Cisco on Aaron's Worthless Words

Out-of-band Management - Useful Beyond Catastrophe

Thu, 13 Jul 2023 00:00:00 +0000

I was lucky enough to participate in Tech Field Day Extra at Cisco Live a couple weeks months ago. This event brings independent thought leaders together with a number of IT product vendors that were at Cisco Live to share information and opinions. I was not paid to attend, but the organizers did provide some meals while I was there. There is no expectation of providing any content, so the fact that I’m mentioning it says something. It was a great event and worth a few hours to check out the videos. Thanks to Gestalt IT for getting me involved. OpenGear was there, and it was good to see some new faces and hear some new ideas.

BGP Configuration on FortiOS

Mon, 31 Oct 2022 00:00:00 +0000

I’ve never done a post on Forti-anything, but I’m really appreciating the products Fortinet is putting out lately. They’re transitioning from “run your SMB off of our stuff” to “actually, we’re pretty good for larger companies”, so their GUI lacks features to keep the SMB from blowing stuff up, The advanced features are there in the CLI, and I wanted to use it to show that difference between the GUI and the real config.

Cisco Live 2018 - Yes, I Went Too

Wed, 04 Jul 2018 00:00:00 +0000

It’s been a very busy month or so. June is always like that, it seems. There’s ARRL Field Day, which is always the last rainy weekend in June. This year, Cisco Live was in June, and that typically includes Tech Field Day activities. Right before that, we had the whole family in town for a family reunion. There was all sorts of stuff going on. Now that most of that has blown over, I’ve collected my thoughts and wanted to talk about Cisco Live this year.

An Update for my Adoring Fans

Tue, 05 Jun 2018 00:00:00 +0000

I feel like a teenage girl with a fashion blog who hasn’t posted in 6 months and comes back with “I know I haven’t posted in a while…” Sigh. It’s been right at a year since I actually published a post, so I figured I would give everyone an update.

I’ve had some personal things going on lately, and those have taken all of my energy. We’ve made it through those rough times, so my energy is coming back. I’m feeling better every day, and I hope I can get back to producing some content. And, let me tell you…I’ve got some stuff to talk about.

Cisco Live US 2017 - Saturday Adventure

Fri, 05 May 2017 00:00:00 +0000

For the last couple years, on the Saturday before Cisco Live US kicks off, we like to go and do something in the host city. Nothing big. Nothing fancy. Just something we aren’t going to be able to do once the conference gets going. In San Diego, we went to the zoo. Last year, we went to the National Atomic Testing Museum. This year, we’re going to the National Museum of Organized Crime and Law Enforcement…aka, the Mob Museum.

Cisco Live US 2017 - The Plan So Far

Tue, 21 Feb 2017 00:00:00 +0000

Put it on your calendar. Cisco Live US is June 25 - 29, 2017, in Las Vegas. This is the largest conference I go to every year, and it’s the highlight of my professional year. I’ve been going for a few years now and enjoy it for the content and camaraderie. What are we doing this year?

We’ll fly in on Friday again and do something. No idea what, but I imagine we’ll throw out an invitation for dinner to the public and meet somewhere. If you’re going to be in town, let me know, and we’ll meet up.

Cisco Clock Issue - This Is Really Bad

Sun, 05 Feb 2017 00:00:00 +0000

Check out this advisory from Cisco that came out a couple days ago. You need to read it and act on it immediately! I’ll summarize for you : Thanks to a faulty clock signal component, certain Cisco devices will stop functioning after about 18 months and become really expensive bricks! Reading through it, you’ll see phrases like “we expect product failures” and “is not recoverable.” Seriously, what the hell? This really warms the heart.

QoS? Really?

Sat, 20 Aug 2016 00:00:00 +0000

I wrote this post during Cisco Live and said “I’ll just give it a once-over tonight and publish it.” That was something like 6 weeks ago now. What a loser I am.

Yes, really. QoS has actually gotten some attention this year. After how many years of living in the dark and being feared by junior and senior engineers alike, we’re seeing some really cool technologies coming out for it.

Cisco Live 2016 - Everything Is Coming Together

Tue, 12 Apr 2016 00:00:00 +0000

It seems that Cisco Live is about the only thing I blog about in the last…well, few years. At least I’m still writing, even if it is twice a year. :)

Here’s a summary about Cisco Live for those who live in a dark hole. It’s July 10 - 14, 2016, in Las Vegas. If you do anything with Cisco, you should go. If you do anything with technology that isn’t Cisco, you should go. Bring your significant other. There’s plenty to do for everyone. Anyway, on to the details for this year’s show.

Cisco Live - The Complaints

Tue, 16 Jun 2015 00:00:00 +0000

You should know by now that I always find something to complain about. Is that a bad thing? Probably. Does it help improve things? Absolutely!

Again, I love going to Cisco Live every year. Without question, it’s my favorite event of the year. It’s a great event with great people and great things to do. With that said, let’s look at what could have been a bit better this year.

Cisco Live 2015 - Helping Others

Sun, 14 Jun 2015 00:00:00 +0000

Another year, another Cisco Live. Boy, was it a good one. San Diego is a great city, and convention center there is plenty big to take care of all 25k attendees. On top of that, the city itself is equipped to handle groups of 40 roaming the streets looking for food and entertainment.

This year’s event had the usual stuff that everyone talks about - breakout session, keynotes, exams, etc. - but Cisco stepped outside of technology this year by helping others.

Summary Post - Methods to Manipulate OSPF Costs

Fri, 11 Jul 2014 00:00:00 +0000

There are three ways to manipulate the interface cost in OSPF. One is very direct, one changes the presentation of the interface, and the other changes the calculations for every interface.

Set the cost of the interface directly - Just give it the number you want. Easy. This is the number OSPF will use in the SPF calculations without doing any math on the interface.

R1(config-if)#ip ospf cost 8482

Set the bandwidth of the interface - The formula that OSPF uses to calculate interface cost is pretty easy to remember - (reference bandwidth) / (interface bandwidth). Changing the interface bandwidth will obviously change the result of the calculation. The same caveat for EIGRP route manipulation holds true here; if you change the bandwidth of the interface, you may affect other things like QoS…or EIGRP, now that I mention it.

Summary Post - OSPF Network Statement Order and Matching

Thu, 10 Jul 2014 00:00:00 +0000

When you configure OSPF network statements, IOS orders them most-specific to least-specific then does a top-to-bottom match of the interfaces. It doesn’t matter which order you put them in, the configuration will always be ordered with the longest prefix matches first. Lab time!

I have router R1 with these interfaces.

R1#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.0.0.1        YES manual up                    up
FastEthernet0/1            unassigned      YES unset  administratively down down
Loopback100                10.0.101.1      YES manual up                    up
Loopback200                10.2.101.1      YES manual up                    up

Let’s add the OSPF configuration where 10.0.0.0/8 is in area 2 then check what OSPF thinks is happening.

Recap - Cisco Live US 2014

Sat, 31 May 2014 00:00:00 +0000

I don’t think I’m going to give a direct review of Cisco Live US this year. The conference was great with lots of stuff going on, but I really can’t contribute any more than the vast library of other posts on the subject. What I will do, though, is give my take on where I think the conference is headed. These are all my thoughts and have little to do with reality in some cases.

My Schedule for Cisco Live 2014

Fri, 18 Apr 2014 00:00:00 +0000

Everything is in order for my trip to Cisco Live 2014 in San Francisco. Conference passes are purchased. Hotels are reserved. Flights are booked. It’s going to be a great event, and I can’t wait!

Note: My wife will be with me again this year, and she is trying to get a tour group going to look around the city while others are in sessions. If you want to be in on the tourist action, contact her via Twitter.

