Just Because You Can, Doesn't Mean You Should!

Cisco Live - Wednesday

2010-07-01T16:02:57Z

Wednesday was a very busy day. I am sure that a great many people are dragging this morning, as is typically the case with all Customer Appriciation Events I have been to.

Solving Security Challenges with Cisco IOS Embedded Events Manager: this session is cool for many reasons. The presenter made videos demonstrating the creation and testing of several scripts for different purposes. I have only ever used IOS EEM for one thing and it certainly wasn't my first choice, but it worked so well, I am very interested in expanding its use in my customer networks. Some specific examples included bouncing an interface that was "stuck" after a special kind of attack or creating an email alert after interface utilization exceeds a pre-defined threshold.

FCoE - Design, Operations, and Managerment Best Practices: Since I am actively involved with designing a large datacenter, I thought this would be a good session to attend. I attended many SAN classes last year, but just didn't really "get it". The FC review at the beginning of this session really helped alot. We covered alot of the architectural options available today, as well a those that will be available when FCoE multi-how is supported.

Advanced IEEE 802.1x Design and Troubleshooting: While I have deployed 802.1x several times, I thought it would be beneficial to see what is new out there. They have several updated ideas. 802.1x Monitor Mode is a great way to evaluate how prepared an organization is for wired 802.1x.

Of course the customer appriciation event is a very popular destination. We had several cover bands playing songs from a wide range of artists with Tina Turner, Garth Brooks and of course Elvis impersonators. Smash Mouth was definately the star of the show. Everything was high energy. I got to spend some time with very intersting people talking, learning, and partying. iPhone picture from the show with this years hat (orange Elvis hair with integrated glasses) will be posted as soon as I get around to syncing the phone.

Cisco Live - Tuesday

2010-06-30T16:09:00Z

Tuesday was the first "official" day of Cisco Live!.

Overlay Virtual Transport: This session covered the new L2 transport technologies for datacenters. This technology is going to become very popular due to the L2 access requirements for VMotion across physical data center locations.

Keynote: John Chambers: John is a remarkable speaker and a visionary. In some ways this keynote was quite similar to previous ones, however it helps highly the continuity of Cisco's long term vision. John emphasized the speed at which Cisco is attempting to innovate and build/expand technologies. Cisco also unvieled the new Cius - Cisco's tablet based answer to the iPad with mobile telepresence and two high definition (720p) cameras, 3G/4G wireless and a docking station that doubles as a Cisco IP phone. <- I want one :)

Introduction to Cisco Layer 2 Multipathing (L2MP): How many people out there love to hate Spanning-tree? If you don't, you probably should. What if you could change your blocked spanning tree ports into multiple active load balanced paths and never have to see spanning-tree again? Well you can... Soon. Trill (future standard), L2MP or FabricPath (new name) will become the way we handle redundant L2 paths in the future, at least on Nexus, once the new hardware that can support the appropriate tags has been released.

Cisco Trusted Security & Security Group Tagging: This session covered TrustSec and some of the features around making this happen. Unfortunately I had to leave before the class was finished, so I hope to post more later after I finish reviewing the recorded content.

CCIE/CCDE NetVet Reception: John Chambers met with the CCIE/CCDE NetVets (those attended 3 or more of the previous 5 networkers events) and answered questions and accepted comments from the gathered audience. Answers were very candid (some subject to NDA, but I forget which so I must be vague). Questions included supply chain issues, Certification - related questions (Value of CCDE/CCA, Possible master level implementation certification), Network Management, UCX, HP/IBM partner status, etc.

CCIE Party: Event at the VooDoo lounge on the 51st floor of the Rio Hotel. The local signature drink, the Witch Doctor, was flowing quite readily. Kicking party with a live band, and plenty of geeks, well lubricated, networking. Always a good event.

Hangover - fortunately missing, but we will see how that goes after the Customer Appriciation event Wednesday night. I am not sure that IOS EEM was the best class for the morning after events like these, but such is life!

