Multi-sa support for VTIs


Tired of old crypto maps? ios-xe 16.12 has something for you, then.

This nifty little feature works just like crypto maps behind the scenes, but logically it’s a tunnel. All you need to do is create a tunnel with ip unnamed and add: tunnel protection policy ipv4 <crypto ACL name>:

interface Tunnel0
 ip unnumbered GigabitEthernet0/0/0
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination
 tunnel protection ipsec policy ipv4 CACL
 tunnel protection ipsec profile PROF

Isn’t this just great?

I’ve tested this feature on 16.12.3 and it seems fine. So you can have a crypto map (your old VPN connections) on your outside interface and, slowly but surely, you can delete all your crypto map entries one by one, transforming them into new VTI tunnels.
One immediate benefit I can think of is the possibility to have QoS on your tunnels, plus you no longer have to deal with the fact that your tunnels are traffic-triggered. You don’t have to wait for your business partner to say: hey tunnel isn’t working, because you will see it in the status of your tunnels so you can monitor them with SNMP. How cool is that.

For now i’ve tested this on my CSR1000v in GNS3. Hopefully I’ll be able to convince someone at work to allow an upgrade on my ASRs so that I can see how this works in production.

I’ll try to see if this also works with DVTIs (virtual templates etc.).

Cool stuff i’ve found in the new core 300-401 coursebook


I’ve gone through 60% of the book so far (switching, routing, and most of wireless) and I must say it’s a bad book. There’s ton of theory, very little configuration. It may be good as a refresher book just before the exam but I think this approach will just produce paper tigers. But what do i know.

I’ve managed to find some new stuff, though. I’ll keep expanding this. I still have 12 chapters to go.

  1. BGP AIGP – cool stuff, if you have thousands of PEs, and if you’ve grouped them in private BGP AS but for some reason each BGP AS has a different IGP, AIGP lets BGP make routing decisions based on IGP metric.
  2. VRRP v3. This just adds ipv6 support and changes the config to address family config. Nothing fancy.

ISE binary certificate comparison mystery


I’m wondering if anyone has encountered the same problem with binary certicate comparison. The scenario is as follows:

  • the client hires a new employee
  • an AD account is created for that employee.
  • Meanwhile, a PC is prepared for that employee and an IT person logs to that PC for the first time. CA shares a copy of the certificate with AD.
  • The employee receives the PC but can’t log into the network
  • ISE says that no valid account has been found in AD for this certificate IF binary certificate comparison is used. If it is not used, ISE accepts the certificate as valid.

If the certificates are refreshed on the PC, all is well again.

My theory is that this is due to the fact that there are multiple domain controllers and I think that there might be problems if the domain controller receives the certificate from CA before the object is replicated on that branch domain controller and mapping of machine account to machine certificate fails on that controller. My theory is further corroborated by the following bug:

and the following forum entry:



What I do when i don’t do IP


You can totally skip this entry if you’re only interested in networks. It’s just that i’ve met a few new colleages recently who had the impression that I spent my whole life in the cisco world (and this is so not true! i spend the other half in junos 😀 ) so I’ve decided to show that there’s more to me than just the network guy.
So the other part of what I do is that I learn languages and read books in those languages. I’ve developed this system recently where I try to read 4 books in french, 1 in spanish and 1 in german to stop from getting all rusty. (I think i’d like to learn Arabic as well but it’s definitely not a goal for this decade. Maybe 2030-2040).

I don’t use my languages at work every day but I have been able to use my spanish to talk to clients from south america on a number of occasions and it really boosted my relationship with those clients. I use german occasionally and it’s been a massive help in my career because (unsurprisingly) few network people can speak german on a professional level. But overall I learn languages just to be able to read literature. I read really diverse stuff. Books by Graham Greene, Juli Zeh, Sapkowski, Stephen King, hell, i’ve even read 12 rules for life by Jordan Peterson lately. Although I don’t have the same drive to read for pleasure as in the past (which may be due to the fact that i read too much for work purposes and my brain is in overload most of the time), i can still manage one book a month. In the past i would have been mortified at sharing this poor(ish) result but times have changed and I’m as close to being proud of that as I can be. I have a full time job, i’m a dad and I still read one book a month. Do you get an ”average-at-all” badge if you’re the best dentist-driver? or the best baker among rock singers? or the most-overweight half-marathon participant ? Jack of many trades, master of none 🙂

