Can’t apply ACL on nexus 7000?

Unbelievably, there is a bug on Nexus 7000 that can prevent you from applying any ACLs to the interface. The result is that the following command gives TCAM allocation failures.

ip access-group MYACL in

The solution is to use the following command:

hardware access-list resource feature bank-mapping


I was quite proud of the fact that I found the solution in 20 minutes.


Troubleshooting VPN S2S takes patience


I’ve found a number of times that if you have a crypto map that is applied to an interface, changes made to the transform-set that is applied to this interface are not applied instantaneously. So e.g. you have this crypto map:

crypto map MYMAP ipsec-isakmp 10

set peer

set security-association lifetime kilobytes 4608000
set security-association lifetime seconds 3600

set transform-set MYSET
set pfs group5

Now if you change MYSET, your router may still send out the old MYSET. Solution no1:

  • be patient, wait 15 minutes
  • clear the crypto map, apply it again
  • shut and unshut the interface

So if you’re troubleshooting a broken S2S VPN, make one change, wait 15 minutes, check, if it’s still not working only THEN make another change.

Today I spent 80 minutes in a troubleshooting session with an engineer from the remote end trying one thing after another and nothing worked. We ended the session and set up another one for the next day. I  reverted the config to the original settings + made 1 change that should be ok (but it still wasn’t ok! ), went shopping, came back, and it just worked!


I love the ARCH 300-320 book.

Reading through the new CCDP book, I came across an interesting fact. Turning off trunk mode negotiaion (switchport mode trunk) and DTP (switchport nonegotiate) can reduce the link transition time by 2 seconds!

Further, it is good to put your most important vlans as low-number vlans, because they are first to come up. This can save probably miliseconds rather than seconds but it’s still a timesaver.

How to learn and how we do it


What portals do I use to learn?

  • INE
  • CBT nuggets
  • Chris Bryant’s Bulldog courses at
  • Skilsoft

It’s difficult to say which one I prefer, because it depends on the level you’re at. If you’re starting, get a subscription at or get Chris Bryant’s course. If you’ve already passed CCNP, probably INE should be the logical next step. Skilsoft courses are a bit different in that there’s more theory and less practice but i’ve found that they can be more indepth in certain areas (e.g. security) than CBT’s equivalents, although INE will usually offer the most depth. CBT is a nice primer if you know nothing and you want to get a feel of what’s coming up.

Something to bear in mind is that before an actual exam you need to read Cisco documentation because a lot of topics don’t come up in any course, sometimes because Cisco didn’t actually specify a given topic in their exam blueprints, sometimes because the trainer didn’t think that the topic was important enough or quite the opposite – a topic could be too complex and they didn’t think that the exam would go into that much detail (SIMOS exam is the best example here where the exam is soooo much more comprehensive than what blueprint says).

Of course, lab up anything you’ve learnt because you will be amazed at how fast you forget stuff you don’t use. Commands are best learnt with your fingers, not with your eyes.


Lastly, don’t exaggerate with the pace. 1-2h of learning a day is probably the absolute maximum for people with some personal life. ”Speed runs” are good only for a short time, I guess. (divorce rates appear to be distinctly higher in CCIE holders)

CCDP exam countdown starts as official guide is already out on Safari!


As you might know, I’m a big fan of Safari. I’m now preparing for the revised CCDP exam so I was pleasantly surprised when I found the official guide on Safari – one month before the official release date! Nice!!!

I’m hoping to take the exam sometime in March. My plan is to go through the whole CCIE R&S material (which covers a lot of material from CCDP), read the CCDP book plus read as many Cisco validated designs as I can. CCDA was a bit of a challenge because it had some legacy technologies that Cisco should have buried a long time ago so maybe the revised CCDP will actually feature some real-life scenarios.  I’ve learnt not to be overly optimistic about the quality of Cisco exams (their NDAs should say ”don’t diss the quality of our exams publicly”) Sorry Cisco – I guess I still hold a grudge about that faulty routing lab you gave me in 2014.

