Tuesday, October 14, 2014

CCIE Route/Switch v5: Great, Cheap Labs Book

Hey all!

Been a while since my last post. I've been spending time doing these large-scale labs. A great one, for those with a subscription to CBTNuggets (which I highly recommend), is covered in one of my earlier posts, which goes over their full-scale practice CCIEv5 lab.

But once that was done I started looking for more practice labs for download, or rented lab equipment, and I found a few, but most are very expensive - $400+ for a few labs. If all the practice labs you look at are at that cost, it's going to be a very expensive practice for a very expensive test.

I've just finished all 3 labs out of Martin J. Duggan's Cisco Press practice book, and I have to say, they are very well done. Labs 1 and 2 are perfect. Most of each lab can be completed with GNS3. There are, of course, some switching technologies that you'll need to either do on a real switch or rent some lab equipment for, because GNS3 doesn't (yet) virtualize switch ASICs.

In any case, you can find this book here on Amazon for $86. It also includes a bunch of troubleshooting practice examples. Highly recommended. Please check it out yourself!

Tuesday, September 9, 2014

CCIE Route/Switch v5 GNS3 Lab: DMVPN QoS Profile (Micro-Lab)

Hey all!

Just a tiny lab today to cover one line of the CCIEv5 study guide: DMVPN QoS Profiling per-group from the head-end.

It's a very flexible technology that allows you to assign groups from the DMVPN 'spokes' and QoS policy from the DMVPN head-end (hub).

In this lab I've built a very small DMVPN which works perfectly, but lacks per-group QoS policy. Your senior network engineer has asked you to add this, which she thinks will be a quick task.

Here's your topology: Go!

You can download the solved and unsolved lab here: http://1drv.ms/Zgmfpf. Try it yourself!

Please note that the 'solved' version shows a DMVPN policy which is different between each client DMVPN router. You could just as easily assign all client DMVPN tunnels to the same group, and control them all with the same policy. This lab shows how granular you can be.

Good luck!

Sunday, September 7, 2014

CCIE Route/Switch v5 GNS3 Lab: GRE P2P Tunneling and DMVPN over GRE

Hey all!

GRE tunneling is a fascinating topic. To a host traversing a GRE tunnel, the hops are transparent. A router that doesn't support a protocol can be made to route it with no changes to the older router - just encapsulate it in something the older router understands and you're good to go. And the commands for a DMVPN and P2P GRE tunnel can be written in such a way that they can simply be copied and pasted to a new router to have it dial in, peer with your IGP, and start injecting routes. It's an incredibly simple and powerful tool which allows for good security.

With the way corporate hacks are becoming bigger news items every day, I'd think any network engineer worth their salt is going to want to know how to encrypt traffic between controlled routers for just about everything. Even on private networks we now know the government is listening and copying data for analysis, and I'm just not cool with that. Call me a liberal, but I think our right to freedom from illegal search and seizure means something. And here's a way you can enforce it.
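
As an added illustration that is not part of the original post: the Python below builds and strips a basic GRE-in-IPv4 encapsulation (the RFC 2784 header with no checksum, key or sequence fields) using struct, and checks that the inner packet is carried verbatim. All addresses are constructed sample values. It makes the point behind the two paragraphs above concrete: GRE transports any protocol transparently across routers that know nothing about it, but on its own it offers neither confidentiality nor integrity, so the encryption the post asks for has to come from IPsec protecting the tunnel traffic.

```python
import ipaddress
import struct

IP_PROTO_GRE = 47          # IPv4 protocol number for GRE (RFC 2784)
GRE_PROTO_IPV4 = 0x0800    # protocol type carried in the GRE header for an inner IPv4 packet


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; over a header that already carries its checksum it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner_packet: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Prepend a basic GRE header and an outer IPv4 header from tunnel source to tunnel destination."""
    gre_header = struct.pack("!HH", 0x0000, GRE_PROTO_IPV4)   # C/K/S flags clear, version 0, protocol type
    payload = gre_header + inner_packet
    return build_ipv4_header(outer_src, outer_dst, IP_PROTO_GRE, len(payload)) + payload


def gre_decapsulate(outer_packet: bytes) -> bytes:
    """Strip the outer headers after checking this really is GRE-in-IPv4 carrying IPv4; raise otherwise."""
    ihl = (outer_packet[0] & 0x0F) * 4
    if ipv4_checksum(outer_packet[:ihl]) != 0:
        raise ValueError("outer IPv4 header checksum mismatch")
    if outer_packet[9] != IP_PROTO_GRE:
        raise ValueError("outer packet is not GRE")
    flags_version, proto_type = struct.unpack("!HH", outer_packet[ihl:ihl + 4])
    if flags_version & 0xB000:      # C (0x8000), K (0x2000) or S (0x1000) set: optional fields follow
        raise ValueError("optional GRE fields are not handled in this example")
    if proto_type != GRE_PROTO_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % proto_type)
    return outer_packet[ihl + 4:]


def inner_is_readable(outer_packet: bytes, inner_packet: bytes) -> bool:
    """GRE alone gives no confidentiality: the inner packet appears byte-for-byte inside the outer one."""
    return inner_packet in outer_packet


# Constructed sample: a UDP packet between two private LANs, tunnelled between two public tunnel endpoints
INNER = build_ipv4_header("10.1.1.10", "10.2.2.20", 17, 8) + b"hello!!!"
OUTER = gre_encapsulate(INNER, "203.0.113.1", "198.51.100.1")
```

Run as-is it only builds the two packets; the useful checks are that gre_decapsulate(OUTER) returns INNER unchanged, that the outer protocol byte is 47, and that inner_is_readable(OUTER, INNER) is true, which is exactly what a capture on the transit path would show for an unencrypted GRE tunnel.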

In the following topology I had a few different technologies to set up, so I created a clover-leaf type topology, where each leaf is a different tech, and you bridge them in the middle for seamless routing. I wrote out (hopefully) good instructions and requirements, as well as validation steps that should help those of you working the 'Unsolved' version, which you can download below.

Here's the topology:

Download the solved and unsolved versions here: http://1drv.ms/1rViikp

Good luck!

Monday, September 1, 2014

CCIE Route/Switch v5 GNS3 Lab: BGP Pathing, Scalability, Summarization (+ BONUS MPLS VPN, VRF)

Hey all,

This GNS3 lab covers a breadth of BGP and MPLS topics:
* BGP pathing and route preference
* BGP scalability using route reflectors and peer groups
* BGP summarization and redistribution
* MPLS VPN config using a redundant route-reflector config and private VRFs (similar to what ISPs use to create private networks for their customers)
* MPLS basic interface config

The 'unsolved' version (which you can download below) has the IGPs and IPs configured for the ISP network and for both the HQ and remote networks of CompanyA, which has asked you to come in and configure the BGP portions. Because you also work for the ISP, you'll need to configure their MPLS and BGP, configure an MPLS VPN, and configure private VRFs to keep the company's traffic separate. It's a big job - get started!

The topology looks like this:

You can download both the solved and unsolved GNS3 lab here: https://1drv.ms/f/s!AliOPzHSO-GngbgZiNH9YSAZv6hbhw

Good luck!

Sunday, August 31, 2014

CCIE Route/Switch v5 GNS3 Lab: OSPF IPv4 and IPv6 Neighbors, Network Types, and Path Selection

Hey all!

This lab covers OSPF on top of IPv4 and IPv6: establishing neighbors using different network types, tuning those neighbors to converge in sub-second increments, and using OSPF interface cost to change the path OSPF selects to route packets around your network.

It's a really fun lab to build and work with, and I recommend you attempt it yourself! The solved and unsolved versions are available for download at the link below.

Here's what it looks like:

You can download the lab here: http://1drv.ms/1vBv3U9

Good luck!

Thursday, August 28, 2014

CCIE Route/Switch v5 GNS3 Lab: BGP Peers, RouteReflectors, Scalability

Hey all,

This lab covers a portion of the BGP section of the CCIEv5 R/S study guide. The topology is an OSPF network with a BGP overlay, split into different sub-ASs inside a confederation. This allows a single route reflector to be assigned per sub-AS, and the number of required peering relationships is greatly reduced. Each sub-AS uses a different method of scalability - a method of reducing configuration lines and managing groups of neighbors at once.

Here's the topology:

Download the completed version here: http://1drv.ms/XWWcmQ


Thursday, August 21, 2014

CCIE Route/Switch v5 GNS3 Lab: EIGRP Named Instances

Hey all,

So EIGRP is a great IGP -- it's fast, flexible, and supports a ton of options to help you run your business network easily. Cisco works hard to keep that up. And in late 2012/early 2013, they introduced a mode to help make it even easier to keep EIGRP instances straight: Named Instance mode. It allows for names to be assigned which help sort purposes and keep things in order, and allows the 'old'-style of EIGRP instances to be 'nested' inside these named instances. It sounds confusing, but it's simple in practice.

I organized the lab like a problem ticket, à la the CCNP TSHOOT exam and the CCIE route/switch lab.

The lab request: Amazon and Microsoft's Bing division need help. They are running EIGRP to connect their businesses, and need someone to configure it. One of their VPs heard about this great 'named' mode of EIGRP and wants you to do that. He has created the names for you to use, and wants your company to configure it. They don't care about leaking routes, and just want to get this working yesterday. It's your job. Go!

You can download the solved and unsolved GNS3 labs, as well as the image file for the 7200 router I used for this lab. Download it all here: http://1drv.ms/1tmJhWE

Good luck!

Wednesday, August 20, 2014

CCIE Route/Switch v5 GNS3 Lab: Routing Protocol Authentication

Hey all,

This is again a pretty straightforward lab where I set up simple four-node IGP networks (EIGRPv4, OSPFv2, OSPFv3) and then turn on authentication between the neighbors. It's something you should definitely be doing in your own production network to protect your routing updates from tampering and keep unauthorized routers from joining your IGP hive-mind.
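
The authentication the lab turns on for OSPFv2 is the RFC 2328 Appendix D scheme: the sender appends a 16-byte MD5 digest computed over the packet plus the shared key, and the neighbor recomputes it with the key named by the Key ID and also checks a cryptographic sequence number against replay (OSPFv3 instead relies on IPsec AH/ESP, and EIGRP uses a similar keyed-MD5 TLV). The Python below is an added example, not code from the lab or from IOS; the hello body, key and sequence numbers are constructed, and zero-padding keys shorter than 16 bytes is this example's convention. The last check makes the security point explicit: the routing update itself is still readable on the wire, so authentication gives integrity and origin, not secrecy.

```python
import hashlib
import hmac
import struct

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTYPE_CRYPTO = 2      # AuType 2 = cryptographic authentication (RFC 2328 Appendix D)
DIGEST_LEN = 16


def _pad_key(key: bytes) -> bytes:
    # Appendix D works with a 16-byte key; shorter keys are zero-padded (this example's convention)
    if len(key) > 16:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    return key.ljust(16, b"\x00")


def dotted_to_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def build_hello(router_id: str, area_id: str, body: bytes, key_id: int, seq: int) -> bytes:
    """24-byte OSPFv2 header with AuType=2 followed by the hello body (sent in the clear)."""
    length = 24 + len(body)
    header = struct.pack("!BBH4s4sHH", OSPF_VERSION, OSPF_HELLO, length,
                         dotted_to_bytes(router_id), dotted_to_bytes(area_id),
                         0,              # the OSPF checksum is zero when cryptographic auth is used
                         AUTYPE_CRYPTO)
    # Authentication field: reserved(2), Key ID(1), Auth Data Length(1), cryptographic sequence number(4)
    auth_field = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    return header + auth_field + body


def sign(packet: bytes, key: bytes) -> bytes:
    """Append MD5(packet || key); the digest is not counted in the OSPF length field."""
    return packet + hashlib.md5(packet + _pad_key(key)).digest()


def verify(wire: bytes, keys: dict, last_seq: int) -> bool:
    """Recompute the digest with the key named by Key ID; reject unknown keys, bad digests and replays."""
    if len(wire) < 24 + DIGEST_LEN:
        return False
    length = struct.unpack("!H", wire[2:4])[0]
    if len(wire) != length + DIGEST_LEN:
        return False
    autype = struct.unpack("!H", wire[14:16])[0]
    _, key_id, auth_len, seq = struct.unpack("!HBBI", wire[16:24])
    if autype != AUTYPE_CRYPTO or auth_len != DIGEST_LEN or key_id not in keys:
        return False
    if seq < last_seq:          # Appendix D accepts a sequence number >= the last one seen from that neighbor
        return False
    expected = hashlib.md5(wire[:length] + _pad_key(keys[key_id])).digest()
    return hmac.compare_digest(expected, wire[length:])


# Constructed sample: key id 1 shared by both routers, and a hello body
# (network mask, hello interval, options, router priority, dead interval, DR, BDR)
KEYS = {1: b"labkey1"}
HELLO_BODY = struct.pack("!4sHBBI4s4s", dotted_to_bytes("255.255.255.0"), 10, 0x12, 1, 40,
                         dotted_to_bytes("0.0.0.0"), dotted_to_bytes("0.0.0.0"))
PACKET = sign(build_hello("10.0.0.1", "0.0.0.0", HELLO_BODY, key_id=1, seq=1000), KEYS[1])


def hello_is_plaintext(wire: bytes) -> bool:
    """Authentication adds integrity and origin, not secrecy: the body is still readable on the wire."""
    return HELLO_BODY in wire


def tampered(wire: bytes) -> bytes:
    """Flip the router-priority byte in the body, as an on-path modification would."""
    idx = 24 + 7
    return wire[:idx] + bytes([wire[idx] ^ 0xFF]) + wire[idx + 1:]
```

verify() returns True for PACKET with any last_seq up to 1000, and False for a replayed packet (last_seq 1001), for a modified body, for the wrong secret under the same Key ID, and for an unknown Key ID; hello_is_plaintext(PACKET) is True, which is why authentication is not a substitute for the encryption discussed in the GRE/DMVPN post.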

I'll do something interesting on this one (and maybe on future labs). I'll post both the completed lab, like I've been doing previously, as well as an incomplete one with basic topology setup so you can complete it yourself.

The topology follows and you can find the download links below it.

Find both the incomplete and complete download here: http://1drv.ms/1s1g0hp

Good luck!

Monday, August 18, 2014

CCIE Route/Switch v5 GNS3 Lab: Policy-Based Routing

Hey all!

This mini-lab covers PBR (Policy-Based Routing), a super-cool feature that allows different hosts or subnets to be routed to different destinations. It's a great tool when you have some hosts or services which you'd like routed out a different internet connection, or possibly through a SPAN service.

Honestly, this lab is pretty simple compared to the series I've been posting, but I find PBR so COOL I decided to make it its own post. I also stripped out my own solution, so you are free to solve this one yourself. You can find the answers by highlighting at the end of this post. Hope you enjoy!

You can download the topology here: https://1drv.ms/f/s!AliOPzHSO-GngahR8F1LsAfLZ9MTfQ

Good luck!

! Standard ACLs select the source hosts/subnets to policy-route (the address arguments are left blank here)
access-list 92 permit
access-list 95 permit
! Route-map sequences are evaluated in order; the first sequence whose ACL permits the source wins
route-map PBR1 permit 10
 match ip address 92
 set ip next-hop
route-map PBR1 permit 20
 match ip address 95
 set ip next-hop
! No match and no set clause: everything else is forwarded by the normal routing table
route-map PBR1 permit 30
! PBR acts on traffic arriving on the interface the policy is applied to
interface FastEthernet1/0
 ip policy route-map PBR1
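
As an added example (not part of the post or the lab files): a small Python model of how IOS evaluates a PBR route-map against standard ACLs, so the semantics of the answer above can be checked without a router. The ACL addresses and next hops are constructed sample values, not the lab's. Two details it exercises that trip people up: a 'deny' entry inside an ACL referenced by a permit sequence means "this sequence does not match" (evaluation falls through to the next sequence, nothing is dropped), and a permit sequence with no set clause, like sequence 30, hands traffic back to the normal routing table.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    source: ipaddress.IPv4Network    # a standard ACL matches on source address only


@dataclass
class RouteMapSeq:
    seq: int
    action: str = "permit"
    match_acl: Optional[str] = None  # 'match ip address <acl>'; None = no match clause = matches everything
    next_hop: Optional[str] = None   # 'set ip next-hop <ip>'; None = no set clause


def acl_line(action: str, address: str, wildcard: str = "0.0.0.0") -> AclEntry:
    """Translate 'access-list N permit A.B.C.D W.X.Y.Z' into a network (contiguous wildcards only)."""
    w = int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address((~w) & 0xFFFFFFFF)   # wildcard 0.0.0.255 -> mask 255.255.255.0
    return AclEntry(action, ipaddress.IPv4Network(f"{address}/{netmask}", strict=False))


def acl_permits(acl: List[AclEntry], src: ipaddress.IPv4Address) -> bool:
    """Standard ACL semantics: the first entry that covers the address decides; implicit deny at the end."""
    for entry in acl:
        if src in entry.source:
            return entry.action == "permit"
    return False


def policy_route(src_ip: str, route_map: List[RouteMapSeq],
                 acls: Dict[str, List[AclEntry]]) -> Optional[str]:
    """Next hop chosen by the route-map for a packet from src_ip, or None when the routing table decides."""
    src = ipaddress.IPv4Address(src_ip)
    for seq in sorted(route_map, key=lambda s: s.seq):
        if seq.match_acl is not None and not acl_permits(acls[seq.match_acl], src):
            continue                       # ACL deny or no match: try the next sequence, not "drop"
        if seq.action == "deny":
            return None                    # a deny sequence means: do not policy-route, use the routing table
        return seq.next_hop                # permit with no set clause -> None -> normal forwarding
    return None


# Constructed sample with the same shape as the answer above (the lab's own addresses are not reproduced)
ACLS = {
    "92": [acl_line("deny", "10.1.1.250"), acl_line("permit", "10.1.1.0", "0.0.0.255")],
    "95": [acl_line("permit", "10.1.2.0", "0.0.0.255")],
}
PBR1 = [
    RouteMapSeq(10, match_acl="92", next_hop="192.0.2.1"),
    RouteMapSeq(20, match_acl="95", next_hop="192.0.2.2"),
    RouteMapSeq(30),     # no match, no set: everything else follows the routing table
]
```

With these tables, a source in 10.1.1.0/24 is sent to 192.0.2.1, one in 10.1.2.0/24 to 192.0.2.2, the excluded host 10.1.1.250 and any other source get None, i.e. ordinary destination-based forwarding.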

Sunday, August 17, 2014

CCIE Route/Switch v5 GNS3 Lab: Advanced IPv4 PIM, MSDP

This blog covers the CCIEv5 section entitled: "2.2.b Implement and troubleshoot IPv4 protocol independent multicast" as well as "2.2.c Implement and troubleshoot multicast source discovery protocol."

It covers a larger network of routers connected with the different varieties of PIM. Cisco's implementation of PIM supports the following modes:

PIM Dense Mode: This is closer to the original method of PIM, where all network locations are assumed to be part of the multicast. At a specific interval (3 minutes by default), traffic is flooded into a network segment, each switch/router without receivers has to prune itself (opt out), and then the timer starts again. If you're watching this on a network monitor it looks like highly regular traffic spikes whenever the multicast traffic is flooded.

PIM Sparse Mode: This version of PIM supports SSM (Source Specific Multicast) by default, and automatically routes traffic down the least costly path, directly from source to destination, instead of routing everything through the RP. It also assumes that hosts don't want to receive traffic, and clients must continually update their membership in the multicast group, or they are excluded.

PIM Sparse-Dense Mode: A mode that originated from migration scenarios from sparse to dense mode. Supports both, and upgrades to sparse mode when an RP is configured or located with auto-RP.

PIM Bidirectional Mode: This version of PIM is a mixture of sparse and dense mode oriented towards a large number of sources and destinations. It's targeted towards organizations that see great numbers of both, so many that the stability of their routers might be affected if using vanilla sparse mode.

RPs are elected automatically via Cisco's proprietary Auto-RP. This is supported on most Cisco routers, but if you're working with other types of routers or a mixed group, you can use the open-standard alternative called BSR.

Auto-RP allows PIM members to dynamically discover candidate RP nodes instead of having them statically configured. It allows for a more flexible network in the event of a failure or change, though not nearly as fast as an IGP: the default failover time is 3 minutes. Basically, there are two roles: RP candidates, which are usually near the network or traffic-flow core, and mapping agents, which listen for RP candidates and tell the PIM member nodes which ones to use. This distributes the tasks and processing, although both consume relatively little processing power.

BSR (Boot Strap Router): Very similar to AutoRP, except easier to configure and supported on most types of routers as an open standard. Maybe not quite as feature-riffic, but fits most use cases.

Here's my topology:

You can download it here: http://1drv.ms/1lc5jdN

Good luck!

Saturday, August 16, 2014

CCIE Route/Switch v5 GNS3 Lab: IPv6 Addressing, Subnetting, and IPv6 Multicast

This is a rather simple topology focused on different IPv6 addressing methods. There are a surprising number of them:

EUI-64 Addressing: An addressing method for IPv6 where an engineer configures the subnet, and then tells the router to figure out its own host ID based on the local MAC address. Because of the large subnets supported by IPv6, this method of addressing is possible, simple, and scalable.

IPv6 Stateless AutoConfig/SLAAC: Hosts (or other router devices, if required) listen for RAs from an available router and copy the network/subnet address and add their own client address to the end (which they base on their MAC address if they can).

IPv6 Global Prefix: A shortcut on Cisco routers which allows a 'global' or 'organization' prefix to be set once, so that all local interfaces on that same router can be addressed with a shorthand instead of typing the entire address.

IPv6 Multicast Routing: Along with a new address range, PIM has been optimized for IPv6. It's also assumed to be on, and runs by default in sparse mode. There's very little config to set it up. Unfortunately there's no support yet for Auto-RP, so rendezvous points (RPs) need to be set up manually, and each network device will need to be touched if there's ever a change. There is redundancy, though, by configuring multiple RPs on each device - a manual but effective process.

Manual Addressing: That's not to say you can't just manually specify each octet (?) of your devices. A related thread: the groups are no longer 8-bit (oct-et) groups. Since IPv6 is written in hex, each grouping is worth 16 bits. So I guess they're... hexakaidec-tets. But that's a really long name, so I'll continue calling it an 'octet,' unspecific as that is.
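
The EUI-64 and general-prefix methods above are both simple bit operations, so here is an added Python example (not from the lab or from IOS) that carries them out: it derives the modified EUI-64 interface ID from a MAC address the way 'ipv6 address ... eui-64' and a SLAAC host do (split the MAC, insert FF:FE, invert the universal/local bit), combines it with a /64, and reverses the derivation, which is the privacy caveat of EUI-64: the hardware address is readable from the IPv6 address. The general-prefix function is an emulation of the IOS shorthand as an assumption, not a reproduction of IOS code. The MAC and prefixes are constructed sample values.

```python
import ipaddress


def mac_to_eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface ID (RFC 4291 Appendix A): split the MAC, insert FF:FE, invert the U/L bit."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "")   # accepts 00:50:56:ab:cd:12 or 0050.56ab.cd12
    octets = bytes.fromhex(digits)
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    eui = bytes([eui[0] ^ 0x02]) + eui[1:]          # universal/local bit is bit 1 of the first octet
    return int.from_bytes(eui, "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """What 'ipv6 address <prefix>/64 eui-64' (or a SLAAC host using EUI-64) produces from a /64 and a MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs need a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | mac_to_eui64_iid(mac))


def mac_from_eui64_address(address: str) -> str:
    """Undo the derivation. That this works is the privacy caveat of EUI-64: the address reveals the NIC."""
    iid = int(ipaddress.IPv6Address(address)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        raise ValueError("interface ID is not EUI-64 derived")
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join("%02x" % o for o in octets)


def apply_general_prefix(general_prefix: str, interface_suffix: str) -> ipaddress.IPv6Address:
    """Emulation (an assumption about IOS 'ipv6 general-prefix'): the organization prefix bits OR'd with
    the subnet/host bits given on the interface, e.g. ::2:0:0:0:1 under 2001:db8:1::/48."""
    gp = ipaddress.IPv6Network(general_prefix, strict=False)
    suffix_bits = 128 - gp.prefixlen
    suffix = int(ipaddress.IPv6Address(interface_suffix)) & ((1 << suffix_bits) - 1)
    return ipaddress.IPv6Address(int(gp.network_address) | suffix)


# Constructed sample values (Cisco dotted MAC notation)
SAMPLE_MAC = "0050.56ab.cd12"
SAMPLE_PREFIX = "2001:db8:1::/64"
```

For SAMPLE_MAC the interface ID is 0250:56ff:feab:cd12 (first octet 00 becomes 02 because the U/L bit is inverted), giving 2001:db8:1:0:250:56ff:feab:cd12 under SAMPLE_PREFIX, and mac_from_eui64_address recovers 00:50:56:ab:cd:12 from it.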

You can download the configuration here, with tasks labeled: http://1drv.ms/1rHb1SJ

Good luck!

Monday, August 4, 2014

CCIE Route/Switch v5 GNS3 Lab: Multiple Default Routes

I recently discovered a secondary internet connection at our DR site. We have a private line between our sites, as well as another MPLS connection at our DR site.

I decided to build an automatic failover in case our internet connection or even an entire site goes down, which is a wickedly complex problem. There is two-way redistribution between MPLS (which connects both sites) and our private link, which runs EIGRP (obviously also connecting both sites).

My solution involves:
* Each gateway router running EIGRP has a default route based on a tracker. The trackers on each are a ping-check every 3 seconds to a public IP, which is forced (with a /32 static route) down a specific interface.
* Each gateway injects its default route, when available, into EIGRP with a route-map that sets a different metric on the default route. The DR site's default route adds 1,000,000 to the metric so no routers will use it. That number will vary based on the complexity of your company's topologies.
* Each BGP gateway router injects EIGRP routes into BGP with a route-map. That default route at our main site is set at metric 50 (remember, for BGP's metric (MED), the lowest value wins). The DR site prepends the local AS number a few times to make sure it is a less desirable option than the primary MPLS site, and will only be used if the primary is down.

An internet connection failure can be simulated by shutting down the loopback interface that carries the IP address on either ISP router.

The topology requires many of the elements in our production network, so it's more complex than usual - 19 routers.

Download the files and GNS3 topology here: http://1drv.ms/1kuDUmU

Thursday, July 24, 2014

CCIE Route/Switch v5 GNS3 Lab: Infrastructure Security

Hey all,

This lab contains a whole lot of layer 2 and layer 3 infrastructure security features like ACLs, RPF (reverse path forwarding checks), SNMP controls, etc. GNS3 doesn't simulate switching features as well as routing, so some of what I wanted to do I wasn't able to. Some of that is documented in text on the right side of the lab, where it can still be read and learned from.

These labs are all based around subject matter defined in the CCIEv5 lab blueprint. The full workup is here: http://www.cisco.com/web/learning/exams/docs/ccieRS_Lab5.pdf (Cisco login required to view).

In any case, this lab contains an OSPFv3 IPv6 network bridged to an IPv4 EIGRP network, with these security features intertwined. I recommend looking at the requirements page and then deleting/renaming the local configs that I've uploaded. Then see if you can meet the requirements on the GNS3 file. Once done, compare your results to mine and see if we solved it a different way. Remember, there are always multiple ways to solve each problem, in real life and in the lab.

You can download the lab files and configs here: http://1drv.ms/1pfKL2g

Good luck!

Sunday, July 20, 2014

CCIE Route/Switch v5 GNS3 Lab: IGMP/PIM/AutoRP

Hey all,

This lab covers IGMP and PIM sparse-dense mode. I didn't delve much into sparse-mode and dense-mode PIM because they're all so similar -- a simple designation of mode, and they're configured. The main difference is whether the system assumes all nodes want the traffic (dense mode) or assumes nobody wants the traffic (sparse mode). Sparse-dense is an extension of PIM that allows a node to adapt to the group which it joins -- it defaults to dense mode, but if an RP is known or configured for a group, it switches to sparse mode.

I also configured Auto-RP, so all nodes will automatically learn the address of a rendezvous point (RP), and redundancy can easily be built into the system. This required one node (or as many nodes as you want) to be configured to enter its candidacy for RP, and at least one RP-mapping agent. This agent doesn't have to be an RP candidate, and there can again be multiple configured. It'll listen for candidate RPs and advertise those to the regular members of PIM who are listening for information from them. You can learn more about Cisco sparse/dense/sparse-dense mode here: http://goo.gl/ZBZyoY

Download the GNS3 lab topology with configurations here: http://1drv.ms/1qlAuFj

Friday, July 18, 2014

CCIE Route/Switch v5 GNS3 Lab: CBT Nuggets Practice Lab

Hey all,

This lab is a lot of fun. I've been using CBTNuggets to study for the CCIE, and Jeremy Cioara (who, by the way, is a GENIUS) teaches a great course that's just a practice CCIE lab that he walks you through.

He recommended doing it yourself first to see if you could and I got all the way through it -- with a few exceptions. I posted it here for others to check out, and maybe learn from -- I didn't check most of my work against Jeremy's, so I imagine I solved some of the problems in different ways.

It's pretty ridiculous what you're asked to do -- very complex, overlapping technologies. Click on the picture below to see the entire topology that I used. Jeremy didn't provide one, so I built one myself.

You can download the unsolved as well as my version of the solved GNS3 lab below!

The GNS3 video series is here: https://www.cbtnuggets.com/it-training-videos/course/cisco-ccie-routing-switching-practice-lab <-- This requires a subscription, but you can check out the first minute or two of each video for free as a sample. You'll need to subscribe to get access to CBTNuggets' great full lab topology and instruction requirements, but consider the solved version a taster for what you'll be asked to do.

Download both the solved and unsolved versions of the GNS3 lab here: http://1drv.ms/1jGAtsE.

Good luck!

Thursday, July 17, 2014

CCIE Route/Switch v5 GNS3 Lab: Layer2 WAN Technologies

A lab which covers HDLC and PPP encapsulation, CHAP and PAP authentication, MLPPP to multiplex serial connections like T1 lines, and PPPoE, the common authentication and negotiation protocol used for at-home DSL connections.

You can find the lab here: http://1drv.ms/1yz4tKt

Good luck!

Monday, July 14, 2014

CCIE Route/Switch v5 GNS3 Lab: MPLS VPN

Hey all,

As I practice labs for the CCIE, I think I'll upload my configuration samples and labs so you all are able to see them.

This lab covers a complete MPLS setup including private VPNs spanned across an MPLS cloud. It also includes the configuration many companies deploy at remote sites to redistribute their local site configurations into the MPLS VRF in order to use IGPs (this lab uses OSPF and EIGRP).

Lab is here: http://1drv.ms/1OFvMhw


Thursday, July 10, 2014

Software-Defined Networking in the Physical World

I just finished a short lunch-hour style training on the Cisco Prime platform, and I've got to say - they get it. No one wants to play with switches all day.

That's a hard thing to admit. I've spent 500+ hours studying for Cisco certifications, and I'm currently prepping for a CCIE, a certification solely in route/switch that costs over $1,500 per attempt in a far-away state. But I'm confident saying it:

I don't want to work on switches all day.

I want to work on a management platform that can completely configure, control, and monitor my route/switch infrastructure. I want to use this platform to correlate threat data and alert me when my ports are filling up, let me know when to plug in another cable between my switches so it can configure a port-channel, and I want it to have the smarts to shut down a network storm.

If Cisco enabled CDP to allow for simple management, the management appliance could reach new devices by chaining through CDP-enabled devices to set up the management connection on new devices. It could also allow for recovery if a command renders a device unreachable.

In short, I want my network devices to act like lightweight APs - they have some ability to operate themselves, but they are able to act intelligently and seamlessly when controlled by a central management station.

This is entirely possible, and appears to be where Cisco is going.

Let me start over - Cisco's Prime platform is a super-charged monitoring platform. It's able to discover and monitor all your routers, switches, ASAs, etc., with great reporting. It's able to apply templates that you've built to a switch once you've given the switch a base config and a routable IP that the management device can reach.

But still, you need to know the configs. You need to know which things to turn on and turn off and why. I'm sure there's an argument there that only the experts in the field, who've invested significant time and money (wink wink), should be doing this anyway, so who cares?

If Cisco is able to realize this dream, they'll have brought the fantastic benefits of Software Defined Networking (SDN) into the physical world.

They'd allow existing businesses with millions invested in 'heavy,' self-managed switches to upgrade their switches' software and enable central, intelligent management. Costs for expertise in networking will go down, and the cost of running a business will go down. Constantly mutating security attacks can be more quickly identified by taking the aggregate data and correlating it in a central place.

More importantly, if Cisco doesn't move to do this quickly, someone else will.

You can read Cisco's information on Cisco Prime here: http://www.cisco.com/c/en/us/products/cloud-systems-management/prime.html

Tuesday, June 24, 2014

CCIE Lab - Back To Business

My post to finish out my CCIE journey is here.

Alright -- I passed the CCIE route/switch written. Which is awesome. There is a great deal of information and concepts in that test, and in all the tests and study that have brought me to this point. I'm proud of myself and my accomplishment. My total is around 1600 hours of study thus far.

Damn right I'm proud

But that's behind me. I've taken two weeks off, and now it's time to start getting ready to face the dragon. The CCIE route/switch lab is a heck of a test: an 8-hour-long practical in a distant state, with many different rules and requirements that can cost points and fail an exam.

The failure rate on the first attempt is 90-95%
The failure rate for any attempt is around 80%

I've been using video on demand through CBTNuggets, and I've bought several books that cover the certification. Every single one says to expect to fail. The odds are so harsh, and it's so hurtful to a tester's confidence to expect to succeed and then fail, they all say that the first try is a 'practice' attempt.

A $1600 practice attempt!

I don't intend to take this test twice, but I'm not going to let that eat at me. The goal is to get the certification. If I have to test twice, 3x, 4x, I'm going to get it. But my wallet and my lovely wife would be thankful if, on this first attempt, I'd fall into that exceedingly qualified 5-10% that pass on the first try.

So it's back to studying. My studying schedule for around the past 18 months has been unchanged:
* M-F - study over my lunch hour, then 7-9:30 after work
* Saturday: Study 9-3, date night with Lindsey
* Sunday: 9-3, house chores, groceries, cooking

A part-time job would consume less time

It's almost 30 hours each week if I stick to my schedule. I invariably skimp on a single night, or take some extra time off to spend time with friends, but it's close.

The goal is still to get the CCIE number by Thanksgiving of this year. It's an aggressive, challenging goal. If I make it, I'll be around CCIE #50,000 in the world.

Wish me luck!

Thursday, April 17, 2014

Solution: EAP Wireless Failure, "Network authentication failed due to a problem with the user account"

Earlier today I set up an 802.1X EAP wireless network with a Ruckus WLAN controller.

Here's the setup:
* Ruckus WLAN controller with a few dozen headless Ruckus WAPs
* Domain CA enrolled in AD, pushing certificates to all client PCs via group policy
* Windows 2008R2 NAP server authenticating clients based on the AD group "Domain Users"

I set up the NAP server and Ruckus according to this guide - http://forums-archive.ruckuswireless.com/forums/8/topics/1278

Everything looked perfect, but I was getting a strange error on my test client when attempting to join the wireless network. Here's the error message:

A request was made to authenticate to a wireless network.

Security ID:
Account Name: kyler.middleton
Account Domain: (removed)
Logon ID: 0x517503

Network Information:
Name (SSID): Test-RadiusWireless
Interface GUID: {b02ab000-4120-483a-8633-9c473d7a5004}
Local MAC Address: 40:F0:2F:4B:FA:33
Peer MAC Address: C4:01:7C:96:FA:18

Additional Information:
Reason Code: Explicit Eap failure received (0x50005)
Error Code: 0x40420110
EAP Reason Code: 0x40420110
EAP Root Cause String: Network authentication failed due to a problem with the user account

EAP Error Code: 0x40420110

I tore every piece of my NAP setup apart -- went through every line of relevant group policy, certificates, and Ruckus wireless configuration -- until I found the issue.

I had set the NAP server (Windows 2008R2) to use the certificate of the trusted domain CA to sign the EAP messages. Though the client had the same trusted CA installed locally, a CA certificate is not a server certificate, so the client was rejecting the two-way EAP authentication.

The issue was fixed when I changed the certificate the Windows NAP server was using to sign the EAP messages. When I updated it to a certificate signed by the CA (rather than the CA's own certificate), everything started working immediately.

Good luck to you!

Friday, March 21, 2014

P2P Open-Sourced Comm Infrastructure

1. People are everywhere.

2. Most (at least in first-world countries) own a smartphone that they bring everywhere.

3. Because of this, there exists a 'living' network of programmable mobile computers with long-range data-capable antennas.

4. An application could be written that uses these data antennas to communicate p2p.

5. If enough users opt-in, the need for established ISPs and TelCos is eliminated.

If non-repudiation and reliable encryption could be written as an open-source software tool that's easy enough for non-technical, crypto-smart people to use, we could:

* Seriously disrupt the business model of highly entrenched ISPs and TelCos

* Strengthen the communications infrastructure of the populated world

This is my new project. Suggestions welcome.