Show IP Protocols
Li-Ji Hong (洪李吉)
Build Dream Internet with Li-Ji Hong (洪李吉)
Breaking 100K Entries is the Global IPv6 BGP Table
This year, 2020, around November I started to see the global IPv6 BGP table getting more than 100K entries. Although the number goes above and under 100K from time to time, starting from the end of November I can safely say it is breaking 100K entries right now. This is an interesting milestone for IPv6. It means a massive majority of people are using IPv6 today. I want to note down this moment, and I want to share 3 of my own observations about the IPv6 BGP table.

Source: https://twitter.com/bgp6_table/status/1330964625127583744/photo/1

Number of IPv6 BGP entries is going up and down

The Internet is a collection of distributed, self-managed networks. No single authority can dictate how the BGP configuration should be done on all the different networks. Each network administrator can choose when and how to add or remove BGP entries on different occasions. It is natural for the BGP table to grow and shrink from time to time. For example, network administrators might decide to remove assigned but not-yet-used networks from BGP configurations. By this action, the number of BGP entries goes down. Another example: to achieve load spreading, administrators might break their own IPv6 prefixes into smaller ones and advertise them to different BGP neighbors. By this action, the number of BGP entries goes up. And of course, when networks expand with more prefixes, or dying companies return prefixes to the Regional Internet Registries, the BGP table grows or shrinks accordingly. Configuration errors can also result in fluctuations of the total number of BGP entries.

Source: IPv6 CIDR Report for 30 Nov 20

Projection of 100K time is pretty accurate

I have read web pages by APNIC and RIPE projecting the total number of IPv6 BGP entries. They all projected the time of reaching 100K to be around the second half of 2020. They are pretty accurate in my opinion.

Source: APNIC, "BGP in 2019 - The BGP Table"
Source: RIPE, "BGP in 2016"

IPv6 BGP table is growing much faster than IPv4

For IPv6 BGP: last year, 2019, around October, I observed the IPv6 BGP table was around 80K in size. After around 1 year, it is now over 100K. That is, the growth rate in this interval is 25% (=20/80).

For IPv4 BGP: over the same interval, in October 2019 I observed the IPv4 BGP table was around 800K in size. After the same 1 year up to now, it is over 850K in size. That is, the growth rate in this interval is 6.25% (=50/800).

My conclusion is: the growth rate of IPv6 is much higher than that of IPv4, in this interval.

One more thing…

Many people are also interested in estimates of router memory consumption to hold the whole global BGP table. For IPv6, unfortunately, I cannot find good firsthand samples of the number of entries versus the memory size consumed. So I try to estimate the memory consumption from samples of IPv4. For a single IP address, IPv4 is 32 bits and IPv6 is 128 bits. One IPv6 address is 4 times the size of one IPv4 address. Because essentially the BGP entry fields are IP addresses, here I roughly assume an IPv6 BGP table should not take more than 4 times the memory consumption of an IPv4 BGP table with the same number of entries. I already wrote about this before: every 100K IPv4 BGP entries could take no more than 80 Megabytes of memory. Therefore, my estimate for the same 100K entries of the IPv6 BGP table is that it should not take more than 320 Megabytes of memory.

Do you have firsthand numbers of IPv6 BGP memory consumption? How wrong is my estimate? I would like to hear from you in the comment section below.

Overlooking from the top floor of Dragon and Tiger Pagodas (龍虎塔), Zuoying District, Kaohsiung City, Taiwan

I am Li-Ji Hong. This is my blog “Show IP Protocols”. See you next time!
Dec 6, 2020
Three possible scenarios of Software Defined Networking (SDN)
Software-defined networking (SDN) is an approach to create a centrally controlled programmable packet network. Any protocol with the same approach could be considered SDN as well. For open protocols, we have one popular standard protocol, “OpenFlow”, spoken between the central controllers and all managed networking devices. The Open Networking Foundation (ONF) defines the OpenFlow protocol. In fact, vendors have also developed proprietary protocols to implement this same approach. For example, Cisco’s ACI is a proprietary SDN solution. Here I summarize the 3 most probable scenarios when we deploy SDN.

Scenario 1: Open protocol, open multiple vendors

Since the OpenFlow protocol from ONF is open, any vendor can develop interoperable software and hardware products. For enterprise customers, the first natural approach is to buy from multiple networking vendors. For example, controllers from vendor A, some switches from vendor B, some routers from vendor C, and so on and so forth.

The most obvious benefit of this scenario is lower buying cost. Enterprises can buy any compatible networking products from any vendor in the market at the lowest price. White-brand, or no-brand, vendors have opportunities to compete on price against existing networking vendors.

However, only the buying cost is lower. We must also consider the other costs of building and maintaining a working network. Integration of software and hardware is itself a heavy project. When we already have a capable team for hardware and software integration, we can work comfortably with this approach. If we simply don’t have such a “Tiger Team”, or we are just about to create a team from scratch, this scenario could be difficult and costly. It could cancel out all the benefits of the lower buying cost.

Scenario 2: Open protocol, one major vendor

Some vendors are capable of providing all components for OpenFlow. For example, Cisco. In this scenario, basically we buy controllers and network devices from a single major vendor. For less important areas, we buy some from other vendors in the market.

In this approach, we might have higher buying costs. Because we now have a major vendor, we can gain better support from that major vendor. We can also achieve lower integration cost because our team has fewer combinations of products to experiment with and integrate. We don’t need a huge team like in the previous scenario.

I am more familiar with Cisco. Let me summarize what Cisco can provide for OpenFlow. “Cisco Open SDN Controller” is an OpenFlow protocol controller. The software is a commercial distribution of OpenDaylight from the OpenDaylight open source project. This software is packaged in a virtual machine format. In addition, Cisco’s Nexus 3000 and 9000 family switches can run the “Cisco OpenFlow Agent” inside to become OpenFlow switches, so they can be controlled by standard OpenFlow controllers. We can deploy OpenFlow by simply selecting all components from Cisco. Because the OpenFlow protocol is open, we also have the flexibility to add non-Cisco but OpenFlow-compatible devices.

Scenario 3: Closed protocol, one vendor

Some vendors can provide all the features and benefits of a “centrally controlled programmable packet network” with a proprietary protocol. For example, again, Cisco. Cisco’s Application Centric Infrastructure (ACI) is Cisco’s proprietary SDN solution. With Cisco’s ACI, we can achieve even more than OpenFlow, such as:

Device management
Better integration with non-networking devices such as Layer 7 switches and stateful firewalls
Better programmer-friendly abstractions instead of VLANs and subnets

In this scenario, we have the highest buying cost and we are locked into a single vendor. However, we have the lowest integration cost and we now have full support from that single vendor. We need only an even smaller support team and can concentrate all resources on using the network instead of experimenting with interoperability among vendors.

One more thing…

Winter flowers near Taoyuan High Speed Rail Station.

SDN is a promising approach for next generation networking. A programmable network is indeed the foundation for network automation. On the other hand, I don’t think it fits well for all types and sizes of customers. Let me talk more about who needs SDN in the coming posts.

I am Li-Ji Hong. This is my blog “Show IP Protocols”. See you next time!
Dec 7, 2019
Where do we use Cisco Wildcard Masks?
People might still be interested in Cisco Wildcard Masks. I try to summarize interesting information about Wildcard Masks in this post.

Use Case 1: IPv4 Access Control Lists on Cisco IOS, IOS XE, and IOS XR

Wildcard masks are for us to select only subsets of IPv4 addresses. When we define selected source or destination IPv4 addresses for an Access Control List (ACL), we use a Wildcard Mask. Here is an example for Cisco IOS and IOS XE.

ip access-list extended ACL-NAME
 deny tcp 172.16.9.0 0.0.0.255 172.16.0.0 0.0.255.255 eq 22
 permit ip any any

Here is an equivalent ACL example for Cisco IOS XR.

ipv4 access-list ACL-NAME
 deny tcp 172.16.9.0 0.0.0.255 172.16.0.0 0.0.255.255 eq 22
 permit ipv4 any any

All Cisco IOS XR Access Control Lists are “extended, and named” in Cisco IOS’s sense, so we don’t need the “extended” keyword in IOS XR commands.

Use Case 2: Selecting interfaces to start Routing Protocols on Cisco IOS and IOS XE

The “network” commands for OSPFv2 and EIGRP select the interfaces on which to start OSPF or EIGRP by the interfaces’ IPv4 addresses. For example:

router eigrp 99
 network 192.168.199.0 0.0.0.255
router ospf 1
 network 192.168.201.0 0.0.0.255 area 0

Here, all interfaces with IPv4 addresses covered by “192.168.199.0 0.0.0.255” would be enabled with EIGRP AS 99, and all interfaces with IPv4 addresses covered by “192.168.201.0 0.0.0.255” would be enabled with OSPF and assigned to area 0.

Just in case you need some help visualizing Wildcard Masks, you can download an Excel spreadsheet Wildcard Mask Calculator in this post: Revised post: Covering Subnet Calculator to understand more about Wildcard Mask

That's all for use cases. We simply don't use Wildcard Masks in any other scenarios.

NX-OS, ASA, and IPv6 do not have Wildcard Masks

If you are lucky enough to work on Cisco NX-OS or Cisco ASA alone, you don’t need Wildcard Masks because they are not supported at all on these operating systems. Or, if you work in an IPv6-only world without IPv4, you don’t need Wildcard Masks at all because the IPv6 commands of all Cisco operating systems do not use Wildcard Masks.

Tamsui River (淡水河) Estuary after sunset. Tamsui District, New Taipei City, Taiwan.

One more thing…

I always say that we can simply assume Cisco IOS Wildcard Masks are derived by mapping 1s to 0s and 0s to 1s of the equivalent subnet mask in binary notation. This brings up a question: why do we need Wildcard Masks in the first place? Why not just reuse IP subnet masks instead of creating new objects like Wildcard Masks? I don’t have any official information source. In my opinion, “flexibility” might be the cause. I try to imagine two possible cases: we only want to select IP subnets with an “even-numbered 3rd octet”, or we want to select any hosts ending with the number “77”. Here are single-line Wildcard Masks to select them.

Single-line Wildcard Mask “192.168.0.0 0.0.254.255” selects IP subnets 192.168.0.0/24, 192.168.2.0/24, 192.168.4.0/24 … 192.168.254.0/24.

Single-line Wildcard Mask “192.168.0.77 0.0.255.0” selects 192.168.0.77, 192.168.1.77, 192.168.2.77 … 192.168.255.77.

Subnet masks are not flexible. All subnet masks must begin with contiguous “1”s, and the rest of the bits must be “0”s, so it is complex to combine many more subnet masks to define identical selections for the above two imaginary examples.

Please don’t get me wrong! I don’t like Wildcard Masks, either. I always avoid Wildcard Masks when managing a network. I do Wildcard Masks only when taking exams. These two imaginary examples are rare in practical networks. Most administrators I know of always group endpoints by IP subnets, instead of in a confusing even-odd way. Maybe I will create another post to tell you how I avoid Wildcard Masks!

I am Li-Ji Hong. And this is my blog “Show IP Protocols”. See you next time!
Nov 18, 2019
Revised post: Covering Subnet Calculator to understand more about Wildcard Mask
This tool is an update to my previous post: Simple visual tool to calculate Cisco IOS Wildcard Mask

Notes for Cisco IOS Wildcard Mask

You can simply assume Cisco IOS Wildcard Masks are derived by mapping 1s to 0s and 0s to 1s of the equivalent subnet mask in binary notation. By definition, “0” bits in a wildcard mask denote the bits that must match the base prefix, and “1” bits denote the bits you simply don’t care about. All subnet masks must begin with contiguous “1”s, and the rest of the bits must be “0”. On the other hand, there are no such requirements for wildcard masks. That is the major difference between a subnet mask and a wildcard mask.

Updates

I changed the flow of using this Excel file. You simply input a “Starting IPv4 Address” and the number of contiguous hosts you want to cover with a single IPv4 subnet, and then this Excel file calculates everything else for you.

Getting this Excel file

The original Excel file is here. You need Microsoft Excel or LibreOffice Calc to open and play with this file. “ipv4-covering-first-last.xlsx” If you are familiar with Google Docs, you can also “Use this template” or save this file to Google Drive for viewing and playing.

One more thing…

I also created a demonstration video using this Calculator on YouTube.

I am Li-Ji Hong. And this is my blog “Show IP Protocols”. See you next time!
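As an added example (my own code, not the author's spreadsheet or any Cisco tool), here is a small Python module that implements the wildcard-mask rules from this post and the preceding one: it derives a wildcard from a prefix length, tests whether an address is selected by a base/wildcard pair (including the non-contiguous 0.0.254.255 and 0.0.255.0 cases), enumerates the selected addresses, and computes the covering subnet for a starting address and host count. All function names are my own.

```python
import ipaddress
from typing import Iterator

ALL_ONES = 0xFFFFFFFF


def wildcard_from_prefix_length(prefix_len: int) -> str:
    """Wildcard mask for a /prefix_len subnet mask: flip every bit of the mask.

    /24 -> mask 255.255.255.0 -> wildcard 0.0.0.255
    """
    if not 0 <= prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    subnet_mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return str(ipaddress.IPv4Address(subnet_mask ^ ALL_ONES))


def wildcard_matches(address: str, base: str, wildcard: str) -> bool:
    """True if 'address' is selected by the pair 'base wildcard'.

    A 0 bit in the wildcard means the address bit must equal the base bit;
    a 1 bit means "don't care". The 1 bits need not be contiguous, which is
    what an IOS ACL entry or 'network' statement evaluates.
    """
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wildcard)) ^ ALL_ONES  # bits that must match
    return (a & care) == (b & care)


def is_subnet_style(wildcard: str) -> bool:
    """True when the wildcard is the complement of a legal subnet mask, i.e.
    its 1 bits form one contiguous run at the low end (e.g. 0.0.0.255).
    0.0.254.255 and 0.0.255.0 return False: they have no subnet-mask equivalent.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    return (w & (w + 1)) == 0  # w+1 is a power of two only for the form 0...01...1


def select_addresses(base: str, wildcard: str, limit: int = 1 << 16) -> Iterator[str]:
    """Enumerate every address matched by 'base wildcard', lowest first.

    Refuses wildcards wider than 'limit' addresses so a sloppy mask such as
    0.255.255.255 does not walk 16 million entries.
    """
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    free_bits = [i for i in range(32) if (w >> i) & 1]  # don't-care positions
    if (1 << len(free_bits)) > limit:
        raise ValueError("wildcard selects too many addresses to enumerate")
    fixed = b & (w ^ ALL_ONES)
    for combo in range(1 << len(free_bits)):
        value = fixed
        for k, bit in enumerate(free_bits):
            if (combo >> k) & 1:
                value |= 1 << bit
        yield str(ipaddress.IPv4Address(value))


def covering_subnet(start: str, host_count: int) -> ipaddress.IPv4Network:
    """Smallest single subnet holding host_count contiguous addresses from
    'start' (the input flow of the revised spreadsheet). The subnet may have
    to begin before 'start' to sit on a power-of-two boundary.
    """
    if host_count < 1:
        raise ValueError("host_count must be positive")
    first = int(ipaddress.IPv4Address(start))
    last = first + host_count - 1
    if last > ALL_ONES:
        raise ValueError("range runs past the end of IPv4 space")
    for prefix_len in range(32, -1, -1):  # widen until the whole range fits
        net = ipaddress.IPv4Network(
            f"{ipaddress.IPv4Address(first)}/{prefix_len}", strict=False)
        if int(net.broadcast_address) >= last:
            return net
    raise AssertionError("unreachable: /0 covers all of IPv4")


if __name__ == "__main__":
    # The two "imaginary" single-line wildcards from the Wildcard Mask post.
    evens = {a.rsplit(".", 1)[0] + ".0/24"
             for a in select_addresses("192.168.0.0", "0.0.254.255")}
    print(len(evens), "even /24 subnets selected by 192.168.0.0 0.0.254.255")
    print(list(select_addresses("192.168.0.77", "0.0.255.0"))[:4])
    net = covering_subnet("192.168.1.100", 20)
    print(net, "wildcard", wildcard_from_prefix_length(net.prefixlen))
```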
Nov 5, 2019
Global BGP IPv4 table is around 800K in size
This week the global BGP IPv4 table is around 800,000 entries in size. I bring this up just to give you a heads-up and say “Wow”. I don’t want to make you worry about the number. This is not my intention. I still remember the “good old days” when I installed a BGP router (Cisco 3660) with 256 Megabytes of DRAM in 2001. At that time, the BGP table was below 150,000 entries, so that router worked well.

Screen capture of CIDR REPORT website on November 3, 2019

The size of router DRAM is not a problem today for most BGP administrators. I had created a post about BGP memory consumption and had this rough estimate: every 100K BGP entries from a single peer requires 80 Megabytes of DRAM. In other words, to store 800,000 entries today, we simply need around 800 Megabytes (that is 0.8 Gigabytes) of DRAM for the BGP protocol. This is simply a piece of cake for today’s router hardware. Even an old Cisco ASR 1000 RP1 router with 4 Gigabytes of DRAM supports “up to 1,000,000 IPv4 routes”. No worry about 800K BGP entries.

Taipei City view over Taipei Main Station (台北車站). August 21, 2019

One more thing…

I just want to remind you when you are planning for BGP Route Reflectors. The memory size could be an issue because you must multiply the above estimate by the number of BGP protocol peers. Again, with the Cisco ASR 1000 RP1 router with 4 Gigabytes of DRAM, BGP Route Reflector scalability is “up to 5,000,000 IPv4 routes”. If you are planning a route reflector using this model to have more than 5 BGP peers, you must examine the table size more carefully.

And by the way, the IPv6 global BGP table size is around 80K this week. The IPv6 table size is still not that huge compared to IPv4 today.

I am Li-Ji Hong. This is my blog “Show IP Protocols”. See you next time!
Nov 3, 2019
Scanning active IPv4 addresses is difficult? Simpler than you think
It is always a best practice to keep full track of all IP address assignments inside our local area network. From time to time, it might also be a good idea for security purposes to check whether we have any hidden nodes inside our network. To discover any node with an active IP address inside our network, we might imagine that we must acquire powerful tools such as Cisco Prime Infrastructure before we can achieve anything. In fact, it might be much easier than you expected. Let me show you how. All you must have is a Windows 10 PC. I think that should be easy.

Step 1: Start a PowerShell window with normal user privilege

Press “Windows Logo Key ❖ + R”, in the popup dialog type “powershell”, and press the Enter key to start a new PowerShell window.

Step 2: Type in or copy/paste this one-liner, and press the Enter key to run it

Here is a PowerShell one-liner I tested on my computer.

$ipv4prefix=$(ipconfig | where {$_ -match 'IPv4.+\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.)' } | out-null; $Matches[1]); 0..255 | %{"$ipv4prefix$_"}| % {"$($_): $(Test-Connection -count 1 -quiet -ComputerName $($_))"}

Just in case the variable “$ipv4prefix” is not parsed correctly, or you simply want to scan other networks in a different IPv4 prefix, you can manually assign that string. For example, if your IP address range is “192.168.1.X”, you can assign the “$ipv4prefix” variable with “192.168.1.”. Please be careful: we need a dot at the end of the string. The modified one-liner now becomes like this:

$ipv4prefix="192.168.1."; 0..255 | %{"$ipv4prefix$_"}| % {"$($_): $(Test-Connection -count 1 -quiet -ComputerName $($_))"}

Step 3: Wait for about 5 minutes for the scanning to finish and capture your PowerShell window screen

The output should be something like this:

192.168.1.0: False
192.168.1.1: True
192.168.1.2: False
192.168.1.3: False
192.168.1.4: False
192.168.1.5: True
…

Those lines with a “True” result are active IP addresses inside your network. The rest of the IP addresses are not responding at all.

If you want to print out only the active ones, you can attach a filter at the end of the previous one-liners with “| Select-String True”. For example:

$ipv4prefix=$(ipconfig | where {$_ -match 'IPv4.+\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.)' } | out-null; $Matches[1]); 0..255 | %{"$ipv4prefix$_"}| % {"$($_): $(Test-Connection -count 1 -quiet -ComputerName $($_))"} | Select-String True

The output should be like this:

192.168.1.1: True
192.168.1.5: True
…

Playground inside Central Culture Park (中央藝文公園、華山大草原), Taipei City, Taiwan

One more thing…

In this post I just showed you how easily you can explore your network with simply your Windows 10 PC. You can now imagine that with a Linux desktop we can do even more powerful discovery than this. Here is a one-liner for Bash together with the standard tool “awk”:

ipv4prefix="192.168.1."; for i in `seq 1 255`; do ping -c 1 ${ipv4prefix}$i | tr \\n ' ' | awk '/1 received/ {print $2}'; done

Now you have no excuse to say “I cannot do any network exploration until I have Cisco Prime Infrastructure”. You can start network discovery right now after reading my post. And now you know how easily malicious hackers can find your public IP addresses and create trouble for you if your public-facing network devices are vulnerable, just like this incident: Show IP Protocols: Bank lost 1 million US Dollars because of outdated routers

I am Li-Ji Hong. This is my blog “Show IP Protocols”. See you next time!
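The “address: True/False” lines the one-liner prints are easy to turn into the inventory check the post opens with. This is an added Python example of my own, not the author's code: it parses constructed sample output, compares it with a constructed address inventory (hypothetical host names), and reports responding addresses nobody recorded plus recorded hosts that did not answer.

```python
import re
from typing import Dict, List, Set

# Constructed sample of what the PowerShell one-liner prints (not captured
# from a real network): one "<address>: True|False" line per probed address.
SAMPLE_SCAN_OUTPUT = """\
192.168.1.0: False
192.168.1.1: True
192.168.1.2: False
192.168.1.5: True
192.168.1.23: True
192.168.1.200: True
192.168.1.254: True
…
"""

# Constructed inventory of addresses that are supposed to be in use
# (hypothetical names, not a real network).
SAMPLE_INVENTORY: Dict[str, str] = {
    "192.168.1.1": "gateway router",
    "192.168.1.5": "file server",
    "192.168.1.10": "backup server",
    "192.168.1.23": "printer",
}

# One result line: dotted-quad address, colon, True or False.
LINE_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3}):\s*(True|False)\s*$")


def ip_sort_key(ip: str) -> tuple:
    """Sort dotted quads numerically instead of as strings."""
    return tuple(int(octet) for octet in ip.split("."))


def parse_scan_output(text: str) -> Set[str]:
    """Return the addresses the one-liner reported as responding ('True').

    Lines that do not look like a result (blank lines, prompts, the trailing
    '…' marker) are ignored rather than treated as errors.
    """
    active: Set[str] = set()
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match and match.group(2) == "True":
            active.add(match.group(1))
    return active


def reconcile(active: Set[str], inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the live sweep with the address inventory.

    unknown_active: responding addresses nobody recorded (the "hidden node"
        case the post suggests checking for).
    silent_known: inventoried hosts that gave no reply; they may be down,
        dropping ICMP, or decommissioned without updating the inventory.
    """
    known = set(inventory)
    return {
        "unknown_active": sorted(active - known, key=ip_sort_key),
        "silent_known": sorted(known - active, key=ip_sort_key),
    }


def report(text: str = SAMPLE_SCAN_OUTPUT,
           inventory: Dict[str, str] = SAMPLE_INVENTORY) -> Dict[str, List[str]]:
    """Parse the sweep output and reconcile it with the inventory in one step."""
    return reconcile(parse_scan_output(text), inventory)


if __name__ == "__main__":
    for category, addresses in report().items():
        print(f"{category}: {', '.join(addresses) or '(none)'}")
```

A “False” only means no ICMP echo reply arrived in time: a host whose firewall drops pings stays invisible to this method, so an empty unknown_active list is not proof that no hidden node exists.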
Oct 20, 2019
CCNA 2020, My summary of changes
Cisco recently announced major changes to its certification programs, and they all will take place on February 24, 2020. In this post, I am giving you my quick summary on CCNA alone.

CCNA Exam Changes (200-301)

The official new exam name for CCNA 2020 is “Cisco Certified Network Associate v2.0 (CCNA 200-301)”. I know it is quite confusing since the CCNA exams have already been changed a couple of times in recent years. I will call this 2020 CCNA by its exam code “200-301” instead.

Compared to the current single 200-125 exam, more topics and questions would be tested in the new 200-301, such as Wireless LAN, Automation and Programming. The exam time is also increased. In short, the new CCNA exam would be more challenging to prepare for than the current exams.

The good news is, we still have around 8 months from today to take the current single 200-125 exam, before February 24, 2020. If you are in the middle of CCNA preparation, I recommend you keep going, which is also what Cisco recommends. Eight months should be enough for you, whether you plan to dedicate days to classroom training, online training, or self-study kits as tools for exam preparation.

Let’s move on to the impacts.

Impacts on CCENT holders

If you plan to achieve CCNA by passing 2 exams in 2 stages, the 2020 changes could impact you the most. This is because the CCENT certification itself is also gone after February 24, 2020! Your CCENT passing status cannot be re-certified after February 24. To acquire your CCNA, you must pass both ICND1 (100-105) and ICND2 (200-105) within 8 months from today. Otherwise, you can only restart your whole CCNA certification process after February 24.

Impacts on specialized CCNA, e.g. CCNA Wireless

Specialized CCNA certifications, such as CCNA Wireless, would all be gone after February 24! They all will become the single certification: CCNA. No more individual specialized CCNAs anymore. Here is the list of “specialized CCNA” I know would be gone:

CCNA Cloud
CCNA Collaboration
CCNA Cyber Ops
CCNA Data Center
CCDA
CCNA Industrial
CCNA Routing and Switching
CCNA Security
CCNA Service Provider
CCNA Wireless

Wait a minute, what about my passing status for these certifications? In fact, Cisco will send you a new CCNA certificate if you are still a valid specialized CCNA holder on February 24. Since you have paid extra effort for a specialized CCNA, Cisco would recognize it and count it in credits. These credits would be counted toward your future CCNA recertification. I will talk more on CCNA recertification soon in the next topic. In short, if you already are a specialized CCNA certificate holder, you still preserve your extra effort over plain CCNA. If you are in the middle of taking a specialized CCNA exam, unless your exam costs are sponsored or you are requested to do it anyway, then I recommend waiting until February 24.

I want to clarify that Cisco also announced new Cisco Certified Specialist (or CCS for short) certifications. However, do not confuse them with specialized CCNA. Your specialized CCNA exam passing status would not help you to acquire the new CCS certifications. Although the tested topics might overlap with your specialized CCNA, you still must take the new CCS exams after February 24 to acquire your new CCS certification.

Impacts on CCNA Recertification

After February 24, you have more paths to recertify your CCNA. Originally, you could only re-take the same CCNA exam every 3 years to recertify. After February 24, you have more options. You can take any training classes that Cisco recognizes with credits. If you have acquired more than 30 credits every 3 years, you recertify your CCNA without taking any exams. Up to this moment, I haven't found any “credit” assignment rules for training classes yet. I believe Cisco would announce them soon. In my opinion, this is a more flexible approach because many people have completed many major training classes, and they just don’t have the time to pass the exams.

Shimen Red House (西門紅樓), Taipei City, Taiwan

One more thing…

I like the new changes to the CCNA certification. Although it would be more difficult to prepare for the new exams, adding topics such as Automation and Programming is great because this is the trend for TCP/IP networking. I will talk more on automation and programming soon in future posts.

In addition to CCNA, Cisco also announced major changes to CCNP and CCIE, and they all take place on February 24, 2020. If you want to know more about the CCNP and CCIE certification changes, please let me know by leaving your questions below.

This is my blog “Show IP Protocols”. I am Li-Ji Hong! Stay tuned!

Links on Cisco.com:
Cisco Certified Network Associate (200-301)
New CCNA exam goes live on February 24, 2020
Jun 27, 2019
Google is terminating Google+ service
Hi, this is Li-Ji Hong speaking. We now know Google is terminating the Google+ service. I understand that many of you came from Google+ to find and visit my web site “Show IP Protocols”. To stay updated and connected to my web site “Show IP Protocols”, I recommend you add at least one of these three services: Twitter, Facebook, and Email subscription.

Twitter

Number 1 is Twitter. In my opinion, Twitter is so much like Google+. I will keep posting new content on Twitter even after Google+ stops. If you are already a Twitter user, you can simply follow my handle: hongliji. The full Twitter link is: https://twitter.com/hongliji Even if you are not a Twitter user at all, I still recommend you add this link to your browser bookmarks. You can come back more easily from time to time. On “Show IP Protocols” you basically find only posts that I create. When I come across good articles by others around the web, I share them on Twitter.

Facebook

Number 2 is Facebook. I started a Facebook Page for “Show IP Protocols” a long time ago, although I am not managing it well on Facebook. If you stay on Facebook all the time, you can simply “Like” or follow this Facebook Page for “Show IP Protocols”. https://www.facebook.com/showipprotocols The content posted on this page should be the same as on Twitter.

Email subscription

Last one, Email subscription. Email subscription is my recommended method. You will receive the full text and photos of my every post via Email. The Email subscription service will always be available, even though I understand many people like phone Apps more than Email today. Click open this link to subscribe on FeedBurner: http://feedburner.google.com/fb/a/mailverify?uri=ShowIPProtocols&loc=en_US

One more thing…

I felt surprised and sad to learn that Google is terminating the Google+ service. On the other hand, Internet technologies will always evolve and innovate. I will keep my web site “Show IP Protocols” evolving and innovating, so you will always learn new things when visiting my web site “Show IP Protocols”.

I am Li-Ji Hong. This is “Show IP Protocols”. See you next time!

Cherry blossoms in Taoyuan Brewery (桃園觀光酒廠) of Taiwan Tobacco & Liquor Corporation (TTL)
Feb 14, 2019
400G Ethernet, My Observation Notes
I saw a post that Cisco has announced 400G Ethernet switch products. 400G Ethernet means the bit rate can be up to 400 Gbps. Here are some of my observation notes on 400G Ethernet products.

Cisco announced four models of Nexus 400G switches

Screen capture on Cisco.com

In the product page, Cisco announced 4 new models of Nexus switches with 400G Ethernet capability. Nexus 9316D-GX is for Cisco ACI Spine. Nexus 93600CD-GX is for Cisco ACI Leaf. Nexus 3408-S and Nexus 3432D-S are non-ACI Ethernet switches. Cisco's product page is: https://www.cisco.com/c/en/us/solutions/data-center/high-capacity-400g-data-center-networking/index.html

400G port transceivers: QSFP-DD

All four models use QSFP-DD as the 400G Ethernet transceiver type.

Screen capture on Cisco.com

QSFP Double Density (QSFP-DD) transceivers are the same size on the switch front panel as QSFP transceivers. The switch ports are also compatible with existing QSFP28 transceivers. That means my current 100G transceivers can be inserted and reused on these new faster Nexus switches.

The fiber connectors: LC or MPO-12

Fiber connectors should be of the LC or MPO-12 types. I cannot find an official datasheet to confirm that at this moment. However, I believe this should be true from the photos published on Cisco's official web site.

Screen capture on Cisco.com

If my fiber cabling connectors are of the LC or MPO-12 types, I can reuse my existing fiber infrastructure to upgrade to 400G Ethernet. When you are planning a new fiber installation, I also recommend choosing LC and MPO-12 connectors.

One more thing…

I believe 400G Ethernet should still be very expensive today in 2018. I might not need it soon. I know I can reuse my existing expensive 100G Ethernet transceivers and fiber infrastructure when I upgrade to 400G Ethernet in the future. And this makes me feel better.

I am Li-Ji Hong. What do you think about 400G Ethernet? Please share your ideas with me in the comments below! Thank you!

Lotus pond inside Taipei Botanical Garden (台北植物園). Taipei City, Taiwan
Nov 4, 2018
Bank lost 1 million US Dollars because of outdated routers
A recent news item was about hackers who hacked into a Russian bank because of outdated routers. When I saw the keyword “router”, I felt that I must dig further into what really happened.

What I have understood now

The victim is PIR Bank. One of the suspects is MoneyTaker. After the breach, PIR Bank hired the company Group-IB to do the clean-up, recovery, and investigation of how the hackers got into their internal network. Up to this moment, Group-IB disclosed that the hackers exploited the outdated routers of PIR Bank. The model of the routers was the Cisco 800 series, for which Cisco had already declared publicly that the End of Support date would be sometime in 2016. The running Cisco IOS version was 12.4.

My understanding

All the routers involved in this incident, in my opinion, must have been deployed as Internet VPN routers. They must have connected directly to the public Internet. Suppose those routers were purely internal routers without any public Internet connections; then hackers could only have reached them by getting through layers of firewalls. And suppose hackers had already broken through layers of firewalls; then hackers could have attacked directly without exploiting any of those outdated routers.

I believe the VPN protocol used should be IPsec. However, IPsec is not to blame for this incident. The vulnerabilities were in the software or the hardware of those installed routers. It might have been some discovered vulnerabilities, and hackers took advantage of zero-day exploits to hack into the network. Hackers either used the hijacked router as a hopping point or changed the access rules so they had backdoor access to the internal network.

I also want to emphasize that Cisco is not to blame. Cisco had already announced End of Support a long time ago. If a customer insists on keeping the old outdated routers in use, the customer should take most of the responsibility. It was a pity to lose nearly 1 Million US Dollars. One million dollars is enough to buy and replace a lot of new routers to prevent this loss.

Enterprises should take actions, my suggestions

Create a complete inventory of routers, especially those connected to the public Internet.
Confirm with network hardware providers which routers are out of support or getting there. Create schedules to replace them as early as possible.
Make sure all supported routers are running the most up-to-date patched operating systems and software.

Sun flowers in Taoyuan Agriculture Expo (桃園農業博覽會) 2018. Taoyuan City, Taiwan

One more thing…

I don't think we should worry about the architecture of Internet VPN and the IPsec protocol itself. Many new technologies rely on Internet VPN and IPsec. For example, Software-defined Wide Area Network (SD-WAN) is built on top of Internet VPN and IPsec. If we make sure all running VPN routers are in healthy condition, the Internet VPN architecture is still a cost-effective WAN solution with great flexibility for enterprises.
Jul 25, 2018