Sunday Thought: Perfect Peace

The Lord does, at times, provide perfect peace. Take a listen.
Perfect peace

Pic Of The Week : Beach

SonicWall: Content Filtering

Im on the fence still about SonicWall for SOHO.  There is no way I would choose it over Check Point or Palo Alto, but for small offices, I guess I'm not opposed.  It does do content filtering, which is good.  I know most firewalls do, and they should at this point in the game.  I have to say I have had good luck with the content filtering portion of the SonicWall.  I guess I'm not sad with it.  But again, for true enterprise level businesses, this is not what I would choose.

Access Switch Comparison: Brocade ICX 7450/7250 Versus Cisco 3850/3650

I wanted to do a switch comparison between the newer Cisco 3850/3650 and the newer Brocade ICX 7450/7250 switches.  I came up with a newer spreadsheet for myself and my sales guys, so that we could do quick comparisons between the newer products.  So for this post, I thought I would compare a few performance differences between the Cisco 3850 and 3650 access switch as opposed to the Brocade ICX 7450 and 7250 access switches.  Its always an interesting comparison when honestly looking at the performance specs.  Here below is an "apples to apples" comparison of the most powerful switches of each of the series.

These two are the better performing access closet switches:
Brocade 7450-48P
336 Gbps switching backplane
250 Mpps forwarding rate
160 Gbps stacking rate
12 switch capability in stack
12 10Gig ports

Cisco 3850-48P
176 Gbps switching backplane
130.95 Mpps forwarding rate
480 Gbps stacking rate
9 switch capability in stack
4 10Gig ports

These two are the lesser performing access closet switches:
Brocade 7250-48P
256 Gbps switching backplane
190 Mpps forwarding rate
80 Gbps stacking rate
12 switch capability in stack
8 10Gig ports

Cisco 3650-48PD
176 Gbps switching backplane
104.16 Mpps forwarding rate
160 Gbps stacking rate
9 switch capability in stack
4 10Gig ports

For network performance and honest comparisons, I'll be sticking with Brocade.

Why Do You Not Have Capsa Yet???

I have said many times in the past.  Capsa is literally my best friend as a network troubleshooter.  You can interview people all you want to figure out what the problem is, but Capsa saves me so much time in troubleshooting, that all I really need from a customer is what a "general" description of what the problem is.
If you are a network consultant and do not have Capsa, do yourself a favor.  Save yourself time and money by getting this in your toolkit.  Its built specifically for network engineers and troubleshooting purposes.  Even if you just do network assessments, this will help you and your customers KNOW what is going on, on the network.
In my experience, I can tell you it has saved me time and money in troubleshooting networks.  Not only that, but it has also given much needed information to my customers, even when I was not troubleshooting anything.  I do network assessments regularly when time permits.  I want to make sure my customers know what is going on, on their network.  Capsa is one way I do this.
Why do I tell you about Capsa so much?  Because I want you to have the ability to be a great network engineer.

Cisco CUCM: Upgrade Process From CUCM 8.5 To 10.5

I recently just did a Cisco CUCM upgrade from MCS servers running 8.5 to UCS servers running 10.5.1.  I thought I would generically outline the process I took to get there.

Moving 8.5.1-12900 CUCM production environment to the new 10.5.1 UCS BE7K environment.

• Install 8.5.1-10000 on a new virtual server on the UCS server.
• Upgrade from 8.5.1-10000 to 8.5.1-12900, so that this matches the current production environment.
• Take a backup of the current production environment, running 8.5.1-12900.
• Restore the backup to the UCS environment you did the upgrade on (on the UCS publisher). This has to be the exact same version of the production CUCM.
• Upgrade UCS 8.1.5 to UCSInstall_UCOS_8.6.2.25900-8.sgn.  
• Install ciscocm.version3-keys.cop.sgn file from 8.6 download to be able to upgrade to 10.5.1.
• Upgrade 8.6 to UCSInstall_UCOS_10.5.1.10000-7.sgn.
• Do a backup of 10.5.1 on the "upgraded" UCS virtual server.
• Install 10.5.1-10000-7 from scratch (which is the pre-loaded version that came on the UCS).
• Do a restore from the "upgraded" version on UCS to the new install on the UCS. 
• Add subscribers.

Good Memorial Day To You

Sunday Thought: So I Can Just Be Me...

