Cisco Live 2018 - Yes, I Went Too
Cisco Live US 2017 - The Plan So Far
Put it on your calendar. Cisco Live US is June 25 - 29, 2017, in Las Vegas. This is the largest conference I go to every year, and it’s the highlight of my professional year. I’ve been going for a few years now and enjoy it for the content and camaraderie. What are we doing this year?
We’ll fly in on Friday again and do something. No idea what, but I imagine we’ll throw out an invitation for dinner to the public and meet somewhere. If you’re going to be in town, let me know, and we’ll meet up.
Cisco Clock Issue - This Is Really Bad
QoS? Really?
I wrote this post during Cisco Live and said “I’ll just give it a once-over tonight and publish it.” That was something like 6 weeks ago now. What a loser I am.
Yes, really. QoS has actually gotten some attention this year. After how many years of living in the dark and being feared by junior and senior engineers alike, we’re seeing some really cool technologies coming out for it.
Cisco Live 2016 - Everything Is Coming Together
It seems that Cisco Live is about the only thing I blog about in the last…well, few years. At least I’m still writing, even if it is twice a year. :)
Here’s a summary about Cisco Live for those who live in a dark hole. It’s July 10 - 14, 2016, in Las Vegas. If you do anything with Cisco, you should go. If you do anything with technology that isn’t Cisco, you should go. Bring your significant other. There’s plenty to do for everyone. Anyway, on to the details for this year’s show.
Cisco Live - The Complaints
You should know by now that I always find something to complain about. Is that a bad thing? Probably. Does it help improve things? Absolutely!
Again, I love going to Cisco Live every year. Without question, it’s my favorite event of the year. It’s a great event with great people and great things to do. With that said, let’s look at what could have been a bit better this year.
Cisco Live 2015 - Helping Others
Another year, another Cisco Live. Boy, was it a good one. San Diego is a great city, and the convention center there is plenty big to take care of all 25k attendees. On top of that, the city itself is equipped to handle groups of 40 roaming the streets looking for food and entertainment.
This year’s event had the usual stuff that everyone talks about - breakout sessions, keynotes, exams, etc. - but Cisco stepped outside of technology this year by helping others.
Recap - Cisco Live US 2014
My Schedule for Cisco Live 2014
Everything is in order for my trip to Cisco Live 2014 in San Francisco. Conference passes are purchased. Hotels are reserved. Flights are booked. It’s going to be a great event, and I can’t wait!
Note: My wife will be with me again this year, and she is trying to get a tour group going to look around the city while others are in sessions. If you want to be in on the tourist action, contact her via Twitter.
Taking the Old Approach to Cisco Live 2014
Read This if You’re Going to Cisco Live in May!
Why Cisco Live Each Year?
Cisco Live 2013 Insights - Catalyst 3850
Cisco Live 2013 Insights - Cisco Tactical Operations
While walking through the World of Solutions, we ran across a big black truck with lots of antennas all over it. It was obviously an emergency communications vehicle of some kind, but I was really surprised to see it was a Cisco truck. It turns out that Cisco has a Tactical Operations group (Twitter) that was formed to provide disaster responders with much-needed communications for EMAs, fire, police, medical, etc.
The big truck was the NERV - the Network Emergency Response Vehicle (PDF link). It’s full of traditional HF, VHF, and UHF radios that the ham radio operators usually bring to these disasters. This is a necessity when all phones, cell, and Internet are down. It could be the only way fire fighters are able to call for reinforcements or the only way a hospital can call for more supplies. The NERV, though, takes it to the next level. On top of the radio gear, it is equipped with satellite uplinks for Internet access, wifi, and digital voice and video through UCS Express, IP phones, and Telepresence. Analog voice is always the first method of communications restored via battery- or generator-powered gear, but an area will eventually need a network with voice and video. That’s where the NERV comes in.
Cisco Live 2013 Insights - Cisco Active Advisor
Yes, I went to Cisco Live and survived. It was the social event of the year, but the main focus is learning about the cool, new stuff. One of the booths I visited was a demonstration of Cisco Active Advisor.
This is a cloud-based (BINGO!) application that keeps an eye on the lifecycles of your IOS devices. Using the web interface, you can scan a range of IP addresses from your machine and have your gear automatically added to the service. Once in there, you can see, among other things, the warranty and support contract information for your device. If your contract is about to expire, it’ll let you know via email. It also tracks any vulnerabilities that may apply and emails you if any are detected. This beats trusting your reseller to send you renewals or watching an RSS feed for PSIRTs and field notices.
My Schedule for Cisco Live 2013
I’m all set up to go to Cisco Live in Orlando this year. Good thing, too, since I couldn’t make it to San Diego last time. It’ll be a great and fun time as usual, and I’m quite excited.
As it turns out, ARRL Field Day happens to be the weekend leading up to the festivities. I’ve been in contact with the local Orlando club, and they say the attendees are more than welcome to join them. They are meeting at the City of Orlando Emergency Operations Center, which is about 20 minutes away from the Convention Center.
The Usual End of the Year Tripe
The year is finally coming to an end, so it’s time yet again to look at goals and embarrass myself by publicly admitting that I didn’t meet them. Oh, well. Let’s get this done so I can go back to sleep.
I changed the layout of the blog, so the page with my goals isn’t really visible. Here’s what I claimed I would do this past year.
- Select a CCIE training vendor - Yeah…this didn’t happen. This is a very high-priced item, and I simply couldn’t afford the packages I wanted. We’re talking $8k - $10k for everything. Yikes! I asked management at work to pay for it. They said they would but that I would have to agree not to leave the company for some long length of time. I didn’t want to put myself in a situation where finding a new job meant writing a check for $10k, so I decided to pass on it. Without the financial backing, this ended with me just sighing pitifully on my couch.
- Take the CCIE R&S lab - Of course this didn’t happen without the first one. I guess I could have bought the materials that I could and just got on a bus to Raleigh to see what happens. This whole thing was complicated by the fact that the new job is 95% Juniper. My waking hours at work and my study time at home were spent trying to figure out how Junos works; I tried my best, but it was just too difficult for me to study both at the same time. For the trifecta of excuses, I also had an issue with my study area. I went from a 4-bedroom house to a 1-bedroom apartment when we moved for the new job. There’s no quiet space at all to study - a huge problem I need to fix.
- Pass JNCIA-Junos exam - Whoa! I actually did this one. I took this exam a few months back and passed it without any problems. Good for me! One out of three!
