Over the last year, I haven’t been writing many new blog posts. I have been pretty busy with a new job, but also starting a new networking group called the Chicago Network Operators Group (CHI-NOG). The idea behind it is that there aren’t that many places where network engineers can meet to talk about technology, learn something new and network with each other. The communities are mostly virtual and that’s something I wanted to change by creating CHI-NOG.
I usually didn’t think much about the pseudowire Sub-TLVs until I encountered two IOS-XR boxes that didn’t agree on the same value and didn’t forward any packets. There is a special corner case for pseudowires using Flow-Aware Transport (FAT) flow labels that can cause unexpected behavior, and if you don’t watch out you might drop traffic. In this post I’ll go over the details of using FAT with different IOS-XR versions and what can go wrong.
GNS3 has been a crucial tool used by many network engineers to emulate computer networks. It has proven fundamental for studying at all network certification levels such as CCNA, CCNP and CCIE, and crucial for network design validation within many companies. With the news of Cisco’s VIRL, many said that GNS3 would disappear, but that doesn’t seem to be the case. GNS3 is going through a major redesign and needs the help of all the engineers it has helped over the years.
Recently I came across an idea to implement anycast DNS within an enterprise environment. The concept is similar to Google’s public DNS, but at an enterprise level. Using an IP SLA DNS probe, a tracked static route and some redistribution makes it an easy solution. The biggest benefit is that all internal clients can use the same DNS IP address no matter what location they reside in; an additional benefit is distributing the load when DNS attacks occur.
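As an added example (not configuration from the original post), here is what the site router side of that design looks like on IOS. The anycast address 10.255.0.53/32 is assumed to be configured as a loopback on every DNS server, 10.1.1.10 is the assumed real address of the DNS server at this site, and www.example.com is the assumed record to probe; one copy of this goes on each site router.

```cisco
! IP SLA DNS probe: a real query against the local server's real address,
! so the route is withdrawn when DNS stops answering, not only when ping fails
ip sla 53
 dns www.example.com name-server 10.1.1.10
 frequency 10
ip sla schedule 53 life forever start-time now
!
track 53 ip sla 53 reachability
!
! Static /32 for the anycast address, pointing at the local server's real
! address and tied to the tracked probe
ip route 10.255.0.53 255.255.255.255 10.1.1.10 track 53
!
! Redistribute the /32 into the IGP; metric-type 1 lets the IGP cost to each
! site decide which copy a client reaches, so the closest healthy server wins
router ospf 1
 redistribute static subnets metric-type 1
```

Clients everywhere point at 10.255.0.53. When a server's DNS process dies, its site router withdraws the /32 and clients at that site transparently follow the next-closest copy; under a volumetric attack the load is already spread over all sites because each site prefers its own instance.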
When configuring RSVP with the “ip rsvp bandwidth [interface-kbps] [single-flow-kbps]” command, the optional second parameter limits the bandwidth of an individual RSVP reservation (per flow). When using Call Admission Control for VoIP, that is the rate of a single voice call in one direction, but the behavior is not as clear cut as it seems.
Configuring RSVP on DMVPN mGRE tunnels requires a few extra steps and a little bit of calculation to figure out the additional overhead. Without correctly configured overhead, the mismatch between RSVP and available LLQ bandwidth can cause degraded VoIP call performance.
When using RSVP Call Admission Control (CAC) for VoIP, DMVPN has limitations that prevent RSVP from working over it. If you have VoIP and you can’t use location-based CAC, RSVP is the only answer. So what’s the problem with RSVP over DMVPN? The root of the problem is RSVP’s loop prevention mechanism. In this post I’ll describe an original solution to make RSVP CAC work over DMVPN.
At Cisco Live I was able to attend the CCIE Service Provider technical session by Vincent Zhou, who is the product manager of CCIE SP. It was a very informative session (BRKCCIE-9163) that gave nice insight into the lab exam. Below are my notes from the session; hopefully you’ll find them useful.
At Cisco Live in Orlando I had the chance to demo the Virtual Internet Routing Lab (VIRL). It is Cisco’s answer to GNS3 or Juniper’s Junosphere, using virtualization to create virtual network topologies. This tool will be as revolutionary as GNS3, but at a much larger scale. It is an awesome tool that can be used for certification studying but also to validate production designs. Everyone I spoke to couldn’t wait to get their hands on it, including me!
I’ve been trying to set up a BFD neighbor for a link connecting two important sites on a Nexus 7010. That link only uses iBGP for routing. This seems like a really easy thing to do, unless you run into bad documentation with a few key facts missing.
In the good old days of IPv4, an interface on a host typically had only one IPv4 address. Things were very simple: every IP host would use that one address as the source IP for all communication. When we get into IPv6, each interface can have multiple IPv6 addresses. These addresses have different scopes such as global, unique-local and link-local. If an IPv6 enabled host would like to send a packet to another host, which source IPv6 address does it choose? What if it has four addresses: 2001:10::3/64 (Global from ISP A), 2001:23::3/64 (Global from ISP B), fc00:23::3/64 (Unique-Local) and fe80:23::3 (Link-Local)?
EIGRP Offset-list is usually used to increase the metric of routes being advertised over a link, but can it be used to filter EIGRP prefixes?
I thought about using offset-list in RIP to filter specific routes and wondered about doing the same thing in EIGRP. I haven’t run into any examples or blog posts of using offset-list in EIGRP to filter routes, so I thought about labbing it out to see if that’s possible.
Is there a way to provide internet service over a dot1q tunnel using VLAN tunneling? Yes, there is a way; it is not the most intuitive method but it works nicely.
Recently I had to recover the admin password on the Nexus 5548. The Cisco doc was a little bit unclear, so I figured I’d make some notes on it.
First, reboot the switch. The power supplies on these don’t have an on/off switch, so you’ll have to pull the power cable.
I updated the CCIE page to include CCIE Supermemo questions. Please go to CCIE Supermemo Questions. As time progresses I’ll update more and more of these.
The very simple answer is when the local NTP master is synching to the IP address 127.127.7.1 instead of 127.127.1.1. Ok, I think I need to clarify a few things. In a number of CCIE workbooks, you’ll get a task to configure NTP access-control on the master NTP router to only peer with R1. After trying for a long time, you look up the solution guide and realize that you were missing an ACL entry for the local address 127.127.7.1. Or you finished the task, everything works, you check the solution guide and ask yourself “why did they have an ACL for the IP address 127.127.7.1? I did it without it and it worked.”
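The workbook task as an added example (this is not the original post’s configuration). R1’s address is assumed to be 10.1.1.1 and the master is assumed to run at stratum 3; the local reference clock address is whichever one “show ntp associations” lists on your IOS train, which is the whole point of the post.

```cisco
! Only R1 may peer with this router...
access-list 1 permit 10.1.1.1
! ...but "ntp master" makes the router sync to its own internal reference
! clock, which also has to pass the access-group. On trains where that clock
! shows up as 127.127.7.1 this line is mandatory; on trains that use
! 127.127.1.1 it is harmless but not what is being filtered.
access-list 1 permit 127.127.7.1
!
ntp master 3
ntp access-group peer 1
```

Without the second entry a master on the 127.127.7.1 train never synchronizes to its own clock, so it never reaches stratum 3 and R1 never gets time. Check “show ntp associations” on the master: the reference clock line that appears there is the address the ACL has to permit.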
I was troubleshooting an OSPF area range summarization and came upon something I hadn’t seen before called Passive Advertisement. There weren’t too many Cisco documents that explained it, so I decided to post a really quick description explaining it in a little detail and where you could see it. This could be useful for the CCIE troubleshooting section when dealing with OSPF area summarization problems.
I will use R3 to demonstrate. This router is connected to area 0 and area 1, which makes it the only ABR connecting the two areas. R3 should be sending a summary route 220.127.116.11/16 for the two component routes 18.104.22.168/24 and 22.214.171.124/24. Looks pretty simple. To verify, I check the output of show ip ospf to make sure the area 0 range 126.96.36.199 255.255.0.0 command is configured:
What is the IPv6 6to4 tunnel prefix? 2022::/16 or 2002::/16? (It is 2002::/16, and the next 32 bits are the tunnel endpoint’s IPv4 address written in hex.) How do you convert the IPv4 address into an IPv6 6to4 tunnel address? Well, there is the long way, which you should understand, and then there is the easy way in case you need to configure it really quickly. I found this nice method where you can use the IPv6 General Prefix feature to automatically calculate the conversion. Originally this feature was used to create a variable for an IPv6 network, the “general-prefix”, to easily change all IPv6 addresses in case of reassignment of IP subnets.
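The easy way, as an added example rather than the post’s own configuration. The tunnel source is assumed to be Loopback0 with the documentation address 192.0.2.1, so the long way gives 192 = C0, 0 = 00, 2 = 02, 1 = 01 and therefore 2002:C000:201::/48; the general-prefix does that arithmetic for you.

```cisco
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
! Derive the 6to4 /48 from the IPv4 address of Loopback0:
! SIXTO4 = 2002:C000:201::/48
ipv6 general-prefix SIXTO4 6to4 Loopback0
!
interface Tunnel0
 ! Sub-bits are appended to the general prefix: this becomes 2002:C000:201:1::1/64
 ipv6 address SIXTO4 0:0:0:1::1/64
 tunnel source Loopback0
 tunnel mode ipv6ip 6to4
!
! Any 2002::/16 destination is reached through the tunnel; the remote
! endpoint's IPv4 address is taken from the destination prefix itself
ipv6 route 2002::/16 Tunnel0
```

Verify with “show ipv6 general-prefix” (it lists the computed 2002:C000:201::/48 and the interfaces using it) and “show ipv6 interface Tunnel0”. If the loopback address ever changes, the general prefix and every address derived from it follow it without retyping any hex.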
Reading the IPv6 Configuration Guide (Implementing Traffic Filters and Firewalls for IPv6 Security), I came across a little known fact that seems to be very important when configuring IPv6 access-lists on IOS.
Usually when I configure an IPv4 ACL, I explicitly define a deny ip any any at the end, which seems like the best practice. But what happens when you do the same thing with IPv6 ACLs?
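The fact in question is that every IOS IPv6 ACL ends with three implicit entries: permit icmp any any nd-ns, permit icmp any any nd-na and deny ipv6 any any. An explicit deny ipv6 any any matches before those implicit lines, so it silently drops Neighbor Discovery as well. As an added example (not from the original post), here is the IPv4 habit carried over unchanged next to the corrected form; the server address 2001:DB8::10 and the interface are assumptions.

```cisco
! Broken: the explicit deny sits above the implicit ND permits, so
! Neighbor Solicitations/Advertisements arriving on the interface are
! dropped and the router loses (or never forms) its neighbor entries
ipv6 access-list V6-EDGE-BROKEN
 permit tcp any host 2001:DB8::10 eq 443
 deny ipv6 any any
!
! Corrected: restate the implicit ND permits before the explicit deny
ipv6 access-list V6-EDGE
 permit tcp any host 2001:DB8::10 eq 443
 permit icmp any any nd-ns
 permit icmp any any nd-na
 deny ipv6 any any log
!
interface GigabitEthernet0/1
 ipv6 traffic-filter V6-EDGE in
```

Keep the explicit deny if you want logging or hit counters, but always put the two ND permits in front of it. Note that only NS and NA are implicit; anything else the segment needs (router solicitations/advertisements, MLD, DHCPv6) has to be permitted explicitly in either version.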
The CCIE certification is a very honored and respected industry certification, but it comes at a high cost in time and money. When I started studying for the certification, I couldn’t find a lot of details on its expense, so I decided to keep a running total. I wouldn’t say that these numbers are representative of all cases, only of one CCIE. Knowing these figures helps in terms of budgeting, especially when comparing individual financing versus expensing it from a company training budget.
Understanding the theory of each protocol is one thing, but being able to configure it is another. After reading a number of books, I purchased a collection of CCIE R&S practice workbooks. The first set that I purchased was Internetwork Expert’s workbooks (Vol1, Vol2 and Vol3) to get hands-on experience with each CCIE topic. Once I had finished the majority of the INE workbooks, I bought IP Expert Volume 2 and Volume 3.
The troubleshooting lab is designed for a CCIE candidate to fix issues in a pre-configured network. The tickets are very well defined, as is the expected behavior. There are about 10 tickets presented, some worth 2 points and some 3 points. The troubleshooting lab has an automatic cutoff after 120 minutes. All devices are virtualized using Cisco’s IOU (IOS on Unix).
The way I approached the troubleshooting section is by reading all of the tickets first. Yes, that will eat up about 10 minutes of your allocated 120 minutes, but it is well worth it. During the initial read, I created a table which tracked:
The CCIE configuration section is a 6 hour test. The main goal of this section is to test your knowledge in building a network from scratch. All devices are real physical routers and switches, no Cisco IOU.
Similar to the troubleshooting lab, I read the whole lab from start to finish. Just as in the troubleshooting section, I created a table to help me keep track of all the tasks and their requirements (see below for a sample and explanation).
The CCIE Routing and Switching test deals with a vast number of technologies. Remembering everything is rather difficult throughout the preparation process. Each CCIE will tell you that you need to have some sort of a method of documenting all of this new knowledge. During my studies I mainly used three types of documentation: mind maps, personal wiki and flashcards. One other very important aspect of CCIE documentation is the navigation of the DocCD.
Before anyone is allowed to schedule the CCIE Lab exam, they have to pass the CCIE Written exam 350-001, which is a 120 minute test consisting of 90-110 questions (see the link for the official blueprint). CCIE candidates usually do one of two things: take the CCIE written test before doing any workbooks/labs, or take the exam when they are ready to schedule the lab test. I did the latter. To me it made more sense to configure each topic and have hands-on experience before taking the written test. I finished the technology based labs and scheduled my written test. As my main preparation, I used the Boson Exam Environment and its CCIE written questions. I think Boson has a very useful study tool to review content and fill in any gaps for the written exam. I passed it on my first attempt.
Thursday July 27th was quite a day for me, full of ups and downs at RTP Cisco building number 3. I arrived 10 minutes before 7 AM. Slowly other candidates arrived. Everyone was returning for at least the second time, including me. Since the last time I attempted the lab in January, Cisco had moved their testing room to a smaller room on the left side of the building. I had the same proctor as before, David Blair.
I’m extremely excited to have passed the CCIE Routing and Switching lab at RTP on July 26th 2012. Currently, I’m working on a write up on my long journey and should be able to share it with everyone soon.
As you may know, the backdoor feature of BGP changes the AD of the backdoor network to 200. But is there a way to modify it?
There is a way, but it’s not very intuitive. When you configure a network as a backdoor network you are creating a local route that you don’t originate to others. To modify the AD of a local route you can use the distance bgp command. Remember that the distance bgp format is:
distance bgp (eBGP) (iBGP) (Local/Backdoor)
Below is a quick example where I use the route 10.1.4.0/24 as a backdoor route.
router bgp 5
 ! 10.1.4.0/24 is also learned over eBGP from AS 4; backdoor turns it into a
 ! local, non-advertised network so it gets AD 200 and the IGP route wins
 network 10.1.4.0 mask 255.255.255.0 backdoor
 neighbor 10.1.45.4 remote-as 4
 ! external 20, internal 200, local/backdoor 233: the third value is the one
 ! that now applies to 10.1.4.0/24
 distance bgp 20 200 233