A while back, I started blogging on the subject of IPsec troubleshooting. In that blog post, I mentioned that to troubleshoot IPsec quickly and efficiently you need a good knowledge of how IPsec works and a sound troubleshooting methodology.
So, in this blog post, I am going to describe a simple and efficient troubleshooting methodology. This methodology is shown in the following figure:
Figure 1: IPsec Troubleshooting Methodology
A while back I had my first experience using a Cisco Telepresence system (3000), and I thought that I would share some thoughts.
My overall impression is that it is pretty spooky (at least the first time you use it). Sitting there 'across' the Telepresence virtual meeting room from people who are on the other side of the world, you can almost believe that they really are just across the room.
This impression is obviously completely different from older, less sophisticated video conferencing units that sometimes give the impression that other participants are located in another universe, and are perhaps members of an alien species.
Read more
So, Brocade has bought Foundry. I may be wrong, but to me it looks like these companies have gazed into the future, not liked what they have seen, and jumped into each other's arms out of fright!
Personally, I think that Cisco is right in believing that storage and Ethernet networks will converge in the data center - and Cisco has just the device to ease that convergence: the Nexus 7000. If Cisco is right about this transition, Brocade might end up getting squeezed further.
Read more
Depending on their size and configuration, IPsec VPNs can be relatively easy to design and deploy, even if you are not all that knowledgeable about how IPsec actually works. But if you don't understand how IPsec works and you don't apply a good troubleshooting methodology, then when your IPsec VPN breaks, or doesn't work in the first place, you'll probably have to resort to what I call 'stab-in-the-dark' (SITD) troubleshooting.
Read more
While protocols like MGCP, SIP, H.323 (H.225/H.225 RAS/H.245), and SCCP provide signalling in VoIP/IP telephony/unified communications networks, the Real Time Transport Protocol (RTP) is used to transport the voice and video media packets.
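To make the media side concrete, here is a parser for the RTP fixed header (RFC 3550, section 5.1). It is an added example, not code from the original post; the two packets at the bottom are constructed by hand (payload types 0 and 8 are the static PCMU and PCMA assignments from RFC 3551). The point for anyone writing a VoIP filter, recorder or IDS signature is that the CSRC count, extension length and padding count are all read from the packet itself, so each one is bounds-checked before it is used to slice:

```python
"""RTP fixed-header parser (RFC 3550, section 5.1).

Added example for this post; it is not code from the original article.
The two packets at the bottom are constructed by hand for illustration.
"""
import struct
from dataclasses import dataclass, field
from typing import List


class RtpParseError(ValueError):
    """Raised for anything that is not a well-formed RTP version 2 packet."""


@dataclass
class RtpHeader:
    padding: bool
    extension: bool
    marker: bool
    payload_type: int        # 0 = PCMU, 8 = PCMA (static types from RFC 3551)
    sequence: int
    timestamp: int
    ssrc: int
    csrc: List[int] = field(default_factory=list)
    header_length: int = 12  # bytes used by fixed header, CSRC list and extension


def parse_rtp(pkt: bytes) -> RtpHeader:
    """Decode the header, validating every attacker-controlled length first."""
    if len(pkt) < 12:
        raise RtpParseError("packet shorter than the 12-byte fixed header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if b0 >> 6 != 2:
        raise RtpParseError(f"unsupported RTP version {b0 >> 6}")
    cc = b0 & 0x0F                       # CSRC count, 0..15
    length = 12 + 4 * cc
    if len(pkt) < length:
        raise RtpParseError("CSRC count exceeds packet length")
    csrc = list(struct.unpack(f"!{cc}I", pkt[12:length])) if cc else []
    extension = bool(b0 & 0x10)
    if extension:
        if len(pkt) < length + 4:
            raise RtpParseError("truncated header extension")
        _profile, ext_words = struct.unpack("!HH", pkt[length:length + 4])
        length += 4 + 4 * ext_words      # extension length is in 32-bit words
        if len(pkt) < length:
            raise RtpParseError("header extension exceeds packet length")
    return RtpHeader(
        padding=bool(b0 & 0x20), extension=extension, marker=bool(b1 & 0x80),
        payload_type=b1 & 0x7F, sequence=seq, timestamp=ts, ssrc=ssrc,
        csrc=csrc, header_length=length,
    )


def rtp_payload(pkt: bytes) -> bytes:
    """Return the media payload, stripping trailing padding when the P bit is set."""
    hdr = parse_rtp(pkt)
    end = len(pkt)
    if hdr.padding:
        if end == hdr.header_length:
            raise RtpParseError("padding flagged but no payload octets present")
        pad = pkt[-1]                    # last octet = padding length, itself included
        if pad == 0 or pad > end - hdr.header_length:
            raise RtpParseError("padding length inconsistent with packet length")
        end -= pad
    return pkt[hdr.header_length:end]


def is_valid_rtp(pkt: bytes) -> bool:
    """True if the packet parses cleanly; handy for filters and tests."""
    try:
        rtp_payload(pkt)
        return True
    except RtpParseError:
        return False


# Constructed sample 1: PCMU (PT 0), marker set, seq 1, ts 160, SSRC 0xDEADBEEF,
# one CSRC (42) and a four-octet payload.
SAMPLE_PCMU = bytes.fromhex("81800001000000a0deadbeef0000002a") + b"abcd"
# Constructed sample 2: PCMA (PT 8), P bit set, two payload octets followed by
# two padding octets (the final octet, 0x02, is the padding count).
SAMPLE_PADDED = bytes.fromhex("a00800020000014000000001") + b"xy\x00\x02"

if __name__ == "__main__":
    h = parse_rtp(SAMPLE_PCMU)
    print(f"PT={h.payload_type} M={h.marker} seq={h.sequence} ssrc={h.ssrc:#x} csrc={h.csrc}")
    print("payloads:", rtp_payload(SAMPLE_PCMU), rtp_payload(SAMPLE_PADDED))
```

Tracking the sequence number, timestamp and SSRC that this returns is also the basis of the usual RTP sanity checks: a sudden SSRC change or a sequence jump mid-call is worth an alert, since it is how injected media shows up on the wire.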
RTP has a number of important characteristics, including the following:
Read more
Since Cisco launched the new Nexus range of switches, quite a number of people have asked me whether the advent of the Nexus switches heralds the demise of the Catalyst 6500. Furthermore, I have heard that some of Cisco's competitors have been telling anyone who will listen that the 6500 will soon be gone.
Anyway, with all this apparent uncertainty (or misinformation) around I thought I'd find out what is really going on, so I asked some folks at Cisco and they confirmed that the 6500 will be around for a long time to come.
Read more
Last time in this series of posts on telephony protocols, I looked at H.323, a complex framework of standards and protocols that are used to enable multimedia communication over packet networks. This time I'll be taking a look at a comparatively simple protocol, the Skinny Client Control Protocol (SCCP). In contrast to some of the other telephony protocols, you'll be glad to know that there is comparatively little that you need to remember about it for the exams!
Read more
Note: if you have been following my series on CCIE Voice / CCVP Exam Objectives, and are wondering why that series has stopped, don't worry because it hasn't. I'll be alternating between subjects over the next few weeks and months - and there will be plenty more on CCIE Voice / CCVP Exam objectives.
When the Nexus 7000 switch was introduced, one of its major features trumpeted by Cisco was virtualization in the form of Virtual Device Contexts (VDCs). But what exactly are VDCs, and how might they help you in your network?
Read more
In my previous blog post, I described the most important H.323 protocols, standards, and network elements. This time I'll be taking a look at how those network elements communicate.
As mentioned last time, H.225 RAS allows communication between endpoints and gatekeepers, using UDP ports 1718 and 1719. There are a number of different H.225 RAS messages, including:
Gatekeeper discovery (Gatekeeper Request [GRQ], Gatekeeper Confirm [GCF], and Gatekeeper Reject [GRJ]): used by endpoints to discover gatekeepers with which to register.
Read more
So far in this series I have described two telephony protocols (SIP and MGCP) that feature prominently on the CCIE Voice and CCVP exam blueprints. In this blog entry, I am going to describe another, H.323.
H.323 is a collection or framework of ITU standards for interactive multimedia communications over a packet network. Not only does it appear in a large proportion of Cisco's IP telephony/voice related exams, but there is also a huge installed base of H.323 enabled devices out in the field - so, whether you are focused on passing exams or doing a great job (hopefully both!), you're going to need to have a good understanding of it.
Some of the most important protocols and standards that make up the H.323 framework are:
Read more
A telephony protocol that features prominently in the CCIE Voice and CCVP exam blueprints (as well as the real world!) is the Media Gateway Control Protocol (MGCP). MGCP is a master-slave protocol that involves a Media Gateway Controller (MGC, the master) and Media Gateways (MGs, the slaves).
MGCP is often used in Cisco Unified Communications Manager / CallManager (UCM/CCM) networks, with UCM/CCMs functioning as the MGCs that control voice gateways (MGs).
Read more
Last time I gave a high level overview of SIP and also took a look at SIP network element types. This time, I'll be looking at SIP message and method types, and describing how SIP network elements communicate. If you can't remember the SIP network elements that I described last time, it's probably a good idea to take a quick look at my last post.
There are two overall types of SIP message:
Requests: a SIP request is sent from SIP clients (UACs, such as SIP phones) to SIP servers. Requests are used to invoke certain operations on the servers.
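Because SIP is text-based, the request/response distinction described here is visible in the first line of every message: a request starts with a method and a Request-URI, a response starts with the protocol version and a three-digit status code. The parser below is an added example, not code from the original post. It splits the two message types apart, expands the compact header names that RFC 3261 permits (so an "l:" Content-Length is not overlooked), unfolds continuation lines, and treats duplicate or non-numeric Content-Length headers as errors rather than guessing. The INVITE and 200 OK are constructed samples using the 192.0.2.0/24 documentation range and made-up tags and Call-ID:

```python
"""Minimal SIP message parser that separates requests from responses.

Added example for this post; it is not code from the original article.
The INVITE and 200 OK below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Compact header names allowed by RFC 3261 section 7.3.3.
COMPACT = {"v": "Via", "f": "From", "t": "To", "i": "Call-ID", "m": "Contact",
           "l": "Content-Length", "c": "Content-Type", "e": "Content-Encoding",
           "s": "Subject", "k": "Supported"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) (.*)$")
REQUIRED = ("to", "from", "cseq", "call-id", "via")   # RFC 3261 section 8.1.1


class SipParseError(ValueError):
    pass


@dataclass
class SipMessage:
    kind: str                          # "request" or "response"
    method: Optional[str] = None       # requests only
    uri: Optional[str] = None
    status: Optional[int] = None       # responses only
    reason: Optional[str] = None
    headers: Dict[str, List[str]] = field(default_factory=dict)  # lower-cased name -> values
    body: bytes = b""


def parse_sip(raw: bytes) -> SipMessage:
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise SipParseError("headers not terminated by an empty line")
    try:
        lines = head.decode("utf-8").split("\r\n")
    except UnicodeDecodeError as exc:
        raise SipParseError("header block is not valid UTF-8") from exc
    m = REQUEST_LINE.match(lines[0])
    if m:
        msg = SipMessage("request", method=m.group(1), uri=m.group(2))
    else:
        m = STATUS_LINE.match(lines[0])
        if not m:
            raise SipParseError(f"unrecognised start line: {lines[0]!r}")
        msg = SipMessage("response", status=int(m.group(1)), reason=m.group(2))
    unfolded: List[str] = []           # a line starting with SP/HT extends the previous one
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += " " + line.strip()
        else:
            unfolded.append(line)
    for line in unfolded:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise SipParseError(f"malformed header line: {line!r}")
        name = COMPACT.get(name.strip().lower(), name.strip()).lower()
        msg.headers.setdefault(name, []).append(value.strip())
    # Two Content-Length headers is an ambiguity that different elements could
    # resolve differently, so refuse it instead of picking one.
    lengths = msg.headers.get("content-length", [])
    if len(lengths) > 1:
        raise SipParseError("multiple Content-Length headers")
    if lengths:
        if not lengths[0].isdigit():
            raise SipParseError("non-numeric Content-Length")
        n = int(lengths[0])
        if len(rest) < n:
            raise SipParseError(f"body truncated: expected {n} bytes, got {len(rest)}")
        msg.body = rest[:n]
    else:
        msg.body = rest                # datagram transport: body runs to the end of the packet
    return msg


def missing_headers(msg: SipMessage) -> List[str]:
    """Mandatory headers that are absent (Max-Forwards is required in requests only)."""
    required = REQUIRED + (("max-forwards",) if msg.kind == "request" else ())
    return [h for h in required if h not in msg.headers]


def is_well_formed(raw: bytes) -> bool:
    try:
        return not missing_headers(parse_sip(raw))
    except SipParseError:
        return False


SAMPLE_INVITE = (
    b"INVITE sip:bob@example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    b"Max-Forwards: 70\r\n"
    b"To: Bob <sip:bob@example.com>\r\n"
    b"From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Contact: <sip:alice@192.0.2.10>\r\n"
    b"Content-Type: application/sdp\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"v=0\r\n"
)
SAMPLE_OK = (
    b"SIP/2.0 200 OK\r\n"
    b"v: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    b"t: Bob <sip:bob@example.com>;tag=a6c85cf\r\n"
    b"f: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    b"i: a84b4c76e66710@192.0.2.10\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"l: 0\r\n"
    b"\r\n"
)
```

Note that the response carries the same Via branch, From tag, Call-ID and CSeq as the request; that is how a UAC matches a response to the request it sent, and it is why a filter that only looks at long-form header names will mis-classify a perfectly valid message that uses the compact forms.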
Read more
Since I posted on the subject of passing the CCIE Voice exam, I have had a number of requests to blog some more on some of the individual CCIE Voice exam objectives. So, in response to these requests, I'll be posting on these objectives starting with telephony protocols. If you are currently studying for your CCVP exams rather than CCIE Voice, you'll also find a lot of useful information here.
There are a number of telephony protocols including the Session Initiation Protocol (SIP), Media Gateway Control Protocol (MGCP), H.323, and the Skinny Client Control Protocol (SCCP). I am going to start this series of blog posts by taking a look at SIP.
Read more
Since Cisco announced the Nexus 7000, I have seen and heard quite a lot of criticism of NX-OS, often on the basis that it will force engineers to learn a whole new CLI. But Cisco believe that NX-OS is 'IOS-like', and that engineers have nothing to worry about. So, what's the truth?
I've had access to NX-OS for a few weeks now, and initially at least I had no manuals. I decided to test just how 'IOS-like' NX-OS is.
My rough-and-ready test consisted of using standard IOS commands to configure a wide variety of layer-2 and layer-3 features and functions. In this blog post, I'll share a small but representative sample - just enough to get the flavor of NX-OS.
Read more
As I mentioned last time, L2TPv3 has a plethora of capabilities: it can be used for remote access VPNs, it can transport a number of Layer-2 protocols in a pseudowire configuration, it can carry MPLS Layer-3 VPN traffic, and it can transport IPv6 over an IPv4 backbone network.
In this blog post, I am going to focus on the most popular application for L2TPv3 - pseudowires.
The first question to answer in regard to L2TPv3 pseudowire configuration is, 'What is a pseudowire?'. As I mentioned briefly last time, a pseudowire is simply an emulated circuit. By using L2TPv3, it is possible to extend a number of layer-2 circuit types over an IP backbone network.
Read more
L2TPv3 has been around for a while now, but it seems to be one of those things that not too many people know about.
Typically, when I raise the subject of L2TPv3, I get one of the following reactions:
'L2TPv3 pseudowhat?'
'Nobody uses that anymore - it's obsolete, isn't it?'
'That's a good solution for tunnelling PPP, but we're talking about Ethernet.'
So, for those who aren't really aware of L2TPv3 or what it can do, I thought I'd blog a little on the subject.
The first thing to say about L2TPv3 is that it is not L2TPv2, but it is based on L2TPv2. And the first thing to say about L2TPv2 is that it is neither L2F nor PPTP, but it is based on both of those protocols.
Read more
I don't know if anyone noticed, but Cisco and Juniper announced some new switches a few days ago. Anyway, Network World has asked me to comment on these switches, so here are some initial thoughts.
Cisco and Juniper have been going at each other all-guns-blazing for years in the service provider market, but until now there have only been limited skirmishes in the enterprise market. Now that Cisco has announced its Nexus switching platform, and Juniper has finally unveiled its EX switches, I think it is safe to say that we can expect renewed and greatly intensified hostilities in the enterprise market.
So, how do Cisco's Nexus and Juniper's EX switches compare?
Read more
Well, I’ve finally resurfaced after a hectic few weeks (sorry about the delay).
The nice people at Network World have persuaded me - I’m here to stay! As I rove from client site to client site and deal with a variety of technical challenges, I’ll be blogging (some more) on VPNs, IP telephony, and many other subjects. And I’ll be offering some advice on best practice.
Read more
Last time I looked at some important questions to ask when selecting a site-to-site VPN protocol or technology. This time I will discuss some of the important questions to ask when choosing a remote access VPN.
Read more
One of the most common questions that I am asked is what type of VPN an organization should deploy. So, in the hope that it will save some people some time, I thought I’d just go through some of the most basic considerations when choosing a VPN protocol.
Let’s suppose you’ve decided to deploy a VPN to connect your organization’s/customers’ sites (a site-to-site VPN). But you are not sure which VPN technology and type you should deploy – should it be IPsec, MPLS layer-3, MPLS layer-2, L2TPv3-based, or another technology?
Read more
In my last blog post, I recommended a number of ways to avoid the first five of my top ten reasons why IPsec VPNs fail. As promised, in this blog post, I'll finish this particular topic by explaining how to avoid the final five in my top ten, as well as describing one or two other things to look out for.
So, straight to it:
Read more
Well, based on a number of emails I have received, some people were quite surprised to learn in my first blog post that poorly designed and configured IPsec VPNs are vulnerable not only to the NSA and GCHQ, but also to pretty much anyone with minimal technical skills and the ability to read instructions.
So I thought I'd follow up over the next couple of blog posts with a few recommendations to help you avoid the pitfalls that I described in my previous post.
1. Use of weak pre-shared keys:
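A weak IKE pre-shared key matters more than a weak password on most systems, because with IKEv1 aggressive mode the responder's PSK-derived hash can be captured from the first exchange and attacked offline at leisure; nothing else then stands between the attacker and your tunnels. The check below is an added example, not code from the original post: it scores a candidate PSK against a small policy (minimum length, character-class diversity, a short list of words that turn up in lab and default configs, and a repetition check) and generates replacement keys from the OS CSPRNG. The thresholds and the word list are assumptions chosen for illustration, not values the post prescribes, and the entropy figure is deliberately an upper bound:

```python
"""Pre-shared key hygiene for IKE/IPsec: reject weak PSKs, generate strong ones.

Added example for this post; it is not code from the original article.
MIN_LENGTH, MIN_CHAR_CLASSES and WEAK_WORDS are illustrative assumptions.
"""
import math
import secrets
import string

MIN_LENGTH = 20            # assumed policy: long enough to defeat offline brute force
MIN_CHAR_CLASSES = 3       # assumed policy: lower/upper/digit/punctuation classes present
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
# A few strings that recur in default and lab configurations; a real deployment
# would check against a proper wordlist.
WEAK_WORDS = ("cisco", "password", "secret", "ipsec", "vpn", "admin", "12345678", "qwerty")


def psk_problems(psk: str) -> list:
    """Return the policy violations found; an empty list means the PSK passes."""
    problems = []
    if len(psk) < MIN_LENGTH:
        problems.append("short")
    classes_present = sum(any(c in cls for c in psk) for cls in CLASSES)
    if classes_present < MIN_CHAR_CLASSES:
        problems.append("low-diversity")
    lowered = psk.lower()
    if any(word in lowered for word in WEAK_WORDS):
        problems.append("dictionary")
    if len(set(psk)) * 3 < len(psk):          # e.g. "aaaaaaaa..." or "abababab..."
        problems.append("repetitive")
    return problems


def entropy_bits_upper_bound(psk: str) -> float:
    """Crude upper bound: assumes each character was drawn uniformly from the
    union of the character classes present. Human-chosen keys score far lower."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in psk))
    return len(psk) * math.log2(pool) if pool else 0.0


def generate_psk(nbytes: int = 32) -> str:
    """nbytes of OS CSPRNG output as URL-safe base64 (43 characters for 32 bytes).

    Regenerates in the vanishingly rare case that the random output happens to
    trip the policy (e.g. an accidental dictionary substring), so the result
    always passes psk_problems().
    """
    while True:
        psk = secrets.token_urlsafe(nbytes)
        if not psk_problems(psk):
            return psk


if __name__ == "__main__":
    for candidate in ("cisco123", generate_psk()):
        print(f"{candidate!r}: problems={psk_problems(candidate)}, "
              f"entropy<={entropy_bits_upper_bound(candidate):.0f} bits")
```

Used as a pre-commit or config-audit check, the interesting output is the non-empty list: any hit on "dictionary" or "repetitive" is a PSK that offline cracking tools will recover quickly regardless of its length.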
Read more
As an independent consultant, I am often asked to be a ‘fresh set of eyes’ and perform a network assessment. This sometimes involves an examination of an IPsec VPN.
Read more
Mark Lewis (CCIE#6280) is an independent consultant who helps service provider and large enterprise clients design and implement leading-edge technologies. Over the last couple of years, Mark has designed and implemented a variety of large-scale technology solutions including VPN, MPLS, QoS, data center, and IP telephony. Mark is the author of three books for Cisco Press: Comparing, Designing, and Deploying VPNs, Troubleshooting Virtual Private Networks, and CCIE Voice Exam Quick Reference Sheets.