quick note for those spending weekends on labbing - if you want to log info (from Syslog for example), and the management interface is in separate VRF (very good idea), you need to configure VRF in two, or even three (if you count VRF definition itself) different places. if you forget one, it won’t work. so, first of all, create management VRF definition: ! vrf definition MGMNT rd 444:444 ! optional, but just to keep the numbering across VRFs !...
since first tuning of FreeBSD TCP/IP stack somewhere in 4.x, I’m typically fiddling with the /etc/sysctl.conf contents from time to time. you know, just to tune stuff. in the meantime, a lot of things has changed in FreeBSD TCP/IP stack, including introduction of modularity. however, MacOS X that is based on FreeBSD is much more conservative and some options are not available. therefore, on my MacOS systems I use following /etc/sysctl....
BGP Blackholing is back - with small steps (‘better done than perfect’). go ahead and visit the current project page with “quick howto”. happy blackholing!
nice addition to recent IOS-XE images is the info in BGP view when the peak number of prefixes was received: rtr-edge#sh bgp ipv4 unicast summary [...] 6807 received paths for inbound soft reconfiguration BGP activity 1126906/107856 prefixes, 1337822/171863 paths, scan interval 60 secs 878960 networks peaked at 15:02:09 Jan 29 2022 CET (22:53:01.065 ago) [...] rtr-edge#sh bgp ipv6 unicast summary [...] BGP using 102467162 total bytes of memory BGP activity 1126898/107856 prefixes, 1337806/171843 paths, scan interval 60 secs 140720 networks peaked at 05:46:19 Jan 29 2022 CET (1d08h ago) [....
one of the very old tricks, that’s even documented is how to simulate ctrl-break on newer PCs to break into ROMMON during router/switch boot. instead of fighting with SecureCRT on MacOS, I just used it recently. basically, you: disconnect terminal from the device turn device off set terminal to 1200 (yes, you read this right), 8N1 and no flow control turn device on press SPACE for 10-15 seconds (basically, until your terminal drops out some unreadable characters) reconfig terminal to 9600 8N1 and you should be in ROMMON yes, I’m old....
if you’re not accustomed to reading release notes for your favorite platform (Nexus NX-OS in this case), probably you already overlooked that starting with 10.1(2) there’s 2-stage commit system, known from IOS XR. what does that mean, really? that doing changes over CLI, directly in the parser, you can edit/add/remove whole blocks of configuration before committing them to running/actual configuration. so in case when you edit interface IP addressing (always touchy moment, specially for devices you’re 300km away for example) the session could look like this:...
as I get old, seems I’m missing obvious signals. my logs were screaming about it, friends made touchy comments… and nothing. after moving to hugo, despite the fact it has built-in RSS feed support, I somehow missed that completely. fortunately, it’s enough to add template to your page definition and… it works. and that’s about it. that’s all. RSS works now. hurray.
one of the most common, but at the same time easiest problems to solve, when you’re working with FreeBSD system installed on too small disk is rebuilding the system. in my specific case, it was very old i386 system initially installed around release 6 on a 20GB HDD. at around release 11 I ran out of tricks to pull and still make it, so had to finally add a disk. fortunately, just before that, the machine was moved from physical box to virtual machine....
after I decided to save you and myself from spying eyes of Google Analytics, I don’t really look at my blog web statistics. just glancing over logs shows you’re reading - and that’s about all if you ask me. I noticed however, that for some mysterious reason (the doc is almost two decades old!), my very old article about connecting the switches together still gets downloaded like 30-50 times a month (I’m counting only non-bot downloads), and sometimes even more often....
FreeBSD just migrated to git, and while handbook is being updated, you can do the migration yourself. first of all, move original src directory (if you’re synchronizing over SVN) away, along with customized kernel config file. for my deployments I do: mv /usr/src /usr/src.old then, let’s install git - it’s not (yet) installed by default: pkg install git last, but not least, you need to invoke git to clone the source repository....
if you happen to have more than one internet connection and they have different usable bandwidths - which is no longer a rarity today - it becomes interesting element in network design. how would you use these links optimally? i have to admit, that i was provoked to sit down and write down this series of post by Marcin Ślęczek post on ccie.pl forum. Marcin is CEO of networkers.pl but by heart, he’s network engineer and sometimes fights with interesting problems....
