ISE Upgrade Notes

Cisco ISE upgrades can be quite challenging, so here are some notes from when I was testing an ISE upgrade.

  • DNS server.
    ISE relies heavily on DNS, especially when you run more than one ISE node, and DNS names also matter once you start using certificates (the node certificates are tied to the hostnames). Make sure your DNS has correct forward and reverse entries for every ISE node.
  • Certificate Expiration.
    Make sure none of your certificates has expired when you perform the patch/upgrade.
  • Repository.
    I tried the built-in Mac OS X FTP, SFTP (SSH), Tftp Server, and TFTPD32 (Windows version) but for whatever reason none of them worked. I've been using those for IOS upgrades and they work just fine.
    I ended up using Filezilla Server on a Windows box and it worked fine, although I had to restart the FTP server and the Windows box a couple of times.
    You can check from the CLI on the ISE server whether the repository produces an error. If your repository works, you will see a file listing (note that TFTP has no file listing feature).

    FusionISE1/admin# show repository REP_FTP
    % Error reading directory on remote server
    FusionISE1/admin# show repository REP_FTP
  • Copy File to Local Disk.
    Since we are transferring a large file (>3 GB), it might get corrupted during the upgrade. Copy the file from the repository to local disk first, then perform the upgrade from there.
  • MD5 Checksum.
    I tried to download the upgrade file several times but always ended up with a wrong MD5 checksum. Then I used the Download Manager (Java applet from Cisco) and it finally had the correct checksum.
  • Read the Cisco Documentation.
    Cisco's documentation is a good resource on how to upgrade Cisco ISE. Make sure you read it (several times) before performing your upgrade, and also search for caveats for your ISE version.

It took me 10 hours to upgrade from 1.1 to 1.2 on a freshly installed single ISE server, but only 1 hour to upgrade from 1.2 to 1.3. This ISE was running in VMware Fusion on my MacBook Pro with minimum CPU/RAM. Your mileage may vary; good luck with your upgrade.

Backpack for Network Engineer

I had been using a Samsonite laptop backpack since 2008. It has just this little problem: there is no padding on the bottom corners of the laptop compartment. It was not really a big deal and I was quite happy with it, until I dropped it exactly on that corner. See the photo below and you'll know how bad it was.

I was quite lucky that it was only a cosmetic problem and didn't affect the screen or the internal components.

So I bought a Booq Taipan backpack a couple of weeks ago. It really didn't take me long to choose, as Booq has a good reputation and I'd been thinking of getting one.

I was not exactly happy with it, but I was busy and didn't want to spend much time doing a proper review of it.

It didn't take long for the upper handle to snap. I was quite surprised by Booq's quality, but I'm glad this happened so I got to buy a better one.

After considering that corner protection and the handle are important, I chose this Samsonite Viz Air Plus Backpack. Yes, it comes in black.

Image is courtesy from

Corner Protection.
There are three soft air pads, located on the bottom and at each corner. They are made from plastic and are roughly 1 cm thick.

Corner air pad on the bottom

Inside Look of The Air Pad.

Lots of pockets.
This bag offers plenty of pockets inside and on both sides. You can put a small water bottle in the holder on one side, just in case you're on a long night cut-over far away from drinkable water (who puts a water dispenser in a data centre anyway?), and there is a roomy compartment for your notes, cables, laptop adapter, and sandwiches for when you're travelling between back-to-back meetings over the lunch hour and didn't get a chance to stop for lunch. During the rainy season, when I have to walk in the city, the other side pocket can hold a small umbrella.

In either the inner or the outer pocket you can put your iPad or notebook. On the top there's a small pocket, roomy enough for the things you need quick access to.

Outer Pocket

Inner Pocket

Laptop Pocket

Sleeve for Roller Case.
It also has a sleeve at the back so you can slip the backpack over the handle of your roller case, just in case you're travelling by plane and the backpack is too heavy to run with between connecting flights. This is the difference between the Plus and non-Plus versions.

Sitting up or laying down.
One important feature to mention: you can stand this bag up. Without that option you have to lay the backpack down, and all of your stuff sits on top of your laptop. No matter how good the padding is, you'd better pray your laptop screen can handle the weight. It is also easier to pick up from the floor when it is standing, and you don't have to look for a wall or table leg to lean it against. Only the bottom gets dirty, not the back, so you don't have to worry too much when you put it back on. It also helps on a train, where you can put it down between your legs.

After what happened with the Booq backpack, I pay more attention to the handle. Samsonite made the handle quite substantial, so it's really comfortable to hold. It is made from a leather-like material (polyester), not just a ribbon band that gives you an uncomfortable grip. The handle looks securely stitched to the bag; I will let you know if it ever rips.

Cloth Lining.
This is either beneficial or annoying depending on your taste. I prefer a poly lining to cloth. The cloth is bright yellow and gets dirty easily. Polyester, on the other hand, provides similar protection (although it is not as soft) but is easier to clean.

The Look.
Sometimes I need to attend a business meeting in a suit. I can hand-carry this backpack and it doesn't make me look like a college graduate.

The Good.
+ Corner protection bumper.
+ Good handle.
+ Roomy bag with lots of pockets.
+ Sleeve.
+ Can be positioned sitting up.
+ Suitable for business meeting.

The Bad
– Cloth lining.

Very happy with most of the build. Samsonite has put good thought into creating a not-so-big laptop backpack that is actually quite roomy with lots of pockets. I only use a few of them, but I'm sure it can fit most of your daily routine.


If you're tasked with configuring an Internet router, what features/services would you usually put in? You most definitely need NAT for LAN-to-Internet address translation, an ACL to block unwanted traffic from the Internet into the LAN, and perhaps some router hardening by locking down unnecessary services and the management/control plane.

An Intrusion Prevention System (IPS) can be a good additional step to secure your Internet router (or even firewall), by giving the router some knowledge of whether incoming packets are harmful to your network.

Cisco has some very good documentation on how to configure Cisco IOS IPS including where to download the necessary files.

You will need at least IOS release 12.4(15)T3 and the IOS IPS signature package. Don't confuse it with the ASA IPS signatures: IOS IPS uses a different signature format than ASA IPS.

Some of you might want to try this on GNS3. Unfortunately, after several attempts, I could not make it work, so I used a real Cisco 1841 router. For those studying for CCNA Security, a $50 Cisco 1841 router can also be a good investment.
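Since the post itself does not show the configuration, here is a minimal IOS IPS (5.x signature format) setup as an added example; it is not from the original post or from Cisco's documentation. The flash directory, the rule name IOSIPS, the interface, the FTP server and the package file name IOS-Sxxx-CLI.pkg are assumptions; the public key is the one Cisco ships with the signature packages (realm-cisco.pub.key.txt) and must be pasted in place of the placeholder.

```cisco
! Added example, not from the original post. Assumed: flash:ips directory,
! IPS rule name IOSIPS, FastEthernet0/0 as the Internet-facing interface,
! FTP server 192.0.2.10 and package IOS-Sxxx-CLI.pkg (xxx = release number).
!
! 1. Directory on flash for the compiled signature database
mkdir flash:ips
!
configure terminal
! 2. Where IOS IPS stores its signature files; retry once if flash is busy
ip ips config location flash:ips retries 1
! 3. The IPS rule that gets applied to interfaces
ip ips name IOSIPS
! 4. Send alerts to syslog
ip ips notify log
!
! 5. Cisco's public key, used to verify the signature package's digital
!    signature. Paste the key-string block from realm-cisco.pub.key.txt.
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   <hex key material from realm-cisco.pub.key.txt>
   quit
 exit
exit
!
! 6. Retire every signature, then un-retire only the "ios_ips basic" set;
!    the basic category fits the memory of a small router such as the 1841.
ip ips signature-category
 category all
  retired true
 exit
 category ios_ips basic
  retired false
 exit
exit
!
! 7. Inspect traffic arriving from the Internet
interface FastEthernet0/0
 ip ips IOSIPS in
end
!
! 8. Load the signature package; it is verified against the key above and
!    compiled into flash:ips (this takes a few minutes on a 1841)
copy ftp://ftpuser:ftppass@192.0.2.10/IOS-Sxxx-CLI.pkg idconf
!
! 9. Verify the rule, the interface binding and the loaded signature count
show ip ips configuration
show ip ips signatures count
```

If step 8 fails with a signature verification error, the key in step 5 is the first thing to check; the package will not load without it.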

How to Fail CCIE Exam and Learn From It.

A note to myself.

Time flies!

It's been a little more than a year since I last wrote a post on my blog. Quite a few things have happened in my life and priorities have changed.

I decided to postpone my CCIE RS lab for some time after several failed attempts. No, I'm not giving up yet. It's just better for me and my family that I pause until we're sure I can dedicate myself to it.

After several failed attempts, things are clearer to me than before. If I could summarise these attempts in one sentence, it would be that I didn't pay enough respect to it.

It really took me some time to sit down, accept it and, most importantly, learn from it. Now I have even more respect for those who passed this exam, especially those who passed on their first attempt.

So, how can I learn from this?

Among the plethora of blogs and articles you may find, most are written by people who already passed the exam.

I'm putting some notes here on what I learned from it, so that someday I won't be relying on luck any more to pass it.

1. What’s the point?
Himawan spotted the first thing, in fact the most important thing, about this. You need to see the big picture and visualise what the benefit is for you. At the end of the day, if you can't see the end of this, you pretty much don't know where you're going.

Imagine that someday you get tired and ask yourself, "what's the point?" You have to be ready with an answer, whether you find it in your family, in yourself, or in trying to be someone else. There's no right or wrong answer, but it must be strong, or even crazy, enough to wake you up at 3am or keep you up until 3am for more than a few months! What's your point?

2. There’s no shortcut!
I'm not talking about cheating here; that's not my point at all. Yes, I've seen too many engineers with CCIE RS on their business cards who have no idea how things work. What frustrates me more is knowing that I know better than them but still cannot pass it. Those who understand my point here will know that I'm not bragging at all.

It's like running: you need a proper warm-up first to be able to run properly. The better you prepare, the longer you can run. Who would have thought that strengthening your hamstrings would help you run and move better? People see how fast or how long you run; what they don't see is that you've been training for months for that run. Biceps and abs are the preferred training because they give visible results, but training your hamstrings gives you a stronger foundation and prevents injury. You ought to be stronger instead of looking stronger.

3. Motivation Lies.

"We think that inspiration and enthusiasm are what we need to make it through the hard times in life, but it's not. It's resilience. And resilience happens when our hope becomes a muscle we call perseverance." – Erwin McManus.

I had lost sight of it somewhere and was losing its meaning, and I was searching for crumbs of motivation, inspiration, and enthusiasm that were long gone before I even realised. These things are feelings, and feelings lie. You will not be able to keep going when you only feel it's right or feel like doing it.

You will have problems in your family, at work, and probably with yourself. People will understand why you failed. But somewhere in other parts of the world there are more than 40,000 people who passed this exam despite their issues.

I learned that the people who pass this exam are the people who persevere even when they don't feel like it.

Tackle this with your consciousness and not your feelings, by making an honest plan. I've chatted with a 4x CCIE and he mentioned that he only studied 3 hours a day. That's less than what I've been doing, but he made it to four of them. Jot down your plan, keep track of it, and don't rely on your feelings.

There is definitely more advice you can get (and even better advice), but this one is for myself, the other I.

You will definitely be able to pass this if you're smart or strong. But for me this game is really not about how strong or smart you are; this game is for those who persevere.

Router ACL on SVI; Inbound or Outbound?

Just a little note on SVI access lists (or, as Cisco calls them, Router ACLs on SVIs).
Three routers are configured as below.

! R1

int f0/0
 ip addr
 no shut

router ospf 1
 net a 0
! R2
int vlan 100
 ip addr
int f1/0
 switchport mode access
 switchport access vlan 100
int f0/0
 ip addr

router ospf 1
 net a 0

! R3

int f0/0
 ip addr
 no shut

router ospf 1
 net a 0
ip http server

I'm testing the access list on the SVI with ICMP and HTTP from R1 to R3 and checking the matches on the ACL. I expect HTTP access to be denied and ICMP to be allowed.

The direction of the access list on the SVI (inbound or outbound) was tested as below.

! R2
Extended IP access list ACL
    10 deny tcp host host eq www
    20 permit ip any any (1 match)

int vlan 100
 ip access-group ACL out
! RESULT. ICMP and HTTP access are both OK

! R2
Extended IP access list ACL
    10 deny tcp host eq www host 
    20 permit ip any any (5 matches)

int vlan 100
 ip access-group ACL in

! RESULT. ICMP and HTTP access are both OK

! R2
Extended IP access list ACL
    10 deny tcp host eq www host (6 matches)
    20 permit ip any any 

interface Vlan100
 ip access-group ACL out

! RESULT. ICMP OK, HTTP access opened then timed out.
! R2
Extended IP access list ACL
    10 deny tcp host host eq www (3 matches)
    20 permit ip any any 

interface Vlan100
 ip access-group ACL in


Summary. The rule of thumb for the direction of an ACL on an SVI:

An ACL entry is always written as <source> then <destination>, while the direction keyword on the SVI is relative to the router, exactly as on a physical routed interface:

  • "ip access-group ACL out" applies to packets leaving the router through the SVI, i.e. going OUT TO the VLAN 100 access ports.
  • "ip access-group ACL in" applies to packets arriving at the router from the VLAN 100 access ports, i.e. going AWAY from VLAN 100 towards the router.

The counters above show exactly that: the deny with R1 as source only matches when the ACL is applied "in" (R1's requests enter the router from VLAN 100), and the deny with R3 "eq www" as source only matches when applied "out" (R3's replies leave the router towards VLAN 100).

As confusing as this can be, I prefer to use a VLAN access-map.
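Here is the same HTTP block done with a VLAN access-map (VACL), as an added example that is not part of the original post. A VACL is applied to every packet bridged or routed into or out of the VLAN, so the in/out question above disappears. The addresses (R1 = 10.0.100.1 in VLAN 100, R3 = 10.0.1.3 behind R2's routed port) are assumptions, and the configuration assumes a Catalyst platform that supports VACLs (e.g. 3560/3750); an ISR with a switch module may not.

```cisco
! Added example, not from the original post. Assumed addresses:
! R1 = 10.0.100.1 (VLAN 100), R3 = 10.0.1.3 (reached via R2 f0/0).
!
! Gotcha: inside a VACL the ACL only *selects* traffic, so the entry is
! "permit"; the drop decision is the access-map action, not the ACL.
ip access-list extended R1-TO-R3-HTTP
 permit tcp host 10.0.100.1 host 10.0.1.3 eq www
!
! Sequence 10: drop the selected HTTP flow (requests and replies alike,
! since the VACL sees both directions in the VLAN).
vlan access-map BLOCK-HTTP 10
 match ip address R1-TO-R3-HTTP
 action drop
! Sequence 20: everything else, including ICMP, is forwarded.
! Without this sequence the implicit deny of the VACL drops all other traffic.
vlan access-map BLOCK-HTTP 20
 action forward
!
! Bind the map to VLAN 100; no direction keyword exists here.
vlan filter BLOCK-HTTP vlan-list 100
!
! Verify the map and its binding
show vlan access-map BLOCK-HTTP
show vlan filter
```

Note that a VACL filters traffic between two hosts in VLAN 100 as well, which a router ACL on the SVI never sees; that is usually what you want on an access VLAN, but check it against your intent before deploying.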

Router Output Queue

Output Queue
For the egress direction, a router interface uses two queues. The first, like the input queue, is a software queue (the "Output queue" in show interface); the second is the hardware transmit ring (tx-ring). The default queueing mechanism for the software queue is FIFO, which can be changed to WFQ or CBWFQ, and its default depth is 40 packets.

Rack1R1#sh int e0/0 | i queue
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Output queue: 0/40 (size/max)
Rack1R1#sh int e0/0 | i Queueing
  Queueing strategy: fifo


Router Input Queue

Router interfaces CEF-switch packets by default. Packets that cannot be switched in that fast path and have to be handed to the process level (for example packets addressed to the router itself, or traffic the CPU is too busy to switch immediately) wait in the interface Input Queue. There is only one input queue per interface and its queueing mechanism is always FIFO. By default it holds at most 75 packets; this can be changed with hold-queue <value> in under the interface. If the input queue is full and the CPU still cannot switch the packets, new incoming packets are dropped and counted as input queue drops.

R1#sh int f0/0
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
R1#conf t
R1(config)#int f0/0
R1(config-if)#hold-queue 100 in
R1#sh int f0/0
  Input queue: 0/100/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo   ! This line is the OUTPUT queueing mechanism, not the input queue.


IPv6 no-advertise and no-autoconfig.

By default, every IPv6 prefix configured on an interface is advertised in Router Advertisements (RAs). The command ipv6 nd prefix <prefix/length> no-advertise stops that prefix from being advertised at all. The command ipv6 nd prefix <prefix/length> 14400 14400 no-autoconfig advertises the prefix (the two numbers are the valid and preferred lifetimes in seconds) with the A (autonomous address-configuration) flag cleared, so hosts still learn the prefix as on-link but do not use it for stateless address autoconfiguration.

This covers both scenarios: you want to keep a prefix out of RAs entirely (no-advertise), or you want to stop a specific prefix from being used for SLAAC while still announcing it (no-autoconfig).

In addition, once ipv6 unicast-routing is enabled, RAs are sent automatically only on Ethernet and FDDI interfaces (not on other interface types). ipv6 nd ra suppress suppresses the periodic unsolicited RAs but not the RAs sent in response to a Router Solicitation (RS); use ipv6 nd ra suppress all to suppress both.
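The three behaviours side by side, as an added example that is not part of the original post. Interface names and the 2001:db8::/32 documentation prefixes are assumptions; the managed-config-flag line is an addition beyond the post, for the case where SLAAC is turned off and hosts should use DHCPv6 instead.

```cisco
! Added example, not from the original post. Interfaces and prefixes assumed.
ipv6 unicast-routing
!
interface GigabitEthernet0/0
 ipv6 address 2001:db8:1::1/64
 ipv6 address 2001:db8:2::1/64
 ipv6 address 2001:db8:3::1/64
 ! 2001:db8:1::/64 keeps the defaults: advertised, A flag set (hosts do SLAAC)
 !
 ! 2001:db8:2::/64 is never advertised, so hosts do not learn it from RAs
 ipv6 nd prefix 2001:db8:2::/64 no-advertise
 !
 ! 2001:db8:3::/64 is advertised with valid = preferred = 14400 s and the
 ! A flag cleared: on-link for hosts, but not used for self-assigned addresses
 ipv6 nd prefix 2001:db8:3::/64 14400 14400 no-autoconfig
 !
 ! Assumed addition: set the M flag so hosts ask DHCPv6 for an address
 ipv6 nd managed-config-flag
!
interface GigabitEthernet0/1
 ipv6 address 2001:db8:ffff::1/64
 ! Transit link with no hosts: no periodic RAs and no replies to RS either
 ipv6 nd ra suppress all
!
! Verify: per-prefix lifetimes and flags, and the RA state of each interface
show ipv6 interface GigabitEthernet0/0 prefix
show ipv6 interface GigabitEthernet0/1
```

On the transit link, ipv6 nd ra suppress (without all) would still answer a host that sends an RS, which is enough for an unexpected device to learn the router and the prefix; on a link that should carry no hosts, suppress all is the setting to use.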


Notes for OSPF DR/BDR Peering priority

  • Higher priority value (0-255) wins the DR election; a priority of 0 makes the router ineligible to become DR or BDR.
  • Default value is 1.
  • Can be set via the neighbor command or the interface command.
  • The neighbor command sets the priority the local router assumes for that neighbor (NBMA networks), while the interface command sets the local interface's own priority. The two do not interfere with each other: one is for the neighbor, the other for the router's own interface.
  • If the local interface priority is set and the other router uses the neighbor priority command, the interface priority takes precedence, because the value carried in the router's own Hello packets is what the election uses.
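A hub-and-spoke NBMA network is where both commands meet, so here it is as an added example that is not part of the original post. On such a network the hub must be the DR, since the spokes cannot reach each other directly. Addresses, interface names and the Frame Relay encapsulation are assumptions.

```cisco
! Added example, not from the original post. Assumed: Frame Relay NBMA
! 10.1.1.0/24, hub = 10.1.1.1, spokes = 10.1.1.2 and 10.1.1.3.
!
! ---- HUB ----
interface Serial0/0
 ip address 10.1.1.1 255.255.255.0
 encapsulation frame-relay
 ip ospf network non-broadcast
 ! Highest possible interface priority: the hub wins the DR election
 ip ospf priority 255
!
router ospf 1
 network 10.1.1.0 0.0.0.255 area 0
 ! NBMA has no multicast Hellos, so neighbors are listed statically. The
 ! priority here is what the hub assumes for each spoke until it hears the
 ! spoke's own Hello; it does not change the spoke's configured priority.
 neighbor 10.1.1.2 priority 0
 neighbor 10.1.1.3 priority 0
!
! ---- SPOKE (10.1.1.2; the second spoke is identical with .3) ----
interface Serial0/0
 ip address 10.1.1.2 255.255.255.0
 encapsulation frame-relay
 ip ospf network non-broadcast
 ! Priority 0: this router is never eligible for DR or BDR, even if the hub
 ! reboots, which is the value that actually protects the topology
 ip ospf priority 0
!
router ospf 1
 network 10.1.1.0 0.0.0.255 area 0
 neighbor 10.1.1.1
!
! Verify from a spoke: the hub should show as FULL/DR and no BDR is elected,
! since only one router on the segment is eligible
show ip ospf neighbor
```

The point of the example is the last bullet above: the hub's neighbor ... priority 0 lines are only an assumption about the spokes, so without ip ospf priority 0 on the spokes themselves a spoke with a higher configured priority would still announce it in its Hellos and could win an election while the hub is down.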


You think you know DTP?

First, what's DTP? A look on Google will reveal quite a few (if not too many) articles about DTP. It's basically a protocol that negotiates whether a link should become a trunk or not. You might be aware that newer switches (e.g. 3560 onwards) have their ports set to dynamic auto by default.

3560(config)#do sh int f0/14 sw | i Administrative Mode
Administrative Mode: dynamic auto
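The security side of that default, as an added example that is not part of the original post: a port left at dynamic auto will form a trunk as soon as whatever is plugged into it sends DTP "desirable" or "on" frames, which is the starting point of VLAN-hopping attacks. Pin the mode and turn DTP off on every host-facing port, and on real trunks too. The interfaces and VLAN numbers are assumptions.

```cisco
! Added example, not from the original post. Interfaces and VLANs assumed.
!
! Host-facing port: force access mode and stop sending/answering DTP
interface FastEthernet0/14
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
!
! Real uplink: trunk explicitly, still with DTP off, and no VLAN 1 on it
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
! Verify: the access port must show "static access" and "Negotiation of
! Trunking: Off" instead of the default "dynamic auto"
show interfaces FastEthernet0/14 switchport | include Mode|Negotiation
```

switchport nonegotiate is only accepted on a port whose mode is already static (access or trunk); on a dynamic port the switch rejects it, which is a useful reminder that the mode has to be fixed first.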
