Channel: IEOC - INE's Online Community

OSPF path selection process


Quoted from the CCIE R&S v4 study guide:

"OSPF has specific rules for selecting a path that crosses areas.....

- Take the shortest path to area 0

- Take the shortest path across area 0 without traversing a nonzero area

- Take the shortest path to the destination without traversing area 0"

 

Would this imply that if I have 2 ABRs with interfaces in area 0 and 1, downstream routers in area 1 will choose the shortest path over the least cost path in order to reach area 0?

 

I tested this theory, and the downstream router chose the least cost path over the shortest path.


Why MSS value is 536?


Hi Experts,

On R1 I have the below configuration:

R1#sh run | i tcp
ip tcp mss 1460

I have set the MSS value to 1460.

Still, the TCP connections originating from R1 to a remote router R3 are negotiated at an MSS value of 536 in the TCP SYN sent from R1. Why is it so?

 

Diagram Feedback Needed


Can you guys give me some feedback on this new diagram format?  I'm trying to get a mix between complete information while at the same time not making the diagram too busy and unreadable. The diagram is optimized for 1080p.  Click it to open in fullscreen:

http://i.imgur.com/BuFzRvL.png

 

Best practice configuration for ASA failover?


Hi all,

 

Looking for a best practice configuration for ASA failover.

 

From what I have read you can have separate interfaces for failover and state or you can use the same interface for both.

 

=== SEPARATE INTERFACES FOR FAILOVER AND STATE ===

failover lan unit primary
failover lan interface FAILOVER GigabitEthernet2
failover link STATE GigabitEthernet3
failover interface ip FAILOVER 192.168.0.1 255.255.255.252 standby 192.168.0.2
failover interface ip STATE 192.168.1.1 255.255.255.252 standby 192.168.1.2

=== SAME INTERFACE FOR FAILOVER AND STATE ===

failover lan unit primary
failover lan interface FAILOVER_STATE GigabitEthernet2
failover link FAILOVER_STATE GigabitEthernet2
failover interface ip FAILOVER_STATE 192.168.0.1 255.255.255.252 standby 192.168.0.2

 

Does anyone see any pros/cons? Apart from the obvious need for an extra interface.

 

Thanks

Custom inspection policy on ASA?


Hi all,

 

Is it possible to exclude certain flows from the global inspection policy on ASA?

 

We are using the global_policy, which is fine for 99% of flows, but would like to selectively disable FTP inspection for certain flows based on interface or source/dest IP (ACL). We don't really want to disable FTP inspection globally.

 

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp

Can this be done?

 

Thanks

OSPF Path Selection with same LSA Type but different Area Number


After watching the mpls sham link video from Brian, it made me wonder something.  He had a problem where the same route was learnt from two different neighbors, who were both advertising the route as the same type of LSA (Type 3), however one neighbor was in area0 and the other was in area78.  So even though the metric was lower via area 78, the path that was preferred was via area0.  This got me thinking.  If we had this same scenario again but the neighbors were in area 77 and 78 (i.e. not area 0), would the lower area number take preference (i.e. the path via area 77 regardless of metric) or could we use metric to influence the decision?  

Just trying to work out if this path selection is only applicable when using area0.

 

Thanks,
Stephen 

Allowing ICMP on the lab exam?


Just wondering: if the lab does not specifically say to permit ICMP to a specific subnet, is there any issue with just doing the following?

access-list OUT_IN extended permit icmp any any
fixup icmp

When will the full scale labs be available?


As subject really.

At the moment I am about 4.5 months out from my lab. While I'm fairly happy with my knowledge so far (I am aware of my knowledge gaps... Multicast I'm looking at you) - I'm keen to get onto the full scale labs so I can see it all in action.

Thanks

G

 


Passed CCIE R&S


Hi,

 

I just passed the CCIE R&S on my first attempt!

And only 1 day before v5 comes along!

 

I just want to share the experience of my journey with everyone.

