|
Filthy_McGreasy posted:
Do you have any suggestions on how to prepare for the CCIE? What equipment is good to practice with? Did you just purchase a set amount of hours on practice equipment? Any online articles that are worth reading before I get started?

For the record I am not a CCIE, but I've put in two R&S lab attempts. I believe I took my second lab concurrent with another goon, "The Router Ninja", that passed.

Here's the info from Cisco on the blueprint, equipment, and suggested reading:
http://www.cisco.com/web/learning/le3/ccie/rs/lab_exam_blueprint.html
http://www.cisco.com/web/learning/le3/ccie/rs/lab_equipment.html
http://www.cisco.com/web/learning/le3/ccie/rs/book_list.html

Go read the group study email list:
http://www.groupstudy.com/archives/ccielab/

Now pick a study vendor for practice labs / classes:
http://www.netmasterclass.net/
http://www.internetworkexpert.com/
http://www.ipexpert.com/
http://www.ccbootcamp.com/

Rent rack time from someone that offers your chosen vendor's practice topology:
http://www.gigavelocity.com/
http://ccie2be.com/ccie2be.html
http://www.cconlinelabs.com/

I hear a lot about the dynamips router emulator, but I've never messed with it.
http://www.ipflow.utc.fr/blog/

Study and lab for six to eight months, then try a Cisco assessor test (or a graded test from your vendor of choice):
http://www.cisco.com/web/learning/le3/ccie/preparation/index.html

Based on your results continue to study or book a lab date, repeat as needed.
|
# ¿ Dec 9, 2007 21:09 |
|
|
Filthy_McGreasy posted:
If someone were to poopsock the CCIE training, and assuming a 100% retention rate for the information, how much of a time investment would it be? You mention studying for 6-8 months, is that 2 hours a week, or 2 hours a day? Is the exam environment stressful? From your previous comments it sounds like there would be many people sitting around in a room taking the test at the same time. Do they try to minimize the distractions? How much experience did you have before you decided to start on this?

Only on SA would someone coin the term "poopsocking the CCIE training".

I started putting serious effort into attaining the CCIE about a year ago. I had 8 years of experience as a network engineer at that point. The material is ludicrously non real world, so studying beyond what's required for your day to day job duties is absolutely required. I attempt to study at work when I can by reading and mocking up small scale scenarios with three 1700 series routers. Ideally I would get in one 8 hour rack session a week, though that rarely happens on a weekly basis. Drop the $250 or whatever the cost is for a Cisco assessor test; that will reality check you on what you need to learn.

The lab may contain candidates testing for any of the CCIE tracks. Someone may be sitting next to you or across from you. During my last attempt the guy in front of me was visibly freaking out for the entire eight hours. I also think the 7:30am start time for the RTP lab is straight up dickish.
|
# ¿ Dec 9, 2007 23:12 |
|
ionn posted:
What effect, if any, will GRE have on network performance (mainly in terms of latency)?

You're correct that a GRE tunnel will carry OSPF multicast hellos, however you may as well encrypt the tunnel also. As long as you have an appropriately powerful router & crypto accelerator the latency overhead shouldn't be that bad. I think crypto accelerators are coming standard with the 2800/3800 series now.

Throw a "ip tcp adjust-mss 1400" on the GRE interface to dial down the TCP max segment size; that will work around most of your fragmentation problems (tune size as appropriate). There's example config for an IPSec/GRE tunnel in this thread (pay no attention to the crazy man advocating an SSL vpn for this purpose).
http://forums.somethingawful.com/showthread.php?threadid=2697661

If this is for a private WAN connecting a bunch of offices together, look into DMVPN. It can create dynamic inter-office tunnels.
http://www.cisco.com/en/US/products/ps6658/products_ios_protocol_option_home.html
|
# ¿ Dec 10, 2007 13:20 |
|
jwh posted:
I don't know who your MPLS WAN vendor is, but if it's AT&T, ask about their 'AVPN' product. If it's anybody else, tell them you want VPLS maybe? I dunno.

I've worked with Sprint's peerless IP MPLS service. You get a serial link to Sprint & talk BGP with them. All your sites run a separate AS and through the magic of MPLS you get one hop any to any connectivity. Overlaying point to point IPsec/GRE tunnels or DMVPN works fine if you have security concerns.
|
# ¿ Dec 11, 2007 02:33 |
|
InferiorWang posted:
http://www.gns3.net/

I've never figured out the appeal of dynamips; it can't emulate a switch.
|
# ¿ Dec 15, 2007 15:05 |
|
foghorn posted:
My question is whether the tables he taught us in class are actually viable ways of displaying rule sets.

I certainly wouldn't use that table format for documenting rules, but it can be interpreted. The source port & ACK restrictions I might have to look up. Actually, that ACK field is straight up retarded, the PIX tracks state, so the ACK bit shouldn't be a concern.

inignot fucked around with this message at 02:59 on Dec 19, 2007 |
# ¿ Dec 19, 2007 02:55 |
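Added example, not part of the post above: a toy model of why the ACK column in that rule table is irrelevant once the firewall tracks state. A stateless router ACL with the `established` keyword passes any inbound segment that has ACK (or RST) set, which is exactly what an ACK scan sends; a PIX-style connection table only passes segments that belong to a connection an inside host actually opened. The `Packet` model, the addresses and the two scenarios are constructed for illustration.

```python
"""Stateless 'established' ACL vs a stateful connection table.

Added example, not from the thread: a toy model of why a stateful
firewall (PIX/ASA) makes ACK-bit rules in a ruleset irrelevant.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    # Constructed packet model; only the fields the two filters look at.
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


def stateless_established_permits(pkt: Packet) -> bool:
    """Emulates `permit tcp any any established` on a stateless router ACL
    guarding the inbound (outside -> inside) direction: any segment with
    ACK or RST set is allowed through, whether or not an inside host ever
    opened the connection. This is what an ACK scan (nmap -sA) relies on."""
    return pkt.ack or pkt.rst


class StatefulFilter:
    """Minimal connection table in the spirit of a PIX: an outbound SYN
    creates an entry; an inbound segment is permitted only if it belongs
    to an entry (reversed 4-tuple). Timeouts and TCP state transitions
    are omitted on purpose."""

    def __init__(self) -> None:
        self.conns: set[tuple[str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> bool:
        if pkt.syn and not pkt.ack:
            self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True  # outbound traffic is permitted in this model

    def inbound(self, pkt: Packet) -> bool:
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns


def compare(outbound_syn: Packet, inbound: Packet) -> dict:
    """Run one inbound segment through both filters after one outbound SYN."""
    sf = StatefulFilter()
    sf.outbound(outbound_syn)
    return {
        "stateless_established": stateless_established_permits(inbound),
        "stateful": sf.inbound(inbound),
    }


def run_scenarios() -> dict:
    # Constructed scenario: inside host 10.0.0.5 opens a connection to a web
    # server at 198.51.100.20:80 (documentation address ranges).
    syn = Packet("10.0.0.5", 40000, "198.51.100.20", 80, syn=True)
    # The server's legitimate SYN/ACK reply to that connection.
    reply = Packet("198.51.100.20", 80, "10.0.0.5", 40000, syn=True, ack=True)
    # An unsolicited ACK-flagged probe from an outside scanner at 203.0.113.9.
    probe = Packet("203.0.113.9", 4444, "10.0.0.5", 22, ack=True)
    return {"legit_reply": compare(syn, reply), "ack_probe": compare(syn, probe)}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(name, verdict)
```

The legitimate reply passes both filters; the probe passes the stateless `established` check and is dropped by the connection table, which is why a rule table for a stateful device has no business carrying an ACK column.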
|
Spazz posted:
So I'm not far enough into my curriculum to know who to work with this yet, but I have a 2511-DC that I got and I have a LOT of equipment I plan to learn off of. Is there a way to configure Async 1-16 to plug into the CONSOLE port to manage multiple pieces of equipment via SSH or other means? Or am I just pissing into the wind?

It will work fine, that's how everyone sets up a console server for a CCIE study lab.
http://www.cisco.com/en/US/products/hw/routers/ps233/products_data_sheet09186a008009204c.html
http://mail.cynico.net/~hucke/network/notes-2511.html
|
# ¿ Dec 29, 2007 12:14 |
|
InferiorWang posted:
Anyone have any ideas how using two DHCP servers on one line might work?

Separate data & voip vlans = separate dhcp scopes. Cisco phones will build a trunk to the switch & pass another data vlan to the pc.
|
# ¿ Jan 9, 2008 15:09 |
|
You should have complained to them about the performance impact. A carrier's network needs to be able to protect itself from customer misconfiguration, ignorance, and potential malice. Don't take any guff from those swine. That said, I have no idea how that would happen. If you & the other customers shared a broadcast domain; you could spoof the mac of the carrier's gateway and do man in the middle. But that doesn't happen by accident.
|
# ¿ Jan 18, 2008 18:45 |
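Added example, not part of the post above: the "spoof the MAC of the carrier's gateway" case is detectable passively if you watch ARP on the shared segment. The script below reduces ARP replies to `<epoch> <ip> is-at <mac>` lines (the shape you get from `tcpdump -n -e arp` after a little awk) and flags every change of the MAC bound to a watched IP, the same idea as arpwatch. The gateway address and the capture lines are constructed; in a real deployment seed the first binding from a known-good capture, because the first MAC seen is trusted.

```python
"""Passive detector for a gateway MAC being claimed by a second station.

Added example, not from the thread. The input below is constructed.
"""
import re
from collections import defaultdict

GATEWAY_IP = "192.0.2.1"  # assumed: the carrier's gateway on the shared segment

# Constructed capture: the real gateway answers from 00:11:22:33:44:55, then a
# second station starts answering for the same IP and the two fight it out.
SAMPLE_ARP = """\
1200000000 192.0.2.1 is-at 00:11:22:33:44:55
1200000005 192.0.2.10 is-at 00:aa:bb:cc:dd:01
1200000030 192.0.2.1 is-at 00:11:22:33:44:55
1200000031 192.0.2.1 is-at 00:de:ad:be:ef:01
1200000032 192.0.2.1 is-at 00:11:22:33:44:55
1200000033 192.0.2.1 is-at 00:de:ad:be:ef:01
"""

LINE = re.compile(r"^(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+is-at\s+([0-9a-fA-F:]{17})$")


def parse_arp(text):
    """Yield (timestamp, ip, mac) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3).lower()


def detect_flips(observations, watched=None):
    """Return (ts, ip, old_mac, new_mac) for each MAC change of a watched IP.
    The first binding seen is trusted, the same blind spot arpwatch has
    during its learning phase, so seed it from a known-good capture."""
    last = {}
    alerts = []
    for ts, ip, mac in observations:
        if watched is not None and ip not in watched:
            continue
        prev = last.get(ip)
        if prev is not None and prev != mac:
            alerts.append((ts, ip, prev, mac))
        last[ip] = mac
    return alerts


def claimants(observations):
    """Map each IP to the set of MACs that have answered for it. Two
    entries for the gateway means a second station is claiming its
    address: a spoofing man-in-the-middle or a duplicated address."""
    seen = defaultdict(set)
    for _, ip, mac in observations:
        seen[ip].add(mac)
    return dict(seen)


def gateway_report(text=SAMPLE_ARP, gateway=GATEWAY_IP):
    obs = list(parse_arp(text))
    return {
        "flips": detect_flips(obs, {gateway}),
        "claimants": sorted(claimants(obs).get(gateway, set())),
    }


if __name__ == "__main__":
    rep = gateway_report()
    for ts, ip, old, new in rep["flips"]:
        print(f"{ts}: {ip} moved from {old} to {new}")
    print("stations answering for gateway:", rep["claimants"])
```

A single flip can be a legitimate gateway replacement; rapid alternation between two MACs for the same IP, as in the constructed capture, is the pattern to page on. If you can get the carrier to enable DHCP snooping plus dynamic ARP inspection on the shared segment, the spoofed replies never reach you in the first place.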
|
For anyone who hasn't seen this yet, there's a new expert level certification in the design track : the CCDE. http://www.cisco.com/web/learning/le3/ccde/index.html http://www.cisco.com/web/learning/le3/ccde/ccde_exam_information.html No info on the lab yet, just a written blueprint.
|
# ¿ Jan 24, 2008 18:17 |
|
I can do drat near any kind of site to site VPN with IOS aside from EZVPN. I got nuthin for the ASA though. My magic stare and compare skills find this command: crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map only on one device per the provided configs, though I have no idea if that's significant or not.
|
# ¿ Jan 31, 2008 23:30 |
|
Noghri_ViR posted:
Step 1 : clear counters Step 2 : wait Step 3 : look again later Step 4 : if more errors, then something is bad; else drink beer.
|
# ¿ Feb 1, 2008 23:11 |
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Admin distance fuckery like this is what you want. Alternately you can look into this scary looking feature. http://www.cisco.com/en/US/tech/tk1335/tsd_technology_support_sub-protocol_home.html
|
# ¿ Feb 22, 2008 00:38 |
|
jbiel posted:
While that is a viable option, why not keep the loving MAC tied to the port as long as the port stays UP/UP? God drat Cisco.

Why do you think this matters?
|
# ¿ Feb 26, 2008 21:35 |
|
nmap -sP subnet/mask

Now your mac cache is populated.
|
# ¿ Feb 27, 2008 00:06 |
|
internap is smoke and mirrors.
|
# ¿ Feb 27, 2008 00:40 |
|
brent78 posted:
I have them in Chicago, and have been really happy with the service. Now I'm looking to add them in San Francisco.. Can you be less broad?

When I dealt with them in 2001 they were all about promoting their "route optimization" voodoo. For anyone that hasn't heard of this provider, they have no network of their own at all. They pull in internet circuits w/BGP from a half a dozen ISPs into a couple of unconnected island POPs; then claim black magic path quality testing that produces alterations to the routing table which is allegedly better routing than what the BGP natively provides.

Anyway, if you accept the black magic routes are better than the unaltered BGP routes there's a couple of underlying issues to consider:
1. Since their black magic routes differ from native BGP they are by definition creating asymmetric routing. Granted, this may or may not happen on the internet anyway.
2. Since the "better" route is by definition going to produce asymmetry, it's only going to take the "better" path in the direction you transmit in.

Multihoming with internap and another ISP would be an adventure as well. You would have to prepend the AS path with the non internap ISP since the internap connection has their clown AS between you and the ISPs they are connected to. I have my doubts about their "path optimization" black magic as well. They wouldn't explain how it worked.

Short version: they are the ISP version of an infomercial hawking exercise gear while shrieking about "the power of dynamic isolation of the abs".
|
# ¿ Feb 27, 2008 01:57 |
|
Girdle Wax posted:
This is going to happen on the internet anyway, asymmetry is a fact of life and it will not be avoided.

I'm aware of that and acknowledged it in what you quoted. My point is that, at best, Internap is selling a voodoo black box that creates asymmetry as their competitive advantage without acknowledging it only works unidirectionally. I also find their black box voodoo path optimization questionable. How do they judge a better path to a /16? A /16 could be disguising several hundred different path variations within one of their upstream ISPs. I don't believe for a second their path optimization is running at /32 granularity. How often do they poll these paths to determine which is optimal? Who knows. Just give me multihoming to a couple ISPs and I'll deal with the well established localpref or prepending or weight or whatever policies to influence inbound/outbound routing as required.
|
# ¿ Feb 27, 2008 03:40 |
|
brent78 posted:
It's well known it's unidirectional, you can only control traffic leaving your network. As for "voodoo black box", just read their white papers about the FCP, flow control products. No secrets there. They measure latency, packet loss and broken routes and choose the best path. Have you ever been to their website or talked to an engineer there, doesn't sound like it.

I last dealt with them in 2001. I concede they may be more open about their route optimization techniques and their implications today. In retrospect, it's possible the sales guy at the time may have been covering ignorance with claims of propriety; it was during the tail end of the bozo overloaded internet boom.
|
# ¿ Feb 27, 2008 12:59 |
|
godzirraRAWR posted:
I'm not allowed to back it up, but over half of what you say here is patently untrue, and just plain wrong.

To reiterate:

inignot posted:
I last dealt with them in 2001. I concede they may be more open about their route optimization techniques and their implications today. In retrospect, it's possible the sales guy at the time may have been covering ignorance with claims of propriety; it was during the tail end of the bozo overloaded internet boom.
|
# ¿ Mar 5, 2008 17:42 |
|
jwh posted:
I'm looking for suggestions on how to conditionally advertise a default with eBGP.

I don't have my head fully around what you're attempting to accomplish, but you might want to look into BGP conditional advertisements.
http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080094309.shtml

There's also a BGP default originate command that works a little differently than using a network statement.
http://www.cisco.com/en/US/docs/ios/12_2/iproute/command/reference/1rfbgp1.html#wp1152583

inignot fucked around with this message at 23:10 on Mar 19, 2008 |
# ¿ Mar 19, 2008 23:07 |
|
Irrespective of the failed ping, does the address arp successfully?
|
# ¿ Apr 3, 2008 15:05 |
|
CrazyLittle posted:
Stupid question:

Dare I ask..."What are you trying to accomplish with this?".
|
# ¿ Apr 8, 2008 22:18 |
|
brent78 posted:
This got me thinking that maybe it's a MTU issue?

Stick "ip tcp adjust-mss 1400" on both ends for a quick check/fix. Alternately sniff the traffic before it goes into the tunnel to see if there is an mtu issue. Most of the time when I have mtu over VPN problems, things just don't work as opposed to performing badly. You do have hardware acceleration for the crypto right? Hell, add compression to the crypto transform just for shits and giggles.
|
# ¿ Apr 11, 2008 00:55 |
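Added example, not part of either post: "ip tcp adjust-mss 1400" comes up twice in this thread (the GRE latency question earlier and the MTU question just above) with the advice to "tune size as appropriate". The calculator below does that tuning by adding up the GRE, ESP, IV, padding and ICV bytes for a given cipher and ESP mode and reporting the largest MSS whose full-size segment still fits a 1500-byte path without fragmentation. Header sizes are from the GRE and ESP RFCs; the cipher and mode combinations are assumptions you should replace with whatever your transform set actually uses. It also shows that 1400 is not always small enough: AES-CBC in tunnel mode with GRE needs roughly 1374.

```python
"""Path MTU budget for TCP inside GRE inside ESP.

Added example, not from the thread. Computes the on-the-wire size of an
inner IP packet carried GRE-over-IPsec and the largest MSS that avoids
fragmentation for a given path MTU. Sizes: RFC 2784 (GRE), RFC 4303 (ESP).
"""
import math

IP_HDR = 20          # IPv4 header without options
TCP_HDR = 20         # TCP header without options
GRE_HDR = 4          # GRE without key/sequence (add 4 for `tunnel key`)
ESP_HDR = 8          # SPI + sequence number
ESP_ICV = 12         # HMAC-SHA1-96 / HMAC-MD5-96 truncated ICV
ESP_TRAILER = 2      # pad length + next header
UDP_HDR = 8          # NAT-T UDP encapsulation, if negotiated
CIPHER_BLOCK = {"3des": 8, "aes": 16}   # CBC block size; the IV is one block


def encapsulated_size(inner_len, cipher="aes", mode="tunnel", gre_key=False, nat_t=False):
    """Bytes on the wire for an inner IP packet of inner_len bytes.

    mode is the ESP mode of the transform set: in transport mode ESP
    protects the GRE header plus inner packet and reuses the GRE packet's
    IP header as the outer header; in tunnel mode the whole GRE/IP packet
    is encrypted and a new outer IP header is added."""
    block = CIPHER_BLOCK[cipher]
    gre = GRE_HDR + (4 if gre_key else 0)
    plaintext = gre + inner_len + ESP_TRAILER + (IP_HDR if mode == "tunnel" else 0)
    padded = math.ceil(plaintext / block) * block   # CBC padding to block size
    return IP_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + block + padded + ESP_ICV


def max_mss(path_mtu=1500, **kw):
    """Largest TCP MSS whose full-size segment survives without fragmentation."""
    inner = path_mtu
    while encapsulated_size(inner, **kw) > path_mtu:
        inner -= 1
    return inner - IP_HDR - TCP_HDR


def segment_fits(mss, path_mtu=1500, **kw):
    """Does a full-size segment for this MSS fit the path without fragmenting?"""
    return encapsulated_size(mss + IP_HDR + TCP_HDR, **kw) <= path_mtu


if __name__ == "__main__":
    for cipher in ("3des", "aes"):
        for mode in ("transport", "tunnel"):
            print(f"{cipher:4s} {mode:9s} max mss {max_mss(cipher=cipher, mode=mode)}"
                  f"  1400 fits: {segment_fits(1400, cipher=cipher, mode=mode)}")
```

The point of running it rather than memorising 1400: the answer moves with the cipher block size, the ESP mode, a GRE key and NAT-T, and the padding means the safe value is not a simple subtraction. Whatever you pick, put it on both tunnel endpoints, as the post says, because adjust-mss rewrites the SYN in each direction it sees.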
|
wolrah posted:
I think your DH group in isakmp is mismatched. As I recall group 1 is 768 bits, and group 2 is 1024 bits. Try changing the pix thusly: code:
|
# ¿ May 6, 2008 18:36 |
|
wolrah posted:
Thanks, but that didn't change anything except the default group listed in the error on the debug output.

I dunno what to tell you. I do a lot of VPNs, but they are IOS to IOS; not PIX to whatever. The debugs look like a phase 1 failure. I'd look at the preshared key and the isakmp policy settings.
|
# ¿ May 6, 2008 23:30 |
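Added example, not part of the two posts above: the DH group sizes quoted (group 1 = 768 bits, group 2 = 1024 bits) are correct, and a phase 1 failure of this kind is usually one attribute in one policy. The script below models IKEv1 phase 1 matching the way IOS documents it (the responder walks its own policies in priority order and takes the first one whose encryption, hash, authentication and DH group equal a proposal the initiator sent; lifetime is not a match criterion and the shorter value is used), reports which attribute differs per policy pair, and flags groups below 2048 bits, since groups 1 and 2 should not be used today. The two policy sets are constructed to reproduce a group 1 versus group 2 mismatch; the PIX code that is missing from the post is not reconstructed here.

```python
"""IKEv1 phase 1 (ISAKMP) policy matching as IOS and PIX negotiate it.

Added example, not from the thread. Group sizes are from RFC 2409 (groups 1
and 2) and RFC 3526 (5, 14, 15, 16). The policies below are constructed.
"""
from dataclasses import dataclass

DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}
MATCHED_ATTRS = ("encryption", "hash_alg", "authentication", "group")


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int          # lower number = higher priority, as in `crypto isakmp policy N`
    encryption: str        # "des", "3des", "aes", "aes-256"
    hash_alg: str          # "md5", "sha"
    authentication: str    # "pre-share", "rsa-sig"
    group: int             # DH group number
    lifetime: int = 86400  # seconds; not a match criterion, the shorter value wins


def attributes_match(a, b):
    return all(getattr(a, n) == getattr(b, n) for n in MATCHED_ATTRS)


def negotiate(initiator, responder):
    """Return (initiator_policy, responder_policy, lifetime) or None.

    The responder checks its own policies highest priority first and takes
    the first one that matches any proposal the initiator offered."""
    for r in sorted(responder, key=lambda p: p.priority):
        for i in sorted(initiator, key=lambda p: p.priority):
            if attributes_match(i, r):
                return i, r, min(i.lifetime, r.lifetime)
    return None


def explain_mismatch(initiator, responder):
    """For every policy pair, list the attributes that differ. An empty list
    for some pair means that pair would have matched."""
    out = []
    for i in initiator:
        for r in responder:
            diffs = [n for n in MATCHED_ATTRS if getattr(i, n) != getattr(r, n)]
            out.append((i.priority, r.priority, diffs))
    return out


def weak_groups(policies, minimum_bits=2048):
    """DH groups below the given modulus size. Groups 1 and 2 (768 and
    1024 bit) are well below current recommendations; prefer 14 or above."""
    return sorted({p.group for p in policies if DH_GROUP_BITS.get(p.group, 0) < minimum_bits})


# Constructed: the IOS side proposes 3DES/SHA/pre-share/group 2; the PIX side
# still has group 1, which is the mismatch the debug output would show.
IOS_POLICIES = [IsakmpPolicy(10, "3des", "sha", "pre-share", 2)]
PIX_POLICIES_BAD = [IsakmpPolicy(10, "3des", "sha", "pre-share", 1)]
PIX_POLICIES_FIXED = [IsakmpPolicy(10, "3des", "sha", "pre-share", 2, lifetime=28800)]


if __name__ == "__main__":
    print("before:", negotiate(IOS_POLICIES, PIX_POLICIES_BAD),
          explain_mismatch(IOS_POLICIES, PIX_POLICIES_BAD))
    print("after: ", negotiate(IOS_POLICIES, PIX_POLICIES_FIXED))
    print("weak groups still in use:", weak_groups(IOS_POLICIES + PIX_POLICIES_FIXED))
```

Feed it the `show crypto isakmp policy` output from both ends (transcribed into `IsakmpPolicy` entries) and `explain_mismatch` tells you which attribute to fix before you start suspecting the pre-shared key. A pre-shared key mismatch looks different in the debugs: the proposal is accepted and the failure comes later, at the authentication exchange.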
|
You aren't going to get any ISP to do BGP peering on a consumer grade service. Optimized Edge Routing will do what you want. I've never used it, yet somehow I always end up posting the link to it when this issue comes up. http://www.cisco.com/en/US/docs/ios/oer/configuration/guide/oer-overview.html
|
# ¿ May 22, 2008 00:39 |
|
Twlight posted:
I've began monitoring on our Cisco equipment at work. I'm monitoring the interface load and its over 100 at some points during the day. I need to know more about how interface load is calculated. Anyone know of any documentation or ideas as to how it's done?

What are you looking at to get the number that's over 100? If it's from show int the load is displayed as some value/255, so 125/255 would be around 50%. Also, input and output loads are tracked separately.
|
# ¿ Jun 17, 2008 23:28 |
|
BoNNo530 posted:
Are there any good resources out there for DMVPN?

Here's a few:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6658/DMVPN_Overview.pdf
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_white_paper09186a008018983e.shtml#intro

I did a dmvpn project, it wasn't that bad. Setting up an IOS based Certificate Authority to authenticate the dmvpn sessions made me want to get down on my knees and cry like a woman though.
|
# ¿ Jun 19, 2008 21:38 |
|
para posted:
I feel stupid not being able to figure this out.

Show and debug commands are the way to figure these things out, not staring at the config and waiting for the error to jump out at you. Do roughly this:
code:
|
# ¿ Jun 23, 2008 15:10 |
|
Paul Boz_ posted:
I wrapped up the CCDA last week and I'm getting into the CCDP ARCH material now. I'm finding that design is really fun and I have a knack for it. Has anyone else taken the ARCH that has some tips? The info out there on the exam is scarce at best.

The PDIOO process & Enterprise Composite model that Cisco pushes in their design certs are complete and total candyland nonsense used by no one.
|
# ¿ Aug 2, 2008 16:48 |
|
By all means pursue the CCDP for the increased employability. I've been a CCDP since 2002 and worked for a Cisco global partner for the past five years. Just be aware that the CCDA/CCDP material is insane and has no applicability beyond the test. I suggest you cynically treat the test as a hoop jumping exercise for a piece of paper. It's not something to kick yourself in the rear end over. None of the Cisco sales engineers or professional services people I've ever dealt with used or ever even mentioned the methodologies in the CCDA/DP track. For any real world designs you need to do, draw upon the general routing and switching skills you've built via the CCNP track. Simply knowing the types of OSPF non backbone areas will put your expertise beyond 80% of the "engineers" you will encounter.
|
# ¿ Aug 2, 2008 23:42 |
|
I have dim memories of receiving a demo AP from Cisco that was configured in lightweight mode. I couldn't make any config changes until I converted it to autonomous mode. The conversion procedure was different from a typical password recovery. This may or may not apply to your issue: http://www.cisco.com/en/US/docs/wireless/access_point/conversion/lwapp/upgrade/guide/lwapnote.html#wp161272
|
# ¿ Aug 11, 2008 16:48 |
|
jwh posted:
I try and gauge whether a candidate is focused on what they know, or what they don't know- Dunning-Kruger and all that. There's a good chance that if somebody is downplaying their abilities, it's because they know just how much they don't know, and it's hard to know what you don't know. It's like that saying, "confidence is the feeling you have before you understand the situation."

My own personal corollary to Dunning-Kruger is, "The dumbest people are always the loudest.".
|
# ¿ Aug 15, 2008 20:02 |
|
I used to work with a CCIE who had a degree in Geology. Draw your own conclusions.
|
# ¿ Aug 17, 2008 13:02 |
|
Has anyone ever found a resource for looking up Cisco IOS debug messages? The error decoder doesn't accept debug output. I've got (yet another) vpn to hammer into shape. This one is between a router and a concentrator (ugh). It's giving me a problem after phase 1 completes successfully. The debug logs referencing message ids and payload type numbers look tantalizingly explicit in their descriptiveness; but I can't find anything that offers an interpretation. Googling them hasn't led me anywhere either. code:
inignot fucked around with this message at 23:07 on Aug 26, 2008 |
# ¿ Aug 26, 2008 18:42 |
|
Reefer Inc. posted:
If you ever find a tool that can turn ISAKMP log messages into anything resembling English that will deserve its own thread.

I don't own both ends of the VPN, if I did I would have already been done. Based on the config the other guy sent me for his 3000 series VPN concentrator, it looked like nat-t wasn't enabled. I suggested he enable it, and the tunnel started working yesterday. Only having access to one end of a VPN tunnel that doesn't work is the exact scenario for which it would be great to get a real read on debug output. Some programmer at Cisco had to have coded the error message that contains : DELETE_WITH_REASON payload, message ID = 974969034; and that message ID means something.
|
# ¿ Aug 27, 2008 23:42 |
|
When using etherchannel I've always had only the etherchannel config on the physical ports and left the trunking only on the port channel virtual interface.
|
# ¿ Aug 30, 2008 02:25 |
|
Of course if you are reduced to xmodeming code onto a router, remember to turn the serial port speed on the router & your workstation up to the maximum supported value. It's still going to be horrible though.
|
# ¿ Sep 3, 2008 16:09 |
|
|
Those acls are retarded.
|
# ¿ Sep 5, 2008 02:03 |