As for my goals, it really wasn’t a very good year. Even for me, it was bad. I’ll tell you, though, it’s very hard to study when you don’t have one subject or a place to do so. Definitely things I need to work on in 2013.
An Interesting Interview Story
We’ve been looking for a new Network Engineer for quite a while but are having no luck at all. There is plenty of talent out there, but finding a high-end Juniper guy is almost impossible around here. We’ve loosened up our requirement for Juniper experience just to get someone in for interviews. This led us to one prospect and an interesting story.
This guy’s resume was very impressive. For the last 5 years, he’s been the Network Architect at a very large company. His experiences were off the chart. Large-scale Enterprise deployments. Monster PCI environments. Years of Juniper experience. Years of Cisco experience. I had to talk to this guy, so I got a phone interview with him.
CCIE R&S Written - Epic WIN!
The wife and I had a romantic day driving several hours to a small town to take Cisco exams. If this doesn’t get me some action, I don’t know what else to try.
I’ve already used the phrases “skin of my teeth” and “a pass is a pass” on Twitter today for good reason. Passing is a score of 790, and I blew that away with a 790. One more lapse in concentration and I would have been making up more excuses instead of smiling. I think I’ve mentioned this before, but I have this weird reaction to taking exams where I don’t get nervous at all until after I’m finished. Walking into the testing center, I was fine. Walking out, I was shaking like Northern Virginia. It was so bad that I could barely hold on to the door knob when trying to leave, so I guess that I’m really prouder than I thought I was.
OSPF Notes - LSA Types
Yes, it is inevitable that I cover these. I’m sure network types will be next. Per my usual request, please correct my stupidity.
Type 1 - Router : This LSA type lists all the routers by RID as well as the networks to which that router connects.
Type 2 - Network : These LSAs represent broadcast networks where more than one OSPF router may live. Think Ethernet or multipoint segments. These LSAs are flooded by the DR for that segment.
OSPF Notes - Neighbor States
My prediction about covering network types was wrong. I’m going to puke out some information about neighbor states for now. As is always the case, corrections are welcome.
Down : No hellos have been received from this router.
Attempt : This state only applies to manually-configured neighbors on an NBMA network. In this state, a router has sent unicast hellos to the neighbor but has not received any back from it.
OSPF Notes - Message Types
I have had my nose deep in several books in preparation for my CCIE R&S written exam, so I haven’t been blogging much at all. Now that I’ve made it to the more familiar topics, I’m hoping to get some notes posted. I’ll start with OSPF message types.
As always, please feel free to correct me here. I’m learning just like the rest of us.
Hello : These messages are used to establish neighbors and serve as keepalives among other things.
Home-grown IOU Scripts
Cisco Live 2011 Schedule
For the first time ever, I’m headed to Cisco Live - the big Cisco users conference in Las Vegas! I usually don’t go to these things since I wind up just hanging out by myself, but I’m meeting all sorts of people there - from bloggers to Tweeps to personal friends. It should be a huge blast, and I can’t wait to get there.
For those interested, here’s my schedule.
Stubby Post - Final Tally of 3750 Failures
It’s pretty widely known that I hate Cisco 3750 switches. We’ve had so many hardware and software failures with them that I’ve got a seriously bad taste in my mouth. Since I’m leaving for a new company, I thought I’d publish some statistics while I still have access to the numbers.
Total TAC cases opened related to 3750s: 21
Number of 3750G-12S-S replaced: 21
Number of 3750G-24TS replaced: 7
Total number of RMAs issued: 28
Total number of 3750s in the company: ~120
Failure rate: 23.3%
Stubby Post - Changing the Prompt on the ASA
RichardF commented on an article I wrote last November and mentioned the prompt command in the ASA. I never set aside any time to research it, but I finally took the time today while waiting for a maintenance window.
This is one of those little things in life that make me happy. Since the active ASA always has the same hostname and IP address, I find it hard to keep track of which firewall I’m actually connected to. That “configurations are no longer in sync” message you get when you conf t on the standby firewall really irks me. With the prompt command, I can see which firewall I’m on and in what state it is.
Stubby Post - Null VTP Domain Scare
Another Blow to Dynamips/Dynagen/GNS3
Configuring an Active/Passive ASA Pair
Stubby Post - Changes to CCNA Voice, CCVP, and CCSP
I don’t usually cover news from Cisco, but they’ve changed some certification stuff around again, and I thought I would bring it up. This time they’ve changed the CCNA Voice, CCVP, and CCSP, so, if you’re on those tracks, be careful what you’re studying!
CCNA Voice
Circle 28 February 2011 on your calendars. That’s when the CCNA Voice track gets a shakeup. The IIUC (640-460) exam will be no more, and passing CVOICE (642-436) will no longer be a valid way to get the cert. After the big day, you’ll have to take ICOMM (640-461). This seems to be a much broader exam instead of having the enterprise and commercial focuses in CVOICE and IIUC, respectively. Look out for both CME- and CUCM-based topics including a troubleshooting section.
CME Exercise #1
I tried something like this earlier this year with STP. It got rave reviews (from my mother), so I figured I’d try it again.
Below is a list of requirements for configuring a router as a call processor. In a lab or in your head, configure the router to support the features as listed. This isn’t a contest or anything like that. If you get it right, a virtual thumbs up is all I can afford to give you. There are some licensing issues for running this stuff in GNS3/dynamips, so I can’t help you out on that. I’ll just hint that GNS3 and dynamips will bind to real networks and that copies of a compatible IP softphone are available.
IIUC Notes - Voice Ports and Dial Peers
More of my IIUC study notes. As always, feel free to correct. I really need to have a real post, don’t I?
show voice port summary
- Shows the voice ports available for use
R1#show voice port summary
                                          IN       OUT
PORT           CH  SIG-TYPE    ADMIN OPER STATUS   STATUS   EC
============== == ============ ===== ==== ======== ======== ==
50/0/1         1   efxs        up    up   on-hook  idle     y
50/0/1         2   efxs        up    up   on-hook  idle     y
50/0/2         1   efxs        up    up   on-hook  idle     y
50/0/2         2   efxs        up    up   on-hook  idle     y
50/0/3         1   efxs        up    up   on-hook  idle     y
50/0/4         1   efxs        up    up   on-hook  idle     y
50/0/5         1   efxs        up    up   on-hook  idle     y
- An ephone-dn shows up as efxs, so all these are ephone-dns.
- Channels are numbered 0-23; timeslots are numbered 1-24
FXS Ports
IIUC Notes - More Phone Features
Here are some more notes from my IIUC studies. As always, corrections requested.
