Posts Tagged ‘CCIE SP’

How to Get CCIE Certification

January 17th, 2012   by Daniel

Leading CCIE training, and the proper way to get CCIE certification

There is no requirement to hold another professional education or training course certificate to qualify. The CCIE Security track consists of a written exam to qualify, followed by the lab exam. You are advised to have at least 3-5 years of work experience before attempting this certification.

The CCIE Security written exam is two hours long and multiple choice. It consists of one hundred questions covering topics such as application protocols, operating systems, security technologies, security protocols, and Cisco security applications. The exam materials are provided on site and you are not allowed to bring in outside reference material.

Network engineers holding a CCIE certificate are regarded as experts in the network engineering discipline and masters of Cisco technology. The CCIE program changed how the networking industry approaches technically difficult projects, with the necessary tools and methodologies, and the program is updated and reorganized over time to keep its content current. CCIE training comes in several forms, such as written exam preparation and performance-based labs, which help improve the performance and availability of the network. Cisco launched the certification program in 1993 with a view to distinguishing the best industry professionals from the rest.

To be certified, you must first pass the written exam and then the lab exam. Cisco tries at all times to use distinct CCIE training methods for better performance. There are a number of steps to the CCIE certification. The first is a two-hour, computer-based, multiple-choice written exam. Payment for this exam is made online, and it can be paid for with exam vouchers and promotional codes. Candidates should verify that the company supplying the voucher is genuine, because fraudulent vouchers and promotional codes will not be accepted and Cisco will not refund the cost. After paying, candidates must wait five days before sitting the written exam, and in the case of recertification they cannot sit the same exam again within the following 180 days.

To become certified and eligible for CCIE training, some points should be kept in mind. After passing the written exam, candidates have at most 18 months in which to attempt the lab exam; if that period is exceeded, the written exam result becomes invalid. For first-time candidates, the written exam is sometimes offered as a beta exam at a discount. During the beta period a candidate may sit the exam only once, and results arrive six to eight weeks after the exam is over.

The next step toward the CCIE certification is the lab exam. Only candidates who have passed the written exam can apply for the hands-on lab exam. Cisco has many written exam centres, but lab exam facilities are limited. It is an eight-hour hands-on practical exam in which the candidate's ability to troubleshoot and configure network-based scenarios and applications is tested. To schedule the lab exam, candidates must present the identification number, passing score and date of passing from their written exam.

The lab exam fee must be paid at least 90 days before the scheduled exam date; without payment the reservation may be cancelled. After passing the lab exam in addition to the written exam, candidates can apply for the CCIE certification. By attending to all the details of the steps above, you can get the Cisco certification in hand and be trained for the CCIE program.

Post in CCIE R&S | Comments Closed

Setting the DSCP or TOS Field

January 16th, 2012   by Daniel

The solution to this problem depends on the kinds of traffic distinctions you need to make, as well as the version of IOS you are running on your routers.

There must be something that defines the different kinds of traffic you want to prioritize. In general, the easier the distinctions are to make, the better, because every check consumes router resources and introduces processing delay. The most common rules for distinguishing between traffic types use the packet's input interface and simple IP header information such as TCP port numbers. The following examples show how to set an IP Precedence value of immediate (2) for all FTP control traffic that arrives through the serial0/0 interface, and an IP Precedence of priority (1) for all FTP data traffic. This distinction is possible because FTP control traffic uses TCP port 21 and FTP data uses port 20. Note that only active-mode FTP uses port 20 for its data connection; passive-mode data connections use ephemeral ports and will not match this classification.

The newer way to configure this uses class maps, which Cisco first introduced in IOS Version 12.0(5)T. This method first defines a class-map that specifies how the router will identify this kind of traffic. It then defines a policy-map that actually makes the changes to the packet's TOS field:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 101 permit tcp any eq ftp any
Router(config)#access-list 101 permit tcp any any eq ftp
Router(config)#access-list 102 permit tcp any eq ftp-data any
Router(config)#access-list 102 permit tcp any any eq ftp-data
Router(config)#class-map match-all ser00-ftpcontrol
Router(config-cmap)#description branch ftp control traffic
Router(config-cmap)#match input-interface serial0/0
Router(config-cmap)#match access-group 101
Router(config-cmap)#exit
Router(config)#class-map match-all ser00-ftpdata
Router(config-cmap)#description branch ftp data traffic
Router(config-cmap)#match input-interface serial0/0
Router(config-cmap)#match access-group 102
Router(config-cmap)#exit
Router(config)#policy-map serialftppolicy
Router(config-pmap)#description branch ftp traffic policy
Router(config-pmap)#class ser00-ftpcontrol
Router(config-pmap-c)#set ip precedence immediate
Router(config-pmap-c)#exit
Router(config-pmap)#class ser00-ftpdata
Router(config-pmap-c)#set ip precedence priority
Router(config-pmap-c)#exit
Router(config-pmap)#exit
Router(config)#interface serial0/0
Router(config-if)#ip route-cache policy
Router(config-if)#service-policy input serialftppolicy
Router(config-if)#exit
Router(config)#end
Router#

For earlier IOS versions, where class-maps were not available, you have to use policy-based routing to change the TOS field in the packet. Applying this policy to the interface tells the router to check all incoming packets on this interface against the route map and rewrite those that match:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 101 permit tcp any eq ftp any
Router(config)#access-list 101 permit tcp any any eq ftp
Router(config)#access-list 102 permit tcp any eq ftp-data any
Router(config)#access-list 102 permit tcp any any eq ftp-data
Router(config)#route-map serialftp-rtmap permit 10
Router(config-route-map)#match ip address 101
Router(config-route-map)#set ip precedence immediate
Router(config-route-map)#exit
Router(config)#route-map serialftp-rtmap permit 20
Router(config-route-map)#match ip address 102
Router(config-route-map)#set ip precedence priority
Router(config-route-map)#exit
Router(config)#interface serial0/0
Router(config-if)#ip policy route-map serialftp-rtmap
Router(config-if)#ip route-cache policy
Router(config-if)#exit
Router(config)#end
Router#

Before you can tag a packet for special treatment, you need a very clear idea of what kinds of traffic need special treatment, and exactly what kind of special treatment they will need. In the example, we decided to give a distinct priority to FTP traffic received on a particular serial interface, and we show how to do this using both the old and the new configuration methods.

This may seem like a somewhat artificial example. After all, why would you care about tagging inbound traffic you have already received from a low-speed interface? In fact, one of the most important rules for implementing QoS in a network is that you should always tag the packet as early as possible, preferably at the edges of the network. Then, as it passes through the network, each router only needs to look at the tag and doesn't have to do any further classification. In this case, we would make sure that the FTP traffic returning in the other direction is tagged by the first router that receives it. So the outbound traffic has already been tagged, and it would be a waste of router resources to reclassify the outbound packets.

Many organizations take this concept of marking at the edges one step further and re-mark every received packet. This helps ensure that clients are not requesting special QoS privileges they are not entitled to: any host can write whatever it likes into its own TOS byte, so a marking only means something once a router you control has validated or rewritten it. But you should be careful with this, because it can sometimes disrupt legitimate markings. For example, a real-time application may use RSVP to reserve bandwidth in the network. It is then important that the packets for this application carry the appropriate Expedited Forwarding (EF) DSCP marking, or the network may not handle them properly. However, you also don't want to allow other non-real-time applications from the same source to carry the same EF priority level. So, if you are going to configure your routers to re-mark all incoming packets at the edges, make sure you understand which incoming markings are legitimate.

A later recipe marks packets in a different situation: there the routers run DLSw to bridge SNA traffic through an IP network, so the routers themselves build the IP packets. This creates an additional problem, because there is no incoming interface, so that recipe uses local policy-based routing instead. The fact that the router creates the packets also gives it an important advantage, because it does not have to examine any DLSw packets that merely happen to pass through.

The benefits of the newer class-map approach are not obvious in this example, but one of the first big advantages appears when you want to use the more modern DSCP tagging scheme. Because the older policy-based routing method doesn't directly support DSCP, you have to fake it by setting both the IP Precedence and the TOS separately, as follows.

Router(config)#route-map serialftp-rtmap permit 10
Router(config-route-map)#match ip address 115
Router(config-route-map)#set ip precedence immediate
Router(config-route-map)#set ip tos max-throughput

In this case, the packet ends up with an IP Precedence value of immediate, or 2 (010 in binary), and a TOS of max-throughput, or 4 (0100 in binary). Together these bits form the TOS byte 0x48, which is the same as DSCP 18 (010010 in binary), the code point AF21.

Doing the same thing with the class-map method is much more direct:

Router(config)#policy-map serialftppolicy
Router(config-pmap)#class serialftpclass
Router(config-pmap-c)#set ip dscp af21

Class-maps will also be useful later in this chapter when we discuss class-based weighted fair queuing and class-based traffic shaping.

It is important to note that throughout this example we have only set a particular value in the packet's TOS or DSCP field. This, by itself, does not affect how the packet is forwarded through the network. To do that, you must ensure that as each router in the network forwards these marked packets, the interface queues respond appropriately to this information.
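The following Python model is an added example, not code from the recipe or from Cisco. It checks two things the text states but does not demonstrate: that the old PBR pair (set ip precedence immediate plus set ip tos max-throughput) produces exactly the TOS byte that set ip dscp af21 produces, and that the edge re-marking policy described above can strip an EF mark a client set for itself while keeping it for a trusted RSVP source. It also runs the serialftppolicy classification over constructed packets. The Packet fields, the 10.1.1.0/24 trusted prefix and the sample addresses are assumptions made for the example; the bit layout follows RFC 791 and RFC 2474 (TOS byte = precedence(3) | tos(4) | mbz(1), or DSCP(6) | ECN(2)).

```python
"""Added example: a small model of IOS packet marking (not the recipe's own code).
Shows (1) the PBR precedence+tos pair equals `set ip dscp af21`,
(2) the serialftppolicy classification on constructed packets,
(3) edge re-marking that honours EF only from trusted sources.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# IOS keywords for the 3-bit precedence and the 4-bit TOS subfield.
PRECEDENCE = {"routine": 0, "priority": 1, "immediate": 2, "flash": 3,
              "flash-override": 4, "critical": 5, "internet": 6, "network": 7}
TOS4 = {"normal": 0, "min-monetary-cost": 1, "max-reliability": 2,
        "max-throughput": 4, "min-delay": 8}


def af(cls: int, drop: int) -> int:
    """Assured Forwarding AFxy code point (RFC 2597): class<<3 | drop<<1."""
    if not (1 <= cls <= 4 and 1 <= drop <= 3):
        raise ValueError("AF class must be 1-4 and drop precedence 1-3")
    return (cls << 3) | (drop << 1)


DSCP = {"default": 0, "af21": af(2, 1), "ef": 46}   # EF = 46 (RFC 3246)


def tos_from_precedence_and_tos(prec: str, tos: str) -> int:
    """TOS byte produced by `set ip precedence` plus `set ip tos` (the PBR method)."""
    return (PRECEDENCE[prec] << 5) | (TOS4[tos] << 1)


def tos_from_dscp(dscp: int) -> int:
    """TOS byte produced by `set ip dscp`: six DSCP bits above the two ECN bits."""
    return (dscp & 0x3F) << 2


def dscp_of(tos_byte: int) -> int:
    return tos_byte >> 2


def precedence_of(tos_byte: int) -> int:
    return tos_byte >> 5


@dataclass
class Packet:          # assumed minimal view of an IP packet for classification
    src: str
    dst: str
    proto: str         # "tcp", "udp", ...
    sport: int
    dport: int
    in_if: str         # input interface, e.g. "serial0/0"
    tos: int = 0       # TOS byte as received


FTP_CONTROL, FTP_DATA = 21, 20   # ports matched by access-list 101 / 102


def matches_acl(p: Packet, port: int) -> bool:
    """Both ACL lines of the recipe: tcp with that port as source or destination."""
    return p.proto == "tcp" and port in (p.sport, p.dport)


def set_precedence(p: Packet, name: str) -> Packet:
    # `set ip precedence` rewrites only the top three bits; TOS/ECN bits are kept.
    p.tos = (PRECEDENCE[name] << 5) | (p.tos & 0x1F)
    return p


def serialftppolicy(p: Packet) -> Packet:
    """Model of policy-map serialftppolicy applied inbound on serial0/0.
    Each class-map is match-all (input interface AND access-group); first class wins."""
    if p.in_if == "serial0/0" and matches_acl(p, FTP_CONTROL):
        return set_precedence(p, "immediate")
    if p.in_if == "serial0/0" and matches_acl(p, FTP_DATA):
        return set_precedence(p, "priority")
    return p                       # class-default: marking left untouched


# Assumed: the only hosts allowed to originate EF are the RSVP-reserved real-time sources.
TRUSTED_EF_SOURCES = [ip_network("10.1.1.0/24")]


def edge_remark(p: Packet) -> Packet:
    """Edge re-marking: EF is honoured only from trusted sources; any other
    packet claiming EF is reset to the default code point."""
    if dscp_of(p.tos) == DSCP["ef"] and not any(ip_address(p.src) in n for n in TRUSTED_EF_SOURCES):
        p.tos = tos_from_dscp(DSCP["default"])
    return p


if __name__ == "__main__":
    old = tos_from_precedence_and_tos("immediate", "max-throughput")
    new = tos_from_dscp(DSCP["af21"])
    print(f"PBR method 0x{old:02x}, class-map method 0x{new:02x}, AF21 = DSCP {DSCP['af21']}")
    ctl = serialftppolicy(Packet("192.168.10.5", "172.16.1.9", "tcp", 40000, 21, "serial0/0"))
    data = serialftppolicy(Packet("172.16.1.9", "192.168.10.5", "tcp", 20, 40001, "serial0/0"))
    print("ftp control precedence", precedence_of(ctl.tos), "ftp data precedence", precedence_of(data.tos))
    spoofed = edge_remark(Packet("192.168.20.7", "10.9.9.9", "udp", 5004, 5004, "fa0/1", tos_from_dscp(DSCP["ef"])))
    print("untrusted EF became DSCP", dscp_of(spoofed.tos))
```

The edge_remark policy is deliberately narrow (it only polices EF); a stricter edge would reset every non-default mark from untrusted ports, which is what "re-mark every received packet" means in practice.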

Finally, we should note that although this recipe shows two useful methods of marking packets, there is a third, using Committed Access Rate (CAR) features. CAR tends to be more efficient on high-speed interfaces.

Post in CCIE SP | Comments Closed


Filtering BGP Routes Based on AS Paths

January 3rd, 2012   by Daniel

You can use AS Path filters, either inbound or outbound, to filter the routes you receive or the routes you send, respectively. You must apply these filters to each peer separately:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip as-path access-list 15 permit ^65501$
Router1(config)#ip as-path access-list 25 permit _65530_
Router1(config)#ip as-path access-list 25 deny _65531$
Router1(config)#ip as-path access-list 25 permit .*
Router1(config)#router bgp 65500
Router1(config-router)#neighbor 192.168.1.5 remote-as 65510
Router1(config-router)#neighbor 192.168.1.5 filter-list 15 in
Router1(config-router)#neighbor 192.168.2.5 remote-as 65520
Router1(config-router)#neighbor 192.168.2.5 filter-list 25 out
Router1(config-router)#exit
Router1(config)#end
Router1#
One of the most common reasons for filtering routes based on the AS Path is to prevent AS transit, as we showed in Recipes 9.4 and 9.5. However, there are some other useful applications for AS Path filters. The example shown above contains two distinct filters, one of which applies to routes received inbound from one neighbor, and the other works on outbound routes sent to a second neighbor.
AS Path filters are constructed by using a subset of UNIX regular expressions. Regular expressions provide an extremely powerful and general pattern matching syntax. Many scripting languages, such as Perl, Java, awk, sed, PHP, and Python, use regular expressions for string manipulation. A detailed description of the syntax is out of the scope of this book, but fortunately, BGP path filters don't require all of the magic of the regular expression syntax. This is because all AS Paths consist of simply numbers separated by whitespace. There are no other characters to worry about, and every AS Path has a similar construction. Only the specific ASNs and the number of whitespaces ever change. For more information on regular expressions in general, please refer to Mastering Regular Expressions by Jeffrey Friedl (O'Reilly).
The ^ character anchors a pattern to the beginning of the AS Path and $ anchors it to the end. So the pattern ^$ simply means that the field is empty, because the start is immediately followed by the end. In the case of a BGP AS Path, that means that this route must originate inside this AS.
Looking at the example above, then, it should be clear that access-list number 15 looks for paths that contain only one ASN, which must be 65501:
Router1(config)#ip as-path access-list 15 permit ^65501$
Because there is both a ^ and a $ in the pattern, this filter will match routes whose AS Path consists of just a single ASN, which must have a value of 65501. This filter will remove any downstream routes that AS 65501 is merely passing along. Also, as with normal access lists, AS Path filters end with an implicit deny all clause. So the router will suppress any other routes that don't match this pattern.
The second AS Path filter in the example is somewhat more complicated:
Router1(config)#ip as-path access-list 25 permit _65530_
Router1(config)#ip as-path access-list 25 deny _65531$
Router1(config)#ip as-path access-list 25 permit .*
This shows that you can have filters that span multiple lines, although the example itself is a little bit artificial. The first line in this filter permits any routes that pass through AS 65530. The ASN in this line is surrounded by _ characters. The _ character stands for whitespace, although it is a little bit confusing because, for example, _65530_ seems to imply that it will match the ASN 65530 only if it appears in the middle of an AS Path. But, in fact, _65530_ will match any path containing the ASN, 65530, even if it is at the beginning or the end of the path. Conversely, _65531$ will only match AS Paths that end with AS 65531, meaning those routes that originate in AS 65531.
This little _ delimiter character is extremely important because AS Path filters use a literal text pattern matching. For example, consider the following filter, which doesn't include this character:
Router1(config)#ip as-path access-list 26 permit 55
This AS Path filter will match not only paths containing AS 55, but any other ASN that happens to contain the digits 55, such as 65530, 7553, or 255. But it is unlikely that you actually want to match on substrings within an ASN like this. So you should always remember to include these delimiter characters.
We included the following line in the recipe example because we needed to counteract the implicit deny all at the end of any AS Path access list:
Router1(config)#ip as-path access-list 25 permit .*
This statement explicitly permits all other AS Paths that have not matched any of the earlier lines in the filter rule. The character "." in this filter matches any character, while the * indicates that there can be any number of characters. In fact, * literally means zero or more matches. In many cases, you actually need to match one or more times, for which you can use the + character.
There are many interesting uses for AS Path filters. For example, you might want to allow routes from an ISP and its immediate customers, but not from anything further away. This is easily accomplished with the following filter:
Router1(config)#ip as-path access-list 27 permit ^[0-9]+$
Router1(config)#ip as-path access-list 27 permit ^[0-9]+_[0-9]+$
This filter uses a couple of little tricks. The first trick is to specify a range, as in [0-9]. This means that the rule will match any character that falls in the range from 0 to 9, inclusive. Following this with the + character means that the rule matches one or more of these patterns. So the first line in this filter matches all paths that contain one and only one ASN, although it doesn't matter what this ASN actually is. The second line similarly matches all paths that contain exactly two ASNs. The net effect is to allow only routes from the directly attached ISP AS, and from any other AS that is directly connected to the ISP.
Another way to write the same thing is to match on the delimiters in the AS Path, instead of the actual ASN values. To do this, you might use a pattern like this:
Router1(config)#ip as-path access-list 28 deny _.+_.+_.+_
Router1(config)#ip as-path access-list 28 permit .*
In the first line of this access list, the "." character matches anything, including delimiters as well as digits. So this pattern will match an AS Path that includes at least four AS Path delimiters, with something in between them. Since the first and last delimiters could be the beginning and end of the AS Path, rather than actual whitespace, this access list causes the router to suppress any AS Path that includes three or more ASNs. It's slightly confusing because you have to think in terms of matching on delimiters rather than ASNs, but the net effect of AS Path access list number 28 is identical to 27 above. And, if you wanted to increase the maximum number of ASN values in the path from two to, say, five, this syntax is much more flexible:
Router1(config)#ip as-path access-list 29 deny _.+_.+_.+_.+_.+_.+_
Router1(config)#ip as-path access-list 29 permit .*
It's useful to remember that you can affect not only the routes you receive, but also the routes that you send using AS Path filters.
Router1(config)#ip as-path access-list 15 permit ^$
Router1(config)#router bgp 65500
Router1(config-router)#neighbor 192.168.1.5 remote-as 65520
Router1(config-router)#neighbor 192.168.1.5 filter-list 15 out
In this case, the filter permits only routes that have an empty AS Path, meaning that the routes must have originated locally within this AS. This filter suppresses any external routing information when forwarding its routing table. So the external networks don't know about any downstream networks that can be reached through this router.
You could use a slightly more complicated outbound filter if you wanted. This example allows only directly connected networks to use your AS for transit:
Router1(config)#ip as-path access-list 16 deny _.+_.+_
Router1(config)#ip as-path access-list 16 permit .*
Router1(config)#router bgp 65500
Router1(config-router)#neighbor 192.168.1.5 remote-as 65520
Router1(config-router)#neighbor 192.168.1.5 filter-list 16 out
The router applies this filter before it adds itself to the AS Path. So when we deny the pattern _.+_.+_, this suppresses all AS Paths with two or more ASNs, leaving only AS Paths that have a single ASN. Any path with one ASN must originate in a directly connected AS.
This AS Path filter might seem a little bit confusing because it denies paths that we don't want rather than permitting the ones we do. If you prefer, you could create a filter that has the identical effect by explicitly permitting only the paths that we want and implicitly denying the ones we don't want:
Router1(config)#ip as-path access-list 17 permit ^[0-9]+$
Router1(config)#ip as-path access-list 17 permit ^$
Both of these filters allow the router to forward routing information that originates in this AS, and in any networks that are directly connected to us. Bear in mind that this doesn't prevent a device that is fifteen hops away from reaching one of our neighbors through our network. But it does prevent them from reaching anything more distant than one of our direct neighbors through our AS.
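The following is an added example, not part of the recipe: a Python emulation of how IOS evaluates an ip as-path access-list, so that the patterns discussed above (the ^$ anchors, the _ delimiter, the "55" substring pitfall, and the delimiter-counting filters 27/28 and 16/17) can be tried against sample AS Paths. It assumes that IOS's _ stands for "start of string, end of string, space, comma, brace or parenthesis", as Cisco documents it; that the other metacharacters behave as in an ordinary regex; and that entries are tested in order with first match winning and an implicit deny at the end. The AS Paths are constructed for the example, not taken from a real BGP table.

```python
"""Added example: emulate IOS `ip as-path access-list` matching in Python
(not the recipe's own code).  Assumed IOS semantics are described in the comments."""
import re

DELIM = r"(?:^|$|[ ,{}()])"     # what the IOS `_` metacharacter stands for (assumed per Cisco docs)


def ios_aspath_regex(pattern: str):
    """Translate an IOS as-path regex into a Python one; only `_` needs rewriting."""
    return re.compile(pattern.replace("_", DELIM))


def evaluate(acl, as_path: str) -> bool:
    """True if the access-list permits this AS Path.  Entries are tried in order,
    the first match decides, and the implicit deny at the end returns False."""
    for action, pattern in acl:
        if ios_aspath_regex(pattern).search(as_path):
            return action == "permit"
    return False


# The access lists from the recipe, as ordered (action, pattern) entries.
ACL15 = [("permit", "^65501$")]                                  # only what 65501 originates
ACL25 = [("permit", "_65530_"), ("deny", "_65531$"), ("permit", ".*")]
ACL27 = [("permit", "^[0-9]+$"), ("permit", "^[0-9]+_[0-9]+$")]  # at most two ASNs
ACL28 = [("deny", "_.+_.+_.+_"), ("permit", ".*")]              # same intent, counting delimiters
ACL16 = [("deny", "_.+_.+_"), ("permit", ".*")]                 # outbound: at most one ASN
ACL17 = [("permit", "^[0-9]+$"), ("permit", "^$")]              # outbound, permit form
ACL26 = [("permit", "55")]                                       # the missing-delimiter pitfall

# Constructed inbound paths.  An eBGP neighbour always prepends its own ASN, so a
# received path is never empty; the empty path only exists for locally originated routes.
SAMPLE_INBOUND = ["65501", "65501 65502", "65530", "100 65530 200", "65531",
                  "100 65531", "65531 100", "65510 65501", "1 2 3", "7553"]


def permitted(acl, paths):
    """The subset of paths that the access-list lets through."""
    return [p for p in paths if evaluate(acl, p)]


def asn_count(as_path: str) -> int:
    return len(as_path.split())


if __name__ == "__main__":
    for name, acl in (("15", ACL15), ("25", ACL25), ("27", ACL27), ("28", ACL28), ("26", ACL26)):
        print(f"as-path access-list {name} permits: {permitted(acl, SAMPLE_INBOUND)}")
    print("outbound 16 on a locally originated (empty) path:", evaluate(ACL16, ""))
    print("outbound 17 on a locally originated (empty) path:", evaluate(ACL17, ""))
```

Running this shows why the delimiter matters: access-list 26 permits "65501", "65530" and "7553" because all three contain the digits 55. It also shows the one place lists 27 and 28 differ: 28 permits the empty path and 27 does not. That never matters for an inbound filter, since an eBGP peer always prepends its own AS, but it is exactly the difference between outbound lists 16 and 17 above, both of which deliberately let the empty (locally originated) path through. On a real router you can check a pattern the same way with show ip bgp regexp before attaching it to a neighbor.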

Post in CCIE Voice | Comments Closed

CCIE Voice, Configuring BGP

December 31st, 2011   by Daniel

In its simplest configuration, BGP exchanges routes between a router in one AS and another router in a different AS. The first router is in AS 65500:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface Serial0
Router1(config-if)#ip address 192.168.55.6 255.255.255.252
Router1(config-if)#exit
Router1(config)#router bgp 65500
Router1(config-router)#network 192.168.1.0
Router1(config-router)#neighbor 192.168.55.5 remote-as 65501
Router1(config-router)#no synchronization
Router1(config-router)#exit
Router1(config)#end
Router1#
The second router is in AS 65501:
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#interface Serial0
Router2(config-if)#ip address 192.168.55.5 255.255.255.252
Router2(config-if)#exit
Router2(config)#router bgp 65501
Router2(config-router)#network 172.25.17.0 mask 255.255.255.0
Router2(config-router)#neighbor 192.168.55.6 remote-as 65500
Router2(config-router)#no synchronization
Router2(config-router)#exit
Router2(config)#end
Router2#
This example shows two routers in different Autonomous Systems. Router1 is in AS 65500, and is configured to share routing information only for a single network using the command network 192.168.1.0. Because this is a classful network, we don't need to include a mask. However, you will notice that the syntax of the network command on Router2 is different:
Router2(config-router)#network 172.25.17.0 mask 255.255.255.0
This is because the routing information we want to share only includes 172.25.17.0/24, and not the entire classful network, 172.25.0.0/16.
Note that this minimal configuration does not authenticate the peering session. In practice you would also configure a shared secret with neighbor 192.168.55.5 password on both routers, so that a host spoofing the peer address cannot open a session and inject routes.
The first thing you should do after configuring two routers for BGP is to ensure that they are able to establish a BGP connection. You can verify this with the command show ip bgp summary:
Router1#show ip bgp summary
BGP router identifier 192.168.99.5, local AS number 65500
BGP table version is 7, main routing table version 7
4 network entries and 4 paths using 484 bytes of memory
2 BGP path attribute entries using 196 bytes of memory
BGP activity 11/7 prefixes, 11/7 paths

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.55.5    4 65501      17      18        7    0    0 00:12:38        2
Router1#
Here you can see that Router1 has a BGP neighbor, 192.168.55.5, in AS 65501. The most critical detail here is the last column, State/PfxRcd. In this column, you will see either a word, indicating the state of the peer connection, or a number, indicating the number of routing prefixes (that is, the number of distinct subnets in the routing table) that have been received from this peer.
In this case, the router had a valid BGP session with the neighbor device, 192.168.55.5, for just over 12 minutes. If this session is broken for any reason, you will most likely see either the word "Active" or "Idle" in this field. The following output shows another peer device, 172.25.2.2, which is down:
Router1#show ip bgp summary
BGP router identifier 192.168.99.5, local AS number 65500
BGP table version is 7, main routing table version 7
4 network entries and 4 paths using 484 bytes of memory
2 BGP path attribute entries using 196 bytes of memory
BGP activity 11/7 prefixes, 11/7 paths

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.55.5    4 65501      17      18        7    0    0 00:12:38        2
172.25.2.2      4 65531     527     526        0    0    0 21:05:23 Active
Router1#
More than one engineer has seen the word "Active" (or "Connect") here and thought that the session was active. But, in fact it means that this peer relationship is currently down. The BGP connection is only up if you see a number in the last column. Note also that the word "Idle" in this column indicates that the router doesn't believe that a session is even possible with this peer device, or that it has not yet attempted to connect (the router will wait several seconds before attempting a connection). If the Idle condition persists, this usually indicates that the remote peer is unreachable. A persistent "Active" state, on the other hand, most likely indicates a configuration problem.

It often takes almost a minute to establish a BGP peer connection, so be patient if you don't see the peers immediately connect. If after this time they still have failed to connect, you should double check your "neighbor" configuration statements. Make sure that you have the right remote IP address and AS number, in particular. If these are correct and you can ping the remote peer's IP address, then you should make sure that the routers are using the interfaces that you think they are to reach the destination.
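Reading the State/PfxRcd column by eye is error-prone, as the paragraph above notes. The following is an added example, not code from the original post: it parses the neighbor table of a Cisco IOS "show ip bgp summary" and reports a session as established only when the last column is a number, attaching the post's troubleshooting hint to the state word otherwise. The sample output is constructed to mirror the table shown above; the state hints and the "Idle (Admin)" handling are the example's own assumptions.

```python
"""Classify BGP peers from 'show ip bgp summary' output.

Added example (not from the original post): parses the neighbor table of
a Cisco IOS 'show ip bgp summary' and separates established sessions (a
number in State/PfxRcd) from sessions that are down (a word such as
Active, Idle or Connect).
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: same columns and values as the post's second
# 'show ip bgp summary', with 172.25.2.2 stuck in Active.
SAMPLE_OUTPUT = """\
BGP router identifier 192.168.99.5, local AS number 65500
BGP table version is 7, main routing table version 7
4 network entries and 4 paths using 484 bytes of memory
2 BGP path attribute entries using 196 bytes of memory
BGP activity 11/7 prefixes, 11/7 paths

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.55.5    4 65501      17      18        7    0    0 00:12:38        2
172.25.2.2      4 65531     527     526        0    0    0 21:05:23 Active
"""

# Hints follow the post's explanation of the State/PfxRcd column
# (assumed wording; not an IOS message).
STATE_HINTS = {
    "Idle": "router is not attempting a session; check that the peer is reachable",
    "Active": "TCP connection attempts are failing; check neighbor address and AS number",
    "Connect": "TCP connection in progress; wait, then check reachability",
}


@dataclass
class Peer:
    address: str
    remote_as: int
    up_down: str
    state: str                 # "Established" or the word IOS printed
    prefixes: Optional[int]    # prefixes received when established, else None

    @property
    def established(self) -> bool:
        return self.state == "Established"


def parse_bgp_summary(text: str) -> List[Peer]:
    """Parse the neighbor rows that follow the 'Neighbor' header line."""
    peers: List[Peer] = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Neighbor"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        fields = line.split()
        # Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
        if len(fields) < 10:
            continue
        last = " ".join(fields[9:])  # state words can contain spaces, e.g. "Idle (Admin)"
        if last.isdigit():
            peers.append(Peer(fields[0], int(fields[2]), fields[8], "Established", int(last)))
        else:
            peers.append(Peer(fields[0], int(fields[2]), fields[8], last, None))
    return peers


def down_peers(text: str) -> List[Peer]:
    """Peers whose session is not established, whatever word IOS shows."""
    return [p for p in parse_bgp_summary(text) if not p.established]


def hint_for(peer: Peer) -> str:
    """Troubleshooting hint for a down peer, following the post's guidance."""
    if "(Admin)" in peer.state:
        return "neighbor is administratively shut down"
    base = peer.state.split()[0]
    return STATE_HINTS.get(base, "session not established; check configuration")


if __name__ == "__main__":
    for peer in parse_bgp_summary(SAMPLE_OUTPUT):
        if peer.established:
            print(f"{peer.address} AS{peer.remote_as}: up {peer.up_down}, {peer.prefixes} prefixes")
        else:
            print(f"{peer.address} AS{peer.remote_as}: DOWN ({peer.state}); {hint_for(peer)}")
```

Run it against captured output from a router and the second line of the sample is reported as down even though the word in the column is "Active", which is exactly the misreading the post warns about.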
The example in the Solutions section of this recipe shows an eBGP peer relationship because we have configured different ASNs on the two routers:

Router1(config)#router bgp 65500
Router1(config-router)#neighbor 192.168.55.5 remote-as 65501
This shows that Router1 is in AS 65500, while Router2 is in AS 65501. You configure iBGP peers the same way, but the neighbor statement specifies the same ASN value as the router bgp statement. We can add an iBGP peer in AS 65500 as follows:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface Ethernet0
Router1(config-if)#ip address 192.168.1.5 255.255.255.0
Router1(config-if)#exit
Router1(config)#router bgp 65500
Router1(config-router)#neighbor 192.168.1.6 remote-as 65500
Router1(config-router)#exit
Router1(config)#end
Router1#
And we would configure the other iBGP peer router like this:
Router3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router3(config)#interface Ethernet0
Router3(config-if)#ip address 192.168.1.6 255.255.255.0
Router3(config-if)#exit
Router3(config)#router bgp 65500
Router3(config-router)#neighbor 192.168.1.5 remote-as 65500
Router3(config-router)#exit
Router3(config)#end
Router3#
There is no need to establish a peer relationship between this new router and the eBGP peer, Router2. Router3 may connect to one or more other, completely different ASs, though. And there is nothing to prevent you from having an iBGP peer that doesn't connect to any eBGP peers. However, it is important to create a full mesh of iBGP relationships among all of the BGP routers inside any given AS.
BGP uses a permanent TCP connection between pairs of peer routers, and every peer relationship must be configured manually. This is actually one of the biggest strengths of BGP because it allows you to configure unique properties, such as unique filtering for each peer. With the various IGPs that we have already discussed, the routing peers generally discover one another dynamically by default.
However, the above examples only specify the destination IP address, not the source address. In this particular case, there is only one way to reach the destination, so there is no need to specify the source address, as the routers will simply use the IP address of the nearest interface. There are some cases where you do need to specify the source address, though.
For example, you might have two iBGP routers in your network, with several different possible paths between them. In this case, it would be better to configure the two routers to use their loopback addresses for the peer configuration, rather than the physical interfaces, which could go down. If you have redundant paths, you may as well use them. You could configure the router to use its loopback address for BGP as follows:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface Ethernet0
Router1(config-if)#ip address 192.168.55.6 255.255.255.0
Router1(config-if)#exit
Router1(config)#interface Ethernet1
Router1(config-if)#ip address 192.168.56.10 255.255.255.0
Router1(config-if)#exit
Router1(config)#interface Loopback0
Router1(config-if)#ip address 172.21.19.1 255.255.255.255
Router1(config-if)#exit
Router1(config)#ip route 172.20.1.2 255.255.255.255 192.168.55.1
Router1(config)#ip route 172.20.1.2 255.255.255.255 192.168.56.1
Router1(config)#router bgp 65500
Router1(config-router)#neighbor 172.20.1.2 remote-as 65500
Router1(config-router)#neighbor 172.20.1.2 update-source Loopback0
Router1(config-router)#exit
Router1(config)#end
Router1#

Then, on the other router, you would have:
Router3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router3(config)#interface Ethernet0
Router3(config-if)#ip address 192.168.55.1 255.255.255.0
Router3(config-if)#exit
Router3(config)#interface Ethernet1
Router3(config-if)#ip address 192.168.56.1 255.255.255.0
Router3(config-if)#exit
Router3(config)#interface Loopback0
Router3(config-if)#ip address 172.20.1.2 255.255.255.255
Router3(config-if)#exit
Router3(config)#ip route 172.21.19.1 255.255.255.255 192.168.55.6
Router3(config)#ip route 172.21.19.1 255.255.255.255 192.168.56.10
Router3(config)#router bgp 65500
Router3(config-router)#neighbor 172.21.19.1 remote-as 65500
Router3(config-router)#neighbor 172.21.19.1 update-source Loopback0
Router3(config-router)#exit
Router3(config)#end
Router3#
Each of these routers uses the other's loopback IP address for its BGP neighbor statement. But to create a TCP session, you need the source address from one end to match the destination address of the other. So we have included commands to force each router to use its loopback interface as the source address:
Router1(config-router)#neighbor 172.20.1.2 update-source Loopback0
We strongly recommend using the update-source option, specifying a loopback interface on both routers, whenever you have redundant paths between iBGP peers.
So far, everything that we have discussed has to do with establishing the iBGP and eBGP peer relationships. We haven't exchanged any actual routing information yet. This brings us to the network commands in the example configuration files. On the first router, we used the classful version of the command to advertise an entire Class C network, 192.168.1.0/24:
Router1(config)#router bgp 65500
Router1(config-router)#network 192.168.1.0
The second router, however, uses the more general classless version of the network command:
Router2(config)#router bgp 65501
Router2(config-router)#network 172.25.17.0 mask 255.255.255.0
These commands allow the router to pick up routes out of its routing table and pass them along using BGP. BGP will not advertise anything that it doesn't have in its routing table. The first command will advertise the prefix 192.168.1.0/24 if it is in the routing table, while the second one will advertise 172.25.17.0/24. It is important to realize that these are literally the prefixes that BGP will advertise. If you have a route for 192.168.1.4/32, then the first network statement we mentioned will not cover it. Instead, you would have to explicitly include a network command for this prefix:
Router1(config)#router bgp 65500
Router1(config-router)#network 192.168.1.4 mask 255.255.255.255
You can also use redistribution to inject routes into BGP from either static routes or foreign routing protocols. We strongly recommend against redistribution to introduce routes into BGP if it can be avoided.
Note that because BGP will only advertise a prefix if it is in the routing table, an unstable IGP route could introduce instability into BGP. You can ensure the route is always available, though, by using a floating static route pointing to the null interface:
Router1(config)#ip route 192.168.1.0 255.255.255.0 null0 250
Here we have specified an Administrative Distance of 250 for this route. This value is deliberately very high to ensure that it is worse than any IGP, as well as iBGP. Now when the dynamic route drops out of the IGP routing table, the router replaces it with this floating static route, and BGP continues to advertise the prefix. This is not always desirable, of course. You may want this BGP router to stop advertising routes that it cannot reach. But in most cases, stability is more important. Looking back at the example in the Solutions section of this recipe, you will see that we disabled synchronization on both routers:
Router1(config)#router bgp 65500
Router1(config-router)#no synchronization
Synchronization is enabled by default. This feature is intended for situations in which your AS acts as a transit for packets from one AS to another, but where some of the routers in your AS do not run BGP. In this case, the routers that only run the IGP need to have the same routing table as the BGP routers, or the AS could become a black hole for the unsynchronized routes. If synchronization is enabled in this situation, BGP will only advertise routes that are present in both the IGP and BGP route tables.

In this example, we had no intention of carrying the BGP routing table through the IGP. We generally recommend disabling synchronization, unless you are running an IGP and redistributing routes between BGP and the IGP.

Take a close look at the examples in this recipe because they show how Cisco's BGP configuration syntax works. When you want to change the parameters for a particular peer, you must first define the neighbor and the AS that this peer resides in. Then you can start to define any nondefault behavior for this peer with further neighbor commands that specify the

Post in CCIE R&S | Comments Closed

CCIE lab exam, CCIE certification

December 29th, 2011   by Daniel

The CCIE lab exams are part of the certification programs run by Cisco to evaluate candidates on their troubleshooting and configuration abilities. The CCIE certification is awarded after successfully passing both the written and the lab exam. It is considered one of the highest-level certifications in the world.

The CCIE lab exam is part of the Cisco Certified Internetwork Expert (CCIE) certification program. It is considered to certify the highest level of technical expertise in the industry. With a CCIE, professionals have an opportunity to establish themselves in the field of networking. Only a few thousand people are believed to have passed the CCIE exam. CCIE labs are considered to provide a high-level training environment, which is a major benefit for candidates.

The CCIE exam is conducted in 5 different tracks. They are routing and switching, security, service provider, storage networking, and voice. The CCIE exam involves two tests, a CCIE written test and a CCIE lab exam. In order to attempt the lab exam, you must clear the written exam. If you are not able to clear the written exam the first time, you must wait 180 days before retaking it. After clearing the written test, you should attempt the CCIE lab exam within 18 months. If you are unable to clear the lab exam, you must re-attempt it within 12 months in order to keep the written exam result valid.

The written exam is computer based and consists of one hundred multiple-choice questions. It has a time limit of two hours and is conducted in various test centers across the world. The subjects covered in the written exam depend on the specialization or track you choose. For service provider, you can choose from categories such as Cable, DSL, IP Telephony, Dial, Content Networking, Optical, WAN Switching, and Metro Ethernet. Each written exam is made available in beta form at a cost of $50 USD.

If you clear the written exam in whichever track you chose, you will be called for the CCIE lab exam. The CCIE lab exam is unique in nature, as it is an eight-hour exam that tests the candidate's ability to configure and troubleshoot networking equipment. Cisco has high-end equipment in its CCIE labs for use in the lab exams. The blueprint of the lab exam is available on its website. The lab exam is not available at all Pearson VUE or Prometric testing centers.

A typical CCIE R&S lab exam includes a two-hour troubleshooting section in which you are presented with a set of tickets for preconfigured networks in the CCIE labs. You should be able to identify and resolve the faults. You can proceed to the configuration section after you finish the troubleshooting section.

A valid passing score is required to attempt a CCIE lab exam. Cisco uses proctors to evaluate candidates in the preliminary rounds in its CCIE labs located worldwide. Points are awarded when a criterion is met, and grading is performed using automated tools. The results of a lab exam are reported within 48 hours. A pass/fail is shown in the result, and in case of a fail, the areas where you fell short are listed so that you can prepare well before a retry.

Cisco stands out in the field of networking by offering the CCIE certification, which lets you pursue your training and be recognized by a reputable organization. The CCIE lab exam can be used as a platform to test your abilities in the various tracks offered by Cisco. Attempting a lab exam requires rigorous training and a high level of understanding. The CCIE labs form the first step toward a high-potential career.

Post in CCIE R&S | Comments Closed

Finding an IP Route

December 20th, 2011   by Daniel

The EXEC level command to look at the entire IP routing table is:

Router>show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is 172.25.1.1 to network 0.0.0.0

     192.168.17.0/27 is subnetted, 1 subnets
C       192.168.17.0 is directly connected, Loopback1
     172.16.0.0/30 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, Async1
     172.25.0.0/16 is variably subnetted, 6 subnets, 3 masks
C       172.25.25.0/30 is directly connected, Tunnel0
C       172.25.1.0/24 is directly connected, Ethernet0
C       172.25.9.0/24 is directly connected, Ethernet1
C       172.25.10.1/32 is directly connected, Loopback0
O       172.25.100.1/32 [110/11] via 172.25.9.2, 4d09h, Ethernet1
O IA    172.25.100.0/24 [110/11] via 172.25.1.1, 2d11h, Ethernet0
     192.168.1.0/32 is subnetted, 1 subnets
S       192.168.1.1 [1/0] via 172.25.1.4
O*E1 0.0.0.0/0 [110/11] via 172.25.1.1, 1d07h, Ethernet0

You can also find the route to a particular device, such as 172.25.100.15:

Router>show ip route 172.25.100.15
Routing entry for 172.25.100.0/24
  Known via "ospf 55", distance 110, metric 11, type inter area
  Redistributing via ospf 55
  Last update from 172.25.1.1 on Ethernet0, 2d12h ago
  Routing Descriptor Blocks:
  * 172.25.1.1, from 172.25.1.1, 2d12h ago, via Ethernet0
      Route metric is 11, traffic share count is 1

The output of the first command contains a lot of useful information. At the top is an explanation of the different codes used in the information that follows. For example, every line that begins with a "C" refers to a route that is directly connected to one of the router's interfaces, "S" means a static route, and so forth.

Note it's possible to have more than one such code, as in the route for 172.25.100.0/24. In this case, the first letter, "O", indicates that this route was learned via the OSPF routing protocol. The next two letters, "IA," indicate that this is an OSPF interarea route. Similarly, the entry for 0.0.0.0/0 is an OSPF external route of Type 1. The "*" indicates that this route is a candidate for default route. There may be several such candidates, but the one that the router thinks is best is captured at the top of the table in the line beginning "Gateway of last resort."

In a large network, it is often not very useful to list the entire routing table like this. Instead, if you are looking for a particular route, you can search for it directly, as the second example in this recipe shows.

Notice that the router did not have a 32-bit match for this particular destination, so it shows instead its best match, 172.25.100.0/24. The result shows several useful pieces of information. It says exactly which match is being used. It tells you how the router knows about this route, via OSPF Process ID number 55, in this case. It also indicates that the next hop required to reach that destination is the device 172.25.1.1, and that it reaches this device through the interface Ethernet0.

If the desired route cannot be resolved except by means of the default gateway, the response is much shorter:

Router> show ip route 172.15.101.5
% Network not in table

This means that the router will use the default route when trying to reach this device. If there is no default route, it will drop the packets. Note that this assumes that we are using classless routing. If we had enabled classful routing on the router, then, if it has a route for any subnet of the classful network, it will also have an entry for the entire network. In this case the classful network would be 172.15.0.0/16.
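The two lookups above (a best match of 172.25.100.0/24 for 172.25.100.15, and "% Network not in table" for 172.15.101.5) are longest-prefix matching with the default route excluded. The following is an added example, not code from the original post: it parses the "show ip route" table shown in this recipe, including the "is subnetted" header lines that carry the mask for the entries beneath them, and reproduces the router's lookup. The table is constructed from the output above; the Route fields and function names are the example's own.

```python
"""Longest-prefix lookup over a parsed Cisco IOS 'show ip route' table.

Added example (not from the original post): parses 'show ip route' output
into prefixes and reproduces the router's lookup logic, i.e. pick the
most specific matching route and report '% Network not in table' when
only the default route covers the destination.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed from the post's 'show ip route' output.
SAMPLE_TABLE = """\
Gateway of last resort is 172.25.1.1 to network 0.0.0.0

     192.168.17.0/27 is subnetted, 1 subnets
C       192.168.17.0 is directly connected, Loopback1
     172.16.0.0/30 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, Async1
     172.25.0.0/16 is variably subnetted, 6 subnets, 3 masks
C       172.25.25.0/30 is directly connected, Tunnel0
C       172.25.1.0/24 is directly connected, Ethernet0
C       172.25.9.0/24 is directly connected, Ethernet1
C       172.25.10.1/32 is directly connected, Loopback0
O       172.25.100.1/32 [110/11] via 172.25.9.2, 4d09h, Ethernet1
O IA    172.25.100.0/24 [110/11] via 172.25.1.1, 2d11h, Ethernet0
     192.168.1.0/32 is subnetted, 1 subnets
S       192.168.1.1 [1/0] via 172.25.1.4
O*E1 0.0.0.0/0 [110/11] via 172.25.1.1, 1d07h, Ethernet0
"""

# "<net>/<len> is subnetted, N subnets": the entries below carry no /len
SUBNET_HDR = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2}) is (?:variably )?subnetted")
# "<codes>  <prefix>[/len]  <rest>", e.g. "O IA    172.25.100.0/24 [110/11] via ..."
ROUTE_LINE = re.compile(
    r"^(?P<codes>[A-Za-z*][^\s]*(?:\s[A-Z][A-Z0-9]?)?)\s+"
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)\s+(?P<rest>.+)$"
)
NEXT_HOP = re.compile(r"via (\d{1,3}(?:\.\d{1,3}){3})")


@dataclass
class Route:
    codes: str
    network: ipaddress.IPv4Network
    next_hop: Optional[str]     # None for directly connected routes
    interface: Optional[str]    # None when IOS shows no outgoing interface


def parse_routes(text: str) -> List[Route]:
    routes: List[Route] = []
    current_len: Optional[int] = None
    for line in text.splitlines():
        hdr = SUBNET_HDR.match(line)
        if hdr:
            current_len = int(hdr.group(2))
            continue
        m = ROUTE_LINE.match(line)
        if not m:
            continue
        prefix = m.group("prefix")
        if "/" not in prefix:
            if current_len is None:
                raise ValueError(f"no mask known for {prefix}")
            prefix = f"{prefix}/{current_len}"
        rest = m.group("rest")
        parts = [p.strip() for p in rest.split(",")]
        if rest.startswith("is directly connected"):
            next_hop, interface = None, parts[1]
        else:
            hop = NEXT_HOP.search(rest)
            next_hop = hop.group(1) if hop else None
            # "[110/11] via 172.25.9.2, 4d09h, Ethernet1": interface is the last field
            interface = parts[-1] if len(parts) >= 3 else None
        routes.append(Route(m.group("codes"),
                            ipaddress.ip_network(prefix, strict=False),
                            next_hop, interface))
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Most specific non-default route covering destination, or None.

    None corresponds to IOS printing '% Network not in table'; the packet
    then follows the default route if one exists, otherwise it is dropped.
    """
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if r.network.prefixlen > 0 and addr in r.network]
    return max(candidates, key=lambda r: r.network.prefixlen, default=None)


def default_route(routes: List[Route]) -> Optional[Route]:
    return next((r for r in routes if r.network.prefixlen == 0), None)


if __name__ == "__main__":
    table = parse_routes(SAMPLE_TABLE)
    for dest in ("172.25.100.15", "172.25.100.1", "172.15.101.5"):
        best = lookup(table, dest)
        print(dest, "->", f"{best.network} via {best.next_hop} {best.interface}" if best
              else "% Network not in table")
```

Note that 172.25.100.1 resolves to the /32 learned via Ethernet1 rather than the /24 via Ethernet0, which is the same longest-match rule the router applies; the parser only handles classless tables, as the recipe's closing paragraph assumes.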

Post in CCIE Voice | Comments Closed

CCIE Lab Training, a vital step toward acquiring technical knowledge

November 15th, 2011   by Daniel

The CCIE R&S training course has been introduced as a solution to the complex nature of network systems. Routing and switching is a crucial element in the networking approach of Cisco-trained individuals. The concept is a must for all professionals who wish to excel in the chosen field of networking. Many individuals involved in information technology have trouble addressing various communication glitches. Most of these individuals are in dire need of training. Though they have certifications to show that they went through a course of study, their knowledge is certainly lacking. In addition, there are many who are struggling to cope with the demands of a network expert.

The CCIE R&S training procedures are very important to an individual's access to the data connection environment. For years, various seminars and orientations have been given by many schools and companies. Academic instruction is sponsored by corporations to upgrade the skills of professionals in tackling the various facets of information technology. Advancement in networking skills is a matter of necessity. Though a variety of tools and capabilities are available for resolving communication disturbances, people with network certification in the CCIE R&S field are very much in high demand. The availability of equipment and devices to handle connection faults means nothing if no qualified personnel are in place to verify the problem. When it comes to concepts, specialists are numerous. Nevertheless, network concepts can never be applied if these so-called specialists cannot explain the significance of what they learned in school.

CCIE R&S is all about application. This side of the networking program is difficult to master. Its applied concepts are associated with the essential network protocols. The curriculum of CCIE R&S training presents an intensive outline of strategies crucial to straightening out communication problems. Networking is not only about technological advancement. It is also about controlling the connection lines. With vital information being shared and transmitted anywhere across the globe, the need to put every transmission into its proper perspective is essential to a thriving network process. Routing and switching rely on fundamentals. More than that, the principle behind their functions is the transmission of data or information in the simplest, most secure, and fastest way possible. Clearing the communication lines and controlling the traffic is important in the sharing of data. A certified network professional must not only learn about routing and switching functions. The application of those concepts has to be done according to correct protocols and procedures.

CCIE R&S is classed under advanced-level technologies. This class usually takes up to eighty hours of study. It complements the advanced technologies laboratory workbook. Training inside the lab opens the way to a rather competitive environment. A number of routers are available, and each candidate is then instructed or given scenarios to troubleshoot. This is the time when networking knowledge is applied to the hilt. Applications of methods and procedures are observed throughout the process. Candidates are given various problems to work on. CCIE R&S offers an exposure that makes individuals think. After being lectured and equipped with Cisco documentation and networking fundamentals, there is a need to capitalize on what the students have learned inside the classroom. Going into the CCIE Lab Training is a vital step toward acquiring technical knowledge of troubleshooting various audio and video scenarios. More than that, it also allows the candidates to think quickly in assessing the situations at hand.

Post in CCIE R&S | Comments Closed

Content-Filtering Examples of CCIE Exams

June 1st, 2011   by Michel

A corporation has two Websense servers located on the firewall's DMZ interface at 192.168.199.10 and 192.168.199.11. The firewall intercepts every HTTP request and relays them to the Websense servers. If neither server responds within the default 5-second period (for each server), the firewall allows the request.

The only exceptions to this policy are with all hosts on the 192.168.4.0/24 subnet, which are allowed to request any URL with no Websense intervention. Inside host 192.168.7.33 is allowed to request any URL as well. Inside host 192.168.7.40 is allowed to request URLs from outside server 172.24.1.10 without Websense intervention. If the inside host requests URLs from any other address, Websense is consulted.

All HTTPS and FTP requests are subject to the local Websense policies.

To improve filtering server response, 128 blocks of memory are dedicated to buffering web content that arrives before the filtering server can respond. A cache is also configured so that repeated URL requests can be serviced immediately without waiting for further filtering server replies. This cache uses 128 KB of memory and is based on the source and destination address combinations.

The configuration for this example is as follows:

url-server (dmz) vendor websense host 192.168.199.10 protocol TCP version 4
url-server (dmz) vendor websense host 192.168.199.11 protocol TCP version 4
filter url http 0 0 0 0 allow proxy-block
filter url except 192.168.4.0 255.255.255.0 0 0
filter url except 192.168.7.33 255.255.255.255 0 0
filter url except 192.168.7.40 255.255.255.255 172.24.1.10 255.255.255.255
filter https 443 0 0 0 0 allow
filter ftp 21 0 0 0 0 allow
url-block block 128
url-cache src_dst 128
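The exception rules above are easy to misread, so here is an added example (not part of the original post) that parses this configuration and answers, for a given source and destination, whether the firewall consults Websense, bypasses it through a "filter url except" entry, or does not filter that protocol at all. It also surfaces the "allow" keyword, which is what makes the policy fail open when neither Websense server answers within its timeout. The decision names and the host addresses used in the test are the example's own constructions.

```python
"""Evaluate a PIX/ASA 'filter url' policy for a given request.

Added example (not from the original post): parses the post's Websense
configuration and decides, for a source/destination pair, whether the
firewall consults Websense ("consult"), bypasses it via a 'filter ...
except' entry ("bypass"), or does not filter that protocol at all
("not-filtered"). Exceptions are per protocol: 'filter url except'
applies to HTTP only, matching the post's statement that HTTPS and FTP
remain subject to policy.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

# The post's configuration, verbatim.
CONFIG = """\
url-server (dmz) vendor websense host 192.168.199.10 protocol TCP version 4
url-server (dmz) vendor websense host 192.168.199.11 protocol TCP version 4
filter url http 0 0 0 0 allow proxy-block
filter url except 192.168.4.0 255.255.255.0 0 0
filter url except 192.168.7.33 255.255.255.255 0 0
filter url except 192.168.7.40 255.255.255.255 172.24.1.10 255.255.255.255
filter https 443 0 0 0 0 allow
filter ftp 21 0 0 0 0 allow
url-block block 128
url-cache src_dst 128
"""


def _net(addr: str, mask: str):
    """PIX accepts '0 0' as shorthand for 0.0.0.0 0.0.0.0 (any host)."""
    a = ipaddress.ip_address("0.0.0.0" if addr == "0" else addr)
    m = ipaddress.ip_address("0.0.0.0" if mask == "0" else mask)
    return int(a) & int(m), int(m)


@dataclass
class Scope:
    src_net: int
    src_mask: int
    dst_net: int
    dst_mask: int

    def matches(self, src: str, dst: str) -> bool:
        s, d = int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst))
        return (s & self.src_mask) == self.src_net and (d & self.dst_mask) == self.dst_net


@dataclass
class ProtocolFilter:
    scope: Scope
    fail_open: bool    # 'allow' keyword: permit the request if no url-server answers
    exceptions: List[Scope] = field(default_factory=list)


@dataclass
class FilterPolicy:
    url_servers: List[str] = field(default_factory=list)
    filters: Dict[str, ProtocolFilter] = field(default_factory=dict)


def parse_filter_config(text: str) -> FilterPolicy:
    policy = FilterPolicy()
    pending: Dict[str, List[Scope]] = {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "url-server":
            policy.url_servers.append(t[t.index("host") + 1])
        elif t[0] == "filter" and t[1] in ("url", "https", "ftp"):
            proto = t[1]
            scope = Scope(*_net(t[3], t[4]), *_net(t[5], t[6]))
            if t[2] == "except":
                pending.setdefault(proto, []).append(scope)
            else:
                # filter <proto> <port|http> src smask dst dmask [allow] [proxy-block] ...
                policy.filters[proto] = ProtocolFilter(scope, "allow" in t[7:])
    for proto, scopes in pending.items():
        if proto in policy.filters:
            policy.filters[proto].exceptions.extend(scopes)
    return policy


def filter_decision(policy: FilterPolicy, proto: str, src: str, dst: str) -> str:
    f = policy.filters.get(proto)
    if f is None or not f.scope.matches(src, dst):
        return "not-filtered"
    if any(e.matches(src, dst) for e in f.exceptions):
        return "bypass"
    return "consult"


def fails_open(policy: FilterPolicy, proto: str) -> bool:
    """True when requests are permitted if the filtering servers do not respond."""
    f = policy.filters.get(proto)
    return bool(f and f.fail_open)
```

Running filter_decision over a few constructed hosts confirms the prose: 192.168.7.40 bypasses Websense only toward 172.24.1.10, and every HTTPS or FTP request is consulted regardless of source. The fails_open check is the one to review when auditing such a configuration, since an unresponsive pair of filtering servers silently turns the policy into "allow everything".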

Post in CCIE SP | No Comments »