cs1#traceroute mac 0015.f91c.4200 0017.08d1.4418 vlan 507 det
Source 0015.f91c.4200 found on cs1[WS-C6509-NEB-A] (x.x.17.2)
1 cs1 / WS-C6509-NEB-A / 10.40.17.2 :Po16 [auto, auto]
2 idf1ds1a / WS-C6509-NEB-A / x.x.35.137 :
Po16 [auto, auto] => Po76 [auto, auto]
3 0338 / WS-C4948-10GE / x.x.0.225 :
Po1 [auto, auto] => Gi1/1 [auto, auto]
Destination 0017.08d1.4418 found on 0338[WS-C4948-10GE] (x.x.0.225)
Layer 2 trace completed.

What this is showing is a single traceroute command from the core L3 switch (6509) to a destination MAC address.  The rad-worthyness of this comes from the fact that without this command, in order to find an end host, you have to do:

• show arp | i [address] (alternately “show ip arp [address]“)
• show mac- address [MAC]
• show cdp neighbor [interface that the last command told you the MAC was seen on]
• login to the downstream device and repeat the last two commands (unless this is the edge device, we have 3-tiers almost everywhere)
• login to the edge device and repeat the same commands again to find the port

If the host guys (identifiable by the words, “it’s the network” coming from their lips) know the MAC of their problematic server you can now shave that mess above down to 30 seconds.  If they just know the IP, 40 seconds.

1. You can do EIGRP metric computations.  With non-default K-values.  In your head.
2. Your 5 year old knows which piece of practice gear to power cycle when you say “R1″.
3. You have developed a personal relationship with the proctor that shows up in your dreams.
4. The word “mutation” makes you think of DSCP, not genetics.
5. You write your own redistribution practice labs because you think your vendor’s are too easy.
6. You know Brian Dennis’ CCIE number, his specialties, and when he earned them.
7. You hate the guy who decided that internal & external OSPF routes should have the same AD by default.
8. You re-write ACLs at work using non-contiguous wildcard masks, just because you can.
9. Dueling with a mock lab seems like an excellent way to spend a Saturday.
10. You have printed over 1,000 pages of DocCD PDFs and read them during lunch hours, neither of which strike you as odd behaviors.

Go ahead and add to my list…

In order to prepare for this work I knew I needed to bone up on MPLS. In 2001 I read Cisco’s VPN book and worked a tiny bit with MPLS at AT&T Labs in a managed firewall offering. But to be honest we did very little and it has been a few years since I touched it. So I asked my coworker for a book recommendation. He came up with the following:

So I started reading this gem this week. To give everyone a feel for the writing style, here’s a nice little nugget from the top of page 13:

“The fundamental LDP rule states that LSR A that receives a mapping for label L for FEC F from its LDP peer LSR B will use label L for forwarding if and only if B is on the IGP shortest path for destination F from A’s point of view.”

WOW! This brought back memories of reading Steven’s TCP/IP Illustrated in 2000 when I was a fresh CCNA working my first job. I can make out the meaning, but it’s a fist fight. And no, this quote was NOT in reference to a diagram. It was the first time I ever wrote “wtf?” as a comment in a margin. The whole book is like this - a paragraph per 10 minutes, and if you lose focus start over. I attribute this mainly to my unfamiliarity with the topic; if 95% of the material is new you have to move slowly. Also, with TCP/IP Illustrated, once I got some solid hands-on experience I re-read the book and it was like the clouds parted and a light shined down from heaven, landing lightly upon my beleaguered brow. I had revelation after revelation.

So to combat this problem I had to make an executive decision. I went ahead and bought Volume 1 of IE’s SP workbook, and went home early to set up Dynamips on my shiny new quad-core gaming box. May the gods have mercy, I started another CCIE book.

But this is NOT a commitment to the SP CCIE. Not in any way, shape or form. I need to learn MPLS and MPLS only right now (plus traffic engineering, VPNs and all the other little nuances of MPLS), and if you look at the table of contents for this workbook, it’s pretty much about MPLS. We may go with IS-IS later on in our core, but I’m confident I can pick that up pretty quickly. I just learn by *doing*, not by reading. Reading only helps me learn if I have some context to put things in, which I gain by fumbling around on the CLI. I can force myself through any book (I was a political science major), but it’s a fight just to stay awake. Better to do something interactive, and use the book to deepen the imperfect but reasonable knowledge gained from clowning around in a lab.

As for right now, I’ll try and get the first scenario labbed up, but we’re going down to Orange County today to see my 5-day old niece. My sister had her second child Monday morning, and I managed to study my way through her first kid’s life so far. And THIS is why I’m not committing to another CCIE right now. I’ll do what studying I can, but the tiny one comes first. Not the other way around.

I really appreciate everyone’s suggestions on my last post.  I guess that I should not be surprised to be changing tactics / plans so soon, but hey, things change.  It appears that based on most replies to my last entry that I need to alter my study plan a bit.

1. I am definitely going to go with Narbik’s Soup to Nuts to start. 
2. I have also rescheduled my bootcamp for Oct 13 - 17.  (this is the date I targeted to give me ample time before the 28 day policy kicks in)  so, I’m keeping my mind open to changing the date based on my progress at that point. 
3. IE Dynamips labs will be sprinkled here and there to keep things interesting.
4. Maybe CCIE assessor labs if all goes well
5. Take Lab Exam

**One additional study item that I failed to mention last post was the IPExpert R&S Audio Boot Camp (Scott Morris before his move to IE)  It’s a really great tool to listen to on the way to work considering the 1-1.5 hour one-way commute - very entertaining

As was pointed out as well I did not include much about my past experience, study habits, and my Cisco trek to this point…

I have been in the “networking” field for going on 8 years now.  For the first 3 years I worked as a Network Analyst in the healthcare arena.  I was focused primarily on Windows & Citrix with a bit of Cisco security, switching, and routing mixed in.  With my next job in the financial industry I dove much more heavily into the Cisco networking world, but I was also a manager, so I had to focus an ever-increasing amount of time on the administrative side of things.  I just started a new job in April with a network consulting company where I will be purely focused on technology.  (both Systems/Servers and Networking)

I have been studying / preparing for the CCIE exam going on 2 years now starting with getting my CCNP back in June of last year.  For the last couple of months I have been getting up to speed on the voice side of things and taking CCVP exams.  (3 out of 5 passed with the Call Manager tests to go)  I have, however, put the CCVP studies on hold until I pass my CCIE lab exam.  Hopefully that doesn’t mean I won’t get my CCVP for a couple of years. 

My current study regimen consists of 2-4 hours of study each evening during the week and then 6-8 hours on each day during the weekend.  I am still keeping a few days open for other activites here and there so that my wife does not divorce me.

Thanks again for the suggestions….I promise next post will contain a little more about technology.  I spent the last 2 days going over Frame Relay and the 3550/3560 switching sections from Soup to Nuts using GNS3 to bring up the topologies.  (I will be starting with RIP, EIGRP, and OSPF over the weekend)

• CCIE Quest
• Nickelby Thane
• Quest 4 Insomnia
• The Ferret’s Corner
• Victor Osborn

Swing on by and see how they are doing. Send me a message if you’d like your active blog added.

My lab exam is scheduled on December 15 so I have a little over 4 months to complete preparations for the exam.  4 months seems like so little time!

Since I currently lack lab equipment, I decided to begin with the Internetwork Expert Dynamips lab workbook.  (labs 1-10)  I began my quest in frustration a couple days back.    The frustration was with my CPU pegging when I started up all of the Dynamips routers.  I tried many different idlepc values with no luck on both Windows Vista and Ubuntu.  After reading posts from others about this issue, I decided to use our home iMac for dynamips.  It works perfectly.  (iMac 2.4GHz with 3GB memory)

I have now completed the first lab (nowhere near within the 8 hours allotted).  I got stuck on everything from frame-relay basics to multicast.  I did, however, start to get a really good feel for searching around the Cisco doccd.  Another thing that should have been obvious, but eluded me to this point, was that I will have to create a logical layer2 topology diagram for myself.  It was a little hard for me to follow what device was in what vlan without going back to the device and doing a show vlan and show cdp neighbor.  I am a visual learner so a drawing did quite nicely…

Unfortunately this post does not contain anything technical as I am still trolling through the details and trying to understand exactly what it is that I don’t understand.  I look forward to Labs 2, 3, and 4 which I hope to finish in the next 10-14 days or so.  At that point, I will go back over the first four labs and find every detail that I can in the doccd. 

