Nov 08

Hi guys, I just wanted to inform you that after a lot of studying, dedication and a lot of practice, I passed my R&S CCIE two days ago. It was my 1st attempt and I feel like I owe a big deal of this success to INE's wonderful products. It started about one and a half years ago when I took my decision to go for my number; I can remember seeing at that time the CCIE numbers rolling on your site and wondering when the day would come for me to join this list. When I started I read almost every book in INE's recommended lists, and sometimes I had to go through the RFCs for guidance. I used both the Advanced Technologies COD and the Troubleshooting Bootcamp COD, I did lab INE Workbook I, II, III and IV and the V4 mock labs, which I didn't actually pass any of but was so close to, and I have to say that these labs were like a bell ringing for me to take care of my common mistakes, which kept me alert when I was doing the real thing. Finally, I can't express how wonderful it is to have your number after all this; I am really HAPPY.

Ahmed Sameh Ashour, CCIE#27395

Congratulations Ahmed! Share in Ahmed's success with $430 off this special workbook bundle containing...

The retail price of this bundle is $1,279; you can get it today through Sunday for only $849. Use discount code 27395 during checkout! These workbooks are ideal for passing the CCIE Lab Exam.

May 07

Thank you to all those who have submitted questions and comments to our blog and our CCIE Instructors. If you have a question, please email them to blog@ine.com.

Question 1:

Can anyone explain what is VPN intercept?

--
Bhavik Joshi

VPN Intercept can mean a few different things, depending on the specific context.

One interpretation is from a driver perspective, where a VPN connection breaks the binding between TCP/IP and the physical interface, acting as a shim.  See also:

http://www.informit.com/articles/article.aspx?p=25042

Another meaning can be in regards to intercepting SSL traffic.

See also:
http://www.howtoforge.com/ssl_vpn_one_time_passcodes_mutual_authentication
PPTP attacks:
http://www.sans.org/security-resources/malwarefaq/pptp-vpn.php
Cisco - VPN-based IPv4 Lawful Intercept Taps -
https://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/lawful_intercept/76LIch2.html#wp1058552

Answered by: Marvin Greenlee, CCIE #12237

Question 2:

Dear Valuable Technical Teachers and Friends,

First of all, I wish and thank you for your great support to all those who are preparing for their network studies. I completed my CCNA two years back. Now I am preparing for the next step. At this point, I have a bit of confusion deciding whether I can do CCNP or CCIE (R&S). I would like to reach a top level in Cisco networking technology, so I am requesting your suggestions on which is best for me.

Also can you suggest any good simulators to improve my practical skills.

--
Thanks,
K.Saleem Jaffer

Thanks for the question. Having the CCIE certification makes for an excellent stepping stone in a technical career. An important aspect of successfully passing the CCIE lab exam is a very solid understanding of all the technologies involved. A great way to prepare for this is through the CCNP level of studies. If a person chooses that path, they would do well to take time to learn the technologies while studying CCNP, and not have the feeling of just learning enough to pass a CCNP written exam. By truly learning the core technologies in CCNP, it will serve as a springboard into the CCIE studies. Many candidates waste large amounts of time in complex configurations because they are lacking the basic understanding of the protocols and technologies that make up the scenario. I would recommend a 1-2 year plan that begins with CCNP, carries into CCIE studies, and ends with you attaining your CCIE. Best wishes in your studies and journey.

Keith

Answered by: Keith Barker, CCIE #6783

Question 3:

Hi.

Would you mind please explaining the benefit of the command "area x nssa default-information-originate"? I know how we use it but I don't know its benefit. And do we use this command on ALL of the routers or just the ABR? When we don't use this, what will happen?

thanks a lot
timaz mohsenzadeh

The benefit of having a default route is that you have somewhere to send traffic when you don't have more specific information.

One point of using stub areas in OSPF is to minimize the information in the OSPF database.

With a stub area, you will have some OSPF routes, but not external routes (E1/E2) in the stub area.  So, if somewhere else across the topology, there is redistribution happening, the device in the stub area won't know about the redistributed networks.  Having a default route out to the ABR can be all that a stub area needs, if the ABR has the routing information to send the traffic forward to the destination.

The R&S Advanced Technologies Class section on OSPF area types shows the difference of not having this command, as well as looking at the contents of the OSPF database.

Marvin

Answered by: Marvin Greenlee, CCIE #12237
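The following configuration is an added example and is not part of Marvin's answer; it uses a constructed topology (R1 as the ABR between area 0 and NSSA area 1, R2 as an internal area 1 router, addresses from 10.0.0.0/24 and 10.0.1.0/24) to show where the command lives and what it injects:

```cisco
! Added illustration, not from the original answer. Constructed topology:
! R1 (ABR) sits between area 0 and NSSA area 1; R2 is an internal router
! in area 1; redistribution into OSPF happens somewhere in area 0.
!
! R1 (the ABR). The "nssa" keyword must match on every router in area 1,
! because the area type is checked when neighbours exchange Hellos.
! The "default-information-originate" keyword is only meaningful on the
! ABR (or an NSSA ASBR that already holds a default route): it makes the
! router originate a Type 7 default LSA (0.0.0.0/0) into area 1.
! Without it an NSSA ABR injects no default at all, unlike the ABR of a
! plain stub area, so R2 would have no path to the E1/E2 destinations
! that the NSSA keeps out of its database.
router ospf 1
 router-id 1.1.1.1
 network 10.0.0.0 0.0.0.255 area 0
 network 10.0.1.0 0.0.0.255 area 1
 area 1 nssa default-information-originate
!
! R2 (internal NSSA router): same area type, no default keyword needed,
! and the keyword would do nothing here since R2 is neither ABR nor ASBR.
router ospf 1
 router-id 2.2.2.2
 network 10.0.1.0 0.0.0.255 area 1
 area 1 nssa
!
! Check on R2: the injected default shows up as an N2 route in
! "show ip route ospf" and as a Type 7 LSA in "show ip ospf database".
! Remove the keyword on R1 and the 0.0.0.0/0 entry disappears from R2.
```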

Question 4:

Hi everybody
I have a question regarding ISDN backup. I have two Cisco routers, an 800 (IOS 12.4(15)T5) and a 1600 (IOS 12.1(4)). The 800 router is the primary link with SHDSL and the backup router is the 1600 with ISDN. I have OSPF running between these two routers and HSRP. Now when the primary link (SHDSL) fails, the backup router (1600) should take over. How can I solve this problem? Or what is a suitable solution? I have searched various forums and Cisco, but I can't find any sample matching my example. I am going to be a CCNA. But I guess there is much left to learn.

Thanks for your help.

Regards Alen

Firstly, you don't need OSPF unless you have IGP requirements for other routers behind the border routers (the 800 and the 1600). You only need HSRP running between the routers and a reliable static route on the primary gateway (SHDSL). Next, configure HSRP to track the static route object in the primary router, and lower the priority when the static route fails. Your Cisco 800 should support this functionality, and the 1600 only needs to know if the active router changes. So here are the steps:

1) Create an IP SLA object in the 800 router, pinging your provider's IP ("ip sla" command)
2) Create an object tracking the state of the IP SLA ping object ("track" command)
3) Create a static default route in the 800 pointing to your ISP and tracking the object above
4) Configure a static default route in the 1600
5) Configure HSRP so that the 800 is the primary gateway
6) Configure HSRP to track the object you created before ("standby XX track" command)
7) Ensure HSRP is configured to preempt so the primary router may kick back in when the link recovers

This will ensure automatic switchover upon the loss of the primary connection and an automatic return back to normal. You may want to read

http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html

for more information on reliable static routes.

Answered by: Petr Lapukhov, CCIE #16379
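The seven steps above, worked into a configuration as an added example (not Petr's own config). Assumptions are constructed: 203.0.113.1 is the directly connected provider address on the SHDSL link, 192.168.1.0/24 is the LAN, 192.168.1.1 is the HSRP virtual gateway, and the LAN interface names (Vlan1 on the 800, Ethernet0 on the 1600) stand in for whatever the actual models use:

```cisco
! ===== Cisco 800 (primary gateway, SHDSL) =====
! Step 1: probe the provider's directly connected address. Probing a
! connected next hop means the probe does not itself depend on the default
! route it controls, so the link can be detected as "up" again later.
ip sla 1
 icmp-echo 203.0.113.1
 frequency 5
ip sla schedule 1 life forever start-time now
!
! Step 2: track object follows the probe. The delays stop a single lost
! ping from flapping the gateway role (values are an assumption).
! On releases older than 12.4(20)T the object is referenced with
! "track 1 rtr 1 reachability" instead.
track 1 ip sla 1 reachability
 delay down 10 up 30
!
! Step 3: the default route stays installed only while track 1 is up.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
!
! Steps 5, 6, 7: HSRP on the LAN side. Priority 110 beats the 1600's 100;
! when track 1 fails the decrement drops it to 90 and the 1600 takes over.
! preempt lets the 800 reclaim the active role once the probe succeeds.
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
 standby 1 ip 192.168.1.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 1 decrement 20
!
! ===== Cisco 1600 (backup gateway, ISDN) =====
! Step 4: default route out the ISDN interface (the ISDN DDR/dialer
! configuration for BRI0 is outside the scope of the answer and omitted).
ip route 0.0.0.0 0.0.0.0 BRI0
!
! Step 5 again, from the backup side. preempt is required here too: an
! active HSRP router does not give up the role just because its priority
! fell, so the standby must preempt to actually take over.
interface Ethernet0
 ip address 192.168.1.3 255.255.255.0
 standby 1 ip 192.168.1.1
 standby 1 priority 100
 standby 1 preempt
!
! Verification: "show track 1" and "show standby brief" on the 800 while
! the probe target is unreachable should show the track down and the
! 1600 as the active router; they revert after the "up" delay expires.
```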

Apr 28

Thank you to all those who have submitted questions and comments to our blog and our CCIE Instructors. If you have a question, please email them to blog@ine.com.

Question 1:

Hi,
Is it possible to recommend the Cisco Press books to read when preparing for the Cisco SP written exam?
Kind Regards

For the written exam, you should make sure you have reviewed the items in the online resources General, Metro Ethernet, and Service Provider sections for the Written Exam Blueprint preparation material.

http://www.cisco.com/web/learning/le3/ccie/sp/online_resources.html

As far as additional books, I recommend reviewing the books in the following sections of the book list:  Cisco Press Titles, MPLS, Service Provider.

http://www.cisco.com/web/learning/le3/ccie/sp/book_list.html

I would also recommend the Cisco Press book titled "MPLS Configuration on Cisco IOS".

Other than books, there are a number of RFCs and other related resources which can be found online.

Answer by: Marvin Greenlee, CCIE #12237

Question 2:

I would very much appreciate if someone could cover this issue for me. I have asked a few times now but never seen anything back on it?

It's regarding MTU:

I would like to know:

How can you tell if you have an MTU Issue

Normally you see your TCP-based application getting "stuck" on large transfers. Essentially, the problem only affects transfers that are over the MTU size. Most TCP implementations have a Path MTU discovery procedure, which uses certain ICMP message types. Often, these messages are blocked by firewalls (corporate or personal), which breaks the Path MTU discovery process.

What is the full impact of an MTU Issue as experienced by end users?

TCP-based applications that involve bulk transfers stop working. For example, you would be able to establish an FTP connection but the file transfer will be stalled.

How should the network devices be configured and tested to see that all is ok (Marvin touched on it in a video and that was great - but if we could have a little more detail please)

You normally have problems if you are using any sort of tunneling in your network (e.g. MPLS, GRE, QinQ etc). They all reduce the maximum MTU and may cause the problems. Use any command line tools to discover the MTU end-to-end, e.g. the tracepath command on Linux: http://linux.die.net/man/8/tracepath . Normally, if you are using any tunneling in your routers, make sure you apply the "ip tcp adjust-mss" command. This will resolve practically all problems, though at the expense of some CPU cycles. In many cases it's easier than going around and fixing interface MTU settings, especially if you have to call your ISP for that :)

Aren't there a lot of different MTU settings, i.e. Global, TCP, Interface, L2/L3 etc.? What are the differences?

In general, MTU applies to L2 and L3 protocols, as those are normally frame/packet oriented.

For Ethernet switches, it's normally a global setting that applies to all Gigabit interfaces (100Mbps Ethernet does not support large MTUs, with some exceptions). For routers, you normally have basic interface MTU settings (L2, mtu command) and IP MTU (ip mtu). It's like a russian-doll model: the lower-level MTU should be larger than the higher-level one. TCP has the notion of MSS, but this is slightly different from MTU - it's an end-to-end characteristic, negotiated by TCP at the start of the connection.

I noticed that if you have MTU set correctly end-to-end you should be able to ping with any packet size (within reason) and it works fine, but if there is a slight mismatch anywhere your ping packets will fail at a certain size! Why is this happening, and why does it work fine then when they match up? Is this to do with fragmentation or something similar???

Right, the router that has the lower MTU would drop the exceeding ICMP packets if they have the DF bit set. Your best tool for end-to-end MTU discovery would be the tracepath utility. Also, just keep in mind that as soon as you are using any tunneling technique in your network you are most likely to run into the problem :)

Would very much appreciate any help with this issue...

Best Regards,

Ian.


Answer by: Petr Lapukhov, CCIE #16379
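As an added illustration (not part of Petr's answer) of the russian-doll MTU relationship and the "ip tcp adjust-mss" fix, assuming a GRE tunnel over a 1500-byte Ethernet link with constructed addresses (192.0.2.0/24 for the underlay, 10.0.0.0/30 inside the tunnel):

```cisco
! Added example, not from the original post. Layering, bottom up:
!   L2 interface MTU .... 1500  (mtu, physical link)
!   tunnel IP MTU ....... 1476  (1500 - 20 outer IP - 4 GRE)
!   TCP MSS clamp ....... 1436  (1476 - 20 IP - 20 TCP)
! Each inner value must fit inside the one below it, otherwise packets
! that leave the LAN at 1500 bytes cannot cross the tunnel unfragmented.
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 mtu 1500
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.2
 ! Weak state: leave "ip mtu" at the tunnel default and no MSS clamp.
 ! A 1500-byte DF packet from a LAN host is dropped here; the host only
 ! learns about it through an ICMP "fragmentation needed" message, and if
 ! a firewall on the path filters ICMP the bulk transfer simply stalls.
 !
 ! Corrected state: declare the real IP MTU and rewrite the MSS in TCP
 ! SYN packets crossing this interface, so hosts never send segments that
 ! would need fragmentation inside the tunnel, ICMP filtering or not.
 ip mtu 1476
 ip tcp adjust-mss 1436
!
! Check, from the router itself (IOS "size" is the whole IP datagram):
!   ping 10.0.0.2 size 1476 df-bit   -> fits the tunnel IP MTU
!   ping 10.0.0.2 size 1477 df-bit   -> one byte too large, dropped
! The size at which DF pings start failing is the effective path MTU,
! which is the behaviour Ian observed from the end host.
```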

Question 3:

Hi,

I have a question which is troubling me a lot these days during my work.

1) What is the difference between Process Switching, Fast Switching and CEF? (I have browsed the whole internet but it's not getting into my head :( )

2) How does the bandwidth statement work in WRED? Please please please reply...

Warm Regards,

Khan

Hello Khan and thank you so much for actively participating in our Blog site!

1) Let’s walk through the technologies of Process Switching, Fast Switching, and Cisco Express Forwarding as well as Distributed CEF in plain English! Once you go through this material, I recommend you read this document from Cisco that I used as a basis for my response. This article should make perfect sense to you following our discussion here:

(http://www.cisco.com/en/US/docs/ios/12_2/switch/configuration/guide/xcfovips.html)

In order to move traffic from network to network in your infrastructure, a router or multilayer switch engages in two overall, inter-related functions – routing and switching. I am sure you understand the routing piece very well…this is where we typically have a dynamic routing protocol at work (such as OSPF), and this protocol helps build a routing table that is consulted to determine the best path to reach a prefix through the network. In the case of OSPF, this best path determination defaults to using bandwidth as the ultimate determining factor in best pathing.

Where students tend to get confused is in the many flavors of switching that are possible on the device:

  • Process switching
  • Fast switching
  • CEF
  • dCEF (Distributed CEF)

First of all, switching on the device involves taking the frame and moving it as quickly as possible from the input interface to the output interface. The switching process also needs to worry about the layer 2 addressing. We will focus here on Ethernet, so the switching process is concerned with addressing the frame with the correct MAC address. As you know, the switching process relies on ARP and the ARP cache to obtain this information.

Process switching is considered the least efficient method of switching on the device. And to think that there was a time where this was all we had! With process switching, the device copies the packet into a system buffer, the route processor then looks up the IP address in the routing table. The frame is then rewritten with the correct destination MAC address and switched to the correct outgoing interface. It is the job of the route processor to calculate the cyclical redundancy check to make sure the frame was not damaged in this procedure.

With Fast Switching, the information required to route and switch the traffic is all stored in a fast-switching cache. In addition to this faster approach, the interface’s processor is able to calculate the CRC, which adds even more to the efficiency of the procedure.

With Cisco Express Forwarding, we have even more efficiency! Now the route processor is building everything it needs to handle the routing and switching of traffic right in memory. The routing table is parsed and stored in memory as something called the Forwarding Information Base (FIB) and the ARP Cache information is stored in what is called the Adjacency Table.

Stepping up the efficiency one more notch – some devices are capable of dCEF. With this approach, the line cards installed in the multilayer switch are capable of doing the CEF right there at the line card level! Wow – more speed.

As you might guess, all devices from Cisco now are defaulting to the CEF mode of operation to provide the greatest performance levels possible right “out of the box”.

2) Hmmm – there is no bandwidth command in WRED that I am aware of…I think you might be confusing two different QoS features here. And both can be used in conjunction with each other…that is probably what you have seen. The bandwidth command is used in the configuration of Class-Based Weighted Fair Queuing to guarantee a minimum amount of bandwidth during times of congestion. While this is cool, the default Congestion Avoidance approach in the queue is Tail Drop. This can be changed by adding WRED (with the random-detect command) to the CBWFQ configuration.

Jul 16

Brian McGahan and I will be running our first Advanced Troubleshooting Bootcamp the week of Oct 12th and a second run the week of Nov 9th. The CoD will be released the week after the first bootcamp (Monday Oct 19th). Information about the new Advanced Troubleshooting Bootcamp can be found here:

http://www.ine.com/ccie-routing-switching-advanced-troubleshooting-bootcamp.htm

The price of the CCIE 2.0 program will increase to reflect the addition of the new Volume 4 workbook and now this new Advanced Troubleshooting Bootcamp (from $2995 to $3595). Existing 2.0 customers can upgrade using the links below:

CCIE 2.0 Upgrade Bundle (VOLIV + T/S COD): $595
Current CCIE 2.0 customers can upgrade to newest CCIE 2.0 Program, which includes CCIE R&S Volume IV Lab Workbook and CCIE R&S Advanced Troubleshooting Bootcamp CoD.

http://store.internetworkexpert.com/cart.php?target=product&action=buynow&product_id=801&category_id

CCIE 2.0 Upgrade (T/S COD): $495
Current CCIE 2.0 customers who have already purchased Volume IV can get $100 off the price and upgrade to the CCIE R&S Advanced Troubleshooting Bootcamp CoD.

http://store.internetworkexpert.com/cart.php?target=product&action=buynow&product_id=802&category_id
