Out-of-band Management - Useful Beyond Catastrophe
BGP Configuration on FortiOS
Cisco Live 2018 - Yes, I Went Too
An Update for my Adoring Fans
I feel like a teenage girl with a fashion blog who hasn’t posted in 6 months and comes back with “I know I haven’t posted in a while…” Sigh. It’s been right at a year since I actually published a post, so I figured I would give everyone an update.
I’ve had some personal things going on lately, and those have taken all of my energy. We’ve made it through those rough times, so my energy is coming back. I’m feeling better every day, and I hope I can get back to producing some content. And, let me tell you…I’ve got some stuff to talk about.
Cisco Live US 2017 - Saturday Adventure
Cisco Live US 2017 - The Plan So Far
Put it on your calendar. Cisco Live US is June 25 - 29, 2017, in Las Vegas. This is the largest conference I go to every year, and it’s the highlight of my professional year. I’ve been going for a few years now and enjoy it for the content and camaraderie. What are we doing this year?
We’ll fly in on Friday again and do something. No idea what, but I imagine we’ll throw out an invitation for dinner to the public and meet somewhere. If you’re going to be in town, let me know, and we’ll meet up.
Cisco Clock Issue - This Is Really Bad
QoS? Really?
I wrote this post during Cisco Live and said “I’ll just give it a once-over tonight and publish it.” That was something like 6 weeks ago now. What a loser I am.
Yes, really. QoS has actually gotten some attention this year. After how many years of living in the dark and being feared by junior and senior engineers alike, we’re seeing some really cool technologies coming out for it.
Cisco Live 2016 - Everything Is Coming Together
It seems that Cisco Live is about the only thing I blog about in the last…well, few years. At least I’m still writing, even if it is twice a year. :)
Here’s a summary about Cisco Live for those who live in a dark hole. It’s July 10 - 14, 2016, in Las Vegas. If you do anything with Cisco, you should go. If you do anything with technology that isn’t Cisco, you should go. Bring your significant other. There’s plenty to do for everyone. Anyway, on to the details for this year’s show.
Cisco Live - The Complaints
You should know by now that I always find something to complain about. Is that a bad thing? Probably. Does it help improve things? Absolutely!
Again, I love going to Cisco Live every year. Without question, it’s my favorite event of the year. It’s a great event with great people and great things to do. With that said, let’s look at what could have been a bit better this year.
Cisco Live 2015 - Helping Others
Another year, another Cisco Live. Boy, was it a good one. San Diego is a great city, and the convention center there is plenty big to take care of all 25k attendees. On top of that, the city itself is equipped to handle groups of 40 roaming the streets looking for food and entertainment.
This year’s event had the usual stuff that everyone talks about - breakout session, keynotes, exams, etc. - but Cisco stepped outside of technology this year by helping others.
Summary Post - Methods to Manipulate OSPF Costs
There are three ways to manipulate the interface cost in OSPF. One is very direct, one changes the presentation of the interface, and the other changes the calculations for every interface.
Set the cost of the interface directly - Just give it the number you want. Easy. This is the number OSPF will use in the SPF calculations without doing any math on the interface.
R1(config-if)#ip ospf cost 8482
Set the bandwidth of the interface - The formula that OSPF uses to calculate interface cost is pretty easy to remember - (reference bandwidth) / (interface bandwidth). Changing the interface bandwidth will obviously change the result of the calculation. The same caveat for EIGRP route manipulation holds true here; if you change the bandwidth of the interface, you may affect other things like QoS…or EIGRP, now that I mention it.
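An added example, not from the original post, of what the formula above actually produces on IOS. IOS takes `bandwidth` in kbps and `auto-cost reference-bandwidth` in Mbps, truncates the division to an integer, and clamps the result to the 1 to 65535 range of the interface cost field. The `manual_cost` argument stands in for `ip ospf cost`, which skips the math entirely. The interface list is a constructed sample of common IOS default bandwidths; the point it shows is that with the default 100 Mbps reference, everything from FastEthernet up lands on cost 1, so OSPF cannot tell a Gig link from a 10 Gig link until you raise the reference bandwidth on every router in the domain.

```python
# Added example (not from the original post): how IOS derives an OSPF interface
# cost from the reference bandwidth and the interface bandwidth, and why the
# default reference of 100 Mbps collapses every link of 100 Mbps or faster to
# cost 1.

OSPF_MIN_COST = 1
OSPF_MAX_COST = 65535   # 16-bit interface cost field


def ospf_cost(interface_bw_kbps, reference_bw_mbps=100, manual_cost=None):
    """Return the OSPF cost IOS uses for an interface.

    interface_bw_kbps  -- the value from 'bandwidth' (IOS expresses it in kbps)
    reference_bw_mbps  -- 'auto-cost reference-bandwidth' (IOS expresses it in Mbps)
    manual_cost        -- 'ip ospf cost', which bypasses the formula entirely
    """
    if manual_cost is not None:
        if not OSPF_MIN_COST <= manual_cost <= OSPF_MAX_COST:
            raise ValueError("ip ospf cost must be 1-65535")
        return manual_cost
    if interface_bw_kbps <= 0:
        raise ValueError("interface bandwidth must be positive")
    # Both sides converted to bits per second; integer division truncates,
    # and anything that truncates to 0 is clamped to 1.
    cost = (reference_bw_mbps * 1_000_000) // (interface_bw_kbps * 1_000)
    return max(OSPF_MIN_COST, min(OSPF_MAX_COST, cost))


def cost_table(interfaces, reference_bw_mbps=100):
    """Map interface name -> cost for a dict of {name: bandwidth_kbps}."""
    return {name: ospf_cost(bw, reference_bw_mbps) for name, bw in interfaces.items()}


# Constructed sample of typical IOS default bandwidths (kbps).
SAMPLE_INTERFACES = {
    "Serial0/0 (T1)": 1544,
    "FastEthernet0/0": 100_000,
    "GigabitEthernet0/1": 1_000_000,
    "TenGigabitEthernet1/1": 10_000_000,
}

if __name__ == "__main__":
    for ref in (100, 10_000):
        print(f"auto-cost reference-bandwidth {ref}")
        for name, cost in cost_table(SAMPLE_INTERFACES, ref).items():
            print(f"  {name:24} cost {cost}")
```

Run it and compare the two tables: with the default reference a T1 is 64 and every Ethernet interface is 1; with `auto-cost reference-bandwidth 10000` the T1 becomes 6476, FastEthernet 100, Gig 10 and 10 Gig 1, which is the spread you actually want SPF to see.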
Summary Post - OSPF Network Statement Order and Matching
When you configure OSPF network statements, IOS orders them most-specific to least-specific, then does a top-to-bottom match of the interfaces. It doesn’t matter which order you put them in; the configuration will always be ordered with the longest prefix matches first. Lab time!
I have router R1 with these interfaces.
R1#sh ip int brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        10.0.0.1        YES manual up                    up
FastEthernet0/1        unassigned      YES unset  administratively down down
Loopback100            10.0.101.1      YES manual up                    up
Loopback200            10.2.101.1      YES manual up                    up
Let’s add the OSPF configuration where 10.0.0.0/8 is in area 2 then check what OSPF thinks is happening.
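An added example, not from the original post, that models the matching rule described above in Python using the three addressed interfaces from the `sh ip int brief` output. The `network 10.0.0.0 0.255.255.255 area 2` statement is the one from the post; the more specific `network 10.0.101.0 0.0.0.255 area 0` statement is constructed here and deliberately listed after the broad one, to show that the area each interface lands in does not depend on the order the statements were typed. Specificity is measured as the number of zero (must-match) bits in the wildcard mask; that is an assumption for non-contiguous masks, which are legal but rare.

```python
import ipaddress

# Added example (not from the original post): how IOS resolves OSPF network
# statements. IOS keeps the statements sorted most-specific first and takes the
# first match for each interface, so the order you type them in does not matter.


def _ip_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def fixed_bits(wildcard):
    """Number of must-match bits in a wildcard mask (0 = must match, 1 = don't care).
    Used as the specificity key; assumption: this also orders non-contiguous masks."""
    return 32 - bin(_ip_int(wildcard)).count("1")


def sort_like_ios(statements):
    """Return statements ordered most specific first. Python's sort is stable,
    so statements with equal specificity keep their configured order."""
    return sorted(statements, key=lambda s: fixed_bits(s[1]), reverse=True)


def matches(ip, network, wildcard):
    care = ~_ip_int(wildcard) & 0xFFFFFFFF
    return (_ip_int(ip) & care) == (_ip_int(network) & care)


def assign_areas(interfaces, statements, sort=True):
    """Map interface name -> area. sort=False shows what the result would be
    if IOS matched in configured order, which it does not."""
    ordered = sort_like_ios(statements) if sort else list(statements)
    areas = {}
    for name, ip in interfaces.items():
        if ip is None:          # unassigned interface; OSPF ignores it
            continue
        for network, wildcard, area in ordered:
            if matches(ip, network, wildcard):
                areas[name] = area
                break
    return areas


# Interfaces from the post's 'sh ip int brief' output.
R1_INTERFACES = {
    "FastEthernet0/0": "10.0.0.1",
    "FastEthernet0/1": None,
    "Loopback100": "10.0.101.1",
    "Loopback200": "10.2.101.1",
}

# Statements deliberately entered broad-first. The /8 in area 2 is from the
# post; the /24 in area 0 is constructed for this example.
R1_NETWORK_STATEMENTS = [
    ("10.0.0.0", "0.255.255.255", 2),
    ("10.0.101.0", "0.0.0.255", 0),
]

if __name__ == "__main__":
    print("as IOS matches:  ", assign_areas(R1_INTERFACES, R1_NETWORK_STATEMENTS))
    print("configured order:", assign_areas(R1_INTERFACES, R1_NETWORK_STATEMENTS, sort=False))
```

With the IOS ordering, Loopback100 ends up in area 0 and the other two interfaces in area 2; if the statements were matched in the order entered, the /8 would swallow everything and all three would be in area 2.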
Recap - Cisco Live US 2014
My Schedule for Cisco Live 2014
Everything is in order for my trip to Cisco Live 2014 in San Francisco. Conference passes are purchased. Hotels are reserved. Flights are booked. It’s going to be a great event, and I can’t wait!
Note: My wife will be with me again this year, and she is trying to get a tour group going to look around the city while others are in sessions. If you want to be in on the tourist action, contact her via Twitter.
Taking the Old Approach to Cisco Live 2014
Read This if You’re Going to Cisco Live in May!
Why Cisco Live Each Year?
CCIE R&S Written – Epic Fail (Again Again)
On Friday, and for the fourth time, I took the CCIE R&S Written exam (350-001). For the third time, though, I failed. Let me tell you, I am absolutely devastated. I worked my buns off for the past few weeks, but I’m obviously missing some important piece to put me over the top.
Not only was I disappointed with my overall score, I was disappointed by my score in some of the focus areas. For God’s sake, I made a 50% on each of the routing and switching sections, which is just absolutely embarrassing. I mean, this is my bread and butter here. This is what I do all day every day, and I could only muster a 50%?
QoS Notes - IPP and DSCP Values
This is a study note post, so please don’t take this as written. I’m not the authority on the subject, so please correct me if needed.
Back in the day, somebody decided that we all needed to have a Type of Service (ToS) field in the header of IP packets. Only God knows what this spawn of Satan wanted to do with it, but we’re stuck with it on the CCIE R&S exams.
CCIE R&S Written - Epic Fail (Again)
Cisco Live 2013 Insights - Catalyst 3850
Cisco Live 2013 Insights - Cisco Tactical Operations
While walking through the World of Solutions, we ran across a big black truck with lots of antennas all over it. It was obviously an emergency communications vehicle of some kind, but I was really surprised to see it was a Cisco truck. It turns out that Cisco has a Tactical Operations group (Twitter) that was formed to provide disaster responders with much-needed communications for EMAs, fire, police, medical, etc.
The big truck was the NERV - the Network Emergency Response Vehicle (PDF link). It’s full of traditional HF, VHF, and UHF radios that the ham radio operators usually bring to these disasters. This is a necessity when all phones, cell, and Internet are down. It could be the only way firefighters are able to call for reinforcements or the only way a hospital can call for more supplies. The NERV, though, takes it to the next level. On top of the radio gear, it is equipped with satellite uplinks for Internet access, Wi-Fi, and digital voice and video through UCS Express, IP phones, and Telepresence. Analog voice is always the first method of communications restored via battery- or generator-powered gear, but an area will eventually need a network with voice and video. That’s where the NERV comes in.
Cisco Live 2013 Insights - Cisco Active Advisor
Yes, I went to Cisco Live and survived. It was the social event of the year, but the main focus is learning about the cool, new stuff. One of the booths I visited was a demonstration of Cisco Active Advisor.
This is a cloud-based (BINGO!) application that keeps an eye on the lifecycles of your IOS devices. Using the web interface, you can scan a range of IP addresses from your machine and have your gear automatically added to the service. Once in there, you can see, among other things, the warranty and support contract information for your device. If your contract is about to expire, it’ll let you know via email. It also tracks any vulnerabilities that may apply and emails you if any are detected. This beats trusting your reseller to send you renewals or watching an RSS feed for PSIRTs and field notices.
A Simple Firewall Upgrade - A True Story
I just got through a big weekend. We upgraded our main production firewall, but the process had a few twists.
The old firewalls, a pair of ASA 5520s, were running at about 80% CPU during the day. That’s high enough that even I cringed when I saw the utilization in ASDM. It was obviously time to upgrade to something with more beef, but we also wanted something that will last for years. After looking around and getting some quotes (that made me jump back in my seat), we finally decided to go with a pair of 5555Xs. These guys give about 10 times the throughput of the 5520 with about 8 times the memory. Seems to match the requirements. Now for the complications we had to work through.
My Schedule for Cisco Live 2013
I’m all set up to go to Cisco Live in Orlando this year. Good thing, too, since I couldn’t make it to San Diego last time. It’ll be a great and fun time as usual, and I’m quite excited.
As it turns out, ARRL Field Day happens to be the weekend leading up to the festivities. I’ve been in contact with the local Orlando club, and they say the attendees are more than welcome to join them. They are meeting at the City of Orlando Emergency Operations Center, which is about 20 minutes away from the Convention Center.
JNCIS - Epic Win (Again)
I spent the last of my Juniper exam vouchers on the JNCIS-SEC exam and passed by the skin of my teeth today. Since I took a new job last month that’s 100% Cisco, this is the last Juniper exam I’ll take for the foreseeable future. Too bad, too. I really like the Juniper exams.
At my previous job, we were 90% Juniper with a whole mess of SRX firewalls around the world. Since this exam is really about that platform, it was pretty logical that I should do alright on it. Of course, a large part of the blueprint was on IDS and UTM, and I have no experience there. For my entire career, those types of devices have been handled by other groups, so I had some studying to do. That’s where I ran into problems. I have absolutely no interest in IDS. I have no interest in UTM. There’s nothing about content scanning and analysis that interests me at all. I promise you all that I tried my best to read up on these topics, but I was asleep after 10 words every time I tried. After rescheduling the exam twice to try and study a bit more, I finally decided it wasn’t worth the trouble and just took the exam…and passed.
A Little Story on Switch Configuration
Here’s another story from the late night. I’ve changed the details to protect the innocent, but you’ll get the idea.
I think most of you know that I started a new job late last year, and I’ve spent my waking hours getting caught up on how the new company works, how everything fits together, and all that jazz. One of the big reasons that I (and a number of others) were brought in was to fix the biggest problem: the company doesn’t have real central control over customer-facing technologies. There’s a group that does central IT for the company (Exchange, SharePoint, Oracle apps, etc.), but there are dozens and dozens of applications out there. That means there are dozens of “network teams” around the world doing their own thing.
VRF-Aware IPSec Tunnels
Man, time is hard to come by of late. I’ve had so little time to rest that it’s hard to get my thoughts together. It’s a good thing in this case, though, since it’s my fantastic job that’s taking all my time. It’s great to see new networks and learn their internals…especially when they were designed by some long-time CCIEs who actually knew what they were doing.
One of the big things that I’m dealing with lately is VRFs. I’ve implemented some VRF-lite stuff, but I’ve never had any practical experience with the full force of them. I’m definitely learning here. Since the blog here is really about my sharing what I’ve learned, let’s go through something that came up recently - terminating VPNs on one VRF while passing traffic to another.
Invisible fences for VLANs
This week we have a guest post from CJ Infantino. He currently writes on convergingontheedge.com. You can find him hanging out on Google Plus as CJ Infantino or follow him @cjinfantino on Twitter.
The other day I was adding VLANs to the allowed list on the core routers at work. It was then that a question came to mind: “Does the VLAN allowed list filter ingress or egress traffic?”
Now, because all good engineers would configure the allowed list on both ends – as Aaron would say – in the grand scheme of things this really doesn’t matter, but being the inquisitive guy that I am, I wanted to know.
So I searched, and searched and google’d and could not find the answer. At that point there was only one thing left to do – lab it up!
Redistribution Notes - Tagging
- Tagging provides a way to mark common or similar routes to manipulate later.
- In redistribution scenarios with mutual redistribution on two different routers, any route that gets redistributed from one routing process to another is tagged.
- When the other router sees those tags on a route, it filters that route at its own redistribution point to keep from adding non-optimal routes to its routing table.
- Tags can also be used to do other manipulation such as setting higher metrics or changing ADs.
OSPF
CCIE R&S Written Materials
BGP Notes - Path Decision
This is required blogging…and reading for that matter. A good chunk of this is taken from my CCNP posts from last year. Corrections, please.
How does a BGP router decide which BGP route is the best?
Next-hop : Does the router have a route to the next-hop?
Weight : This is a numeric value where bigger is better. Weight is not passed on to other peers and is a Cisco proprietary feature.
BGP Notes - Path Attribute Categories
Make my corrections! Please!
Well-known mandatory : These PAs must be recognized by all BGP routers and passed along to other peers.
Well-known discretionary : These PAs do not need to be in every update, but they must be recognized by all BGP routers.
Optional transitive : These PAs don’t have to be recognized but they must be passed along to other BGP peers if they are present in an update.
BGP Notes - Message Types
Corrigeme, por favor.
Open : When a neighbor is configured, the router sends an open to that neighbor to get the ball rolling.
Destination: The neighbor's configured IP
Important fields: My AS
Update : The routing information
Destination: The neighbor's configured IP
Important fields: Advertised network, path attributes
Keepalive : Sent every 60 seconds by default
Destination: The neighbor's configured IP
Important fields: Nothing, really
Notification : When something is amiss, the router sends a notification message. The receiver then closes the connection.
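An added example, not from the original post, that builds and parses the pieces of the message types above that are small enough to show in full: the common 19-byte header, the OPEN body (version, My AS, hold time, BGP identifier, optional parameters) and the header-only KEEPALIVE, laid out as RFC 4271 specifies. UPDATE and NOTIFICATION bodies are not decoded. The checks in `parse_header` and `parse_open` are the ones a receiver applies before trusting a field from a peer: marker all ones, length within 19 to 4096 bytes, a known type, nothing truncated, and a hold time of 0 or at least 3 seconds.

```python
import ipaddress
import struct

# Added example (not from the original post): the BGP message header plus the
# OPEN and KEEPALIVE messages as laid out in RFC 4271, with the checks a
# receiver should apply before it trusts the fields it pulls out. UPDATE and
# NOTIFICATION bodies are not decoded here.

MARKER = b"\xff" * 16      # all ones; anything else means "connection not synchronized"
HEADER_LEN = 19
MAX_MSG_LEN = 4096
MSG_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}
OPEN_FIXED_LEN = 10        # version(1) my AS(2) hold time(2) identifier(4) opt len(1)


def build_message(msg_type, body=b""):
    length = HEADER_LEN + len(body)
    if length > MAX_MSG_LEN:
        raise ValueError("message too long")
    return MARKER + struct.pack("!HB", length, msg_type) + body


def build_open(my_as, hold_time, bgp_identifier, opt_params=b""):
    """OPEN body. 'My AS' is the 2-byte field; a 4-byte ASN travels in a
    capability and this field then carries AS_TRANS (23456) instead."""
    if not 0 <= my_as <= 0xFFFF:
        raise ValueError("my_as does not fit the 2-byte field")
    body = struct.pack("!BHH4sB", 4, my_as, hold_time,
                       ipaddress.IPv4Address(bgp_identifier).packed, len(opt_params))
    return build_message(1, body + opt_params)


def build_keepalive():
    return build_message(4)        # header only, 19 bytes


def parse_header(data):
    """Return (type name, body bytes) or raise ValueError with the reason."""
    if len(data) < HEADER_LEN:
        raise ValueError("short header")
    if data[:16] != MARKER:
        raise ValueError("bad marker")
    length, msg_type = struct.unpack("!HB", data[16:19])
    if not HEADER_LEN <= length <= MAX_MSG_LEN:
        raise ValueError("bad length %d" % length)
    if msg_type not in MSG_TYPES:
        raise ValueError("bad type %d" % msg_type)
    if len(data) < length:
        raise ValueError("truncated message")
    if msg_type == 4 and length != HEADER_LEN:
        raise ValueError("KEEPALIVE must be exactly 19 bytes")
    return MSG_TYPES[msg_type], data[HEADER_LEN:length]


def parse_open(body):
    if len(body) < OPEN_FIXED_LEN:
        raise ValueError("short OPEN")
    version, my_as, hold_time, ident, opt_len = struct.unpack("!BHH4sB", body[:OPEN_FIXED_LEN])
    if version != 4:
        raise ValueError("unsupported version %d" % version)
    if hold_time in (1, 2):
        raise ValueError("hold time must be 0 or at least 3 seconds")
    if len(body) != OPEN_FIXED_LEN + opt_len:
        raise ValueError("optional parameter length mismatch")
    return {
        "version": version,
        "my_as": my_as,
        "hold_time": hold_time,
        "bgp_identifier": str(ipaddress.IPv4Address(ident)),
        "opt_params": body[OPEN_FIXED_LEN:],
    }


def message_error(data):
    """None if data is a well-formed message (OPEN bodies included), else the reason."""
    try:
        kind, body = parse_header(data)
        if kind == "OPEN":
            parse_open(body)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    msg = build_open(65001, 180, "10.0.0.1")
    print(parse_header(msg)[0], parse_open(parse_header(msg)[1]))
    print(message_error(msg[:-1]))
```

Each of those ValueErrors corresponds to something a real speaker answers with a NOTIFICATION (message header error, OPEN message error) before closing the TCP connection, which is the behavior described under Notification above.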
BGP Notes - Neighbor States
Corrections appreciated.
Idle : There is no relationship yet. When the session is started, the router initiates the TCP connection (sends a SYN) to the neighbor to get the ball rolling and moves to Connect.
Idle (admin) : The neighbor is admined down.
Connect : The router is waiting for the TCP connection to finish. If the TCP connection finishes, the router sends an open and transitions to OpenSent. If it times out, it transitions to Active.
Active : The router tries to initiate a TCP connection. If the TCP connection finishes, the router sends an open and transitions to OpenSent.
EIGRP Notes - Unequal Cost Path Load Balancing
Per the standard rules, please correct anything that’s wrong.
One of EIGRP’s big features is the ability to use unequal cost paths for load balancing. This is done with the variance command.
variance : A multiplier used to decide which feasible successors can be installed alongside the successor. The router multiplies the integer by the successor’s feasible distance, and any feasible successor whose computed distance is less than that product gets submitted to the routing table manager.
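An added example, not from the original post, that applies the variance rule above to a constructed set of paths. Two checks decide whether a non-successor path gets installed: it must first be a feasible successor (its reported distance is less than the feasible distance, which is what keeps it loop-free), and then its computed distance must be less than variance times the feasible distance. The metrics here are small made-up numbers; real EIGRP composite metrics are far larger, but the rule is the same.

```python
# Added example (not from the original post): which EIGRP paths get installed
# for a given variance. The numbers are constructed, small metrics; real
# EIGRP composite metrics are much larger but the rule is the same.


def eigrp_paths(candidates, variance=1):
    """Return the neighbors whose paths EIGRP will install in the RIB.

    candidates -- list of (neighbor, reported_distance, computed_distance):
                  reported distance is the neighbor's own metric to the
                  destination; computed distance is that plus the cost of the
                  link to the neighbor, i.e. the metric via that neighbor.
    variance   -- the 'variance' multiplier (1 = equal-cost paths only).
    """
    if variance < 1:
        raise ValueError("variance must be >= 1")
    if not candidates:
        return []
    # The feasible distance is the best computed distance; its owner is a successor.
    feasible_distance = min(cd for _, _, cd in candidates)
    limit = variance * feasible_distance
    installed = []
    for neighbor, rd, cd in sorted(candidates, key=lambda c: c[2]):
        if cd == feasible_distance:
            installed.append(neighbor)          # successor (equal-cost) always used
            continue
        if rd >= feasible_distance:
            continue                            # fails the feasibility condition: could loop
        if cd < limit:
            installed.append(neighbor)          # feasible successor inside the variance
    return installed


# Constructed sample: paths to one destination from a router with four neighbors.
SAMPLE = [
    ("R2", 10, 20),   # successor: best computed distance, so FD = 20
    ("R3", 15, 35),   # feasible (15 < 20) and cheap enough for variance 2
    ("R4", 25, 30),   # NOT feasible (25 >= 20) even though its metric is good
    ("R5",  5, 45),   # feasible, but 45 is not < 2 * 20
]

if __name__ == "__main__":
    for v in (1, 2, 3):
        print(f"variance {v}: {eigrp_paths(SAMPLE, v)}")
```

R4 is the one worth noticing: its metric is better than R3's, but it never gets installed no matter how high the variance goes, because variance only widens the window for paths that already pass the feasibility condition.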
EIGRP Notes - Message Types
Please correct if I’m being stupid…which is a lot of the time.
Hello : Discovers and maintains neighbors
Destination: 224.0.0.10
Important fields: K values
Update : An update to the topology such as a route withdrawal or a metric change
Destination: 224.0.0.10, or unicast during neighbor discovery
Important fields: Message sequence number; the route being updated, including the metric components (bandwidth, delay, reliability, load, MTU) used to compute the metric
Query : Used to ask a neighbor if it has a route to a certain network; see stuck-in-active
OSPF Notes - Network Types
Corrections are always welcome.
Broadcast : Think an Ethernet segment
DR/BDR? : Yes
Default hello interval : 10 sec
Neighbor config required? : No
Point-to-point : Physical point-to-point links, frame-relay point-to-point subifs
DR/BDR? : No
Default hello interval : 10 sec
Neighbor config required? : No
Nonbroadcast Multiaccess : Frame-relay multipoint or physical
DR/BDR? : Yes
Default hello interval : 30 sec
Neighbor config required? : Yes
Point-to-multipoint : Partial mesh networks like a frame-relay hub-and-spoke configuration
Wireshark and EtherIP Packets
OSPF Notes - LSA Types
Yes, it is inevitable that I cover these. I’m sure network types will be next. Per my usual request, please correct my stupidity.
Type 1 - Router : Every router originates one of these for each area it belongs to. It is identified by the router’s RID and lists that router’s links and the networks to which it connects.
Type 2 - Network : These LSAs represent a multi-access network (broadcast or NBMA) where more than one OSPF router may live. Think Ethernet or a multipoint segment. The DR for that segment originates and floods them.
OSPF Notes - Neighbor States
My prediction about covering network types was wrong. I’m going to puke out some information about neighbor states for now. As is always the case, corrections are welcome.
Down : No hellos have been received from this router.
Attempt : This state only applies to manually-configured neighbors on an NBMA network. In this state, a router has sent unicast hellos to the neighbor but has not received any back from it.
OSPF Notes - Message Types
I have had my nose deep in several books in preparation for my CCIE R&S written exam, so I haven’t been blogging much at all. Now that I’ve made it to the more familiar topics, I’m hoping to get some notes posted. I’ll start with OSPF message types.
As always, please feel free to correct me here. I’m learning just like the rest of us.
Hello : These messages are used to establish neighbors and serve as keepalives among other things.
Home-grown IOU Scripts
Cisco Live 2011 Schedule
For the first time ever, I’m headed to Cisco Live - the big Cisco users conference in Las Vegas! I usually don’t go to these things since I wind up just hanging out by myself, but I’m meeting all sorts of people there - from bloggers to Tweeps to personal friends. It should be a huge blast, and I can’t wait to get there.
For those interested, here’s my schedule.
Configuring an IPv6 Tunnel with Hurricane Electric
Stubby Post - Final Tally of 3750 Failures
It’s pretty widely known that I hate Cisco 3750 switches. We’ve had so many hardware and software failures with them that I’ve got a seriously bad taste in my mouth. Since I’m leaving for a new company, I thought I’d publish some statistics while I still have access to the numbers.
Total TAC cases opened related to 3750s: 21
Number of 3750G-12S-S replaced: 21
Number of 3750G-24TS replaced: 7
Total number of RMAs issued: 28
Total number of 3750s in the company: ~120
Failure rate: 23.3%
Routing IPv6 with BGP - The Basics
Are you sensing a theme lately? Since we covered the basics of the main IGPs (I’m an enterprise guy, so no IS-IS comments, please.), I thought I’d try to describe the basics of advertising IPv6 routes over BGP. Yet again, we’re not going to do any route manipulation or change any of the 948284928 BGP attributes. We’re just trying to get routes exchanged.
Configuration
There’s no new version of BGP for IPv6 here. It’s the standard BGP version 4 that we’ve all been using for years, but we’re going to take advantage of the multiprotocol support (MP-BGP, RFC 2858, since obsoleted by RFC 4760). We’ll get to the differences in a second, but the first thing to do is to set up the BGP process as normal.
OSPFv3 - The Basics
Stubby Post - Changes to CCNA Voice, CCVP, and CCSP
I don’t usually cover news from Cisco, but they’ve changed some certification stuff around again, and I thought I would bring it up. This time they’ve changed the CCNA Voice, CCVP, and CCSP, so, if you’ve on those tracks, be careful what you’re studying!
CCNA Voice
Circle 28 February 2011 on your calendars. That’s when the CCNA Voice track gets a shakeup. The IIUC (640-460) exam will be no more, and passing CVOICE (642-436) will no longer be a valid way to get the cert. After the big day, you’ll have to take ICOMM (640-461). This seems to be a much broader exam instead of having the enterprise and commercial focuses in CVOICE and IIUC, respectively. Look out for both CME- and CUCM-based topics including a troubleshooting section.
IIUC Notes - Powering Cisco Phones
Feel free to correct anything that is wrong or incomplete.
- Power over Ethernet (PoE)
  - Can provide power to a Cisco phone, access point, security camera, etc., through the network cabling, eliminating the need to plug the phone into the wall for power.
  - Generic term for providing power on the Ethernet cable
  - Provides centralized power that can be put on a UPS
  - Allows devices to be located away from power outlets
  - Removes cabling clutter at the user’s desk
  - Can be provided through PoE-enabled switches, power panels or inline couplers (power injectors)
  - Oversubscription is common
    - If every device on a switch asks for full power, the switch may not be able to handle the load.
  - Of course, devices can be powered with a power brick at the desk
- 802.3af
IIUC Notes - VoIP Structures
Feel free to correct. No need to sugar-coat it; I’m pretty new at this stuff. :)
- Advantages of VoIP
  - Reduces costs of communications: Eliminates/reduces long distance and international call tolls
  - Reduces costs of cabling: No need for second network of phone lines
  - Integrates all voice into one large network: All your remote offices can be implemented/maintained/controlled centrally
  - Provides mobility: Moves, adds, and changes (MACs) are (nearly) eliminated since your phone is just a network node
  - Allows use of IP Softphones
  - Unifies emails, voice mails, and faxes: All these can be treated as a single box for user messages
  - Increases productivity: Ringing multiple devices at the same time eliminates phone tag. <— pushing it, eh?
  - Enhances communications: Applications can be launched/updated from a voice call through application servers
  - Provides open, compatible standards: You can connect different vendor devices into the same VoIP network. <— I’ve never seen that happen
- Cisco VoIP Structure
Stubby Post - Packetlife’s Community Lab
I’m way behind in talking about this, but Jeremy Stretch over at Packetlife.net has a community lab that is free to use. This is a great resource for those of us who are too poor to have their own physical devices for Cisco studies. All you need is an account on the site and a sense of community.
There are two labs to reserve, and each contains a firewall, routers, and switches. This is plenty of stuff to get your feet wet with the gear, let you research some functionality that Cisco promised is great, and to lab out something you’re looking to implement. The lab is offered for free, but Jeremy is giving his time and money for this lab. I think it would be a great idea to drop a few dollars to him via his donate link if you use his stuff. If you’re a regular user and don’t donate, I ask that you do a moral inventory on yourself so you might see just how bad you are being.
Stubby Post - Cabling and EtherChannel
I’ve done it. You’ve done it. We’ve all done it. You turn up another EtherChannel bundle and realize the hard way that your interface descriptions aren’t accurate. Or you’ve swapped out a piece-of-crap 3750 and didn’t notice that the labels on the cables were wrong. In either case, we all know that EtherChannel bundles don’t really work if the links aren’t plugged into the right switches.
So, what do you do to make sure that your links are cabled the way you think they are? Personally, I don’t trust any label at all - no matter if I did it or not. At some point, someone has changed something on a switch, and that just might have been a change to where the port in question is cabled. If I was onsite, I would hand-trace the cabling from one end to the other then do it again to make sure I didn’t hose it up the first time. The big problem with this technique is that I’m not everywhere at the same time, and the travel budget isn’t very big these days. If I can’t get my hands on the cables, I relegate myself to using CDP to see what’s on the other end of links when putting ports into EtherChannel bundles.
IIUC Notes - Old School Voice Stuff
These are the notes I’ve taken as I read through the study materials. Feel free to correct anything you see.
- Analog phone signaling
  - Misc
    - Ground = positive = tip
    - Battery = negative = ring
    - Signaling uses specific frequencies for specific events
  - Loop start signaling
    - When a circuit in the phone is completed (i.e., you take it off-hook), the CO detects it and provides services.
    - Susceptible to glare, where the phone requests dialtone at the same time that the CO sends a call.
    - Can connect two different calls if in a business with multiple lines
  - Ground start signaling
    - The circuit is temporarily completed to signal the CO for services
    - Doesn’t connect any call to any phone directly
    - Used in PBXes.
  - Supervisory signaling
    - On-hook: Circuit is open
    - Off-hook: Circuit is completed
    - Ringing: AC current generated by CO to tell the phone to ring
  - Informational signaling
    - Gives information for the caller to use
    - Dial tone
    - Busy
    - Ringback: the ring you hear when you call
    - Confirmation: the call is being attempted
    - Congestion: no lines available to make the call
    - Receiver off-hook
    - Reorder: can’t make the call
    - No such number: can’t find the endpoint
  - Address signaling
    - Used to send digits
    - Dual-tone multifrequency (DTMF): uses two electrical signals to indicate a digit; touch tone
    - Pulse: flashes the circuit to indicate a digit; rotary dial
  - Disadvantages of analog signaling
    - Attenuation
    - Repeaters can’t differentiate between call and noise
    - One cable pair for each call; think about a pair for each call taking place in Manhattan right now
  - Misc
- Digitizing voice
Stubby Post - What’s an IDB?
I posed the philosophical question on Twitter the other day asking if single trunk links should be in an EtherChannel bundle just in case you need to expand later. I didn’t really expect an answer, but the ever-verbose @WannabeCCIE pointed out (in not so many words) that you should watch your IDBs. What is that?
That’s an interface descriptor block. I admit that I’m not intimately familiar with them, but they’re data structs in IOS used to keep track of the interfaces on that device. They come in two flavors - hardware and software. HWIDBs usually represent a physical interface but they also represent tunnels, SVIs, PortChannels, subinterfaces, and any other virtual interface that you can configure. The SWIDBs represent the layer-2 encapsulation of each HWIDB, so you’ll see entries talking about Ethernet, HDLC, PPP, etc. That means that every interface you have on a router consumes two IDBs (there are always exceptions). That’s important because each platform and IOS version combination has a limit to the number of IDBs that device supports.
Catalyst 3750s - Bad Luck with a Cisco Logo
Last week, @fletcherjoyce posted an article on his blog about his positive experiences with Cisco’s 3750 switches. If you follow my complaint tweets, you know that I’ve had quite the opposite experience with them. I would never pick on anyone, but I had to throw in my 2 cents.
I’m guessing here, but we have about 50 3750 stacks in the enterprise. Since most of them are pairs, that works out to roughly 120 switches. We’ve done about 20 replacements over the last 5 years, which means we have a 17% failure rate. That’s pretty horrible, isn’t it?
Three years later…
Another year of Aaron’s Worthless Words has come and gone. This month marks the third full year of blog posts for me, and things sure have changed since the beginning.
At first, this blog was just for my personal rants, but no one cares about that stuff (thus the title), so I looked to move on to something else. I decided that I would go into the non-technical side of the network field, so I started talking about the Principle of Least Privilege and about cabling standards. That got a bit boring, so I started puking out information on the Content Switching Module from Cisco since I couldn’t find anything worth a cracker outside of the documentation. That was a hit, and the topics started expanding and expanding until we got to where we are now. Today, the articles are published in an online magazine and are being translated into other languages around the world. Quite a change from complaining about drivers stopping in the crosswalk. :)
Stubby Post - Set DF to 0 with a Route-map
We ran into an issue the other day where an application was setting the DF bit in IP packets to 1. We thought it may be causing problems, so we looked at setting up a route-map to set the DF bit to 0. It turned out to be a different application problem, but it was a good exercise in looking at what you can do with route-maps and policies.
I set up a lab in GNS3 to replicate and do some captures. It’s a really simple setup. R1 connected to R2 connected to R3.
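An added example, not from the original post, showing at the packet level what a route-map that sets DF to 0 has to do: flip one bit in the flags field of the IPv4 header and then recompute the header checksum, because the old checksum no longer covers the modified header. The header builder and the 10.0.0.x addresses are constructed for the example; the layouts are the RFC 791 ones. The caveat a practitioner wants alongside this: once DF is cleared, the router is allowed to fragment that flow, so Path MTU Discovery stops working for it and you are trading an application problem for fragmentation.

```python
import ipaddress
import struct

# Added example (not from the original post): the packet-level effect of a
# route-map that sets DF to 0. Builds a minimal IPv4 header with DF set, clears
# the bit, and recomputes the header checksum, which the router must do too.

IP_FLAG_DF = 0x4000   # bit 1 of the flags/fragment-offset field
IP_FLAG_MF = 0x2000


def ipv4_checksum(header):
    """RFC 791 header checksum: ones' complement of the ones' complement sum
    of the header's 16-bit words. Over a header whose checksum field is already
    correct the result is 0, which is how a receiver verifies it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src, dst, payload_len, df=True, ttl=64, protocol=6, ident=0x1234):
    """20-byte IPv4 header (no options) with the checksum filled in."""
    flags_frag = IP_FLAG_DF if df else 0
    fields = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, ident, flags_frag, ttl, protocol, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]


def header_len(packet):
    return (packet[0] & 0x0F) * 4


def df_is_set(packet):
    return bool(struct.unpack("!H", packet[6:8])[0] & IP_FLAG_DF)


def checksum_ok(packet):
    return ipv4_checksum(packet[:header_len(packet)]) == 0


def clear_df(packet):
    """Return a copy of packet with DF cleared and the checksum recomputed.
    MF and the fragment offset are left untouched; the payload is not looked at."""
    hlen = header_len(packet)
    header = bytearray(packet[:hlen])
    flags_frag = struct.unpack("!H", header[6:8])[0] & ~IP_FLAG_DF & 0xFFFF
    header[6:8] = struct.pack("!H", flags_frag)
    header[10:12] = b"\x00\x00"                       # zero the field before summing
    header[10:12] = struct.pack("!H", ipv4_checksum(bytes(header)))
    return bytes(header) + packet[hlen:]


if __name__ == "__main__":
    pkt = build_ipv4_header("10.0.0.1", "10.0.0.3", 100, df=True) + b"\x00" * 100
    out = clear_df(pkt)
    print("before:", df_is_set(pkt), checksum_ok(pkt), pkt[10:12].hex())
    print("after: ", df_is_set(out), checksum_ok(out), out[10:12].hex())
```

If you capture on both sides of the policy router in a lab like the one above, the flags byte and the checksum are the only two things that should differ between the ingress and egress copies of the packet.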
Syncing IOS Versions on a 3750 Stack
For those that don’t know, when I say “stack”, I mean a group of 3750s connected together using the StackWise technology. When you use a very expensive and very proprietary cable, your individual switches are combined into a single logical device. This means you configure one device to control potentially many switches.
To the point. I’ve spent the last few weeks replacing a mess of 3750s in stacks. These guys are very easy to replace, but the big problem I find is getting the IOS version in sync. When the RMA comes, it’s inevitably got a different version on it, and you’ll see something like this.
Some Cisco Testing Advice
ROUTE - Epic Win!
Woohoo! I passed the ROUTE test this morning. That means I’m done with the CCNP track! :)
If you remember, I took it over a week ago and had some bad luck on it. Alright, bad luck is the wrong phrase. I didn’t study enough and failed it. This time, though, I had a special weapon on my side - the ROUTE Foundations book. I haven’t used the Foundations books before, but I saw some tweets about this one, so I picked it up off of Safari. In just a couple pages, I realized that I was reading the answers to several questions directly out of the book. It was amazing. I only studied my weak points and wound up with 144 more points than I did last time. I can’t say that was entirely because of the book, but I must say it was a big reason.
ROUTE Notes - Further IGP Redistribution
As always, corrections are requested.
Study Questions
- I’ve got IGRP and EIGRP both configured with the same AS number. What’s special about this configuration?
If both use the same AS number, then they automatically redistribute their routes into each other without using the redistribute command.
- When redistributing one IGP into another, where’s a good place to filter routes?
There’s no one good place, but at the router(s) that’s doing the redistribution is a good start. There’s no need to send an IGP a bunch of routes it doesn’t need.
ROUTE Notes - Even More IGP Redistribution
I didn’t do so well on IGP redistribution the last time out, so here’s some more stuff to study. As always, feel free to correct.
Study Questions
- What three things are needed to be able to redistribute one routing protocol into another?
1. One or more links into each routing protocol
2. A proper, working config for each protocol
3. The addition of the redistribute command to one or more of the protocols
ROUTE - Epic Fail (#1?)
I took the ROUTE test today and failed like I usually do. That makes me 3-4 on these P-level tests if you’re scoring at home. Don’t worry, though. I’m not giving up. :)
In atypical fashion, I must say that the ROUTE test was a good test. Let me say that again. The ROUTE test was a good test. I said good, though…not great. There were a few problems with it that I’ll get to, but, overall, this is the best test I’ve ever taken for a Cisco cert. The questions were very well-written and there were no obvious omissions or wrong details. I failed this test because I simply didn’t put in enough work.
ROUTE Notes - Controlling BGP
Corrections, please. I skipped a bunch of BGP intro stuff to get to the juicy center. I’ll see if I can come back later and finish the other parts for posterity.
Study Notes
- Is BGP route selection a controversial subject?
Yes. If you ask 1000 network guys the best way to influence BGP, you’ll probably get 1000 different answers.
- At what position in the PA list of a BGP update do you find the weight attribute?
You don’t. Weight is a Cisco-proprietary thing.
ROUTE Notes - Branch Office Routing
Correct me, please.
Study Notes
- What do IPSec tunnels give you when a branch office is on a broadband connection?
Privacy through encryption
Authentication of the remote peer through ISAKMP
Delivery of private data over the public Internet
- What do you need to configure to get your branch router talking to the Internet?
ISP connection configuration such as PPPoE or PPPoA
DHCP server configuration for internal users
NAT
Firewall services like inspection and filtering
ROUTE Notes - Implementing IPv6 in an IPv4 Network
Study Questions
- Your boss says that every host in the network needs to be converted over to IPv6 by the end of the day. Which of multipoint tunnels, point-to-point tunnels, or native IPv6 would be the most appropriate to use to help with that conversion?
Native IPv6
- The engineering department wants to permanently use IPv6 on their test boxes in two offices. Which of multipoint tunnels, point-to-point tunnels, or native IPv6 would be the most appropriate to use?
Point-to-point tunnels
ROUTE Notes - Routing IPv6
Study Questions
- Why would anyone develop a version of RIP that supports IPv6?
I have no idea. Boredom, maybe. Whatever the case, it works just like RIPv2, which is pretty scary.
- In EIGRP for IPv4, there are several requirements for two routers to neighbor up. Which of those is not true for EIGRP for IPv6?
The two routers don’t need to be in the same subnet. The concept of the link local address takes care of that need since neighbors always share a common medium like an Ethernet segment or a serial link.
ROUTE Notes - Intro to IPv6
Study Notes
- Exactly how big is an IPv6 address?
It’s 128 bits long.
- This shouldn’t be on the test, but how many unique addresses is that?
That’s 2^128 or a “3” with 38 zeros after it. That’s also 2^95 addresses for each person on earth.
- Surely we’re not writing in binary, are we?
No way. IPv6 uses 32 hex characters. Each character is 4 bits, so we wind up with 128 bits of data.
ROUTE Notes - PBR and IP SLA
Feel free to correct.
Study Questions
- What’s the most primitive way to get traffic destined to a single host to use a different path than your dynamic IGP dictates?
Use a static route.
- What’s the most primitive way to get traffic sourced from a single host to use a different path than your dynamic IGP dictates?
Use policy-based routing (PBR).
- What’s the most primitive way to get traffic sourced from a single host and destined for another host to use a different path than your dynamic IGP dictates?
Use PBR.
ROUTE Notes - More IGP Redistribution
As always, feel free to correct.
Study Notes
- When a router redistributes from one routing protocol to another, where does the router get the list of routes to redistribute?
From the routing table. Only IGP A’s routes (not topology or successors) are redistributed into IGP B’s domain.
- What are two methods of filtering redistributed routes?
Use a route-map in the redistribute line or a distribute-list.
- Of the two methods for filtering, which one has more options?
The route-map method has more options. You can match on all sorts of stuff, including an ACL or interface, and filter based on that.
ROUTE Notes - IGP Redistribution
As always, feel free to correct.
Study Questions
- When you redistribute OSPF into EIGRP, what are you really redistributing?
Routes known via OSPF
Networks of OSPF-enabled interfaces
- What’s the default cost of an EIGRP route redistributed into OSPF?
20
- What’s the default metric of an OSPF route redistributed into EIGRP?
There is none since EIGRP has all those nifty k-values that have to be processed. Routes actually won’t redistribute without them.
ROUTE Notes - OSPF Virtual Links and Frame Relay Stuff
Feel free to correct. I feel like I’m missing a big piece here, so please fill in a gap if you see one. Thanks. :)
Study Questions
- How many area 0s (zero) can you have in an OSPF implementation?
Just one.
- If my company merges with another company, and we’re both running OSPF, how can we get our networks routing together properly?
The easiest thing to do is to connect your two area 0s together through some physical link. If you can, you can use virtual links to connect an ABR to another ABR to extend the zones together.
ROUTE Notes - OSPF Filtering and Summarization
Feel free to correct all this stuff. Additions are also welcome.
Study Questions
- How do I keep an area route from reaching a router in that area?
You don’t. That defeats the whole purpose of having the topology database on every router. If you filtered one route from a router, there’s no way that SPF could calculate routes correctly.
- Fine, then. Where do I filter routes?
You filter routes on an ABR or ASBR. Since routers only have the whole topology for their area, it’s safe to filter routes from another area or from a redistributed routing protocol. On a more technical note, you’re filtering type-3 LSAs on an ABR and type-5 LSAs on an ASBR.
ROUTE Notes - OSPF Neighbor Relationships
Feel free to correct.
Study Questions
- What are the definitions of the hello and dead intervals?
The hello interval is how often a router sends hello messages. The dead interval is how long to wait before considering a neighbor dead from lack of hello messages; this is 4x the hello interval by default.
- How do you keep OSPF from trying to detect neighbors on an interface?
Don’t configure a network statement for that interface
Make that interface passive
ROUTE Notes - Controlling Routes in EIGRP
Corrections welcome.
Study Questions
- Why would you ever want to summarize routes?
Summarizing routes minimizes the routes advertised to the network. For example, instead of advertising 192.168.0.0/24, 192.168.1.0/24…192.168.n.0/24, a router can advertise a single route to 192.168.0.0/16. Keeping routing tables small saves hardware resources, minimizes convergence times, helps avoid route flapping, and makes the routing table easier to read for humans.
- When will an EIGRP router auto-summarize a route?
If a router has interfaces that are in different classes of network (Class A, B, C), then that router will auto-summarize those routes up to the classful boundary. For example, if you have a 10.0.0.1/24 and a 192.168.100.1/30, the router will advertise 10.0.0.0/8 and 192.168.100.0/24.
ROUTE Notes - EIGRP Topology Stuff
Study Questions
- How do you keep EIGRP from killing your WAN?
You can use the ip bandwidth-percent eigrp AS X command to limit the amount of bandwidth that EIGRP uses to update neighbors.
- How does EIGRP calculate how much bandwidth it can use for each frame relay PVC?
By default, EIGRP takes 50% of the (sub)interface’s configured bandwidth (set with the bandwidth command) to use for updates on NBMA (non-broadcast multiaccess) networks like frame relay. This value is divided equally among all the PVCs configured on that interface.
ROUTE - Redistribution Nuance #2 - OSPF External Metric Types
Last time, we talked about a nifty little lab I set up for redistribution and how the OSPF ASBRs acted a little differently than I expected. This time, let’s look at how changing external OSPF routes to a metric-type of 1 (E1) affects the routing tables.
Here’s the network again.
The static routes are being redistributed into their respective IGPs, and EIGRP is being redistributed into OSPF. Let’s look at the routing table on R1.
ROUTE - Redistribution Nuance #1 - Admin Distance FTW
I just got back from Global Knowledge’s ROUTE class, and I must say that it was a great class. John Barnes puts on quite the show and is the best instructor I’ve ever had. I digress, though.
One of the topics we covered was route redistribution, so I went back to the hotel one night and fired off this network in GNS3 to study a bit.
The object was to see how redistributing statics into OSPF and into EIGRP differ. It was also an opportunity to see how EIGRP redistributes into OSPF (and OSPF into EIGRP, but I didn’t make it that far). To do that, I redistributed 10.10.10.0/24 from R1 into OSPF and 10.10.20.0/24 from R4 into EIGRP. I then had R2 and R5 redistribute all EIGRP routes into OSPF. It’s a nice mix, but I saw some weirdness in the paths to 10.10.20.0/24.
SWITCH - Epic Regression
Just because I like giving more money to Pearson Vue, I took the BCMSN test today to see how I would do. I passed with no problem.
In my mind, the CCNP is a technical certification, so I expect to be tested on technical topics. Are there topics beyond technology that P-levels should know? Of course there are, but I really don’t think whole chunks of the test should be about a preparation plan and rollback procedures. The BCMSN had a lot more technical questions at a much higher level of expertise; it seems much better suited to the CCNP track than the SWITCH test did.
Stubby Post - Time-based ACLs and Policy-maps
Certain divisions of the company tend to shoot themselves in the foot by kicking off large file transfers during business hours, so I had a thought that maybe we could use time-based ACLs to do some QoSing for those guys. I fired up GNS3 with a 3600 running 12.4(25b) with some virtual PCs on its Ethernet interfaces.
time-range BUSINESSHOURS
 periodic daily 8:00 to 17:00
!
ip access-list extended PINGS
 permit icmp any any time-range BUSINESSHOURS
!
class-map match-all PINGS
 match access-group name PINGS
!
policy-map PM-F0/0-OUT
 class PINGS
First, I set the router’s time to outside of the time range and sent some pings over.
A Must-Know: TCPDump
If you’ve never used TCPDump before, you’re missing out on one of the best parts of being a network guy – pointing fingers at everyone else.
TCPDump is an open-source app that copies packets on a machine’s NIC to screen or to file. TCPDump is typically a Linux/Unix app; in the Windows world, TCPDump is replaced by WinDump or Ethereal, now known as Wireshark. It’s a must-know for network dude(tte)s since it lets you capture the packets that a machine is generating. An app may be documented to work one way, but I’ve seen many times where the documentation is out-of-date or just wrong, and I’ve had to look at captures to see what it was actually doing. I used it one time way back when a developer told me the switch was changing his HTTP POST to an HTTP GET; I captured the packets he was sending, pointed to the GET, and never answered a phone call from him ever again.