Often in my career I have to make an estimate about the so-called "level of effort" (LoE) to do a thing.
What's the LoE for me to do a demo for this customer?
What's the LoE for me to help respond to this RFP?
What's the LoE for me to participate in this conference?
The critical metric by which I usually have to measure the LoE is time. People, equipment, venue, materials, and location are rarely ever a limiting factor. Time is always the limiting factor because no matter the circumstance, you can't just go and get more of it. The other factors are often elastic and can be obtained.
And oh how I suck at estimating time.
As soon as the question comes up, "What's the LoE for...", I immediately start to think, ok, if I am doing the work, I can do this piece and that piece, I can read up on this thing and get it done with slightly more time invested, and then yada, yada, yada... it's done!
What I don't account for is the human element. The unexpected. The fact that we're all different and team members will go about their work in their own way. In other words, the soft, non-technical aspects of doing the thing.
Along these lines, here are 9 things that I would be wise to consider when making time estimates in the future.
I've been asking myself an uncomfortable question lately: "Can IT certifications become a liability? Have I reached a point where my IT certifications have become a liability to me?"
Well, it looks like another major item will get struck from my bucket list this year. I've been accepted to present at Cisco Live in Las Vegas this summer! π
This session is designed to walk through an enterprise network and look at how EIGRP can be engineered with purpose to best suit the needs of the different areas of the network. I will focus a lot on stability and scaling EIGRP and will show the audience how, where, and when to leverage common EIGRP features such as summarization, fast timers, BFD, and wide metrics.
Cacti is a "complete network graphing solution" according to their website. It has also been a thorn in my side for a long time.
See what I did there? Thorn... because it's a cactus... never mind.
When Cacti is in a steady state-when I could get it to a steady state-it was good. Not great, because there was a lot of effort to get it into what I consider "steady state", but good. The rest of the time... thorny.
There are five major things that have driven me up the wall. In no particular order:
I had just lost the RAID array that hosts my ESXi data store. I didn't yet know that's what had happened, but with some investigation, some embarrassment, and a bit of swearing, I would find out that an oversight on my part three years ago would lead to this happening.
I recently decided it would be fun to upgrade the hardware on my main OpenBSD machine at home (because, you know, geek). These Intel NUC machines are pretty interesting. They are pretty powerful, support a decent amount of RAM, certain models support internal storage, and they are very low power and low noise. Perfect for a machine that is a shell/email/development box.
There's a lot of information on the intertoobs about getting ssh-agent "working" in OS X and even more articles about when and how the stock behavior of ssh-agent changed (mostly with respect to how ssh-agent interacted with the Keychain).
This article doesn't cover or care about any of that.
This article is concerned with:
Enabling ssh-agent in such a way that I can "ssh-add" in one terminal window and that same agent (and the loaded keys) is available in all of my other terminal windows.
Enabling use of ssh-agent from MacPorts and/or Homebrew and not the older ssh-agent that OS X ships with in /usr/bin.
To avoid having to put my keys in the Keychain (just a matter of preference).
At the time that I'm writing this I've been working at Cisco for just over 3 years as a Systems Engineer. Prior to that I worked for multiple Cisco customers and was heavily involved in Cisco technologies. I know what a monster cisco.com is and how hard it can be to find what you're looking for.
Since starting at Cisco, the amount of time I've spent on cisco.com has shot up dramatically. Add to that studying for my CCIE and it goes up even more. In fact, cisco.com is probably the number 1 or 2 site I visit on a daily basis (in close competition with Google/searching).
After spending all this time on the site and given how vast the site is and how hard it can be to find that specific piece of information you're looking for, I'm writing this post as an aid to help other techies, like myself, use the site more effectively.
I'm lucky enough to be heading to Cisco Live in San Diego this year to host customers from my area. When I'm not with a customer during the day I plan on attending these sessions:
This has happened to me twice now: upgrading Mac OS X from one release to another and after the dust settles, the search function in Outlook 2011 totally breaks and always returns "no results". As we all know, email sucks and being able to deftly search through that mound of crap in your mail client is the only thing that makes it somewhat bearable.
I don't believe this is well known: Cisco IOS has Role Based Access Control (RBAC) which can be used to create and assign different levels of privileged access to the device. Without RBAC there are two access levels in IOS: a read-only mode with limited access to commands and no ability to modify the running config (also called privilege level 1) and enable mode with full administrative access. There is no middle ground; it's all or nothing. RBAC allows creation of access levels somewhere between nothing and everything. A common use case is creating a role for the first line NOC analyst which might allow them to view the running config, configure interfaces, and configure named access-lists.
When I started studying in earnest for my CCIE, I started a log of how I was spending my time studying, which books and papers I'd read, videos I'd watched, and so on. I thought it would be a neat exercise to look back afterwards at what it took to achieve this goal. I'm also somewhat self-deprecating and tend to minimize my accomplishments, so having this data is a way for me to remember that this wasn't a small accomplishment at all.
I was preparing a presentation the other day about the high level differences between IOS, IOS-XE and NX-OS and one of the things I included in the presentation was the various platform and branch identifiers that's used in each OS. It's just a bit of trivia that I thought would be interesting and might come in handy one day. I'm posting the information I collected below so everyone can reference it.