Now that hardware is no longer a concern I look to be feeling a little more confident after Lab2.

My plan (as I see it at this time - it certainly may change)

• Complete IE Dynamips Lab Workbook 1-10 (Middle of September?)
• Begin Narbik’s Soup to Nuts workbook (Beginning of October)
• Attend Narbik’s boot camp in November (Nov 10 - 14)
• Work on Narbik’s material (Rest of November)
• Take CCIE assessor labs (maybe - if I can afford it at the time)
• Take real lab exam! RTP (December 15) best practice one can buy

“if i find the guys who told me sp will be easir after rs, i will f***’em up”

Figured that was as good a way as any to start a post here.

At any rate, my previous post described a problem wherein aggregating more than 2-3 10Gbps interfaces into a single 10G interface caused traffic bursts to drop due to identical serialization rates and shallow buffers on the 6704 line cards (any interface speed will be affected thusly, we just happened to see it on 10G).  The solution we opted for was to swap out 6704s for 6708s for the deeper buffers (not using all 8 ports), and if the drop rates didn’t go low enough for our tastes we can take further action.

Naturally this solution isn’t as easy as it sounds, and if you’ve got any experience running a huge, live, mission-critical network spanning multiple sites across the country, you know the logistics are a nightmare already.  Our latest problem is power.  My co-worker summed it up neatly:

1. 6708’s take 444.36 Watts of power compared to 295.26 Watts for a 6704
2. 6708’s with DFC3CXL’s use 473.76 Watts per blade
3. 2 Fans use 443.00 Watts of power
4. Dual sups take 564.48 watts
5. A 4000K Watt PS only provides 3795.12 Watts of power
6. 6000W power supplies take 4 power feeds of 230-260V AC / 20 A, otherwise the power supplies remain at 2900 Watts
7. 6000W power supplies are limited to 4500W in a 6509-NEB-A Chassis, which is our standard chassis

I took the liberty of bolding the important parts - the parts that explain why when we added a 6708 to a chassis last week it wouldn’t power up.

Previously I considered the 6500 platform as, “a little long in the tooth”.  It’s solid, versatile, and can push more traffic than almost any company would need it to.  The code base is mature, if a little confusing when trying to sift the 7600 from the 6500.  However requirements don’t go down, they only go up.  Even after the next 6500 chassis upgrade allows us to push 80G per slot instead of the current 40G, that’s pretty much it for the chassis (and even that’s a chassis upgrade - yeesh).  Thinking 5 years down the line, that only gives you two 40G interfaces per line card.  For versatility the 6500 will still be king, but for pushing 1s and 0s inside a data center it’s clearly not going to be the platform.  This latest problem really just kind of kicks that point home a little harder.  This isn’t a knock on the 6500 - to level set, the 6500 is *the* central platform right now, and has been a flagship and solid offering for almost a decade (I think, maybe even longer.  I can’t remember).  I certainly enjoy working on it more than the old flagship 5500, which made me wish I had become a poet.

So the Nexus 7,000….  We’ve got one in the lab, but haven’t had a chance to test it yet.  There’s also the non-Cisco (gasp!) world.  Foundry does cheap port density, and my experience with Foundry is that it works fine as long as you don’t ask it to do anything terribly complex (call it the Windows of the networking world).  MySpace was actually 100% Foundry for the first ~2 years.  Juniper rocks the face off most routers, but they are just now starting to penetrate the data center switch area, and don’t have anything to slap in the core.  Extreme and some other vendors look ok, but need extensive testing and will have another CLI to learn and maintain.

The main point of this post was supposed to be that we should have planned the electrical load better; we have a “capacity planning” team, but they haven’t managed to actually plan any capacity in a way that could be construed as successful, so there’s no excuse for us not to have done this on our own.  Sorry for the depressing post.  Here’s a smiley face in a vulgar attempt at emotional pandering. 

Working at MySpace means tons of high-speed links everywhere.  Typically we’ll have a pair of 6500s in the data center core, with multiple pairs of 6500s as distribution switches, and a mix of 2960s, 2960Gs, 3560s, and 4948s at the edge.  So the distribution layer aggregates a lot of 1g, but also a decent amount of 10g links, most of which aren’t running even close to hot (<30%).  The core <–> distribution layer connectivity is typically accomplished by 20G or 40G etherchannel, depending upon how much bandwidth is required for a specific distribution pair.  From the DC core, an etherchannel, typically 40G, flings bits upstream to a PoP located in some really expensive site with great connectivity, where we’ll house our border gear and not much else (~5 racks).

So everything seems, as my mother used to say, hunky dory (that means “great” in some weird dialect, she’s an immigrant).  But why were we dropping packets in a PoP when the 20G etherchannel was running at about 6G?  It’s all about serialization.

This particular site has a collapsed core/distribution, with about a dozen high-speed media racks running 10G straight to the core (it’s a very small installation), and the core runs a 20G trunk to the border.  So what we found is that at about 3G per 10G port, we started dropping packets.  It turns out that the 6704 line card for the 6500s has a pretty shallow buffer, and what was happening was that any time more than a couple high-speed racks burst at the same time, the output buffers on the 10G ports heading upstream couldn’t handle the extra packets.  Because the rate of serialization on the DC-facing ports was identical to that of the border-facing ports, the packets arrived at the same number of packets per second as the output ports could send them - but * N, where N equals all of the DC-facing ports.  And due to the shallow buffers on the 6704 line card, the packets just dropped.

So how to fix this slippery little problem?  First of all you have to find it, which in our case was accidental and rather difficult.  The packets we were dropping belonged to music and movie downloads, and those are rate-limited by the application anyway, so there was no noticeable degregation of performance as TCP just compensated.  When one of our architects noticed, we had to figure it out, which is not entirely obvious either.  After all that we had two potential solutions, which are NOT mutually exclusive, and a third which isn’t really an option for us:

1. Reduce the ratio of downstream to upstream 10G ports.  At this site we’re running about 14/2, so a 7-to-1 aggregation ratio.  This is way too much.  From a raw bandwidth perspective we’re doing just fine (everyone says they need 10G, then 6 months later you check and they’re pushing 300Mbps - asi es la vida), but any bursts from a few racks will overrun us.  From now on we’re looking at ensuring a rate of 3/1 depending on circumstances, or perhaps adding a second layer of aggregation, which we have at all sizable installations
2. Replace the 6704s with 6708s and only utilize half the ports.  The 6708 line cards have much deeper buffers, so they can handle the bursts more gracefully.  Obviously if you’re buffering packets you’re increasing latency, but less so than if TCP kicks into slow-start.  This is in fact what we did and we’re now seeing dropless traffic rates up to 6G per port, so more than double the previous levels
3. The third option is to aggregate 1G ports into 10G ports, or in the future aggregate 10G ports into 40G ports.  This solves the problem of the rates of serialization being identical, and that allows the upstream ports to survive multiple downstream ports bursting at the same time.  Obviously we’re not about to rip out 10G uplinks and replace them with 4 or 8-port etherchannels, but this problem isn’t going away any time in the foreseeable future, so when 40G ports hit the market these lessons will still serve well

There is a fourth option, which Ethan alluded to with his remark about “lossless ethernet”.  This is a feature I really like (on paper) about the Nexus.  When a packet comes into port 1 destined to go out port 2, IOS will check the buffer on port 2.  If port 2 can’t handle the packet, it buffers or even drops it at port 1.  This prevents 2-3 bursty racks from overloading the uplink buffers on a distribution switch, essentially telling them to sit down, shut up and wait their turn.  It’s nice to see the same attention TCP received regarding “fairness” (imperfect that it is) finally making its way to ethernet.

