cisco nxos route redistribution


wanted to redistribute some static routes into eigrp, this is handled differently in nxos.  all redistributes need to use a route map, easiest to populate the route map with a prefix list.

examine your static routes…

n7k1# sh run | inc "ip route "

ip route
ip route
ip route
ip route

create a prefix list of subnets you want into eigrp..

ip prefix-list examplestatic seq 15 permit
ip prefix-list examplestatic seq 20 permit
ip prefix-list examplestatic seq 25 permit

create a route-map, add your prefix-list to it…

route-map examplestaticmap permit 10
match ip address prefix-list examplestatic

add them to your eigrp instance…

router eigrp 14
 redistribute static route-map examplestaticmap

validate whether the routes showed up on your other routers; this is a downstream ios device:

2911#sh ip route
Routing entry for
  Known via "eigrp 14", distance 170, metric 52224, type external
  Redistributing via eigrp 14
  Last update from on GigabitEthernet0/0, 3w5d ago
  Routing Descriptor Blocks:
  *, from, 3w5d ago, via GigabitEthernet0/0
      Route metric is 52224, traffic share count is 1
      Total delay is 1040 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 255/255, minimum MTU 1492 bytes
      Loading 1/255, Hops 4, from, 3w5d ago, via GigabitEthernet0/0
      Route metric is 52224, traffic share count is 1
      Total delay is 1040 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 255/255, minimum MTU 1492 bytes
      Loading 1/255, Hops 4
2911#sh ip route | beg 10.20.10
D EX [170/52224] via, 3w5d, GigabitEthernet0/0
                       [170/52224] via, 3w5d, GigabitEthernet0/0

that’s it.  my examples show up twice because i did the redistribution on two n7ks.

Categories : geek

wedding shower


there was a pinata game.  the pinata was shaped like a baseball, but filled with sex toys.

nate ended up with it on his head.

Categories : events



I don’t like unions.

That said, I see no reason government should be allowed to tell people how they can organize. I find it hilarious a bunch of people who claim to be for small government, want government to be able to dictate how people can negotiate. Further, there shouldn’t have to be laws allowing people to collectively bargain. In a free society that’s like having laws allowing people to breath.

lab & test multicast


there’s a couple decent tools to lab & test multicast routing.  one is mcast.exe and the other is VLC.  the third, i suppose, is to join a cisco interface to a multicast group.  dan mentioned a fourth tool, nortel’s multicast hammer.

symantec endpoint protection 11 disabled broadcast & multicast by default.  you will need to disable this if you have it installed.  🙂

mcast.exe is a part of the windows 2003 resource kit.  in windows 7, you need to run your command prompt as administrator for it to work.  on the “source side”, all you need to specify is a source interface/ip-address and multicast group.  i usually test with more packets of obnoxious sizes.  🙂  overriding TTL gives you more testing options.

mcast /intf: /send /grps: /pktsize:65535 /numpkts:20000000000 /ttl:128

on the “destination side”, all you need to specify is a source interface/ip-address and multicast group.

mcast /intf: /recv /grps:

another way to test is with VLC.  i’ve tested this in 0.98 and 1.1.  it’s easier & faster from the command line than the GUI.  on the “source side”, you need to specify a destination multicast group, port, and override the default TTL of 1.

vlc -vvv c:\media\SomeShow.S02E03.720p.HDTV.x264-CTU.mkv –sout udp: –ttl 255 –loop

for the “destination side”, specify a multicast group and port to tune into

vlc udp://

i found an annoying nuance in VLC 1.1 or windows 7 for a client tuning into a multicast stream

vlc udp://@

last but not least, a cisco interface.

sw1(config-if)#do sh run int loopback 153
Building configuration...

Current configuration : 121 bytes
interface Loopback153
ip address
ip pim sparse-mode
ip igmp join-group

verify igmp memberships. maybe check pim rp if you’re up for it:

sw1#sh ip igmp groups
IGMP Connected Group Membership
Group Address Interface Uptime Expires Last Reporter Group Accounted Vlan2 3d02h 00:02:57 Loopback153 00:01:56 00:02:49 Vlan2 27w4d 00:02:52 Vlan2 1w1d 00:02:51 Vlan2 07:09:12 00:02:53 Vlan1 27w4d 00:02:52

Categories : geek



quotes of the day.

