Cisco ASA show connections ordered

When a customer calls with a problem or request I often see a chance to investigate a technology, learn something new or apply random skills to find a creative solution. This time is about an ASA, customer noticed too much traffic on the Internet facing interface. Syslog, Netflow, bandwidth monitoring and any other useful tools are totally missing, only the old good CLI to help. The MVP We can get a list of all active connections from ASA with

NFD16 day two - Cisco Project Starship a.k.a. Intersight

Day two of NFD16 with Cisco. The presentation was split in two parts. First part for Intersight, second part for Tetration. I’ll post here just a few thoughts about Intersight. Merakify all the servers! What’s Cisco Intersight? If you’re familiar with cloud-managed devices like Meraki the concept is quite similar. A Cisco server runs the Device Connector client that links to a central management portal that runs on Cisco DC SaaS.

TAC Security Workshop - Poland

This week I attended and event organized by Cisco TAC in Krakow. I’ve been in may Cisco events (Live, PVT, Pint etc.) but It was the first time for me at a TAC workshop and I was curious about it. The Agenda Agenda was clear: tree days with TAC engineers presenting best practices for installation and configuration with a clear focus on troubleshooting methods and tools. I was not disappointed by the contents: marketing was reduced to minimum, all the presenters were skilled TAC engineers and all the sessions were very detailed.

Cisco Live Europe 2017 Berlin

It’s time for CLEUR again, for the second year in Berlin, that’s 5 years in a row and I still get excited when the date arrives. #CLEUR #CCIE #netvet #ciscochampion #merakimaster — Gian Paolo (@gp_ifconfig) February 21, 2017 I won’t repeat many consideration’s I’ve already made last year. This year my main focus was security, I attended many FirePower, AMP and FTD sessions. General routing/switching and wireless are topics I can see in other partner events or learn by myself watching recordings later.

Cisco ASA boot problem

Cisco ASA memory problem ASA doesn’t boot: Launching BootLoader... Default configuration file contains 1 entry. Searching / for images to boot. Loading /asa825-k8.bin... Booting... Press ESC to interrupt boot: Use BREAK or ESC to interrupt boot. Use SPACE to begin boot immediately. We’re now in rommon: rommon #0> Check variables: rommon #3> set ROMMON Variable Settings: ADDRESS= SERVER= GATEWAY= PORT=Ethernet0/0 VLAN=untagged IMAGE= CONFIG= LINKTIMEOUT=20 PKTTIMEOUT=4 RETRY=20 Config network parameters.

Drop and bogons list on Cisco router

The Cyberspace a.k.a. the Internet is full of bad guys wanting to mess with our computers right? Of course everyone of us have a firewall configured with proper access and inspection rules, don’t ya? Spamhaus and Team Cymru can help providing list of known bad IPs and subnets that should be filtered in our networks. Spamhaus DROP list “DROP (Don’t Route Or Peer) and EDROP are advisory “drop all traffic” lists, consisting of netblocks that are “hijacked” or leased by professional spam or cyber-crime operations (used for dissemination of malware, trojan downloaders, botnet controllers).

Cisco Live 2016 Europe

Hi CLEUR! This year, for the fourth year in a row, I’ve attended Cisco Live Europe. I’ve earned the “Netvet” status, that means my name was on the wall before the keynote, ain’t that great? ;-) Aesthetics apart, this year’s event was the biggest I’ve attended so far, twelve thousands people in a huge venue (for European standards) and a lot of sessions available. Here’s my recap of the event.

Welcome 2016 Cisco Champions

With a good amount of surprise I’ve been nominated Cisco Champion for 2016: Because of your impactful and valuable contributions to the IT community, you have been chosen out of hundreds of nominees to be part of the 2016 Cisco Champion program. Congratulations! Cisco Champion resources Communities Twitter list

Simple Cisco switch inventory with bash and snmp

Scripts, usually I write some because I don’t like repetitive tasks and I’m lazy, meaning I prefer automation over useless hard work. Don’t know where I found this quote but I like it: Don't spend your time doing work a well-trained monkey could do. Today’s request was quite simple: get model and serial number from a bunch of Cisco switches. I now NEDI, Observium and LibreNMS can do that but I preferred to write a quick script I could use as a one shot tool instead of a complete software solution.

