Recently we had a Cisco Web Security Appliance (WSA) Proxy fail. When I
say fail, I mean a single stick of RAM failed after a reboot. Cisco said
RAM isn't replaceable so we had to RMA the whole box (odd for a device
that is basically a rebadged server...maybe I have a money saving idea
for you Cisco!)
There were a few steps to …

I was recently involved in a project upgrading the core firewall pair
from Checkpoint R71.40 SPLAT to R77.20 GAiA. While very different, a lot
of the configuration is pretty straightforward, and well documented in
various articles on the Checkpoint website.
This setup runs BGP on the firewalls, to learn routes from our internal
VRFs and also the WAN VRF where our MPLS …

We have just undertaken a project to upgrade the Checkpoint Management
server from R71.40 to R77.20. It went very smoothly, and was probably a
lot easier than I first expected.
The first thing to note is that this upgrade cannot be done directly. In
accordance with the upgrade path, you must first upgrade to R75.40.
Luckily for us, we had shiny new …

What you don't need while you are checking your morning emails and
drinking your first cup of coffee of the day is to receive an email
saying that the VSM for the Nexus 1k has rebooted.
By the time we logged on to the Nexus 1000v, it was back up. "show
system redundancy status" showed both VSMs (supervisors) as being up
and HA. The "show …

This is a very short section! I didn't see the point in harping on about
Wireshark; I use it most days at work. And the IOS embedded packet
capture was discussed at length further up the blueprint (i.e. in a
previous blog post).
1.3.c Interpret packet capture
1.3.c (i) Using Wireshark trace analyzer
Packet capture can be obtained using a …

This is another difficult section in the blueprint to write about. I
find troubleshooting techniques and methodologies to be quite personal;
no two people's brains work the same way. I guess this is based on how I
do things and some tips I've received from a few people over the years.
1.3.b (i) Diagnose the root cause of networking issue (analyze symptoms, identify …

1.3.a Use IOS troubleshooting tools
1.3.a (i) debug, conditional debug
Debugs can be used on a wide range of functions (debug ?). Some debugs
can be very noisy. Debug conditions can be set to filter out some of the
noise – for example debug condition interface fa0/0 will limit the debug
information to things using that interface. Undebug all does not remove …

As the blueprint goes, this is, in my opinion, the most vague topic to
write about. It is dependent on the understanding of the topics, and how
the changes will impact the existing network. I have skimmed through
this really, with the intention of covering the topics in their actual
topic sections. I am pretty used to evaluating impact - I seem to spend
my entire …

This topic made me think about the starvation stuff. I suppose it is
pretty obvious that UDP wouldn't back off if WRED was employed, but it's
something I never really thought about.
I found a few good videos on YouTube which gave some good RTP/RTCP
1.1.f (i) Starvation
TCP Starvation / UDP Dominance is experienced in times of congestion
where UDP and …

TCP - I thought I'd glance over this section. Turns out there was some
stuff I'd never heard of, such as the bandwidth delay product.
1.1.e (i) IPv4 and IPv6 PMTU
Path MTU Discovery is the process of sending increasingly larger packets
with the DF bit set, until finally an ICMP Destination Unreachable
(Packet too large, DF bit set) message is received. The size …