Paging
- Broadcasts messages to a group for a one-way communication
- Paging groups are used to limit which phones get the broadcast
- Paging can be unicast or multicast
- Unicast groups limited to 10 members
- Multicast requires mcast support on the network
- Paging configurations can be unicast, multicast, or multiple-group
! Unicast Paging
! When 1044 is dialed, ephone 1 is paged
R1(config)#ephone-dn 44
R1(config-ephone-dn)#number 1044
R1(config-ephone-dn)#paging
R1(config-ephone-dn)#exit
R1(config)#ephone 1
R1(config-ephone)#paging-dn 44
IIUC Notes - Phone Features
Here are some more notes from my IIUC studies. As always, corrections requested.
Local Directory
- Allows users to look up names
- Allows names to show up when dialing or receiving a call
- Most phones have a directory button; some have a menu option for the directory
R1(config)#ephone-dn 1
R1(config-ephone-dn)#name Roger Smith
- Directory entries can be added manually
R1(config-telephony)#directory entry 1 1700 Corporate Fax
R1(config-telephony)#directory entry 2 1701 HR Fax
- By default, sorting is done alphabetically by first name.
- Sorting can be changed
R1(config-telephony)#directory last-name-first
IIUC Notes - Getting Phones on the LAN
More study notes. Correct if wrong, though I hope I get some of it right since I’m an R&S guy. :$
Switchport Configuration
- switchport mode access: This config makes the port an access port that carries the primary and voice VLAN traffic
- switchport mode trunk: This config makes the port a trunk unconditionally, but it will still send DTP messages
- switchport nonegotiate: This config keeps the port from sending DTP messages.
- switchport mode dynamic auto: If the port receives DTP messages, it will become a trunk. If not, it will be an access port.
- switchport mode dynamic desirable: The port actively sends DTP messages trying to become a trunk. This is the default configuration on a Cisco switch.
Cisco IP Phone Boot Process
IIUC Notes - Assigning Ephone-dns to Ephone Buttons
These are some of my notes on my IIUC studies. Since I am a novice at voice stuff, please let me know what I get wrong.
An ephone is a representation of a phone. It’s basically a structure of features that a phone will have.
Configuration in CME:
R1(config)#ephone 34 <– This is just a tag and has nothing to do with an extension or phone
R1(config-ephone)#mac-address 1111.2222.3333 <– Assigns this ephone to the phone with that MAC address
IIUC Notes - Powering Cisco Phones
Feel free to correct anything that is wrong or incomplete.
Power over Ethernet (PoE)
- Can provide power to a Cisco phone, access point, security camera, etc., through the network cabling, eliminating the need to plug the phone into the wall for power.
- Generic term for providing power on the Ethernet cable
- Provides centralized power that can be put on a UPS
- Allows devices to be located away from power outlets
- Removes cabling clutter at the user’s desk
- Can be provided through PoE-enabled switches, power panels or inline couplers (power injectors)
- Oversubscription is common
- If every device on a switch asks for full power, the switch may not be able to handle the load.
- Of course, devices can be powered with a power brick at the desk
802.3af
IIUC Notes - VoIP Structures
Feel free to correct. No need to sugar-coat it; I’m pretty new at this stuff. :)
Advantages of VoIP
- Reduces costs of communications: Eliminates/reduces long distance and international call tolls
- Reduces costs of cabling: No need for second network of phone lines
- Integrates all voice into one large network: All your remote offices can be implemented/maintained/controlled centrally
- Provides mobility: Moves, adds, and changes (MACs) are (nearly) eliminated since your phone is just a network node
- Allows use of IP Softphones
- Unifies emails, voice mails, and faxes: All these can be treated as a single box for user messages
- Increases productivity: Ringing multiple devices at the same time eliminates phone tag. <— pushing it, eh?
- Enhances communications: Applications can be launched/updated from a voice call through application servers
- Provides open, compatible standards: You can connect different vendor devices into the same VoIP network. <— I’ve never seen that happen
Cisco VoIP Structure
Stubby Post - Packetlife’s Community Lab
I’m way behind in talking about this, but Jeremy Stretch over at Packetlife.net has a community lab that is free to use. This is a great resource for those of us who are too poor to have their own physical devices for Cisco studies. All you need is an account on the site and a sense of community.
There are two labs to reserve, and each contains a firewall, routers, and switches. This is plenty of stuff to get your feet wet with the gear, let you research some functionality that Cisco promised is great, and lab out something you’re looking to implement. The lab is offered for free, but Jeremy is giving his time and money for this lab. I think it would be a great idea to drop a few dollars to him via his donate link if you use his stuff. If you’re a regular user and don’t donate, I ask that you do a moral inventory on yourself so you might see just how bad you are being.
Stubby Post - GNS3 Vault for the Win!
IIUC Notes - Old School Voice Stuff
These are the notes I’ve taken as I read through the study materials. Feel free to correct anything you see.
Analog phone signaling
- Misc
  - Ground = positive = tip
  - Battery = negative = ring
  - Signaling uses specific frequencies for specific events
- Loop start signaling
  - When a circuit in the phone is completed (i.e., you take it off-hook), the CO detects it and provides services.
  - Susceptible to glare, where the phone requests dial tone at the same time that the CO sends a call.
  - Can connect two different calls if in a business with multiple lines
- Ground start signaling
  - The circuit is temporarily completed to signal the CO for services
  - Doesn’t connect any call to any phone directly
  - Used in PBXes.
- Supervisory signaling
  - On-hook: Circuit is open
  - Off-hook: Circuit is completed
  - Ringing: AC current generated by CO to tell the phone to ring
- Informational signaling
  - Gives information for the caller to use
  - Dial tone
  - Busy
  - Ringback: the ring you hear when you call
  - Confirmation: the call is being attempted
  - Congestion: no lines available to make the call
  - Receiver off-hook
  - Reorder: can’t make the call
  - No such number: can’t find the endpoint
- Address signaling
  - Used to send digits
  - Dual-tone multifrequency (DTMF): uses two electrical signals to indicate a digit; touch tone
  - Pulse: flashes the circuit to indicate a digit; rotary dial
- Disadvantages of analog signaling
  - Attenuation
  - Repeaters can’t differentiate between the call and noise
  - One cable pair for each call; think about a pair for each call taking place in Manhattan right now
- Misc
Digitizing voice
Stubby Post - What’s an IDB?
I posed the philosophical question on Twitter the other day asking if single trunk links should be in an EtherChannel bundle just in case you need to expand later. I didn’t really expect an answer, but the ever-verbose @WannabeCCIE pointed out (in not so many words) that you should watch your IDBs. What is that?