 

It all started about a year and a half ago, when I decided I wanted to become a CCIE. I knew it was going to be a long and hard journey but I was determined to do it. 

 

I started by getting an all access pass and watching the videos, also read more books than I can remember, after about 6 months I passed the written exam.

 

After that I continued with the ATC videos and working on the Volume 1 and Volume 2 labs. I have to admit that after doing my first Volume 2 lab it went so bad I had the feeling that I had no idea what I was doing and I was never going to pass this exam.

But I'm lucky I had the support from my family and friends, and work colleagues that always kept me going when I was feeling down.

 

The rack rentals that INE has are a really good investment. I have tried a home lab, but just the amount of hours you waste setting things up and changing things around are better spent practicing. With work and family you really need to make the most of every minute you can dedicate to studying.

 

After working for a couple of months on the labs I attended the 10 day bootcamp in London last January. I can definitely say that I wouldn't have passed without this.

 

Dave Smith is an amazing teacher. The way he explains everything and walks you into all sorts of problems, helps you really understand how things work.

 

Also, meeting other people that are in your same situation helps a lot. I kept contact with a few of the other students and we formed a study group. I gained knowledge and friends from the bootcamp, so it was definitely worth it.

 

After this I kept practicing and took a few weeks off work in the final stages, where I kept doing labs every day.

 

So that’s it, I'm looking forward to getting my personal life back now :)

 

Thanks to everyone that helped me out and just remember to keep working hard and the results will come.

 

 

Luis Da Silva CCIE #44011

FCSP on 7K Storage VDC


I can't seem to get FCSP authentication to work between my 7K and 5K. Authentication works great between the 5K and MDS switches, but the 7K fails every time. I've compared configs and even torn down/built from scratch the config for the pairing, but still no joy. Just wondering, first, whether there's some trick to getting this to work, or if there's a verification command that can tell me where it's failing. Second, if I have a typo, I'd love for someone to point it out to me :D

7K:

feature fcsp
fcsp dhchap hash SHA1
fcsp dhchap dhgroup 4
fcsp dhchap password 7 qabzk7000
fcsp dhchap devicename 20:00:54:7f:ee:f9:22:80 password 7 qabzk5000
interface vfc1112
 fcsp on

N7K-FCOE# sh wwn switch
Switch WWN is 20:00:e4:c7:22:08:c4:80

5K:

feature fcsp
fcsp dhchap hash SHA1
fcsp dhchap dhgroup 4
fcsp dhchap password 7 qabzk5000
fcsp dhchap devicename 20:00:e4:c7:22:08:c4:80 password 7 qabzk7000
interface vfc1112
 fcsp on

N5K-1# sh wwn switch
Switch WWN is 20:00:54:7f:ee:f9:22:80
(on both):
interface vfc1112
 shut
 no shut
N7K-FCOE# sh fcsp interface vfc1112
vfc1112:
        fcsp authentication mode:SEC_MODE_ON
        Status:FC-SP authentication failed
N5K-1# sh fcsp interface vfc1112
vfc1112:
        fcsp authentication mode:SEC_MODE_ON
        Status:FC-SP authentication failed

Building INE's SP Topology


Is there any documentation out there or information on building INE's Service Provider topology for learning?  I'd like to start studying for the SP track; but, would hate to start spending a bunch of money on gear if there's a way to do it virtually (even if it's only partially).

 

Thanks in advance!

Ethan M.
CCIE #44000

issue with: Inter AS MPLS L3VPN Option C - ASBRs Peering BGP+Label


Hi,

After watching the video I built the lab myself according to the same diagram used in the video, with the exact same setup. I tried to follow the movie as much as possible to learn the technology. I started with the configuration where the traffic still flows over the route reflector, so the eBGP peers are still changing the next-hop value. That is where my issue is. The control plane is correct: I received all routes in all VRFs. The data plane for VRF B and C is also correct because I can reach the loopback addresses within the VRF. However, the data plane of VRF A is not working. I cannot reach the loopback address. I have researched the issue and found out where the problem is and how I can resolve it. However, I failed to figure out exactly why the behavior is like this, so maybe you can help me out here.

