Cisco on Aaron's Worthless Words

Cisco Live 2018 - Yes, I Went Too

Wed, 04 Jul 2018 00:00:00 +0000

It’s been a very busy month or so. June is always like that, it seems. There’s ARRL Field Day, which is always the last rainy weekend in June. This year, Cisco Live was in June, and that typically includes Tech Field Day activities. Right before that, we had the whole family in town for a family reunion. There was all sorts of stuff going on. Now that most of that has blown over, I’ve collected my thoughts and wanted to talk about Cisco Live this year.

Cisco Live US 2017 - The Plan So Far

Tue, 21 Feb 2017 00:00:00 +0000

Put it on your calendar. Cisco Live US is June 25 - 29, 2017, in Las Vegas. This is the largest conference I go to every year, and it’s the highlight of my professional year. I’ve been going for a few years now and enjoy it for the content and camaraderie. What are we doing this year?

We’ll fly in on Friday again and do something. No idea what, but I imagine we’ll throw out an invitation for dinner to the public and meet somewhere. If you’re going to be in town, let me know, and we’ll meet up.

Cisco Clock Issue - This Is Really Bad

Sun, 05 Feb 2017 00:00:00 +0000

Check out this advisory from Cisco that came out a couple days ago. You need to read it and act on it immediately! I’ll summarize for you : Thanks to a faulty clock signal component, certain Cisco devices will stop functioning after about 18 months and become really expensive bricks! Reading through it, you’ll see phrases like “we expect product failures” and “is not recoverable.” Seriously, what the hell? This really warms the heart.

QoS? Really?

Sat, 20 Aug 2016 00:00:00 +0000

I wrote this post during Cisco Live and said “I’ll just give it a once-over tonight and publish it.” That was something like 6 weeks ago now. What a loser I am.

Yes, really. QoS has actually gotten some attention this year. After how many years of living in the dark and being feared by junior and senior engineers alike, we’re seeing some really cool technologies coming out for it.

Cisco Live 2016 - Everything Is Coming Together

Tue, 12 Apr 2016 00:00:00 +0000

It seems that Cisco Live is about the only thing I blog about in the last…well, few years. At least I’m still writing, even if it is twice a year. :)

Here’s a summary about Cisco Live for those who live in a dark hole. It’s July 10 - 14, 2016, in Las Vegas. If you do anything with Cisco, you should go. If you do anything with technology that isn’t Cisco, you should go. Bring your significant other. There’s plenty to do for everyone. Anyway, on to the details for this year’s show.

Cisco Live - The Complaints

Tue, 16 Jun 2015 00:00:00 +0000

You should know by now that I always find something to complain about. Is that a bad thing? Probably. Does it help improve things? Absolutely!

Again, I love going to Cisco Live every year. Without question, it’s my favorite event of the year. It’s a great event with great people and great things to do. With that said, let’s look at what could have been a bit better this year.

Cisco Live 2015 - Helping Others

Sun, 14 Jun 2015 00:00:00 +0000

Another year, another Cisco Live. Boy, was it a good one. San Diego is a great city, and convention center there is plenty big to take care of all 25k attendees. On top of that, the city itself is equipped to handle groups of 40 roaming the streets looking for food and entertainment.

This year’s event had the usual stuff that everyone talks about - breakout session, keynotes, exams, etc. - but Cisco stepped outside of technology this year by helping others.

Recap - Cisco Live US 2014

Sat, 31 May 2014 00:00:00 +0000

I don’t think I’m going to give a direct review of Cisco Live US this year. The conference was great with lots of stuff going on, but I really can’t contribute any more than the vast library of other posts on the subject. What I will do, though, is give my take on where I think the conference is headed. These are all my thoughts and have little to do with reality in some cases.

My Schedule for Cisco Live 2014

Fri, 18 Apr 2014 00:00:00 +0000

Everything is in order for my trip to Cisco Live 2014 in San Francisco. Conference passes are purchased. Hotels are reserved. Flights are booked. It’s going to be a great event, and I can’t wait!

Note: My wife will be with me again this year, and she is trying to get a tour group going to look around the city while others are in sessions. If you want to be in on the tourist action, contact her via Twitter.

Taking the Old Approach to Cisco Live 2014

Tue, 25 Mar 2014 00:00:00 +0000

I was just reading through Bob’s blog post from today and wanted to give a rebuttal of sorts. In his post, Bob tells us that’s he’s going to be at Cisco Live US in San Francisco this year but he won’t be coming on the Full Conference pass like he usually does. He’s going with the Social Event pass this year, which is actually a great, great way to attend. I know several people who are thinking about scaling back to the Social Event pass as well, and there’s nothing wrong with doing it like that. There are some things that it doesn’t get you, though.

Read This if You're Going to Cisco Live in May!

Thu, 13 Mar 2014 00:00:00 +0000

Do not tell anyone I told you, but I heard a rumor today. It looks like the attendees will be in for quite a treat for the 25th Anniversary of the Customer Appreciate Event. It seems that we’re all going to be shipped off to AT&T Park for the show! It’s the home of the San Francisco Giants and a beautiful stadium. And guess who’s going to be there? Yes, me. And my wife. And about 984572 of my friends. But so will Lenny Kravitz and Imagine Dragons!

Why Cisco Live Each Year?

Wed, 26 Feb 2014 00:00:00 +0000

We all know what Cisco Live is, right? Networkers? The Cisco users’ conference? If not, then educate yourself, friend. It takes place every year in different parts of the world. I try my best to go every year to the US event and am lucky to be able to go this year. It costs a bagillion dollars and a week of my time; why am I so excited about going? Easy answers in no particular order.

Cisco Live 2013 Insights - Catalyst 3850

Thu, 04 Jul 2013 00:00:00 +0000

Cisco Live is obviously the biggest networking event of the year, and Cisco likes to use all the attention to show off some of their new gear. I must say I was impressed with some of the Enterprise offerings including the 6807-XL, the 6880-X, the 4451-X, and the Sup 8-E for the 4500-E (check out the Nexus 7700, too, even though they aren’t Enterprise class). Those boxes definitely gave me a bit of a tingle when I was checking them out, but my eyes opened up when I saw the 3850 in one of my sessions and on the show floor.

Cisco Live 2013 Insights - Cisco Tactical Operations

Wed, 03 Jul 2013 00:00:00 +0000

While walking through the World of Solutions, we ran across a big black truck with lots of antennas all over it. It was obviously an emergency communications vehicle of some kind, but I was really surprised to see it was a Cisco truck. It turns out that Cisco has a Tactical Operations group (Twitter) that was formed to provide disaster responders with much-needed communications for EMAs, fire, police, medical, etc.

The big truck was the NERV - the Network Emergency Response Vehicle (PDF link). It’s full of traditional HF, VHF, and UHF radios that the ham radio operators usually bring to these disasters. This is a necessity when all phones, cell, and Internet are down. It could be the only way fire fighters are able to call for reinforcements or the only way a hospital can call for more supplies. The NERV, though, takes it to the next level. On top of the radio gear, it is equipped with satellite uplinks for Internet access, wifi, and digital voice and video through UCS Express, IP phones, and Telepresence. Analog voice is always the first method of communications restored via battery- or generator-powered gear, but an area will eventually need a network with voice and video. That’s where the NERV comes in.

Cisco Live 2013 Insights - Cisco Active Advisor

Tue, 02 Jul 2013 00:00:00 +0000

Yes, I went to Cisco Live and survived. It was the social event of the year, but the main focus is learning about the cool, new stuff. One of the booths I visited was a demonstration of Cisco Active Advisor.

This is a cloud-based (BINGO!) application that keeps an eye on the lifecycles of your IOS devices. Using the web interface, you can scan a range of IP addresses from your machine and have your gear automatically added to the service. Once in there, you can see, among other things, the warranty and support contract information for your device. If your contracts is about to expire, it’ll let you know via email. It also tracks any vulnerabilities that may apply and emails you if any are detected. This beats trusting your reseller to send you renewals or watching an RSS feed for PSIRTs and field notices.

My Schedule for Cisco Live 2013

Sun, 31 Mar 2013 00:00:00 +0000

I’m all set up to go to Cisco Live in Orlando this year. Good thing, too, since I couldn’t make it to San Diego last time. It’ll be a great and fun time as usual, and I’m quite excited.

As it turns out, ARRL Field Day happens to be the weekend leading up to the festivities. I’ve been in contact with the local Orlando club, and they say the attendees are more than welcome to join them. They are meeting at the City of Orlando Emergency Operations Center, which is about 20 minutes away from the Convention Center.

The Usual End of the Year Tripe

Sun, 30 Dec 2012 00:00:00 +0000

The year is finally coming to an end, so it’s time yet again to look at goals and embarrass myself by publicly admitting that I didn’t meet them. Oh, well. Let’s get this done so I can go back to sleep.

I changed the layout of the blog, so the page with my goals isn’t really visible. Here’s what I claimed I would do this past year.

Select a CCIE training vendor - Yeah…this didn’t happen. This is a very high-priced item, and I simply couldn’t afford the packages I wanted. We’re talking $8k - $10k for everything. Yikes! I asked management at work to pay for it. They said they would but that I would have to agree not to leave the company for some long length of time. I didn’t want to put myself in a situation where finding a new job meant writing a check for $10k, so I decided to pass on it. Without the financial backing, this ended with me just sighing pitifully on my couch.
Take the CCIE R&S lab - Of course this didn’t happen without the first one. I guess I could have bought the materials that I could and just got on a bus to Raleigh to see what happens. This whole thing was complicated by the fact that the new job is 95% Juniper. My waking hours at work and my study time at home were spent trying to figure out how Junos works; I tried my best, but it was just too difficult for me to study both at the same time. For the trifecta of excuses, I also had an issue with my study area. I went from a 4-bedroom house to a 1-bedroom apartment when we moved for the new job. There’s no quiet space at all to study at all - a huge problem I need to fix.
Pass JNCIA-Junos exam - Wo! I actually did this one. I took this exam a few months back and passed it without any problems. Good for me! One out of three!