CCNP and CCIE ENCOR 300-401 finally out


The book is finally out, at least on Safaribooks. I’ve read 1/3 so far and it’s a nice little refresher of things i read a long time ago and managed to forget, like what happens if you have MST between 2 switches with 2 links connecting them. Now you map vlan 10 instance 1 but leave vlan 20 in instance 0. Then you try to load balance the traffic by putting vlan 10 on upper link and vlan 20 on lower link only. Of course the vlan 20 traffic will be blocked because IST is a member of all interfaces 😀 so you end up with connectivity only on vlan 10 and hosts in vlan 20 lose connectivity. Of course, why would you not map all vlans to mst instances other than 0 ? laziness, i guess. I’ll try to read the whole book this week to see if it’s any good. I kind of expected more depth, but maybe this is the idea of the ”core” book? to keep it simple?

Anyways, i’ve been playing with very random things recently, like dmvpn with ikev2 and certificates between ASRs and new shiny c1116s. Something that is worth testing in gns3 is a weird situation where a branch router is reloaded and dmvpn gets stuck in NHRP state. What i’ve found is that the hub router mistakenly deletes both the old IKE and the new IKE, so it can never decrypt the data. It’s only when DPD on the branch router reinitializes IKE that NHRP starts working properly. So a quick and dirty fix of this bug is to lower DPD to 30 seconds but the bug is still there whenever a branch site loses power. oh well.
Another activity that i’ve been lucky to be assigned to was testing of 9336 nexus switches for a server block with an emphasis on vPC. It’s rare that you can get a free lab so I tried to test a lot of vPC features, like vPC autorecovery, layer3 peer router, peer switch etc. All in all the best assignment i’ve had in months.

Finally, i’d like to share a hilarious ”team work” situation i’ve seen recently; it’s quite recent so i hope nobody feels offended but i can’t help myself: the client reports (6 months ago) that a company laptop may have been stolen and asks the firewall team to block an internal IP from talking with the enterprise network. The brave fw team blocks this one IP and the matter is put to sleep. Now fast forward to October. A client PC can’t connect to certain IPs. The brave fw team receives the incident and logs a comment saying that everything is fine, because this deny action is as per client request 6 months earlier. The confused NOC team asks to remove the rule because it is no longer needed, the laptop was never stolen in the first place, and this is quite possibly a different laptop that happened to receive the same IP because this IP is in the dhcp scope. This request is rejected by the fw team who says that the IP address in question should simply be excluded from the DHCP scope instead because the rule was created based on customer request so it should stay. The ticket then detiorates into a senseless ping-pong (my opinion is so much better than yours etc.).
It is so sad that each team lives in their antinuke silo where everything is comfy and warm, with thick ITIL carpets and linen. And you do not leave your silo because your friends are inside and outside there could be wolves! and dragons! or worse – blood traitors! Giving in to your enemy request once is like inviting a vampire into your home. One never knows what will happen. It’s best to barricade the door and wait for the postnuclear winter. You can only leave your bunker according to ITIL rules. Does ITIL say to eat? No? then die of hunger we shall!

GNS 2.2 is coming…


Every now and then I have a look how the good old GNS is changing and I was kind of amused to see that the 2.2 update will bring the link awareness, that is: if you don’t connect a cable between two devices, the link will be down/down. Before, any link that you unshut would be automatically up.
Anyways, I’m kind of ”between jobs” at the moment as i’m moving to a different team so I feel like i’m in a limbo. Stll, if everything goes according to plan in the next 2 months, there are a few courses that i’d like to do in the future, depending on what i’ll be doing in my new team. It’s either CCIE wireless from networkdojo or CCIE enterprise from Micronics. Or maybe both.

On a slightly related note, i’ve been reading 12 rules for life by Jordan Peterson and I found this passage that I thought was very inspiring. If you have a choice between security and self-improvement, it’s a good idea to choose improvement.

