IOS XR and routes

those of you working on a daily basis with configuration and reconfiguration of network devices are likely to hit various caveats and surprises. sometimes, we hit problems that take hours to troubleshoot. route? what route? we’re adding a new router. it has the address 172.16.0.11 defined on Loopback0. this interface and all other physical interfaces of the new router are included in area 0 of OSPF. neighbors see it that way as well:...

April 12, 2024 · Łukasz Bromirski

Nexus and ECMP for DNS

if you read my previous pieces about my home network, you know well that my core switch is a Nexus 93180YC-EX. you know… home, core switch. anycasted services: at any point in time I have a number of DNS (and DHCP) servers available, all reachable via either 192.168.168.168 or 2001:470:xx:a6::168. no matter what is going on, at least one should be able to respond. currently, in the “cluster” I have two VMs and two physical Raspberry Pi 4B+....

January 29, 2024 · Łukasz Bromirski

logging in VRF

quick note for those spending weekends on labbing - if you want to log info (from Syslog for example), and the management interface is in a separate VRF (very good idea), you need to configure the VRF in two, or even three (if you count the VRF definition itself) different places. if you forget one, it won’t work. so, first of all, create the management VRF definition:

!
vrf definition MGMNT
 rd 444:444
 ! optional, but just to keep the numbering across VRFs
!...

October 9, 2022 · Łukasz Bromirski

nice peak info in BGP summary view

a nice addition to recent IOS-XE images is the info in the BGP view of when the peak number of prefixes was received:

rtr-edge#sh bgp ipv4 unicast summary
[...]
6807 received paths for inbound soft reconfiguration
BGP activity 1126906/107856 prefixes, 1337822/171863 paths, scan interval 60 secs
878960 networks peaked at 15:02:09 Jan 29 2022 CET (22:53:01.065 ago)
[...]
rtr-edge#sh bgp ipv6 unicast summary
[...]
BGP using 102467162 total bytes of memory
BGP activity 1126898/107856 prefixes, 1337806/171843 paths, scan interval 60 secs
140720 networks peaked at 05:46:19 Jan 29 2022 CET (1d08h ago)
[....

February 3, 2022 · Łukasz Bromirski

ctrl-break the new (old) way

one of the very old tricks, one that’s even documented, is how to simulate ctrl-break on newer PCs to break into ROMMON during router/switch boot. instead of fighting with SecureCRT on MacOS, I just used it recently. basically, you:

disconnect the terminal from the device
turn the device off
set the terminal to 1200 (yes, you read this right), 8N1 and no flow control
turn the device on
press SPACE for 10-15 seconds (basically, until your terminal drops out some unreadable characters)
reconfigure the terminal to 9600 8N1

and you should be in ROMMON. yes, I’m old....

January 20, 2022 · Łukasz Bromirski

two-stage commit config for NX-OS

if you’re not accustomed to reading release notes for your favorite platform (Nexus NX-OS in this case), you probably already overlooked that starting with 10.1(2) there’s a 2-stage commit system, known from IOS XR. what does that mean, really? that when doing changes over the CLI, directly in the parser, you can edit/add/remove whole blocks of configuration before committing them to the running/actual configuration. so in case you edit interface IP addressing (always a touchy moment, especially for devices you’re 300km away from, for example) the session could look like this:...

July 15, 2021 · Łukasz Bromirski

recert in 2021

my journey with expert-level Cisco certification began quite a long time ago - 15 years. and with Cisco certification overall - even a couple of years earlier than that. I was finally able to get hands-on practice with the Cisco Continuing Education program. apart from the fact that trying to pass exams remotely right now, during the pandemic, has abstract requirements, I do generally believe it makes sense. one way or another - I’m recertified until April 2024....

April 10, 2021 · Łukasz Bromirski

connecting switches

after I decided to save you and myself from the spying eyes of Google Analytics, I don’t really look at my blog web statistics. just glancing over the logs shows you’re reading - and that’s about all, if you ask me. I noticed however, that for some mysterious reason (the doc is almost two decades old!), my very old article about connecting switches together still gets downloaded like 30-50 times a month (I’m counting only non-bot downloads), and sometimes even more often....

January 22, 2021 · Łukasz Bromirski

load sharing, part one

if you happen to have more than one internet connection and they have different usable bandwidths - which is no longer a rarity today - it becomes an interesting element in network design. how would you use these links optimally? I have to admit that I was provoked to sit down and write this series of posts by Marcin Ślęczek’s post on the ccie.pl forum. Marcin is CEO of networkers.pl but at heart he’s a network engineer and sometimes fights with interesting problems....

January 7, 2021 · Łukasz Bromirski

technology is just a tool

…but tools have to be used responsibly. first of all, a short disclaimer - I’d like to make it perfectly clear before we go into this long piece, that I’m a: …big fan of discussing the merits of technology and technology overall. I love technology. I believe having the opportunity to create networks, solutions that really connect people and give us the chance to exchange information is something I could do for the rest of my life, with full focus and commitment....