Taking the Old Approach to Cisco Live 2014

Tue, 25 Mar 2014 00:00:00 +0000

I was just reading through Bob’s blog post from today and wanted to give a rebuttal of sorts. In his post, Bob tells us that’s he’s going to be at Cisco Live US in San Francisco this year but he won’t be coming on the Full Conference pass like he usually does. He’s going with the Social Event pass this year, which is actually a great, great way to attend. I know several people who are thinking about scaling back to the Social Event pass as well, and there’s nothing wrong with doing it like that. There are some things that it doesn’t get you, though.

Read This if You're Going to Cisco Live in May!

Thu, 13 Mar 2014 00:00:00 +0000

Do not tell anyone I told you, but I heard a rumor today. It looks like the attendees will be in for quite a treat for the 25th Anniversary of the Customer Appreciate Event. It seems that we’re all going to be shipped off to AT&T Park for the show! It’s the home of the San Francisco Giants and a beautiful stadium. And guess who’s going to be there? Yes, me. And my wife. And about 984572 of my friends. But so will Lenny Kravitz and Imagine Dragons!

Why Cisco Live Each Year?

Wed, 26 Feb 2014 00:00:00 +0000

We all know what Cisco Live is, right? Networkers? The Cisco users’ conference? If not, then educate yourself, friend. It takes place every year in different parts of the world. I try my best to go every year to the US event and am lucky to be able to go this year. It costs a bagillion dollars and a week of my time; why am I so excited about going? Easy answers in no particular order.

CCIE R&S Written -- Epic Fail (Again Again)

Wed, 07 Aug 2013 00:00:00 +0000

On Friday, and for the fourth time, I took the CCIE R&S Written exam (350-001). For the third time, though, I failed. Let me tell you, I am absolutely devastated. I worked my buns off for the past few weeks, but I’m obviously missing some important piece to put me over the top.

Not only was I disappointed with my overall score, I was disappointed by my score in some of the focus areas. For God’s sake, I made a 50% on each of the routing and switching sections, which is just absolutely embarrassing. I mean, this is my bread and butter here. This is what I do all day every day, and I could only muster a 50%?

QoS Notes - IPP and DSCP Values

Tue, 30 Jul 2013 00:00:00 +0000

This is a study note post, so please don’t take this as written. I’m not the authority on the subject, so please correct me if needed.

Back in the day, somebody decided that we all needed to have a Type of Service (ToS) field in the header of IP packets. Only God knows what this spawn of Satan wanted to do with it, but we’re stuck with it on the CCIE R&S exams.

CCIE R&S Written - Epic Fail (Again)

Sun, 07 Jul 2013 00:00:00 +0000

Yes, I failed. I think it’s pretty typical when you’re at Cisco Live, you stay out drinking and smoking cigars until 01:00, then you sit the exam at 08:00 the next morning. Considering the situation I put myself in, I wasn’t very optimistic about passing, but I figured I had maybe a 40% chance to pass since I didn’t really even study. Are you sensing a theme of ill-preparedness and self-sabotage? Yeah, me, too.

Cisco Live 2013 Insights - Catalyst 3850

Thu, 04 Jul 2013 00:00:00 +0000

Cisco Live is obviously the biggest networking event of the year, and Cisco likes to use all the attention to show off some of their new gear. I must say I was impressed with some of the Enterprise offerings including the 6807-XL, the 6880-X, the 4451-X, and the Sup 8-E for the 4500-E (check out the Nexus 7700, too, even though they aren’t Enterprise class). Those boxes definitely gave me a bit of a tingle when I was checking them out, but my eyes opened up when I saw the 3850 in one of my sessions and on the show floor.

Cisco Live 2013 Insights - Cisco Tactical Operations

Wed, 03 Jul 2013 00:00:00 +0000

While walking through the World of Solutions, we ran across a big black truck with lots of antennas all over it. It was obviously an emergency communications vehicle of some kind, but I was really surprised to see it was a Cisco truck. It turns out that Cisco has a Tactical Operations group (Twitter) that was formed to provide disaster responders with much-needed communications for EMAs, fire, police, medical, etc.

The big truck was the NERV - the Network Emergency Response Vehicle (PDF link). It’s full of traditional HF, VHF, and UHF radios that the ham radio operators usually bring to these disasters. This is a necessity when all phones, cell, and Internet are down. It could be the only way fire fighters are able to call for reinforcements or the only way a hospital can call for more supplies. The NERV, though, takes it to the next level. On top of the radio gear, it is equipped with satellite uplinks for Internet access, wifi, and digital voice and video through UCS Express, IP phones, and Telepresence. Analog voice is always the first method of communications restored via battery- or generator-powered gear, but an area will eventually need a network with voice and video. That’s where the NERV comes in.

Cisco Live 2013 Insights - Cisco Active Advisor

Tue, 02 Jul 2013 00:00:00 +0000

Yes, I went to Cisco Live and survived. It was the social event of the year, but the main focus is learning about the cool, new stuff. One of the booths I visited was a demonstration of Cisco Active Advisor.

This is a cloud-based (BINGO!) application that keeps an eye on the lifecycles of your IOS devices. Using the web interface, you can scan a range of IP addresses from your machine and have your gear automatically added to the service. Once in there, you can see, among other things, the warranty and support contract information for your device. If your contracts is about to expire, it’ll let you know via email. It also tracks any vulnerabilities that may apply and emails you if any are detected. This beats trusting your reseller to send you renewals or watching an RSS feed for PSIRTs and field notices.

A Simple Firewall Upgrade - A True Story

Thu, 20 Jun 2013 00:00:00 +0000

I just got through a big weekend. We upgraded our main production firewall, but the process had a few twists.

The old firewalls, a pair of ASA 5520s, were running at about 80% CPU during the day. That’s high enough that even I cringe when I saw the utilization in ASDM. It was obviously time to upgrade to something with more beef, but we also wanted something that will last for years. After looking around and getting some quotes (that made me jump back in my seat), we finally decided to go with a pair of 5555Xs. These guys give about 10 times the throughput of the 5520 with about 8 times the memory. Seems to match the requirements. Now for the complications we had to work through.

My Schedule for Cisco Live 2013

Sun, 31 Mar 2013 00:00:00 +0000

I’m all set up to go to Cisco Live in Orlando this year. Good thing, too, since I couldn’t make it to San Diego last time. It’ll be a great and fun time as usual, and I’m quite excited.

As it turns out, ARRL Field Day happens to be the weekend leading up to the festivities. I’ve been in contact with the local Orlando club, and they say the attendees are more than welcome to join them. They are meeting at the City of Orlando Emergency Operations Center, which is about 20 minutes away from the Convention Center.

JNCIS - Epic Win (Again)

Sun, 24 Mar 2013 00:00:00 +0000

I spent the last of my Juniper exam vouchers on the JNCIS-SEC exam and passed by the skin of my teeth today. Since I took a new job last month that’s 100% Cisco, this is the last Juniper exam I’ll take for the foreseeable future. Too bad, too. I really like the Juniper exams.

At my previous job, we were 90% Juniper with a whole mess of SRX firewalls around the world. Since this exam is really about that platform, it was pretty logical that I should do alright on it. Of course, a large part of the blueprint was on IDS and UTM, and I have no experience there. For my entire career, those type of devices have been handled by other groups, so I had some studying to do. That’s where I ran into problems. I have absolutely no interest in IDS. I have no interest in UTM. There’s nothing about content scanning and analysis that interests me at all. I promise you all that I tried my best to read up on these topics, but I was asleep after 10 words every time I tried. After rescheduling the exam twice to try and study a bit more, I finally decided it wasn’t worth the trouble and just took the exam…and passed.