As for my goals, it really wasn’t a very good year. Even for me, it was bad. I’ll tell you, though, it’s very hard to study when you don’t have one subject or a place to do so. Definitely things I need to work on in 2013.

An Interesting Interview Story

Fri, 31 Aug 2012 00:00:00 +0000

We’ve been looking for a new Network Engineer for quite a while but are having no luck at all. There is plenty of talent out there, but finding a high-end Juniper guy is almost impossible around here. We’ve loosened up our requirement for Juniper experience just to get someone in for interviews. This led us to one prospect and an interesting story.

This guy’s resume was very impressive. For the last 5 years, he’s been the Network Architect at a very large company. His experiences were off the chart. Large-scale Enterprise deployments. Monster PCI environments. Years of Juniper experience. Years of Cisco experience. I had to talk to this guy, so I got a phone interview with him.

CCIE R&S Written - Epic WIN!

Wed, 24 Aug 2011 00:00:00 +0000

The wife and I had a romantic day driving several hours to a small town to take Cisco exams. If this doesn’t get me some action, I don’t know what else to try.

I’ve already used the phrases “skin of my teeth” and “a pass is a pass” on Twitter today for good reason. Passing is a score of 790, and I blew that away with a 790. One more lapse in concentration and I would have been making up more excuses instead of smiling. I think I’ve mentioned this before, but I have this weird reaction to taking exams where I don’t get nervous at all until after I’m finished. Walking into the testing center, I was fine. Walking out, I was shaking like Northern Virginia. It was so bad that I could barely hold on to the door knob when trying to leave, so I guess that I’m really prouder than I thought I was.

OSPF Notes - LSA Types

Thu, 02 Jun 2011 00:00:00 +0000

Yes, it is inevitable that I cover these. I’m sure network types will be next. Per my usual request, please correct my stupidity.

Type 1 - Router : This LSA type lists all the routers by RID as well as the networks to which that router connects.

Type 2 - Network : These LSAs represent broadcast network where more than one OSPF router may live. Think Ethernet or multipoint segment. These LSAs are flooded by the DR for that segment.

OSPF Notes - Neighbor States

Thu, 02 Jun 2011 00:00:00 +0000

My prediction about covering network types was wrong. I’m going to puke out some information about neighbor states for now. As is always the case, corrections are welcome.

Down : No hellos have been received from this router.

Attempt : This state only applies to manually-configured neighbors on an NBMA network. In this state, a router has sent unicast hellos to the neighbor but has not received any back from it.

OSPF Notes - Message Types

Wed, 01 Jun 2011 00:00:00 +0000

I have had my nose deep in several books in preparation for my CCIE R&S written exam, so I haven’t been blogging much at all. Now that I’ve made it to the more familiar topics, I’m hoping to get some notes posted. I’ll start with OSPF message types.

As always, please feel free to correct me here. I’m learning just like the rest of us.

Hello : These messages are used to establish neighbors and serve as keepalives among other things.

Home-grown IOU Scripts

Mon, 16 May 2011 00:00:00 +0000

I’m sure you’ve all heard of Cisco IOU by now, and I’m finally catching up with the other bloggers of the world by mentioning it. It’s an executable version of an IOS image that runs on a Unix (or Unix-like) platform and it’s the backend behind Cisco’s Learning Labs. Instead of running an emulator and loading up various images, you just run the executable and you’re on the console of a Cisco router. It has layer 2 support, so you can fire up switches as well. Being a binary makes it way more efficient than GNS3 will ever be, and the layer 2 support is a wonderful, wonderful feature to have.

Cisco Live 2011 Schedule

Fri, 29 Apr 2011 00:00:00 +0000

For the first time ever, I’m headed to Cisco Live - the big Cisco users conference in Las Vegas! I usually don’t go to these things since I wind up just hanging out by myself, but I’m meeting all sorts of people there - from bloggers to Tweeps to personal friends. It should be a huge blast, and I can’t wait to get there.

For those interested, here’s my schedule.

Stubby Post - Final Tally of 3750 Failures

Fri, 18 Mar 2011 00:00:00 +0000

It’s pretty widely known that I hate Cisco 3750 switches. We’ve had so many hardware and software failures with them that I’ve got a seriously bad taste in my mouth. Since I’m leaving for a new company, I thought I’d publish some statistics while I still have access to the numbers.

Total TAC cases online casino usa european roulette opened related to 3750s: 21 Number of 3750G-12S-S replaced: 21 Number of 3750G-24TS replaced: 7 Total number of RMAs issued: 28 Total number of 3750s in the company: ~120 Failure rate: 23.3%

Stubby Post - Cisco IOS Petition

Fri, 11 Feb 2011 00:00:00 +0000

Greg Ferro has brought back the petition for Cisco to provide an emulator to the community for learning. Since our current and only family of emulators is well on Garcinia Mangostana its way to oblivion, I ask that we all take the time and sign this petition. To use a cliché, we need to act now before it’s too late.

Stubby Post - Changing the Prompt on the ASA

Thu, 20 Jan 2011 00:00:00 +0000

RichardF commented on an article I wrote last November and mentioned the prompt command in the ASA. I never set aside any time to research it, but I finally took the time today while waiting for a maintenance window.

This is one of those little things in life that make me happy. Since the active ASA always has the same hostname and IP address, I find it hard to keep track of to which firewall I’m actually connected. That “configurtions are no long in sync” message you get when you conf t on the standby firewall really irks me. With the prompt command, I can see which firewall I’m on and in what state it is.

Stubby Post - Null VTP Domain Scare

Wed, 05 Jan 2011 00:00:00 +0000

Remember a few weeks back when I had a bad day? I was actually at HQ that day to do some work for a project, but that got put off due to the extenuating circumstances. When we finally got back around to do the work, we wound up adding a switch in the data center to extend a VLAN over to a rack.

Another Blow to Dynamips/Dynagen/GNS3

Tue, 30 Nov 2010 00:00:00 +0000

It looks like Cisco is trying to crack down on illegal distribution of their software. I can’t really blame them since it’s their property.

Configuring an Active/Passive ASA Pair

Sat, 20 Nov 2010 00:00:00 +0000

A buddy asked for some help on configuring a pair of ASAs in active/passive mode, and, by pure coincidence, my newest project is to set up the same. I’ve done it many time, but it’s one of those things that you don’t really do every day (unless you’re a VAR or something). These things always get covered in rust very quickly in my head, but, once I get one or two details back to the surface, it all comes flooding back. I better take the time to jot down the details.

Stubby Post - Changes to CCNA Voice, CCVP, and CCSP

Wed, 20 Oct 2010 00:00:00 +0000

I don’t usually cover news from Cisco, but they’ve changed some certification stuff around again, and I thought I would bring it up. This time they’ve changed the CCNA Voice, CCVP, and CCSP, so, if you’ve on those tracks, be careful what you’re studying!

CCNA Voice

Circle 28 February 2011 on your calendars. That’s when the CCNA Voice track gets a shakeup. The IIUC (640-460) exam will be no more, and passing CVOICE (642-436) will no longer be a valid way to get the cert. After the big day, you’ll have to take ICOMM (640-461). This seems to be a much broader exam instead of having the enterprise and commercial focuses in CVOICE and IIUC, respectively. Look out for both CME- and CUCM-based topics including a troubleshooting section.

CME Exercise #1

Thu, 07 Oct 2010 00:00:00 +0000

I tried something like this earlier this year with STP. It got rave reviews (from my mother), so I figured I try it again.

Below is a list of requirements for configuring a router as a call processor. In a lab or in your head, configure the router to support the features as listed. This isn’t a contest or anything like that. If you get it right, a virtual thumbs up is all I can afford to give you. There are some licensing issues for running this stuff in GNS3/dynamips, so I can’t help you out on that. I’ll just hint that GNS3 and dynamips will bind to real networks and that copies of a compatible IP softphone are available.

IIUC Notes - Voice Ports and Dial Peers

Mon, 04 Oct 2010 00:00:00 +0000

More of my IIUC study notes. As always, feel free to correct. I really need to have a real post, don’t I?

show voice port summary

Shows the voice ports available for use

R1#show voice port summary
                                          IN       OUT
PORT           CH   SIG-TYPE   ADMIN OPER STATUS   STATUS   EC
============== == ============ ===== ==== ======== ======== ==
50/0/1         1      efxs     up    up   on-hook  idle     y
50/0/1         2      efxs     up    up   on-hook  idle     y
50/0/2         1      efxs     up    up   on-hook  idle     y
50/0/2         2      efxs     up    up   on-hook  idle     y
50/0/3         1      efxs     up    up   on-hook  idle     y
50/0/4         1      efxs     up    up   on-hook  idle     y
50/0/5         1      efxs     up    up   on-hook  idle     y

An ephone-dn shows up as efxs, so all these are ephone-dns.
Channels are numbered 0-23; timeslots are numbered 1-24

FXS Ports

IIUC Notes - More Phone Features

Sat, 02 Oct 2010 00:00:00 +0000

Here are some more notes from my IIUC studies. As always, corrections requested.

Paging

Broadcasts messages to a group for a one-way communication
Paging groups are used to limit which phones get the broadcast
Paging can be unicast or multicast
- Unicast groups limited to 10 members
- Multicast requires mcast support on the network
Paging configurations can be unicast, multicast, or multiple-group

! Unicast Paging
! When 1044 is dialed, ephone 1 is paged
R1(config)#ephone-dn 44
R1(config-ephone-dn)#number 1044
R1(config-ephone-dn)#paging
R1(config-ephone-dn)#exit
R1(config)#ephone 1
R1(config-ephone)#paging-dn 44

IIUC Notes - Phone Features

Fri, 01 Oct 2010 00:00:00 +0000

Here are some more notes from my IIUC studies. As always, corrections requested.

