Tony Mattke

Author Archives: Tony Mattke

RouterJockey is launching a clothing line?!?!???

Ok maybe that title is a bit grandiose… But due to the great response I received Friday morning from the launch of the original PCAP shirt, and the IPv6 follow-up, I decided to create a few new designs and put everything into a store front. If the demand continues I will continue to publish new shirts, and keep up with relaunching original designs into their own campaigns. Not that I expect the demand for these shirts to continue long term, but you never know. Nevertheless I appreciate everyone’s support thus far.

But I need you! Yes… You! I need your ideas, and most importantly I need your feedback. So please, contact me on twitter and let me know what you think. If you like what you see, please share the url for the store.

Without further ado…

Click to visit the RouterJockey shop

The post RouterJockey is launching a clothing line?!?!??? appeared first on Router Jockey.

PCAP or it didn’t happen…. The t-shirt!

Some days I don’t know why I do things… But last night I was playing around with creating a PCAP meme when my friend Josh Kittle said he’d be interested in a t-shirt like that. I got to thinking about it and realized some network engineers out there also might enjoy something like this, so I fired up a campaign on teespring!

Let me know what you think, I may do other shirts in the future as this was fun to work on. If you have any ideas you don’t plan on using, let me know and I might work on developing them.

Oh, and since Jay Franklin had to have an IPv6 shirt… I also launched another version with an IPv6 packet capture, and the #IPv6 hashtag on the back.


Click one of the shirts to see them on teespring…


ASA v9.4 Elliptic Curve Cryptography with TLS1.2

With ASA version 9.4, Cisco has added support for Elliptic Curve Cryptography (ECC), which is one of the most powerful types of encryption in use today. While ECC has been in use since 2004, only recently has its use skyrocketed. Part of the reason is power consumption… In my limited understanding, experts have concluded that a shorter ECC key is just as strong as a much larger RSA key. This increases performance significantly, which reduces the power required for each calculation. If you want to learn more about ECC, check out this fantastic article from Ars Technica.

That brings me to the issue. Last night I failed over some 5585-Xs running > 9.4 that happened to be doing AnyConnect SSL VPN. This morning, my client was seeing issues. Luckily the solution was simple, and a colleague pointed me to it fairly quickly. From the Cisco support community page I found later on….

For version 9.4.(x) we have the following information:

Elliptic curve cryptography for SSL/TLS—When an elliptic curve-capable SSL VPN client connects to the ASA, the elliptic curve cipher suite will be negotiated, and the ASA will present the SSL VPN client with an elliptic curve Continue reading

Well Known Intervals

Listed below are many events which occur on network devices at well-known intervals. The list is provided as an aid while troubleshooting recurring network disruptions. Please consider helping to expand this list by adding other recurrent issues you encounter that are not already listed.

This list was generated by Jeremy Stretch from PacketLife, but lost after he took his wiki down. Luckily I had previously saved it, as I found it useful, and with his permission I’ve reposted it here.

Short (<=5 minutes)

1 Second

  • Default VRRP hello timer
  • Default EAP-Identity-Request Timeout (Unified WLAN)
  • Default EAP-Request Timeout (Unified WLAN)
  • Default EAPOL-KEY Timeout (Unified WLAN)
  • CleanAir AP Sampling Interval (Unified WLAN)
  • Default Group Specific Query interval (Maximum Response Time of 10) for IGMPv2

2 Seconds

FCC approves net neutrality rules, reclassifies broadband as a utility

Today is a good day. By a 3-2 vote, the FCC has voted to adopt net neutrality rules to protect the open Internet. This plan will reclassify Internet access as a Title II public utility, which in turn gives the agency more regulatory power. While many will say that any power grab by the government is a bad thing, this is certainly good news for consumers. The Internet as a whole has become far too important to be controlled by a few private corporations which are more interested in lining their own pockets than in listening to the public interest. FCC Chairman Tom Wheeler was quoted saying, “This is no more a plan to regulate the Internet than the First Amendment is a plan to regulate free speech.” I couldn’t have said it any better myself.

This plan will put a stop to paid prioritization (see Comcast / Verizon forcing Netflix to pay for bandwidth usage, which is the complete opposite of most peering agreements). It also prevents ISPs from creating Internet slow lanes for traffic as they see fit. Until now, Verizon Wireless has been allowed to charge its customers monthly fees for access to “business email” Continue reading

Cisco Live 2015 – Mike Rowe Announced as Keynote Speaker

Cisco just announced to the Cisco Champion community that the guest speaker for the keynote is going to be none other than …… Mike Rowe!! In case you don’t know, Mike Rowe is an American TV host, narrator, actor, and former opera singer. He is best known for his extensive work on the Discovery Channel. He has starred on the show Dirty Jobs, and narrated many shows including Deadliest Catch, American Hot Rod, and Ghost Hunters. He also did a quick stint on the QVC Shopping Network, where he was hired after talking about a pencil for nearly eight minutes. According to his bio, he worked the graveyard shift for just three years, until he was ultimately fired for making fun of products and belittling viewers. I’ve included one of my favorite videos from his time at QVC down below; be sure to check out some of the other ones if you haven’t seen them.

Mike also founded the mikeroweWORKS Foundation, which promotes hard work. Mike has long been a supporter of the skilled trades and his foundation works hard at awarding scholarships to men and women who demonstrate an aptitude for doing the work that America needs. He is also Continue reading

BGP Communities

BGP Communities have to be one of my favorite features added to the BGP protocol. As you should know by now, BGP passes several attributes between peers that help influence the BGP best path selection algorithm. One of these is the BGP Community attribute. Think of this as another tag placed on the route advertisement that can give us additional information.

This tag is formatted as a 32-bit value that is typically displayed as two 16-bit parts. The most common and most widely accepted practice treats the first part as your Autonomous System Number (ASN), followed by a 16-bit attribute. For example, if your ASN was 65248 and you wanted to tag this route with the number 666, you would set something like 65248:666.

As for the second half of our tag, this number is arbitrary. BGP Communities are an optional transitive attribute. This means that BGP treats these tags as purely informational, and that it is up to the network engineer to decide what these values mean, and what to do with them.

RFC 1997 defines some well-known communities that have global significance. These values and their operations should be respected by any community Continue reading
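As an added illustration (not code from the Router Jockey post), here is a small Python helper that packs and unpacks the ASN:value tag described above and applies the RFC 1997 well-known communities to an export decision; the function names and the peer-kind labels are this example's own, while the well-known values are the ones RFC 1997 assigns.

```python
# Added example, not code from the Router Jockey post: pack/unpack the
# ASN:value community tag described above and apply the RFC 1997 well-known
# communities. Function names and peer-kind labels are this example's own.

# RFC 1997 well-known communities (global significance, fixed values)
NO_EXPORT = 0xFFFFFF01            # keep inside the local AS / confederation
NO_ADVERTISE = 0xFFFFFF02         # do not pass to any BGP peer at all
NO_EXPORT_SUBCONFED = 0xFFFFFF03  # keep inside the local confederation member AS

WELL_KNOWN = {
    NO_EXPORT: "no-export",
    NO_ADVERTISE: "no-advertise",
    NO_EXPORT_SUBCONFED: "local-as",
}


def encode_community(asn: int, value: int) -> int:
    """Pack ASN (high 16 bits) and local value (low 16 bits) into one 32-bit tag."""
    if not (0 <= asn <= 0xFFFF and 0 <= value <= 0xFFFF):
        raise ValueError("ASN and value must each fit in 16 bits")
    return (asn << 16) | value


def decode_community(tag: int) -> tuple[int, int]:
    """Split a 32-bit community back into its (ASN, value) halves."""
    if not 0 <= tag <= 0xFFFFFFFF:
        raise ValueError("community must be a 32-bit value")
    return tag >> 16, tag & 0xFFFF


def parse_community(text: str) -> int:
    """Accept 'ASN:value' (e.g. '65248:666'), a well-known name, or a bare integer."""
    t = text.strip().lower()
    by_name = {name: tag for tag, name in WELL_KNOWN.items()}
    if t in by_name:
        return by_name[t]
    if ":" in t:
        asn, value = t.split(":", 1)
        return encode_community(int(asn), int(value))
    tag = int(t)
    decode_community(tag)  # range check only
    return tag


def format_community(tag: int) -> str:
    """Render as the usual ASN:value form, or the well-known name if it has one."""
    if tag in WELL_KNOWN:
        return WELL_KNOWN[tag]
    asn, value = decode_community(tag)
    return f"{asn}:{value}"


def may_advertise(communities: set[int], peer_kind: str) -> bool:
    """RFC 1997 export rule for a route carrying these tags; peer_kind is
    'ibgp' (same AS), 'confed' (another member AS) or 'ebgp' (outside)."""
    if peer_kind not in ("ibgp", "confed", "ebgp"):
        raise ValueError("peer_kind must be ibgp, confed or ebgp")
    if NO_ADVERTISE in communities:
        return False
    if NO_EXPORT in communities and peer_kind == "ebgp":
        return False
    if NO_EXPORT_SUBCONFED in communities and peer_kind != "ibgp":
        return False
    return True  # private tags such as 65248:666 carry no built-in meaning
```

Only the three RFC 1997 values change the export decision here; a private tag like 65248:666 round-trips through the encoder but, as the post says, means whatever your own policy makes of it.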

Cisco Live 2015 – Customer Appreciation Event Featuring Aerosmith!!

Yes, you heard me right. Aerosmith!

One of the most looked-forward-to social events at Cisco Live has always been the Customer Appreciation Event (CAE). Cisco rarely lets us down when throwing this shindig, and has amazed us in the past by renting out resorts, baseball stadiums, and even Universal Studios.

This year, the CAE will be held on Wednesday June 10th at 7:30 inside Petco Park which is just a short walk from the convention center. With Aerosmith headlining this event it is sure to be huge! So if you haven’t already registered for CLUS15, be sure to do so NOW!!!


In other news, it seems that CDW is sponsoring a new outdoor social media area for us to connect and hang out by the waterfront. Currently I believe this to be in addition to the normal social media hub that Cisco has been providing us since 2012.

CLUS 2015 BUS STOP

This rendering of the area seems to indicate that it is located behind the convention center, probably in this area…


If you have any questions about this year’s event please reach out to @CiscoLive on Twitter, or on Facebook!


Cisco VIRL released into the wild

After much waiting from all of us, Cisco has released VIRL, on “Cyber Monday” no less. As you may remember, VIRL was the talk of CLUS 2013, and many of us have been eagerly waiting for this tool ever since. For those of you out of the loop, VIRL enables users to rapidly design, configure and simulate Cisco network topologies. With it we can run IOSv (IOS Virtual), IOS XRv, CSR1000v (which runs IOS-XE), and NX-OSv (a la the previously leaked Titanium). The cool factor really starts to come into play when you look at how fast you can deploy the base network configurations. Cisco has leveraged OpenStack, KVM, and AutoNetkit along with their VM Maestro GUI to allow you to quickly create network topologies and have the base configurations built automagically. The downside is that we are missing some features that some of us are rather used to, including serial interfaces, Cisco ASA, and L2 support. Hopefully these will arrive in the future, although I’ve heard no rumors of such as of yet….

Pricing is done in two tiers, both of which are annual subscriptions. The personal edition is $199.99/year (But you can save $50 currently by using the virl50 Continue reading

The Unofficial JNCIE-ENT Prep Guide

Some of you may have heard that Jeff Fry has published his Unofficial JNCIE-ENT Prep Guide, but how many of you have purchased it yet? I’ve had the opportunity to look it over as he was completing it, and I must say it is an impressive collection of work. He has stuffed over 500 pages into the workbook, and we’re not talking about fluff. Countless hours and many months of work later, he has published it with LeanPub, and will continue to issue updates. That is one of the nice things about Leanpub: with your purchase, you have the right to receive all future updates to the content! And many publishers, at least the ones I’ve purchased from, do push out significant updates to their work. You also receive a 100% guarantee on your purchase, which means if you are not happy, you can receive a full refund within 45 days of purchase. Jeff has also published a sample which includes the full table of contents and a small sample section of the content.

If you’re studying for the JNCIE-ENT use the link below and receive 25% off your purchase.



AS-Path Filtering

Before we get into the how, let’s talk about the why. According to the CIDR Report, the global IPv4 routing table sits at about 525,000 routes; it has doubled in size since mid-2008 and continues to press upwards at an accelerated rate. This momentum, which by my estimate started around 2006, will most likely never slow down. As network engineers, what are we to do? Sure, memory is as plentiful as we could ask for, but what of TCAM? On certain platforms, like the 7600/6500 on the Sup720 and even some of the ASR1ks, we have already surpassed the limits of what they can handle (~512k routes in the FIB). While it is possible to increase the TCAM available for routing information, there are other solutions that don’t involve replacing hardware just yet.

As far as I know, adjusting TCAM partitioning on the ASR1000 is not possible at this time.

Before I get too deep into this, I should clarify as many of you (yes, I’m looking at you Fry) are asking yourselves why is an ISP running BGP on a 6500… Many of my customers are small ISPs or data centers that have little to no Continue reading

Network Design — Keeping it simple

Since the dawn of time people have skirted best practice and banged together networks, putting the proverbial square peg in the esoteric round hole. For example, new vendor XYZ’s solution has brought in new requirements for deployment. While it may seem easier to throw together a new firewall, a switch, maybe some additional routes, and of course Tom‘s favorite… NAT — where does it stop!? As you continue to pile layer upon layer into your uninspired network design, you will soon realize that your “beautiful network” has become the ugly duckling that you need help fixing.

That leads me to my first point. Complex systems are expensive, not only in CAPEX, but in OPEX. When you design and build a network, you have to ensure that you are not building something that no one else has dreamed up, or else your problems will also be unique. And without the additional money to hire top tier engineers, you could be short staffed, or worse yet, facing the problem on your own. The more complex your network becomes, the more likely it is to fail. As I’m often quoted as saying, “The complexity required for robustness, often goes Continue reading

Cisco ISR 4000 – Now with more licensing!

This week at Interop NYC, Cisco launched its ISR 4000 Series. This is a new approach for them, focused on delivering services to your branch offices. Cisco has dubbed this new approach the Intelligent WAN (IWAN) — but before we talk about that, let’s talk about hardware. Those of us that have been paying attention remember that Cisco announced the ISR 4451 at Cisco Live 2013. The 4451 boasts a multi-core CPU architecture that runs the by now all too familiar IOS-XE. Its 1-2 Gbps of throughput made it a perfect fit for those looking for something in between a 3945 and an ASR1k. Now that Cisco has brought the rest of the family into the spotlight, it all makes sense.


ISR 4k Family

IWAN focuses on a few key fundamentals to get more bang for your buck. And because Cisco has stuffed some serious hardware into the 4k, you won’t see the same performance hits you’re all too familiar with in the ISR series. But more on that in a second. Here is Cisco’s breakdown of the Intelligent WAN…

  • Transport Independence – Providing flexibility when it comes to connectivity. DMVPN can help augment your network with low cost bandwidth for Continue reading

HP talks SDN at Interop NYC 2014

I generally try to avoid combining my thoughts about presentations, but I have to mention that after sitting down with Glue Networks and their “SDN” presentation, it was truly a breath of fresh air to hear from HP. They went into some detail on how they demonstrated the capabilities of their SDN platform. They purposely stretched their network out to the limits of what they thought was possible.

On top of that, they spent some time talking about the launch of the very first SDN application ecosystem to market. I have to say, this is a fantastic idea and I’m glad that they brought it to fruition. The App Store will help customers understand the real value behind SDN, as well as discover specific network applications that could help solve problems they’re facing today.

Take a few minutes to listen to Chris Young and Jeff Enters from HP give a fantastic whiteboarding session on the architecture behind the network they brought to Interop and the specific challenges of building it. Check out http://hp.com/go/sdn for more info.

Standard TFD Disclaimer

While Cisco and HP were responsible for paying a portion of the travel and lodging costs for me during Continue reading

Installing VMware tools on Cisco ACS

As of ACS v5.4, Cisco has finally included VMware Tools for their ADE OS. Unfortunately, when you upgrade, they do not get installed automatically, as the installation is only triggered during an initial install. This post is for those of us that have upgraded to version 5.4 and didn’t choose to do a fresh install.

First of all, you need to get your hands on the Root Patch. This Root Patch gives you root shell access to the ADE OS, which is just a customized version of Red Hat Linux. You can get this patch from TAC by asking them nicely, or by telling them you need to install VMware Tools on your ACS 5.4 install. I’m sure if you’re clever you can find a copy out in the wild as well. But your mileage may vary…

Installing the ACS Root Patch

This part is pretty simple. Using the ADE OS application installer, install the package using a predefined repository…

acs/eladmino# application install RootPatch-ACS-5-4.tar.gz ftp 
Save the current ADE-OS running configuration? (yes/no) [yes] ? 
Generating configuration...
Saved the ADE-OS running configuration to startup successfully
Initiating Application installation...

Application successfully installed
acs/eladmino# 

Using the Root Patch

After the install, you Continue reading

Using Deny ACEs in your PBR ACL on your Nexus 7k

Quite a while ago I had a need for some network duct tape… Policy Based Routing, while useful, should IMHO only be used as a temporary fix. But as you know, temporary things soon become part of production and end up staying around far too long. But I digress. I had a need for some PBR, but soon found out that NX-OS had no support for deny entries in your ACL. This can pose an issue depending on the number of destinations needed. Mine needed to match everything on the Internet, minus RFC 1918 space and some internal VPN routes and such. Over time, I ended up having to rewrite this 100-line ACL several times, until I saw that NX-OS 6.1(3) had support for deny statements.

I was so excited, I immediately rewrote my ACL into a very svelte 20 lines including remarks. My change window came, I applied my ACL, and was faced with an error message. Luckily, I quickly figured out that we need to enable the ability to use denies.

nexus-7010(config)# hardware access-list allow deny ace

Honestly, I just wanted to get this bit of info out there as I haven’t really seen information on it. Continue reading

Vendor PSA: Words and Phrases to Avoid in Presentations

Over the years IT professionals have sat through countless presentations, conference calls, and keynotes. We’ve been preached to, had “the problem” explained to us, and been forced to bear witness to the future. During such events all of us have had to step up and explain that we already understand the problem, we know who your company is, and we really just want to know how your product works.

Outside of the normal annoyances, there are several words or phrases that invoke pain and disgust in our hearts, and one such phrase came up today. While I won’t mention the source or berate them any more than they already have been, I do want to put this list out there for future reference… If I’ve forgotten something that drives you crazy, please feel free to contact me so I can add it here.

  • Cloud — we jumped the shark with Cloud years ago….
  • Gartner — No one that understands technology cares what Gartner says. Period.
  • Magic Quadrant — See above.
  • Single Pane of Glass — An overly obvious marketing term.
  • Next Generation — Really? Prove it.
  • Game Changer — See above.
  • Software Defined $something — Just like Cloud, we’ve driven this into the ground.
  • And Continue reading

Cisco ASA Packet Captures for Fun and Profit

As many of you know, my background isn’t in enterprise, but I currently fill that role in my $job. In order to succeed I’ve had to develop many new skills, including learning Cisco Wireless, UCS, a little Fibre Channel, and of course Cisco ASA. While I have been using firewalls for many years, I’ve never used the ASA for anything more than a user firewall, or for supporting a small branch. So yes, my skills are lacking in the ASA market compared to other technologies, and when you get deep into the grind with any product you’re going to need some new tricks to aid in your troubleshooting. This is where ASA packet captures come into play.

Define Interesting Traffic

As with any packet capture, or even log viewing, the amount of noise involved generally dwarfs the data you actually want to find. In order to ease your pain, Cisco has allowed us to filter our packet capture using an ACL.

FW# access-list FOO line 1 extended permit ip any host 10.2.1.5 
FW# access-list FOO line 2 extended permit ip host 10.2.1.5 any 

Once you have your traffic defined, you need to setup your capture. Continue reading

Fixing iMessage on Hackintosh

In mid-December 2012 Apple shut down the Messages Beta for Lion, and soon after many hackintosh users started noticing issues with signing into iMessage. At some point, people far smarter than me managed to patch a little-used bootloader called Clover to allow us to log into iMessage, but Clover is young and still full of random issues. Honestly, it never liked the system ID on my partition, so I was never able to use it. But now, it seems that someone has patched our widely used Chameleon bootloader! I’ve tested it on my own hackintosh, and many users are also reporting success.

The instructions are simple enough, and should only take you 3 minutes + a reboot to implement and test!

  1. Download the following files to your hackintosh
  2. Execute the following commands

     sudo mkdir /Extra/modules
     cd /Extra/modules
     sudo unzip ~/Downloads/FileNVRAM.dylib.zip
     sudo rm -rf __MACOSX
     sudo rm -rf ACPICodec.dylib

     If you have ACPICodec.dylib in your /Extra/modules folder, you need to delete it.

  3. Unzip the Chameleon installer, and run it — make sure you install to your boot disk
  4. Reboot, and try to login to iMessage

Hopefully this will take Continue reading