Monday, March 29, 2010

Interview w/ AT&T Singapore

I was interviewed last Friday by AT&T Singapore. I was able to talk to Renato Gonzales, the Manager, and Avil Pinto, the Team Lead.

Renato first asked me how I was doing and how I felt. I cordially replied that I was a little bit nervous. He asked me to rate myself in L2, L3 and security. I said that I would put L2 on top of my list with 9, second would be L3 with 7 and Security with 6.

After that small introduction he introduced me to Avil for the technical interview. He started by asking if I just stayed at home and prepared for the interview or went to work. I replied that I went to work since my shift is 6AM-3PM; I was able to work and still have enough time to get home for the interview. Avil threw the following questions at me:
  1. Describe VLANs and why they should be used.
  2. How can you allow traffic to traverse from one VLAN to another?
  3. What firewall policy should you create to allow this traffic?
  4. What are the types of NAT?
  5. How can I clear the NAT table?
  6. What are the types of firewall?
  7. Differentiate a firewall from an access list.
  8. What are the STP port states?
  9. What is the STP membership process?
  10. What is the ARP process?
  11. What is the TCP connection process?
  12. At what layer does DNS operate?
  13. What is the OSPF multicast address?
  14. Describe BGP.
  15. If I have a connectivity problem between my branch office and my central office, how would you troubleshoot this issue?

We spent almost an hour on the entire interview. With the very bad telephone voice quality, I was glad that it finished without any major communication issue.

Renato asked me how I felt and I laughed and told him "to tell me how I should feel", then he replied that I was doing okay. He then proceeded to ask me if I had any questions for them. I said that I had done a little digging on the net and found out that they have many Filipino guys on their team, in fact a considerable number of people from the Network Team of Accenture Philippines, and that I was able to find Avil's Facebook account and browse his friend list. They replied that I was correct, and Avil said that he is also from Accenture, in India.

I hope I get this job… with the money that I'll be getting and at the same time improving my experience drastically, since I'll be working at a big telecommunication company. I will be exposed to a lot of technologies and gain a lot of knowledge, and at the same time be able to provide for the needs of my family. Hopefully this job is for me…

Tuesday, March 23, 2010

Configure switch interface for VMPS DOT1X authentication

PC(w/ Cisco Secure Services Client)--------EdgeSwitch----------ACS(TACACS)---------DomainController

The edge switch interface configuration below depends on the Cisco Catalyst switch model.

For Cisco Catalyst Switch 4500 series:

interface Fa1/1
switchport mode access
switchport voice vlan <Voice VLAN>
speed 100
duplex full
qos trust cos
authentication event no-response action authorize vlan <Guest VLAN>
authentication host-mode multi-host
authentication port-control auto
authentication timer reauthenticate 60
dot1x pae authenticator
dot1x timeout quiet-period 5
dot1x max-req 10
storm-control broadcast level 20.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
end

For Cisco Catalyst Switch 6500 series:

interface Fa1/1
switchport
switchport mode access
switchport voice vlan <Voice VLAN>
speed 100
duplex full
mls qos trust cos
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-host
dot1x timeout quiet-period 5
dot1x timeout reauth-period 60
dot1x max-req 10
dot1x guest-vlan <Guest VLAN>
storm-control broadcast level 20.00
spanning-tree portfast
spanning-tree bpduguard enable
end
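To check that the two platform syntaxes really express the same port policy, here is an added Python example (not from the post): it maps either syntax onto common property names, diffs the two configurations and flags required 802.1X settings that are missing. The configs are trimmed to their authentication lines and the guest VLAN value 50 is an assumption.

```python
import re

# Constructed fragments of the post's two interface configs, keeping the lines that
# control 802.1X; the <Guest VLAN> placeholder is replaced by an assumed VLAN 50.
CAT4500 = """authentication event no-response action authorize vlan 50
authentication host-mode multi-host
authentication port-control auto
authentication timer reauthenticate 60
dot1x pae authenticator
dot1x timeout quiet-period 5
spanning-tree bpduguard enable"""
CAT6500 = """dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-host
dot1x timeout quiet-period 5
dot1x timeout reauth-period 60
dot1x guest-vlan 50
spanning-tree bpduguard enable"""
# One property name for either syntax; group 1 is the value.
PATTERNS = [
    ("port_control", r"^(?:authentication|dot1x) port-control (\S+)$"),
    ("host_mode", r"^(?:authentication|dot1x) host-mode (\S+)$"),
    ("guest_vlan", r"^(?:authentication event no-response action authorize vlan|dot1x guest-vlan) (\d+)$"),
    ("reauth_period", r"^(?:authentication timer reauthenticate|dot1x timeout reauth-period) (\d+)$"),
    ("quiet_period", r"^dot1x timeout quiet-period (\d+)$"),
    ("pae", r"^dot1x pae (\S+)$"),
    ("bpduguard", r"^spanning-tree bpduguard (enable)$"),
]
# Settings every 802.1X edge port in the post carries; anything else is a deviation to review.
REQUIRED = {"port_control": "auto", "pae": "authenticator", "bpduguard": "enable"}

def normalize(config):
    """Return {property: value} regardless of which IOS syntax the platform uses."""
    props = {}
    for line in config.splitlines():
        for name, pat in PATTERNS:
            m = re.match(pat, line.strip())
            if m:
                props[name] = m.group(1)
    return props

def compare(cfg_a, cfg_b):
    """Properties that differ, or exist on one side only, between two interface configs."""
    a, b = normalize(cfg_a), normalize(cfg_b)
    return {k: (a.get(k), b.get(k)) for k in set(a) | set(b) if a.get(k) != b.get(k)}

def missing_required(config):
    """Required settings absent or wrong: the port would not enforce 802.1X or BPDU guard."""
    props = normalize(config)
    return {k: v for k, v in REQUIRED.items() if props.get(k) != v}
```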

Monday, March 22, 2010

Change trunk native VLAN from 1 to 2

SwitchB |----------------trunk---------------|SwitchA

Current Trunk Configuration:

SwitchA:

SwitchA#sh int g0/1 trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1-2,10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1-2,10,20,30

SwitchB:

SwitchB#sh int g0/1 trun

Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1-2,10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1-2,10,20,30

Change Native VLAN on SwitchA:

SwitchA:

SwitchA#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SwitchA(config)#int g0/1
SwitchA(config-if)#switchport trunk native vlan 2
SwitchA(config-if)#
23:32:19: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on GigabitEthernet0/1 VLAN2.
23:32:19: %SPANTREE-2-BLOCK_PVID_PEER: Blocking GigabitEthernet0/1 on VLAN0001. Inconsistent peer vlan.
23:32:19: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet0/1 on VLAN0002. Inconsistent local vlan.

SwitchB:

SwitchB#
23:32:58: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 2 on GigabitEthernet0/1 VLAN1.
23:32:58: %SPANTREE-2-BLOCK_PVID_PEER: Blocking GigabitEthernet0/1 on VLAN0002. Inconsistent peer vlan.
23:32:58: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet0/1 on VLAN0001. Inconsistent local vlan.

Change Native VLAN on SwitchB:

SwitchA:

23:35:22: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking GigabitEthernet0/1 on VLAN0001. Port consistency restored.
23:35:22: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking GigabitEthernet0/1 on VLAN0002. Port consistency restored.

SwitchB:

SwitchB#conf t
SwitchB(config)#int g0/1
SwitchB(config-if)#switchport trunk native vlan 2
SwitchB(config-if)#
23:36:01: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking GigabitEthernet0/1 on VLAN0002. Port consistency restored.
23:36:01: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking GigabitEthernet0/1 on VLAN0001. Port consistency restored.

Final Trunk Status:

SwitchA:

SwitchA#sh int g0/1 trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      2

Port        Vlans allowed on trunk
Gi0/1       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1-2,10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1-2,10,20,30

SwitchB:

SwitchB#sh int g0/1 trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      2

Port        Vlans allowed on trunk
Gi0/1       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1-2,10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1-2,10,20,30

Analysis:

When you change the native VLAN on one end of the trunk, both switches will detect the VLAN inconsistency (native VLAN mismatch) and put the interface into blocking state on both VLAN 1 and VLAN 2; I think the other VLANs will continue forwarding data and will not be affected by the configuration. When you then move forward and configure the other end, the switches detect that the native VLANs match and are consistent, and they unblock the interface and forward traffic.
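As an added example (not the blog's own code), a Python check for the two halves of this change: compare the native VLAN on both ends of a trunk from `show interfaces trunk` output before the change, and replay the %SPANTREE-2 messages afterwards to see which VLANs are still blocked. The show output and syslog lines are constructed from the post's own output; the SwitchA/SwitchB port pairing is assumed.

```python
import re

# Constructed "sh int g0/1 trunk" tables as in the post, captured with only SwitchA moved to native VLAN 2.
SHOW_TRUNK = {
    "SwitchA": "Port   Mode   Encapsulation  Status    Native vlan\nGi0/1  on     802.1q         trunking  2\n",
    "SwitchB": "Port   Mode   Encapsulation  Status    Native vlan\nGi0/1  on     802.1q         trunking  1\n",
}
LINKS = [(("SwitchA", "Gi0/1"), ("SwitchB", "Gi0/1"))]  # which ports face each other (assumed)
# Constructed syslog lines modelled on SwitchA's messages in the post, one message per line;
# the UNBLOCK for VLAN0002 is deliberately left out so the replay has something to report.
SWITCHA_LOG = [
    "23:32:19: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on GigabitEthernet0/1 VLAN2.",
    "23:32:19: %SPANTREE-2-BLOCK_PVID_PEER: Blocking GigabitEthernet0/1 on VLAN0001. Inconsistent peer vlan.",
    "23:32:19: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet0/1 on VLAN0002. Inconsistent local vlan.",
    "23:35:22: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking GigabitEthernet0/1 on VLAN0001. Port consistency restored.",
]
TRUNK_RE = re.compile(r"^(\S+)\s+\S+\s+(?:802\.1q|isl)\s+trunking\s+(\d+)\s*$", re.I)
PVID_RE = re.compile(r"%SPANTREE-2-RECV_PVID_ERR: .*peer vlan id (\d+) on (\S+) VLAN(\d+)")
BLOCK_RE = re.compile(r"%SPANTREE-2-(BLOCK_PVID_PEER|BLOCK_PVID_LOCAL|UNBLOCK_CONSIST_PORT): (?:Unb|B)locking (\S+) on VLAN(\d+)")

def parse_native_vlans(output):
    """{port: native_vlan} from the first table of 'show interfaces trunk'."""
    rows = (TRUNK_RE.match(line.strip()) for line in output.splitlines())
    return {m.group(1): int(m.group(2)) for m in rows if m}

def native_mismatches(show_outputs, links):
    """Compare both ends of every link; a differing native VLAN is what triggers the PVID inconsistency."""
    natives = {sw: parse_native_vlans(out) for sw, out in show_outputs.items()}
    bad = []
    for (sa, pa), (sb, pb) in links:
        va, vb = natives[sa].get(pa), natives[sb].get(pb)
        if va is not None and vb is not None and va != vb:
            bad.append((sa, pa, va, sb, pb, vb))
    return bad

def pvid_inconsistencies(log_lines):
    """{port: (peer_native, local_native)} for every RECV_PVID_ERR message."""
    return {m.group(2): (int(m.group(1)), int(m.group(3)))
            for m in map(PVID_RE.search, log_lines) if m}

def still_blocked(log_lines):
    """Replay BLOCK/UNBLOCK messages in order; {port: [vlans still blocked]}."""
    blocked = {}
    for m in filter(None, map(BLOCK_RE.search, log_lines)):
        kind, port, vlan = m.group(1), m.group(2), int(m.group(3))
        vlans = blocked.setdefault(port, set())
        (vlans.add if kind.startswith("BLOCK") else vlans.discard)(vlan)  # BLOCK_* adds, UNBLOCK removes
    return {p: sorted(v) for p, v in blocked.items() if v}
```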

Wednesday, March 10, 2010

Zenoss and Netscreen global policy training.

My teammate Sherwin Hidalgo conducted a training about Zenoss and Netscreen global policy during our weekly meeting. He is about to resign and this is part of the resignation process.

Zenoss is an open source NMS (Network Management System). We are currently moving to this platform to replace our CiscoWorks. Cisco's NMS is just unreliable; it sends a lot of false positive alarms. We wasted a lot of man hours setting it up and a lot of money on the license.
  1. Search option at the upper right corner of the window. Just put in the device hostname and press enter and the device page will be displayed. Inside the device window you have 7 tabs (Arrow Down, Status, OS, Hardware, Software, Events and Perf):

    1. Arrow – Inside you can conduct connectivity tests from the Zenoss server to the device, like ping and snmpwalk.
    2. Status – You can check basic device information like IP address, MAC address etc.
    3. OS – You can check the device interfaces, including the sub-interfaces. Click an interface to see its utilization graph.
    4. Events – You'll be able to check the alerts generated.
    5. Perf – You will be able to check the CPU and memory utilization.

  2. Location option at the lower left corner of the window. It's one of the options under Browse By. Clicking this option you will be able to browse the devices by location group.

Netscreen global policies are checked last in the firewall's policy lookup. The order is below.
  1. Interzone – If the source and destination zones are different (e.g. trust to untrust).
  2. Intrazone – If the source and destination zones are the same, the security device performs a policy lookup in this policy set list. Traffic will flow from one interface to another within the same zone.
  3. Global – If the security device does not find a match, the device then checks the global policy list.

Global policies should be configured per Vsys. They should be used for policies that are common to the entire Vsys (e.g. access to mail servers, shared internet access). You should place the "Deny Any Any" policy last, in the global list, and remove it from the Interzone and Intrazone lists; otherwise the global policies will never be checked.
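The lookup order above as an added Python model (not ScreenOS code): interzone or intrazone first, then global, first match wins. The policy sets are constructed to show how a deny-any-any left at the end of the interzone list hides the global mail-server policy; unmatched traffic returns None, leaving the device's own default to apply.

```python
from dataclasses import dataclass

ANY = "any"

@dataclass(frozen=True)
class Policy:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    service: str
    action: str  # "permit" or "deny"

def matches(p, src_zone, dst_zone, src, dst, service):
    """A field matches when the policy says 'any' or names exactly that value."""
    fields = ((p.src_zone, src_zone), (p.dst_zone, dst_zone), (p.src, src), (p.dst, dst), (p.service, service))
    return all(want in (ANY, got) for want, got in fields)

def lookup(policy_sets, src_zone, dst_zone, src, dst, service):
    """First match in the order the post describes: the interzone set when the zones
    differ, the intrazone set when they are equal, then the global set. Returns
    (set_name, policy), or None when nothing matched and the device default applies."""
    first = "interzone" if src_zone != dst_zone else "intrazone"
    for name in (first, "global"):
        for p in policy_sets.get(name, []):
            if matches(p, src_zone, dst_zone, src, dst, service):
                return name, p
    return None

# Constructed policy sets. Mail access is common to the whole Vsys, so it lives in the
# global list with the deny-any-any as the very last entry, as the post recommends.
GLOBAL = [Policy(ANY, ANY, ANY, "mail-server", "SMTP", "permit"),
          Policy(ANY, ANY, ANY, ANY, ANY, "deny")]
INTERZONE_OK = [Policy("trust", "untrust", "lan", ANY, "HTTP", "permit")]
# Same list, but someone left a deny-any-any at the end of the interzone set.
INTERZONE_SHADOWING = INTERZONE_OK + [Policy(ANY, ANY, ANY, ANY, ANY, "deny")]

def mail_from_trust(interzone):
    """Which list decides trust -> dmz SMTP to the mail server, and what it decides."""
    sets = {"interzone": interzone, "intrazone": [], "global": GLOBAL}
    name, p = lookup(sets, "trust", "dmz", "lan", "mail-server", "SMTP")
    return name, p.action
```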

Tuesday, March 9, 2010

Change STP VLAN priorities and implement STP root Guard

I created the change below to correct our STP load balancing between the primary core switch and the secondary core switch. The previous implementation incorrectly set the VLAN STP priorities, and we have to implement this change before we can add STP root guard on all uplink ports going to the edge switches. This is done to protect our core switches' role as the root of our STP domain from anyone who connects a switch to the edge configured with a lower priority.

With this implementation we can make sure that only the two core switches (primary and secondary) can be elected as the root bridge.

-----------------------------------------
          | CoreSW1001 | CoreSW1002
----------+------------+-----------------
Odd VLAN  | 8192       | 16384
----------+------------+-----------------
Even VLAN | 16384      | 8192
-----------------------------------------

CoreSW1001:

conf t
spanning-tree vlan 215 priority 8192
spanning-tree vlan 202 priority 16384

CoreSW1002:

conf t
spanning-tree vlan 215 priority 16384
spanning-tree vlan 202 priority 8192

-------------------------
enabling STP Root Guard
-------------------------

CoreSW1001:

conf t
int r "all uplink interface"
spanning-tree guard root
end
wr mem

CoreSW1002:

conf t
int r "all uplink interface"
spanning-tree guard root
end
wr mem

Friday, March 5, 2010

Enabling Cisco device to authenticate locally to VTY/Con line

My wife called me yesterday asking how to enable authentication on the VTY line using a created local account. I tried to walk her through it and asked her some details about the username command, which is the command that creates the local account and its password. She said that they had already done that part, but when they try to remote into the device the account and password are not accepted. So the next thing I asked was to check what config they put inside the VTY line. To cut the story short, we ended the call without resolving the issue and I told her that I would simulate this when I arrived at the office.

At around 6PM, when I was already free, I decided to go with the simulation using the two Cisco Catalyst switches in my cubicle. I set up the switch with the power cable and the console cable connection to my PC. I started configuring the switch with "username deviceadmin privilege 15 secret 0 MyPasswd", then instead of using the VTY line I decided to use the con line since I was already connected to it. I entered the con line and tried to search the list of available commands; the only command that I found relevant to my problem was the login command with the parameter local. I used the command, saved my config, then reloaded the switch.

After the reload I was asked for the user and password, so I entered the username information that I had just created and it was a success. My newly created local account was used to authenticate access to my console. I went further and created another account with lesser privilege and again it was accepted, with the limitation of not being able to enter configure terminal. For the complete commands please check below.

Commands:

SW01#conf t
SW01(config)#username deviceadmin privilege 15 secret 0 MyPasswd
SW01(config)#line con 0
SW01(config-line)#login local
SW01(config-line)#end
SW01#wr mem

Thursday, March 4, 2010

STP VLAN root primary|secondary 2nd post

I just found out today from my lead that we are not really using the command above as part of our VLAN creation steps; instead we statically set the VLAN priority to 8192 for the root bridge and 16384 for the secondary root bridge.
We just tried to use the Cisco macro commands root primary and root secondary because our boss insisted on using them. Now we know that these commands set the 24576 and 28372 priority values on the root and the secondary root bridge respectively.
I don't really see any problem in using the macro command or setting the priority value yourself, as long as you are consistent and don't mix the two commands in a single setup.
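The priority scheme from this post and from the "Change STP VLAN priorities and implement STP root Guard" post above, as an added Python example that is not from the blog: it generates the per-core priority lines for the odd/even scheme, checks that a value is one IOS accepts, and runs the PVST+ root election to show what happens when the macro value (24576, as reported here) is mixed with the static 8192/16384 values, or when a switch at the edge carries a lower priority. The MAC addresses and the EdgeSW switch are constructed.

```python
# Scheme from the post's table: odd VLANs root on CoreSW1001, even VLANs on CoreSW1002,
# with 8192 on the intended root and 16384 on the backup.
CORES = ("CoreSW1001", "CoreSW1002")
PRIMARY, SECONDARY = 8192, 16384
MACRO_ROOT_PRIMARY = 24576  # what 'spanning-tree vlan N root primary' set in the post

# Constructed MAC addresses for the two cores and one edge switch.
MACS = {"CoreSW1001": "0019.0000.0001", "CoreSW1002": "0019.0000.0002", "EdgeSW": "0019.0000.0003"}

def planned_priority(core, vlan):
    """Static priority the odd/even scheme assigns this core for this VLAN."""
    wants_odd = core == CORES[0]
    return PRIMARY if (vlan % 2 == 1) == wants_odd else SECONDARY

def valid_priority(p):
    """IOS accepts 0..61440 in steps of 4096; the low 12 bits carry the VLAN ID."""
    return 0 <= p <= 61440 and p % 4096 == 0

def generate_config(vlans):
    """Per-core 'spanning-tree vlan N priority P' lines, as in the post's change."""
    return {c: [f"spanning-tree vlan {v} priority {planned_priority(c, v)}" for v in vlans]
            for c in CORES}

def elect_root(vlan, bridges):
    """bridges: {switch: (priority, mac)}. PVST+ compares priority + VLAN ID first,
    then the MAC address; the lowest bridge ID becomes root."""
    if not all(valid_priority(p) for p, _ in bridges.values()):
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    return min(bridges, key=lambda sw: (bridges[sw][0] + vlan, bridges[sw][1]))

def audit(vlan, bridges):
    """(planned_root, actual_root, ok): flags a VLAN whose root is not the planned core,
    e.g. when one core was configured with the macro and the other with a static value,
    or when a switch at the edge carries a lower priority (the case root guard addresses)."""
    planned = min(CORES, key=lambda c: planned_priority(c, vlan))
    actual = elect_root(vlan, bridges)
    return planned, actual, planned == actual
```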

Wednesday, March 3, 2010

Job Interview with Lawson

I went to the Lawson office at Net2 Bldg., Bonifacio Global City today for an interview for a Network Administrator position. At about 10:30 my contact person from HR, named Lara, called my name and asked me to follow her to the interview room. She asked me HR stuff like why I'm applying, what I am looking for in a job, etc. After a short chat with her she endorsed me to the technical guys for the technical interview.

Two guys arrived, I believe from the network department of Lawson; I wasn't able to get the name of one guy, but the other one was named Marku. When they arrived they started going through my resume; since they only had one copy, I offered the copy that I brought. Marku started by asking me personal and HR-type questions like what I think I need to improve in myself. I was caught off guard by the questions because I was expecting a technical interview. I tried to answer all the mushy questions to the best of my ability, and we got into a little argument when they told me that my answers were contradicting. When we finally got to the technical stuff they only asked me one scenario question and that's it, we're done. I think that technical question was just a formality; they had already made up their minds that I'm not the guy after the personal questions that they threw at me.

I guess I'm not that good with interviews any more, but with the questions that were thrown at me by those two BS I think they are not really looking for a technically savvy network engineer; they are more looking for someone to be their PA or something.

Well, that's life; applying for a job really sucks. All I want right now is to complete my CCNP and have a better chance of being pirated so that I won't have to undergo the whole recruitment process.

Tuesday, March 2, 2010

STP VLAN root primary|secondary

I was just testing this on a live network. We are trying to find out how this Cisco macro command sets the STP priority. We expected to get a priority of 8192 for the primary root bridge and 16384 for the secondary root bridge, but after we created a new VLAN and implemented the commands on our primary core switch as the primary root and the secondary core as the secondary root, we got the following settings:

Core1:

Core1#sh run | i span
Spanning-tree vlan 999 priority 24576

Core2:

Core2#sh run | i span
Spanning-tree vlan 999 priority 28372

We really don't know why this priority setting is different from the previous VLAN STP implementations done on the same core switches.

I’ll be posting the answers if I can find out the explanation behind this.