Teneo !!!

Aaron’s blog on Networking, and Enterprise Technology

  • What is Teneo?

    Teneo (Latin - TAYN-ay-oh)
    To grasp, To know, To understand.

Archive for the 'Networking' Category

Networking discussions and topics

Cisco Live - 2008

Posted by Aaron Paxson on April 21, 2008

I am really, really bummed. I was going to go to Cisco Live 2008 being held in Orlando, in June. Alas, with the upcoming forecasted recession, my company has cut back on expenses. Thus, no trip.

Actually, I was surprised my trip to Sweden didn’t get cancelled.

Anyone planning on going to Cisco Live 2008? Anyone going to blog about it? I would love to hear/see what went on from an observer’s point-of-view.

Posted in Business Technology, Cisco, Networking | 2 Comments »

Partial Internet Shutdown?

Posted by Aaron Paxson on March 19, 2008

While no one can control the internet, you can certainly degrade it for many people.

We have a major technological hub in Sweden. Their internet provider (like many others in Sweden and Europe) uses Telia as their communications provider. Over the last couple of days, our outbound emails kept queueing up in our systems, and some websites wouldn’t work.

Come to find out, Cogent, a major communications company in the US and Europe, has actually depeered Telia from its AS routing, making it impossible for Nordic customers (as well as some in Europe, I would imagine) to access systems on Cogent’s network. Even alternate routing was turned off.

Apparently, this is because Cogent got ticked off because of a contract dispute about the size and locations of certain internet pipes. They feel it was:

“…for the good of the internet.”

Also, coming from Jeff Henrikson, spokesperson for Cogent:

“Some traffic flow was impeded and some traffic was redirected further than it needed to go.”

“[Telia] wasn’t responding to requests to comply with the contract….[Cogent] wasn’t left with much alternative but to terminate the contract.”

Wow. Can you believe that? See the below links for more information:

http://www2.meltedcube.com/blog/web-internet-telecom/isp-quarrel-partitions-internet/
http://gigaom.com/2008/03/14/the-telia-cogent-spat-could-ruin-web-for-many/

Posted in Business Technology, Networking, Technology | No Comments »

NCUG - Cisco and AT&T 3G technology

Posted by Aaron Paxson on March 14, 2008

Well, I attended my first user-group meeting here in Tennessee. It’s about time too. I’ve been here for 18 months, and haven’t once looked up or attended any user groups.

Well, March’s User Group went well. It was held at AT&T’s Mobility Office. Pretty large office in Brentwood. The topic was, of course, Cisco and AT&T’s 3G technology.

3G = 3rd Generation.

From AT&T’s website:

The AT&T 3G network uses HSDPA/UMTS technology (High Speed Downlink Packet Access/Universal Mobile Telephone System), which makes it possible to enjoy a variety of feature-rich wireless services. It also gives AT&T the advantage of offering simultaneous voice and data services. That means you can talk and use the Internet at the same time. How’s that for multitasking?

Now, Cisco offers the HWIC cards that SIM cards plug into. In a good area, you can expect 1400Kbps down and approx 700-800Kbps up. Outstanding! You just plug in your SIM card, and configure the card in the IOS. Most modern IOS will accept it, though the Rep couldn’t recall the minimum version.

[Image: Cisco-Hwic]

Well, as you can imagine, there are some downsides to using wireless. Also, 3G isn’t necessarily available everywhere, though AT&T claims to have 260 metro cities across the US so far, with another 80 by the end of the year.

It is interesting technology, to say the least. These HWIC cards will only work in Cisco’s 3800 series routers and below (the 800-series will be avail in the next month). The routers MUST be ISRs and they MUST have an HWIC slot.

Some of the applications that can be used are:

  • OOB management
  • Kiosks, ATMs, temp systems (such as concert events or those small kiosk stores in a Mall’s walkway)
  • Construction Trailers, Retail Stores and Outlets
  • Replacement for ISDN dial
  • Used for Dial-backup

They fed us with Pizza, so of course we stayed!

Posted in Cisco, Networking, Wireless | 3 Comments »

Accessing Cisco ASA using SSH

Posted by Aaron Paxson on March 4, 2008

So, I purchased a Cisco ASA 5505 to build a VPN Tunnel from a remote office to my main office. Really simple to do, when you are using Easy VPN. Anyway, I wanted to turn on SSH. So, I enabled SSH on the ASA, and tried to access it:

 

[apaxson@netutil ~]$ ssh -l username 1.2.3.4
ssh_exchange_identification: Connection closed by remote host 

 

Hmmmm….. let’s do a debug, and see what happens:

 

asa# debug ssh
Device ssh opened successfully.
SSH0: SSH client: IP = '1.2.3.10' interface # = 1
SSH: unable to retrieve default host public key. Please create a defauth RSA key pair before using SSH
SSH0: Session disconnected by SSH server - error 0x00 "Internal error"

 

Ahhhh….. we have to create a default RSA key pair. Let’s do that.

 

asa(config)# ca generate rsa key 1024
WARNING: the 'ca' command syntax has been deprecated
Please use the 'crypto key generate' command.

 

Okaaaay…… looks like we have to change our ways again.

 

asa(config)# crypto key generate rsa

INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
asa(config)#

 

Okay, so far so good. Let’s try to connect again:

 

[apaxson@netutil ~]$ ssh -l username 1.2.3.4
RSA key fingerprint is 9b:99:12:45:6f:7a:bb:37:f4:25:19:1d:d9:0d:62:24.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '1.2.3.4' (RSA) to the list of known hosts.

 

Outstanding!
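
The fingerprint in the first-connect prompt above is only useful if it is compared with one obtained out of band (for instance over the console). The following is an added example, not code from the original post: it checks a known_hosts-style line against a trusted fingerprint and reports the RSA modulus size. The function names, the 2048-bit floor and the sample key are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

def _read_field(blob, offset):
    """Read one length-prefixed field (RFC 4251 string/mpint) from a key blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def parse_rsa_host_key(line):
    """Parse 'host ssh-rsa BASE64' into (host, blob, modulus_bits)."""
    host, key_type, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    name, off = _read_field(blob, 0)
    if key_type != "ssh-rsa" or name != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    _exponent, off = _read_field(blob, off)
    modulus, _ = _read_field(blob, off)
    return host, blob, int.from_bytes(modulus, "big").bit_length()

def md5_fingerprint(blob):
    """Colon-separated MD5 of the key blob, the format the ssh prompt above shows."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def verify_host_key(line, expected_fp, min_bits=2048):
    """Check a key line against a fingerprint obtained out of band.
    min_bits=2048 is an assumed policy floor, not a value from the post."""
    host, blob, bits = parse_rsa_host_key(line)
    problems = []
    actual = md5_fingerprint(blob)
    if not hmac.compare_digest(actual, expected_fp.strip().lower()):
        problems.append(f"{host}: fingerprint {actual} does not match expected")
    if bits < min_bits:
        problems.append(f"{host}: RSA modulus is {bits} bits, below {min_bits}")
    return not problems, problems

def _mpint(n):
    raw = n.to_bytes(n.bit_length() // 8 + 1, "big")  # always leaves the sign bit clear
    return struct.pack(">I", len(raw)) + raw

def make_sample_line(host="1.2.3.4", bits=1024):
    """Constructed sample, not a real key: modulus is 2**(bits-1) + 1."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(65537) + _mpint((1 << (bits - 1)) + 1)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"
```

A line in this format can be taken from the client's known_hosts file once the host has been added; hashed host names in that file do not affect the key blob.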

Posted in Networking, Security | 4 Comments »

Access Cisco’s rommon from minicom

Posted by Aaron Paxson on February 22, 2008

Minicom is to Linux/Unix as Hyperterminal is to Windows.

In minicom, the key-combination is ctrl+a f

Posted in Networking | 7 Comments »

Nashville Cisco Users Group

Posted by Aaron Paxson on February 10, 2008

Being in the Nashville area for the last 18 months, I figured it was about time to start getting some social networking processes started in my industry.

I did some looking, and found the Cisco Nashville Users Group. So, I joined. I haven’t been to a meeting yet, but March’s meeting sounds really interesting. See agenda below. I may join the Java User Group as well, but haven’t decided if I can commit to that much time yet.

MARCH 2008 NCUG MEETING: The March 2008 NCUG meeting will occur on a THURSDAY! (gasp). This meeting will occur on Thursday March 13th 2008 from 5pm-7pm Central time. It will be hosted by AT&T and will be on the topic of 3G broadband aircards connected to Cisco routers. Dinner and a free AT&T Blackberry door prize will be provided by AT&T, and additional free book door prizes will be provided by Wiley and Cisco Press.

The title of the presentation is

"Cisco High Speed Wireless Interface Card and AT&T Network Services"

The agenda should be approximately as follows:

Dinner and Meet and Greet @ 5pm

Introductions and open discussion @ approx 5:30pm

Presenter | Title | Topic | Time
Gary Weatherford | AT&T Systems Engineer | GSM 3G Network Overview | 15 minutes
Theresa Corballis | Cisco Systems AT&T Service Creation | Cisco High Speed Wireless Interface Card (HWIC) | 30 minutes
H. Bryan Pettus, CCSP | AT&T Technical Network Consultant | Cisco HWIC-MPLS Case study | 15 minutes


DIRECTIONS:

The AT&T Mobility Office in the Maryland Farms Complex in Brentwood, TN is located at 5310 Maryland Way, adjacent to the Tractor Supply Corporate HQ. The best contact number to provide is my cellular, 336-7087. Directions below:

From North of Downtown Nashville :

  • I-65 South to Old Hickory Blvd. West
  • Go approximately 2 miles west on Old Hickory Blvd. to Granny White Pike, turn Left going south on Granny White Pike.
  • Go approximately 1/4 mile to the traffic light @ Maryland Way, turn Left going west on Maryland Way.
  • Go approximately 1/4 mile and 5310 Maryland Way is on the left. Park on the Maryland Way side (south) parking lot.

From South of Brentwood TN :

  • I-65 North to Old Hickory Blvd. West .
  • Go approximately 2 miles west on Old Hickory Blvd. to Granny White Pike, turn Left going south on Granny White Pike.
  • Go approximately 1/4 mile to the traffic light @ Maryland Way, turn Left going west on Maryland Way.
  • Go approximately 1/4 mile and 5310 Maryland Way is on the left. Park on the Maryland Way side (south) parking lot.

Please let me know if you need anything else.

Thanks!

David L. Kessler, Mobility Applications Consultant

Business Markets Group - Global Channel

AT&T Mobility® 615-336-7087 david.kessler@att.com

http://www.wireless.att.com/home Data Support: (800) 331-0500

PLEASE RSVP to nashvillecisco@yahoo.com by Thursday March 6th 2008 one week out, because escorts are required in this building, and so that AT&T orders the right amount of dinner, and so that AT&T makes sure you have a seat at this Thursday March 13th 2008 event.

Thanks again, and if you are no longer interested in receiving invitations to our free dinner & learns, please send an email to nashvillecisco@yahoo.com with the word UNSUBSCRIBE in the subject line. Take care…

Posted in Life, Networking | 2 Comments »

Metro Ethernet Frustrations and the fix

Posted by Aaron Paxson on February 10, 2008

For those that have been following the last few weeks, you’ll know that I was implementing a Metro Ethernet (MAN) network for my company using a Cisco ME-3750 switch, and the frustrations that came with it.

Well, I still went forward using the ME-3750, just not using the ES Ports.  The circuit came up fine.  I thought I was done.  Ran a few simple tests…. yep, communication is working.  So I left to the airport.

A couple of days later, communications started failing. Intermittent results. Basically, it stems from ARP not working correctly. I would try to ping a device, then look at its ARP table. Nothing….. hmmm… weird.

I then look at the Switch’s mac-address table… yep…. the MAC’s are populating. So, I go the distance, and place two network sniffers on each end.

The end result was that sometimes (and only sometimes), an ARP request would get sent out, but the reply would never come back across the link. Since I was monitoring the actual trunk ports, this must be a problem with the provider.

Well, come to find out, AT&T (who was doing the fiber to copper hand-off for me) has a mac-address table with a maximum entry of 50 entries.  50 entries!!  We have a decent sized network, and we are moving servers to a co-location DR site.  C’mon… we’ll max 50 entries in no time.

I didn’t even know AT&T caps mac-addresses.  Do other providers do this, as well??

Posted in Networking, Switching/Routing | 2 Comments »

Cisco discontinues the Pix Firewalls

Posted by Aaron Paxson on February 10, 2008

Well, it has finally happened. It was only a matter of time. Since the Cisco ASA (Adaptive Security Appliance) did exactly what the Pix does, and then some, why support two lines?
Cisco announces that they will stop sales for the Pix Firewall in January 2009.  Support, however, will be continued until 2013.

See Cisco’s press release.

So, let’s talk about these ASA’s. For those that do not know, the ASA is actually the PIX underneath, with modularity to allow you to expand it to a specific appliance, such as Application Inspection or Virus/Malware/Spyware inspection. I’m actually using the one with the CSC module, which includes the Virus/Malware/Spyware inspection. The ASA actually inspects SMTP, HTTP, POP3, and IMAP packets.

When I first purchased and used it 18 months ago, Trend Micro (who owns the scanning engine of the CSC module) had quite a few bugs in it, so, I didn’t like it at first. Too many problems. However, over the last 18 months, their updates and bug fixes have seemed to stabilize it a little bit.

You can learn more about the ASA at Cisco’s website, if you aren’t already familiar.

Posted in Networking, Security, Switching/Routing | 3 Comments »

3750-metro frustrations. Worth it??

Posted by Aaron Paxson on January 24, 2008

I am incredibly frustrated, and I’m hoping this post will save countless others from yelling out loud, after finding out you wasted money and hours of troubleshooting for no reason.

First off, a bit of history. Back in my historical posts, I mentioned my thoughts on the 3750-metro series switches. At first, I wasn’t all that impressed with the metro-series. I mean, it seems to be more for the service provider than for the customer. But, if Cisco recommends it for a customer, I should listen, right?

Well, Cisco sales reps are more interested in selling products, than in giving the best answers, and this is a perfect example. So, make sure to listen up, and pay attention.

In building our metro network, we have a fiber line, provided by AT&T. On the customer side, AT&T installed a Cisco switch to terminate the fiber, and hand-off copper. I then take the copper into my network. But, after connecting my 3750-metro interface (The ES port, for “Enhanced Services”), I never saw a link. Hmmm… did AT&T enable their interface? I asked…. yep. Do I need a cross-over, or did they build the cross-over in their patchpanel? Nope. Straight-through. So, I must provide the cross-over (and for those that will ask… no, I do not trust the auto-sensing MDIX).

Still no luck.

Then, I asked AT&T the interface characteristics: (100Mbit - Full Duplex). Hmmmm…. shouldn’t be a problem. I’ll set my interface to that. What?? I can’t. It only accepts 1000? Let’s look at the docs:

[Image: caution-3750-warning]

Now, I consider myself a respectful and considerate human being (at times). However, I must say, when I realized that, I was glad I was in an isolated room with no one around. Because I yelled and cussed as I used to when I was a sailor in the Navy. At this point, I realized I have spent between $6k to $8k more than I needed to (I bought 2 metro switches, one for each side of the link), and I just wasted 3 to 4 hours of troubleshooting. I should have gone with my initial feelings about the 3750-metro.

So, what is the difference between the 3750 and the 3750-metro? From Cisco’s website:

Q. What is the difference between the Cisco Catalyst 3750 Metro Series and the Cisco Catalyst 3750 Series?

A. The Cisco Catalyst 3750 Metro Series is built for Metro Ethernet access in a customer location, enabling the delivery of more differentiated Metro Ethernet services. These switches feature bidirectional hierarchical QoS and Traffic Shaping, intelligent 802.1Q tunneling with class-of-service (CoS) mutation, VLAN translation, MPLS, EoMPLS, and Hierarchical Virtual Private LAN Service (H-VPLS) support, and redundant AC or DC power. They are ideal for service providers seeking to deliver profitable business services, such as Layer 2, Layer 3, and MPLS VPNs, in a variety of bandwidths and with different SLAs. With flexible software options, the Cisco Catalyst 3750 Metro Series offers a cost-effective path for meeting current and future service requirements from service providers.

And what is this “ES Port” thing. What does it do for me?

Q. What are the Enhanced Services (ES) ports?

A. The Cisco Catalyst 3750 Metro Series includes two SFP-based ES ports. The ES ports support Metro Ethernet features that are vital for delivering profitable business services, such as Layers 2 and 3 and MPLS VPNs, in several bandwidths and with different SLAs. Supported features on the ES ports include EoMPLS, MPLS, MPLS VPNs, bidirectional hierarchical QoS, intelligent 802.1Q tunneling (Q-in-Q) with CoS mutation, and VLAN ID translation.

So, to summarize, pretty much every enhancement the metro-line offers is in the ES ports. Other than the redundant power-supplies, this is a wash. The regular Cisco 3750 still has a powerful QoS engine, and the same IOS commands. Now, I’m sure there is more in the metro software image than the standard 3750, but without the ES Ports, what’s the point??? The provider will provide the Q-in-Q tunneling, the hierarchical QoS, etc. What good does it do??

I’m still a little bitter, but by the time you post your comments, maybe I’ll feel better, and listen more. So feel free to let me know what you think. Right now, I’m disappointed, and frankly, quite pi$$ed, because I feel like I was taken advantage of.

My only advice is…. if you get the Cisco 3750-metro, please make sure the provider will hand off a 1000 Gigabit connection. Otherwise, you are sitting on an expensive 3750.

The only thing I can think of, is to place a media-converter in the middle, so I can use the 100Mbit ES interface. But, that just adds another point-of-failure, and this metro network was supposed to alleviate the failures… not add to them…..

((Sigh))

Posted in Networking, Switching/Routing, Technology | 5 Comments »

Cleveland - MAN (Datacenter relocation)

Posted by Aaron Paxson on January 22, 2008

Well, I’m off to Cleveland this week. I’ll be bringing up our first MAN to a new co-located datacenter at Expedient.  We currently have one cabinet there, but look to getting a second cabinet in a few more months, depending on how great it works out.

The only thing I do not like about the 3750-metro switches is that they don’t have a netflow export option.  Personally, I think they should.  Being a multi-layer switch, and intended to be on each side of a MAN, the netflow export would be perfect to analyze the traffic across the MAN link.

What do you all think?  Agree to disagree?

For me, it will be a learning experience.  This will be my first time using the Cisco 3750-metro series switches (I’ve used the 3750’s before but the metro’s allow more fine-grained control on QoS and packet-shaping, though, I lose the Gb interfaces).

I’ll need those QoS and packet-shaping skills, since we only have a 20M fiber link between the two locations, and we’ll be sending voice and video through it, on top of regular data traffic.

To be honest, I’m not that confident in my QoS knowledge. Yes, I know the fundamentals (at least I think I do…. uh oh), but I’m always nervous I’ll forget one tiny little thing, which will cause disastrous results. Ah well…. I feel that way every time I touch a keyboard key.

Wish me luck!

Posted in Networking, Switching/Routing, Technology | 4 Comments »