Channel: IEOC - INE's Online Community

nssa-only vs not-advertise


Hi

In the summary-address command, can anyone explain to me what essentially the difference is with these in an NSSA?  To me, in an NSSA, they essentially do the same thing, do they not?  What would warrant the use of one over the other?


SAN and Fibre Channel PLOGI failure debugging


Hi

 

I have an issue on FC/SAN network:

My topology is this one:

initiator -------- nexus-5672 ----------- nexus-7010 ------- nexus-5672 -------- brocade switch ------ target

- I have a target connected to a FC switch.

- I have an initiator connected to a FCOE network, in other words, on a simple nexus-5672 Ethernet switch.

All indicators are good:

Initiator is connected on a F port

FCOE configuration is declared on nexus 5672 switch

* I have a simple VSAN mapped on a simple VLAN configured all along this path

* I have a VFC configured on nexus-5672

No zoning, no zonesets exist on any points

All messages are going well from initiator to targets, FLOGI sequences succeed, but PLOGI exchange failed.

Does anybody here know a possible reason for this?

 

Regards

EIGRP OTP v DMVPN


Hello All,

 

Does anyone have any thoughts on why someone might choose to use EIGRP OTP over DMVPN? I'm drawing a blank and the only things I can come up with are that OTP config might be simpler and that maybe GETVPN is preferred for encryption over encrypted GRE.

 

Ticket 7 - Why no RPF Check Failure?


Hi,

The first thing I did in this ticket is an mtrace on R17 towards the Loopback of R15. As expected I got a "no route" output for this because the preferred route is towards R16. However, there is no PIM running on this interface. As a consequence, I increased the OSPF cost on the interface g1.1617 to change the IGP route towards R18.

Later I was a bit surprised that this was not part of the sample solution, so I labbed it up again and tried without increasing the OSPF cost on the g1.1617 link. Surprisingly, it still worked even though the output didn't make a lot of sense to me. The (S,G) tree will be built over the link where no PIM is running if this is the preferred route to reach R15's loopback. The "show ip mroute" output stated that the incoming interface was "Unknown" or something similar.

How is it that there is no RPF Check Failure on R17 when we receive the multicast packet sourced from R15's loopback interface from R18? This is a mystery to me.

Florian

95% Remote: Network Security Engineer--Full-Time


Overview:

The Network Security Engineer (NSE) is responsible for managing and maintaining network security systems. The NSE will utilize an advanced expertise in network security to provide daily support for multiple clients. 

Primary Responsibilities:

  • Maintain network security systems including firewalls, VPN, ISE, and IDS/IPS solutions, with a focus on Cisco ASAs and associated FirePOWER services
  • Troubleshooting client network security incidents
  • Moves, Adds, Changes, and Deletions for client security requests
  • Maintain documentation applicable to network security systems, processes and procedures
  • Monitor networking equipment and the health of the network
  • Review and interpretation of security logs
  • Assist with ongoing compliance and development of security policies and procedures

Qualifications:

  • Minimum of 2 years work experience with Cisco security solutions
  • Working knowledge of Cisco ISE
  • Working knowledge of Cisco FirePower services and related offerings
  • Detailed understanding of the TCP/IP protocols
  • Experience in security maintenance of network and security devices in a large enterprise environment (routers, switches, firewalls, intrusion detection/prevention systems)
  • A strong understanding of best network security practices at all layers of the OSI Model
  • Advanced knowledge of Cisco firewall and information security principles and practices
  • Excellent oral and written communication skills; ability to interact with internal and external stakeholders.
  • Must demonstrate strong analytical, reasoning and problem solving skills.
  • Ability to set priorities and adapt to changes in a quick, professional manner.
  • Ability to use discretion when handling confidential information.
  • Ability to effectively perform in a team environment
  • Excellent communications skills

Certifications:

Required: Cisco Certified Network Associate (CCNA) – Security

Required: Cisco Certified Network Professional (CCNP)

 

Preferred: Cisco Certified Internetwork Expert (CCIE) – Security

Next hop Interface or IP


Hi

I have just done one of the R&S v5 labs in the IP Routing section which asks for you to add a static route between R4 and R5 to each other's loopbacks via their vlan 45 LAN, then make a static route again to the loopback /16, so 150.1.0.0/16, via the DMVPN network.

I didn't get it spot on, but one of the things I don't get is why the answer is to route to the /32's with a next hop interface rather than a next hop IP. The proviso of the task is that the LAN route is favoured over the DMVPN route unless it becomes unreachable.

See below....

