One of my users was complaining about error messages he's getting from Google Wallet when trying to buy the yearly subscription. He wrote "When I try to login with my Google credentials I get some kind of error page where I can't do anything unless I supply them with scan copies of an ID." Is anyone else experiencing problems? Thank you!
by Ivan Pepelnjak (noreply@blogger.com) at January 27, 2012 11:53 AM
Did you rush to try OSPF Loop Free Alternate on a Cisco 7200 after reading my LFA blog post ... and disappointedly discovered that it only works on Cisco 7600? The reason is simple: while LFA does add feasible-successor-like behavior to OSPF, its primary mission is to improve RIB-to-FIB convergence time.
by Ivan Pepelnjak (noreply@blogger.com) at January 27, 2012 07:31 AM
Today I attended Node Summit. Node Summit is a conference to discuss the ecosystem around Node. Node is a very important tool. If you have not heard of Node, then today is the day you need to start paying attention to it. You can find my summary of the first day of Node Summit here to learn more. Back to the topic at hand. One of the speakers today made the statement that security is everyone’s job. That speaker was Steve Pawlowski. Steve is a senior fellow and CTO at Intel. I can tell you that he is definitely a smart guy. He gave a talk discussing many aspects of the cloud, ranging from measuring picojoules per execution on processors to cloud designs. His comments around security really hit home for me.
Assume we have a simple triangular network:
Now imagine the A-to-C link fails. How will OSPF react to the link failure as compared to EIGRP? Which one will converge faster? Try to answer the questions before pressing the Read more link ;)
by Ivan Pepelnjak (noreply@blogger.com) at January 26, 2012 06:18 AM
Have you ever found yourself troubleshooting a problem caused by a coworker or consultant mistyping a command? It happens, everyone makes mistakes, but what's frustrating is when people won't own up and admit they made the mistake. Not only is it dishonest, it also impedes a fast resolution, because knowing exactly what was changed tells you what to undo.
As a result, you might find yourself wishing there was a relatively simple way to see every command typed into every router and switch in the network... Well, there is, and it's really easy to configure.
Configuration Change Notification and Logging, or simply Configuration Logging, is Cisco's method to log every configuration command entered on your Cisco IOS routers and switches. The feature was introduced in 12.3(4)T & 12.2(25)S, so it should be available in almost any IOS device that's been upgraded in the last 5 years. It can log locally up to a specified number of lines of config, and even send the commands off to a syslog server.
The following examples are from a Cisco 3550 switch and demonstrate how to configure and monitor change logging.
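The post's own 3550 examples are not reproduced here. As an added example (not the post's code), the triage below shows what a defender does with the syslog copies of those logged commands: attribute each command to a user and flag the ones that weaken the audit trail or change credentials or management access. It assumes the records use the %PARSER-5-CFGLOG_LOGGEDCMD mnemonic with a "User:<name>  logged command:<command>" body (assumed layout), and the log lines are constructed.

```python
"""Triage of Cisco IOS configuration-logging syslog messages.

Added example, not from the original post. It assumes the feature's syslog
records use the %PARSER-5-CFGLOG_LOGGEDCMD mnemonic with a
'User:<name>  logged command:<command>' body (assumed layout); the log
lines below are constructed, not taken from a real device.
"""
import re
from collections import defaultdict

CFGLOG_RE = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD:\s*User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)

# Commands a defender wants called out: those that weaken the audit trail
# itself and those that change credentials or management access.
WATCH = [
    ("audit-trail", re.compile(r"^no (logging|archive|log config)\b")),
    ("credentials", re.compile(r"^(username|enable (secret|password)|snmp-server community)\b")),
    ("access", re.compile(r"^(no )?(ip )?access-(list|group)\b|^line (vty|con)\b")),
]

# Constructed sample: two operators, one of whom disables the syslog
# destination and then adds a privileged account (secret already masked).
SAMPLE_LOG = """\
Jan 27 2012 11:53:02: %PARSER-5-CFGLOG_LOGGEDCMD: User:alice  logged command:interface FastEthernet0/1
Jan 27 2012 11:53:05: %PARSER-5-CFGLOG_LOGGEDCMD: User:alice  logged command:description uplink to core
Jan 27 2012 11:54:10: %PARSER-5-CFGLOG_LOGGEDCMD: User:bob  logged command:no logging host 10.0.0.5
Jan 27 2012 11:54:12: %PARSER-5-CFGLOG_LOGGEDCMD: User:bob  logged command:username svc-ops privilege 15 secret *****
Jan 27 2012 11:55:00: %SYS-5-CONFIG_I: Configured from console by bob on vty0 (10.0.0.9)
"""


def parse_cfglog(line):
    """Return (user, command) for a config-log record, else None."""
    m = CFGLOG_RE.search(line)
    return (m["user"], m["cmd"].strip()) if m else None


def classify(cmd):
    """Return the WATCH category the command falls into, or None."""
    for label, pat in WATCH:
        if pat.match(cmd):
            return label
    return None


def triage(log_text):
    """Group logged commands per user and collect the flagged ones.

    Returns (per_user, alerts): per_user maps a username to the ordered
    list of commands that user entered; alerts is a list of
    (user, category, command) tuples for commands matching WATCH.
    """
    per_user, alerts = defaultdict(list), []
    for line in log_text.splitlines():
        rec = parse_cfglog(line)
        if rec is None:
            continue  # not a config-log record (e.g. the CONFIG_I line)
        user, cmd = rec
        per_user[user].append(cmd)
        cat = classify(cmd)
        if cat:
            alerts.append((user, cat, cmd))
    return dict(per_user), alerts
```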
Over the coming weeks I will be running a new series here on Troubleshooting Voice. I often have students in class report to me that one of the most difficult parts of their CCIE Voice exam experience was having to deal with the inner workings of some of the protocols and how to read and decipher them accurately. I have also begun to see this more and more across the various mailing lists and forums, and so I decided it was time to start an entire series on these not-to-be-feared topics. Since these protocols are covered quite in-depth in the CCNP Voice course (most specifically in the CVOICE portion), I highly encourage people starting out in Unified Communications not to skip the lower level courses, and to really dig in at the CCNA Voice and then CCNP Voice level before going into the CCIE Voice. At each level something is presented that is not explained at the next level, so it really is crucial to go through each progression of the track in a sequential and systematic order. This goes especially for those who might already have a CCIE and think they understand what the CCIE is all about. They probably understand very well what the exam itself is all about; however, the underlying Voice technologies are vastly different from the data world they may be used to. In fact, I hear this quite a lot from people making the jump from a R&S IE to the Voice side of the realm: “Man, this Voice stuff is totally different!”
To begin with, we will start out a bit easy, and go over the basics of everyone’s favorite client/server gateway protocol – MGCP or “Media Gateway Control Protocol”.
MGCP has a series of commands that are exchanged between the client and the server. In the basic Cisco UC world (basic meaning enterprise side of things rather than the carrier side), the client (‘gateway’) is almost always an IOS voice-enabled router, and the server (‘call agent’) is always the Unified Communications Manager (UCM).
Here are the basic commands that are used to exchange messages between call-agent and gateway:
Connection Commands
Audit Commands
Request Command
Endpoint Command
Notify Command
Restart Command
Now, let’s look at each command in a bit more detail.
Three messages are used by a call-agent to manage an RTP connection on a media gateway:
CRCX = CReate Connection
Two messages are used by a call-agent to query the status of a media gateway:
AUCX = Audit Connection
One message is used by a call-agent to request a notification of events on a media gateway:
RQNT = Request for Notification
One message is used by a call-agent to manage a media gateway:
EPCF = EndPoint ConFiguration
One message is used by the media gateway to notify the call-agent about an event which the call-agent requested notification about:
NTFY = Notify
One message is used by the media gateway to tell the call-agent that it is in the process of restarting:
RSIP = ReStart In Progress
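Reading and deciphering these messages is easier with a decoder in hand. The following is an added example, not code from the original post: it parses one MGCP command into its verb, transaction ID, endpoint, parameter lines and optional SDP body, and tells you which side (call-agent or gateway) is supposed to send that verb, using the commands the post lists. The wire layout (a command line "verb txid endpoint MGCP 1.0", then "code: value" lines, a blank line, then SDP) is taken from RFC 3435; the two sample messages are constructed.

```python
"""Decoder for MGCP command messages in the RFC 3435 text format.

Added example, not from the original post. The VERBS table is limited to
the commands the post names; the wire layout follows RFC 3435 section 3.
The sample messages are constructed, not captured from a real gateway.
"""
from dataclasses import dataclass, field

# Verb -> (expected sender, purpose), as described in the post.
VERBS = {
    "CRCX": ("call-agent", "create connection"),
    "AUCX": ("call-agent", "audit connection"),
    "RQNT": ("call-agent", "request notification"),
    "EPCF": ("call-agent", "endpoint configuration"),
    "NTFY": ("gateway", "notify"),
    "RSIP": ("gateway", "restart in progress"),
}

# Constructed samples: a CRCX from the call agent and the NTFY a gateway
# sends back when the requested off-hook (L/hd) event occurs.
SAMPLE_CRCX = (
    "CRCX 1204 aaln/1@gw1.example.com MGCP 1.0\n"
    "C: A3C47F21456789F0\n"
    "L: p:20, a:PCMU\n"
    "M: sendrecv\n"
    "X: 0123456789AB\n"
    "R: L/hd\n"
    "S: L/rg\n"
)
SAMPLE_NTFY = (
    "NTFY 2002 aaln/1@gw1.example.com MGCP 1.0\n"
    "N: ca@ca1.example.com:5678\n"
    "X: 0123456789AB\n"
    "O: L/hd\n"
)


@dataclass
class MgcpCommand:
    verb: str
    transaction_id: int
    endpoint: str
    version: str
    params: dict = field(default_factory=dict)
    sdp: str = ""

    @property
    def sender(self) -> str:
        """Which side is supposed to originate this verb."""
        return VERBS[self.verb][0]


def parse_mgcp(text: str) -> MgcpCommand:
    """Parse one MGCP command; raise ValueError on anything malformed."""
    head, _, sdp = text.replace("\r\n", "\n").partition("\n\n")
    lines = head.strip("\n").split("\n")
    parts = lines[0].split()
    if len(parts) < 5 or parts[0].upper() not in VERBS:
        raise ValueError(f"unrecognised command line: {lines[0]!r}")
    verb, txid, endpoint = parts[0].upper(), parts[1], parts[2]
    if not txid.isdigit():
        raise ValueError(f"transaction id must be numeric: {txid!r}")
    params = {}
    for line in lines[1:]:
        code, sep, value = line.partition(":")
        if not sep or not code.strip():
            raise ValueError(f"malformed parameter line: {line!r}")
        params[code.strip().upper()] = value.strip()
    return MgcpCommand(verb, int(txid), endpoint, " ".join(parts[3:]), params, sdp)
```

When troubleshooting a capture, comparing `cmd.sender` with the address a message actually came from quickly shows a gateway and call agent that have their roles confused.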

Scott Lowe asked a very good question in his Technology Short Take #20:
VXLAN uses UDP for its encapsulation. What about dropped packets, lack of sequencing, etc., that is possible with UDP? What impact is that going to have on the “inner protocol” that’s wrapped inside the VXLAN UDP packets? Or is this not an issue in modern networks any longer?
Short answer: No problem.
by Ivan Pepelnjak (noreply@blogger.com) at January 25, 2012 06:28 AM
Today, more than ever, companies have been adopting new open source tools to use in production. It seems like the NoSQL movement has opened up companies to adopting newer, more cutting-edge technology faster than ever. Tools like redis, CouchDB, MongoDB, and Node seem to be showing up all over the Internet in many new web applications. This is fantastic, as the technologies behind these products are quite amazing. I use them every day in the various tools that I have written, and they are just a joy to work with. But I was thinking: who tests this stuff for security issues? According to Linus’ Law most of these products should be fairly secure, but how many eyes do you really need to ensure there aren’t potential security threats in these technologies? These tools have been adopted by thousands of organizations, and they have them running naked on the Internet. I wondered what would happen if you tried to attack these services and what the potential impact could be.
Just ahead of our brand new CCNA Voice live online bootcamp beginning this Monday, I thought it might be nice to provide an easy-to-follow graphic for those starting out in Voice (or on any other Cisco networking track). This graphic was from last year, but remains quite easy to follow for each and every Cisco track.
Be sure you have a high resolution set if you wish to see the entire thing, otherwise scrolling may be necessary.
Click here for the Cisco Career Certification Path poster
In the Redundant DMVPN Design, Part 1 I described the options you have when you want to connect non-redundant spokes to more than one hub. In this article, we’ll go a step further and design hub and spoke sites with multiple uplinks.
Fact: DMVPN tunnel endpoints have to use public IP addresses or the hub/spoke routers wouldn’t be able to send GRE/IPsec packets across the public backbone.
by Ivan Pepelnjak (noreply@blogger.com) at January 24, 2012 07:23 AM
Really interesting write-up, let's see if the world follows Google's advice (since that's what it will take!).
http://googlecode.blogspot.com/2012/01/lets-make-tcp-faster.html
by peter_revill (noreply@blogger.com) at January 23, 2012 06:39 PM
I've heard people say cell phones are rude. I say cell phones are merely a tool, it's the people that are rude. Give a rude person a cell phone, and they'll be rude with a cell phone.
During a live performance by Slovakian violinist Lukas Kmit, someone's Nokia went off. Instead of storming off the stage, Lukas made light of it and mocked the ringtone. Check it out in this video.
One of my readers couldn’t figure out which IPv6 webinar to buy. He wrote:
I bought your Service Provider IPv6 Introduction webinar. I’m also interested in Building IPv6 Service Provider Core and Building Large IPv6 Access Networks. I realized that the second training is not released yet and it says that it's an update session for the first training, so do I need to buy both? I would like to download all the material related to the trainings so I would watch them whenever I need.
It seems I did overcomplicate a few things, so I’ll try to clear up the confusion I created.
by Ivan Pepelnjak (noreply@blogger.com) at January 23, 2012 06:53 AM
The following are a few tips I've learned to make working with connectors in Visio a little smoother. Feel free to contribute your own in the comments.
Visio's default method of depicting connectors which cross but do not intersect is to illustrate one line arcing over the other. This is great for electrical drawings and other schematics, but isn't always accommodating of network topologies, especially when one line intersects a number of other closely-spaced lines.

For a cleaner look, change the line jump style to "gap," which renders aesthetically pleasing white space to highlight line crossings. From the Developer tab on the ribbon, select Show ShapeSheet > Page. (If you don't have the Developer tab, go to File > Options > Customize Ribbon and enable it.) The page's ShapeSheet pops up in a window consuming the bottom half of the screen. Under the Page Layout heading, double-click the LineJumpStyle key and select "2 - visLOJumpStyleGap" from the available options. Press Enter to save the selection.
According to Google Analytics these were the most popular posts I wrote in December 2011:
by Ivan Pepelnjak (noreply@blogger.com) at January 22, 2012 10:56 AM
The popular file sharing site MegaUpload was shut down by the US FBI and Department of Justice on Thursday, January 19, and executives from the company were taken into custody. This story is very well covered by the Wall Street Journal and includes a copy of the indictment for your reading.
As you would expect, this was a wildly popular site with users from all over the world. So much so that even notable celebrities appear in a video discussing MegaUpload, almost endorsing it. Previous work by Arbor Networks showed that content providers and hosting sites like MegaUpload are the new “Hyper Giants”. With enough global data, you can actually see the traffic drop when the shutdown occurs. Based strictly on the traffic rates it appears that the shutdown started just after 19:00 GMT on January 19, with traffic plummeting down over the next two hours. The graphic here shows three main client regions – Asia-Pacific, Europe, and the US.
Over the past 24 hours, the top countries (in aggregate) using MegaUpload were the United States, France, Germany, Brazil, Great Britain, Turkey, Italy, and Spain, although dozens more countries are represented.
As for the traffic drop off, we’re not the only ones to notice. As seen on Twitter, South America experienced a dramatic traffic drop at about the same time, presumably due to this MegaUpload shutdown. Furthermore, we’re seeing reports of a fake MegaUpload site that is supposedly a malware infection site.
Friends of mine from elsewhere in the world have been joking that the Internet seems to be running a bit smoother today. That may be, given how much bandwidth appears to have been freed up.
About six months ago, I wrote out my predictions about the rumored CCIE Data Center certification. I figured it would be a while before we saw anything about it. In the interim, there are a lot of people out there that are talking about the desire to have a CCIE focused on things like Cisco UCS and Nexus. People like Tony Bourke are excited and ready to dive head first into the mountain of material that is likely needed to learn all about being an internetworking expert for DC equipment. Sadly though, I think Tony’s going to have to wait just a bit longer.
I don’t think we’ll see the CCIE Data Center before December of 2012.
DISCLAIMER: These suppositions are all based on my own research and information. They do not reflect the opinion of any Cisco employee, or the employees of training partners. This work is mine and mine alone.
Why do I think that? Several reasons actually. The first is that there are new tests due for the professional level specialization for Cisco Data Center learning. The DC Networking Infrastructure Support and Design Specialist certifications are getting new tests in February. This is probably a refresh of the existing learning core around Nexus switches, as the new tests reference Unified Fabric in the title. With these new tests imminent, I think Cisco is going to want a little more stability in their mid-tier coursework before they introduce their expert level certification. By having a stable platform to reference and teach from, it becomes infinitely easier to build a lab. The CCIE Voice lab has done this for a while now, only supporting versions 4.2 and 7.x, skipping over 5.x and 6.x. It makes sense that Cisco isn’t going to want to change the lab every time a new Nexus line card comes out, so having a stable reference platform is critical. And that can only come if you have a stable learning path from beginning to end. It will take at least 6 months to work out the kinks in the new material.
Speaking of 6 months, that’s a bit of the magic number when it comes to CCIE programs. All current programs require a 6 month window for notification of major changes, such as blueprints or technology refreshes. Since we haven’t heard any rumblings of an imminent blueprint change for the CCIE SAN, I doubt we’ll see the CCIE DC any sooner than the end of the year. From what I’ve been able to gather, the CCIE DC will be an add-on augmentation to the existing CCIE SAN program rather than being a brand new track. The amount of overlap between DC and SAN would be very large, and the DC core network would likely include SAN switching in the form of MDS, so keeping both tracks alive doesn’t make a lot of sense. If you start seeing rumors about a blueprint change coming for the CCIE SAN, that’s when you can bet that you are 6-9 months out from the CCIE DC.
One other reason for the delay is that the CCIE Security lab changes still have not gone live yet (as of this writing). There are a lot of people in limbo right now waiting to see what is changing in the security internetworking expert realm, many more than those currently taking the CCIE SAN track. CCIE Security is easily the third most popular track behind R&S and SP. Keeping all those candidates focused and on task is critical to the overall health of the CCIE program. Cisco tends to focus on one major track at a time when it comes to CCIE revamps, so with all their efforts focused on the security track presently, I doubt they will begin to look at the DC track until the security lab changes are live and working as intended. Once the final changes to the security lab are implemented, expect a 6-9 month window before the DC lab goes live.
The final reason that I think the DC will wait until the last part of the year is timing. If you figure that Cisco is aiming for the latter part of the calendar year to implement something, it won’t happen until after August. Cisco’s fiscal year begins on August 1, so they tend to freeze things for the month of August while they work out things like reassigning personnel and forecasting projections. September is the first realistic timeframe to look at changes being implemented, but that’s still a bit of a rush given all the other factors that go into creating a new CCIE track. Especially one with all the moving parts that would be involved in a full data center network implementation.
Tom’s Take
Creating a program that is as sought after as the CCIE Data Center involves a lot of planning. Implementing this plan is an involved process that will require lots of trial and error to ensure that it lives up to the standards of the CCIE program. This isn’t something that should be taken lightly. I expect that we will hear about the changes to the program around the time frame of Cisco Live 2012. I think that will be the announcement of the beta program and the recruitment of people to try the written test beta. With a short window between the release of the cut scores and beta testing the lab, I think that it will be a stretch to get the CCIE DC finalized by the end of the year. Also, given that the labs tend to shut down around Christmas and not open back up until the new year, I doubt that 2012 will be the year of the CCIE DC. I’ve been known to be wrong before, though. So long as we don’t suffer from the Mayan Y2K bug, we might be able to get our butts kicked by a DC lab sometime in 2013. Here’s hoping.
It’s hard for me to admit, but there just might be a corner use case for split subnets and inter-DC bridging: even if you move a cold VM between data centers in a controlled disaster avoidance process (moving live VMs rarely makes sense), you might not be able to change its IP address due to hard-coded IP addresses, be it in application code or configuration files.
Disaster recovery is a different beast: if you’ve lost the primary DC, it doesn’t hurt if you instantiate the same subnet in the backup DC.
by Ivan Pepelnjak (noreply@blogger.com) at January 20, 2012 12:03 PM
A while ago I described the pre-standard way Cisco IOS used to get delegated IPv6 prefixes from a RADIUS server. Cisco’s documentation always claimed that Cisco IOS implements RFC 4818, but you simply couldn’t get it to work in IOS releases 12.4T or 15.0M. In December I wrote about the progress Cisco is making on the DHCPv6 front and iord@intracom.com commented that IOS 15.1S does support RFC 4818. You know I absolutely had to test that claim ... and it’s true!
by Ivan Pepelnjak (noreply@blogger.com) at January 19, 2012 01:53 PM
2012-01-19: The initial version of this post contained a serious error: the Cisco IOS DHCPv6 server does not create host routes; without an on-link prefix, the router cannot forward packets to the attached end hosts.
IPv6 hosts can use stateless or stateful autoconfiguration. Stateless address autoconfiguration (SLAAC) uses IPv6 prefixes from Router Advertisement (RA) messages; stateful autoconfiguration uses DHCPv6. The routers can use two flags in RA messages to tell the attached end hosts which method to use:
by Ivan Pepelnjak (noreply@blogger.com) at January 19, 2012 10:44 AM
We’ve added a new CCIE Voice bootcamp in London, UK this June, and loads of new CCIE R&S bootcamps to our schedule.
Of course with every 10-Day R&S or Voice Bootcamp purchase, INE gives you your choice (at no extra cost whatsoever) of adding on either:
OR
Of course, you may still choose to attend simply the first or second week of any of these classes listed on the schedule.
Most of the DMVPN-related questions I get are a variant of the “how many tunnels/hubs/interfaces/areas do I need for a redundant DMVPN design?” As always, the right answer is “it depends” (and I can always help you with your design if you’d like to get a second opinion), but here’s what I’ve learned so far.
by Ivan Pepelnjak (noreply@blogger.com) at January 17, 2012 07:03 AM