Protecting Router & Switch Control Plane with CoPP/CPP…
A CoPP/CPP model that classifies and polices routing, management, and ICMP traffic on the router/switch control plane to reduce CPU exhaustion and adjacency…
333 posts
Deep dives into software, cloud computing, AI and technology trends.
A CoPP/CPP model that classifies and polices routing, management, and ICMP traffic on the router/switch control plane to reduce CPU exhaustion and adjacency…
Reducing the risk of rogue neighbors and route injection in the routing domain through OSPF/IS-IS authentication, key rotation, and control-plane hardening.
Traffic steering discipline for multi-region services using GSLB, built around health signals, hold-down, and controlled failback.
An operating model for the BMC (iDRAC/iLO/IPMI) attack surface using segmentation, identity, audit, and break-glass to keep it secure and auditable.
A controlled-transition, telemetry, and runbook approach for enterprise policy and visibility in a world of encrypted DNS via DoH/DoT/DoQ.
A practical runbook for steering traffic with localpref, community, prepend, and MED in multi-ISP and multi-POP environments — measurable and reversible.
A practical architecture and operations guide for handling long-lived HTTP/2 connections, idle timeouts, and retry storms without losing your SLO.
An expand/contract approach for schema changes without downtime, plus backfill strategy, dual-write risks, and a rollback plan.
When are sticky sessions essential and when are they technical debt for WebSocket, long TCP sessions and stateful applications? A decision matrix grounded…
An SSO broker design that unifies legacy SAML applications and modern OIDC services under a single identity policy — secure and operationally manageable.
When some users work and others don't, a frequent cause is broken PMTUD and an MTU blackhole. Diagnosis steps and a permanent fix.
A practical edge design guide that addresses routing, health signals, capacity, and attack scenarios together to see Anycast's real benefits.
ZTNA isn't just about inbound access. A practical approach to data leakage with egress (outbound) control, DLP signals and service-centric segmentation.
GRE tunnels, BGP signaling, capacity, and an operational runbook to keep the service up by diverting traffic to scrubbing during an attack.
Designing, monitoring, and writing an incident runbook for the max-prefix guardrail that protects edge routers during route leaks and bad-prefix waves.
Build a sustainable DNS security control by blocking threat domains via RPZ at the recursive resolver, with proper exception handling and observability.
Choosing the right path for application classes via active probes that measure latency/jitter/loss; rapid diagnosis during degradation and a controlled…
A practical model that lowers supply-chain risk on self-hosted CI runners with isolation, network boundaries and OIDC-based short-lived authorization.
Build an operational telemetry pipeline by collecting and enriching IPFIX/NetFlow streams for DDoS triage, capacity planning, and anomaly detection.
A practical approach to managing HTTP/3 traffic over UDP/443 without breaking security, visibility, or performance.
Protecting Secrets with real cryptography rather than just base64: encryption configuration, KMS integration, and an operational rotation model.
Hardening campus and data center backbones by encrypting L2 links with MACsec (802.1AE): design choices, risks, and operations.
Pull your firewall rule set out of the 'don't touch it, it'll explode' state with hitcount, log evidence, ownership, and a wave-based approach to safely…
A practical architecture guide that handles hub-spoke and Transit Gateway design together with security, route control, and operational observability.