December 28, 2020 · Łukasz Bromirski

world wide convergence of BGP

Daniel Dib asked recently on Twitter about BGP convergence time for world wide operations. the two hours he got in response from his friend seemed a bit too long. I did recently help to spin up a new ASN with a new IPv4 prefix (well, both came second-hand, but you get the point) and as far as I could tell, propagation took around 15 minutes maximum. so in the interest of self-education, I started digging....

September 24, 2020 · Łukasz Bromirski

redundant IPv6 tunnel from HE with HSRP

one of the interesting and rarely seen configuration options is the ability to have a redundant IPv6 tunnel established from a source address tracked by HSRP. if you’re limited by the other side of the communication - in this example Hurricane Electric - to having only one tunnel endpoint on your side, that’s the right tool for the task. the way this configuration works is that the router active in the HSRP pair will be the one on which the tunnel is active and forwarding....

August 31, 2020 · Łukasz Bromirski

my home network #2

the last post in the series about my home lab resulted in a number of interesting emails in my inbox. I have to admit that I really appreciate words of praise, as well as those with constructive, critical feedback :) so after a short description of what is connected where and how (see link above), let’s focus now on services. first and foremost - remember it’s “always DNS” ;) so let’s tackle that....

July 27, 2020 · Łukasz Bromirski

bored waiting for scp to complete?

if you, like me, get bored immediately after you execute copy scp x y, you’ll likely be happy to know that we’re introducing changes in the TCP/IP stack responsible for SCP operations. in NX-OS beginning in 9.3(1), while copying using scp you can add use-kstack, like this:

nxos-switch#copy scp://192.168.0.1/nxos.bin bootflash: use-kstack

in IOS-XE, starting from 17.2(1), it’s possible to achieve a similar speed-up effect by globally enabling ip ssh bulk-mode. the same copy operation should speed up 4-5x....

March 26, 2020 · Łukasz Bromirski

changing lanes

after the last 13 years spent at Cisco Systems Poland, working in the “field”, I decided it’s prime time for something new. something that can challenge me and give back that sense of new adventure. having the opportunity to spend all that time with great people, learning a lot and experiencing even more was great fun. I went through the full country chain - from “simple” Systems Engineer, to Architecture Lead, Systems Engineer Manager, then Regional Sales Manager (driving 2/3rds of country business operations) and finally Country Systems Engineer Manager and CTO....

October 6, 2019 · Łukasz Bromirski

doing recert

every two (or three, depending how desperate you are) years, in the life of every CCIE and CCDE there is this looming deadline called ‘recertification’. panic is usually short lived and ends with a ‘push’ - successful recertification. in variable styles and techniques, but successful nonetheless. I had the opportunity recently to execute this dance. and as wise people say, if you lose daily connection with networking gear and technologies, you very quickly lose and forget expert level skills....

October 3, 2015 · Łukasz Bromirski

this is how it should work

a weekend in the countryside kind of surprised me… :) so, Cisco 887VAGW+7-E-K9, a little configuration and here we are.

!
chat-script gsm "" "AT!SCACT=1,1" TIMEOUT 15 "OK"
!
interface Cellular0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 load-interval 30
 dialer in-band
 dialer idle-timeout 300
 dialer string gsm
 dialer-group 1
 async mode interactive
!
ip nat translation timeout 60
ip route 0.0.0.0 0.0.0.0 Cellular0
!
dialer-list 1 protocol ip permit
!...

May 24, 2015 · Łukasz Bromirski

daily "top" for spam and malware

it’s interesting to take a look. and then a second look - as a lot of well known networks and hosts appear on those maps: SenderBase malware, SenderBase spam, and for general SenderBase reports, the biggest threat intelligence network, go here: SenderBase

May 13, 2015 · Łukasz Bromirski

standards...

…or who needs them anyway today? there’s an interesting article written by one of Google’s employees, that perfectly describes how ineffective standards bodies are today, and how less and less influence they have on the market. cisco decided to spearhead new solutions without waiting for multi-year discussions, true to the ‘good description and working code’ motto. if we weren’t doing that, there would be no PVLANs, FabricPath (TRILL) but also no protocols like LDP or HSRP/VRRP/GLBP....

May 22, 2014 · Łukasz Bromirski

ipv6... once again in bad spotlight

all memory and CPU related features in the IPv6 world are a major challenge even for modern hardware. unfortunately this is emphasized by the lack of best practices followed by developers writing code. I just noticed there’s a Microsoft Windows problem with IPv6 RA. it seems that the actual problem is not limited only to RA, but actually - to the whole networking stack when working with link-local addresses. under Microsoft Windows the code is allocating memory pretty recklessly....

