Cisco Live Europe 2019 Barcelona

Another Cisco Live went with all its usual new product announcements and marketing drives for the next big thing. This year I have been more busy than usual with meetings with customers and I have not participated in all the technical sessions of previous years. In the end this actually allowed me to pay more attention to the real needs of customers rather than just technology. One of the elements that emerged most frequently was the need for more attention to the quality of the code.

ENC9K Implementing Cisco Catalyst 9000 Switches

Keeping up with the new releases of the various manufacturers is an important part of the job of every network engineer. Usually it is enough to see the videos available online but from time to time it is necessary to take one more step. Cisco has released the new Catalyst 9000 family that integrates with 1/20/2019 12:11:45 PM and ISE to build an SDA network. The Catalyst 9k family, strong of IOS XE, also allows programmability levels not previously possible.

IT Blog Awards

I’m pleased to announce that my blog has been selected as a finalist in the Most Entertaining category of the IT Blog Awards, hosted by Cisco This blog is a project that I have been carrying out for years in the (little) free time between a demanding job, the study and the family. I think it is important to dedicate time to the blog because it has allowed me to meet many awesome people, actively participate in the community and make my contribution to the ecosystem that has helped me at the beginning of my career.

Tech Field Day Extra at Cisco Live Europe 2018

I had the honor and pleasure of being invited again to attend Tech Field Day, this time for an Extra event at Cisco Live Europe in Barcelona. Cisco Live is a week full of product announcements, technical session, (social) networking with fellow network engineers, meetings with colleagues and customers, discussions with Cisco engineers about products and roadmap. This is exhausting and exciting at the same time but it definitely worth the effort.

Cisco ASA show connections ordered

When a customer calls with a problem or request I often see a chance to investigate a technology, learn something new or apply random skills to find a creative solution. This time is about an ASA, customer noticed too much traffic on the Internet facing interface. Syslog, Netflow, bandwidth monitoring and any other useful tools are totally missing, only the old good CLI to help. The MVP We can get a list of all active connections from ASA with

NFD16 day two - Cisco Project Starship a.k.a. Intersight

Day two of NFD16 with Cisco. The presentation was split in two parts. First part for Intersight, second part for Tetration. I’ll post here just a few thoughts about Intersight. Merakify all the servers! What’s Cisco Intersight? If you’re familiar with cloud-managed devices like Meraki the concept is quite similar. A Cisco server runs the Device Connector client that links to a central management portal that runs on Cisco DC SaaS.

TAC Security Workshop - Poland

This week I attended and event organized by Cisco TAC in Krakow. I’ve been in may Cisco events (Live, PVT, Pint etc.) but It was the first time for me at a TAC workshop and I was curious about it. The Agenda Agenda was clear: tree days with TAC engineers presenting best practices for installation and configuration with a clear focus on troubleshooting methods and tools. I was not disappointed by the contents: marketing was reduced to minimum, all the presenters were skilled TAC engineers and all the sessions were very detailed.

Cisco Live Europe 2017 Berlin

It’s time for CLEUR again, for the second year in Berlin, that’s 5 years in a row and I still get excited when the date arrives. #CLEUR #CCIE #netvet #ciscochampion #merakimaster — Gian Paolo (@gp_ifconfig) February 21, 2017 I won’t repeat many consideration’s I’ve already made last year. This year my main focus was security, I attended many FirePower, AMP and FTD sessions. General routing/switching and wireless are topics I can see in other partner events or learn by myself watching recordings later.

Cisco ASA boot problem

Cisco ASA memory problem ASA doesn’t boot: Launching BootLoader... Default configuration file contains 1 entry. Searching / for images to boot. Loading /asa825-k8.bin... Booting... Press ESC to interrupt boot: Use BREAK or ESC to interrupt boot. Use SPACE to begin boot immediately. We’re now in rommon: rommon #0> Check variables: rommon #3> set ROMMON Variable Settings: ADDRESS= SERVER= GATEWAY= PORT=Ethernet0/0 VLAN=untagged IMAGE= CONFIG= LINKTIMEOUT=20 PKTTIMEOUT=4 RETRY=20 Config network parameters.