Local Directory

Allows users to look up names
Allows names to show up when dialing or receiving a call
Most phones have a directory button; some have a menu options for the directory

R1(config)#ephone-dn 1
R1(config-ephone-dn)#name Roger Smith

Directory entries can be added manually

R1(config-telephony)#directory entry 1 1700 Corporate Fax
R1(config-telephony)#directory entry 2 1701 HR Fax

By default, sorting is done alphabetically by first name.
Sorting can be changed

R1(config-telephony)#directory last-name-first

IIUC Notes - Getting Phones on the LAN

Thu, 30 Sep 2010 00:00:00 +0000

More study notes. Correct if wrong, though I hope I get some of it right since I already since I’m an R&S guy. :$

**Switchport Configuration
**

switchport mode access: This config makes the port an access port that carries the primary and voice VLAN traffic
switchport mode trunk: This config akes the port a trunk unconditionally, but it will still send DTP messages
switchport nonegotiate: This config keeps the port from sending DTP messages.
switchport mode dynamic auto: If the port receives DTP messages, it will become a trunk. If not, it will be an access port.
switchport mode dynamic desirable: The port actively sends DTP messages trying to become a trunk. This is the default configuration on a Cisco switch.

Cisco IP Phone Boot Process

IIUC Notes - Assigning Ephone-dns to Ephone Buttons

Thu, 23 Sep 2010 00:00:00 +0000

These are some of my notes on my IIUC studies. Since I am a novice as voice stuff, please let me know what I get wrong.

An ephone is a representation of a phone. It’s basically a structure of features that a phone will have.

Configuration in CME:

R1(config)#ephone 34 <– This is just a tag and has nothing to do with an extension or phone
R1(config-ephone)#mac-address 1111.2222.3333 <– Assigns this ephone to the phone with that MAC address

IIUC Notes - Powering Cisco Phones

Tue, 21 Sep 2010 00:00:00 +0000

Feel free to correct anything that is wrong or incomplete.

Power over Ethernet (PoE)
- Can provide power to a Cisco phone, access point, security camera, etc., through the network cabling, eliminating the need to plug the phone into the wall for power.
- Generic term for providing power on the Ethernet cable
- Provides centralized power that can be put on a UPS
- Allows devices to be located away from power outlets
- Removes cabling clutter at the user’s desk
- Can be provided through PoE-enabled switches, power panels or inline couplers (power injectors)
- Oversubscription is common
  - If every device on a switch asks for full power, the switch may not be able to handle the load.
- Of course, devices can be powered with a power brick at the desk
802.3af

IIUC Notes - VoIP Structures

Tue, 21 Sep 2010 00:00:00 +0000

Feel free to correct. No need to sugar-coat it; I’m pretty new at this stuff. :)

Advantages of VoIP
- Reduces costs of communications: Eliminates/reduces long distance and international call tolls
- Reduces costs of cabling: No need for second network of phone lines
- Integrates all voice into one large network: All your remote offices can be implemented/maintained/controlled centrally
- Provides mobility: Moves, adds, and changes (MACs) are (nearly) eliminated since your phone is just a network node
- Allows use of IP Softphones
- Unifies emails, voice mails, and faxes: All these can be treated as a single box for user messages
- Increases productivity: Ringing multiple devices at the same time eliminates phone tag. <— pushing it, eh?
- Enhances communications: Applications can be launched/updated from a voice call through application servers
- Provides open, compatible standards: You can connect different vendor devices into the same VoIP network. <— I’ve never seen that happen
Cisco VoIP Structure

Stubby Post - Packetlife's Community Lab

Tue, 14 Sep 2010 00:00:00 +0000

I’m way behind in talking about this, but Jeremy Stretch over at Packetlife.net has a community lab that is free to use. This is a great resource for those of us who are too poor to have their own physical devices for Cisco studies. All you need is an account on the site and a sense of community.

There are two labs to reserve, and each contains a firewall, routers, and switches. This is plenty of stuff to get your feet wet with the gear, let you research some functionality that Cisco promised is great, and to lab out something you’re looking to implement. The lab is offered for free, but Jeremy is giving his time and money for this lab. I think it would be a great idea to drop a few dollars to him via his donate link if you use his stuff. If you’re a regular user and don’t donate, I ask that you do a moral inventory on yourself so you might see just how bad you are being.

Stubby Post - GNS3 Vault for the Win!

Sat, 11 Sep 2010 00:00:00 +0000

I was thinking about firing off some GNS3 labs as exercises for everyone to use. My thought was that I could generate a few small networks with a requirements doc and have people do the leg work as practice or for a study aid. You know, configure OSPF over this frame relay network or GLBP for load-balancing gateways. I gave up on that dream (like I do a lot of them), and wound up clicking around on GNS3 Vault. Rene Molenaar has already thought ahead and developed about 60 labs exercises that can be downloaded.

IIUC Notes - Old School Voice Stuff

Wed, 08 Sep 2010 00:00:00 +0000

These are the notes I’ve taken as I read through the study materials. Feel free to correct anything you see.

Analog phone signaling
- Misc
  - Ground = positive = tip
  - Battery = negative = ring
  - Signaling uses specific frequencies for specific events
- Loop start signaling
  - When a circuit in the phone is completed (i.e., you take it off-hook), the CO detects it and provides services.
  - Susceptible to glare, where the phone requests dialtone at the same time that the CO sends a call.
    - Can connect two different calls if in a business with multiple lines
- Ground start signaling
  - The circuit is temporarily completed to signal the CO for services
  - Doesn’t connect any call to any phone directly
  - Used in PBXes.
- Supervisory signaling
  - On-hook: Circuit is open
  - Off-hook: Circuit is completed
  - Ringing: AC current generated by CO to tell the phone to ring
- Informational signaling
  - Gives information for the caller to use
  - Dial tone
  - Busy
  - Ringback: the ring you hear when you call
  - Confirmation: the call is being attempted
  - Congestion: no lines available to make the call
  - Receiver off-hook
  - Reorder: can’t make the call
  - No such number: can’t find the endpoint
- Address signaling
  - Used to send digits
  - Dual-tone multifrequency (DTMF): uses two electrical signals to indicate a digit; touch tone
  - Pulse: flashes the circuit to indicate a digit; rotary dial
- Disadvantages of analog signaling
  - Attenuation
  - Repeaters can’t differentiate between call and noise
  - One cable pair for each call; think about a pair for each call taking place in Manhattan right now
Digitizing voice

Stubby Post - What's an IDB?

Fri, 03 Sep 2010 00:00:00 +0000

I posed the philosophical question on Twitter the other day asking if single trunk links should be in an EtherChannel bundle just in case you need to expand later. I didn’t really expect an answer, but the ever-verbose @WannabeCCIE pointed out (in not so many words) that you should watch your IDBs. What is that?

That’s an interface descriptor block. I admit that I’m not intimately familiar with them, bu they’re data structs in IOS used to keep track of the interfaces on that device. They come in two flavors - hardware and software. HWIDBs usually represent a physical interface but they also represent tunnels, SVIs, PortChannels, subinterfaces, and any other virtual interface that you can configure. The SWIDBs represent the layer-2 encapsulation of each HWIDB, so you’ll see entries talking about Ethernet, HDLC, PPP, etc. That means that every interface you have on a router consumes two IDBs (there are always exceptions). That’s important because each platform and IOS version combination has a limit to the number IDBs that device supports.

Catalyst 3750s - Bad Luck with a Cisco Logo

Tue, 31 Aug 2010 00:00:00 +0000

Last week, @fletcherjoyce posted an article on his blog about his positive experiences with Cisco’s 3750 switches. If you follow my complaints tweets, you know that I’ve had quite the opposite experience with them. I would never pick on anyone, but I had to throw in my 2 cents.

I’m guessing here, but we have about 50 3750 stacks in the enterprise. Most of them are pairs, you wind up with roughly 120 switches. Since we’ve done about 20 replacements over the last 5 years, that means we have a 17% failure rate. That’s pretty horrible, isn’t it?

Syncing IOS Versions on a 3750 Stack

Mon, 16 Aug 2010 00:00:00 +0000

For those that don’t know, when I say “stack”, I mean a group of 3750s connected together using the StackWise technology. When you use a very expensive and very proprietary cable, your individual switches are combined into a single logical device. This means you configure one device to control potentially many switches.

To the point. I’ve spent the last few weeks replacing a mess of 3750s in stacks. These guys are very easy to replace, but the big problem I find is getting the IOS version in sync. When the RMA comes, it’s inevitably got a different version on it, and you’ll see something like this.

Some Cisco Testing Advice

Sat, 24 Jul 2010 00:00:00 +0000

If you follow the blog, you know I’ve had quite an adventure getting my CCNP. Finally, this past Monday, after what seemed liked years of struggling, I finished up my ROUTE test and got the email telling me I’d made it. I’ve learned a lot over the course, but, more than the technical details, I learned more about how to prepare for the exams. It’s too bad I hit the moment of enlightenment after I reached the end of the line. Well, at least this line; there will be others very soon.

ROUTE - Epic Win!

Mon, 19 Jul 2010 00:00:00 +0000

Woohoo! I passed the ROUTE test this morning. That means I’m done with the CCNP track! :)

If you remember, I took it over a week ago and had some bad luck on it. Alright, bad luck is the wrong phrase. I didn’t study enough and failed it. This time, though, I had a special weapon on my side - the ROUTE Foundations book. I haven’t used the Foundations books before, but, I saw some tweets about this one, so I picked it up off of Safari. In just a couple pages, I realized that I was reading the answers to several questions directly out of the book. It was amazing. I only studied my weak points and wound up with 144 more points than I did last time. I can’t say that was entirely because of the book, but I must say it was a big reason.

ROUTE Notes - Further IGP Redistribution

Sun, 18 Jul 2010 00:00:00 +0000

As always, corrections are requested.

Study Questions

I’ve got IGRP and EIGRP both configured with the same AS number. What’s special about this configuration?

If both use the same AS number, then they automatically redistribute their routes into each other without using the redistribute command.

