All posts by Loopy

I work for an MSP as a data infrastructure / cloud / sort-of-everything engineer. Since I attended my first Intro to IT class in college, I knew Route and Switch was my passion in the IT world, and I have decided now is the time to finally earn my CCNP R/S certification. I have decided to publish my struggles here for fellow candidates to laugh with me at my struggles, hopefully learn a thing or two from me, and help the masses of me 10 years ago get the skills to get them into the professional world of network engineering. Please feel free to ask any questions on any topics or really whatever, unless you are a help desk recruiter looking for another IT email to flood with crap jobs. I can be reached at ande0255@gmail.com. I am sure I make mistakes at times with my posts, so if you see discrepancies or just untrue facts about something, please let me know so I can correct it for myself and others - Thanks! This is not any kind of official training with any guarantee of accuracy, but I try to keep it as accurate as possible by labbing most concepts that are not theory, to confirm they are correct on live equipment.

IPv6: Quick straightforward notes on differences in modes for exam day!

Going to cut right to the chase here for exam day what you will need to know without a lot of explanation, as I’ve been reading the white papers for my second attempt this Friday, and there are just some things to know without knowing all the “why.”

NPTv6 – This does the same function as NAT for IPv4, only it does it ONLY for IPv6. So if you are asked to explain what it does, it allows communication between IPv6 networks (and if they aren’t dual stacking they aren’t talking)

NAT64 – This could be a local server in your building, or a server at your ISP, that translates V6 addresses to V4 addresses, so hosts can communicate without using Dual-Stack technology themselves.

Stateless NAT64 DOES NOT CONSERVE IPV4 ADDRESSES – 1:1 translations, no IP bindings are kept in this mode, and it requires the IPv6 addresses to be assigned manually or via DHCPv6

Stateful NAT64 DOES CONSERVE IPv4 ADDRESSES – 1:any translations, it creates a state or binding for every entry that needs translating between IPv6 and IPv4
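To make the stateless / stateful distinction concrete, here is a small Python model I wrote for this post (it is not Cisco code or anything from the exam material). It assumes the RFC 6052 well-known prefix 64:ff9b::/96 and a single made-up pool address 203.0.113.1; the stateless translator can only handle an IPv6 host whose address already embeds an IPv4 address, while the stateful one hands out ports from one shared IPv4 address and keeps a binding per flow.

```python
import ipaddress

# Assumption: the translator uses the RFC 6052 well-known NAT64 prefix 64:ff9b::/96.
# A real deployment may use a network-specific prefix instead.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def embed_ipv4(v4: str) -> str:
    """Stateless, algorithmic mapping: put the 32 IPv4 bits in the low end of the prefix."""
    v6_int = int(NAT64_PREFIX.network_address) | int(ipaddress.IPv4Address(v4))
    return str(ipaddress.IPv6Address(v6_int))


def extract_ipv4(v6: str) -> str:
    """Reverse mapping; fails if the IPv6 address is not IPv4-translatable (outside the prefix)."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in NAT64_PREFIX:
        raise ValueError(f"{v6} is not an IPv4-embedded address under {NAT64_PREFIX}")
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


class StatelessNAT64:
    """1:1 translation with no binding table: the IPv6 source must already carry an
    IPv4 address inside it (assigned manually or via DHCPv6), so nothing is conserved."""

    def translate_src(self, v6_src: str) -> str:
        return extract_ipv4(v6_src)


class StatefulNAT64:
    """1:any translation: many IPv6 hosts share one pool IPv4 address, and the
    translator records a binding per flow so return traffic can be mapped back."""

    def __init__(self, pool_v4: str, first_port: int = 1024):
        self.pool_v4 = pool_v4          # made-up pool address for the demo
        self.next_port = first_port
        self.bindings = {}              # (ipv6 src, src port) -> (pool ipv4, translated port)

    def translate_src(self, v6_src: str, sport: int) -> tuple:
        key = (str(ipaddress.IPv6Address(v6_src)), sport)
        if key not in self.bindings:    # first packet of a flow creates the state
            self.bindings[key] = (self.pool_v4, self.next_port)
            self.next_port += 1
        return self.bindings[key]

    def reverse(self, v4_dst: str, dport: int) -> tuple:
        """Map an inbound IPv4 packet back to the IPv6 host via the binding table."""
        for (v6, sport), (v4, port) in self.bindings.items():
            if (v4, port) == (v4_dst, dport):
                return (v6, sport)
        raise KeyError("no binding: unsolicited inbound packet is dropped")


if __name__ == "__main__":
    print(embed_ipv4("192.0.2.1"))
    print(StatelessNAT64().translate_src("64:ff9b::c000:201"))
    nat = StatefulNAT64("203.0.113.1")
    for host in ("2001:db8::10", "2001:db8::11", "2001:db8::12"):
        print(host, "->", nat.translate_src(host, 5000))
    print(len(nat.bindings), "bindings share one IPv4 address")
```

Run it and you will see three IPv6 hosts come out of the stateful translator as the same 203.0.113.1 with different ports, while feeding a plain 2001:db8:: host to the stateless one fails because there is no IPv4 address embedded to translate to.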

IPv6 Tunneling – As posted earlier about IPv6 there are some different Tunneling methods, but all of them do require devices capable of Dual Stacking, remember that on exam day

Dual Stacking – Ability of a host to speak IPv6 and IPv4 with other hosts with the same capability

That is all, remember that information, it may save you a few points on exam day ^

PPPoE: What you need to know for exam day, no fluff just straight facts, NEED TO KNOW FOR EXAM DAY!!

This was not covered much at all in my study materials, I am guessing because they were made as the new exam version rolled over, and they hadn’t introduced a lot of PPPoE just yet (is my only thought on why this was not covered to the extent it should have been).

PPPoE has 2 phases you need to know about:

  • Active Discovery – Where the client actively discovers PPPoE Servers
  • PPP Session Phase – Where client does negotiation and authentication

Do NOT forget those two phases, and that simple explanation of what they do, chant them until they are your mantra or scream them out loud until you can’t get the voices out of your head!

One thing also to note: beyond the session phase doing negotiation and authentication, there is one very important Layer-specific point about the data transmission that is now allowed to occur:

PPPoE now acts as a Layer 2 encapsulation method for data transmission over PPP Links with PPPoE Headers.

I would burn that into your brain, because it’s so easy to think it’s Layer 3, but when you’re in the exam room and you get the topic, PPPoE question = Layer 2 encapsulation.

PPPoE uses the command “Dialer Persistent” to keep idle lines from going down due to lack of interesting traffic.

To authenticate with an Encrypted password, use CHAP, for clear text you’d use PAP.
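As an added illustration of the “Layer 2 encapsulation” point (my own Python, not from any study guide or Cisco), the following builds and decodes a few constructed PPPoE frames: the EtherType tells you the phase (0x8863 discovery, 0x8864 session), the 6-byte PPPoE header carries the code, session ID and length, and in the session phase the PPP protocol field right after it tells you whether you are looking at CHAP, PAP or the IPv4/IPv6 payload. The MAC addresses and session ID are made up.

```python
import struct

# EtherTypes that mark the two PPPoE phases (RFC 2516)
ETHERTYPE_PPPOE_DISCOVERY = 0x8863
ETHERTYPE_PPPOE_SESSION = 0x8864

PPPOE_CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS",
               0xA7: "PADT", 0x00: "SESSION-DATA"}
# PPP protocol numbers that follow the PPPoE header in session frames
PPP_PROTOCOLS = {0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP", 0x8021: "IPCP",
                 0x0021: "IPv4", 0x8057: "IPv6CP", 0x0057: "IPv6"}

BROADCAST = bytes.fromhex("ffffffffffff")


def build_frame(dst: bytes, src: bytes, discovery: bool, code: int,
                session_id: int, payload: bytes) -> bytes:
    """Ethernet II header + 6-byte PPPoE header (ver=1, type=1) + payload."""
    ethertype = ETHERTYPE_PPPOE_DISCOVERY if discovery else ETHERTYPE_PPPOE_SESSION
    return (dst + src + struct.pack("!H", ethertype)
            + struct.pack("!BBHH", 0x11, code, session_id, len(payload)) + payload)


def parse_frame(frame: bytes) -> dict:
    """Decode the Layer 2 framing; reject anything that is not well-formed PPPoE."""
    if len(frame) < 20:
        raise ValueError("frame too short for Ethernet + PPPoE headers")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype not in (ETHERTYPE_PPPOE_DISCOVERY, ETHERTYPE_PPPOE_SESSION):
        raise ValueError(f"not PPPoE: EtherType 0x{ethertype:04x}")
    vertype, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if vertype != 0x11:
        raise ValueError(f"unsupported PPPoE ver/type 0x{vertype:02x}")
    payload = frame[20:20 + length]
    if len(payload) != length:      # length field must not claim more than was captured
        raise ValueError("PPPoE length field exceeds frame")
    info = {
        "phase": "discovery" if ethertype == ETHERTYPE_PPPOE_DISCOVERY else "session",
        "code": PPPOE_CODES.get(code, f"0x{code:02x}"),
        "session_id": session_id,
        "payload_len": length,
    }
    if info["phase"] == "session":
        if length < 2:
            raise ValueError("session frame has no PPP protocol field")
        ppp = struct.unpack("!H", payload[:2])[0]
        info["ppp_protocol"] = PPP_PROTOCOLS.get(ppp, f"0x{ppp:04x}")
    return info


# Constructed sample frames (not a real capture); MACs and session ID are made up
CLIENT_MAC = bytes.fromhex("020000000001")
SERVER_MAC = bytes.fromhex("020000000002")
SERVICE_NAME_TAG = bytes.fromhex("01010000")   # TAG_TYPE Service-Name, zero length = any service

PADI = build_frame(BROADCAST, CLIENT_MAC, True, 0x09, 0, SERVICE_NAME_TAG)
CHAP_FRAME = build_frame(SERVER_MAC, CLIENT_MAC, False, 0x00, 0x1234,
                         b"\xc2\x23" + b"\x01\x01\x00\x04")            # CHAP Challenge stub
IPV4_FRAME = build_frame(SERVER_MAC, CLIENT_MAC, False, 0x00, 0x1234,
                         b"\x00\x21" + b"\x45\x00\x00\x14" + b"\x00" * 16)  # minimal IPv4 header

if __name__ == "__main__":
    for f in (PADI, CHAP_FRAME, IPV4_FRAME):
        print(parse_frame(f))
```

The PADI goes to the broadcast MAC with session ID 0, which is the “client actively discovers servers” phase; once a session ID has been handed out, every data frame is still an Ethernet frame with a PPPoE header in front of the PPP payload, which is the whole reason it counts as Layer 2 encapsulation.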

If you are using a VPDN Group for PPPoE, you must first issue the “vpdn enable” command before you can configure VPDN Groups. To enable VPDN Groups:

  • conf t
  • vpdn enable
  • vpdn-group (name)
  • request-dialin
  • protocol pppoe

This should have you covered for PPPoE on exam day, but I would heed my warning when I say you need to remember all of it, down to the wording and syntax 🙂


Failed first Route attempt, not due to content here being incorrect, but some Cisco gotchas and the timer beat me up!

First and foremost, I think that taking ROUTE and failing the first time should actually be fairly standard, unless you use brain dumps or study / lab from CCIE level material (and even then…).

That being said, let’s get into my thoughts:

It has the same old Cisco gotchas, so always compare the output / commands shown to the question context, as they may be two completely different things. Along with that, there are the classic Cisco gotchas that you can hardly prepare for unless, as said, you brain dump / come from a STRONG routing background / study at a CCIE level for years.

Also, the allotted time seems like so much at first that you can cozy up in your first sim and take your time, and that is not the case – gas pedal to the floor until your exam is being scored!! Seriously, do not make this mistake; I had to skip an entire sim due to time because of this and it really set me back!


I was glad to see they got some of those terrible English sentences out of the exam, but they still find a way to make a question clearly tricky, or the answers themselves.

If you are finding it difficult to read output or answers separately, use your dry erase board to cover the lines below it, the exam room is no place to look cool.

I’ve said it before, but write down some sort of subnet shortcut you’ve learned on the dry erase board provided before beginning the exam; it helps a lot to have a quick reference when you’re staring at a lot of numbers you need to decipher quickly.

Verification commands are just as important to know, as these are how you find the source of an issue or a question, so be familiar with how to use them to immediately identify which router you need to look at for the answer / configuration.

Also, I’d say relax; I was so worked up and it’s just not as hard of an exam as you would think it to be. There are just some questions you’ll see and mouth “wtf” at the screen, and that is why I say a first-time Fail should almost be expected, and then a quick brush up on that miscellaneous knowledge they throw in there and round number two should be a Pass!

(I hope)

If you have any questions about the exam, my experience, or any pointers before you go in for your attempt please feel free to email me at my ‘about me’ page with (loopedback) in the subject line!

Exam # 2 scheduled for 6/9 in the afternoon, which is when I pass this beast and move onto the other two beasts, SWITCH and TSHOOT!


IPv6: Tunnel type review, links to IPv6 address identification, migration, and GRE / DMVPN that I highly encourage you to review!

I know I said no more posts, but IPV6 was begging for some kind of review before exam day so here it is!

There are two general ways to route IPv6 packets, those being a fully native end to end IPv6 network from host – across the WAN – to the end host and back, or IPv6 Tunnels.

IPv6 tunneling consists of taking IPv6 traffic and encapsulating it inside an IPv4 packet before transmission (much like interesting traffic gets encapsulated for an IPsec tunnel), so it can traverse the IPv4 network to its tunnel endpoint, which then decapsulates the IPv6 packet for delivery to the inside IPv6 host.

Tunneling is generally done by only two routers, however the Tunneling protocol ISATAP can be done by the hosts themselves, if they are capable of creating the packet that includes the IPv6 payload encapsulated within an IPv4 packet type.

There are 4 general types of IPv6 Tunnels:

  • Manually configured – Point to Point, generally permanent, like any site to site VPN
  • GRE – Point to Point, manually configured, wide support of protocols it can transmit
  • 6to4 – Multipoint tunnel, dynamically formed, uses 3rd and 4th “quartets” for IPv4 address
  • ISATAP – Multipoint tunnel, dynamically formed, uses 7th and 8th “quartets” for the IPv4 address

Now, you may be asking yourself, what on Earth is a quartet, because I sure am. Being that it’s only 3am or so, why not google it, because I doubt it is the part of a musical ensemble.

After a quick google search (how did we even survive before google?), a quartet is a group of 4 hexadecimal digits of the 128-bit address, each hex digit standing for 4 bits, as shown in this explanation.

I highly suggest you read that quick explanation of Hex conversion if you’re rusty.
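Since the exam may ask you to pick out the address type, here is a Python classifier I put together (added here, not from Cisco or the linked pages) that pulls the 8 quartets apart and checks where the IPv4 address is hiding: in a 6to4 address the IPv4 address follows the 2002 prefix, in ISATAP it sits in the 7th and 8th quartets behind the 5efe marker, and for Teredo the standard library decodes the client address. The addresses in the demo are documentation/example values, not real hosts.

```python
import ipaddress


def quartets(address: str) -> list:
    """Split the 128-bit address into its 8 sixteen-bit groups (hex quartets), left to right."""
    n = int(ipaddress.IPv6Address(address))
    return [(n >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def ipv4_from_quartets(hi: int, lo: int) -> str:
    """Two adjacent quartets = 32 bits = one IPv4 address."""
    return str(ipaddress.IPv4Address((hi << 16) | lo))


def classify(address: str) -> tuple:
    """Return (address type, embedded IPv4 address or None)."""
    addr = ipaddress.IPv6Address(address)
    q = quartets(address)

    # ISATAP: interface ID is 0000:5efe:<ipv4> or 0200:5efe:<ipv4> (u/g bit set), so the
    # IPv4 address is in the 7th and 8th quartets. Checked first, because an ISATAP
    # link-local address (fe80::5efe:...) would otherwise be reported as plain link-local.
    if q[4] in (0x0000, 0x0200) and q[5] == 0x5EFE:
        return ("ISATAP", ipv4_from_quartets(q[6], q[7]))

    # 6to4: 2002::/16, the IPv4 address immediately follows the prefix (2nd and 3rd quartets)
    if addr.sixtofour is not None:
        return ("6to4", str(addr.sixtofour))

    # Teredo: 2001:0::/32; the stdlib decodes (server, client); the client bits are stored inverted
    if addr.teredo is not None:
        server, client = addr.teredo
        return ("Teredo", str(client))

    if addr.is_link_local:
        return ("link-local", None)
    return ("native", None)


if __name__ == "__main__":
    # constructed example addresses (RFC 5737 / 3849 documentation ranges)
    for a in ("2002:c000:204::1", "2001:0:4136:e378:8000:63bf:3fff:fdd2",
              "fe80::5efe:c000:204", "2001:db8:1:1:0:5efe:c000:204", "fe80::1", "2001:db8::1"):
        print(a, "->", classify(a))
```

The quartets() helper is the part worth keeping in your head for exam day: once you can count off the groups, 2002:c000:0204 reads as 2002 + 192.0.2.4, and ::5efe:c000:0204 reads as the ISATAP marker + 192.0.2.4.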

NAT-PT will also get an honorable mention here, though it is not technically a tunnel so there is no encapsulation / decapsulation of packets, however it does translate between protocols. It does also translate and keep track of DNSv4 and DNSv6 name to address bindings, while translating both IPv4 to IPv6 and back between the two.

I have updated this link with how to identify some IPv6 addresses on exam day if asked “Which one of these is an ISATAP / TEREDO / 6to4 / Link-Local” address type. It is not conclusive, but that is really all I’ve got before exam day, which is now less than 24 hours away.

I was going to post something else about IPv6, but I am too tired to remember what at 3:30am now, just read everything I’ve ever written and you should be good to go for exam day I think – We’ll see how tomorrow goes 🙂

Ooop, just remember, migration strategies link for IPv6, if you add up everything I’ve said between those links and this post it will hopefully make sense and I don’t contradict myself in every explanation.

One big takeaway from the migration strategies, as a majority of them use tunnels as part of the migration, is Dual-Stacking, which is having your hosts run both IPv6 and IPv4, and that is how most migrations work.

Start out with a single web facing server that is not critical to production, and give it both an IPv4 and IPv6 test, and see if you can communicate with it over IPv6 (while still having the reliable IPv4 address on it that you know works within your environment).

Also since it was a tunnel type mentioned, and it is also in the VPN section of topics to be covered, do yourself a favor and read the GRE over IPSec tunnel configuration that I did a fairly brief write up about.

I gotta go to bed but wanted to post one last link, this is for mGRE used for DMVPN, which gives a very brief overview of concepts / terminology of how mGRE is used, as well as NHRP (Next Hop Resolution Protocol), to make DMVPN work.

I highly encourage you to familiarize yourself with the DMVPN high level view setup process of the tunnels, not so much the configuration, so you are familiar with the terminology.

Ok, must stop researching and studying and posting resources, and test time tomorrow – Hope to see that Pass on the grade!

ALSO ONE LAAAST NOTE, NAT64 – This is used for your IPv4 hosts to communicate with IPv6 servers, hence the device configured for it holding the bindings / address mappings! Remember on exam day, IPv4 hosts talking to IPv6 hosts involves Dual Stacking, or NAT64 to translate for hosts / server on different IP versions!

Important BGP Address-Family notes, IPv4 and IPv6 behaviors for exam day! Last post before my exam 5/26, see you on the other side!!

No Topology again, I know the lack of pictures is boring.

A few things I wanted to note about configuring address-families in BGP:

You can either do it as a single IPv4 or IPv6 Peering, which would look something like:

router bgp 100
  neighbor 172.12.15.5 remote-as 500
  neighbor 2005::5 remote-as 500   <— a neighbor takes the bare address, no /64
 address-family ipv4
  neighbor 172.12.15.5 activate
  network (ipv4 prefix) mask (mask)
 address-family ipv6
  neighbor 2005::5 activate   <— “activate”, not “active”
  network (ipv6 prefix)/(prefix length)   <— IPv6 networks use prefix/length, no mask keyword

By configuring it this way, you have set at the process level that you have two neighbor peerings, one IPv4 and one IPv6, and you can then go into those address families to add the “utility” commands (such as next-hop-self, etc.) on the neighbor statements, similar to EIGRP named mode where the per-address-family configuration lives under the address-family.

Again – these “utility” or “fine tuning” commands will no longer show at the process level for neighbor statements once address-families are configured; you must go into the address-family to configure fine tuning!

A second way is to use a single Peering / IP Protocol for the peering, and share routes over that one peering as such:

router bgp 100
  neighbor 172.12.15.5 remote-as 500   <—- IPv4 Peering (remote-as is only set here, at the process level)
 address-family ipv4
  neighbor 172.12.15.5 activate
  network (ipv4 prefix) mask (ipv4 mask)
 address-family ipv6
  neighbor 172.12.15.5 activate   <— Must activate the IPv4 Peering for IPv6 routes
  network (ipv6 prefix)/(prefix length) <—- Advertise IPv6 networks
  neighbor 172.12.15.5 route-map (word) out <— (Assign IPv6 next-hop for networks)
route-map (word) permit 10
  set ipv6 next-hop (this router’s IPv6 address on the link to the peer)   <— “set”, since we are supplying the next-hop, not matching one

Now before I get into WHY we need route-maps, I wanted to point out what a route-map can match on when creating an IPv6 route-map to work with BGP:

R1(config-route-map)#match ipv6 next-hop ?
  WORD         IPv6 access-list name
  prefix-list  IPv6 prefix-list
R1(config-route-map)#match ipv6 next-hop

So you will need a prefix-list or an access-list to input here; you cannot just enter your own IPv6 address here (as far as I can see without fully configuring it).

Why would we need a Route-Map in the address-family in the first place? Because when you are sending networks to a Peer, it must contain the following 3 things:

  • AS_PATH
  • NEXT_HOP
  • ORIGIN CODE

Those 3 things must be present in its updates, but IPv6 routes cannot use the IPv4-formed peering address as a next-hop, so we need to supply our own IPv6 address for this (local) side of the peering and input that into the address-family to send with network updates to our peer.

The way you can tell if it is dual IPv4 and IPv6 peerings is that they will both be configured at the process (top) level in BGP as neighbors, whereas if you ONLY see 1 IPv4 or 1 IPv6 neighbor configured before the address families, that means you are peering with that protocol only.

So if it was IPv6 doing the single peering, the roles would be reversed: our neighbor statements under the IPv4 address-family would still use the IPv6 address (as our neighbor is IPv6), while the “network” statements there still advertise IPv4 prefixes – and a route-map is still needed to give our IPv6 peer a next-hop for those IPv4 networks.

To quickly demonstrate the difference:

router bgp 100
  neighbor 2005::5 remote-as 500
 address-family ipv4
  neighbor 2005::5 activate  <— Must use the IPv6 Peering for the neighbor
  network (ipv4 prefix) mask (ipv4 mask) <— Advertise IPv4 networks
  neighbor 2005::5 route-map (anotherword) out <— Gives Next-Hop for IPv4 Ad’s
 address-family ipv6
  neighbor 2005::5 activate
  network (ipv6 prefix)/(prefix length)
route-map (anotherword) permit 10
  set ip next-hop (this router’s IPv4 address on the link to the peer)

That is all I got in me tonight on that subject, one more entire day to review BGP then a night off from studying before exam day except maybe lightly reviewing stuff like subnetting charts and Keith B’s excellent Distribute-List comparison chart.

So you probably will not hear from me again until I am on the other side of Pass / Fail.

So hopefully next time I post I will be celebrating going into SWITCH material, or healing my wounds with a couple shots of tequila and a sober cab home 🙂

See you on the other side!!

Keith Bogart’s (INE) comparison chart of how Distribute-Lists work between different protocols!

Distribute-List

Once again, with Keith Bogart’s permission he allowed me to post this up for others who do not have his course (which you should go grab a copy of), to demonstrate the differences in Distribute-List behavior between protocols.

The list speaks for itself, and if you’ve learned these and forgotten exactly which protocol does what, this list is a perfect visual reminder. The one thing Keith did mention is that under BGP, the only thing not to know for CCNP ROUTE exam day is the last information under the BGP column – You won’t see that level of detail on the exam… I hope.

So wanted to just get this graphic up as Keith said it was cool for me to throw it up for others to review, again he teaches this exhaustively and very well in his course, so I’d advise buying it via the GNS3 store as you get 50% off the CCNP R/S bundle through there apparently.

Just google GNS3 store and purchase right through there, and it will redirect you to INE’s website with the coupon code already applied, and at $200 for Keith’s training it’s a steal!

BGP Filtering / Authentication / BGP Peer group notes for exam day!

No topology for this particular post, just some quick notes on BGP filtering, which probably won’t be a huge topic on ROUTE as it’s more of a Service Provider topic.

So here we go.

BGP Filtering can be done on any router, there are no limitations like in OSPF where filtering is done on specific router types or points in the network.

Filtering can be done for inbound and outbound updates.

After filtering is enabled via filter-list / distribute-list / route-map, neighbor relationships must be reset or cleared for it to take effect, which is done with “clear ip bgp * soft [in|out]”

Now any type of filtering must be configured on a router per neighbor via the neighbor statement, whereas in IGP’s you could often just use a single command or two within the protocol itself.

Peer groups are a bit beyond the scope of CCNP, but in case it comes up on the exam, a peer group is a way to logically group together neighbors that share exactly the same BGP filtering, so that one set of commands is applied across all neighbors in the peer group.

To Filter in BGP, you have 4 options:

  • Distribute-list
  • Prefix-list
  • Filter-list
  • Route-map

To show what they require as a next step in the command, I ran them on R1:

R1(config-router)#neighbor 172.12.15.5 distribute-list ?
  <1-199>      IP access list number
  <1300-2699>  IP access list number (expanded range)
  WORD         IP Access-list name

R1(config-router)#neighbor 172.12.15.5 prefix-list ?
  WORD  Name of a prefix list

R1(config-router)#neighbor 172.12.15.5 filter-list ?
  <1-500>  AS path access list

R1(config-router)#neighbor 172.12.15.5 route-map ?
  WORD  Name of route map

R1(config-router)#neighbor 172.12.15.5 route-map (Word)

Now with route-maps you can match on ACLs, prefix-lists and AS-path access-lists, so these give you the most flexibility.

With BGP, the filter-list does not work as it did with OSPF, where it requires a prefix-list to reference – Instead it wants something called an AS path access list.

The AS Path access-list is configured with the following:

R1(config)#ip as-path access-list ?
  <1-500>  AS path access list number

R1(config)#ip as-path access-list 1 ?
  deny    Specify packets to reject
  permit  Specify packets to forward

R1(config)#ip as-path access-list 1 permit ?
  LINE  A regular-expression to match BGP AS paths. Use “ctrl-v ?” to enter “?”

R1(config)#ip as-path access-list 1 permit 200 ?
LINE    <cr>

R1(config)#ip as-path access-list 1 permit 200 500 ?
LINE    <cr>

R1(config)#ip as-path access-list 1 permit 200 500 300 ?
LINE    <cr>

R1(config)#ip as-path access-list 1 permit 200 500 300

As you can see, this is meant to filter routes based on their AS_PATH, rather than any sort of network or prefix information.
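To show what that regular expression actually matches, here is a Python model of an AS-path access-list I wrote for this post (not IOS code; it only imitates the IOS behavior of “_” and of unanchored matching). The BGP table it filters is made up. Note that the unanchored “200 500 300” from above also permits a path of 1200 500 300, which is why anchors like ^ and $ and the underscore matter.

```python
import re

# IOS treats "_" as shorthand for: start of string, end of string, space, comma,
# brace or parenthesis, so "_500_" matches AS 500 as a whole number but not 1500 or 5000
IOS_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def ios_regex_to_python(pattern: str) -> str:
    return pattern.replace("_", IOS_UNDERSCORE)


def as_path_str(as_path: list) -> str:
    """The form the regex is applied to: AS numbers separated by single spaces, "" if local."""
    return " ".join(str(asn) for asn in as_path)


def as_path_matches(pattern: str, as_path: list) -> bool:
    # re.search, not fullmatch: like IOS, an unanchored pattern matches anywhere in the path
    return re.search(ios_regex_to_python(pattern), as_path_str(as_path)) is not None


class ASPathAccessList:
    """Ordered permit/deny entries with an implicit deny at the end (ip as-path access-list N)."""

    def __init__(self):
        self.entries = []

    def add(self, action: str, pattern: str) -> "ASPathAccessList":
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        self.entries.append((action, pattern))
        return self

    def permits(self, as_path: list) -> bool:
        for action, pattern in self.entries:
            if as_path_matches(pattern, as_path):   # first matching entry decides
                return action == "permit"
        return False                                # implicit deny


def apply_filter_list(acl: ASPathAccessList, routes: dict) -> set:
    """Return the prefixes that survive 'neighbor X filter-list N in|out'."""
    return {prefix for prefix, path in routes.items() if acl.permits(path)}


# Constructed BGP table: prefix -> AS_PATH as received (not from any real network)
ROUTES = {
    "10.0.0.0/8":  [200, 500, 300],
    "10.1.0.0/16": [1200, 500, 300],
    "10.2.0.0/16": [500],
    "10.3.0.0/16": [],               # originated locally, empty AS_PATH
    "10.4.0.0/16": [300, 200],
}

if __name__ == "__main__":
    print(apply_filter_list(ASPathAccessList().add("permit", "200 500 300"), ROUTES))
    print(apply_filter_list(ASPathAccessList().add("permit", "^200 500 300$"), ROUTES))
    print(apply_filter_list(ASPathAccessList().add("permit", "_500_"), ROUTES))
    print(apply_filter_list(ASPathAccessList().add("deny", "_500_").add("permit", ".*"), ROUTES))
```

The last call is the shape you normally want in practice: an explicit deny of what you do not want, followed by “permit .*”, because otherwise the implicit deny at the end of the list silently drops every other route on that peering.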

I’m going to move on here, as the ROUTE exam I believe (hope) only really requires you to know of but not need to configure these different filtering types.

My next post I have a great screen snip of Distribute-List’s differences between protocols, then I have a lot of note reviewing for BGP to get to 🙂