I hope you all have a Merry Christmas. Be safe and know that The Lord God loves you. So much so, that He came in human form and became the substitute for what we actually deserved.
Peace be with you all.
Friday, December 22, 2017
Merry Christmas
I was reminded by a friend, via email, that he hadn't seen a post here in a while. My apologies for that. I had a small accident with a power tool, and I have not been able to type without finger pecking, which is difficult for me. My power drill decided to behave badly on me, which left me with a couple of spiral breaks in my hand. So I'm getting to her over this as quickly as I can.
I hope you all have a Merry Christmas. Be safe and know that The Lord God loves you. So much so, that He came in human form and became the substitute for what we actually deserved.
Peace be with you all.
I hope you all have a Merry Christmas. Be safe and know that The Lord God loves you. So much so, that He came in human form and became the substitute for what we actually deserved.
Peace be with you all.
Monday, November 27, 2017
Check Point Firewall: Adding A User In CLI
Here is a quick "how to" on adding a user in Check Point via command line (CLI). It just as easy to go into the GUI and do this, but I have found that when I'm in CLI anyway and need to do this, this is a quick template for me.
add user NewUserName uid 0 homedir /home/NewUserName
set user NewUserName gid 100 shell /etc/cli.sh
set user NewUserName password
(then you will verify the password you just typed in)
add rba user NewUserName roles adminRole (for adding an administrator)
save config
add user NewUserName uid 0 homedir /home/NewUserName
set user NewUserName gid 100 shell /etc/cli.sh
set user NewUserName password
(then you will verify the password you just typed in)
add rba user NewUserName roles adminRole (for adding an administrator)
save config
Friday, November 24, 2017
Been In NYC...
There are a lot of cool things about NYC. It's a place my family and I really enjoy coming to. From the Top of the Rock, you can see Trump Tower. It's the red, white and blue building. No matter which side of the fence you reside on politically, that's pretty cool.
Saturday, November 11, 2017
Small Update
Sorry for the lack of posts. It's been busy. I have some technical things to post about, and will try to get them up soon. Just wanted to update. I hope you all are doing well.
Monday, November 6, 2017
Do The Right Thing
My wife and I went to Nashville not long ago to see a musician named Ron Pope. One of his openers was a group called Ages and Ages. They were really cool, and they had this song called Do The Right Thing. Click on that link and give it a listen.
Saturday, November 4, 2017
Home Projects: Security Light
I just realized on that Cisco IP SLA catalyst config, that I didn't post the ASA config for it. I'll do that this coming week.
Until then, I'm getting tired of people coming around and lifting door handles in my neighborhood. Maybe a new security light will deter them. My driveway light just didn't work, so I replaced it today.
Until then, I'm getting tired of people coming around and lifting door handles in my neighborhood. Maybe a new security light will deter them. My driveway light just didn't work, so I replaced it today.
Friday, November 3, 2017
Home Projects: Pictures On The Wall
Well, getting the frames straight on the wall isn't easy. But with a little effort, you can do it.
Tuesday, October 24, 2017
Cisco IP SLA
I did a IP SLA configuration on two Cisco 4500s the other day. Its really a great solution for multi path or dual-ISP, if you dont run a routing protocol. See below, the config and some notes.
Topology:
Config for Site 1:
ip sla 1
icmp-echo 10.15.0.2 source-ip 10.15.0.1
threshold 2
timeout 1000
frequency 3
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip route 10.2.3.0 255.255.255.0 10.15.0.2 track 1
ip route 10.2.3.0 255.255.255.0 10.0.10.5 10
Config for Site 2:
ip sla 1
icmp-echo 10.15.0.1 source-ip 10.15.0.2
threshold 2
timeout 1000
frequency 3
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip route 10.20.15.0 255.255.255.0 10.15.0.1 track 1
ip route 10.20.15.0 255.255.255.0 10.20.3.253 10
Notes:
10.15.0.2 is the IP address on Site 2 fiber port.
10.15.0.1 is the IP address on Site 1 fiber port.
10.0.10.5 is the IP address on Site 1 LAN Firewall port.
10.20.3.253 is the IP address on Site 2 LAN Firewall port.
Basically, if the fiber goes down, then change the routing table to go across the VPN to the remote site, is the idea here.
Site 1 4500:
Switch#sh track
Track 1
IP SLA 1 reachability
Reachability is Up
1 change, last change 00:02:09
Latest operation return code: Over threshold
Latest RTT (millisecs) 4
Tracked by:
Static IP Routing 0
Admin_Switch#sh ip route
...
S 10.20.3.0/24 [1/0] via 10.15.0.2
Switch# config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int vlan 99
Switch(config-if)#shut
Switch(config-if)#exit
Switch(config)#exit
Switch#sh track
Track 1
IP SLA 1 reachability
Reachability is Down
2 changes, last change 00:00:02
Latest operation return code: Timeout
Tracked by:
Static IP Routing 0
Switch#sh ip route
...
S 10.20.3.0/24 [10/0] via 10.0.10.5
Topology:
Config for Site 1:
ip sla 1
icmp-echo 10.15.0.2 source-ip 10.15.0.1
threshold 2
timeout 1000
frequency 3
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip route 10.2.3.0 255.255.255.0 10.15.0.2 track 1
ip route 10.2.3.0 255.255.255.0 10.0.10.5 10
Config for Site 2:
ip sla 1
icmp-echo 10.15.0.1 source-ip 10.15.0.2
threshold 2
timeout 1000
frequency 3
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip route 10.20.15.0 255.255.255.0 10.15.0.1 track 1
ip route 10.20.15.0 255.255.255.0 10.20.3.253 10
Notes:
10.15.0.2 is the IP address on Site 2 fiber port.
10.15.0.1 is the IP address on Site 1 fiber port.
10.0.10.5 is the IP address on Site 1 LAN Firewall port.
10.20.3.253 is the IP address on Site 2 LAN Firewall port.
Basically, if the fiber goes down, then change the routing table to go across the VPN to the remote site, is the idea here.
Site 1 4500:
Switch#sh track
Track 1
IP SLA 1 reachability
Reachability is Up
1 change, last change 00:02:09
Latest operation return code: Over threshold
Latest RTT (millisecs) 4
Tracked by:
Static IP Routing 0
Admin_Switch#sh ip route
...
S 10.20.3.0/24 [1/0] via 10.15.0.2
Switch# config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int vlan 99
Switch(config-if)#shut
Switch(config-if)#exit
Switch(config)#exit
Switch#sh track
Track 1
IP SLA 1 reachability
Reachability is Down
2 changes, last change 00:00:02
Latest operation return code: Timeout
Tracked by:
Static IP Routing 0
Switch#sh ip route
...
S 10.20.3.0/24 [10/0] via 10.0.10.5
Switch(config)#int vlan 99
Switch(config-if)#no shut
Switch(config-if)#exit
Switch(config)#exit
Switch(config-if)#no shut
Switch(config-if)#exit
Switch(config)#exit
Switch#sh track
Track 1
IP SLA 1 reachability
Reachability is Up
3 changes, last change 00:00:03
Latest operation return code: Over threshold
Latest RTT (millisecs) 4
Tracked by:
Static IP Routing 0
Switch#sh ip route
...
S 10.20.3.0/24 [1/0] via 10.15.0.2
Switch#
Friday, October 20, 2017
VPN: IKEv1 And IKEv2
While configuring some VPNs today, the question came up about using IKEv1 vs IKEv2. I don't want to get into the technical details about the differences in the two (I'll do that in the next post), but I do want you to know that the two are not compatible with each other. So if you use IKEv2 on one side, you have to use it in the other side.
