125 exam, more topics and questions would be tested in the new 200-301, such as Wireless LAN, Automation and Programming. The exam time is also increased. For short, the new CCNA exam would be more challenging to prepare over the current exams. The good news is, we still have around 8 months to take current single 200-125 exam, before February 24, 2020 from today. If you are in the middle of CCNA preparation, I recommend keep going, which is also what Cisco recommends. 
Eight months should be enough for you, no matter you plan to dedicate days to take a classroom training, online training, or use self-studying kits, as tools for exam preparations. Let’s move on to impacts. Impacts to CCENT holders If you plan to achieve CCNA by passing 2 exams in 2 stages, the 2020 changes could impact you the most. This is because CCENT certification itself is also gone after February 24, 2020! Your CCENT passing status could not be re-certified after February 24. To acquire your CCNA, you must pass both ICND1 (100-105) and ICND2 (200-105) in 8 months from today. Otherwise, you can only restart your whole CCNA certification process after February 24. Impacts to specialized CCNA, e.g. CCNA Wireless Specialized CCNA certifications, such as CCNA Wireless, would all be gone after February 24! They all will become the single certification: CCNA. No more individual specialized CCNA anymore. Here is the list of “specialized CCNA” I know would be gone: CCNA Cloud CCNA Collaboration CCNA Cyber Ops CCNA Data Center CCDA CCNA Industrial CCNA Routing and Switching CCNA Security CCNA Service Provider CCNA Wireless Wait a minute, what about my passing status of these above certifications? In fact, Cisco will send you a new CCNA certificate if you are still a valid specialized CCNA holder on February 24. Since you have paid extra efforts for specialized CCNA, Cisco would recognize and count them in credits. These credits would be counted for your future CCNA recertification. I will talk more on CCNA recertification soon in next topic. For short, if you already are specialized CCNA certificate holder, you still preserve your extra efforts over plain CCNA. If you are in the middle of taking specialized CCNA exam, unless your exam costs are sponsored or requested to do it anyway, then I recommend wait until February 24. I want to clarify that Cisco do also announce new Cisco Certified Specialist (or CCS for short) certifications. 
However, do not confuse them with specialized CCNA. Your specialized CCNA exam passing status would not help you to acquire the new CCS certifications. Although the tested topics might be overlapping with your specialized CCNA, you still must take new CCS exams after February 24 to acquire your new CCS certification. Impacts on CCNA Recertification After February 24, you have more paths to recertify your CCNA. Originally, you can only re-take the same CCNA exam every 3 years to recertify. After February 24, you have more options. You can take any training classes that Cisco recognizes with credits. If you have acquired more than 30 credits every 3 years, you recertify your CCNA without taking any exams. Although up to this moment, I don’t find any “credit” assignment rules to training classes yet. I believe Cisco would announce them soon. In my opinion, this is a more flexible approach because many people have completed many major training classes, and they just don’t have the time to pass the exams. Shimen Red House (西門紅樓) Taipei City, Taiwan One more thing… I like the new changes to CCNA certification. Although it would be more difficult to prepare for new exams, adding topics such as Automation and Programming is great because this is the trend for TCP/IP networking. I will talk more on automation and programming soon in future posts. In addition to CCNA, Cisco also announced major changes to CCNP and CCIE, and they all take place on February 24, 2020. If you want to know more on CCNP and CCIE certification changes, please let me know by leaving your questions below. This is my blog “Show IP Protocols”. I am Li-Ji Hong! Stay tuned! Links on Cisco.com: Cisco Certified Network Associate (200-301) New CCNA exam goes live on February 24, 2020</itunes:subtitle><itunes:author>Li-Ji Hong (洪李吉)</itunes:author><itunes:summary>Cisco recently announced major changes of certification programs and they all will take place on February 24, 2020. 
In this post, I am giving you my quick summary on CCNA alone. CCNA Exam Changes (200-301) The official new exam name for CCNA 2020 is “Cisco Certified Network Associate v2.0 (CCNA 200-301)”. I know it is quite confusing since CCNA exams has already been changed for a couple of times in recent years. I will call this 2020 CCNA by its exam code “200-301” instead. Compared to current single 200-125 exam, more topics and questions would be tested in the new 200-301, such as Wireless LAN, Automation and Programming. The exam time is also increased. For short, the new CCNA exam would be more challenging to prepare over the current exams. The good news is, we still have around 8 months to take current single 200-125 exam, before February 24, 2020 from today. If you are in the middle of CCNA preparation, I recommend keep going, which is also what Cisco recommends. Eight months should be enough for you, no matter you plan to dedicate days to take a classroom training, online training, or use self-studying kits, as tools for exam preparations. Let’s move on to impacts. Impacts to CCENT holders If you plan to achieve CCNA by passing 2 exams in 2 stages, the 2020 changes could impact you the most. This is because CCENT certification itself is also gone after February 24, 2020! Your CCENT passing status could not be re-certified after February 24. To acquire your CCNA, you must pass both ICND1 (100-105) and ICND2 (200-105) in 8 months from today. Otherwise, you can only restart your whole CCNA certification process after February 24. Impacts to specialized CCNA, e.g. CCNA Wireless Specialized CCNA certifications, such as CCNA Wireless, would all be gone after February 24! They all will become the single certification: CCNA. No more individual specialized CCNA anymore. 
Here is the list of “specialized CCNA” I know would be gone: CCNA Cloud CCNA Collaboration CCNA Cyber Ops CCNA Data Center CCDA CCNA Industrial CCNA Routing and Switching CCNA Security CCNA Service Provider CCNA Wireless Wait a minute, what about my passing status of these above certifications? In fact, Cisco will send you a new CCNA certificate if you are still a valid specialized CCNA holder on February 24. Since you have paid extra efforts for specialized CCNA, Cisco would recognize and count them in credits. These credits would be counted for your future CCNA recertification. I will talk more on CCNA recertification soon in next topic. For short, if you already are specialized CCNA certificate holder, you still preserve your extra efforts over plain CCNA. If you are in the middle of taking specialized CCNA exam, unless your exam costs are sponsored or requested to do it anyway, then I recommend wait until February 24. I want to clarify that Cisco do also announce new Cisco Certified Specialist (or CCS for short) certifications. However, do not confuse them with specialized CCNA. Your specialized CCNA exam passing status would not help you to acquire the new CCS certifications. Although the tested topics might be overlapping with your specialized CCNA, you still must take new CCS exams after February 24 to acquire your new CCS certification. Impacts on CCNA Recertification After February 24, you have more paths to recertify your CCNA. Originally, you can only re-take the same CCNA exam every 3 years to recertify. After February 24, you have more options. You can take any training classes that Cisco recognizes with credits. If you have acquired more than 30 credits every 3 years, you recertify your CCNA without taking any exams. Although up to this moment, I don’t find any “credit” assignment rules to training classes yet. I believe Cisco would announce them soon. 
In my opinion, this is a more flexible approach because many people have completed many major training classes, and they just don’t have the time to pass the exams. Shimen Red House (西門紅樓) Taipei City, Taiwan One more thing… I like the new changes to CCNA certification. Although it would be more difficult to prepare for new exams, adding topics such as Automation and Programming is great because this is the trend for TCP/IP networking. I will talk more on automation and programming soon in future posts. In addition to CCNA, Cisco also announced major changes to CCNP and CCIE, and they all take place on February 24, 2020. If you want to know more on CCNP and CCIE certification changes, please let me know by leaving your questions below. This is my blog “Show IP Protocols”. I am Li-Ji Hong! Stay tuned! Links on Cisco.com: Cisco Certified Network Associate (200-301) New CCNA exam goes live on February 24, 2020</itunes:summary><itunes:keywords>Internet,Cisco</itunes:keywords></item><item><title>Google is terminating Google+ service</title><link>https://showipprotocols.blogspot.com/2019/02/migration-from-google-plus.html</link><pubDate>Thu, 14 Feb 2019 22:02:00 +0800</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6616815944293602407.post-2629396272440532674</guid><description>&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrB8MR71eBrjjFwc5ZTM04BEFMtv0VgqTlLCxjWikO870t4iFB2P2ntGLnXPFlnOL_UV2A9J-j_ycJyREvVMkYjEa84QZ_BHDlRxokByixgZ4WKcu1ffiyWxpfu22Ncxegp63M5G1Xo20/s1600/20190207_153241.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" data-original-height="900" data-original-width="1600" height="112" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrB8MR71eBrjjFwc5ZTM04BEFMtv0VgqTlLCxjWikO870t4iFB2P2ntGLnXPFlnOL_UV2A9J-j_ycJyREvVMkYjEa84QZ_BHDlRxokByixgZ4WKcu1ffiyWxpfu22Ncxegp63M5G1Xo20/s200/20190207_153241.jpg" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;
Hi, this is Li-Ji Hong speaking. We now know Google is terminating the Google+ service. I understand that many of you came from Google+ to find and visit my web site “Show IP Protocols”. To stay updated and connected to my web site “Show IP Protocols”, I recommend adding at least one of these three services: Twitter, Facebook, and Email subscription.&lt;br /&gt;
&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;&lt;span style="font-size: large;"&gt;Twitter&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Number 1 is Twitter. In my opinion, Twitter is very much like Google+. I will keep posting new content on Twitter even after Google+ stops.&lt;br /&gt;
&lt;br /&gt;
If you are already a Twitter user, you can simply follow my handle: hongliji. The full Twitter link is:&lt;br /&gt;
&lt;br /&gt;
&lt;a href="https://twitter.com/hongliji" target="_blank"&gt;https://twitter.com/hongliji&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
Even if you are not a Twitter user at all, I still recommend adding this link to your browser bookmarks, so you can come back more easily from time to time. On “Show IP Protocols” you basically find only posts that I create. When I come across good articles by others around the web, I share them on Twitter.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;&lt;span style="font-size: large;"&gt;Facebook&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Number 2 is Facebook. I started a Facebook Page for “Show IP Protocols” a long time ago, although I am not managing it well. If you stay on Facebook all the time, you can simply “Like” or follow this Facebook Page for “Show IP Protocols”.&lt;br /&gt;
&lt;br /&gt;
&lt;a href="https://www.facebook.com/showipprotocols" target="_blank"&gt;https://www.facebook.com/showipprotocols&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
The content posted on this page should be the same as on Twitter.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;&lt;span style="font-size: large;"&gt;Email subscription&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Last one, Email subscription. Email subscription is my recommended method. You will receive the full text and photos of every post via Email. The Email subscription service will always be available, even though I understand many people like phone Apps more than Emails today.&lt;br /&gt;
&lt;br /&gt;
Open this link to subscribe on FeedBurner:&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://feedburner.google.com/fb/a/mailverify?uri=ShowIPProtocols&amp;amp;loc=en_US" target="_blank"&gt;http://feedburner.google.com/fb/a/mailverify?uri=ShowIPProtocols&amp;amp;loc=en_US&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;&lt;span style="font-size: large;"&gt;One more thing…&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
I felt surprised and sad to learn that Google is terminating the Google+ service. On the other hand, Internet technologies will always evolve and innovate. I will keep my web site “Show IP Protocols” evolving and innovating, so you will always learn new things when visiting my web site “Show IP Protocols”.&lt;br /&gt;
&lt;br /&gt;
I am Li-Ji Hong. This is “Show IP Protocols”. See you next time!&lt;br /&gt;
&lt;br /&gt;
&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPEE0hgWShWiXYqfVDBc65Y8hA63SK8QO4Tw8L7m8tYm36U05ZXxxdxYvWXAGmoyHGrb8EYYLgbJ2oWMkF5tmwS0Vs2unQOYTBWmYmxeKMIU_88Jyrx5pVkTWuZep5DOy9RgeVlStpZQw/s1600/20190207_153241.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="900" data-original-width="1600" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPEE0hgWShWiXYqfVDBc65Y8hA63SK8QO4Tw8L7m8tYm36U05ZXxxdxYvWXAGmoyHGrb8EYYLgbJ2oWMkF5tmwS0Vs2unQOYTBWmYmxeKMIU_88Jyrx5pVkTWuZep5DOy9RgeVlStpZQw/s640/20190207_153241.jpg" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Cherry blossoms in Taoyuan&amp;nbsp;Brewery (桃園觀光酒廠) of&amp;nbsp;Taiwan Tobacco &amp;amp; Liquor Corporation (TTL)&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;br /&gt;</description><enclosure length="0" type="audio/mpeg" url="https://archive.org/download/hongliji-sip-p-20190214/hongliji-sip-p-20190214.mp3"/><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrB8MR71eBrjjFwc5ZTM04BEFMtv0VgqTlLCxjWikO870t4iFB2P2ntGLnXPFlnOL_UV2A9J-j_ycJyREvVMkYjEa84QZ_BHDlRxokByixgZ4WKcu1ffiyWxpfu22Ncxegp63M5G1Xo20/s72-c/20190207_153241.jpg" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><georss:featurename xmlns:georss="http://www.georss.org/georss">Wanhua District, Taipei City, Taiwan 108</georss:featurename><georss:point xmlns:georss="http://www.georss.org/georss">25.0262857 121.49702939999997</georss:point><georss:box xmlns:georss="http://www.georss.org/georss">24.9687357 121.41634839999998 25.083835699999998 121.57771039999997</georss:box><author>hongliji@gmail.com (Li-Ji Hong (洪李吉))</author><itunes:explicit>no</itunes:explicit><itunes:subtitle>Hi, this is Li-Ji Hong speaking. We now know Google is terminating Google+ service. I understand that many of you came from Google+ to find and visit my web site “Show IP Protocols”. To keep updated and connected to my web site “Show IP Protocols”, I recommend you adding at least one of these three services: Twitter, Facebook, and Email subscription. Twitter Number 1 is Twitter. In my opinion, Twitter is so much like Google+. I will keep posting new contents on Twitter even after Google+ stops. If you are already a Twitter user, you can simply follow my handle: hongliji. The full Twitter link is: https://twitter.com/hongliji Even if you are not Twitter user at all, I still recommend you adding this link to your browser bookmark. You can come back easier from time to time. On “Show IP Protocols” you basically find only posts that I create. When I come across good articles by others around the web, I would share them to Twitter. Facebook Number 2 is Facebook. 
I started a Facebook Page for “Show IP Protocols” long time ago although I am not managing well on Facebook. If you stay on Facebook all the time, you can simply “Like” or follow this Facebook Page for “Show IP Protocols”. https://www.facebook.com/showipprotocols The contents posted on this page should be the same as Twitter. Email subscription Last one, Email subscription. Email subscription is my recommended method. You will receive the full texts and photos of my every post via Emails. Email subscription service would be always available even I understand many people like phone Apps more than Emails today. Click open this link to subscribe on FeedBurner: http://feedburner.google.com/fb/a/mailverify?uri=ShowIPProtocols&amp;amp;loc=en_US One more thing… I felt surprised and sad to know that Google is terminating Google+ service. On the other hand, technologies of Internet would always evolve and be innovated. I will keep my web site “Show IP Protocols” evolving and being innovated, so you would always learn new things when visiting my web site “Show IP Protocols”. I am Li-Ji Hong. This is “Show IP Protocols”. See you next time! Cherry blossoms in Taoyuan&amp;nbsp;Brewery (桃園觀光酒廠) of&amp;nbsp;Taiwan Tobacco &amp;amp; Liquor Corporation (TTL)</itunes:subtitle><itunes:author>Li-Ji Hong (洪李吉)</itunes:author><itunes:summary>Hi, this is Li-Ji Hong speaking. We now know Google is terminating Google+ service. I understand that many of you came from Google+ to find and visit my web site “Show IP Protocols”. To keep updated and connected to my web site “Show IP Protocols”, I recommend you adding at least one of these three services: Twitter, Facebook, and Email subscription. Twitter Number 1 is Twitter. In my opinion, Twitter is so much like Google+. I will keep posting new contents on Twitter even after Google+ stops. If you are already a Twitter user, you can simply follow my handle: hongliji. 
The full Twitter link is: https://twitter.com/hongliji Even if you are not Twitter user at all, I still recommend you adding this link to your browser bookmark. You can come back easier from time to time. On “Show IP Protocols” you basically find only posts that I create. When I come across good articles by others around the web, I would share them to Twitter. Facebook Number 2 is Facebook. I started a Facebook Page for “Show IP Protocols” long time ago although I am not managing well on Facebook. If you stay on Facebook all the time, you can simply “Like” or follow this Facebook Page for “Show IP Protocols”. https://www.facebook.com/showipprotocols The contents posted on this page should be the same as Twitter. Email subscription Last one, Email subscription. Email subscription is my recommended method. You will receive the full texts and photos of my every post via Emails. Email subscription service would be always available even I understand many people like phone Apps more than Emails today. Click open this link to subscribe on FeedBurner: http://feedburner.google.com/fb/a/mailverify?uri=ShowIPProtocols&amp;amp;loc=en_US One more thing… I felt surprised and sad to know that Google is terminating Google+ service. On the other hand, technologies of Internet would always evolve and be innovated. I will keep my web site “Show IP Protocols” evolving and being innovated, so you would always learn new things when visiting my web site “Show IP Protocols”. I am Li-Ji Hong. This is “Show IP Protocols”. See you next time! 
