Archive for October, 2009

Although I haven’t actually passed my written, I do not want to fork out another $411 until Cisco certsupport tell me to bugger off. For this reason I decided I might as well start lab study, as otherwise I am just wasting time. I have decided to go with IPExpert as I have heard it is more complete.

They give you GNS3 files which don’t work, but I did manage to modify them and save myself some time. Basically I had to add an extra two hypervisors (totalling four) and spent about an hour tweaking the idlepc values. It doesn’t seem to matter whether you pick a low number, a high number or one marked with an asterisk; you just have to keep changing it until your screen looks like this:

My PC specs are:
2.85GHz quad-core processor
4GB RAM

At this point you can yell at your monitor “ALL THUNDERBIRDS ARE GO!!” or something similar 😉

MPLS VPN Backdoor links

Posted: October 26, 2009 in IGP / BGP, MPLS

When using any dynamic routing protocol over a backdoor link or secondary VPN, routing problems (such as loops) will happen. There are several methods of dealing with this, and some protocols even have special mechanisms built in:

– Administrative Distance
– Filtering (of static prefixes)
– Site of Origin
– OSPF Sham Link

Recently I had an issue like this at work. The customer had a layer two VPN as their primary and an MPLS VPN as the backup, with OSPF as the PE-CE protocol and throughout the primary VPN. It isn’t really important which OSPF areas are where, as that did not play into the equation in this scenario. The topology is as in the diagram below, where CE1 is the head office and CE2 represents one of 15+ spoke sites. Within the MPLS VPN any-to-any connectivity is possible, but the layer two VPN is a hub and spoke configuration.

The major issue occurring was that routing loops were created because of a lack of filtering/anti-loop features. In this instance the loopback inside the VRF on PE2 was advertised to CE2 via OSPF, which was propagated to CE1 and then to PE1. At this stage the OSPF route beats the iBGP route due to administrative distance. To fix this the administrative distance of the VRF’s own OSPF process was changed:

router ospf [process] vrf [name]
distance [value]

This meant that the iBGP routes (AD 200) were now better than OSPF in terms of AD, which I set to 210. In this scenario I don’t think it was possible to use the SoO/sham-link features to solve this, but I would have to brush up on them.

The next problem which occurred was that a loopback on CE2 was being advertised to PE1 as an external route. When this was redistributed into BGP it was not given the OSPF extended communities. It would make sense that an external route is not given the special OSPF extended communities, because they wouldn’t be required to spit out a type 5 LSA on the other side.

The default behaviour when redistributing OSPF into BGP for type 1-3 LSAs seems to be to leave the weight at 0. However, this meant that the external route had a weight of 32768. Using a route-map on the redistribution I zeroed all weights; the non-redistributed route then won, probably due to metric, but I didn’t check.

It’s probably about time I did some SoO/sham-link labs as I’ve only ever read about them. I’m sure it will come up in the workbooks I’ve got; can’t wait to get started!

CCIE SP Written 350-029 – Be Warned!

Posted: October 25, 2009 in Journey

Had an attempt at this today; didn’t do much study leading up to it as I felt prepared. After finishing the test it graded and whoosh… FAIL! 776/783. Now I hate to bitch about it, but seriously, this exam set an all-time low for Cisco.

– Some questions had a diagram which did not correspond with the question (e.g. you must select 3/5 answers and 3 answers referenced R5, which was not in the diagram at all, making it impossible to answer correctly).
– Some questions asked you to choose 3/5 answers, yet three of the answers were exactly the same.
– Many questions posed a problem but did not explain which technology they were referring to (this is extremely common with MPLS VPN/BGP questions, where the answer would actually differ given a different technology).

I have registered my disgust at cisco.com/go/certsupport asking for a regrade of my written =p lol.. I do not expect them to do it but I just feel cheated. $AU411.00 for an exam that poorly constructed is outrageous. If they are going to make people fail (and I’m sure I’m not the first) because of the quality of the exam itself, then set the floating pass mark based on that; well, come on.. This is the second exam I’ve failed out of a total of eight which I have taken. The other one I failed I got a free retake for, so this is the first cost failing has incurred. I don’t mind if I fail a lab attempt because I wasn’t good enough, but failing by 0.7% because Cisco can’t write a fair exam just sucks.

Anyway, besides all this I have researched 11 questions which I found challenging and found different answers to what I put since I was unsure. I will reschedule if I hear nothing from Cisco and nail it with >80% next weekend.

Over the last few months I have learned the hard way that the difficult aspect of implementing QoS (in production networks) is not developing the policy but enabling it on the interface. The various different implementations make it very difficult, and IOS support is mixed all around. In particular I was trying to get a priority queue working on a Virtual-Access interface.

Doing some research, it quickly became apparent that:
1. Cisco does not support per-session queuing.
2. Some IOS versions could do it, but many people had tried and failed.

Using the Cisco-AV-Pair “lcp:interface-config=service-policy output/input [policy name]” and after some playing around, I managed to get something to stick and learned quite a bit on the way. Logical interfaces in IOS do not necessarily naturally allow for a state of congestion. This means that for anything to hit the priority queue you will first need a shaper. Once the logical circuit can become congested, the fancy queuing can be put to use. Until the interface becomes congested you will not see packets hit the priority queue; by doing some maths and pinging with the timeout set to zero you can force this:

LNS#show policy-map int vi2.1
Virtual-Access2.1

Service-policy output: 128k-shaper

Class-map: class-default (match-any)
732 packets, 201845 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Traffic Shaping
Target/Average   Byte   Sustain   Excess    Interval  Increment
  Rate           Limit  bits/int  bits/int  (ms)      (bytes)
128000/128000    1984   7936      7936      62        992

Adapt  Queue     Packets   Bytes     Packets   Bytes     Shaping
Active Depth                         Delayed   Delayed   Active
-      0         628       126309    100       85780     no

Service-policy : 128k-QoS

Class-map: Prec2 (match-all)
150 packets, 79500 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip precedence 2
Queueing
Strict Priority
Output Queue: Conversation 24
Bandwidth 64 (kbps) Burst 1600 (Bytes)
(pkts matched/bytes matched) 100/50500
(total drops/bytes drops) 70/35000

Class-map: Prec1 (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip precedence 1
Queueing
Output Queue: Conversation 25
Bandwidth 32 (kbps) Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0

Class-map: class-default (match-any)
582 packets, 122345 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Queueing
Flow Based Fair Queueing
Maximum Number of Hashed Queues 16
(total queued/total drops/no-buffer drops) 0/34/0
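The numbers the shaper and the priority class print above are derived rather than configured, so here is the arithmetic behind them as an added example (not code from the original post). It uses the standard token-bucket relations for a shaper (Bc = CIR × Tc, byte limit = (Bc + Be)/8) and Cisco’s default 200 ms burst for a priority class; the 1500-byte ping size in the last function is a constructed assumption.

```python
# Added example: reproduce the shaper and LLQ figures from the
# "show policy-map interface" output above, and work out how hard you have
# to ping to push the shaper into congestion so the priority queue is used.

def shaper_params(cir_bps, interval_ms, be_bits=None):
    """Per-interval values IOS prints for a shaper with the given target rate.
    Bc (Sustain) = CIR * Tc, Be (Excess) defaults to Bc, Byte Limit = (Bc+Be)/8,
    Increment = Bc/8 bytes refilled into the bucket each interval."""
    bc = cir_bps * interval_ms // 1000
    be = bc if be_bits is None else be_bits
    return {
        "sustain_bits": bc,
        "excess_bits": be,
        "byte_limit": (bc + be) // 8,
        "increment_bytes": bc // 8,
    }

def llq_default_burst(priority_bps, burst_ms=200):
    """Default policer burst for 'priority <kbps>': 200 ms worth of the rate, in bytes."""
    return priority_bps * burst_ms // 1000 // 8

def pings_per_second_to_congest(cir_bps, packet_bytes=1500, overhead_bytes=0):
    """Smallest whole number of packets per second whose offered load exceeds the
    shaper rate; beyond this point packets queue and the LLQ class is exercised.
    packet_bytes=1500 is a constructed assumption, not a value from the post."""
    bits_per_packet = (packet_bytes + overhead_bytes) * 8
    return cir_bps // bits_per_packet + 1

if __name__ == "__main__":
    # Values from the 128k-shaper / 128k-QoS output above
    print(shaper_params(128000, 62))              # sustain 7936, limit 1984, inc 992
    print(llq_default_burst(64000))               # 1600 bytes for 'priority 64'
    print(pings_per_second_to_congest(128000))    # 11 x 1500-byte packets/s
```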

I’ve seen this working in a production environment using the IOS images
c7200p-advipservicesk9-mz.124-4.XD10.bin
c7200-js-mz.122-31.SB9.bin

My lab used the same setup as the previous post, with
c3660-is-mz.123-23.bin

I guess this could even potentially be in the lab exam, doubt it though.

LNS/LAC L2TP Lab

Posted: October 11, 2009 in WAN (L2TP / PPP / FR)

As part of my preparation for the written I wanted to get a better grip on the practical configuration side of L2TP. This is something I dabble with at work on a regular basis, but I never get around to configuring vpdn-groups and the like.

Just a basic topology, no need to try and do anything too fancy; I just want to make L2TP tunnels between the LNS/LAC and have the CPE authenticate while receiving an IP address. A handy little way of not needing a RADIUS server inside the Dynamips environment is to turn on AAA with the local method. This allows the domain/username to be configured locally. Because the method list is scoped to ppp, it will also not affect your vty authentication etc.

aaa new-model
aaa authentication ppp default local

The CPE configuration simply needs to use PPP encapsulation and send a username/password. There are many ways to do the CPE depending on the underlying technology, but I doubt we will see DSLAMs in the lab exam any time soon.. maybe if it were a Huawei CCIE lab 😛

CPE
interface Serial1/0
ip address negotiated
encapsulation ppp
no fair-queue
ppp pap sent-username john@cisco.com password 0 cisco

The LAC and LNS configurations are very similar for the actual L2TP parts. Other than the vpdn-group we just need to ensure that the LAC will pick up the attempts by using “pap callin” on the layer two interface facing the imaginary DSLAM/ISDN infrastructure.

LAC
vpdn enable
vpdn search-order domain

vpdn-group PPPCustomers
request-dialin
protocol l2tp
domain cisco.com
initiate-to ip 10.0.0.0
l2tp tunnel password 123

interface Serial1/0
no ip address
encapsulation ppp
ppp authentication pap callin

Now that the LNS is receiving and de-encapsulating L2TP packets (after the very similar vpdn-group), we just need to pick up the PPP packets on a virtual-template interface; again “pap callin” is used to do this. There is also a pool to dynamically assign an address to the CPE router, and the peer command actually passes it in IPCP.

LNS
vpdn enable
vpdn-group PPPCustomers
accept-dialin
protocol l2tp
virtual-template 1
terminate-from hostname LAC
l2tp tunnel password 123

username john@cisco.com password 0 cisco

interface Virtual-Template1
ip unnumbered Loopback1
peer default ip address pool NetBlock
ppp authentication pap callin

ip local pool NetBlock 172.0.0.1 172.0.0.253

Some output of the IPCP process is displayed, and below that you can see the session has the loopback of the LNS at one end and the /32 from the pool at the other. Debugging PPP/L2TP is extremely useful in production environments, so I could imagine it’s good to have a handle on it for the lab also.

*Mar 1 01:45:56.771: Vi2.1 IPCP: Address 172.0.0.254 (0x0306AC0000FE)
*Mar 1 01:45:57.007: Vi2.1 IPCP: Pool returned 172.0.0.1
*Mar 1 01:45:57.007: Vi2.1 IPCP: Address 172.0.0.1 (0x0306AC000001)
*Mar 1 01:45:57.099: Vi2.1 IPCP: Install route to 172.0.0.1
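The hex in parentheses on the “IPCP: Address” debug lines is the raw IPCP configuration option: type 3 (IP-Address), length 6, then the four address bytes. As an added example (not part of the original post), this decodes and re-encodes that option and pulls the negotiated addresses out of the two debug lines above, which are embedded as constructed sample input.

```python
# Added example: decode the IPCP IP-Address option shown in the debug output.
# Option layout (RFC 1332): type (1 byte) | length (1 byte) | data.
import ipaddress

IPCP_OPTION_NAMES = {1: "IP-Addresses (deprecated)", 2: "IP-Compression-Protocol",
                     3: "IP-Address", 129: "Primary-DNS", 131: "Secondary-DNS"}

def decode_ipcp_option(hex_text):
    """Parse one IPCP option from the hex in a debug line, e.g. '0x0306AC0000FE'."""
    raw = bytes.fromhex(hex_text[2:] if hex_text.lower().startswith("0x") else hex_text)
    if len(raw) < 2:
        raise ValueError("option needs at least type and length")
    opt_type, length = raw[0], raw[1]
    if length != len(raw):
        raise ValueError(f"length field {length} does not match {len(raw)} bytes")
    name = IPCP_OPTION_NAMES.get(opt_type, f"type-{opt_type}")
    if opt_type in (3, 129, 131):           # address-carrying options are fixed at 6 bytes
        if length != 6:
            raise ValueError("address option must be 6 bytes")
        return name, str(ipaddress.IPv4Address(raw[2:6]))
    return name, raw[2:].hex()

def encode_ip_address_option(addr):
    """Build the IP-Address option as it appears in the debug line (0x + hex)."""
    return "0x" + bytes([3, 6]).hex().upper() + ipaddress.IPv4Address(addr).packed.hex().upper()

def addresses_from_debug(lines):
    """Extract the addresses from 'IPCP: Address ... (0x...)' debug lines."""
    found = []
    for line in lines:
        if "IPCP: Address" in line and "(0x" in line:
            hexpart = line[line.index("(0x") + 1 : line.index(")")]
            found.append(decode_ipcp_option(hexpart)[1])
    return found

# Constructed sample: the two address lines from the lab debug output above
SAMPLE_DEBUG = [
    "*Mar 1 01:45:56.771: Vi2.1 IPCP: Address 172.0.0.254 (0x0306AC0000FE)",
    "*Mar 1 01:45:57.007: Vi2.1 IPCP: Address 172.0.0.1 (0x0306AC000001)",
]

if __name__ == "__main__":
    print(addresses_from_debug(SAMPLE_DEBUG))       # ['172.0.0.254', '172.0.0.1']
    print(encode_ip_address_option("172.0.0.1"))    # 0x0306AC000001
```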

LNS#show caller user john@cisco.com

User: john@cisco.com, line Vi2.1, service PPPoVPDN
Connected for 00:00:05, Idle for 00:00:04
Timeouts:  Limit     Remaining Timer Type
           -         -         -
PPP: LCP Open, PAP (<-), IPCP
IP: Local 172.0.0.254, remote 172.0.0.1
Counts: 6 packets input, 82 bytes
7 packets output, 97 bytes

I think it’s important to identify that the 7200 image in the lab exam is not capable of any VPDN features. I’ve used “(C3660-IS-M), Version 12.3(23)” for this lab, which is the authorized image on the Cisco website.

GNS3 .net file (rename to *.rar)
WARNING!! Configurations in the “.rar” file are missing the command “l2tp tunnel password 123” on both the LAC & LNS