Cisco Live - Monday

2010-06-29T15:06:40Z

Yestarday was a busy day for me at Cisco Live. Here is a brief summary:

CCDE Written exam: I decided to take advantage of the free certification exam to recertify my CCDE. Unfortunately I had no time to study, but I managed to remember enough MPLS-TE to pass anyway.

Cisco Catalyst 3750 Switch Architecture: This session went over the details of the capabilities of the hardware at a very low level. It covered all the 3750 models. There was a discussion on how licensing will work in the new 3750-X (Yea! IPv6 has been moved down to IP Services!). Details on the Stackwise and Stackwise Plus functionality only served to underscore how cool the new 3750-X is!

Secure Borderless Network Design: Borderless Networks is really an umbrella architecture that combines other technologies and techniques to enable highly secure and mobile solutions. This session covered the internet module portion of this, specifically the ASA, IPS, and WSA. VPN technologies were also touched upon.

Cisco ASR1000 Series Routers: System & Solution Architecture: Imagine an ISR router (2800 for example) that can do NAT, IOS Firewall and IPS, and VPN at the same time at 20 Gbps! Wow. This session discussed the hardware capabilities and options and how they interoperate to support this highly available chassis. I am going to be looking for oppertunities where this product might fit in the future.

I also spent a few minutes hanging out in the Certification Lounge. I found that the CCDE could be recertified with any expert level certification, even though the website says otherwise. I also met one of the first two CCAr's last night. He was part of the internal team for CCDE, but not for CCAr. At least one other individual is in the CCAr path right now. Unfortunately I secured financing too late to be in the CCAr on this round, but another opening will be coming soon.

Cisco Live! 2010 - Las Vegas

2010-06-28T17:54:17Z

Hello from Cisco Live! Attached is my schedule for the week. I hope to see you there!

Sunday
Start: 4:00 PM End: 5:30 PM	GENCOL-1001 Mandalay Bay G	Cisco Collaboration Welcome Session
Monday
Start: 7:30 AM End: 9:30 AM	CCDE Writen Exam - Recertification	CCDE Writen Exam - Recertification
Start: 9:30 AM End: 11:30 AM	BRKARC-3437 Islander A	Cisco Catalyst 3750 Switch Architecture
Start: 12:30 PM End: 2:30 PM	BRKSEC-2000 Islander C	Secure Borderless Network Design
Start: 3:00 PM End: 5:00 PM	BRKARC-2001 South Pacific E	Cisco ASR1000 Series Routers: System & Solution Architectures
Tuesday
Start: 8:00 AM End: 9:30 AM	BRKDCT-2049 South Seas F	Overlay Transport Virtualization
Start: 10:00 AM End: 11:30 AM	GENKEY-7846 Event Center	Keynote and Welcome Address
Start: 12:30 PM End: 2:30 PM	BRKDCT-1022 Islander C	Introduction Cisco Layer 2 Multipathing (L2MP)
Start: 2:45 PM End: 3:45 PM	GENSSN-7827 Event Center	CA Technology Presents: The Impact of Mass Virtualization on Network Management
Start: 4:00 PM End: 6:00 PM	BRKSEC-2046 South Pacific B	Cisco Trusted Security (CTS) & Security Group Tagging
Wednesday
Start: 8:00 AM End: 10:00 AM	BRKSEC-3076 Banyan B	Solving Security Challenges with Cisco IOS Embedded Event Manager
Start: 10:00 AM End: 10:30 AM	GENNOC-11223 Bayside Foyer	Cisco Live Network Operations Center Tour
Start: 10:30 AM End: 11:30 AM	GENKEY-7847 Event Center	Cisco Technology Keynote
Start: 12:30 PM End: 2:30 PM	BRKSAN-2047 South Pacific C	FCoE - Design, operations and management best practices
Start: 2:45 PM End: 3:45 PM	GENSSN-7828 Mandalay Bay G	The Borderless Enterprise: Driving Innovation from the Core
Start: 4:00 PM End: 6:00 PM	BRKSEC-3005 Islander C	Advanced IEEE 802.1x Design and Troubleshooting
Thursday
Start: 8:00 AM End: 10:00 AM	BRKARC-3001 South Pacific H	Cisco Integrated Services Router G2 - Architectural Overview and Use Cases
Start: 10:30 AM End: 11:30 AM	GENKEY-7848 Event Center	Closing Keynote: Author Ben Mezrich
Start: 12:00 PM End: 2:00 PM	BRKSEC-2044 Islander C	Next-Generation Network Access Policy with Cisco Access Control System (ACS)
Start: 2:30 PM End: 4:30 PM	BRKCCIE-1001 South Pacific J	Cisco Data Center Certification - Breakout Session

