Monday, January 14, 2013

Capturing 802.11 Frames in Wireshark

Figured I would pass this along. I started reading chapter 15 of the CCNP Switch Certification Guide, Integrating Wireless LANs. While reading the first few pages, I quickly wanted to get a sniffer out and check out all of these 802.11 frame specifications that it references.

Some examples are DIFS (duration timer) and the random backoff timer. I decided to fire up Wireshark, but the frames kept appearing as 802.3 (Ethernet) frames. These are known as "fake" Ethernet headers. Unfortunately, with the current Wi-Fi card installed in my laptop, I won’t be able to sniff 802.11 traffic.

Per Wireshark:
Without any interaction, capturing on WLAN's may capture only user data packets with "fake" Ethernet headers. In this case, you won't see any 802.11 management or control packets at all, and the 802.11 packet headers are "translated" by the network driver to "fake" Ethernet packet headers.

http://wiki.wireshark.org/CaptureSetup/WLAN

You can also download an 802.11 capture and learn how to read it by following this document.

http://www.cse.ust.hk/~muppala/csit5610/labs/Wireshark_labs/Wireshark_802_11.pdf
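To tell whether a saved capture holds the "fake" Ethernet headers or real 802.11 frames without opening it in Wireshark, read the link-layer type from the capture file header. The following is an added example, not part of the original post; it assumes a classic pcap file (not pcapng), and the sample headers are constructed.

```python
import struct

# Values from the pcap LINKTYPE registry.
LINKTYPES = {
    1: "Ethernet",
    105: "IEEE 802.11",
    119: "Prism header + 802.11",
    127: "radiotap + 802.11",
    163: "AVS header + 802.11",
}
NATIVE_80211 = {105, 119, 127, 163}

# First four bytes of a classic pcap file -> struct byte-order prefix.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}


def classify_capture(header: bytes) -> dict:
    """Read the 24-byte pcap global header and report the link-layer type."""
    if len(header) < 24:
        raise ValueError("need the 24-byte pcap global header")
    order = MAGICS.get(header[:4])
    if order is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    _maj, _min, _zone, _sigfigs, _snaplen, network = struct.unpack(
        order + "HHiIII", header[4:24])
    linktype = network & 0xFFFF  # low 16 bits carry the link type
    return {
        "linktype": linktype,
        "name": LINKTYPES.get(linktype, "other"),
        "native_80211": linktype in NATIVE_80211,
    }


def sample_header(linktype: int) -> bytes:
    """Constructed global header (pcap 2.4, snaplen 65535) for the demo."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)


if __name__ == "__main__":
    for lt in (1, 127):
        print(classify_capture(sample_header(lt)))
```

For a real file, pass the first 24 bytes: a WLAN capture that reports Ethernet is the translated-header case described above, with no management or control frames in it.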


 

Sunday, January 6, 2013

Keeping Current as a Network Engineer & Working your way to becoming a Network Architect

Keeping Current:
It’s crucial to always stay current in any industry that you work in. You want to be the one bringing new ideas to the table and possibly have new solutions to common problems that companies face. Some of the websites I follow to keep myself current in the network industry, along with the data center industry, are below.

http://www.datacenterknowledge.com/
 
http://www.networkworld.com/topics/lan-wan.html

Certifications are also a great way to keep current and enhance your skill sets.

Working your way to becoming a Network Architect:
My long term goal is to become a Network Architect and I have found that reading a ton of White Papers along with test results from third party vendors is going to greatly help me achieve this goal. Cisco puts out some great white papers on proven design guides that I highly recommend for anyone to read. The following link is a perfect example and yes I read the entire white paper along with others.

http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/HA_campus_DG/hacampusdg.html

This has helped me tremendously in being able to design a better network and with my CCNP studies. Cisco also has another great resource called the Cisco Validated Design Program. Check out the following link; it has design guides for pretty much every type of network. These are proven and tried design guides from true industry experts.

http://www.cisco.com/en/US/netsol/ns741/networking_solutions_program_home.html

Reading benchmark or test results is another great way to get a key understanding of how to evaluate a product before you buy it and what to look for in new hardware. I follow this website, and a majority of vendors put third-party evaluation results on their own websites.

http://www.networktest.com/

9 Common Spanning Tree Mistakes

Great read on STP common mistakes. Article is from 2013.

http://www.networkworld.com/community/blog/9-common-spanning-tree-mistakes?

Thursday, January 3, 2013

Interface-Range Command on Non Contiguous Ports

Ever needed to make changes to multiple interfaces that are not within the same range? I know I have and always wondered how to update interfaces that were not sequentially ordered. Here is how.

We need to create a macro and then invoke it before we apply our changes.

Creating the macro:

Cisco_4948E_01#config t
Cisco_4948E_01(config)#define interface-range joel GigabitEthernet1/20 , GigabitEthernet1/22 , GigabitEthernet1/24

Invoking the macro: this now puts us into interface configuration mode

Cisco_4948E_01(config)#interface range macro joel
Cisco_4948E_01(config-if-range)#
Cisco_4948E_01(config-if-range)#description macro-test

Verification that our changes were successful:

Cisco_4948E_01#show interfaces description | include macro-test
Gi1/20                         down           down     macro-test
Gi1/22                         down           down     macro-test
Gi1/24                         down           down     macro-test



Tuesday, December 11, 2012

RSTP sync process.

Great write up on RSTP sync process.

http://routemyworld.com/2009/06/19/bcmsn-rstp-convergence-changes-and-compatibilty/

Wednesday, December 5, 2012

Upgrading an ASA5520 - IOS Upgrade 9.1

In order to create a port-channel between an ASA5520 and a 4948 I needed to upgrade the code. The process is very simple to say the least. For some reason I expected it to be difficult. The process I followed is below.

1. Confirm the feature set you are looking for is supported in the new code and look for any new potential gotchas. It is customary to request a BUG SCRUB from Cisco before deploying any new code.

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/asa_91_general_config.html

2. Download the code from the Cisco portal.

3. Confirm you have enough space for the new code. Use the DIR command.

Cisco-ASA5520-01# dir

Directory of disk0:/

129    -rwx  16275456     06:03:42 Jan 30 2011  asa821-k8.bin
130    -rwx  11348300     09:15:52 Jan 30 2011  asdm-621.bin
6      drwx  4096         00:03:46 Jan 01 2003  log
13     drwx  4096         00:03:54 Jan 01 2003  crypto_archive
14     drwx  4096         00:04:28 Jan 01 2003  coredumpinfo
132    -rwx  12105313     09:13:20 Jan 30 2011  csd_3.5.841-k9.pkg
133    drwx  4096         09:13:24 Jan 30 2011  sdesktop
134    -rwx  2857568      09:13:26 Jan 30 2011  anyconnect-wince-ARMv4I-2.4.1012-k9.pkg
135    -rwx  3203909      09:13:26 Jan 30 2011  anyconnect-win-2.4.1012-k9.pkg
136    -rwx  4832344      09:13:28 Jan 30 2011  anyconnect-macosx-i386-2.4.1012-k9.pkg
137    -rwx  5209423      09:13:30 Jan 30 2011  anyconnect-linux-2.4.1012-k9.pkg
118    -rwx  3080         13:40:55 Dec 05 2012  8_2_1_0_startup_cfg.sav
255582208 bytes total (170237952 bytes free)

4. Upload the code onto the device via TFTP. Use the command copy tftp disk0:/ and you will be prompted for the IP address of the TFTP server and the source file name; then press Enter unless you want to change the name of the file once it's uploaded (I never do). Confirm the MD5 hash against what is shown on the Cisco website.

5. Change your boot statement and confirm it took. I always like to set up two statements in case there are any issues with the first IOS code.

config t
boot system disk0:/asa911-k8.bin
boot system disk0:/asa821-k8.bin
end
!
WR
!

Cisco-ASA5520-01# show bootvar

BOOT variable = disk0:/asa911-k8.bin;disk0:/asa821-k8.bin
Current BOOT variable = disk0:/asa911-k8.bin;disk0:/asa821-k8.bin;disk0:/end
CONFIG_FILE variable =
Current CONFIG_FILE variable =

6. Save your configuration and reload the device with the reload command.

7. Confirm your new code is running with the show version command.

Cisco-ASA5520-01# show version

Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 6.2(1)

Compiled on Wed 28-Nov-12 10:38 by builders
System image file is "disk0:/asa911-k8.bin"
Config file at boot was "startup-config"
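
Steps 3 to 5 can be checked mechanically before the reload. The following is an added example, not part of the original post: it reads the free space from the dir trailer, compares the image hash with the published value, and lists boot entries that have no file on disk0:. The dir and show bootvar text is copied from the output above; the image bytes and their hash are constructed stand-ins, since the published MD5 is not given in the post.

```python
import hashlib
import hmac
import io
import re

# 'dir' lines and 'show bootvar' output copied from the post above.
DIR_OUTPUT = """\
129    -rwx  16275456     06:03:42 Jan 30 2011  asa821-k8.bin
130    -rwx  11348300     09:15:52 Jan 30 2011  asdm-621.bin
6      drwx  4096         00:03:46 Jan 01 2003  log
255582208 bytes total (170237952 bytes free)
"""
BOOTVAR_OUTPUT = """\
BOOT variable = disk0:/asa911-k8.bin;disk0:/asa821-k8.bin
Current BOOT variable = disk0:/asa911-k8.bin;disk0:/asa821-k8.bin;disk0:/end
"""

def free_bytes(dir_output):
    """Free space taken from the '(N bytes free)' trailer of 'dir'."""
    m = re.search(r"\((\d+) bytes free\)", dir_output)
    if m is None:
        raise ValueError("no free-space trailer in dir output")
    return int(m.group(1))

def files_on_flash(dir_output):
    """Names of regular files (mode field starts with '-') in the listing."""
    rows = (line.split() for line in dir_output.splitlines())
    return {r[-1] for r in rows if len(r) >= 8 and r[1].startswith("-")}

def missing_boot_images(bootvar_output, dir_output):
    """Entries of 'Current BOOT variable' with no matching file on disk0:."""
    m = re.search(r"^Current BOOT variable = (.*)$", bootvar_output, re.M)
    entries = [e.strip() for e in m.group(1).split(";")] if m else []
    present = files_on_flash(dir_output)
    return [e for e in entries if e and e.replace("disk0:/", "", 1) not in present]

def digest_matches(image, published_hex, algo="md5"):
    """Hash a file object in chunks and compare with the published value."""
    h = hashlib.new(algo)
    for chunk in iter(lambda: image.read(65536), b""):
        h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), published_hex.strip().lower())

if __name__ == "__main__":
    image = b"constructed stand-in for asa911-k8.bin"  # not a real image
    published = hashlib.md5(image).hexdigest()  # stands in for the published value
    print("fits:", len(image) <= free_bytes(DIR_OUTPUT))
    print("hash ok:", digest_matches(io.BytesIO(image), published))
    print("not on flash:", missing_boot_images(BOOTVAR_OUTPUT, DIR_OUTPUT))
```

The dir listing in the post was taken before the upload, so asa911-k8.bin is reported as missing here along with the disk0:/end entry; run the check against a listing taken after the copy.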

Saturday, December 1, 2012

Cisco ASA Oversubscription - Maximizing Throughput (ASA 5550) Part 1

This week I ran into an oversubscription issue on an ASA5550. To alleviate the issue, we followed the recommendations below from Cisco. I am including some of the conditions I saw before the change. The keyword is alleviate: depending on your traffic rates, you might resolve the problem going this route. In other cases, you would just have to get a second pair of firewalls to segregate traffic or just upgrade to 10GB. The best way to determine this is to place a sniffer between the ASA and drill down as close to the microsecond to see the microbursts on the line and data rate patterns.

Maximizing Throughput (ASA 5550)

The ASA 5550 has two internal buses providing copper Gigabit Ethernet and fiber Gigabit Ethernet connectivity. For Slot 1 (Bus 1), you can use either the copper ports or the fiber ports. The copper ports are enabled by default.


For maximum throughput, configure the ASA so that traffic is distributed equally between the two buses. Lay out the network so that traffic enters through one bus and exits through the other.

For example, the following figure shows the ASA configured so that traffic from the unsecure network and the secure network is evenly distributed between Bus 0 and Bus 1. Traffic from hosts on the secured network flows through interface 0/0 on Bus 0 to hosts on the unsecured network. Traffic from hosts on the unsecured network flows through interface 1/0 on Bus 1 to hosts on the secured network.


http://www.cisco.com/en/US/docs/security/asa/quick_start/5500/5500_quick_start.html#wp35995 
 
On the ASA you can issue the show traffic command, and near the end of the output you will see the following. Ideally you would want this to be balanced. In this case, both of the oversubscribed interfaces were on Slot 0.

Show Traffic 
----------------------------------------
 Per Slot Throughput Profile (1 minute)
----------------------------------------
  Packets-per-second profile:
    Slot 0:      12654  89%|********************************************

    Slot 1:       1603  11%|*****

  Bytes-per-second profile:
    Slot 0:    1649003  76%|**************************************

    Slot 1:     511183  24%|************

On the interface level, you would see the Underruns counter increment along with the Overruns counter (see below). To try to alleviate or resolve this issue, move one of the ports to Gi1/X and monitor it over a few days.

Per Cisco:

Interface overruns, no buffer and underruns often show that the firewall cannot process all the traffic it is receiving on its NIC. Overruns and no buffers indicate that input traffic is too much on a given interface. The interface maintains a receive ring where packets are stored before they are processed by the ASA. If the NIC is receiving traffic faster than the ASA can pull them off the receive ring, the packet will be dropped and either the no buffer or overrun counter will increment. Underruns behave similarly but deal with the transmit ring instead.

ASA5550/act# show interface gigabitEthernet 0/0
Interface GigabitEthernet0/0 "HH", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
    Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
    Input flow control is unsupported, output flow control is off
    Description: 6509
    MAC address 6400.f182.6770, MTU 1500
    IP address 192.168.168.2, subnet mask 255.255.255.248
    56937880 packets input, 12657181986 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants
    831 input errors, 0 CRC, 0 frame, 831 overrun, 0 ignored, 0 abort
    0 pause input, 0 resume input
    0 L2 decode drops
    33686564 packets output, 5457717040 bytes, 577125 underruns
    0 pause output, 0 resume output
    0 output errors, 0 collisions, 0 interface resets
    0 late collisions, 0 deferred
    0 input reset drops, 0 output reset drops, 0 tx hangs
    input queue (blocks free curr/low): hardware (255/230)
    output queue (blocks free curr/low): hardware (255/0)
  Traffic Statistics for "HH":
    56937881 packets input, 11616408550 bytes
    34263689 packets output, 5097504222 bytes
    12365 packets dropped


ASA5550/act# show interface gigabitEthernet 0/1
Interface GigabitEthernet0/1 "HM", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
    Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
    Input flow control is unsupported, output flow control is off
    Description: 6509
    MAC address 6400.f182.6771, MTU 1500
    IP address 192.168.1.1 subnet mask 255.255.255.0
    24794625 packets input, 4336231091 bytes, 0 no buffer
    Received 4648 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 pause input, 0 resume input
    0 L2 decode drops
    40981082 packets output, 3012528711 bytes, 1614642 underruns
    0 pause output, 0 resume output
    0 output errors, 0 collisions, 0 interface resets
    0 late collisions, 0 deferred
    0 input reset drops, 0 output reset drops, 0 tx hangs
    input queue (blocks free curr/low): hardware (255/230)
    output queue (blocks free curr/low): hardware (255/0)
  Traffic Statistics for "HM":
    23737668 packets input, 3724976676 bytes
    42595724 packets output, 2342955016 bytes
    6597 packets dropped
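
The counters Cisco describes can be pulled out of show interface output and grouped by slot, which makes it easy to see when the affected ports share a bus. The following is an added example, not part of the original post: the counter lines are copied from the two outputs above, and the ratio of ring counters to packets and the 0.001 threshold are assumptions chosen for illustration.

```python
import re
# Counter lines copied from the two 'show interface' outputs above.
SAMPLE = """\
Interface GigabitEthernet0/0 "HH", is up, line protocol is up
    56937880 packets input, 12657181986 bytes, 0 no buffer
    831 input errors, 0 CRC, 0 frame, 831 overrun, 0 ignored, 0 abort
    33686564 packets output, 5457717040 bytes, 577125 underruns
    56937881 packets input, 11616408550 bytes
Interface GigabitEthernet0/1 "HM", is up, line protocol is up
    24794625 packets input, 4336231091 bytes, 0 no buffer
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    40981082 packets output, 3012528711 bytes, 1614642 underruns
"""
COUNTERS = ("packets input", "no buffer", "overrun", "packets output", "underruns")

def parse_show_interface(text):
    """Return {interface: {counter: value}}; the first occurrence of a counter wins."""
    result, current = {}, None
    for line in text.splitlines():
        head = re.match(r"Interface (\S+) ", line)
        if head:
            current = result.setdefault(head.group(1), {})
        elif current is not None:
            for name in COUNTERS:
                m = re.search(rf"(\d+) {name}\b", line)
                if m:  # hardware counters precede the Traffic Statistics block
                    current.setdefault(name, int(m.group(1)))
    return result

def ring_report(counters, threshold=0.001):
    """Flag interfaces whose ring counters exceed threshold (a heuristic)."""
    report = {}
    for name, c in counters.items():
        rx = (c.get("overrun", 0) + c.get("no buffer", 0)) / max(c.get("packets input", 0), 1)
        tx = c.get("underruns", 0) / max(c.get("packets output", 0), 1)
        slot = int(re.search(r"(\d+)/\d+$", name).group(1))
        report[name] = {"slot": slot, "rx": rx, "tx": tx,
                        "flagged": max(rx, tx) > threshold}
    return report

def flagged_by_slot(report):
    """Group flagged interfaces by slot number."""
    slots = {}
    for name, r in report.items():
        if r["flagged"]:
            slots.setdefault(r["slot"], []).append(name)
    return slots

if __name__ == "__main__":
    print(flagged_by_slot(ring_report(parse_show_interface(SAMPLE))))
```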