DSL usernames and passwords for PPP in Telekom


I was connecting an 886 VA-J Cisco router do a DSL line in Germany the other day and I learnt some useful stuff:

  • if you do not use their Digitalisierungsbox as the modem, you need to get a TAE>RJ11 adapter. TAE end goes to the DSL cube with the cables that the technician installs in your wall, and the RJ11 goes to the VDSL port on your router.
  • it turned out that the syntax for dialer settings is a bit funny. So when they send you a piece of paper with some numbers (Anschlusskennung, T-online-nummer, Mitbenutzernummer, Kennwort), you are actually supposed to use them as follows:

So if Anschlusskennung is 11111111, Tonlinenummer is 222222222222 and Mitbenutzernummer is 0001, Kennwort is 3333333, your chap hostname should be:

And the whole config is as follows

interface ATM0
 no ip address
 load-interval 60
 no atm ilmi-keepalive
interface ATM0.7 point-to-point
 pvc 1/32 
  bridge-dot1q encap 7
  pppoe-client dial-pool-number 1

interface Dialer1
 ip address negotiated
 no ip directed-broadcast 
 encapsulation ppp 
 dialer pool 1 
 dialer-group 1 
 ppp authentication chap callin 
 ppp chap hostname
 ppp chap password 333333


If you don’t get an ip address, turn the PPP debug on (debug PPP packet, debug PPP events) and put your thinking cap on, too 🙂


NM-8A/S module as a terminal server

Using NM-16A/S or NM-32A/S is easy peasy, because they are dedicated terminal server modules and you have octal cables. But NM-8A/S is a bit more complex because you need more cables, adapters, and special commands to get this working. Now, I don’t recommend the NM-8A/S modules but sometimes you can get them really cheap compared to the other ones, so here’s how to set it up as a terminal server:

  • put the module into a 2621xm router (or any of the routers listed on nm-8A/S Cisco page)
  • take a Cisco CAB-232MT cable, connect it to one of the ports on the module
  • take the male end of the CAB-232MT cable and connect it to DB-25female>DB9male adapter.
  • connect the adapter to a standard cisco blue console cable
  • plug the rj45 into some other router’s console port

Now power up the 2621xm, go to the serial interface (remember that they’re numbered from the right):

conf t

int s1/0

physical-layer async


This causes the serial to go into async mode.

Now issue the command:

show line

This command shows you which line you need to use (in my case it was line 33, because the it’s S1/0 module. If it was S0/0 module, it would be line 1.)

Then, make a loopback0 interface and add an ip address to it:

int loop0

ip addr

Then, go to the line interface and modify the transport parameters:

conf t

line 33

transport input telnet

transport output telnet


Finally, create a host/port mapping:

ip host R1 2033

This maps the address/port to the name of the router that you want to manage.

Now you can manage other routers by telnetting to this router’s loopback interface:

telnet 2033

This moves you to the R1 console port.

Alternatively, just type R1 and press Enter.

You can use Shift+Ctrl+6 and then X to leave the managed router and go back to your terminal server.

Now add more mappings for other managed routers:

ip host R2 2034

ip host R3 2035

ip host R4 2036

and so on and so forth.

Rack 1 ready to rumble

Just look at this: Isn’t this beautiful?  This is the rack that I’m going to use for demos:


2×3550 (soon to be replaced by 3560v2 or 3560e)

2651xm + NM-32A (access server)

ASA 5520 (for vpn users)




1x SRX210 (in case I want to draw a comparison with Junos)

In each rack there will be a small Edimax wifi router so that each group can connect to a separate SSID on a separate wifi band.

Big thanks to Kaziu!!! (”tak to by człowiek się w niedzielę obijał i chodził z kąta w kąt”)


Logging discriminator on routers and switches, logging lists on ASA


If your routers/switches send useless but high-level messages to your syslog server, you can use a logging discriminator to eliminate some unwanted log messages.


This is an example of a cisco bug message on a Cisco 881 router. It doesn’t mean anything and can only be fixed with an ios upgrade. You can also choose not to do anything about it because nothing is actually broken, but the syslog has a critical class and looks ugly in your kiwi logs.

734605: Jul 15 12:33:26.295 CEST: %SYS-2-CHUNKINVALIDHDR: Invalid chunk header type 1 for chunk 8419EBA4, data 8419FEEC -Process= „Net Background”, ipl= 3, pid= 27,  -Traceback= 0x8084F720 0x80037078 0x8034D438 0x8170FA3C 0x8170D6AC 0x8170D978 0x816E6BD0 0x8190F7CC 0x8190FDC0 0x80C13514 0x8144F354 0x803241D4 0x80C1370C 0x8144F354 0x80B3B538 0x81450CC8

To eliminate this critical syslog entry, use a logging discriminator.

logging discriminator NOCHUNK severity drops 2 facility drops SYS mnemonics drops CHUNKINVALIDHDR

logging console discriminator NOCHUNK

logging monitor discriminator NOCHUNK

logging trap warnings

logging host discriminator NOCHUNK


On firewalls, you need a different approach, because the discriminator has not been implemented on ASA.Therefore, you need to add messages on top of a specific logging level.

Logging message 111111 level errors (find message number in cisco documentation)

or use lists:

logging list my_critical_messages level 1
logging list my_critical_messages message 611101-611323
logging trap  my_critical_messages