CCIE Written Blueprint: 1.1.a Describe basic software architecture differences between IOS and IOS XE

I have had an idea. I decided the best way to focus on the CCIE topics to study for the written exam (and try and reign myself in from just reading the “interesting” stuff!) is to aim for the exam topics…if I know all of them, how can I fail?

The exam topics are available here: Cisco CCIE Written Exam Topics

I have copied these out in to a word document, and I intend to write a small paragraph about each topic. It’s concise, consolidated and easy to revise from, yet makes me read tons of stuff I wouldn’t usually read to learn enough information.

So to start…here is section 1.1.a: Describe basic software architecture differences between IOS and IOS XE.

Continue reading

Non-Transitive or Transitive? – BGP Path Attributes

ID-100217670I was reading about BGP Path Attributes and came across this table (thanks to http://netcerts.net/bgp-path-attributes-and-the-decision-process/):

LIST OF BGP PATH ATTRIBUTES
Attribute Name Category / Class
ORIGIN Well-Known Mandatory
AS_PATH Well-Known Mandatory
NEXT_HOP Well-Known Mandatory
LOCAL_PREF Well-Known Discretionary
ATOMIC_AGGREGATE Well-Known Discretionary
AGGREGATOR Optional Transitive
COMMUNITY Optional Transitive
MULTI_EXIT_DISC (MED) Optional Non-Transitive
ORIGINATOR_ID Optional Non-Transitive
CLUSTER LIST Optional Non-Transitive
MULTIPROTOCOL Reachable NLRI Optional Non-Transitive
MULTIPROTOCOL Unreachable NLRI Optional Non-Transitive

I didn’t quite understand what “non-transitive” meant, so I labbed it up to find out…

 

Continue reading

OSPF Network Types – A Neighbour Killer?

salary-comicYep, I spell neighbour the British way. No, I don’t do it in IOS. But I should be able to. 🙂

While going over some OSPF stuff today, I found a statement saying that OSPF network types have to match for routers for form a neighbour relationship. Because I’m a nerd, I questioned this. My reason? I don’t remember OSPF network type being a field in the hello packet header. And if it’s not in the header, how can the neighbour tell…therefore, how can it be a criteria?
Continue reading

CCIE….here goes

I’m taking the plunge.

Following on from CCNP R&S, I took a break from studying. A lot has happened since I passed. I got a proper networking job, I’m working as a network engineer responsible for a data centre and European branch offices. That was a steeper learning curve than my cert’s, so I had to focus on it. I’ve moved house. Twice.

Anyway, time to get back on it. And I’m going for the big one. I want my number. :). CCIE #xxxxx to follow. It’s going to be a long slog.

Currently reading “Routing TCP/IP Vol 1 2nd Ed” (gotta love a kindle for portability), and watching videos with my shiny new INE Ultimate All Access Pass.

Let’s go!

IronPort Proxy Logs – Viewing something useful

proxy_serverOne of the most frustrating things about working with the IronPort proxy servers is how difficult it is to view the log files. The logs are stored on the proxy server in text files – these are often multiple gigabytes in size – downloading takes an age, and opening them in Windows is next to impossible.

Fortunately, if you SSH to the management interface of the proxy, you can use grep to parse the IronPort proxy logs. I find it easier to tail the log file (that is, start from the end). This is no use for historic logs, but if you can ask the user to test while you have the tail of the log open, you can view their connection requests live.

The command for this is:

grep -t -e “text_to_search” accesslogs

The -t in this specifies to tail the logs. If you drop this, it will grep through the entire log file – this can take some time. The -e denotes the regular expression that is to follow – I generally stick the URL (or a portion of it) in to this. And accesslogs specifies that the log you wish to search is the access log. Log names can be found in the Web GUI.

If you use the -t option, it will hang and say “Ctrl-C to stop”. Perform the test while it is in that state, and you will see a log entry flash up.

The log entries are in standard quid format – a good description of that can be found here: http://proxyadvices.wordpress.com/2012/11/09/ironport-squid-log-interpretation/

Checkpoint VPN Error: According to the policy the packet should not have been decrypted

checkpoint_logI encountered an issue recently while trying to allow access to a new subnet over an existing VPN. The far end device was a Cisco router, and had an access list matching an entire class A subnet which was applied to the crypto map. The traffic destined for the new subnet was arriving at our firewall, and showing in the logs as dropped, with the error:

According to the policy the packet should not have been decrypted

I found a few things on the internet, but the solution wasn’t immediately clear. Firstly, here are the rules (as I understand them) of a Checkpoint VPN:

When the firewall receives a packet, before it even looks at the rule base, it looks at whether any VPN encryption / decryption is required.

If the packet is not already encrypted:

  • If the source address is not in a peer’s encryption domain, and the destination address is not in the local encryption domain, or
  • If the source address is not in the local encryption domain, and the destination address is not in a peer’s encryption domain, then pass the packet without encryption.Continue reading

Archiving and deleting IOS images

Archive

Image courtesy of renjith krishnan / FreeDigitalPhotos.net

I recently had the need to upgrade the IOS on a Cisco switch (think it was a 3750). As usual, the flash was too small so I needed to remove (and archive/save) the old IOS before putting the new one on. A lot of the images these days include HTML and other things, so are contained in folders rather than a single file. So, how do you take a backup of the image, delete it, and install the new one, without doing each file individually?Continue reading

New web and mail servers

Image courtesy of ddpavumba / FreeDigitalPhotos.net

Image courtesy of ddpavumba / FreeDigitalPhotos.net

Apologies, but some of you may have found that this site has been intermittently offline for the past few days.

I have taken it upon myself to learn some more unix, and build my own web and mail servers to host my sites (plus a couple of others I currently support, and allow room for expansion).

I thought I’d share my experiences, and maybe a few hints and tips — mostly just an overview, because I have done so much crap in the last few days that I’ve forgotten half of it!Continue reading

Bulk DNS Lookup in Windows Powershell – Better than NSLookup!

 

So firstly, I’ve just seen that’s its been over 3 months since I last posted – for anyone that looks back here regularly, Sorry! Thanks for coming back though, I am going to try to be more active.

I started a new job at the end of August as a Network Engineer as part of the network team in a data centre supporting multiple European sites. It’s been a steep learning curve and has eaten most of my time. I’ve learnt more in the last three months than I thought possible, and loved every minute of it!

I’ve got a lot of things I could post about, but today I thought I’d start with a handy little script which I wrote in Windows Powershell which can take a list of host names (or IP’s) from a text file, and perform a DNS Lookup on them.

Continue reading