I have enabled debug mpls packet on all IOS routers and found out that the path from R10 to R8 is okay; the ICMP packets arrived at R8.

R10#ping 8.8.8.8 source lo 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.10
.....
Success rate is 0 percent (0/5)

R8#
*May 15 08:38:12.787: ICMP: echo reply sent, src 8.8.8.8, dst 10.10.10.10, topology BASE, dscp 0 topoid 0
R8#
*May 15 08:38:14.787: ICMP: echo reply sent, src 8.8.8.8, dst 10.10.10.10, topology BASE, dscp 0 topoid 0
R8#
*May 15 08:38:16.789: ICMP: echo reply sent, src 8.8.8.8, dst 10.10.10.10, topology BASE, dscp 0 topoid 0
R8#
*May 15 08:38:18.794: ICMP: echo reply sent, src 8.8.8.8, dst 10.10.10.10, topology BASE, dscp 0 topoid 0
R8#
*May 15 08:38:20.793: ICMP: echo reply sent, src 8.8.8.8, dst 10.10.10.10, topology BASE, dscp 0 topoid 0
R8#

 

In the debug mpls packet output on R6 I can see the traffic returning from R8; XR2 did not send a transport label.

R6#
*May 15 08:40:33.025: MPLS les: Et0/0.196: rx: Len 1514 Stack {16 0 251} {16001 0 254} - ipv4 data s:10.10.10.10 d:8.8.8.8 ttl:254 tos:0 prot:1
*May 15 08:40:33.025: MPLS les: Et0/0.206: tx: Len 1510 Stack {16001 0 250} - ipv4 data s:10.10.10.10 d:8.8.8.8 ttl:254 tos:0 prot:1
*May 15 08:40:33.027: MPLS les: Et0/0.206: rx: Len 1514 Stack {25 0 254} - ipv4 data s:8.8.8.8 d:10.10.10.10 ttl:254 tos:0 prot:1
R6#
*May 15 08:40:35.027: MPLS les: Et0/0.196: rx: Len 1514 Stack {16 0 251} {16001 0 254} - ipv4 data s:10.10.10.10 d:8.8.8.8 ttl:254 tos:0 prot:1
*May 15 08:40:35.027: MPLS les: Et0/0.206: tx: Len 1510 Stack {16001 0 250} - ipv4 data s:10.10.10.10 d:8.8.8.8 ttl:254 tos:0 prot:1
*May 15 08:40:35.029: MPLS les: Et0/0.206: rx: Len 1514 Stack {25 0 254} - ipv4 data s:8.8.8.8 d:10.10.10.10 ttl:254 tos:0 prot:1

 

When I look into the vpnv4 table on XR2 I can see it is using a VPN label 25 with a next-hop of 2.2.2.2

RP/0/0/CPU0:XR2#sh bgp vpnv4 unicast vrf A 10.10.10.10
BGP routing table entry for 10.10.10.10/32, Route Distinguisher: 100:1
Versions:
  Process           bRIB/RIB  SendTblVer
  Speaker                337         337
    Local Label: 16009
Last Modified: May 14 07:23:21.885 for 00:03:37
Paths: (1 available, best #1)
  Advertised to peers (in unique update groups):
    5.5.5.5
  Path #1: Received by speaker 0
  Advertised to peers (in unique update groups):
    5.5.5.5
  1
    2.2.2.2 (metric 1) from 2.2.2.2 (2.2.2.2)
      Received Label 25
      Origin incomplete, localpref 100, valid, external, best, group-best, import-candidate, imported
      Received Path ID 0, Local Path ID 1, version 337
      Extended community: OSPF domain-id:0x5:0x000000020200 OSPF route-type:0:2:0x0 OSPF router-id:10.10.104.4 RT:100:1
      Source VRF: A, Source Route Distinguisher: 100:1
RP/0/0/CPU0:XR2#

 

When I look into the forwarding table I notice that destination 2.2.2.2 has Pop as the outgoing label to 6.6.6.6, so it indeed does not send a transport label. What I cannot figure out is why this is.