Cherry blossoms in Taoyuan&amp;nbsp;Brewery (桃園觀光酒廠) of&amp;nbsp;Taiwan Tobacco &amp;amp; Liquor Corporation (TTL)</itunes:summary><itunes:keywords>Internet,Cisco</itunes:keywords></item><item><title>400G Ethernet, My Observation Notes</title><link>https://showipprotocols.blogspot.com/2018/11/400G-Ethernet-my-observation-notes.html</link><category>Ethernet</category><pubDate>Sun, 4 Nov 2018 17:51:00 +0800</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6616815944293602407.post-2579985660530229290</guid><description>&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEja3skGEmVDttwYefgezWOiT-7ljhGet0q_GJuF6yB8L4K62CDrtk4R0JS8e0eN3XjLrSgfSuZ_lqBHZ9vMJQwUOxEIuQpuI6GKrzvApIRcq35FY2WmcvGzMWHubu81Ncvcj0L_R6S1mAg/s1600/20180714_164254.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" data-original-height="900" data-original-width="1600" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEja3skGEmVDttwYefgezWOiT-7ljhGet0q_GJuF6yB8L4K62CDrtk4R0JS8e0eN3XjLrSgfSuZ_lqBHZ9vMJQwUOxEIuQpuI6GKrzvApIRcq35FY2WmcvGzMWHubu81Ncvcj0L_R6S1mAg/s320/20180714_164254.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
I saw &lt;a href="https://blogs.cisco.com/datacenter/400g-done-right-with-cisco-nexus-portfolio" target="_blank"&gt;a post&lt;/a&gt; saying that Cisco has announced 400G Ethernet switch products.&lt;br /&gt;
&lt;br /&gt;
400G Ethernet means the bit rate can be up to 400 Gbps. Here are some of my observation notes on 400G Ethernet products.&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;

&lt;b&gt;Cisco announced four models of Nexus 400G switches&lt;/b&gt;&lt;br /&gt;
&lt;b&gt;&lt;br /&gt;&lt;/b&gt;
&lt;br /&gt;
&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguLqaSRr_vqu5NcHVJnQhQR1H9NF8xEv0aoJQ1N6DvvxyjXmpy4ISEMj8tj1239mcsWO3V5XXM9xlKmXIBitbAWXdwqTxTowM7w6xceDvPh_nQelq_ZCs2ZNQgjnX2s5r7ivjf39QSWWs/s1600/%25E6%258A%2595%25E5%25BD%25B1%25E7%2589%25872.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="720" data-original-width="1280" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguLqaSRr_vqu5NcHVJnQhQR1H9NF8xEv0aoJQ1N6DvvxyjXmpy4ISEMj8tj1239mcsWO3V5XXM9xlKmXIBitbAWXdwqTxTowM7w6xceDvPh_nQelq_ZCs2ZNQgjnX2s5r7ivjf39QSWWs/s640/%25E6%258A%2595%25E5%25BD%25B1%25E7%2589%25872.JPG" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Screen capture on&amp;nbsp;&lt;a href="https://www.cisco.com/c/en/us/solutions/data-center/high-capacity-400g-data-center-networking/index.html" target="_blank"&gt;Cisco.com&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
On the product page, Cisco announced 4 new models of Nexus switches with 400G Ethernet capability.&lt;br /&gt;
&lt;br /&gt;
Nexus 9316D-GX is for Cisco ACI Spine. Nexus 93600CD-GX is for Cisco ACI Leaf. Nexus 3408-S and Nexus 3432D-S are non-ACI Ethernet switches.&lt;br /&gt;
&lt;br /&gt;
Cisco's product page is:&lt;br /&gt;
&lt;a href="https://www.cisco.com/c/en/us/solutions/data-center/high-capacity-400g-data-center-networking/index.html"&gt;https://www.cisco.com/c/en/us/solutions/data-center/high-capacity-400g-data-center-networking/index.html&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;400G port transceivers: QSFP-DD&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
All four models use QSFP-DD as the 400G Ethernet transceiver type.&lt;br /&gt;
&lt;br /&gt;
&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMk_Bkpiw5ggtIzHlnOXkf6UUybkQEPTHcpAI67CQatzlsiyuHmNxkHkneGEoNgDO0w7pUdyJFHz-Ub4lMrazkV7TG2azsIu6cXAD6wgt5C2a8giy407zhZvr3LzGafdsesV5lsEql_gk/s1600/%25E6%258A%2595%25E5%25BD%25B1%25E7%2589%25873.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="720" data-original-width="1280" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMk_Bkpiw5ggtIzHlnOXkf6UUybkQEPTHcpAI67CQatzlsiyuHmNxkHkneGEoNgDO0w7pUdyJFHz-Ub4lMrazkV7TG2azsIu6cXAD6wgt5C2a8giy407zhZvr3LzGafdsesV5lsEql_gk/s640/%25E6%258A%2595%25E5%25BD%25B1%25E7%2589%25873.JPG" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Screen capture on &lt;a href="https://blogs.cisco.com/sp/ofc-2017-demo-cisco-400gbe-optical-module" target="_blank"&gt;Cisco.com&lt;/a&gt;.&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;br /&gt;
QSFP Double Density (QSFP-DD) transceivers are the same size on the switch front panel as QSFP transceivers. The switch ports are also compatible with existing QSFP28 transceivers. That means my current 100G transceivers can be inserted and reused on these new, faster Nexus switches.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;The fiber connectors: LC or MPO-12&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
The fiber connectors should be of the LC or MPO-12 type.&lt;br /&gt;
&lt;br /&gt;
I cannot find an official datasheet to confirm that at this moment. However, I believe this should be true, based on photos published on Cisco's official web site.&lt;br /&gt;
&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1Kb0_e-vtO_ECHUesGb1liaDvtuPu7Zk7mAIUFghk3u5ugdDFQNGrkKn38eDNzGBIeJ2o2F2XihvCeoh0aDxWKKhbv_w2IJccuQSxvhWAxad5nEXwPDJyMUqyMPtPDrZKkMFK_g5s-VM/s1600/%25E6%258A%2595%25E5%25BD%25B1%25E7%2589%25874.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="720" data-original-width="1280" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1Kb0_e-vtO_ECHUesGb1liaDvtuPu7Zk7mAIUFghk3u5ugdDFQNGrkKn38eDNzGBIeJ2o2F2XihvCeoh0aDxWKKhbv_w2IJccuQSxvhWAxad5nEXwPDJyMUqyMPtPDrZKkMFK_g5s-VM/s640/%25E6%258A%2595%25E5%25BD%25B1%25E7%2589%25874.JPG" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Screen capture on &lt;a href="https://blogs.cisco.com/datacenter/bidirectional-bidi-optical-networking-to-400-gigabit-ethernet-realm" target="_blank"&gt;Cisco.com&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;br /&gt;
&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOFtWFEz1Kj3XBX-RmEkXw4v8Zvk_lmi8OB7zfY89mGnqfgf8yc9mVjbLluy-W91EDjevh929dO0qNm9Jbv3MqBX16zhjfp8YG4CTI8xOzS40EZzIQ6DGbLOoH9eGu10DtEAuYhqJ8IwU/s1600/%25E6%258A%2595%25E5%25BD%25B1%25E7%2589%25875.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="720" data-original-width="1280" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOFtWFEz1Kj3XBX-RmEkXw4v8Zvk_lmi8OB7zfY89mGnqfgf8yc9mVjbLluy-W91EDjevh929dO0qNm9Jbv3MqBX16zhjfp8YG4CTI8xOzS40EZzIQ6DGbLOoH9eGu10DtEAuYhqJ8IwU/s640/%25E6%258A%2595%25E5%25BD%25B1%25E7%2589%25875.JPG" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Screen capture on &lt;a href="https://blogs.cisco.com/sp/new-msa-formed-to-tackle-400ge-over-multi-mode-fiber" target="_blank"&gt;Cisco.com&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;br /&gt;
If my fiber cabling connectors are of type LC or MPO-12, I can reuse my existing fiber infrastructure to upgrade to 400G Ethernet. When you are planning a new fiber installation, I also recommend choosing LC and MPO-12 connectors.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;One more thing…&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
I believe 400G Ethernet should still be very expensive today, in 2018. I might not need it soon. I know I can reuse my existing expensive 100G Ethernet transceivers and fiber infrastructure when I upgrade to 400G Ethernet in the future. And this makes me feel better.&lt;br /&gt;
&lt;br /&gt;
I am Li-Ji Hong. What do you think about 400G Ethernet? Please share your ideas with me in the comments below! Thank you!&lt;br /&gt;
&lt;br /&gt;
&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3czZ0t260bCOxHAWZzo9qqUrTuP0vX7CkeDNm4A9eXeyEKT2lqQkoXAIRIiSJtOhWS4ZkjQDitLhHV5D2iEumpQ9ARGwAt8j1MuSq4kcMlOYjQEubw-P2hHgCVMCjHDgElYLTwHGmAfQ/s1600/20180714_164254.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="900" data-original-width="1600" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3czZ0t260bCOxHAWZzo9qqUrTuP0vX7CkeDNm4A9eXeyEKT2lqQkoXAIRIiSJtOhWS4ZkjQDitLhHV5D2iEumpQ9ARGwAt8j1MuSq4kcMlOYjQEubw-P2hHgCVMCjHDgElYLTwHGmAfQ/s640/20180714_164254.jpg" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Lotus pond inside &lt;a href="https://en.wikipedia.org/wiki/Taipei_Botanical_Garden" target="_blank"&gt;Taipei Botanical Garden&lt;/a&gt;&amp;nbsp;(台北植物園).&lt;br /&gt;
Taipei City, Taiwan&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;br /&gt;</description><enclosure length="0" type="audio/mpeg" url="https://archive.org/download/hongliji-sip-p-20181104/hongliji-sip-p-20181104.mp3"/><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEja3skGEmVDttwYefgezWOiT-7ljhGet0q_GJuF6yB8L4K62CDrtk4R0JS8e0eN3XjLrSgfSuZ_lqBHZ9vMJQwUOxEIuQpuI6GKrzvApIRcq35FY2WmcvGzMWHubu81Ncvcj0L_R6S1mAg/s72-c/20180714_164254.jpg" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><georss:featurename xmlns:georss="http://www.georss.org/georss">Wanhua District, Taipei City, Taiwan 108</georss:featurename><georss:point xmlns:georss="http://www.georss.org/georss">25.0262857 121.49702939999997</georss:point><georss:box xmlns:georss="http://www.georss.org/georss">24.9687357 121.41634839999998 25.083835699999998 121.57771039999997</georss:box><author>hongliji@gmail.com (Li-Ji Hong (洪李吉))</author><itunes:explicit>no</itunes:explicit><itunes:subtitle>I saw a post about Cisco has announced 400G Ethernet switch products. 400G Ethernet means the bit rate can be up to 400 Gbps. Here are some of my observation notes on 400G Ethernet products. Cisco announced four models of Nexus 400G switches Screen capture on&amp;nbsp;Cisco.com In the product page, Cisco announced 4 new models of Nexus switches with 400G Ethernet capability. Nexus 9316D-GX is for Cisco ACI Spine. Nexus 93600CD-GX is for Cisco ACI Leaf. Nexus 3408-S and Nexus 3432D-S are non-ACI Ethernet switches. Cisco's Product page is: https://www.cisco.com/c/en/us/solutions/data-center/high-capacity-400g-data-center-networking/index.html 400G port transceivers: QSFP-DD All four models use QSFP-DD as 400G Ethernet transceiver type. Screen capture on Cisco.com. QSFP Double Density (QSFP-DD) transceivers are the same size on the switch front panel as QSFP transceivers. The switch ports are also compatible with existing QSFP28 transceivers. 
That means, my current 100G transceivers can be inserted and reused on these new faster Nexus switches. The fiber connectors: LC or MPO-12 Fiber connectors should be in LC or MPO-12 types. I cannot find an official datasheet to confirm that at this moment. However, I believe this should be true when I saw photos published on Cisco official web site. Screen capture on Cisco.com Screen capture on Cisco.com If my fiber cabling connectors are in types of LC or MPO-12, I can reuse my existing fiber infrastructure to upgrade to 400G Ethernet. When you are planning for new fiber installation, I also recommend choosing LC and MPO-12 connectors. One more thing… I believe 400G Ethernet should still be very expensive today in year 2018. I might not need it soon. I know I can reuse my existing expensive 100G Ethernet transceivers and fiber infrastructures when I upgrade to 400G Ethernet in the future. And this makes me feel better. I am Li-Ji Hong. What do you think about 400G Ethernet? Please share your ideas with me in the comments below! Thank you! Lotus pond inside Taipei Botanical Garden&amp;nbsp;(台北植物園). Taipei City, Taiwan</itunes:subtitle><itunes:author>Li-Ji Hong (洪李吉)</itunes:author><itunes:summary>I saw a post about Cisco has announced 400G Ethernet switch products. 400G Ethernet means the bit rate can be up to 400 Gbps. Here are some of my observation notes on 400G Ethernet products. Cisco announced four models of Nexus 400G switches Screen capture on&amp;nbsp;Cisco.com In the product page, Cisco announced 4 new models of Nexus switches with 400G Ethernet capability. Nexus 9316D-GX is for Cisco ACI Spine. Nexus 93600CD-GX is for Cisco ACI Leaf. Nexus 3408-S and Nexus 3432D-S are non-ACI Ethernet switches. Cisco's Product page is: https://www.cisco.com/c/en/us/solutions/data-center/high-capacity-400g-data-center-networking/index.html 400G port transceivers: QSFP-DD All four models use QSFP-DD as 400G Ethernet transceiver type. Screen capture on Cisco.com. 