Nexus 1000V

2010-03-30T16:49:59Z

Over the last two days I have gotten the oppertunity to install the Nexus 1000V Virtual Distributed Switch. This is a very interesting platform. Unfortunately there are tons of new terminology, but the concepts are still very much the same.

The VSM is the Virtual Supervisor Module. This is a virtual machine (guest) that runs in ESX like any appliance or other guest operating system. It is in reality, NX-OS functioning like any supervisor module in a 4500 or 6500 switch, or similarly to the Nexus 5010 for those already familliar with Nexus hardware. A given Nexus 1000V can have up to two VSMs running, preferably on different physical hosts. The VSMs sync just like supervisor modules would.

The VEM is a Virtual Ethernet Module. This is a software component that is integrated with the ESX operating system (by patch management/RPM install techniques) and connects to the VSM for its configuration. This is analgous to a WS-X6148 line card or a Nexus 2148 Fabric Extender.

Once these components are up and running the system is a virtual blade chassis who's centralized configuration extends across all ESX servers in a datacenter. Way cool stuff. The Port-Profile configurations are exceedingly powerful and would be super kick-butt if they were integrated into the other switch platforms.

Some of the more confusing points are VPC/EtherChannel configuration, and some of the design practices.

More to come...

Hello form Cisco Live! 2009

2009-06-28T14:47:35Z

Well, I made it finally to my first Techtorial this year, Enterprises Quality of Service. Long flights, and a distinct lack of sleep did not stop a great many people from attending the pre-conference techtorials this year. Things this year seem relatively normal comapred to the last two, however part of the sccavenger hunt this year seems to be the certification ribbons and the Cisco Powered lounge (hideout and coffee!)

The thing I miss the most is the USB flash drives Cisco gave out last year. These had a wealth of information and participants didn't have to go and find it and waste precious bandwidth downloading it. Only 13 minutes left to get the last 40% of this 100 MB file!

Austin Network Engineer Users' Group - July 2009

2009-06-28T14:40:58Z

Unfortunately, we will not be having a User's Group meeting in July. I do apologize for the inconvinence, but I will be out of town working with a Customer. I am putting together some options for August's meeting any any input you have would be great. I haven't quite cocmpleted my whitepaper on QoS, but when it is done, I will post a link to it here.

Austin Network Engineer Users' Group - May 2009

2009-05-08T08:15:37Z

Next Wednesday the Austin NEUG is getting together again. Below is the text of the invite. I hope to see everyone there!

Wednesday, May 13th, 6:30 - 8:30 PM

LOCATION:
CALENCE
1130 Rutherford Lane

Suite 208

Austin, TX 78753

TOPIC:
Multi-Protocol Label Switching

This month we the user group will discuss Multi-Protocol Label Switching (MPLS) technology and configuration. Ryan Hicks will be presenting MPLS fundamentals from both the carrier and customer perspective. A MPLS core will be created to demonstrate the technology. Virtual router labs will be provided, so please bring your laptop! The following are some of the specific features/tasks that will be discussed:

• Overview of carrier switching technologies (MPLS, ATM, Frame-Relay, etc)

• Understanding of VRFs

• MPLS PE and P router configuration (Provider)

• MPLS CE router configuration (Customer)

There is no charge to attend and refreshments will be served. Meetings are open to anyone interested in discussing the network engineering industry in a vendor-neutral, education-focused environment.

