Posted by: Richard @ Configureterminal.com | June 25, 2008

Breaking news….

x5 CCIE - Brian Dennis
                    +
x3 CCIE - Brian McGahan
                    +
x4 CCIE - Petr Lapukhov

and now….
                    +
x4 CCIE - Scott Morris

at InternetworkExpert → It’s the Cisco equivalent of the Real Madrid Galacticos! :)

Posted by: Richard @ Configureterminal.com | June 24, 2008

Week 24 Summary

Week 24 → “It’s a relief that I no longer need to keep to the ridiculous schedule I had set for myself! → Fully-prepared in 17 days! → Who was I kidding?”


Week’s Study Time:

Study Hours = 11  inc.
Lab Hours = 0

Total study time so far:
Total Study Hours = 291  inc.
Total Lab Hours = 20.5

What I have studied this week:
Ethernet Basics
802.1d
PVST+
802.1w
802.1s
Spanning Tree Protocol Protection
VLANs
VTP
Trunks
Private VLANs
Interface Bundling
IP Addressing inc. NAT

Recent test scores:
Numerous Boson ExSim tests….


The ‘CCIE Quickfire’ workbook I have created is maturing nicely; I have been running through all of the questions at least twice a day over the last few days and it’s becoming a fantastic tool to aid my short and long term memory of all things routing and switching.  I have been using the 2 hours of study in the evening to review notes and then update the workbook with new questions for each technology I come up against. I am, however, going to need to re-arrange the workbook every now and again - knowing ‘Ethernet Basics’ inside-out obviously isn’t as important as knowing ‘BGP’, yet I’ll be answering the questions on it many more times the way the workbook is arranged at the moment…..
Here is a copy of the workbook as it is now (right click – save target as); my colleague “SP” has been a great help to me over the last few days because he has also worked through a few questions and pointed out little bits of information I should add in.

I’ve spotted one or two excellent articles around the ‘blogosphere’ during the last week, here are some of them:
1) “U.U.U.U” → ever wondered what this means? → head over to packetlife.net to find out
2) Tutorial: Filtering Routes in OSPF Part 1 » Filtering Within An Area by Arden Packeer
3) CCIE Job Searching by Emmanuel Conde
4) A series of MPLS related articles by Human Modem

An announcement:
I will be moving onwards and upwards next month into a Systems Engineer role at Cisco! :)  I am over-the-moon; it was a dream of mine when I focused on networking just 4 years ago that I didn’t think would ever materialize – and now it has!  I really can’t wait for the opportunity to work within such a dynamic and prestigious company. :)
One of my first tasks within my new role will be a trip to San Jose – I have earmarked the evenings in the hotel as ‘intense-study’ evenings, hopefully that time will take me past the 350-001 ‘knowledge-line’ and get a base-level in place ready for lab prep.
I think you will now understand why my manager has asked me to postpone my 350-001 written exam for a few weeks.

Posted by: Richard @ Configureterminal.com | June 19, 2008

Maybe not by the end of 2008 then…..

Due to the current circumstances at work I have had to re-schedule my 350-001 exam → the new date is August 19th → at least I have less need to panic now :)

Posted by: Richard @ Configureterminal.com | June 19, 2008

Learning Method

Last night I was reading through my “Ethernet Basics” and “Spanning Tree” notes and thought to myself - “Can I realistically take in all of my notes using this approach in the time I have left? ….and then also answer probing questions?” → an easy approach would be to hammer away at Boson ExSim and hope it covers everything I need; in the event that I should come across something I don’t know the answer to I can then go away and look it up….
If I know myself as well as I hope I do, I know that just won’t work, I’ll get complacent and bored….  by complacent I mean I’ll read through my notes thinking “yeah, yeah, ok…..” and then when I’m quizzed about specifics I might begin to get into a panic (“should I re-arrange the exam?…..”)

I decided last night that I need to be more ‘dynamic’ in my approach to studying down the home stretch and therefore began to create myself a ‘quick-fire workbook’.  The idea being that for each technology I reach: I read through my notes converting key points into questions → I then add the questions to my workbook → answer the questions without my notes available during the same evening → study more if required → use Boson ExSim → and then during lunch the next day run through my workbook again.

And here is what I have put-together, it’s probably not everybody’s cup-of-tea but it seems to be working for me.

The beginnings of the workbook can be found below:

CCIE R&S Quick-fire Workbook
(Note. Rename to .xls)

Please let me know what you think about the idea/workbook.

Posted by: Richard @ Configureterminal.com | June 17, 2008

Week 23 Summary

Week 23 → “The written home stretch is upon me….”


Week’s Study Time:

Study Hours = 9  inc.
Lab Hours = 0

Total study time so far:
Total Study Hours = 280  inc.
Total Lab Hours = 20.5

What I have studied this week:
IPv6 Addressing and Types
EIGRPv6
IPv6 Neighbor Discovery
OSPFv3
RIPng
IPv6 Tunneling

Recent test scores:
none


Well, last week was a very difficult week → I struggled to motivate myself all week and quite frankly I think it was due to sheer boredom of studying network technologies night after night → I only have 3 weeks left until my written exam date but I’m seriously considering taking a few days off – it might be better for me in the long run….
This evening will be the last night I spend with IPv6; I will initially take a look at RIPng, review all of my IPv6 notes, and self-test → after taking a look at the written exam blueprint I had noticed RIPng didn’t make an appearance and therefore omitted it from my studies; I realised today that it features on the lab blueprint!  Why-o-why can’t the blueprints just cover the same protocols/technologies!  I appreciate I don’t need to learn about RIPng for my 350-001 date but I want to keep my lab prep as hands-on as possible….
I have put together a time plan for the countdown to my written exam date which will be used to review each subject and self-test (working to the idea that I don’t take time off + taking some annual leave); it can be found below:

June 18th – Ethernet Basics; Spanning Tree Protocol
June 19th – VLANs and VLAN Trunking; Interface Bundling
June 20th – IP Addressing; IP Services
June 22nd – TCP/IP Transport and Application Services; IP Forwarding
June 23rd – RIPv2 + Protocol Independent Features
June 24th – EIGRP + Protocol Independent Features
June 25th – OSPF + Protocol Independent Features
June 26th – OSPF + Protocol Independent Features
June 27th – BGP + Protocol Independent Features
June 29th – BGP + Protocol Independent Features
June 30th – BGP + Protocol Independent Features
July 1st – QoS
July 2nd – QoS
July 4th – WAN; MPLS
July 5th – IP Multicast
July 6th – Security; IPv6
July 7th – Self-test on all subjects

Setting clear targets causes me to respond better when faced with a day/evening when I really can’t be bothered….

Lastly for today’s post - Here is a useful table I’ve added to my notes:

Common IPv6 into IPv4 tunnelling methods:

Tunnel Mode | Topology and Address Space | Applications | tunnel mode | Tunnel Destination Address
Automatic 6to4 | Point-to-multipoint; 2002::/16 addresses | Connecting isolated IPv6 networks | ipv6ip 6to4 | IPv4 address
Manually configured | Point-to-point; Any address space; Requires dual-stack at both ends | IPv6 packets across IPv4 networks | ipv6ip | IPv4 address
IPv6 over IPv4 GRE | Point-to-point; Unicast addresses; Requires dual-stack at both ends | IPv6, CLNS, and other traffic across IPv4 networks | gre ip | Automatically determined
ISATAP | Point-to-multipoint; Any multicast addresses | Connection of IPv6 hosts within a single site | ipv6ip isatap | Automatically determined
Automatic IPv4-compatible | Point-to-multipoint; ::/96 address space; Requires dual-stack at both ends | Deprecated - Use ISATAP tunnels instead | ipv6ip auto-tunnel | Automatically determined

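The address spaces in the table (6to4’s 2002::/16, ISATAP’s interface identifier, and the deprecated ::/96 IPv4-compatible space) are mechanical enough to compute, and doing so shows why the tunnel destination can be “automatically determined” for the automatic modes: the IPv4 endpoint is embedded in the IPv6 address itself. The following Python is an added example (not from the original post or from any Cisco documentation) using only the standard library. It builds each address form from an IPv4 endpoint, recovers the endpoint from an address, and classifies an address by the scheme it belongs to. The ISATAP identifier uses the 0000:5EFE form (RFC 5214 also defines setting the u bit for globally unique IPv4 addresses), and all sample addresses are constructed.

```python
import ipaddress

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")     # 6to4 site prefixes live here
IPV4_COMPAT = ipaddress.IPv6Network("::/96")       # deprecated IPv4-compatible space
ISATAP_IID_TAG = 0x00005EFE                        # interface identifier 0000:5EFE:w.x.y.z


def sixtofour_prefix(ipv4: str) -> str:
    """6to4: 2002::/16 with the 32-bit IPv4 address appended gives the site's /48."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    prefix = (0x2002 << 112) | (v4 << 80)
    return str(ipaddress.IPv6Network(f"{ipaddress.IPv6Address(prefix)}/48"))


def sixtofour_endpoint(ipv6: str) -> str:
    """Recover the IPv4 tunnel endpoint from bits 16-47 of a 2002::/16 address.
    This is the 'automatic' part: no tunnel destination needs to be configured."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in SIXTOFOUR:
        raise ValueError(f"{ipv6} is not a 6to4 address")
    return str(ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF))


def isatap_address(prefix: str, ipv4: str) -> str:
    """ISATAP: any /64 prefix plus the interface identifier 0000:5EFE:<IPv4 address>."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix")
    iid = (ISATAP_IID_TAG << 32) | int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def isatap_endpoint(ipv6: str) -> str:
    """Recover the IPv4 endpoint from the low 32 bits of an ISATAP address."""
    n = int(ipaddress.IPv6Address(ipv6))
    if (n >> 32) & 0xFFFFFFFF != ISATAP_IID_TAG:
        raise ValueError(f"{ipv6} does not carry an ISATAP interface identifier")
    return str(ipaddress.IPv4Address(n & 0xFFFFFFFF))


def ipv4_compatible(ipv4: str) -> str:
    """Deprecated IPv4-compatible form: the IPv4 address in the low 32 bits of ::/96."""
    return str(ipaddress.IPv6Address(int(ipaddress.IPv4Address(ipv4))))


def classify(ipv6: str) -> str:
    """Name the tunnelling scheme an address belongs to, following the table's address spaces."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr in SIXTOFOUR:
        return "6to4"
    if addr in IPV4_COMPAT:
        return "IPv4-compatible (deprecated)"
    if (int(addr) >> 32) & 0xFFFFFFFF == ISATAP_IID_TAG:
        return "ISATAP"
    return "none"


if __name__ == "__main__":
    # constructed sample endpoints, not taken from any real network
    print(sixtofour_prefix("192.0.2.1"))                      # 2002:c000:201::/48
    print(sixtofour_endpoint("2002:c000:201:1::1"))           # 192.0.2.1
    print(isatap_address("2001:db8::/64", "10.1.1.1"))        # 2001:db8::5efe:a01:101
    print(ipv4_compatible("10.1.1.1"))                        # ::a01:101
    print(classify("2001:db8::5efe:a01:101"))                 # ISATAP
```

Because the IPv4 endpoint is recoverable from the address, a tunnel endpoint receiving a 6to4 or ISATAP packet can derive the encapsulating IPv4 destination on its own, which is exactly what the manually configured and GRE modes cannot do without an explicit tunnel destination.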
Posted by: Richard @ Configureterminal.com | June 11, 2008

Week 22 Summary

Week 22 → “Almost there….”


Week’s Study Time:

Study Hours = 13  inc.
Lab Hours = 2

Total study time so far:
Total Study Hours = 271  inc.
Total Lab Hours = 20.5

What I have studied this week:
LDP + TDP
MPLS Unicast IP Forwarding
MPLS VPN
Other MPLS Applications

Recent test scores:
8/9
- I’m very disappointed that Boson’s Exsim doesn’t have a MPLS category :(


I must be amongst the worst bloggers in the Cisco blogging community!  My apologies about the lack of useful/resourceful posts over the last couple of weeks - I’ve been sidetracked by something important recently (I might have an announcement to make in the near future….)

To try and make up for it you can find a downloadable presentation below, I created it for myself last week and thought someone else might find it useful - it covers MPLS VPNs:

The presentation starts with MPLS Unicast IP Forwarding and then moves on to MPLS VPNs including many of the CE to PE routing options available (some knowledge is assumed).  Please leave a comment if you would like a copy of the full configurations of the provider routers (inc. comments I have added) – it might make the mud a bit clearer.
I really enjoyed studying MPLS and hopefully with the written exam homestretch within sight I’ll experience the same with the next technology.

And the next technology for me to cover is IPv6… and I’m really struggling to motivate myself for this :( (yes, that scuppers my plans to enjoy studying it to some degree :)).  So far, I have taken the same approach for all of the technologies I have studied – i.e. read → take written notes → convert to electronic notes → lab it → review → self-test → final review; I really can’t be bothered to go through all of that for IPv6!  Especially with my exam date approaching fast!  I quickly realised last night that although IPv6 isn’t a core topic you need to understand many aspects of it and how it affects ‘real’ networks → IP Addressing, Routing (+ Routing Protocols), Multicast Routing, Tunneling (migration) etc etc.  Up until now (i.e. CCNP) all I have had to learn about is EUI-64 and a few other things – the CCIE written and lab exams expect a lot more from you!  I might decide to ‘mix-it-up’ and take a different approach to my IPv6 coverage.

Lastly for this post, please may I ask that any errors in the presentation are pointed out to me via a comment → I’m new to MPLS and I expect I have made a few of them…..

Posted by: Richard @ Configureterminal.com | June 4, 2008

May/June Newsletters

FYI.
New ConfigureTerminal.com and Internet Expert Newsletters have been published:

ConfigureTerminal.com May Newsletter inc. video demonstrations of GNS3 and Putty Connection Manager

Internetwork Expert June Newsletter inc. an explanation of the ip multicast helper-map command and the announcement of a scholarship program

Posted by: Richard @ Configureterminal.com | June 2, 2008

Week 21 Summary

Week 21 → “that wasn’t too bad!”


Week’s Study Time:

Study Hours = 12  inc.
Lab Hours = 0

Total study time so far:
Total Study Hours = 258  inc.
Total Lab Hours = 18.5

What I have studied this week:
MPLS

Recent test scores:
n/a

My initial hesitation when approaching MPLS turned out to be an unfounded wariness.  I was initially intimidated by MPLS because I’ve only had dealings with the CE side of things and therefore I hadn’t ever peered inside the ‘cloud’.  It turns out that once you get ‘under-the-hood’ it really isn’t as complicated as it first appears! :)  I remember the first time MPLS was explained to me and “OSPF or IS-IS here, BGP here, TDP or LDP here, provider to customer dynamic routing protocol here” caused me to fear ever having to deal with it outside of studying, but after the last couple of nights I’m now in a position to put some good notes together to return to in a few weeks.  I am currently putting together an MPLS VPN example featuring OSPF + LDP in the cloud, IBGP between the PE routers (the only option), and RIP, OSPF, EIGRP, BGP, and statics between PE routers and CE routers for a couple of VPNs → a complicated diagram but one I think I need to create to understand the PE to CE configuration as well as I ought to.

I’ve got around 12 hours to spend with MPLS now so I shouldn’t be ‘squeezing’ anything in to meet dates :)

I find MPLS to be a very interesting area to study/lab but like ‘security’ I am aware that I shouldn’t spend too much time looking at it → MPLS features on the Written Exam Blueprint but not the Lab Blueprint :(  Oh well, maybe I’ll find a few months to squeeze the Service Provider IE in at some point….

Lastly, I’d like to say a couple of congratulations:
- Good friends of mine, Edward and Becky have recently become parents for the second time → a big welcome to Megan!
- The second congratulations is to my colleague and pal Steve Pomfret who passed the 350-001 CCIE R&S Written Exam last Friday!

Posted by: Richard @ Configureterminal.com | May 27, 2008

Week 20 Summary

Week 20 → “and then there were two….”


Week’s Study Time:

Study Hours = 14.5  inc.
Lab Hours = 0

Total study time so far:
Total Study Hours = 246  inc.
Total Lab Hours = 18.5

What I have studied this week:
AAA
PPP Security
DAI
Private VLANs
Port Security
802.1x
DHCP Snooping
IP Source Guard
Storm Control
Protected Ports + Port Blocking
SNMP/Logging
Router Services
Reflexive ACLs
Time Based ACLs
Turbo ACLs
ACL Logging
Port ACLs
VLAN Maps
TCP Intercept
Reverse Path Forwarding
CBAC
Authentication Proxy
CLI Views
IPSec
RMON
DMVPN

Recent test scores:
25/30
12/15
3/3
9/9

Security is an area that I could spend a lot of time with but I’ve done well to control myself on this occasion and compact everything I need to know for CCIE R&S into one week.
I have come across many of the protocols/technologies available on IOS loaded devices in the past, having taken the time to read the 3550 + 3560 + 3750 configuration guides and thinking “that’s a great feature, let’s roll that out….” “that’s a great feature, let’s roll that out….” (I miss the days before my first major mess-up, and then of course the spread of the “change control” bug).  For example, I ‘broke’ a network configuring DAI, but because it was a Sunday and the offices weren’t open I had some time to play around with it – sometimes the best way to learn about something is to break it and then put it back together again….  It turned out that the DHCP snooping binding database wasn’t populated before DAI kicked in.
I’ve always made use of switch port macros and all of the edge port macros I have defined include configuration lines for port security, DHCP snooping, storm-control etc etc ← much of the theory is still fresh in my mind.

This last week I’ve managed to get into the habit of waking up at 5 or 6am and studying for an hour in the morning → I have been amazed how much I can take in at such an early hour (for me) so I plan to continue to do it for the foreseeable future → “the early bird catches the worm”

Next-up is MPLS, and then lastly IPv6 before I start my prep specifically for the 350-001 exam → I can see the light at the end of the tunnel!
I can’t put it into words how much I can’t wait to swing my study time towards the practical side of things after spending so much time pretty-much exclusively with the theory :)

Posted by: Richard @ Configureterminal.com | May 21, 2008

An excerpt from my ‘Layer 2 Security’ notes

Layer 2 Security – “Use either Dynamic ARP Inspection (DAI) or private VLANs to prevent frame sniffing”

Introduction to DAI:

- DAI prevents man-in-the-middle attacks that misuse IP ARP (gratuitous ARPs)
- DAI checks at ingress only
- When DAI is enabled, all ports are untrusted by default; ports configured as trusted bypass DAI checks

General Configuration (DHCP Snooping binding database used):

ip arp inspection vlan ‘vlan-range’
!
interface GigabitEthernet0/1
 ip arp inspection trust


The DHCP snooping database is usually the primary source of information to be entered into the DAI database → therefore, DHCP snooping should be enabled before DAI; however it isn’t a pre-requisite → static MAC to IP mappings can be added using an ARP ACL (takes precedence):

arp access-list host1
 permit ip host 1.1.1.1 mac host 1111.2222.3333
 exit
!
ip arp inspection filter host1 vlan 1
!
interface GigabitEthernet0/1
 no ip arp inspection trust


In this example the uplink to a switch that doesn’t run/support DAI is untrusted to prevent a security hole from being opened by trusting the interface (this is the primary reason why an ARP ACL would sometimes be preferred)

Security Hole Details: DAI ensures that hosts on untrusted interfaces connected to a switch running DAI do not poison the ARP caches of other hosts in the network. However, DAI does not prevent hosts in other portions of the network from poisoning the caches of the hosts connected to a switch running DAI (downstream from a trusted interface)

Optional Additional DAI Checks:

More than one check is supported, but they must all be listed on the same configuration line – a later validate command replaces the earlier one rather than adding to it

1) Check the source MAC address in the Ethernet header against the sender MAC address in the ARP body → performed on both ARP requests and responses → packets with different MAC addresses are classified as invalid and are dropped; to enable this DAI check (“step 3”):

ip arp inspection validate src-mac


2) Check the destination MAC address in the Ethernet header against the target MAC address in the ARP body → performed on ARP replies → packets with different MAC addresses are classified as invalid and are dropped; to enable this DAI check (“step 4”):

ip arp inspection validate dst-mac


3) Check the ARP body for invalid and unexpected IP addresses → addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses → sender IP addresses are checked in all ARP requests and responses, and target IP addresses are checked only in ARP responses; to enable this DAI check (“step 5”):

ip arp inspection validate ip
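To make the ARP ACL precedence, the DHCP snooping binding lookup and the three optional checks concrete, here is an added Python model of the DAI decision path (example code, not from the original post and not Cisco IOS code). It follows the step numbering in the notes above (ARP ACL first, then the binding table, then the src-mac, dst-mac and ip validations), treats the `static` keyword on `ip arp inspection filter` as “no fall-through to the binding table when nothing matches” (an assumption about IOS behaviour), and runs over constructed frames: a legitimate gateway reply covered by an ARP ACL, a reply from an untrusted host that claims the gateway’s IP with its own MAC, a request whose Ethernet source MAC disagrees with its ARP sender MAC, a reply with an invalid target IP, and a frame on the trusted uplink. All ports, addresses and MACs are made up.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Set, Tuple

ARP_REQUEST, ARP_REPLY = 1, 2


def norm_mac(mac: str) -> str:
    """Accept Cisco dotted (1111.2222.3333) or colon form and compare the raw hex digits."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


@dataclass
class ArpFrame:
    """One ARP packet as the switch receives it: Ethernet header fields plus ARP body fields."""
    vlan: int
    port: str
    eth_src: str
    eth_dst: str
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


@dataclass
class DaiConfig:
    trusted_ports: Set[str] = field(default_factory=set)
    bindings: Dict[Tuple[int, str], str] = field(default_factory=dict)  # (vlan, ip) -> mac, from DHCP snooping
    arp_acl: List[Tuple[str, str, str]] = field(default_factory=list)   # (action, ip, mac) entries
    acl_static: bool = False      # assumption: `static` keyword means no fall-through to bindings
    validate_src_mac: bool = False
    validate_dst_mac: bool = False
    validate_ip: bool = False


def invalid_ip(ip: str) -> bool:
    """Addresses the ip validation rejects: 0.0.0.0, 255.255.255.255 and any multicast address."""
    return ip in ("0.0.0.0", "255.255.255.255") or IPv4Address(ip).is_multicast


def dai_inspect(cfg: DaiConfig, f: ArpFrame) -> Tuple[str, str]:
    """Return ('permit' | 'drop', reason) for one ARP frame."""
    if f.port in cfg.trusted_ports:
        return "permit", "trusted port bypasses DAI"

    # Step 1: the ARP ACL takes precedence over the DHCP snooping bindings.
    acl_permitted = False
    for action, ip, mac in cfg.arp_acl:
        if f.sender_ip == ip and norm_mac(f.sender_mac) == norm_mac(mac):
            if action == "deny":
                return "drop", "arp acl deny"
            acl_permitted = True
            break
    if not acl_permitted:
        if cfg.arp_acl and cfg.acl_static:
            return "drop", "arp acl implicit deny"
        # Step 2: the sender IP/MAC pair must match a DHCP snooping binding on this VLAN.
        bound = cfg.bindings.get((f.vlan, f.sender_ip))
        if bound is None or norm_mac(bound) != norm_mac(f.sender_mac):
            return "drop", "no dhcp snooping binding for sender"

    # Step 3: Ethernet source MAC against ARP sender MAC (requests and replies).
    if cfg.validate_src_mac and norm_mac(f.eth_src) != norm_mac(f.sender_mac):
        return "drop", "src-mac mismatch"
    # Step 4: Ethernet destination MAC against ARP target MAC (replies only).
    if cfg.validate_dst_mac and f.opcode == ARP_REPLY and norm_mac(f.eth_dst) != norm_mac(f.target_mac):
        return "drop", "dst-mac mismatch"
    # Step 5: sender IP on every packet, target IP on replies.
    if cfg.validate_ip:
        if invalid_ip(f.sender_ip):
            return "drop", "invalid sender ip"
        if f.opcode == ARP_REPLY and invalid_ip(f.target_ip):
            return "drop", "invalid target ip"
    return "permit", "passed all checks"


def sample_config() -> DaiConfig:
    # constructed: gateway 10.0.0.1 is static (ARP ACL), host 10.0.0.10 was learned by DHCP snooping
    return DaiConfig(
        trusted_ports={"Gi0/24"},
        bindings={(1, "10.0.0.10"): "00:11:22:33:44:55"},
        arp_acl=[("permit", "10.0.0.1", "0000.0c07.ac01")],
        validate_src_mac=True, validate_dst_mac=True, validate_ip=True,
    )


def sample_frames() -> List[ArpFrame]:
    gw, host = "0000.0c07.ac01", "00:11:22:33:44:55"
    return [
        # legitimate gateway reply on an untrusted port, covered by the ARP ACL
        ArpFrame(1, "Gi0/1", gw, host, ARP_REPLY, gw, "10.0.0.1", host, "10.0.0.10"),
        # untrusted host answering for the gateway's IP with its own MAC (cache poisoning attempt)
        ArpFrame(1, "Gi0/2", "de:ad:be:ef:00:01", host, ARP_REPLY, "de:ad:be:ef:00:01", "10.0.0.1", host, "10.0.0.10"),
        # bound host, but the Ethernet source MAC disagrees with the ARP sender MAC
        ArpFrame(1, "Gi0/3", "de:ad:be:ef:00:02", "ff:ff:ff:ff:ff:ff", ARP_REQUEST, host, "10.0.0.10", "00:00:00:00:00:00", "10.0.0.1"),
        # bound host reply whose target IP is the broadcast address
        ArpFrame(1, "Gi0/3", host, gw, ARP_REPLY, host, "10.0.0.10", gw, "255.255.255.255"),
        # anything arriving on the trusted uplink is forwarded unchecked
        ArpFrame(1, "Gi0/24", "de:ad:be:ef:00:03", host, ARP_REPLY, "de:ad:be:ef:00:03", "10.0.0.1", host, "10.0.0.10"),
    ]


def demo() -> List[Tuple[str, str]]:
    cfg = sample_config()
    return [dai_inspect(cfg, f) for f in sample_frames()]


if __name__ == "__main__":
    for frame, (verdict, why) in zip(sample_frames(), demo()):
        print(f"{frame.port:7} {verdict:6} {why}")
```

The last frame is the point of the “Security Hole Details” note above: a trusted interface is a statement that everything behind it has already been inspected, so the model forwards it without looking at the ARP body at all.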

 

DAI Logging:

DAI packet drop = entry in the log buffer (a log-buffer entry can represent more than one packet) → then generate system messages on a rate-controlled basis → clear the entry from the log buffer.  Each log entry contains flow information, such as the receiving VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses
DAI Logging Defaults:
- The number of entries in the log is 32
- The number of system messages is limited to 5 per second
- The logging-rate interval is 1 second

DAI Logging Configuration:

ip arp inspection log-buffer {entries ‘0-1024’ | logs ‘0-1024’ interval ‘0-86400’}

- “interval” no. must be >“logs” no.
- 0 for “logs” = entry but no message
- 0 for “interval” = entry + immediate message (1 for 1)

By default, all denied/dropped packets are logged (“logged” = an entry is placed in the log buffer and a system message is generated).  To control the type of packets which are logged on a per-VLAN basis:

ip arp inspection vlan ‘vlan-range’ logging {acl-match {matchlog | none} | dhcp-bindings {all | none | permit}}


DAI causes a switch to work harder (CPU used); this opens up another possible attack → a DoS attack using large numbers of ARP messages → default protection = a limit of 15 ARP messages per port per second on untrusted interfaces → >15 messages = ‘errdisable’ (a recovery option is available).  To change the threshold on a per-interface basis:

ip arp inspection limit {rate ‘0-2048 pps’ [burst interval ‘1-15 secs’] | none}
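The two rate-controlled behaviours in the notes above, the log buffer that turns dropped-packet entries into at most `logs` system messages per `interval`, and the per-port ARP limit that errdisables an untrusted port, are easier to reason about in a small simulation. The following Python is an added example, not from the original post and not IOS code. Its message text is a constructed format rather than a real IOS syslog mnemonic, the buffer is assumed to overwrite its oldest entry when full, and `burst interval` is modelled as allowing `rate × interval` packets within any window of `interval` seconds; all three are assumptions about IOS behaviour, and the drop records and flood timings are made up.

```python
from collections import deque
from typing import Deque, Dict, List, Optional, Set, Tuple


class DaiLogBuffer:
    """Model of `ip arp inspection log-buffer entries E logs L interval I`.
    logs=0: entries are kept but no system message is ever generated.
    interval=0: every entry produces a message immediately (one for one)."""

    def __init__(self, entries: int = 32, logs: int = 5, interval: int = 1) -> None:
        self.capacity, self.logs, self.interval = entries, logs, interval
        self.buffer: Deque[Tuple[float, int, str, str, str, str]] = deque()
        self.messages: List[str] = []      # constructed message format, not IOS syslog text
        self._window_start: Optional[float] = None
        self._sent_in_window = 0

    def record_drop(self, t: float, vlan: int, port: str, sender_ip: str, sender_mac: str, reason: str) -> None:
        if len(self.buffer) >= self.capacity:
            self.buffer.popleft()          # assumption: the oldest entry is overwritten when full
        self.buffer.append((t, vlan, port, sender_ip, sender_mac, reason))
        self._emit(t)

    def _emit(self, t: float) -> None:
        if self.logs == 0:
            return
        if self.interval == 0:
            budget = len(self.buffer)
        else:
            if self._window_start is None or t - self._window_start >= self.interval:
                self._window_start, self._sent_in_window = t, 0
            budget = self.logs - self._sent_in_window
        while budget > 0 and self.buffer:
            _, vlan, port, ip, mac, reason = self.buffer.popleft()   # reported entries are cleared
            self.messages.append(f"DAI drop: vlan {vlan} port {port} sender {ip}/{mac} ({reason})")
            self._sent_in_window += 1
            budget -= 1


class ArpRateLimiter:
    """Model of `ip arp inspection limit rate R burst interval B` on untrusted ports:
    more than R*B ARP packets inside any B-second window errdisables the port.
    rate=None models `limit none`."""

    def __init__(self, rate: Optional[int] = 15, burst_interval: int = 1) -> None:
        self.rate, self.burst = rate, burst_interval
        self._seen: Dict[str, Deque[float]] = {}
        self.errdisabled: Set[str] = set()

    def arrive(self, port: str, t: float) -> str:
        if port in self.errdisabled:
            return "errdisable"
        if self.rate is None:
            return "forwarded"
        window = self._seen.setdefault(port, deque())
        window.append(t)
        while window and window[0] <= t - self.burst:
            window.popleft()               # forget arrivals outside the burst interval
        if len(window) > self.rate * self.burst:
            self.errdisabled.add(port)
            return "errdisable"
        return "forwarded"

    def recover(self, port: str) -> None:
        """What errdisable recovery does: clear the port's state and re-enable it."""
        self.errdisabled.discard(port)
        self._seen.pop(port, None)


def demo_log_buffer() -> Tuple[int, int]:
    """8 drops inside one second with the defaults: 5 messages out, 3 entries still waiting."""
    log = DaiLogBuffer()
    for i in range(8):
        log.record_drop(i * 0.1, 1, "Gi0/2", "10.0.0.1", "de:ad:be:ef:00:01", "no dhcp snooping binding")
    return len(log.messages), len(log.buffer)


def demo_rate_limit() -> Tuple[int, str]:
    """A constructed 20 pps ARP burst on an untrusted port trips the default 15 pps limit."""
    rl = ArpRateLimiter()
    forwarded, outcome = 0, ""
    for i in range(20):
        outcome = rl.arrive("Gi0/2", i * 0.05)
        forwarded += outcome == "forwarded"
    return forwarded, outcome
```

The defaults mean a burst of drops produces five messages in the first second and the rest drain in later intervals, so a quiet syslog does not imply a quiet port; `show ip arp inspection log` reads the buffer directly. The rate limiter shows why `limit rate` needs care on ports behind a hub or a non-DAI switch: the count is per port, not per host, so one noisy neighbour errdisables everyone on that port.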

 

General DAI Commands:

show arp access-list
show ip arp inspection interfaces
show ip arp inspection log
show ip arp inspection vlan
show ip arp inspection statistics
clear ip arp inspection statistics


On a side note.
You may have noticed the grey config/output boxes in my posts had stopped displaying borders around them and now they have re-appeared in this post.  Editing a post within WordPress is limited, so I copy and paste a Word document – this method gives its own troubles, such as having to hold the shift key when moving down a line (otherwise html = default of 2), and bullet points are a nightmare.  Anyway, back to the point: originally the borders copied across OK, but then suddenly stopped; I have finally gone to the effort of finding the html code that needs editing to get them to re-appear, I hope it’s worth the effort :)
