Cisco Live US! 2016

I am fortunate enough to be able to go to Cisco Live US! again this year.
Last year was such an experience, that my hopes are really high for this year as well.

I will be arriving on Friday the 8th and leaving on the 15th. Not a long stay this time, but it was what my boss could arrange.
Again this year I will be bringing my better half, so she can experience the city and hopefully we’ll get a few hours of sightseeing in between commitments.

One of the things that I'm really looking forward to is meeting up with friends and peers. This year is a bonus for me, as I get to say congratulations to my friend Daniel (lostintransit.se) in person, and not just on the phone, on passing the CCDE practical exam!

Also, a first for me will be meeting up with Darren (mellowd.co.uk). We have been talking for a long time on twitter, mail and webex, and I'm really looking forward to meeting him in person.

When we get closer to the event, I will be posting my Cisco Live! schedule here.

If you happen to be around the Las Vegas area, or even at Cisco Live!, drop me a line and maybe we can meet up!

See you there!

GETVPN Example

A couple of weeks ago I had the good fortune of attending Jeremy Filliben’s CCDE Bootcamp.
It was a great experience, which I will elaborate on in another post. But one of the technology areas I had a bit of difficulty with was GETVPN.

So in this post I am going to set up a scenario in which a customer has 3 sites: 2 “normal” sites and a Datacenter site. The customer wants to encrypt traffic between Site 1 and Site 2.

Currently the customer has a regular L3VPN service from a provider (which is beyond the scope of this post). There is full connectivity between the 3 sites through this service.

The topology is as follows:

Topology

GETVPN consists of two roles, the Key Server (KS) and the Group Members (GMs), which is where it derives its name: Group Encrypted Transport. Unlike point-to-point IPsec there are no pairwise tunnels: the KS creates a single group SA (Security Association) with one Traffic Encryption Key (TEK) that every GM shares, plus a Key Encryption Key (KEK) that protects the rekey messages. The GMs register with the KS over GDOI (Group Domain of Interpretation, UDP port 848, carried inside an ISAKMP/IKEv1 phase 1 session) and download the policy (basically an ACL describing which traffic to protect) together with the keys. Each GM then uses the shared TEK to encrypt and decrypt the matching data packets.

The routing for the topology is fairly simple (see the routing diagram). Each client as well as the KeyServer uses a default route to reach the rest of the topology. Each CE router runs eBGP with the provider and redistributes its connected interfaces into BGP, giving full reachability between the sites.

Routing-Topology

At this point, let's verify that we have full connectivity through the L3VPN SP.

On CE-1:

CE1#sh ip bgp
BGP table version is 7, local router ID is 192.168.12.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.10.1.0/24     0.0.0.0                  0         32768 ?
 *>  10.10.2.0/24     10.10.1.2                              0 100 100 ?
 *>  10.10.3.0/24     10.10.1.2                              0 100 100 ?
 *>  192.168.12.0     0.0.0.0                  0         32768 ?
 *>  192.168.23.0     10.10.1.2                              0 100 100 ?
 *>  192.168.34.0     10.10.1.2                              0 100 100 ?

We are learning the routes to the other sites.

And connectivity from Client-1:

Client-1#ping 192.168.34.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.34.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/10/25 ms

The interesting part takes place on the KeyServer along with CE1 and CE3.

Let's take a look at the configuration on the KeyServer.

First off, we have a regular extended ACL that defines what traffic we want to encrypt. This ACL is the one that gets “downloaded” to CE1 and CE3 when they register. Note that it is symmetric, with both directions between the two LANs listed, because the very same policy is installed on every GM:

ip access-list extended CRYPTO_ACL
 permit ip 192.168.12.0 0.0.0.255 192.168.34.0 0.0.0.255
 permit ip 192.168.34.0 0.0.0.255 192.168.12.0 0.0.0.255
 

 

Register-ACL-Download

Next up we have an ISAKMP policy, which is used for the phase 1 session that protects registration and rekey communication with the KeyServer. This policy is present on all the Group Members (GMs) and the KeyServer:

crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 2
crypto isakmp key SUPERSECRET address 0.0.0.0        

In this example we use a simple pre-shared key with the any-address (0.0.0.0) form, which means any peer that knows the key can register with the KS and receive the group policy and keys. In production this should be certificate (RSA signature) based, and the 1024-bit DH group 2 should be replaced with a stronger group (group 14 or higher). That complicates matters, so I skipped it here.

Next is the transform set for IPsec. Notice that we use tunnel mode; in GETVPN the original IP header is copied into the outer header (header preservation), so the encrypted packet is still routed across the provider network to the real destination and no point-to-point tunnel endpoints are needed.

crypto ipsec transform-set GET-VPN-TRANSFORM-SET esp-aes esp-sha256-hmac 
 mode tunnel

This transform set is referenced in an IPsec profile:

crypto ipsec profile GETVPN-PROFILE
 set transform-set GET-VPN-TRANSFORM-SET 

This is necessary for the next piece of configuration, which is the GDOI group itself:

crypto gdoi group GDOI-GROUP
 identity number 100
 server local
  rekey authentication mypubkey rsa GETVPN-KEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 CRYPTO_ACL
   replay counter window-size 64
   no tag
  address ipv4 192.168.23.1

Here we create a GDOI group with a unique identifier (100), which every GM must match. `server local` tells the router that it is the Key Server. Next comes the RSA key pair we created with a label this time (`crypto key generate rsa label GETVPN-KEY`); the KS signs rekey messages with this key and the GMs verify them with the public key they receive during registration. Rekeys are sent as unicast here. Multicast rekeying would work just as well, but that requires your infrastructure to be multicast capable and ready.

Under `sa ipsec 1` we then reference the IPsec profile and the crypto ACL. Lastly, `address ipv4` sets the address this server uses for GDOI, which is the address the GMs register with and receive rekeys from.

Compare this to what is configured on CE1 and CE3:

crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 2
crypto isakmp key SUPERSECRET address 0.0.0.0        
crypto gdoi group GDOI-GROUP
 identity number 100
 server address ipv4 192.168.23.1
crypto map MYMAP 10 gdoi 
 set group GDOI-GROUP
 crypto map MYMAP

And on the interface towards the SP we apply the crypto map:

CE1#sh run int g1.10
Building configuration...

Current configuration : 115 bytes
!
interface GigabitEthernet1.10
 encapsulation dot1Q 10
 ip address 10.10.1.1 255.255.255.0
 crypto map MYMAP
end

 

Crypto Map Topology

We can see the same ISAKMP configuration that I mentioned is used for the secure channel to the KS. Then we simply have the location of our KeyServer and the group identifier, and that is pretty much all. Everything else (the ACL, the transform set, the TEK and the KEK) is learned from the Key Server.

After everything has been configured, the log shows the registration process (this capture is from the GM registering with address 10.10.3.1, not from CE1):

*May 15 10:37:53.245: %CRYPTO-5-GM_REGSTER: Start registration to KS 192.168.23.1 for group GDOI-GROUP using address 10.10.3.1 fvrf default ivrf default
*May 15 10:38:23.356: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*May 15 10:38:23.395: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated 0x5DB57E80F97A9A1DC16B9DBBCF7CB169
*May 15 10:38:23.395: %GDOI-5-GM_REGS_COMPL: Registration to KS 192.168.23.1 complete for group GDOI-GROUP using address 10.10.3.1 fvrf default ivrf default
*May 15 10:38:23.668: %GDOI-5-GM_INSTALL_POLICIES_SUCCESS: SUCCESS: Installation of Reg/Rekey policies from KS 192.168.23.1 for group GDOI-GROUP & gm identity 10.10.3.1 fvrf default ivrf default

Another form of verification is the “show crypto gdoi” command structure, which gives you a lot of information on the process:

CE1#sh crypto gdoi 
GROUP INFORMATION

    Group Name               : GDOI-GROUP
    Group Identity           : 100
    Group Type               : GDOI (ISAKMP)
    Crypto Path              : ipv4
    Key Management Path      : ipv4
    Rekeys received          : 0
    IPSec SA Direction       : Both

     Group Server list       : 192.168.23.1
                               
Group Member Information For Group GDOI-GROUP:
    IPSec SA Direction       : Both
    ACL Received From KS     : gdoi_group_GDOI-GROUP_temp_acl

    Group member             : 10.10.1.1       vrf: None
       Local addr/port       : 10.10.1.1/848
       Remote addr/port      : 192.168.23.1/848
       fvrf/ivrf             : None/None
       Version               : 1.0.16
       Registration status   : Registered
       Registered with       : 192.168.23.1
       Re-registers in       : 1580 sec
       Succeeded registration: 1
       Attempted registration: 3
       Last rekey from       : 0.0.0.0
       Last rekey seq num    : 0
       Unicast rekey received: 0
       Rekey ACKs sent       : 0
       Rekey Received        : never
       DP Error Monitoring   : OFF
       IPSEC init reg executed    : 0
       IPSEC init reg postponed   : 0
       Active TEK Number     : 1
       SA Track (OID/status) : disabled

       allowable rekey cipher: any
       allowable rekey hash  : any
       allowable transformtag: any ESP

    Rekeys cumulative
       Total received        : 0
       After latest register : 0
       Rekey Acks sents      : 0

 ACL Downloaded From KS 192.168.23.1:
   access-list   permit ip 192.168.12.0 0.0.0.255 192.168.34.0 0.0.0.255
   access-list   permit ip 192.168.34.0 0.0.0.255 192.168.12.0 0.0.0.255

KEK POLICY:
    Rekey Transport Type     : Unicast
    Lifetime (secs)          : 84613
    Encrypt Algorithm        : 3DES
    Key Size                 : 192     
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 2352    

TEK POLICY for the current KS-Policy ACEs Downloaded:
  GigabitEthernet1.10:
    IPsec SA:
        spi: 0xA3D6592E(2748733742)
        KGS: Disabled
        transform: esp-aes esp-sha256-hmac 
        sa timing:remaining key lifetime (sec): (1815)
        Anti-Replay(Counter Based) : 64
        tag method : disabled
        alg key size: 16 (bytes)
        sig key size: 32 (bytes)
        encaps: ENCAPS_TUNNEL

Among the most interesting parts are the KEK policy and the ACL that is in place. Note that the KEK is 3DES here: that is the KS default when no `rekey algorithm` is configured under `server local`, so add `rekey algorithm aes 256` on the KS if you want the rekey channel to be as strong as the TEK (esp-aes). Also check that the downloaded ACL is exactly the one you intended, because whatever arrives from the KS is the policy that every GM enforces.
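The checks just described can be automated. The following is an added example, not part of the original post and not Cisco code: it parses the CE1 `show crypto gdoi` output shown above (reproduced here as a constructed, abbreviated string) and reports whether the GM is registered, whether the ACL the KS pushed matches the intended CRYPTO_ACL, and whether the KEK or TEK uses a weak algorithm. The expected ACL entries and the weak-algorithm lists are this example's own assumptions.

```python
"""Audit a GETVPN group member from 'show crypto gdoi' output.

Added example (not from the original post or from Cisco). It parses the
key/value lines and the downloaded access-list of the show output and
returns the findings a reviewer would raise after registration.
"""
import re

# Constructed sample, abbreviated from the CE1 output shown in the post.
SHOW_CRYPTO_GDOI = """\
GROUP INFORMATION

    Group Name               : GDOI-GROUP
    Group Identity           : 100
    Rekeys received          : 0
    IPSec SA Direction       : Both

Group Member Information For Group GDOI-GROUP:
    Group member             : 10.10.1.1       vrf: None
       Local addr/port       : 10.10.1.1/848
       Remote addr/port      : 192.168.23.1/848
       Registration status   : Registered
       Registered with       : 192.168.23.1

 ACL Downloaded From KS 192.168.23.1:
   access-list   permit ip 192.168.12.0 0.0.0.255 192.168.34.0 0.0.0.255
   access-list   permit ip 192.168.34.0 0.0.0.255 192.168.12.0 0.0.0.255

KEK POLICY:
    Rekey Transport Type     : Unicast
    Lifetime (secs)          : 84613
    Encrypt Algorithm        : 3DES
    Key Size                 : 192

TEK POLICY for the current KS-Policy ACEs Downloaded:
  GigabitEthernet1.10:
    IPsec SA:
        spi: 0xA3D6592E(2748733742)
        transform: esp-aes esp-sha256-hmac
        Anti-Replay(Counter Based) : 64
        encaps: ENCAPS_TUNNEL
"""

# The policy configured on the KS (CRYPTO_ACL); the GM must have received exactly this.
EXPECTED_ACES = [
    "permit ip 192.168.12.0 0.0.0.255 192.168.34.0 0.0.0.255",
    "permit ip 192.168.34.0 0.0.0.255 192.168.12.0 0.0.0.255",
]

# Assumed weak-algorithm lists for this example.
WEAK_KEK_CIPHERS = {"DES", "3DES", "NULL"}
WEAK_ESP_TRANSFORMS = ("esp-des", "esp-3des", "esp-null", "esp-md5-hmac")

FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")
ACE_RE = re.compile(r"^\s*access-list\s+(?P<ace>(?:permit|deny)\s.+?)\s*$")


def parse_show_crypto_gdoi(text):
    """Return (fields, aces): the first occurrence of every 'key : value'
    line, and the access-list entries downloaded from the KS, with
    whitespace normalised so they can be compared with the KS config."""
    fields, aces = {}, []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            aces.append(" ".join(m.group("ace").split()))
            continue
        m = FIELD_RE.match(line)
        if m and m.group("key") not in fields:
            fields[m.group("key")] = m.group("value")
    return fields, aces


def audit_group_member(text, expected_aces):
    """Return a list of findings; an empty list means the GM looks as intended."""
    fields, aces = parse_show_crypto_gdoi(text)
    findings = []
    if fields.get("Registration status") != "Registered":
        findings.append("GM is not registered with the KS: no policy or keys installed")
    if set(aces) != {" ".join(a.split()) for a in expected_aces}:
        findings.append(f"ACL from KS differs from the intended policy: {aces}")
    kek = fields.get("Encrypt Algorithm", "").upper()
    if kek in WEAK_KEK_CIPHERS:
        findings.append(f"KEK (rekey) cipher is {kek}; set 'rekey algorithm aes 256' on the KS")
    transform = fields.get("transform", "").lower()
    if any(weak in transform for weak in WEAK_ESP_TRANSFORMS):
        findings.append(f"TEK transform '{transform}' uses a weak cipher or hash")
    replay = fields.get("Anti-Replay(Counter Based)", "")
    if not replay.isdigit() or int(replay) <= 0:
        findings.append("counter-based anti-replay is not active on the TEK")
    return findings


if __name__ == "__main__":
    for finding in audit_group_member(SHOW_CRYPTO_GDOI, EXPECTED_ACES) or ["OK"]:
        print(finding)
```

Run against the output above it reports exactly one finding, the 3DES KEK; feed it the output of a GM that never registered, or one whose KS pushed a different ACL, and the corresponding findings appear. The parser keeps only the first occurrence of each key, which is enough for the single-group, single-interface output shown here; a GM with several TEKs would need the TEK section parsed per interface.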

If we then verify from Client-1, we can see a couple of seconds of timeout while the encryption is being set up, and from there we have connectivity:

Client-1#ping 192.168.34.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.34.1, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 2/2/2 ms

So for something that is in theory very complex, this is very efficient from both a configuration and a control-plane point of view: every GM carries the same few lines and there are no per-peer SAs to manage. Building this lab certainly helped me understand the steps involved in setting up GETVPN, so I hope it has been relevant for you as well!

February – A busy month indeed!

Wow, what a busy month this has been!

So I started my new job on February 1st and thus far, everything has been really great.
My new coworkers are very friendly and helpful.

I’ve spent the better part of February trying to get to grips with the SP network I will be focusing on from now on. I'm still not where I want to be yet, but I'm getting there. One of the guys I will be working very closely with started cleaning up the network when he was hired 9 months ago, and he’s done a really great job with what he’s had to work with.

There is still some work to be done, however, which is the very reason they have hired me and another very good friend of mine. A well-run network is a dynamic beast which needs to be tamed. On top of that, the company growth has been around 30% a year, so a lot of structure and processes need to come with that growth, which is where I can really make a difference.

I’ve also had the good fortune of being selected as a 2016 Cisco Champion, which was a very nice surprise. I tried to squeeze in a few good technical posts last year, which I hope were useful to someone on the net. I’ve attended a few briefings so far, but they have mainly been about topics which I don't know enough about to offer any commentary on (UCS for example). I'm hoping they are working on something in the routing realm as well 🙂

So for 2016, my primary objective is as previously stated, the CCDE certification.
Next month is Jeremy Filliben’s CCDE bootcamp, which I will be attending. I hope this will kick my butt into gear (I knew the change of jobs would hit my CCDE preparation). I'm still aiming for a shot at the practical in late August.

Our Slack study group (which Daniel Dib and I started) has grown quite a bit and includes a fair number of experts in different areas. If you are serious about CCDE or network design in general, don't be shy to mail me for an invite.

There are however, technologies which I also want to be familiar with to the level of blogging about them.

These include:

– Practical Segment Routing.
– Cisco’s iWAN solution.
– A deep knowledge of the ASR9K platform.
– Programmability (Python, API’s, etc.).
Now, back to work I go 🙂

/Kim

Doing right in the VAR role!

This post is my follow-up on a recent discussion on twitter.

Working for a VAR (Value Added Reseller) is not always the glamorous life some make it out to be.

Working as a consultant, what you are really doing, is being the CEO of your own service company.
What you are selling is basically your own services. The fact that your paycheck is being signed by someone else doesn't/shouldn't really matter.

The customer is building a relationship with you, as much as the company you are working for.
On top of that, you are continually building rapport in the networking world, so in my opinion, I would rather leave the customer with a good solution than having to stick with the insane budgets that sales people end up shaving a project down to, just to get the contract.

So what can you do to create the outcome that is beneficial for all parties concerned (The customer, Your employer and yourself)?

Well, what I have tried in the past, is try and emphasize the importance of leaving the customer with the right solution based on his/her requirements and constraints. This discussion should involve both the technical side of things, as well as any account manager(s)/sales people involved. Try and focus on the long term results, such as customer satisfaction and reoccurring sales because of it.

Toward the customer, do your best to explain why solution X is better than Y, because of the requirements that are in place. Most people are sensible enough that, if you just take your time to explain the solution and have your reasoning in place, they will understand. Both of these (explaining and reasoning) are important for you to build the aforementioned rapport with the customer.

In the end, you should end up with a customer that will ask you for advice when in need, and trust your judgement when you recommend a solution. By doing this you effectively put the “fluff” from the account manager(s) aside and focus on the important work.

As engineers, we tend to focus on the technical side of a solution, but to be successful in our role(s), we also need to pay attention to the human/social aspect. Personally, this is an ongoing exercise, which I try to be very cognizant of when engaging with the customer.

So to summarize:

– Be a teamplayer, but know you are the one who has to face the customer regularly.
– Do your best to understand the customer and his/her requirements.
– Take your time to explain your solution to the customer.
– Never take the customer for granted.
– Pay attention to the social/human aspect when engaging with both the customer and your coworkers.

Now go and have a sit-down with that customer of yours!

/Kim

Passed the CCDE written. Now what?

I was fortunate enough to finally pass the CCDE written exam yesterday morning.

That begs the question of “Now What?”

Well, I will spend a couple of days putting together a study strategy, based on where I am now compared to where I need to be in order to pass the exam. As it looks now, I am probably going for a fall 2016 exam date. That gives me enough time to settle into a new job with everything that entails.

It also means that I will need to spend 2-3 hours of study per day (some weekends more than that), with a combination of watching Cisco Live 365 videos and reading CVD’s/Books.

On top of that, my good friend Daniel Dib and I, along with hopefully a few others will have some design discussions using Webex. We have been told its really important to iron out different design ideas with other people. Especially if we can get a group together with people from different areas of expertise (Datacenter, Service Provider, Enterprise etc.).

Alas, an update to this story will come shortly! 🙂

Take care!

Time for change

Its time for a change!

It was a tough decision, but I’ve decided that I need some new challenges in my professional life. To that effect, I’ve quit my old job and joined a different VAR/SP where I will be working in a skilled team of network engineers.

My duties will include maintaining and expanding a growing MPLS network, with all the services one can build on top of such a beast. Along with that, I will be attached to large enterprise customers, helping with design and implementation.

The new job is very supportive of my effort to go after the elusive CCDE certification, which was a big part of my decision as well, so expect more updates in that direction!

I’ve had some great years with awesome coworkers, but I have great confidence in the coming years as well!

Finally, a big thanks to my family and friends for supporting me through this decision process!

/Kim

Stay tuned for important news in December!!

I’ve got some important news which I will reveal in the beginning of December!

So stay tuned 🙂

 

Why Cisco?

Why do I keep focusing so much on Cisco, when there are clearly a lot of different vendors out there with similar products and technologies?

There are several reasons for this.

1) I began the professional part of my networking career with Cisco.
2) Cisco has a proven track record when it comes to education and learning.
3) Even though not always the best match for all use-cases, Cisco is a big player in almost all areas of networking.
4) The networking opportunities provided by Cisco are by far the best of what I've seen. Take for example the Cisco Learning Network.
5) Cisco Press is really awesome in my opinion. They have a lot of really high quality books out there.
6) Great opportunities to interact with the company. By this I mean participating in programs like Cisco Champions and different SME (Subject Matter Expert) related activities.
7) Cisco documentation is not perfect, but it's hands down the best I’ve seen across multiple vendors.
8) And of course Cisco Live! 🙂

That being said, recently I have begun to take a more neutral look at technologies. The reason being that, in this day and age, proprietary technologies become less preferred than open and standardised ones. This means that more interoperability is possible, and to understand the big picture one cannot rule out other players.

All in all, I see a lot of value in leaning towards Cisco. At least that's my outlook on things at the moment.

The case for lifelong learning.

People often ask me why I keep studying and when I will be “done”.
To me, this type of question seems odd, because I am committed to lifelong learning.

I am of the opinion that going through life without learning something all the time would be a life wasted. I think this goes back to the early explorers. Discovering new things, whether it be a new continent or simply a piece of knowledge, really excites a certain type of people.

I am by no means comparing myself to these great explorers, but I understand what drove these legendary people to do the things they did, whether it be Columbus or, more recently, modern day astronauts.

My studies, whether they be in the field of networking or more personal, will continue until the day I leave this crazy world.

There is so much information and knowledge that's readily available in our day and age that I would find it hard to simply ignore it and just lean back and say: “that's it, I'm done!”.

As I write this post, it's about 6am in the morning. Part of my morning ritual is getting to the office early and spending some time studying before I start work. It helps me get into the mental rhythm.

So I have a job for you! Tonight, instead of spending an hour or more watching TV, try and pick a book on a topic that's of interest to you, and read for a bit. You’ll be amazed at how it makes you feel. Afterwards you will have picked up a bit of knowledge you didn't have before! It's THAT easy!

Thanks for taking the time to read this post!

My first Cisco Live!

Even though I'm still in San Diego, Cisco Live! US 2015 is but a memory.

But what a memory it is! It being my first time attending a Cisco Live conference, I didn’t really know what to expect.

What I was met with, was a conference full of really sharp and nice people. The conference staff was very helpful and polite and really made an impression on me, from the time I first stepped onto the pavement outside San Diego convention center.

We (I brought my better half to the US) arrived very late on saturday, so after a good nights sleep I took the bus to the convention center to register and pick up the first piece of swag, the famous Cisco Live bag.

One of the great benefits of attending the conference was meeting with my good friend Daniel Dib (from lostintransit.se). I hadn’t seen him since January, so it was really cool to meet up with him during the week.

On Monday Daniel and I attended a session together, but most other sessions I went to alone. For the record, I paid for this trip out of my own pocket, so I didn’t have any co-workers or anything to tag along.

Tuesday was also spent in sessions, but in the evening there was the famous CCIE party, where my +1 was a friend of Daniel's, Rihkka, a network engineer from Finland. She’s also in the VIP program along with Daniel. It was very nice meeting her. I also met with people from back home for morning coffee (which was actually iced coffee since it was fairly hot outside).

Wednesday I gave the CCDE written a shot, but unfortunately didn’t pass. It's a really weird exam if you ask me. It's supposed to be a technology design exam, but, I don't know. It just irks me somehow. Also, I had the good fortune of having a talk with Jeremy Filliben (http://www.jeremyfilliben.com), a renowned CCDE trainer. He gave some good advice along with information about his upcoming CCDE training programs. Very nice guy indeed. Since I lost track of Daniel for lunch, I was fortunate enough to run into Rihkka again. So we had lunch together, where she could explain a bit more about Finland to me 🙂

Thursday, things slowed down a bit. I decided to cancel some sessions to get time to meet up with folks. During this day I also had a chance to meet with some folks from the Cisco Champion program, which was very good. Unfortunately a private QoS session for Cisco Champions was cancelled, which I was pretty bummed about. It would have been pretty awesome to meet Tim Szigeti, the QoS guy 🙂

Finally I said my goodbyes to Daniel and headed back to the hotel. My first Cisco Live conference under my belt!

Would I recommend this as good value for a network engineer? Absolutely! The inspiration from the breakout sessions alone would be enough to justify it, but the social aspect of it all is what really makes the point!

I will do my very best to come back next year!