RP/0/0/CPU0:XR2#sh mpls forwarding
Wed May 14 07:29:50.367 UTC
Local  Outgoing    Prefix             Outgoing     Next Hop        Bytes
Label  Label       or ID              Interface                    Switched
------ ----------- ------------------ ------------ --------------- ------------
16000  Aggregate   A: Per-VRF Aggr[V] A                            0
16001  Unlabelled  8.8.8.8/32[V]      Gi0/0/0/0.208 10.10.208.8     81840
16002  Pop         6.6.6.6/32         Gi0/0/0/0.206 10.10.206.6     6830
16003  Pop         10.10.56.0/24      Gi0/0/0/0.206 10.10.206.6     0
16004  Pop         10.10.196.0/24     Gi0/0/0/0.206 10.10.206.6     0
16005  18          5.5.5.5/32         Gi0/0/0/0.206 10.10.206.6     7370
16006  17          19.19.19.19/32     Gi0/0/0/0.206 10.10.206.6     0
16007  Pop         2.2.2.2/32         Gi0/0/0/0.206 10.10.206.6     3215
16008  20          4.4.4.4/32         Gi0/0/0/0.206 10.10.206.6     4860
16009  25          10.10.10.10/32[V]               2.2.2.2         1040
16010  26          10.10.104.0/24[V]               2.2.2.2         0
16011  21          100:2:10.10.115.0/24   \
                                                   5.5.5.5         0
16012  22          100:2:11.11.11.11/32   \
                                                   5.5.5.5         0
16013  23          100:3:10.10.125.0/24   \
                                                   5.5.5.5         0
16014  24          100:3:12.12.12.12/32   \
                                                   5.5.5.5         0

When I look into R6's MPLS forwarding table, it does not say it is local but has a local label of 19 (so why does XR2 not have label 19 in its forwarding table?).

R6#sh mpls forwarding-table
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
16         Pop Label  20.20.20.20/32   96772         Et0/0.206  10.10.206.20
17         Pop Label  19.19.19.19/32   0             Et0/0.196  10.10.196.19
18         Pop Label  5.5.5.5/32       9229          Et0/0.56   10.10.56.5
19         16000      2.2.2.2/32       36336         Et0/0.196  10.10.196.19
20         16001      4.4.4.4/32       68130         Et0/0.196  10.10.196.19

 

I have cleared all processes and even reloaded all routers, but this did not help.

After that I decided to configure the next-hop unchanged command on the route reflectors, and somehow this fixed the issue for VRF A. To make it work for the other VRFs I needed to redistribute the other PE loopbacks into the core IGP so they would also receive labels. This change also changed the MPLS forwarding table on XR2 in such a way that it had a label for R2. I cannot relate the next-hop unchanged feature to changing the LDP behavior; it only ensures it does not change the next hop to its own address. Below is the BGP configuration of XR2:

RP/0/0/CPU0:XR2#sh runn router bgp
Wed May 14 07:36:07.721 UTC
router bgp 2
address-family ipv4 unicast
!
address-family vpnv4 unicast
!
neighbor 2.2.2.2
  remote-as 1
  ebgp-multihop 255
  update-source Loopback1
  address-family vpnv4 unicast
   route-policy PASS in
   route-policy PASS out
  !
!
neighbor 5.5.5.5
  remote-as 2
  update-source Loopback1
  address-family vpnv4 unicast
   route-policy PASS in
   route-reflector-client
   route-policy PASS out
  !
!
vrf A
  rd 100:1
  address-family ipv4 unicast
   redistribute ospf main
  !
!
!

When I look at the XR2 MPLS forwarding table, it is different than the MPLS LDP forwarding table. I cannot identify where the pop label comes from in the MPLS forwarding table. The MPLS LDP forwarding table and binding table show the correct label. The router, however, installs a pop label into the MPLS forwarding table.

