Saturday, August 30, 2008

Just got the CCIE Command Memorizer, SWEET!

Today, following a friend's advice (and my own feeling too), I got the CCIE Command Memorizer from ConfigureTerminal.com.

I receive Mr. David Bombal's newsletter monthly (you can sign up for it at his site - www.configureterminal.com). The newsletter is very nice, with tons of tips, good advice and examples. I especially like the "hands-on" examples! Those are little movies showing how to achieve or correctly configure a specific task! I would sign up for it; there are some really good tips and tricks in there! Anyway... back to the subject...

The CCIE Command Memorizer was created by him during his studies for the CCIE, so it must be a good product! The guy knows what he's talking about in the newsletter, so the product must be good too! ;)

I haven't tried it that much yet (too busy this weekend), but the quick "tour" I took of it was sweet! I tried some tasks from Switching, and also some for OSPF... Man... you know what it looks like?! It's like a mix of a Workbook plus Dynamips! Of course, the commands accepted for each task are limited to the commands of that task itself, BUT it's a WORKBOOK with a prompt to enter the configuration commands right away! No need to wait to get back home, or set up a Dynamips topology, or even to wait for my Rack Rental time! It's there, for you! Just type the commands and see if you get it right or not! So cool!

Another great thing I liked (didn't know about that): the CCIE Command Memorizer license allows 2 simultaneous copies to be installed under 1 license. That way, I'll be able to have it on my home computer, and also on my laptop at work! So, anywhere I go, I'll have it available! Good policy! No more wasted time between one call and another at my job! :)

If the rest of the eBook looks like those few tasks I tried, it's a MUST HAVE product! I'm so glad I finally took the decision to get it!

I just need to handle some issues, and I'll be able to start using it! When that happens, I'll write up a few posts, so you can check it out yourself! Oh yeah... I'll ask permission to add some screenshots to the posts! Let's see!

Oh yeah, the price (USD 99.99) is not high for what you actually get! A Workbook (just like any other vendor workbook) with a command prompt to enter the correct configuration lines right away! For sure it'll become part of my daily study routine. Maybe a section a day, or 10, 20 configuration tasks; it'll all depend on my available time! But anyway, another powerful tool to help me with my studies! AWESOME!!!! :)

Thursday, August 28, 2008

Wow! Two days out, and now candidates are interviewed before the CCIE Labs?!

That one was fast! I stepped away for a couple of days to take care of some personal stuff, and now there's this msg at Groupstudy regarding interviews before the CCIE Lab in Beijing, China!

Is it a "hoax"?! Is it true?! I don't know... I know that when Cisco changed their rules for exams in China, Pakistan and India I received an email (and I'm from Brazil). Now this msg... My mailbox is empty (well... not empty, but there are no msgs regarding this)...

In my opinion, if they want to interview a guy, that's ok, but Cisco should change their strategy a bit: why not interview the guy a few months prior to his Lab, and if he passes the interview, he's allowed to take the CCIE Lab?! Like a 3-step Certification! That would be nice! Probably the pass rate would increase also; that way, Cisco would better select the engineers who will be allowed to take the test, not forgetting that it is kind of difficult to cheat in an interview! The guy in front of you asking questions will be a highly qualified engineer, and he could change the questions according to his feelings!

But well... who knows... maybe one day. In the meantime, can anybody confirm if this is true?!

Read the full msg from Groupstudy below:

-----

Dear Candidate:

On August 27, Cisco will introduce a pilot for the CCIE Routing and Switching lab exam in Beijing, China. The pilot will add a 10-minute interview that will assess the candidate's ability to apply expert-level networking skills and knowledge to networking problems that are encountered on the job. After the lab orientation, a panel of three experts will conduct a verbal interview with each candidate, asking a series of expert-level networking questions (questions and answers will be in English).

The ability to correctly answer these questions will affect the exam score. After completing the interview, the candidate will have the entire 8 hours to complete the lab portion of the exam. These scores will then be calculated and then combined for a total score which will decide a pass or a fail.

Our goal with this email is to let you know that your day will extend beyond the normal testing day by approximately one hour. The additional hour will be at the end of the day. We hope you find this interview process enlightening and helpful as we continue to strive for the standard the world has come to expect from CCIE.

-----

Tuesday, August 26, 2008

Private VLANs (PVLANs)

Until now, I thought PVLANs were a bit difficult to understand and to implement, like when I was studying for the CCNP: it took me a while to digest, and I had some doubts about it, till today! Man... how simple it is, and there's not much "magic" in it (like our friend Scott Morris usually says)! Pretty straightforward and no big deal! The Security Video from IPExpert is AWESOME. It's short, informative, to the point, and solved in minutes MANY questions I've had for a while! Man! What a nice way to do it!

So, let's get into it:

There are three types of Private VLAN ports:

  • Promiscuous (P) - talks to everyone (usually connected to the exit Router, DNS, DHCP Server, NTP Server);
  • Isolated (I) - only talks to Promiscuous ports;
  • Community (C) - talks to others in the same Community and to Promiscuous ports.

To configure PVLANs the Switch MUST be in VTP Transparent mode, otherwise it'll not work.

Just keep in mind that when you configure your switch for VTP Transparent mode, you do not lose the VLAN information you've learned so far; you simply stop learning anything new about VLAN changes from then on!

Hosts in different PVLANs are all in the same IP Subnet, BUT they're not able to talk to hosts in other community or isolated VLANs! That's the main goal of a PVLAN: to split the VLAN domain into multiple isolated broadcast subdomains. But what if one Community VLAN needs to talk to another Community VLAN?! Well... that can be done through a Router or L3 Switch. Also, you can apply some access-lists and other security features to permit only the things you want to pass through!

The best way to explain this is with an example, so check our topology; we'll concentrate on the PVLAN ports:

[Figure: PVLAN topology]

There are three Community VLANs (there can be more if you want), so you put every client inside its own Community VLAN, preventing one client from talking to another. That means Customer A could have a WebServer and some other application server inside its own Community VLAN, and those devices will be able to talk to each other, but they'll NOT be able to talk to devices in other Community or Isolated VLANs.

But wait a minute: we've created one Community VLAN for each customer, and only one Isolated VLAN?! What if we have more customers needing Isolated ports?! Should we create more Isolated VLANs?! The answer is NO. Isolated Ports only talk to the Promiscuous Ports and not to each other. So each customer on an Isolated Port will be confined to that port only, plus the Promiscuous Port.

First, let's go ahead and create our VLANs:

SW1 and SW2:

vlan 10
private-vlan primary
exit
!
vlan 101
private-vlan isolated
exit
!
vlan 102
private-vlan community
exit
!
vlan 103
private-vlan community
exit
!
vlan 104
private-vlan community
exit
!
vlan 10
private-vlan association add 101-104
exit

So, VLAN 10 is our Primary VLAN (the one the promiscuous port belongs to), and it's associated with ALL the other (secondary) VLANs: 101, 102, 103 and 104.

Now we'll associate each port with its VLAN, check it out:

SW1:

interface fa0/3
switchport mode private-vlan host
switchport private-vlan host-association 10 104
!
interface fa0/4
switchport mode private-vlan host
switchport private-vlan host-association 10 104
!
interface fa0/7
switchport mode private-vlan host
switchport private-vlan host-association 10 102
!
interface fa0/8
switchport mode private-vlan host
switchport private-vlan host-association 10 102

SW2:

interface fa0/3
switchport mode private-vlan host
switchport private-vlan host-association 10 101
!
interface fa0/4
switchport mode private-vlan host
switchport private-vlan host-association 10 103
!
interface fa0/5
switchport mode private-vlan host
switchport private-vlan host-association 10 103
!
interface fa0/2
switchport mode private-vlan promiscuous
switchport private-vlan mapping 10 add 101-104

Every host port MUST be associated with the primary VLAN (in our case VLAN 10)! Beyond that, each one is associated with a secondary VLAN (an isolated or community VLAN), which specifies how that port will behave! That's why ALL ports are associated with VLAN 10 plus their own VLAN.

So, what can be connected to the Promiscuous port?! Normally the devices that are common to everybody and need to talk to all VLANs, like Routers, DNS Servers, NTP Servers, DHCP Servers, and many others!

You can verify your configuration using the "show vlan" command. The info regarding PVLANs will be at the end of the output of this command.

A good piece of advice from the IPExpert Video: the current IOS on the LAB (12.2.25) doesn't allow us to use switchport port-security commands and private-vlans on the same port at the same time! Once it moves to a newer version (12.2.40) (which can happen any day Cisco wants) we'll be able to do that!

Ok! But... did you know that the 3550 doesn't support PVLANs?! Yep... me neither! It has a feature named Switchport Protected for that; it's really simple. For example, if we have 15 devices in a vlan, but only two of them are protected (with the interface command switchport protected), those two can talk to everybody else, but not to each other!

So one protected device will not talk to another protected device! It works just like an isolated vlan: no unicast, multicast or broadcast between protected ports!
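To make the three port types (and the 3550's protected-port fallback) concrete, here is a small reachability model written for this post; it is an added example, not code from the original article or from Cisco. The port names and VLAN numbers are the ones from the SW1/SW2 configuration above; the Port type, can_talk() and protected_can_talk() are constructed here and only encode the forwarding rules described in the text (a trunk between SW1 and SW2 is assumed so that the primary VLAN spans both switches).

```python
from dataclasses import dataclass
from typing import Optional

PRIMARY = 10                  # vlan 10, private-vlan primary
ISOLATED = {101}              # vlan 101, private-vlan isolated
COMMUNITY = {102, 103, 104}   # vlan 102-104, private-vlan community


@dataclass(frozen=True)
class Port:
    switch: str
    name: str
    secondary: Optional[int]      # None = promiscuous port (mapping 10 add 101-104)
    protected: bool = False       # 3550 'switchport protected' flag (no PVLAN support)


def port_type(p: Port) -> str:
    """Classify a port by the secondary VLAN in its host-association."""
    if p.secondary is None:
        return "promiscuous"
    if p.secondary in ISOLATED:
        return "isolated"
    if p.secondary in COMMUNITY:
        return "community"
    raise ValueError(f"VLAN {p.secondary} is not associated with primary VLAN {PRIMARY}")


def can_talk(a: Port, b: Port) -> bool:
    """Layer-2 forwarding between two ports of the same primary VLAN (PVLAN rules)."""
    ta, tb = port_type(a), port_type(b)
    if "promiscuous" in (ta, tb):
        return True                          # promiscuous talks to everyone
    if "isolated" in (ta, tb):
        return False                         # isolated ports reach only promiscuous ports
    return a.secondary == b.secondary        # community ports: same community only


def protected_can_talk(a: Port, b: Port) -> bool:
    """3550 fallback: two 'switchport protected' ports in the same VLAN never exchange frames."""
    return not (a.protected and b.protected)


# Port assignments taken from the post's SW1/SW2 configuration.
ROUTER    = Port("SW2", "fa0/2", None)     # promiscuous: exit router / DNS / DHCP / NTP side
SW1_FA0_3 = Port("SW1", "fa0/3", 104)
SW1_FA0_4 = Port("SW1", "fa0/4", 104)
SW1_FA0_7 = Port("SW1", "fa0/7", 102)
SW1_FA0_8 = Port("SW1", "fa0/8", 102)
SW2_FA0_3 = Port("SW2", "fa0/3", 101)      # the only isolated port in the example
SW2_FA0_4 = Port("SW2", "fa0/4", 103)
SW2_FA0_5 = Port("SW2", "fa0/5", 103)
ALL_PORTS = [ROUTER, SW1_FA0_3, SW1_FA0_4, SW1_FA0_7, SW1_FA0_8,
             SW2_FA0_3, SW2_FA0_4, SW2_FA0_5]


def label(p: Port) -> str:
    return f"{p.switch}:{p.name}"


def reachability(ports):
    """Who can reach whom: {(src, dst): bool} for every distinct pair of ports."""
    return {(label(a), label(b)): can_talk(a, b) for a in ports for b in ports if a != b}


def peers_of(port: Port, ports) -> list:
    """Sorted labels of the ports the given port can exchange frames with."""
    return sorted(label(p) for p in ports if p != port and can_talk(port, p))


if __name__ == "__main__":
    for p in ALL_PORTS:
        print(f"{label(p):<10} {port_type(p):<12} -> {peers_of(p, ALL_PORTS)}")
```

Running it prints, for each port, exactly the peers the text predicts: the isolated port on SW2 fa0/3 sees only the promiscuous port, the community ports see their own community plus the promiscuous port, and the promiscuous port sees everybody.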

Not that difficult, right?!

Sunday, August 24, 2008

CCIE Lab Changes! Bye bye UniversCD! Hello Cisco Documentation

Just saw it on the internet! It seems that after Sep 24 2008 no one will be able to use www.cisco.com/univercd as the documentation reference! As far as the announcement goes, it'll be replaced by Cisco Documentation, but so far no links have been posted!

I think they'll be using their "new layout", but until Cisco officially announces the new start page for the documentation we can't be sure about anything!

Just keep that in mind if you'll have your lab soon!

-----

CCIE labs changing from UniversCD to Cisco Documentation

22 AUG 2008: On Sept 24 2008 CCIE labs will no longer support using the UniversCD documentation for the lab exam.

All labs are migrating to Cisco Documentation only. For those scheduled to take the CCIE lab prior to Sept 24 access will still be available for UniversCD.

The Cisco Documentation pages have the same information that currently resides on UniversCD; please refer to the links on the CCIE web pages to view these pages and become familiar with the new format.

After Sept 24 2008 only the Cisco Documentation web pages will be available for CCIE labs.

-----

Here follows the link to this information on Cisco's Website:

http://www.cisco.com/web/learning/le3/ccie/rs/index.html

Saturday, August 23, 2008

VACL, VLAN Maps & MAC ACL

A while back, more specifically on July 14, we talked briefly about VACLs. That was when I took the IPExpert Volume 1 - Section 2: Quad Catalyst (PVST+) Switch Configuration. It's not a very difficult task to achieve, but TRICKY!

A friend from India (yeah Vipul, it's you buddy!) asked me some things about it. So I'll just elaborate on it a while more. Also, in the IPExpert CCIE R&S BLS you'll find more info regarding that in the Security Section. It's really well explained there! I would take some time and review it with attention. The first time I watched it, I was moving back and forward all the time to take notes, and to really stick the info in my head!

So, starting with the basics... In a L2/L3 switch (like the ones in the CCIE Lab), where can we implement security?! Well, we can do it at the:

  1. Port Level - We can apply an Access-List to a particular port, and that will affect the traffic coming in and going out of it (normally it'll affect only one host's traffic). But imagine implementing that solution on many ports, over several devices. Not very nice, right?!
  2. SVI - We can also apply an Access-List to the SVI! It'll work every time your switch routes traffic between this particular VLAN and some other! Essentially, it'll filter the traffic passing through the SVI.

Ok! So... the Port-Level filter only covers that particular port... the SVI filter only the routed traffic... and how about the INTRA-VLAN traffic?! Neither of them will filter that!

VLAN Access-Lists (or VACLs) work exactly there! On the Intra-VLAN traffic! So every time you need to filter internal traffic for a particular VLAN, a VACL is your choice!

Just a couple more things to keep in mind before getting into an example.

  1. IP packets can only be processed by IP Access-Lists;
  2. Non-IP frames, like ARP and others (matched by MAC address or Ethertype), can only be processed by MAC Access-Lists.

The MAC Access-Lists are what bring all the interesting issues to the table... just check it out!

Let's suppose, for example, you have two computers, one with MAC Address 000b.dc24.ca47 and the second with MAC Address 000b.dc25.cb51, both connected to VLAN 7, and you want to allow all "non-IP" frames sourced from those two MAC Addresses to be forwarded anywhere, while for IP traffic you allow only ICMP, for example, denying everything else!

So, we have two different requirements there...

  1. Forward all "non-IP" frames sourced from those two specific MAC Addresses; that requires a MAC Access-List.
  2. Permit only ICMP, denying everything else; that requires an IP Access-List (the one we're all used to).

Ok, so let's create our MAC Access-List:

mac access-list extended AllowThose
permit 000b.dc24.ca47 any
permit 000b.dc25.cb51 any

That will handle the first requirement.

Now the second one, an IP Access-List allowing ICMP and denying everything else:

access-list 101 permit icmp any any

Ok! Now we need to create the VACL (or VLAN Map, whichever you prefer to call it) applying those rules:

vlan access-map Filter-VL7 10
action forward
match mac address AllowThose
!
vlan access-map Filter-VL7 20
action forward
match ip address 101
!
vlan access-map Filter-VL7 30
action drop

Now it looks ok, right?! Time to apply it to VLAN 7?! What do you think? Let's try!

vlan filter Filter-VL7 vlan-list 7

Now testing! See if you can ping! Not working?! Hmmm... interesting... but why?! Well... I told you... the MAC Access-List would bring all the interesting issues to the table! And in fact it did! It's allowing only frames sourced from those two MAC Addresses and nothing else! How about ARP?! Do we need it to make things work?! Of course we do! The ARP replies coming back from the other hosts (the gateway, for instance) are sourced from their own MAC Addresses, not from the two we permitted, so they never make it through. And that's where most of the confusion is! Just keep in mind, the end of an Access-List is always an implicit deny any any! So if there is no matching entry for ARP in the MAC Access-List, it'll be dropped!

How to fix it?! Simple, allow it in the MAC Access-List:

permit any any 0x0806 0x0000
permit any any lsap 0xAAAA 0x0000

But wait a minute! What's that 0x0806 and lsap 0xAAAA?! Those are the frame types we're allowing in our MAC Access-List: the first one (Ethertype 0x0806) is ARP, and the second one (lsap 0xAAAA, the SNAP encapsulation) is PVST+. You do not want your switch running unprotected from loops, right?! So it's better to allow it!

To keep it simple, the full configuration would be this one:

mac access-list extended AllowThose
permit 000b.dc24.ca47 any
permit 000b.dc25.cb51 any
permit any any 0x0806 0x0000
permit any any lsap 0xAAAA 0x0000
!
access-list 101 permit icmp any any
!
vlan access-map Filter-VL7 10
action forward
match mac address AllowThose
!
vlan access-map Filter-VL7 20
action forward
match ip address 101
!
vlan access-map Filter-VL7 30
action drop
!
vlan filter Filter-VL7 vlan-list 7

The most common Ethertypes (and probably the ones asked about in the LAB) are:

  • 0x0806 = ARP
  • lsap 0xAAAA = PVST+
  • 0x4242 = STP and PVST
  • 0x86DD = IPv6
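The "ping stops working" moment above is easy to reproduce offline. The following is an added example written for this post (not code from the article, IPExpert or Cisco): it models the Filter-VL7 access-map, evaluates a handful of constructed VLAN 7 frames against the MAC ACL before and after the ARP/PVST+ lines are added, and shows which ones hit the implicit drop. The two host MACs are the post's; the gateway MAC, the BPDU source MAC, the IPv6 sender, and the simplification that IP frames are tested only against `match ip address` entries and non-IP frames only against `match mac address` entries are assumptions of this model.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

IP_ETHERTYPE = 0x0800


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    ethertype: Optional[int] = None   # 0x0800 IP, 0x0806 ARP, 0x86DD IPv6, ...
    lsap: Optional[int] = None        # 802.2 DSAP/SSAP pair; 0xAAAA = SNAP (PVST+ BPDUs)
    ip_proto: Optional[str] = None    # 'icmp', 'tcp', ... only meaningful for IP frames


@dataclass
class MacAce:
    """One 'permit <src> <dst> [ethertype | lsap]' line of a MAC access-list."""
    src: str = "any"
    dst: str = "any"
    ethertype: Optional[int] = None
    lsap: Optional[int] = None

    def matches(self, f: Frame) -> bool:
        if self.src != "any" and self.src != f.src_mac:
            return False
        if self.dst != "any" and self.dst != f.dst_mac:
            return False
        if self.ethertype is not None and f.ethertype != self.ethertype:
            return False
        if self.lsap is not None and f.lsap != self.lsap:
            return False
        return True


def mac_acl_permits(acl: List[MacAce], f: Frame) -> bool:
    return any(ace.matches(f) for ace in acl)        # implicit deny at the end


def ip_acl_permits(permitted_protocols: Set[str], f: Frame) -> bool:
    return f.ip_proto in permitted_protocols          # implicit deny at the end


@dataclass
class MapEntry:
    seq: int
    action: str                                   # 'forward' or 'drop'
    match: Optional[Tuple[str, object]] = None    # ('mac', [MacAce]) / ('ip', {protocols}) / None = everything


def vacl_action(vlan_map: List[MapEntry], f: Frame) -> str:
    """Walk the access-map in sequence order. IP frames are tested only against IP ACLs,
    non-IP frames only against MAC ACLs (model assumption); no match at all means drop."""
    is_ip = f.ethertype == IP_ETHERTYPE
    for entry in sorted(vlan_map, key=lambda e: e.seq):
        if entry.match is None:
            return entry.action
        kind, acl = entry.match
        if kind == "ip" and is_ip and ip_acl_permits(acl, f):
            return entry.action
        if kind == "mac" and not is_ip and mac_acl_permits(acl, f):
            return entry.action
    return "drop"


# The post's configuration, before and after the ARP / PVST+ fix.
ALLOW_THOSE_BEFORE = [MacAce(src="000b.dc24.ca47"), MacAce(src="000b.dc25.cb51")]
ALLOW_THOSE_AFTER = ALLOW_THOSE_BEFORE + [MacAce(ethertype=0x0806), MacAce(lsap=0xAAAA)]
ACL_101 = {"icmp"}                                # access-list 101 permit icmp any any


def filter_vl7(mac_acl: List[MacAce]) -> List[MapEntry]:
    return [MapEntry(10, "forward", ("mac", mac_acl)),
            MapEntry(20, "forward", ("ip", ACL_101)),
            MapEntry(30, "drop")]


# Constructed sample traffic on VLAN 7 (gateway and BPDU/IPv6 source MACs are made up).
GW_MAC = "0000.0c07.ac07"
SAMPLE_FRAMES = {
    "icmp from host A":       Frame("000b.dc24.ca47", GW_MAC, ethertype=IP_ETHERTYPE, ip_proto="icmp"),
    "tcp from host A":        Frame("000b.dc24.ca47", GW_MAC, ethertype=IP_ETHERTYPE, ip_proto="tcp"),
    "arp request from A":     Frame("000b.dc24.ca47", "ffff.ffff.ffff", ethertype=0x0806),
    "arp reply from gateway": Frame(GW_MAC, "000b.dc24.ca47", ethertype=0x0806),
    "pvst+ bpdu":             Frame("0019.0000.0001", "0100.0ccc.cccd", lsap=0xAAAA),
    "ipv6 from other host":   Frame("0019.0000.0002", "3333.0000.0001", ethertype=0x86DD),
}


def compare(frames=SAMPLE_FRAMES):
    """Per frame: (action under the first map, action under the fixed map)."""
    before, after = filter_vl7(ALLOW_THOSE_BEFORE), filter_vl7(ALLOW_THOSE_AFTER)
    return {name: (vacl_action(before, f), vacl_action(after, f)) for name, f in frames.items()}


if __name__ == "__main__":
    for name, (b, a) in compare().items():
        print(f"{name:<24} before: {b:<8} after: {a}")
```

The ARP request from host A is forwarded even by the first map (its source MAC is permitted); it is the gateway's ARP reply, sourced from a MAC that is not in the list, that falls through to sequence 30 and kills the ping. The fixed list forwards ARP and the SNAP BPDUs while still dropping the unrelated IPv6 frame.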

Again... we need to understand all the little pieces involved in a particular task, and remember the basics: the OSI Model, ARP, and so on! It's not difficult, but it's a little confusing the first time! Just go ahead, drink some water (I did it several times), come back again, read it over, and try some scenarios yourself. Don't have equipment?! Try it in Notepad, just try a few, compare with the example, and you'll see how easy it can be! The best way to learn is trying it yourself! ;)

You can also find a nice explanation about that in the wonderful Arden Packeer's Blog; just click here and it'll direct you to the post.

Thursday, August 21, 2008

Mike Down departure...

I'm kind of sad today... Mr. Mike Down just left IPExpert! He was a CCIE Training Advisor, and for the last couple of months he was working closely with us "bloggers"!

I still remember the very first messages we exchanged, very nice guy! Full of energy and always with the best intentions!

No matter where you have gone, man, consider me a friend, a partner, a brother, family! You're the MAN! :D

I just ask you not to disappear! Just let us know your new email/skype id as soon as you set it up!

Oh yeah, if you want to make a statement or something, it'll be a pleasure to have it here on my small blog!

Also, if you ever need anything, just let me know, brother, it'll be a pleasure!

All the best and good luck on your new journey! Hope to hear from you soon!

Cheers!

You can check the Original Post on Mike's Blog by clicking here

Yahoo! talking about CCIE Training?! Yeah! That´s true! So cool!

I was just surfing the internet, like I usually do, and take a look at what I found on the Yahoo! website:

-----

CHINA, Mich., Aug. 21 /PRNewswire/ -- Less than 20,000 individuals worldwide currently hold the CCIE (Cisco Certified Internetworking Expert) certification, which places them among the elite computer networking experts anywhere. This distinction also demands a six-figure annual salary in America, according to recent national surveys.

To become CCIE-certified, an engineer must pass a grueling 8-hour-long hands-on "lab" exam conducted by Cisco (http://www.cisco.com), the global leader in computer network solutions. IPexpert (http://www.ipexpert.com) is a primary training organization, focused solely on preparing seasoned computer network engineers for the coveted CCIE certification exams, through various learning solutions.

-----

So cool! That just shows how hard work + a great product make all the difference! How many times has Yahoo! talked about any CCIE Training Company?! Congratulations to everybody that puts in the effort to help us achieve the CCIE Certification!

That's also good for us CCIE Candidates and CCIEs around the world; companies will know how hard it is to achieve the CCIE Certification, and respect it more than they actually do! :)

Hope things stay as hot as they have been the last couple of months! :)

You can read the full text at Yahoo! by clicking here.

Wednesday, August 20, 2008

RIP

Continuing with the IPExpert CCIE R&S BLS Video-on-Demand (by the way, very cool videos, tons of tips!), today I chose to check out RIP. For two particular reasons... First, it's pretty easy to understand, and we've all been facing it since CCNA days, and even with the new features and tricks in the video we're probably able to get it fast; and second, I have a terrible headache, so I need something simple today! :D In fact, after finishing the video, my headache was over; maybe I was too stressed or something and that relieved me! Cool! Another good use for the BLS: every time you're stressed, just jump in, watch a couple of videos, and you'll feel more relaxed! lol! ;)

In fact, the lab exam only cares about RIP version 2, so keep in mind that every time they ask you to configure it, use version 2, like this:

router rip
version 2
no auto-summary

RIP is the simplest Routing Protocol we're going to face in the exam (ODR doesn't count!), and probably only in the exam... Has anybody seen any RIP networks?! I haven't so far!

There aren't many things to play around with, but one of them is timers. If we ever need to change them, the "timers basic" command comes to the rescue! Also, there's no rule saying that everybody needs to have the same timers; unlike OSPF, there is no "peering" in RIP, it's only sending routes out, so timers will not have the same effect as they do in other Routing Protocols!

Of course, it's a good idea to set everybody to the same timers (or at least close to them) to avoid routes occasionally going inaccessible for no particular reason!

The default RIP Timers are:

  • Update - 30 seconds;
  • Invalid - 180 seconds;
  • Hold - 180 seconds;
  • Flush - 240 seconds.

That means it can take up to 4 minutes for a route to go away! That's a lot of time! :)

Oh yeah... every time you change the timers in RIP, you can check them with the "show ip protocols" command! For example:

router rip
timers basic 5 15 15 30

That sets the Update timer to 5 seconds, Invalid to 15, Hold to 15 and Flush to 30! Keep in mind that the HOLD (holddown) timer is "Cisco proprietary", so if they ever ask you to get rid of it, set its timer to 0 and you're good!

Another good one is the "neighbor" command; it changes the routing updates from broadcast to unicast packets. As we don't have peering with RIP, we do not need to do it on both sides! It's useful for non-broadcast links such as Frame Relay. Example:

router rip
neighbor 172.17.155.15

Also, we can use the "passive-interface" command together with it; otherwise the router at the other end of the link will receive the "unicast" updates plus the "broadcast" updates, and that's kind of an odd thing! Just do it; or, if you feel in doubt, go ahead and ask the proctor for clarification. Asking the proctor questions is always a good thing to do, and keeps you on the safe side!

Offset list, which is an addition to a metric: if you receive routes with metrics 1, 2, 3, and you want them to show up in your routing table as 4, 5, 6, you simply apply an offset-list of 3! It's going to add that to the routes as they come in! Unfortunately there are no negative values! It's used with an access-list that actually tells which routes are affected!

router rip
offset-list 21 out 10

That will take the routes matched by access-list 21 and add 10 to the outgoing metric (for incoming metrics use "offset-list 21 in 10", for example).

The "ip rip triggered" command only works on point-to-point links. It'll make RIP "behave" more like a Link State Protocol: it'll only send updates when something actually changes! Enabling or disabling it is pretty straightforward, and I would actually use it only if asked to in the LAB, nowhere else!

To enable RIP authentication we use the command "ip rip authentication key-chain <name-of-chain>"; it's done on a per-interface basis, BUT... for that to happen, you need to configure the key chain first, and maybe some of you have never done that before (I hadn't). Not difficult, but we need to keep some things in mind; check this example configuration:

interface FastEthernet0/0
ip rip authentication key-chain trees
ip rip authentication mode md5
exit
!
router rip
network 172.19.0.0
version 2
exit
!
key chain trees
key 1
  key-string chestnut
  accept-lifetime 00:00:00 Aug 20 2008 23:59:59 Aug 20 2009
  send-lifetime 06:00:00 Aug 20 2008 18:00:00 Aug 20 2009
  exit

Afterwards you can issue a "show key chain" command to check that everything is ok, and apply it to RIP.

Keep in mind to use the accept-lifetime and send-lifetime commands under IOS 12.4, otherwise it'll not work!
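The accept-lifetime and send-lifetime windows are where key chains bite people, so here is an added example (written for this post, not code from the article or from Cisco IOS) that parses the lifetimes exactly as written in the "trees" chain above and answers, for any point in time, which key the router would sign with, which keys it would accept, and where the chain leaves a gap with no sendable key. The Key class and the helper functions are constructed here; the rule that IOS signs with the lowest-numbered key whose send-lifetime is current is stated as an assumption in the code.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

IOS_TIME = "%H:%M:%S %b %d %Y"   # the format of the accept-/send-lifetime arguments above


def parse_ios_time(text: str) -> datetime:
    return datetime.strptime(text, IOS_TIME)


@dataclass
class Key:
    number: int
    key_string: str
    accept: Tuple[datetime, datetime]   # accept-lifetime start/end: validating received updates
    send: Tuple[datetime, datetime]     # send-lifetime start/end: signing our own updates

    def accepts_at(self, now: datetime) -> bool:
        return self.accept[0] <= now <= self.accept[1]

    def sends_at(self, now: datetime) -> bool:
        return self.send[0] <= now <= self.send[1]


def key_from_config(number: int, key_string: str, accept, send) -> Key:
    """Build a Key from (start, end) pairs of IOS-style time strings."""
    return Key(number, key_string,
               (parse_ios_time(accept[0]), parse_ios_time(accept[1])),
               (parse_ios_time(send[0]), parse_ios_time(send[1])))


# 'key chain trees' exactly as configured in the post
TREES: List[Key] = [
    key_from_config(1, "chestnut",
                    ("00:00:00 Aug 20 2008", "23:59:59 Aug 20 2009"),
                    ("06:00:00 Aug 20 2008", "18:00:00 Aug 20 2009")),
]


def send_key(chain: List[Key], now: datetime) -> Optional[Key]:
    """Key used to sign outgoing updates. Assumption of this model: the lowest-numbered
    key whose send-lifetime covers 'now'; None means no key is usable for sending."""
    for key in sorted(chain, key=lambda k: k.number):
        if key.sends_at(now):
            return key
    return None


def accepted_keys(chain: List[Key], now: datetime) -> List[int]:
    """Key numbers a received update may be authenticated against at 'now'."""
    return [k.number for k in chain if k.accepts_at(now)]


def send_gaps(chain: List[Key], probes: List[datetime]) -> List[datetime]:
    """Probe times at which the router has nothing to sign with: authentication fails there."""
    return [t for t in probes if send_key(chain, t) is None]


def skew_tolerance(key: Key) -> Tuple[float, float]:
    """Hours by which the accept window extends before and after the send window. Keeping
    both positive lets a peer whose clock is slightly off still authenticate our updates."""
    before = (key.send[0] - key.accept[0]).total_seconds() / 3600
    after = (key.accept[1] - key.send[1]).total_seconds() / 3600
    return before, after


if __name__ == "__main__":
    for probe in ("03:00:00 Aug 20 2008", "12:00:00 Jan 01 2009",
                  "20:00:00 Aug 20 2009", "00:00:00 Sep 01 2009"):
        now = parse_ios_time(probe)
        k = send_key(TREES, now)
        print(f"{probe}: send with {k.number if k else None}, accept {accepted_keys(TREES, now)}")
    print("accept window margin (hours before, after send window):", skew_tolerance(TREES[0]))
```

With the post's values, the router accepts key 1 all day on both boundary dates but can only sign between 06:00 and 18:00 of them, so an update sent at 03:00 on Aug 20 2008 would go out unauthenticated-by-this-key and fail on the neighbour; the six-hour margin on each side is the clock-skew allowance that makes the accept window deliberately wider than the send window.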

Here follow two useful documents regarding RIP Authentication on Cisco's Website:

http://www.cisco.com/en/US/docs/ios/iproute/configuration/guide/irp_ip_prot_indep.html#wp1056961

http://www.cisco.com/en/US/docs/ios/iproute/configuration/guide/irp_ip_prot_indep.html#wp1057700

The "ip summary-address rip <summary-address>" command is also used on a per-interface basis. And guess what it does?! :)

So, to finish, RIP works only on metrics (hop counts), with values from 1 to 15, and if there's a tie between two routes, the first route advertised wins. There are no external or internal routes; everything is pretty much the same!

Oh yeah! If you issue a "network 0.0.0.0" it'll add every active IP interface to the RIP routing process!

You can find more in the IPExpert CCIE R&S BLS Video-on-Demand, and here follows a good document on RIP from Cisco's Website:

http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_rip.html

Tuesday, August 19, 2008

CCIE Command Memorizer?!

It looks like I have a lot of doubts today!

I know Ethan already asked in his blog a while ago... But has anyone tried the CCIE Command Memorizer?!

It looks like a pretty nice tool to use on the road, at the office, when you have no real equipment or the computer power and time to run Dynamips!

It seems pretty cool! I'm thinking of buying it, but not now, maybe in a couple of months! Just wondering if anyone has tried it, and what you think about it!

Cheers!

Web Hosting?! Is it better?!

Does anybody know or use any kind of Web Hosting Service?! Is it really worth it?! I mean... Blogspot is nice and everything, but sometimes I would like to have more "flexibility" in the posts, and I think a Web Host would fit that need!

I know Ethan uses some kind of service like that; I just cannot say which type or even which provider.

Can anybody recommend me a good one?!

I saw the Dream Host Web Service; it seems nice, lots of features, and not too expensive. Blue Host is not an option, I had some issues trying to log in, so I'll not consider it!

Oh yeah... do those services work with Windows Live Writer?!

Moving to a Web Host means moving away from Blogspot and starting with Wordpress... is it better?! What's your opinion?!

Or should I stay with Blogspot and that's it?! I'm a bit confused right now!? Even more with the latest events that happened this week in the CCIE Training World... Let's see what will happen (I'm waiting)!

Any help would be appreciated!

Thanks!

Monday, August 18, 2008

CCIE without Experience

A nice topic from Sadikhov Forums, CCIE without experience...

I agree with some parts and not so much with others... I think there are guys, 19, 20 years old, who are facing the LAB with a knife between their teeth! If they're studying, working on Dynamips or real equipment, following a structured approach from any vendor, and things like that, and this kind of guy passes the LAB exam, he will lack some field experience, I agree, but he knows his stuff already!!!! This is the type of guy I would like to have working for me; dedication is priceless!

On the other hand, a very experienced engineer who takes the "easy" way out, this is the kind of guy who needs to be banished from the business! We all have a friend who knows a guy who did it the easy way and ACED the exam with a 1000/1000! WoW! What a nice score! Yeah... tell me about it! I doubt this type of guy can answer 3 basic questions right! Not saying that getting 1000/1000 is impossible, not at all! It's possible, very much so! Questions are not that hard in the CCxP field; they're a bit tricky, but if you study well and understand what is being asked you can do it easily! Otherwise, a guy that gets a CCxP certification in 2, 3 months, that's the one I doubt! He must be a genius, have A LOT of experience, know the stuff already, or well... you know! Any of these options would work, but only the first 3 are valid! Cheating is not cool! Not cool at all!

So, to conclude... in my opinion it doesn't matter how old the guy is or whether he has field experience or not; if he did it the right way, sweating blood, studying, missing parties, and everything like that, he deserves respect! Otherwise... I would ask him 3 questions (no, I'm not a genius, but most guys can't answer really basic questions) to check his accuracy! ;)

That´s it! Any thoughts, opinions?!

You can read the full Sadikhov Topic by clicking here

Saturday, August 16, 2008

General Routing Overview

Finally I'm back at home, things are getting better, these cool pills they gave me will probably end next week (those little things are really getting me down; you have no idea how much I've been sleeping the last couple of days because of them, I look like one of my cats now!) But that's ok! :)

Well... today, besides some housekeeping and a little shopping at the supermarket, I was able to rest a while more and watch the General Routing Video-on-Demand from IPExpert CCIE R&S Blended Learning Solutions.

Very informative. Every time you see a guy saying "Ah... I don't need general or basic concepts, I know it already"... well... ok, he may know his stuff really well, but you can ALWAYS learn a new trick, or finally put an end to that doubt that's been bothering you for so many years!

And of course! Those videos are the real concept of "State of the Art" Class on Demand!

Enough of that... let's get into the part that really pays for the product, the technical details...

The Network Command:

It starts with our friend the network command... As we all learned back in the CCNA days (at the CCNP level, especially in the OSPF part, we start to change our minds), the network command is used to advertise networks... we can't say that's incorrect, but it's not the full truth either! The network command actually enables an interface to participate in the Routing Protocol; as a result, this interface's network gets advertised, and the Routing Protocol brings it into the RIB.

Check the example (exactly the same one as on the video):

- F0/0 IP Address: 10.1.1.1/24

  • network 10.0.0.0 0.255.255.255
  • network 10.1.0.0 0.0.255.255
  • network 10.1.1.0 0.0.0.255
  • network 10.1.1.1 0.0.0.0

Regarding only this interface F0/0, no matter which of the above network statements you choose, they all do the same thing! They bring the F0/0 (10.1.1.1) interface into the Routing Protocol. The network command only tells which interface will participate in the Routing Protocol, not how the network is going to be advertised; advertising is actually a secondary effect of it!
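The point is easier to see when the wildcard arithmetic is spelled out. The following is an added example written for this post (not from the video or from IOS): it applies the four network statements above to the F0/0 address, and to a second, constructed interface 10.2.2.1/24 that only the widest statement covers, and separately derives what would be advertised from each interface's own mask, which is independent of the statement that enabled it.

```python
import ipaddress
from typing import Dict, List, Tuple

# The four statements from the video example: (network, wildcard).
STATEMENTS: List[Tuple[str, str]] = [
    ("10.0.0.0", "0.255.255.255"),
    ("10.1.0.0", "0.0.255.255"),
    ("10.1.1.0", "0.0.0.255"),
    ("10.1.1.1", "0.0.0.0"),
]


def _as_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def statement_covers(interface_ip: str, network: str, wildcard: str) -> bool:
    """Wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = ~_as_int(wildcard) & 0xFFFFFFFF
    return (_as_int(interface_ip) & care) == (_as_int(network) & care)


def enabled_statements(interface_ip: str, statements=STATEMENTS) -> List[str]:
    """The network statements that would pull this interface into the routing process."""
    return [f"network {n} {w}" for n, w in statements if statement_covers(interface_ip, n, w)]


def advertised_prefix(interface_cidr: str) -> str:
    """What actually gets advertised once the interface participates: the interface's own
    connected prefix, taken from its mask, never from the network statement."""
    return str(ipaddress.ip_interface(interface_cidr).network)


# F0/0 is the video's interface; F0/1 is constructed to show a statement that does not cover it.
INTERFACES: Dict[str, str] = {"F0/0": "10.1.1.1/24", "F0/1": "10.2.2.1/24"}


def participation_report(interfaces=INTERFACES, statements=STATEMENTS) -> Dict[str, dict]:
    return {
        iface: {
            "statements": enabled_statements(cidr.split("/")[0], statements),
            "advertises": advertised_prefix(cidr),
        }
        for iface, cidr in interfaces.items()
    }


if __name__ == "__main__":
    for iface, info in participation_report().items():
        print(iface, "advertises", info["advertises"], "enabled by", info["statements"])
```

All four statements match F0/0 and every one of them leads to the same advertised prefix, 10.1.1.0/24; only `network 10.0.0.0 0.255.255.255` reaches the constructed F0/1.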

Secondary Address:

Also, there is a really nice explanation on the video about Secondary Addresses! Here follow some concepts learned from it:

You can't just advertise the secondary address; you need to advertise the primary first, then the secondary if you want to. Also, you can't do passive-interface on your primary address and still send things out with your secondary address! A general rule for that is: when you send any packet out of an interface (keep in mind that routing updates are packets too), the source IP Address of that packet will ALWAYS be the Primary IP Address of that interface!

Check this example for RIP (it works for EIGRP too):

[Figure: Secondary Address topology]

Ok, so everyone is on the same ethernet segment... and everyone will hear each other's Broadcast and Multicast packets, which is good in our scenario. When R3 sends Routing Updates to R2, R1 will hear them too, but it'll treat them as invalid, because their source is not on R1's subnet. The same happens when R1 sends its Routing Updates to R2.

So... how to make this happen?! Hmmm... R2 has both networks, so if we disable split-horizon on its F0/0 we're good?! Not exactly... Remember... R2's packets will ALWAYS use the Primary Address (in this case 10.1.1.2) as the source, so R3 will still have problems; it works for R1, but not for R3.

The solution would be (in this particular RIP example) to use the no validate-update-source command under Router RIP, which tells your router not to validate the source IP Address of the routing updates when they´re received, just allow them to come in! So, to solve the problem, we can do that on both R1 and R3 of the example. Another solution would be to disable split-horizon on R2 and use no validate-update-source under Router RIP on R3; that works as well, but doesn´t look "clean" if you know what I mean! ;)

That basically says "I don´t care who you learned it from, go ahead and let it come in!"
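The same scenario as an added example (not from the post or the video): a small model of the source check RIP applies to an incoming update, i.e. the behaviour that no validate-update-source switches off. The addresses are constructed to fit the description above (R2 carries both subnets on F0/0, R1 and R3 each carry one); the detail that the check also counts R2´s secondary subnet is an assumption made so that R2 hears R3, as the post says it does.

```python
import ipaddress

# Added example (not from the post or the video): models the check RIP applies
# to the source address of an incoming update (the behaviour that
# `no validate-update-source` turns off) for the three routers on the segment.
# Addresses are constructed: R2 has the primary 10.1.1.2 and a secondary in
# R3's subnet, R1 and R3 have one address each.

R1_F00 = ["10.1.1.1/24"]
R2_F00 = ["10.1.1.2/24", "10.1.2.2/24"]   # primary first, then the secondary
R3_F00 = ["10.1.2.3/24"]

def primary_address(interface: list) -> str:
    """Updates are always sourced from the interface's primary address."""
    return interface[0].split("/")[0]

def update_accepted(source_ip: str, receiving_interface: list,
                    validate_update_source: bool = True) -> bool:
    """Accept the update if its source lies in a subnet configured on the receiving
    interface, or unconditionally when validation is disabled. Assumption: the
    check considers the secondary subnets too, which is what lets R2 hear R3."""
    if not validate_update_source:
        return True
    src = ipaddress.IPv4Address(source_ip)
    return any(src in ipaddress.IPv4Interface(addr).network
               for addr in receiving_interface)

def simulate(r1_validates: bool = True, r3_validates: bool = True) -> dict:
    """Which routers accept which updates on this shared segment."""
    return {
        "R1 <- R2": update_accepted(primary_address(R2_F00), R1_F00, r1_validates),
        "R3 <- R2": update_accepted(primary_address(R2_F00), R3_F00, r3_validates),
        "R2 <- R1": update_accepted(primary_address(R1_F00), R2_F00),
        "R2 <- R3": update_accepted(primary_address(R3_F00), R2_F00),
        "R3 <- R1": update_accepted(primary_address(R1_F00), R3_F00, r3_validates),
    }

if __name__ == "__main__":
    print("default:", simulate())
    print("no validate-update-source on R1 and R3:", simulate(False, False))
```

With the defaults, R3 drops everything sourced from 10.1.1.x, including R2´s updates; turning validation off on R3 makes it accept R2, but also anything else on the segment that talks RIP, which is the reason this knob is paired with RIP authentication outside of a lab.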

IP Unnumbered:

Another topic brought up on this video regards IP Unnumbered!

The IP unnumbered interface configuration allows you to enable IP processing on an interface without assigning it an explicit IP Address. The IP unnumbered interface can "borrow" the IP Address from another interface that is already configured on the local Router, or Layer 3 equipment, thereby conserving network and address space.

Check out this topology:

IP Unnumbered

So how can we get this topology to work?! One side of the link is 10.1.1.0/24, the other end is using 11.1.1.0/24... How can that work?! Well... if you´re allowed to use PPP we´re good! PPP has a feature called "peer neighbor-route" that will get the exact IP Address of the router on the other end of the link and show it as connected in our local router!

Take a look at the Routing Table with this setup:

R1(config-if)#do sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS,su- IS-IS summary,L1-IS-IS level-1,L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Loopback0
     11.0.0.0/32 is subnetted, 1 subnets
C       11.1.1.2 is directly connected, Serial0/0

R2(config-if)#do sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS,su- IS-IS summary,L1-IS-IS level-1,L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/32 is subnetted, 1 subnets
C       10.1.1.1 is directly connected, Serial0/0

     11.0.0.0/24 is subnetted, 1 subnets
C       11.1.1.0 is directly connected, Loopback0

Of course, we may not be able to use PPP over this link; they may ask for GRE Tunnels or something else. If so, another solution that meets their requirements would need to be implemented, like static routes or something like that!

Administrative Distance:

I thought I knew almost everything about  Administrative Distance... again... I was wrong... the Master Jedis showed me once again, that, there´s ALWAYS something to learn.

Let´s check some examples, like RIP and OSPF (the ones in the video):

If you want to change the administrative distance for RIP, you just change it for RIP as a whole; I mean, there are no internal routes, external routes or anything else in it! So you just change the Administrative Distance for RIP. Example:

router rip
 distance 140

After that, all RIP learned routes in the Routing Table will have the Administrative Distance of 140!

Things get a little more complicated with OSPF... In OSPF we have intra-area, inter-area and external routes! Check this example:

router ospf 1
 distance ospf intra-area 110 inter-area 110 external 80

So, what does that mean, External Routes in OSPF will be preferred over Intra-Area routes?! Hmmm... not so fast buddy! That command does NOT change how OSPF makes its decisions! It´ll always prefer intra-area routes first, then inter-area routes, and only after that the external routes!

The command only says: if an external LSA wins the OSPF RIB election, then give it the administrative distance of 80, so it will be preferred over EIGRP for example! But if it doesn´t win the election, if you get the same route announced internally from OSPF, the internal one will be used with the administrative distance of 110 and that´s it! The distance command only acts when the route gets handed to the Routing Table; that´s the order of operation!

As said earlier, it will NOT affect HOW OSPF makes its decisions!

Cool, isn´t it?! :)
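The order of operations just described, as an added example that is not code from the post or the video: a toy model in which OSPF first elects one route per prefix by type (intra-area, then inter-area, then external) and only the winner is handed to the RIB, carrying the administrative distance configured for its own type. The prefix, metrics and the EIGRP competitor are constructed; metrics of non-OSPF protocols are collapsed to a single integer to keep the model small.

```python
from dataclasses import dataclass

# Added example (not from the post or the video): models "election first, then
# administrative distance". Candidate routes, metrics and the EIGRP competitor
# are constructed for illustration.

OSPF_TYPE_ORDER = {"intra-area": 0, "inter-area": 1, "external": 2}

# IOS defaults: EIGRP internal 90, OSPF 110 for every type, RIP 120.
DEFAULT_AD = {
    "eigrp": 90,
    "ospf": {"intra-area": 110, "inter-area": 110, "external": 110},
    "rip": 120,
}

@dataclass
class Route:
    protocol: str
    prefix: str
    metric: int
    ospf_type: str = ""      # only meaningful when protocol == "ospf"

def distance_ospf(ad_table: dict, intra_area: int, inter_area: int, external: int) -> dict:
    """Equivalent of 'distance ospf intra-area X inter-area Y external Z'."""
    new = dict(ad_table)
    new["ospf"] = {"intra-area": intra_area, "inter-area": inter_area, "external": external}
    return new

def ospf_election(routes: list):
    """OSPF's own pick for a prefix: best route type first, then lowest cost.
    Administrative distance plays no part at this stage."""
    ospf = [r for r in routes if r.protocol == "ospf"]
    if not ospf:
        return None
    return min(ospf, key=lambda r: (OSPF_TYPE_ORDER[r.ospf_type], r.metric))

def admin_distance(route: Route, ad_table: dict) -> int:
    if route.protocol == "ospf":
        return ad_table["ospf"][route.ospf_type]
    return ad_table[route.protocol]

def rib_install(routes: list, ad_table: dict):
    """Each protocol submits its single best route; the RIB keeps the lowest AD.
    Returns (winning route, its administrative distance)."""
    candidates = []
    for proto in sorted({r.protocol for r in routes}):
        if proto == "ospf":
            candidates.append(ospf_election(routes))
        else:
            candidates.append(min((r for r in routes if r.protocol == proto),
                                  key=lambda r: r.metric))
    winner = min(candidates, key=lambda r: admin_distance(r, ad_table))
    return winner, admin_distance(winner, ad_table)

# Constructed candidates for one prefix.
PREFIX = "172.16.0.0/16"
EIGRP = Route("eigrp", PREFIX, 2816)
OSPF_EXTERNAL = Route("ospf", PREFIX, 20, "external")
OSPF_INTRA = Route("ospf", PREFIX, 30, "intra-area")

def scenarios() -> dict:
    tuned = distance_ospf(DEFAULT_AD, 110, 110, 80)
    return {
        "default, external vs eigrp": rib_install([EIGRP, OSPF_EXTERNAL], DEFAULT_AD),
        "external 80, external vs eigrp": rib_install([EIGRP, OSPF_EXTERNAL], tuned),
        "external 80, intra+external vs eigrp": rib_install([EIGRP, OSPF_EXTERNAL, OSPF_INTRA], tuned),
    }

if __name__ == "__main__":
    for name, (route, ad) in scenarios().items():
        print(f"{name:40} -> {route.protocol} {route.ospf_type} AD {ad}")
```

The third scenario is the point of the post: even with external set to 80, OSPF elects the intra-area route (cheaper type, higher cost does not matter), that route arrives in the RIB with AD 110, and EIGRP at 90 wins.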

Now, to manipulate the distance for specific routes, we first need to create an access-list matching the routes whose Administrative Distance you want to change; the diagram below will give you all the reference you need, especially for OSPF:

Route AD

Or... instead of that, you can use 0.0.0.0 255.255.255.255, which tells the router not to care who it learned the route from, just change the Administrative Distance on it!

So, the command now will look like:

router ospf 1
  distance 190 0.0.0.0 255.255.255.255 20

Much easier, don´t you think?!

ODR:

On Demand Routing, or ODR, is normally used in the Frame-Relay HUB Router. It is a feature that provides IP Routing for Stub Sites with minimum overhead!

ODR uses CDP (Cisco Discovery Protocol) to carry the "routing" information between the hub and stub routers. The stub routers send their IP Prefixes to the hub router via CDP, and the hub router sends a default-route to the stubs, also via CDP. Oh yeah, almost forgot, ODR supports VLSM!

It is a nice solution to be used in a HUB and Spoke topology, if your Spoke is also a Stub Router.

The only thing you need to do is start the ODR process in the HUB Router, nothing else, considering that your network is already configured. The command to achieve this is: router odr.

Don´t forget... ODR uses CDP, so in our frame-relay example we´ll need to allow broadcasts in the map statements, and also enable CDP on the frame-relay interface (you can check whether CDP is already enabled or not with the command show cdp interface; if it is not, you can enable it with the command cdp enable).

So what will happen now?! The HUB Router will send a default-route to the Spoke (that will set up the gateway of last resort to the ODR hub router), and the Spoke will send its IP Prefixes to the HUB Router. Check the diagram below, you´ll get the idea:

ODR

Check the Routing Table for R1 (HUB) and R2 (Spoke):

R1(config-router)#do sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS,su- IS-IS summary,L1-IS-IS level-1,L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     15.0.0.0/24 is subnetted, 1 subnets
o       15.5.5.0 [160/1] via 10.1.1.2, 00:00:20, Serial1/0
     16.0.0.0/24 is subnetted, 1 subnets
o       16.6.6.0 [160/1] via 10.1.1.2, 00:00:18, Serial1/0
     17.0.0.0/24 is subnetted, 1 subnets
o       17.7.7.0 [160/1] via 10.1.1.2, 00:00:18, Serial1/0
     18.0.0.0/24 is subnetted, 1 subnets
o       18.8.8.0 [160/1] via 10.1.1.2, 00:00:18, Serial1/0

     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Serial1/0
     11.0.0.0/24 is subnetted, 1 subnets
C       11.1.1.0 is directly connected, Loopback0
     12.0.0.0/24 is subnetted, 1 subnets
C       12.2.2.0 is directly connected, Loopback1
     13.0.0.0/24 is subnetted, 1 subnets
C       13.3.3.0 is directly connected, Loopback2
     14.0.0.0/24 is subnetted, 1 subnets
C       14.4.4.0 is directly connected, Loopback3

R2(config-if)#do sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS,su- IS-IS summary,L1-IS-IS level-1,L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.1.1 to network 0.0.0.0

     17.0.0.0/24 is subnetted, 1 subnets
C       17.7.7.0 is directly connected, Loopback2
     16.0.0.0/24 is subnetted, 1 subnets
C       16.6.6.0 is directly connected, Loopback1
     18.0.0.0/24 is subnetted, 1 subnets
C       18.8.8.0 is directly connected, Loopback3
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Serial1/0
     15.0.0.0/24 is subnetted, 1 subnets
C       15.5.5.0 is directly connected, Loopback0
o*   0.0.0.0/0 [160/1] via 10.1.1.1, 00:00:16, Serial1/0

Also, keep in mind that as soon as you enable any other Routing Protocol on the Spoke, that ceases to work. The Spoke will still learn the 0.0.0.0/0 default-route, but it´ll no longer send up to the HUB any detailed information about its networks; that will be done by the Routing Protocol if you configure it to do so!

So, to summarize:

HUB --> Spoke = 0.0.0.0/0
Spoke --> HUB = advertise its connected networks.

One more piece of advice... this may be a way to get a default-route without using any static route or default-information originate in the exam!

You can find more information about ODR either on IPExpert CCIE R&S Blended Learning Solutions or in Cisco´s Website, the following link is a good start:

http://www.cisco.com/en/US/tech/tk365/technologies_white_paper09186a0080093fde.shtml#t7

Last thing... those Videos from IPExpert ROCK man! If you´re following my posts till now, you know that already! It really looks like I´m attending an "on-site" bootcamp! I´m loving it!

Thursday, August 14, 2008

ARP, RARP, Proxy ARP, Gratuitous ARP and IP Redirect

Well... after a while away from my computer (in fact, away from any computer) due to some medical issues I´m back! Don´t worry, nothing bad, it was scheduled already, and I had the company of my wife, and guess who?! Yeah! Him! Mr. Jeff Doyle, not in person, but in his book version!

Books like TCP/IP Vol. 1 and 2 MUST be read from cover to cover! Always a good thing to learn!

Some of you may think, ARP, too basic... Yeah, I think so too, but there were more than 10, 20 times that people who were supposed to know this asked me HOW it works... so here (with Mr. Doyle´s help) you´ll find ARP and some variations of it.

ARP

Address Resolution Protocol (ARP) is used to map a known IP Address to an unknown data-link identifier (for example a MAC Address). The ARP Request will contain:

  • Source IPv4 Address;
  • Source data-link identifier address (MAC Address for example);
  • Destination IPv4 Address;
  • Destination data-link identifier (MAC Address in our example) will be set to 00:00:00:00:00:00.

Check this ARP Request capture:

Ethernet II, Src: 00:30:b8:83:cb:40, Dst: ff:ff:ff:ff:ff:ff
    Destination: ff:ff:ff:ff:ff:ff (Broadcast)
    Source: 00:30:b8:83:cb:40 (00:30:b8:83:cb:40)
    Type: ARP (0x0806)
    Trailer: FFE000200020003035800000FFE000100030
Address Resolution Protocol (request)
    Hardware type: Ethernet (0x0001)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (0x0001)
    Sender MAC address: 00:30:b8:83:cb:40 (00:30:b8:83:cb:40)
    Sender IP address: 201.6.115.1 (201.6.115.1)
    Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00)
    Target IP address: 201.6.115.254 (201.6.115.254)

By default Cisco Routers hold ARP entries for 4 hours. You can change this value on a per-interface basis with the command: arp timeout <value in seconds>. Example:

interface fastethernet 0/0
arp timeout 3600

RARP

RARP is the opposite of ARP: it maps a known MAC Address to an IPv4 Address. For example, old workstations (dumb terminals) could have their firmware programmed to send a RARP request as soon as they were powered up, and a RARP Server would answer this RARP request with the workstation´s IP Address (Airline Companies used it A LOT in the past). Hmmm.. looks like DHCP right?! Yeah.. it looks like it, but it ISN´T ok?! ;)

RARP Request will contain:

  • Source and Destination data-link identifier (MAC Address in this example) will be the local host MAC Address;
  • Source and Destination IP Address will be set to 0.0.0.0.

Check this example capture of RARP traffic:

Ethernet II, Src: Marquett_12:dd:88, Dst: ff:ff:ff:ff:ff:ff
    Destination: ff:ff:ff:ff:ff:ff (Broadcast)
    Source: Marquett_12:dd:88 (00:00:a1:12:dd:88)
    Type: ARP (0x0806)
    Trailer: FFE000200020003035800000FFE000100030
Address Resolution Protocol (reverse request)
    Hardware type: Ethernet (0x0001)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: reverse request (0x0003)
    Sender MAC address: Marquett_12:dd:88 (00:00:a1:12:dd:88)
    Sender IP address: 0.0.0.0 (0.0.0.0)
    Target MAC address: Marquett_12:dd:88 (00:00:a1:12:dd:88)
    Target IP address: 0.0.0.0 (0.0.0.0)


---> EXAMPLE TAKEN FROM Wireshark Wiki <---

Proxy ARP

A Proxy ARP enabled Router answers ARP requests intended for another machine; it does that by making the local host believe that the Router is the "owner" of that IP Address. The local host will forward the traffic to the Router, and the Router will be responsible for "routing" the packets to the real destination.

For example, a Host in Subnet A wants to send traffic to a Host in Subnet B; Host A and Host B are in the same subnet, but in different broadcast domains. Host A will send an ARP Request for Host B´s IP Address, and the Router connected to both subnets will answer Host A´s request using its own MAC Address instead of Host B´s MAC Address.

Now when Host A wants to transmit traffic to Host B, it´ll send it to the Router´s MAC Address and the Router will just forward the traffic to Host B. That´s why it´s called "Proxy ARP".

It´s used on networks where the hosts are not configured with a default-gateway.

Oh yeah... it´s enabled by default in Cisco IOS, and you can disable it on a per-interface basis with the command: no ip proxy-arp

Gratuitous ARP

In some circumstances a Host (Router, Switch, Computer, etc) might send an ARP Request with its own address as the target address... But, for its own address?! Why would a host do that!?

Well... there are some reasons... for example:

  • It´s used to update other devices´ ARP Tables (when a device receives an ARP Request with an IP that is already in its cache, the cache will be updated with the new information);
  • An HSRP Router that takes over control will send a Gratuitous ARP out onto the network to update the cache tables of the other devices;
  • To check for duplicate addresses (if the host receives a response, it´ll know that somebody is using the same IP Address).

You can check this Gratuitous ARP traffic captured with Wireshark (the best opensource sniffer out there):

Ethernet II, Src: 02:02:02:02:02:02, Dst: ff:ff:ff:ff:ff:ff
    Destination: ff:ff:ff:ff:ff:ff (Broadcast)
    Source: 02:02:02:02:02:02 (02:02:02:02:02:02)
    Type: ARP (0x0806)
    Trailer: 000000000000000000000000000000000000
Address Resolution Protocol (request/gratuitous ARP)
    Hardware type: Ethernet (0x0001)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (0x0001)
    Sender MAC address: 02:02:02:02:02:02 (02:02:02:02:02:02)
    Sender IP address: 192.168.1.1 (192.168.1.1)
    Target MAC address: ff:ff:ff:ff:ff:ff (Broadcast)
    Target IP address: 192.168.1.1 (192.168.1.1)


---> EXAMPLE TAKEN FROM Wireshark Wiki <---
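The three captures above (ARP request, RARP request, gratuitous ARP), as an added example that is not code from the post or from the Wireshark wiki: a parser for the Ethernet II + ARP frame that recovers the fields Wireshark displays and classifies the frame, plus a small ARP-cache monitor that does what the first bullet in the Gratuitous ARP list describes (learn the mapping) and flags the case a defender cares about, a gratuitous ARP that rewrites a mapping the cache already holds. The frame bytes are rebuilt from the addresses in the captures; the second gratuitous frame in the test is constructed.

```python
import struct

# Added example (not from the post or the Wireshark wiki): parses Ethernet/ARP
# frames like the three captures shown above and watches for a gratuitous ARP
# that changes an existing IP -> MAC mapping.

ETHERTYPE_ARP = 0x0806
OPCODES = {1: "request", 2: "reply", 3: "reverse request", 4: "reverse reply"}

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))

def build_arp_frame(dst: str, src: str, opcode: int,
                    sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Ethernet II header + 28-byte ARP body (Ethernet hardware, IPv4 protocol)."""
    eth = struct.pack("!6s6sH", mac_bytes(dst), mac_bytes(src), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)
    return eth + arp

def parse_arp_frame(frame: bytes) -> dict:
    """Decode the fields Wireshark shows and classify the frame."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {
        "src_mac": mac_str(src), "dst_mac": mac_str(dst),
        "opcode": OPCODES.get(opcode, f"unknown({opcode})"),
        "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
        "target_mac": mac_str(tha), "target_ip": ip_str(tpa),
        # RARP uses opcodes 3/4 and carries 0.0.0.0 in both IP fields
        "rarp": opcode in (3, 4),
        # gratuitous ARP: the sender asks about / announces its own address
        "gratuitous": opcode in (1, 2) and spa == tpa,
    }

def update_cache(cache: dict, info: dict) -> list:
    """Learn sender IP -> MAC the way a host would; return alert strings when a
    gratuitous ARP overwrites an existing mapping with a different MAC."""
    alerts = []
    if info["rarp"] or info["sender_ip"] == "0.0.0.0":
        return alerts                      # nothing to learn from a RARP request
    old = cache.get(info["sender_ip"])
    if info["gratuitous"] and old is not None and old != info["sender_mac"]:
        alerts.append(f"{info['sender_ip']} moved from {old} to "
                      f"{info['sender_mac']} via gratuitous ARP")
    cache[info["sender_ip"]] = info["sender_mac"]
    return alerts

# Frames rebuilt from the captures above (addresses as shown there).
ARP_REQUEST = build_arp_frame("ff:ff:ff:ff:ff:ff", "00:30:b8:83:cb:40", 1,
                              "00:30:b8:83:cb:40", "201.6.115.1",
                              "00:00:00:00:00:00", "201.6.115.254")
RARP_REQUEST = build_arp_frame("ff:ff:ff:ff:ff:ff", "00:00:a1:12:dd:88", 3,
                               "00:00:a1:12:dd:88", "0.0.0.0",
                               "00:00:a1:12:dd:88", "0.0.0.0")
GRATUITOUS_ARP = build_arp_frame("ff:ff:ff:ff:ff:ff", "02:02:02:02:02:02", 1,
                                 "02:02:02:02:02:02", "192.168.1.1",
                                 "ff:ff:ff:ff:ff:ff", "192.168.1.1")

if __name__ == "__main__":
    cache = {}
    for frame in (ARP_REQUEST, RARP_REQUEST, GRATUITOUS_ARP):
        info = parse_arp_frame(frame)
        print(info["opcode"], "rarp" if info["rarp"] else "",
              "gratuitous" if info["gratuitous"] else "", update_cache(cache, info))
```

The monitor logs only the transition case; an HSRP takeover produces exactly this kind of alert legitimately, so in practice you correlate it with the HSRP event rather than treat every hit as a problem.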

IP Redirect: 

IP Redirect is used by routers to notify hosts of another router on the data link that should be used for a particular destination.

For example, Router A and Router B are connected to the same Ethernet Segment, and so is Host C. Host C has Router A set as its default-gateway, so Host C will send the packets to Router A; Router A sees that the destination address of the packet is reachable via Router B, so Router A must forward the packets back out the same interface it received them on, to Router B. Router A does that, and also sends an ICMP Redirect to Host C telling it to use Router B to reach this particular destination next time.

IP Redirect is enabled by default in IOS Routers and can be disabled on a per-interface basis with the command: no ip redirects.

That´s it! I´ll lie down a while, my head is a little fuzzy right now!

Friday, August 8, 2008

CCIE FLYER.COM - Great Resource for CCIE´s!


That´s interesting! For the last couple of months I´ve been receiving the CCIE FLYER from the greatest (if not the only) CCIE AGENT, Mr. Emmanuel "Eman" Conde. He was conducting the CCIE Salary Survey some time ago (you can see this post here in the Blog), and he is helping many, many companies and CCIEs around the world!

I´ve exchanged a couple of emails with him, but due to my calendar I wasn´t able to talk to Eman yet; this is one thing I´ll try to fix ASAP! He seems to be a very nice guy, and I can´t wait to get to know him better!

Check this post from Mike Down:

----

Hey everyone! So, I have been chatting with the ever famous "CCIE AGENT" Emmanuel "Eman" Conde over the past several weeks and he mentioned his CCIE FLYER that he has been putting out. Eman also just released the CCIE Salary Survey which you probably have seen on many other blogs. I surfed on over to www.ccieflyer.com to check it out.

Eman has developed a way to keep his clients updated on his activities while still dispensing advice about some of their career and professional concerns. His third issue of the CCIE Flyer is devoted to the economy. The September issue has the perspective of 3 educators from grade school through university level. In this issue he will be reviewing training companies and sharing his findings with his readers. Yes, this does include IPexpert.

Eman stops by IPexpert next week, where he will be meeting up with IPexpert Vice President Matt Brooks and IPexpert Instructors Vik Mahli and Jared Scrivener, along with dozens of aspiring CCIEs who will be attending class at our San Jose, California location.

So, shoot over to CCIEFLYER and check it out! Bookmark it! It is a monthly update with tons of great articles!!!

----

Fantastic news to the CCIE Community!

Getting ready for my Vacations

Well... My vacations will start next monday! I´ll have some time to do what I want and need to do! Rest a while and Study a LOT!

I´ll be at home for 20 days (sweet!), and during this time I want to finish watching IPExpert Video-on-Demand, and complete at least up to IPExpert Workbook Vol. 1 Lab 10. No need to rush; if I can get this done, great, otherwise I prefer to slow down a little to REALLY understand things than to speed up just to say to everybody: "Yeah, look at me! I can do many labs, tasks, I´m the man!", that´s just not me! I don´t care if I´m taking baby steps, but at least I´m sticking the information in my head, and this new stuff I´ve learned while studying for the CCIE Exam is already helping me out in my work!

That´s why work has been so hard the last couple of weeks; I´m finishing everything I have pending on my desk, so I can enjoy my free days without any interruption!

The beginning of next week (Monday, Tuesday, Wednesday) will be a little complicated for me, so don´t expect to see me online, or too many blog notes, I´ll not have time for that! I have some personal stuff to take care of! In fact, I´ll not be able to touch a computer, but I´ll be able to read books... TCP/IP Vol. 1 will be my best friend during this time.

On Thursday I think I´ll be able to get back "online" and watch some Videos, Blog, and start my study regimen the way I want! Study during the day, take the wife out at night, enjoy the time with my cats, relax, study a while more, sleep, just the life any CCIE Candidate wants! lol! :D

That´s it guys! Hope everyone is enjoying the studies as much as I am! :)

Cheers!

Thursday, August 7, 2008

IPExpert + Narbik Bootcamps for $4000.00 ?!

This morning I was checking my emails, and received the latest IPExpert Newsletter, great news inside, but this one particularly called my attention:

Attend IPexpert's CCIE R&S Boot Camp -AND- Narbik's Boot Camp for ONLY $4000 (limited availability)

----

Here comes another unique opportunity...

  • During the week of August 25, Australia's own Jared Scrivener will be conducting IPExpert's CCIE R&S 5-Day Boot Camp in Sydney.
  • One month later, Narbik Kocharians will deliver his CCIE R&S 5-Day Boot Camp during the week of September 29.

You can attend BOTH of these courses for only $4000 - TOTAL. Now, think of this amazing opportunity...

  1. Spend the first week with Jared in our industry-recognized Boot Camp.
  2. Spend three weeks of continued preparation while also exploring Australia (additional costs, of course).
  3. Spend week 5 with Narbik rounding out your preparation.
  4. Pass your lab exam at Cisco's testing facility in Sydney and return home as a CCIE (hopefully!).

Give yourself six weeks to change your life. Think of the experiences you will have for so little cost.

----

I just wonder WHY don´t I live in Australia?! :)

Also, IPExpert just released the CCIE R&S Power Pack, that includes IPExpert CCIE R&S Blended Learning Solutions + CCIE R&S Technology Focused Workbook by Narbik Kocharians + A 10-Session of online rack time for use at Proctor Labs.

And much more! You must check this Newsletter!

--> IPExpert August Newsletter <--

Tuesday, August 5, 2008

WCCP - Web Cache Communication Protocol

Following with the notes/reviews from IPExpert CCIE R&S Blended Learning Solutions Video-on-Demand, we´re today presented with WCCP! :)

WCCP is used between Routers, Layer 3 Switches and Web-Caches. It´s used to optimize resource utilization and lower response times: when a user makes a web request, for example, that´s the kind of traffic you want to redirect to the Web-Cache; hopefully you (better, your Web-Cache) have some information cached locally, and that will decrease the response time.

As far as the exam is concerned, there´s no real Web-Cache in the LAB. Well... at least for now there isn´t! The "goal" would be to set up the routers to talk with it, and that´s pretty much what we can be asked to do!

We´ll have no other way to test it than just a few show commands.

To enable your router (or layer 3 device) to talk to the Web-Cache, you need to enable WCCP with the global configuration command:

  • ip wccp web-cache

After that, we need to choose the traffic to send to the Web-Cache; it can be either on the outside interface where requests go out:

  • ip wccp web-cache redirect out

OR on the incoming interface where requests come in:

  • ip wccp web-cache redirect in

Choose the one (not both) that best fits what was requested in your lab!

Just a few commands to do that, right?! Not too bad! But... which interface is supposed to be configured as "redirect in" and which interface is "redirect out" ?!

It´ll be easier to understand by checking the diagram below:

Web Cache

If you want to send the traffic coming from users connected in SW1 to the Web-Cache, you need to configure the interface F0/0 as ip wccp web-cache redirect in.

Now, if you want to send the traffic going out S0/0 to the internet, you need to configure S0/0 as ip wccp web-cache redirect out. Don´t use both (redirect in and redirect out); choose the one that best fits the task requirements.

Remember, the redirect perspective is "router centric", so traffic coming from your network is IN and traffic going out to the internet from your network is OUT. Just keep this in mind and you´ll never have problems figuring out which type of redirect to use when configuring WCCP.

Now, if for example both the user traffic to be sent to the Web-Cache and the Web-Cache itself are connected to the same router interface (for example F0/0), we need to use the command ip route-cache same-interface; this will "hairpin" the traffic coming from users on this interface to the Web-Cache. Of course, this solution is not the most efficient and it consumes the most resources (CPU, Interface bandwidth, etc), but keep in mind that the CCIE Lab is not graded on performance, it´s graded on achieving the results that the task is asking for!

Again, checking our diagram, if you want to send traffic from users on either F0/0 or F0/1 to the Web-Cache, we can do ip wccp web-cache redirect in on F0/0 and F0/1, OR we can configure ip wccp web-cache redirect out on S0/0; both will meet the request! Select the best option, and use it!

Also you can apply a "Redirect Filter" (an access-list) to filter just the traffic you want; that is done with some optional parameters of the global configuration command ip wccp web-cache:

  • ip wccp web-cache redirect-list <ACL#> --> used to select which user traffic to send / not to send to the Web-Cache;
  • ip wccp web-cache group-list <ACL#> --> used to select which Web-Cache to use;
  • ip wccp web-cache password <password> --> used to configure a password to authenticate with the Web-Cache.

UDP port 2048 is the port used between the Router and the Web-Cache to communicate, and GRE is the tunnel method used. There´s nothing more to do on the routers than to say YES, I want to talk with the Web-Cache, and HOW to do the redirections; all other configuration goes in the Web-Cache itself.

Since the CCIE Lab Exam will not include any real Web-Cache, we can only use the command show ip wccp web-cache detail to check some generic information and also whether WCCP is enabled and which interfaces are participating in the WCCP process!

Some examples:

access-list 10 permit host 10.1.1.1
access-list 10 permit host 10.1.1.2
ip wccp web-cache group-list 10

This will "notify" the router that only IP Addresses 10.1.1.1 and 10.1.1.2 are valid Web-Caches to register with!

Another one:

access-list 110 deny ip any host 200.207.108.2
access-list 110 permit ip any any
!
ip wccp web-cache redirect-list 110
!
interface FastEthernet 0/0
 ip wccp web-cache redirect in

This example will configure the router to redirect web-related packets received via interface FastEthernet 0/0 and destined to any host except 200.207.108.2 to the Web-Cache.

And many others included in the IPExpert Video-on-Demand! You can also check Cisco´s DocCD to find some useful information and examples.

WCCP can be located at Cisco IOS IP Application Services Configuration Guide, Release 12.4