That’s an interface descriptor block. I admit that I’m not intimately familiar with them, but they’re data structures in IOS used to keep track of the interfaces on that device. They come in two flavors - hardware and software. HWIDBs usually represent a physical interface, but they also represent tunnels, SVIs, PortChannels, subinterfaces, and any other virtual interface that you can configure. The SWIDBs represent the layer-2 encapsulation of each HWIDB, so you’ll see entries talking about Ethernet, HDLC, PPP, etc. That means that every interface you have on a router consumes two IDBs (there are always exceptions). That’s important because each platform and IOS version combination has a limit to the number of IDBs that device supports.
Catalyst 3750s - Bad Luck with a Cisco Logo
Last week, @fletcherjoyce posted an article on his blog about his positive experiences with Cisco’s 3750 switches. If you follow my complaint tweets, you know that I’ve had quite the opposite experience with them. I would never pick on anyone, but I had to throw in my 2 cents.
I’m guessing here, but we have about 50 3750 stacks in the enterprise. Most of them are pairs, so you wind up with roughly 120 switches. Since we’ve done about 20 replacements over the last 5 years, that means we have a 17% failure rate. That’s pretty horrible, isn’t it?
Syncing IOS Versions on a 3750 Stack
For those that don’t know, when I say “stack”, I mean a group of 3750s connected together using the StackWise technology. When you use a very expensive and very proprietary cable, your individual switches are combined into a single logical device. This means you configure one device to control potentially many switches.
To the point. I’ve spent the last few weeks replacing a mess of 3750s in stacks. These guys are very easy to replace, but the big problem I find is getting the IOS version in sync. When the RMA comes, it’s inevitably got a different version on it, and you’ll see something like this.
Some Cisco Testing Advice
ROUTE - Epic Win!
Woohoo! I passed the ROUTE test this morning. That means I’m done with the CCNP track! :)
If you remember, I took it over a week ago and had some bad luck on it. Alright, bad luck is the wrong phrase. I didn’t study enough and failed it. This time, though, I had a special weapon on my side - the ROUTE Foundations book. I haven’t used the Foundations books before, but I saw some tweets about this one, so I picked it up off of Safari. In just a couple pages, I realized that I was reading the answers to several questions directly out of the book. It was amazing. I only studied my weak points and wound up with 144 more points than I did last time. I can’t say that was entirely because of the book, but I must say it was a big reason.
ROUTE Notes - Further IGP Redistribution
As always, corrections are requested.
Study Questions
- I’ve got IGRP and EIGRP both configured with the same AS number. What’s special about this configuration?
If both use the same AS number, then they automatically redistribute their routes into each other without using the redistribute command.
- When redistributing one IGP into another, where’s a good place to filter routes?
There’s no one good place, but the router(s) doing the redistribution is a good start. There’s no need to send an IGP a bunch of routes it doesn’t need.
ROUTE Notes - Even More IGP Redistribution
I didn’t do so well on IGP redistribution the last time out, so here’s some more stuff to study. As always, feel free to correct.
Study Questions
- What three things are needed to be able to redistribute one routing protocol into another?
1. One or more links into each routing protocol
2. A proper, working config for each protocol
3. The addition of the redistribute command to one or more of the protocols
ROUTE - Epic Fail (#1?)
I took the ROUTE test today and failed like I usually do. That makes me 3-4 on these P-level tests if you’re scoring at home. Don’t worry, though. I’m not giving up. :)
In atypical fashion, I must say that the ROUTE test was a good test. Let me say that again. The ROUTE test was a good test. I said good, though…not great. There were a few problems with it that I’ll get to, but, overall, this is the best test I’ve ever taken for a Cisco cert. The questions were very well-written and there were no obvious omissions or wrong details. I failed this test because I simply didn’t put in enough work.
ROUTE Notes - Controlling BGP
Corrections, please. I skipped a bunch of BGP intro stuff to get to the juicy center. I’ll see if I can come back later and finish the other parts for posterity.
Study Notes
- Is BGP route selection a controversial subject?
Yes. If you ask 1000 network guys the best way to influence BGP, you’ll probably get 1000 different answers.
- At what position in the PA list of a BGP update do you find the weight attribute?
You don’t. Weight is a Cisco-proprietary thing.
ROUTE Notes - Branch Office Routing
Correct me, please.
Study Notes
- What do IPSec tunnels give you when a branch office is on a broadband connection?
Privacy through encryption
Authentication of the remote peer through ISAKMP
Delivery of private data over the public Internet
- What do you need to configure to get your branch router talking to the Internet?
ISP connection configuration such as PPPoE or PPPoA
DHCP server configuration for internal users
NAT
Firewall services like inspection and filtering
ROUTE Notes - Implementing IPv6 in an IPv4 Network
Study Questions
- Your boss says that every host in the network needs to be converted over to IPv6 by the end of the day. Which of multipoint tunnels, point-to-point tunnels, or native IPv6 would be the most appropriate to use to help with that conversion?
Native IPv6
- The engineering department wants to permanently use IPv6 on their test boxes in two offices. Which of multipoint tunnels, point-to-point tunnels, or native IPv6 would be the most appropriate to use?
Point-to-point tunnels
ROUTE Notes - Routing IPv6
Study Questions
- Why would anyone develop a version of RIP that supports IPv6?
I have no idea. Boredom, maybe. Whatever the case, it works just like RIPv2, which is pretty scary.
- In EIGRP for IPv4, there are several requirements for two routers to neighbor up. Which of those is not true for EIGRP for IPv6?
The two routers don’t need to be in the same subnet. The concept of the link local address takes care of that need since neighbors always share a common medium like an Ethernet segment or a serial link.
ROUTE Notes - Intro to IPv6
Study Notes
- Exactly how big is an IPv6 address?
It’s 128 bits long.
- This shouldn’t be on the test, but how many unique addresses is that?
That’s 2^128 or a “3” with 38 zeros after it. That’s also 2^95 addresses for each person on earth.
- Surely we’re not writing in binary, are we?
No way. IPv6 uses 32 hex characters. Each character is 4 bits, so we wind up with 128 bits of data.
ROUTE Notes - PBR and IP SLA
Feel free to correct.
Study Questions
- What’s the most primitive way to get traffic destined to a single host to use a different path than your dynamic IGP dictates?
Use a static route.
- What’s the most primitive way to get traffic sourced from a single host to use a different path than your dynamic IGP dictates?
Use policy-based routing (PBR).
