Archive for the 'Work' category

Port-security maximum 3 (for phones)

 | 7 Aug 2007 23:22

3 for phones? Was reading this and it stated the following. Nice one to keep in mind during the lab…

switchport port-security maximum 1 (or 3 for phones)

If port-security is turned on, the default number of allowed mac-addresses is 1. For an IP phone, we need 3 – one for the workstation, one for the phone on the voice Vlan and one for the phone on the native Vlan for CDP.

[edit] It’s funny, checking this, that the smartport macro only sets the maximum to 2:

--------------------------------------------------------------
Macro name : cisco-phone
Macro type : default interface
# Cisco IP phone + desktop template
...
# Enable port security limiting port to a 2 MAC
# addressess -- One for desktop on data vlan and
# one for phone on voice vlan
switchport port-security
switchport port-security maximum 2

[edit] Sneaking a peek at my 877 home CPE, I notice that the MAC address of my 7960 phone is indeed seen on both the data and voice VLAN…

home-cpe#sh mac-address-table
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  -------------------
0011.2189.c317       Dynamic          1  FastEthernet0
0011.2189.c317       Dynamic         10  FastEthernet0

(irrelevant output removed)
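As an added example (not from the original post), the following Python reads show mac-address-table output and counts, per port, the (MAC, VLAN) entries port-security would have to secure, then compares that with the configured maximum. The sample table is constructed: it reuses the phone MAC from above plus invented workstation addresses, and the maximum of 2 is the smartport macro's value.

```python
import re
from collections import defaultdict

# Constructed 'show mac-address-table' output (not the post's own), in the
# column layout the post quotes. Fa0/1 carries a phone plus a workstation;
# 0011.2189.c317 is the phone, seen on the data VLAN (1) and voice VLAN (10).
SAMPLE_MAC_TABLE = """\
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  -------------------
0011.2189.c317       Dynamic          1  FastEthernet0/1
0011.2189.c317       Dynamic         10  FastEthernet0/1
0019.e8aa.0b01       Dynamic          1  FastEthernet0/1
001c.58bb.1f02       Dynamic          1  FastEthernet0/2
0100.5e00.0001       Static           1  CPU
"""

MAC_LINE = re.compile(
    r"^([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\d+)\s+(\S+)", re.I)


def secure_entries(mac_table):
    """Return {port: {(mac, vlan), ...}} for dynamically learned entries.
    As the post reasons, a MAC seen on two VLANs (phone on the voice VLAN
    and on the native VLAN for CDP) needs one secure entry per VLAN."""
    per_port = defaultdict(set)
    for line in mac_table.splitlines():
        m = MAC_LINE.match(line)
        if not m:
            continue  # header, separator or blank line
        mac, kind, vlan, port = m.groups()
        if kind.lower() != "dynamic":
            continue  # static/CPU entries are not learned on the access port
        per_port[port].add((mac.lower(), int(vlan)))
    return dict(per_port)


def check_maximum(mac_table, configured):
    """Compare learned entries with 'switchport port-security maximum'.
    configured: {port: maximum}; ports not listed use the IOS default of 1.
    Returns {port: (needed, configured, fits)}."""
    result = {}
    for port, entries in secure_entries(mac_table).items():
        limit = configured.get(port, 1)
        result[port] = (len(entries), limit, len(entries) <= limit)
    return result
```

A port reported as not fitting would hit a port-security violation as soon as all three devices talk, which is exactly the phone-plus-desktop case the post describes.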

Other 3550 voip phone ready access-port stuff from the same page:


3550 mls qos

 | 22:37

Reading CCIE Practical Studies Volume II on Safari I thought I’d check out mls qos on the 3550 I have in my CCIE lab. Being familiar with the QoS mapping on a 6500 (sup720) and a 4500 (sup IV?), I was surprised to find something I’d not seen before:

  • Policed-dscp map

So I started searching for what it’s for and I quickly found the following information.


Transparent bridging

 | 31 Jul 2007 18:16

Two things I learned today about bridging:

1) When bridging on a router that is only forwarding the bridged traffic, it’s best (though apparently not required) to turn off IP routing:

no ip routing
!
bridge <123> protocol ieee

2) When both bridging and routing (IRB or CRB), it’s advisable to enable routing within the bridge-group:

bridge irb
bridge <123> protocol ieee
bridge <123> route ip

IRB = Integrated Routing & Bridging
CRB = Concurrent Routing & Bridging

What the heck is EEK?

 | 29 Jul 2007 16:25

Q. What the heck is F/R EEK?
A. frame-relay End-to-End Keepalive

EEK can only be used to bring down the subinterfaces. The physical interfaces will remain up as long as they are receiving LMIs from their local (CO) frame switch. Arguably EEK is pointless, since LMI will already indicate that a certain PVC isn’t available anymore. Whatever its use, I’d never heard of it before.

Netstat but then for IOS

 | 28 Jul 2007 16:49

Not sure how long this has been there but I just noticed it in 12.4T:

Router#show ip sockets
Proto  Remote   Port  Local    Port  In  Out  Stat  TTY  OutputIF
17     0.0.0.0  0     --any--  67    0   0    2211  0

For those who’re wondering what a router listens on by default, it’s DHCP (protocol 17 is UDP, local port 67 in the output above). To turn it off, issue the following command:

no service dhcp

Researching regular expressions (filter show commands)

 | 25 Jul 2007 11:07

While trying to figure out whether I could find an AND operator rather than just the OR “|”, I stumbled across the following:

C2611XM#show ver | ?
  append    Append redirected output to URL (URLs supporting append operation only)
  begin     Begin with the line that matches
  exclude   Exclude lines that match
  include   Include lines that match
  redirect  Redirect output to URL
  section   Filter a section of output
  tee       Copy output to URL

A number of these are new to me… A nice recent addition is the ‘section’ keyword, which shows the section following the matched line. This allows displaying the running config of an access-list, which previously was not possible:

C2611XM(config-ext-nacl)#do sr | section http
ip http server
no ip http secure-server
ip access-list extended http
 permit tcp any any eq www
 permit tcp any eq www any
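To see how these filters behave on a config you cannot reach a router for, here is an added Python example (not from the original post) that emulates include, exclude, begin and section over a constructed running-config excerpt. It models the case shown above, a match on a top-level line followed by its indented sub-commands; IOS’s handling of matches on indented lines is not modelled.

```python
import re

# Constructed sample running-config excerpt (not from the original post), in
# the layout IOS uses: top-level commands flush left, sub-commands indented
# by one space, sections separated by '!'.
SAMPLE_CONFIG = """\
ip http server
no ip http secure-server
!
ip access-list extended http
 permit tcp any any eq www
 permit tcp any eq www any
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group http in
!
line vty 0 4
 transport input ssh
"""


def ios_filter(text, keyword, pattern):
    """Emulate 'show ... | include|exclude|begin|section <regex>' offline.

    'section' keeps each top-level line that matches plus the indented
    lines under it, which is the case the post demonstrates. Matches on
    indented lines are deliberately not modelled here.
    """
    rx = re.compile(pattern)
    lines = text.splitlines()
    if keyword == "include":
        return [ln for ln in lines if rx.search(ln)]
    if keyword == "exclude":
        return [ln for ln in lines if not rx.search(ln)]
    if keyword == "begin":
        for i, ln in enumerate(lines):
            if rx.search(ln):
                return lines[i:]
        return []
    if keyword == "section":
        out, keep = [], False
        for ln in lines:
            if not ln.startswith(" "):
                # Every top-level line (including '!') starts a new section.
                keep = bool(rx.search(ln))
            if keep:
                out.append(ln)
        return out
    raise ValueError("unknown filter keyword: " + keyword)
```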

This condensed quote from CCO lists a couple of things to remember:

show <command> | append <url> – Redirects the output of any show command to be appended to a specified file.
show <command> | redirect <url> – Redirects the output of any show command to a specified file.
show <command> | tee <url> – Copies the show command output to a file while displaying it on the terminal.

The Cisco IOS File System (IFS) uses URLs to specify the location of a file system, directory and file. Typical URL elements include:

prefix:[directory/]filename

Prefixes can be local file locations, such as flash: or disk0:. Alternatively, you can specify network locations using the following syntax:

ftp:[[//[username[:password]@]location]/directory]/filename
tftp:[[//location]/directory]/filename

The rcp: prefix is not supported.

Defective Serial module

 | 24 Jul 2007 00:53

Rats, had to spend more time in my hosted CCIE lab to replace a defective NM-8A/S in my F/R switch. But at least all my serial connectivity is up/up and the new F/R switch, a 3640 with a mere 16Mb of flash, is configured with a full mesh of PVCs.

I feel ready to try some mock labs, having started one tonight I remember how difficult it is to translate/superimpose the hardware layouts. Oh well I guess I’ll get the hang of it sooner or later. It feels like last year was such smooth sailing between the bootcamp and the exam. Must be about the grass being greener elsewhere again…

I actually configured my first port channels today, or it’s been so long I can’t remember the last time. Funny having a 3548 and 3560, one starts to notice old and new config. Kinda nice as a hint of what new features might be emphasised in the lab. For those who’re wondering, for example: The 3548 uses ‘port groups’ where the 1st interface in the group holds the etherchannel config, but the 3560 uses channel-group style config which creates port-channel interfaces for the etherchannel config.

Another lesson learned: STP trouble can occur if one side of the etherchannel has been configured but not the other, so shut down the interfaces before adding them to an etherchannel. Also it’s best to create etherchannels from interfaces without prior config.

Note to self…

 | 00:38

When using a Bluetooth (BT) keyboard, check the batteries first before spending time on troubleshooting network problems… It appears that the keyboard just slows down rather than just cutting out.

Cool Cisco IOS hints site

 | 15 Jul 2007 21:01

Well it’s cool for us ppl who prepare for the CCIE R&S lab and possibly other Networking workaholics too 🙂

http://ioshints.blogspot.com/

I first thought this guy works for Cisco but this is far from the truth…

IPv6 routing (OSPFv3)

 | 14 Jul 2007 21:55

Well I guess I was wrong that IP BASE or TELCO feature-set would do fine for R&S labbing. They lack IPv6 and if they do have IPv6 then they don’t have IPv6 routing (OSPFv3) capability.

Remembering the noises about IPv6 really coming our way in the next year or two I think we’ll be upgrading a lot of routers… IP PLUS and ENT BASE seem to be the feature-sets to go for but my flash and ram don’t support the images. I guess I’ll have to dig out all the old memory and hope I can make it match (and stable).

Any help is welcome. My 3640 are limited to 64/16, the 2600’s to 40/8 and 48/16. All I have is a beefy 2691 (128/32) and my 7200’s with 128 and flash cards (48 and 2x 20Mb [eek]). Does anyone have a simple site listing which memory type is supported per platform?

[July 16th 2007] Well I went rummaging through a pile of old memory and it looks like I can max out my 3640’s to 128 ram. I’m still failing in the flash department… 🙁
Heehee, just found “c3640-is-mz.124-1c.bin and ‘3g.bin IP PLUS” which are just under 24Mb so I may just have saved myself a lot of hassle. It has OSPFv3 support and everything else I need, bar tcp intercept and MPLS.

Networkers EMEA 2008

 | 21:46

Last weeks news: Networkers EMEA 2008 will be in Barcelona. For the diary: Monday Jan 21st – Thursday 24th.

I’m counting on being there, though until my manager gives approval and it’s been booked I will not know for sure… 🙂

Personal lab updates

 | 14:23

Right, back on the number hunt I’ve listed up for ccielab@groupstudy.com and am currently upgrading most of my routers to 12.4 or, in the case of my two 7200s with NPE-200s, 12.3.

The feature-sets are a right mix too but I hope that I’ll be OK there. Personally I think that the enterprise feature-set is not needed when labbing for R&S as SNA, DLSw and the like were removed in Jan 2006. I do try to have crypto in there as securing routing protocols is a hot item these days.

Next to IOS upgrades I’ve ordered some more serial cables to add to my lab as it will give me a lot more flexibility. I guess it’s one of the down sides of having one’s lab in a datacenter and not at home. Ooh and not being able to manually reload routers is another issue I have. Luckily it doesn’t happen that much but my 2621 with 40/8 (ram/flash) did not like 12.3(3i) IP as it complains about IOMEM and just halts during boot. (I can feel another trip to the datacenter coming) Cables should be in next week so I’ll have to work at the datacenter late coming Friday (in the UK on Wednesday and Thursday).

MAC filtering

 | 7 Jul 2007 20:25

Just reading up on stuff and came across the I/G and U/L bits in the MAC address. The I/G bit is the first bit of the MAC address, reading MSB to LSB, the U/L bit the second.

I/G: Binary 0 means the address is a unicast; Binary 1 means the address is a multicast or broadcast.
U/L: Binary 0 means the address is vendor assigned; Binary 1 means the address has been administratively assigned, overriding the vendor-assigned address.

Say I’d want to deny multicast &amp; broadcast and also administratively assigned addresses; then the following ACL would be best (out of the three options, due to ACL length).

mac access-list extended MACL-official-Ucast-only
permit any 0000.0000.0000 00ff.ffff.ffff
!
interface FastEthernet1/0/10
mac access-group MACL-official-Ucast-only in
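An added Python example (not part of the original post) that classifies addresses by the I/G and U/L bits (bit 0 and bit 1 of the first octet, the first two bits sent on the wire) and evaluates the ACL’s address/mask pair with Cisco MAC ACL semantics (a 0 mask bit must match, a 1 mask bit is don’t care). It also shows the caveat that 00ff.ffff.ffff requires the whole first octet to be 00, so a vendor-assigned unicast such as the constructed 0800.2712.3456 is denied as well, while the assumed alternative mask fcff.ffff.ffff checks only the two bits.

```python
def parse_mac(dotted):
    """'0011.2189.c317' (or colon/dash form) -> list of six octet ints."""
    hexstr = dotted.replace(".", "").replace(":", "").replace("-", "")
    if len(hexstr) != 12:
        raise ValueError("bad MAC: " + dotted)
    return [int(hexstr[i:i + 2], 16) for i in range(0, 12, 2)]


def classify(mac):
    """Return (is_group, is_local): I/G is bit 0, U/L is bit 1 of octet 1."""
    first = parse_mac(mac)[0]
    return bool(first & 0x01), bool(first & 0x02)


def acl_matches(mac, address, mask):
    """Cisco MAC ACL match: a 0 bit in the mask must equal the address bit,
    a 1 bit in the mask is don't care (wildcard semantics)."""
    m, a, w = parse_mac(mac), parse_mac(address), parse_mac(mask)
    return all((mb & ~wb) == (ab & ~wb) for mb, ab, wb in zip(m, a, w))


# The post's ACL entry: address 0000.0000.0000 with mask 00ff.ffff.ffff,
# i.e. the first octet must be exactly 0x00.
PAGE_MASK = "00ff.ffff.ffff"
# Assumption for comparison: a mask that checks only the I/G and U/L bits.
MINIMAL_MASK = "fcff.ffff.ffff"


def permitted(mac, mask=PAGE_MASK):
    """True if the permit entry matches, i.e. the frame is allowed."""
    return acl_matches(mac, "0000.0000.0000", mask)
```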

2nd Lab exam coming up!

 | 23 May 2007 10:54

10th of August is my next lab date. After booking the 14th then the 4th of September, the 10th of August came up and I snapped it up as soon as I could.

For all those wondering whether you can easily change your lab date: it’s easy enough, you just book another date and it moans at you that you already have a date. You’ll have the option to have the system delete your previous date, replacing it with the one you’re trying to book. Took me a while to figure that one out but apparently it is listed somewhere on the Cisco CCIE site; I had a hard time finding it, and it was only after I heard the answer to my question from Cisco that a colleague pointed me to a page with the info I’d been looking for…

Blown away: Networkers EMEA 2007

 | 23 Feb 2007 23:33

EEK, just noticed I’d not written anything about attending Networkers yet. Well I had a whale of a time and not just because of a rather cool ‘customer appreciation event’, the former Cisco party. But because I was able to attend a fabulous Techtorial and I managed to discuss a lot of issues with key people from Cisco.

Networkers has really changed my view on Cisco, the technical guys there were really interested in what we, the customers, had to say. They welcomed open discussion during their sessions and handed out business cards galore. I even received mail during the weekend after with answers to questions I posed during face-to-face Design sessions in between the presentations/normal sessions.

I must clarify that I registered my sessions very early and I planned it meticulously. I’ve only been to level 3 sessions which kept me safe from hot air marketing talk etc. Also I agree with Cisco when they say that what you get out of it is what you put into it and it really paid off for me. I’ve got so much info to take back with me and process that I’m glad I made so many notes. It surely was way more valuable than a month of full time classroom training.

Further things that impressed me were: Explanations of road-maps, a few of them even more than 12 months ahead. How approachable everyone was. How I managed to baffle one of the speakers during an MPLS VPN Design session I walked into; MPLS VPN hub-and-spoke via a firewall without using a vlan per vrf. There is no solution…

Better stop here else I’ll never stop. I will probably divulge into one or more of the subjects I attended some time in the future, but I’d better not promise anything… 😉