April 1, 2014 · Łukasz Bromirski

CCDE bootcamp

it will be a unique opportunity in Poland and in this part of Europe. with a group of my dear friends and design masters - Piotr Jabłoński, Sebastian Pasternacki and Piotr Matusiak - I’ll be delivering bootcamp-type training for CCDE. we’re starting on the 5th of May - and you can find more details here.

February 28, 2014 · Łukasz Bromirski

Aegis at UW

Maciej Broniarz invited us to take part in a new security focused conference. Aegis (just like Aegis - the American integrated naval weapons system) will take place on the 2nd and 3rd of July at the University of Warsaw. I hope that most of you will decide to take part in it, judging from the agenda. together with Maciej we’d like to also have a panel on DDoS attacks, and then we’ll deliver a session together - ‘security by duct tape’....

June 19, 2013 · Łukasz Bromirski

"i don't understand, but will criticize anyway"...

I’ve stumbled upon an article by Michael Leonard from Juniper. he decided to take a stab at LISP. I usually give such articles the title of this post, and the article mentioned is all about it. while we’re discussing in open forums with engineers and architects from Juniper, and in most of them we actually do cooperate - including in LISP, which the author doesn’t seem to even know about - it’s sad to look at people who believe attacking the competition is everything they should do in life....

January 13, 2013 · Łukasz Bromirski

IOS shell

if you haven’t noticed by now, in the IOS 15M line we introduced the IOS shell. firing it up is just as easy as doing:

C2#conf t
C2(config)#shell processing full

now you have new, UNIX-like commands and options to chain them, including nested grep.

C2#sh running-config | wc -l
163
C2#sh running-config | grep ip | grep 2001
ipv6 address 2001:DB8:10::10:254/64
ipv6 route ::/0 2001:DB8:10::10:1

if by now you are a fan of such capabilities, having been working with IOS XR - it’s a nice touch :)

October 29, 2012 · Łukasz Bromirski

software defined networking or why openflow is not enough

using our new blogging platform, I just published a short piece about the just announced onePK. I’ve been watching lively discussions about network control capabilities for over two years now. I was one of those distanced guys when it came to the OpenFlow “explosion” in popularity. and as time has shown - I was right. today even hardware vendors have suddenly slowed down a bit and distance themselves from new standard versions, and the development tempo is also falling....

July 2, 2012 · Łukasz Bromirski

switch matrixes and terabits...

I just made a short post describing a bit the behavior and characteristics of the new Sup720-10GE switching matrix that can be installed in the Catalyst 6500 - for cisco-nsp@ folks: In the old Sup720 design, the Supervisor itself is connected to the fabric using one channel. This channel is used by the Hyperion ASIC to provide for the bus interface, and multicast/SPAN features. Because there’s no other way to connect the uplinks on the Sup itself, the Hyperion has its interface also terminating the uplinks (2xGE) thus limiting effective throughput/etc....

June 13, 2012 · Łukasz Bromirski

ccde the way it should be :)

I’ve had an opportunity today to take the CCDE exam in London again. accompanied by two fellow SEs and one of the engineers working for a Cisco Partner in Poland, we took our chances. and it’s definitely better - feedback works. out of 6 scenarios you work only with 4, split statically, 2 before and 2 after lunch. questions are more to the point, and there’s less text to look through for information....

March 29, 2012 · Łukasz Bromirski

ccde #2

I took a CCDE practical earlier today, and for the second time I’m pretty clueless how it went, however I have a strong feeling that it was similar to my first take: no go. this time I spent 7 hours, not 5, to do the test, however most of the time I was trying to answer questions based on the small set of information provided. again I’m under the strong impression that the set of information was not enough to judge some of the questions, not to mention the effect Russ White describes as “you’d be confused for the whole time”....

October 21, 2011 · Łukasz Bromirski

we, 2001:420:80:1:c:15c0:d06:f00d

“Cisco eats its own dog food” or as you may elite-write-it: c15c0 d06 f00d. we announced participation in ISOC IPv6 day as the first vendor. some parts of our infrastructure serve IPv6 natively, but that’s a great opportunity to test it at scale - including hardware and software for systems that are used for our internal and Customer services. among other things we’re testing AnyConnect 3.0 with native IPv6 support (the public version is going to be available in a couple of months), ACE 3....

June 8, 2011 · Łukasz Bromirski

CCDE, or how to design a network... or six of them

today I met the CCDE practical exam head-on in London. it’s a new one at the Expert level, focusing on designing and redesigning networks - according to the virtual needs of virtual customers. after the Networkers CCDE presentation delivered by one of the authors of the CCDE program - Russ White - it’s hard to expect anything different from what they say. it’s very focused on “why”, and “how” is touched on only in some generic terms....

May 6, 2011 · Łukasz Bromirski