“You are by no means only what you already know. You are also all that which you could know, if you only would. Thus, you should never sacrifice what you could be for what you are. You should never give up the better that resides within for the security you already have—and certainly not when you have already caught a glimpse, an undeniable glimpse, of something beyond.”

It’s important to have someone to look up to.


I was watching another video with Jordan Peterson today and I was reminded of how important it is to have an authority figure in your life, someone you can look up to, someone that you can listen to every day. Especially now where the world is changing at a pace never seen before, we are getting a bit lost, and there are many questions that nobody seems to have a good answer to. How to catch up with the changing technology and expectations at our workplace? What is my role in the family that is so unlike the family I was part of as a child? how to keep my life balanced and meaningful? Am I smart enough to get ahead in life or in my job?

A decade ago, back when I started learning about IP networks, I was lucky enough to stumble upon Jeremy Cioara, an amazing instructor from CBTnuggets. But he’s not only that: he can create an atmosphere where you can believe that you can achieve anything you want, that you are capable of achieving your goals, and that your goals are worth fighting for. Once in a while Jeremy will share with you his vision of the world, or he will tell a story about his wife and kids, how he deals with pressure etc., And even though it’s supposed to be strictly about IT, these extra bits and pieces about ”the world of Jeremy” are such a great addition to these courses because then Jeremy becomes a real person, a person that has the same challenges that you have, a person that also deals with the lack of time, with any mistakes he’s made at work etc. And he is able to maintain an unbelievable level of optimism and certain insouciance that makes you feel that this can be indeed the best job you can get because no problem is insurmountable.

For a few years Jeremy’s words were probably nearly 90% of all words that I heard every day as i spent up to 6 hours every day watching CBT. I’m fairly sure that if it hadn’t been for Jeremy, I wouldn’t have achieved that much in such a short period of time. And it would have been much more painful with any other trainer. So if you’re like me, try to browse through a few IT portals with video courses and see if any person in particular comes across as someone that you admire or at least someone you don’t mind watching for very extended periods of time.

So to all Jeremies, Brians and Jordans out there: cheers! You are the leaders of men in the age of technology and fast-paced change.



Cisco Field Notices


Once in a while Cisco releases a so-called Field Notice, and i’ve learnt that it’s a good idea to subscribe to those notifications because they can spare you a lot of trouble.

Usually a field notice means a bug so critical that it is imperative that you upgrade your devices as soon as humanly possible. The device may crash, die, steal your money, attempt to leave the data center and kill your relatives or worse.

You can subscribe to those notifications at . They will send you a validation email. Once you validate your email account, you will start getting notifications about bugs and field notices.

One example from this week was a FN for 3650, whose constant memory leaks meant that my SNMP manager kept creating tickets ”device lost”, because the device wasn’t responding to snmp polls.


A more flagrant example (a catastrophy, really) was the time where the clocks failed on ASAs after a certain time…








Multicast: your bidir RP needs to know that it’s the RP for bidir groups


Today a real no-brainer (especially in hindsight). I had a config where the distribution switch has some vlan interfaces with multicast devices connected to access switches downstream. The problem was that devices on different vlans couldn’t communicate with multicast even though PIM sparse was enabled on both vlan interfaces and RP was set for all groups for bidir traffic. The problem was really simple: if you add the keyword bidir, make sure that on RP you set the same bidir keyword, otherwise it only wants to be an RP for non-bidir multicast traffic.

The lesson here is again very simple: divide the problem into digestible chunks:

  • what vrf are you looking at?
  • is the RP for the same vrf? do you have any RP-address config where you have bidir for some groups only?
  • is sparse mode enabled? or bidir?
  • what can you see in show ip mroute? S,G entries or only *,G entries? why?
  • what can you see in show ip igmp membership tables?
  • where is the RP? what can you see on the RP? Does it know that it is the RP and is PIM enabled on the interface with the IP address that is the RP? Is the same mode enabled (sparse? bidir?) Is it bidir for all groups or only for some?

A bit of research (especially if you deal only occasionally with multicast) doesn’t hurt. That way you know (and you’re not surprised…) why you only see *,G entries when bidir is enabled.