Cisco ASA VPN with over overlapping addresses and twice NAT

IP addressing design is a topic that follows every networker from the basic to the architect level of experience. Usually we just pick a random range from RFC1918 and address all the devices. But then VPN happens, and with VPN comes the risk of overlapping. How do we fix overlapping? With NAT of course! In this post I’ll show how to use twice NAT to allow VPN connections with overlapping addresses.

Quick config: SSL VPN on Cisco IOS via CLI

Platform: CISCO2921 IOS version: 15.3(3)M5 Load the anyconnect package on the flash of the router and configure anyconnect client package (be patient, this may take a while…): crypto vpn anyconnect flash0:/webvpn/anyconnect-win-4.1.04011-k9.pkg sequence 1 SSLVPN Package SSL-VPN-Client (seq:1): installed successfully Create a virtual template, that’s the interface the VPN clients will attach to: interface Virtual-Template1 ip address Create a local pool to assign IP addresses to VPN clients:

Meraki CMNA

Today I’ve attended a Meraki technical training course at Cisco offices. The training was organized in short presentations of product features followed by hands-on labs based on all the products available today. I was suprised to find not only people from small companies or system integrators but more that 50% of the attendees were from Cisco Gold Partners sent to evaluate the products for “managed network” services. Cloud managed network gear is quite a hot topic today and I expect many projects in the future will involve this kind of solutions.

Cisco Nexus 9000 training DCINX9K

This week I attended a two days training of Cisco DCINX9K. The training is focused on Cisco Nexus 9000 switches in NX-OS mode. NX9K can run two different software images, the full ACI image with all the cool SDN stuff and the traditional NS-OX image with some cool features like Python, Rest API, VX-LAN and more. Now it’s time to improve my Python skills and borrow a couple of boxes to do some labs.


Today I had a chat about MTU with a customer. MTU is my second favorite topic for tech talks in front of the coffee machine, STP is still the first because there are so many misconceptions about it. Even QoS is funny, people has many creative ideas and expectations from it. Let’s talk about MTU. Everything begun today from a ping (it’s italian in the screenshot, but you know the output by heart right?

MTU on Nexus switches, CDP and vCenter

Some time ago I’ve installed the new core switches for a customer: a couple of Nexus 7000, a couple of 5000 and twelve Nexus 2232TM, Virtual port channels, VLANs, Radius auth and so on.. all the usual configs a good network engineer does. Since the Nexus 5000 are connected to an iSCSI storage I’ve configured Jumbo frames. Customer called complaining that MTU isn’t correctly set and I must fix it.

Cisco Live 2014 Milan

Last week I had the opportunity to attend Cisco Live in Milan. This is my second time at Cisco Live, I’ve been in London last year. Some people still doesn’t know what Cisco Live is. Is it an event for pre-sales? A technical training? A party with free beer for nerds? I can say it is it all and much more. At Cisco Live you have the opportunity to participate in very deep technical sessions, some with hands-on labs, and to talk with the smartest guys in Cisco.

Cisco WLC roaming debug + gawk + sed

Quite often I have to debug a wireless client roaming across lighweight Cisco APs to confirm it moves between APs as expected in the network design. On the WLC the command is “debug client MAC”. The command shows all the events related to the specific client including: Reassociation received from mobile on AP 00:23:ab:ba:YY:XX that means client moved to the AP with radio MAC 00:23:ab:ba:YY:XX. Since I’ve named all the APs and and I’ve a map with all the positions, I’d like to see the names in the debug instead of MAC.

