Why we moved from Cisco switches to Huawei Cloud Engine switches

I don’t work for Huawei, nor have they commissioned me to write this. I hate having to say that but I feel like I need to. I like to write the odd article about tech and why I have deployed it, as it’s a genuine customer/end-user view, and I like to report on the good or bad that I see as I go through my IT life.

One of the most recent projects that has just gone live is moving our Cisco switches (Core and Distribution layers) to Huawei. There are a number of reasons why we moved away from Cisco.

  1. For starters the commercials for Huawei are considerably cheaper when you sit them next to Cisco. As an example, buying into the Cloud Engine series, which in my mind is the same as buying into Nexus for Cisco, is as much as 60% cheaper.
  2. The actual throughput on the Huawei switches is for the most part higher than Cisco’s. I don’t have any hard facts to back this up so don’t shoot me down, I am just going on what I found in my R&D.
  3. When you look at the features that you get for your hard-earned cash you do get a hell of a lot more for less.
  4. Our first experience of Huawei support whilst on a POC was first class and they are a lot more agile than Cisco when it comes to bug fixes and changes. I realise that Cisco are huge but we need to work with more agile vendors so this suits us.
  5. In fact the actual POC and getting access to the loan equipment was excellent; they really went the extra mile to make sure we had the full experience. Again I have found Cisco to be a bit anal when it comes to that type of thing, especially when you are not a huge customer.
  6. We got access to their “Hedex” documentation store which is awesome. Basically they give you an offline copy of all of their documentation, but to top it off the documentation not only has numerous config examples, they are all really good and they actually walk you through a technology from basics. Awesome when you are stuck on site, there is no Internet and you need to configure TRILL for example.

In closing, if you are in a similar situation to me (limited budget, aged network etc.) and you want to future-proof your network I would consider Huawei. Ours have been in production for three months and have shown no issues at all. If you are a die-hard Cisco guy like me then you will be able to transition quickly to the Huawei IOS. In fact I will put a post out about that soon.


Cisco ASA won’t boot – ERROR: Booting system, please wait

Just a quick one, I had this on one of our ASA firewalls, post swapping out its PSU.

ASA Boot Error

It’s a lovely error as it just sits there and does nothing. You cannot get into ROMMON as this is the first message that pops up on boot.

After a bit of playing I found that one of my RAM chips was causing the ASA to stop; with it removed the ASA booted fine. I reseated the RAM and all was well.

Simple answer to an odd error.

Hope this helps someone else in the future.

How to bring a failed Cisco ASA back into a cluster

In my day-to-day I do a lot with Cisco technology and I tend to forget some of the commands that I use, so I thought I would start to put a few more bits on the blog. Hence this post. I will admit that there is a lot on the web about this subject but I found a couple of gotchas that I thought were worth documenting.

First point to note: if you have any advanced licensing that is not covered by a SmartNet you will be in trouble, as when the replacement unit arrives it will be shipped with no licenses and you cannot reassign licenses in the Cisco portal if the unit is not paired to a SmartNet. I like to think of your license as an OEM license that lives and dies with the machine.

Make sure that the new unit has the same amount of RAM, as again the failover pair will not form if the RAM does not match. The same goes for the ASA OS version. In our case Cisco actually shipped one with a matching OS.

Not knowing how your ASA died, I will detail two processes for bringing the ASA back online. I am only talking about bringing an Active/Standby pair back online.

First the simple one. Your ASA died and was shipped out, so you have a new device with no config.


Check that your current live ASA has failover enabled and whether it is primary or secondary.

Do a show run failover:

ASA01# show run failover
failover                  {denotes that failover is enabled}
failover lan unit primary
failover lan interface failover GigabitEthernet0/2
failover link failover GigabitEthernet0/2
failover interface ip failover 172.16.100.100 255.255.0.0 standby 172.16.100.101

If it’s not the primary then change that so it is by using the command failover lan unit primary.

Take your new ASA and perform the following steps. Please note I am not going to detail all the commands to do these steps.

  1. Install your licenses.
  2. Configure your host name.
  3. Select your interfaces for Outside, Inside and Failover. I would match your other ASA if I were you. Label the ports with a description and enable them.
  4. Configure your failover interface, matching the other unit (in our case the interface is named failover on GigabitEthernet0/2):
     failover lan interface failover GigabitEthernet0/2
  5. Configure your active and standby IPs for the failover interface:
     failover interface ip failover 172.16.100.100 255.255.0.0 standby 172.16.100.101
  6. Configure your device to be the secondary:
     failover lan unit secondary
  7. Enable failover:
     failover

Now, the scenario we actually had was that only the power supply had died; we swapped that out and powered the device back on. All our config was there, but before making it live we took some additional steps to ensure that no complications occurred.

  1. In our case it was the primary that failed, so using a terminal connection we hopped on and took a look at what was going on.
  2. Firstly we turned failover off using the command no failover.
  3. Then we set the unit to be the secondary: failover lan unit secondary.
  4. We then set our current active unit to now be the primary: failover lan unit primary.
  5. We then plugged in the failover interface and enabled failover on the now secondary unit; within a few seconds they saw each other and paired up. This was the output that we observed:

ASA01(config)# failover
ASA01(config)# Failover LAN became OK
Switchover enabled
Configuration has changed, replicate from mate.
Detected an Active mate
Beginning configuration replication from mate.
INFO: Specified entry already exists in access-list "XXXXXXX"
INFO: Specified entry already exists in access-list "XXXXXXX"
End configuration replication from mate.

  6. We then brought each interface up, first the inside and then the outside.
  7. A show failover state proved that we were back in business.
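The gotcha in both procedures above is that the repaired (or rebuilt) unit must end up as the secondary with a failover interface and addresses that match the live unit. The following is an added pre-flight check, not code from the original post: it parses the show run failover output of both units and lists anything that would stop them pairing cleanly. The sample outputs are constructed from the listing earlier in the post, and the function names are my own.

```python
import re

# Constructed sample, modelled on the "show run failover" listing in the post.
LIVE_UNIT = """\
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/2
failover link failover GigabitEthernet0/2
failover interface ip failover 172.16.100.100 255.255.0.0 standby 172.16.100.101
"""

# Constructed: a unit repaired after a PSU swap keeps its old config, so it still says primary.
REPAIRED_UNIT = LIVE_UNIT


def parse_failover(text):
    """Pull the enabled flag, unit role, failover LAN interface and IPs out of 'show run failover'."""
    cfg = {"enabled": False, "unit": None, "lan_if": None, "ips": None}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "failover":
            cfg["enabled"] = True
        elif (m := re.match(r"failover lan unit (primary|secondary)$", line)):
            cfg["unit"] = m.group(1)
        elif (m := re.match(r"failover lan interface (\S+) (\S+)$", line)):
            cfg["lan_if"] = (m.group(1), m.group(2))          # (if_name, physical interface)
        elif (m := re.match(r"failover interface ip (\S+) (\S+) (\S+) standby (\S+)$", line)):
            cfg["ips"] = (m.group(1), m.group(2), m.group(3), m.group(4))  # (if_name, active, mask, standby)
    return cfg


def pairing_problems(live, repaired):
    """Return the reasons the two units would not pair cleanly; an empty list means go ahead."""
    a, b = parse_failover(live), parse_failover(repaired)
    problems = []
    if not a["enabled"]:
        problems.append("live unit has failover disabled")
    if a["unit"] == b["unit"]:
        problems.append(f"both units claim to be {a['unit']}; set the repaired unit to secondary")
    if a["lan_if"] != b["lan_if"]:
        problems.append("failover LAN interface differs between units")
    if a["ips"] != b["ips"]:
        problems.append("failover interface ip / standby addresses differ between units")
    return problems


def demote_to_secondary(text):
    """Apply step 3 of the post to the repaired unit's config text."""
    return text.replace("failover lan unit primary", "failover lan unit secondary")
```

Run pairing_problems on the two captured configs before plugging the failover cable back in; the role clash it reports is exactly what steps 2 to 4 above resolve.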