Posts

CISSP - FAR, FRR, CER

What is false acceptance rate?
FAR = the percent of unauthorized users incorrectly matched to a valid user's biometric parameter.

What is false rejection rate?
FRR = the percent of incorrectly rejected valid users.

What is crossover error rate?
The Crossover Error Rate (CER) describes the point where the False Rejection Rate (FRR) and False Accept Rate (FAR) are equal. CER is also known as the Equal Error Rate (EER). The Crossover Error Rate describes the overall accuracy of a biometric system.

Moral of the story: As the sensitivity of a biometric system increases, FRRs will rise and FARs will drop. Conversely, as the sensitivity is lowered, FRRs will drop and FARs will rise.
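The trade-off above, worked through as an added example (not code from the original post). It assumes sensitivity is modelled as a match-score threshold, and the scores, names and threshold range are constructed for illustration.

```python
# Constructed sample data: match scores (0-100) from a hypothetical
# biometric matcher. Higher score = closer match to the enrolled template.
GENUINE = [62, 70, 74, 78, 81, 85, 88, 90, 93, 97]   # attempts by valid users
IMPOSTOR = [12, 20, 27, 33, 41, 48, 55, 64, 72, 80]  # attempts by unauthorized users


def far(threshold, impostor=IMPOSTOR):
    """Percent of unauthorized attempts accepted (score >= threshold)."""
    return 100.0 * sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """Percent of valid attempts rejected (score < threshold)."""
    return 100.0 * sum(s < threshold for s in genuine) / len(genuine)


def sweep(thresholds):
    """Return (threshold, FAR, FRR) for every candidate threshold."""
    return [(t, far(t), frr(t)) for t in thresholds]


def crossover(thresholds):
    """Return the (threshold, FAR, FRR) row where FAR and FRR are closest.

    Ties are broken in favour of the lowest threshold.
    """
    return min(sweep(thresholds), key=lambda row: (abs(row[1] - row[2]), row[0]))


if __name__ == "__main__":
    # Raising the threshold (more sensitive) lowers FAR and raises FRR.
    for t, fa, fr in sweep(range(40, 101, 10)):
        print(f"threshold={t:3d}  FAR={fa:5.1f}%  FRR={fr:5.1f}%")
    t, fa, fr = crossover(range(0, 101))
    print(f"CER/EER is about {fa:.1f}% at threshold {t}")
```

With real systems the two rates rarely meet exactly at a tested threshold, which is why the function returns the closest pair rather than requiring equality.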

CISSP - Subjects and Objects

What are subjects?
Subjects are active entities that access passive objects. For example, users can be considered subjects, as they access objects to perform some action or to accomplish a task.

What are objects?
Objects are passive entities, such as files, that are accessed by subjects.

CISSP - Types of Access Controls

Preventive - to stop unauthorized or unwanted activity from occurring
Detective - to discover / detect unauthorized or unwanted activity
Corrective - to restore systems back to normal after unauthorized or unwanted activity has occurred
Deterrent - to discourage attackers from violating security policies or taking an unwanted action
Recovery - to repair or restore resources and capabilities after a security policy violation
Directive - to direct, confine or control the action of subjects to force or encourage compliance with security policy
Compensation - to provide alternatives to existing controls to aid enforcement and support of a security policy

Cisco ACI - Port Tracking

The "port-tracking" feature is one of the techniques to speed up convergence in case of internal fabric connectivity failures. It addresses an outage where a leaf node loses connectivity to "all" the spine nodes in the Cisco ACI fabric.

In such a scenario, the hosts that are connected to such a leaf in an active-standby setup are usually not aware of the outage and continue to send traffic to the now isolated leaf. In this situation, the port-tracking feature brings down all the host-facing ports of the isolated leaf node. For servers that are dual-homed to different leafs, this action ensures that the uplink to the isolated leaf is not considered for forwarding traffic.

The changes can be made as below:

System >> System Settings >> Port Tracking

Cisco ACI - CDP and LLDP

Cisco ACI has the concept of Anycast Gateway, where the default gateway of the subnet (configured with the Bridge domain) exists on the Leaf devices. More importantly, the anycast gateway / SVI (Switched Virtual Interface) is configured (rather, programmed) on only those Leaf switches which have endpoints belonging to that bridge domain.

How does Cisco ACI determine whether it should configure an SVI on a particular Leaf? It does this via CDP, LLDP or OpFlex (if the endpoints support it). This implies that CDP / LLDP is not just there for operational purposes; it actually holds a powerful influence on the actual traffic forwarding, unlike on traditional switches.

CDP uses the usual Cisco CDP timers with an interval of 60s and a holdtime of 120s.
LLDP uses the usual LLDP timers with an interval of 30s and a holdtime of 120s.

CDP support for Fabric Extenders started with the ACI 2.2 release. For older releases, LLDP should do the trick.

Cisco ACI - Interface Policies

For network guys coming from the traditional switching world, the interface configuration on Cisco ACI is not as simple as putting a "switchport xxx" command under interface x/x. Rather, there is a huge list of interface policies which need to be configured, which are then referenced in the Interface policy group and then stitched to the actual interface (Interface selector).

The list of interface policies is as follows:

LLDP - Link Layer Discovery Protocol
CDP - Cisco Discovery Protocol
LACP - Link Aggregation Control Protocol
Port Speed
Storm Control
MCP - Mis-Cabling Protocol

Each policy type is already configured with a default configuration. The best practice is to not touch this default configuration but to create an explicit policy. For example, I always have an LLDP_ON, LLDP_OFF, CDP_ON, CDP_OFF and so on, configured explicitly for my setup. Explicit policies for each of these policy types also enable you to configure other parameters such as the CDP, LLDP i

How to enable IPv6 on traditional Cisco Catalyst Switches

Traditional Catalyst switches like the Cisco Catalyst 3750 / 3560 do not have IPv6 routing enabled by default, and simply entering "ipv6 unicast-routing" won't work!

First, enable dual-stack routing by:

    sdm prefer dual-ipv4-and-ipv6

This should be followed by a reboot, after which you enable IPv6 routing by:

    ipv6 unicast-routing

After that, you should be able to do all the IPv6 configuration.