Sunday, November 28, 2010

Cisco IOS CLI vs Foundry/Brocade CLI

The CLIs for Foundry and Cisco devices are very similar. Some commands are identical:
show interface
show run

Others are slightly different:
cisco                 foundry
-------------------   ----------------------
show ip int br        show int br

description           port-name

speed 100
duplex full           speed-duplex 100-full

Some are notably different, such as putting a given port into a given VLAN (natively, not with 802.1q tagging or anything):
cisco:
  vlan 100
  int Fa 0/15
  switchport mode access
  switchport access vlan 100

foundry:
  vlan 100 name MySpecialVLAN by port
  untagged eth 15

Sunday, November 21, 2010

gender and drupal

Interesting post over at Wild Unicorn Herd

Open Source people, and Drupal people in particular, pride themselves on having a “doacracy”—a community that values getting stuff done above traditional authority. This could create a beginner-friendly, non-hierarchical environment of subversion and experimentation. In practice we just have white straight cis men getting SUPER DEFENSIVE at the suggestion that maybe they got where they are not only by the sweat of their brow, and shouting down any mention of patriarchy, racism, or any other systemic oppression when people run the numbers and get to wondering why there’s so little minority representation in Open Source.

On the other hand, I'm pleased to see things like the discussion over the expanded 'gender' field at (link here).

hat tip to

Wednesday, November 17, 2010

more than a thousand times better than the nexus 6! take that, roy batty.

Cisco's hot new multiservices platform is the Nexus 7000. I haven't actually laid hands on one, but I figured I'd read up on them a bit. Thus, I blog about it.

It's a move away from IOS-based platforms -- it runs a newfangled "NX-OS". It's a big-assed chassis switch that runs either 10 or 18 modules; each of those configurations takes two supervisor modules, like the old supervisor cards on the Catalyst switches. The bigger chassis can take up to 516 gigabit ethernet connections which is some pretty beefy port density, right there.

The OS, NX-OS, has a CLI similar to IOS's to keep the cisco look and feel, but it is apparently a completely different beast than IOS under the hood: it's built on an embedded Linux kernel. (Historical trivia: IOS is somewhat derived from TENEX, the nonstandard OS for the PDP-10.) Wikipedia tells me that NX-OS doesn't support per-user logins or scp, that it treats all access-lists as extended (about time -- I think IOS's way of handling ACLs dates back to when people were running multiprotocol networks that handled more than just IP), and that it doesn't support the 'write' command and instead uses the 'copy' command, which I can live with. It's derived from SAN-OS, which I am also unfamiliar with.

I believe the technical term for this device is "ginormous". The small one, which has 10 horizontal cards, is about half a rack high:

And for scale, here's another one of the 10 slot models next to its 18 slot (arranged horizontally) big sister:

Looking at it, I'd say that even with the cards and power supplies and fans stripped out, you still need a 19" wide lift that can slide inside your cabinet to install it.

Sunday, November 14, 2010

Cheerleading. FOR SCIENCE.

So, there are plenty of instances of women - and men, too - in tech, engineering, science, etc, doing things to show that smart people can be hot. (Sexy oncologist calendars, things like that). It's not quite as often that you see something showing that hot people can be smart. Science Cheerleaders are former (possibly a few current - not sure) professional cheerleaders who have found careers in science and engineering, and who go around and CHEERLEAD FOR SCIENCE.

Breaking down expectations and stereotypes for nerds and cheerleaders! This is fabulous. I think the only way this could be more awesome is if they were *really* some kind of Banzai Institute sort of group who went around the world doing goodwill appearances that were actually a cover for their real mission of SAVING THE WORLD.

Their web site is at, and here's a video of them at the USA Science and Engineering Festival.

Wednesday, November 10, 2010

Cisco PIX/ASA order of operations for NAT

From this page on

Inside to outside:
* If IPSec, then check input access list
* Decryption—for Cisco Encryption Technology (CET) or IPSec
* Check input access list
* Check input rate limits
* Input accounting
* Policy routing
* Routing
* Redirect to Web cache
* NAT inside to outside (local to global translation)
* Crypto (check map and mark for encryption)
* Check output access list
* Inspect context-based access control (CBAC)
* TCP intercept
* Encryption

Outside to inside:
* If IPSec, then check input access list
* Decryption—for CET or IPSec
* Check input access list
* Check input rate limits
* Input accounting
* NAT outside to inside (global to local translation)
* Policy routing
* Routing
* Redirect to Web cache
* Crypto (check map and mark for encryption)
* Check output access list
* Inspect CBAC
* TCP intercept
* Encryption
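The two lists above, as an added Python model (not Cisco code): it reduces each direction to input ACL, routing, NAT and output ACL in the relative order the lists give, and records which addresses each stage sees, so you can check that an ACL on the outside interface has to name the global address (the input ACL runs before NAT) while the route lookup for outside-to-inside traffic runs on the already-translated local address. The addresses, routes, ACL entries and NAT table are constructed.

```python
"""Model of the two NAT orders of operations listed above (added teaching aid,
not Cisco code). Only input ACL, routing, NAT and output ACL are modelled, in
the relative order the lists give, to show which address each stage sees.
Addresses, routes, ACL entries and the NAT table are constructed."""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

LOCAL_TO_GLOBAL = {"10.1.1.10": "203.0.113.10"}   # constructed static NAT entry
GLOBAL_TO_LOCAL = {g: l for l, g in LOCAL_TO_GLOBAL.items()}
ROUTES = {"10.1.1.10": "inside"}                    # anything else routes "outside"

# Relative stage order taken from the two lists above; other stages omitted
ORDER = {
    "inside_to_outside": ["input_acl", "routing", "nat", "output_acl"],
    "outside_to_inside": ["input_acl", "nat", "routing", "output_acl"],
}

def acl_permits(acl, pkt):
    """acl = [(action, src, dst)]; 'any' wildcards; first match wins; implicit deny."""
    for action, src, dst in acl:
        if src in ("any", pkt.src) and dst in ("any", pkt.dst):
            return action == "permit"
    return False

def process(direction, pkt, input_acl, output_acl):
    """Run pkt through the modelled stages. Returns (trace, egress packet or None).
    Each trace entry is (stage, result, src, dst): the addresses that stage saw."""
    trace = []
    for stage in ORDER[direction]:
        if stage == "input_acl":
            result = acl_permits(input_acl, pkt)
        elif stage == "output_acl":
            result = acl_permits(output_acl, pkt)
        elif stage == "routing":
            result = ROUTES.get(pkt.dst, "outside")  # egress interface chosen
        else:  # nat: inside->outside rewrites the source, outside->inside the destination
            if direction == "inside_to_outside":
                pkt = replace(pkt, src=LOCAL_TO_GLOBAL.get(pkt.src, pkt.src))
            else:
                pkt = replace(pkt, dst=GLOBAL_TO_LOCAL.get(pkt.dst, pkt.dst))
            result = True
        trace.append((stage, result, pkt.src, pkt.dst))
        if result is False:
            return trace, None  # dropped by an ACL
    return trace, pkt
```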

Sunday, November 7, 2010

Another F5 iRule

I want to pull some percentage of the traffic off and send it to one web server pool and send everything else to a different pool.

Simplest way to do it would seem to be by the last digit of the number of seconds -- that gives me granularity of 10% at a time. To start off, I'm doing just 10% of the traffic, so I'll pick requests with seconds ending in "0".

when HTTP_REQUEST {
    if { [HTTP::uri] equals "/directme" } {
        # last digit of the epoch-seconds clock picks roughly one request in ten
        set foobaz [clock seconds]
        if { $foobaz ends_with "0" } {
            pool special
        } else {
            pool normal
        }
    }
}

Wednesday, November 3, 2010

A bit more about the F5

The F5 local traffic manager (LTM) is a load balancer. Here's a quick overview of how it does its basic thing:

Individual web servers are defined as "nodes". Each node can be part of one or more "pools" of web servers. These pools are then assigned as a resource to any of the "virtual servers" that you define.

When you set up a virtual server, you have to indicate what port and protocol you're using. If it's for SSL connectivity and the F5 is handling the encryption, you'll need to indicate what certificates you should be using.

You can specify what healthchecks it should use to determine if a node is up, and what metrics the F5 should use to figure out who to hand the next connection off to when it uses a pool containing several members.


About Me

Regis has worked as a network engineer since 1994 for small companies and for large companies.