My CCIE experience

In really enjoyed to read all the blog post of people passing the CCIE lab exam over the years. I’ve found the stories very inspirational so now it’s time for me to give back. I started working as a system engineer in 2001 supporting Microsoft Windows 2000 client and server for a bank. I had the opportunity to work with some network engineers for a project and being intrigued by the new world I started to study what seemed to be the right choice for the moment: Cisco CCNA.

CCIE lab numbers preallocation myth certification value

Cisco stopped to publish CCIE statistics some time ago but in Cisco Live presentations we can find some slides like this: A couple of days ago on twitter Bob McCouch who passed his lab on February 21st posted this: I know 14 days are not enough to make statistics, but let’s play with the numbers since they’re very fresh. There’re 9 CCIE lab locations worldwide, suppose each lab locations ha 5 seats per day.

Recipe: NTP server/client with auth

NTP client / server with authentication SERVER CONFIG ntp authentication-key 1 md5 0802657D2A36 7 ntp master 5 CLIENT CONFIG ntp authentication-key 1 md5 1531223F2705 7 ntp authenticate ntp trusted-key 1 ntp server key 1 Notes: the client authenticates the time source, server must have the key.

Cisco Live! Europe 2013

Cisco Live! Europe: I’m in! First time here, the impression is like being in the Willy Wonka chocolate factory with the big difference you can touch everything without disappear. As my job is not focused on a single technology I’m registered to many different sessions, from WiFi to Security, from FCoE to Routing/Switching. A longer review will follow. It’ll be a long week. _ _

File prompt quiet

When a router config is saved with copy run start IOS asks for a destination filename: RTR#copy running-config startup-config Destination filename [startup-config]? Building configuration... [OK] To bypass the request and use the default name startup-config do this: RTR(config)#file prompt quiet And then again copy run start will not require the filename: RTR#copy run start Building configuration... [OK] This command may be useful inside EEM scripts that can’t run intecartive commands.

OSPF Forward Address

OSPF Forward Address (FA): works like BGP next-hop for OSPF external routes advertised only if next-hop is on a not-passive and multiaccess interface if there’s not a route to FA address, route is not installed FA = –> cost to ABR FA <> –> cost to FA address NSSA –> FA is ASBR IP –> remove FA with “area 1 nssa no-summary translate type7 suppress-fa”

How to change a L2L VPN peer IP on Cisco ASA 8.3(2)4

Today a customer called to change the IP address of a L2L VPN peer on his Cisco ASA 8.3(2)4. The task can be divided in 3 steps: 1) Get the VPN password. It should be written somewhere in the network documentation, as stated by rule 7, but you know, password sometimes just get lost. 2) Find and update crypto map asa# sh run | b peer You should get a line like

Copy files to ASA via SCP

Sometimes it can be useful to copy files to and from a Cisco ASA Firewall via SCP. To enable SCP just type: ssh scopy enable

Monitor Cisco router UPTIME with Nagios and Cacti

On a customer’s network we noticed that the Internet facing router reboots because of a software error. We stumbled on this issue by chance, just because one of the reboots was during a videoconference. Nobody noticed the problem before and they really don’t know if the problem was there since the installation of the router a couple of years ago. They have Nagios running to monitor the network, so I’ve configured it to monitor the router uptime too.

Certified in Cisco Data Center Support for UC Specialist

Today I passed Cisco 642-983 DCUCI exam and it was a surprise to see two certifications on my Cisco curriculum: Cisco Unified Computing Technology Support Specialist and Cisco Data Center Support for UC Specialist The next step would be “Cisco Data Center Unified Computing Support Specialist” but since VCP is a requirement and is not in my plans I have to skip that cert.

Cisco DCUCI training

This week I’m attending Cisco DCUCI course in Milan. I have no experience on blade servers or Cisco UC plaftorm and it’ll be a great opportunity to learn new topics and move another step towards the datacenter. I’ve prepared for this course watching Cisco PEC videos and reading the two must-read books from Silvano Gai: I/O Consolidation in the Data Center Cisco Unified Computing System (UCS) Cisco provides an emulator for the Cisco UCS , available only to Partners.

