Unbelievably, there is a bug on Nexus 7000 that can prevent you from applying any ACLs to the interface. The result is that the following command gives TCAM allocation failures.
ip access-group MYACL in
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCtz71765/?referring_site=bugquickviewredir
The solution is to use the following command:
hardware access-list resource feature bank-mapping
Voila!
I was quite proud of the fact that I found the solution in 20 minutes.
Hello
I’ve found a number of times that if you have a crypto map that is applied to an interface, changes made to the transform-set that is applied to this interface are not applied instantaneously. So e.g. you have this crypto map:
crypto map MYMAP ipsec-isakmp 10
set peer 8.8.8.8
set security-association lifetime kilobytes 4608000
set security-association lifetime seconds 3600
set transform-set MYSET
set pfs group5
match address MY_INTERESTING_TRAFFIC
Now if you change MYSET, your router may still send out the old MYSET. Solution no1:
So if you’re troubleshooting a broken S2S VPN, make one change, wait 15 minutes, check, if it’s still not working only THEN make another change.
Today I spent 80 minutes in a troubleshooting session with an engineer from the remote end trying one thing after another and nothing worked. We ended the session and set up another one for the next day. I reverted the config to the original settings + made 1 change that should be ok (but it still wasn’t ok! ), went shopping, came back, and it just worked!
Reading through the new CCDP book, I came across an interesting fact. Turning off trunk mode negotiaion (switchport mode trunk) and DTP (switchport nonegotiate) can reduce the link transition time by 2 seconds!
Further, it is good to put your most important vlans as low-number vlans, because they are first to come up. This can save probably miliseconds rather than seconds but it’s still a timesaver.
Hello
What portals do I use to learn?
It’s difficult to say which one I prefer, because it depends on the level you’re at. If you’re starting, get a subscription at cbtnuggets.com or get Chris Bryant’s course. If you’ve already passed CCNP, probably INE should be the logical next step. Skilsoft courses are a bit different in that there’s more theory and less practice but i’ve found that they can be more indepth in certain areas (e.g. security) than CBT’s equivalents, although INE will usually offer the most depth. CBT is a nice primer if you know nothing and you want to get a feel of what’s coming up.
Something to bear in mind is that before an actual exam you need to read Cisco documentation because a lot of topics don’t come up in any course, sometimes because Cisco didn’t actually specify a given topic in their exam blueprints, sometimes because the trainer didn’t think that the topic was important enough or quite the opposite – a topic could be too complex and they didn’t think that the exam would go into that much detail (SIMOS exam is the best example here where the exam is soooo much more comprehensive than what blueprint says).
Of course, lab up anything you’ve learnt because you will be amazed at how fast you forget stuff you don’t use. Commands are best learnt with your fingers, not with your eyes.
Lastly, don’t exaggerate with the pace. 1-2h of learning a day is probably the absolute maximum for people with some personal life. ”Speed runs” are good only for a short time, I guess. (divorce rates appear to be distinctly higher in CCIE holders)
Hi
As you might know, I’m a big fan of Safari. I’m now preparing for the revised CCDP exam so I was pleasantly surprised when I found the official guide on Safari – one month before the official release date! Nice!!!
I’m hoping to take the exam sometime in March. My plan is to go through the whole CCIE R&S material (which covers a lot of material from CCDP), read the CCDP book plus read as many Cisco validated designs as I can. CCDA was a bit of a challenge because it had some legacy technologies that Cisco should have buried a long time ago so maybe the revised CCDP will actually feature some real-life scenarios. I’ve learnt not to be overly optimistic about the quality of Cisco exams (their NDAs should say ”don’t diss the quality of our exams publicly”) Sorry Cisco – I guess I still hold a grudge about that faulty routing lab you gave me in 2014.
Hello
I was connecting an 886 VA-J Cisco router do a DSL line in Germany the other day and I learnt some useful stuff:
Anschlusskennung+TOnlineNummer#Mitbenutzernummer@t-online.de
So if Anschlusskennung is 11111111, Tonlinenummer is 222222222222 and Mitbenutzernummer is 0001, Kennwort is 3333333, your chap hostname should be:
11111111222222222222#0001@t-online.de.