Saturday, October 14, 2017
Thursday, October 12, 2017
Cisco ASR920 Problem
This was an interesting evening. I went onsite to a customer and put in one of those TZ600 SonicWall firewalls I just configured. Once I got it in place, I noticed the normal ARP issue that you have on the next hop router. So I rebooted the ISP router. As it turns out, there is a firmware issue on these Cisco ASR920 routers that when you reboot the system, if you have fiber modules in the ASR, it can cause an issue forwarding traffic, even though the interfaces are up. The fix? Literally, pull out the Gbic modules and re-seat them. All OK after that.
Monday, October 9, 2017
Two SonicWall TZ600s
This week, I have two SonicWall TZ600 firewalls to get setup for a company. They will have site to site VPN and will provide these small offices with some security. It's certainly not an enterprise solution, but OK for a small office like these.
Sunday, October 8, 2017
Sunday Thought: Make Me New On The Inside
This is an interesting passage. Highlighted in yellow below...
Sunday, October 1, 2017
Saturday, September 30, 2017
It's Never Ending...
Just keep in mind, when it comes to security of company data, everyone is a target. You have to protect yourself with appropriate cyber security. Sonic was the latest we have heard of. Who is next?
Wednesday, September 27, 2017
Check Point Firewall: CPView In CLI
Just real quick, if you go into CLI of Check Point, there is a command called cpview. Its a good, quick look at some statistics that might be helpful to you. Try it out, and get a feel for it.
Monday, September 25, 2017
Types Of Learners
Have you ever considered how you learn things the best? Recently, I have. I've tried to give some real consideration to why I get distracted so easily when studying for a particular certification. You see, I'm an auditory learner. For whatever reason, it's just how God made me. So when I hear noises around me, I've found I get distracted from actually studying. It turns out that I need silence to best accomplish my studying. And even more odd, when I study, I need to actually speak it out and hear myself say it. I've done this in the past, and can recognize that this IS actually correct for me.
I would encourage you to figure out your learning style. Just in life in general, it's probably a good idea to know about yourself. God made everyone of us carefully and specifically. We should probably look at ourselves and how we were made in order to become what we are supposed to be in this life.
Go try this test out and see what your learning style is: Learning style
When I look up what kind of learning tips are best for me, this is the sort of thing that comes up, which I can verify is true:
I would encourage you to figure out your learning style. Just in life in general, it's probably a good idea to know about yourself. God made everyone of us carefully and specifically. We should probably look at ourselves and how we were made in order to become what we are supposed to be in this life.
Go try this test out and see what your learning style is: Learning style
When I look up what kind of learning tips are best for me, this is the sort of thing that comes up, which I can verify is true:
Sunday, September 24, 2017
Sunday Thought: One Mouth, Two Ears
Have you ever heard that phrase "God gave us one mouth and two ears"?
There is that Bible verse about being quick to listen and slow to speak (James 1:19). You have also heard that phrase "seek to understand, then be understood"?
Let's commit to that. To understand first, then to be understood.
There is that Bible verse about being quick to listen and slow to speak (James 1:19). You have also heard that phrase "seek to understand, then be understood"?
Let's commit to that. To understand first, then to be understood.
Saturday, September 23, 2017
More Google Search Tips
As a consultant, I've always been proud of the fact that I could find pretty much whatever I needed on the internet. However, I've recently come across more helpful hints: google search helps
It's time I work on my search skills a little more.
It's time I work on my search skills a little more.
Wednesday, September 20, 2017
Site Search
Someone recently emailed me and told me I needed to add a search feature to this blog. Well, to search this blog, it's really simple. Here is what you do, from Google:
site:www.shanekillen.com brocade upgrade
If I want to search the Network Fun site for brocade upgrade, I just type in the above. It's really helpful.
site:www.shanekillen.com brocade upgrade
If I want to search the Network Fun site for brocade upgrade, I just type in the above. It's really helpful.
Tuesday, September 19, 2017
Cisco PBR And The SDM Prefer Command
Cisco has some good features in their switching gear. Like most vendors, they do policy based routing also.
I found myself in a small predicament. You see, my customer has this 7450 Brocade switch, which is way better than any campus Cisco access switch on the market. The only thing was, they didn't have the premium license needed for PBR. But, it just so happened that there was an old 3560 switch laying around, and PBR was an active feature on it. The only thing I had to do was to do the "sdm prefer routing" command and a reload, and it was ready for configuration. PBR is a great feature. As one of my old bosses put it, "them's the big boys".
Before config, I decided to draw it out.
I found myself in a small predicament. You see, my customer has this 7450 Brocade switch, which is way better than any campus Cisco access switch on the market. The only thing was, they didn't have the premium license needed for PBR. But, it just so happened that there was an old 3560 switch laying around, and PBR was an active feature on it. The only thing I had to do was to do the "sdm prefer routing" command and a reload, and it was ready for configuration. PBR is a great feature. As one of my old bosses put it, "them's the big boys".
Before config, I decided to draw it out.
Monday, September 18, 2017
White Rhino Security
You guys know that when you go somewhere in your car, and you get out to go inside your destination, do you lock your car doors? If so, why?
Most of us answer yes, we do lock our doors when we leave it. Why? Because we don't want anyone getting what we leave inside the car.
So, do you consider your company data and employee data of the same importance? Do you lock the internet doors to your company? The cybersecurity door?
Contact me on the right side of this page, and let's discuss your security concerns. Or at a minimum, let me get you educated on what you should be thinking about.
Most of us answer yes, we do lock our doors when we leave it. Why? Because we don't want anyone getting what we leave inside the car.
So, do you consider your company data and employee data of the same importance? Do you lock the internet doors to your company? The cybersecurity door?
Contact me on the right side of this page, and let's discuss your security concerns. Or at a minimum, let me get you educated on what you should be thinking about.
Sunday, September 17, 2017
Out Of Town Weekend
Needtobreathe played a concert in Memphis this weekend, so we decided to take a small roadtrip. It's only a couple of hours from Birmingham and we decided to do some of the things we used to do years ago, along with the concert.
Always work hard during the week, and take some fun time on the weekends. And always thank God for the blessings you have. He is a good God, just believe and trust in that, no matter where you are in life.
Here we are at the Peabody Hotel.
Always work hard during the week, and take some fun time on the weekends. And always thank God for the blessings you have. He is a good God, just believe and trust in that, no matter where you are in life.
Here we are at the Peabody Hotel.
Saturday, September 16, 2017
Cross Training
I have the opinion that investing in people is important. One way to do that is by cross training people in certain IT fields.
Currently, I'm in the process of training a few routing and switching guys to be firewall guys also. And vice versa. It's interesting to hear the conversations that are taking place between the two groups now. I have started easing back to the back of the room and i just listen, and I'm thrilled to hear the two groups intermingle with each other, now without me prompting the conversations and guiding it through. I'm excited and thrilled, to say the least. I really enjoy watching people grow in their careers.
Currently, I'm in the process of training a few routing and switching guys to be firewall guys also. And vice versa. It's interesting to hear the conversations that are taking place between the two groups now. I have started easing back to the back of the room and i just listen, and I'm thrilled to hear the two groups intermingle with each other, now without me prompting the conversations and guiding it through. I'm excited and thrilled, to say the least. I really enjoy watching people grow in their careers.
Wednesday, September 13, 2017
Nails
I bought a magnet on a stick recently and went over to the old '35 house where we recently had the shed in the back yard torn down. I thought I would pick up as many nails as I could, since my daughter and son-in-law are living there. This is what I picked up. That's a 16 ounce bottle.
