It is a common mistake to assume that X ports in an EtherChannel equate to X times the individual port speed; this is grossly incorrect, and I’ll attempt to explain the behaviour to you in layman’s terms.

First, you should ALWAYS combine EtherChannel bonds in even numbers (2, 4, 6, or 8). Why? Because of the hashing algorithm used to determine how traffic is load balanced across the EtherChannel; more on how that works below.

Second, you need to examine the traffic patterns on your network. If you have a model where your servers live in the “core” of your office and your access switches connect back to the core through an EtherChannel, you’re likely to have a lot of different source addresses (IP and MAC) going to a common destination address (IP and MAC). This is especially true of a backup server pulling backups from all the computers on the network, or of users sending their default-gateway traffic to a router that has an L3 port-channel configured from the core switch, which is a common network pattern you’ll find today. Finally, you can have server-to-server traffic patterns, where the source and destination IP addresses remain constant; however, the servers are probably using numerous source and destination TCP/UDP ports, so the EtherChannel carrying this traffic needs to be adjusted accordingly. What if both models (clients to the server and server-to-server) cross the same EtherChannel and you can’t build a separate one? The only recommendation here is to examine your traffic carefully and figure out what is more effective for your organization; we won’t get into that here.

Third, you need to understand what load balancing algorithms are available to you. Take notice, however: this largely depends on the equipment you’re using. If your organization, like one I have worked inside, has decided to use 3650/3750 devices as the “core” of its network, you’re limited to the basics; if your organization uses true core switches (4500, 6500, 6800), you have all the options available to you. I will list the options available in ALL models below:

  • src-ip – Source IP address only
  • dst-ip – Destination IP address only
  • src-dst-ip – Source and destination IP address only (XOR)
  • src-mac – Source MAC address only
  • dst-mac – Destination MAC address only
  • src-dst-mac – Source and destination MAC address only (XOR)

Now, here is what you’ll find available on true core switch models, in addition to the above:

  • src-port – Source port only
  • dst-port – Destination port only
  • src-dst-port – Source and Destination port only (XOR)
  • src-dst-mixed-ip-port – Source and destination IP along with the Source and Destination ports
  • src-mixed-ip-port – Source IP address and port
  • dst-mixed-ip-port – Destination IP address and port

The above options all depend on what you’re running in your infrastructure, both hardware and code level. It pays to put in the appropriate devices according to their duties. If you’re using devices like a 3560/3750 as your “core”, you could be out of luck considering the few options available to you, with one exception: you can look at installing a 10GbE module in your switch and running the EtherChannel over 10GbE. This WILL NOT fix the load balancing issue, but it will provide the increased bandwidth to get you through until you’re able to install the appropriate hardware to support your needs. This assumes you’re using fiber for inter-switch links and that it supports 10GbE across the distances you’re looking to span.

Understanding your traffic patterns will be a process; however, one thing I think a lot of you forget is the L3 EtherChannel you could be using between your core switch and your router. Think about this: the switch resolves the next-hop default gateway and this NEVER changes; thus the destination address of that traffic is always the same. So, if you want to utilize that EtherChannel more appropriately, set it to hash based on source MAC address towards the router.
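As an added example (not configuration from the original post), here is how the hashing choice is set and verified on a Catalyst switch running IOS. The interface names, port-channel numbers and IP/MAC addresses are constructed for illustration. The `test etherchannel load-balance` command reports which member link a given source/destination pair would select, so you can check the point above yourself: with a constant destination, a dst-ip hash puts every client flow on the same member, whereas src-dst-ip (or src-mac towards the router) spreads them.

```cisco
! --- Added example, not configuration from the original post ---
! Two-member LACP EtherChannel between an access switch and the core.
! Interface names, Po numbers and addresses are constructed for illustration.
interface range GigabitEthernet1/0/1 - 2
 channel-group 1 mode active
!
interface Port-channel1
 switchport mode trunk
!
! Many clients -> one backup server: hash on BOTH ends so that the
! differing source addresses spread the flows across the members.
! On Catalyst 3560/3750 and 6500 this command is global: it applies
! to every port-channel on the switch, not only Po1.
port-channel load-balance src-dst-ip
!
! For the L3 EtherChannel towards the router described above, the
! next-hop destination never changes, so a destination-only hash would
! pin all traffic to one member. On these platforms src-mac would have
! to replace the global setting above for the whole switch:
! port-channel load-balance src-mac
!
! --- From privileged EXEC: verify the method and the member selection ---
! Run the test for several client sources against the same server address;
! the selected member should vary with the source under src-dst-ip.
show etherchannel load-balance
test etherchannel load-balance interface port-channel 1 ip 192.0.2.10 198.51.100.5
test etherchannel load-balance interface port-channel 1 ip 192.0.2.11 198.51.100.5
test etherchannel load-balance interface port-channel 1 ip 192.0.2.12 198.51.100.5
! MAC-based check for the router-facing channel (Po2 assumed):
test etherchannel load-balance interface port-channel 2 mac 0000.5e00.5301 0000.5e00.5302
```

Because the load-balance method is a single global setting on the 3560/3750 and 6500, choose the hash that fits the traffic crossing the busiest channel; you cannot give the router uplink src-mac and the server channel src-dst-ip on the same chassis.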

I won't let this get too long, I'll follow up with some nice diagrams later.

Want to know what subnets are being discovered/learned off a specific interface? Use show ip cef [interface]:

wan-gw1#show ip cef ser2/0
nexthop Serial2/0
nexthop Serial2/0
nexthop Serial2/0
.....Lines omitted for brevity

It’s just that simple. Just remember the purpose of CEF; if you forgot, read: Cisco IP CEF Overview

Let's just get down to business, we all use it but few of us understand what any of it means. The documentation is a little, well, complicated for some people so I aim to give you a better understanding of the Cisco configuration register, also known as the config register or config-reg.

I have seen a lot of these courses go up online, and you find people flocking to them for a super easy way into a big-salary IT networking job overnight. I don’t believe one can go from the skills of a CCNA to a CCNP in X number of weeks. The difference between the skills you’ll need for the CCNP and the CCNA concepts is so vast it isn’t funny. In fact, I have long said I would love to see Frame Relay disappear in favor of configuring more real-world scenarios like MPLS and Metro-E. However, they keep churning out Frame Relay information because it is easy to learn. Perhaps this is the reason we have so many whiteboard interviews that can last hours upon hours: we’re churning out CCNA/P certified engineers with little to no real-world experience. I believe in the long-term approach of gaining valuable work experience and studying along the way. If you’re looking to get ahead you should also purchase lab equipment and learn at home when you can; nothing replaces learning the hard way by trying to build it yourself and testing all kinds of scenarios. If you’re looking for a quick way to get certified without experience, these classes will help you get there, just don’t expect to do that well in whiteboard interviews. If you’re a seasoned vet and just want to make sure you pass the first time because you’re a busy IT professional, these are good too.

Far too many times we’re so deep into our IT careers that we forget we were once novice engineers, and others may have been frustrated by our lack of understanding. However, time and time again I find people stating things like “They’re just not that smart”, and this is a complete line of crap; this line of thinking needs to be eradicated from all of our minds. I am guilty of this, but I find it makes me look dumb to others. I challenge myself to stop thinking such negative thoughts and instead attempt to educate others and make them better engineers. In this field we’re not going to get anywhere if we hoard knowledge and shut out others. Now, there are some men/women you just can’t reach no matter how much you care about helping them. If you find yourself explaining yourself over and over, just ask yourself “Are they ignorant of what I am explaining, or do they just not care?” Remember, we can actually fix “stupid” by educating, but we can’t alter a person’s bad work ethic.

Spanning-tree is the red-headed stepchild of networking, and I firmly believe it is not spanning-tree’s fault; I blame the ignorance of the engineer. Spanning-tree is a tool, and like any tool it is typically designed with a specific purpose; however, like most tools in life, you can apply the tool to something it was not intended for and get the desired results. The ignorance people have of spanning-tree causes a lot of issues on networks that I have had to resolve in the past, and they were relatively easy to resolve. I will explain the single most forgotten configuration parameter: bridge priority.

In a VTP environment I would recommend using passwords in your domains to prevent malicious users from screwing with your VTP domain. Just remember, if they have the domain name and a higher revision number, you can kiss your setup goodbye! Make sure the password is set on each switch, and good luck.
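As an added example (not configuration from the original post), the IOS commands that set and verify a VTP password on each switch; the domain name and password are placeholders. The verification step matters because of the revision-number point above: a switch joining the domain with a higher Configuration Revision overwrites the VLAN database, so check that value before you connect a new or reused switch (changing the domain name resets it to 0).

```cisco
! --- Added example, not configuration from the original post ---
! Domain name and password are placeholders; the same pair goes on every switch.
vtp domain EXAMPLE-DOMAIN
vtp password <VTP-PASSWORD-PLACEHOLDER>
vtp version 2
!
! --- From privileged EXEC, on each switch ---
! Confirm the domain, the mode and the Configuration Revision. Before
! cabling a new or reused switch into the domain, make sure its revision
! is lower than the servers'; setting a different vtp domain name first
! resets the revision to 0.
show vtp status
! Confirm that a password is actually configured (it is not shown in
! show running-config).
show vtp password
```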

If you’re wondering whether you should use this, I think you should. Having any traffic unauthenticated is just stupid; you’re asking for issues on your network from someone coming in, sniffing your traffic and discovering that your hello messages have no authentication or plain-text authentication set. One shouldn’t have to explain the benefits; however, do understand that EIGRP has the advantage of using multiple keys in a key chain, each with an expiration, which helps rotate keys and prevents someone from obtaining a key that has been in use for years. OSPF does not have such a feature in IOS.
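As an added example (not configuration from the original post), an IOS key chain for EIGRP authentication with staggered lifetimes. Key strings, dates, the AS number and the interface name are placeholders. The point the lifetimes demonstrate is the rotation: the new key is accepted a month before it is sent, and the old key is accepted a month after it stops being sent, so routers whose clocks or change windows differ slightly keep their adjacencies during the cutover.

```cisco
! --- Added example, not configuration from the original post ---
! Key strings, dates, AS number and interface are placeholders.
! Lifetimes are evaluated against the router clock: keep NTP configured
! on every router in the domain or the rotation will not line up.
key chain EIGRP-KEYS
 key 1
  key-string <KEY1-PLACEHOLDER>
  ! sent until 1 Jun, still accepted until 1 Jul (one-month overlap)
  accept-lifetime 00:00:00 Jan 1 2025 00:00:00 Jul 1 2025
  send-lifetime 00:00:00 Jan 1 2025 00:00:00 Jun 1 2025
 key 2
  key-string <KEY2-PLACEHOLDER>
  ! accepted from 1 May, sent from 1 Jun (lowest valid key number is sent)
  accept-lifetime 00:00:00 May 1 2025 infinite
  send-lifetime 00:00:00 Jun 1 2025 infinite
!
! Apply MD5 authentication on the EIGRP-facing interface (AS 100 assumed).
interface GigabitEthernet0/1
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
! --- From privileged EXEC ---
! Shows each key with its accept/send windows and which is currently valid.
show key chain
! Adjacencies should stay up across the 1 Jun changeover.
show ip eigrp neighbors
```

When the next rotation is due, add key 3 with the same overlap pattern and let key 1 age out; never edit a live key string in place, because the peers would disagree until both sides are changed.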

If you are working with Nexus NX-OS and you want to redistribute static routes into EIGRP, you MUST use route-maps. See below for how to use these on Nexus.
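As an added example (not configuration from the original post), an NX-OS configuration that redistributes static routes into EIGRP through a route-map. The prefix, the list and route-map names and the AS number are placeholders. Rather than a permit-all route-map, the example matches a prefix-list so that only the statics you intend to advertise are redistributed.

```cisco
! --- Added example, not configuration from the original post ---
! Prefix, names and AS number are placeholders.
feature eigrp
!
! Match only the statics you intend to advertise, not every static on the box.
ip prefix-list STATIC-TO-ADVERTISE seq 5 permit 10.10.0.0/16 le 24
!
route-map STATIC-TO-EIGRP permit 10
  match ip address prefix-list STATIC-TO-ADVERTISE
!
router eigrp 100
  ! NX-OS rejects "redistribute static" without a route-map.
  redistribute static route-map STATIC-TO-EIGRP
  ! Seed metric for redistributed routes: bandwidth delay reliability load MTU
  default-metric 100000 100 255 1 1500
!
! --- From privileged EXEC ---
! The matched statics should appear as external (EX) EIGRP routes on the neighbours.
show ip eigrp topology
show ip route eigrp
```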



I recently got into a Facebook debate with someone about experience versus certifications. The opponent was a public sector employee and had been one their entire life. However, it got me thinking about this subject, and it brings up a valid point about certifications and real-life experience. I have seen firsthand, at previous employers, that you can get someone who can sit for classes for a certification and knock out multiple certs in a year; however, are they really useful? In my opinion, probably not, because anyone can take a cram class and the next day, or that same day, sit for the exam and pass because the answers are fresh in their heads. The question to ask is: do you really understand the material and technology?