A Little Story on Switch Configuration

Tue, 27 Mar 2012 00:00:00 +0000

Here’s another story from the late night. I’ve changed the details to protect the innocent, but you’ll get the idea.

I think most of you know that I started a new job late last year, and I’ve spent my waking hours getting caught up on how the new company works, how everything fits together, and all that jazz. One of the big reasons that I (and a number of others) were brought in was to fix the biggest problem; the company doesn’t have a real central control over customer-facing technologies. There’s a group that does central IT for the company (Exchange, SharePoint, Oracle apps, etc.), but there are dozens and dozens of applications out there. That means there are dozens of “network teams” around the world doing their own thing.

VRF-Aware IPSec Tunnels

Tue, 13 Dec 2011 00:00:00 +0000

Man, time is hard to come by of late. I’ve had so little time to rest that’s it’s hard to get my thoughts together. It’s a good thing in this case, though, since it’s my fantastic job that’s taking all my time. It’s great to see new network and learn their internals…especially when they were designed by some long-time CCIEs who actually knew what they were doing.

One of the big things that I’m dealing with lately is VRFs. I’ve implemented some VRF-lite stuff, but I’ve never had any practical experience with the full force of them. I’m definitely learning here. Since the blog here is really about my sharing what I’ve learned, let’s go through something that came up recently - terminating VPNs on one VRF while passing traffic to another.

Invisible fences for VLANs

Tue, 09 Aug 2011 00:00:00 +0000

This week we have a guest post from CJ Infantino. He is currently writes on convergingontheedge.com. You can find him hanging out on Google Plus as CJ Infantino or follow him @cjinfantino on twitter.

-————————————

The other day I was adding VLANs to the the allowed list on the core routers at work. It was then a question came to mind, “Does the VLAN allowed list filter ingress or egress traffic?”.

Now, because all good engineers would configure the allowed list on both ends – as Aaron would say – in the grand scheme of things this really doesn’t matter, but being the inquisitive guy that I am, I wanted to know.

So I searched, and searched and google’d and could not find the answer. At that point there was only one thing left to do – lab it up!

Frame Relay Notes - DE, FECN, and BECN

Thu, 23 Jun 2011 00:00:00 +0000

All are part of the frame relay congestion management suite.
Frame relay switches monitor links for CIR or oversubscription congestion on links.
- If the VC has a CIR of 256k, the switch knows there is congestion if the customer is sending more than 256k down that VC.
Discard Eligible
- Flag in the LAPF header
  - Marks a frame as eligible to be dropped in case of congestion
  - Marked via the MQC
Forward Explicit Congestion Notification
- Flag in the LAPF header
- Set by the switch when the frame is about to enter a link with congestion on a VC
  - Congestion in one direction
  - FECNs are set when the frame is going into the congestion.
- Receiving router can see that there was congestion on the way.
- FECNs can be used to activate adaptive shaping via FRTS.
- Plain English: If Router B receives a frame with the FECN flag set, that means that there is congestion on the path from Router A to this Router B, and that Router B should expect delays.
Backward Explicit Congestion Notification
- Flag in the LAPF header
- Set by the switch when a frame has just left the link with congestion
  - Congestion is the opposite direction.
  - BECNs are set when the frame has just left a link that has congestion on it.
- Notifies the original sending router that there is congestion along that VC.
- Plain English: If Router A receives a frame with the BECN flag set, that means that there is congestion from Router A towards Router B and that the sending host should calm down a little bit.

http://www.sinclair.org.au/keith/networking/frame_relay.html – Corrections requested.

Frame Relay Notes - LMI, Headers, and Encapsulation

Thu, 23 Jun 2011 00:00:00 +0000

Local Management Interface

Manages link between the router and frame relay switch
Routers send Status Enquiry to the switch
The switch responds with a Status message informing the router of the DLCIs available
Serves as a keepalive
Default keepalive is 10 seconds, 3 misses is failed
Three types
- cisco <- default
- ansi (Annex D)
- q933a

R1(config)#interface s1/0
R1(config-if)#frame-relay lmi-type ansi

Headers and Encapsulation

Link Access Procedure for Frame-mode Bearer Services (LAPF) is the first header
- Includes DLCI, DE, FECN, BECN
- To be read by the frame relay switch
Frame relay encapsulation header is next
- To be read by the router on the other end of the VC
Two types
- cisco : proprietary <- default
- ietf : IETF RFC 2427

R1(config)#interface s1/0
R1(config-if)#frame-relay encapsulation ietf <- for all DLCIs
- or -
R1(config-if)#frame-relay interface-dlci 100 ietf <- for specific DLCIs
- or - 
R1(config-if)#frame-relay map ip 10.0.0.1 ietf <- for specific DLCis

PPP Notes - LFI

Thu, 23 Jun 2011 00:00:00 +0000

Link Fragmentation and Interleaving
A QoS tool to prevent smaller, higher-priority packets from waiting on larger packets to transmit
- For example, VoIP packets and FTP packets
Fragments the larger packets and interleaves them with the smaller packets
Only available in PPP with Multilink
- Can be a multilink bundle with a single link in it
Common to use with LLQ to interleave the delay-sensitive packets
fragment-delay allows you to change the fragment size
- In milliseconds
- size = fragment-delay * bandwidth of interface

R1(config)#interface Multilink 1
R1(config-if)#bandwidth 512
R1(config-if)#ppp multilink interleave
R1(config-if)#ppp multilink delay 10

-- Corrections, please.

Redistribution Notes - AD Manipulation

Wed, 22 Jun 2011 00:00:00 +0000

Manipulating administrative distance (AD) is another way to help with a mutual redistribution scenario.
EIGRPs has different ADs for internal and external (redistributed) routes
OSPF and RIP have the same AD no matter where the route orginated.
This means that routes redistributed into OSPF may be used instead of a local RIP route.
- AD 110 (OSPF) beats 120 (RIP) every time.
The distance subcommand allows you to change the AD on specific routes from specific neighbors.
This example changes the AD of the route to 10.0.0.0/16 advertised from 1.1.1.1 to 121.
- This will make this router prefer a RIP route to the same destination.

ip access-list standard RIP-ROUTES
 permit 10.0.0.0 0.255.255.0
!
router ospf 1
 distance 121 1.1.1.1 0.0.0.0 RIP-ROUTES

– Corrections are encouraged.

Redistribution Notes - Tagging

Mon, 20 Jun 2011 00:00:00 +0000

Tagging provides a way to mark common or similar routes to manipulate later.
In redistribution scenarios with mutual redistribution on two different routers, any routes that gets redistributed from one route process to another are tagged.
- When the other router sees those tags on the route, that route to keep from adding non-optimal routes to its routing table.
Tags can also be used to do other manipulation such as setting higher metrics or changing ADs.

OSPF

CCIE R&S Written Materials

Mon, 13 Jun 2011 00:00:00 +0000

I’m scheduled to take the CCIE R&S Written exam on 10 July at Cisco Live, and I’ve been asked by a handful of people on Twitter exactly what materials I’m using. I figured it would be a good idea to let everyone know so that we all can determine whether or not I’m on the right track. I may get to the exam and find out that the books I’ve been reading aren’t even close. It’s happened before.

