This is the retired Shane Killen personal blog, an IT technical blog about configs and topics related to the Network and Security Engineer working with Cisco, Brocade, Check Point, and Palo Alto and Sonicwall. I hope this blog serves you well. -- May The Lord bless you and keep you. May He shine His face upon you, and bring you peace.
Thursday, December 31, 2015
Wednesday, December 30, 2015
At The Cross...
Have you ever really listened to the words of the song "Love Ran Red"? Oh man, there are some powerful lyrics in this song.
"There is a place where mercy reigns and never dies. There is a place where streams of grace flow deep and wide."
"There is a place where sin and shame are powerless. Where my heart has peace with God, and forgiveness."
Where is that place? It's at the cross! Those lyrics are meant for you.
Tuesday, December 29, 2015
Brocade ICX Switch: DHCP Config And Related Commands
Below is the config that I typically do for running DHCP on a core ICX switch. This was done on version 08030aa firmware.
CONFIG:
ip dhcp-server pool Data
dhcp-default-router 10.10.10.22
dns-server 10.10.10.19 8.8.8.8
domain-name company.com
excluded-address 10.10.10.1 10.10.10.49
lease 1 0 0
network 10.10.10.0 255.255.255.0
deploy
ip dhcp-server enable
Below are some related commands you might find helpful. Note that the "Server uptime" does not start until you type in the "ip dhcp-server enable" command above.
SSH@CompanyCore#sh ip dhcp-server summary
DHCP Server Summary:
Total number of active leases: 4
Total number of deployed address-pools: 1
Total number of undeployed address-pools: 0
Server uptime: 00d:00h:15m:51s
SSH@CompanyCore#
SSH@CompanyCore#show ip dhcp-server address-pools
Showing all address pool(s):
Pool Name: data
Time elapsed since last save: 00d:00h:23m:56s
Total number of active leases: 4
Address Pool State: active
IP Address Exclusions: 10.10.10.1 10.10.10.49
Pool Configured Options:
dhcp-default-router: 10.10.10.22
dns-server: 10.10.10.19 8.8.8.8
domain-name: company.com
lease: 1 0 0
network: 10.10.10.0 255.255.255.0
CompanyCore#
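A consistency check for a pool like the one above, written as an added example for this post (it is not Brocade's or the author's code): it parses the pool statements, confirms the default router and any in-subnet DNS server fall inside the excluded range so the server never leases them to a client, confirms the exclusions and gateway sit inside the network, and counts the addresses left to hand out. The config text is the one from this post embedded as a constructed sample; the second, broken sample and the helper names are my own.

```python
import ipaddress
import re

# Constructed sample: the pool statements from this post, as typed on the ICX.
SAMPLE_CONFIG = """\
ip dhcp-server pool Data
dhcp-default-router 10.10.10.22
dns-server 10.10.10.19 8.8.8.8
domain-name company.com
excluded-address 10.10.10.1 10.10.10.49
lease 1 0 0
network 10.10.10.0 255.255.255.0
deploy
ip dhcp-server enable
"""

# Constructed bad sample (hypothetical): the gateway sits outside the exclusions,
# so the server could hand the gateway's own address to a client.
BAD_CONFIG = """\
ip dhcp-server pool Bad
dhcp-default-router 10.10.10.50
dns-server 10.10.10.19
excluded-address 10.10.10.1 10.10.10.49
network 10.10.10.0 255.255.255.0
deploy
"""


def parse_pools(config_text):
    """Parse 'ip dhcp-server pool' blocks into a dict keyed by pool name."""
    pools = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"ip dhcp-server pool (\S+)$", line)
        if m:
            current = {"name": m.group(1), "default_router": None, "dns": [],
                       "excluded": [], "network": None, "lease": None,
                       "deployed": False}
            pools[current["name"]] = current
            continue
        if line.startswith("ip dhcp-server"):
            current = None  # a global statement such as 'enable' ends the pool block
            continue
        if current is None:
            continue
        parts = line.split()
        key = parts[0]
        if key == "dhcp-default-router":
            current["default_router"] = ipaddress.ip_address(parts[1])
        elif key == "dns-server":
            current["dns"] = [ipaddress.ip_address(p) for p in parts[1:]]
        elif key == "excluded-address":
            # a single address, or a start/end range
            start = ipaddress.ip_address(parts[1])
            end = ipaddress.ip_address(parts[2]) if len(parts) > 2 else start
            current["excluded"].append((start, end))
        elif key == "network":
            current["network"] = ipaddress.ip_network(f"{parts[1]}/{parts[2]}",
                                                      strict=False)
        elif key == "lease":
            current["lease"] = tuple(int(p) for p in parts[1:4])  # days hours minutes
        elif key == "deploy":
            current["deployed"] = True
    return pools


def is_excluded(addr, excluded):
    return any(start <= addr <= end for start, end in excluded)


def check_pool(pool):
    """Return a list of findings; an empty list means the pool is consistent."""
    findings = []
    net = pool["network"]
    if net is None:
        return ["no network statement"]
    gw = pool["default_router"]
    if gw is None:
        findings.append("no default router")
    elif gw not in net:
        findings.append(f"default router {gw} is outside {net}")
    elif not is_excluded(gw, pool["excluded"]):
        findings.append(f"default router {gw} is not excluded and could be leased out")
    for dns in pool["dns"]:
        if dns in net and not is_excluded(dns, pool["excluded"]):
            findings.append(f"dns server {dns} is in the pool range but not excluded")
    for start, end in pool["excluded"]:
        if start not in net or end not in net:
            findings.append(f"excluded range {start}-{end} is not inside {net}")
    if not pool["deployed"]:
        findings.append("pool is not deployed")
    return findings


def usable_leases(pool):
    """Addresses the pool can hand out: hosts in the network minus exclusions."""
    return sum(1 for h in pool["network"].hosts()
               if not is_excluded(h, pool["excluded"]))


if __name__ == "__main__":
    for cfg in (SAMPLE_CONFIG, BAD_CONFIG):
        for name, pool in parse_pools(cfg).items():
            print(name, usable_leases(pool), check_pool(pool) or "OK")
```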
Monday, December 28, 2015
Sunday, December 27, 2015
Saturday, December 26, 2015
Home Projects: Tabletop Modification
I didn't have a pic of the week, so I thought I would post a home project this Saturday. Not long ago, I built this "pallet table" for my daughter. My wife decided that it didn't look right, and that the top needed to be solid instead of "looking" like a pallet. Not only that, but she thought that it needed to be stained. Below is the post I did for making the table, and also a picture of the final product.
http://www.shanekillen.com/2015/12/home-project-pallet-coffee-table.html?m=0
FROM the top TO the bottom:
Friday, December 25, 2015
Thursday, December 24, 2015
More For 2016
Merry Christmas Eve to you. I have some exciting things coming up on the blog for 2016. I'll be certainly continuing the IT technical posts as I normally do, which is the main portion of this blog. But I'll also have a few other things as well. I'm planning a product review of Colasoft's NChronos, which so far looks like an excellent product. I'll also be posting more home project posts. I'll be updating a 1935 home and I'm really excited about it (pictured below is the old school attic). Also I'll be putting in more quotes of the day as well.
Thank you for reading the blog this year. I hope you keep coming around.
Wednesday, December 23, 2015
Brocade ICX7250: Good Replacement Switches For Access Layer
I've been putting in some Brocade ICX7250 switches recently. They are the new low-end enterprise access-closet switches Brocade has out now for the ICX series, and they are really worth a look: up to 256Gbps switching backplane, up to 190Mpps, 80Gig stacking capability (up to 12 in a stack), SDN capable, with 8 10gig ports. And cheaper than an ICX6450. This could act as a core for a small office. I would not hesitate to do that. It does L3 and performs well.
Tuesday, December 22, 2015
Quote For The Day: 1
I have decided to add a "quote for the day" on occasion to the blog. Just something to mix in with all the technical stuff. We can start with Estee Lauder:
"I never dreamed of success. I worked for it."
Monday, December 21, 2015
Sunday, December 20, 2015
Sunday Thought: White Christmas
This is my absolute favorite version of this song: White Christmas by Otis Redding. May you be blessed today and every day. May The LORD shine His face upon you, and bring you peace.
Saturday, December 19, 2015
Friday, December 18, 2015
Sometimes It's Just Not What You Think
Now this was a strange one. One of my customers and I were putting in a Check Point 4800 appliance with all the blades (App and URL filtering, IPS, etc.). We were testing Internet connectivity and found that, on a 100Meg circuit, we had 89Meg down and 15Meg up. On the public side of the firewall, we got 90Meg down, 90Meg up. Hmm, it must be the firewall.
So after disabling every blade it had, we still had the same results. So after some time and frustration, we finally replaced the Cat5 patch cable between the Check Point and the next-hop router, and that resolved the problem. Sometimes, these kinds of problems can drive you crazy. I found it fitting to cut this cable.
Wednesday, December 16, 2015
Palo Alto: Where To Go To Generate An AVR Report
Generating an AVR is important to my customers when I'm putting in a demo Palo unit. They want to see what the new firewall will see over their current firewall. Here is how you run that report for upload to Palo.
Then when you download this from the unit, upload it to the AVR site.
Tuesday, December 15, 2015
Palo Alto: NAT Testing In CLI
I like that vendors allow you to test things in CLI. Testing NAT is sometimes necessary in troubleshooting issues. When you don't know for sure if your NAT is configured correctly or not, you can go into CLI and test it out.
shane@PA-3050(active)> test nat-policy-match destination 7.7.7.7 source 10.10.10.1 protocol 6 destination-port 80
Source-NAT: Rule matched: Users-Outbound
10.10.10.1:0 => 5.5.5.5:13666 (6), ethernet1/1
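Added example (not PAN-OS code or the author's): a small parser for the test output above plus a check that outbound traffic matched the intended rule, left on the intended interface, and was given a public source address instead of its private one, which is the kind of regression check worth running after a NAT policy change. The field layout of the translation line (original ip:port, translated ip:port, protocol number in parentheses, egress interface) is assumed from the sample output; the function names are mine.

```python
import ipaddress
import re

# Constructed sample: the two output lines from the test in this post.
SAMPLE_OUTPUT = """\
Source-NAT: Rule matched: Users-Outbound
10.10.10.1:0 => 5.5.5.5:13666 (6), ethernet1/1
"""

RULE_RE = re.compile(r"^(Source|Destination)-NAT: Rule matched: (\S+)$")
# Assumed layout: orig_ip:port => translated_ip:port (protocol), egress interface
XLATE_RE = re.compile(r"^(\S+):(\d+) => (\S+):(\d+) \((\d+)\), (\S+)$")


def parse_nat_match(output):
    """Parse 'test nat-policy-match' output into matched rules and translations."""
    result = {"source_nat": None, "destination_nat": None}
    current = None
    for line in output.splitlines():
        line = line.strip()
        m = RULE_RE.match(line)
        if m:
            key = "source_nat" if m.group(1) == "Source" else "destination_nat"
            current = {"rule": m.group(2)}
            result[key] = current
            continue
        m = XLATE_RE.match(line)
        if m and current is not None:
            # the translation line belongs to the rule printed just before it
            current.update(
                orig_ip=ipaddress.ip_address(m.group(1)),
                orig_port=int(m.group(2)),
                xlat_ip=ipaddress.ip_address(m.group(3)),
                xlat_port=int(m.group(4)),
                protocol=int(m.group(5)),
                egress_if=m.group(6),
            )
    return result


def check_source_nat(result, expected_rule, expected_egress):
    """Return findings; an empty list means outbound NAT behaves as intended."""
    snat = result["source_nat"]
    if snat is None:
        return ["no source-NAT rule matched: packet would leave with its private source"]
    findings = []
    if snat["rule"] != expected_rule:
        findings.append(f"matched rule {snat['rule']}, expected {expected_rule}")
    if snat.get("egress_if") != expected_egress:
        findings.append(f"egress {snat.get('egress_if')}, expected {expected_egress}")
    xlat = snat.get("xlat_ip")
    if xlat is None:
        findings.append("rule matched but no translation line was printed")
    elif xlat == snat["orig_ip"]:
        findings.append("source address was not translated")
    elif xlat.is_private:
        findings.append(f"translated source {xlat} is still a private address")
    return findings


if __name__ == "__main__":
    parsed = parse_nat_match(SAMPLE_OUTPUT)
    print(parsed)
    print(check_source_nat(parsed, "Users-Outbound", "ethernet1/1") or "OK")
```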
Monday, December 14, 2015
Take One WITH The Team
I was working at a customer site one day not long ago when something ended up taking the network down. I was working at one of their remote sites when the incident happened, and I didn't even know that it went down. However, when all was done, the whole network team was summoned into the network manager's office. He said that the main VP wanted to talk to us, and it wasn't going to be pleasant. It was during that moment that I heard what had actually happened to make the network go down. It didn't have anything to do with me, but I've been at this company for quite a while now working with them. So, when it came time for the network team to get a butt chewing, I went in with them to get it too.
Look, I'm part of their team. If I go in and partake in the glory that the network team gets at that company when things are done well, I think I should also go in with the team to get reamed when that happens. Close-knit teams do that. You share in their glory when all goes well, but you also share in the butt chewing when they don't.
Sunday, December 13, 2015
Sunday Thought: Where Could I Go But To The LORD
Elvis is one of my favorites. And he did gospel really well. Check this one out.
Saturday, December 12, 2015
Friday, December 11, 2015
Fiber Loopback
This came with a Check Point appliance. Nice little loopback fiber cable. Good for testing your GBIC and switch interface.
Thursday, December 10, 2015
Home Project: Pallet Coffee Table
My daughter asked me some time back to make her a coffee table made out of a pallet. I just recently got around to it and below is the transformation. Now I realize this is not something you would go buy and expect perfection. But, keep in mind, it's a pallet table.
Started with this...
Now some modifications...
Legs...
Final product...
A hammer and a screw can personalize it somewhat for them.
I had to cut another one like it to get the other pieces I needed...
Wednesday, December 9, 2015
Replaced Equipment
What do you do with an old Cisco 6509 that's no longer being used? It makes for a good desk base.
This was a "from Cisco to Cisco" replacement.
Monday, December 7, 2015
A Network Engineer's Story: Why I Prefer Brocade Switches Over Cisco
This post is something I have wanted to do for some time. I have people who ask me my thoughts between two vendors quite often. Usually, the comparison is Brocade vs Cisco. I also get asked a lot why I like Brocade so much. The story I'm about to tell you is "my" story of how I came to some professional and personal vendor conclusions. This road was not easy for me, because being a Cisco guy was important to me in my career growth. In fact, I got to where I am now because of my pursuit of Cisco. I would not have changed that if I'm being truthful. But, as I have grown a little older and a little more open-minded to technologies, there are some realities that I have just had to face. So bear with me while I tell you my story of how my head got turned around when looking at network gear for my customers.
One day as I came into my office, one of the owners came up to me and told me that he would like for me to meet with a vendor that was coming in. That wasn't unusual, even if we were interested or not. It was part of my job to evaluate technologies, and this guy wanted me to take a listen to this company. The next day, in walked the sales guy from this vendor to have this meeting. He was from Brocade. Honestly, I did not want to be introduced to them, nor have anything to do with them. I was very happy as a Cisco engineer at the consulting firm I work at and life was good. And after all, I had started this networking career pursuing Cisco fifteen years earlier (at that time). That was what I wanted to do early on, and that is what I "grew up" on in this IT career of mine. At the time of this writing, that guy walked into our office about five years ago.
As I sat down, I can tell you I was already closed off to what this guy had to say. Why would I be interested in Brocade? I'm a Cisco guy, and everyone knows that Cisco is the way to go, right? I let this guy talk for an hour or so, and I can tell you that I just was not into this conversation. As far as I was concerned, this guy just wasted an hour of my time. So I let that owner know I wasn't interested, among other things about this meeting, and went on my way to support my customers.
About a week later, that same owner came back to me and asked me to look at Brocade again. I can still hear his exact words: "I really need you to look at this." To me, this meant that he was wanting to start some kind of relationship with Brocade. I couldn't figure out why he wanted this, but I did meet with them again and gave them a chance to discuss their switching products. I did listen a little more openly this time. And hey, to me, this was just another meeting. At that time, it didn't mean anything to me. Again, this was about five years ago or so from the time of this writing.
Time went on and I had discussions, etc., with several people from Brocade. Still, nothing standing out at that point. I do remember one thing in particular the owner had said to me that was interesting. He said that a Cisco IP phone would boot up faster on a Brocade switch than it would on a Cisco switch. I immediately didn't believe that. After all, that just didn't seem logical to me. I asked him if he had seen that, and he said he had not. But that was something that he was told. By whom, I still don't know.
So the time finally came where one of my sales guys actually sold 118 Brocade switches to one of the school systems in the state I'm from. This was a network refresh project, and we were replacing all Cisco switches with Brocade gear. I guess I had to get my feet wet a little in Brocade land, and I was the engineer on this particular project. So I traveled up to this customer and started working on this with one of the Brocade engineers that wanted to go onsite with me. I won't bore you with the details of the project, but there was one thing that caught my attention in this network refresh. This customer has a Cisco phone system. And one thing I noticed when we were replacing the network gear was that the IP phones actually DID boot up faster on the Brocade switches than on the Cisco switches. That, to me, was a turning point that I was not expecting. A point in which I told myself that I had to look at this honestly. After all, I always made good decisions about technology. I just didn't always make honest decisions about technology.
Now, let me explain the last two sentences that I just said, where I said that I made good decisions, but not always honest decisions. What I mean is that I pride myself in doing the very best for my customers. I take pride in knowing I do the right things for them when it comes to design and equipment. I consider it my responsibility to tell my customers, as a trusted network adviser, what needs to be done in their networks and with what technologies. And Cisco was, and is, a good vendor to put in as my customer infrastructure. To me, that is a good decision, although, it was not honest when I consider the three things that are important to me now. You see, honestly, Cisco was a good technology to put in for routing and switching. But, was it the best product to put in for my customer? When I told my customers that "Cisco is the best gear you can get", was I being honest with them? As far as I knew at that time, the answer was always yes. But in reality, my lack of switch comparisons during that time would say that no is probably the real answer. I mean, I knew Cisco well technically, and Cisco certainly has a good reputation. What else did I need?
So, what is important to me now, that I would evaluate in gear for the network infrastructure? If you read my blog, you know there are three main things I talk about to my customers:
1. Price
2. Performance
3. Features
Now, back to five years ago when I saw that Cisco IP phone boot up faster on a Brocade switch over a Cisco switch. When I saw that, I knew I had to really look into this. When I started "honestly" looking at the comparisons between Cisco and Brocade, I could not believe what I was seeing on paper. I took the time to do the real "apples to apples" comparisons between what a Cisco switch performed at, and what a Brocade switch performed at. After all, I do that when I buy a new car. Why wouldn't I do that with network gear? And, I worked with both Cisco and Brocade gear in testing as much as I could. Not only that, I did the performance comparisons between the two vendors, along with feature set and pricing (through my sales guys) comparisons. I even put everything in a spreadsheet to compare the two vendors as far as performance and features goes that were important to me, so that I could see them side by side. I have to tell you, when I did this, this was the point when I realized that I had to change my "product view", as a network guy. I could no longer say the things I used to say, if I were going to be honest.
So, now let's fast forward five years to the now (at the time of this writing). I have around 20 years of Cisco experience and 5 years experience with Brocade. These are the conclusions that I have personally found in the three things I mentioned above that are important to me:
1. Price --> Brocade has always beat Cisco, when comparing "apples to apples". In fact, at the time of this writing, I just had my sales guy do a quote for an "apples to apples" comparison of three Cisco switches and three Brocade switches. Brocade was literally half the price of the Cisco quote.
2. Performance --> In doing the honest comparisons, again "apples to apples", I can tell you that from what I see, Brocade always beats Cisco in performance specs. It's not my fault, I don't make the gear. But I do evaluate it.
3. Features --> Cisco always wins when it comes to feature set. Honestly, it's just what I have found. However, 99% of my customers don't need that extra feature set that only Cisco offers. With only one exception that I recall (object tracking), Brocade has always had what my customers needed then and for their next five year plan. (Keep in mind, I do a lot of advanced configurations)
So what do I do with this information now? It's important to me to do my customers right. It's important to me to be a "trusted network adviser" to them. It is up to me to make sure I always present the right solutions for them, based on the three things that I feel are important for their company. I get paid by them to make the best decisions I can make for them. And if they choose to go with my advice or not, that is up to them. I have compared many vendors' specs against each other. In fact, it is my responsibility to make sure I'm presenting the best of #1 and #2 to my customers, and #3 when they need it. I have spent countless hours on comparisons, and will continue to do so as long as I'm in the IT services business. It's my responsibility as a technical engineer to my customers.
Now, all that said, let me give you one more reason to consider with the above in why I believe in the Brocade product. First, I have had very few problems with Brocade. Cisco is a solid product, but my experience in the last five years says that Brocade is equally a solid product as well in operation in the network. Sure, electronics is electronics with any vendor. I have seen Cisco fail and I have seen Brocade fail electronically, although very few on both. But, in my own experience, I have seen just as solid of manufacturing in Brocade as I have in Cisco.
I have met a lot of engineers and IT managers in my career. I have come to find a couple of things:
1: I have found that when you come across engineers that are very good with a particular brand, they typically want to stay with that product in their company environment. And I think the reason is that it's because that is what they know how to work on. They are comfortable with that and don't want to change because of that. But is that putting your company needs first? There was a time when I myself had this mindset in my career.
2: I have found that when technical people, especially IT managers, make decisions on equipment, they base it on price, without consideration of performance or features. It's new to them and they think things like "Its got a gig interface" or "The sales guy said this...". Money is really the overriding factor.
3: I've seen managers, not so much technical engineers, just trust the sales guy or engineer they like. And that is dangerous, because the selling engineer may only know about a certain brand of switch, which is what he is going to try to sell. And that may not be good for YOUR company.
For me right now, it's Brocade as my choice of switching gear. To me, they are the top performers when I honestly look at the switching gear. They are the ones putting in more bang for the buck, from what I see. Do the research yourself, and see what you come up with.
-- Shane
Sunday, December 6, 2015
Saturday, December 5, 2015
Friday, December 4, 2015
Brocade And Cisco Switches
I really like that the whole line of Brocade's ICX series has the capability of doing both L2 and L3 (at least static routing). That is just not the case with Cisco. I ran into this today on a Cisco 3750-X with a LAN BASE license. The customer had not purchased the license for L3 capability (IP BASE), so now we are waiting on that to get purchased so we can put it on the switch for the static routing we need (I'm talking about one default route).
If you want detailed explanations of Cisco licensing for the firmware and capabilities, you can go here.
Thursday, December 3, 2015
Brocade ICX: Upgrading to 8.X From A Prior Version And The Effects On LAGs
I came across a stack of 6610s recently that I needed to upgrade to FCXR08010h.bin. I was coming from FCXR07300f.bin and I was concerned about what it would do to the link-aggregations (LAGs) in the config. However, I remembered that I had read (and even posted in one of my blog entries) that when you upgrade, the upgrade process will convert for you to the new format for configuration of LAGs. With that said, I loaded the new firmware onto the stack (which copied automatically to all switches in the stack) and did the upgrade.
I was surprised at two things.
1. It was still very fast to boot up. I thought it might take a little time to do the conversion, but it didn't. It was just as fast as a regular bootup of the ICX6610.
2. I was surprised that I didn't have to do anything to correct the configuration. It turned out perfect without any issue at all. I see pretty regularly when I do upgrades to other vendor equipment where I have to go in and correct some config that didn't get properly converted over. I see that a lot in the ASA world. However, in dealing with these LAGs on the Brocade ICX series, I had no issue at all. Very nice.
One of the things I did for my own comfort was to go and read the migration process that Brocade has posted. See below; I think it's good information when you want to upgrade to the new 8.X code.
I got the following from this location at Brocade's site: http://www.brocade.com/content/html/en/configuration-guide/fastiron-08030b-l2guide/GUID-A28179D3-231C-46AF-82F2-6675607B81A9.html
Migrating from a previous release to 08.0.00a LAG or LACP configuration
If you are upgrading from a version of the software prior to 08.0.00a and have either LAGs or LACP configured, the previous configuration will be automatically updated with the new commands to form a LAG that is equivalent to the previous configuration. To accomplish this, the old trunk and link-aggregation commands are maintained during startup configuration parsing, but disabled during normal configuration.
The following are the major differences in LAG configuration between 08.0.00a and prior releases:
- A LAG is not created until a LAG is deployed using the deploy command.
- LACP is not started until a dynamic LAG is deployed.
- The number of LAG ports can range between 1 and 16 on Brocade ICX 7750, Brocade ICX 7450, and Brocade ICX 7250 devices. For FSX 3rd generation modules, the port range is between 1 and 12. For Brocade ICX 6430, Brocade ICX 6450, Brocade ICX 6610, and Brocade ICX 6650 devices, the port range is between 1 and 8. A LAG is created even if a static or dynamic LAG has only one port.
The following process is followed during the conversion of the trunk and link-aggregation to the new LAG commands.
- For any static LAG configured using the trunk ethernet stack/slot/port to stack/slot/port command, the following conversion procedure is followed.
  - A static LAG is created containing the port list specified in the trunk command. This LAG is then automatically deployed.
  - The lowest-numbered port from the original trunk list is selected as the primary port of the LAG.
  - The converted LAG is named "LAG_x", where "x" is a unique number assigned by the system starting from 1.
- For any dynamic link aggregation (LACP) group configured using the port-level link-aggregate commands, the following conversion procedure is followed.
  - A dynamic LAG is created by grouping all ports in the original configuration having the same link-aggregation key.
  - If link-aggregate active/passive is configured originally, the converted dynamic LAG is configured as deployed; otherwise it is not converted, because such ports were originally not operating under LACP.
  - If the original mode is passive, the converted dynamic LAG will be configured as deploy passive. Otherwise active mode is the default.
  - The timeout configuration set by the command link-aggregate configure timeout will be converted to the lacp-timeout command.
  - The value of the link-aggregate configure key command is used in the conversion in determining the set of ports that form a LAG, so prior to upgrade the key must be configured on all the link-agg groups. In the new LAG user interface, there is no need for a user to explicitly configure a key. Each dynamic LAG will automatically select a unique key for the system. Hence the original configured key will not be retained.
  NOTE: You cannot copy configurations to the running configuration from a TFTP server. It is not supported when you upgrade from a software version earlier than 08.0.00a to the 8.0 configuration. The configuration must be saved on flash as the startup configuration, and a reload is required without write-memory.
  - The command link-aggregate configure system-priority is retired and will not be directly converted. This value is currently not in use by the system's LACP protocol processing, and will maintain a default value of 1.
  - The lowest-numbered port will be selected as the primary port of the LAG.
  - Port names configured in the original interface configuration will be converted to port names within the LAG.
  - The converted LAG will be named "LAG_x", where "x" is a unique number assigned by the system starting from 1.
Tuesday, December 1, 2015
Cisco Switch: Checking Optical Power Levels
When you run into poor fiber conditions, you need to prove it so that you can move on instead of banging your head with the customer trying to get you to "make it work". Below is a useful command for that.
Look at the last table (Optical Receive Power). The first value on the Gi2/0/49 row is the actual optical receive power coming in from the far side: -25.8 dBm, flagged "-" (low warning, per the legend at the top) because it is below the low-warning threshold of -23.0 dBm and only 0.2 dB above the low-alarm threshold of -26.0 dBm. That is probably enough to cause issues, which it did for me.
2960#show int GigabitEthernet2/0/49 transceiver detail
ITU Channel not available (Wavelength not available),
Transceiver is internally calibrated.
mA: milliamperes, dBm: decibels (milliwatts), NA or N/A: not applicable.
++ : high alarm, + : high warning, - : low warning, -- : low alarm.
A2D readouts (if they differ), are reported in parentheses.
The threshold values are calibrated.
High Alarm High Warn Low Warn Low Alarm
Temperature Threshold Threshold Threshold Threshold
Port (Celsius) (Celsius) (Celsius) (Celsius) (Celsius)
--------- ------------------ ---------- --------- --------- ---------
Gi2/0/49 35.5 90.0 85.0 -40.0 -45.0
High Alarm High Warn Low Warn Low Alarm
Voltage Threshold Threshold Threshold Threshold
Port (Volts) (Volts) (Volts) (Volts) (Volts)
--------- --------------- ---------- --------- --------- ---------
Gi2/0/49 3.31 3.63 3.46 3.13 2.97
Optical High Alarm High Warn Low Warn Low Alarm
Transmit Power Threshold Threshold Threshold Threshold
Port (dBm) (dBm) (dBm) (dBm) (dBm)
--------- ----------------- ---------- --------- --------- ---------
Gi2/0/49 -5.5 -2.7 -3.5 -9.0 -9.9
Optical High Alarm High Warn Low Warn Low Alarm
Receive Power Threshold Threshold Threshold Threshold
Port (dBm) (dBm) (dBm) (dBm) (dBm)
------- ----------------- ---------- --------- --------- ---------
Gi2/0/49 -25.8 - 3.0 0.0 -23.0 -26.0
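As an added example (my code, not from the original post), here is a small Python parser for this "transceiver detail" output. It recomputes the ++/+/-/-- flag for each reading from the thresholds on the same row, so you can check the switch's verdict and report how much margin is left before the receive side hits low alarm. The section prefixes ("Temperature", "Voltage", "Transmit Power", "Receive Power") and the port-name pattern are assumptions taken from the layout shown above.

```python
import re

# Constructed sample: the output quoted in the post above, with the column
# spacing collapsed the way the blog rendered it (banner lines trimmed).
SAMPLE = """\
2960#show int GigabitEthernet2/0/49 transceiver detail
++ : high alarm, + : high warning, - : low warning, -- : low alarm.
A2D readouts (if they differ), are reported in parentheses.
High Alarm High Warn Low Warn Low Alarm
Temperature Threshold Threshold Threshold Threshold
Port (Celsius) (Celsius) (Celsius) (Celsius) (Celsius)
--------- ------------------ ---------- --------- --------- ---------
Gi2/0/49 35.5 90.0 85.0 -40.0 -45.0
High Alarm High Warn Low Warn Low Alarm
Voltage Threshold Threshold Threshold Threshold
Port (Volts) (Volts) (Volts) (Volts) (Volts)
--------- --------------- ---------- --------- --------- ---------
Gi2/0/49 3.31 3.63 3.46 3.13 2.97
Optical High Alarm High Warn Low Warn Low Alarm
Transmit Power Threshold Threshold Threshold Threshold
Port (dBm) (dBm) (dBm) (dBm) (dBm)
--------- ----------------- ---------- --------- --------- ---------
Gi2/0/49 -5.5 -2.7 -3.5 -9.0 -9.9
Optical High Alarm High Warn Low Warn Low Alarm
Receive Power Threshold Threshold Threshold Threshold
Port (dBm) (dBm) (dBm) (dBm) (dBm)
------- ----------------- ---------- --------- --------- ---------
Gi2/0/49 -25.8 - 3.0 0.0 -23.0 -26.0
"""

# Legend printed by the switch: the flag sits between the reading and the thresholds.
FLAG_LEGEND = {"++": "high alarm", "+": "high warning", "-": "low warning", "--": "low alarm"}
# Assumed section header prefixes (taken from the sample layout above).
SECTION_NAMES = {"Temperature": "temperature", "Voltage": "voltage",
                 "Transmit Power": "tx_power", "Receive Power": "rx_power"}
PORT_RE = re.compile(r"^(?:Gi|Te|Fa|Fo|Hu)\d+(?:/\d+)+$")
NUM_RE = re.compile(r"^-?\d+(?:\.\d+)?")  # leading number; an A2D value in parentheses is ignored


def _number(token):
    """Parse '35.5' or '35.5(35.4)'; return None for N/A, dashes or flags."""
    m = NUM_RE.match(token)
    return float(m.group(0)) if m else None


def classify(value, high_alarm, high_warn, low_warn, low_alarm):
    """Reproduce the rule behind the ++ / + / - / -- flags for one reading."""
    if value >= high_alarm:
        return "high alarm"
    if value >= high_warn:
        return "high warning"
    if value <= low_alarm:
        return "low alarm"
    if value <= low_warn:
        return "low warning"
    return "ok"


def parse_transceiver_detail(text):
    """Return {port: {section: {value, switch_flag, thresholds..., status}}}."""
    readings = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        for prefix, name in SECTION_NAMES.items():
            if line.startswith(prefix):
                section = name  # header line announcing the next table
        tokens = line.split()
        if section is None or not tokens or not PORT_RE.match(tokens[0]):
            continue  # banner, header, or dashes line
        port, rest = tokens[0], tokens[1:]
        value, rest = _number(rest[0]), rest[1:]
        flag = None
        if rest and rest[0] in FLAG_LEGEND:
            flag, rest = FLAG_LEGEND[rest[0]], rest[1:]
        if value is None or len(rest) != 4:
            continue  # N/A reading or an unexpected layout; skip rather than guess
        thresholds = [_number(t) for t in rest]
        if None in thresholds:
            continue
        ha, hw, lw, la = thresholds
        readings.setdefault(port, {})[section] = {
            "value": value, "switch_flag": flag,
            "high_alarm": ha, "high_warn": hw, "low_warn": lw, "low_alarm": la,
            "status": classify(value, ha, hw, lw, la),
        }
    return readings


def rx_margin_db(readings, port):
    """dB of headroom between receive power and its low-alarm threshold (negative = in alarm)."""
    r = readings[port]["rx_power"]
    return round(r["value"] - r["low_alarm"], 1)


def problem_ports(readings):
    """Ports with any monitored value outside the OK band."""
    return sorted(p for p, secs in readings.items()
                  if any(s["status"] != "ok" for s in secs.values()))


if __name__ == "__main__":
    parsed = parse_transceiver_detail(SAMPLE)
    for port in problem_ports(parsed):
        rx = parsed[port]["rx_power"]
        print(f"{port}: rx {rx['value']} dBm -> {rx['status']}, "
              f"{rx_margin_db(parsed, port)} dB above low alarm")
```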
Monday, November 30, 2015
Back Up Your Network Configs
Just as the title suggests, you should always back up your configs. I just did this today on a Check Point management station for a client (upgrade export). We didn't have a current backup, so I took one so that if anything happened, we could get back up quickly. It's always better to be safe than sorry.
I have found in the past that some customers will call me asking if I know how something was configured. Basically, they are hoping that I have a backup of the config, in most cases because something died and now needs to be restored onto a new piece of gear or the repaired gear. Always make sure you can recover from a disaster.
Sunday, November 29, 2015
Sunday Thought: Worth
I took a trip last weekend to Minneapolis to a customer site. Nothing worth mentioning really technically. But I did have two encounters that were worth mentioning. I met two people in particular that made the trip worth mentioning.
The first guy was a native Afghan who drove me to the airport from my hotel. He pulled up in a large black Yukon SUV and off we went on a 30 minute drive. He was interesting to me. He was 58 years old and had lived in MN for 32 years. As he and I talked casually on that drive, it was just interesting to me how he had a lot of the same kind of thoughts that I have. Things like work ethic, treating people well, family values, etc. I could tell he was a good man. And I was happy to meet him for the 30 minute drive we had. I'll never see that man again. But I'll remember that drive for a while. The main thing I got from that drive is that I think people generally are the same all around the world. I know the weird/crazy/etc ones are the loudest ones, but I think generally, people are basically the same all around the world.
The second guy I met was on the plane back from MSP to ATL. He was 55 years old and from Spokane, WA. He had some interesting insights about life that I could really appreciate. Some things that his father had passed down to him and some things that he had just learned about life. I enjoyed talking about comparisons between where we lived, pictures of our family, and just life discussions. We had 2.5 hours to discuss things, and I'm very glad to have met this guy. He said two things that stuck with me.
1. The first thing he said was that a man's net worth does not determine his self worth.
2. The second thing he said was that for every one of us, it ends the same way down here.
Even though I only got to spend a total of 3 hours with these two people, I'm thankful to have had that time. I think it may be time to be more in tune with the time I'm spending with people. I'm working on it.
Saturday, November 28, 2015
Friday, November 27, 2015
Friday After Thanksgiving
This is an off day for me, so I'm just posting a picture I took this week of the sky. I really like these.
Thursday, November 26, 2015
Wednesday, November 25, 2015
Brocade Switch: How To Redo The Crypto Key For SSH Access For An ICX 6610
It's very rare, but sometimes I have to delete the crypto key I generated for SSH access. In fact, I can only think of twice that I have had to do this on a Brocade switch. Here is how I did this the second time. Keep in mind that regenerating the RSA key pair gives the switch a new SSH host key, so any client that cached the old one (for example in an SSH known_hosts file) will warn that the host key has changed; verify the new fingerprint before accepting it.
.6610(config)#crypto key zeroize rsa
RSA Key pair is successfully deleted
.6610(config)#crypto key gen rsa mod 2048
.6610(config)#
Creating RSA key pair, please wait...
RSA Key pair is successfully created
.6610(config)#
Tuesday, November 24, 2015
Cisco ASA: Finding Out What Port Is Being Used For An Application In A Packet Capture
I had run a packet capture on an ASA to see if I could find the traffic that was being reported as dropped packets. The IT staff had told me that the application, the one being blocked, was going out on a particular port. However, when I didn't see that traffic coming in on that port, I did another packet capture to the destination IP address. This proved that the traffic was going out on port 25 instead: every packet below has a destination of 120.120.120.120.25 (IP 120.120.120.120, port 25). Set up your ACL to match what you are looking for, and apply it where you need to.
asa(config)# sh capture capin
18 packets captured
1: 07:56:52.065853 3.3.3.3.44986 > 120.120.120.120.25: S 1199789812:1199789812(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
2: 07:56:52.098246 3.3.3.3.44986 > 120.120.120.120.25: . ack 99226430 win 258
3: 07:56:52.134026 3.3.3.3.44986 > 120.120.120.120.25: P 1199789813:1199789827(14) ack 99226483 win 258
4: 07:56:52.172629 3.3.3.3.44986 > 120.120.120.120.25: P 1199789827:1199789833(6) ack 99226652 win 257
5: 07:56:52.172979 3.3.3.3.44986 > 120.120.120.120.25: F 1199789833:1199789833(0) ack 99226652 win 257
...
18 packets shown
asa(config)#
Monday, November 23, 2015
Brocade Switch: Why Does My Switch Keep Booting To The Old Firmware?
I ran into this the other night when I was making some topology changes. I had several switches I wanted to upgrade to the newer 8.X code, and one of them had a statement that caused me to reboot the switch twice instead of just once. This particular ICX6450 had the statement "boot sys fl sec" in place, meaning boot to the secondary code. I did put in the "boot sys fl pri" command to make sure it booted to the primary one, the one I had just upgraded. But I didn't see in the config that the secondary line was before the primary line. In fact, I just didn't bother to look really. However, when I went in and saw the below, I took the secondary statement out and all was well.
...
!
boot sys fl sec
boot sys fl pri
...
Switch(config)#no boot sys fl sec
Sunday, November 22, 2015
Saturday, November 21, 2015
Friday, November 20, 2015
Brocade Switch: Three Commands To Find A Device In CLI
I had a post a few days ago (here) about finding a device and where it's plugged into the network on a Cisco switch. Brocade is no different, except for one keyword. The difference is called out inline in the output below.
telnet@core#ping 192.168.1.21
Sending 1, 16-byte ICMP Echo to 192.168.1.21, timeout 5000 msec, TTL 64
Type Control-c to abort
Reply from 192.168.1.21 : bytes=16 time<1ms TTL=128
Success rate is 100 percent (1/1), round-trip min/avg/max=0/0/0 ms.
telnet@core#sh arp 192.168.1.21
No. IP Address MAC Address Type Age Port Status
1 192.168.1.21 0050.569a.1234 Dynamic 0 1/1/14*2/1/16 Valid
telnet@core#sh mac-address 0050.569a.1234 <---- Cisco has the keyword "address", where Brocade does not
Total active entries from all ports = 234
MAC-Address Port Type Index VLAN
0050.569a.1234 1/1/14*2/1/16 Dynamic 50764 102
telnet@core#
As shown above, the device I'm looking for is downstream on a LAG. I know this because I configured the LAG. Anyway, almost the same process.
Thursday, November 19, 2015
Re-Categorizing On The Right
I'm in the process of re-categorizing posts to try to make it easier to find what you might be looking for. Just FYI.
Cisco ASA: "Removing peer from peer table failed, no match!" For VPN
My customer says that the VPN to a certain customer of theirs is down on the ASA. Nothing changed on our side, so the obvious answer is that something changed on their side. So I get him to run a constant ping to the remote side network he is trying to reach. But I see the below when doing a "show cryp isa". The MM_WAIT_MSG2 state means the ASA, as initiator, has sent the first IKEv1 main mode message and is still waiting on the peer's reply, so the peer is not answering at all.
6 IKE Peer: 4.2.26.166
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
I also see this in the logs:
Nov 09 11:02:44 [IKEv1]: IP = 4.2.26.166, Removing peer from peer table failed, no match!
Nov 09 11:02:44 [IKEv1]: IP = 4.2.26.166, Error: Unable to remove PeerTblEntry
As it turns out, their Internet connection is down. When it came back up, so did the VPN.
Wednesday, November 18, 2015
Pinging A Broadcast Address
One thing I like to do is to find ways to gather information when I need to. After all, in IT, information about networks or devices can be valuable. So when thoughts cross my mind, sometimes I feel the need to test them out.
Now first, I do realize that I could have easily used an IP scanner to find this out. My personal favorite is Angry IP Scanner (not the Java based one). All I wanted to do was to find the IPs of my Sonos gear at my house. So I decided to do this the more interesting way. I pinged 192.168.0.255 at home, and the packet capture I was running saw the responses from the devices on my network. Here below is what I found when I did the ping.
You can see the following IPs of my Sonos gear, as proved by the L2 info on the NIC:
192.168.0.8
192.168.0.10
192.168.0.12
192.168.0.17
192.168.0.23
Now, most of you won't find that useful. I, however, will, when it comes to information gathering.
Monday, November 16, 2015
Brocade Switch: Interface Uptime Counter
One thing I like about the Brocade interface command is that it shows the uptime. Very nice feature for sure. You need this sometimes in troubleshooting. The port below has been up for 11 seconds.
6610(config)#show int eth 1/1/17
GigabitEthernet1/1/17 is up, line protocol is up
Port up for 11 seconds
Hardware is GigabitEthernet, address is cc4e.243f.c698 (bia cc4e.243f.c6a8)
Configured speed auto, actual 1Gbit, configured duplex fdx, actual fdx
Configured mdi mode AUTO, actual MDI
Member of 3 L2 VLANs, port is tagged, port state is FORWARDING
BPDU guard is Enabled, ROOT protect is Disabled, Designated protect is Disabled
Link Error Dampening is Disabled
STP configured to ON, priority is level0, mac-learning is enabled
Flow Control is config enabled, oper enabled, negotiation disabled
Mirror disabled, Monitor disabled
Mac-notification is disabled
Not member of any active trunks
Not member of any configured trunks
No port name
Inter-Packet Gap (IPG) is 96 bit times
MTU 10200 bytes, encapsulation ethernet
300 second input rate: 12016 bits/sec, 18 packets/sec, 0.00% utilization
300 second output rate: 26776 bits/sec, 32 packets/sec, 0.00% utilization
243 packets input, 20083 bytes, 0 no buffer
Received 14 broadcasts, 0 multicasts, 229 unicasts
0 input errors, 0 CRC, 0 frame, 0 ignored
0 runts, 0 giants
490 packets output, 50609 bytes, 0 underruns
Transmitted 406 broadcasts, 84 multicasts, 0 unicasts
0 output errors, 0 collisions
Relay Agent Information option: Disabled
Egress queues:
Queue counters Queued packets Dropped Packets
0 471 0
1 0 0
2 0 0
3 0 0
4 0 0
5 0 0
6 19 0
7 0 0
6610(config)#
Sunday, November 15, 2015
Sunday Thought: The Case For Christ
If you don't know who Jesus is or what He did for you, it's worth researching for yourself. It's literally a matter of life and death. Start with something easy. The Case For Christ is a good and easy read.
Saturday, November 14, 2015
Friday, November 13, 2015
Cisco Switch: Three Commands To Find A Device In CLI
I was tasked to find a bunch of printers on the network. Cable labeling was a train wreck, and we needed to know where all the printers were so that we could change them to appropriate vlans. Thankfully, the company knew the IP addresses of the printers. So, if they know that, I can find the printers.
First, get the printer in the arp table by pinging it.
Cisco_Switch#ping 192.168.13.71
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.71, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/202/1000 ms
Then, find out the mac address.
Cisco_Switch#sh arp 192.168.13.71
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.13.71 0 0080.9176.1234 ARPA Vlan1
Then, find out what port it's on.
Cisco_Switch#sh mac add add 0080.9176.1234
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 0080.9176.1234 DYNAMIC Gi2/0/5
Total Mac Addresses for this criterion: 1
Thursday, November 12, 2015
Cisco Switch: Setting NTP For Time
Real quick, here is how to set up NTP on a Cisco switch. Real easy. This customer is in the CST timezone, which is UTC-6. Note the asterisk in front of the first "sh clock" output: it means the clock was not yet authoritative because NTP had not synchronized. The second "sh clock" shows the correct time once the association came up.
CiscoSwitch#sh ntp stat
%NTP is not enabled.
CiscoSwitch#config t
Enter configuration commands, one per line. End with CNTL/Z.
CiscoSwitch(config)#ntp server 192.168.9.4
CiscoSwitch(config)#clock timezone CST -6
CiscoSwitch(config)#exit
CiscoSwitch#sh ntp assoc
address ref clock st when poll reach delay offset disp
*~192.168.9.4 132.163.4.101 2 1 64 1 5.000 -0.500 939.37
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
CiscoSwitch#sh clock
*00:25:50.210 CST Mon Jun 17 1996
CiscoSwitch#sh clock
22:43:45.299 CST Tue Nov 3 2015
Tuesday, November 10, 2015
Monday, November 9, 2015
Brocade Switch: BPDU Guard
You really have to be careful where you implement BPDU guard on switches. I have customers that need to have unmanaged switches, for whatever reason, in their network. On the link-aggregation ports below (or "lag"), it sees a BPDU coming in from a downstream switch. What does it do when you have "stp-bpdu-guard" enabled on the primary interface? ERR-DISabled. Now, I agree, that is what you want to happen to get rid of those unmanaged switches. However, in some cases, you have to let them live.
Corp6610(config-if-e1000-1/1/14)#sh run int eth 1/1/14
interface ethernet 1/1/14
port-name *** Switch Uplink ***
stp-bpdu-guard
RSTP: Received BPDU on BPDU guard enabled Port 1/1/14 (vlan=15), errdisable Port 1/1/14
Corp6610(config-if-e1000-1/1/14)#no disable
Corp6610(config-if-e1000-1/1/14)#sh lag LAG05
Total number of LAGs: 5
Total number of deployed LAGs: 5
Total number of trunks created:5 (115 available)
LACP System Priority / ID: 1 / cc4e.243f.XXXX
LACP Long timeout: 120, default: 120
LACP Short timeout: 3, default: 3
=== LAG "LAG05" ID 5 (static Deployed) ===
LAG Configuration:
Ports: e 1/1/14 e 2/1/14
Port Count: 2
Primary Port: 1/1/14
Trunk Type: hash-based
Deployment: HW Trunk ID 3
Port Link State Dupl Speed Trunk Tag Pvid Pri MAC Name
1/1/14 ERR-DIS None None None 5 No 15 0 cc4e.243f.XXXX *** Switch Uplink
2/1/14 ERR-DIS None None None 5 No 15 0 cc4e.243f.XXXX
Sunday, November 8, 2015
Sunday Thought: Looking Forward
I have to say that the music of the 80s was just when I started getting into music. I still love the sound of that time for some reason.
With that, I came across an oldie that I like. It's called "Another Time And Another Place".
Saturday, November 7, 2015
Friday, November 6, 2015
Cisco ASA: Capture ASP-DROP Command
There are times when you just have to take advantage of some cool troubleshooting tools that these companies put out. Cisco has a pretty cool CLI command that I like when I just can't seem to see the config problem with my eyes. It's the below capture command. I used this when trying to troubleshoot why I couldn't get packets across the VPN. I could see it on the interface in a packet capture, but going back, it was getting dropped. How did I know that? First, my packet capture told me when I looked on the inside interface of the ASA. I saw it. I also saw the packet coming back on the inside interface as well. But it turns out that there was an ACL dropping it, as shown below (Drop-reason: acl-drop). Once I saw this, I immediately took off the ACL (to test) and the packets went through the VPN just fine after that. Then I modified the ACL to resolve the issue.
ASA# capture asp-drop type asp-drop acl-drop
ASA# show capture asp-drop
32 packets captured
...
27: 14:05:42.770162 802.1Q vlan#15 P0 10.10.15.25 > 10.10.50.127: icmp: echo reply Drop-reason: (acl-drop) Flow is denied by configured rule
...
32 packets shown
ASA#
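As an added example (my code, not from the original posts), here is a Python parser that covers both ASA capture formats used on this page: the plain "show capture capin" lines from the port-25 post above, and the "show capture asp-drop" lines with a Drop-reason. It tallies destination ports per protocol, so the port an application really uses stands out, and tallies drop reasons. The line layout is assumed from the two captures quoted on this page; both samples are copied from those posts.

```python
import re
from collections import Counter

# Constructed samples: the two captures quoted in the posts on this page.
CAPIN_SAMPLE = """\
18 packets captured
1: 07:56:52.065853 3.3.3.3.44986 > 120.120.120.120.25: S 1199789812:1199789812(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
2: 07:56:52.098246 3.3.3.3.44986 > 120.120.120.120.25: . ack 99226430 win 258
3: 07:56:52.134026 3.3.3.3.44986 > 120.120.120.120.25: P 1199789813:1199789827(14) ack 99226483 win 258
4: 07:56:52.172629 3.3.3.3.44986 > 120.120.120.120.25: P 1199789827:1199789833(6) ack 99226652 win 257
5: 07:56:52.172979 3.3.3.3.44986 > 120.120.120.120.25: F 1199789833:1199789833(0) ack 99226652 win 257
...
18 packets shown
"""

ASP_DROP_SAMPLE = """\
32 packets captured
...
27: 14:05:42.770162 802.1Q vlan#15 P0 10.10.15.25 > 10.10.50.127: icmp: echo reply Drop-reason: (acl-drop) Flow is denied by configured rule
...
32 packets shown
"""

# One capture line: "<n>: <time> [802.1Q vlan#<v> P<p>] <src>[.<port>] > <dst>[.<port>]: <rest>"
# (layout assumed from the samples above).
PACKET_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:802\.1Q vlan#(?P<vlan>\d+) P\d+\s+)?"
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<src_port>\d+))?\s+>\s+"
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dst_port>\d+))?:\s+(?P<rest>.*)$"
)
DROP_RE = re.compile(r"Drop-reason:\s+\((?P<code>[^)]+)\)\s*(?P<text>.*)")


def _int(s):
    return int(s) if s is not None else None


def _proto(rest):
    """ASA writes 'icmp:' or 'udp' after the addresses; TCP lines start with flags."""
    head = rest.split(None, 1)[0].rstrip(":").lower()
    return head if head in ("icmp", "udp") else "tcp"


def parse_capture(text):
    """Parse 'show capture' output into a list of packet dicts; skips counters and prompts."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if not m:
            continue  # "18 packets captured", "...", prompt lines
        rest = m.group("rest")
        drop = DROP_RE.search(rest)
        packets.append({
            "num": int(m.group("num")),
            "time": m.group("time"),
            "vlan": _int(m.group("vlan")),
            "src_ip": m.group("src_ip"),
            "src_port": _int(m.group("src_port")),
            "dst_ip": m.group("dst_ip"),
            "dst_port": _int(m.group("dst_port")),
            "proto": _proto(rest),
            "drop_reason": drop.group("code") if drop else None,
            "drop_text": drop.group("text").strip() if drop else None,
        })
    return packets


def destination_ports(packets):
    """Count (proto, dst_port) pairs; the application's real port shows up on top."""
    return Counter((p["proto"], p["dst_port"]) for p in packets if p["dst_port"] is not None)


def drop_reasons(packets):
    """Count asp-drop reason codes, e.g. {'acl-drop': 1}."""
    return Counter(p["drop_reason"] for p in packets if p["drop_reason"])


if __name__ == "__main__":
    capin = parse_capture(CAPIN_SAMPLE)
    for (proto, port), n in destination_ports(capin).most_common():
        print(f"{n} packets to {proto}/{port}")
    for code, n in drop_reasons(parse_capture(ASP_DROP_SAMPLE)).items():
        print(f"{n} dropped: {code}")
```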
Thursday, November 5, 2015
Brocade Switch: I've Got This One Thing In Particular That I Don't Like
Don't think by the title that I've lost that lovin' feeling about Brocade. I haven't. But, if the truth were told, there is always something that you would change. I mean, I just ripped Palo for the ACC thing in a recent post, but I love the Palo product. Check Point is an awesome firewall also, but doing complex troubleshooting is a nightmare. I could complain about Cisco in how, on these 2960-XRs that I'm having to deal with, you have to manually copy the firmware to each switch in a stack. My point is that you can pick something out of every vendor and rip on it.
So I always say good things about Brocade. But I have one thing that I don't love about config in the CLI. When you have a layer 3 vlan (meaning a vlan and a ve interface with an IP in the config, or a routed vlan), I don't like that when you take all ports out of a vlan, it automatically removes the "router-interface ve X" command from the vlan. Not only that, but if you had an IP address on the VE interface, it takes that off too. And vice versa: it won't let you configure a "router-interface ve X" command UNTIL you put a port in the vlan. It just seems like you should have more control than that over your configuration.
Wednesday, November 4, 2015
Pic Of The Mid-Week: Kansas City Royals
On occasion, you know I do a mid-week picture. While at one of my customers this past week in Kansas City to do a topology change on the network, I came upon this on one of the buildings. I really like this town. Even outside of work, most of my conversation revolves around the Royals and the World Series.
Tuesday, November 3, 2015
Brocade Switch: How To Add A Port Into Multiple Vlans At A Time
I like how in Brocade you can go in and add ports to multiple vlans at the same time. When you are in config mode, if you just type multiple vlan numbers after your vlan command, it will go into all of them. See below. I have three examples of something I was working on.
Corp6610(config-vlan-30)#vlan 21 40 50 55 60
Corp6610(config-mvlan-21*60)#tagg eth 1/1/23
Added tagged port(s) ethe 1/1/23 to port-vlan 21.
Added tagged port(s) ethe 1/1/23 to port-vlan 40.
Port(s) ethe 1/1/23 are already a member of VLAN 50
Added tagged port(s) ethe 1/1/23 to port-vlan 55.
Added tagged port(s) ethe 1/1/23 to port-vlan 60.
Corp6610(config-mvlan-21*60)#
Corp6610(config)# vlan 10 15 50
Corp6610(config-mvlan-10*50)#no tagg eth 1/1/16
Corp6610(config-mvlan-10*50)#vlan 30 40 50
Corp6610(config-mvlan-30*50)#tagg eth 1/1/16
Corp6610(config-mvlan-30*50)#
Added tagged port(s) ethe 1/1/16 ethe 2/1/16 to port-vlan 30.
Added tagged port(s) ethe 1/1/16 ethe 2/1/16 to port-vlan 40.
Added tagged port(s) ethe 1/1/16 ethe 2/1/16 to port-vlan 50.
Monday, November 2, 2015
Brocade Switch: Layer 3 Interface Config
Doing this post from my phone, so it will be brief and to the point. I usually like doing L3 with vlans. However, there are times when I want to do it only on an interface and not via a vlan. Here is how you do it on the L3 code of a Brocade switch:
config t
interface ethernet 1/1/1
route-only
ip address 10.10.10.1/24
wr me
Sunday, November 1, 2015
Sunday Thought: Photograph
There is a song called 'Photograph' that I have come to really like. In that song, he says that love is the only thing that he has known.
While listening to this song together, my wife and I had the following words:
Me: "Wouldn't that be great if love were the only thing we ever knew?"
My wife: "That would be heaven."
When I think about that song, it also says that love makes us feel alive. If love is what we will feel in heaven, and love makes us feel alive, can you imagine?
Saturday, October 31, 2015
Friday, October 30, 2015
Cisco ASA: VPN Lifetime Count
Did you know that IKE security associations don't last forever? Each SA is negotiated with a lifetime, and before it expires the peers rekey, that is, they negotiate a fresh SA and then drop the old one. You can see the negotiated lifetime (in seconds) and the time remaining when you do a show crypto isakmp sa detail on the Cisco ASA. A couple of things a security-minded reader should notice in the output below: the first L2L peer is still running 3DES, which is legacy and ought to be moved to AES, and the second peer is in AM_ACTIVE, which means IKEv1 aggressive mode with a pre-shared key.
asa# sh cryp isa sa det
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: 4.4.4.164
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : 3des Hash : SHA
Auth : preshared Lifetime: 86400
Lifetime Remaining: 42302
2 IKE Peer: 5.5.5.104
Type : user Role : responder
Rekey : no State : AM_ACTIVE
Encrypt : aes Hash : SHA
Auth : preshared Lifetime: 86400
Lifetime Remaining: 28616
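When you have a few dozen tunnels, reading this by eye stops working. The script below is an added example, not code from the original post: it parses the listing above into one record per SA, works out how much of the lifetime is left, and flags the two things worth flagging in it (a legacy cipher on the first peer, aggressive mode with a pre-shared key on the second). The review rules are this example's own, not something the ASA reports.

```python
"""Parse 'show crypto isakmp sa detail' from a Cisco ASA and flag what a reviewer should notice.

Added example, not code from the original post. SAMPLE_OUTPUT is the listing the post
shows; the parser and the review rules (legacy ciphers, IKEv1 aggressive mode with a
pre-shared key, how much of the lifetime is left) are this example's own.
"""
import re

SAMPLE_OUTPUT = """\
   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1   IKE Peer: 4.4.4.164
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : SHA
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 42302
2   IKE Peer: 5.5.5.104
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
    Encrypt : aes             Hash    : SHA
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 28616
"""

PEER_RE = re.compile(r"^\s*(\d+)\s+IKE Peer:\s+(\S+)")
# 'Key : value' pairs, two per line in the ASA layout; keys may contain a space.
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\S+)")

WEAK_ENCRYPT = {"des", "3des"}
WEAK_HASH = {"md5"}


def parse_isakmp_sa_detail(text):
    """Return a list of dicts, one per IKE SA, keyed by the lower-cased field names the ASA prints."""
    sas, current = [], None
    for line in text.splitlines():
        head = PEER_RE.match(line)
        if head:
            current = {"index": int(head.group(1)), "peer": head.group(2)}
            sas.append(current)
            continue
        if current is None:
            continue  # the summary counters above the first peer
        for key, value in PAIR_RE.findall(line):
            current[key.strip().lower()] = value
    for sa in sas:
        sa["lifetime"] = int(sa.get("lifetime", 0))
        sa["lifetime remaining"] = int(sa.get("lifetime remaining", 0))
    return sas


def lifetime_fraction_left(sa):
    """Fraction (0.0 to 1.0) of the negotiated phase 1 lifetime still remaining."""
    if not sa["lifetime"]:
        return 0.0
    return sa["lifetime remaining"] / sa["lifetime"]


def review_ike_sa(sa):
    """Return review findings for one SA; an empty list means nothing to flag."""
    findings = []
    if sa.get("encrypt", "").lower() in WEAK_ENCRYPT:
        findings.append(f"{sa['encrypt']} encryption is legacy; move this peer to AES")
    if sa.get("hash", "").lower() in WEAK_HASH:
        findings.append(f"{sa['hash']} integrity is broken; use SHA-2")
    # AM_* states are IKEv1 aggressive mode. With a pre-shared key the hash over the
    # PSK is sent before the exchange is encrypted, so it can be captured and cracked offline.
    if sa.get("state", "").startswith("AM_") and sa.get("auth", "").lower() == "preshared":
        findings.append("aggressive mode with a pre-shared key exposes the PSK hash to offline cracking")
    return findings


def review_all(text):
    """Map peer address -> findings for every SA in the listing."""
    return {sa["peer"]: review_ike_sa(sa) for sa in parse_isakmp_sa_detail(text)}


if __name__ == "__main__":
    for sa in parse_isakmp_sa_detail(SAMPLE_OUTPUT):
        print(f"{sa['peer']:<12} {sa['type']:<5} {sa['state']:<10} "
              f"{lifetime_fraction_left(sa):5.1%} of lifetime left")
        for finding in review_ike_sa(sa):
            print("   -", finding)
```

Paste the real output in place of SAMPLE_OUTPUT, or read it from a file; the parser only cares about the "IKE Peer:" header and the "Key : value" pairs, so extra lines from newer ASA releases are ignored rather than breaking it.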
Thursday, October 29, 2015
Home Projects: Stabilizing Old Floors
It never fails, I always come out bleeding when I go under my house. Since we were having a lot of people over, I needed to make sure my floors were stable and supported well. I've been underneath the house and done this before, but over time, things just settle in. So now I'm back underneath the house again to make sure all is sturdy again.
Now I don't like confined spaces, but someone had to do this. Might as well be me.
And, it never fails:
Wednesday, October 28, 2015
Switch Banners
I get on a lot of switches during a week's time. Although it's rare, I do occasionally see a creative banner. Most of the time people want you to know they are monitoring your session and are going to prosecute you to the fullest extent when they catch you. Below is the latest one that was a little different from the norm. I found it on a Cisco switch.
**********************************************
Speak friend and enter
else leave
**********************************************
Tuesday, October 27, 2015
Palo Alto: 7.X and ACC
Update on this 11/13/15: Palo got in touch with me about this and walked me through the new way of doing things. It's not as bad as I thought. You can still see what you want to see, you just have to create your own search for it via filters. I'm ok with this. However for people who don't know or understand the Palo, this might be a little more difficult for some. I, however, am ok with this now that I understand what Palo is trying to do.
So most people know I'm a fan of Palo Alto firewalls. But, I came across something today that I didn't like. ACC used to have a great console for finding out info fast. That is, in 6.X and below. Now, in 7.X, it's harder to dig down without having to go through the logs. Why would Palo do this? I have no idea. But I'm not happy about this change. I doubt it will change, but I made it a point to talk to TAC about this when I called about a support issue.
Monday, October 26, 2015
Home Projects: Stairs
I like home projects, especially if they are outside. I had a few things I needed to do before my daughter's wedding, and I thought I would post a few of them in the next few days. One of these was fixing some steps on the side of my house. I didn't get a good before pic, but did of the process.
Finished product:
Sunday, October 25, 2015
Sunday Thought: Two Wolves
I watched a movie last night called Tomorrowland. Nothing special about it really, but they did make mention of something interesting. They mention the two wolves story. One filled with darkness and the other filled with light. Both of them always fighting each other. The question was asked, "Which wolf wins the fighting?" The answer: "The one you feed."
It seems to me that we who are Christians are the same. We have an "old self" and a "new self". I think our old self is the sinful nature that we were born into. The new self being what God would have us be, turning away from our sinful desires. The new self being the transformation into what God would have us to be. So which one do we feed? The sinful nature or our new self?
Saturday, October 24, 2015
Thursday, October 22, 2015
The Hunt For The Rogue DHCP Server
Man, I hate these things. You know, when someone plugs in a device that hands out DHCP by default, just so they can have more than one port to plug their devices into? I had this happen on a network, where a 10.254.236.X address was being given out to some clients. This turned a little ugly, since the whole network (including the remote sites) resides on a single vlan with L2 stretched across to the remote sites. I was able to track it down though. I had to ping the default gateway the clients had been given (which was the rogue DHCP server) to get a MAC address entry on the PC. Once I had that (by doing arp -a at the PC's command prompt), I was able to find the MAC address on the switching gear. I tracked it down through several switches (across the MPLS network) and shut down the port. When I went onsite to find it, it led me to the place below. Where it goes, no one knows. A rogue server like this isn't just an annoyance: whoever controls it picks the default gateway and DNS servers for every client that takes its offer. DHCP snooping on the access switches, with only the uplink toward the real server marked trusted, drops those offers before a client ever sees them.
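The hunt described above is two lookups repeated per switch: read the gateway's MAC out of the client's ARP cache, then find that MAC in each switch's MAC table and follow the uplink it was learned on. The script below is an added example, not code from the original post, that does exactly that, including the part that trips people up: Windows prints a4-2b-8c-11-22-33, Brocade and Cisco print a42b.8c11.2233, so the MACs have to be normalised before comparing. The ARP output, the two MAC tables and the uplink map are all constructed; the addresses are made up and the table layout follows Brocade's "show mac-address".

```python
"""Trace a rogue DHCP server from a client's ARP cache to the switch port it sits on.

Added example, not code from the original post. It automates the two lookups the
post describes doing by hand: read the gateway's MAC out of 'arp -a' on a client
that took the rogue lease, then follow that MAC through the switches' MAC tables,
hopping across uplinks until it lands on an edge port. Vendors punctuate MACs
differently (Windows a4-2b-8c-11-22-33, Brocade and Cisco a42b.8c11.2233, Linux
a4:2b:8c:11:22:33), so everything is normalised before comparison. The ARP output,
the two MAC tables and the uplink map below are all constructed; the addresses are
made up and the table layout follows Brocade 'show mac-address'.
"""
import re

SAMPLE_ARP = """\
Interface: 10.254.236.57 --- 0xb
  Internet Address      Physical Address      Type
  10.254.236.1          a4-2b-8c-11-22-33     dynamic
  10.254.236.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Core switch (constructed): the rogue MAC is learned on 1/2/1, the uplink to the remote site.
CORE_MAC_TABLE = """\
Total active entries from all ports = 3
MAC-Address     Port      Type      Index  VLAN
cc4e.2463.0101  1/1/1     Dynamic   10     1
a42b.8c11.2233  1/2/1     Dynamic   44     1
cc4e.2463.0202  1/1/24    Dynamic   60     1
"""

# Remote switch (constructed): the same MAC sits on an access port, so this is the one to shut.
REMOTE_MAC_TABLE = """\
Total active entries from all ports = 2
MAC-Address     Port      Type      Index  VLAN
a42b.8c11.2233  1/1/12    Dynamic   7      1
0024.e8aa.bb01  1/2/1     Dynamic   9      1
"""

# Which ports are uplinks, and to which switch (constructed topology).
SWITCHES = {
    "Core":    {"table": CORE_MAC_TABLE,   "uplinks": {"1/2/1": "Remote1"}},
    "Remote1": {"table": REMOTE_MAC_TABLE, "uplinks": {"1/2/1": "Core"}},
}

NON_HEX = re.compile(r"[^0-9a-f]")


def normalize_mac(mac):
    """Return a MAC as 12 lowercase hex digits regardless of vendor punctuation."""
    digits = NON_HEX.sub("", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def gateway_mac_from_arp(arp_output, gateway_ip):
    """Pull the MAC the client learned for gateway_ip out of 'arp -a' output."""
    for line in arp_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == gateway_ip:
            return normalize_mac(fields[1])
    return None


def find_mac_port(mac_table, mac):
    """Return (port, vlan) for mac in a switch MAC table, or None if not learned there."""
    want = normalize_mac(mac)
    for line in mac_table.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        try:
            if normalize_mac(fields[0]) == want:
                return fields[1], fields[4]
        except ValueError:
            continue  # header or summary line, not a MAC
    return None


def trace_mac(mac, switches, start):
    """Hop switch to switch over known uplinks until the MAC is on a non-uplink port."""
    current, visited = start, set()
    while current not in visited:
        visited.add(current)
        hit = find_mac_port(switches[current]["table"], mac)
        if hit is None:
            return {"switch": current, "port": None, "vlan": None}  # not learned here
        port, vlan = hit
        next_hop = switches[current]["uplinks"].get(port)
        if next_hop is None:
            return {"switch": current, "port": port, "vlan": vlan}  # edge port: shut it
        current = next_hop
    return None  # the uplink map loops back on itself


if __name__ == "__main__":
    rogue = gateway_mac_from_arp(SAMPLE_ARP, "10.254.236.1")
    print("rogue gateway MAC:", rogue)
    print("located at:", trace_mac(rogue, SWITCHES, "Core"))
```

In practice you would paste each switch's "show mac-address" output into the table dict as you SSH around; the uplink map is the part you have to know about your own network, and a MAC that comes back on an uplink you have not mapped is simply the next switch to log in to.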
Wednesday, October 21, 2015
Whats Under The Hood: Your Network Gear
(Be patient in this post, it's really about network switches.)
You know, when you are looking for a car to buy, what are some of the things you look for? I suppose the answers are different for each person.
Here is what I don't do though. I don't set my criteria as:
1. Will this car do 80 mph?
2. How much does this car cost?
I tend to ask more questions than that:
1. Is the engine a V8 or a V6?
2. How many mpg does it get?
3. What are the safety ratings?
4. Yes, how much does it cost?
5. Has this car been taken care of? (oil changes, gaskets, etc.)
6. Is the body in good shape?
7. Does the engine feel good when driving?
Etc., etc.
I go through a lengthy check of what I know to check on the car as well. I check everything I can on the engine. I look at the gaskets, boots, fluid leaks, check for stains, hose condition, wear on critical parts, etc., etc. I take a good look at the vehicle.
The reality is that most cars, if not all, will do 80 mph. Now, let's compare for a minute. My Dodge 1500 will do 80 without issue. RPMs are low during that time as well. My engine doesn't even think about it. However, I had a Honda Civic at one point in life that would do 80 mph, but the engine was obviously struggling. Which one would I prefer? Obviously my truck.
Now, on to the switch conversation. What's under the hood? I hear so often IT Directors, when deciding what switch gear to buy, say things like this: "It's gig speed to the desktop." "It's cheaper than the other brand." "This brand is what we know how to manage."
It amazes me that people who are making device decisions are actually uneducated on how to make good decisions. I mean, you take your next five-year investment and you base your decision on price? Or you make an uninformed decision based on what the sales guy told you? It's time to get informed, folks.
So, what do you look for? I always say three things are what you look for:
1. Yes, price is something to look at. But it's not the most important.
2. Performance of the equipment. Most companies need performance in the network. Switching backplane, forwarding rate, stacking bandwidth, number of switches allowed in a stack, memory, SDN capability. These are important in the decision-making comparisons.
3. Features of the equipment. Most companies nowadays just need QoS, routing, a certain number of 10-gig ports, switching, and maybe PoE. However, you also need SDN capability for the future. Other than that and the other features common to all vendors, that's mostly it.
4. I'm going to add this in, although I don't normally tell people this. Product support is important also. How good is the vendor's support when you call in?
I always compare switch vendors on performance. If you think that all you need is gig speed to the desktop, you are setting yourself up for potential planning failure for your network needs, not only for now but for the next five years. Even though my old Civic would do 80 mph, it wouldn't be the best option for performance, comfort or the other options I needed for daily use of a vehicle. Same thing with switches. You have to know what you are looking at when you make decisions that affect your company.
Now, with that said, the next statements are for the IT consultant. It's YOUR responsibility to educate your customers. It's YOUR responsibility to let them know how to make good decisions.
Tuesday, October 20, 2015
Unfortunate Experience
The day after my daughter's wedding, my wife and I thought we would go to the beach for a couple of days. About an hour and a half into the drive, we didn't make it. We threw a rod, which leads us to the below pic. And, if you want a good laugh at my expense, the video below the pic is sure to make you laugh, at least a little.
Monday, October 19, 2015
Brocade Fiber SFP Connected To Cisco Fiber SFP: No Link
I ran into this the other day. My customer had a Brocade ICX6450 acting as the core (I know, don't say it) and was trying to connect a Cisco 2960 via fiber to it. Well, the fiber link just wouldn't come up.
But, I knew there was something special you sometimes have to do when connecting Cisco and Brocade fiber ports together and you have issues like this. Turns out that I had to run this command on the Cisco port: "speed nonegotiate"
That resolved my problem and the link came right up. What that command does is turn off 1000BASE-X auto-negotiation on the Cisco SFP port. Both ends have to agree on it, so if you would rather set it on the Brocade side instead, the matching interface command there is "gig-default neg-off".
Sunday, October 18, 2015
Saturday, October 17, 2015
Friday, October 16, 2015
SonicWall: Dual-ISP Configuration
All firewalls I know have dual-ISP backup configuration available. SonicWall is no different. If you have dual ISPs, then certainly set it up. It's on the Failover and LB (Load Balancing) page. It's easy and works well.
Wednesday, October 14, 2015
Packet Capture: More Proving What's There
More packet captures on the ASA. Sometimes you just have to know how far the packet is getting. This time it's across a VPN. I need to see which packets are actually getting across, and not just look at the counters. I'm trying to see if one DNS server is sending traffic back. Yep, the 192.168.1.100 DNS server is sending traffic back. I see this on the inside interface of the ASA (the capture is filtered by access-list 191 so only the traffic I care about is kept). Looks good.
ASA# sh capture
capture capin type raw-data access-list 191 interface inside [Capturing - 28987 bytes]
ASA# sh capture capin
143 packets captured
1: 14:03:29.546663 192.168.1.100.53 > 192.168.5.64.54137: udp 373
2: 14:24:47.714761 192.168.5.64.61552 > 192.168.1.100.53: udp 55
3: 14:24:47.717064 192.168.1.100.53 > 192.168.5.64.61552: udp 55
4: 14:24:47.931943 192.168.5.64.53348 > 192.168.1.100.53: udp 35
5: 14:24:47.932340 192.168.1.100.53 > 192.168.5.64.53348: udp 90
6: 14:24:47.970271 192.168.5.64.50397 > 192.168.1.100.53: udp 32
7: 14:24:47.970683 192.168.1.100.53 > 192.168.5.64.50397: udp 79
8: 14:24:48.015196 192.168.5.64.63238 > 192.168.1.100.53: udp 45
9: 14:24:48.015853 192.168.1.100.53 > 192.168.5.64.63238: udp 98
10: 14:24:48.059841 192.168.5.64.64395 > 192.168.1.100.53: udp 39
11: 14:24:48.090159 192.168.1.100.53 > 192.168.5.64.64395: udp 39
12: 14:24:48.135307 192.168.5.64.62142 > 192.168.1.100.53: udp 42
13: 14:24:48.136025 192.168.1.100.53 > 192.168.5.64.62142: udp 111
14: 14:24:48.172140 192.168.5.64.52743 > 192.168.1.100.53: udp 35
15: 14:24:48.174566 192.168.1.100.53 > 192.168.5.64.52743: udp 110
...
143 packets shown
ASA#
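Eyeballing query/reply pairs works for fifteen packets, not for a hundred and forty-three. The script below is an added example, not code from the original post: it parses the "show capture" listing above, matches every query sent to the DNS server with the reply sent back to the same client port, and reports what was answered (and how fast, as seen at the inside interface), what was never answered, and which replies belong to queries that started before the capture did. The sample is the listing above plus one constructed query, packet 16, that never gets a reply, so the failure mode the post is checking for shows up too.

```python
"""Pair DNS queries with their replies in a Cisco ASA 'show capture' listing.

Added example, not code from the original post. The post's point is that the
capture on the inside interface proves the DNS server is answering; this script
turns the listing into a verdict per query (answered, with the server's response
time as seen at the inside interface, or unanswered) instead of eyeballing packet
pairs. SAMPLE_CAPTURE is the listing from the post plus one constructed query,
packet 16, that never gets a reply, to show what a missing answer looks like.
"""
import re
from collections import OrderedDict

SAMPLE_CAPTURE = """\
143 packets captured
1: 14:03:29.546663 192.168.1.100.53 > 192.168.5.64.54137: udp 373
2: 14:24:47.714761 192.168.5.64.61552 > 192.168.1.100.53: udp 55
3: 14:24:47.717064 192.168.1.100.53 > 192.168.5.64.61552: udp 55
4: 14:24:47.931943 192.168.5.64.53348 > 192.168.1.100.53: udp 35
5: 14:24:47.932340 192.168.1.100.53 > 192.168.5.64.53348: udp 90
6: 14:24:47.970271 192.168.5.64.50397 > 192.168.1.100.53: udp 32
7: 14:24:47.970683 192.168.1.100.53 > 192.168.5.64.50397: udp 79
8: 14:24:48.015196 192.168.5.64.63238 > 192.168.1.100.53: udp 45
9: 14:24:48.015853 192.168.1.100.53 > 192.168.5.64.63238: udp 98
10: 14:24:48.059841 192.168.5.64.64395 > 192.168.1.100.53: udp 39
11: 14:24:48.090159 192.168.1.100.53 > 192.168.5.64.64395: udp 39
12: 14:24:48.135307 192.168.5.64.62142 > 192.168.1.100.53: udp 42
13: 14:24:48.136025 192.168.1.100.53 > 192.168.5.64.62142: udp 111
14: 14:24:48.172140 192.168.5.64.52743 > 192.168.1.100.53: udp 35
15: 14:24:48.174566 192.168.1.100.53 > 192.168.5.64.52743: udp 110
16: 14:24:49.000000 192.168.5.64.55555 > 192.168.1.100.53: udp 40
...
143 packets shown
"""

PACKET_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<proto>\w+)\s+(?P<length>\d+)"
)


def parse_capture(text):
    """Return one dict per packet line, with the timestamp folded into seconds since midnight."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if not m:
            continue  # header, footer, '...'
        packets.append({
            "index": int(m.group("idx")),
            "t": int(m.group("h")) * 3600 + int(m.group("m")) * 60 + float(m.group("s")),
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "proto": m.group("proto"), "length": int(m.group("length")),
        })
    return packets


def pair_dns(packets, server, port=53):
    """Match each query to 'server' with the reply sent back to the same client port.

    Returns answered pairs (with latency), queries still waiting when the capture
    ends, and replies whose query was not in the capture (it started before 'capture' did).
    """
    pending = OrderedDict()  # (client_ip, client_port) -> query packet
    answered, orphan_replies = [], []
    for p in packets:
        if p["proto"] != "udp":
            continue
        if p["dst"] == server and p["dport"] == port:
            pending[(p["src"], p["sport"])] = p
        elif p["src"] == server and p["sport"] == port:
            key = (p["dst"], p["dport"])
            query = pending.pop(key, None)
            if query is None:
                orphan_replies.append(key)
            else:
                answered.append({
                    "client": key,
                    "latency_ms": (p["t"] - query["t"]) * 1000.0,
                    "query_len": query["length"],
                    "reply_len": p["length"],
                })
    return {"answered": answered, "unanswered": list(pending), "orphan_replies": orphan_replies}


if __name__ == "__main__":
    result = pair_dns(parse_capture(SAMPLE_CAPTURE), server="192.168.1.100")
    for a in result["answered"]:
        print(f"{a['client'][0]}:{a['client'][1]}  answered in {a['latency_ms']:.3f} ms")
    print("unanswered:", result["unanswered"])
    print("replies with no query seen:", result["orphan_replies"])
```

Pairing on the client's source port is enough for a capture like this one because the ASA listing does not show the DNS transaction ID; if you need that, pull the capture off the box with "copy /pcap capture:capin ..." and read it in Wireshark instead.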
Tuesday, October 13, 2015
Cisco ASA: Troubleshooting With Logs
I was having to troubleshoot a VPN between a Check Point and an ASA the other day. I came across this message in the ASA logs:
%ASA-7-713222: Group = 5.8.15.51, IP = 5.8.15.51, Static Crypto Map check, map = BHM, seq = 30, ACL does not match proxy IDs src:5.8.15.51 dst:192.168.2.10
%ASA-7-713221: Group = 5.8.15.51, IP = 5.8.15.51, Static Crypto Map check, checking map = BHM, seq = 40...
It appears that the Check Point is trying to use its public address as its side of the proxy IDs instead of the non-NAT'ed internal network behind it, so nothing in crypto map BHM matches it. My point here is that the ASA logs are very important for troubleshooting issues. Maybe you can look at the config and just find the solution. Maybe you need the logs. Either way, setting the appropriate log levels in troubleshooting is important: these 713xxx messages are severity 7 (debugging), so you won't see them unless the logging level for the buffer or your terminal is raised to debugging for the duration, and you should put it back afterward. It helped me determine that the ASA was fine and that the Check Point needed some work.
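The same conclusion can be reached mechanically. The script below is an added example, not code from the original post: it pulls the proxy IDs out of the 713222 line and tests them against a crypto ACL. The message prints the proxy IDs as received from the peer, its side first (src) and ours second (dst), while the ASA's own crypto ACL is written the other way round (local source, remote destination), so the check mirrors them. The two log lines are the ones above; the crypto ACL entries are constructed, since the post does not show them.

```python
"""Decode ASA %ASA-7-713222 'ACL does not match proxy IDs' against a crypto ACL.

Added example, not code from the original post. The log lines are the two from the
post; the crypto ACL entries are constructed, since the post does not show them, to
illustrate the check: the peer proposed its own public address 5.8.15.51 as its side
of the proxy IDs, which no entry of a crypto ACL written for the private networks
behind the peer can match. The message prints the proxy IDs as received from the
peer, its side as src and ours as dst; the ASA's crypto ACL is written the other
way round (local source, remote destination), so the comparison below mirrors them.
"""
import ipaddress
import re

SAMPLE_LOGS = """\
%ASA-7-713222: Group = 5.8.15.51, IP = 5.8.15.51, Static Crypto Map check, map = BHM, seq = 30, ACL does not match proxy IDs src:5.8.15.51 dst:192.168.2.10
%ASA-7-713221: Group = 5.8.15.51, IP = 5.8.15.51, Static Crypto Map check, checking map = BHM, seq = 40...
"""

# Constructed: crypto ACL lines for map BHM as (local network, remote network).
CRYPTO_ACL_BHM = [
    ("192.168.2.0/24", "10.20.0.0/16"),
    ("192.168.2.0/24", "172.16.5.0/24"),
]

MISMATCH_RE = re.compile(
    r"%ASA-(?P<sev>\d)-713222: Group = (?P<group>\S+), IP = (?P<ip>\S+), "
    r".*?map = (?P<map>\S+), seq = (?P<seq>\d+), "
    r"ACL does not match proxy IDs src:(?P<src>\S+) dst:(?P<dst>\S+)"
)


def parse_proxy_id_mismatches(log_text):
    """Return one dict per 713222 line; other message IDs are ignored."""
    events = []
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            events.append({
                "peer": m.group("ip"), "map": m.group("map"), "seq": int(m.group("seq")),
                "peer_side": ipaddress.ip_address(m.group("src")),
                "our_side": ipaddress.ip_address(m.group("dst")),
            })
    return events


def explain_mismatch(event, crypto_acl):
    """Say which half of the peer's proposal matches no ACL line, and why."""
    findings = []
    ours_ok = any(event["our_side"] in ipaddress.ip_network(local) for local, _ in crypto_acl)
    theirs_ok = any(event["peer_side"] in ipaddress.ip_network(remote) for _, remote in crypto_acl)
    if not ours_ok:
        findings.append(f"our side {event['our_side']} is not in any local network of the crypto ACL")
    if not theirs_ok:
        findings.append(f"peer side {event['peer_side']} is not in any remote network of the crypto ACL")
        # A public proxy ID equal to the peer's own address means the peer put its NAT'd
        # address, not the network behind it, into its encryption domain.
        if not event["peer_side"].is_private and event["peer_side"] == ipaddress.ip_address(event["peer"]):
            findings.append("the peer proposed its own public address; fix the peer's encryption domain")
    return findings


if __name__ == "__main__":
    for ev in parse_proxy_id_mismatches(SAMPLE_LOGS):
        print(f"map {ev['map']} seq {ev['seq']} from {ev['peer']}:")
        for finding in explain_mismatch(ev, CRYPTO_ACL_BHM):
            print("  -", finding)
```

Fill CRYPTO_ACL_BHM from the real "show run access-list" for the map's ACL, and the output tells you in one line whether the fix belongs on the ASA (our side wrong) or on the peer (their side wrong), which is exactly the call the post had to make.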
Monday, October 12, 2015
Brocade Switch: Brief Interface Status
Sometimes I just need to see if a port is up or not. I don't need all the statistics. So when I do a show interface eth 1/2/2 on the switch, I don't want to wait for the console to scroll down. I just want a short answer: is the port up or not? Here is the command to do just that.
ICX6450#sh int bri eth 1/2/2
Port Link State Dupl Speed Trunk Tag Pvid Pri MAC Name
1/2/2 Down None None None None Yes N/A 0 cc4e.2463.xxxx
ICX6450#
Saturday, October 10, 2015
Friday, October 9, 2015
Targus Backpack 2
A few years ago, I wrote a post about my Targus backpack vs a Swiss backpack I had. It's been 10 years now, and the zipper finally broke on that old Targus. Man, that was a great backpack.
Link to that post
So now I had to buy a new one. I chose Targus again, and I'm glad I did. Very comfortable and lightweight, I chose the Targus Legend. I'm looking forward to using this thing. Below, I already have all my gear inside it.