Second CCIE, or CCDE?
“Should I get a second CCIE, or a CCDE?” A number of people have asked me this recently; in the process of answering those questions, I’ve developed a couple of lines of reasoning that I thought worth sharing here. No, I’ve not been posting much recently — I’m wrapped up in a bunch of different […]
Author information
7 Tips For Improving Your Communications Skills at Work
In my last article, I identified the importance of effective communication in the workplace. Today’s article is a follow-up that offers several suggestions meant to help individuals improve these skills. Some tips may be more or less relevant to the situations that are specific to an individual’s role. As I mentioned in my previous article,l […]
Author information
The post 7 Tips For Improving Your Communications Skills at Work appeared first on Packet Pushers Podcast and was written by Paul Stewart.
London Seminar – Multicast & Product Updates
Date: September 17th, 2013
Time: 8:30am
Venue: The Four Seasons London at Canary Wharf
Please join us for an informal breakfast seminar to discuss the IP routing management needs of organizations in the financial services, broadcast video, and other industries. Attendees will also receive a Packet Design product update from Matt Sherrod, Vice President of Products, and see a demonstration of the newly-released Multicast Explorer which offers unprecedented real-time and historical visibility into multicast routing operations as well as powerful modeling capabilities. In addition to breakfast, attendees will have a chance to win a Beats by Dre™ Bluetooth Speaker.
Who should attend: Network routing engineers, network architects, planners and administrators; network operations engineers and managers, directors and vice presidents of network infrastructure and IP communications.
New York Seminar – Multicast & Product Updates
Date: September 12th, 2013
Time: 8:30am
Venue: The Westin at Times Square
Please join us for an informal breakfast seminar to discuss the IP routing management needs of organizations in the financial services, broadcast video, and other industries. Attendees will also receive a Packet Design product update from Matt Sherrod, Vice President of Products, and see a demonstration of the newly-released Multicast Explorer which offers unprecedented real-time and historical visibility into multicast routing operations as well as powerful modeling capabilities. In addition to breakfast, attendees will have a chance to win a Beats by Dre™ Bluetooth Speaker.
Who should attend: Network routing engineers, network architects, planners and administrators; network operations engineers and managers, directors and vice presidents of network infrastructure and IP communications.
Cisco Nexus vPC Config-Sync
In my previous blogs NX-OS vPC FEX config example and Configuring VSS Cisco 6500 and vPC, I've covered virtual Port-Channels in detail. For those new to this terminology, virtual port-channel or vPC makes a pair of Cisco Nexus 5K/7K switches (vPC peers) appear as a single logical switch to a downstream device. Arp tables, mac address tables and route tables can be synchronized across the vPC Peer-Link (link connecting the two peer switches). This provides great redundancy in typical Data Center networks.
Every time I configure a Nexus environment at a Data Center, or a campus core, I have to explain to the end user that the configurations on the vPC peers are not synchronized. Say for example you configure Eth1/30 on Nexus-1, and forget to configure Eth1/30 on Nexus-2, and a device is dual homed to Eth1/30 on both Nexus switches, then when vPC failover occurs and vPC Primary/Secondary roles are switched over, the new primary switch will not have any configuration in store for Eth1/30, and this will cause a service disruption.
To avoid this, you have to be very meticulous and have matching configurations across both vPC peers. Or, you can use configuration synchronization available Continue reading
Understanding Flow Export Terminology
The variety of terms used to describe network flow export technologies and components can be pretty confusing. Just last year I wrote a post on web usage tracking and NetFlow that is already a bit obsolete, so here's an attempt to explain some of the newer terms and capabilities in use today.NetFlow Version 5
NetFlow v5 is sort of the least common denominator in flow technologies. Almost all vendors and devices that support a flow export technology will do NetFlow v5. Because it's only capable of exporting information about packet fields up to layer 4, however, it's not flexible enough to use for analytics that require information about the application layer. NetFlow v5 tracks only the following data:
- Source interface
- Source and destination IP address
- Layer 4 protocol
- TCP flags
- Type of Service
- Egress interface
- Packet count
- Byte count
- BGP origin AS
- BGP peer AS
- IP next hop
- Source netmask
- Destination netmask
Netflow v9 was Cisco's first attempt at defining an extensible flow export format, defined in RFC 3954 back in 2004. It provides a flexible format for building customizable flow export records that contain a wide variety of information types. Many of the goals for Continue reading
EtherChannel – Quick and Dirty
EtherChannel allows you to aggregate several switch links into a single, fast, fault-tolerant, logical interface. 16 links can be defined for an EtherChannel, however, a maximum of 8 will be active at any one time. The other links are placed on standby.
While having multiple links between two switches can possibly create bridging loops, EtherChannel avoids this by bundling the links into a single logical interface. This logical interface can be configured as an access or trunk interface.
For ports to be members of the same EtherChannel, there are some restrictions. Ports must:
- Belong to the same VLAN
- Have identical STP settings
- Have identical speed/duplex settings
- Note: In addition, if the EtherChannel is to be used as a trunking interface, all ports must be in trunking mode, have the same native VLAN, and pass the same set of VLANs.
The full duplex maximum bandwidth for 8 links is as follows:
- Fast EtherChannel (FEC): 1600 Mbps
- Gigabit EtherChannel (GEC): 16Gbps
- 10-Gigabit EtherChannel (10GEC): 160Gbps
- Note: This is theoretical; maximum bandwidth is not likely to be achieved due to unequal load balancing, and other factors.
