I was invited to Cisco’s office in New York City to share my thoughts and opinions of the new NetPro site. There will be a forum, blog, wiki and maybe a NetPro certification.
I liked the new site and I am looking forward to the launch.
Posted by Peter Kurdziel on November 9, 2009
Posted in Routing & Switching Lab
Posted by Peter Kurdziel on November 6, 2009
http://www.micronicstraining.com/classes/index.php?dispatch=products.view&product_id=29829
The CCIE Routing and Switching troubleshooting mock labs work book
contains 10 lab scenarios designed to prepare the CCIE candidates for
the new Troubleshooting section of the CCIE R&S lab exam. Every lab
contains 15 trouble tickets, plus a brain teaser question. The solution
contains detailed explanations with “Show” and “Debug” commands, and most
of the trouble tickets are tested. This work book is written by Narbik
Kocharians (Triple CCIE) and Dan Schetcher (Triple CCIE).
This work book is in FULL color and it comes in Secure PDF with No Printing option.
See Download Free Sample Chapter at the bottom of the page.
Posted in Routing & Switching Lab
Posted by Peter Kurdziel on October 27, 2009
For installation, see the 1000V demo videos:
Part 1 – VSM Install
http://vimeo.com/5719299
Part 2 – Connecting the VSM to vCenter
http://vimeo.com/5721462
Part 3 – Configuring Uplink Port Profiles
http://vimeo.com/5746855
Part 4 – Installing the VEM
http://vimeo.com/5792424
Connecting the Nexus 1000V to VMware vCenter:
N1KV-1# config t
N1KV-1(config)# svs conn vc
N1KV-1(config-svs-conn)# remote ip add 192.168.189.128 <-- IP address of vCenter
N1KV-1(config-svs-conn)# protocol vmware-vim <-- this is the only protocol available
N1KV-1(config-svs-conn)# vmware dvs datacenter-name DC <-- the datacenter name
N1KV-1(config-svs-conn)# connect <-- connect to vCenter
Note: Command execution in progress..please wait
Configuring uplink port profiles:
N1KV-1# config t
N1KV-1(config)# port-profile system-uplink
N1KV-1(config-port-prof)# sw mo tr
N1KV-1(config-port-prof)# sw tr all vlan add 51,52
N1KV-1(config-port-prof)# no shut
N1KV-1(config-port-prof)# channel-group auto sub-group cdp <-- if you use multiple physical NICs
N1KV-1(config-port-prof)# system vlan 51,52 <-- add the control and packet VLANs created in vSphere
N1KV-1(config-port-prof)# capability uplink
N1KV-1(config-port-prof)# vmware port-group
N1KV-1(config-port-prof)# state enabled <-- enable
N1KV-1(config)# vlan 53 <-- define a new VLAN for VMs to use
N1KV-1(config-vlan)# name VM-Data
N1KV-1(config-vlan)# exit
N1KV-1(config)# port-profile data-uplink <-- for data traffic
N1KV-1(config-port-prof)# sw mo tr
N1KV-1(config-port-prof)# sw tr all vlan add 53
N1KV-1(config-port-prof)# no shut
N1KV-1(config-port-prof)# channel-group auto sub-group cdp <-- if you use multiple physical NICs
N1KV-1(config-port-prof)# vmware port-group
N1KV-1(config-port-prof)# state enabled <-- pushes the port profile to the vCenter server
Note: Processing command..
N1KV-1(config)# port-profile Test-VM <-- for VM traffic
N1KV-1(config-port-prof)# sw mo acc
N1KV-1(config-port-prof)# sw acc vlan 53 <-- the VM-Data VLAN defined earlier
N1KV-1(config-port-prof)# no shut
N1KV-1(config-port-prof)# vmware port-group
N1KV-1(config-port-prof)# state enabled <-- pushes the port profile to the vCenter server
Note: Processing command..
N1KV-1(config-port-prof)# end
You will need to install the VEM (Virtual Ethernet Module) and install the VEM code in vSphere.
Posted in Uncategorized
Posted by Peter Kurdziel on October 27, 2009
Stager is a system for aggregating and presenting network statistics.
Stager is generic and can be customized to present and process any kind
of network statistics. The backend collects data and stores reports in
a database, automatically handling the aggregation of hourly statistics
into days, weeks, and months. The Web frontend presents data in tables,
matrices, or plots. The reports are fully customizable, and their
definitions are stored in an XML file.
http://software.uninett.no/stager/
The nfdump tools collect and process netflow data on the command line
http://nfdump.sourceforge.net/
NfSen is a graphical web based front end for the nfdump
netflow tools.
http://nfsen.sourceforge.net/
Posted in Other, Real World, Security
Posted by Peter Kurdziel on October 27, 2009
Layer 1 Voice T1 Troubleshooting
Common problems
Misconfiguration at one end
Switch type must match
Channels must match
Clock must be opposite
Isdn protocol-emulate must be opposite
Dial peers coordinated
Layer 1 – needs to match
· Framing – ESF or SF (aka D4)
· Line coding – B8ZS (use with ESF) or AMI (use with SF)
· Cable length – Can induce attenuation if needed for short cables
· Clocking – MUST be set correctly – one side provides to the other
· Channels in use – Depends on protocol and call-control agent
Troubleshooting Commands for ISDN PRI
· Show controller t1 x/y
· Show voice port summary
· Show isdn status (shows Layer 1 and Layer 2 status)
· Show dialplan number {digits}
· Debug isdn q921
· Debug isdn q931 (most useful to see signaling)
· Debug voice ccapi inout
T1 CAS (Channel Associated Signaling)
Layer 1 – needs to match
· Framing – ESF or SF (aka D4)
· Line coding – B8ZS (use with ESF) or AMI (use with SF)
· Cable length – Can induce attenuation if needed for short cables
· Clocking – MUST be set correctly – one side provides to the other
· Channels in use – Depends on protocol and call-control agent
Troubleshooting Commands for T1-CAS
Show controller t1 x/y
Show voice port summary
Show dialplan number {digits}
Debug vpm sig (to see cas signaling)
Debug voice dspapi (to see the digits at low level)
Debug voice ccapi inout
Ref: Cisco techtorial
Posted in Troubleshooting
Posted by Peter Kurdziel on October 26, 2009
Posted in Troubleshooting
Posted by Peter Kurdziel on October 24, 2009
http://just-ping.com
Posted in Troubleshooting
Posted by Peter Kurdziel on October 24, 2009
http://www.nanog.org/meetings/nanog30/abstracts.php?pt=NjIxJm5hbm9nMzA=&nm=nanog30
Posted in BGP, MPLS, VPN
Posted by Peter Kurdziel on October 23, 2009
Become a CEO. Change the World. Play Cisco myPlanNet. Come check out Cisco myPlanNet 1.0. Cisco myPlanNet 1.0 is a simulation game that puts you into the shoes of a service provider CEO. You manage your business as it evolves from the stone age of dial-up, through the broadband and mobile connected eras, and into the dawning of the medianet age. Play it now on the Cisco Learning Network games arcade.
The Cisco Mind Share Game: The Cisco Mind Share Game is the most comprehensive learning game from Cisco yet! This fun and challenging game covers more than half the content of the CCENT/CCNA exam and was designed to reinforce a variety of standard networking skills and help you practice these new skills in preparation for CCENT and CCNA Cisco certification exams.
Play the FREE Demo Version Now or Download the FULL Version Now!
Cisco myPlanNet 1.0 is a simulation game in which you play a service-provider CEO who must manage the company as it evolves from the “stone age” of dial-up, through the broadband- and mobile-connected eras, into the dawning of the “medianet age.” Connect your citizens with the next-generation IP network and guide them into the Connected Life with the wonders of visual networking. Reach for the top and engage in discussions with your fellow players.
Subnet Troubleshooting Game: If you enjoyed Cisco’s popular Subnet game, try the next step – the Subnet Troubleshooting game! Diagnose and fix the subnet scheme for an operational network while minimizing impact to users. Hone your subnetting skills as you work your way up from branch office to corporate headquarters.
Multiplayer Challenge (in SPANISH, too!): Play online with other players or against the computer and see if all your studying has paid off! Prepare for your certification and have a blast while you do! Contains questions from CCENT, CCNA, CCNP, CCDP and CCVP certifications in the following courses: ARCH, BGP, BSCI, CVOICE, ICND-1, ICND-2, MPLS and QOS.
Play in English Now – or – Play in Spanish Now!
The Binary Game: Come play the game enjoyed by hundreds of thousands of people all over the world. This game is posted on dozens of game sites and played in more than 125 countries. The game is not only fun, but it is considered by many to be the best way to learn how to use the binary number system.
Cisco Edge Quest: Online game introducing the new Cisco ASR 1000 Series Routers. Players maneuver a router craft through various levels and increasingly use the power of the Cisco ASR 1000 Series Router to defend the network edge!
Network Defenders: Puts you in control of your company’s network security. It’s a hostile world out there and malicious hackers are trying to get into your network and wreak havoc on your data. Learn about the risks and how to guard against them.
SAN Rover: The research station on Mars needs a robust network to store and manage the exploration data being generated. You have been assigned to build a Storage Area Network (SAN) for the station. Command the Rover to tread the hostile terrain of the Red Planet.
Secure Volunteer: You have chosen to volunteer for NetHope, a nonprofit consortium of leading international organizations that provide connectivity in the developing world. You find out when you arrive that the director has been looking for you.
The Cisco Subnet Game: Master the often-challenging world of subnetting! Helpful if you are preparing for a Cisco CCENT or CCNA Certification or just trying to understand subnetting better for your job.
Subnet Slingshot: You will be working with one of the maintenance droids to replace the gravity core on one of Outpost Athens’ decks that is in rough shape. You have to work fast or the ship’s deck will lose gravity.
Unified Communications Simulation Challenge: As CIO of My, Inc., it is up to you to choose the migration path to produce the highest productivity and efficiency by migrating to IP voice, video, and collaboration using Cisco Unified Communications applications.
Wireless Explorer: Your spacecraft, equipped with the latest wireless technologies, is docking on planet Berellius Prime. You must welcome aboard an envoy of alien scientists sent to study the latest technologies on Earth and configure open wireless access to the ship’s mainframe correctly for each alien.
IPC Rockin’ Retailer: You manage the employees of IP Beats, a music store and live performance venue. Despite the success of IP Beats, the communications and inventory systems are highly outdated. Learn how to configure the Cisco IP Communications Solution to address IP Beats’ needs and be a company hero with your boss.
Peter Packet: This superhero helps messages move across the Internet. Follow him on his exciting adventures along the Internet highway. Play the game and learn how the Internet works to help Peter bring important life-saving messages to different locations worldwide. With your help, he can overcome hackers and viruses to help kids in different places around the globe.
The Realm: Though this is not actually a game, but more of a colorful comic-book-like experience, we thought we’d provide a link here for your entertainment. “Welcome to the Digital Era on Earth, where a new class of criminal has emerged. To stop these menaces, a select group of Cisco engineers has been appointed to develop a state-of-the-art security force that must battle Botnets, Malware, Spam and Intruders, assuring the safety and security of every citizen in the human network.”

Posted in Routing & Switching Lab
Posted by Peter Kurdziel on October 22, 2009
Router configuration Best Practices
DOCUMENT- DOCUMENT- DOCUMENT
I cannot stress that enough. Always get a copy of the current running config and keep it in a safe place. I had one router where a vendor configured it, and I just happened to get a copy for my records. Five months later they took a power hit and guess what, the vendor had never saved the config to NVRAM. Without my notes, this would have been very bad.
To protect against a “smurf” attack, use the following command:
!
no ip directed-broadcast
!
Other easy security measures are:
!
no service tcp-small-servers
no service udp-small-servers
!
You should have names that make sense. Just an IP or nothing at all makes troubleshooting much more difficult than it needs to be.
To configure the host name:
router(config)# hostname california_wan
Note the lower case. Not all software can handle uppercase correctly, so lower case is “safer”.
Remember that SNMP can get this name from the sysName variable so again, use a name that makes sense.
Interfaces:
Always.. always use a description for each interface. A very good idea with WAN links is to use the circuit number as part of the description. When you are on the phone trying to troubleshoot a down link, this small detail can be a lifesaver for you.
Including the contact and phone number adds to your work load, as this information tends to be rather transitory nowadays.
!
interface serial 0.1 point-to-point
 description San Francisco to New York PVC, circuit 001BHAC56789-001
 ip address 123.456.789.1
!
You can see how easy this is to read, and when you are trying to troubleshoot problems, this is what you want: nice clear descriptions.
Get into the habit of specifying the bandwidth even if it’s not needed. Some protocols like OSPF use the bandwidth to help calculate their metrics.
If your link is slower than 256K, you *may* want to use the following command to make more buffers available, depending on the link load:
!
no ip route-cache
!
Always configure a loopback address. This provides several benefits.
OSPF will by default use the loopback as the router ID, or otherwise use the highest IP number as the router ID. If you plan this right, you can make your OSPF IDs make sense:
10.10.10.1
10.10.10.2
10.10.10.3 etc
Also with OSPF, each time a link “flaps” all the routers must recalculate the route changes. Since the loopback doesn’t “flap”, the network will be more stable.
You can telnet to it without regard to whether a given interface is “up” or not. The same goes for SNMP polling.
A stable interface is very important to protocols like SNA, which are very sensitive to time delays and outages. This also applies to DLSW, STUN and RSRB.
IP or PPP from a laptop if you find yourself in a bind.
SNMP
SNMP is one of those double-edged swords. It can be very useful but dangerous to your peace of mind if not handled well. SNMP has two types of communities: Read Only and Read/Write. The read/write is the dangerous one. With this string, you are god on the router and there is not any password checking (normally).
Read/write SNMP is a way to get out of the nasty box of configuring the enable password and then promptly forgetting it or mistyping it. Not that this EVER happens (don’t ask how I know this one).
It is very easy to configure:
! read-only SNMP string
router(config)# snmp-server community string RO
! read/write SNMP string
router(config)# snmp-server community string RW
Do NOT use common names, your name, words like sex and the like. There are dictionary based SNMP crackers out there so be careful with your choices. Better yet, get a cracker and look at the dictionary to get an idea of what is in them.
I always use the snmp-server chassis-id serial-number to ID the router so I can get the SN remotely.
You can specify access lists to restrict the number of workstations with access to the SNMP info.
!
! limits access to a single IP
access-list 60 permit 123.456.789.1 0.0.0.0
!
If you want to be very paranoid, then consider the following command:
!
snmp-server trap-authentication
!
This sends traps to your management station whenever an invalid community string is tried. Fun huh?
A very good friend is called SYSLOG. This is a great way to get a nice log file about things that happen to interfaces, events and debugging. I happen to use a Wintel syslog daemon from Kiwi software. There are many to choose from for both Wintel and Unix/Linux.
To work with syslog, use the following commands.
!
logging on
logging buffered
!
! the IP address is the syslog management workstation
logging 123.456.789.1
!
CDP
Very useful to both you and hackers. So the rule is: if you plan to use it (good idea), make sure you turn it OFF on any outside interfaces.
!
interface ethernet 0
 ip address 123.456.789.2 255.255.255.0
 no cdp enable
!
Telnet access is something many people ignore. It’s perfectly acceptable to lock down your telnet ports to some degree. Just don’t make it too restrictive (like having to hit a certain router then bounce back).
Use a strong password; again, not common names etc. Don’t leave printouts of the running-config lying around. There are several password crackers that can be used to compromise your passwords if you give someone a chance.
!
access-list 1 permit 1.2.3.0 0.0.0.255
!
line vty 0 4
access-class 1 in
login
password xxxxx
exec-timeout 5 0
!
Source: http://www.tek-tips.com/faqs.cfm?fid=404
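An added example, not part of the original FAQ: a small Python audit that reads an IOS-style configuration and flags the weaknesses discussed above (small servers, directed broadcast, SNMP communities without an access list, CDP on outside interfaces, vty lines without access-class or exec-timeout). The sample config, the function names and the `outside` parameter are assumptions made for illustration, and the SNMP pattern only handles the simple `community <string> RO|RW [acl]` form.

```python
import re
# Constructed sample running-config; addresses are documentation-range placeholders.
SAMPLE = """\
service tcp-small-servers
snmp-server community public RO
snmp-server community m0nit0r RO 60
snmp-server community Wr1te-42 RW
interface Ethernet0
 ip address 203.0.113.2 255.255.255.0
 ip directed-broadcast
line vty 0 4
 password xxxxx
 login
"""

def sections(config):
    """Group a config into (header, [indented sub-commands]) pairs."""
    out = []
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            continue
        if line.startswith(" ") and out:
            out[-1][1].append(line.strip())
        else:
            out.append((line.strip(), []))
    return out

def audit(config, outside=()):
    """Flag the weaknesses the post covers; `outside` lists untrusted interface names."""
    findings = []
    for head, body in sections(config):
        if re.match(r"service (tcp|udp)-small-servers$", head):
            findings.append(f"{head}: small servers enabled")
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", head)
        if m:
            name, mode, acl = m.groups()
            if name.lower() in ("public", "private"):
                findings.append(f"snmp {name}: well-known community string")
            if acl is None:
                findings.append(f"snmp {name}: {mode} community without access-list")
        if head.startswith("interface "):
            ifname = head.split()[1]
            if "ip directed-broadcast" in body:
                findings.append(f"{ifname}: directed broadcast on (smurf amplifier)")
            if ifname in outside and "no cdp enable" not in body:
                findings.append(f"{ifname}: CDP running on outside interface")
        if head.startswith("line vty"):
            for needed in ("access-class", "exec-timeout"):
                if not any(c.startswith(needed + " ") for c in body):
                    findings.append(f"{head}: no {needed}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, outside=["Ethernet0"])))
```

Feed it the saved copy of each router's running-config; an empty result means none of these specific checks fired, not that the router is otherwise hardened.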

Posted in Best practices, Real World