Sunday, September 10, 2017
Saturday, September 9, 2017
Friday, September 8, 2017
California
As my wife and I go along on this road trip, she told me that California may be the most beautiful place she has ever seen. She said this as we were driving down Hwy 1 through Big Sur. As I think back across everywhere we have been so far in CA, she may be right about it.
Thursday, September 7, 2017
Wednesday, September 6, 2017
Somewhere In Northern AZ
Some things you just have to see. This was just past Clift Dwellers, AZ. The picture really just doesn't do it. Add complete silence to this picture, and you can get an idea.
Tuesday, September 5, 2017
Monday, September 4, 2017
Sunday, September 3, 2017
Saturday, September 2, 2017
The Tearing Down Of A Shed
At the ole '35 house, there is this shed that sits in the back yard. Its not of any real value to the house, and there is another person that wants it. So she is having someone come over to tear it down. I have no idea what they are planning to do with it. Maybe some scrap wood? I'm just not sure, but it will be out of my way, and I'm OK with that.
Friday, September 1, 2017
Quote For The Day: 54
"The reason we have such a high standard of living is because advertising has created an American frame of mind that makes people want more things, better things, and newer things." - Robert Sarnoff |
Thursday, August 31, 2017
Pic Of The Week: Old Disk...
I found this in a project manager's office as I was having a discussion with him.
Wednesday, August 30, 2017
Quote For The Day: 53
“Relish the opportunity to be an outsider. Embrace that label -- being an outsider is fine, embrace the label -- because it's the outsiders who change the world and who make a real and lasting difference.” ~~ Donald Trump
Monday, August 28, 2017
Quote For The Day: 52
“The more people tell you it's not possible, that it can't be done, the more you should be absolutely determined to prove them wrong. Treat the word 'impossible' as nothing more than motivation.” ~~ Donald Trump
Sunday, August 27, 2017
Saturday, August 26, 2017
Seafoam
Today, I'm working to clean out my engine of my Dodge Ram 1500. So I have decided that I will be using Seafoam to clean it out. I've used this before, and it works well.
First, I've already poured some into my oil. This should break loose and sludge and carbon buildup. Also, I've put some into my gas tank. This should clean out the injectors, fuel pump, etc. I will also pour some into the intake. If you are comfortable with working on cars, look into this. I think it's worth it to extend the life of your engine.
First, I've already poured some into my oil. This should break loose and sludge and carbon buildup. Also, I've put some into my gas tank. This should clean out the injectors, fuel pump, etc. I will also pour some into the intake. If you are comfortable with working on cars, look into this. I think it's worth it to extend the life of your engine.
Friday, August 25, 2017
Check Point Firewall: "enabled_blades" In CLI
Why is this useful? Its probably not. But its just FYI to you. I guess because I can type this in quicker and just get what I need instead of waiting on dashboard to come up and look at this. If you type "enabled_blades", you get the same check boxes you see in dashboard, just in CLI. See dashboard below, and CLI below that.
Thursday, August 24, 2017
Wednesday, August 23, 2017
Quote For The Day: 51
“Never stop fighting for what you believe in and for the people who care about you.” ~~ Donald Trump
Tuesday, August 22, 2017
Check Point Firewall: The Difference Between ZDEBUG, FW MONITOR, And TCPDump
Ok. I said a few days ago that I would write this post about the differences between these three commands. Here it is. I had a lot of info I wanted to put into this, but for the sake of just getting the info out there, I decided to just give the basics of the commands. Just FYI, these three commands have been very helpful to me in troubleshooting. And honestly, in the beginning of this, I could only tell you the difference between two of these three commands. Now, its different and I hope this helps you as well.
FW CTL ZDEBUG is a CLI
command that is for seeing dropped packets in real-time on the firewall. This can include packets that are dropped
from the Check Point application OR from the OS of the box. From the application, this could mean the
Rulebase, IPS, etc. From the OS, this
could mean dropped packets due to a full queue, etc. ZDEBUG is especially helpful in determining
the reason a packet is dropped. The
reality is that some packets that are dropped just do not show up in SmartView
Tracker.
Below is an example of some dropped packets and the reasons:
;[cpu_9];[fw4_6];fw_log_drop_ex: Packet proto=6
157.216.110.162:36299 -> 64.25.9.4:23 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 10; <-- This was dropped because of the Check Point firewall
rulebase. Rule 10 was a rule that it
matched and dropped.
;[cpu_10];[fw4_5];fw_log_drop_ex: Packet proto=6
195.88.209.216:51921 -> 64.25.9.22:33909 dropped by fw_handle_first_packet
Reason: Geo Protection; <-- Simple enough.
This packet is from Russia, which is blocked on this firewall.
fw ctl zdebug drop is the CLI command. This captures all packets that are
dropped. You can use the grep option to
cut down on the amount of traffic you see and specifically search for traffic
you want to see.
fw ctl zdebug drop | grep 10.19.4.4 will search for any dropped packet with a
source or destination IP address of 10.19.4.4.
FW MONITOR is a CLI command
that is for packet capturing through the firewall in
real-time. This command does not
show dropped packets. fw monitor allows
you to capture packets at multiple capture positions within the FireWall-1
kernel module chain; both for inbound and outbound packets. This enables you to
trace a packet through the different functionalities of the firewall. The
primary mode of troubleshooting would be to use the something like the
following to see packets for source of 29.27.7.2 or destination of 29.27.7.2:
fw monitor -e "accept src=29.27.7.2 or dst=29.27.7.2;" This will show you the stages of the IP of
29.27.7.2 as a source or destination.
Most of the time, you want to see the packet go all the way
through the kernel. Your command might
look something like this:
fw monitor -e "accept host (29.27.7.2);" This will show you the 4
stages that this particular IP goes through, and is most likely what you will
use the most. You are basically looking
at this view of the packet traversal below.
This will help you determine if packets are coming through, and if
NAT’ing and routing is working.
You can also expand this view by using the –p
all option, as show below:
fw monitor –p all -e "accept host (29.27.7.2);"
You are basically looking at a multiple point view of the
packet traversal through the firewall:
TCPDump is a CLI command
that allows you to capture packets on the interface. You see packets, real-time, as they hit the
interface, but not through the
firewall. Only on the interface is where
you are capturing on. This is similar to
the way packet captures work on a Cisco ASA or what you would see in Wireshark. If you see a packet coming in an interface,
but not out an interface, you will probably need to run the fw
monitor command to find out where it is failing. If you suspect dropped packets, you can use
the zdebug command.
tcpdump -i eth1 host
172.24.8.200 <---- Tells to
monitor eth1 for this hosts.
NOTES***
'tcpdump -i' captures
traffic on specific interface.
'tcpdump -e' displays
Source and Destination MAC addresses.
CTRL+C stops
'tcpdump'.
By default, only the first 68 bytes
of every packet are captures, unless the capture size is increased with '-s'
flag. For users running without data encryption, passwords are also copied into
this file.
Monday, August 21, 2017
CISSP And The CISO
As some of you know, I'm currently working on the CISSP certification. And during this time, I have asked myself this question: Why does a technical resource need this certification?
I'm sure some people will disagree, but for me, the answer is: They don't.
I'm still going to get it, because I know people want you to have it with what I do for a living. But honestly, the topics on the CISSP exam do not reflect what a technical person really needs to know.
However, for management, yes, I can see it. They DO need this cert, based on what I'm studying. And to me, it should be a requirement of any CISO who is actively working as a company security policy manager (because policy is what they really are supposed to do). What I'm studying is about policy, not how to stop someone from hacking into the network or even best practices with config.