If this was interesting to anyone, I have more stories of varying degrees of horror where this came from. 

The one major problem with this strategy is the network. The pipes we need to plumb into the blade centers have to be huge: we need big bandwidth going into these things. So, either we plumb a ton of 1G copper lines into the blade centers, or else we consolidate the network pipes from a ton of 1G coppers into a much smaller number of 10G pipes. 10G is clearly the way to go, but in my corner of the world, that has its challenges:

1. I don’t have 10G ports anywhere. Over the last 2 years, I’ve built a sizable data center on 1G copper, mostly using 6500s in a combined core/distribution layer and 3750s at the access layer. While the new 3750Es support 10G uplinks, the legacy 3750s do not. The 10G need happened all of a sudden, as so many things do in a fast-moving company. It’s not like we had a chance to get it built before it was actually needed.
2. The 10G standards do not include any sort of UTP copper. Blech. I have a data center full of Cat6a, which we were hoping would eventually become a 10G copper standard, but it ain’t happened yet, assuming it ever will. From what I hear, 10G over UTP is a problem.
3. 10G is expensive right now…really expensive. And if you want high port density, the options are few. My beloved 6500 platform isn’t a great answer for high 10G port density. I should restate that - you can get port density, but you’ll oversubscribe the 6500 badly. To eliminate or at least reduce the problem of 10G oversubscription at high port density, you have to get into the Nexus 5K and 7K boxes. Those boxes are so new, they ship with lab techs, never mind that I don’t have the budget for them. So I’m waiting until 2009 to do a serious Nexus eval.

Nonetheless, I still need to get 10G out to the incoming blade centers, so here’s what I’ve done. I’ve added 8 port 10G blades to my core/dist 6500s. To get a physical infrastructure going, I’ve got contractors on-site building a new fiber MDF. While we’re still hoping that we’ll be able to use our Cat6a to carry 10G at some point, for now the answer is multi-mode fiber. (CX4 is okay, but doesn’t go the distances we need.)

Now, to deal with port density…I’m ignoring that particular problem right now, at least as far as the oversubscription issue is concerned. What I ended up doing was buying 4900Ms to act as the 10G access layer. I’ve got the 4900Ms coming back into my 6500s using 2×10G etherchannels (or will just as soon as I’m done building it). So the 4900Ms pick up the blade centers, and the 6500s pick up the 4900Ms. Yes, this design is oversubscribed - this is not Cisco’s new “data center ethernet” proposed standard, which includes the concept of lossless ethernet.

I’ll blog about the 4900Ms later on. I’ve run into a couple of interesting “new to me” features getting them configured.

laura.gillis@insightglobal.net

You have probably read this again and again; it is all about the technologies! So, one of the most important workbook would be the technology labs workbook.

Cisco tells us what we need to know for the CCIE R&S lab exam. Here is the link: http://www.cisco.com/web/learning/le3/ccie/rs/lab_exam_blueprint.html.

So logically our technology lab workbook has to include at least all the topics in Cisco’s lab exam blueprint. This is our first objective measurement tool. Since some technologies can’t be explained well before explaining some other technologies first, there is some level of dependency in the topics covered on the exam blueprint. Another order of leveraging is the distinction between core and noncore topics.

So you will want a workbook which begins with the core topics first and in their right order of dependency. OK, so far we have three measurement points;

• The workbook has to include at least all the exam blueprint topics
• The workbook must present the topics in their right dependency order
• The workbook must begin with the core topics first 

The most important aspect of the workbook will be its didactical value! For that we need to explain the natural learning process which most of us follow. When we are learning something we want to be as efficient and effective as possible. This means that we don’t want any complexity if it is not needed but we do want to know what the technology is all about. Ask yourself the following questions;

• Do you want at this level of learning to be teased by wordings?
• Do you want at this level of learning to be teased by unnecessary complex topologies?
• Do you want a narrator style of explanation which shows you the thought process of a fictive candidate?

The above three points is what you probably don’t want. You want to be as efficient and effective as possible and you want to be helped to form your thought process but you don’t want to be bothered by some fictive thought process.

After creating the framework into which to put the workbook we need the content. The best content is the one written from an author with a sound knowledge in didactical theory and with a lot of teaching hours/experience and an absolute mastery of the content. This is a tough combination to find in one person!

I looked at the following technology workbooks;

• IPexpert Volume 1 Lab Workbook and Proctor Guide                        
• Internetwork Expert Lab Workbook Volume 1 Version 5.0 (beta)
• Net-Workbooks Advanced CCIE Routing and Switching - Technology Focused                           

At this moment the workbook which most comply with the measurement method presented above is, when looking at the complete product, the Net-Workbook Advanced CCIE Routing and Switching. This workbook is missing some  blueprint topics though (for instance L2 .1q tunneling) so it needs some work. But looking at the overall product this is the winner for now. A superb alternative is the upcoming IE Volume I version 5 workbook.  Although this workbook is not finished yet and is still in beta, it looks very very promising.

The one thing I like most about the Net-Workbook Advanced CCIE Routing and Switching is the level of explanation presented. The level of explanation is so detailed that it makes this workbook more of a blend between a study guide and a CCIE workbook. This is really an added bonus which makes the total didactical value of this workbook most superb.

I passed the R&S lab at the end of April - a little less than 3 months ago as I write this.  I have to tell you that I’m not entirely recovered yet.  It’s a subtle thing, hard to describe.  Yes, I passed.  Yes, “it’s over”…but I’m not over it quite.  I feel like I need to sleep for a week straight.  Or enter a demolition derby.  Or go bungee jumping.  Anything that would uncap whatever is still bottled up inside me and let it all go.  If I was a girl, maybe I’d need “a good cry”.  I’m not a girl, but maybe I need one anyway.

To be fair, it’s not just the lab exam.  Last year was personally rough for me, with a lot of demands made on my time and talents almost every time I turned around.  My job (which I’m very thankful to have in the down-turning economy) has a lot of high-profile stuff going on.  Various friends always seem to need something or other.  I can’t tell you how many hours I’ve spent in the last six months doing free (or nearly free) tech consulting for friends who want me to help them build a web site, set up an audio streaming server, whatever.

Some of you know that I’m a dad, too, which is a draining job if taken seriously.  Training kids to function in this world is tough.  They need advice.  They need guidance.  Sometimes they just need a hug and someone to tell them they’re loved and accepted at face value.  But being dad also contributes to the wearing out of a person.

I’m writing this from a beach in Florida.  Because I have to?  No.  Because I want to…doing something because I WANT to do it and not because I HAVE to do it is the first step in curing what I am calling my CCIE post-traumatic test disorder.  I need to get over being wound up all the time.  I need to be able to relax and not feel like I have 16 things I SHOULD be doing instead.  The stress needs to go away.  This vacation is much needed…I’ve taken time off here and there over the last few years, but it’s really been 5 years since I’ve had a real vacation.  My lovely wife and I even left the children behind.

This morning, we went out to the beach (after taking a dip in a vat of sunscreen, of course).  We hung out in the water, swam out to the sandbar and back, and watched the wildlife frolic in the water.  We actually saw a manta ray leap out of the water, maybe 50 meters away.  It’s one of those moments that will be etched in my memory forever - the brown/gray skin of the manta, “wings” flapping a bit, while the sun glistened off its body.  We stayed out for about an hour, then came back in to avoid sunburn, despite being dipped in sunscreen before we went out.  I haven’t hit my mellow spot yet, but at least I know how to find it now.  A week ago, my mellow spot was something I thought I’d lost forever.

Serious studying for the CCIE lab can mess you up.  It really can.  I’m going to be fine, as this vacation is going to help, plus I’m re-ordering my life such that people are less likely to come to me just because they need help with something.  I’ve realized now that I was stressed BEFORE I started down the CCIE road, so getting through it with my sanity intact was fortunate.

