How do ACLs handle fragments ?
This post represents the solution and explanation for quiz-22. It presents how fragmented traffic is handled differently by a simple access list. It is a long read about fragmentation, Path MTU Discovery, MSS and other stuff...
Poster: Network Safety Starts With You
Being a Network Engineer is a hazardous and even dangerous profession yet the Health and Safety division doesn't seem to care about the network damage and prevention.
It's time for us to stand up and start our own ITIL-compliant safety campaign. I've prepared the following handy sign for you to print and place on your cubicle wall to remind you to be safe out there.
The post Poster: Network Safety Starts With You appeared first on EtherealMind.
Using EEM to Remotely Change a WAN IP – Part 1
I often work remotely on customers’ infrastructures with their remote hands on-site. When a small office or branch changes ISPs or IP blocks, I occasionally find myself in a position where I have to change the only public IP address of a device like a branch office router or firewall, with no out-of-band management. The trouble with this is fairly obvious (on a Cisco device): by changing the IP address via which I am accessing the device over SSH, I will lose my own management session to it. Once the management session is lost, I can’t update the default route, and now the device is broken and I get to walk the on-site hands (who are often not very Cisco-literate) through changing a default route.
There are, of course, several ways to avoid this situation all together:
- Have out-of-band access using a 3G/4G/LTE-connected terminal server (I wrote about one of these before)
- Use a remote app like GetConsole so the remote hands can get me console access out of band using their smart phone
- Use something with a proper commit/rollback mechanism like a Juniper device
- Dial-up modem to the AUX port!
Clearly, from the list above, there are means to Continue reading
Get Ansible to Work on Mac OS X Mavericks
running ansible on mavericks If you’re trying to run an ansible-playbook or just testing around using a Mac running OS X Mavericks. There’s a good possibility that you’ll hit a...[[ Summary content only, you can read everything now, just visit the site for full story ]]
BGP VPNv4 Troubleshooting Commands
Original content from Roger's CCIE Blog Tracking the journey towards getting the ultimate Cisco Certification. The Routing & Switching Lab Exam
When working with MPLs Layer 3 VPN a lot of people get stuck with the verification, simply because they don’t know the bgp vpnv4 troubleshooting commands. This post will step through some of the verification you can use to verify the routes end to end through a simple MPLS Layer 3 vpn topology. The topology […]
Post taken from CCIE Blog
Original post BGP VPNv4 Troubleshooting Commands
Don’t forget to restart all your OpenSSL binaries
The wonder of UNIX is that you can delete running binaries and loaded shared libraries. The drawback is that you get no warning that you're still actually running old versions. E.g. old heartbleed-vulnerable OpenSSL.
Server binaries are often not forgotten by upgrade scripts, but client binaries almost certainly are. Did you restart your irssi? PostgreSQL client? OpenVPN client?
Find processes running with deleted OpenSSL libraries:
$ sudo lsof | grep DEL.*libssl apache 17179 root DEL REG 8,1 24756 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
Or if you're extra paranoid, and want to make sure everything is using the right OpenSSL version:
!/bin/sh
set -e
LIB="/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0"
if [ ! "$1" = "" ]; then
LIB="$1"
fi
INODE="$(ls -i "$LIB" | awk '{print $1}')"
lsof | grep libssl.so | grep -v "$INODE"
- Run this as root in case lsof otherwise wouldn't be able to get at the data (e.g. if you run grsec)
- This assumes all libssl is on one filesystem, since it only checks inode number
- The easiest solution is of course to restart the whole machine, but there's really no reason to if you don't want to
HTIRW: DNS Lookups
Note: Some of this will be really basic for a lot of folks, but bear with me — in looking at the entire system as a system, there are going to be parts of each piece you’ll already know, and other parts you don’t know. Let’s begin where most users will recognize they’re interacting with […]
Author information
26 – Is VxLAN a DCI solution for LAN extension ?