I contend that we are both atheists. I just believe in one fewer god than you do. When you understand why you dismiss all the other possible gods, you will understand why I dismiss yours.

– stephen f roberts


If they say “Just God. I only believe in the one God,” I’ll point out that they are nearly as atheistic as me. I don’t believe in 2,870 gods, and they don’t believe in 2,869.
– Ricky Gervais

zombie walk detroit


i attended zombie walk detroit 2010, especially since it was happening around my job.  🙂  there were 3-4 blocks of zombies walking around greektown, right around when the detroit lions ended.  there was complete chaos in the streets.







zombie robot

zombie robot? robot zombie?



there’s much more over here.

Categories : events  photography

poor, poor soul


someone with netware 4.1 still around..

cozumel anniversary trip


we went to cozumel for our five year anniversary. we took a bunch of friends and family with us. we swam, snorkeled, ate, read, toured, shopped, scootered, and relaxed.

highlight pictures below the cut.  rest of the pictures are over here.

Categories : events  photography

easter offensive


by artist Raoef Mamedov. seems you can find more work over here.

click the image for high-res.

thanks tmbo

Categories : OMG DUDA WTF

IronPort Web-Security and Cisco ASA 5500 series


Some nuances I figured out while setting up an IronPort Web-Security appliance with a ASA firewalls.  The how-tos I’ve seen online were a bit lacking.

It’s easiest to use WCCP to hand-off traffic to the IronPort WSA.  WCCP requires basically three things to function:  Which ACLs you want to redirect, where you want to redirect them to, and which WCCP ‘service’ you want to use:

  1. In ASDM, the standard ACLs can be edited in Firewall | Advanced | ACL Manager
  2. Create an ACL of IPs you want to (or not) redirect to your WSA.  Redirect only the TCP/UDP services you want sent to the WSA.  If you configure ip/any in the ACL, then all packets will get sent over to the WSA.  This seems to break ICMP.  Do this through the GUI or from the CLI.  Some http-based apps don’t like this redirection so putting a ‘deny’ at the top of the ACL works.
  3. Create another ACL of your IronPort WSAs.  I think these need to be on the same subnet as the WCCP is happening (multicast and all).  i didn’t try putting the WSA on a separate interface than the ASA, nor did i try it with multicast routing enabled between them either.
  4. Third, we need to configure the redirection, and which interfaces the ASA listens to for WCCP.  In the GUI, Device Management | Advanced | WCCP.  Create a Service Redirection first.  This binds which IPs get to which WSAs.  Leave it on Web Cache for the simplest configuration.  I tried setting a password but that seemed to break WCCP.  (See notes below)

    The ‘redirection’ binds which interface the ASA listens for WCCP on.
  5. Lastly, don’t forget to set up ACLs so your WSAs can access the internet
  6. configuring the WSA-end of things is straight forward.  following the instructions from the help menu is about all you need.


  • So far, I’ve only worked with the WSA 6.3.x code tree.
  • About policy matching:  Identity Polcy matches first.  Whether it’s IP or authentication based, first rule wins.  Take the matching Identity Policy that won and match it to the first Access Policy.  Then applications, URL categories, objects, etc.
  • As of ASA code 8.2.1, WCCP load balancing is only hash-based.  There’s no way to change it to (subnet) mask balancing.  if you need mask balancing, use an IOS-based device for now.
  • As of ASA code 8.2.1, any time you apply policy on the WSA (update access lists, identities, anything at all, really) you need to re-apply the service group (step 4); delete the policy, apply it.  create the policy and apply it.
  • The redirection password may be an issue with re-applying WSA policies.  We’re in production now so I haven’t taken it down to play.
  • If you use a ‘warning’ page for suspect URL categories (streaming media, social networking, etc) and you have hash-based load balancing, the users will get warned from each WSA you have load balanced
  • At this time, there’s no central management for multiple WSAs.  If you change policy on one WSA, you need to apply it to the other manually.
Categories : geek