Why am I writing all of this?  To make this point - find some balance in your life before embarking on the CCIE journey.  I didn’t do that.  I didn’t find any balance.  I just decided I was going to start, and went for it.  I didn’t jettison any of the other responsibilities in my life.  Of course, I had to keep my job - but if you’re single and could live for 3 or 4 months without working, then I would seriously consider CCIE preparation as a full-time gig.  I have a family - that wasn’t going to change.  But if you’re single, stay that way until you’ve passed the lab.  If you have hobbies that eat into your time, especially if that hobby involves other people, dump the hobbies.  For example, I have done web hosting on the side for years, and also done consulting.  I most definitely should have dumped those things before I started down the CCIE road.  Even with CCIE behind me, I’m getting rid of my web hosting and consulting now to get some cycles back in my life.  Oh, and that CertGuard thing was just over the top.  Don’t even get me started with that.  If I hadn’t gotten such global support from the CCIE community, you can bet I wouldn’t be writing this now.

I’m trying to get to a point where when someone asks me, “Hey, are you going to do another CCIE track?” that I don’t mentally curl up into the fetal position and start sucking my thumb.  From a distance, I’m interested in another track.  Practically speaking?  No way, not close yet.  If my life had been better balanced, I don’t think that’d be an issue for me.  I could have passed the lab, felt all warm and wonderful about having my digits, and then said to myself, “So, what next?  Voice?  Storage?  C’mon, big man, what track will you add to your resume?”  But all I’ve been able to think so far is, “So, what next?  Burn the computers?  Sell all my equipment on eBay?  Become a Luddite?  Fall off the grid and become a subsistence farmer?”

Well, I’m off to perhaps swim a bit more.  My sunscreen awaits.  Here’s to better balance out there.

Here I’ll try to demonstrate EIGRP stub routing with leak map as well as what is called strictly controlled Leak Maps.

Our topology is shown in the figure.

The basic routing configuration on the routers is as follows.

R4 and R5 are running rip.

R5:
router rip
version 2
network 5.0.0.0
network 150.1.0.0
no auto-summary

The rip table of R4 is as follows.

R4#sh ip route rip
5.0.0.0/24 is subnetted, 4 subnets
R 5.5.0.0 [120/1] via 150.1.45.5, 00:00:22, Serial1/0
R 5.5.1.0 [120/1] via 150.1.45.5, 00:00:22, Serial1/0
R 5.5.2.0 [120/1] via 150.1.45.5, 00:00:22, Serial1/0
R 5.5.3.0 [120/1] via 150.1.45.5, 00:00:22, Serial1/0

The EIGRP configuration is as follows.

R4:
router eigrp 10
network 150.1.14.4 0.0.0.0
no auto-summary

R1:
router eigrp 10
network 150.1.12.1 0.0.0.0
network 150.1.13.1 0.0.0.0
network 150.1.14.1 0.0.0.0
no auto-summary
!

R2:
router eigrp 10
network 150.1.12.2 0.0.0.0
no auto-summary

R3:
router eigrp 10
network 150.1.13.3 0.0.0.0
auto-summary
!
Also at R4 we have mutual distribution between Rip and EIGRP.

R4
router eigrp 10
redistribute rip met 1 1 1 1 1
router rip
redistribute eigrp 10 met 1

Now we examine the routing tables on R2 and R3.
We notice that all eigrp routes, including the external RIP routes are in routing table.

R2#sh ip route eigrp
5.0.0.0/24 is subnetted, 4 subnets
D EX 5.5.0.0 [170/2560537856] via 150.1.12.1, 00:00:18, Serial1/0
D EX 5.5.1.0 [170/2560537856] via 150.1.12.1, 00:00:18, Serial1/0
D EX 5.5.2.0 [170/2560537856] via 150.1.12.1, 00:00:18, Serial1/0
D EX 5.5.3.0 [170/2560537856] via 150.1.12.1, 00:00:18, Serial1/0
150.1.0.0/24 is subnetted, 4 subnets
D 150.1.14.0 [90/2195456] via 150.1.12.1, 00:03:54, Serial1/0
D 150.1.13.0 [90/2195456] via 150.1.12.1, 00:03:54, Serial1/0
D EX 150.1.45.0 [170/2560537856] via 150.1.12.1, 00:00:18, Serial1/0

Now we’ll configure R1 as stub.
As a result all external routes should disappear from R2 and R3.

R2#sh ip route eigrp
150.1.0.0/24 is subnetted, 3 subnets
D 150.1.14.0 [90/2195456] via 150.1.12.1, 00:00:23, Serial1/0
D 150.1.13.0 [90/2195456] via 150.1.12.1, 00:00:23, Serial1/0

All right!

Now we’ll discover different options for leak maps by implementing different routing policies.

Policy 1:
Configure R1 such that R2 and R3 have reach ability to 5.5.0.5 and 5.5.1.5 networks.
For this we’ll match the desired networks in an access-list and then implement EIGRP stub Leak Map.

R1
access-list 1 permit 5.5.0.0 0.0.0.255
access-list 1 permit 5.5.1.0 0.0.0.255
route-map EIGRP_LEAK
match ip address 1
router eigrp 10
eigrp stub connected leak-map EIGRP_LEAK

Now we examine the routing tables on R2 and R3

R2#sh ip route eigrp
5.0.0.0/24 is subnetted, 2 subnets
D EX 5.5.0.0 [170/2560537856] via 150.1.12.1, 00:00:28, Serial1/0
D EX 5.5.1.0 [170/2560537856] via 150.1.12.1, 00:00:28, Serial1/0
150.1.0.0/24 is subnetted, 3 subnets
D 150.1.14.0 [90/2195456] via 150.1.12.1, 00:00:28, Serial1/0
D 150.1.13.0 [90/2195456] via 150.1.12.1, 00:00:28, Serial1/0

R3#sh ip route eigrp
5.0.0.0/24 is subnetted, 2 subnets
D EX 5.5.0.0 [170/2560051456] via 150.1.13.1, 00:00:20, Ethernet0/0
D EX 5.5.1.0 [170/2560051456] via 150.1.13.1, 00:00:20, Ethernet0/0
150.1.0.0/24 is subnetted, 3 subnets
D 150.1.14.0 [90/307200] via 150.1.13.1, 00:00:20, Ethernet0/0
D 150.1.12.0 [90/2195456] via 150.1.13.1, 00:00:20, Ethernet0/0

Policy 2:
Configure R1 such as R3 sees both 5.5.0.0 and 5.5.1.0 networks but R2 cannot.
Here we can use ‘match interface’ option in the route-map.
This is called strictly controlled Leak map.

The logic is as follows
1. If “match interface” options is not used, routes are leaked on all interfaces.
2. If “match interface” option is used, routes are ONLY leaked on the interface matched.

So we’ll use match interface argument in the route-map and only match interface Ethernet 0/0, which is connected to R3.

route-map EIGRP_LEAK permit 10
match ip address 1
match interface e0/0

R1#sh route-map
route-map EIGRP_LEAK, permit, sequence 10
Match clauses:
ip address (access-lists): 1
interface Ethernet0/0
Set clauses:
Policy routing matches: 0 packets, 0 bytes

Now we examine the routing tables.
R2#sh ip route eigrp
150.1.0.0/24 is subnetted, 3 subnets
D 150.1.14.0 [90/2195456] via 150.1.12.1, 00:02:42, Serial1/0
D 150.1.13.0 [90/2195456] via 150.1.12.1, 00:02:42, Serial1/0

R3#sh ip route eigrp
5.0.0.0/24 is subnetted, 2 subnets
D EX 5.5.0.0 [170/2560051456] via 150.1.13.1, 00:03:55, Ethernet0/0
D EX 5.5.1.0 [170/2560051456] via 150.1.13.1, 00:03:55, Ethernet0/0
150.1.0.0/24 is subnetted, 3 subnets
D 150.1.14.0 [90/307200] via 150.1.13.1, 00:03:55, Ethernet0/0
D 150.1.12.0 [90/2195456] via 150.1.13.1, 00:03:55, Ethernet0/0

So, only R3 is seeing the leaked networks now, and R2 isn’t

Policy 3:
Allow R3 access to 5.5.0.0/24 and 5.5.1.0/24 networks only.
Allow R4 access to 5.5.2.0/24 and 5.5.3.0/24 only.