One of the questions that many network managers are asking is “Can I use VxLAN stretched across different locations to interconnect two or more physical DCs and form a single logical DC fabric?”
The answer is that the current standard implementation of VxLAN has grown up for an intra-DC fabric infrastructure and would necessitate additional tools as well as a control plane learning process to fully address the DCI requirements. Consequently, as of today it is not considered as a DCI solution.
To understand this statement, we first need to review the main requirements to deploy a solid and efficient DC interconnect solution and dissect the workflow of VxLAN to see how it behaves against these needs. All of the following requirements for a valid DCI LAN extension have already been discussed throughout previous posts, so the following serves as a brief reminder.
DCI LAN Extension requirements
Strongly recommended:
- Failure domain must be contained within a single physical DC
- Leverage protocol control plane learning to suppress the unknown unicast flooding.
- Flooding of ARP requests must be reduced and controlled using rate limiting across the extended LAN.
- Generally speaking, rate limiters for the control plane and data plane must be Continue reading
Awesome Putty tips and tricks for work and the CCIE Lab!
Original content from Roger's CCIE Blog Tracking the journey towards getting the ultimate Cisco Certification. The Routing & Switching Lab Exam
If you use Putty on a daily basis or have only encountered it in the CCIE lab exam then you will know what a great tool it is. Simple and effective (with no tabs!) Most people though may not use putty on a daily basis preferring something like SecureCRT so will not be familiar with […]
Post taken from CCIE Blog
Original post Awesome Putty tips and tricks for work and the CCIE Lab!
NPM build error
NPM build error
NPM has a bunch of useful stuff on it, however you could in life while using NPM get this:
stack Error: "pre" versions of node cannot be installed, use the --node dir flag instead
This error basically says “Give me the node
Don’t Disable IP Unreachables it Just Breaks Things
PERFORMANCE NOT YOUR PROBLEM? Then by all means disable ip unreachables in your networks, specially at the edge, whether it’s the WAN or your Transit / Internet connections. There are very few...[[ Summary content only, you can read everything now, just visit the site for full story ]]
Configuring Mellanox switches
The following commands configure a Mellanox switch (10.0.0.252) to sample packets at 1-in-10000, poll counters every 30 seconds and send sFlow to an analyzer (10.0.0.50) using the default sFlow port 6343:sflow enableFor each interface:
sflow agent-ip 10.0.0.252
sflow collector-ip 10.0.0.50
sflow sampling-rate 10000
sflow counter-poll-interval 30
interface ethernet 1/1 sflow enableA previous posting discussed the selection of sampling rates. Additional information can be found on the Mellanox web site.
See Trying out sFlow for suggestions on getting started with sFlow monitoring and reporting.
Coffee Break – Show 6
News of the Networking Industry in the time it takes to drink a coffee (more or less). This week we are joined by Amy Engineer to parse the news and dig into the business of technology.Coffee Break – Show 6
News of the Networking Industry in the time it takes to drink a coffee (more or less). This week we are joined by Amy Engineer to parse the news and dig into the business of technology.
Author information
The post Coffee Break – Show 6 appeared first on Packet Pushers Podcast and was written by Greg Ferro.
Coffee Break – Show 6
News of the Networking Industry in the time it takes to drink a coffee (more or less). This week we are joined by Amy Engineer to parse the news and dig into the business of technology.
The post Coffee Break – Show 6 appeared first on Packet Pushers.
CWNA CWSP CWAP Study Resources
General Resources
Quick overview of 802 legacy, 802.11a, 802.11b, 802.11g, 802.11n, and the 802.11ac draft standard.
Free Wi-Fi Learning Resources from CWNP
The CWNP Question of the Day (QOTD)
CWNP Study Guide CD-ROM Downloads
Packetlife WLAN cheat sheet
CWNA
Certified Wireless Network Administrator (CWNA) Overview of the Certificfation
CWNA Certified Wireless Network Official Study Guide: Exam PW0-105 (CWNP Official Study Guides)
Here is the link to download the updated PW0-105 CWNA exam objectives
Wi-Fi Back to Basics – 2.4 GHz Channel Planning
Wikipedia page on WLAN Channels
Introduction to Wi-Fi Wireless Antennas
Wi-Fi CERTIFIED™ for WMM®-Power Save
Aerohive’s Medium Contention & Mac Sublayer WiFi 101 video (28:00)
Radio Frequency Measurements (1:13)
Memorize 802.11 MCS values and Data rates for CWNA or CWDP (YouTube Video)
CWSP
CWSP Certified Wireless Security Professional Official Study Guide: Exam PW0-204 (CWSP Official Study Guides)
Here is the link to download the updated PW0-204 CWSP exam objectives
EAP Types (Excel file for my own reference)
Marcus Burton, Director of Product Development at CWNP, Continue reading
DMVPN Tunnels => Have a Transport VRF
WHAT IS A TRANSPORT VRF? What do I mean be a transport VRF, lets expand on that a bit. The transport VRF is used to carry tunnel source, to tunnel destination traffic. Simplistic example, imagine a...[[ Summary content only, you can read everything now, just visit the site for full story ]]
BGP Peer in wrong AS
Original content from Roger's CCIE Blog Tracking the journey towards getting the ultimate Cisco Certification. The Routing & Switching Lab Exam
When configuring BGP with a remote peer you might get the error message BGP peer in wrong AS *Apr 18 08:39:15.455: %BGP-3-NOTIFICATION: received from neighbor 10.0.12.2 passive 2/2 (peer in wrong AS) 2 bytes 0002 This means that you have mis-matched AS numbers in your BGP configuration. You can phone up the remote end and […]
Post taken from CCIE Blog
Original post BGP Peer in wrong AS
My Schedule for Cisco Live 2014
Everything is in order for my trip to Cisco Live 2014 in San Francisco. Conference passes are purchased. Hotels are reserved. Flights are booked. It’s going to be a great event, and I can’t wait!
Note: My wife will be with me again this year, and she is trying to get a tour group going to look around the city while others are in sessions. If you want to be in on the tourist action, contact her via Twitter.
As per tradition (a new tradition, but a tradition nonetheless), here is my schedule for the week. Also as tradition, I’m bound to only do about 20% of what’s documented here. If you’ve ever been, you know what I mean. Here we go.
<strong>Saturday, May 17</strong>
<strong>13:00</strong> - Arrive in SFO
<strong>Sunday, May 18</strong>
<strong>14:00</strong> - Exam
<strong>16:00</strong> or so - Tweetup
<strong>Monday, May 19</strong>
<strong>08:00</strong> - <a href="https://www.ciscolive2014.com/connect/sessionDetail.ww?SESSION_ID=2182">BRKCRT-2001 - NX-OS, IOS, IOS-XR,
</a> <a href="https://www.ciscolive2014.com/connect/sessionDetail.ww?SESSION_ID=2182">Unique and Similar at the Same Time</a> w/ <a href="https://www.ciscolive2014.com/connect/speakerDetail.ww?PERSON_ID=767D7F27ADC21F9EC5B18A984682E57E/?cid=000334090">Joseph Rinehart</a>
<strong>10:00</strong> - <a href="https://www.ciscolive2014.com/connect/sessionDetail.ww?SESSION_ID=3114">BRKCRT-2000 - HardCore IPv6 Routing - No Fear</a>
w/ Scott Morris, Donnie Moss
<strong>13:00</strong> - <a Continue reading
Dealing with MySQL resource shortage
Dealing with MySQL resource shortage
You may in life while working with mysql get the following errors:
ERROR 1016 (HY000) at line 1: Can't open file: './blah/table.frm' (errno: 24)
or
``` SQL Error (23): Out of resources when o