Monday, December 29, 2014

EIGRP - Extended NAMED ACLs are not allowed in distribute-list.

Quick post regarding an error message I came across when trying to configure eigrp distribute-list with extended NAMED ACLs.

% The ACL cannot be created or an ACL with the same name but incompatible type already exists.

Router version CSR1000v - Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(2)S, RELEASE SOFTWARE (fc2)

 R5(config)#ip access-list extended PBR_EIGRP  
 R5(config-ext-nacl)#deny ip host 155.1.0.1 host 150.1.4.4  
 R5(config-ext-nacl)#deny ip host 155.1.0.3 host 150.1.4.4  
 R5(config-ext-nacl)#deny ip host 155.1.0.4 host 150.1.4.4  
 R5(config-ext-nacl)#deny ip host 155.1.0.1 host 150.1.6.6  
 R5(config-ext-nacl)#deny ip host 155.1.0.3 host 150.1.6.6  
 R5(config-ext-nacl)#deny ip host 155.1.0.4 host 150.1.6.6  
 R5(config-ext-nacl)#deny ip host 155.1.0.1 host 150.1.1.1  
 R5(config-ext-nacl)#deny ip host 155.1.0.2 host 150.1.1.1  
 R5(config-ext-nacl)#deny ip host 155.1.0.4 host 150.1.1.1  
 R5(config-ext-nacl)#deny ip host 155.1.0.1 host 150.1.2.2  
 R5(config-ext-nacl)#deny ip host 155.1.0.2 host 150.1.2.2  
 R5(config-ext-nacl)#deny ip host 155.1.0.4 host 150.1.2.2  
 R5(config-ext-nacl)#deny ip host 155.1.0.3 host 150.1.7.7  
 R5(config-ext-nacl)#deny ip host 155.1.0.2 host 150.1.7.7  
 R5(config-ext-nacl)#deny ip host 155.1.0.4 host 150.1.7.7  
 R5(config-ext-nacl)#deny ip host 155.1.0.3 host 150.1.9.9  
 R5(config-ext-nacl)#deny ip host 155.1.0.2 host 150.1.9.9  
 R5(config-ext-nacl)#deny ip host 155.1.0.4 host 150.1.9.9  
 R5(config-ext-nacl)#permit ip any any  

 R5(config-router)#distribute-list PBR_EIGRP in
 % The ACL cannot be created or an ACL with the same name but incompatible type already exists.
 R5(config-router)#^Z

Thursday, December 18, 2014

CCIE v5 INE Home Lab - Part 3 - Console to Routers / Automating scripts

Don't you love it when it all comes together and all the puzzle pieces fall into place? Well, I hope that this blogtorial does exactly that. In part 1 and part 2, we laid the groundwork and the foundation to successfully get a lab up and running, and in this blogtorial we are going to finish it off with:
  • How to console into the virtual routers? 
  • How to get all initial configs prepped so we can concentrate on doing the labs rather than setting up the labs?
  • How to automate the loading of the initial configs? 
I know it's a lot to cover in one post, but I also didn't want to break up this series into too many parts. So without further ado, let's get started; I will try to streamline it and post as many screenshots as possible. Here is the overview and where we will be spending most of the blogtorial.


I normally would do it for free but I have had tons of requests and questions regarding the lab setup and scripts. So for a nominal fee I will configure your entire VMWare ESXi server / all the routers / the Linux VMs / auto loading scripts. More importantly it includes an easy to use WEB GUI to load the config files. Contact me via arwinr@gmail.com if you are interested. 

Screenshot of the WEB GUI. 

Note: Thomas Kjær pointed out in one of the comments below that ESXi version 6 recently released does not limit 4 serial per Linux VM. Therefore, instead of creating 4 linux VM you could just do it all in one Linux VM, but you would have to edit the scripts accordingly. 

Thursday, November 13, 2014

CCIE v5 INE Home Lab - Part 2 - Configuring CSR1000v on VMware ESXi and connecting Physical Switches

CCIE is not earned by completing the written and passing the lab; CCIE is earned in the 1000s of hours of lab, the 3am wake-ups, and the countless hours of studying ... that's what makes you a CCIE. While you are on this journey you are going to go through a transformation: you will start to see things differently, you will start to troubleshoot differently, you will start to perceive situations differently, and simply put ... you just become one of the best at your craft .... with that being said ....

In part 2 of this series, we will configure 10 CSR routers and connect them to the virtual switch that we created in Part 1. Unlike many other tutorials on the Internet that demonstrate how to use serial over network to console into the routers, I am going to take a different approach to consoling into the routers. The main reason is that serial over network is only available either for 60 days as a demo or with the enterprise license, which is over $2000.



Tuesday, November 11, 2014

Understanding OSPF - Forward Metric in E2 Routes

In this blogtorial we are going to look into a minor detail regarding OSPF E2 routes that most literature happens to leave out: the Forward Metric of E2 routes. Cisco NX-OS and Arista EOS don't even show this Forward Metric in the output of their show commands. As you are probably studying for your CCNA or CCNP, you are told that the main difference between OSPF E2 and E1 routes is that E1 takes into consideration the cost of each hop to reach the ASBR, while the E2 metric is by default 20. What if I told you that routers do consider the cost of the path to the ASBR even for E2 routes with a default metric of 20? Before you get fooled into believing otherwise, take a look at the topology below.

As a side note, the metric of redistributed E2 routes varies by platform; for example, it is 1 in Arista.

Simple topology below ...

CCIE v5 INE Home Lab - Part 1 - Configuring VMware ESXi

"Every day you wake up you have two options, you can either look at the clock at 3:30am, tap the snooze button, go back to sleep, and dream about being a CCIE or you can tap into that whisper inside you telling you to get up and go pursue your dream about being a CCIE" .... with that being said ....

I've spent numerous hours exploring many different options for setting up the CCIE v5 hybrid (physical/virtual) home lab and I've finally settled on VMware ESXi. Although you have many other options like Linux/KVM/VirtualBox, this method was the easiest for me. I am going to break this topic, "CCIE v5 INE Home Lab", into a 3-part blogtorial series. If you follow the series step by step, you will end up with a complete home lab with everything you need to do the INE labs.

Here is an overview of the entire series and how it will be split up.

Part 1 - How to install and configure VMware ESXi Hypervisor and vSwitch? 
Part 3 - Script to automate the loading of initial router configs.


Monday, November 3, 2014

CCIE Journey - 11/3/14 - Study Plan v5

I am back on the CCIE v5 studies again. I have been studying on and off for a few years now, but now I am motivated more than ever. After reviewing blogs/discussion boards on how people who are also on the same grueling but equally rewarding journey studied for their CCIE exam, I put together a study schedule that I believe fits my busy schedule. The most challenging aspect of studying for one of the toughest exams is finding "uninterrupted" time slots where you can actually study. People always ask me "when do you find the time to study with family, kids, work and life?" My response to them is always the same: "you don't find time. You and I both have the same amount of time in a day. What matters is how you utilize it". If you need more time to do what you want, then be awake for most of the day and get up early!!

CCIE has been sort of like a light switch in my brain that I have been turning on and off, and this time I am rewiring this light directly into the main grid and it's staying on ... constant. Here is the study schedule from now until I get closer to my full 8hr labs. 

Wednesday, September 24, 2014

PHP - Connecting to PSQL from PHP

Quick post on how to connect to PSQL from PHP, run queries, and retrieve results. You can use the same syntax for inserts, updates and other statements.

linux-test# vim test.php

Tuesday, September 23, 2014

PHP - Reading a file into an array

Quick post on how to read a file into an array. As always, there is more than one way to do this.

First create a test.txt file with some lines in it.

linux-test# echo 1st line >> test.txt
linux-test# echo 2nd line >> test.txt
linux-test# echo 3rd line >> test.txt
linux-test# echo 4th line >> test.txt

Thursday, September 11, 2014

BGP - Troubleshooting Lab 3

Objective: 
  • Establish iBGP between R1 and R2. 
Restrictions: 
  • Cannot change AS numbers on any of the routers.
  • No other static routes can be added 
  • No interface changes
  • No tunnels
Topology below:
I came across this issue the other day and it took me a few minutes to figure it out. So let's see how y'all do. 

Post your comments below on how you would solve this issue. 

Tuesday, September 9, 2014

Linux RP_Filter RPF_Check

"Network Engineer T-Shirt ... Fixing your network one misconfigured server at a time" -- I saw that shirt today online and I should have purchased it :). I came across an issue today where multicast was being received on the Server on eth1 (confirmed by tcpdump) but it was not showing up in the application. After checking out PIM/IGMP/Mroutes/Routers/Switches I started checking out the Server because the network looked like it was configured correctly.

Thursday, August 28, 2014

Convergence between SVI vs Routed Interface - Cisco 3548 NXOS


Convergence of SVI vs. Routed link on a Cisco 3548 Nexus running A1.1c

Link failures were simulated by “shut” on the remote interface.

SVI – L2 VLAN

 switch#  
 2014 Aug 28 10:04:06.348524 switch %ETHPORT-5-IF_DOWN_LINK_FAILURE: Interface Ethernet1/9 is down (Link failure)  
 2014 Aug 28 10:04:06.478105 urib: "direct": 1.1.1.0/24 no more next hops  
 2014 Aug 28 10:04:06.478419 urib: 1.1.1.0/24 Deleting & Freeing  
 2014 Aug 28 10:04:06.479344 urib: "local": 1.1.1.1/32 no more next hops  
 2014 Aug 28 10:04:06.479618 urib: 1.1.1.1/32 Deleting & Freeing  
 2014 Aug 28 10:04:06.479954 urib: "broadcast": 1.1.1.255/32 no more next hops  
 2014 Aug 28 10:04:06.480215 urib: 1.1.1.255/32 Deleting & Freeing  
 2014 Aug 28 10:04:06.480542 urib: "broadcast": 1.1.1.0/32 no more next hops  
 2014 Aug 28 10:04:06.480951 urib: 1.1.1.0/32 Deleting & Freeing  
 2014 Aug 28 10:04:06.696703 urib: "am": 1.1.1.2/32 no more next hops  
 2014 Aug 28 10:04:06.697117 urib: 1.1.1.2/32 Deleting & Freeing  

Route deletion = 478419 – 348524 = 129895 us (the microsecond fields of 10:04:06.478419 and 10:04:06.348524, i.e. about 130 ms)
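The subtraction above can be done directly from the event log rather than by hand. The script below is an added example, not the author's; it parses the NX-OS timestamps and reports, for every prefix, the delay from the IF_DOWN syslog to the urib "Deleting & Freeing" event. The sample lines are copied from the output above (timestamps as shown on the page); the function names are my own.

```python
import re
from datetime import datetime, timedelta

# Sample input constructed from the SVI log above (not a live capture).
SAMPLE_LOG = """\
2014 Aug 28 10:04:06.348524 switch %ETHPORT-5-IF_DOWN_LINK_FAILURE: Interface Ethernet1/9 is down (Link failure)
2014 Aug 28 10:04:06.478105 urib: "direct": 1.1.1.0/24 no more next hops
2014 Aug 28 10:04:06.478419 urib: 1.1.1.0/24 Deleting & Freeing
2014 Aug 28 10:04:06.479344 urib: "local": 1.1.1.1/32 no more next hops
2014 Aug 28 10:04:06.479618 urib: 1.1.1.1/32 Deleting & Freeing
2014 Aug 28 10:04:06.696703 urib: "am": 1.1.1.2/32 no more next hops
2014 Aug 28 10:04:06.697117 urib: 1.1.1.2/32 Deleting & Freeing
"""

# "2014 Aug 28 10:04:06.348524 <message>" -> (timestamp text, message text)
TS_RE = re.compile(r"^(\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}\.\d{6}) (.*)$")
# urib line that marks the prefix being removed from the RIB
DELETE_RE = re.compile(r"^urib: (\S+) Deleting & Freeing$")


def parse_line(line):
    """Return (datetime, message) for an NX-OS timestamped line, else None."""
    m = TS_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y %b %d %H:%M:%S.%f")
    return ts, m.group(2)


def deletion_delays_us(log_text):
    """Map each prefix to microseconds between the first link-down syslog
    and that prefix's 'Deleting & Freeing' event. Lines before the link-down
    message and lines without a timestamp are ignored."""
    link_down = None
    delays = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        if link_down is None:
            if "IF_DOWN_LINK_FAILURE" in msg:
                link_down = ts
            continue
        m = DELETE_RE.match(msg)
        if m:
            # timedelta // timedelta gives an exact integer microsecond count
            delays[m.group(1)] = (ts - link_down) // timedelta(microseconds=1)
    return delays


def route_deletion_delay_us(log_text, prefix):
    """Convenience wrapper: delay for one prefix, or None if it never got deleted."""
    return deletion_delays_us(log_text).get(prefix)


if __name__ == "__main__":
    for prefix, us in deletion_delays_us(SAMPLE_LOG).items():
        print(f"{prefix:14} deleted {us} us ({us / 1000:.1f} ms) after link down")
```

Running it on the sample reproduces the 129895 us figure for 1.1.1.0/24 and also shows that the adjacency-manager entry 1.1.1.2/32 took noticeably longer to be freed than the connected prefixes.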

Wednesday, August 27, 2014

Configuring Arista - VARP aka Virtual ARP

Traditional FHRPs (First Hop Redundancy Protocols) such as VRRP or HSRP allow only one gateway to forward at any given point in time. There is an 'Active' forwarder while the other forwarder stays in standby mode, monitoring, only to become 'Active' when there is a failure on the 'Active' node. VARP or Virtual ARP (Arista's proprietary) solves this issue elegantly by allowing all configured nodes to forward traffic rather than one of the nodes sitting idle. In this blogtorial we will configure and verify VARP, and since there is not really much to the configuration, this 'how-to' should be a quick one. If you need a primer on FHRPs such as HSRP/VRRP/GLBP/IRDP please see my other blogtorials here.

Consider this topology with a traditional FHRP deployed such as VRRP.


Configuring Arista MLAG - Basic setup

Layer 2, all links forwarding, none blocking ... Take that, Spanning Tree!! (-- no offense Radia Perlman :) --) This is what you get with Arista's proprietary MLAG -- short for Multi-Chassis Link Aggregation. Although Spanning-Tree is extremely efficient at preventing loops and keeping your network healthy, it does come with a hefty price tag -- essentially blocking half of your uplinks. In this blogtorial, we will go through a brief overview of spanning-tree and then deep dive into MLAG concepts, caveats, and configurations. As of this writing, MLAG is supported on Arista's 75xx, 7500E, 7048, 7150, 7050, 7050X, 7250X, and 7300X. If you are familiar with Cisco's proprietary vPC (Virtual Port-Channel) then most of this should be fairly straightforward.

Consider this traditional Layer 2 design where half of your links are blocked to prevent loops in the network.


Wednesday, August 20, 2014

PHP - Connecting to MYSQL and running queries

TIDBIT blogtorial - Short and informational.

MYSQL connection and handling queries
 <?php  
 // Create connection  
 $con = mysqli_connect("localhost", "username", "password", "dba");  
 // Check connection and stop if it failed  
 if (mysqli_connect_errno()) {  
      echo "Failed to connect to MySQL: " . mysqli_connect_error();  
      exit(1);  
 }  

 // Query string  
 $current_query = "select test from testtable";  
 // Get the results (mysqli_query returns false if the query fails)  
 $current_query_result = mysqli_query($con, $current_query);  
 if ($current_query_result === false) {  
      echo "Query failed: " . mysqli_error($con);  
      exit(1);  
 }  
 // Loop through the results; MYSQLI_NUM returns each row as a numerically indexed array  
 // (the constant is MYSQLI_NUM, not MYSQL_NUM, which belongs to the old mysql extension)  
 while ($row = mysqli_fetch_array($current_query_result, MYSQLI_NUM)) {  
      echo "Row value is $row[0]\n";  
 }  
 mysqli_free_result($current_query_result);  
 mysqli_close($con);  
 ?>

Many more articles to come so ....

Please subscribe/comment/+1 if you like my posts as it keeps me motivated to write more and spread the knowledge.

Wednesday, August 6, 2014

Checkpoint Firewall FTP issues - 'quote password' or Account command ('ACCT')

I usually post stuff about Cisco, but recently I got exposure to Checkpoint so I am adding Checkpoint to my library. I am currently working on a 3 part series on "how-to" install virtual Checkpoint Firewalls on a Linux KVM hypervisor. A quick search on Google reveals 0 posts related to this, so mine might be the first "how-to" on this topic. Stay tuned for more Checkpoint related posts in the near future.

Here is my first post on Checkpoint, regarding the FTP issue "Wrong username or password". I will try to keep it short!!  

Trying to FTP from the command prompt on a Windows machine.

 Command line ftp:  
 ftp ###.###.###.###  
 Connected to ###.###.###.### (###.###.###.###).  
 220 Check Point FireWall-1 Secure FTP server running on XXXXXX  
 Name (###.###.###.###:XXXXX): usernamejoe  
 331 password: you can use password@password  
 Password:  
 200 password: you can use 'quote password' or Account command ('ACCT')  
 ftp> pass  
 Passive mode off.  
 ftp> ls  
 421-Access denied - wrong user name or password   
 421 aborted  

Monday, August 4, 2014

Cisco Nexus ERROR MSG - SFP Validation Failed

I came across this error the other day when I was bringing up a new connection on a Cisco 3548 Nexus.

"SFP validation failed"

This happens when the speed is set on an interface and the SFP does not support it. To fix it, get into interface config mode and type:

 switchport host
 shut
 no speed
 no duplex
 no shut




Cannot SSH into ASA - ssh_exchange_identification: Connection closed by remote host

I usually write quite a bit, but I figured I would keep track of these small error messages also. So here it goes .. last week I ran across an issue on one of the ASAs. Here is the error message.

"ssh_exchange_identification: Connection closed by remote host"

How to fix it?

Telnet or console into the ASA and type this in the global config mode.

ASA(config)#crypto key generate rsa modulus 1024

Save the config (wr).

That should resolve your issue.


Friday, January 31, 2014

100K+ page views :)

Started this blog a few years back ... never thought I would have this many hits .. Thanks

100K+!!!