- What’s the most primitive way to get traffic sourced from a single host and destined for another host to use a different path than your dynamic IGP dictates?
Use PBR.
ROUTE Notes - More IGP Redistribution
As always, feel free to correct.
Study Notes
- When a router redistributes from one routing protocol to another, where does the router get the list of routes to redistribute?
From the routing table. Only IGP A’s routes (not topology or successors) are redistributed into IGP B’s domain.
- What are two methods of filtering redistributed routes?
Use a route-map in the redistribute line or a distribute-list.
- Of the two methods for filtering, which one has more options?
The route-map method has more options. You can match on all sorts of stuff, including an ACL or interface, and filter based on that.
ROUTE Notes - IGP Redistribution
As always, feel free to correct.
Study Questions
- When you redistribute OSPF into EIGRP, what are you really redistributing?
Routes known via OSPF
Networks of OSPF-enabled interfaces
- What’s the default cost of an EIGRP route redistributed into OSPF?
20
- What’s the default metric of an OSPF route redistributed into EIGRP?
There is none since EIGRP has all those nifty k-values that have to be processed. Routes actually won’t redistribute without them.
ROUTE Notes - OSPF Virtual Links and Frame Relay Stuff
Feel free to correct. I feel like I’m missing a big piece here, so please fill in a gap if you see one. Thanks. :)
Study Questions
- How many area 0s (zero) can you have in an OSPF implementation?
Just one.
- If my company merges with another company, and we’re both running OSPF, how can we get our networks routing together properly?
The easiest thing to do is to connect your two area 0s together through some physical link. If you can, you can use virtual links to connect an ABR to another ABR to extend the zones together.
ROUTE Notes - OSPF Filtering and Summarization
Feel free to correct all this stuff. Additions are also welcome.
Study Questions
- How do I keep an area route from reaching a router in that area?
You don’t. That defeats the whole purpose of having the topology database on every router. If you filtered one route from a router, there’s no way that SPF could calculate routes correctly.
- Fine, then. Where do I filter routes?
You filter routes on an ABR or ASBR. Since routers only have the whole topology for their area, it’s safe to filter routes from another area or from a redistributed routing protocol. On a more technical note, you’re filtering type-3 LSAs on an ABR and type-5 LSAs on an ASBR.
ROUTE Notes - OSPF Topology Stuff
Feel free to correct.
Study Questions
- The obvious first question involves the common LSA types and their function. Can you list them?
- Type-1 - Router - Lists each router and its connected IP addresses
- Type-2 - Network - Lists all the transit, or multiaccess, networks
- Type-3 - Net Summary - Defines a host route for interarea routes; this is from the ABR
- Type-4 - ASBR Summary - Defines a host route for an external (to OSPF) route; this is from an ASBR
- Type-5 - AS External - Lists the networks advertised into OSPF from external sources (redistribution)
- Type-7 - NSSA External - External routes injected into a not-so-stubby area
ROUTE Notes - OSPF Neighbor Relationships
Feel free to correct.
Study Questions
- What are the definitions of the hello and dead intervals?
The hello interval is how often a router sends hello messages. The dead interval is how long to wait before considering a neighbor dead from lack of hello messages; this is 4x the hello interval by default.
- How do you keep OSPF from trying to detect neighbors on an interface?
- Don’t configure a network statement for that interface
- Make that interface passive
ROUTE Notes - Controlling Routes in EIGRP
Corrections welcome.
Study Questions
- Why would you ever want to summarize routes?
Summarizing routes minimizes the routes advertised to the network. For example, instead of advertising 192.168.0.0/24, 192.168.1.0/24…192.168.n.0/24, a router can advertise a single route to 192.168.0.0/16. Keeping routing tables small saves hardware resources, minimizes convergence times, helps avoid route flapping, and makes the routing table easier to read for humans.
- When will an EIGRP router auto-summarize a route?
If a router has interfaces that are in different classes of network (Class A, B, C), then that router will auto-summarize those routes up to the classful boundary. For example, if you have a 10.0.0.1/24 and a 192.168.100.1/30, the router will advertise 10.0.0.0/8 and 192.168.100.0/24.
ROUTE Notes - EIGRP Neighbor Relationships
Or neighborships, as they call it in the book. What a terrible word.
Study Questions
- What settings must match between two routers in order to become EIGRP neighbors?
- Both routers must be in the same primary subnet
- Both routers must be configured to use the same k-values
- Both routers must be in the same AS
- Both routers must have the same authentication configuration (within reason)
- The interfaces facing each other must not be passive
ROUTE Notes - EIGRP Topology Stuff
Study Questions
- How do you keep EIGRP from killing your WAN?
You can use the ip bandwidth-percent eigrp AS X command to limit the amount of bandwidth that EIGRP uses to update neighbors.
- How does EIGRP calculate how much bandwidth it can use for each frame relay PVC?
By default, EIGRP takes 50% of the (sub)interface’s configured bandwidth (with the bandwidth command) to use for updates on NBMA (non-broadcast multiaccess) networks like frame relay. This value is divided equally among all the PVCs configured on that interface.
ROUTE - Redistribution Nuance #2 - OSPF External Metric Types
Last time, we talked about a nifty little lab I set up for redistribution and how the OSPF ASBRs acted a little differently than I expected. This time, let’s look at how changing external OSPF routes to a metric-type of 1 (E1) affects the routing tables.
Here’s the network again.
The static routes are being redistributed into their respective IGPs, and EIGRP is being redistributed into OSPF. Let’s look at the routing table on R1.
ROUTE - Redistribution Nuance #1 - Admin Distance FTW
I just got back from Global Knowledge’s ROUTE class, and I must say that it was a great class. John Barnes puts on quite the show and is the best instructor I’ve ever had. I digress, though.
One of the topics we covered was route redistribution, so I went back to the hotel one night and fired off this network in GNS3 to study a bit.
The object was to see how redistributing statics into OSPF and into EIGRP differ. It was also an opportunity to see how EIGRP redistributes into OSPF (and OSPF into EIGRP, but I didn’t make it that far). To do that, I redistributed 10.10.10.0/24 from R1 into OSPF and 10.10.20.0/24 from R4 into EIGRP. I then had R2 and R5 redistribute all EIGRP routes into OSPF. It’s a nice mix, but I saw some weirdness in the paths to 10.10.20.0/24.
SWITCH - Epic Fail
I did my standard 2ish-hour drive to the closest testing center today to take the SWITCH test (642-813). Utter failure. That’s 3 for those scoring at home.
