Archive for May, 2010
In a recent post here on the INE blog, we received some follow-up questions similar to the following:
“Why do IPSec peers end up using tunnel mode, even though we had explicitly configured transport mode in the IPSec transform-set?”
It is an excellent question, and here is the answer. In a site-to-site IPSec tunnel the “mode transport” setting is honoured only when the traffic to be protected (traffic matching the crypto ACLs) is sourced from and destined to the IPSec peers’ own addresses and nothing else. As soon as a crypto ACL covers addresses beyond the two peer endpoints, the “mode transport” setting is ignored and tunnel mode is negotiated, because transport mode has no outer header in which to carry packets whose addresses differ from the peers’. There is also the option of appending the keyword “require” to “mode transport”, which prevents the peers from falling back to tunnel mode; if the crypto ACLs then cover addresses other than the peers’ own, IKE phase 2 simply never completes.
One notable exception to this is GET VPN, where the group members use whichever mode (tunnel or transport) the key server (KS) has configured in its policy, regardless of the IP addresses used in the KS policy ACL.
Below is a site-to-site example. Let’s use the following topology, with R1 and R3 as peers, and a crypto ACL that says to encrypt all ICMP traffic regardless of IP addresses. This crypto ACL will cause the peers to ignore the mode transport option and negotiate tunnel mode.
Below are the full configs, some debug output and show commands demonstrating that, even with transport mode explicitly configured in the transform sets, the two peers negotiate tunnel mode instead if the crypto ACLs don’t exclusively cover the endpoints of the VPN tunnel. Note the crypto ACL includes all ICMP from any source to any destination.
First, here is R1:
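As an added illustration (not code or output from the original post), the Python below models the decision rule just described: given the two peer addresses, the crypto ACL and the transform-set mode, it reports whether transport mode is honoured, tunnel mode is silently negotiated, or phase 2 fails because of “require”. The ACL syntax it accepts (permit/deny, “any”, “host A.B.C.D”, address plus wildcard mask, no port qualifiers) and the 10.0.0.x peer addresses are assumptions made for the example.

```python
"""Model of the IOS transport-vs-tunnel decision described above.

Added illustration, not code or output from the original post. It encodes
the rule as stated: "mode transport" is honoured only when every permit
entry of the crypto ACL matches nothing but the two peer addresses;
otherwise tunnel mode is negotiated, unless "mode transport require" is
set, in which case IKE phase 2 fails. ACL syntax handled (an assumption):
'permit|deny <proto> <src> <dst>' with 'any', 'host A.B.C.D' or
'A.B.C.D wildcard' address specs; port qualifiers are not modelled.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


class Phase2Failure(Exception):
    """Raised when 'mode transport require' cannot be satisfied."""


def _parse_address(tokens):
    """Consume one ACL address spec; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # IOS wildcard masks are inverted subnet masks: 0.0.0.255 -> /24
    mask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]


def parse_ace(line):
    """'permit gre host 10.0.0.1 host 10.0.0.3' -> ('permit', 'gre', src, dst)"""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, rest = _parse_address(tokens[2:])
    dst, _ = _parse_address(rest)
    return action, proto, src, dst


def acl_is_peer_only(acl, peer_a, peer_b):
    """True when every permit entry matches only traffic between the two peers."""
    a = ipaddress.ip_network(peer_a + "/32")
    b = ipaddress.ip_network(peer_b + "/32")
    for line in acl:
        action, _proto, src, dst = parse_ace(line)
        if action != "permit":
            continue  # deny entries never create an SA
        if not ((src == a and dst == b) or (src == b and dst == a)):
            return False
    return True


def negotiate_mode(acl, peer_a, peer_b, configured_mode):
    """configured_mode is 'tunnel', 'transport' or 'transport require'."""
    if configured_mode == "tunnel":
        return "tunnel"
    if acl_is_peer_only(acl, peer_a, peer_b):
        return "transport"
    if configured_mode == "transport require":
        raise Phase2Failure("crypto ACL covers non-peer addresses; transport required")
    return "tunnel"  # the silent fallback the question above asked about


def outcome(acl, peer_a, peer_b, configured_mode):
    """One-line summary of what the peers end up with."""
    try:
        return "negotiated " + negotiate_mode(acl, peer_a, peer_b, configured_mode)
    except Phase2Failure as exc:
        return "IKE phase 2 failed: " + str(exc)


if __name__ == "__main__":
    peers = ("10.0.0.1", "10.0.0.3")  # constructed peer addresses
    for acl, mode in [
        (["permit icmp any any"], "transport"),
        (["permit icmp any any"], "transport require"),
        (["permit gre host 10.0.0.1 host 10.0.0.3"], "transport"),
    ]:
        print(acl, mode, "->", outcome(acl, *peers, mode))
```

The same check is worth running mentally on any real design: if a crypto ACL is broader than host-to-host between the peers and the transform set says mode transport, the peers will quietly end up in tunnel mode, and with mode transport require the SA simply never comes up.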
It isn’t my fault, they configured it that way before I got here! That was the entry-level technician’s story Monday morning, and he was sticking to it.
Here is the rest of the story. Over the weekend, some testing had been done regarding a proposed BGP configuration. The objective was simple: R1 and R3 needed to ping each other’s loopbacks at 188.8.131.52 and 184.108.40.206 respectively, with those two networks being carried by BGP. R2 is performing NAT. The topology diagram looks like this:
The ping between loopbacks didn’t work, but R1 and R3 had these console messages:
R1# %TCP-6-BADAUTH: No MD5 digest from 10.0.0.3(179) to 10.0.0.1(28556) (RST)
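As an added example (not from the original post), the Python below parses %TCP-6-BADAUTH lines like the one above and classifies them. Two variants are handled: “No MD5 digest from ...”, which IOS logs when the router has a password configured for the peer but the received segment carried no MD5 option, and “Invalid MD5 digest from ...”, which it logs when a digest is present but does not verify. The sample log is constructed around the line quoted above, and the port-179 check assumes the standard BGP port.

```python
"""Classify %TCP-6-BADAUTH syslog lines from IOS routers.

Added example for the message quoted above; not part of the original post.
The sample lines are constructed, except the first, which is the one from
the post. Interpretation encoded:
  * "No MD5 digest"      - this router expects a TCP MD5 signature for that
                           peer but the segment carried none: the other side
                           is not signing (no password configured for us).
  * "Invalid MD5 digest" - both sides sign but the digests differ: password
                           mismatch, or addresses/ports rewritten in transit
                           (e.g. NAT), because the RFC 2385 digest covers the
                           TCP pseudo-header.
"""
import re

BADAUTH_RE = re.compile(
    r"%TCP-6-BADAUTH: (?P<kind>No|Invalid) MD5 digest from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\) to "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\)"
    r"(?: \((?P<flags>[A-Z]+)\))?"
)

BGP_PORT = 179  # assumption: peers use the standard BGP port


def parse_badauth(line):
    """Return a dict describing the failure, or None if the line is not BADAUTH."""
    m = BADAUTH_RE.search(line)
    if not m:
        return None
    info = m.groupdict()
    info["sport"] = int(info["sport"])
    info["dport"] = int(info["dport"])
    info["bgp"] = BGP_PORT in (info["sport"], info["dport"])
    if info["kind"] == "No":
        info["diagnosis"] = "peer sent no MD5 option: password missing on the remote side"
    else:
        info["diagnosis"] = "digest mismatch: wrong password or addresses/ports changed in transit (NAT)"
    return info


def summarize(lines):
    """Count BGP-related failures per (peer address, kind); skips unrelated lines."""
    counts = {}
    for line in lines:
        info = parse_badauth(line)
        if info is None or not info["bgp"]:
            continue
        key = (info["src"], info["kind"])
        counts[key] = counts.get(key, 0) + 1
    return counts


SAMPLE_LOG = [
    # the line quoted in the post
    "R1# %TCP-6-BADAUTH: No MD5 digest from 10.0.0.3(179) to 10.0.0.1(28556) (RST)",
    # constructed lines for the example
    "%TCP-6-BADAUTH: No MD5 digest from 10.0.0.3(179) to 10.0.0.1(28556) (RST)",
    "%TCP-6-BADAUTH: Invalid MD5 digest from 10.0.0.3(179) to 10.0.0.1(28557)",
    "%BGP-5-ADJCHANGE: neighbor 10.0.0.3 Down BGP Notification sent",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_badauth(line))
    print(summarize(SAMPLE_LOG))
```

The distinction matters when NAT sits between the peers: the RFC 2385 digest covers the TCP pseudo-header, so rewritten addresses or ports show up as “Invalid” digests, while the “No” variant points at a one-sided password configuration. TCP MD5 itself is a legacy mechanism (one static shared secret and MD5); TCP-AO (RFC 5925) is its successor where both ends support it.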
Coming June 7th, 2010 – CCIE Voice Deep Dive
As my 4-year recertification timeline was about to lapse, I had to go and pay $350 to recertify. There was no other challenge, as I picked the CCDE written for recertification, keeping in mind to take the practical test again this year. To my greatest surprise, the exam was almost the same as it was in September 2007, when I took the beta version. Just this time the number of questions was 100, not 170, and they give you a chance to review and navigate among the questions (just like it was in the old CCIE Written). Apparently, the CCDE written test engine has never been updated the way that the CCIE R&S Written was, with the new scoring model based on 1000 points. Since 2007 I have spent a considerable amount of time studying (back then I went unprepared, but still passed with 70 points), so the exam went disappointingly easy, as I didn’t see anything new that I hadn’t seen in 2007. As usual, the main focus is on IP Routing with the addition of Tunneling techniques (MPLS, GRE, IPSec) along with QoS, Network Management and Network Security. You may find the very detailed blueprint here (though formatting is broken in a number of places):
The books I found most helpful to prepare were:
- Definitive MPLS Network Designs
- BGP Design and Implementation
- IS-IS: Deployment in IP Networks
- OSPF: Anatomy of an Internet Routing Protocol
- Optimum Routing Designs (you may mainly concentrate on IGP protocols and refer to the book above for BGP)
- EIGRP for IP: Basic Operation and Configuration
- Cisco IP Routing by Alex Zinin (for you hardcore routing fans)
- OSPF and ISIS: Choosing an IGP for Large Scale Networks
- Layer 2 VPN Architectures
- Interconnections, 2nd edition: Bridges, Routers, Switches and Internetworking Protocols. (Just for fun reading and a lot of background information)
- IP Quality of Service by Srinivas Vegesna
The below one might be a good candidate for review the week before your exam. However, be aware of its condensed format and some technical inconsistencies:
- CCDE Quick Reference by Russ White and Mosaddaq Turabi.
Lastly, anyone preparing for the CCDE certification: even though the written test is easy, do not take it lightly, as you’ll need all the knowledge during the practical test. There are other challenges in the practical exam, but hopefully the plan I developed to deal with them will work for me. We’ll see.
INE knows Voice. As the only CCIE vendor on the market employing 4 CCIE Voice Instructors, we are constantly trying to pool our collective brain-trust to find a better way to communicate what we know to you, to help you achieve your goal of passing this rigorous practical exam. We’ve all been mulling over for some time now the best possible way to get this information from our heads to yours. We gave the idea a go where each of us would perform a Vulcan mind-meld with the student; however, there are still a few roadblocks in the way of achieving success with this method. The biggest issue we kept running into was that once Petr would step into the room and begin his knowledge transfer, the candidate’s brain would often overheat, and we ended up taking a few too many to the hospital to have their brains cooled down with liquid nitrogen. Needless to say, we haven’t quite worked all of the technical glitches out of our method just yet.
So instead the idea was collectively reached that we should develop a brand new product that allows us to perform a sort of “Deep Dive” with each candidate. The concept of this “deep-dive” method goes far beyond what most candidates expect, and subsequently receive, when purchasing some fashion of Self-Paced On-Demand or Classroom Bootcamp style training. Instead we take one subject, whatever that subject may be for the day, and we vet it fully. By that I mean that we don’t stop collectively learning until the concept is grasped fully by all candidates.
The format of each class module will be focused around roughly a 4-5 hour window of instruction per topic; however, some topics will inevitably go longer. If a topic spans more than the time allotted in a single day’s module, another day to complete the material will be scheduled, and any attending students will automatically be added to the continuation module.
The specific breakdown for each module will look like this:
- I will lead the discussion for each and every class module
- We will collectively discuss and fully understand all concepts involved in the technology topic for a given day
- We will then define a very specific set of Tasks to be accomplished
- We will whiteboard the Tasks, notes about them, and how they will be logically implemented*
- We will then demonstrate with live, hands-on interaction, how the concepts are implemented and properly configured
- We will test the configuration thoroughly
- While testing, I will vary the configuration so that we all can see how different permutations affect the outcome
- We will Debug and Trace the working configuration to understand what we ‘should be seeing’
- We will then break the configuration and Troubleshoot with more Debugs and Traces to contrast from the working set
*Each whiteboard sketch will be available for download after each module as a separate JPG or PDF document
Cisco has been doing a much better job introducing new topics into the CCIE R&S Written exam.
Be sure to run through Practice Exam 2 again soon as we have updated this exam with some new questions centered around optimizing the network.
Here is a sample for all blog readers to enjoy:
The two engineers, as they grabbed a quick lunch, looked over the following diagram.
The 220.127.116.11/24 network is the GRE tunnel network. The routing in place uses the tunnel interfaces to reach the remote networks 18.104.22.168 and 22.214.171.124. The IPSec policy is to encrypt all GRE traffic between R1 and R3. R1 and R3 are peering with each other using loopback 11 and loopback 33 respectively.
The technicians considered the traffic pattern if a host on the 126.96.36.199/24 network sent a packet to a device on the 188.8.131.52/24 network.
Then they reviewed the configurations (below) and discussed them. Based on what they saw, they just couldn’t completely agree with each other on the following questions:
1. How many IP headers would be in each packet?
2. What would the source and destination address of each IP header be?
3. What order would the IP headers be in (beginning with the outside header)?
4. Would the IPSec be using transport or tunnel mode?
5. Would this be called IPSec over GRE, GRE over IPSec, or something else (like “nightmare”)?
So they called for the expert, YOU, to assist with these questions.
Are you up to the challenge? Answering even one of them will be appreciated, so take a moment now and GO FOR IT!
Post your ideas, and we will put all the people who post ideas into a virtual hat, and draw a winner to receive 100 rack tokens to our preferred lab gear provider, graded labs. Please have your posts in by
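As an added illustration for the questions above (not the answer key, since the configurations the engineers reviewed are not shown on this page, and not code from the original post), the Python below models how IP headers stack up when GRE and IPSec are combined in either order and in either IPSec mode. All addresses in it are constructed placeholders: 10.1.13.x for the GRE tunnel endpoints, 10.11.11.11 and 10.33.33.33 standing in for the loopback peers, and RFC 5737 documentation prefixes for the hosts.

```python
"""Header-stack model for GRE and IPsec encapsulation, outermost header first.

Added illustration for the practice question above; not the answer key and
not code from the original post. All addresses are constructed placeholders.
It shows how the number and order of IP headers follow from the nesting
order (GRE over IPsec vs IPsec over GRE) and from the IPsec mode, and why
transport mode is only possible when the packet being protected is already
addressed between the IPsec peers (otherwise IOS negotiates tunnel mode).
"""


def ip_packet(src, dst, payload="ICMP"):
    """An original host-to-host packet: one IP header plus payload."""
    return [("IP", src, dst), (payload,)]


def gre_encapsulate(stack, tunnel_src, tunnel_dst):
    """GRE prepends a delivery IP header and a GRE header to the packet."""
    return [("IP", tunnel_src, tunnel_dst), ("GRE",)] + stack


def can_use_transport(stack, peer_src, peer_dst):
    """Transport mode reuses the existing IP header, so it must already be peer-to-peer."""
    outer = stack[0]
    return outer[0] == "IP" and {outer[1], outer[2]} == {peer_src, peer_dst}


def esp_encapsulate(stack, peer_src, peer_dst, mode):
    """Apply ESP in 'transport' or 'tunnel' mode to an existing header stack."""
    outer = stack[0]
    if outer[0] != "IP":
        raise ValueError("ESP must be applied to an IP packet")
    if mode == "transport":
        # ESP slips in behind the existing IP header; that header's addresses
        # are what the far end sees, so they must be the peers themselves.
        if not can_use_transport(stack, peer_src, peer_dst):
            raise ValueError("transport mode needs the protected packet addressed between the IPsec peers")
        return [outer, ("ESP",)] + stack[1:]
    if mode == "tunnel":
        # Tunnel mode wraps the whole packet in a new outer IP header.
        return [("IP", peer_src, peer_dst), ("ESP",)] + stack
    raise ValueError("mode must be 'transport' or 'tunnel'")


def ip_headers(stack):
    """(src, dst) of every IP header, outermost first."""
    return [(h[1], h[2]) for h in stack if h[0] == "IP"]


def describe(stack):
    """Readable on-the-wire layout, outermost first."""
    return " | ".join(f"IP {h[1]}->{h[2]}" if h[0] == "IP" else h[0] for h in stack)


if __name__ == "__main__":
    host = ip_packet("192.0.2.10", "198.51.100.20")          # LAN host to LAN host
    gre = gre_encapsulate(host, "10.1.13.1", "10.1.13.3")    # GRE tunnel endpoints
    # GRE over IPsec, tunnel mode: ESP peers are the loopbacks, not the GRE endpoints
    print(describe(esp_encapsulate(gre, "10.11.11.11", "10.33.33.33", "tunnel")))
    # GRE over IPsec, transport mode: only possible when ESP peers == GRE endpoints
    print(describe(esp_encapsulate(gre, "10.1.13.1", "10.1.13.3", "transport")))
    # IPsec over GRE: the ESP packet is what rides inside the GRE tunnel
    esp = esp_encapsulate(host, "10.11.11.11", "10.33.33.33", "tunnel")
    print(describe(gre_encapsulate(esp, "10.1.13.1", "10.1.13.3")))
```

Two things the model makes visible. GRE over IPSec in tunnel mode carries three IP headers (IPSec peers, GRE delivery, original hosts), while transport mode drops to two and is only negotiable when the GRE delivery header is already addressed between the IPSec peers; peering IPSec on one pair of addresses (say, loopbacks) while sourcing the GRE tunnel from another forces tunnel mode. IPSec over GRE is the other nesting: the ESP packet is the payload of the GRE tunnel, so the GRE delivery header and GRE header travel in the clear and only what is inside ESP is protected.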
If you have spent any time in the R&S forums in the IEOC, you have seen the username ndiayemalick. Malick has achieved Elite status in the forum and is always challenging and helping his peers with his excellent posts.
Thank you so much Malick, and we look forward to celebrating your number soon. We are placing 100 GradedLabs rack rental tokens in your account as a small gesture of our appreciation.
I am sure many are interested in Malick’s story…here it is:
My name is Malick Ndiaye, as you already know. I was born in Senegal, West Africa. When I was 15, I moved with my family to the US, precisely Columbus, Ohio. Two and a half years later, in 2001, I got my High School Diploma. Since I finished high school early (January 2001 instead of June 2001) and had all the credits I needed to graduate, I started preparing for my MCSE. At that time, it was a very hot certification to have, but I never finished it.
People tend to underestimate the importance of IGP routing features in modern networks. So here is a small challenge scenario for you to practice OSPF traffic engineering. Take a look at the diagram below for information on the topology and link bandwidths. You may assume that every router has a loopback interface for network testing and OSPF router-id selection.
There is a large cloud of media servers behind R4, and the users behind R1 need to use the full 300Mbps of bandwidth when downloading files from the servers. The network is running single-area OSPF for IP routing. Ensure you can accomplish the above goal without using MPLS Traffic Engineering or Policy Based Routing. You are allowed to create additional logical interfaces, but the routing protocol, OSPF areas, physical links and their characteristics must remain unchanged. Keep the number of changes to a minimum and do not introduce new IP addresses.
The first person to provide a working solution will receive 100 rack rental tokens from our partner company GradedLabs. Please use your valid e-mail address when posting a comment, so we can locate your INE account.
OK, I forgot to rule out the “route-via” option. Try solving the task without relying on any “policy-based” routing decisions.
The winner is: Antonie Henning (http://21500.net). Ivan Pepelnjak helped find a logical “loophole” in my scenario by pointing to the “route-via” option available with GRE tunnels and correctly stating that there should be 6 end-to-end tunnels to implement proper load-balancing. Hans Verkerk was close in his idea, but used static routing, which was slightly against the rules and not as elegant as Antonie’s solution. Chris Stos-Gale and Nitzan Tzelniker came up with the correct solution as well, but Antonie completed the challenge ahead of them. Thanks to everyone for participating in the challenge; it’s been fun!
INE is thrilled to announce the Live Online 5-Day QoS bootcamp. The course begins June 7, 2010 at 11 AM EST US. This course includes:
- The Live Online class
- The Recorded Online class
- An interactive, self-paced version
- An audio bootcamp version
- A full Implementing QoS practice exam with a Tell Me Why PDF
This one-of-a-kind course is targeted at CCIE R&S, Voice, Wireless, and Security candidates, as well as students pursuing their CCIP professional-level certification. Here is the course At A Glance:
Module 1 Overview of QoS
Module 2 Components of QoS
Module 3 The MQC
Module 4 Classification and Marking
Module 5 Congestion Management
Module 6 Congestion Avoidance
Module 7 Policing and Shaping
Module 8 Link Efficiency
Module 9 AutoQoS
Module 10 QoS on Cisco Security Equipment
Module 11 QoS and Wireless