BGP Notes - Backdoor Routes

Sat, 11 Jun 2011 00:00:00 +0000

The fact that eBGP has an AD of 20 can be a problem.
- You may have a very short path via EIGRP (or OSPF or RIP or whatever other IGP), but the longer eBGP path will be preferred.
For God’s sake, do not lower the AD of EIGRP! Havoc will ensue.
Using backdoor routes causes eBGP routes to have an AD of 200.
- Allows the shorter-path IGP routes to be added to the routing table.

router bgp 123
 network 1.1.1.0 backdoor

-—-

BGP Notes - Confederations

Sat, 11 Jun 2011 00:00:00 +0000

RFC 3065
BGP confederations reduce the size of full mesh iBGP ASes by dividing it up into different areas.
Confederations also remove the need for BGP synchronization since all iBGP routers will have all routes.
In effect, your iBGP AS gets chopped up into different sub-ASes.
Each router is a member of a sub-AS and is a neighbor with every other router in that sub-AS (full mesh).
- Neighbors within a sub-AS are called confederation iBGP neighbors.
- Confederation iBGP neighbors act just like any other iBGP neighbor.
At least one member of each sub-AS is neighbored with members of different sub-ASes.
- Neighbors in different sub-ASes are called confederation eBGP neighbors.
- Confederation eBGP neighbors have a default TTL of 1 just like true eBGP neighbors.
- The NEXT_HOP PA is not changed when passing routes between sub-ASes.
- LOCAL_PREF is also preserved.
Confederations use the AS_CONFED_SEQ and AS_CONFED_SET fields in the AS_PATH PA.
- These fields act like AS_PATHs to prevent loops.
- These fields are cleared out when the route is passed to an eBGP neighbor.
- If components of a summary route (an aggregate-address) have different AS_CONFED_SEQ values, the AS_CONFED_SET is used.
Confederations ASes are not included when the router decides which route is best.
BGP confederation routers are configured to be in a private ASN.
- The confederations should be private to avoid AS conflicts.
- The confederation identifier defines the AS at it appears to the world.

router bgp 65001
 no synchronization
 bgp confederation identifier 123
 bgp confederation peers 65002 65003
 neighbor 2.2.2.2 remote-as 65002
 neighbor 3.3.3.3 remote-as 65003

-—- Comment with corrections, please.

BGP Notes - Route Reflectors

Sat, 11 Jun 2011 00:00:00 +0000

Route reflectors remove the requirement of having a full mesh iBGP network.
Any iBGP route a router reflector learns is sent to all route reflector clients.
- Non-client iBGP neighbors do not get the new route per iBGP rules.
RR clients are configured like normal iBGP routers.
- All RR client config is done on the route reflector.
RRs and clients are part of a cluster.
- RRs in each cluster must be neighbors with each other.
- Each cluster RR appends the cluster ID to the CLUSTER_ID PA; this is used similarly to AS_CONFED_SEQ.
The ORIGINATOR_ID PA is set by and preserved by the RR.
- If a route contains the ORIGINATOR_ID of the receiving router, the update is ignored.
Only best routes are passed to RR clients and non-client neighbors.

router bgp 123
 no synchronization
 bgp cluster-id 1
 neighbor 6.6.6.6 remote-as 123
 neighbor 6.6.6.6 route-reflector-client

-—- Comment with corrections, please.

BGP Notes - Synchronization

Sat, 11 Jun 2011 00:00:00 +0000

With synchronization on, route must be synchronized to an IGP in order for that routes to be able to be voted ‘best" by BGP.
- That means the exact route must already be in the routing table via an IGP.
- Static routes don’t count.
- This is traditionally accomplished by redistributing BGP routes into an IGP.
- With today’s Internet prefix count over 350k, this may not be such a good idea in some situations.
- Synchronization is off by default.
Synchronization prevents black hole routes from being advertised via iBGP.
- Unless every router is participating in iBGP, there’s no guarantee that any one router will have a route to NEXT_HOP.
Synchronization also prevents a router from advertising the black hole to an eBGP neighbor.
- You don’t want to tell the world you have a path to a prefix when you really have a !N.
Synchronization can be safely disabled with the use of route reflectors or confederations.

-—-

BGP Notes - Authentication

Fri, 10 Jun 2011 00:00:00 +0000

Corrections welcome.

It’s simple as pie to enable MD5 auth to a BGP peer.

R102(config-router)#neigh 192.0.2.101 pass MYKEY

EIGRP Notes - Authentication

Fri, 10 Jun 2011 00:00:00 +0000

Corrections - I invite them.

1. Create the keys in the keychain.

R101(config)#key chain KEYCHAIN
R101(config-keychain)#key 1
R101(config-keychain-key)#key-str
R101(config-keychain-key)#key-string MYKEY

2. Enable authentication on an interface.

R101(config-if)#ip authentication mode eigrp 1 md5

3. Associate keychain with EIGRP.

ip authentication key-chain eigrp 1 KEYCHAIN

OSPF Notes - Authentication

Fri, 10 Jun 2011 00:00:00 +0000

Corrections appreciated.

Type 0 : No authentication. This is the default type.

R0(config-if)#ip ospf authentication null
-----
R0(config-router)#area 1 virtual-link 2.2.2.2 authentication null

Type 1 : Clear text authentication

-----
R0(config-if)#ip ospf authentication
  - or -
R0(config-router)#area 1 authentication
R0(config-if)#ip ospf authentication-key MYKEY live sex online
-----
R0(config-router)#area 1 virtual-link 2.2.2.2 authentication-key MYKEY

Type 2 : MD5 authentication

-----
R0(config-if)#ip ospf authentication message-digest
  - or -
R0(config-router)#area 1 authentication message-digest
R0(config-if)#ip ospf message-digest-key 1 md5 MYKEY
-----
R0(config-router)#area 1 virtual-link 2.2.2.2 authentication message-digest message-digest-key 1 md5 MYKEY

BGP Notes - Path Decision

Thu, 09 Jun 2011 00:00:00 +0000

This is required blogging…and reading for that matter. A good chunk of this is taken from my CCNP posts from last year. Corrections, please.

-—-

How does a BGP router decide which BGP route is the best?

Next-hop : Does the router have a route to the next-hop?

Weight : This is a numeric value where bigger is better. Weight is not passed onto other peers and is a Cisco proprietary feature.

BGP Notes - Path Attribute Categories

Wed, 08 Jun 2011 00:00:00 +0000

Make my corrections! Please!

Well-known mandatory : These PAs must be recognized by all BGP routers and passed along to other peers.

Well-known discretionary : These PAs do not need to be in every update, but they must be recognized by all BGP routers.

Optional transitive : These PAs don’t have to be recognized but they must be passed along to other BGP peers if they are present in an update.

BGP Notes - Message Types

Tue, 07 Jun 2011 00:00:00 +0000

Corrigeme, por favor.

Open : When a neighbor is configured, the router sends an open to that neighbor to get the ball rolling.

Destination:  The neighbor's configured IP
Important fields:
  My AS

Update : The routing information

Destination:  The neighbor's configured IP
Important fields:
  Advertised network Klonopin Online
  Path attributes

Keepalive : Sent every 60 seconds by default

Destination:  The neighbor's configured IP
Important fields:
  Nothing, really

Notification : When something is amiss, the router sends a notification message. The receiver then closes the connection.

BGP Notes - Neighbor States

Tue, 07 Jun 2011 00:00:00 +0000

Corrections appreciated.

Idle : There is no relationship, but the router sends out a TCP SYN to the neighbor to get the ball rolling.

Idle (admin) : The neighbor is admined down.

Connect : The router is waiting for the TCP connection to finish. If the TCP connection finishes, the router sends an open and transitions to OpenSent. If it times out, it transitions to Active.

Active : The router tries Cialis to initiate a TCP connection. If the TCP connection finishes, the router sends an open and transitions to OpenSent.

EIGRP Notes - Route Filtering

Tue, 07 Jun 2011 00:00:00 +0000

As always, correction are encouraged.

You can configure an EIGRP router to filter routes from being advertised or from being accepted.

