Archive for July, 2006

Right, last updates done before D-day…

 | 31 Jul 2006 21:16

A nice relaxing day to write some last notes and relax; for my latest additions have a look in the lab section of my CCIE R&S page. New topics:

  • Smurf/fraggle attacks
  • EIGRP bandwidth limitation
  • DHCP pool options
  • F/R with ‘dual’ QoS (thanks to the evil bastard for that one)
  • Redistribute BGP default into IGP

Will post again on Wednesday evening (bad) or Thursday (should be good).

CCIE R&S mocklab

 | 30 Jul 2006 18:46

Phew, I’m typing this with the last little bit of energy left in me. I started this morning on the mock lab I screwed up during the bootcamp and I actually finished in time. I would not have had a 100% score, as there were two things I had to look up outside of the “UniverCD”.

So this has given me a last push to find little things that I’d forgotten (already!) or hadn’t used yet, like BGP and EIGRP authentication. I’ve written down some topics I want to work out on my CCIE R&S pages, so stay tuned in the next two days.

Time for dinner now. Ooh, I’m so happy that I managed this in 8 hours; the first mock lab I did took me 14 hours, so this is a nice booster for this Wednesday when it’s for real.

PS: I’ve bought a set of coloured pens. I really hope the proctor will allow me to use them, as my drawings become a mess without them. I’ve used them the entire week and now have a nice colour-coding scheme for different things like protocols and special notes. I’ve also developed the habit of making separate network drawings for BGP and multicast; it really helps to keep the different forwarding planes separate and simple.

Virtual Tour – CCIE Lab

 | 29 Jul 2006 19:09

Found this 3 minute video showing the lab environment and detailing in simple terms what the 8 hour CCIE lab exam is.

My CCIE lab equipment

 | 03:56

My lab equipment can be seen here: PICT0012

My hardware: 3x 3640, 3620 (and a broken one), 2620XM, 2x 7204(VXR) NPE-200, 2x 2621, 7507 (dual RSP4), 3548XL, 2948G-L3 and a 2511.

BTW: The two 7304’s, two empty 3660’s and the 7204 under my laptop aren’t part of my CCIE lab.

autocommand access-enable (lock&key)

 | 02:31

Maybe this post will enable me to remember this feature. I hadn’t heard of it until I was at Heinz’s CCIE R&S bootcamp last June.

The idea is that a user telnets to the router and authenticates, after which the router inserts a temporary entry into an extended access list that permits some traffic for a limited period (Cisco calls this lock-and-key, or dynamic ACLs). Nice, heh? Be careful though: the temporary entry is a plain extended ACL entry keyed on the user’s source address, so anyone who can spoof that address gets the same access, and the normal anti-spoofing measures still need to be taken. So how do we do this? Simply follow these steps:

! Use local accounts instead of the vty password:
line vty 0 4
 login local
!
! User account that opens the ACL dynamically. The password is stored in
! clear text unless 'service password-encryption' (or a 'secret') is used:
username djerk password 123456
! A user with this autocommand opens the dynamic entry on login (and is then
! disconnected); sadly you can't name the ACL, so all dynamic ACLs on the
! router will be opened by this user! 'host' substitutes the user's source
! address for 'any' in the temporary entry; without it the entry is installed
! for any host. The timeout value (minutes) is the idle timeout!
username djerk autocommand access-enable host timeout 2
!
! The lock-and-key ACL:
ip access-list extended NACL-lock&key
 remark *** Permit user:djerk to open this ACL (lock&key) ***
 ! The user must be able to reach the router's vty through this ACL
 ! (1.1.1.1 is the user's host, 2.2.2.2 the router address he telnets to):
 permit tcp host 1.1.1.1 host 2.2.2.2 eq telnet
 ! Careful: the timeout on the dynamic line is the absolute timeout, in minutes.
 ! The temporary entry is inserted at this position once the user has authenticated:
 dynamic DYN-lock&key timeout 10 permit tcp any any eq telnet
 deny tcp any any eq telnet
 permit ip any any
!
! Apply the ACL to the interface:
interface FastEthernet0/0
 ip access-group NACL-lock&key in

The idle timeout is configured in the autocommand; the timeout on the dynamic line is the absolute timeout, after which the temporary entry is removed regardless of activity, so the idle timeout should be shorter than the absolute one (here 2 versus 10 minutes). The temporary entries show up under the dynamic line in ‘show ip access-lists’ and can be removed by hand with ‘clear access-template’.

The above config is from CCO, with minor changes and comments by me 🙂
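Because the two timeouts and the ‘host’ keyword are what people trip over with lock-and-key, here is an added example (my own Python simulation, not IOS code and not from CCO or the original post) of how the NACL-lock&key list above behaves over time: the static permit to the router, the temporary entry inserted by access-enable, the idle and absolute timeouts, and the fact that the entry matches on nothing but the claimed source address. The host addresses 10.0.0.5 and 203.0.113.7 and the timeline are constructed for the example; times are in minutes.

```python
from dataclasses import dataclass

TELNET = 23


@dataclass
class DynamicEntry:
    source: str        # the user's address with 'access-enable host', or 'any' without it
    created: float     # minutes, for the absolute timeout on the 'dynamic' line
    last_hit: float    # minutes, for the idle timeout on the autocommand


class LockAndKeyACL:
    """Simulation of NACL-lock&key from the post, applied inbound on F0/0.

    Order of evaluation, as in the ACL:
      permit tcp host ADMIN host ROUTER eq telnet   (so the user can reach the vty)
      <temporary entries from access-enable are inserted here>
      deny tcp any any eq telnet
      permit ip any any
    """

    def __init__(self, idle_minutes=2, absolute_minutes=10, host_keyword=True,
                 admin="1.1.1.1", router="2.2.2.2"):
        self.idle = idle_minutes            # autocommand access-enable host timeout 2
        self.absolute = absolute_minutes    # dynamic DYN-lock&key timeout 10
        self.host_keyword = host_keyword    # 'host' on the autocommand line
        self.admin, self.router = admin, router
        self.dynamic = []

    def authenticate(self, src, now):
        """What the autocommand does after a successful 'login local' on the vty."""
        self.dynamic.append(DynamicEntry(src if self.host_keyword else "any", now, now))

    def _expire(self, now):
        self.dynamic = [e for e in self.dynamic
                        if now - e.created < self.absolute and now - e.last_hit < self.idle]

    def permits(self, src, dst, proto, dport, now):
        self._expire(now)
        if proto != "tcp" or dport != TELNET:
            return True                                   # permit ip any any
        if src == self.admin and dst == self.router:
            return True                                   # static permit to the router itself
        for e in self.dynamic:                            # temporary 'permit tcp <source> any eq telnet'
            if e.source in ("any", src):                  # matched on the claimed source only
                e.last_hit = now
                return True
        return False                                      # deny tcp any any eq telnet


def telnet_timeline(host_keyword=True):
    """Walk the constructed scenario and return what the ACL decided at each step."""
    acl = LockAndKeyACL(host_keyword=host_keyword)
    admin, other, target = "1.1.1.1", "10.0.0.5", "203.0.113.7"
    out = {}
    out["admin_to_router_before_auth"] = acl.permits(admin, acl.router, "tcp", TELNET, 0.0)
    out["admin_to_target_before_auth"] = acl.permits(admin, target, "tcp", TELNET, 0.0)
    acl.authenticate(admin, 0.0)                           # user logs in, autocommand fires
    out["admin_to_target_after_auth"] = acl.permits(admin, target, "tcp", TELNET, 1.0)
    out["other_to_target_after_auth"] = acl.permits(other, target, "tcp", TELNET, 1.0)
    # Anti-spoofing caveat: a packet forged with the admin's source is indistinguishable
    out["spoofed_admin_source"] = acl.permits(admin, target, "tcp", TELNET, 1.5)
    out["idle_expired_at_4"] = acl.permits(admin, target, "tcp", TELNET, 4.0)   # 2.5 min idle > 2
    acl.authenticate(admin, 4.0)
    for t in range(5, 14):                                 # a hit every minute keeps it alive
        acl.permits(admin, target, "tcp", TELNET, float(t))
    out["kept_alive_at_13"] = acl.permits(admin, target, "tcp", TELNET, 13.9)
    out["absolute_expired_at_14"] = acl.permits(admin, target, "tcp", TELNET, 14.5)  # 10.5 min since re-auth
    out["non_telnet_always_permitted"] = acl.permits(other, target, "udp", 53, 14.5)
    return out


if __name__ == "__main__":
    for step, verdict in telnet_timeline().items():
        print(f"{step:32s} {'permit' if verdict else 'deny'}")
```

Run it with host_keyword=False to see why the ‘host’ keyword matters: once one user has logged in, every host on the segment can telnet out until the entry expires.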

F/R dual-FIFO

 | 00:04

frame-relay fragment
Enables dual-FIFO, but how to get VoIP into the voice queue? Is RTP header compression enough to do this, or is LLQ needed with a priority class?

I’d be inclined to think that RTP header compression has no influence over FRF.12 fragmentation, unless it matches RTP traffic into the proper FIFO queue (dual-FIFO). Seeing that FRF.12 enables dual-FIFO, I can only assume this matching to be the case; I’ve not yet found a doc stating this without doubt, so please leave a note if you do.

Anyway, I think it’s good to know both options. Dual-FIFO applies fragmentation only to the ‘data’ queue; I know this from Multiclass Multilink PPP (MC-MLPPP), which is also dual-FIFO. I use MC-MLPoA for QoS on DSL lines.

——- (Without FRTS)
! One config: FRF.12 end-to-end fragmentation on the physical interface
interface Serial0/0
 frame-relay fragment 40 end-to-end
!
! (point-to-point is assumed; a subinterface type is required when it is created)
interface Serial0/0.1 point-to-point
 frame-relay interface-dlci 1
 frame-relay ip rtp header-compression

——- (With FRTS)
! Other config: LLQ inside the FRTS map-class
class-map match-any voip
 match protocol rtp audio
policy-map FR-voip
 class voip
  ! Enable PQ so the router can differentiate between flows (dual-FIFO)
  priority
 class class-default
!
map-class frame-relay FR-voip+FRF12
 service-policy output FR-voip
 frame-relay fragment 40
!
interface Serial0/0
 frame-relay traffic-shaping
!
interface Serial0/0.1 point-to-point
 frame-relay interface-dlci 1
  class FR-voip+FRF12

CCO: VoIP over F/R with QoS

OSPF filtering

 | 28 Jul 2006 17:39

“In OSPF you can’t filter routes.” That is only true inside an area, because OSPF is a link-state protocol: LSAs are flooded throughout the area and the protocol relies on every router in the area having exactly the same database. There is nothing like BGP communities to drive a selective route installation process. (A distribute-list in under router ospf only stops routes being installed in the local routing table; the LSAs stay in the database and are flooded on regardless.)

What is available is filtering at an ABR (type-3 summary LSAs, with area filter-list) or at an ASBR (redistribution with a route-map). ABR filtering is somewhat less well known, but here’s how it works on Cisco:

Let’s create a range (OSPF summary) and filter the summarised routes so that only the range is advertised into the other areas. The area range on its own already suppresses the component subnets of the area it summarises; the prefix filter additionally guarantees that no more-specific 10/8 prefix from any other attached area is advertised into area 0.

Router_A:
router ospf 1
 ! Filter the range's subnets (type-3 LSA filter) as they enter area 0
 area 0 filter-list prefix PFL-subnets in
 ! The range that creates the summary:
 area 1 range 10.0.0.0 255.0.0.0

Router_B:
router ospf 1
 ! Filter the range's subnets (type-3 LSA filter) as they enter area 0
 area 0 filter-list prefix PFL-subnets in

! On both:
ip prefix-list PFL-subnets description *** Filter subnets out of the 10.0.0.0/8 range ***
! deny anything inside 10/8 that is longer than /8 (the component subnets)
ip prefix-list PFL-subnets seq 5 deny 10.0.0.0/8 ge 9
! permit everything else, including the /8 summary itself
ip prefix-list PFL-subnets seq 10 permit 0.0.0.0/0 le 32
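As an added example (my own Python, not part of the original post or of anything Cisco ships): a small evaluator for the prefix-list semantics the filter-list relies on, since ‘ge’ and ‘le’ are easy to get wrong. It parses the PFL-subnets lines above and runs a constructed set of candidate type-3 prefixes through them the way an ABR does before advertising into area 0. The candidate prefixes are made up for illustration; the matching rule is the Cisco one: the first N bits must equal the entry’s network (N being the entry’s length), and the candidate’s length must fall in the range given by ge/le, or equal N exactly when neither is present.

```python
import ipaddress

# The prefix list from the post, as it appears in the IOS config
PFL_SUBNETS = [
    "ip prefix-list PFL-subnets description *** Filter subnets out of the 10.0.0.0/8 range ***",
    "ip prefix-list PFL-subnets seq 5 deny 10.0.0.0/8 ge 9",
    "ip prefix-list PFL-subnets seq 10 permit 0.0.0.0/0 le 32",
]

# Constructed sample of type-3 prefixes an ABR might be about to advertise into area 0
CANDIDATE_TYPE3 = ["10.0.0.0/8", "10.1.0.0/16", "10.10.10.0/24",
                   "10.0.0.0/7", "172.16.5.0/24", "0.0.0.0/0"]


def parse_prefix_list(lines):
    """Parse 'ip prefix-list NAME seq N permit|deny PREFIX [ge X] [le Y]' into ordered entries."""
    entries = []
    for line in lines:
        t = line.split()
        if t[:2] != ["ip", "prefix-list"] or t[3] == "description":
            continue                                   # skip descriptions and unrelated lines
        seq, action = int(t[4]), t[5]
        net = ipaddress.ip_network(t[6], strict=False)
        ge = le = None
        for key, val in zip(t[7::2], t[8::2]):          # optional 'ge X' / 'le Y' pairs
            if key == "ge":
                ge = int(val)
            elif key == "le":
                le = int(val)
        entries.append((seq, action, net, ge, le))
    return sorted(entries, key=lambda e: e[0])          # evaluated in sequence-number order


def entry_matches(entry, prefix):
    """Cisco prefix-list semantics for one entry against one candidate prefix."""
    _, _, net, ge, le = entry
    if prefix.version != net.version or prefix.prefixlen < net.prefixlen:
        return False
    if prefix.network_address not in net:              # leading net.prefixlen bits differ
        return False
    if ge is None and le is None:
        lo = hi = net.prefixlen                          # exact length match
    else:
        lo = ge if ge is not None else net.prefixlen     # 'le' alone: from entry length up to le
        hi = le if le is not None else prefix.max_prefixlen  # 'ge' alone: from ge up to /32
    return lo <= prefix.prefixlen <= hi


def evaluate(entries, prefix_str):
    """Return (action, seq) of the first matching entry, or ('deny', None) for the implicit deny."""
    prefix = ipaddress.ip_network(prefix_str, strict=False)
    for entry in entries:
        if entry_matches(entry, prefix):
            return entry[1], entry[0]
    return "deny", None


def filter_type3(entries, prefixes):
    """What 'area 0 filter-list prefix PFL-subnets in' lets through into area 0."""
    return [p for p in prefixes if evaluate(entries, p)[0] == "permit"]


if __name__ == "__main__":
    pl = parse_prefix_list(PFL_SUBNETS)
    for p in CANDIDATE_TYPE3:
        print(f"{p:16s} -> {evaluate(pl, p)}")
```

Note that 0.0.0.0/0 le 32 matches every prefix, including 10.0.0.0/8 itself and the default, which is why the deny has to come first, and that a list with no matching entry ends in an implicit deny, so a filter-list with only deny statements blocks every summary.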

Encouragement?

 | 17:25

Well I’m still studying hard, interrupted every now and then by sleep and some fun. My idea of fun? Well, two things at the moment:

The first is a nice list of things I’d love to have and haven’t got, yet. But feel free to change that for me!

The second is a (little) moped of mine I restored a number of years ago, to my liking. It’s been unused due to expensive insurance and lack of storage space. Now that we’re living in a house with our own shed it’s home again. This year is its 20th birthday, which means oldtimer insurance.

So now I’m a member of the Nieuwe Veteranen Club and am hoping to participate in some of the tours they organise. As that’s all my moped is good for really; my car is a lot more comfortable. I’ll take some pictures soon so you can all enjoy some of my spare time too.

Cisco’s NTP authentication is b0rked

 | 25 Jul 2006 11:35

Master:
ntp authentication-key 14 md5 ladida
ntp authenticate (see comment below)
ntp source Loopback0
ntp master
ntp server source FastEthernet0/0
ntp trusted-key 14 (see comment below)

Client:
ntp authentication-key 14 md5 ladida
ntp authenticate
ntp source Loopback0
! ntp trusted-key 14 (only required when not specifying a key on the line below)
ntp server key 14

Debug on the client:

21:05:03: NTP: rcv packet from 134.14.1.1 to 134.14.7.7 on Loopback0:
21:05:03: leap 0, mode 4, version 3, stratum 2, ppoll 64

21:05:03: Authentication key 0
21:05:03: NTP: packet from 134.14.1.1 failed validity tests 10
21:05:03: Authentication failed
21:06:06: NTP: xmit packet to 134.14.1.1:
21:06:06: leap 3, mode 3, version 3, stratum 0, ppoll 64

21:06:06: Authentication key 14

The client does send authenticated packets but the master doesn’t. Mind you, configuring a ‘peer’ is symmetric (same stratum) and ‘server’ is asymmetric (NTP stratum hierarchy). Apparently Cisco has known about it for years but it’s too low a priority to fix, so don’t bother running to TAC with this…

Even configuring peers, so one can set the key on the master, doesn’t help. The authentication error disappears but no association forms.
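To see what the client-side debug above is actually checking, here is an added example (my own Python, not Cisco code and not from the original post) of the NTP symmetric-key authentication scheme from RFC 1305/5905 that IOS implements with ‘ntp authentication-key ... md5’: the sender appends a 4-byte key identifier and MD5(key || 48-byte header) to the packet, and the receiver recomputes the digest with the key it trusts for that identifier. The key table (key id 14, ‘ladida’, mirroring the config above) and the timings are constructed for the example; exchange() plays the round trip once with a master that signs its reply and once with one that does not, which is the ‘Authentication key 0 ... Authentication failed’ case in the debug.

```python
import hashlib
import hmac
import struct
import time

NTP_EPOCH_OFFSET = 2208988800        # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)

# Constructed key table; 14 / 'ladida' mirror 'ntp authentication-key 14 md5 ladida'
KEYS = {14: b"ladida"}


def build_header(mode, stratum, version=3, poll=6, transmit_time=None):
    """48-byte NTP header. mode 3 = client request, mode 4 = server reply (as in the debug)."""
    li_vn_mode = (0 << 6) | (version << 3) | mode      # leap indicator 0
    if transmit_time is None:
        transmit_time = time.time()
    secs = int(transmit_time) + NTP_EPOCH_OFFSET
    frac = int((transmit_time - int(transmit_time)) * (1 << 32))
    return struct.pack("!BBbbII4sQQQII",
                       li_vn_mode, stratum, poll, -6,    # ppoll 2^6 = 64 s, precision 2^-6
                       0, 0,                             # root delay, root dispersion
                       b"\0\0\0\0",                      # reference id
                       0, 0, 0,                          # reference, originate, receive timestamps
                       secs, frac)                       # transmit timestamp


def authenticate(header, key_id):
    """Symmetric-key MAC (RFC 1305/5905): key id (4 bytes) + MD5(key || 48-byte header)."""
    digest = hashlib.md5(KEYS[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet, trusted_keys):
    """Check a received packet the way an 'ntp authenticate' client does.

    Returns (ok, key_id, reason). A bare 48-byte packet carries no MAC, which is what
    the debug in the post reports as 'Authentication key 0 ... Authentication failed'."""
    header, mac = packet[:48], packet[48:]
    if len(header) < 48:
        return False, 0, "short packet"
    if not mac:
        return False, 0, "no MAC (Authentication key 0)"
    if len(mac) != 20:
        return False, 0, "unexpected MAC length"
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in trusted_keys or key_id not in KEYS:   # the 'ntp trusted-key' check
        return False, key_id, "key not trusted"
    expected = hashlib.md5(KEYS[key_id] + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return False, key_id, "digest mismatch"
    return True, key_id, "ok"


def exchange(master_signs_reply, when=1.0):
    """One client/master round trip. Returns the client's verdict on the reply."""
    request = authenticate(build_header(mode=3, stratum=0, transmit_time=when), 14)
    assert verify(request, {14})[0]                  # the master accepts the request with key 14...
    reply = build_header(mode=4, stratum=2, transmit_time=when + 0.01)
    if master_signs_reply:                           # ...and should sign the reply with the same key
        reply = authenticate(reply, 14)
    return verify(reply, trusted_keys={14})


if __name__ == "__main__":
    print("master signs reply:      ", exchange(True))
    print("master sends bare reply: ", exchange(False))
```

The construction is a plain keyed hash, not an HMAC, and MD5 is long deprecated; it protects a client against an unauthenticated or forged time source and nothing more, and it only works if the shared key stays off the wire (the IOS key is stored in clear text unless ‘service password-encryption’ is on).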

Just like the bootcamp

 | 23 Jul 2006 14:16

The weather is hot, I’m studying hard and there’s BBQ for lunch. Now where’s my wine and the quad?

My lovely wife knows I like a German Riesling, so there’s one cold in the fridge for tonight, and my oldtimer moped should be insured next week. Almost there… 😉

Oooh, I hate cosmetic bugs!

 | 10:29

C7500(config-router-af)#$-map D-list_EIGRP13_r2_in in f5/1/0.201
% Access-list filter exists, de-config first

I got this notification when trying to work my way around what I thought was a config line that neither generated an error nor ended up in the configuration. When trying to configure a different distribute-list, this time with a route-map, it told me that I’d have to remove the old list first. So it should be in the config and active.


Final approach

 | 09:27

Sounds very definite, doesn’t it? Well, I know that on average it should take me 3 labs to pass, but hey, you can’t blame me for having a positive attitude. Last Friday I started my last ‘week’ of studying before my first lab attempt. I’m currently working on the last ‘few’ lines of config for my own lab environment. I was counting on remote access to Heinz’s lab (the delayed ‘one week access’ after the bootcamp), but due to a miscommunication it was scheduled for the week of my exam, which isn’t very useful as obviously I’ll be resting and taking the exam that week.

Anyway, I’ll get there myself as long as I don’t find any other dead Ethernet interfaces. The 7500 in my lab is upgraded to 12.4(8) Enterprise and is happily running VRF-lite on all routing protocols. As such I’m using it to simulate about 7 routers; the only problem is that its config has become enormous, but at the moment it’s working fine.

For those who still wonder where I’ve disappeared to this week: I’ve locked myself in my attic to get some serious studying done. I’ll be out on the 31st in an attempt to relax in preparation for the 2nd of August, which is my lab date.

1st guy that passed (from my R&S bootcamp)

 | 18 Jul 2006 13:56

Wilfried Hiemetzberger passed yesterday, congratulations Wilfried! CCIE #16567

Back to studying

 | 14 Jul 2006 11:58

It’s been a while since my last post; the bootcamp was very tiring (believe it or not), so I’ve taken almost 2 weeks off from studying. Now that time is over, I’m back with my nose in my laptop, at home, trying to give some lab-like shape to the equipment I have stacked up in the DataCenter (DC).

I managed to get hold of some back-to-back cables, 2 to be precise, and I discovered I had 2 V.35 back-to-back links already active. So I’m about to reshuffle my layout, all in a day’s fun…

In case you hadn’t heard yet, my lab is booked for the 2nd of August, 17 days and counting. Not sure yet whether I’ll drive up in the morning (very early) or whether I should get a hotel.