Wednesday, May 29, 2013

GNS As Network Interview Tool - Test 1 (Layer-2)

Recently I was interviewing lots of people for a Level-2 Engineer profile. The requirement was for the NOC of one of my Enterprise clients. The client simply asked me to ensure only quality Engineers get through this. So I decided to change my regular interview pattern this time. I designed a series of hands-on tests for this purpose. So here is Test-1. Though I wrote this for Level-2 Engineers to ensure even a rusty CCNP Engineer can qualify, I expect even a good CCNA Engineer to pass this easily.




Guidelines

- All VLANs are preconfigured.
- All passwords are preconfigured.
- Verify the VLAN database using the "sh vlan-switch brief" command.
- Don't configure any local user account.
- Don't change default console settings.
- Use dummy username "abc" for SSH testing.
- There are some configuration faults which you may need to find and fix.
- Don't reload the device without checking with the Interviewer.
- The given time for the test is 35 Mins.

Tasks

1. Configure all inter-switch links as 802.1Q Trunks.
2. Make sure SW-1 is Root Bridge for VLAN 10, SW-2 is Root Bridge for VLAN 20, and SW-3 is Root Bridge for VLAN 30.
3. Configure the inter-switch links between R1 & R2 and R1 & R3 so that none of the links is in spanning tree blocking state.
4. Make sure all switches are able to telnet to each other. Use password "cisco" whenever required. Management IPs are as follows:
   SW-1 > 1.1.1.1/24
   SW-2 > 1.1.1.2/24
   SW-3 > 1.1.1.3/24
5. Configure SW-1 so that it allows SSH connections for management in the INBOUND direction. Make sure that when you SSH from SW-2/SW-3, you are able to get the SSH login prompt.
6. Enable SNMP environmental monitor traps on SW-2 to ensure traps are generated for High Temperature & Fan failures, for example. The traps should be sent to the NMS address "1.1.1.250". Use community value "cisco" if required.
7. Create a SPAN (AKA Port Mirroring) session with source interface Fa1/5 on SW3. The SPAN destination is Fa1/6.

GNS Initials & Topology - http://www.4shared.com/rar/Zhou26u3/L2_Section.html

HTH...
Deepak Arora
Evil CCIE

Tuesday, May 28, 2013

Old Is Gold?


Last weekend I got a call from my Boss; he asked if I could perform an activity for one of my colleague's customer accounts since he wasn't well. During the activity I was supposed to create Site-To-Site AKA LAN-To-LAN IPSEC tunnels from a customer NOC towards the customer Data Center & customer DR site. Now that's fine, I mean I know how to set up such tunnels from Routers or an ASA firewall, but to my surprise the customer was running a Checkpoint R-75 based UTM on the NOC side while they had Cisco's old 3000 Series VPN concentrators on the DR/DC sites. Now it had been almost 6-7 years since I had worked on Checkpoint and I had never worked on VPN Concentrators. But 6-7 years back I worked on a Nortel Contivity box which was much like Cisco's VPN concentrator.

So it was like Dahhh!!!!






So the day before the activity I went back home and started thinking about how I could complete that activity. I had a couple of options to begin with, actually.

1. Call any of my friends good with Checkpoint or working specifically in the Security domain for quite a while, and of course there was a long list of SOC Engineers :)

2. Why not spend some time studying the stuff and do it myself.

And of course I chose the second option :)

I remember I had CBT Nuggets somewhere covering Cisco's old CCSP CSVPN exam. Later Cisco stopped making VPN concentrator boxes and the exam died. So I spent nearly 2 Hrs going through the CSVPN Videos from CBT Nuggets and also spent almost 2 hrs more reading through my old Checkpoint books. Did I tell you back in 2007 I passed the Checkpoint CCSE NG exam, which was an expert-level certification from Checkpoint? Though the R-55 I worked on was significantly different from today's R-75. But since Checkpoint is a GUI based firewall, it doesn't take much to figure out the stuff.

Anyway, I reached the customer site on the weekend after a 2 hr drive, and all it took was approx. 20 mins to set up the tunnels and make the other network changes to complete the activity successfully.

So it was worth keeping that old stuff on my HDD somewhere, and it saved my tail :) years later.

HTH...
Deepak Arora
Evil CCIE

Sunday, May 19, 2013

Converting IP VRF To VRF Definition Using IOS



Earlier
=====


R1#sh run | s vrf
ip vrf ABC
 rd 1:1
 route-target export 1:1
 route-target import 1:1
####################

R1(config)#vrf upgrade-cli multi-af-mode ?
  common-policies      IPv4 VRF policies are moved to common VRF policies
  non-common-policies  IPv4 VRF policies are not moved to common VRF
                       policies,but kept as ipv4 only VRF policies.


R1(config)#vrf upgrade-cli multi-af-mode common-policies
You are about to upgrade to the multi-AF VRF syntax commands.
You will lose any IPv6 address configured on interfaces
belonging to upgraded VRFs.

Are you sure ? [yes]: yes
Number of VRFs upgraded: 1


Later
====
R1#sh run | s vrf
vrf definition ABC
 rd 1:1
 route-target export 1:1
 route-target import 1:1
 !
 address-family ipv4
 exit-address-family

The prime reason you would want to do this is probably IPv6 introduction for PE-CE (6PE or 6VPE), since the traditional "ip vrf" syntax doesn't natively support IPv6.
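As an added example (not part of the post's own output) of what the multi-AF syntax buys you: the same VRF after the upgrade, extended with an IPv6 address family and bound to a PE-CE interface carrying both address families. The interface name and the addresses are assumptions.

```ios
! Added example, not the post's own output: VRF ABC after "vrf upgrade-cli",
! extended with an IPv6 address family for 6VPE. With "common-policies" the
! route-targets sit at VRF level and apply to both address families.
vrf definition ABC
 rd 1:1
 route-target export 1:1
 route-target import 1:1
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
! PE-CE interface (name and addresses are assumptions). Order matters:
! "vrf forwarding" removes any addresses already on the interface, and the
! upgrade itself (per the warning above) drops IPv6 addresses in upgraded
! VRFs, so (re)apply addresses only after the VRF binding is in place.
interface GigabitEthernet0/1
 vrf forwarding ABC
 ip address 192.0.2.1 255.255.255.0
 ipv6 address 2001:db8:abc::1/64
!
! Quick checks:
!   show vrf detail ABC        -> shows both the ipv4 and ipv6 address families
!   show ipv6 route vrf ABC    -> connected 2001:db8:abc::/64 inside the VRF
```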


HTH...
Deepak Arora
Evil CCIE



Excellent Robotics Dance - 20:40 onwards



Thursday, May 16, 2013

CCDE Resource List


Today I spent quite a bit of time understanding what CCDE is all about and what the general recommendations by people (CCDEs) are to achieve it.

Though CCDE was always on my chart, I have yet to decide if I should focus on CCIE DC first vs CCDE. Also I don't have too much experience yet designing large scale networks for enterprise & SP per se. Also I was keeping CCDE as a long term goal earlier. But on the flip side I have a good understanding of MPLS now, which is one of the key technologies they test you on in the CCDE Lab, though of course from a Design solution perspective. Also there is hardly any self-paced material to prepare for CCDE.

While I am trying to reach Brian McGahan (INE) and Scott Morris (Evil Genius) through mail to see what they have to say, here is a quick list I compiled which one would probably want to go through when considering CCDE.


https://cisco.webex.com/ciscosales/lsr.php?AT=pb&SP=TC&rID=66832857&rKey=147cc405fa9ccb66&act=pb
http://www.jeremyfilliben.com/2013/09/ccde-study-resources-update.html


https://learningnetwork.cisco.com/thread/52697

https://learningnetwork.cisco.com/docs/DOC-16003

http://rangello.wordpress.com/2012/06/26/ccde-written-exam-prep/

http://rangello.wordpress.com/2012/06/26/ccde-practical-exam-prep/

http://blog.ine.com/2011/03/21/ines-ccde-bootcamp-demo/

http://blog.ine.com/2013/02/26/ccde-practical-2-0-review/

https://learningnetwork.cisco.com/docs/DOC-2438

http://blog.ine.com/2008/06/27/ccde-practical-exam-demoed/

http://blog.ine.com/2008/10/01/ccde-beta-practical-exam-reviewed-part-1/

http://blog.ine.com/2008/10/01/the-general-feeling-of-the-ccde-practical/

http://blog.ine.com/2008/10/02/ccde-practical-perspectives/

http://blog.ine.com/2009/01/02/ccde-certification/

http://blog.ine.com/2010/12/28/announcing-ine-ccde-practical-bootcamp/

http://ieoc.com/forums/t/23682.aspx

http://www.jeremyfilliben.com/2009/08/ccde-written-and-practical-study-plan.html

http://blog.ine.com/2010/09/26/ccde-practical-exam-recommended-reading/

http://blog.ine.com/2010/05/24/ccde-written/

http://www.jeremyfilliben.com/p/ccde-practical-bootcamp.html?utm_source=linkedin&utm_medium=banner&utm_campaign=July2013Live

https://learningnetwork.cisco.com/docs/DOC-2462

https://learningnetwork.cisco.com/docs/DOC-6863

https://learningnetwork.cisco.com/docs/DOC-2461

https://learningnetwork.cisco.com/docs/DOC-13059

https://learningnetwork.cisco.com/docs/DOC-1673

https://learningnetwork.cisco.com/community/certifications/ccde

https://learningnetwork.cisco.com/community/certifications/ccde/practical_exam?tab=4

http://www.facebook.com/photo.php?v=10151408920022227&set=vb.101920147226&type=2&theater

http://packetpushers.net/why-ccde/

http://packetpushers.net/step-1-understand-the-domains-availability/

http://packetpushers.net/prepping-for-the-ccde-the-sclability-and-flexibility-domains/

http://www.himawan.nu/2013/07/how-to-prepare-for-ccde-practical-exam.html

http://www.himawan.nu/2013/05/how-to-become-ccde.html




HTH...
Deepak Arora
Evil CCIE

Tuesday, May 14, 2013

ISIS Route-Leaking On IOS - Tricky Part


Task - Leak The L-2 Routes into ISIS Level-1 Domain with minimal commands.

Initial Configuration
=============


R1
===

!
en
!
conf t
!
no ip do lo
!
line con 0
 no exec-time
 logging syn
 exit
!
ho R1
!
int lo1
 ip add 1.1.1.1 255.255.255.255
 exit
!
int p1/0
 ip add 12.0.0.1 255.255.255.0
 no sh
 exit
!
int p2/0
 ip add 13.0.0.1 255.255.255.0
 no sh
 exit
!
ipv6 unicast-routing
!
router isis
 net 49.0111.0000.0000.1111.00
 metric-style wide
 add ipv6
 multi
 exit
exit
!
int lo1
 ip router isis
 isis circuit-type level-2
 exit
!
int p1/0
 ip router isis
 isis circuit-type level-2
 exit
!
int p2/0
 ip router isis
 isis circuit-type level-2
 exit
!
end
!
wr
!
=============================

R2
===

!
en
!
conf t
!
no ip do lo
!
line con 0
 no exec-time
 logging syn
 exit
!
ho R2
!
int lo2
 ip add 2.2.2.2 255.255.255.255
 exit
!
int p1/0
 ip add 12.0.0.2 255.255.255.0
 no sh
 exit
!
int p2/0
 ip add 24.0.0.2 255.255.255.0
 no sh
 exit
!
ipv6 unicast-routing
!
router isis
 net 49.0122.0000.0000.2222.00
 metric-style wide
 add ipv6
 multi
 exit
exit
!
int lo2
 ip router isis
 isis circuit-type level-2
 exit
!
int p1/0
 ip router isis
 isis circuit-type level-2
 exit
!
int p2/0
 ip router isis
 isis circuit-type level-2
 exit
!
end
!
wr
!

=============================

R3
===

!
en
!
conf t
!
no ip do lo
!
line con 0
 no exec-time
 logging syn
 exit
!
ho R3
!
int lo3
 ip add 3.3.3.3 255.255.255.255
 exit
!
int p1/0
 ip add 34.0.0.3 255.255.255.0
 no sh
 exit
!
int p2/0
 ip add 13.0.0.3 255.255.255.0
 no sh
 exit
!
int p3/0
 ip add 35.0.0.3 255.255.255.0
 no sh
 exit
!
ipv6 unicast-routing
!
router isis
 net 49.0133.0000.0000.3333.00
 metric-style wide
 add ipv6
 multi
 exit
exit
!
int lo3
 ip router isis
 isis circuit-type level-2
 exit
!
int p1/0
 ip router isis
 isis circuit-type level-2
 exit
!
int p2/0
 ip router isis
 isis circuit-type level-2
 exit
!
int p3/0
 ip router isis
 isis circuit-type level-1
 exit
!
end
!
wr
!

=============================

R4
===

!
en
!
conf t
!
no ip do lo
!
line con 0
 no exec-time
 logging syn
 exit
!
ho R4
!
int lo4
 ip add 4.4.4.4 255.255.255.255
 exit
!
int p1/0
 ip add 34.0.0.4 255.255.255.0
 no sh
 exit
!
int p2/0
 ip add 24.0.0.4 255.255.255.0
 no sh
 exit
!
ipv6 unicast-routing
!
router isis
 net 49.0144.0000.0000.4444.00
 metric-style wide
 add ipv6
 multi
 exit
exit
!
int lo4
 ip router isis
 isis circuit-type level-2
 exit
!
int p1/0
 ip router isis
 isis circuit-type level-2
 exit
!
int p2/0
 ip router isis
 isis circuit-type level-2
 exit
!
end
!
wr
!


=============================

R5
===

!
en
!
conf t
!
no ip do lo
!
line con 0
 no exec-time
 logging syn
 exit
!
ho R5
!
int lo5
 ip add 5.5.5.5 255.255.255.255
 exit
!
int p3/0
 ip add 35.0.0.5 255.255.255.0
 no sh
 exit
!
ipv6 unicast-routing
!
router isis
 net 49.0133.0000.0000.5555.00
 metric-style wide
 add ipv6
 multi
 exit
exit
!
int lo5
 ip router isis
 isis circuit-type level-1
 exit
!
int p3/0
 ip router isis
 isis circuit-type level-1
 exit
!
end
!
wr
!


Simple Trick
=========


Earlier on R5
=========





On R3
=====

Redistribute level-2 into level-1 with a dummy access list that doesn't exist.
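One way to express that on R3, as an added example rather than the post's own (not shown) config. The ACL number 100 is an assumption; for the trick to work it must not be defined anywhere in R3's configuration.

```ios
! Added example, not the post's own config: the "dummy ACL" leak on R3.
! ACL 100 is an assumption and must NOT exist in the running config.
router isis
 redistribute isis ip level-2 into level-1 distribute-list 100
!
! IOS requires a distribute-list or route-map on this command. Because
! access-list 100 is undefined, the filter behaves as "permit any", so every
! L2 IPv4 prefix R3 knows is leaked into its L1 LSP (with the Up/Down bit set,
! which stops it from being re-advertised back into L2 by another L1/L2 router).
!
! Verification on R5 (IPv4 only; the IPv6 topology is not covered here):
!   R5#show ip route isis
!   leaked prefixes such as 1.1.1.1/32, 2.2.2.2/32 and 4.4.4.4/32 appear as
!   "i ia" (inter-area) entries via 35.0.0.3, next to the L1 default route that
!   R5 already installs from R3's ATT bit.
!
! Caveat: if someone later creates access-list 100 for an unrelated purpose,
! it silently starts filtering this leak. The explicit, self-documenting form:
!   access-list 101 permit ip any any
!   router isis
!    redistribute isis ip level-2 into level-1 distribute-list 101
```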




Later on R5
========




HTH...
Deepak Arora
Evil CCIE