Drop and bogons list on Cisco router

The Cyberspace a.k.a. the Internet is full of bad guys wanting to mess with our computers right? Of course everyone of us have a firewall configured with proper access and inspection rules, don’t ya? Spamhaus and Team Cymru can help providing list of known bad IPs and subnets that should be filtered in our networks. Spamhaus DROP list “DROP (Don’t Route Or Peer) and EDROP are advisory “drop all traffic” lists, consisting of netblocks that are “hijacked” or leased by professional spam or cyber-crime operations (used for dissemination of malware, trojan downloaders, botnet controllers).

Cisco Live 2016 Europe

Hi CLEUR! This year, for the fourth year in a row, I’ve attended Cisco Live Europe. I’ve earned the “Netvet” status, that means my name was on the wall before the keynote, ain’t that great? ;-) Aesthetics apart, this year’s event was the biggest I’ve attended so far, twelve thousands people in a huge venue (for European standards) and a lot of sessions available. Here’s my recap of the event.

Welcome 2016 Cisco Champions

With a good amount of surprise I’ve been nominated Cisco Champion for 2016: Because of your impactful and valuable contributions to the IT community, you have been chosen out of hundreds of nominees to be part of the 2016 Cisco Champion program. Congratulations! Cisco Champion resources Communities Twitter list

Simple Cisco switch inventory with bash and snmp

Scripts, usually I write some because I don’t like repetitive tasks and I’m lazy, meaning I prefer automation over useless hard work. Don’t know where I found this quote but I like it: Don't spend your time doing work a well-trained monkey could do. Today’s request was quite simple: get model and serial number from a bunch of Cisco switches. I now NEDI, Observium and LibreNMS can do that but I preferred to write a quick script I could use as a one shot tool instead of a complete software solution.

Cisco ASA VPN with over overlapping addresses and twice NAT

IP addressing design is a topic that follows every networker from the basic to the architect level of experience. Usually we just pick a random range from RFC1918 and address all the devices. But then VPN happens, and with VPN comes the risk of overlapping. How do we fix overlapping? With NAT of course! In this post I’ll show how to use twice NAT to allow VPN connections with overlapping addresses.

Quick config: SSL VPN on Cisco IOS via CLI

Platform: CISCO2921 IOS version: 15.3(3)M5 Load the anyconnect package on the flash of the router and configure anyconnect client package (be patient, this may take a while…): crypto vpn anyconnect flash0:/webvpn/anyconnect-win-4.1.04011-k9.pkg sequence 1 SSLVPN Package SSL-VPN-Client (seq:1): installed successfully Create a virtual template, that’s the interface the VPN clients will attach to: interface Virtual-Template1 ip address Create a local pool to assign IP addresses to VPN clients:

Meraki CMNA

Today I’ve attended a Meraki technical training course at Cisco offices. The training was organized in short presentations of product features followed by hands-on labs based on all the products available today. I was suprised to find not only people from small companies or system integrators but more that 50% of the attendees were from Cisco Gold Partners sent to evaluate the products for “managed network” services. Cloud managed network gear is quite a hot topic today and I expect many projects in the future will involve this kind of solutions.

Cisco Nexus 9000 training DCINX9K

This week I attended a two days training of Cisco DCINX9K. The training is focused on Cisco Nexus 9000 switches in NX-OS mode. NX9K can run two different software images, the full ACI image with all the cool SDN stuff and the traditional NS-OX image with some cool features like Python, Rest API, VX-LAN and more. Now it’s time to improve my Python skills and borrow a couple of boxes to do some labs.


Today I had a chat about MTU with a customer. MTU is my second favorite topic for tech talks in front of the coffee machine, STP is still the first because there are so many misconceptions about it. Even QoS is funny, people has many creative ideas and expectations from it. Let’s talk about MTU. Everything begun today from a ping (it’s italian in the screenshot, but you know the output by heart right?

