Network change – who is in control?

Posted on by John Harrington

Network Change

Nothing sparks engineering debate quite as much as ‘network change control’. It’s one of those topics we love to hate. We feel buried by useless bureaucracy. We ask, ‘Why can’t our managers just trust us, instead of weighing us down with meaningless process and red tape?’

This may be a controversial perspective but I think we’ve gotten exactly what we deserve. We endure heavyweight change control procedures because when we make network changes we break stuff. We break stuff in truly spectacular ways, in ways we could never have predicted. We hit weird bugs, asymmetric configuration, faulty hardware, poor process, or we just have a brain fart/fat-finger/etc.

Continue reading

Posted in operations, process | Tagged change control, process | 2 Replies

VTY ACLs don’t block HTTP/S access

Posted on by John Harrington

I was doing some testing on a 3750X and saw that the http and https services were enabled. I knew that you could apply an ACL to restrict HTTP access, but had assumed that the HTTP security was an optional extra on top of the VTY ACL.

I tested this … and found out I was wrong. Although http(s) uses the same in-band access path as SSH, web admin is not restricted in any way by VTY ACLs.
This will be quite obvious to some readers but it wasn’t for me, so I’ll assume at least one other person on the interwebz had the same issue.

Continue reading

Posted in operations | Tagged acl, audit, https, proces, vty | 2 Replies

Link Utilisation Varies By Packet Size

Posted on by John Harrington

I said to a colleague recently, “you can’t get 100% link utilisation on an Ethernet link”. When I tried to explain myself I wished I could link to a simple blog post with a nice graph. So here’s a quick blog post with a nice graph. I have talked a little about link speed in a previous post, but I wanted to expand on this and add a quick graph to back up the argument.

Continue reading

Posted in hardware, operations, protocols, Testing | Tagged ip, line-rate, MTU, packet size, throughput, utilisation | 2 Replies

SPAN Scaling Challenge

Posted on by John Harrington

I’m facing a mini scaling challenge with a Cisco SPAN (Switched Port ANalyzer) session and thought it would be good to share it with you fine folk.

SPAN Challenge

A 3750X switch is currently SPAN-ing a 10Gbps interface to a 1Gbps egress port. A server is directly attached and is using dumpcap to capture a subset (5%) of the overall traffic for analysis.

The 10G link is under-utilised, but is running close to the 1Gbps traffic limit in the Rx direction. Tx traffic is very low by comparison, but the SPAN session is capturing both directions.

The aggregated flow from both directions is overrunning the SPAN destination 1Gbps port. The challenge is to ensure we can continue to capture without discarding any interesting data. Let’s explore the options together.

Continue reading

Posted in network design | Tagged capture, design, FSPAN, SPAN, tap | 2 Replies

Four Trouble Ticket Survival Tips

Posted on by John Harrington

Sometimes the phrase ‘working the ticket queue’ is code for ‘doing meaningless work’. If you find yourself playing whack-a-mole with your ticket queue, then this is the post for you. You should strive to do meaningful work and this post discusses some ways to get more value out of the trouble ticketing process. Continue reading

Posted in operations, process | Tagged operations, process, trouble ticket | Leave a reply

3 Suggestions for Network Automation

Posted on by John Harrington
Network automation is a hot topic right now. However, many of the automation solutions focus on edge-port provisioning. I can understand why vendors are chasing this niche; port-provisioning is a high-volume and error-prone activity.

Network Automation Ideas

Port provisioning isn’t the only cause of heartache in networking. In this post I’ve shared a few painful problems that the network industry could tackle instead. I want to get you thinking and talking about the poor processes which sap your concentration and resolve, and how we could tighten your process then automate the pain away.

Continue reading

Posted in operations, process, Value | Tagged automation, effectiveness, process | Leave a reply