Category Archives: CCIE studies

CCIE#37401


My first attempt was September 21st in Toronto.  I arrived onsite at 8:45PM and talked to the other candidates.  I was the only first timer.  One guy had taken the lab 7 times in the last year.  It was very easy to be discouraged.  By 9:05 the proctor came in to collect our IDs and it was off to the lab.

Troubleshooting is as hard as everyone says.  The worst part is the clock that ticks in the corner of the screen.  I had 2 hours but it honestly felt like an eternity.  I was able to finish the troubleshooting section with 5 minutes left to review.  I was very confident when I hit the finish button that I had passed troubleshooting.

Off to config.  As soon as I hit the begin lab button I just went brain dead.  I am not sure what happened.  I just lost it.  I felt like I had stage fright.  I felt like I had forgotten everything I had studied in the past year and a half.  I sat and stared at the screen for a good 20 minutes.  I realised where I was and how important the situation was.  I went to the bathroom, splashed some water on my face and went back to the lab.  By the time I was 50% through layer 2 it was break time.  My proctor was not the greatest.  I am pretty sure he practiced how to say “Do what you think is right” in the mirror in the morning.  I asked him a few questions and that was his response every time.  The lunches are as stressful as everyone says they are.  After lunch I was able to finish the lab.  By 5pm I was finished and it was time to take the 5 hour drive back to Pittsburgh.

Driving home I received the message from Cisco to log in and check.  My heart was ready to beat out of my chest.  I told my wife I would open the email with her.  I got home only to open it and find out I passed TS but failed config :( with really, really low numbers.  I believe I made a mistake on layer 2 which affected me throughout the entire lab.

I took a week off of studying to figure out what I did wrong.  I was prepared for the lab topics but I did not prepare for the way the exam was structured.  I wish I had taken the mock exams that are offered by INE.  Fast forward to November: I decided to take another stab at it.

This time I was more prepared.  I was able to finish TS with 10 minutes to spare.  I did not realise it but I was clicking on R1 and going to R4… yes, I believe Cisco does this on purpose.  I was able to verify I did everything correctly without breaking any of the rules.

Off to config.  I looked at the lab and first read through every question.  I was able to finish layer 2 at the beginning of lunch.  I had the same stressful lunch that I had in Toronto.  I was able to finish config with 1 hour for review.  I could not believe the amount of mistakes I made.  Just small little mistakes, and a few mistakes would have caused me to lose points in multiple tickets.  I fixed everything and verified connectivity with a TCL script.  I left RTP for the day hoping that by the time I was back home I would get results…. Friday goes by.. Saturday… nothing.  I woke up Sunday at 0600 to an email from Cisco; my heart was about to beat out of my chest.  I could not help thinking in the back of my head that I really did not want to retake this, with all the work that went into every attempt.  I logged in and saw I had passed.  I was so tired, I closed my browser, reopened it and checked again.  I did the same sequence 3 times just to make sure!! I passed!!! I went down the hallway to wake my wife up…. I was midway down the hall and I wanted to check on my laptop just one more time to make sure.  This was 1.5 years in the making, on a strict 25 hour a week study schedule.

What do I do with this blog now?  What would any new CCIE do… give back to the community which has helped me so much, by adding more blog posts and write-ups.  I work with newer data center technology: Nexus, WAAS, load balancers etc.  I feel I need to master the newer products out there.

I have to thank my friends, family, coworkers and most importantly my biggest supporter, my wife, for all the help she has given me through my frustrations for the past year and a half.  She has easily been my biggest supporter.

-Daniel Hertzberg

CCIE#37401


CCIE Update

I haven't blogged in a while due to how busy I am.  Work and study have been the death of me.  My lab is scheduled for September 21st in Toronto for attempt #1.  I pray attempt #1 is my last attempt.  It's a lot for me to take in.  I have been studying for this for the past 1.5 years.  It's a lot to take in, especially when it is 1750 dollars a pop.  I have spent the last year with the same routine.  Work 0800 – 1600, get home, take the dog out and study for 3.5-4 hours.  Work out, come home and prepare for the next day.  If I pass, it's odd, but I don't know what I will do with all my free time… the wife already has a plan for that of course!

Well wish me luck, as I will make a blog post after I take the lab.

%BGP-4-VPNV4NH_MASK: Nexthop

Wha?

Well, I found some interesting stuff while trying to run OSPF as the IGP in an MPLS environment while peering BGP between loopbacks.  Here is the configuration; keep in mind this is with INE’s topology.

ip vrf VPN_A
rd 1:1
route-target export 1:1
route-target import 1:1
!
router bgp 1
neighbor 150.1.1.1 remote-as 1
neighbor 150.1.1.1 update-source lo0
neighbor 150.1.2.2 remote-as 1
neighbor 150.1.2.2 update-source lo0
neighbor 150.1.3.3 remote-as 1
neighbor 150.1.3.3 update-source lo0
neighbor 150.1.4.4 remote-as 1
neighbor 150.1.4.4 update-source lo0
neighbor 150.1.5.5 remote-as 1
neighbor 150.1.5.5 update-source lo0
!
address-family vpnv4 unicast
neighbor 150.1.1.1 activate
neighbor 150.1.1.1 send-community both
neighbor 150.1.2.2 activate
neighbor 150.1.2.2 send-community both
neighbor 150.1.3.3 activate
neighbor 150.1.3.3 send-community both
neighbor 150.1.4.4 activate
neighbor 150.1.4.4 send-community both
neighbor 150.1.5.5 activate
neighbor 150.1.5.5 send-community both
exit-address-family
!
address-family ipv4 vrf VPN_A
redistribute ospf 3 vrf VPN_A
no synchronization
exit-address-family
!
router ospf 3 vrf VPN_A
redistribute bgp 1 subnets

Then I get this message on each PE router.

*Mar 1 17:10:19.575: %BGP-4-VPNV4NH_MASK: Nexthop 150.1.1.1 may not be reachable from neigbor 150.1.2.2 - not /32 mask
*Mar 1 17:11:26.579: %BGP-4-VPNV4NH_MASK: Nexthop 150.1.3.3 may not be reachable from neigbor 150.1.1.1 - not /32 mask
*Mar 1 17:11:55.683: %BGP-4-VPNV4NH_MASK: Nexthop 150.1.5.5 may not be reachable from neigbor 150.1.1.1 - not /32 mask

On a CE router.

Rack1SW2#sh ip route 155.1.67.7
Routing entry for 155.1.67.0/24
Known via “ospf 1”, distance 110, metric 3, type inter area
Last update from 155.1.58.5 on Vlan58, 00:04:55 ago
Routing Descriptor Blocks:
* 155.1.58.5, from 5.5.5.5, 00:04:55 ago, via Vlan58
Route metric is 3, traffic share count is 1

Traceroute

Rack1SW2#trace 155.1.67.6

Type escape sequence to abort.
Tracing the route to 155.1.67.6

1 155.1.58.5 0 msec 0 msec 9 msec
2 *

Looking over my MPLS forwarding table, it appears that since OSPF by default takes my /24 loopback and advertises it as a /32 (a loopback is treated as an OSPF stub host regardless of its mask), LDP gets confused: the prefix shows up in the tag switching table as a /24 but as a /32 in the routing table.  The fix for this was making each loopback a point-to-point interface under OSPF (ip ospf network point-to-point on the loopback) so the real mask is advertised.  I'm not sure how this would scale in a large service provider environment… this might even be an IOS bug, not sure.

After the change…

Rack1SW2#trace 155.1.67.6

Type escape sequence to abort.
Tracing the route to 155.1.67.6

1 155.1.58.5 8 msec 0 msec 9 msec
2 155.1.146.1 0 msec 8 msec 0 msec
3 155.1.146.6 25 msec * 0 msec

One thing you may also want to do, to make sure the loopback is the LDP router-id as well so there are no problems, is issue the following command under global configuration.

Rack1R1(config)#mpls ldp router-id lo0 force

That way the router-id is always lo0.  Adding force at the end of the statement drops all current LDP sessions: if you have MPLS sessions currently using another loopback or interface as the router-id, they will be dropped, reinitialized and use lo0.  Otherwise, without the force option, the mpls neighbor x.x.x.x command will have to be used.
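As an added check, not part of the original post: the following Python linter reads an IOS running-config, finds every loopback that BGP uses as an update-source, and reports the three conditions discussed above: a mask other than /32 (the condition behind %BGP-4-VPNV4NH_MASK), a loopback without ip ospf network point-to-point (OSPF then advertises a /32 host route while the connected route keeps the /24), and a missing mpls ldp router-id ... force. The two sample configs are constructed for this example and are not the INE topology; the one-space indentation is how IOS prints sub-commands in a running-config.

```python
import re
from ipaddress import IPv4Interface


def normalize_intf(name: str) -> str:
    """Map IOS short forms (lo0, Lo0, loopback0) to the canonical Loopback0."""
    m = re.fullmatch(r"(?i)(lo|loopback)\s*(\d+)", name.strip())
    return f"Loopback{m.group(2)}" if m else name.strip()


def parse_stanzas(config: str) -> list:
    """Split a running-config into (top-level command, [sub-commands]) pairs.
    IOS indents sub-commands by at least one space; '!' lines are separators."""
    stanzas = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" "):
            if stanzas:
                stanzas[-1][1].append(raw.strip())
        else:
            stanzas.append((raw.strip(), []))
    return stanzas


def lint_pe_loopbacks(config: str) -> list:
    """Return finding strings for every loopback used as a BGP update-source;
    an empty list means none of the post's three conditions was found."""
    stanzas = parse_stanzas(config)
    interfaces = {normalize_intf(h.split(None, 1)[1]): body
                  for h, body in stanzas if h.startswith("interface ")}
    top_level = [h for h, _ in stanzas]
    findings = []

    sources = set()  # interfaces the BGP neighbors peer from
    for header, body in stanzas:
        if header.startswith("router bgp"):
            for sub in body:
                m = re.match(r"neighbor\s+\S+\s+update-source\s+(\S+)", sub)
                if m:
                    sources.add(normalize_intf(m.group(1)))

    for intf in sorted(sources):
        body = interfaces.get(intf)
        if body is None:
            findings.append(f"{intf}: used as update-source but not configured")
            continue
        addr = None
        for sub in body:
            m = re.match(r"ip address (\S+) (\S+)$", sub)
            if m:
                addr = IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        if addr is None:
            findings.append(f"{intf}: no ip address configured")
            continue
        plen = addr.network.prefixlen
        if plen != 32:
            # BGP expects a /32 next hop; a wider mask raises %BGP-4-VPNV4NH_MASK.
            findings.append(f"{intf}: {addr.ip} has a /{plen} mask, not /32 "
                            "(%BGP-4-VPNV4NH_MASK)")
            # OSPF advertises a loopback as a /32 host route regardless of its
            # mask unless the network type is point-to-point: the LFIB /24 vs.
            # RIB /32 mismatch the post describes.
            if "ip ospf network point-to-point" not in body:
                findings.append(f"{intf}: add 'ip ospf network point-to-point' "
                                "so OSPF advertises the real mask")
        if not any(re.fullmatch(r"mpls ldp router-id (\S+) force", t)
                   and normalize_intf(t.split()[3]) == intf for t in top_level):
            findings.append(f"{intf}: no 'mpls ldp router-id {intf} force'")
    return findings


# Constructed sample: a PE before the change (loopback /24, default OSPF
# network type, LDP router-id not pinned).
BEFORE = """\
interface Loopback0
 ip address 150.1.1.1 255.255.255.0
!
router bgp 1
 neighbor 150.1.2.2 remote-as 1
 neighbor 150.1.2.2 update-source lo0
 !
 address-family vpnv4
  neighbor 150.1.2.2 activate
 exit-address-family
!
"""

# Constructed sample: the same PE after the post's two changes.
AFTER = BEFORE.replace(
    " ip address 150.1.1.1 255.255.255.0\n",
    " ip address 150.1.1.1 255.255.255.0\n ip ospf network point-to-point\n",
) + "mpls ldp router-id Loopback0 force\n"

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(f"== {label} ==")
        for finding in lint_pe_loopbacks(cfg) or ["clean"]:
            print(" ", finding)
```

Run against a real config, the "after" case still reports the /24 mask, which is deliberate: the point-to-point network type is a workaround, and a /32 loopback is what the BGP message is asking for.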

CCIE update

So far I am doing well.  There are some things I am lacking…. going over INE’s Vol2 labs to see where I am generally weak, I am not very good at the following: QoS, multicast and NAT.  I am not that concerned with NAT.  I honestly have not used it much in the real world other than on ASAs, and never on IOS in production networks.

The good part about QoS is I use it heavily at work, Catalyst QoS along with router QoS.  Catalyst QoS is finally making sense to me to the point where I can write it out in notepad and make it work, but I feel I am not advanced to the point where I could get it going with the gotchas and other small problems for the test.  I am planning on going over multicast with Vol1 next week and anything I do not understand I will spend time labbing out on a blank Vol1 test topology.

Since I am getting married in June and spending the majority of June in Greece… Yay!  I am planning on taking the lab at the end of summer most likely, maybe August or September again.  Mainly I am tired of the old crap.  I really hate learning about Frame Relay, RIP and old legacy stuff I would never use.  At this point there is no way I could get back the time I have put into this, so I might as well get the lab over with.

When I update this again I am hoping to be more efficient with advanced multicast features, QoS and NAT.  I believe once I finish lab 20 of INE and go over the DocCD a few hundred times I will be ready.  It's just so hard to spend the 2000 with no promise of passing.

L2 tunneling CDP and QinQ

This is a pretty simple topology and I will try to keep it simple; this is my first experience with L2 tunneling.  I've never read about it in any books.  My first encounter with it was in INE labs.  I worked for a service provider who mainly ran L2 Metro Ethernet circuits, and we generally used QinQ for internal VLANs but turned CDP off.  From the looks of the interface possibilities you can tunnel CDP, VTP and STP.

This configuration is pretty simple.  On CE1 and CE2 this is an access port for VLAN 2.  This VLAN is simply trunked across the PE switches.  For l2protocol-tunnel to work, from what I am reading, this has to be an access port.

S1

interface FastEthernet0/1
switchport access vlan 2
switchport mode access
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel vtp
no cdp enable
end

S2

interface FastEthernet0/1
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
end

S3

interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/2
switchport access vlan 2
switchport mode access
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel vtp
no cdp enable

S4

interface FastEthernet0/1
switchport access vlan 2
switchport mode access
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel vtp
no cdp enable
end

#Show CDP neighbor on CE1 shows CE2 as CDP is tunneled across
CE1#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
CE2              Fas 0/1           156          R S I     WS-C3560- Fas 0/1

#Show CDP neighbor on CE2

CE2#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
CE1              Fas 0/1           147          R S I     WS-C3560- Fas 0/1

If I want to QinQ tunnel, which makes more sense for a service provider to run, I have to change my PE switches to run dot1q tunnels, which is something that is used often in the real world.  Now in our small topology we are using VLAN 2… not everyone can use VLAN 2 within the service provider.  If I want to use VLAN 2, since everything on my site is in VLAN 2 as well as my remote site, I have to QinQ tunnel the link between both PE switches.  So I run VLAN 2 and my service provider puts me within VLAN 200.  Across my PE1 and PE2 switches it encapsulates one tag in another.  My only changes are on both PE switches.

PE1

interface FastEthernet0/1
description to CE1
switchport access vlan 200
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel vtp
no cdp enable
!
interface FastEthernet0/2
description trunk to PE2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 200
switchport mode trunk
end

PE2

interface FastEthernet0/1
description trunk to PE1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 200
switchport mode trunk
!
interface FastEthernet0/2
description to CE2
switchport access vlan 200
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel vtp
no cdp enable
end
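To make the "one tag in another" concrete, here is an added Python example (not code from the post or from INE) that builds and decodes the frames PE1 and PE2 exchange over the VLAN 200 trunk above. The VLAN numbers (customer 2, provider 200) are the post's; the MAC addresses and payloads are constructed. It assumes the Catalyst dot1q-tunnel port uses TPID 0x8100 for the outer tag as well, and it models what l2protocol-tunnel does to CDP/VTP/STP on the ingress edge: the destination MAC is rewritten to Cisco's L2PT address 01-00-0C-CD-CD-D0 so the provider core floods the frame instead of consuming it, and the far edge restores the original destination from the LLC/SNAP header. That is the part worth seeing from a defensive angle: the customer's CDP, VTP and STP control plane crosses the provider unchanged, which is why the post's CDP neighbor table shows the remote site.

```python
import struct

TPID_8021Q = 0x8100                 # assumed: the dot1q-tunnel port tags both layers with 0x8100
ETHERTYPE_IPV4 = 0x0800
CDP_VTP_DA = "01:00:0c:cc:cc:cc"    # well-known destination MAC for CDP and VTP
PVST_DA = "01:00:0c:cc:cc:cd"       # PVST+ BPDUs
STP_DA = "01:80:c2:00:00:00"        # IEEE 802.1D BPDUs
L2PT_DA = "01:00:0c:cd:cd:d0"       # MAC the ingress edge rewrites tunnelled protocols to


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_frame(dst, src, vlans, ethertype, payload: bytes) -> bytes:
    """Ethernet II frame with zero or more stacked 802.1Q tags (outermost first)."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, v & 0x0FFF) for v in vlans)
    return mac_bytes(dst) + mac_bytes(src) + tags + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes):
    """Return (dst, src, [vids outermost first], ethertype-or-length, payload)."""
    off, vids = 12, []
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if etype not in (0x8100, 0x88A8, 0x9100):
            return mac_str(frame[:6]), mac_str(frame[6:12]), vids, etype, frame[off:]
        (tci,) = struct.unpack_from("!H", frame, off)
        off += 2
        vids.append(tci & 0x0FFF)


def push_tag(frame: bytes, vid: int) -> bytes:
    """Insert a new outermost tag right behind the MAC header."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


def pop_tag(frame: bytes) -> bytes:
    """Strip the outermost tag; the caller knows one is present."""
    return frame[:12] + frame[16:]


def pe_ingress(frame: bytes, svlan: int) -> bytes:
    """Customer-facing dot1q-tunnel port with l2protocol-tunnel cdp/stp/vtp:
    wrap whatever arrives in the provider S-tag, and give CDP/VTP/STP frames
    the L2PT destination so the core floods them instead of processing them."""
    if mac_str(frame[:6]) in (CDP_VTP_DA, PVST_DA, STP_DA):
        frame = mac_bytes(L2PT_DA) + frame[6:]
    return push_tag(frame, svlan)


def restore_l2pt_dst(llc: bytes) -> str:
    """Recover the original well-known destination from the LLC/SNAP header:
    IEEE BPDUs use DSAP/SSAP 0x42; Cisco protocols use SNAP with OUI 00:00:0c
    and a protocol id (CDP 0x2000, VTP 0x2003, PVST+ 0x010b)."""
    if llc[:2] == b"\x42\x42":
        return STP_DA
    if llc[:6] == b"\xaa\xaa\x03\x00\x00\x0c":
        return PVST_DA if struct.unpack_from("!H", llc, 6)[0] == 0x010B else CDP_VTP_DA
    raise ValueError("unrecognised tunnelled protocol")


def pe_egress(frame: bytes) -> bytes:
    """Far-side edge: strip the S-tag and hand tunnelled protocols back to the
    customer under their normal destination MAC."""
    frame = pop_tag(frame)
    if mac_str(frame[:6]) == L2PT_DA:
        llc = parse_frame(frame)[4]
        frame = mac_bytes(restore_l2pt_dst(llc)) + frame[6:]
    return frame


def walk_provider():
    """Carry one data frame and one CDP frame from CE1 to CE2 via PE1/PE2."""
    # Constructed sample: an IPv4 frame on customer VLAN 2 (dummy 20-byte header).
    data = build_frame("00:11:22:33:44:66", "00:11:22:33:44:55", [2],
                       ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    # Constructed sample: a CDP frame, LLC/SNAP header then a dummy CDP body.
    cdp_llc = b"\xaa\xaa\x03\x00\x00\x0c\x20\x00" + b"\x02\xb4\x00\x00"
    cdp = build_frame(CDP_VTP_DA, "00:11:22:33:44:55", [], len(cdp_llc), cdp_llc)
    data_core, cdp_core = pe_ingress(data, 200), pe_ingress(cdp, 200)
    return {
        "data_core_vids": parse_frame(data_core)[2],   # [200, 2]: S-tag outside the C-tag
        "data_restored": pe_egress(data_core) == data,
        "cdp_core_dst": parse_frame(cdp_core)[0],      # L2PT address inside the provider
        "cdp_restored": pe_egress(cdp_core) == cdp,
    }


if __name__ == "__main__":
    for key, value in walk_provider().items():
        print(f"{key}: {value}")
```

parse_frame accepts 0x88A8 and 0x9100 as outer TPIDs too, so the same decoder works on captures from gear that uses a distinct S-tag ethertype.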

Isolating Hosts at layer 2 using VACLs

I received a help ticket from some of the server guys I work with requesting that their new production servers not be able to talk with the old production servers.  Problem is they are both within the same VLAN.  So my original thought was easy: PVLANs.  I go to look at the list of the servers and there's a dozen servers that are not allowed to talk with each other.  Then I notice it's a really big subnet, a /18, and there's a few hundred servers on this VLAN.  So if I isolate them, or even break it down into two different communities, these dozen or so servers will be isolated from each other… and everyone else.  So I had to create a way to make them only isolated from each other… here is a simplistic view of our topology.

So server 192.168.1.7 is NOT allowed to talk to 192.168.1.2 or 192.168.1.3, but both servers .2 and .3 need to talk with 192.168.1.6.  PVLANs would not work because if I put .2 and .3 in their own community, .6 would not be allowed to talk with them.  Regular access lists will not work since they are on the same subnet.  So VACLs are my only option.

Start by first creating a filter for each server.

ip access-list extended blockserver7
permit ip host 192.168.1.2 host 192.168.1.7
permit ip host 192.168.1.3 host 192.168.1.7

Next, create the VLAN access-map; this is similar to a route-map.

vlan access-map vacl 10
action drop
match ip address blockserver7
vlan access-map vacl 20
action forward
exit

I am only applying this on the switch where .2 and .3 are located.  It is not needed on both switches.

Now, where the magic happens: apply the access-map to the VLAN with a VLAN filter.
vlan filter vacl vlan-list 19

Now anything on VLAN 19 on the switch where .2 and .3 are located is not allowed to talk with .7.  If either wanted to talk with .6 it would be permitted, as there is a forward action allowing all other traffic on that VLAN.
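An added Python example (not the post's own code) that evaluates the VACL above the way the switch does, so each server pair's drop/forward decision can be checked before the filter is applied to VLAN 19. The ACL and access-map text is the post's with explicit sequence numbers; the flows and the symmetric variant are constructed. Two details of VACL evaluation are modelled: an access-map entry whose ACL denies (or does not match) a packet is simply not matched and the next entry is tried, and a packet that matches no entry is dropped. The fourth flow shows the caveat a practitioner should check: the ACL as written only lists .2 and .3 as sources, so a VACL, which is stateless, still forwards frames sent from .7 toward .2; the symmetric variant adds the reverse entries.

```python
from ipaddress import ip_address, ip_network

# The post's ACL and access-map, with the sequence numbers IOS assigns.
VACL_CONFIG = """\
ip access-list extended blockserver7
 permit ip host 192.168.1.2 host 192.168.1.7
 permit ip host 192.168.1.3 host 192.168.1.7
!
vlan access-map vacl 10
 action drop
 match ip address blockserver7
vlan access-map vacl 20
 action forward
"""

# Constructed variant: block the reverse direction too.
SYMMETRIC_CONFIG = VACL_CONFIG.replace(
    " permit ip host 192.168.1.3 host 192.168.1.7\n",
    " permit ip host 192.168.1.3 host 192.168.1.7\n"
    " permit ip host 192.168.1.7 host 192.168.1.2\n"
    " permit ip host 192.168.1.7 host 192.168.1.3\n")

# Constructed flows: (source, destination) pairs on VLAN 19.
FLOWS = [("192.168.1.2", "192.168.1.7"), ("192.168.1.3", "192.168.1.7"),
         ("192.168.1.2", "192.168.1.6"), ("192.168.1.7", "192.168.1.2")]


def _addr(tokens):
    """Consume one ACL address spec (any | host A | A wildcard) -> (network, rest)."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts a hostmask (IOS wildcard) after the slash
    return ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_vacl(text: str):
    """Parse extended ACLs and vlan access-maps into plain data structures."""
    acls, maps = {}, {}
    acl = entry = None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] == "!":
            continue
        if parts[:3] == ["ip", "access-list", "extended"]:
            acl, entry = parts[3], None
            acls[acl] = []
        elif acl and parts[0] in ("permit", "deny") and parts[1] == "ip":
            src, rest = _addr(parts[2:])
            dst, _ = _addr(rest)
            acls[acl].append((parts[0], src, dst))
        elif parts[:2] == ["vlan", "access-map"]:
            acl = None
            seq = int(parts[3]) if len(parts) > 3 else 10 * (len(maps.get(parts[2], [])) + 1)
            entry = {"seq": seq, "match": [], "action": "forward"}
            maps.setdefault(parts[2], []).append(entry)
        elif entry and parts[0] == "action":
            entry["action"] = parts[1]
        elif entry and parts[:3] == ["match", "ip", "address"]:
            entry["match"].extend(parts[3:])
    for name in maps:
        maps[name].sort(key=lambda e: e["seq"])
    return acls, maps


def acl_permits(aces, src, dst) -> bool:
    """First matching ACE wins; a deny (or the implicit deny) means 'no match'
    for the access-map entry, not a dropped packet."""
    for action, s_net, d_net in aces:
        if src in s_net and dst in d_net:
            return action == "permit"
    return False


def vacl_decide(acls, entries, src: str, dst: str) -> str:
    """Walk the access-map entries in sequence order. An entry with no match
    clause matches everything; a packet matching no entry is dropped."""
    s, d = ip_address(src), ip_address(dst)
    for entry in entries:
        if not entry["match"] or any(acl_permits(acls[n], s, d) for n in entry["match"]):
            return entry["action"]
    return "drop"


def decide_flows(config: str, flows):
    """Return {(src, dst): 'drop' | 'forward'} for the access-map named 'vacl'."""
    acls, maps = parse_vacl(config)
    return {(s, d): vacl_decide(acls, maps["vacl"], s, d) for s, d in flows}


if __name__ == "__main__":
    for label, cfg in (("as posted", VACL_CONFIG), ("symmetric", SYMMETRIC_CONFIG)):
        print(f"== {label} ==")
        for (s, d), verdict in decide_flows(cfg, FLOWS).items():
            print(f"  {s} -> {d}: {verdict}")
```

With the ACL as posted, .2 and .3 cannot reach .7 and both still reach .6; the reverse flow from .7 to .2 is forwarded until the reverse entries are added, which matters for one-way UDP or ICMP traffic even though a TCP handshake already fails without them.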

CCIE update

I had a small victory after passing my written exam.  Since then I have been going through Volume 1 labs and making sure I know everything inside and out.  It's looking like I want to take the lab by July.  Some things I feel I have mastered: IGPs, BGP, all layer 2 functions etc… stuff I generally work with every day.  As embarrassing as it is, I have not started on QoS yet; it's the one part of this lab that I have never worked with in a production environment, so it should be interesting.  I have some things I want to blog about in the upcoming weeks.  Trying to keep up with this, work a full-time job and become a CCIE is tough business.  I am planning on ending this month with more multicast, then jumping into QoS by February.

Passed CCIE Written

I haven't updated in a long time, I have just been super busy. I wrote down all sorts of things I want to write blog posts on that I am not 100% on so I can review them later.  I cleared the CCIE written yesterday with an 85%, yay, though I feel sort of jipped.  It really wasn't super hard.  I believe any CCNP with some more multicast, IPv6 and QoS knowledge would have been able to pass this exam without a problem.  I spent close to 6 months (some screwing off with this as well and not going 100% dedication like I did with CCNP) on this exam.

-I spent the last 2 weeks before my exam (Nov 5th) studying all the time.

I read and did the following

-CCIE Routing and Switching Certification(Cisco Press)

-TCP IP Vol1 and Vol2

-Internet Routing Architecture

-BGP O’Reilly book.

-I spent a ton of time with Vol 1 labs from INE, just at random.  I need to follow their guide from now on.  http://blog.ine.com/2010/10/09/how-to-pass-the-ccie-rs-with-ines-4-0-training-program

I'm not sure about the lab, or when I plan on taking it.  I am *NOT* anywhere near the point where I should be.  Reading INE’s blog post, it looks like I need to be able to go in and know everything without even needing the Cisco docs, just by knowing the commands and how things work off the top of my head.  I'm really excited for this!!!!  More blog posts to come and more learning of course!!

Dynamips Server on way to begin CCIE training

These past two days have been a pain in my ass with these quad NICs. I have had some moments where I have raged on networking equipment or machines, but I have never been so frustrated. Long story short, with older quad NICs some will show up as one MAC address for four NICs. So of course Fedora (the Dynamips OS) freaks out in its ifconfig and gives it 4 interfaces with the same MAC, for example…

eth8-eth7 Link encap:Ethernet HWaddr 00:03:BA:6D:76:AA
eth6-eth7 Link encap:Ethernet HWaddr 00:03:BA:6D:76:AA
eth5-eth7 Link encap:Ethernet HWaddr 00:03:BA:6D:76:AA
eth7 Link encap:Ethernet HWaddr 00:03:BA:6D:76:AA

After days of dropping the driver, manually adding MAC addresses and not loading the driver in the kernel, I just about decided to purchase another few. I was extremely lucky to find a place that had the 4 I needed. They happened to have the Sun 501-4366. I found that the Sun quad NICs with an Intel chipset work great; I am even running a 64-bit OS, Fedora Core 14, without any issues. So with these other NICs I purchased, I put the first one in and it worked…. I really did not want to test the other 3, I was just happy it worked.

So I have everything plugged in from each one of my NICs according to the following topology from INE.

INE topology

Here is what it looks like in my new place.
My topology

Here is my cost sheet.

Total Cost

Dynamips Server

AMD X4 3.2GHz
8gb DDR RAM
2TB hard drive
3x Quad NIC Sun 501-4366 (would not recommend)

Mobo -> BIOSTAR A770E3 AM3 AMD 770 ATX AMD Motherboard -> 79.99
PS -> hec XPOWER780 600W (780W Peak) ATX12V v2.3 / EPS12V v2.91 SLI NVIDIA HYBRID-SLI Certified CrossFire Certified Active PFC Power Supply -> 59.99
CPU -> AMD Phenom II X4 955 Black Edition Deneb 3.2GHz Socket AM3 125W Quad-Core Processor HDZ955FBGMBOX -> 159.99
Case -> HEC Blitz Black Steel Edition ATX Mid Tower Computer Chassis Gaming Case w/ Front Blue LED 120mm Fan & Top 120mm Fan -> 59.99
Memory -> G.SKILL 6GB (3 x 2GB) 240-Pin DDR3 SDRAM DDR3 1600 (PC3 12800) Triple Channel Kit Desktop Memory Model F3-12800CL9T-6GBNQ -> 99.99
2TB drive -> 99.99
SUN 501-4366 Quad NICs -> initially purchased 3 (2 worked), then purchased 4 more; I spent 100 total for all 7 -> 100

-----------------------------------

$659.99

Network Gear

Cisco 2511 w/ 2 octal cables -> local Craigslist ad 6 months ago, purchased this for $125
4x 3550s -> all eBay deals, purchased each for 125 shipped, 4 x 125 = 500
100 feet of cable + 75 RJ45s = Home Depot FTW!! 20 for the cable, 16 for 75 RJ45s = 36

------------------------------------

661

Total: $1320.99