CCIE DC Attempt #1: Did Not Pass

Earlier this month, I drove my rental car up to Cisco’s infamous 150 Tasman Drive after being stuck on the 101 for about an hour. I checked in, sat down, and dug into my very first CCIE lab attempt. A bit over 8 hours later, I knew I didn’t pass, but I got a good feel for what the lab is like.

My preparation for the exam had been very unbalanced, working extensively with some parts of the blueprint, while other aspects of the blueprint I hadn’t really touched in over a year. So I was not surprised at all to see the “FAIL” notice when I got my score.

The good news is that I think with the right preparation on my weak parts, I can pass on the next attempt (which I haven’t yet scheduled, but will soon).

The following animated GIF is what it’s like to do parts of a CCIE lab exam that you haven’t prepared for.


CCIE Data Center Beta Written Results Are In! (351-080)

And Cisco probably couldn’t be happier that the results are finally in. It’s been more than 3 months since the beta closed, and after a few promises of “soon”, we finally got our results today. Over at the Cisco learning community message boards for CCIE DC, there was a virtual riot going on.

Guys? I think we’d better get those results posted…

Once I got word they were live on PearsonVUE, I logged in and…. I failed.

Smug Cisco Guy: Way to go, dumbass.

At least we got our results.

To find out your status, go to PearsonVUE, log into your account, and check your history. It’ll show the pass or fail. Beyond pass/fail, we have to await the score report to find out what our weak areas were. My guess is I was really weak on the 7K/5K stuff. I know I got all the ACE-related questions right, and most of the storage and UCS seemed pretty evident to me. I’ll have to wait and see, of course. I’ve scheduled a re-take for October 5th, so I’ve got some books to hit. Cue the montage…

Cisco ACE 101: Tony’s 5 Steps to a Happy VIP

I’ve been teaching Cisco ACE for over four years now, and I developed a quick trick/check list to teach students the minimum configuration to get a virtual service (VIP) up and running. And since the CCIE Data Center lab will soon be upon us, I’m sharing this little trick with you. I call it “Tony’s 5 Steps to a Happy VIP”. And here it is:

Step #1: ACL
Step #2: class-map: Defines the VIP address and port
Step #3: policy-map: Which server farm(s) do we send traffic to
Step #4: policy-map: Multi-match, will pair every class-map to its policy-map
Step #5: service-policy: Apply step #4 to the VLAN interface

Using that checklist, you can quickly troubleshoot/understand most ACE configurations. So what does that list mean?

First off, let’s define what a VIP even is: in load balancing terms, it refers to an IP address and TCP or UDP port combination. In that regard, it’s a bit of a misnomer, since VIP is an acronym for “Virtual IP”, which only implies an IP address. Depending on the vendor, a VIP may be called a “Virtual Server” or “Virtual Service”, although it’s most commonly referred to simply as a “VIP”. It’s whatever you point the firehose of network traffic at.

I’m not anti-GUI (in fact, I think the GUI is increasingly necessary in the network world), but in the case of the ACE (and CCIE DC) you’re going to want to use the CLI. It’s just faster, and you’re going to feel the need for speed in that 8 hour window. Also, when things go wrong, the CLI (and config file) is going to allow you to troubleshoot much more quickly than the GUI in the case of the ACE.

The CLI for Cisco ACE can be a little overwhelming. For some reason, Cisco decided to use the Modular QoS CLI (MQC) configuration framework. To me, it seems overly complicated. Other vendors have CLIs that tend to make a lot more sense, or at least are a lot easier to parse with your eyes. If you’re familiar with class-maps, policy-maps, and service-policies, the transition to the ACE CLI won’t be all that difficult; it works very much like setting up QoS. However, if you’re new to MQC, it’s going to be a bit of a bumpy ride.

How I felt learning MQC for the first time

The Configuration

Here is a very basic configuration for an ACE:

access-list ANYANY line 10 extended permit ip any any 

rserver host SERVER1
  ip address 192.168.10.100
  inservice
rserver host SERVER2
  ip address 192.168.10.101
  inservice
rserver host SERVER3
  ip address 192.168.10.102
  inservice

serverfarm host SERVERFARM1
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice
  rserver SERVER3
    inservice 

class-map match-all VIP1-80 
  2 match virtual-address 192.168.1.200 tcp eq http

class-map match-all VIP1-443
  2 match virtual-address 192.168.1.200 tcp eq https

policy-map type loadbalance first-match VIP1-POLICY
  class class-default 
    serverfarm SERVERFARM1 

policy-map multi-match CLIENT-VIPS 
  class VIP1-80
    loadbalance vip inservice 
    loadbalance policy VIP1-POLICY
  class VIP1-443
    loadbalance vip inservice
    loadbalance policy VIP1-POLICY

interface vlan 200 
  description Client-facing interface 
  ip address 192.168.1.10 255.255.255.0 
  access-group input ANYANY
  service-policy input CLIENT-VIPS 
  no shutdown
interface vlan 100
  description Server VLAN
  ip address 192.168.10.1 255.255.255.0
  no shutdown

Step #1: ACL

It’s not strictly part of the VIP setup, but you do need an ACL in place before a VIP will pass traffic. The reason is that the ACE, unlike most load balancers, is deny-all by default: without an ACL permitting it, no traffic passes through the ACE. (ACLs govern traffic through the ACE; access to the ACE itself for management is controlled separately, by a management class-map and policy-map, so a missing ACL won’t lock you out of the CLI.)

Many an ACE configuration problem has been caused by forgetting to put an ACL rule in. My recommendation? Even if you plan on using specific ACLs, start out with an “any/any” rule.

access-list ANYANY line 10 extended permit ip any any

And don’t forget to apply it to the interface facing the client (outside VLAN). On the ACE the direction keyword comes before the ACL name:

interface vlan 200
  description Client-facing interface
  ip address 192.168.1.10 255.255.255.0
  access-group input ANYANY
  service-policy input CLIENT-VIPS
  no shutdown

Once you get everything working, then you can nail down the ACL if required, although most people don’t, since there is likely a firewall in front of the ACE anyway (even Cisco’s example configurations typically only have an any/any rule). Keep in mind what that rule means, though: in routed mode the ACE will forward any permitted traffic its routing table can deliver, not just traffic to VIPs, so an any/any ACL on the client VLAN makes the ACE an open path to the server VLAN unless something in front of it does the filtering.

If you do use a more specific ACL, it’s often a good idea to switch back to any/any for troubleshooting. Put the more specific rule in place only when you’re sure your config works.

Step #2: class-map (VIP declaration)

The next step is to create a class-map that catches traffic destined for the VIP. Always match both an IP address and a single TCP or UDP port. I’ve seen configurations that match any port on a VIP address, and that is usually a really, really bad idea: every port the real servers happen to be listening on (management, database, whatever) becomes reachable through the VIP, and the only thing standing in the way is the ACL from step 1.

class-map match-all VIP1-80
  2 match virtual-address 192.168.1.200 tcp eq http

This defines a VIP with an address of 192.168.1.200 on port http (port 80). Even if you set up multiple ports on the same IP address, such as port 80 and 443, use different class-maps and configure them separately.

Step #3: policy-map (what do we do with traffic hitting the VIP)

Here is where the VIP is defined as either a Layer 4 VIP or a Layer 7 VIP. The example below is a simple Layer 4 VIP (the ACE is not aware of anything that happens above Layer 4). You can get a lot fancier in this section, such as sending certain matched traffic to one server farm, and other traffic to others, and/or setting up persistence. Again, this is the most basic configuration.

policy-map type loadbalance first-match VIP1-POLICY
  class class-default <-- This matches everything
    serverfarm SERVERFARM1 <-- And sends it all right here

Step #4: policy-map (round-up policy-map, pairs a VIP with a decision process, and all the pairs are joined into a single statement)

You will typically have multiple Step 2s and Step 3s, but they exist as independent declarations, so you need something to round them up in a single place and join them. Most configurations have only one multi-match policy-map; it is where you marry a Step 2 class-map to a Step 3 policy-map. In this example, two separate class-maps use the same policy-map (which is fine).

policy-map multi-match CLIENT-VIPS 
  class VIP1-80 <-- This VIP...
    loadbalance vip inservice 
    loadbalance policy VIP1-POLICY <-- ...sends traffic to this policy
  class VIP1-443 <-- This VIP...
    loadbalance vip inservice
    loadbalance policy VIP1-POLICY <-- ...sends traffic to this policy

Step #5: service-policy (apply the round-up to the client-facing interface)

Finally, for any of this to work, you’ll need to apply the Step 4 multi-match policy-map to a VLAN interface, the one that faces the client.

interface vlan 200
  description Client-facing interface
  ip address 192.168.1.10 255.255.255.0
  access-group input ANYANY <-- Step 1's ACL is applied
  service-policy input CLIENT-VIPS <-- Step 5's multi-match policy map is applied
  no shutdown <-- Don't forget the no shut!

Hope this helps with demystifying the ACE configuration. A short little check list can really help save time, especially in a time-constrained environment like a CCIE lab.

Po-tay-to, Po-ta-to: Analogies and NPIV/NPV

In a recent post, I took a look at the Fibre Channel subjects of NPIV and NPV, both topics covered in the CCIE Data Center written exam (currently in beta, take yours now, $50!). The post generated a lot of comments. I mean, a lot. Over 50 so far (and still going).  An epic battle (although very unInternet-like in that it was very civil and respectful) brewed over how Fibre Channel compares to Ethernet/IP. The comments look like the aftermath of the battle of Wolf 359.

Captain, the analogy regarding squirrels and time travel didn’t survive

One camp, led by Erik Smith from EMC (who co-wrote the best Fibre Channel book I’ve seen so far, and it’s free), compares the WWPNs to IP addresses, and FCIDs to MAC addresses. Some others, such as Ivan Pepelnjak and myself, compare WWPNs to MAC addresses, and FCIDs to IP addresses. There were many points and counter-points. Valid arguments were made supporting each position. Eventually, people agreed to disagree. So which one is right? They both are.

Wait, what? Two sides can’t be right, not on the Internet!

When comparing Fibre Channel to Ethernet/IP, it’s important to remember that they are different. In fact, significantly different. The only purpose of relating Fibre Channel to Ethernet/IP is to give people who already know Ethernet/IP a foothold in the world of Fibre Channel. Many (most? all?) people learn by building associations between known subjects (in our case Ethernet/IP) and lesser known subjects (in this case Fibre Channel).

Of course, any association includes its inherent inaccuracies. We purposefully sacrifice some accuracy in order to attain relatability. Specific details and inaccuracies are glossed over. To some, introducing any inaccuracy is sacrilege. To me, it’s being overly pedantic. Pedantic details are for the expert level. Using pedantic facts as an admonishment of an analogy misses the point entirely. With any analogy, there will always be inaccuracies, and there will always be many analogies to be made.

Personally, I still prefer the WWPN ~= MAC/FC_ID ~= IP approach, and will continue to use it when I teach. But the other approach I believe is completely valid as well. At that point, it’s just a matter of preference. Both roads lead to the same destination, and that is what’s really important.

Learning always happens in layers. Coat after coat is applied, increasing in accuracy and pedantic details as you go along. Analogies are a very useful and effective tool for learning any subject.

Cisco ACE: Insert Client IP Address

Source NAT (also referred to as one-armed mode) is a common way of implementing load balancers into a network. It has several advantages over routed mode (where the load balancer is the default gateway of the servers), most importantly that the load balancer doesn’t need to be Layer 2 adjacent to (on the same subnet as) the servers. Because the servers see each connection coming from the load balancer’s SNAT address, their replies come back to the load balancer no matter where it sits; as long as the SNAT address has bidirectional IP reachability to the servers, the load balancer can be anywhere. A different subnet, a different data center, even a different continent.

However, one drawback is that with Source NAT the client’s IP address is obscured. The server’s logs will show only the SNAT address(es).

There is a way to remedy that if the traffic is HTTP/HTTPS (for HTTPS the ACE has to terminate the SSL session, since it can’t insert anything into traffic it can’t read), and that’s by having the load balancer insert the true source IP address into the client’s HTTP request header. You can do it with the ACE by putting it into the load balance policy-map; “%is” is the ACE variable for the source IP of the connection.

policy-map type loadbalance http first-match VIP1_L7_POLICY
  class class-default
     serverfarm FARM1
     insert-http x-forwarded-for header-value "%is"

But that alone is not enough. There are two extra steps you need to take.

The first step is that you need to tell the web server to log the X-Forwarded-For header. For Apache, it’s a configuration file change (log `%{X-Forwarded-For}i` instead of `%h`). For IIS, you need to run an ISAPI filter.

The other thing you need to do is fix the ACE’s attention span. You see, by default the ACE has a short attention span. HTTP allows a client to make multiple requests on a single TCP connection (keep-alive), but by default the ACE will only evaluate/manipulate the first HTTP request in a TCP connection.

So your log files will look like this:

1.1.1.1 "GET /lb/archive/10-2002/index.htm"
- "GET /lb/archive/10-2003/index.html"
- "GET /lb/archive/05-2004/0100.html HTTP/1.1"
2.2.2.2 "GET /lb/archive/10-2007/0010.html"
- "GET /lb/archive/index.php"
- "GET /lb/archive/09-2002/0001.html"

The “-” indicates Apache couldn’t find the header, because the ACE didn’t insert it. The ACE did add the first source IP address, but every request after it in the same TCP connection was ignored.

Why does the ACE do this? It’s less work, for one, only evaluating/manipulating the first request in a connection. Since browsers will make dozens or even hundreds of requests over a single connection, this is a significant saving of resources. After all, most of the time when L7 configurations are used, it’s for cookie-based persistence. If that’s the case, all the requests in the same TCP connection are going to contain the same cookies anyway.

How do you fix it? By using a very ill-named feature called persistence-rebalance. This gives the ACE a longer attention span, telling the ACE to look at every HTTP request in the TCP connection.

First, create an HTTP parameter-map.

parameter-map type http HTTP_LONG_ATTENTION_SPAN
  persistence-rebalance

Then apply the parameter-map to the VIP in the multi-match policy map.

policy-map multi-match VIPsOnInterface
  class VIP1
    loadbalance vip inservice
    loadbalance policy VIP1_L7_POLICY
    appl-parameter http advanced-options HTTP_LONG_ATTENTION_SPAN

With that in place, the IP address shows up in all of the log entries.

1.1.1.1 "GET /lb/archive/10-2002/index.htm"
2.2.2.2 "GET /lb/archive/10-2003/index.html"
1.1.1.1 "GET /lb/archive/05-2004/0100.html HTTP/1.1"
2.2.2.2 "GET /lb/archive/10-2007/0010.html"
1.1.1.1 "GET /lb/archive/index.php"
2.2.2.2 "GET /lb/archive/09-2002/0001.html"

But remember, configuring the ACE (or any load balancer) is only half the job. You also need to tell the web server (Apache, Nginx, IIS) to use the header; none of them use X-Forwarded-For automatically. And when you do, treat it as input from the network: any client can send its own X-Forwarded-For, so the server should only honor the value the load balancer added (the right-most one), and only on connections that actually arrive from the load balancer’s SNAT addresses. Without persistence-rebalance this matters even more, since requests after the first in a connection carry whatever the client put in the header, not what the ACE inserted.
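As an added example (not the post’s code and not ACE code), here is the server side of that: a function that extracts the client address from X-Forwarded-For the safe way, trusting the header only on connections from the load balancer and only the entry the load balancer appended, plus a check that runs over Apache log lines like the ones above and measures the “first request only” gap. The trusted proxy range, the Apache LogFormat (`LogFormat "%{X-Forwarded-For}i %r" xff`, which produces lines shaped like the post’s) and the log samples are assumptions constructed for the example.

```python
"""Server-side X-Forwarded-For handling (added example, not from the post)."""
import ipaddress
import re

# Where proxied connections come from: the ACE's SNAT address(es). Assumption.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.1.0/24")]
LOG_RE = re.compile(r'^(\S+) "[^"]*"')    # first field is %{X-Forwarded-For}i, '-' if absent


def client_ip(xff, peer, trusted=TRUSTED_PROXIES):
    """Return the address to treat as the client for one request.

    peer is the TCP source address (the ACE's SNAT address when proxied).
    Apache joins repeated X-Forwarded-For headers with ', ', so whether the
    load balancer appended to a client-supplied header or added a second
    one, its "%is" value is the right-most entry. Walk right to left and
    stop at the first address that is not a known proxy; anything the
    client pre-seeded sits further left and is never reached.
    """
    peer_addr = ipaddress.ip_address(peer)
    if not any(peer_addr in net for net in trusted):
        return str(peer_addr)             # direct connection: the header is untrusted input
    for hop in reversed([h.strip() for h in (xff or "").split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break                         # empty or garbage: fall back to the peer
        if not any(addr in net for net in trusted):
            return str(addr)
    return str(peer_addr)                 # header missing or only proxies listed


def xff_gap_report(log_text):
    """Count requests with and without an inserted address.

    Returns {'with': n, 'without': m, 'longest_gap': k}. One address followed
    by a run of '-' lines is the signature of a load balancer that only
    rewrites the first request of each keep-alive connection (the ACE
    default without persistence-rebalance). Those '-' requests are also the
    ones where a client-supplied header would have passed through untouched.
    """
    with_ip = without = run = longest = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m.group(1) == "-":
            without += 1
            run += 1
            longest = max(longest, run)
        else:
            with_ip += 1
            run = 0
    return {"with": with_ip, "without": without, "longest_gap": longest}


# Constructed samples mirroring the post's before/after log output.
LOG_BEFORE = """\
1.1.1.1 "GET /lb/archive/10-2002/index.htm"
- "GET /lb/archive/10-2003/index.html"
- "GET /lb/archive/05-2004/0100.html HTTP/1.1"
2.2.2.2 "GET /lb/archive/10-2007/0010.html"
- "GET /lb/archive/index.php"
- "GET /lb/archive/09-2002/0001.html"
"""
LOG_AFTER = """\
1.1.1.1 "GET /lb/archive/10-2002/index.htm"
2.2.2.2 "GET /lb/archive/10-2003/index.html"
1.1.1.1 "GET /lb/archive/05-2004/0100.html HTTP/1.1"
2.2.2.2 "GET /lb/archive/10-2007/0010.html"
1.1.1.1 "GET /lb/archive/index.php"
2.2.2.2 "GET /lb/archive/09-2002/0001.html"
"""
```

A `longest_gap` above zero after persistence-rebalance is enabled means either the parameter-map isn’t applied to that VIP or the VIP isn’t a Layer 7 (`type loadbalance http`) policy at all, so the ACE never parses the requests.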

I don’t know if they’ll try to trick you with this in the CCIE Lab, but it’s something to keep in mind for the CCIE and for implementations.

CCIE Data Center: It’s Official

My twitter mentions were blowing up like a Michael Bay movie over the news that the CCIE Data Center certification was officially-officially announced at Cisco Live! in Melbourne this week. We’ve been teased with it for years, such as thinking we were getting it at Cisco Live last year, but our hopes were dashed. Even when a PDF was found on the Virtual Live site, we were still a little apprehensive. Now we finally have full-on confirmation.

Timeline? Written beta tests will be available in May, and apparently any passing grades there will allow you to take the lab. The CCIE DC lab will be available in September.

I’ll be taking the beta written the first day I possibly can, and likely will take the lab shortly after it’s available.

The equipment/subject list was what we expected from the PDF found at the Cisco Virtual Live website.

Let’s take a look at the equipment list, shall we?

Cisco Catalyst Switch 3750

Hilariously enough, this is the one device in the entire list of devices that I can’t ever remember having logged into. I’ve got Cat 6K experience, but not the 3750s. I’ll have to figure out what I need to know on these guys.

Cisco 2511 Terminal Server

Well, duh. Plenty of experience here, although I could stand to brush up on it. I wonder if they’ll make us set it up, or if it’s transparent to the infrastructure.

MDS 9222i

Interesting choice, instead of an MDS 9500. I’m studying for the CCIE Storage anyway, so this should be good. I don’t see mention of FICON, which is good. Because screw FICON.

Nexus 7009, 5548, 2232 FEX

I’ve taught Nexus before, and I’m still cert’d to do so, I just haven’t in a while. Fortunately, it doesn’t appear that any routing protocols are included in the subject list. I don’t deal with routing on a day-to-day basis, so it’s tough to get practice on them. My old nemesis is listed though, multicast (and IGMP). FabricPath and OTV are fairly new to me, but I should be able to get up and running on them quickly, especially since FabricPath is TRILL-ish.

Nexus 1000v

I’ve taught Nexus 1000v (DCUCI). Could always use more practice, but I’m good there.

Cisco UCS B-Series, Cisco ACE 4710 Appliance

UCS? ACE? Why Cisco, I thought you’d never ask.

I’ve been teaching ACE for the past 4 years, and I’ve done lab and course development for it. I’ve been teaching UCS almost weekly for the past 2 years, and I’ve also done course and lab development for it. So I’m totally prep’d for this, both written and lab.

I may not even need to study for the UCS and ACE sections. (ed: Bold statement there, buddy.)

Dual Attached JBODs

Need some lab practice on this with the MDS.

Not For Your Laundry Room

One thing is certain, you’re not going to build your own home lab on this. The equipment list is fairly cash intensive, so it’ll be interesting to see how the rental racks get priced out. As soon as I possibly can, I’d love to start teaching CCIE DC boot camps.

Tony’s Take

Now that it’s all official, I’m stoked. This is the CCIE I’ve always dreamed of. A R&S CCIE wouldn’t really help my day-to-day work, and there are lots of aspects of R&S that don’t really interest me. Everything about the CCIE DC (except the 3750s perhaps) interests me. Data center was a pretty big gap in Cisco’s certification track (there were a couple of specialization certifications but they don’t have much cachet).

You’ll be seeing a lot of posts from me in regards to my prep for the tests and the lab. Perhaps I’ll put together an ACE workbook. Should be fun.

CCIE Data Center: It’s On Like Donkey Kong

My colleague Mike Crane pointed me to a PDF, and it looks like the CCIE Data Center certification is on, and it’s going to be announced at Cisco Live Australia this month.

This is how I looked when I saw the PDF on CCIE DC

If you go to the Cisco Live Virtual session catalog (you can sign up for the site for free) and take a look at BRKCRT-1612, it lists the topics covered in the blueprint as:

  • Cisco Nexus 7000, 5000, 2000, 1000v
  • Cisco ACE 4710 (and presumably the GSS)
  • Cisco MDS
  • UCS
  • Catalyst 3750 (really?)

Pretty much what we expected, although there’s no WAAS (which surprised me). The ACE portion also surprised me, as I’d wondered if Cisco was really committed to the ACE. If it’s going to be in the CCIE DC track, they’re locked in to the ACE line for years.

But yeah, I’m so into this. The only CCIE track before DC that was even remotely relevant to what I do was Storage. If I went for the R&S it would represent maybe 20% of what I do, with 80% being fairly extraneous. DC is right up my alley.

Initial Thoughts on Apple’s New Initiative

When I heard about Apple’s new education initiative, I got excited. For one, it’s Apple. And yes, I’m a fanboy. So, like… Squeeeeeeee.

Tony, you have a problem

But it’s not algebra or geography books geared towards primary education that excites me (although that’s pretty cool), it’s how it could revolutionize IT ebooks.

Right now the primary market for technical books is print books. There are technical eBooks available on a variety of eBook platforms, but for the most part, technical books are a print business, with eBooks as an afterthought.

This approach has worked since the tech industry began, but it does have its limitations.

For one, tech books usually have a percentage of their content that’s out of date by the time they reach the shelves. Technical books can take over a year to get from outline to shelf, and naturally the fast-paced industry moves out from under the book. And doing an update or corrections to a book is a major effort. If it’s C programming, it’s probably not too much of an issue. But a book on FCoE or VXLAN? There are bound to be lots of changes and corrections within the span of a year.

What do you mean my book on cell phones isn’t current?

Also, eBooks right now are mostly just electronic versions of the paper books (ed: duh). The electronic format could do a whole lot more than just words on page, as shown by Apple in their presentation. With a fully interactive eBook, there could be animations (really awesome for networking flows), interactive quizzes (and huge test banks, not just 10 questions per chapter).

And right now eBooks seem to be an afterthought. Not all physical titles are available in eBook format (hint: several important and influential Fibre Channel books), and the ones that are can seem like a rush job. In my preparation for the CCIE Storage written test, I picked up this ebook on the Kindle platform: CCIE Network Storage. The ebook version was riddled with formatting errors which sometimes made it difficult to follow. Also, it looks like they’ve since taken it off Kindle entirely.

Right now my favorite eBook format is the Kindle. Despite being an Apple fanboy, Kindle has the largest library of technical books, by far. And Kindle’s reader and cloud storage make managing your library stupid easy. Apple also makes it easy, although the platform is limited to Apple devices, and the tech library doesn’t seem to be as comprehensive. All of this is in stark contrast to Adobe’s shitty eBook platform, which seems to want to destroy eBooks.

The Controversy

So the controversy is in Apple’s EULA. If you create an iBook with iBooks Author, that “Work” must be distributed through the Apple iBook store if you charge a fee for it. The tricky part is how Apple defines the term “Work”. Right now it’s a bit ambiguous. Some claim that the term “Work” defines the totality of the book. Others (like the Ars article) say “Work” only defines the output of the iBooks Author program (a PDF, or a file in Apple’s proprietary eBook format).

So if I write a book, and create an eBook version of it with Apple’s iBooks Author (which looks like it creates amazingly interactive ebooks), can I take the material from the book and make a (probably less interactive) Kindle version of the book?

Tony’s Take

Whether you like Apple or not, you have to admit this certainly ups the game. It’s high time eBooks took center stage for technical eBooks, instead of being an afterthought.

Right now the networking and data center landscape is changing fast, and we need new and better ways to cram new knowledge into our brainbags. A good interactive ebook, riddled with animations, audio, and large test banks would certainly go a long way to help. I don’t really care if it’s Apple or Amazon that provide that format. But right now, it looks like Apple is the only one saddling up.

Is The Pearson VUE Testing Center Network Collapsing?

Since my day job is teaching, I need to do a lot of certification tests. There are periods of time when I seem to live in a Pearson VUE testing center. However, in the past three months I’ve noticed the number of testing centers has dropped significantly. There used to be three in the Portland metro area, but about three months ago that number went down to zero. One came back, but there aren’t any open testing dates until March now.

Which is a problem, because I need to do my VCP5 certification before Feb 29th, 2012, otherwise in order to get the VCP5 certification I’ll have to take a course (I’m a current VCP4 holder).

I brought this up on Twitter a few months ago, and a few people responded they had issues as well recently with no local testing centers.

So I wonder, is the Pearson VUE testing network collapsing? Or is it just Portland, Oregon?

My dream of a VCP5 is collapsing

Dare To Be Stupid

I was fortunate to be a guest again on the Packet Pushers podcast recently, and one of the topics was an audience question regarding how to keep up with all that’s going on in the networking world. The group as a whole came up with some great insights, but I thought this would also make a great blog post.

Depending on your point of view, it can either be an exciting time or a terrifying time to be in data center networking. Here’s a small list of all the new stuff that you’re likely going to have to be familiar with: LISP, OTV, SPB, Fabric Path, TRILL, FCoE, FCoTR, BSP, IPv6, IS-IS, VXLAN, NVGRE, NPV, NPIV, EVB, as well as technologies that have been around for a little while but are much more prominent in a networker’s life such as iSCSI and Fibre Channel. And that’s just the data center. With campus and enterprise networking, you’ve got VOIP, unified communications, MPLS, VPLS, metro Ethernet, and more.

*BSP: The Bullshit Protocol. Used to see if you’re paying attention.

So how do you keep up with all this? I’ll admit, it can be a bit overwhelming. But the answer comes from the timeless wisdom of Weird Al Yankovic: Dare to be stupid.

One of the greatest mistakes I see people making in IT is that they stop learning. This is a common folly, and it never ends well. I know this because this is a mistake I’ve made big time. Let’s take the wayback machine to the late ’90s, early 2000s.

This was a period in my career where I thought I was hot shit. In the late 90s and early 2000s, I was an expert in load balancing, and everyone who wanted to know information about load balancing came to me. I was Mr. Load Balancer.


We all have an inner one of these

But there were huge, huge gaps in my knowledge. Gaps in networking, gaps in system administration, and gaps in my HTTP knowledge. During the heyday of the First Great Internet Bubble, technical talent was a scarce and precious resource, and anyone with experience and skills did very, very well. It made for a great living, but the downside was that it made it very easy to ignore skills gaps, and ignore those gaps I did. I thought that because I was hot shit, that I didn’t need to spend too much time learning. I didn’t dare be stupid.

But it caught up with me. I did a telephone interview with a load balancing vendor, and I got ripped to shreds. They found the gaping holes in my knowledge easily, and it was quite a humbling experience. Initially I was angry, and I thought they were being overly pedantic (something I still dislike). But it wasn’t the IP header overhead of an unladen swallow that I didn’t know, it was core concepts that I didn’t know.

It took a while, but my ego healed enough to realize I had a problem: I had to get my shit together. They were right to rip me to shreds (they were nice about it, but having large areas of ignorance in an area you thought you knew well is fairly unpleasant).

Moral of the story? Don’t rest on your laurels, and dare to be stupid. Otherwise, it will be your undoing. And if you’ve been too chicken to be stupid, it’s not too late. I eventually got my shit together. When I started my track to become a Cisco Certified Systems Instructor (CCSI), I confronted those huge gaps head on, and it was humbling. On my first attempt at the CCNA, I failed so badly that I thought John Chambers was going to get a phone call. I thought I was good at networking, but I couldn’t even do proper subnetting. (Like most sysadmins, if it wasn’t a class C subnet, 255.255.255.0, I was completely lost.)

What the fuck does 255.255.255.224 mean?

Eventually I learned subnetting, networking, and filled in the gaps. And I know what 255.255.255.224 means. So always be learning. And a trick I’ve used to continually learn is to learn something not related to computers. You’d be amazed at the insights you can get from learning a completely unrelated skill. For instance, in the past 5 years I’ve learned how to scuba dive, fly a plane, and ballroom dance. Each one of those gave me incredible insights into how I learn. Keep at it.

The Magic Words

The three magic words in IT are also among the most painful to say: “I don’t know”. That’s especially true for me, an IT instructor. I’m supposed to know the answer, but I don’t always. So saying “I don’t know” is quite painful.

In IT, knowledge is our currency, and ignorance is poverty. So it’s really tough to admit ignorance. But it’s important to fight that urge, and say the words “I don’t know”.

Even with that motto, part of me still cringes when those words escape my lips. I have a confession to make: during the most recent podcast I was on, Ethan asked me if I knew about vPC with the Nexus 2000 FEX. My response was “It’s been so long since I taught Nexus 7000”. That was basically me being too much of a chicken shit to say “I have no frakkin’ clue.”

Don’t Be An Asshole

Have you ever worked with someone who made you feel small? Where they seem to take delight in showing you how you fucked up? Do they take delight in highlighting your ignorance? Someone who enjoys a good gotcha?

Fuck those people.

Also, stay away from them. Avoid them like the plague. They create environments that are not conducive to learning. Learning is filling in the gaps of knowledge, and it’s tougher to do that when you don’t feel safe to admit you don’t know the answer.

I used to work with a guy like that back in 1998. I was a green Unix administrator whippersnapper, and there was a senior admin who used his powers for evil. He would lord his knowledge over us lesser experienced people. It was a hostile environment for growing. It backfires on them, however, since they stop growing too. They’ll be stuck at their skill level, because they’ll avoid areas where they aren’t the smartest person in the room. They don’t dare to be stupid.

And for Kirk’s sake, don’t be one of those people. Don’t be an asshole, be a teacher. If someone has a lesser level of knowledge on a subject, don’t berate them, don’t lord it over them, help them understand. Want to know how well you know a subject? Explain it to someone who isn’t familiar with it. You’ll figure out a topic much more comprehensively by doing that. That’s one of the secrets of blogging: you learn more about a subject simply by writing about it and organizing your thoughts on it (and coming up with clever pictures and captions).

Pull A Superman 2

I’m fortunate enough to have been invited to be a delegate for Network Field Day 2. If you’re not familiar with Network Field Day, it’s a networking-oriented offshoot of Tech Field Day, the brainchild of Stephen Foskett, storage expert extraordinaire (check out his great talk on iSCSI and FCoE). If you want to keep up with the future of IT developments, whether it’s storage, networking, or virtualization, pay attention to Tech Field Day and its offshoots. The companies that present (for the most part) aren’t pitching old ideas, they’re pitching what’s next. (For instance, Fsck It! We’ll Do It All in SSDs!)

When I take a look at the other delegates for the upcoming Network Field Day 2, I can only come to one conclusion: I’m not worthy.

Ivan Pepelnjak, Greg Ferro, Ethan Banks, Tom Hollingsworth, Brandon Carrol (along with my fellow former condescending Unix administrator Mrs Y.): these are some of the smartest, most experienced people in networking. And they love to share. I’m not at their level, and I’m likely going to embarrass myself. But I’m going anyway, because it’s a great opportunity to soak up as much knowledge from them as I can. I’m even preparing my own Superman 2 chamber, where I can steal their powers and abilities. And I’m doing it by daring to be stupid.

Surround yourself with people who know more than you, and like sharing that knowledge. You’ll naturally soak up their power.

So if you want to increase your kung fu, learn all the things, and bring out your inner “fuck yea”, then dare to be stupid.