Objective: Filter out the route to 10.0.254.1/32 from being advertised to the rest of the network via EIGRP.

ip prefix-list PRE1 deny 10.0.254.1/32
ip prefix-list PRE1 permit 0.0.0.0/0 le 32
!
router eigrp 1
 distribute-list prefix PRE1 out

-- OR --

ip access-list standard ACL1
 deny 10.0.254.1 0.0.0.255
 permit any
!
router eigrp 1
 distribute-list ACL1 out

EIGRP Notes - Unequal Cost Path Load Balancing

Mon, 06 Jun 2011 00:00:00 +0000

Per the standard rules, please correct anything that’s wrong.

One of EIGRP’s big features is the ability to use unequal cost paths for load balancing. This is done with the variance command.

variance : A multiplier used to calculate which feasible successors can be used as active routes. The router takes integer and multiplies it by the successor’s feasible distance, and any FS with a an FD less than this new number gets submitted to the routing table manager.

EIGRP Notes - Message Types

Sun, 05 Jun 2011 00:00:00 +0000

Please correct if I’m being stupid…which is a lot of the time.

Hello : Discovers and maintains neighbors

Destination:  224.0.0.10
Important fields:
  K values

Update : An update to the topology such as a route withdrawal or a metric change

Destination:  224.0.0.10 -or- unicast during neighbor discovery
Important fields:
  Message sequence number
  Route being updated including k values to compute metric

Query : Used to ask a neighbor if it has a route to a certain network; see casino online for free stuck-in-active

OSPF Notes - Network Types

Sat, 04 Jun 2011 00:00:00 +0000

Corrections are always welcome.

Broadcast : Think an Ethernet segement

DR/BDR? : Yes Default hello interval : 10 sec Neighbor config required? : No

Point-to-point : Physical point-to-point links, frame-relay point-to-point subifs

DR/BDR? : No Default hello interval : 10 sec Neighbor config required? : No

Nonbroadcast Multiaccess : Frame-relay multipoint or physical

DR/BDR? : Yes Default hello interval : 30 sec Neighbor config required? : Yes

Point-to-multipoint : Partial mesh networks like a frame-relay hub-and-spoke configuration

Wireshark and EtherIP Packets

Sat, 04 Jun 2011 00:00:00 +0000

I got a call from our Systems and Security guys today to talk about a Wireshark capture they had done from a user VLAN. They had noticed two frames that were destined for some seemingly random host in the same network as they were in, but the source and destination IP addresses reported by Wireshark made no sense. The frames were from a web server to an IP address on our wireless network. The web server is on the other side of the firewall, and the wireless network is on the other side of the controller; there was no reason at all that a packet with that source and destination would show up here.

OSPF Notes - LSA Types

Thu, 02 Jun 2011 00:00:00 +0000

Yes, it is inevitable that I cover these. I’m sure network types will be next. Per my usual request, please correct my stupidity.

Type 1 - Router : This LSA type lists all the routers by RID as well as the networks to which that router connects.

Type 2 - Network : These LSAs represent broadcast network where more than one OSPF router may live. Think Ethernet or multipoint segment. These LSAs are flooded by the DR for that segment.

OSPF Notes - Neighbor States

Thu, 02 Jun 2011 00:00:00 +0000

My prediction about covering network types was wrong. I’m going to puke out some information about neighbor states for now. As is always the case, corrections are welcome.

Down : No hellos have been received from this router.

Attempt : This state only applies to manually-configured neighbors on an NBMA network. In this state, a router has sent unicast hellos to the neighbor but has not received any back from it.

OSPF Notes - Message Types

Wed, 01 Jun 2011 00:00:00 +0000

I have had my nose deep in several books in preparation for my CCIE R&S written exam, so I haven’t been blogging much at all. Now that I’ve made it to the more familiar topics, I’m hoping to get some notes posted. I’ll start with OSPF message types.

As always, please feel free to correct me here. I’m learning just like the rest of us.

Hello : These messages are used to establish neighbors and serve as keepalives among other things.

Home-grown IOU Scripts

Mon, 16 May 2011 00:00:00 +0000

I’m sure you’ve all heard of Cisco IOU by now, and I’m finally catching up with the other bloggers of the world by mentioning it. It’s an executable version of an IOS image that runs on a Unix (or Unix-like) platform and it’s the backend behind Cisco’s Learning Labs. Instead of running an emulator and loading up various images, you just run the executable and you’re on the console of a Cisco router. It has layer 2 support, so you can fire up switches as well. Being a binary makes it way more efficient than GNS3 will ever be, and the layer 2 support is a wonderful, wonderful feature to have.

Cisco Live 2011 Schedule

Fri, 29 Apr 2011 00:00:00 +0000

For the first time ever, I’m headed to Cisco Live - the big Cisco users conference in Las Vegas! I usually don’t go to these things since I wind up just hanging out by myself, but I’m meeting all sorts of people there - from bloggers to Tweeps to personal friends. It should be a huge blast, and I can’t wait to get there.

For those interested, here’s my schedule.

Configuring an IPv6 Tunnel with Hurricane Electric

Thu, 31 Mar 2011 00:00:00 +0000

My ISP at home is great. I have infinite bandwidth because they have no idea how to do any rate limiting. Heck, they’re not even skilled enough to know that I have several public IP addresses from their DHCP server. That means, though, that they’re not ready for IPv6. They’ve ignored my emails and support tickets asking about their deployment strategy, so I gave up and looked at turning up a tunnel with a broker. I chose Hurricane Electric for no particular reason; they were just the first ones I found. The setup was super-easy and works flawlessly.

Stubby Post - Final Tally of 3750 Failures

Fri, 18 Mar 2011 00:00:00 +0000

It’s pretty widely known that I hate Cisco 3750 switches. We’ve had so many hardware and software failures with them that I’ve got a seriously bad taste in my mouth. Since I’m leaving for a new company, I thought I’d publish some statistics while I still have access to the numbers.

Total TAC cases online casino usa european roulette opened related to 3750s: 21 Number of 3750G-12S-S replaced: 21 Number of 3750G-24TS replaced: 7 Total number of RMAs issued: 28 Total number of 3750s in the company: ~120 Failure rate: 23.3%

Stubby Post - Cisco IOS Petition

Fri, 11 Feb 2011 00:00:00 +0000

Greg Ferro has brought back the petition for Cisco to provide an emulator to the community for learning. Since our current and only family of emulators is well on Garcinia Mangostana its way to oblivion, I ask that we all take the time and sign this petition. To use a cliché, we need to act now before it’s too late.

Routing IPv6 with BGP - The Basics

Thu, 10 Feb 2011 00:00:00 +0000

Are you sensing a theme lately? Since we covered the basics of the main IGPs (I’m an enterprise guy, so no IS-IS comments, please.), I thought I’d try to describe the basics of advertising IPv6 routes over BGP. Yet again, we’re not going to do any route manipulation or change any of the 948284928 BGP attributes. We’re just trying to get routes exchanged.

Configuration

There’s no new version of BGP for IPv6 here. It’s the standard BGP version 4 that we’ve all been using for years, but we’re going to take advantage of the multiprotocol support (MPBGP, RFC 2858 RFC 4760). We’ll get to the differences in a second, but the first thing to do is to set up the BGP process as normal.

OSPFv3 - The Basics

Tue, 01 Feb 2011 00:00:00 +0000

A few hours ago, the last of the IPv4 addresses were allocated by IANA. Now’s the time to learn more about IPv6! Yesterday, I posted about EIGRP for IPv6, so I think I’ll continue the trend by introducing OSPFv3, which is the IPv6 implementation of OSPF. As always, I’m using Cisco routers here. Just as yesterday, this is just a guide to the absolutely basics; if you want to do some funky OSPF magic, you won’t find it here - perhaps in time, though.

Stubby Post - Changes to CCNA Voice, CCVP, and CCSP

Wed, 20 Oct 2010 00:00:00 +0000

I don’t usually cover news from Cisco, but they’ve changed some certification stuff around again, and I thought I would bring it up. This time they’ve changed the CCNA Voice, CCVP, and CCSP, so, if you’ve on those tracks, be careful what you’re studying!

CCNA Voice

Circle 28 February 2011 on your calendars. That’s when the CCNA Voice track gets a shakeup. The IIUC (640-460) exam will be no more, and passing CVOICE (642-436) will no longer be a valid way to get the cert. After the big day, you’ll have to take ICOMM (640-461). This seems to be a much broader exam instead of having the enterprise and commercial focuses in CVOICE and IIUC, respectively. Look out for both CME- and CUCM-based topics including a troubleshooting section.

IIUC Notes - Powering Cisco Phones

Tue, 21 Sep 2010 00:00:00 +0000

Feel free to correct anything that is wrong or incomplete.

Power over Ethernet (PoE)
- Can provide power to a Cisco phone, access point, security camera, etc., through the network cabling, eliminating the need to plug the phone into the wall for power.
- Generic term for providing power on the Ethernet cable
- Provides centralized power that can be put on a UPS
- Allows devices to be located away from power outlets
- Removes cabling clutter at the user’s desk
- Can be provided through PoE-enabled switches, power panels or inline couplers (power injectors)
- Oversubscription is common
  - If every device on a switch asks for full power, the switch may not be able to handle the load.
- Of course, devices can be powered with a power brick at the desk
802.3af

IIUC Notes - VoIP Structures

Tue, 21 Sep 2010 00:00:00 +0000

Feel free to correct. No need to sugar-coat it; I’m pretty new at this stuff. :)

Advantages of VoIP
- Reduces costs of communications: Eliminates/reduces long distance and international call tolls
- Reduces costs of cabling: No need for second network of phone lines
- Integrates all voice into one large network: All your remote offices can be implemented/maintained/controlled centrally
- Provides mobility: Moves, adds, and changes (MACs) are (nearly) eliminated since your phone is just a network node
- Allows use of IP Softphones
- Unifies emails, voice mails, and faxes: All these can be treated as a single box for user messages
- Increases productivity: Ringing multiple devices at the same time eliminates phone tag. <— pushing it, eh?
- Enhances communications: Applications can be launched/updated from a voice call through application servers
- Provides open, compatible standards: You can connect different vendor devices into the same VoIP network. <— I’ve never seen that happen
Cisco VoIP Structure

Stubby Post - Packetlife's Community Lab

Tue, 14 Sep 2010 00:00:00 +0000

I’m way behind in talking about this, but Jeremy Stretch over at Packetlife.net has a community lab that is free to use. This is a great resource for those of us who are too poor to have their own physical devices for Cisco studies. All you need is an account on the site and a sense of community.

There are two labs to reserve, and each contains a firewall, routers, and switches. This is plenty of stuff to get your feet wet with the gear, let you research some functionality that Cisco promised is great, and to lab out something you’re looking to implement. The lab is offered for free, but Jeremy is giving his time and money for this lab. I think it would be a great idea to drop a few dollars to him via his donate link if you use his stuff. If you’re a regular user and don’t donate, I ask that you do a moral inventory on yourself so you might see just how bad you are being.

Stubby Post - Cabling and EtherChannel

Mon, 13 Sep 2010 00:00:00 +0000

I’ve done it. You’ve done it. We’ve all done it. You turn up another EtherChannel bundle and realize the hard way that your interface descriptions aren’t accurate. Or you’ve swapped out a piece-of-crap 3750 and didn’t notice that the labels on the cables were wrong. In either case, we all know that EtherChannel bundles don’t really work if the links aren’t plugged into the right switches.

So, what do you to make sure that your links are cabled the way you think they are? Personally, I don’t trust any label at all - no matter if I did it or not. At some point, someone has changed something on a switch, and that just might have been a change to where the port is question is cabled. If I was onsite, I would hand-trace the cabling from one end to the other then do it again to make sure I didn’t hose it up the first time. The big problem with this technique is that I’m not everywhere at the same time, and the travel budget isn’t very big these days. If I can’t get my hands on the cables, I relegate myself to using CDP to see what’s on the other end of links when putting ports into EtherChannel bundles.

IIUC Notes - Old School Voice Stuff

Wed, 08 Sep 2010 00:00:00 +0000

These are the notes I’ve taken as I read through the study materials. Feel free to correct anything you see.

Analog phone signaling
- Misc
  - Ground = positive = tip
  - Battery = negative = ring
  - Signaling uses specific frequencies for specific events
- Loop start signaling
  - When a circuit in the phone is completed (i.e., you take it off-hook), the CO detects it and provides services.
  - Susceptible to glare, where the phone requests dialtone at the same time that the CO sends a call.
    - Can connect two different calls if in a business with multiple lines
- Ground start signaling
  - The circuit is temporarily completed to signal the CO for services
  - Doesn’t connect any call to any phone directly
  - Used in PBXes.
- Supervisory signaling
  - On-hook: Circuit is open
  - Off-hook: Circuit is completed
  - Ringing: AC current generated by CO to tell the phone to ring
- Informational signaling
  - Gives information for the caller to use
  - Dial tone
  - Busy
  - Ringback: the ring you hear when you call
  - Confirmation: the call is being attempted
  - Congestion: no lines available to make the call
  - Receiver off-hook
  - Reorder: can’t make the call
  - No such number: can’t find the endpoint
- Address signaling
  - Used to send digits
  - Dual-tone multifrequency (DTMF): uses two electrical signals to indicate a digit; touch tone
  - Pulse: flashes the circuit to indicate a digit; rotary dial
- Disadvantages of analog signaling
  - Attenuation
  - Repeaters can’t differentiate between call and noise
  - One cable pair for each call; think about a pair for each call taking place in Manhattan right now
Digitizing voice

Stubby Post - What's an IDB?

Fri, 03 Sep 2010 00:00:00 +0000

I posed the philosophical question on Twitter the other day asking if single trunk links should be in an EtherChannel bundle just in case you need to expand later. I didn’t really expect an answer, but the ever-verbose @WannabeCCIE pointed out (in not so many words) that you should watch your IDBs. What is that?

That’s an interface descriptor block. I admit that I’m not intimately familiar with them, bu they’re data structs in IOS used to keep track of the interfaces on that device. They come in two flavors - hardware and software. HWIDBs usually represent a physical interface but they also represent tunnels, SVIs, PortChannels, subinterfaces, and any other virtual interface that you can configure. The SWIDBs represent the layer-2 encapsulation of each HWIDB, so you’ll see entries talking about Ethernet, HDLC, PPP, etc. That means that every interface you have on a router consumes two IDBs (there are always exceptions). That’s important because each platform and IOS version combination has a limit to the number IDBs that device supports.

Catalyst 3750s - Bad Luck with a Cisco Logo

Tue, 31 Aug 2010 00:00:00 +0000

Last week, @fletcherjoyce posted an article on his blog about his positive experiences with Cisco’s 3750 switches. If you follow my complaints tweets, you know that I’ve had quite the opposite experience with them. I would never pick on anyone, but I had to throw in my 2 cents.

I’m guessing here, but we have about 50 3750 stacks in the enterprise. Most of them are pairs, you wind up with roughly 120 switches. Since we’ve done about 20 replacements over the last 5 years, that means we have a 17% failure rate. That’s pretty horrible, isn’t it?

Three years later...

Mon, 23 Aug 2010 00:00:00 +0000

Another year of Aaron’s Worthless Words has come and gone. This month marks the third full year of blog posts for me, and things sure have changed since the beginning.