When redistributing one IGP into another, where’s a good place to filter routes?

There’s no one good place, but at the router(s) that’s doing the redistribution is a good start. There’s no need to send an IGP a bunch of routes it doesn’t need.

ROUTE Notes - Even More IGP Redistribution

Sat, 17 Jul 2010 00:00:00 +0000

I didn’t do so well on IGP redistribution the last time out, so here’s some more stuff to study. As always, feel free to correct.

Study Questions

What three things are needed to be able to redistribute one routing protocol into another?

1. One or more links into each routing protocol 2. A proper, working config for each protocol 3. The addition of the redistribute command to one or more of the protocols

ROUTE - Epic Fail (#1?)

Thu, 08 Jul 2010 00:00:00 +0000

I took the ROUTE test today and failed like I usually do. That makes me 3-4 on these P-level tests if you’re scoring at home. Don’t worry, though. I’m not giving up. :)

In atypical fashion, I must say that the ROUTE test was a good test. Let me say that again. The ROUTE test was a good test. I said good, though…not great. There were a few problems with it that I’ll get to, but, overall, this is the best test I’ve ever taken for a Cisco cert. The questions were very well-written and there were no obvious omissions or wrong details. I failed this test because I simply didn’t put in enough work.

ROUTE Notes - Controlling BGP

Tue, 06 Jul 2010 00:00:00 +0000

Corrections, please. I skipped a bunch of BGP intro stuff to get to the juicy center. I’ll see if I can come back later and finish the other parts for posterity.

Study Notes

Is BGP route selection a controversial subject?

Yes. If you ask 1000 network guys the best way to influence BGP, you’ll probably get 1000 different answers.

At what position in the PA list of a BGP update do you find the weight attribute?

You don’t. Weight is a Cisco-proprietary thing.

ROUTE Notes - Branch Office Routing

Mon, 05 Jul 2010 00:00:00 +0000

Corrigeme, por favor.

Study Notes

What do IPSec tunnels give you when a branch office is on a broadband connection?

Privacy through encryption Authentication of the remote peer through ISAKMP Delivery of private data over the public Internet

What do you need to configure to get your branch router talking to the Internet?

ISP connection configuration such as PPPoE or PPPoA DHCP server configuration for internal users NAT Firewall services like inspection and filtering

ROUTE Notes - Implementing IPv6 in an IPv4 Network

Sun, 04 Jul 2010 00:00:00 +0000

Study Questions

Your boss says that ever host in the network needs to be converted over to IPv6 by the end of the day. Which of multipoint tunnels, point-to-point tunnels, or native IPv6 would be the most appropriate to use to help with that conversion?

Native IPv6

The engineering department wants to permanently use IPv6 on their test boxes in two offices. Which of multipoint tunnels, point-to-point tunnels, or native IPv6 would be the most appropriate to use?

Point-to-point tunnels

ROUTE Notes - Routing IPv6

Wed, 30 Jun 2010 00:00:00 +0000

Study Questions

Why would anyone develop a version of RIP that supports IPv6?

I have no idea. Boredom, maybe. Whatever the case, it works just like RIPv2, which is pretty scary.

In EIGRP for IPv4, there are several requirements for two routers to neighbor up. Which of those is not true for EIGRP for IPv6?

The two routers don’t need to be in the same subnet. The concept of the link local address takes care of that need since neighbors always share a common medium like an Ethernet segment or a serial link.

ROUTE Notes - Intro to IPv6

Tue, 29 Jun 2010 00:00:00 +0000

Study Notes

Exactly how big is an IPv6 address?

It’s 128 bits long.

This shouldn’t be on the test, but how many unique addresses is that?

That’s 2^128 or a “3” with 38 zeros after it. That’s also 2^95 addresses for each person on earth.

Surely we’re not writing in binary, are we?

No way. IPv6 uses 32 hex characters. Each character is 4 bits, so we wind up with 128 bits of data.

ROUTE Notes - PBR and IP SLA

Thu, 24 Jun 2010 00:00:00 +0000

Feel free to correct.

Study Questions

What’s the most primitive way to get traffic destined to a single host to use a different path than your dynamic IGP dictates?

Use a static route.

What’s the most primitive way to get traffic sourced from a single host to use a different path than your dynamic IGP dictates?

Use policy-based routing (PBR).

What’s the most primitive way to get traffic sourced from a single host and destined for another host to use a different path than your dynamic IGP dictates?

Use PBR.

ROUTE Notes - More IGP Redistribution

Wed, 23 Jun 2010 00:00:00 +0000

As always, feel free to correct.

Study Notes

When a router redistributes from one routing protocol to another, where does the router get the list of routes to redistribute?

From the routing table. Only IGP A’s routes (not topology or successors) are redistributed into IGP B’s domain.

What are two methods of filtering redistributed routes?

Use a route-map in the redistribute line or a distribute-list.

Of the two methods for filtering, which one has more options?

The route-map method has more options. You can match on all sorts of stuff, including an ACL or interface, and filter based on that.

ROUTE Notes - IGP Redistribution

Tue, 22 Jun 2010 00:00:00 +0000

As always, feel free to correct.

Study Questions

When you redistribute OSPF into EIGRP, what are you really redistributing?

Routes knows via OSPF Networks of OSPF-enabled interfaces

What’s the default cost of an EIGRP route redistributed into OSPF?

What’s the default metric of an OSPF route redistributed into EIGRP?

There is none since EIGRP has all those nifty k-values that have to be processed. Routes actually won’t redistribute without them.

ROUTE Notes - OSPF Virtual Links and Frame Relay Stuff

Mon, 21 Jun 2010 00:00:00 +0000

Feel free to correct. I feel like I’m missing a big piece here, so please fill in a gap if you see one. Thanks. :)

Study Questions

How many area 0s (zero) can you have in an OSPF implementation

Just one.

If my company merges with another company, and we’re both running OSPF, how can we get our networks routing together properly?

The easiest thing to do is to connect your two area 0s together through some physical link. If you can, you can use virtual links to connect an ABR to another ABR to extend the zones together.

ROUTE Notes - OSPF Filtering and Summarization

Sun, 20 Jun 2010 00:00:00 +0000

Feel free to correct all this stuff. Additions are also welcome.

Study Questions

How do I keep an area route from reaching a router in that area?

You don’t. That defeats the whole purpose of having the topology database on every router. If you filtered one route from a router, there’s no way that SPF could calculate routes correctly.

Fine, then. Where do I filter routes?

You filter routes on an ABR or ASBR. Since routers only have the whole topology for their area, it’s safe to filter routes from another area or from a redistributed routing protocol. On a more technical note, you’re filtering type-3 LSAs on an ABR and type-5 LSAs on an ASBR.

ROUTE Notes - OSPF Topology Stuff

Sun, 20 Jun 2010 00:00:00 +0000

Feel free to correct.

Study Questions

The obvious first question involves the common LSA types and their function. Can you list them?

Type-1 - Router - Lists each router their connected IP addresses Type-2 - Network - Lists all the transit, or multiaccess, networks Type-3 - Net Summary - Defines a host route for interarea routes; this is from the ABR Type-4 - ASBR Summary - Defines a host route for an external (to OSPF) route; this is from an ASBR Type-5 - AS External - Lists the networks advertised into OSPF from external sources (redistribution) Type-7 - NSSA External - External routes injected into a not-so-stubby area

ROUTE Notes - OSPF Neighbor Relationships

Fri, 18 Jun 2010 00:00:00 +0000

Feel free to correct.

Study Questions

What are the definitions of the hello and dead intervals?

The hello intervals is how often a router sends hello messages. The dead interval is how long to wait before considering a neighbor dead from lack of hello messages; this is 4x the hello interval by default.

How do you keep OSPF from trying to detect neighbors on an interface?

Don’t configure a network statement for that interface Make that interface passive

ROUTE Notes - Controlling Routes in EIGRP

Thu, 17 Jun 2010 00:00:00 +0000

Corrections welcome.

Study Questions

Why would you ever want to summarize routes?

Summarizing routes minimizes the routes advertised to the network. For example, instead of advertising 192.168.0.0/24, 192.168.1.0/24…192.168.n.0/24, a router can advertise a single route to 192.168.0.0/16. Keeping routing tables small saves hardware resources, minimizes convergence times, helps avoid route flapping, and makes the routing table easier to read for humans.

When will an EIGRP router auto-summarize a route?

If a router has interfaces that that are in different classes of network (Class A, B, C), then that router will auto-summarize those routes up to the classful boundary. For example, if you have a 10.0.0.1/24 and a 192.168.100.1/30, the router will advertise 10.0.0.0/8 and 192.168.100.0/24.

ROUTE Notes - EIGRP Neighbor Relationships

Thu, 17 Jun 2010 00:00:00 +0000

Or neighborships, as they call it in the book. What a terrible word.

Study Questions

What settings must match between two routers in order to become EIGRP neighbors?

Both routers must be in the same primary subnet Both routers must be configured to use the same k-values Both routers must in the same AS Both routers must have the same authentication configuration (within reason) The interfaces facing each other must not be passive

ROUTE Notes - EIGRP Topology Stuff

Thu, 17 Jun 2010 00:00:00 +0000

Study Questions

How do you keep EIGRP from killing your WAN?

You can use the ip bandwidth-percent eigrp AS X command to limit the amount of bandwidth that EIGRP uses to update neighbors.

How does EIGRP calculate how much bandwidth it can use for each frame relay PVC?

By default, EIGRP takes 50% of the (sub)interface’s configured bandwidth (with the bandwidth command) to use for updates on NBMA (non-broadcast mutliaccess) networks like frame relay. This value is divided equally among all the PVC configured on that interface.

ROUTE - Redistribution Nuance #2 - OSPF External Metric Types

Sun, 06 Jun 2010 00:00:00 +0000

Last time, we talked about a nifty little lab I set up for redistribution and how the OSPF ASBRs acted a little differently than I expected. This time, let’s look at how changing external OSPF routes to a metric-type of 1 (E1) affects the routing tables.

