Author Archive

Cisco Voice-VLAN (VVLAN) inconsistencies

12 Nov 2012 12:41

First off I’d like to say that this is just a minor issue, one more relevant to routers than to switches; I’m still a lot happier with how Cisco implements config and features than with most, if not all, of their competitors…

At a customer I’ve recently had to commit a grave operational sin; to connect a small switch at the end of a floor patch. These things are normally operational nightmares as they have a tendency to quickly bring an entire LAN environment down to its knees when such a ‘switch’ is connected to the network twice. Always by accident but having management kick you for something someone else did is not anyone’s idea of fun. I won’t go into the underlying principles here as I’m assuming most who frequent my blog will know about broadcast storms, their causes and the tools and solutions available to mitigate the risks.

Our justification to operations was that we wanted a few more local LAN ports to test VoIP devices on than we had available through floor patches. As such I reasoned with Operations that this was a calculated choice to segregate our testing from the rest of the LAN but still make it as realistic as possible. Using the means available meant that I had to make do with a Cisco 1801. Single routed and 8 switched interfaces. Think of it as a router with one Ethernet interface and an 8 port HWIC-ESW nailed to it. Didn’t need the ATM or WiFi it has.

So I set out: disabled IP routing, admin-downed all non-Ethernet ports, set up the vlan database (old style, remember?); I did not want this baby to participate in VTP, in fact I don’t think it even can! It’s limited to 8 VLANs. Pulled two cables to it: one switched port trunked with some data and voice VLANs, and the routed interface configured for management access.

All sweet and dandy; I tested the BPDU-guard functionality prior to installation by connecting an access port to the LAN. Clunk! It went down as desired, result I thought… Then, when installing, the LAN wouldn’t bring up the LAN port. Doh! I’d missed that the 1801 doesn’t send BPDUs until a VLAN becomes active. I’d checked whether spanning-tree was operational, and it wasn’t until I brought an interface up. So I disabled STP for all VLANs in the VLAN database. Now my laptop received an IP address and the data VLANs all worked.

So, time to connect a Mitel phone. No dice: it received its first DHCP response with VLAN information, then it would just sit there announcing it was waiting for a DHCP response. Dang, I’d configured the voice VLAN, so why did the switch not detect the phone and enable trunking so that the phone could send its DHCP request on the voice VLAN?

It was only when I started reading up on HWIC-ESW voice-VLAN config that I noticed Cisco hasn’t implemented the automatic enabling of dot1q trunking when a phone is detected… The solution is to add two lines of config: “switchport trunk native vlan xyz” and “switchport mode trunk”. The crux is that this platform is at heart a router, not a native switch…
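As an added illustration (not the author’s config), here is an HWIC-ESW phone port as first attempted beside the working version. Interface name, VLAN numbers and the allowed-VLAN pruning are my assumptions; the post only gives the two trunk commands.

```text
! Assumed: FastEthernet1 is a switched port, VLAN 10 = data, VLAN 20 = voice
!
! First attempt: plain access-port style. On a Catalyst this is enough,
! because the switch starts passing tagged voice frames once it sees the
! phone via CDP. The HWIC-ESW does not do that, so the phone's second
! DHCP request (tagged VLAN 20) is dropped and it waits forever.
interface FastEthernet1
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree bpduguard enable
!
! Working version: make the port an explicit dot1q trunk. Native VLAN 10
! keeps the PC behind the phone untagged in the data VLAN while the phone
! tags its own traffic with VLAN 20.
! The allowed-vlan line is my addition: without it a trunk carries every
! VLAN in the vlan database, so anything plugged in behind the phone could
! reach all of them. Restrict it to the two VLANs the port actually needs.
interface FastEthernet1
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
 switchport voice vlan 20
 spanning-tree bpduguard enable
```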

Cisco documentation

Twittertools is dead

14 Jun 2012 16:12

Long live Social http://alexking.org/blog/2012/05/22/social-2-5

Testing automatic posting to Twitter and Facebook from my blog, sorry if you consider this spam.

To CCIE or not to CCIE?

15:31

This one has been coming for a while… Last time I went for my CCIE was Q3 2007 and it’s been pretty quiet here since. In the meantime I’ve moved country, changed jobs and moved again, though not as far. So how is my CCIE doing? Well, to be honest, it’s not.

You see, I came from a sponsored certification track, which incidentally I forged with my employer at the time, and thus had to sort out a transfer sum from my new employer. No problem for the Dutch employment market, at least at the time. But here in the UK I had no such luck; suffice to say that financially it was not a good idea to move country. My new employer expressed that they would be happy to support attaining CCIE status. Little did I know that we had completely different concepts of ‘support’.

Loving a new challenge I quickly settled into my new position, only to find two years had gone before the question of attaining CCIE popped up again. No wonder really when you have a 100% billable target and there’s plenty of overtime involved in the projects at hand. Then when things settled down and I moved to another customer I only found myself further and further away from technology. Yes, I still design and have a consulting role, but I’m in no way challenged and kept on my toes protocol-wise. It took a few technical interviews to fully realise the impact of this.

Which brought me to this point: either I work and retrain myself towards CCIE in my own time, hoping my employer will pay for the lab and favour me with a week off for full-time study, or I let go of the desire to attain CCIE and trust that there will be employers out there who are smart enough not to be blindsided by the highly praised numbers of my peers.

In conclusion I refuse to ask my family for a long and hefty sacrifice once again; been there, done that. I’m now one kid and two cancers (promisestoday.com/@maizymoo tweet) further and value my own time more than my career; if this means UK employers don’t like me any more, then so be it. I know what I’m capable of, just wish I was better at convincing prospective employers…

Alcatel 7210 port mirroring

12:52

Recently I’ve been doing more on Alcatel as I’m working in O2’s test-bed down in Slough, slaving away at testing aspects of their new LLU broadband core and new BT 21CN wholesale connectivity. I’ve not been able to write a lot in recent years due to working for an integrator rather than an ISP; I’m mostly not allowed to divulge what I’m working on, or it’s unwise for me to do so…

However, it’s common knowledge that many providers use Alcatel and they seem to do pretty well in the ‘booming’ broadband market. Hence I thought I’d share a little snippet of an annoyance I recently encountered.

When using an Alcatel 7210 to sniff traffic and interconnect different media (1Gbps copper and 10Gbps fibre), I found that sniffing is counter-intuitive to people only trained on Cisco. A few pointers:

  1. Port mirror destinations are defined in configuration
  2. Port mirror sources are set through debug commands
  3. When mirroring VPLS ports (I needed an e-pipe/Layer-2 tunnel) I found that egress sources did not work, only ingress did, and only one ingress port can be set per mirror session. It did not matter whether I used the port or the SAP as source.

I was left to sniff in two places to capture both up- & down-stream traffic. YMMV as a 7750 will be different, but I don’t have one available to me to test on…

Commands used:

#--------------------------------------------------
echo "Mirror Configuration"
#--------------------------------------------------
  mirror
    mirror-dest 4 create
      sap 1/1/4 create
      exit
      no shutdown
    exit
    mirror-dest 11 create
      sap 1/1/11 create
      exit
      no shutdown
    exit
  exit

And the debug command:

*A:<hostname># debug mirror-source 4 port ?
- no port ...
- port <port-id> egress ingress
- port <port-id> egress
- port <port-id> ingress
- port lag ...

*A:<hostname># debug mirror-source 4 sap ?
- no sap <sap-id> [ingress]
- sap <sap-id> {[ingress] }

As can be seen above, capturing by SAP is only supported at ingress. Using port and SAP yielded the same result: only ingress packets were ever sent to the destination port, despite show mirror stating both Egr & Ing for the source port.

*A:<hostname># show mirror mirror-dest 11
===============================================================================
Mirror Service
===============================================================================
Service Id       : 11                   Type          : Ether
Description      : (Not Specified)
Admin State      : Up                   Oper State    : Up
Forwarding Class : be                   Remote Sources: No
Slice            : 0
Destination SAP  : 1/1/11               Egr QoS Policy: 1
-------------------------------------------------------------------------------
Local Sources
-------------------------------------------------------------------------------
Admin State      : Up
-Port                                   1/1/26                          Egr Ing
===============================================================================

Hacked, but not for long

23 Oct 2009 03:25

Two days ago my wife was notified by one of her customers of a defacement of their site. Obviously this kinda stuff always happens when I’m ill and the last thing I want to be doing is dealing with some random hacker. This post is about what I found and how it should motivate people to keep their websites updated at all times with the latest security fixes and practices.

As far as I’m aware no sensitive data was accessed, nor was any serious damage done other than a few index.html files being overwritten. The only real loss is the Joomla site that was broken into, as the owner is on holiday and hadn’t updated it for a while; suffice to say it’s down for the time being.


Inter-AS MPLS and MTU

2 Jun 2009 14:18

Type-2 interconnects are fun, but MTU issues are not. When faced with migrating subnets from one MPLS cloud to another (different AS numbers, you see) the three common inter-AS types were taken off the shelf and dusted off…


Ada Lovelace Day, to the one I love

24 Mar 2009 15:58

Today is Ada Lovelace Day, an international celebration of women in technology that centres around the use of blogs.

Launched by Suw Charman-Anderson, a freelance software consultant, Ada Lovelace Day is a day of blogging designed to draw attention to women who are “excelling in technology”.

Seeing this initiative made me think of my wife who has spent the last year carving out her own piece of the IT industry. Some may call me biased, true. Call it what you like, I’m taking this opportunity to put my wife in the limelight and honour her for her efforts and achievements after we relocated to the UK.


Python rocks

2 Mar 2009 11:21

Doing a network upgrade of 28 sites, 60 services and roughly 160 old devices to just 60 devices. Python has become my friend for reading configs, creating csv files and verification. Will be posting my scripts later. I’m sure there are clever people out there who can tell me where I went wrong or what I could be doing better. However time fails me to post them right now.

mod_rewrite = voodoo()

20 Feb 2009 19:10

Been hacking away as I found out I couldn’t edit a page, nor did the page show up. My about page linked to the gallery instead. Spilt some blood and danced around on the keyboard loads. The result:

Note to self: DO NOT alter permalinks for pages! My about page was linked as who-am-i and this caused major issues. I also turned off the automatic XHTML corrections in the write-options page; not sure what it does, so I’d rather get an error when writing a page than have my site go down. Priorities, they say…

Next to that, my gallery now runs mod_rewrite in safe mode, which works fine, and I’ve re-linked an image on my about page. I reckon the link was old style from WP 2.3 and older versions of WPG2 and Gallery2.

Please let me know if you find any issues, particularly with missing images. I hope all is well now and my server won’t die another terrible death due to rewrite/permalink hell.

Finally I have found the real culprit: /.htaccess was messing with things. What made it hard to find was that this file has been in place for a few years now. Upgrading WordPress to v2.7 as well as WPG2/Gallery2 tipped the balance.

What worked?
RewriteRule ^$ /wordpress/ [R=301,L]

Instead of:
RewriteCond %{REQUEST_URI} !^/.+
RewriteRule ^(.*)$ /wordpress/ [R=301,L]

(d)dos attack

15 Jan 2009 22:35

It appears my host was under attack this morning. I have mitigated as much as I could, but there’s only so much one can do against DNS DDoS attacks… Sorry for today’s downtime. :(

Experiencing mod_rewrite issues

7 Jan 2009 02:13

Please excuse me while I hunt some issues with this site after upgrading WordPress, Gallery2 and WPG2…

Site upgrades

6 Jan 2009 20:57

Note to self: disable and/or clear rewrite rules before upgrading… (Still in stormy water, just testing if I can update posts now)

DNS on IOS

12 Apr 2008 10:19

I’ll leave the debate to others about running services on routers. As usual YMMV and all that; though besides the obvious objections I think it’s quite cool of my little c877 to proxy DNS and serve what it has locally. IMHO, my home DNS config is not heavy enough to warrant rigging up DNS on my Samba server.

My first google tonight led me to an article on the excellent IOS hints and tricks site (ioshints.info). Though that article covers a full public DNS server, which was a little overkill for me, please read it as well if you do plan to go that route.

My goal was to have my DSL router serve local IPs for a few public and local domain names. For example, this allows me to use sip.djerk.nl as my proxy address in my soft-phone both at home and away.

The following code is what I ended up with.

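The post’s own configuration is not included in this excerpt. What follows is an added example of my own, not the author’s config, of the setup the post describes: the router answers sip.djerk.nl locally, forwards everything else upstream, and only listens to its own LAN. Addresses, interface names and the DHCP pool are assumptions.

```text
! Assumed (not from the post): LAN 192.168.1.0/24 on Vlan1, router is .1,
! 192.168.1.20 is the local SIP proxy, Dialer0 is the DSL uplink,
! 203.0.113.53 is a placeholder for the ISP resolver.
!
! Names the router answers itself
ip host sip.djerk.nl 192.168.1.20
!
! Everything else is forwarded to the upstream resolver
ip domain lookup
ip name-server 203.0.113.53
!
! Turn on the DNS server/proxy function
ip dns server
!
! Hand the router out as resolver so clients actually use it
ip dhcp pool LAN
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 192.168.1.1
!
! Once "ip dns server" is on, the DSL side answers port 53 too, which
! makes the router an open resolver usable for DNS amplification.
! Drop inbound DNS queries on the WAN interface. Merge the two deny
! lines into whatever inbound ACL already exists there; the final
! permit stands in for those existing rules.
ip access-list extended WAN-IN
 deny   udp any any eq domain
 deny   tcp any any eq domain
 permit ip any any
!
interface Dialer0
 ip access-group WAN-IN in
```

Replies to the router’s own upstream queries are unaffected, as they arrive with a high destination port rather than port 53.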

Moving countries #1

11 Feb 2008 12:05

Not posted much about moving countries yet. As I’m on a roll I might as well just give a little update for all those who know me and wonder what I’m up to.

We’re not out of the boxes yet but working hard to get there. Hayley’s work and my CCIE are both ensuring that many hours are spent cleaning, drilling, moving and sorting. Trying to fit the same amount of stuff in a different house is proving to be quite the challenge. It’s much like one of those kiddy puzzles where you have to move the squares around to find the picture. I often ended up picking the squares out and then putting them back in order. Sadly I can’t apply the same process here.

Due to family and work related deadlines we’ll have to get the study in order before the end of the month. Now if only I can get my phone system to behave and get myself access to nscglobal’s CCIE lab, then I should be all set to go come March.

F5 certification

11:32

Not posted much recently, it’s time to add some more meat…

Last week I passed the F5 BIG-IP LTM v9.0 essentials exam. It was easier than I thought; however, tomorrow I may be humbled further as I go for the advanced version of the F5 BIG-IP LTM v9.0 test. Studying with the training books from 4 days’ worth of training but without further hands-on is not what I call fun. Admittedly it’s a lot easier than CCIE, so what am I really moaning about? I suppose it’s the fact that I’m not studying for my next lab…