My new site
Monday, November 9, 2009
As I have already mentioned, my new site is located at
www.cciematrix.com
My love for my first blog is not over yet, so I have decided to keep this blog alive along with the other one.
by MY CCIE JOURNEY | 0 comments
Hello all. I just replicated my blog to a new address. Initially I thought of making a redirect, but then I thought why not mention it in the first place so that readers actually know where it is being redirected.
My new site address is
http://www.cciematrix.com
I did this because I thought I should have full control over my site, and I have other ideas as well.
Hope you will enjoy my new site, and thanks for your support.
Best Regards
Rakesh
by MY CCIE JOURNEY | 0 comments
Hello everyone !
It's been a while since I wrote to my blog! Many things happened in the meanwhile. First of all I got a job and was busy adapting to the new role, and secondly I went through a very frustrating phase in my personal life and everything was near hell!
Moving on: I am done with MCSE 2k3 and am also planning for MCITP Enterprise Admin, and speaking of which I have other Juniper exams remaining which I need to clear up. I didn't do any study and I don't know if I can pass them or not.
Completed some of the link layer technologies and am also moving on to labs.
A detailed Excel sheet will be uploaded. You can get it and also make some of your own. Creating a plan in an Excel sheet is helping me keep track of some of the things.
by MY CCIE JOURNEY | 0 comments
Hello all, in my certification rush I got some gift vouchers from my friends and went on to attempt my first ever 70-290 just to try my luck. Went through the study guide and, poof, went through the exam.
by MY CCIE JOURNEY | 2 comments
Hello all, two pieces of good news to start with
by MY CCIE JOURNEY | 0 comments
Hello guys, I have made a video on deploying and implementing a syslog server in a GNS3 environment. A syslog server logs all messages from the routers in GNS3 and records them.
by MY CCIE JOURNEY | 0 comments
by MY CCIE JOURNEY | 2 comments
Hello, myself and another friend of mine are going for our rs studies and were on gtalk last night discussing some multicasting and general prep stuff. I suddenly got an idea about remote desktop and had heard about TeamViewer a few months ago. Quickly went to their website and downloaded the stuff.
by MY CCIE JOURNEY | 2 comments
Hello everyone, as you know, if I come across any exciting stuff I share it with most of you. I happened to get Narbik's 'demo' of his COD, which was roughly around 10 min on OSPF filtering techniques, and the entire COD was awesome... In ten minutes he covered most of the info in minute detail. The demo VOD should be up within a day or two. Can't wait to get hands on that one as I am going for RS v4, which includes troubleshooting.
For more info you can always visit his site at
http://www.net-workbooks.com/index.html
Will update you if I happen to find any interesting stuff again..
guday and take care
Rakesh
by MY CCIE JOURNEY | 0 comments
A sudden catastrophic change of plans has taken place in the past 12 hours. I was happy that I had got all of the Juniper vouchers and was about to take the JNCIA-ER exam this week, until I went to Cisco's website and found that CCIE written v4 is now in beta phase and offered for as low as 50$. Well, who won't take that price (at least students like me ;) ) to go out and take a dreadful exam which was 350$, and that too completely changed, with MPLS and troubleshooting introduced.
So, can't help it for another month. I have been studying stuff seriously.. done with IPv6 stuff and will let you know if possible. I am excited about this beta exam; even though I know it would be insanely tough to pass, I will still give the exam hell before it declares me as fail hehe
Thank you and sorry for the change of plans
by MY CCIE JOURNEY | 0 comments
Topology:
-> The minimum requirement is that there must be multiple routers capable of running VRRP in a LAN segment.
-> If there are two WAN circuits and a routing policy in place uses only one of the two WAN links, VRRP should be tuned accordingly.
Master or Backup:
-> The beefier router is obviously preferred over the non-beefy one as master ;)
-> Assignment of the VIP address is one of the important aspects.
Load Balancing:
-> Load balancing can be a tricky part, though let us agree it is not that hard. Assign two routers as masters. Assign half of the routers one VIP address and the others the other VIP address. Load balancing will be done swiftly.
Preemption:
-> Preemption is enabled by default. Disable preemption to eliminate unneeded mastership changes during failure and recovery scenarios if you have both routers as masters.
Security:
-> Options exist for securing VRRP exchanges.
first option: no authentication
second option: simple text password
third option (most secure): HMAC-MD5-96 (md5)
Avoid WAN link failure:
-> Either have complete redundancy
-> Or implement interface tracking
by MY CCIE JOURNEY | 0 comments
-> 4 STATES
* INITIALIZE
* MASTER
* BACKUP
* TRANSITION
-> Initialize:
-> All routers begin in the initialize state, in which each participating VRRP router essentially announces its capability, priority and other parameters.
-> No packets are forwarded in this state, as there is no master VRRP router to do the forwarding.
-> Master/Backup:
-> A master router assumes responsibility for forwarding packets and answering ARP requests from the hosts for the VIP address.
-> The master sends periodic announcements that indicate the master router's state and priority. If these announcements are not received for a specific period of time, the backup router takes over the role of the master router.
-> Routers in the backup state monitor the master's presence and are ready to take over the role if the master goes down.
-> Transition:
-> In the event of a mastership change, the backup router might, for a very brief moment, be in what is known as the transition state. This is simply a transitional step in which a router changes from the backup state to the master state, during which no forwarding occurs for the LAN.
by MY CCIE JOURNEY | 0 comments
-> VRRP version 2 uses a common advertisement packet (buzz word) to communicate with other VRRP routers.
-> VRRP uses the multicast address 224.0.0.18 and a TTL of 255.
-> The default advertisement interval can be changed if needed: the default is 1 second and the range is 1-255 seconds. Sub-second intervals of 100-999 milliseconds can also be configured, which must be supported by all VRRP routers.
-> The above can be done with the "fast-interval" option.
-> Fields which must match in a VRRP packet for all VRRP routers:
-> VRID
-> Authentication parameters
If they do not match, the packets are discarded.
-> A VRRP router uses the virtual MAC address as its MAC address when it sends a packet.
The format is something like 00-00-5E-00-01-VRID
Determining Master:
-> The higher priority wins in a VRRP election. The default is 100 and the range is 1-255.
-> A router can become a master router only when it has the VIP address, and in that case the priority must be set to 255. Preemption is supported by default. If the master happens to fail, the other router which has the higher priority will take over, and if the master returns, the other router steps down and the returning router takes over the master role again.
-> We can administratively disable preemption where VRRP routers do not own the VIP address.
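The acceptance checks listed above (destination 224.0.0.18, TTL 255, matching VRID and authentication parameters) written out as an added Python example; it is not code from the original post. The `local` settings dictionary, the function names and the sample password are assumptions, and the advertisement layout and authentication type codes follow the VRRPv2 packet format.

```python
import hmac
import socket
import struct

VRRP_GROUP = "224.0.0.18"                   # multicast destination from the notes
VRRP_TTL = 255                              # required IP TTL from the notes
AUTH_NONE, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2  # VRRPv2 authentication type codes


def virtual_mac(vrid):
    """Virtual MAC in the 00-00-5E-00-01-VRID format given above."""
    return "00-00-5E-00-01-%02X" % vrid


def build_advert(vrid, priority, vips, auth_type=AUTH_NONE, password=b"", interval=1):
    """Pack a VRRPv2 advertisement as it appears after the IP header."""
    # The checksum field (final H) stays 0: the notes do not cover it and
    # check_advert() below does not read it.
    head = struct.pack("!BBBBBBH", 0x21, vrid, priority, len(vips),
                       auth_type, interval, 0)
    addrs = b"".join(socket.inet_aton(ip) for ip in vips)
    return head + addrs + password.ljust(8, b"\x00")[:8]


def check_advert(local, dst_ip, ttl, payload):
    """Return (accepted, detail): detail is the sender's priority when the
    advert is accepted, otherwise the reason it is discarded."""
    if dst_ip != VRRP_GROUP:
        return False, "destination is not 224.0.0.18"
    if ttl != VRRP_TTL:
        # A TTL below 255 means the packet was forwarded by a router,
        # so it did not originate on the local segment.
        return False, "TTL is not 255"
    if len(payload) < 16:
        return False, "truncated"
    ver_type, vrid, priority, count, auth_type, _interval = struct.unpack(
        "!BBBBBB", payload[:6])
    if ver_type != 0x21:
        return False, "not a VRRPv2 advertisement"
    if len(payload) != 8 + 4 * count + 8:
        return False, "length does not match address count"
    if vrid != local["vrid"]:
        return False, "VRID mismatch"
    if auth_type != local["auth_type"]:
        return False, "authentication type mismatch"
    if auth_type == AUTH_SIMPLE:
        expected = local["password"].ljust(8, b"\x00")[:8]
        if not hmac.compare_digest(payload[-8:], expected):
            return False, "authentication data mismatch"
    # AUTH_MD5: the HMAC-MD5-96 value travels in an IP Authentication Header,
    # outside this payload, so it is not checked here.
    return True, priority


def backup_takes_over(my_priority, master_priority, preempt=True):
    """Higher priority wins. With preemption disabled only the VIP owner
    (priority 255) still takes the master role back."""
    return my_priority > master_priority and (preempt or my_priority == 255)
```

Simple text authentication travels in clear text inside the advertisement, which is why the notes rank HMAC-MD5-96 as the most secure of the three options.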
by MY CCIE JOURNEY | 0 comments
vrrp:
-> An election protocol used to designate one of multiple VRRP routers as master, which assumes forwarding responsibilities for a LAN. Similar to HSRP and GLBP in Cisco terms; not to say that VRRP is not there, but it gives you an idea.
-> All routers that could potentially assume the role of the master VRRP router for that subnet are known as backup VRRP routers.
Terms:
-> Virtual Router: The virtual router is a logical entity that functions as the default router on a LAN segment or network
-> VRID: Virtual Router ID, which identifies one virtual router from another
-> VIP: The virtual IP is managed by the virtual router and is attached to the VRRP router functioning as the master of that network.
-> VRRP Router: A VRRP router is any router participating in VRRP, including the master and backup routers. A VRRP router may belong to more than one virtual router group
-> Master Router: The master router is responsible for forwarding packets on the LAN segment. It also performs some ARP functions for the virtual router. Election is typically based on a user-defined priority.
-> Backup Router: As the name indicates, it will take the role of master when the master is down.
by MY CCIE JOURNEY | 0 comments
Topics include :
-> VRRP
-> DHCP
-> OTHER COMMONLY USED FEATURES
by MY CCIE JOURNEY | 0 comments
Configuration of nat:
-> STEP 1 : DEFINE A SERVICES INTERFACE
-> STEP 2: CREATE A NAT POOL
-> STEP 3: DEFINE NAT RULES
-> STEP 4: CREATE SERVICE SET
Services Interface :
-> The services interface takes the form sp-0/0/0 on all J-series routers; on M-series routers it is named according to its position.
-> The services interface is used for processing NAT traffic, and you configure it with a single logical unit and family inet.
-> Creating a NAT pool and a NAT rule are obvious steps for NAT. Defining a service set links the NAT rule and the services interface, so it is an important step.
Once this is done, you can apply the service set to both the input and output directions on the untrusted interface.
Monitoring NAT:
-> "show services nat pool" -> to view NAT pools and pool details
-> "show services stateful-firewall flows" -> to view NAT flow details
Done with chapter 7
by MY CCIE JOURNEY | 0 comments
The basic definitions of NAT / PAT are obvious and need no further explanation, so we will move on to something important with Juniper, i.e. APPLICATION-LEVEL GATEWAYS
-> Some protocols include some combination of IP addresses and TCP or UDP ports in their payload. If a router is configured to perform NAT and translates only the layer 3 and layer 4 headers, the IP addresses and TCP or UDP ports included in the payload by these protocols will be wrong and may prevent the application from running properly.
-> Additionally, some protocols have control connections that begin other sessions. Because these sessions are created dynamically and often use random port numbers, the firewall rules will likely not allow these sessions.
-> Application-level gateways (ALGs) allow the router to interact with protocols at Layer 4 and above.
-> When you configure the router to use an ALG, it inspects the payload of connections, translating IP addresses and ports in the payload and updating the sessions started by the control connection.
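What an ALG does with such a payload, shown for the active-mode FTP `PORT` command as an added Python example; it is not code from the original post or from JUNOS. The class name, the port allocation scheme and the sample addresses are assumptions.

```python
import re

# Active-mode FTP carries the client's address and port inside the control
# payload:  PORT h1,h2,h3,h4,p1,p2   where port = p1 * 256 + p2
PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


class FtpAlg:
    """Rewrites PORT commands and tracks the data sessions they announce."""

    def __init__(self, public_ip, first_port=50000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.pinholes = {}  # public port -> (inside ip, inside port)

    def translate_control(self, src_ip, payload):
        """Return the payload to forward, or None when it must be dropped.

        A header-only NAT would forward the payload untouched, leaving the
        private address inside it for the server to connect back to.
        """
        m = PORT_RE.match(payload)
        if m is None:
            return payload                      # not a PORT command
        nums = [int(g) for g in m.groups()]
        if max(nums) > 255:
            return None                         # malformed octet
        inside_ip = ".".join(str(n) for n in nums[:4])
        inside_port = nums[4] * 256 + nums[5]
        if inside_ip != src_ip:
            # The client may only announce its own address; anything else
            # would open a pinhole towards a third host.
            return None
        public_port = self.next_port
        self.next_port += 1
        self.pinholes[public_port] = (inside_ip, inside_port)
        octets = self.public_ip.replace(".", ",").encode()
        # The rewritten line can differ in length from the original, so a
        # real ALG also has to adjust TCP sequence numbers on the control
        # connection.
        return b"PORT %s,%d,%d\r\n" % (octets, public_port >> 8, public_port & 0xFF)

    def open_data(self, public_port):
        """Match an incoming data connection against the recorded pinholes.

        Each pinhole is used once and then removed.
        """
        return self.pinholes.pop(public_port, None)
```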
by MY CCIE JOURNEY | 0 comments
-> When you configure MLPPP, the router first sends the traffic to the PIC with the logical bundle interface for processing.
-> The pic performs any necessary fragmentation and determines how to distribute the traffic between the constituent links.
-> It then sends packets to PFE (packet forwarding engine) which sends to the output interfaces for transmission
-> You can configure up to 8 links per bundle
-> A member link is considered up when the PPP link control protocol (LCP) phase transitions to the open state.
"show interfaces ls-0/0/0" for monitoring PPP
by MY CCIE JOURNEY | 0 comments
J-series services Architecture:
->J-series include virtual AS pic available.
->Implemented as real-time thread within the j-series forwarding process.
->Services thread presents itself as a virtual sp-0/0/0 interface in the JUNOS software
MLPPP: Multilink ppp
->Multilink Point-to-point is a protocol that facilitates the bundling of multiple point-to-point circuits
->MLPPP is a layer 2 service that you can configure in Junos software
BENEFITS OF MLPPP:
->Creates a virtual link that provides greater bandwidth than individual member links
->provides load balancing across member links by splitting , recombining and sequencing datagrams across multiple logical data links
-> Cost-effective solution for getting incremental bandwidth
by MY CCIE JOURNEY | 0 comments
*** These are the core points from the student guide with some modifications if possible
Chapter objectives :
-> service architectures
-> mlppp
-> nat/pat
layer 2 services include
MLPPP -> multilink point-to-point
MLFR -> multilink frame-relay
CRTP -> compressed real-time protocol
layer 3 services
AS pic (BUZZ WORD)
-> Provides services through service sets and its adaptive services interfaces (sp-)
-> stateful firewalls , nat , ipsec vpn , ids can be provided by as pic
Service Interfaces:
Different services are provided by different Pics
-> AS pic : AS pic supports all services
-> ASM is an optional component that you can order with the M7I router
-> J-series router
-> Has software processes that support the same services as the AS pic
-> Interface on J-series router will be designated as ls- rather than lsq-
-> Link services pic
-> Provides MLPPP and MLFR support and designated as ls- similar to j-series
-> Tunnel services
-> gre , ip-in-ip
-> Multiservice Pic and AS pic service
-> Multiservice pic or as pic should be configured so that they provide Layer 2 or Layer 3 but not both
-> as pic defaults to settings of Layer 3
"show chassis hardware" -> to determine the service-package
by MY CCIE JOURNEY | 0 comments
Hello all, I have made up my mind that I will be taking this first exam maybe sometime next week.. I went through the study guide and it's absolutely simple.
Meanwhile I will be highlighting some core points about Juniper systems and my plan for the next three days
Here I go
thursday / friday
I will be starting off with the chapter 7 services section and will be working my way from there on
chapter 7 -> services
chapter 8 -> miscellaneous features
chapter 9 -> troubleshooting
-----------------------------------------------------------------
saturday
chapter 5 -> operational monitoring and maintenance
chapter 6 -> routing protocols and policy
-------------------------------------------------------------------
sunday
chapter 1 -> intro (no big deal)
chapter 2 -> juniper networks enterprise routers (already done different router stuff)
chapter 3 -> junos user interface (again no big deal)
chapter 4 -> installation and initial configuration (this needs to be brushed up)
--------------------------------------------------------------------
For all this work I will be using a VMware image of a JUNOS router; let's see how this goes. I don't see many people highlighting important points about Juniper stuff, so let me be among the few ;)
Best Regards
Rakesh
by MY CCIE JOURNEY | 0 comments
As you probably know, I have started to get into Juniper exams because of their fast track program. Initially I thought I should give about 10 days to each exam, so altogether it should take a good 40 days for 4 exams.. but after going through the books and flash presentations there is nothing complex, and the best thing is its organisation, which is flawless in most cases.. the logic flows step by step and there is no way that we can forget a step.. good one
As far as routing protocols go, all of them are pretty much the same. Will highlight more info for you
Best regards
Rakesh
by MY CCIE JOURNEY | 1 comments
Hello all, as you might already know, Juniper is offering free certification exams on passing their pre-assessment exams.. you will get a voucher with the exam price 100% discounted for free.. each exam costs around 125$ and there are four such exams
two routing - specialist and associate
one security
one switching
So altogether you can get 4x125$ vouchers absolutely free.... I am confident about this because I have got all four vouchers by taking their pre-assessments (I have failed every single exam multiple times, but that doesn't matter, they can be taken any number of times.. such an evil brain hehehe ;) ). The exams are straightforward. They test fundamentals, and security and specialist routing were very easy for me.. because they had general topics such as BGP, OSPF, VPN and redistribution, which will be the same anywhere in the world. For the basic associate exams, go through the course provided on the site and you will be fine..
https://learningportal.juniper.net/juniper/default.aspx
You can register yourself here.. you can take your pre-assessment exams as many times as you want till you get above 70%..
Try your luck friends, it's always better to get certified without spending a penny, right..
For the prep path I used a JUNOS Olive router, which is a VMware instance
by MY CCIE JOURNEY | 0 comments
It's almost one month since I posted to my blog, and I had many reasons behind it.. first of all I was studying and spending time on technologies, and secondly I had some univ exams to deal with.. some ups and downs (all of them were downs ;) ) in my life to deal with and cope with..
Well, I am glad and feeling really good about myself after recovering so quickly from the downtimes I had... boosted my confidence..
Moving on..
Covered good ground on
TCP / IP --- various protocols and packet analyzers and packet headers
ARP, ICMP, UDP, TCP, IPv4, different types of TCP attacks, building a packet, route resolution etc... will be summing up
my favourite routing protocols (EIGRP, OSPF, BGP)
IPv6 technology and, last but not least, QoS and MPLS technologies, which I thought were very serious...
Done with some security stuff like perimeter defence, internal infra security management, firewall technologies like Check Point, Cisco PIX / ASA, Clavister, NETASQ and so forth, and got to know some of the groundbreaking technologies...
Will be back soon....
Thank you to one and all who sent me emails and comments about my presence, or rather absence.... I am fine and will do good..
have a great day
Bye
by MY CCIE JOURNEY | 0 comments
Hello everybody.. today I have done something which I feel very proud of. Not a feat really, and already done by many of the people who are doing this.. but whenever I see any new technology which serves me, I love it.. I simply love it and will share it..
So what's the topic about?
Nothing serious really.... I have a spare PC (a Windows one) and what I did was to use the Check Point NG R55 platform on it..
Requirements:
1. spare PC with at least 512 MB RAM
2. PC has to have two network cards (one for your internal network and the other for the external)
Installation is fairly simple.. you can download the trial package from Check Point for a 15 day evaluation and install it on the old PC
Configure your networks and bingo, your network is now being protected by Check Point NG firewall systems.
One option to consider is to buy a license from Check Point.. if you need to format your PC in any form ;) and install your firewall
Any doubts, let me know
best regards
Rakesh
by MY CCIE JOURNEY | 1 comments
Even though done by many greats, I still wanted to do this video just to help people out and simplify their life with PIX / ASA activation..
I was having problems with searching for activation keys.. so here I am uploading the activation key and also the serial number obtained from a Google search..
Note this will only work with the pix723.bin image; I tried on others with no luck....
Those who already know PIX emulation may skip this video...
This video's base idea has been taken from blindhog.net
Here's the link to download...
I found another interesting email which I got recently from http://www.netbraintech.com/
Check out their demo video, it impressed me somehow.. hope CCIE lab proctors allow it for the troubleshooting section ;) lol
CISCO PIX UR LICENSE VIDEO (IN GNS3 SIMULATOR)
Here's the video link
best regards
Rakesh
Posted in cisco pix, how to, ur license by MY CCIE JOURNEY | 2 comments
Hello, I am amazed by the speed and performance of the Cisco PIX firewall in GNS3. Moving on, it's been fun learning whole new technologies..
I have presently shifted my path towards security and voice, not that I will be attempting them, but to gain good knowledge of all the security and QoS concepts before I take my R and S lab exam, just to feel that extra bit of familiarity.. no hurry for me.. I still have 1.5 years to deal with the R and S beast and am silently waiting to see how the Cisco R and S team deals with changes to the exam.
Next I would be dealing with the CCIP track to gain high familiarity with the BGP track.. as said, I am enjoying my learning, and what surprises me is that I am not learning for certification in the CCSP and CCVP tracks, so it gives me that extra bit of edge over concepts, to take them as I wish and grasp as much as I need...
Installed PIX over GNS3 and it was a real fun part. As mentioned, I had problems with the UR license but could solve that problem. Will be posting all of those videos.. just waiting to see what I can include in my presentations.
Learnt concepts about the PIX firewall family, PIX administration, and ACLs.. was refreshing, object groups, NAT principles and PIX filtering services..
Will update you with other things..
best regards
RaKeSh
by MY CCIE JOURNEY | 3 comments
Hello, I have been trying to install PIX and ASA in my GNS3.. for the past day I was trying hard to do some VPN labs but was making mistakes all around; after 5-6 attempts I have mastered the art of site-to-site VPN and GRE tunnels.
Configuring SDM and ACS was done on Windows Server 2k3, and I managed to configure site-to-site VPN and GRE over IPsec with SDM after going through a painful SDM setup in which I faced problems with loopback adapters..
Anyhow, I could manage them. Soon I will be releasing video labs and pics
Good day
by MY CCIE JOURNEY | 0 comments
Today I decided to finish off IPsec VPN and I have done so..
I was having problems installing SDM over GNS3.. but finally could do it..
I will be posting detailed screenshots of the SDM installation, and one very important thing to remember:
the available SDM version is 2.5, which seems to be the latest, along with Java 1.6 updates.
My advice is not to use 2.5; use 2.3 with Java 1.5 updates instead, otherwise you are going to waste time as I did
best regards
by MY CCIE JOURNEY | 0 comments
Maximum segment size
Ethernet packet size = 1518 bytes
Ethernet II HEADER = 14bytes
ip header = 20 bytes
tcp header = 20 bytes (without options)
data area = x bytes
ethernet II trailer = crc 4 bytes
1518 bytes = 14 + 20 + 20 + x + 4
x = 1518 - 58 = 1460 bytes
Therefore a data packet's segment size can be a max of 1460 bytes
by MY CCIE JOURNEY | 0 comments
TCP OPTIONS
MSS = MAXIMUM SEGMENT SIZE
SACK PERMITTED = SELECTIVE ACKS
WINDOW SCALE = INCREASE WINDOW
TIMESTAMP = DETERMINE ROUND TRIP LATENCY
by MY CCIE JOURNEY | 0 comments
Urgent Pointer
This pointer will make to read / skip in reading data field as wanted
This points to where data should be read first
only used if URG bit is set to 1
ETHERNET HEADER
IP HEADER
TCP HEADER
DATA AREA * --------------------------------> URG =1 ; URGENT POINTER = XXXX
ETHERNET II TRAILER CRC
by MY CCIE JOURNEY | 0 comments
Checksum on the TCP header
The checksum is computed over the TCP segment together with a pseudo-header made up of:
source ip address field value
destination ip address field value
protocol field value
length value (tcp header + Data)
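The checksum calculation over those values, as an added Python example that is not part of the original post. The function names and sample addresses are assumptions; the flag constants follow the U|A|P|R|S|F order used in the flag notes on this blog.

```python
import socket
import struct

# Flag bits in the order the notes list them: U|A|P|R|S|F
URG, ACK, PSH, RST, SYN, FIN = 0x20, 0x10, 0x08, 0x04, 0x02, 0x01


def ones_complement_sum16(data):
    """Sum 16-bit big-endian words with end-around carry."""
    if len(data) % 2:
        data += b"\x00"                     # pad odd-length data
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip, dst_ip, segment):
    """Checksum over pseudo-header + TCP header + data."""
    pseudo = (socket.inet_aton(src_ip)                  # source IP address
              + socket.inet_aton(dst_ip)                # destination IP address
              + struct.pack("!BBH", 0,                  # zero padding byte
                            socket.IPPROTO_TCP,         # protocol field (6)
                            len(segment)))              # TCP header + data length
    return ~ones_complement_sum16(pseudo + segment) & 0xFFFF


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window, data=b""):
    """Build a 20-byte TCP header (no options) plus data, checksum filled in."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         5 << 4, flags, window, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, header + data)
    return header[:16] + struct.pack("!H", csum) + header[18:] + data


def checksum_ok(src_ip, dst_ip, segment):
    """A receiver sums everything including the checksum field; a valid
    segment yields 0."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def rewrite_checksum(segment, src_ip, dst_ip):
    """Recompute the checksum for new addresses, as a NAT device must."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    csum = tcp_checksum(src_ip, dst_ip, zeroed)
    return zeroed[:16] + struct.pack("!H", csum) + zeroed[18:]
```

Because the IP addresses are part of the sum, a segment whose source address is rewritten by NAT fails verification until the checksum is recomputed.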
by MY CCIE JOURNEY | 0 comments
Congestion Avoidance
Assumption: to look purely at how TCP reacts to congestion, we assume that packets are lost not because of faults; packets are lost because of congestion itself.
As we know from the previous post, the congestion window gradually increases in increments of 1 MSS; the other way to increment it is by
SEGMENT SIZE * SEGMENT SIZE / CONGESTION WINDOW
Once we hit the threshold, the window size drops to 50% of its present value and the process continues again.
Let us say a packet encountered congestion at 10000 bytes of data. The window now drops back to 50%, so the present size would be 5000 bytes, and the process continues.
by MY CCIE JOURNEY | 0 comments
Starting Window Size
>According to RFC 2581 computing tcp's Retransmission timers , the initial window size should be no greater than MAX (2*MSS)
>RFC 3390, however, suggests that it could be up to 4*MSS OR MIN(4*MSS, MAX(2*MSS, 4380 BYTES))
MSS = MAXIMUM SEGMENT SIZE
by MY CCIE JOURNEY | 0 comments
Slow Start Process :
This process is used when a new TCP connection / session is established or when a timeout takes place
Every new TCP connection, or a timeout when it occurs, is counted in increments of MSS
CONGESTION WINDOW cwnd = 2*MSS <-------- syn
CONGESTION WINDOW cwnd = 3*MSS<----------syn ack
CONGESTION WINDOW cwnd = 3*MSS<----------ACK.
CONGESTION WINDOW cwnd = 3*MSS<----------data
CONGESTION WINDOW cwnd = 4*MSS<----------ACK
........................................
Starting window size for ethernet = 2* MAX SEGMENT SIZE
= 2*MSS (1460) BYTES
*It increments window size by one every time
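The window arithmetic from the three posts above (congestion avoidance, starting window size, slow start) combined into one small simulation; this is an added Python example, not code from the original posts. The function names and the event string are assumptions, and the floor of 2*MSS applied after a loss is an addition the notes do not mention.

```python
MSS = 1460  # Ethernet MSS worked out in the "Maximum segment size" post


def initial_window(mss=MSS, rfc3390=True):
    """Starting window: 2*MSS, or the larger RFC 3390 value."""
    if rfc3390:
        return min(4 * mss, max(2 * mss, 4380))
    return 2 * mss


def on_ack(cwnd, ssthresh, mss=MSS):
    """Grow the congestion window for one received ACK."""
    if cwnd < ssthresh:
        return cwnd + mss                 # slow start: +1 MSS per ACK
    return cwnd + mss * mss // cwnd       # congestion avoidance: MSS*MSS/cwnd


def on_loss(cwnd, mss=MSS):
    """Congestion detected: drop to 50% of the present value.

    Returns (new cwnd, new threshold). The floor of 2*MSS is an assumption
    added here so the window never collapses below two segments.
    """
    half = max(cwnd // 2, 2 * mss)
    return half, half


def simulate(events, cwnd, ssthresh, mss=MSS):
    """Replay a string of events ('A' = ACK, 'L' = loss) and return the
    congestion window after each one."""
    trace = []
    for ev in events:
        if ev == "A":
            cwnd = on_ack(cwnd, ssthresh, mss)
        elif ev == "L":
            cwnd, ssthresh = on_loss(cwnd, mss)
        else:
            raise ValueError("unknown event %r" % ev)
        trace.append(cwnd)
    return trace
```

Starting from 2*MSS with a threshold of 8000 bytes, the trace shows four steps of 1460 bytes, then a step of only 243 bytes once the threshold is passed, then the halving on loss.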
by MY CCIE JOURNEY | 0 comments
Types of windows
>Receiver Window
>Congestion Window
>Sliding Window
Congestion Window :
The congestion window may be defined as the minimum of the receiver's advertised window or, in other words, what the network can handle.
>Network congestion occurs between networks, and receiver congestion occurs in the TCP buffer, which is obvious
by MY CCIE JOURNEY | 0 comments
Windowing
>If the window size is '0', the other side of the connection doesn't accept packets and stops the transmission
>Maximum window size MSS = 65635 bytes
>You can scale the window size. For more, you can always see RFC 1323
>Ever wondered when such an MSS is used? It is indeed used, and those types of networks are called LFN networks
LONG , FAT-PIPE NETWORKS
by MY CCIE JOURNEY | 0 comments
advantages of tcp are
>connection-oriented communications
>Data Streaming
>Congestion Control
>Retransmission and Retry counters
>Extensions through the use of Tcp options
by MY CCIE JOURNEY | 0 comments
P=Push Flag Reserved U|A|1|R|S|F
If set, data should be sent through the outgoing and incoming TCP buffer space without being held
[The packet will be flushed very fast out of the TCP buffer. A TCP buffer is created whenever a TCP session gets initialised]
Getting the push bit -> maybe it has something to do with our voice packet priorities
------------------------
S=Syn Reserved U|A|P|R|1|F
This is only used in the first two packets of the handshake process. It is used to inform the other side of the ISN (initial sequence number)
-------------------------
F=Fin U|A|P|R|S|1
This is sort of an interesting flag type. If set, the sender indicates that they are finished with a connection but they don't want to explicitly close or tear down the connection (they = two sides, server and client)
by MY CCIE JOURNEY | 0 comments
U=Urgent Reserved 1|A|P|R|S|F
->If set, check the urgent pointer field later in the header. That field indicates where you should start reading the data
------------------------
A=Ack Reserved U|1|P|R|S|F
->If set, indicates that the sender is acknowledging receipt from the partner
---------------------------
R=Reset Reserved U|A|P|1|S|F
->If set, the sender is refusing or explicitly closing the connection
-----------------------------
Understanding these flags helps in understanding our TCP connections, which is very helpful in getting protocols like BGP, for example.. can you imagine the importance of the Reset flag in BGP?
by MY CCIE JOURNEY | 0 comments
The Tcp Flags
we have
Reserved bits like U|A|P|R|S|F
U=Urgent Reserved when set on 1|A|P|R|S|F
A=Ack Reserved when set on U|1|P|R|S|F
P=Push Reserved when set on U|A|1|R|S|F
R=Reset Reserved when set on U|A|P|1|S|F
S=Syn Reserved when set on U|A|P|R|1|F
F=Fin Reserved when set on U|A|P|R|S|1
by MY CCIE JOURNEY | 0 comments
Tcp Functionality
-> Connection-oriented communications
->sequencing and acknowledgement
->windowing
->congestion avoidance and recovery
->specialised functions (aka flags)
->variable length header
->Recovery for lost packets
by MY CCIE JOURNEY | 0 comments
People who were following me or just watching my progress kept mailing me about the blog status. I was down with personal problems and was buried deep! Very deep.. I am just making it out to the brighter side of my life again and hence started with studies...
I will be continuing with the TCP / IP sessions and my notes as well
best regards
by MY CCIE JOURNEY | 0 comments
I am finally done with BGP and I am happy that I have completed it at last..
Moving on, my combination involves studying concepts in pairs..
BGP and QoS
switching and multicast
EIGRP and IPv6
OSPF and security
are the primes.. so my next target would be going after QoS..
Yes, I had done it in the past but I want to gain perfection.. damn it, I am going to be a CCIE
regards
by MY CCIE JOURNEY | 2 comments
Had an exam in college all of a sudden and have completed the hell now.. tonight's plan is simple: completing off BGP part 3, BGP part 4, BGP part 5, BGP part 6, QoS part 1
Will let you know where I landed...
regards
by MY CCIE JOURNEY | 0 comments
Done with
bgp part 1 intro
bgp part 2 attributes
qos part 1
qos part 2
qos part 3
Started with CCNP QoS and just going along with it.. so most probably would complete the QoS
tomorrow along with three other BGP videos (hopefully)
http://www.supermemo.com/articles/paper.htm
-> Here is the link, and this is how I would be planning my revision path
Good day
by MY CCIE JOURNEY | 0 comments
The saying "it's easier said than done" is quite powerful.... I thought of covering BGP and QoS today, and you know what, I could only cover the QoS beast today, and that too only once without any proper perfection.. I don't know how to tackle this beast.. but I could see one thing.. I felt QoS concepts were easy, in fact very easy to master.. (I have mastered the concepts, now I need to master the commands from this source).. hell, it's time talking... but we need to have a proper grip.. CCIE # is all about the proper grip, right..
Anyway, I am still left with a good 6 hours of study and I may start off with BGP and cover some of the videos, or may start off with QoS and do the second glance part out of maybe 7 or 8 lol..
Will post the matter soon..
best regards
Rakesh
by MY CCIE JOURNEY | 1 comments
Tired.... this day has been a good one for me... I am done with half of the written videos from CBT and going very strong.. labbed a few different scenarios and learnt some of the concepts like ACLs and other fun parts.. but as I need some revisiting of the topics I had to listen to them..
Went out and browsed forums / blogs as usual.. I think I am gonna finish this CBT within the next four days if everything goes according to plan..
And yes, from today onwards I am gonna follow the advice given by inetexperts' Mr. Anthony.. he described a better study technique for revision and pointed to an article which has a detailed explanation of retaining the key points with a number of revision attempts according to an algorithm..
The algorithm states that revision should be done in 4 days, 9 (days, this is my own), 13 (days, my own)..
So having done the following concepts today, I am gonna revisit them after 4 days
cat 3550 concepts
stp
hsrp
ntp
acl
bridge
nat
Today being Friday -> Sat -> Sun -> Monday -> Tuesday (I am gonna revisit these videos again)
If I forget, please remind me ;)
Target for tomorrow:
multicast
bgp part 1 , part 2 , part 3 , part 4 , part 5 , part 6 , part 7 , part 8
or
multicast
bgp part 1 - 4 and qos three parts ..
depends on the topic start ..
its bedtime ... bye and hot dreams
by MY CCIE JOURNEY | 0 comments
i have an overall of 5-6 sources of preparation path and i may look forward for buying ccie r and s from ipexpert .. but also considering the fact that inet expert does contain some of the best engineers ... out of all , i usually look for scott morris side .. i have never met him in person , and not even talked with him but he is more or less like an inspirational factor for me along with few others ... so having said that what did i do today and yesterday
i have started with core knowledge and went through some of the
multilayer switch features -> svi , intervlan routing , access-control
spanning tree features
access-list
nat
hsrp
ntp
what i look forward for next two more days :
routing - remaining topics + revision of already done topics
so after the above plan i will be remaining with routing which will be done in two more days
so all in all source 1 out of 7 sources will be done successfully in next few days ...
Thank you
by MY CCIE JOURNEY | 0 comments
Hello everybody .... as i said i went ahead and created all the videos of the labs .. but unfortunately as i forgot they are from standard workbooks which cannot be uploaded as is ... so i need to make my labs and then make the videos again ..
i have decided to complete entire of the ccie written portion in 13 days from now . yes i mean it .. its not that new to me and i wanna revise it as we are given holidays ....
i will put the plan very shortly ...
regards
Rakesh
by MY CCIE JOURNEY | 0 comments
Hello every one .. as there was a gap with videos and presentations i have been getting lot of mails about their continuations ... the reason i discontinued was a bit vexed up and also rigorous study schedule in university of mine
From today or most probably tomorrow i will post up the labs and their videos .. the problem being with the screen recorder itself .. i am on a linux machine and would love to screen cast from the same linux os itself but i had problems with that ..
so i had to reinstall windows and gns3 again to continue with the videos stuff
Best regards
Rakesh
by MY CCIE JOURNEY | 0 comments
The optional protocol qualifier
-------------------------------
> For icmp , the protocol qualifier can be echo , echo-reply or any of the icmp packet types
> udp/tcp typically uses port number specifications but tcp has an additional qualifier
called "established"
> The "established" qualifier for tcp matches all tcp packets that are a part of a tcp
connection that is already set up , regardless of source or destination port
> If the log keyword is used , a log entry is produced every time that access-list entry
is matched . This is available only with extended acl
Reference : example acl's wildcard bits *->
---------------------------------------
> The number of values matched is a power of 2 . Either 2,4,8,16,32,64,128 or 256
values can be matched together
> The starting address matched is a multiple of the number of values matched . If you match 2
addresses , then the first address matched is a multiple of 2 (even) . If you match 4
addresses , then the starting address is a multiple of 4
>* Even if you start a range with an address in the middle of the range , the router will
store and display that particular access-list entry with the address that starts the range .
Using the previous example , the router would change 192.168.34.0 0.0.3.0 to 192.168.32.0
0.0.3.0 . This property could cause confusion later when you debug an access-list problem
some rules:
----------
> For clarity , your matching rules should always give the base address of a range ,
followed by the mask . While any address within the range will work as the address , it is much
more understandable to start with the base value
> If you want to match some number of addresses that is not a power of 2 or that doesn't
start at a multiple of a power of 2 , you have to write two or more access-list entries , each
covering part of the range . An alternative is to include more addresses in the range
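The wildcard rules above, worked through as an added example (not from the book or the original notes): normalize() reproduces the base address the router stores, and cover_range() splits a range that is not an aligned power of 2 into several entries. The range 192.168.30.5-192.168.30.12 and list number 10 are constructed for illustration.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def to_str(value):
    return str(ipaddress.IPv4Address(value))

def normalize(addr, wildcard):
    """Return the entry the way the router stores it: every bit the wildcard
    marks as "don't care" (1) is cleared from the address."""
    base = to_int(addr) & ~to_int(wildcard) & MASK32
    return to_str(base), wildcard

def matches(addr, base, wildcard):
    """True when addr agrees with base on every bit the wildcard leaves at 0."""
    care = ~to_int(wildcard) & MASK32
    return (to_int(addr) & care) == (to_int(base) & care)

def cover_range(first, last):
    """Split the inclusive range first..last into blocks whose size is a
    power of 2 and whose base is a multiple of that size, so that each block
    can be written as one (base, wildcard) access-list entry."""
    lo, hi = to_int(first), to_int(last)
    if lo > hi:
        raise ValueError("range start is above range end")
    entries = []
    while lo <= hi:
        # Largest block allowed to start at lo: its lowest set bit (alignment rule).
        size = (lo & -lo) if lo else 1 << 32
        # Shrink the block until it no longer runs past the end of the range.
        while size > hi - lo + 1:
            size >>= 1
        entries.append((to_str(lo), to_str(size - 1)))
        lo += size
    return entries

if __name__ == "__main__":
    # The entry from the notes, as the router would store and display it.
    print(normalize("192.168.34.0", "0.0.3.0"))
    # Constructed range of 8 addresses that does not start on a multiple of 8.
    for base, wildcard in cover_range("192.168.30.5", "192.168.30.12"):
        print(f"access-list 10 permit {base} {wildcard}")
```

The misaligned 8-address range needs four entries, while the aligned block 192.168.32.0-192.168.35.255 needs one, which is the reason for allocating addresses in aligned blocks.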
2.3.1 Good numbering practices
------------------------------
> just make sure you allocate one block of addresses or reserve a block of addresses for
present or future use
> let us say you want 4 ip's to access telnet service , better assign 4 ip's continuously in
one block rather than random ones . In this way defining an acl would be very easy
2.4 Building and maintenance of access-list
-------------------------------------------
use of tftp is preferred for easy editing
to copy a file named routera using tftp we use
copy tftp://192.168.30.1/routera system:running-config
Generally performing the following steps everytime you configure a router with tftp will
greatly reduce security exposure
1. make access-list readable only by router
2. configure router via tftp
3. make access-lists unreadable from the network to other users using tftp
saving acl is simple again using tftp:
copy system:running-config tftp://192.168.35.1/routera
steps for tftp security:
------------------------
1. make area writable by router
2. save config via tftp
3. make config file unwritable and unreadable from the network to other users on tftp server
2.5 Named acl
-------------
> To increase the number of acls available and to provide better , more descriptive names , more
recent versions of ios provide a facility called named acl
when creating a named acl , you first need to declare the name and type
#ip access-list standard name
#permit -
#deny -
the keyword "ip" needs to be used first , then the type of acl "standard / extended" . notice the change in
prompt
by MY CCIE JOURNEY | 0 comments
2.2 Extended acl
----------------
Standard acl allow all or nothing
To do packet filtering at a finer level of granularity we need a way to extend the standard
acl to include things like protocol , port number , destination ip
Understanding Tcp and Udp port numbers
--------------------------------------
> Understanding tcp and udp port numbers is fundamental for using extended acl .
> With tcp a connection is set up, with udp there is no connection set up
> ports are specified as 16 bit numbers
telnet - 23
http - 80
dns - 53
> A set of four values :
source ip address
source port
destination ip
destination port
uniquely identify client / server relationships and enable clients and servers to talk to
each other without confusion
> The port numbers below 1024 are called "well known ports " defined by IANA
> Services can live on non standard ports as long as both client and server processes agree
to use those ports
ex:
policy set 101: http packets to host 192.168.35.1
policy set 101: ssl packets to host 192.168.35.1
no other packets
access-list 101 permit tcp 0.0.0.0 255.255.255.255 192.168.35.1 0.0.0.0 eq 80
access-list 101 permit tcp 0.0.0.0 255.255.255.255 192.168.35.1 0.0.0.0 eq 443
access-list 101 deny ip 0.0.0.0 255.255.255.255 192.168.35.1 0.0.0.0
> Extended acls begin with the "access-list" keyword , followed by a number between 100-199 which
is followed by permit/deny . This process is the same as for standard acl
> Things get different after the permit/deny statement : extended acls specify the "ip"
protocol to which the list applies
> Next we have 2 address/mask pairs [which was single in standard acl] . The first pair
defines the source and the next pair defines the destination
> The access-list ends with another protocol specifier , the port number : "eq 80" allows
packets with destination port 80
> To use the access-list once the policy set is defined , we must apply it against a router
interface .
int fa0/0
ip access-group 101 in/out (depends on the condition and where you are applying)
2.2.1 Some general properties of access-lists
---------------------------------------------
> extended acl entries are matched against two ip addresses as opposed to one ip
address for standard acl
> Masks of 0.0.0.0 are not optional for extended acl . The router assumes 0.0.0.0 if a standard acl
leaves off a mask
> Both have an implicit deny
> Ip address , wildcard mask matching and the implicit deny are common to all cisco
access-list structures and are important concepts in understanding acl
2.2.2 Matching ip protocols
---------------------------
other ip protocols can be specified with extended acl
access-list 102 permit 47 0.0.0.0 255.255.255.255 192.168.35.1 0.0.0.0
> ip protocol 47 is GRE (generic routing encapsulation) protocol. This protocol is used for
carrying non-ip protocols such as novell ipx and appletalk through ip , and by pptp , a vpn protocol
2.2.3 More on matching protocols part
-------------------------------------
We have created acl entries that have matched on the destination port of a udp / tcp packet . We
can also match on the source port . This is useful to avoid spoofed packets from entering
ex : ntp uses both source and destination udp port 123 . so writing an acl would look
like this
access-list 102 permit udp 0.0.0.0 255.255.255.255 eq 123 192.168.35.1 0.0.0.0 eq 123
>* The source port is placed after source ip address / mask
> 'eq' key word forces matching packets to have port equal to the specified value
> 'gt' a matching packet must have port value greater than specified value
access-list 103 permit tcp 0.0.0.0 255.255.255.255 gt 1023 192.168.35.1 0.0.0.0 eq 20
for dns server :
----------------
access-list 102 permit udp 0.0.0.0 255.255.255.255 gt 1023 192.168.35.1 0.0.0.0 eq 53
2.2.4 Text substitutes for commonly used ports and tasks
--------------------------------------------------------
Certain configs are so common that cisco developed text substitutes instead of port numbers
or address mask pairs
The ip address mask pair
0.0.0.0 255.255.255.255 -> any
80 -> http
23 -> telnet
123 -> ntp
47 -> gre ( ip protocol)
2.2.5 generic format of extended access-list
--------------------------------------------
access-list [listno] [p/d] [protocol] [source] [source port] [dest] [dest port] [protocol qualifier] [logging]
the logging keyword , if present , turns on a log of all packet information every time the
access-list entry is applied
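The field order of an extended entry, shown as an added example (not from the book or the original notes): a small parser for the entry layout used in this section, checked against sample packets. It handles only what the notes use: numeric ports with eq / gt, the "any" substitute, and an optional trailing log keyword. The packet source addresses are constructed.

```python
import ipaddress

MASK32 = 0xFFFFFFFF
PROTOCOLS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}  # None = any ip protocol

def ip(addr):
    return int(ipaddress.IPv4Address(addr))

def take_address(tok):
    """Consume 'any' or '<addr> <wildcard>'; return ((base, wild), rest)."""
    if tok and tok[0] == "any":
        return (0, MASK32), tok[1:]
    if len(tok) < 2:
        raise ValueError("address/mask pair is not optional in an extended acl")
    return (ip(tok[0]), ip(tok[1])), tok[2:]

def take_port(tok):
    """Consume an optional 'eq <n>' or 'gt <n>'; return (spec, rest)."""
    if len(tok) >= 2 and tok[0] in ("eq", "gt"):
        return (tok[0], int(tok[1])), tok[2:]
    return None, tok

def parse_extended(line):
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended acl entry: {line!r}")
    if not 100 <= int(tok[1]) <= 199:
        raise ValueError(f"extended ip acls use numbers 100-199: {line!r}")
    proto = PROTOCOLS[tok[3]] if tok[3] in PROTOCOLS else int(tok[3])
    src, rest = take_address(tok[4:])
    sport, rest = take_port(rest)      # source port follows the source pair
    dst, rest = take_address(rest)
    dport, rest = take_port(rest)      # destination port follows the destination pair
    if rest not in ([], ["log"]):
        raise ValueError(f"unsupported qualifier: {rest!r}")
    return {"action": tok[2], "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "log": rest == ["log"]}

def address_ok(pair, addr):
    base, wild = pair
    care = ~wild & MASK32
    return (ip(addr) & care) == (base & care)

def port_ok(spec, port):
    if spec is None:
        return True                    # entry does not constrain this port
    if port is None:
        return False                   # packet has no port (e.g. GRE)
    return port == spec[1] if spec[0] == "eq" else port > spec[1]

def entry_matches(entry, pkt):
    return ((entry["proto"] is None or entry["proto"] == pkt["proto"])
            and address_ok(entry["src"], pkt["src"])
            and port_ok(entry["sport"], pkt.get("sport"))
            and address_ok(entry["dst"], pkt["dst"])
            and port_ok(entry["dport"], pkt.get("dport")))

def evaluate(lines, pkt):
    for entry in map(parse_extended, lines):
        if entry_matches(entry, pkt):
            return entry["action"]
    return "deny"                      # implicit deny

def packet(proto, src, dst, sport=None, dport=None):
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}

# Entries copied from this section of the notes.
ACL_101 = [
    "access-list 101 permit tcp 0.0.0.0 255.255.255.255 192.168.35.1 0.0.0.0 eq 80",
    "access-list 101 permit tcp 0.0.0.0 255.255.255.255 192.168.35.1 0.0.0.0 eq 443",
    "access-list 101 deny ip 0.0.0.0 255.255.255.255 192.168.35.1 0.0.0.0",
]
ACL_102 = [
    "access-list 102 permit 47 0.0.0.0 255.255.255.255 192.168.35.1 0.0.0.0",
    "access-list 102 permit udp 0.0.0.0 255.255.255.255 eq 123 192.168.35.1 0.0.0.0 eq 123",
    "access-list 102 permit udp 0.0.0.0 255.255.255.255 gt 1023 192.168.35.1 0.0.0.0 eq 53",
]

if __name__ == "__main__":
    print(evaluate(ACL_101, packet(6, "10.1.1.1", "192.168.35.1", 40000, 80)))
    print(evaluate(ACL_102, packet(17, "10.1.1.1", "192.168.35.1", 40000, 123)))
```

The second packet is denied because its source port is not 123, which is the source-port check the ntp entry adds.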
by MY CCIE JOURNEY | 0 comments
2.1.5 Access-list wildcard masks versus network masks
-----------------------------------------------------
Generally for a network specified as a.b.c.d/n the access-list wildcard mask that matches
all addresses in a network will have 1s in the 32-n rightmost bits and 0s in the leftmost n bits
For a network , 192.168.32.0/16 , the acl wildcard mask that matches all addresses is
0.0.0.63
In a shorter way : 255.255.255.255 - subnet mask = wildcard mask
2.1.6 The implicit wildcard mask
--------------------------------
0.0.0.0 255.255.255.255
Since each bit is 1 in this mask , any ip address on any network will be matched
access-list 1 permit 192.168.30.1
access-list 1 permit 192.168.33.5
A 0 in the bit position indicates that there should be an exact match in that bit position
access-list 1 permit 192.168.30.1 0.0.0.0
access-list 1 permit 192.168.33.5 0.0.0.0
2.1.7 Sequential processing in access-list
------------------------------------------
access-list 4 permit 192.168.30.0 0.0.0.255
access-list 4 deny 192.168.30.70
will not deny 192.168.30.70 as permit statement is encountered first
access-list 4 deny 192.168.30.70
access-list 4 permit 192.168.30.0 0.0.0.255
is the correct way to deny the host
2.1.8 Standard access-list and packet filtering
-----------------------------------------------
Standard access-lists are used to control packets flowing through a router . Network admins use
standard acl in this fashion when certain hosts need total access to hosts on a particular
subnet
To deny entire subnet 172.28.38.0
To permit 172.28.38.1
To permit 192.168.30.1
To permit 172.28.0.0
access-list 6 permit 172.28.30.1
access-list 6 permit 172.28.38.1
access-list 6 deny 172.28.38.0 0.0.0.255
access-list 6 permit 172.28.0.0 0.0.255.255
To assign it to an interface :
int fa0/0
ip access-group 6 out
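Sequential processing and the packet-filtering list above, as an added example (not from the book or the original notes): an evaluator for standard entries plus a check that flags entries an earlier line makes unreachable. List number 6 for the packet-filtering entries is an assumption taken from the "ip access-group 6 out" line, and the tested source addresses are constructed.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def ip(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_standard(line):
    """Parse 'access-list <1-99> permit|deny <addr> [wildcard]'."""
    tok = line.split()
    if len(tok) not in (4, 5) or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard acl entry: {line!r}")
    if not 1 <= int(tok[1]) <= 99:
        raise ValueError(f"standard ip acls use numbers 1-99: {line!r}")
    # A standard entry without a mask gets the implicit wildcard 0.0.0.0 (one host).
    wild = ip(tok[4]) if len(tok) == 5 else 0
    return {"action": tok[2], "addr": ip(tok[3]), "wild": wild, "text": line}

def evaluate(lines, source):
    """First match wins; if nothing matches, the implicit deny applies."""
    src = ip(source)
    for entry in map(parse_standard, lines):
        care = ~entry["wild"] & MASK32
        if (src & care) == (entry["addr"] & care):
            return entry["action"], entry["text"]
    return "deny", "implicit deny"

def shadowed(lines):
    """Return entries that can never match because an earlier entry already
    matches every address they describe."""
    entries = [parse_standard(line) for line in lines]
    dead = []
    for j, later in enumerate(entries):
        for earlier in entries[:j]:
            care = ~earlier["wild"] & MASK32
            # earlier ignores every bit that later ignores ...
            wider = (later["wild"] & care) == 0
            # ... and both agree on the bits earlier does compare
            same = ((earlier["addr"] ^ later["addr"]) & care) == 0
            if wider and same:
                dead.append(later["text"])
                break
    return dead

# The two orderings of list 4 from section 2.1.7.
ACL4_WRONG = [
    "access-list 4 permit 192.168.30.0 0.0.0.255",
    "access-list 4 deny 192.168.30.70",
]
ACL4_RIGHT = [
    "access-list 4 deny 192.168.30.70",
    "access-list 4 permit 192.168.30.0 0.0.0.255",
]
# The packet-filtering list from section 2.1.8 (list number 6 assumed).
ACL6 = [
    "access-list 6 permit 172.28.30.1",
    "access-list 6 permit 172.28.38.1",
    "access-list 6 deny 172.28.38.0 0.0.0.255",
    "access-list 6 permit 172.28.0.0 0.0.255.255",
]

if __name__ == "__main__":
    print(evaluate(ACL4_WRONG, "192.168.30.70"))   # permitted by the first line
    print(shadowed(ACL4_WRONG))                    # the deny line is unreachable
    for src in ("172.28.38.1", "172.28.38.9", "172.28.5.5", "10.1.1.1"):
        print(src, evaluate(ACL6, src))
```

Running shadowed() over a list before applying it catches the ordering mistake from 2.1.7 without having to test individual addresses.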
2.1.9 Standard access-list generic format
----------------------------------------
access-list [list-number] [permit/deny] [ip addr] [wildcard mask(opt)]
by MY CCIE JOURNEY | 0 comments
chapter 2: Access-list Basics
-----------------------------
Two basic access-list type:
> The first kind of access-list is standard access-list used to build policy set of ip
address or ip networks
> Standard access-list cannot do all policies we may wish to specify , particularly when we
want to do packet filtering
> Extended access-list extends the format of the standard access-list to specify packet
filtering policies
2.1 Standard access lists:
--------------------------
A network administrator typically uses standard access-list to implement three types of
policy controls:
> access to router resources
> route distribution
> packets passing through a router
These policy controls use / require policy sets of ip addresses or network numbers , so the
standard access-list is used to build policy sets of either ip addresses or numbers
example 1:
---------
policy set 1: ip address 192.168.30.1
policy set 1: ip address 192.168.33.5
policy set 1: deny others
how does this policy set map to an actual access-list?
access-list 1 permit 192.168.30.1
access-list 1 permit 192.168.33.5
access-list 1 deny 0.0.0.0 255.255.255.255
> The number after access-list keyword is access-list number . In this case it is 1
The number also specifies what kind of access-list it is
> Different types of access-list for different network protocols uses different ranges of
access-list numbers
ip uses 1-99 for standard access-list
100-199 for extended access-list
ipx uses 800-899 for its standard acl
decnet uses 300-399
> The permit keyword includes ip address in the policy set
The deny key word excludes the ip address following from the policy set
if we want to control router-login access
line vty 0 4
access-class 1 in
2.1.1 The implicit deny
-----------------------
access-list 2 deny 192.168.30.1
access-list 2 permit 192.168.33.5
this can also be written (or same as)
access-list 2 permit 192.168.33.5
> This is because access-lists have an implicit deny at the end of them . everything not
explicitly permitted in standard acl is denied
2.1.2 Standard access-list and route filtering
----------------------------------------------
follow the example from the labbing here are the outputs
r0#show access-list
Standard IP access list 1
10 permit 1.1.1.1 (10 matches)
20 permit 3.3.3.3 (10 matches)
30 permit 7.7.7.7 (4 matches)
40 permit 1.1.1.0
50 permit 5.5.5.0
router eigrp 20
distribute-list 1 in fast 0/0
also remember the distribute list and the error committed (the acl should always give the network
that matches the routing table , not a network that could alternatively match the ip address .
for example , to deny 1.1.1.1 from entering the routing table , the network 1.0.0.0 , as it appears in
the routing table , should be mentioned and not 1.1.1.0 , which doesn't match the routing table entry )
---------------------------------------------------------------------------------------------
2.1.3 Access-list wildcard masks:
---------------------------------
> An optional wildcard mask can be used to include many addresses in a policy set
access-list 3 permit 192.168.3.0 0.0.0.255
2.1.4 Specifying hosts in a subnet versus specifying a subnet:
--------------------------------------------------------------
> It is important to distinguish between specifying a network number and the host for
inclusion in a policy set and specifying all of the hosts in a policy set
access-list 3 permit 192.168.30.0 0.0.0.255
includes all of the hosts in network 192.168.30.0/24
* This is not same as the below acl:
access-list 4 permit 192.168.30.0
This access-list entry includes the single ip address 192.168.30.0 in a policy set
192.168.30.0 could be one of the two:
a host ip address or a network number
line vty 0 4
access-class 4 in
only a host with the potentially valid ip of 192.168.30.0 would be permitted to have login
access to the router
> acl 4 would more typically be used to build a policy set of network addresses in routing
context
router eigrp 100
distribute-list 4 in serial 0/0
here only route to network 192.168.30.0 would be permitted into the routing table via eigrp
routing protocol
>* In general it is best to be as specific as possible when defining policy sets
by MY CCIE JOURNEY | 0 comments
o'reilly cisco ios access-list
------------------------------
chapter 1:
----------
Network policies and cisco access lists
---------------------------------------
The three concerns that motivate the need for access policies are:
> security
> robustness
> business drivers
1.1 policy sets :
-----------------
If you think about policies in general every policy has two parts "what" and "how"
> "what" describes the objects included in a policy
> "how" describes how those objects are affected by the policy
The "what" of the policy , the set of objects affected , is what we will call the 'policy
set'
> policy sets are defined using a series of "policy set entries" . These entries include or
exclude objects of interest from a policy set
1.1.1 characteristics of policy sets:
-------------------------------------
> we add each entry to the policy set in the order specified . This is important because objects
are compared sequentially against a policy set . As soon as an object matches a policy set
entry, no more matching is done
> enforcing policies takes up resources and has costs . The longer the policy set , the
longer it takes to enforce the policy and the more resources are required
1.1.2 Policy sets in networks:
------------------------------
> In network policies , policy sets are sets of the network objects that pass through or into
a router
> Three types of network objects that a router processes are :
host ip addresses
packets
routes
> policy sets of host ip addresses
> policy sets of packets
> complex policy sets
* The function of cisco access list is to hold the specification of a policy set
> access lists are built of access list entries , which directly correspond with policy set
entries
1.2 The policy toolkit
----------------------
> "policy toolkit" a set of four "tools" that are general techniques for manipulating policy
sets
> The policy tools fit into "how" of the conceptual frame work
There are 4 kinds of tools we can use with policy sets to implement network policy . These
tools control following
-> Router resources
-> Packets passing through the router
-> Routes accepted and distributed
-> Routes based on characteristics of those routes
by MY CCIE JOURNEY | 0 comments
so having said that i am looking for perfection blended with full fledge knowledge . i would devote most of my time now concentrating on the studies and i would love again to fall back in the path
having said that, i came across this book called "cisco ios access-lists" o'reilly .. wanted to start off with access-list as they are the ones which will help in every move an access-list config is a must and what better time to kick off access-lists than this ...
it consists of 7 or (probably 8) chapters i guess and i plan to complete it asap
Regards
Rakesh
by MY CCIE JOURNEY | 0 comments
Hello everyone its been a while i posted something useful on blog ... i initially wanted to go with bgp as i have posted some of the important points about bgp ... i then thought i was lacking some thing .. its ok to have an overall picture of topics such as bgp as a matter of fact all of the routing protocols , switching redundancy techniques , security , qos .. but something started poking me .. "am i perfect at least in one topic?" , " can i proudly say i have read books on that topic , watched instructor videos and labbed on that particular topic and i can now do what ever any one throws at my router?" ... so having all of these ideas and also some what vexed up with life i gave up cisco studies for a month or so ... yes i mean it i didn't even touch any book regarding cisco ... then after seeing scott morris picture in one my pics inspiration was right on top ... he is a four ccie and may be more who knows .. when will i be one .. when should i become when will i get knowledge .. why did i leave the studies and wasted one month of time in resolving non beneficial issues which didn't help me out in any sort .. hence rocked back and here i am starting off with the following!!!!
by MY CCIE JOURNEY | 0 comments
bgp
-routers forming neighbor relationship within an a.s . ibgp neighbors don't need to be directly connected
Ebgp
-router forming neighbor relationship between two different a.s .
EBGP neighbors needs to be directly connected
Bgp configuration
r(config-r)# neighbor remote-as
by MY CCIE JOURNEY | 0 comments
Bgp databases :
*neighbor table
- list of bgp neighbors
*BGP forwarding table / database
-list of all networks learned from each neighbor
-can contain multiple pathways to destination networks
-database contains bgp attributes for each pathway
*Ip routing table
- list of best paths to destination networks
BGP NEIGHBORS
* bgp neighbors are the routers forming tcp connection for exchanging bgp updates . also called bgp speakers or bgp peers
*two types of bgp neighbors exist
-iBGP
-eBGP
Bgp message type :
open
keep alive
update
notification
by MY CCIE JOURNEY | 0 comments
BORDER GATEWAY PROTOCOL
Autonomous system is a set of routers under a single technical administration , using an igp and common metrics to route packets within the AS
* usage of bgp
# bgp is more appropriate if one of the following conditions exists
- a.s working as transit a.s (isp)
- a.s connected to multiple a.s
- data traffic path entering or leaving a.s need to be manipulated
#when not to prefer bgp:
- if it is a single-home a.s
- lack of resources like memory and less processing power in routers
- low bandwidth link between a.s
- limited understanding of bgp route filtering and path selection process
#Bgp features
-open standard protocol
-advance distance vector protocol
- path vector protocol
-supports flsm, vlsm , cidr , auto and manual summary (bgp version 4)
-it is an egp
-designed to scale huge internetwork like internet
-updates are incremental and triggered
-it send updates to manually defined neighbor as unicast
-bgp is an application layer protocol , uses tcp port 179 for reliability
-metric = attributes
- administrative distance
- 20 external updates
-200 internal updates
-bgp is not designed for load balancing . uses only one path per network
by MY CCIE JOURNEY | 0 comments
I always like the powerpoint way ... i love it ... i was going through the internetwork expert blog today and found excellent article by mr.scott morris on some general trouble shooting techniques that can drive you insane if not observed ... i have made a power point ... its publicly available in their site if you want to visit it .. you can always do it on
internetworkexpert.com
here is the link
http://www.4shared.com/dir/12759943/811a5e55/sharing.html
by MY CCIE JOURNEY | 0 comments
Video 3 of the ospf lab has been released and it is based on ospf virtual link concept..... please feel free to see the topology and also some of the important points in the word doc which is also available ...
you can download the video here ..
http://www.4shared.com/dir/12759943/811a5e55/sharing.html
regards
Raaki
by MY CCIE JOURNEY | 0 comments
OSPF LAB VIRTUAL LINKS:
WHY SHOULD EVERYTHING CONNECT TO AREA 0:
In order to make sure that spf is executed properly , area 0
is used as reference point for all other areas in the network
Hence all other areas must have a direct adjacency to area 0
So, the discontiguous area should be connected to area 0 through
any transit area attached to it , through virtual links
Hence , after the configuration the entire set of ospf
databases will be synced and full connectivity will be established
DOC:
To define ospf virtual link, use the area virtual-link command in
router
Usage Guidelines :
In ospf , all areas must be connected to a backbone router .If
the connection to backbone is lost it can be repaired using
virtual-links
For a virtual link to be properly configured , each
virtual link neighbor must include transit area id and the
corresponding virtual link neighbor router id
by MY CCIE JOURNEY | 0 comments
video 3 has been done and it is on eigrp convegence timers over frame relay ... a word document has also been attached for the reference of topology and points ...
you can download them at
http://www.4shared.com/dir/12759943/811a5e55/sharing.html
by MY CCIE JOURNEY | 0 comments
Hello ... the lab2 video of ospf point-to-point has been done and been uploaded ... please feel free download it and also the word doc ..
http://www.4shared.com/dir/12759943/811a5e55/sharing.html
All of the basic ip addressing and frame relay mappings are done and are not included in the video ... the word doc presents you with the topology and some of the important points
regards
Rakesh
by MY CCIE JOURNEY | 0 comments
I didn't want to sell the videos even for 5$ but i thought of buying few routers and switches for the switching labs ... but its against my self .. so decided that i would be giving my work to any one who requires for free ... i got 4 paid requests from 4 of the friends .. but i would be returning the money back to them tonight .... hence from here on please feel free to download labs and word docs for free .. and if you like and you have something to throw you can always consider me ... ;)
Also looking for some good team members who can study with me and share some work with me .. it's not impossible to do all the word docs and videos but it would be much easier if there is 'team' / 'we' rather than 'me'
regards
Rakesh
by MY CCIE JOURNEY | 0 comments
ospf : network type loopback
The ospf network type loopback is a special case for loopback interfaces
Network type loopback is the default network type on loopback interfaces , and is not
normally configurable with ospf network command
The loopback network type treats the interface as stub host and injects the ip address of the
interface as host route into the ospf domain regardless of the actual subnet mask of the interface
setting the ospf network type to point-to-point disables this treatment and advertise the ip
address of the interface with the subnet mask configured on that interface
by MY CCIE JOURNEY | 0 comments
ospf network type : point - to - point
OSPF network type point-to-point is used for adjacencies between exactly
two ospf neighbors
Network type point-to-point uses multicast and has no DR/BDR election
As it uses multicast for hello packet transmission broadcast keyword is used
for frame relay mapping statements .
by MY CCIE JOURNEY | 0 comments
ospf network types : point-to-multipoint non-broadcast
ospf network type point-to-multipoint non-broadcast is similar to
the network type point-to-multipoint except that ospf packets are sent as
unicast instead of multicast
ospf network type point-to-multipoint , point-to-multipoint non-broadcast
does not support the DR/BDR election, and possesses the same next-hop
behaviour
hence layer 3 to layer 2 resolution is needed only between directly connected devices on the nbma network
and ip routing will be used to communicate between devices that are not adjacent at layer 2
by MY CCIE JOURNEY | 0 comments
ospf network type : point-to-multipoint
ospf network type point-to-multipoint does not support DR and BDR election
point-to-multipoint sends hello packets to the multicast address 224.0.0.5
point-to-multipoint must be manually configured at the interface level using the
command "ip ospf network point-to-multipoint"
There is a difference between point-to-multipoint and the other two broadcast and non-broadcast
with the next-hop resolution on a nbma media .
ospf network type point-to-multipoint treats the network as a
collection of point-to-point links instead of one broadcast network
In broadcast and non-broadcast , ospf does not deal with layer 2 topology
and may not relate it with layer 3 network .
ospf network types broadcast and non-broadcast , next hop values are not
modified when updates are sent on nbma
This implies the device on nbma cloud requires layer 3 to layer 2 resolution
for any endpoint injecting into the network.
In ospf network type point-to-multipoint , next hop values are changed to the
address of the directly connected neighbor when they are advertised across
the NBMA cloud.
Routers on NBMA network only need layer 3 to layer 2 resolution for
directly connected neighbors when running ospf network point-to-multipoint
ospf network type point-to-multipoint advertises the endpoints of the
point-to-multipoint network as host routes instead of actual network itself
by MY CCIE JOURNEY | 0 comments