



(K)ey (R)einstallation (A)tta(C)(K)

Breaking WPA2 by forcing nonce reuse

It’s been a long day and I wanted to have some fun with this post. I was onsite with several customers today when the news broke publicly. I only knew about it at a high-level in the morning and didn’t have time to digest the magnitude nor details of the vulnerability until this evening.

You see, for me this feels somewhat like Deja Vu. I remember the day when it was discovered that WEP had a key weakness in its security algorithm. That weakness was simple. Collect enough 3 Byte Initialization Vectors (IVs) that are transmitted in clear text and you could use commercial off the shelf hardware (Atheros chipset) and software (BackTrack now known as Kali Linux/aircrack-ng/JTR) to crack the key. It was stupid simple to execute this attack and ultimately was the demise of WEP.

Fast forward 11+ years and here we are talking about another major vulnerability affecting pretty much EVERY wireless network deployed. The saving grace… This is NOWHERE near as bad as the WEP exploit and can be fixed.

Just the Facts

Next Steps






I wholeheartedly agree with you Mathy!


Catalyst 9300: Hands-On Review


Cisco Catalyst 9300 (First Impressions)

I received an email from our awesome lobby ambassador about two packages that arrived in the Malvern office. I didn’t remember what I ordered and quickly forgot about the packages because, it was such a chaotic week. When I finally made my way to the office, I saw the boxes in the mail room and thought “NO! That can’t be them already…”. Upon closer inspection, they were in fact the Catalyst 9300’s I had ordered.

Now, I don’t get as excited about gear as I used to. Perhaps it’s because I know what’s in store… Software updates, uncomfortably high temps in my home office, figuring out why a certain command syntax isn’t working for me, lots of reading, in other words… WORK!

Then again, this is the Cat9K and the cornerstone of Cisco’s SDA fabric and something our customers are really curious about so, it’s totally worth it!

Here’s what I received.

2x (C9300-24P) w/ DNA Advantage Licensing

Standard (zero-cost) StackPower (30cm) and StackWise-480 (50cm) cables. Single PSU (715W) per switch. 24p of 10/100/1000Mbps PoE and 8x 10Gbps network module (NM).

Let’s start with the new and simplified licensing model for the Catalyst 9Ks.

There are four licenses for the C9300.

Network Essentials
Network Advantage
DNA Essentials 
DNA Advantage

Network Essentials and Advantage are perpetual platform based base licenses. These licenses are locked to the hardware. Between them, the base licensing packages cover switching fundamentals, management automation, troubleshooting, and advanced switching features.

DNA Essentials and Advantage are term based (3, 5, 7 year). In addition to on-box capabilities, the features available with this package provide Cisco innovations on the switch, as well as on Cisco DNA Center, in the APIC-EM. Think of this much like CiscoOne for the Cat3850s.

Licensing Combinations

                    Cisco DNA Essentials   Cisco DNA Advantage
Network Essentials  Yes                    No
Network Advantage   Yes                    Yes

Essentials and Advantage Package Features


Network Essentials

Network Advantage

Cisco DNA Essentials

Cisco DNA Advantage

Switch features

Switch fundamentals
Spanning Tree Protocol (STP), Rapid STP (RSTP), VLAN Trunking Protocol (VTP), trunking, Private VLAN (PVLAN), dynamic voice VLAN, IPv6, PnP, Cisco Discovery Protocol, 802.1Q tunneling (Q-in-Q), Routed Access – OSPF and RIP, Policy-Based Routing (PBR), Virtual Router Redundancy Protocol (VRRP), Internet Group Management Protocol (IGMP), PIM Stub, Weighted Random Early Detection (WRED), First Hop Security (FHS), 802.1X, MACsec-128, Control Plane Policing (CoPP), Cisco TrustSec® SGT Exchange Protocol (SXP), IP SLA Responder, SSO, EIGRP Stub, Microflow Policing, Class-Based Weighted Fair Queuing (CBWFQ), hierarchical QoS (H-QoS), Application Reporting, Syslog, SNMP

Advanced switch capabilities and scale
BGP, EIGRP, Hot Standby Router Protocol (HSRP), IS-IS, Bootstrap Router (BSR), Multicast Source Discovery Protocol (MSDP), Bidirectional PIM (PIM-BIDIR), Label Switched Multicast (LSM), IP SLA, Full OSPF

Network segmentation
VPN Routing and Forwarding (VRF), Virtual Extensible LAN (VXLAN), Cisco Locator/ID Separation Protocol (LISP), Cisco TrustSec, SD-Wireless, Multiprotocol Label Switching (MPLS), Layer 3 VPN (L3VPN), Multicast VPN (mVPN)

Optimized network deployments
mDNS gateway

Netconf/YANG, PnP Agent, ZTP/Open PnP

Advanced automation
Containers, Python, Cisco IOS Embedded Event Manager (EEM), Autonomic Networking Infrastructure

Telemetry and visibility
Streaming telemetry, sampled NetFlow, Switched Port Analyzer (SPAN), Remote SPAN (RSPAN)

Advanced telemetry and visibility
Flexible NetFlow, Wireshark

Optimized telemetry and visibility
Encapsulated Remote SPAN (ERSPAN), Application Visibility and Control (AVC), NBAR2

High availability and resiliency
NSF, Graceful Insertion and Removal (GIR)

High availability and resiliency


Advanced security
Encrypted Traffic Analytics (ETA)

Cisco DNA Center Features

Day 0 network bring-up automation
Cisco Network Plug-n-Play application, network settings, device credentials

Element management
Discovery, inventory, topology, software image, licensing, and configuration management

Element management

Network monitoring
Product Security Incident Response Team (PSIRT) compliance, end-of-life/end-of-sale reporting, telemetry quotient, client 360, device 360, top talkers/ NetFlow/streaming telemetry collection and correlation

Static QoS configuration and monitoring
EasyQoS application

Policy-based automation
SD-Access, group-based policy for access, app prioritization, monitoring, and path selection;
SD-Access with Integrated Wireless

Network assurance and analytics
Insights driven from analytics and machine learning for the network, clients and applications that cover onboarding, connectivity, and performance

A couple of takeaways from this features & license eye chart.

DNA Advantage is REQUIRED for SMU (hot patching), Encrypted Traffic Analytics, ERSPAN, and AVC/NBAR. DNA Essentials is REQUIRED for advanced network automation and programmability.

All that said, let’s get into my initial impressions of this switch.

  • Design: Very clean industrial design. The top cover almost looks white, but it’s just a light shade of silver. Intuitive icon LED indicators. Clean angles and not as deep as I thought it was. In fact, width and depth are identical at 17.5″. Height is standard 1RU or 1.73″

  • Air Flow: Port side intake and rear exhaust. It also appears that near the front (port-side) there are additional intake vents on the side. Fan noise was very low when the room was properly cooled, but as expected the fan speed and noise ramped up when the room reached 80+℉.
  • StackWise-480 and PowerStack: Data stacking (480Gbps) and power stack use the identical cables and procedure as the 3850. You can stack up to eight switches in a DataStack and 4 in a ring PowerStack or 8 in a star PowerStack topology.
  • Network Modules/Uplinks: Interestingly enough, the network modules are backwards compatible with the existing NMs for the 3850s. I thought that was cool, because I have a ton of 3850 NMs and tried them out. Worked 100%. Another observation was the C9300 has a spring loaded mechanism that makes removing the modules seamless and natural. It’s almost as if a helping hand was inside the chassis saying “here’s your network module Shaun, please take good care of it for me”. <GRIN>
    • The hardware installation guide stated the NMs were “hot swappable”, so of course I tried this without gracefully powering down the NM and it worked as expected.
    • “The network module is hot-swappable. If you remove a module, replace it with another network module or a blank module.”

  • Code: I noticed some strange behavior with the factory loaded 16.5.1a (Everest), so I upgraded to 16.6.1 (Everest) and that seemed to correct this issue.
    • Just like the Cat3850, you have install or bundle mode with install mode being the default and recommended mode.
    • New command syntax (new vs. the 3850 & 3.6 IOS-XE) for software install/upgrade.
    • “request platform software package install switch all file flash:xxx.bin auto-copy”
  • System Memory: 16GB of flash RAM and 8GB of DRAM. So, plenty of memory on this platform.
  • RFID tag: I couldn’t for the life of me find the RFID tag. I pinged the Cat9k BU and they enlightened me. #1 my RFID/NFC reader/writer was not compatible with this type of tag (EPC Gen2/ISO 18000-6C compliant) and #2 The tag is in stealth mode under the front bezel. See image for details.
  • Open IOS-XE: One word, AMAZING! I have waited so long for on-box/off-box programmability on the Catalyst platforms and it’s finally here. You got on-box python, bash shell, NETCONF(SSH)/RESTCONF(HTTPS)/YANG, LxC, SMU/hot patching. This ain’t your mommy/daddy’s switch. 
  • ASIC: Doppler/UADP v2.0 programmable ASIC, more buffer and line rate. NUFF SAID!

In summary, I’m excited more than ever for the future of networking and where we go with SDA! From what I experienced with the Cat9300, the BU has done an amazing job delivering on the next generation of enterprise switches and set a very high bar for the competition.

One more thing…
From what I can tell, the C9300 is also less expensive vs. the C3850.

The future of networking is now!

Reference Links

Release Notes for IOS-XE 16.6.1 (Everest):
The Network. Intuitive.


A New Network for a New Era

Well, the cat is finally out the bag…

I’ve been biting my lips for the last several months working on campus designs with customers. That’s because internally at Cisco, all the buzz was around bringing SDN and most importantly intent driven networking to the campus in a BIG way. This is very much akin to how Cisco transformed the data center with ACI. In fact, I’ve heard verbatim from customers “why doesn’t Cisco have an ACI like solution for the campus?”.

Like I said earlier, I had to bite my lip each time I heard this comment unless we went through the mutual NDA process and even then we provided only a brief glimpse at what was coming.

I’d like to focus on ACI fabric automation and deployment when I draw a comparison to what I envision software defined access (SD-Access/SDA) will be.

In an ACI data center, I simply cable my spine/leaf switches and plug in my APIC controllers to the leaf.  I then go through a 5 minute setup process to define my credentials, TEP pool, infrastructure VLAN ID, and a couple other simple prompts on the APIC controller.

At this point, my ACI fabric is ready to go and all I need to do is register my leaf switches to the fabric , give them a name and ID and I’m off to the object/policy creation steps. Once my policy model and objects are set, it really becomes rinse and repeat. The key with this intent based networking is agility and automation at scale.

I didn’t have to give each leaf a management IP, specify VLANs, credentials, access methods, trunk ports, setup routing protocols, etc… While that’s how I’ve been doing things for over two decades, recently my eyes were opened to what happens to that traditional/static model at scale. Quite frankly, it falls apart unless you got some awesome scripting folks automating box-by-box configs with tools like ansible/jinja/python.

In addition, native/embedded security is critical to detect and mitigate threats in the campus network. Detecting threats in encrypted traffic is a pretty amazing “nerd knob”.

In closing, I see a bright future for the campus network.  A future where the campus wired/wireless/WAN have embedded security functionality, deep contextual information (abstract subnet/vlan ID) of attached devices, is intent driven to allow automation at scale, and intuitive enough to deliver actionable and predictive insights.

If you’re going to Cisco Live next week, expect some major deep dive sessions on Cat9K, DNA, and more.


#WeAreCisco #Innovation

#CiscoDNA #NetworkIntuitive

Links & References

CCIE DNA: Reality or Myth?



It all started at #CLUS

Unfortunately, I was unable to attend Cisco Live US in Las Vegas this year. Don’t shed any tears for me as I was fortunate enough to have customers, friends, and co-workers attend. They got me some sweet swag and provided a play-by-play as things unfolded.

One such morsel of information was regarding a “CCIE DNA” or “CCIE GUI”.

At first I was just sitting in front of my monitor drifting into space thinking what the format of such a practical exam would look like. Would it be exploratory like my transition experience from R/S v3 to v4 (open ended questions, remove open ended questions, add troubleshooting, leverage virtual & physical environments, etc)?

Then I envisioned an entire exam based on APIC-EM/APIC-DC, NFV, Postman, and lots of mouse clicking. It’s this very thought that I started to break out in a cold sweat from the possibility of CLI withdrawal.

This was roughly 6 weeks ago… Now that the dust has settled, I decided to dig into this “rumor” a little more. I was especially motivated after I observed confusion in the twittersphere today.


  • At #CLUS 2016 our commander and chief, Mr. Chuck Robbins provided insight into the importance of Digital Network Architecture (DNA). It’s not so much a product, but embracing emerging technologies such as automation, mobility, cloud, IoT, and analytics. In addition, Chuck discussed how important emerging technologies are and how we’ve never brought the application + network together from a visibility perspective.
  • My understanding is Chuck also discussed a DNA user group that would be certifying engineers with reference to the CCIE tracks. I believe this is where some folks walked away with the thought that Chuck announced a standalone CCIE DNA track.
  • I did some fact finding with our very own CCDE/CCAr program manager, Elaine Lopes @elopes01 and the reality is somewhere in the middle. 

The plan is to incorporate the DNA architecture and other evolving technologies into the pertinent CCxE tracks vs. being a separate track.

I can already see hints at this when I downloaded the current (v 2.1) CCDE written blueprint. There’s a new section in this version labeled “5.0: Evolving Technologies”. While this doesn’t explicitly state “DNA”, it does have network programmability/SDN and cloud which are core to DNA.


The “evolving technologies” section is NOT isolated to the CCDE either!
You can read more about it at Elaine’s blog titled “Myth Busters & Evolving Technologies” 


Disclaimer: This is the current plan as I know it. However, as with anything in our field it’s always subject to change. <GRIN>

My 2c FWIW

I’m excited that we’re putting evolving technologies into the various blueprints. There isn’t a day that goes by where a customer conversation doesn’t include leveraging cloud workloads, making sense of all the analytical (especially infosec) data collected, network programmability, or “SDN”.

In addition, I feel strongly that using the generic topic of “Evolving Technologies” gives the CCxE program managers the ability to keep the exams fresh and relevant. This is at least the case for the written exams; how evolving technologies are incorporated into the practical is still TBD.

My thought is that the CCxE tracks will start to incorporate DNA into both the written and practicals. How that story unfolds will be one that I’ll watch closely and post updates on.

I’m waiting for a CCIE R/S candidate to say “Gomez, you got an instance of APIC-EM I can lab on?”.


ConfigBytes: ASA 5506x w/ FirePOWER Services



Getting Started with the ASA5506x & FirePOWER Services


Official Quick Start Guide:

FirePOWER User Guide:

FirePOWER Services for ASA Data Sheet:


TL:DR Key Points

  • Since the ASA5506x doesn’t have built-in switch capabilities (yet), you will need a L2 switch to connect the management interface which is used for firepower services module and your inside ASA interface for management. If you have an L3 switch the FirePOWER management interface can be on a different subnet from your inside ASA interface.
  • Download ASDM 7.4(3) image, ASA 9.4(1)3 and the latest firepower/sourcefire sensor patch ( at this time). Place these files on the ASA flash, upgrade and point to the new ASDM file.
  • Create a username/password w/ PRIV 15 for ASDM access. “username Wu-Tang password KillaBeesOnTheSwarm privilege 15”
  • I highly recommend using the ASA Startup Wizard, this is much easier than a console session (“session srf console”) to the FirePOWER services module for setup of management.
  • Default Username/Password for the SourceFIRE module is admin/Sourcefire
  • Upgrade FirePOWER through ASDM or FireSight. Remember you can use ASDM or FireSight to manage the FirePOWER services.
  • Install your FirePOWER licenses
  • Don’t forget to configure a service policy on the ASA to redirect traffic to the FirePOWER module.


Final Config

5506xFPS(config)# sh run
: Saved
: Serial Number: <removed>
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
ASA Version 9.4(1)3
hostname 5506xFPS
domain-name cisco.lab
enable password <removed>
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
interface GigabitEthernet1/2
no nameif
no security-level
no ip address
interface GigabitEthernet1/3
no nameif
no security-level
no ip address
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
interface GigabitEthernet1/5
no nameif
no security-level
no ip address
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
interface GigabitEthernet1/8
description Inside_2
nameif inside2
security-level 100
ip address
interface Management1/1
no nameif
no security-level
no ip address
boot system disk0:/asa941-3-lfbff-k8.SPA
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name cisco.lab
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging buffer-size 8192
logging asdm-buffer-size 250
logging console emergencies
logging asdm alerts
mtu outside 1500
mtu inside2 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-743.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside2,outside) after-auto source dynamic any interface
route inside2 1
route inside2 1
route inside2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http inside2
no snmp-server location
no snmp-server contact
sysopt noproxyarp outside
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=,CN=5506xFPS
crl configure
crypto ca trustpoint ASDM_TrustPoint0
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
telnet timeout 5
ssh scopy enable
ssh stricthostkeycheck
ssh pubkey-chain
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address inside2
dhcpd dns interface inside2
dhcpd lease 28800 interface inside2
dhcpd enable inside2
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server source outside prefer
dynamic-access-policy-record DfltAccessPolicy
username asa password encrypted privilege 15
username admin password encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
class-map global-class-SF
match any
policy-map type inspect dns preset_dns_map
message-length maximum client auto
message-length maximum 512
policy-map global_policy
description Global+SF
class global-class-SF
sfr fail-close
class inspection_default
inspect dns preset_dns_map
inspect esmtp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
policy-map type inspect dns migrated_dns_map_1
message-length maximum client auto
message-length maximum 512
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
profile CiscoTAC-1
no active
destination address http
destination address email
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 8
subscribe-to-alert-group configuration periodic monthly 8
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
: end
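
The last TL;DR point (a service policy that redirects traffic to the FirePOWER module) can be checked mechanically against a saved running-config. This is an added example, not part of the original post or any Cisco tool; the function name and both sample configs are constructed, the first mirroring the policy lines of the final config above.

```python
def audit_sfr_redirect(config_text):
    """Report every 'sfr' redirect in an ASA config and whether it is in force.

    Keys on command keywords rather than indentation, so it accepts both real
    'show run' output and flattened copies of it.
    """
    class_matches = {}  # class-map name -> its match criteria
    redirects = []      # (policy-map, class, failure mode, monitor-only?)
    applied = {}        # policy-map name -> scopes it is attached to
    cmap = pmap = cls = None

    for raw in config_text.splitlines():
        tok = raw.split()
        if not tok or tok[0][0] in ":!":
            continue
        head = tok[0]
        if head == "class-map" and len(tok) > 1:
            cmap, pmap, cls = tok[-1], None, None
            class_matches.setdefault(cmap, [])
        elif head == "policy-map" and len(tok) > 1:
            # "policy-map type inspect ..." maps tune an inspection engine;
            # only layer 3/4 policy maps can carry the sfr action.
            cmap = cls = None
            pmap = None if tok[1] == "type" else tok[1]
        elif head == "match" and cmap:
            class_matches[cmap].append(" ".join(tok[1:]))
        elif head == "class" and pmap and len(tok) > 1:
            cls = tok[1]
        elif head == "sfr" and pmap and cls and len(tok) > 1:
            redirects.append((pmap, cls, tok[1], "monitor-only" in tok))
        elif head == "service-policy" and len(tok) > 2:
            # service-policy NAME global | service-policy NAME interface IFNAME
            applied.setdefault(tok[1], []).append(" ".join(tok[2:]))
            cmap = pmap = cls = None

    findings = []
    for policy, klass, mode, monitor in redirects:
        notes = []
        if policy not in applied:
            notes.append("policy-map is not attached by any service-policy")
        if mode == "fail-open":
            notes.append("fail-open: traffic passes uninspected while the module is down")
        if monitor:
            notes.append("monitor-only: the module gets a copy and cannot block")
        findings.append({
            "policy_map": policy,
            "class": klass,
            "matches": class_matches.get(klass, []),
            "mode": mode,
            "monitor_only": monitor,
            "applied_to": applied.get(policy, []),
            "notes": notes,
        })
    return findings


# Constructed sample 1: the policy lines of the post's final config, flattened
# the same way they appear on the page.
PAGE_POLICY_LINES = """\
class-map inspection_default
match default-inspection-traffic
class-map global-class-SF
match any
policy-map type inspect dns preset_dns_map
message-length maximum client auto
policy-map global_policy
description Global+SF
class global-class-SF
sfr fail-close
class inspection_default
inspect dns preset_dns_map
service-policy global_policy global
"""

# Constructed sample 2: a redirect that exists but is never applied, and that
# would neither block nor fail closed even if it were.
UNAPPLIED_POLICY = """\
class-map SFR-WEB
 match port tcp eq 443
policy-map SFR-POLICY
 class SFR-WEB
  sfr fail-open monitor-only
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global
"""

if __name__ == "__main__":
    for name, cfg in (("page config", PAGE_POLICY_LINES),
                      ("unapplied policy", UNAPPLIED_POLICY)):
        results = audit_sfr_redirect(cfg)
        if not results:
            print("%s: no sfr redirect configured" % name)
        for f in results:
            print("%s: %s/%s %s applied_to=%s notes=%s" % (
                name, f["policy_map"], f["class"], f["mode"],
                f["applied_to"], f["notes"]))
```

An empty result means the config has no `sfr` action at all, which is the case the TL;DR bullet warns about.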

Video Example of URL Filtering with FirePOWER

Hope this latest #ConfigBytes was helpful!

ConfigBytes: Nexus 6000/5600 Latency & Buffer Monitor



Episode 2
Platforms: Nexus 6000 & 5600 (UPC based ASIC)


Latency Monitor:

Full Documentation

The switch latency monitoring feature marks each ingress and egress packet with a timestamp value. To calculate the latency for each packet in the system the switch compares the ingress with the egress timestamp. The feature allows you to display historical latency averages between all pairs of ports, as well as real-time latency data.

You can use the latency measurements to identify which flows are impacted by latency issues. In addition the statistics generated by the switch latency monitoring feature allow you to plan network topologies, manage incident responses and identify root causes for application issues in the network. You can also use the statistics to provide a Service Level Agreement (SLA) for latency intensive applications.

Configuration Example for Switch Latency Monitoring

Requires 7.x code

This example shows how to configure switch latency monitoring:

switch(config)# hardware profile latency monitor base 800
switch(config)# interface ethernet 1/1
switch(config-if)# packet latency interface ethernet 1/2 mode linear step 40
switch(config-if)# packet latency interface ethernet 1/3-4 mode exponential step 40
switch(config-if)# packet latency interface ethernet 1/5 mode custom low 40 high 1200
switch(config)# interface ethernet 2/1
switch(config-if)# packet latency interface ethernet 1/1 mode exponential step 80

Buffer Utilization Histogram:

Full Documentation

The Buffer Utilization Histogram feature enables you to analyze the maximum queue depths and buffer utilization in the system in real time. Instantaneous or real time buffer utilization information is supported by the hardware. You can use software to obtain the history of the buffer usage by polling the hardware at regular intervals. Obtaining an historic timeline of the buffer usage provides a better picture of the traffic pattern in the system and helps in traffic engineering. Ultimately, you are able to make better use of the hardware buffer resources.

On the Cisco Nexus device, every three ports of 40 Gigabit Ethernet or every 12 ports of 10 Gigabit Ethernet have access to a shared 25 Mb packet buffer. 15.6 Mb are reserved for ingress and 8.6 Mb are reserved for egress. The remaining space is used for SPAN and control packets.

The Buffer Utilization Histogram enables you to do the following:

  • Configure buffer utilization history measurements on the interested ports.
  • View buffer utilization over an interval of time.
  • Configure either a slow or a fast polling mode.
  • Copy collected statistics to the buffer_util_stats file on the bootflash drive every hour to allow for later analysis. The collected statistics are appended to the end of the file after an hour and a timestamp is placed in the header that has the interface name.

Configuration Example for Buffer Utilization:

Requires 7.x code

switch# configure terminal
switch(config)# interface ethernet 1/1
switch(config-if)# hardware profile buffer monitor

Output Examples for Buffer Utilization Histogram


Write Histogram Data to File & Syslog Alert via EEM/Python

Python Script:

import re
import sys
import syslog
from cisco import cli

def parse_and_print_interface(input_string):
    print("Received input - {0}".format(input_string))
    # Pull the interface name (e.g. Ethernet1/1) out of the syslog message
    result = re.findall(r'\bEthernet\w+\W+\w+', input_string)
    print(result)
    if not result:
        return
    show_cli_cmd = "show hardware profile buffer monitor interface " + result[0] + " history detail"
    # show_cli_cmd = "show hardware profile buffer monitor all history detail"
    # Execute the command on the switch and append the timestamped output to bootflash
    print(show_cli_cmd)
    time1 = cli("show clock")
    raw_output = cli(show_cli_cmd)
    output1 = time1 + raw_output + "\n"
    with open("/bootflash/EEM_buffer_log", "a") as target:
        target.write(output1)
    # Capture the burst counters at the same moment
    time2 = cli("show clock")
    raw_output2 = cli("show interface burst-counters")
    output2 = time2 + raw_output2 + "\n"
    with open("/bootflash/EEM_burst_log", "a") as target:
        target.write(output2)

def main():
    print(sys.argv)
    # Assumption: EEM hands the syslog message over as command-line arguments
    parse_and_print_interface(" ".join(sys.argv[1:]))

if __name__ == "__main__":
    main()

EEM Script:

event manager applet burst_monitor
  event syslog pattern "bigsurusd"
  action 1 cli source -l "$_syslog_msg"

Cisco Smart Install


This is my first post in a new series called “Config Bytes”.

My objective is simple. Take a technology that I’m working on with a customer and post the data points.


A global company asked me if there was an easy way to provision switches for rapid deployment. They are somewhat limited on networking personnel and this would save the team some time if they could automate the staging of switches before deployment. The basic requirements were a standardized image depending on the platform and initial config for access switches. I had two viable solutions to match these requirements: 1) Prime Infrastructure Plug & Play 2) Smart Install


Smart Install:

Since the launch of the 3850/3650 access layer switches, we had slides that mentioned all the value add features of the Catalyst line. One of those bullet points was smart install and I remember this for the 3750x as well. At the end of 2014, we put out an updated configuration guide for smart install. I used this as a basis for design and configuration.

You can read up on all the details, but let me summarize a few key points.

  • Smart Install is a plug-and-play configuration and image-management feature that provides zero-touch deployment (ZTD) for new switches. You can ship a switch to a location, place it in the network and power it on with no configuration required on the device.
  • Two roles for the switch infrastructure “clients” & “director”
  • Director can be a multilayer switch or router
  • Clients connect to director and pull down image and config without any intervention (ZTD)
  • If a client switch was already deployed, you must “wr erase” and reload without a startup-config for smart install to work. Out of the box, no intervention required.
  • If using an L3 switch for director the smart install “vstack” VLAN must be up or the director can fall back to a client role. Just make sure the VLAN has at least one access port up/up if using that SVI for the director.
  • TFTP and DHCP services are required, however they can co-reside on the director. This is how I configured it in the example inline.
  • Make sure your director device has plenty of flash memory to store the images and configs. If you have many different PIDs, you’re going to need more flash. I found that 2GB on the 3650/4500x was sufficient for my customer.
  • Be patient while the image is loaded to the client. This process takes time (sometimes up to an hour).
  • I found that using the .tar format for the images worked the best. I’m not even sure if the .bin format is supported.
  • If you want to verify the supported clients on the director use this command “show stack group built-in ?”

Table A-1 Supported Switches

Switch  Can be Director?  Can be Client? 
Catalyst 6500 Supervisor Engine 2T-10GE Yes No
Catalyst 4500 Supervisor Engine, 6E, 6LE, 7E, 7LE Yes No
Catalyst 3850 Yes Yes
Catalyst 3750-X Yes Yes
Catalyst 3750-E Yes Yes
Catalyst 3750 Yes Yes
Catalyst 3650 Yes Yes
Catalyst 3560-X Yes Yes
Catalyst 3560-E Yes Yes
Catalyst 3560-C No Yes
Catalyst 3560 Yes Yes
Catalyst 2960-S No Yes
Catalyst 2960-SF No Yes
Catalyst 2960-C No Yes
Catalyst 2960-P No Yes
Catalyst 2960 No Yes
Catalyst 2975 No Yes
IE 2000 Yes Yes
IE 3000 Yes Yes
IE 3010 Yes Yes
SM-ES2 SKUs No Yes
SM-ES3 SKUs No Yes
NME-16ES-1G-P No Yes
SM-X-ES3 SKUs Yes Yes

Table A-2 Supported Routers 

Router  Can be Director?  Can be Client? 
Cisco 3900 Series Integrated Services Routers G2 Yes No
Cisco 2900 Series Integrated Services Routers G2 Yes No
Cisco 1900 Series Integrated Services Routers G2 Yes No
Cisco 3800 Series Integrated Services Routers Yes No
Cisco 2800 Series Integrated Services Routers Yes No
Cisco 1800 Series Integrated Services Routers Yes No

Table A-3 Minimum Software Releases for Directors and Clients

Directors  Minimum Software Release 
Catalyst 6500 Supervisor Engine 2T-10GE Cisco IOS Release 15.1(1)SY
Catalyst 4500 Supervisor Engine 7E and 7LE Cisco IOS Release XE 3.4SG
Catalyst 4500 Supervisor Engine 6K and 6LE Cisco IOS Release 15.1(2)SG
Catalyst 3850 Cisco IOS Release 3.2(0)SE
Catalyst 3650 Cisco IOS Release 3.3(0)SE
Cisco 3900, 2900, and 1900 Series Integrated Services Routers G2 Cisco IOS Release 15.1(3)T
Cisco 3800, 2800, and 1800 Series Integrated Services Routers Cisco IOS Release 15.1(3)T
Catalyst 3750-E, 3750, 3560-E, and 3560 Switches Cisco IOS Release 12.2(55)SE
Catalyst 3750-X and 3560-X Switches Cisco IOS Release 12.2(55)SE
SM-X-ES3 SKUs Cisco IOS Release 15.0(2)EJ

Table A-4 Minimum Software Releases for Clients

Smart-Install Capable Clients  Minimum Software Release 
Catalyst 3750-E, 3750, 3560-E, and 3560 Switches Cisco IOS Release 12.2(52)SE
Catalyst 3750-X and 3560-X Switches Cisco IOS Release 12.2(53)SE2
Catalyst 3560-C Compact Switches Cisco IOS Release 12.2(55)EX
Catalyst 2960 and 2975 Switches Cisco IOS Release 12.2(52)SE
Catalyst 2960-S Switches Cisco IOS Release 12.2(53)SE1
Catalyst 2960-C Compact Switches Cisco IOS Release 12.2(55)EX1
Catalyst 2960-SF Cisco IOS Release 15.0(2)SE
Catalyst 2960-P Cisco IOS Release 15.2(2)SE
IE 2000 Cisco IOS Release 15.2(2)SE
IE 3000 Cisco IOS Release 15.2(2)SE
IE 3010 Cisco IOS Release 15.2(2)SE
SM-ES3 SKUs, NME-16ES-1G-P Cisco IOS Release 12.2(52)SE
SM-ES2 SKUs Cisco IOS Release 12.2(53)SE1
SM-X-ES3 SKUs Cisco IOS Release 15.0(2)EJ


Configuration Example:

n3tArk_3850#sh run | s vstack

 description SmartInstall_vstack_lan
 description smart_install_vstack_mgmt
vstack group custom 2960c product-id
 image flash:c2960c405-universalk9-tar.152-3.E.tar
 config flash:smartinstall_config_2960c.txt
 match WS-C2960C-12PC-L
vstack dhcp-localserver smart_install
vstack director
vstack basic

n3tArk_3850#sh run int vlan 1

interface Vlan1
 description smart_install_vstack_mgmt
 ip address

n3tArk_3850#sh run | s tftp

ip tftp source-interface Vlan777
tftp-server client_cfg.txt
tftp-server flash:smartinstall_config_2960c.txt
tftp-server flash:c2960c405-universalk9-tar.152-3.E.tar
tftp-server flash:2960c-imagelist.txt

n3tArk_3850#sh vstack status
SmartInstall: ENABLED

n3tArk_3850#sh vstack download-status
SmartInstall: ENABLED
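
An added example, not from the original post or Cisco's documentation: a small Python check that parses director configuration like the one above and confirms each custom group's image and config file also has a tftp-server entry. Treating a missing tftp-server line as a finding is an assumption that mirrors this post's layout, and the function names are hypothetical.

```python
import re

# Constructed sample: a subset of the post's director lines, indented as IOS prints them.
SAMPLE_CONFIG = """\
vstack group custom 2960c product-id
 image flash:c2960c405-universalk9-tar.152-3.E.tar
 config flash:smartinstall_config_2960c.txt
 match WS-C2960C-12PC-L
vstack director
tftp-server flash:smartinstall_config_2960c.txt
tftp-server flash:c2960c405-universalk9-tar.152-3.E.tar
"""

def parse_director(config):
    """Return (groups, tftp_files, is_director) parsed from running-config text."""
    groups, tftp_files, is_director, current = {}, set(), False, None
    for raw in config.splitlines():
        words = raw.split()
        m = re.match(r"vstack group custom (\S+) product-id$", raw)
        if m:  # start of a custom group block
            current = groups.setdefault(m.group(1), {"image": None, "config": None, "match": []})
        elif raw.startswith(" ") and current is not None:
            if len(words) == 2 and words[0] in ("image", "config"):
                current[words[0]] = words[1]
            elif len(words) == 2 and words[0] == "match":
                current["match"].append(words[1])
        else:  # any top-level line closes the group block
            current = None
            if words[:2] == ["vstack", "director"]:
                is_director = True
            elif len(words) >= 2 and words[0] == "tftp-server":
                tftp_files.add(words[1])
    return groups, tftp_files, is_director

def audit(config):
    """List inconsistencies between the group definitions and the TFTP exports."""
    groups, tftp_files, is_director = parse_director(config)
    findings = []
    if groups and not is_director:
        findings.append("groups defined but 'vstack director' is missing")
    for name, group in groups.items():
        for key in ("image", "config"):
            if group[key] is None:
                findings.append(f"group {name}: no {key} file set")
            elif group[key] not in tftp_files:
                findings.append(f"group {name}: {group[key]} has no tftp-server entry")
        if not group["match"]:
            findings.append(f"group {name}: no product ID to match")
    return findings
```

Running `audit()` over the output of `sh run | s vstack|tftp` before plugging in a new client catches a renamed image or config file that the group still points at.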


That’s pretty much it! Here is a link to a YouTube video I created to show how easy this is to get up and running.

Hope this was helpful. Please leave feedback or comments if I missed any key points or you want me to elaborate more on something specific.


Cisco Modeling Labs 1.0: First Impressions & Getting Started
When a Legend becomes Real

I’m still pinching myself. Last week I delivered my very first Cisco Modeling Labs (CML) 1.0 demo to a customer. Overall, they were pretty darn excited, however there are some things that we need to address to make it a GREAT fit for their specific testing/validation environment.

Let’s take a step back and talk high level about CML for a moment. CML is the Cisco TAC supported variant of VIRL. The FCS date for CML 1.0 was 08.11.14. Almost a month later and several hours behind the wheel, I can say it was totally worth the wait. If you’re looking for a deep dive into the architecture behind the scenes, check out my previous blog post on the subject.

Let’s start with some of the most important aspects of CML to set expectations accordingly.

  • CML is NOT an emulator. The CML images are compiled specifically for the virtual machine environment (KVM). This is how you can scale to 150-200 nodes. It’s actual IOS/XR/XE/NX-OS code optimized for the VM. I was a huge fan of GNS/Dynamips, but the scale always left something to be desired. This is one of the major issues with emulation, PERFORMANCE.
  • CML WILL NOT validate ASICs, line cards, or any other hardware-specific functionality/behavior. If you’re getting CML for this reason, it will NOT be a good representation.
  • CML is GREAT for config verification and migration/functionality testing. For example going from single IPv4 stack to dual stack, testing PfR configs, IGP configs, route policies, etc…
  • CML will also be GREAT for testing new code and features. The BUs are committed to updating the CML images. For example, my IOSv image is 15.4(2)T1, which is pretty recent: “IOSv Software (VIOS-ADVENTERPRISEK9-M), Version 15.4(2)T1”
  • CML is GREAT for troubleshooting problems in an isolated environment.
  • CML allows you to integrate the virtual simulated environment with the physical lab network.
  • CML images available TODAY/09.16.14 are IOSv (included with your 15 node base license), IOS XR, and IOS XE in the form of CSR1000v. There is also a Linux server image for hosts.
  • CML team recommends UCS C220 M3 server or C460 M2, but you can really bring your own hardware for the host. ESXi 5.0, 5.1 or 5.5 is REQUIRED. Check out this URL for the data sheet and requirements. 
  • There is NO cloud/hosted offering of CML.
  • Be sure to check out the CML Q&A for anything I may have missed.

Craig Brown (TME): Cisco Modeling Labs Overview

Getting Started (see inline for ordering info)

  1. Download the install guide
  2. Setup your ESXi host
  3. Download the CML OVA
  4. Deploy the CML OVA
  5. Run through the “First Time” scripts on the Ubuntu guest
  6. Install the necessary license keys
  7. Add any additional images (IOS-XRv, CSR1000v, linux server)
  8. Download the CML client (OSX or Windows) from http://IP_OF_CML_SERVER/download
  9. Connect to the CML server
  10. Design, Build, Visualize, Simulate

This is really just an overview. You’re going to want to go through the install guide and ensure you’re following the requirements and recommendations. I’ll be posting an instructional video on YouTube shortly with a step-by-step guide on how to get started.


  • Only GigE virtual interfaces are supported currently. No serial interfaces or 10G/40G
  • Additional images (IOS-XRv, CSR1000v, etc) must be purchased separately. Only IOSv is included with the base license
  • Modeling of traffic patterns (traffic flow creation) is slated for the CML 1.1 release

Thoughts and Closing

In closing, I hope you’re as excited as I am about CML. It’s been a long time coming and I’m really glad the CML team took the time to get this right. I see many applications for CML in my personal journey. Let’s start with my home lab. I’m blessed to have access to Cisco hardware, but my lab gets HOT and my electric bill goes through the roof. I’ll use CML to validate customer configs, design and test IWAN/PfR configs, CCIE DC studies (NX-OSv image), EEM applet validation, and routing configs. Hopefully this saves me from the hundreds of dollars in electric to run a cat6500 and nexus 3k’s at home. 🙂

I used GNS3/Dynamips and IOU/IOL for many years. I will just say this: CML blows them away. I love GNS, but my problem has been twofold: scale and relevance. With regards to relevance, I was running the 7200 image and old IOS code. It’s just not current enough, and emulated platforms suffer when it comes to performance. IOU/IOL is internal to Cisco only.

If you’re wondering about VIRL personal edition, my understanding is we’ll eventually release this to Cisco DEVNET. I just don’t have any committed date (update Dec 1st, 2014) at this point in time. This is going to be great for those studying for Cisco certifications from the CCNA to CCIE level.

If you’re interested in a 30 day trial of CML, reach out to your Cisco account team.

I hope you found this post informative and helpful. If you have any suggestions on how I can best demonstrate CML, please leave feedback. I’m going to talk to the CML team and see if they plan on conducting a WISP lab at Cisco Live next year. If not, I’ll be hosting one. It’s that good. EVERYONE needs to see it.

UPDATE: I’m told by one of the TMEs that CML will be demoed at Cisco Live, Cancun in Nov.

Ordering Information

Next Wave of UCS Innovation

Today was a BIG day for us at Cisco. We announced our next wave of UCS products and continue building our data center innovation superhighway. Did we announce one product? NO! We announced four major UCS products today at #UCSGRANDSLAM and it was AWESOME! I knew about this stuff for months, but had to keep quiet. As you can imagine, I was at the point of imploding because I just wanted to share this info with EVERYONE. Here is a quick recap of the UCS portfolio expansion announced today.

  • UCS Mini provides the full power of Cisco Unified Computing in a smaller, all-in-one solution that is simple, easy to manage, yet expandable. Great for IoT/IoE local processing (Fog) and ROBO customers.

  • UCS M-Series Modular Servers for Online Content Providers and Cloud Service Providers and for distributed applications in Industrial High Performance Computing (HPC) and Enterprise Grid. What about dedicated hosting and cloud services?


  • Cisco UCS C3160 Rack Server is a modular, capacity-optimized solution ideal for distributed data analytics, unstructured data repositories and media streaming and transcoding. I have one customer looking at this now for vSAN. 

  • Cisco M4 Generation UCS Rack and Blade Servers are armed with the latest processing power providing increased performance, efficiency and computing density. Intel Haswell architecture, E5 v3. 

All that said, I’m ecstatic about today’s announcement and can’t wait to hear from our customers on the challenges that can be overcome with these latest additions to the UCS family. I think about five short years ago when naysayers said Cisco had NO PLACE IN THE SERVER MARKET. They were WRONG! We are #1 in the US and #2 worldwide in the x86 blade server market. I’m confident we’ll be the #1 server vendor worldwide in no time at all.

UCS | Powering Applications at Every Scale

As soon as the video of today’s announcement is posted, I’ll link it here. Stay tuned!