Raspberry Pi 4 that comes originally without any case, or can be bought with original case, can bring you headaches. it’s absolute great and genius computer (never ask me how many I own… ;) ) in version four has really very fast CPU - Broadcom BCM2711. it contains four ARM Cortex A72 cores clocked with up to 1.5GHz and dedicated GPU complex. problems people all around internet report problems however with overheating of this little beast, and what’s more - problems with getting stable 4k 60Hz video output (just remember, there are two video outputs, but 60Hz is only achievable on the socket next to USB-C power supply)....
…but tools have to be used responsibly. first of all, short disclaimer - I’d like to make it perfectly clear before we go into this long piece, that I’m a: …big fan of discussing merits of technology and technology overall. I love technology. I believe having opportunity to create networks, solutions that really connect people and give us chance to exchange information is something I could do for the rest of my life, with full focus and commitment....
as you may have read recently I was playing with open source routing protocol packages again. from pure CLI familiarity reasons, I kept myself to FRRouting, which is evolution of Quagga, which itself is evolution of Zebra. and Zebra syntax and CLI is based on Cisco IOS. FRRouting thanks to Job Snijders for correcting me on the name - it’s no longer OpenFRR, it’s FRRouting. sorry! :) unfortunately, while it worked very well for my home network (FRRouting that is), when deploying in AS112 I hit some unexpected behaviors quite quickly after starting the project....
after last blog on sharing full bgp feed for IPv4, I got a number of interesting questions. given many of you were asking to have also IPv6 available, I decided to extend the project to cover that as well. disclaimer you’re doing this ON YOUR OWN. i’m not responsible for anything on your end and service itself. so if it crashes your router, makes all traffic to follow different paths, or essentially anything that you can’t control - you’re completely on your own....
Daniel Dib asked recently on Twitter about BGP convergence time for world wide operations. two hours he got in response from his friend seemed a bit too long. I did recently help to spin up new ASN with new IPv4 prefix (well, both came from second hand, but you get the point) and as far as I could tell, propagation took around 15 minutes maximum. so in the interest of self-education, I started digging....
one of the interesting and rarely seen configuration options, is ability to have redundant IPv6 tunnel established from source address tracked by HSRP. if you’re limited by other side of communication - in this example Hurricane Electric - to have only one endpoint of tunnel on your side that’s right tool for task. the way this configuration would work, is that router active in HSRP pair will be the one on which tunnel will be active and forwarding....
recently during casual browsing of WLAN controller i spotted that sometimes users are having problems with receiving responses from DHCP server. i was suprised, as family doesn’t complain - and they’d do that immediately. well, so i went troubleshooting element by element. obviously, switches were primary suspect. why? everything was working, and those DHCP problems were very, very rare - that may mean drops on switch interfaces. Cisco QoS configuration on Catalyst and Nexus switches is far from easy....
update this project is still on, but at different IP. please refer to this updated description. old post below recent thread on nanog@ list got me back to old project that i was thinking about long time ago. and here it is - i just launched free-of-charge, load-your-router-with-full-live-bgp-feed service :) if you’re interested in joining the free project, disregard the information below and jump directly to latest version here disclaimer you’re doing this ON YOUR OWN....
last post in the series about my home lab resulted in a number of interesting emails in my inbox. i have to admit that i really appreciate words of praise. as well as those with constructive, critical feedback :) so after short description what is connected where and how (see link above), let’s focus now on services. first and foremost - remember it’s “always DNS” ;) so let’s tackle that....
while I already mentioned couple of times on this blog, that handling dynamic routing on firewall is asking yourself for unexpected problems, sometimes it’s needed. as Cisco, we don’t normally recommend using ASA or FTD boxes as full table BGP routers. not because they can’t be used in this role, but because we don’t believe it’s a good networking and security practice. here’s example from my home lab testing lab cluster of two ASA 5516-X, running 9....
as you can easily guess, i’m networking geek. my home network was thus built with hacking, not with ‘smallest footprint possible’ in mind. it’s great if you can test your “great” ideas before recommending them to anyone, and of course getting feel of new features is also a plus in this case. so, my first assumption was it has to be fast - fiber. both floors are connected with fiber network, that’s aggregated near front door, in the cloakroom....
my 256GB SSD drive in MacPro 2013 started to fill up recently. i went on short googling to see how to extend it without relying on NAS of course. and i get nice offer. it seems that good people in the internet found a way to interface typical NVMe disk drives with the socket Apple uses. and so i became user of 1TB Samsung SSD drive. that upgrade gave me also speed bump - on encrypted drive transfers shoot up from 500MBbs (reading) and 380MBbs (writing) to 1....