Flowcontrol, port buffers and dropped packets

A few days ago a customer called worried by the flow control counters increasing on his Cisco 4510 switch, he just sent me this asking for an explanation: CORE_4510#show interfaces flowcontrol Port Send FlowControl Receive FlowControl RxPause TxPause admin oper admin oper --------- -------- -------- -------- -------- ------- ------- Gi1/1 on on desired on 28972 107274064 Gi1/2 on on desired on 9494 111534 Gi1/3 on on desired on 32580 1406178 Gi1/4 on on desired on 1278 84112 .

MTU on Nexus switches - CDP and vCenter

Some time ago I’ve installed the new core switches for a customer: a couple of Nexus 7000, a couple of 5000 and twelve Nexus 2232TM, Virtual port channels, VLANs, Radius auth and so on.. all the usual configs a good network engineer does. Since the Nexus 5000 are connected to an iSCSI storage I’ve configured Jumbo frames. Customer called complaining that MTU isn’t correctly set and I must fix it.

CCNA 10 years

Ten years ago I’ve passed my first Cisco exam: CCNA! What was supposed to be just a marginal skill for a junior systems engineer became both my job and my passion. Ten years and 21 Cisco exams later (and a bunch of other vendors), with 2 labs in Brussels, 1 FAIL and 1 PASS, I’m still excited about networking and I hope the next ten year will be as valuable and inspired.

Cisco Live 2014 Milan

Last week I had the opportunity to attend Cisco Live in Milan. This is my second time at Cisco Live, I’ve been in London last year. Some people still doesn’t know what Cisco Live is. Is it an event for pre-sales? A technical training? A party with free beer for nerds? I can say it is it all and much more. At Cisco Live you have the opportunity to participate in very deep technical sessions, some with hands-on labs, and to talk with the smartest guys in Cisco.

Cisco Live! for my fellow italian networkers (italian only)

Questo post e’ dedicato ai networkers iscritti al CUG di per condividere la mia esperienza del Cisco Live! 2013 a Londra. Ho visto diversi messaggi in ML e dato che la risposta sarebbe un po’ lunga e magari puo’ interessare a piu’ persone ho deciso di scrivere direttamente un post qui. Ho avuto il piacere di partecipare al Live! 2013 a Londra e salvo imprevisti a Gennaio parteciperò anche a quello di Milano.

Four letters more CCDP

Today I’ve passed 642-874 ARCH exam that in conjunction with CCIE and CCNP entitles to obtain the CCDP certification. To prepare the exam I’ve used the official study guide along with the documents in the Cisco Design Zone. The hardest part of the exam preparation was to study technologies I’ve never really implemented and to focus on design, scalability and restrictions more than on the commands.

Cisco WLC roaming debug + gawk + sed

Quite often I have to debug a wireless client roaming across lighweight Cisco APs to confirm it moves between APs as expected in the network design. On the WLC the command is “debug client MAC”. The command shows all the events related to the specific client including: Reassociation received from mobile on AP 00:23:ab:ba:YY:XX that means client moved to the AP with radio MAC 00:23:ab:ba:YY:XX. Since I’ve named all the APs and and I’ve a map with all the positions, I’d like to see the names in the debug instead of MAC.

My CCIE experience

In really enjoyed to read all the blog post of people passing the CCIE lab exam over the years. I’ve found the stories very inspirational so now it’s time for me to give back. I started working as a system engineer in 2001 supporting Microsoft Windows 2000 client and server for a bank. I had the opportunity to work with some network engineers for a project and being intrigued by the new world I started to study what seemed to be the right choice for the moment: Cisco CCNA.

CCIE lab numbers preallocation myth certification value

Cisco stopped to publish CCIE statistics some time ago but in Cisco Live presentations we can find some slides like this: A couple of days ago on twitter Bob McCouch who passed his lab on February 21st posted this: I know 14 days are not enough to make statistics, but let’s play with the numbers since they’re very fresh. There’re 9 CCIE lab locations worldwide, suppose each lab locations ha 5 seats per day.