Give the lyrics some thought.  Take 3.5 minutes to hear the message in this song.  God meant us to be who he made us to be, and for Him to be our God.
So I can just be me

Pic Of The Week: Slide

Packet Capture: VPN Troubleshooting

There are some edge devices that don't necessarily make it easy to troubleshoot vpns.  So a packet capture is in order.  In this scenario, something isn't right on the vpn.  I cant get traffic across from one side to the other.  It appears that, on the customer side that I'm visiting, the traffic is not making it to the other side of the vpn.  The customer doesn't have a reliable way to determine "what" the problem is.  So I'm going to take a packet capture on the public side of the firewall to see if I can tell anything interesting.
Notice the source below.  You shouldn't see the private address as the source address, but you do. I am expecting to see a public address (my peer) as the source and a public address (their peer) as the destination.  I know this because of where I'm placing my packet capture.  Again, keep packet captures as a integral part of your troubleshooting capabilities.

Brocade 7250/7450 Switch Specs

Have you guys seen the newer Brocade 7250 and 7450 switches?  They are looking pretty decent in the performance spec area.  Its looking to me like I will be replacing the 64XX series access switches with these guys when appropriate.  Don't get me wrong, I'm not sad with the 6450s.
Take a look at the backplane and forwarding specs here below.  These are pretty good for access closet switches.  I think I personally will be preferring the 7450s over the 7250s.  But the 7250s still look really good for areas you need POE in the closets.  I think the only one I might try to stay away from is the 7250-24G, but still its better than the Cisco 3850 24 port series when it comes to performance.

What Is A VPN "Encryption ACL" (Cisco - Interesting Traffic) (Check Point - Encryption Domain)

There are numerous terms for, what I call, the encryption ACL for a VPN.  Cisco calls it "interesting traffic".  Check Point calls is an "encryption domain".  Im sure the other vendors have their own words for it as well.  So what is it and what does it do?
We are taught that this is what defines the traffic that is to go across the VPN.  For the sake of this conversation, Im going to be talking about remote-access, not site to site VPNs.  I can do site to site VPNs in another post.  But I think its important for you to know what actually happens when you configure this.  Not on the firewall, but on the remote end.  The client side.
You see, you have to define what is allowed across the VPN.   Although it is for the firewalls benefit, its also for the client side.  How does the client know what is allowed.  Afterall, you dont configure anything on the client side when it comes to "allowed" or "denied" traffic, right?
So, here is the thing.  When you configure your ACL for encryption, you are also telling the client side what the routing table, on the client side, needs to look like.  In fact, you are modifying the routing table on the client pc, with this ACL.  It literally serves two purposes (for firewall and for client).  So, you all know I like proof, so here is the proof.
First, lets look at two ACLs.  This is on a Cisco firewall.
Here is the NAT ACL.  I do have it set correctly, because in this case, its a nonat situation.  And, it DOES have to be configured correctly for the VPN to work, if you are not NAT'ing.
access-list nonat extended permit ip any 10.10.12.0 255.255.255.0

Now, here is the "encryption ACL".
access-list remote_access extended permit ip any 10.10.12.0 255.255.255.0

Now, this gives it a "default route".  Im going to show you what route it puts into the client side pc.  Before I do though, I want to tell you that I want to be able to get to the 10.255.16.X network.  That is the goal I have in mind.  Also, I have my DHCP on the ASA to hand out 10.10.12.X IPs to the client side of a remote-access user.  Now, lets see the routing table before I VPN into the ASA:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1      192.168.0.5     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link       192.168.0.5    281
      192.168.0.5  255.255.255.255         On-link       192.168.0.5    281
    192.168.0.255  255.255.255.255         On-link       192.168.0.5    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.0.5    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       192.168.0.5    281
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0        10.15.1.1  Default
===========================================================================

IPv6 Route Table

===========================================================================

Notice its nothing special.  Just what I have on my laptop when all is normal.  Now, lets VPN into the ASA.  The one where you see the ACLs above.  Notice below, once I VPN'ed in, the highlighted routes are what is added to my routing table.  The one I want you to notice though is the extra default route that was added.  Now, I have two default routes: the one that is my own default gateway, and the one that the ASA put on my pc with the ACL named "remote_access".

