GNS3 1.0 Alpha 6 - Mac OS X support is back!

GNS3 1.0 Alpha 6 is out today and with it is native Mac OS X support!

The full list of changes in the latest alpha release is:

  • Mac OS X DMG package (Only tested on OSX Mavericks).
  • New host names management.
  • New project dialog (in preparation for cloud support).
  • Logs saved to files (GNS3_client.log and GNS3_server.log).
  • Relative paths support for IOS/IOU images in project files.
  • Fixed decoding errors when reading device configs.
  • Fixed privileged access checks for IOU.
  • Fixed validation issue with c2600 XM chassis.
  • Fixed VPCS start on Linux/UNIX.
  • Fixed Ethernet hub when loading a project.
And here we are running the new version, natively on my Macbook Air:

GNS3 1.0 Alpha 6


About GNS3 1.0 Alpha 6

It runs perfectly fine on my Macbook Air, but I do think that this machine is a bit underpowered for running anything intensive; with just the setup below my fan sounds like a small engine trying to take off!


GNS3 1.0 Alpha 6 Mac OSX routers

With a medium sized topology my CPU is pretty maxed out.

GNS3 1.0 Alpha 6 Mac OSX CPU

The routers are all running natively in GNS3 though. If I were to harness the new ability of GNS3 1.0 to work with IOU then I could offload the running of the routers to a more suitable server, and leave all the fun stuff (GUI and configuration) to run on my laptop. The original GNS3 runs great on my iMac though, and it's nice to have a native version of the new alpha release.


The scoop on CML and VIRL!

It's always nice, on a wet British morning when the sky looks grey and drab and you don't want to get out of bed, to have something to counterbalance the crap UK weather.

Firstly one of my sons woke up at 5:40am, usually this would mean the start to my day, but one quick nappy change later and he was back in his bed fast asleep, they then woke up at a very respectable 7:30 allowing the wife and I to get a rare lie-in together.

The second was getting a message from Craig at Cisco. He picked up on a post that I made on some information about CML (Cisco Modeling Labs) and offered "to clear up people's questions and misinformation". Clearly there are a lot of people wanting to hear more about CML and, more importantly, to start getting some real hands-on experience of it, so I wasn't going to pass up the chance to quiz him; having him clarify what we know (or what we think we know) would certainly be a good idea.

Over the last few months we have heard a lot of supposed "fact" about CML, how it is what used to be code named VIRL, and quite frankly, there is probably more wrong information out there than truth.

So with coffee in hand I sent him a few questions through Google+, and he got back to me on email.

I am pasting things in the context of my questions to him: each of my questions is followed by Craig's reply. We'll start with Craig's introduction so you can get an understanding of who he is in relation to CML.

Hi Craig, thanks for getting in touch. I have a few questions about CML, and then would love to hear anything else you'd like to add.

In terms of introductions, I am the Cisco Technical Marketing Engineer for Cisco Modeling Labs, and you can reference these answers. I represent CML within the organization called Learning@Cisco (L@C) who will be launching CML which is based on VIRL. There are other organizations such as the Innovate team and the OnePk team who also use VIRL.

CML is built for the Corporate users that are looking to validate
VIRL will be available via Devnet and will be free for any registered user to download. This will be a community-supported platform. For more information on 'Devnet', please take a look at https://developer.cisco.com/site/devnet/home/index.gsp. More information on VIRL will be posted there soon. Target FCS is 7/30.

People ask what’s the difference between VIRL and CML? L@C collaborated with the Innovation team (the developers of VIRL) to productize it, run the full test regime so that it’s stable, document, and provide TAC support.
VIRL will be available in other formats, available to customers, but not with the testing regime, TAC supported version, docs, and so on.

I started my studies (as most do) with my head deep into Packet Tracer, will CML replace Packet Tracer?

I haven’t had a conversation about what the story is and, to be honest, I haven’t compared the two products yet – but will put that on my to-do list.

Cisco are very evidently embracing the open networking technologies that are emerging, so will CML link into the ONE (onePK) suite?

For onePk, you can install the OnePk All-in-one OVA today and the CML OVA and they will communicate. Also, I installed the OnePK API directly in the CML server and that works too.

What is the estimated release date for the "consumer" version? I have heard from different sources that it will be available through DevNet for free, or that it will be sub $100, is this the case?

Answered above in Craig's introduction.

Will CML have a new logo?

This is the CML logo



Does CML support DMVPN?

Not at this time.

Will CML (at some stage) have more support for layer 2? Clearly these functions are more ASIC driven, but as the CCIE requires the ability to do spanning-tree this is something that people will be looking for

Yes, we are building a Layer 2 image now and working around some of the ASIC issues.

Speaking of the CCIE, Cisco have said that the lab will be 100% virtualized, is CML going to be the back-end for the new exam?

Yes, CML will be the backend for L@C CCIE labs, in the future. (L@C runs the CCIE labs so that’s the correlation)

CML supports connections to real equipment, which will probably overcome the layer 2 issue, does this mean that (in time) we would be able to join CML and GNS3 networks?

CML does have external connections for both L2 and L3 so you can connect to external devices or other virtual images

Will CML allow us (again in time) to run other vendors equipment within it?

In the first release you can run any image that runs within OpenStack, Cisco image or other.

So there you go, some concrete information from Cisco!

sh brief

In short:
  • CML and VIRL are separate products: CML is the productized, tested and TAC-supported version of VIRL.
  • VIRL will be free, and out soon (end of July by the looks of it).
  • VIRL will be community supported; CML will have full Cisco support (TAC, documentation etc).
  • Integration with ONE (onePK) will be possible (how cool is that?!).
  • A Layer 2 image is being built, working around the ASIC-dependent functions (in time).
  • It has external L2 and L3 connections, so joining it to other virtual networks such as GNS3 is possible.
  • It will run any image that runs within OpenStack, Cisco or otherwise (Ubuntu, RedHat variants, SuSe).
Keep watch on the DevNet site and keep your eyes open around the end of July for VIRL.

I would like to express my thanks to Craig for taking the time out to answer the questions, and to clear up the confusion surrounding CML and VIRL.

Some information on CML - from Cisco!


Finally we have some information on CML that is a little bit more concrete. I haven't seen a logo for it, so I am still using the old VIRL one.

Head over to http://www.cisco.com/go/cml and you'll find some tasty information about the Corporate edition of CML. There is not any information about the consumer version as of yet, I don't expect that much will differ though!

CML requirements

We have a CML Excel Capability Calculator, and it looks like you'll need a pretty beefy machine. To run (as an example) 15 IOSv routers and 10 IOS XRv routers along with two small server images, you are looking at a requirement of 21248MB of memory, or approx 21GB.

As a breakdown of the requirements, IOSv requires 512MB, whilst CSR1000v and IOS XRv both require 3GB. Cisco do, obviously, tout their UCS C220 M3 servers, tricked out with 16 cores and 128GB of memory, along with ESXi (5.0, 5.1 or 5.5) as a host environment.

Clearly this does not make the corporate edition of CML a cheap prospect.

The host machine (running the GUI) needs a minimum of 2GB of RAM and 1GB of free disk space, Firefox or Chrome, Windows 7 or Windows 8 (or, for a Mac user, OS X 10.8 or 10.9), along with JRE 6 or 7, so not very taxing from that standpoint.

Anyway, to confirm some things we already knew: it comes in the form of a separate GUI and server. It also ships with an IOSv image (15.4(2)T), an IOS XRv image and a Linux server image.

What does CML support?

Unsurprisingly, hardware functions and Layer 2 technologies are not supported, so no Spanning Tree, HA or anything else that requires an ASIC! Do not fear though, as CML does offer the ability to connect to real networks, and the list of supported technologies certainly outweighs the unsupported.

I want to order CML!

The product code for the base package of CML is R-CML-CE-K9=. This includes the Cisco Modeling Labs 1.0 software and a total of 15 supported nodes.

Extra nodes can be bought in packs of 10, 50 and 100 through expansion packs.

You can also purchase the IOS-XRv Simulation Site VM License and CSR 1000V e-PAK (in standard, advanced or premium packages) and these extras are a yearly subscription.

IOU - Image is everything


Finding the right image for IOU can be a tricky thing to do, depending on what you are looking for. Things may look correct, but when you dig deeper down into it, you might not get the results you are looking for.

This all came about when discussing HSRP and IOU limitations with Maureen on a post about HSRP and ASICs.

IOU Images for Switches and for Routers

IOU images come in two flavours: Layer 2 images for switches, and router images. Calling them Layer 2 images is a bit of a misnomer, because they can actually perform Layer 3 functions (such as having a Layer 3 VLAN interface), so don't worry too much about the "layer 2" label (or the l2 in the filename). Don't ask me to supply the images though; that's your homework...

IOU Switch images

IOU switch images are usually named i86bi_linux_l2-<feature set>-ms.<build tag or date>, such as:
  • i86bi_linux_l2-ipbasek9-ms.jan24-2013-B
  • i86bi_linux_l2-ipbasek9-ms.jan24-2013-team_track
  • i86bi_linux_l2-ipbasek9-ms.may8-2-13-team_track
  • i86bi_linux_l2-upk9-ms.june20_2012_golden_spike
  • i86bi_linux_l2-adventerprise-ms.nov11-2013-team_track
Most of these are ipbasek9 builds, but there are others out there.

IOU Router images

Router images follow pretty much the same naming format, minus the l2:
  • i86bi_linux-adventerprisek9-ms.152-2.15.T
  • i86bi_linux-adventerprisek9-ms.152-4.M1
  • i86bi_linux-jk9s-ms.150-1.XJR111.358_120107
  • i86bi_linux-p-ms.june20_2012_golden_spike
Needless to say, a router image is not the same as a switch image.
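To put that naming convention to use, here is an added example (my own, not code from the original post or from the GNS3 project) that parses these filenames into their parts and cross-checks them against what show version prints, which is handy when a project file or a show version line points at a truncated path such as the unix:/.../i86bi_linux_l2-ipbasek9-ms.jan2 seen later on this page. The i86bi_linux[_l2]-<featureset>-ms[.<tag>] filename pattern and the I86BI_LINUX[L2]-<FEATURESET>-M banner form are inferred from the names on this page, not from any published Cisco specification, and classifying the tag as a release string (152-4.M1) or a build date (jan24-2013) is the same kind of assumption. The sample show version text is constructed from the first sh ver capture below.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Naming pattern inferred from the filenames listed above:
#   i86bi_linux[_l2]-<featureset>-ms[.<tag>]
# and the form "show version" prints in parentheses for the same image:
#   I86BI_LINUX[L2]-<FEATURESET>-M
# Treating "-ms"/"-M" as a fixed marker and everything after the first "."
# as an opaque build tag is an assumption, not a documented Cisco rule.
_FILE_RE = re.compile(
    r"^(?P<arch>i86bi)_(?P<os>linux)(?P<l2>_l2)?-(?P<feat>[^-]+)-ms?(?:\.(?P<tag>.+))?$",
    re.IGNORECASE,
)
_BANNER_RE = re.compile(r"^(?P<arch>I86BI)_(?P<os>LINUX)(?P<l2>L2)?-(?P<feat>[^-]+)-M$")
_RELEASE_TAG = re.compile(r"^\d{3}-\d+\.")  # e.g. 152-4.M1, 150-1.XJR111.358_120107


@dataclass(frozen=True)
class IouImage:
    layer2: bool          # built from the "l2" (switching) tree
    feature_set: str      # ipbasek9, adventerprisek9, upk9, jk9s, p, ...
    tag: Optional[str]    # release string or build date, if present

    @property
    def role(self) -> str:
        # "l2" images still route (SVIs etc.); the label only says which tree they came from
        return "switch" if self.layer2 else "router"

    @property
    def tag_kind(self) -> str:
        if self.tag is None:
            return "none"
        return "release" if _RELEASE_TAG.match(self.tag) else "build-date"


def parse_filename(name: str) -> IouImage:
    """Parse an IOU image filename or full path (quotes and unix: prefix tolerated)."""
    base = name.strip().strip('"').rsplit("/", 1)[-1]
    m = _FILE_RE.match(base)
    if not m:
        raise ValueError(f"not an IOU image name: {name!r}")
    return IouImage(bool(m.group("l2")), m.group("feat").lower(), m.group("tag"))


def parse_banner(banner: str) -> IouImage:
    """Parse the image name that 'show version' prints in parentheses."""
    m = _BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError(f"not an IOU banner image name: {banner!r}")
    return IouImage(bool(m.group("l2")), m.group("feat").lower(), None)


def check_show_version(text: str):
    """Cross-check the banner against the file IOS says it booted from.

    Returns (banner_image, file_image, consistent). IOS truncates the file
    name it prints, so only tree and feature set are compared, not the tag.
    """
    banner = re.search(r"\((I86BI_[^)]+)\)", text)
    path = re.search(r'System image file is "([^"]+)"', text)
    if not banner or not path:
        raise ValueError("show version output lacks banner or image file line")
    b, f = parse_banner(banner.group(1)), parse_filename(path.group(1))
    return b, f, (b.layer2, b.feature_set) == (f.layer2, f.feature_set)


# Constructed from the first "sh ver" capture on this page (trimmed).
SAMPLE_SHOW_VERSION = """Cisco IOS Software, Solaris Software (I86BI_LINUXL2-ADVENTERPRISE-M), Experimental Version 15.1(20131216:211730) [mmen 106]
ROM: Bootstrap program is Linux
System image file is "unix:/home/gns3/Documents/GNS3/images/i86bi_linux_l2-adventerprise-ms"
"""

if __name__ == "__main__":
    for n in ["i86bi_linux_l2-ipbasek9-ms.jan24-2013-team_track",
              "i86bi_linux-adventerprisek9-ms.152-4.M1"]:
        img = parse_filename(n)
        print(f"{n}: {img.role} image, feature set {img.feature_set}, tag {img.tag} ({img.tag_kind})")
    b, f, ok = check_show_version(SAMPLE_SHOW_VERSION)
    print("banner matches booted file:", ok)
```

The useful check is the last one: when a topology misbehaves, confirm that the image IOS reports in its banner is the tree and feature set you think you loaded, before blaming the feature itself.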

Not all IOU images are equal

So what's the point of this anyway?

Take the following topology:


We have three switches and one host. The top two switches run HSRP for VLAN 10, with trunk ports between them and the third switch, which just has VLAN 10 configured. The VPCS host is on an access port in VLAN 10. Note that these are bare lab configs: the group runs HSRP version 1 with no authentication configured (so the default plaintext string), which means any host on VLAN 10 could send a higher-priority hello and take over the virtual IP; on a real network you would add standby 10 authentication md5 key-string <key>. The configuration is as follows:
SW1#sh run int e0/0
Building configuration...

Current configuration : 103 bytes
!
interface Ethernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 duplex auto
end

SW1#sh run int e0/1
Building configuration...

Current configuration : 103 bytes
!
interface Ethernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 duplex auto
end

SW1#sh run int vlan 10
Building configuration...

Current configuration : 147 bytes
!
interface Vlan10
 ip address 10.10.1.2 255.255.255.0
 standby 10 ip 10.10.1.1
 standby 10 priority 150
 standby 10 preempt delay minimum 60
end

SW1#

SW2#sh run int e0/0
Building configuration...

Current configuration : 103 bytes
!
interface Ethernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 duplex auto
end

SW2#sh run int e0/1
Building configuration...

Current configuration : 103 bytes
!
interface Ethernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 duplex auto
end

SW2#sh run int vlan 10
Building configuration...

Current configuration : 109 bytes
!
interface Vlan10
 ip address 10.10.1.3 255.255.255.0
 standby 10 ip 10.10.1.1
 standby 10 priority 90
end

SW2#

SW3#sh run int e0/0
Building configuration...

Current configuration : 103 bytes
!
interface Ethernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 duplex auto
end

SW3#sh run int e0/1
Building configuration...

Current configuration : 103 bytes
!
interface Ethernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 duplex auto
end

SW3#sh run int e0/3
Building configuration...

Current configuration : 93 bytes
!
interface Ethernet0/3
 switchport access vlan 10
 switchport mode access
 duplex auto
end

SW3#
Nothing too hard here, but the image makes all the difference.
SW1#sh ver
Cisco IOS Software, Solaris Software (I86BI_LINUXL2-ADVENTERPRISE-M), Experimental Version 15.1(20131216:211730) [mmen 106]
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Mon 16-Dec-13 13:50 by mmen

ROM: Bootstrap program is Linux

SW1 uptime is 1 hour, 5 minutes
System returned to ROM by reload at 0
System image file is "unix:/home/gns3/Documents/GNS3/images/i86bi_linux_l2-adventerprise-ms"
With this image we don't get any working HSRP. Both the top two switches think that they are the active switch:
SW1#sh standby vlan 10
Vlan10 - Group 10
  State is Active
    2 state changes, last state change 01:02:08
  Virtual IP address is 10.10.1.1
  Active virtual MAC address is 0000.0c07.ac0a (MAC In Use)
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.904 secs
  Preemption enabled, delay min 60 secs
  Active router is local
  Standby router is unknown
  Priority 150 (configured 150)
  Group name is "hsrp-Vl10-10" (default)
SW1#

SW2#sh standby vlan 10
Vlan10 - Group 10
  State is Active
    2 state changes, last state change 01:03:07
  Virtual IP address is 10.10.1.1
  Active virtual MAC address is 0000.0c07.ac0a (MAC In Use)
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.032 secs
  Preemption disabled
  Active router is local
  Standby router is unknown
  Priority 90 (configured 90)
  Group name is "hsrp-Vl10-10" (default)
SW2#
Debugging HSRP shows that the two are not talking to each other, even though CDP and ARP look fine:
SW1#sh cdp neigh
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SW2              Eth 0/0           162             R S I  Linux Uni Eth 0/0
SW3              Eth 0/1           122             R S I  Linux Uni Eth 0/0
SW1#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.1               -   0000.0c07.ac0a  ARPA   Vlan10
Internet  10.10.1.2               -   aabb.cc80.0100  ARPA   Vlan10
SW1#debug standby
HSRP debugging is on
SW1#
*May 23 07:39:26.362: HSRP: Vl10 Grp 10 Hello  out 10.10.1.2 Active  pri 150 vIP 10.10.1.1
SW1#
*May 23 07:39:29.211: HSRP: Vl10 Grp 10 Hello  out 10.10.1.2 Active  pri 150 vIP 10.10.1.1
SW1#
*May 23 07:39:31.624: HSRP: Vl10 Grp 10 Hello  out 10.10.1.2 Active  pri 150 vIP 10.10.1.1
SW1#
*May 23 07:39:34.614: HSRP: Vl10 Grp 10 Hello  out 10.10.1.2 Active  pri 150 vIP 10.10.1.1
SW1#
*May 23 07:39:37.568: HSRP: Vl10 Grp 10 Hello  out 10.10.1.2 Active  pri 150 vIP 10.10.1.1
SW1#
*May 23 07:39:40.328: HSRP: Vl10 Grp 10 Hello  out 10.10.1.2 Active  pri 150 vIP 10.10.1.1
SW1#
*May 23 07:39:43.090: HSRP: Vl10 Grp 10 Hello  out 10.10.1.2 Active  pri 150 vIP 10.10.1.1
SW1#
No HSRP traffic gets returned. If we switch images we do get a bit further:
SW1#sh ver
Cisco IOS Software, Solaris Software (I86BI_LINUXL2-IPBASEK9-M), Experimental Version 15.1(20130124:233217) [dstivers-jan24-2013-team_track 101]
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Thu 24-Jan-13 16:17 by dstivers

ROM: Bootstrap program is Linux

SW2 uptime is 7 minutes
System returned to ROM by reload at 0
System image file is "unix:/home/gns3/Documents/GNS3/images/i86bi_linux_l2-ipbasek9-ms.jan2"

SW1#sh standby vlan 10
Vlan10 - Group 10
  State is Active
    2 state changes, last state change 00:01:36
  Virtual IP address is 10.10.1.1
  Active virtual MAC address is 0000.0c07.ac0a (MAC In Use)
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.160 secs
  Preemption enabled, delay min 60 secs
  Active router is local
  Standby router is 10.10.1.3, priority 90 (expires in 10.592 sec)
  Priority 150 (configured 150)
  Group name is "hsrp-Vl10-10" (default)
SW1#

SW2#sh standby vlan 10
Vlan10 - Group 10
  State is Standby
    1 state change, last state change 00:01:21
  Virtual IP address is 10.10.1.1
  Active virtual MAC address is 0000.0c07.ac0a (MAC Not In Use)
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.256 secs
  Preemption disabled
  Active router is 10.10.1.2, priority 150 (expires in 10.256 sec)
  Standby router is local
  Priority 90 (configured 90)
  Group name is "hsrp-Vl10-10" (default)
SW2#
So HSRP looks good from the viewpoint of the switches. However, not all is well from the VPCS guest:
VPCS2> ip 10.10.1.254 /24
Checking for duplicate address...
PC1 : 10.10.1.254 255.255.255.0

VPCS2> sh arp

arp table is empty

VPCS2> ping 10.10.1.2
10.10.1.2 icmp_seq=1 ttl=255 time=1.500 ms
10.10.1.2 icmp_seq=2 ttl=255 time=5.000 ms

VPCS2> ping 10.10.1.3
10.10.1.3 icmp_seq=1 ttl=255 time=3.500 ms
10.10.1.3 icmp_seq=2 ttl=255 time=4.000 ms

VPCS2> ping 10.10.1.1
10.10.1.1 icmp_seq=1 timeout
10.10.1.1 icmp_seq=2 timeout

VPCS2> sh arp

aa:bb:cc:80:04:00  10.10.1.2 expires in 65 seconds
aa:bb:cc:80:05:00  10.10.1.3 expires in 68 seconds
00:00:0c:07:ac:0a  10.10.1.1 expires in 70 seconds

VPCS2>
It can resolve the HSRP virtual IP to the virtual MAC (00:00:0c:07:ac:0a), but cannot reach it. SW3 has also learned the virtual MAC:
SW3#sh mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0000.0c07.ac0a    DYNAMIC     Et0/0
  10    0050.7966.6802    DYNAMIC     Et0/0
  10    aabb.cc80.0400    DYNAMIC     Et0/0
  10    aabb.cc80.0500    DYNAMIC     Et0/0
Total Mac Addresses for this criterion: 4
SW3#
So it goes to show that although things might look like they are working on IOU switches, downstream hosts might have a different idea about the network, so much so that things may not actually be reachable. Getting the correct image is important where IOU is concerned. The people who enable us to get these images do a great job, but obviously cannot replicate 100% a device that relies on hardware to perform complex switching functions. There may be functions that work in the first image I used that do not work in the second, and vice versa. It can be a bit hit and miss.
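A small check that encodes the control-plane half of that diagnosis, written for this page as an added example (it is not the original post's code nor any Cisco or GNS3 tool): it parses show standby output collected from each switch and flags a group with more than one Active router, a member that sees no standby peer, a virtual IP that differs between members, or an Active router that is not the highest-priority member. The sample outputs are constructed from the show standby vlan 10 captures above, trimmed to the lines the parser reads.

```python
import re
from collections import defaultdict

# Constructed samples, trimmed from the "show standby vlan 10" captures on
# this page. First pair: both switches believe they are Active (first image).
# Second pair: one Active, one Standby (second image).
SW1_SPLIT = """Vlan10 - Group 10
  State is Active
  Virtual IP address is 10.10.1.1
  Active router is local
  Standby router is unknown
  Priority 150 (configured 150)
"""
SW2_SPLIT = """Vlan10 - Group 10
  State is Active
  Virtual IP address is 10.10.1.1
  Active router is local
  Standby router is unknown
  Priority 90 (configured 90)
"""
SW1_OK = """Vlan10 - Group 10
  State is Active
  Virtual IP address is 10.10.1.1
  Active router is local
  Standby router is 10.10.1.3, priority 90 (expires in 10.592 sec)
  Priority 150 (configured 150)
"""
SW2_OK = """Vlan10 - Group 10
  State is Standby
  Virtual IP address is 10.10.1.1
  Active router is 10.10.1.2, priority 150 (expires in 10.256 sec)
  Standby router is local
  Priority 90 (configured 90)
"""

_HEADER = re.compile(r"^(\S+) - Group (\d+)")
_FIELDS = {
    "state": re.compile(r"^\s+State is (\w+)"),
    "vip": re.compile(r"^\s+Virtual IP address is (\S+)"),
    "active": re.compile(r"^\s+Active router is ([^,\s]+)"),    # "local" or peer IP
    "standby": re.compile(r"^\s+Standby router is ([^,\s]+)"),  # "local", "unknown" or peer IP
    "priority": re.compile(r"^\s+Priority (\d+)"),
}


def parse_show_standby(text):
    """Return {(interface, group): {field: value}} for one device's output."""
    groups, current = {}, None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            current = {}
            groups[(m.group(1), int(m.group(2)))] = current
            continue
        if current is None:
            continue
        for name, rx in _FIELDS.items():
            m = rx.match(line)
            if m:
                current[name] = int(m.group(1)) if name == "priority" else m.group(1)
    return groups


def audit_hsrp(outputs):
    """outputs: {device_name: show-standby text}. Returns a list of findings (empty = clean)."""
    by_group = defaultdict(dict)  # (iface, grp) -> {device: fields}
    for device, text in outputs.items():
        for key, fields in parse_show_standby(text).items():
            by_group[key][device] = fields
    findings = []
    for (iface, grp), members in sorted(by_group.items()):
        label = f"{iface} group {grp}"
        actives = sorted(d for d, f in members.items() if f.get("state") == "Active")
        if len(actives) > 1:  # split brain: two routers both answer for the VIP
            findings.append(f"{label}: {len(actives)} routers claim Active ({', '.join(actives)})")
        vips = {f.get("vip") for f in members.values()}
        if len(vips) > 1:
            findings.append(f"{label}: virtual IP differs across members {sorted(vips)}")
        for device, f in sorted(members.items()):
            if f.get("standby") == "unknown":  # no peer hello has been heard
                findings.append(f"{label}: {device} sees no standby router")
        if len(members) > 1 and actives:
            top = max(members.items(), key=lambda kv: kv[1].get("priority", 0))[0]
            if top not in actives:
                findings.append(f"{label}: highest priority is {top} but Active is {actives[0]}")
    return findings


if __name__ == "__main__":
    for name, pair in [("first image", {"SW1": SW1_SPLIT, "SW2": SW2_SPLIT}),
                       ("second image", {"SW1": SW1_OK, "SW2": SW2_OK})]:
        print(name, "->", audit_hsrp(pair) or ["no findings"])
```

Run against the first pair of captures it reports the split brain and the two unknown standbys; against the second pair it reports nothing, which is exactly the situation the VPCS ping exposed. That is the limit of the check: a clean control plane says nothing about whether the virtual MAC is actually being serviced, so pair it with a reachability test from a host on the VLAN.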

If I do find an image that works in this scenario I will update the post, or if you know of one then please leave a comment below.

GNS3 1.0 Alpha 5!

It seems like it was just a couple of days ago that GNS3 1.0 Alpha 4 came out, and already the team at GNS3 are back with another new update.

GNS3 1.0 Alpha 5

What's new in GNS3 1.0 Alpha 5?

  • VPCS support (only version >= 0.5b1, available on https://github.com/GNS3/vpcs/releases)
  • Fixed console port errors when loading a project.
  • Fixed startup-config errors when loading a project.
  • Fixed minor issues on Mac OS X (DMG file coming soon).
  • IOU default startup-configs for layer 2 and layer 3 images. Allowing for faster loading times too.
  • Option to prevent starting the local server when opening the GUI.
  • Prevent devices to be started, stopped or suspended if their status is not right
  • More checks for cloud connections.
  • Show item coordinates in the status bar.
  • Amend device configs (hostname) when renaming.
  • UDP connection checks.
So some cool stuff here, especially the Virtual PC Simulator support, and more hints that the Mac OS X version is about to drop imminently. I am certainly looking forward to the Mac OS X version; hopefully the separation of GUI from workload (i.e. IOU) will mean that my Macbook Air fans won't sound like they are about to send my laptop into the air like an aeroplane. I won't be switching to it on my iMac just yet as I need the current version for writing my next book.

Things are moving along at a pretty rapid pace over at GNS3 HQ, they are making great strides! Well done guys!


NSA in my ASA? It's LESS likely than you think

Der Spiegel recently ran an article on how the NSA intercepts shipments of ASAs from Cisco, routes them through its TAO (Tailored Access Operations) centres and implants JETPLOW, a firmware modification that alters the OS at boot time to give the NSA a persistent backdoor into the firewall; used in conjunction with their BANANAGLEE implant, it can send data on to the NSA.

Scary shit right?

Probably not, but it has got many people scared, and understandably so.

What is JETPLOW?

According to this leaked document, JETPLOW is a modification of the ASA firmware.


It works on the PIX 500 series and the ASA 5505, 5510, 5520, 5540 and 5550. You can see some pictures of JETPLOW being installed below (well, kind of: it's a Cisco device on a desk, but it's from a leaked document):


Should I be worried?

That depends really. The point here is that this is all targeted, it is not routinely done on all of the ASAs, just ones destined for companies targeted by the NSA. If you are worried about the ASA and are thinking about ditching all your Cisco equipment then you really need to think about who you are going to choose next, as well as your whole stance on being on the internet.

Cisco are not alone 

Cisco is not the only vendor affected. Juniper is hit in the same way by the FEEDTROUGH, SOUFFLETROUGH, GOURMETTROUGH, STUCCOMONTANA, SIERRAMONTANA and SCHOOLMONTANA modifications, and Huawei by the HALLUXWATER and HEADWATER modifications. These are just the ones that have been leaked; whether they are doing the same to, say, Arista or HP, who knows. Again, there is nothing to suggest that every device is affected. I am sure that the NSA have better things to do than retro-fit every single router and firewall that they can get their hands on, and they probably aren't interested in you either. They are more interested in terrorists and threats to their own country than in reading about what you did on holiday, or listening to you order your lunch, which they could do, as they have the technology. There is a massive list of known NSA/GCHQ exploits here. It's an impressive list.

Did Cisco know about JETPLOW?

Cisco say that they were unaware. Considering that John Chambers, CEO of Cisco, has written an open letter to the President asking him to curtail the NSA's activities, that Cisco are being very open about this in the forums, and that they have their Trustworthy Systems initiative, I would say Cisco probably weren't aware. They are a multi-billion-dollar company whose business is built on being best-of-breed; they are not going to sell out their customers for a few gold coins.

If you read the forum link above, there are a lot of people who don't accept that Cisco was not complicit in this. A number of comments on the blog suggest that the commenter will be throwing their Cisco hardware "in the trash"; it's this kind of knee-jerk reaction that fuels the fire, but it's also misguided and short-sighted. You do know how the internet runs, right? Your traffic goes from A to B. In between A and B are a whole bunch of routers and companies that can be shaping your traffic on their own behalf, or on behalf of the country they are in, for any purpose they want. You might have thrown Cisco out of your door, but you may also have introduced something that is equally or more susceptible to manipulation, and your data still travels along paths that may also be tapped. Anyway, if you have something to hide then they'll probably have targeted your computer already.

What are Cisco doing about it, and can I check for JETPLOW?

Cisco are working on a forensic toolsuite, no idea when it's going to be released, but they are working on it.

Frankly, nothing is safe on the computer or on the internet. As one commenter (Adelaide_girl) said on the Cisco forum, "...every wall one man can build, another can tear down". This is very true. I will be testing the ASAs I look after once the tool suite is released; do I expect to find anything that will cause concern? No, not in the slightest. If I thought I were being targeted by the NSA then I would be checking much, much more than just my firewall: they are probably in my iPhone (using DROPOUTJEEP), or watching everything I do on my screen with a $30 device called RAGEMASTER.

The long and short of it is that if you have nothing to hide then you have nothing to worry about.

EDIT: I have retracted my last sentence as (rightly so) pointed out in the comments is a good argument that this could potentially open up the floodgates for more subversive usage.





Booked my CCIE lab bootcamp!

The company I work for is pretty good at sending us on training, we get to pick and choose what we want to do, we get a generous budget and if it's applicable to our role then we can go on it.

So far I haven't really taken them up on this; we did a whole group training thing on Zabbix last year, but I have never asked them for any training specific to my role, mainly because my role was so all-encompassing that picking a single topic was difficult. Now that my role is very network-centric, the idea of attending a CCIE bootcamp is a sensible one. But which one? I have written about them before, but this post is much more polarised, and takes into account the more personal issues with training that I have come to understand as I have progressed in my CCIE studies.

CCIE Bootcamps

Bootcamps usually bring up a mental picture of hours and hours of lectures, long days followed by long nights of studying. I did one before when I did my CEH, and before that when I went on a Red Hat Linux course. Finding the right training partner for you is tricky, and the factors in this decision for one person are not necessarily the same for another.

So here's the rub. I have twin sons, they are at the great age of two and a half that means that everyday they do something new, the novelty of this has not worn off and I love watching them grow day by day, which means that I relish the time I get with them. This also means that I don't particularly want to be studying from the time they get up and not getting home until well after their bedtime. Bedtime is daddy's time with them. I come home, they ask me to get the Spiderman lego out, we play with it, or we watch Bubble Guppies or Fireman Sam, then I put them to bed and read them a couple of stories. My wife looks after them during the day, and twins are tiring. They have the energy of ten Duracell bunnies combined, so that hour or so that I have with them in the evening gives her a bit of a rest.

But I do need to go on the training. But which one did I pick?

CCIE Online Training

Online training is great for some, if you have a quiet environment where you can be 100% dedicated with no interruptions. I do work from home one day a week, and this is because the boys are at my mum's for the day. They go to nursery on a Monday and a Friday morning, but that does leave a large amount of time when the noise level in the house would be too distracting.

IP Expert do a great range of online CCIE courses, as well as live ones, but not any live ones in the UK. So they are not really an option for me.

This leaves the choice hovering between INE and Micronics.

INE CCIE Bootcamp

INE offer a ten-day course split over two working weeks, so that would mean I get the weekend to spend as family time. These are in London, which would mean about an hour and a half of travel each way. The days are between 10 and 12 hours long, which would mean I would get home at around half ten in the evening. If the day runs later then I stand the chance of missing the last train home, and it's a very long walk.

I was trying to get on this a few months ago, but it would have been a mix of v4 and v5, and I am only going to try for v5; it gives me a bit more breathing space. I didn't get the OK in time to put the order through though, so didn't end up going. I did spend a lot of time going back and forth with Tami at INE though, and she was really helpful. The cool thing with INE is that they offer a package deal: you can get a free iPad mini loaded with the courseware, or you can get INE to pay for your lab exam, or 2 free graded mock exams. I was going to opt for the free lab exam (option B), which seemed like good value for the $6k that the course costs.

They have another bootcamp in London in September / October, so this would be a good option.

The problem I have with London though is that it would cost me another £350 in travel costs (about $500 ish). The upside is that they have excellent instructors whose names are synonymous with the CCIE, and you get a very excellent workbook.

Narbik CCIE Bootcamp (Micronics)

The other option is the 10 day end to end bootcamp from Micronics training, run by Narbik Kocharians, and he's the guy who has written the new CCIE v5 Certification guide. It runs over the same set of days as the INE course. It's called End-To-End "No Excuses". Why are there no excuses? The course runs for ten days, straight. No weekend off, its ten days long. Here's the breakdown:

Day 1: 9am - 9pm
Day 2: 9am - 9pm
Day 3: 9am - 9pm
Day 4: 9am - 4am
Day 5: 9am - noon
Day 6: 9am - 6pm
Day 7: 9am - 6pm
Day 8: 9am - 8pm
Day 9: 9am - 8pm
Day 10: 9am - 4am

The nice thing is that it's really close to where I live in Bedfordshire, so I can drive to and from it: no worries about train costs or missing trains because the day runs later than planned. But look at days 4 and 10. The day ENDS AT 4AM! This is because there are two fully graded 8-hour lab exams. There are three in all, with a 6-hour one on the first day. It's harsh. It would make for a very tiring course. But they are well placed within the course: the day after the first 8-hour exam finishes at noon, followed by a couple of 6PM finishes, which means that I would get to see the boys. Still, a 4AM finish? That's hardcore. I don't stay up till 4AM very often, certainly not since my misspent youth, and that generally entailed (without getting into the illicit details) drinking lots of tea and laughing hysterically at comedy DVDs, followed by a long walk along the river. 4AM now that I am a happily married father-of-two? Yeah, it ain't gonna happen unless there is a bloody good reason.

Anyway, with the Micronics training you get the Foundation workbook, which bridges the gap between the CCNP and the CCIE; you get this before the course starts so you are well prepared. When the course starts you also get the Cisco 360 Routing and Switching v5 courseware, the Advanced CCIE Routing and Switching 5.0 Technology Focused Workbook and the Advanced Troubleshooting 5.0 workbook (these are all secure copies in PDF format).

The Micronics training costs less than the INE, but you don't get the lab exam for free. So it roughly works out the same.

Which CCIE bootcamp did I choose?

The 4AM finishes really made me think again about going for the Micronics training. They also only take PayPal, so I would have to pay for it and then get reimbursed by the company, whereas INE will send you an invoice, and there aren't any 4AM finishes. But then there aren't the graded exams either, unless you go for that option (Option C), and then you don't get the exam fee paid for.

In the end I went for Narbik's training. It's closer to home, I like the fact that you get to do a proper simulation of the 8-hour lab exam, and finishing at noon or 6pm does allow me to see my kids. The 4AM finishes are a little worrying, but then this is the CCIE, and no one said it would be easy.

I think I might get this T-Shirt printed up:


Review: SDN and OpenFlow for Beginners with Hands on Labs

I have just finished reading SDN and OpenFlow for beginners with Hands on Labs by Vivek Tiwari, and I can honestly say that I was really impressed. If you have read a few of my posts before then you probably know that I am not a fan of overly expensive books - and this is really good value for money. It's not a long book, and is priced very reasonably at $7.99.

Vivek is a double CCIE (Routing and Switching and Service Provider) and his experience within the field and as a mentor definitely comes through. His writing style is friendly and anecdotal making what could be a very dry topic come across as interesting and fun.

SDN and OpenFlow for Beginners

The book is split into two parts.

An introduction to OpenFlow and SDN

Part one covers "What is SDN?" where we get a very good technical and also non-technical breakdown of what SDN actually does and a history of SDN and OpenFlow. He then goes into greater depth explaining CAM and TCAM functions, and why these are important to understand in order to benefit from what SDN has to offer.

With a good understanding of CAM and TCAM he then explains the concepts behind flows and actions, before going into the OpenFlow protocol, and then into the advantages of OpenFlow, and how it can benefit the different areas of the business from both a financial standpoint and from an engineering view.

Lastly in part one we have the future of SDN.

Hands on Labs on SDN using OpenFlow

Part two is where the real fun starts. Vivek walks us through setting up our own little lab using freely available tools, with a great example of using OpenFlow to manage our network. He walks us through installing OpenDaylight, Mininet, VMware Player and some other tools such as PuTTY, as well as giving a quick pointer on how to snoop on OpenFlow conversations in Wireshark.

The examples may not be extensive, but this is not meant to be an extensive book; it's meant to get you up and running. That said, the example he gives, of using OpenDaylight to set the default gateway for our switches, is a very good and relevant one that shows the power of the SDN tools at our command.

Overall thoughts

This is a really good book. It's priced really nicely and it won't take long to read. The formatting for Kindle is well done, which for a technical book is not the easiest thing in the world, and it is very easy to read.

If you have any interest in SDN (and really you should, as it's going to take off massively over the next couple of years) then you should definitely buy this book.

GNS3 1.0 Alpha 4!


GNS3 1.0 Alpha 4 is out today, coming in a week or so before the next bank holiday in the UK. I am sure that the bank holiday releases are just a coincidence, unless the developers are really keen on celebrating the "International Day of Families" (yeah I don't know what it's about either - alternatively it could be released in celebration of Paraguay's Independence Day).

GNS3 1.0 Alpha 4

So anyway, enough about random world wide holiday talk, let's have a look at what's new (and fixed):

Whats new in GNS3 1.0 Alpha 4?

Now we have the following changes:

  • Show Windows interface names in cloud tooltips.
  • Disconnect the server if the version differs from the GUI version.
  • Move cloud code to a builtin module and support for clouds on remote servers.
  • Options to use the default IOU RAM & NVRAM values.
  • Changed the name of default base startup and private configs.
  • Added “All files” filter when looking for an IOU or IOS image in the file browser.
  • Graceful server shutdown on Windows.
  • Error message that JIT sharing is only supported in Dynamips unstable.
  • New UDP and console port allocation system for IOU. Fixes duplicated port issues.
  • Delete some Dynamips files that are useless to save in projects.
  • Fix: the path to GNS3 server was not saved.
  • Fix: RAM and NVRAM IOU image settings not propagated when creating an IOU device.
  • Fix: bug where IOS nvram/disk files were not kept after closing a topology.
  • Fix: bug that prevented changing any IOU device setting when connected to another node.
  • Fix: duplicated node id issue.
  • Fix: major bug with ghost instance overwriting any second router files (R2).
  • Fix: error when ldd cannot be found.
  • Fix: issues with local base configs for IOS.
Some pretty cool stuff here, especially the third item - "support for clouds on remote servers", this isn't to say that we can have multiple IOU servers sitting out there, it's close, very close, but not there just yet:

Multiple IOU servers in GNS3

So close!

Still no sign of the ability to add text to topologies though. I do miss that.

MPLS for Cisco Networks - technical editor in, color pages out!

My second book entitled "MPLS for Cisco Networks" is coming along really well. I have had some very good feedback for my first book "BGP for Cisco Networks" so I am really encouraged that people are finding it a worthwhile read.

Self publishing CCIE books and pricing

I have learnt a few things from writing my first book, mainly about pricing. 

Firstly no matter how low you price it there will be people in a certain certification forum who will still ask for copies for free. You would think that with it being priced reasonably people would be more inclined to purchase it, but there are still some people who want everything for free.

Secondly, price does matter. Publishing on Kindle is a pretty good way (not saying that it's foolproof) to make sure that it doesn't end up being shared for free across the globe, so my intellectual property is fairly well secured, plus as the Kindle app is available on pretty much everything it can reach a very wide audience. Kindle allows me to be flexible on price, and overheads are low. That said, the print version does just as well as the mobi version. Reading on a tablet is great, but there is nothing like holding a physical book. Pricing a printed book can be tricky though, which I'll explain in a moment.

Anyway, back to the subject in hand, I am not digressing (much) as there is a purpose to all of this. 

A technical editor!

So firstly the good news. I got an email a little while ago from someone who had bought my book and he said (in a nice way) that it had a couple of run on sentences and a few bits of train of thought in it, and would I like him to do some technical editing. Some might have thought this to be a bit cheeky, but in no way was it phrased like a sales pitch, and he has a good history in teaching and in networking. I thought it would make a lot of sense. Hopefully he can polish off my book, and together we can create something a little larger than me just working by myself. His name is Beau, and hopefully we'll do a little introduction for him later.

On to the less good news - it's not bad news, but it's a little gripe more than anything.

MPLS for Cisco Networks in black and white

One of the feedbacks that I received was that it would have been nice to have color pages. I totally agree with this, especially as the next book has different areas referred to by colors of Red, White and Blue, rather than say Company A, Company B etc. This looks great so far, but something will be a little lost in translation to black and white print.

So what are the options? Well, the printed version, which is priced at a mere $14.99, does not make much in profit. Once CreateSpace/Amazon have taken their cut I get about $5, and there is also a withholding tax of 30% on top of that because I am a UK resident, so really it's not looking like I can retire any time soon. I am doing this because I wanted to write a book and do something creative that people would find beneficial; money is not the primary objective. Nonetheless, if I wanted to create a 250 page book at $14.99 in black and white then we are looking at a $5 royalty. If we switch to color print then I would actually owe CreateSpace over $9. So to make the same royalty of $5 the book would have to cost over $39! This goes against the whole idea of making the books affordable.

I am not Cisco, I can't release a book at ridiculous prices - such as the kindle only CCIE v5 Route and Switch Configuration Practice Labs at $50+, or the official v5 certification guide at $99. Don't get me wrong, I am not knocking these books as they are really good, and well worth the investment, I just don't see why they have to be so expensive. The exam is expensive enough, so there needs to be a break in expenditure somewhere. Which is why I priced my books at what I think is a reasonable level.

So sadly color print will not be an option. There will be color diagrams available on the website under the CCIE books menu when it's released, probably in PDF or JPG, or both. If anyone has any recommendations then I am all ears.

HSRP, Cisco Emulation software and ASICs

I wrote some time back about how to implement HSRP using Cisco IOU and in GNS3, but it has been pointed out that even though it might look like it works, it's actually a little more hit and miss, with some people having issues such as not being able to ping the virtual IP address configured on the HSRP standby group. Check out the comments on that post to follow the reference; hopefully you'll then understand why I am writing this follow-up.

A recap on HSRP

HSRP (Hot Standby Router Protocol) allows a pair of switches to share a virtual IP address on an SVI (Switched Virtual Interface) so that you have some redundancy: in the event that one switch is unavailable, the virtual IP address assigned to the standby group is still reachable via the other. Whichever member is active answers for the virtual IP with the same virtual MAC address, which is the well-known HSRP version 1 prefix (0000.0c07.ac) followed by the standby group number as the last octet (in our case this is 10, which is 0a in hexadecimal). Because the MAC never changes, hosts do not need to re-learn anything when the active router fails over.

HSRP is Cisco specific; other vendors use the industry standard VRRP (Virtual Router Redundancy Protocol). Cisco also has GLBP (Gateway Load Balancing Protocol), which adds load balancing across the members of the group rather than leaving the standby router idle.

We will be using two different versions of GNS3 for this. The first is the publicly available 0.8.6 version, because that can still use Qemu, which means that we can use the IOSv images to try this out on, as well as the image c3660-is-mz.124.25b referenced in the first article. The second is the 1.0 alpha, which lets us run the IOU images. If you haven't checked out how to get the IOSv images from onePK into GNS3 then you might want to have a quick read of it.

So the goals for this post are to prove that we can get HSRP working between two devices. One should show up as the active and one as the standby, and we should be able to ping the virtual IP assigned to the HSRP group. As per the original post we need to create a multi-layer switch to enable the required functions, this still holds true today, so do have a read over the original article.

For each example we will have an HSRP group, number 10, one switch will use the IP address 10.10.1.2/24, the other will use 10.10.1.3/24 and they will have a virtual IP address of 10.10.1.1. The HSRP MAC address will be 0000.0c07.ac0a, so this is what we will be looking for in our ARP table.
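Those two facts, a virtual MAC derived mechanically from the group number and exactly one member Active with the other Standby, are easy to check by script once you have captured the output, and a script will spot the symptom that the comments on the earlier post describe (a VIP that is not reachable because the members never agreed on who is active). The following Python is an added example, not part of the original post or of GNS3/IOU: it derives the HSRPv1 virtual MAC for a group (and, going beyond the v1 default used in this post, the HSRPv2 form, which uses the 0000.0c9f.fxxx range), parses a "show standby" block and a "show arp" table, and reports anything inconsistent. The sample captures embedded in it are copied from the R4/R5 output shown later in this post; the split-brain sample is constructed by flipping R5's state to Active, which is what you see when the hellos are not crossing the link between the two members.

```python
"""Derive an HSRP virtual MAC and sanity-check `show standby` / `show arp` captures."""
import re

HSRP_V1_PREFIX = "0000.0c07.ac"   # well-known HSRPv1 prefix; the group number is the last octet
HSRP_V2_PREFIX = "0000.0c9f.f"    # HSRPv2 prefix; the group number is the last 12 bits


def hsrp_virtual_mac(group, version=1):
    """Return the virtual MAC (Cisco dotted notation) for an HSRP group."""
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("HSRPv1 groups are 0-255")
        return f"{HSRP_V1_PREFIX}{group:02x}"
    if version == 2:
        if not 0 <= group <= 4095:
            raise ValueError("HSRPv2 groups are 0-4095")
        return f"{HSRP_V2_PREFIX}{group:03x}"
    raise ValueError("HSRP version must be 1 or 2")


def parse_show_standby(text):
    """Extract the fields we care about from one `show standby` group block."""
    def grab(pattern):
        m = re.search(pattern, text, re.M)
        if m is None:
            raise ValueError(f"field not found in show standby output: {pattern}")
        return m.group(1)
    return {
        "interface": grab(r"^(\S+) - Group \d+"),
        "group": int(grab(r"^\S+ - Group (\d+)")),
        "state": grab(r"^\s*State is (\w+)"),
        "vip": grab(r"^\s*Virtual IP address is (\S+)"),
        "vmac": grab(r"^\s*Active virtual MAC address is ([0-9a-f.]+)"),
        "priority": int(grab(r"^\s*Priority (\d+)")),
        "preempt": re.search(r"^\s*Preemption enabled", text, re.M) is not None,
    }


def arp_hardware_addr(show_arp, ip):
    """Return the MAC that `show arp` lists for ip, or None when there is no entry."""
    for line in show_arp.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "Internet" and parts[1] == ip:
            return parts[3]
    return None


def check_hsrp_pair(standby_outputs, arp_outputs=()):
    """Return a list of findings for a two-member group; an empty list means healthy."""
    members = [parse_show_standby(t) for t in standby_outputs]
    findings = []
    states = sorted(m["state"] for m in members)
    if states != ["Active", "Standby"]:
        # Two Actives: the hellos (224.0.0.2, UDP 1985 for v1) are not reaching the peer.
        findings.append(f"expected one Active and one Standby, got {states}")
    if len({m["vip"] for m in members}) != 1:
        findings.append("members disagree on the virtual IP address")
    for m in members:
        expected = hsrp_virtual_mac(m["group"])
        if m["vmac"] != expected:
            findings.append(f"{m['interface']} group {m['group']}: virtual MAC {m['vmac']}, expected {expected}")
    if max(members, key=lambda m: m["priority"])["state"] != "Active":
        findings.append("highest-priority member is not Active (preemption off, or still in its delay)")
    if not any(m["preempt"] for m in members):
        findings.append("preemption disabled on every member; the preferred router will never take the VIP back")
    for arp in arp_outputs:
        mac = arp_hardware_addr(arp, members[0]["vip"])
        if mac is not None and mac != hsrp_virtual_mac(members[0]["group"]):
            findings.append(f"ARP maps {members[0]['vip']} to {mac} rather than the HSRP virtual MAC")
    return findings


# Sample captures copied from the R4/R5 output in this post (trimmed to the lines parsed above).
R4_STANDBY = """\
Vlan10 - Group 10
  State is Active
  Virtual IP address is 10.10.1.1
  Active virtual MAC address is 0000.0c07.ac0a
  Preemption enabled, delay min 60 secs
  Active router is local
  Standby router is 10.10.1.3, priority 90 (expires in 7.344 sec)
  Priority 150 (configured 150)
"""
R5_STANDBY = """\
Vlan10 - Group 10
  State is Standby
  Virtual IP address is 10.10.1.1
  Active virtual MAC address is 0000.0c07.ac0a
  Preemption disabled
  Active router is 10.10.1.2, priority 150 (expires in 7.376 sec)
  Standby router is local
  Priority 90 (configured 90)
"""
R4_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.1               -   0000.0c07.ac0a  ARPA   Vlan10
Internet  10.10.1.2               -   cc04.38a1.0000  ARPA   Vlan10
"""
# Constructed: both members claiming Active, the symptom of hellos not crossing the trunk.
R5_SPLIT_BRAIN = R5_STANDBY.replace("State is Standby", "State is Active")

if __name__ == "__main__":
    print("group 10 virtual MAC:", hsrp_virtual_mac(10))
    print("healthy pair findings:", check_hsrp_pair([R4_STANDBY, R5_STANDBY], [R4_ARP]))
    print("split-brain findings: ", check_hsrp_pair([R4_STANDBY, R5_SPLIT_BRAIN]))
```

Feed it the "show standby" block from each member and, optionally, each member's "show arp"; the healthy R4/R5 pair returns no findings, while the constructed split-brain pair is flagged immediately. If the VIP in ARP resolves to a real interface MAC rather than 0000.0c07.ac0a, that is the emulated switch answering for the address without HSRP actually owning it, which is exactly the kind of "looks fine, isn't" result this post is about.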

Let's check out GNS3 first.

HSRP using native GNS3

Once we have set up our multi-layer switch in GNS3, the configuration steps for our first switch are as follows:
R4#vlan database
R4(vlan)#vlan 10
VLAN 10 added:
    Name: VLAN0010
R4(vlan)#exit
APPLY completed.
Exiting....   
*Mar  1 00:00:35.719: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
R4#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#int vlan 10
R4(config-if)#ip add 10.10.1.2 255.255.255.0
R4(config-if)#standby 10 ip 10.10.1.1
R4(config-if)#standby 10 pri 150
R4(config-if)#standby 10 preem del min 60
R4(config-if)#no shut
R4(config-if)#int fa 1/10
R4(config-if)#switchport mode trunk
*Mar  1 00:02:00.087: %DTP-5-TRUNKPORTON: Port Fa1/10 has become dot1q trunk
*Mar  1 00:02:00.563: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
R4(config-if)#no shut
R4(config-if)#
*Mar  1 00:02:30.687: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
*Mar  1 00:02:30.695: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
R4(config-if)#
*Mar  1 00:02:51.699: %HSRP-5-STATECHANGE: Vlan10 Grp 10 state Speak -> Standby
*Mar  1 00:02:52.199: %HSRP-5-STATECHANGE: Vlan10 Grp 10 state Standby -> Active
R4(config-if)#exit
R4(config)#exit
R4#
*Mar  1 00:03:34.879: %SYS-5-CONFIG_I: Configured from console by console
R4#
So far our first device is looking healthy for HSRP. The second switch is very similar:
R5#vlan database
R5(vlan)#vlan 10
VLAN 10 added:
    Name: VLAN0010
R5(vlan)#exit
APPLY completed.
Exiting....
R5#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R5(config)#int fa1/10
R5(config-if)#switchport mode trunk
*Mar  1 00:02:45.687: %DTP-5-TRUNKPORTON: Port Fa1/10 has become dot1q trunk
*Mar  1 00:02:46.159: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
R5(config-if)#no shut
R5(config-if)#exit
R5(config)#int vlan 10
R5(config-if)#
*Mar  1 00:02:53.711: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
R5(config-if)#ip add 10.10.1.3 255.255.255.0
R5(config-if)#standby 10 ip 10.10.1.1
R5(config-if)#standby 10 pri 90
R5(config-if)#
*Mar  1 00:03:16.291: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
R5(config-if)#
*Mar  1 00:03:40.299: %HSRP-5-STATECHANGE: Vlan10 Grp 10 state Speak -> Standby
R5(config-if)#
With our trunk set up to carry the VLAN information, as well as the HSRP multicast hellos, we should be able to check that everything is in order. Using the command "sh standby vlan" followed by the VLAN number we can check the HSRP settings and status. Let's check to see if we have everything we are hoping for, including the correct ARP entries, and make sure that the interfaces are pingable:
R4#sh standby vlan 10
Vlan10 - Group 10
  State is Active
    2 state changes, last state change 00:03:19
  Virtual IP address is 10.10.1.1
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.724 secs
  Preemption enabled, delay min 60 secs
  Active router is local
  Standby router is 10.10.1.3, priority 90 (expires in 7.344 sec)
  Priority 150 (configured 150)
  IP redundancy name is "hsrp-Vl10-10" (default)
R4#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.1               -   0000.0c07.ac0a  ARPA   Vlan10
Internet  10.10.1.2               -   cc04.38a1.0000  ARPA   Vlan10
R4#ping 10.10.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R4#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.1               -   0000.0c07.ac0a  ARPA   Vlan10
Internet  10.10.1.3               0   cc05.38a1.0000  ARPA   Vlan10
Internet  10.10.1.2               -   cc04.38a1.0000  ARPA   Vlan10
R4#

R5#sh standby vlan 10
Vlan10 - Group 10
  State is Standby
    1 state change, last state change 00:03:22
  Virtual IP address is 10.10.1.1
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.992 secs
  Preemption disabled
  Active router is 10.10.1.2, priority 150 (expires in 7.376 sec)
  Standby router is local
  Priority 90 (configured 90)
  IP redundancy name is "hsrp-Vl10-10" (default)
R5#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.3               -   cc05.38a1.0000  ARPA   Vlan10
R5#ping 10.10.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/21/24 ms
R5#ping 10.10.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/21/24 ms
R5#sh arp        
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.1               0   0000.0c07.ac0a  ARPA   Vlan10
Internet  10.10.1.3               -   cc05.38a1.0000  ARPA   Vlan10
Internet  10.10.1.2               0   cc04.38a1.0000  ARPA   Vlan10
R5#
So ARP looks good and we can ping the virtual IP address for the standby group, with no problems here. Let's check out HSRP on IOU next.

HSRP using IOU

With the same configuration as before (apart from the priority, which was left at the default of 100 on the first device) running on the IOU switches, do we get the same result?
Switch#sh standby vlan 10
Vlan10 - Group 10
  State is Active
    2 state changes, last state change 00:00:34
  Virtual IP address is 10.10.1.1
  Active virtual MAC address is 0000.0c07.ac0a (MAC In Use)
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.984 secs
  Preemption enabled, delay min 60 secs
  Active router is local
  Standby router is 10.10.1.3, priority 90 (expires in 9.904 sec)
  Priority 100 (default 100)
  Group name is "hsrp-Vl10-10" (default)
Switch#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.1               -   0000.0c07.ac0a  ARPA   Vlan10
Internet  10.10.1.2               -   aabb.cc80.0100  ARPA   Vlan10
Internet  10.10.1.3               0   aabb.cc80.0200  ARPA   Vlan10
Switch#ping 10.10.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
Switch#sh ver | i IOS
Cisco IOS Software, Solaris Software (I86BI_LINUXL2-IPBASEK9-M), Experimental Version 15.1(20130124:233217) [dstivers-jan24-2013-team_track 101]
Switch#sh ip int bri     
Interface              IP-Address      OK? Method Status                Protocol
Ethernet0/0            unassigned      YES unset  up                    up      
Ethernet0/1            unassigned      YES unset  up                    up      
Ethernet0/2            unassigned      YES unset  up                    up      
Ethernet0/3            unassigned      YES unset  up                    up      
Vlan10                 10.10.1.2       YES manual up                    up      
Switch#

Switch2#sh standby vlan 10
Vlan10 - Group 10
  State is Standby
    1 state change, last state change 00:00:29
  Virtual IP address is 10.10.1.1
  Active virtual MAC address is 0000.0c07.ac0a (MAC Not In Use)
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.912 secs
  Preemption disabled
  Active router is 10.10.1.2, priority 100 (expires in 9.696 sec)
  Standby router is local
  Priority 90 (configured 90)
  Group name is "hsrp-Vl10-10" (default)
Switch2#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.3               -   aabb.cc80.0200  ARPA   Vlan10
Switch2#ping 10.10.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
Switch2#ping 10.10.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
Switch2#sh ver | i IOS
Cisco IOS Software, Solaris Software (I86BI_LINUXL2-IPBASEK9-M), Experimental Version 15.1(20130124:233217) [dstivers-jan24-2013-team_track 101]
Switch2#
Again ARP looks good and we can ping the virtual IP address.

EDIT:-

It just goes to show that image is everything. As Maureen (in the comments below) has pointed out whilst following this blog and my posts about HSRP, nothing is 100% guaranteed when using a virtualized environment.

If you try adding a guest to the mix then it probably won't be able to ping the standby address, and if you do, it probably won't last. I will go into it in more depth in my post about IOU Images and functions.

Finally lets check out IOSv.

HSRP using IOSv on GNS3

HSRP is slightly different on IOSv: there are no VLAN commands, and instead everything is performed under the physical interface, so technically it's not enabling redundancy for a VLAN, it's enabling it for the interface. The principle remains the same, though: it still requires the same code within IOS for the feature to work, and multicast for the hellos to flow between the members, which is why I am including it here.
SW1(config)#int gi 0/0
SW1(config-if)#ip add 10.10.1.2 255.255.255.0
SW1(config-if)#standby 10 ip 10.10.1.1
SW1(config-if)#standby 10 pri 150
SW1(config-if)#standby 10 preem delay min 60
SW1(config-if)#no shut
SW1(config-if)# 
*May 11 16:11:44.818: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
*May 11 16:11:45.818: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
*May 11 16:12:05.647: %HSRP-5-STATECHANGE: GigabitEthernet0/0 Grp 10 state Standby -> Active
SW1(config-if)#exit
SW1(config)#exit
SW1#sh standby
*May 11 16:12:25.655: %SYS-5-CONFIG_I: Configured from console by console
GigabitEthernet0/0 - Group 10
  State is Active
    2 state changes, last state change 00:00:27
  Virtual IP address is 10.10.1.1
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.272 secs
  Preemption enabled, delay min 60 secs
  Active router is local
  Standby router is 10.10.1.3, priority 90 (expires in 9.232 sec)
  Priority 150 (configured 150)
  Group name is "hsrp-Gi0/0-10" (default)
SW1#

SW2(config)#int gi 0/0
SW2(config-if)#ip add 10.10.1.3 255.255.255.0
SW2(config-if)#standby 10 ip 10.10.1.1
SW2(config-if)#standby 10 pri 90      
SW2(config-if)#no shut
SW2(config-if)#
*May 11 16:11:44.460: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
*May 11 16:11:45.460: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
*May 11 16:12:29.371: %HSRP-5-STATECHANGE: GigabitEthernet0/0 Grp 10 state Speak -> Standby
SW2(config-if)#
SW2(config-if)#exit
SW2(config)#exit
SW2#sh stand
GigabitEthernet0/0 - Group 10
  State is Standby
    1 state change, last state change 00:00:23
  Virtual IP address is 10.10.1.1
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.744 secs
  Preemption disabled
  Active router is 10.10.1.2, priority 150 (expires in 10.480 sec)
  Standby router is local
  Priority 90 (configured 90)
  Group name is "hsrp-Gi0/0-10" (default)
SW2#
So it certainly looks like HSRP works on IOSv; let's make sure by looking at ARP, and seeing if we can ping the virtual IP address:
SW1#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.1               -   0000.0c07.ac0a  ARPA   GigabitEthernet0/0
Internet  10.10.1.2               -   00ab.60a2.3000  ARPA   GigabitEthernet0/0
SW1#ping 10.10.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 3/8/11 ms
SW1#ping 10.10.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
SW1#sh ver | i Version
Cisco IOS Software, IOSv Software (VIOS-ADVENTERPRISEK9-M), Version 15.4(1.24)T0.9, MAINTENANCE INTERIM SOFTWARE
SW1#

SW2#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.2               0   00ab.60a2.3000  ARPA   GigabitEthernet0/0
Internet  10.10.1.3               -   00ab.1061.0700  ARPA   GigabitEthernet0/0
SW2#ping 10.10.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/7/11 ms
SW2#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.1               0   0000.0c07.ac0a  ARPA   GigabitEthernet0/0
Internet  10.10.1.2               0   00ab.60a2.3000  ARPA   GigabitEthernet0/0
Internet  10.10.1.3               -   00ab.1061.0700  ARPA   GigabitEthernet0/0
SW2#sh ver | i Version
Cisco IOS Software, IOSv Software (VIOS-ADVENTERPRISEK9-M), Version 15.4(1.24)T0.9, MAINTENANCE INTERIM SOFTWARE
SW2#
So again, all good and we are three for three.

So why am I going over this again, if actually I am only proving that it does work? Well, it's all to do with mileage, and your mileage may vary. Remember we are dealing with emulated, or virtualized hardware, so there will be issues, especially when we come across things that the router, or more specifically switch, generally offload to ASICs. With all the benefits that Cisco emulation software offers, the one thing it cannot do is truly emulate the functions contained within the ASIC.

What's a running shoe brand got to do with Cisco emulation software?

An ASIC is an Application-Specific Integrated Circuit, not to be confused with ASICS the running shoe manufacturer. These ASICs are so complex that they can (depending on the type of ASIC) be referred to as a system on a chip. It is this off-loading of forwarding work to dedicated silicon that makes running a virtualised switch, with the full functionality and speed of a proper hardware one, extremely difficult to implement.

The most common Cisco-specific ASIC you will encounter is the port ASIC; these handle traffic forwarding, QoS and ACL lookups. A number of switches hold their TCAM within these port ASICs, and that TCAM stores the IPv4 and IPv6 addresses, MAC addresses, and Access Control Entries used for those lookups.

For a greater understanding of packet flow within a switch and how this is governed by the ASIC then have a look at this PDF from Cisco Live.

So in short, we can get close, but close is a very relative term, finding the right IOU or GNS3 image can be a bit of a mission.

It will be interesting to see how CML stands up to higher-level switch functionality when it is finally released. One would think that as it is the basis for the new version of the CCIE exam then it will be supported. Time will tell on that!

In an ideal world we would all have the required hardware, it wouldn't cost more than a cup of coffee, and it would fit into your pocket. But for the moment we'll have to see how far our mileage gets us.

IOSv in GNS3

Following on from the Cisco ViRL - a first taste! post where I said that I was going to try and get the IOSv image working in GNS3 I have done a bit of playing around. After a few misses I finally got it working. So here is my walk through.

Firstly you need to get the ova file out of the onePK VM: once you have loaded the onePK VM you can connect to it using WinSCP and get the ova file from /usr/share/vmcloud/data/images/vios.ova.

Importing the onePK vIOS ova file into VirtualBox

I first tried setting the IOSv image up as a VirtualBox guest and adding it to GNS3 that way. No go, and it bluescreened my laptop. DON'T TRY THIS AT HOME KIDS!

Creating a vIOS Qemu guest (attempt 1)

Secondly I tried to create a Qemu guest by extracting the files from the ova and running a bunch of qemu commands to create an img file. I didn't get a bluescreen, and the image loaded, but nothing much happened after that, and I couldn't console onto it. So it was pretty useless.

Creating a vIOS Qemu guest (attempt 2)

The second attempt, and the one that works, is to first extract the contents of the ova file. Then make sure that the Qemu settings in GNS3 work; the All-in-One version of the GNS3 software is best, so that you get all the Qemu goodness.

Qemu settings for GNS3

The resulting vmdk can be run directly as a qemu guest. So with the following settings:

Qemu-flavor: -x86_64
Identifier name: anything you like
Binary Image: the extracted vmdk file
RAM: 384 MB works well, though Cisco recommend 512 MB
Number of NICs: anything up to 8
NIC Model: e1000
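Before booting a disk image pulled out of someone else's VM it is worth checking it against the manifest that ships inside the OVA. An OVA is just a tar archive, and the .mf file in it lists a digest for every other member in the form "SHA1(vios.vmdk)= hex" (SHA256 is also allowed). The Python below is an added example, not part of the original post or of GNS3: it verifies every member the manifest names before you hand the .vmdk to Qemu, and it builds the stand-alone qemu-system-x86_64 command line that matches the settings above (user-mode networking stands in for the way GNS3 wires the NICs into its topology). Whether the onePK vios.ova actually carries a .mf is not something this post confirms, so the demo builds its own small constructed archive, once intact and once with a single byte of the disk flipped, rather than touching the real image.

```python
"""Verify the members of an OVA against its .mf manifest before booting the disk."""
import hashlib
import io
import re
import tarfile
import tempfile
from pathlib import Path

# OVF manifest lines look like:  SHA1(vios.vmdk)= 5f2a...   (SHA256 is also allowed)
MANIFEST_LINE = re.compile(r"^(SHA1|SHA256)\(([^)]+)\)=\s*([0-9A-Fa-f]+)\s*$")


def parse_manifest(text):
    """Map member name -> (hashlib algorithm name, expected hex digest)."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MANIFEST_LINE.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised manifest line: {line!r}")
        entries[m.group(2)] = (m.group(1).lower(), m.group(3).lower())
    return entries


def verify_ova(ova_path):
    """Return {member: True/False} for every file the manifest names.
    A member listed in the manifest but missing from the archive counts as a failure."""
    results = {}
    with tarfile.open(str(ova_path), "r:*") as tar:
        files = {m.name: m for m in tar.getmembers() if m.isfile()}
        manifests = [n for n in files if n.endswith(".mf")]
        if len(manifests) != 1:
            raise ValueError(f"expected one .mf manifest, found {len(manifests)}")
        manifest = parse_manifest(tar.extractfile(files[manifests[0]]).read().decode())
        for name, (algo, expected) in manifest.items():
            member = files.get(name)
            if member is None:
                results[name] = False
                continue
            digest = hashlib.new(algo)
            with tar.extractfile(member) as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            results[name] = digest.hexdigest() == expected
    return results


def qemu_command(vmdk, ram_mb=384, nics=2, nic_model="e1000"):
    """Stand-alone qemu invocation matching the GNS3 guest settings in this post.
    User-mode networking is used here; inside GNS3 the NICs are patched into the topology."""
    cmd = ["qemu-system-x86_64", "-m", str(ram_mb), "-nographic",
           "-drive", f"file={vmdk},format=vmdk,if=ide"]
    for i in range(nics):
        cmd += ["-netdev", f"user,id=net{i}", "-device", f"{nic_model},netdev=net{i}"]
    return cmd


def _build_demo_ova(path, tamper):
    """Constructed sample archive: a placeholder .ovf, a placeholder .vmdk and a matching .mf.
    The payloads are made up for the demo; they are not a real disk image."""
    ovf = b'<?xml version="1.0"?><Envelope/>'
    vmdk = b"KDMV" + bytes(range(256)) * 4
    manifest = "".join(
        f"SHA1({name})= {hashlib.sha1(data).hexdigest()}\n"
        for name, data in (("vios.ovf", ovf), ("vios.vmdk", vmdk))
    ).encode()
    if tamper:
        vmdk = vmdk[:-1] + b"\x00"   # one byte changed after the digest was recorded
    with tarfile.open(str(path), "w") as tar:
        for name, data in (("vios.ovf", ovf), ("vios.vmdk", vmdk), ("vios.mf", manifest)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def demo():
    """Verify an intact and a tampered constructed OVA; returns both result maps."""
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = Path(tmp) / "good.ova", Path(tmp) / "bad.ova"
        _build_demo_ova(good, tamper=False)
        _build_demo_ova(bad, tamper=True)
        return verify_ova(good), verify_ova(bad)


if __name__ == "__main__":
    intact, tampered = demo()
    print("intact archive:  ", intact)
    print("tampered archive:", tampered)
    print(" ".join(qemu_command("vios.vmdk")))
```

Run verify_ova() against the real vios.ova before extracting it; if it raises because there is no .mf, you at least know the image came with nothing to check it against, and you should record a digest of the .vmdk yourself so that the copy you boot in GNS3 later is the one you tested.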

IOSv qemu guest in GNS3

You can then drag a Qemu guest onto GNS3. If you want one, drag on two and delete the first one; for some reason it didn't seem to like the first one, probably due to a numbering thing with the telnet ports.

When you click on boot the Qemu screen will come up; it will appear to hang at "Booting 'IOSv'", but this is fine, and you should now be able to console onto the devices. I added one 7200 router (R1) with two Gigabit Ethernet interfaces (1.1.1.1/24 and 2.2.2.1/24) and three vIOS images (deleting the first one). The IOSv images had IP addresses 1.1.1.2 and 2.2.2.2 connecting them to the 7200 via gi 0/1, and 3.3.3.1 and 3.3.3.2 connecting them to each other via gi 0/0. CDP worked, and so did ping:

Ping between IOS and IOSv in GNS3
Pinging between IOSv guests in GNS3

I have uploaded a video showing all of the steps.


Enjoy your brand new IOSv!


Redesigned CCIE (blog)!

Just like Cisco have redesigned the CCIE exam, I have redesigned the site over the weekend. I liked the previous style, but as I usually include a lot of console output in my posts, having a 3 column template did severely decrease the real-estate, making output harder to read.

The real impetus was trying to read the posts on getting started with onePK, especially the one on the link between onePK and Cisco CML. There was too much word wrapping for my liking, it was starting to make things distracting.

So I found a nice responsive template. I especially like the fact that the middle column on the front page is hidden when viewing a post, makes for a nicer experience I think.

I do still need to tweak a few things; the space between and after the pre tags (used for console output) needs increasing again, but in general I do think it's much more readable.

Hopefully you as the reader will agree that the changes make this a better CCIE blog and resource site!

As always I appreciate your feedback.

GNS3 Alpha 3 is here

gns3 logo

Another long bank holiday weekend in the UK heralds another GNS3 alpha release, it's not as much of a huge change as going from Alpha 1 to Alpha 2 was (as that brought with it the ability to connect native GNS3 routers to IOU images), but there is some cool stuff anyway. The changes with GNS3 1.0 Alpha 3 are:

  • Follow the “VMware model” to organize projects.
  • Topology files have the .gns3 extension instead of .net (they are still supported).
  • Fixed problem to capture on TAP or Ethernet interfaces when not root.
  • Updated the upload page.
  • Server request validations.
  • Graceful shutdown for the server & modules
  • Checks for valid IOS & IOU images
  • Checks for missing shared library dependencies in an IOU image.
  • Explicit error message for missing 32-bit binary support on 64-bit Linux when starting IOU.
  • Check if iouyap can access Ethernet and TAP devices.
  • Windows network interfaces support in clouds (need improvements but it works…)
  • Update tooltips to show node IDs.
  • Ranges for Dynamips UDP, console, auxiliary console and hypervisor ports.
  • Use Dynamips UDP NIO auto back-end for UDP tunnel connections (excepting stubs).
  • The GUI can check the server version.
  • Explicitly show an error if an IOS network module cannot be added or removed.
  • Support for –version on the command line for both the server and GUI.
  • Delete IOS ghost files when closing a project.
  • Check for the correct locale on Linux/UNIX.
  • Fixed bugs with duplicated node IDs.
  • Save exception.log in the same directory as the GNS3 settings file.
  • Added the view -> docks menu.
  • Checks on node ID returned by the server.

So what are the important things here? Well, it looks like the cloud support (for connecting GNS3 to real equipment) is working again, but most of the things above are little fixes rather than major changes.

The speed with which alpha 2 followed alpha 1, and now alpha 3 has followed alpha 2 in an equally short space of time, does show the commitment of the GNS3 folks. It probably won't be long until we see the first beta being released!

I would like to have the ability to add notes back again soon though please! 

Cisco ViRL - a first taste!

I was playing around with the onePK VM yesterday when I noticed something a little interesting, well, OK, it was all interesting, but something really stood out:

Cisco VIRL network topology

When you launch the nodes it looks like it uses a file with a .virl extension!

So it looks like onePK shares some of its code with ViRL (or, to call it by its official name, CML). We can dig a little deeper into the .virl file and have a little poke about; I haven't seen much about it since I last wrote about it, so it'll be nice to get a little taster of what is to come.

From an ssh connection (if you have given the onePK VM an IP on your network you can do "sudo apt-get install openssh-server"), simply cd through to /usr/share/vmcloud/data/examples/3node/ and do "vi 3node.virl".

.virl files

What we are presented with is a bunch of XML, and if you have read anything about ViRL/CML then you'll know that it uses XML to share configuration data.

The first line gives us a little insight that there is a schema for CML, and specifically for the vmmaestro GUI interface (see the schemaLocation at the end of it):

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<topology xmlns="http://www.cisco.com/VIRL" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" schemaVersion="0.3" xsi:schemaLocation="http://www.cisco.com/VIRL http://cide.cisco.com/vmmaestro/schema/virl.xsd">

Next we have the node information, one for each of our routers, but I am only showing one example here:

<node name="router1" type="SIMPLE" subtype="vios" location="188,263" vmImage="/usr/share/vmcloud/data/images/vios.ova">
  <extensions>
    <entry key="bootstrap configuration" type="String">/usr/share/vmcloud/data/examples/3node/router1.con</entry>
    <entry key="import files" type="String">/home/cisco/vmcloud-example-networks/3node/router1.p12</entry>
  </extensions>
  <interface name="GigabitEthernet0/0"/>
  <interface name="GigabitEthernet0/1"/>
  <interface name="GigabitEthernet0/2"/>
  <interface name="GigabitEthernet0/3"/>
</node>

Interestingly, because the IOSv routers used in onePK come in .ova format, it might be possible to run these as standalone VirtualBox routers, or even bring them into GNS3. I might have a play with that later on! Don't try and cat the .p12 file, it's not humanly readable.

Each router has a bootstrap configuration, in the form of a .con file, so we'll look at those in a moment.

We then have another node, which looks to be our management communication, to allow us access to the routers:

<node name="vmc_lan_1" type="SEGMENT" location="374,520"/>
<node name="eth1" type="ASSET" location="671,235">
  <interface name="none0"/>
  <interface name="none1"/>
</node>

Lastly we have our physical connection information, followed by the closing topology brackets:

<node name="lan_ex" type="SEGMENT" location="722,161"/>
<connection src="/topology/node[1]/interface[1]" dst="/topology/node[2]/interface[1]"/>
<connection src="/topology/node[1]/interface[2]" dst="/topology/node[3]/interface[1]"/>
<connection src="/topology/node[1]/interface[3]" dst="/topology/node[4]"/>
<connection src="/topology/node[2]/interface[2]" dst="/topology/node[4]"/>
<connection src="/topology/node[3]/interface[2]" dst="/topology/node[4]"/>
<connection src="/topology/node[3]/interface[3]" dst="/topology/node[6]"/>
<connection src="/topology/node[5]/interface[1]" dst="/topology/node[6]"/>
<connection src="/topology/node[1]/interface[4]" dst="/topology/node[6]"/>
<connection src="/topology/node[2]/interface[3]" dst="/topology/node[5]/interface[2]"/>
</topology>

So we should be able to see that node 1 connects to nodes 2 and 3 through its first and second interfaces - GigabitEthernet0/0 and GigabitEthernet0/1 respectively, and from the router, that certainly seems to be the case:
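To check that reading by hand rather than by eye, here is a small parser, added to this post as an example and not anything shipped with onePK or CML, that resolves the positional src/dst references in the connection list to node and interface names. The router1 node and the nine connections are as shown above; router2 and router3 are assumed to carry the same four GigabitEthernet interfaces as router1 (the page only shows router1), and the vmImage/extensions attributes are left out because the wiring does not depend on them. A reference that points outside the node or interface list raises rather than quietly mapping to the wrong element, which is the failure you want to see when a topology file has been hand-edited.

```python
"""Resolve the XPath-style connection references in a .virl topology file."""
import re
import xml.etree.ElementTree as ET

NS = "{http://www.cisco.com/VIRL}"

# Constructed sample assembled from the 3node.virl fragments quoted above.
# router1 and the connections are as on the page; router2/router3 are an
# ASSUMPTION (same four GigabitEthernet interfaces as router1).
SAMPLE_VIRL = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<topology xmlns="http://www.cisco.com/VIRL" schemaVersion="0.3">
  <node name="router1" type="SIMPLE" subtype="vios" location="188,263">
    <interface name="GigabitEthernet0/0"/>
    <interface name="GigabitEthernet0/1"/>
    <interface name="GigabitEthernet0/2"/>
    <interface name="GigabitEthernet0/3"/>
  </node>
  <node name="router2" type="SIMPLE" subtype="vios" location="0,0">
    <interface name="GigabitEthernet0/0"/>
    <interface name="GigabitEthernet0/1"/>
    <interface name="GigabitEthernet0/2"/>
    <interface name="GigabitEthernet0/3"/>
  </node>
  <node name="router3" type="SIMPLE" subtype="vios" location="0,0">
    <interface name="GigabitEthernet0/0"/>
    <interface name="GigabitEthernet0/1"/>
    <interface name="GigabitEthernet0/2"/>
    <interface name="GigabitEthernet0/3"/>
  </node>
  <node name="vmc_lan_1" type="SEGMENT" location="374,520"/>
  <node name="eth1" type="ASSET" location="671,235">
    <interface name="none0"/>
    <interface name="none1"/>
  </node>
  <node name="lan_ex" type="SEGMENT" location="722,161"/>
  <connection src="/topology/node[1]/interface[1]" dst="/topology/node[2]/interface[1]"/>
  <connection src="/topology/node[1]/interface[2]" dst="/topology/node[3]/interface[1]"/>
  <connection src="/topology/node[1]/interface[3]" dst="/topology/node[4]"/>
  <connection src="/topology/node[2]/interface[2]" dst="/topology/node[4]"/>
  <connection src="/topology/node[3]/interface[2]" dst="/topology/node[4]"/>
  <connection src="/topology/node[3]/interface[3]" dst="/topology/node[6]"/>
  <connection src="/topology/node[5]/interface[1]" dst="/topology/node[6]"/>
  <connection src="/topology/node[1]/interface[4]" dst="/topology/node[6]"/>
  <connection src="/topology/node[2]/interface[3]" dst="/topology/node[5]/interface[2]"/>
</topology>
"""

# src/dst are 1-based positional paths: node N in document order, interface M within it.
REF_RE = re.compile(r"^/topology/node\[(\d+)\](?:/interface\[(\d+)\])?$")


def resolve(ref, nodes):
    """Turn '/topology/node[1]/interface[2]' into 'router1:GigabitEthernet0/1'.

    A segment or asset referenced without an interface resolves to the bare
    node name. Malformed or out-of-range references raise ValueError.
    """
    m = REF_RE.match(ref)
    if not m:
        raise ValueError(f"unsupported reference: {ref}")
    n_idx = int(m.group(1)) - 1
    if not 0 <= n_idx < len(nodes):
        raise ValueError(f"node index out of range: {ref}")
    node = nodes[n_idx]
    if m.group(2) is None:
        return node.get("name")
    ifaces = node.findall(NS + "interface")
    i_idx = int(m.group(2)) - 1
    if not 0 <= i_idx < len(ifaces):
        raise ValueError(f"interface index out of range: {ref}")
    return f"{node.get('name')}:{ifaces[i_idx].get('name')}"


def links(virl_xml):
    """Return every <connection> as a (src, dst) pair of resolved endpoints."""
    root = ET.fromstring(virl_xml.encode("utf-8"))
    nodes = root.findall(NS + "node")
    return [(resolve(c.get("src"), nodes), resolve(c.get("dst"), nodes))
            for c in root.findall(NS + "connection")]


def neighbours(virl_xml, node_name):
    """Map each interface of node_name to the far end it is cabled to."""
    out = {}
    for src, dst in links(virl_xml):
        for local, remote in ((src, dst), (dst, src)):
            name, _, iface = local.partition(":")
            if name == node_name and iface:
                out[iface] = remote
    return out


if __name__ == "__main__":
    for iface, peer in sorted(neighbours(SAMPLE_VIRL, "router1").items()):
        print(f"router1 {iface} -> {peer}")
```

Running it lists router1's GigabitEthernet0/0 and 0/1 going to router2 and router3, 0/2 to the vmc_lan_1 segment and 0/3 to lan_ex, which is what the "show cdp neighbors" output above confirms.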

Connectivity through virl configuration

Reachability is also good:

Pinging routers in onePK

.con files

Looking at the router1.con file it is pretty standard Cisco configuration, I have removed extra exclamation marks though to make it a bit shorter:
cisco@onepk:/usr/share/vmcloud/data/examples/3node$ cat router1.con
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
ip cef
no ipv6 cef
ipv6 multicast rpf use-bgp
!
multilink bundle-name authenticated
!
username CISCOUSERNAME privilege 15 password 0 CISCOPASSWORD
!
redundancy
!
interface GigabitEthernet0/0
 ip address 10.10.20.110 255.255.255.0
 duplex auto
 speed auto
 no shutdown
!
interface GigabitEthernet0/1
 ip address 10.10.30.110 255.255.255.0
 no shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address 10.10.10.110 255.255.255.0
 no shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/3
 ip address dhcp
 no shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
control-plane
!
banner exec ^C
************************************************************************
*vIOS - Cisco Systems Confidential                                     *
*                                                                      *
*This software is provided as is without warranty for internal         *
*development and testing purposes only under the terms of the Cisco    *
*onePK Software Development Kit License Agreement. Under no            *
*circumstances may this software be used for production purposes or    *
*deployed in a production environment.                                 *
*                                                                      *
*By using the software, you agree to abide by the terms and conditions *
*of the Cisco onePK Software Development Kit License Agreement as well *
*as the terms and conditions of the Cisco End User License Agreement at*
*http://www.cisco.com/go/eula                                          *
*                                                                      *
*Unauthorized use or distribution of this software is expressly        *
*Prohibited.                                                           *
************************************************************************
^C
banner incoming ^C
************************************************************************
*vIOS - Cisco Systems Confidential                                     *
*                                                                      *
*This software is provided as is without warranty for internal         *
*development and testing purposes only under the terms of the Cisco    *
*onePK Software Development Kit License Agreement. Under no            *
*circumstances may this software be used for production purposes or    *
*deployed in a production environment.                                 *
*                                                                      *
*By using the software, you agree to abide by the terms and conditions *
*of the Cisco onePK Software Development Kit License Agreement as well *
*as the terms and conditions of the Cisco End User License Agreement at*
*http://www.cisco.com/go/eula                                          *
*                                                                      *
*Unauthorized use or distribution of this software is expressly        *
*Prohibited.                                                           *
************************************************************************
^C
banner login ^C
************************************************************************
*vIOS - Cisco Systems Confidential                                     *
*                                                                      *
*This software is provided as is without warranty for internal         *
*development and testing purposes only under the terms of the Cisco    *
*onePK Software Development Kit License Agreement. Under no            *
*circumstances may this software be used for production purposes or    *
*deployed in a production environment.                                 *
*                                                                      *
*By using the software, you agree to abide by the terms and conditions *
*of the Cisco onePK Software Development Kit License Agreement as well *
*as the terms and conditions of the Cisco End User License Agreement at*
*http://www.cisco.com/go/eula                                          *
*                                                                      *
*Unauthorized use or distribution of this software is expressly        *
*Prohibited.                                                           *
************************************************************************
^C
!
line con 0
line aux 0
line vty 0 4
 transport input all
!
onep
 transport type tls localcert demoTP disable-remotecert-validation
 start
!
! IOS PKI will fail to import the tftp file if we attempt this before
! the config has been fully applied. So if we just do:
!   crypto pki import demoTP pkcs12 [location] [etc...]
! We would see something similar to this in the boot log:
!   *Nov 29 19:27:32.415: CRYPTO_PKI: Copying pkcs12 from flash1://bootstrap_admin.con
!   *Nov 29 19:27:32.492: %PKI-6-PKCS12IMPORT_FAIL: PKCS #12 Import Failed.
! Therefore we use a short delay before loading the pkcs12 file:
!
event manager applet load_identity
 event timer countdown name Delay time 20
 action 0.0 cli command "enable"
 action 1.0 cli command "config terminal"
 action 2.0 cli command "file prompt quiet"
 action 3.0 cli command "crypto pki import demoTP pkcs12 flash2://router1.p12 password NOTsecure"
 action 4.0 syslog msg "Loaded bootstrap identity certificate"
!
end

Pretty cool stuff really, and it looks like when CML is finally released configuration will not be too hard, even without the fancy GUI! I am rather liking this onePK!