CISOs get paid a lot of money. You need to require them to have this cert.
I'm sure some people will disagree, but for me, the answer is: They don't.
I'm still going to get it, because I know people want you to have it with what I do for a living. But honestly, the topics on the CISSP exam do not reflect what a technical person really needs to know.
However, for management, yes, I can see it. They DO need this cert, based on what I'm studying. And to me, it should be a requirement of any CISO who is actively working as a company security policy manager (because policy is what they really are supposed to do). What I'm studying is about policy, not how to stop someone from hacking into the network or even best practices with config.
CISOs get paid a lot of money. You need to require them to have this cert.
Sunday, August 20, 2017
Sunday Thought: Acts 10:15
In a time of so much hostile fighting and so much backbiting here within the US, this is an interesting thought. When the Gentiles and the Jews didn't necessarily get along, God was very clear to Peter in this message:
Saturday, August 19, 2017
Pic Of The Week: Dust
Remember when I talked about vacuuming out my vents when working on my HVAC? Well, this was one of the intakes. This is an old 1950s house, and it's probably never been cleaned out since the duct work was put in.
Friday, August 18, 2017
Quote For The Day: 50
“Never, ever give up. There will be times in your life you'll want to quit, you'll want to go home, you'll want to go home perhaps to that wonderful mother that's sitting back there watching you and say, 'Mom, I can't do it. I can't do it.' Just never quit. Go back home and tell mom, dad, ‘I can do it, I can do it. I will do it.’ You're going to be successful.”. ~~ Donald Trump
Thursday, August 17, 2017
Check Point Firewall: Difference Between "fw mon", "zdebug" And "TCPDump"
I've decided that there is just some documentation that is missing on a few topics. The difference between these Check Point commands (fw monitor, zdebug, and tcpdump) is something that needs some explaining. I'm putting this together and will have this one up in a few days. Stay tuned...
Wednesday, August 16, 2017
Quote For The Day: 49
“Remember this: Nothing worth doing ever, ever, ever came easy. Following your convictions means you must be willing to face criticism from those who lack the same courage to do what is right.” ~~ Donald Trump
Friday, August 11, 2017
Check Point Firewall: tcpdump In CLI
I've had to do some troubleshooting on a network issue recently, where I needed to do a tcpdump to verify that the packets were actually leaving the firewall. It is. You can see it coming in from the private IP of 10.10.10.10, then being NAT'ed to the public 55.55.55.55 and on to 4.2.2.2.
[Expert@CheckPoint1:0]# tcpdump -i any -vvv dst 4.2.2.2
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
12:25:20.917906 IP (tos 0x0, ttl 127, id 8280, offset 0, flags [none], proto: ICMP (1), length: 60) 10.10.10.10 > 4.2.2.2: ICMP echo request, id 1, seq 19, length 40
12:25:20.918146 IP (tos 0x0, ttl 126, id 8280, offset 0, flags [none], proto: ICMP (1), length: 60) 55.55.55.55 > 4.2.2.2: ICMP echo request, id 46253, seq 19, length 40
12:25:21.919046 IP (tos 0x0, ttl 127, id 8285, offset 0, flags [none], proto: ICMP (1), length: 60) 10.10.10.10 > 4.2.2.2: ICMP echo request, id 1, seq 20, length 40
12:25:21.919096 IP (tos 0x0, ttl 126, id 8285, offset 0, flags [none], proto: ICMP (1), length: 60) 55.55.55.55 > 4.2.2.2: ICMP echo request, id 46253, seq 20, length 40
12:25:26.863785 IP (tos 0x0, ttl 127, id 8291, offset 0, flags [none], proto: ICMP (1), length: 60) 10.10.10.10 > 4.2.2.2: ICMP echo request, id 1, seq 21, length 40
12:25:26.863884 IP (tos 0x0, ttl 126, id 8291, offset 0, flags [none], proto: ICMP (1), length: 60) 55.55.55.55 > 4.2.2.2: ICMP echo request, id 46253, seq 21, length 40
12:25:27.862351 IP (tos 0x0, ttl 127, id 8293, offset 0, flags [none], proto: ICMP (1), length: 60) 10.10.10.10> 4.2.2.2: ICMP echo request, id 1, seq 22, length 40
12:25:27.862397 IP (tos 0x0, ttl 126, id 8293, offset 0, flags [none], proto: ICMP (1), length: 60) 55.55.55.55 > 4.2.2.2: ICMP echo request, id 46253, seq 22, length 40
12:25:30.053671 IP (tos 0x0, ttl 127, id 8304, offset 0, flags [none], proto: ICMP (1), length: 60) 10.10.10.10 > 4.2.2.2: ICMP echo request, id 1, seq 23, length 40
12:25:30.053732 IP (tos 0x0, ttl 126, id 8304, offset 0, flags [none], proto: ICMP (1), length: 60) 55.55.55.55 > 4.2.2.2: ICMP echo request, id 46253, seq 23, length 40
12:25:31.066946 IP (tos 0x0, ttl 127, id 8306, offset 0, flags [none], proto: ICMP (1), length: 60) 10.10.10.10> 4.2.2.2: ICMP echo request, id 1, seq 24, length 40
[Expert@CheckPoint1:0]# tcpdump -i any -vvv dst 4.2.2.2
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
12:25:20.917906 IP (tos 0x0, ttl 127, id 8280, offset 0, flags [none], proto: ICMP (1), length: 60) 10.10.10.10 > 4.2.2.2: ICMP echo request, id 1, seq 19, length 40
12:25:20.918146 IP (tos 0x0, ttl 126, id 8280, offset 0, flags [none], proto: ICMP (1), length: 60) 55.55.55.55 > 4.2.2.2: ICMP echo request, id 46253, seq 19, length 40
12:25:21.919046 IP (tos 0x0, ttl 127, id 8285, offset 0, flags [none], proto: ICMP (1), length: 60) 10.10.10.10 > 4.2.2.2: ICMP echo request, id 1, seq 20, length 40
12:25:21.919096 IP (tos 0x0, ttl 126, id 8285, offset 0, flags [none], proto: ICMP (1), length: 60) 55.55.55.55 > 4.2.2.2: ICMP echo request, id 46253, seq 20, length 40
12:25:26.863785 IP (tos 0x0, ttl 127, id 8291, offset 0, flags [none], proto: ICMP (1), length: 60) 10.10.10.10 > 4.2.2.2: ICMP echo request, id 1, seq 21, length 40
12:25:26.863884 IP (tos 0x0, ttl 126, id 8291, offset 0, flags [none], proto: ICMP (1), length: 60) 55.55.55.55 > 4.2.2.2: ICMP echo request, id 46253, seq 21, length 40
12:25:27.862351 IP (tos 0x0, ttl 127, id 8293, offset 0, flags [none], proto: ICMP (1), length: 60) 10.10.10.10> 4.2.2.2: ICMP echo request, id 1, seq 22, length 40
12:25:27.862397 IP (tos 0x0, ttl 126, id 8293, offset 0, flags [none], proto: ICMP (1), length: 60) 55.55.55.55 > 4.2.2.2: ICMP echo request, id 46253, seq 22, length 40
12:25:30.053671 IP (tos 0x0, ttl 127, id 8304, offset 0, flags [none], proto: ICMP (1), length: 60) 10.10.10.10 > 4.2.2.2: ICMP echo request, id 1, seq 23, length 40
12:25:30.053732 IP (tos 0x0, ttl 126, id 8304, offset 0, flags [none], proto: ICMP (1), length: 60) 55.55.55.55 > 4.2.2.2: ICMP echo request, id 46253, seq 23, length 40
12:25:31.066946 IP (tos 0x0, ttl 127, id 8306, offset 0, flags [none], proto: ICMP (1), length: 60) 10.10.10.10> 4.2.2.2: ICMP echo request, id 1, seq 24, length 40
Thursday, August 10, 2017
Wednesday, August 9, 2017
Home Projects: Killing Roaches
If it's one thing I don't care for, it's roaches. Here in central Alabama, there are a lot of them. And sometimes, they get into the house.