RP/0/0/CPU0:XR2#sh mpls ldp forwarding
Wed May 14 12:58:52.225 UTC

Codes:
  - = GR label recovering, (!) = LFA FRR pure backup path
  {} = Label stack with multi-line output for a routing path
  G = GR, S = Stale, R = Remote LFA FRR backup

Prefix          Label   Label(s)       Outgoing     Next Hop            Flags
                In      Out            Interface                        G S R
--------------- ------- -------------- ------------ ------------------- -----
2.2.2.2/32      16007   19             Gi0/0/0/0.206 10.10.206.6
4.4.4.4/32      16008   20             Gi0/0/0/0.206 10.10.206.6
5.5.5.5/32      16005   18             Gi0/0/0/0.206 10.10.206.6
6.6.6.6/32      16002   ImpNull        Gi0/0/0/0.206 10.10.206.6
10.10.56.0/24   16003   ImpNull        Gi0/0/0/0.206 10.10.206.6
10.10.196.0/24  16004   ImpNull        Gi0/0/0/0.206 10.10.206.6
19.19.19.19/32  16006   17             Gi0/0/0/0.206 10.10.206.6

Can you please help me clear this up? Thanks in advance.

 

Maarten Vervoorn

and OFFF we go - (passed written on Wed.)


hey guys - first time poster - long time INE lurker - (I have coworkers who are attempting the lab - first time failed but I have an idea of the tools and stuff used) - so I will be working on trying to get thru the V5 lab in 12-18 months

Passed my written on Wed. with 790 - yes...I passed it as close as I possibly could - having said that I knew I was rushing it cause it was a freebie at Cisco Live this year

the way I see it - here's what I have going for and against me

PROS - 14 years of hard network ops experience

large amounts of exposure to sniffers and troubleshooting tickets

a MASSIVE workplace network with exposure to CRS, Nexus, ISR's, and virtually every platform and code imaginable - I can't BREAK or CHANGE any of it but I can sure use the show commands

QOS and BGP certifications from the CCIP track - (though it's amazing how fast the QOS goes into the bit bucket when you aren't playing with it all the time)

CONS - virtually NO configuration experience - (and yes, this is a big part of the lab) - we're kinda compartmentalized

weakness in Multicast, IPV6, and other technologies we just don't touch much cause they don't break

no Access pass yet - have to finish a small payment to Uncle Samuel

anyways, I have 18 months from May 21st, I have a Safari Online Account from work, and I have some reading to do before I get into the INE track, and I have an early exposure to GNS3 and might have access to the CSR1000V images once I check with the bosses - I probably won't have a lot of lab hardware though

RB

Building INE's RSv5 topology with physical switches

Documentation available during lab .... again.


I know it's been asked - I've searched and am still unclear.

What's available?  Configuration Guides?  Command References?  Design Guides?

I know where it is, just not which ones.

Thanks,

PC


6PE and 6VPE


Dear all,

I understand that 6PE is a feature for peering vpnv6 peers of a PE router into IPv6 dest.

I understand that 6VPE is a feature for peering vpnv6 peers of a PE router with VRFs into IPv6 dest.

My main question is the 2 magic commands under address family ipv6 -- neighbor send-label and mpls ip update source.

It is known as the 6VPE and 6PE feature, so L3MPLS option B and C is the equivalent of the 6PE and 6VPE feature, let's call them 4PE and 4VPE ------ is my reasoning correct, or did I grasp the idea of the technology utilized?

Thank you

AD POD Configuration


Is there any documentation that could be shared for how AD is configured in the POD? I have my own POD that mirrors the INE POD, but I am unsure how to configure AD to match the INE POD. Can any documentation be shared?

 

Thanks,


Eric Eddy

Building INE's RSv5 topology on IOU/IOL on GNS3

CCIE RSv5 Live Class


In the Live Class, does each one of these weeks cover different topics, or are the topics the same week by week?

Regards

 

Building INE's RSv5 topology on IOS on GNS3
