ICND- Is Cisco oN Drugs – The road to being certifiable – Part 1

So I have a dirty little secret that I’m going to let you in on. Until recently the only IT certification that I held was an expired MCP certification dating back to the days of NT4.0. That’s right, I wasn’t a CCanything, and didn’t really see the need. I had years of experience on my resume, and didn’t want to put myself through the emotional distress caused by chasing certifications. There was also the question in the back of my mind: “if I begin taking exams, when do I stop, ccna, ccnp, ccie?”

So for reasons that will be explained later, I decided that it was time to begin the journey to become certifiable certified. Rather than jump directly into the Route, Switch, and Tshoot exams, which I really wanted to do, I instead decided to make myself step through it one step at a time, beginning with ICND1. I spent a week going over the material, just to be certain I knew what to expect, and scheduled the exam.

I wouldn’t say that I have “test anxiety” but anytime you spend $125 on an exam there are going to be strong emotions involved. I went into the exam a little nervous, but still expecting to pass easily.

This brings me to the reason that I HATE certification exams. I was shocked throughout the exam at how many poorly worded questions there were. I felt like I was arguing semantics with someone over whether or not “yes” means “yes” always or just on the odd and even numbered days. It finally led to the question that if I had been in an argument, I would have walked away before resorting to violence.

A loose paraphrase of the question was:

Which are swapped to change a straight-through cable to a crossover cable?
1 and 2
2 and 4
1 and 3
etc.
etc.

Now, the very first answer was “1 and 2” , which I understood to mean “the orange pair that includes wires 1 & 2” so I clicked the check box and then began looking for “3 and 6” to indicate the green pair. The only problem was, there was no “3 and 6” as an answer. I re-read the question, and all of the answers, still no “3 and 6”, I re-re-read, and still no dice.

At this point, I had seen a couple of poor questions or examples, and I was about to chalk this up as “another screw up on this stupid exam” and just click a box so that I could move on. But, I couldn’t stand to be beaten by such a simple question. I re-re-re-read the question, and finally figured out what they were really asking.

The question was really asking which STRANDS, WIRES, or PINS are swapped, not which PAIRS. Why one of those simple words was not used, I cannot tell you. It would have made the 4 minutes I spent on that question less than 20 seconds. At this point I was so frustrated with the many poorly worded questions, I spent 5 minutes writing a comment on this question before I moved on.

By the end of the exam I was sure that I had passed, and when my last two questions were “complex” subnetting questions, I guessed because I didn’t feel like doing the math, and wanted to be done with the exam. I passed with a great score, and ~20 minutes left.

I don’t mind challenging questions. I like to think, and want to know that when I complete an exam I have accomplished something. At the end of the ICND1 exam,  I had figured out what Cisco was TRYING TO ASK enough times to pass. That is all that I feel I accomplished.

Making people decipher and decode poorly written questions does not vet them as a capable certification candidate.

I now know that ICND really stands for “Is Cisco oN Drugs”

RSA can’t be trusted. Death to RSA.

RSA has finally admitted that it’s root certificates were compromised, which affects ALL SecurID tokens.

I personally feel that this shows absolute failure on the part of RSA. First, their root certificate was compromised. Second, rather than admit it, begin contacting customers immediately, and notifying the public, they chose to hide behind NDA’s while their customers were being compromised. RSA’s excuse for their lack of communication was that they didn’t want to give the attackers more information that could be used to exploit further companies. Based on the target of the attacks: Lockheed, Northrup Grumman, and L3 Communications, it is clear that the attackers knew everything already.

A company that was built on trusts and security has now been found completely untrustworthy and insecure. I expect to see major lawsuits resulting from this. I hope to see heads roll.

The company I work for uses these tokens. We have asked RSA for more information multiple times, but they have been slow in providing anything.

http://www.net-security.org/secworld.php?id=11122

Google warns of World IPv6 Day

Google is warning users of tomorrow’s test of IPv6, and more importantly of the fact that current IPv4 addresses have been depleted. I was only able to see the yellow banner in Linux running Firefox4, it never appeared on my Windows 7 machine. Google warning of IPv6 testing on June 8th.