And the whole config is as follows
interface ATM0 no ip address load-interval 60 no atm ilmi-keepalive ! interface ATM0.7 point-to-point pvc 1/32 bridge-dot1q encap 7 pppoe-client dial-pool-number 1
interface Dialer1 ip address negotiated no ip directed-broadcast encapsulation ppp dialer pool 1 dialer-group 1 ppp authentication chap callin ppp chap hostname 11111111222222222222#0001@t-online.de ppp chap password 333333
If you don’t get an ip address, turn the PPP debug on (debug PPP packet, debug PPP events) and put your thinking cap on, too 🙂
Using NM-16A/S or NM-32A/S is easy peasy, because they are dedicated terminal server modules and you have octal cables. But NM-8A/S is a bit more complex because you need more cables, adapters, and special commands to get this working. Now, I don’t recommend the NM-8A/S modules but sometimes you can get them really cheap compared to the other ones, so here’s how to set it up as a terminal server:
Now power up the 2621xm, go to the serial interface (remember that they’re numbered from the right):
conf t int s1/0 physical-layer async
This causes the serial to go into async mode.
Now issue the command:
show line
This command shows you which line you need to use (in my case it was line 33, because the it’s S1/0 module. If it was S0/0 module, it would be line 1.)
Then, make a loopback0 interface and add an ip address to it:
int loop0 ip addr 10.0.0.1 255.255.255.0
Then, go to the line interface and modify the transport parameters:
conf t line 33 transport input telnet transport output telnet
Finally, create a host/port mapping:
ip host R1 2033 10.0.0.1
This maps the address/port to the name of the router that you want to manage.
Now you can manage other routers by telnetting to this router’s loopback interface:
telnet 10.0.0.1 2033
This moves you to the R1 console port.
Alternatively, just type R1 and press Enter.
You can use Shift+Ctrl+6 and then X to leave the managed router and go back to your terminal server.
Now add more mappings for other managed routers:
ip host R2 2034 10.0.0.1 ip host R3 2035 10.0.0.1 ip host R4 2036 10.0.0.1
and so on and so forth.
Just look at this: Isn’t this beautiful? This is the rack that I’m going to use for demos:
1×3560
2×3550 (soon to be replaced by 3560v2 or 3560e)
2651xm + NM-32A (access server)
ASA 5520 (for vpn users)
1×2801
1×1921
5×1841
1x SRX210 (in case I want to draw a comparison with Junos)
In each rack there will be a small Edimax wifi router so that each group can connect to a separate SSID on a separate wifi band.
Big thanks to Kaziu!!! (”tak to by człowiek się w niedzielę obijał i chodził z kąta w kąt”)
If your routers/switches send useless but high-level messages to your syslog server, you can use a logging discriminator to eliminate some unwanted log messages.
This is an example of a cisco bug message on a Cisco 881 router. It doesn’t mean anything and can only be fixed with an ios upgrade. You can also choose not to do anything about it because nothing is actually broken, but the syslog has a critical class and looks ugly in your kiwi logs.
734605: Jul 15 12:33:26.295 CEST: %SYS-2-CHUNKINVALIDHDR: Invalid chunk header type 1 for chunk 8419EBA4, data 8419FEEC -Process= „Net Background”, ipl= 3, pid= 27, -Traceback= 0x8084F720 0x80037078 0x8034D438 0x8170FA3C 0x8170D6AC 0x8170D978 0x816E6BD0 0x8190F7CC 0x8190FDC0 0x80C13514 0x8144F354 0x803241D4 0x80C1370C 0x8144F354 0x80B3B538 0x81450CC8
To eliminate this critical syslog entry, use a logging discriminator.
logging discriminator NOCHUNK severity drops 2 facility drops SYS mnemonics drops CHUNKINVALIDHDR
logging console discriminator NOCHUNK
logging monitor discriminator NOCHUNK
logging trap warnings
logging host 10.0.0.1 discriminator NOCHUNK
On firewalls, you need a different approach, because the discriminator has not been implemented on ASA.Therefore, you need to add messages on top of a specific logging level.
Logging message 111111 level errors (find message number in cisco documentation)
or use lists:
logging list my_critical_messages level 1
logging list my_critical_messages message 611101-611323
logging trap my_critical_messages