I was prompted to write this when I observed someone the other day who was sitting in the same training as me taking notes in a self-addressed email. No offense to people who do this, but W. T. F. How are you going to keep track of that email among the dozens/hundreds you receive every single day?
I take a lot of notes for research, certification study, and training. I use MediaWiki for almost all of these notes. Here's why.
I've had enough real life experience with replacing drives in the ZFS pool in my home NAS that I feel comfortable sharing this information with the community.
Anyway, I thought it would be neat to document the tools I'm using today. It'll be interesting to read this in a couple of years to see how things have changed again and maybe it'll give a fellow cert-chaser some ideas for today.
I've been working on something that at this point in my career I never thought I'd be doing: another Cisco Certified Network Associate (CCNA) certification. The CCNA Voice, to be exact. Now that I'm in a job role where I'm expected to be somewhat of a jack-of-all-trades, I can no longer avoid learning voice :-) For a long time I've focused on just the underlying network bits and left the voice "stuff" to others. Since I now need to talk intelligently about Cisco voice solutions, products, and architectures, I decided to go through the CCNA Voice curriculum as a way to establish some foundational knowledge.
This post is about the tools and methods I used to build a small lab to support my studies.
I installed OmniOS on my home filer over the Christmas break. Jumping from a Solaris Nevada build to OmniOS meant figuring out what software packages are available in the OmniOS repositories, what third-party repos are available and what software I would have to compile by hand. Given that this machine is only acting as a filer and isn't running any other services to speak of, the list of software to get up and running is small; however a critical component is apcupsd which talks to the Uninterruptible Power Supply (UPS) and cleanly powers down the filer if the power goes out for an extended time.
The hangup for me is that my UPS connects to the filer via USB, not a serial connection. It took me some hours to figure out how to get apcupsd installed with USB support. Here's how.
Ahh the Christmas break. The perfect time for good food, enjoying the company of family and friends and of course.... IT projects at home! My project last year was to immerse myself in the source code for OpenBSD's snmp daemon so that I could integrate my patch-set for Net-SNMP directly into the native OpenBSD daemon. That was time well spent as I was able to integrate my code in the following weeks. This year I have maintenance to do in the home lab. It looks like 2013 is going to be a busy year as far as getting my hands on new stuff so I want the lab ready to rock.
First project: upgrade my VMware ESXi server from 4.1 to 5.1.
Cisco's Identity Services Engine (ISE) is a powerful rule-based engine for enabling policy-based network access to users and devices. ISE allows policy enforcement around the Who?, What?, and When? of network access.
Who is this user? A guest? An internal user? A member of the Finance department?
What device is the user bringing onto the network? A corporate PC? A Mac? A mobile device?
When are they connecting? Are they connecting to the secure network during regular business hours or at 02:00 in the morning?
These questions can all be answered easily within ISE and are all standard policy conditions that are relatively easy to implement. In the post below I'm going to focus on the How? β How is the user or device connecting to the network? Asked another way, the question is Wired? or Wireless?
I don't really keep up to speed on consumer technology. For me, the enterprise IT space holds more challenge and interest. There is one piece of consumer tech though that has become fully ingrained in my life: the tablet. For that reason, I'm going to summarize my experience in using both Android and Apple based tablets.
I've had two main areas of interest in my IT career. Professionally, I've been a network guy. Designing, building, and supporting IP networks is what pays my bills. On the other side, I'm a Unix geek. Building, tinkering, and hacking code on Unix systems and related open source software has always been fun and challenging for me. Recently I was reflecting on my career and realized that my Unix and open source experience has played a big role in my career as a network engineer. Here's some of the ways I believe network engineers can benefit from Unix experience.
I read two interesting articles on VTP (Cisco's VLAN Trunking Protocol) this week.
The first is an older article from networkworld.com that reminds us all that VTP clients are also capable of updating VLANs on the network, not just servers.
When I first heard that a VTP client can update a VTP server under the right conditions, I was frankly a non-believer. No way. I'd seen evidence to the contrary in several documents at cisco.
If you're an IT professional you've probably been hearing a lot about cloud computing lately. I know I've sat through a number of seminars and sales pitches where people have been touting public cloud services on the merits of lower cost, reducing infrastructure and quicker implementation of services. However, I've noticed that almost none of these presentations discuss the increased reliance on Internet connectivity. With all the focus on the benefits of cloud computing, it's easy to forget that there has to be a trade-off. In order to offer reliable, quality access to public cloud services, your Internet connectivity likely needs some tuning.
One of the first things I wanted to do with my ESXi lab box was to simulate a hard drive failure to see what alarms would be raised by ESXi. This exercise doesn't serve any purpose in the "real world" where ESXi hosts are likely to be using shared storage in all but the most esoteric of installations but since my lab box isn't using shared storage I wanted to make sure I understood the behavior of ESXi during a drive failure. This post is also a guide to my future self should a drive fail for real :-).