We are a local community of network engineer professionals who come together to network and learn about engineer-related topics in a vendor-neutral, education-focused environment.

Meetings will be held the second Wednesday of every month.

If you know someone who would be interested in attending this event, please feel free to pass on this information.

Austin Network Engineer Users' Group - March 2009

2009-03-12T18:17:28Z

I would like to thank everyone for coming to last night's user group meeting. For anyone that has missed it, We had Jeff Kline and Brandon Beck from Cisco presenting on SAN technologies. We discussed the advantages of Data Center Ethernet, Cisco's Virtual Switching System and Multichannel Ethernet, and various storgate technologies such as SCSI, iSCSI, Fiber Channel, FCIP, and FCoE. I will post a link to the presentations here as soon as I have them.

We started a discussion for future topics. It looks like we will be working through configuration and labs on Cisco's Call Manager Express product during the next two sessions. Please make sure to bring your laptops for these, as we are going to have virtual routers set up in individual pods. We will also have a limited number of physical FXO/FXS ports and phones available for testing.

After these two sessions we have options available for the next one. There has been discussions on having a troubleshooting session which I am thinking might be a Layer-2 troubleshooting primer, involving spanning-tree and other switch technologies. Other possibles are having Solar Winds demo/train on some of thier management tools or having Cisco back out to talk about WAAS or ACE. Please send me your feedback on what you want for the next session.

DS3 Troubleshooting

2009-01-23T01:51:30Z

Recently, I was helping a customer migrate from a traditional frame-relaly network to a MPLS cloud. The first step, obviously was to bring up the DS3 at the headquarters end. The went just fine. IP connectivity was established and BPG cam up instantly. A few days later it became time to cut over the first remote location. The remote sites were reusing the same T1 frame port, only with a different PVC. The turnup seemed to go ok, IP connectivity and a BGP session had been established in advance of the cut. We filtered out the routes to prevent data shifting across the new PVC until we were readay. During the tessting phase, PCs were able to access the internet and Internal applications were working. There was however one problem, the phones would not register with the call manager.

We started noticing that the default route advertised by the headquarters through the MPLS cloud was flapping. Turns out that the DS3 at the headquarters was the reason for the route flap. The DS3 started bouncing up and down frequently. We decided to back out the changes and remain on the original circuit until we cound determin the cause. looking at the DS3 controller yeilded output like this:

   Framing is c-bit, Clock Source is Line
   Bandwidth limit is 44210, DSU mode 0, Cable length is 10
   rx FEBE since last clear counter 33743, since reset 67688179
   Data in current interval (297 seconds elapsed):
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation
     0 P-bit Err Secs, 0 P-bit Sev Err Secs
     0 Sev Err Framing Secs, 45 Unavailable Secs
     0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
Data in Interval 1:
     0 Line Code Violations, 0 P-bit Coding Violation
     2 C-bit Coding Violation
     0 P-bit Err Secs, 0 P-bit Sev Err Secs
     0 Sev Err Framing Secs, 248 Unavailable Secs
     1 Line Errored Secs, 1 C-bit Errored Secs, 0 C-bit Sev Err Secs

The only problem is the telco can't seem to find a problem. The most obvious thing to do here is validate linecode configurataions throughout the path of the circuit. Unfortunately if this was the problem the circuit wouldn't be anywhere near as stable as it is. We did the check anyway, but it was unhelpful. The IXC decided to loop the circuit at the customer end and run patters with a T-Berd tester. Typically testing circuits with a T-Berd yields usable results. In this case everything came back clean.

