Channel: IEOC - INE's Online Community

IOU support for fast-reroute


Does anyone know an IOU version that allows fast-reroute? My 15.3T does not allow it and it's part of several initial configs. Also, the distributed option on ip multicast-routing does not seem to work either...

 

Brian, are these integral to solving the lab or setting up the scenario? If not, cool; if they are, then using IOU is going to suck 😐!


Ticket 3 - Can't get working


Hi Guys,

Qualifying statement - I'm working with CSR1KV's

Few thoughts.  My understanding of OSPF LFA FRR is that 3 conditions ideally need to be met when looking at the backup path. 

I believe I've got those in place, but it's not coming up with the expected result, either by using the precise solution provided or by using other cost values. My output:


Area 10:

Interface        Protected    Primary paths    Protected paths Percent protected
                             All  High   Low   All  High   Low    All High  Low
Gi1.1718               Yes     0     0     0     0     0     0     0%   0%   0%
Gi1.1617               Yes    31    19    12     1     0     1     3%   0%   8%

Questions. 

The expected output has this under the "Area 10" section of the output. The overwhelming majority of the prefixes are External Type 2's, which

A) will have the same Metric in the RIB no matter where they are, but make their decisions with the forward metric.

B) from a database point of view aren't part of Area 10 at all.

I've tried changing them to E1's, no joy. I've tried stopping the redistribution into ospf 22 on R16, which causes the output of "show ip ospf fast-reroute prefix-summary" on R17 to go to 100% protected, as per:

Area 10:

Interface        Protected    Primary paths    Protected paths Percent protected
                             All  High   Low   All  High   Low    All High  Low
Gi1.1718               Yes     0     0     0     0     0     0     0%   0%   0%
Gi1.1617               Yes     1     0     1     1     0     1   100%   0% 100%

but obviously very few primary's and protected's..:/ 

Which points to only having a problem with protecting External Prefixes.

Is anyone else having this issue or am I doing something incorrectly?   Either way I've spent an uncomfortable amount of time on this :/.

Cheers,

Paul B

Shaping under class-default and nesting policy with LLQ


Hi All,

Some of you may know me from CLN.  I don't usually post here.  Anyway, I have a question on Shaping class-default and then nesting a policy map under the shaping with LLQ...

I remember reading something one time that LLQ is not really being shaped behind the scenes, but is actually queued outside of the shaping policy.  I, however, cannot find this information again.  Can anyone help me with this, point me to some material that states this?  Actually shaping an LLQ would be a disaster under congestion.

Thanks for your help!

BGP 4-byte support


Hi all,

How can you tell from the output below if the router or the neighbors from which it is learning the prefix is 4-byte aware?

I've seen this question somewhere and I simulated this behavior on 2 routers, one being 4-byte aware and the other not. It's the same output, no difference.

 

Router#sh ip bgp
BGP table version is 3, local router ID is 150.1.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 150.1.2.2/32     1.2.3.4                  0         100 0     65001 23231 10 i
r> 150.1.3.3/32     155.1.23.3               0        100 0     65001 23231  i

Why Am I placed in Privilege Level 1?


Hello community,

I'm a bit confused with this behavior as I thought creating a username with privilege level 15 would automatically place the user in that privilege level when he/she logs in but instead the user gets to be put in privilege level 1. Can anyone help me understand why this happens with AAA authentication but it does not with local authentication?

R1 with AAA authentication enabled (there is no AAA server, so it falls back to local)

R1(config)#do sh run | i username admin-15|aaa authentication login VTYs|aaa new-model
aaa new-model
aaa authentication login VTYs group tacacs+ local
username admin-15 privilege 15 secret 5 $1$EhZo$JK3C7Vc55q4h8HW31gXLs.
R1(config)#do sh run | b line vty
line vty 0 4
 login authentication VTYs
 transport input all

R3(config)#!Telnet to R1:     
R3(config)#do telnet 155.1.13.1
Trying 155.1.13.1 ... Open

================================================
===                                DBZ Battlefield                                ===
===                      Unathorized Warriors will Perish                   ===
================================================
Enter your Warrior ID >>>admin-15
Enter your Warrior Secret >>>

R1>sh priv
Current privilege level is 1

 

R2 with Local Authentication (aaa new-model command has not been entered)

R2(config)#do sh run | i username admin-15|aaa
username admin-15 privilege 15 secret 5 $1$KRW/$US.lGlh0DTKbdSLtTjNMl.
R2(config)#do sh run | b line vty
line vty 0 4
 login local
 transport input all

R3(config)#!Telnet to R2:
R3(config)#do telnet 155.1.23.2
Trying 155.1.23.2 ... Open


User Access Verification

Username: admin-15
Password:
R2#sh priv
Current privilege level is 15

L2VPN


I am struggling with the initial setup of L2VPN to the INE rack (collaboration). The tunnel seems to be up but I cannot ping any of the "11 dot" addresses. I am using the test credentials "coracktest".

router 2821

switch 3750

Router#sh crypto ipsec client ezvpn

Easy VPN Remote Phase: 8

Tunnel name : INECORACK

Inside interface list: Loopback0

Outside interface: GigabitEthernet0/0

Current State: IPSEC_ACTIVE

Last Event: MTU_CHANGED

Save Password: Allowed

Split Tunnel List: 1

       Address    : 11.0.0.0

       Mask       : 255.0.0.0

       Protocol   : 0x0

       Source Port: 0

       Dest Port  : 0

Current EzVPN Peer: 75.140.41.126

-------- I can't seem to ping any of the "11 dot" 11.254.254.254.254 address

NAT POOL seems not to be working in GNS3?


Hi Team,

 

I have configured a simple NAT pool with this topology attached.

I tried to cover all 14 hosts but still the last host 10.1.1.8 can't be translated... and I am running out of options

I tried using 10.1.1.0 0.0.0.16 to just cover:

10.1.1.5 - 10.1.1.8 but still only the last host is having problems.  Does the prefix length on the pool configuration need to match the wildcard mask?

 

NAT router:

R3#sh run | s nat

ip nat pool my_traders 124.24.34.250 124.24.34.253 prefix-length 24

ip nat inside source list traders pool my_traders

R3#sh run | s access-list

ip access-list extended traders

 permit ip 10.1.1.0 0.0.0.16 any

 

Thanks,
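
How IOS reads a base/wildcard pair such as the `10.1.1.0 0.0.0.16` entry in the post above, as an added example that is not part of the original post. The helper names are made up for illustration, and `covering_ace` goes one step beyond the post by computing a single aligned block that contains a given host range.

```python
import ipaddress

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def wildcard_matches(base, wildcard, candidate):
    """IOS wildcard test: 1 bits in the wildcard are ignored, 0 bits must be equal."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(base) & care) == (_ip(candidate) & care)

def matched_addresses(base, wildcard, limit=4096):
    """List every address a base/wildcard pair selects, in ascending order."""
    wild = _ip(wildcard)
    free_bits = [i for i in range(32) if wild >> i & 1]
    if 1 << len(free_bits) > limit:
        raise ValueError("wildcard selects too many addresses to list")
    fixed = _ip(base) & ~wild & 0xFFFFFFFF
    result = []
    for n in range(1 << len(free_bits)):
        addr = fixed
        for pos, bit in enumerate(free_bits):
            if n >> pos & 1:
                addr |= 1 << bit
        result.append(str(ipaddress.IPv4Address(addr)))
    return result

def covering_ace(first, last):
    """Smallest aligned base/wildcard block that contains first..last."""
    lo, hi = _ip(first), _ip(last)
    wild = (1 << (lo ^ hi).bit_length()) - 1
    return (str(ipaddress.IPv4Address(lo & ~wild & 0xFFFFFFFF)),
            str(ipaddress.IPv4Address(wild)))

if __name__ == "__main__":
    # The ACE from the post: only bit 4 of the last octet is "don't care".
    print(matched_addresses("10.1.1.0", "0.0.0.16"))
    for host in ("10.1.1.5", "10.1.1.6", "10.1.1.7", "10.1.1.8"):
        print(host, wildcard_matches("10.1.1.0", "0.0.0.16", host))
    # One contiguous block that does contain 10.1.1.5 - 10.1.1.8.
    print(covering_ace("10.1.1.5", "10.1.1.8"))
```

A block returned by `covering_ace` can be wider than the requested range, so check the listed addresses before using it in a `permit` entry.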

Return Traffic in vPC, vPC+ scenarios and HSRP


Hi Guys. I have a question and it might look stupid. I would ask anyway: I have been trying to get a grasp of FabricPath and vPC/vPC+ and all these get to incorporate FHRPs in one way or the other...especially HSRP. In HSRP the hosts have the virtual default gateway configured and use the vMAC to route outside their VLAN. How does return traffic get routed? Is the destination MAC address the HSRP virtual MAC address? In vPC, much isn't talked about the vMAC in return traffic...but in vPC+ and FabricPath, there is the idea of the virtual switch whose switch ID is the encapsulated OSA...and I guess frames are pushed to it in their respective ODAs. What would be the use-case in vPC, HSRP for returning traffic?


Phase 2 not coming up


Can't get phase 2 to come up between a Cisco and Check Point firewall. The proxy ACL and transform set seem to match but yet no workie. Anyone have an idea why?

 

Oct 17 15:11:10: ISAKMP:(42743):Total payload length: 12

Oct 17 15:11:10: ISAKMP:(42743): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH

Oct 17 15:11:10: ISAKMP:(42743):Sending an IKE IPv4 Packet.

Oct 17 15:11:10: ISAKMP:(42743):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Oct 17 15:11:10: ISAKMP:(42743):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

 

Oct 17 15:11:10: ISAKMP:(42743):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

Oct 17 15:11:10: ISAKMP:(42743):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

 

Oct 17 15:11:10: ISAKMP (42743): received packet from 1.1.1.1 dport 500 sport 500 Global (R) QM_IDLE

Oct 17 15:11:10: ISAKMP: set new node 2928898679 to QM_IDLE

Oct 17 15:11:10: ISAKMP:(42743): processing HASH payload. message ID = 2928898679

Oct 17 15:11:10: ISAKMP:(42743): processing SA payload. message ID = 2928898679

Oct 17 15:11:10: ISAKMP:(42743):Checking IPSec proposal 1

Oct 17 15:11:10: ISAKMP: transform 1, ESP_AES

Oct 17 15:11:10: ISAKMP:   attributes in transform:

Oct 17 15:11:10: ISAKMP:      SA life type in seconds

Oct 17 15:11:10: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10

Oct 17 15:11:10: ISAKMP:      authenticator is HMAC-SHA

Oct 17 15:11:10: ISAKMP:      encaps is 1 (Tunnel)

Oct 17 15:11:10: ISAKMP:      key length is 256

Oct 17 15:11:10: ISAKMP:(42743):atts are acceptable.

Oct 17 15:11:10: IPSEC(ipsec_process_proposal): peer address 1.1.1.1 not found

Oct 17 15:11:10: ISAKMP:(42743): IPSec policy invalidated proposal with error 64

Oct 17 15:11:10: ISAKMP:(42743): phase 2 SA policy not acceptable! (local 2.2.2.2 remote 1.1.1.1)

Oct 17 15:11:10: ISAKMP: set new node 2706240197 to QM_IDLE

Oct 17 15:11:10: ISAKMP:(42743):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

spi 139643081102792, message ID = 2706240197

Oct 17 15:11:10: ISAKMP:(42743): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R) QM_IDLE

Oct 17 15:11:10: ISAKMP:(42743):Sending an IKE IPv4 Packet.

Oct 17 15:11:10: ISAKMP:(42743):purging node 2706240197

Oct 17 15:11:10: %CRYPTO-5-IPSEC_SETUP_FAILURE: IPSEC SETUP FAILED for local:1.1.1.1 local_id:1.1.1.1 remote:2.2.2.2 remote_id:2.2.2.2 IKE profile:None fvrf:None fail_reason:IPSec Proposal failure fail_class_cnt:1

Oct 17 15:11:10: ISAKMP:(42743):deleting node 2928898679 error TRUE reason "QM rejected"

Oct 17 15:11:10: ISAKMP:(42743):Node 2928898679, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

Oct 17 15:11:10: ISAKMP:(42743):Old State = IKE_QM_READY  New State = IKE_QM_READY

Oct 17 15:11:10: ISAKMP (42743): received packet from 1.1.1.1 dport 500 sport 500 Global (R) QM_IDLE

Oct 17 15:11:10: ISAKMP: set new node 3169756681 to QM_IDLE

Oct 17 15:11:10: ISAKMP:(42743): processing HASH payload. message ID = 3169756681

Oct 17 15:11:10: ISAKMP:(42743): processing SA payload. message ID = 3169756681

Oct 17 15:11:10: ISAKMP:(42743):Checking IPSec proposal 1

Oct 17 15:11:10: ISAKMP: transform 1, ESP_AES

Oct 17 15:11:10: ISAKMP:   attributes in transform:

Oct 17 15:11:10: ISAKMP:      SA life type in seconds

Oct 17 15:11:10: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10

Oct 17 15:11:10: ISAKMP:      authenticator is HMAC-SHA

Oct 17 15:11:10: ISAKMP:      encaps is 1 (Tunnel)

Oct 17 15:11:10: ISAKMP:      key length is 256

Oct 17 15:11:10: ISAKMP:(42743):atts are acceptable.

Oct 17 15:11:10: IPSEC(ipsec_process_proposal): peer address 1.1.1.1 not found

Oct 17 15:11:10: ISAKMP:(42743): IPSec policy invalidated proposal with error 64

Oct 17 15:11:10: ISAKMP:(42743): phase 2 SA policy not acceptable! (local 2.2.2.2 remote 1.1.1.1)

Oct 17 15:11:10: ISAKMP: set new node 1941872296 to QM_IDLE

Oct 17 15:11:10: ISAKMP:(42743):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

spi 139643081102792, message ID = 1941872296

Oct 17 15:11:10: ISAKMP:(42743): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R) QM_IDLE

Oct 17 15:11:10: ISAKMP:(42743):Sending an IKE IPv4 Packet.

Oct 17 15:11:10: ISAKMP:(42743):purging node 1941872296

Oct 17 15:11:10: ISAKMP:(42743):deleting node 3169756681 error TRUE reason "QM rejected"

Oct 17 15:11:10: ISAKMP:(42743):Node 3169756681, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

Oct 17 15:11:10: ISAKMP:(42743):Old State = IKE_QM_READY  New State = IKE_QM_READY

Oct 17 15:11:17: IPSEC(delete_sa): SA found saving DEL kmi

Oct 17 15:11:29: ISAKMP:(42742):purging node 1673756212

 

 

dependency will not be visible if incidents are resolved in sequence ?


We need some explanation. In the Lab Overview section, one point is made:

The resolution of one incident MAY depend on the resolution of previous incidents.
The dependency will not be visible if incidents are resolved in sequence.

 

So, is it better to solve those tickets in sequence?

Full Scale Lab - Task 1.2 - Virtual-Links


The following notes are listed in the full scale lab - solutions for task 1.2. Can someone explain the "disjoint OSPF area design"? I noticed the virtual-links connect R1/R3 and R2/R4. There is already an OSPF neighbor and adjacency on the connected interface. Why do we require virtual links? I see the notes for area 10/area 121 to exchange Type 3 and the loopback notes. However, is the reason for connecting to Area 0, which is located on R3 and R4?

"The virtual-links configured here fix the disjoint OSPF Area design used by this lab. Area 10 and 121 will be able to exchange Type-3 LSAs, and also allow R1-R4 to advertise their Loopback0 into Area 0"

 

R1:

router ospf 100

 area 20 virtual-link 192.122.3.3

 

R3:

router ospf 100

 area 20 virtual-link 192.122.3.1

Version 4 study question


For the Version 4 Technologies Workbook, is becoming extremely familiar with all the topics that the workbook covers a good indicator of lab exam readiness?  

I'm enjoying going through all of the INE material, but I find myself wondering when my preparation will be good enough to make a lab attempt.

Looking for Virtual Study Partner (Central US)


Hello everyone,

I'm looking for one to three virtual (online) study partners for the CCIE R&S exam. Preferably individuals who have gone through all of Workbook 1 or nearly all of it and are available from 7pm to 12am Central time and weekends for study sessions to review material.

What I'm looking for is humble and dedicated people who are not afraid to explain technologies to each other and run through scenarios. Most importantly, individuals that don't put other people down or make fun of others for not knowing a particular topic. It's important to have support from each member of the group.

Please add your name and email below if you are interested :)

Building INE's RSv5 topology on CSR1000v


Use this thread for discussion on building INE's CCIE RSv5 topology using the Cloud Services Router 1000v (CSR1000v).

Details of INE's RSv5 topology can be found here.

Details on CSR1000v can be found here.

Check the CSR1000v Data Sheets for specific platform requirements.

This thread is a continuation of the original RSv5 build thread that can be found here.

PLEASE DO NOT POST REQUESTS FOR IOS IMAGES, IT IS ILLEGAL TO PROVIDE YOU WITH THEM UNLESS YOU ALREADY HAVE A VALID CISCO SERVICE CONTRACT.

how to use v5 workbook to study for the written ?


Hello,

When the workbook V5 was published it was said some part of it could be useful for the written too.

Now my question is:

How to use the v5 workbook to study for the written?

 


INE Guideline for V5??


Is there a new guideline to study for R&S v5 similar to http://blog.ine.com/2010/10/09/how-to-pass-the-ccie-rs-with-ines-4-0-training-program

Thank you!

What time did your lab start?


Hi all,

I'm curious what exact time your lab started in Brussels. I'm asking because on my last attempt the plane was leaving about 7:30 PM, while the lab ended at 5 PM. The proctor warned us that it was risky, because sometimes the lab starts late (9-10 AM).

Now I'm trying to figure out how likely this is to happen. Is it better to book a flight for the next day?

VMWare NPIV and Cisco UCS


Hello Team,

 

I have one UCS Blade Running ESXi and I was trying to enable NPIV on a Virtual Machine in order to see the VM Flogi on the Fabric.

 

But I’m getting this error on the vmkernel every time I power up the VM:

 

~ # more /var/log/vmkernel.log | grep NPIV

2014-10-17T14:19:32.020Z cpu2:1239292)ScsiNpiv: 1149: NPIV vport rescan complete, [14:0] (0x4100060e96c0) [0x410012804260] status=0xbad0003

2014-10-17T16:26:05.647Z cpu14:1244751)ScsiNpiv: 1149: NPIV vport rescan complete, [14:0] (0x4100060e96c0) [0x410012804260] status=0xbad0003

2014-10-17T16:49:21.933Z cpu10:1245748)ScsiNpiv: 1149: NPIV vport rescan complete, [14:0] (0x4100060e96c0) [0x410012804260] status=0xbad0003

~ #

 

I found this document about the subject:

 

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2008780

 

But I have the zoning correctly configured.

 

Is this supported ? I have the CNA M71KR-Q.

 

I see the FI and the ESXi Flogis on the Fabric.

 

 

Thanks.

 

Regards,

 

Antonio Soares, CCIE #18473 (RS/SP)
amsoares@netcabo.pt

http://www.ccie18473.net

 

Method to Navigate Cisco Docs Changed?


In the ATCv5 R&S videos, when Brian shows where things are documented, he consistently follows the same procedure for accessing the documentation. This method worked fine until recently.

Now, when I follow his procedure step-by-step, it leads to an End-Of-Life notice for IOS 15.3T.  When I try to follow the links for the other IOS versions, they all lead to similar End-Of-Life notices.

Is anyone else experiencing this, and has anyone figured out another way to navigate the documentation correctly?

 

Thanks,

Brady

Extended ACL seems not working?


Please let me know what the problem is with my ACL, since I no longer know whether the concept in my head is wrong or right.  Any input is greatly appreciated.  I do not know what else to do in GNS3; I have shut it down and rebooted it a number of times and still get the same result...

Requirement is that all hosts can do anything to the FINANCIAL_WEB_SERVER except web access.  Only host C can web access it.

 

Corp1#sh run int f0/1
Building configuration...

Current configuration : 125 bytes
!
interface FastEthernet0/1
 ip address 172.22.242.30 255.255.255.240
 ip access-group 100 out
 duplex auto
 speed auto
end


Corp1#sh run | s access-list
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq www
access-list 100 deny   tcp any host 172.22.242.23 eq www
access-list 100 permit ip any any
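
A top-down, first-match evaluation of the three ACL 100 entries from the post above, as an added example that is not part of the original post. The parser handles only the entry forms shown there (`host`, `any`, base plus wildcard, `eq`), and the probe source 192.168.33.4 and port 443 used to exercise it are constructed inputs.

```python
import ipaddress

PORT_NAMES = {"www": 80}  # the only port keyword used in the post

# ACL 100 exactly as shown in the post.
ACL_100 = """\
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq www
access-list 100 deny   tcp any host 172.22.242.23 eq www
access-list 100 permit ip any any
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' and return (base, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(first), _ip(tokens.pop(0))

def parse_acl(text):
    """Parse numbered extended ACL lines into (action, proto, src, dst, dport)."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src, dst = _take_addr(rest), _take_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append((action, proto, src, dst, dport))
    return entries

def _hit(spec, addr):
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (base & care) == (_ip(addr) & care)

def evaluate(entries, proto, src, dst, dport=None):
    """Return (action, entry number) of the first matching entry, top down."""
    for number, (action, p, s, d, port) in enumerate(entries, 1):
        if p not in ("ip", proto):
            continue
        if not (_hit(s, src) and _hit(d, dst)):
            continue
        if port is not None and port != dport:
            continue
        return action, number
    return "deny", 0  # implicit deny at the end of every ACL
```

Calling `evaluate(parse_acl(ACL_100), "tcp", "192.168.33.4", "172.22.242.23", 80)` returns the action together with the number of the entry that decided it, which makes it easy to see which line a given packet hits.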

 
