EIGRP for everyone… well, almost

If you have been living under a rock for the past few weeks you will have no doubt missed that Cisco have made the decision to make EIGRP an open* standard.

They have released an informational RFC (here) on the core workings of the protocol, which means that in theory any other manufacturer that wanted to could implement EIGRP in their own NOS (network operating system).

The reason for the asterisk in the previous statement is that, whilst on the surface it may look like Cisco have drawn back the secrecy shroud from the previously exclusive protocol, they have in fact only revealed the workings of the basics.

What this means is that Cisco have decided to keep some of the EIGRP special use cases a secret; these include things such as stub networks and DMVPN.

So when can we expect other manufacturers to pick up and start supporting EIGRP? I shouldn’t think it will be anytime soon but I guess we will just have to wait and see.

Why would other people want to use EIGRP I hear you say? Think of it this way, at the moment in open standards we have RIP, OSPF and BGP (yes, IS-IS as well) which means there is a gap that EIGRP fills pretty well.

EIGRP is less complicated than OSPF to set up and scales far better with large topologies (in its default setup anyway) and yet offers far more granularity and control than RIP.

In my day-to-day I can say that the only time I have ever had to come into contact with EIGRP is on the CEs peering with the customer, but even then it is extremely rare. Perhaps this will all change; I guess we will just have to wait and find out…

Moving on

Well, since getting the result of my 3rd lab attempt (FAIL, for those that haven’t already seen) I’ve spent the rest of the week getting on with my normal day-to-day but also considering where I went wrong.

On both my first and second attempt I felt OK but I had known there were weak points that I could lose out on; on the first attempt I ran out of time and didn’t check any task through, and on the second I had to skip one of the big TS tickets. Although these did not guarantee a failure, they put me well on the way.

This time I felt good, definitely better than the other attempts and to the best of my knowledge I had answered all the tasks while doing exactly as they asked and without breaking any guidelines.

When I got the score report and found that one of the lowest scoring areas was Layer 2 I was gobsmacked, perhaps more so than by the fail itself; L2 was something that, if you had asked me, I would have said I was 100% confident of passing no problem.

I’m not letting the failure stop me as I have come too far and am too close to turn back now but I just need to step back and recoup before I head into the battlefield again.

On a side note I’ve changed the theme on the site and done some initial testing, and everything looks OK. I can never test everything, so if you have any issues please let me know.

P.S. Thanks to all the messages I got after my last post, as always it really helps to not feel like banging your head against a wall in times like that.

Third time not so lucky…

I’ve been quiet on here since my last attempt but yesterday I once again made the trip to the Lab in Brussels… and once again have come back empty handed.

Unlike my first two attempts I felt secure with this attempt; my troubleshooting went well and all tickets were completed, and I sailed through the configuration with more than enough time to triple check everything and even reboot all the kit and check it again.

Someone said before that you never really fail until you give up, but this time feels like a failure. Whereas before I have come away saying “I did ok but….”, there was no such thing this time; if I were to do the same exam today I would do exactly the same.

I need to sit down and work out how I can improve on the results and tighten the areas where according to the score report I am weak as I felt that these areas were among my strengths not my weaknesses.

Perhaps more downtime is needed to study, perhaps I need to start again from the bottom up I don’t know….

Try again next time…

What do you mean I don’t get anything for a full set?

Unfortunately I got the results of yesterday’s CCIE attempt and, much like the first, it was a failure.

The result came in a little quicker and arrived whilst I was on my flight back to the UK.

Where the failure differs is that this time I passed the config section (which I failed the first time) but failed the troubleshooting (which I passed last time) and unfortunately you don’t get anything for a full set 😛

I can’t say that I was expecting it as I thought it had gone well, the result is a little dejecting knowing that I’m going to have to go through it all again.

I’m going to try and get in as soon as possible to do the exam again, the fact that I have now passed the exam (albeit not on the same visit!) proves that I am ready.

Thanks for all the messages of support, it helps and keeps me going through the worst time of being a CCIE candidate.

Here we go again…

Well it’s almost time to take the plunge again and go for another attempt at the CCIE R&S Lab exam.

I fly out on Sunday and take the exam on the Monday morning, I’m taking a lot less time over in Belgium this time as I don’t personally feel that I need it.

This time round I have tried to polish up on some of my periphery topics that I felt weak on after the last round.

Will it have been enough? Only time will tell and you can only do as well as you can on the day at the end of things.

One thing is for certain as always, you will get a can of expensive Coke and a decent lunch halfway through 😛

EDNS0 – DNS Extensions and their issues with ASAs

EDNS0 – DNS Extensions

History

There are a growing number of issues that we have seen relating to EDNS0, a quite old but only recently widely used extension to DNS.

The extension was originally outlined in RFC 2671, which was published in 1999.

The idea behind these extensions was that the DNS packet itself had a hard size limit when originally implemented, and nowadays, with more and more being done via DNS, we had exhausted this hard limit.

One solution would have been to simply extend the size of the DNS packet; however, this would have caused backwards-compatibility issues with older devices and could have caused more problems than it solved.

With the advent of technologies such as DNSSEC the use of EDNS0 has become more apparent, and this is the reason for seeing more and more issues arise over time.

How it works

Most of the time EDNS0 is not needed and hosts can carry on sending queries as they always have.

If the host believes that the query may be larger than a standard DNS packet it adds an option to the original query to state that the client supports the EDNS0 extension. Within this option it states the maximum size of response that is accepted (up to 4096 bytes) and other details such as the version, but these are outside the scope of this document.

When a resolver, such as Google’s public DNS servers or any public caching server, receives one of these EDNS0-enabled queries it then knows that the response it sends back to the client can be sent in a large packet (again, up to 4096 bytes, depending on the field in the query).

Issues it causes

When DNS packets pass through firewalls such as the Cisco ASA they are usually inspected to ensure that they are not malformed or other packets disguised as DNS packets.

Most of the time an inspect map is applied to the DNS packets to set the maximum size to that of the original DNS specification (512 bytes).

When one of the large EDNS0 packets returns from the resolver and is larger than this 512-byte limit, the packet is dropped and a syslog entry is triggered:

%ASA-4-410001: Dropped UDP DNS reply from outside:199.7.83.42/53 to inside:1.1.1.1/54266; packet length 1502 bytes exceeds configured limit of 512 bytes

The client never receives this packet and, because DNS here runs over UDP (connectionless) rather than TCP, it simply sends the query again and again; the client therefore cannot resolve that address and connectivity is broken.

Tests to see if this is happening

If you are on a UNIX/Linux/Mac system you can check whether the issue affects you with a command such as the one below:

dig +dnssec +norec +vc +notcp any . @199.7.83.42

If you are on a Windows system you can do a similar check by doing the following:

nslookup -type=TXT rs.dns-oarc.net. 4.2.2.6

If the above commands return results then EDNS0 resolution is not an issue for you.

Fixes

There are a couple of fixes that can be used to get around this issue.

One option, which was used prior to ASA version 8.2(2), was to raise the DNS message-length limit. This works; however, it may also allow malformed or non-DNS packets to make it through. This solution can be implemented with something similar to the below:

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 4096

The other solution, and the one recommended, is to use the command below, which was added in ASA version 8.2(2):

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512

With this second solution the message-length maximum client auto command allows the ASA to inspect the DNS query to see whether it contains the EDNS0 extension and, if so, raises the limit to the size given in the EDNS0 option. At the same time the message-length maximum 512 command ensures that legacy DNS queries do not go over the 512-byte limit.
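To make the mechanism concrete, here is an added Python example (not from the original post or from Cisco) that builds a query carrying the EDNS0 OPT record, parses the advertised UDP payload size back out of the wire format, and models the two ASA policies above: a fixed 512-byte limit versus “client auto”, which follows the size the query advertised. The constructed query mirrors the dig test earlier on the page (ANY for the root, DNSSEC OK); the ASA model is a deliberate simplification of the real inspection engine.

```python
import struct

def wire_name(name):
    """Encode a dotted name in DNS wire format; "." becomes the single root byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(qname, qtype=255, edns_bufsize=None, dnssec_ok=False):
    """Constructed DNS query (ID 0x1234, RD set); with edns_bufsize an OPT RR is appended."""
    arcount = 1 if edns_bufsize is not None else 0
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    msg += wire_name(qname) + struct.pack("!HH", qtype, 1)
    if edns_bufsize is not None:
        # OPT pseudo-RR (RFC 2671): root name, TYPE 41, CLASS = advertised UDP payload
        # size, TTL = extended RCODE / version / flags (DO bit 0x8000), RDLENGTH 0
        flags = 0x8000 if dnssec_ok else 0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, flags, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past a wire-format name (a compression pointer ends it)."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def edns0_udp_size(msg):
    """UDP payload size advertised in the OPT RR, or None if the message has no EDNS0."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:
            return rclass
        off += 10 + rdlen
    return None

def reply_allowed(query, reply_len, legacy_max=512, client_auto=True):
    """Simplified model of the ASA policy: with 'client auto' the limit follows the
    size the query advertised, otherwise the fixed legacy maximum applies."""
    advertised = edns0_udp_size(query) if client_auto else None
    return reply_len <= (advertised if advertised else legacy_max)
```

With the fixed 512-byte policy a 1502-byte reply to the EDNS0 query is refused, exactly the case in the syslog line above, while the same reply passes under “client auto”; a legacy query with no OPT record stays capped at 512 bytes either way.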


CCIE Lab… round two!

Well my seat and travel etc is all booked for my second attempt at the R&S lab.

I’ll be sitting the exam at the start of January (7th Jan) as this was the soonest seat they had (I checked on the Monday after my first attempt). I had wanted to try and get in there a little sooner as I felt I was ready but it seems that the whole of December was blocked solid!

This time around I will do much of the same yet more; I will be using the INE TS labs (hopefully more will be coming out soon), reading RFCs, labbing things out and maybe some more of the INE Vol1 labs as well.

My main weakness on my first attempt was not so much the core subjects which are covered in the Vol3 labs but more the periphery subjects that perhaps you don’t use all that much such as DHCP security (an example, not breaking NDA) or crash dumps. I will be focusing more on things like this for my next attempt to try and make sure I have a good rounded knowledge.

CCIE Lab attempt number one? FAIL!

Well last week I went over to Brussels to take my first lab attempt.

As most of you already unfortunately know I was unsuccessful and I failed the lab.

For my first attempt I decided that I was going to take my time and extend the stay past the usual ‘splash and dash’ stay.

I flew out on Tuesday evening and then checked in at the NH Hotel. I spent Wednesday mainly in my room going over a few RFCs, checking some things on the DocCD and relaxing watching some TV/Movies.

For anyone looking for a hotel to stay at whilst taking the lab I would highly recommend the NH Hotel; whilst it may not be the cheapest hotel it is most definitely the closest of the hotels to the Cisco offices. For anyone that is looking at booking, try the code ‘WEEKEND’ and you will get a discount (if you are staying over the weekend).

On the Wednesday I checked to see how easy it really was to get over to the Cisco offices and where I needed to go, I checked with the receptionist that I was indeed in the right place and then I went on my way.

I arrived nice and early (around 7:45) and the janitor let me in as it was pretty cold outside, guess I had the look of a scared candidate and deserved a comfy sofa and a warm drink 😛

At just after 8am our proctor Istvan greeted us and took us up to the fourth floor and to our lab.

I have to say that a lot of my nerves before heading into the lab were regarding the complete unknown of what I was going to see in the lab; without breaking NDA I would say that the lab isn’t as scary as I thought and it will definitely make it easier and less stressful the next time.

I stuck to a plan that was put forward on the INE bootcamp by Brian Dennis to not spend more than 10 minutes on a particular ticket before moving on and coming back if possible at the end, this strategy played out very well and I only had to come back to one ticket, leaving me with enough time to check over all tickets and giving me an extra 20 minutes to spend in the configuration section.

I was aiming to stick to a similar type of strategy in the config section; however, this didn’t really play out. I got stuck on something and spent more time than I should have trying to get something to work, when what I should have done is skipped over it and come back to it only once everything else was working 100% according to the specifications.

In the end I would say that both my strategy and the fact that I ran out of time were the contributing factors to my failure; however, I would also say that the first time nerves had something to do with it all and probably slowed me down at first.

I wanted to ‘get back on the horse’ as soon as possible so to speak and go for my second attempt as soon as possible but unfortunately it looks like there are no seats left for the whole of December and so it looks like the first week in January I will be visiting again and hopefully this time I will come home with my digits.

In the meantime I am going to concentrate my studies on more of the periphery subjects to try and make these a little more polished, this along with more INE TS Graded labs (awesome product by the way guys) and possibly some of the graded mock labs from them as well.

Hopefully the above will help someone else that is looking to take the lab soon, if not then oh well 🙂


CCIE R&S Lab… point of no return!

Well today I got the confirmation through from Cisco that my lab attempt has been paid for and therefore there is no turning back now!

Once you are within 90 days of your lab exam there are no changes or cancellations allowed, which can seem a little extreme, but I think it is more because of the fact that there is a very limited number of seats available.

For those interested I will be taking the lab exam in Brussels on the 8th November, I had considered keeping the attempt quiet but I have never been one to do this and don’t think it adds any additional pressure.

Initially I was wanting to take the lab in the middle of this month however after spending a couple of weeks in Florida without so much as touching a book / RFC I thought it would be better to push it back a couple of weeks.

I’m feeling ok about the exam however being that it is my first attempt I know there is a large amount of the pressure that is related to the exam environment / type of question itself but we will see…


INE Bootcamp complete…

Last Friday I finished the 10-day R&S bootcamp from the guys over at INE and I just thought that I would post a few words about the overall experience.

If anyone is considering whether to go on the course then I cannot recommend it enough; no matter what skill level you are at, there is always going to be something to learn from it.

Every student on the course gets access to their own rack for the 2 weeks, these are a number of new racks from INE that are setup using the Cisco 360 topology and this is then in turn used by the instructor for the 2 weeks.

One of the good points about the class is that none of it is done using powerpoint or is pre-recorded, it is all live and this in itself is good as it means you will run into problems and have to see the instructor run through troubleshooting them live which is always handy!

The ‘homework’ tasks that are given out can be useful as they help to cement what you have learned that day whilst also being slightly different to what you will have done in class so it is not just like regurgitating what you have seen the instructor do in the class itself.

There are several technologies/subjects that I feel the course is worth it for alone, those being multicast, redistribution and PfR/OER, as those were my (and a lot of the other candidates’) weaker subjects.

Now that the course is over and done with I am going to start on the Vol3 and Vol4 labs from INE and then get the lab booked for the middle of October.

Over the 2 weeks I met some really awesome guys; Daniel (@danieldibswe), Gian Paolo (@gp_ifconfig), Jose (@joseleitao), Susana (@scontreraf), Steve, Harald and of course our fearless leader and instructor Brian (@ccie2210).

Jose managed to get a picture of the group on the last day, I’m the one in the bright blue t-shirt over to the far left.