While the banner is sure to cause some discussion among the non-networking crowd, I wish Google had included a link to more information. Instead they only include a link to test a users internet connection for IPv6 readiness. I don’t think the average user understands that their ISP is responsible for providing IPv6 connectivity, or of the problems that currently face IPv4.

I will give Google credit for starting the conversation. Hopefully, tomorrow there will be a lot of companies asking themselves what they must do to be ready for IPv6. Enterprise must lead IPv6 adoption, because as we all know, carriers are more than happy to sit on their butts as long as no one complains. The fact that so many ISP are considering CGN is a perfect example of that.

The velociraptor died after choking on a rib bone, so creating IPv7 is out of the question

OK, I admit it. I’ve had my head stuck firmly in the sand for almost 11 years. 11 years ago, to the month, I was sitting in my first TCP/IP class. I had fought through the first two days of class feeling mentally exhausted. I was finally beginning to wrap my head around IPv4 and variable length subnet mask. In fact, I was understanding IPv4 well enough that I could help my fellow students decipher the statements coming from our newly minted (and very proud of it) CCIE.
I was feeling pretty good about myself, and may have started to strut, just a little, as I moved from desk to desk, helping other students.
I should mention now, that I’m fairly quick on the up-take. I’m not bragging, simply stating that I meet the minimal requirements to be a geek. For some reason, I had really struggled with IPv4, so once I felt like I had a firm grasp of the concept, I was feeling pretty good.
My CCIE instructor, from his seat of power, saw a little pride develop in his class as more people caught the basics of VLSM. He, in the ultimate wisdom which comes with that coveted CCIE number, decided it was time to strangle those good feelings until they were most certainly dead. He did so, by launching into a 30 minute diatribe of how IPv4 would die a “quick death” and how IPv6 would take its place.
I’m sure you can imagine the look of horror on the faces of the students in the room. He certainly saw it, and fed off the fear as he blew through the broad topic that is IPv6. He delighted in mentioning that every device would have multiple IP’s, that each IP would be part of a different subnet. He threw out new words like anycast to a group of people who barely understood muilticast and unicast.
Wait, what?
In 30 minutes, he convinced three students that IT was not really the field they wanted to pursue, and the rest that IPv6 was EVIL. I was so affected and confused by that 30 minute rant, it took me five years before I had a practical understanding of subnetting IPv4 networks again.
Since that time, I have done my best to ignore the existence of IPv6. I used the fact that vendors were still releasing new products without IPv6 support as a reason to keep my eyes and ears firmly closed.
<My IPv6 Rant>
I believe that when IPv6 was being created someone said, “Yes, we COULD do that, but SHOULD we do that”. The rest of the attendees sat silently as he was taken from the room, and forced to watch his organs being fed to a genetically engineered, but very bored, velociraptor. The group then hired a soothsayer to read the velociraptor droppings, which gave us IPv6, reality TV, and the song “Friday”. The velociraptor died after choking on a rib bone, so creating IPv7 is out of the question.
</My IPv6 Rant>
With that said, IPv6 is here to stay, and it’s time for us, as Network Engineers, to get on board. We can’t complain about NAT64, without being willing to make the commitment to IPv6. When new protocols like TRILL are brought up for discussion, it’s easy to get excited. TRILL takes something that we already know (IS-IS, L2, etc) and simply builds on it. It is also transparent to layers 4-7, so it doesn’t affect non-network types.
IPv6, causes us to backtrack. It changes all of the rules. It’s not just IPv6, it’s new routing protocols, DNS, application stacks, etc. We have to forget what we learned in IPv4, and relearn it for IPv6. Server admins and developers will also have to update their skills. It’s painful.
With that acknowledged, we can’t put off learning to subnet, route, and filter IPv6. It’s time to begin examining IPv6 routing protocols, and buying equipment or ordering circuits which don’t support IPv6 should be out of the question. Yes, it does feel like starting from scratch. Yes, you will have to learn every protocol that you thought you knew all over again. Yes, IPv6 makes everything more complicated.
System Admins and developers can’t support IPv6 until we do. We must move forward, so that they can move forward.
Most network engineers agree that NAT is a poor solution to the problem staring us down. There are only a few other options. We can upgrade our skills, beginning the long arduous task of becoming experts in IPv6. We can ignore the change, until we are required to upgrade; then deal with entire IT teams being unprepared, learning on the fly, while implementing poor solutions in the near-term. Finally, we can make the same choice that those three classmates of mine did. “Maybe networking isn’t for me, I’ll go do something easier, like lion taming.”