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1      192.168.0.5     25
          0.0.0.0          0.0.0.0       10.10.12.1       10.10.12.2    100
       10.10.12.0    255.255.255.0         On-link        10.10.12.2    281
       10.10.12.2  255.255.255.255         On-link        10.10.12.2    281
     10.10.12.255  255.255.255.255         On-link        10.10.12.2    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link       192.168.0.5    281
      192.168.0.1  255.255.255.255         On-link       192.168.0.5    100
      192.168.0.5  255.255.255.255         On-link       192.168.0.5    281
      192.168.0.5  255.255.255.255       10.10.12.1       10.10.12.2    281
    192.168.0.255  255.255.255.255         On-link       192.168.0.5    281
    192.168.0.255  255.255.255.255       10.10.12.1       10.10.12.2    281
    216.109.3.131  255.255.255.255      192.168.0.1      192.168.0.5    100
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.0.5    281
        224.0.0.0        240.0.0.0         On-link        10.10.12.2    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       192.168.0.5    281
  255.255.255.255  255.255.255.255         On-link        10.10.12.2    281
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0        10.15.1.1  Default
===========================================================================

Now, remember, I want to get to the 10.255.16.X network.  But, you dont see it here, except in the default route (which I have two).  Let me ping the address I want to get to, to verify I cant get to it:
C:\Users\skillen>ping 10.255.16.7

Pinging 10.255.16.7 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.255.16.7:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Lets delete that extra default route out (the one the ASA put in place).  Two default routes is causing me problems, so Im going to delete it out.
C:\Users\skillen>route delete 0.0.0.0 mask 0.0.0.0 10.10.12.1
 OK!

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1      192.168.0.5     25
       10.10.12.0    255.255.255.0         On-link        10.10.12.2    281
       10.10.12.2  255.255.255.255         On-link        10.10.12.2    281
     10.10.12.255  255.255.255.255         On-link        10.10.12.2    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link       192.168.0.5    281
      192.168.0.1  255.255.255.255         On-link       192.168.0.5    100
      192.168.0.5  255.255.255.255         On-link       192.168.0.5    281
      192.168.0.5  255.255.255.255       10.10.12.1       10.10.12.2    281
    192.168.0.255  255.255.255.255         On-link       192.168.0.5    281
    192.168.0.255  255.255.255.255       10.10.12.1       10.10.12.2    281
    216.109.3.131  255.255.255.255      192.168.0.1      192.168.0.5    100
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.0.5    281
        224.0.0.0        240.0.0.0         On-link        10.10.12.2    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       192.168.0.5    281
  255.255.255.255  255.255.255.255         On-link        10.10.12.2    281
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0        10.15.1.1  Default
===========================================================================

Notice in the above "route print" on the remote-access client, the default route that the ASA put in is gone.  I took it out with the route delete command in a DOS prompt.  Im still connected though to the ASA via the Cisco VPN client.  

Now, lets add our own route in a DOS prompt on the remote-access client.  We are going to add in the 10.255.16.X network, so that we can get across the VPN to the destination I really want to get to.  Our default gateway for that will be the IP address of the ASA (10.10.12.1).

C:\Users\skillen>route add 10.255.16.0 mask 255.255.255.0 10.10.12.1

 OK!

IPv4 Route Table

===========================================================================

Active Routes:

Network Destination        Netmask          Gateway       Interface  Metric

          0.0.0.0          0.0.0.0      192.168.0.1      192.168.0.5     25

       10.10.12.0    255.255.255.0         On-link        10.10.12.2    281

       10.10.12.2  255.255.255.255         On-link        10.10.12.2    281

     10.10.12.255  255.255.255.255         On-link        10.10.12.2    281

      10.255.16.0    255.255.255.0       10.10.12.1       10.10.12.2     26

        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306

        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306

  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306

      192.168.0.0    255.255.255.0         On-link       192.168.0.5    281

      192.168.0.1  255.255.255.255         On-link       192.168.0.5    100

      192.168.0.5  255.255.255.255         On-link       192.168.0.5    281

      192.168.0.5  255.255.255.255       10.10.12.1       10.10.12.2    281

    192.168.0.255  255.255.255.255         On-link       192.168.0.5    281

    192.168.0.255  255.255.255.255       10.10.12.1       10.10.12.2    281

    216.109.3.131  255.255.255.255      192.168.0.1      192.168.0.5    100

        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306

        224.0.0.0        240.0.0.0         On-link       192.168.0.5    281

        224.0.0.0        240.0.0.0         On-link        10.10.12.2    281

  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306

  255.255.255.255  255.255.255.255         On-link       192.168.0.5    281

  255.255.255.255  255.255.255.255         On-link        10.10.12.2    281

===========================================================================

Persistent Routes:

  Network Address          Netmask  Gateway Address  Metric

          0.0.0.0          0.0.0.0        10.15.1.1  Default

===========================================================================

Notice above, the highlighted new route on my laptop for the 10.255.16.X network.  Its in place and pointed to the ASA.  Keep in mind, what I just put in does still fall under the "remote_access" ACL (meaning the source of "10.255.16.X" is covered under "any").  Now, lets ping that IP address of 10.255.16.7 now.