So, it's time to kill them. I found a mixture that is supposed to do the trick:
1 part boric acid
1 part sugar
1 part flour
Mix all three together and you get the final product. (Don't mix this where you eat.) If you have carpet or hardwoods, put this on something like aluminum foil, to protect your floor.
I set some of this mixture outside to test this out, and sure enough, I saw five roaches at one time of checking it, all on top of the mixture. I read that it takes killing three generations of them to totally get rid of them inside (6 to 8 weeks). Let's see how this works out.
So, it's time to kill them. I found a mixture that is supposed to do the trick:
1 part boric acid
1 part sugar
1 part flour
Mix all three together and you get the final product. (Don't mix this where you eat.) If you have carpet or hardwoods, put this on something like aluminum foil, to protect your floor.
I set some of this mixture outside to test this out, and sure enough, I saw five roaches at one time of checking it, all on top of the mixture. I read that it takes killing three generations of them to totally get rid of them inside (6 to 8 weeks). Let's see how this works out.
Tuesday, August 8, 2017
The Data Center Walk-through...
One thing I'm making sure I do at one customer in particular, is a walk-through of the data center. Once a week, one member of my team walks through the customer data center. Its important. There is a lot of gear in this data center. Probably around 40 racks or so.
What are we looking for? Lights. Or, missing lights. Amber lights. Anything that doesnt look right. I know that in the top of each rack, I expect to see 6 power supply lights. And in some racks, 8 power supply lights. I know that for each Aggregation and Core switches (12 total), that I should see 4 power supply lights, 2 supervisor lights, 6 lights across the top front of the Nexus gear, and I should never see an amber light, or one that is out (or blinking).
Every rack has a certain amount of "green lights" on it. Even the sound can be help you determine if something isn't right. And if you look at these often enough, you start to notice when something doesn't "look right" or "sound right". It actually gets easy to see when something isn't functioning correctly. For example, I can tell you within a few seconds if a power supply has gone bad, just by glancing at the rack. I've trained my eyes on what to look for, and its a huge benefit to the operation of the data center. Could I automate this? Probably. But I would rather "know" the data center myself instead of depending on even more electronics and software to tell me when it thinks something is wrong.
Get to know your data center (or closets) more intimately. You will be glad you did.
What are we looking for? Lights. Or, missing lights. Amber lights. Anything that doesnt look right. I know that in the top of each rack, I expect to see 6 power supply lights. And in some racks, 8 power supply lights. I know that for each Aggregation and Core switches (12 total), that I should see 4 power supply lights, 2 supervisor lights, 6 lights across the top front of the Nexus gear, and I should never see an amber light, or one that is out (or blinking).
Every rack has a certain amount of "green lights" on it. Even the sound can be help you determine if something isn't right. And if you look at these often enough, you start to notice when something doesn't "look right" or "sound right". It actually gets easy to see when something isn't functioning correctly. For example, I can tell you within a few seconds if a power supply has gone bad, just by glancing at the rack. I've trained my eyes on what to look for, and its a huge benefit to the operation of the data center. Could I automate this? Probably. But I would rather "know" the data center myself instead of depending on even more electronics and software to tell me when it thinks something is wrong.
Get to know your data center (or closets) more intimately. You will be glad you did.
Monday, August 7, 2017
Home Projects: A Leaky Roof
In that old '35 house of mine, I had a place in the roof that had a leak. I had been up in the attic myself to look for this leak, but I just couldn't find it. So I had to call a roofer to look at this and get it fixed, but I learned something the other day that I just hadn't thought of.
See this picture below. That roofer came out and he immediately saw the problem after climbing up on top of the roof. He saw this carpenter nail, just below one of the shingle lines. Notice the tip of the nail. Its rusty. Water has definitely been there. So some liquid tar and a few minutes later, leak fixed.
See this picture below. That roofer came out and he immediately saw the problem after climbing up on top of the roof. He saw this carpenter nail, just below one of the shingle lines. Notice the tip of the nail. Its rusty. Water has definitely been there. So some liquid tar and a few minutes later, leak fixed.
Thursday, August 3, 2017
Pic Of The Week: A Good Day
My home security caught this image this morning. Its me, starting the day off consulting and a lunch at the shooting range for target practice with my son-in-law. Not a bad day.
Wednesday, August 2, 2017
Check Point Firewall: Modifying The FWKERN.CONF File To Overcome Dropped Packets From The Queue Buffer
Here recently, I had a server guy come to me and tell me that he needed some network help to get an issue of his resolved. Long story short, his NetApp replication from one site to another was failing, and he couldn't find anything wrong in his configuration to solve the issue. After troubleshooting the firewall and network from my perspective, I didn't see anything wrong either. This, needless to say, did not help him out any.
However, after further review, I found that the reason I didn't see anything in my firewall logs was because it wasn't making it to the Check Point application itself. There actually were dropped packets, just at the OS level. This took some time to troubleshoot, but what we found was that the queue limit buffer was getting too much traffic and was dropping packets.
So, what did we do? Well, the default queue limit is set to 2048 by default (in Gaia on the Check Point appliances). We wanted to up that limit to 8196, since we had plenty of memory to do so (don't do this unless you know for sure you have plenty of resources, as this may not resolve your issue). In this case, my CPU (CPU #1) was consistently hitting 100% utilization. So, time to edit the fwkern.conf file.
After logging into Check Point in CLI, and going into expert mode, I then went to /var/opt/fw.boot/modules directory. There, the fwkern.conf file resides. I went into VI editor and put in the following:
fwmultik_input_queue_len = 8196
After coming out of VI editor and rebooting the HA cluster, everything worked well and his NetApp issue was resolved. No more dropped packets from the buffer and CPU down to 10%. To check what your setting is at, do the following:
[Expert@CheckPoint:0]# fw -i k ctl get int fwmultik_input_queue_len
fwmultik_input_queue_len = 2048
However, after further review, I found that the reason I didn't see anything in my firewall logs was because it wasn't making it to the Check Point application itself. There actually were dropped packets, just at the OS level. This took some time to troubleshoot, but what we found was that the queue limit buffer was getting too much traffic and was dropping packets.
So, what did we do? Well, the default queue limit is set to 2048 by default (in Gaia on the Check Point appliances). We wanted to up that limit to 8196, since we had plenty of memory to do so (don't do this unless you know for sure you have plenty of resources, as this may not resolve your issue). In this case, my CPU (CPU #1) was consistently hitting 100% utilization. So, time to edit the fwkern.conf file.
After logging into Check Point in CLI, and going into expert mode, I then went to /var/opt/fw.boot/modules directory. There, the fwkern.conf file resides. I went into VI editor and put in the following:
fwmultik_input_queue_len = 8196
After coming out of VI editor and rebooting the HA cluster, everything worked well and his NetApp issue was resolved. No more dropped packets from the buffer and CPU down to 10%. To check what your setting is at, do the following:
[Expert@CheckPoint:0]# fw -i k ctl get int fwmultik_input_queue_len
fwmultik_input_queue_len = 2048
Monday, July 31, 2017
When It HVAC Rains, It Seems Like It Pours
Ok, I'm not a fan of HVAC problems. But while I was in my basement last night, I noticed water on my basement floor. Ugh.
