4th November 2025
we travelled and then we also tidied up and expanded again...
So it's November and some amazing things happened.
- I went to Auckland and visited my second data center (hello anyone from Geekzone, Vetta and Data Vault crew).
- I caught up with some amazing people.
- I had some amazing food.
- I won some prizes.
- Appreciated the Taylor Swift rack in Data Vault.
- Given more hardware (Fortinet are kinda nice).
- Bought more hardware (oh boy).
- Had my first Cisco TAC interaction (this almost went sideways).
- There are now 6 routers in the network lab... Soon to be 7.
- I cleaned up the configuration and killed a dead default route.
Let's start with the event and why I travelled to Auckland on the second flight out of Christchurch...
The flight to Auckland and Data Vault at Grafton.
Originally I had planned to take a +1 with me but they had to bail out due to circumstances. So I met up with someone who I had conversed with but never met; the planets aligned to ensure I wasn't going to be alone. NZ586 on an Airbus A320 and we took to the skies. We ended up meeting with another Quic user and we drove around, had a quick brunch around Mission Bay with coffee, and then the three of us drove towards Grafton. We got to learn how Data Vault started, what it housed and the plans they have to continue filling it with networking, servers, power and cooling.
I met a lot of amazing people.
Yep, caught up with friends, industry peers, met new people and even got to have a few drinks and won some prizes after the tours were done. I also got to have a sit down with a few of them and got some renewed determination and encouragement. So these blogs will continue and they will likely get more in depth.
Fortinet is kind of nice.
During my time in Auckland, I was given a Fortinet FortiGate 80E which not only has some serious hardware but a pretty amazing software stack (seriously, you know who you are, thank you both). This will go into the Lab to replace the Core lab router (C899G) and it won't just be faster but it will be easier and it will give me more experience with multiple vendors. I also have a Fortinet AP to go along with this as well.
The lab got updated and I bought some more gear.
So the lab has now grown again; this time we now have a Cisco ISR 1841 with some serial interfaces as well as 2 Fast Ethernet 100 Mbps interfaces. The 1841 is dubbed Chatham and it has an interesting configuration (this will get its own blog) that allows for not only dynamic routing but backup links as well. Won't spoil 😉. I also put back in the hAP AC which I configured with only OSPF and it just worked. Got default routes, could route to the production network and other lab networks. That was pretty satisfying that my OSPF configuration just works. And speaking of OSPF...
So we need to talk about OSPF again... Briefly.
So I wasn't entirely honest when I said it just worked. There were some fixes we had to do. So let's talk about those fixes.
You can fool yourself with default routes.
default-information originate is a command that advertises the default route into OSPF only if one exists in the router's routing table. The default route didn't actually exist in my OSPF configuration, so I had to install one from somewhere. Unfortunately, I made the incorrect decision to install the default route from the core and not from the Production router, so the Production router ended up with a dud route that was invalid.
So the fix is simple: no default-information originate, and instead fix this on the Production router side by enabling Originate Default = Always.
[yukari@yakushima-nz1] /routing/ospf> instance/print
Flags: X - disabled, I - inactive
0 name="ospf-instance-1" version=2 vrf=main router-id=0.1.1.1 originate-default=always
This originates the default route from the production router, and OSPF carries it down to every router participating in OSPF. This makes OSPF just work. We can route to every network imaginable that participates in OSPF and we can also go out to the internet... and I didn't configure a single static route.
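The three states described above (conditional origination with no default, a default installed on the wrong router, and the fix), as an added example that is not part of the original post. It is a toy model, not router code: the router names, the has_uplink flag and the 192.0.2.1 next hop are constructed for illustration, and "if-installed" stands in for the plain default-information originate behaviour.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Router:
    name: str
    originate: str = "never"              # "never", "if-installed" or "always"
    local_default: Optional[str] = None   # next hop of a non-OSPF default in the RIB
    has_uplink: bool = False              # True only where the internet is really reachable

def originators(routers):
    """Routers that would inject 0.0.0.0/0 into OSPF.

    "if-installed" models the plain `default-information originate`:
    the default is advertised only while one exists in the local table.
    """
    return [r for r in routers
            if r.originate == "always"
            or (r.originate == "if-installed" and r.local_default)]

def audit(routers):
    """Flag a missing default and defaults advertised by routers with no uplink."""
    origs = originators(routers)
    if not origs:
        return ["no router originates 0.0.0.0/0"]
    return [f"{r.name} advertises 0.0.0.0/0 but has no uplink"
            for r in origs if not r.has_uplink]

def lab(core_mode, core_default, prod_mode):
    """Constructed three-router lab: production edge, core and Chatham."""
    return [Router("production", prod_mode, "isp", has_uplink=True),
            Router("core", core_mode, core_default),
            Router("chatham")]

# 1. Core originates conditionally but has no default installed: nothing is sent.
step1 = audit(lab("if-installed", None, "never"))
# 2. A default is installed on the core to satisfy the condition: dud route.
step2 = audit(lab("if-installed", "192.0.2.1", "never"))
# 3. The fix: core stops originating, production originates always.
step3 = audit(lab("never", None, "always"))

if __name__ == "__main__":
    for n, findings in enumerate((step1, step2, step3), 1):
        print(n, findings or "ok")
```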
And I opened up my first Cisco TAC case... because I bought something for a $2 coin...
Yep... I bought something that caused me to open up my first Cisco TAC case. A Cisco ASA5506-X. This is a VPN and Firewall appliance, but you can use it as a router... if you really want to... It's also an x86 device and it makes no attempts to hide it.
ciscoasa> show ver
Cisco Adaptive Security Appliance Software Version 9.16(4)42
SSP Operating System Version 2.10(1.1611)
Device Manager Version 7.20(1)
Compiled on Fri 22-Sep-23 03:02 GMT by builders
System image file is "disk0:/asa9-16-4-42-lfbff-k8.SPA"
Config file at boot was "startup-config"
ciscoasa up 45 secs
Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
Internal ATA Compact Flash, 8000MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB
Hello Intel Atom... But this is not the latest build... and this build is subject to two CVEs. One of them was a 9.9... No way could I lab with this and even expose this. Now I had three options...
- Accept my losses.
- Only allow certain IP addresses to talk to this (using my MikroTik to filter this out).
- Open up a Cisco TAC and fix it properly.
I chose option 3. So I opened up my first TAC case. The process was convoluted. Because I am a complete nobody to Cisco, I don't have service contracts, I am not the original owner of any of my Cisco gear. Cisco has no business with me. I am nothing to them. So after some Reddit threads, I went through the Live Chat.

Regarding your questions about future support, here is a breakdown of our policy and the options available to you as a learning network engineer:
1. Future TAC Case Creation
You mentioned having to push hard to create the recent TAC case. I want to clarify why this may have happened and what to expect in the future:
The Key Differentiator is the Contract: While the ASA 5506 may have an End-of-Support (EoS) date in 2026 (meaning the hardware is still within its lifecycle), active TAC access and software download entitlement are primarily linked to an active, paid service contract (like Smart Net Total Care) assigned to the device’s serial number.
The Vulnerability Exception: The reason we were able to provide the software and support recently was due to the nature of the issue—a critical, published security vulnerability (PSIRT). Cisco often makes exceptions for critical security patches to allow customers to mitigate high-risk exposures.
Future Cases: For standard technical issues on your SOME DEVICES HERE (non-critical security issues, configuration help, hardware troubleshooting), the standard requirement of an active service contract tied to that specific device's serial number will apply. Without a contract, the case creation system may automatically flag it, requiring manual intervention or escalation for us to assist.
2. Software Download Entitlement (SOME DEVICES HERE)
You are absolutely correct: Downloading official Cisco IOS and ASA software requires an active service contract linked to the specific hardware serial number. This policy is in place to ensure proper licensing, support, and management of our software distribution.
Since your lab equipment does not have active contracts, you will be unable to access the latest IOS images via the standard Customer Download Portal.
Your Options for Learning and Software Access
Given your unique situation as an individual who works for a company with Cisco contracts, here are the most effective, policy-compliant paths forward:
Internal Company Resources: Since you work for a company with active contracts, I strongly recommend speaking with your internal IT team or Cisco Account Manager. Companies often have site licenses or special arrangements that might permit you to use software images for non-production, lab/learning purposes under their entitlement.
Cisco Software Trials: You can request a 30-day software trial for specific images via the Cisco Software Center. This requires registration and is intended for short-term evaluation, which can be useful for your lab work.
Cisco DevNet: This is the best free resource for a learning engineer. DevNet provides free sandbox environments with access to the latest Cisco OS, firewalls, and networking devices. You can practice configurations for your CCNA/CCNP using real, current code without needing to update your physical gear.
Your commitment to continuous learning is fantastic, and I encourage you to leverage those DevNet and trial resources.
So there will be cheap Cisco hardware that is still very good in today's networks... but because you don't pay Cisco money... you don't get access and security vulnerability patching is convoluted. Yes I shouldn't complain, but the amount of e-waste, the extra hassle of someone trying to learn and we put EOL devices behind a giant convoluted and mysterious support model? Leaves a slightly sour taste in the mouth. And then we talk about sustainability...
Again, do not attack or go after the people who didn't make these decisions... So no witch hunting the support people. But the decisions made in the boardrooms were absolutely bizarre... and Cisco should do better (Cisco are not the only one). My suggestion? Just don't paywall the firmware and don't hide EOL firmware (I cannot legally download the 1841 firmware). That is all anyone could ask for and that would make things better. You don't have to support us... just release the firmware (And don't come after me... I would like a cordial conversation and to discuss the options, you know where to find my email 😉).
So what's next?
Likely going to release another blog this month as I want to talk about OSPF more in detail and a real use case for it. I also want to dive into IPv6 and there will probably be a bit of a break as I'm going on holiday.
👋