…if everyone is trying to make your life harder. couple weeks ago I refreshed my private email server on FreeBSD. for some time spam levels were raising and I had to do something about it. old spamassassin was not handling it accurately enough anymore. enter spamd from OpenBSD. current postfix has built in greylisting server that’s working quite well. for my installation I tuned it a bit, by extending period of time that has to pass from last delivery attempt (to 1200 seconds, which is 20 minutes):...
my old poor LSI 9211-8i RAID card, that was powering my cache NAS server, decided to die. my spare 9261-8i, to my complete suprise, was halting FreeNAS at the boot… and i was not able initially to troubleshoot the problem. it was dropping mysterious timeout errors: mfi0: COMMAND 0xfffffe000150dc08 TIMEOUT AFTER 59 SECONDS mfi0: COMMAND 0xfffffe000150dc90 TIMEOUT AFTER 59 SECONDS mfi0: COMMAND 0xfffffe000150dc18 TIMEOUT AFTER 59 SECONDS run_interrupt_driven_hooks: still waiting after 60 seconds for xpt_config my google-fu immediately shown me some potential solutions, but they were totally random nad kind of voodoo-magic (‘disable Firewire controller!...
during the last 30 years, processor speeds has increased from millions of cycles to billions - multiplied by multi-core and special mechanisms that increase the efficiency of working with ‘boring’ cores. Pentium 66 processor from 1993 contained 3.2 million transistors, which is anyway quite a value, considering they are packed into a space comparable to that of four dices - and contains one main unit. available today Xeon E5-2699v4 has 22 cores operating at nominal frequency 2....
FreeNAS is special edition of tuned-up FreeBSD, with GUI available over WWW to enable easy setup and maintenance. i had to migrate recently my old Synology 1815+ thanks to well known Intel SNAFU with Atom CPUs. interestingly enough, even Synology own service department declined to RMA the NAS, without even discussing the situation. so i managed to setup quickly 12x 3.5" bay server. i had five 3.5" 8TB HDDs from Synology that i wanted to rescue data from....
every two (or three, depending how desperate you are) years, in life of every CCIE and CCDE there is this looming deadline called ‘recertification’. panic is usually short lived and ends with ‘push’ - succesful recertification. in variable styles and techniques, but successful nonetheless. i had opportunity recently to execute this dance. and wise words people say, that if you loose daily connection with networking gear and technologies, you very quickly loose and forget expert level skills....
weekend at countryside kind of suprised me… :) so, Cisco 887VAGW+7-E-K9, a little configuration and here we are. ! chat-script gsm "" "AT!SCACT=1,1" TIMEOUT 15 "OK" ! interface Cellular0 ip address negotiated ip nat outside ip virtual-reassembly in encapsulation slip load-interval 30 dialer in-band dialer idle-timeout 300 dialer string gsm dialer-group 1 async mode interactive ! ip nat translation timeout 60 ip route 0.0.0.0 0.0.0.0 Cellular0 ! dialer-list 1 protocol ip permit !...
it’s subject old as world (password-protected world, that is). i had to do some of cleanup on my devices and i hit a problem with 4096 bit keys. so, just as a reference that may be helpful somewhere for someone - you import keys to Cisco IOS without any special problems: router#conf t Enter configuration commands, one per line. End with CNTL/Z. router(config)#ip ssh pubkey-chain router(conf-ssh-pubkey)#username TEST router(conf-ssh-pubkey-user)#key-string router(conf-ssh-pubkey-data)#AAAAB3NzaC1yc2EAAAADAQABAAACAQDCiLBaopUwsFb9YJNhGqVYqBajlrH S/zwD6/yR6N8VcRzrpqMMNCFXe1q5GMGM[...]ANWInd9GHBjTzbJWVwavxy1ooQewii8ErofZuv1l/SXSdXLzfL p0zMoZ0L+BNPS0j4XBS0N3t8Vl8oVixqIeG2BNTCNaDDt6hx2Q== lukasz@bromirski....