Here’s the network again.

The static routes are being redistributed into their respective IGPs, and EIGRP is being redistributed into OSPF. Let’s look at the routing table on R1.

ROUTE - Redistribution Nuance #1 - Admin Distance FTW

Mon, 24 May 2010 00:00:00 +0000

I just got back from Global Knowledge’s ROUTE class, and I must say that it was a great class. John Barnes puts on quite the show and is the best instructor I’ve ever had. I digress, though.

One of the topics we covered was route redistribution, so I went back to the hotel one night and fired off this network in GNS3 to study a bit.

The object was to see how redistributing statics into OSPF and into EIGRP differ. It was also an opportunity to see how EIGRP redistributes into OSPF (and OSPF into EIGRP, but I didn’t make it that far). To do that, I redistributed 10.10.10.0/24 from R1 into OSPF and 10.10.20.0/24 from R4 into EIGRP. I then had R2 and R5 redistribute all EIGRP routes into OSPF. It’s a nice mix, but I saw some weirdness in the paths to 10.10.20.0/24.

Stubby Post - VTP Clients Send Updates

Tue, 18 May 2010 00:00:00 +0000

VTP clients send VLAN updates. Did you know that?

I had a VTP server and client in the same VTP domain, and, when I cabled up the trunk, the client overwrote the VLAN database on the server.

The moral of the story is that the best revision number will win no matter what the operating mode of the switch.

SWITCH - Epic Fail

Thu, 06 May 2010 00:00:00 +0000

I did my standard 2ish-hour drive to the closest testing center today to take the SWTCH test (642-813). Utter failure. That’s 3 for those scoring at home.

The test was the absolute worst I’ve ever taken. I know that I complain a lot, but this is totally justified in my eyes. My 4th grade spelling tests were better than this. I’ve seen kindergarten plays with better production value.

First of all, it was poorly written. Whoever wrote those questions has a few pieces of information about English sentence structure missing from their skill set. A sentence needs a verb, right? Well, a lot of the sentences were missing those. It’s kind of important to know what the whole point of the sentence is, or is that too much to ask? The “drag this over here” exercise questions all started with the same 13-word phrase that left the question so long that it was unreadable. A couple of commas would have been nice in some. Others I just had to infer from the answers what they were trying to ask.

Stubby Post - UplinkFast

Wed, 28 Apr 2010 00:00:00 +0000

I’ve got a few switches daisy chained together with single links and have enabled UplinkFast on them. This switch is not the root bridge; F0/24 is the root port and F0/23 is a blocked alternate port. I’ve got debug spanning-tree uplinkfast on to help out.

SW3#sh span | incl 0/2[34]
Fa0/23           Altn BLK 3019      128.23   P2p
Fa0/24           Root FWD 3019      128.24   P2p

Now let’s unplug F0/24 and see what happens.

SWITCH - STP Exercise #1

Thu, 22 Apr 2010 00:00:00 +0000

Here’s an STP exercise for you. Given the bridge priorities, MAC addresses, and interface types in the diagram, calculate the root bridge, root ports, designated ports, and blocked ports. You can click on the image to enlarge it. I’ll post a solution in the next few days. As always, feel free to comment and ridicule my utter idiocy. Be gentle, though; I don’t usually post exercises like this.

Send any configuration BPDUs questions my way.

A Quick Intro to Google's Capirca

Sun, 11 Apr 2010 00:00:00 +0000

Yeled left a comment earlier this week asking if I’d seen Google’s Capirca. I’d heard of it and checked out some presentation slides on it, but I’d never actually tried it out, so, in keeping with the script, I downloaded it to see what it could do. Remember, now, that I’ve been playing with it for about 2 hours now, so I’m no expert on its use.

Capirca is a Python-based solution that Google came up with to automate ACL creation on their many thousands of routers around the world. You can’t blame them for wanting to automate it, either. How many times do you think they ran into problems with typos or keying errors from their network guys across those devices?

ONT - Epic Fail Part 2

Fri, 19 Mar 2010 00:00:00 +0000

I took the ONT again today. The stench of failure is upon me for a second time, and I’m beginning to think I’m not the god-like person that everyone thinks I am. I went into the test very confidently. I did extra time on my weak points from the last attempt and knew it inside and out. I put hours and hours of lab time in and got other books and online materials involved. I was absolutely convinced that I would blow this thing away, but, alas, it was not to be.

ASA 8.3.1 – Smart Tunnel and NAT Changes

Fri, 12 Mar 2010 00:00:00 +0000

I’ll start off with a warning. I’ve been running 8.3.1 on my home 5505 for a few hours now. Not only is this not really enough time for a thorough review, it’s also not the environment to test enterprise-level configurations. There are also a lot of details missing that I just don’t know about yet, so please do some research on your own to figure out what’s going to break if you upgrade your ASA.

Stubby Post: Cisco Has Changed the Internet*

Tue, 09 Mar 2010 00:00:00 +0000

* For definitions of “changed” and “Internet”

Today Cisco announced their new CRS-3 that replaces the CRS-1. The CRS-3 has some damn impressive numbers for sure with 322Tbps, or about 1 LOC/sec (that’s a Library of Congress per second). In three to five years, it might enable some technologies that we can’t use today, but I think “chang[ing] the Internet” is a bit of a stretch. I’m sure it’s ultra-cheap, too.

NBAR and HTTP Data Conversations

Mon, 08 Mar 2010 00:00:00 +0000

I’m still working on the ONT test and doing labs, so I marked up a lab for me to work. I’m using the same setup as I did last time. The two routers are 3640s running 12.4(25b).

Part of the lab was to identify HTTP traffic coming into F0/0 and mark it as CS3. That’s pretty easy, right? Of course, the lab I made up was a little more complicated, but the point comes clear with a simpler example.

QoS Pre-classify and Class-map Order

Sat, 06 Mar 2010 00:00:00 +0000

I’m still studying for the ONT test, so I did some labs tonight. One of them was to demonstrate the qos pre-classify command for tunnel interfaces. When you have a packet sent over a GRE tunnel, the ToS field gets copied to the GRE packet, but there’s no way to see the original packet’s higher-level headers on the way out the interface. This can be a problem if your service policy needs to see protocol, port, IPs, etc. The fix for that is to enable qos pre-classify on the tunnel interface and cyrpto map; doing so will provide a copy of the original packet to the physical interface to classify the packet thoroughly.

Stubby post: ROUTE Cert Kit Giveaway

Thu, 04 Mar 2010 00:00:00 +0000

Rofi at ITDualism is giving away a ROUTE cert kit to a random commenter. Swing by there and put your name in the hat.

ONT - Epic Fail

Tue, 16 Feb 2010 00:00:00 +0000

I failed the ONT test today. It was an utter lack of subject matter knowledge that did me in from the beginning. When the first three questions mention things that I’ve never even heard, it’s going to be a long test. I’ll take blame on it for sure, but the test was a lot darker than I imagined it would be.

I heard from a couple people that the ONT test was the easiest of the 4 CCNP test. I must say today’s test was a LOT harder than the ISCW test I took back in December. Most of the questions were fair, but there were a few that were down-right evil or unanswerable. Without giving too much away, there were some matching questions that had multiple items with multiple answers, rendering the answer to a guess. I even ran into a CLI question about the WLC, which surely wasn’t mentioned anywhere I studied, and I don’t have a spare sitting around on which to test. The icing, though, was the number of questions about FRTS; I know I need to understand it, but the magical question dice landed on that topic way too many times in my opinion.

ONT Notes - WLAN Management

Sat, 13 Feb 2010 00:00:00 +0000

Elements of Cisco Unified Wireless Network

Client devices - Cisco compatible extensions on WLAN clients
Mobility platform - allows configuration of LWAPs through WLCs
Network unification - integration into the rest of the network with WLCs doing RF management, IPS, etc.
World-class network management - centralized management through WCS
Unified advanced services - supports advanced technologies and threat detection

WLAN Implementation

Autonomous and LWAP

Category	Autonomous	LWAP
Access Point	Autonomous APs	LWAPs
Control	Individual configurations	Configuration through WLCs
Dependency	Independent operations	Dependent on WLC
Management	CiscoWorks WLSE and WDS	WCS
Redundancy	Through APs	Through WLCs

Wireless LAN Services Engine (WLSE)

ONT Notes - 802.1x and Encryption on LWAPs

Fri, 12 Feb 2010 00:00:00 +0000

Traditional WLAN weaknesses
- SSID for security
- Vulnerable to rogue APs
- MAC filtering for security
- WEP
WEP weaknesses
- Disribution of static keys is not scalable
- WEP keys can be cracked easily
- Vulnerable to dictionary attacks
- No protection against rogue APs
Benefits of 802.1x
- Centralized authentication through Radius via AAA
- Mutual authentication between client and auth server
- Can use multiple encryption algorithms (AES, WPA, TKIP, WEP)
- Automatic dynamic WEP keys
- Roaming
Requirements of 802.1x
- EAP-capable client (supplicant)
- 802.1x-capable AP (authenticator)
- EAP-capable auth server