QSFP Double Density (QSFP-DD) transceivers are the same size on the switch front panel as QSFP transceivers. The switch ports are also compatible with existing QSFP28 transceivers. That means, my current 100G transceivers can be inserted and reused on these new faster Nexus switches. The fiber connectors: LC or MPO-12 Fiber connectors should be in LC or MPO-12 types. I cannot find an official datasheet to confirm that at this moment. However, I believe this should be true when I saw photos published on Cisco official web site. Screen capture on Cisco.com Screen capture on Cisco.com If my fiber cabling connectors are in types of LC or MPO-12, I can reuse my existing fiber infrastructure to upgrade to 400G Ethernet. When you are planning for new fiber installation, I also recommend choosing LC and MPO-12 connectors. One more thing… I believe 400G Ethernet should still be very expensive today in year 2018. I might not need it soon. I know I can reuse my existing expensive 100G Ethernet transceivers and fiber infrastructures when I upgrade to 400G Ethernet in the future. And this makes me feel better. I am Li-Ji Hong. What do you think about 400G Ethernet? Please share your ideas with me in the comments below! Thank you! Lotus pond inside Taipei Botanical Garden&amp;nbsp;(台北植物園). Taipei City, Taiwan</itunes:summary><itunes:keywords>Internet,Cisco</itunes:keywords></item><item><title>Bank lost 1 million US Dollars because of outdated routers</title><link>https://showipprotocols.blogspot.com/2018/07/bank-lost-million-dollars-because-of-outdated-routers.html</link><category>Security</category><pubDate>Wed, 25 Jul 2018 19:00:00 +0800</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6616815944293602407.post-1577173059427899815</guid><description>&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxDY62fAZeAfmdC4x4UbSczJoI5B1ezEGQBzxDi8UYK5vReiCwlQHQ1eEbhbuSu1eVbG6bLdVR1CybdfbvD3HIJjSH4sLYj_Dxjq_D1MPSMqvCsp9BsAOSkuAj2A92Hx2Vcq6qhx_ud5I/s1600/20180429_142137.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" data-original-height="900" data-original-width="1600" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxDY62fAZeAfmdC4x4UbSczJoI5B1ezEGQBzxDi8UYK5vReiCwlQHQ1eEbhbuSu1eVbG6bLdVR1CybdfbvD3HIJjSH4sLYj_Dxjq_D1MPSMqvCsp9BsAOSkuAj2A92Hx2Vcq6qhx_ud5I/s320/20180429_142137.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
A recent news story was about hackers breaking into a Russian bank because of outdated routers. When I saw the keyword “router”, I felt that I must dig further into what really happened.&lt;br /&gt;
&lt;br /&gt;
&lt;h3&gt;
What I have understood now&lt;/h3&gt;
&lt;br /&gt;
The victim is PIR Bank. One of the suspects is MoneyTaker. After the breach, PIR Bank hired the company Group-IB to do the clean-up and recovery, and to investigate how the hackers got into their internal network.&lt;br /&gt;
&lt;br /&gt;
So far, Group-IB has disclosed that hackers exploited the outdated routers of PIR Bank. The routers were &lt;a href="https://www.bankinfosecurity.com/bank-hackers-exploit-outdated-router-to-steal-1-million-a-11227" target="_blank"&gt;Cisco 800 series routers&lt;/a&gt;, for which Cisco had already publicly declared that the End of Support date would be sometime in 2016. The running Cisco IOS version was 12.4.&lt;br /&gt;
&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;
&lt;h3&gt;
My understanding&lt;/h3&gt;
&lt;br /&gt;
In my opinion, all the routers involved in this incident must have been deployed as Internet VPN routers. They must have been connected directly to the public Internet. If those routers had been purely internal routers without any public Internet connection, hackers could only have reached them by getting through layers of firewalls. And if hackers had already broken through layers of firewalls, they could have attacked directly without exploiting any of those outdated routers.&lt;br /&gt;
&lt;br /&gt;
I believe the VPN protocol used should be IPSec. However, IPSec was not to blame for this incident. The vulnerabilities were in the software or the hardware of the installed routers. It might be that some vulnerabilities were discovered and hackers took advantage of zero-day exploits to hack into the network. Hackers either used the hijacked router as a hopping location or changed the access rules so that they had backdoor access to the internal network.&lt;br /&gt;
&lt;br /&gt;
I also want to emphasize that Cisco is not to blame. Cisco had already announced End of Support a long time ago. If a customer insists on continuing to use old, outdated routers, the customer should take most of the responsibility.&lt;br /&gt;
&lt;br /&gt;
A loss of nearly 1 million US dollars is a pity. One million dollars is enough to buy a lot of new routers as replacements and prevent this loss.&lt;br /&gt;
&lt;br /&gt;
&lt;h3&gt;
Enterprises should take action: my suggestions&lt;/h3&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;ol&gt;
&lt;li&gt;Create a complete inventory of routers, especially those connected to the public Internet.&lt;/li&gt;
&lt;li&gt;Confirm with network hardware providers which routers are already out of support or are about to go out of support. Create schedules to replace them as early as possible.&lt;/li&gt;
&lt;li&gt;Make sure all supported routers are running the most up-to-date, patched operating systems and software.&lt;/li&gt;
&lt;/ol&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6qkXuHdimmQmj4uIVSt3tA7THhrs8KaEI25kqpVSXc05HLDvolmsHcg_DKFlzmMXcgCUS0vqw4iaKdPSo7ybqqJilE4F8uSlNNDkasuNHB21P5EVPf9aanpIHvGBDlDcXZ2pKr_BEwZA/s1600/20180429_142137.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="900" data-original-width="1600" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6qkXuHdimmQmj4uIVSt3tA7THhrs8KaEI25kqpVSXc05HLDvolmsHcg_DKFlzmMXcgCUS0vqw4iaKdPSo7ybqqJilE4F8uSlNNDkasuNHB21P5EVPf9aanpIHvGBDlDcXZ2pKr_BEwZA/s640/20180429_142137.jpg" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Sun flowers in &lt;a href="https://agriexpo.tycg.gov.tw/En" target="_blank"&gt;Taoyuan Agriculture Expo&lt;/a&gt;&amp;nbsp;(桃園農業博覽會) 2018.&lt;br /&gt;
Taoyuan City, Taiwan&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKgv6cDlNtwuRhGh7SSkMAj11e6fUnzo63ohTGcu-jQpXikNll3xFvZCsN7iPcJUCUgzPKxmCwjuwy1siBBWjDevumSrDTkC9lclUIV8_GKc6s3Zd6X8d8gAS3XLsict1cjlFB4lWXECw/s1600/20180429_142225.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="900" data-original-width="1600" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKgv6cDlNtwuRhGh7SSkMAj11e6fUnzo63ohTGcu-jQpXikNll3xFvZCsN7iPcJUCUgzPKxmCwjuwy1siBBWjDevumSrDTkC9lclUIV8_GKc6s3Zd6X8d8gAS3XLsict1cjlFB4lWXECw/s640/20180429_142225.jpg" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiE28ofvs3ZhU-dHiBKm0d2gQ6RKVA7wsb_8tGwrl1Fb_hnjiNvB-72O1E9E3NfVOTo3t2fVilh5TchGgEhv3e35zDosMOMhAGMO2swDFtj_LKPX43AAuC_21Qp9QNMQKCX7fvkYOP_Lz4/s1600/20180429_151301.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="900" data-original-width="1600" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiE28ofvs3ZhU-dHiBKm0d2gQ6RKVA7wsb_8tGwrl1Fb_hnjiNvB-72O1E9E3NfVOTo3t2fVilh5TchGgEhv3e35zDosMOMhAGMO2swDFtj_LKPX43AAuC_21Qp9QNMQKCX7fvkYOP_Lz4/s640/20180429_151301.jpg" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFOd2sqDc9LNOSu3iSRHyJ_3R3kfD1ObAEW0ZTdb695dmaZSSQF3IOTy4Oa8l4A5rgLK7tVF4h8sci0aDR9N5RZKPkI5p7T6biuQrVTUixzuVK0ZQ_PdDiiEU3zvOe3RHhi-yA28rcR9g/s1600/20180429_142818.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="546" data-original-width="1600" height="218" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFOd2sqDc9LNOSu3iSRHyJ_3R3kfD1ObAEW0ZTdb695dmaZSSQF3IOTy4Oa8l4A5rgLK7tVF4h8sci0aDR9N5RZKPkI5p7T6biuQrVTUixzuVK0ZQ_PdDiiEU3zvOe3RHhi-yA28rcR9g/s640/20180429_142818.jpg" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;h3&gt;
One more thing…&lt;/h3&gt;
&lt;br /&gt;
I don't think we should worry about the architecture of Internet VPN and the IPSec protocol itself. Many new technologies rely on Internet VPN and IPSec. For example, Software-defined Wide Area Network (SD WAN) is built on top of Internet VPN and IPSec.&lt;br /&gt;
&lt;br /&gt;
If we make sure all running VPN routers are in healthy condition, the Internet VPN architecture is still a cost-effective WAN solution with great flexibility for enterprises.&lt;br /&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
</description><enclosure length="0" type="audio/mpeg" url="https://archive.org/download/hongliji-sip-p-20180725/hongliji-sip-p-20180725.mp3"/><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxDY62fAZeAfmdC4x4UbSczJoI5B1ezEGQBzxDi8UYK5vReiCwlQHQ1eEbhbuSu1eVbG6bLdVR1CybdfbvD3HIJjSH4sLYj_Dxjq_D1MPSMqvCsp9BsAOSkuAj2A92Hx2Vcq6qhx_ud5I/s72-c/20180429_142137.jpg" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><georss:featurename xmlns:georss="http://www.georss.org/georss">Wanhua District, Taipei City, Taiwan 108</georss:featurename><georss:point xmlns:georss="http://www.georss.org/georss">25.0262857 121.49702939999997</georss:point><georss:box xmlns:georss="http://www.georss.org/georss">24.9687357 121.41634839999998 25.083835699999998 121.57771039999997</georss:box><author>hongliji@gmail.com (Li-Ji Hong (洪李吉))</author><itunes:explicit>no</itunes:explicit><itunes:subtitle>A recent news was about hackers hacked into a Russian bank because of outdated routers. When I saw the keyword “router”, I felt that I must dig further about what really happened. What I have understood now The victim is PIR Bank. One of the suspects is MoneyTaker. After the breach, PIR Bank hired company Group-IB to do the clean-ups, recovery, and investigating how the hackers got into their internal network. Up to this moment, Group-IB disclosed hackers exploited the outdated routers of PIR Bank. The model of the routers was Cisco 800 series routers, which was already declared publicly that the End of Support date would be someday in Year 2016, by Cisco. The running Cisco IOS version was 12.4. My understanding All the routers involved in this incident in my opinion must had been deployed as Internet VPN routers. They must connect directly to the public Internet. 
Suppose those routers were purely internal routers without public Internet connections at all, hackers can only have access to them by getting through layers of firewalls. Suppose hackers already had broken through layers of firewalls, then hackers could have attacked directly without exploiting any of those outdated routers. I believe the VPN protocol used should be IPSec. However, IPSec was not to blame for this incident. Vulnerabilities were in the software or the hardware of those installed routers. It might be some discovered vulnerabilities and hackers took advantages of Zero-day Exploits to hack into the network. Hackers either used the hijacked router as a hopping location or changed the access rules so hackers had backdoor accesses to the internal network. I also want to emphasize that Cisco is not to blame. Cisco had already announced End of Support long time ago. If a customer insisted to keep using the old outdated routers, customers should take most of the responsibilities. It was a pity for a loss of nearly 1 Million US Dollars. One million dollars is enough to buy and replace a lot of new routers to prevent this loss. Enterprises should take actions, my suggestions Create a complete inventory of routers, especially for those connected to public Internet. Confirm with network hardware providers which routers are being or getting out of support. Create schedules to replace them as early as possible. Make sure all supported routers are running most up-to-date patched operating systems and software. Sun flowers in Taoyuan Agriculture Expo&amp;nbsp;(桃園農業博覽會) 2018. Taoyuan City, Taiwan One more thing… I don't think we should worry about the architecture of Internet VPN and IPSec protocol itself. Many new technologies are relying on Internet VPN and IPSec. For example, Software-defined Wide Area Network (SD WAN) is built on top of Internet VPN and IPSec. 
If we make sure all running VPN routers are in healthy condition, Internet VPN architecture is still a cost-effective WAN solution with great flexibilities for enterprises.</itunes:subtitle><itunes:author>Li-Ji Hong (洪李吉)</itunes:author><itunes:summary>A recent news was about hackers hacked into a Russian bank because of outdated routers. When I saw the keyword “router”, I felt that I must dig further about what really happened. What I have understood now The victim is PIR Bank. One of the suspects is MoneyTaker. After the breach, PIR Bank hired company Group-IB to do the clean-ups, recovery, and investigating how the hackers got into their internal network. Up to this moment, Group-IB disclosed hackers exploited the outdated routers of PIR Bank. The model of the routers was Cisco 800 series routers, which was already declared publicly that the End of Support date would be someday in Year 2016, by Cisco. The running Cisco IOS version was 12.4. My understanding All the routers involved in this incident in my opinion must had been deployed as Internet VPN routers. They must connect directly to the public Internet. Suppose those routers were purely internal routers without public Internet connections at all, hackers can only have access to them by getting through layers of firewalls. Suppose hackers already had broken through layers of firewalls, then hackers could have attacked directly without exploiting any of those outdated routers. I believe the VPN protocol used should be IPSec. However, IPSec was not to blame for this incident. Vulnerabilities were in the software or the hardware of those installed routers. It might be some discovered vulnerabilities and hackers took advantages of Zero-day Exploits to hack into the network. Hackers either used the hijacked router as a hopping location or changed the access rules so hackers had backdoor accesses to the internal network. I also want to emphasize that Cisco is not to blame. 
Cisco had already announced End of Support long time ago. If a customer insisted to keep using the old outdated routers, customers should take most of the responsibilities. It was a pity for a loss of nearly 1 Million US Dollars. One million dollars is enough to buy and replace a lot of new routers to prevent this loss. Enterprises should take actions, my suggestions Create a complete inventory of routers, especially for those connected to public Internet. Confirm with network hardware providers which routers are being or getting out of support. Create schedules to replace them as early as possible. Make sure all supported routers are running most up-to-date patched operating systems and software. Sun flowers in Taoyuan Agriculture Expo&amp;nbsp;(桃園農業博覽會) 2018. Taoyuan City, Taiwan One more thing… I don't think we should worry about the architecture of Internet VPN and IPSec protocol itself. Many new technologies are relying on Internet VPN and IPSec. For example, Software-defined Wide Area Network (SD WAN) is built on top of Internet VPN and IPSec. If we make sure all running VPN routers are in healthy condition, Internet VPN architecture is still a cost-effective WAN solution with great flexibilities for enterprises.</itunes:summary><itunes:keywords>Internet,Cisco</itunes:keywords></item><item><title>BGP Injection instead of Leak, my observation notes for MyEtherWallet incident</title><link>https://showipprotocols.blogspot.com/2018/04/bgp-injection-MyEtherWallet.html</link><category>BGP</category><category>Security</category><pubDate>Fri, 27 Apr 2018 03:12:00 +0800</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6616815944293602407.post-4975710505702915939</guid><description>&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHdaUxnlgiHupohfWgMF4VnVSrA8S4v-dcHEbrH6bsv9ecXv3nKsOQ65YIhfZVaCWxEjXhK5ZNq2vB-t-mg-R-ANab3A_VmR08qsEZNGQ0fnobIx1DF1LEqM4h8ZdmOxiBi4t6xp7gULA/s1600/20180408_155751.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" data-original-height="900" data-original-width="1600" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHdaUxnlgiHupohfWgMF4VnVSrA8S4v-dcHEbrH6bsv9ecXv3nKsOQ65YIhfZVaCWxEjXhK5ZNq2vB-t-mg-R-ANab3A_VmR08qsEZNGQ0fnobIx1DF1LEqM4h8ZdmOxiBi4t6xp7gULA/s320/20180408_155751.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
After reading articles by &lt;a href="https://blogs.oracle.com/internetintelligence/bgp-hijack-of-amazon-dns-to-steal-crypto-currency" target="_blank"&gt;Doug Madory&lt;/a&gt;, and by &lt;a href="https://blog.cloudflare.com/bgp-leaks-and-crypto-currencies/" target="_blank"&gt;Louis Poinsignon&lt;/a&gt;, here are some notes I observed and learned.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;[What happened in this incident?]&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Hackers somehow made some BGP routers of “eNet” falsely announce that they own the following 5 IP subnets, which in fact do NOT belong to “eNet”. The true owner is Amazon. To be more specific, they are for Amazon’s Route 53 DNS name resolution services.&lt;br /&gt;
&lt;br /&gt;
&lt;ul&gt;
&lt;li&gt;205.251.192.0/24&lt;/li&gt;
&lt;li&gt;205.251.193.0/24&lt;/li&gt;
&lt;li&gt;205.251.195.0/24&lt;/li&gt;
&lt;li&gt;205.251.197.0/24&lt;/li&gt;
&lt;li&gt;205.251.199.0/24&lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;
The registered domain server for domain “MyEtherWallet.com” is hosted on Amazon Route 53.&lt;br /&gt;
&lt;br /&gt;
Hackers also somehow embedded a malicious DNS server (or servers, I really don’t know) inside the service network of “eNet”.&lt;br /&gt;
&lt;br /&gt;
After that, any affected client’s DNS query for the domain “MyEtherWallet.com” would hit the hackers’ malicious DNS server. Of course, the malicious DNS server would respond with false IP addresses, and those false IP addresses were in fact the hackers’ own web servers.&lt;br /&gt;
&lt;br /&gt;
At this moment, clients thought they were accessing “MyEtherWallet.com”, but they were in fact accessing the hackers’ web servers.&lt;br /&gt;
&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;
&lt;b&gt;[Which clients are affected?]&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
I believe all clients inside “eNet”, and any clients in other Internet Service Providers who trusted “eNet”’s false announcements, would be affected as well.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;[Network “eNet” should have been compromised for enough time]&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
To falsely announce BGP routes, one must change the configuration of either hardware routers or BGP route servers (maybe on Linux).&lt;br /&gt;
&lt;br /&gt;
For me, to configure BGP correctly on a couple of Cisco routers is already a heavy task. It’s not easy. To modify existing BGP configurations to inject false announcements without getting noticed, or without breaking anything at the same time, is an even more difficult task for me.&lt;br /&gt;
&lt;br /&gt;
I really don’t think it would be easier to achieve the same results by working on BGP route servers.&lt;br /&gt;
&lt;br /&gt;
Moreover, hackers even embedded a DNS server inside “eNet”’s service network. I really believe hackers had already controlled most of the hardware routers and some hardware servers, maybe for quite a long time, long enough for them to do all such modifications.&lt;br /&gt;
&lt;br /&gt;
I really think some hackers involved in this incident are quite skillful with network hardware, maybe Cisco’s or Juniper’s. They could also be CCIEs.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;[BGP Injection, instead of BGP Leak]&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
So, the last thing I want to say is, I would rather call this incident BGP injection, instead of BGP leak.&lt;br /&gt;
&lt;br /&gt;
Why?&lt;br /&gt;
&lt;br /&gt;
If I hear someone say “BGP leak”, I would feel that maybe some unknown bugs inside the BGP protocol or some configuration errors caused this incident. As far as I understand now, I really think the false BGP announcements are “intentional”. I would rather say it is BGP injection.&lt;br /&gt;
&lt;br /&gt;
Although no strong security mechanisms are defined in the BGP protocol itself, in this case the BGP protocol is not to blame.&lt;br /&gt;
&lt;br /&gt;
&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGZs_c1vuYV8OHkRiKRlNUVi13Sl6_jkgz11yWwbMvzBlCxfmcId-xSlj4eMJFPtzfCyhBjYESSMNQ50-win48VpbTdMlLWnNYHtUUwHLlpYkj0nzxnih7_aFBSReFO3E9sFOhBlh12VE/s1600/20180408_155751.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="900" data-original-width="1600" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGZs_c1vuYV8OHkRiKRlNUVi13Sl6_jkgz11yWwbMvzBlCxfmcId-xSlj4eMJFPtzfCyhBjYESSMNQ50-win48VpbTdMlLWnNYHtUUwHLlpYkj0nzxnih7_aFBSReFO3E9sFOhBlh12VE/s640/20180408_155751.jpg" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Flowers of East Asian sage, around &lt;a href="https://goo.gl/maps/wSmkkNRYUd22" target="_blank"&gt;Zhoumei Xian Zai Gang Park (洲美蜆仔港公園)&lt;/a&gt;&lt;br /&gt;Taipei City, Taiwan.&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;&lt;span style="font-size: large;"&gt;One more thing…&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Amazon is also not to blame for this incident. Clients’ DNS query packets never reached Amazon at all.&lt;br /&gt;
&lt;br /&gt;
I suggest Internet Service Providers should pay more attention to the security of their service infrastructure. Don’t become another “eNet”.&lt;br /&gt;
&lt;br /&gt;
I also suggest Internet Service Providers should review their incoming BGP policy. In this case, some ISPs other than “eNet” were also affected because their BGP routers “trusted” “eNet”’s false announcements. They affected their own customers and forwarded that false information on at the same time.</description><enclosure length="0" type="audio/mpeg" url="https://archive.org/download/hongliji-sip-p-20180427/hongliji-sip-p-20180427.mp3"/><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHdaUxnlgiHupohfWgMF4VnVSrA8S4v-dcHEbrH6bsv9ecXv3nKsOQ65YIhfZVaCWxEjXhK5ZNq2vB-t-mg-R-ANab3A_VmR08qsEZNGQ0fnobIx1DF1LEqM4h8ZdmOxiBi4t6xp7gULA/s72-c/20180408_155751.jpg" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><georss:featurename xmlns:georss="http://www.georss.org/georss">Wanhua District, Taipei City, Taiwan 108</georss:featurename><georss:point xmlns:georss="http://www.georss.org/georss">25.0262857 121.49702939999997</georss:point><georss:box xmlns:georss="http://www.georss.org/georss">24.9687357 121.41634839999998 25.083835699999998 121.57771039999997</georss:box><author>hongliji@gmail.com (Li-Ji Hong (洪李吉))</author><itunes:explicit>no</itunes:explicit><itunes:subtitle>After reading articles by Doug Madory, and by Louis Poinsignon, here are some notes I observed and learned. [What happened in this incident?] Hackers somehow made some BGP routers of “eNet” to falsely announce that they own the following 5 IP subnets, which are indeed NOT belonging to “eNet”. The true owner is Amazon. To be more specific, they are for Amazon’s Route 53 DNS name resolution services. 205.251.192.0/24 205.251.193.0/24 205.251.195.0/24 205.251.197.0/24 205.251.199.0/24 The registered domain server for domain “MyEtherWallet.com” is hosted on Amazon Route 53. 