So we’ll match the other two routes in another access-list and match that and Interface S1/0 in another route-map argument.

On R1:
route-map EIGRP_LEAK permit 20
match ip address 2
match interface s1/0

R1#sh route-map
route-map EIGRP_LEAK, permit, sequence 10
Match clauses:
ip address (access-lists): 1
interface Ethernet0/0
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map EIGRP_LEAK, permit, sequence 20
Match clauses:
ip address (access-lists): 2
interface Serial1/0
Set clauses:
Policy routing matches: 0 packets, 0 bytes

Now we examine the routing tables again at R3 and R2.

R3#sh ip route eigrp
5.0.0.0/24 is subnetted, 2 subnets
D EX 5.5.0.0 [170/2560051456] via 150.1.13.1, 00:05:48, Ethernet0/0
D EX 5.5.1.0 [170/2560051456] via 150.1.13.1, 00:05:48, Ethernet0/0
150.1.0.0/24 is subnetted, 3 subnets
D 150.1.14.0 [90/307200] via 150.1.13.1, 00:05:48, Ethernet0/0
D 150.1.12.0 [90/2195456] via 150.1.13.1, 00:05:48, Ethernet0/0

Lets test connectivity

R2#ping 5.5.2.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.2.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/68/96 ms
R2#ping 5.5.3.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.3.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/58/80 ms
Policy 4:

Add a loopback0 3.3.0.0/24 on R3. Allow R3 to reach RIP networks when sourced from Loopback 0.
Well this is to emphasize the point that we need to consider all implications of the configuration we make.
Since R1 is a stub connected router, towards R4 it is advertising 150.1.13.0/24 and 150.1.12.0/24 networks which are directly connected, which are then redistributed into RIP and hence R3 and R1 can ping R5’s loopbacks.
But R3’s loopback won’t be advertised to R4 and until we add another route-map entry leaking this network to R4, we won’t be able to reach to R5’s loopback networks from R3’s loopback network.

Lets see this

R3:
int lo 0
ip add 3.3.0.3 255.255.255.0
router eigrp 10
net 3.3.0.3 0.0.0.0

R3#ping 5.5.0.5 source lo 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.0.5, timeout is 2 seconds:
Packet sent with a source address of 3.3.0.3
…..
Success rate is 0 percent (0/5)

Now we add another route-map Entry to allow 3.3.0.0/24 network to leak to R4.

R4#sh ip route eigrp
3.0.0.0/24 is subnetted, 1 subnets
D 3.3.0.0 [90/435200] via 150.1.14.1, 00:00:28, Ethernet0/0
150.1.0.0/24 is subnetted, 4 subnets
D 150.1.13.0 [90/307200] via 150.1.14.1, 00:01:39, Ethernet0/0
D 150.1.12.0 [90/2195456] via 150.1.14.1, 00:01:39, Ethernet0/0
Now this network will be redistributed into rip and we’ll have connectivity.

R3#ping 5.5.0.5 source lo 0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 5.5.0.5, timeout is 2 seconds:
Packet sent with a source address of 3.3.0.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/54/68 ms

Well that’s about it for EIGRP stub Leak Maps.
Please let me know if you find any ambiguity in tthe tutorial.

Me, I am more of a reader than a handyman� that is to say, I spend most of the time reading and far less time labbing. Even in the time I lab, I spend most of time making short labs, testing technologies than doing full scale labs. One reason is that I only have 10 dynamips IEWB full scale labs and I already did them twice anyway.

Recently I requested Brian Mcghann and Petr from InternetworkExpert to allow me access to their Vol 1 Beta labs and very generously they did. I am a customer of IE but due to financial constraints, I bought only first 10 dynamips labs and so the vol 1 beta access wasn’t automatically there for me.
While I am going through the labs, I must say I am impressed and there is also a feeling of déjà vu. My company financed Narbik’ bootcamp and hence I received his advance technologies workbook. I loved that. Basically Narbik took a technology and beat that to death. Quite similar approach of these Beta labs. When it comes to me, I’d prefer such approach above all other that is to learn everything about a technology rather than doing 40 full scale labs. Even before I went to Narbik’s bootcamp, my method of preparation was to read say 15 pages of documentation a day, and lab them up in small labs on dynamips.  Narbik’s labs saved time I spent for cooking up a topology to test a feature.

 I have not seen existing versions of Vol 1, but from what I heard those were very basic. These beta labs are not.

Though I am waiting for OSPF, security and QOS Vol 1 labs, and only after that I can rate these VOL 1 labs completely, I have to admit, I really liked these labs up till now. I even learned one new feature of EIGRP which is EIGRP stub routing with leak maps. If I were to advise anyone on how to prepare, my advice would be to go through Narbik’s Advance Technologies Workbook or( if by that time these VOL 1 labs are out) these VOL 1 beta labs, very slowly.

Do each technology in a week, and not only do the labs, read documentation about every feature and learn it properly. And at the end, do 10-20 full scale labs.

Anyway here are my initial impressions of the labs.

Bridging and Switching:

As I mentioned, my idea of technology labs is to cover all about a technology.

I feel bridging and switching sections should include small labs on following topics

1. IRB (Integrated Routing and Bridging). Of course, we’ll use routers for this J but technology wise the feature should be here
2. DAI (Dynamic Arp Inspection) (Though this topic can be potentially included in security. As I mentioned I need to see the security and QOS, before having a complete idea, as many feature I’d like to see can fall under switching as well as under these two topics. For me, DAI is more of a switching topic.)
3. MVR (Multicast VLAN Registration) And IGMP snooping, IGMP Profile commands etc. But then again, these features may have been covered in Multicast sections. Also IGMP snooping and DAI are inter-related, so for me these should be a part of switching.
4. SDM Templates
5. More explanation in lab 1.18. Trunk ether channel over DOT 1 Q tunnel can cause a lot of problems, if we are not sure of STP and VTP paths throughout our network. Instead of shutting down the links that can cause problems, these problems should be explored.
6. Port Security. ( Again, can be covered in security beta labs)

Frame Relay:

I again learned a new feature, bridging over frame relay and I thought I knew everything about frame relay.

Excellent

RIP:

Excellent labs,

Covering all the topics I think are necessary to learn RIP.

EIGRP:

I learned a new feature here. I can’t make it work though on dynamics unless I add the match interface option in Eigrp Stub Leak Route map.

This needs more research on my part though.

I’ll lab this up over the weekend, and maybe write a tutorial after understanding the feature completely.

Also, I believe strategy wise, IE is on right track.

I’ve known people going through full scale labs rigorously. This approach of learning everything, before doing full scale labs is what I’d recommend and I’ve followed.

I am really looking forward to QOS section, especially Catalyst QOS.

Let’s see how comprehensive those labs would be.

• Andy Lee - http://blog.netengineer.org/
• David Sudjiman - http://www.davidsudjiman.info/
• Dreaming - http://cciedownunder.blogspot.com/

If you are actively blogging about your CCIE journey, let me know if you’d like a link.

What does all of this mean to you and me?  I’m not sure exactly, so allow me to make Wild Speculation Just For Fun to provoke some thought.

• There’s too many CCIE training vendors out there with essentially parallel product lines.  Not everyone is going to make it. For example, I am interested in selling this site.  When I named my price to an interested vendor, negotiations ended.  My asking price was barely higher than one of their end-to-end programs.  If they’d sold 2 end-to-end programs as a result of taking ownership of CCIECandidate.com, they would have recouped their cost.  But they dropped out.  Why?  Obviously speculation on my part, but I can guess that cash flow is tight.  Advertising budgets are tight.  If my price for this site was a major consideration, then they are having to be very careful with their cash management.  (Alternatively, this site isn’t worth what I want for it.  LOL.) Possibly then, other CCIE training vendors are in a similar state.  Thus, my thought that not everyone’s going to make it.  There’s not enough CCIE training business out there to be had.  The CCIE certification is still perceived as too challenging, too difficult for the mere mortal, plus the value of earning and maintaining the CCIE certification is starting to be questioned by a jaundiced but notable few.  Techies are just not flocking to earn the CCIE designation like they do to the entry- and mid-level Cisco certs.
• Vendors are trying to differentiate their product lines, and that’s proving difficult.  Therefore, we might see a price war. You can find people who’ve used any of the big names for their studies, and have nice things to say about those vendors, me included.  I bet you can use this problem the vendors are facing to get some discounts on training products.  Why do I say this?  If you can’t differentiate your product through reputation or perceived quality, you end up having to compete on price.  While we all might have our opinions on which CCIE training vendor is “the best”, at the end of the day, all the big names have a long list of candidates that passed the lab.  In my opinion, most of the big names offer products roughly equal in terms of reputation and quality.  Therefore, the difference becomes largely one of price.  I have no idea if you’ll have any luck, but poke your CCIE training salesperson a bit, and see if you can get some discounts on products you are interested in.  Get competing quotes for competing products, and be ready to share those quotes to the competing salespeople.  Use the environment to your advantage, especially if you’re paying for training materials out-of-pocket.  If you’re an active CCIE blogger, mention it as negotiating tactic.  There’s no point in being a “I spent 80 million dollars on CCIE training” martyr just to impress people with how much you spent on your way to your digits.

Just a reminder - this is purely an opinion article.  I have no inside track on what’s going on at any of these training vendors.  I don’t work for any CCIE training vendors, nor do I currently earn revenue for the banner ads you see in the left pane of this site.  This is just me talking about some things I’ve been contemplating for a while.

When configured on an interface, the router checks the incoming packet’s source address with its routing table. If the incoming packet’s source is reachable via the same interface it was received, the packet is allowed. URPF provides protection again spoofed packets with unverifiable source.

Though basically a single line command, URPF can be a little confusing when used with access-list feature if order of operation is not understood completely.

We’ll use this simple topology to demonstrate URFP

R1 and R2 are connected through frame-relay and an Ethernet connection.

We test our basic connectivity.

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/93/192 ms

Without URPF, we should be able to ping R2’s loopback from R1’s loopback.

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/48/80 ms

R1#ping 2.2.2.2 source lo 0

Here we have to understand the order of operations.

1) When packet arrives at the interface, URPF check is done. If the check is successful, the packet is transmitted, and ACL doesn’t come into play
2) If the check is failed, ACL is consulted. Traffic is allowed or denied based on ACL entries.
3) The thing to understand here is that an ACL with deny any any will not mean that all traffic is denied. It won’t come into play unless the URPF check is failed. If URPF check is successful all traffic is allowed. If it is failed then ACL is checked an traffic is allowed or denied based on the ACL.

access-list 101 permit tcp any any
access-list 101 deny ip any any log-input

From R1:

Password required, but none set

Now lets ping the loopback with source frame-relay interface.

As you can see that though ACL is denying all ICMP traffic our ping is successful.
For the simple reason that ACL won’t be checked until URPF check is failed. And in the above case, it’s successful.

Now lets change the ACL.
Now our intention is to allow HTTP traffic between the loopbacks as well as ICMP traffic and deny all other traffic.

We’ll be able to ping or telnet at port 80 but regular telnet will fail

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/57/80 ms
R1#telnet 2.2.2.2 80 /source-interface loopback 0
Trying 2.2.2.2, 80 … Open

1) IRB (Integrated Routing and Bridging)
2) CRB (Concurrent Routing and Bridging
3) Fall back bridging

IRB is discussed in Lab 3 of internetworkExpert labs.

Basically IRB and CRB are generally used on routers to bridging different VLAN domains. If IRB is used, we can route IP over these bridged interfaces. The topic that is least discussed is Fall Back Bridging that we configure on switches. It is basically for non-IP traffic, and thats why chances of it appearing on the LAB are slim.

I’ll be demonstrating how fall-back bridging works using this example. SW1 has VLAN 11 and VLAN 22 defined and R1 and R2 are in VLAN 11 and 22 respectively. R3 and R4 are connected to switch ports Fa0/3 and fa0/4.

SW1 has VLAN 11 and VLAN 22 defined and R1 and R2 are in vlan 11 and 22 respectively.
R3 and R4 are connected to switch ports Fa0/3 and fa0/4 and VLANS are not defined.
For simplicity the mac-address are as follows.
R1 F0/0 = 0000.0000.001
R2 F0/0 = 0000.0000.002
R3 F0/0 = 0000.0000.003
R4 F0/0 = 0000.0000.004

Our goal here is to make all four router bridge the non-ip traffic between them where as R1 and R2 are in VLAN 11 and 12 respectively and R3 and R4 are not in any vlan.

The configuration of switchports connecting to R1 and R2 are as follows
!
interface FastEthernet0/1
description To R1 F0/0
switchport access vlan 11
!
interface FastEthernet0/2
description To R2 F0/0
switchport access vlan 22

To enable bridging on the physical port first we have to issue no-switchport command on physical interface.
Interface fa0/3 and fa0/4 here.
Here is the configuration of these ports.

!
interface FastEthernet0/3
description To R3 F0/0
no switchport
no ip address
!
interface FastEthernet0/4
no switchport
no ip address
end

Now we configure our fall back bridging.
For R1 and R2 the bridging will be configured under SVIs and for R3 and R4 under physical interface

SW1(config)#bridge 1 protocol vlan-bridge
SW1(config)#int vlan 11
SW1(config-if)#bridge-group 1
SW1(config-if)#int vlan 22
SW1(config-if)#bridge-group 1
SW1(config-if)#int fa0/3
SW1(config-if)#bridge-group 1
SW1(config-if)#int fa0/4
SW1(config-if)#bridge-group 1

And we are done with simple fall back bridging.
For verification, we will simulate an IPX network.

SW1#sh bridge group
Bridge Group 1 is running the VLAN Bridge compatible Spanning Tree protocol
Port 25 (FastEthernet0/3) of bridge group 1 is forwarding
Port 26 (FastEthernet0/4) of bridge group 1 is forwarding
Port 22 (Vlan11) of bridge group 1 is forwarding
Port 23 (Vlan22) of bridge group 1 is forwarding

On R1:
R1(config)#ipx routing
R1(config)#int Fa0/0
R1(config-if)#ipx net
R1(config-if)#ipx netwo
R1(config-if)#ipx network ABC
R1(config-if)#ipx encapsulation sap
R1(config-if)#do sh ipx int f0/0
FastEthernet0/0 is up, line protocol is up
IPX address is ABC.0000.0000.0001, SAP

Similarly on R2, R3 and R4
Our IPX address are as follows
R1: ABC.0000.0000.0001
R2: ABC.0000.0000.0002
R3: ABC.0000.0000.0003
R4: ABC.0000.0000.0004

We will ping from R1 to all other routers and also monitor the bridge group table.

R1#ping
Protocol [ip]: ipx
Target IPX address: ABC.0000.0000.0002
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Verbose [n]:
Type escape sequence to abort.
Sending 5, 100-byte IPX Novell Echoes to ABC.0000.0000.0002, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/66/192 ms
R1#ping
Protocol [ip]: ipx
Target IPX address: ABC.0000.0000.0003
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Verbose [n]:
Type escape sequence to abort.
Sending 5, 100-byte IPX Novell Echoes to ABC.0000.0000.0003, timeout is 2 seconds:
!!!!!
R1#ping
Protocol [ip]: ipx
Target IPX address: ABC.0000.0000.0004
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Verbose [n]:
Type escape sequence to abort.
Sending 5, 100-byte IPX Novell Echoes to ABC.0000.0000.0004, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/48/72 ms
Finally the bridging table on switch

Address Action Interface Age RX count TX count
0000.0000.0001 forward Vlan11 0 20 15
0000.0000.0002 forward Vlan22 0 10 5
0000.0000.0003 forward FastEthernet0/3 0 6 5
0000.0000.0004 forward FastEthernet0/4 0 5 4
Now we’ll play with some features.

SW1#sh bridge
Total of 300 station blocks, 296 free
Codes: P - permanent, S - self

Bridge Group 1:

By default the mac-address are learned dynamically.
We can discard a mac-address, and force a router out of bridge group.
Lets discard R4’s mac address.

This will be done with the following command

SW1(config)#bridge 1 address 0000.0000.0004 discard
SW1#sh bridge
Total of 300 station blocks, 296 free
Codes: P - permanent, S - self

Bridge Group 1:
Address Action Interface Age RX count TX count
0000.0000.0001 forward Vlan11 2 20 15
0000.0000.0002 forward Vlan22 3 10 5
0000.0000.0003 forward FastEthernet0/3 3 6 5
0000.0000.0004 discard - P 5 4
Now R1 should not be able to communicate with R4 but still be communicating with R2 and R3.
Lets test this.

R1#ping
Protocol [ip]: ipx
Target IPX address: ABC.0000.0000.0004
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Verbose [n]:
Type escape sequence to abort.
Sending 5, 100-byte IPX Novell Echoes to ABC.0000.0000.0004, timeout is 2 seconds:
…..
Success rate is 0 percent (0/5)
R1#ping
Protocol [ip]: ipx
Target IPX address: ABC.0000.0000.0003
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Verbose [n]:
Type escape sequence to abort.
Sending 5, 100-byte IPX Novell Echoes to ABC.0000.0000.0003, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/58/168 ms
All right!
Now we can also change the behavior of dynamic learning by using “no bridge 1 acquire” command.
In that case, we have to manually add the mac-address we want to communicate with.
Lets do this and we’ll not manually add R2ś mac-address.

Weĺl see that R1 can ping R1 and R3 and R4 but not R2.

SW1(config)#no bridge 1 address 0000.0000.0004 discard
SW1(config)#no bridge 1 acquire
SW1(config)#do clear arp
SW1(config)#do sh bridge
Total of 300 station blocks, 300 free
Codes: P - permanent, S - self

All right all addresses have gone now.

Now we add

SW1(config)#bridge 1 address 0000.0000.0001 forward vlan 11
SW1(config)#bridge 1 address 0000.0000.0003 forward fastEthernet
SW1(config)#bridge 1 address 0000.0000.0004 forward

We can specify interface if we want, to avoid unnecessary broadcast. But this is not essential for communication.
Let’s see the bridge table now.

SW1#sh bridge
Total of 300 station blocks, 296 free
Codes: P - permanent, S - self
Bridge Group 1:
Address Action Interface Age RX count TX count
0000.0000.0001 forward Vlan11 P 0 0
0000.0000.0002 discard Vlan22 0 0 0
0000.0000.0003 forward FastEthernet1/3 P 0 0
0000.0000.0004 forward - P 0 0

As you can see that R2 mac address is being discarded.
As after no bridge 1 acquire, we need to manually add the mac-adresses.
Now we ping from R1 to R2 and R3 and R4.

R1#ping
Protocol [ip]: ipx
Target IPX address: ABC.0000.0000.0002
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Verbose [n]:
Type escape sequence to abort.
Sending 5, 100-byte IPX Novell Echoes to ABC.0000.0000.0002, timeout is 2 seconds:
…..
Success rate is 0 percent (0/5)
R1#ping
Protocol [ip]: ipx
Target IPX address: ABC.0000.0000.0003
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Verbose [n]:
Type escape sequence to abort.
Sending 5, 100-byte IPX Novell Echoes to ABC.0000.0000.0003, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/29/36 ms

Side Options:

Like spanning-tree we can modify forward time, hello time, and priority (for selecting root) by following commands

bridge 1 forward-time
bridge 1 hello-time
bridge 1 priority

Also under the interface we can modify cost and priority to choose the path to root-bridge

SW1(config-if)#bridge-group 1 priority
SW1(config-if)#bridge-group 1 path-cost

Also aging time in bridge group table can be modified using
SW1(config)#bridge 1 aging-time ?
<10-1000000> Seconds

That’s pretty much it for fall back bridging.
For IRB (Integrated Routing and Bridging) and CRB (Concurrent Routing and Bridging) IE LAB 3 has a good write-up, which should be enough for understanding

�

I am Barooq. I started preparing for CCIE back in September 2007 and also kept a blog http://ccie-chronicles.blogspot.com . I had been more of sporadic blogger, popping in with a few post over an year. Well, now my lab date is set at September 18th, and I am almost through with my preparation. I’ve started to write some tutorials on obscure topics regarding CCIE, and since Ethan has a much wider reader base, I requested him to allow me to put the tutorials here. Which thanks to him, he did.

So here I am, and I’ll start with two tutorials on Fall Back Bridging and URPF, with more to come.

I hope you find these helpful.

Regards

�

Summer 2008 Salary Survey

July 2008

I have on several occasions attempted to get a true international CCIE salary survey done. Most times I think these kinds of surveys are based on employer feedback. So for my first international attempt I am going for the gold. In putting together this survey I wanted to share with you the reason I think it is important.

I often state that we live in a global economy and that when thinking about your career CCIEs should consider the planet as their market. I also feel that salaries for CCIEs should be in step with the demand for their certification number and services. Mostly I think we can do something about retention strategies and wages if we are aware of the real numbers from your peers. I speak with many CCIEs and they are always asking, “What does a CCIE living in _______ make?”

While I was at Networkers this past week it was normal to have someone shake hands, introduce themselves and tell me they knew me from my activities on the internet. I would then be asked, “What does a CCIE living in ________ make?” Well let’s all find out together! Since I ask that question of many CCIEs as I consider them for roles with my clients I get a good feel for the wages and comp plans. There are many CCIEs out there who are not looking for a job though.

I ask candidates in my queue what they make and how they make it. Seems there are a lot of different compensation plans which often blend variables like pre-sales commissions, productivity bonuses, utilization, and certification incentives. Many CCIEs are not familiar with the cash flow beyond the base salary and annual bonus plans and turn a skeptical eye towards blended compensation plans. This survey will cover all these types of compensation scenarios, if I get it right!

(All information will remain in my possession with only the results being published not the names of the respondents. I will not share your name and details with anyone or any organizations. This information is being collected from you for you and will be published on my blog.)

• What state do you live in?
• Gender? (Female/Male)
• How many years of experience do you have in Networking?
• What is your base salary?
• What is your bonus structure? (How much do you actually receive?)
• Does your company have a retention strategy for CCIEs?
• If yes then what are the best components of it?
• Do you feel CCIE wages have kept up with demand?

I look forward to your response.

Thanks

Eman (Emmanuel Conde)
CCIE Agent

E-mail: eman@bridgeresourcing.com
Web: www.bridgeresourcing.com
Blog: www.ccieagent.com

“In order to facilitate a candidate’s desire to study with multiple vendor-provided materials and courses, IPexpert has partnered with Micronics, Inc., a competitor in some respects. Through this arrangement, a customer is able to purchase the products from both vendors at a discounted price.

The owner of Micronics, Narbik Kocharians, is a veteran in the IT (Information Technology) industry, with over 30 years of experience and many career certifications to his credit. Mr. Kocharians has worked with IPexpert in various capacities over the past several years, forming a strong relationship between the two companies.

“We are pleased to work closely with Narbik once again,” said Wayne Lawson, who is the Founder and President at IPexpert. “We believe that customers will greatly benefit from this offering,” he added.”

Thanks for your help with this!

Let me explain.

My exam was in Sydney and I was 1000 kilometres from home. I had flown down the day before the exam to try and get settled mentally. The date of the exam was not my choice as my employer needed to have the required certified individuals for partner status, thus they forced me to an earlier time that I would have liked. They were paying, so who was I to argue.

Day One - Morning

In 2001, the CCIE Lab exam was the two day format and most people considered it to have four parts. You get in, get your exam paper for the first day and wait to start. The morning of day one was building the network, including patching, IP addressing, terminal server configuration, and start work on the sections that you had planned to tackle first. We had to patch our own gear, and make it work, then perform the whole layer 2 configuration and so on up the stack.

At lunch time, we would troop down with some Cisco employee escorts to a food hall and get some food. After lunch, you would then continue on until the end at about five or five thirty depending on your start time.

So you configured on through the afternoon making sure you are pacing yourself against the clock leaving enough time to check your work over for mistakes and rework as needed. Why ? Because the proctor would mark you at the end of the day, before you went home. If you didn’t have enough marks, you were told not come back tomorrow.

Its about how many marks you lose

I always considered the CCIE Lab Exam to be based on how many marks I lost, rather than how many I got. When you think about it, an 80% pass mark means that you know almost everything, with a bit for human error. My approach had always been that I would lose 10 marks to human error, therefore, I could only lose 10 marks to something I didn’t know and thus fail. This type of thinking made me consider that I had to be 90% correct, just short of perfect, rather than 80%, (which is good enough).

I know that other people think about making 80 marks, I always looked at it the other way around. Maybe that is just me.

Technologies

In 2001, the CCIE exam still had topics such as IPX, Token Ring, ATM, DLSW, classful routing and other older technologies. Even wiring the network was a challenge in its own way, token ring took some concentration to get right,

I remember hearing stories of people cabling up and making basic mistakes, or finding a faulty V35 serial cable. Of course, if this happened you had to work it out and fix it yourself. No extra time given.

We didn’t have many preparation resources either. There were only a few Cisco Press books (Doyle!), no bootcamps, and only two companies were that providing practice labs and no online labs. The main reference was the Cisco CCO documentation, and the Cisco Internetworking Guide and whatever you could glean from reading and discussions on Groupstudy ( forever grateful to my fellow candidates). This meant that you had almost no idea what would be on the exam.

My Routing TCP/IP Vol 1 was well thumbed and notated. Radia Perlman’s book on Routing and Bridging was well used as was Caswell’s Routing and Bridging bok. Groupstudy.com was about the only forum where you could go to speak with other candidates. I had about ten or twelve text books in all, and spent a lot of reading and rereading them to get the basics into my mind.

I will always recommend to candidates to take time to learn first principles, it will help more in the exam when you hit a make/break question.

Building a lab

One of the biggest problems with studying in Year 2000 was getting access to equipment. There were no online labs and buying it was really expensive. ATM and Token Ring switches were very rare. Ebay was only just starting out and not everything was even available. For example, I think a Cisco AS2511 terminal server cost about USD$2000. A 4MB flash module for a C2500 router cost USD$175.00.

It cost literally tens of thousands to build lab, including cables, and racks. Assuming you could actually get the kit. I was living in Australia at the time, and the cost of shipping the kit made it even worse.

Day One - Evening

So you get back to your hotel. You are tired /drained, you know you are going back tomorrow but you don’t how many marks you have lost. You can’t help but ask yourself how many more can I afford to lose ? You know the morning of the second day is usually harder than day one, but not always. Did I get the tough questions today ? What topics didn’t I get today, right, so good chance of getting them tomorrow. Are they my best areas ? Should I study ? Should I take a break ?

You might even get some sleep.

Second Day - morning session

On the morning of the second day, you were given another paper that covered more configuration on the network you had built on the second day. You look around and there were a few new faces, these were the Day 1 people replacing those who failed yesterday and didn’t get to come back for Day 2.

So you get started on the morning of Day 2. I knew that if made a good showing here, then I could make the afternoon and have a good chance as passing because I felt confident on troubleshooting. A couple of the Day 1 folks look out of their depth, and sure enough, ask the proctor some stupid questions, you know they won’t be coming back after lunch. Check the clock, make sure you can check your work and fix if needed. Do I need to triage some questions to make the time ? Yes, which question can I bypass ?

Break, and its time for lunch. Did I do enough to make the afternoon ?

Exam format and questions

From what I read of other candidates today, the basic format of the questions and the exam approach has not changed much in seven years. The classics are still there e.g.

• The Breaker - configuring this will break something you did earlier - you had better notice that is will
• The Simple Hook - the question reads complicated but has a simple answer
• The Cracker - A simple question but has a complicated answer
• Make / Break - what I called a make / break question, where either know a thing or you don’t.
• The Builder - the cumulative question where you will have four to six steps, all of which must be exactly right to get the marks.
• The Herring - The misleading question - the question where the obvious answer is not the right answer. We called these land mines
• The Time bomb - the questions is not misleading, but you need to think it through or do things that will suck up time.

Looking back now, I can see the questions are framed this work to make sure that you know your stuff back to front, as well as front to back. Why is this important ? Because that is what happens in real life. Sure, there are questions in the exam that would never happen in real life, or would they ?

People who pass the exam have enough basic knowledge, plus practical experience, to work their way around the questions. Its probably also an IQ test, written to test your ability to reason and carry a mental capacities that are useful for networking.

Second Day - Afternoon session - troubleshooting

So I come back from lunch in a cafe downstairs (escorted by proctors to ensure we didn’t talk about the exam or discuss with people), the proctor takes me and two other guys into a room and makes us wait for bit. He returns and tells one guy that he didn’t make it, time to go home. That’s two left out of sixteen starters on Day One.

Then he turns to us, and we have just made it to the afternoon for network troubleshooting, we need to score very well in this section to be able to pass. Elation - a shot at the title, but, how close am I, do I really need full marks ?

So close. I hadn’t expected to get this far, and I was almost there. What a lift! My wife is primed for a phone call about now, if I don’t call, she knows I made it into troubleshooting. She also knows that I feel good about troubleshooting, don’t know why, but I am hoping that 5 years of field work will be to my advantage.

We are given a new paper that explains that we have to download configurations into our routers and then find, fix and document as many problems in the configuration as possible. You have three hours. Back to the lab.

Instantly I have a problem. I cannot download my configs. Is this a part of the scenario ? I waste fifteen or twenty precious minutes checking, rechecking and then realise the config TFTP server must be shared, and that something else is blocking me. I check with the proctor, and, sure enough, one of the Day 1 people is using the wrong IP addressing scheme is his lab pod. Bad day for him, the proctor was not impressed.

So I finally get to load the troubleshooting configs into my lab pod and start troubleshooting like a man possessed. ATM inverse arp, Token Ring, OSPF Dial Backup, Network statement misconfiguration, redistribution loops and so on. The proctor collected the pages of troubleshooting notes to mark every hour or so. I had a feeling that he was surprised that I found so many, don’t know why, but I got a second wind.

At five thirty it was down tools, and go and sit in the lobby while he marked it up. I saw him go over to other guy doing troubleshooting and tell him that he didn’t make it.

Did I make it ?

I think it took about twenty minutes for the proctor to come down the lift. Every minute was an age, I couldn’t read the look on his face as he approached me. He held out a business card with my number on the back, and congratulated me on passing. Shook my hand, and that was it.

Yep, just like that.

I caught the lift downstairs to the building exit, and called my wife with the fantastic news. And that is when it hit me. It was over and I could return to normal life. No more all night study sessions, no more planning the next study session or lab time. Weird to sit in the hotel room, alone, surrounded by study notes and and text books, and just stare at the wall.

Groupstudy posting

When we passed, we posted in GroupStudy and here is mine:

Gentlefolks

I made my number last week on my second attempt in Sydney, Australia.

I had slightly differnet methods for preparing compared to what is normally posted here. I used a lot of textbooks, whitepapers and CCO reading. My study plan allowed for each hour of lab time to have one hour of book/study time.

The most difficult part was building a lab. It took my nearly 15 months, but once I had it together it was really only a matter of time and energy.

Thanks to all those people who answered my questions. I am off to enjoy my daughter who arrived four weeks ago, and really hasn’t seen much of her dad, and her older sister who rings to tell to come home and play with her.

Somehow I have the feeling that my journey is only beginning.

Regards

Greg Ferro
CCIE #6920

Wrapup

I don’t know if my journey was interesting, but I hope you get something from it. My best wishes to you if you decide to undertake the test.

My journey has certainly been interesting after passing, but I post on my blog when I can about that, come and visit if you can.

Greg Ferro

http://etherealmind.com