
Showing posts from 2011

OER/PFR

This actually turns out to be one of the most complicated topics that people who are currently preparing for the CCIE R&S lab must understand. Written by: Brian Dennis. This blog post is the first in a series covering Performance Routing (PfR), formerly known as Optimized Edge Routing (OER), that I will be publishing over the coming weeks. I decided to cover PfR in a series of blog posts contrary to a single post as PfR is a very powerful and useful feature that leverages the power of Cisco's IOS, but at the same time PfR is a potentially very complicated and often confusing feature to configure and troubleshoot. Trying to cover PfR in a single blog post would be the equivalent of trying to cover OSPF in a single blog post. In fact, if you compare the IOS 12.4T OSPF Configuration Guide against the Optimized Edge Routing (OER) Configuration Guide you will notice that the OER documentation is nearly 35% larger. ... http://blog.ine.com/2011/11/01/cisco-performance-rou...

apple mouse

My wife gave me a gift: a brand new Apple mouse. It's really amazing what Apple can do. It's multi-touch and it's really nice to use.

mac book pro

I am not a fan of Apple, but I just bought a brand new MacBook Pro 15" with a quad-core i7 and I can say that Apple changed the way you can use your personal computer. After 15+ years of using Windows and Linux as a desktop, it's time for some change.

new job

I went through a few technical interviews and it looks like I am about to sign a contract. Next week I will be in the UK looking for a house and eventually staying in it. Wish me luck with the new job.
21DEC: If you have to choose between SPEEDY and DHL for courier, choose DHL. Speedy simply sucks.
15DEC: I got approval for my UK working visa. Preparing the BR3 form for the border agency.
25NOV: Looks like during the test period I will be living in the hotel. Thanks to Stefan for pointing me to the right place :)
20NOV: I got the job offer and now I have applied for a work permit in the UK. I hope everything will be fine with that. The company I applied to is one of the service integration leaders in the UK and has really nice Cisco, Juniper and F5 labs. The start date is around the 15th of Jan 2012.

NTP access control

An important trick I found on the INE forum that should be remembered about NTP when you are using NTP access control. One of the important things that is not mentioned in the INE post is that by default no one will be rejected by the NTP master if it's not trying to authenticate; that's why you restrict those stations with an ACL. "If your router is configured as NTP master, and you set up any access-control group, you must allow the "peer" access type to a source with IP address "127.127.7.1". This is because "127.127.7.1" is the internal server created by the ntp master command, which the local router synchronizes to. If you forget to enable peer access for it, your server will always be out of sync. Here are some examples. First one: configure R1 as NTP master and allow the server to be polled for NTP updates by just one client. The client should receive updates from just one source:" Creating an Access Group and Assigning a Basic IP Access List to It To control access to NT...

Ethernet over SDH

It's an interesting topic, though. I got such a question in a job interview a few days ago and I think I was too stressed to give the answer straight away, but after I left the interview I came up with a few answers about it, and I used such a solution a few years ago in Iceland. So, you want to carry native Ethernet over SDH, but for some historical reasons you have a huge SDH/PDH network which carries mainly IP. What can you do about it? I was thinking of Ethernet-over-IP-over-SDH. Why not? I tried something like that a couple of years back and it works. The telco way is to convert the SDH to Ethernet with a pseudowire (tunnelling); Axerra Networks and Tellabs have such solutions, or you can use the well-advertised RFC 4448 (Ethernet over MPLS).

dynamic access-list - the small trick

A short note about dynamic ACLs: if you are going to use a dynamic ACL to allow some kind of access to a service/server with an absolute timer, it's very important to remember that you need to enable the "absolute timer" extension of the ACLs:
R1(config)#access-list dynamic-extended
The rest you have to remember is to put the autocommand sub-option; if you cannot remember what the options after that should be, they are available in exec mode:
R1(config)#username ENABLE autocommand ?
  LINE  Command to be automatically issued after the user logs in
R1#access-enable ?
  host     Enable a specific host only
  timeout  Maximum idle time to expire this entry
Example ACL with a dynamic statement:
ip access-list extended DYN
 permit tcp any any eq telnet
 permit tcp any any eq 7001
 permit udp any any eq rip
 dynamic ACCESS timeout 15 permit tcp any any eq www
 deny ip any any
 deny ip any any log
vty configuration:
R1(config-line)#autocommand access-enable timeout 5
One very ...

