CCIE Voice – Deep Dive Module 1 ($99 Value)

1.0 – Introduction and Basic Theory

http://ieclass.internetworkexpert.com/p49924175/

1.1 – Net Infrastructure Hands-On: VLANs, NTP, DHCP

http://ieclass.internetworkexpert.com/p85573473/

1.2 – Net Infrastructure Hands-On: DHCP, TFTP

http://ieclass.internetworkexpert.com/p41558071/

1.3 – QoS Advanced Theory

http://ieclass.internetworkexpert.com/p44458827/

1.4 – QoS Advanced Theory cont’d

http://ieclass.internetworkexpert.com/p71682550/

1.5 – QoS LAN Hands-On

http://ieclass.internetworkexpert.com/p31037485/

CCIE Voice Specific Q&A Follow-Up Discussion

http://ieclass.internetworkexpert.com/p27856701/


After two years of hardship, study and no life, today I passed the CCIE RS exam in Hong Kong.

Thanks to all those who supported me on this journey.

More blogs to come!


Cisco introduced CCIE in 1993 to help individuals, companies, industries and countries succeed in the networked world, by distinguishing the top echelon of internetworking experts.

Today the CCIE program sets the standard for internetworking expertise and evolves with the industry. The CCIE program is committed to valid, fair and high quality exams.

What CCIE certification stands for:

  • CCIE identifies experts with the skills and experience to handle the most challenging assignments in their field. CCIE exams are constantly updated and revised to evolve with the industry, focusing on current technologies and real-world applications.
  • CCIE is recognized worldwide as the most respected high-level certification in the industry (see Awards & Recognitions). The program continually updates and revises its testing tools and methodologies to ensure unparalleled program quality, relevance and value.
  • CCIE is an objective way to compare individuals, or job candidates, with different experience and backgrounds.
  • Preferred status is given to Cisco partners who employ CCIEs (find out more at Cisco Channel Programs).

Why you should hire a CCIE:

  • Maintenance of your network is fundamental to protect assets and to ensure seamless operations. The environment is growing more complex with operations conducted over VPNs, wireless, remote access and the Internet. You need proven experts to choose, implement and maintain the solutions required.
  • Having certified staff can increase the confidence of your customers, investors and business partners, and thereby boost your organization’s credibility, reputation and value.
  • Certified CCIEs are a highly-select group. Less than 3% of all Cisco certified individuals make it to the CCIE level, a tiny fraction of IT professionals worldwide.
  • Passing the exams is not easy. Earning your CCIE requires passing a lab exam in a time pressured environment. Hands-on experience is the only way to prepare for the lab.
  • CCIEs have invested a lot to expand their knowledge and further their careers. The average candidate spends thousands of their own dollars and at least 18 months pursuing certification. He or she will attempt the lab exam more than once before passing.
  • CCIEs are committed to maintaining their expert skills. Keeping their status active requires passing a recertification exam every two years.

Why you don’t want to lose a CCIE from your staff:

  • The risk to operations is significant with the loss of a qualified IT expert. The remaining staff must compensate to avoid disruptions that impact customer satisfaction, reduce productivity or inflict economic loss.
  • Return on investment in an employee is disrupted with turnover. Employers invest in certified staff through training courses, books and technical materials, practice equipment, time off for study and exams, and the cost of the exam itself.
  • It takes time to achieve certification. The typical CCIE will spend at least 18 months completing the process and take the lab exam more than once before passing.
  • The benefits of Gold or Silver Channel Partner status are only available to companies who maintain the required number of certified staff.

Source:  http://www.cisco.com/web/learning/le3/ccie/employers/index.html


IPv6 multicast does not use IGMP; its equivalent is the Multicast Listener Discovery protocol (MLD). MLD version 1 (RFC 2710) corresponds to IGMP version 2, and MLD version 2 (RFC 3810) corresponds to IGMP version 3. MLD version 2 is therefore what provides Source Specific Multicast (SSM) in IPv6 environments.

Using MLD, hosts indicate which multicast groups they want to receive, and routers (queriers) use that information to control where multicast traffic is forwarded on the network.

MLD messages are carried in ICMPv6 (Query is type 130, the MLDv1 Report is 131, Done is 132 and the MLDv2 Report is 143). They are always sent from a link-local source address with a hop limit of 1, so they never leave the link, and they carry the IPv6 Router Alert hop-by-hop option so that routers examine them even when the destination is a group the router has not joined.

MLD version 1 uses three message types: Query, Report, and Done. Done corresponds to the IGMP version 2 Leave message: it tells the querier that a host no longer wants the group, and it triggers a group-specific Query to check whether any other receivers remain on the segment.

Configuration options for MLD closely mirror the IGMP tasks we already had to master. ipv6 mld limit caps the number of MLD state entries (receivers) on an interface, ipv6 mld join-group makes the interface itself a "permanent" member of a group, and, as with IGMP, the query and response timers can be tuned to change the protocol's mechanics.
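To make the framing rules above concrete, here is an added example (not code from the original page) that builds an MLD message the way a host or querier would, then parses one back and applies the RFC 2710 receiver checks: ICMPv6 checksum, hop limit 1, link-local source, Router Alert present. The function names and the test addresses are constructed for this example; FE80::C000:2FF:FE97:0 is the querier address from the show output that follows. Nothing is sent on the wire.

```python
"""Build, parse and sanity-check MLD messages (RFC 2710 / RFC 3810 framing).

Added example, not from the original page: packets are assembled in memory
only (nothing is sent) and the addresses used by callers are constructed.
"""
import ipaddress
import struct

MLD_TYPES = {130: "Query", 131: "Report (MLDv1)", 132: "Done", 143: "Report (MLDv2)"}
NH_HOPOPT, NH_ICMPV6 = 0, 58          # IPv6 next-header values
ROUTER_ALERT_MLD = 0                  # Router Alert option value 0 = "contains MLD"


def icmpv6_checksum(src, dst, payload):
    """One's-complement checksum over the IPv6 pseudo-header plus the ICMPv6 message."""
    pseudo = src.packed + dst.packed + struct.pack("!IxxxB", len(payload), NH_ICMPV6)
    data = pseudo + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_mld(msg_type, src, dst, group, max_resp_delay=0, hop_limit=1, router_alert=True):
    """Return an IPv6 packet: fixed header, hop-by-hop header with Router Alert, MLDv1 body.

    hop_limit / router_alert can be given non-compliant values to produce test packets.
    """
    src, dst, group = (ipaddress.IPv6Address(a) for a in (src, dst, group))
    # MLDv1 body: type, code, checksum (0 for now), max response delay (ms), reserved, group
    body = struct.pack("!BBHHH", msg_type, 0, 0, max_resp_delay, 0) + group.packed
    body = body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]
    if router_alert:
        # 8-byte hop-by-hop header: next hdr, ext len 0, Router Alert (type 5, len 2, value),
        # then PadN (type 1, len 0) to reach the 8-byte boundary
        hbh = struct.pack("!BBBBHBB", NH_ICMPV6, 0, 5, 2, ROUTER_ALERT_MLD, 1, 0)
        first_nh, payload = NH_HOPOPT, hbh + body
    else:
        first_nh, payload = NH_ICMPV6, body
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), first_nh, hop_limit) + src.packed + dst.packed
    return hdr + payload


def parse_mld(pkt):
    """Decode an IPv6 packet and apply the RFC 2710 receiver checks.

    Returns (info, problems); an empty problems list means the message is acceptable.
    """
    _, _, nh, hop_limit = struct.unpack("!IHBB", pkt[:8])
    src, dst = ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40])
    off, router_alert = 40, False
    if nh == NH_HOPOPT:                                   # walk the hop-by-hop options
        nh, ext_len = pkt[off], pkt[off + 1]
        opts, i = pkt[off + 2:off + 8 + ext_len * 8], 0
        while i < len(opts):
            if opts[i] == 0:                              # Pad1 has no length byte
                i += 1
                continue
            otype, olen = opts[i], opts[i + 1]
            if otype == 5 and olen == 2 and struct.unpack("!H", opts[i + 2:i + 4])[0] == ROUTER_ALERT_MLD:
                router_alert = True
            i += 2 + olen
        off += 8 + ext_len * 8
    if nh != NH_ICMPV6:
        return {}, ["next header %d is not ICMPv6" % nh]
    body = pkt[off:]
    msg_type = body[0]
    info = {"type": MLD_TYPES.get(msg_type, "ICMPv6 type %d" % msg_type),
            "src": str(src), "dst": str(dst), "hop_limit": hop_limit, "router_alert": router_alert}
    if msg_type not in MLD_TYPES:
        return info, ["not an MLD message"]
    if msg_type != 143:                                   # MLDv1 layout: group address at offset 8
        info["max_resp_delay_ms"] = struct.unpack("!H", body[4:6])[0]
        info["group"] = str(ipaddress.IPv6Address(body[8:24]))
    problems = []
    if icmpv6_checksum(src, dst, body) != 0:              # stored checksum makes the sum verify to 0
        problems.append("bad ICMPv6 checksum")
    if hop_limit != 1:
        problems.append("hop limit %d, must be 1" % hop_limit)
    if not src.is_link_local:
        problems.append("source %s is not link-local" % src)
    if not router_alert:
        problems.append("Router Alert option missing")
    return info, problems
```

A General Query built with max_resp_delay=10000 matches the "max query response time is 10 seconds" shown by show ipv6 mld interface below; a Report forged from a global address with hop limit 64 and no Router Alert is exactly the kind of message a querier (or an MLD-snooping switch) should discard, and parse_mld reports all three violations for it.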

Enabling IPv6 multicast routing with the global configuration command ipv6 multicast-routing automatically enables Protocol Independent Multicast (PIM), and with it MLD, on the interfaces that have IPv6 configured; no per-interface command is needed. Here are the verifications:

R0#show ipv6 pim interface
Interface          PIM  Nbr   Hello  DR
                        Count Intvl  Prior

Tunnel0            off  0     30     1
   Address: FE80::C000:2FF:FE97:0
   DR     : not elected
VoIP-Null0         off  0     30     1
   Address: ::
   DR     : not elected
FastEthernet0/0    on   0     30     1
   Address: FE80::C000:2FF:FE97:0
   DR     : this system
FastEthernet0/1    off  0     30     1
   Address: ::
   DR     : not elected

Notice that PIM is on only for Fa0/0, the interface configured for IPv6 in this scenario. Now verify MLD:

R0#show ipv6 mld interface
Tunnel0 is up, line protocol is up
 Internet address is FE80::C000:2FF:FE97:0/10
 MLD is disabled on interface
VoIP-Null0 is up, line protocol is up
 Internet address is ::/0
 MLD is disabled on interface
FastEthernet0/0 is up, line protocol is up
 Internet address is FE80::C000:2FF:FE97:0/10
 MLD is enabled on interface
 Current MLD version is 2
 MLD query interval is 125 seconds
 MLD querier timeout is 255 seconds
 MLD max query response time is 10 seconds
 Last member query response interval is 1 seconds
 MLD activity: 5 joins, 0 leaves
 MLD querying router is FE80::C000:2FF:FE97:0 (this system)
FastEthernet0/1 is administratively down, line protocol is down
 Internet address is ::/0
 MLD is disabled on interface

Lab 6 Volume 4

by: CCIE Pilot

Ticket 1: EIGRP

The slower EIGRP path through the Frame Relay cloud is being used because the optimal path, the port-channel between SW3 and its neighbouring switch, is down.

The fix is in the port-channel, not in EIGRP.

When an EtherChannel is carried across dot1q tunnel ports, each physical member link needs its own tunnel VLAN so that the two links stay separate and LACP sees each one as a point-to-point link. Here VLAN 100 is used for one link and VLAN 101 for the other.

Make sure each tunnel access port facing the port-channel has a unique VLAN ID:

interface FastEthernet0/17
 ! use vlan 101 on the second member link
 switchport access vlan 100
 switchport mode dot1q-tunnel
 l2protocol-tunnel cdp
 l2protocol-tunnel point-to-point lacp
 no cdp enable
 spanning-tree bpdufilter enable

The effect is that EIGRP prefers the faster path across the EtherChannel. Verify with:

show etherchannel summary

Ticket 2: Connectivity

Use a bottom-up approach and check layer by layer.

Here you will find that a frame-relay map statement is misconfigured; correct it.

For RIP running on a multipoint NBMA (Frame Relay) interface, make sure split horizon is disabled on the hub, otherwise routes learned from one spoke are never advertised back out to the other spokes.

show ip interface serial 0/0/0

show frame-relay map

Ticket 3:  BGP

When dealing with BGP, clear all lower-layer issues first.

In this case the Frame Relay keepalive (LMI) has been turned off, which brings the circuit down and the BGP session with it.

Watch also for iBGP route-reflection issues: if the iBGP speakers are not fully meshed, make sure a route reflector is configured and its clients are defined.

show ip bgp neighbors

show run interface

Ticket 4: IPv6

This case involves IPv6 tunneling, specifically 6to4 automatic tunnels.

Make sure the tunnel source IPv4 address is configured correctly and is reachable from the far side, since the 6to4 tunnel destination is derived from the IPv4 address embedded in the 2002::/16 prefix.

Check that a static route for 2002::/16 points at the tunnel interface.

ping ipv6

Ticket 5: Multicast

Perform a basic multicast topology analysis. PIM must be enabled on every hop of the path from R3 to R6, including any tunnel interface in that path.

Watch out for RPF failures.

A static mroute (ip mroute) can also be useful to fix the RPF interface.

Ticket 6: Core Dumps

Check for reflexive access lists along the path. Use passive FTP: the client opens both the control and the data connection outbound, so the reflexive entries permit the return traffic. With active FTP the server opens the data connection back towards the client, and that inbound SYN matches no reflexive entry, so no data session is established.

Active FTP will not get through the packet filter.

Check the core dump configuration. FTP is cleartext, so the credentials below and the dump itself cross the network unprotected; give the account write access to the dump directory only.

ip ftp username R6CORE
ip ftp password CISCO
ip ftp passive
exception core-file R6DUMP.txt
exception protocol ftp
exception dump 148.6.3.100
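The active/passive difference is easiest to see as a sequence of 4-tuples. The following added example (not code from the page) models a reflexive ACL as IOS applies it: an outbound TCP session creates a temporary entry for its reversed tuple, and inbound packets pass only when such an entry exists. It then drives both FTP modes through the model. 148.6.3.100 is the dump host from the ticket; the client address and port numbers are constructed.

```python
"""Why active FTP fails through a reflexive ACL while passive FTP works.

Added example (not from the original page): a minimal model of reflexive-ACL
state driven by the two FTP connection patterns.  The client address and
ports are constructed; 148.6.3.100 is the dump host from the ticket.
"""
from dataclasses import dataclass, field

CLIENT, SERVER = "192.0.2.6", "148.6.3.100"


@dataclass(frozen=True)
class Flow:
    """One direction of a TCP connection, identified by its 4-tuple."""
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        return Flow(self.dst, self.dport, self.src, self.sport)


@dataclass
class ReflexiveFilter:
    """Models 'permit tcp any any reflect R' on the outbound direction and
    'evaluate R' on the inbound direction: every outbound session adds a
    temporary entry for its reversed tuple, and inbound packets pass only if
    such an entry exists.  No static inbound permits are modelled."""
    entries: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def outbound(self, flow):
        self.entries.add(flow.reverse())        # reflexive entry for the return traffic
        self.log.append(("out", flow, "permit"))
        return True

    def inbound(self, flow):
        verdict = flow in self.entries
        self.log.append(("in", flow, "permit" if verdict else "deny"))
        return verdict


def ftp_transfer(mode, fw, ctl_port=40001, data_port=40002, pasv_port=50123):
    """Drive the control channel and then the data connection for the given
    FTP mode through fw; returns True if the data connection is established."""
    ctl = Flow(CLIENT, ctl_port, SERVER, 21)
    fw.outbound(ctl)                 # client -> server:21 (control channel)
    fw.inbound(ctl.reverse())        # server replies ride the reflexive entry
    if mode == "active":
        # Client sent PORT <client>,<data_port>; the server now connects FROM
        # port 20 TO the client.  That is a fresh inbound SYN with no matching
        # reflexive entry, so the filter drops it.
        return fw.inbound(Flow(SERVER, 20, CLIENT, data_port))
    if mode == "passive":
        # Server answered PASV with 227 (...,p1,p2); the client connects OUT to
        # that port, which creates the entry that lets the SYN/ACK back in.
        data = Flow(CLIENT, data_port, SERVER, pasv_port)
        fw.outbound(data)
        return fw.inbound(data.reverse())
    raise ValueError("mode must be 'active' or 'passive'")


def denied_flows(fw):
    """The inbound flows the filter dropped, for a quick look at what failed."""
    return [flow for direction, flow, verdict in fw.log if direction == "in" and verdict == "deny"]
```

The only way to make active FTP work through this filter would be a static inbound permit for TCP from port 20 to the client's whole ephemeral range, which is a far larger hole than simply using ip ftp passive on the router.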

Ticket: 7: Time Synchronization

Make sure the authentication key is configured correctly and is listed as a trusted key.

Make sure the NTP access list is correct. Note that 127.127.7.1 is the router's own internal clock reference, which must be permitted when the router is an ntp master.

The key below is stored in type 7 form, which only obfuscates it: anyone who can read the configuration recovers the key, so protect the configuration accordingly.

ntp authentication-key 1 md5 13263E212823 7
ntp authenticate
ntp trusted-key 1
ntp access-group peer 5
ntp master 5
ntp peer 148.6.57.7
ntp server 204.12.1.254 key 1 prefer

access-list 5 permit 127.127.7.1
access-list 5 permit 204.12.1.254
access-list 5 permit 148.6.57.7

show ntp associations detail

show ntp status
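Two things worth seeing in code for this ticket: what the type-7 string in the configuration actually protects, and what the key is used for on the wire. The following is an added example, not code from the page or from Cisco. It decodes the page's type-7 string with the well-known IOS translation table, and computes and verifies the NTP MD5 MAC as RFC 5905 defines it (key ID followed by MD5 over key || 48-byte header). The NTP packet and the function names are constructed for the example.

```python
"""Recover the page's type-7 NTP key and compute/verify the NTP MD5 MAC it protects.

Added example, not code from the page or from Cisco.  Type-7 decoding uses the
well-known IOS translation table; the MAC follows RFC 5905 (MD5 over
key || NTP header, appended as key-id || digest).  The NTP packet is constructed.
"""
import hashlib
import hmac
import struct

XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"   # IOS type-7 table
KEY_ID = 1                                                       # ntp trusted-key 1
TYPE7_FROM_PAGE = "13263E212823"                                 # ntp authentication-key 1 md5 ... 7


def decode_type7(enc):
    """Type 7 is obfuscation, not encryption: a 2-digit decimal table offset,
    then each plaintext byte XORed with the next table character."""
    idx = int(enc[:2])
    out = []
    for i in range(2, len(enc), 2):
        out.append(chr(int(enc[i:i + 2], 16) ^ ord(XLAT[idx % len(XLAT)])))
        idx += 1
    return "".join(out)


def ntp_client_packet(tx_timestamp=0):
    """48-byte NTPv4 client header (LI=0, VN=4, Mode=3); constructed input."""
    fixed = struct.pack("!BBBbIII", 0x23, 0, 10, -20, 0, 0, 0)   # 16 bytes
    return fixed + b"\x00" * 24 + struct.pack("!Q", tx_timestamp)  # ref/orig/recv ts, xmit ts


def ntp_mac(key, header):
    """keyid(4) || MD5(key || header): the 20-byte trailer an IOS peer appends."""
    return struct.pack("!I", KEY_ID) + hashlib.md5(key.encode() + header).digest()


def sign(header, key):
    return header + ntp_mac(key, header)


def authenticate(packet, key):
    """True only if the packet carries a trailer for KEY_ID whose digest matches key."""
    if len(packet) != 48 + 20:
        return False
    header, trailer = packet[:48], packet[48:]
    return hmac.compare_digest(trailer, ntp_mac(key, header))   # constant-time compare
```

decode_type7 turns the page's 13263E212823 into CISCO, the same string the lab uses as its FTP password, which is why `ntp authentication-key` lines (and the show running-config that contains them) deserve the same handling as a cleartext secret. Unauthenticated packets, packets signed with the wrong key and packets whose header was altered after signing all fail authenticate.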

Ticket 8: NAT

This case uses NAT as a TCP load balancer.

The pool containing the real servers must be defined as type rotary.

Secondly, the access list that selects traffic for the virtual server must match in the forward direction, i.e. from any source to the virtual server's address and port (not to the real servers), and the pool is bound to that list with ip nat inside destination.

ip nat pool POOL1 <start-ip> <end-ip> prefix-length 24 type rotary

ip access-list extended SERVERS
 permit tcp any host x.x.x.x eq www
 ! or eq 8080 / eq 443 as required

ip nat inside destination list SERVERS pool POOL1

Ticket 9: Server Access

For RIP, make sure the administrative distance is not set to 255 (a route with distance 255 is never installed).

Any underlying Layer 2 filtering, such as a VLAN access map (vlan filter), will also drop the traffic.

Make sure RIP's UDP port 520 is not being filtered.

Remove unnecessary server definitions if needed.

show ip route rip

show vlan filter

Ticket 10: Convergence

Make sure there is no unwanted interface dampening configuration: while an interface is suppressed the routing protocols treat it as down, for up to the max-suppress time, which shows up as slow convergence.

interface FastEthernet0/1
 no dampening 30 1000 17956 125 restart 17956

The parameters, from the CLI help:

Rack6R5(config-if)#dampening ?
  <1-30>  Half-life time for the penalty
  <cr>

Rack6R5(config-if)#dampening 30 ?
  <1-20000>  Value to start reusing an interface
  <cr>

Rack6R5(config-if)#dampening 30 1000 ?
  <1-20000>  Value to start suppressing an interface

Rack6R5(config-if)#dampening 30 1000 17956 ?
  <1-255>  Maximum duration to suppress an interface

Rack6R5(config-if)#dampening 30 1000 17956 125 ?
  restart  Enable restart penalty
  <cr>

Rack6R5(config-if)#dampening 30 1000 17956 125 restart ?
  <1-20000>  Penalty applied at restart
  <cr>

Rack6R5(config-if)#dampening 30 1000 17956 125 restart 17956
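The four numbers in that command are related, and the relationship explains how this particular line behaves. The following added example (not code from the page) carries the dampening arithmetic through with the ticket's values. It assumes the exponential-decay model of RFC 2439, which IOS event dampening is described in terms of: 1000 penalty per down event, decay with the configured half-life, suppression above the suppress threshold, release below reuse, and a ceiling of reuse * 2^(max-suppress / half-life). The function names are constructed.

```python
"""Interface dampening arithmetic with the ticket's parameters.

Added example, not code from the page.  Assumes the RFC 2439-style
exponential-decay model: +1000 penalty per down event, decay with the
configured half-life, suppression above 'suppress', release below 'reuse',
and a penalty ceiling of reuse * 2^(max_suppress / half_life).
"""
import math

FLAP_PENALTY = 1000.0      # penalty added per down transition


def max_penalty(reuse, half_life, max_suppress):
    """Highest penalty the interface can accumulate."""
    return reuse * 2 ** (max_suppress / half_life)


def decay(penalty, elapsed, half_life):
    """Penalty left after `elapsed` seconds of stability."""
    return penalty * 2 ** (-elapsed / half_life)


def time_to_reuse(penalty, reuse, half_life):
    """Seconds until a penalty decays below the reuse threshold."""
    return 0.0 if penalty <= reuse else half_life * math.log2(penalty / reuse)


def simulate(flap_times, half_life=30, reuse=1000, suppress=17956, max_suppress=125):
    """Feed down-events at the given timestamps (seconds, ascending) and return
    a list of (time, penalty, suppressed) after each event.  Defaults are the
    values from the ticket's dampening command."""
    ceiling = max_penalty(reuse, half_life, max_suppress)
    penalty, last, suppressed, trace = 0.0, 0.0, False, []
    for t in flap_times:
        penalty = min(decay(penalty, t - last, half_life) + FLAP_PENALTY, ceiling)
        last = t
        if penalty > suppress:
            suppressed = True
        elif penalty < reuse:
            suppressed = False
        trace.append((t, round(penalty), suppressed))
    return trace


def flaps_to_suppress(interval, **params):
    """How many evenly spaced flaps (interval seconds apart) it takes to
    suppress the interface, or None if 100 flaps never cross the threshold."""
    trace = simulate([i * interval for i in range(100)], **params)
    hits = [i + 1 for i, (_, _, s) in enumerate(trace) if s]
    return hits[0] if hits else None
```

With the ticket's values the ceiling is 1000 * 2^(125/30), about 17959, so the suppress threshold of 17956 sits only a few points below it and max-suppress-time 125 s is exactly the time that ceiling needs to decay back to reuse. In this model the interface is suppressed only by bursts (18 back-to-back flaps, or 23 at one per second; at one flap every 5 seconds it never is), and the restart penalty of 17956 means the first flap after a reload pushes it to the ceiling. Once suppressed it stays so for the full 125 s, which is the convergence delay the ticket is about.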


Lab 5 Volume 4

Ticket 1: OSPF

-This case involves a dot1q tunnel between two devices that are not directly connected.

-Make sure the dot1q tunnel port has an access VLAN assigned and that l2protocol-tunnel is enabled for the protocols that must cross the tunnel.

-Do the usual OSPF checks.

-The case is not actually an OSPF problem.

interface f0/x
 switchport access vlan 100
 switchport trunk encapsulation dot1q
 switchport mode dot1q-tunnel
 l2protocol-tunnel cdp

show cdp neighbors

Ticket 2: OSPF

-Optimal path issue.

-In an OSPF NBMA network, the hub router must win the DR election: give it a higher priority than the spokes and leave the spokes at priority 0.

-Check where the virtual links are placed and whether they are up.

no ip ospf priority 0 (on the hub, of course)

show ip ospf virtual-links

show ip ospf neighbor

Ticket 3:  BGP

-One reason a BGP router drops received advertisements is the AS-path length limit.

-Make sure bgp maxas-limit is set appropriately; there is no limit by default. With the limit below, a path such as the one in this log message (five ASes) is discarded:

%BGP-6-ASPATH: Long AS path 100 300 100 300 54 received from 204.12.1.6: More than configured MAXAS-LIMIT

router bgp 200
 bgp maxas-limit 3

show ip bgp summary

clear ip bgp *

logging buffered

Ticket 4: IPv6

-IPv6 router advertisements (neighbor discovery) are what let a client host derive its IPv6 address (SLAAC) and its default route. If RAs are suppressed on the router's interface, the host gets neither.

ipv6 unicast-routing

interface FastEthernet0/0
 ipv6 nd ra suppress   <<- watch out for this!

show ipv6 interface

Ticket 5: MPLS VPN

-MPLS VPN over a tunnel interface: make sure the tunnel source and destination addresses are reachable through the global routing table.

-For EIGRP in the VPN, do not forget the autonomous-system number under the VRF address family (address-family ipv4 vrf VPN_A, then autonomous-system <n>).

show ip route vrf VPN_A eigrp

show ip eigrp vrf VPN_A neighbors

Ticket 6: MPLS VPN

-OSPF sham links.

-Make sure the label protocol is consistent end to end, either TDP or LDP on every link.

-Create a new /32 loopback in the VRF on both PEs to serve as the sham-link endpoints.

-Do not advertise these loopbacks into the VRF OSPF process; they must be reachable only through MP-BGP (or another protocol) over the primary MPLS path.

-Configure the sham link in the OSPF area that contains the backdoor link.

-Raise the OSPF cost of the backdoor link so the sham-link path is preferred.

show ip ospf sham-links

show ip route vrf xxx

Ticket: 7: Multicast

-Watch out for the PIM stub routing feature.

-Both routers should be running dense mode, but one side is filtering PIM hellos with ip pim neighbor-filter, which prevents the PIM adjacency from forming.

-For testing, do not forget that the client router must also run PIM (dense or sparse) and join the group with ip igmp join-group.

-PIM sparse and dense mode can coexist in one multicast network.

-Identify the first-hop router and the next-hop routers.

-Beware of RPF failures when dealing with a multicast scenario.

-ip mroute x y z

-show ip pim interface x/x detail

-show ip pim interface

-show ip pim neighbor

Multicast killer command:

show run | include igmp|pim|mroute|multicast

Ticket 8: QoS

-Watch out for "Mr. 768" (a 768 kbps link): at that bandwidth and below, link fragmentation and interleaving is necessary for voice.

-For VoIP the target serialization delay is 10 ms, so the recommended fragment size is 768000 / 8 * 0.01 s = 960 bytes.

To check fragmentation use:

show frame-relay fragment

Configuration:

frame-relay fragment 960 end-to-end (interface level, MQC compatible)

Otherwise use the map-class form.

Ticket 9: Secure Access

-SSH configuration troubleshooting.

-Remember the seven basic steps to a working SSH server.

-Make sure routing is stable and the SSH server is IP-reachable.

1. username and password (username <name> secret <password>)

2. hostname

3. ip domain-name

4. crypto key generate rsa modulus <bits> (768 bits is the minimum for SSH version 2; use 2048 in practice)

5. ip ssh version 2

6. line vty: transport input ssh, to allow SSH as the inbound transport

7. line vty: login local

debug ip ssh

show line vty

ssh -l <username> -v 2 x.x.x.x

Ticket 10: Security

Dynamic ACL (lock-and-key) troubleshooting

-Make sure the username used for the dynamic ACL has the autocommand access-enable host feature.

-Check the AAA configuration, including exec authorization, for example:

aaa authorization exec default local

-Watch out for the direction in which the ACL is applied and for the ACL contents themselves.

-show run | include aaa

-show access-lists

-debug aaa authentication

-debug aaa authorization