The test was the absolute worst I’ve ever taken. I know that I complain a lot, but this is totally justified in my eyes. My 4th grade spelling tests were better than this. I’ve seen kindergarten plays with better production value.
First of all, it was poorly written. Whoever wrote those questions has a few pieces of information about English sentence structure missing from their skill set. A sentence needs a verb, right? Well, a lot of the sentences were missing those. It’s kind of important to know what the whole point of the sentence is, or is that too much to ask? The “drag this over here” exercise questions all started with the same 13-word phrase that left the question so long that it was unreadable. A couple of commas would have been nice in some. Others I just had to infer from the answers what they were trying to ask.
Stubby Post - UplinkFast
I’ve got a few switches daisy chained together with single links and have enabled UplinkFast on them. This switch is not the root bridge; F0/24 is the root port and F0/23 is a blocked alternate port. I’ve got debug spanning-tree uplinkfast on to help out.
```
SW3#sh span | incl 0/2[34]
Fa0/23              Altn BLK 3019      128.23   P2p
Fa0/24              Root FWD 3019      128.24   P2p
```
Now let’s unplug F0/24 and see what happens.
SWITCH - STP Exercise #1
Here’s an STP exercise for you. Given the bridge priorities, MAC addresses, and interface types in the diagram, calculate the root bridge, root ports, designated ports, and blocked ports. You can click on the image to enlarge it. I’ll post a solution in the next few days. As always, feel free to comment and ridicule my utter idiocy. Be gentle, though; I don’t usually post exercises like this.
Send any configuration BPDUs questions my way.
A Quick Intro to Google’s Capirca
Yeled left a comment earlier this week asking if I’d seen Google’s Capirca. I’d heard of it and checked out some presentation slides on it, but I’d never actually tried it out, so, in keeping with the script, I downloaded it to see what it could do. Remember, now, that I’ve been playing with it for about 2 hours now, so I’m no expert on its use.
Capirca is a Python-based solution that Google came up with to automate ACL creation on their many thousands of routers around the world. You can’t blame them for wanting to automate it, either. How many times do you think they ran into problems with typos or keying errors from their network guys across those devices?
ONT - Epic Fail Part 2
ASA 8.3.1 – Smart Tunnel and NAT Changes
Stubby Post: Cisco Has Changed the Internet*
* For definitions of “changed” and “Internet”
Today Cisco announced their new CRS-3 that replaces the CRS-1. The CRS-3 has some damn impressive numbers for sure with 322Tbps, or about 1 LOC/sec (that’s a Library of Congress per second). In three to five years, it might enable some technologies that we can’t use today, but I think “chang[ing] the Internet” is a bit of a stretch. I’m sure it’s ultra-cheap, too.
NBAR and HTTP Data Conversations
I’m still working on the ONT test and doing labs, so I marked up a lab for me to work. I’m using the same setup as I did last time. The two routers are 3640s running 12.4(25b).
Part of the lab was to identify HTTP traffic coming into F0/0 and mark it as CS3. That’s pretty easy, right? Of course, the lab I made up was a little more complicated, but the point comes across clearly with a simpler example.
QoS Pre-classify and Class-map Order
ONT - Epic Fail
I failed the ONT test today. It was an utter lack of subject matter knowledge that did me in from the beginning. When the first three questions mention things that I’ve never even heard of, it’s going to be a long test. I’ll take blame on it for sure, but the test was a lot darker than I imagined it would be.
I heard from a couple people that the ONT test was the easiest of the 4 CCNP tests. I must say today’s test was a LOT harder than the ISCW test I took back in December. Most of the questions were fair, but there were a few that were downright evil or unanswerable. Without giving too much away, there were some matching questions that had multiple items with multiple answers, rendering the answer a guess. I even ran into a CLI question about the WLC, which surely wasn’t mentioned anywhere I studied, and I don’t have a spare sitting around on which to test. The icing, though, was the number of questions about FRTS; I know I need to understand it, but the magical question dice landed on that topic way too many times in my opinion.
ONT Notes - WLAN Management
Elements of Cisco Unified Wireless Network
- Client devices - Cisco compatible extensions on WLAN clients
- Mobility platform - allows configuration of LWAPs through WLCs
- Network unification - integration into the rest of the network with WLCs doing RF management, IPS, etc.
- World-class network management - centralized management through WCS
- Unified advanced services - supports advanced technologies and threat detection
WLAN Implementation
Autonomous and LWAP
| Category | Autonomous | LWAP |
|---|---|---|
| Access Point | Autonomous APs | LWAPs |
| Control | Individual configurations | Configuration through WLCs |
| Dependency | Independent operations | Dependent on WLC |
| Management | CiscoWorks WLSE and WDS | WCS |
| Redundancy | Through APs | Through WLCs |
Wireless LAN Services Engine (WLSE)
ONT Notes - 802.1x and Encryption on LWAPs
- Traditional WLAN weaknesses
  - SSID for security
  - Vulnerable to rogue APs
  - MAC filtering for security
  - WEP
- WEP weaknesses
  - Distribution of static keys is not scalable
  - WEP keys can be cracked easily
  - Vulnerable to dictionary attacks
  - No protection against rogue APs
- Benefits of 802.1x
  - Centralized authentication through RADIUS via AAA
  - Mutual authentication between client and auth server
  - Can use multiple encryption algorithms (AES, WPA, TKIP, WEP)
  - Automatic dynamic WEP keys
  - Roaming
- Requirements of 802.1x
  - EAP-capable client (supplicant)
  - 802.1x-capable AP (authenticator)
  - EAP-capable auth server
Table 1. Characteristics of the EAP variants
Migrating CSM Serverfarms to Other Server VLANs
A coworker brought an interesting problem to me the other day. He wanted to move a serverfarm from one server VLAN to another without taking an outage. Since I didn’t want to have to come into the office late at night to do work, I decided to see what we could do.
It turned out to be pretty easy. We tend to think of CSM VLANs as pairs – you have the client VLAN for the web servers where the vserver sits and the server VLAN where the serverfarm sits. The CSM doesn’t know about these relationships; all it cares about is whether the servers are in a server VLAN, and we can use that to our advantage here.
ONT Notes - Queuing
Here are some more notes from my studies. Of course, no one cares about them but me, but it’s my blog. I’m sure someone will find it useful. Please help to correct dumbass mistakes.
- Congestion
  - Speed mismatch - traffic leaves a lower-bandwidth interface than the one it came in on
  - Aggregation problem - lots of links with one egress of equal bandwidth
  - Confluence problem - a bunch of traffic needs to egress out of the same interface
- Queuing
ONT Notes – Classification, Marking, and NBAR
Here’s another set of notes from my ONT studies. I’m sure someone will find it useful. Please help to correct dumbass mistakes.
