Teneo !!!

Aaron’s blog on Networking, and Enterprise Technology

Tag Archives: Cisco

Why do I choose complexity?

I have always loved complex systems.  Not because they make me feel smart, or because I want to be the only one who knows how to do it, but because they open up options for me.

For example, when I was deciding on a phone system 3 years ago, it boiled down to “ShoreTel” and “Cisco”.  One of ShoreTel’s selling points was that it takes 2 minutes to set up a new user.   Well, that’s true… setting up a new user/phone/call center agent can take up to 10 minutes on Cisco for someone not familiar with the interface.

So, why did I choose Cisco?  Because it was more expensive and more complicated?  Not really.  I chose Cisco because, while it does take me longer to set up a user, that means I have more options in the setup process that I can work with later.  More flexibility means more solutions when presented with challenges.

I recently heard this motto on a podcast from PacketPushers, that said, “I love complexity, because it gives me options”.  I feel that is so true.

Maybe that’s why I choose Unix over Windows, Domino over Exchange, Plone over SharePoint, and Cisco over ShoreTel.  The more flexibility I have, the better the solutions I can give when challenged by the business to do something extraordinary.

Network Lockout Trap!

Ever logged in remotely to a switch or router and made a typo or change that locked you out of the system?  Boy, I have!  And recently on Twitter, the same thing happened to someone else.

I was on my core switch, and instead of working on interface g0/23, I fat-fingered it and worked on interface g0/24.  Why is this a problem?  Well, I was assigning a VLAN, which shut down a trunk port to another part of the building!

Now, before someone starts arguing about proper network design regarding multiple up-link ports, I’ll just say, “Yeah, I know”.  This part of the building didn’t have one, and it should have.

Anyway, how do you prevent that from happening?  Once you do that, you kinda lock yourself out, right?

Well, for Cisco, you can issue the command “reload in XX” (where XX is in minutes) before making a configuration change that you *think* may adversely affect something.  This way, if you don’t cancel it, the device will automatically reload itself.  And, since you haven’t saved the change, it will come back up with the original saved config.

When you are done, and everything seems fine, you cancel it with: reload cancel.  (Oh, and don’t forget this, or you’ll reload the box, even if nothing is wrong.  I’ve done that too!)

Here is the big gotcha!  If you lock yourself out, the device will reload totally.  This means, if the device is doing anything else, that will also shut down.  So be cautious when doing this.  Can you imagine reloading a core router with multiple data connections, simply because you shut down 1 serial line?

That’s one thing I *LOVE* about Juniper!!!  I cannot stress how awesome this is!  First, Juniper uses a COMMIT option.  This means your entire configuration is checked for errors, and *then* saved.  Whereas Cisco implements the command as soon as you enter it.  So, if you are configuring 2 interfaces for aggregation on a Juniper switch, you configure everything first… then commit the entire configuration to running AND saved memory.

Now, that’s a benefit.  But why include that in this post?  Because Juniper has a COMMIT CONFIRMED command.  This means you can roll back your commit if you don’t confirm it.  While it may sound JUST like the Cisco “reload in XX” command, it isn’t.  It rolls back the configuration… NOT a reboot.  This means existing processes are untouched.

Can you tell I’m getting impressed more and more with Juniper?  HAHA

Anyway, hope this post helps.

Juniper replacing Cisco?

Okay, well, maybe not *that* dramatic, but it got you reading, didn’t it? 🙂

So, in a previous post, I mentioned how impressed I was with Juniper’s EX switching line. I mean, they were running the internet (and most ISPs still are), so they must know Ethernet and IP pretty well, right?

Well, after using 1 Juniper EX 3200 switch, I was impressed at the features it gave, and it compared extremely well to managing Ciscos. There is a bit of a learning curve, but once you get over it, you start appreciating the different ways you maintain it. Especially if you have a *nix background, as JUNOS is built on BSD.

So, based on my experience on that one switch, I decided to go for it. I purchased 4 Juniper 4200 switches to be placed in a stack for my L2/L3 server backbone. The cost difference was significant if I wanted to do the same thing with Cisco’s 3750s. However, one of the biggest differences with the “Virtual Chassis” that the Junipers implement and Cisco does *not*, is the ability to use a 10Gb uplink (copper or fiber) to attach to another switch for the virtual switch fabric. Yes, that means, if you use fiber, you can have another switch several km away, and still participate in the Virtual Chassis. Though I’m not using that implementation, it’s impressive to see.

The specs are just about even across the board between the Cisco 3750 (10/100/1000) and the Juniper 4200 (10/100/1000) switches. One of the differences is that the Juniper only has 8 PoE ports, though, that doesn’t matter to me in this implementation, as this is only for a server backbone, but still a difference nonetheless.

Another difference is in the stacking backplane. Cisco’s Stacking cables are 32Gbps each, giving a total switching fabric of 64Gbps between switches. Juniper’s cables are rated at 64Gbps each, giving a total switching fabric of 128Gbps between switches.

I haven’t quite gotten into the QoS piece just yet, which is a flaw on my part. Though I know the Juniper switch has QoS features (8 queues per port), I should have worked with it more before implementing these 4200s. A bit of an oversight that I hope won’t come back to haunt me later. I haven’t looked at marking CoS on these switches yet. Anyone have any thoughts/experience?

While I still wouldn’t consider replacing my core with Juniper just yet, I do plan on implementing them at my access-layer.

If you have not considered Juniper yet for your switching-line, I highly recommend you give them a shot. Again, there is a small learning curve, but worth it.

Changing the break character on Cisco

Greg Ferro, Ethereal Mind, posted a great post on how to change the break character on Ciscos.  This can be handy for folks like me, who always forget, just because it’s not a usual or routine thing for me.

He also explains how using Terminal Access Servers can get annoying, because the Terminal Access server is receiving the break, and not your current connection.  Similar to doing a CTRL+ALT+DEL in a Windows Terminal Session.

Nice post, Greg.  I can use something like this in my arsenal.

Styx being reborn – SQL Netflow Collector

Okay, after my last post about whether I should get back to rebuilding my netflow collector, Styx….. I finally made a decision.  I’m going to push on.

The main reason is because there really isn’t anything out there to give you the data you want.  Yes, there are some really great products out there, but you are limited to the graphs and data exports that the programming company *wants* you to see.

Styx is different.  Yes, it will have the same kind of graphs, but it puts you back in the driver’s seat.  The way I see it… if you are savvy enough to know that you need NetFlow data, then you are competent enough to know what data you want to see.

Styx has an OLAP engine that will allow you to drill-down to see the data you need.  You can do all the “data-mining” you want.  Of course, I’m still building it, so it’s more like a fantasy than real life… but it IS in progress:  http://styx.javaforge.com

It’s built on SQL, so you can use your favorite reporting package.  Of course, on high-traffic networks, you could be analyzing millions of records, so to be efficient is a major challenge.  But, one that I’m willing to overcome.

Thanks to everyone for your comments on my previous post, as well as the many emails I received.  I appreciate your feedback, advice, and confidence in me.

Once this package is available to use, I would love to have your help in letting me know what’s most important to you.

Until then, I will continue coding……. java-style!!

Cheers!

Killer show command – The ‘section’ filter

More often than not, I’m wanting to pull out a small subset from my Cisco box’s running-configuration.

Usually, I would do a “show run | beg xxxx”, and just type in where I want the configuration to start from.

This is handy, so you don’t have to page through lots of text before finding your area. The problem is, the paging brings the text you entered to the top. By the time you “break” through the paging, you’ve already entered several lines, and your text is now scrolled up.

Enter the “section” filter, a filter command included in the ‘T’ train of IOS since 12.3. This is really new to me, though it’s been out there a while.

This will now give you the entire ‘section’ of the configuration (i.e. the indented text of a configuration object).

For example, if you wanted to see your BGP configuration, you would enter:

#show run | section router bgp

Or, if you want to see all of your router configs:

#show run | section router

VERY HANDY!!

For more information, you can find it here: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gtshfltr.html
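To make “the entire section” concrete, here is an added Python example (not Cisco’s code, and not from the original post) that approximates the `| section` filter over a constructed running-config and contrasts it with `| begin`. My reading of the filter is: print each line that matches the regex, plus the more-indented lines beneath it; the sample config, hostnames and addresses are all made up.

```python
"""Approximation of IOS `show run | section <regex>` versus `| begin <regex>`.

Assumed behaviour (this is an illustration, not Cisco's implementation):
a "section" is a matching line plus every more-indented line that follows it.
"""
import re

# Constructed sample running-config; no real device or addressing.
SAMPLE_RUNNING_CONFIG = """\
hostname core1
!
interface GigabitEthernet0/23
 description uplink to building B
 switchport mode trunk
!
interface GigabitEthernet0/24
 switchport access vlan 10
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
router bgp 65001
 neighbor 192.0.2.1 remote-as 65002
 address-family ipv4
  neighbor 192.0.2.1 activate
 exit-address-family
!
line vty 0 4
 transport input ssh
"""


def _indent(line: str) -> int:
    """Number of leading spaces; IOS nests sub-commands by indentation."""
    return len(line) - len(line.lstrip(" "))


def begin(config: str, pattern: str) -> list[str]:
    """`| begin pattern`: everything from the first matching line to the end."""
    regex = re.compile(pattern)
    lines = config.splitlines()
    for i, line in enumerate(lines):
        if regex.search(line):
            return lines[i:]
    return []


def section(config: str, pattern: str) -> list[str]:
    """`| section pattern`: each matching line plus its indented body only."""
    regex = re.compile(pattern)
    lines = config.splitlines()
    out: list[str] = []
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not regex.search(line):
            continue
        base = _indent(line)
        out.append(line)
        # Consume the indented body that belongs to this heading line;
        # a "!" separator or a same-level command ends the section.
        while i < len(lines) and lines[i].strip() and _indent(lines[i]) > base:
            out.append(lines[i])
            i += 1
    return out
```

Running `section(SAMPLE_RUNNING_CONFIG, "router bgp")` returns just the five BGP lines, while `begin` with the same pattern also drags in the `line vty` block and everything else to the end of the config.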


UPDATE:   CCIEPersuit had blogged about this command back in 2007 (see, told you it wasn’t new, that’s just how far behind the times I am).  It is a MUCH more descriptive entry than mine.

Busyout Voice B-Channels on Cisco Router

I have been looking forever for a good command to just busy out my PRI circuits from my gateway. There is a way to do it in Call Manager Service Parameters, but that seems to be only good for MGCP gateways. My gateway is H.323. Plus, I couldn’t figure out how to identify that one specific controller, from my 5 controllers on that gateway.

So, here is what I used to busy-out my PRI B-channels gracefully. Start off in global config mode, and change to your D-Channel interface:

voice_gw(config)# interface Serial0/1:23

Then, issue your busyout command. Here, I’m placing all my channels out of service:

voice_gw(config-if)# isdn service b_channel 0-23 state 2 soft

b_channel=0-23 – This is my range. You can certainly just insert one channel, or a different range.

state=2 – 0=InService, 1=Maint, 2=OutOfService

soft – This means, place them in the defined state when the channel becomes idle. (In other words, do not disconnect active channels until they hang up.)

I’m not crazy if I use the term “router-on-a-stick”

If many of you have watched Jeff Dunham’s shows, you’ll no doubt be familiar with José, the Jalapeño on a stick.  (Jeff Dunham is a hilarious ventriloquist.)  So, don’t think I’m nuts or crazy if I use the term “router-on-a-stick”.  It’s not a reference to José or being silly.

Why do I bring this up?  Well, I was talking to a technician, trying to get him to understand VLANs, and that you actually have to have a router (a Layer 3 device) in order for two VLANs to communicate.  He asked, “I have 20 VLANs!  I can’t have that many interfaces on my small 1800 router!”

Hence the coined term, router on a stick.  Basically, you use a single cabled interface (the stick if you straighten out the cable — sorry for the visual), and turn it into multiple logical interfaces.  You can then assign an IP address to each logical interface, and route between them, still only using the 1 physical interface.

I was then asked, most appropriately, “How do you get multiple VLANs over a single cable?”  Ahhh… now you are talking about trunking.

A frame in a VLAN is the exact same piece of data (the frame, in this case, since we are talking Layer 2) with 1 itty-bitty difference… a VLAN tag.  A frame tagged for a certain VLAN cannot cross into another VLAN on its own; it has to go through the router.  So, you create a trunk interface to pass all the frames in certain VLANs, or all of them.

Trunking can be done in two ways… ISL (blehhh… don’t use it) and 802.1Q.  If you build a trunk between the switch interface and the router, you can then pass all the trunk data to the router, and have the newly created logical interfaces receive the packet and send it on for routing.

No doubt, I have left gaps in my explanation.  I did this because I only wanted to give you an overview, and the definitions.  I didn’t get into detail, because many others have done this (and probably a better job than me).  Cisco also has a quick document written up.  http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a00800949fd.shtml
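To show exactly what that “1 itty-bitty difference” is, here is an added Python example (not from the post or from Cisco) that builds an Ethernet II frame, inserts an 802.1Q tag after the source MAC, parses it back, and then does what a router-on-a-stick does: picks the logical subinterface from the VID. MAC addresses, subinterface names and addressing are all constructed for the example.

```python
"""802.1Q tagging and router-on-a-stick demultiplexing, as an illustration."""
import struct

ETHERTYPE_8021Q = 0x8100   # TPID that marks a tagged frame
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst(6) | src(6) | type(2) | payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag: TPID 0x8100 + TCI (PCP:3 | DEI:1 | VID:12).

    Nothing else in the frame changes, which is the whole point of the post.
    """
    if not 1 <= vid <= 4094:            # 0 and 4095 are reserved
        raise ValueError("VID must be 1..4094")
    tci = (pcp << 13) | vid              # DEI bit left clear
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, vid (None if untagged), the inner ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, offset = None, 14
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vid": vid,
            "ethertype": ethertype, "payload": frame[offset:]}


# Hypothetical router-on-a-stick: one physical port, one subinterface per VLAN.
SUBINTERFACES = {10: "Fa0/0.10 (192.0.2.1/24)", 20: "Fa0/0.20 (198.51.100.1/24)"}


def route_to_subinterface(frame: bytes, native_vid: int = 1) -> str:
    """Hand the frame to the logical interface for its VLAN.

    Untagged frames arriving on the trunk belong to the native VLAN; a VLAN
    with no subinterface is dropped, which is what keeps VLANs separate.
    """
    info = parse_frame(frame)
    vid = native_vid if info["vid"] is None else info["vid"]
    if vid not in SUBINTERFACES:
        raise ValueError(f"no subinterface for VLAN {vid}; frame dropped")
    return SUBINTERFACES[vid]
```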

Good luck, and don’t hesitate to ask questions, or correct me in areas where I may be mistaken (I do that from time to time 🙂 )

Review: Cisco Firewall Video Mentor

I have just finished reviewing the Cisco Firewall Video Mentor training from the well-known publisher, Cisco Press. I was quite pleased with it overall. David Hucaby (CCIE# 4594) does a great job walking you through each of the labs and content.

This video covers both the ASA firewall concepts, as well as the FWSM concepts on a Cisco 6500.

If you are still intrigued, I invite you to review Lab 7 for free at InformIT, where Mr. Hucaby actually shows you, in real-time, the fail-over process in action for the firewalls. You can review it here: http://www.informit.com/content/downloads/digital/firewall_007.mov

This training video shows how to start, configure, troubleshoot, and maintain beginning and advanced concepts to the Cisco ASA and Cisco FWSM devices.

My first impressions were excellent. I was pleasantly surprised how well they merged video, audio, and concepts into a 2D training session. I felt as though I was really in a classroom, just without the ability to ask questions, though there really wasn’t much need, as he was very thorough. He uses diagrams and PowerPoint to teach concepts, and then moves to screen mode to demonstrate actions in real-time (such as watching two firewalls fail over to each other or building new routes).

Another fantastic advantage is its multiplatform support. The last training CDs I reviewed required Windows. Sure, it was done in Flash, but it either required Windows to execute it, or the Flash files were buried under so many folders that it was too cumbersome to use. The Video Mentor for Cisco Firewall works with Windows, Mac, and Linux. You just need a browser with Flash 7, a DVD drive, and an open mind!

The first Lab goes through the initial configuration. Don’t let this lab be daunting for the beginners. Mr. Hucaby does a fantastic job walking you through it. He even goes through “basic cisco command-line” concepts, so even the most basic beginner to Cisco concepts can learn. Outside of learning how to physically connect your machine to the console port, David talks you through everything else.

David walks you through all the different options with configuring interfaces, including security-level concepts, redundancy, and vlans. He also replicates a “down” condition, showing how the firewall processes a redundant connection in real-time.

The training goes over basic routing techniques, including understanding the standard Cisco routing table. The video also goes into detail and step-by-step instructions on how to setup SLA Monitoring in order to “watch” a route. If that route fails, a new failover route is created. Mr. Hucaby also shows how to receive routes via OSPF, and shows it in real-time. Debugging is also covered for the routing and tracking topics.

One of the most impressive pieces of this video, in my opinion, is the monitoring, in real-time, of a failover in process between two firewalls. Using debugging mode, you can actually watch what each firewall does during the process. David also discusses why and how the firewalls do it, during the process.

Do not let this video fool you. It’s not just for beginners. Mr. Hucaby does a great job transitioning from basic use, to advanced concepts, including using MPF (Modular Policy Framework), and firewall contexts. Another topic for the seasoned administrator, is the capturing of data traffic across the firewall, as well as testing your policies using the packet tracer.

Now, for the scoring. Keep in mind, that this meaningless scoring mechanism really offers no value whatsoever, since I’m just now coming up with the categories as I write. While it won’t give you a good comparison to other products like it, it should give you an idea of how I rate certain aspects.

Content: 9 out of 10. Really, the content of the video was excellent. Each topic flowed easily into the next, while still standing on its own, if you are skipping chapters. When the author “seems” to make a mistake, he explains why. You are, in effect, learning from someone else’s mistakes. Another form of learning.

Presentation: 9 out of 10. Each chapter has a 30-second introduction of the author as he explains what’s coming up. This gives you a real sense of “human” contact, rather than some narrating voice for 5 hours. Plus, having powerpoint animations DURING the video as the author types was very productive. It gives you eye-stimulation as well as content during the video. Great job.

Entertainment: 4 out of 10. I felt really bad giving this great video such a low score, but no training software is ever perfect. The author, while incredibly bright and knowledgeable, seemed nervous and fairly monotone during the introductions. I felt that the training could use a little light humor or off-the-cuff tangents at times. I feel entertainment is very important in training, and thought I should include this category.

Usability: 10 out of 10. This video was able to be used out-of-the-box on my Windows XP, Windows Vista, Mac OS Tiger, and Linux Fedora Core 9, without doing anything. You double-click on the icon or program that comes up, and you are rocking. Can’t get any easier than that. You also have a main-menu system from which you choose all the different chapters, and can view the current Lab’s PDF. Very easy to navigate. I couldn’t think of any way you can get any better.

Understanding: 8 out of 10. The content that David goes over is easy to understand for novices, yet, he does not seem like he’s talking down to the seasoned administrators. Unlike other training courses I’ve heard, he concentrates more on the topics, than on his level of knowledge. There were, however, times where I wished he would go into more detail when discussing common-practices.

Overall, the meaningless Teneo score is 80 out of 100, and that is only because of the low Entertainment score. This video is definitely on my high-list of recommendations. I was very pleased with the overall “production” and “content”. If you are a beginning firewall administrator, or a seasoned administrator that would like to “fill-in-the-gaps” as it were, this video is definitely for you!