ASA Double Nat in 8.4+

Recently I was faced with an issue outside my normal expertise… those of you that know me realize I am anything but a security engineer. But in reality, you must always expand your horizons. One of the projects I’m working on involves migrating between two edge networks. Obviously, for a time there has to be traffic using both networks while you migrate services from one network to the other. This creates an issue from services that may be NAT’d from the inside of the network, where as the current (read: old) default route takes them out a different connection..
In order to solve this, you need to either change the default route, which may not be possible, or start NAT’ing the source address of your traffic. It took me a bit of time to get the details worked out, so I wanted to share what I found out.

Plain Jane Static NAT

Since 8.3, NAT has changed quite a bit. The most obvious change is the use of Object groups pretty much everywhere. In some ways, this simplifies the config. In others, not so much. Basic static NAT takes the form of a single object group that defines the Continue reading

My MacBook Air Docking Solution

I decomissioned my CustoMac to return it to its origins as a gaming rig. This was mainly due to the fact that trying to keep my MacBook and CustoMac in sync was turing out to be very labour intensive... This means I am using my Macbook Air as my main office PC but its limited I/O was proving to be a little bit of a problem!

My MacBook Air Docking Solution

I decomissioned my CustoMac to return it to its origins as a gaming rig. This was mainly due to the fact that trying to keep my MacBook and CustoMac in sync was turing out to be very labour intensive... This means I am using my Macbook Air as my main office PC but its limited I/O was proving to be a little bit of a problem!

I needed:

  • 1 x DVI or HDMI to hook it up to my monitor
  • 1 x 10/100 or 1000 Ethernet as Wireless is not fast enough (especially for Time Machine)
  • 1 x Headphone and 1 x Mic ports to work with my existing headset
  • 1 x USB for my Webcam
  • 2 x spare USB for Memory sticks etc...

While the new range of Thunderbolt docks will be available later this year from the likes of Belkin and Matrox they will be priced in the £200-300GBP range (Expansys have the Belkin dock listed at £279). While it offers all the I/O I want over a high bandwidth connection I don't think I can justify spending over 1/4 the cost of the laptop itself on one... so I came up with a homebrew solution for under Continue reading

My MacBook Air Docking Solution

I decomissioned my CustoMac to return it to its origins as a gaming rig. This was mainly due to the fact that trying to keep my MacBook and CustoMac in sync was turing out to be very labour intensive... This means I am using my Macbook Air as my main office PC but its limited I/O was proving to be a little bit of a problem!

Nexus 2000 Model Number Cheat Sheet

A colleague of mine pointed something out the other day: the numbers and letters that make up the Nexus 2000 (FEX) model actually have meaning! No, I haven't been living under a rock. I think it's pretty clear that with a model number like “2248TP-E” the “22” indicates this is the 2200 series FEX and the “48” indicates it's got 48 ports. But what about the letters that follow the numbers?

I’m attending the International Summit for Community Wireless Networks

I will be giving a updated version of my bufferbloat talk there on Saturday, October 6.  The meeting is about community wireless networks (many of which are mesh wireless networks) on which bufferbloat is a particular issue.  It is in Barcelona, Spain, October 4-7.

We tried (and failed) to make ad-hoc mesh networking work when I was at OLPC, and I now know that one of the reasons we were failed was bufferbloat.

I’ll also be giving a talk at the UKNOF (UK Network Operator’s Forum) in London on October 9, but that is now full and there is no space for new registrants.


KIClet: NX-OS – Ethernet[X] is down (inactive)

This is a short one. I didn’t see a ton of information on this on the internet so I figured I’d put it forward. I’m using a pair of Nexus 2K FEX switches (N2K-C2248TP-1GE) for 1GbE copper connectivity off of a pair of Nexus 5548UP switches. I needed to set one of the 2K ports to access mode and place it in a VLAN. Pretty simple. After configuring one of the 2K ports through the 5K CLI though, I noticed that the port was listed as “down (inactive)”.

KIClet: NX-OS – Ethernet[X] is down (inactive)

This is a short one. I didn’t see a ton of information on this on the internet so I figured I’d put it forward. I’m using a pair of Nexus 2K FEX switches (N2K-C2248TP-1GE) for 1GbE copper connectivity off of a pair of Nexus 5548UP switches. I needed to set one of the 2K ports to access mode and place it in a VLAN. Pretty simple. After configuring one of the 2K ports through the 5K CLI though, I noticed that the port was listed as “down (inactive)”.

KIClet: NX-OS – Ethernet[X] is down (inactive)

This is a short one. I didn’t see a ton of information on this on the internet so I figured I’d put it forward. I’m using a pair of Nexus 2K FEX switches (N2K-C2248TP-1GE) for 1GbE copper connectivity off of a pair of Nexus 5548UP switches. I needed to set one of the 2K ports to access mode and place it in a VLAN. Pretty simple. After configuring one of the 2K ports through the 5K CLI though, I noticed that the port was listed as “down (inactive)”.