Private VLANs

Introduction. To begin with, recall that a VLAN is essentially a broadcast domain. Private VLANs (PVLANs) allow splitting the domain into multiple isolated broadcast "subdomains", introducing sub-VLANs inside a VLAN. As we know, Ethernet VLANs cannot communicate directly with each other; they require an L3 device to forward packets between separate broadcast domains. The same restriction applies to PVLANs: since the subdomains are isolated at Layer 2, they need to communicate using an upper-level (L3/packet forwarding) device, such as a router. In reality, different VLANs normally map to different IP subnets. When we split a VLAN using PVLANs, hosts in different PVLANs still belong to the same IP subnet, yet now they need to use a router (L3 device) to talk to each other (for example, by using Local Proxy ARP). In turn, the router may either permit or forbid communications between sub-VLANs using access-lists. Commonly, these configurations arise in "shared" environments, say ISP co-locat...

MLPPP LFI

Looks like this is one of the tricky small topics which every CCIE R&S candidate should know. So imagine the following scenario: you have two routers, R4 and R5, with a serial interface, and you have to configure multilink interleaving and fragmentation. One of the most important things you should remember is that interleaving works only on interfaces with "fair-queue" enabled. So usually the tricky question is when you are asked to configure Frame Relay traffic shaping and enable PPP multilink interleaving and fragmentation (which will be automatically configured for you if you don't specify it). The first thing that you have to remember is that if you have Frame Relay traffic shaping, it will disable fair queueing on the interface. So what we should do is configure the interleaving on the Multilink interface. Here is the configuration output example: [I am using Internetwork Expert R&S Workbook 1, task 10.55, version 5.019 of the document] Also in this par...

basic MPLS VPN scenario

It's a really basic topology with two VPN clients. I decided to use VRF CLIENT_A and VRF CLIENT_B; CLIENT_A is running OSPF and CLIENT_B is running BGP. There is another link between SW3 and SW2, and I have configured a sham-link to avoid it. Something interesting, and maybe a common mistake, is when you configure the sham-links with the wrong "area id": what happens is that the routes in your FIB table will appear as INTER-AREA routes instead of INTRA-AREA routes. There is nothing specific about VRF CLIENT_B; anyway, if someone is digging and looking for such a scenario, maybe this picture will be useful.

eem sync or no sync

When you use the sync yes option in the event cli command, the EEM applet runs before the CLI command is executed. The EEM applet should set the _exit_status variable to indicate whether the CLI command should be executed (_exit_status set to one) or not (_exit_status set to zero). A sample applet using the _exit_status variable is described in my "Schedule reload before configuring the router" post. With the sync no option, the EEM applet is executed in the background in parallel with the CLI command. As the CLI command starts at the same time as the EEM applet, you cannot use the _exit_status variable anymore; you have to specify whether you want the CLI command to execute with the skip yes|no option of the event cli command. A sample applet using the sync no skip yes options is described in my "Can you disable the reload command?" post.
Original post: http://blog.ioshints.info/2011/01/eem-event-cli-command-options-and.html

optimized edge routing

It's part of the new R&S lab. Some of the examples look very useful: http://www.ine.com/petr/IEWB-RS-VOL-I-V5.OER.0.01.pdf
Update: this topic is a headache..

sla udp-jitter

An important point if you have to do a UDP-JITTER SLA: "Time synchronization, such as that provided by NTP, is required between the source and the target device in order to provide accurate one-way delay (latency) measurements. To configure NTP on the source and target devices, perform the tasks in the "Performing Basic System Management" chapter of the Cisco IOS Network Management Configuration Guide. Time synchronization is not required for the one-way jitter and packet loss measurements, however. If the time is not synchronized between the source and target devices, one-way jitter and packet loss data will be returned, but values of "0" will be returned for the one-way delay measurements provided by the UDP jitter operation." You must configure NTP between the routers you are measuring the jitter on (under question, confirming that with the INE guys right now).
R5#show ntp as
R5#show ntp associations
  address         ref clock     st  when  poll reach  delay  offset ...

linkedin vs facebook

I am quite sure I am able to explain what I think about social networking and things like facebook, but have you thought about what it would be like if networks like linkedin extended their capabilities so you could actually chat with your business network or with people interested in the same things as you? So, why facebook? :) What can facebook offer you if you are looking for pro connections and people with common interests? My 1 cent thought.

NMC labs 1 - 25

Looks like the recommendation from most of the people I asked is to skip the very first labs and jump to 26-35 (version 4); however, the very first labs are still great in terms of building strong knowledge on things like redistribution, route filtering and troubleshooting. I am about to finish lab 7 and jump to lab 26.

IRDP/ICMP

Router R3 is connected on its Ethernet interface to SW3 (working only as an L2 switch) and we have to send it a default gateway via IRDP. This is how such a configuration would look:
R3
R3#sh run int fast 0/0.50
Building configuration...