Hackers also somehow embedded malicious DNS server (or servers, I really don’t know) also inside service network of “eNet”. After that, any affected clients’ DNS query for domain “MyEtherWallet.com” would hit hacker’s malicious DNS server. Of course, malicious DNS server would respond with false IP addresses, and those false IP addresses are indeed hacker’s own web servers. At this moment, clients thought they were accessing “MyEtherWallet.com”, and they indeed were accessing hacker’s web servers. [Which clients are affected?] I believe all clients inside “eNet”, and any clients in other Internet Service Providers who trusted “eNet”’s false announcements, would be affected as well. [Network “eNet” should have been compromised for enough time] To falsely announce BGP routes, we must either change configurations of hardware routers, or BGP route servers (maybe on Linux). For me, to configure BGP correctly on a couple of Cisco routers is already a heavy task. It’s not easy. To modify existing BGP configurations to inject false announcements without getting noticed, or without breaking anything at the same time, is even a more difficult task for me. I really don’t think it would be easier to achieve the same results by working on BGP route servers. Moreover, hackers even embedded DNS server inside “eNet”’s service network. I really believe hackers had already controlled most of the hardware routers and some hardware servers, maybe for quite a long time, long enough for them to do all such modifications. I really think some hackers involved in this incident are quite skillful at network hardware maybe Cisco’s or Juniper’s. They could also be CCIEs. [BGP Injection, instead of BGP Leak] So, the last thing I want to say is, I would rather call this incident as BGP injection, instead of BGP leak. Why? If I hear someone says BGP Leaks, I would feel maybe some unknown bugs inside BGP protocol or some configuration errors caused this incident. 
As far as I understand now, I really think the false BGP announcements are “intentional”. I would rather say it is BGP Injection. Although no strong security mechanisms are defined in BGP protocol itself, in this case BGP protocol is not to blame. Flowers of East Asian sage, around Zhoumei Xian Zai Gang Park (洲美蜆仔港公園) Taipei City, Taiwan. One more thing… Amazon is also not to blame for this incident. Clients’ DNS query packets never reached Amazon at all. I suggest Internet Service Providers should pay more attention to the security of their service infrastructure. Don’t become another “eNet”. I also suggest Internet Service Providers should review their incoming BGP policy. In this case, some ISPs other than “eNet” were also affected because their BGP routers “trusted” “eNet”’s false announcements. They affected their own customers and forwarded that false information on at the same time.</itunes:subtitle><itunes:author>Li-Ji Hong (洪李吉)</itunes:author><itunes:summary>After reading articles by Doug Madory, and by Louis Poinsignon, here are some notes I observed and learned. [What happened in this incident?] Hackers somehow made some BGP routers of “eNet” to falsely announce that they own the following 5 IP subnets, which are indeed NOT belonging to “eNet”. The true owner is Amazon. To be more specific, they are for Amazon’s Route 53 DNS name resolution services. 205.251.192.0/24 205.251.193.0/24 205.251.195.0/24 205.251.197.0/24 205.251.199.0/24 The registered domain server for domain “MyEtherWallet.com” is hosted on Amazon Route 53. Hackers also somehow embedded malicious DNS server (or servers, I really don’t know) also inside service network of “eNet”. After that, any affected clients’ DNS query for domain “MyEtherWallet.com” would hit hacker’s malicious DNS server. Of course, malicious DNS server would respond with false IP addresses, and those false IP addresses are indeed hacker’s own web servers. 
At this moment, clients thought they were accessing “MyEtherWallet.com”, and they indeed were accessing hacker’s web servers. [Which clients are affected?] I believe all clients inside “eNet”, and any clients in other Internet Service Providers who trusted “eNet”’s false announcements, would be affected as well. [Network “eNet” should have been compromised for enough time] To falsely announce BGP routes, we must either change configurations of hardware routers, or BGP route servers (maybe on Linux). For me, to configure BGP correctly on a couple of Cisco routers is already a heavy task. It’s not easy. To modify existing BGP configurations to inject false announcements without getting noticed, or without breaking anything at the same time, is even a more difficult task for me. I really don’t think it would be easier to achieve the same results by working on BGP route servers. Moreover, hackers even embedded DNS server inside “eNet”’s service network. I really believe hackers had already controlled most of the hardware routers and some hardware servers, maybe for quite a long time, long enough for them to do all such modifications. I really think some hackers involved in this incident are quite skillful at network hardware maybe Cisco’s or Juniper’s. They could also be CCIEs. [BGP Injection, instead of BGP Leak] So, the last thing I want to say is, I would rather call this incident as BGP injection, instead of BGP leak. Why? If I hear someone says BGP Leaks, I would feel maybe some unknown bugs inside BGP protocol or some configuration errors caused this incident. As far as I understand now, I really think the false BGP announcements are “intentional”. I would rather say it is BGP Injection. Although no strong security mechanisms are defined in BGP protocol itself, in this case BGP protocol is not to blame. Flowers of East Asian sage, around Zhoumei Xian Zai Gang Park (洲美蜆仔港公園) Taipei City, Taiwan. One more thing… Amazon is also not to blame for this incident. 
Clients’ DNS query packets never reached Amazon at all. I suggest Internet Service Providers should pay more attention to the security of their service infrastructure. Don’t become another “eNet”. I also suggest Internet Service Providers should review their incoming BGP policy. In this case, some ISPs other than “eNet” were also affected because their BGP routers “trusted” “eNet”’s false announcements. They affected their own customers and forwarded that false information on at the same time.</itunes:summary><itunes:keywords>Internet,Cisco</itunes:keywords></item><item><title>Prepare Python 2.7 on Microsoft Windows using PowerShell</title><link>https://showipprotocols.blogspot.com/2017/09/prepare-python-27-using-powershell.html</link><category>PowerShell</category><category>Python</category><pubDate>Sun, 10 Sep 2017 12:23:00 +0800</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6616815944293602407.post-787713746465743759</guid><description>Everyone today talks about the programming language Python while discussing Software-defined Networking (SDN). Since Python is so popular, it would be a good idea for network administrators to know more about Python. First thing first. I talk about how I prepare Python running environment on Microsoft Windows.&lt;br /&gt;
&lt;br /&gt;
It would be nothing special if I only downloaded the installation software from the official Python web site by clicking with the mouse. Instead, I use PowerShell to download and install it for me. That is, I prepare one scripting environment using another scripting language.&lt;br /&gt;
&lt;br /&gt;
Here is the recorded video of how I do this.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="video-container"&gt;
&lt;iframe allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/b65Sw1cA6ys" width="560"&gt;&lt;/iframe&gt;&lt;/div&gt;
&lt;br /&gt;
The version I talk about is version 2.7.13.&lt;br /&gt;
&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;
One key step of this PowerShell script is to find out the appropriate direct binary download URL first. You can easily copy the URL after visiting the official Python.ORG web site.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvOAPydmmznujHd72v-Fv1TkJhENr58R0sUo0uobfcsFdtuLtu2-JKNkLPwunvKur-8OEHXW1bhWfd3QgzXi4lLqDLxLyd-9NKs1gowCGPri05w3fPCOCf_Dc3c1cW8hsQZhM7KJ90bx0/s1600/python-download.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="637" data-original-width="981" height="414" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvOAPydmmznujHd72v-Fv1TkJhENr58R0sUo0uobfcsFdtuLtu2-JKNkLPwunvKur-8OEHXW1bhWfd3QgzXi4lLqDLxLyd-9NKs1gowCGPri05w3fPCOCf_Dc3c1cW8hsQZhM7KJ90bx0/s640/python-download.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
I list the original PowerShell script below for you to copy/paste. You can try it for yourself.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="MsoNormal"&gt;
&lt;span lang="EN-US"&gt;&lt;span style="font-family: &amp;quot;courier new&amp;quot; , &amp;quot;courier&amp;quot; , monospace; font-size: x-small;"&gt;--- COPY BELOW ---&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoNormal"&gt;
&lt;span lang="EN-US"&gt;&lt;span style="font-family: &amp;quot;courier new&amp;quot; , &amp;quot;courier&amp;quot; , monospace; font-size: x-small;"&gt;$url =
"https://www.python.org/ftp/python/2.7.13/python-2.7.13.amd64.msi"&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoNormal"&gt;
&lt;span lang="EN-US"&gt;&lt;span style="font-family: &amp;quot;courier new&amp;quot; , &amp;quot;courier&amp;quot; , monospace; font-size: x-small;"&gt;$output =
"python-2.7.13.amd64.msi"&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoNormal"&gt;
&lt;span lang="EN-US"&gt;&lt;span style="font-family: &amp;quot;courier new&amp;quot; , &amp;quot;courier&amp;quot; , monospace; font-size: x-small;"&gt;$start_time = Get-Date&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoNormal"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class="MsoNormal"&gt;
&lt;span lang="EN-US"&gt;&lt;span style="font-family: &amp;quot;courier new&amp;quot; , &amp;quot;courier&amp;quot; , monospace; font-size: x-small;"&gt;Invoke-WebRequest -Uri $url -OutFile
$output&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoNormal"&gt;
&lt;span lang="EN-US"&gt;&lt;span style="font-family: &amp;quot;courier new&amp;quot; , &amp;quot;courier&amp;quot; , monospace; font-size: x-small;"&gt;Write-Output "Time taken:
$((Get-Date).Subtract($start_time).Seconds) second(s)"&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoNormal"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class="MsoNormal"&gt;
&lt;span lang="EN-US"&gt;&lt;span style="font-family: &amp;quot;courier new&amp;quot; , &amp;quot;courier&amp;quot; , monospace; font-size: x-small;"&gt;.\python-2.7.13.amd64.msi&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoNormal"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;div class="MsoNormal"&gt;
&lt;span lang="EN-US"&gt;&lt;span style="font-family: &amp;quot;courier new&amp;quot; , &amp;quot;courier&amp;quot; , monospace; font-size: x-small;"&gt;--- END OF COPY ---&lt;/span&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;One more thing…&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
In my opinion, any programming language should work well to implement a successful SDN system. Because most SDN controllers run on top of a Linux server, basically any programming language supported by Linux is a good choice.&lt;br /&gt;
&lt;br /&gt;
My conclusion is: if you are already familiar and skillful enough in any mainstream programming language, such as C, C++, Java, or Perl, you really don’t need to learn Python at all. Python is just one of the options.&lt;br /&gt;
&lt;br /&gt;
However, if you are not good at any programming language at all, and you only have time to study a single language, then my best recommendation for you would be Python. Python is so easy to learn and use. And the most important reason is this: because Python is so popular, you can find any examples and answers you might ask for with a simple Google search.&lt;br /&gt;
&lt;br /&gt;
I plan to talk more on Python in the future. What do you think about it? Let me know by leaving your comments below this post.&lt;br /&gt;
&lt;br /&gt;
(I learned the PowerShell script from&amp;nbsp;&lt;a href="https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell" target="_blank"&gt;Hey, I'm Jourdan. "3 ways to download files with PowerShell"&lt;/a&gt;)</description><enclosure length="0" type="audio/mpeg" url="https://archive.org/download/hongliji-sip-p-20170910/hongliji-sip-p-20170910.mp3"/><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://img.youtube.com/vi/b65Sw1cA6ys/default.jpg" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><georss:featurename xmlns:georss="http://www.georss.org/georss">Wanhua District, Taipei City, Taiwan 108</georss:featurename><georss:point xmlns:georss="http://www.georss.org/georss">25.0262857 121.49702939999997</georss:point><georss:box xmlns:georss="http://www.georss.org/georss">24.9687357 121.41634839999998 25.083835699999998 121.57771039999997</georss:box><author>hongliji@gmail.com (Li-Ji Hong (洪李吉))</author><itunes:explicit>no</itunes:explicit><itunes:subtitle>Everyone today talks about the programming language Python while discussing Software-defined Networking (SDN). Since Python is so popular, it would be a good idea for network administrators to know more about Python. First thing first. I talk about how I prepare Python running environment on Microsoft Windows. It would be nothing special if I only download the installation software from Python official web site by mouse clicking. Instead, I use PowerShell to download and install for me. That is, prepare one scripting running environment using another scripting language. Here is the recorded video of how I do this. The version I talk about is version 2.7.13. One key step of this PowerShell script is to find out the appropriate direct binary download URL first. You can easily copy the URL after visiting Python.ORG official web site. I list the original PowerShell script below for you to copy/paste. You can try it for yourself. 
--- COPY BELOW --- $url = "https://www.python.org/ftp/python/2.7.13/python-2.7.13.amd64.msi" $output = "python-2.7.13.amd64.msi" $start_time = Get-Date Invoke-WebRequest -Uri $url -OutFile $output Write-Output "Time taken: $((Get-Date).Subtract($start_time).Seconds) second(s)" .\python-2.7.13.amd64.msi --- END OF COPY --- One more thing… In my opinion, any programming languages should be working well to implement a successful SDN system. Because most of the SDN controller is running on top of a Linux server, basically any programming languages supported by Linux is a good choice. My conclusion is: if you are already familiar and skillful enough in any mainstream programming languages, such as C, C++, Java, or Perl, you really don’t need to learn Python at all. Python is just one of the options. However, if you are not good at any programming languages at all, and you only have time to study single language, then my best recommendation for you would be Python. Python is so easy to learn and use. And the most important reason is this. Because Python is so popular, you can find any examples and answers you might ask for by simply a Google Search. I plan to talk more on Python in the future. What do you think about it? Let me know by leaving your comments below this post. (I learned the PowerShell script from&amp;nbsp;Hey, I'm Jourdan. "3 ways to download files with PowerShell")</itunes:subtitle><itunes:author>Li-Ji Hong (洪李吉)</itunes:author><itunes:summary>Everyone today talks about the programming language Python while discussing Software-defined Networking (SDN). Since Python is so popular, it would be a good idea for network administrators to know more about Python. First thing first. I talk about how I prepare Python running environment on Microsoft Windows. It would be nothing special if I only download the installation software from Python official web site by mouse clicking. Instead, I use PowerShell to download and install for me. 
That is, prepare one scripting running environment using another scripting language. Here is the recorded video of how I do this. The version I talk about is version 2.7.13. One key step of this PowerShell script is to find out the appropriate direct binary download URL first. You can easily copy the URL after visiting Python.ORG official web site. I list the original PowerShell script below for you to copy/paste. You can try it for yourself. --- COPY BELOW --- $url = "https://www.python.org/ftp/python/2.7.13/python-2.7.13.amd64.msi" $output = "python-2.7.13.amd64.msi" $start_time = Get-Date Invoke-WebRequest -Uri $url -OutFile $output Write-Output "Time taken: $((Get-Date).Subtract($start_time).Seconds) second(s)" .\python-2.7.13.amd64.msi --- END OF COPY --- One more thing… In my opinion, any programming languages should be working well to implement a successful SDN system. Because most of the SDN controller is running on top of a Linux server, basically any programming languages supported by Linux is a good choice. My conclusion is: if you are already familiar and skillful enough in any mainstream programming languages, such as C, C++, Java, or Perl, you really don’t need to learn Python at all. Python is just one of the options. However, if you are not good at any programming languages at all, and you only have time to study single language, then my best recommendation for you would be Python. Python is so easy to learn and use. And the most important reason is this. Because Python is so popular, you can find any examples and answers you might ask for by simply a Google Search. I plan to talk more on Python in the future. What do you think about it? Let me know by leaving your comments below this post. (I learned the PowerShell script from&amp;nbsp;Hey, I'm Jourdan. 
