CCIE Review Questions
I updated the CCIE page to include CCIE Supermemo questions. Please go to CCIE Supermemo Questions. As time progresses I’ll update more and more of these.
EBGP Peering Not Established over a Default Route
This post represents the solution and explanation for quiz-4. The quiz shows that, although the BGP speakers can reach each other, they do not establish an eBGP session. Read more to understand the problem.
Quiz #5 – OSPFv3 Default Route into a NSSA Area
Your company's network consist of a CORE block running OSPF Area 0 and multiple buildings with 2x distribution switches per building running OSPF NSSA areas.
You have asked your junior colleague to configure OSPFv3 (for IPv6) to match the same design as OSPFv2 (for IPv4), but something goes awfully wrong.
Getting IPv6 Done: A Step-by-Step Framework for Planning an IPv6 Deployment
It often happens during one my IPv6 training courses that a participant comes up and asks (or puts it as something that was missing from the training) – “What are the specific steps for deploying IPv6?”. This often leaves me … Continue reading
TCP Handshakes, Routing, Hairpinning – Oh My!
I’m working on setting up a lab that consists of leading storage and compute products for testing, and I ran into some interesting issues with a few different things…some with respect to the way the Cisco ASA does hairpinning, as well as allowed connections in such a configuration. There were also some routing issues experienced as a result, and I want to explore my experience in all of this during this post.TCP Handshakes, Routing, Hairpinning – Oh My!
I’m working on setting up a lab that consists of leading storage and compute products for testing, and I ran into some interesting issues with a few different things…some with respect to the way the Cisco ASA does hairpinning, as well as allowed connections in such a configuration. There were also some routing issues experienced as a result, and I want to explore my experience in all of this during this post.TCP Handshakes, Routing, Hairpinning – Oh My!
I’m working on setting up a lab that consists of leading storage and compute products for testing, and I ran into some interesting issues with a few different things…some with respect to the way the Cisco ASA does hairpinning, as well as allowed connections in such a configuration. There were also some routing issues experienced as a result, and I want to explore my experience in all of this during this post.Baby Bro, Part 3: Containers and Loops
Bro has four main container types, which I'm going to cover in somewhat nontraditional order:- tables
- sets
- vectors
- records
A table is a collection of indexed key-value pairs: the same idea is referred to as a dictionary, associative array, or hash table in other languages. Here's a simple example that pairs letters with their place in the alphabet:
1 | event bro_init() |
Running it, we get this:
jswan@so12a:~/bro$ bro tables.bro
{
[3] = c,
[1] = a,
[2] = b
}
Note that the output isn't in the same order as the script; in Bro, like in most other languages, hash tables are unordered.
Iterating over a table with a "for" loop returns the key, again like other languages:
1 | event bro_init() |
And the output:
jswan@so12a:~/bro$ bro tables.bro
Continue reading
Find link errors with op script
A new short post today for network support technicians, engineers... One thing that you usualy check when you manage a case regarding service disruption is packet loss! The first step is to check if you have packet loss at physical layer due to framing...Find link errors with op script
A new short post today for network support technicians, engineers... One thing that you usualy check when you manage a case regarding service disruption is packet loss! The first step is to check if you have packet loss at physical layer due to framing...NAT – Port Forwarding in Both Directions
This post represents the solution and explanation for quiz-3.
NAT on Cisco IOS can be pretty frustrating sometimes and it may take time and practice to master it.
Save multiple Artboards as indiviudal EMF or WMF files in Adobe Illustrator CS6
I've been creating a set of networking icons in Adobe Illustrator. To get these in a usable vector format for Visio and OmniGraffle stencils I need them in EMF or WMF format. Unfortunately the built-in Export function in Illustrator doesn't support Artboards for EMF/WMF but instead outputs one single file, so I needed to find a different solution...
Save multiple Artboards as indiviudal EMF or WMF files in Adobe Illustrator CS6
I've been creating a set of networking icons in Adobe Illustrator. To get these in a usable vector format for Visio and OmniGraffle stencils I need them in EMF or WMF format. Unfortunately the built-in Export function in Illustrator doesn't support Artboards for EMF/WMF but instead outputs one single file, so I needed to find a different solution...
First of all, I needed to split my main AI file in to individual files for each Artboard.
To do this, I went to File > Save As > Adobe EPS and selected the Artboard option.
Next was to individually export these to EMF and WMF.
First choice was to create a Workflow in Automator but for some reason. Automator's Watch Me Do action was unable to recognise that Illustrator was open - It returned some error about the application not being open (even though it was).
Second choice was AppleScript, but as it turns out Adobe don't have the EMF or WMF available as formats for the export action in their AppleScript library.
Finally I found the "Actions" menu in Illustrator.