At first, this blog was just for my personal rants, but no one cares about that stuff (thus the title), so I looked to move on to something else. I decided that I would go into the non-technical side of the network field, so I started talking about the Principle of Least Privilege and about cabling standards. That got a bit boring, so I started puking out information on the Content Switching Module from Cisco since I couldn’t find anything worth a cracker outside of the documentation. That was a hit, and the topics started expanding and expanding until we got to where we are now. Today, the articles are published in online magazine and are being translated into other languages around the world. Quite a change from complaining about drivers stopping in the crosswalk. :)

Stubby Post - Set DF to 0 with a Route-map

Fri, 20 Aug 2010 00:00:00 +0000

We ran into an issue the other day where an application was setting the DF bit in IP packets to 1. We thought it may be causing problems, so we looked at setting up a route-map to set the DF bit to 0. It turned out to be a different application problem, but it was a good exercise in looking at what you can do with route-maps and policies.

I set up a lab in GNS3 to replicate and do some captures. It’s a really simple setup. R1 connected to R2 connected to R3.

Syncing IOS Versions on a 3750 Stack

Mon, 16 Aug 2010 00:00:00 +0000

For those that don’t know, when I say “stack”, I mean a group of 3750s connected together using the StackWise technology. When you use a very expensive and very proprietary cable, your individual switches are combined into a single logical device. This means you configure one device to control potentially many switches.

To the point. I’ve spent the last few weeks replacing a mess of 3750s in stacks. These guys are very easy to replace, but the big problem I find is getting the IOS version in sync. When the RMA comes, it’s inevitably got a different version on it, and you’ll see something like this.

Some Cisco Testing Advice

Sat, 24 Jul 2010 00:00:00 +0000

If you follow the blog, you know I’ve had quite an adventure getting my CCNP. Finally, this past Monday, after what seemed liked years of struggling, I finished up my ROUTE test and got the email telling me I’d made it. I’ve learned a lot over the course, but, more than the technical details, I learned more about how to prepare for the exams. It’s too bad I hit the moment of enlightenment after I reached the end of the line. Well, at least this line; there will be others very soon.

ROUTE - Epic Win!

Mon, 19 Jul 2010 00:00:00 +0000

Woohoo! I passed the ROUTE test this morning. That means I’m done with the CCNP track! :)

If you remember, I took it over a week ago and had some bad luck on it. Alright, bad luck is the wrong phrase. I didn’t study enough and failed it. This time, though, I had a special weapon on my side - the ROUTE Foundations book. I haven’t used the Foundations books before, but, I saw some tweets about this one, so I picked it up off of Safari. In just a couple pages, I realized that I was reading the answers to several questions directly out of the book. It was amazing. I only studied my weak points and wound up with 144 more points than I did last time. I can’t say that was entirely because of the book, but I must say it was a big reason.

ROUTE Notes - Further IGP Redistribution

Sun, 18 Jul 2010 00:00:00 +0000

As always, corrections are requested.

Study Questions

I’ve got IGRP and EIGRP both configured with the same AS number. What’s special about this configuration?

If both use the same AS number, then they automatically redistribute their routes into each other without using the redistribute command.

When redistributing one IGP into another, where’s a good place to filter routes?

There’s no one good place, but at the router(s) that’s doing the redistribution is a good start. There’s no need to send an IGP a bunch of routes it doesn’t need.

ROUTE Notes - Even More IGP Redistribution

Sat, 17 Jul 2010 00:00:00 +0000

I didn’t do so well on IGP redistribution the last time out, so here’s some more stuff to study. As always, feel free to correct.

Study Questions

What three things are needed to be able to redistribute one routing protocol into another?

1. One or more links into each routing protocol 2. A proper, working config for each protocol 3. The addition of the redistribute command to one or more of the protocols

ROUTE - Epic Fail (#1?)

Thu, 08 Jul 2010 00:00:00 +0000

I took the ROUTE test today and failed like I usually do. That makes me 3-4 on these P-level tests if you’re scoring at home. Don’t worry, though. I’m not giving up. :)

In atypical fashion, I must say that the ROUTE test was a good test. Let me say that again. The ROUTE test was a good test. I said good, though…not great. There were a few problems with it that I’ll get to, but, overall, this is the best test I’ve ever taken for a Cisco cert. The questions were very well-written and there were no obvious omissions or wrong details. I failed this test because I simply didn’t put in enough work.

ROUTE Notes - Controlling BGP

Tue, 06 Jul 2010 00:00:00 +0000

Corrections, please. I skipped a bunch of BGP intro stuff to get to the juicy center. I’ll see if I can come back later and finish the other parts for posterity.

Study Notes

Is BGP route selection a controversial subject?

Yes. If you ask 1000 network guys the best way to influence BGP, you’ll probably get 1000 different answers.

At what position in the PA list of a BGP update do you find the weight attribute?

You don’t. Weight is a Cisco-proprietary thing.

ROUTE Notes - Branch Office Routing

Mon, 05 Jul 2010 00:00:00 +0000

Corrigeme, por favor.

Study Notes

What do IPSec tunnels give you when a branch office is on a broadband connection?

Privacy through encryption Authentication of the remote peer through ISAKMP Delivery of private data over the public Internet

What do you need to configure to get your branch router talking to the Internet?

ISP connection configuration such as PPPoE or PPPoA DHCP server configuration for internal users NAT Firewall services like inspection and filtering

ROUTE Notes - Implementing IPv6 in an IPv4 Network

Sun, 04 Jul 2010 00:00:00 +0000

Study Questions

Your boss says that ever host in the network needs to be converted over to IPv6 by the end of the day. Which of multipoint tunnels, point-to-point tunnels, or native IPv6 would be the most appropriate to use to help with that conversion?

Native IPv6

The engineering department wants to permanently use IPv6 on their test boxes in two offices. Which of multipoint tunnels, point-to-point tunnels, or native IPv6 would be the most appropriate to use?

Point-to-point tunnels

ROUTE Notes - Routing IPv6

Wed, 30 Jun 2010 00:00:00 +0000

Study Questions

Why would anyone develop a version of RIP that supports IPv6?

I have no idea. Boredom, maybe. Whatever the case, it works just like RIPv2, which is pretty scary.

In EIGRP for IPv4, there are several requirements for two routers to neighbor up. Which of those is not true for EIGRP for IPv6?

The two routers don’t need to be in the same subnet. The concept of the link local address takes care of that need since neighbors always share a common medium like an Ethernet segment or a serial link.

ROUTE Notes - Intro to IPv6

Tue, 29 Jun 2010 00:00:00 +0000

Study Notes

Exactly how big is an IPv6 address?

It’s 128 bits long.

This shouldn’t be on the test, but how many unique addresses is that?

That’s 2^128 or a “3” with 38 zeros after it. That’s also 2^95 addresses for each person on earth.

Surely we’re not writing in binary, are we?

No way. IPv6 uses 32 hex characters. Each character is 4 bits, so we wind up with 128 bits of data.

ROUTE Notes - PBR and IP SLA

Thu, 24 Jun 2010 00:00:00 +0000

Feel free to correct.

Study Questions

What’s the most primitive way to get traffic destined to a single host to use a different path than your dynamic IGP dictates?

Use a static route.

What’s the most primitive way to get traffic sourced from a single host to use a different path than your dynamic IGP dictates?

Use policy-based routing (PBR).

What’s the most primitive way to get traffic sourced from a single host and destined for another host to use a different path than your dynamic IGP dictates?

Use PBR.

ROUTE Notes - More IGP Redistribution

Wed, 23 Jun 2010 00:00:00 +0000

As always, feel free to correct.

Study Notes

When a router redistributes from one routing protocol to another, where does the router get the list of routes to redistribute?

From the routing table. Only IGP A’s routes (not topology or successors) are redistributed into IGP B’s domain.

What are two methods of filtering redistributed routes?

