Category Archives: Cisco

CiscoLive 2017 Las Vegas Day 1 – Opening Keynote & More

It was a great opening day of CiscoLive 2017 in Las Vegas! The first session of the day had to do with using Cisco Umbrella (OpenDNS) to track down cyber activity within your network…

An excellent introduction to Cisco Umbrella

Next up was the opening keynote by Cisco CEO Chuck Robbins…

Opening keynote by Cisco CEO Chuck Robbins

His keynote was actually interesting and well done, with little of the humorous hi-jinks of years past…it was professional. His main point concerned how things are changing in the network industry, and in big ways. I may not be involved with all of the new networking technologies that are on the horizon, but one thing was very apparent…I need to adapt to the new world. If I stick to the traditional routing and switching of years past, I might find myself on the outside looking in. And that is not a good thing!! An indication of this is the evolution of Cisco certifications…

Next generation of Cisco certifications

Keep your skill set up to date…or be left behind.

Next up, Chuck had a special guest come up to the platform to discuss the partnership between Cisco and Apple. Yep…the guest was Apple CEO Tim Cook…

Guest CEO Tim Cook from Apple

As for the afternoon, I spent most of it in the vendor expo “World of Solutions”….there was LOTS to see and do, AND learn!! I spent most of my time learning about SD-WAN technologies, updated security solutions, and logging/SIEM solutions. Plus, my wife attended with me!! Yes, I’m a lucky man…my wife is part geek too, and she loves attending CiscoLive with me. I purchased a “Social” pass for my wife which allows her to attend each day’s keynote address, World of Solutions, and the Cisco Customer Appreciation Event on Wednesday evening. She had a wonderful time today, as did I.

At the end of the day, we took the monorail down the Las Vegas strip and watched the Bellagio Fountains light show…make sure you don’t pass this up, it was well worth the time!!

Bellagio Fountains at nighttime

Time to get some rest…it’s going to be another long day tomorrow…

Cisco IOS Feature/License Options

I need to add a feature (or license) to a number of my Cisco routers. This can get a bit confusing though, as Cisco made changes to their licensing model when they introduced the ISR G2 series of routers (i.e., the 1900, 2900 and 3900 series).

These routers ship with a single “universal” IOS image that already contains every feature set; what you buy are the technology-package licenses (IP Base, Security, UC and Data) that unlock them, and you simply license the features you want…in my case the routers are licensed for IPBase and UC, and I need to add the SEC (Security) license to the router. The license tree is pretty simple…

License options for newer Cisco routers

For my older routers, I’m currently running SP Services and I need to add Security/VPN, which means I need to upgrade to Advanced IP Services.

Feature set (IOS) options for older routers
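As an added example (my own commands, not screenshots from the post), here is the ISR G2 workflow for seeing which technology packages are active and adding the SEC package, followed by the one check that matters on the older routers. The hostname, the .lic file name and the serial-bound license are placeholders; “c2900” must match your platform (c1900, c2900 or c3900); lines beginning with “!” are annotations, not commands.

```text
! ISR G2 (1900/2900/3900): one universal image, features unlocked per technology package.

! 1. What is active now, and what will be active after the next reload
Router# show license feature
Router# show version | begin Technology Package

! 2. Permanent license: copy the .lic file issued for this chassis (PID + serial) to
!    flash and install it. A technology-package change takes effect at the next reload.
Router# license install flash0:FTX1234567AB_201706011234.lic
Router# reload

! 3. Trying it out first: activate the evaluation (Right-To-Use) package instead,
!    accept the EULA when prompted, then reload.
Router# configure terminal
Router(config)# license boot module c2900 technology-package securityk9
Router(config)# end
Router# write memory
Router# reload

! 4. After the reload, confirm securityk9 shows "Active, In Use", and keep a copy of
!    the .lic file off-box (it is bound to the chassis serial; you will want it again
!    if the flash is ever reformatted).
Router# show license | include Feature:|License State
Router# copy flash0:FTX1234567AB_201706011234.lic tftp:

! Classic ISRs (pre-G2) have no package licenses: the feature set IS the IOS image,
! so going from SP Services to Advanced IP Services means loading an advipservicesk9
! image and verifying the image name after the reload.
Router# show version | include image
```

The “Next reboot” column in show version is the thing to look at after an install: if the package you just added does not appear there, the license did not take and a reload will not help.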

Either way, Cisco is going to get a lot more money from me!!

CVDs – Cisco Validated Design Guides

If you ever need some help in designing a network, or wonder what the best practices for security or wireless are, then Cisco has some very helpful information for you! Over the years, Cisco has put together a bunch of official network designs that you can review and use to assist with your own network design challenges. Cisco calls them CVDs…or, Cisco Validated Designs. When they first started out, the designs were very technical and written in a bit of a bland manner (written by CCIEs no doubt). Now, however, they are very colorful, with lots of visuals and slick copy art, but…they are still technical and very helpful!! (I would imagine they are still written by a bunch of CCIEs, but then filtered through a design/publishing group of some sort.)

Take a look at this link:  Cisco Validated Designs

I’m in the process of reviewing and upgrading my core VTI/DMVPN infrastructure, and I’m reading through the CVD “Intelligent WAN Technology Design Guide”….

Cover page for the CVD iWAN guide

This design guide is NOT light reading…it’s 287 pages of very technical information and sample configurations…VERY cool. It’s going to take me several days to digest this thing…but already it has answered several questions that I’ve been wondering about.

When you’re viewing the CVD webpage, scroll down near the bottom to the “Design guides by category”…as you can see, there are a ton of options which should cover just about anything you are interested in.

Enjoy!!

Nexus Switches – Time to do Some Serious Learning!

I have yet to work with the Cisco Nexus line of switches…just never had the opportunity. I’ve worked a lot over the years with Cisco’s chassis class line of switches (5500s and 6500s), and a bunch of their stackable switches (3600s and 3700s). So, all of a sudden, I need to learn about Cisco’s 9000 line of Nexus switches…and fast. What to do??

Read…a lot. I spent a fair amount of time this weekend just reading up on a bunch of technical papers from Cisco. Here is a great starting point…scroll down to see a large variety of topics pertaining to the 9000 series…

Cisco Nexus 9000 Line of Switches

The next thing I did was set up a small two-tier Nexus network simulation within VIRL. This is very cool…I am able to check out configurations, learn the NX-OS syntax, and just have some fun playing with the Nexus switches. Topology was straightforward, and I have BGP and OSPF in the mix…(AutoNetkit is your friend)…

Simple Nexus switch simulation running in Cisco VIRL


Now, running a Nexus simulation within VIRL is not perfect…there are still some features that don’t work, such as vPC (Virtual Port-Channel), but it is a good start. And it is sure helping me out a lot.

Note:  There is a bug in the NX-OSv VIRL node that ends up creating all of the switch interfaces with the same MAC address (0000.0000.002f).  Obviously, nothing works if this is the case. The VIRL team is working on this, but there is a work-around…simply use AutoNetkit to create the switch configs, and each interface will have proper MAC addresses created. If you would rather do most of the configuration yourself, then still use AutoNetkit but choose the “Infrastructure Only” option…you will end up with a minimal starting configuration, but with working MAC addresses. AND…remember to click the “Build Initial Configurations” button before you start the simulation!!

Enjoy!!

Cisco Security Advisory – IKE Vulnerability in ASA Code (CRITICAL)

Cisco ASA (via cisco.com)


Cisco released a critical security advisory today concerning an IKE vulnerability in the ASA software…and let me tell you, this will affect a LOT of people! If you are running one of the affected software versions (and I am), then you will want to update your ASA appliance very soon. I’ll have mine updated in the next couple of days.

Don’t delay. Once you read the advisory, you will know why!

Riverbed Interface Configuration via Command Line Interface (CLI)

Yes, it’s been a while since I did much of any postings, but I’ve been both very busy at work and out of state on vacation. Things are starting to calm down a bit now, so back to some network related postings…

I worked late last night upgrading a batch of outdated Cisco 3750 switches (first generation), installing a stack of new 3650 switches. I have to admit, these switches are nice! But like most all of Cisco’s stuff, they don’t play well with other vendors’ products in terms of interface auto-negotiation. The existing switches were all 10/100 interfaces, and we had a Riverbed device installed between the switches and router, so all of the related interfaces were manually configured for 100 Mb, full duplex.

Since the new switches were all gig, and the router was too, I reconfigured them for auto/auto for both speed and duplex. But I needed to configure the Riverbed device too. (When I first brought everything online, the Cisco devices came up 100/half….not good at all.)

Since the GUI interface on the Riverbed does not handle interface configurations very well, I connected to the device via SSH and configured the interfaces using the command line…which as we all know is the best way to do anything!! As you can see, interface wan0_0 is configured for 100/full…

Command showing current settings for wan0_0 interface


To change the configuration is easy…here are some of the options…

Interface configuration options


And here I changed both wan0_0 and lan0_0 interfaces for auto/auto operation…

Setting interfaces to auto/auto


It was that simple. I then unplugged both cables to my router and switch, reconnected them, and all interfaces came up 1000Mb (gig) and full duplex.

Working with Riverbed on the command line is rather easy, and you will find many of the commands are similar to Cisco.
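For reference, this is what the change above amounts to on the RiOS command line, written out as an added example rather than the commands in the original screenshots. The interface names wan0_0 and lan0_0 come from the post; the hostname and prompts are placeholders, the command syntax is from the Riverbed RiOS CLI reference as I remember it and should be checked against the release you run, and lines beginning with “#” are annotations. The 100/half the Cisco ports came up at is the classic symptom of the mismatch: a port that is hard-set to 100/full does not negotiate at all, and an auto-negotiating peer can sense the speed from the link signal but not the duplex, so it falls back to half duplex.

```text
# SSH to the Steelhead, then enter enable and configuration mode
steelhead > enable
steelhead # show interfaces wan0_0 configured
# (before the change: speed 100, duplex full)
steelhead # configure terminal
steelhead (config) # interface wan0_0 speed auto
steelhead (config) # interface wan0_0 duplex auto
steelhead (config) # interface lan0_0 speed auto
steelhead (config) # interface lan0_0 duplex auto
steelhead (config) # exit
steelhead # write memory
# Negotiation only happens at link-up, so bounce the links (or re-seat the cables)
# and then confirm the live state on both the Riverbed and the Cisco side
steelhead # show interfaces wan0_0
steelhead # show interfaces lan0_0
```

On the Cisco side, show interfaces status on the switch and show interfaces on the router should then report 1000/full on the matching ports; a port that still shows half duplex, or a rising count of late collisions and CRC errors, means one side is still hard-set.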

DHCP Scope Configuration – Oops

So for the last couple of days, I’ve been in Nevada at one of our remote sites. (On a side note, the “middle of nowhere” pretty much describes all of Nevada!!) I was setting up a wireless bridge to connect separate parts of a large aggregate plant…it was a very busy few days. We kept running into problems, which took up a lot of time to resolve, but eventually we got things working. As I was testing the new subnet hanging off the bridge, I noticed that DHCP was not working…hmmm, very strange. I’ve configured DHCP many times over the years, and it just works. Time to troubleshoot…

First test was easy…I configured a static IP on my laptop and everything worked great. Next I drove over to the other end which housed the main switch and router, and plugged into a port configured for the new VLAN….and no DHCP. Say what? Hmmm…I must have made a mistake on my configuration…but the DHCP pool looks good…

Config for the DHCP pool


And the subinterface configuration looks good too…

Sub-interface config looks good too


Very interesting…the only thing left was the DHCP excluded-address config, but that’s so easy, I know that’s not the problem. But I checked it out anyway…

DHCP excluded-address config....oops


Say what?? How could I have messed that up? But I have to say, the configuration was doing exactly what I asked it to do…basically not handing out any IPs!! So after a quick edit, everything was working properly…

The proper excluded-address configuration


So remember, most of the time, it will be the simple things that get you.
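Since the screenshots are not reproduced here, this is the same mistake and its fix written out on IOS as an added example of my own, with a made-up subnet (10.20.30.0/24 on VLAN 30), not the author’s real configuration: an excluded-address range that covers the whole pool, so the server has nothing left to lease, next to a range that only reserves the gateway and a few static addresses. Lines beginning with “!” are annotations; the show commands at the end are the quick way to confirm a pool actually has leasable addresses.

```text
! Constructed example: the pool is selected by the sub-interface address that falls
! inside its network, so the sub-interface must carry an address in 10.20.30.0/24.
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 10.20.30.1 255.255.255.0
!
ip dhcp pool VLAN30
 network 10.20.30.0 255.255.255.0
 default-router 10.20.30.1
 dns-server 10.1.1.10
!
! BROKEN: the exclusion spans every usable address in the subnet. The pool is valid,
! the sub-interface is valid, and the server silently has nothing to offer, so
! clients simply never get a DHCPOFFER.
ip dhcp excluded-address 10.20.30.1 10.20.30.254
!
! FIXED: reserve only the gateway and the first few static addresses (.1 - .20);
! .21 - .254 are now leasable.
no ip dhcp excluded-address 10.20.30.1 10.20.30.254
ip dhcp excluded-address 10.20.30.1 10.20.30.20
!
! Verify from exec mode: the pool summary lists total, leased and excluded addresses
! per subnet, so an excluded count equal to the total is the giveaway; bindings
! should start appearing once a client retries.
Router# show ip dhcp pool VLAN30
Router# show ip dhcp binding
Router# debug ip dhcp server events
```

Two related things worth checking when a pool looks right but hands out nothing: that no ip dhcp excluded-address line from another site or an earlier edit overlaps the new subnet (exclusions are global, not per pool), and that the service itself is running (no service dhcp is easy to inherit from a template).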

Cisco VWIC3-1MFT-T1/E1 Controller PRI Issue

Hats off to Dan, my co-worker….he’s been chasing a PRI issue at one of our new sites. He has a Cisco 2951 router with a VWIC3-1MFT-T1/E1 card installed, and when the PRI circuit is unplugged and plugged back in, the circuit refuses to come up. However, if you reboot the router, the circuit will come up. (Rebooting the router is not a good fix, just in case you are wondering.)

As part of his troubleshooting, he replaced the VWIC3 card with a VWIC2 card and it works just fine…no issues. After working with Cisco TAC, he found out he was hitting a known bug with this VWIC3 card and IOS software (15.3(3)M6). At least the fix was easy…he simply had to add the command “hwic_t1e1 equalize” under the controller T1 interface…like this…

Adding in the hidden controller T1 command


What’s interesting is it’s a hidden command…if you list the available commands under controller T1 0/0/0, you won’t see this command…

A hidden command...interesting!


And I just bet there are a bunch more hidden commands that we don’t know about!!

Cisco Security Alert – ROMMON Firmware Hack

Cisco Security Alert


Well, it looks like the hackers are at it again. (BTW…I use the term “hackers” as my preferred term “slimy dog-poop scum” is too wordy…but either one works just as well.) Cisco just released a security alert concerning an attack that replaces the ROMMON firmware (the boot firmware) on a router or switch with a malicious ROMMON image. The implanted image still boots the device normally, so nothing obvious breaks, but it also carries the attacker’s code. Fortunately, installing it requires either privileged (administrative) access to the device or physical access to it, which makes protecting admin credentials and the equipment room the first line of defense; a quick first check on your own gear is to compare the ROM version reported by show version with the version Cisco ships for that platform. Note the credibility level…”Confirmed”.

Check out Cisco’s security alert here.