I created a new folder called "My Actions"
Create a new Action called "Export to EMF" and started recording the Continue reading
Save multiple Artboards as indiviudal EMF or WMF files in Adobe Illustrator CS6
I've been creating a set of networking icons in Adobe Illustrator. To get these in a usable vector format for Visio and OmniGraffle stencils I need them in EMF or WMF format. Unfortunately the built-in Export function in Illustrator doesn't support Artboards for EMF/WMF but instead outputs one single file, so I needed to find a different solution...
Cisco Ironport WSA with WCCP and IP Spoofing
Recently I had to set up a transparent proxy with the Cisco Ironport Web Security Appliance (WSA) using WCCP on a Catalyst 6500 with a Sup720, with IP spoofing and web cache ACLs enabled. Like with many technologies, this turned out to be pretty simple but I couldn't find it documented all in one place. Perfect blog fodder!The network topology looked like this (simplified, but not by much):
Normally when you set up a transparent proxy with WCCP, the IP address of the proxy server is used as the source of the HTTP requests. The problem in this topology is that I wanted the real source address of the client to appear in the firewall logs. The IP spoofing feature on the WSA allows this to happen, but it requires configuring bidirectional WCCP redirection on the Cat6k. If this had been a Cisco ASA firewall, we could have enabled WCCP there and saved some trouble, but in this case the network was using a firewall from another vendor that didn't support WCCP.
One important thing to realize about WCCP on the Catalyst 6500 with the Sup720 is that WCCP egress redirection is done with software switching rather than in Continue reading
Cisco IP Phone switchport voice vlan and CDP
I was under the wrong impression for quite a long time that Cisco IP phones require a 'switchport voice vlan ' command on the switchport that they connect to for the Phones to show up in cdp neighbors. The 'sw voice vlan ' command associates an auxilary VLAN to the port that is known as VVID (VLAN ID) for voice service. This VVID is associated with the phone during a cdp neighbor lookup.
I thought if I didn't use 'sw voice vlan ' then my phone would not show up as a cdp neighbor on the switch. But I guess I was wrong. I set up the switchport as 'sw access vlan 80' where 80 was the Voice VLAN and I could see the phone come up, register, grab the right IP though DHCP and show up on cdp neighbors.
I had to do this because of a Cisco small business SG300 switch that we had to install in one of the maintenance offices that does not support the 'sw voice vlan id' command.
As always, comments and feedback much appreciated!
ASA 5515-X ASDM/SSH fix
If you are planning on installing a new Cisco ASA 5515-X, or any other ASA from their 55X5-X line of ASAs, running 8.6 or above, you might run into a situation where you cannot SSH into the ASA or access ASDM.
Start off by verifying if you have activated the 3DES license. If not, grab the 3DES license key from cisco product license registration. Once Cisco emails you the activation key, console into your ASA and type 'activation-key ' under the global configuration mode. This will allow SSH version 2 on the ASA. You can verify this by doing a 'show version' on the ASA and checking the status next to 'VPN-3DES-AES'.
Next, create a username and password like you would.
username admin password cisco encrypted privilege 15
Then allow SSH on the inside and/or outside on all/specific subnets. Configure SSH version 2.
ssh 10.0.10.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
And finally allow LOCAL authentication.
aaa authentication ssh console LOCAL
Next, you need to add an ssl encryption standard to the ASA. Most browsers and SSH/Telnet clients will reject the cipher that is present on the ASA by default.
ssl Continue reading
Cisco 4500-X
At a recent new install, I had the opportunity to configure a 4500-X switch for the Data Center. It is a good alternative to a Nexus 5000 if you want 10G uplinks and are tight on budget. Of course, you will miss out on vPC and FEX which I configure are the most important features of the Nexus switches in the Data Center. But if you have 2 4500-X as redundant uplink switches, you can connect downstream devices such as UCS and SAN fabric over 10G uplinks.
Even though the 4500-X data sheets say the switch is a 32 10G SFP+ port, you have the option of using 1G or 10G GLC/SFP modules. I used a variety of copper/fiber modules to connect to routers, servers, switches and an ASA. The switch uses auto negotiation to drop down to 1G in case of copper connections. This link lists all compatible hardware for the Cisco 4500-X switch.
I had to set up a temporary fiber connection between this switch and HQ which routes to remote offices over MPLS. So for the time being, I set up a L3 port on the 4500 and set up basic static routing (ipbase does not support Continue reading
mDNS Gateway in the Cisco Wireless LAN Controller
I'm not sure why I've taken such an interest in mDNS, service discovery, and the Bonjour protocol, but I have. It probably has something to do with my not being able to use AirPlay at home for such a long time because, like any true network geek, I put my wireless devices on a separate VLAN from my home media devices. I mean, duh. So now I keep an eye out for different methods of enabling mDNS in the network in anticipation of my own experience in my home network becoming one of my customer's experience in their enterprise network.