"3 ways to download files with PowerShell")</itunes:summary><itunes:keywords>Internet,Cisco</itunes:keywords></item><item><title>Starting IS-IS routing protocol without CCNP training</title><link>https://showipprotocols.blogspot.com/2017/05/starting-is-is-routing-protocol-without-ccnp.html</link><category>IS-IS</category><pubDate>Thu, 18 May 2017 13:22:00 +0800</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6616815944293602407.post-1910922445827596481</guid><description>&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-vA-UuBWMMx7bK4nnrEKMRFvq9Lc1YkdZH3hnG1uFIgcP1_sho2ncQ5X82vyjtghP2cCMe3PK_O-SKLYPqenYseXwCE_5klWq-HdsShpR55MX8DB09__S-xQPq5ANLtyC7qh757ZrszY/s1600/20170122_170754.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="112" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-vA-UuBWMMx7bK4nnrEKMRFvq9Lc1YkdZH3hnG1uFIgcP1_sho2ncQ5X82vyjtghP2cCMe3PK_O-SKLYPqenYseXwCE_5klWq-HdsShpR55MX8DB09__S-xQPq5ANLtyC7qh757ZrszY/s200/20170122_170754.jpg" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;
The routing protocol Intermediate System to Intermediate System (IS-IS) is an advanced and robust link-state protocol used in many service provider networks. Most of the other enterprises I know of prefer to use protocols like OSPF or EIGRP instead of IS-IS. Therefore, enterprise administrators might not be familiar with this protocol at all.&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;/div&gt;
&lt;br /&gt;
Here I want to share my short note to start IS-IS quickly without digging into protocol details. In case you must configure and maintain an IS-IS network, this note might save you some time.&lt;br /&gt;
&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;You can follow these five steps to start the IS-IS routing protocol in a short time.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Step 1: Prepare a pool of IPv4 addresses as non-overlapping Router-IDs&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Router ID is a unique identifier of any single router. Identifiers are just unique numbers. We know one citizen should have one and only one Citizen Identifier. No two citizens share the same identifier. This is the same for router IDs.&lt;br /&gt;
&lt;br /&gt;
Whether we are starting a production network or just want to practice in a lab, my recommendation is to always start from this step. The earlier we do this, the less time we might waste afterwards.&lt;br /&gt;
&lt;br /&gt;
In addition, I also recommend reserving a pool of IPv4 addresses just for router IDs. This pool should not overlap with any other network addresses. Any host route (/32) in this pool is for a single router. For easier discussion, I assume we reserve 10.0.0.0/16 for router IDs. Router 1 (R1) is assigned router ID: 10.0.0.1/32, and Router 2 (R2) is assigned router ID: 10.0.0.2/32, and so on.&lt;br /&gt;
&lt;br /&gt;
This unique host address is not just for identifying a single router. We can use this address for management protocols such as SSH, SNMP, and SSL. We can even add a DNS mapping so we don’t have to remember the IPv4 address. For example, R1.MyDomain.COM can be mapped to 10.0.0.1. When I am about to manage a router on the command line, all I do is start an SSH session to R1.MyDomain.COM, like “ssh admin@R1.MyDomain.COM”.&lt;br /&gt;
&lt;b&gt;&lt;br /&gt;&lt;/b&gt;
&lt;b&gt;Step 2: Pick a unique Area ID for Level 1&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Here I want to emphasize starting from a Level 1 (First Floor, Ground Floor) area. My recommendation is to always start from Level 1. Expand to Level 2 only when necessary (most of the time we never need Level 2).&lt;br /&gt;
&lt;br /&gt;
Area ID is a unique number within 0000 to FFFF in hexadecimal (or 0~65,535 in decimal).&lt;br /&gt;
&lt;br /&gt;
If you really want, Area ID Zero (0000) is also a legal IS-IS area number. Area 0000 in IS-IS is just a normal Level 1 area. This is quite different from OSPF. Because we might easily confuse this area with the special OSPF Area Zero (Backbone Area), I recommend not using this area number at all.&lt;br /&gt;
&lt;br /&gt;
Many connected routers are grouped into a single area. All routers in the same area should be assigned with the same Area ID.&lt;br /&gt;
&lt;br /&gt;
For easier discussion, I assume we use Area 7 for Level 1.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Step 3: Compose Network Entity Title (NET) for every router&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Network Entity Title (NET) is really an awkward name for many network administrators. It’s just a name used in ISO documents that define IS-IS protocol. It is the format IS-IS protocol recognizes as Router-ID.&lt;br /&gt;
&lt;br /&gt;
You are correct, NET must also be unique, and we must convert the router IDs in Step 1 into this NET format. The question now is “How”.&lt;br /&gt;
&lt;br /&gt;
I learned at Cisco Live an easy trick to convert a unique IPv4 address into a unique NET. Here it is.&lt;br /&gt;
&lt;br /&gt;
First, expand each of the four decimal numbers of the IPv4 address to 3 digits. For example,&lt;br /&gt;
&lt;br /&gt;
&lt;blockquote class="tr_bq"&gt;
10.0.0.1 -&amp;gt; 010.000.000.001.&lt;/blockquote&gt;
&lt;br /&gt;
Now we have a 12-digit string. Then, we simply treat these digits as hexadecimal, and reposition the “dots” to separate the string into 3 parts instead of 4. For example,&lt;br /&gt;
&lt;br /&gt;
&lt;blockquote class="tr_bq"&gt;
010.000.000.001 -&amp;gt; 0100.0000.0001&lt;/blockquote&gt;
&lt;br /&gt;
In case you really want to know, this converted number “0100.0000.0001” is called System ID in IS-IS protocol. We will need this number again when we are expanding the IS-IS network to Level 2 connected topology.&lt;br /&gt;
&lt;br /&gt;
Finally, we can create NET now.&lt;br /&gt;
&lt;br /&gt;
NET is in a format of &lt;b&gt;49&lt;/b&gt;.&lt;span style="background-color: yellow;"&gt;[Area ID]&lt;/span&gt;.&lt;span style="background-color: cyan;"&gt;[System ID]&lt;/span&gt;.&lt;b&gt;00&lt;/b&gt;.&lt;br /&gt;
The NET for R1 is now “49.&lt;span style="background-color: yellow;"&gt;0007&lt;/span&gt;.&lt;span style="background-color: cyan;"&gt;0100.0000.0001&lt;/span&gt;.00”.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Step 4: Start IS-IS on every router&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
We can start IS-IS protocol on every router with the following partial commands.&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: Courier New, Courier, monospace; font-size: x-small;"&gt;router isis&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: Courier New, Courier, monospace; font-size: x-small;"&gt;&amp;nbsp;net 49.0007.0100.0000.0001.00&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: Courier New, Courier, monospace; font-size: x-small;"&gt;&amp;nbsp;is-type level-1&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: Courier New, Courier, monospace; font-size: x-small;"&gt;&amp;nbsp;metric-style wide&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: Courier New, Courier, monospace; font-size: x-small;"&gt;Interface loopback 999999&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: Courier New, Courier, monospace; font-size: x-small;"&gt;! This interface is for easier management only. IS-IS doesn’t need it.&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: Courier New, Courier, monospace; font-size: x-small;"&gt;&amp;nbsp;ip address 10.0.0.1 255.255.255.255&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: Courier New, Courier, monospace; font-size: x-small;"&gt;&amp;nbsp;ipv6 address fd00::1/128&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: Courier New, Courier, monospace; font-size: x-small;"&gt;&amp;nbsp;ip router isis&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: Courier New, Courier, monospace; font-size: x-small;"&gt;&amp;nbsp;ipv6 router isis&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
I purposely skip the explanation of each component of the NET.&lt;br /&gt;
&lt;b&gt;&lt;br /&gt;&lt;/b&gt;
&lt;b&gt;Step 5: Enable IS-IS on interfaces.&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
It is simpler than you might expect. We look at the network map and every connected interface of every connected router should be enabled with IS-IS protocol, like this example.&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: Courier New, Courier, monospace; font-size: x-small;"&gt;interface Ethernet0/0&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: Courier New, Courier, monospace; font-size: x-small;"&gt;&amp;nbsp;no shutdown&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: Courier New, Courier, monospace; font-size: x-small;"&gt;&amp;nbsp;ip router isis&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: Courier New, Courier, monospace; font-size: x-small;"&gt;&amp;nbsp;ipv6 router isis&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
That’s all, folks!&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;One more thing…&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
In the partial configuration example above, “interface loopback 999999” is only for easier management. IS-IS doesn’t need this interface at all. We can safely skip it for plain IS-IS practice.&lt;br /&gt;
&lt;br /&gt;
We can even assign illegal IPv4 addresses such as 0.0.0.1 or 0.0.0.2 as router IDs for easier typing in IS-IS lab practice.&lt;br /&gt;
&lt;br /&gt;
In ISO documents, they don’t call routers “routers”. They call routers “Intermediate Systems” instead. Therefore, the IS-IS protocol is exactly a protocol for “routers to routers”. Straightforward, isn’t it!&lt;br /&gt;
&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvs7vqeUVHIodBgnBNaHE2iMyTBtd8o5CLp4j-mUEDBW-7zY9Q2ZGRY8pXz0_0REMVb-JOtIMCFGhfZGQABx40t13d2PhonHjuFrpzwd21uhHystZN3NeFhq0qZBvfWJY_R9hSCySJL7I/s1600/20170122_170754.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvs7vqeUVHIodBgnBNaHE2iMyTBtd8o5CLp4j-mUEDBW-7zY9Q2ZGRY8pXz0_0REMVb-JOtIMCFGhfZGQABx40t13d2PhonHjuFrpzwd21uhHystZN3NeFhq0qZBvfWJY_R9hSCySJL7I/s640/20170122_170754.jpg" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Sunset at&amp;nbsp;&lt;a href="https://goo.gl/maps/7ie8irNcu1v" target="_blank"&gt;Gongguan Waterfront Plaza (公館水岸廣場)&lt;/a&gt;&lt;br /&gt;Taipei City, Taiwan&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
</description><enclosure length="0" type="audio/mpeg" url="https://archive.org/download/hongliji-sip-p-20170518/hongliji-sip-p-20170518.mp3"/><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-vA-UuBWMMx7bK4nnrEKMRFvq9Lc1YkdZH3hnG1uFIgcP1_sho2ncQ5X82vyjtghP2cCMe3PK_O-SKLYPqenYseXwCE_5klWq-HdsShpR55MX8DB09__S-xQPq5ANLtyC7qh757ZrszY/s72-c/20170122_170754.jpg" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><georss:featurename xmlns:georss="http://www.georss.org/georss">Wanhua District, Taipei City, Taiwan 108</georss:featurename><georss:point xmlns:georss="http://www.georss.org/georss">25.0262857 121.49702939999997</georss:point><georss:box xmlns:georss="http://www.georss.org/georss">24.9687357 121.41634839999998 25.083835699999998 121.57771039999997</georss:box><author>hongliji@gmail.com (Li-Ji Hong (洪李吉))</author><itunes:explicit>no</itunes:explicit><itunes:subtitle>The routing protocol Intermediate System to Intermediate System (IS-IS) is an advanced and robust link-state protocol used in many service provider networks. Most of the other enterprises I know of prefer to use protocols like OSPF or EIGRP instead of IS-IS. Therefore, enterprise administrators might not be familiar to this protocol at all. Here I want to share my short note to start IS-IS quickly without digging into protocol details. In case you must configure and maintain an IS-IS network, this note might save you some time. You can follow these five steps to start IS-IS routing protocol in short time. Step 1: Prepare a pool of IPv4 addresses as non-overlapping Router-IDs Router ID is a unique identifier of any single router. Identifiers are just unique numbers. We know one citizen should have one and only one Citizen Identifier. No two citizens share the same identifier. This is the same for router IDs. 
No matter we are starting a production network or we just want to practice in lab, my recommendation is to always start from this step. The earlier we do this, the lesser time we might waste afterwards. In addition, I also recommend reserving a pool of IPv4 addresses just for router IDs. This pool should not overlap with any other network addresses. Any host route (/32) in this pool is for a single router. For easier discussion, I assume we reserve 10.0.0.0/16 for router IDs. Router 1 (R1) is assigned router ID: 10.0.0.1/32, and Router 2 (R2) is assigned router ID: 10.0.0.2/32, and so on. This unique host address is not just for identifying a single router. We can use this address for management protocols such as SSH, SNMP, and SSL. We can even add DNS mapping so we don’t have to remember the IPv4 address. For example, R1.MyDomain.COM can be mapped to 10.0.0.1. When I am about to manage a router on command line, all I do is starting a SSH to R1.MyDomain.COM, like “ssh admin@R1.MyDomain.COM”. Step 2: Pick a unique Area ID for Level 1 Here I want to emphasis starting from Level 1 (First Floor, Ground Floor) area. My recommendation is always start from Level 1. Expands to Level 2 only when necessary (most of the time we never need Level 2). Area ID is a unique number within 0000 to FFFF in hexadecimal (or 0~65,535 in decimal). If you really want, Area ID Zero (0000) is also a legal IS-IS area number. Area 0000 in IS-IS is just a normal Level 1 area. This is quite different from OSPF. Because we might easily confuse this area with the special OSPF Area Zero (Backbone Area), I recommend avoid using this area number at all. Many connected routers are grouped into a single area. All routers in the same area should be assigned with the same Area ID. For easier discussion, I assume we use Area 7 for Level 1. Step 3: Compose Network Entity Title (NET) for every router Network Entity Title (NET) is really an awkward name for many network administrators. 
It’s just a name used in ISO documents that define IS-IS protocol. It is the format IS-IS protocol recognizes as Router-ID. You are correct, NET must also be unique, and we must convert the router IDs in Step 1 into this NET format. The question now is “How”. I learned on Cisco Live an easy trick to convert unique IPv4 address into a unique NET. Here you are. First, expand the four decimal numbers of IPv4 address to 3 digits. For example, 10.0.0.1 -&amp;gt; 010.000.000.001. Now we have a 12-digit string. Then, we just see this number as hexadecimal in digits, and reposition the “dots” to separate into 3 parts instead of 4. For example, 010.000.000.001 -&amp;gt; 0100.0000.0001 In case you really want to know, this converted number “0100.0000.0001” is called System ID in IS-IS protocol. We will need this number again when we are expanding the IS-IS network to Level 2 connected topology. Finally, we can create NET now. NET is in a format of 49.[Area ID].[System ID].00. The NET for R1 is now “49.0007.0100.0000.0001.00”. Step 4: Start IS-IS on every router We can start IS-IS protocol on every router with the following partial commands. router isis &amp;nbsp;net 49.0007.0100.0000.0001.00 &amp;nbsp;is-type level-1 &amp;nbsp;metric-style wide Interface loopback 999999 ! This interface is for easier management only. IS-IS doesn’t need it. &amp;nbsp;ip address 10.0.0.1 255.255.255.255 &amp;nbsp;ipv6 address fd00::1/128 &amp;nbsp;ip router isis &amp;nbsp;ipv6 router isis I purposely neglect the explanation of every components of NET. Step 5: Enable IS-IS on interfaces. It is simpler than you might expect. We look at the network map and every connected interface of every connected router should be enabled with IS-IS protocol, like this example. interface Ethernet0/0 &amp;nbsp;no shutdown &amp;nbsp;ip router isis &amp;nbsp;ipv6 router isis That’s all. Folks! One more thing… In the partial configuration example above, “interface loopback 999999” is only for easier management. 
IS-IS doesn’t need this interface at all. We can safely skip it for plain IS-IS practice. We can even assign illegal IPv4 address such as 0.0.0.1 or 0.0.0.2 as router IDs for easier typing IS-IS lab practices. In ISO documents, they don’t call routers as “routers”. They call routers the “Intermediate Systems” instead. Therefore, IS-IS protocol is exactly a protocol for “routers to routers”. Straightforward, isn’t it! Sunset at&amp;nbsp;Gongguan Waterfront Plaza (公館水岸廣場) Taipei City, Taiwan</itunes:subtitle><itunes:author>Li-Ji Hong (洪李吉)</itunes:author><itunes:summary>The routing protocol Intermediate System to Intermediate System (IS-IS) is an advanced and robust link-state protocol used in many service provider networks. Most of the other enterprises I know of prefer to use protocols like OSPF or EIGRP instead of IS-IS. Therefore, enterprise administrators might not be familiar to this protocol at all. Here I want to share my short note to start IS-IS quickly without digging into protocol details. In case you must configure and maintain an IS-IS network, this note might save you some time. You can follow these five steps to start IS-IS routing protocol in short time. Step 1: Prepare a pool of IPv4 addresses as non-overlapping Router-IDs Router ID is a unique identifier of any single router. Identifiers are just unique numbers. We know one citizen should have one and only one Citizen Identifier. No two citizens share the same identifier. This is the same for router IDs. No matter we are starting a production network or we just want to practice in lab, my recommendation is to always start from this step. The earlier we do this, the lesser time we might waste afterwards. In addition, I also recommend reserving a pool of IPv4 addresses just for router IDs. This pool should not overlap with any other network addresses. Any host route (/32) in this pool is for a single router. For easier discussion, I assume we reserve 10.0.0.0/16 for router IDs. 