Use a route-map in the redistribute line or a distribute-list.

Of the two methods for filtering, which one has more options?

The route-map method has more options. You can match on all sorts of stuff, including an ACL or interface, and filter based on that.

ROUTE Notes - IGP Redistribution

Tue, 22 Jun 2010 00:00:00 +0000

As always, feel free to correct.

Study Questions

When you redistribute OSPF into EIGRP, what are you really redistributing?

Routes knows via OSPF Networks of OSPF-enabled interfaces

What’s the default cost of an EIGRP route redistributed into OSPF?

What’s the default metric of an OSPF route redistributed into EIGRP?

There is none since EIGRP has all those nifty k-values that have to be processed. Routes actually won’t redistribute without them.

ROUTE Notes - OSPF Virtual Links and Frame Relay Stuff

Mon, 21 Jun 2010 00:00:00 +0000

Feel free to correct. I feel like I’m missing a big piece here, so please fill in a gap if you see one. Thanks. :)

Study Questions

How many area 0s (zero) can you have in an OSPF implementation

Just one.

If my company merges with another company, and we’re both running OSPF, how can we get our networks routing together properly?

The easiest thing to do is to connect your two area 0s together through some physical link. If you can, you can use virtual links to connect an ABR to another ABR to extend the zones together.

ROUTE Notes - OSPF Filtering and Summarization

Sun, 20 Jun 2010 00:00:00 +0000

Feel free to correct all this stuff. Additions are also welcome.

Study Questions

How do I keep an area route from reaching a router in that area?

You don’t. That defeats the whole purpose of having the topology database on every router. If you filtered one route from a router, there’s no way that SPF could calculate routes correctly.

Fine, then. Where do I filter routes?

You filter routes on an ABR or ASBR. Since routers only have the whole topology for their area, it’s safe to filter routes from another area or from a redistributed routing protocol. On a more technical note, you’re filtering type-3 LSAs on an ABR and type-5 LSAs on an ASBR.

ROUTE Notes - OSPF Neighbor Relationships

Fri, 18 Jun 2010 00:00:00 +0000

Feel free to correct.

Study Questions

What are the definitions of the hello and dead intervals?

The hello intervals is how often a router sends hello messages. The dead interval is how long to wait before considering a neighbor dead from lack of hello messages; this is 4x the hello interval by default.

How do you keep OSPF from trying to detect neighbors on an interface?

Don’t configure a network statement for that interface Make that interface passive

ROUTE Notes - Controlling Routes in EIGRP

Thu, 17 Jun 2010 00:00:00 +0000

Corrections welcome.

Study Questions

Why would you ever want to summarize routes?

Summarizing routes minimizes the routes advertised to the network. For example, instead of advertising 192.168.0.0/24, 192.168.1.0/24…192.168.n.0/24, a router can advertise a single route to 192.168.0.0/16. Keeping routing tables small saves hardware resources, minimizes convergence times, helps avoid route flapping, and makes the routing table easier to read for humans.

When will an EIGRP router auto-summarize a route?

If a router has interfaces that that are in different classes of network (Class A, B, C), then that router will auto-summarize those routes up to the classful boundary. For example, if you have a 10.0.0.1/24 and a 192.168.100.1/30, the router will advertise 10.0.0.0/8 and 192.168.100.0/24.

ROUTE Notes - EIGRP Topology Stuff

Thu, 17 Jun 2010 00:00:00 +0000

Study Questions

How do you keep EIGRP from killing your WAN?

You can use the ip bandwidth-percent eigrp AS X command to limit the amount of bandwidth that EIGRP uses to update neighbors.

How does EIGRP calculate how much bandwidth it can use for each frame relay PVC?

By default, EIGRP takes 50% of the (sub)interface’s configured bandwidth (with the bandwidth command) to use for updates on NBMA (non-broadcast mutliaccess) networks like frame relay. This value is divided equally among all the PVC configured on that interface.

ROUTE - Redistribution Nuance #2 - OSPF External Metric Types

Sun, 06 Jun 2010 00:00:00 +0000

Last time, we talked about a nifty little lab I set up for redistribution and how the OSPF ASBRs acted a little differently than I expected. This time, let’s look at how changing external OSPF routes to a metric-type of 1 (E1) affects the routing tables.

Here’s the network again.

The static routes are being redistributed into their respective IGPs, and EIGRP is being redistributed into OSPF. Let’s look at the routing table on R1.

ROUTE - Redistribution Nuance #1 - Admin Distance FTW

Mon, 24 May 2010 00:00:00 +0000

I just got back from Global Knowledge’s ROUTE class, and I must say that it was a great class. John Barnes puts on quite the show and is the best instructor I’ve ever had. I digress, though.

One of the topics we covered was route redistribution, so I went back to the hotel one night and fired off this network in GNS3 to study a bit.

The object was to see how redistributing statics into OSPF and into EIGRP differ. It was also an opportunity to see how EIGRP redistributes into OSPF (and OSPF into EIGRP, but I didn’t make it that far). To do that, I redistributed 10.10.10.0/24 from R1 into OSPF and 10.10.20.0/24 from R4 into EIGRP. I then had R2 and R5 redistribute all EIGRP routes into OSPF. It’s a nice mix, but I saw some weirdness in the paths to 10.10.20.0/24.

Stubby Post - VTP Clients Send Updates

Tue, 18 May 2010 00:00:00 +0000

VTP clients send VLAN updates. Did you know that?

I had a VTP server and client in the same VTP domain, and, when I cabled up the trunk, the client overwrote the VLAN database on the server.

The moral of the story is that the best revision number will win no matter what the operating mode of the switch.

SWITCH - Epic Regression

Tue, 11 May 2010 00:00:00 +0000

Just because I like giving more money to Pearson Vue, I took the BCMSN test today to see how I would do. I passed with no problem.

In my mind, the CCNP is a technical certification, so I expect to be tested on technical topics. Are there topics beyond technology that P-levels should know? Of course there are, but I really don’t think whole chunks of the test should be about a preparation plan and rollback procedures. The BCMSN had a lot more technical questions at a much higher level of expertise; it seems much better suited to the CCNP track than the SWITCH test did.

Stubby Post - Time-based ACLs and Policy-maps

Wed, 28 Apr 2010 00:00:00 +0000

Certain divisions of the company tend to shoot themselves in the foot by kicking off large file transfers during business hours, so I had a thought that maybe we could use time-based ACLs to do some QoSing for those guys. I fired up GNS3 with a 3600 running 12.4(25b) with some virtual PCs on it’s Ethernet interfaces.

time-range BUSINESSHOURS
 periodic daily 8:00 to 17:00
!
ip access-list extended PINGS
 permit icmp any any time-range BUSINESSHOURS
!
class-map match-all PINGS
 match access-group name PINGS
!
policy-map PM-F0/0-OUT
 class PINGS

First, I set the router’s time to outside of the time range and sent some pings over.

A Must-Know: TCPDump

Fri, 06 Jun 2008 00:00:00 +0000

If you’ve never used TCPDump before, you’re missing out on one of the best parts of being a network guy – pointing fingers at everyone else.

TCPDump is an open-source app that copies packets on a machine’s NIC to screen or to file. TCPDump is typically a Linux/Unix app; in the Windows world, TCPDump is replaced by WinDump or Ethereal, now known as Wireshark. It’s a must-know for network dude(tte)s since it lets you capture the packets that a machine is generating. An app may be documented to work one way, but I’ve seen many times where the documentation is out-of-date or just wrong, and I’ve had to look at captures to see what it was actualy doing. I used it one time way back when a developer told me the switch was changing his HTTP POST to an HTTP GET; I captured the packets he was sending, pointed to the GET, and never answered a phone call from him ever again.