C:\Users\skillen>ping 10.255.16.7

Pinging 10.255.16.7 with 32 bytes of data:

Reply from 10.255.16.7: bytes=32 time=57ms TTL=63

Reply from 10.255.16.7: bytes=32 time=98ms TTL=63

Reply from 10.255.16.7: bytes=32 time=56ms TTL=63

Reply from 10.255.16.7: bytes=32 time=51ms TTL=63

Ping statistics for 10.255.16.7:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 51ms, Maximum = 98ms, Average = 65ms

Now we are in good shape.  You can do this route modification on your laptop as long as the destination falls under the same range as the source in the encryption ACL.  Its rare that you will ever want to modify this.  However, I have, in times past, needed to do so to get to what I wanted to.  Thankfully, you do still have some control.

Cisco CUCM: Upgrading The Phone System

Cisco has made it pretty easy to do upgrades.  In this example, I'm doing a minor upgrade from 8.5 to 8.5.1-17900, so that I can do a restore from the production backup I took.  You have to go into OS Administration, then choose software install/upgrades.  Its pretty easy from there.  You just get your SFTP server going, put the ISO file in the correct directory, and do the upgrade.

Sunday Thought: Hebrews 9:11-15

So Christ has now become the High Priest over all the good things that have come. He has entered that greater, more perfect Tabernacle in heaven, which was not made by human hands and is not part of this created world. With his own blood—not the blood of goats and calves—he entered the Most Holy Place once for all time and secured our redemption forever.

Under the old system, the blood of goats and bulls and the ashes of a young cow could cleanse people’s bodies from ceremonial impurity. Just think how much more the blood of Christ will purify our consciences from sinful deeds so that we can worship the living God. For by the power of the eternal Spirit, Christ offered himself to God as a perfect sacrifice for our sins. That is why he is the one who mediates a new covenant between God and people, so that all who are called can receive the eternal inheritance God has promised them. For Christ died to set them free from the penalty of the sins they had committed under that first covenant.
(Hebrews 9:11-15)

Home Projects: Backyard Arbor

Brocade: Still Doing Well

More access closet installs.

Company Culture: Part 4 ~By Brad Moore

Today, Brad Moore shares with us what it's like to have a good company culture. He writes a really good technical blog @ showconfig.net, which is listed on my IT blogs page. Check his blog out! Thanks Brad. 
~~Shane Killen.

What does working for a company with good culture feel like? It feels great, let me tell you. How do you define an excellent culture? That’s not as easy as you might think, as each worker may have a different definition of why they like working for a good company. However, I have found that good companies tend to have the following traits…

• Communication – As Shane already explained, communication (whether done well or poorly) can make or break a work environment. The last several companies I’ve worked for all did a great job of communicating…whether it was positive news or negative, we workers always knew what was going on.
• Family – When working at a good company, you feel like a family. Case in point…I’ve been working at my current company for 13 years now.  Back in 2004, my wife passed away due to cancer.  She had been in the ICU for over a month, and I had to spend a lot of time at the hospital and at home taking care of our kids.  I worked when I could, but it wasn’t a lot…perhaps half a day, sometimes none.  I had only been at the company for two years at that time, so I didn’t have a lot of vacation or sick time, so I quickly used it all up.  When I finally came back to work full time, I found out I still had a week of vacation and a couple days of sick time on the books, yet my paycheck never changed. Family takes care of family.
• Fun – Yes, you can have fun at work.  And a good culture not only allows for that, but encourages it. In fact, my IT department just attended a local baseball game several weeks ago and had a great time.  We joke with each other, kid each other…and we all work well together.
• Training – A good company wants their employees to continuously grow and learn, and become better. It helps both the company and the employee.
• Protection – What do I mean by that?  Think of a mother hen protecting her young.  I was Senior Network Engineer at a previous company, and if my network went down, the company would lose about $250,000 in profit per hour.  (During the Christmas season that hourly rate was over $1 million dollars of profit!!)  Talk about pressure.  However, my boss protected me from all of the upper managers…they were not allowed to call me at all.  Every 30 minutes, she would call me and I would give her a quick update and projected ETA.  Otherwise, I was left in peace to work the problem and get the network back up.  That meant a lot to me…still does.
• Accountability – This can cut both ways, but all good companies must hold every employee accountable.  What separates a good company from a bad one is “fairness”.  Accountability, if applied fairly for all, is a cornerstone of a good company.  No favorites…everyone treated the same.  In the long run, this will result in a strong and productive team…and in today’s economy, that is a powerful advantage.