"It is an old maxim of mine that when you have excluded the impossible, whatever remains, however improbable, must be the truth." (Doyle, 1892) It is impossible for the circuit to not work, yet have nothing wrong. Therefore, either there is a bug in the router IOS, a hardwaare defect/failure, or the T-Berd's resultss are wrong. So, to eliminate the first two possibilities, we disconnect the T3 at the DMARC and create a hard loop. A neat trick you can do with virtually any circuit that can be looped is to issue the no keepalives command and ping the interfaces own address. No keepalives turns off the Frame-relay LMI, HDLC or other frames, and forces the interfaces to believe they are up. I don't have pattern testing abilities on this hardware, so a couple of pings with different patterns should do the trick! Good news is, the pings all work, bad news is... one of the tests fails when the IXC has the circuit looped!

I suppose I should back up... When doing ping tests, you should hit certain types of patterns. Circuits have issues with bit syncronization, which is the reason for the different kinda of line coding in use on T1 and T3 circuits. If changes in the bit pattern don't happen every so often the PLL circuit that establishes clock syncronization with the carrier. Unfortuntely, user data can't be relied on to change 0s to 1s often enough. To test for problems, certain patterns are quite common: 0x0000, 0xffff, 0xaaaa, and 0x5555. The first two patterns are all ones and all zeros, The second two are the same, alternating ones and zeros. Theses tests help you uncover a one's density problem on many circuits.

In this case, the 0x0000 pattern failed when connected to the telco. Since this fails quite consistantly when I try it, why does the telco's tests all come back clean? The answer is simple: The T-Berd doesn't do an all 0's pattern test at the DS3 level!

Eventully with a near endless series of loops in both the IXC and LEC, we discover that 0x0001 (15 0s in a row) passes and 0x0000 (16 0s in a row) fails. The IXC uses Alcatel equipment thaat by default has a setting that disallows excess 0s in DS3 circuits. When we sent an all 0s pattern, the carrier recieved a different pattern, due to the Alcatel changing the bits in transit. This introdiced linecoding errors on the DS3, and obviously caused problems with whatever traffic was modified. After changing this setting in 3 of the Alcatel muxes, the all 0s pattern worked.

CCDE Results

2009-01-08T05:42:40Z

On Saturday immediately following Christmas, Santa Clause, who looks remarkably similar to my mailman presented me with a shiney white envelope from Vue, among other things (likely bills or some other such nonsense). Where I live, it is a long way down the driveway to the house - a trip made even longer by the anticipation and anxiety welling up inside me. A nearly a month late and near constant clicking on the refresh button the last several days, I had to fight just to keep from flinging the remainder of the post to the wind. The fact that several highly skilled engineers had already posted less than stellar news on the Cisco Learning Network just the night before.

After finally making it to the house, filled with my wife's guests, I ever so quietly and calmly slid my shakey hands down the length of the envelope's lid and tried to lean against the counter to steady the paper so I could actually focus on it long enough to read the only word I could actually see clearly while in this state: CONGRATULATIONS! After the trembling stopped, I found my way to the second page to find my score report which was conspicously missing anything that remotely resembled a score or a report, but did contain a number. From the beginning of the beta program it was decided that there would be a new numbering scheme for CCDEs, but it was not announced what it would be.

Well that question was now answered: 20080001. 1? 1? Really? Its been nearly two weeks since that day, and I still have trouble with that. First let me say that Cisco only invited the best to the beta program. 200 people took the beta written. 60 were invited to the beta practical, of which 42 (ish) attended. And out of those, I got the first number? All I can say is wow! So far only 3 people have acknowledged reciept of a CCDE number, and from the rumor mill, that is all that passed. 7% Ouch. I have to feel humbled here, because there are bigger names than mine that attended. Some people doing the things I had dreamed, but they didn't pass. Don't get me wrong: I am very excited, and proud of what is truely a once in a lifetime experience!

If you ever get the chance to participate in a beta program from Cisco, no matter what it is - DO IT!

