I discovered my passion and overall awe for Network Engineering in 1998. My manager at the time showed me how he was able to copy files from one machine to the other over 10Base2 (Thin Net) connections. He later put me in charge of converting the network from Thin Net to 10BaseT Ethernet using Allied Telesyn and Madge Network hubs. I have a love for what I do, and have enjoyed every aspect of my career. I relish meeting new people, sharing my knowledge with others, directing my network team, as well as the path my firm takes with regard to network technologies, product offerings and solutions. My current position allows me to leverage my experience to ensure that our network solutions and offerings meet our clients' budgetary needs, satisfy their ROI requirements, and lastly, leave our clients satisfied that they have chosen the right partner for their network needs. I am trained in the fine art of analyzing, assessing, designing, scaling, selling, building and maintaining small to enterprise-scale computer networks. My background is in Cisco LAN/WAN networking, but I can and have worked in vendor-agnostic environments. My skill set includes switching, routing, security (firewalls/IPS/IDS/VPN/authentication/TrustSec/MACsec/ISE/etc.), wireless (lightweight and autonomous), and WAN acceleration. I am Cisco Meraki CMNA Certified, CCNA Certified, CCNP Certified, CCNA Wireless Certified, CCNA Security Certified, CompTIA Network+ Certified and was made a Cisco Champion in 2019.
Cisco has FINALLY heard us! The purveyors and champions of the small-to-medium business market have produced the first match to the Cisco ASA5505. First they gave us the 5506 and we were all upset about the fact that the ports were NOT switched. Well, with this we can run ASA and FTD code, join it to FMC, and coming in 6.5 code we can get 650Mbps of IPS traffic throughput on this baby! This fills a HUGE hole in the market. I'm so happy to see this. What are your thoughts???
I recently used the bridge group function on 9.7. It made me so upset. I made one bridge group, and I had to make an if-name for every physical interface in the one bridge group. It's crazy; I had to have a separate NAT statement for each interface. It's a HORRIBLE and HORRIFIC implementation of L2 on the firewall. I'm so disappointed by Cisco. After 2+ years of complaining, this is the hot mess we get.
I attended the NY Networkers last month and cornered the Security guys.
Right now, L2 on the 5506 is in beta. They are not giving us switching capabilities on the 5506. They are going to give us bridge group capabilities.
I was hoping for a switchport / no switchport type of configuration. I think that's more of Cisco not listening to its smaller customers, and the different Cisco business units not communicating with each other. I think they are rebuilding something that other Cisco business units have already built.
Cisco has no intention of meeting our request to add switching functionality to the 5506. They have not found the 5506 or 5508 lines to be worth the re-engineering time required. The SMB space, which notoriously used the 5505 line of ASAs, was not considered a factor in the decision making; the features Cisco developed and added for the larger-scale companies were more important, as those companies purchase in quantity. Guys, this decision Cisco made was purely a sales/monetary decision and not technical. Think about it: the time that this thread has been open is more than enough time to add the "switchport" command and other related capabilities to the 5506 ASAs. It comes down to money, and the clients that use the 5506 and 08 are not as important fiscally as the significantly larger firms on the larger platforms.
Cisco's big fail, is Palo Alto's big win....
I have been an AIRconsole user for 2 years; I own a Standard and an XL version. This device is so simple and easy to use, and a must-have for any network engineering consultant. No need to sit in that cold data center, no need to patch your console cable to a nearby office. Bluetooth, wifi, and bridging make this a true networking Swiss Army knife.
I'm going to be honest: I am a Cisco person, I have been drinking the Cisco Kool-Aid for years and years. When it comes to Cisco's ASA product offerings, I have become so disheartened by the lack of attention the SMB and medium-sized businesses have been receiving. When I talked to the Cisco Security Products engineers at the World of Solutions, and explained to them how lacking the 5506 is, they didn't even realize there was a business use case for the switch ports on a 5505. Cisco is focusing its efforts on the high-end products, and the people who really build their user communities are left high and dry.
I started deploying a few Palo Alto firewalls, because the ASA is missing so much, and I've actually found myself happier. Licensing is a PAIN (more than Cisco), but once you get the hang of it, the licensing is a no-brainer. I hate to say it, but the ASA is losing ground.
I work for a firm that performs solution deployments and maintenance services. I was one of the first people at Cisco Live 2012 excited to experience Cisco Converged Wireless. I have been feeling its pain as it's been growing over the years. Every deployment had issues:
Access Points joining and disjoining controllers randomly,
users associating and dissociating randomly,
SSIDs randomly appearing and disappearing.
Instances where users won't get DHCP addresses until associated for about 30 to 50 seconds.
Issues with the captive portal dropping the user to a non-existent page: SR 637469071, you have to turn off the captive portal.
The default web page is a blank page with username and password on it; there's no default generic Cisco-logo-type page like in AireOS.
My favorite is the lack of documentation on generating a CSR and applying a certificate to the WEBAUTH portal, SR 637450199. TAC provides you instructions from the AireOS documentation, as there is no specific IOS-XE documentation. The last TAC guy I worked with (who was awesome, by the way) gave me a document, written by a customer, who wanted to help others with the LACK of documentation in this area.
The command: wireless mgmt-via-wireless
This was recently added to IOS-XE; the idea is, you run the command and it allows wireless users to SSL or HTTP/HTTPS to the switch. It seems so simple. (I was eventually told it's a Cisco command that's under development and is not supported. The command exists in AireOS.) It's just another buggy Cisco innovation that already exists. This feature should have been available on Converged Wireless since its inception, but now that it's here, it only works sometimes. What I've found is that even when this feature is turned on to allow wireless users to manage the switch, wireless users cannot access the switch until you turn it off again and turn it back on a few times. If you reboot the switch, it's a 50/50 chance that it will be off again, even if it's still enabled in the config. SR 637368821
I just want to end with: I have high hopes for this product and hope that Cisco puts a bit more effort into its development, to bring both AireOS and Converged Wireless to equivalent offerings.
I attended Cisco Live this year, and met Eric Kostlan and another engineer on the design team for these FWs from Cisco. When I talked to them, they couldn't get past the use case scenarios we are all bringing up here. It almost seemed as if they were focused on enterprise rather than the "small business" use cases the original 5505 seemed to fit into perfectly. Enterprise won't use a 5506, so why make these ports routed ports? It's interesting that Eric said the words "course correction"; they gave me the same rhetoric. Whatever "course correction" means in Cisco world, I'm waiting on the "no switchport" command to be released so we can get past all this. Also, not to hijack this thread, but I pinned them against the wall with regard to L7 PBR (e.g., if Facebook go ISP 2, if business-critical traffic go ISP 1). I told them lower-end competitors, e.g. SonicWall, WatchGuard, Fortinet, all do this on box (Hell, the Cisco WLC can even do it), so why can't the ASA55xx?
I recently installed WLC 7.5 and began a basic Web Auth customization. I performed my usual CLI commands to upload my image, when I found a new option, transfer download datatype icon. I tried uploading a small image to see what it would change, and I didn't see anything in particular. Does anyone know what this changes? (No, it did not change the Cisco logos anywhere in the GUI, at least that I could see.)

(Cisco Controller) >transfer download datatype ?
code            Download an executable image to the system.
config          Download Configuration File.
eapcacert       Download a eap ca certificate to the system.
eapdevcert      Download a eap dev certificate to the system.
icon            Download an executable image to the system.
image           Download a web page logo to the system.
ipseccacert     Download a IPSec ca certificate to the system.
ipsecdevcert    Download a IPSec dev certificate to the system.
login-banner    Download controller login banner. (Only Text file supported: Max 1500 bytes & 18 lines, Non printable characters not supported)
signature       Download a signature file to the system.
webadmincert    Download a certificate for web administration to the system.
webauthbundle   Download a custom webauth bundle to the system.
webauthcert     Download a web certificate for web portal to the system.
I solved this problem. Cisco TAC did not find the answer at all, even after 4 months. I found the answer to my problem at Cisco Live, when I sat down for lunch with an engineer, Arkaidy Shapiro, the Nexus Technical Marketing Engineer. The resolution was that I was incorrectly redistributing EIGRP into BGP. I used the EIGRP process number in the command (redistribute eigrp 2211 route-map vrf-Tenant1); I should have used the EIGRP process name "Clients" (from "router eigrp Clients"). So the command should have been (redistribute eigrp Clients route-map vrf-Tenant1).
Anyone, I have had a TAC case open on this for at least a month and a half. I am trying to perform route leaking in a multi-tenant environment on a Cisco N5K running the "Route Leaking Capable" version of code 6.0(2)N1(1), released earlier this year. I've got it working where local networks are being advertised from the Tenant1 VRF to the SharedVoice VRF and vice versa, but learned routes within the Tenant1 VRF are not being distributed to the SharedVoice VRF. For example, Tenant 1 runs EIGRP within their VRF, and that VRF is learning routes from their remote office. I need to leak those learned routes into the shared VRF. TAC and I are getting nowhere fast. Any help would be appreciated. Here is what I can give. In the example below, Tenant 1 is learning 10.128.5.0/24 and .6.0/24 in EIGRP, but those learned routes never make it into the SharedVoice VRF routing table.

vrf context vrf-Tenant1
  ip route 0.0.0.0/0 Vlan2211 172.22.11.254
  ip route 172.24.251.0/24 Vlan2211 172.22.11.254
  address-family ipv4 unicast
    route-target import 65000:2201
    route-target export 65000:2211
vrf context vrf-SharedVoice
  ip route 0.0.0.0/0 Vlan2201 172.22.1.254
  address-family ipv4 unicast
    route-target import 65000:2211
    route-target export 65000:2201

route-map rm-BgpToEigrp-Clients permit 10
  match as-number 65000
  set metric 100000 1 255 1 1500

ip prefix-list pl-vrf-Tenant1 seq 10 permit 10.128.5.0/24
ip prefix-list pl-vrf-Tenant1 seq 15 permit 10.128.6.0/24
route-map rm-vrf-Tenant1 permit 10
  match ip address prefix-list pl-vrf-Tenant1

ip access-list acl-SharedVoice-StaticToEigrp
  10 permit ip any any
route-map rm-acl-SharedVoice-StaticToEigrp permit 10
  match ip address acl-SharedVoice-StaticToEigrp

interface Vlan2201
  description SharedVoice Production Vlan
  no shutdown
  vrf member vrf-SharedVoice
  no ip redirects
  ip address 172.22.1.2/24
  ip router eigrp Clients
  hsrp version 2
  hsrp delay reload 120
  hsrp 2201
    preempt delay minimum 30
    priority 110
    timers 1 5
    ip 172.22.1.1

interface Vlan2211
  description Tennant 1 Production Vlan
  no shutdown
  vrf member vrf-Tenant1
  no ip redirects
  ip address 172.22.11.2/24
  ip router eigrp Clients
  hsrp version 2
  hsrp delay reload 120
  hsrp 2211
    preempt delay minimum 30
    priority 110
    timers 1 5
    ip 172.22.11.1

router eigrp Clients
  vrf vrf-Tenant1
    autonomous-system 2211
    redistribute bgp 65000 route-map rm-BgpToEigrp-Clients
    maximum-paths 1
    address-family ipv4 unicast
      router-id 172.22.11.2
  vrf vrf-SharedVoice
    autonomous-system 2201
    redistribute static route-map rm-acl-SharedVoice-StaticToEigrp
    redistribute bgp 65000 route-map rm-BgpToEigrp-Clients
    maximum-paths 1
    address-family ipv4 unicast
      router-id 172.22.1.2

router bgp 65000
  vrf vrf-Tenant1
    address-family ipv4 unicast
      network 172.22.11.0/24
      redistribute eigrp 2211 route-map vrf-Tenant1
  vrf vrf-SharedVoice
    router-id 172.22.1.2
    address-family ipv4 unicast
      network 172.22.1.0/24
      redistribute direct route-map rm-vrf-SharedVoice

sho ip route vrf vrf-Tenant1
IP Route Table for VRF "vrf-Tenant1"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

0.0.0.0/0, ubest/mbest: 1/0
    *via 172.22.11.254, Vlan2211, [1/0], 4w1d, static
10.128.5.0/24, ubest/mbest: 1/0
    *via 172.22.11.253, Vlan2211, [90/38912], 2w2d, eigrp-Clients, internal
10.128.6.0/24, ubest/mbest: 1/0
    *via 172.22.11.253, Vlan2211, [90/38912], 2w2d, eigrp-Clients, internal
172.22.1.0/24, ubest/mbest: 1/0, attached
    *via 172.22.1.2%vrf-SharedVoice, Vlan2201, [20/0], 4w1d, bgp-65000, external, tag 65000
172.22.11.0/24, ubest/mbest: 1/0, attached
    *via 172.22.11.2, Vlan2211, [0/0], 4w1d, direct
172.22.11.1/32, ubest/mbest: 1/0
    *via 172.22.11.1, Vlan2211, [0/0], 1w6d, hsrp
172.22.11.2/32, ubest/mbest: 1/0, attached
    *via 172.22.11.2, Vlan2211, [0/0], 4w1d, local
172.24.251.0/24, ubest/mbest: 1/0
    *via 172.22.11.254, Vlan2211, [1/0], 4w1d, static
172.24.252.0/24, ubest/mbest: 1/0
    *via 172.22.11.252, Vlan2211, [90/77056], 4w1d, eigrp-Clients, internal
172.24.253.0/24, ubest/mbest: 1/0
    *via 172.22.11.253, Vlan2211, [90/38656], 4w1d, eigrp-Clients, internal

sho ip route vrf vrf-sharedVoice
IP Route Table for VRF "vrf-SharedVoice"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

0.0.0.0/0, ubest/mbest: 1/0
    *via 172.22.1.254, Vlan2201, [1/0], 4w1d, static
172.22.1.0/24, ubest/mbest: 1/0, attached
    *via 172.22.1.2, Vlan2201, [0/0], 4w1d, direct
172.22.1.1/32, ubest/mbest: 1/0
    *via 172.22.1.1, Vlan2201, [0/0], 1w6d, hsrp
172.22.1.2/32, ubest/mbest: 1/0, attached
    *via 172.22.1.2, Vlan2201, [0/0], 4w1d, local
172.22.10.0/24, ubest/mbest: 1/0, attached
    *via 172.22.10.2%vrf-Tenant2, Vlan2210, [20/0], 00:36:02, bgp-65000, external, tag 65000
172.22.11.0/24, ubest/mbest: 1/0, attached
    *via 172.22.11.2%vrf-Tenant1, Vlan2211, [20/0], 00:41:02, bgp-65000, external, tag 65000
172.22.12.0/24, ubest/mbest: 1/0, attached
    *via 172.22.12.2%vrf-Tenant3, Vlan2212, [20/0], 00:36:36, bgp-65000, external, tag 65000
172.22.13.0/24, ubest/mbest: 1/0, attached
    *via 172.22.13.2%vrf-Tenant4, Vlan2213, [20/0], 00:37:16, bgp-65000, external, tag 65000
172.22.99.0/24, ubest/mbest: 1/0, attached
    *via 172.22.99.2%vrf-Tenant5, Vlan2299, [20/0], 00:37:49, bgp-65000, external, tag 65000

Thanks in advance for your help!
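An added configuration check for the route-leaking case above, written here as example code (not from the post and not a Cisco tool): on NX-OS the EIGRP instance is selected by the tag on "router eigrp <tag>", so "redistribute eigrp 2211" under BGP names a process that does not exist, which is exactly what the resolution post fixed by using "redistribute eigrp Clients". The script walks a constructed excerpt of that config, flags every BGP "redistribute eigrp" whose tag matches no configured EIGRP process, and suggests the process whose autonomous-system number in that VRF matches the bad tag.

```python
import re
# Constructed excerpt modelled on the config in the post above: the EIGRP
# process is tagged "Clients" (with per-VRF autonomous-system numbers),
# while the BGP VRF redistributes "eigrp 2211", the AS number, not the tag.
SAMPLE_CONFIG = """\
router eigrp Clients
  vrf vrf-Tenant1
    autonomous-system 2211
  vrf vrf-SharedVoice
    autonomous-system 2201
router bgp 65000
  vrf vrf-Tenant1
    address-family ipv4 unicast
      redistribute eigrp 2211 route-map vrf-Tenant1
"""

def _walk(config):
    # Yield (section, tag, vrf, line) for each indented line of a
    # 'router eigrp <tag>' / 'router bgp <asn>' block; other sections skipped.
    section, tag, vrf = None, None, "default"
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():                      # new top-level section
            m = re.match(r"router (eigrp|bgp) (\S+)$", line)
            section, tag = (m.group(1), m.group(2)) if m else (None, None)
            vrf = "default"
        elif re.match(r"vrf \S+$", line):             # 'vrf <name>' stanza
            vrf = line.split()[1]
        elif section:
            yield section, tag, vrf, line

def check_eigrp_redistribution(config):
    # Return (vrf, bad_tag, suggested_tag) for every 'redistribute eigrp X'
    # under 'router bgp' whose X is not a configured EIGRP process tag: NX-OS
    # selects the instance by tag, so an AS number there selects nothing.
    processes = {}                          # tag -> {vrf: autonomous-system}
    for section, tag, vrf, line in _walk(config):
        m = re.match(r"autonomous-system (\d+)$", line)
        if section == "eigrp" and m:
            processes.setdefault(tag, {})[vrf] = m.group(1)
    findings = []
    for section, tag, vrf, line in _walk(config):
        m = re.match(r"redistribute eigrp (\S+)", line)
        if section == "bgp" and m and m.group(1) not in processes:
            hits = [p for p, v in processes.items() if v.get(vrf) == m.group(1)]
            findings.append((vrf, m.group(1), hits[0] if hits else None))
    return findings
```

Running check_eigrp_redistribution(SAMPLE_CONFIG) reports the Tenant1 VRF with bad tag "2211" and suggests "Clients"; after the line is corrected to "redistribute eigrp Clients" it reports nothing.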