Thursday, July 31, 2008

Things are crazy down here

Man... things are "really" crazy down here! Too many projects to deliver in a short time! I'm actually working on 3 projects right now to replace old switches in customers' networks with new 3750 (for Access) and 6509 (Core)!

All three projects are very similar. In fact, I finished the first one yesterday: I created the scripts to be applied, the topology, and a few guidelines for the Field Engineer who's going over there to actually "implement" the solution.

For sure, I should be prepared to support the Field Engineer for any "unknown" thing that can happen, you know... Like Murphy says, if anything can go wrong, IT WILL GO WRONG! hahahaha! But I actually don't believe that much in Murphy's laws, so I expect everything to go really smoothly! ;)

Today I'll prepare the second customer's topology and scripts, and tomorrow the third one! That will consume all my time (including much of my "supposed" free time), so it's a little difficult to keep up with my Video-on-Demand regime today! Oh boy, how much I miss it! :) But I'm still reading my Doyle book (right now almost finishing OSPF and IS-IS).

Also, my vacation is coming soon, so I'll be able to catch up on everything, but if I really want my vacation, I need to finish everything that's assigned to me right now! Not too much, but it's really time consuming!

If possible, and I arrive home early tonight (yesterday I arrived after 11:00pm), I'll finish IPExpert CCIE R&S BLS Video-on-Demand Day 1! I'll try to finish it at least by the end of the week, to not be too far from my schedule! As soon as I finish, I'll publish my notes here in the blog!

Well... that's it for now! Oh yes... If anybody is interested in those switch scripts I've created, just let me know... They are not "perfect", but an example doesn't hurt, right?! One thing: the comments are in Portuguese, but I can quickly translate them to English! Just let me know!

Up the Irons! :)

Tuesday, July 29, 2008

Switch Macros

Take a look at these examples of Switch Macros available in the Switching Video-on-Demand from IPExpert. Just a few, but the possibilities are huge!

First one... Create a Macro to configure our "Access-Ports"; this will include the VLAN, Portfast, BPDUGuard and Storm-Control... Seems simple... but how do we assign the correct VLAN to each port?! Using variables! Take a look:

macro name Port
switchport mode access
switchport access vlan $V
spanning-tree portfast
spanning-tree bpduguard enable
storm-control $T level $L
@

Now, apply this to port FastEthernet 0/10 for example, and assign it to VLAN 10, Storm-Control Type Broadcast and Level 20:

int fa0/10
macro trace Port $V 10 $T broadcast $L 20

See?! Easy! One line, instead of 5!

In the show run, the field macro description Port | Port will show us how many times this macro "Port" (the one we created earlier) was applied to this interface (in this specific case, 2 times!).

Macro Example

Another example, a macro to create some VLANs:

macro name MakeVlan
vlan 101
name My101
vlan 102
name My102
vlan 103
name My103
exit
@

Just be careful: after the last VLAN (in our case vlan 103) we need to type exit. If you don't, this VLAN will not be created!

We can double check if everything is ok with the command: sh vlan brief

Another tip in this Video: what if you get asked to assign a data VLAN, Voice VLAN and Portsecure allowing 2 Mac-Addresses on a port using just one command line (I talked briefly about it yesterday)? How to do it?!

Seems a bit strange, but it's possible. First, check the "pre-defined" Macros in your switch using the command: show parser macro. Your output will look very similar to this one:

Show Parser Macro Example

Now that we found our macro, apply it to the desired interface:

int f0/16
macro apply cisco-phone $access_vlan 10 $voice_vlan 20

And finally, take a look at the configuration:

Macro Apply

You may ask yourself, how is the proctor going to grade that?! How is he going to know that I actually used a Macro, or even better, how is he going to know that I didn't create a Macro to do it, and just delete it from the Switch after that?!

Well... the answer is simple... First, take a look at the line macro description cisco-phone: this description tells us that this specific macro (cisco-phone in this case) was applied to this interface. Also, the macro configured the VLANs (Data and Voice) and Portsecure as asked, but it also configured some extra stuff (QoS, Portfast, etc), and that tells the Proctor that you actually used this macro! So, be cool, just understand exactly what the question is asking, and you'll be fine!

To apply a macro we can use the commands:

  • macro apply <macro-name>
  • macro trace <macro-name> -> if you want to see it going through the commands.
  • macro global apply <macro-name>
  • macro global trace <macro-name> -> if you want to see it going through the commands.

Monday, July 28, 2008

Dead Weekend + Switching Video

Last weekend was not very "useful" for studying... I started working on Friday at 08:00am and went until Saturday 09:00am; that, plus travel time from home to work and back, is more than 28 hours straight! So I pretty much spent my Saturday sleeping... When I finally woke up, with a terrible headache (anyone want to guess why?!), my wife had this "dinner" plan with a couple of friends, so, well... I couldn't say no... We went out. It was fun... but we came back home a little late, so I woke up late on Sunday (again)!

A couple of house things to solve, a shower to replace, getting something to eat, and that's it: almost 07:00pm, and no study! Oh my! So I sat in front of my computer and started watching the IPExpert CCIE R&S BLS Switching Videos. As usual I was impressed! The quality of the material is unquestionable, those videos are AWESOME!!!! Again, you feel like you're in class! Cool! :)

Very good stuff in the video. One point was a lab tip: if you need to configure something that would take a few lines, but the lab asks you to configure it using JUST ONE command, well, it seems weird, but it's possible if there is a pre-defined macro in the switch (one that is already there, not one that you create!). Use the command show parser macro to check if there are any pre-defined macros in the switch; you may be able to do it just by applying the macro itself!

Also, anytime you see a topology with a Switch in VTP Transparent mode in the middle (like VTP Server <--> VTP Transparent <--> VTP Server), be afraid. The VTP Transparent Switch will forward the updates between the other two switches, but if, for instance, you "prune" a VLAN, that can cause us some problems! If the VTP Transparent switch doesn't have this VLAN (or if the VLAN is inactive), no matter if your VTP Server switches are using it or not, this VLAN will get pruned (in the VTP Transparent switch), and that can create some issues in our lab. Of course, we can solve this issue in a couple of different ways, like removing those specific VLANs from the "pruning"; for this, use the command switchport trunk pruning vlan remove <VLAN List>

Another way to solve this is to just create the VLANs in the VTP Transparent Switch, and activate them! Use the command vlan <vlan number> state active if you want to activate the VLAN with no ports assigned! It'll all depend on your lab restrictions and requirements!

The video also talks about MST, and gives us some good "insights" to avoid problems in the LAB itself. Check this example configuration:

  • Enable MST
    • (config)#spanning-tree mode mst
  • Configure MST
    • (config)#spanning-tree mst configuration
      • Name (tree-name)
      • Instance 1 vlan (#-#-#)
      • Instance 2 vlan (#-#-#)
      • etc

This example creates 2 MST instances, but in fact your switch will be running 3 MST instances (do not forget about MST Instance 0, it's always there), so if your lab asks for just 2 instances in your switch, well, that will force us to create just one new MST Instance and put all VLANs inside it! ;)

There is a lot of other really useful stuff and explanations! I'll try to work on some really nice examples regarding Macros, which are also in the Video!!! Wait and see!

Friday, July 25, 2008

Our friend Suresh Mishra just passed his CCIE Lab Exam!

Our friend Suresh Mishra from Online Study List just passed his CCIE Lab Exam today!

Here follows his original message:

------

Hello all,

I passed CCIE LAB today. My ID is 21577. I would like to say thank you to all the people at IPEXPERT for their help. I used ipexpert as the only source for the preparation of my LAB exam and was able to pass within six months in my first attempt.

Thanks to all of you who help me in getting my ID.

Thanks
Suresh

------

That shows us Hard Work + Great Study Material = Success!

If you can, stop by to congratulate him!

http://www.onlinestudylist.com/pipermail/ccie_rs/2008-July/001704.html

Well done buddy! Congratulations!!!!

Thursday, July 24, 2008

TCL Script

This Video is included in IPExpert CCIE R&S BLS as one of the last things... but I just couldn't wait to check it and see if there are any tips, advice, or anything else that could help in the exam! And what have I discovered?! Yes, there are a few things I didn't know! COOL!

First thing... in order to build your TCL Script you'll need to get all IP Addresses from your devices, but there's an easy way shown in the Video-on-Demand. Just follow these steps:

First, log into each device, and type the command:

sh ip int brief | ex una

Second, and most important (that's the part I didn't know!), in SecureCRT, if you hold the ALT key and use your mouse to mark the text to be copied, you can select just what you want, in this case, just the IP Addresses from the command output!

So easy! I used to copy the full line, cut off what I didn't want, and use the IP Address! Now you just have to paste it into Notepad.

You'll need to log in to each device and build a list of ALL IP Addresses in order to create your TCL Script. That shouldn't take more than 05, maybe 10min, and in the end you'll have everything at your disposal! :)

Another good piece of advice there is about WHEN to do TCL ping testing. We all know that we need to check connectivity several times a day, but most importantly after the:

  1. IGP section;
  2. Redistribution section;
  3. BGP section;
  4. Security section;
  5. Last thing of the day (if you have time to fix any issues that you may find).

And any other time you think you need to check it!

Always keep your diagram updated, with all the information you judge useful, so if you have any failures you should be able to quickly identify why and determine if this makes any difference! In case of any doubts, the proctor is always there for us!

Also, if you have any "Backbone" IP Addresses that should be reachable, add it to your TCL Script manually, and that´s it!

To exit the TCL Shell just type: tclquit

Remember, 3550 switches don't support TCL; we can create some Global Macros to achieve the same results.
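The address-collection step above can also be scripted. The following is an added example, not taken from the Video-on-Demand or the original post: it parses sh ip int brief captures and emits the tclsh ping loop. The captures are constructed from the lab addressing used elsewhere on this page, 192.0.2.254 stands in for a "Backbone" address, and skipping interfaces that are not up/up is a choice made here.

```python
import ipaddress
import re

# Constructed captures of 'sh ip int brief', one per device (sample data).
CAPTURES = {
    "R2": """\
Interface       IP-Address      OK? Method Status                Protocol
BVI1            111.111.111.2   YES manual up                    up
Serial1/0       222.222.222.2   YES manual administratively down down
""",
    "R3": """\
Interface       IP-Address      OK? Method Status                Protocol
BVI1            111.111.111.3   YES manual up                    up
""",
    "SW2": """\
Interface       IP-Address      OK? Method Status                Protocol
Vlan2           111.111.111.22  YES manual up                    up
""",
    "SW3": """\
Interface       IP-Address      OK? Method Status                Protocol
FastEthernet1/3 unassigned      YES unset  up                    up
Vlan3           111.111.111.33  YES manual up                    up
""",
}

# interface, address, status (may contain a space), protocol
ROW = re.compile(r"^(\S+)\s+(\S+)\s+YES\s+\S+\s+(.+?)\s+(\S+)\s*$")


def parse_brief(text):
    """Return (interface, IPv4Address, status, protocol) for addressed rows."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line)
        if not match:
            continue                      # header or unrelated line
        iface, addr, status, proto = match.groups()
        try:
            ip = ipaddress.IPv4Address(addr)
        except ValueError:                # 'unassigned' left in the capture
            continue
        rows.append((iface, ip, status, proto))
    return rows


def build_ping_script(captures, extra=()):
    """Return (tclsh script text, list of skipped down interfaces)."""
    addresses, skipped = set(), []
    for device, text in captures.items():
        for iface, ip, status, proto in parse_brief(text):
            if status == "up" and proto == "up":
                addresses.add(ip)
            else:
                skipped.append((device, iface, str(ip)))
    addresses.update(ipaddress.IPv4Address(a) for a in extra)
    lines = ["tclsh", "foreach address {"]
    lines += [str(a) for a in sorted(addresses)]   # numeric, not string, order
    lines += ["} { ping $address }", "tclquit"]
    return "\n".join(lines), skipped


if __name__ == "__main__":
    script, skipped = build_ping_script(CAPTURES, extra=["192.0.2.254"])
    print(script)
    for device, iface, ip in skipped:
        print(f"! skipped {device} {iface} {ip} (not up/up)")
```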

Wednesday, July 23, 2008

A "typical" day in my life

05:15am - Wake up.

05:20am - Take a Shower.

05:30am - Dress-up, get ready to work.

05:35am - Say hello to my cats! Wife still sleeping.

05:50am - Take the bus to the subway.

06:15am - Take the subway to come to work, during the travel, I usually read a book (right now I´m reading Doyle´s OSPF and ISIS book).

07:05am - Stop at Coffee Shop, get something to eat.

07:20am - Sit in front of my computer and quickly look through my emails, to discover what is waiting for me today, normally a new problem at one of our customers' networks. Why do all kinds of strange things happen at night?! Go figure! :)

07:30am - Find something useful in the DocCD and read it! Yesterday I finished reading through IRB.

08:00am - Start working, and quickly answer to all my emails.

08:30am - Call to my wife, check if everything is ok!

08:40am - Call the customer and check the status of its network issue, and gather more data about it.

09:30am - Work a solution for the problem.

11:30am - Everything is fine. No more issues so far, so back to the Doyle´s Book.

12:45pm - Receive a call, to check a new issue at another network.

01:00pm - Call customer, gather more data, and start all over again! :)

02:30pm - Everything is ok, so quickly go downstairs to lunch.

03:00pm - Back from lunch, still having 30min so, mine the DocCD for more documents to read at night.

03:30pm - Check my emails, nothing new so far. Check the internet, blogs, everything CCIE related.

03:45pm - A buddy calls me asking for help to handle a switch that is not synchronizing the configuration between the supervisors.

04:05pm - Everything is ok with the switch, just a config register problem, no big deal.

04:10pm - Check emails, answer them.

04:30pm - Emails answered, back to Doyle´s book.

05:00pm - Check emails, nothing new! Time to go home!

05:10pm - Take the subway, continue to read Doyle´s book.

06:20pm - Take the bus back home.

06:45pm - Arrive at home, say hello to my wife, my cats! Everything is ok!

07:00pm - Take a shower, order something to eat.

07:30pm - Talk to my wife about the day.

08:00pm - Dinner time!!!!

08:30pm - Wash the dish.

08:45pm - DocCD, read the document I found earlier (03:00pm).

09:15pm - View a new module of IPExpert CCIE R&S BLS Video on Demand. Take a LOT of notes while doing that. Those videos are very nice! Seems like I'm attending a live class, with the advantage that I can go back at any time!

10:30pm - Finish, exhausted, go to bed, watch some TV, talk to my wife.

11:00pm - Sleep, to begin everything again the next day!

Well... that pretty much covers it. Of course, each day is different from the other, but that's how I normally handle my days! Weekends are a different story, but let's leave that for later!

Tuesday, July 22, 2008

Integrated Routing and Bridging Example

Here follows an example of IRB that will probably make our understanding of this topic a bit easier. This scenario was based on the Video on Demand from IPExpert CCIE R&S Blended Learning Solutions. A full video dedicated just to it is available there, and I recommend you check it out! It rocks! :)

Take a look at the topology:

Bridging

Those VLANs (VLAN2 and VLAN3) will be bridged through our serial link.

In order to do that, we need to:

  1. Create the Bridge-Group;
  2. Assign this Bridge-Group to our Interfaces;
  3. Create the BVI Interface and assign an IP Address to it;
  4. Create our rules (specifically tell this particular Bridge-Group to Route IP).

First... what is the function of a "Bridge-Group"?! Well, the "Bridge-Group" job is to take packets for an unknown destination and flood them out of any available ports, or, more importantly, to learn which of those available ports leads to each destination.

The catch is, the router can do routing, and it can do bridging, but in order to do both, with some interfaces routing and some interfaces bridging, we need to use IRB (Integrated Routing and Bridging).

Take a look at the configuration for all devices involved. Interfaces FastEthernet0/0 and Serial1/1 in our routers R2 and R3 were assigned to Bridge-Group 1; all interfaces between the origin and destination will be "bridged", and the IP Address will be assigned to the BVI Interface. Take a look:

R2:

int f0/0
bridge-group 1
no shut
!
int s1/1
 bridge-group 1
no shut
!
bridge irb
bridge 1 protocol ieee
bridge 1 route ip

!
int bvi 1
ip address 111.111.111.2 255.255.255.0
no shut

R3:

int f0/0
bridge-group 1
no shut
!
int s1/1
bridge-group 1
no shut
!
bridge irb
bridge 1 protocol ieee
bridge 1 route ip

!
int bvi 1
ip address 111.111.111.3 255.255.255.0
no shut

SW2

int f1/2
switchport access vlan 2
no shut
!
int vlan 2
ip address 111.111.111.22 255.255.255.0
no shut
exit

SW3

int f1/3
switchport access vlan 3
no shut
!
int vlan 3
ip address 111.111.111.33 255.255.255.0
no shut
exit

To make double-sure about our IP assignment, we can use the show ip int brief command:

R2#sh ip int brief
Interface       IP-Address    OK? Method Status      Protocol
FastEthernet0/0 unassigned    YES unset  up          up
Serial1/0       unassigned    YES unset administrat. down down
Serial1/1       unassigned    YES manual up          up
BVI1            111.111.111.2 YES manual up          up

R3#sh ip int brief
Interface       IP-Address    OK? Method Status      Protocol
FastEthernet0/0 unassigned    YES unset  up          up
Serial1/0       unassigned    YES unset  administrat. down down
Serial1/1       unassigned    YES manual up          up
BVI1            111.111.111.3 YES manual up          up

Everything looks good: the BVI interface has its IP Address, and both FastEthernet and Serial interfaces don't!

Using the command show bridge 1 verbose we can check which interfaces belong to this specific Bridge-Group:

R2#sh bridge 1 verbose

Flood ports (BG 1)           RX count    TX count
FastEthernet0/0                     0           0
Serial1/1                           0           0

Seems fine too! So, what next?! Testing! How?! Ping!!!

R2#ping 111.111.111.22

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 111.111.111.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/68/128 ms


R2#ping 111.111.111.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 111.111.111.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/58/136 ms


R2#ping 111.111.111.33

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 111.111.111.33, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/83/140 ms

---------------

R3#ping 111.111.111.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 111.111.111.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/65/128 ms


R3#ping 111.111.111.22

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 111.111.111.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/88/144 ms


R3#ping 111.111.111.33

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 111.111.111.33, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/58/120 ms

---------------

SW2#ping 111.111.111.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 111.111.111.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/64/136 ms


SW2#ping 111.111.111.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 111.111.111.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/95/184 ms


SW2#ping 111.111.111.33

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 111.111.111.33, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/127/200 ms

---------------

SW3#ping 111.111.111.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 111.111.111.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/72/124 ms

SW3#ping 111.111.111.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 111.111.111.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/105/164 ms

SW3#ping 111.111.111.22

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 111.111.111.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/145/224 ms


Now we have reachability between the two vlans! We can use the command show bridge 1 verbose again to check  the counters and the interfaces involved in this particular bridge group:

R2#sh bridge 1 verbose

Total of 300 station blocks, 297 free
Codes: P - permanent, S - self

BG Hash  Address     Action Interface  VC Age  RX count TX count
1 00/0   cc02.09c0.0000 forward  Serial1/1       -  3  10   9
1 00/1   cc05.0f10.0000 forward  Serial1/1       -  1  25  24
1 00/2   cc04.0f10.0000 forward  FastEthernet0/0 -  1  30  28

Flood ports (BG 1)           RX count    TX count
FastEthernet0/0                     7           0
Serial1/1                           0           7

R3#sh bridge 1 verbose

Total of 300 station blocks, 297 free
Codes: P - permanent, S - self

BG Hash  Address     Action Interface  VC Age  RX count TX count
1 00/0   cc04.0f10.0000 forward  Serial1/1       -  2  20   19
1 00/1   cc01.09c0.0000 forward  Serial1/1       -  0  15   14
1 00/2   cc05.0f10.0000 forward  FastEthernet0/0 -  0  35   33

Flood ports (BG 1)           RX count    TX count
FastEthernet0/0                     6           0
Serial1/1                           0           0

Just for curiosity, show arp at R3...

R3#sh arp
Protocol  Address     Age (min)  Hardware Addr   Type   Interface
Internet  111.111.111.33        5   cc05.0f10.0000  ARPA   BVI1
Internet  111.111.111.3         -   cc02.09c0.0000  ARPA   BVI1
Internet  111.111.111.2         5   cc01.09c0.0000  ARPA   BVI1
Internet  111.111.111.22        5   cc04.0f10.0000  ARPA   BVI1

...and show arp at SW2:

SW2#sh arp
Protocol  Address     Age (min)  Hardware Addr   Type   Interface
Internet  111.111.111.33        6   cc05.0f10.0000  ARPA   Vlan2
Internet  111.111.111.3         6   cc02.09c0.0000  ARPA   Vlan2
Internet  111.111.111.2         7   cc01.09c0.0000  ARPA   Vlan2
Internet  111.111.111.22        -   cc04.0f10.0000  ARPA   Vlan2

As you can see, everything is working fine! I do recommend you to check IPExpert Bridging Videos, and also Cisco DocCD for more information!

Here are some useful links:

http://www.cisco.com/en/US/tech/tk389/tk815/technologies_tech_note09186a0080094663.shtml

http://www.cisco.com/en/US/docs/ios/bridging/configuration/guide/br_transprnt_brdg_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1003018

Monday, July 21, 2008

Bridging & Integrated Routing and Bridging

Everything went wrong this last weekend. I was a bit sick with fever and all this kind of stuff, and spent more time in bed than actually doing anything else... That delayed me a little; I had plans to complete Workbook Volume 1 labs 3 and 4 this weekend but that wasn't possible!

Today I'm better, really better, and at lunch time I reviewed the IPExpert CCIE R&S BLS Bridging Video. Nice topic, this is something we don't get to see every day! In fact... I've never seen anything actually "bridged" in a network, and even though it's not on the blueprint anymore we can still have some IRB Bridging. So I'll spend more time on that for sure!

Couple quick notes I was able to get from the Video:

Basic job of a bridge is to bring things together, transparent bridging does that using the same media type, same MTU size, nothing changes!

Bridging on Routers:

Setup the basic bridge function:

  • Bridge 1 protocol ieee

Then bind to interfaces:

  • Bridge-group 1

If Frame-Relay is in the middle:

  • Frame-relay  map bridge <DLCI>

Integrated Routing & Bridging:

Allows selective routing some protocols while bridging others:

Enable Bridge IRB in a router:

  • Bridge irb

Configure a BVI (Bridging Virtual Interface):

  • Interface bvi 1
    • ip address <address> <mask>

Create our "rules", in other words tell bridge-group 1 to route IP.

  • Bridge 1 route ip

Interfaces in middle simply have bridging.

A cool command to verify if everything is working (AFTER ping testing):

  • Show bridge 1 verbose

It seems a little confusing, but with the example shown in the Video on Demand you'll be able to get it! I'll try to create a Dynamips topology to simulate a bridging scenario and post back later, to clarify things a bit better both for you reading this and for me! :)

Thursday, July 17, 2008

Remote Switched Port Analyzer (RSPAN)

This week I had a task in the IPExpert Workbook Vol 1 to use RSPAN. It can be used to monitor source Ports, VLANs and destination ports on different switches in your network.

Ok, I've already configured SPAN (local switch only) and knew about RSPAN, but had never done it before! Hmmm ok! Not that difficult, a quick look at the DocCD will be more than enough to figure that out, BUT, there are some tricks you should be aware of!

In order to configure RSPAN we'll need to have an RSPAN VLAN. Those VLANs have special properties and CAN'T be assigned to any access ports! Never!

Also, we can use an Access-List (if desired) to filter the output to monitor; those access-lists should be specified on the RSPAN VLAN in the RSPAN source switch.

You can configure any VLAN as an RSPAN VLAN as long as these conditions are met:

  1. The same RSPAN VLAN is used for an RSPAN session in all the switches.
  2. All participating switches support RSPAN.

Ok, so, let´s check a quick example on how to create the RSPAN VLAN:

vlan 250
remote-span
end

In the above example VLAN 250 was configured as the RSPAN VLAN. Remember to use VLAN IDs that are lower than 1005!

Now, configure the RSPAN Source Session:

Source Switch:

monitor session 1 source interface fastethernet0/1 tx
monitor session 1 source interface fastethernet0/2 rx
monitor session 1 destination remote vlan 250
end

Now the ports FastEthernet0/1 and FastEthernet0/2 are configured to be monitored and the destination is set to the RSPAN VLAN 250.

Finally, we need to create the RSPAN Destination Session:

Destination Switch:

monitor session 1 source remote vlan 250
monitor session 1 destination interface fastethernet0/7
end

That will send ALL traffic from RSPAN VLAN 250 to the fastethernet0/7, where we can plug our sniffer, traffic analyzer, or anything that we may need/want.

Seems pretty simple, right?! In fact it is! Really! BUT, just keep these few things in mind:

  1. The RSPAN VLAN should be allowed on ALL trunks between the involved switches (Source and Destination switches in this case);
  2. If you have enabled "pruning" in your network, remove the RSPAN VLAN from the pruning, with the command: switchport trunk pruning vlan remove <RSPAN VLAN ID> under the interface configured as trunk.

And that´s pretty much it! You can check if the RSPAN VLAN is allowed/pruned on the trunk with the command: show interface trunk
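The two trunk conditions above can be checked mechanically from that command's output. This is an added example, not part of the original post or of Cisco's documentation: it parses a constructed show interface trunk capture (ports Fa0/22 to Fa0/24 are made up) and reports, per trunk, whether RSPAN VLAN 250 is allowed and not pruned.

```python
import re

# Constructed 'show interface trunk' output (sample data, hypothetical ports).
SAMPLE = """\
Port        Mode             Encapsulation  Status        Native vlan
Fa0/22      on               802.1q         trunking      1
Fa0/23      on               802.1q         trunking      1
Fa0/24      on               802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/22      1-4094
Fa0/23      1-4094
Fa0/24      1-100,300-400

Port        Vlans allowed and active in management domain
Fa0/22      1,10,250
Fa0/23      1,10,250
Fa0/24      1,10

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/22      1,10,250
Fa0/23      1,10
Fa0/24      1,10
"""

ALLOWED = "Vlans allowed on trunk"
FORWARDING = "Vlans in spanning tree forwarding state and not pruned"
HEADER = re.compile(r"^Port\s+(Vlans .+?)\s*$")


def expand_vlans(spec):
    """Turn '1-100,300-400' into a set of VLAN IDs; 'none' gives an empty set."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part or part == "none":
            continue
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse_trunk_sections(text):
    """Return {section title: {port: set of VLAN IDs}} for the 'Vlans ...' tables."""
    sections, current, last_port = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        header = HEADER.match(line)
        if header:
            current, last_port = sections.setdefault(header.group(1), {}), None
        elif line.startswith("Port"):
            current = None                     # the Mode/Encapsulation table
        elif current is not None:
            if line[0].isspace() and last_port:    # wrapped VLAN list
                current[last_port] |= expand_vlans(line)
            else:
                fields = line.split(None, 1)
                last_port = fields[0]
                current[last_port] = expand_vlans(fields[1] if len(fields) > 1 else "")
    return sections


def check_rspan_vlan(text, vlan):
    """Classify each trunk for the given RSPAN VLAN."""
    sections = parse_trunk_sections(text)
    forwarding = sections.get(FORWARDING, {})
    report = {}
    for port, allowed in sections.get(ALLOWED, {}).items():
        if vlan not in allowed:
            report[port] = "not allowed on trunk"
        elif vlan not in forwarding.get(port, set()):
            report[port] = "allowed but pruned or not forwarding"
        else:
            report[port] = "ok"
    return report


if __name__ == "__main__":
    for port, status in check_rspan_vlan(SAMPLE, 250).items():
        print(port, status)
```

A trunk reported as "allowed but pruned or not forwarding" is the case the pruning command in item 2 addresses; spanning tree blocking the VLAN on that port shows up the same way.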

If you need more information regarding SPAN/RSPAN, just follow this link at Cisco´s Website:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swspan.html#wp1036686

Wednesday, July 16, 2008

Study Strategy and Schedule Follow up

It´s time to do a little follow up on my schedule... After watching a few Videos from IPExpert CCIE R&S Blended Learning Solutions  I decided to change my strategy just a bit!

This new strategy includes checking the DocCD for each and every task in the workbooks, even the ones that I know!

Man... I must say... it's really tough! It takes much longer than I was expecting! So, instead of jumping on the rack, I'm trying to solve the problems in Notepad, and only after that do I rent a Rack!

It's not the best approach for Workbook Volume 2, but it seems fair enough to me for Workbook Volume 1 - Technology Labs! I'll try a couple of labs using this strategy, and decide if I'll keep going this way or not!

One thing for sure, the experience I'll get with the DocCD will be priceless! This is a vital part of the CCIE preparation!

This is going to delay my schedule at first, but I think I'll be able to catch up, and stay on my goal to finish IPExpert Workbook Volume 1 + Video on Demand by September 29! My time to find answers in DocCD will increase with practice, and that should speed things up a little bit before this date!

Well... time to study a while now! ;)

Tuesday, July 15, 2008

PPP Video on Demand (IPExpert CCIE R&S BLS)

Today I was watching the PPP Video-on-Demand from IPExpert´s CCIE R&S Blended Learning Solutions, and learned some new tricks! AWESOME!

PPP is fairly simple, configuring it is not that difficult, BUT, as always, there are a couple of tricks we can be asked about in the exam, and that's exactly WHERE the Video-on-Demand comes to the rescue!

The worst thing that they could ask in the exam about PPP is Authentication! Otherwise, we just set the encapsulation to ppp, bring our interfaces up and that's pretty much it!

In the PPP Video we get the chance to review some scenarios, not difficult ones, but tricky!

First, let´s take a look at the topology used in our simulation (again, I was running it in Dynamips, if anybody wants the .NET files, just let me know):

PPP

First scenario: R2 should initiate a secure authentication request to R3.

So, how to complete this task?!

Secure means the password cannot be sent in Clear-Text, so PAP is out, we can use CHAP! CHAP sends an MD5 hash, so it's good!

But how can we make sure R2 will initiate the authentication, and not R3?! Well... in fact it's very simple (I didn't know about that until now): use the command ppp authentication chap only in R2. The ppp authentication command only specifies what you're going to send out as an authentication requirement, not what you're going to respond to; you always respond to the other side's requests.

So, our configuration will look pretty much like this one:

R2:

username R3 password 0 cisco
!

interface Serial1/1
ip address 222.222.222.2 255.255.255.0
encapsulation ppp
clock rate 128000
ppp authentication chap

R3:

username R2 password 0 cisco
!
interface Serial1/1
ip address 222.222.222.3 255.255.255.0
encapsulation ppp

To BE SURE that R2 is initiating the request, we can run a debug ppp authentication in both routers and check the Outgoing (O) and Incoming (I) requests, take a look yourself:

R2(config-if)#do debug ppp authentication
PPP authentication debugging is on
R2(config-if)#
Se1/1 PPP: Using default call direction
Se1/1 PPP: Treating connection as a dedicated line
Se1/1 PPP: Session handle[400001F] Session id[63]
Se1/1 PPP: Authorization required
Se1/1 CHAP: O CHALLENGE id 1 len 23 from "R2"
Se1/1 CHAP: I RESPONSE id 1 len 23 from "R3"
Se1/1 PPP: Sent CHAP LOGIN Request
Se1/1 PPP: Received LOGIN Response PASS
Se1/1 PPP: Sent LCP AUTHOR Request
Se1/1 PPP: Sent IPCP AUTHOR Request
R2(config-if)#
Se1/1 LCP: Received AAA AUTHOR Response PASS
Se1/1 IPCP: Received AAA AUTHOR Response PASS
Se1/1 CHAP: O SUCCESS id 1 len 4
Se1/1 PPP: Sent CDPCP AUTHOR Request
Se1/1 CDPCP: Received AAA AUTHOR Response PASS
Se1/1 PPP: Sent IPCP AUTHOR Request
R2(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to up

R3(config-if)#do debug ppp authentication
PPP authentication debugging is on
R3(config-if)#

Se1/1 CHAP: I CHALLENGE id 1 len 23 from "R2"
Se1/1 CHAP: Using hostname from unknown source
Se1/1 CHAP: Using password from AAA
Se1/1 CHAP: O RESPONSE id 1 len 23 from "R3"
Se1/1 CHAP: I SUCCESS id 1 len 4
R3(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to up

So what´s next?! Just try to ping from both sides, and you should be ok at your exam! Nothing more to worry about!
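What the CHALLENGE and RESPONSE lines in the debug above carry, as an added example that is not from the original post or from IPExpert: a CHAP exchange per RFC 1994 between two objects standing in for R2 and R3. The Router class, run_exchange and the 16-byte challenge size are assumptions of this sketch; with 2-character hostnames that size gives the "len 23" seen in the debug.

```python
import hashlib
import hmac
import os
import struct

CHALLENGE, RESPONSE = 1, 2          # CHAP packet codes from RFC 1994


def chap_packet(code, ident, value, name):
    """Code | Identifier | Length | Value-Size | Value | Name."""
    body = bytes([len(value)]) + value + name.encode()
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_chap(packet):
    """Return (code, ident, value, name); reject inconsistent length fields."""
    if len(packet) < 5:
        raise ValueError("short CHAP packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    value_size = packet[4]
    if length != len(packet) or 5 + value_size > length:
        raise ValueError("inconsistent CHAP length fields")
    return code, ident, packet[5:5 + value_size], packet[5 + value_size:].decode()


def chap_md5(ident, secret, challenge):
    """Response value = MD5(Identifier || secret || challenge value)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


class Router:
    """A hostname plus its 'username <peer> password <secret>' entries."""

    def __init__(self, hostname, users):
        self.hostname = hostname
        self.users = users
        self.pending = {}            # identifier -> challenge awaiting a response

    def challenge(self, ident):
        """Authenticator side: the router configured with 'ppp authentication chap'."""
        value = os.urandom(16)       # fresh random challenge each time
        self.pending[ident] = value
        return chap_packet(CHALLENGE, ident, value, self.hostname)

    def respond(self, packet):
        """Peer side: hash with the secret stored for the challenger's name."""
        code, ident, value, name = parse_chap(packet)
        if code != CHALLENGE:
            raise ValueError("not a CHAP challenge")
        digest = chap_md5(ident, self.users[name], value)
        return chap_packet(RESPONSE, ident, digest, self.hostname)

    def verify(self, packet):
        """Authenticator side: recompute the hash and compare in constant time."""
        code, ident, value, name = parse_chap(packet)
        challenge = self.pending.pop(ident, None)    # each challenge is single-use
        secret = self.users.get(name)
        if code != RESPONSE or challenge is None or secret is None:
            return False
        return hmac.compare_digest(chap_md5(ident, secret, challenge), value)


def run_exchange():
    """R2 challenges R3, then a replayed and a wrong-secret response are tried."""
    r2 = Router("R2", {"R3": "cisco"})   # username R3 password 0 cisco
    r3 = Router("R3", {"R2": "cisco"})   # username R2 password 0 cisco
    chal = r2.challenge(1)
    resp = r3.respond(chal)
    result = {
        "challenge_len": len(chal),
        "response_len": len(resp),
        "secret_on_wire": b"cisco" in chal + resp,
        "accepted": r2.verify(resp),
    }
    r2.challenge(1)                      # new challenge, same identifier
    result["replay_accepted"] = r2.verify(resp)
    mismatched = Router("R3", {"R2": "Cisco"})
    result["wrong_secret_accepted"] = r2.verify(mismatched.respond(r2.challenge(2)))
    return result


if __name__ == "__main__":
    print(run_exchange())
```

Both routers feed the shared secret itself into MD5, so each side has to hold it in recoverable form, as the username ... password 0 lines in the configs do.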

Second scenario: R2 and R3 should be configured to PPP Authentication using DIFFERENT secure authentication protocols.

Hmmm... is that possible?! Yeah, it is! We´ll be using CHAP in R2, and EAP in R3, and everything will be good!

Check the configuration of both routers:

R2:

username R3 password 0 cisco
!
interface Serial1/1
ip address 222.222.222.2 255.255.255.0
encapsulation ppp
clock rate 128000
ppp authentication chap
 ppp eap password 0 cisco


R3:

username R2 password 0 cisco
!

interface Serial1/1
ip address 222.222.222.3 255.255.255.0
encapsulation ppp
ppp authentication eap
ppp eap local

Seems pretty straight-forward! Just a quick overview of this configuration:

In R2 the command ppp eap password cisco needs to be used: the password in EAP doesn't need to be symmetric, so we MUST configure it on the CHAP side of the link.

Regarding the ppp eap local configured in R3, this command means: use the LOCAL database (that means username R2 password cisco) for authentication, instead of a RADIUS Server. If you do not use this command, EAP will expect to have a RADIUS Server to authenticate the connection, and we do not have one!

Doing that, R2 and R3 will be configured with two different secure authentication protocols! We´re good! That´s what we were asked for!

Take a look at this Debug Output:

R2(config-if)#do debug ppp authentication
PPP authentication debugging is on
R2(config-if)#
%LINK-3-UPDOWN: Interface Serial1/1, changed state to up
Se1/1 CHAP: O CHALLENGE id 60 len 23 from "R2"
Se1/1 EAP: I REQUEST  IDENTITY id 71 len 5
Se1/1 EAP: O RESPONSE IDENTITY id 71 len 7 from "R2"
Se1/1 EAP: I REQUEST  MD5 id 72 len 24 from "R3"
Se1/1 CHAP: I RESPONSE id 60 len 23 from "R3"

Se1/1 PPP: Sent CHAP LOGIN Request
Se1/1 EAP: Using hostname from unknown source
Se1/1 EAP: Using password from interface EAP
Se1/1 EAP: O RESPONSE MD5 id 72 len 24 from "R2"
Se1/1 PPP: Received LOGIN Response PASS
Se1/1 PPP: Sent LCP AUTHOR Request
Se1/1 PPP: Sent IPCP AUTHOR Request
Se1/1 EAP: I SUCCESS id 72 len 4
Se1/1 LCP: Received AAA AUTHOR Response PASS
Se1/1 IPCP: Received AAA AUTHOR Response PASS
Se1/1 CHAP: O SUCCESS id 60 len 4
Se1/1 PPP: Sent CDPCP AUTHOR Request
Se1/1 CDPCP: Received AAA AUTHOR Response PASS
Se1/1 PPP: Sent IPCP AUTHOR Request
R2(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to up

R3(config-if)#do debug ppp authentication
PPP authentication debugging is on
R3(config-if)#
%LINK-3-UPDOWN: Interface Serial1/1, changed state to up
Se1/1 EAP: O REQUEST  IDENTITY id 73 len 5
Se1/1 CHAP: I CHALLENGE id 61 len 23 from "R2"
Se1/1 CHAP: Using hostname from unknown source
Se1/1 CHAP: Using password from AAA
Se1/1 CHAP: O RESPONSE id 61 len 23 from "R3"
Se1/1 EAP: I RESPONSE IDENTITY id 73 len 7 from "R2"
Se1/1 EAP: O REQUEST  MD5 id 74 len 24 from "R3"
Se1/1 CHAP: I SUCCESS id 61 len 4
Se1/1 EAP: I RESPONSE MD5 id 74 len 24 from "R2"

Se1/1 PPP: Sent CHAP LOGIN Request
Se1/1 PPP: Received LOGIN Response PASS
Se1/1 PPP: Sent LCP AUTHOR Request
Se1/1 PPP: Sent IPCP AUTHOR Request
Se1/1 LCP: Received AAA AUTHOR Response PASS
Se1/1 IPCP: Received AAA AUTHOR Response PASS
Se1/1 EAP: O SUCCESS id 74 len 4
Se1/1 PPP: Sent CDPCP AUTHOR Request
Se1/1 CDPCP: Received AAA AUTHOR Response PASS
Se1/1 PPP: Sent IPCP AUTHOR Request
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to up

Again, a ping test will not hurt (it worked for me in my Dynamips simulation).
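
The len values in the debug output above follow from the RFC 1994 (CHAP) and RFC 3748 (EAP) packet layouts. The Python sketch below is an added example, not part of the original lab notes or of IOS; it rebuilds each packet from R2´s debug using constructed challenge bytes (the real challenge values do not appear in the debug) and shows that CHAP and EAP-MD5 compute the same MD5(id || secret || challenge) answer.

```python
import hashlib
import hmac
import struct

CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS = 1, 2, 3    # RFC 1994 codes
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS = 1, 2, 3         # RFC 3748 codes
EAP_IDENTITY, EAP_MD5 = 1, 4                             # RFC 3748 types


def md5_answer(ident, secret, challenge):
    """MD5(id || secret || challenge), used by both CHAP and EAP-MD5."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def header(code, ident, body=b""):
    """Code, Identifier and a Length that counts the 4-byte header itself."""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def chap(code, ident, value, name):
    """CHAP Challenge/Response: Value-Size, Value, then the sender's name."""
    return header(code, ident, bytes([len(value)]) + value + name)


def eap(code, ident, eap_type, data=b""):
    """EAP Request/Response: a Type byte followed by type-specific data."""
    return header(code, ident, bytes([eap_type]) + data)


def eap_md5(code, ident, value, name):
    """EAP MD5-Challenge reuses the CHAP layout after the Type byte."""
    return eap(code, ident, EAP_MD5, bytes([len(value)]) + value + name)


def check_md5(value_field, ident, secret, challenge):
    """Authenticator side: recompute the hash, compare in constant time."""
    return hmac.compare_digest(value_field, md5_answer(ident, secret, challenge))


def r2_exchange(secret=b"cisco"):
    """Rebuild the packets behind R2's debug lines; return name -> bytes."""
    chap_chal = bytes(range(16))          # constructed challenge sent by R2
    eap_chal = bytes(range(16, 32))       # constructed challenge sent by R3
    return {
        # R3 answers with the secret from "username R2 password cisco"
        "CHAP O CHALLENGE": chap(CHAP_CHALLENGE, 60, chap_chal, b"R2"),
        "CHAP I RESPONSE": chap(CHAP_RESPONSE, 60,
                                md5_answer(60, secret, chap_chal), b"R3"),
        "CHAP O SUCCESS": header(CHAP_SUCCESS, 60),
        # R2 answers with the secret from "ppp eap password cisco"
        "EAP I REQUEST IDENTITY": eap(EAP_REQUEST, 71, EAP_IDENTITY),
        "EAP O RESPONSE IDENTITY": eap(EAP_RESPONSE, 71, EAP_IDENTITY, b"R2"),
        "EAP I REQUEST MD5": eap_md5(EAP_REQUEST, 72, eap_chal, b"R3"),
        "EAP O RESPONSE MD5": eap_md5(EAP_RESPONSE, 72,
                                      md5_answer(72, secret, eap_chal), b"R2"),
        "EAP I SUCCESS": header(EAP_SUCCESS, 72),
    }


def lengths():
    """Packet lengths, comparable with the 'len' field in the debug lines."""
    return {name: len(pkt) for name, pkt in r2_exchange().items()}


if __name__ == "__main__":
    for name, size in lengths().items():
        print(f"{name:<24} len {size}")
```

Because both methods reduce to a single MD5 over a shared secret, the strength of either direction of this link rests entirely on the quality of that secret.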

Those are the kinds of situations we may encounter during the exam, and for sure, after watching this PPP Video that will not cause me any problems! Cool! :)

There are a lot more tips and advice like that in the Video (not only for PPP, but for everything), you have to check it out! :D

Monday, July 14, 2008

IPExpert Workbook 1 - Section 2: Quad Catalyst (PVST+) Switch Configuration

Summary:

  • Time to Complete the Lab: 8h10m
  • Times looked at DocCD: 32 (all tasks) 
  • Times looked at Proctor Guide: 1 (Task 2.27)
  • Tasks skipped: 0 (none)
  • Rack Used: Notepad :)

Change of Plans:

I´m following a different approach after checking the CCIE Tips and Strategy Video from my IPExpert BLS! One of the many pieces of advice over there was to check EVERY task (even the ones you know) in the DocCD!

Fair enough! Seems right! So I decided to change my approach a little bit: instead of jumping into a Rack (by the way, ProctorLabs Rack Rental is great!) I decided to open a notepad (yep, notepad! I do not have Routers and Switches at my disposal, so to avoid losing precious Rack time, I did most of the job in the notepad so far!), and try to solve the tasks in it using the DocCD.

Hmmmm, it was really tough! I´ve searched DocCD for hours and hours! And look, this is pretty much the Switching portion of the book, but that´s ok! I need to find my way through the DocCD, and really, in the end, I was taking like 10min to find a task in the DocCD! It´s really helping me out! I suggest you try it also, at least one time!

I read a lot, and that took me some time too! But, it´s Workbook Volume 1, and that´s what I´m supposed to do, right?! Learn technologies, and that´s pretty much what I´m doing right now!

Things get really easier when you have someone with experience enough to guide you! My coach!? IPExpert CCIE R&S Blended Learning Solutions, I´m following most of the tips! It can take more time than I predicted in the beginning, but, for sure, I´ll learn a LOT more by doing exactly like that!

About the Lab:

Lab started easy, with some minor tasks, like VTP, Passwords, Etherchannel, Trunks. Task 2.5, for example, was asking to configure trunks, and to have every packet that traverses the link tagged with its VLAN ID, no exceptions! Nice! We can do that with the command vlan dot1q tag native! Things got really interesting also in tasks 2.9, 2.10 and 2.11 regarding 802.1x; there´s a good piece of advice to avoid locking yourself out (and most important, to avoid locking the proctor out of the equipment). I saw somebody at Group Study, or Sadikhov, asking about that a while ago, so I decided to depict here every single word used in the Proctor Guide regarding this specific task:

-> Dot1x needs to be turned on.

dot1x system-auth-control
aaa new-model
aaa authentication dot1x default group radius
radius-server host 150.100.220.100 key ipexpert

-> To avoid further complications with any port using "login" you´ll want to create a workaround. The Proctor will NOT do password recovery for grading you! So let´s change the above:

aaa authentication login MyVTY line
aaa authentication login MyCon none
!
line con 0
login authentication MyCon
!
line vty 0 4
login authentication MyVTY

-> The bottom line is that while it is very irritating to lock yourself out of a switch it is MUCH better than locking the Proctor out!

-> Another thing you may do is "reload in 10" on the switch. If you haven´t validated your config and cancelled the reload, then at least you will fix things yourself!

-> (Do NOT save unvalidated configurations!!!)

That can save our lab! For sure somebody did it already and paid a $1400.00 lunch to Cisco!

Everything was pretty straightforward in this lab. Another great piece of advice from the Proctor Guide is to always check the Command Reference Guide in the DocCD if you need the default value of anything, it´s always there! Cool!

Task 2.21 was all about Smart Port Macros! Wow! Never did it before! But again, not too much to worry about, easy to find in DocCD, and also easy to achieve the goal! Not that difficult, but again, nice one!

I´m not used to SNMP, so task 2.24 took me a while to understand and figure out in the DocCD what to do! But what really KILLED me was task 2.27, take a look at this trick question:

Task 2.27

Ensure that only the following traffic is allowed to pass through VLAN12:

  • All non-IP frames sourced from MAC-address 000b.cd96.cc4f destined to any host;
  • OSPF traffic and ICMP traffic
  • All other frames should be denied

Ok, seems simple, right?! I thought so too! But indeed it´s not!

Breaking it down, step-by-step, we would have a MAC Access-List + Extended Access-List + VLAN Filter, right?! It´ll look pretty much like that:

mac access-list extended FilterMe
permit host 000b.cd96.cc4f any
!
access-list 101 permit ospf any any
access-list 101 permit icmp any any
!
vlan access-map Filter-VL12 10
action forward
match mac address FilterMe
!
vlan access-map Filter-VL12 20
action forward
match ip address 101
!
vlan access-map Filter-VL12 30
action drop
!
vlan filter Filter-VL12 vlan-list 12

Now... try to ping any address from VLAN12... did it work?! Check the ARP table! Yeah! Now you see! We need to allow ARP, and also STP to avoid any inconsistency in our network. The final configuration would include these two lines in the MAC Access-List:

permit any any 0x0806 0x0000
permit any any lsap 0xAAAA 0x0000

Here follow the Ethertypes available in this lab at Proctor Guide (good to have those in mind when creating VLAN Access Maps):

  • 0x0806 = ARP
  • lsap 0xAAAA = PVST+
  • 0x4242 = STP and PVST
  • 0x86DD = IPv6
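
Why the first version breaks ping can be seen by running a few frames through the map. This Python model is an added example, not Proctor Guide or IOS code; it assumes that a MAC ACL clause is applied only to non-IP frames and an IP ACL clause only to IPv4 packets, and every frame and MAC address other than 000b.cd96.cc4f is constructed.

```python
from dataclasses import dataclass
from typing import Optional

IPV4, ARP, SNAP_LSAP = 0x0800, 0x0806, 0xAAAA
HOST = "000b.cd96.cc4f"      # the MAC address named in Task 2.27
OTHER = "0011.2233.4455"     # constructed MAC of a second host in VLAN 12
SWITCH = "0019.aabb.cc01"    # constructed MAC of a neighbouring switch


@dataclass(frozen=True)
class Frame:
    label: str
    src: str
    ethertype: Optional[int] = None   # Ethernet II type; None for LLC frames
    lsap: Optional[int] = None        # DSAP+SSAP of an LLC frame
    ip_proto: Optional[int] = None    # IP protocol number for IPv4 frames


@dataclass(frozen=True)
class MacAce:
    """One permit line of a MAC ACL; None stands for 'any'."""
    src: Optional[str] = None
    ethertype: Optional[int] = None
    lsap: Optional[int] = None
    mask: int = 0x0000                # don't-care bits, 0x0000 = exact match

    def permits(self, f: Frame) -> bool:
        if self.src is not None and self.src != f.src:
            return False
        for want, got in ((self.ethertype, f.ethertype), (self.lsap, f.lsap)):
            if want is not None and (got is None or (want ^ got) & ~self.mask & 0xFFFF):
                return False
        return True


ACL_101 = {89, 1}                                   # permit ospf, permit icmp
BEFORE = [MacAce(src=HOST)]                         # first attempt
AFTER = BEFORE + [MacAce(ethertype=ARP), MacAce(lsap=SNAP_LSAP)]

FRAMES = [  # constructed sample traffic
    Frame("ARP request from permitted host", HOST, ethertype=ARP),
    Frame("ARP reply from other host", OTHER, ethertype=ARP),
    Frame("PVST+ BPDU", SWITCH, lsap=SNAP_LSAP),
    Frame("OSPF hello", OTHER, ethertype=IPV4, ip_proto=89),
    Frame("ICMP echo", OTHER, ethertype=IPV4, ip_proto=1),
    Frame("TCP segment", OTHER, ethertype=IPV4, ip_proto=6),
    Frame("other non-IP frame", OTHER, ethertype=0x6003),
]


def evaluate(mac_acl, f: Frame) -> str:
    """Walk Filter-VL12: 10 = MAC ACL, 20 = ACL 101, 30 = drop the rest."""
    is_ip = f.ethertype == IPV4
    if not is_ip and any(ace.permits(f) for ace in mac_acl):
        return "forward"              # sequence 10
    if is_ip and f.ip_proto in ACL_101:
        return "forward"              # sequence 20
    return "drop"                     # sequence 30


def verdicts(mac_acl):
    """Map each sample frame's label to the action the VLAN map takes."""
    return {f.label: evaluate(mac_acl, f) for f in FRAMES}


if __name__ == "__main__":
    before, after = verdicts(BEFORE), verdicts(AFTER)
    for label in before:
        print(f"{label:<34} before={before[label]:<8} after={after[label]}")
```

The ARP request from the permitted host leaves the VLAN in both versions; it is the reply from the other host, and the BPDUs, that the first version silently drops.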

This task alone took me 1h30m! I was trying to look at the DocCD, but I haven´t found those Ethertype values anywhere! It was really good to learn! We need to see every task´s "Big Picture"! What happens if we only allow the MAC Address of the Host to pass through?! Nothing! Without ARP nothing! So I need to pay more attention to those little details and take care to not underestimate the question! Ouch!

Final considerations:

This lab seems to be really easy to accomplish, but, believe me, it´s not! Also, the many hidden issues, tricks and experience you get from it are HUGE! I would suggest doing it a couple of times (I´ll do it again this weekend, but now, on live equipment).

VLAN Access Maps questions were the BEST ones in my opinion, the explanations at Proctor Guide really tell us to think about the "Full Picture" and not just to accomplish what was asked word-by-word! This is the key difference between who understands the technologies, and the guy who knows the commands! ;)

I´m also very happy with this new approach I´m using, trying to find every single task in the DocCD, and using Notepad for the first time (prior to the Rack Rental)!

Things that I need to improve myself after this Lab:

  1. 802.1x;
  2. SNMP;
  3. VLAN Access Maps;
  4. Still need to understand better what the task is REALLY asking for instead of guessing it!

Next Steps:

  1. Do the same thing with Workbook Volume I - Section 3: Quad Catalyst - MST;
  2. Do those two labs (Section 2 + Section 3) in real equipments from ProctorLabs.com;
  3. Watch VoD Chapters 3 (PPP), 4 (Bridging) and 5 (Switching).

Friday, July 11, 2008

IPExpert Workbooks (Printed Version) just arrived!

Uuuhuuuu! This afternoon I received my Printed version of IPExpert Workbooks, all volumes! Including Proctor Guide! What a nice surprise for a friday!

I´ve been using the online PDF version, but, printed is way better! I can take it everywhere! Nice!!

My baby just born! :)

Well... I think I´ll not be able to play outside for a while now!

Oh my... too much to do in such a little time! I need 48hs days to do everything I need to do!

Workbooks Volume 1, Volume 2 and Volume 3 + Proctor Guide!

Hmmm, interesting HSRP task! lol!!!

Really! I´m impressed! Take a look on the size of the books! How much time I´ll need to learn everything that is inside?! A lot I think!

Proctor Guide depicts every single task, step-by-step, including helpful links, tons of good advice, instructions, and more!

I got too much to do right now! Need to focus and keep on track, never giving up, only with hard work I´ll be able to achieve my primary goal!

Tonight celebrate, tomorrow, sit in front of the computer and study, study, study and when I feel tired, study a while more! hahaha!

Wanna join me?! ;)

Nice comment from Jared Scrivener about the wording used at the CCIE Lab Exam

I´ve just finished reading this nice comment about the CCIE Exam from Jared Scrivener, CCIE2 #16983 (R&S, Security), CISSP - IPExpert Instructor - at Online Study List. Good words for us following our way to the CCIE Certification.

You can check the Original Post at Online Study List R&S Section!

----

Hey guys,

I thought I'd post a comment here to dispel a popular myth.

The CCIE is NOT a language exam more than a technical exam. If you KNOW what you are doing, and what it will affect, the questions are clear and straightforward.

If anything, the materials written by vendors like us prefer to err on the side of vagueness, rather than give away the answer - we do this so that in your pondering of what we are asking you consider alternative options. It is intentional, but sometimes annoying - that is why we have OSL for you to request clarification. :)

I only say this as I don't want people to feel that they have an additional battle to fight on top of the technical one - the exams from Cisco (in my experience) are challenging but clearly worded. If they use "strange" wording it is probably copied and pasted from the DocCD (much like a lot of our questions are if we do the same thing).

It is my opinion (as both a student and instructor) that for the most part the real CCIE lab exam questions are clearer but ALSO easier than ours, and the two are intertwined. We add ambiguity as a challenge and we push you harder. I could easily write a question that says "do this" and "do that" and you could follow it and configure it, but that wouldn't push you enough, nor teach you as broadly. When we write materials we often write questions in such a way that your mind will consider many different answers.

Effectively we've tested you and trained you on multiple things, which direct questioning cannot do.

I found it frustrating at times as a student when I would configure a question differently to how the author of the PG did. But after looking at both mine and their solution, and identifying both the correct and incorrect elements of each, and realising I could interpret the questions differently and the nuances of each method the light bulb went on for me: I was ready to pass.

Some people often post questions as to other ways the question could be interpreted - keep doing that, as it stimulates discussion and forces thought.

The critical thinking ability is NOT what the lab tests for, but it IS what will ensure that you know you are ready to pass (and it will ensure that when you get CCIE-level jobs, you are prepared for them as the real world is oftentimes stranger than the lab).

As Einstein said - "Any fool can know. The point is to understand."

Cheers,

Jared Scrivener CCIE2 #16983 (R&S, Security), CISSP
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
Mailto: jscrivener@ipexpert.com
Blog: jaredscrivener.com

PPP over Frame-Relay Example

Until a few days ago, PPP over Frame-Relay was a bit confusing to me, not that I knew it or not, but I´d never configured it so far, just saw it in theory...

This week, after checking the VoD from IPExpert, things became much easier!

To clear things out, PPP over Frame-Relay is used to bundle PVCs together (or also for authentication over Frame-Relay links).

Frame-Relay multilink is used to bundle LINKs together.

So, in this example, we´ll be checking the PPP over Frame-Relay option. Take a look at the topology used:

[Figure: PPPoFR topology diagram]

Ok! First things first, the drawing is not showing the PVCs that we´re supposed to be using, so... how can we check this information?! Well... in fact it´s pretty easy... We can just configure the Serial Link with Frame-Relay encapsulation and check the PVCs (sh frame-relay pvc) configured in our Frame-Relay Switch (not in the diagram):

R1, R2, R3

int s1/0
encap frame-relay
no frame inverse-arp
no shut

After the sh frame-relay pvc command, we can see that we have a FULL-MESH network, but, we´re not going to use them all!

According to the drawing, we need two PVCs between R1 and R3 (103, 113 and 301, 311); as long as the task is not asking for anything specific, we can use any PVC that we want to achieve the goal. Also, we need only one PVC between R1 and R2 (102 and 201). How about the others?! Well... leave them for now, they´re not going to be used in this task!

R1(config-if)#do sh frame pvc | in ACT
DLCI = 102, DLCI USAGE = UNUSED, PVC STATUS = ACTIVE, INTERFACE = Serial1/0
DLCI = 103, DLCI USAGE = UNUSED, PVC STATUS = ACTIVE, INTERFACE = Serial1/0
DLCI = 112, DLCI USAGE = UNUSED, PVC STATUS = ACTIVE, INTERFACE = Serial1/0
DLCI = 113, DLCI USAGE = UNUSED, PVC STATUS = ACTIVE, INTERFACE = Serial1/0

R2(config-if)#do sh frame pvc | in ACT
DLCI = 201, DLCI USAGE = UNUSED, PVC STATUS = ACTIVE, INTERFACE = Serial1/0
DLCI = 203, DLCI USAGE = UNUSED, PVC STATUS = ACTIVE, INTERFACE = Serial1/0
DLCI = 211, DLCI USAGE = UNUSED, PVC STATUS = ACTIVE, INTERFACE = Serial1/0

R3(config-if)#do sh frame pvc | in ACT
DLCI = 301, DLCI USAGE = UNUSED, PVC STATUS = ACTIVE, INTERFACE = Serial1/0
DLCI = 302, DLCI USAGE = UNUSED, PVC STATUS = ACTIVE, INTERFACE = Serial1/0
DLCI = 311, DLCI USAGE = UNUSED, PVC STATUS = ACTIVE, INTERFACE = Serial1/0

Now... in order to configure PPP over Frame-Relay, we need to create a virtual-template interface, and point the DLCIs that we´re going to be using to this virtual-template interface that we just created. Take a look at how all three routers were configured (in this specific case, R1 and R3 are the only ones using PPP over Frame-Relay):

R1

int virtual-template 1
ip address 200.200.230.1 255.255.255.0
bandwidth 64
no shut
!
int s1/0
frame interface-dlci 103 ppp virtual-temp 1
frame interface-dlci 113 ppp virtual-temp 1
!
int s1/0.102 point-to-point
ip address 200.200.220.1 255.255.255.0
frame-relay interface-dlci 102

R2

int s1/0.201 point-to-point
bandwidth 64
ip address 200.200.220.2 255.255.255.0
frame-relay interface-dlci 201

R3

int virtual-template 1
bandwidth 64
ip address 200.200.230.3 255.255.255.0
no shut
!
int s1/0
frame interface-dlci 301 ppp virtual-temp 1
frame interface-dlci 311 ppp virtual-temp 1

So, time for a quick test?! Yeah! It is! Let´s try to ping R2 and R3 from R1:

R1(config-fr-dlci)#do ping 200.200.220.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.220.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max= 20/60/112 ms

R1(config-fr-dlci)#do ping 200.200.230.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.230.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/70/120 ms

It worked! Things seem good, don´t you think?! If we check the interfaces at R1 (show ip int brief), we can see our Virtual-Template1 interface down and what in the world are those Virtual-Access interfaces?! We never configured those!

In fact, the Virtual-Template will remain down, and each time the PPP connection gets reset (up, down, up again, shut, or anything else) a new Virtual-Access interface (one for each DLCI) will be created and those are the interfaces that will remain up/up for our connection. So the Virtual-Access interfaces are created every time the PPP connection comes up!

R1(config-if)#do sh ip int brief
Interface         IP-Address     OK? Method Status     Protocol
FastEthernet0/0   unassigned     YES unset  down       down
Serial1/0         unassigned     YES unset  up         up
Serial1/0.102     200.200.220.1  YES manual up         up
Virtual-Template1 200.200.230.1  YES manual down       down
Virtual-Access2   200.200.230.1  YES TFTP   up         up
Virtual-Access3   200.200.230.1  YES TFTP   up         up

A good thing to do also is to check the Routing Table...

R1(config-fr-dlci)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS,su -IS-IS summary,L1-IS-IS level-1,L2-IS-IS level-2
ia-IS-IS inter area,*-candidate default U-per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    200.200.220.0/24 is directly connected, Serial1/0.102
     200.200.230.0/24 is variably subnetted, 2 subnets, 2 masks
C       200.200.230.3/32 is directly connected, Virtual-Access2
                         is directly connected, Virtual-Access3

C       200.200.230.0/24 is directly connected, Virtual-Access2
                         is directly connected, Virtual-Access3

The /32 entry was created by PPP, and both Virtual-Access2 and Virtual-Access3 interfaces are there also, so what will the routing protocols do?! They will load balance, and that´s not what we want in the first place!

To solve it, we just go into the Virtual-Template interface and "multilink" them together, using the command ppp multilink. This will create another Virtual-Access interface that will bundle the two others!

R1, R3

int virtual-temp 1
ppp multilink

To check if the interfaces are bundled together, we can use the following show command: show ppp multilink.

R1#sh ppp multilink

Virtual-Access4, bundle name is R3
  Endpoint discriminator is R3
  Bundle up for 00:01:45, total bandwidth 128, load 1/255
  Receive buffer limit 24384 bytes, frag timeout 1524 ms
    0/0 fragments/bytes in reassembly list
    0 lost fragments, 0 reordered
    0/0 discarded fragments/bytes, 0 lost received
    0x2 received sequence, 0x2 sent sequence
  Member links: 2 (max not set, min not set)
    Vi2, since 00:01:46
    Vi3, since 00:01:46
No inactive multilink interfaces

R3(config-if)#do sh ppp multilink

Virtual-Access4, bundle name is R1
  Endpoint discriminator is R1
  Bundle up for 00:01:02, total bandwidth 128, load 1/255
  Receive buffer limit 24384 bytes, frag timeout 1524 ms
    0/0 fragments/bytes in reassembly list
    0 lost fragments, 0 reordered
    0/0 discarded fragments/bytes, 0 lost received
    0x2 received sequence, 0x2 sent sequence
  Member links: 2 (max not set, min not set)
    Vi2, since 00:01:03
    Vi3, since 00:01:03
No inactive multilink interfaces

And finally, we can check our routing table, and we see just the newly created Virtual-Access interface over there! Much better for our Routing Protocols!

R1(config-fr-dlci)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS,su -IS-IS summary,L1-IS-IS level-1,L2-IS-IS level-2
ia-IS-IS inter area,*-candidate default U-per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    200.200.220.0/24 is directly connected, Serial1/0.102
     200.200.230.0/24 is variably subnetted, 2 subnets, 2 masks
C       200.200.230.3/32 is directly connected, Virtual-Access4
C       200.200.230.0/24 is directly connected, Virtual-Access4

These little notes about PPP over Frame-Relay were based on the Frame-Relay VoD from IPExpert CCIE R&S BLS, an extremely helpful resource for me so far!

Also, I´ve simulated this on Dynamips, so, if anyone wants the .NET file, just let me know, and I can forward it to your email!