I've seen it happen time and again to programmers, network engineers and administrators, and other IT personnel. They get a solid IT position, a good-paying job, and they get comfortable. They stop keeping up with the latest technologies, they stop studying, they no longer keep their CCNA, MCSE, and other industry certifications up-to-date.... and then one day, their comfortable job is gone.
Maybe they get laid off, maybe the company moves and they don't want to move with it... but for one reason or another, they're in the worst position possible. They have no job, and they have allowed their IT skills to deteriorate to the point where they are no longer employable.
If you're in IT, you must be constantly learning. You must continually take the long view, and ask yourself three important questions. First, where do you want to be in three years? Second, what are you doing now in order to reach this goal? And finally, if you were laid off today, are your current skills sharp enough to quickly get another job?
That third question can be the hardest of all to answer honestly. I'm reminded of Microsoft announcing years ago that they would no longer be recognizing the MCSE 4.0 certification, since the network operating systems that certification was based upon would no longer be supported by MS. (Keep in mind that this change was announced months in advance, giving those holding the MCSE 4.0 plenty of time to earn the latest MS certification.)
Some MCSE 4.0s just went nuts. Microsoft's certification magazine printed letter after letter from angry MCSEs saying that their company would always run NT 4.0, and that there was no reason for them to ever upgrade their certification.
This wasn't just denial. This was career suicide. Let's say that their network never moved from NT 4.0. Let's also say that they got laid off yesterday. Would you want to go out into the current IT workplace and have your most recent network operating system experience be on NT 4.0? I sure wouldn't.
The fact is that you've got to continue studying, continue growing, and continue learning new things if you want to have a successful long-term IT career. If you plan on studying only one topic, getting into IT, and then never cracking a book again, you're entering the wrong field. And for those of us who have been in it for a while - again, ask yourself this question: "Am I prepared for what would happen if I were laid off today?" And if you're not, do something about it!
Wednesday, January 7, 2009
Friday, December 26, 2008
How To Become A Cisco VPN Specialist
There's quite an emphasis on security in today's networks, and that's reflected in Cisco's certification tracks. Cisco offers a CCIE Security track and the Cisco Certified Security Professional (CCSP) intermediate-level certification, but there is no real equivalent to the CCNA on the security side. Instead, Cisco offers several different Security Associate certifications.
The good news is that you’ve got a lot of security specializations from which to choose; the bad news is that you’ve got a lot of choices! In choosing a specialization, take some time to choose a certification that will be of practical use to you in your current position or in your “dream job”.
One of the more popular Security Associate certifications is the Cisco VPN Specialist certification. This two-exam track consists of a Securing Cisco Network Devices (SND, 642-551) exam and a Cisco Secure Virtual Private Networks (CSVPN, 642-511) exam. To earn the Cisco VPN Specialist certification, you must hold a valid CCNA certification.
What should you expect on these exams? On the SND exam, expect to be grilled on basic security features on both switches and routers, as well as VPN 3000 concentrators, PIXes, and IDS/IPS Sensors. You'll need to be ready to configure and troubleshoot basic AAA configurations, access-lists, syslog, AutoSecure, and much more. You should also be solid with IPSec.
IPSec will also be part of your CSVPN exam. As you'd expect, you'll also be expected to be quite good with the VPN 3000 Concentrator series, including browser configuration, creating users and groups, the Windows VPN Software Client, and more.
This is a demanding certification that is an excellent addition to your resume and your skill set. For the latest on this and other Cisco certifications, you should regularly visit the Learning & Events section of Cisco's website. As a Cisco certification candidate, it's your responsibility to stay current of any additions and changes to Cisco's certification paths - and it's good for your career!
Cisco Certification: The "Secret" Key To Getting Your CCNA And CCNP
Whether you're working on your CCNA or CCNP, Cisco certification exams are the most demanding computer certification exams in the IT field. Cisco exams are not a test of memorization, they're a test of your analytical skills. You'll need to look at configurations and console output and analyze them to identify problems and answer detailed questions. To pass these demanding exams, you've got to truly understand how Cisco routers and switches operate - and the key to doing so is right in front of you.
The debug command.
Of course, there is no single "debug" command. Using IOS Help, you can quickly see that there are hundreds of these debugs, and I want to mention immediately that you should never practice these commands on a production router. This is one major reason you need to get some hands-on experience with Cisco products in a home lab or rack rental. No software program or "simulator" is going to give you the debug practice you need.
Now, why am I so insistent that you use debugs? Because that's how you actually see what's going on. It's not enough to type a frame relay LMI command, you have to be able to see the LMIs being exchanged with "debug frame lmi". You don't want to just type a few network numbers in after enabling RIP, you want to see the routes being advertised along with their metrics with "debug ip rip". The list goes on and on.
By using debugs as part of your CCNA and CCNP studies, you're going beyond just memorizing commands and thinking you understand everything that's happening when you enter a command or two. You move to a higher level of understanding how routers, switches, and protocols work -- and that is the true goal of earning your CCNA and CCNP.
Cisco Certification: Recertifying Your CCNA and CCNP
Once you get your CCNA and CCNP, you can't just rest on your accomplishment. You've got to continue to study and add to your skill set - and then prove to Cisco you've been doing just that by recertifying.
Recertification sounds like a pain, but it's actually one of the best things to ever happen to computer certification, and it helps your career as well. One trap many LAN and WAN personnel fall into is that they fail to keep up with changes in technology, and if they happen to be laid off or want to change jobs, they're unable to because they didn't keep their skill set up.
Cisco's recertification policies ensure that if you want to keep your CCNA, CCNP, or one of the other valuable Cisco certifications, you've got to take a recertification exam.
As of November 2005, to recertify as a CCNA, you need to pass either the current CCNA exam, ICND exam, or any 642 professional level or Cisco Qualified Specialist exam. (This does not include Sales Specialist exams.) Passing a CCIE written qualification exam also recertifies you as a CCNA. CCNAs are valid for three years.
For the CCNP, you need to pass the 642-891 Composite exam, a CCIE written qualification exam, or BOTH the BSCI and BCMSN exams (642-801 and 642-811, respectively). CCNP certifications are valid for three years.
As you can see, you've got quite a few options either way. The one classic mistake you must not make is waiting too long to begin preparing for the exams, and give yourself a little leeway just in case you don't recertify the first time around. Once the deadline passes, your certification is gone, and in the case of the CCNP that means taking all the exams again.
As a professional, it's your responsibility to keep up with changes in the Cisco certification world, and this includes changes in the recertification program. Make a point of visiting the "Learning And Events" section of Cisco's website regularly to look for changes in the certification program. And while you're there, you just might see another cert that catches your eye!
Thursday, December 25, 2008
Cisco Certification: In What Order Should You Take Your CCNP Exams ?
When you choose to pursue your Cisco Certified Network Professional certification, you've got some decisions to make right at the beginning. Cisco offers a three-exam path and a four-exam path, and you select the order in which you'll take and pass the exams.
While every CCNP candidate has to make their own decision, I'd like to share some thoughts based on my personal experience and the experiences of CCNPs worldwide.
The solid foundation of networking knowledge you built as a CCNA will help you a great deal on your BSCI (Building Scalable Cisco Internetworks, 642-801) exam. This is the most common exam to take first, and I'd recommend you do so as well. While there are some topics that will be new to you, such as BGP, many of the BSCI topics will be familiar to you from your CCNA studies.
The "middle" exams are the BCMSN (Building Cisco Multilayer Switched Networks, 642-811) and BCRAN (Building Cisco Remote Access Networks, 642-821). There is no real advantage in taking one of these before the other, although most candidates take the switching exam, then the remote access exam.
I do recommend you take the CIT (Cisco Internetwork Troubleshooting) exam last. This exam will demand you put into action the skills you have learned while earning your CCNA and passing the first three exams. Again, it's not written in stone and there are always exceptions, but CCNP candidates do seem to have more success on this exam when they take it last.
Should you choose the three-exam path, you'll be taking a Composite exam (642-891). This exam combines the BSCI and BCMSN exams, and it's best to take this one first. It builds nicely with your CCNA skills.
Again, I would take the BCRAN exam after the Composite, and the Troubleshooting exam last.
Whichever path you choose, you've chosen wisely in which certification to pursue. The CCNP is a true test of your networking skills, and when you make the decision to go after the CCIE, you'll be glad to have the solid foundation of networking skills your CCNA and CCNP studies gave you.
Cisco CCNP Certification: Using The BGP Command “Update-Source”
When you start preparing for your CCNP exam, particularly the BSCI exam, you're introduced to Border Gateway Protocol (BGP) configurations. BGP is unlike any protocol you learned during your CCNA studies, and even the similarities are a little bit different!
BGP forms neighbor relationships, much like EIGRP and OSPF do. The interesting thing with BGP is that potential neighbors, or "peers", do not need to be directly connected and can use their loopback interfaces to form the peer relationships.
It may well be to your advantage to use loopbacks to form peer relationships rather than the actual interface facing the potential neighbor. This can be done because BGP uses static neighbor statements rather than any kind of dynamic neighbor discovery process.
Consider a router that has two paths to a BGP speaker. The interfaces are numbered like this:
Router1: Serial0, 172.1.1.1/24; Serial2, 179.1.1.1/24; loopback0, 1.1.1.1/32.
Router2: Serial0, 172.1.1.2/24; Serial2, 179.1.1.2/24; loopback0, 2.2.2.2/32.
We could configure Router1 like this:
router bgp 200
neighbor 172.1.1.2 remote-as 200
In this case, BGP would automatically use 172.1.1.1 as the source for the TCP connection that has to be set up with the neighbor before updates can be exchanged; this address is known as the best local address. However, if the remote peer's serial0 interface is shut down or goes down for another reason, the peer relationship would be lost even though Router2 is still available.
Instead of using one of the physical interfaces, we can use the loopbacks on each router to establish the TCP-based peer connection. The configurations would look like this:
Router1:
router bgp 200
neighbor 2.2.2.2 remote-as 200
neighbor 2.2.2.2 update-source loopback0
Router2:
router bgp 200
neighbor 1.1.1.1 remote-as 200
neighbor 1.1.1.1 update-source loopback0
In this case, losing one of the physical connections does not necessarily mean the BGP peering is lost; as long as the routers have a valid path to each other's loopback addresses, the BGP peer relationship will stay in place. And better yet, we avoid the dreaded “single point of failure
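To make the "best local address" behaviour concrete, here is an added Python model (not the blog's code, and not IOS internals) of the two peerings above. It uses the post's addresses; the route lookup, the link-state dictionary and the assumed static routes to the remote loopback are a toy model. It also shows the third case the post implies: peering to a loopback address without update-source, where the remote side rejects the session because the TCP source does not match its neighbor statement.

```python
"""Why 'neighbor ... update-source loopback0' keeps a BGP session alive.

Added example for the post above, not Cisco code. Models only two IOS rules:
  1. Without update-source, the TCP session is sourced from the address of the
     interface the router uses to reach the neighbor (the "best local address").
  2. The remote router only accepts the session if that source address equals
     the address in its own 'neighbor' statement.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Interface:
    name: str
    address: str            # "a.b.c.d/len"
    loopback: bool = False


@dataclass(frozen=True)
class NeighborCfg:
    remote_as: int
    neighbor: str                       # neighbor <addr> remote-as <as>
    update_source: Optional[str] = None  # neighbor <addr> update-source <intf>


# Interface numbering exactly as given in the post.
R1: Dict[str, Interface] = {
    "Serial0": Interface("Serial0", "172.1.1.1/24"),
    "Serial2": Interface("Serial2", "179.1.1.1/24"),
    "Loopback0": Interface("Loopback0", "1.1.1.1/32", loopback=True),
}
R2: Dict[str, Interface] = {
    "Serial0": Interface("Serial0", "172.1.1.2/24"),
    "Serial2": Interface("Serial2", "179.1.1.2/24"),
    "Loopback0": Interface("Loopback0", "2.2.2.2/32", loopback=True),
}

# The post's configs, plus the misconfiguration discussed in the lead-in.
PHYSICAL = (NeighborCfg(200, "172.1.1.2"), NeighborCfg(200, "172.1.1.1"))
LOOPBACK = (NeighborCfg(200, "2.2.2.2", "Loopback0"),
            NeighborCfg(200, "1.1.1.1", "Loopback0"))
NO_UPDATE_SOURCE = (NeighborCfg(200, "2.2.2.2"), NeighborCfg(200, "1.1.1.1"))


def addr(intf: Interface) -> str:
    return str(ipaddress.ip_interface(intf.address).ip)


def is_up(intf: Interface, links_up: Dict[str, bool]) -> bool:
    # Loopbacks never go down; serial links follow the constructed link state.
    return intf.loopback or links_up.get(intf.name, False)


def outgoing_interface(router, dest, links_up, remote_loopback) -> Optional[Interface]:
    """Toy route lookup: a directly connected network wins; otherwise an assumed
    static route to the peer's loopback over whichever serial link is still up."""
    dest_ip = ipaddress.ip_address(dest)
    serials = [i for i in router.values() if not i.loopback and is_up(i, links_up)]
    for intf in serials:
        if dest_ip in ipaddress.ip_interface(intf.address).network:
            return intf
    if dest == remote_loopback and serials:
        return serials[0]
    return None


def session_source(router, cfg, links_up, remote_loopback) -> Optional[str]:
    """Address IOS puts on the BGP TCP session (rule 1 above)."""
    if cfg.update_source:
        return addr(router[cfg.update_source])
    intf = outgoing_interface(router, cfg.neighbor, links_up, remote_loopback)
    return None if intf is None else addr(intf)


def session_up(r1, cfg1, r2, cfg2, links_up) -> bool:
    """Both sides must reach their neighbor, and each must see the source
    address it expects (rule 2 above)."""
    lo1, lo2 = addr(r1["Loopback0"]), addr(r2["Loopback0"])
    if outgoing_interface(r1, cfg1.neighbor, links_up, lo2) is None:
        return False
    if outgoing_interface(r2, cfg2.neighbor, links_up, lo1) is None:
        return False
    src1 = session_source(r1, cfg1, links_up, lo2)
    src2 = session_source(r2, cfg2, links_up, lo1)
    return src1 == cfg2.neighbor and src2 == cfg1.neighbor


def demo() -> Dict[str, bool]:
    both = {"Serial0": True, "Serial2": True}
    s0_down = {"Serial0": False, "Serial2": True}
    none = {"Serial0": False, "Serial2": False}
    return {
        "physical_all_up": session_up(R1, PHYSICAL[0], R2, PHYSICAL[1], both),
        "physical_s0_down": session_up(R1, PHYSICAL[0], R2, PHYSICAL[1], s0_down),
        "loopback_s0_down": session_up(R1, LOOPBACK[0], R2, LOOPBACK[1], s0_down),
        "loopback_all_down": session_up(R1, LOOPBACK[0], R2, LOOPBACK[1], none),
        "loopback_no_update_source": session_up(R1, NO_UPDATE_SOURCE[0], R2,
                                                NO_UPDATE_SOURCE[1], both),
    }


if __name__ == "__main__":
    for case, up in demo().items():
        print(f"{case:28s} {'Established' if up else 'Idle'}")
```

The last case is the one that bites in the lab: peering to the loopback address but forgetting update-source leaves the session Idle even with every link up, because Router2 sees 172.1.1.1 where it expects 1.1.1.1.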
Cisco CCNP Certification: The BGP Weight Attribute
When you're studying for the CCNP certification, especially the BSCI exam, you must gain a solid understanding of BGP. BGP isn't just one of the biggest topics on the BSCI exam, it's one of the largest. BGP has a great many details that must be mastered for BSCI success, and those of you with one eye on the CCIE must learn the fundamentals of BGP now in order to build on those fundamentals at a later time.
Path attributes are a unique feature of BGP. With interior gateway protocols such as OSPF and EIGRP, administrative distance is used as a tiebreaker when two routes to the same destination have different next-hop IP addresses but the same prefix length. BGP uses path attributes to make this choice.
The first attribute considered by BGP is weight. Weight is a Cisco-proprietary BGP attribute, so if you're working in a multivendor environment you should work with another attribute to influence path selection.
The weight attribute is significant only to the router on which it is changed. If you set a higher weight for a particular route in order to give it preference (a higher weight is preferred over a lower one), that weight is not advertised to other routers.
BGP uses categories such as "transitive", "non-transitive", "mandatory", and "optional" to classify attributes. Since weight is a locally significant Cisco-proprietary attribute, it does not fall into any of these categories.
The weight can be changed on a single route via a route-map, or a different weight can be set for all routes received from a given neighbor. To change the weight for all incoming routes, use the "weight" option with the neighbor command after forming the BGP peer relationships.
R2(config)#router bgp 100
R2(config-router)#neighbor 100.1.1.1 remote-as 10
R2(config-router)#neighbor 100.1.1.1 weight 200
Learning all of the BGP attributes, as well as when to use them, can seem an overwhelming task when you first start studying for your BSCI and CCNP exams. Break this task down into small parts, learn one attribute at a time, and soon you'll have the BGP attributes mastered.
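The following is an added Python model (not the blog's code or IOS output) of the two ways to set weight described above, and of its local significance. The R2 / AS 100 / neighbor 100.1.1.1 / weight 200 values are the post's; the second neighbor 100.1.2.1 in AS 20, the prefixes and the route-map weight of 300 are constructed for the illustration.

```python
"""Model of the BGP weight attribute as applied on one Cisco router.

Added example, not the blog's or Cisco's code. Assumed IOS defaults: a route
received from a neighbor starts with weight 0; the highest weight is preferred.
Ties are not resolved here (the real algorithm continues with local preference
and the remaining attributes, which the post does not cover).
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Path:
    prefix: str
    next_hop: str
    learned_from: Optional[str]   # neighbor address the path came from
    weight: int = 0


def neighbor_weight(paths: List[Path], neighbor: str, weight: int) -> List[Path]:
    """'neighbor <addr> weight <n>': every path received from that neighbor."""
    return [replace(p, weight=weight) if p.learned_from == neighbor else p
            for p in paths]


def route_map_weight(paths: List[Path], neighbor: str, prefix: str,
                     weight: int) -> List[Path]:
    """Inbound route-map on one neighbor: match ip address <prefix> / set weight <n>.
    Only the matching route from that neighbor is changed."""
    return [replace(p, weight=weight)
            if p.learned_from == neighbor and p.prefix == prefix else p
            for p in paths]


def best_paths(table: List[Path]) -> Dict[str, str]:
    """First step of best-path selection: highest weight wins per prefix."""
    best: Dict[str, Path] = {}
    for p in table:
        cur = best.get(p.prefix)
        if cur is None or p.weight > cur.weight:
            best[p.prefix] = p
    return {prefix: p.next_hop for prefix, p in best.items()}


def advertise(paths: List[Path], to_neighbor: str, my_address: str) -> List[Path]:
    """What a peer installs after receiving our best paths: weight is not an
    attribute carried in the UPDATE, so it is reset to the default on arrival."""
    return [Path(p.prefix, my_address, learned_from=my_address, weight=0)
            for p in paths]


def r2_bgp_table() -> List[Path]:
    # Constructed paths received by R2 (AS 100): one neighbor from the post,
    # one assumed second neighbor, both advertising the same two prefixes.
    received = [
        Path("10.0.0.0/8", "100.1.1.1", learned_from="100.1.1.1"),
        Path("10.0.0.0/8", "100.1.2.1", learned_from="100.1.2.1"),
        Path("192.168.5.0/24", "100.1.1.1", learned_from="100.1.1.1"),
        Path("192.168.5.0/24", "100.1.2.1", learned_from="100.1.2.1"),
    ]
    # R2(config-router)#neighbor 100.1.1.1 weight 200   (from the post)
    table = neighbor_weight(received, "100.1.1.1", 200)
    # Assumed route-map on the other neighbor preferring one prefix only.
    return route_map_weight(table, "100.1.2.1", "192.168.5.0/24", 300)


if __name__ == "__main__":
    table = r2_bgp_table()
    for prefix, nh in best_paths(table).items():
        print(f"{prefix:16s} best via {nh}")
    sent = advertise([p for p in table if p.weight > 0], "100.1.3.3", "100.1.3.2")
    print("weights seen by the downstream peer:", {p.weight for p in sent})
```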
Cisco CCNP Certification / BSCI Exam Tutorial: An Introduction To BGP
When you're studying for the BSCI exam on the way to earning your CCNP certification, it's safe to say that BGP is like nothing you’ve studied to this point. BGP is an external routing protocol used primarily by Internet Service Providers (ISPs). Unless you work for an ISP today or in the future, you may have little or no prior exposure to BGP. Understanding BGP is a great addition to your skill set – and you have to know the basics well to pass the BSCI exam.
Note that I said “the basics”. BGP is a very complex protocol, and when you pursue your CCIE, you’ll see what I’m talking about. As with all things Cisco, though, when broken down into smaller pieces, BGP becomes quite understandable. You will need to know the basics of BGP as presented in this chapter to pass your BSCI exam – so let’s get started.
BGP Defined:
“An Internet protocol that enables groups of routers (called autonomous systems) to share routing information so that efficient, loop-free routes can be established. BGP is commonly used within and between Internet Service Providers (ISPs).”
There are a couple of terms in there that apply to the protocols you’ve mastered so far in your studies. The term “autonomous system” applies to IGRP and EIGRP as well as BGP; you’ll be indicating a BGP AS in your configurations just as you did with IGRP and EIGRP. And we’re always looking for efficient, loop-free routes, right? As it did with IGRP and EIGRP, "autonomous system" simply refers to a group of routers that is managed by a single administrative body. An autonomous system will use an Interior Gateway Protocol (IGP) such as OSPF or EIGRP to route packets inside the AS; outside the AS, an Exterior Gateway Protocol (EGP) such as BGP will be used.
BGP shares some characteristics with some routing protocols you’ve already studied. BGP supports VLSM, summarization, and CIDR. Like EIGRP, BGP will send full updates when two routers initially become neighbors and will send only partial updates after that. BGP does create and maintain neighbor relationships before exchanging routes, and keepalives are sent to keep this relationship alive.
BGP has some major differences from the IGPs we’ve studied to this point. You’ll hear BGP referred to as a path-vector protocol. As opposed to distance-vector protocols that exchange relatively simple information about available routes, BGP routers will exchange extensive information about networks to allow the routers to make more intelligent routing decisions. This additional BGP path information comes in the form of attributes, and these path attributes are contained in the updates sent by BGP routers. Attributes themselves are broken up into two classes, well-known and optional.
BGP also keeps a routing table separate from the IP routing table.
We'll take a look at BGP attributes in future BSCI tutorials. In the meantime, keep studying!
Cisco CCNP Certification / BCMSN Exam Tutorial: Writing QoS Policy
QoS - Quality of Service - is a huge topic on both the BCMSN exam and real-world networks. QoS is so big today that Cisco's created separate specialist certifications that cover nothing but QoS! It can be an overwhelming topic at first, but master the fundamentals and you're on your way to exam and job success.
If you work with QoS at any level - and sooner or later, you will - you've got to know how to write and apply QoS policies.
Creating and applying such a policy is a three-step process.
1. Create a QoS class to identify the traffic that will be affected by the policy.
2. Create a QoS policy containing the actions to be taken by traffic identified by the class.
3. Apply the policy to the appropriate interfaces.
If the phrase "identify the traffic" sounds like it's time to write an access-list, you're right! Writing an ACL is one of two ways to classify traffic, and is the more common of the two. Before we get to the less-common method, let's take a look at how to use an ACL to classify traffic.
You can use either a standard or extended ACL with QoS policies. The ACL will be written separately, and then called from the class map.
SW1(config)#access-list 105 permit tcp any any eq 80
SW1(config)#class-map WEBTRAFFIC
SW1(config-cmap)#match access-group 105
Now that we've identified the traffic to be affected by the policy, we'd better get around to writing the policy! QoS policies are configured with the policy-map command, and each clause of the policy will contain an action to be taken on traffic matching that clause.
SW1(config)#policy-map LIMIT_WEBTRAFFIC_BANDWIDTH
SW1(config-pmap)#class WEBTRAFFIC
SW1(config-pmap-c)#police 5000000 exceed-action drop
SW1(config-pmap-c)#exit
This is a simple policy, but it illustrates the logic of QoS policies. The policy map LIMIT_WEBTRAFFIC_BANDWIDTH calls the class map WEBTRAFFIC. We already know that all WWW traffic will match that class map, so any WWW traffic that exceeds the stated bandwidth limitation will be dropped.
Finally, apply the policy to the appropriate interface.
SW1(config-if)#service-policy LIMIT_WEBTRAFFIC_BANDWIDTH in
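To see what the three steps actually do to a stream of packets, here is an added Python model (my own, not code from the tutorial or from Cisco IOS) of the WEBTRAFFIC classification followed by a single-rate token-bucket policer with exceed-action drop. The 10,000-byte burst size and the sample packets are constructed assumptions; a real IOS policer also has conform and violate actions, which this model leaves out.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Packet:
    t: float       # arrival time in seconds (constructed sample data)
    size: int      # length in bytes
    proto: str     # "tcp" or "udp"
    dst_port: int


def matches_webtraffic(pkt: Packet) -> bool:
    """class-map WEBTRAFFIC / match access-group 105, with ACL 105 being
    'permit tcp any any eq 80': any TCP packet whose destination port is 80."""
    return pkt.proto == "tcp" and pkt.dst_port == 80


class Policer:
    """Single-rate token-bucket policer, the mechanism behind
    'police <rate> exceed-action drop'.

    The bucket holds up to burst_bytes tokens and refills at rate_bps/8 bytes per
    second. A packet conforms if the bucket holds at least its size in tokens;
    otherwise it exceeds and, with exceed-action drop, is discarded.
    """

    def __init__(self, rate_bps: int, burst_bytes: int) -> None:
        self.rate_bytes_per_s = rate_bps / 8.0
        self.burst = float(burst_bytes)
        self.tokens = float(burst_bytes)   # the bucket starts full
        self.last_t = 0.0

    def conforms(self, pkt: Packet) -> bool:
        elapsed = max(0.0, pkt.t - self.last_t)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_bytes_per_s)
        self.last_t = pkt.t
        if pkt.size <= self.tokens:
            self.tokens -= pkt.size
            return True
        return False


def apply_policy(packets: List[Packet], rate_bps: int = 5_000_000,
                 burst_bytes: int = 10_000) -> Tuple[List[Packet], List[Packet]]:
    """policy-map LIMIT_WEBTRAFFIC_BANDWIDTH applied inbound: packets in class
    WEBTRAFFIC go through the policer; everything else (class-default) is forwarded
    untouched. Returns (forwarded, dropped). burst_bytes is an assumed value."""
    policer = Policer(rate_bps, burst_bytes)
    forwarded: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in sorted(packets, key=lambda p: p.t):
        if matches_webtraffic(pkt) and not policer.conforms(pkt):
            dropped.append(pkt)          # exceed-action drop
        else:
            forwarded.append(pkt)
    return forwarded, dropped


def sample_traffic() -> List[Packet]:
    """Constructed input: a 30,000-byte HTTP burst at t=0 (three times the assumed
    burst size), one DNS packet in the same instant, and one more HTTP packet a
    second later, after the bucket has refilled."""
    pkts = [Packet(0.0, 1500, "tcp", 80) for _ in range(20)]
    pkts.append(Packet(0.0, 512, "udp", 53))
    pkts.append(Packet(1.0, 1500, "tcp", 80))
    return pkts


if __name__ == "__main__":
    fwd, drp = apply_policy(sample_traffic())
    print(f"forwarded={len(fwd)} dropped={len(drp)}")   # forwarded=8 dropped=14
```

Only six of the twenty burst packets fit in the bucket, the DNS packet is never policed because it does not match the class, and the late HTTP packet conforms again once the bucket has refilled.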
Getting your CCNP is a great way to boost your career, and learning QoS is a tremendous addition to your skill set. Like I said, learn the fundamentals, don't get overwhelmed by looking at QoS as a whole, and you're on your way to success!
Cisco CCNP / BSCI Exam Tutorial: Using The OSPF Command “Area Range”
Your BSCI and CCNP exam success depends on knowing the details, and one such detail is knowing the proper way to summarize routes in OSPF. Route summarization is not just a test of your binary conversion abilities, but knowing where and when to summarize routes. It will not surprise any CCNA or CCNP certification candidate that OSPF gives us the most options for route summarization, and therefore more details to know!
OSPF offers us two options for route summarization configurations. In a previous tutorial, we looked at the "summary-address" command, and today we'll look at the proper use of the "area range" command.
The "area range" command should be used on an Area Border Router (ABR) to summarize routes being advertised from one OSPF area to another. In this tutorial, R1 is acting as an ABR, with interfaces in both Area 0 and Area 1. Four loopbacks have been placed into R1's Area 1.
R1(config)#router ospf 1
R1(config-router)#network 12.0.0.0 0.255.255.255 a 1
R1(config-router)#network 13.0.0.0 0.255.255.255 a 1
R1(config-router)#network 14.0.0.0 0.255.255.255 a 1
R1(config-router)#network 15.0.0.0 0.255.255.255 a 1
The routing table of an OSPF neighbor, R2, shows all four routes.
R2#show ip route ospf
12.0.0.0/32 is subnetted, 1 subnets
O IA 12.12.12.12 [110/65] via 172.12.123.1, 00:18:52, Serial0
13.0.0.0/32 is subnetted, 1 subnets
O IA 13.13.13.13 [110/65] via 172.12.123.1, 00:18:42, Serial0
14.0.0.0/32 is subnetted, 1 subnets
O IA 14.14.14.14 [110/65] via 172.12.123.1, 00:18:32, Serial0
15.0.0.0/32 is subnetted, 1 subnets
O IA 15.15.15.15 [110/65] via 172.12.123.1, 00:18:32, Serial0
To keep the routing tables of downstream routers smaller but still have the desired IP connectivity, we can use the area range command on R1 to summarize these four routes. The key to keep in mind with the area range command is that the area number given in the command is the area containing the destinations, NOT the area that will receive the summary route.
R1(config)#router ospf 1
R1(config-router)#area 1 range 12.0.0.0 252.0.0.0
R2 now shows a single summary route that can be used to reach all four remote networks.
R2#show ip route ospf
O IA 12.0.0.0/6 [110/65] via 172.12.123.1, 00:00:21, Serial0
Interestingly enough, there's now an additional route in R1's routing table.
R1#show ip route ospf
O 12.0.0.0/6 is a summary, 00:07:53, Null0
When you configure summary routes in OSPF, a route to null0 will be installed into the OSPF routing table of the router performing the summarization. This helps to prevent routing loops. Any packets destined for the routes that have been summarized will have a longer match in the routing table, and packets that do not match one of the summarized routes but do match the summary route will be dropped.
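The two things worth checking by hand here are how the /6 summary is derived from the four loopbacks and why the Null0 route is harmless for real destinations but swallows the rest of the summary range. Here is an added Python model (not from the tutorial) of both: it widens a prefix until it covers every Area 1 network, then runs longest-prefix-match lookups against R1's and R2's tables. The interface name "Loopback" and the test destinations are constructed.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Constructed to match the tutorial's topology: four loopbacks in R1's Area 1.
AREA1_LOOPBACKS = ["12.12.12.12/32", "13.13.13.13/32", "14.14.14.14/32", "15.15.15.15/32"]

# A route is (prefix, next hop or exit interface).
Route = Tuple[ipaddress.IPv4Network, str]


def summary_for(prefixes: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single prefix covering every input network.

    This is the calculation behind 'area 1 range 12.0.0.0 252.0.0.0': start from
    the first prefix and widen it one bit at a time until all the others fit.
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def summary_to_ios(net: ipaddress.IPv4Network) -> str:
    """Render the summary the way 'area range' expects it: network plus subnet mask."""
    return f"{net.network_address} {net.netmask}"


def r1_table() -> List[Route]:
    """R1 (the ABR) after summarization: the specific Area 1 routes plus the
    discard route to Null0 that IOS installs for the summary it originates."""
    table: List[Route] = [(ipaddress.ip_network(p), "Loopback") for p in AREA1_LOOPBACKS]
    table.append((summary_for(AREA1_LOOPBACKS), "Null0"))
    return table


def r2_table() -> List[Route]:
    """R2 (downstream) sees only the inter-area summary via R1."""
    return [(summary_for(AREA1_LOOPBACKS), "172.12.123.1")]


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific entry containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, hop in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return None if best is None else best[1]


def forward(table: List[Route], dst: str) -> str:
    """What the router does with a packet for dst: 'drop' for the Null0 discard
    route, 'unroutable' with no match, otherwise the next hop / exit interface."""
    hop = lookup(table, dst)
    if hop is None:
        return "unroutable"
    return "drop" if hop == "Null0" else hop


if __name__ == "__main__":
    s = summary_for(AREA1_LOOPBACKS)
    print("area 1 range", summary_to_ios(s))       # area 1 range 12.0.0.0 252.0.0.0
    for dst in ("12.12.12.12", "14.200.1.1", "100.1.1.1"):
        print(dst, "| R2:", forward(r2_table(), dst), "| R1:", forward(r1_table(), dst))
```

A packet for 14.200.1.1 is sent by R2 to R1 because it falls inside 12.0.0.0/6, and R1 discards it on the Null0 route instead of bouncing it back toward a default route, which is the loop the text refers to.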
Cisco CCNP / BSCI Exam Tutorial: Using Distribute Lists
To be successful on the BSCI exam and in earning your CCNP, you've got to master route redistribution. This isn't as easy as it sounds, because configuring route redistribution is only half the battle. Whether it's on an exam or in a real-world production network, you've got to identify possible points of trouble before you configure route redistribution - and you need to be able to control redistribution as well. You may have an OSPF domain with 100 routes, but only need to redistribute 10 of them into a neighboring RIPv2 domain. You've got to know how to do that, and one method is the use of a distribute-list.
A distribute-list is an access-list that is used to determine what routes can and cannot be redistributed. Distribute-lists let you specify what routes will be filtered from the process. You can use standard or extended ACLs, and you can filter routes that are coming into a routing process or being injected into another process.
In the following example, R1 is redistributing RIP routes into OSPF, but only wants to advertise network 150.1.1.0 /24 to other OSPF routers. An ACL will be written to match that particular network, and then the distribute-list will be written under the routing process. I'm going to show you the IOS Help output for the distribute-list command, and please note that routing updates can be controlled at the interface level or protocol level.
R1(config)#access-list 24 permit 150.1.1.0 0.0.0.255
R1(config)#router ospf 1
R1(config-router)#redistribute rip subnets
R1(config-router)#distribute-list 24 ?
in Filter incoming routing updates
out Filter outgoing routing updates
R1(config-router)#distribute-list 24 out ?
Async Async interface
BRI ISDN Basic Rate Interface
BVI Bridge-Group Virtual Interface
CTunnel CTunnel interface
Dialer Dialer interface
Ethernet IEEE 802.3
Lex Lex interface
Loopback Loopback interface
Multilink Multilink-group interface
Null Null interface
Serial Serial
Tunnel Tunnel interface
Vif PGM Multicast Host interface
Virtual-Template Virtual Template interface
Virtual-TokenRing Virtual TokenRing
bgp Border Gateway Protocol (BGP)
connected Connected
egp Exterior Gateway Protocol (EGP)
eigrp Enhanced Interior Gateway Routing Protocol (EIGRP)
igrp Interior Gateway Routing Protocol (IGRP)
ospf Open Shortest Path First (OSPF)
rip Routing Information Protocol (RIP)
static Static routes
R1(config-router)#distribute-list 24 out rip
Using distribute-lists does guard against routing loops, but they have other purposes. You may have a network segment that should be kept secret from the rest of your company; a distribute-list can filter that segment's network number from the redistribution process. In this way, distribute-lists serve as a basic form of network security. (Very basic. I wouldn't sell that firewall on ebay if I were you.)
Keeping such networks out of routing updates and routing tables throughout the network has the side effect of reducing routing update overhead as well.
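The behaviour of a distribute-list comes down to IOS wildcard-mask matching plus the implicit deny at the end of every ACL, and those two details are easy to get backwards. Here is an added Python model (not from the tutorial) of ACL 24 applied as "distribute-list 24 out rip", plus a second, constructed ACL that hides one segment while permitting everything else, as the "keep it secret" paragraph describes. The RIP routes are constructed sample data.

```python
import ipaddress
from typing import List, Tuple

# One standard ACL entry: (action, network, wildcard mask), in IOS order.
AclEntry = Tuple[str, str, str]

# The tutorial's 'access-list 24 permit 150.1.1.0 0.0.0.255', as data.
ACL_24: List[AclEntry] = [("permit", "150.1.1.0", "0.0.0.255")]

# Constructed ACL for the "secret segment" case: deny one /16, then permit any.
# Without the explicit permit-any, the implicit deny would filter every route.
ACL_HIDE_SEGMENT: List[AclEntry] = [
    ("deny", "10.50.0.0", "0.0.255.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]

# Constructed RIP routes present on R1.
RIP_ROUTES = ["150.1.1.0/24", "150.1.2.0/24", "10.50.0.0/16", "192.168.99.0/24"]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: a 0 bit in the wildcard must match exactly,
    a 1 bit is ignored (the inverse of a subnet mask)."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    return (a & care) == (n & care)


def acl_permits(acl: List[AclEntry], addr: str) -> bool:
    """First matching entry decides; an unmatched address hits the implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(addr, network, wildcard):
            return action == "permit"
    return False


def distribute_list_out(acl: List[AclEntry],
                        routes: List[str]) -> Tuple[List[str], List[str]]:
    """Model 'distribute-list <acl> out rip' under 'router ospf': a standard ACL is
    checked against each route's network address. Returns (redistributed, filtered)."""
    redistributed: List[str] = []
    filtered: List[str] = []
    for prefix in routes:
        net = ipaddress.ip_network(prefix)
        if acl_permits(acl, str(net.network_address)):
            redistributed.append(prefix)
        else:
            filtered.append(prefix)
    return redistributed, filtered


if __name__ == "__main__":
    print("ACL 24:", distribute_list_out(ACL_24, RIP_ROUTES))
    print("hide segment:", distribute_list_out(ACL_HIDE_SEGMENT, RIP_ROUTES))
```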
Cisco CCNP / BSCI Exam Tutorial: Ten IP Routing Details You Must Know!
To pass the BSCI exam and earn your CCNP, you've got to keep a lot of details in mind. It's easy to overlook the "simpler" protocols and services such as static routing and distance vector protocols. With this in mind, here's a quick review of some details you should know for success in the exam room and real-world networks!
When packets need to be routed, the routing table is parsed for the longest prefix match. If multiple paths exist with the same prefix length, the route with the lowest AD is preferred. If there are still multiple valid paths, equal-cost load-sharing goes into effect.
The ip route command is used to create static routes. The command ip route 0.0.0.0 0.0.0.0 <next-hop-IP or local exit interface> creates a default static route.
A static route with a next-hop IP address has an AD of one, while a static route with a local exit interface has an AD of zero.
A floating static route is a static route with an AD higher than that of the dynamic routing protocols running on the router, ensuring that the static route can only be used if the routing protocol goes down.
On-Demand Routing (ODR) is only appropriate in a hub-and-spoke network. The spokes effectively become stub routers. ODR uses Cisco Discovery Protocol (CDP) to send route information.
To propagate a default route with IP routing, use the ip default-network command. To do so with IP routing disabled, use ip default-gateway. You can also redistribute a static route into most protocols, but not IGRP. IGRP does not understand a static route to 0.0.0.0.
The ip helper-address command takes certain broadcasts and translates them into unicasts in order to allow the router to forward them. These default ports are:
TIME, port 37
TACACS, port 49
DNS, port 53
BOOTP/DHCP Server, port 67
BOOTP/DHCP Client, port 68
TFTP, port 69
NetBIOS name service, port 137
NetBIOS datagram services, port 138
To name other ports, use the ip forward-protocol command. To remove any of these ports from the default list, use the no ip forward-protocol command.
ICMP Router Discovery Protocol (IRDP) hosts hear multicast Hellos from routers, allowing host-router discovery. HSRP routers create a virtual router that hosts think is a real router. Both protocols help networks cut over to a functional router quickly when their primary router goes down.
Cisco CCNP / BSCI Exam Tutorial: Leading Zero Compression
The BSCI exam and CCNP certification requires that you be well versed in the basics of IP Version 6, or IPv6. If you're new to IPv6, you'll quickly learn that it's not exactly just two more octets slapped onto an IPv4 address! IPv6 addresses are quite long, but there are two ways to acceptably shorten IPv6 address expression. To pass the BSCI exam, become a CCNP, and get that all-important understanding of IPv6, you've got to understand these different methods of expressing an IPv6 address. My last IPv6 tutorial discussed zero compression; today we'll take a look at leading zero compression.
Leading zero compression allows us to drop the leading zeroes from every field in the address. Where we could only use zero compression once in an IPv6 address expression, leading zero compression can be used as often as is appropriate. The key with leading zero compression is that there must be at least one number left in each field, even if that remaining number is a zero.
You sometimes see books or websites refer to leading zero compression as "dropping zeroes and replacing them with a colon", but that explanation can be a little confusing, since the blocks are separated with a colon to begin with. You're not really replacing the leading zeroes, you're dropping them.
Let's look at an example of leading zero compression. Taking the address 1234:0000:1234:0000:1234:0000:0123:1234, we have four different fields that have leading zeroes. The address can be written out as it is, or with the leading zeroes dropped.
Original format: 1234:0000:1234:0000:1234:0000:0123:1234
With leading zero compression: 1234:0:1234:0:1234:0:123:1234
There's no problem with using zero compression and leading zero compression in the same address, as shown here:
Original format: 1111:0000:0000:1234:0011:0022:0033:0044
With zero and leading zero compression: 1111::1234:11:22:33:44
Zero compression uses the double-colon to replace the second and third block of numbers, which were all zeroes; leading zero compression replaced the "00" at the beginning of each of the last four blocks. Just be careful and take your time with both zero compression and leading zero compression and you'll do well on the exam and in the real world. The keys to success here are remembering that you can only use zero compression once in a single address, and that while leading zero compression can be used as often as needed, at least one number must remain in each field, even if that number is a zero.
Cisco CCNP / BSCI Exam Tutorial: ISIS Router Types
To pass the BSCI exam and earn your CCNP, you've got to know ISIS inside and out. There are many similarities between ISIS and OSPF, but one major difference is that ISIS has three different types of routers - Level 1 (L1), Level 2 (L2), and L1/L2.
L1 routers are contained in a single area, and are connected to other areas by an L1/L2 router. The L1 uses the L1/L2 router as a default gateway to reach destinations contained in other areas, much like an OSPF stub router uses the ABR as a default gateway.
L1 routers have no specific routing table entries regarding any destination outside their own area; they will use an L1/L2 router as a default gateway to reach any external networks. ISIS L1 routers in the same area must synchronize their databases with each other.
Just as we have L1 routers, we also have L2 routers. Anytime we're routing between areas (inter-area routing), an L2 or L1/L2 router must be involved. All L2 routers will have synchronized databases as well.
Both L1 and L2 routers send out their own hellos. As with OSPF, hello packets allow ISIS routers to form adjacencies. The key difference here is that L1 routers send out L1 hellos, and L2 routers send out L2 hellos. If you have an L1 router and an L2 router on the same link, they will not form an adjacency.
An ISIS router can act as an L1 and an L2 router at the same time; these routers are L1/L2 routers. An L1/L2 router can have neighbors in separate ISIS areas. The L1/L2 router will have two separate databases, though - one for L1 routes and another for L2 routes. L1/L2 is the default setting for Cisco routers running ISIS. The L1/L2 router is the router that makes it possible for an L1 router to send data to another area.
In the next part of my ISIS tutorial, we'll take a more detailed look at those ISIS hellos!
Cisco CCNP / BSCI Exam Tutorial: IP Version 6 Zero Compression
BSCI exam success is all part of becoming a CCNP, and part of that success is now learning the basics of IP Version 6, or IPv6. One of the most difficult parts of learning IPv6 concepts is the radically different addressing scheme that IPv6 uses as compared to IPv4. Just look at these sample addresses:
Typical IPv4 address: 129.14.12.200
Typical IPv6 address: 1029:9183:81AE:0000:0000:0AC1:2143:019B
As you can see, IPv6 isn't exactly just tacking two more octets onto an IPv4 address!
I haven't met too many networkers who really like typing, particularly numbers. You'll be happy to know there are some rules that will shorten those addresses a bit, and it's a very good idea to be fluent with these rules for your exam.
You remember from your CCNA studies that there's no difference between an upper-case letter and lower-case letter in hexadecimal. That's one of three basic rules you need to know when working with IPv6 addressing. The other factors deal with all the zeroes you'll run into in IPv6 addresses! One of these rules is the rule of zero compression.
The rule of zero compression states that if an address contains consecutive fields of zeroes, they can be expressed with two colons. It doesn't matter if you have two fields or eight, you can simply type two colons and that will represent all of them. The key here is that you can only do this once in an IPv6 address. This is referred to as zero compression. Here's an example:
Original format: 1234:1234:0000:0000:0000:0000:3456:3434
Using zero compression: 1234:1234::3456:3434
Again, you must remember that you can only do this once in an IPv6 address expression.
What if there are zeroes in the address that don't quite fit this rule? The next part of our IPv6 tutorial will deal with leading zero compression, another tool you can use to shorten these long, long addresses!
Cisco CCNP / BSCI Exam Tutorial: A Guide To Ipv6 Addressing
Learning IPv6 is paramount in your efforts to pass the BSCI exam and go on to earn your CCNP, and it's going to help in your real-world networking career as well. IPv6 can be confusing at first, but it's like anything else in Cisco or networking as a whole - learn one part at a time, master the fundamentals, and you're on your way to success. In today's article we're going to take a look at IPv6 address types.
In IPv4, a unicast address is simply an address used to represent a single host, whereas multicast addresses represent a group of hosts and broadcasts represent all hosts.
In IPv6, it's not quite that simple. There are actually different types of unicast addresses, each with its own separate function. This allows IPv6 to get data where it's supposed to go quicker than IPv4 while conserving router resources.
IPv6 offers two kinds of local addresses, link-local and site-local. Site-local addresses allow devices in the same organization, or site, to exchange data. Site-local addresses are IPv6's equivalent to IPv4's private address classes, since hosts using them are able to communicate with each other throughout the organization, but these addresses cannot be used to reach Internet hosts.
Site-local and link-local addresses are actually derived from a host's MAC address. Therefore, if HostA has HostB's IPv6 address, HostA can determine HostB's MAC address from that, making ARP unnecessary.
Link-local addresses have a smaller scope than site-local. Link-local addresses are just that, local to a physical link. These particular addresses are not used at all in forwarding data. One use for these addresses is Neighbor Discovery, which is IPv6's answer to ARP.
You can identify these and other IPv6 addresses by their initial bits:
001 - Global address
(first 96 bits set to zero) - IPv4-compatible address
1111 1111 - Multicast
1111 1110 11 - Site local
1111 1110 10 - Link Local
As a future CCNP, you're more than familiar with the reserved IPv4 address classes. You also know that they're not exactly contiguous. The developers of IPv6 took a structured approach to IPv6 reserved addresses - any address that begins with "0000 0000" is an IPv6 reserved address. One of these is the IPv6 loopback address, and this will give you some practice with your zero compression!
IPv6 Loopback: 0000:0000:0000:0000:0000:0000:0000:0001
Using Leading Zero Compression Only: 0:0:0:0:0:0:0:1
Combining Leading Zero and Zero Compression: ::1
Zero compression looks pretty good now, doesn't it? You just have to get used to it and keep the rules in mind. You can use all the leading zero compression you want, but zero compression ("double-colon") can only be used once in a single address.
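Both compression rules, and the leading-bit address types listed above, are mechanical enough to code up, and doing so is a useful check on your own answers: the same address can be written several ways, so any filter or log search that compares IPv6 addresses as strings has to compare the expanded form instead. This added Python block (mine, not the tutorial's) expands an address, applies leading zero compression, applies zero compression once, and classifies the address by its leading bits; it follows the RFC 5952 convention of compressing only a run of two or more zero fields and choosing the leftmost longest run, which is an assumption beyond what the tutorial states.

```python
import re
from typing import List

HEX_FIELD = re.compile(r"^[0-9a-fA-F]{1,4}$")


def expand(addr: str) -> List[str]:
    """Undo both compressions: return the eight 4-digit hex fields of addr.
    Accepts at most one '::' (the zero-compression rule) and 1-4 hex digits per field."""
    if addr.count("::") > 1:
        raise ValueError("zero compression ('::') may appear only once")
    if "::" in addr:
        left, right = addr.split("::")
        lf = left.split(":") if left else []
        rf = right.split(":") if right else []
        missing = 8 - len(lf) - len(rf)
        if missing < 1:
            raise ValueError("'::' must stand for at least one field")
        fields = lf + ["0"] * missing + rf
    else:
        fields = addr.split(":")
    if len(fields) != 8 or not all(HEX_FIELD.match(f) for f in fields):
        raise ValueError(f"not a valid IPv6 address: {addr!r}")
    return [f.lower().zfill(4) for f in fields]


def leading_zero_compress(addr: str) -> str:
    """Drop leading zeroes in every field, always leaving at least one digit."""
    return ":".join(f.lstrip("0") or "0" for f in expand(addr))


def zero_compress(addr: str) -> str:
    """Leading zero compression, then replace the longest run of two or more
    all-zero fields with '::' (once only; leftmost run wins a tie)."""
    fields = leading_zero_compress(addr).split(":")
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if fields[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and fields[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(fields)
    left = ":".join(fields[:best_start])
    right = ":".join(fields[best_start + best_len:])
    return f"{left}::{right}"


def same_address(a: str, b: str) -> bool:
    """Compare two written forms by their expanded fields, not as strings."""
    return expand(a) == expand(b)


def address_type(addr: str) -> str:
    """Classify by the leading bits listed in the tutorial, plus the two
    special reserved addresses (loopback and the all-zeroes unspecified address)."""
    bits = "".join(f"{int(f, 16):016b}" for f in expand(addr))
    if bits == "0" * 128:
        return "unspecified"
    if bits == "0" * 127 + "1":
        return "loopback"
    if bits.startswith("0" * 96):
        return "IPv4-compatible"
    if bits.startswith("11111111"):
        return "multicast"
    if bits.startswith("1111111011"):
        return "site-local"
    if bits.startswith("1111111010"):
        return "link-local"
    if bits.startswith("001"):
        return "global"
    return "other/reserved"


if __name__ == "__main__":
    for a in ("0000:0000:0000:0000:0000:0000:0000:0001",
              "1111:0000:0000:1234:0011:0022:0033:0044"):
        print(a, "->", leading_zero_compress(a), "->", zero_compress(a), address_type(a))
```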
IPv6 is here to stay, not only on your BSCI and CCNP exams, but in the real world as well. Learning it now will not only aid you in passing your Cisco exams, but in supporting IPv6 in the future.
Cisco CCNP / BSCI Certification: Introduction To ISIS Terminology
When you're studying to pass the BSCI exam and earn your CCNP certification, you're going to be introduced to ISIS. ISIS and OSPF are both link-state protocols, but ISIS works quite differently from OSPF. You must master these details in order to earn your CCNP.
One of the major differences between OSPF and ISIS will be evident to you when you first begin your BSCI exam studies, and that is the terminology. ISIS uses terms that no other protocol you've studied to date uses, and learning these new terms is the first step to BSCI and CCNP exam success.
First off, what does "IS" stand for in "ISIS"? It stands for "Intermediate System", which sounds like a group of routers. As opposed to Autonomous Systems, which are logical groups of routers, an Intermediate System is simply a single router. That's it.
You'll also become familiar with End Systems, referred to in ISIS as an "ES". The End System is simply an end host.
ISIS and OSPF both use the concept of areas, but ISIS takes a different approach to this concept. ISIS routers use three different types of routing levels, according to the area a router has been placed in. Level 2 routers are connected only to the backbone and serve as a transit device between non-backbone areas. Level 1 routers are totally internal to a non-backbone area.
ISIS uses separate Level-1 and Level-2 Hellos, meaning that a Level 1-only router and a Level 2-only router cannot form an adjacency with each other. Luckily for us, there is a middle ground, and that is the Level 1-2 router. These routers connect non-backbone areas to backbone areas. L1-L2 routers keep two separate routing tables, one for L1 routing and another for L2 routing. This is the default setting for a Cisco router, and L1-L2 routers can form adjacencies with both L1 and L2 routers.
Part of the challenge of learning ISIS is getting used to the differences between ISIS and OSPF. Keep studying the terminology, master one concept at a time, and soon you'll be a master of ISIS and a CCNP to boot!
Cisco CCNP / BSCI Exam Tutorial: Configuring EIGRP Packet
Configuring RIPv2 and EIGRP authentication with key chains can be tricky at first, and the syntax isn't exactly easy to remember. But for BSCI and CCNP exam success, we've got to be able to perform this task.
In a previous tutorial, we saw how to configure RIPv2 packet authentication, with both clear-text and MD5 authentication schemes. EIGRP authentication is much the same, and has the text and MD5 authentication options as well. But EIGRP being EIGRP, the command just has to be a little more detailed!
As with RIPv2, the authentication mode must be agreed upon by the EIGRP neighbors. If one router's interface is configured for MD5 authentication and the remote router's interface is configured for text authentication, the adjacency will fail even if the two interfaces in question are configured to use the same password.
We'll now configure link authentication on the adjacency over an Ethernet segment. Below, you'll see how to configure a key chain called EIGRP on both routers, use key number 1, and use the key-string BSCI. Run show key chain on a router to see all key chains.
R2(config)#key chain EIGRP
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string BSCI
R2#show key chain
Key-chain EIGRP:
key 1 -- text "BSCI"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
R3(config)#key chain EIGRP
R3(config-keychain)#key 1
R3(config-keychain-key)#key-string BSCI
R3#show key chain
Key-chain EIGRP:
key 1 -- text "BSCI"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
The EIGRP command to apply the key chain is a bit of a pain to remember, because the protocol and AS number are identified in the middle of the command, not at the beginning. Also note that two commands are needed - one to name the key chain, another to define the authentication mode in use.
R2(config)#interface ethernet0
R2(config-if)#ip authentication key-chain eigrp 100 EIGRP
R2(config-if)#ip authentication mode eigrp 100 md5
5d07h: %DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 172.12.23.3 (Ethernet0) is down: keychain changed
R3(config)#interface ethernet0
R3(config-if)#ip authentication key-chain eigrp 100 EIGRP
R3(config-if)#ip authentication mode eigrp 100 md5
5d07h: %DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 172.12.23.2 (Ethernet0) is up:
As with RIPv2, the existing adjacency was torn down when one side was configured with authentication. If the key chain is correctly defined and applied on both sides, the adjacency will come back up. Always run show ip eigrp neighbor to make sure the adjacency is present. Learn the details of EIGRP key chains by configuring them on your home lab equipment, and you'll be more than ready for BSCI exam success!
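An added example, not from the tutorial: a Python check that parses show key chain output and the interface authentication lines from both routers and reports the disagreements the text warns about (mode mismatch, key chain not defined, key-string mismatch). The sample output is constructed after the R2 and R3 sessions above, with a deliberate typo and a missing mode line on R3.

```python
# Added example, not from the tutorial: check that two routers' key chains and
# interface authentication settings agree for an EIGRP AS before expecting
# the adjacency to come back up.
import re

# Constructed samples modelled on the tutorial's R2 and R3 sessions; R3 here
# has a typo in its key-string and is missing the authentication mode line.
R2_KEYCHAIN = '''Key-chain EIGRP:
    key 1 -- text "BSCI"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
'''
R2_INTERFACE = '''interface ethernet0
 ip authentication key-chain eigrp 100 EIGRP
 ip authentication mode eigrp 100 md5
'''
R3_KEYCHAIN = R2_KEYCHAIN.replace('"BSCI"', '"bsci"')
R3_INTERFACE = '''interface ethernet0
 ip authentication key-chain eigrp 100 EIGRP
'''

def parse_key_chains(text: str) -> dict:
    """{chain name: {key number: key-string}} from show key chain output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r'\s*Key-chain (\S+):', line)
        if m:
            current = m.group(1)
            chains[current] = {}
            continue
        m = re.match(r'\s*key (\d+) -- text "([^"]*)"', line)
        if m and current is not None:
            chains[current][int(m.group(1))] = m.group(2)
    return chains

def parse_auth(text: str) -> dict:
    """{AS number: {'chain': name, 'mode': mode}} from interface config lines."""
    auth = {}
    for m in re.finditer(r'ip authentication (key-chain|mode) eigrp (\d+) (\S+)', text):
        field = 'chain' if m.group(1) == 'key-chain' else 'mode'
        auth.setdefault(int(m.group(2)), {})[field] = m.group(3)
    return auth

def compare(local: tuple, remote: tuple) -> list:
    """Each side is (key chains, interface auth). Returns mismatch reports."""
    (lc, la), (rc, ra) = local, remote
    problems = []
    for asn in sorted(set(la) | set(ra)):
        a, b = la.get(asn), ra.get(asn)
        if a is None or b is None:
            problems.append(f'AS {asn}: authentication applied on one side only')
            continue
        if a.get('mode') != b.get('mode'):
            problems.append(f'AS {asn}: mode mismatch ({a.get("mode")} vs {b.get("mode")})')
        ka, kb = lc.get(a.get('chain')), rc.get(b.get('chain'))
        if ka is None or kb is None:
            problems.append(f'AS {asn}: key chain named on the interface is not defined')
            continue
        if not any(ka[k] == kb[k] for k in set(ka) & set(kb)):
            problems.append(f'AS {asn}: no key number with a matching key-string')
    return problems

def check_tutorial_routers() -> list:
    """Run the comparison over the constructed R2 and R3 samples."""
    r2 = (parse_key_chains(R2_KEYCHAIN), parse_auth(R2_INTERFACE))
    r3 = (parse_key_chains(R3_KEYCHAIN), parse_auth(R3_INTERFACE))
    return compare(r2, r3)
```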
Cisco CCNP / BCMSN Exam Tutorial: Static VLANs
BCMSN exam success and earning your CCNP certification requires you to add to your knowledge of VLAN configuration. When you studied for your CCNA exam, you learned how to place ports into a VLAN and what the purpose of VLANs was, but you may not be aware that there are two types of VLAN membership. To pass the BCMSN exam, you must know the details of both types.
In this tutorial, we'll take a look at the VLAN type you are most familiar with, the "static VLAN". As you know, VLANs are a great way to create smaller broadcast domains in your network. Host devices connected to a port belonging to one VLAN will receive broadcasts and multicasts only if they were originated by another host in that same VLAN. The drawback is that without the help of a Layer 3 switch or a router, inter-VLAN communication cannot occur.
The actual configuration of a static VLAN is simple enough. In this example, by placing switch ports 0/1 and 0/2 into VLAN 12, the only broadcasts and multicasts that hosts connected to those ports will receive are those transmitted by other ports in VLAN 12.
SW1(config)#int fast 0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 12
% Access VLAN does not exist. Creating vlan 12
SW1(config-if)#int fast 0/2
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 12
One of the many things I love about Cisco switches and routers is that if you have forgotten to do something, the Cisco device is generally going to remind you or in this case actually do it for you. I placed port 0/1 into a VLAN that did not yet exist, so the switch created it for me!
There are two commands needed to place a port into a VLAN. By default, these ports are running in dynamic desirable trunking mode, meaning that the port is actively attempting to form a trunk with a remote switch in order to send traffic between the two switches. The problem is that a trunk port belongs to all VLANs by default, and we want to put this port into a single VLAN only. To do so, we run the switchport mode access command to make the port an access port, and access ports belong to one and only one VLAN. After doing that, we placed the port into VLAN 12 with the switchport access vlan 12 command. Running the switchport mode access command effectively turns trunking off on that port.
The hosts are unaware of VLANs; they simply assume the VLAN membership of the port they're connected to. But that's not quite the case with dynamic VLANs, which we'll examine in the next part of this BCMSN tutorial.
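An added example, not from the tutorial: a Python audit over a constructed running-config excerpt that flags ports given an access VLAN while still in the default dynamic desirable mode, since such a port can still negotiate a trunk and a trunk belongs to every VLAN. VLAN 1 as the default access VLAN is an assumption of the script.

```python
# Added example, not from the tutorial: audit a running-config excerpt for
# ports given an access VLAN but never switched out of the default
# dynamic desirable mode, which the text says still negotiates trunking.
import re

# Constructed excerpt modelled on the tutorial's SW1 session; 0/2 is
# missing its switchport mode access line on purpose.
SAMPLE_CONFIG = '''interface FastEthernet0/1
 switchport mode access
 switchport access vlan 12
!
interface FastEthernet0/2
 switchport access vlan 12
!
interface FastEthernet0/3
 switchport mode trunk
!
'''

DEFAULT_MODE = 'dynamic desirable'   # default the tutorial states for these ports
DEFAULT_VLAN = 1                      # assumed default access VLAN

def parse_interfaces(config: str) -> dict:
    """{interface: {'mode': str, 'vlan': int}} with defaults filled in."""
    ifaces, name = {}, None
    for line in config.splitlines():
        m = re.match(r'interface (\S+)', line)
        if m:
            name = m.group(1)
            ifaces[name] = {'mode': DEFAULT_MODE, 'vlan': DEFAULT_VLAN}
            continue
        if name is None:
            continue
        m = re.match(r'\s*switchport mode (.+)', line)
        if m:
            ifaces[name]['mode'] = m.group(1).strip()
            continue
        m = re.match(r'\s*switchport access vlan (\d+)', line)
        if m:
            ifaces[name]['vlan'] = int(m.group(1))
    return ifaces

def still_negotiating(ifaces: dict) -> list:
    """Interfaces left in the default mode: an access VLAN set there does
    not stop the port from becoming a trunk that carries every VLAN."""
    return sorted(n for n, i in ifaces.items() if i['mode'] == DEFAULT_MODE)

def members_of(ifaces: dict, vlan: int) -> list:
    """Access ports that are firmly in the given VLAN."""
    return sorted(n for n, i in ifaces.items()
                  if i['mode'] == 'access' and i['vlan'] == vlan)
```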
Cisco CCNP / BCMSN Exam Tutorial: Changing The Active Router In HSRP
To pass the BCMSN exam and earn your CCNP certification, you've got to know HSRP inside and out. While the operation and basic commands of HSRP are pretty simple, there are some important details that are easily overlooked but are vital in getting HSRP to work the way you want it to. Let's take a look at using the priority command correctly on both the exam and in production networks.
A key value in the show standby command is the priority. The default is 100, and the router with the highest priority will be the primary HSRP router. We'll raise the default priority on R2 and see the results. R3 is currently the Active router and R2 the standby, so let's raise the priority on R2 and see what happens.
R2(config)#interface ethernet0
R2(config-if)#standby 5 priority 150
R2#show standby
Ethernet0 - Group 5
Local state is Standby, priority 150
Hellotime 4 sec, holdtime 12 sec
Next hello sent in 0.896
Virtual IP address is 172.12.23.10 configured
Active router is 172.12.23.3, priority 100 expires in 8.072
Standby router is local
1 state changes, last state change 00:14:24
R2 now has a higher priority, but R3 is still the active router. R2 will not take over as the HSRP primary until R3 goes down - OR the preempt option is configured on R2.
R2(config-if)#standby 5 priority 150 preempt
1d11h: %STANDBY-6-STATECHANGE: Ethernet0 Group 5 state Standby -> Active
R2#show standby
Ethernet0 - Group 5
Local state is Active, priority 150, may preempt
Hellotime 4 sec, holdtime 12 sec
Next hello sent in 1.844
Virtual IP address is 172.12.23.10 configured
Active router is local
Standby router is 172.12.23.3 expires in 10.204
Virtual mac address is 0000.0c07.ac05
2 state changes, last state change 00:00:13
In just a few seconds, a message appears that the local state has changed from standby to active. Show standby confirms that R2, the local router, is now the active router - the primary. R3 is now the standby. So if anyone tells you that you have to take a router down to change the Active router, they're wrong - you just have to use the preempt option on the standby priority command.
Another vital part of HSRP configurations is knowing how to change the MAC address of the virtual router, as well as interface tracking. We'll look at those features in the next part of my HSRP tutorial!
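An added example, not from the tutorial: a small Python model of Active-router selection that replays the steps above (priority raised, then preempt added, then the Active router failing). The highest-IP tie-break and the strict-priority preempt rule are assumptions of the model, not statements from the text.

```python
# Added example, not from the tutorial: a minimal model of HSRP Active
# selection that reproduces the priority/preempt behaviour shown above.
from dataclasses import dataclass

@dataclass
class Router:
    name: str
    ip: str
    priority: int = 100
    preempt: bool = False
    up: bool = True

def _ip_key(ip: str) -> tuple:
    return tuple(int(o) for o in ip.split('.'))

def _best(routers: list) -> Router:
    # Highest priority wins; the highest interface IP breaks ties
    # (standard HSRP behaviour, assumed here, not stated in the tutorial).
    return max(routers, key=lambda r: (r.priority, _ip_key(r.ip)))

def elect_active(routers: list, current_active: str) -> str:
    """Name of the Active router after the routers' state is re-evaluated.
    Model assumption: a preempting router only takes over when its
    priority is strictly higher than the current Active's."""
    alive = [r for r in routers if r.up]
    active = next((r for r in alive if r.name == current_active), None)
    if active is None:                      # Active is gone: re-elect
        return _best(alive).name if alive else ''
    challengers = [r for r in alive
                   if r.preempt and r.priority > active.priority]
    return _best(challengers).name if challengers else active.name

def tutorial_sequence() -> list:
    """Replay the steps from the text; return the Active router after each."""
    r2 = Router('R2', '172.12.23.2')
    r3 = Router('R3', '172.12.23.3')
    routers, history = [r2, r3], []
    active = elect_active(routers, '')        # initial election: R3 (higher IP)
    history.append(active)
    r2.priority = 150                         # standby 5 priority 150
    active = elect_active(routers, active)
    history.append(active)                    # still R3: no preempt
    r2.preempt = True                         # standby 5 priority 150 preempt
    active = elect_active(routers, active)
    history.append(active)                    # R2 takes over
    r2.up = False                             # R2 fails: R3 becomes Active again
    active = elect_active(routers, active)
    history.append(active)
    return history
```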