Router 1 (R1) is assigned router ID: 10.0.0.1/32, and Router 2 (R2) is assigned router ID: 10.0.0.2/32, and so on. This unique host address is not just for identifying a single router. We can use this address for management protocols such as SSH, SNMP, and SSL. We can even add DNS mapping so we don’t have to remember the IPv4 address. For example, R1.MyDomain.COM can be mapped to 10.0.0.1. When I am about to manage a router on command line, all I do is starting a SSH to R1.MyDomain.COM, like “ssh admin@R1.MyDomain.COM”. Step 2: Pick a unique Area ID for Level 1 Here I want to emphasis starting from Level 1 (First Floor, Ground Floor) area. My recommendation is always start from Level 1. Expands to Level 2 only when necessary (most of the time we never need Level 2). Area ID is a unique number within 0000 to FFFF in hexadecimal (or 0~65,535 in decimal). If you really want, Area ID Zero (0000) is also a legal IS-IS area number. Area 0000 in IS-IS is just a normal Level 1 area. This is quite different from OSPF. Because we might easily confuse this area with the special OSPF Area Zero (Backbone Area), I recommend avoid using this area number at all. Many connected routers are grouped into a single area. All routers in the same area should be assigned with the same Area ID. For easier discussion, I assume we use Area 7 for Level 1. Step 3: Compose Network Entity Title (NET) for every router Network Entity Title (NET) is really an awkward name for many network administrators. It’s just a name used in ISO documents that define IS-IS protocol. It is the format IS-IS protocol recognizes as Router-ID. You are correct, NET must also be unique, and we must convert the router IDs in Step 1 into this NET format. The question now is “How”. I learned on Cisco Live an easy trick to convert unique IPv4 address into a unique NET. Here you are. First, expand the four decimal numbers of IPv4 address to 3 digits. For example, 10.0.0.1 -&amp;gt; 010.000.000.001. 
Now we have a 12-digit string. Then, we just see this number as hexadecimal in digits, and reposition the “dots” to separate into 3 parts instead of 4. For example, 010.000.000.001 -&amp;gt; 0100.0000.0001 In case you really want to know, this converted number “0100.0000.0001” is called System ID in IS-IS protocol. We will need this number again when we are expanding the IS-IS network to Level 2 connected topology. Finally, we can create NET now. NET is in a format of 49.[Area ID].[System ID].00. The NET for R1 is now “49.0007.0100.0000.0001.00”. Step 4: Start IS-IS on every router We can start IS-IS protocol on every router with the following partial commands. router isis &amp;nbsp;net 49.0007.0100.0000.0001.00 &amp;nbsp;is-type level-1 &amp;nbsp;metric-style wide Interface loopback 999999 ! This interface is for easier management only. IS-IS doesn’t need it. &amp;nbsp;ip address 10.0.0.1 255.255.255.255 &amp;nbsp;ipv6 address fd00::1/128 &amp;nbsp;ip router isis &amp;nbsp;ipv6 router isis I purposely neglect the explanation of every components of NET. Step 5: Enable IS-IS on interfaces. It is simpler than you might expect. We look at the network map and every connected interface of every connected router should be enabled with IS-IS protocol, like this example. interface Ethernet0/0 &amp;nbsp;no shutdown &amp;nbsp;ip router isis &amp;nbsp;ipv6 router isis That’s all. Folks! One more thing… In the partial configuration example above, “interface loopback 999999” is only for easier management. IS-IS doesn’t need this interface at all. We can safely skip it for plain IS-IS practice. We can even assign illegal IPv4 address such as 0.0.0.1 or 0.0.0.2 as router IDs for easier typing IS-IS lab practices. In ISO documents, they don’t call routers as “routers”. They call routers the “Intermediate Systems” instead. Therefore, IS-IS protocol is exactly a protocol for “routers to routers”. Straightforward, isn’t it! 
Sunset at&amp;nbsp;Gongguan Waterfront Plaza (公館水岸廣場) Taipei City, Taiwan</itunes:summary><itunes:keywords>Internet,Cisco</itunes:keywords></item><item><title>How do we repair a broken submarine fiber cable?</title><link>https://showipprotocols.blogspot.com/2017/04/how-do-we-repair-broken-submarine-fiber.html</link><category>Fiber Optics</category><pubDate>Wed, 26 Apr 2017 23:43:00 +0800</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6616815944293602407.post-2318626194143956358</guid><description>&lt;div&gt;(Updated here:&amp;nbsp;&lt;a href="https://showipprotocols.blogspot.com/2025/01/how-do-we-fix-broken-submarine-fiber.html"&gt;https://showipprotocols.blogspot.com/2025/01/how-do-we-fix-broken-submarine-fiber.html&lt;/a&gt;)&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;On April 22, 2017, one segment of &lt;a href="https://zh.wikipedia.org/wiki/%E4%BA%9A%E5%A4%AA2%E5%8F%B7%E6%B5%B7%E5%BA%95%E7%94%B5%E7%BC%86" target="_blank"&gt;Asia-Pacific Cable Network 2&lt;/a&gt; (APCN2) that serves Taiwan’s major Internet connectivity with Japan, Europe, and America, was broken. According to &lt;a href="http://focustaiwan.tw/news/aeco/201704230014.aspx" target="_blank"&gt;some news sources&lt;/a&gt;, it might take one month just to fix this outage. I live in Taiwan, and I do feel the Internet speed became slow after this outage. I was wondering how could the repairing take one month.&lt;br /&gt;
&lt;br /&gt;
I wanted to know how a broken submarine fiber cable is repaired, so I searched on Google and found this video, created and published by &lt;a href="http://www.te.com/usa-en/industries/subsea-communications.html" target="_blank"&gt;TE SubCom&lt;/a&gt;. In this post I summarize the key steps shown in the video and add some notes of my own. I hope this post, together with the original video, helps you understand the repair operation as well.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="video-container"&gt;
&lt;iframe allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/m6qTk5WNq9E" width="560"&gt;&lt;/iframe&gt;&lt;/div&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;
&lt;b&gt;How could the submarine fiber cable break in the first place?&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Other than uncontrollable natural events such as earthquakes, most of the incidents are caused by humans. For example, a towed fishing net might tangle with the cable and snap it. Sometimes sea animals biting the cable might also damage it.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;How do we locate the broken spot?&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
In fact, we can first use an &lt;a href="https://en.wikipedia.org/wiki/Optical_time-domain_reflectometer" target="_blank"&gt;Optical Time-domain Reflectometer&lt;/a&gt; (OTDR) to measure the cable length from a known location to the broken spot, and then determine where this spot is according to the cable run map.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Repair steps in this video&lt;/b&gt;&lt;br /&gt;
&lt;b&gt;&lt;br /&gt;&lt;/b&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMzwC1lAJ8RGE5BSedJj4n0_U21a6McwVjBa7xp_R6PNdEZIvCyD5QIaC4i4dArM-i8GABdEcNAfv9u4zFTLkq4SXGHCqCp9vrfdMEkKDpB68fCldXH4xxm4K7TxXhtKtMU0bAbVt7nwg/s1600/Submarine-Fiber-Repair.jpg" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMzwC1lAJ8RGE5BSedJj4n0_U21a6McwVjBa7xp_R6PNdEZIvCyD5QIaC4i4dArM-i8GABdEcNAfv9u4zFTLkq4SXGHCqCp9vrfdMEkKDpB68fCldXH4xxm4K7TxXhtKtMU0bAbVt7nwg/s640/Submarine-Fiber-Repair.jpg" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;ol&gt;
&lt;li&gt;&lt;b&gt;Cutting grapnel deployed on seabed to cut target cable&lt;/b&gt;. (0:23)&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Holding grapnel deployed on seabed for recovery of cable end&lt;/b&gt;. (0:37)&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Cable end recovered to cable repair ship&lt;/b&gt;. (0:50)&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Buoy launch to mark end of cable&lt;/b&gt;. (0:56) I call it End A.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Holding grapnel deployed to recover second cable end&lt;/b&gt;. I call it End B. (1:42)&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Cable end is recovered and brought to shipboard jointing shop&lt;/b&gt;. (2:02)&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Initial splice - spare cable is spliced to recovered cable end&lt;/b&gt;. (2:11)&lt;br /&gt;&lt;br /&gt;I believe in this step we must also examine the recovered cable end and cut away the damaged portions of the cable. Here I call the new End B End B’. After this step, End B’ is spliced to one end of the spare cable.&lt;br /&gt;&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Millenia Cable Joint Assembly&lt;/b&gt;. (2:53) I believe this is special hardware to protect the cable joint.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Cable joint and spare cable are deployed as repair ship moves to recover cable buoy&lt;/b&gt;. (3:07)&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Cable repair ship is positioned to recover buoy and first cable end&lt;/b&gt;. That is, End A. (3:16)&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Cable ship using dynamic positioning to maneuver&lt;/b&gt;. I believe this is to ensure the cable slack. (3:31)&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Final cable splice - First cable end is spliced to the end of the spare cable&lt;/b&gt;. That is, End A is spliced to the other end of the spare cable. (4:32)&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Millenia Cable Joint Assembly&lt;/b&gt;. (4:42)&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Final splice deployment&lt;/b&gt;. (4:53)&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Repair complete - Final splice released&lt;/b&gt;. (5:07)&lt;/li&gt;
&lt;/ol&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;One more thing…&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
We need special repair ships first before we can do anything to repair the broken cable. However, few such ships are standing by around the globe. It would take days or even weeks just to move one such ship to the location of repair.&lt;br /&gt;
&lt;br /&gt;
We must always include backup paths of cables when we design a submarine fiber cable system. This is what I learned first.&lt;br /&gt;
&lt;br /&gt;
Second, we also know that every splice adds attenuation to the signal. After enough repair and splicing operations on the fiber, the whole fiber would become unusable and thus be at the end of its life.&lt;br /&gt;
&lt;br /&gt;
That is, every submarine fiber cable has a limited lifetime. We must be prepared to replace the whole fiber cable when it reaches the end of its lifetime.&lt;br /&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
</description><enclosure length="0" type="audio/mpeg" url="https://archive.org/download/hongliji-sip-p-20170426/hongliji-sip-p-20170426.mp3"/><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://img.youtube.com/vi/m6qTk5WNq9E/default.jpg" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><georss:featurename xmlns:georss="http://www.georss.org/georss">Wanhua District, Taipei City, Taiwan 108</georss:featurename><georss:point xmlns:georss="http://www.georss.org/georss">25.0262857 121.49702939999997</georss:point><georss:box xmlns:georss="http://www.georss.org/georss">24.9687357 121.41634839999998 25.083835699999998 121.57771039999997</georss:box><author>hongliji@gmail.com (Li-Ji Hong (洪李吉))</author><itunes:explicit>no</itunes:explicit><itunes:subtitle>(Updated here:&amp;nbsp;https://showipprotocols.blogspot.com/2025/01/how-do-we-fix-broken-submarine-fiber.html) On April 22, 2017, one segment of Asia-Pacific Cable Network 2 (APCN2) that serves Taiwan’s major Internet connectivity with Japan, Europe, and America, was broken. According to some news sources, it might take one month just to fix this outage. I live in Taiwan, and I do feel the Internet speed became slow after this outage. I was wondering how could the repairing take one month. I want to know how to repair a broken submarine fiber cable. I searched on Google and I found this video. This video was created and published by TE SubCom. I summarize the key steps mentioned in this video, and I also added some of my own notes all in this post. I hope this post together with the original video would help you to understand the repairing operation as well. How could the submarine fiber cable break in the first place? Other than uncontrollable natural events such as earthquakes, most of the incidents are caused by human. For example, a towed fishing net might tangle with the cable and snap it. 
Sometimes biting the cable by sea animals might also damage it. How to locate the broken spot? In fact, we can use Optical Time-domain Reflectometer (OTDR) to measure the cable length to the broken spot from a known location first, and then determine this spot according to the cable run map. Repairing steps in this video Cutting grapnel deployed on seabed to cut target cable. (0:23) Holding grapnel deployed on seabed for recovery of cable end. (0:37) Cable end recovered to cable repair ship. (0:50) Buoy launch to mark end of cable. (0:56) I call it End A. Holding grapnel deployed to recover second cable end. I call it End B. (1:42) Cable end is recovered and brought to shipboard jointing shop. (2:02) Initial splice - spare cable is spliced to recovered cable end. (2:11) I believe in this step we must also examine the recovered cable end and cut remove the damaged portions of the cable. Here I call the new End B as End B’. After this step, End B’ is sliced with one end of the spare cable. Millenia Cable Joint Assembly. (2:53) I believe this is a special hardware to protect the cable joint. Cable joint and spare cable are deployed as repair ship moves to recover cable buoy. (3:07) Cable repair ship is positioned to recover buoy and first cable end. That is, End A. (3:16) Cable ship using dynamic positioning to maneuver. I believe this is to ensure the cable slack. (3:31) Final cable splice - First cable end is spliced to the end of the spare cable. That is, End A is sliced to the other end of the spare cable. (4:32) Millenia Cable Joint Assembly. (4:42) Final splice deployment. (4:53) Repair complete - Final splice released. (5:07) One more thing… We need special repair ships first before we can do anything to repair the broken cable. However, few such ships are standing by around the globe. It would take days or even weeks just to move one such ship to the location of repair. 
We must always include backup paths of cables when we design a submarine fiber cable system. This is what I learned first. Second, we also know that the spliced fiber would add up attenuation to the signal strength. When we have done enough number of repairing and slicing operations on the fiber, the whole fiber would become unusable and thus be at the end of its life. That is, any submarine fiber cables have a limited lifetime. We must be prepared to replace the whole fiber cable when it is out of its lifetime.</itunes:subtitle><itunes:author>Li-Ji Hong (洪李吉)</itunes:author><itunes:summary>(Updated here:&amp;nbsp;https://showipprotocols.blogspot.com/2025/01/how-do-we-fix-broken-submarine-fiber.html) On April 22, 2017, one segment of Asia-Pacific Cable Network 2 (APCN2) that serves Taiwan’s major Internet connectivity with Japan, Europe, and America, was broken. According to some news sources, it might take one month just to fix this outage. I live in Taiwan, and I do feel the Internet speed became slow after this outage. I was wondering how could the repairing take one month. I want to know how to repair a broken submarine fiber cable. I searched on Google and I found this video. This video was created and published by TE SubCom. I summarize the key steps mentioned in this video, and I also added some of my own notes all in this post. I hope this post together with the original video would help you to understand the repairing operation as well. How could the submarine fiber cable break in the first place? Other than uncontrollable natural events such as earthquakes, most of the incidents are caused by human. For example, a towed fishing net might tangle with the cable and snap it. Sometimes biting the cable by sea animals might also damage it. How to locate the broken spot? 
In fact, we can use Optical Time-domain Reflectometer (OTDR) to measure the cable length to the broken spot from a known location first, and then determine this spot according to the cable run map. Repairing steps in this video Cutting grapnel deployed on seabed to cut target cable. (0:23) Holding grapnel deployed on seabed for recovery of cable end. (0:37) Cable end recovered to cable repair ship. (0:50) Buoy launch to mark end of cable. (0:56) I call it End A. Holding grapnel deployed to recover second cable end. I call it End B. (1:42) Cable end is recovered and brought to shipboard jointing shop. (2:02) Initial splice - spare cable is spliced to recovered cable end. (2:11) I believe in this step we must also examine the recovered cable end and cut remove the damaged portions of the cable. Here I call the new End B as End B’. After this step, End B’ is sliced with one end of the spare cable. Millenia Cable Joint Assembly. (2:53) I believe this is a special hardware to protect the cable joint. Cable joint and spare cable are deployed as repair ship moves to recover cable buoy. (3:07) Cable repair ship is positioned to recover buoy and first cable end. That is, End A. (3:16) Cable ship using dynamic positioning to maneuver. I believe this is to ensure the cable slack. (3:31) Final cable splice - First cable end is spliced to the end of the spare cable. That is, End A is sliced to the other end of the spare cable. (4:32) Millenia Cable Joint Assembly. (4:42) Final splice deployment. (4:53) Repair complete - Final splice released. (5:07) One more thing… We need special repair ships first before we can do anything to repair the broken cable. However, few such ships are standing by around the globe. It would take days or even weeks just to move one such ship to the location of repair. We must always include backup paths of cables when we design a submarine fiber cable system. This is what I learned first. 