Table 1. Characteristics of the EAP variants

ONT Notes - QoS On Wireless Networks

Thu, 11 Feb 2010 00:00:00 +0000

Wireless LANs (WLANs)
- Extensions to wired LANs
- Carrier sense multiple access collision avoidance (CSMA/CA) as media access method
- Uses distributed coordinated function (DCF) for collision avoidance
- DCF is based on RF carrier sense, inter-frame spacing (IFS), and random wait timers
Wifi QoS standards
- 802.11e
  - IEEE standard
  - 0-7 priority levels
- Wifi Multimedia (WMM)
  - Four access categories
    - Platinum (voice) - 6 or 7 802.11e
    - Gold (video) - 4 or 5 802.11e
    - Silver (BE) - 0 or 3 802.11e
    - Bronze (Background) - 1 or 2 802.11e
- WMM and 802.11e replace DCF with EDCF
Cisco Split-MAC
- Splits functions between Lightweight access points (LWAPs) and WLAN controllers (WLCs)
- LWAPs handle real-time functions
  - Beacon generation
  - Probe transmission and response
  - Power management
  - 802.11e/WMM scheduling and queuing
  - Packet buffering
  - Encryption/decryption
  - Control frame/message processing
- WLCs handle non-real-time functions
  - Association/disassociation/reassociation
  - 802.11e/WMM resource reservation
  - 802.1x EAP
  - Key management
  - Authentication
  - Fragmentation
  - Ethernet-WLAN bridging
End-to-end QoS
- Step 1: WLC copies DSCP from switch to outer DSCP and outer 802.1p and sends to LWAP over LWAPP tunnel
- Step 2: LWAP copies outer DSCP from WLC to 802.11e/WMM field and sent to client
- Step 3: LWAP copies 802.11e/WMM value from the client to outer DSCP and sends it to WLC
- Step 4: WLC copies outer DSCP from WLAP to 802.1p (CoS) fields and sends it to the switch
Web interface (do you even need to know this?)
- Controller>QoS Profiles
  - Per-User Bandwidth Contracts - set avg data rate, burst data rate, avg real-time rate, and burst real-time rate
  - Over the Air QoS
    - Maximum RF usage per AP (%)
    - Queue Depth - queue size before dropping packets
    - Wired QoS Protocol - 802.1p or None
- Controller>WLANs>Edit
  - For each WLAN ID, set the QoS value: plat, gold, silver, bronze
  - WMM Policy
    - Disabled - 802.11e/WMM QoS requests are ignored
    - Allowed - 802.11e/WMM QoS requests are sent
    - Required - 802.11e/WMM QoS requests are required

ONT Notes - AutoQoS

Wed, 10 Feb 2010 00:00:00 +0000

AutoQoS benefits
- Automates QoS for most deployments
- Protects business-critical apps to maximize availability
- Simplifies QoS deployments
- Reduces configuration errors
- Cheaper, faster, and simpler deployments
- Follows DiffServ
- Allows complete control over QoS configs
- Allows modification of auto-generated configs
AutoQoS phases of evolution
- AutoQoS VOIP - Early version that configures the basics without discovery
- AutoQoS for Enterprise - Second version that only runs on routers and uses two-step process
  - Autodiscovery using NBAR
  - Generation of class maps
AutoQoS key elements
- Application classification
- Policy generation
- Configuration
- Monitoring and reporting
- Consistency
Interfaces that you can configure AutoQoS on
- Serial ifs with PPP and HDLC
- FR point-to-point subifs (NOT multipoint)
- ATM point-to-point subifs
- FR-to-ATM links
Prerequsites
- No Qos policy already configured on if
- CEF enabled on if
- Correct bandwidth configured on if
- IP address on low-speed if
Configuring AutoQoS Enterprise on a router (NOT a switch)
- auto qos discovery - begins discovery process
- auto qos - generates and applies MQC-based policies
Configuring AutoQoS VOIP
- auto qos voip [ trust | cisco-phone ]
Verifying AutoQoS on router
- show auto discovery qos - get autodiscovery results
- show auto qos - examine configuration generated
  - Number of classes
  - Classification options
  - Marking options
  - Queuing mechanisms
  - Other QoS mechanisms
  - If, subif, PVC where policy is applied
- show policy-map interface - look at if stats
Verify AutoQoS VOIP
- show auto qos
- show policy-map interface
- show mls qos maps - shows CoS to DSCP mappings
Possible issues with AutoQoS
- Too many traffic classes - manually consolidate some
- Configuration doesn’t change - rerun AutoQoS
- Configuration may not fit your situation - fine-tune it by hand
Fine-tuning AutoQoS
- Use QPM
- CLI
- copy policy into editor, change, reapply
AutoQoS can match on characteristics besides ACLs and NBAR
- match input interface
- match cos
- match ip precedence
- match ip dscp
- match ip rtp

ONT Notes - Pre-classify and End-to-end QoS

Thu, 04 Feb 2010 00:00:00 +0000

VPNs (Didn’t ISCW cover this?)
- Provide
  - Confidentiality
  - Integrity
  - Authentication
- Types
  - Remote-access
    - Client-initiated
    - NAS-initiated
  - Site-to-site
    - LAN-to-LAN
    - Extranet
L3 Tunneling protocols
- GRE
- IPSec
Pre-classify allows traffic to be classified before being sent across a tunnel or crypto-ed.
- qos pre-classify
- Provides a view into the original IP headers
- To classify on pre-tunnel header, apply the policy to the tunnel interface WITHOUT pre-classify.
- To classify on post-tunnel header, apply the policy to the physical interface WITHOUT pre-classify.
- To classify on pre-tunnel header, apply the policy to the physical interface WITH pre-classify.
SLA - agreement with provider to guarantee QoS mechanisms across their network based on your markings.
- Assures availability, loss, throughput, delay, and jitter.
End-to-end QoS
- To be effective, each hop in the path must have QoS configured similarly.
- Necessary in three locations
  - Campus - within the customer network
  - The edges - customer facing the provider, provider facing customer
  - On the provider network
QoS tasks
- Campus access switches
  - Speed/duplex settings
  - Classification
  - Trust
  - Phone/access switch configs
  - Multiple queues on switch ports, including priority for VOIP
- Campus distribution
  - L3 policing and marking
  - Multiple queues on switch ports, including priority for VOIP
  - WRED
- WAN edge
  - SLA definitions
  - LLQ
  - LFI
  - WRED
  - Shaping
- Provider cloud
  - Capacity planning
  - PHB
  - LLQ
  - WRED
Enterprise campus QoS implementation
- Implement multiple queues to avoid congestion
- Assign VOIP and video to highest priority queue
- Esablish trust boundaries
- Use policing to rate-limit excess traffic
- Use hardware QoS when possible
Control Plane Policing (CoPP)
- Applies QoS policy to traffic destined for the router
  - Routing protocols
  - Management protocols
- Can be used to avoid DOS attacks
- Applied to control-plane in global config

ONT Notes - Congestion Avoidance, Policing, Shaping, and Link Efficiency

Wed, 03 Feb 2010 00:00:00 +0000

Tail drop drawbacks
- TCP synchronization - Dropping TCP packets from different flows can cause them all to window down and back up again at the same time in cycles.
- TCP starvation - Non-TCP or aggressive flows can starve everyone else out when TCP throttles back.
- No differentiated drop - Tail drop doesn’t care who you are, so you get dropped if the queue is full.
RED - Random Early Detection
- Avoids tail drop by randomly dropping packets from the queue before it gets full
- Only dropped TCP flows slow down instead of everyone who has sent a packet since the queue filled
- Queues are smaller.
- Link utilization is more efficient
- Configured with
  - Minimum threshold - start dropping when the queue is this size
  - Maximum threshold - if the queue is this big, start tail dropping
  - Mark probability denominator (MPD) - 1/MPD is the ratio of packets to drop when between the thresholds
WRED - Weighted RED
- Based on IP precedence or DSCP values
- Less-important packets are dropped more aggressively than important packets
- Applied to an interface, VC or a class within a policy map
CBWRED - Class based WRED
- Configured with CBWFQ
Policing
- Limits subrate bandwidth (give you 100kbps on a T1)
- Limits traffic of certain applications
- Any traffic that exceeds police is dropped or re-classified; it’s a hard limit
- Inbound or outbound
Shaping
- Sets a limit but buffers any in excess
- Requires memory to store the buffer
- Buffers = delay and/or jitter
- Outbound only
- Can respond to network signals like BECNs and FECNs
Token and bucket
- The queue is a bucket; if a byte of data needs to be sent, it needs a token.
- If there are enough tokens, the traffic is considered conforming.
- If there aren’t enough tokens, the traffic is considered exceeding, which triggers the drop (policing), re-classify (policing), or buffer (shaping).
Frame relay traffic shaping (FRTS)
- Only controls frame relay traffic
- Applied on subif or DLCI
- Support fragmentation and interleaving
- Reacts to FECNs and BECNs
Compression
- Removed redundancy and patterns in data
- Less data = less latency
- Hardware compression or hardware-assisted compression does not involve the main CPU
- Software compression does
- Payload compression
- Header compression
Link fragmentation and interleaving
- Small data might be waiting for larger data pieces to finish sending
- Chunks data into smaller fragments so they don’t have to wait
- Interleaving shuffles flows in the Tx queue

Migrating CSM Serverfarms to Other Server VLANs

Mon, 25 Jan 2010 00:00:00 +0000

A coworker brought an interesting problem to me the other day. He wanted to move a serverfarm from one server VLAN to another without taking an outage. Since I didn’t want to have to come into the office late at night to do work, I decided to see what we could do.

It turned out to be pretty easy. We tend to think of CSM VLANs as pairs – you have the client VLAN for the web servers where the vserver sits and the server VLAN where the serverfarm sits. The CSM doesn’t know about these relationships; all it cares about is whether the servers are in a server VLAN, and we can use that to our advantage here.

ONT Notes - Queuing

Sun, 24 Jan 2010 00:00:00 +0000

Here are some more notes from my studies. Of course, no one cares about them but me, but it’s my blog. I’m sure someone will find it useful. Please help to correct dumbass mistakes.

Congestion
- Speed mismatch - traffic leaves a lower-bandwidth interface than the one it came in on
- Aggregation problem - lots of links with one egress of equal bandwidth
- Confluence problem - a bunch of traffic needs to egress out of the same interface
Queuing

ONT Notes – Classification, Marking, and NBAR

Fri, 22 Jan 2010 00:00:00 +0000

Here’s another set of notes from my ONT studies. I’m sure someone will find it useful. Please help to correct dumbass mistakes.