To all of my peers that took this exam: You all passed in my eyes. Congratulations for helping to make an important new certification for the Cisco community. I hope you all attend the next exam on Feb 11, 2009. I expect to hear about the next CCDEs soon! A special congradulations goes out to the other beta participants that passed.

Michael Morris CCDE#20080002

Reinhold Fisher CCDE#20080003

PIX/ASA Emulation using GNS

2008-12-10T22:23:46Z

Many folks are likely practicing for certifications and have trouble being able to get thier hands ahold of real equipment to praactice on. GNS3 is a great tool for basic emulation of routers, switches (with some tricks) and firewalls!

Most folks want to emulate an ASA, which I am not currently aware of any product thaat will do this, but for the moment, the PIX code is virtually identical! The primry differences what most people will notice (from an emulation perspective anyway) is that the interfaces have slight differences (Ethernet0-5 vs. Ethernet0/0-3 & Management0/0) and the SSM modules are not present and the IPS and Content inspection commands for the service policies won't exist.

But what aabout licensing? This is where the real trouble happens, your emulated PIX by default won't have an activation key or serial number. Ooops! This means no VPN, not even DES! No failover either! Therefore you can't test any config that requires these features. What you need to do is to locate a valid PIX somewhere. In my case, I have a PIX 515E at work in our lab.

I pulled a show ver from that PIX and made note of the Serial Number and Activation Key. Once I had these, I go into GNS3 and right click on my PIX (from the network topology window) and select configure. Obviously you need to select your PIX code file here, but you can also paste in the activation key. You will get an error if you just paste it in though. You must change the spaces in the activation key into commas ",". The serial number field requires the information to be entered in hex. So open your handy calculator and enter the decimal serial number from the real unit or from the show ver and convert it to hex. You can then past this number into the field in GNS3 with a "0x" in front of it. Depending on the code you choose, the activation key may or may not work at this point. If it doesn't simply enter config mode on your virtual PIX and enter the activation-key command. after a save and reboot the PIX should accept the key and work with the same license as the real one.

Just as an important note: This is NOT intended as a way to bypass Cisco's licensing. You should not even think about using a GNS3/PEMU emulated firewall for production security purposes. If you have a production need, eBay a PIX or better yet, buy a shiney new ASA 5505. Only use this information in a lab. Also, don't even think about asking me for activation keys or serial numbers.

Cisco 4500 Intermittant High CPU Utilization - Part 2

2008-12-04T21:09:49Z

As a followup to my previous entry with the same subject (Part 1), We have discovered more information. It turns out that the router alert packets weren't the cause of the high utilization, but instead mearly a piece of the larger puzzle.

The CPU utilization issue became so unbearable that something had to be done, and unfortunately, modifying all Macintosh systems on the network to stop using mDNS wasn't an option. A few of the systems were changed with no noticable impact, but that could be because the number of systems changed constituted less than 1% of the systems at that campus. Instead something else would have to be tried... Somthing on the network...

Being confident that the previous troubleshooting was accurate, and with assurances that nothing production other than GhostCast was using multicast, multicast routing was turned off on the switch. This was a bold and rather drastic move, but it should solve the problem, right? Wrong. The number of packets hitting the CPU with the router alert option set remained constant, and CPU usage continued to behave as it had before. If I had thought thiss through a bit more, I would have realized that traffic to the 224.0.0.x/24 multicast address range are meant to stay local, therefore the traffic would continue.

The next step was to create an access list that blocks the mDNS group address destination address. After that is created, it is added as a Port ACL on each client facing switch port. Suddenly, we now have a real change in status. CPU Usage dropped from 100% to 21% as soon as the interface range command was completed.

