Channel: IEOC - INE's Online Community
Viewing all 10744 articles
Browse latest View live

EIGRP Classic vs Named Authentication


HELLO ALL,

I am writing this to check my logic and to ensure that I have everything straight in my mind. I have just written up a little review. Please give me feedback so that I can fill any gaps in my knowledge.

Respectfully,

AntRal

 

EIGRP CLASSIC vs. NAMED (Authentication and Converting)

The Basic Behavior of EIGRP

EIGRP uses the Diffusing Update Algorithm (DUAL) to calculate and provide "loop-free" paths throughout the network, allowing multiple routes to sync at the same time. Before any route in EIGRP can be added to the routing table it must meet the feasibility condition. The feasibility condition basically demands that the reported distance of a route must be less than the feasible distance before it is considered a loop-free path. The best path to a destination, which is installed into the routing table and selected as the next hop, is called the successor, while the next best route that meets the feasibility condition is then installed as a feasible successor. The feasible successor makes it possible for EIGRP to recover from losing the successor quicker and without having to converge.

EIGRP is a distance vector routing protocol that just advertises what it is directly connected to; this is sometimes referred to as "routing by rumor". The benefit of this is that the network topology can be more forgiving than that of the link state routing protocols, making it possible to summarize at the desire of the administrator and not on an area border router as in OSPF.

 

EIGRP Packets

Hello/Ack - Has to be sent by both routers to establish and keep a neighbor adjacency with each other. They are sent to multicast address 224.0.0.10 in IPv4 and FF02::A in IPv6.

Update - Once an adjacency has been created the routers send each other update packets. These are used to send the full table of known routes to the newly formed neighbor. These packets are also sent multicast.

Query - This packet is used to ask routers for a path to a destination; it also triggers all routers to converge. The response does not have to contain the exact same response as the request. This is where summarization can come in handy to limit the range of the query domain; this is also referred to as query scoping. Query scoping will help to prevent stuck-in-active in EIGRP domains that have grown too large.

Reply - Sent as a response to a query.

 

Metrics: Classic and Wide

While there is a complex formula for both metrics, all that needs to be remembered here is that the classic metric is 32 bits with a multiplier of 256, only using the bandwidth and the delay (in milliseconds) by default. The wide metric has changed a few things from the classic. First, it has two scales that it uses as multipliers. When calculating the metric it multiplies by the wide scale, which is 65536; this turns the metric into 64 bits. This large a metric can make EIGRP more granular when picking the best routes. Once it has established the best route it will then divide it by the RIB-scale before inserting it into the RIB.

 

Authentication in Classic EIGRP

Classic EIGRP only supports clear text and MD5 authentication using key chains that are applied to the interfaces. The configurations are bulky and counterintuitive. (Note: the key string does count blank spaces as characters.)

Example -

Router1

!
key chain TEST
 key 1
  key-string CISCO
  accept-lifetime 00:05:00 Jan 1 2015 00:15:00 Jan 2 2016
  send-lifetime 00:05:00 Jan 1 2015 00:15:00 Jan 2 2016
 key 2
  key-string CCIE
  accept-lifetime 00:05:00 Jan 1 2016 infinite
  send-lifetime 00:05:00 Jan 1 2015 infinite
!
interface FastEthernet0/0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 TEST
!

As you can see, you need to have a little overlap time when you are configuring multiple keys to ensure that there is no re-convergence needed in the network. In addition to this it is a good idea to use Network Time Protocol (NTP) to sync times on the neighbors.

 

Authentication in Named EIGRP

Named EIGRP can support MD5, clear text and SHA-256 authentication. MD5 and clear text both use key chains, while SHA-256 is done completely inside of the EIGRP process.

Example -

Router2

!
key chain TEST
 key 1
  key-string CISCO
  accept-lifetime 00:05:00 Jan 1 2015 infinite
  send-lifetime 00:05:00 Jan 1 2015 infinite
!
router eigrp TEST
 address-family ipv4 unicast autonomous-system 100
  af-interface FastEthernet0/0
   authentication mode md5
   authentication key-chain TEST
  exit-af-interface
  !
  af-interface default
   authentication mode hmac-sha-256 CCIE
  exit-af-interface
 exit-address-family
!

As you can see, the configurations for authentication in EIGRP named mode are much simpler and more logical. What happened in this example is that we tied the key chain with MD5 to interface f0/0, while we set all of the other interfaces to use SHA by default. The MD5 is backwards compatible with classic EIGRP. (Note: in named mode you cannot apply the authentication through the interface itself.)

 

Classic to Named Upgrade

You can upgrade classic EIGRP to named mode without flapping neighbor adjacencies through the use of the "eigrp upgrade-cli" command. You have to implement this per autonomous system number.

Example -

router eigrp 100
 network 210.1.1.0
 eigrp upgrade-cli TEST
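The post's point about key overlap and NTP is easy to get wrong on a live network, so here is an added example (not code from the post or from Cisco) that audits a key chain in the syntax shown above for the two failure modes that matter: an instant at which no key may be sent (the adjacency drops and re-converges) and a key that is sent during a period in which a peer sharing the same chain would not accept it. The configuration text is constructed (the post's Router1 chain plus a deliberately broken chain named BAD), the function names are mine, the "duration" lifetime form is not handled, and the send-key rule used (the lowest-numbered key whose send-lifetime is valid) is an assumption about IOS behaviour rather than something the post states.

```python
"""Audit Cisco IOS key chains for lifetime gaps and send/accept mismatches.

Added example, not the original post's code. The send-key rule (lowest
numbered key with a valid send-lifetime) is an assumption about IOS.
"""
from datetime import datetime
import re

INFINITE = datetime.max       # stands in for the IOS keyword "infinite"
FMT = "%H:%M:%S %b %d %Y"     # lifetime timestamp, e.g. "00:05:00 Jan 1 2015"
when = datetime.fromisoformat  # helper for test instants, e.g. when("2016-01-04 12:00")

# Constructed sample: the post's Router1 chain plus a deliberately broken one.
SAMPLE_CONFIG = """\
key chain TEST
 key 1
  key-string CISCO
  accept-lifetime 00:05:00 Jan 1 2015 00:15:00 Jan 2 2016
  send-lifetime 00:05:00 Jan 1 2015 00:15:00 Jan 2 2016
 key 2
  key-string CCIE
  accept-lifetime 00:05:00 Jan 1 2016 infinite
  send-lifetime 00:05:00 Jan 1 2015 infinite
!
key chain BAD
 key 1
  accept-lifetime 00:05:00 Jan 1 2015 00:15:00 Jan 2 2016
  send-lifetime 00:05:00 Jan 1 2015 00:15:00 Jan 2 2016
 key 2
  accept-lifetime 00:00:00 Jan 5 2016 infinite
  send-lifetime 00:00:00 Jan 3 2016 infinite
!
"""


def parse_lifetime(text):
    """'HH:MM:SS Mon D YYYY' followed by the same again, or by 'infinite'."""
    t = text.split()
    start = datetime.strptime(" ".join(t[:4]), FMT)
    end = INFINITE if t[4] == "infinite" else datetime.strptime(" ".join(t[4:8]), FMT)
    return start, end


def parse_key_chains(config):
    """Return {chain name: [{"id", "string", "accept", "send"}, ...]}."""
    chains, chain, key = {}, None, None
    for raw in config.splitlines():
        line = raw.lstrip()
        if (m := re.match(r"key chain (\S+)\s*$", line)):
            chain, key = chains.setdefault(m.group(1), []), None
        elif not line:
            pass                                  # blank line: ignore
        elif not raw[:1].isspace():               # "!" or another top-level command ends the chain
            chain = key = None
        elif (m := re.match(r"key (\d+)\s*$", line)) and chain is not None:
            key = {"id": int(m.group(1)), "string": None, "accept": None, "send": None}
            chain.append(key)
        elif key is not None and (m := re.match(r"key-string (.*)$", line)):
            key["string"] = m.group(1)            # not stripped: trailing blanks are part of the key
        elif key is not None and (m := re.match(r"(accept|send)-lifetime (.+)$", line)):
            key[m.group(1)] = parse_lifetime(m.group(2))
    return chains


def send_gaps(keys, window_start, window_end):
    """Periods inside the window during which no key of the chain may be sent."""
    gaps, cursor = [], window_start
    for start, end in sorted(k["send"] for k in keys if k["send"]):
        if start > cursor:
            gaps.append((cursor, min(start, window_end)))
        cursor = max(cursor, end)
        if cursor >= window_end:
            break
    if cursor < window_end:
        gaps.append((cursor, window_end))
    return gaps


def key_to_send(keys, at):
    """Assumed IOS rule: the lowest-numbered key whose send-lifetime covers 'at'."""
    for k in sorted(keys, key=lambda k: k["id"]):
        start, end = k["send"]
        if start <= at < end:
            return k["id"]
    return None


def audit(keys, sample_times):
    """For each instant, report a missing sendable key or a key a peer would reject."""
    findings = []
    for at in sample_times:
        kid = key_to_send(keys, at)
        if kid is None:
            findings.append((at, "no sendable key: authentication fails and the adjacency drops"))
            continue
        accept_start, accept_end = next(k["accept"] for k in keys if k["id"] == kid)
        if not accept_start <= at < accept_end:
            findings.append((at, f"key {kid} is sent but a peer sharing this chain would not accept it"))
    return findings


if __name__ == "__main__":
    for name, keys in parse_key_chains(SAMPLE_CONFIG).items():
        print(name, "gaps:", send_gaps(keys, when("2015-01-01"), when("2017-01-01")))
        print(name, "findings:", audit(keys, [when("2016-01-02 12:00"), when("2016-01-04 12:00")]))
```

Run against the post's chain, the only gap found is the five minutes before the first key becomes valid; the BAD chain shows both problems, a day with no sendable key between key 1 expiring and key 2 starting, and two days in which key 2 is sent before the peer's accept-lifetime for it begins. Because the check is pure clock arithmetic, it also shows why the post's NTP advice matters: the gaps it finds are only as real as the agreement between the two routers' clocks.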


Cisco ASA WCCP


Hello guys, I am testing Cisco WCCP between an ASA and 2 Websense boxes. Initially the plan was to use a virtual IP on Websense for WCCP, but it turns out it's not supported in a WCCP environment, so I just tested with the Websense physical IP address. In testing I assigned 2 WCCP server IP addresses on the ASA (out of curiosity); I can see only one of them is active and the same is confirmed by logs on Websense. I am seeing hits increasing on the second ACL which is specified for WCCP servers; not sure which traffic is hitting there. Can anyone help me on this? Also, will the second WCCP server take over when the first Websense box fails?

 

Sorry if I posted in the wrong thread, couldn't figure out where to post.

looking for study partner R&S GMT +5:30


Hi all,

I am back to my CCIE R&S study after an initial failed attempt in version 4.

I am looking for a study partner who is aiming to take the exam somewhere around Sep 2015.

Thanks in advance

Hitesh

MP-BGP Prefix Filtering


Hi guys

 

I think there is a configuration error in INE's workbook for CCIE R&S v5.0:

 

The task is "MP-BGP Prefix Filtering".

 

In my opinion, the problem is here:

task:

...

  • Make sure that R6’s VPN_A does not see the prefix 172.16.5.0/24 and R5’s VPN_B does not see the prefix 192.168.6.0/24.    Use export/import maps for this task.

 

--

configuration

R5:
interface Loopback101
ip vrf forwarding VPN_A
ip address 172.16.5.5 255.255.255.0
!
ip prefix-list LO101 permit 172.16.5.0/24
!

route-map VPN_A_EXPORT permit 10
match ip address prefix-list LO101
set extcommunity rt 100:55

!
route-map VPN_A_EXPORT permit 20
set extcommunity rt 100:1

!
ip vrf VPN_A
export map VPN_A_EXPORT
route-target import 100:66
R6:
interface Loopback102
ip vrf forwarding VPN_B
ip address 192.168.6.6 255.255.255.0
!
ip prefix-list LO102 permit 192.168.6.0/24

!
route-map VPN_B_EXPORT permit 10
match ip address prefix-list LO102
set extcommunity rt 100:66
!
route-map VPN_B_EXPORT permit 20
set extcommunity rt 100:2

!
ip vrf VPN_B
export map VPN_B_EXPORT
route-target import 100:55

 

 

 

================

 

I think the correct version of the configuration is like the following:

 

R5:

ip vrf VPN_A
export map VPN_A_EXPORT
route-target import 100:2

 

R6:

ip vrf VPN_B
export map VPN_B_EXPORT
route-target import 100:1

 

Any idea?

BR

 

CCIE Security New Rack Pricing


Hi :)

I just have one question: why did the price change for the CCIE Security Rack Rental Session?

Plus, if I booked a session today for 30/4 for one hour, which now costs 3 tokens and that was deducted from my account balance and reserved, after 17/4 will it also deduct 2 tokens extra because of the new pricing?

OSPF Nssa and Prefix-suppression command


I saw that in OSPF, when we issue the prefix-suppression command within an NSSA area where an external prefix has been redistributed, in addition to hiding the FA address, it clears the P-bit, disallowing the translation of the type 7 LSA.

This means that even though we try to issue on the ABR the "area xyz nssa translate type 7 suppress-fa" command or nssa translate always, we cannot recurse anyway to the ABR since the translation is blocked because of the P-bit clearing.

For me this mechanism is a little bit inefficient from a path preservation point of view, because the ABR knows every detail of the NSSA area and it can reach the ASBR that is originating the prefix. It just cannot translate it.

So I'm wondering why this is needed? There should maybe be some particular caveat behind this design choice?

Collaboration Rack Access


Hi All,

I have been trying to connect to the Collaboration rack and access the UC server after the SSL VPN connection.

I have been able to get ping responses from the servers but am not able to open up the web pages.

Though I raised tickets with INE, strangely enough it has been returned as a Configuration Issue, when I have not been able to login to the servers at all.

Anyone faced a similar problem?

Any help/feedback is appreciated.

 

Thanks

Dinesh


Quick MPLS TE "show mpls forwarding" question


Ok, so here's a silly question, but one I'm going to ask anyhow. When setting up a TE tunnel, my understanding is that the LDP based LSP is replaced by the TE LSP as a normal part of the operations. On the head end, however, once the tunnel is up and in use (using autoroute announce), the MPLS forwarding table looks like this:

 

2008  [T]  No Label   66.66.66.66/32   0             Tu1        point2point
2009  [T]  Pop Label  6.6.6.6/32       0             Tu1        point2point

 

6.6.6.6 is the dest loopback, while 66.66.66.66 is a loopback used just to inject a route into the topology. My question is why is 6.6.6.6 "pop label" while 66.66.66.66 is "no label"? It seems like the label is probably being popped so that the TE labels can be used, so that's not all that surprising, but IIRC "no label" basically means that it's going out a non-MPLS interface. Show mpls int includes tunnel 1. So, while I'm sure it's total minutia, this has been gnawing at me for a week or two now.

ISIS Authentication point-to-point SP V3 workbook


On the point-to-point connection between XR1 and R5, the XR doesn't take the configuration.

Error "RP/0/0/CPU0:XR1(config-isis-if)#hello-password hmac-md5 INEMD5 level 2
RP/0/0/CPU0:XR1(config-isis-if)#commit
Sun Apr  5 17:04:10.132 UTC

% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed [inheritance]' from
this session to view the errors
RP/0/0/CPU0:XR1(config-isis-if)#show config fail
Sun Apr  5 17:04:26.501 UTC
!! SEMANTIC ERRORS: This configuration was rejected by
!! the system due to semantic errors. The individual
!! errors with each failed configuration command can be
!! found below.


router isis 12
 interface GigabitEthernet0/0/0/2
  hello-password hmac-md5 encrypted 12302B323F2F59 level 2
!!% Invalid media class: Level-specific Hello Authentication may not be configured on a P2P interface
 !
!
end"

In the Cisco documentation the only caveat I see is that you MUST use the same password for both level 1 & 2.

I'm using VIRL to test the XR.

Thanks in advance !

 

 

ASR MPLS Label Count


Hi All

 

Can anyone share a command to check the total number of labels consumed in memory/TCAM? I remember the command starting with "show platform software/hardware".

crypto profile vs crypto map !?


hi all,

when configuring IPsec, I did understand to some extent the IPsec crypto map, but when I moved to crypto profile, I simply did not get why we use it!?

 

can someone please explain to me why we use a crypto profile!?

 

thanks,

UCS Buy In


My company is in the market for a new blade chassis, and I pitched the idea of UCS. Everything was going great until the quote came in. We're not a huge shop by any means. We currently have about 200+ virtual desktops, and another 200+ virtual servers. When we met with the partner and Cisco, they really focused on the common benefits of UCS, such as it being stateless computing. We're not adding new blade servers often, and I don't see my management buying spare blades that just sit idle waiting for a failure to happen. We currently have a Dell blade chassis and I said what's great about UCS is, once we're ready to replace the old Dell chassis, we plug the new one into the FIs and off we go. While management admits that's great, the FIs are making a huge price difference compared to Dell.

Just wondering if I'm missing any benefits that would make it worthwhile to go with UCS. We are going to be replacing our core with Nexus 5600s.

 

 

BGP Prefix Filtering


Hello All,

Can anybody tell me why my prefix filtering isn't working when trying to use a prefix-list to filter in BGP? The configuration and topology are below. Basically I'm trying to filter out the 172 prefixes from being advertised to AS 2. I have tried 15.3 and 12.4(24) code.

ip prefix-list PERMIT192 seq 5 permit 192.168.0.0/16 le 32

router bgp 1
 bgp log-neighbor-changes
 redistribute connected
 neighbor 10.1.1.2 remote-as 2
 neighbor 10.1.1.2 distribute-list PERMIT192 out

 

R1#sh ip bgp neighbors 10.1.1.2 advertised-routes
BGP table version is 10, local router ID is 192.168.4.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.1.1.0/24      0.0.0.0                  0         32768 ?
 *>  172.168.1.0/24   0.0.0.0                  0         32768 ?
 *>  172.168.2.0/24   0.0.0.0                  0         32768 ?
 *>  172.168.3.0/24   0.0.0.0                  0         32768 ?
 *>  172.168.4.0/24   0.0.0.0                  0         32768 ?
 *>  192.168.1.0      0.0.0.0                  0         32768 ?
 *>  192.168.2.0      0.0.0.0                  0         32768 ?
 *>  192.168.3.0      0.0.0.0                  0         32768 ?
 *>  192.168.4.0      0.0.0.0                  0         32768 ?

Total number of prefixes 9

 

Initial Config BGP Best Path / Basic BGP Routing


Hi All.

I was on the lab of BGP path selection and was doing the first one where we need to test the weight.

I realized that there is a loop between R3 and R1. It is a dataplane loop (correct me if I am wrong).

I can fix it by increasing the weight towards R4, but is it intentional? Because every lab after that uses the same initial config and the loop will remain there.

 

Regards

Mahir


CCIE Reading List - V5


Hi Guys,

I recently decided to start my CCIE preparation and I am trying to compile an essential reading list. I have looked at Cisco's (very large, very proprietary) list, as well as INE's and Brian Dennis' personal one.

So far I have decided that the essentials will be:

- Routing TCP/IP V1 and V2 by Jeff Doyle

- TCP/IP Illustrated Volume 1: The Protocols

- CCIE Certification Guide (v5) by Narbik

- QoS Certification Guide by Odom

 

In addition to this I am considering:

- MPLS Fundamentals (Cisco Press)

- Deploying IP Multicast Networks (Cisco Press)

- Internet Routing Architectures (Cisco Press)

 

I am looking to gain a sound understanding of the concepts covered in the CCIE Written and the theory behind the concepts covered in the lab. Now, obviously reading additional books will not hurt, but I feel that it may be a poor allocation of time and money which could be better spent on other CCIE related things. So I am asking for some advice from anyone who has read some of these books, and also anyone who has earned their CCIE already, as to which books I should purchase and read. I imagine there is some overlap between many of these and thus I want to focus on the ones which I will gain the most from, generally speaking.

 

Thanks!

CCIE V5 Reading List


Hi Guys,

 

I have recently decided to start studying for the CCIE and I am trying to accumulate a relevant reading list for the V5 material. The aim of this reading is to give me a sound understanding of all concepts covered in the written and the theory behind the concepts covered in the lab.

 

I have considered Cisco's (very large) list from their website, which seems a bit heavy with Press books, also INE's list and Brian Dennis's own list from his blog posts.

 

So far I have concluded that I should read:

 

TCP/IP V1/2 by Doyle

QoS Cert Guide by Odom

TCP/IP Illustrated V1 by Fall

CCIE V5 Cert Guides by Narbik

 

I have considered adding to this:

Deploying IP Multicast Networks by Williamson (but it is very old)

MPLS Fundamentals by Ghein

Implementing Routing Architectures by Halabi

 

I am looking for some advice from anyone who is well read in CCIE books, to point me in the direction of essential reading. Obviously reading additional books will not do any harm, but it does consume time and money which could be spent on lab prep.

 

I appreciate any thoughts

 

 

DMVPN - Encrypt Network


Hi Forum.

My Topology:

 <---------------(EIGRP AS202)---------------->

SPOKE1 -> 130.1.51.0 /24 -> SPOKE2 -> HUB1

I created 100.100.100.0/24 for my tunnel interfaces, so traffic to and from this network will get encrypted. I want to encrypt the 130.1.51.0 /24 network as well (learned via the EIGRP process). It doesn't work if I make a static route on HUB1 that points the network through the tunnel interface. How can I solve this one?

 

My Config:

HUB:

!
crypto isakmp policy 1
 authentication pre-share
 hash md5
 group 2
 encryption 3des
!
crypto isakmp key CISCO address 0.0.0.0
!
crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile vpnprof
 set transform-set trans2
!
interface Tunnel0
 ip address 100.100.100.1 255.255.255.0
 ip nhrp authentication CISCO
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 ip nhrp holdtime 300
 tunnel source fa0/0.17
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
!

Spoke:

!
crypto isakmp policy 1
 authentication pre-share
 hash md5
 group 2
 encryption 3des
!
crypto isakmp key CISCO address 0.0.0.0
!
crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile vpnprof
 set transform-set trans2
!
interface Tunnel0
 ip address 100.100.100.2 255.255.255.0
 ip nhrp authentication CISCO
 ip nhrp map 100.100.100.1 130.1.76.7
 ip nhrp map multicast 130.1.76.7
 ip nhrp network-id 99
 ip nhrp nhs 100.100.100.1
 tunnel source Gi0/0.17
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
!

Spoke:


crypto isakmp policy 1
 authentication pre-share
 hash md5
 group 2
 encryption 3des
!
crypto isakmp key CISCO address 0.0.0.0
!
crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile vpnprof
 set transform-set trans2
!
interface Tunnel0
 ip address 100.100.100.3 255.255.255.0
 ip nhrp authentication CISCO
 ip nhrp map 100.100.100.1 130.1.76.7
 ip nhrp map multicast 130.1.76.7
 ip nhrp network-id 99
 ip nhrp nhs 100.100.100.1
 tunnel source Gi0/0.17
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
!

VSS on Cat6500


Hi all.

I'm going to configure VSS on a Cat 6509. I read white papers about the architecture and commands. I have one question regarding this. For building the VSL between the 2 chassis, do I need to attach physical cables between the 2 chassis? For example, suppose I have decided to use gig 0/1 and g0/2 on each chassis. Do I need to interconnect these ports with physical cables?

CCIE Security Bootcamp Workbook


Dears,

I'm trying to load the CCIE Security Bootcamp Workbook Technology Tasks on the racks.

But all I can load is the Technology Solutions?

 

Is my workbook missing something that can't be loaded onto the racks?

Thank you :)