Could Cisco Prime be the first step towards OpenFlow competition?

As it has been clear from my previous post, I have a love/hate relationship with Cisco. I love some of their products and I love working in IOS. There are also things that I hate: Cisco’s management platform and the lack of consistency between product lines; subnet mask vs. wildcard mask being a great example. Another thing I hate, Cisco’s management tools. CiscoWorks is a joke, and in smaller environments, where CiscoWorks would be overkill, companies are left with Cisco Network Assistant(CNA).

<RANT>
I realize that CNA is free, that Cisco doesn’t make any money on it, and that it was never meant for large enterprise. However, if there has ever been a product deserving of a “Beta” tag, I’m not sure what it is. What a piece of junk!
</RANT>

Now Cisco has released Cisco Prime. In all of the articles that I have read, the primary function is listed as “unified access across wired and wireless networks”. Clearly Cisco intends this to be a security solution. However, as you read further, things get a little more interesting. Here are the features as per a Cisco Blog post: http://bit.ly/gWBijM

Centralized Policy. Support any user on any device and provide secure access across the entire network by setting a single set of policies that can be distributed and enforced across the entire network.

Network Management. Unified management via Cisco Prime for wired and wireless networks helps increase IT efficiency, reduce IT training, and decrease time to resolve IT issues by providing a converged service-centric management platform.

Automation for Voice and Video. Ensure consistent high-quality user experience on any end-point. The latest innovations using Cisco Medianet enhancements provide automation and troubleshooting in the network to deliver application quality of experience, particularly video. Plus, organizations can reduce cost and time when resolving application choke points in the network, and scale applications to any endpoint with greater speed and efficiency.

The last two items are what piqued my interest. Unified network management, bandwidth control and shaping for audio and video; aren’t these features discussed when OpenFlow comes up? Is it possible that Cisco has recognized the need to address OpenFlow now, before it gets a stronger foothold in the market?

If I’ve properly read between the lines, and my guesses are accurate, there are a few things to remember. IF, then:

-This product has been rushed to production. I wouldn’t touch it within the first 6-9 months, or until it’s been upgraded at least once.
-Let’s face it, some of Cisco’s best new to market products were bought, not built internally. This was built internally. Enough said.
-Prime’s feature set will explode over the next few years, to make it better compete with the full OpenFlow feature set.
-The next version of IOS, ASA, WCS, etc. will have new hooks for this software to continue it’s feature expansion. Use caution with new versions of code for any devices. New hooks in the software = new security vulnerabilities and new bugs
-We may actually see a great security/network management product from Cisco in the next couple of years!

Texas Hold’em and the IETF – Did Brocade bet against TRILL?

For the last two post, which you can find HERE and HERE, I’ve knocked Cisco around. For those who don’t know me, I should warn that I am an equal opportunity offender. With that in mind, let’s take a look at Brocade’s implementation of TRILL.

As most of you should know, TRILL uses IS-IS on Layer 2 to identify the shortest path between switches, and load balance across those paths. Since this is happening at layer 2, not layer 3, it does away with Spanning Tree, which means more bandwidth and faster fail-over using the same number of ports, fiber paths, cables, and switches.

Of course, despite the fact that we all understand the above to be true, Brocade decided to go their own way and replace IS-IS with FSPF or Fabric Shortest Path First.

If you haven’t done much work in SAN environments, you may not be familiar with FSPF. Brocade created FSPF in 1997 to answer bandwidth concerns in Fiber Channel SANS. It has since become the standard path selection protocol in Fiber Channel fabrics.

With that understanding, let me back up and rephrase. As TRILL utilizing IS-IS was being developed by the IETF, Brocade a member of the IETF, decided to implement their own version of TRILL utilizing FSPF.