  • Configure R4 and R5 with IPv4 static routes to each other’s Loopback0 prefixes via the Ethernet segment between them.
  • Configure R4 and R5 with IPv4 static routes for 150.1.0.0/16 prefix via the DMVPN cloud.
  • Ensure that traffic between R4's and R5’s Loopback0 prefixes is primarily routed over the Ethernet segment, and DMVPN cloud is used only if Ethernet link is DOWN.

Are there 2 correct answers to the static to the loopbacks, or am I missing something fundamental that I will get using the next hop interface vs the next hop IP (which, as they are sharing a subnet, is the same path anyway)?

Thanks

Anthony

Netflow in Nexus ?


If I want to capture netflow traffic between clients inside a vlan, and clients to outside world via gateway (svi on that vlan), is this the right way to do it?

1. Between clients inside vlan :

     vlan configuration X

            ip flow monitor MONITOR input

            ip flow monitor MONITOR output

2. clients to outside world via gateway (svi on that vlan)

    interface vlan X

            ip flow monitor MONITOR input

            ip flow monitor MONITOR output

 

 

Note:

This is assuming flow recorder, flow exporter and flow monitor have been set up.

 

R&S/Pre-Sales| St. Louis, MO| Cisco Gold Partner


Systems Consultant--R&S Pre-Sales

SUMMARY
We are seeking a senior VMware, Cisco and Storage engineer with an overall understanding of our Access Practice and the technologies within. Knowledge of storage area networks and storage sub-systems is also desirable. This person will lead all phases of project deliverables for customers. 

PURPOSE OF POSITION
To provide administrative, engineering and architectural level consultation for various customers in addition to pre-sales assistance, scope development, support and training for customer base. You may also be responsible for managing and supervising other engineers in the completion of projects to design/implement/troubleshoot software, hardware, and associated peripherals on computer networks.   This position delivers infrastructure consulting and activities, including installation, configuration, upgrading, updating and troubleshooting of servers, networks, and related infrastructure. Identifies problems and provides resolutions utilizing knowledge of operating systems, BIOS, software applications and vendor specific hardware.   

RESPONSIBILITIES

·        Implementation of best practice procedures for Cisco network architecture design, development, implementation, and maintenance/support.

·        Implementation of best practice procedures for Netapp network architecture design, development, implementation, and maintenance/support.

·        Cisco Support and Level 3 troubleshooting with 24/7 support experience.

·        Windows, Terminal Services, Active Directory and GPO troubleshooting.

·        Netapp Support and Level 2 or 3 troubleshooting with 24/7 support experience is desirable.

·        Design and Implementation of routed and switched networks specific to LAN/WAN/VPN

REQUIREMENTS

·        Experience with design, configuration, and implementation of Cisco UCS

·        Experience with VMware or currently VMware Certified (VCP) is a huge plus

·        Strong understanding of Windows 2008R2/2012.

·        In-depth knowledge of Cisco IOS and related  Network infrastructure (LAN/WAN/VPN)

·        Proven knowledge and configuration experience of Cisco WAN routers (2800, 3800, 7200)& LAN/Nexus switches (3700, 4500, 4948, 6500, 2k,3k,5k,7k), Cisco ASA / PIX Firewall, Cisco wireless access points and controllers

·        Proven knowledge and experience with QoS, Routing Protocols (Static, BGP, EIGRP, OSPF), Spanning Tree, Layer 3 Switching, and VPNs (IPSec, MPLS, VPLS)

·        Knowledge and / or configuration of Citrix products including NetScaler, WANScaler, and Access Gateway solutions.

·        Experience with network analysis tools and troubleshooting techniques

·        Excellent documentation skills are required and the ability to make presentations to a technical audience desired.

·        Cisco CCNP, and MCSE certifications are strongly desired.

·        Experience as a lead consultant in designing and deploying Windows 2008R2/2012 and Active Directory projects is a big plus.

 

·        Excellent technical and interpersonal skills required.


Access port PC and phone in different VRF's.


Have an interesting scenario as part of a network migration.  One where the network is split into the default vrf and a new VRF.  The situation arises that the PC access vlan SVI will be in one VRF while the voice VLAN SVI is assigned to the other VRF.  PC plugs into the phone switch.  Routing between the VRFs is functioning via a FW. Trying to imagine how this would cause issues for VoIP calls, if any.  As long as the IP phone is still able to register with its call manager in the appropriate VRF I don't see how this would cause issues. Am I missing something?  Thanks.

if u were weak on Multicast - ATC or Deep Dive videos?


hey guys - I was going to do some investigating - I'm really weak on Multicast - in fact, it's my weakest topic - I use MPLS, QOS, and most of the other technologies but I almost feel like I'm at square one on multicast

I'm thinking of diving into the ATC - I have Beau Williamson's book, but I'd like to know if there isn't a better way to look at this topic instead of diving right into the ATC's - the Deep dives or some of the early CCNA/CCNP multicast videos

Thought I'd ask in case anyone else is in my predicament

RB 

OSPFv2 SPF Calc Options - iSPF, Partial, Full


 

I've been getting these mixed up, so maybe this will help someone too:

Incremental SPF - iSPF - Calcs SPF only on what changed. Topological changes (small/minor). 
Ex: New Stub router add, Link failure of link not part of Shortest Path Tree (SPF uses RIDs to calc SPT).

