CCDE Group Study by INE

Over the weekend I attended the CCDE group study sponsored by INE in Chicago. Discussion and material were led by Petr Lapukhov and Brian McGahan. I’m very excited to see a high-level networking event in my hometown. We had about 15-20 people in the class. This was my first exposure to CCDE, so it was a lot of information to absorb. The test is composed of 4 scenarios. You have about 8 hours to pass the computerized test. Just like in other written Cisco certifications, you can’t go back once you answer the question. The test seems to be based on mastering the design’s information extraction from pages and pages of information. Most of the technology focus is on MPLS, routing, QoS and some security.

In the group study we went through Cisco’s CCDE practice demo (https://learningnetwork.cisco.com/docs/DOC-2438). I thought the discussion was very interesting, especially from people that have been studying for the test. If you take it and want to look at the solution, you can find it at http://www.shafagh.net/2012/08/ccde-demomystery-solved.html. Next we went through INE’s CCDE practice scenarios written by Petr and Brian.

Mainly, I wanted to post some very interesting documents that…

PBR – Policy-based Routing configuration example

How does the internet work - We know what is networking

Policy-Based Routing Configuration. Here we will show different examples for configuring specific PBR types: Enabling PBR on the Router, Fast-Switched PBR, Local PBR, CEF-Switched PBR. Enabling PBR: this command defines that the router will use PBR and that PBR will use the route-map named TEST. R1(config)# route-map TEST permit 10 Defines a route map […]


Show 136: Avaya – Considerations for Turning your Network into an Ethernet Fabric – Sponsored

We’ve done a few shows now on Ethernet Fabrics where we have been getting deep into the different technology options and different vendor implementations. Avaya has sponsored this show where we actually interview customers who were early adopters of fabric-based and talk about what drove these customers to implement a network fabric, how they went […]

Author information

Greg Ferro

Greg Ferro is a Network Engineer/Architect, mostly focussed on Data Centre, Security Infrastructure, and recently Virtualization. He has over 20 years in IT, in a wide range of employers working as a freelance consultant, including Finance, Service Providers and Online Companies. He is CCIE#6920 and has a few ideas about the world, but not enough to really count.

He is a host on the Packet Pushers Podcast, blogger at EtherealMind.com and on Twitter @etherealmind and Google Plus.

The post Show 136: Avaya – Considerations for Turning your Network into an Ethernet Fabric – Sponsored appeared first on Packet Pushers Podcast and was written by Greg Ferro.

Network behind an IPSec VPN peer

In this lab, I tried to simulate an environment where there are two customers, each connected to their respective ISP. Now, in real world, this might not be the best way things are done, but this lab is for the sake of understanding how VPNs deal with networks behind a VPN peer. 

PE: Provider Edge equipment
CPE: Customer Premise equipment

Following is the network diagram. CPE1 and CPE2 are customer edge routers. PE1 and PE2 are respective ISP provider edge routers. Each router connects to another over a /30 point to point link. Each router has a loopback (Lo0) with an IP address in the 192.168.0.0/16 range as shown.

CPE1 has a site to site VPN tunnel to PE1.
PE1 has two site to site VPN tunnels, one to CPE1 and another to PE2.
PE2 has two site to site VPN tunnels, one to PE1 and another to CPE2.
CPE2 has a site to site VPN tunnel to PE2.

I had a problem with VPN Hairpinning and wanted to build a lab to find possible solutions. I started off building the lab and after bringing up VPNs, I realized I built the lab wrong. Notice how…

Default route and RIB/FIB entries


If a router has multiple routes to a network over multiple routing protocols, it stores all routing information in the RIB. This information may not necessarily be used when determining the best path to the network. To determine the best path to the network, CEF uses the FIB. I understand this.

Consider a network where:

R2 ------- R1 ------- R3

R2 (10.0.0.2/24) connects to R1 (10.0.0.1/24)
R1 (192.168.0.1/24) connects to R3 (192.168.0.2/24)

On R2, R3: I have default routes pointing to R1:

R2: ip route 0.0.0.0 0.0.0.0 10.0.0.1
R3: ip route 0.0.0.0 0.0.0.0 192.168.0.1

Now, from R2, I can ping R3 fine.

R2#ping 192.168.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/39/44 ms

So, I try to see the route entry for 192.168.0.2

R2#sh ip route 192.168.0.2
% Network not in table

I don't see it. So I look at the CEF/FIB.

A Cloud Without IPv6

As a Data Center junkie, I daily bear witness to the glorious transformations that are taking place all around me with respect to the “next-generation” of data center. Everyone who wants to move their DC to the next level are millions of dollars worth of DC networking gear that is EXTREMELY cutting edge, enabling virtualization and cloud to do things we only dreamed of being able to do mere years ago.

Using GNS3 for Switching Labs

For so long, I’ve heard - as have many of you I’m sure - that GNS3, though a GREAT emulator for Cisco IOS software, is not practical for studying anything related to switching. Routing is handled just fine, but because of the proprietary ASICs in Cisco switches, it is not something that can be easily reverse-engineered, thus GNS3 cannot do it. After all, all routing is essentially done in software in GNS3.

The “D” in SDN

I have seen the conversation around SDN evolve over what amounts to the last few years from something that was barely whiteboard material, to something on everyone’s lips in this industry. Why? What’s so interesting about these three little letters? Well, if you’ve heard of it, you’ve undoubtedly heard from your local vendor account manager that their product is the leader in the SDN market, or that they just made a big acquisition that really puts them ahead in the SDN space, blah, blah, blah.

TRIO Card: packet capture with pfe commands

During a complex case on a Juniper platform, I looked for a tip to capture transit traffic on an MX960 with Trio cards. Indeed, I suspected a Junos box of rewriting transit MPLS traffic with an unexpected EXP value. As I love carrying out reverse engineering,...

vSphere Network Security Policies

The idea of security in a vSphere vSwitch is a concept not usually discussed in vSphere peer groups or curricula. They are somewhat specialized features that are normally either not used, or irrelevant due to the presence of another switching architecture such as the vDS (including the Cisco Nexus 1000v) or VM-FEX, where these policies also exist and are much more feature-rich. Thus, the idea of performing these functions on a native vSwitch is usually not talked about.

Quiz #7 – MLS QOS

You have recently moved to a new company as a network administrator and you've started doing an audit of the existing network. Your network uses an end-to-end QOS approach between multiple offices. Access switches trust QOS markings received from IP Phones, and higher-layer devices trust the markings received from access switches, as seen in the diagram below.

Windows 2008/Vista/7 ARP Cache

1360422920.604391 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:152) (ttl 128, id 311, len 60)
...
1360422949.068248 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:171) (ttl 128, id 330, len 60)
...
1360422952.102077 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:173) (ttl 128, id 332, len 60)