A little investigation into the new ChoicePA website and I start to find some interesting characteristics which really bother me, especially because this was not just built with taxpayer dollars but is also the system which permits and denies healthcare to needy families here in North Carolina. I will touch more on how ChoicePA is going to become one of the first “death panels”, for lack of a better term, for our children’s care here in North Carolina; however, I wanted to bring to light that the new website is hosted on legacy software set to go end of support within 330 days of this writing (July 14th, 2015 is the end of extended support for Windows Server 2003 and, with it, IIS 6.0).

Confused about getting QoS working on the Nexus 9300 platform (I worked with the 9396PX)? If you’re coming from the Nexus 5500 platform you’re in for a little tweaking, as some things are different. I’ll quickly outline the differences and then move on to some sample configuration:

  • MTU is set at the interface level (not in a network-qos policy as on the 5500)
  • The queuing class-maps are system-defined (c-out-q1 through c-out-q3 and c-out-q-default)
  • Four egress queues: the default queue (qos-group 0) and queues 1-3, already mapped to the system-defined class-maps above
  • Both access and trunk ports, by default, treat all traffic as CoS 0 and place it in the default queue
  • An ingress QoS service-policy must be applied to ports or port-channels to classify traffic into qos-groups

Here is some basic configuration for setting the QOS policy to classify:

class-map type qos match-all RUBY
  match cos 4
class-map type qos match-all EMERALD
  match cos 2
class-map type qos match-all DIAMOND
  match cos 6

policy-map type qos QOS_POLICY
  class RUBY
    set qos-group 2
  class EMERALD
    set qos-group 1
  class DIAMOND
    set qos-group 3

interface port-channel20
  switchport mode trunk
  switchport trunk allowed vlan all
  spanning-tree port type edge trunk
  mtu 9216
  service-policy type qos input QOS_POLICY

Now, let’s view the system defined queuing class-maps so you can get an idea of this:

class-map type queuing match-any c-out-q3
  Description: Classifier for Egress queue 3
  match qos-group 3
class-map type queuing match-any c-out-q2
  Description: Classifier for Egress queue 2
  match qos-group 2
class-map type queuing match-any c-out-q1
  Description: Classifier for Egress queue 1
  match qos-group 1
class-map type queuing match-any c-out-q-default
  Description: Classifier for Egress default queue
  match qos-group 0

Finally, let’s assign some bandwidth allocation around those queues:

policy-map type queuing QUEUING_POLICY
  class type queuing c-out-q1
    bandwidth percent 10
  class type queuing c-out-q2
    bandwidth percent 15
  class type queuing c-out-q3
    bandwidth percent 25
  class type queuing c-out-q-default
    bandwidth percent 50

Now, we apply this QUEUING policy to the system-qos:

system qos
  service-policy type queuing output QUEUING_POLICY

I’ll update this more and more as I encounter more QoS with the 9300 platform.

This is an oldie, but goodie:

I only wish there were a link explaining things in more detail, as a lot of people don’t understand SNMP fully. Nonetheless, it is a great starting point regardless of manufacturer; the beauty of standard protocols!

  • It isn’t your fault you were born into this mess.
    • As a child, you are the victim of your parents’ inability to provide a better means of living; you had no choice in who you were born to, it is just unfortunate you weren’t dealt a better hand. However, God gave us all a shot at this life, so learn to play the hand you have until you’re able to ask for new cards.
  • Kids will be cruel because you’re poor.
    • Just remember rule #1, it isn’t your fault you don’t have new clothes or you’re wearing last year’s clothing; however, children will be cruel because their parents have money (a key thing to take notice of). Just remember this: a lot of the kids I went to school with, who picked on me because of my unfortunate circumstances, aren’t doing so well today.
  • Education is important, no matter what.
    • I am a high school dropout, plain and simple. I was set to fail in this life because I gave up and didn’t see education as an important resource to survive in life; I felt I could make it without it. I also needed to work to help pay bills and eat; however, that intention got shot to hell (and it will for you too, because you’re too young to make these kinds of decisions). High school is a critical point in your life; you’ll get to experience many things which will never come your way again. I hear people talk about their high school experiences, from the everyday goofy stuff to prom, football games, and graduation…these are things I never got to experience and, just like me, you’ll feel left out of the conversation. Stay in school, no matter what.
  • When you’re old enough to make choices to impact your future, you’re no longer the victim.
    • I stand by lesson #1 because children are innocent; however, when you’re grown enough to make a decision for yourself, you are no longer the victim, so suck it up and start asking yourself “Ask not what society can do for me, but what I can do for society”. This simple quote is powerful: what can you do for others to show you’re destined for greatness? No one likes someone who pulls the victim story; people love success stories about someone pulling themselves up by their own bootstraps. You have a choice, the happy-ending success story or the never-ending sad song of playing the victim. When I tell my story, I tell a success story: one born into poverty, the troubles I faced and how I made it to where I am, never once blaming anyone besides myself for my dumb decisions; instead, I talk about the lessons I learned.
  • Quit blaming others for everything.
    • You can now make your own choices which have immediate and long-term impact on your life; there are also things you have no immediate or long-term control over; however, this gives you absolutely no right to blame others. There is no “man” with his foot on your neck, no one gives a damn about the color of your skin any longer, people care about your attitude and how you handle yourself, and you will be judged by this. I grew up in the ghetto of West Palm Beach, Florida and was treated the same by “outsiders” who only saw where I came from; they didn’t care that I was white, I was to be avoided because I was from the wrong side of the tracks and acted like it, plain and simple. When I carried myself like a respectable human being, spoke clear English, and treated others the way I wanted to be treated, no one realized I was from the ghetto.
  • Respect everyone, even if you absolutely hate them.
    • Having spent time in a juvenile program based on basic military principles, I learned the hard way that I can hate a person so much I wouldn’t piss on them if they caught fire, but I still had to not only give them respect but learn to function with them as one dysfunctional team. You’re not going to like everyone in this world and they’re not going to like you; however, you must treat them with respect and, if you have to work with them, learn to work with them in a way that you function as one well-designed machine. In life, you’re not going to choose who you work with, and sometimes you’re going to wish they’d get run over by a bus; however, you must learn to work with them during the times you need to, and after that you can pretend they don’t exist. People are going to recognize quickly if you’re disrespecting them or choosing not to work with them; this is selfish and childish. If the other person is behaving like a child, take the high road. It isn’t a good trait to throw people under the bus or “show them out”; a lot can be said of someone who’ll stand up for someone who is down and being kicked. Intelligent people will notice this trait, idiots will cheer for the opposite; decide who you want on your side.
  • No one is going to throw a parade for doing your job.
    • Don’t be a show boat; every respectable adult hates this. Getting a paycheck and advancing in your career is reward enough. In the business world there simply isn’t time to pat everyone on the back each time they do their job. Be thankful for the job you have now and do it to the best of your ability, even if it isn’t your “destination job”; see point #8.
  • Do your best at everything, no matter what the circumstance.
    • This trait will show: even while working for minimum wage, you gave it all you had. I worked at various minimum wage jobs early in life and I gave them all I had, knowing these jobs were not what I would be doing forever; the job was not below me. If you say a job is below you, you’re insulting the people who have to work these jobs to survive and feed their families. My mother worked at McDonald’s for not much more than minimum wage to give us a roof and food in our stomachs; if she could have done better, she would have in a heartbeat, but she was doing all she could do. There are some people who, if they could, would find better jobs, and there are some people who don’t care to do any better and prefer to just “get by” by choice (likely the victim and/or the leeching kind who only do the minimum to get by in life). The former you have to respect, because they’re doing all they can in a shitty situation; the latter, while still deserving of respect, you should have no sympathy for.
  • Focus on your future and yourself.
    • I only had a GED and wasn’t in college; I didn’t have the luxury of living on campus getting free meals, I had to work to survive and plan my future through hard work and self-study. Thus, I had little to no time for weekly clubbing, parties, and other excursions. I made one major mistake: I settled down with a woman far too early in life, which distracted me from doing better than what I could do now. Friends are invaluable, but do not fall into their lifestyle choices by following them into the clubs each weekend, spending copious amounts of money and time on something which does not benefit you. Learn to budget your money and spend wisely; this trait will follow you the rest of your life, even when you’re making $100,000/year. Focus on how to get out of poverty, and focus on what you want for a career to reach that goal. Learn to spend your free time studying and doing internships in the discipline you want to pursue. I worked at various engineering companies before I realized I didn’t want to be a mechanical engineer; however, when I landed some time in an IT department, I was hooked and knew IT was to be my career. While it seemed fun to go out to the clubs each weekend, I knew there was more to life than living weekend-to-weekend, paycheck-to-paycheck; thus, I kept my eye on the prize on the horizon and kept accelerating until I got there, one minor goal at a time until I reached the end. As an example, only one guy I knew from the days of clubbing each weekend is doing well; everyone else is back to living paycheck-to-paycheck, weekend-to-weekend…except now they’re the creepy old guy in the club.
  • When you’ve made it, find someone with just as much to gain and lose to marry.
    • Once you’ve accomplished pulling yourself out of poverty, landed in your career, and have a stable life, it is ok to find someone to spend your life with. But take it from me, you will want to find someone who has similar goals and as much or more to lose than you do. Never settle on a person, no matter how lonely you are, never settle. Once you’ve become the person you want to be you’ll learn to associate yourself with the successful type of person you desire. Just remember, you have to ask yourself: I want them, but will that type of person want me? This is why you have to look for someone with just as much or more to lose than you do, because someone with nothing to lose and everything to gain will be easy to find and they’ll do whatever they can to sink their claws into you. My ex-wife was exactly like this and this cost me a lot of pain and suffering, not to mention major monetary losses, because she was at rock bottom in life and I was on the rise; she just wanted a free ride. There are plenty of women like Carolyn out there; be aware of them and leave them alone, they’re not even worthy of a one night stand, you’ll never turn a trick into a treat. However, my current wife and I met at a key point in our lives, both on the rise in our careers and looking to accelerate as fast as possible. We both knew we needed to take risks and, with each of us having exactly the same and more to gain or lose, we took the leap of faith, took the risks, and were pleasantly rewarded. You should evaluate your situation with the same amount of observation; learn from others’ failed endeavors, try not to repeat them, and life will be that much easier.

In all of this, thank God for the believers who take a chance on you when you’re up-and-coming in life; they’re the ones who really did believe in you.

Recently, my wife, who is also my business partner, came to the realization that we had one common problem at our office: our administrator. Nicole is an excellent clinician and is dedicated to her field like none other; however, this makes her a terrible business person because she is far too focused on helping someone. What this meant was keeping someone who clearly wasn’t fit for the job they took on, and who had gone far too long in that position, thus costing the company thousands in unprocessed and ill-reported claims, along with paying her a salary for which I have absolutely no idea what she did to earn it. Now, what made this decision tough? Her child was a former patient and Nicole had grown close to the family. That isn’t all of it either: this woman had serious medical issues she needed surgery for, would be out of commission for weeks on end, and couldn’t be at the office to perform the duties of her job.

So, the prime time to have let her go had passed, because Nicole only saw that our office administrator was taking a “load” off her, that being answering phones and scheduling, which can be time consuming but shouldn’t take all of her 4 hours each day. With the best time to let her go long gone, I was faced with having to advise her that she wouldn’t be working from home while recovering, because her value-add to the business was absolutely zero and I would have been paying her to do absolutely nothing. So, she was told to focus on her recovery and to visit the office when she was fit enough to do so; however, she was advised she would likely just be paid her last paycheck and that we were unsure whether we would need her services after that.

Here is something we all should learn from this scenario: learn to let people go, it could be the best thing for everyone involved. I watched this office administrator sink into a hole she could no longer crawl out of; however, someone else couldn’t see who was holding the shovel and assumed this person was of some value, until Nicole saw how far behind we actually were, which was costing us thousands of dollars per month. If you own a business or sit on a board where you have the responsibility of hiring and terminating people, never be afraid to cut someone loose if they’re failing at their job; it serves no good if the person isn’t able to come up to speed in a reasonable time to support the business, you’ll only hurt yourself and those who also believe in your small business. Learn to let people go before they end up a bigger disappointment, one you’ll regret. Instead, learn from the mistake so it becomes a lesson you can use later when deciding who to hire and when to terminate someone. Once again, terminating someone is stressful for both parties involved, but sometimes you have to let that person go so they can realign themselves with a different organization, perhaps in a different role, to achieve success, because they’re obviously never going to achieve it here.

It is a common mistake to assume that X ports in an EtherChannel equate to X times the port speed for any given flow; this is grossly incorrect (a single flow always hashes onto one member link), and I’ll attempt to explain the behavior in layman’s terms.

First, you should ALWAYS bundle a power-of-two number of links (2, 4 or 8). Why? Classic Catalyst platforms hash every flow into one of eight buckets and deal the buckets across the member links, so 2, 4 and 8 links each get an equal share of buckets, while 3, 5, 6 or 7 links leave some members carrying more buckets than others (three links split 3:3:2, six links 2:2:1:1:1:1). More on how that hash works below.

Second, you need to examine the traffic patterns on your network. If your servers live in the “core” of your office and your access switches connect back to the core through EtherChannel, you’re likely to have many different source addresses (IP and MAC) going to a common destination address (IP and MAC). This is especially true of a backup server pulling backups from every computer on the network, or of users sending their default-gateway traffic to a router that has an L3 port-channel configured from the core switch, a common pattern today. Finally, you can have server-to-server traffic, where the source and destination IP addresses remain constant while the servers use numerous source and destination TCP/UDP ports; the EtherChannel carrying this traffic needs its hash adjusted accordingly. What if both patterns (clients to the server and server-to-server) cross the same EtherChannel and you can’t build a separate one? The only recommendation here is to examine your traffic carefully and figure out what is more effective for your organization; we won’t get into that here.

Third, you need to understand what load-balancing algorithms are available to you. Take notice, though: this largely depends on the equipment you’re using. If your organization, like one I have worked in, has decided to use 3560/3750 devices as the “core” of its network, you’re limited to the basics; if your organization uses true core switches (4500, 6500, 6800) you have all the options available. The options available on ALL models are listed below:

  • src-ip – Source IP address only
  • dst-ip – Destination IP address only
  • src-dst-ip – Source and destination IP address only (XOR)
  • src-mac – Source mac address only
  • dst-mac – Destination mac address only
  • src-dst-mac – Source and Destination mac address only (XOR)

Now, here is what you’ll find available on true core switch models, in addition to the above:

  • src-port – Source port only
  • dst-port – Destination port only
  • src-dst-port – Source and Destination port only (XOR)
  • src-dst-mixed-ip-port – Source and destination IP along with the Source and Destination ports
  • src-mixed-ip-port – Source IP address and port
  • dst-mixed-ip-port – Destination IP address and port

Which of the above you get depends on what you’re running in your infrastructure, hardware and code level. It pays to put in the appropriate devices according to their duties. If you’re using devices like a 3560/3750 as your “core” you could be out of luck, considering the few options available, with one exception: you can look at installing a 10GbE module in the switch and running a 10GbE EtherChannel. This WILL NOT fix the load-balancing issue, but it will provide the increased bandwidth to get you through until you’re able to install the appropriate hardware to support your needs. This assumes you’re using fiber for inter-switch links and it supports 10GbE across the distances you’re looking to span.

Understanding your traffic patterns will be a process; however, one a lot of you forget about is the L3 EtherChannel you could be using between your core switch and your router. Think about this: every host resolves the same next-hop default gateway and this NEVER changes, so the destination MAC address of everything crossing that channel is the same, and a destination-only hash puts all of it on one member. If you want to use that EtherChannel more fully, hash on the source MAC address towards the router. One caveat: if the core switch itself routes onto that channel, the source MAC is the core’s own and is just as constant, so hash on source IP (or source and destination IP) instead.
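To make the hashing behavior concrete, here is an added Python model (not code from this post, and not Cisco’s algorithm) that hashes constructed flows into eight buckets and deals the buckets over the member links, roughly the way the Catalyst platforms do it. The exact hardware hash differs, but the two effects the text describes fall out of it: odd bundle sizes leave some links with more buckets, and a hash input that is constant across your traffic (one backup server, one default gateway) pins everything to a single member. The two traffic samples are constructed for the example.

```python
"""Toy model of how an EtherChannel spreads flows over its member links.

Added illustration, not code from this post or from Cisco. The real hardware
hash differs in detail; what is modeled is the Catalyst-style behaviour of
hashing every flow into one of eight buckets and dealing the buckets across
the member links, so only 2, 4 or 8 links share evenly.
"""
import ipaddress
from collections import Counter

N_BUCKETS = 8  # classic Catalyst platforms hash into eight buckets


def _ip_int(addr):
    return int(ipaddress.ip_address(addr))


def hash_bucket(flow, method):
    """Map a flow (src, dst, sport, dport) to a bucket 0..7 for a load-balance method."""
    src, dst, sport, dport = flow
    if method == "src-ip":
        value = _ip_int(src)
    elif method == "dst-ip":
        value = _ip_int(dst)
    elif method == "src-dst-ip":
        value = _ip_int(src) ^ _ip_int(dst)
    elif method == "src-dst-port":
        value = sport ^ dport
    elif method == "src-dst-mixed-ip-port":
        value = _ip_int(src) ^ _ip_int(dst) ^ sport ^ dport
    else:
        raise ValueError(f"unsupported load-balance method: {method}")
    return value & (N_BUCKETS - 1)  # keep the low three bits -> 8 buckets


def bucket_to_link(bucket, n_links):
    """Deal buckets round-robin onto links: 8 buckets over 3 links is 3:3:2."""
    return bucket % n_links


def buckets_per_link(n_links):
    """How many of the 8 buckets each member link owns; uneven unless 2, 4 or 8."""
    return Counter(bucket_to_link(b, n_links) for b in range(N_BUCKETS))


def distribute(flows, method, n_links):
    """Count flows per member link for a given hash method and bundle size."""
    counts = {link: 0 for link in range(n_links)}
    for flow in flows:
        counts[bucket_to_link(hash_bucket(flow, method), n_links)] += 1
    return counts


# Constructed sample traffic: 64 clients backing up to one server, and one
# database server talking to one application server over 64 connections.
CLIENTS_TO_SERVER = [
    (f"10.1.1.{1 + i}", "10.0.0.10", 40000 + i, 443) for i in range(64)
]
SERVER_TO_SERVER = [
    ("10.0.0.10", "10.0.0.20", 40000 + i, 3306) for i in range(64)
]

if __name__ == "__main__":
    for links in (2, 3, 4, 6, 8):
        print(f"{links} links -> buckets per link {dict(buckets_per_link(links))}")
    for method in ("dst-ip", "src-ip", "src-dst-ip", "src-dst-port"):
        print(f"clients->server {method:14s}", distribute(CLIENTS_TO_SERVER, method, 4))
        print(f"server->server  {method:14s}", distribute(SERVER_TO_SERVER, method, 4))
```

Run it and the two lessons show up in the counts: with dst-ip hashing all 64 client flows land on one member of a four-link bundle, src-ip spreads them 16/16/16/16, and the server-to-server flows behave the opposite way (src-dst-ip pins them, src-dst-port spreads them). Switching the bundle to three links turns an even 8-per-bucket spread into 24/24/16.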

I won’t let this get too long, I’ll follow up with some nice diagrams later.

Much like on firewalls, you can create object groups in NX-OS and use them when implementing ACLs:


object-group ip address {OBJECTNAME}
  {subnet/mask}
  {subnet/mask}
  {subnet/mask}...
exit

ip access-list {ACL_NAME}
  permit ip addrgroup {OBJECTNAME} [destination]

Makes life simple, huh? What about viewing an access-list that was configured with an object group? The summary view won’t show the individual entries the group turns into; you need to “expand” it:

show access-lists {ACL_NAME} expanded

In Cisco IOS, finding out which ACL is applied where is a monumental pain in the ass if you have a lot of interfaces: typically you’re searching the running config by eye (or running show ip interface and filtering for the access list lines) or, if you know how to script, sending the output to text and filtering it for the information you need. All of that sucks, because in NX-OS you can just do this:

show access-lists summary

The output gives you not only which access-list is tied to which interface but also the direction the ACL is applied in. You’ll see a configured section and an active section. Just remember, you can configure an ACL on an interface, but if the interface is not IP enabled, or is simply down, it will not be listed in the active section.
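As an added example (not code from this post or from Cisco), here is a small Python script that expands object-group ACEs the way the expanded view does and then walks a packet through the result first-match, which is a handy way to audit what a policy actually permits before you push it. The configuration text it parses is constructed for the example and covers only the syntax used above: ip address object groups with host or prefix entries, and ACEs that reference them with addrgroup (plus host, prefix and any).

```python
"""Expand NX-OS style object-group ACLs and evaluate a packet against the result.

Added example, not code from the post or from Cisco. Handles the subset of
syntax the post uses; the sample configuration is constructed for the example.
"""
import ipaddress
from typing import NamedTuple

SAMPLE_CONFIG = """
object-group ip address WEB_SERVERS
  10 host 10.1.1.10
  20 10.1.2.0/24
object-group ip address MGMT_NETS
  10 192.168.100.0/24
ip access-list WEB_IN
  10 permit tcp addrgroup MGMT_NETS addrgroup WEB_SERVERS
  20 permit ip any addrgroup WEB_SERVERS
  30 deny ip any any
"""


class Ace(NamedTuple):
    seq: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take_address(tokens, groups):
    """Pop one address spec (any | host A.B.C.D | A.B.C.D/len | addrgroup NAME)
    off the front of the token list and return the list of networks it denotes."""
    head = tokens.pop(0)
    if head == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if head == "host":
        return [ipaddress.ip_network(tokens.pop(0) + "/32")]
    if head == "addrgroup":
        return list(groups[tokens.pop(0)])  # group must be defined before use
    return [ipaddress.ip_network(head, strict=False)]


def parse_config(text):
    """Return (object_groups, acls): group name -> networks, ACL name -> raw ACE lines."""
    groups, acls = {}, {}
    current, kind = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("object-group ip address "):
            kind, current = "group", groups.setdefault(line.split()[-1], [])
        elif line.startswith("ip access-list "):
            kind, current = "acl", acls.setdefault(line.split()[-1], [])
        elif kind == "group":
            tokens = line.split()
            if tokens[0].isdigit():  # optional sequence number
                tokens = tokens[1:]
            current.extend(_take_address(tokens, groups))
        elif kind == "acl":
            current.append(line)
    return groups, acls


def expand_acl(name, groups, acls):
    """One ACE per (source, destination) pair, like 'show access-lists ... expanded'."""
    expanded = []
    for line in acls[name]:
        tokens = line.split()
        seq = int(tokens.pop(0)) if tokens[0].isdigit() else 0
        action, proto = tokens.pop(0), tokens.pop(0)
        srcs = _take_address(tokens, groups)
        dsts = _take_address(tokens, groups)
        for s in srcs:
            for d in dsts:
                expanded.append(Ace(seq, action, proto, s, d))
    return expanded


def evaluate(expanded, proto, src_ip, dst_ip):
    """First matching ACE wins; falling off the end is the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in expanded:
        if ace.proto not in ("ip", proto):
            continue
        if src in ace.src and dst in ace.dst:
            return ace.action, ace.seq
    return "deny", None


if __name__ == "__main__":
    groups, acls = parse_config(SAMPLE_CONFIG)
    for ace in expand_acl("WEB_IN", groups, acls):
        print(f"{ace.seq} {ace.action} {ace.proto} {ace.src} {ace.dst}")
    print(evaluate(expand_acl("WEB_IN", groups, acls), "udp", "8.8.8.8", "10.1.1.10"))
```

The expanded list is what the hardware actually programs, so reviewing it (rather than the compact addrgroup form) is where you catch an over-broad group member such as a /24 that was meant to be a single host.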

Why do VTP in the data center? I have absolutely no explanation for this; it is generally just a bad idea to use VTP to begin with. Perhaps “easy” is one argument, but look at the problems you face with it:

  • A switch (rogue, or simply reused) joining the domain with a higher configuration revision can overwrite the VLAN database across the whole network
  • On Catalyst IOS the VLAN database lives in vlan.dat in flash, not in the startup-config, so a copy of the config is not a backup of your VLANs
  • A rogue switch joining the domain learns the full VLAN inventory, useful reconnaissance for an inside attack

In a data center you expect a highly available, reliable, and secure computing environment, and this is something VTP simply doesn’t offer. Look at the Nexus lineup: VTP is a feature that is disabled by default! What a great concept, finally! If you are stuck with it on Catalyst gear, at least put every switch that doesn’t need it in transparent mode (vtp mode transparent) and set a VTP password (vtp password) on the ones that do. I’ll go ahead and just say it: if you’re using VTP in the data center, you’re just being lazy.

Want to know which prefixes the forwarding table sends out a specific interface? Use show ip cef [interface]:

wan-gw1#show ip cef ser2/0
0.0.0.0/0
  nexthop 10.129.23.65 Serial2/0
10.16.0.0/12
  nexthop 10.129.23.65 Serial2/0
10.32.0.0/16
  nexthop 10.129.23.65 Serial2/0
.....Lines omitted for brevity

Just that simple. Remember that this is the FIB view: it tells you where the router will forward each prefix, not which routing protocol learned it. If you forgot the purpose of CEF, read: Cisco IP CEF Overview