Partial SPF - PRC - Partial Route Calcs - Add/delete/metric change of prefixes (NLRI). No change to SPT. No link changes.
LSAs (those that carry prefix info!): 3, 4, 5, 7 
Ex: External route changes (external to an AREA, NOT just OSPF E1/E2/N1/N2... they weren't very clear on this).
Bonus Pt: Using Redistribution to bring route info into OSPF vs. Intra Area, within an Area. Option to scale single Area OSPF. Less Type 1 and 2 LSAs.

Full - Changes (major) to SPT, must do Full SPF Calc.
LSAs: 1, 2 
Ex: Metric change of link that would cause SPT to change (that would require Calc of alternate links, meaning not a Stub router). 

 

IS-IS does it a little bit differently, more like OSPFv3, but I'm still new to IS-IS, so I'll leave that for someone else to add to for now.
Thanks!

https://ccdewiki.wordpress.com/2013/06/06/partial-vs-full-spf-calculation/
https://learningnetwork.cisco.com/thread/71147
http://www.gossamer-threads.com/lists/cisco/nsp/160671?do=post_view_threaded
-Good pts on OSPFv3, IS-IS 
http://www.networkers-online.com/blog/2008/12/fast-convergence-partial-spf-calculation/ 

Differences in OSPF RFC1583 and RFC2328 compatibility


After watching Brian's ATC video on OSPF Areas and LSAs I thought I was finally clear on how OSPF will pick the exit point for external prefixes - intra-area external are preferred over inter-area external...or so I thought.

I did a quick and dirty topology: R3 ---- R4 ---- R5 ---- R6

R3 and R4 e0/0 are in Area 0

R4 e0/1 and R5 and R6 are in Area 1

R3 and R6 are both redistributing prefix 172.16.100.0/24 using default Type 2 and metric 20

Based on what I was hearing from Brian I would expect R5 to always choose R6 as the exit point to reach the external prefix due to the fact that R5 has a Router LSA for R6 which means they are in the same area.

When everything comes up and the SPF has been run I expect R5 to use R6 as the next hop, which it does:

Routing entry for 172.16.100.0/24

  Known via "ospf 1", distance 110, metric 20, type extern 2, forward metric 10

  Last update from 10.1.56.6 on Ethernet0/0, 00:18:37 ago

  Routing Descriptor Blocks:

  * 10.1.56.6, from 6.6.6.6, 00:18:37 ago, via Ethernet0/0

      Route metric is 20, traffic share count is 1

I would expect that I could raise the OSPF cost of e0/0 on R5 to 1000 and it should still use R6 as the exit point, but it does not; it switches over to using R3:

Routing entry for 172.16.100.0/24
  Known via "ospf 1", distance 110, metric 20, type extern 2, forward metric 20
  Last update from 10.1.45.4 on Ethernet0/1, 00:00:01 ago
  Routing Descriptor Blocks:
  * 10.1.45.4, from 3.3.3.3, 00:00:01 ago, via Ethernet0/1
      Route metric is 20, traffic share count is 1

Then I started to do a little research and found that the intra-area external over inter-area external preference is only honored if both of the following conditions are true:

1) The router is running in rfc 2328 compatibility mode instead of rfc 1583 compatibility

2) The intra-area ASBR needs to be in a non-backbone area

RFC1583 compatibility just uses the best cost to reach the closest ASBR. I wonder if the CSR1000v routers that Brian was using during the ATC recording run rfc2328 out of the box to make the path selection do what he says in the video?

I run a lot of Juniper in my environment and when I saw one of my core switches preferring an inter-area ASBR over an intra-area ASBR to reach some external prefixes I was quite perplexed as to why. Now I know...I think :-)

VIRL on packet


All,

 

I have deployed VIRL on packet bare metal 32 gig ram, and can only fire up a few nodes, i.e. 4 CSR1000V and 3 XR images, on the SP 4.0 INE topology. Are there any tips or recommendations to be able to run the full topology?

Cisco IOS calculated Rate shown


Hi all,

I have a "beginner" question for you.