Recipe: NTP server/client with auth

NTP client / server with authentication SERVER CONFIG ntp authentication-key 1 md5 0802657D2A36 7 ntp master 5 CLIENT CONFIG ntp authentication-key 1 md5 1531223F2705 7 ntp authenticate ntp trusted-key 1 ntp server key 1 Notes: the client authenticates the time source, server must have the key.

Cisco Live! Europe 2013

Cisco Live! Europe: I’m in! First time here, the impression is like being in the Willy Wonka chocolate factory with the big difference you can touch everything without disappear. As my job is not focused on a single technology I’m registered to many different sessions, from WiFi to Security, from FCoE to Routing/Switching. A longer review will follow. It’ll be a long week. _ _

PVLAN Quick Notes

Private VLAN configuration: vlan 300 private-vlan primary private-vlan association 301-302 ! vlan 301 private-vlan isolated ! vlan 302 private-vlan community Port configuration: interface GigabitEthernet1/0/1 switchport private-vlan host-association 300 301 switchport mode private-vlan host What about the SVI? interface Vlan300 ip address private-vlan mapping ? WORD Secondary VLAN IDs of the private VLAN SVI interface mapping add Add a VLAN to private VLAN list remove Remove a VLAN from private VLAN list If we add a private-vlan mapping to the SVI it works like a promicuous port for all the secondary vlans mapped, reachable by both isolated and community ports:

Netflow quick notes

Netflow quick notes for basic config. NETFLOW EXPORT Send NetFlow data to a collector: From? (source) Where? (destination, port) How? (udp, sctp, backup) Version? (1,5,9) SAMPLING / FILTERING Not all traffic is evaluated to generate NetFlow statistics. Sampling (one packet each N) of filtering (sampling only on a class of traffic). applied to interface applied to policy map (with optional filter) “filter” is applied with “match” in the class map and netflow-samples in policy-map AGGREGATION CACHE Aggregate flows based on some criteria.

File prompt quiet

When a router config is saved with copy run start IOS asks for a destination filename: RTR#copy running-config startup-config Destination filename [startup-config]? Building configuration... [OK] To bypass the request and use the default name startup-config do this: RTR(config)#file prompt quiet And then again copy run start will not require the filename: RTR#copy run start Building configuration... [OK] This command may be useful inside EEM scripts that can’t run intecartive commands.

OSPF Forward Address

OSPF Forward Address (FA): works like BGP next-hop for OSPF external routes advertised only if next-hop is on a not-passive and multiaccess interface if there’s not a route to FA address, route is not installed FA = –> cost to ABR FA <> –> cost to FA address NSSA –> FA is ASBR IP –> remove FA with “area 1 nssa no-summary translate type7 suppress-fa”

How to change a L2L VPN peer IP on Cisco ASA 8.3(2)4

Today a customer called to change the IP address of a L2L VPN peer on his Cisco ASA 8.3(2)4. The task can be divided in 3 steps: 1) Get the VPN password. It should be written somewhere in the network documentation, as stated by rule 7, but you know, password sometimes just get lost. 2) Find and update crypto map asa# sh run | b peer You should get a line like

Copy files to ASA via SCP

Sometimes it can be useful to copy files to and from a Cisco ASA Firewall via SCP. To enable SCP just type: ssh scopy enable

Certified in Cisco Data Center Support for UC Specialist

Today I passed Cisco 642-983 DCUCI exam and it was a surprise to see two certifications on my Cisco curriculum: Cisco Unified Computing Technology Support Specialist and Cisco Data Center Support for UC Specialist The next step would be “Cisco Data Center Unified Computing Support Specialist” but since VCP is a requirement and is not in my plans I have to skip that cert.

Cisco DCUCI training

This week I’m attending Cisco DCUCI course in Milan. I have no experience on blade servers or Cisco UC plaftorm and it’ll be a great opportunity to learn new topics and move another step towards the datacenter. I’ve prepared for this course watching Cisco PEC videos and reading the two must-read books from Silvano Gai: I/O Consolidation in the Data Center Cisco Unified Computing System (UCS) Cisco provides an emulator for the Cisco UCS , available only to Partners.