Second, we also know that the spliced fiber would add up attenuation to the signal strength. When we have done enough number of repairing and slicing operations on the fiber, the whole fiber would become unusable and thus be at the end of its life. That is, any submarine fiber cables have a limited lifetime. We must be prepared to replace the whole fiber cable when it is out of its lifetime.</itunes:summary><itunes:keywords>Internet,Cisco</itunes:keywords></item><item><title>Clear configured allowed VSAN list on trunk ports of Cisco MDS</title><link>https://showipprotocols.blogspot.com/2017/03/clear-allowed-vsan-list-cisco-mds.html</link><category>Data Center</category><category>SAN</category><pubDate>Wed, 29 Mar 2017 12:10:00 +0800</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6616815944293602407.post-6239960478841038146</guid><description>A friend asked a good question about how this command works on Cisco MDS FibreChannel switch: “&lt;span style="font-family: &amp;quot;courier new&amp;quot; , &amp;quot;courier&amp;quot; , monospace;"&gt;switchport trunk allowed vsan all&lt;/span&gt;”.&lt;br /&gt;
&lt;br /&gt;
To my surprise, I cannot find any specific official document that explains it clearly. I did some experiments on one Cisco MDS 9148, and here is my conclusion.&lt;br /&gt;
&lt;br /&gt;
&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgvHOpqxWewZUh9Q01AVo7-yBaS2Xe8HJeFwWEafB6J9V9nhq1IyeKRGzKpI_7bm0k6dQanYRr45L-ZtWf7EsgzyMsBX0RZDhXrtjT9IbkzM74WipX3ebjVdu9cYfKlF2wQuMl2K82a6Y/s1600/20161122_104727.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgvHOpqxWewZUh9Q01AVo7-yBaS2Xe8HJeFwWEafB6J9V9nhq1IyeKRGzKpI_7bm0k6dQanYRr45L-ZtWf7EsgzyMsBX0RZDhXrtjT9IbkzM74WipX3ebjVdu9cYfKlF2wQuMl2K82a6Y/s640/20161122_104727.jpg" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Bay, beach, and cliff near Chung-De Station. (&lt;a href="https://www.google.com/maps/place/%E5%B4%87%E5%BE%B7%E6%B5%B7%E7%81%A3/@24.1812668,121.6447812,14.75z/data=!4m13!1m7!3m6!1s0x0:0x0!2zMjTCsDEwJzU1LjkiTiAxMjHCsDM5JzM0LjAiRQ!3b1!8m2!3d24.1822014!4d121.6594314!3m4!1s0x0:0xa134df8de802b24!8m2!3d24.1781343!4d121.6575564" target="_blank"&gt;崇德海灣&lt;/a&gt;).&lt;br /&gt;
Hualian County, Taiwan.&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;To clear the whole allowed VSAN list and make every VSAN allowed at the same time, use “&lt;span style="font-family: &amp;quot;courier new&amp;quot; , &amp;quot;courier&amp;quot; , monospace;"&gt;switchport trunk allowed vsan all&lt;/span&gt;” in the interface configuration mode.&lt;br /&gt;
&lt;br /&gt;
To clear the whole allowed VSAN list and make every VSAN &lt;span style="background-color: yellow;"&gt;NOT&lt;/span&gt;-allowed at the same time, use “&lt;span style="font-family: &amp;quot;courier new&amp;quot; , &amp;quot;courier&amp;quot; , monospace;"&gt;&lt;span style="background-color: yellow;"&gt;no&lt;/span&gt; switchport trunk allowed vsan all&lt;/span&gt;”, in the interface configuration mode as well.&lt;br /&gt;
&lt;br /&gt;
Otherwise, just use the “&lt;span style="font-family: &amp;quot;courier new&amp;quot; , &amp;quot;courier&amp;quot; , monospace;"&gt;switchport trunk allowed vsan&lt;/span&gt;” or “&lt;span style="font-family: &amp;quot;courier new&amp;quot; , &amp;quot;courier&amp;quot; , monospace;"&gt;switchport trunk allowed vsan add&lt;/span&gt;” commands to edit the allowed VSAN list.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;One more thing…&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
To edit the allowed VSAN list, remember to use the “&lt;span style="font-family: &amp;quot;courier new&amp;quot; , &amp;quot;courier&amp;quot; , monospace;"&gt;switchport trunk allowed vsan&lt;/span&gt;” command first, before any “&lt;span style="font-family: &amp;quot;courier new&amp;quot; , &amp;quot;courier&amp;quot; , monospace;"&gt;switchport trunk allowed vsan &lt;span style="background-color: yellow;"&gt;add&lt;/span&gt;&lt;/span&gt;” commands.&lt;br /&gt;
&lt;br /&gt;
On a production network, remember to maintain the allowed VSAN list instead of allowing every new VSAN, in case you create unnecessary VSANs by typing errors, which might have negative impacts on your MDS performance.</description><enclosure length="0" type="audio/mpeg" url="https://archive.org/download/hongliji-sip-p-20170328/hongliji-sip-p-20170328.mp3"/><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgvHOpqxWewZUh9Q01AVo7-yBaS2Xe8HJeFwWEafB6J9V9nhq1IyeKRGzKpI_7bm0k6dQanYRr45L-ZtWf7EsgzyMsBX0RZDhXrtjT9IbkzM74WipX3ebjVdu9cYfKlF2wQuMl2K82a6Y/s72-c/20161122_104727.jpg" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>hongliji@gmail.com (Li-Ji Hong (洪李吉))</author><itunes:explicit>no</itunes:explicit><itunes:subtitle>A friend asked a good question about how this command works on Cisco MDS FibreChannel switch: “switchport trunk allowed vsan all”. To my surprise, I cannot find any specific official document that explains it clearly. I did some experiments on one Cisco MDS 9148, and here is my conclusion. Bay, beach, and cliff near Chung-De Station. (崇德海灣). Hualian County, Taiwan. To clear the whole allowed VSAN list and make every VSAN allowed at the same time, use “switchport trunk allowed vsan all” in the interface configuration mode. To clear the whole allowed VSAN list and make every VSAN NOT-allowed at the same time, use “no switchport trunk allowed vsan all”, in the interface configuration mode as well. Otherwise, just use the “switchport trunk allowed vsan” or “switchport trunk allowed vsan add” commands to edit the allowed VSAN list. One more thing… To edit the allowed VSAN list, remember to use the “switchport trunk allowed vsan” command first, before any “switchport trunk allowed vsan add” commands. 
On a production network, remember to maintain the allowed VSAN list instead of allowing every new VSAN, in case you create unnecessary VSANs by typing errors, which might have negative impacts on your MDS performance.</itunes:subtitle><itunes:author>Li-Ji Hong (洪李吉)</itunes:author><itunes:summary>A friend asked a good question about how this command works on Cisco MDS FibreChannel switch: “switchport trunk allowed vsan all”. To my surprise, I cannot find any specific official document that explains it clearly. I did some experiments on one Cisco MDS 9148, and here is my conclusion. Bay, beach, and cliff near Chung-De Station. (崇德海灣). Hualian County, Taiwan. To clear the whole allowed VSAN list and make every VSAN allowed at the same time, use “switchport trunk allowed vsan all” in the interface configuration mode. To clear the whole allowed VSAN list and make every VSAN NOT-allowed at the same time, use “no switchport trunk allowed vsan all”, in the interface configuration mode as well. Otherwise, just use the “switchport trunk allowed vsan” or “switchport trunk allowed vsan add” commands to edit the allowed VSAN list. One more thing… To edit the allowed VSAN list, remember to use the “switchport trunk allowed vsan” command first, before any “switchport trunk allowed vsan add” commands. On a production network, remember to maintain the allowed VSAN list instead of allowing every new VSAN, in case you create unnecessary VSANs by typing errors, which might have negative impacts on your MDS performance.</itunes:summary><itunes:keywords>Internet,Cisco</itunes:keywords></item><item><title>Cisco IOS/IOS XE Vulnerability announced. 
Disable TELNET fast</title><link>https://showipprotocols.blogspot.com/2017/03/disable-telnet.html</link><category>Security</category><pubDate>Thu, 23 Mar 2017 07:10:00 +0800</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6616815944293602407.post-2515212602095921970</guid><description>This is just a short notice in case you are not aware of it. Cisco announced a vulnerability in the Cisco IOS and IOS XE operating systems. In short, you only have to disable the incoming TELNET service on the router itself to avoid this vulnerability. You can use Secure Shell (SSH) instead for remote management. SSH is not vulnerable to this problem.&lt;br /&gt;
&lt;br /&gt;
&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvVQ66OcRhS2GSKl-NQIc4d8FS4D_F-szZ1dMMVhWpKiBKEH2cIkJgt1DiwbixIKw6CdNbRjfqNqpvs4mWyyOhx6ImH5Gm_r157_1Nw4F9tTxnma8c-easz1GpFVXwEbXvhBytvrwnaow/s1600/20170227_132249.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvVQ66OcRhS2GSKl-NQIc4d8FS4D_F-szZ1dMMVhWpKiBKEH2cIkJgt1DiwbixIKw6CdNbRjfqNqpvs4mWyyOhx6ImH5Gm_r157_1Nw4F9tTxnma8c-easz1GpFVXwEbXvhBytvrwnaow/s640/20170227_132249.jpg" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;The Jin-Dai Bridge (錦帶橋) in&amp;nbsp;&lt;a href="https://en.wikipedia.org/wiki/Dahu_Park" target="_blank"&gt;Dahu Park (大湖公園)&lt;/a&gt;.&lt;br /&gt;Taipei City, Taiwan.&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;
You can read the original announcement for technical details.&lt;br /&gt;
&lt;br /&gt;
&lt;a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp" target="_blank"&gt;Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;One more thing…&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
You can disable the TELNET service and enable SSH at the same time with this command:&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: Courier New, Courier, monospace;"&gt;transport input ssh&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
You can list the listening ports with these commands:&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: Courier New, Courier, monospace;"&gt;show control-plane host open-ports&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: Courier New, Courier, monospace;"&gt;show tcp brief&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;</description><enclosure length="0" type="audio/mpeg" url="https://archive.org/download/hongliji-sip-p-20170322/hongliji-sip-p-20170322.mp3"/><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvVQ66OcRhS2GSKl-NQIc4d8FS4D_F-szZ1dMMVhWpKiBKEH2cIkJgt1DiwbixIKw6CdNbRjfqNqpvs4mWyyOhx6ImH5Gm_r157_1Nw4F9tTxnma8c-easz1GpFVXwEbXvhBytvrwnaow/s72-c/20170227_132249.jpg" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><georss:featurename xmlns:georss="http://www.georss.org/georss">Wanhua District, Taipei City, Taiwan 108</georss:featurename><georss:point xmlns:georss="http://www.georss.org/georss">25.0262857 121.49702939999997</georss:point><georss:box xmlns:georss="http://www.georss.org/georss">24.9687357 121.41634839999998 25.083835699999998 121.57771039999997</georss:box><author>hongliji@gmail.com (Li-Ji Hong (洪李吉))</author><itunes:explicit>no</itunes:explicit><itunes:subtitle>This is just a short notice for you in case you are not aware of it. Cisco announced a vulnerability on Cisco IOS and IOS XE operating system. For short, you only have to disable incoming TELNET service onto the router itself to avoid this vulnerability. You can use Secure Shell (SSH) instead for remote management. SSH is not vulnerable in this problem. The Jin-Dai Bridge (錦帶橋) in&amp;nbsp;Dahu Park (大湖公園). Taipei City, Taiwan. You can read the original announcement for technical details. Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability One more thing… You can disable TELNET service and enable SSH at the same time by this command: transport input ssh You can list listening ports by these commands: show control-plane host open-ports show tcp brief</itunes:subtitle><itunes:author>Li-Ji Hong (洪李吉)</itunes:author><itunes:summary>This is just a short notice for you in case you are not aware of it. 
Cisco announced a vulnerability on Cisco IOS and IOS XE operating system. For short, you only have to disable incoming TELNET service onto the router itself to avoid this vulnerability. You can use Secure Shell (SSH) instead for remote management. SSH is not vulnerable in this problem. The Jin-Dai Bridge (錦帶橋) in&amp;nbsp;Dahu Park (大湖公園). Taipei City, Taiwan. You can read the original announcement for technical details. Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability One more thing… You can disable TELNET service and enable SSH at the same time by this command: transport input ssh You can list listening ports by these commands: show control-plane host open-ports show tcp brief</itunes:summary><itunes:keywords>Internet,Cisco</itunes:keywords></item><item><title>Do more with “the same”</title><link>https://showipprotocols.blogspot.com/2016/08/do-more-with-same.html</link><category>My Opinions</category><pubDate>Wed, 24 Aug 2016 10:31:00 +0800</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6616815944293602407.post-3611468283710882107</guid><description>To emphasize the effectiveness of a new tool, we always hear some people say it would make you “do more with less”. This is so attractive to Chief Officers. How would the other staff think about this?&lt;br /&gt;
&lt;br /&gt;
&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjG9IEr2ZHyNSI5h-XnAEv8Uzl4FPVZzy9EX_dYQerFucaH9Bdu3nlVr1asW7pQ1zTN2YGC5047Se-vqRfcDK6kyw9coocw_gflEfkVbgdYw1067BmvgLGfGhojdTwY9GOhzG9k937MJDU/s1600/20160804_162535.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjG9IEr2ZHyNSI5h-XnAEv8Uzl4FPVZzy9EX_dYQerFucaH9Bdu3nlVr1asW7pQ1zTN2YGC5047Se-vqRfcDK6kyw9coocw_gflEfkVbgdYw1067BmvgLGfGhojdTwY9GOhzG9k937MJDU/s640/20160804_162535.jpg" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;&lt;a href="https://www.travelking.com.tw/eng/tourguide/yilan/dongshan-river-water-park.html" target="_blank"&gt;Dongshan River Water Park (冬山河親水公園)&lt;/a&gt;.&lt;br /&gt;
The venue of &amp;nbsp;&lt;a href="https://en.wikipedia.org/wiki/Yilan_International_Children%27s_Folklore_and_Folkgame_Festival" target="_blank"&gt;Yilan International Children's Folklore and Folkgame Festival (YICFFF, 宜蘭國際童玩藝術節)&lt;/a&gt;.&amp;nbsp;Yilan County, Taiwan.&amp;nbsp;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;br /&gt;
&lt;b&gt;The problem of “do more with less”&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
With the word “less”, what does that mean? Does that imply we don’t need that much budget anymore? Does that imply we don’t need more hardware? Does that imply the workforce would be cut down?&lt;br /&gt;
&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
In a not-so-good economic situation, cutting the workforce means people would lose their jobs. In the end, I might not welcome such good new tools, and I might even defend myself against them.&lt;br /&gt;
&lt;br /&gt;
It is really a sad story when an effective new tool X becomes an enemy of the people it is meant to help.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;How about, with the same, we can do more&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
My suggestion is that we change the phrase a little bit. This way, it might not be so offensive to working staff.&lt;br /&gt;
&lt;br /&gt;
&lt;blockquote class="tr_bq"&gt;
Do more, with the same.&lt;/blockquote&gt;
&lt;br /&gt;
That means we don’t have to reduce budgets. We still need to buy new things. And most important of all, we would not lose our jobs even if we embrace the new tool.&lt;br /&gt;
&lt;br /&gt;
We all still understand this new tool is so effective, because we can still “do more”.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Embrace new tools, enable business growth&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
For example, assume we previously needed 100 staff members to take good care of 10 large data centers. After we add new tool X, we can take good care of 1,000 large data centers with exactly the same 100 staff members.&lt;br /&gt;
&lt;br /&gt;
With this changed mindset, we don’t need to avoid new automation tools any more. We can now live happily together with the new tools.&lt;br /&gt;
&lt;br /&gt;
The Chief Officers still achieve their business growth. This is a win-win situation.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;One more thing...&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
New tools would save us a lot of time. What can we do with that extra time?&lt;br /&gt;
&lt;br /&gt;
Of course, you could spend more time browsing my website. Or, you now have enough time to watch all the videos on the Cisco Live website.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmykP7i909qonomqFgdxpN0cg1GYGPWmwGDdOcUGMheN_erBcjuhrxqSWAtHvkN5jgknhJs7GZs-lZzp6dnNlbixfg07o0V-q19RodKH3CxVYKuTSPpGY4ATRMIlzjJFf4S1jb2V9qk1Q/s1600/20160804_163840.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmykP7i909qonomqFgdxpN0cg1GYGPWmwGDdOcUGMheN_erBcjuhrxqSWAtHvkN5jgknhJs7GZs-lZzp6dnNlbixfg07o0V-q19RodKH3CxVYKuTSPpGY4ATRMIlzjJFf4S1jb2V9qk1Q/s640/20160804_163840.jpg" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqHDZMx5BrKtWWJP3kLkE733MJRfyeSSKaUqBbfef8dUatJXhBk-WhQtnjjGPMZLiYUdTgz3P_omEGDFeUmBwAm1sNNOYMbTvZh-M4IJWBZQSGKkt50upphB9qahY4ufNPp3iuQ5mBfc8/s1600/20160804_103741.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqHDZMx5BrKtWWJP3kLkE733MJRfyeSSKaUqBbfef8dUatJXhBk-WhQtnjjGPMZLiYUdTgz3P_omEGDFeUmBwAm1sNNOYMbTvZh-M4IJWBZQSGKkt50upphB9qahY4ufNPp3iuQ5mBfc8/s640/20160804_103741.jpg" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;br /&gt;
All photos in this post were taken here:&lt;br /&gt;
&lt;br /&gt;
&lt;div class="video-container"&gt;
&lt;iframe allowfullscreen="" frameborder="0" height="450" src="https://www.google.com/maps/embed?pb=!1m18!1m12!1m3!1d4353.32264891508!2d121.81202758391734!3d24.671173904543874!2m3!1f0!2f0!3f0!3m2!1i1024!2i768!4f13.1!3m3!1m2!1s0x0%3A0x0!2zMjTCsDQwJzE1LjkiTiAxMjHCsDQ4JzUyLjkiRQ!5e0!3m2!1sen!2s!4v1472100571010" style="border: 0;" width="600"&gt;&lt;/iframe&gt;&lt;/div&gt;
</description><enclosure length="0" type="audio/mpeg" url="https://archive.org/download/hongliji-sip-p-20160824/hongliji-sip-p-20160824.mp3"/><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjG9IEr2ZHyNSI5h-XnAEv8Uzl4FPVZzy9EX_dYQerFucaH9Bdu3nlVr1asW7pQ1zTN2YGC5047Se-vqRfcDK6kyw9coocw_gflEfkVbgdYw1067BmvgLGfGhojdTwY9GOhzG9k937MJDU/s72-c/20160804_162535.jpg" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><georss:featurename xmlns:georss="http://www.georss.org/georss">Wanhua District, Taipei City, Taiwan 108</georss:featurename><georss:point xmlns:georss="http://www.georss.org/georss">25.0262857 121.49702939999997</georss:point><georss:box xmlns:georss="http://www.georss.org/georss">24.9687357 121.41634839999998 25.083835699999998 121.57771039999997</georss:box><author>hongliji@gmail.com (Li-Ji Hong (洪李吉))</author><itunes:explicit>no</itunes:explicit><itunes:subtitle>To emphasis the effectiveness of a new tool, we always hear some people say it would make you “do more with less”. This is so attractive to Chief Officers. How would the other staffs think about this? Dongshan River Water Park (冬山河親水公園). The venue of &amp;nbsp;Yilan International Children's Folklore and Folkgame Festival (YICFFF, 宜蘭國際童玩藝術節).&amp;nbsp;Yilan County, Taiwan.&amp;nbsp; The problem of “do more with less” With the word “less”, what does that mean? Does that imply we don’t need that much budgets anymore? Does that imply we don’t need more hardware? Does that imply the workforce would be cut down? Under a not-so-good economic situation, cutting workforce means people would lose their jobs. In the end, I might not welcome and I might defend myself from such new good tools. It is really a sad story for an effective new tool X becomes an enemy to the people it is going to help. 
