Archive for August, 2007

Static routes since 12.3

 | 31 Aug 2007 10:56

Since 12.3 (T?), static routes pointing to interfaces will be advertised by RIP and EIGRP as these static subnets are assumed to be part of the interfaces on which RIP and/or EIGRP is activated.

ip route prefix mask {ip-address | interface-type interface-number [ip-address]} [dhcp] [distance] [name next-hop-name] [permanent | track number] [tag tag]

Activity limit exceeded

 | 16 Aug 2007 00:04

Eek, Cisco keeps tabs on page hits when checking available lab seats. I set up Firefox to automatically reload the page, which works fine but resulted in me being locked out. Luckily only for a day but at 28 days before my ideal lab date this is not funny.

The following advice to all who’re desperate for a lab date: Be persistent but do not overdo it.

ERROR: The ‘Available Lab Seats’ activity limit for the candidate has been exceeded for today. Please try again tomorrow.

2nd of October

 | 15 Aug 2007 15:41

Wow, I managed to spot and book the 2nd of October instead of my February 7th seat. Hopefully I’ll manage to swap this day for September 14th with someone from Vietnam. Poor guy that is a long way to come for a lab… But as you can see from my previous post swapping seats is a risky business.

[edit, 17 Aug 2007] I’ve managed to move to September 28th and I’ll stick with it for now. There’s enough to keep me busy till then, may circumstantially even have to move my date back. I’ll be diving back into the books/lab next week, too much social stuff going on this week.

[edit, 10 Sep 2007] Sadly I have cancelled my September 28th seat. There’s just too much going on right now to be able to concentrate, let alone to have enough time to commit to studying. I’m hoping I’ll be able to move my Feb 19th date forward but for now it would be wise to keep the February date, at least until some things settle down.

Booking a lab seat

 | 13 Aug 2007 09:58

As many people have found it’s rather hard to book a lab seat these days. All locations are fully booked. The occasional cancellations are snapped up in minutes.

I did manage to book a seat but it’s one of the seats that became available last Saturday, Cisco gives seats out 6 months ahead of time. They are snapped up within hours if not minutes. Many people just book anywhere in the hope they can swap later on, or figure out how to pay for the travel. Mails about swapping lab seats are becoming more and more frequent on Groupstudy.

I must admit that I’ve joined the ranks here. I’m looking for a seat on Sept 10th. Need to call Cisco today, hoping to be able to safely swap seats with someone who is willing to swap Sept 14th for my day in Feb. So my advice to anyone planning to take their lab in the next year: Plan your lab carefully.

[edit, 15 Aug 2007] Well I called Cisco (see this link) and as expected they refuse to swap lab dates. No manual database work will be done. When I argued that seats are booked within minutes after becoming available, their advice was to swap seats during off peak hours. My goodness even I considered flying out to Sao Paulo, this is a global struggle for CCIE lab seats. There are no off peak hours!

So for those planning to swap dates. My advice is get on the phone, MSN, IRC or whatever other low delay medium (this means no e-mail) and make sure you pick each other’s dropped seats up asap. Sadly there is no safe way of swapping seats.

Oh dear…

 | 11 Aug 2007 08:40

Well I received my results just as I took a snapshot of the window that’s been haunting me since I got home last night. No pass this time… 🙁

So I’ll have to pick up speed and book another lab asap.

[edit] To make matters worse, Cisco has no dates available at all. I hope this is a system error but I know that the earliest people have managed to book at this time is around end of Jan 2008…:

There are no available lab dates for the selections you made. You may want to adjust your criteria to find lab dates convenient for you. Also, check back frequently in case there are cancellations.

Pfew, 2nd attempt completed

 | 10 Aug 2007 20:29

Totally different from last year, I ran out of time. I knew it might happen as I just didn’t have the speed in my fingers and mind as I did for the first attempt and I wanted to be more thorough. I’d like to think I was more thorough but I also blanked out twice which lost me probably about half an hour in total. Stupid ‘bgp update-source’ addresses… 😉

Oh well, in all I think I lost 14 points to unanswered questions or uncertain answers. This leaves about 6 points leeway, not a lot but just maybe enough. Also nice is that this time I don’t have the mail before I get home so I’m taking that as a good sign: at least this time I wasn’t completely hopeless.

Will post as soon as I know, checking my mail regularly and the certification page. That page is weird by the way, it lists my attempt with links for a ‘Submit Critique’ & ‘Request for Reread’ but no real result is stated. I’ll be twiddling my thumbs a little longer I guess.

Last post before my 2nd attempt

 | 8 Aug 2007 23:53

Well, it’s Thursday evening and I’ve gone over (too?) many topics today. Time to take a break and rest before the big day. So I’ll be trying to stay away from my laptop tomorrow (fat chance I know) and get some rest, hopefully by some sleeping in the sun.

Will post here as soon as I get some time at home after the lab and of course as soon as I have my results.

NAC (dot1x)

 | 20:59

A quick and dirty rip from CCO just for those who’re in a hurry:

Enabling 802.1x Authentication

To enable 802.1x port-based authentication, you must enable AAA and specify the authentication method list. A method list describes the sequence and authentication methods to be queried to authenticate a user.

The software uses the first method listed to authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle, the authentication process stops and no other authentication methods are attempted.

SUMMARY STEPS

Configure:

  1. aaa authentication dot1x {default | listname} method1 [method2...]
  2. interface interface-id
  3. dot1x port-control auto

Verify:

  1. show dot1x

I love Safari

 | 20:55

As I’m on a roll posting things today anyway…

I love Safari, now reading “CCIE Practical Studies, Volume 2” by Karl Solie & Leah Lynch. I have a hard copy of “CCIE Practical Studies, Volume 1” by Karl Solie, but volume 2 is a great addition to volume 1. It brings a lot of up-to-date information while not doubling the info in volume 1, well not in great detail anyway as it often refers to volume 1.

So highly recommended for those prepping for their R&S!

PVLAN on a 3550 & 3560

 | 16:14

Amazingly the 3550 doesn’t support PVLAN, the 3560 does. So what are the options?

| Catalyst Platform | PVLAN Supported Minimum Software Version | Isolated VLAN | PVLAN Edge (Protected Port) | Community VLAN |
|---|---|---|---|---|
| Catalyst 3550 | Not supported | Not supported | Yes. 12.1(4)EA1 onwards | Not supported |
| Catalyst 3560 | 12.2(20)SE – EMI | Yes | Yes. 12.1(19)EA1 onwards. | Yes |

No IPv6 for ESM

 | 14:26

One has to love these little snippets dispersed across CCO. Reading up on Ether Switch Modules (ESM) I came across this little ‘Note’:

Layer 3 IPv6 packets are dropped when received by the switch.

I’m not sure if anyone can verify this for me, I should have a HWIC-4ESW somewhere but not in my CCIE lab so can’t lab this now. It seems rather silly not to have IPv6 support on there, especially with the increasing talk about ‘having’ to migrate to IPv6 ‘soon’. Would be even worse if you can IPv6 enable the vlans on an ESW but it drops received IPv6 packets…

Labbing ODR

 | 13:32

ODR (On Demand Routing) is part of the R&S lab blueprint and the univercd has only one page on it. Can’t be too hard can it? Well that’s right but still it’s good to have done it once and see it in action. My first try failed as I didn’t know that ODR doesn’t work if there’s a routing protocol active on the stub router.

Some ODR characteristics:

  • Hub and spoke (stub) network
    • ODR is only enabled on the hub
    • Hub automatically advertises a default-route to the spoke
  • Uses CDP, so CDP neighborship must be established between hub and spoke
    • Enable CDP on F/R links and make sure the IP mappings support broadcasts
    • Vlans: Ensure that the routers can see each other rather than the switch they’re connected to (use l2protocol-tunnel or dot1q tunnelling)
  • No dynamic routing allowed on the spoke
  • Redistribution into ODR doesn’t work (not allowed)

My lab test:

Smartport macros (3550)

 | 00:17

Nice of Cisco to preconfigure some macros for our usage, but how does one know what they do before applying them? Well, using “show parser macro …” one can see what is supported and their content. My search for smartport macros first found me the following list (extract below), however this is for a 2955. The current R&S lab uses 3550 and 3560 so what to expect?

  1. cisco-global
    Use this global configuration macro to enable load balancing across VLANs, provide rapid convergence of spanning-tree instances and to enable port error recovery.
  2. cisco-desktop
    Use this interface configuration macro for increased network security and reliability when connecting a desktop device, such as a PC, to a switch port.
  3. cisco-phone
    Use this interface configuration macro when connecting a desktop device such as a PC with a Cisco IP Phone to a switch port. This macro is an extension of the cisco-desktop macro and provides the same security and resiliency features, but with the addition of dedicated voice VLANs to ensure proper treatment of delay-sensitive voice traffic.
  4. cisco-switch
    Use this interface configuration macro when connecting an access switch and a distribution switch or between access switches connected using GigaStack modules or GBICs.
  5. cisco-router
    Use this interface configuration macro when connecting the switch and a WAN router.
  6. cisco-lre-cpe
    Use this interface configuration macro to optimize performance when the switch is installed in apartment buildings or hotels, or when it is used to deliver Video-on-Demand (VoD), or multicast video.
  7. cisco-wireless
    Use this interface configuration macro when connecting the switch and a wireless access point.

The complete supported list of commands on a 3550 is:

Port-security maximum 3 (for phones)

 | 7 Aug 2007 23:22

3 for phones? Was reading this and it stated the following. Nice one to keep in mind during the lab…

switchport port-security maximum 1 (or 3 for phones)

If port-security is turned on, the default number of allowed mac-addresses is 1. For an IP phone, we need 3 – one for the workstation, one for the phone on the voice Vlan and one for the phone on the native Vlan for CDP.

[edit] It’s funny checking this that the smartport macro only sets the maximum at 2:

--------------------------------------------------------------
Macro name : cisco-phone
Macro type : default interface
# Cisco IP phone + desktop template
...
# Enable port security limiting port to a 2 MAC
# addressess -- One for desktop on data vlan and
# one for phone on voice vlan
switchport port-security
switchport port-security maximum 2

[edit] Sneaking a peek at my 877 home cpe I notice that indeed the mac address of my 7960 phone is seen on both the data and voice vlan…

home-cpe#sh mac-address-table
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  -------------------
0011.2189.c317       Dynamic          1  FastEthernet0
0011.2189.c317       Dynamic         10  FastEthernet0

(irrelevant output removed)
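
An added example (not from the original posts or from Cisco): a small Python audit that checks a running-config against the 802.1x steps quoted in the NAC post above and the phone-port MAC count discussed in this post. The sample config, interface names, VLAN numbers and the functions `parse_interfaces` and `audit` are constructed for illustration; the threshold of 3 is this page's figure.

```python
import re
# Constructed running-config for illustration (not from the original page).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
interface FastEthernet0/1
 switchport mode access
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 dot1x port-control auto
interface FastEthernet0/2
 switchport mode access
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 3
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from running-config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # back at global configuration level
    return interfaces

def audit(config, phone_macs=3):  # 3 is the page's figure for phone ports
    findings = []
    if not re.search(r"^aaa authentication dot1x \S+ \S+", config, re.M):
        findings.append(("global", "no dot1x method list"))
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue
        if "dot1x port-control auto" not in cmds:
            findings.append((name, "dot1x port-control auto missing"))
        voice = any(c.startswith("switchport voice vlan ") for c in cmds)
        if not (voice and "switchport port-security" in cmds):
            continue
        limit = 1  # default when no 'maximum' line is configured
        for cmd in cmds:
            m = re.fullmatch(r"switchport port-security maximum (\d+)", cmd)
            limit = int(m.group(1)) if m else limit
        if limit < phone_macs:
            findings.append((name, f"{limit} MAC(s) allowed, {phone_macs} wanted"))
    return findings
```

Calling `audit(SAMPLE_CONFIG)` flags the first port for the macro-style limit of 2 and the second for the missing 802.1x port control.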

Other 3550 voip phone ready access-port stuff from the same page:

3550 mls qos

 | 22:37

Reading CCIE Practical Studies Volume II on Safari I thought I’d check out mls qos on the 3550 I have in my CCIE lab. Being familiar with the QoS mapping on a 6500 (sup720) and a 4500 (sup IV?), I was surprised to find something I’d not seen before:

  • Policed-dscp map

So I started searching for what it’s for and I quickly found the following information.