Brocade along with Cisco are both offenders. They both claim to be working with the IETF, yet at the same time both have released competitors to TRILL. Are we to believe that Brocade worked to make TRILL the best possible solution at the same time that they were creating a competitor to it? What about Cisco and FabricPath?

Both companies claim that their solution “extends” TRILL with additional features.

Were those “extended” features brought up in meetings when the TRILL standard was being discussed? Did the IETF choose to ignore those suggestions? I doubt it.

Cisco, Brocade, and most like every other vendor sat at the table the same way a poker player does during a game of texas hold ’em. No one showed their cards, but everyone watched the flop, river, and turn cards, to see what they could create with their own hands to drive the other players off the table.

Make no mistake, TRILL did not benefit from Brocade, Cisco, or any other vendor’s presence on the committee. Their involvement was for their own purposes, not the benefit of customers.

Openflow, Merchant Silicon, and the end of the reign of King John.

Early this morning, I finally had an opportunity to listen to the latest episode of Packet Pushers Podcast.

In the podcast, the guys discuss Openflow and the impact it could have on the networking industry. One of the points mentioned in the podcast was that Cisco is apparently using merchant silicon in the latest 10GB Nexus switch, the 3000. I was shocked when I heard this, and had to do a little research to verify. Sure enough, it seems that Cisco’s latest Nexus switch is built on Broadcom chipsets. Wow.

Let me say that again…Wow. To recap, here is my favorite Cisco blog post regarding Cisco and merchant silicon by Douglas Gourlay, an ex-Cisco Senior Manager of Product Marketing.

http://blogs.cisco.com/datacenter/on_merchant_silicon_and_mowing_my_yard/

To quote the post:

Do major automobile manufacturers outsource engine design and development to other firms? Of course not, they design and build their engines. Do manufacturers of more consumer goods like lawn mowers outsource their engines? Absolutely, they go to specialized engine manufacturers because the core value of what they offer is either a certain price point, or the value is not tied to the engine. So the question then – is do you want to ride to work or school in a car, or on a lawnmower?

Ok, so if Cisco is using merchant silicon in their Nexus line, it seems to me that the course adjustment that Big John emailed his employees about last week wasn’t the beginning. Maybe John was trying to answer rumors that had already started within Cisco’s ranks. Change was in the air, questions were being asked, and it all had to be addressed.

What would cause such a shift in Cisco? Is it possible that Cisco already realizes that being faster is no longer relevant in an age of Openflow, TRILL, IPV6, etc. etc.? There is no doubt that Cisco has felt the pressure from HP, Juniper, and other vendors. In fact, my current role is in a company that made that jump from Cisco to HP and Juniper when Cisco tried to sell Nexus 7K’s when 4507’s  or 6509’s would have been the better solution. Cisco didn’t just lose a customer here, Cisco made enemies. (I get scowls when I mention Cisco.)

Is it possible that Cisco realizes that the days of huge profit margins on every device it sells are coming to a close? Is it possible that maybe, just maybe, Cisco realizes that it’s not the only game in town?

For years, people bought Cisco for the additional features that Cisco offered. PAGP, ISL, EIGRP, LWAPP were all answers to problems that no one else had addressed. They were good answers at the time, and all led the industry standards by a couple of years. Now, the alternatives 802.1Q, LACP, OSPF, and CAPWAP have replaced those proprietary Cisco protocols. Looking at the environment now, I don’t see any areas where Cisco has a unique answer. Either the networking community has a solution (Openflow, TRILL), or each vendor has their own unique solution to the same problem (Qfabric, Unified Fabric).

Let’s look ahead 3 years. If an engineer has the option of buying products from Cisco which cost a lot more, and must be managed individually, or buying products from a range of vendors that all must compete in a cost effective manner, and all of which support unified management through Openflow, and all of which have the same features, which would he choose?

Two closing thoughts:

Apple is trying to teach the tech world a lesson: specs alone doesn’t make a better product. For Cisco to compete, they have to focus on features that answer real world problems, not imaginary scenarios. IPv6 and TRILL vs. Who really uses an ASA for deep packet inspection on a regular basis?

Cisco is a very big ship, and it will take a long time to turn. Watching from the shore, we have only begun to realize that it is turning, and have no idea where the new heading points.