Load Balancing
EtherChannel load balancing across the links can occur in a number Continue reading
Brocade Auth-Change-Wait-Time
The other day I was at work doing an interoperability test with Cisco and Brocade multilayer switches, and we ran into a strange issue that really highlighted my “tunnel view” to the Cisco world.
We were setting up basic OSPF stuff using md5 authentication and we couldn’t get the Cisco and Brocade to form an adjacency. A debug ip ospf adjacency command on the Cisco switch revealed that the Cisco was using “type 2” authentication, and the Brocade was using “type 0”.
Here’s a quick breakdown of the authentication types:
| Type 0 | No authentication |
| Type 1 | Clear text authentication |
| Type 2 | md5 authentication |
I set up a SPAN on the Cisco switch and sure enough, we were getting the OSPF Hello packets from the Brocade with no authentication.
After some digging, it turns out the Brocade has an Auth-Change-Wait-Time command in interface configuration mode. This is set to 300 seconds (5 minutes) by default. While I don’t quite understand it, the description states it allows for graceful authentication implementation. So after you enable md5 on the interface, it waits 300 seconds before actually sending OSPF Hellos with authentication. We toyed around with it Continue reading
OSPF LSA Manipulation Vulnerability – 8/1/2013
Vulnerability Details
OSPF LSA Manipulation Vulnerability in Multiple Cisco Products
· Summary
Multiple Cisco products are affected by a vulnerability involving the Open Shortest Path First (OSPF) Routing Protocol Link State Advertisement (LSA) database. This vulnerability could allow an unauthenticated attacker to take full control of the OSPF Autonomous System (AS) domain routing table, blackhole traffic, and intercept traffic.
The attacker could trigger this vulnerability by injecting crafted OSPF packets. Successful exploitation could cause flushing of the routing table on a targeted router, as well as propagation of the crafted OSPF LSA type 1 update throughout the OSPF AS domain.
To exploit this vulnerability, an attacker must accurately determine certain parameters within the LSA database on the target router. This vulnerability can only be triggered by sending crafted unicast or multicast LSA type 1 packets. No other LSA type packets can trigger this vulnerability.
OSPFv3 is not affected by this vulnerability. Fabric Shortest Path First (FSPF) protocol is not affected by this vulnerability.
· Affected Products
Cisco devices that are running Cisco IOS Software and configured for OSPF are vulnerable. Devices that do not have OSPF enabled are not affected by this vulnerability.
Cisco devices that are running Cisco IOS Continue reading
UCS Central – Keeping It Classless Labs
I put together a lab on UCS Central, showing how you can load all the necessary software up in a hypervisor environment.UCS Central 1.1 Lab
I saw the announcement that Cisco had posted the emulator for UCS version 2.1(2a) a week ago. @CiscoServerGeek that integrates with UCS Central 1.1, right? — Frank Jimenez (@franjimecsco) July 26, 2013 This was pretty cool, seeing as the firmware version in general had only been out for a few weeks, and the emulators have traditionally taken a bit longer after their firmware release. I took this as an opportunity to set up my own UCS Central lab.UCS Central – Keeping It Classless Labs
I put together a lab on UCS Central, showing how you can load all the necessary software up in a hypervisor environment.UCS Central – Keeping It Classless Labs
I put together a lab on UCS Central, showing how you can load all the necessary software up in a hypervisor environment.UCS Central 1.1 Lab
I saw the announcement that Cisco had posted the emulator for UCS version 2.1(2a) a week ago. @CiscoServerGeek that integrates with UCS Central 1.1, right? — Frank Jimenez (@franjimecsco) July 26, 2013 This was pretty cool, seeing as the firmware version in general had only been out for a few weeks, and the emulators have traditionally taken a bit longer after their firmware release. I took this as an opportunity to set up my own UCS Central lab.Security Word of the Day: Stoogecraft
Today’s word of the day comes to Packetpushers courtesy of Seth Godin*: Stoogecraft. Stoogecraft is what happens when people or organizations in power do what feels right in the short run without thinking at all about the alternatives or the implications. It’s the result of fear or boredom or a misplaced focus. Sound familiar? Stoogecraft […]
Author information
The post Security Word of the Day: Stoogecraft appeared first on Packet Pushers Podcast and was written by Mrs. Y.
Nobody says it but we all feel like frauds
I am going to deviate a little bit from my normal career advice here and talk about something a bit more personal for me. I have told this story to colleagues at times over the past several years, and I am always a little surprised that everyone appears to feel the same way. But we […]
Author information
The post Nobody says it but we all feel like frauds appeared first on Packet Pushers Podcast and was written by Michael Bushong.
Teaching Without a Teaching Degree
So, let’s say you’re a technical admin, engineer, architect, whatever (most of you are). It’s probably safe to say that nearly all of you (I fit into this) have an occupation where our primary ongoing task is some combination of system or network administration, design, software and hardware engineering work, including build-out or troubleshooting, etc. Maybe it’s all of these. No matter what, it’s a safe assumption that a big, or maybe even number one reason we all get paid is because we’re really good at the technical work.Teaching Without a Teaching Degree
So, let’s say you’re a technical admin, engineer, architect, whatever (most of you are). It’s probably safe to say that nearly all of you (I fit into this) have an occupation where our primary ongoing task is some combination of system or network administration, design, software and hardware engineering work, including build-out or troubleshooting, etc. Maybe it’s all of these. No matter what, it’s a safe assumption that a big, or maybe even number one reason we all get paid is because we’re really good at the technical work.Quiz #16 – BGP Filtering Updates
Company ABC is in process of configuring BGP Confederations between its sites. During a small transition period, there will be no BGP between R3 and R2, but instead only static routing. Have a look at the quiz and try answering the question !