- Classification is done with traffic descriptors
  - Ingress interface
  - CoS value on ISL or 802.1P frames
  - Source/destination IP address
  - IP Precedence or DSCP value
  - MPLS EXP
  - Application type
- Layer 3 QoS
  - Type of Service (ToS) is an 8-bit field.
  - First 3 bits of ToS are the IP precedence.
  - First 6 bits of ToS are the DSCP value.
  - Last 2 bits of ToS are explicit congestion notification (ECN).
- Layer 2 QoS
ONT Notes - Intro to QoS
I’ll try to keep it a little shorter this time.
Major issues for converged enterprise networks
- Available bandwidth: competition among applications
  - Fixes
    - Increase bandwidth: More power!
    - Properly queue based on classification and marking: QoS
    - Compress: cRTP, TCP header compression, etc.
- Delay: Lead time to get a packet to the destination
  - Types of delay
    - Processing delay: routing, switch delay
    - Queuing delay: how long a frame stays in an output queue
    - Serialization delay: how long to put the frame on the wire
    - Propagation delay: the time to cross the physical medium
- Jitter (delay variation): Variation in the delay
  - Different delays mean different arrival times
  - De-jitter buffers save up packets to reduce jitter (like the old CD writers)
  - Fixes
    - More bandwidth
    - Prioritize sensitive data and forward first
    - Remark (reclassify) packets based on sensitivity
    - Enable L2 payload compression: make sure compression delay isn’t worse than the jitter
    - Use header compression
- Packet loss: Packets are lost in the network somewhere
  - Fixes
    - More bandwidth
    - Increase buffer space: more room for the queue on the interface
    - Provide guaranteed bandwidth: Queuing and QoS
    - Congestion avoidance
      - Random Early Detection (RED) and weighted RED (WRED) drop packets before the queue is full
      - Selective dropping is better than FIFO or LIFO dropping
QoS History
ONT Notes - VOIP Networks
Here are some of the notes I’ve been taking while reading over the ONT book. I hope it benefits somebody. Feel free to correct any stupid mistakes as a paraphrase to avoid a lawsuit.
There’s way too much info here. I’ll refine the process a little better for the next topics.
Benefits of Packet Telephony Networks
- More efficient use of bandwidth and equipment - Packet telephony networks don’t dedicate channels or a static bandwidth to a call; it’s just another network application.
- Consolidate network expense - The common infrastructure (IP-based networks) keeps you from having to support another distinct network for voice like in traditional PBX implementations.
- Improved employee productivity - The phone can be used for more than just phone calls by utilizing the XML interface to run applications or provide content from the network.
- Access to new communications devices - IP phones can communicate with computers, network gear, PDAs, etc., and not just the PBX.
Packet Telephony Components
CSCtd31622 - CSM, Cookies, and the year 2010
ASA and Proxy ARP
Wow. A new entry. Everyone sit down before you pass out.
I’ve got a real-world example for you today. We have an ASA 5540 installed at a business unit with interfaces in multiple networks, including one containing the production servers and another containing the accounting servers. The production network sits on a 7600 that’s not ours, so, to avoid IP conflicts, we are statically NATting connections into that network. The 7600 has many, many VLANs, and, since the firewall and production servers are on different VLANs, there’s an interface VLAN between us. Sounds pretty straightforward, but it just wasn’t working when we tried to connect between the interfaces.
Getting Temperature Data from a 6500 via SNMP
I apologize to my adoring fans (both of you) for the lack of posting. I’m in the middle of moving, buying a new house, selling my current house, getting a mortgage, etc. I’ve been up until 11:30 nearly every night filling out forms and going through red tape. Don’t get me started on getting money from a 401k! Anyway…
I got in this morning, and a coworker was telling me that the data center’s HVAC was crippled due to an oil leak, and it was 90F in there. D’oh! It wasn’t quite that high, but it was warm. Luckily, all of our network gear is on the end of the rows with AC, so we’re safe, but it got me thinking about monitoring the temperature of our 6500s via SNMP. I’ve done it via Cacti, but I never really looked at how to do it manually.
BCMSN Notes - EtherChannel Distribution
EtherChannel lets you aggregate links into one logical connection, but the distribution of traffic is not uniform. It does not use per-packet load-balancing or the like to determine what interface in the bundle to use. Instead, it uses an XOR function on packet information to generate a hash that is used to determine what interface to use.
By default, the switch will use both the source and destination IP addresses to generate the hash, but there are lots of others.
BCMSN Notes – STP States
I’ve decided to take on the CCNP certification, so I’m going to wind up with a few posts that will be more my own notes than anything. :)
A switch port on a 2960 comes up with a default configuration on VLAN 1. What happens from the perspective of spanning-tree?
- First, the port comes up in blocking mode. This is to make sure that loops aren’t created without first listening to the network to see what’s going on.
- Next, if the port may be a root or designated port, the port is moved to the listening state. In this state, the port can send and receive BPDUs only. It can’t send traffic, but it can discover the other switches participating in STP.
- After the forwarding delay, the port goes into the learning state. In this state, the port can send and receive BPDUs as in listening, but it can now receive traffic. It can’t yet send any.
- After the forwarding delay again, the port goes into the forwarding state. The port can now send and receive data.
If the port is configured with spanning-tree portfast, the mode goes from blocking directly to forwarding without going through these steps. Obviously you don’t want a switch plugged into a port configured for portfast since you may wind up with a loop.
Using SSH to Run Commands on a Router or Switch
SSH is more than just a shell. You can copy files from and to a server or piece of network gear with it. You can use it to tunnel traffic. Possibly my favorite, though, is to use SSH to run a command on a remote box without interacting with a shell.
One of my biggest pet peeves with IOS (or pretty much any Cisco OS) is the lack of complex filtering. Let’s say I want to look at all the downed ports and interfaces on modules 3 and 6 of my 6509. I can’t easily do that with a command from IOS, but, on my Linux box, I can use multiple grep commands to get exactly what I want really easily. Let’s work through the example, shall we?
Server NIC Aggregation to a Cisco Switch
RSPANs on Cisco Switches
We discussed SPANs earlier, but let’s talk about RSPANs for a bit.
Can anyone guess what the “R” means? You guessed it – “Remote”. An RSPAN is a way to get traffic from a SPAN source on one switch to a SPAN destination on another switch that’s connected via a trunk.