AirPlay, VLANs, and an Open Source Solution

As I've written about in the past (here), Apple's AirPlay technology relies on Bonjour which is Apple's implementation of “zero config” networking. One of the things that Bonjour enables is the automatic discovery of services on the network. For example, an Apple TV might advertise itself as being able to receive AirPlay streams. An iPad that is looking for AirPlay receivers would use Bonjour to discover the Apple TV and present it to the user as an AirPlay destination. Both the Apple TV and iPad do all this without any user intervention or configuration (hence the “zero config” part).

That's fine and dandy but what my earlier article focused on was how Bonjour broke down in a network where what I'll call the “server” and the “client” are not in the same Layer 2 domain/VLAN. This is because the service discovery aspect of Bonjour relies on link-local scope multicast. These packets will not cross Layer 3 boundaries in the network.

Spanning-tree Requirements for Cisco ISSU

I had a great conversation with a coworker regarding the requirements for the In-Service Software Upgrade (ISSU) feature on Cisco switches. For this post, I’m using Nexus 5548UP switches as a distribution layer to my Cisco UCS environment, and at the core is sitting a pair of Catalyst 6500s, set up in a VSS pair. For those unfamiliar with ISSU, it is a way for Cisco devices to upgrade their running firmware without the need for a disruptive reboot of the device, which is what has traditionally been used for upgrades to IOS, NX-OS, etc.

Spanning-tree Requirements for Cisco ISSU

I had a great conversation with a coworker regarding the requirements for the In-Service Software Upgrade (ISSU) feature on Cisco switches. For this post, I’m using Nexus 5548UP switches as a distribution layer to my Cisco UCS environment, and at the core is sitting a pair of Catalyst 6500s, set up in a VSS pair. For those unfamiliar with ISSU, it is a way for Cisco devices to upgrade their running firmware without the need for a disruptive reboot of the device, which is what has traditionally been used for upgrades to IOS, NX-OS, etc.

Book list

It is time I’ll place the list online, so with no farther delays and in the order of importance: 1 Routing TCP/IP, Volume 1 (2nd Edition) - By far, the most important book you must read. ...And remember, if you are using Private VLANs or plan to, make sure you visit my Private VLAN appliance site.

When NTP access-control needs ACL for 127.127.7.1?

The very simple answer is when the local NTP master controller is synching to the IP address 127.127.7.1 instead of 127.127.1.1. Ok, I think I need to clarify few things.  In a number of CCIE workbooks, you’ll get a task to configure NTP access-control on the master NTP router to only peer with R1.  After trying for a long time, you lookup the solution guide and realize that you were missing an ACL entry for the local address 127.127.7.1. Or you finished the task, everything works, you check the solution guide and ask yourself “why did they have an ACL for the IP address 127.127.7.1? I did it without it and it worked.”

This is something that I found to be very frustrating and without any information on the web. After doing some of my own research, it appears Cisco made few changes that are not very clearly documented.

To give you an example, R4 is the NTP master and R6 (150.1.6.6) is the NTP peer.

R4#sh run | i ntp | access-list
ntp master 4
ntp access-group peer 1


access-list 1 permit 150.1. Continue reading

The Pros/Cons of Public DNS

I strongly believe that every route/switch engineer, even highly experienced ones, should have at least a fundamental understanding of DNS architectures and best practices. More importantly, it should be understood how DNS is being used in today’s service providers and enterprises. DNS is one of those services that has been applied to many different use cases, such as a form of load balancing, or even an additional layer of security.

The Pros/Cons of Public DNS

I strongly believe that every route/switch engineer, even highly experienced ones, should have at least a fundamental understanding of DNS architectures and best practices. More importantly, it should be understood how DNS is being used in today’s service providers and enterprises. DNS is one of those services that has been applied to many different use cases, such as a form of load balancing, or even an additional layer of security.

ESXi 5 on Cisco UCS – No Local Disks Showing Up

I am installing ESXi 5 on a Cisco UCS B440 M1 blade, and ran into some local disk issues. I used both the stock ESXi 5 image from VMware, as well as the recently released image from Cisco that contains the latest UCS drivers. Same issue on both. The issue was that when I got to the disk selection screen on the ESXi installation, I did not see any disks:

ESXi 5 on Cisco UCS – No Local Disks Showing Up

I am installing ESXi 5 on a Cisco UCS B440 M1 blade, and ran into some local disk issues. I used both the stock ESXi 5 image from VMware, as well as the recently released image from Cisco that contains the latest UCS drivers. Same issue on both. The issue was that when I got to the disk selection screen on the ESXi installation, I did not see any disks:

ESXi 5 on Cisco UCS – No Local Disks Showing Up

I am installing ESXi 5 on a Cisco UCS B440 M1 blade, and ran into some local disk issues. I used both the stock ESXi 5 image from VMware, as well as the recently released image from Cisco that contains the latest UCS drivers. Same issue on both. The issue was that when I got to the disk selection screen on the ESXi installation, I did not see any disks: