IP SLA Supported Operations
Posted by Douglas in Uncategorized on August 10, 2011
Here’s a great command-line tool for finding out what IP SLA methods are supported on your device:
show ip sla application
R1-2621XM#show ip sla application
IP Service Level Agreements
Version: Round Trip Time MIB 2.2.0, Infrastructure Engine-II
Time of last change in whole IP SLAs: *03:00:03.891 UTC Wed Feb 9 2011
Estimated system max number of entries: 22845
Estimated number of configurable operations: 22845
Number of Entries configured : 0
Number of active Entries : 0
Number of pending Entries : 0
Number of inactive Entries : 0
Supported Operation Types
Type of Operation to Perform: dhcp
Type of Operation to Perform: dlsw
Type of Operation to Perform: dns
Type of Operation to Perform: echo
Type of Operation to Perform: frameRelay
Type of Operation to Perform: ftp
Type of Operation to Perform: http
Type of Operation to Perform: icmpJitter
Type of Operation to Perform: jitter
Type of Operation to Perform: pathEcho
Type of Operation to Perform: pathJitter
Type of Operation to Perform: rtp
Type of Operation to Perform: slm atm interface
Type of Operation to Perform: slm atm pvc
Type of Operation to Perform: slm controller
Type of Operation to Perform: slm frame-relay interface
Type of Operation to Perform: slm frame-relay pvc
Type of Operation to Perform: slm interface
Type of Operation to Perform: tcpConnect
Type of Operation to Perform: udpEcho
Type of Operation to Perform: voip
IP SLAs low memory water mark: 31191550
R1-2621XM#
High-Level IPSEC VPN Troubleshooting
Posted by Douglas in Uncategorized on August 5, 2011
Troubleshooting IPSEC VPNs can be a daunting task. Combined with strange debug messages that have a variety of solutions when feed into google, they can be a trying experience. It’s been my experience that most IPSEC VPN issues are simple configuration issues – mismatched settings or missing items. So here’s a high-level step through of the troubleshooting process. Its biased towards Cisco products – routers, the ASA platform, and even the PIX.
IKE Phase 1 – This would be the “Policy” portion of the configuration. Its a global command (applies to all VPN tunnels) and is numbered to determine preference. You will configured the encryption (3DES, AES…), the hash (md5, sha…), the authentication method (Pre-Shared key, certificates…) and the diffie-helman group (DH group). Successful ISAKMP can be viewed with commands similar to “show crypto isakmp sa”.
IPSec Transform Set – The transform set specifies the encryption and hash for IPSEC Phase 2, as well as type of IPSEC being using (Almost certainly going to be ESP).
Split Tunnel / Interesting Traffic Access List – You’ll need to define what traffic is “Interesting”; the traffic that will be encrypted. It’s a good idea to idea to ensure that both devices have a “mirror image” of this ACL. In most cases the ACL does NOT have to match exactly, but if you’re having problems it’s good to make sure it is (not to mention a clean and secure configuration!)
Authentication / Preshared Key (PSK) – You’ll need to define a PSK for your peer. I’m not going to get into certificate-based.
Crypto Map – This will bring together your Transform Set, the interesting traffic, and your VPN Peer address (which ties back to your defined PSK) You can only assigned ONE named crypto map to an interface, but like the ISAKMP Policy, you can define multiple peers within a map via numbered priority.
Apply It – Make sure your router has the crypto map assigned in the external interface. ASAs and PIX with have a crypto map command assigning the name of your map to an interface.
Network Address Translation – While you can do NAT, the majority of VPNs I’ve encountered are providing a VPN between private sites with private addressing. You’ll need to ensure that any NAT you’re doing is exempted if this is the case (otherwise your traffic may not match the Interesting Traffic). Most routers will utilize a route-map, while ASA/PIX should use the NAT exemption (aka “nat 0″). If using a router, use the same ACL defined for the Interesting Traffic in a route-map deny statement.
Routing – If you’ve got multiple external interfaces, ensure that the routing table sends the traffic to your peer on the interface address used by your peer. Make sure the route to the remote VPN network uses that same outbound interface.\
Encryption License – Make sure you device is capable of running the encryption you require. Don’t assume your device is licensed for a particular encryption scheme. In the case of routers, ensure your image or 15.x license even supports encryption (although being able to enter the commands is a good sign!).
Still not working? Check all of that again. Twice.
The vexing issue of Ubuntu under Hyper-V
Posted by Douglas in Uncategorized on August 3, 2011
Ever solve a problem and then lose the solution? You found it once on google, but now it’s nowhere to be found?
Anyways, Ubuntu has a curious bug where the (legacy) network drivers will work briefly during startup when deployed as a guest O/S under Microsoft Hyper-V (2008 R2 in my case). Those running a single CPU won’t have this issue. This is solved quite simply…
apt-get remove irqbalance
Carbon-Based Networking and Managing Your Career
Posted by Douglas in Miscellaneous on July 28, 2011
Before I started down the path of obtaining my CCIE, I finally came to the realization that I, and I alone, was the one that needed to be in charge of my career (I do however have a Chief Adviser – my lovely wife!). Company training programs, managers, recruiters – they all have a myriad of competing goals that may not line up with yours. Once I reached my goal of obtaining the CCIE certification, I began to consider my next steps, and a big one for me was Carbon-based networking – as opposed to the silicon-based networking I spend the rest of my time on. The other has been one of the more complicated tasks of setting my own road map and deciding what I was going to study next.
I got a little reinforcement from this recent post: Getting Plugged In by Matthew Norwood.
My own goals including writing and blogging more… so here you have it:
Professional Road Map – Manufactures and vendors have road maps, and you should to. Plan your career – where are you at, where do you want to be? Short and long term, plan your career. A new job can change things rapidly, but that’s no reason as to not have a destination in mind.
Education and Training – Shocking news, everything we’re doing in IT and networking has massive change. If your company gives you large amounts of time and money to study, then consider yourself very lucky. For the rest of us, you need to expect to study on your own time, and to some extent your own dime. Certainly take what you can get, but be leery of sudden training courses on products or technologies not on your personal road map. Consider them carefully before jumping at the chance just because it’s company-sponsored training. Downtime, slow days, flex days are all good for making the time to study.
Personal Brand – I must admit, I think of cheesy lines from Austin Powers when using this phrase. However, you mostly likely already have a personal brand – especially given today’s social networks (LinkedIn CEO stresses personal brand creation). My personal experience is to be careful what things you choose to do and say on this front, things can quickly make it back to you. I welcome the refreshing frank talk by many of those I follow on twitter and whose blogs I read, and perhaps even get a little thrill from their free speech – but I’ve learned a hard lesson and and would recommend careful consideration on that front – so everything I say online I expect to be heard by a customer or a business partner, and thus I try to choose my words carefully.
Carbon-Based Networking – I recently attended my very first “networking” event, or at least by the definition everyone outside of IT thinks of when someone says “networking”. There’s no active Cisco Users Group around me – so my first event was the IT Martini Hour in Cleveland, Ohio and I’ve got plans to attend a Northeast Ohio Information Security Forum meeting soon, as well as an Association of Information Technology Professionals meeting. Branch out, meet new people, expand your comfort zone – even if it’s uncomfortable.
Control that MAN Bandwidth
Say what you will about the state of the Internet in the USA, but one thing is certainly true – Business-class service prices continue to trend downward and bandwidth upward. Enter the MAN (Metropolitan Area Network) for small and medium businesses everywhere. Rejoice in the multi-megabit speeds climbing to 1Gbps and beyond. All with a simple Ethernet interface for ease-of-use and flexibility.
Enter the age-old question: “Why is the network SLOW?” Network Engineers everywhere cringe. But before you issue a declaration of absolution for the network, let’s take a step back and investigate. Today we’re going pick apart a 500 Mbps MAN service that has poor performance when running backups across the link.
Our network is simple enough, a pair of 2960G switches on each side of our MAN link. Our server engineers have done their own homework and report the backup performs at much higher speeds on the local networks; it’s only across the MAN when they encounter the issue. Let’s tackle the easy questions:
- Line Errors – Both switches are reporting no errors over a significant amount of time.
- Duplex Settings – Carriers frequently don’t support Auto-negotiation which may lead to a misconfiguration on the customer side. We would expect errors with a mismatch, but always check the operational status. Ours is locked in at 1 Gbps/Full-Duplex.
- Latency and Loss – Latency is sitting at a lovely 1.7ms and there’s no loss and +/- 2ms jitter.
- Replicate the Issue – Is it really happening? What speeds are we getting really?
In replicating the issue, the traffic flows yeild an interesting result: 170 Mbps in one direction and 340 Mbps in the other direction. Time to get the carrier involved? Use a fine tooth comb through the configurations of the switches? It’s the middle of the day and we have NO service window, so we’ll do both.
- Configuration Review – Simple configurations, nothing fancy here.
- Carrier – The carrier tech is obsessed with duplex settings, but we’ve vetted those – and they’ve got no errors either. Policing? None. Shaping? No to that as well.
