CISCO EXPERT – CCIE#23373

Ricardo Martins

Cisco Expert – CCENT Certified

Posted by Ricardo Martins on October 22, 2008

Today I became a CCENT (Cisco Certified Entry Networking Technician), 3 weeks before my CCIE Lab (1st attempt).

About CCENT exam – Cisco Web Site

I guess I just love certification too much, so normally I take a Cisco Exam every other month just to check what's new out there, in case technologies change or new content is introduced in some certification.

About the exam:

First of all, I did very well in the exam but let me tell you something…it is hard.
I do have some good experience by now and I have been studying for CCIE for quite a while, but I am thinking, someone who is just starting in Cisco World…ouch, the exam will not be easy.

My advice is, go through as much material as you can, especially subnetting, it is definitely a topic to master. On the other hand, I am glad Cisco made CCENT and CCNA harder, because it really makes these certifications hold their value.

The key is to study and enjoy networking…yes, because it is very ugly to see CCNAs out there who don't know anything but are still CCNAs…you know…


Cisco Expert – My little Baby = Cisco Rack

Posted by Ricardo Martins on October 2, 2008

Hi everyone!

Unfortunately, as much as I would like to write something in my blog every single day, I have been really busy lately studying, working and so on, and soon I will be a daddy. My Lab will be in a month in Brussels, so I kinda need to study all the time.

Anyways, here are some pictures of my home rack, all bought on eBay piece by piece.

Yes, this is where I spend 3 to 6 hours every day after work preparing for the CCIE R/S.

If I pass it, I will upgrade the rack for Service Provider. I am also buying Cisco phones (I only have one) and a couple of analog phones to connect to the 6 FXS ports I have. I will buy a rack server as well to have Win2003 Server with a CA authority, TACACS, Radius and AD to play with. And of course Call Manager.

Happy studies to everyone…

Rack
R1 = Cisco 2610XM – 128/32
R2 = Cisco 2610XM – 128/32
R3 = Cisco 3640 – 128/32
R4 = Cisco 3640 – 128/32
R5 = Cisco 2611XM – 256/48 – 2FXS
R6 = Cisco 2651XM – 128/32 – 2FXS
R7 = Cisco 1750 – 2FXS
BB1 = Cisco 2501
BB2 = Cisco 2610
BB3 = Cisco 2610
FR = Cisco 2523
SW1 = Cisco 3550 EMI
SW2 = Cisco 3550 EMI
SW3 = Cisco 2950
“SW4” = Cisco 1721
TS = Cisco 2511
2 Analog phones, 1 Cisco 7940


Cisco Expert – 2 months for the LAB

Posted by Ricardo Martins on September 12, 2008

I will be taking the lab exactly 2 months from now. I already did 10 out of 20 Internetwork Expert labs and I am starting to feel more confident all the time. I am trying to calm down but I just feel like doing the lab as soon as possible. At this point I know I can score high, I just don't know if I can pass on my first attempt. I suppose everything depends on the type of questions and so on.

I practice every day 3 to 4 hours, between 9 pm and 1 am. It just feels so nice to apply configuration to my own rack at home. I have everything except the 3560's but oh well…

I just got a bunch of phones yesterday and I can't help doing some voice labs, I should be studying for R/S hehe.

Anyways, I'm getting the feeling I will become a CCIE even though I might not pass on the first attempt…


Cisco Expert – Very busy!!

Posted by Ricardo Martins on August 14, 2008

Yes…Finally I started Internetwork Expert workbook II towards my preparation for the CCIE Lab on 12th of November. I have done workbook I a couple of times, so from now on just daily labs over and over again. I still didn't get all the switches I need, so I have been skipping some of the switching questions, which I have to get back to later.

Anyway, I just love to sit with a cup of coffee in my office at home, at my own rack, doing all those labs. I gotta confess, if I would go to the lab tomorrow I wouldn't get over 50 points probably. I just get so pissed off with those difficult level 9 and 10 Labs which ask you the most freaking questions. They are just testing you to the limit. I don't even consider that networking anymore :)

I would say if the real lab would be around level 6, I could maybe pass it on the first attempt but…. level 8 and 9 it is for maniacs…with absolutely mental redistribution scenarios, IPV6 tunnels and Multicast with tunnels (a miracle if you can ping your multicast group at all)…

After all, CCIE is not for everyone out there…Hope it is for me :)


Cisco Expert – Virtual-Links and Tunnels

Posted by Ricardo Martins on July 29, 2008

In my opinion, there are certain network topics we need to understand and be able to configure without any trouble. Virtual-links are likely to be tested in the CCIE Lab because they solve a problem which is a big thing in OSPF – ALL AREAS HAVE TO BE DIRECTLY CONNECTED TO THE BACKBONE AREA 0. Virtual-links are meant for a scenario where you have some area not connected to the backbone. It is important to mention that this is a bad design. You don't want to have OSPF areas all over the place, virtual-links everywhere and confusion. The goal of a network is to keep it simple and functional.

To be honest, the point of this article is not so much the virtual-links, because you have probably heard about them 100000 times, but the tunnel interfaces. I would like to mention as well that I am more focused on a small explanation and configuration than on giving you a full boring description of the technology itself. You can always get that sort of information on the Cisco website.

As usual, we have a topology where I have already configured all the ip addresses and ospf.

The problem we run into is the routing table in R4. Because area 2 is not directly connected to the backbone, R4 does not have any OSPF routes installed.
R4#sh ip route ospf

R4#

Once again, in the real world this would be a bad design, but if you run into it during a lab or exam you need to configure a virtual-link between R2 and R3 through area 1 as such:

R2#sh run | s ospf
router ospf 1
 router-id 2.2.2.2
 area 1 virtual-link 3.3.3.3
 network 10.10.0.2 0.0.0.0 area 0
 network 10.10.1.2 0.0.0.0 area 1

R3#sh run | s ospf
router ospf 1
 router-id 3.3.3.3
 area 1 virtual-link 2.2.2.2
 network 10.10.1.3 0.0.0.0 area 1
 network 10.10.2.3 0.0.0.0 area 2

Now if we look again at the routing table of R4, we have received the OSPF routes as expected. And when I say expected I have to mention something that Brian Dennis said in a video that always stayed in my head, which is something like this – At CCIE level you should be able to look at your topologies and know what your routing tables should look like.
Strong advice.

R4#sh ip route ospf
10.0.0.0/24 is subnetted, 3 subnets
O IA 10.10.0.0 [110/21] via 10.10.2.3, 00:01:04, FastEthernet0/0
O IA 10.10.1.0 [110/11] via 10.10.2.3, 00:01:29, FastEthernet0/0

So far so good. Another scenario would be if they told you to configure area 1 as a stub area, totally stubby area, NSSA and so on…
First, I will remove the virtual-links, configure the area as a stub and try to apply the virtual-link command once again, and let's see what happens.

R2(config)#router ospf 1
R2(config-router)#area 1 stub
R2(config-router)#no area 1 virtual-link 3.3.3.3
% OSPF: Area 1 is a stub or nssa so virtual links are not allowed

Yes, virtual links are not allowed in stub or nssa areas. In order to solve this problem, instead of virtual-links we have to use GRE tunnels. Take a look at the configuration below.

R2#sh run int tu 0
interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 tunnel source Ethernet0/1
 tunnel destination 10.10.1.3

R2#sh run | s ospf
router ospf 1
 area 1 stub
 network 10.10.0.2 0.0.0.0 area 0
 network 10.10.1.2 0.0.0.0 area 1
 network 172.16.1.2 0.0.0.0 area 0

R3#sh run int tu 0
interface Tunnel0
 ip address 172.16.1.3 255.255.255.0
 tunnel source Ethernet0/1
 tunnel destination 10.10.1.2

R3#sh run | s ospf
router ospf 1
 area 1 stub
 network 10.10.1.3 0.0.0.0 area 1
 network 10.10.2.3 0.0.0.0 area 2
 network 172.16.1.3 0.0.0.0 area 0

It is actually very simple if you follow some simple steps. Create a tunnel interface, give it an ip address (or use ip unnumbered of a network that is being advertised to area 0) and advertise it under ospf to AREA 0, then just apply the tunnel source and destination commands and you are good to go.

And once again, the routing table on R4

R4#sh ip route ospf
172.16.0.0/24 is subnetted, 1 subnets
O IA 172.16.1.0 [110/11112] via 10.10.2.3, 00:03:14, FastEthernet0/0
10.0.0.0/24 is subnetted, 3 subnets
O IA 10.10.0.0 [110/11122] via 10.10.2.3, 00:03:04, FastEthernet0/0
O IA 10.10.1.0 [110/11] via 10.10.2.3, 00:03:14, FastEthernet0/0

We have received all the ospf routes.

Authentication:
As a final note, if you get asked to authenticate area 0 either with md5 or clear-text, you need to authenticate the virtual-links or the tunnel interfaces, as the case may be. Remember that R3 now believes it is directly connected to the backbone, so it needs to be authenticated in order to receive all the routes.
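
The authentication note above written out as configuration for both cases on this page. This is an added example, not part of the original post; the key string EXAMPLE-KEY, key ID 1 and R2's area 0 interface name Ethernet0/0 are assumptions.

```cisco
! Added example. EXAMPLE-KEY, key ID 1 and Ethernet0/0 (R2's area 0
! interface) are assumed values, not taken from the post.
!
! === Case A: virtual-link through area 1 (area 1 is a normal area) ===
! R2
interface Ethernet0/0
 ip ospf message-digest-key 1 md5 EXAMPLE-KEY
!
router ospf 1
 router-id 2.2.2.2
 area 0 authentication message-digest
 area 1 virtual-link 3.3.3.3 message-digest-key 1 md5 EXAMPLE-KEY
!
! R3 has no physical interface in area 0, but the virtual-link is an
! area 0 adjacency, so R3 needs the area 0 authentication type as well.
router ospf 1
 router-id 3.3.3.3
 area 0 authentication message-digest
 area 1 virtual-link 2.2.2.2 message-digest-key 1 md5 EXAMPLE-KEY
!
! === Case B: GRE tunnel in area 0 (area 1 is a stub) ===
! R2
interface Ethernet0/0
 ip ospf message-digest-key 1 md5 EXAMPLE-KEY
!
interface Tunnel0
 ip ospf message-digest-key 1 md5 EXAMPLE-KEY
!
router ospf 1
 area 0 authentication message-digest
!
! R3: Tunnel0 is its only area 0 interface
interface Tunnel0
 ip ospf message-digest-key 1 md5 EXAMPLE-KEY
!
router ospf 1
 area 0 authentication message-digest
!
! Clear-text variant: "area 0 authentication" plus
! "ip ospf authentication-key <key>" on the interfaces, or
! "area 1 virtual-link <rid> authentication-key <key>" on the virtual-link.
! The key is then readable in every OSPF packet on the path, so prefer md5
! where the task allows it.
!
! Checks after applying:
!  show ip ospf virtual-links       (Case A: link state and authentication type)
!  show ip ospf interface Tunnel0   (Case B: authentication type and key in use)
!  show ip ospf neighbor
!  R4# show ip route ospf           (same routes as before authentication)
```

If only one side gets the area 0 authentication type or key, the virtual-link or tunnel adjacency drops and R4 loses its inter-area routes again.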

Being able to try this article out in GNS3 or on real equipment is a plus. Sometimes we think we know something just because we read about it, but when it comes to configuring it ourselves, oops… Besides, it is good to try all the different scenarios, whether they work or not; at least we will know.

Remember, keep it always simple in your head…you will understand it better.


Cisco Expert – 642-432 CVOICE exam – Passed

Posted by Ricardo Martins on July 22, 2008

On Thursday 24th, I'm going to take the 642-432 exam. It is my 2nd exam towards the CCVP certification. I took the QOS exam about 6 months ago while doing my CCIP certification. Let's see how this one goes. Voice is actually a very interesting field. It is really cool to see all those sweet IP phones full of colors getting their configuration from a router hehe.

I used Jeremy's videos, GNS3 and a couple of routers I have at home to prepare for it. I find CVOICE a very interesting subject, I love dial-peers and dial-plans. I'm really looking forward to starting to study for CCNA Voice as well because I don't know too much about CME (Cisco Call Manager Express) yet.

It is worth mentioning that if any of you wishes to take the CVOICE exam, you can take the 642-436 because the 432's last day is 7/26/08. Jeremy has upgraded the CVOICE videos for this exam, which can be found on the CbtNuggets website.

My next exam will be the Call Manager one. I have already watched Jeremy's videos, but didn't have the time yet to set up a Call Manager. It's not like I'm jumping into the exam without some hands-on.

Wish me luck!!

PS – I just took the exam today (7/24/08) and I passed. I actually found it easier than most of the exams I have done so far. I just felt like I still need to study a little bit more how to calculate the voice calls bandwidth. I got one simulation on how to configure dial-peers and it felt so good after I applied the configuration to the router, then pressed the phone icon and I could see the phone ringing message popping up hehe.

Good luck with your studies!


Cisco Expert – New IOS Firewall, IOS IPS and CCP

Posted by Ricardo Martins on July 17, 2008

I had some gold partner training at Cisco a couple of weeks ago and I thought I could share some announcements and some slides given to me in the training.

I actually went for the security training, though my work has more to do with networking. The training was mostly based on the ASA 5580-40 for Data Centers. By the way, the ASA 5505 for small offices does not support IPS now, but in the near future will support IOS IPS and Wireless. ASA 5510, 5520, 5540 use an IPS Module. ASA 5550, 5580-20 and 5580-40 do not support IPS because it would simply slow down the ASA. I was told at Cisco that it could eventually support IPS in the future. Anyway, the bit I want to share is the new IOS Firewall, IOS IPS and CCP.

So far, CBAC has been the IOS Firewall around the block, but 12.4(6)T has introduced the “Cisco IOS Firewall” which uses a concept of zones. To be honest, I haven't tried the new IOS firewall so I can't say much about it, I liked CBAC though.

The new IOS 12.4(20)T also introduces a different approach for access-lists that can be used in conjunction with object-groups, looks like a very cool feature.

The new IPS introduces some new features. To be honest I haven't really played around much with IOS IPS; however, it used to be that to upgrade the signatures we had to download .sdf files from Cisco, but in 12.4T everything could be done using the SDM GUI, downloading some XML files, no more .sdf.

CCP (Cisco Configuration Professional) is the next generation of the SDM wizard. It basically does everything that SDM 2.5 does, plus it introduces configuration wizards for Voice, wireless and so on. The drawback, in my opinion, is that it is only supported on the newest Cisco routers, 800, 1800, 2800, 3800…

Below you can find some slides I was given at Cisco. Not quite sure if I am allowed to share them, but I was not told otherwise, so…


Cisco Expert – Intervlan with multilayer switches

Posted by Ricardo Martins on July 16, 2008

In our studies towards CCNP, we learn about intervlan between 2950's and a router, called router on a stick. We also learn how to do intervlan with multilayer switches. What we don't learn is how to add a second or third multilayer switch in the “game”.

I thought it would be interesting to know more about this topic because in most production environments you find this sort of configuration with 6500 switches.

So let's imagine we have 6 vlans, vlan 1 to 6, and we want to do intervlan between all these vlans. If we had only one multilayer switch, we would create 6 interface vlans (SVI's) and we would have our hosts configured to point to the SVI's as a default gateway.

However it is interesting to know how this would work with an extra multilayer switch.

Diagram:

In this case we need to have a trunk between both 3550 switches and trunks to the 2950's.
The 2950's will have access ports to the hosts.

Now, because we can only have one default gateway per host, it has to be either SW1 or SW2, meaning basically that one switch would be treated as a Layer 2 device, pointless… So what I have seen in the real world is using HSRP for the SVI's.
SW1 would have for instance all odd vlans Active and all even vlans in Standby and SW2 vice versa. Simple and nice eh?

It is worth mentioning that if you didn't have HSRP in place and, for example, SW1 were the default gateway for vlans 1 to 3 and SW2 the default gateway for vlans 4 to 6, then you would need a p2p connection between both 3550's, a Layer 3 etherchannel or just a Layer 2 trunk with one SVI in the same vlan per router in order to be able to send traffic between vlans.

Here is a configuration example:

SW1

interface Vlan1
 ip address 10.10.1.10 255.255.255.0
 standby 1 ip 10.10.1.1
 standby 1 priority 150
 standby 1 preempt

interface Vlan2
 ip address 10.10.2.10 255.255.255.0
 standby 2 ip 10.10.2.1

interface Vlan3
 ip address 10.10.3.10 255.255.255.0
 standby 3 ip 10.10.3.1
 standby 3 priority 150
 standby 3 preempt

interface Vlan4
 ip address 10.10.4.10 255.255.255.0
 standby 4 ip 10.10.4.1

interface Vlan5
 ip address 10.10.5.10 255.255.255.0
 standby 5 ip 10.10.5.1
 standby 5 priority 150
 standby 5 preempt

interface Vlan6
 ip address 10.10.6.10 255.255.255.0
 standby 6 ip 10.10.6.1

Then it would be the opposite configuration on SW2.

In conclusion, if you want to have 2 or more multilayer switches performing at layer 3, then it is best to run HSRP between the switches with some vlans active on one switch and other vlans active on the other switch. That's because you can only have one default gateway per host, which would be the virtual HSRP ip address.

In this case, hosts in Vlan 1 would have the ip address 10.10.1.1 as default gateway, vlan 2, 10.10.2.1 and so on.

IMPORTANT – Keep in mind that the diagram is just a model. In fact, in this case, HSRP wouldn't really work unless you had trunks between the 2950's or an extra trunk between the 2950's and the other 3550.

Hope this helps!


Cisco Expert – Back home

Posted by Ricardo Martins on July 12, 2008

I will fly home today (Belfast, Northern Ireland). It was a very nice vacation in Finland where I have lived 5 years before but it is all over now.

Now it is time to get back to my CCIE R/S preparation. My Lab is scheduled for 12th Nov. so I have 4 months now to practice over and over again doing labs. My home rack is almost ready.

I got:

R1 – 2610xm – 128 dram, 32 flash
R2 – 2610xm – 128 dram, 32 flash
R3 – 3640 – 128, 32
R4 – 3640 – 128, 32
R5 – 2611xm – 128, 32
R6 – 2651xm – 256 dram, 48 flash – That's my golden router where I will have CME 4.1 and nm-2v module with 2fxs and 2fxo for some voice stuff
FRS – 2523
TermServ – 2511
BB1 – 2501
BB2 – 2610
BB3 – 2610
SW1 – 3550

I am lacking another 3 switches which will be 3550's but I will have these very soon.
Anyway, with 1 switch, you can practice all the routing stuff; with 2 switches, you can practice all the switch stuff as well. 3 and 4 switches are used for the type of questions where you need to draw diagrams and do traffic engineering at switching level.

I will be posting more stuff here very soon

Once again holidays were nice, here some pictures:


Cisco Expert – Holiday!!

Posted by Ricardo Martins on July 5, 2008

Hello everyone!!

I have been very busy lately, that's why I haven't really posted anything. I was at Cisco in Dublin for a day for some gold partner training. Then back in Belfast, I was sent for 3 days to some HP IT Management training where I had an exam at the end. Still waiting for the result…hehe

After that, I was finally back to my normal daily routine. I'm actually very happy that I work for a big company like HP, so I get to go to all these nice trainings.

We are building a new project at the moment with some new security devices, ASA 5510. I had done my CCSP some time ago, but never really had the chance to configure anything related to security in production. It was actually very nice to learn more about it and do some configuration. Cisco has a nice ASDM wizard to easily implement the configurations but I love CLI. However, it looks to me like implementing security these days is starting to be very hard to do via CLI.

Anyway, I am on holiday now, just arrived yesterday in Finland where I will stay for a week. I lived here about 5 years before, so I decided to come and visit some friends. We (me and my girlfriend) have a cottage somewhere in the north of Finland near a lake where we can go fishing in a boat or so. I can already imagine myself, in the boat fishing, in the middle of the lake, with my laptop doing GNS labs..hehe..just kidding..