How about, with the same, we can do more My suggestion is we change the phrase a little bit, maybe it might not be so offensive to working staffs this way. Do more, with the same. That means, we don’t have to reduce budgets. We still need to buy new things. And the most important of all, we would not lose our jobs even if we embrace the new tool. We all still understand this new tool is so effective, because we can still “do more”. Embrace new tools, enable business growth For example, assume we need 100 staffs to take good care of 10 large data centers before. After we add new tool X, we can now take good care of 1,000 large data centers with exactly the same 100 staffs. With this changed mindset, we don’t need to avoid new automation tools any more. We can now live happily together with the new tools. The Chief Officers still achieve their business growth. This is a win-win situation. One more thing... New tools would save us a lot of time. What can we do then with those extra time? Of course, you could spend more time browsing my website. Or, you now have enough time to watch all the videos on Cisco Live website. All photos in this post were taken here:</itunes:subtitle><itunes:author>Li-Ji Hong (洪李吉)</itunes:author><itunes:summary>To emphasis the effectiveness of a new tool, we always hear some people say it would make you “do more with less”. This is so attractive to Chief Officers. How would the other staffs think about this? Dongshan River Water Park (冬山河親水公園). The venue of &amp;nbsp;Yilan International Children's Folklore and Folkgame Festival (YICFFF, 宜蘭國際童玩藝術節).&amp;nbsp;Yilan County, Taiwan.&amp;nbsp; The problem of “do more with less” With the word “less”, what does that mean? Does that imply we don’t need that much budgets anymore? Does that imply we don’t need more hardware? Does that imply the workforce would be cut down? Under a not-so-good economic situation, cutting workforce means people would lose their jobs. 
In the end, I might not welcome and I might defend myself from such new good tools. It is really a sad story for an effective new tool X becomes an enemy to the people it is going to help. How about, with the same, we can do more My suggestion is we change the phrase a little bit, maybe it might not be so offensive to working staffs this way. Do more, with the same. That means, we don’t have to reduce budgets. We still need to buy new things. And the most important of all, we would not lose our jobs even if we embrace the new tool. We all still understand this new tool is so effective, because we can still “do more”. Embrace new tools, enable business growth For example, assume we need 100 staffs to take good care of 10 large data centers before. After we add new tool X, we can now take good care of 1,000 large data centers with exactly the same 100 staffs. With this changed mindset, we don’t need to avoid new automation tools any more. We can now live happily together with the new tools. The Chief Officers still achieve their business growth. This is a win-win situation. One more thing... New tools would save us a lot of time. What can we do then with those extra time? Of course, you could spend more time browsing my website. Or, you now have enough time to watch all the videos on Cisco Live website. All photos in this post were taken here:</itunes:summary><itunes:keywords>Internet,Cisco</itunes:keywords></item><item><title>CCNA v3 Exam is cheaper than v2</title><link>https://showipprotocols.blogspot.com/2016/05/ccna-v3-exam-is-cheaper-than-v2.html</link><category>CCNA</category><category>Timely Info</category><pubDate>Wed, 18 May 2016 22:57:00 +0800</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6616815944293602407.post-1913150163563574588</guid><description>I create this post just to remind you in case you did not notice it yet.&lt;br /&gt;
&lt;br /&gt;
&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHKTzmid9T60_X9sTAqz69T8_QPM_of6cDdXClGtHBQyMIm0sGj6mYTrMMAUJrljM0SuDreNL6SREl-MOwM7GSTEEe3srlaJTTFUhAO5GK4WbXEV0hiCCJtUe1oAjNV3e4KjrBoToNKdU/s1600/20160501_160343.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHKTzmid9T60_X9sTAqz69T8_QPM_of6cDdXClGtHBQyMIm0sGj6mYTrMMAUJrljM0SuDreNL6SREl-MOwM7GSTEEe3srlaJTTFUhAO5GK4WbXEV0hiCCJtUe1oAjNV3e4KjrBoToNKdU/s640/20160501_160343.jpg" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Shihmen Dam (石門水庫), Taoyuan City, Taiwan. &amp;nbsp;(&lt;a href="https://en.wikipedia.org/wiki/Shihmen_Dam" target="_blank"&gt;Wikipedia&lt;/a&gt;)&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;br /&gt;
&lt;b&gt;Version 3 Exam costs $250&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
The CCNA Routing and Switching Version 3 exam now costs US$ 250. This is good news because the v2 exam cost US$ 295. That is, the new exam is US$ 45 less than before.&lt;br /&gt;
&lt;br /&gt;
This is great, isn’t it?&lt;br /&gt;
&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;You can take v3 now&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Just like before, you can now book the CCNA v3 exam on VUE.com. The new exam code for v3 is “200-125”.&lt;br /&gt;
&lt;br /&gt;
If you cannot find this exam on the list, remember to search for it in the VUE search box using the exam code “200-125”.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Last day for v2 is August 20, 2016&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
If you have to stick to the v2 exam, you should remember one thing. The last day to take the v2 exam is August 20, 2016, this year. You only have a couple of months left to pass the v2 exam.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;One more thing…&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Are you preparing for the CCNA exam? What is the most difficult topic for you to study? Remember to share your story with me in the comments below!&lt;br /&gt;
&lt;br /&gt;
Source: &lt;a href="http://www.cisco.com/c/en/us/training-events/training-certifications/certifications/associate/ccna-routing-switching.html" target="_blank"&gt;"CCNA Routing and Switching" on Cisco.com&lt;/a&gt;</description><enclosure length="0" type="audio/mpeg" url="https://archive.org/download/hongliji-sip-p-20160518/hongliji-sip-p-20160518.mp3"/><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHKTzmid9T60_X9sTAqz69T8_QPM_of6cDdXClGtHBQyMIm0sGj6mYTrMMAUJrljM0SuDreNL6SREl-MOwM7GSTEEe3srlaJTTFUhAO5GK4WbXEV0hiCCJtUe1oAjNV3e4KjrBoToNKdU/s72-c/20160501_160343.jpg" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>hongliji@gmail.com (Li-Ji Hong (洪李吉))</author><itunes:explicit>no</itunes:explicit><itunes:subtitle>I create this post just to remind you in case you did not notice it yet. Shihmen Dam (石門水庫), Taoyuan City, Taiwan. &amp;nbsp;(Wikipedia) Version 3 Exam costs $250 CCNA Routing Switching Version 3 exam cost is now US$ 250. This is a good news because in v2 the exam cost was US$ 295. That is, the new exam is US$ 45 less than before. This is great! Isn’t it! You can take v3 now Just like before, you can now book CCNA v3 exam on VUE.com. The new exam code for v3 is “200-125”. If you cannot find this exam on the list, remember to search inside VUE search box with exam code “200-125”. Last day for v2 is August 20, 2016 If you have to stick to v2 exam, you should remember one thing. The last day to take v2 exam is August 20, 2016, this year. You only have a couple of months left to pass this v2 exam. One more thing… Are you preparing CCNA exam? What is the most difficult topic for you to study? Remember to share your story with me in the comments below! 
Source: "CCNA Routing and Switching" on Cisco.com</itunes:subtitle><itunes:author>Li-Ji Hong (洪李吉)</itunes:author><itunes:summary>I create this post just to remind you in case you did not notice it yet. Shihmen Dam (石門水庫), Taoyuan City, Taiwan. &amp;nbsp;(Wikipedia) Version 3 Exam costs $250 CCNA Routing Switching Version 3 exam cost is now US$ 250. This is a good news because in v2 the exam cost was US$ 295. That is, the new exam is US$ 45 less than before. This is great! Isn’t it! You can take v3 now Just like before, you can now book CCNA v3 exam on VUE.com. The new exam code for v3 is “200-125”. If you cannot find this exam on the list, remember to search inside VUE search box with exam code “200-125”. Last day for v2 is August 20, 2016 If you have to stick to v2 exam, you should remember one thing. The last day to take v2 exam is August 20, 2016, this year. You only have a couple of months left to pass this v2 exam. One more thing… Are you preparing CCNA exam? What is the most difficult topic for you to study? Remember to share your story with me in the comments below! Source: "CCNA Routing and Switching" on Cisco.com</itunes:summary><itunes:keywords>Internet,Cisco</itunes:keywords></item><item><title>Diffie and Hellman Receive Turing Award 2015</title><link>https://showipprotocols.blogspot.com/2016/03/diffie-hellman-receive-turing-award-2015.html</link><category>IPSec</category><pubDate>Thu, 3 Mar 2016 01:41:00 +0800</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6616815944293602407.post-5581605503859257764</guid><description>When we study IPSec, we learn that Mr. Diffie and Mr. Hellman invented a method &lt;a href="https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange" target="_blank"&gt;in 1976&lt;/a&gt; that is the core of how Internet Key Exchange (IKE) creates a mutually shared secret. We also have to specify and configure the DH Group Number in ISAKMP policy sets (crypto-map in Cisco IOS).&lt;br /&gt;
&lt;br /&gt;
&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRUiiapMAZvlflnBzftCRuB1CnuVtsnLUSb7Us5mzkvf733cNQ3njVCWmSKJIOyRI8OzUBUSY1BhasLJdDyJE-8gEiwf9UrxrXDvCMxIQLHuc5XgnAv-Y0rz7yD5EqosgCxFNPxZDNLbg/s1600/acm-desktopcta.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRUiiapMAZvlflnBzftCRuB1CnuVtsnLUSb7Us5mzkvf733cNQ3njVCWmSKJIOyRI8OzUBUSY1BhasLJdDyJE-8gEiwf9UrxrXDvCMxIQLHuc5XgnAv-Y0rz7yD5EqosgCxFNPxZDNLbg/s640/acm-desktopcta.jpg" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;A.M. Turing Award Logo. Captured on &lt;a href="http://www.acm.org/binaries/content/gallery/acm/ctas/turing_spotlight_blue.jpg/turing_spotlight_blue.jpg/acm%3Adesktopcta" target="_blank"&gt;ACM Official Website&lt;/a&gt;.&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;br /&gt;
I am not going to dig into the details of the mathematics behind the Diffie-Hellman method. I just want you to know that Mr. Diffie and Mr. Hellman received the 2015 Turing Award together.&lt;br /&gt;
&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyfPaQ9yNGvUhMsUQes59b4Vpvd2bYvBrrnGUzzcypfyuA-PzzHglTF1k13eBAYO7jGuqdsdniBVwZ4Ee5TLkrmLNwQ48EDJLAK1Y9XQYdLbHCn_AaknTQVKFpEIYqaVhD0R2GNW1I9NI/s1600/whitfield_diffie_turing.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="546" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyfPaQ9yNGvUhMsUQes59b4Vpvd2bYvBrrnGUzzcypfyuA-PzzHglTF1k13eBAYO7jGuqdsdniBVwZ4Ee5TLkrmLNwQ48EDJLAK1Y9XQYdLbHCn_AaknTQVKFpEIYqaVhD0R2GNW1I9NI/s640/whitfield_diffie_turing.jpg" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Photo of Whitfield Diffie, captured on &lt;a href="http://www.acm.org/awards/2015-turing" target="_blank"&gt;ACM Official Website&lt;/a&gt;.&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;br /&gt;
&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7TbYo2BBe6AwI3dwTd-QTptsw1ULn3MYsR2CiSGXXtDnW1K6hiVOKTks8jOm1dmShu0lzlKh9922K-K6QUcmTeuXagsTEOSZxJP57zh6axiDiTaleYZPwTS1zaJcdcJb_bhbs_VEYEIE/s1600/martin_hellman_turing.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="552" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7TbYo2BBe6AwI3dwTd-QTptsw1ULn3MYsR2CiSGXXtDnW1K6hiVOKTks8jOm1dmShu0lzlKh9922K-K6QUcmTeuXagsTEOSZxJP57zh6axiDiTaleYZPwTS1zaJcdcJb_bhbs_VEYEIE/s640/martin_hellman_turing.jpg" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Photo of&amp;nbsp;Martin E. Hellman, captured on &lt;a href="http://www.acm.org/awards/2015-turing" target="_blank"&gt;ACM Website&lt;/a&gt;.&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;br /&gt;
The A.M. Turing Award of the Association for Computing Machinery (ACM) is the highest honor in computer science, just like the &lt;a href="https://en.wikipedia.org/wiki/Nobel_Prize" target="_blank"&gt;Nobel Prize&lt;/a&gt;&amp;nbsp;for other fields of science.&lt;br /&gt;
&lt;br /&gt;
This was &lt;a href="http://www.acm.org/media-center/2016/march/turing-award-2015" target="_blank"&gt;released on March 1, 2016&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
&lt;div style="text-align: center;"&gt;
&lt;iframe allowfullscreen="" frameborder="0" height="360" src="https://www.youtube.com/embed/ICfH72lG8QE" width="640"&gt;&lt;/iframe&gt;
&lt;/div&gt;
&lt;b&gt;One more thing…&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
In case you want to know more about the Diffie-Hellman method, I found a video on &lt;a href="https://youtu.be/YEBfamv-_do" target="_blank"&gt;YouTube&lt;/a&gt; that is quite helpful for understanding it.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="video-container"&gt;
&lt;iframe allowfullscreen="" frameborder="0" height="480" src="https://www.youtube.com/embed/YEBfamv-_do" width="640"&gt;&lt;/iframe&gt;&lt;/div&gt;
&lt;div style="text-align: left;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: left;"&gt;
Have fun!&lt;/div&gt;
&lt;br /&gt;</description><enclosure length="0" type="audio/mpeg" url="https://archive.org/download/hongliji-sip-p-20160303/hongliji-sip-p-20160303.mp3"/><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRUiiapMAZvlflnBzftCRuB1CnuVtsnLUSb7Us5mzkvf733cNQ3njVCWmSKJIOyRI8OzUBUSY1BhasLJdDyJE-8gEiwf9UrxrXDvCMxIQLHuc5XgnAv-Y0rz7yD5EqosgCxFNPxZDNLbg/s72-c/acm-desktopcta.jpg" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><georss:featurename xmlns:georss="http://www.georss.org/georss">Wanhua District, Taipei City, Taiwan 108</georss:featurename><georss:point xmlns:georss="http://www.georss.org/georss">25.0262857 121.49702939999997</georss:point><georss:box xmlns:georss="http://www.georss.org/georss">24.9687357 121.41634839999998 25.083835699999998 121.57771039999997</georss:box><author>hongliji@gmail.com (Li-Ji Hong (洪李吉))</author><itunes:explicit>no</itunes:explicit><itunes:subtitle>When we study IPSec, we know Mr. Diffie and Mr. Hellman invented a method in year 1976 that is the core of Internet Key Exchange (IKE) to create mutually shared secret. We also have to specify and configure DH Group Number in ISAKMP policy sets (crypto-map in Cisco IOS). A.M. Turing Award Logo. Captured on ACM Official Website. I am not going to dig in the details about the mathematics behind Diffie-Hellman method. I just want you to know Mr. Diffie and Mr. Hellman receive Turing Award 2015 together. Photo of Whitfield Diffie, captured on ACM Official Website. Photo of&amp;nbsp;Martin E. Hellman, captured on ACM Website. A.M. Turing Award of Association for Computing Machinery (ACM) is the highest honorable award in computer science just like Nobel Prize&amp;nbsp;for other fields of science. This was released on March 1, 2016. 
One more thing… In case you want to know more about Diffie-Hellman method, I found one video on YouTube is quite helpful for you to understand it more. Have fun!</itunes:subtitle><itunes:author>Li-Ji Hong (洪李吉)</itunes:author><itunes:summary>When we study IPSec, we know Mr. Diffie and Mr. Hellman invented a method in year 1976 that is the core of Internet Key Exchange (IKE) to create mutually shared secret. We also have to specify and configure DH Group Number in ISAKMP policy sets (crypto-map in Cisco IOS). A.M. Turing Award Logo. Captured on ACM Official Website. I am not going to dig in the details about the mathematics behind Diffie-Hellman method. I just want you to know Mr. Diffie and Mr. Hellman receive Turing Award 2015 together. Photo of Whitfield Diffie, captured on ACM Official Website. Photo of&amp;nbsp;Martin E. Hellman, captured on ACM Website. A.M. Turing Award of Association for Computing Machinery (ACM) is the highest honorable award in computer science just like Nobel Prize&amp;nbsp;for other fields of science. This was released on March 1, 2016. One more thing… In case you want to know more about Diffie-Hellman method, I found one video on YouTube is quite helpful for you to understand it more. Have fun!</itunes:summary><itunes:keywords>Internet,Cisco</itunes:keywords></item></channel></rss>