It was coming from where the coil was housed. I've seen this before, but couldn't remember what the problem was. See below in the first picture. But then my wife reminded me that the hose line that directs condensation out of the unit was probably clogged up. And she was right. So I took our shop vac and put the hose on backwards so it would blow air out instead of vacuum and connected it to the water line. It cleared the line right out and no more clog.
It was coming from where the coil was housed. I've seen this before, but couldn't remember what the problem was. See below in the first picture. But then my wife reminded me that the hose line that directs condensation out of the unit was probably clogged up. And she was right. So I took our shop vac and put the hose on backwards so it would blow air out instead of vacuum and connected it to the water line. It cleared the line right out and no more clog.
Sunday, July 30, 2017
Thursday, July 27, 2017
The HVAC Verdit Is In...
I talked to my son-in-law today about yesterday's post. If you didn't read it, we did some work on the HVAC intake where we basically covered every single crack/hole/entrance in the duct-work of the intake (in the crawlspace) that was not the actual intake vent ("return", as its called) inside the house. I asked him if the "air seemed any better?" (meaning colder if you are from the South). His reply was that yes, in fact, it actually does seem better.
That makes me feel good about fixing these two HVAC systems to be more efficient and cooler. If you are reading this, I would encourage you to take a look at yours also.
By the way, if you are thinking that it takes an HVAC guy to do something like this, don't think that. I'm no where near that.
That makes me feel good about fixing these two HVAC systems to be more efficient and cooler. If you are reading this, I would encourage you to take a look at yours also.
By the way, if you are thinking that it takes an HVAC guy to do something like this, don't think that. I'm no where near that.
Wednesday, July 26, 2017
The Ole '35 House...
A few days ago, I posted about trying to fix my HVAC and that basement smell that was coming through the unit. And an unintended consequence of that fix was better efficiency of the unit, based on what we used to like the temperature at, as opposed to what we like it at now. So I decided to go over to the '35 house that we redid and look at that unit.
My son-in-law an I crawled under the house (something I'm generally opposed to) and looked at the intake of the unit. And sure enough, something very similar. There were places in the intake where crawl space air was entering into the unit. They were not experiencing the same smell as I did, but I'm wondering more about the efficiency of the unit now.
So we put hvac tape everywhere there was an intake opening that did not belong, and now I'm just waiting to hear back from my son-in-law on if the is any difference.
After my experience, I would highly recommend you check out your own unit. I don't mean get someone to do it. I mean YOU do it. I've had hired hands come and look and never mention this, or fix that basement smell. I just don't think they are as interested as you are in your unit efficiency.
My son-in-law an I crawled under the house (something I'm generally opposed to) and looked at the intake of the unit. And sure enough, something very similar. There were places in the intake where crawl space air was entering into the unit. They were not experiencing the same smell as I did, but I'm wondering more about the efficiency of the unit now.
So we put hvac tape everywhere there was an intake opening that did not belong, and now I'm just waiting to hear back from my son-in-law on if the is any difference.
After my experience, I would highly recommend you check out your own unit. I don't mean get someone to do it. I mean YOU do it. I've had hired hands come and look and never mention this, or fix that basement smell. I just don't think they are as interested as you are in your unit efficiency.
Sunday, July 23, 2017
Saturday, July 22, 2017
HVAC And The Basement Smell
Have you ever smelled the smell of a basement? If you have an unfinished basement, you probably know what I'm talking about. Half of my house sits over a crawl space with a dirt floor. So imagine your basement smell inside your living area now. Not as strong as the basement, but you still notice it.
My house is an older house. Some people have said that it's just the way an older house smells. Well, I don't think that having the smell of your basement is normal. Or, it shouldn't be. So I set off to fix this issue.
First, I called my HVAC guy. He came out and really didn't do much. And he charged me $75 for coming out. And, the smell was still coming through the HVAC when he left.
Next, I decided to pursue it myself. So, I ended up in the basement in the crawl space. I ended up finding an intake duct run that was slightly disconnected from the vent up on the main floor. Once I connected it back up and taped it up, I found that the problem of the smell upstairs was resolved.
Here is the interesting thing though. When we want to keep it cold at night for sleeping, we normally keep it at 69 to 70 degrees. Now, after fixing this intake issue, 73 degrees is too cold. Even tonight, 74 degrees was too cold. We have noticed that the efficiency of the HVAC system is much better now. All it took was for me to go down and examine the whole duct system and correct any problems that I saw. Now, our unit is doing much better.
My house is an older house. Some people have said that it's just the way an older house smells. Well, I don't think that having the smell of your basement is normal. Or, it shouldn't be. So I set off to fix this issue.
First, I called my HVAC guy. He came out and really didn't do much. And he charged me $75 for coming out. And, the smell was still coming through the HVAC when he left.
Next, I decided to pursue it myself. So, I ended up in the basement in the crawl space. I ended up finding an intake duct run that was slightly disconnected from the vent up on the main floor. Once I connected it back up and taped it up, I found that the problem of the smell upstairs was resolved.
Here is the interesting thing though. When we want to keep it cold at night for sleeping, we normally keep it at 69 to 70 degrees. Now, after fixing this intake issue, 73 degrees is too cold. Even tonight, 74 degrees was too cold. We have noticed that the efficiency of the HVAC system is much better now. All it took was for me to go down and examine the whole duct system and correct any problems that I saw. Now, our unit is doing much better.
Thursday, July 20, 2017
Cisco Data Center: Enabling PBR (Policy Based Routing) On Cisco Nexus 9Ks
I've recently came upon the need to do some PBR (Policy Based Routing) on some core Nexus 9Ks within a data center environment. Its interesting, to say the least, that Cisco is full of "We don't support" statements. It makes me miss the Brocade days, even though they were not perfect either (although better). So before we get into the config part, lets take a look at the "Cisco doesn't support" statements that they make:
1. A policy-based routing route map can have only one match or set statement per route-map statement.
2. A match command cannot refer to more than one ACL in a route map used for policy-based routing.
3. The same route map can be shared among different interfaces for policy-based routing as long as the interfaces belong to the same virtual routing and forwarding (VRF) instance.
4. Using a prefix list as a match criteria is not supported. Do not use a prefix list in a policy-based routing route-map.
5. Policy-based routing supports only unicast traffic. Multicast traffic is not supported.
6. Policy-based routing is not supported with inbound traffic on FEX ports.
7. Policy-based routing is not supported with Layer 3 port-channel subinterfaces.
8. An ACL used in a policy-based routing route map cannot include deny access control entries (ACEs).
9. Policy-based routing is supported only in the default system routing mode.
10. The Cisco Nexus 9000 Series switches do not support the set vrf and set default next-hop commands.
11. Policy-based routing traffic cannot be balanced if the next hop is recursive over ECMP paths. Instead, use the set {ip | ipv6} next-hop ip-address load-share command to specify the adjacent next hops.
12. Beginning with Cisco NX-OS Release 6.1(2)I3(2), the Cisco Nexus 9000 Series switches support policy-based ACLs (PBACLs), also referred to as object-group ACLs. For more information, see the Cisco Nexus 9000 Series NX-OS Security Configuration Guide.
13. If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.
Now, lets get into the config of this. I have two Nexus 9Ks as my core. I'm using L3 ports in this particular case.
