There is an issue I have noticed with VMware hosts uplinked to a Nexus vPC where traffic only makes it across the vPC after you disable half of it or remove the vPC entirely. Your first thought is that this is a Cisco issue, and I am here to tell you that you're wrong.
A load-balancing policy exists at two levels: on the vSwitch's vmnic teaming and, as an optional override, on each port-group. I have seen the vmnics set to route based on IP hash while a port-group was overridden to route based on originating virtual port ID. A vPC is a port-channel from the host's point of view, and on a standard vSwitch only IP hash is valid against a port-channel, so a port-group that overrides it pins each VM to a single member of the bundle.
If the VM answers pings from the SVI (where one is configured) on only ONE of the two vPC peers, and a machine north of the vPC, probably at your desk, only gets replies once HALF the vPC is shut down, immediately check the load-balancing policy on both the vmnic teaming and the port-group.
Use esxtop (press n for the network view) to see which vSwitch and vmnic each virtual machine's port is using, to further aid your troubleshooting.
I strongly suggest you keep the policy the same at both levels. There may be odd circumstances where mixing them helps, but you are trading predictability for a performance gain you are probably not getting.
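The check described above, as an added example that is not part of the original post: it parses the "Key: value" text printed by `esxcli network vswitch standard policy failover get -v <vswitch>` and `esxcli network vswitch standard portgroup policy failover get -p <portgroup>` on an ESXi host and flags every port-group whose load-balancing setting differs from the vSwitch's. The vSwitch and port-group outputs embedded here are constructed for the demo and stand in for what you would capture on the host.

```python
"""Flag port-groups whose teaming policy differs from the vSwitch's.

Added example, not code from the original post. It parses the 'Key: value'
text printed by:
  esxcli network vswitch standard policy failover get -v <vswitch>
  esxcli network vswitch standard portgroup policy failover get -p <portgroup>
The outputs below are constructed for the demo.
"""
import re

# Constructed sample: the vSwitch itself uses IP hash, as it must when its
# uplinks are bundled into a port-channel/vPC upstream.
VSWITCH_POLICY = """\
   Load Balancing: iphash
   Network Failure Detection: link
   Notify Switches: true
   Failback: true
   Active Adapters: vmnic0, vmnic1
   Standby Adapters:
   Unused Adapters:
"""

# Constructed sample: one port-group overrides the vSwitch setting.
PORTGROUP_POLICIES = {
    "Management Network": VSWITCH_POLICY,
    "VM Network": VSWITCH_POLICY.replace("iphash", "srcport"),
    "vMotion": VSWITCH_POLICY,
}


def parse_failover_policy(text):
    """Turn esxcli 'Key: value' lines into a dict keyed by lower-cased name."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?):\s*(.*?)\s*$", line)
        if m:
            policy[m.group(1).lower()] = m.group(2)
    return policy


def find_teaming_mismatches(vswitch_text, portgroup_texts):
    """Return [(portgroup, vswitch_lb, portgroup_lb)] for every port-group
    whose load-balancing setting differs from the vSwitch's."""
    vswitch_lb = parse_failover_policy(vswitch_text).get("load balancing", "")
    mismatches = []
    for name, text in portgroup_texts.items():
        pg_lb = parse_failover_policy(text).get("load balancing", "")
        if pg_lb != vswitch_lb:
            mismatches.append((name, vswitch_lb, pg_lb))
    return mismatches


if __name__ == "__main__":
    for pg, vs_lb, pg_lb in find_teaming_mismatches(VSWITCH_POLICY, PORTGROUP_POLICIES):
        print(f"{pg}: port-group uses {pg_lb}, vSwitch uses {vs_lb} -> remove the override")
```

Run it against real captures by replacing the two constructed strings; any line it prints is a port-group that will pin VMs to one vPC member.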
I was in a training class recently and the instructor was describing how ECMP "converges" when a link goes down. Let me just say this: that is absolutely incorrect, just as bad as saying "I have two class C's", and it does not sit well with most engineers who hear it.
With ECMP you install multiple routes of the same cost into the routing table and then balance across them on either a per-packet or a per-flow basis. Per-flow is preferred because spraying packets of one TCP connection across links reorders segments. Which link a given flow lands on is determined by the hashing algorithm: most implementations hash header fields (addresses, protocol, ports) and use the result to pick a next hop, rather than handing out packets round-robin.
Please understand, ECMP does not mean the links have EQUAL bandwidth and latency; they are "equal" only from a metric cost perspective. When a link goes down there is no convergence in the routing-protocol sense: the failed next hop is withdrawn from the forwarding entry and packets or flows are hashed onto the remaining equal-cost links. Please stop calling this "converging", because it makes most people think a dynamic routing protocol is recomputing the topology, or that the router has to compute a new route and install it from the RIB into the FIB.
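A small simulation of the behaviour described above, as an added example that is not the author's code. Next-hop names and flows are constructed. It shows per-flow selection over a set of live equal-cost next hops, that bandwidth never enters the choice, and what a link failure does: the dead next hop is simply removed from the candidate list. It also shows a caveat the paragraph above does not: with a plain hash-modulo selection, flows on the surviving links can be remapped too, because the modulus changed. Many platforms mitigate this with hash-bucket tables (resilient hashing), but do not assume it.

```python
"""Per-flow ECMP next-hop selection and what happens when a link fails.

Added example, not code from the post. The next-hop names and the flows are
constructed. A flow is identified by its 5-tuple and always lands on the same
next hop while the set of live next hops is unchanged; on failure the dead
next hop is simply dropped from the candidates, with no protocol recompute.
"""
import zlib
from collections import Counter


def flow_hash(flow):
    """Deterministic hash of the 5-tuple (src, dst, proto, sport, dport).
    CRC32 stands in for whatever hash the forwarding ASIC uses."""
    return zlib.crc32("|".join(str(x) for x in flow).encode())


def select_next_hop(flow, live_next_hops):
    """Pick among the live equal-cost next hops only. Link bandwidth is not
    an input: 'equal' means equal metric, not equal capacity."""
    if not live_next_hops:
        raise LookupError("no equal-cost next hop is up")
    return live_next_hops[flow_hash(flow) % len(live_next_hops)]


def distribute(flows, live_next_hops):
    """How many flows land on each next hop."""
    return Counter(select_next_hop(f, live_next_hops) for f in flows)


def moved_flows(flows, before, after):
    """Flows whose next hop changes when the live set goes from before to after."""
    return [f for f in flows if select_next_hop(f, before) != select_next_hop(f, after)]


def sample_flows(n=1000):
    """Constructed flows: many clients talking to one HTTPS server."""
    return [("10.0.%d.%d" % (i // 250, i % 250 + 1), "192.0.2.10", 6, 1024 + i, 443)
            for i in range(n)]


if __name__ == "__main__":
    hops = ["ge-0/0/1", "ge-0/0/2", "ge-0/0/3", "ge-0/0/4"]
    flows = sample_flows()
    before = distribute(flows, hops)
    print("all links up:", dict(before))
    survivors = hops[:3]                      # ge-0/0/4 goes down
    print("ge-0/0/4 down:", dict(distribute(flows, survivors)))
    moved = moved_flows(flows, hops, survivors)
    print(f"{len(moved)} flows changed next hop; only {before['ge-0/0/4']} were on the failed link")
```

Nothing in the failure path consults a routing protocol: the only state change is the shorter candidate list.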
WOW, what a year! I started my job at one of the single most amazing companies I could possibly have worked for, VCE. I get to work on all the leading technology and get to expand on my current knowledge of VMware and finally break into SAN and EMC storage, I am more than grateful to be at VCE and love my job, all quirks included.
I also achieved my CCNP, a long time coming, and now I am pecking away at the CCIE, which I hope to have completed in 2015. My wife and I moved on from our business and decided to focus more on our careers and our marriage, meaning we're much happier. We spent some great times in Key West and met some wonderful friends whom I am excited to see more often when we finally move back to Florida!
Now, the review from my perspective, rather brief and with only two items. First, let's discuss security and the "security professionals" you're likely to encounter in this field. I once worked for someone who believes she is, and the easily convinced and gullible will agree, a god of security and networking. I have also noticed many, and I do mean many, more popping up just like her at an alarming rate now that network and systems security is on the front page of newspapers, those that haven't disappeared already, and on your local TV news. No doubt security is important, but I am pissed off at these phonies who are out there either charging large sums of money to "consult" or baffling with bullshit rather than dazzling with brilliance to get a job and pretend they're security experts. I am sorry, but a CISSP is NOT the gold standard for security; I have always considered the CISSP an overhyped "certification" that many like to claim is difficult to get. I don't believe so. In fact, the "experience" requirements you have to meet are rather stupid and can be easily fabricated, or the truth twisted, to get the sign-off you need to sit for this piece of paper. Look at the overall exam: it is laced with "good ole boy network" sauce and topped with an extra helping of "trivially easy to maintain", because you never have to sit for the test again, just obtain "CEUs", which are laughable requirements. Simply put, I am not happy with the way the security industry is looking; too many phonies out here need to be weeded out. I agree that a Cisco security certification is Cisco-related; however, like I've always said about Cisco exams, they do an excellent job of teaching the standards, although not as completely or in as much detail as I would like, and they do a damn excellent job of making sure you understand the protocols and processes along with how to implement, maintain, and troubleshoot their equipment.
Perhaps a new joint effort is needed for security certifications, maybe one that will abolish the CISSP and replace it with a "neutral" certification that all major security vendors have a "say" in, so everyone shares the overall challenges they face and helps build solid security professionals? This isn't likely to happen and, in my opinion, you need to be a SOLID network engineer before doing security, because it doesn't make sense to try to secure something you don't know anything about, something I've witnessed from the majority of CISSPs I have encountered in my lifetime. It is time for a change: let's start to weed out the phonies and hire real security professionals. You're likely to discover these true professionals are few and far between, leaving a massive gap to fill.
SDN, man, what a buzzword! Quick story: I interviewed at a bank one time, a miserable interview process, that ended with the VP sitting in there telling me her story and such. It got interesting when the topic of SDN came up and her comment was exactly this: "I would not pay thousands of dollars for SDN just to configure a port." I promptly asked, although it was really more of a statement, "I don't think you have a firm understanding of what SDN really is, do you? Because that statement is miserably incorrect and baseless." Was I aware I had insulted her and ruined my chance at the job? Of course! Heck, I didn't want the job two hours into the interview; I was just amused as to how much worse it would get, because it makes for a great story to tell. So, we're starting to see what SDN is and I am happy it is taking real shape. In essence we're going to rely on "policies" to allow our traffic to flow across networks, and with that comes the possibility of "commoditizing the network" instead of it being solely a differentiated service. Now, do I really believe we're going to commoditize the network? I am on the fence, because I am not sold entirely on brands like Cumulus; however, Juniper recently added the option to deploy Junos on commodity hardware and still get a single point of support. Seems great? Sure, but what about replacement hardware? Where will that come from? Just how well tested are each commodity box's ASICs against Junos? How will it handle multiple commodity hardware suppliers running Junos? I think this is a noble idea, but the more you dig into it the more it seems like it can either be a game changer or just a science experiment that'll never see the light of production and mission-critical networks. Who knows; I am selling doubt for right now.
I am just saying, keep an eye on Cisco ACI and VMware NSX; these seem to be the solid offerings that, in my opinion, will shape the SDN landscape and be the leaders. Now, if Arista makes it out of its lawsuit alive, it could be a great competitor in the SDN market; however, if they really did steal code, then they should face punishment for it. Right now I am keeping an open mind and looking at all possibilities, but I have my money on the ACI and NSX horses until I see someone hit the stables with some solid offerings, and you should too.
We know that for switches to belong to the same MST region the following must match:
- Name – case sensitive
- Revision – any number, but it must be the same
- Instance mappings and their respective VLANs
Now, what about the VLANs themselves: do they have to exist on the switch? What about switches and security? I looked all over for this answer and it was vague at best, and each vendor's documentation said something a little different from the others. This is only my preliminary testing: I added multiple instances to the spanning-tree configuration on my Cisco Catalyst 3750. My scenario was as follows (outputs to come):
- Two instances
- Instance 1 had all the real VLANs that actually existed on the switch
- Instance 2 had two VLANs mapped
- The first test of MSTI 2 was with neither VLAN defined on the switch
- The second test of MSTI 2 was with one VLAN defined and the other not
- The third test of MSTI 2 was with both VLANs defined
MST instances themselves do not advertise their VLANs, and the IST/CIST BPDU does not carry the VLAN-to-instance mapping either. Instead, the IST (instance 0) BPDU carries the region name, the revision number and a configuration digest (you will also see it called a checksum or hash). Each switch computes the digest from its own MST configuration table and compares it with the one received; only if name, revision and digest all match are the two switches in the same region. Because the digest is computed from the VLAN-to-instance mapping table alone, whether a mapped VLAN actually exists in the local VLAN database does not enter into it. Want to know more about the hashing? Here is a link: 802.1s explained.
The document is long and dry, but search for "digest" and you'll find yourself deep into how this all works. The test results are soon to come; I am working on both Catalyst and Nexus outputs to benefit not just enterprise and branch, but also those in the data center who have to work in vPC hybrid environments with STP-attached devices. More to come...
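The digest computation itself, as an added example that is not part of the original post or any vendor's code. IEEE 802.1Q (formerly 802.1s) defines it as HMAC-MD5, keyed with the fixed Configuration Digest Signature Key published in the standard, over the MST Configuration Table: 4096 two-octet big-endian MSTID values indexed by VLAN ID, with VIDs 0 and 4095 always zero. The switch names, region name and VLAN numbers below are constructed to mirror the test above: switch B lacks the two VLANs mapped to MSTI 2 in its VLAN database but has the same mapping, switch C maps one VLAN less.

```python
"""MST configuration digest: what actually decides region membership.

Added example, not code from the post. IEEE 802.1Q (formerly 802.1s) defines
the digest as HMAC-MD5 over the MST Configuration Table: 4096 two-octet,
big-endian MSTID values indexed by VLAN ID, with VIDs 0 and 4095 always 0,
keyed with the fixed Configuration Digest Signature Key. Only name, revision
and this digest travel in the IST BPDU; the VLAN database does not.
"""
import hashlib
import hmac
import struct

# Fixed key published in the standard (not a secret; every bridge uses it).
MST_DIGEST_SIGNATURE_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def mst_config_table(vlan_to_msti):
    """Serialise {vid: msti} as the 8192-byte table; unlisted VIDs map to MSTI 0."""
    table = bytearray(4096 * 2)
    for vid, msti in vlan_to_msti.items():
        if not 1 <= vid <= 4094:
            raise ValueError("VID %d is reserved and cannot be mapped" % vid)
        if not 0 <= msti <= 4094:
            raise ValueError("MSTID %d out of range" % msti)
        struct.pack_into(">H", table, vid * 2, msti)
    return bytes(table)


def mst_config_digest(vlan_to_msti):
    """16-byte digest as carried in the IST BPDU and shown by
    'show spanning-tree mst configuration digest'."""
    return hmac.new(MST_DIGEST_SIGNATURE_KEY, mst_config_table(vlan_to_msti), hashlib.md5).digest()


def same_region(a, b):
    """Region identity as compared on receipt of an IST BPDU."""
    return (a["name"] == b["name"]                      # case-sensitive
            and a["revision"] == b["revision"]
            and mst_config_digest(a["mapping"]) == mst_config_digest(b["mapping"]))


# Constructed scenario mirroring the post's test: MSTI 1 carries the "real"
# VLANs, MSTI 2 carries two VLANs that may or may not exist locally.
MAPPING = {10: 1, 20: 1, 30: 1, 200: 2, 201: 2}
SWITCH_A = {"name": "DC1", "revision": 1, "mapping": MAPPING,
            "vlans_defined": {10, 20, 30, 200, 201}}
SWITCH_B = {"name": "DC1", "revision": 1, "mapping": MAPPING,
            "vlans_defined": {10, 20, 30}}            # 200/201 not in VLAN database
SWITCH_C = {"name": "DC1", "revision": 1, "mapping": {10: 1, 20: 1, 30: 1, 200: 2},
            "vlans_defined": {10, 20, 30}}            # VLAN 201 left in MSTI 0

if __name__ == "__main__":
    print("default digest:", mst_config_digest({}).hex().upper())
    print("A and B same region (B lacks VLANs 200/201):", same_region(SWITCH_A, SWITCH_B))
    print("A and C same region (C maps one VLAN less):", same_region(SWITCH_A, SWITCH_C))
```

The "vlans_defined" sets are deliberately never read by same_region: that is the point. A typo in one VLAN-to-instance mapping splits the region, while a VLAN missing from the database does not.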
Most of you probably got here because you're on the CCIE track, hearing a lot about "32-bit words" in the IPv4 header, and looking for what that actually means. Most people never say exactly what they mean by "word", which leads to confusion. First, the definition of a word from Wikipedia is:
“A word is basically a fixed-sized group of digits (binary or decimal) that are handled as a unit by the instruction set or the hardware of the processor. The number of digits in a word (the word size, word width, or word length) is an important characteristic of any specific processor design or computer architecture.”
In this context, a word is 32 bits: 32 positions, each holding a 0 or a 1. The IPv4 header length is expressed in these words. In the raw header, the first byte holds two 4-bit fields: the high nibble is the Version (4) and the low nibble is the IHL, the Internet Header Length. If that low nibble is, say, D (13), the header is 13 32-bit words long, and a packet capture will show you the resulting header size.
Now, 13 × 32 = 416 bits, and 416 / 8 = 52 bytes in the IPv4 header. Why 8? There are 8 bits in each byte, so the header length in bytes is simply IHL × 4. The minimum legal IHL is 5 (20 bytes, no options) and the maximum is 15 (60 bytes). So the next time you hear someone mention X 32-bit words in an IPv4 header, you have some idea of what they're talking about.
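The same arithmetic applied to real header bytes, as an added example that is not part of the original post. The addresses and option bytes are constructed. Beyond the words-to-bytes conversion it adds the check a packet parser needs: IHL comes from the wire, so it must be compared against the minimum of 5, the buffer length and the Total Length field before anything past byte 20 is read, otherwise a crafted IHL of 15 on a 20-byte packet becomes an out-of-bounds read.

```python
"""IHL arithmetic on real IPv4 header bytes, with the bounds check a parser needs.

Added example, not code from the post. The addresses and option bytes are
constructed. IHL is the low nibble of byte 0 and counts 32-bit words, so the
header is IHL * 4 bytes long, legal values 5..15 (20..60 bytes). A parser
that trusts IHL without comparing it to the buffer reads out of bounds.
"""
import struct


def ipv4_checksum(header):
    """RFC 791 ones'-complement sum over 16-bit words (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(options=b"", payload_len=0):
    """Constructed header; options are NOP-padded to a 32-bit boundary."""
    options += b"\x01" * (-len(options) % 4)      # 0x01 = NOP option
    ihl = 5 + len(options) // 4
    if ihl > 15:
        raise ValueError("options exceed 40 bytes")
    total_len = ihl * 4 + payload_len
    fixed = struct.pack("!BBHHHBBH4s4s",
                        (4 << 4) | ihl,            # version 4, IHL in words
                        0, total_len, 0x1234, 0,   # DSCP/ECN, total length, ID, flags/frag
                        64, 6, 0,                  # TTL, protocol TCP, checksum placeholder
                        bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    header = fixed + options
    csum = ipv4_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:]


def ipv4_header_length(packet):
    """Return (ihl_words, header_bytes), rejecting anything a safe parser must reject."""
    if len(packet) < 20:
        raise ValueError("buffer shorter than the minimum IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4:
        raise ValueError("not IPv4 (version %d)" % version)
    if ihl < 5:
        raise ValueError("IHL %d is below the minimum of 5 words" % ihl)
    header_bytes = ihl * 32 // 8                   # words -> bits -> bytes, i.e. ihl * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if header_bytes > len(packet) or header_bytes > total_len:
        raise ValueError("IHL claims %d header bytes but only %d are present"
                         % (header_bytes, min(len(packet), total_len)))
    return ihl, header_bytes


def is_valid_ipv4_header(packet):
    """Boolean wrapper for callers that just want accept/drop."""
    try:
        ipv4_header_length(packet)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    plain = build_ipv4_header()
    with_options = build_ipv4_header(options=b"\x07" + b"\x00" * 31)   # 32 option bytes
    print("no options:", ipv4_header_length(plain))          # (5, 20)
    print("32 option bytes:", ipv4_header_length(with_options), "first byte 0x%02X" % with_options[0])
    print("IHL 15 on a 20-byte packet accepted?", is_valid_ipv4_header(bytes([0x4F]) + plain[1:]))
```

The 32-byte option case reproduces the post's D (13 words, 52 bytes); the last line is the case that matters for anyone writing a parser.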
We've all heard it: entrepreneurship is the "thing" that will save America. Sure, it helps; however, it is not the only thing, and we can't continuously encourage everyone to be a leader because, if we were all chefs, who would be the cooks?
I walked away from being a partner in my wife’s business, not because it wasn’t successful, but I absolutely hated what I did there and absolutely hated the whining and complaining from her employees about everything and anything. I took a deep look into myself and came to the realization there are things I liked about owning a business, but I don’t like owning a business. Does that make sense yet?
As I get older I am changing (surprise, anyone?), and I finally had the opportunity to see what it was I liked about it. You see, I love numbers, I love strategy, I love taking risks and, sometimes, riding the bleeding edge. That is why I am a network engineer on the brink of obtaining my CCIE R/S and, eventually, my CCIE DC. I love tinkering with things and I love technology, which includes numbers and designing new network layouts to achieve different goals; it is entirely fun to me!
What about business though? Well, I know I don’t want to be in my 50’s taking exams to keep my certifications fresh; thus, I will steadily pick at my accounting degree and become a CPA as my “retirement job”. It still challenges my brain, allows me to stay on top of an ever changing field, we all know how often tax rules change, but is much easier on my mind as I get older and it will be something “new” and it allows me to perform the duties I found interesting in owning a business, or at least being a partner in a business without putting up with the headache of dealing with entitled people who will only demand more and give less. In the end, I am not saying everyone is like this; however, I am scared for our future as a nation because I’ve seen more entitled behavior from prospective employees in the last 3-4 years than I’ve seen in a lifetime. Whatever happened to “paying your dues” and earning your stripes? I don’t know and don’t want to deal with it any longer; thus, I woke up and realized I am really not fit to own a business, I am fit to help run one and do key jobs inside of them to help them become better and more competitive, in the IT sector for now and as a CPA when I am drinking a Corona on an Island somewhere.
If you need to release and renew the DHCP lease on a Windows machine you are connected to over RDP, chain the two commands so the renew still runs after the release drops your session. This only makes sense if you connect by hostname or are positive the machine will get the same address back (for example, a DHCP reservation):
ipconfig /release && ipconfig /renew
As simple as that. The "&&" runs the second command only if the first succeeds, and the same operator works in a Bash shell on a Linux box with whatever interface configuration commands you use, if you don't already have a script that does it for you.
First, lets establish some facts:
- These are not real, medically licensed therapists like OTs, SLPs, or PTs
- This is NOT someone who holds a medical license and cannot provide ANY medical advice
- The qualifications are that you have a B.A. or B.S. in "certain fields" and you fill out a basic form to be approved as a "Play Therapist"
- This is not a medically recognized service when the service is delivered by a “Play Therapist” when billed to private insurance. For procedure code H0036, which is the typical code used for CBRS, to be considered a provided service it must be administered by a psychologist, not a “Play Therapist”.
- A “Developmental Play Therapist” CANNOT recommend any medical service. This means they cannot recommend: OT, SLP, or PT AT ALL! A “Developmental Play Therapist” cannot legally consult with a family about ANY medical service
These "therapists" are just "side workers" who contract with the CDSA to provide "Developmental Play Therapy services" which, as it appears, are just a "stop-gap" before real medical services are applied; thus, these "therapists" cost the taxpayer money because their services are used before a medical professional has the opportunity to properly diagnose. Once again, the ONLY requirement is that the person hold at least a B.A. or B.S. in a "certain field" and fill out a form; no other significant qualifications are required, and "continuing education" is minimal at best for someone who is NOT a medical professional.
Think of it this way, would you take your child to someone who isn’t medically licensed to practice medicine regarding a physical illness for months, only to find the problem isn’t solved, before visiting a real physician to receive a real diagnosis? Developmental Play Therapists are simply not therapists and any and all “advice” one may provide you is not real medical advice and should not be taken as such. These “Play Therapists” do not hold a valid medical license and are not licensed medical professionals.
A little investigation into the new ChoicePA website turned up some characteristics which really bother me, especially because this system was not just built with taxpayer dollars but is also the one which permits and denies healthcare to needy families here in North Carolina. I will touch more on how ChoicePA is going to become one of the first "death panels", for lack of a better term, for our children's care here in North Carolina; for now, I wanted to bring to light that the new website is hosted on legacy software that reaches end of support within 330 days of this writing (July 14th, 2015 is the end of extended support for Windows Server 2003 and, with it, IIS 6.0).
Confused about getting QoS working on the Nexus 9300 platform (I worked with the 9396PX)? If you're coming from the Nexus 5500 platform you're in for a little tweaking, as some things are different. I will quickly outline them and move on to some sample configuration:
- MTU is set at the interface level (not in a network-qos policy as on the 5500)
- System-defined queuing class-maps
- Four egress queues: queue 0 is the default and queues 1-3 are pre-mapped to qos-groups 1-3 by the class-maps mentioned above
- Both access and trunk ports, by default, treat all traffic as if it had CoS 0, moving it into the default queue
- A type qos ingress service-policy must be applied to ports or port-channels to classify traffic
Here is some basic configuration for the classification policy. Each set qos-group belongs under the class it applies to, and the service-policy goes under the host-facing interface (Ethernet1/1 is a placeholder; use your port or port-channel):
class-map type qos match-all RUBY
  match cos 4
class-map type qos match-all EMERALD
  match cos 2
class-map type qos match-all DIAMOND
  match cos 6
!
policy-map type qos QOS_POLICY
  class RUBY
    set qos-group 2
  class EMERALD
    set qos-group 1
  class DIAMOND
    set qos-group 3
!
interface Ethernet1/1
  switchport mode trunk
  switchport trunk allowed vlan all
  spanning-tree port type edge trunk
  service-policy type qos input QOS_POLICY
Now, let's view the system-defined queuing class-maps (show class-map type queuing) so you can see how each qos-group lands in an egress queue:
class-map type queuing match-any c-out-q3
Description: Classifier for Egress queue 3
match qos-group 3
class-map type queuing match-any c-out-q2
Description: Classifier for Egress queue 2
match qos-group 2
class-map type queuing match-any c-out-q1
Description: Classifier for Egress queue 1
match qos-group 1
class-map type queuing match-any c-out-q-default
Description: Classifier for Egress default queue
match qos-group 0
Finally, let's assign bandwidth to those queues. The percentages must not add up to more than 100; these total exactly 100:
policy-map type queuing QUEUING_POLICY
  class type queuing c-out-q1
    bandwidth percent 10
  class type queuing c-out-q2
    bandwidth percent 15
  class type queuing c-out-q3
    bandwidth percent 25
  class type queuing c-out-q-default
    bandwidth percent 50
Now we apply this queuing policy under system qos, which applies it to the whole switch:
system qos
  service-policy type queuing output QUEUING_POLICY
Verify that traffic is being classified and queued as intended with show policy-map interface ethernet 1/1 type qos and show queuing interface ethernet 1/1 (substituting your port); if the per-class counters stay at zero, the incoming frames are not carrying the CoS you expect.
I’ll update this more and more as I encounter more QoS with the 9300 platform.