The big question here is why did this work, and what caused the switches poor performance? The 4500 is capable of handling much higher volumes of multicast traffic, and it has distributed hardware processing of multicast. It turns out that the 224.0.0.0/24 range is reserved for L2 local multicast, such as routing protocols, All routers, All hosts, etc. Because of this fact, the 4500 was designed to send all multicast traffic destined to any address in this range directly to the CPU weather it was needed/subscribed, or not. I think an inbound 224.0.0.0/24 multicast filter should be considered a basic security requirement for every network in order to prevent inadvertant or intentional DoS against the switched infrastructure regardless of weather multicast is officially in use on the network!

1.5 Factor Authentication?

2008-10-24T04:03:44Z

So, with all the recent concern over PCI and similar security requirements, lots of people are considering multi-factor authentication technologies whenever the cost/convenience tradeoff makes sense. VPN and other remote access technologies are places where this kind of technology makes good sense. About a year ago I was asked to help implement a two factor authentication scheme for VPN using a Cisco ASA firewall. There was a sincere desire to avoid having to pay for RSA tokens or smart cards, so we decided to use the technology that the customer had available, certificates. In theory, one could use a certificate as something you have and then provide a username and password during x-auth as something you know.

To implement this, I changes the ISAKMP profile to use RSA-SIG authentication instead of pre-shared keys. I set up the remote access VPN as normal, including X-AUTH. When the VPN client connected, we discovered that everything we did actually worked! Since making something work the first time is not typically my specialty, I knew something must have been wrong. A bit of thinking and testing later, the other shoe finally dropped! We connected to the VPN using USER1's certificate, but tried USER2's username and password. Much to my dismay, it worked.

While this does technically pass the definition of two factor authentication, at least as far as the auditors are concerned, I wouldn't call it a good long term plan. TAC to the rescue! My confidence was shattered when I was informed that this was a new feature according to the design engineers and wouldn't be available until spring-ish 2008. Fast forward about a year and guess where I am? In the past few months I happened to notice a command that I thought enabled the X-AUTH username to certificate CN check. Apparently I was wrong, as it doesn't work. Well to be exact, the command I am referencing, username-from-certificate, works when paired with another command, pre-fill-username. Unfortunately, but not surprisingly, the latter command only applies to WebVPN/SSLVPN!

I am planning on opening a TAC case in the morning on this as well as calling my local SE, in the mean time I am going to assume this is another sign of the death of IPSec (the other sign being no 64-bit OS support).

UPDATE: It turns out that this feature was requested and supplied in version 8.0(3) 1. Unfortunately only for AnyConnect. There are no plans to support the IPSec client with certificate CN validation. Ouch, another nail in the coffin for the good old IPSec VPN client. I guess I better spend some time snuggling up next to the WebVPN/SSL VPN command reference guides!

Cisco 4500 Intermittant High CPU Utilization

2008-10-23T15:23:46Z

Recently a problem came up on a single site of a multi-site network. This one site had a problem with high CPU utilization on thier Cisco 4510R layer-3 switch. This switch is the core of this particular site, and there are other similarly configured locations with similar hardware.

Troubleshooting begins with all the usual suspects: show ver, show mod, show proc cpu, show log. Nothing stands out except the show proc cpu shows Cat4k Mgmt LoPri is taking up 70-80% of the CPU. I am relatively new to the Catalyst 4500 Sup 6 card, and spend most of my time on the 6500 platform. I quickly discover that this is a process with many threads. The details can be seen by executing a differenet command, show platform health. This command breaks down all the different threads that make up the management processes within a Catalyst 4500 switch. It also details target and actual CPU utilization statistics.

In this case, I find that K5CpuMan Review is taking up a lot more CPU than it is supposed to. Now I must say the name of this process surely means something to someone, but not to me. Apparently this is the name of the process that handles all CPU switched packets. (That was my first guess obviously!) Now packets can be CPU switched for many reasons. They might be destined for the CPU, there could be a misconfiguration, or they could be marked in a way that forces intermediate systems (routers and switches) to look at them.