Classification is done with traffic desriptors
- Ingress interface
- CoS value on ISL or 802.1P frames
- Source/destination IP address
- IP Precedence or DSCP value
- MPLS EXP
- Application type
Layer 3 QoS
- Type of Service (ToS) is 8-bit field.
- First 3 bits of ToS are the IP precedence.
- First 6 bits of ToS are the DSCP value.
- Last 2 bits of ToS are explicit congestion notification (ECN).
Layer 2 QoS

ONT Notes - Intro to QoS

Thu, 21 Jan 2010 00:00:00 +0000

I’ll try to keep it a little shorter this time.

Major issues for converged enterprise networks

Available bandwidth: competition among applications
- Fixes
  - Increase bandwidth: More power!
  - Properly queue based on classification and marking: QoS
  - Compress: cRTP, TCP header compression, etc.
Delay: Lead time to get a packet to the destination
- Types of delay
  - Processing delay: routing, switch delay
  - Queuing delay: how long a frame stays in an output queue
  - Serialization delay: how long to put the frame on the wire
  - Propagation delay: the time to cross the physical medium
Jitter (delay variation): Variation is the delay
- Different delays mean different arrival times
- De-jitter buffers save up packets to reduce jitter (like the old CD writers)
- Fixes
  - More bandwidth
  - Prioritize sensitive data and forward first
  - Remark (reclassify) packets based on sensitivity
  - Enable L2 payload compression: make sure compression delay isn’t worse than the jitter
  - Use header compression
Packet loss: Packets are lost in the network somewhere
- Fixes
  - More bandwidth
  - Increase buffers space: more room for the queue on the interface
  - Provide guaranteed bandwidth: Queuing and QoS
  - Congestion avoidance
    - Random Early Detection (RED) and weighted RED (WRED) drop packets before the queue is full
    - Selective dropping is better than FIFO or LIFO dropping

QoS History

ONT Notes - VOIP Networks

Sun, 10 Jan 2010 00:00:00 +0000

Here are some of the notes I’ve been taking while reading over the ONT book. I hope it benefits somebody. Feel free to correct any stupid mistakes as a paraphrase to avoid a lawsuit.

There’s way too much info here. I’ll refine the process a little better for the next topics.

Benefits of Packet Telephony Networks

More efficient use of bandwidth and equipment - Packet telephony networks don’t dedicate channels or a static bandwidth to a call; it’s just another network application.
Consolidate network expense - The common infrastructure (IP-based networks) keeps you from having to support another distinct network for voice like in traditional PBX implementations.
Improved employee productivity - The phone can be used for more than just phone calls by utilizing the XML interface to run applications or provide content from the network.
Access to new communications devices - IP phones can communicate with computers, network gear, PDAs, etc., and not just the PBX.

Packet Telephony Components

CSCtd31622 - CSM, Cookies, and the year 2010

Fri, 08 Jan 2010 00:00:00 +0000

It seems that we have another piece of evidence that Cisco doesn’t like the CSM. From what I’m able to creatively interpret, the software developers didn’t think anyone would be running the CSM for very long, so they set a variable that expires CSM-inserted cookies at 01:01:50GMT on 1 January 20101. If you’re using cookies to make connections sticky, that means you may see some unexpected results; this shouldn’t affect the web servers’ cookies.

ASA and Proxy ARP

Fri, 11 Sep 2009 00:00:00 +0000

Wow. A new entry. Everyone sit down before you pass out.

I’ve got a real-world example for you today. We have an ASA 5540 installed at a business unit with interfaces in multiple networks, including one containing the production servers and another containing the accounting servers. The production network sits on a 7600 that’s not ours, so, to avoid IP conflicts, we are statically NATting connections into that network. The 7600 has with many, many VLANs, and, since the firewall production servers are on different VLANs, there’s an interface VLAN between us. Sounds pretty straightforward, but it just wasn’t working when we try to connect between the interfaces.

Getting Temperature Data from a 6500 via SNMP

Wed, 19 Aug 2009 00:00:00 +0000

I apologize to my adoring fans (both of you) for the lack of posting. I’m in the middle of moving, buying a new house, selling my current house, getting a mortgage, etc. I’ve up until 11:30 nearly every night filling out forms and going through red tape. Don’t get me started on getting money from a 401k! Anyway…

I got in this morning, and a coworker was telling me that the data center’s HVAC was crippled due to an oil leak, and it was 90F in there. D’oh! It wasn’t quite that high, but it was warm. Luckily, all of our network gear is on the end of the rows with AC, so we’re safe, but it got me thinking about monitoring temperature of our 6500s via SNMP. I’ve done it via Cacti, but I never really looked how to do it manually.

BCMSN Notes - EtherChannel Distribution

Tue, 23 Jun 2009 00:00:00 +0000

EtherChannel lets you aggregate links into one logical connection, but the distribution of traffic is not uniform. It does not use per-packet load-balancing or the like to determine what interface in the bundle to use. Instead, it uses a XOR function on packet information to generate a hash that is used to determine what interface to use.

By default, the switch will use both the source and destination IP addresses to generate the hash, but there are lots of others.

BCMSN Notes -- STP States

Fri, 22 May 2009 00:00:00 +0000

I’ve decided to take on the CCNP certification, so I’m going to wind up with a few posts will be more my own notes than anything. :)

A switch port on a 2960 comes up with a default configuration on VLAN 1. What happens from the perspective of spanning-tree?

First, the port comes up on blocking mode. This is to make sure that loops aren’t created without first listening to the network to see what’s going on.
Next, if the port may be a root or designated port, the port is moved to the listening state. In this state, the port can send and receives BPDUs only. It can’t send traffic, but it can discover the other switches participating in STP.
After the forwarding delay, the port goes into the learning state. In this state, the port can send and receive BPDUs as in listening, but it can now receive traffic. It can’t yet send any.
After the forwarding delay again, the port goes into the forwarding state. The port can now send and receive data.

If the port is configured with spanning-tree portfast, the mode goes from blocking directly to forwarding without going through these steps. Obviously you don’t want a switch plugged into a port configured for portfast since you may wind up with a loop.

Using SSH to Run Commands on a Router or Switch

Thu, 30 Apr 2009 00:00:00 +0000

SSH is more than just a shell. You can copy files from and to a server or piece of network gear with it. You can use it to tunnel traffic. Possibly my favorite, though, is to use SSH to run a command on a remote box without interacting with a shell.

One of my biggest pet peeves with IOS (or pretty much any Cisco OS) is the lack of complex filtering. Let’s say I want to look at all the downed ports and interfaces on modules 3 and 6 of my 6509. I can’t easily do that with command from the IOS, but, on my Linux box, I can use multiple grep commands to get exactly what I want really easily. Let’s work through the example, shall we?

Server NIC Aggregation to a Cisco Switch

Tue, 14 Apr 2009 00:00:00 +0000

Have you even noticed that your new servers all have 2 NICs on the board? At least all of them that I’ve seen in the last 3 years have. A lot of server admin actually use them in a NIC teaming scenario where both NICs are used as one logical device – much the same as Etherchannel on a switch. This provides some fault tolerance and availability in case of failure, which is good idea in most cases.

RSPANs on Cisco Switches

Wed, 18 Mar 2009 00:00:00 +0000

We discussed SPANs earlier, but let’s talk about RSPANs for a bit.

Can anyone guess what the “R” means? You guessed it – “Remote”. An RSPAN is a way to get traffic from a SPAN source on one switch to a SPAN destination on another switch that’s connected via a trunk.

The basic premise is that a special VLAN is created on all the switches and allowed to traverse the trunks. You then set up a SPAN session that copies your traffic to this special VLAN. This VLAN then gets the traffic to the other switches through some voodoo magic to be used as source for a SPAN on another switch.

SPANs on Cisco Switches

Fri, 13 Mar 2009 00:00:00 +0000

I can’t believe I haven’t blogged on this yet. SPANs are one of my favorite things in the world.

The switched port analyzer (SPAN) is a mechanism on Cisco switches that allows you to take traffic on one port and copy it to another. It’s generally used to get traffic to a sniffer or IDS for analysis, but it’s a great tool to use to sample traffic from a host for troubleshooting.

CSM Probe Status of ???

Fri, 20 Feb 2009 00:00:00 +0000

I must be bored since I’m posting again.

A colleague asked me to change the failed value of a TCP probe today. It was no big deal, but, when I looked to see the status of the change, I noticed interesting stati of the RIPs.

switch#sh mod csm 7 probe name TCP80-PROBE detail
probe           type    port  interval retries failed  open   receive
---------------------------------------------------------------------
TCP80-PROBE  tcp     80    20       3       120     10
Description: Quick fail recovery
recover = 3
real                  vserver         serverfarm      policy          status
------------------------------------------------------------------------------
192.168.1.45:80       VS01            FARM01        (default)       ???
192.168.1.44:80       VS01            FARM01        (default)       ???
192.168.1.43:80       VS01            FARM01        (default)       ???
192.168.1.42:80       VS01            FARM01        (default)       ???

It seems that when a change is made to a probe, the CSM discards the state of the probe and starts over. If you catch it before the first probe is finished, you’ll get a status of “???". I’m just picturing the CSM saying “Uhh…I…don’t…know”.

Fail Actions on CSM Serverfarms

Fri, 20 Feb 2009 00:00:00 +0000

I’ve talked about probes and stuff on the CSM, but I never mentioned what happens to the connections to a server that fails. That is, if I’m connected to server A in a cluster and that server suddenly commits ritual seppuku, what happens to my connection through the CSM?

Remember how the CSM works? You connect to the VIP, some state tables are updated, your packet’s destination IP is changed to a RIP, and the packet is forwarded. The point I want to emphasize this time is the state table. If you were to send another packet to the same VIP on the same port, the CSM would look in its state table and see that you’re already connected to a server and just forward you on over after a NAT. What if that server has suddenly died?

Configuring Dedicated Trunks for the CSM

Mon, 24 Nov 2008 00:00:00 +0000

Did you catch the article on setting up fault tolerance on the CSM? In that article, I mentioned that Cisco recommends a dedicated trunk for the FT VLAN if you have two HA CSMs in two chassis. Discuss amongst yourselves while I drone on.