Current configuration : 262 bytes
!
interface FastEthernet0/0.50
 encapsulation dot1Q 50
 ip address 172.16.30.3 255.255.255.128
 ip irdp
 ip irdp multicast
 ip irdp maxadvertinterval 20
 ip irdp minadvertinterval 20
 ip irdp holdtime 60
 ip irdp preference 100
 ip irdp address 0.0.0.0 100
end

R3#
and
SW3#sh run int vlan 50
Building configuration...

Current configuration : 93 bytes
!
interface Vlan50
 ip address 172.16.30.10 255.255.255.128
 ip irdp
 ip irdp multicast
end

SW3#
However, to make it work on the switch side you'd need to enable it by entering:
ip gdp irdp
SW3#show ip route
Gateway       Using  Interval  Priority  Interface
172.16.30.3   IRDP   20        100       Vlan50

Default gateway is 172.16.30.3

Host  Gateway  Last Use...

DHCP Authorized ARP: really nice feature available in 12.3T

The DHCP Authorized ARP feature enhances the Dynamic Host Configuration Protocol (DHCP) and Address Resolution Protocol (ARP) components of the Cisco IOS software to limit the leasing of IP addresses to mobile users to authorized users. This feature enhances security in public wireless LANs (PWLANs) by blocking ARP responses from unauthorized users at the DHCP server. http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtautarp.html

re-patching the lab for netmaster

In this topology I have 4 switches (2x3560 and 2x3550) and 6 virtual 3725 routers with T-based IOS (a PC with 12 network cards). I haven't tested the configuration against the netmasterclass workbooks yet. Some features are missing on this platform, or at least on this version of IOS, like "object track" in ACLs. The first visible difference is that there are no backbone routers as we used to have in the INE labs. This is my configuration:
"netmasterclass.net"
autostart = False
[localhost:7200]
workingdir = /home/nabromov/dynamips/working
udp = 11000
[[3725]]
image = /home/nabromov/dynamips/images/c3725-adventerprisek9-mz.124-15.T14.bin
ram = 256
nvram = 256
ghostios = True
idlepc = 0x60c06028
[[Router R1]]
model = 3725
console = 2001
# R1 e0/0 to SW1 fa0/1
f0/0 = NIO_linux_eth:eth0
# R1 f0/1 to SW2 fa0/1
f0/1 = NIO_linux_eth:eth1
s1/0 = FRSW 1
s1/1 = R3 s1/1
[[ROUTER R...

netmasterclass workbooks

I am planning to try another training provider, so I found netmasterclass, who are working with Cisco based on the Cisco 360 training program. I will post some impressions after I go through a few of the labs.

CBAC concurrent sessions

Another trick that I just learned. If you want to limit the number of concurrent sessions going through the inspect rules you can use:
RouterXXX(config)#ip inspect hashtable number
Usage Guidelines: Use the ip inspect hashtable command to increase the size of the hash table when the number of concurrent sessions increases, or to reduce the search time for the session. Collisions in a hash table result in poor hash function distribution because many entries are hashed into the same bucket for certain patterns of addresses. Even if a hash function distribution evenly dispenses the input across all of the buckets, a small hash table size will not scale well if there are a large number of sessions. As the number of sessions increases, the collisions increase, which increases the length of the linked lists, thereby deteriorating the throughput performance.

INE lab 15 task task 1.2

Okay, everyone will configure the bba-groups in the right way to make the task work. For me the tricky bit was that I used the wrong identifier for this task and the static host map in the DHCP pool didn't work. If you don't configure the right client identifier it won't work. So what I did was start a debug of the PPPoE session and get the identifier from the dump in the log:
*Mar 1 00:13:42.243: Retry count: 1 Client-ID: cisco-c203.03d1.0000-Di1
*Mar 1 00:13:42.243: Client-ID hex dump: 636973636F2D633230332E303364312E
*Mar 1 00:13:42.247: 303030302D446931
We should keep in mind that we need to add 00 in front of the first two digits for the client-id, and it will look like 6369.xxxx.xxxx.xxxx.xxxx

dynamips and CDP annoying messages

*Mar 1 01:41:22.403: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/0 (not full duplex), with Rack1SW2 FastEthernet0/2 (full duplex).
To stop these messages you can type:
LabXXX(config)#no cdp log mismatch duplex

annoying cisco features during the labs

Use the access-list hardware program nonblocking global configuration command to cause the system to continue to forward frames even while a new security access-control list (ACL) configuration is being programmed into the hardware. Use the no form of this command to return to the default behavior, where traffic is blocked on affected interfaces when changes are made to the security ACL configuration while the hardware is updated with the new configuration.
access-list hardware program nonblocking
no access-list hardware program nonblocking