The next step is to determine what traffic is being directed at the CPU and why. This step will probably invoice some debug commands. The good news to those out there that shiver at the idea of using debugs in a live production network is that the commands we will use have to impact on the performance of the equipment. Essentially, the platform is doing this stuff already; the commands just make it log the information so it is visible. Oh, these commands do NOT survive a reboot and don't show up in when a show debug is executed. What I would like to know is why not just leave these features on all the time? If we want to see where packets are coming from that are destined for the CPU, we execute debug platform packet all count. After the debug has been running for a bit, we can display the results with show platform cpu packet statistics. Unfortunately in this case nothing stands out as an obvious source for the problem.

For grins I decided to look at some other old standby commands: show interface stats and show ip traffic. show interface stats will normally show what traffic is switched by which mechanism. Unfortunately, process switched traffic is at 0 for all interfaces. We did learn something though; the traffic affecting the processor is destined for the processor. The next command, show ip traffic, is actually very telling. Below is an example capture of what this symptom might look like. Notice that there is a non-zero value for packets with options? Out of the 3.4 million packets handled by the processor in this example, 1.8 million of them have an IP option defined. Upon further examination, all of the 1.8 million packets have the router alert option defined!

LAB Router#show ip traffic
IP statistics:
Rcvd: 3249411 total, 2367891 local destination
         0 format errors, 0 checksum errors, 200092 bad hop count
         0 unknown protocol, 0 not a gateway
         0 security failures, 0 bad options, 1857133 with options
Opts: 0 end, 0 nop, 0 basic security, 0 loose source route
         0 timestamp, 0 extended security, 0 record route
         0 stream ID, 0 strict source route, 1857133 alert, 0 cipso, 0 ump
         0 other

I know what you are thinking, "What are IP options, and why is this important?" Well, IP options were flags created to allow hosts and routers to be informed about the special nature of a packet. RFC 2113 created the Router Alert, IP Option 20. This option tells the router to inspect any packet with this option passing through it, even if it is not destined for it. This inspection provides value when implementing RSVP and other similar protocols.

So lets see what's causing these packets to be marked with the Router Alert option. Another platform specific and non-impacting debug command can create a 1024 packet deep circular sniffer trace buffer. To enable this feature we execute debug platform packet all buffer. To view the results, we show platform cpu packets buffered. Now that's odd! I know packets are going to the processor, but they are not getting logged by the debug command we just executed. I am going to blame that on the difference between the Sup-6e and the other processors. The Sup-6e doesn't always do what the others are capable of. However other options exist! A sniffer hooked to the switch might just do the trick, but what interface do we monitor? Well, the CPU of course! The change we would make from the normal SPAN setup is in the source: monitor session 1 source cpu queue all rx. Now we just keep capturing until the options value of the show ip traffic command starts to increment...

Other things to consider here is the possibility of a Denial of Service (DoS) attack. A few years ago Cisco released a field advisory that explains a vulnerability in IOS when a router is subjected to packets with certain IP options set. However, if this issue was a DoS attack, one would expect to see a spike in traffic coming from one port, but as we have already seen, the show platform cpu packets statistics shown no specific spike in traffic, meaning the traffic is coming from everywhere, and is most likely normal traffic.

The sniffer is truly the tool to solve this particular issue. Once the packet capture came back, IGMP packets correlated with the increase in the alert option in the show ip traffic counters were discovered. Most of the IGM packets were multicast joins to 224.0.0.251: mDNS. mDNS is very rare in production networks, typically isolated to HP printers that are set to thier defaults. Apparently Mac OSX has and application called Bonjour that performs dynamic discovery on the network. One of the protocols in use by this application is mDNS. This application was discovered because the source MAC address in the sniffer trace ties to an Ethernet OUI registered to Apple.

The troubleshooting steps I have lined out here are a combination of personal experience and things TAC suggested. Afterwards, TAC emailed me a link to a document that contains a lot of these steps, some of which may be more applicable to other situations.

http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a00804cef15.shtml