It's been a long time since I've taken a run at getting Olive up and working. I wanted to take another stab at it and document how to get a working Olive installation using the latest JUNOS code. I also wanted to document how to get Olive up inside VMware ESXi since I hadn't actually done that before.
Olive refers to a regular PC or virtual machine that is running Juniper Networks' JUNOS software. Juniper created Olive early on so they could perform testing of JUNOS during development. These days Olive is deprecated in favor of cheap, low-end M and J-series routers but is still used by people wanting to evaluate/test JUNOS or those who are studying for Juniper certifications.
For the most part Olive is fully functional as a basic router.
I recently built a VMware ESXi host at home. When I was researching the hardware, I learned there are a number of things to consider when choosing a RAID card for use under ESXi. This article covers those things and offers advice for anyone who is building a similar system.
As part of the recent hardware upgrade to my ZFS file server I replaced the motherboard. I'd never replaced the motherboard on an active Solaris system before and was curious whether it would be at the easy end of the spectrum (like OpenBSD is) or at the impossible end (like any recent version of Windows). This is what I learned.
I recently decided to indulge my inner geek by doing a hardware refresh on my home ZFS file server. The system had served me well since moving to ZFS from my previous system but there was room for improvement.
My file server is full and I have no options for expanding it. The server is a white box system running FreeBSD with a hardware RAID card and 400GB of RAID-5 storage. The hardware is old, the hard drives are old and I can't expand it. It's time for something new.
The goals of this project was to build a low-power, small form factor machine that runs OpenBSD and acts as a firewall/router in a home network or small business setting. This page walks through the hardware I chose and the process I use to get OpenBSD running on the CF card.
Table of Contents Hardware Operating System System Operation Hardware The design has gone through two generations of hardware now.
This guide will explain how to setup a site-to-site IPsec tunnel (i.e., tunnel mode IPsec) between two OpenBSD gateways. Throughout this document there are example configs shown, some of which contain secret key data. DO NOT use these example keys! Create your own (as shown) and keep them private.
fooTable of Contents Introduction The Tools Terminology Building a Site-to-Site Tunnel Starting isakmpd Allowing IPsec Traffic Through pf(4) Filtering Traffic on the Tunnel Adding Redundancy Troubleshooting The Tools OpenBSD ships with all the tools needed to begin using IPsec.
Olive refers to a regular PC that's running Juniper Networks' JUNOS software. Juniper developed Olive early on so they could perform testing of JUNOS during development. These days Olive is deprecated in favor of cheap, low-end M and J-series routers.
CARP is the Common Address Redundancy Protocol. It's a secure, free alternative to the Virtual Router Redundancy Protocol and the Hot Standby Router Protocol. CARP was created and is maintained by the OpenBSD project.
The notes here apply to OpenBSD 5.0 and higher.
Protocol Information Virtual MAC Address The virtual MAC is in the format 00-00-5e-00-01-XX where the last octet is filled in by the CARP vhid. IP Protocol CARP uses IP protocol number 112 (0x70).
OpenBGPD is a free, open-source implementation of the Border Gateway Protocol Version 4. It was created and is maintained by the OpenBSD project.
The notes here apply to OpenBGPD as found in OpenBSD 4.0 and higher.
Path Selection Process OpenBGPD will only ever install one route in the route table for a particular destination network (prefix). If OpenBGPD receives information about that prefix from more than one peer, a decision must be made on which one to use.
The following SNMP MIBs and the accompanying code that extend the Net-SNMP daemon allow administrators to query information from various OpenBSD subsystems. Currently, stats can be queried from:
Packet Filter The kernel sensors framework Common Address Redundancy Protocol (CARP) These MIBs are being integrated into OpenBSD's own snmpd. OpenBSD 5.1 has the kernel sensor and CARP MIBs. OpenBSD 5.1-current has and the future 5.2 release will have the pf MIB. See this post for a bit more detail.
NetPacket provides a base class for a cluster of modules related to decoding and encoding of network protocol packets. Each NetPacket descendant module knows how to encode and decode packets for the network protocol it implements. Protocols that NetPacket can encode/decode include IPv4, TCP, UDP, ICMP, Ethernet, and ARP.
I've written three additional modules for NetPacket that allow the encoding/decoding of IPv6, ICMPv6, and OpenBSD's Packet Filter binary log files. I've also made numerous changes to existing modules, including fixing spelling mistakes, bug fixes, and documentation enhancements.
The goal here is to monitor DNS servers running BIND version 9 and graph the various statistics that it records about itself. The statistics will be made available to the Net-SNMP daemon by a script. From there, the data can be polled by whatever NMS you choose to use.
Table of Contents Getting Stats from BIND Serving Stats via SNMP Download for BIND 9.4 Download for BIND 9.6 and Newer Notes Getting Stats from BIND BIND stores a number of statistics internally.
The goal here is to monitor servers running Postfix to determine the number of email messages delivered locally and abroad and to graph that data. The data will be made available via Net-SNMP for collection using your NMS of choice.
Postfix homepage: http://www.postfix.org/ Basis for this Work The methods outlined below are based on the work of Craig Sanders http://taz.net.au/postfix/mrtg/. Some things that are done different here:
Only one database file is used for storing the data instead of two.