The basic premise is that a special VLAN is created on all the switches and allowed to traverse the trunks. You then set up a SPAN session that copies your traffic to this special VLAN. This VLAN then gets the traffic to the other switches through some voodoo magic to be used as source for a SPAN on another switch.
SPANs on Cisco Switches
I can’t believe I haven’t blogged on this yet. SPANs are one of my favorite things in the world.
The switched port analyzer (SPAN) is a mechanism on Cisco switches that allows you to take traffic on one port and copy it to another. It’s generally used to get traffic to a sniffer or IDS for analysis, but it’s a great tool to use to sample traffic from a host for troubleshooting.
CSM Probe Status of ???
I must be bored since I’m posting again.
A colleague asked me to change the failed value of a TCP probe today. It was no big deal, but, when I looked to see the status of the change, I noticed interesting stati of the RIPs.
```
switch#sh mod csm 7 probe name TCP80-PROBE detail
probe        type  port  interval  retries  failed  open  receive
---------------------------------------------------------------------
TCP80-PROBE  tcp   80    20        3        120     10
  Description: Quick fail recovery
  recover = 3
real              vserver  serverfarm  policy     status
------------------------------------------------------------------------------
192.168.1.45:80   VS01     FARM01      (default)  ???
192.168.1.44:80   VS01     FARM01      (default)  ???
192.168.1.43:80   VS01     FARM01      (default)  ???
192.168.1.42:80   VS01     FARM01      (default)  ???
```
It seems that when a change is made to a probe, the CSM discards the state of the probe and starts over. If you catch it before the first probe is finished, you’ll get a status of “???”. I’m just picturing the CSM saying “Uhh…I…don’t…know”.
Fail Actions on CSM Serverfarms
I’ve talked about probes and stuff on the CSM, but I never mentioned what happens to the connections to a server that fails. That is, if I’m connected to server A in a cluster and that server suddenly commits ritual seppuku, what happens to my connection through the CSM?
Remember how the CSM works? You connect to the VIP, some state tables are updated, your packet’s destination IP is changed to a RIP, and the packet is forwarded. The point I want to emphasize this time is the state table. If you were to send another packet to the same VIP on the same port, the CSM would look in its state table and see that you’re already connected to a server and just forward you on over after a NAT. What if that server has suddenly died?
Configuring Dedicated Trunks for the CSM
Did you catch the article on setting up fault tolerance on the CSM? In that article, I mentioned that Cisco recommends a dedicated trunk for the FT VLAN if you have two HA CSMs in two chassis. Discuss amongst yourselves while I drone on.
Why should you set up a dedicated trunk for this stuff? The most obvious reason is to be sure that normal traffic doesn’t step on the syncing traffic. Since we’re syncing state information as well as configuration, the frames need to arrive in a timely manner. Any errors could potentially disrupt the FT process, which is bad. You surely don’t want the primary to fail only to find out that the standby doesn’t have the complete or current config.
Using MAC Access-lists
We ran into this today, and, though I knew it existed, I never actually saw it in the wild. I’m talking about MAC access-lists.
In the example setup, we have a DMZ off of a firewall that contains a whole mess of servers – email, web, ftp, etc. These should all be in the DMZ for sure, but they shouldn’t talk to each other. If a bad guy was able to own my FTP server, he would have a nice platform to use to attack my email server. That’s not cool, so we’ve put in MAC access-lists to help out.
The Cisco Network Hierarchical Model
Free and Awesome Network Tools
A Simple BGP Lab with Dynamips/Dynagen
Dynamips and Dynagen
I’ve run across articles for these apps a thousand times, so I thought I’d get in on the action. Dynamips and dynagen are a pair of apps that make simulating Cisco routers very easy. I use them constantly at the office (and even at home on the couch) to try out new configs and even new IOS versions.
Dynamips is the brains behind the operation. It was written to simulate Cisco 7200s for testing, but, eventually, it came to support several platforms, including 3600s, 3700s, and 2600s. You can use it to simulate a whole series of routers that are directly connected together through their interfaces, through virtual switches, or even connected to real interfaces on your box to pass traffic out through the real network. It uses real IOS images, so you can run whatever you can download. The problem with it is that it’s very complicated to use; if you did a fully-populated 7206, your command line would be 5 lines long and not make a lot of sense.
Monitoring the CSM with SNMP
Object Tracking and HSRP
Intro to Policy Routing
I like layer-3 switches. They give some great flexibility and bang-for-the-buck, but most people overlook one issue with these things that can cause security problems. Most people configure the VLANs, put an IP on the VLAN interfaces, and put it in production, but the packets don’t actually flow the way they think they do.
Let’s check an example. Here’s what the proverbial you had in mind when you plugged your web server, management server, and firewall into your 3750.
Getting Started with the Cisco CSM
Finding Hosts on Layer 2
HSRP Interface Tracking
Remember the article on router-on-a-stick? And the one on HSRP? Let’s add to that example network, shall we? Let’s make those routers into edge routers so they connect your internal network to the Internet with some size circuit. Let’s just say they each terminate DS3s to different providers.
Here’s our network now (I’m experimenting with Visio alternatives, so excuse the diagram footer there). Let’s assume that we have HSRP set up like the HSRP article and that we have many sub-interfaces on the Ethernet side of the routers like the ROAS article. Also, Router1 is the HSRP active peer and each router has a default route pointing to the upstream ISP through interface Serial 0/0.
SNMP v3 is Easy!
Setting Up SSH on IOS Devices
Running HSRP for Availability
In the article describing a router-on-a-stick, I mentioned that I would use two routers that run HSRP for availability, so I figured that I would write up a short post on what it is and how it works.
HSRP (Hot Standby Router Protocol) is a Cisco-proprietary protocol for establishing two or more layer-3 devices as a fault-tolerant gateway. Please note that it is not a routing protocol like OSPF or BGP. HSRP provides availability and fault-tolerance…it does not advertise routes. I actually found several Google results that said it was a routing protocol. Those were on the first page of the results, so be careful when searching! Webopedia.com is terrible.
Router-on-a-Stick
Ever heard of a router-on-a-stick? Go ahead and laugh…everyone does. It’s a funny name for a very serious topic, though. A router-on-a-stick is a network configuration that uses a single router interface as a gateway for more than one network segment. You literally take a single Ethernet interface, put it on multiple VLANs, and set up the IP address stuff.
Here’s how it works: The router is plugged into a port on a switch that is configured as a trunk that carries all the important VLANs. The router is configured with Ethernet sub-interfaces (just as you do frame-relay or ATM sub-interfaces) – one for each VLAN. Piece of cake.