It’s important to determine what methods your carrier is using to control your traffic. Your fix may not differ one way or the other, but until you ask you can’t be sure. Ours is controlling our bandwidth by limiting the number of channels we’re getting across their SONET backbone. Ours requires a dispatch and a service window to perform invasive testing and that’s not an option at the moment – and quite possibly unneeded.
Confused? Intrigued? Know the answer? (Hint: It’s in the title)
All of our pain and suffering is relieved by one simple command applied on both ends of our link:
srr-queue bandwidth limit 50
This simple command is going to idle our port 50% of the time, effectively setting our rate to 500 Mbps and matching what the carrier is allowing. And the test results? Around 420 Mbps in each direction, and 250 Mbps full-duplex with both sides transmitting.
It’s important to control your traffic flows when you encounter high-to-low speed transitions. From sub-rate interfaces, policing or shaping, or aggregation points – YOU want to be in control of what and how your data is policed or shaped. Don’t leave it for your carrier to decide.
CCIE v4 Troubleshooting Advice
Posted by Douglas in Miscellaneous, TechTalk on July 13, 2011
On June 30th, 2011, I sat for the CCIE Routing and Switching exam for the second time. Fortunately, this time I passed both sections and got my long sought-after digits. For the purpose of this article, I’ll point out that I passed troubleshooting on my first attempt as well. It seems to me that there’s a fair amount of stress and concern over the troubleshooting section – so here is my perspective.
Strategy – No, not the test-taking strategy but one that encompasses how you’re going to achieve the over-all goal of passing the CCIE. What training do you require? What vendors? Realistic expectations of your skills and the time you can put into studies. Be honest with yourself about your skill level and strengths/weaknesses and target them. Rack rentals are great, but building your own lab at home means 24/7 access. Before I purchased a single book to start my preparation, I had a strategy. I was never a fan of the “I know everything… I know nothing” concept that goes with studying for the CCIE. I prefer to think of it as strengths and weaknesses (some weaker than we’d like). The only luck you need is getting a test that plays to your strengths instead of your weaknesses.
Preparation – With all the information out there, how could I possibly even bother mentioning this? Making small talk with my fellow candidates just minutes before going in to take the test, I met a candidate that was surprised to hear me mentioned the 30+ routers we were about to face in the troubleshooting portion of our labs. He may have passed – I don’t know, but that’s a lot of take in when you’re expecting something decidedly different. If you’ve settled on one vendor, go find the free resources offered by the other vendors. Even if you don’t contribute, there are many great resources – Group Study, CCIE study blogs, and I’ve had some excellent discussions on Twitter.
Time Management. Everybody talks about it – you must do it! I believe an effective study plan will utilize both labs focused on learning (non-timed, focused on learning the technologies and methodologies) as well a assessments (time and graded). I’ve heard things along the lines of “A well-prepared candidate can complete the troubleshooting within ONE hour”. I didn’t come close to this on my first attempt, but on my second attempt I went in with this goal and met it (although I did spent another 30 minutes checking and re-checking my work). Cisco tells you exactly what to expect, 10 tickets with 11-12 issues and a 120 Minute clock. 10 Minutes per ticket. If you can’t do this on the assessments, you may not be ready.
Experience. It’s hard to beat this, the psychological aspect of the CCIE exam is in full effect in troubleshooting. If you’re used to network down situations with your boss or customer standing over your shoulder and freaking out, then you’re going to be better prepared than those without. If you don’t have this experience, my best advice is to be sure to complete as many timed troubleshooting assessments as you can. Learn to work under the stress, do it until it’s almost a mundane event.
Reading Comprehension and Difficulty. Both still apply, but I felt the test was very clear about the issues and required resolutions. But I’m sure this is one area that allows Cisco to adjust the exam’s difficulty with little effort. I did feel that my assessment exams were frequently more difficult than CCIE in that they had too many tickets and required universal connectivity – which I take as a positive for study but something YOU must plan for when considering your strategy for troubleshooting. The real exam WILL challenge you with some things you’ve not thought about or seen before, so it’s important for the study exams to push you harder. Overall, the “zoomed view” (absent on my first attempt and a welcome addition on my second) helped to identify where in the network the issues where and I felt the clarity of the tickets had been improved.
Search - According to Cisco, they’re enabling a search functional. Avoid it like the plague. Scanning search results could be a risky waste of time. If you know the DocCD structure, you can find everything you need in just a few clicks. Learn the DocCD.