Why should you set up a dedicated trunk for this stuff? The most obvious reason is to be sure that normal traffic doesn’t step on the syncing traffic. Since we’re syncing state information as well as configuration, the frames need to arrive in a timely manner. Any errors could potentially disrupt the FT process, which is bad. You surely don’t want the primary to fail only to find out that the standby doesn’t have the complete or current config.

Using MAC Access-lists

Mon, 27 Oct 2008 00:00:00 +0000

We ran into this today, and, though I knew it existed, I never actually saw it in the wild. I’m talking about MAC access-lists.

In the example setup, we have a DMZ off of a firewall that contains a whole mess of servers – email, web, ftp, etc. These should all be in the DMZ for sure, but they shouldn’t talk to each other. If a bad guy was able to own my FTP server, he would have a nice platform to use to attack my email server. That’s not cool, so we’ve put in MAC access-lists to help out.

The Cisco Network Hierarchical Model

Wed, 06 Feb 2008 00:00:00 +0000

I got my CCNP certification library the other day to finally get myself another cert, so I’ve been doing some reading of late. The thing I hate about certs is that, even if you have all the experience in the world, there’s always a whole mess of academic stuff that no one really knows or cares about. One of those things is the Cisco Network Hierarchical Model. This model is purely academic and comes with the caveat that you may or may not want to need to use this model in your situation. In other words, here’s what we recommend, but do what you want to make your network run properly.

Free and Awesome Network Tools

Sun, 18 Nov 2007 00:00:00 +0000

We all have limited budgets these days. Long gone are the days of unlimited resources and uncontrollable expansion of the network, so it’s important that any network dude or dudette pay attention to the open-source world. Below is a list of stuff I use at the office and at home to monitor, trend, and alert the network. All this stuff is free and runs on Linux to save even more cash.

A Simple BGP Lab with Dynamips/Dynagen

Sat, 10 Nov 2007 00:00:00 +0000

I assume you take every word I say to heart and that you’ve been using Dynamips/Dynagen for a few days now, right? Good. That’s a start, but let’s break down a simple lab to make sure everyone’s on the same page. I run my labs on Linux most of the time, so you’ll see my commands for that platform. You’re a smart one, so you can figure out what to do on Windows. :)

Dynamips and Dynagen

Fri, 02 Nov 2007 00:00:00 +0000

I’ve run across articles for these apps a thousand times, so I thought I’d get in on the action. Dynamips and dynagen are a pair of apps that make simulating Cisco routers very easy. I use them constantly at the office (and even at home on the couch) to try out new configs and even new IOS versions.

Dynamips is the brains behind the operation. It was written to simulate Cisco 7200s for testing, but, eventually, it came to support several platforms, including 3600s, 3700s, and 2600s. You can use it to simulate a whole series of routers that are directly connected together through their interfaces, through virtual switches, or even connected to real interfaces on your box to pass traffic out through the real network. It uses real ]IOS images, so you can run whatever you can download. The problem with it is that it’s very complicated to use; if you did a fully-populated 7206, your command line would be 5 lines long and not make a lot of sense.

Monitoring the CSM with SNMP

Wed, 24 Oct 2007 00:00:00 +0000

I had an article a few weeks ago about the Cisco CSM, which is a load-balancer module for the 6500 series switches. This thing is a pretty good device, but monitoring the connections to each VIP and RIP is not very straightforward. If you have an SNMP monitoring system like Cacti or MRTG, you need to know the OID to monitor, but it doesn’t work like anything else in the world.

Object Tracking and HSRP

Fri, 19 Oct 2007 00:00:00 +0000

We’ve done some tracking with HSRP in other articles, but there are lots and lots of ways to use object tracking on an HSRP device. In our example network, we tracked the interface, and, if it went down, we decremented the standby priority. What if just the line protocol goes down? How about if the BGP peer on the other end stops sending you routes? If you don’t know that object tracking is the answer, you didn’t read the title.

Intro to Policy Routing

Sat, 13 Oct 2007 00:00:00 +0000

I like [tag]layer-3[/tag] [tag]switch[/tag]es. They give some great flexibility and bang-for-the buck, but most people overlook one issue with these things that can cause security problems. Most people configure the [tag]VLAN[/tag]s, put an IP on the VLAN interfaces, and put it in production, but the packets don’t actually flow the way they think they do.

Let’s check an example. Here’s what the proverbial you had in mind when you plugged your web server, management server, and firewall into your 3750.

Getting Started with the Cisco CSM

Wed, 03 Oct 2007 00:00:00 +0000

Cisco’s Content Switching Module (CSM) is an application accelerator. Or is it an application networking service module? I hate those fancy buzzwords – it’s a load balancer. It’s a module for the 6500 series switches that lets you load balance services in any VLAN and can also be set up for high-availability. I could go on for a while about the features, but let’s keep it simple for now. A short tutorial, if you will.

Finding Hosts on Layer 2

Thu, 27 Sep 2007 00:00:00 +0000

Most firewalls should block [tag]ICMP[/tag] requests to them, so how do you know that your router or server has layer-2 connectivity to one? It’s pretty elementary, actually, but I’ve found that not a lot of people know this trick. If you ping the firewall, it will receive the ICMP packet and drop it per the rulebase. In this process, though, the firewall has to answer [tag]ARP[/tag] requests, which will be stored in the router or server’s ARP table. If you see it in there, you have connectivity.

HSRP Interface Tracking

Sun, 23 Sep 2007 00:00:00 +0000

Remember the article on router-on-a-stick? And the one on HSRP? Let’s add to that example network, shall we? Let’s make those routers into edge routers so they connect your internal network to the Internet with some size circuit. Let’s just say they each terminate DS3s to different providers.

Here’s our network now (I’m experimenting with Visio alternatives, so excuse the diagram footer there). Let’s assume that we have [tag]HSRP[/tag] set up like the HSRP article and that we have many sub-interfaces on the Ethernet side of the routers like the ROAS article. Also, Router1 is the HSRP active peer and each router has a default route pointing to the upstream ISP through interface Serial 0/0.

SNMP v3 is Easy!

Sun, 16 Sep 2007 00:00:00 +0000

I finally got around to looking into [tag]SNMP[/tag] v3 and was shocked at how easy it actually is. When I first looked up info on it so many moons ago, I saw table after tables of views and privilege levels and thought I would have to put in a billion hours getting it customized. I settled down and went through some Google results and found a blog post by Richard Bejtlich that shows the simplest of configurations. Works like a champ!

Setting Up SSH on IOS Devices

Wed, 05 Sep 2007 00:00:00 +0000

By default, most Cisco [tag]IOS[/tag] devices come configured to be accessed via telnet. This is probably fine for your house, but I really cringe when I run across corporate networks that use [tag]telnet[/tag] to access the devices. Telnet is old and out-dated and can be very dangerous. It’s in plain-text, which means that anyone who sees the packets can get your username and password. It also has no remote identification mechanism, so you can’t guarantee you’re talking to the device you think you are; you could be telnetting to a rogue device on your network without knowing it. [tag]SSH[/tag] gives you both things and more.

Running HSRP for Availability

Wed, 22 Aug 2007 00:00:00 +0000

In the article describing a router-on-a-stick, I mentioned that I would use two routers that run HSRP for availability, so I figured that I would write up a short post on what it is and how it works.

HSRP (Hot Standby Router Protocol) is a Cisco-proprietary protocol for establishing two or more layer-3 devices as a fault-tolerant gateway. Please note that it is not a routing protocol like OSPF or BGP. HSRP provides availability and fault-tolerance…it does not advertise routes. I actually found several Google results that said it was a routing protocol. Those were on the first page of the results, so be careful when searching! Webopedia.com is terrible.

Router-on-a-Stick

Mon, 20 Aug 2007 00:00:00 +0000

Ever heard of a router-on-a-stick? Go ahead and laugh…everyone does. It’s a funny name for a very serious topic, though. A router-on-a-stick is a network configuration that uses a single router interface as a gateway for more than one network segment. You literally take a single Ethernet interface, put it on multiple VLANs, and set up the IP address stuff.

Here’s how it works: The router is plugged into a port on a switch that is configured as a trunk that carries all the important VLANs. The router is configured with Ethernet sub-interfaces (just as you do frame-relay or ATM sub-interfaces) – one for each VLAN. Piece of cake.

Common Cisco IOS Commands

Fri, 17 Aug 2007 00:00:00 +0000

Here’s a list of IOS commands that I use all the time that aren’t a part of the basics. I obviously use more than just these, and you do, too, but I hope there’s at least one eye-opener in there.

show env all: Shows the environment status, including fan, power supplies, etc. Good for making sure the environment is alright. show history: Shows your command history since you logged onto the device. Good for remembering what command you put into get those stats the boss needs. Configuration changes don’t show up here. show inventory: Shows a nice list of what the device has hardware-wise. It’s good for a router with a bunch of modules or a switch with a bunch of cards. show interface trunk: Shows all the trunks on a switch along with pruning information. Good for making sure all VLANs are propagating around the network. show interface capabilities: Shows what the interface is capable of doing – not just what’s its configured to do. show interface counters: Shows byte and packet information for every interface. Good for quickly showing statistics without having to look at all the show interface garbage. show mac-address-table: Shows the CAM table on a switch. Good for tracking down where a host is plugged into. show tcp brief: Shows all TCP connections associated with the device like SSH sessions or BGP. show users: Shows who’s logged onto the device. Good for finding a line to clear to kick everyone off the box.

Mixed-platform LANs and Spanning Tree

Fri, 10 Aug 2007 00:00:00 +0000

We just an HP C-class blade chassis which included two GbE2c network modules. These modules are Nortel switches running AlteonOS that connect the blades to the rest of your network. When I turned these guys up the other day, every VLAN stopped working, so I ran down to the data center and unplugged the uplink. I called HP and soon found out that the GbE2c doesn’t play nice with Cisco switches out-of-the-box. Since we have a Cisco network (not now, I guess), we can into some problems.