Certified in CCNP Security

Today I passed this Cisco exam: (642-647) Deploying Cisco ASA VPN Solutions v1.0 (VPN) and my CCSP certification is now updated to the new CCNP(Security). I’ve prepared the exam on the Cisco Press Official Cert Guide. The exam was not very hard, probably because I work on Pix/Asa platforms since 2007. The guide is very complete and actually I’ve re-learned some topics and how to deploy SSL and WebVPN in a better way, easyer to manage and to scale.

PPPoE peer IP address

Quick note about PPPoE address assignment. IPCP CLIENT interface Dialer1 **ip address negotiated** encapsulation ppp dialer pool 1 dialer idle-timeout 0 dialer persistent end SERVER ip dhcp-server interface Virtual-Template10 ip address peer default ip address dhcp end DHCP CLIENT interface Dialer1 ip address dhcp encapsulation ppp dialer pool 1 dialer idle-timeout 0 dialer persistent end SERVER interface Virtual-Template10 ip address ip helper-address 1.

Autoinstall - Frame Relay

First of all: autoinstall works only on the first serial interface of the router, don’t forget it. This is the topology for the small lab: R1 is a TFTP server, it stores R3 configuration in flash. R3 has no configuration. R2 interface is configured as follow: `` interface Serial1/0 ip address ip helper-address encapsulation frame-relay ip ospf network broadcast ip ospf 1 area 0 serial restart-delay 0 frame-relay map ip 10.

Autoinstall - LAN

Autoinstall is a quite interesting topic, it deserves some labbing. Start from the DOC-CD as usual, we focus on the LAN implementation first. You can find HERE the flowchart of the autoinstall process. This guide is quite clear too: AutoInstall Using DHCP for LAN Interfaces This is the topology we’ll use: R1 and R2 will start without configuration. R3 is the DHCP server that provides TFTP informations to R1 and R2.


RMON is generally an easy task, can be tricky but usually on CCIE workbooks the task are fair. The hardest part for me is to find the MIB to monitor. This is the task: monitor interface Vlan1, send a trap if it receives more than 100 packets every 30 seconds, send a trap if it goes under 50 packets every 30 seconds. First step: find Vlan1 ifindex. R#sh snmp mib ifmib ifindex Vlan99: Ifindex = 10 Virtual-Access2: Ifindex = 13 FastEthernet4: Ifindex = 5 FastEthernet0: Ifindex = 1 FastEthernet2: Ifindex = 3 Loopback0: Ifindex = 12 Null0: Ifindex = 6 Virtual-Access1: Ifindex = 11 Vlan1: Ifindex = 7 Virtual-Template1: Ifindex = 9 NVI0: Ifindex = 8 FastEthernet1: Ifindex = 2 FastEthernet3: Ifindex = 4 So Vlan1 has ifIndex value 7.

Conditional Debug

Conditional debugging is used to filter debugging messages: R#debug condition ? application Application called called number calling calling card card glbp interface group interface interface ip IP address mac-address MAC address match-list apply the match-list standby interface group username username vcid VC ID vlan vlan voice-port voice-port number xconnect Xconnect conditional debugging on segment pair A quick example: filter RIP events only for interface Serial1/1. We just need to enable a debug condition for interface S1/1:


Snmp v3 is described in many RFC, like RFC3414 and so on. History and security of the various SNMP versions are easy to find and well known, let’s focus on configuration. SNMPv3 can work in three ways: noAuthNoPriv authNoPriv authPriv For the tests I use a Cisco871 as snmp-server and a OSX computer to walk the MIBs. noAuthNoPriv No authorization, no encryption Router configuration; R(config)#snmp-server view noAuthNoPriv internet included R(config)#snmp-server user user1 noAuthNoPriv v3 R(config)#snmp-server group noAuthNoPriv v3 noauth read noAuthNoPriv Query from OSX