Kevin Dorrell, CCIE #20765

02 Feb 2009

Networkers 2009

Filed under: General, IOS features, LAN Switching, Security — dorreke @ 20:10

Networkers 2009 is all over now, and things are getting back to normal.  So what did I take away from the conference?


I mean the other sort of networking: the human network.  It was good to finally meet some of my fellow bloggers: stretch and Ethereal Mind, for example. It was also good to meet marikakis again, a colleague in the NetPro discussion group.

Talking of this sort of networking: “Network Management” can mean different things to different people.  A colleague once booked into a “Network Management” seminar, then found out that the seminar was about how to manage a company by leveraging person-to-person “networks”.

802.1X Techtorial

I spent a whole day looking at 802.1X.  Actually a significant part of that time was spent looking at Cisco’s ACS (Access Control System).  The two or three days that followed gave me a chance to reflect on the tool, and chat to the people on the security booth.  The more I reflected, the more I was convinced I need to do an 802.1X project.  I also bought a book about security, and I might even consider going down the security track when my CCIE comes up for renewal.

IOS Instrumentation

Two of my sessions dealt with the interesting and fun recesses of IOS.  The BoF session was really an opportunity for Cisco to brainstorm about these features.  There is a ton of stuff in IOS that is very rarely used: stuff like the EEM (Embedded Event Manager) TCL scripting.  There is a community dedicated to these features at ciscobeyond. One of the conclusions we came to was that Cisco has not made a very good job of publicizing these features.

The other session relating to this was “13 Smart Ways to Configure Your Cisco IOS Network Elements”.  This was a really fun session that, “like all bad ideas, was formulated over a beer”.  It was a bet, based around “there must be at least a dozen ways to configure a router.”   EEM is only one of them, and there are well more than the 13 the speaker listed.  I can’t wait to get back to the lab to try some of them out.

VSS and layer-2 architectures

I went to several sessions about VSS, both in campus architectures and the data centre.  I detected an interesting change of emphasis over last year’s offering.  Last year they were still pushing pure layer-3 architectures.  At the same time I was struggling with how to split a server cluster over two sites.  Of course, this is not easy to do with a layer-3 architecture; you need at least one layer-2 interconnect to carry the heartbeat.

This year, they seem to have woken up to the need for a layer-2 interconnect between the data centres.  They offer VSS as a way to provide redundancy for that interconnect.  I still stubbornly use Rapid Spanning Tree for various reasons connected with my architecture, which makes me feel part of a distinct minority.  I suppose you can get away with it provided there are not too many hops between the data centres.

Advanced BGP

I always try and attend a session by Russ White if he is there.  His style is eclectic, to say the least, with about 50% of the time spent on anecdote and sidelines.  That’s what makes the presentation memorable and entertaining.  Must be confusing for anyone whose native language is not English though!  Good guy, and what a huge knowledge base!

Other stuff

Just a few more observations:

  1. The “World of Solutions” was tiny compared with previous years, so full marks to those who did attend.  Companies must really be feeling the pinch. I was impressed with SolarWinds for taking the time to show me their Orion network management centre.  No marks for Computer Associates, who I wanted to grill about my problems with their Spectrum product, but who did not attend this year.
  2. I was impressed with the Nexus 1000v virtual switch.  This is an add-on to VMware and replaces the ESX virtual switch.  What it does is to make one huge virtual switch across your VMware domain, which means you can apply policies to individual virtual machines: policies that move with the machine whenever it is moved by VMotion.
  3. I’m getting too old for the Cisco party.  It was a bit entertaining, but a lot brash and noisy.  The best Networkers party was the one in Monte Carlo in 1995, or the one in Vienna in 1999 (?), with a group that covered a range of musical tastes, not just hip hop, punk, and rap.
  4. The keynote address by Prof. Brian Cox was cool, but not very much to do with networking.  He could have tied in the theme of collaboration a bit more explicitly.

30 Apr 2008

NMC Lab 18

Filed under: General, Security — dorreke @ 20:48

This lab is the most difficult I ever tried.  I suppose it didn’t help that I failed to do a proper read-through before I started, so I missed the VPN requirement 18.7.6, which actually changes the whole approach to the redistribution.  So I went steaming through the first 6 sections in under two hours, then came to a screeching halt at the VPN section, and ended up taking a further two hours over it.

18.8 – Security.  IPsec VPN is something I have not done before.  I really don’t think (please God !!) I am going to get it in the exam, ‘cos I’m not taking CCIE security.  If I do then I’m sunk.  I’m just going to type in the solution in the AK, and hope something sticks for now.  Just look at those routes disappear as soon as I set the tunnel mode to ipsec ipv4, and come back again as soon as I attach the profile.  Magic!  Haven’t a clue (yet) what it means.

R2(ipsec-profile)#int Tu25
R2(config-if)#tunnel mode ipsec ipv4
*Apr  8 17:21:14.271: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel25, changed state to down
*Apr  8 17:21:14.271: is_up: 0 state: 4 sub state: 1 line: 0 has_route: True
*Apr  8 17:21:14.275: RT: del via, rip metric [120/1]
*Apr  8 17:21:14.275: RT: delete subnet route to
*Apr  8 17:21:14.275: RT: NET-RED
*Apr  8 17:21:14.275: RT: interface Tunnel25 removed from routing table
*Apr  8 17:21:14.279: RT: del via, connected metric [0/0]
*Apr  8 17:21:14.279: RT: delete subnet route to
*Apr  8 17:21:14.279: RT: NET-RED
R2(config-if)#tunnel protection ipsec profile VPN
*Apr  8 17:22:12.082: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Apr  8 17:22:14.061: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel25, changed state to up
*Apr  8 17:22:14.065: is_up: 1 state: 4 sub state: 1 line: 0 has_route: False
*Apr  8 17:22:14.065: RT: SET_LAST_RDB for
  NEW rdb: is directly connected
*Apr  8 17:22:14.065: RT: add via, connected metric [0/0]
*Apr  8 17:22:14.065: RT: NET-RED
*Apr  8 17:22:14.073: RT: interface Tunnel25 added to routing table
*Apr  8 17:22:14.185: RT: SET_LAST_RDB for
  NEW rdb: via
*Apr  8 17:22:14.185: RT: add via, rip metric [120/1]
*Apr  8 17:22:14.189: RT: NET-RED
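
As an added example (not the NMC answer key or the configuration used in the lab), here is a minimal static VTI on R2 that produces the behaviour in the log above: once tunnel mode ipsec ipv4 is set, the tunnel’s line protocol tracks the IPsec SA, so it stays down until tunnel protection binds a profile and IKE brings the SA up.  The addresses, the pre-shared key and the far-end peer are assumed placeholders.

```cisco
! Added example, not the lab answer key.  Addresses and the key are
! placeholders (192.0.2.x transport, 10.25.0.0/30 tunnel, PSK "CHANGE-ME").
!
! Phase 1 (IKEv1): how the two routers authenticate each other and
! protect the negotiation itself.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key CHANGE-ME address 192.0.2.5
!
! Phase 2: the transform set that protects the tunnelled traffic.
! "mode tunnel" is the default for a VTI; shown here for clarity.
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! The profile is what "tunnel protection" binds to the interface.
crypto ipsec profile VPN
 set transform-set TS
!
! Static VTI.  With "tunnel mode ipsec ipv4" the line protocol follows
! the IPsec SA: no SA, no up/up, so the connected /30 and any RIP routes
! learned across it leave the RIB (the "RT: del" lines in the debug).
! Once "tunnel protection" is attached, IKE negotiates, the SA comes up
! and the routes return.  Unlike a crypto map, no ACL selects traffic:
! anything routed into Tunnel25 is encrypted, anything else is not.
interface Tunnel25
 ip address 10.25.0.1 255.255.255.252
 tunnel source 192.0.2.2
 tunnel destination 192.0.2.5
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN
!
! The far end mirrors this with source/destination, tunnel address and
! the PSK peer address swapped.  Checks once the tunnel is up/up:
!   show crypto session              -> Session status: UP-ACTIVE
!   show crypto ipsec sa             -> #pkts encaps / decaps incrementing
!   show ip route | include Tunnel25 -> connected /30 and RIP routes back
```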

So, on to IPv6, only to find that once again I should have read ahead.  The Frame Relay and OSPF sections give you two possible topologies for the R1 connection: physical interface with inverse-arp switched off for those DLCIs you don’t want to use, or a multipoint interface s0/0.124 with interface-dlci statements for the DLCIs you do want to use.  I chose the first solution.  But the IPv6 wording talks about the IPv6 address on R1-S0/0.124.  Humph!

01 Apr 2008

NMC Lab 14

Filed under: IPv6, LAN Switching, NAT, RIP, Security — dorreke @ 22:10

Busy busy busy, so I only have time for a few notes which I hope I shall expand later.  Just to punish myself for my mistakes … 🙂

  • 14.4.1 : RIP : I read too much into the requirements.  I read 14.4.1 as meaning that I should set up neighbor relations R2<–>R6<–>R4, but not R2<–>R4.  Then I wondered why there was nothing in the requirements about the route from R2 to and from R4 to  (Of course, the answer would have been no ip split-horizon on R6-F0/0.)  But it seems I “spotted an issue” that wasn’t there in the first place! 
  • 14.8.1 : Security : I’m just going to have to sit down and read the Command Reference for all those itty-bitty security commands.  Boring or what!
  • 14.9 : IPv6 : Don’t mess about thinking “can I get away without specifying link-local addresses”.  In a frame-relay configuration, they are absolutely essential so that you can set frame-maps to them.  Do them as a matter of course.  Oh, and the pseudo-broadcast should only go to the link-local at the other end of the DLCI, not to any of the others.  I wasted an hour on the IPv6 section that should have taken me half that time.
  • 14.10.2 : Layer-3 access list on Catalyst layer-2 port.  This can be done; I know because I do it all the time on my 4500 switches at work.  What I am a bit puzzled at here is that the access-lists don’t seem to be counting packets.  My first attempt didn’t include return traffic for telnet, so I know the access-list is working.  So why doesn’t it count packets?
  • 14.11.2 : NAT : ip nat source list 11 pool IG overload will not do instead of ip nat inside source list 11 pool IG overload. I’m not sure what it does without the “inside” keyword, but it does accept the command, and it doesn’t do the job I wanted it to.  Careful!

15 Mar 2008

NMC Lab 11 : Role-Based CLI Access

Filed under: IOS features, Security — dorreke @ 16:21

I am looking at section 11.12 – Router Management – which I skipped when I did this lab.  This is all about role-based CLI Access.  Using this feature, you can define different views of the CLI for different users, and restrict what they can do in each.  I think it is unlikely to come up in the exam, but it is as well to know about it.  The feature is described in the Security documentation, and not in the Configuration Fundamentals where I first looked for it.
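
As an added example (not from the lab or its answer key), here is a read-only operations view built with this feature: the view lists exactly the commands its users may run, and a local user is bound to it so the restriction applies at login.  The view name, user name and secrets are placeholders.

```cisco
! Added example, not the NMC answer key.  View, user and secrets are
! placeholders.
!
! Views sit on top of AAA.  Keep a local login method so enabling
! aaa new-model does not lock you out of the vty lines.
aaa new-model
aaa authentication login default local
enable secret ROOT-SECRET-PLACEHOLDER
!
! The root view is entered with "enable view" (prompts for the enable
! secret); views can only be created from there.
!
! A read-only operations view: only the listed exec commands are
! available.  "include all" admits every variant of "show interfaces".
parser view OPS
 secret OPS-VIEW-SECRET-PLACEHOLDER
 commands exec include show ip route
 commands exec include show ip interface brief
 commands exec include all show interfaces
 commands exec include ping
!
! Bind the view to a user so it is applied automatically at login,
! rather than relying on the operator typing "enable view OPS".
username ops view OPS secret OPS-USER-PLACEHOLDER
!
! Checks when logged in as ops:
!   show parser view       -> Current view is 'OPS'
!   configure terminal     -> rejected, not part of the view
!   show running-config    -> rejected, not part of the view
```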

16 Feb 2008

NMC Lab 7.12 – Security

Filed under: Security — dorreke @ 11:59

I racked my brains about where to activate this access list.  Logically, I would put it as an incoming access-list on the Internet connection.  It would be definitely a question for the proctor: “Which interface will be connected to the Internet?”  I applied it to Fa0/0, which happens to be the same as the SHOWiT.

What did they mean “Packets destined for the default network”?  The nearest entry they have in their access-list for that is deny ip any host  Is that what they were referring to?  For me, that was one of the two entries I put in for “broadcast packets”.  So I went one stage further and guessed deny ip any  I wonder whether I would have been marked down for that.

They also wanted to block multicast packets.  I blocked just the multicast range deny ip any  That is what they do in the AK, but the SHOWiT has deny ip any  I hope either would be accepted.

There are so many questions here that I am bound to have fallen foul of one of them, so “Nil points”, which is depressing.