When I see rates on different show outputs like these ones:

AA#sh policy-map int FastEthernet0/0/0.2 input | i offered
      30 second offered rate 3933000 bps
      30 second offered rate 6302000 bps
      30 second offered rate 4761000 bps
      30 second offered rate 4776000 bps, drop rate 0000 bps
AA#sh int FastEthernet0/0/0 | i 30 sec
  30 second input rate 19753000 bits/sec, 1629 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec

How is the rate calculated? Does it take into consideration the full bits put on the wire (L2+L3+L4+Payload)? Or it just looks at everything above L2? Or above L3?

Did not manage to find info about this on google.

 

question about eigrp


Hi everyone

I am on this lecture with Mr Keith Bogart in the CCNPv2 lectures:

EIGRP Metric Manipulation -- Part 1

Note: the line in red I drew myself

1- r18 will adv 188.188.188.0 to r19, then r19 will adv it to Rx to r20

Notice that r20 has the same network 188.188.188.0 as a directly connected network

Will r20 adv network 188.188.188.0 directly connected to r19, or will it adv network 188.188.188.0 that it rcv via rx,

or will r20 adv both networks?

I hope you understand my question

 

thanks 


Service Provider base configs for Virl


Hi,

Does anyone have the base config for IPv4 and IPv6 basic connectivity?

I have been going through the new ATC videos but am unable to ping certain routers, i.e. between XR1 and XR2

RP/0/0/CPU0:XR2#sh run inter gi 0/0/0/0.1112

Wed Apr 13 07:33:23.581 UTC

interface GigabitEthernet0/0/0/0.1112

 ipv4 address 10.11.12.12 255.255.255.0

 ipv6 address 2001:10:11:12::12/64

 encapsulation dot1q 1112

 

RP/0/0/CPU0:XR1#sh run inter gi 0/0/0/0.1112

Wed Apr 13 07:32:49.879 UTC

interface GigabitEthernet0/0/0/0.1112

 ipv4 address 10.11.12.11 255.255.255.0

 ipv6 address 2001:10:11:12::11/64

 encapsulation dot1q 1112


Full Scale Lab 4 task 2.4


Is this normal ?

 

RP/0/0/CPU0:XR1#conf t 

Sun Feb 13 09:20:38.743 UTC

RP/0/0/CPU0:XR1(config)#router isis 1000

RP/0/0/CPU0:XR1(config-isis)#address-family ipv6 unicast

RP/0/0/CPU0:XR1(config-isis-af)#single-topology

RP/0/0/CPU0:XR1(config-isis-af)#!

RP/0/0/CPU0:XR1(config-isis-af)#interface Loopback0

RP/0/0/CPU0:XR1(config-isis-if)#address-family ipv6 unicast

RP/0/0/CPU0:XR1(config-isis-if-af)#!

RP/0/0/CPU0:XR1(config-isis-if-af)#!

RP/0/0/CPU0:XR1(config-isis-if-af)#interface GigabitEthernet0/1/0/0.195

RP/0/0/CPU0:XR1(config-isis-if)#address-family ipv6 unicast

RP/0/0/CPU0:XR1(config-isis-if-af)#!

RP/0/0/CPU0:XR1(config-isis-if-af)#!

RP/0/0/CPU0:XR1(config-isis-if-af)#interface POS0/6/0/0.1920

RP/0/0/CPU0:XR1(config-isis-if)#address-family ipv6 unicast

RP/0/0/CPU0:XR1(config-isis-if-af)#commit 

RP/0/0/CPU0:Feb 13 09:20:43.453 : isis[285]: %ROUTING-ISIS-6-IIH_IF_ADDRESS : IIH received from POS0/6/0/0.1920 contains unusable IPv6 interface address: no interface address TLV 

Question about "area [#] nssa translate type7 always" command and TE for NSSA areas with multiple exits


Hello, 

 

I have 2x questions I am hoping to get some help with. Both involve OSPF NSSA areas with multiple exit points and traffic engineering by controlling which ABR performs translation.

The first question I have is how does the "area [#] nssa translate type7 always" work when configured on an ABR and there are multiple ABRs present. When I say 'work' I generally maybe hopefully understand a little about what this command does in terms of 7/5 translation and how that can be used for TE. What I don’t understand and cannot seem to find any information or a clear explanation on is the magic that makes this command work. What signaling or communication takes place that allows 1 ABR to assert itself over the other?

The second question I have again relates to the "area [#] nssa translate type7 always" command with an NSSA area that has multiple exit ports. I have the preferred method is to modify the RIDs on the ABRs if you need to perform any TE as the "area [#] nssa translate type7 always" is unreliable.

Any thoughts or feedback on either question would be greatly appreciated.
