Networking Podcasts

I have a long commute and I like to make good use of this time. I used to listen to a lot of audiobooks ( was great!), but now I listen mostly to podcasts. Here are some podcasts I recommend:

Packet Pushers

 “The Packet Pushers Podcast is an audio program published multiple times per month covering the data networking industry. Co-hosts Greg Ferro and Ethan Banks are professional network architects and writers with many years of network engineering and design experience in a variety of industries, as well as being Cisco Certified Internetwork Experts.”

This is a highly technical podcast. I listen to the “Fat Pipe” feed, which is all their podcasts. If that’s too much content for you, there are several feeds that you can use to limit the content. There’s a great back catalog of episodes here. Really good stuff!


Wireless LAN Weekly

“A weekly audio podcast designed to educate, inform, entertain, and inspire Wireless LAN Professionals. Those folks dedicated to the craft of designing, installing, configuring, maintaining, securing, troubleshooting and managing Wireless Networks.”

This is another podcast that has a great back catalog. If you are into wireless, you might want to listen to the whole back catalog. You’ll learn a lot! You might also want to check out the videos recorded at the WLAN Pros Summit.


No Strings Attached

Another WLAN-focused podcast. They do a combination of news/discussion episodes and sponsored episodes covering new equipment and software from leading vendors.


Cisco TAC Security Podcast

“The Cisco TAC Security Podcast Series is created by Cisco TAC engineers. Each episode provides an in-depth technical discussion of Cisco product security features, with emphasis on troubleshooting.”


Cisco Champions Radio

“#CiscoChampion Radio is a podcast series by Cisco Champions as technologists and I.T. professionals, hosted by Cisco’s Amy Lewis (@CommsNinja).”

This podcast covers a variety of Cisco-centric networking topics.


The Class-C Block

“The Class-C Block is a show dedicated to all things networking and nerdy. It is the most awesomest place – it is where you want to be. It is the brain child of Matthew Stone and CJ Infantino. The show discusses a variety of networking topics, and occasionally drifts into other nerdy topics.”


Other IT Podcasts
These podcasts are not necessarily networking related, but they are IT related.

AdaptingIT

“The idea for this podcast came about when Mike Laverick, Jane Rimmer, and Lauren Malhoit, were discussing how to encourage more women to get involved in the technical community.  This podcast is not necessarily about women in tech, but rather women talking about tech.”

I often don’t listen to the entire show, but I normally listen to at least the beginning and end. Often the middle talks about areas that I either don’t grok or don’t have much interest in.


Geek Whisperers

“The Geek Whisperers came to be in 2013 based on one too many good conversations we could no longer keep private. Focused on Social Media and Community for Enterprise, our home base is High Tech, but we all look far beyond our field and current communities for inspiration.”

This podcast is more about social media and marketing-ish topics. I find it valuable (it’s full of unicorns and bacon), but it might be a bit too inside baseball for those not active in social media.



No More VLANs Jumping on the Trunk

No more VLANs jumping on the trunk. That’s what I wanted. Instead, I got all the VLANs and a nice supervisor-debilitating loop in the process… From my after action report: “the issue was a configuration error that caused the CPU to peg at 99%, which caused a variety of issues.”

Due to a legacy design that we have been working to retire, we have a layer 2 Ethernet WAN that can’t run STP. Yep, it’s a loop waiting to happen.

We were migrating sites to a new WAN. The circuits come in over a trunk with each site getting a VLAN tag. I was moving the last site from an interface. The procedure I wrote had the VLAN being removed from the interface with “switchport trunk allowed vlan remove ###”. Worked great until we hit the last VLAN on the trunk. When the last VLAN is removed from an interface, you might expect no VLANs to be allowed. If that’s what you expected, you are wrong. When you remove the last VLAN with “switchport trunk allowed vlan”, the port reverts to allowing ALL VLANs.

Unfortunately, since all VLANs were suddenly available on that port, it allowed a bridging loop to be created through the sites that were still connected to both the old and new WANs. This caused a variety of different bits of havoc that resulted in connectivity issues. Yeah, something of an understatement.

So, here’s some lessons I took from this:

  • Dual connected sites should have their legacy WAN ports shut down once they are stable. (This shouldn’t be a problem in a proper L3 design, but is important with our broken L2 design.)
  • Designs that prevent you from using STP to prevent loops need to be fixed sooner rather than later.
  • Entering explicit commands is better than implicit. In this case, “switchport trunk allowed vlan none” would have been better than “switchport trunk allowed vlan remove <last vlan>” and assuming the result will be what you expect.
  • Don’t make assumptions on how a device will behave. Lab it and know.
  • Always verify that changes had the desired effect. Had I verified the interface was configured as expected, the problem would have been discovered immediately and had little or no impact.
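As an added example (not from the original post), here is a Python model of the allowed-VLAN list behaviour described above, including the revert-to-all gotcha, plus an audit that flags trunks in a running config that allow every VLAN. The sample config and its VLAN numbers are constructed for illustration.

```python
# Added example (not from the original post): a model of how IOS treats the
# "switchport trunk allowed vlan" list, plus an audit over running-config text.
# The reversion rule below is the behaviour the post describes: removing the
# last allowed VLAN leaves the trunk allowing ALL VLANs.
import re

ALL_VLANS = frozenset(range(1, 4095))   # 1-4094, what IOS means by "all"


def parse_vlan_list(text):
    """'10,20-22' -> {10, 20, 21, 22}."""
    vlans = set()
    for part in text.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return frozenset(vlans)


def apply_allowed_vlan(allowed, cmd):
    """Apply one 'switchport trunk allowed vlan ...' command to a set."""
    m = re.fullmatch(r"switchport trunk allowed vlan\s+(\S+)(?:\s+(\S+))?",
                     cmd.strip())
    if not m:
        raise ValueError(f"not an allowed-vlan command: {cmd!r}")
    kw, arg = m.group(1), m.group(2)
    if kw == "all":
        return ALL_VLANS
    if kw == "none":
        return frozenset()
    if kw == "except":
        return ALL_VLANS - parse_vlan_list(arg)
    if kw == "add":
        return allowed | parse_vlan_list(arg)
    if kw == "remove":
        new = allowed - parse_vlan_list(arg)
        # The gotcha from the post: an empty list is treated as "all".
        return ALL_VLANS if not new else new
    return parse_vlan_list(kw)           # explicit list replaces the set


def simulate(cmds, start=ALL_VLANS):
    """Run commands in order (as a change procedure would) and return the result."""
    allowed = start
    for cmd in cmds:
        allowed = apply_allowed_vlan(allowed, cmd)
    return allowed


def find_open_trunks(running_config):
    """Return names of trunk interfaces that allow every VLAN."""
    open_trunks = []
    for block in re.split(r"^(?=interface )", running_config, flags=re.M):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines or not lines[0].startswith("interface "):
            continue
        if "switchport mode trunk" not in lines:
            continue
        allowed = ALL_VLANS            # no allowed-vlan line means all VLANs
        for line in lines[1:]:
            if line.startswith("switchport trunk allowed vlan"):
                allowed = apply_allowed_vlan(allowed, line)
        if allowed == ALL_VLANS:
            open_trunks.append(lines[0].split(None, 1)[1])
    return open_trunks


# Constructed sample running-config: Gi1/0/1 had its last VLAN removed.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description legacy WAN trunk
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description new WAN trunk
 switchport mode trunk
 switchport trunk allowed vlan 101,102
!
interface GigabitEthernet1/0/3
 switchport mode trunk
 switchport trunk allowed vlan none
!
"""

if __name__ == "__main__":
    print("trunks allowing all VLANs:", find_open_trunks(SAMPLE_CONFIG))
```

Running the audit after each change, rather than assuming the result, is the verification step the last lesson above calls for.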


2014 Cisco Live Bag

Cisco Live 2014 Bag
It’s getting close to Cisco Live and this year’s bag has been revealed. This is the official photo from Cisco and a couple of spy photos that I’ve been able to obtain from a source close to the project.

Joking aside, it looks like it might be a bit smaller than the recent bags and is one of the convertible messenger/backpack styles. I’m looking forward to getting mine and seeing if it’s going to replace my bag from 2013, which hasn’t quite made it through the last year unscathed…

Spy photos: Cisco Live 2014 bag, outside and inside.

Cisco Modeling Labs Overview (Updated)

CML Screenshot

A pre-release version of the Cisco Modeling Labs GUI.

[Updated with a few new details from Cisco Live Milan. See bottom of page.]

Virtual Internet Routing Lab (VIRL, or “viral”) has been a subject of discussion in my network geek corner of the Internet since Cisco announced it last year. In between then and now the name has changed. Apparently someone didn’t like having a “viral” product, so now it’s called Cisco Modeling Labs (CML, or “camel”). Right now, it looks like release will probably be early in the second quarter of 2014.

I have been testing (read “playing”) with a hosted CML server for a couple months and would like to share some of what I have learned about it.

The Basics

The system comes in two primary forms. One is a standalone VM that can be run on a desktop or laptop. The other form is for corporate and the image will run on ESXi or on bare metal. There may eventually be the ability to build clusters with the corporate version, which could allow you to lab some impressively large topologies, but that’s something they are looking at for post-FCS. The system runs in a client/server configuration with a front end client built on Eclipse.

The standalone VM flavor will be an inexpensive version for individuals (probably in $100 range) that will support up to 15 Cisco VMs and up to 100 VMs total. It will be able to run on a laptop and is a VMware image. For the Mac users, this image will run in VMware Fusion. It does not work with VirtualBox and I presume it will not work with Parallels. Neither will be supported, that much is certain. This version actually runs in a client/server configuration, too. There just isn’t a separate computer for the server.

Under the hood, the system is built on Linux using OpenStack, some “middleware”, and multiple VMs. The demo server I have been using is some variation of the corporate version and is hosted at Cisco. This cloud hosted flavor probably will not happen for corporate scale, but they know individuals may want this. When I spoke with the Cisco team they said they have plans for this, but it definitely won’t be an option at FCS.

The Devices

So what devices will you be able to lab with, anyway? The demo environment I’m working with has IOS-XRv, IOSv (a virtual version of the traditional IOS, not IOU-based), CSR 1000v, and NX-OS using Titanium. Titanium is still up in the air as to whether it will be released at FCS. Each business unit makes its own decisions about including their products in CML, so we’ll have to wait and see. Cisco says there is a project to add the ASA, but it definitely won’t be ready at FCS. You can, however, drop in a Linux machine and you can add third party machines using Grizzly, OpenStack, KVM. This is not functionality I have been able to test.

To connect the devices you will have the options of Ethernet interfaces and Ethernet interfaces. Any interface type you want, as long as it’s Ethernet. Sorry, no serial interfaces.

The system is essentially layer 3 only. There are no ASIC simulations and since all the cool L2 stuff is done in ASICs, there are no L2 features. It all uses a software-based forwarding plane. It can do 802.1Q tagging, but none of the fancy stuff like pseudowire, FabricPath, VPLS, and the like. [L2 is planned for future release, see update section.]

You will also somehow be able to tie this in to an external network, but I can’t test that, either.

The Scaling

I believe that IOSv can have up to 32 interfaces and IOS-XRv supports 124 interfaces, but I’m not certain I have those numbers correct. I can’t/don’t want to build a topology to test them.

Scale is technically only limited by memory, but on a laptop that’s not going to get you far. I believe one setup I was told about was running on something like a C210 UCS chassis and they were running 37 IOS-XRv nodes with over 2000 tunnels in 60GB RAM and using about 12% CPU.

Memory isn’t as much of an issue as you might initially think. VMs with the same memory share the pages, which helps with memory efficiency. In English, this essentially means that if you are running multiple copies of IOS-XRv, there’s really only one copy of IOS-XRv in RAM. Only the data structures for each instance add to your RAM footprint.

CPU allocation is a bigger issue. There are some tradeoffs in the different VMs. IOSv is CPU hungry but has a small memory footprint at around 300MB. IOSv is CPU hungry because it thinks the CPU is dedicated to it. IOS-XR, by contrast, is very light on the CPU but uses more RAM. IOS-XR is designed for a more modern environment. The CSR should be similar, since it was designed to be a VM from the beginning.

The Teaser

This is just a quick overview. I’m working on another post covering some of CML’s capabilities that really take it beyond being just a way to run virtual routers. That’s where CML starts to strut its stuff and become really interesting.

Lastly, if you happen to be in the greater Seattle area on Wednesday, February 26th, I’ll be speaking on CML and demoing the product for the Seattle Network Experts Meetup at the INE office in Bellevue at 17:30 PST.

The Update
An attendee of Cisco Live Milan posted some details from the team’s presentation at that conference on the Cisco Learning Network. Here’s what he had that was new:
  • Other Cisco virtual appliances (beyond the ASA) may be available later. This would cover things like vWLC, vWAAS, etc. Still up to the business units.
  • Titanium (NX-OS) will not be in v1. Hopefully v1.1.
  • The OpenStack implementation is using KVM (which is default for OpenStack).
  • His information says vIOS uses 0.5GB of RAM and CSR and XR both need 3GB.
  • The code for each of these is shared with the hardware versions. It’s recompiled for the different target environment. This means same features and bugs. This is very good for using CML to proof of concept a design or changes.
  • There are plans to deliver L2 functionality for both NX-OSv and IOSv.

Notable Notes from Cisco WLC Release Notes

I finally have the chance to work on upgrading from our WLC4404 controllers to some WiSM2s. The 4400 series controllers are only supported through the 7.0 releases of the WLC software. With 7.6 being released recently, I’m really behind in knowing what the current software can do. I read through all the release notes to see what had changed and took notes while doing so. This blog post is mostly just the notes I took in case they were useful to anyone else. I will also comment that there are a lot of RADIUS updates, mostly regarding allowing a lot more servers. That’s not applicable in my environment, so I didn’t take notes about that, but thought I’d mention it in passing.

What’s new between 7.0 and 7.6

Note: AP1121, AP1220, AP123x, and 1300 no longer supported after 7.0.

Version 7.1 releases
  • Appears to be hardware specific release for AP 3600 and WLC 5500 support.

Version 7.2 releases

  • Better IPv6 dual stack support for clients.
  • HREAP is now FlexConnect
  • FlexConnect Features
    • Efficient AP Upgrade – One FlexConnect AP in a remote office becomes the “master”. It will download new software images and the other APs in the office will download the image from the master.
    • ACLs: You can filter locally switched traffic. - Use case?
    • AAA Override: You can dynamically assign the client’s VLAN.
    • Fast Roaming for voice clients in a FlexConnect group.
    • Peer to peer blocking
  • Minimum RSSI now configurable for rogue detection (yeah!)
  • RF profiles can now be assigned to AP groups to adjust TPC settings based on the group. Good for things like having different settings for high-density or other challenging environments.
    • Only works for APs managed with RRM
  • QoS on a per-vlan basis within the AP.
  • Multicast and video streaming improvements.
  • Indoor mesh supported with 3600 now.
  • DHCP option 82 is now ASCII instead of binary.
  • AP behind NAT support. Up to 3 OfficeExtend APs (OEAPs) can be deployed behind NAT and up to 50 FlexConnect APs.
  • 802.11u/HotSpot 2.0 support added

Version 7.3 releases

  • Virtual WLC, WLC 8500, and Flex 7500 support
  • AP 2600 support
  • New HA for SSO (stateful switch over)
    • Looks like no internal DHCP support when in HA mode
  • New FlexConnect features
    • Split-tunneling – Very shiny. IP-based decision between locally switched and centrally switched traffic.
      • Supported on 1040, 1140, 1260, 2600, 3500 and 3600.
    • NAT/PAT support on FlexConnect locally-switched VLANs.
    • PPP and PPPoE added for FlexConnect APs.
      • Supported on 1040, 1140, 1260, 2600, 3500 and 3600.
      • Sounds like you can now set up connectivity without needing a router or VPN. Very nice!
    • 802.11u support
    • VLAN-based local and central switching supported. If VLAN is present on local 802.1Q link it will locally switch, if not it will centrally switch.
  • IPv6 added to SRE
  • Packet capture on the remote AP and dump them on an FTP server. Super shiny!
  • More RF profiles
  • VLAN tagging support with untagged fallback. Sounds like support for trunks that tag the native VLAN.
  • bi-directional bandwidth contracts now supported
  • “New Mobility” (aka, Hierarchical Mobility). Adds support for 5760 and 3850 converged switches.

Version 7.4

  • AP1600 support added
  • 802.11w added (standardized MFP). Windows 8 supports this natively, but has a bug in the implementation. Use a newer release.
  • Up to 75 AP with a 2500 series controller, now.
  • 2500, 8500, and 8500 get “extended support” for LAG.
  • AP location string increased from 32 characters to 254.
  • 802.11n mode now supported. Will only advertise 11n speeds. Applied to an RF profile.
  • New SNMP traps for memory and CPU utilization on AP and controller.
  • SFTP support added. Excellent.
  • Support for mDNS is added. Mostly Apple service discovery (AirPlay, AirPrint, etc)
  • AVC support. Uses NBAR and allows you to drop or mark application traffic.
  • NetFlow added, too.
  • WSSI module for AP3600 support.
  • You get a warning if too many RFID tags or clients (max supported numbers vary by controller) are on the controller.
  • Partial 802.11k implementation. (List of neighboring APs that can reduce the need for active and passive scanning)
  • Interesting – 1552 APs can be ordered with GPS and will auto-populate their location in PI. Nice time saver.
  • LLDP and MCI TLV added for 3600, 3500, 2600, 1600, 1140, 1250, 1552 and 1520 APs.

Version 7.5

  • 802.11ac wave 1 support
  • 802.11ac module for 3600 support
  • AP700 support
  • SRE support dropped. That didn’t last long. (Virtual controller is replacement, but ISM300 won’t run it.)
  • Wireless Policy Classification engine – it’s a device profiler to help with BYOD.
  • grep added to controller cli. Too bad the syntax is weird: grep include ‘Up Time’ “show sysinfo”
  • Controller GUI now supports wildcards in filters. (But wouldn’t you rather be using PI?)
  • RAP and MAP APs can now respond to ping prior to association with controller. Good troubleshooting improvement.
  • You can now force deauthentication based on IP, or more importantly, username.
  • More device profiling support. You can enforce per-user and per-device policies.
  • Sounds like protocol packs are now supported. (allows adding additional apps to AVC)
  • mDNS
    • improved to support location specific services (LSS)
    • Some filtering for source (wired vs wireless) added
    • Limit of 100 services removed – 6400 supported in 2500/5500. 16000 supported on 7500/8500
    • You can add an AP to a VLAN the controller is not connected to so it can forward mDNS requests
  • Guests successfully authenticated via web auth can be allowed to sleep for 1h – 720h (with 12h as default) without having to re-auth.
  • Built in rogue policies added. Don’t have to build it by hand anymore.
    • Lots of other updates, primarily centered on active containment.
  • vWLC can now rate limit clients (AP does the work)
  • FlexConnect updates
    • You can now apply WLAN to VLAN mappings to AP Groups.
      • Individual AP settings can override
    • 802.11w added for FlexConnect
    • PPPoE goes away.
  • 802.11w added for mesh APs
  • Default 802.1p tags changed
    • Platinum – 5 (was 6)
    • Gold – 4 (was 5)
    • Silver – 2 (was 3)
  • AP3700 support
  • AP1530 support
  • Universal Small Cell 5310 module for 3600 and 3700 – small licensed cells for mobile operators (3G)
  • DFS added for AP700
  • 802.11ac added for HA
  • DNS based ACLs for onboarding clients – lets clients connect to IT specified sites
  • Apple iOS 7 captive portal support (iOS 7 and earlier both supported)
  • NBAR 6.3.0 protocol pack is available
  • Number of supported sleeping clients increased on most platforms.
  • Auto-recovery from maintenance mode for HA deployments
  • FlexConnect AP can turn off its radio if Ethernet is down.
    • Of course, the AP has to have power that’s not PoE…
  • Can now change min/max power assignment while network is operational.
  • HA SKUs can have AP licenses added and become active instead of standby only.
    • Presumably, this allows active/active HA?

Anything 7.0.x or greater can upgrade directly to, with a handful of caveats. Please read the release notes for the version you are installing. That way you won’t be surprised by caveats I did not note, as there are a number of them. This is just a summary of the things that jumped out to me as interesting and is obviously not a complete set of release notes. Those are here:

After going through this, one of my first thoughts was that the Cisco Wireless certifications need an update again… It seems like voice and wireless just move too fast for the certs to have any hope of keeping up.


Collection of CCIE v5 Links

Yesterday Cisco announced the CCIE v5 blueprints. The majority of the changes look good to me and seem to more accurately reflect today’s networks. I like it, myself. More technologies I use and less that I don’t. :) It also looks like VIRL/CML will be pretty useful for those preparing for the v5 lab exam. More on that later…

The rest of this post is intended to be a collection of information regarding the new blueprint so you can do your own research. If you run across useful articles, please leave them in the comments and I’ll add them.

Official Cisco Documents

Blog Posts

Brian McGahan (4xCCIE, CCDE) from INE: CCIE R&S Version 5 Updates Now Official

Bob McCouch (CCIE): Some Thoughts on CCIE R&S v5

Tony Burke: Cisco CCIE v5

Daniel Dib (CCIE): CCIE RS v5 – My Thoughts

Tom Hollingsworth (CCIE): CCIE Version 5: Out With The Old

Marko Milivojevic (2xCCIE) from IPexpert: CCIE R&S Lab Version 5 – Don’t Panic

Short post from Ethan Banks (CCIE): Burst: CCIE Routing & Switching v5


IPexpert will have a free vSeminar on the updates on Dec. 6. Register here: CCIE R&S V5.0 Blueprint vLecture :: An Overview of the Changes


Your old network gear is EoL, too…

Cisco 3560V2 Switches

Cisco 3650 Unified Access Switches

So yesterday, I pointed out that Your break room phones are EoL. Continuing on that EoL theme for Turkey week, I’m going to complicate your life by letting you know that the ancient network design you have been using with the 3560V2 or 3750V2 switches is going to have to change because those switches have seen their day. So sayeth Cisco. Cisco knows it’s harder to change your infrastructure than your endpoints, so they are generously giving you two years to stop buying those. The End of Sale date isn’t until November 14, 2015. Of course, if you have it on a service contract you’ll be able to stretch those out to 2020. I hope you don’t have to resort to that. Cisco recommends you get modern with a nice 3650 Unified Access switch, and really, why wouldn’t you?

They are a lot more powerful for the same money. To be honest, I was surprised to discover you could even still order the V2. I mean, just look at the 3650 paint job. Who doesn’t want that hidden away in a rack where only you can enjoy it?

Cisco 2960X Series Switches

Of course, I would be remiss if I didn’t remind you to upgrade your 2960 switches to the 2960X Series while you were at it. I mean, those old 2960 switches are EoL, too. You’ll have to start buying newer models, anyway. You may as well make sure they match your shiny new L3 kit, right?

Again, as has been the pattern for the last few generations on these, same price, more power and features. And these have the Enhanced Limited Lifetime Warranty. Buy a couple extras to keep on the shelf and skip the SMARTnet. You’ll save a ton of money. Just don’t tell Cisco I said that.