IPv6overIP vs GRE

I just found this nice tutorial about IPv6 tunnels and the IP overhead in particular: http://ardenpackeer.com/routing-protocols/tutorial-ipv6-tunnels-part-1-manual-gre-ipv6ip-tunnels/

object group tracking for ACLs

First Published: July 11, 2008
Last Updated: September 6, 2010
The Object Groups for ACLs feature lets you classify users, devices, or protocols into groups and apply those groups to access control lists (ACLs) to create access control policies for those groups. This feature lets you use object groups instead of individual IP addresses, protocols, and ports, which are used in conventional ACLs. This feature allows multiple access control entries (ACEs), but now you can use each ACE to allow an entire group of users to access a group of servers or services or to deny them from doing so. In large networks, the number of ACLs can be large (hundreds of lines) and difficult to configure and manage, especially if the ACLs frequently change. Object group-based ACLs are smaller, more readable, and easier to configure and manage than conventional ACLs, simplifying static and dynamic ACL deployments for large user access environments on Cisco IOS routers. Cisco IOS Firewall benefits from object ...

IOS on Unix (IOU)

Source: http://evilrouters.net/2011/01/18/cisco-iou-faq/
What is IOU? From the Cisco Engineering Education web site (a long time ago): IOS on Unix (IOU) is a fully working version of IOS that runs as a user mode UNIX (Solaris) process. IOU is built as a native Solaris image and run just like any other program. IOU supports all platform independent protocols and features.
What operating systems does IOU run on? It is my understanding that, initially, IOU was Solaris (SPARC) only. Nowadays, however, there are also builds for OS X and Linux. Similar to dynamips, IOU allows you to build out a network topology on a computer, without the need for physical routers. This is useful for validating designs, proof-of-concept testing, and certification self-study.
Is my system compatible with IOU? You will need to be running the operating system that your IOU image was built for, obviously. Other than that, there are no special requirements to run IOU. It is not very CPU- or memory-intensive, unlik...

added new book to my collection

Just got another book for my collection. I am not a big fan of MPLS/VPLS; however, this topic is mandatory in the routing and switching lab.
MPLS Configuration on Cisco IOS Software: A complete configuration manual for MPLS, MPLS VPNs, MPLS TE, Any Transport over MPLS (AToM), and VPLS (Networking Technology) [Paperback]
Paperback: 720 pages
Publisher: Cisco Press; 1 edition (10 Jun 2010)
Language: English
ISBN-10: 1587142503
ISBN-13: 978-1587142505

Understanding STP convergence

I've been trying to find a good explanation of some of the Internetwork Expert tasks and why they decided to use the solutions they used in some of the tasks. I tagged all posts related to the labs with the tag "ccienotes". The one below is related to IE lab 11, task 1.3.
1) General overview of the STP convergence process
2) How STP converges if a directly connected link fails
3) How STP converges when it detects an indirect link failure
4) Topology changes and their effect
See a more detailed overview at: http://blog.ine.com/wp-content/uploads/2010/04/understanding-stp-rstp-convergence.pdf
STP Convergence in General. As we know, the STP protocol follows a certain simple procedure to calculate the loop-free subset of the network topology. The STP protocol could be compared to RIP in some sense. Both execute a version of the Bellman-Ford iterative algorithm, which could be described as "gradient" (meaning it iteratively looks for the optimal solution, selecting the "closest" candidate every time). ...

INE vol2 lab 10 - task 1

--- cut ---
By default, EIGRP will choose the path with the lowest metric. For this topology, the point-to-point link between R1-R3 is 1.536 Mbps, the frame-relay link between R2-R3 is 1.28 Mbps and the frame-relay link between R1-R2 is 256 Kbps. In this scenario, R1 will choose Path 1 to reach VLAN 26. At this point, if we configure a variance of 5, then the traffic will be load balanced between the two paths at a ratio of 80:23 as shown in the output below.
RSRack1R1#sh ip route 164.1.26.6
Routing entry for 164.1.26.0/24
  Known via "eigrp 100", distance 90, metric 3026432, type internal
  Redistributing via eigrp 100
  Last update from 164.1.12.2 on Serial0/0, 00:00:56 ago
  Routing Descriptor Blocks:
  * 164.1.13.3, from 164.1.13.3, 00:00:56 ago, via Serial0/1
      Route metric is 3026432, traffic share count is 80
      Total delay is 40100 microseconds, minimum bandwidth is 1280 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 2
    164.1.12.2, ...