Check Point And Cisco: (IPSEC VPN) Phase 2 Security Association Incompatibilities

So what is it, when you have a site to site vpn between a Check Point and Cisco firewall, its sometimes near impossible to get phase 2 combinations of encryption and hash higher than 3DES/MD5 to work out.  I have seen this often in the past.  I go with AES-256 and SHA1.  But for some reason, I get very unpredictable results.  That might mean I can ping across one minute, but the next I cant.  It has also meant that I can one way traffic.  The thing is, that when I change to 3DES/MD5, the vpn works perfectly and consistently.  So why is that?
I dont know the answer right now, but Ill certainly be looking into it.  I dont want to use 3DES/MD5.  I prefer to go higher.

Company Culture: Part 3

I have seen and heard, on more than a few occasions, where employees feel "unimportant" or "not valued" when management refuses to communicate with them.  I keep hearing the same common thing: "When I call my 'manager', they never answer and they never call back".  I also hear the same about text messaging.  Every time I hear this, I just dont get it.  Why would a manager just not have the desire to make a 60 second phone call OR a 15 second text message???  Its beyond me, but I can tell you, it takes a toll on company morale, which leads to bad company culture.

You Should Keep That Freeware That You Like So Much...

I mean the download, not necessarily that actual application itself.  I keep finding that the freeware things I like using so much keeps getting bought by some company, only to make you pay for it.  I hate that.  I recently had one program I really liked that used to be free.  Now, someone wants to make money off of it and, lets face it, I don't want to pay for it.  I'm just saying that if you like something that is free, store the freeware install somewhere where you can get to it once someone buys it and then makes you pay for it.  I know that if you are IT, you know what I'm talking about.

Sunday Thought: Road To Emmaus

I love this little video, linked below. I'm thankful that there are people out there that take the time to make these. I ask you to verify what this video talks about. It's undeniable. 

Road to Emmaus

Pic Of The Week: Above

Palo Alto: Running A Threat Summary Report

Here is another report generator 'how to' I put together for a client.  I thought I would share this as well.  This is for reporting on threats.

SIP Call Explained

TranslatorX is an excellent tool.  I highly recommend it, especially for troubleshooting SIP calls.

Palo Alto: Running A Usage Report

I put this together for a customer and thought I would share with you guys.  This is how to run a custom report on the Palo.

SIP: Interesting To See The Call Flow On A Failed Call

Its interesting to watch a call fail.  Even more interesting, you can see the dial-peers of the CUBE in action when you have the preference command for dial-peers that match a destination pattern.  In this example, you have two CUCMs (publisher and subscriber) and both end up not being able to take the call.  Its interesting to see the CUBE send to both though, indicating that it tried to send the packets (the call) to the second CUCM when the first one failed.

Sunday Thought: Psalm 73:26

Pic Of The Week: Concert

Company Culture: Part 2

Part 2 ~ of a series on company culture.
So how do you find out about the company culture of a business?  It may not be important to you, but I think to some people, it might be.  I think the older I get, the more important it is to me.  So, I started a list of questions that I think I wouldn't mind asking, that might give you an idea of the culture of the company:
1. "What time do you normally come in to work and leave for the day?" (Are they flexible?)
2. "What are the busiest times of year, and what are those times like?" (Really, what are the expectations of busy/stressful times)
3. "What kind of person fits in well here and what type of person isn't a strong fit?" (Listen if they describe you as someone that doesn't fit well.  Be honest with yourself as well. If you don't fit, don't keep trying for it.  You will be miserable.)
4. "If you could change one thing about the culture here, what would it be?" (Listen for clues for something you might not like.)
5. "What do you wish you knew about working at this company before starting work here?" (Again, listen.)
6. "How long do employees typically stay at the company?" (Verify this on LinkedIn.  Do they have a high turnover rate?)
7. "Does the company invest in technical training for employees?  If so, how much per person, per year?"

You get the idea.  Whatever is important to you, ask.  You shouldn't be ding'ed for asking things that concern you.  If you are, then you probably didn't want to work there anyway.