CORE2(config)# feature pbr
CORE2(config)# ip access-list PBR_2_9504s_PERMIT
CORE2(config-acl)# permit ip 10.45.0.0/16 any
CORE2(config-acl)# exit
CORE2(config)# ip access-list PBR_2_9504s_DENY
CORE2(config-acl)# permit ip 10.45.0.0/16 10.0.0.0/8
CORE2(config-acl)# exit
CORE2(config)# route-map PBR_2_9504s deny 10
CORE2(config-route-map)# match ip address PBR_2_9504s_DENY
CORE2(config-route-map)# route-map PBR_2_9504s permit 20
CORE2(config-route-map)# match ip address PBR_2_9504s_PERMIT
CORE2(config-route-map)# set ip next-hop 192.168.10.1 192.168.10.2 load-share
Now, lets apply it to the two L3 interfaces:
int eth 1/1
ip policy route-map PBR_2_9504s
int eth 2/1
ip policy route-map PBR_2_9504s
Lets look at the config for a moment. Notice that the route-map references two statements. "route-map PBR_2_9504s deny 10" points to ACL "PBR_2_9504s_DENY" in the statement "match ip address PBR_2_9504s_DENY". That is because of this particular "Cisco doesnt support" statements:
An ACL used in a policy-based routing route map cannot include deny access control entries (ACEs).
Then you move on to the permit statements, of which you want to permit the particular action. In this case, I want to set the next hop to two different IPs (because of the redundancy in the network). "route-map PBR_2_9504s permit 20" gets me to the permit actions. It points to the ACL of "PBR_2_9504s_PERMIT" in the command "match ip address PBR_2_9504s_PERMIT". Next, I send it to the next hops with the load sharing command "set ip next-hop 192.168.10.1 192.168.10.2 load-share". I then apply it to the interfaces.
Now, some other things to know about the Nexus 9K and PBR. You have to have Enterprise Services licensing.
CORE2# sh license usage
Feature Ins Lic Status Expiry Date Comments
Count
--------------------------------------------------------------------------------
TP_SERVICES_PKG No - Unused -
NETWORK_SERVICES_PKG Yes - Unused Never -
LAN_ENTERPRISE_SERVICES_PKG Yes - In use Never -
--------------------------------------------------------------------------------
CORE2#
Next, the load-sharing is per flow, not per packet. This is per Cisco documentation:
"You can optionally configure this command for next-hop addresses to load balance traffic for up
to 32 IP addresses. In this case, Cisco NX-OS sends all traffic for each IP flow to a particular IP
next-hop address."
Also, if you use the "set" command in the first part of the route-map, it will have no effect. Cisco says this:
"The set command has no effect inside a route-map... deny statement."
1. A policy-based routing route map can have only one match or set statement per route-map statement.
2. A match command cannot refer to more than one ACL in a route map used for policy-based routing.
3. The same route map can be shared among different interfaces for policy-based routing as long as the interfaces belong to the same virtual routing and forwarding (VRF) instance.
4. Using a prefix list as a match criteria is not supported. Do not use a prefix list in a policy-based routing route-map.
5. Policy-based routing supports only unicast traffic. Multicast traffic is not supported.
6. Policy-based routing is not supported with inbound traffic on FEX ports.
7. Policy-based routing is not supported with Layer 3 port-channel subinterfaces.
8. An ACL used in a policy-based routing route map cannot include deny access control entries (ACEs).
9. Policy-based routing is supported only in the default system routing mode.
10. The Cisco Nexus 9000 Series switches do not support the set vrf and set default next-hop commands.
11. Policy-based routing traffic cannot be balanced if the next hop is recursive over ECMP paths. Instead, use the set {ip | ipv6} next-hop ip-address load-share command to specify the adjacent next hops.
12. Beginning with Cisco NX-OS Release 6.1(2)I3(2), the Cisco Nexus 9000 Series switches support policy-based ACLs (PBACLs), also referred to as object-group ACLs. For more information, see the Cisco Nexus 9000 Series NX-OS Security Configuration Guide.
13. If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.
Now, lets get into the config of this. I have two Nexus 9Ks as my core. I'm using L3 ports in this particular case.
CORE2(config)# feature pbr
CORE2(config)# ip access-list PBR_2_9504s_PERMIT
CORE2(config-acl)# permit ip 10.45.0.0/16 any
CORE2(config-acl)# exit
CORE2(config)# ip access-list PBR_2_9504s_DENY
CORE2(config-acl)# permit ip 10.45.0.0/16 10.0.0.0/8
CORE2(config-acl)# exit
CORE2(config)# route-map PBR_2_9504s deny 10
CORE2(config-route-map)# match ip address PBR_2_9504s_DENY
CORE2(config-route-map)# route-map PBR_2_9504s permit 20
CORE2(config-route-map)# match ip address PBR_2_9504s_PERMIT
CORE2(config-route-map)# set ip next-hop 192.168.10.1 192.168.10.2 load-share
Now, lets apply it to the two L3 interfaces:
int eth 1/1
ip policy route-map PBR_2_9504s
int eth 2/1
ip policy route-map PBR_2_9504s
Lets look at the config for a moment. Notice that the route-map references two statements. "route-map PBR_2_9504s deny 10" points to ACL "PBR_2_9504s_DENY" in the statement "match ip address PBR_2_9504s_DENY". That is because of this particular "Cisco doesnt support" statements:
An ACL used in a policy-based routing route map cannot include deny access control entries (ACEs).
Then you move on to the permit statements, of which you want to permit the particular action. In this case, I want to set the next hop to two different IPs (because of the redundancy in the network). "route-map PBR_2_9504s permit 20" gets me to the permit actions. It points to the ACL of "PBR_2_9504s_PERMIT" in the command "match ip address PBR_2_9504s_PERMIT". Next, I send it to the next hops with the load sharing command "set ip next-hop 192.168.10.1 192.168.10.2 load-share". I then apply it to the interfaces.
Now, some other things to know about the Nexus 9K and PBR. You have to have Enterprise Services licensing.
CORE2# sh license usage
Feature Ins Lic Status Expiry Date Comments
Count
--------------------------------------------------------------------------------
TP_SERVICES_PKG No - Unused -
NETWORK_SERVICES_PKG Yes - Unused Never -
LAN_ENTERPRISE_SERVICES_PKG Yes - In use Never -
--------------------------------------------------------------------------------
CORE2#
Next, the load-sharing is per flow, not per packet. This is per Cisco documentation:
"You can optionally configure this command for next-hop addresses to load balance traffic for up
to 32 IP addresses. In this case, Cisco NX-OS sends all traffic for each IP flow to a particular IP
next-hop address."
Also, if you use the "set" command in the first part of the route-map, it will have no effect. Cisco says this:
"The set command has no effect inside a route-map... deny statement."
Tuesday, July 18, 2017
Python
OK, so if you read yesterday's post, you will understand where I'm going with this. Today, I've started my 10 minutes of Python for each day. I'm not saying it will be fast going, but you have to start somewhere.
Monday, July 17, 2017
Some Career Thoughts
Hi all. I hope you guys are doing well. I wanted to ask you a question. Have you noticed in the last year or so, that the job description for the "network engineer" has changed? I have. It appears that now, if you don't have Python and scripting skills, along with server experience, then you may not be a candidate for them. The job landscape is getting interesting for sure. It certainly appears that its time the network guy now has to grow into something more than routing and switching.
Sunday, July 9, 2017
Sunday Thought: Value
Sometimes, it happens. You are making a living, but in the wrong place. I've seen this with a friend of mine in particular. I saw this below, and it makes me think of him each time I see it. Its OK to think better of yourself than your employer thinks of you. In fact, you should. They don't know you like you know you. Besides, they look at you from a "performance" standpoint. That's not how God looks at you.