Certified in CCNP Security

Today I passed this Cisco exam: (642-647) Deploying Cisco ASA VPN Solutions v1.0 (VPN) and my CCSP certification is now updated to the new CCNP(Security). I’ve prepared the exam on the Cisco Press Official Cert Guide. The exam was not very hard, probably because I work on Pix/Asa platforms since 2007. The guide is very complete and actually I’ve re-learned some topics and how to deploy SSL and WebVPN in a better way, easyer to manage and to scale.

PPPoE peer IP address

Quick note on PPPoE address assignment. !!!!! IPCP !!!!! !!!!! CLIENT interface Dialer1 ip address negotiated encapsulation ppp dialer pool 1 dialer idle-timeout 0 dialer persistent end !!!!! SERVER ip dhcp-server interface Virtual-Template10 ip address peer default ip address dhcp end !!!!! DHCP !!!!! !!!!! CLIENT interface Dialer1 ip address dhcp encapsulation ppp dialer pool 1 dialer idle-timeout 0 dialer persistent end !!!!! SERVER interface Virtual-Template10 ip address 10.

Autoinstall - Frame Relay

First of all: autoinstall works only on the first serial interface of the router, don’t forget it. This is the topology for the small lab: R1 is a TFTP server, it stores R3 configuration in flash. R3 has no configuration. R2 interface is configured as follow: `` interface Serial1/0 ip address <strong> ip helper-address</strong> encapsulation frame-relay ip ospf network broadcast ip ospf 1 area 0 serial restart-delay 0 frame-relay map ip 10.

Autoinstall - LAN

Autoinstall is a quite interesting topic, it deserves some labbing. Start from the DOC-CD as usual, we focus on the LAN implementation first. You can find HERE the flowchart of the autoinstall process. This guide is quite clear too: AutoInstall Using DHCP for LAN Interfaces This is the topology we’ll use: R1 and R2 will start without configuration. R3 is the DHCP server that provides TFTP informations to R1 and R2.


RMON is generally an easy task, can be tricky but usually on CCIE workbooks the task are fair. The hardest part for me is to find the MIB to monitor. This is the task: monitor interface Vlan1, send a trap if it receives more than 100 packets every 30 seconds, send a trap if it goes under 50 packets every 30 seconds. First step: find Vlan1 ifindex. R#sh snmp mib ifmib ifindex Vlan99: Ifindex = 10 Virtual-Access2: Ifindex = 13 FastEthernet4: Ifindex = 5 FastEthernet0: Ifindex = 1 FastEthernet2: Ifindex = 3 Loopback0: Ifindex = 12 Null0: Ifindex = 6 Virtual-Access1: Ifindex = 11 <strong>Vlan1: Ifindex = 7</strong> Virtual-Template1: Ifindex = 9 NVI0: Ifindex = 8 FastEthernet1: Ifindex = 2 FastEthernet3: Ifindex = 4 So Vlan1 has ifIndex value 7.

Conditional Debug

Conditional debugging is used to filter debugging messages: R#debug condition ? application Application called called number calling calling card card glbp interface group interface interface ip IP address mac-address MAC address match-list apply the match-list standby interface group username username vcid VC ID vlan vlan voice-port voice-port number xconnect Xconnect conditional debugging on segment pair A quick example: filter RIP events only for interface Serial1/1. We just need to enable a debug condition for interface S1/1:


Snmp v3 is described in many RFC, like RFC3414 and so on. History and security of the various SNMP versions are easy to find and well known, let’s focus on configuration. SNMPv3 can work in three ways: noAuthNoPriv authNoPriv authPriv For the tests I use a Cisco871 as snmp-server and a OSX computer to walk the MIBs. noAuthNoPriv No authorization, no encryption Router configuration; R(config)#snmp-server view noAuthNoPriv internet included R(config)#snmp-server user user1 noAuthNoPriv v3 R(config)#snmp-server group noAuthNoPriv v3 noauth read noAuthNoPriv Query from OSX: