Hello loyal CCIE candidates!Â I have to apologize ahead of time because I am going to be writing my reviews of Volume 3 labs 1 and 2 at the same time.Â So, they may not be as thorough as usual. To be honest, I’ve been going so hard at these labs, I kind of have already forgotten what the hell I did on Lab 1!Â I am going to sift through the proctor guide now to try and remember some things.
Task 1.4 — This had an interesting verification command I picked up. Part of the task said to “use the template on Cat1 that will allocate the TCAM resources to support the highest number of indirect unicast routes”Â Well, I was almost sure it would be “sdm prefer routing” but wasn’t positive.Â The docCD didn’t really mention any of the key words either when I looked up the different templates.Â I had forgotten all about the command “show sdm prefer”.Â This command is awesome, because it will actually show the numbers for template.Â So, if you run this command against each template you can simply look at the numbers and figure out which has the highest number of unicast routes.Â I’m still not sure what was meant by “indirect” but oh well.Â Oh yeah, don’t forget to save your config and reload your switch after changing the sdm template!!! Even though it tells you to do so, it is so easy to say “Oh yeah, I’ll do that after the switching section”Â Not good if you come to find out later you got 0 points for that task!
Cat1#sh sdm prefer routing
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1K VLANs.
number of unicast mac addresses:Â Â 5K
number of igmp groups:Â Â Â Â Â Â Â Â Â Â Â Â 1K
number of qos aces:Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â 512
number of security aces:Â Â Â Â Â Â Â Â Â Â 512
number of unicast routes:Â Â Â Â Â Â Â Â Â 16K
number of multicast routes:Â Â Â Â Â Â Â 1K
Task 2.2 – EVIL at it’s best — This task made me want to punch somebody in the mouth repeatedly.Â Or perhaps beat them on the head with one of those old style terminal keyboards…you know the really solid ones that could have potentially be used as a weapon At first it looks innocent, “For the connection between R4 and R5 use a PPP over frame configuration with RFC 1973 encapsulation.Â The connection should use CHAP authentication.Â For authentication, both devices should use a username of T3ST123 and a password of PPPoverFr@m3.Â Both sides should challenge and respond”
OK, so PPPoFR, not so bad.Â I did a quick check for “1973″ in the command reference to make sure I wasn’t missing something weird, but it turns out that RFC just specifies PPPoFR.Â The evil part came with the CHAP configuration.Â By default CHAP will use the router name as a username.Â Therefore, you would need to define “username <remote router> password <password>” in a simple config.Â Alternatively, you can specify what username and password to use with the “ppp chap hostname” and “ppp chap password” commands.Â If you just use “ppp chap hostname” it appears you also need that hostname set up as a user on the remote end with a password defined.
So here we had “ppp chap hostname T3ST123″ on both ends as well as “username T3ST123 password PPPoverFr@me” on both ends…NOTHING…and everytime I did debug on ppp auth all you get is some error saying the authentication was rejected because you have the same username on both ends.Â After 45 minutes of searching the documentation and playing on the router I broke and looked at the PG.Â The magic answer is an undocumented command called “no ppp chap ignoreus”.Â Even in IOS help you cannot see this command, and it is nowhere in the command reference.Â Truly insane.
Task 2.3 — This was the first task I have had that required one end of a PPP link acquire it’s IP address from the other end.Â I was aware of IPCP before, but had never configured it.Â I went to the doccd and was able to figure out “ip address negotiated” on the remote end.Â However, in the documentation it really doesn’t tell you how to specifiy which address you will receive from the other end.Â Turns out the answer to that one is “peer default ip address”Â If you look that up on the doc cd it makes perfect sense, but it sure would be nice if they had an example with both commands in the same place.
Task 3.6 — I pat myself on the back for getting these right.Â I love these questions that make you use insane access-lists!Â “Configure R4 to receive routes via RIP from BB2.Â R4 should receive routes from BB2 of the format 172.20.x.y.Â Only allow routes with a third octet from 33 to 46, using an access-list.Â Your access list should use the fewest number of lines that will not allow any extra networks”
The first thing I do with tasks like these is write out the binary.Â So in this case I wrote out in notepad the binary versions of 33 – 46.Â Then, carefully examine them and find out where you can group things together.Â I no longer have that notepad around, but the end solution was
access-list 20 deny 172.20.32.0 0.0.0.255
access-list 20 deny 172.20.47.0 0.0.0.255
access-list 20 permit 172.20.32.0 0.0.15.255
Task 3.9 — Redistribution — Here we had to “redistribute as needed on R1, R2, R5, and R6 so that all routers can reach all networks”Â This is a section where I am trying to improve my speed.Â This was the first time I attempted it with no filtering to save time, and it worked out OK.Â I carefully examined my diagram to make sure no loops would happen, and turned on “debug ip routing” on all the redistribution routers just in case.Â All was good!
Task 6.2 — Frankly, this task turned out to be a real bitch.Â I knew how to do it, it just was NOT working.Â I kept getting frame-relay encapsulation failed and it didn’t make any sense.Â After 2 or 3 days of having some of the most respected engineers in the industry graciously looking at my configs I found out it was an IOS bug.Â Go figure.Â This was a DHCP task.Â You had to setup a DHCP server on R4, to hand out addresses to hosts on an ethernet that was across R4′s frame cloud.Â The trick was using ip helper on R6, not that hard in theory.
I used to fear IPv6.Â I was just very unsure about it.Â But after doing these practice labs, I am considering IPv6 to be easy points!Â Most of the configurations are fairly straight forward.Â It’s just a matter of knowing the basics.Â Hopefully the real lab is as kind
task 8.3 — This was cute, in that it asks you to configure R2′s fastethernet interface to drop ICMP type 0 and type 8 packets within a certain size range.Â Pretty simple QoS task IF you know what ICMP type 0 and 8 happen to be.Â Luckily for me, I had been debugging some ICMP earlier in the lab and if you do a debug ip packet detail on an icmp ACL it will actually reveal to you that type 0 and 8 are ICMP echo and echo-reply.Â Marvelous!
All in all, this was a success.Â I definitely passed this lab.
Stay tuned for Lab 2 review maybe when I finish this beer
With all this knowledge filling my head for the CCIE, I wanted to try to do something useful with the QoS!Â I’m not entirely sure I’ve accomplished what I set out to do, but I hope so.Â Maybe some of you QoS experts out there can lend a hand or a comment.
Here is the situation:Â Â I pay Comcast for 8Mb/384Kb internet service.Â I also have Vonage for phone service.Â Comcast comes into my Cisco 3725 router’s Fa0/1 interface.Â It’s other interface, Fa0/0 is trunked down to a cisco switch.Â The Fa0/0 interface is divided into 3 subinterfaces to provide VLANs.Â Fa0/0.1 is VLAN 1 for my wired network, Fa0/0.2 is VLAN 2 for my wireless segment, and Fa0/0.4 is for Vonage.
A problem I often run into is that if I am downloading a large file using bit-torrent or some such thing, it can really smoke all my bandwidth.Â It is not uncommon for me to be pulling down at 800KB/sÂ (yes kilo-Bytes! , which comes out to about 6.5 Mb/s).Â This puts a damper on simple things like checking email, and especiall web browsing, DNS query’s, etc.Â Also, if I do a speed test from speakeasy.net I can pull up to 16Mb/s during non-peak hours.Â My goal was to prioritize traffic such that if bit-torrent or some such thing was sucking all my bandwidth, priority protocols (such as http, pop3, https, smtp, dns, etc) would get guaranteed traffic.Â Additionally, if the phone rings or I place a call I want Vonage to have guaranteed traffic.
This presented more problems than I thought!!!Â Well what can I do?Â I first thought about CBWFQ.Â Going out fa0/1 to the internet it was easy.Â I set bandwidth 384 on the interface, and created the following:Â Basically, I have to shape the interface going to the internet to 384Kb/s outbound or else there will NEVER BE CONGESTION and thus NO queueing because it is just 384Kb going out a 100Mb interface!Â What this does is shape all the outbound traffic to 384Kb/s and gives my priority protocols 50% (192Kb), Vonage voice 128Kb and the SIP the other 10%.
Policy Map parent
Average Rate Traffic Shaping
CIR 384000 (bps) Max. Buffers Limit 1000 (Packets)
Policy Map priority-traffic
Bandwidth 50 (%) Max Threshold 64 (packets)
Bandwidth 10 (%) Max Threshold 64 (packets)
Bandwidth 128 (kbps) Burst 3200 (Bytes)
Class Map match-any priority-traffic (id 4)
Match protocol http
Match protocol secure-http
Match protocol telnet
Match protocol smtp
Match protocol pop3
Match protocol imap
Match protocol secure-pop3
Match protocol secure-imap
Match protocol secure-ftp
Match protocol ftp
Match access-group name rdp
Match protocol ssh
Match protocol icmp
Match protocol dns
no ip dhcp client request dns-nameserver
ip dhcp client route track 1
ip address dhcp
ip access-group firwall-wan in
ip nbar protocol-discovery
ip nat outside
no ip mroute-cache
no cdp enable
service-policy output parent
This actually worked really well so far as I can tell!Â That wasn’t so bad.Â But then I started thinking about the traffic coming back IN.Â So right now by queueing outbound it is good if I am uploading a bunch of traffic and need to go to a webpage…the GET request from me will get priority during congestion.Â But what about downloading?Â What if I am downloading a huge file and it is sucking all 8Mb of my bandwidth and I go to surf the net?Â Those http,dns, voice packets coming back into my network are going to get crapped on.Â So,Â I started thinking about outbound queueing on the LAN facing interfaces.Â This is where I ran into the bulk of my problems.
IF there is nothing priority going on, I want my PC to be able to pull down as much as possible from comcast, which as I said I have seen in speed tests peak to 16Mb/s.Â However, if say about 75% of the bandwidth I pay for is being sucked up, I want to prioritize my “priority” traffic and voice traffic so they are always fast.Â One problem again is that my Fa0/0.1 and fa0/0.2 , fa0/0.4 subinterfaces cannot have queueing without shaping first.Â After shaping you can nest in your CBWFQ configurations.Â What happens is that by shaping, you are actually creating congestion, which then allows queueing to happen.Â OK, so how do I shape those subinterfaces?Â If I use MQC to “shape average” to 8Mb it will not allow throughput of over 8Mb/s on average over time.Â Then, I could create congestion and queue, but lose out on that peak to 16Mb thing.Â If I “shape peak” with CIR of 8Mb and PIR of 16Mb it seems the shaper only goes active at 16Mb, which basically will never happen.Â Which I think means I will no longer have active queueing as there will be no congestion.Â So I was kind of stuck.
Here is what I came up with.Â I am pretty much learning QoS for the CCIE lab exam so am very new to it.Â I’d love to hear any feedback from you guys on 1) If I am doing this correctly and 2) Better ways or ideas!!!!
So here is my fa0/0.1 interface… Oh yeah, you will notice the class “outside” which nests the other stuff instead of class class-default.Â This is so that only traffic from the internet coming into my LAN gets shaped.Â Otherwise, I would have Inter-VLAN routing traffic from WLAN –> LAN shaped!
So the idea here is this, and again I’m not sure this is a correct implementation of what I have explained.Â Â Â Anything with a source address of ANYTHING not 10.x.x.x gets shaped to 8Mb/s.Â Thus, if there is more than 8Mb/s traffic coming into the lan (out the fa0/0.1 interface) it is shaped and thus creates congestion, which in turn allows queueing.Â IF there is congestion my priority traffic should get a guaranteed 4.5Mb/s of traffic.Â That should be more than enough to keep my stuff snappy.Â Â Now, a problem.Â What happens to traffic that is NOT priority during congestion?Â It still gets passed as best effort through the default-class right?Â So say I am sucking down a huge download and it is taking all my bandwidth…the queueing kicks in and 4.5Mb gets allocated to my priority stuff and life is good.Â Now, the phone rings …..well the rest of the bandwidth is being chewed up by the large download so I’m screwed.Â Remember, Vonage is on a seperate sub-interface which is not bound by this queueing system.Â This is why I have a class called “other” which is basically the opposite of anything defined as priority traffic.Â It actually gets put into a priority queue with 1.5Mb because by creating a priority queue I also police!Â So hopefully if I am sucking down a huge download, 4.5Mb will be allocated to priority, 1.5Mb will be given to the rest of the junk (large download) and NO MORE than 1.5Mb ….this adds to 6Mb and should still leave me with more than enough for quality phone conversations.Â Note fa0/0.4 is a /30 and only has 1 device on it, the vonage phone, so the ONLY traffic going out that queue is voice traffic so I should not have to queue it.
encapsulation dot1Q 1 native
ip address x.x.x.x 255.255.255.252 secondary
ip address 10.1.0.1 255.255.255.0
ip access-group firewall-lan in
ip pim sparse-mode
ip nat inside
no ip mroute-cache
ipv6 address xxxx:F4B8:2600:C::1/64
ipv6 address xxxx:F4B8:2600:C::/64 eui-64
ipv6 nd prefix xxxx:F4B8:2600:C::/64
service-policy output lan
Policy Map lan
Average Rate Traffic Shaping
CIR 8000000 (bps) Max. Buffers Limit 1000 (Packets)
Class Map match-all outside (id 5)
Match access-groupÂ 55
Standard IP access list 55
10 denyÂ Â 10.0.0.0, wildcard bits 0.255.255.255 (29740 matches)
20 permit any (8771772 matches)
Policy Map priority-lan
Bandwidth 4500 (kbps) Max Threshold 64 (packets)
Bandwidth 1500 (kbps) Burst 37500 (Bytes)
Class Map match-all other (id 6)
Match not class-map priority-traffic
I guess that is it!Â I am still pretty uncertain about this and would love some feedback.Â On a sidenote, I am still screwed on that 16Mb burst thing so far as I can tell since I am shaping!
- Joe A
Another pretty decent lab effort!Â I was overall pretty pleased with performance on this lab.Â Here are the gory details I know you are all dying to hear!
Task 1.2 — Bridging — So to start the lab, they give you all the VLAN numbers and addresses you should be using and basically tell you to set them up as normal.Â They give you 2 VLANs, 8 and 81 with the same address….hmmmmm.Â I honestly thought this could possibly be an error in the lab workbook (things like this are not uncommon) so I peeked at the PG for a second to validate.Â Having noticed that it was a bridging configuration I had no problem configuring it.Â I had 2 subinterfaces on the router doing the bridging (R8), each trunking with their own tag (encap dot1q 8 and encap dot1q 81) down to the switch which was also set to trunk.Â Then I used IRB for my layer 3 address.Â The REALLY interesting part of this configuration came later when you were required to run 2 different EIGRP processes on the same router on that subnet.Â So EIGRP 65530 peers with the switch I think it was, and EIGRP 65531 peers with a BB router.Â I honestly didn’t know if it would work, but it did!
Task 1.3 — I lost 2 points here because I didn’t come up with the right answer plain and simple.Â “Configure Cat2 port Fa0/15-20 so that the ports are set for increased security and reliability when connecting to desktops in VLAN 6″ hmmmmm port security crossed my mind for security, but what about reliability?Â Wouldn’t that make it LESS reliable due to possible port shutdowns, etc?Â Turns out they were looking for a built in macro “cisco-desktop” applied via “macro apply cisco-desktop $access_vlan 6″.Â If you get in a jam you can always use “show parser macro” to see the built in macros.Â To be fair, it actually says on the doc-cd that this macro increases security and reliability hehe
I have to say this was probably one of the more complex OSPF scenarios I have labbed, mainly due to the fact that there was a different kind of authentication used in every different area.Â It took me a while to setup, because I had MD5 here, plain text there, and even “use md5 with the default key” meaning NULL.Â I definitely made a stupid mistake in my OSPF setup here.Â I’m not entirely sure if it would be counted WRONG since I did find a way around it.
You are to configure Area 40 which is directly attached to area 0, but they tell you to “configure area 40 so that it only has a default route with a cost of 4444 to reach all networks not attached to BB1″Â So to me that meant totally-stubby area for sure. dude.Â So I configured area 40 as totally stubby and went about my business.Â BUT later in the lab you redistribute RIP into OSPF area 40 which caused me some grief.Â Since you can’t redistribute into a stub area, I simple created a tunnel between R4 and R6 and slapped it into area 0.Â It worked fine, but now I see the OBVIOUS better choice would have been to simply make area 40 a toally NSSA (dude). As far as the cost, I just did “ip ospf cost 4443″ on R4′s interface and that seemed to work nicely, although what they were looking for was a nssa configuration whereby you push out a default route using “area 40 nsssa default-information-originate no-summary” followed up with “area 40 default-cost 44444″.
Task 3.5 had another one of those annoying caveats whereby you shake your head and go “what the hell does that even mean?”Â “Configure OSPF area 69 between R6/R9.Â Authenticate this link with type 1 authentication.Â This area should be as fault resilient as possible”Â OK what the hell does “as fault resilient as possible” mean here?Â R6 connects to R9 with a multilink PPP interface so I guess that is what they mean — make sure both links are in the bundle?Â The already were from a previous task but whatever.Â No problem.Â Also this required a virtual-link over area 69 as off the other end of R9 we hadÂ a discontiguous area 0.
Section 6 — Redistribution — I should have been a better student and read the entire lab ahead of time!Â The first thing they ask you to do here is “redistribute all loopbacks into their IGP”.Â Of course I had already added all the loopbacks via the network command so I had to go back, remove all the network commands and write route-maps for all my routers.Â bah.
My redistribution seriously took me like 30 minutes.Â The lab called to “redistribute at every point on the network where thereis more than one protocol running on a router.”Â I always have a difficult time trying to figure out what needs to go where to end up with full reachability, no loops, and the least amount of typing, so my default solution is to do mutual redistribution everywhere with route tags and filtering just to be safe.Â I swear to God on R8 I had 5 route-maps totalling a couple pages long.Â I should seriously figure out how to do this more efficiently, but I always fear the dreaded routing loop.Â Everything worked fine, but I probably did way more redistribution than was required for reachability.
Task 7.3 — “ensure that only directly connected clients of AS 102 can transit AS 50″ hmmmm I definitely misunderstood this task entirely.Â I probably would have asked the proctor.Â When I thought of directly connected clients, I thought they meant like actual PCs, computers on the local subnet.Â Turns out they mean directly connected AS peerings because the solution here calls for an as-path access-list that only allows routes from neighbors with only 1 other AS in the path.
Task 8.2 — “provide a means for routers within the network to retrieve an IOS file called BACKUP.bin from R1″ — OK I got the idea here, tftp-server command pointing to flash but I didn’t know they wanted you to do it for REAL as in I typed in “tftp-server flash:BACKUP.bin” and the PG has “tftp-server flash:c2800nm-adventeeprisek9-mz.124-3a.bin alias BACKUP.bin” eh.
Task 8.3 — I was proud of myself for finding this one since I was dead in the water without the doc CD to figure out “monitor the total packet and byte count for each precedence value inbound on the multilink interface of R9″.Â I did a find for “precedence” in the command reference somewhere and found the answer “ip accounting precedence input”
Task 8.4 — The question nor the answer make any sense.Â “users behind BB1 on 184.108.40.206/16 must be able to transit the network transparently to connect to users behind BB3 on 220.127.116.11/16.”Â OK at first I thought transparently hmmmm maybe some NATing.Â The problem I kept running into was that those 200.x routes where nowhere to be found … uhhhhh even on the backbone routers.Â The solution guide calls for a GRE tunnel between the 2 routers that attach to the 2 backbone routers,Â and some PBR.Â That still doesn’t solve the problem though.Â Say your PBR matches a source packet from 18.104.22.168/16 OK it throws it out the tunnel.Â It gets to the other side and dies because the other side STILL has no route to 22.214.171.124/16.Â Bad task.
Task 9.3 — I made a dumb mistake here and configured my time range for 8:00 AM to 6:00 PM instead of 8:00 PM to 6:00 AM.Â Damn!
Task 9.4 — “There is an IP phone connected to port fa0/15 of Cat2 using 802.1p.Â Ensure that data frames are set to CoS 1″Â I came damn close but missed the “switchport priority extend cos 1″ command.Â I had “mls qos cos 1″ instead.
There was a requirement in the lab to only use open standard protocols and I configured AutoRP instead of BSR in multicast section out of habit. bah.
Well, I had MLK off today, so I did lab 14 and some other reading.Â It was a pretty good effort I think, although to be honest I struggled with some of the IP services section….some just very not well known options that I failed to find on the DocCD.Â Â I’ll cover the things I missed here, as well as any other notes I feel relevant.
Task 2.1 had me confused for quite some time.Â It was very basic — assigning switch ports to the proper vlans.Â However, the mapping they gave you in the workbook referenced Gi0/0 on R2 for some reason, which didn’t exist on the diagram….hmmmm……After a good 10 minutes staring at it, I broke down and checked the final configurations…nothing there either.Â I take this as a typo.
The overall layout of the lab was confusing at first, becuase it was quite different than any of the other lab topologies.Â Particuarly, you had to use subinterfaces on R1 as well but it was definitely not clear in the diagram, and no task really mentioned it.Â You just had to figure it out from looking at the diagram.Â It just said R1 whatever interface was for VLAN A/C.Â So, wasn’t sure if I was to use a secondary or what.Â I did end up getting it.
Task 2.5 — Port Security — This has me puzzled for a while.Â It was a basic task whereby you are only to allow the mac address of R4 on it’s switch port.Â I configured switchport port-security prior to configuring switchport port-security mac-address and kept getting an error in IOS saying I had a duplicate MAC address.Â Turns out I had to configure the mac address on the port in port-security first, then do “switchport port-security”.Â I accomplished this by defaulting the interface and starting the task over.
Task 3.2 — No Peer Neighbor Route, and no documentation either!Â — Most of you reading this probably know about the “peer neighbor-route” command for PPP.Â It is the command that enables a /32 host route to be installed in your routing table when doing PPP.Â The “no” form of this command removes it of course.Â I got this part of the task, but I think it is worth noting that so far as I can tell this is an undocumented feature.Â It is not on the master command list for 12.4.
Task 4.3 — RIP Filtering — This task states very specifically “Various routes are being advertised from BB3 to R7. Using an access-list with a single line of config, accept only the following routes:
Now, I did get the answer to this as listed in the PG: access-list 1 permit 10.1.0.0 0.0.6.255.Â Â Then, link that to a distribute-list.Â The thing is that when I was writing this I noticed that it doesn’t allow ONLY those routes.Â technically, since we have 2 bits in the “don’t care” position in our ACL it actually allows 2^2 or 4 routes …. the other one it allows is 10.1.0.0/24.Â I guess it would be an “ask the proctor” because I don’t think there is a way to do this in one line as instructed.
Task 5.4 — This asks you to have R1 prefer all EIGRP routes from R2.Â You are not allowed to change the referenced bandwidth on any router.Â The solution is to simply change the delay.Â However, the PG opts to increase the dealy on R1′s interface connected to R2 ….which to me would do the OPPOSITE. I configured an increased delay on R1′s interface connecting to R5 so that routes coming from R5 would have a WORSE metric …seemed to work
My redistribution section was far more involved than the proctor guide called for …but whatever.Â They are using no filtering whatsoever, and I have decided to always to route-map filtering at every point of redistribution.Â To me, not using filtering is asking for trouble especially in a CCIE lab where you are doing mutual redistribution between everything.Â Well worth the 10 minutes to whip up a handful of route-maps.
Oh yeah, I also had to do some minor tweaking here.Â I had to change the distance of any RIP routes learned from R7 on R8 so that the RIP routes were preferred over OSPF.Â Otherwise, I ran into issues (a routing loop) trying to ping the R7 loopback from R1′s loopback.
Task 7.1 — Basic BGP setup — Technically I probably would have lost 3 points here.Â I forgot to do a “next-hop-self” when neighboring between R1 and R2.Â The reason it was needed is because the routes that are learned on R1 from BB2 have a next hop of 172.16.something and there was a previous lab requirement that 172.16 routes should not be in any routing tables other than “connected”.
Task 7.3 — BGP prefix-list — Frankly, this task pisses me off.Â I think the wording chosen is pretty poor — “R6 should not accept any prefix with a mask length of 24 bits or more from AS400 or AS125.Â As the admin of both As400 and AS125 make the necessary changes to provide redundant connectivity through AS67 to AS21.Â Do not suppress any other routes and ensure all AS-Path attributes remain unchanged”
OK, so right off the bat I know I need a prefix list on R6 inbound on both of it’s neighbors.Â R6 has a single BGP peering to both AS400 and AS125.Â But that wording about redundancy???? WTF?Â Do I need to make some sort of redundant peering?Â The answer turned out to be just adding an aggregate route on the AS400/As125 neighbors with as-set ….and make sure not to add the summary-only keyword.Â I don’t really get it ….I mean OK I guess it is “redundant” because now you have 2 routes …a summary /22 and the more specific /24 routes, but it is not TRULY redundant is it?Â I mean if the physical link goes down you are fucked anways.
Task 8.1 — Definitely missed this one.Â Â “Reduce the amount of time to a minimum that R6 will wait before timing out a telnet session that it has originated”Â hmmmmmm I searched the doc-cd for a bit but was unable to come up with “ip tcp synwait-time 5″
Task 8.3 — Smoked again by “On R8 ensure that configuration files are reduced in size before being saved to NVRAM” — After looking at some options like archive, and tar for a while, and searching some command references I gave up on this one which turned out to be “service compress-config”Â Had I been searching in the correct place I would have found this.
Task 10.1 — Custom Queuing — This task OWNED me hard!Â I knew how to do custom queueing, but the task asked you to also distribute a % of bandwidth for each queue.Â For instance “15% of bandwidth to DNS traffic with a packet size of 350 bytes”Â Turns out there is some insane formula for this conversion on the doc CD.Â If you look under QoS config guide, you will find it under the congestion management section overview.Â Even after having done all the math, my numbers did not come out to exactly what they asked for.
Task 10.2 — Rate Limit question — I got this task, but I am just wondering about the BC and BE values used.Â According to the documentation you are supposed to use (configured rate in bits / 8) * 1.5 for BC and (configured rate in bits / 8) * 3 for BE, but the PG seems to just pick random values for these
Task 10.3 — Marking — I got the idea here, but made a dumb mistake which ended up marking ALL traffic with IPP 1 instead of marking some traffic with IPP 1 and other traffic with IPP 2.Â It was a simple logic mistake in my policy map.
Task 12.4 — “Reduce by half the amount of time R8 will wait before issuing the following message “% Password: timeout expired!” when logging in.Â — Totally couldn’t find this.Â Turned out to be “timeout login response 15″ on the vty lines.Â Again, had I looked in the proper section I would have found this easily.Â I was hunting around the terminal services, management, and configuration fundamentals sections — naturally it was under security where I failed to look
All in all not too bad of an effort.Â It was actually pretty refreshing after Lab 13 completely and utterly owned me.Â Looking forward to lab 15 and finishing out volume 2!
Overall I was very happy with my performance on this lab.Â I was determined not to do any peeking at the proctor guide at all even if the question was unclear.Â Below you’ll find some random notes and stuff that I got dinged on.
Frame Relay Setup — The tasks stated that R5 and R6 could not use subinterfaces, but didn’t say anything about R4.Â Since R2,R4 were a seperarate subnet, I went ahead and did a p2p subinterface on both sides.Â The proctor guide used P2P on R2 and physical on R4, but no restriction no foul as far as I’m concerned
Task 6.2 — This task asked you to create a “logical interface” between R9 and R5 and allow them to talk in EIGRP AS 69.Â Despite the fact that R5 is in your OSPF domain and R9 is in EIGRP AS 69.Â No biggie, I did a GRE tunnel correctly.Â I just wanted to note that I went ahead and changed the AD of any routes learned over the tunnel to 111 just in case, so that routes learned via OSPF would be preferred.Â Otherwise, you can get into some nasty recursive routing issues with your tunnel.Â Another fun part about this task is that it is impossible to do without either adding a static route, or by doing your redistribution first.Â I chose to finish my redistribution and come back to this task.
Also, I’ve decided to ALWAYS use route-map filtering when redistributing multiple routing protocols.Â Even if you think there is no possibility for a loop…It only takes about 10 minutes after you get the hang of doing it and you will feel MUCH better.Â I always tag everything going out of a routing protocol and deny that tag coming back in at every point of redistribution.
Task 8.1 — BGP — Simply put, my setup was different than the proctor guide, but I don’t believe that their solution is a required way to do it.Â In the BGP setup, they say that R2 should be in AS 64513 and that it should peer to R1.Â R1 should see the peering as a peering with AS 200.Â Then, there is R9 over in AS 64512 which they tell you to ;peer to BB3 and that BB3 should see it as AS 96.Â In the proctor guide they configure a confederation using AS 200 as the main AS and 64512, 64513 as sub-AS as well as a local-as 96 on R9 to BB3.Â I simply just did local-AS 96 on the R9/BB3 peering and local-as 200 on the R1/R2 peering.Â Nowhere in the lab does it say anything about the R9/BB3 peering having anything to do with AS 200 so ….whatever I think this should be fine.
Task 8.2 — (- 2 points) – Absolutely retarded mistake.Â They tell you that R2, R4, R5 are in AS 64513 and that R2 and R4 should only have 1 internal peer each.Â Thus, R5 should be a route-reflector.Â I went ahead and configured R2 as a route-reflector, probably because I was so used to it from other labs, and because it is the frame-relay hub and sort of a natural place to put it.Â doh!
Task 8.4/8.5 – Here we are asked to inject any routes learned as OSPF Type 5 LSAs into BGP without using the network command on R7.Â After that we are told to advertise them to R8 but NOT to R5.Â Â For the first part the proctor guide uses “redistribute ospf 1 match external” in the BGP process.Â I guess it is a faster way to do it then my solution, which is below.Â I used a route-map to match external routes, and also tag them with a community so I can use the community for the advertise to R8 but NOT R5 bit later on down.Â For the filtering bit the proctor guide used a prefix list ……eh same result.
ip bgp new-format
router bgp 700
redistribute ospf 1 route-map OSPF2BGP
neighbor 126.96.36.199 route-map BGP-R5 out
R7(config)#do sh route-map OSPF2BGP
route-map OSPF2BGP, permit, sequence 10
R7(config)#do sh ip community
Community standard list 1
route-map BGP-R5, deny, sequence 10
community (community-list filter): 1
Policy routing matches: 0 packets, 0 bytes
route-map BGP-R5, permit, sequence 20
Policy routing matches: 0 packets, 0 bytes
neighbor 188.8.131.52 route-map BGP-R5 out
Task 9.1 — Some insane shit that doesn’t make much sense — This task was pretty irritating to me.Â At the beginning of the lab they tell you that the ethernet segment off of R8, 172.31.80.0/24 should not be in the routing table of any other routers.Â To start this task they tell you to make sure that any telnet traffic sourced from BB1 from an address of 10.1.1.1 and going to the ethernet segment of R8 takes the path through R6.Â Well how in the world would somebody on BB1 have a route to the ethernet segment of R8 if they have no route to it?Â Ah good question.
Now, the very next task tells us that there are users on R8′s ethernet segment that need access to every subnet in the lab.Â It goes on to remind us that 172.31.80.0/24 should not be in anybody elses routing table.Â OK, that part is fine, I can NAT to handle that requirement.Â But, it still doesn’t solve the first issue….if I am natting , the network 172.31.80.0/24 is still hidden from everybody else, so how would you be able to telnet to it?Â Obviously they wanted PBR configured.Â I configured PBR, but for my destination I put in the subnet of the outside NAT network instead of 172.31.80.0/24.Â In the proctor guide it has the PBR solution with a destination of 172.31.80.0/24 …I don’t get it.Â If a router had no route to the destination address, does it still do PBR?Â I doubt it…even if it did, it would send it to the next hop (R6) and then R6 would have no idea what to do with it. bah.
Task 9.3 (-4 points) — Mobile ARP. I simply had no idea how to do this.Â I had heard of it before, and I was poking around in the right places on the docCD but I did not get it right.Â Furthermore, after looking at the answer later I realized that my lab routers (3640′s and 2600 series’) don’t even have the command “ip mobile arp”.Â I still need to read up on this.Â I was reading in the ip mobility config guide and it seemed pretty interesting, but none of the stuff in there was actually used as the answer.Â They were talking about stuff like the home agent and the foreign agent, and the solution simply used ip mobility arp on the remote router and did some sort of insane redistribution of mobile routes into OSPF.
Task 11.1 — This asks you to configure a DHCP server on one of the routes, with very specific requirements to provide the information for a call manager at a certain IP address.Â I couldn’t remember if it was option 150 or option 66 so I did both.Â The answer was option 150 , but I don’t think I’d be knocked points for putting in both???
Task 11.2 (-2 points) — I got half of this right.Â It asked you to “make sure the router keeps track of assignments to specific hosts so that a hacker cannot take over a previously assigned IP.Â Do not allow older-style devices to request an IP address”Â I nailed the first part with “update arp” in dhcp config mode, but the 2nd part threw me.Â Turns out the answer was “ip dhcp bootp ignore” bah!
– Task 14.1 (-2 points) – Multicast setup — I think I might have botched this a little to be totally honest, although the right idea was there.Â The task asked you to “using the most appropriate mode, configure R2,R5,R6,R7, and R8 to support multicast on all attached LAN interfaces.Â configigure all their LAN interfaces to receive multicast group 184.108.40.206 for their users.Â Configure R5′s loopback as the RP”
I used ip pim sparse-mode on all the LAN interfaces.Â The PG used sparse-dense-mode.Â Everything else was pretty much right, except in the PG they enable pim on the frame interface of R2 even though it only tells you to put it on the LAN interfaces….it’s because R2 has to travel over the frame to get to R5,7,8 in this lab and I overlooked that.Â So close, but yet so far haha.
14.3 (-1 point) — Multicast testing “Configure R1 to be able to test the multicast network”Â …….. uhhhhhhhhhhh ???? OK.Â I found some info on MRM and did my best but it wasÂ a far cry from the solution.
I just did “ip mrm test-sender-receiver” on R1′s ethernet interface.
The solution was below:
access-list 21 permit 172.31.12.2
access-list 22 permit 172.31.200.7
access-list 22 permit 172.31.80.8
ip mrm manager MyTest
manager fa0/0 group 220.127.116.11
receivers 22 no-join
receivers 22 sender-list 21
So I guess all in all according to my grading I got -11 for a total of 89/100.Â Now if only I could refrain from mouthing off to the proctor during the interview I will now be required to take, I would have passed
I just finished up volume 2 lab 11.Â I’ve had to put a limit on my study time on work days as of late.Â My new rule is to try to not go past 2:00 AM when I have work the next day, or I have a seriously hard time getting up in the morning.Â I was pleasantly suprised last night to have finished all the way through my BGP section in about 4 hours.Â This included the initial hour I spent drawing out my diagrams, reading the lab all the way through, etc.Â I would say this was a fairly mild lab in terms of difficulty.Â There was no IPv6 and no multicast so that was a nice suprise.
I ended up doing pretty well, but I screwed up on the following tasks:
Task 2.2 — Etherchannel setup — I cry proctor guide error on this for sure, and I’ve sent in an email.Â The task asks us to use an “industry standard” etherchannel protocol, so I configured LACP using “channel-group 1 mode active”, yet the proctor guide shows “channel-group 1 mode on”.Â I am pretty sure this is a mistake on their part.Â It also says that “etherchannel ports should be statically in trunking mode and should not use DTP to negotiate trunks.”Â Therefore, I configured “switchport mode trunk” and “switchport trunk nonegotiate” on all my etherchannels.Â For some reason the proctor guide did not include the switchport nonegotiate command, but I’m quite sure it should be there
Task 3.2 — R6/R9 PPP Setup — I don’t know if this would be considered wrong in the real lab or not.Â I did not read the question carefully enough.Â In this lab there are 2 serial links between R6 and R9.Â The task specifically asks you to configure an ip address for 1 of the serial links.Â I jumped right in and configured MLPPP instead of just configuring the 1 link and shutting the other down. bah!
Task 3.3 — R7/R8 back to back frame-relay — This seems to be a common problem area for me.Â I always seem to not fully understand the question and end up configuring something extra.Â The task was to configure the serial link between R7 and R8 with frame-relay encapsulation.Â Do not configure any layer 3 addresses on the physical interface. R7 and R8 should peer to each other in the 172.16.78.0/31 and 172.16.78.2/31 subnets over 2 seperate PVCs.
For some reason, when I see something involving back to back frame with multiple PVCs I seem to think PPPoFR.Â So, I went ahead and configured PPPoFR with 2 virtual-templates on each side, each with it’s own DLCI….and it worked great.Â But the easier solution, and thus the one in the PG was to simply configure 2 point-to-point frame-relay subinterfaces.Â The PPP part was totally unnecessary.Â Again, I’m not sure if I would get knocked points for this or not because technically my soltion did use the right subnets and 2 separate PVCs and it did work.
Task 5.4 — EIGRP Timers — I got the first part of this question which was to tweak the SIA timers, but I botched the 2nd one.Â I’m still not sure I fully understand the solution.Â The task asked me to “Configure the EIGRP process on R2 and R4 to drop routes from inactive neighbors after half of the default time”Â My solution was to configure the hold time on both R2 and R4 to 90 seconds (the default over NMBA interfaces is 180 seconds).Â The solution in the proctor guide was “timers nsf route-hold 120″.Â I looked up the command, and I am not really sure what the difference is between that and the hold timer to be honest
Task 9.1 – QoS — I nailed this 5 point task except for one little thing.Â In my MQC policing I entered “police <rate>” instead of “police rate <rate>” so I ended up configuring the CIR instead of an actual bitrate.
Thats it for now.Â Lab 12, coming soon
- Joe A
First let me say it’s good to see cciejourney back in the mix of things for the new year!Â We’re all behind you buddy, and going through it all together.Â With that being said, I’d like to announce that I have officially scheduled my lab date.Â 5/11/2009 @RTP.Â Be afraid.Â Be very afraid.
I am feeling pretty good after going hardcore into IPexpert volume 2 full scale 8 hour labs during the majority of my 2 week Christmas break from work.Â I am just finishing up lab 6 tonight, and overall I have done pretty well.Â Some suprises, and some things I did not know, but overall not a massacre or anything.Â I don’t know if this is a good thing completely.Â I’m paranoid.Â If I do fairly well on all these full scale practice labs, does it truly mean I am ready to sit the lab?Â How do you know?Â I dunno, I guess you never really DO know….so I just scheduled it.
If I am not ready by May and end up failing, well at least I will get to take a crack at it, and see what the real deal is all about.Â Otherwise, I might go insane.Â Sometimes I feel fairly confident, other times I can’t help but thinking of some fallen comrades that I know for sure know as much if not certainly more than I do that have failed on first attempts.Â Well, what can you do really….May 11 here I come!
- Joe A
I have been lost ever since I stepped off my plan after the emergency landing when heading out to Narbik’s. I have to thank Joe for keeping the blogs atleast updated with new material for the past seven weeks. My goals just became disconnected from Area 0 it seems Well with a new year starting there is no better time to recreate them and move forward I guess.
I have accepted the fact that I am going to have to retake the written exam. How much that really pains me to accept I just accepted it and moved on. This time though I think I am going to lab more along side of it. Makes it alot less punishing to study nine hundread pages of theory with practicing labs on the same subjects.
First thing I really need to do is get my week with Narbik rescheduled. I am going to attend Internetwork Experts 5 day camp as well. I just need to decide on a date for that, but that will come a while after Narbik’s. I plan on attending Narbik’s twice hopefully. Everything will become a bit fuzzy after April because I will be up for jury duty then. Hopefully I won’t be picked, or even called upon. If I am hopefully it is just for something small and quick.
There are a few things around the house that also need addressing such as finishing one half of the basement. Somehow when you have a child who is experiencing his first Christmas it means he is getting more gifts than your house can hold. So we really need to do this to have a little more room in the house. Hopefully that will not take all that long to do. ..