Friday, July 7, 2017
Update...
Hey guys. I hope all is well with you. I wanted to take some time to give you an update on how things are going here.
First, I have to say I have missed regularly posting on this blog. It's something that crosses my mind often as something I "need to go do", but time has just not permitted. I've put a lot of effort in the past into this site, and I have to say I've missed doing so recently. So when you see me put up things that are not technical recently, it's really just to get something up here as a thought, etc.
At this point, I'm taking a CISSP class once a week, for three hours each night. I thought this would keep me on track in my studying, but the truth is that it hasn't. The reality is that it's just made me feel like I need more time. The problem is that life gets in the way of studying. I've realized that as being a middle aged, responsible person, there are just the things you "have" to do in life over the things you "need" or "want" to do. Honestly, making a living, getting things fixed, spending time with your loved ones, etc, is just more important than studying. And the reality is that there are only a certain amount of hours in the day. I'll get the studying done at some point, but with White Rhino and the rest of life going on, I'll just have to pace it as I can. It's going to happen, just in the time I can make it happen. I've noticed that as I was younger and trying to get certifications, it was much easier to do. Either that, or I didn't prioritize life's problems, challenges, etc correctly. I've just noticed that now, it takes me a little longer to obtain these certification goals. Either way, I'm not sad about it, and if you are reading this and have felt the same way, don't you feel bad either. Life is more than certifications.
I've noticed a few things, especially listening to the people that teach this CISSP class. These people get up and talk about themselves in an intro. And it sounds impressive, I must say. But there are some realities I've noticed. First, either they know everything about the subject matter they are talking about, but they lack in many other areas in life. Meaning, if their car broke down, they wouldn't know how to fix it. But they sure can do this security thing or that without problem. But again, don't ask them how to fix a plumbing leak or change the air filter in the HVAC. They won't know. I'm not saying this is bad, they just aren't "well rounded". You have to decide which you prefer in life, and no answer is wrong, just different than the next guys decision. For me, when people depend on me in life, I'd rather be "well rounded" in my knowledge. That's just me.
I've also noticed that as I probe the people teaching this class (and other technical people), when I dive deeper into a topic, they may not actually know the answers. For instance, a guy talked about building generators in the CISSP class. When I asked him a specific question about how it worked, he didn't really know. He just knew the basic that it kept the power on. Not a big deal to me, as he probably knew how to change a flat tire on his car. Which I respect. My observation and point here is that everyone has knowledge in something, but may not actually know everything. People tend to hide that from other people. No big deal, just remember that as you talk to people. They may act like they know everything, but they don't.
I've rambled on long enough about the CISSP. I'll get it like I did the SSCP recently, just in MY time.
Now, some recent things: I cut the end off my finger off. No big deal, it's healing nicely. I thought it would be noticeable when it was done healing, but it looks like you won't be able to notice either at all or much. It still probably needs a few more weeks to heal, and I think it will be fine. I did this fixing a toilet of all things. One small note on this: funny how super glue can stop bleeding. Next, I've had to learn about some hvac stuff. Fixing some leaks in the duct system. Not fun, but something that I've had to get into recently to fix a problem I've had. Also, maintaining the cars. Just something you have to do when you are responsible for the vehicles. I actually love working on cars. I could name many other things going on, but you get the point. That's why studying is just not the number one priority right now.
Now, let's get to the most important thing going on. Read your Bible. That's where real knowledge and wisdom is at. Not certification wisdom or changing the oil in your car wisdom. Life wisdom. God (YHWH) doesn't lie to you. He created this life, and He knows how you should live it. And if you don't recognize that name in parenthesis, look it up. The God of the Bible actually tells us His name. Do the research, you will be glad you did.
First, I have to say I have missed regularly posting on this blog. It's something that crosses my mind often as something I "need to go do", but time has just not permitted. I've put a lot of effort in the past into this site, and I have to say I've missed doing so recently. So when you see me put up things that are not technical recently, it's really just to get something up here as a thought, etc.
At this point, I'm taking a CISSP class once a week, for three hours each night. I thought this would keep me on track in my studying, but the truth is that it hasn't. The reality is that it's just made me feel like I need more time. The problem is that life gets in the way of studying. I've realized that as being a middle aged, responsible person, there are just the things you "have" to do in life over the things you "need" or "want" to do. Honestly, making a living, getting things fixed, spending time with your loved ones, etc, is just more important than studying. And the reality is that there are only a certain amount of hours in the day. I'll get the studying done at some point, but with White Rhino and the rest of life going on, I'll just have to pace it as I can. It's going to happen, just in the time I can make it happen. I've noticed that as I was younger and trying to get certifications, it was much easier to do. Either that, or I didn't prioritize life's problems, challenges, etc correctly. I've just noticed that now, it takes me a little longer to obtain these certification goals. Either way, I'm not sad about it, and if you are reading this and have felt the same way, don't you feel bad either. Life is more than certifications.
I've noticed a few things, especially listening to the people that teach this CISSP class. These people get up and talk about themselves in an intro. And it sounds impressive, I must say. But there are some realities I've noticed. First, either they know everything about the subject matter they are talking about, but they lack in many other areas in life. Meaning, if their car broke down, they wouldn't know how to fix it. But they sure can do this security thing or that without problem. But again, don't ask them how to fix a plumbing leak or change the air filter in the HVAC. They won't know. I'm not saying this is bad, they just aren't "well rounded". You have to decide which you prefer in life, and no answer is wrong, just different than the next guys decision. For me, when people depend on me in life, I'd rather be "well rounded" in my knowledge. That's just me.
I've also noticed that as I probe the people teaching this class (and other technical people), when I dive deeper into a topic, they may not actually know the answers. For instance, a guy talked about building generators in the CISSP class. When I asked him a specific question about how it worked, he didn't really know. He just knew the basic that it kept the power on. Not a big deal to me, as he probably knew how to change a flat tire on his car. Which I respect. My observation and point here is that everyone has knowledge in something, but may not actually know everything. People tend to hide that from other people. No big deal, just remember that as you talk to people. They may act like they know everything, but they don't.
I've rambled on long enough about the CISSP. I'll get it like I did the SSCP recently, just in MY time.
Now, some recent things: I cut the end off my finger off. No big deal, it's healing nicely. I thought it would be noticeable when it was done healing, but it looks like you won't be able to notice either at all or much. It still probably needs a few more weeks to heal, and I think it will be fine. I did this fixing a toilet of all things. One small note on this: funny how super glue can stop bleeding. Next, I've had to learn about some hvac stuff. Fixing some leaks in the duct system. Not fun, but something that I've had to get into recently to fix a problem I've had. Also, maintaining the cars. Just something you have to do when you are responsible for the vehicles. I actually love working on cars. I could name many other things going on, but you get the point. That's why studying is just not the number one priority right now.
Now, let's get to the most important thing going on. Read your Bible. That's where real knowledge and wisdom is at. Not certification wisdom or changing the oil in your car wisdom. Life wisdom. God (YHWH) doesn't lie to you. He created this life, and He knows how you should live it. And if you don't recognize that name in parenthesis, look it up. The God of the Bible actually tells us His name. Do the research, you will be glad you did.
Sunday, July 2, 2017
Saturday, June 17, 2017
Pic Of The Week: Target Practice
17+1 with this Ruger SR9e. Below was my first round at about 10 yards out.
Subscribe to:
Posts (Atom)