“Show run” – Learning to troubleshoot without “show run” is a critical method to teach you how to think about problems in a new light. I HATED this method when I was first working on the study labs, but it is now a technique I leverage frequently. I firmly believe you’ll be a better engineer for this. But if you stick with the materials that teach you to read and use the debugs,your skills as well as insights will improve. BUT, for the real exam, “show run” CAN be the fastest route to a solution. Conversely, it can also be your downfall (i.e., don’t get tunnel vision).
Debug – Honestly, I’ve always felt that if you need this in the troubleshooting section you may be in trouble. I can see scenarios where using this once may be viable, but it just did not fit into my time management methodology. I’m sure there are some who can wield debug faster than my show commands (including a focused show run), but I’ve always felt it was slower. You need to know it, and how to use it quickly and effectively – I used (and needed!) debug in both of my configuration exams.
Spot the issues – This method is used a lot to address complexities in the configuration lab. It still applies to troubleshooting. Yes, we want to work from the ground up and test layer 1, layer 2, etc. But at the same time, there are common issues and the proverbial “low hanging fruit”. Don’t be afraid to go with your instinct for a first or second guess as to what the core issue is. But be quick to abandon that premise and start at Layers 1 and 2 (1 for the real world, 2 for the lab – it is virtual after all).
Points Tally – I did not spend time tracking my points in troubleshooting. Another procedure I viewed as a waste of precious time. Solve them all and who needs to keep track of points? Conversely, I did not tally points in configuration during attempt #1 but added it to my regimen for #2 – which I can say was as a helpful productive step. For troubleshooting, I simply wrote down any ticket numbers I was unsure of or skipped, and came back to those after finishing the “easier” tickets.
Confidence – You’ve got to have it. Clicking that “End Session” button can be difficult when there’s time left on the clock. Even though I didn’t have the performance I would have liked in my troubleshooting assessments, I was always 100% confident about this section. I never once though I wouldn’t pass it. Configuration, for me, was just the opposite (both in assessment scores and my concern over it, I needed those extra 30 minutes). Plan your strategy – if you’re easily bothered by your performance on study or assessment labs, don’t take them or grade them leading up to the exam. I heard lots of stories about cramming multiple lab days or boot camps the week leading into the exam. I took the opposite approach, I didn’t do ANY the days before the exam (only light reading and review) and only some focus labs (ungraded) the weekend before. At that point there shouldn’t be much new material, and you most definitely should not be altering your test-taking strategy.
That’s my advice for you. I always felt the troubleshooting section was far more approachable than the configuration.I don’t expect my techniques to work for everyone, and I’m sure some of my advice may go against the grain, but hopefully this article has provided some useful insight. Best of luck to you.
DCNI-2
Posted by Douglas in Miscellaneous on July 6, 2009
There’s not a lot on the internet concerning Cisco Data Center Networking Infrastructure Support Specialist tests. I’ve taken a lot of Cisco tests in the past year, and I’m still not very comfortable going into them (and I’m not somebody that feels they “don’t test well”… just the opposite!). But not having access to any legitimate resources (Searching for 642-974 has far more NDA-breaking brain dump results than legitimate resources) didn’t really help. I like books! I’m don’t really think the tests provided at the end of the Cisco Press books really prepare you for the actual tests, but at least it’s something.
I ended up taking two classes, the first was Firefly’s ICND5+7 class for the Nexus 5000 and 7000 taught by Dan Murray. Can’t speak highly enough of the class or my instructor. Material and the lab equipment was well done, and Dan really knows his stuff, especially in the SAN arena.
The second was the Cisco’s PEC (Partner Education Connection) class for DCNI-2. I’m finding I’m not overly fond of the delivery of the PEC, but it definately covered 99% of the test. I thought there was one question not covered, but that could just be me. By contrast, I know the ONT test vs the Cisco Press “Authoritive self-study guide” had a couple of missed technologies that left me hanging when it came to the test time.
As for 642-9764 DCNI-2 test, you really need to know the high availability technologies leveraged by the Nexus, both from the routing protocols and the platform itself. And I think that’s about all I’m willing to say…
Quick Reference Guide – RIPv2
Posted by Douglas in Reference Guides on July 1, 2009
EIGRP – Part 2
Posted by Douglas in Reference Guides on June 22, 2009
Again, expanding on the detail already available over at packetlife.net EIGRP… so here’s “Part 2″ of EIGRP.
Quick Reference Guide – OSPF “Part 3″
Posted by Douglas in Reference Guides on June 16, 2009
I wanted some more detail than provided by packetlife.net OSPF Part 1 & 2… so here’s “Part 3″ of OSPF.
