Non-Cisco Emergency GBICs/SFPs

Today saw me in a spot where I had a dead fibre SFP. You guessed it. 3750 chassis. Well I only had a few lying around and some were Linksys and one was stripped of stickers.

Needing this link back up whilst I waited for a new one I plugged in a non-Cisco SFP. Behold the error.

%PHY-4-UNSUPPORTED_TRANSCEIVER: Unsupported transceiver found in Gi1/0/1
%GBIC_SECURITY_CRYPT-4-VN_DATA_CRC_ERROR: GBIC in port 65538 has bad crc

Cisco SFPs/GBICs carry a burnt-in hardware ID, vendor name, serial number and CRC, and the switch rejects modules that fail that check. The following undocumented commands bypass the check and bring the interface up:

LAB-SW-A(config)# service unsupported-transceiver
LAB-SW-A(config)# no errdisable detect cause gbic-invalid

Voila! There you go. Quick fix. Just note that when you issue a show tech-support for TAC, it will reveal that you have suppressed this message and that you have overridden the Cisco-only SFP/GBIC check. That means no help!
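Since the override is visible in a show tech anyway, it is worth finding it yourself first. The following is an added example (my own Python, not code from the original post) that scans a running-config for the two override commands above and a syslog feed for the two messages quoted above, so an emergency workaround is not forgotten in production. The config excerpt and syslog lines are constructed for the example; only the command strings and message mnemonics come from the post.

```python
import re

# Constructed sample running-config excerpt (not from the original post).
# The two override lines are the ones the post uses to bring the port up.
SAMPLE_CONFIG = """\
hostname LAB-SW-A
service timestamps log datetime msec
service unsupported-transceiver
no errdisable detect cause gbic-invalid
!
interface GigabitEthernet1/0/1
 description uplink to LAB-SW-B
!
"""

# Constructed sample syslog lines built around the two messages quoted in the post.
SAMPLE_SYSLOG = """\
Jan 10 09:12:01 LAB-SW-A 45: %PHY-4-UNSUPPORTED_TRANSCEIVER: Unsupported transceiver found in Gi1/0/1
Jan 10 09:12:01 LAB-SW-A 46: %GBIC_SECURITY_CRYPT-4-VN_DATA_CRC_ERROR: GBIC in port 65538 has bad crc
Jan 10 09:15:44 LAB-SW-A 47: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
"""

# The override commands from the post and what each one switches off.
OVERRIDE_COMMANDS = {
    "service unsupported-transceiver": "vendor check on SFP/GBIC EEPROM data is bypassed",
    "no errdisable detect cause gbic-invalid": "ports with an invalid GBIC/SFP are no longer err-disabled",
}

# Mnemonics of the two messages the switch logs for a rejected transceiver.
TRANSCEIVER_MSG = re.compile(
    r"%(PHY-4-UNSUPPORTED_TRANSCEIVER|GBIC_SECURITY_CRYPT-4-VN_DATA_CRC_ERROR): (.+)$"
)


def find_transceiver_overrides(config):
    """Return the override commands present in a running-config, in config order."""
    present = [line.strip() for line in config.splitlines()]
    return [line for line in present if line in OVERRIDE_COMMANDS]


def find_transceiver_events(syslog):
    """Return (mnemonic, detail) pairs for transceiver rejection messages in a syslog feed."""
    events = []
    for line in syslog.splitlines():
        m = TRANSCEIVER_MSG.search(line)
        if m:
            events.append((m.group(1), m.group(2)))
    return events


def audit(config, syslog):
    """Combine both checks into a list of human-readable findings."""
    findings = [
        f"config: '{cmd}' set ({OVERRIDE_COMMANDS[cmd]})"
        for cmd in find_transceiver_overrides(config)
    ]
    findings += [
        f"syslog: {mnemonic} -> {detail}"
        for mnemonic, detail in find_transceiver_events(syslog)
    ]
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_SYSLOG):
        print(finding)
```

Run against a real backup of the config and the syslog collector's output; a switch that logs the transceiver messages without the override present is a module that was rejected, one with the override present is a port that is up on an unverified module.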


Wanting CD drivers when installing from USB

Well I must say that I have deviated from networking blogs once again to bring you a Microsoft fix. This silly error plagued me tonight. Installing Windows 7 Ultimate x64 on one of my laptops. I have a legitimate key that I use to install my versions of Windows but at this stage after moving house I have lost media/key.

I made a USB boot disc from the ISO. Using Jellybean I sucked the key out of an existing install. Easy enough. After booting into the Windows 7 installer I am faced with this silly error.

“Load Driver A required CD/DVD drive device driver is missing. If you have a driver floppy disk, CD, DVD, or USB flash drive, please insert it now. Note: If the Windows installation media is in the CD/DVD drive, you can safely remove it for this step.”


Awesome. Well I am installing off a USB. It doesn’t apply to me. Initially I cursed, then I thought “Oh well, if I remove the CD drive... *click*”. Well it did it again. No worries. You want to really know what fixes it?

Swapping USB ports. Simple as that. Off it goes on its merry way. Peculiar.

Anyway, job’s done.

Does a Tight Budget or a Time Crunch Mean It’s Okay to Compromise Security?

Ignorance? Tight budget? A lack of management comprehension?

I’ve just walked out of a meeting in which I drew upon the largest dose of self-control in my young career. The topic was expansion – new network, new designs, new servers. Factor in some delicious VMware server clusters and possibly some 4500 series switches, and this isn’t a project to gawk up. What has got me riled up this morning is the fact that all anyone wanted was the end result. They also wanted it, you guessed it, yesterday! No matter what corners were to be cut, the project was required to be done. The biggest corner cutting came at security.

I raised this point and asked, “It’s nice to want all this, and this is how we are going to achieve our end result, but what has my red flag raised is security. Nothing you have mentioned addresses this.” The curt reply was to make it work within the budget. This off-the-cuff, flippant response irked me, but I know not to fight fire with fire.

I have thought about how to solve this roadblock while teaching my colleagues/superiors about the importance of security. I want to do this in a way that highlights the need for security, as well as the steps that can be taken to minimize compromise and theft. I know currently that management are of the mindset, “A breach hasn’t happened to us.” A cotton-wool protected cocoon safely tucked away inside of virgin-guarded Internets has people forgoing firewalls and IDS/IPS systems. But generally, it’s not “if” an attack happens, it’s “when.” Gosh, I know my 1841 router at home shows port scans against it more commonly than Lady Gaga wears crazy outfits, let alone an enterprise Internet-facing device.

Now, sitting back at my Macbook, I am currently calming down. But I am adamant that the next meeting I walk into, I will be armed with reasons why we need security. Hopefully, I can find information about breaches into companies similar to the one I am assigned. Maybe then, reason will be seen just as light is seen when a light switch is flipped on. Things like:

  • Why you can’t put a price on security, but what you can expect from spending X, Y or Z amounts.
  • Why you can’t pretend you will be okay.
  • You wouldn’t expose your own body to harm. Why expose your network?

I’ve put this post out to the Packet Pushers community, and have some questions.

  • Have there been situations where you have needed to calm yourself and recollect before trying again? I’d love to hear about it.
  • Currently, I am working with the minuscule budget figures that are left over to implement a rock-star security solution. How have others dealt with similar situations?

Breaking down the blueprint.

Having passed the CCNP ROUTE exam last September I have experienced the importance of finding out what is required of you. With the CCNA I felt that by reading the books with some light Packet Tracer (I just threw up in my mouth) you had enough knowledge to pass the exam.

With my ROUTE exam I realised very quickly from the depth of the information presented that studying to align with the blueprint topics was important. Cisco publish the blueprint for each exam on the Cisco Learning Network. This is vital for Professional level exams in my opinion. For the CCIE you must align your studies with the blueprint. (Note that a valid CCO account is required for access.)

Today I am going to show my methodology for learning a topic. Being exposed to a variety of technologies in my current position, most things that appear on a certification I have used or read about before. Only occasionally have I come across a technology on a certification exam that is 100 percent new to me.

Step 1 – Choose the Desired Certification

This depends on you, you and, well, just you. Don’t study for something you aren’t interested in, or study for something trying to predict market trends. Study and pursue something you enjoy. Why? Passion. Passion for a technology, just like passion for your career, is contagious. It spreads. It allows your brain to absorb more information when you genuinely enjoy a topic or subject. (That’s how I feel about Routing/Switching/Security and I have zero evidence other than my gut feeling.)

Step 2 – Read the blueprint

This is important. I don’t mean look at it and see what technology it is asking you to know about. Read the fancy words!

Note the language used!

Let’s use this SWITCH exam blueprint as an example. Note words such as Determine, Create, Configure, Verify, and Document. These indicate the depth of knowledge required for each technology. Below is my determined level of depth. Feel free to comment if you believe otherwise.

  • Determine – Assess hardware and software capabilities and requirements based on the information presented.
  • Create – Make, based on your own experience, a document, implementation or verification plan based on well-known technical and life-cycle information.
  • Configure – Pretty easy one here. Actually sit at the CLI/GUI and deploy the said technology. In the case of the above picture you should be able to configure things like STP and its flavours, assign VLANs and implement trunks.
  • Verify – Confirm! This is very important. Which show commands prove that you have done what is required? How do you know which VLAN is assigned to which port? Confirm by verifying with show output.
  • Document – This one is a bit silly, but somewhere in that Cisco Press OCG or FLG there will be an obscure page telling you the information to include when documenting the change. This really is an industry experience in my opinion.

Step 3 – Recommended reading

Cisco publish official certification guides and foundation learning guides for nearly all of their exams. These are supplemented by technology-specific books. I have, for all my exams thus far, lashed out and bought the OCG and FLG for each exam. I believe that information from multiple sources is key to understanding topics thoroughly. When I bang my head against a wall, sometimes all I need is the same information presented in a different way. I believe the Cisco Press books are great for this.

Step 4 – Additional Information

This is important. Industry vendors, non-certification publications, audio/video demonstrations or RFCs. Take your pick. Absorb what you can. Get deep. Just remember that you should aim for a depth that gives you a solid understanding of the topic. You want to learn this topic and not just memorise it.

I am very lucky in that I have access to a variety of vendor offerings for the certifications I am currently studying: INE, IP Expert, CBT Nuggets, Cisco Press, and O’Reilly, just to name a few. Add to this the blogged experiences of fellow engineers and the IETF’s RFCs, which are the holy grail of information, and you have no reason not to know the required exam information.

Step 5 – Lab

All this reading is one thing. Knowledge is power. Time to transform this knowledge into handy CLI skills. Get down and dirty. You learn so much about deployment from actually doing. It is one thing to use software such as GNS3, IOU and rack rentals. It is another to physically do it. The latter is hard to do, but I recommend taking note of what you do when you work on physical equipment.

Now, back to certification labbing. Create, break, fix, optimise, break again, add another technology. Watch how the network adapts or changes. If you don’t know why, then write down what happened and go research whether that’s how it was supposed to react. I think it is a great idea to create a production-style network (choose Cisco IOU (don’t ask me where to get it) or GNS3 for this) and treat it like you would your workplace. Set a continuous ping from end to end. Change the routes in the core without losing connectivity. Test yourself. Test your knowledge. Only then will you truly understand the power of the knowledge your brain contains!

Another way of labbing is to create a new company. As you work through your certification studies you should strive to add more and more to it. In the case of SWITCH, start with some VLANs. As you go through, add ISL and 802.1Q trunks. Experiment with VTP. Pretend to audit your network and lock it down with security mechanisms. Add in access layer security, tighten up your STP domain, or simply explore some IOS hardening options. Each technology could be added to a blog. Starting a blog is a great way to get your opinion and the technology you use out to a larger audience. I feel that this is a topic in its own right and a blog best saved for another day.

Step 6 – Notes

I take notes. Handwritten, believe it or not. Personally, I feel it increases retention. I create notes for written theory and lab work. Whilst you are studying theory there are lots of little bits of information which are vital to your studies: timers, caveats, and default settings which you may need to remember or compare. I also take notes when I am labbing. I draw diagrams of my network. I draw how I want STP to converge if I pull this link out. I write down what went wrong and where my mistake was when it didn’t converge the way I wanted it to.

Step 7 – Wrap up

Well, now that I have gone through my information I generally peruse my materials again and re-read my notes. I will continue to lab and attack each topic. I need the information to gel, so I always keep reading. Sometimes I have to read a chapter, a blog or a section of notes repeatedly before I understand it.

Ant’s Thoughts

“A mind needs books as a sword needs a whetstone, if it is to keep its edge.” - Tyrion Lannister

I hope that this has helped you on the path to certification or just topic breakdown. This blog applies to certification blueprints but can EASILY be adapted to topics in general and not just of the network discipline. If you structure your learning you will find that the retention of details and topics becomes easier. Just remember that you must dedicate yourself to your craft. Always read. Keep learning and keep reading. You can never stop. The day you stop learning is the day you will plateau. These exams are a test of your knowledge and network prowess. They are not a recital.

 

Married Life

On a crazy Melbourne day the December before last I proposed to my girlfriend at the time. She said yes and fast forward just over a year and we got married. I have now entered married life as of the 20th of January this year.

We got married at a little boutique hotel called Lindenderry and celebrated with my friends and family. ( @Networkjanitor managed to make it down from that bush state up north! ) I had the best time of my life and now have the best wingman for life.

She has supported me in so many ways and is a driving factor in getting my CCIE. She believes in me. It’s great to have someone to share your dreams and aspirations with.

This is just a blog post really to show off a picture of my beautiful wife and our special day.

Mr and Mrs Burke

Challenge Lab – SWITCH

Fellow packet herders. I have set myself a challenge lab encompassing some stuff I have learned. I feel it’s time to challenge myself in the public arena and post the results. I am aiming to find some time this week to hit this out. I am looking to be a little busy with wedding preparations but I do have some down time nights that I am going to attempt to lab this out.

SW-A and SW-B are Cisco 3560-X and SW-C and SW-D are 2960S. All four are 48 ports. Just adjust the requirements of interface ranges to match your hardware.


SWITCH CHALLENGE LAB


Switch Placement

  • Switch A and B are distribution
  • Switch C and D are access
  • Any two ethernet devices will act as hosts to test security

Initial Connectivity

  • All links to be cabled as per the diagram
  • Configure Gi0/7-8 and Gi0/11-12 on each switch using an IEEE trunking standard.
  • Gi0/9-10 on all switches should use ISL. DTP frames must not be sent.
  • These same links need to provide more bandwidth. Bundle these using a proprietary method
  • Distribution switches must handle negotiation of these interfaces.
  • Enforce bundle protocol

VLAN & VTP

  • Create a VLAN Trunking Protocol domain called Cisco-Inferno
  • Set the mode to server for SW-A. Set all others as clients
  • Create a VTP password and ensure version 2 is used.
  • Create the following VLANs
    • Vlan 10 Servers 10.0.10.0/24
    • Vlan 20 Storage 10.0.20.0/24
    • Vlan 30 LWAPP 10.0.30.0/24
    • Vlan 40 Desktop 10.0.40.0/24
    • Vlan 50 Wireless 10.0.50.0/24
    • Vlan 100 Management 10.0.100.0/24
  • Assign names to the VLANs
  • Assign IP address to each device from the Management VLAN.


Spanning-Tree and L2 Redundancy

  • Enable 802.1w mode of Spanning-Tree
  • Set Vlan 10,20,100 on SW-A to be Root Bridge and make them Secondary on SW-B
  • Set Vlan 30,40,50 on SW-B to be Root Bridge and make them Secondary on SW-A

Layer 3

  • Create SVIs for VLANs 10,20,30,40,50 using the IP address of 10.0.x.2 (x = VLAN number) on SW-A
  • Create SVIs for VLANs 10,20,30,40,50 using the IP address of 10.0.x.3 (x = VLAN number) on SW-B
  • Convert the bundle between SW-A and SW-B (Gi0/11-12) to a L3 link. Use the address range of 10.0.5.0/30


Switch Security

Now that base connectivity has been established in our network it is time to implement some security and keep those pesky people out.

  • Ports Gi0/24-40 should reside in VLAN 40. Ports Gi0/40-44 should be in VLAN 50. Apply this to SW-C/SW-D
  • Enable across all access ports in VLAN 40 on SW-C/SW-D the ability to err-disable if a BPDU is detected
  • On SW-D enable port fast unconditionally across VLAN 40 and 50 ports
  • On SW-C enable port fast in such a way that it will lose its port fast status if a BPDU is received on VLAN 40 and 50 ports
  • A lobby PC will be connected to Gi0/1 and Gi0/3. Enable the ability to learn the MAC address dynamically and err-disable the port if a different device is detected.
  • Gi0/16-20 on SW-C/SW-D require up to 5 different devices to be learned before violating.
  • Gi0/30 on SW-C needs a static assignment of the MAC 0000.000a.baba
  • Gi0/30 on SW-D needs a static assignment of the MAC 0000.000b.cafe
  • Block access from VLAN 40 and 50 into VLAN 100


High Availability

This network requires a strong level of uptime and the time has come to implement some HA technologies.

  • You are to use a proprietary standby protocol
  • SW-A and SW-B will be supporting each other in a HA setup. Virtual IP addresses are to be 10.0.x.1/24 of each VLAN.
  • Group Numbers should represent VLAN numbers
  • Follow good design principles when implementing HA – think about how L2 STP is placed.
  • If SW-A is active, SW-B should be standby, and vice versa.
  • Ensure that if a switch goes down and comes back up it regains its active status.
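An added example, my own Python rather than part of the challenge lab, that turns the Layer 3 and High Availability requirements above into SVI and HSRP config for SW-A and SW-B and then checks the result. Group numbers follow the VLAN numbers, the virtual IP is 10.0.x.1, the switch that holds the STP root for a VLAN (from the Spanning-Tree section) gets the higher priority so the HSRP active router and the STP root coincide, and preempt lets a recovered switch take active back. The priority values 110/100 are assumptions (100 is the HSRP default); VLAN 100 has no SVI in the Layer 3 section, so it is left out.

```python
import ipaddress
import re

# Constructed from the lab text: VLAN -> (name, switch that is STP root for it).
VLAN_PLAN = {
    10: ("Servers", "SW-A"),
    20: ("Storage", "SW-A"),
    30: ("LWAPP", "SW-B"),
    40: ("Desktop", "SW-B"),
    50: ("Wireless", "SW-B"),
}
SVI_HOST = {"SW-A": 2, "SW-B": 3}              # 10.0.x.2 on SW-A, 10.0.x.3 on SW-B
VIP_HOST = 1                                  # virtual IP 10.0.x.1
ACTIVE_PRIORITY, STANDBY_PRIORITY = 110, 100  # assumed values; 100 is the HSRP default


def vlan_subnet(vlan):
    return ipaddress.ip_network(f"10.0.{vlan}.0/24")


def hsrp_config(switch, plan=VLAN_PLAN):
    """Build the SVI + HSRP config lines for one distribution switch."""
    lines = []
    for vlan, (name, root) in sorted(plan.items()):
        net = vlan_subnet(vlan)
        svi = net.network_address + SVI_HOST[switch]
        vip = net.network_address + VIP_HOST
        # The HSRP active router and the STP root bridge should be the same box,
        # so the switch that is root for this VLAN gets the higher priority.
        priority = ACTIVE_PRIORITY if root == switch else STANDBY_PRIORITY
        lines += [
            f"interface Vlan{vlan}",
            f" description {name}",
            f" ip address {svi} {net.netmask}",
            f" standby {vlan} ip {vip}",            # group number = VLAN number
            f" standby {vlan} priority {priority}",
            f" standby {vlan} preempt",             # regain active after a reload
            "!",
        ]
    return lines


def expected_active(configs):
    """Given {switch: config_lines}, return {group: switch} that should be HSRP active.
    Highest priority wins; HSRP breaks ties with the higher interface IP."""
    candidates = {}
    for switch, lines in configs.items():
        ip = ipaddress.ip_address("0.0.0.0")
        for line in lines:
            m = re.match(r" ip address (\S+) ", line)
            if m:
                ip = ipaddress.ip_address(m.group(1))
            m = re.match(r" standby (\d+) priority (\d+)", line)
            if m:
                group, prio = int(m.group(1)), int(m.group(2))
                candidates.setdefault(group, []).append((prio, ip, switch))
    return {group: max(c)[2] for group, c in candidates.items()}


def stp_roots(plan=VLAN_PLAN):
    """Which switch is STP root per VLAN, for comparison against expected_active()."""
    return {vlan: root for vlan, (_, root) in plan.items()}


if __name__ == "__main__":
    configs = {sw: hsrp_config(sw) for sw in ("SW-A", "SW-B")}
    for sw, lines in configs.items():
        print(f"! {sw}")
        print("\n".join(lines))
    # The design check: HSRP active must sit on the STP root for every VLAN.
    assert expected_active(configs) == stp_roots()
```

The expected_active() check is the part worth keeping around: if someone later changes a priority on one switch, the generated config and the STP root placement drift apart, and traffic starts hairpinning across the inter-switch link before anyone notices.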


Clarity : BPDU Guard vs BPDU Filter

In a stunning moment of clarity I figured out the two. It did take far longer than what was required, but I feel now I can tick these two technologies off as understood: why you would use them and when you would use them.

Bridge Protocol Data Units, also known as BPDUs, play a fundamental part in a spanning-tree topology. No matter your flavour you will have BPDUs.

BPDU – A quick breakdown

BPDUs are sent out by a switch to exchange information about bridge IDs and root path costs. A switch sources them from its own MAC address and sends them to the STP multicast address 01:80:c2:00:00:00. There are Configuration BPDUs, Topology Change Notification BPDUs and Topology Change Notification Acknowledgement BPDUs. Exchanged every 2 seconds by default, BPDUs allow switches to keep track of network changes and to decide when to block or forward ports to ensure a loop-free topology.

BPDU Guard

BPDU Guard is designed to protect your switching network. Remember that a portfast port is designed to be connected to a device from which BPDUs aren’t expected. This could be an end-user device, server or access point. When an unexpected BPDU is detected (an end user wants to plug a switch in at his cubicle) the port will shut down and enter an err-disable state.

When enabled globally this is a fantastic solution for protecting portfast ports on access switches where you don’t expect a switch to be plugged in. BPDU guard enabled globally is conditional: it only takes effect on ports that are portfast enabled. If you require BPDU guard to be enabled unconditionally then you must do that on the interface itself.

Global

SW1(config)# spanning-tree portfast bpduguard default

Interface

SW1(config)# int gi0/10
SW1(config-if)# spanning-tree bpduguard enable

BPDU Filter

Initially I was stumped as to why you would use this. Why on earth would you want to stop BPDUs from being sent or received on a port? I immediately thought it was ludicrous. It wasn’t until I had a discussion with the man of infinite wisdom @networkjanitor (Kurt Bales) that I understood its use. The point of demarcation is a fantastic place to use BPDU filter. When an ISP hands off a tail in the DC from their switch infrastructure, neither party wants anything to do with the other’s STP topology. This is one of the uses of this feature, and probably the best one I have found.

First of all, BPDU filter disables spanning-tree on a port, period. It does this by suppressing the sending and receiving of BPDUs. Simple enough. When enabled globally, BPDU filter applies to all portfast ports. When such a port links up it will transmit a few BPDUs before it starts filtering.

Remember that if a BPDU is received on a portfast interface, the interface loses its portfast status, and because the global BPDU filter relies on portfast it is disabled on that port as well.

Global

SW1(config)# spanning-tree portfast default
SW1(config)# spanning-tree portfast bpdufilter default

Interface

SW1(config)# int gi0/24
SW1(config-if)# spanning-tree bpdufilter enable
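To make the conditional/unconditional behaviour of both features concrete, here is an added example (my own Python, not from the post): it reads a constructed IOS config, works out per interface whether portfast, BPDU guard and BPDU filter are actually in effect under the rules described above (per-interface enable/disable is unconditional; the global default forms apply only to portfast ports), and flags access ports left without BPDU guard as well as trunks carrying BPDU filter. The sample config is constructed for the example and the rule set is a simplification of IOS behaviour (the portfast trunk keyword and other variants are not modelled).

```python
# Constructed sample running-config (not from the original post). It mixes the
# global and per-interface forms discussed above so there is something to evaluate.
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 40
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 40
 spanning-tree portfast disable
!
interface GigabitEthernet0/10
 switchport mode trunk
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/24
 switchport mode access
 spanning-tree bpdufilter enable
!
interface GigabitEthernet0/48
 switchport mode trunk
 spanning-tree bpdufilter enable
!
"""


def parse_config(text):
    """Split an IOS config into a set of global commands and per-interface command lists."""
    global_cmds, interfaces, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None              # '!' closes the current interface block
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.add(line.strip())
    return global_cmds, interfaces


def effective_stp_state(global_cmds, if_cmds):
    """Work out what is really in effect on one port under the rules from the post:
    per-interface enable/disable is unconditional, the global '... default' forms
    apply only to ports that are portfast."""
    trunk = "switchport mode trunk" in if_cmds
    if "spanning-tree portfast disable" in if_cmds:
        portfast = False
    elif "spanning-tree portfast" in if_cmds:
        portfast = True
    else:
        # 'spanning-tree portfast default' covers access (non-trunk) ports only
        portfast = "spanning-tree portfast default" in global_cmds and not trunk

    def feature(name):
        if f"spanning-tree {name} disable" in if_cmds:
            return False
        if f"spanning-tree {name} enable" in if_cmds:
            return True                 # unconditional, portfast or not
        return portfast and f"spanning-tree portfast {name} default" in global_cmds

    return {"trunk": trunk, "portfast": portfast,
            "bpduguard": feature("bpduguard"), "bpdufilter": feature("bpdufilter")}


def audit_bpdu(text):
    """Return {interface: [issues]} for ports whose effective state deserves a look."""
    global_cmds, interfaces = parse_config(text)
    findings = {}
    for name, cmds in interfaces.items():
        state = effective_stp_state(global_cmds, cmds)
        issues = []
        if not state["trunk"] and not state["bpduguard"]:
            issues.append("access port with no effective BPDU guard")
        if state["trunk"] and state["bpdufilter"]:
            issues.append("BPDU filter on a trunk: STP is switched off on an inter-switch link")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit_bpdu(SAMPLE_CONFIG).items():
        print(port, "->", "; ".join(issues))
```

In the sample, Gi0/2 shows the trap the post describes: the global bpduguard default is there, but turning portfast off on the interface silently takes the guard away with it, while Gi0/10 keeps its guard on a trunk because the per-interface form does not care about portfast.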


Anthony’s Wrap

I’ve used BPDU guard a whole lot. After learning at college that you could bring down an entire block of labs with a switch configured a certain way, I made sure that no network under my jurisdiction would suffer the same fate. Couple BPDU guard with err-disable recovery and you have protection. BPDU filter could also be placed on access layer ports too. Another way to negate pesky attacks from inquisitive minds.

SWITCH Booked

HSRP, VRRP, STP, RSTP, SPAN, CEF, NSF

I’ve finally booked my exam. 25 hours and 5 minutes from now I will be sitting down to my SWITCH exam. Rounding out the theory of the NP certification and leaving a practical exam in front of me before CCNP makes me feel good. Looking to TSHOOT out before I get married on the 20th of January. All depends on work/wedding load. I have a week of annual leave over Christmas and New Year.

Here’s to the hurdle tomorrow.

I will let you know how I go.

Anthony.

I asked for an Apple and I was given a orchard.

I work for the Department of Education in Victoria, Australia. My position is sub-contracted out to private companies and we fulfil government tenders for schools. I am currently engaged at higher learning campuses where my role is to look after the network. It was budget time and after we determined what we wanted we got to the topic of IT department computers. We had a hodgepodge setup of Acer desktops and other devices which were aged and not performing for our daily tasks. I personally had a Lenovo R61. We initially looked at other desktops but decided a laptop would suit. Enter the 2011 Macbook Pro 13 inch laptop. Sleek, pretty and functional. UNIX-based and appeals to my sense of logic. No blue screens with my USB to Serial and most devices just work! My initial unboxing was an experience. I feel the user experience is something that Apple strive for. The smell, the well-thought-out packaging and everything else right down to considerate protective wraps and cable layout.

OSX PostMorning Treats

Network Engineer requirements

Having used MacBooks in the education sector for a while, I know my way around the basics and the user administrative side. For me to make the move I had to set up a terminal server ahead of ordering and confirm the applications I needed to run my network (administrative snap-ins for 2008R2) would be fine. That and the SQL database stuff.

My requirements for work are the following:

  • Remote Desktop
  • Terminal
  • Graphing
  • Email/PDF

Once I was happy with that I went and sought out a better remote desktop program. The Remote Desktop Connection program that comes with Office 2011 is terrible. Crashes harder and more often than Mark Webber seems to. CoRD was the program that replaced RDC. It is fantastic. It allows multiple connections and saves a list of favourites including the profiles, settings and what you want to connect to. First item: success.

Second was onto terminal. There are many versions out there. OSX comes with Terminal built in. It can screen to console cables, ssh, telnet and create coffee. Well maybe not the last. But fantastic nonetheless. Oh, it also has tabs. For me, tabs are a must. Kinda started that bad habit a long time ago. Another success.

One thing that Microsoft has kept on their side is Visio. What a shame. I like Visio. This was almost the sole reason for not moving until I discovered Omnigraffle. Thanks to the Packet Pushers and the blogs on there for bringing it to my attention. This is the Mac’s equivalent of Visio. Works well with only a few minor moments where I have been lost. Rather excited about the fact that this ticks another off the list.

Email is dealt with by the built-in Mail app. Works well. Exchange plays nicely. PDF reading is also done natively. That sums up my simple requirements. Nice and easy migration really. Hardware: pretty standard feedback amongst what is already well known. Solid battery life, decent processor and enough RAM. HDD capacity is fine. I am not wanting to carry all my gigamegabits in the same place.

What fine sandwiches you have there!

My thoughts

There are some great blog posts from Ivan Pepelnjak or young Tom over at Networking Nerd; both have done great articles on converting to the Dark Side. In my role I really only need a handful of applications to do my job. We can perform this on OSX/Linux/Windows and we will fulfil our job requirements. I feel it does come down to personal preference. What else is required by the enterprise you work for? What is needed for BAU? If you need a platform-specific app that is critical then lean towards that. I, for one, feel that there is nothing wrong with whatever you pick. I have had no qualms or major grievance using OSX. Heck, on the plus side iPhoto/Aperture are kinda neat.


RPR RPR+ – brain download for SWITCH

Route Processor Redundancy (RPR)

Redundant Supervisor Engines – Handy having two brains!

When first implemented, back in IOS 12.1(13)F, it was a great technology. Over time NSR and SSO have addressed its shortcomings with better failover times. Failover with RPR on the 6500 series takes around 2-4 minutes and on the 4500 series less than 60 seconds. RPR+, only available on the 6500 series, comes in at around 30-60 seconds. In this day and age that is noticeable downtime and isn’t transparent to the end user.

The supervisor engine that forwards all the L2/L3 traffic is the active supervisor engine. The other supervisor engine waits in standby. Both supervisor engines talk to each other.

Triggers

  • Routing/Switching processor crash
  • Manual switchover
  • Removal (of the active supervisor engine)

Events

  • Switching modules power cycled
  • Subsystems on standby are activated
  • ACLs reprogrammed into the supervisor engine

RPR+

Improved switchover times, reduced to around 30-60 seconds, with no reloading of modules required.

Easy configuration makes RPR (when it was used) too good not to configure!

sw(config)# redundancy
sw(config-red)# mode rpr-plus

Simple as that.

Verify with the following:

sw# show redundancy states