Cisco Error Messages

I really like some of the terminology that Cisco uses in their error messages.  And since I come across those quite often in my studies I am becoming familiar with lots of them.  I discovered one of my favorites today while attempting to remove the ip nat pool TEST…. statement.

%Pool TEST in use, cannot destroy

Cannot destroy…Nice!

So the lesson learned here is to remove the ip nat inside source list 1 pool TEST statement then remove the NAT pool!

Cisco Certified Architect

Cisco announced today a new credential available to network professionals. The Cisco Certified Architect is designed to meet the demands of today’s business markets and marries the implementation and design aspects of the Architect level job role.

Key Facts/Highlights:
    * Advanced technologies such as Cisco Unified Communications, Cisco TelePresence™ and mobility are converging and increasing the opportunities for innovation and collaboration while adding to the complexity of enterprise networks.
    * According to IDC, "With many existing certifications focused on point technologies, architect-level certifications bring together project management, business needs analysis, and IT elements into a true solutions framework and validate a candidate's ability to address planning, design, interoperability, and connectivity issues."
    * Gartner reported in its 2008 IT market compensation study (U.S. based), that "IT organizations continue to have difficulty in finding skilled IT professionals, especially enterprise architects, network architects, project managers and Web application programmers."

Cisco Certified Architect:
    * The Cisco Certified Architect certification recognizes the architectural experience and competency of network designers who can support the increasingly complex networks of global organizations and effectively translate business strategies into evolutionary technical strategies.
    * Cisco channel partners play a critical role in enabling customers to deploy advanced new technologies supported by professionals with the skills required to use these innovative solutions.
    * The certification stands above the expert-level CCIE® certification in terms of difficulty, with an emphasis on expertise in network infrastructure architecture and a proven ability to work with executive-level customers to ensure that business requirements are incorporated into successful designs.

Certification Process:
    * The Cisco Certified Architect certification will be administered as a board exam.
    * Candidates will propose and defend an architecture solution to a set of business requirements, and the candidates will be asked to modify their proposals "on the fly," based on additional requirements presented by the board.
    * Prerequisites include a CCDE™ certification, approximately 10 years of industry experience, and acceptance into the program via an application process.

From the perspective of a technologist who recently acquired the CCIE credential, I breathe a mild sigh of frustration.  But then, I take a moment and recenter myself in the world that actually exists and realize that the market is in great flux today.  Stakeholders, business market groups and technologists alike are looking for that all or none solution when it comes to talent.  Talent is hard to come by, and the CCA will be well worth their weight in gold.

Off Topic: Microsoft eyes to the future with DreamSpark

Bill Gates is continuing to prove himself a formidable philanthropist as well as a visionary by creating DreamSpark. DreamSpark, from what I can tell, is a program geared at creating Microsoft developers from a young age. Along with the Alice project, DreamSpark allows young developers to learn the tools of the trade at no cost while also allowing the university or high school student the opportunity to attain real world credentialing with a free MCTS test voucher.

Check out the program at http://www.dreamspark.com.

CCIE R&S Changes

Received the following email today from Cisco Learning:

Cisco has revised the certification requirements for CCIE Routing & Switching (CCIE R&S), the expert level certification for network engineers.

The new certification standards reflect the job skills employers look for at the expert level and are outlined on the Cisco Learning Network at CCIE R&S v4.0 written exam topics and CCIE R&S v4.0 lab exam topics. The revised CCIE R&S v4.0 exams are scheduled for release on October 18, 2009 and will immediately replace the currently available v3.0 exams. 

To support the certification changes, the Cisco 360 Learning Program for CCIE R&S is being updated with new lessons on MPLS and Troubleshooting, additions to the instructor-led workshops, new lab exercises for self-paced practice, and new performance assessments. The Program is the only authorized expert training currently aligned to CCIE R&S v4.0. The program is delivered globally by Cisco Learning Partners.


Finally!!!

After more attempts than I would like to admit, I finally passed the CCIE R&S Lab. I took it on April 24th, and found out the news today. Huge sigh of relief. I will post more with regards to the experience later, but the important part is #24221.

VRF-Lite

VRF-Lite is a simple solution for segregating traffic from different networks across the backbone.  It creates individual routing tables for each VRF we create, keeping them out of the global routing table.  Virtualization in this manner is very handy in large networks where we may want to separate traffic from our sales and logistics organizations.  We may also want to turn up a guest VRF to allow visitors access to the internet without mingling through our enterprise routing table!

The following is a tutorial on a simple VRF-Lite configuration using OSPF.  To begin with, you can download the topology we will be working with from here:

http://rapidshare.com/files/193141474/VRF-Lite.zip

Our network consists of four routers, SG1 – SG4, all running OSPF 1.  Since we are only using a single physical interface between each device, we will set up the trunks and configure layer 3 connectivity via SVIs.  Here are a few extra notes on the topology and device configurations.  These will help us turn up SG5 and SG6 and verify connectivity across the backbone.

  1. Loopbacks 0 are in OSPF 1
  2. Loopbacks 2 are in OSPF 2 vrf Guest
  3. SG1 f0/0 is an access port assigned to VLAN 51
  4. SG4 f0/0 is an access port assigned to VLAN 46
  5. SG5 f0/0 is a routed port
  6. SG6 f0/0 is a routed port
  7. Static zero routes between SG5-SG1 and SG4-SG6

On SG1 set the vtp mode to transparent and create the VLANs:

>enable

#vlan database
(vlan)#vtp transparent
(vlan)#vlan 12
(vlan)#vlan 13
(vlan)#vlan 51
(vlan)#vlan 112
(vlan)#vlan 113
(vlan)#exit

Set trunking on physical interface:

#configure terminal
(config)#interface FastEthernet 0/2
(config-if)#switchport mode trunk
(config-if)#exit
(config)#interface FastEthernet 0/3
(config-if)#switchport mode trunk
(config-if)#exit
(config)#end
#copy running-config startup-config (or write memory)

Create the loopback addresses

#configure terminal
(config)#interface loopback0
(config-if)#ip address 1.1.1.1 255.255.255.255
(config-if)#exit
(config)#interface loopback2
(config-if)#ip address 11.11.11.11 255.255.255.255
(config-if)#exit
(config)#end
#copy running-config startup-config (or write memory)

Configure OSPF

#configure terminal
(config)#router ospf 1
(config-router)#router-id 1.1.1.1
(config-router)#network 1.1.1.1 0.0.0.0 area 0
(config-router)#network 10.1.0.0 0.0.63.255 area 0
(config-router)#exit
(config)#end
#copy running-config startup-config (or write memory)

Perform the same steps on the other four routers using the information from the drawing.  Note that OSPF process 1 is in yellow and the VLANs are not the same.  Once you have that set up, verify your connectivity from SG1 – SG4 by pinging the loopbacks and looking at the routing tables.

SG1#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/2] via 10.1.12.2, 00:00:09, Vlan12
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/2] via 10.1.13.2, 00:00:09, Vlan13
     4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/3] via 10.1.13.2, 00:00:09, Vlan13
     10.0.0.0/30 is subnetted, 4 subnets
C       10.1.13.0 is directly connected, Vlan13
C       10.1.12.0 is directly connected, Vlan12
O       10.1.24.0 [110/2] via 10.1.12.2, 00:00:09, Vlan12
O       10.1.34.0 [110/2] via 10.1.13.2, 00:00:09, Vlan13

SG1#ping 4.4.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/96/120 ms

Now that we have our enterprise network (albeit small with only 4 routers) let’s build a VRF that will separate the traffic from SG5 and SG6 from the global routing table.  The first thing we need to do is build the VRF.  The VRF name can be any alphanumeric value but it needs a unique route distinguisher which has two values separated by a colon, value1:value2.  The values are arbitrary and must be numerical; you can assign an IP address to value 1 if desired.  Since we are not using BGP, redistribution, or MPLS tagging, (hence VRF-Lite!) this VRF must be built on all interconnecting routers where you want the traffic to travel.

#configure terminal
(config)#ip vrf Guest
(config-vrf)#rd 2:100
(config-vrf)#route-target export 2:100
(config-vrf)#route-target import 2:100
(config-vrf)#exit
(config)#exit

Now we need to identify the interfaces that are going to participate in the VRF.  In order to add them to the VRF and separate them from participating in the global routing table, we need to apply the ip vrf forwarding <vrf-name> command to the interface.  On SG1, it looks like this:

NOTE: Adding the ip vrf forwarding <vrf-name> command to the interface will automatically remove any IP address assigned to the interface.  In that case we will have to reassign the IP address.

#configure terminal
(config)#interface FastEthernet 0/0
(config-if)#ip vrf forwarding Guest
(config-if)#ip address 10.2.51.1 255.255.255.252
(config-if)#exit
(config)#exit

Using the topology drawing, add the remaining interfaces to the VRF on all routers.

Now we will create the routing process for our VRF using OSPF.  The configurations are identical to our global OSPF process with one exception.  In order to designate the OSPF process for the VRF we need to add the VRF name: router ospf 2 vrf Guest.  Here is the configuration on SG1:

#configure terminal
(config)#router ospf 2 vrf Guest
(config-router)#router-id 11.11.11.11
(config-router)#network 10.2.0.0 0.0.127.255 area 0
(config-router)#network 11.11.11.11 0.0.0.0 area 0
(config-router)#exit
(config)#exit

Again, apply this configuration to SG2, SG3, and SG4 using the corresponding address assignments.  In order to view the VRF routing table and ping across our virtualized private network, we again add the VRF name at the end of the statement:

#show ip route vrf Guest
#ping vrf Guest 44.44.44.44

Verify your connectivity from SG1 – SG4 by pinging the loopbacks and looking at the routing tables.

SG1#show ip route vrf Guest

Routing Table: Guest
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     33.0.0.0/32 is subnetted, 1 subnets
O       33.33.33.33 [110/2] via 10.2.113.2, 00:37:33, Vlan113
     22.0.0.0/32 is subnetted, 1 subnets
O       22.22.22.22 [110/2] via 10.2.112.2, 00:37:33, Vlan112
     10.0.0.0/30 is subnetted, 5 subnets
O       10.2.46.0 [110/3] via 10.2.112.2, 00:37:33, Vlan112
C       10.2.51.0 is directly connected, Vlan51
O       10.2.124.0 [110/2] via 10.2.112.2, 00:37:33, Vlan112
C       10.2.112.0 is directly connected, Vlan112
C       10.2.113.0 is directly connected, Vlan113
     11.0.0.0/32 is subnetted, 1 subnets
C       11.11.11.11 is directly connected, Loopback2
     44.0.0.0/32 is subnetted, 1 subnets
O       44.44.44.44 [110/3] via 10.2.112.2, 00:37:33, Vlan112

SG1#ping vrf Guest 44.44.44.44

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 44.44.44.44, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/132/228 ms

Voilà!  We know transport is good across our backbone.
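The pings above prove reachability, but the point of the Guest VRF is isolation: no enterprise prefix should ever show up in the Guest table and vice versa.  As an added example (my own script, not part of the original post and not a Cisco tool), the Python below parses `show ip route` / `show ip route vrf` output of the shape shown above and checks two things: that the global and Guest tables share no prefix, and that each table only carries prefixes from its expected address plan.  The sample tables are constructed from the SG1 output above (abbreviated, plus a deliberately "leaky" copy), and the two address-plan lists are assumptions derived from the addressing in this topology.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed samples, abbreviated from the SG1 tables shown in the post.
GLOBAL_TABLE = """\
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/2] via 10.1.12.2, 00:00:09, Vlan12
     10.0.0.0/30 is subnetted, 4 subnets
C       10.1.13.0 is directly connected, Vlan13
O       10.1.24.0 [110/2] via 10.1.12.2, 00:00:09, Vlan12
"""

GUEST_TABLE = """\
Routing Table: Guest
Gateway of last resort is not set

     33.0.0.0/32 is subnetted, 1 subnets
O       33.33.33.33 [110/2] via 10.2.113.2, 00:37:33, Vlan113
     10.0.0.0/30 is subnetted, 5 subnets
O       10.2.46.0 [110/3] via 10.2.112.2, 00:37:33, Vlan112
C       10.2.51.0 is directly connected, Vlan51
     11.0.0.0/32 is subnetted, 1 subnets
C       11.11.11.11 is directly connected, Loopback2
"""

# Constructed failure case: an enterprise loopback has leaked into the Guest VRF.
LEAKY_GUEST_TABLE = GUEST_TABLE + """\
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/3] via 10.2.112.2, 00:37:33, Vlan112
"""

# Assumed address plans for this topology (my reading of the drawing, not stated in the post).
GLOBAL_PLAN = ["1.0.0.0/8", "2.0.0.0/8", "3.0.0.0/8", "4.0.0.0/8", "10.1.0.0/18"]
GUEST_PLAN = ["11.0.0.0/8", "22.0.0.0/8", "33.0.0.0/8", "44.0.0.0/8", "10.2.0.0/17"]

SUBNETTED_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)/(\d+) is (?:variably )?subnetted")
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z*]{1,2}(?: (?:IA|E1|E2|N1|N2|L1|L2))?)\s+"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+)(?:/(?P<plen>\d+))?\s+(?P<rest>.*)$"
)
VIA_RE = re.compile(r"via (\d+\.\d+\.\d+\.\d+)")


def classful_prefix_length(address):
    """Mask length of the classful network an address belongs to (A=/8, B=/16, C=/24)."""
    first = int(address.split(".")[0])
    return 8 if first < 128 else 16 if first < 192 else 24


def parse_ip_route(text):
    """Return a list of route dicts parsed from IOS 'show ip route' style output."""
    routes = []
    header_net, header_plen = None, None  # from the last 'X.X.X.X/len is subnetted' line
    for line in text.splitlines():
        header = SUBNETTED_RE.match(line)
        if header:
            header_net = ip_network(
                f"{header.group(1)}/{classful_prefix_length(header.group(1))}", strict=False)
            header_plen = int(header.group(2))
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue  # legend, 'Gateway of last resort', blank lines
        prefix, rest = m.group("prefix"), m.group("rest")
        if m.group("plen"):
            plen = int(m.group("plen"))
        elif header_net is not None and ip_address(prefix) in header_net:
            plen = header_plen  # entry listed under a 'subnetted' header
        else:
            plen = classful_prefix_length(prefix)
        via = VIA_RE.search(rest)
        routes.append({
            "code": m.group("code").strip(),
            "network": ip_network(f"{prefix}/{plen}", strict=False),
            "next_hop": via.group(1) if via else None,
            "interface": rest.rsplit(",", 1)[-1].strip(),
        })
    return routes


def shared_prefixes(routes_a, routes_b):
    """Prefixes present in both tables: a VRF-Lite isolation failure if non-empty."""
    return sorted({str(r["network"]) for r in routes_a} & {str(r["network"]) for r in routes_b})


def prefixes_outside_plan(routes, plan):
    """Prefixes in a table that fall outside the address plan expected for that table."""
    supernets = [ip_network(p) for p in plan]
    return sorted(str(r["network"]) for r in routes
                  if not any(r["network"].subnet_of(s) for s in supernets))


def check_vrf_isolation(global_text, vrf_text, global_plan, vrf_plan):
    """Run both checks; every list is empty when the VRF is properly isolated."""
    g, v = parse_ip_route(global_text), parse_ip_route(vrf_text)
    return {
        "shared": shared_prefixes(g, v),
        "global_outside_plan": prefixes_outside_plan(g, global_plan),
        "vrf_outside_plan": prefixes_outside_plan(v, vrf_plan),
    }


if __name__ == "__main__":
    for name, table in (("Guest", GUEST_TABLE), ("Guest (leaky)", LEAKY_GUEST_TABLE)):
        print(name, check_vrf_isolation(GLOBAL_TABLE, table, GLOBAL_PLAN, GUEST_PLAN))
```

Run it against the real `show ip route` and `show ip route vrf Guest` output captured from each of SG1 – SG4; a non-empty `shared` or `vrf_outside_plan` list on any router means a prefix crossed the VRF boundary, which is exactly what the missing `ip vrf forwarding` on a transit interface would produce.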

Once we have applied these configurations we should have connectivity between SG5 and SG6.

SG5#ping 10.2.46.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.46.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 220/284/404 ms

SG6#ping 10.2.51.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.51.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 220/250/288 ms

Please post comments or questions.  Have fun!

IE-WB2: Lab 1

1) Created a task list but did not stick with it

  • Need to stick with the task list
  • Use the task list as a play book
  • Pay close attention to the Core completion topics
  • Be sure to include relevant notes if you need to return to a topic

2) Started too late and did not have my own drawing

  • Allow more time to get a drawing in place
  • Also allow enough time to read through the lab twice
  • Begin to include Ethernet trunk drawing and inter-switch access and routed ports

3) Trunking

  • Ok
  • Task for making all the non-trunk interfaces never become trunk and vice versa is strange.
    • I assumed all interfaces on the Catalysts applied.
    • The solutions guide did not reflect every port on the device

4) VLAN Assignments and VTP

  • Mixed VTP domain environment
  • Applied VTP domain to Sw1, it was inherited by Sw2 but not SW3
    • Don't know why
    • Did not explore further due to late start
    • Try on my own equipment
  • Be careful of not changing initial configurations of native routed interfaces
  • Be careful to note where native routed interfaces terminate
  • Plan VLAN builds accordingly if the Native routed interface falls on an inter-switch link
  • Build VLANs based on the switches' need for the VLAN or to support forwarding path requirements

5) Did not configure STP

  • Items marked as non-core and did not make it back to the tasks
  • Need more technology specific time with STP and STP advance features

6) PVLANs

  • Item marked as non-core and did not make it back to the task
  • Do a technology overview of PVLANs and VLAN ACLs to gain understanding of task requirements

7) No Frame Relay issues

8) OSPF

  • Discontiguous OSPF area 0 issue
    • Did not see the possibility of a discontiguous Area 0
    • Based on the loss of the FR circuit between R5 and R4
    • Need to be able to identify and be able to fashion a Virtual Link
  • Manipulation of OSPF Network types – no problem
  • Manipulation of sub-second OSPF timers – no problem
  • Manipulation of OSPF backup interfaces
    • Item marked as non-core and did not make it back to the task
    • If I had made it back I would have changed the bandwidth
    • The solution guide used Cost to meet the task requirements
    • Either solution would have worked

9) EIGRP

  • Topology configuration – no problem
  • External advertisement – no problem
  • Authentication – no problem

10) RIPv2

  • Configuration – no problem
  • Authentication – no problem

11) Redistribution

  • Access-list for networks redistributed into EIGRP to be redistributed again into OSPF
    • Created route-map denying the re-entry of the networks back into EIGRP
    • Happy as I saw this before I started configuring redistribution
    • Did a better job of planning the redistribution methodology
  • Interesting EIGRP distance experience
    • Task required that R5 prefer the OSPF path over the EIGRP path to a Loopback address inside the EIGRP topology
    • I chose to manipulate the distance in EIGRP
      • access-list 1 permit 150.18.1.0 0.0.0.255
      • distance 121 0.0.0.0 0.0.0.0 1
    • This configuration worked and changed the AD to 121
    • I do not know if this is wrong as the solution guide indicated a distance command in the OSPF process
    • Also, I learned that if this address were redistributed into EIGRP, then the distance command under the EIGRP process would not have worked
    • You have to use the distance eigrp command to change the AD for all external routes
    • Alternatively, the AD can be changed in the other protocol being redistributed into

12) BGP

  • Route reflection gave me a problem in AS 200
    • Could not see the Client/Non-Client Relationships well enough
    • Will need to practice this a few times
  • Question: What are the BGP Route Reflection Cluster Rules?
  • Question:  I observed that the NLRI for the multi-homed AS attached did not replicate through to the RR clients, Why?
  • Best Path selection using Local-Preference
    • failed this task
    • Applied the route-map adjusting local-preference correctly
    • Forgot to match the prefixes based on AS-Path
  • Best Path selection using MED
    • Did not plan for or appropriately configure the next-hop-self command on R5 to R3

13) IP Multicast

  • Enabling Multicast routing and PIM Interfaces – no problem
  • Configure Auto RP – no problem
  • Configure IGMP test – no problem
  • Configure IGMP filter – no problem
  • Work On
    • Do technology lab on Auto-RP
    • Labs on BSR
    • Labs on advanced Mcast configurations

14) No IPv6 problems

15) QoS

  • Need to review FRTS math
  • Policing – No problem

16) Skipped Security section and did not have enough time to go back to it.  Need to review all security topics.

17) System management

  • RMON
    • Need to work on SNMP server configuration
    • Syslog – no problems
  • NTP
    • Confused NTP master prefer and NTP peer
    • Need to work on all NTP topics

18) IP Services

  • Traffic Accounting – No problems
  • HSRP – no problems
  • NAT – no problems

Overall, nowhere near where I want to be.  This lab is rated as the easiest in the workbook and I clearly failed it.  So, a lot of work to do and not a whole lot of time to do it.

STP Overview

Ethernet Part III

Ethernet Error Analysis

When characterizing the health of an Ethernet segment, the kinds of errors captured and their quantity differ in how they affect the segment's ability to service upper-layer protocol forwarding.  There are six primary error types that can be received on an Ethernet interface:

  1. Local Collisions
  2. Remote Collisions
  3. Late Collisions
  4. CRC/Alignment Errors
  5. Long/Short Frame
  6. Jabber

Local Collisions

This type of collision is recognized as a frame smaller than the 64 byte minimum frame size.  This frame will also have a CRC error.  For Ethernet, this value should be no greater than 2% on contention media.  Collision occurrence begins to inhibit the upper layers' ability to communicate properly at 3% – 5%.

Remote Collisions

The remote collision has the exact same characteristics, except that it occurred on another segment.  The collision occurs on a remote segment and the repeating device propagates it to the local segment.

Late Collisions

This type of collision is an indicator of excess media length.  It is recognized as a frame larger than the 64 byte minimum frame length and is received with a CRC error.  Devices prone to this type of error are at opposing ends of the segment and they do not detect that a collision occurred as the media length is longer than the recommended media maximum.

Cyclic Redundancy Checks and Alignment Errors

This type of error indicates that the frame checksum detected an accidental alteration of data during transmission.  If the frame is received at a normal length and the media is within recommended specifications and a CRC error is received, it can be assumed that the transmitting device is having problems when the error rate is greater than 3 or 4%.

Long/Short Frame

Short < 64 Bytes & Long > 1518 Bytes.  Short frames can indicate local collisions and long frames can indicate late collisions.  Both could also indicate adapter issues on the segment.  Ethernet NICs are built to a standard that relies on the frame size being within a range of sizes.  If the frame comes in outside of the standard length, it will not be processed properly.

Jabber

This is an instance where a NIC is operating improperly and is utilizing the line 100% of the time.  This is caused by the NIC sensing a collision, transmitting a jam signal to clear the line and mistaking the jam signal for another collision and then repeating the cycle of events.  This can consume all segment resources.
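The thresholds in this post translate directly into a segment health check.  As an added example (my own script, not part of the original post), the Python below pulls the relevant counters out of a block of `show interfaces` style counter lines and flags the conditions described above: collision rate above 2% (warning) or above 3% (beginning to impair upper layers), any late collision (excess media length), a CRC rate above 3% (lower bound of the "3 or 4%" figure), and runts/giants as the short/long-frame indicators.  The two counter blocks are constructed for this example and only imitate the counter line layout; the numbers are made up.

```python
import re

# Constructed counter blocks, modelled on the counter lines of an IOS
# "show interfaces" display. All values are made up for this example.
HEALTHY = """\
FastEthernet0/0 is up, line protocol is up
     100000 packets input, 12345678 bytes, 0 no buffer
     0 runts, 0 giants, 0 throttles
     10 input errors, 10 CRC, 0 frame, 0 overrun, 0 ignored
     100000 packets output, 23456789 bytes, 0 underruns
     0 output errors, 1500 collisions, 1 interface resets
     0 late collision, 0 deferred
"""

DEGRADED = """\
FastEthernet0/1 is up, line protocol is up
     100000 packets input, 12345678 bytes, 0 no buffer
     30 runts, 3 giants, 0 throttles
     5033 input errors, 5000 CRC, 0 frame, 0 overrun, 0 ignored
     100000 packets output, 23456789 bytes, 0 underruns
     0 output errors, 4000 collisions, 1 interface resets
     12 late collision, 0 deferred
"""

COUNTER_RE = re.compile(
    r"(\d+) (packets input|packets output|runts|giants|CRC|late collision|collisions)\b")
KEYS = {
    "packets input": "packets_input", "packets output": "packets_output",
    "runts": "runts", "giants": "giants", "CRC": "crc",
    "late collision": "late_collisions", "collisions": "collisions",
}

# Thresholds from the text above (fractions of frames, not percentages).
COLLISION_WARN = 0.02    # "no greater than 2% on contention media"
COLLISION_IMPAIR = 0.03  # upper layers begin to suffer at 3% - 5%
CRC_FAULT = 0.03         # transmitter suspected above "3 or 4%"; lower bound used


def parse_counters(text):
    """Extract the error counters we need from a counter block; missing ones are 0."""
    counters = {field: 0 for field in KEYS.values()}
    for value, name in COUNTER_RE.findall(text):
        counters[KEYS[name]] = int(value)
    return counters


def assess_segment(counters):
    """Apply the thresholds and return the rates plus a list of finding codes."""
    out_frames = counters["packets_output"]
    in_frames = counters["packets_input"]
    # Collisions happen on transmit, so they are measured against frames sent;
    # CRC errors are detected on receive, so they are measured against frames received.
    collision_rate = counters["collisions"] / out_frames if out_frames else 0.0
    crc_rate = counters["crc"] / in_frames if in_frames else 0.0

    findings = []
    if collision_rate > COLLISION_IMPAIR:
        findings.append("COLLISIONS_IMPAIRING")
    elif collision_rate > COLLISION_WARN:
        findings.append("COLLISIONS_ABOVE_2PCT")
    if counters["late_collisions"]:
        findings.append("LATE_COLLISIONS")   # media longer than spec: far-end station did not see the collision
    if crc_rate > CRC_FAULT:
        findings.append("CRC_RATE_HIGH")     # normal-length frames with bad checksum: suspect the transmitter
    if counters["runts"]:
        findings.append("SHORT_FRAMES")      # < 64 bytes: local collisions or a bad adapter
    if counters["giants"]:
        findings.append("LONG_FRAMES")       # > 1518 bytes: late collisions or a bad adapter
    return {"collision_rate": collision_rate, "crc_rate": crc_rate, "findings": findings}


if __name__ == "__main__":
    for name, block in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        print(name, assess_segment(parse_counters(block)))
```

Feed it the counter section of each switch or router interface you are troubleshooting; an empty `findings` list means the segment is inside the limits described above, while `LATE_COLLISIONS` or `LONG_FRAMES` on a single port points at cable length or a misbehaving NIC rather than general congestion.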